diff --git a/.gitignore b/.gitignore
index 8abe6e01a..fc7745cb2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -71,6 +71,9 @@ ChangeLog
 etc/barbican/barbican.conf
 etc/barbican/barbican.conf.sample
 
+# File created by oslopolicy-sample-generator
+etc/barbican/policy.yaml.sample
+
 # Files created by releasenotes build
 releasenotes/build
 
diff --git a/barbican/common/policies/__init__.py b/barbican/common/policies/__init__.py
new file mode 100644
index 000000000..0d7653891
--- /dev/null
+++ b/barbican/common/policies/__init__.py
@@ -0,0 +1,43 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+import itertools
+
+from barbican.common.policies import acls
+from barbican.common.policies import base
+from barbican.common.policies import cas
+from barbican.common.policies import consumers
+from barbican.common.policies import containers
+from barbican.common.policies import orders
+from barbican.common.policies import quotas
+from barbican.common.policies import secretmeta
+from barbican.common.policies import secrets
+from barbican.common.policies import secretstores
+from barbican.common.policies import transportkeys
+from barbican.common.policies import versions
+
+
+def list_rules():
+    return itertools.chain(
+        acls.list_rules(),
+        base.list_rules(),
+        cas.list_rules(),
+        consumers.list_rules(),
+        containers.list_rules(),
+        orders.list_rules(),
+        quotas.list_rules(),
+        secretmeta.list_rules(),
+        secrets.list_rules(),
+        secretstores.list_rules(),
+        transportkeys.list_rules(),
+        versions.list_rules(),
+    )
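Review bot: `list_rules()` at the bottom of the hunk has no docstring, and it returns the single-use `itertools.chain` iterator rather than a list, so any caller that iterates it twice gets nothing on the second pass; the `oslo.policy.policies` entry point added in setup.cfg consumes it once, so this is presumably fine, but it should be stated. I would add `"""Return an iterator over every RuleDefault barbican registers; consumed once by the oslo.policy.policies entry point."""` directly under the `def`, or wrap the chain in `list(...)` if re-iteration ever matters. A one-line module docstring naming that entry point would also help the next reader see why this package exists.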
diff --git a/barbican/common/policies/acls.py b/barbican/common/policies/acls.py
new file mode 100644
index 000000000..41a2e34ac
--- /dev/null
+++ b/barbican/common/policies/acls.py
@@ -0,0 +1,38 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+    policy.RuleDefault('secret_acls:put_patch',
+                       'rule:secret_project_admin or '
+                       'rule:secret_project_creator'),
+    policy.RuleDefault('secret_acls:delete',
+                       'rule:secret_project_admin or '
+                       'rule:secret_project_creator'),
+    policy.RuleDefault('secret_acls:get',
+                       'rule:all_but_audit and '
+                       'rule:secret_project_match'),
+    policy.RuleDefault('container_acls:put_patch',
+                       'rule:container_project_admin or '
+                       'rule:container_project_creator'),
+    policy.RuleDefault('container_acls:delete',
+                       'rule:container_project_admin or '
+                       'rule:container_project_creator'),
+    policy.RuleDefault('container_acls:get',
+                       'rule:all_but_audit and rule:container_project_match'),
+]
+
+
+def list_rules():
+    return rules
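Review bot: Every rule in this module is a bare `policy.RuleDefault`, so the policy.yaml.sample produced by the new genpolicy target will list rule names and check strings but say nothing about what each rule guards or which HTTP operation it maps to; oslo.policy's `policy.DocumentedRuleDefault` takes `description=` and `operations=[{'path': ..., 'method': ...}]` for exactly this purpose. The same applies to the API-policy modules in the later hunks: cas.py, consumers.py, containers.py, orders.py, quotas.py, secretmeta.py, secrets.py, secretstores.py, transportkeys.py and versions.py. Since this commit is the first time these rules live in code, a one-line description per rule (for `secret_acls:get`, something like "Retrieve the ACL settings of a secret.") is the cheapest way to make the generated sample useful to an operator deciding whether to override it.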
diff --git a/barbican/common/policies/base.py b/barbican/common/policies/base.py
new file mode 100644
index 000000000..9b5500d48
--- /dev/null
+++ b/barbican/common/policies/base.py
@@ -0,0 +1,77 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+    policy.RuleDefault('admin',
+                       'role:admin'),
+    policy.RuleDefault('observer',
+                       'role:observer'),
+    policy.RuleDefault('creator',
+                       'role:creator'),
+    policy.RuleDefault('audit',
+                       'role:audit'),
+    policy.RuleDefault('service_admin',
+                       'role:key-manager:service-admin'),
+    policy.RuleDefault('admin_or_user_does_not_work',
+                       'project_id:%(project_id)s'),
+    policy.RuleDefault('admin_or_user',
+                       'rule:admin or project_id:%(project_id)s'),
+    policy.RuleDefault('admin_or_creator',
+                       'rule:admin or rule:creator'),
+    policy.RuleDefault('all_but_audit',
+                       'rule:admin or rule:observer or rule:creator'),
+    policy.RuleDefault('all_users',
+                       'rule:admin or rule:observer or rule:creator or '
+                       'rule:audit or rule:service_admin'),
+    policy.RuleDefault('secret_project_match',
+                       'project:%(target.secret.project_id)s'),
+    policy.RuleDefault('secret_acl_read',
+                       "'read':%(target.secret.read)s"),
+    policy.RuleDefault('secret_private_read',
+                       "'False':%(target.secret.read_project_access)s"),
+    policy.RuleDefault('secret_creator_user',
+                       "user:%(target.secret.creator_id)s"),
+    policy.RuleDefault('container_project_match',
+                       "project:%(target.container.project_id)s"),
+    policy.RuleDefault('container_acl_read',
+                       "'read':%(target.container.read)s"),
+    policy.RuleDefault('container_private_read',
+                       "'False':%(target.container.read_project_access)s"),
+    policy.RuleDefault('container_creator_user',
+                       "user:%(target.container.creator_id)s"),
+    policy.RuleDefault('secret_non_private_read',
+                       "rule:all_users and rule:secret_project_match and "
+                       "not rule:secret_private_read"),
+    policy.RuleDefault('secret_decrypt_non_private_read',
+                       "rule:all_but_audit and rule:secret_project_match and "
+                       "not rule:secret_private_read"),
+    policy.RuleDefault('container_non_private_read',
+                       "rule:all_users and rule:container_project_match and "
+                       "not rule:container_private_read"),
+    policy.RuleDefault('secret_project_admin',
+                       "rule:admin and rule:secret_project_match"),
+    policy.RuleDefault('secret_project_creator',
+                       "rule:creator and rule:secret_project_match and "
+                       "rule:secret_creator_user"),
+    policy.RuleDefault('container_project_admin',
+                       "rule:admin and rule:container_project_match"),
+    policy.RuleDefault('container_project_creator',
+                       "rule:creator and rule:container_project_match and "
+                       "rule:container_creator_user"),
+]
+
+
+def list_rules():
+    return rules
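Review bot: The rule named `admin_or_user_does_not_work` (`project_id:%(project_id)s`) is carried into code, and therefore into the generated sample, with no explanation of why it is considered broken, and no other rule in this patch references it; either drop it or put a comment above it such as `# Retained from the legacy policy.json for compatibility; not referenced by any API rule in this package` so operators do not try to reason about it. Separately, `secret_non_private_read`, `secret_decrypt_non_private_read` and `container_non_private_read` hinge on `not rule:secret_private_read` / `not rule:container_private_read`, and a generic check whose target key is absent evaluates false, so a target lacking `read_project_access` would be treated as non-private; presumably the secret and container controllers always populate that key, but that assumption is worth confirming and recording in a comment on `secret_private_read` and `container_private_read`.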
diff --git a/barbican/common/policies/cas.py b/barbican/common/policies/cas.py
new file mode 100644
index 000000000..4998cc10b
--- /dev/null
+++ b/barbican/common/policies/cas.py
@@ -0,0 +1,51 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+    policy.RuleDefault('certificate_authorities:get_limited',
+                       'rule:all_users'),
+    policy.RuleDefault('certificate_authorities:get_all',
+                       'rule:admin'),
+    policy.RuleDefault('certificate_authorities:post',
+                       'rule:admin'),
+    policy.RuleDefault('certificate_authorities:get_preferred_ca',
+                       'rule:all_users'),
+    policy.RuleDefault('certificate_authorities:get_global_preferred_ca',
+                       'rule:service_admin'),
+    policy.RuleDefault('certificate_authorities:unset_global_preferred',
+                       'rule:service_admin'),
+    policy.RuleDefault('certificate_authority:delete',
+                       'rule:admin'),
+    policy.RuleDefault('certificate_authority:get',
+                       'rule:all_users'),
+    policy.RuleDefault('certificate_authority:get_cacert',
+                       'rule:all_users'),
+    policy.RuleDefault('certificate_authority:get_ca_cert_chain',
+                       'rule:all_users'),
+    policy.RuleDefault('certificate_authority:get_projects',
+                       'rule:service_admin'),
+    policy.RuleDefault('certificate_authority:add_to_project',
+                       'rule:admin'),
+    policy.RuleDefault('certificate_authority:remove_from_project',
+                       'rule:admin'),
+    policy.RuleDefault('certificate_authority:set_preferred',
+                       'rule:admin'),
+    policy.RuleDefault('certificate_authority:set_global_preferred',
+                       'rule:service_admin'),
+]
+
+
+def list_rules():
+    return rules
diff --git a/barbican/common/policies/consumers.py b/barbican/common/policies/consumers.py
new file mode 100644
index 000000000..e36024b2d
--- /dev/null
+++ b/barbican/common/policies/consumers.py
@@ -0,0 +1,43 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+    policy.RuleDefault('consumer:get',
+                       'rule:admin or rule:observer or rule:creator or '
+                       'rule:audit or rule:container_non_private_read or '
+                       'rule:container_project_creator or '
+                       'rule:container_project_admin or '
+                       'rule:container_acl_read'),
+    policy.RuleDefault('consumers:get',
+                       'rule:admin or rule:observer or rule:creator or '
+                       'rule:audit or rule:container_non_private_read or '
+                       'rule:container_project_creator or '
+                       'rule:container_project_admin or '
+                       'rule:container_acl_read'),
+    policy.RuleDefault('consumers:post',
+                       'rule:admin or rule:container_non_private_read or '
+                       'rule:container_project_creator or '
+                       'rule:container_project_admin or '
+                       'rule:container_acl_read'),
+    policy.RuleDefault('consumers:delete',
+                       'rule:admin or rule:container_non_private_read or '
+                       'rule:container_project_creator or '
+                       'rule:container_project_admin or '
+                       'rule:container_acl_read'),
+]
+
+
+def list_rules():
+    return rules
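Review bot: In `consumer:get` and `consumers:get` the leading disjuncts `rule:admin or rule:observer or rule:creator or rule:audit` are pure role checks with no project match, so a token holding any of those roles in any project satisfies the rule and the project-scoped disjuncts that follow (`container_non_private_read`, `container_project_creator`, `container_project_admin`, `container_acl_read`) never come into play for such callers, unless the controller enforces project ownership before the policy check, which this hunk cannot show. If that is deliberate parity with the previous policy.json, a comment saying so would keep a later reader from tightening it by accident; if not, dropping the role-only disjuncts would make these two rules consistent with `consumers:post` and `consumers:delete` in the same hunk, which keep only `rule:admin` unscoped. The unscoped `rule:admin` itself is shared by all four rules and presumably intended.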
diff --git a/barbican/common/policies/containers.py b/barbican/common/policies/containers.py
new file mode 100644
index 000000000..643f14116
--- /dev/null
+++ b/barbican/common/policies/containers.py
@@ -0,0 +1,37 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+    policy.RuleDefault('containers:post',
+                       'rule:admin_or_creator'),
+    policy.RuleDefault('containers:get',
+                       'rule:all_but_audit'),
+    policy.RuleDefault('container:get',
+                       'rule:container_non_private_read or '
+                       'rule:container_project_creator or '
+                       'rule:container_project_admin or '
+                       'rule:container_acl_read'),
+    policy.RuleDefault('container:delete',
+                       'rule:container_project_admin or '
+                       'rule:container_project_creator'),
+    policy.RuleDefault('container_secret:post',
+                       'rule:admin'),
+    policy.RuleDefault('container_secret:delete',
+                       'rule:admin'),
+]
+
+
+def list_rules():
+    return rules
diff --git a/barbican/common/policies/orders.py b/barbican/common/policies/orders.py
new file mode 100644
index 000000000..0772ad2e4
--- /dev/null
+++ b/barbican/common/policies/orders.py
@@ -0,0 +1,31 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+    policy.RuleDefault('orders:post',
+                       'rule:admin_or_creator'),
+    policy.RuleDefault('orders:get',
+                       'rule:all_but_audit'),
+    policy.RuleDefault('order:get',
+                       'rule:all_users'),
+    policy.RuleDefault('order:put',
+                       'rule:admin_or_creator'),
+    policy.RuleDefault('order:delete',
+                       'rule:admin'),
+]
+
+
+def list_rules():
+    return rules
diff --git a/barbican/common/policies/quotas.py b/barbican/common/policies/quotas.py
new file mode 100644
index 000000000..c31652c82
--- /dev/null
+++ b/barbican/common/policies/quotas.py
@@ -0,0 +1,29 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+    policy.RuleDefault('quotas:get',
+                       'rule:all_users'),
+    policy.RuleDefault('project_quotas:get',
+                       'rule:service_admin'),
+    policy.RuleDefault('project_quotas:put',
+                       'rule:service_admin'),
+    policy.RuleDefault('project_quotas:delete',
+                       'rule:service_admin'),
+]
+
+
+def list_rules():
+    return rules
diff --git a/barbican/common/policies/secretmeta.py b/barbican/common/policies/secretmeta.py
new file mode 100644
index 000000000..f78c721ec
--- /dev/null
+++ b/barbican/common/policies/secretmeta.py
@@ -0,0 +1,29 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+    policy.RuleDefault('secret_meta:get',
+                       'rule:all_but_audit'),
+    policy.RuleDefault('secret_meta:post',
+                       'rule:admin_or_creator'),
+    policy.RuleDefault('secret_meta:put',
+                       'rule:admin_or_creator'),
+    policy.RuleDefault('secret_meta:delete',
+                       'rule:admin_or_creator'),
+]
+
+
+def list_rules():
+    return rules
diff --git a/barbican/common/policies/secrets.py b/barbican/common/policies/secrets.py
new file mode 100644
index 000000000..e756bbc8e
--- /dev/null
+++ b/barbican/common/policies/secrets.py
@@ -0,0 +1,41 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+    policy.RuleDefault('secret:decrypt',
+                       'rule:secret_decrypt_non_private_read or '
+                       'rule:secret_project_creator or '
+                       'rule:secret_project_admin or '
+                       'rule:secret_acl_read'),
+    policy.RuleDefault('secret:get',
+                       'rule:secret_non_private_read or '
+                       'rule:secret_project_creator or '
+                       'rule:secret_project_admin or '
+                       'rule:secret_acl_read'),
+    policy.RuleDefault('secret:put',
+                       'rule:admin_or_creator and '
+                       'rule:secret_project_match'),
+    policy.RuleDefault('secret:delete',
+                       'rule:secret_project_admin or '
+                       'rule:secret_project_creator'),
+    policy.RuleDefault('secrets:post',
+                       'rule:admin_or_creator'),
+    policy.RuleDefault('secrets:get',
+                       'rule:all_but_audit'),
+]
+
+
+def list_rules():
+    return rules
diff --git a/barbican/common/policies/secretstores.py b/barbican/common/policies/secretstores.py
new file mode 100644
index 000000000..81a3c7770
--- /dev/null
+++ b/barbican/common/policies/secretstores.py
@@ -0,0 +1,33 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+    policy.RuleDefault('secretstores:get',
+                       'rule:admin'),
+    policy.RuleDefault('secretstores:get_global_default',
+                       'rule:admin'),
+    policy.RuleDefault('secretstores:get_preferred',
+                       'rule:admin'),
+    policy.RuleDefault('secretstore_preferred:post',
+                       'rule:admin'),
+    policy.RuleDefault('secretstore_preferred:delete',
+                       'rule:admin'),
+    policy.RuleDefault('secretstore:get',
+                       'rule:admin'),
+]
+
+
+def list_rules():
+    return rules
diff --git a/barbican/common/policies/transportkeys.py b/barbican/common/policies/transportkeys.py
new file mode 100644
index 000000000..d9bab4e2d
--- /dev/null
+++ b/barbican/common/policies/transportkeys.py
@@ -0,0 +1,29 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+    policy.RuleDefault('transport_key:get',
+                       'rule:all_users'),
+    policy.RuleDefault('transport_key:delete',
+                       'rule:admin'),
+    policy.RuleDefault('transport_keys:get',
+                       'rule:all_users'),
+    policy.RuleDefault('transport_keys:post',
+                       'rule:admin'),
+]
+
+
+def list_rules():
+    return rules
diff --git a/barbican/common/policies/versions.py b/barbican/common/policies/versions.py
new file mode 100644
index 000000000..df6b14571
--- /dev/null
+++ b/barbican/common/policies/versions.py
@@ -0,0 +1,23 @@
+#  Licensed under the Apache License, Version 2.0 (the "License"); you may
+#  not use this file except in compliance with the License. You may obtain
+#  a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#  License for the specific language governing permissions and limitations
+#  under the License.
+
+from oslo_policy import policy
+
+
+rules = [
+    policy.RuleDefault('version:get',
+                       '@')
+]
+
+
+def list_rules():
+    return rules
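Review bot: `'@'` on the `version:get` rule is oslo.policy's always-allow check string, which makes this the one rule in the series that admits unauthenticated callers, and nothing in the hunk says so. I would add `# '@' is oslo.policy's always-allow check: version discovery is intentionally unauthenticated` above the `RuleDefault` so an operator reading this file or the generated policy.yaml.sample does not mistake it for a typo or tighten it by accident.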
diff --git a/etc/oslo-config-generator/policy.conf b/etc/oslo-config-generator/policy.conf
new file mode 100644
index 000000000..8fffdef34
--- /dev/null
+++ b/etc/oslo-config-generator/policy.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+output_file = etc/barbican/policy.yaml.sample
+namespace = barbican
diff --git a/releasenotes/notes/oslopolicy-genscripts-1a7b364b8ffd7c3f.yaml b/releasenotes/notes/oslopolicy-genscripts-1a7b364b8ffd7c3f.yaml
new file mode 100644
index 000000000..35a4f886d
--- /dev/null
+++ b/releasenotes/notes/oslopolicy-genscripts-1a7b364b8ffd7c3f.yaml
@@ -0,0 +1,8 @@
+---
+features:
+  - Maintain the policy rules in code and add an oslo.policy CLI script
+    in tox to generate policy sample file.
+
+    The script can be called like
+    "oslopolicy-sample-generator --config-file=etc/oslo-config-generator/policy.conf"
+    and will generate a policy.yaml.sample file with the effective policy.
diff --git a/setup.cfg b/setup.cfg
index 5164f6184..d0f81c52f 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -28,6 +28,9 @@ dogtag =
   dogtag-pki>=10.3.5.1 # LGPLv3+
 
 [entry_points]
+oslo.policy.policies =
+    barbican = barbican.common.policies:list_rules
+
 console_scripts =
     barbican-manage = barbican.cmd.barbican_manage:main
     barbican-db-manage = barbican.cmd.db_manage:main
diff --git a/tox.ini b/tox.ini
index da517db61..a93eab5ac 100644
--- a/tox.ini
+++ b/tox.ini
@@ -124,5 +124,8 @@ commands = sphinx-build -a -E -W -d install-guide/build/doctrees -b html install
 deps = bindep
 commands = bindep test
 
+[testenv:genpolicy]
+commands = oslopolicy-sample-generator --config-file=etc/oslo-config-generator/policy.conf
+
 [hacking]
 local-check-factory = barbican.hacking.checks.factory