From 57d7ff378a497af361c7597f2958f6cd4c0ce25b Mon Sep 17 00:00:00 2001
From: Andre Aranha
Date: Wed, 24 May 2023 13:19:12 +0200
Subject: [PATCH] Update secret:delete policy to allow admin to delete secret
Currently a secret can be orphan, if the project that owns it is deleted by an user that doesn`t have permission on the project.[1] The orphan secret cannot be deleted because the current rule enforces a scoped token on that project to delete it (that doesn't exist anymore). To solve this issue, it's necessary to override the secret:delete policy rule to allow the cloud admin to delete it. The secret:get policy rule also needed to be changed because the Python Barbican client gets the secret to check if it has consumers before actually deleting it. This patch is making these updates by default
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1932705
Co-author: Mauricio Harley
Change-Id: Id755a9efd896b900d31eca93c0136398ed1925b8
---
barbican/common/policies/secrets.py | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/barbican/common/policies/secrets.py b/barbican/common/policies/secrets.py
index 14e0f3dd2..1b47f8696 100644
--- a/barbican/common/policies/secrets.py
+++ b/barbican/common/policies/secrets.py
@@ -83,7 +83,8 @@ rules = [
 name='secret:get',
 check_str=(
 "True:%(enforce_new_defaults)s and "
- "(rule:secret_project_admin or "
+ "(role:admin or "
+ "rule:secret_project_admin or "
 "(rule:secret_project_member and rule:secret_owner) or "
 "(rule:secret_project_member and rule:secret_is_not_private) or "
 "rule:secret_acl_read)"),
@@ -118,7 +119,8 @@ rules = [
 name='secret:delete',
 check_str=(
 "True:%(enforce_new_defaults)s and "
- "(rule:secret_project_admin or "
+ "(role:admin or "
+ "rule:secret_project_admin or "
 "(rule:secret_project_member and rule:secret_owner) or "
 "(rule:secret_project_member and rule:secret_is_not_private))"),
 scope_types=['project'],
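Review bot: The bare `role:admin` alternative added in both hunks (secret:get at -83 and secret:delete at -118) is wider than the "cloud admin" the commit message describes: under oslo.policy a plain `role:admin` check is satisfied by any project-scoped token that carries the admin role, whichever project it is scoped to, so an admin of an unrelated project can now read the metadata of and delete secrets in every other project, whereas `rule:secret_project_admin` presumably binds the admin role to the secret's own project (its definition is outside the hunk). The `scope_types=['project']` line visible in the second hunk constrains only the token type, not which project the token belongs to, so it does not narrow this. If the intent is the deployment-level administrator only, a tighter form is `"(role:admin and system_scope:all) or "` with 'system' added to `scope_types` (how that behaves then depends on the deployment's enforce_scope setting); failing that, each check_str should carry a comment such as `# role:admin is deliberately not project-bound so orphaned secrets (owning project already deleted) can still be removed; see bug 1932705` so the widening is visible and not "tidied away" by a later reader. The `rules` list that holds both entries starts and ends outside the hunks.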