Update secret:delete policy to allow admin to delete secret

Currently a secret can be orphan, if the project that owns it
is deleted by a user that doesn't have permission on the
project.[1]
The orphan secret cannot be deleted because the current rule
enforces a scoped token on that project to delete it (that
doesn't exist anymore).
To solve this issue, it's necessary to override the secret:delete
policy rule to allow the cloud admin to delete it.
The secret:get policy rule also needed to be changed because the
Python Barbican client gets the secret to check if it has
consumers before actually deleting it. This patch is making these
updates by default.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1932705

Co-author: Mauricio Harley <mharley@redhat.com>
Change-Id: Id755a9efd896b900d31eca93c0136398ed1925b8
Andre Aranha 2023-05-24 13:19:12 +02:00 committed by Mauricio Harley
parent 116a9045eb
commit 57d7ff378a
1 changed files with 4 additions and 2 deletions

@ -83,7 +83,8 @@ rules = [
name='secret:get',
check_str=(
"True:%(enforce_new_defaults)s and "
"(rule:secret_project_admin or "
"(role:admin or "
"rule:secret_project_admin or "
"(rule:secret_project_member and rule:secret_owner) or "
"(rule:secret_project_member and rule:secret_is_not_private) or "
"rule:secret_acl_read)"),
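Review bot: the added `role:admin or` alternative in this check_str matches any token that carries the admin role, whatever project that token is scoped to, so the relaxation of secret:get is wider than the commit message describes: every project admin, not only the cloud admin, can now read the metadata of every secret in the deployment, not just orphaned ones. The message also says secret:get only needs to change because the client reads the secret before deleting it; either state in a comment next to the rule why no narrower match was possible, or add a release note so operators know the new default broadens read access.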
@ -118,7 +119,8 @@ rules = [
name='secret:delete',
check_str=(
"True:%(enforce_new_defaults)s and "
"(rule:secret_project_admin or "
"(role:admin or "
"rule:secret_project_admin or "
"(rule:secret_project_member and rule:secret_owner) or "
"(rule:secret_project_member and rule:secret_is_not_private))"),
scope_types=['project'],
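Review bot: `scope_types=['project']` is unchanged, so the cloud admin still has to present a project-scoped token to delete the orphaned secret, and the new `role:admin or` branch is satisfied by an admin token from any project; the effective change is therefore "any project admin may delete any secret", which is broader than the orphan case in the message. A release note documenting the new default is missing from this change (1 changed file, policy only), and a unit test exercising the orphaned-secret deletion with an admin token from a different project would pin down the intended behaviour.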