Currently a secret can be orphan, if the project that owns it
is deleted by an user that doesn`t have permission on the
project.[1]
The orphan secret cannot be deleted because the current rule
enforces a scoped token on that project to delete it (that
doesn't exist anymore).
To solve this issue, it's necessary to override the secret:delete
policy rule to allow the cloud admin to delete it.
The secret:get policy rule also needed to be changed because the
Python Barbican client gets the secret to check if it has
consumers before actually deleting it. This patch is making these
updates by default
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1932705
Co-author: Mauricio Harley <mharley@redhat.com>
Change-Id: Id755a9efd896b900d31eca93c0136398ed1925b8
(cherry picked from commit 57d7ff378a)
(cherry picked from commit 00274b2f07)
9c8fb8c3a9