Default policy does not allow secrets to be deleted by non-admin creator

Bug #1475962 reported by Michael Durrant
Affects: Barbican | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Currently - "secret:delete": "rule:admin and rule:secret_project_match"
What I believe it should be - "secret:delete": "rule:admin_or_creator_role and rule:secret_project_match"

Please let me know if this was intentional or if I'm missing something.

Thanks,
Michael

summary changed: "Default policy does not allow secrets to be deleted by non-admin creator" → "Default policy does not allow elements to be deleted by non-admin creator"
summary changed: "Default policy does not allow elements to be deleted by non-admin creator" → "Default policy does not allow secrets to be deleted by non-admin creator"
Dave McCowan (dave-mccowan) wrote :

This is absolutely intentional. Secrets are precious. They could be a decryption key for terabytes of irreplaceable data. To prevent the chance for accidental loss, the default policy for delete is admin only.

Douglas Mendizábal (dougmendizabal) wrote :

Default policy defines 4 roles, each with different permissions. The "admin" role is allowed to get metadata, decrypt the secret, upload new secrets, and delete secrets. The "creator" role allows for all those same actions except for delete.

There are use cases where you may want a user to be able to upload a secret, but not be able to delete it. One that comes to mind is for an automation system that creates keys (or passwords, etc.) that is allowed to push those secrets to Barbican. Deletions should not be allowed by that same user, since we wouldn't want a bug in the automation system to run amok and delete a bunch of secrets.

In order to allow for such a use case, the "creator" role is necessary. Note that a project can have an arbitrary number of admins, so if you need to allow someone to delete secrets, they should be granted the admin role on the project.
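
The difference between the default rule and the reporter's proposed rule can be checked mechanically. The following is an added example for this page, not code from Barbican, oslo.policy, or any participant in the thread: a small evaluator for the `rule:` / `role:` / `and` / `or` rule-string syntax quoted above. Only the `"secret:delete"` strings and the name `admin_or_creator_role` come from the bug report; the definitions of `admin`, `creator`, `admin_or_creator_role` and `secret_project_match`, and the sample credentials and secret, are constructed assumptions for the illustration.

```python
"""Minimal evaluator for the policy rule strings quoted in this bug.

Illustrative re-implementation only; it is not oslo.policy and not Barbican's
policy engine. Supported syntax: 'rule:<name>', 'role:<name>',
'<cred_key>:<literal>' or '<cred_key>:%(target.path)s', joined with 'and' / 'or'
('and' binds tighter than 'or'). Parentheses are not supported.
"""
import re

# Constructed policy in the shape of a Barbican policy.json. The two
# "secret:delete" strings are quoted in the bug; the other rule bodies are
# assumptions made for this example.
DEFAULT_POLICY = {
    "admin": "role:admin",
    "creator": "role:creator",
    "admin_or_creator_role": "rule:admin or rule:creator",
    "secret_project_match": "project_id:%(target.secret.project_id)s",
    "secret:delete": "rule:admin and rule:secret_project_match",   # default (as quoted)
}

# The reporter's proposed change (as quoted), everything else unchanged.
PROPOSED_POLICY = dict(
    DEFAULT_POLICY,
    **{"secret:delete": "rule:admin_or_creator_role and rule:secret_project_match"}
)


class _Parser:
    """Recursive-descent parser producing a small tuple AST."""

    def __init__(self, text):
        self.tokens = text.split()
        self.pos = 0

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self):
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok

    def parse(self):
        node = self._or()
        if self._peek() is not None:
            raise ValueError("trailing tokens in rule: %r" % self.tokens[self.pos:])
        return node

    def _or(self):
        node = self._and()
        while self._peek() == "or":
            self._next()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._atom()
        while self._peek() == "and":
            self._next()
            node = ("and", node, self._atom())
        return node

    def _atom(self):
        kind, _, value = self._next().partition(":")
        return ("check", kind, value)


def _lookup(target, dotted):
    """Resolve a dotted path such as 'target.secret.project_id' against target."""
    cur = {"target": target}
    for part in dotted.split("."):
        cur = cur[part]
    return cur


def _evaluate(node, policy, creds, target):
    op = node[0]
    if op == "and":
        return _evaluate(node[1], policy, creds, target) and _evaluate(node[2], policy, creds, target)
    if op == "or":
        return _evaluate(node[1], policy, creds, target) or _evaluate(node[2], policy, creds, target)
    _, kind, value = node
    if kind == "rule":                       # reference to another named rule
        return _evaluate(_Parser(policy[value]).parse(), policy, creds, target)
    if kind == "role":                       # caller must hold the role
        return value in creds["roles"]
    m = re.fullmatch(r"%\((.+)\)s", value)   # compare a credential to a target attribute
    if m:
        return creds.get(kind) == _lookup(target, m.group(1))
    return creds.get(kind) == value          # compare a credential to a literal


def enforce(policy, action, creds, target):
    """Return True if creds may perform action on target under policy."""
    return _evaluate(_Parser(policy[action]).parse(), policy, creds, target)


# Constructed sample request: a secret owned by project p1 and three callers.
SECRET = {"secret": {"project_id": "p1"}}
CREATOR = {"roles": ["creator"], "project_id": "p1"}      # same project, creator only
ADMIN = {"roles": ["admin"], "project_id": "p1"}          # same project, admin
OTHER_ADMIN = {"roles": ["admin"], "project_id": "p2"}    # admin in a different project


def delete_decisions(policy):
    """Map each sample caller to whether it may delete SECRET under policy."""
    return {
        name: enforce(policy, "secret:delete", creds, SECRET)
        for name, creds in (("creator", CREATOR), ("admin", ADMIN), ("other_admin", OTHER_ADMIN))
    }


if __name__ == "__main__":
    print("default :", delete_decisions(DEFAULT_POLICY))
    print("proposed:", delete_decisions(PROPOSED_POLICY))
```

Under the default policy the same-project creator is denied and only the same-project admin is allowed; under the proposed rule the creator is allowed as well, while the admin from another project stays denied by `secret_project_match` in both cases. That is exactly the gap the thread discusses: the proposal widens delete from "admin" to "admin or creator" but does not change the project-scoping check.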

Changed in barbican:
status: New → Invalid