ACLs in Barbican may break the security model for the database when using PKCS#11

Bug #1637115 reported by Robert Clark
Affects: Barbican
Status: Won't Fix
Importance: High
Assigned to: Unassigned
Milestone: (not set)

Bug Description

From https://review.openstack.org/#/c/357978

1. Modification of ACLs in barbican database could compromise all secrets
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Risk: barbican has a feature that allows a tenant to grant another tenant access to a secret. This is controlled via a tenant mapping table within the barbican database. The implied security model of the barbican database (when running with PKCS#11) is that all cryptographic operations are performed in the HSM, so a confidentiality or integrity breach of the database will not directly result in secrets being compromised. However, if an attacker were able to modify the ACL mapping, they could grant a tenant access to any/all secrets stored in the HSM. Once the mapping is manipulated the attacker could retrieve secrets using the normal barbican API.
- Impact: All secrets stored in barbican are exposed.
- Likelihood: Medium
- Impact: High
- Overall Risk Rating: High
- Bug: <link to launchpad bug for this finding>
- Recommendation: Provide deployment guidance requiring strong controls securing access to the barbican database.

Dave McCowan (dave-mccowan) wrote :

We could sign the access and owner fields in the database to verify they have not been modified.

Changed in barbican:
status: New → Triaged
importance: Undecided → High
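One way to realise the tamper-evident ACL rows suggested in the comment above, as an added example that is not Barbican's own code: each grant carries an HMAC over its access and owner fields, computed with a key held outside the database, and the API refuses a grant whose MAC no longer matches. The column names, the key handling and the sample rows are assumptions for illustration.

```python
import hashlib
import hmac
import json

# Assumed column names for an ACL grant row; not Barbican's actual schema.
ACL_FIELDS = ("secret_id", "project_id", "operation", "creator_id")


def canonical_bytes(row: dict) -> bytes:
    """Serialise the protected fields in a fixed order so the MAC is stable."""
    payload = {k: row[k] for k in ACL_FIELDS}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_acl_row(row: dict, key: bytes) -> dict:
    """Return a copy of the row carrying an HMAC over its access/owner fields.
    The key must live outside the database (for instance wrapped by the HSM);
    a key readable by a DB attacker would let them re-sign edited rows."""
    tag = hmac.new(key, canonical_bytes(row), hashlib.sha256).hexdigest()
    return {**row, "acl_mac": tag}


def verify_acl_row(row: dict, key: bytes) -> bool:
    """Recompute the MAC and compare in constant time. Any edit to a protected
    field (e.g. project_id re-pointed at another tenant) makes this fail."""
    expected = hmac.new(key, canonical_bytes(row), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, row.get("acl_mac", ""))


def authorize_read(row: dict, requesting_project: str, key: bytes) -> bool:
    """Honour a grant only if the row is intact and names the requester."""
    if not verify_acl_row(row, key):
        return False  # unsigned or tampered row: deny (and alert in practice)
    return row["operation"] == "read" and row["project_id"] == requesting_project


def demo() -> tuple:
    """Constructed scenario: a legitimate grant, then the same row edited in the DB."""
    key = b"constructed-demo-key-not-for-production"
    row = sign_acl_row({"secret_id": "s-1", "project_id": "tenant-a",
                        "operation": "read", "creator_id": "user-1"}, key)
    tampered = {**row, "project_id": "other-tenant"}  # DB-level edit, MAC unchanged
    return (authorize_read(row, "tenant-a", key),
            authorize_read(tampered, "other-tenant", key))
```

The verification only detects tampering; the key still has to be kept out of reach of anyone who can write to the database, which is why the recommendation to control database access stands alongside it.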
Grzegorz Grasza (xek) wrote :

Closing out bugs created before migration to StoryBoard. Please re-open if you are of the opinion it is still current.

Changed in barbican:
status: Triaged → Won't Fix