acl get policy breaks octavia and not working as expected

Bug #2069378 reported by Sam Morrison
Affects: Barbican | Status: New | Importance: Undecided | Assigned to: Douglas Mendizábal | Milestone: (not set)

Bug Description

Steps to reproduce:

Environment:
Barbican 2024.1 with enforce_new_defaults=True
2 users in the same project with member role each

user 1: create a secret with default acl, e.g. {"read": {"project-access": true}}

user 2: can decrypt secret but can't read the acl (openstack acl get)

The policy is:
"True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))"

Which should allow user 2 to read the acl; however, a 403 is returned.

The rule:secret_is_not_private part doesn't seem to be working as expected. Removing this part makes the call work.

This is an issue as when creating an Octavia listener with a Barbican secret it will fail, as Octavia attempts to GET the acl.
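The policy string quoted above is an oslo.policy rule expression, and the report does not say why rule:secret_is_not_private evaluates false for user 2. As an added example (not part of this bug report, and not Barbican or oslo.policy code), here is a small evaluator for that rule language that lets you test the quoted rule offline against constructed credentials and targets. The sub-rule definitions (secret_project_admin, secret_project_member, secret_owner, secret_is_not_private), the flattened target.secret.* attribute names and the sample users are assumptions made for this example, modelled on how Barbican names such things, not copied from the page; substitute the deployment's actual policy.yaml entries before drawing conclusions about the bug.

```python
"""
Offline evaluator for the secret_acls:get rule quoted in the bug report.

This is a deliberately small re-implementation of the oslo.policy rule
language (and/or/not, parentheses, rule:, role:, and generic key:%(attr)s
checks). It is example code, not oslo.policy itself and not Barbican code.
"""
import re

# A token is "(", ")", or a run of non-space, non-paren characters in which
# a "%(...)" substitution is kept intact, so "True:%(x)s" stays one token.
_TOKEN = re.compile(r"\(|\)|(?:%\([^)]*\)|[^\s()])+")


class MiniPolicy:
    def __init__(self, rules):
        self.rules = rules  # rule name -> rule expression string

    def enforce(self, rule_name, creds, target):
        expr = self.rules.get(rule_name)
        if expr is None:  # an undefined rule evaluates to False
            return False
        tokens = _TOKEN.findall(expr)
        result, pos = self._parse_or(tokens, 0, creds, target)
        if pos != len(tokens):
            raise ValueError("unparsed tokens in rule %r" % rule_name)
        return result

    def _parse_or(self, tokens, pos, creds, target):
        left, pos = self._parse_and(tokens, pos, creds, target)
        while pos < len(tokens) and tokens[pos].lower() == "or":
            right, pos = self._parse_and(tokens, pos + 1, creds, target)
            left = left or right
        return left, pos

    def _parse_and(self, tokens, pos, creds, target):
        left, pos = self._parse_not(tokens, pos, creds, target)
        while pos < len(tokens) and tokens[pos].lower() == "and":
            right, pos = self._parse_not(tokens, pos + 1, creds, target)
            left = left and right
        return left, pos

    def _parse_not(self, tokens, pos, creds, target):
        if pos >= len(tokens):
            raise ValueError("unexpected end of rule")
        if tokens[pos].lower() == "not":
            value, pos = self._parse_not(tokens, pos + 1, creds, target)
            return (not value), pos
        if tokens[pos] == "(":
            value, pos = self._parse_or(tokens, pos + 1, creds, target)
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses")
            return value, pos + 1
        return self._check(tokens[pos], creds, target), pos + 1

    def _check(self, token, creds, target):
        kind, _, match = token.partition(":")
        if kind == "rule":
            return self.enforce(match, creds, target)
        if kind == "role":
            return match.lower() in [r.lower() for r in creds.get("roles", [])]
        # Generic check: expand %(attr)s from the target. A target that lacks
        # the attribute makes the check False instead of raising.
        try:
            expanded = match % target
        except KeyError:
            return False
        if kind in creds:           # e.g. project_id:%(target.secret.project_id)s
            return expanded == str(creds[kind])
        return expanded == kind     # e.g. True:%(target.secret.read_project_access)s


RULES = {
    # Verbatim from the bug report.
    "secret_acls:get": "True:%(enforce_new_defaults)s and (rule:secret_project_admin or (rule:secret_project_member and rule:secret_owner) or (rule:secret_project_member and rule:secret_is_not_private))",
    # ASSUMED sub-rule definitions for this example (check policy.yaml).
    "secret_project_admin": "role:admin and project_id:%(target.secret.project_id)s",
    "secret_project_member": "role:member and project_id:%(target.secret.project_id)s",
    "secret_owner": "user_id:%(target.secret.creator_id)s",
    "secret_is_not_private": "True:%(target.secret.read_project_access)s",
}

# Constructed sample credentials (assumed shapes, not real identities).
USER1 = {"user_id": "user-1", "project_id": "proj-a", "roles": ["member", "reader"]}
USER2 = {"user_id": "user-2", "project_id": "proj-a", "roles": ["member", "reader"]}
OTHER_PROJECT_ADMIN = {"user_id": "user-9", "project_id": "proj-b", "roles": ["admin", "member"]}


def build_target(secret_attrs):
    """Flatten secret attributes into the assumed target.secret.* keys."""
    target = {"enforce_new_defaults": True}
    for key, value in secret_attrs.items():
        target["target.secret." + key] = value
    return target


def can_read_acl(creds, target):
    return MiniPolicy(RULES).enforce("secret_acls:get", creds, target)


if __name__ == "__main__":
    shared = build_target({"project_id": "proj-a", "creator_id": "user-1", "read_project_access": True})
    private = build_target({"project_id": "proj-a", "creator_id": "user-1", "read_project_access": False})
    missing = build_target({"project_id": "proj-a", "creator_id": "user-1"})
    for label, creds, target in [("user2/shared", USER2, shared), ("user2/private", USER2, private),
                                 ("user2/attr-missing", USER2, missing), ("owner/private", USER1, private)]:
        print(label, "->", "allowed" if can_read_acl(creds, target) else "403")
```

With these assumed definitions, user 2 is allowed when the target carries target.secret.read_project_access=True, denied when it is False, and also denied when the attribute is absent from the target altogether, because a generic check whose substitution key is missing evaluates to False. That last case is worth ruling out whenever a rule that reads as permissive still produces a 403; the same evaluator can be pointed at the secret_acls:put_patch and secret_acls:delete rules once their strings are taken from the deployment.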

Revision history for this message
Sam Morrison (sorrison) wrote :

Should also mention this also affects the secret_acls:put_patch and secret_acls:delete rules too, which need to change to allow Octavia to work.

Changed in barbican:
assignee: nobody → Douglas Mendizábal (dougmendizabal)