barbican:
Running "openstack secret get <secret-href>" manually failed with the error "Secret retrieval attempt not allowed - please review your user/project privileges" after the barbican API was ready.
It should be an issue with the barbican policy configuration. The policy config should be fixed, or we do not support this case.
From the barbican-api log:
{"log":"2019-08-05 03:05:46.074 9 ERROR barbican.api.controllers [req-71a5f70c-ef7e-4a23-ae06-e7acdeedca76 64745dfc3d1a44cbbf9b8592ec950d7e 94b67db79b544a13b8bda20e0612e360 - default default] Secret retrieval attempt not allowed - please review your user/project privileges: PolicyNotAuthorized: secret:get is disallowed by policy\n","stream":"stdout","time":"2019-08-05T03:05:46.074915942Z"}
And "secret:get" in the barbican-api policy config file is shown as follows:
"secret:get":"rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
"secret_creator_user":"user:%(target.secret.creator_id)s",
"secret_decrypt_non_private_read":"rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read",
"secret_non_private_read":"rule:all_users and rule:secret_project_match and not rule:secret_private_read",
"secret_private_read":"'False':%(target.secret.read_project_access)s",
"secret_project_admin":"rule:admin and rule:secret_project_match",
"secret_project_creator":"rule:creator and rule:secret_project_match and rule:secret_creator_user",
"secret_project_match":"project:%(target.secret.project_id)s",
"secrets:get":"rule:all_but_audit",