Comment 16 for bug 1819021

Ran An (an.ran) wrote :

barbican:
Running "openstack secret get <secret-href>" manually fails with the error "Secret retrieval attempt not allowed - please review your user/project privileges" after the barbican API is ready.
It should be an issue with the barbican policy configuration; the policy config should be fixed, or we do not support this case.

From the barbican-api log:
{"log":"2019-08-05 03:05:46.074 9 ERROR barbican.api.controllers [req-71a5f70c-ef7e-4a23-ae06-e7acdeedca76 64745dfc3d1a44cbbf9b8592ec950d7e 94b67db79b544a13b8bda20e0612e360 - default default] Secret retrieval attempt not allowed - please review your user/project privileges: PolicyNotAuthorized: secret:get is disallowed by policy\n","stream":"stdout","time":"2019-08-05T03:05:46.074915942Z"}

And the "secret:get" rule in the barbican-api policy config file is shown as follows:
"secret:get":"rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read",
"secret_creator_user":"user:%(target.secret.creator_id)s",
"secret_decrypt_non_private_read":"rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read",
"secret_non_private_read":"rule:all_users and rule:secret_project_match and not rule:secret_private_read",
"secret_private_read":"'False':%(target.secret.read_project_access)s",
"secret_project_admin":"rule:admin and rule:secret_project_match",
"secret_project_creator":"rule:creator and rule:secret_project_match and rule:secret_creator_user",
"secret_project_match":"project:%(target.secret.project_id)s",
"secrets:get":"rule:all_but_audit",
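The rule quoted above is evaluated by oslo.policy, and the log line only reports the final "disallowed" verdict. As an added example (not part of this bug report or of barbican's own code), the evaluator below mimics the oslo.policy rule language for exactly the quoted rules and reports which of the four branches of secret:get rejects a given caller. The helper rules admin, creator, all_users and secret_acl_read are assumed stand-ins, and the credential and target dicts are constructed samples (the target is already flattened to "target.secret.x" keys).

```python
import ast
# Rule bodies for secret:get and its helpers are those quoted in the comment above;
# admin, creator, all_users and secret_acl_read are ASSUMED stand-ins ("!" is
# oslo.policy's always-false rule), not necessarily barbican's shipped defaults.
RULES = {
    "secret:get": "rule:secret_non_private_read or rule:secret_project_creator "
                  "or rule:secret_project_admin or rule:secret_acl_read",
    "secret_creator_user": "user:%(target.secret.creator_id)s",
    "secret_non_private_read": "rule:all_users and rule:secret_project_match "
                               "and not rule:secret_private_read",
    "secret_private_read": "'False':%(target.secret.read_project_access)s",
    "secret_project_admin": "rule:admin and rule:secret_project_match",
    "secret_project_creator": "rule:creator and rule:secret_project_match "
                              "and rule:secret_creator_user",
    "secret_project_match": "project:%(target.secret.project_id)s",
    "admin": "role:admin",
    "creator": "role:creator",
    "all_users": "rule:admin or rule:creator or role:observer or role:audit",
    "secret_acl_read": "!",
}

def check(atom, creds, target):
    # One kind:match atom, as oslo.policy's RuleCheck / RoleCheck / GenericCheck do it.
    if atom == "!":
        return False
    kind, match = atom.split(":", 1)
    if kind == "rule":
        return evaluate(RULES[match], creds, target)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    try:
        value = match % target         # target is the flattened "target.secret.x" dict
        left = ast.literal_eval(kind)  # quoted literal such as 'False'
    except KeyError:
        return False                   # attribute missing from the target
    except ValueError:
        left = creds.get(kind, object())  # else a credential key such as "project"
    return value == str(left)

def evaluate(rule, creds, target):
    # oslo.policy precedence: "not" binds tightest, then "and", then "or";
    # the quoted rules use no parentheses, so plain splitting suffices here.
    for disjunct in rule.split(" or "):
        if all(check(c[4:] if c.startswith("not ") else c, creds, target)
               != c.startswith("not ") for c in disjunct.split(" and ")):
            return True
    return False

def denied_branches(creds, target):
    # Name each disjunct of secret:get that fails; the API log only says "disallowed".
    return [d for d in RULES["secret:get"].split(" or ") if not evaluate(d, creds, target)]
```

A caller with only a plain "member" role fails all four branches, which is the situation the quoted log line reports; a "creator" in the secret's project passes via secret_non_private_read unless the secret is private, in which case only its creator (or an admin of that project) gets through.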