Update Barbican Orders policy for secure-rbac

This patch update the barbican policy for orders in the secure-rbac environment. The change was already implemented in barbican to fix an order access bug. Depends-On: Ie0e6f6edae40e47d45afbe92fd509032cb091b1a Change-Id: I4b61523d9169de4a82a9383def58710d303b3bcf (cherry picked from commit 1395d1c)
openstack-archive · Mar 1, 2022 · ccb4cfb · ccb4cfb
1 parent 3ad4133
commit ccb4cfb
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/environments/enable-secure-rbac.yaml b/environments/enable-secure-rbac.yaml
@@ -2996,6 +2996,9 @@ parameter_defaults:
     barbican-container_project_member:
       key: "container_project_member"
       value: "rule:member and project_id:%(target.container.project_id)s"
+    barbican-order_project_member:
+      key: "order_project_member"
+      value: "rule:member and project_id:%(target.order.project_id)s"
     barbican-secret_acls_get:
       key: "secret_acls:get"
       value: "rule:secret_project_member and (rule:secret_owner or rule:secret_is_not_private_read) or rule:secret_project_admin"
@@ -3055,10 +3058,10 @@ parameter_defaults:
       value: "rule:member"
     barbican-order_get:
       key: "order:get"
-      value: "rule:member"
+      value: "rule:order_project_member"
     barbican-order_delete:
       key: "order:delete"
-      value: "rule:member"
+      value: "rule:order_project_member"
     barbican-quotas_get:
       key: "quotas:get"
       value: "rule:reader"