You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@jtopjian@ozerovandrei I analyzed the potential use cases. If we create an additional resource, which will set the ACLs, then there is a probability that there will be a gap between the secret creation and setting up the ACLs. During this gap the secret can be accessed by other users. This is different to manila shares ACLs, where the resource permissions are limited by default.
The barbican secret API allows to create the secret without the payload, then if there is no payload, it can be uploaded, but not updated. Using this behavior we can embed the ACL parameter into the secret resource and set ACLs during the resource creation:
@kayrus I guess that we could sacrifice the features that will come in case of decoupled resource (such as count, etc.) because of the security reasons that you explained.
Additional resources have to be introduced to cover the ACL functionality:
openstack_keymanager_secret_access_v1
openstack_keymanager_container_access_v1
Refs:
@jtopjian @ozerovandrei do you approve additional resources or should they be embedded in the source resources?
UPD: the default ACL, applied on the secret/container is https://docs.openstack.org/api-guide/key-manager/acls.html#default-acl :
The text was updated successfully, but these errors were encountered: