From 2cb3d4154443f055b41ec352c575fb49ceedd177 Mon Sep 17 00:00:00 2001
From: Phil Sphicas <phil.sphicas@att.com>
Date: Thu, 16 Jan 2020 14:54:35 -0800
Subject: [PATCH] barbican: fix values overrides for stein and ocata

When the default release was switched from ocata to stein, some of the
policies were duplicated. This moves the ocata overrides back to where
they belong, and adds overrides for pike, queens, and rocky.

Change-Id: I342d69e721b2692987951055e41ed5e153a91d6c
---
 barbican/values.yaml                  | 4 ----
 barbican/values_overrides/ocata.yaml  | 6 ++++++
 barbican/values_overrides/pike.yaml   | 6 ++++++
 barbican/values_overrides/queens.yaml | 6 ++++++
 barbican/values_overrides/rocky.yaml  | 6 ++++++
 5 files changed, 24 insertions(+), 4 deletions(-)
 create mode 100644 barbican/values_overrides/ocata.yaml
 create mode 100644 barbican/values_overrides/pike.yaml
 create mode 100644 barbican/values_overrides/queens.yaml
 create mode 100644 barbican/values_overrides/rocky.yaml

diff --git a/barbican/values.yaml b/barbican/values.yaml
index e12f89b6ce..aef40919a5 100644
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@@ -322,14 +322,10 @@ conf:
     admin_or_creator: rule:admin or rule:creator
     all_but_audit: rule:admin or rule:observer or rule:creator
     all_users: rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin
-    secret_project_match: project:%(target.secret.project_id)s
     secret_acl_read: "'read':%(target.secret.read)s"
     secret_private_read: "'False':%(target.secret.read_project_access)s"
-    secret_creator_user: user:%(target.secret.creator_id)s
-    container_project_match: project:%(target.container.project_id)s
     container_acl_read: "'read':%(target.container.read)s"
     container_private_read: "'False':%(target.container.read_project_access)s"
-    container_creator_user: user:%(target.container.creator_id)s
     secret_non_private_read: rule:all_users and rule:secret_project_match and not rule:secret_private_read
     secret_decrypt_non_private_read: rule:all_but_audit and rule:secret_project_match
       and not rule:secret_private_read
diff --git a/barbican/values_overrides/ocata.yaml b/barbican/values_overrides/ocata.yaml
new file mode 100644
index 0000000000..5687ec9ef9
--- /dev/null
+++ b/barbican/values_overrides/ocata.yaml
@@ -0,0 +1,6 @@
+conf:
+  policy:
+    secret_project_match: project:%(target.secret.project_id)s
+    secret_creator_user: user:%(target.secret.creator_id)s
+    container_project_match: project:%(target.container.project_id)s
+    container_creator_user: user:%(target.container.creator_id)s
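Review bot: The new ocata.yaml defines four authorization rules with no comment saying why this release needs the `project:` / `user:` form, and pike.yaml, queens.yaml and rocky.yaml repeat the same six lines (all four show blob 5687ec9ef9). Rules kept in values.yaml, such as `secret_non_private_read`, still reference `rule:secret_project_match`, so these overrides decide who passes the project and creator checks on secrets and containers. A deployment of one of these releases that omits its override file would presumably run with the default definitions, which are outside this diff; it is worth confirming that this case denies access rather than matching more loosely. I would add a header comment to each file, e.g. `# ocata through rocky match on the 'project'/'user' credential keys; keep these four override files identical.`, and state in the chart documentation that the override is required for these releases.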
diff --git a/barbican/values_overrides/pike.yaml b/barbican/values_overrides/pike.yaml
new file mode 100644
index 0000000000..5687ec9ef9
--- /dev/null
+++ b/barbican/values_overrides/pike.yaml
@@ -0,0 +1,6 @@
+conf:
+  policy:
+    secret_project_match: project:%(target.secret.project_id)s
+    secret_creator_user: user:%(target.secret.creator_id)s
+    container_project_match: project:%(target.container.project_id)s
+    container_creator_user: user:%(target.container.creator_id)s
diff --git a/barbican/values_overrides/queens.yaml b/barbican/values_overrides/queens.yaml
new file mode 100644
index 0000000000..5687ec9ef9
--- /dev/null
+++ b/barbican/values_overrides/queens.yaml
@@ -0,0 +1,6 @@
+conf:
+  policy:
+    secret_project_match: project:%(target.secret.project_id)s
+    secret_creator_user: user:%(target.secret.creator_id)s
+    container_project_match: project:%(target.container.project_id)s
+    container_creator_user: user:%(target.container.creator_id)s
diff --git a/barbican/values_overrides/rocky.yaml b/barbican/values_overrides/rocky.yaml
new file mode 100644
index 0000000000..5687ec9ef9
--- /dev/null
+++ b/barbican/values_overrides/rocky.yaml
@@ -0,0 +1,6 @@
+conf:
+  policy:
+    secret_project_match: project:%(target.secret.project_id)s
+    secret_creator_user: user:%(target.secret.creator_id)s
+    container_project_match: project:%(target.container.project_id)s
+    container_creator_user: user:%(target.container.creator_id)s