Implementing Granular User Permission Controls for Secrets API endpoints

Why are we doing this work

This issue aims to implement permission checks that verify user access rights before allowing any Create, Read, Update, or Delete operations on the secrets page.

Relevant links

Discussion link: #470366 (comment 2365287030)

Non-functional requirements

Add details for required items and delete others.

  • Documentation:
  • Feature flag: N/A
  • Performance: N/A
  • Testing: N/A

Implementation plan

  1. The permissions are saved as policies inside OpenBao in the following structure:

    project_{id}/users/roles/<role-id> (role-id is internally mapped inside secret_permission.rb)

    project_{id}/users/direct/{custom_role,group,user}_{id}

  2. For owners, create an owner-role policy when enabling the secrets manager; this policy can read metadata in the mount and write on secrets.

  3. We will be using additive permissions.

    User permission = User permissions + Group permissions + Role permissions

  4. Create a UserJWT and add the associated policies to it.
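
A sketch of steps 1, 3 and 4 together, added here as an illustration and not taken from the GitLab code base: it builds the policy names to attach to one user's JWT from the path structure above and resolves the additive result as a union. The module, method and argument names are hypothetical, the sample policies are constructed, and numeric ids are an assumption.

```ruby
require 'set'

# Added illustration; module, method and argument names are hypothetical,
# and numeric ids are an assumption.
module SecretPolicyNames
  DIRECT_TYPES = %i[custom_role group user].freeze

  # Integer() rejects values such as "5/*", so an id cannot alter the path.
  def self.id!(value)
    n = Integer(value)
    raise ArgumentError, "id must be positive: #{value.inspect}" unless n.positive?
    n
  end

  def self.role(project_id, role_id)
    "project_#{id!(project_id)}/users/roles/#{id!(role_id)}"
  end

  def self.direct(project_id, type, principal_id)
    raise ArgumentError, "unknown type: #{type.inspect}" unless DIRECT_TYPES.include?(type)
    "project_#{id!(project_id)}/users/direct/#{type}_#{id!(principal_id)}"
  end

  # Policy names to attach to one user's JWT: role + user + groups (+ custom role).
  def self.for_user(project_id:, user_id:, role_id:, group_ids: [], custom_role_id: nil)
    names = [role(project_id, role_id), direct(project_id, :user, user_id)]
    names += group_ids.map { |g| direct(project_id, :group, g) }
    names << direct(project_id, :custom_role, custom_role_id) if custom_role_id
    names.uniq
  end
end

# Additive model: the effective set is the union of every attached policy.
# A policy name with no stored policy contributes nothing (default deny).
def effective_permissions(policy_names, stored_policies)
  policy_names.reduce(Set.new) { |acc, name| acc | stored_policies.fetch(name, Set.new) }
end

# Constructed sample: which operations each stored policy grants.
SAMPLE_POLICIES = {
  'project_7/users/roles/30'       => Set[:read],
  'project_7/users/direct/group_5' => Set[:read, :update],
  'project_7/users/direct/user_42' => Set[:delete]
}.freeze
```

Because the model is additive, no attached policy can subtract a permission; revoking access means removing the grant from every policy the user resolves to.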

Verification steps

Verify the right permissions are used when accessing a secret.

Edited by Shabini Rajadas