#"admin": "role:admin or is_admin:True" #"owner": "project_id:%(tenant_id)s" #"admin_or_owner": "rule:admin or rule:owner" #"default": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "default":"rule:admin_or_owner" has been deprecated since W in favor # of "default":"(role:admin and system_scope:all) or (role:member and # project_id:%(project_id)s)". # The designate API now supports system scope and default roles. # Create blacklist. # POST /v2/blacklists # Intended scope(s): system #"create_blacklist": "role:admin and system_scope:all" # DEPRECATED # "create_blacklist":"rule:admin" has been deprecated since W in favor # of "create_blacklist":"role:admin and system_scope:all". # The blacklist API now supports system scope and default roles. # Find blacklists. # GET /v2/blacklists # Intended scope(s): system #"find_blacklists": "role:reader and system_scope:all" # DEPRECATED # "find_blacklists":"rule:admin" has been deprecated since W in favor # of "find_blacklists":"role:reader and system_scope:all". # The blacklist API now supports system scope and default roles. # Get blacklist. # GET /v2/blacklists/{blacklist_id} # Intended scope(s): system #"get_blacklist": "role:reader and system_scope:all" # DEPRECATED # "get_blacklist":"rule:admin" has been deprecated since W in favor of # "get_blacklist":"role:reader and system_scope:all". # The blacklist API now supports system scope and default roles. # Update blacklist. # PATCH /v2/blacklists/{blacklist_id} # Intended scope(s): system #"update_blacklist": "role:admin and system_scope:all" # DEPRECATED # "update_blacklist":"rule:admin" has been deprecated since W in favor # of "update_blacklist":"role:admin and system_scope:all". # The blacklist API now supports system scope and default roles. # Delete blacklist. # DELETE /v2/blacklists/{blacklist_id} # Intended scope(s): system #"delete_blacklist": "role:admin and system_scope:all" # DEPRECATED # "delete_blacklist":"rule:admin" has been deprecated since W in favor # of "delete_blacklist":"role:admin and system_scope:all". # The blacklist API now supports system scope and default roles. # Allowed bypass the blacklist. # POST /v2/zones # Intended scope(s): system #"use_blacklisted_zone": "role:admin and system_scope:all" # DEPRECATED # "use_blacklisted_zone":"rule:admin" has been deprecated since W in # favor of "use_blacklisted_zone":"role:admin and system_scope:all". # The blacklist API now supports system scope and default roles. # Action on all tenants. # Intended scope(s): system #"all_tenants": "role:admin and system_scope:all" # DEPRECATED # "all_tenants":"rule:admin" has been deprecated since W in favor of # "all_tenants":"role:admin and system_scope:all". # The designate API now supports system scope and default roles. # Edit managed records. # Intended scope(s): system #"edit_managed_records": "role:admin and system_scope:all" # DEPRECATED # "edit_managed_records":"rule:admin" has been deprecated since W in # favor of "edit_managed_records":"role:admin and system_scope:all". # The designate API now supports system scope and default roles. # Use low TTL. # Intended scope(s): system #"use_low_ttl": "role:admin and system_scope:all" # DEPRECATED # "use_low_ttl":"rule:admin" has been deprecated since W in favor of # "use_low_ttl":"role:admin and system_scope:all". # The designate API now supports system scope and default roles. # Accept sudo from user to tenant. # Intended scope(s): system #"use_sudo": "role:admin and system_scope:all" # DEPRECATED # "use_sudo":"rule:admin" has been deprecated since W in favor of # "use_sudo":"role:admin and system_scope:all". # The designate API now supports system scope and default roles. # Clean backend resources associated with zone # Intended scope(s): system #"hard_delete": "role:admin and system_scope:all" # DEPRECATED # "hard_delete":"rule:admin" has been deprecated since W in favor of # "hard_delete":"role:admin and system_scope:all". # The designate API now supports system scope and default roles. # Create pool. # Intended scope(s): system #"create_pool": "role:admin and system_scope:all" # DEPRECATED # "create_pool":"rule:admin" has been deprecated since W in favor of # "create_pool":"role:admin and system_scope:all". # The pool API now supports system scope and default roles. # Find pool. # GET /v2/pools # Intended scope(s): system #"find_pools": "role:reader and system_scope:all" # DEPRECATED # "find_pools":"rule:admin" has been deprecated since W in favor of # "find_pools":"role:reader and system_scope:all". # The pool API now supports system scope and default roles. # Find pools. # GET /v2/pools # Intended scope(s): system #"find_pool": "role:reader and system_scope:all" # DEPRECATED # "find_pool":"rule:admin" has been deprecated since W in favor of # "find_pool":"role:reader and system_scope:all". # The pool API now supports system scope and default roles. # Get pool. # GET /v2/pools/{pool_id} # Intended scope(s): system #"get_pool": "role:reader and system_scope:all" # DEPRECATED # "get_pool":"rule:admin" has been deprecated since W in favor of # "get_pool":"role:reader and system_scope:all". # The pool API now supports system scope and default roles. # Update pool. # Intended scope(s): system #"update_pool": "role:admin and system_scope:all" # DEPRECATED # "update_pool":"rule:admin" has been deprecated since W in favor of # "update_pool":"role:admin and system_scope:all". # The pool API now supports system scope and default roles. # Delete pool. # Intended scope(s): system #"delete_pool": "role:admin and system_scope:all" # DEPRECATED # "delete_pool":"rule:admin" has been deprecated since W in favor of # "delete_pool":"role:admin and system_scope:all". # The pool API now supports system scope and default roles. # load and set the pool to the one provided in the Zone attributes. # POST /v2/zones # Intended scope(s): system #"zone_create_forced_pool": "role:admin and system_scope:all" # DEPRECATED # "zone_create_forced_pool":"rule:admin" has been deprecated since W # in favor of "zone_create_forced_pool":"role:admin and # system_scope:all". # The pool API now supports system scope and default roles. # View Current Project's Quotas. # GET /v2/quotas # Intended scope(s): system, project #"get_quotas": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)" # DEPRECATED # "get_quotas":"rule:admin_or_owner" has been deprecated since W in # favor of "get_quotas":"(role:reader and system_scope:all) or # (role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s # and role:reader)". # The quota API now supports system scope and default roles. # Set Quotas. # PATCH /v2/quotas/{project_id} # Intended scope(s): system #"set_quota": "role:admin and system_scope:all" # DEPRECATED # "set_quota":"rule:admin" has been deprecated since W in favor of # "set_quota":"role:admin and system_scope:all". # The quota API now supports system scope and default roles. # Reset Quotas. # DELETE /v2/quotas/{project_id} # Intended scope(s): system #"reset_quotas": "role:admin and system_scope:all" # DEPRECATED # "reset_quotas":"rule:admin" has been deprecated since W in favor of # "reset_quotas":"role:admin and system_scope:all". # The quota API now supports system scope and default roles. # Find records. # GET /v2/reverse/floatingips/{region}:{floatingip_id} # GET /v2/reverse/floatingips # Intended scope(s): system, project #"find_records": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "find_records":"rule:admin_or_owner" has been deprecated since W in # favor of "find_records":"(role:reader and system_scope:all) or # (role:reader and project_id:%(project_id)s)". # The records API now supports system scope and default roles. # Intended scope(s): system, project #"count_records": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "count_records":"rule:admin_or_owner" has been deprecated since W in # favor of "count_records":"(role:reader and system_scope:all) or # (role:reader and project_id:%(project_id)s)". # The records API now supports system scope and default roles. # Create Recordset # POST /v2/zones/{zone_id}/recordsets # Intended scope(s): system, project #"create_recordset": "(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s) or ("True":%(zone_shared)s) and ('PRIMARY':%(zone_type)s)" # DEPRECATED # "create_recordset":"('PRIMARY':%(zone_type)s AND # (rule:admin_or_owner OR 'True':%(zone_shared)s)) OR # ('SECONDARY':%(zone_type)s AND is_admin:True)" has been deprecated # since W in favor of "create_recordset":"(role:member and # project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or # (role:admin and system_scope:all) and ('PRIMARY':%(zone_type)s) or # (role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s) or # ("True":%(zone_shared)s) and ('PRIMARY':%(zone_type)s)". # The record set API now supports system scope and default roles. # Intended scope(s): system, project #"get_recordsets": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "get_recordsets":"rule:admin_or_owner" has been deprecated since W # in favor of "get_recordsets":"(role:reader and system_scope:all) or # (role:reader and project_id:%(project_id)s)". # The record set API now supports system scope and default roles. # Get recordset # GET /v2/zones/{zone_id}/recordsets/{recordset_id} # Intended scope(s): system, project #"get_recordset": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or ("True":%(zone_shared)s)" # DEPRECATED # "get_recordset":"rule:admin_or_owner or ("True":%(zone_shared)s)" # has been deprecated since W in favor of # "get_recordset":"(role:reader and system_scope:all) or (role:reader # and project_id:%(project_id)s) or ("True":%(zone_shared)s)". # The record set API now supports system scope and default roles. # List a Recordset in a Zone # Intended scope(s): system, project #"find_recordset": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "find_recordset":"rule:admin_or_owner" has been deprecated since W # in favor of "find_recordset":"(role:reader and system_scope:all) or # (role:reader and project_id:%(project_id)s)". # The record set API now supports system scope and default roles. # List Recordsets in a Zone # GET /v2/zones/{zone_id}/recordsets # Intended scope(s): system, project #"find_recordsets": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "find_recordsets":"rule:admin_or_owner" has been deprecated since W # in favor of "find_recordsets":"(role:reader and system_scope:all) or # (role:reader and project_id:%(project_id)s)". # The record set API now supports system scope and default roles. # Update recordset # PUT /v2/zones/{zone_id}/recordsets/{recordset_id} # Intended scope(s): system, project #"update_recordset": "(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s) or role:member and (project_id::%(recordset_project_id)s) and ('PRIMARY':%(zone_type)s)" # DEPRECATED # "update_recordset":"rule:admin or ('PRIMARY':%(zone_type)s and # (rule:owner or project_id:%(recordset_project_id)s))" has been # deprecated since W in favor of "update_recordset":"(role:member and # project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or # (role:admin and system_scope:all) and ('PRIMARY':%(zone_type)s) or # (role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s) or # role:member and (project_id::%(recordset_project_id)s) and # ('PRIMARY':%(zone_type)s)". # The record set API now supports system scope and default roles. # Delete RecordSet # DELETE /v2/zones/{zone_id}/recordsets/{recordset_id} # Intended scope(s): system, project #"delete_recordset": "(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s) or role:member and (project_id::%(recordset_project_id)s) and ('PRIMARY':%(zone_type)s)" # DEPRECATED # "delete_recordset":"rule:admin or ('PRIMARY':%(zone_type)s and # (rule:owner or project_id:%(recordset_project_id)s))" has been # deprecated since W in favor of "delete_recordset":"(role:member and # project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or # (role:admin and system_scope:all) and ('PRIMARY':%(zone_type)s) or # (role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s) or # role:member and (project_id::%(recordset_project_id)s) and # ('PRIMARY':%(zone_type)s)". # The record set API now supports system scope and default roles. # Count recordsets # Intended scope(s): system, project #"count_recordset": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "count_recordset":"rule:admin_or_owner" has been deprecated since W # in favor of "count_recordset":"(role:reader and system_scope:all) or # (role:reader and project_id:%(project_id)s)". # The record set API now supports system scope and default roles. # Find a single Service Status # GET /v2/service_status/{service_id} # Intended scope(s): system #"find_service_status": "role:reader and system_scope:all" # DEPRECATED # "find_service_status":"rule:admin" has been deprecated since W in # favor of "find_service_status":"role:reader and system_scope:all". # The service status API now supports system scope and default roles. # List service statuses. # GET /v2/service_status # Intended scope(s): system #"find_service_statuses": "role:reader and system_scope:all" # DEPRECATED # "find_service_statuses":"rule:admin" has been deprecated since W in # favor of "find_service_statuses":"role:reader and system_scope:all". # The service status API now supports system scope and default roles. # Intended scope(s): system #"update_service_status": "role:admin and system_scope:all" # DEPRECATED # "update_service_status":"rule:admin" has been deprecated since W in # favor of "update_service_status":"role:admin and system_scope:all". # The service status API now supports system scope and default roles. # Get a Zone Share # GET /v2/zones/{zone_id}/shares/{zone_share_id} # Intended scope(s): system, project #"get_zone_share": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "get_zone_share":"rule:admin_or_owner" has been deprecated since W # in favor of "get_zone_share":"(role:admin and system_scope:all) or # (role:member and project_id:%(project_id)s)". # The shared zones API now supports system scope and default roles. # Share a Zone # POST /v2/zones/{zone_id}/shares # Intended scope(s): system, project #"share_zone": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "share_zone":"rule:admin_or_owner" has been deprecated since W in # favor of "share_zone":"(role:admin and system_scope:all) or # (role:member and project_id:%(project_id)s)". # The shared zones API now supports system scope and default roles. # List Shared Zones # GET /v2/zones/{zone_id}/shares #"find_zone_shares": "@" # Check the can query for a specific projects shares. # Intended scope(s): system, project #"find_project_zone_share": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "find_project_zone_share":"rule:admin_or_owner" has been deprecated # since W in favor of "find_project_zone_share":"(role:admin and # system_scope:all) or (role:member and project_id:%(project_id)s)". # The shared zones API now supports system scope and default roles. # Unshare Zone # DELETE /v2/zones/{zone_id}/shares/{shared_zone_id} # Intended scope(s): system, project #"unshare_zone": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "unshare_zone":"rule:admin_or_owner" has been deprecated since W in # favor of "unshare_zone":"(role:admin and system_scope:all) or # (role:member and project_id:%(project_id)s)". # The shared zones API now supports system scope and default roles. # Find all Tenants. # Intended scope(s): system #"find_tenants": "role:reader and system_scope:all" # DEPRECATED # "find_tenants":"rule:admin" has been deprecated since W in favor of # "find_tenants":"role:reader and system_scope:all". # The tenant API now supports system scope and default roles. # Get all Tenants. # Intended scope(s): system #"get_tenant": "role:reader and system_scope:all" # DEPRECATED # "get_tenant":"rule:admin" has been deprecated since W in favor of # "get_tenant":"role:reader and system_scope:all". # The tenant API now supports system scope and default roles. # Count tenants # Intended scope(s): system #"count_tenants": "role:reader and system_scope:all" # DEPRECATED # "count_tenants":"rule:admin" has been deprecated since W in favor of # "count_tenants":"role:reader and system_scope:all". # The tenant API now supports system scope and default roles. # Create Tld # POST /v2/tlds # Intended scope(s): system #"create_tld": "role:admin and system_scope:all" # DEPRECATED # "create_tld":"rule:admin" has been deprecated since W in favor of # "create_tld":"role:admin and system_scope:all". # The top-level domain API now supports system scope and default # roles. # List Tlds # GET /v2/tlds # Intended scope(s): system #"find_tlds": "role:reader and system_scope:all" # DEPRECATED # "find_tlds":"rule:admin" has been deprecated since W in favor of # "find_tlds":"role:reader and system_scope:all". # The top-level domain API now supports system scope and default # roles. # Show Tld # GET /v2/tlds/{tld_id} # Intended scope(s): system #"get_tld": "role:reader and system_scope:all" # DEPRECATED # "get_tld":"rule:admin" has been deprecated since W in favor of # "get_tld":"role:reader and system_scope:all". # The top-level domain API now supports system scope and default # roles. # Update Tld # PATCH /v2/tlds/{tld_id} # Intended scope(s): system #"update_tld": "role:admin and system_scope:all" # DEPRECATED # "update_tld":"rule:admin" has been deprecated since W in favor of # "update_tld":"role:admin and system_scope:all". # The top-level domain API now supports system scope and default # roles. # Delete Tld # DELETE /v2/tlds/{tld_id} # Intended scope(s): system #"delete_tld": "role:admin and system_scope:all" # DEPRECATED # "delete_tld":"rule:admin" has been deprecated since W in favor of # "delete_tld":"role:admin and system_scope:all". # The top-level domain API now supports system scope and default # roles. # Create Tsigkey # POST /v2/tsigkeys # Intended scope(s): system #"create_tsigkey": "role:admin and system_scope:all" # DEPRECATED # "create_tsigkey":"rule:admin" has been deprecated since W in favor # of "create_tsigkey":"role:admin and system_scope:all". # The tsigkey API now supports system scope and default roles. # List Tsigkeys # GET /v2/tsigkeys # Intended scope(s): system #"find_tsigkeys": "role:reader and system_scope:all" # DEPRECATED # "find_tsigkeys":"rule:admin" has been deprecated since W in favor of # "find_tsigkeys":"role:reader and system_scope:all". # The tsigkey API now supports system scope and default roles. # Show a Tsigkey # GET /v2/tsigkeys/{tsigkey_id} # Intended scope(s): system #"get_tsigkey": "role:reader and system_scope:all" # DEPRECATED # "get_tsigkey":"rule:admin" has been deprecated since W in favor of # "get_tsigkey":"role:reader and system_scope:all". # The tsigkey API now supports system scope and default roles. # Update Tsigkey # PATCH /v2/tsigkeys/{tsigkey_id} # Intended scope(s): system #"update_tsigkey": "role:admin and system_scope:all" # DEPRECATED # "update_tsigkey":"rule:admin" has been deprecated since W in favor # of "update_tsigkey":"role:admin and system_scope:all". # The tsigkey API now supports system scope and default roles. # Delete a Tsigkey # DELETE /v2/tsigkeys/{tsigkey_id} # Intended scope(s): system #"delete_tsigkey": "role:admin and system_scope:all" # DEPRECATED # "delete_tsigkey":"rule:admin" has been deprecated since W in favor # of "delete_tsigkey":"role:admin and system_scope:all". # The tsigkey API now supports system scope and default roles. # Create Zone # POST /v2/zones # Intended scope(s): system, project #"create_zone": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "create_zone":"rule:admin_or_owner" has been deprecated since W in # favor of "create_zone":"(role:admin and system_scope:all) or # (role:member and project_id:%(project_id)s)". # The zone API now supports system scope and default roles. # Intended scope(s): system, project #"get_zones": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "get_zones":"rule:admin_or_owner" has been deprecated since W in # favor of "get_zones":"(role:reader and system_scope:all) or # (role:reader and project_id:%(project_id)s)". # The zone API now supports system scope and default roles. # Get Zone # GET /v2/zones/{zone_id} # Intended scope(s): system, project #"get_zone": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or ("True":%(zone_shared)s)" # DEPRECATED # "get_zone":"rule:admin_or_owner or ("True":%(zone_shared)s)" has # been deprecated since W in favor of "get_zone":"(role:reader and # system_scope:all) or (role:reader and project_id:%(project_id)s) or # ("True":%(zone_shared)s)". # The zone API now supports system scope and default roles. # Intended scope(s): system, project #"get_zone_servers": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "get_zone_servers":"rule:admin_or_owner" has been deprecated since W # in favor of "get_zone_servers":"(role:reader and system_scope:all) # or (role:reader and project_id:%(project_id)s)". # The zone API now supports system scope and default roles. # Get the Name Servers for a Zone # GET /v2/zones/{zone_id}/nameservers # Intended scope(s): system, project #"get_zone_ns_records": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "get_zone_ns_records":"rule:admin_or_owner" has been deprecated # since W in favor of "get_zone_ns_records":"(role:reader and # system_scope:all) or (role:reader and project_id:%(project_id)s)". # The zone API now supports system scope and default roles. # List existing zones # GET /v2/zones # Intended scope(s): system, project #"find_zones": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "find_zones":"rule:admin_or_owner" has been deprecated since W in # favor of "find_zones":"(role:reader and system_scope:all) or # (role:reader and project_id:%(project_id)s)". # The zone API now supports system scope and default roles. # Update Zone # PATCH /v2/zones/{zone_id} # Intended scope(s): system, project #"update_zone": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "update_zone":"rule:admin_or_owner" has been deprecated since W in # favor of "update_zone":"(role:admin and system_scope:all) or # (role:member and project_id:%(project_id)s)". # The zone API now supports system scope and default roles. # Delete Zone # DELETE /v2/zones/{zone_id} # Intended scope(s): system, project #"delete_zone": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "delete_zone":"rule:admin_or_owner" has been deprecated since W in # favor of "delete_zone":"(role:admin and system_scope:all) or # (role:member and project_id:%(project_id)s)". # The zone API now supports system scope and default roles. # Manually Trigger an Update of a Secondary Zone # POST /v2/zones/{zone_id}/tasks/xfr # Intended scope(s): system, project #"xfr_zone": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "xfr_zone":"rule:admin_or_owner" has been deprecated since W in # favor of "xfr_zone":"(role:admin and system_scope:all) or # (role:member and project_id:%(project_id)s)". # The zone API now supports system scope and default roles. # Abandon Zone # POST /v2/zones/{zone_id}/tasks/abandon # Intended scope(s): system #"abandon_zone": "role:admin and system_scope:all" # DEPRECATED # "abandon_zone":"rule:admin" has been deprecated since W in favor of # "abandon_zone":"role:admin and system_scope:all". # The zone API now supports system scope and default roles. # Intended scope(s): system, project #"count_zones": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "count_zones":"rule:admin_or_owner" has been deprecated since W in # favor of "count_zones":"(role:reader and system_scope:all) or # (role:reader and project_id:%(project_id)s)". # The zone API now supports system scope and default roles. # Intended scope(s): system, project #"count_zones_pending_notify": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "count_zones_pending_notify":"rule:admin_or_owner" has been # deprecated since W in favor of # "count_zones_pending_notify":"(role:reader and system_scope:all) or # (role:reader and project_id:%(project_id)s)". # The zone API now supports system scope and default roles. # Intended scope(s): system #"purge_zones": "role:admin and system_scope:all" # DEPRECATED # "purge_zones":"rule:admin" has been deprecated since W in favor of # "purge_zones":"role:admin and system_scope:all". # The zone API now supports system scope and default roles. # Retrive a Zone Export from the Designate Datastore # GET /v2/zones/tasks/exports/{zone_export_id}/export # Intended scope(s): system, project #"zone_export": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "zone_export":"rule:admin_or_owner" has been deprecated since W in # favor of "zone_export":"(role:admin and system_scope:all) or # (role:member and project_id:%(project_id)s)". # The zone export API now supports system scope and default roles. # Create Zone Export # POST /v2/zones/{zone_id}/tasks/export # Intended scope(s): system, project #"create_zone_export": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "create_zone_export":"rule:admin_or_owner" has been deprecated since # W in favor of "create_zone_export":"(role:admin and # system_scope:all) or (role:member and project_id:%(project_id)s)". # The zone export API now supports system scope and default roles. # List Zone Exports # GET /v2/zones/tasks/exports # Intended scope(s): system, project #"find_zone_exports": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "find_zone_exports":"rule:admin_or_owner" has been deprecated since # W in favor of "find_zone_exports":"(role:reader and # system_scope:all) or (role:reader and project_id:%(project_id)s)". # The zone export API now supports system scope and default roles. # Get Zone Exports # GET /v2/zones/tasks/exports/{zone_export_id} # Intended scope(s): system, project #"get_zone_export": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "get_zone_export":"rule:admin_or_owner" has been deprecated since W # in favor of "get_zone_export":"(role:reader and system_scope:all) or # (role:reader and project_id:%(project_id)s)". # The zone export API now supports system scope and default roles. # Update Zone Exports # POST /v2/zones/{zone_id}/tasks/export # Intended scope(s): system, project #"update_zone_export": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "update_zone_export":"rule:admin_or_owner" has been deprecated since # W in favor of "update_zone_export":"(role:admin and # system_scope:all) or (role:member and project_id:%(project_id)s)". # The zone export API now supports system scope and default roles. # Delete a zone export # DELETE /v2/zones/tasks/exports/{zone_export_id} # Intended scope(s): system, project #"delete_zone_export": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "delete_zone_export":"rule:admin_or_owner" has been deprecated since # W in favor of "delete_zone_export":"(role:admin and # system_scope:all) or (role:member and project_id:%(project_id)s)". # The zone export API now supports system scope and default roles. # Create Zone Import # POST /v2/zones/tasks/imports # Intended scope(s): system, project #"create_zone_import": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "create_zone_import":"rule:admin_or_owner" has been deprecated since # W in favor of "create_zone_import":"(role:admin and # system_scope:all) or (role:member and project_id:%(project_id)s)". # The zone import API now supports system scope and default roles. # List all Zone Imports # GET /v2/zones/tasks/imports # Intended scope(s): system, project #"find_zone_imports": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "find_zone_imports":"rule:admin_or_owner" has been deprecated since # W in favor of "find_zone_imports":"(role:reader and # system_scope:all) or (role:reader and project_id:%(project_id)s)". # The zone import API now supports system scope and default roles. # Get Zone Imports # GET /v2/zones/tasks/imports/{zone_import_id} # Intended scope(s): system, project #"get_zone_import": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "get_zone_import":"rule:admin_or_owner" has been deprecated since W # in favor of "get_zone_import":"(role:reader and system_scope:all) or # (role:reader and project_id:%(project_id)s)". # The zone import API now supports system scope and default roles. # Update Zone Imports # POST /v2/zones/tasks/imports # Intended scope(s): system, project #"update_zone_import": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "update_zone_import":"rule:admin_or_owner" has been deprecated since # W in favor of "update_zone_import":"(role:admin and # system_scope:all) or (role:member and project_id:%(project_id)s)". # The zone import API now supports system scope and default roles. # Delete a Zone Import # DELETE /v2/zones/tasks/imports/{zone_import_id} # Intended scope(s): system, project #"delete_zone_import": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "delete_zone_import":"rule:admin_or_owner" has been deprecated since # W in favor of "delete_zone_import":"(role:admin and # system_scope:all) or (role:member and project_id:%(project_id)s)". # The zone import API now supports system scope and default roles. # Create Zone Transfer Accept # POST /v2/zones/tasks/transfer_accepts # Intended scope(s): system, project #"create_zone_transfer_accept": "((role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)) or project_id:%(target_project_id)s or None:%(target_project_id)s" # DEPRECATED # "create_zone_transfer_accept":"rule:admin_or_owner OR # project_id:%(target_tenant_id)s OR None:%(target_tenant_id)s" has # been deprecated since W in favor of # "create_zone_transfer_accept":"((role:admin and system_scope:all) or # (role:member and project_id:%(project_id)s)) or # project_id:%(target_project_id)s or None:%(target_project_id)s". # The zone transfer accept API now supports system scope and default # roles. # Get Zone Transfer Accept # GET /v2/zones/tasks/transfer_requests/{zone_transfer_accept_id} # Intended scope(s): system, project #"get_zone_transfer_accept": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "get_zone_transfer_accept":"rule:admin_or_owner" has been deprecated # since W in favor of "get_zone_transfer_accept":"(role:reader and # system_scope:all) or (role:reader and project_id:%(project_id)s)". # The zone transfer accept API now supports system scope and default # roles. # List Zone Transfer Accepts # GET /v2/zones/tasks/transfer_accepts # Intended scope(s): system #"find_zone_transfer_accepts": "role:reader and system_scope:all" # DEPRECATED # "find_zone_transfer_accepts":"rule:admin" has been deprecated since # W in favor of "find_zone_transfer_accepts":"role:reader and # system_scope:all". # The zone transfer accept API now supports system scope and default # roles. # Create Zone Transfer Accept # POST /v2/zones/{zone_id}/tasks/transfer_requests # Intended scope(s): system, project #"create_zone_transfer_request": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "create_zone_transfer_request":"rule:admin_or_owner" has been # deprecated since W in favor of # "create_zone_transfer_request":"(role:admin and system_scope:all) or # (role:member and project_id:%(project_id)s)". # The zone transfer request API now supports system scope and default # roles. # Show a Zone Transfer Request # GET /v2/zones/tasks/transfer_requests/{zone_transfer_request_id} # Intended scope(s): system, project #"get_zone_transfer_request": "((role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)) or project_id:%(target_project_id)s or None:%(target_project_id)s" # DEPRECATED # "get_zone_transfer_request":"rule:admin_or_owner OR # project_id:%(target_tenant_id)s OR None:%(target_tenant_id)s" has # been deprecated since W in favor of # "get_zone_transfer_request":"((role:admin and system_scope:all) or # (role:member and project_id:%(project_id)s)) or # project_id:%(target_project_id)s or None:%(target_project_id)s". # The zone transfer request API now supports system scope and default # roles. # Intended scope(s): system, project #"get_zone_transfer_request_detailed": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "create_zone_transfer_request":"rule:admin_or_owner" has been # deprecated since W in favor of # "get_zone_transfer_request_detailed":"(role:reader and # system_scope:all) or (role:reader and project_id:%(project_id)s)". # The zone transfer request API now supports system scope and default # roles. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "create_zone_transfer_request": "rule:get_zone_transfer_request_detailed" # List Zone Transfer Requests # GET /v2/zones/tasks/transfer_requests #"find_zone_transfer_requests": "@" # Update a Zone Transfer Request # PATCH /v2/zones/tasks/transfer_requests/{zone_transfer_request_id} # Intended scope(s): system, project #"update_zone_transfer_request": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "update_zone_transfer_request":"rule:admin_or_owner" has been # deprecated since W in favor of # "update_zone_transfer_request":"(role:admin and system_scope:all) or # (role:member and project_id:%(project_id)s)". # The zone transfer request API now supports system scope and default # roles. # Delete a Zone Transfer Request # DELETE /v2/zones/tasks/transfer_requests/{zone_transfer_request_id} # Intended scope(s): system, project #"delete_zone_transfer_request": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "delete_zone_transfer_request":"rule:admin_or_owner" has been # deprecated since W in favor of # "delete_zone_transfer_request":"(role:admin and system_scope:all) or # (role:member and project_id:%(project_id)s)". # The zone transfer request API now supports system scope and default # roles.