Sync default policy rules
This patch updates the default policy-in-code rules in horizon based on the nova/neutron/cinder/keystone RC deliverables. It doesn't update the policy rules for glance, as I have found no changes in their policy rules. Horizon needs to update the default policy-in-code rules for all backend services before releasing horizon [1]. [1] https://docs.openstack.org/horizon/latest/contributor/policies/releasing.html#things-to-do-before-releasing Change-Id: I7437b3a46377c18f026db103237b4d107dc787cb
parent
be825dfda8
commit
712dbd26d1
@ -1138,6 +1138,10 @@
|
||||
# "personas". See "Policy Personas and Permissions" in the "Cinder
|
||||
# Service Configuration" documentation (Xena release) for details.
|
||||
|
||||
# Complete a volume extend operation.
|
||||
# POST /volumes/{volume_id}/action (os-extend_volume_completion)
|
||||
#"volume_extension:volume_admin_actions:extend_volume_completion": "rule:admin_api"
|
||||
|
||||
# Revert a volume to a snapshot.
|
||||
# POST /volumes/{volume_id}/action (revert)
|
||||
#"volume:revert_to_snapshot": "rule:xena_system_admin_or_project_member"
|
||||
|
@ -1144,6 +1144,13 @@
|
||||
- method: POST
|
||||
path: /volumes/{volume_id}/action (os-extend)
|
||||
scope_types: null
|
||||
- check_str: rule:admin_api
|
||||
description: Complete a volume extend operation.
|
||||
name: volume_extension:volume_admin_actions:extend_volume_completion
|
||||
operations:
|
||||
- method: POST
|
||||
path: /volumes/{volume_id}/action (os-extend_volume_completion)
|
||||
scope_types: null
|
||||
- check_str: rule:xena_system_admin_or_project_member
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
|
File diff suppressed because it is too large
@ -3,6 +3,11 @@
|
||||
name: context_is_admin
|
||||
operations: []
|
||||
scope_types: null
|
||||
- check_str: role:service
|
||||
description: Default rule for the service-to-service APIs.
|
||||
name: service_api
|
||||
operations: []
|
||||
scope_types: null
|
||||
- check_str: tenant_id:%(tenant_id)s
|
||||
description: Rule for resource owner access
|
||||
name: owner
|
||||
@ -586,6 +591,16 @@
|
||||
path: /floatingips/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
|
||||
description: Get the floating IP tags
|
||||
name: get_floatingips_tags
|
||||
operations:
|
||||
- method: GET
|
||||
path: /floatingips/{id}/tags
|
||||
- method: GET
|
||||
path: /floatingips/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -599,6 +614,16 @@
|
||||
path: /floatingips/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
description: Update the floating IP tags
|
||||
name: update_floatingips_tags
|
||||
operations:
|
||||
- method: PUT
|
||||
path: /floatingips/{id}/tags
|
||||
- method: PUT
|
||||
path: /floatingips/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -612,6 +637,16 @@
|
||||
path: /floatingips/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
description: Delete the floating IP tags
|
||||
name: delete_floatingips_tags
|
||||
operations:
|
||||
- method: DELETE
|
||||
path: /floatingips/{id}/tags
|
||||
- method: DELETE
|
||||
path: /floatingips/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -1137,8 +1172,8 @@
|
||||
operations: *id001
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared
|
||||
or rule:external or rule:context_is_advsvc
|
||||
- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:service_api
|
||||
or rule:shared or rule:external or rule:context_is_advsvc
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc
|
||||
@ -1197,6 +1232,17 @@
|
||||
operations: *id002
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared
|
||||
or rule:external or rule:context_is_advsvc
|
||||
description: Get the network tags
|
||||
name: get_networks_tags
|
||||
operations:
|
||||
- method: GET
|
||||
path: /networks/{id}/tags
|
||||
- method: GET
|
||||
path: /networks/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -1298,6 +1344,16 @@
|
||||
operations: *id003
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
description: Update the network tags
|
||||
name: update_networks_tags
|
||||
operations:
|
||||
- method: PUT
|
||||
path: /networks/{id}/tags
|
||||
- method: PUT
|
||||
path: /networks/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -1311,6 +1367,16 @@
|
||||
path: /networks/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
description: Delete the network tags
|
||||
name: delete_networks_tags
|
||||
operations:
|
||||
- method: DELETE
|
||||
path: /networks/{id}/tags
|
||||
- method: DELETE
|
||||
path: /networks/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -1354,6 +1420,16 @@
|
||||
path: /network_segment_ranges/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only
|
||||
description: Get the network segment range tags
|
||||
name: get_network_segment_ranges_tags
|
||||
operations:
|
||||
- method: GET
|
||||
path: /network_segment_ranges/{id}/tags
|
||||
- method: GET
|
||||
path: /network_segment_ranges/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -1367,6 +1443,16 @@
|
||||
path: /network_segment_ranges/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only
|
||||
description: Update the network segment range tags
|
||||
name: update_network_segment_ranges_tags
|
||||
operations:
|
||||
- method: PUT
|
||||
path: /network_segment_ranges/{id}/tags
|
||||
- method: PUT
|
||||
path: /network_segment_ranges/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -1381,6 +1467,16 @@
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only
|
||||
description: Delete the network segment range tags
|
||||
name: delete_network_segment_ranges_tags
|
||||
operations:
|
||||
- method: DELETE
|
||||
path: /network_segment_ranges/{id}/tags
|
||||
- method: DELETE
|
||||
path: /network_segment_ranges/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (rule:service_api)
|
||||
description: Get port binding information
|
||||
name: get_port_binding
|
||||
operations:
|
||||
@ -1388,7 +1484,7 @@
|
||||
path: /ports/{port_id}/bindings/
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only
|
||||
- check_str: rule:service_api
|
||||
description: Create port binding on the host
|
||||
name: create_port_binding
|
||||
operations:
|
||||
@ -1396,7 +1492,7 @@
|
||||
path: /ports/{port_id}/bindings/
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only
|
||||
- check_str: rule:service_api
|
||||
description: Delete port binding on the host
|
||||
name: delete_port_binding
|
||||
operations:
|
||||
@ -1404,7 +1500,7 @@
|
||||
path: /ports/{port_id}/bindings/
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only
|
||||
- check_str: rule:service_api
|
||||
description: Activate port binding on the host
|
||||
name: activate
|
||||
operations:
|
||||
@ -1422,7 +1518,7 @@
|
||||
name: admin_or_data_plane_int
|
||||
operations: []
|
||||
scope_types: null
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:regular_user
|
||||
@ -1435,8 +1531,8 @@
|
||||
path: /ports
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: not rule:network_device or rule:context_is_advsvc or (rule:admin_only)
|
||||
or (role:member and rule:network_owner)
|
||||
- check_str: not rule:network_device or (rule:admin_only) or (rule:service_api) or
|
||||
role:member and rule:network_owner
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
|
||||
@ -1447,7 +1543,7 @@
|
||||
operations: *id004
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)
|
||||
- check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:context_is_advsvc or rule:admin_or_network_owner
|
||||
@ -1458,7 +1554,7 @@
|
||||
operations: *id004
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)
|
||||
- check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner
|
||||
or rule:shared
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -1470,7 +1566,7 @@
|
||||
operations: *id004
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)
|
||||
- check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:context_is_advsvc or rule:admin_or_network_owner
|
||||
@ -1481,7 +1577,7 @@
|
||||
operations: *id004
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)
|
||||
- check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner
|
||||
or rule:shared
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -1493,7 +1589,7 @@
|
||||
operations: *id004
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)
|
||||
- check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:context_is_advsvc or rule:admin_or_network_owner
|
||||
@ -1504,7 +1600,7 @@
|
||||
operations: *id004
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only
|
||||
- check_str: (rule:admin_only) or (rule:service_api)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:admin_only
|
||||
@ -1515,7 +1611,7 @@
|
||||
operations: *id004
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only
|
||||
- check_str: rule:service_api
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:admin_only
|
||||
@ -1526,7 +1622,7 @@
|
||||
operations: *id004
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:regular_user
|
||||
@ -1578,7 +1674,7 @@
|
||||
operations: *id004
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:reader and rule:network_owner)
|
||||
- check_str: (rule:admin_only) or (rule:service_api) or role:reader and rule:network_owner
|
||||
or role:reader and project_id:%(project_id)s
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -1594,7 +1690,7 @@
|
||||
path: /ports/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only
|
||||
- check_str: (rule:admin_only) or (rule:service_api)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:admin_only
|
||||
@ -1605,7 +1701,7 @@
|
||||
operations: *id005
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only
|
||||
- check_str: (rule:admin_only) or (rule:service_api)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:admin_only
|
||||
@ -1616,7 +1712,7 @@
|
||||
operations: *id005
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only
|
||||
- check_str: (rule:admin_only) or (rule:service_api)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:admin_only
|
||||
@ -1627,7 +1723,7 @@
|
||||
operations: *id005
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only
|
||||
- check_str: (rule:admin_only) or (rule:service_api)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:admin_only
|
||||
@ -1655,7 +1751,18 @@
|
||||
operations: *id005
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only or role:member and project_id:%(project_id)s or rule:context_is_advsvc
|
||||
- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:reader and rule:network_owner)
|
||||
or role:reader and project_id:%(project_id)s
|
||||
description: Get the port tags
|
||||
name: get_ports_tags
|
||||
operations:
|
||||
- method: GET
|
||||
path: /ports/{id}/tags
|
||||
- method: GET
|
||||
path: /ports/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:admin_or_owner or rule:context_is_advsvc
|
||||
@ -1668,8 +1775,8 @@
|
||||
path: /ports/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: not rule:network_device or rule:context_is_advsvc or (rule:admin_only)
|
||||
or (role:member and rule:network_owner)
|
||||
- check_str: not rule:network_device or (rule:admin_only) or (rule:service_api) or
|
||||
role:member and rule:network_owner
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
|
||||
@ -1680,7 +1787,7 @@
|
||||
operations: *id006
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only or rule:context_is_advsvc
|
||||
- check_str: (rule:admin_only) or (rule:service_api)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:admin_only or rule:context_is_advsvc
|
||||
@ -1691,7 +1798,7 @@
|
||||
operations: *id006
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)
|
||||
- check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:context_is_advsvc or rule:admin_or_network_owner
|
||||
@ -1702,7 +1809,7 @@
|
||||
operations: *id006
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)
|
||||
- check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:context_is_advsvc or rule:admin_or_network_owner
|
||||
@ -1713,7 +1820,7 @@
|
||||
operations: *id006
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)
|
||||
- check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner
|
||||
or rule:shared
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -1725,7 +1832,7 @@
|
||||
operations: *id006
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)
|
||||
- check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:context_is_advsvc or rule:admin_or_network_owner
|
||||
@ -1736,7 +1843,7 @@
|
||||
operations: *id006
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only
|
||||
- check_str: (rule:admin_only) or (rule:service_api)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:admin_only
|
||||
@ -1747,7 +1854,7 @@
|
||||
operations: *id006
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only
|
||||
- check_str: rule:service_api
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:admin_only
|
||||
@ -1758,7 +1865,7 @@
|
||||
operations: *id006
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only or role:member and project_id:%(project_id)s or rule:context_is_advsvc
|
||||
- check_str: (rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:admin_or_owner or rule:context_is_advsvc
|
||||
@ -1820,8 +1927,18 @@
|
||||
operations: *id006
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:context_is_advsvc or role:member and project_id:%(project_id)s or
|
||||
(rule:admin_only) or (role:member and rule:network_owner)
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc
|
||||
description: Update the port tags
|
||||
name: update_ports_tags
|
||||
operations:
|
||||
- method: PUT
|
||||
path: /ports/{id}/tags
|
||||
- method: PUT
|
||||
path: /ports/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner
|
||||
or role:member and project_id:%(project_id)s
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:context_is_advsvc or rule:admin_owner_or_network_owner
|
||||
@ -1834,6 +1951,17 @@
|
||||
path: /ports/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:context_is_advsvc or role:member and project_id:%(project_id)s or
|
||||
(rule:admin_only) or (role:member and rule:network_owner)
|
||||
description: Delete the port tags
|
||||
name: delete_ports_tags
|
||||
operations:
|
||||
- method: DELETE
|
||||
path: /ports/{id}/tags
|
||||
- method: DELETE
|
||||
path: /ports/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: field:policies:shared=True
|
||||
description: Rule of shared qos policy
|
||||
name: shared_qos_policy
|
||||
@ -2537,6 +2665,16 @@
|
||||
operations: *id008
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
|
||||
description: Get the router tags
|
||||
name: get_routers_tags
|
||||
operations:
|
||||
- method: GET
|
||||
path: /routers/{id}/tags
|
||||
- method: GET
|
||||
path: /routers/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -2631,6 +2769,16 @@
|
||||
operations: *id007
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
description: Update the router tags
|
||||
name: update_routers_tags
|
||||
operations:
|
||||
- method: PUT
|
||||
path: /routers/{id}/tags
|
||||
- method: PUT
|
||||
path: /routers/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -2644,6 +2792,16 @@
|
||||
path: /routers/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
description: Delete the router tags
|
||||
name: delete_routers_tags
|
||||
operations:
|
||||
- method: DELETE
|
||||
path: /routers/{id}/tags
|
||||
- method: DELETE
|
||||
path: /routers/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -2711,6 +2869,12 @@
|
||||
name: shared_security_group
|
||||
operations: []
|
||||
scope_types: null
|
||||
- check_str: field:security_group_rules:belongs_to_default_sg=True
|
||||
description: Definition of a security group rule that belongs to the project default
|
||||
security group
|
||||
name: rule_default_sg
|
||||
operations: []
|
||||
scope_types: null
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -2739,6 +2903,16 @@
|
||||
path: /security-groups/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_security_group
|
||||
description: Get the security group tags
|
||||
name: get_security_groups_tags
|
||||
operations:
|
||||
- method: GET
|
||||
path: /security-groups/{id}/tags
|
||||
- method: GET
|
||||
path: /security-groups/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -2752,6 +2926,16 @@
|
||||
path: /security-groups/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
description: Update the security group tags
|
||||
name: update_security_groups_tags
|
||||
operations:
|
||||
- method: PUT
|
||||
path: /security-groups/{id}/tags
|
||||
- method: PUT
|
||||
path: /security-groups/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -2765,6 +2949,16 @@
|
||||
path: /security-groups/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
description: Delete the security group tags
|
||||
name: delete_security_groups_tags
|
||||
operations:
|
||||
- method: DELETE
|
||||
path: /security-groups/{id}/tags
|
||||
- method: DELETE
|
||||
path: /security-groups/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -2834,6 +3028,16 @@
|
||||
path: /segments/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only
|
||||
description: Get the segment tags
|
||||
name: get_segments_tags
|
||||
operations:
|
||||
- method: GET
|
||||
path: /segments/{id}/tags
|
||||
- method: GET
|
||||
path: /segments/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -2847,6 +3051,16 @@
|
||||
path: /segments/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only
|
||||
description: Update the segment tags
|
||||
name: update_segments_tags
|
||||
operations:
|
||||
- method: PUT
|
||||
path: /segments/{id}/tags
|
||||
- method: PUT
|
||||
path: /segments/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -2860,6 +3074,16 @@
|
||||
path: /segments/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:admin_only
|
||||
description: Delete the segment tags
|
||||
name: delete_segments_tags
|
||||
operations:
|
||||
- method: DELETE
|
||||
path: /segments/{id}/tags
|
||||
- method: DELETE
|
||||
path: /segments/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: role:reader
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -2908,7 +3132,8 @@
|
||||
operations: *id010
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared
|
||||
- check_str: (rule:admin_only) or (role:member and rule:network_owner) or role:reader
|
||||
and project_id:%(project_id)s or rule:shared
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:admin_or_owner or rule:shared
|
||||
@ -2934,7 +3159,19 @@
|
||||
operations: *id011
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and rule:network_owner)
|
||||
- check_str: (rule:admin_only) or (role:member and rule:network_owner) or role:reader
|
||||
and project_id:%(project_id)s or rule:shared
|
||||
description: Get the subnet tags
|
||||
name: get_subnets_tags
|
||||
operations:
|
||||
- method: GET
|
||||
path: /subnets/{id}/tags
|
||||
- method: GET
|
||||
path: /subnets/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and rule:network_owner) or role:member
|
||||
and project_id:%(project_id)s
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:admin_or_network_owner
|
||||
@ -2969,7 +3206,19 @@
|
||||
operations: *id012
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and rule:network_owner)
|
||||
- check_str: (rule:admin_only) or (role:member and rule:network_owner) or role:member
|
||||
and project_id:%(project_id)s
|
||||
description: Update the subnet tags
|
||||
name: update_subnets_tags
|
||||
operations:
|
||||
- method: PUT
|
||||
path: /subnets/{id}/tags
|
||||
- method: PUT
|
||||
path: /subnets/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and rule:network_owner) or role:member
|
||||
and project_id:%(project_id)s
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
check_str: rule:admin_or_network_owner
|
||||
@ -2982,6 +3231,17 @@
|
||||
path: /subnets/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and rule:network_owner) or role:member
|
||||
and project_id:%(project_id)s
|
||||
description: Delete the subnet tags
|
||||
name: delete_subnets_tags
|
||||
operations:
|
||||
- method: DELETE
|
||||
path: /subnets/{id}/tags
|
||||
- method: DELETE
|
||||
path: /subnets/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: field:subnetpools:shared=True
|
||||
description: Definition of a shared subnetpool
|
||||
name: shared_subnetpools
|
||||
@ -3041,6 +3301,16 @@
|
||||
path: /subnetpools/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools
|
||||
description: Get the subnetpool tags
|
||||
name: get_subnetpools_tags
|
||||
operations:
|
||||
- method: GET
|
||||
path: /subnetpools/{id}/tags
|
||||
- method: GET
|
||||
path: /subnetpools/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -3067,6 +3337,16 @@
|
||||
path: /subnetpools/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
description: Update the subnetpool tags
|
||||
name: update_subnetpools_tags
|
||||
operations:
|
||||
- method: PUT
|
||||
path: /subnetpools/{id}/tags
|
||||
- method: PUT
|
||||
path: /subnetpools/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -3080,6 +3360,16 @@
|
||||
path: /subnetpools/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
description: Delete the subnetpool tags
|
||||
name: delete_subnetpools_tags
|
||||
operations:
|
||||
- method: DELETE
|
||||
path: /subnetpools/{id}/tags
|
||||
- method: DELETE
|
||||
path: /subnetpools/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -3147,6 +3437,16 @@
|
||||
path: /trunks/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
|
||||
description: Get the trunk tags
|
||||
name: get_trunks_tags
|
||||
operations:
|
||||
- method: GET
|
||||
path: /trunks/{id}/tags
|
||||
- method: GET
|
||||
path: /trunks/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -3160,6 +3460,16 @@
|
||||
path: /trunks/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
description: Update the trunk tags
|
||||
name: update_trunks_tags
|
||||
operations:
|
||||
- method: PUT
|
||||
path: /trunks/{id}/tags
|
||||
- method: PUT
|
||||
path: /trunks/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
@ -3173,6 +3483,16 @@
|
||||
path: /trunks/{id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s)
|
||||
description: Delete a trunk
|
||||
name: delete_trunks_tags
|
||||
operations:
|
||||
- method: DELETE
|
||||
path: /trunks/{id}/tags
|
||||
- method: DELETE
|
||||
path: /trunks/{id}/tags/{tag_id}
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
|
||||
deprecated_reason: null
|
||||
deprecated_rule:
|
||||
|
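Review bot: The new `service_api` rule is `role:service` with `scope_types: null`, and the hunks from `@ -1137,8 +1172,8` onward OR it into many port checks and one network check with no `project_id` term on that branch, so any token carrying a role named `service` satisfies them for every project. `create_port_binding`, `delete_port_binding` and `activate` go further and become `rule:service_api` alone, with no `deprecated_rule` entry shown for them, so an admin token without that role would no longer match these three wherever this file is the policy being evaluated. This deserves a sentence in the commit description or a release note, for example `The service role now satisfies most Neutron port policies; assign it only to service accounts.` Separately, `delete_trunks_tags` in the last hunk carries the description `Delete a trunk`, which looks copied from the neighbouring rule and should read `Delete the trunk tags`; since the file is synced, the fix presumably belongs in Neutron.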
@ -1120,7 +1120,7 @@
|
||||
scope_types:
|
||||
- project
|
||||
- check_str: rule:context_is_admin
|
||||
description: List quotas for specific quota classs
|
||||
description: List quotas for specific quota classes
|
||||
name: os_compute_api:os-quota-class-sets:show
|
||||
operations:
|
||||
- method: GET
|
||||
@ -1184,8 +1184,6 @@
|
||||
are deprecated:
|
||||
|
||||
|
||||
- ``os-getRDPConsole``
|
||||
|
||||
- ``os-getSerialConsole``
|
||||
|
||||
- ``os-getSPICEConsole``
|
||||
@ -1193,8 +1191,6 @@
|
||||
- ``os-getVNCConsole``.'
|
||||
name: os_compute_api:os-remote-consoles
|
||||
operations:
|
||||
- method: POST
|
||||
path: /servers/{server_id}/action (os-getRDPConsole)
|
||||
- method: POST
|
||||
path: /servers/{server_id}/action (os-getSerialConsole)
|
||||
- method: POST
|
||||
@ -1606,7 +1602,7 @@
|
||||
|
||||
Policies for showing flavor extra specs in server APIs response is
|
||||
|
||||
seprated as new policy. This policy is deprecated only for that but
|
||||
separated as new policy. This policy is deprecated only for that but
|
||||
|
||||
not for list extra specs and showing it in flavor API response.
|
||||
|
||||
|
@ -1,6 +1,9 @@
|
||||
# Rule for cloud admin access
|
||||
#"context_is_admin": "role:admin"
|
||||
|
||||
# Default rule for the service-to-service APIs.
|
||||
#"service_api": "role:service"
|
||||
|
||||
# Rule for resource owner access
|
||||
#"owner": "tenant_id:%(tenant_id)s"
|
||||
|
||||
@ -460,6 +463,12 @@
|
||||
# project_id:%(project_id)s)".
|
||||
# The Floating IP API now supports system scope and default roles.
|
||||
|
||||
# Get the floating IP tags
|
||||
# GET /floatingips/{id}/tags
|
||||
# GET /floatingips/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"get_floatingips_tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
|
||||
|
||||
# Update a floating IP
|
||||
# PUT /floatingips/{id}
|
||||
# Intended scope(s): project
|
||||
@ -471,6 +480,12 @@
|
||||
# and project_id:%(project_id)s)".
|
||||
# The Floating IP API now supports system scope and default roles.
|
||||
|
||||
# Update the floating IP tags
|
||||
# PUT /floatingips/{id}/tags
|
||||
# PUT /floatingips/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"update_floatingips_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
|
||||
|
||||
# Delete a floating IP
|
||||
# DELETE /floatingips/{id}
|
||||
# Intended scope(s): project
|
||||
@ -482,6 +497,12 @@
|
||||
# and project_id:%(project_id)s)".
|
||||
# The Floating IP API now supports system scope and default roles.
|
||||
|
||||
# Delete the floating IP tags
|
||||
# DELETE /floatingips/{id}/tags
|
||||
# DELETE /floatingips/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"delete_floatingips_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
|
||||
|
||||
# Get floating IP pools
|
||||
# GET /floatingip_pools
|
||||
# Intended scope(s): project
|
||||
@ -948,14 +969,14 @@
|
||||
# GET /networks
|
||||
# GET /networks/{id}
|
||||
# Intended scope(s): project
|
||||
#"get_network": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc"
|
||||
#"get_network": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:service_api or rule:shared or rule:external or rule:context_is_advsvc"
|
||||
|
||||
# DEPRECATED
|
||||
# "get_network":"rule:admin_or_owner or rule:shared or rule:external
|
||||
# or rule:context_is_advsvc" has been deprecated since W in favor of
|
||||
# "get_network":"(rule:admin_only) or (role:reader and
|
||||
# project_id:%(project_id)s) or rule:shared or rule:external or
|
||||
# rule:context_is_advsvc".
|
||||
# project_id:%(project_id)s) or rule:service_api or rule:shared or
|
||||
# rule:external or rule:context_is_advsvc".
|
||||
# The network API now supports system scope and default roles.
|
||||
|
||||
# Get ``segments`` attribute of a network
|
||||
@ -1005,6 +1026,12 @@
|
||||
# "get_network:provider:segmentation_id":"rule:admin_only".
|
||||
# The network API now supports system scope and default roles.
|
||||
|
||||
# Get the network tags
|
||||
# GET /networks/{id}/tags
|
||||
# GET /networks/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"get_networks_tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc"
|
||||
|
||||
# Update a network
|
||||
# PUT /networks/{id}
|
||||
# Intended scope(s): project
|
||||
@ -1102,6 +1129,12 @@
|
||||
# (role:member and project_id:%(project_id)s)".
|
||||
# The network API now supports system scope and default roles.
|
||||
|
||||
# Update the network tags
|
||||
# PUT /networks/{id}/tags
|
||||
# PUT /networks/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"update_networks_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
|
||||
|
||||
# Delete a network
|
||||
# DELETE /networks/{id}
|
||||
# Intended scope(s): project
|
||||
@ -1113,6 +1146,12 @@
|
||||
# project_id:%(project_id)s)".
|
||||
# The network API now supports system scope and default roles.
|
||||
|
||||
# Delete the network tags
|
||||
# DELETE /networks/{id}/tags
|
||||
# DELETE /networks/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"delete_networks_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
|
||||
|
||||
# Get network IP availability
|
||||
# GET /network-ip-availabilities
|
||||
# GET /network-ip-availabilities/{network_id}
|
||||
@ -1149,6 +1188,12 @@
|
||||
# The network segment range API now supports project scope and default
|
||||
# roles.
|
||||
|
||||
# Get the network segment range tags
|
||||
# GET /network_segment_ranges/{id}/tags
|
||||
# GET /network_segment_ranges/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"get_network_segment_ranges_tags": "rule:admin_only"
|
||||
|
||||
# Update a network segment range
|
||||
# PUT /network_segment_ranges/{id}
|
||||
# Intended scope(s): project
|
||||
@ -1161,6 +1206,12 @@
|
||||
# The network segment range API now supports project scope and default
|
||||
# roles.
|
||||
|
||||
# Update the network segment range tags
|
||||
# PUT /network_segment_ranges/{id}/tags
|
||||
# PUT /network_segment_ranges/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"update_network_segment_ranges_tags": "rule:admin_only"
|
||||
|
||||
# Delete a network segment range
|
||||
# DELETE /network_segment_ranges/{id}
|
||||
# Intended scope(s): project
|
||||
@ -1173,25 +1224,31 @@
|
||||
# The network segment range API now supports project scope and default
|
||||
# roles.
|
||||
|
||||
# Delete the network segment range tags
|
||||
# DELETE /network_segment_ranges/{id}/tags
|
||||
# DELETE /network_segment_ranges/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"delete_network_segment_ranges_tags": "rule:admin_only"
|
||||
|
||||
# Get port binding information
|
||||
# GET /ports/{port_id}/bindings/
|
||||
# Intended scope(s): project
|
||||
#"get_port_binding": "rule:admin_only"
|
||||
#"get_port_binding": "(rule:admin_only) or (rule:service_api)"
|
||||
|
||||
# Create port binding on the host
|
||||
# POST /ports/{port_id}/bindings/
|
||||
# Intended scope(s): project
|
||||
#"create_port_binding": "rule:admin_only"
|
||||
#"create_port_binding": "rule:service_api"
|
||||
|
||||
# Delete port binding on the host
|
||||
# DELETE /ports/{port_id}/bindings/
|
||||
# Intended scope(s): project
|
||||
#"delete_port_binding": "rule:admin_only"
|
||||
#"delete_port_binding": "rule:service_api"
|
||||
|
||||
# Activate port binding on the host
|
||||
# PUT /ports/{port_id}/bindings/{host}
|
||||
# Intended scope(s): project
|
||||
#"activate": "rule:admin_only"
|
||||
#"activate": "rule:service_api"
|
||||
|
||||
# Definition of port with network device_owner
|
||||
#"network_device": "field:port:device_owner=~^network:"
|
||||
@ -1202,120 +1259,122 @@
|
||||
# Create a port
|
||||
# POST /ports
|
||||
# Intended scope(s): project
|
||||
#"create_port": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
|
||||
#"create_port": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api"
|
||||
|
||||
# DEPRECATED
|
||||
# "create_port":"rule:regular_user" has been deprecated since W in
|
||||
# favor of "create_port":"(rule:admin_only) or (role:member and
|
||||
# project_id:%(project_id)s)".
|
||||
# project_id:%(project_id)s) or rule:service_api".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Specify ``device_owner`` attribute when creating a port
|
||||
# POST /ports
|
||||
# Intended scope(s): project
|
||||
#"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)"
|
||||
#"create_port:device_owner": "not rule:network_device or (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner"
|
||||
|
||||
# DEPRECATED
|
||||
# "create_port:device_owner":"not rule:network_device or
|
||||
# rule:context_is_advsvc or rule:admin_or_network_owner" has been
|
||||
# deprecated since W in favor of "create_port:device_owner":"not
|
||||
# rule:network_device or rule:context_is_advsvc or (rule:admin_only)
|
||||
# or (role:member and rule:network_owner)".
|
||||
# rule:network_device or (rule:admin_only) or (rule:service_api) or
|
||||
# role:member and rule:network_owner".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Specify ``mac_address`` attribute when creating a port
|
||||
# POST /ports
|
||||
# Intended scope(s): project
|
||||
#"create_port:mac_address": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)"
|
||||
#"create_port:mac_address": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner"
|
||||
|
||||
# DEPRECATED
|
||||
# "create_port:mac_address":"rule:context_is_advsvc or
|
||||
# rule:admin_or_network_owner" has been deprecated since W in favor of
|
||||
# "create_port:mac_address":"rule:context_is_advsvc or
|
||||
# (rule:admin_only) or (role:member and rule:network_owner)".
|
||||
# "create_port:mac_address":"(rule:admin_only) or (rule:service_api)
|
||||
# or role:member and rule:network_owner".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Specify ``fixed_ips`` information when creating a port
|
||||
# POST /ports
|
||||
# Intended scope(s): project
|
||||
#"create_port:fixed_ips": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) or rule:shared"
|
||||
#"create_port:fixed_ips": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or rule:shared"
|
||||
|
||||
# DEPRECATED
|
||||
# "create_port:fixed_ips":"rule:context_is_advsvc or
|
||||
# rule:admin_or_network_owner or rule:shared" has been deprecated
|
||||
# since W in favor of "create_port:fixed_ips":"rule:context_is_advsvc
|
||||
# or (rule:admin_only) or (role:member and rule:network_owner) or
|
||||
# since W in favor of "create_port:fixed_ips":"(rule:admin_only) or
|
||||
# (rule:service_api) or role:member and rule:network_owner or
|
||||
# rule:shared".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Specify IP address in ``fixed_ips`` when creating a port
|
||||
# POST /ports
|
||||
# Intended scope(s): project
|
||||
#"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)"
|
||||
#"create_port:fixed_ips:ip_address": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner"
|
||||
|
||||
# DEPRECATED
|
||||
# "create_port:fixed_ips:ip_address":"rule:context_is_advsvc or
|
||||
# rule:admin_or_network_owner" has been deprecated since W in favor of
|
||||
# "create_port:fixed_ips:ip_address":"rule:context_is_advsvc or
|
||||
# (rule:admin_only) or (role:member and rule:network_owner)".
|
||||
# "create_port:fixed_ips:ip_address":"(rule:admin_only) or
|
||||
# (rule:service_api) or role:member and rule:network_owner".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Specify subnet ID in ``fixed_ips`` when creating a port
|
||||
# POST /ports
|
||||
# Intended scope(s): project
|
||||
#"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) or rule:shared"
|
||||
#"create_port:fixed_ips:subnet_id": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or rule:shared"
|
||||
|
||||
# DEPRECATED
|
||||
# "create_port:fixed_ips:subnet_id":"rule:context_is_advsvc or
|
||||
# rule:admin_or_network_owner or rule:shared" has been deprecated
|
||||
# since W in favor of
|
||||
# "create_port:fixed_ips:subnet_id":"rule:context_is_advsvc or
|
||||
# (rule:admin_only) or (role:member and rule:network_owner) or
|
||||
# "create_port:fixed_ips:subnet_id":"(rule:admin_only) or
|
||||
# (rule:service_api) or role:member and rule:network_owner or
|
||||
# rule:shared".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Specify ``port_security_enabled`` attribute when creating a port
|
||||
# POST /ports
|
||||
# Intended scope(s): project
|
||||
#"create_port:port_security_enabled": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)"
|
||||
#"create_port:port_security_enabled": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner"
|
||||
|
||||
# DEPRECATED
|
||||
# "create_port:port_security_enabled":"rule:context_is_advsvc or
|
||||
# rule:admin_or_network_owner" has been deprecated since W in favor of
|
||||
# "create_port:port_security_enabled":"rule:context_is_advsvc or
|
||||
# (rule:admin_only) or (role:member and rule:network_owner)".
|
||||
# "create_port:port_security_enabled":"(rule:admin_only) or
|
||||
# (rule:service_api) or role:member and rule:network_owner".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Specify ``binding:host_id`` attribute when creating a port
|
||||
# POST /ports
|
||||
# Intended scope(s): project
|
||||
#"create_port:binding:host_id": "rule:admin_only"
|
||||
#"create_port:binding:host_id": "(rule:admin_only) or (rule:service_api)"
|
||||
|
||||
# DEPRECATED
|
||||
# "create_port:binding:host_id":"rule:admin_only" has been deprecated
|
||||
# since W in favor of "create_port:binding:host_id":"rule:admin_only".
|
||||
# since W in favor of "create_port:binding:host_id":"(rule:admin_only)
|
||||
# or (rule:service_api)".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Specify ``binding:profile`` attribute when creating a port
|
||||
# POST /ports
|
||||
# Intended scope(s): project
|
||||
#"create_port:binding:profile": "rule:admin_only"
|
||||
#"create_port:binding:profile": "rule:service_api"
|
||||
|
||||
# DEPRECATED
|
||||
# "create_port:binding:profile":"rule:admin_only" has been deprecated
|
||||
# since W in favor of "create_port:binding:profile":"rule:admin_only".
|
||||
# since W in favor of
|
||||
# "create_port:binding:profile":"rule:service_api".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Specify ``binding:vnic_type`` attribute when creating a port
|
||||
# POST /ports
|
||||
# Intended scope(s): project
|
||||
#"create_port:binding:vnic_type": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
|
||||
#"create_port:binding:vnic_type": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api"
|
||||
|
||||
# DEPRECATED
|
||||
# "create_port:binding:vnic_type":"rule:regular_user" has been
|
||||
# deprecated since W in favor of
|
||||
# "create_port:binding:vnic_type":"(rule:admin_only) or (role:member
|
||||
# and project_id:%(project_id)s)".
|
||||
# and project_id:%(project_id)s) or rule:service_api".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Specify ``allowed_address_pairs`` attribute when creating a port
|
||||
@ -1365,13 +1424,13 @@
|
||||
# GET /ports
|
||||
# GET /ports/{id}
|
||||
# Intended scope(s): project
|
||||
#"get_port": "rule:context_is_advsvc or (rule:admin_only) or (role:reader and rule:network_owner) or role:reader and project_id:%(project_id)s"
|
||||
#"get_port": "(rule:admin_only) or (rule:service_api) or role:reader and rule:network_owner or role:reader and project_id:%(project_id)s"
|
||||
|
||||
# DEPRECATED
|
||||
# "get_port":"rule:context_is_advsvc or
|
||||
# rule:admin_owner_or_network_owner" has been deprecated since W in
|
||||
# favor of "get_port":"rule:context_is_advsvc or (rule:admin_only) or
|
||||
# (role:reader and rule:network_owner) or role:reader and
|
||||
# favor of "get_port":"(rule:admin_only) or (rule:service_api) or
|
||||
# role:reader and rule:network_owner or role:reader and
|
||||
# project_id:%(project_id)s".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
@ -1379,45 +1438,49 @@
|
||||
# GET /ports
|
||||
# GET /ports/{id}
|
||||
# Intended scope(s): project
|
||||
#"get_port:binding:vif_type": "rule:admin_only"
|
||||
#"get_port:binding:vif_type": "(rule:admin_only) or (rule:service_api)"
|
||||
|
||||
# DEPRECATED
|
||||
# "get_port:binding:vif_type":"rule:admin_only" has been deprecated
|
||||
# since W in favor of "get_port:binding:vif_type":"rule:admin_only".
|
||||
# since W in favor of "get_port:binding:vif_type":"(rule:admin_only)
|
||||
# or (rule:service_api)".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Get ``binding:vif_details`` attribute of a port
|
||||
# GET /ports
|
||||
# GET /ports/{id}
|
||||
# Intended scope(s): project
|
||||
#"get_port:binding:vif_details": "rule:admin_only"
|
||||
#"get_port:binding:vif_details": "(rule:admin_only) or (rule:service_api)"
|
||||
|
||||
# DEPRECATED
|
||||
# "get_port:binding:vif_details":"rule:admin_only" has been deprecated
|
||||
# since W in favor of
|
||||
# "get_port:binding:vif_details":"rule:admin_only".
|
||||
# "get_port:binding:vif_details":"(rule:admin_only) or
|
||||
# (rule:service_api)".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Get ``binding:host_id`` attribute of a port
|
||||
# GET /ports
|
||||
# GET /ports/{id}
|
||||
# Intended scope(s): project
|
||||
#"get_port:binding:host_id": "rule:admin_only"
|
||||
#"get_port:binding:host_id": "(rule:admin_only) or (rule:service_api)"
|
||||
|
||||
# DEPRECATED
|
||||
# "get_port:binding:host_id":"rule:admin_only" has been deprecated
|
||||
# since W in favor of "get_port:binding:host_id":"rule:admin_only".
|
||||
# since W in favor of "get_port:binding:host_id":"(rule:admin_only) or
|
||||
# (rule:service_api)".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Get ``binding:profile`` attribute of a port
|
||||
# GET /ports
|
||||
# GET /ports/{id}
|
||||
# Intended scope(s): project
|
||||
#"get_port:binding:profile": "rule:admin_only"
|
||||
#"get_port:binding:profile": "(rule:admin_only) or (rule:service_api)"
|
||||
|
||||
# DEPRECATED
|
||||
# "get_port:binding:profile":"rule:admin_only" has been deprecated
|
||||
# since W in favor of "get_port:binding:profile":"rule:admin_only".
|
||||
# since W in favor of "get_port:binding:profile":"(rule:admin_only) or
|
||||
# (rule:service_api)".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Get ``resource_request`` attribute of a port
|
||||
@ -1437,123 +1500,129 @@
|
||||
# Intended scope(s): project
|
||||
#"get_port:hints": "rule:admin_only"
|
||||
|
||||
# Get the port tags
|
||||
# GET /ports/{id}/tags
|
||||
# GET /ports/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"get_ports_tags": "rule:context_is_advsvc or (rule:admin_only) or (role:reader and rule:network_owner) or role:reader and project_id:%(project_id)s"
|
||||
|
||||
# Update a port
|
||||
# PUT /ports/{id}
|
||||
# Intended scope(s): project
|
||||
#"update_port": "rule:admin_only or role:member and project_id:%(project_id)s or rule:context_is_advsvc"
|
||||
#"update_port": "(rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s"
|
||||
|
||||
# DEPRECATED
|
||||
# "update_port":"rule:admin_or_owner or rule:context_is_advsvc" has
|
||||
# been deprecated since W in favor of "update_port":"rule:admin_only
|
||||
# or role:member and project_id:%(project_id)s or
|
||||
# rule:context_is_advsvc".
|
||||
# been deprecated since W in favor of "update_port":"(rule:admin_only)
|
||||
# or (rule:service_api) or role:member and project_id:%(project_id)s".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Update ``device_owner`` attribute of a port
|
||||
# PUT /ports/{id}
|
||||
# Intended scope(s): project
|
||||
#"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)"
|
||||
#"update_port:device_owner": "not rule:network_device or (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner"
|
||||
|
||||
# DEPRECATED
|
||||
# "update_port:device_owner":"not rule:network_device or
|
||||
# rule:context_is_advsvc or rule:admin_or_network_owner" has been
|
||||
# deprecated since W in favor of "update_port:device_owner":"not
|
||||
# rule:network_device or rule:context_is_advsvc or (rule:admin_only)
|
||||
# or (role:member and rule:network_owner)".
|
||||
# rule:network_device or (rule:admin_only) or (rule:service_api) or
|
||||
# role:member and rule:network_owner".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Update ``mac_address`` attribute of a port
|
||||
# PUT /ports/{id}
|
||||
# Intended scope(s): project
|
||||
#"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc"
|
||||
#"update_port:mac_address": "(rule:admin_only) or (rule:service_api)"
|
||||
|
||||
# DEPRECATED
|
||||
# "update_port:mac_address":"rule:admin_only or
|
||||
# rule:context_is_advsvc" has been deprecated since W in favor of
|
||||
# "update_port:mac_address":"rule:admin_only or
|
||||
# rule:context_is_advsvc".
|
||||
# "update_port:mac_address":"(rule:admin_only) or (rule:service_api)".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Specify ``fixed_ips`` information when updating a port
|
||||
# PUT /ports/{id}
|
||||
# Intended scope(s): project
|
||||
#"update_port:fixed_ips": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)"
|
||||
#"update_port:fixed_ips": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner"
|
||||
|
||||
# DEPRECATED
|
||||
# "update_port:fixed_ips":"rule:context_is_advsvc or
|
||||
# rule:admin_or_network_owner" has been deprecated since W in favor of
|
||||
# "update_port:fixed_ips":"rule:context_is_advsvc or (rule:admin_only)
|
||||
# or (role:member and rule:network_owner)".
|
||||
# "update_port:fixed_ips":"(rule:admin_only) or (rule:service_api) or
|
||||
# role:member and rule:network_owner".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Specify IP address in ``fixed_ips`` information when updating a port
|
||||
# PUT /ports/{id}
|
||||
# Intended scope(s): project
|
||||
#"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)"
|
||||
#"update_port:fixed_ips:ip_address": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner"
|
||||
|
||||
# DEPRECATED
|
||||
# "update_port:fixed_ips:ip_address":"rule:context_is_advsvc or
|
||||
# rule:admin_or_network_owner" has been deprecated since W in favor of
|
||||
# "update_port:fixed_ips:ip_address":"rule:context_is_advsvc or
|
||||
# (rule:admin_only) or (role:member and rule:network_owner)".
|
||||
# "update_port:fixed_ips:ip_address":"(rule:admin_only) or
|
||||
# (rule:service_api) or role:member and rule:network_owner".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Specify subnet ID in ``fixed_ips`` information when updating a port
|
||||
# PUT /ports/{id}
|
||||
# Intended scope(s): project
|
||||
#"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner) or rule:shared"
|
||||
#"update_port:fixed_ips:subnet_id": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or rule:shared"
|
||||
|
||||
# DEPRECATED
|
||||
# "update_port:fixed_ips:subnet_id":"rule:context_is_advsvc or
|
||||
# rule:admin_or_network_owner or rule:shared" has been deprecated
|
||||
# since W in favor of
|
||||
# "update_port:fixed_ips:subnet_id":"rule:context_is_advsvc or
|
||||
# (rule:admin_only) or (role:member and rule:network_owner) or
|
||||
# "update_port:fixed_ips:subnet_id":"(rule:admin_only) or
|
||||
# (rule:service_api) or role:member and rule:network_owner or
|
||||
# rule:shared".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Update ``port_security_enabled`` attribute of a port
|
||||
# PUT /ports/{id}
|
||||
# Intended scope(s): project
|
||||
#"update_port:port_security_enabled": "rule:context_is_advsvc or (rule:admin_only) or (role:member and rule:network_owner)"
|
||||
#"update_port:port_security_enabled": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner"
|
||||
|
||||
# DEPRECATED
|
||||
# "update_port:port_security_enabled":"rule:context_is_advsvc or
|
||||
# rule:admin_or_network_owner" has been deprecated since W in favor of
|
||||
# "update_port:port_security_enabled":"rule:context_is_advsvc or
|
||||
# (rule:admin_only) or (role:member and rule:network_owner)".
|
||||
# "update_port:port_security_enabled":"(rule:admin_only) or
|
||||
# (rule:service_api) or role:member and rule:network_owner".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Update ``binding:host_id`` attribute of a port
|
||||
# PUT /ports/{id}
|
||||
# Intended scope(s): project
|
||||
#"update_port:binding:host_id": "rule:admin_only"
|
||||
#"update_port:binding:host_id": "(rule:admin_only) or (rule:service_api)"
|
||||
|
||||
# DEPRECATED
|
||||
# "update_port:binding:host_id":"rule:admin_only" has been deprecated
|
||||
# since W in favor of "update_port:binding:host_id":"rule:admin_only".
|
||||
# since W in favor of "update_port:binding:host_id":"(rule:admin_only)
|
||||
# or (rule:service_api)".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Update ``binding:profile`` attribute of a port
|
||||
# PUT /ports/{id}
|
||||
# Intended scope(s): project
|
||||
#"update_port:binding:profile": "rule:admin_only"
|
||||
#"update_port:binding:profile": "rule:service_api"
|
||||
|
||||
# DEPRECATED
|
||||
# "update_port:binding:profile":"rule:admin_only" has been deprecated
|
||||
# since W in favor of "update_port:binding:profile":"rule:admin_only".
|
||||
# since W in favor of
|
||||
# "update_port:binding:profile":"rule:service_api".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Update ``binding:vnic_type`` attribute of a port
|
||||
# PUT /ports/{id}
|
||||
# Intended scope(s): project
|
||||
#"update_port:binding:vnic_type": "rule:admin_only or role:member and project_id:%(project_id)s or rule:context_is_advsvc"
|
||||
#"update_port:binding:vnic_type": "(rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s"
|
||||
|
||||
# DEPRECATED
|
||||
# "update_port:binding:vnic_type":"rule:admin_or_owner or
|
||||
# rule:context_is_advsvc" has been deprecated since W in favor of
|
||||
# "update_port:binding:vnic_type":"rule:admin_only or role:member and
|
||||
# project_id:%(project_id)s or rule:context_is_advsvc".
|
||||
# "update_port:binding:vnic_type":"(rule:admin_only) or
|
||||
# (rule:service_api) or role:member and project_id:%(project_id)s".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Update ``allowed_address_pairs`` attribute of a port
|
||||
@ -1611,19 +1680,31 @@
|
||||
# Intended scope(s): project
|
||||
#"update_port:hints": "rule:admin_only"
|
||||
|
||||
# Update the port tags
|
||||
# PUT /ports/{id}/tags
|
||||
# PUT /ports/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"update_ports_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
|
||||
|
||||
# Delete a port
|
||||
# DELETE /ports/{id}
|
||||
# Intended scope(s): project
|
||||
#"delete_port": "rule:context_is_advsvc or role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)"
|
||||
#"delete_port": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or role:member and project_id:%(project_id)s"
|
||||
|
||||
# DEPRECATED
|
||||
# "delete_port":"rule:context_is_advsvc or
|
||||
# rule:admin_owner_or_network_owner" has been deprecated since W in
|
||||
# favor of "delete_port":"rule:context_is_advsvc or role:member and
|
||||
# project_id:%(project_id)s or (rule:admin_only) or (role:member and
|
||||
# rule:network_owner)".
|
||||
# favor of "delete_port":"(rule:admin_only) or (rule:service_api) or
|
||||
# role:member and rule:network_owner or role:member and
|
||||
# project_id:%(project_id)s".
|
||||
# The port API now supports project scope and default roles.
|
||||
|
||||
# Delete the port tags
|
||||
# DELETE /ports/{id}/tags
|
||||
# DELETE /ports/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"delete_ports_tags": "rule:context_is_advsvc or role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)"
|
||||
|
||||
# Rule of shared qos policy
|
||||
#"shared_qos_policy": "field:policies:shared=True"
|
||||
|
||||
@ -2208,6 +2289,12 @@
|
||||
# favor of "get_router:ha":"rule:admin_only".
|
||||
# The router API now supports system scope and default roles.
|
||||
|
||||
# Get the router tags
|
||||
# GET /routers/{id}/tags
|
||||
# GET /routers/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"get_routers_tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
|
||||
|
||||
# Update a router
|
||||
# PUT /routers/{id}
|
||||
# Intended scope(s): project
|
||||
@ -2300,6 +2387,12 @@
|
||||
# Intended scope(s): project
|
||||
#"update_router:enable_default_route_ecmp": "rule:admin_only"
|
||||
|
||||
# Update the router tags
|
||||
# PUT /routers/{id}/tags
|
||||
# PUT /routers/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"update_routers_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
|
||||
|
||||
# Delete a router
|
||||
# DELETE /routers/{id}
|
||||
# Intended scope(s): project
|
||||
@ -2311,6 +2404,12 @@
|
||||
# project_id:%(project_id)s)".
|
||||
# The router API now supports system scope and default roles.
|
||||
|
||||
# Delete the router tags
|
||||
# DELETE /routers/{id}/tags
|
||||
# DELETE /routers/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"delete_routers_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
|
||||
|
||||
# Add an interface to a router
|
||||
# PUT /routers/{id}/add_router_interface
|
||||
# Intended scope(s): project
|
||||
@ -2364,6 +2463,10 @@
|
||||
# Definition of a shared security group
|
||||
#"shared_security_group": "field:security_groups:shared=True"
|
||||
|
||||
# Definition of a security group rule that belongs to the project
|
||||
# default security group
|
||||
#"rule_default_sg": "field:security_group_rules:belongs_to_default_sg=True"
|
||||
|
||||
# Create a security group
|
||||
# POST /security-groups
|
||||
# Intended scope(s): project
|
||||
@ -2387,6 +2490,12 @@
|
||||
# and project_id:%(project_id)s) or rule:shared_security_group".
|
||||
# The security group API now supports system scope and default roles.
|
||||
|
||||
# Get the security group tags
|
||||
# GET /security-groups/{id}/tags
|
||||
# GET /security-groups/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"get_security_groups_tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_security_group"
|
||||
|
||||
# Update a security group
|
||||
# PUT /security-groups/{id}
|
||||
# Intended scope(s): project
|
||||
@ -2398,6 +2507,12 @@
|
||||
# (role:member and project_id:%(project_id)s)".
|
||||
# The security group API now supports system scope and default roles.
|
||||
|
||||
# Update the security group tags
|
||||
# PUT /security-groups/{id}/tags
|
||||
# PUT /security-groups/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"update_security_groups_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
|
||||
|
||||
# Delete a security group
|
||||
# DELETE /security-groups/{id}
|
||||
# Intended scope(s): project
|
||||
@ -2409,6 +2524,12 @@
|
||||
# (role:member and project_id:%(project_id)s)".
|
||||
# The security group API now supports system scope and default roles.
|
||||
|
||||
# Delete the security group tags
|
||||
# DELETE /security-groups/{id}/tags
|
||||
# DELETE /security-groups/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"delete_security_groups_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
|
||||
|
||||
# Create a security group rule
|
||||
# POST /security-group-rules
|
||||
# Intended scope(s): project
|
||||
@ -2467,6 +2588,12 @@
|
||||
# of "get_segment":"rule:admin_only".
|
||||
# The segment API now supports project scope and default roles.
|
||||
|
||||
# Get the segment tags
|
||||
# GET /segments/{id}/tags
|
||||
# GET /segments/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"get_segments_tags": "rule:admin_only"
|
||||
|
||||
# Update a segment
|
||||
# PUT /segments/{id}
|
||||
# Intended scope(s): project
|
||||
@ -2477,6 +2604,12 @@
|
||||
# favor of "update_segment":"rule:admin_only".
|
||||
# The segment API now supports project scope and default roles.
|
||||
|
||||
# Update the segment tags
|
||||
# PUT /segments/{id}/tags
|
||||
# PUT /segments/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"update_segments_tags": "rule:admin_only"
|
||||
|
||||
# Delete a segment
|
||||
# DELETE /segments/{id}
|
||||
# Intended scope(s): project
|
||||
@ -2487,6 +2620,12 @@
|
||||
# favor of "delete_segment":"rule:admin_only".
|
||||
# The segment API now supports project scope and default roles.
|
||||
|
||||
# Delete the segment tags
|
||||
# DELETE /segments/{id}/tags
|
||||
# DELETE /segments/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"delete_segments_tags": "rule:admin_only"
|
||||
|
||||
# Get service providers
|
||||
# GET /service-providers
|
||||
# Intended scope(s): project
|
||||
@ -2533,12 +2672,13 @@
|
||||
# GET /subnets
|
||||
# GET /subnets/{id}
|
||||
# Intended scope(s): project
|
||||
#"get_subnet": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared"
|
||||
#"get_subnet": "(rule:admin_only) or (role:member and rule:network_owner) or role:reader and project_id:%(project_id)s or rule:shared"
|
||||
|
||||
# DEPRECATED
|
||||
# "get_subnet":"rule:admin_or_owner or rule:shared" has been
|
||||
# deprecated since W in favor of "get_subnet":"(rule:admin_only) or
|
||||
# (role:reader and project_id:%(project_id)s) or rule:shared".
|
||||
# (role:member and rule:network_owner) or role:reader and
|
||||
# project_id:%(project_id)s or rule:shared".
|
||||
# The subnet API now supports system scope and default roles.
|
||||
|
||||
# Get ``segment_id`` attribute of a subnet
|
||||
@ -2552,15 +2692,22 @@
|
||||
# W in favor of "get_subnet:segment_id":"rule:admin_only".
|
||||
# The subnet API now supports system scope and default roles.
|
||||
|
||||
# Get the subnet tags
|
||||
# GET /subnets/{id}/tags
|
||||
# GET /subnets/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"get_subnets_tags": "(rule:admin_only) or (role:member and rule:network_owner) or role:reader and project_id:%(project_id)s or rule:shared"
|
||||
|
||||
# Update a subnet
|
||||
# PUT /subnets/{id}
|
||||
# Intended scope(s): project
|
||||
#"update_subnet": "(rule:admin_only) or (role:member and rule:network_owner)"
|
||||
#"update_subnet": "(rule:admin_only) or (role:member and rule:network_owner) or role:member and project_id:%(project_id)s"
|
||||
|
||||
# DEPRECATED
|
||||
# "update_subnet":"rule:admin_or_network_owner" has been deprecated
|
||||
# since W in favor of "update_subnet":"(rule:admin_only) or
|
||||
# (role:member and rule:network_owner)".
|
||||
# (role:member and rule:network_owner) or role:member and
|
||||
# project_id:%(project_id)s".
|
||||
# The subnet API now supports system scope and default roles.
|
||||
|
||||
# Update ``segment_id`` attribute of a subnet
|
||||
@ -2583,17 +2730,30 @@
|
||||
# since W in favor of "update_subnet:service_types":"rule:admin_only".
|
||||
# The subnet API now supports system scope and default roles.
|
||||
|
||||
# Update the subnet tags
|
||||
# PUT /subnets/{id}/tags
|
||||
# PUT /subnets/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"update_subnets_tags": "(rule:admin_only) or (role:member and rule:network_owner) or role:member and project_id:%(project_id)s"
|
||||
|
||||
# Delete a subnet
|
||||
# DELETE /subnets/{id}
|
||||
# Intended scope(s): project
|
||||
#"delete_subnet": "(rule:admin_only) or (role:member and rule:network_owner)"
|
||||
#"delete_subnet": "(rule:admin_only) or (role:member and rule:network_owner) or role:member and project_id:%(project_id)s"
|
||||
|
||||
# DEPRECATED
|
||||
# "delete_subnet":"rule:admin_or_network_owner" has been deprecated
|
||||
# since W in favor of "delete_subnet":"(rule:admin_only) or
|
||||
# (role:member and rule:network_owner)".
|
||||
# (role:member and rule:network_owner) or role:member and
|
||||
# project_id:%(project_id)s".
|
||||
# The subnet API now supports system scope and default roles.
|
||||
|
||||
# Delete the subnet tags
|
||||
# DELETE /subnets/{id}/tags
|
||||
# DELETE /subnets/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"delete_subnets_tags": "(rule:admin_only) or (role:member and rule:network_owner) or role:member and project_id:%(project_id)s"
|
||||
|
||||
# Definition of a shared subnetpool
|
||||
#"shared_subnetpools": "field:subnetpools:shared=True"
|
||||
|
||||
@ -2642,6 +2802,12 @@
|
||||
# project_id:%(project_id)s) or rule:shared_subnetpools".
|
||||
# The subnet pool API now supports system scope and default roles.
|
||||
|
||||
# Get the subnetpool tags
|
||||
# GET /subnetpools/{id}/tags
|
||||
# GET /subnetpools/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"get_subnetpools_tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools"
|
||||
|
||||
# Update a subnetpool
|
||||
# PUT /subnetpools/{id}
|
||||
# Intended scope(s): project
|
||||
@ -2664,6 +2830,12 @@
|
||||
# "update_subnetpool:is_default":"rule:admin_only".
|
||||
# The subnet pool API now supports system scope and default roles.
|
||||
|
||||
# Update the subnetpool tags
|
||||
# PUT /subnetpools/{id}/tags
|
||||
# PUT /subnetpools/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"update_subnetpools_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
|
||||
|
||||
# Delete a subnetpool
|
||||
# DELETE /subnetpools/{id}
|
||||
# Intended scope(s): project
|
||||
@ -2675,6 +2847,12 @@
|
||||
# and project_id:%(project_id)s)".
|
||||
# The subnet pool API now supports system scope and default roles.
|
||||
|
||||
# Delete the subnetpool tags
|
||||
# DELETE /subnetpools/{id}/tags
|
||||
# DELETE /subnetpools/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"delete_subnetpools_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
|
||||
|
||||
# Onboard existing subnet into a subnetpool
|
||||
# PUT /subnetpools/{id}/onboard_network_subnets
|
||||
# Intended scope(s): project
|
||||
@ -2731,6 +2909,12 @@
|
||||
# project_id:%(project_id)s)".
|
||||
# The trunks API now supports system scope and default roles.
|
||||
|
||||
# Get the trunk tags
|
||||
# GET /trunks/{id}/tags
|
||||
# GET /trunks/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"get_trunks_tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
|
||||
|
||||
# Update a trunk
|
||||
# PUT /trunks/{id}
|
||||
# Intended scope(s): project
|
||||
@ -2742,6 +2926,12 @@
|
||||
# project_id:%(project_id)s)".
|
||||
# The trunks API now supports system scope and default roles.
|
||||
|
||||
# Update the trunk tags
|
||||
# PUT /trunks/{id}/tags
|
||||
# PUT /trunks/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"update_trunks_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
|
||||
|
||||
# Delete a trunk
|
||||
# DELETE /trunks/{id}
|
||||
# Intended scope(s): project
|
||||
@ -2753,6 +2943,12 @@
|
||||
# project_id:%(project_id)s)".
|
||||
# The trunks API now supports system scope and default roles.
|
||||
|
||||
# Delete a trunk
|
||||
# DELETE /trunks/{id}/tags
|
||||
# DELETE /trunks/{id}/tags/{tag_id}
|
||||
# Intended scope(s): project
|
||||
#"delete_trunks_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
|
||||
|
||||
# List subports attached to a trunk
|
||||
# GET /trunks/{id}/get_subports
|
||||
# Intended scope(s): project
|
||||
|
@ -1299,7 +1299,7 @@
|
||||
# Intended scope(s): project
|
||||
#"os_compute_api:os-pause-server:unpause": "rule:project_member_or_admin"
|
||||
|
||||
# List quotas for specific quota classs
|
||||
# List quotas for specific quota classes
|
||||
# GET /os-quota-class-sets/{quota_class}
|
||||
# Intended scope(s): project
|
||||
#"os_compute_api:os-quota-class-sets:show": "rule:context_is_admin"
|
||||
@ -1339,9 +1339,8 @@
|
||||
# This policy is for ``POST /remote-consoles`` API and below Server
|
||||
# actions APIs are deprecated:
|
||||
#
|
||||
# - ``os-getRDPConsole`` - ``os-getSerialConsole`` - ``os-
|
||||
# getSPICEConsole`` - ``os-getVNCConsole``.
|
||||
# POST /servers/{server_id}/action (os-getRDPConsole)
|
||||
# - ``os-getSerialConsole`` - ``os-getSPICEConsole`` - ``os-
|
||||
# getVNCConsole``.
|
||||
# POST /servers/{server_id}/action (os-getSerialConsole)
|
||||
# POST /servers/{server_id}/action (os-getSPICEConsole)
|
||||
# POST /servers/{server_id}/action (os-getVNCConsole)
|
||||
@ -1805,7 +1804,7 @@
|
||||
# "os_compute_api:servers:show:flavor-extra-
|
||||
# specs":"rule:project_reader_or_admin".
|
||||
# Policies for showing flavor extra specs in server APIs response is
|
||||
# seprated as new policy. This policy is deprecated only for that but
|
||||
# separated as new policy. This policy is deprecated only for that but
|
||||
# not for list extra specs and showing it in flavor API response.
|
||||
# WARNING: A rule name change has been identified.
|
||||
# This may be an artifact of new rules being
|
||||
|