From b7bb76eb204ef1cbd6df9f416437263a67371ba5 Mon Sep 17 00:00:00 2001 
From: Akihiro Motoki Date: Mon, 7 Sep 2020 12:12:37 +0900 Subject: [PATCH] Support policy-in-code and deprecated policy This commit allows horizon to handle deprecated policy rules. The approach is explained in the document updated by this change. oslo.policy requirement is updated. oslo.policy 3.2.0 is chosen just because it is the first release in Victoria cycle. requirements.txt and lower-constraints.txt are updated accordingly including oslo.policy dependencies. Change-Id: If5059d03f6bd7e94796065aa1b51c0c23ac85f5e --- doc/source/configuration/settings.rst | 41 +- doc/source/contributor/topics/policy.rst | 114 +- lower-constraints.txt | 6 +- openstack_auth/defaults.py | 1 + openstack_auth/policy.py | 48 + openstack_dashboard/conf/cinder_policy.json | 147 - openstack_dashboard/conf/cinder_policy.yaml | 646 ++++ .../conf/default_policies/README.txt | 12 + .../conf/default_policies/cinder.yaml | 1137 ++++++ .../conf/default_policies/glance.yaml | 280 ++ .../conf/default_policies/keystone.yaml | 2954 ++++++++++++++++ .../conf/default_policies/neutron.yaml | 1511 ++++++++ .../conf/default_policies/nova.yaml | 3103 +++++++++++++++++ openstack_dashboard/conf/glance_policy.json | 63 - openstack_dashboard/conf/glance_policy.yaml | 121 + openstack_dashboard/conf/keystone_policy.json | 174 - openstack_dashboard/conf/keystone_policy.yaml | 2330 +++++++++++++ openstack_dashboard/conf/neutron_policy.json | 220 -- openstack_dashboard/conf/neutron_policy.yaml | 961 +++++ openstack_dashboard/conf/nova_policy.json | 158 - openstack_dashboard/conf/nova_policy.yaml | 1877 ++++++++++ openstack_dashboard/defaults.py | 17 +- .../commands/dump_default_policies.py | 82 + ...licy-in-code-support-f79d559c25976215.yaml | 22 + requirements.txt | 4 +- 25 files changed, 15237 insertions(+), 792 deletions(-) delete mode 100644 openstack_dashboard/conf/cinder_policy.json create mode 100644 openstack_dashboard/conf/cinder_policy.yaml create mode 100644 
openstack_dashboard/conf/default_policies/README.txt create mode 100644 openstack_dashboard/conf/default_policies/cinder.yaml create mode 100644 openstack_dashboard/conf/default_policies/glance.yaml create mode 100644 openstack_dashboard/conf/default_policies/keystone.yaml create mode 100644 openstack_dashboard/conf/default_policies/neutron.yaml create mode 100644 openstack_dashboard/conf/default_policies/nova.yaml delete mode 100644 openstack_dashboard/conf/glance_policy.json create mode 100644 openstack_dashboard/conf/glance_policy.yaml delete mode 100644 openstack_dashboard/conf/keystone_policy.json create mode 100644 openstack_dashboard/conf/keystone_policy.yaml delete mode 100644 openstack_dashboard/conf/neutron_policy.json create mode 100644 openstack_dashboard/conf/neutron_policy.yaml delete mode 100644 openstack_dashboard/conf/nova_policy.json create mode 100644 openstack_dashboard/conf/nova_policy.yaml create mode 100644 openstack_dashboard/management/commands/dump_default_policies.py create mode 100644 releasenotes/notes/policy-in-code-support-f79d559c25976215.yaml diff --git a/doc/source/configuration/settings.rst b/doc/source/configuration/settings.rst index 08c4f9b2d9..466347d44b 100644 --- a/doc/source/configuration/settings.rst +++ b/doc/source/configuration/settings.rst 
@@ -136,6 +136,30 @@ the GUI. For example themes, see: /horizon/openstack_dashboard/themes/ Horizon ships with two themes configured. 'default' is the default theme, and 'material' is based on Google's Material Design. +DEFAULT_POLICY_FILES +-------------------- + +.. versionadded:: 19.1.0(Wallaby) + +Default: + +.. code-block:: python + + { + 'identity': 'default_policies/keystone.yaml', + 'compute': 'default_policies/nova.yaml', + 'volume': 'default_policies/cinder.yaml', + 'image': 'default_policies/glance.yaml', + 'network': 'default_policies/neutron.yaml', + } + +This is a mapping from service types to YAML files including default +policy definitions. Values of this mapping should be relative paths to +`POLICY_FILES_PATH`_ or absolute paths. Policy files specified in this +setting are generated from default policies of back-end services, +so you rarely need to configure it. If you would like to override the +default policies, consider customizing files under `POLICY_FILES`_. + DEFAULT_THEME ------------- @@ -792,20 +816,25 @@ POLICY_FILES .. versionadded:: 2013.2(Havana) +.. versionchanged:: 19.1.0(Wallaby) + + The default files are changed to YAML format. + JSON format still continues to be supported. + Default: .. code-block:: python { - 'compute': 'nova_policy.json', - 'identity': 'keystone_policy.json', - 'image': 'glance_policy.json', - 'network': 'neutron_policy.json', - 'volume': 'cinder_policy.json', + 'compute': 'nova_policy.yaml', + 'identity': 'keystone_policy.yaml', + 'image': 'glance_policy.yaml', + 'network': 'neutron_policy.yaml', + 'volume': 'cinder_policy.yaml', } This should essentially be the mapping of the contents of `POLICY_FILES_PATH`_ -to service types. When policy.json files are added to `POLICY_FILES_PATH`_, +to service types. When policy files are added to `POLICY_FILES_PATH`_, they should be included here too. POLICY_FILES_PATH 
diff --git a/doc/source/contributor/topics/policy.rst b/doc/source/contributor/topics/policy.rst index 96d8ab8581..f26503c27a 100644 --- a/doc/source/contributor/topics/policy.rst +++ b/doc/source/contributor/topics/policy.rst @@ -29,6 +29,7 @@ engine to work. * ``POLICY_DIRS`` * ``POLICY_FILES_PATH`` * ``POLICY_FILES`` +* ``DEFAULT_POLICY_FILES`` For more detail, see :doc:`/configuration/settings`. 
@@ -154,32 +155,117 @@ override the :meth:`horizon.tables.Action.get_policy_target` method. This allows a programmatic way to specify the target based on the current datum. The value returned should be the target dictionary. +Policy-in-Code and deprecated rules +=================================== + +As the effort of +`policy-in-code `__, +most OpenStack projects define their default policies in their codes. +All projects (except swift) covered by horizon supports "policy-in-code". +(Note that swift is an exception as it has its own mechanism to control RBAC.) + +"oslo.policy" provides a way to deprecate existing policy rules like +renaming rule definitions ("check_str") and renaming rule names. +They are defined as part of python codes in back-end services. +horizon cannot import python codes of back-end services, so we need a way +to restore policies defined by "policy-in-code" including deprecated rules. + +To address the above issue, horizon adopts the following two-step approach: + +* The first step scans policy-in-code of back-end services and + and dump the loaded default policies into YAML files per service + including information of deprecated rules. + This step is executed as part of the development process per release cycle + and these YAML files are shipped per release. + + Note that `oslopolicy-sample-generator` does not output deprecated rules + in a structured way, so we prepare a dedicated script for this purpose + in the horizon repo. + +* The horizon policy implementation loads the above YAML file into a list of + RuleDefault and registers the list as the default rules to the policy + enforcer. The default rules and operator-defined rules are maintained + separately, so operators still can edit the policy files as oslo.policy + does in back-end services. + +This approach has the following merits: + +* All features supported by oslo.policy can be supported in horizon + as default rules in back-end services are restored as-is. 
+ Horizon can evaluate deprecated rules. +* The default rules and operator defined rules are maintained separately. + Operators can use the same way to maintain policy files of back-end services. + +The related files in the horizon codebase are: + +* `openstack_dashboard/conf/_policy.yaml`: + operator-defined policies. + These files are generated by `oslopolicy-sample-generator`. +* `openstack_dashboard/conf/default_policies/.yaml` + YAML files contain default policies. +* `openstack_dashboard/management/commands/dump_default_policies.py`: + This script scans policy-in-code of a specified namespace under + `oslo.policy.policies` entrypoints and dump them into the YAML file + under `openstack_dashboard/conf/default_policies`. +* `openstack_auth/policy.py`: `_load_default_rules` function loads + the YAML files with default rules and call `register_defautls` method + of the policy enforcer per service. + Policy file maintenance ======================= -The policy implementation uses the copies of policies defined in -back-end services. +* YAML files for default policies -As of Queens, the OpenStack community are in the process of -`policy-in-code `__. -Some projects already define their policies in the code, -and some still have their policies in ``policy.json`` files. + Run the following command after installing a corresponding project. + You need to run it for keystone, nova, cinder, neutron, glance. -For project with the legacy ``policy.json`` files, -what we need to do is just to copy ``policy.json`` into the horizon tree. + .. code-block:: console -For projects with "policy-in-code", all policies are defined as python codes, -so we first need to generate policy files with its default rules. -To do this, run the following command after install a corresponding project. + python3 manage.py dump_default_policies \ + --namespace $PROJECT \ + --output-file openstack_dashboard/conf/default_policies/${PROJECT}.yaml -.. 
code-block:: console +* Sample policy files - oslopolicy-sample-generator --namespace $PROJECT --format json \ - --output-file $HORIZON_REPO/openstack_dashboard/conf/$PROJECT_policy.json + Run the following commands after installing a corresponding project. + You need to run it for keystone, nova, cinder, neutron, glance. + + .. code-block:: console + + oslopolicy-sample-generator --namespace keystone \ + --output-file openstack_dashboard/conf/${PROJECT}_policy.yaml + sed -i 's/^"/#"/' openstack_dashboard/conf/${PROJECT}_policy.yaml + + .. note:: + + We now use YAML format for sample policy files now. + "oslo.policy" can accept both YAML and JSON files. + We now support default policies so there is no need to define all + policies using JSON files. YAML files also allows us to use comments, + so we can provide good sample policy files. + This is the same motivation as the Wallaby community goal + `Migrate RBAC Policy Format from JSON to YAML + `__. + + .. note:: + + The second "sed" command is to comment out rules for rule renames. + `oslopolicy-sample-generator` does not comment out them, but they + are unnecessary in horizon usage. A single renaming rule can map + to multiple rules, so it does not work as-is. In addition, + they trigger deprecation warnings in horizon log if these sample + files are used in horizon as-is. + Thus, we comment them out by default. After syncing policies from back-end services, you need to check what are changed. If a policy referred by horizon has been changed, you need to check and modify the horizon code base accordingly. + +.. note:: + + After the support of default policies, the following tool does not work. + It is a future work to make it work again or evaluate the need itself. + To summarize which policies are removed or added, a convenient tool is provided: diff --git a/lower-constraints.txt b/lower-constraints.txt index 832a253541..826e542832 100644 --- a/lower-constraints.txt +++ b/lower-constraints.txt 
@@ -56,16 +56,16 @@ os-service-types==1.2.0
 osc-lib==1.8.0
 oslo.concurrency==3.26.0
 oslo.config==5.2.0
-oslo.context==2.19.2
+oslo.context==2.22.0
 oslo.i18n==3.15.3
 oslo.log==3.36.0
 oslo.messaging==5.29.0
 oslo.middleware==3.31.0
-oslo.policy==1.30.0
+oslo.policy==3.2.0
 oslo.serialization==2.18.0
 oslo.service==1.24.0
 oslo.upgradecheck==0.1.1
-oslo.utils==3.33.0
+oslo.utils==3.40.0
 osprofiler==2.3.0
 Paste==2.0.2
 PasteDeploy==1.5.0
diff --git a/openstack_auth/defaults.py b/openstack_auth/defaults.py
index 845a40e7ce..060390f865 100644
--- a/openstack_auth/defaults.py
+++ b/openstack_auth/defaults.py
@@ -170,3 +170,4 @@ KEYSTONE_PROVIDER_IDP_ID = 'localkeystone'
 POLICY_FILES_PATH = ''
 POLICY_FILES = {}
 POLICY_DIRS = {}
+DEFAULT_POLICY_FILES = {}
diff --git a/openstack_auth/policy.py b/openstack_auth/policy.py
index 0263036bee..a2085b9172 100644
--- a/openstack_auth/policy.py
+++ b/openstack_auth/policy.py
@@ -20,6 +20,7 @@ from django.conf import settings
 from oslo_config import cfg
 from oslo_policy import opts as policy_opts
 from oslo_policy import policy
+import yaml
 
 from openstack_auth import user as auth_user
 from openstack_auth import utils as auth_utils
@@ -55,6 +56,51 @@ def _get_policy_file_with_full_path(service): return policy_file, policy_dirs +def _convert_to_ruledefault(p): + deprecated = p.get('deprecated_rule') + if deprecated: + deprecated_rule = policy.DeprecatedRule(deprecated['name'], + deprecated['check_str']) + else: + deprecated_rule = None + + return policy.RuleDefault( + p['name'], p['check_str'], + description=p['description'], + scope_types=p['scope_types'], + deprecated_rule=deprecated_rule, + deprecated_for_removal=p.get('deprecated_for_removal', False), + deprecated_reason=p.get('deprecated_reason'), + deprecated_since=p.get('deprecated_since'), + ) + + +def _load_default_rules(service, enforcer): + policy_files = settings.DEFAULT_POLICY_FILES + try: + policy_file = os.path.join(_BASE_PATH, policy_files[service]) + except KeyError: + LOG.error('Default policy file for %s is not defined. ' + 'Check DEFAULT_POLICY_FILES setting.', service) + return + + try: + with open(policy_file) as f: + policies = yaml.safe_load(f) + except IOError as e: + LOG.error('Failed to open the policy file for %(service)s %(path)s: ' + '%(reason)s', + {'service': service, 'path': policy_file, 'reason': e}) + return + except yaml.YAMLError as e: + LOG.error('Failed to load the default policies for %(service)s: ' + '%(reason)s', {'service': service, 'reason': e}) + return + + defaults = [_convert_to_ruledefault(p) for p in policies] + enforcer.register_defaults(defaults) + + def _get_enforcer(): global _ENFORCER if not _ENFORCER: @@ -64,6 +110,8 @@ def _get_enforcer(): policy_file, policy_dirs = _get_policy_file_with_full_path(service) conf = _get_policy_conf(policy_file, policy_dirs) enforcer = policy.Enforcer(conf) + enforcer.suppress_default_change_warnings = True + _load_default_rules(service, enforcer) try: enforcer.load_rules() except IOError: diff --git a/openstack_dashboard/conf/cinder_policy.json b/openstack_dashboard/conf/cinder_policy.json deleted file mode 100644 index 8bc3934528..0000000000 
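Review bot: The list comprehension at the end of `_load_default_rules` runs outside the try/except, so a default policy file whose content is not a list of mappings (an empty file makes `yaml.safe_load` return None) raises TypeError out of `_get_enforcer` instead of being logged like the other load failures. `_convert_to_ruledefault` likewise indexes `p['description']` and `p['scope_types']` directly while every other optional field goes through `.get`, so an entry missing either key raises KeyError on the same unlogged path; `RuleDefault` already defaults both to None. A shape check before the comprehension plus `.get` for those two fields keeps every failure on the logged path. Using `yaml.safe_load` here is the right choice, since DEFAULT_POLICY_FILES lets an operator point this loader at an arbitrary file.
```python
def _convert_to_ruledefault(p):
    # … unchanged: deprecated_rule construction …
    return policy.RuleDefault(
        p['name'], p['check_str'],
        description=p.get('description'),
        scope_types=p.get('scope_types'),
        # … unchanged: remaining keyword arguments …
    )


def _load_default_rules(service, enforcer):
    # … unchanged: path lookup and the open/yaml.safe_load try/except …
    if not isinstance(policies, list):
        LOG.error('Default policy file for %(service)s %(path)s must contain '
                  'a list of rules.', {'service': service, 'path': policy_file})
        return

    defaults = [_convert_to_ruledefault(p) for p in policies]
    enforcer.register_defaults(defaults)
```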
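Review bot: `_load_default_rules` reports each failure with LOG.error and returns None, so the new call in `_get_enforcer` cannot tell whether any defaults were registered; the enforcer is then built without them and any rule absent from the operator's policy file is resolved by oslo.policy's fallback rather than by the back-end service's default, which is presumably not what this change intends for a single missing or malformed file. Consider having `_load_default_rules` return a bool (`return False` on each error path, `return True` after `register_defaults`) so `_get_enforcer` can log that policy checks for that service are running without service defaults, or fail hard if that is the intended contract. The new `enforcer.suppress_default_change_warnings = True` line also deserves a why-comment, e.g. `# NOTE(review): silences oslo.policy's default-change warnings; confirm the service defaults registered below make them redundant.` `_get_enforcer` starts and ends outside the hunk.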
--- a/openstack_dashboard/conf/cinder_policy.json +++ /dev/null 
@@ -1,147 +0,0 @@ -{ - "context_is_admin": "role:admin", - "admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s", - "admin_api": "is_admin:True or (role:admin and is_admin_project:True)", - "volume:attachment_create": "", - "volume:attachment_update": "rule:admin_or_owner", - "volume:attachment_delete": "rule:admin_or_owner", - "volume:attachment_complete": "rule:admin_or_owner", - "volume:multiattach_bootable_volume": "rule:admin_or_owner", - "message:get_all": "rule:admin_or_owner", - "message:get": "rule:admin_or_owner", - "message:delete": "rule:admin_or_owner", - "clusters:get_all": "rule:admin_api", - "clusters:get": "rule:admin_api", - "clusters:update": "rule:admin_api", - "workers:cleanup": "rule:admin_api", - "volume:get_snapshot_metadata": "rule:admin_or_owner", - "volume:update_snapshot_metadata": "rule:admin_or_owner", - "volume:delete_snapshot_metadata": "rule:admin_or_owner", - "volume:get_all_snapshots": "rule:admin_or_owner", - "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner", - "volume:create_snapshot": "rule:admin_or_owner", - "volume:get_snapshot": "rule:admin_or_owner", - "volume:update_snapshot": "rule:admin_or_owner", - "volume:delete_snapshot": "rule:admin_or_owner", - "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api", - "snapshot_extension:snapshot_actions:update_snapshot_status": "", - "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api", - "snapshot_extension:list_manageable": "rule:admin_api", - "snapshot_extension:snapshot_manage": "rule:admin_api", - "snapshot_extension:snapshot_unmanage": "rule:admin_api", - "backup:get_all": "rule:admin_or_owner", - "backup:backup_project_attribute": "rule:admin_api", - "backup:create": "", - "backup:get": "rule:admin_or_owner", - "backup:update": "rule:admin_or_owner", - "backup:delete": "rule:admin_or_owner", - "backup:restore": "rule:admin_or_owner", - "backup:backup-import": 
"rule:admin_api", - "backup:export-import": "rule:admin_api", - "volume_extension:backup_admin_actions:reset_status": "rule:admin_api", - "volume_extension:backup_admin_actions:force_delete": "rule:admin_api", - "group:get_all": "rule:admin_or_owner", - "group:create": "", - "group:get": "rule:admin_or_owner", - "group:update": "rule:admin_or_owner", - "group:group_project_attribute": "rule:admin_api", - "group:group_types_manage": "rule:admin_api", - "group:access_group_types_specs": "rule:admin_api", - "group:group_types_specs": "rule:admin_api", - "group:get_all_group_snapshots": "rule:admin_or_owner", - "group:create_group_snapshot": "", - "group:get_group_snapshot": "rule:admin_or_owner", - "group:delete_group_snapshot": "rule:admin_or_owner", - "group:update_group_snapshot": "rule:admin_or_owner", - "group:group_snapshot_project_attribute": "rule:admin_api", - "group:reset_group_snapshot_status": "rule:admin_or_owner", - "group:delete": "rule:admin_or_owner", - "group:reset_status": "rule:admin_api", - "group:enable_replication": "rule:admin_or_owner", - "group:disable_replication": "rule:admin_or_owner", - "group:failover_replication": "rule:admin_or_owner", - "group:list_replication_targets": "rule:admin_or_owner", - "volume_extension:qos_specs_manage:get_all": "rule:admin_api", - "volume_extension:qos_specs_manage:get": "rule:admin_api", - "volume_extension:qos_specs_manage:create": "rule:admin_api", - "volume_extension:qos_specs_manage:update": "rule:admin_api", - "volume_extension:qos_specs_manage:delete": "rule:admin_api", - "volume_extension:quota_classes": "rule:admin_api", - "volume_extension:quotas:show": "rule:admin_or_owner", - "volume_extension:quotas:update": "rule:admin_api", - "volume_extension:quotas:delete": "rule:admin_api", - "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api", - "volume_extension:capabilities": "rule:admin_api", - "volume_extension:services:index": "rule:admin_api", - 
"volume_extension:services:update": "rule:admin_api", - "volume:freeze_host": "rule:admin_api", - "volume:thaw_host": "rule:admin_api", - "volume:failover_host": "rule:admin_api", - "scheduler_extension:scheduler_stats:get_pools": "rule:admin_api", - "volume_extension:hosts": "rule:admin_api", - "limits_extension:used_limits": "rule:admin_or_owner", - "volume_extension:list_manageable": "rule:admin_api", - "volume_extension:volume_manage": "rule:admin_api", - "volume_extension:volume_unmanage": "rule:admin_api", - "volume_extension:types_manage": "rule:admin_api", - "volume_extension:type_get": "", - "volume_extension:type_get_all": "", - "volume_extension:volume_type_encryption": "rule:admin_api", - "volume_extension:volume_type_encryption:create": "rule:volume_extension:volume_type_encryption", - "volume_extension:volume_type_encryption:get": "rule:volume_extension:volume_type_encryption", - "volume_extension:volume_type_encryption:update": "rule:volume_extension:volume_type_encryption", - "volume_extension:volume_type_encryption:delete": "rule:volume_extension:volume_type_encryption", - "volume_extension:access_types_extra_specs": "rule:admin_api", - "volume_extension:access_types_qos_specs_id": "rule:admin_api", - "volume_extension:volume_type_access": "rule:admin_or_owner", - "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api", - "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api", - "volume:extend": "rule:admin_or_owner", - "volume:extend_attached_volume": "rule:admin_or_owner", - "volume:revert_to_snapshot": "rule:admin_or_owner", - "volume_extension:volume_admin_actions:reset_status": "rule:admin_api", - "volume:retype": "rule:admin_or_owner", - "volume:update_readonly_flag": "rule:admin_or_owner", - "volume_extension:volume_admin_actions:force_delete": "rule:admin_api", - "volume_extension:volume_actions:upload_public": "rule:admin_api", - "volume_extension:volume_actions:upload_image": "rule:admin_or_owner", - 
"volume_extension:volume_admin_actions:force_detach": "rule:admin_api", - "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api", - "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api", - "volume_extension:volume_actions:initialize_connection": "rule:admin_or_owner", - "volume_extension:volume_actions:terminate_connection": "rule:admin_or_owner", - "volume_extension:volume_actions:roll_detaching": "rule:admin_or_owner", - "volume_extension:volume_actions:reserve": "rule:admin_or_owner", - "volume_extension:volume_actions:unreserve": "rule:admin_or_owner", - "volume_extension:volume_actions:begin_detaching": "rule:admin_or_owner", - "volume_extension:volume_actions:attach": "rule:admin_or_owner", - "volume_extension:volume_actions:detach": "rule:admin_or_owner", - "volume:get_all_transfers": "rule:admin_or_owner", - "volume:create_transfer": "rule:admin_or_owner", - "volume:get_transfer": "rule:admin_or_owner", - "volume:accept_transfer": "", - "volume:delete_transfer": "rule:admin_or_owner", - "volume:get_volume_metadata": "rule:admin_or_owner", - "volume:create_volume_metadata": "rule:admin_or_owner", - "volume:update_volume_metadata": "rule:admin_or_owner", - "volume:delete_volume_metadata": "rule:admin_or_owner", - "volume_extension:volume_image_metadata": "rule:admin_or_owner", - "volume:update_volume_admin_metadata": "rule:admin_api", - "volume_extension:types_extra_specs:index": "rule:admin_api", - "volume_extension:types_extra_specs:create": "rule:admin_api", - "volume_extension:types_extra_specs:show": "rule:admin_api", - "volume_extension:types_extra_specs:update": "rule:admin_api", - "volume_extension:types_extra_specs:delete": "rule:admin_api", - "volume:create": "", - "volume:create_from_image": "", - "volume:get": "rule:admin_or_owner", - "volume:get_all": "rule:admin_or_owner", - "volume:update": "rule:admin_or_owner", - "volume:delete": "rule:admin_or_owner", - "volume:force_delete": "rule:admin_api", 
- "volume_extension:volume_host_attribute": "rule:admin_api", - "volume_extension:volume_tenant_attribute": "rule:admin_or_owner", - "volume_extension:volume_mig_status_attribute": "rule:admin_api", - "volume_extension:volume_encryption_metadata": "rule:admin_or_owner", - "volume:multiattach": "rule:admin_or_owner" -} diff --git a/openstack_dashboard/conf/cinder_policy.yaml b/openstack_dashboard/conf/cinder_policy.yaml new file mode 100644 index 0000000000..1d3f0fbaa1 --- /dev/null +++ b/openstack_dashboard/conf/cinder_policy.yaml 
@@ -0,0 +1,646 @@ +# Decides what is required for the 'is_admin:True' check to succeed. +#"context_is_admin": "role:admin" + +# Default rule for most non-Admin APIs. +#"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s" + +# Default rule for most Admin APIs. +#"admin_api": "is_admin:True or (role:admin and is_admin_project:True)" + +# Create attachment. +# POST /attachments +#"volume:attachment_create": "" + +# Update attachment. +# PUT /attachments/{attachment_id} +#"volume:attachment_update": "rule:admin_or_owner" + +# Delete attachment. +# DELETE /attachments/{attachment_id} +#"volume:attachment_delete": "rule:admin_or_owner" + +# Mark a volume attachment process as completed (in-use) +# POST /attachments/{attachment_id}/action (os-complete) +#"volume:attachment_complete": "rule:admin_or_owner" + +# Allow multiattach of bootable volumes. +# POST /attachments +#"volume:multiattach_bootable_volume": "rule:admin_or_owner" + +# List messages. +# GET /messages +#"message:get_all": "rule:admin_or_owner" + +# Show message. +# GET /messages/{message_id} +#"message:get": "rule:admin_or_owner" + +# Delete message. +# DELETE /messages/{message_id} +#"message:delete": "rule:admin_or_owner" + +# List clusters. +# GET /clusters +# GET /clusters/detail +#"clusters:get_all": "rule:admin_api" + +# Show cluster. +# GET /clusters/{cluster_id} +#"clusters:get": "rule:admin_api" + +# Update cluster. +# PUT /clusters/{cluster_id} +#"clusters:update": "rule:admin_api" + +# Clean up workers. +# POST /workers/cleanup +#"workers:cleanup": "rule:admin_api" + +# Show snapshot's metadata or one specified metadata with a given key. +# GET /snapshots/{snapshot_id}/metadata +# GET /snapshots/{snapshot_id}/metadata/{key} +#"volume:get_snapshot_metadata": "rule:admin_or_owner" + +# Update snapshot's metadata or one specified metadata with a given +# key. 
+# PUT /snapshots/{snapshot_id}/metadata +# PUT /snapshots/{snapshot_id}/metadata/{key} +#"volume:update_snapshot_metadata": "rule:admin_or_owner" + +# Delete snapshot's specified metadata with a given key. +# DELETE /snapshots/{snapshot_id}/metadata/{key} +#"volume:delete_snapshot_metadata": "rule:admin_or_owner" + +# List snapshots. +# GET /snapshots +# GET /snapshots/detail +#"volume:get_all_snapshots": "rule:admin_or_owner" + +# List or show snapshots with extended attributes. +# GET /snapshots/{snapshot_id} +# GET /snapshots/detail +#"volume_extension:extended_snapshot_attributes": "rule:admin_or_owner" + +# Create snapshot. +# POST /snapshots +#"volume:create_snapshot": "rule:admin_or_owner" + +# Show snapshot. +# GET /snapshots/{snapshot_id} +#"volume:get_snapshot": "rule:admin_or_owner" + +# Update snapshot. +# PUT /snapshots/{snapshot_id} +#"volume:update_snapshot": "rule:admin_or_owner" + +# Delete snapshot. +# DELETE /snapshots/{snapshot_id} +#"volume:delete_snapshot": "rule:admin_or_owner" + +# Reset status of a snapshot. +# POST /snapshots/{snapshot_id}/action (os-reset_status) +#"volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api" + +# Update database fields of snapshot. +# POST /snapshots/{snapshot_id}/action (update_snapshot_status) +#"snapshot_extension:snapshot_actions:update_snapshot_status": "" + +# Force delete a snapshot. +# POST /snapshots/{snapshot_id}/action (os-force_delete) +#"volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api" + +# List (in detail) of snapshots which are available to manage. +# GET /manageable_snapshots +# GET /manageable_snapshots/detail +#"snapshot_extension:list_manageable": "rule:admin_api" + +# Manage an existing snapshot. +# POST /manageable_snapshots +#"snapshot_extension:snapshot_manage": "rule:admin_api" + +# Stop managing a snapshot. +# POST /snapshots/{snapshot_id}/action (os-unmanage) +#"snapshot_extension:snapshot_unmanage": "rule:admin_api" + +# List backups. 
+# GET /backups +# GET /backups/detail +#"backup:get_all": "rule:admin_or_owner" + +# List backups or show backup with project attributes. +# GET /backups/{backup_id} +# GET /backups/detail +#"backup:backup_project_attribute": "rule:admin_api" + +# Create backup. +# POST /backups +#"backup:create": "" + +# Show backup. +# GET /backups/{backup_id} +#"backup:get": "rule:admin_or_owner" + +# Update backup. +# PUT /backups/{backup_id} +#"backup:update": "rule:admin_or_owner" + +# Delete backup. +# DELETE /backups/{backup_id} +#"backup:delete": "rule:admin_or_owner" + +# Restore backup. +# POST /backups/{backup_id}/restore +#"backup:restore": "rule:admin_or_owner" + +# Import backup. +# POST /backups/{backup_id}/import_record +#"backup:backup-import": "rule:admin_api" + +# Export backup. +# POST /backups/{backup_id}/export_record +#"backup:export-import": "rule:admin_api" + +# Reset status of a backup. +# POST /backups/{backup_id}/action (os-reset_status) +#"volume_extension:backup_admin_actions:reset_status": "rule:admin_api" + +# Force delete a backup. +# POST /backups/{backup_id}/action (os-force_delete) +#"volume_extension:backup_admin_actions:force_delete": "rule:admin_api" + +# List groups. +# GET /groups +# GET /groups/detail +#"group:get_all": "rule:admin_or_owner" + +# Create group. +# POST /groups +#"group:create": "" + +# Show group. +# GET /groups/{group_id} +#"group:get": "rule:admin_or_owner" + +# Update group. +# PUT /groups/{group_id} +#"group:update": "rule:admin_or_owner" + +# List groups or show group with project attributes. +# GET /groups/{group_id} +# GET /groups/detail +#"group:group_project_attribute": "rule:admin_api" + +# Create, update or delete a group type. +# POST /group_types/ +# PUT /group_types/{group_type_id} +# DELETE /group_types/{group_type_id} +#"group:group_types_manage": "rule:admin_api" + +# Show group type with type specs attributes. 
+# GET /group_types/{group_type_id} +#"group:access_group_types_specs": "rule:admin_api" + +# Create, show, update and delete group type spec. +# GET /group_types/{group_type_id}/group_specs/{g_spec_id} +# GET /group_types/{group_type_id}/group_specs +# POST /group_types/{group_type_id}/group_specs +# PUT /group_types/{group_type_id}/group_specs/{g_spec_id} +# DELETE /group_types/{group_type_id}/group_specs/{g_spec_id} +#"group:group_types_specs": "rule:admin_api" + +# List group snapshots. +# GET /group_snapshots +# GET /group_snapshots/detail +#"group:get_all_group_snapshots": "rule:admin_or_owner" + +# Create group snapshot. +# POST /group_snapshots +#"group:create_group_snapshot": "" + +# Show group snapshot. +# GET /group_snapshots/{group_snapshot_id} +#"group:get_group_snapshot": "rule:admin_or_owner" + +# Delete group snapshot. +# DELETE /group_snapshots/{group_snapshot_id} +#"group:delete_group_snapshot": "rule:admin_or_owner" + +# Update group snapshot. +# PUT /group_snapshots/{group_snapshot_id} +#"group:update_group_snapshot": "rule:admin_or_owner" + +# List group snapshots or show group snapshot with project attributes. +# GET /group_snapshots/{group_snapshot_id} +# GET /group_snapshots/detail +#"group:group_snapshot_project_attribute": "rule:admin_api" + +# Reset status of group snapshot. +# POST /group_snapshots/{g_snapshot_id}/action (reset_status) +#"group:reset_group_snapshot_status": "rule:admin_or_owner" + +# Delete group. +# POST /groups/{group_id}/action (delete) +#"group:delete": "rule:admin_or_owner" + +# Reset status of group. +# POST /groups/{group_id}/action (reset_status) +#"group:reset_status": "rule:admin_api" + +# Enable replication. +# POST /groups/{group_id}/action (enable_replication) +#"group:enable_replication": "rule:admin_or_owner" + +# Disable replication. +# POST /groups/{group_id}/action (disable_replication) +#"group:disable_replication": "rule:admin_or_owner" + +# Fail over replication. 
+# POST /groups/{group_id}/action (failover_replication) +#"group:failover_replication": "rule:admin_or_owner" + +# List failover replication. +# POST /groups/{group_id}/action (list_replication_targets) +#"group:list_replication_targets": "rule:admin_or_owner" + +# List qos specs or list all associations. +# GET /qos-specs +# GET /qos-specs/{qos_id}/associations +#"volume_extension:qos_specs_manage:get_all": "rule:admin_api" + +# Show qos specs. +# GET /qos-specs/{qos_id} +#"volume_extension:qos_specs_manage:get": "rule:admin_api" + +# Create qos specs. +# POST /qos-specs +#"volume_extension:qos_specs_manage:create": "rule:admin_api" + +# Update qos specs (including updating association). +# PUT /qos-specs/{qos_id} +# GET /qos-specs/{qos_id}/disassociate_all +# GET /qos-specs/{qos_id}/associate +# GET /qos-specs/{qos_id}/disassociate +#"volume_extension:qos_specs_manage:update": "rule:admin_api" + +# delete qos specs or unset one specified qos key. +# DELETE /qos-specs/{qos_id} +# PUT /qos-specs/{qos_id}/delete_keys +#"volume_extension:qos_specs_manage:delete": "rule:admin_api" + +# Show or update project quota class. +# GET /os-quota-class-sets/{project_id} +# PUT /os-quota-class-sets/{project_id} +#"volume_extension:quota_classes": "rule:admin_api" + +# Show project quota (including usage and default). +# GET /os-quota-sets/{project_id} +# GET /os-quota-sets/{project_id}/default +# GET /os-quota-sets/{project_id}?usage=True +#"volume_extension:quotas:show": "rule:admin_or_owner" + +# Update project quota. +# PUT /os-quota-sets/{project_id} +#"volume_extension:quotas:update": "rule:admin_api" + +# Delete project quota. +# DELETE /os-quota-sets/{project_id} +#"volume_extension:quotas:delete": "rule:admin_api" + +# Validate setup for nested quota. +# GET /os-quota-sets/validate_setup_for_nested_quota_use +#"volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api" + +# Show backend capabilities. 
+# GET /capabilities/{host_name} +#"volume_extension:capabilities": "rule:admin_api" + +# List all services. +# GET /os-services +#"volume_extension:services:index": "rule:admin_api" + +# Update service, including failover_host, thaw, freeze, disable, +# enable, set-log and get-log actions. +# PUT /os-services/{action} +#"volume_extension:services:update": "rule:admin_api" + +# Freeze a backend host. +# PUT /os-services/freeze +#"volume:freeze_host": "rule:admin_api" + +# Thaw a backend host. +# PUT /os-services/thaw +#"volume:thaw_host": "rule:admin_api" + +# Failover a backend host. +# PUT /os-services/failover_host +#"volume:failover_host": "rule:admin_api" + +# List all backend pools. +# GET /scheduler-stats/get_pools +#"scheduler_extension:scheduler_stats:get_pools": "rule:admin_api" + +# List, update or show hosts for a project. +# GET /os-hosts +# PUT /os-hosts/{host_name} +# GET /os-hosts/{host_id} +#"volume_extension:hosts": "rule:admin_api" + +# Show limits with used limit attributes. +# GET /limits +#"limits_extension:used_limits": "rule:admin_or_owner" + +# List (in detail) of volumes which are available to manage. +# GET /manageable_volumes +# GET /manageable_volumes/detail +#"volume_extension:list_manageable": "rule:admin_api" + +# Manage existing volumes. +# POST /manageable_volumes +#"volume_extension:volume_manage": "rule:admin_api" + +# Stop managing a volume. +# POST /volumes/{volume_id}/action (os-unmanage) +#"volume_extension:volume_unmanage": "rule:admin_api" + +# Create, update and delete volume type. +# POST /types +# PUT /types +# DELETE /types +#"volume_extension:types_manage": "rule:admin_api" + +# Get one specific volume type. +# GET /types/{type_id} +#"volume_extension:type_get": "" + +# List volume types. +# GET /types/ +#"volume_extension:type_get_all": "" + +# Base policy for all volume type encryption type operations. 
This +# can be used to set the policies for a volume type's encryption type +# create, show, update, and delete actions in one place, or any of +# those may be set individually using the following policy targets for +# finer grained control. +# POST /types/{type_id}/encryption +# PUT /types/{type_id}/encryption/{encryption_id} +# GET /types/{type_id}/encryption +# GET /types/{type_id}/encryption/{key} +# DELETE /types/{type_id}/encryption/{encryption_id} +#"volume_extension:volume_type_encryption": "rule:admin_api" + +# Create volume type encryption. +# POST /types/{type_id}/encryption +#"volume_extension:volume_type_encryption:create": "rule:volume_extension:volume_type_encryption" + +# Show a volume type's encryption type, show an encryption specs item. +# GET /types/{type_id}/encryption +# GET /types/{type_id}/encryption/{key} +#"volume_extension:volume_type_encryption:get": "rule:volume_extension:volume_type_encryption" + +# Update volume type encryption. +# PUT /types/{type_id}/encryption/{encryption_id} +#"volume_extension:volume_type_encryption:update": "rule:volume_extension:volume_type_encryption" + +# Delete volume type encryption. +# DELETE /types/{type_id}/encryption/{encryption_id} +#"volume_extension:volume_type_encryption:delete": "rule:volume_extension:volume_type_encryption" + +# List or show volume type with access type extra specs attribute. +# GET /types/{type_id} +# GET /types +#"volume_extension:access_types_extra_specs": "rule:admin_api" + +# List or show volume type with access type qos specs id attribute. +# GET /types/{type_id} +# GET /types +#"volume_extension:access_types_qos_specs_id": "rule:admin_api" + +# Volume type access related APIs. +# GET /types +# GET /types/detail +# GET /types/{type_id} +# POST /types +#"volume_extension:volume_type_access": "rule:admin_or_owner" + +# Add volume type access for project. 
+# POST /types/{type_id}/action (addProjectAccess) +#"volume_extension:volume_type_access:addProjectAccess": "rule:admin_api" + +# Remove volume type access for project. +# POST /types/{type_id}/action (removeProjectAccess) +#"volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api" + +# Extend a volume. +# POST /volumes/{volume_id}/action (os-extend) +#"volume:extend": "rule:admin_or_owner" + +# Extend a attached volume. +# POST /volumes/{volume_id}/action (os-extend) +#"volume:extend_attached_volume": "rule:admin_or_owner" + +# Revert a volume to a snapshot. +# POST /volumes/{volume_id}/action (revert) +#"volume:revert_to_snapshot": "rule:admin_or_owner" + +# Reset status of a volume. +# POST /volumes/{volume_id}/action (os-reset_status) +#"volume_extension:volume_admin_actions:reset_status": "rule:admin_api" + +# Retype a volume. +# POST /volumes/{volume_id}/action (os-retype) +#"volume:retype": "rule:admin_or_owner" + +# Update a volume's readonly flag. +# POST /volumes/{volume_id}/action (os-update_readonly_flag) +#"volume:update_readonly_flag": "rule:admin_or_owner" + +# Force delete a volume. +# POST /volumes/{volume_id}/action (os-force_delete) +#"volume_extension:volume_admin_actions:force_delete": "rule:admin_api" + +# Upload a volume to image with public visibility. +# POST /volumes/{volume_id}/action (os-volume_upload_image) +#"volume_extension:volume_actions:upload_public": "rule:admin_api" + +# Upload a volume to image. +# POST /volumes/{volume_id}/action (os-volume_upload_image) +#"volume_extension:volume_actions:upload_image": "rule:admin_or_owner" + +# Force detach a volume. +# POST /volumes/{volume_id}/action (os-force_detach) +#"volume_extension:volume_admin_actions:force_detach": "rule:admin_api" + +# migrate a volume to a specified host. +# POST /volumes/{volume_id}/action (os-migrate_volume) +#"volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api" + +# Complete a volume migration. 
+# POST /volumes/{volume_id}/action (os-migrate_volume_completion) +#"volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api" + +# Initialize volume attachment. +# POST /volumes/{volume_id}/action (os-initialize_connection) +#"volume_extension:volume_actions:initialize_connection": "rule:admin_or_owner" + +# Terminate volume attachment. +# POST /volumes/{volume_id}/action (os-terminate_connection) +#"volume_extension:volume_actions:terminate_connection": "rule:admin_or_owner" + +# Roll back volume status to 'in-use'. +# POST /volumes/{volume_id}/action (os-roll_detaching) +#"volume_extension:volume_actions:roll_detaching": "rule:admin_or_owner" + +# Mark volume as reserved. +# POST /volumes/{volume_id}/action (os-reserve) +#"volume_extension:volume_actions:reserve": "rule:admin_or_owner" + +# Unmark volume as reserved. +# POST /volumes/{volume_id}/action (os-unreserve) +#"volume_extension:volume_actions:unreserve": "rule:admin_or_owner" + +# Begin detach volumes. +# POST /volumes/{volume_id}/action (os-begin_detaching) +#"volume_extension:volume_actions:begin_detaching": "rule:admin_or_owner" + +# Add attachment metadata. +# POST /volumes/{volume_id}/action (os-attach) +#"volume_extension:volume_actions:attach": "rule:admin_or_owner" + +# Clear attachment metadata. +# POST /volumes/{volume_id}/action (os-detach) +#"volume_extension:volume_actions:detach": "rule:admin_or_owner" + +# List volume transfer. +# GET /os-volume-transfer +# GET /os-volume-transfer/detail +# GET /volume_transfers +# GET /volume-transfers/detail +#"volume:get_all_transfers": "rule:admin_or_owner" + +# Create a volume transfer. +# POST /os-volume-transfer +# POST /volume_transfers +#"volume:create_transfer": "rule:admin_or_owner" + +# Show one specified volume transfer. +# GET /os-volume-transfer/{transfer_id} +# GET /volume-transfers/{transfer_id} +#"volume:get_transfer": "rule:admin_or_owner" + +# Accept a volume transfer. 
+# POST /os-volume-transfer/{transfer_id}/accept +# POST /volume-transfers/{transfer_id}/accept +#"volume:accept_transfer": "" + +# Delete volume transfer. +# DELETE /os-volume-transfer/{transfer_id} +# DELETE /volume-transfers/{transfer_id} +#"volume:delete_transfer": "rule:admin_or_owner" + +# Show volume's metadata or one specified metadata with a given key. +# GET /volumes/{volume_id}/metadata +# GET /volumes/{volume_id}/metadata/{key} +#"volume:get_volume_metadata": "rule:admin_or_owner" + +# Create volume metadata. +# POST /volumes/{volume_id}/metadata +#"volume:create_volume_metadata": "rule:admin_or_owner" + +# Update volume's metadata or one specified metadata with a given key. +# PUT /volumes/{volume_id}/metadata +# PUT /volumes/{volume_id}/metadata/{key} +#"volume:update_volume_metadata": "rule:admin_or_owner" + +# Delete volume's specified metadata with a given key. +# DELETE /volumes/{volume_id}/metadata/{key} +#"volume:delete_volume_metadata": "rule:admin_or_owner" + +# Volume's image metadata related operation, create, delete, show and +# list. +# GET /volumes/detail +# GET /volumes/{volume_id} +# POST /volumes/{volume_id}/action (os-set_image_metadata) +# POST /volumes/{volume_id}/action (os-unset_image_metadata) +#"volume_extension:volume_image_metadata": "rule:admin_or_owner" + +# Update volume admin metadata. It's used in `attach` and `os- +# update_readonly_flag` APIs +# POST /volumes/{volume_id}/action (os-update_readonly_flag) +# POST /volumes/{volume_id}/action (os-attach) +#"volume:update_volume_admin_metadata": "rule:admin_api" + +# List type extra specs. +# GET /types/{type_id}/extra_specs +#"volume_extension:types_extra_specs:index": "rule:admin_api" + +# Create type extra specs. +# POST /types/{type_id}/extra_specs +#"volume_extension:types_extra_specs:create": "rule:admin_api" + +# Show one specified type extra specs. 
+# GET /types/{type_id}/extra_specs/{extra_spec_key} +#"volume_extension:types_extra_specs:show": "rule:admin_api" + +# Update type extra specs. +# PUT /types/{type_id}/extra_specs/{extra_spec_key} +#"volume_extension:types_extra_specs:update": "rule:admin_api" + +# Delete type extra specs. +# DELETE /types/{type_id}/extra_specs/{extra_spec_key} +#"volume_extension:types_extra_specs:delete": "rule:admin_api" + +# Create volume. +# POST /volumes +#"volume:create": "" + +# Create volume from image. +# POST /volumes +#"volume:create_from_image": "" + +# Show volume. +# GET /volumes/{volume_id} +#"volume:get": "rule:admin_or_owner" + +# List volumes or get summary of volumes. +# GET /volumes +# GET /volumes/detail +# GET /volumes/summary +#"volume:get_all": "rule:admin_or_owner" + +# Update volume or update a volume's bootable status. +# PUT /volumes +# POST /volumes/{volume_id}/action (os-set_bootable) +#"volume:update": "rule:admin_or_owner" + +# Delete volume. +# DELETE /volumes/{volume_id} +#"volume:delete": "rule:admin_or_owner" + +# Force Delete a volume. +# DELETE /volumes/{volume_id} +#"volume:force_delete": "rule:admin_api" + +# List or show volume with host attribute. +# GET /volumes/{volume_id} +# GET /volumes/detail +#"volume_extension:volume_host_attribute": "rule:admin_api" + +# List or show volume with tenant attribute. +# GET /volumes/{volume_id} +# GET /volumes/detail +#"volume_extension:volume_tenant_attribute": "rule:admin_or_owner" + +# List or show volume with migration status attribute. +# GET /volumes/{volume_id} +# GET /volumes/detail +#"volume_extension:volume_mig_status_attribute": "rule:admin_api" + +# Show volume's encryption metadata. +# GET /volumes/{volume_id}/encryption +# GET /volumes/{volume_id}/encryption/{encryption_key} +#"volume_extension:volume_encryption_metadata": "rule:admin_or_owner" + +# Create multiattach capable volume. +# POST /volumes +#"volume:multiattach": "rule:admin_or_owner" + 
diff --git a/openstack_dashboard/conf/default_policies/README.txt b/openstack_dashboard/conf/default_policies/README.txt
new file mode 100644
index 0000000000..98bf8fb7c3
--- /dev/null
+++ b/openstack_dashboard/conf/default_policies/README.txt
@@ -0,0 +1,12 @@
+This folder contains default policies of back-end services.
+They are generated based on policy-in-code in back-end services.
+Operators are not expected to edit them.
+
+To update these files, run the following command:
+
+ python manage.py dump_default_policies \
+ --namespace \
+ --output-file openstack_dashboard/conf/default_policies/.yaml
+
+ must be a namespace under oslo.policy.policies to query and
+we use "keystone", "nova", "cinder", "neutron" and "glance".
diff --git a/openstack_dashboard/conf/default_policies/cinder.yaml b/openstack_dashboard/conf/default_policies/cinder.yaml
new file mode 100644
index 0000000000..adb540988f
--- /dev/null
+++ b/openstack_dashboard/conf/default_policies/cinder.yaml
@@ -0,0 +1,1137 @@ +- check_str: role:admin + description: Decides what is required for the 'is_admin:True' check to succeed. + name: context_is_admin + operations: [] + scope_types: null +- check_str: is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s + description: Default rule for most non-Admin APIs. + name: admin_or_owner + operations: [] + scope_types: null +- check_str: is_admin:True or (role:admin and is_admin_project:True) + description: Default rule for most Admin APIs. + name: admin_api + operations: [] + scope_types: null +- check_str: '' + description: Create attachment. + name: volume:attachment_create + operations: + - method: POST + path: /attachments + scope_types: null +- check_str: rule:admin_or_owner + description: Update attachment. + name: volume:attachment_update + operations: + - method: PUT + path: /attachments/{attachment_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete attachment. + name: volume:attachment_delete + operations: + - method: DELETE + path: /attachments/{attachment_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Mark a volume attachment process as completed (in-use) + name: volume:attachment_complete + operations: + - method: POST + path: /attachments/{attachment_id}/action (os-complete) + scope_types: null +- check_str: rule:admin_or_owner + description: Allow multiattach of bootable volumes. + name: volume:multiattach_bootable_volume + operations: + - method: POST + path: /attachments + scope_types: null +- check_str: rule:admin_or_owner + description: List messages. + name: message:get_all + operations: + - method: GET + path: /messages + scope_types: null +- check_str: rule:admin_or_owner + description: Show message. + name: message:get + operations: + - method: GET + path: /messages/{message_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete message. 
+ name: message:delete + operations: + - method: DELETE + path: /messages/{message_id} + scope_types: null +- check_str: rule:admin_api + description: List clusters. + name: clusters:get_all + operations: + - method: GET + path: /clusters + - method: GET + path: /clusters/detail + scope_types: null +- check_str: rule:admin_api + description: Show cluster. + name: clusters:get + operations: + - method: GET + path: /clusters/{cluster_id} + scope_types: null +- check_str: rule:admin_api + description: Update cluster. + name: clusters:update + operations: + - method: PUT + path: /clusters/{cluster_id} + scope_types: null +- check_str: rule:admin_api + description: Clean up workers. + name: workers:cleanup + operations: + - method: POST + path: /workers/cleanup + scope_types: null +- check_str: rule:admin_or_owner + description: Show snapshot's metadata or one specified metadata with a given key. + name: volume:get_snapshot_metadata + operations: + - method: GET + path: /snapshots/{snapshot_id}/metadata + - method: GET + path: /snapshots/{snapshot_id}/metadata/{key} + scope_types: null +- check_str: rule:admin_or_owner + description: Update snapshot's metadata or one specified metadata with a given key. + name: volume:update_snapshot_metadata + operations: + - method: PUT + path: /snapshots/{snapshot_id}/metadata + - method: PUT + path: /snapshots/{snapshot_id}/metadata/{key} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete snapshot's specified metadata with a given key. + name: volume:delete_snapshot_metadata + operations: + - method: DELETE + path: /snapshots/{snapshot_id}/metadata/{key} + scope_types: null +- check_str: rule:admin_or_owner + description: List snapshots. + name: volume:get_all_snapshots + operations: + - method: GET + path: /snapshots + - method: GET + path: /snapshots/detail + scope_types: null +- check_str: rule:admin_or_owner + description: List or show snapshots with extended attributes. 
+ name: volume_extension:extended_snapshot_attributes + operations: + - method: GET + path: /snapshots/{snapshot_id} + - method: GET + path: /snapshots/detail + scope_types: null +- check_str: rule:admin_or_owner + description: Create snapshot. + name: volume:create_snapshot + operations: + - method: POST + path: /snapshots + scope_types: null +- check_str: rule:admin_or_owner + description: Show snapshot. + name: volume:get_snapshot + operations: + - method: GET + path: /snapshots/{snapshot_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Update snapshot. + name: volume:update_snapshot + operations: + - method: PUT + path: /snapshots/{snapshot_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete snapshot. + name: volume:delete_snapshot + operations: + - method: DELETE + path: /snapshots/{snapshot_id} + scope_types: null +- check_str: rule:admin_api + description: Reset status of a snapshot. + name: volume_extension:snapshot_admin_actions:reset_status + operations: + - method: POST + path: /snapshots/{snapshot_id}/action (os-reset_status) + scope_types: null +- check_str: '' + description: Update database fields of snapshot. + name: snapshot_extension:snapshot_actions:update_snapshot_status + operations: + - method: POST + path: /snapshots/{snapshot_id}/action (update_snapshot_status) + scope_types: null +- check_str: rule:admin_api + description: Force delete a snapshot. + name: volume_extension:snapshot_admin_actions:force_delete + operations: + - method: POST + path: /snapshots/{snapshot_id}/action (os-force_delete) + scope_types: null +- check_str: rule:admin_api + description: List (in detail) of snapshots which are available to manage. + name: snapshot_extension:list_manageable + operations: + - method: GET + path: /manageable_snapshots + - method: GET + path: /manageable_snapshots/detail + scope_types: null +- check_str: rule:admin_api + description: Manage an existing snapshot. 
+ name: snapshot_extension:snapshot_manage + operations: + - method: POST + path: /manageable_snapshots + scope_types: null +- check_str: rule:admin_api + description: Stop managing a snapshot. + name: snapshot_extension:snapshot_unmanage + operations: + - method: POST + path: /snapshots/{snapshot_id}/action (os-unmanage) + scope_types: null +- check_str: rule:admin_or_owner + description: List backups. + name: backup:get_all + operations: + - method: GET + path: /backups + - method: GET + path: /backups/detail + scope_types: null +- check_str: rule:admin_api + description: List backups or show backup with project attributes. + name: backup:backup_project_attribute + operations: + - method: GET + path: /backups/{backup_id} + - method: GET + path: /backups/detail + scope_types: null +- check_str: '' + description: Create backup. + name: backup:create + operations: + - method: POST + path: /backups + scope_types: null +- check_str: rule:admin_or_owner + description: Show backup. + name: backup:get + operations: + - method: GET + path: /backups/{backup_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Update backup. + name: backup:update + operations: + - method: PUT + path: /backups/{backup_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete backup. + name: backup:delete + operations: + - method: DELETE + path: /backups/{backup_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Restore backup. + name: backup:restore + operations: + - method: POST + path: /backups/{backup_id}/restore + scope_types: null +- check_str: rule:admin_api + description: Import backup. + name: backup:backup-import + operations: + - method: POST + path: /backups/{backup_id}/import_record + scope_types: null +- check_str: rule:admin_api + description: Export backup. 
+ name: backup:export-import + operations: + - method: POST + path: /backups/{backup_id}/export_record + scope_types: null +- check_str: rule:admin_api + description: Reset status of a backup. + name: volume_extension:backup_admin_actions:reset_status + operations: + - method: POST + path: /backups/{backup_id}/action (os-reset_status) + scope_types: null +- check_str: rule:admin_api + description: Force delete a backup. + name: volume_extension:backup_admin_actions:force_delete + operations: + - method: POST + path: /backups/{backup_id}/action (os-force_delete) + scope_types: null +- check_str: rule:admin_or_owner + description: List groups. + name: group:get_all + operations: + - method: GET + path: /groups + - method: GET + path: /groups/detail + scope_types: null +- check_str: '' + description: Create group. + name: group:create + operations: + - method: POST + path: /groups + scope_types: null +- check_str: rule:admin_or_owner + description: Show group. + name: group:get + operations: + - method: GET + path: /groups/{group_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Update group. + name: group:update + operations: + - method: PUT + path: /groups/{group_id} + scope_types: null +- check_str: rule:admin_api + description: List groups or show group with project attributes. + name: group:group_project_attribute + operations: + - method: GET + path: /groups/{group_id} + - method: GET + path: /groups/detail + scope_types: null +- check_str: rule:admin_api + description: Create, update or delete a group type. + name: group:group_types_manage + operations: + - method: POST + path: /group_types/ + - method: PUT + path: /group_types/{group_type_id} + - method: DELETE + path: /group_types/{group_type_id} + scope_types: null +- check_str: rule:admin_api + description: Show group type with type specs attributes. 
+ name: group:access_group_types_specs + operations: + - method: GET + path: /group_types/{group_type_id} + scope_types: null +- check_str: rule:admin_api + description: Create, show, update and delete group type spec. + name: group:group_types_specs + operations: + - method: GET + path: /group_types/{group_type_id}/group_specs/{g_spec_id} + - method: GET + path: /group_types/{group_type_id}/group_specs + - method: POST + path: /group_types/{group_type_id}/group_specs + - method: PUT + path: /group_types/{group_type_id}/group_specs/{g_spec_id} + - method: DELETE + path: /group_types/{group_type_id}/group_specs/{g_spec_id} + scope_types: null +- check_str: rule:admin_or_owner + description: List group snapshots. + name: group:get_all_group_snapshots + operations: + - method: GET + path: /group_snapshots + - method: GET + path: /group_snapshots/detail + scope_types: null +- check_str: '' + description: Create group snapshot. + name: group:create_group_snapshot + operations: + - method: POST + path: /group_snapshots + scope_types: null +- check_str: rule:admin_or_owner + description: Show group snapshot. + name: group:get_group_snapshot + operations: + - method: GET + path: /group_snapshots/{group_snapshot_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete group snapshot. + name: group:delete_group_snapshot + operations: + - method: DELETE + path: /group_snapshots/{group_snapshot_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Update group snapshot. + name: group:update_group_snapshot + operations: + - method: PUT + path: /group_snapshots/{group_snapshot_id} + scope_types: null +- check_str: rule:admin_api + description: List group snapshots or show group snapshot with project attributes. 
+ name: group:group_snapshot_project_attribute + operations: + - method: GET + path: /group_snapshots/{group_snapshot_id} + - method: GET + path: /group_snapshots/detail + scope_types: null +- check_str: rule:admin_or_owner + description: Reset status of group snapshot. + name: group:reset_group_snapshot_status + operations: + - method: POST + path: /group_snapshots/{g_snapshot_id}/action (reset_status) + scope_types: null +- check_str: rule:admin_or_owner + description: Delete group. + name: group:delete + operations: + - method: POST + path: /groups/{group_id}/action (delete) + scope_types: null +- check_str: rule:admin_api + description: Reset status of group. + name: group:reset_status + operations: + - method: POST + path: /groups/{group_id}/action (reset_status) + scope_types: null +- check_str: rule:admin_or_owner + description: Enable replication. + name: group:enable_replication + operations: + - method: POST + path: /groups/{group_id}/action (enable_replication) + scope_types: null +- check_str: rule:admin_or_owner + description: Disable replication. + name: group:disable_replication + operations: + - method: POST + path: /groups/{group_id}/action (disable_replication) + scope_types: null +- check_str: rule:admin_or_owner + description: Fail over replication. + name: group:failover_replication + operations: + - method: POST + path: /groups/{group_id}/action (failover_replication) + scope_types: null +- check_str: rule:admin_or_owner + description: List failover replication. + name: group:list_replication_targets + operations: + - method: POST + path: /groups/{group_id}/action (list_replication_targets) + scope_types: null +- check_str: rule:admin_api + description: List qos specs or list all associations. + name: volume_extension:qos_specs_manage:get_all + operations: + - method: GET + path: /qos-specs + - method: GET + path: /qos-specs/{qos_id}/associations + scope_types: null +- check_str: rule:admin_api + description: Show qos specs. 
+ name: volume_extension:qos_specs_manage:get + operations: + - method: GET + path: /qos-specs/{qos_id} + scope_types: null +- check_str: rule:admin_api + description: Create qos specs. + name: volume_extension:qos_specs_manage:create + operations: + - method: POST + path: /qos-specs + scope_types: null +- check_str: rule:admin_api + description: Update qos specs (including updating association). + name: volume_extension:qos_specs_manage:update + operations: + - method: PUT + path: /qos-specs/{qos_id} + - method: GET + path: /qos-specs/{qos_id}/disassociate_all + - method: GET + path: /qos-specs/{qos_id}/associate + - method: GET + path: /qos-specs/{qos_id}/disassociate + scope_types: null +- check_str: rule:admin_api + description: delete qos specs or unset one specified qos key. + name: volume_extension:qos_specs_manage:delete + operations: + - method: DELETE + path: /qos-specs/{qos_id} + - method: PUT + path: /qos-specs/{qos_id}/delete_keys + scope_types: null +- check_str: rule:admin_api + description: Show or update project quota class. + name: volume_extension:quota_classes + operations: + - method: GET + path: /os-quota-class-sets/{project_id} + - method: PUT + path: /os-quota-class-sets/{project_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Show project quota (including usage and default). + name: volume_extension:quotas:show + operations: + - method: GET + path: /os-quota-sets/{project_id} + - method: GET + path: /os-quota-sets/{project_id}/default + - method: GET + path: /os-quota-sets/{project_id}?usage=True + scope_types: null +- check_str: rule:admin_api + description: Update project quota. + name: volume_extension:quotas:update + operations: + - method: PUT + path: /os-quota-sets/{project_id} + scope_types: null +- check_str: rule:admin_api + description: Delete project quota. 
+ name: volume_extension:quotas:delete + operations: + - method: DELETE + path: /os-quota-sets/{project_id} + scope_types: null +- check_str: rule:admin_api + description: Validate setup for nested quota. + name: volume_extension:quota_classes:validate_setup_for_nested_quota_use + operations: + - method: GET + path: /os-quota-sets/validate_setup_for_nested_quota_use + scope_types: null +- check_str: rule:admin_api + description: Show backend capabilities. + name: volume_extension:capabilities + operations: + - method: GET + path: /capabilities/{host_name} + scope_types: null +- check_str: rule:admin_api + description: List all services. + name: volume_extension:services:index + operations: + - method: GET + path: /os-services + scope_types: null +- check_str: rule:admin_api + description: Update service, including failover_host, thaw, freeze, disable, enable, + set-log and get-log actions. + name: volume_extension:services:update + operations: + - method: PUT + path: /os-services/{action} + scope_types: null +- check_str: rule:admin_api + description: Freeze a backend host. + name: volume:freeze_host + operations: + - method: PUT + path: /os-services/freeze + scope_types: null +- check_str: rule:admin_api + description: Thaw a backend host. + name: volume:thaw_host + operations: + - method: PUT + path: /os-services/thaw + scope_types: null +- check_str: rule:admin_api + description: Failover a backend host. + name: volume:failover_host + operations: + - method: PUT + path: /os-services/failover_host + scope_types: null +- check_str: rule:admin_api + description: List all backend pools. + name: scheduler_extension:scheduler_stats:get_pools + operations: + - method: GET + path: /scheduler-stats/get_pools + scope_types: null +- check_str: rule:admin_api + description: List, update or show hosts for a project. 
+ name: volume_extension:hosts + operations: + - method: GET + path: /os-hosts + - method: PUT + path: /os-hosts/{host_name} + - method: GET + path: /os-hosts/{host_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Show limits with used limit attributes. + name: limits_extension:used_limits + operations: + - method: GET + path: /limits + scope_types: null +- check_str: rule:admin_api + description: List (in detail) of volumes which are available to manage. + name: volume_extension:list_manageable + operations: + - method: GET + path: /manageable_volumes + - method: GET + path: /manageable_volumes/detail + scope_types: null +- check_str: rule:admin_api + description: Manage existing volumes. + name: volume_extension:volume_manage + operations: + - method: POST + path: /manageable_volumes + scope_types: null +- check_str: rule:admin_api + description: Stop managing a volume. + name: volume_extension:volume_unmanage + operations: + - method: POST + path: /volumes/{volume_id}/action (os-unmanage) + scope_types: null +- check_str: rule:admin_api + description: Create, update and delete volume type. + name: volume_extension:types_manage + operations: + - method: POST + path: /types + - method: PUT + path: /types + - method: DELETE + path: /types + scope_types: null +- check_str: '' + description: Get one specific volume type. + name: volume_extension:type_get + operations: + - method: GET + path: /types/{type_id} + scope_types: null +- check_str: '' + description: List volume types. + name: volume_extension:type_get_all + operations: + - method: GET + path: /types/ + scope_types: null +- check_str: rule:admin_api + description: Base policy for all volume type encryption type operations. This can + be used to set the policies for a volume type's encryption type create, show, + update, and delete actions in one place, or any of those may be set individually + using the following policy targets for finer grained control. 
+ name: volume_extension:volume_type_encryption + operations: + - method: POST + path: /types/{type_id}/encryption + - method: PUT + path: /types/{type_id}/encryption/{encryption_id} + - method: GET + path: /types/{type_id}/encryption + - method: GET + path: /types/{type_id}/encryption/{key} + - method: DELETE + path: /types/{type_id}/encryption/{encryption_id} + scope_types: null +- check_str: rule:volume_extension:volume_type_encryption + description: Create volume type encryption. + name: volume_extension:volume_type_encryption:create + operations: + - method: POST + path: /types/{type_id}/encryption + scope_types: null +- check_str: rule:volume_extension:volume_type_encryption + description: Show a volume type's encryption type, show an encryption specs item. + name: volume_extension:volume_type_encryption:get + operations: + - method: GET + path: /types/{type_id}/encryption + - method: GET + path: /types/{type_id}/encryption/{key} + scope_types: null +- check_str: rule:volume_extension:volume_type_encryption + description: Update volume type encryption. + name: volume_extension:volume_type_encryption:update + operations: + - method: PUT + path: /types/{type_id}/encryption/{encryption_id} + scope_types: null +- check_str: rule:volume_extension:volume_type_encryption + description: Delete volume type encryption. + name: volume_extension:volume_type_encryption:delete + operations: + - method: DELETE + path: /types/{type_id}/encryption/{encryption_id} + scope_types: null +- check_str: rule:admin_api + description: List or show volume type with access type extra specs attribute. + name: volume_extension:access_types_extra_specs + operations: + - method: GET + path: /types/{type_id} + - method: GET + path: /types + scope_types: null +- check_str: rule:admin_api + description: List or show volume type with access type qos specs id attribute. 
+ name: volume_extension:access_types_qos_specs_id + operations: + - method: GET + path: /types/{type_id} + - method: GET + path: /types + scope_types: null +- check_str: rule:admin_or_owner + description: Volume type access related APIs. + name: volume_extension:volume_type_access + operations: + - method: GET + path: /types + - method: GET + path: /types/detail + - method: GET + path: /types/{type_id} + - method: POST + path: /types + scope_types: null +- check_str: rule:admin_api + description: Add volume type access for project. + name: volume_extension:volume_type_access:addProjectAccess + operations: + - method: POST + path: /types/{type_id}/action (addProjectAccess) + scope_types: null +- check_str: rule:admin_api + description: Remove volume type access for project. + name: volume_extension:volume_type_access:removeProjectAccess + operations: + - method: POST + path: /types/{type_id}/action (removeProjectAccess) + scope_types: null +- check_str: rule:admin_or_owner + description: Extend a volume. + name: volume:extend + operations: + - method: POST + path: /volumes/{volume_id}/action (os-extend) + scope_types: null +- check_str: rule:admin_or_owner + description: Extend a attached volume. + name: volume:extend_attached_volume + operations: + - method: POST + path: /volumes/{volume_id}/action (os-extend) + scope_types: null +- check_str: rule:admin_or_owner + description: Revert a volume to a snapshot. + name: volume:revert_to_snapshot + operations: + - method: POST + path: /volumes/{volume_id}/action (revert) + scope_types: null +- check_str: rule:admin_api + description: Reset status of a volume. + name: volume_extension:volume_admin_actions:reset_status + operations: + - method: POST + path: /volumes/{volume_id}/action (os-reset_status) + scope_types: null +- check_str: rule:admin_or_owner + description: Retype a volume. 
+ name: volume:retype + operations: + - method: POST + path: /volumes/{volume_id}/action (os-retype) + scope_types: null +- check_str: rule:admin_or_owner + description: Update a volume's readonly flag. + name: volume:update_readonly_flag + operations: + - method: POST + path: /volumes/{volume_id}/action (os-update_readonly_flag) + scope_types: null +- check_str: rule:admin_api + description: Force delete a volume. + name: volume_extension:volume_admin_actions:force_delete + operations: + - method: POST + path: /volumes/{volume_id}/action (os-force_delete) + scope_types: null +- check_str: rule:admin_api + description: Upload a volume to image with public visibility. + name: volume_extension:volume_actions:upload_public + operations: + - method: POST + path: /volumes/{volume_id}/action (os-volume_upload_image) + scope_types: null +- check_str: rule:admin_or_owner + description: Upload a volume to image. + name: volume_extension:volume_actions:upload_image + operations: + - method: POST + path: /volumes/{volume_id}/action (os-volume_upload_image) + scope_types: null +- check_str: rule:admin_api + description: Force detach a volume. + name: volume_extension:volume_admin_actions:force_detach + operations: + - method: POST + path: /volumes/{volume_id}/action (os-force_detach) + scope_types: null +- check_str: rule:admin_api + description: migrate a volume to a specified host. + name: volume_extension:volume_admin_actions:migrate_volume + operations: + - method: POST + path: /volumes/{volume_id}/action (os-migrate_volume) + scope_types: null +- check_str: rule:admin_api + description: Complete a volume migration. + name: volume_extension:volume_admin_actions:migrate_volume_completion + operations: + - method: POST + path: /volumes/{volume_id}/action (os-migrate_volume_completion) + scope_types: null +- check_str: rule:admin_or_owner + description: Initialize volume attachment. 
+ name: volume_extension:volume_actions:initialize_connection + operations: + - method: POST + path: /volumes/{volume_id}/action (os-initialize_connection) + scope_types: null +- check_str: rule:admin_or_owner + description: Terminate volume attachment. + name: volume_extension:volume_actions:terminate_connection + operations: + - method: POST + path: /volumes/{volume_id}/action (os-terminate_connection) + scope_types: null +- check_str: rule:admin_or_owner + description: Roll back volume status to 'in-use'. + name: volume_extension:volume_actions:roll_detaching + operations: + - method: POST + path: /volumes/{volume_id}/action (os-roll_detaching) + scope_types: null +- check_str: rule:admin_or_owner + description: Mark volume as reserved. + name: volume_extension:volume_actions:reserve + operations: + - method: POST + path: /volumes/{volume_id}/action (os-reserve) + scope_types: null +- check_str: rule:admin_or_owner + description: Unmark volume as reserved. + name: volume_extension:volume_actions:unreserve + operations: + - method: POST + path: /volumes/{volume_id}/action (os-unreserve) + scope_types: null +- check_str: rule:admin_or_owner + description: Begin detach volumes. + name: volume_extension:volume_actions:begin_detaching + operations: + - method: POST + path: /volumes/{volume_id}/action (os-begin_detaching) + scope_types: null +- check_str: rule:admin_or_owner + description: Add attachment metadata. + name: volume_extension:volume_actions:attach + operations: + - method: POST + path: /volumes/{volume_id}/action (os-attach) + scope_types: null +- check_str: rule:admin_or_owner + description: Clear attachment metadata. + name: volume_extension:volume_actions:detach + operations: + - method: POST + path: /volumes/{volume_id}/action (os-detach) + scope_types: null +- check_str: rule:admin_or_owner + description: List volume transfer. 
+ name: volume:get_all_transfers + operations: + - method: GET + path: /os-volume-transfer + - method: GET + path: /os-volume-transfer/detail + - method: GET + path: /volume_transfers + - method: GET + path: /volume-transfers/detail + scope_types: null +- check_str: rule:admin_or_owner + description: Create a volume transfer. + name: volume:create_transfer + operations: + - method: POST + path: /os-volume-transfer + - method: POST + path: /volume_transfers + scope_types: null +- check_str: rule:admin_or_owner + description: Show one specified volume transfer. + name: volume:get_transfer + operations: + - method: GET + path: /os-volume-transfer/{transfer_id} + - method: GET + path: /volume-transfers/{transfer_id} + scope_types: null +- check_str: '' + description: Accept a volume transfer. + name: volume:accept_transfer + operations: + - method: POST + path: /os-volume-transfer/{transfer_id}/accept + - method: POST + path: /volume-transfers/{transfer_id}/accept + scope_types: null +- check_str: rule:admin_or_owner + description: Delete volume transfer. + name: volume:delete_transfer + operations: + - method: DELETE + path: /os-volume-transfer/{transfer_id} + - method: DELETE + path: /volume-transfers/{transfer_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Show volume's metadata or one specified metadata with a given key. + name: volume:get_volume_metadata + operations: + - method: GET + path: /volumes/{volume_id}/metadata + - method: GET + path: /volumes/{volume_id}/metadata/{key} + scope_types: null +- check_str: rule:admin_or_owner + description: Create volume metadata. + name: volume:create_volume_metadata + operations: + - method: POST + path: /volumes/{volume_id}/metadata + scope_types: null +- check_str: rule:admin_or_owner + description: Update volume's metadata or one specified metadata with a given key. 
+ name: volume:update_volume_metadata + operations: + - method: PUT + path: /volumes/{volume_id}/metadata + - method: PUT + path: /volumes/{volume_id}/metadata/{key} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete volume's specified metadata with a given key. + name: volume:delete_volume_metadata + operations: + - method: DELETE + path: /volumes/{volume_id}/metadata/{key} + scope_types: null +- check_str: rule:admin_or_owner + description: Volume's image metadata related operation, create, delete, show and + list. + name: volume_extension:volume_image_metadata + operations: + - method: GET + path: /volumes/detail + - method: GET + path: /volumes/{volume_id} + - method: POST + path: /volumes/{volume_id}/action (os-set_image_metadata) + - method: POST + path: /volumes/{volume_id}/action (os-unset_image_metadata) + scope_types: null +- check_str: rule:admin_api + description: Update volume admin metadata. It's used in `attach` and `os-update_readonly_flag` + APIs + name: volume:update_volume_admin_metadata + operations: + - method: POST + path: /volumes/{volume_id}/action (os-update_readonly_flag) + - method: POST + path: /volumes/{volume_id}/action (os-attach) + scope_types: null +- check_str: rule:admin_api + description: List type extra specs. + name: volume_extension:types_extra_specs:index + operations: + - method: GET + path: /types/{type_id}/extra_specs + scope_types: null +- check_str: rule:admin_api + description: Create type extra specs. + name: volume_extension:types_extra_specs:create + operations: + - method: POST + path: /types/{type_id}/extra_specs + scope_types: null +- check_str: rule:admin_api + description: Show one specified type extra specs. + name: volume_extension:types_extra_specs:show + operations: + - method: GET + path: /types/{type_id}/extra_specs/{extra_spec_key} + scope_types: null +- check_str: rule:admin_api + description: Update type extra specs. 
+ name: volume_extension:types_extra_specs:update + operations: + - method: PUT + path: /types/{type_id}/extra_specs/{extra_spec_key} + scope_types: null +- check_str: rule:admin_api + description: Delete type extra specs. + name: volume_extension:types_extra_specs:delete + operations: + - method: DELETE + path: /types/{type_id}/extra_specs/{extra_spec_key} + scope_types: null +- check_str: '' + description: Create volume. + name: volume:create + operations: + - method: POST + path: /volumes + scope_types: null +- check_str: '' + description: Create volume from image. + name: volume:create_from_image + operations: + - method: POST + path: /volumes + scope_types: null +- check_str: rule:admin_or_owner + description: Show volume. + name: volume:get + operations: + - method: GET + path: /volumes/{volume_id} + scope_types: null +- check_str: rule:admin_or_owner + description: List volumes or get summary of volumes. + name: volume:get_all + operations: + - method: GET + path: /volumes + - method: GET + path: /volumes/detail + - method: GET + path: /volumes/summary + scope_types: null +- check_str: rule:admin_or_owner + description: Update volume or update a volume's bootable status. + name: volume:update + operations: + - method: PUT + path: /volumes + - method: POST + path: /volumes/{volume_id}/action (os-set_bootable) + scope_types: null +- check_str: rule:admin_or_owner + description: Delete volume. + name: volume:delete + operations: + - method: DELETE + path: /volumes/{volume_id} + scope_types: null +- check_str: rule:admin_api + description: Force Delete a volume. + name: volume:force_delete + operations: + - method: DELETE + path: /volumes/{volume_id} + scope_types: null +- check_str: rule:admin_api + description: List or show volume with host attribute. 
+ name: volume_extension:volume_host_attribute + operations: + - method: GET + path: /volumes/{volume_id} + - method: GET + path: /volumes/detail + scope_types: null +- check_str: rule:admin_or_owner + description: List or show volume with tenant attribute. + name: volume_extension:volume_tenant_attribute + operations: + - method: GET + path: /volumes/{volume_id} + - method: GET + path: /volumes/detail + scope_types: null +- check_str: rule:admin_api + description: List or show volume with migration status attribute. + name: volume_extension:volume_mig_status_attribute + operations: + - method: GET + path: /volumes/{volume_id} + - method: GET + path: /volumes/detail + scope_types: null +- check_str: rule:admin_or_owner + description: Show volume's encryption metadata. + name: volume_extension:volume_encryption_metadata + operations: + - method: GET + path: /volumes/{volume_id}/encryption + - method: GET + path: /volumes/{volume_id}/encryption/{encryption_key} + scope_types: null +- check_str: rule:admin_or_owner + description: Create multiattach capable volume. + name: volume:multiattach + operations: + - method: POST + path: /volumes + scope_types: null diff --git a/openstack_dashboard/conf/default_policies/glance.yaml b/openstack_dashboard/conf/default_policies/glance.yaml new file mode 100644 index 0000000000..149d2f9417 --- /dev/null +++ b/openstack_dashboard/conf/default_policies/glance.yaml 
@@ -0,0 +1,280 @@ +- check_str: '' + deprecated_reason: In order to allow operators to accept the default policies from + code by not defining them in the policy file, while still working with old policy + files that rely on the ``default`` rule for policies that are not specified in + the policy file, the ``default`` rule must now be explicitly set to ``"role:admin"`` + when that is the desired default for unspecified rules. + deprecated_rule: + check_str: role:admin + name: default + deprecated_since: Ussuri + description: Defines the default rule used for policies that historically had an + empty policy in the supplied policy.json file. + name: default + operations: [] + scope_types: null +- check_str: role:admin + description: Defines the rule for the is_admin:True check. + name: context_is_admin + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: add_image + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: delete_image + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_image + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_images + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: modify_image + operations: [] + scope_types: null +- check_str: role:admin + description: null + name: publicize_image + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: communitize_image + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: download_image + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: upload_image + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: delete_image_location + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_image_location + operations: [] 
+ scope_types: null +- check_str: rule:default + description: null + name: set_image_location + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: add_member + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: delete_member + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_member + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_members + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: modify_member + operations: [] + scope_types: null +- check_str: role:admin + description: null + name: manage_image_cache + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: deactivate + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: reactivate + operations: [] + scope_types: null +- check_str: role:admin + description: null + name: copy_image + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_task + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_tasks + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: add_task + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: modify_task + operations: [] + scope_types: null +- check_str: role:admin + description: null + name: tasks_api_access + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_metadef_namespace + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_metadef_namespaces + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: modify_metadef_namespace + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: 
add_metadef_namespace + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: delete_metadef_namespace + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_metadef_object + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_metadef_objects + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: modify_metadef_object + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: add_metadef_object + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: delete_metadef_object + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: list_metadef_resource_types + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_metadef_resource_type + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: add_metadef_resource_type_association + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: remove_metadef_resource_type_association + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_metadef_property + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_metadef_properties + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: modify_metadef_property + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: add_metadef_property + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: remove_metadef_property + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_metadef_tag + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: get_metadef_tags + 
operations: [] + scope_types: null +- check_str: rule:default + description: null + name: modify_metadef_tag + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: add_metadef_tag + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: add_metadef_tags + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: delete_metadef_tag + operations: [] + scope_types: null +- check_str: rule:default + description: null + name: delete_metadef_tags + operations: [] + scope_types: null diff --git a/openstack_dashboard/conf/default_policies/keystone.yaml b/openstack_dashboard/conf/default_policies/keystone.yaml new file mode 100644 index 0000000000..17d49fdc55 --- /dev/null +++ b/openstack_dashboard/conf/default_policies/keystone.yaml 
@@ -0,0 +1,2954 @@ +- check_str: role:admin or is_admin:1 + description: null + name: admin_required + operations: [] + scope_types: null +- check_str: role:service + description: null + name: service_role + operations: [] + scope_types: null +- check_str: rule:admin_required or rule:service_role + description: null + name: service_or_admin + operations: [] + scope_types: null +- check_str: user_id:%(user_id)s + description: null + name: owner + operations: [] + scope_types: null +- check_str: rule:admin_required or rule:owner + description: null + name: admin_or_owner + operations: [] + scope_types: null +- check_str: user_id:%(target.token.user_id)s + description: null + name: token_subject + operations: [] + scope_types: null +- check_str: rule:admin_required or rule:token_subject + description: null + name: admin_or_token_subject + operations: [] + scope_types: null +- check_str: rule:service_or_admin or rule:token_subject + description: null + name: service_admin_or_token_subject + operations: [] + scope_types: null +- check_str: (role:reader and system_scope:all) or user_id:%(target.user.id)s + description: Show access rule details. + name: identity:get_access_rule + operations: + - method: GET + path: /v3/users/{user_id}/access_rules/{access_rule_id} + - method: HEAD + path: /v3/users/{user_id}/access_rules/{access_rule_id} + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or user_id:%(target.user.id)s + description: List access rules for a user. + name: identity:list_access_rules + operations: + - method: GET + path: /v3/users/{user_id}/access_rules + - method: HEAD + path: /v3/users/{user_id}/access_rules + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or user_id:%(target.user.id)s + description: Delete an access_rule. 
+ name: identity:delete_access_rule + operations: + - method: DELETE + path: /v3/users/{user_id}/access_rules/{access_rule_id} + scope_types: + - system + - project +- check_str: rule:admin_required + description: Authorize OAUTH1 request token. + name: identity:authorize_request_token + operations: + - method: PUT + path: /v3/OS-OAUTH1/authorize/{request_token_id} + scope_types: + - project +- check_str: rule:admin_required + description: Get OAUTH1 access token for user by access token ID. + name: identity:get_access_token + operations: + - method: GET + path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id} + scope_types: + - project +- check_str: rule:admin_required + description: Get role for user OAUTH1 access token. + name: identity:get_access_token_role + operations: + - method: GET + path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id} + scope_types: + - project +- check_str: rule:admin_required + description: List OAUTH1 access tokens for user. + name: identity:list_access_tokens + operations: + - method: GET + path: /v3/users/{user_id}/OS-OAUTH1/access_tokens + scope_types: + - project +- check_str: rule:admin_required + description: List OAUTH1 access token roles. + name: identity:list_access_token_roles + operations: + - method: GET + path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles + scope_types: + - project +- check_str: rule:admin_required + description: Delete OAUTH1 access token. + name: identity:delete_access_token + operations: + - method: DELETE + path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id} + scope_types: + - project +- check_str: (role:reader and system_scope:all) or rule:owner + deprecated_reason: The application credential API is now aware of system scope and + default roles. + deprecated_rule: + check_str: rule:admin_or_owner + name: identity:get_application_credentials + deprecated_since: T + description: Show application credential details. 
+ name: identity:get_application_credential + operations: + - method: GET + path: /v3/users/{user_id}/application_credentials/{application_credential_id} + - method: HEAD + path: /v3/users/{user_id}/application_credentials/{application_credential_id} + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or rule:owner + deprecated_reason: The application credential API is now aware of system scope and + default roles. + deprecated_rule: + check_str: rule:admin_or_owner + name: identity:list_application_credentials + deprecated_since: T + description: List application credentials for a user. + name: identity:list_application_credentials + operations: + - method: GET + path: /v3/users/{user_id}/application_credentials + - method: HEAD + path: /v3/users/{user_id}/application_credentials + scope_types: + - system + - project +- check_str: user_id:%(user_id)s + description: Create an application credential. + name: identity:create_application_credential + operations: + - method: POST + path: /v3/users/{user_id}/application_credentials + scope_types: + - project +- check_str: (role:admin and system_scope:all) or rule:owner + deprecated_reason: The application credential API is now aware of system scope and + default roles. + deprecated_rule: + check_str: rule:admin_or_owner + name: identity:delete_application_credentials + deprecated_since: T + description: Delete an application credential. + name: identity:delete_application_credential + operations: + - method: DELETE + path: /v3/users/{user_id}/application_credentials/{application_credential_id} + scope_types: + - system + - project +- check_str: '' + description: Get service catalog. + name: identity:get_auth_catalog + operations: + - method: GET + path: /v3/auth/catalog + - method: HEAD + path: /v3/auth/catalog + scope_types: null +- check_str: '' + description: List all projects a user has access to via role assignments. 
+ name: identity:get_auth_projects + operations: + - method: GET + path: /v3/auth/projects + - method: HEAD + path: /v3/auth/projects + scope_types: null +- check_str: '' + description: List all domains a user has access to via role assignments. + name: identity:get_auth_domains + operations: + - method: GET + path: /v3/auth/domains + - method: HEAD + path: /v3/auth/domains + scope_types: null +- check_str: '' + description: List systems a user has access to via role assignments. + name: identity:get_auth_system + operations: + - method: GET + path: /v3/auth/system + - method: HEAD + path: /v3/auth/system + scope_types: null +- check_str: role:reader and system_scope:all + deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_consumer + deprecated_since: T + description: Show OAUTH1 consumer details. + name: identity:get_consumer + operations: + - method: GET + path: /v3/OS-OAUTH1/consumers/{consumer_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_consumers + deprecated_since: T + description: List OAUTH1 consumers. + name: identity:list_consumers + operations: + - method: GET + path: /v3/OS-OAUTH1/consumers + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_consumer + deprecated_since: T + description: Create OAUTH1 consumer. 
+ name: identity:create_consumer + operations: + - method: POST + path: /v3/OS-OAUTH1/consumers + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_consumer + deprecated_since: T + description: Update OAUTH1 consumer. + name: identity:update_consumer + operations: + - method: PATCH + path: /v3/OS-OAUTH1/consumers/{consumer_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_consumer + deprecated_since: T + description: Delete OAUTH1 consumer. + name: identity:delete_consumer + operations: + - method: DELETE + path: /v3/OS-OAUTH1/consumers/{consumer_id} + scope_types: + - system +- check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s + deprecated_reason: The credential API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_credential + deprecated_since: S + description: Show credentials details. + name: identity:get_credential + operations: + - method: GET + path: /v3/credentials/{credential_id} + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s + deprecated_reason: The credential API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_credentials + deprecated_since: S + description: List credentials. 
+ name: identity:list_credentials + operations: + - method: GET + path: /v3/credentials + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s + deprecated_reason: The credential API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_credential + deprecated_since: S + description: Create credential. + name: identity:create_credential + operations: + - method: POST + path: /v3/credentials + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s + deprecated_reason: The credential API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_credential + deprecated_since: S + description: Update credential. + name: identity:update_credential + operations: + - method: PATCH + path: /v3/credentials/{credential_id} + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s + deprecated_reason: The credential API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_credential + deprecated_since: S + description: Delete credential. + name: identity:delete_credential + operations: + - method: DELETE + path: /v3/credentials/{credential_id} + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s + or token.project.domain.id:%(target.domain.id)s + deprecated_reason: The domain API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required or token.project.domain.id:%(target.domain.id)s + name: identity:get_domain + deprecated_since: S + description: Show domain details. 
+ name: identity:get_domain + operations: + - method: GET + path: /v3/domains/{domain_id} + scope_types: + - system + - domain + - project +- check_str: role:reader and system_scope:all + deprecated_reason: The domain API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_domains + deprecated_since: S + description: List domains. + name: identity:list_domains + operations: + - method: GET + path: /v3/domains + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The domain API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_domain + deprecated_since: S + description: Create domain. + name: identity:create_domain + operations: + - method: POST + path: /v3/domains + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The domain API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_domain + deprecated_since: S + description: Update domain. + name: identity:update_domain + operations: + - method: PATCH + path: /v3/domains/{domain_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The domain API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_domain + deprecated_since: S + description: Delete domain. + name: identity:delete_domain + operations: + - method: DELETE + path: /v3/domains/{domain_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The domain config API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_domain_config + deprecated_since: T + description: Create domain configuration. 
+ name: identity:create_domain_config + operations: + - method: PUT + path: /v3/domains/{domain_id}/config + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The domain config API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_domain_config + deprecated_since: T + description: Get the entire domain configuration for a domain, an option group within + a domain, or a specific configuration option within a group for a domain. + name: identity:get_domain_config + operations: + - method: GET + path: /v3/domains/{domain_id}/config + - method: HEAD + path: /v3/domains/{domain_id}/config + - method: GET + path: /v3/domains/{domain_id}/config/{group} + - method: HEAD + path: /v3/domains/{domain_id}/config/{group} + - method: GET + path: /v3/domains/{domain_id}/config/{group}/{option} + - method: HEAD + path: /v3/domains/{domain_id}/config/{group}/{option} + scope_types: + - system +- check_str: '' + description: Get security compliance domain configuration for either a domain or + a specific option in a domain. + name: identity:get_security_compliance_domain_config + operations: + - method: GET + path: /v3/domains/{domain_id}/config/security_compliance + - method: HEAD + path: /v3/domains/{domain_id}/config/security_compliance + - method: GET + path: v3/domains/{domain_id}/config/security_compliance/{option} + - method: HEAD + path: v3/domains/{domain_id}/config/security_compliance/{option} + scope_types: + - system + - domain + - project +- check_str: role:admin and system_scope:all + deprecated_reason: The domain config API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_domain_config + deprecated_since: T + description: Update domain configuration for either a domain, specific group or + a specific option in a group. 
+ name: identity:update_domain_config + operations: + - method: PATCH + path: /v3/domains/{domain_id}/config + - method: PATCH + path: /v3/domains/{domain_id}/config/{group} + - method: PATCH + path: /v3/domains/{domain_id}/config/{group}/{option} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The domain config API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_domain_config + deprecated_since: T + description: Delete domain configuration for either a domain, specific group or + a specific option in a group. + name: identity:delete_domain_config + operations: + - method: DELETE + path: /v3/domains/{domain_id}/config + - method: DELETE + path: /v3/domains/{domain_id}/config/{group} + - method: DELETE + path: /v3/domains/{domain_id}/config/{group}/{option} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The domain config API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_domain_config_default + deprecated_since: T + description: Get domain configuration default for either a domain, specific group + or a specific option in a group. + name: identity:get_domain_config_default + operations: + - method: GET + path: /v3/domains/config/default + - method: HEAD + path: /v3/domains/config/default + - method: GET + path: /v3/domains/config/{group}/default + - method: HEAD + path: /v3/domains/config/{group}/default + - method: GET + path: /v3/domains/config/{group}/{option}/default + - method: HEAD + path: /v3/domains/config/{group}/{option}/default + scope_types: + - system +- check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s + deprecated_reason: The EC2 credential API is now aware of system scope and default + roles. 
+ deprecated_rule: + check_str: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s) + name: identity:ec2_get_credential + deprecated_since: T + description: Show ec2 credential details. + name: identity:ec2_get_credential + operations: + - method: GET + path: /v3/users/{user_id}/credentials/OS-EC2/{credential_id} + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or rule:owner + deprecated_reason: The EC2 credential API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_or_owner + name: identity:ec2_list_credentials + deprecated_since: T + description: List ec2 credentials. + name: identity:ec2_list_credentials + operations: + - method: GET + path: /v3/users/{user_id}/credentials/OS-EC2 + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or rule:owner + deprecated_reason: The EC2 credential API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_or_owner + name: identity:ec2_create_credentials + deprecated_since: T + description: Create ec2 credential. + name: identity:ec2_create_credential + operations: + - method: POST + path: /v3/users/{user_id}/credentials/OS-EC2 + scope_types: + - system + - project +- check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s + deprecated_reason: The EC2 credential API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s) + name: identity:ec2_delete_credentials + deprecated_since: T + description: Delete ec2 credential. + name: identity:ec2_delete_credential + operations: + - method: DELETE + path: /v3/users/{user_id}/credentials/OS-EC2/{credential_id} + scope_types: + - system + - project +- check_str: role:reader and system_scope:all + deprecated_reason: The endpoint API is now aware of system scope and default roles. 
+ deprecated_rule: + check_str: rule:admin_required + name: identity:get_endpoint + deprecated_since: S + description: Show endpoint details. + name: identity:get_endpoint + operations: + - method: GET + path: /v3/endpoints/{endpoint_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The endpoint API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_endpoints + deprecated_since: S + description: List endpoints. + name: identity:list_endpoints + operations: + - method: GET + path: /v3/endpoints + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The endpoint API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_endpoint + deprecated_since: S + description: Create endpoint. + name: identity:create_endpoint + operations: + - method: POST + path: /v3/endpoints + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The endpoint API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_endpoint + deprecated_since: S + description: Update endpoint. + name: identity:update_endpoint + operations: + - method: PATCH + path: /v3/endpoints/{endpoint_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The endpoint API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_endpoint + deprecated_since: S + description: Delete endpoint. + name: identity:delete_endpoint + operations: + - method: DELETE + path: /v3/endpoints/{endpoint_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. 
+ deprecated_rule: + check_str: rule:admin_required + name: identity:create_endpoint_group + deprecated_since: T + description: Create endpoint group. + name: identity:create_endpoint_group + operations: + - method: POST + path: /v3/OS-EP-FILTER/endpoint_groups + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_endpoint_groups + deprecated_since: T + description: List endpoint groups. + name: identity:list_endpoint_groups + operations: + - method: GET + path: /v3/OS-EP-FILTER/endpoint_groups + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_endpoint_group + deprecated_since: T + description: Get endpoint group. + name: identity:get_endpoint_group + operations: + - method: GET + path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} + - method: HEAD + path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_endpoint_group + deprecated_since: T + description: Update endpoint group. + name: identity:update_endpoint_group + operations: + - method: PATCH + path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_endpoint_group + deprecated_since: T + description: Delete endpoint group. 
+ name: identity:delete_endpoint_group + operations: + - method: DELETE + path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_projects_associated_with_endpoint_group + deprecated_since: T + description: List all projects associated with a specific endpoint group. + name: identity:list_projects_associated_with_endpoint_group + operations: + - method: GET + path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_endpoints_associated_with_endpoint_group + deprecated_since: T + description: List all endpoints associated with an endpoint group. + name: identity:list_endpoints_associated_with_endpoint_group + operations: + - method: GET + path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_endpoint_group_in_project + deprecated_since: T + description: Check if an endpoint group is associated with a project. 
+ name: identity:get_endpoint_group_in_project + operations: + - method: GET + path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} + - method: HEAD + path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_endpoint_groups_for_project + deprecated_since: T + description: List endpoint groups associated with a specific project. + name: identity:list_endpoint_groups_for_project + operations: + - method: GET + path: /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:add_endpoint_group_to_project + deprecated_since: T + description: Allow a project to access an endpoint group. + name: identity:add_endpoint_group_to_project + operations: + - method: PUT + path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:remove_endpoint_group_from_project + deprecated_since: T + description: Remove endpoint group from project. 
+ name: identity:remove_endpoint_group_from_project + operations: + - method: DELETE + path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} + scope_types: + - system +- check_str: (role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s + and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s + and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s + and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s + and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s + or None:%(target.role.domain_id)s) + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:check_grant + deprecated_since: S + description: Check a role grant between a target and an actor. A target can be either + a domain or a project. An actor can be either a user or a group. These terms also + apply to the OS-INHERIT APIs, where grants on the target are inherited to all + projects in the subtree, if applicable. 
+ name: identity:check_grant + operations: + - method: HEAD + path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id} + - method: GET + path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id} + - method: HEAD + path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} + - method: GET + path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} + - method: HEAD + path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} + - method: GET + path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} + - method: HEAD + path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} + - method: GET + path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} + - method: HEAD + path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects + - method: GET + path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects + - method: HEAD + path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects + - method: GET + path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects + - method: HEAD + path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects + - method: GET + path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects + - method: HEAD + path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects + - method: GET + path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects + scope_types: + - system + - domain +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s + and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s + and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s + and 
domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s + and domain_id:%(target.domain.id)s) + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_grants + deprecated_since: S + description: List roles granted to an actor on a target. A target can be either + a domain or a project. An actor can be either a user or a group. For the OS-INHERIT + APIs, it is possible to list inherited role grants for actors on domains, where + grants are inherited to all projects in the specified domain. + name: identity:list_grants + operations: + - method: GET + path: /v3/projects/{project_id}/users/{user_id}/roles + - method: HEAD + path: /v3/projects/{project_id}/users/{user_id}/roles + - method: GET + path: /v3/projects/{project_id}/groups/{group_id}/roles + - method: HEAD + path: /v3/projects/{project_id}/groups/{group_id}/roles + - method: GET + path: /v3/domains/{domain_id}/users/{user_id}/roles + - method: HEAD + path: /v3/domains/{domain_id}/users/{user_id}/roles + - method: GET + path: /v3/domains/{domain_id}/groups/{group_id}/roles + - method: HEAD + path: /v3/domains/{domain_id}/groups/{group_id}/roles + - method: GET + path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects + - method: GET + path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects + scope_types: + - system + - domain +- check_str: (role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s + and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s + and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s + and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s + and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s + or 
None:%(target.role.domain_id)s) + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_grant + deprecated_since: S + description: Create a role grant between a target and an actor. A target can be + either a domain or a project. An actor can be either a user or a group. These + terms also apply to the OS-INHERIT APIs, where grants on the target are inherited + to all projects in the subtree, if applicable. + name: identity:create_grant + operations: + - method: PUT + path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id} + - method: PUT + path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} + - method: PUT + path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} + - method: PUT + path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} + - method: PUT + path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects + - method: PUT + path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects + - method: PUT + path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects + - method: PUT + path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects + scope_types: + - system + - domain +- check_str: (role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s + and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s + and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s + and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s + and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s + or None:%(target.role.domain_id)s) + deprecated_reason: The assignment API is now aware of system scope and default roles. 
+ deprecated_rule: + check_str: rule:admin_required + name: identity:revoke_grant + deprecated_since: S + description: Revoke a role grant between a target and an actor. A target can be + either a domain or a project. An actor can be either a user or a group. These + terms also apply to the OS-INHERIT APIs, where grants on the target are inherited + to all projects in the subtree, if applicable. In that case, revoking the role + grant in the target would remove the logical effect of inheriting it to the target's + projects subtree. + name: identity:revoke_grant + operations: + - method: DELETE + path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id} + - method: DELETE + path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} + - method: DELETE + path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} + - method: DELETE + path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} + - method: DELETE + path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects + - method: DELETE + path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects + - method: DELETE + path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects + - method: DELETE + path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects + scope_types: + - system + - domain +- check_str: role:reader and system_scope:all + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_system_grants_for_user + deprecated_since: S + description: List all grants a specific user has on the system. 
+ name: identity:list_system_grants_for_user + operations: + - method: + - HEAD + - GET + path: /v3/system/users/{user_id}/roles + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:check_system_grant_for_user + deprecated_since: S + description: Check if a user has a role on the system. + name: identity:check_system_grant_for_user + operations: + - method: + - HEAD + - GET + path: /v3/system/users/{user_id}/roles/{role_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_system_grant_for_user + deprecated_since: S + description: Grant a user a role on the system. + name: identity:create_system_grant_for_user + operations: + - method: + - PUT + path: /v3/system/users/{user_id}/roles/{role_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:revoke_system_grant_for_user + deprecated_since: S + description: Remove a role from a user on the system. + name: identity:revoke_system_grant_for_user + operations: + - method: + - DELETE + path: /v3/system/users/{user_id}/roles/{role_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_system_grants_for_group + deprecated_since: S + description: List all grants a specific group has on the system. 
+ name: identity:list_system_grants_for_group + operations: + - method: + - HEAD + - GET + path: /v3/system/groups/{group_id}/roles + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:check_system_grant_for_group + deprecated_since: S + description: Check if a group has a role on the system. + name: identity:check_system_grant_for_group + operations: + - method: + - HEAD + - GET + path: /v3/system/groups/{group_id}/roles/{role_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_system_grant_for_group + deprecated_since: S + description: Grant a group a role on the system. + name: identity:create_system_grant_for_group + operations: + - method: + - PUT + path: /v3/system/groups/{group_id}/roles/{role_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:revoke_system_grant_for_group + deprecated_since: S + description: Remove a role from a group on the system. + name: identity:revoke_system_grant_for_group + operations: + - method: + - DELETE + path: /v3/system/groups/{group_id}/roles/{role_id} + scope_types: + - system +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s) + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_group + deprecated_since: S + description: Show group details. 
+ name: identity:get_group + operations: + - method: GET + path: /v3/groups/{group_id} + - method: HEAD + path: /v3/groups/{group_id} + scope_types: + - system + - domain +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s) + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_groups + deprecated_since: S + description: List groups. + name: identity:list_groups + operations: + - method: GET + path: /v3/groups + - method: HEAD + path: /v3/groups + scope_types: + - system + - domain +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) + or user_id:%(user_id)s + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_or_owner + name: identity:list_groups_for_user + deprecated_since: S + description: List groups to which a user belongs. + name: identity:list_groups_for_user + operations: + - method: GET + path: /v3/users/{user_id}/groups + - method: HEAD + path: /v3/users/{user_id}/groups + scope_types: + - system + - domain + - project +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s) + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_group + deprecated_since: S + description: Create group. + name: identity:create_group + operations: + - method: POST + path: /v3/groups + scope_types: + - system + - domain +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s) + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_group + deprecated_since: S + description: Update group. 
+ name: identity:update_group + operations: + - method: PATCH + path: /v3/groups/{group_id} + scope_types: + - system + - domain +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s) + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_group + deprecated_since: S + description: Delete group. + name: identity:delete_group + operations: + - method: DELETE + path: /v3/groups/{group_id} + scope_types: + - system + - domain +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s) + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_users_in_group + deprecated_since: S + description: List members of a specific group. + name: identity:list_users_in_group + operations: + - method: GET + path: /v3/groups/{group_id}/users + - method: HEAD + path: /v3/groups/{group_id}/users + scope_types: + - system + - domain +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s + and domain_id:%(target.user.domain_id)s) + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:remove_user_from_group + deprecated_since: S + description: Remove user from group. + name: identity:remove_user_from_group + operations: + - method: DELETE + path: /v3/groups/{group_id}/users/{user_id} + scope_types: + - system + - domain +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s + and domain_id:%(target.user.domain_id)s) + deprecated_reason: The group API is now aware of system scope and default roles. 
+ deprecated_rule: + check_str: rule:admin_required + name: identity:check_user_in_group + deprecated_since: S + description: Check whether a user is a member of a group. + name: identity:check_user_in_group + operations: + - method: HEAD + path: /v3/groups/{group_id}/users/{user_id} + - method: GET + path: /v3/groups/{group_id}/users/{user_id} + scope_types: + - system + - domain +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s + and domain_id:%(target.user.domain_id)s) + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:add_user_to_group + deprecated_since: S + description: Add user to group. + name: identity:add_user_to_group + operations: + - method: PUT + path: /v3/groups/{group_id}/users/{user_id} + scope_types: + - system + - domain +- check_str: role:admin and system_scope:all + deprecated_reason: The identity provider API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_identity_providers + deprecated_since: S + description: Create identity provider. + name: identity:create_identity_provider + operations: + - method: PUT + path: /v3/OS-FEDERATION/identity_providers/{idp_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The identity provider API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_identity_providers + deprecated_since: S + description: List identity providers. 
+ name: identity:list_identity_providers + operations: + - method: GET + path: /v3/OS-FEDERATION/identity_providers + - method: HEAD + path: /v3/OS-FEDERATION/identity_providers + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The identity provider API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_identity_providers + deprecated_since: S + description: Get identity provider. + name: identity:get_identity_provider + operations: + - method: GET + path: /v3/OS-FEDERATION/identity_providers/{idp_id} + - method: HEAD + path: /v3/OS-FEDERATION/identity_providers/{idp_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The identity provider API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_identity_providers + deprecated_since: S + description: Update identity provider. + name: identity:update_identity_provider + operations: + - method: PATCH + path: /v3/OS-FEDERATION/identity_providers/{idp_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The identity provider API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_identity_providers + deprecated_since: S + description: Delete identity provider. + name: identity:delete_identity_provider + operations: + - method: DELETE + path: /v3/OS-FEDERATION/identity_providers/{idp_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The implied role API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_implied_role + deprecated_since: T + description: Get information about an association between two roles. 
When a relationship + exists between a prior role and an implied role and the prior role is assigned + to a user, the user also assumes the implied role. + name: identity:get_implied_role + operations: + - method: GET + path: /v3/roles/{prior_role_id}/implies/{implied_role_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The implied role API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_implied_roles + deprecated_since: T + description: List associations between two roles. When a relationship exists between + a prior role and an implied role and the prior role is assigned to a user, the + user also assumes the implied role. This will return all the implied roles that + would be assumed by the user who gets the specified prior role. + name: identity:list_implied_roles + operations: + - method: GET + path: /v3/roles/{prior_role_id}/implies + - method: HEAD + path: /v3/roles/{prior_role_id}/implies + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The implied role API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_implied_role + deprecated_since: T + description: Create an association between two roles. When a relationship exists + between a prior role and an implied role and the prior role is assigned to a user, + the user also assumes the implied role. + name: identity:create_implied_role + operations: + - method: PUT + path: /v3/roles/{prior_role_id}/implies/{implied_role_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The implied role API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_implied_role + deprecated_since: T + description: Delete the association between two roles. 
When a relationship exists + between a prior role and an implied role and the prior role is assigned to a user, + the user also assumes the implied role. Removing the association will cause that + effect to be eliminated. + name: identity:delete_implied_role + operations: + - method: DELETE + path: /v3/roles/{prior_role_id}/implies/{implied_role_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The implied role API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_role_inference_rules + deprecated_since: T + description: List all associations between two roles in the system. When a relationship + exists between a prior role and an implied role and the prior role is assigned + to a user, the user also assumes the implied role. + name: identity:list_role_inference_rules + operations: + - method: GET + path: /v3/role_inferences + - method: HEAD + path: /v3/role_inferences + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The implied role API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:check_implied_role + deprecated_since: T + description: Check an association between two roles. When a relationship exists + between a prior role and an implied role and the prior role is assigned to a user, + the user also assumes the implied role. + name: identity:check_implied_role + operations: + - method: HEAD + path: /v3/roles/{prior_role_id}/implies/{implied_role_id} + scope_types: + - system +- check_str: '' + description: Get limit enforcement model. 
+ name: identity:get_limit_model + operations: + - method: GET + path: /v3/limits/model + - method: HEAD + path: /v3/limits/model + scope_types: + - system + - domain + - project +- check_str: (role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s + or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s + and not None:%(target.limit.project_id)s) + description: Show limit details. + name: identity:get_limit + operations: + - method: GET + path: /v3/limits/{limit_id} + - method: HEAD + path: /v3/limits/{limit_id} + scope_types: + - system + - domain + - project +- check_str: '' + description: List limits. + name: identity:list_limits + operations: + - method: GET + path: /v3/limits + - method: HEAD + path: /v3/limits + scope_types: + - system + - domain + - project +- check_str: role:admin and system_scope:all + description: Create limits. + name: identity:create_limits + operations: + - method: POST + path: /v3/limits + scope_types: + - system +- check_str: role:admin and system_scope:all + description: Update limit. + name: identity:update_limit + operations: + - method: PATCH + path: /v3/limits/{limit_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + description: Delete limit. + name: identity:delete_limit + operations: + - method: DELETE + path: /v3/limits/{limit_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The federated mapping API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_mapping + deprecated_since: S + description: Create a new federated mapping containing one or more sets of rules. 
+ name: identity:create_mapping + operations: + - method: PUT + path: /v3/OS-FEDERATION/mappings/{mapping_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The federated mapping API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_mapping + deprecated_since: S + description: Get a federated mapping. + name: identity:get_mapping + operations: + - method: GET + path: /v3/OS-FEDERATION/mappings/{mapping_id} + - method: HEAD + path: /v3/OS-FEDERATION/mappings/{mapping_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The federated mapping API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_mappings + deprecated_since: S + description: List federated mappings. + name: identity:list_mappings + operations: + - method: GET + path: /v3/OS-FEDERATION/mappings + - method: HEAD + path: /v3/OS-FEDERATION/mappings + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The federated mapping API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_mapping + deprecated_since: S + description: Delete a federated mapping. + name: identity:delete_mapping + operations: + - method: DELETE + path: /v3/OS-FEDERATION/mappings/{mapping_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The federated mapping API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_mapping + deprecated_since: S + description: Update a federated mapping. 
+ name: identity:update_mapping + operations: + - method: PATCH + path: /v3/OS-FEDERATION/mappings/{mapping_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The policy API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_policy + deprecated_since: T + description: Show policy details. + name: identity:get_policy + operations: + - method: GET + path: /v3/policies/{policy_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The policy API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_policies + deprecated_since: T + description: List policies. + name: identity:list_policies + operations: + - method: GET + path: /v3/policies + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The policy API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_policy + deprecated_since: T + description: Create policy. + name: identity:create_policy + operations: + - method: POST + path: /v3/policies + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The policy API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_policy + deprecated_since: T + description: Update policy. + name: identity:update_policy + operations: + - method: PATCH + path: /v3/policies/{policy_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The policy API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_policy + deprecated_since: T + description: Delete policy. 
+ name: identity:delete_policy + operations: + - method: DELETE + path: /v3/policies/{policy_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The policy association API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_policy_association_for_endpoint + deprecated_since: T + description: Associate a policy to a specific endpoint. + name: identity:create_policy_association_for_endpoint + operations: + - method: PUT + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The policy association API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:check_policy_association_for_endpoint + deprecated_since: T + description: Check policy association for endpoint. + name: identity:check_policy_association_for_endpoint + operations: + - method: GET + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} + - method: HEAD + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The policy association API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_policy_association_for_endpoint + deprecated_since: T + description: Delete policy association for endpoint. + name: identity:delete_policy_association_for_endpoint + operations: + - method: DELETE + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The policy association API is now aware of system scope and default + roles. 
+ deprecated_rule: + check_str: rule:admin_required + name: identity:create_policy_association_for_service + deprecated_since: T + description: Associate a policy to a specific service. + name: identity:create_policy_association_for_service + operations: + - method: PUT + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The policy association API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:check_policy_association_for_service + deprecated_since: T + description: Check policy association for service. + name: identity:check_policy_association_for_service + operations: + - method: GET + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} + - method: HEAD + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The policy association API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_policy_association_for_service + deprecated_since: T + description: Delete policy association for service. + name: identity:delete_policy_association_for_service + operations: + - method: DELETE + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The policy association API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_policy_association_for_region_and_service + deprecated_since: T + description: Associate a policy to a specific region and service combination. 
+ name: identity:create_policy_association_for_region_and_service + operations: + - method: PUT + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The policy association API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:check_policy_association_for_region_and_service + deprecated_since: T + description: Check policy association for region and service. + name: identity:check_policy_association_for_region_and_service + operations: + - method: GET + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} + - method: HEAD + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The policy association API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_policy_association_for_region_and_service + deprecated_since: T + description: Delete policy association for region and service. + name: identity:delete_policy_association_for_region_and_service + operations: + - method: DELETE + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The policy association API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_policy_for_endpoint + deprecated_since: T + description: Get policy for endpoint. 
+ name: identity:get_policy_for_endpoint + operations: + - method: GET + path: /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy + - method: HEAD + path: /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The policy association API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_endpoints_for_policy + deprecated_since: T + description: List endpoints for policy. + name: identity:list_endpoints_for_policy + operations: + - method: GET + path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints + scope_types: + - system +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) + or project_id:%(target.project.id)s + deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required or project_id:%(target.project.id)s + name: identity:get_project + deprecated_since: S + description: Show project details. + name: identity:get_project + operations: + - method: GET + path: /v3/projects/{project_id} + scope_types: + - system + - domain + - project +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s) + deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_projects + deprecated_since: S + description: List projects. + name: identity:list_projects + operations: + - method: GET + path: /v3/projects + scope_types: + - system + - domain +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) + or user_id:%(target.user.id)s + deprecated_reason: The project API is now aware of system scope and default roles. 
+ deprecated_rule: + check_str: rule:admin_or_owner + name: identity:list_user_projects + deprecated_since: S + description: List projects for user. + name: identity:list_user_projects + operations: + - method: GET + path: /v3/users/{user_id}/projects + scope_types: + - system + - domain + - project +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) + deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_project + deprecated_since: S + description: Create project. + name: identity:create_project + operations: + - method: POST + path: /v3/projects + scope_types: + - system + - domain +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) + deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_project + deprecated_since: S + description: Update project. + name: identity:update_project + operations: + - method: PATCH + path: /v3/projects/{project_id} + scope_types: + - system + - domain +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) + deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_project + deprecated_since: S + description: Delete project. 
+ name: identity:delete_project + operations: + - method: DELETE + path: /v3/projects/{project_id} + scope_types: + - system + - domain +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) + or project_id:%(target.project.id)s + deprecated_reason: ' + + As of the Train release, the project tags API understands how to handle + + system-scoped tokens in addition to project and domain tokens, making the API + + more accessible to users without compromising security or manageability for + + administrators. The new default policies for this API account for these changes + + automatically. + + ' + deprecated_rule: + check_str: rule:admin_required or project_id:%(target.project.id)s + name: identity:list_project_tags + deprecated_since: T + description: List tags for a project. + name: identity:list_project_tags + operations: + - method: GET + path: /v3/projects/{project_id}/tags + - method: HEAD + path: /v3/projects/{project_id}/tags + scope_types: + - system + - domain + - project +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) + or project_id:%(target.project.id)s + deprecated_reason: ' + + As of the Train release, the project tags API understands how to handle + + system-scoped tokens in addition to project and domain tokens, making the API + + more accessible to users without compromising security or manageability for + + administrators. The new default policies for this API account for these changes + + automatically. + + ' + deprecated_rule: + check_str: rule:admin_required or project_id:%(target.project.id)s + name: identity:get_project_tag + deprecated_since: T + description: Check if project contains a tag. 
+ name: identity:get_project_tag + operations: + - method: GET + path: /v3/projects/{project_id}/tags/{value} + - method: HEAD + path: /v3/projects/{project_id}/tags/{value} + scope_types: + - system + - domain + - project +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) + or (role:admin and project_id:%(target.project.id)s) + deprecated_reason: ' + + As of the Train release, the project tags API understands how to handle + + system-scoped tokens in addition to project and domain tokens, making the API + + more accessible to users without compromising security or manageability for + + administrators. The new default policies for this API account for these changes + + automatically. + + ' + deprecated_rule: + check_str: rule:admin_required + name: identity:update_project_tags + deprecated_since: T + description: Replace all tags on a project with the new set of tags. + name: identity:update_project_tags + operations: + - method: PUT + path: /v3/projects/{project_id}/tags + scope_types: + - system + - domain + - project +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) + or (role:admin and project_id:%(target.project.id)s) + deprecated_reason: ' + + As of the Train release, the project tags API understands how to handle + + system-scoped tokens in addition to project and domain tokens, making the API + + more accessible to users without compromising security or manageability for + + administrators. The new default policies for this API account for these changes + + automatically. + + ' + deprecated_rule: + check_str: rule:admin_required + name: identity:create_project_tag + deprecated_since: T + description: Add a single tag to a project. 
+ name: identity:create_project_tag + operations: + - method: PUT + path: /v3/projects/{project_id}/tags/{value} + scope_types: + - system + - domain + - project +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) + or (role:admin and project_id:%(target.project.id)s) + deprecated_reason: ' + + As of the Train release, the project tags API understands how to handle + + system-scoped tokens in addition to project and domain tokens, making the API + + more accessible to users without compromising security or manageability for + + administrators. The new default policies for this API account for these changes + + automatically. + + ' + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_project_tags + deprecated_since: T + description: Remove all tags from a project. + name: identity:delete_project_tags + operations: + - method: DELETE + path: /v3/projects/{project_id}/tags + scope_types: + - system + - domain + - project +- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) + or (role:admin and project_id:%(target.project.id)s) + deprecated_reason: ' + + As of the Train release, the project tags API understands how to handle + + system-scoped tokens in addition to project and domain tokens, making the API + + more accessible to users without compromising security or manageability for + + administrators. The new default policies for this API account for these changes + + automatically. + + ' + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_project_tag + deprecated_since: T + description: Delete a specified tag from project. 
+ name: identity:delete_project_tag + operations: + - method: DELETE + path: /v3/projects/{project_id}/tags/{value} + scope_types: + - system + - domain + - project +- check_str: role:reader and system_scope:all + deprecated_reason: ' + + As of the Train release, the project endpoint API now understands default + + roles and system-scoped tokens, making the API more granular by default without + + compromising security. The new policy defaults account for these changes + + automatically. Be sure to take these new defaults into consideration if you are + + relying on overrides in your deployment for the project endpoint API. + + ' + deprecated_rule: + check_str: rule:admin_required + name: identity:list_projects_for_endpoint + deprecated_since: T + description: List projects allowed to access an endpoint. + name: identity:list_projects_for_endpoint + operations: + - method: GET + path: /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: ' + + As of the Train release, the project endpoint API now understands default + + roles and system-scoped tokens, making the API more granular by default without + + compromising security. The new policy defaults account for these changes + + automatically. Be sure to take these new defaults into consideration if you are + + relying on overrides in your deployment for the project endpoint API. + + ' + deprecated_rule: + check_str: rule:admin_required + name: identity:add_endpoint_to_project + deprecated_since: T + description: Allow project to access an endpoint. 
+ name: identity:add_endpoint_to_project + operations: + - method: PUT + path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: ' + + As of the Train release, the project endpoint API now understands default + + roles and system-scoped tokens, making the API more granular by default without + + compromising security. The new policy defaults account for these changes + + automatically. Be sure to take these new defaults into consideration if you are + + relying on overrides in your deployment for the project endpoint API. + + ' + deprecated_rule: + check_str: rule:admin_required + name: identity:check_endpoint_in_project + deprecated_since: T + description: Check if a project is allowed to access an endpoint. + name: identity:check_endpoint_in_project + operations: + - method: GET + path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} + - method: HEAD + path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: ' + + As of the Train release, the project endpoint API now understands default + + roles and system-scoped tokens, making the API more granular by default without + + compromising security. The new policy defaults account for these changes + + automatically. Be sure to take these new defaults into consideration if you are + + relying on overrides in your deployment for the project endpoint API. + + ' + deprecated_rule: + check_str: rule:admin_required + name: identity:list_endpoints_for_project + deprecated_since: T + description: List the endpoints a project is allowed to access. 
+ name: identity:list_endpoints_for_project + operations: + - method: GET + path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: ' + + As of the Train release, the project endpoint API now understands default + + roles and system-scoped tokens, making the API more granular by default without + + compromising security. The new policy defaults account for these changes + + automatically. Be sure to take these new defaults into consideration if you are + + relying on overrides in your deployment for the project endpoint API. + + ' + deprecated_rule: + check_str: rule:admin_required + name: identity:remove_endpoint_from_project + deprecated_since: T + description: Remove access to an endpoint from a project that has previously been + given explicit access. + name: identity:remove_endpoint_from_project + operations: + - method: DELETE + path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The federated protocol API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_protocol + deprecated_since: S + description: Create federated protocol. + name: identity:create_protocol + operations: + - method: PUT + path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The federated protocol API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_protocol + deprecated_since: S + description: Update federated protocol. 
+ name: identity:update_protocol + operations: + - method: PATCH + path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The federated protocol API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_protocol + deprecated_since: S + description: Get federated protocol. + name: identity:get_protocol + operations: + - method: GET + path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The federated protocol API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_protocols + deprecated_since: S + description: List federated protocols. + name: identity:list_protocols + operations: + - method: GET + path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The federated protocol API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_protocol + deprecated_since: S + description: Delete federated protocol. + name: identity:delete_protocol + operations: + - method: DELETE + path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} + scope_types: + - system +- check_str: '' + description: Show region details. + name: identity:get_region + operations: + - method: GET + path: /v3/regions/{region_id} + - method: HEAD + path: /v3/regions/{region_id} + scope_types: + - system + - domain + - project +- check_str: '' + description: List regions. 
+ name: identity:list_regions + operations: + - method: GET + path: /v3/regions + - method: HEAD + path: /v3/regions + scope_types: + - system + - domain + - project +- check_str: role:admin and system_scope:all + deprecated_reason: The region API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_region + deprecated_since: S + description: Create region. + name: identity:create_region + operations: + - method: POST + path: /v3/regions + - method: PUT + path: /v3/regions/{region_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The region API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_region + deprecated_since: S + description: Update region. + name: identity:update_region + operations: + - method: PATCH + path: /v3/regions/{region_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The region API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_region + deprecated_since: S + description: Delete region. + name: identity:delete_region + operations: + - method: DELETE + path: /v3/regions/{region_id} + scope_types: + - system +- check_str: '' + description: Show registered limit details. + name: identity:get_registered_limit + operations: + - method: GET + path: /v3/registered_limits/{registered_limit_id} + - method: HEAD + path: /v3/registered_limits/{registered_limit_id} + scope_types: + - system + - domain + - project +- check_str: '' + description: List registered limits. + name: identity:list_registered_limits + operations: + - method: GET + path: /v3/registered_limits + - method: HEAD + path: /v3/registered_limits + scope_types: + - system + - domain + - project +- check_str: role:admin and system_scope:all + description: Create registered limits. 
+ name: identity:create_registered_limits + operations: + - method: POST + path: /v3/registered_limits + scope_types: + - system +- check_str: role:admin and system_scope:all + description: Update registered limit. + name: identity:update_registered_limit + operations: + - method: PATCH + path: /v3/registered_limits/{registered_limit_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + description: Delete registered limit. + name: identity:delete_registered_limit + operations: + - method: DELETE + path: /v3/registered_limits/{registered_limit_id} + scope_types: + - system +- check_str: rule:service_or_admin + description: List revocation events. + name: identity:list_revoke_events + operations: + - method: GET + path: /v3/OS-REVOKE/events + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_role + deprecated_since: S + description: Show role details. + name: identity:get_role + operations: + - method: GET + path: /v3/roles/{role_id} + - method: HEAD + path: /v3/roles/{role_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_roles + deprecated_since: S + description: List roles. + name: identity:list_roles + operations: + - method: GET + path: /v3/roles + - method: HEAD + path: /v3/roles + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_role + deprecated_since: S + description: Create role. 
+ name: identity:create_role + operations: + - method: POST + path: /v3/roles + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_role + deprecated_since: S + description: Update role. + name: identity:update_role + operations: + - method: PATCH + path: /v3/roles/{role_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_role + deprecated_since: S + description: Delete role. + name: identity:delete_role + operations: + - method: DELETE + path: /v3/roles/{role_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_domain_role + deprecated_since: T + description: Show domain role. + name: identity:get_domain_role + operations: + - method: GET + path: /v3/roles/{role_id} + - method: HEAD + path: /v3/roles/{role_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_domain_roles + deprecated_since: T + description: List domain roles. + name: identity:list_domain_roles + operations: + - method: GET + path: /v3/roles?domain_id={domain_id} + - method: HEAD + path: /v3/roles?domain_id={domain_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The role API is now aware of system scope and default roles. 
+ deprecated_rule: + check_str: rule:admin_required + name: identity:create_domain_role + deprecated_since: T + description: Create domain role. + name: identity:create_domain_role + operations: + - method: POST + path: /v3/roles + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_domain_role + deprecated_since: T + description: Update domain role. + name: identity:update_domain_role + operations: + - method: PATCH + path: /v3/roles/{role_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_domain_role + deprecated_since: T + description: Delete domain role. + name: identity:delete_domain_role + operations: + - method: DELETE + path: /v3/roles/{role_id} + scope_types: + - system +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s) + deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_role_assignments + deprecated_since: S + description: List role assignments. + name: identity:list_role_assignments + operations: + - method: GET + path: /v3/role_assignments + - method: HEAD + path: /v3/role_assignments + scope_types: + - system + - domain +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) + or (role:admin and project_id:%(target.project.id)s) + deprecated_reason: The assignment API is now aware of system scope and default roles. 
+ deprecated_rule: + check_str: rule:admin_required + name: identity:list_role_assignments_for_tree + deprecated_since: T + description: List all role assignments for a given tree of hierarchical projects. + name: identity:list_role_assignments_for_tree + operations: + - method: GET + path: /v3/role_assignments?include_subtree + - method: HEAD + path: /v3/role_assignments?include_subtree + scope_types: + - system + - domain + - project +- check_str: role:reader and system_scope:all + deprecated_reason: The service API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_service + deprecated_since: S + description: Show service details. + name: identity:get_service + operations: + - method: GET + path: /v3/services/{service_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The service API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_services + deprecated_since: S + description: List services. + name: identity:list_services + operations: + - method: GET + path: /v3/services + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The service API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_service + deprecated_since: S + description: Create service. + name: identity:create_service + operations: + - method: POST + path: /v3/services + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The service API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_service + deprecated_since: S + description: Update service. 
+ name: identity:update_service + operations: + - method: PATCH + path: /v3/services/{service_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The service API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_service + deprecated_since: S + description: Delete service. + name: identity:delete_service + operations: + - method: DELETE + path: /v3/services/{service_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The service provider API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_service_provider + deprecated_since: S + description: Create federated service provider. + name: identity:create_service_provider + operations: + - method: PUT + path: /v3/OS-FEDERATION/service_providers/{service_provider_id} + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The service provider API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_service_providers + deprecated_since: S + description: List federated service providers. + name: identity:list_service_providers + operations: + - method: GET + path: /v3/OS-FEDERATION/service_providers + - method: HEAD + path: /v3/OS-FEDERATION/service_providers + scope_types: + - system +- check_str: role:reader and system_scope:all + deprecated_reason: The service provider API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:get_service_provider + deprecated_since: S + description: Get federated service provider. 
+ name: identity:get_service_provider + operations: + - method: GET + path: /v3/OS-FEDERATION/service_providers/{service_provider_id} + - method: HEAD + path: /v3/OS-FEDERATION/service_providers/{service_provider_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The service provider API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_service_provider + deprecated_since: S + description: Update federated service provider. + name: identity:update_service_provider + operations: + - method: PATCH + path: /v3/OS-FEDERATION/service_providers/{service_provider_id} + scope_types: + - system +- check_str: role:admin and system_scope:all + deprecated_reason: The service provider API is now aware of system scope and default + roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_service_provider + deprecated_since: S + description: Delete federated service provider. + name: identity:delete_service_provider + operations: + - method: DELETE + path: /v3/OS-FEDERATION/service_providers/{service_provider_id} + scope_types: + - system +- check_str: rule:service_or_admin + deprecated_for_removal: true + deprecated_reason: ' + + The identity:revocation_list policy isn''t used to protect any APIs in keystone + + now that the revocation list API has been deprecated and only returns a 410 or + + 403 depending on how keystone is configured. This policy can be safely removed + + from policy files. + + ' + deprecated_since: T + description: List revoked PKI tokens. + name: identity:revocation_list + operations: + - method: GET + path: /v3/auth/tokens/OS-PKI/revoked + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or rule:token_subject + deprecated_reason: The token API is now aware of system scope and default roles. 
+ deprecated_rule: + check_str: rule:admin_or_token_subject + name: identity:check_token + deprecated_since: T + description: Check a token. + name: identity:check_token + operations: + - method: HEAD + path: /v3/auth/tokens + scope_types: + - system + - domain + - project +- check_str: (role:reader and system_scope:all) or rule:service_role or rule:token_subject + deprecated_reason: The token API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:service_admin_or_token_subject + name: identity:validate_token + deprecated_since: T + description: Validate a token. + name: identity:validate_token + operations: + - method: GET + path: /v3/auth/tokens + scope_types: + - system + - domain + - project +- check_str: (role:admin and system_scope:all) or rule:token_subject + deprecated_reason: The token API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_or_token_subject + name: identity:revoke_token + deprecated_since: T + description: Revoke a token. + name: identity:revoke_token + operations: + - method: DELETE + path: /v3/auth/tokens + scope_types: + - system + - domain + - project +- check_str: user_id:%(trust.trustor_user_id)s + description: Create trust. + name: identity:create_trust + operations: + - method: POST + path: /v3/OS-TRUST/trusts + scope_types: + - project +- check_str: role:reader and system_scope:all + deprecated_reason: The trust API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_trusts + deprecated_since: T + description: List trusts. + name: identity:list_trusts + operations: + - method: GET + path: /v3/OS-TRUST/trusts + - method: HEAD + path: /v3/OS-TRUST/trusts + scope_types: + - system +- check_str: role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s + description: List trusts for trustor. 
+ name: identity:list_trusts_for_trustor + operations: + - method: GET + path: /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id} + - method: HEAD + path: /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id} + scope_types: + - system + - project +- check_str: role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s + description: List trusts for trustee. + name: identity:list_trusts_for_trustee + operations: + - method: GET + path: /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id} + - method: HEAD + path: /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id} + scope_types: + - system + - project +- check_str: role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s + or user_id:%(target.trust.trustee_user_id)s + deprecated_reason: The trust API is now aware of system scope and default roles. + deprecated_rule: + check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s + name: identity:list_roles_for_trust + deprecated_since: T + description: List roles delegated by a trust. + name: identity:list_roles_for_trust + operations: + - method: GET + path: /v3/OS-TRUST/trusts/{trust_id}/roles + - method: HEAD + path: /v3/OS-TRUST/trusts/{trust_id}/roles + scope_types: + - system + - project +- check_str: role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s + or user_id:%(target.trust.trustee_user_id)s + deprecated_reason: The trust API is now aware of system scope and default roles. + deprecated_rule: + check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s + name: identity:get_role_for_trust + deprecated_since: T + description: Check if trust delegates a particular role. 
+ name: identity:get_role_for_trust + operations: + - method: GET + path: /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id} + - method: HEAD + path: /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id} + scope_types: + - system + - project +- check_str: role:admin and system_scope:all or user_id:%(target.trust.trustor_user_id)s + deprecated_reason: The trust API is now aware of system scope and default roles. + deprecated_rule: + check_str: user_id:%(target.trust.trustor_user_id)s + name: identity:delete_trust + deprecated_since: T + description: Revoke trust. + name: identity:delete_trust + operations: + - method: DELETE + path: /v3/OS-TRUST/trusts/{trust_id} + scope_types: + - system + - project +- check_str: role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s + or user_id:%(target.trust.trustee_user_id)s + deprecated_reason: The trust API is now aware of system scope and default roles. + deprecated_rule: + check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s + name: identity:get_trust + deprecated_since: T + description: Get trust. + name: identity:get_trust + operations: + - method: GET + path: /v3/OS-TRUST/trusts/{trust_id} + - method: HEAD + path: /v3/OS-TRUST/trusts/{trust_id} + scope_types: + - system + - project +- check_str: (role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) + or user_id:%(target.user.id)s + deprecated_reason: The user API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_or_owner + name: identity:get_user + deprecated_since: S + description: Show user details. 
+ name: identity:get_user + operations: + - method: GET + path: /v3/users/{user_id} + - method: HEAD + path: /v3/users/{user_id} + scope_types: + - system + - domain + - project +- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s) + deprecated_reason: The user API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:list_users + deprecated_since: S + description: List users. + name: identity:list_users + operations: + - method: GET + path: /v3/users + - method: HEAD + path: /v3/users + scope_types: + - system + - domain +- check_str: '' + description: List all projects a user has access to via role assignments. + name: identity:list_projects_for_user + operations: + - method: GET + path: ' /v3/auth/projects' + scope_types: null +- check_str: '' + description: List all domains a user has access to via role assignments. + name: identity:list_domains_for_user + operations: + - method: GET + path: /v3/auth/domains + scope_types: null +- check_str: (role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s) + deprecated_reason: The user API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:create_user + deprecated_since: S + description: Create a user. + name: identity:create_user + operations: + - method: POST + path: /v3/users + scope_types: + - system + - domain +- check_str: (role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s) + deprecated_reason: The user API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:update_user + deprecated_since: S + description: Update a user, including administrative password resets. 
+ name: identity:update_user + operations: + - method: PATCH + path: /v3/users/{user_id} + scope_types: + - system + - domain +- check_str: (role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s) + deprecated_reason: The user API is now aware of system scope and default roles. + deprecated_rule: + check_str: rule:admin_required + name: identity:delete_user + deprecated_since: S + description: Delete a user. + name: identity:delete_user + operations: + - method: DELETE + path: /v3/users/{user_id} + scope_types: + - system + - domain diff --git a/openstack_dashboard/conf/default_policies/neutron.yaml b/openstack_dashboard/conf/default_policies/neutron.yaml new file mode 100644 index 0000000000..5628bf12e1 --- /dev/null +++ b/openstack_dashboard/conf/default_policies/neutron.yaml 
@@ -0,0 +1,1511 @@ +- check_str: role:admin + description: Rule for cloud admin access + name: context_is_admin + operations: [] + scope_types: null +- check_str: tenant_id:%(tenant_id)s + description: Rule for resource owner access + name: owner + operations: [] + scope_types: null +- check_str: rule:context_is_admin or rule:owner + description: Rule for admin or owner access + name: admin_or_owner + operations: [] + scope_types: null +- check_str: role:advsvc + description: Rule for advsvc role access + name: context_is_advsvc + operations: [] + scope_types: null +- check_str: rule:context_is_admin or tenant_id:%(network:tenant_id)s + description: Rule for admin or network owner access + name: admin_or_network_owner + operations: [] + scope_types: null +- check_str: rule:owner or rule:admin_or_network_owner + description: Rule for resource owner, admin or network owner access + name: admin_owner_or_network_owner + operations: [] + scope_types: null +- check_str: rule:context_is_admin + description: Rule for admin-only access + name: admin_only + operations: [] + scope_types: null +- check_str: '' + description: Rule for regular user access + name: regular_user + operations: [] + scope_types: null +- check_str: field:networks:shared=True + description: Rule of shared network + name: shared + operations: [] + scope_types: null +- check_str: rule:admin_or_owner + description: Default access rule + name: default + operations: [] + scope_types: null +- check_str: rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s + description: Rule for common parent owner check + name: admin_or_ext_parent_owner + operations: [] + scope_types: null +- check_str: field:address_scopes:shared=True + description: Definition of a shared address scope + name: shared_address_scopes + operations: [] + scope_types: null +- check_str: rule:regular_user + description: Create an address scope + name: create_address_scope + operations: + - method: POST + path: /address-scopes + 
scope_types: null +- check_str: rule:admin_only + description: Create a shared address scope + name: create_address_scope:shared + operations: + - method: POST + path: /address-scopes + scope_types: null +- check_str: rule:admin_or_owner or rule:shared_address_scopes + description: Get an address scope + name: get_address_scope + operations: + - method: GET + path: /address-scopes + - method: GET + path: /address-scopes/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Update an address scope + name: update_address_scope + operations: + - method: PUT + path: /address-scopes/{id} + scope_types: null +- check_str: rule:admin_only + description: Update ``shared`` attribute of an address scope + name: update_address_scope:shared + operations: + - method: PUT + path: /address-scopes/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete an address scope + name: delete_address_scope + operations: + - method: DELETE + path: /address-scopes/{id} + scope_types: null +- check_str: rule:admin_only + description: Get an agent + name: get_agent + operations: + - method: GET + path: /agents + - method: GET + path: /agents/{id} + scope_types: null +- check_str: rule:admin_only + description: Update an agent + name: update_agent + operations: + - method: PUT + path: /agents/{id} + scope_types: null +- check_str: rule:admin_only + description: Delete an agent + name: delete_agent + operations: + - method: DELETE + path: /agents/{id} + scope_types: null +- check_str: rule:admin_only + description: Add a network to a DHCP agent + name: create_dhcp-network + operations: + - method: POST + path: /agents/{agent_id}/dhcp-networks + scope_types: null +- check_str: rule:admin_only + description: List networks on a DHCP agent + name: get_dhcp-networks + operations: + - method: GET + path: /agents/{agent_id}/dhcp-networks + scope_types: null +- check_str: rule:admin_only + description: Remove a network from a DHCP agent + name: 
delete_dhcp-network + operations: + - method: DELETE + path: /agents/{agent_id}/dhcp-networks/{network_id} + scope_types: null +- check_str: rule:admin_only + description: Add a router to an L3 agent + name: create_l3-router + operations: + - method: POST + path: /agents/{agent_id}/l3-routers + scope_types: null +- check_str: rule:admin_only + description: List routers on an L3 agent + name: get_l3-routers + operations: + - method: GET + path: /agents/{agent_id}/l3-routers + scope_types: null +- check_str: rule:admin_only + description: Remove a router from an L3 agent + name: delete_l3-router + operations: + - method: DELETE + path: /agents/{agent_id}/l3-routers/{router_id} + scope_types: null +- check_str: rule:admin_only + description: List DHCP agents hosting a network + name: get_dhcp-agents + operations: + - method: GET + path: /networks/{network_id}/dhcp-agents + scope_types: null +- check_str: rule:admin_only + description: List L3 agents hosting a router + name: get_l3-agents + operations: + - method: GET + path: /routers/{router_id}/l3-agents + scope_types: null +- check_str: rule:admin_or_owner + description: Get a project's auto-allocated topology + name: get_auto_allocated_topology + operations: + - method: GET + path: /auto-allocated-topology/{project_id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete a project's auto-allocated topology + name: delete_auto_allocated_topology + operations: + - method: DELETE + path: /auto-allocated-topology/{project_id} + scope_types: null +- check_str: rule:regular_user + description: List availability zones + name: get_availability_zone + operations: + - method: GET + path: /availability_zones + scope_types: null +- check_str: rule:admin_only + description: Create a flavor + name: create_flavor + operations: + - method: POST + path: /flavors + scope_types: null +- check_str: rule:regular_user + description: Get a flavor + name: get_flavor + operations: + - method: GET + path: /flavors + - 
method: GET + path: /flavors/{id} + scope_types: null +- check_str: rule:admin_only + description: Update a flavor + name: update_flavor + operations: + - method: PUT + path: /flavors/{id} + scope_types: null +- check_str: rule:admin_only + description: Delete a flavor + name: delete_flavor + operations: + - method: DELETE + path: /flavors/{id} + scope_types: null +- check_str: rule:admin_only + description: Create a service profile + name: create_service_profile + operations: + - method: POST + path: /service_profiles + scope_types: null +- check_str: rule:admin_only + description: Get a service profile + name: get_service_profile + operations: + - method: GET + path: /service_profiles + - method: GET + path: /service_profiles/{id} + scope_types: null +- check_str: rule:admin_only + description: Update a service profile + name: update_service_profile + operations: + - method: PUT + path: /service_profiles/{id} + scope_types: null +- check_str: rule:admin_only + description: Delete a service profile + name: delete_service_profile + operations: + - method: DELETE + path: /service_profiles/{id} + scope_types: null +- check_str: rule:regular_user + description: Get a flavor associated with a given service profiles. There is no + corresponding GET operations in API currently. This rule is currently referred + only in the DELETE of flavor_service_profile. 
+ name: get_flavor_service_profile + operations: [] + scope_types: null +- check_str: rule:admin_only + description: Associate a flavor with a service profile + name: create_flavor_service_profile + operations: + - method: POST + path: /flavors/{flavor_id}/service_profiles + scope_types: null +- check_str: rule:admin_only + description: Disassociate a flavor with a service profile + name: delete_flavor_service_profile + operations: + - method: DELETE + path: /flavors/{flavor_id}/service_profiles/{profile_id} + scope_types: null +- check_str: rule:regular_user + description: Create a floating IP + name: create_floatingip + operations: + - method: POST + path: /floatingips + scope_types: null +- check_str: rule:admin_only + description: Create a floating IP with a specific IP address + name: create_floatingip:floating_ip_address + operations: + - method: POST + path: /floatingips + scope_types: null +- check_str: rule:admin_or_owner + description: Get a floating IP + name: get_floatingip + operations: + - method: GET + path: /floatingips + - method: GET + path: /floatingips/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Update a floating IP + name: update_floatingip + operations: + - method: PUT + path: /floatingips/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete a floating IP + name: delete_floatingip + operations: + - method: DELETE + path: /floatingips/{id} + scope_types: null +- check_str: rule:regular_user + description: Get floating IP pools + name: get_floatingip_pool + operations: + - method: GET + path: /floatingip_pools + scope_types: null +- check_str: rule:admin_or_ext_parent_owner + description: Create a floating IP port forwarding + name: create_floatingip_port_forwarding + operations: + - method: POST + path: /floatingips/{floatingip_id}/port_forwardings + scope_types: null +- check_str: rule:admin_or_ext_parent_owner + description: Get a floating IP port forwarding + name: 
get_floatingip_port_forwarding + operations: + - method: GET + path: /floatingips/{floatingip_id}/port_forwardings + - method: GET + path: /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} + scope_types: null +- check_str: rule:admin_or_ext_parent_owner + description: Update a floating IP port forwarding + name: update_floatingip_port_forwarding + operations: + - method: PUT + path: /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} + scope_types: null +- check_str: rule:admin_or_ext_parent_owner + description: Delete a floating IP port forwarding + name: delete_floatingip_port_forwarding + operations: + - method: DELETE + path: /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} + scope_types: null +- check_str: rule:admin_or_ext_parent_owner + description: Create a router conntrack helper + name: create_router_conntrack_helper + operations: + - method: POST + path: /routers/{router_id}/conntrack_helpers + scope_types: null +- check_str: rule:admin_or_ext_parent_owner + description: Get a router conntrack helper + name: get_router_conntrack_helper + operations: + - method: GET + path: /routers/{router_id}/conntrack_helpers + - method: GET + path: /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} + scope_types: null +- check_str: rule:admin_or_ext_parent_owner + description: Update a router conntrack helper + name: update_router_conntrack_helper + operations: + - method: PUT + path: /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} + scope_types: null +- check_str: rule:admin_or_ext_parent_owner + description: Delete a router conntrack helper + name: delete_router_conntrack_helper + operations: + - method: DELETE + path: /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} + scope_types: null +- check_str: rule:admin_only + description: Get loggable resources + name: get_loggable_resource + operations: + - method: GET + path: /log/loggable-resources + scope_types: null +- check_str: 
rule:admin_only + description: Create a network log + name: create_log + operations: + - method: POST + path: /log/logs + scope_types: null +- check_str: rule:admin_only + description: Get a network log + name: get_log + operations: + - method: GET + path: /log/logs + - method: GET + path: /log/logs/{id} + scope_types: null +- check_str: rule:admin_only + description: Update a network log + name: update_log + operations: + - method: PUT + path: /log/logs/{id} + scope_types: null +- check_str: rule:admin_only + description: Delete a network log + name: delete_log + operations: + - method: DELETE + path: /log/logs/{id} + scope_types: null +- check_str: rule:admin_only + description: Create a metering label + name: create_metering_label + operations: + - method: POST + path: /metering/metering-labels + scope_types: null +- check_str: rule:admin_only + description: Get a metering label + name: get_metering_label + operations: + - method: GET + path: /metering/metering-labels + - method: GET + path: /metering/metering-labels/{id} + scope_types: null +- check_str: rule:admin_only + description: Delete a metering label + name: delete_metering_label + operations: + - method: DELETE + path: /metering/metering-labels/{id} + scope_types: null +- check_str: rule:admin_only + description: Create a metering label rule + name: create_metering_label_rule + operations: + - method: POST + path: /metering/metering-label-rules + scope_types: null +- check_str: rule:admin_only + description: Get a metering label rule + name: get_metering_label_rule + operations: + - method: GET + path: /metering/metering-label-rules + - method: GET + path: /metering/metering-label-rules/{id} + scope_types: null +- check_str: rule:admin_only + description: Delete a metering label rule + name: delete_metering_label_rule + operations: + - method: DELETE + path: /metering/metering-label-rules/{id} + scope_types: null +- check_str: field:networks:router:external=True + description: Definition of an external 
network + name: external + operations: [] + scope_types: null +- check_str: rule:regular_user + description: Create a network + name: create_network + operations: &id001 + - method: POST + path: /networks + scope_types: null +- check_str: rule:admin_only + description: Create a shared network + name: create_network:shared + operations: *id001 + scope_types: null +- check_str: rule:admin_only + description: Create an external network + name: create_network:router:external + operations: *id001 + scope_types: null +- check_str: rule:admin_only + description: Specify ``is_default`` attribute when creating a network + name: create_network:is_default + operations: *id001 + scope_types: null +- check_str: rule:regular_user + description: Specify ``port_security_enabled`` attribute when creating a network + name: create_network:port_security_enabled + operations: *id001 + scope_types: null +- check_str: rule:admin_only + description: Specify ``segments`` attribute when creating a network + name: create_network:segments + operations: *id001 + scope_types: null +- check_str: rule:admin_only + description: Specify ``provider:network_type`` when creating a network + name: create_network:provider:network_type + operations: *id001 + scope_types: null +- check_str: rule:admin_only + description: Specify ``provider:physical_network`` when creating a network + name: create_network:provider:physical_network + operations: *id001 + scope_types: null +- check_str: rule:admin_only + description: Specify ``provider:segmentation_id`` when creating a network + name: create_network:provider:segmentation_id + operations: *id001 + scope_types: null +- check_str: rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc + description: Get a network + name: get_network + operations: &id002 + - method: GET + path: /networks + - method: GET + path: /networks/{id} + scope_types: null +- check_str: rule:regular_user + description: Get ``router:external`` attribute of a network + 
name: get_network:router:external + operations: *id002 + scope_types: null +- check_str: rule:admin_only + description: Get ``segments`` attribute of a network + name: get_network:segments + operations: *id002 + scope_types: null +- check_str: rule:admin_only + description: Get ``provider:network_type`` attribute of a network + name: get_network:provider:network_type + operations: *id002 + scope_types: null +- check_str: rule:admin_only + description: Get ``provider:physical_network`` attribute of a network + name: get_network:provider:physical_network + operations: *id002 + scope_types: null +- check_str: rule:admin_only + description: Get ``provider:segmentation_id`` attribute of a network + name: get_network:provider:segmentation_id + operations: *id002 + scope_types: null +- check_str: rule:admin_or_owner + description: Update a network + name: update_network + operations: &id003 + - method: PUT + path: /networks/{id} + scope_types: null +- check_str: rule:admin_only + description: Update ``segments`` attribute of a network + name: update_network:segments + operations: *id003 + scope_types: null +- check_str: rule:admin_only + description: Update ``shared`` attribute of a network + name: update_network:shared + operations: *id003 + scope_types: null +- check_str: rule:admin_only + description: Update ``provider:network_type`` attribute of a network + name: update_network:provider:network_type + operations: *id003 + scope_types: null +- check_str: rule:admin_only + description: Update ``provider:physical_network`` attribute of a network + name: update_network:provider:physical_network + operations: *id003 + scope_types: null +- check_str: rule:admin_only + description: Update ``provider:segmentation_id`` attribute of a network + name: update_network:provider:segmentation_id + operations: *id003 + scope_types: null +- check_str: rule:admin_only + description: Update ``router:external`` attribute of a network + name: update_network:router:external + operations: 
*id003 + scope_types: null +- check_str: rule:admin_only + description: Update ``is_default`` attribute of a network + name: update_network:is_default + operations: *id003 + scope_types: null +- check_str: rule:admin_or_owner + description: Update ``port_security_enabled`` attribute of a network + name: update_network:port_security_enabled + operations: *id003 + scope_types: null +- check_str: rule:admin_or_owner + description: Delete a network + name: delete_network + operations: + - method: DELETE + path: /networks/{id} + scope_types: null +- check_str: rule:admin_only + description: Get network IP availability + name: get_network_ip_availability + operations: + - method: GET + path: /network-ip-availabilities + - method: GET + path: /network-ip-availabilities/{network_id} + scope_types: null +- check_str: rule:admin_only + description: Create a network segment range + name: create_network_segment_range + operations: + - method: POST + path: /network_segment_ranges + scope_types: null +- check_str: rule:admin_only + description: Get a network segment range + name: get_network_segment_range + operations: + - method: GET + path: /network_segment_ranges + - method: GET + path: /network_segment_ranges/{id} + scope_types: null +- check_str: rule:admin_only + description: Update a network segment range + name: update_network_segment_range + operations: + - method: PUT + path: /network_segment_ranges/{id} + scope_types: null +- check_str: rule:admin_only + description: Delete a network segment range + name: delete_network_segment_range + operations: + - method: DELETE + path: /network_segment_ranges/{id} + scope_types: null +- check_str: 'field:port:device_owner=~^network:' + description: Definition of port with network device_owner + name: network_device + operations: [] + scope_types: null +- check_str: rule:context_is_admin or role:data_plane_integrator + description: Rule for data plane integration + name: admin_or_data_plane_int + operations: [] + scope_types: null 
+- check_str: rule:regular_user + description: Create a port + name: create_port + operations: &id004 + - method: POST + path: /ports + scope_types: null +- check_str: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner + description: Specify ``device_owner`` attribute when creting a port + name: create_port:device_owner + operations: *id004 + scope_types: null +- check_str: rule:context_is_advsvc or rule:admin_or_network_owner + description: Specify ``mac_address`` attribute when creating a port + name: create_port:mac_address + operations: *id004 + scope_types: null +- check_str: rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared + description: Specify ``fixed_ips`` information when creating a port + name: create_port:fixed_ips + operations: *id004 + scope_types: null +- check_str: rule:context_is_advsvc or rule:admin_or_network_owner + description: Specify IP address in ``fixed_ips`` when creating a port + name: create_port:fixed_ips:ip_address + operations: *id004 + scope_types: null +- check_str: rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared + description: Specify subnet ID in ``fixed_ips`` when creating a port + name: create_port:fixed_ips:subnet_id + operations: *id004 + scope_types: null +- check_str: rule:context_is_advsvc or rule:admin_or_network_owner + description: Specify ``port_security_enabled`` attribute when creating a port + name: create_port:port_security_enabled + operations: *id004 + scope_types: null +- check_str: rule:admin_only + description: Specify ``binding:host_id`` attribute when creating a port + name: create_port:binding:host_id + operations: *id004 + scope_types: null +- check_str: rule:admin_only + description: Specify ``binding:profile`` attribute when creating a port + name: create_port:binding:profile + operations: *id004 + scope_types: null +- check_str: rule:regular_user + description: Specify ``binding:vnic_type`` attribute when creating a port + name: 
create_port:binding:vnic_type + operations: *id004 + scope_types: null +- check_str: rule:admin_or_network_owner + description: Specify ``allowed_address_pairs`` attribute when creating a port + name: create_port:allowed_address_pairs + operations: *id004 + scope_types: null +- check_str: rule:admin_or_network_owner + description: Specify ``mac_address` of `allowed_address_pairs`` attribute when creating + a port + name: create_port:allowed_address_pairs:mac_address + operations: *id004 + scope_types: null +- check_str: rule:admin_or_network_owner + description: Specify ``ip_address`` of ``allowed_address_pairs`` attribute when + creating a port + name: create_port:allowed_address_pairs:ip_address + operations: *id004 + scope_types: null +- check_str: rule:context_is_advsvc or rule:admin_owner_or_network_owner + description: Get a port + name: get_port + operations: &id005 + - method: GET + path: /ports + - method: GET + path: /ports/{id} + scope_types: null +- check_str: rule:admin_only + description: Get ``binding:vif_type`` attribute of a port + name: get_port:binding:vif_type + operations: *id005 + scope_types: null +- check_str: rule:admin_only + description: Get ``binding:vif_details`` attribute of a port + name: get_port:binding:vif_details + operations: *id005 + scope_types: null +- check_str: rule:admin_only + description: Get ``binding:host_id`` attribute of a port + name: get_port:binding:host_id + operations: *id005 + scope_types: null +- check_str: rule:admin_only + description: Get ``binding:profile`` attribute of a port + name: get_port:binding:profile + operations: *id005 + scope_types: null +- check_str: rule:admin_only + description: Get ``resource_request`` attribute of a port + name: get_port:resource_request + operations: *id005 + scope_types: null +- check_str: rule:admin_or_owner or rule:context_is_advsvc + description: Update a port + name: update_port + operations: &id006 + - method: PUT + path: /ports/{id} + scope_types: null +- check_str: 
not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner + description: Update ``device_owner`` attribute of a port + name: update_port:device_owner + operations: *id006 + scope_types: null +- check_str: rule:admin_only or rule:context_is_advsvc + description: Update ``mac_address`` attribute of a port + name: update_port:mac_address + operations: *id006 + scope_types: null +- check_str: rule:context_is_advsvc or rule:admin_or_network_owner + description: Specify ``fixed_ips`` information when updating a port + name: update_port:fixed_ips + operations: *id006 + scope_types: null +- check_str: rule:context_is_advsvc or rule:admin_or_network_owner + description: Specify IP address in ``fixed_ips`` information when updating a port + name: update_port:fixed_ips:ip_address + operations: *id006 + scope_types: null +- check_str: rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared + description: Specify subnet ID in ``fixed_ips`` information when updating a port + name: update_port:fixed_ips:subnet_id + operations: *id006 + scope_types: null +- check_str: rule:context_is_advsvc or rule:admin_or_network_owner + description: Update ``port_security_enabled`` attribute of a port + name: update_port:port_security_enabled + operations: *id006 + scope_types: null +- check_str: rule:admin_only + description: Update ``binding:host_id`` attribute of a port + name: update_port:binding:host_id + operations: *id006 + scope_types: null +- check_str: rule:admin_only + description: Update ``binding:profile`` attribute of a port + name: update_port:binding:profile + operations: *id006 + scope_types: null +- check_str: rule:admin_or_owner or rule:context_is_advsvc + description: Update ``binding:vnic_type`` attribute of a port + name: update_port:binding:vnic_type + operations: *id006 + scope_types: null +- check_str: rule:admin_or_network_owner + description: Update ``allowed_address_pairs`` attribute of a port + name: 
update_port:allowed_address_pairs + operations: *id006 + scope_types: null +- check_str: rule:admin_or_network_owner + description: Update ``mac_address`` of ``allowed_address_pairs`` attribute of a + port + name: update_port:allowed_address_pairs:mac_address + operations: *id006 + scope_types: null +- check_str: rule:admin_or_network_owner + description: Update ``ip_address`` of ``allowed_address_pairs`` attribute of a port + name: update_port:allowed_address_pairs:ip_address + operations: *id006 + scope_types: null +- check_str: rule:admin_or_data_plane_int + description: Update ``data_plane_status`` attribute of a port + name: update_port:data_plane_status + operations: *id006 + scope_types: null +- check_str: rule:context_is_advsvc or rule:admin_owner_or_network_owner + description: Delete a port + name: delete_port + operations: + - method: DELETE + path: /ports/{id} + scope_types: null +- check_str: rule:regular_user + description: Get QoS policies + name: get_policy + operations: + - method: GET + path: /qos/policies + - method: GET + path: /qos/policies/{id} + scope_types: null +- check_str: rule:admin_only + description: Create a QoS policy + name: create_policy + operations: + - method: POST + path: /qos/policies + scope_types: null +- check_str: rule:admin_only + description: Update a QoS policy + name: update_policy + operations: + - method: PUT + path: /qos/policies/{id} + scope_types: null +- check_str: rule:admin_only + description: Delete a QoS policy + name: delete_policy + operations: + - method: DELETE + path: /qos/policies/{id} + scope_types: null +- check_str: rule:regular_user + description: Get available QoS rule types + name: get_rule_type + operations: + - method: GET + path: /qos/rule-types + - method: GET + path: /qos/rule-types/{rule_type} + scope_types: null +- check_str: rule:regular_user + description: Get a QoS bandwidth limit rule + name: get_policy_bandwidth_limit_rule + operations: + - method: GET + path: 
/qos/policies/{policy_id}/bandwidth_limit_rules + - method: GET + path: /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id} + scope_types: null +- check_str: rule:admin_only + description: Create a QoS bandwidth limit rule + name: create_policy_bandwidth_limit_rule + operations: + - method: POST + path: /qos/policies/{policy_id}/bandwidth_limit_rules + scope_types: null +- check_str: rule:admin_only + description: Update a QoS bandwidth limit rule + name: update_policy_bandwidth_limit_rule + operations: + - method: PUT + path: /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id} + scope_types: null +- check_str: rule:admin_only + description: Delete a QoS bandwidth limit rule + name: delete_policy_bandwidth_limit_rule + operations: + - method: DELETE + path: /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id} + scope_types: null +- check_str: rule:regular_user + description: Get a QoS DSCP marking rule + name: get_policy_dscp_marking_rule + operations: + - method: GET + path: /qos/policies/{policy_id}/dscp_marking_rules + - method: GET + path: /qos/policies/{policy_id}/dscp_marking_rules/{rule_id} + scope_types: null +- check_str: rule:admin_only + description: Create a QoS DSCP marking rule + name: create_policy_dscp_marking_rule + operations: + - method: POST + path: /qos/policies/{policy_id}/dscp_marking_rules + scope_types: null +- check_str: rule:admin_only + description: Update a QoS DSCP marking rule + name: update_policy_dscp_marking_rule + operations: + - method: PUT + path: /qos/policies/{policy_id}/dscp_marking_rules/{rule_id} + scope_types: null +- check_str: rule:admin_only + description: Delete a QoS DSCP marking rule + name: delete_policy_dscp_marking_rule + operations: + - method: DELETE + path: /qos/policies/{policy_id}/dscp_marking_rules/{rule_id} + scope_types: null +- check_str: rule:regular_user + description: Get a QoS minimum bandwidth rule + name: get_policy_minimum_bandwidth_rule + operations: + - method: GET + path: 
/qos/policies/{policy_id}/minimum_bandwidth_rules + - method: GET + path: /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id} + scope_types: null +- check_str: rule:admin_only + description: Create a QoS minimum bandwidth rule + name: create_policy_minimum_bandwidth_rule + operations: + - method: POST + path: /qos/policies/{policy_id}/minimum_bandwidth_rules + scope_types: null +- check_str: rule:admin_only + description: Update a QoS minimum bandwidth rule + name: update_policy_minimum_bandwidth_rule + operations: + - method: PUT + path: /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id} + scope_types: null +- check_str: rule:admin_only + description: Delete a QoS minimum bandwidth rule + name: delete_policy_minimum_bandwidth_rule + operations: + - method: DELETE + path: /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id} + scope_types: null +- check_str: rule:get_policy_bandwidth_limit_rule + description: Get a QoS bandwidth limit rule through alias + name: get_alias_bandwidth_limit_rule + operations: + - method: GET + path: /qos/alias_bandwidth_limit_rules/{rule_id}/ + scope_types: null +- check_str: rule:update_policy_bandwidth_limit_rule + description: Update a QoS bandwidth limit rule through alias + name: update_alias_bandwidth_limit_rule + operations: + - method: PUT + path: /qos/alias_bandwidth_limit_rules/{rule_id}/ + scope_types: null +- check_str: rule:delete_policy_bandwidth_limit_rule + description: Delete a QoS bandwidth limit rule through alias + name: delete_alias_bandwidth_limit_rule + operations: + - method: DELETE + path: /qos/alias_bandwidth_limit_rules/{rule_id}/ + scope_types: null +- check_str: rule:get_policy_dscp_marking_rule + description: Get a QoS DSCP marking rule through alias + name: get_alias_dscp_marking_rule + operations: + - method: GET + path: /qos/alias_dscp_marking_rules/{rule_id}/ + scope_types: null +- check_str: rule:update_policy_dscp_marking_rule + description: Update a QoS DSCP marking rule 
through alias + name: update_alias_dscp_marking_rule + operations: + - method: PUT + path: /qos/alias_dscp_marking_rules/{rule_id}/ + scope_types: null +- check_str: rule:delete_policy_dscp_marking_rule + description: Delete a QoS DSCP marking rule through alias + name: delete_alias_dscp_marking_rule + operations: + - method: DELETE + path: /qos/alias_dscp_marking_rules/{rule_id}/ + scope_types: null +- check_str: rule:get_policy_minimum_bandwidth_rule + description: Get a QoS minimum bandwidth rule through alias + name: get_alias_minimum_bandwidth_rule + operations: + - method: GET + path: /qos/alias_minimum_bandwidth_rules/{rule_id}/ + scope_types: null +- check_str: rule:update_policy_minimum_bandwidth_rule + description: Update a QoS minimum bandwidth rule through alias + name: update_alias_minimum_bandwidth_rule + operations: + - method: PUT + path: /qos/alias_minimum_bandwidth_rules/{rule_id}/ + scope_types: null +- check_str: rule:delete_policy_minimum_bandwidth_rule + description: Delete a QoS minimum bandwidth rule through alias + name: delete_alias_minimum_bandwidth_rule + operations: + - method: DELETE + path: /qos/alias_minimum_bandwidth_rules/{rule_id}/ + scope_types: null +- check_str: rule:admin_only + description: Get a resource quota + name: get_quota + operations: + - method: GET + path: /quota + - method: GET + path: /quota/{id} + scope_types: null +- check_str: rule:admin_only + description: Update a resource quota + name: update_quota + operations: + - method: PUT + path: /quota/{id} + scope_types: null +- check_str: rule:admin_only + description: Delete a resource quota + name: delete_quota + operations: + - method: DELETE + path: /quota/{id} + scope_types: null +- check_str: (not field:rbac_policy:target_tenant=*) or rule:admin_only + description: Definition of a wildcard target_tenant + name: restrict_wildcard + operations: [] + scope_types: null +- check_str: rule:regular_user + description: Create an RBAC policy + name: create_rbac_policy 
+ operations: + - method: POST + path: /rbac-policies + scope_types: null +- check_str: rule:restrict_wildcard + description: Specify ``target_tenant`` when creating an RBAC policy + name: create_rbac_policy:target_tenant + operations: + - method: POST + path: /rbac-policies + scope_types: null +- check_str: rule:admin_or_owner + description: Update an RBAC policy + name: update_rbac_policy + operations: + - method: PUT + path: /rbac-policies/{id} + scope_types: null +- check_str: rule:restrict_wildcard and rule:admin_or_owner + description: Update ``target_tenant`` attribute of an RBAC policy + name: update_rbac_policy:target_tenant + operations: + - method: PUT + path: /rbac-policies/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Get an RBAC policy + name: get_rbac_policy + operations: + - method: GET + path: /rbac-policies + - method: GET + path: /rbac-policies/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete an RBAC policy + name: delete_rbac_policy + operations: + - method: DELETE + path: /rbac-policies/{id} + scope_types: null +- check_str: rule:regular_user + description: Create a router + name: create_router + operations: &id007 + - method: POST + path: /routers + scope_types: null +- check_str: rule:admin_only + description: Specify ``distributed`` attribute when creating a router + name: create_router:distributed + operations: *id007 + scope_types: null +- check_str: rule:admin_only + description: Specify ``ha`` attribute when creating a router + name: create_router:ha + operations: *id007 + scope_types: null +- check_str: rule:admin_or_owner + description: Specify ``external_gateway_info`` information when creating a router + name: create_router:external_gateway_info + operations: *id007 + scope_types: null +- check_str: rule:admin_or_owner + description: Specify ``network_id`` in ``external_gateway_info`` information when + creating a router + name: create_router:external_gateway_info:network_id 
+ operations: *id007 + scope_types: null +- check_str: rule:admin_only + description: Specify ``enable_snat`` in ``external_gateway_info`` information when + creating a router + name: create_router:external_gateway_info:enable_snat + operations: *id007 + scope_types: null +- check_str: rule:admin_only + description: Specify ``external_fixed_ips`` in ``external_gateway_info`` information + when creating a router + name: create_router:external_gateway_info:external_fixed_ips + operations: *id007 + scope_types: null +- check_str: rule:admin_or_owner + description: Get a router + name: get_router + operations: &id008 + - method: GET + path: /routers + - method: GET + path: /routers/{id} + scope_types: null +- check_str: rule:admin_only + description: Get ``distributed`` attribute of a router + name: get_router:distributed + operations: *id008 + scope_types: null +- check_str: rule:admin_only + description: Get ``ha`` attribute of a router + name: get_router:ha + operations: *id008 + scope_types: null +- check_str: rule:admin_or_owner + description: Update a router + name: update_router + operations: &id009 + - method: PUT + path: /routers/{id} + scope_types: null +- check_str: rule:admin_only + description: Update ``distributed`` attribute of a router + name: update_router:distributed + operations: *id009 + scope_types: null +- check_str: rule:admin_only + description: Update ``ha`` attribute of a router + name: update_router:ha + operations: *id009 + scope_types: null +- check_str: rule:admin_or_owner + description: Update ``external_gateway_info`` information of a router + name: update_router:external_gateway_info + operations: *id009 + scope_types: null +- check_str: rule:admin_or_owner + description: Update ``network_id`` attribute of ``external_gateway_info`` information + of a router + name: update_router:external_gateway_info:network_id + operations: *id009 + scope_types: null +- check_str: rule:admin_only + description: Update ``enable_snat`` attribute of 
``external_gateway_info`` information + of a router + name: update_router:external_gateway_info:enable_snat + operations: *id009 + scope_types: null +- check_str: rule:admin_only + description: Update ``external_fixed_ips`` attribute of ``external_gateway_info`` + information of a router + name: update_router:external_gateway_info:external_fixed_ips + operations: *id009 + scope_types: null +- check_str: rule:admin_or_owner + description: Delete a router + name: delete_router + operations: + - method: DELETE + path: /routers/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Add an interface to a router + name: add_router_interface + operations: + - method: PUT + path: /routers/{id}/add_router_interface + scope_types: null +- check_str: rule:admin_or_owner + description: Remove an interface from a router + name: remove_router_interface + operations: + - method: PUT + path: /routers/{id}/remove_router_interface + scope_types: null +- check_str: rule:context_is_admin or tenant_id:%(security_group:tenant_id)s + description: Rule for admin or security group owner access + name: admin_or_sg_owner + operations: [] + scope_types: null +- check_str: rule:owner or rule:admin_or_sg_owner + description: Rule for resource owner, admin or security group owner access + name: admin_owner_or_sg_owner + operations: [] + scope_types: null +- check_str: rule:admin_or_owner + description: Create a security group + name: create_security_group + operations: + - method: POST + path: /security-groups + scope_types: null +- check_str: rule:regular_user + description: Get a security group + name: get_security_group + operations: + - method: GET + path: /security-groups + - method: GET + path: /security-groups/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Update a security group + name: update_security_group + operations: + - method: PUT + path: /security-groups/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete 
a security group + name: delete_security_group + operations: + - method: DELETE + path: /security-groups/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Create a security group rule + name: create_security_group_rule + operations: + - method: POST + path: /security-group-rules + scope_types: null +- check_str: rule:admin_owner_or_sg_owner + description: Get a security group rule + name: get_security_group_rule + operations: + - method: GET + path: /security-group-rules + - method: GET + path: /security-group-rules/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete a security group rule + name: delete_security_group_rule + operations: + - method: DELETE + path: /security-group-rules/{id} + scope_types: null +- check_str: rule:admin_only + description: Create a segment + name: create_segment + operations: + - method: POST + path: /segments + scope_types: null +- check_str: rule:admin_only + description: Get a segment + name: get_segment + operations: + - method: GET + path: /segments + - method: GET + path: /segments/{id} + scope_types: null +- check_str: rule:admin_only + description: Update a segment + name: update_segment + operations: + - method: PUT + path: /segments/{id} + scope_types: null +- check_str: rule:admin_only + description: Delete a segment + name: delete_segment + operations: + - method: DELETE + path: /segments/{id} + scope_types: null +- check_str: rule:regular_user + description: Get service providers + name: get_service_provider + operations: + - method: GET + path: /service-providers + scope_types: null +- check_str: rule:admin_or_network_owner + description: Create a subnet + name: create_subnet + operations: &id010 + - method: POST + path: /subnets + scope_types: null +- check_str: rule:admin_only + description: Specify ``segment_id`` attribute when creating a subnet + name: create_subnet:segment_id + operations: *id010 + scope_types: null +- check_str: rule:admin_only + description: 
Specify ``service_types`` attribute when creating a subnet + name: create_subnet:service_types + operations: *id010 + scope_types: null +- check_str: rule:admin_or_owner or rule:shared + description: Get a subnet + name: get_subnet + operations: &id011 + - method: GET + path: /subnets + - method: GET + path: /subnets/{id} + scope_types: null +- check_str: rule:admin_only + description: Get ``segment_id`` attribute of a subnet + name: get_subnet:segment_id + operations: *id011 + scope_types: null +- check_str: rule:admin_or_network_owner + description: Update a subnet + name: update_subnet + operations: &id012 + - method: PUT + path: /subnets/{id} + scope_types: null +- check_str: rule:admin_only + description: Update ``segment_id`` attribute of a subnet + name: update_subnet:segment_id + operations: *id012 + scope_types: null +- check_str: rule:admin_only + description: Update ``service_types`` attribute of a subnet + name: update_subnet:service_types + operations: *id012 + scope_types: null +- check_str: rule:admin_or_network_owner + description: Delete a subnet + name: delete_subnet + operations: + - method: DELETE + path: /subnets/{id} + scope_types: null +- check_str: field:subnetpools:shared=True + description: Definition of a shared subnetpool + name: shared_subnetpools + operations: [] + scope_types: null +- check_str: rule:regular_user + description: Create a subnetpool + name: create_subnetpool + operations: + - method: POST + path: /subnetpools + scope_types: null +- check_str: rule:admin_only + description: Create a shared subnetpool + name: create_subnetpool:shared + operations: + - method: POST + path: /subnetpools + scope_types: null +- check_str: rule:admin_only + description: Specify ``is_default`` attribute when creating a subnetpool + name: create_subnetpool:is_default + operations: + - method: POST + path: /subnetpools + scope_types: null +- check_str: rule:admin_or_owner or rule:shared_subnetpools + description: Get a subnetpool + name: 
get_subnetpool + operations: + - method: GET + path: /subnetpools + - method: GET + path: /subnetpools/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Update a subnetpool + name: update_subnetpool + operations: + - method: PUT + path: /subnetpools/{id} + scope_types: null +- check_str: rule:admin_only + description: Update ``is_default`` attribute of a subnetpool + name: update_subnetpool:is_default + operations: + - method: PUT + path: /subnetpools/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete a subnetpool + name: delete_subnetpool + operations: + - method: DELETE + path: /subnetpools/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Onboard existing subnet into a subnetpool + name: onboard_network_subnets + operations: + - method: Put + path: /subnetpools/{id}/onboard_network_subnets + scope_types: null +- check_str: rule:admin_or_owner + description: Add prefixes to a subnetpool + name: add_prefixes + operations: + - method: Put + path: /subnetpools/{id}/add_prefixes + scope_types: null +- check_str: rule:admin_or_owner + description: Remove unallocated prefixes from a subnetpool + name: remove_prefixes + operations: + - method: Put + path: /subnetpools/{id}/remove_prefixes + scope_types: null +- check_str: rule:regular_user + description: Create a trunk + name: create_trunk + operations: + - method: POST + path: /trunks + scope_types: null +- check_str: rule:admin_or_owner + description: Get a trunk + name: get_trunk + operations: + - method: GET + path: /trunks + - method: GET + path: /trunks/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Update a trunk + name: update_trunk + operations: + - method: PUT + path: /trunks/{id} + scope_types: null +- check_str: rule:admin_or_owner + description: Delete a trunk + name: delete_trunk + operations: + - method: DELETE + path: /trunks/{id} + scope_types: null +- check_str: rule:regular_user + description: List 
subports attached to a trunk + name: get_subports + operations: + - method: GET + path: /trunks/{id}/get_subports + scope_types: null +- check_str: rule:admin_or_owner + description: Add subports to a trunk + name: add_subports + operations: + - method: PUT + path: /trunks/{id}/add_subports + scope_types: null +- check_str: rule:admin_or_owner + description: Delete subports from a trunk + name: remove_subports + operations: + - method: PUT + path: /trunks/{id}/remove_subports + scope_types: null diff --git a/openstack_dashboard/conf/default_policies/nova.yaml b/openstack_dashboard/conf/default_policies/nova.yaml new file mode 100644 index 0000000000..5f7f5700cc --- /dev/null +++ b/openstack_dashboard/conf/default_policies/nova.yaml 
@@ -0,0 +1,3103 @@ +- check_str: role:admin + description: Decides what is required for the 'is_admin:True' check to succeed. + name: context_is_admin + operations: [] + scope_types: null +- check_str: is_admin:True or project_id:%(project_id)s + deprecated_for_removal: true + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 + description: Default rule for most non-Admin APIs. + name: admin_or_owner + operations: [] + scope_types: null +- check_str: is_admin:True + deprecated_for_removal: true + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 + description: Default rule for most Admin APIs. + name: admin_api + operations: [] + scope_types: null +- check_str: role:admin and system_scope:all + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: is_admin:True + name: rule:admin_api + deprecated_since: 21.0.0 + description: Default rule for System Admin APIs. + name: system_admin_api + operations: [] + scope_types: null +- check_str: role:reader and system_scope:all + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: is_admin:True + name: rule:admin_api + deprecated_since: 21.0.0 + description: Default rule for System level read only APIs. 
+ name: system_reader_api + operations: [] + scope_types: null +- check_str: role:admin and project_id:%(project_id)s + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: is_admin:True + name: rule:admin_api + deprecated_since: 21.0.0 + description: Default rule for Project level admin APIs. + name: project_admin_api + operations: [] + scope_types: null +- check_str: role:member and project_id:%(project_id)s + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: is_admin:True or project_id:%(project_id)s + name: rule:admin_or_owner + deprecated_since: 21.0.0 + description: Default rule for Project level non admin APIs. + name: project_member_api + operations: [] + scope_types: null +- check_str: role:reader and project_id:%(project_id)s + description: Default rule for Project level read only APIs. + name: project_reader_api + operations: [] + scope_types: null +- check_str: rule:system_admin_api or rule:project_member_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: is_admin:True or project_id:%(project_id)s + name: rule:admin_or_owner + deprecated_since: 21.0.0 + description: Default rule for System admin+owner APIs. + name: system_admin_or_owner + operations: [] + scope_types: null +- check_str: rule:system_reader_api or rule:project_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. 
Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: is_admin:True or project_id:%(project_id)s + name: rule:admin_or_owner + deprecated_since: 21.0.0 + description: Default rule for System+Project read only APIs. + name: system_or_project_reader + operations: [] + scope_types: null +- check_str: rule:system_admin_api + description: Reset the state of a given server + name: os_compute_api:os-admin-actions:reset_state + operations: + - method: POST + path: /servers/{server_id}/action (os-resetState) + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Inject network information into the server + name: os_compute_api:os-admin-actions:inject_network_info + operations: + - method: POST + path: /servers/{server_id}/action (injectNetworkInfo) + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Reset networking on a server + name: os_compute_api:os-admin-actions:reset_network + operations: + - method: POST + path: /servers/{server_id}/action (resetNetwork) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Change the administrative password for a server + name: os_compute_api:os-admin-password + operations: + - method: POST + path: /servers/{server_id}/action (changePassword) + scope_types: + - system + - project +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-agents + deprecated_since: 21.0.0 + description: 'List guest agent builds + + This is XenAPI driver specific. + + It is used to force the upgrade of the XenAPI guest agent on instance boot. 
+ + ' + name: os_compute_api:os-agents:list + operations: + - method: GET + path: /os-agents + scope_types: + - system +- check_str: rule:system_admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-agents + deprecated_since: 21.0.0 + description: 'Create guest agent builds + + This is XenAPI driver specific. + + It is used to force the upgrade of the XenAPI guest agent on instance boot. + + ' + name: os_compute_api:os-agents:create + operations: + - method: POST + path: /os-agents + scope_types: + - system +- check_str: rule:system_admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-agents + deprecated_since: 21.0.0 + description: 'Update guest agent builds + + This is XenAPI driver specific. + + It is used to force the upgrade of the XenAPI guest agent on instance boot. + + ' + name: os_compute_api:os-agents:update + operations: + - method: PUT + path: /os-agents/{agent_build_id} + scope_types: + - system +- check_str: rule:system_admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-agents + deprecated_since: 21.0.0 + description: 'Delete guest agent builds + + This is XenAPI driver specific. + + It is used to force the upgrade of the XenAPI guest agent on instance boot. 
+ + ' + name: os_compute_api:os-agents:delete + operations: + - method: DELETE + path: /os-agents/{agent_build_id} + scope_types: + - system +- check_str: rule:system_admin_api + description: Create or replace metadata for an aggregate + name: os_compute_api:os-aggregates:set_metadata + operations: + - method: POST + path: /os-aggregates/{aggregate_id}/action (set_metadata) + scope_types: + - system +- check_str: rule:system_admin_api + description: Add a host to an aggregate + name: os_compute_api:os-aggregates:add_host + operations: + - method: POST + path: /os-aggregates/{aggregate_id}/action (add_host) + scope_types: + - system +- check_str: rule:system_admin_api + description: Create an aggregate + name: os_compute_api:os-aggregates:create + operations: + - method: POST + path: /os-aggregates + scope_types: + - system +- check_str: rule:system_admin_api + description: Remove a host from an aggregate + name: os_compute_api:os-aggregates:remove_host + operations: + - method: POST + path: /os-aggregates/{aggregate_id}/action (remove_host) + scope_types: + - system +- check_str: rule:system_admin_api + description: Update name and/or availability zone for an aggregate + name: os_compute_api:os-aggregates:update + operations: + - method: PUT + path: /os-aggregates/{aggregate_id} + scope_types: + - system +- check_str: rule:system_reader_api + description: List all aggregates + name: os_compute_api:os-aggregates:index + operations: + - method: GET + path: /os-aggregates + scope_types: + - system +- check_str: rule:system_admin_api + description: Delete an aggregate + name: os_compute_api:os-aggregates:delete + operations: + - method: DELETE + path: /os-aggregates/{aggregate_id} + scope_types: + - system +- check_str: rule:system_reader_api + description: Show details for an aggregate + name: os_compute_api:os-aggregates:show + operations: + - method: GET + path: /os-aggregates/{aggregate_id} + scope_types: + - system +- check_str: rule:system_admin_api + 
description: Request image caching for an aggregate + name: compute:aggregates:images + operations: + - method: POST + path: /os-aggregates/{aggregate_id}/images + scope_types: + - system +- check_str: rule:system_admin_api + description: Create an assisted volume snapshot + name: os_compute_api:os-assisted-volume-snapshots:create + operations: + - method: POST + path: /os-assisted-volume-snapshots + scope_types: + - system +- check_str: rule:system_admin_api + description: Delete an assisted volume snapshot + name: os_compute_api:os-assisted-volume-snapshots:delete + operations: + - method: DELETE + path: /os-assisted-volume-snapshots/{snapshot_id} + scope_types: + - system +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-attach-interfaces + deprecated_since: 21.0.0 + description: List port interfaces attached to a server + name: os_compute_api:os-attach-interfaces:list + operations: + - method: GET + path: /servers/{server_id}/os-interface + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. 
+ + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-attach-interfaces + deprecated_since: 21.0.0 + description: Show details of a port interface attached to a server + name: os_compute_api:os-attach-interfaces:show + operations: + - method: GET + path: /servers/{server_id}/os-interface/{port_id} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-attach-interfaces + deprecated_since: 21.0.0 + description: Attach an interface to a server + name: os_compute_api:os-attach-interfaces:create + operations: + - method: POST + path: /servers/{server_id}/os-interface + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. 
+ + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-attach-interfaces + deprecated_since: 21.0.0 + description: Detach an interface from a server + name: os_compute_api:os-attach-interfaces:delete + operations: + - method: DELETE + path: /servers/{server_id}/os-interface/{port_id} + scope_types: + - system + - project +- check_str: '@' + description: List availability zone information without host information + name: os_compute_api:os-availability-zone:list + operations: + - method: GET + path: /os-availability-zone + scope_types: + - system + - project +- check_str: rule:system_reader_api + description: List detailed availability zone information with host information + name: os_compute_api:os-availability-zone:detail + operations: + - method: GET + path: /os-availability-zone/detail + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-baremetal-nodes + deprecated_since: 22.0.0 + description: 'List and show details of bare metal nodes. + + + These APIs are proxy calls to the Ironic service and are deprecated. + + ' + name: os_compute_api:os-baremetal-nodes:list + operations: + - method: GET + path: /os-baremetal-nodes + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-baremetal-nodes + deprecated_since: 22.0.0 + description: Show action details for a server. 
+ name: os_compute_api:os-baremetal-nodes:show + operations: + - method: GET + path: /os-baremetal-nodes/{node_id} + scope_types: + - system +- check_str: rule:system_reader_api + description: Show console connection information for a given console authentication + token + name: os_compute_api:os-console-auth-tokens + operations: + - method: GET + path: /os-console-auth-tokens/{console_token} + scope_types: + - system +- check_str: rule:system_admin_or_owner + description: Show console output for a server + name: os_compute_api:os-console-output + operations: + - method: POST + path: /servers/{server_id}/action (os-getConsoleOutput) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Create a back up of a server + name: os_compute_api:os-create-backup + operations: + - method: POST + path: /servers/{server_id}/action (createBackup) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-deferred-delete + deprecated_since: 21.0.0 + description: Restore a soft deleted server + name: os_compute_api:os-deferred-delete:restore + operations: + - method: POST + path: /servers/{server_id}/action (restore) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. 
+ + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-deferred-delete + deprecated_since: 21.0.0 + description: Force delete a server before deferred cleanup + name: os_compute_api:os-deferred-delete:force + operations: + - method: POST + path: /servers/{server_id}/action (forceDelete) + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Evacuate a server from a failed host to a new host + name: os_compute_api:os-evacuate + operations: + - method: POST + path: /servers/{server_id}/action (evacuate) + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: 'Return extended attributes for server. + + + This rule will control the visibility for a set of servers attributes: + + + - ``OS-EXT-SRV-ATTR:host`` + + - ``OS-EXT-SRV-ATTR:instance_name`` + + - ``OS-EXT-SRV-ATTR:reservation_id`` (since microversion 2.3) + + - ``OS-EXT-SRV-ATTR:launch_index`` (since microversion 2.3) + + - ``OS-EXT-SRV-ATTR:hostname`` (since microversion 2.3) + + - ``OS-EXT-SRV-ATTR:kernel_id`` (since microversion 2.3) + + - ``OS-EXT-SRV-ATTR:ramdisk_id`` (since microversion 2.3) + + - ``OS-EXT-SRV-ATTR:root_device_name`` (since microversion 2.3) + + - ``OS-EXT-SRV-ATTR:user_data`` (since microversion 2.3) + + + Microvision 2.75 added the above attributes in the ``PUT /servers/{server_id}`` + + and ``POST /servers/{server_id}/action (rebuild)`` API responses which are + + also controlled by this policy rule, like the ``GET /servers*`` APIs. 
+ + ' + name: os_compute_api:os-extended-server-attributes + operations: + - method: GET + path: /servers/{id} + - method: GET + path: /servers/detail + - method: PUT + path: /servers/{server_id} + - method: POST + path: /servers/{server_id}/action (rebuild) + scope_types: + - system + - project +- check_str: '@' + description: List available extensions and show information for an extension by + alias + name: os_compute_api:extensions + operations: + - method: GET + path: /extensions + - method: GET + path: /extensions/{alias} + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Add flavor access to a tenant + name: os_compute_api:os-flavor-access:add_tenant_access + operations: + - method: POST + path: /flavors/{flavor_id}/action (addTenantAccess) + scope_types: + - system +- check_str: rule:system_admin_api + description: Remove flavor access from a tenant + name: os_compute_api:os-flavor-access:remove_tenant_access + operations: + - method: POST + path: /flavors/{flavor_id}/action (removeTenantAccess) + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-flavor-access + deprecated_since: 21.0.0 + description: 'List flavor access information + + + Allows access to the full list of tenants that have access + + to a flavor via an os-flavor-access API. 
+ + ' + name: os_compute_api:os-flavor-access + operations: + - method: GET + path: /flavors/{flavor_id}/os-flavor-access + scope_types: + - system +- check_str: rule:system_or_project_reader + description: Show an extra spec for a flavor + name: os_compute_api:os-flavor-extra-specs:show + operations: + - method: GET + path: /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key} + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Create extra specs for a flavor + name: os_compute_api:os-flavor-extra-specs:create + operations: + - method: POST + path: /flavors/{flavor_id}/os-extra_specs/ + scope_types: + - system +- check_str: rule:system_admin_api + description: Update an extra spec for a flavor + name: os_compute_api:os-flavor-extra-specs:update + operations: + - method: PUT + path: /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key} + scope_types: + - system +- check_str: rule:system_admin_api + description: Delete an extra spec for a flavor + name: os_compute_api:os-flavor-extra-specs:delete + operations: + - method: DELETE + path: /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key} + scope_types: + - system +- check_str: rule:system_or_project_reader + description: List extra specs for a flavor. Starting with microversion 2.47, the + flavor used for a server is also returned in the response when showing server + details, updating a server or rebuilding a server. Starting with microversion + 2.61, extra specs may be returned in responses for the flavor resource. 
+ name: os_compute_api:os-flavor-extra-specs:index + operations: + - method: GET + path: /flavors/{flavor_id}/os-extra_specs/ + - method: GET + path: /servers/detail + - method: GET + path: /servers/{server_id} + - method: PUT + path: /servers/{server_id} + - method: POST + path: /servers/{server_id}/action (rebuild) + - method: POST + path: /flavors + - method: GET + path: /flavors/detail + - method: GET + path: /flavors/{flavor_id} + - method: PUT + path: /flavors/{flavor_id} + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Create a flavor + name: os_compute_api:os-flavor-manage:create + operations: + - method: POST + path: /flavors + scope_types: + - system +- check_str: rule:system_admin_api + description: Update a flavor + name: os_compute_api:os-flavor-manage:update + operations: + - method: PUT + path: /flavors/{flavor_id} + scope_types: + - system +- check_str: rule:system_admin_api + description: Delete a flavor + name: os_compute_api:os-flavor-manage:delete + operations: + - method: DELETE + path: /flavors/{flavor_id} + scope_types: + - system +- check_str: '@' + description: List floating IP pools. This API is deprecated. + name: os_compute_api:os-floating-ip-pools + operations: + - method: GET + path: /os-floating-ip-pools + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-floating-ips + deprecated_since: 22.0.0 + description: Associate floating IPs to server. This API is deprecated. 
+ name: os_compute_api:os-floating-ips:add + operations: + - method: POST + path: /servers/{server_id}/action (addFloatingIp) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-floating-ips + deprecated_since: 22.0.0 + description: Disassociate floating IPs to server. This API is deprecated. + name: os_compute_api:os-floating-ips:remove + operations: + - method: POST + path: /servers/{server_id}/action (removeFloatingIp) + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-floating-ips + deprecated_since: 22.0.0 + description: List floating IPs. This API is deprecated. + name: os_compute_api:os-floating-ips:list + operations: + - method: GET + path: /os-floating-ips + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-floating-ips + deprecated_since: 22.0.0 + description: Create floating IPs. This API is deprecated. 
+ name: os_compute_api:os-floating-ips:create + operations: + - method: POST + path: /os-floating-ips + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-floating-ips + deprecated_since: 22.0.0 + description: Show floating IPs. This API is deprecated. + name: os_compute_api:os-floating-ips:show + operations: + - method: GET + path: /os-floating-ips/{floating_ip_id} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-floating-ips + deprecated_since: 22.0.0 + description: Delete floating IPs. This API is deprecated. + name: os_compute_api:os-floating-ips:delete + operations: + - method: DELETE + path: /os-floating-ips/{floating_ip_id} + scope_types: + - system + - project +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hosts + deprecated_since: 22.0.0 + description: 'List physical hosts. + + + This API is deprecated in favor of os-hypervisors and os-services.' 
+ name: os_compute_api:os-hosts:list + operations: + - method: GET + path: /os-hosts + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hosts + deprecated_since: 22.0.0 + description: 'Show physical host. + + + This API is deprecated in favor of os-hypervisors and os-services.' + name: os_compute_api:os-hosts:show + operations: + - method: GET + path: /os-hosts/{host_name} + scope_types: + - system +- check_str: rule:system_admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hosts + deprecated_since: 22.0.0 + description: 'Update physical host. + + + This API is deprecated in favor of os-hypervisors and os-services.' + name: os_compute_api:os-hosts:update + operations: + - method: PUT + path: /os-hosts/{host_name} + scope_types: + - system +- check_str: rule:system_admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hosts + deprecated_since: 22.0.0 + description: 'Reboot physical host. + + + This API is deprecated in favor of os-hypervisors and os-services.' 
+ name: os_compute_api:os-hosts:reboot + operations: + - method: GET + path: /os-hosts/{host_name}/reboot + scope_types: + - system +- check_str: rule:system_admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hosts + deprecated_since: 22.0.0 + description: 'Shutdown physical host. + + + This API is deprecated in favor of os-hypervisors and os-services.' + name: os_compute_api:os-hosts:shutdown + operations: + - method: GET + path: /os-hosts/{host_name}/shutdown + scope_types: + - system +- check_str: rule:system_admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hosts + deprecated_since: 22.0.0 + description: 'Start physical host. + + + This API is deprecated in favor of os-hypervisors and os-services.' + name: os_compute_api:os-hosts:start + operations: + - method: GET + path: /os-hosts/{host_name}/startup + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hypervisors + deprecated_since: 21.0.0 + description: List all hypervisors. + name: os_compute_api:os-hypervisors:list + operations: + - method: GET + path: /os-hypervisors + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. 
Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hypervisors + deprecated_since: 21.0.0 + description: List all hypervisors with details + name: os_compute_api:os-hypervisors:list-detail + operations: + - method: GET + path: /os-hypervisors/details + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hypervisors + deprecated_since: 21.0.0 + description: Show summary statistics for all hypervisors over all compute nodes. + name: os_compute_api:os-hypervisors:statistics + operations: + - method: GET + path: /os-hypervisors/statistics + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hypervisors + deprecated_since: 21.0.0 + description: Show details for a hypervisor. + name: os_compute_api:os-hypervisors:show + operations: + - method: GET + path: /os-hypervisors/{hypervisor_id} + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hypervisors + deprecated_since: 21.0.0 + description: Show the uptime of a hypervisor. 
+ name: os_compute_api:os-hypervisors:uptime + operations: + - method: GET + path: /os-hypervisors/{hypervisor_id}/uptime + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hypervisors + deprecated_since: 21.0.0 + description: Search hypervisor by hypervisor_hostname pattern. + name: os_compute_api:os-hypervisors:search + operations: + - method: GET + path: /os-hypervisors/{hypervisor_hostname_pattern}/search + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-hypervisors + deprecated_since: 21.0.0 + description: List all servers on hypervisors that can match the provided hypervisor_hostname + pattern. + name: os_compute_api:os-hypervisors:servers + operations: + - method: GET + path: /os-hypervisors/{hypervisor_hostname_pattern}/servers + scope_types: + - system +- check_str: rule:system_reader_api + description: 'Add "details" key in action events for a server. + + + This check is performed only after the check + + os_compute_api:os-instance-actions:show passes. Beginning with Microversion + + 2.84, new field ''details'' is exposed via API which can have more details about + + event failure. That field is controlled by this policy which is system reader + + by default. Making the ''details'' field visible to the non-admin user helps to + + understand the nature of the problem (i.e. 
if the action can be retried), + + but in the other hand it might leak information about the deployment + + (e.g. the type of the hypervisor). + + ' + name: os_compute_api:os-instance-actions:events:details + operations: + - method: GET + path: /servers/{server_id}/os-instance-actions/{request_id} + scope_types: + - system + - project +- check_str: rule:system_reader_api + description: 'Add events details in action details for a server. + + This check is performed only after the check + + os_compute_api:os-instance-actions:show passes. Beginning with Microversion + + 2.51, events details are always included; traceback information is provided + + per event if policy enforcement passes. Beginning with Microversion 2.62, + + each event includes a hashed host identifier and, if policy enforcement + + passes, the name of the host.' + name: os_compute_api:os-instance-actions:events + operations: + - method: GET + path: /servers/{server_id}/os-instance-actions/{request_id} + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-instance-actions + deprecated_since: 21.0.0 + description: List actions for a server. + name: os_compute_api:os-instance-actions:list + operations: + - method: GET + path: /servers/{server_id}/os-instance-actions + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. 
+ + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-instance-actions + deprecated_since: 21.0.0 + description: Show action details for a server. + name: os_compute_api:os-instance-actions:show + operations: + - method: GET + path: /servers/{server_id}/os-instance-actions/{request_id} + scope_types: + - system + - project +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-instance-usage-audit-log + deprecated_since: 21.0.0 + description: List all usage audits. + name: os_compute_api:os-instance-usage-audit-log:list + operations: + - method: GET + path: /os-instance_usage_audit_log + scope_types: + - system +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. 
+ + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-instance-usage-audit-log + deprecated_since: 21.0.0 + description: List all usage audits occurred before a specified time for all servers + on all compute hosts where usage auditing is configured + name: os_compute_api:os-instance-usage-audit-log:show + operations: + - method: GET + path: /os-instance_usage_audit_log/{before_timestamp} + scope_types: + - system +- check_str: rule:system_or_project_reader + description: Show IP addresses details for a network label of a server + name: os_compute_api:ips:show + operations: + - method: GET + path: /servers/{server_id}/ips/{network_label} + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: List IP addresses that are assigned to a server + name: os_compute_api:ips:index + operations: + - method: GET + path: /servers/{server_id}/ips + scope_types: + - system + - project +- check_str: (rule:system_reader_api) or user_id:%(user_id)s + description: List all keypairs + name: os_compute_api:os-keypairs:index + operations: + - method: GET + path: /os-keypairs + scope_types: + - system + - project +- check_str: (rule:system_admin_api) or user_id:%(user_id)s + description: Create a keypair + name: os_compute_api:os-keypairs:create + operations: + - method: POST + path: /os-keypairs + scope_types: + - system + - project +- check_str: (rule:system_admin_api) or user_id:%(user_id)s + description: Delete a keypair + name: os_compute_api:os-keypairs:delete + operations: + - method: DELETE + path: /os-keypairs/{keypair_name} + scope_types: + - system + - project +- check_str: (rule:system_reader_api) or user_id:%(user_id)s + description: Show details of a keypair + name: os_compute_api:os-keypairs:show + operations: + - method: GET + path: /os-keypairs/{keypair_name} + scope_types: + - system + - project +- check_str: '@' + description: Show rate and absolute limits for the current user project + name: 
os_compute_api:limits + operations: + - method: GET + path: /limits + scope_types: + - system + - project +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-used-limits + deprecated_since: 21.0.0 + description: 'Show rate and absolute limits of other project. + + + This policy only checks if the user has access to the requested + + project limits. And this check is performed only after the check + + os_compute_api:limits passes' + name: os_compute_api:limits:other_project + operations: + - method: GET + path: /limits + scope_types: + - system +- check_str: rule:system_admin_or_owner + description: Lock a server + name: os_compute_api:os-lock-server:lock + operations: + - method: POST + path: /servers/{server_id}/action (lock) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Unlock a server + name: os_compute_api:os-lock-server:unlock + operations: + - method: POST + path: /servers/{server_id}/action (unlock) + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: 'Unlock a server, regardless who locked the server. 
+ + + This check is performed only after the check + + os_compute_api:os-lock-server:unlock passes' + name: os_compute_api:os-lock-server:unlock:unlock_override + operations: + - method: POST + path: /servers/{server_id}/action (unlock) + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Cold migrate a server to a host + name: os_compute_api:os-migrate-server:migrate + operations: + - method: POST + path: /servers/{server_id}/action (migrate) + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Live migrate a server to a new host without a reboot + name: os_compute_api:os-migrate-server:migrate_live + operations: + - method: POST + path: /servers/{server_id}/action (os-migrateLive) + scope_types: + - system + - project +- check_str: rule:system_reader_api + description: List migrations + name: os_compute_api:os-migrations:index + operations: + - method: GET + path: /os-migrations + scope_types: + - system +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-multinic + deprecated_since: 22.0.0 + description: 'Add a fixed IP address to a server. + + + This API is proxy calls to the Network service. This is + + deprecated.' + name: os_compute_api:os-multinic:add + operations: + - method: POST + path: /servers/{server_id}/action (addFixedIp) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. 
+ + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-multinic + deprecated_since: 22.0.0 + description: 'Remove a fixed IP address from a server. + + + This API is proxy calls to the Network service. This is + + deprecated.' + name: os_compute_api:os-multinic:remove + operations: + - method: POST + path: /servers/{server_id}/action (removeFixedIp) + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-networks:view + deprecated_since: 22.0.0 + description: 'List networks for the project. + + + This API is proxy calls to the Network service. This is deprecated.' + name: os_compute_api:os-networks:list + operations: + - method: GET + path: /os-networks + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-networks:view + deprecated_since: 22.0.0 + description: 'Show network details. + + + This API is proxy calls to the Network service. This is deprecated.' 
+ name: os_compute_api:os-networks:show + operations: + - method: GET + path: /os-networks/{network_id} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Pause a server + name: os_compute_api:os-pause-server:pause + operations: + - method: POST + path: /servers/{server_id}/action (pause) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Unpause a paused server + name: os_compute_api:os-pause-server:unpause + operations: + - method: POST + path: /servers/{server_id}/action (unpause) + scope_types: + - system + - project +- check_str: rule:system_reader_api + description: List quotas for specific quota classs + name: os_compute_api:os-quota-class-sets:show + operations: + - method: GET + path: /os-quota-class-sets/{quota_class} + scope_types: + - system +- check_str: rule:system_admin_api + description: Update quotas for specific quota class + name: os_compute_api:os-quota-class-sets:update + operations: + - method: PUT + path: /os-quota-class-sets/{quota_class} + scope_types: + - system +- check_str: rule:system_admin_api + description: Update the quotas + name: os_compute_api:os-quota-sets:update + operations: + - method: PUT + path: /os-quota-sets/{tenant_id} + scope_types: + - system +- check_str: '@' + description: List default quotas + name: os_compute_api:os-quota-sets:defaults + operations: + - method: GET + path: /os-quota-sets/{tenant_id}/defaults + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: Show a quota + name: os_compute_api:os-quota-sets:show + operations: + - method: GET + path: /os-quota-sets/{tenant_id} + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Revert quotas to defaults + name: os_compute_api:os-quota-sets:delete + operations: + - method: DELETE + path: /os-quota-sets/{tenant_id} + scope_types: + - system +- check_str: rule:system_or_project_reader + description: Show 
the detail of quota + name: os_compute_api:os-quota-sets:detail + operations: + - method: GET + path: /os-quota-sets/{tenant_id}/detail + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: 'Generate a URL to access remove server console. + + + This policy is for ``POST /remote-consoles`` API and below Server actions APIs + + are deprecated: + + + - ``os-getRDPConsole`` + + - ``os-getSerialConsole`` + + - ``os-getSPICEConsole`` + + - ``os-getVNCConsole``.' + name: os_compute_api:os-remote-consoles + operations: + - method: POST + path: /servers/{server_id}/action (os-getRDPConsole) + - method: POST + path: /servers/{server_id}/action (os-getSerialConsole) + - method: POST + path: /servers/{server_id}/action (os-getSPICEConsole) + - method: POST + path: /servers/{server_id}/action (os-getVNCConsole) + - method: POST + path: /servers/{server_id}/remote-consoles + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Rescue a server + name: os_compute_api:os-rescue + operations: + - method: POST + path: /servers/{server_id}/action (rescue) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Rescue/Unrescue API policies are made granular with new policy + + for unrescue and keeping old policy for rescue. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-rescue + deprecated_since: 21.0.0 + description: Unrescue a server + name: os_compute_api:os-unrescue + operations: + - method: POST + path: /servers/{server_id}/action (unrescue) + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. 
+ + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-security-groups + deprecated_since: 22.0.0 + description: List security groups. This API is deprecated. + name: os_compute_api:os-security-groups:get + operations: + - method: GET + path: /os-security-groups + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-security-groups + deprecated_since: 22.0.0 + description: Show security group. This API is deprecated. + name: os_compute_api:os-security-groups:show + operations: + - method: GET + path: /os-security-groups/{security_group_id} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-security-groups + deprecated_since: 22.0.0 + description: Create security group. This API is deprecated. + name: os_compute_api:os-security-groups:create + operations: + - method: POST + path: /os-security-groups + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-security-groups + deprecated_since: 22.0.0 + description: Update security group. This API is deprecated. 
+ name: os_compute_api:os-security-groups:update + operations: + - method: PUT + path: /os-security-groups/{security_group_id} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-security-groups + deprecated_since: 22.0.0 + description: Delete security group. This API is deprecated. + name: os_compute_api:os-security-groups:delete + operations: + - method: DELETE + path: /os-security-groups/{security_group_id} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-security-groups + deprecated_since: 22.0.0 + description: Create security group Rule. This API is deprecated. + name: os_compute_api:os-security-groups:rule:create + operations: + - method: POST + path: /os-security-group-rules + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-security-groups + deprecated_since: 22.0.0 + description: Delete security group Rule. This API is deprecated. 
+ name: os_compute_api:os-security-groups:rule:delete + operations: + - method: DELETE + path: /os-security-group-rules/{security_group_id} + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-security-groups + deprecated_since: 21.0.0 + description: List security groups of server. + name: os_compute_api:os-security-groups:list + operations: + - method: GET + path: /servers/{server_id}/os-security-groups + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-security-groups + deprecated_since: 21.0.0 + description: Add security groups to server. + name: os_compute_api:os-security-groups:add + operations: + - method: POST + path: /servers/{server_id}/action (addSecurityGroup) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-security-groups + deprecated_since: 21.0.0 + description: Remove security groups from server. 
+ name: os_compute_api:os-security-groups:remove + operations: + - method: POST + path: /servers/{server_id}/action (removeSecurityGroup) + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Show the usage data for a server + name: os_compute_api:os-server-diagnostics + operations: + - method: GET + path: /servers/{server_id}/diagnostics + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Create one or more external events + name: os_compute_api:os-server-external-events:create + operations: + - method: POST + path: /os-server-external-events + scope_types: + - system +- check_str: rule:project_member_api + description: Create a new server group + name: os_compute_api:os-server-groups:create + operations: + - method: POST + path: /os-server-groups + scope_types: + - project +- check_str: rule:system_admin_or_owner + description: Delete a server group + name: os_compute_api:os-server-groups:delete + operations: + - method: DELETE + path: /os-server-groups/{server_group_id} + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: List all server groups + name: os_compute_api:os-server-groups:index + operations: + - method: GET + path: /os-server-groups + scope_types: + - system + - project +- check_str: rule:system_reader_api + description: List all server groups for all projects + name: os_compute_api:os-server-groups:index:all_projects + operations: + - method: GET + path: /os-server-groups + scope_types: + - system +- check_str: rule:system_or_project_reader + description: Show details of a server group + name: os_compute_api:os-server-groups:show + operations: + - method: GET + path: /os-server-groups/{server_group_id} + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: List all metadata of a server + name: os_compute_api:server-metadata:index + operations: + - method: GET + path: 
/servers/{server_id}/metadata + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: Show metadata for a server + name: os_compute_api:server-metadata:show + operations: + - method: GET + path: /servers/{server_id}/metadata/{key} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Create metadata for a server + name: os_compute_api:server-metadata:create + operations: + - method: POST + path: /servers/{server_id}/metadata + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Replace metadata for a server + name: os_compute_api:server-metadata:update_all + operations: + - method: PUT + path: /servers/{server_id}/metadata + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Update metadata from a server + name: os_compute_api:server-metadata:update + operations: + - method: PUT + path: /servers/{server_id}/metadata/{key} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Delete metadata from a server + name: os_compute_api:server-metadata:delete + operations: + - method: DELETE + path: /servers/{server_id}/metadata/{key} + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. 
+ + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-server-password + deprecated_since: 21.0.0 + description: Show the encrypted administrative password of a server + name: os_compute_api:os-server-password:show + operations: + - method: GET + path: /servers/{server_id}/os-server-password + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-server-password + deprecated_since: 21.0.0 + description: Clear the encrypted administrative password of a server + name: os_compute_api:os-server-password:clear + operations: + - method: DELETE + path: /servers/{server_id}/os-server-password + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Delete all the server tags + name: os_compute_api:os-server-tags:delete_all + operations: + - method: DELETE + path: /servers/{server_id}/tags + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: List all tags for given server + name: os_compute_api:os-server-tags:index + operations: + - method: GET + path: /servers/{server_id}/tags + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Replace all tags on specified server with the new set of tags. 
+ name: os_compute_api:os-server-tags:update_all + operations: + - method: PUT + path: /servers/{server_id}/tags + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Delete a single tag from the specified server + name: os_compute_api:os-server-tags:delete + operations: + - method: DELETE + path: /servers/{server_id}/tags/{tag} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Add a single tag to the server if server has no specified tag + name: os_compute_api:os-server-tags:update + operations: + - method: PUT + path: /servers/{server_id}/tags/{tag} + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: Check tag existence on the server. + name: os_compute_api:os-server-tags:show + operations: + - method: GET + path: /servers/{server_id}/tags/{tag} + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: Show the NUMA topology data for a server + name: compute:server:topology:index + operations: + - method: GET + path: /servers/{server_id}/topology + scope_types: + - system + - project +- check_str: rule:system_reader_api + description: Show the NUMA topology data for a server with host NUMA ID and CPU + pinning information + name: compute:server:topology:host:index + operations: + - method: GET + path: /servers/{server_id}/topology + scope_types: + - system +- check_str: rule:system_or_project_reader + description: List all servers + name: os_compute_api:servers:index + operations: + - method: GET + path: /servers + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: List all servers with detailed information + name: os_compute_api:servers:detail + operations: + - method: GET + path: /servers/detail + scope_types: + - system + - project +- check_str: rule:system_reader_api + description: List all servers for all projects + name: 
os_compute_api:servers:index:get_all_tenants + operations: + - method: GET + path: /servers + scope_types: + - system +- check_str: rule:system_reader_api + description: List all servers with detailed information for all projects + name: os_compute_api:servers:detail:get_all_tenants + operations: + - method: GET + path: /servers/detail + scope_types: + - system +- check_str: rule:system_reader_api + description: Allow all filters when listing servers + name: os_compute_api:servers:allow_all_filters + operations: + - method: GET + path: /servers + - method: GET + path: /servers/detail + scope_types: + - system +- check_str: rule:system_or_project_reader + description: Show a server + name: os_compute_api:servers:show + operations: + - method: GET + path: /servers/{server_id} + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: ' + + Show a server with additional host status information. + + + This means host_status will be shown irrespective of status value. If showing + + only host_status UNKNOWN is desired, use the + + ``os_compute_api:servers:show:host_status:unknown-only`` policy rule. + + + Microvision 2.75 added the ``host_status`` attribute in the + + ``PUT /servers/{server_id}`` and ``POST /servers/{server_id}/action (rebuild)`` + + API responses which are also controlled by this policy rule, like the + + ``GET /servers*`` APIs. + + ' + name: os_compute_api:servers:show:host_status + operations: + - method: GET + path: /servers/{server_id} + - method: GET + path: /servers/detail + - method: PUT + path: /servers/{server_id} + - method: POST + path: /servers/{server_id}/action (rebuild) + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: ' + + Show a server with additional host status information, only if host status is + + UNKNOWN. + + + This policy rule will only be enforced when the + + ``os_compute_api:servers:show:host_status`` policy rule does not pass for the + + request. 
An example policy configuration could be where the + + ``os_compute_api:servers:show:host_status`` rule is set to allow admin-only and + + the ``os_compute_api:servers:show:host_status:unknown-only`` rule is set to + + allow everyone. + + ' + name: os_compute_api:servers:show:host_status:unknown-only + operations: + - method: GET + path: /servers/{server_id} + - method: GET + path: /servers/detail + - method: PUT + path: /servers/{server_id} + - method: POST + path: /servers/{server_id}/action (rebuild) + scope_types: + - system + - project +- check_str: rule:project_member_api + description: Create a server + name: os_compute_api:servers:create + operations: + - method: POST + path: /servers + scope_types: + - project +- check_str: rule:project_admin_api + description: ' + + Create a server on the specified host and/or node. + + + In this case, the server is forced to launch on the specified + + host and/or node by bypassing the scheduler filters unlike the + + ``compute:servers:create:requested_destination`` rule. + + ' + name: os_compute_api:servers:create:forced_host + operations: + - method: POST + path: /servers + scope_types: + - system + - project +- check_str: rule:project_admin_api + description: ' + + Create a server on the requested compute service host and/or + + hypervisor_hostname. + + + In this case, the requested host and/or hypervisor_hostname is + + validated by the scheduler filters unlike the + + ``os_compute_api:servers:create:forced_host`` rule. 
+ + ' + name: compute:servers:create:requested_destination + operations: + - method: POST + path: /servers + scope_types: + - system + - project +- check_str: rule:project_member_api + description: Create a server with the requested volume attached to it + name: os_compute_api:servers:create:attach_volume + operations: + - method: POST + path: /servers + scope_types: + - project +- check_str: rule:project_member_api + description: Create a server with the requested network attached to it + name: os_compute_api:servers:create:attach_network + operations: + - method: POST + path: /servers + scope_types: + - project +- check_str: rule:project_member_api + description: Create a server with trusted image certificate IDs + name: os_compute_api:servers:create:trusted_certs + operations: + - method: POST + path: /servers + scope_types: + - project +- check_str: rule:project_admin_api + description: ' + + This rule controls the compute API validation behavior of creating a server + + with a flavor that has 0 disk, indicating the server should be volume-backed. + + + For a flavor with disk=0, the root disk will be set to exactly the size of the + + image used to deploy the instance. However, in this case the filter_scheduler + + cannot select the compute host based on the virtual image size. Therefore, 0 + + should only be used for volume booted instances or for testing purposes. + + + WARNING: It is a potential security exposure to enable this policy rule + + if users can upload their own images since repeated attempts to + + create a disk=0 flavor instance with a large image can exhaust + + the local disk of the compute (or shared storage cluster). See bug + + https://bugs.launchpad.net/nova/+bug/1739646 for details. 
+ + ' + name: os_compute_api:servers:create:zero_disk_flavor + operations: + - method: POST + path: /servers + scope_types: + - system + - project +- check_str: rule:project_admin_api + description: Attach an unshared external network to a server + name: network:attach_external_network + operations: + - method: POST + path: /servers + - method: POST + path: /servers/{server_id}/os-interface + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Delete a server + name: os_compute_api:servers:delete + operations: + - method: DELETE + path: /servers/{server_id} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Update a server + name: os_compute_api:servers:update + operations: + - method: PUT + path: /servers/{server_id} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Confirm a server resize + name: os_compute_api:servers:confirm_resize + operations: + - method: POST + path: /servers/{server_id}/action (confirmResize) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Revert a server resize + name: os_compute_api:servers:revert_resize + operations: + - method: POST + path: /servers/{server_id}/action (revertResize) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Reboot a server + name: os_compute_api:servers:reboot + operations: + - method: POST + path: /servers/{server_id}/action (reboot) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Resize a server + name: os_compute_api:servers:resize + operations: + - method: POST + path: /servers/{server_id}/action (resize) + scope_types: + - system + - project +- check_str: '!' + description: 'Resize a server across cells. 
By default, this is disabled for all + users and recommended to be tested in a deployment for admin users before opening + it up to non-admin users. Resizing within a cell is the default preferred behavior + even if this is enabled. ' + name: compute:servers:resize:cross_cell + operations: + - method: POST + path: /servers/{server_id}/action (resize) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Rebuild a server + name: os_compute_api:servers:rebuild + operations: + - method: POST + path: /servers/{server_id}/action (rebuild) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Rebuild a server with trusted image certificate IDs + name: os_compute_api:servers:rebuild:trusted_certs + operations: + - method: POST + path: /servers/{server_id}/action (rebuild) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Create an image from a server + name: os_compute_api:servers:create_image + operations: + - method: POST + path: /servers/{server_id}/action (createImage) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Create an image from a volume backed server + name: os_compute_api:servers:create_image:allow_volume_backed + operations: + - method: POST + path: /servers/{server_id}/action (createImage) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Start a server + name: os_compute_api:servers:start + operations: + - method: POST + path: /servers/{server_id}/action (os-start) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Stop a server + name: os_compute_api:servers:stop + operations: + - method: POST + path: /servers/{server_id}/action (os-stop) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Trigger crash dump in a server + name: 
os_compute_api:servers:trigger_crash_dump + operations: + - method: POST + path: /servers/{server_id}/action (trigger_crash_dump) + scope_types: + - system + - project +- check_str: rule:system_reader_api + description: Show details for an in-progress live migration for a given server + name: os_compute_api:servers:migrations:show + operations: + - method: GET + path: /servers/{server_id}/migrations/{migration_id} + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Force an in-progress live migration for a given server to complete + name: os_compute_api:servers:migrations:force_complete + operations: + - method: POST + path: /servers/{server_id}/migrations/{migration_id}/action (force_complete) + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Delete(Abort) an in-progress live migration + name: os_compute_api:servers:migrations:delete + operations: + - method: DELETE + path: /servers/{server_id}/migrations/{migration_id} + scope_types: + - system + - project +- check_str: rule:system_reader_api + description: Lists in-progress live migrations for a given server + name: os_compute_api:servers:migrations:index + operations: + - method: GET + path: /servers/{server_id}/migrations + scope_types: + - system + - project +- check_str: rule:system_reader_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-services + deprecated_since: 21.0.0 + description: List all running Compute services in a region. + name: os_compute_api:os-services:list + operations: + - method: GET + path: /os-services + scope_types: + - system +- check_str: rule:system_admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. 
Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-services + deprecated_since: 21.0.0 + description: Update a Compute service. + name: os_compute_api:os-services:update + operations: + - method: PUT + path: /os-services/{service_id} + scope_types: + - system +- check_str: rule:system_admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_api + name: os_compute_api:os-services + deprecated_since: 21.0.0 + description: Delete a Compute service. + name: os_compute_api:os-services:delete + operations: + - method: DELETE + path: /os-services/{service_id} + scope_types: + - system +- check_str: rule:system_admin_or_owner + description: Shelve server + name: os_compute_api:os-shelve:shelve + operations: + - method: POST + path: /servers/{server_id}/action (shelve) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Unshelve (restore) shelved server + name: os_compute_api:os-shelve:unshelve + operations: + - method: POST + path: /servers/{server_id}/action (unshelve) + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Shelf-offload (remove) server + name: os_compute_api:os-shelve:shelve_offload + operations: + - method: POST + path: /servers/{server_id}/action (shelveOffload) + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: Show usage statistics for a specific tenant + name: os_compute_api:os-simple-tenant-usage:show + operations: + - method: GET + path: /os-simple-tenant-usage/{tenant_id} + scope_types: + - system + - project +- check_str: rule:system_reader_api + description: List per tenant usage statistics for all tenants + 
name: os_compute_api:os-simple-tenant-usage:list + operations: + - method: GET + path: /os-simple-tenant-usage + scope_types: + - system +- check_str: rule:system_admin_or_owner + description: Resume suspended server + name: os_compute_api:os-suspend-server:resume + operations: + - method: POST + path: /servers/{server_id}/action (resume) + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Suspend server + name: os_compute_api:os-suspend-server:suspend + operations: + - method: POST + path: /servers/{server_id}/action (suspend) + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-tenant-networks + deprecated_since: 22.0.0 + description: 'List project networks. + + + This API is proxy calls to the Network service. This is deprecated.' + name: os_compute_api:os-tenant-networks:list + operations: + - method: GET + path: /os-tenant-networks + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-tenant-networks + deprecated_since: 22.0.0 + description: 'Show project network details. + + + This API is proxy calls to the Network service. This is deprecated.' 
+ name: os_compute_api:os-tenant-networks:show + operations: + - method: GET + path: /os-tenant-networks/{network_id} + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-volumes + deprecated_since: 22.0.0 + description: 'List volumes. + + + This API is a proxy call to the Volume service. It is deprecated.' + name: os_compute_api:os-volumes:list + operations: + - method: GET + path: /os-volumes + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-volumes + deprecated_since: 22.0.0 + description: 'Create volume. + + + This API is a proxy call to the Volume service. It is deprecated.' + name: os_compute_api:os-volumes:create + operations: + - method: POST + path: /os-volumes + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-volumes + deprecated_since: 22.0.0 + description: 'List volumes detail. + + + This API is a proxy call to the Volume service. It is deprecated.' 
+ name: os_compute_api:os-volumes:detail + operations: + - method: GET + path: /os-volumes/detail + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-volumes + deprecated_since: 22.0.0 + description: 'Show volume. + + + This API is a proxy call to the Volume service. It is deprecated.' + name: os_compute_api:os-volumes:show + operations: + - method: GET + path: /os-volumes/{volume_id} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-volumes + deprecated_since: 22.0.0 + description: 'Delete volume. + + + This API is a proxy call to the Volume service. It is deprecated.' + name: os_compute_api:os-volumes:delete + operations: + - method: DELETE + path: /os-volumes/{volume_id} + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-volumes + deprecated_since: 22.0.0 + description: 'List snapshots. + + + This API is a proxy call to the Volume service. It is deprecated.' 
+ name: os_compute_api:os-volumes:snapshots:list + operations: + - method: GET + path: /os-snapshots + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-volumes + deprecated_since: 22.0.0 + description: 'Create snapshots. + + + This API is a proxy call to the Volume service. It is deprecated.' + name: os_compute_api:os-volumes:snapshots:create + operations: + - method: POST + path: /os-snapshots + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-volumes + deprecated_since: 22.0.0 + description: 'List snapshots details. + + + This API is a proxy call to the Volume service. It is deprecated.' + name: os_compute_api:os-volumes:snapshots:detail + operations: + - method: GET + path: /os-snapshots/detail + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-volumes + deprecated_since: 22.0.0 + description: 'Show snapshot. + + + This API is a proxy call to the Volume service. It is deprecated.' 
+ name: os_compute_api:os-volumes:snapshots:show + operations: + - method: GET + path: /os-snapshots/{snapshot_id} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-volumes + deprecated_since: 22.0.0 + description: 'Delete snapshot. + + + This API is a proxy call to the Volume service. It is deprecated.' + name: os_compute_api:os-volumes:snapshots:delete + operations: + - method: DELETE + path: /os-snapshots/{snapshot_id} + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: List volume attachments for an instance + name: os_compute_api:os-volumes-attachments:index + operations: + - method: GET + path: /servers/{server_id}/os-volume_attachments + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: Attach a volume to an instance + name: os_compute_api:os-volumes-attachments:create + operations: + - method: POST + path: /servers/{server_id}/os-volume_attachments + scope_types: + - system + - project +- check_str: rule:system_or_project_reader + description: Show details of a volume attachment + name: os_compute_api:os-volumes-attachments:show + operations: + - method: GET + path: /servers/{server_id}/os-volume_attachments/{volume_id} + scope_types: + - system + - project +- check_str: rule:system_admin_or_owner + description: 'Update a volume attachment. + + New ''update'' policy about ''swap + update'' request (which is possible + + only >2.85) only is checked. We expect to be + + always superset of this policy permission. 
+ + ' + name: os_compute_api:os-volumes-attachments:update + operations: + - method: PUT + path: /servers/{server_id}/os-volume_attachments/{volume_id} + scope_types: + - system + - project +- check_str: rule:system_admin_api + description: Update a volume attachment with a different volumeId + name: os_compute_api:os-volumes-attachments:swap + operations: + - method: PUT + path: /servers/{server_id}/os-volume_attachments/{volume_id} + scope_types: + - system +- check_str: rule:system_admin_or_owner + description: Detach a volume from an instance + name: os_compute_api:os-volumes-attachments:delete + operations: + - method: DELETE + path: /servers/{server_id}/os-volume_attachments/{volume_id} + scope_types: + - system + - project diff --git a/openstack_dashboard/conf/glance_policy.json b/openstack_dashboard/conf/glance_policy.json deleted file mode 100644 index 5b1f6be7eb..0000000000 --- a/openstack_dashboard/conf/glance_policy.json +++ /dev/null 
@@ -1,63 +0,0 @@
-{
- "context_is_admin": "role:admin",
- "default": "role:admin",
-
- "add_image": "",
- "delete_image": "",
- "get_image": "",
- "get_images": "",
- "modify_image": "",
- "publicize_image": "role:admin",
- "communitize_image": "",
- "copy_from": "",
-
- "download_image": "",
- "upload_image": "",
-
- "delete_image_location": "",
- "get_image_location": "",
- "set_image_location": "",
-
- "add_member": "",
- "delete_member": "",
- "get_member": "",
- "get_members": "",
- "modify_member": "",
-
- "manage_image_cache": "role:admin",
-
- "get_task": "",
- "get_tasks": "",
- "add_task": "",
- "modify_task": "",
- "tasks_api_access": "role:admin",
-
- "deactivate": "",
- "reactivate": "",
-
- "get_metadef_namespace": "",
- "get_metadef_namespaces":"",
- "modify_metadef_namespace":"",
- "add_metadef_namespace":"",
-
- "get_metadef_object":"",
- "get_metadef_objects":"",
- "modify_metadef_object":"",
- "add_metadef_object":"",
-
- "list_metadef_resource_types":"",
- "get_metadef_resource_type":"",
- "add_metadef_resource_type_association":"",
-
- "get_metadef_property":"",
- "get_metadef_properties":"",
- "modify_metadef_property":"",
- "add_metadef_property":"",
-
- "get_metadef_tag":"",
- "get_metadef_tags":"",
- "modify_metadef_tag":"",
- "add_metadef_tag":"",
- "add_metadef_tags":""
-
-}
diff --git a/openstack_dashboard/conf/glance_policy.yaml b/openstack_dashboard/conf/glance_policy.yaml
new file mode 100644
index 0000000000..0d2da7ecc3
--- /dev/null
+++ b/openstack_dashboard/conf/glance_policy.yaml
@@ -0,0 +1,121 @@ +# Defines the default rule used for policies that historically had an +# empty policy in the supplied policy.json file. +#"default": "" + +# DEPRECATED +# "default":"role:admin" has been deprecated since Ussuri in favor of +# "default":"". +# In order to allow operators to accept the default policies from code +# by not defining them in the policy file, while still working with +# old policy files that rely on the ``default`` rule for policies that +# are not specified in the policy file, the ``default`` rule must now +# be explicitly set to ``"role:admin"`` when that is the desired +# default for unspecified rules. + +# Defines the rule for the is_admin:True check. +#"context_is_admin": "role:admin" + +#"add_image": "rule:default" + +#"delete_image": "rule:default" + +#"get_image": "rule:default" + +#"get_images": "rule:default" + +#"modify_image": "rule:default" + +#"publicize_image": "role:admin" + +#"communitize_image": "rule:default" + +#"download_image": "rule:default" + +#"upload_image": "rule:default" + +#"delete_image_location": "rule:default" + +#"get_image_location": "rule:default" + +#"set_image_location": "rule:default" + +#"add_member": "rule:default" + +#"delete_member": "rule:default" + +#"get_member": "rule:default" + +#"get_members": "rule:default" + +#"modify_member": "rule:default" + +#"manage_image_cache": "role:admin" + +#"deactivate": "rule:default" + +#"reactivate": "rule:default" + +#"copy_image": "role:admin" + +#"get_task": "rule:default" + +#"get_tasks": "rule:default" + +#"add_task": "rule:default" + +#"modify_task": "rule:default" + +#"tasks_api_access": "role:admin" + +#"get_metadef_namespace": "rule:default" + +#"get_metadef_namespaces": "rule:default" + +#"modify_metadef_namespace": "rule:default" + +#"add_metadef_namespace": "rule:default" + +#"delete_metadef_namespace": "rule:default" + +#"get_metadef_object": "rule:default" + +#"get_metadef_objects": "rule:default" + +#"modify_metadef_object": "rule:default" + 
+#"add_metadef_object": "rule:default" + +#"delete_metadef_object": "rule:default" + +#"list_metadef_resource_types": "rule:default" + +#"get_metadef_resource_type": "rule:default" + +#"add_metadef_resource_type_association": "rule:default" + +#"remove_metadef_resource_type_association": "rule:default" + +#"get_metadef_property": "rule:default" + +#"get_metadef_properties": "rule:default" + +#"modify_metadef_property": "rule:default" + +#"add_metadef_property": "rule:default" + +#"remove_metadef_property": "rule:default" + +#"get_metadef_tag": "rule:default" + +#"get_metadef_tags": "rule:default" + +#"modify_metadef_tag": "rule:default" + +#"add_metadef_tag": "rule:default" + +#"add_metadef_tags": "rule:default" + +#"delete_metadef_tag": "rule:default" + +#"delete_metadef_tags": "rule:default" + diff --git a/openstack_dashboard/conf/keystone_policy.json b/openstack_dashboard/conf/keystone_policy.json deleted file mode 100644 index 3d820dccab..0000000000 --- a/openstack_dashboard/conf/keystone_policy.json +++ /dev/null 
@@ -1,174 +0,0 @@
-{
- "admin_required": "role:admin or is_admin:1",
- "service_role": "role:service",
- "service_or_admin": "rule:admin_required or rule:service_role",
- "owner": "user_id:%(user_id)s",
- "admin_or_owner": "rule:admin_required or rule:owner",
- "token_subject": "user_id:%(target.token.user_id)s",
- "admin_or_token_subject": "rule:admin_required or rule:token_subject",
- "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject",
- "identity:authorize_request_token": "rule:admin_required",
- "identity:get_access_token": "rule:admin_required",
- "identity:get_access_token_role": "rule:admin_required",
- "identity:list_access_tokens": "rule:admin_required",
- "identity:list_access_token_roles": "rule:admin_required",
- "identity:delete_access_token": "rule:admin_required",
- "identity:get_auth_catalog": "",
- "identity:get_auth_projects": "",
- "identity:get_auth_domains": "",
- "identity:get_consumer": "rule:admin_required",
- "identity:list_consumers": "rule:admin_required",
- "identity:create_consumer": "rule:admin_required",
- "identity:update_consumer": "rule:admin_required",
- "identity:delete_consumer": "rule:admin_required",
- "identity:get_credential": "rule:admin_required",
- "identity:list_credentials": "rule:admin_required",
- "identity:create_credential": "rule:admin_required",
- "identity:update_credential": "rule:admin_required",
- "identity:delete_credential": "rule:admin_required",
- "identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s",
- "identity:list_domains": "rule:admin_required",
- "identity:create_domain": "rule:admin_required",
- "identity:update_domain": "rule:admin_required",
- "identity:delete_domain": "rule:admin_required",
- "identity:create_domain_config": "rule:admin_required",
- "identity:get_domain_config": "rule:admin_required",
- "identity:get_security_compliance_domain_config": "",
- "identity:update_domain_config": "rule:admin_required",
- "identity:delete_domain_config": "rule:admin_required",
- "identity:get_domain_config_default": "rule:admin_required",
- "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
- "identity:ec2_list_credentials": "rule:admin_or_owner",
- "identity:ec2_create_credential": "rule:admin_or_owner",
- "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
- "identity:get_endpoint": "rule:admin_required",
- "identity:list_endpoints": "rule:admin_required",
- "identity:create_endpoint": "rule:admin_required",
- "identity:update_endpoint": "rule:admin_required",
- "identity:delete_endpoint": "rule:admin_required",
- "identity:create_endpoint_group": "rule:admin_required",
- "identity:list_endpoint_groups": "rule:admin_required",
- "identity:get_endpoint_group": "rule:admin_required",
- "identity:update_endpoint_group": "rule:admin_required",
- "identity:delete_endpoint_group": "rule:admin_required",
- "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
- "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
- "identity:get_endpoint_group_in_project": "rule:admin_required",
- "identity:list_endpoint_groups_for_project": "rule:admin_required",
- "identity:add_endpoint_group_to_project": "rule:admin_required",
- "identity:remove_endpoint_group_from_project": "rule:admin_required",
- "identity:check_grant": "rule:admin_required",
- "identity:list_grants": "rule:admin_required",
- "identity:create_grant": "rule:admin_required",
- "identity:revoke_grant": "rule:admin_required",
- "identity:get_group": "rule:admin_required",
- "identity:list_groups": "rule:admin_required",
- "identity:list_groups_for_user": "rule:admin_or_owner",
- "identity:create_group": "rule:admin_required",
- "identity:update_group": "rule:admin_required",
- "identity:delete_group": "rule:admin_required",
- "identity:list_users_in_group": "rule:admin_required",
- "identity:remove_user_from_group": "rule:admin_required",
- "identity:check_user_in_group": "rule:admin_required",
- "identity:add_user_to_group": "rule:admin_required",
- "identity:create_identity_provider": "rule:admin_required",
- "identity:list_identity_providers": "rule:admin_required",
- "identity:get_identity_provider": "rule:admin_required",
- "identity:update_identity_provider": "rule:admin_required",
- "identity:delete_identity_provider": "rule:admin_required",
- "identity:get_implied_role": "rule:admin_required",
- "identity:list_implied_roles": "rule:admin_required",
- "identity:create_implied_role": "rule:admin_required",
- "identity:delete_implied_role": "rule:admin_required",
- "identity:list_role_inference_rules": "rule:admin_required",
- "identity:check_implied_role": "rule:admin_required",
- "identity:create_mapping": "rule:admin_required",
- "identity:get_mapping": "rule:admin_required",
- "identity:list_mappings": "rule:admin_required",
- "identity:delete_mapping": "rule:admin_required",
- "identity:update_mapping": "rule:admin_required",
- "identity:get_policy": "rule:admin_required",
- "identity:list_policies": "rule:admin_required",
- "identity:create_policy": "rule:admin_required",
- "identity:update_policy": "rule:admin_required",
- "identity:delete_policy": "rule:admin_required",
- "identity:create_policy_association_for_endpoint": "rule:admin_required",
- "identity:check_policy_association_for_endpoint": "rule:admin_required",
- "identity:delete_policy_association_for_endpoint": "rule:admin_required",
- "identity:create_policy_association_for_service": "rule:admin_required",
- "identity:check_policy_association_for_service": "rule:admin_required",
- "identity:delete_policy_association_for_service": "rule:admin_required",
- "identity:create_policy_association_for_region_and_service": "rule:admin_required",
- "identity:check_policy_association_for_region_and_service": "rule:admin_required",
- "identity:delete_policy_association_for_region_and_service": "rule:admin_required",
- "identity:get_policy_for_endpoint": "rule:admin_required",
- "identity:list_endpoints_for_policy": "rule:admin_required",
- "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s",
- "identity:list_projects": "rule:admin_required",
- "identity:list_user_projects": "rule:admin_or_owner",
- "identity:create_project": "rule:admin_required",
- "identity:update_project": "rule:admin_required",
- "identity:delete_project": "rule:admin_required",
- "identity:list_project_tags": "rule:admin_required or project_id:%(target.project.id)s",
- "identity:get_project_tag": "rule:admin_required or project_id:%(target.project.id)s",
- "identity:update_project_tags": "rule:admin_required",
- "identity:create_project_tag": "rule:admin_required",
- "identity:delete_project_tags": "rule:admin_required",
- "identity:delete_project_tag": "rule:admin_required",
- "identity:list_projects_for_endpoint": "rule:admin_required",
- "identity:add_endpoint_to_project": "rule:admin_required",
- "identity:check_endpoint_in_project": "rule:admin_required",
- "identity:list_endpoints_for_project": "rule:admin_required",
- "identity:remove_endpoint_from_project": "rule:admin_required",
- "identity:create_protocol": "rule:admin_required",
- "identity:update_protocol": "rule:admin_required",
- "identity:get_protocol": "rule:admin_required",
- "identity:list_protocols": "rule:admin_required",
- "identity:delete_protocol": "rule:admin_required",
- "identity:get_region": "",
- "identity:list_regions": "",
- "identity:create_region": "rule:admin_required",
- "identity:update_region": "rule:admin_required",
- "identity:delete_region": "rule:admin_required",
- "identity:list_revoke_events": "rule:service_or_admin",
- "identity:get_role": "rule:admin_required",
- "identity:list_roles": "rule:admin_required",
- "identity:create_role": "rule:admin_required",
- "identity:update_role": "rule:admin_required",
- "identity:delete_role": "rule:admin_required",
- "identity:get_domain_role": "rule:admin_required",
- "identity:list_domain_roles": "rule:admin_required",
- "identity:create_domain_role": "rule:admin_required",
- "identity:update_domain_role": "rule:admin_required",
- "identity:delete_domain_role": "rule:admin_required",
- "identity:list_role_assignments": "rule:admin_required",
- "identity:list_role_assignments_for_tree": "rule:admin_required",
- "identity:get_service": "rule:admin_required",
- "identity:list_services": "rule:admin_required",
- "identity:create_service": "rule:admin_required",
- "identity:update_service": "rule:admin_required",
- "identity:delete_service": "rule:admin_required",
- "identity:create_service_provider": "rule:admin_required",
- "identity:list_service_providers": "rule:admin_required",
- "identity:get_service_provider": "rule:admin_required",
- "identity:update_service_provider": "rule:admin_required",
- "identity:delete_service_provider": "rule:admin_required",
- "identity:revocation_list": "rule:service_or_admin",
- "identity:check_token": "rule:admin_or_token_subject",
- "identity:validate_token": "rule:service_admin_or_token_subject",
- "identity:validate_token_head": "rule:service_or_admin",
- "identity:revoke_token": "rule:admin_or_token_subject",
- "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
- "identity:list_trusts": "",
- "identity:list_roles_for_trust": "",
- "identity:get_role_for_trust": "",
- "identity:delete_trust": "",
- "identity:get_trust": "",
- "identity:get_user": "rule:admin_or_owner",
- "identity:list_users": "rule:admin_required",
- "identity:list_projects_for_user": "",
- "identity:list_domains_for_user": "",
- "identity:create_user": "rule:admin_required",
- "identity:update_user": "rule:admin_required",
- "identity:delete_user": "rule:admin_required"
-}
diff --git a/openstack_dashboard/conf/keystone_policy.yaml b/openstack_dashboard/conf/keystone_policy.yaml
new file mode 100644
index 0000000000..6439c74b5b
--- /dev/null
+++ b/openstack_dashboard/conf/keystone_policy.yaml
@@ -0,0 +1,2330 @@ +#"admin_required": "role:admin or is_admin:1" + +#"service_role": "role:service" + +#"service_or_admin": "rule:admin_required or rule:service_role" + +#"owner": "user_id:%(user_id)s" + +#"admin_or_owner": "rule:admin_required or rule:owner" + +#"token_subject": "user_id:%(target.token.user_id)s" + +#"admin_or_token_subject": "rule:admin_required or rule:token_subject" + +#"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject" + +# Show access rule details. +# GET /v3/users/{user_id}/access_rules/{access_rule_id} +# HEAD /v3/users/{user_id}/access_rules/{access_rule_id} +# Intended scope(s): system, project +#"identity:get_access_rule": "(role:reader and system_scope:all) or user_id:%(target.user.id)s" + +# List access rules for a user. +# GET /v3/users/{user_id}/access_rules +# HEAD /v3/users/{user_id}/access_rules +# Intended scope(s): system, project +#"identity:list_access_rules": "(role:reader and system_scope:all) or user_id:%(target.user.id)s" + +# Delete an access_rule. +# DELETE /v3/users/{user_id}/access_rules/{access_rule_id} +# Intended scope(s): system, project +#"identity:delete_access_rule": "(role:admin and system_scope:all) or user_id:%(target.user.id)s" + +# Authorize OAUTH1 request token. +# PUT /v3/OS-OAUTH1/authorize/{request_token_id} +# Intended scope(s): project +#"identity:authorize_request_token": "rule:admin_required" + +# Get OAUTH1 access token for user by access token ID. +# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id} +# Intended scope(s): project +#"identity:get_access_token": "rule:admin_required" + +# Get role for user OAUTH1 access token. +# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id} +# Intended scope(s): project +#"identity:get_access_token_role": "rule:admin_required" + +# List OAUTH1 access tokens for user. 
+# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens +# Intended scope(s): project +#"identity:list_access_tokens": "rule:admin_required" + +# List OAUTH1 access token roles. +# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles +# Intended scope(s): project +#"identity:list_access_token_roles": "rule:admin_required" + +# Delete OAUTH1 access token. +# DELETE /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id} +# Intended scope(s): project +#"identity:delete_access_token": "rule:admin_required" + +# Show application credential details. +# GET /v3/users/{user_id}/application_credentials/{application_credential_id} +# HEAD /v3/users/{user_id}/application_credentials/{application_credential_id} +# Intended scope(s): system, project +#"identity:get_application_credential": "(role:reader and system_scope:all) or rule:owner" + +# DEPRECATED +# "identity:get_application_credentials":"rule:admin_or_owner" has +# been deprecated since T in favor of +# "identity:get_application_credential":"(role:reader and +# system_scope:all) or rule:owner". +# The application credential API is now aware of system scope and +# default roles. +#"identity:get_application_credentials": "rule:identity:get_application_credential" + +# List application credentials for a user. +# GET /v3/users/{user_id}/application_credentials +# HEAD /v3/users/{user_id}/application_credentials +# Intended scope(s): system, project +#"identity:list_application_credentials": "(role:reader and system_scope:all) or rule:owner" + +# DEPRECATED +# "identity:list_application_credentials":"rule:admin_or_owner" has +# been deprecated since T in favor of +# "identity:list_application_credentials":"(role:reader and +# system_scope:all) or rule:owner". +# The application credential API is now aware of system scope and +# default roles. + +# Create an application credential. 
+# POST /v3/users/{user_id}/application_credentials +# Intended scope(s): project +#"identity:create_application_credential": "user_id:%(user_id)s" + +# Delete an application credential. +# DELETE /v3/users/{user_id}/application_credentials/{application_credential_id} +# Intended scope(s): system, project +#"identity:delete_application_credential": "(role:admin and system_scope:all) or rule:owner" + +# DEPRECATED +# "identity:delete_application_credentials":"rule:admin_or_owner" has +# been deprecated since T in favor of +# "identity:delete_application_credential":"(role:admin and +# system_scope:all) or rule:owner". +# The application credential API is now aware of system scope and +# default roles. +#"identity:delete_application_credentials": "rule:identity:delete_application_credential" + +# Get service catalog. +# GET /v3/auth/catalog +# HEAD /v3/auth/catalog +#"identity:get_auth_catalog": "" + +# List all projects a user has access to via role assignments. +# GET /v3/auth/projects +# HEAD /v3/auth/projects +#"identity:get_auth_projects": "" + +# List all domains a user has access to via role assignments. +# GET /v3/auth/domains +# HEAD /v3/auth/domains +#"identity:get_auth_domains": "" + +# List systems a user has access to via role assignments. +# GET /v3/auth/system +# HEAD /v3/auth/system +#"identity:get_auth_system": "" + +# Show OAUTH1 consumer details. +# GET /v3/OS-OAUTH1/consumers/{consumer_id} +# Intended scope(s): system +#"identity:get_consumer": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_consumer":"rule:admin_required" has been deprecated +# since T in favor of "identity:get_consumer":"role:reader and +# system_scope:all". +# The OAUTH1 consumer API is now aware of system scope and default +# roles. + +# List OAUTH1 consumers. 
+# GET /v3/OS-OAUTH1/consumers +# Intended scope(s): system +#"identity:list_consumers": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_consumers":"rule:admin_required" has been deprecated +# since T in favor of "identity:list_consumers":"role:reader and +# system_scope:all". +# The OAUTH1 consumer API is now aware of system scope and default +# roles. + +# Create OAUTH1 consumer. +# POST /v3/OS-OAUTH1/consumers +# Intended scope(s): system +#"identity:create_consumer": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_consumer":"rule:admin_required" has been deprecated +# since T in favor of "identity:create_consumer":"role:admin and +# system_scope:all". +# The OAUTH1 consumer API is now aware of system scope and default +# roles. + +# Update OAUTH1 consumer. +# PATCH /v3/OS-OAUTH1/consumers/{consumer_id} +# Intended scope(s): system +#"identity:update_consumer": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_consumer":"rule:admin_required" has been deprecated +# since T in favor of "identity:update_consumer":"role:admin and +# system_scope:all". +# The OAUTH1 consumer API is now aware of system scope and default +# roles. + +# Delete OAUTH1 consumer. +# DELETE /v3/OS-OAUTH1/consumers/{consumer_id} +# Intended scope(s): system +#"identity:delete_consumer": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_consumer":"rule:admin_required" has been deprecated +# since T in favor of "identity:delete_consumer":"role:admin and +# system_scope:all". +# The OAUTH1 consumer API is now aware of system scope and default +# roles. + +# Show credentials details. 
+# GET /v3/credentials/{credential_id} +# Intended scope(s): system, project +#"identity:get_credential": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED +# "identity:get_credential":"rule:admin_required" has been deprecated +# since S in favor of "identity:get_credential":"(role:reader and +# system_scope:all) or user_id:%(target.credential.user_id)s". +# The credential API is now aware of system scope and default roles. + +# List credentials. +# GET /v3/credentials +# Intended scope(s): system, project +#"identity:list_credentials": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED +# "identity:list_credentials":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:list_credentials":"(role:reader and system_scope:all) or +# user_id:%(target.credential.user_id)s". +# The credential API is now aware of system scope and default roles. + +# Create credential. +# POST /v3/credentials +# Intended scope(s): system, project +#"identity:create_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED +# "identity:create_credential":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:create_credential":"(role:admin and system_scope:all) or +# user_id:%(target.credential.user_id)s". +# The credential API is now aware of system scope and default roles. + +# Update credential. +# PATCH /v3/credentials/{credential_id} +# Intended scope(s): system, project +#"identity:update_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED +# "identity:update_credential":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:update_credential":"(role:admin and system_scope:all) or +# user_id:%(target.credential.user_id)s". +# The credential API is now aware of system scope and default roles. + +# Delete credential. 
+# DELETE /v3/credentials/{credential_id} +# Intended scope(s): system, project +#"identity:delete_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED +# "identity:delete_credential":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:delete_credential":"(role:admin and system_scope:all) or +# user_id:%(target.credential.user_id)s". +# The credential API is now aware of system scope and default roles. + +# Show domain details. +# GET /v3/domains/{domain_id} +# Intended scope(s): system, domain, project +#"identity:get_domain": "(role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s" + +# DEPRECATED +# "identity:get_domain":"rule:admin_required or +# token.project.domain.id:%(target.domain.id)s" has been deprecated +# since S in favor of "identity:get_domain":"(role:reader and +# system_scope:all) or token.domain.id:%(target.domain.id)s or +# token.project.domain.id:%(target.domain.id)s". +# The domain API is now aware of system scope and default roles. + +# List domains. +# GET /v3/domains +# Intended scope(s): system +#"identity:list_domains": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_domains":"rule:admin_required" has been deprecated +# since S in favor of "identity:list_domains":"role:reader and +# system_scope:all". +# The domain API is now aware of system scope and default roles. + +# Create domain. +# POST /v3/domains +# Intended scope(s): system +#"identity:create_domain": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_domain":"rule:admin_required" has been deprecated +# since S in favor of "identity:create_domain":"role:admin and +# system_scope:all". +# The domain API is now aware of system scope and default roles. + +# Update domain. 
+# PATCH /v3/domains/{domain_id} +# Intended scope(s): system +#"identity:update_domain": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_domain":"rule:admin_required" has been deprecated +# since S in favor of "identity:update_domain":"role:admin and +# system_scope:all". +# The domain API is now aware of system scope and default roles. + +# Delete domain. +# DELETE /v3/domains/{domain_id} +# Intended scope(s): system +#"identity:delete_domain": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_domain":"rule:admin_required" has been deprecated +# since S in favor of "identity:delete_domain":"role:admin and +# system_scope:all". +# The domain API is now aware of system scope and default roles. + +# Create domain configuration. +# PUT /v3/domains/{domain_id}/config +# Intended scope(s): system +#"identity:create_domain_config": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_domain_config":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:create_domain_config":"role:admin and system_scope:all". +# The domain config API is now aware of system scope and default +# roles. + +# Get the entire domain configuration for a domain, an option group +# within a domain, or a specific configuration option within a group +# for a domain. +# GET /v3/domains/{domain_id}/config +# HEAD /v3/domains/{domain_id}/config +# GET /v3/domains/{domain_id}/config/{group} +# HEAD /v3/domains/{domain_id}/config/{group} +# GET /v3/domains/{domain_id}/config/{group}/{option} +# HEAD /v3/domains/{domain_id}/config/{group}/{option} +# Intended scope(s): system +#"identity:get_domain_config": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_domain_config":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:get_domain_config":"role:reader and system_scope:all". +# The domain config API is now aware of system scope and default +# roles. 
+ +# Get security compliance domain configuration for either a domain or +# a specific option in a domain. +# GET /v3/domains/{domain_id}/config/security_compliance +# HEAD /v3/domains/{domain_id}/config/security_compliance +# GET v3/domains/{domain_id}/config/security_compliance/{option} +# HEAD v3/domains/{domain_id}/config/security_compliance/{option} +# Intended scope(s): system, domain, project +#"identity:get_security_compliance_domain_config": "" + +# Update domain configuration for either a domain, specific group or a +# specific option in a group. +# PATCH /v3/domains/{domain_id}/config +# PATCH /v3/domains/{domain_id}/config/{group} +# PATCH /v3/domains/{domain_id}/config/{group}/{option} +# Intended scope(s): system +#"identity:update_domain_config": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_domain_config":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:update_domain_config":"role:admin and system_scope:all". +# The domain config API is now aware of system scope and default +# roles. + +# Delete domain configuration for either a domain, specific group or a +# specific option in a group. +# DELETE /v3/domains/{domain_id}/config +# DELETE /v3/domains/{domain_id}/config/{group} +# DELETE /v3/domains/{domain_id}/config/{group}/{option} +# Intended scope(s): system +#"identity:delete_domain_config": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_domain_config":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:delete_domain_config":"role:admin and system_scope:all". +# The domain config API is now aware of system scope and default +# roles. + +# Get domain configuration default for either a domain, specific group +# or a specific option in a group. 
+# GET /v3/domains/config/default +# HEAD /v3/domains/config/default +# GET /v3/domains/config/{group}/default +# HEAD /v3/domains/config/{group}/default +# GET /v3/domains/config/{group}/{option}/default +# HEAD /v3/domains/config/{group}/{option}/default +# Intended scope(s): system +#"identity:get_domain_config_default": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_domain_config_default":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:get_domain_config_default":"role:reader and +# system_scope:all". +# The domain config API is now aware of system scope and default +# roles. + +# Show ec2 credential details. +# GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id} +# Intended scope(s): system, project +#"identity:ec2_get_credential": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED +# "identity:ec2_get_credential":"rule:admin_required or (rule:owner +# and user_id:%(target.credential.user_id)s)" has been deprecated +# since T in favor of "identity:ec2_get_credential":"(role:reader and +# system_scope:all) or user_id:%(target.credential.user_id)s". +# The EC2 credential API is now aware of system scope and default +# roles. + +# List ec2 credentials. +# GET /v3/users/{user_id}/credentials/OS-EC2 +# Intended scope(s): system, project +#"identity:ec2_list_credentials": "(role:reader and system_scope:all) or rule:owner" + +# DEPRECATED +# "identity:ec2_list_credentials":"rule:admin_or_owner" has been +# deprecated since T in favor of +# "identity:ec2_list_credentials":"(role:reader and system_scope:all) +# or rule:owner". +# The EC2 credential API is now aware of system scope and default +# roles. + +# Create ec2 credential. 
+# POST /v3/users/{user_id}/credentials/OS-EC2 +# Intended scope(s): system, project +#"identity:ec2_create_credential": "(role:admin and system_scope:all) or rule:owner" + +# DEPRECATED +# "identity:ec2_create_credentials":"rule:admin_or_owner" has been +# deprecated since T in favor of +# "identity:ec2_create_credential":"(role:admin and system_scope:all) +# or rule:owner". +# The EC2 credential API is now aware of system scope and default +# roles. +#"identity:ec2_create_credentials": "rule:identity:ec2_create_credential" + +# Delete ec2 credential. +# DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id} +# Intended scope(s): system, project +#"identity:ec2_delete_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED +# "identity:ec2_delete_credentials":"rule:admin_required or +# (rule:owner and user_id:%(target.credential.user_id)s)" has been +# deprecated since T in favor of +# "identity:ec2_delete_credential":"(role:admin and system_scope:all) +# or user_id:%(target.credential.user_id)s". +# The EC2 credential API is now aware of system scope and default +# roles. +#"identity:ec2_delete_credentials": "rule:identity:ec2_delete_credential" + +# Show endpoint details. +# GET /v3/endpoints/{endpoint_id} +# Intended scope(s): system +#"identity:get_endpoint": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_endpoint":"rule:admin_required" has been deprecated +# since S in favor of "identity:get_endpoint":"role:reader and +# system_scope:all". +# The endpoint API is now aware of system scope and default roles. + +# List endpoints. +# GET /v3/endpoints +# Intended scope(s): system +#"identity:list_endpoints": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_endpoints":"rule:admin_required" has been deprecated +# since S in favor of "identity:list_endpoints":"role:reader and +# system_scope:all". +# The endpoint API is now aware of system scope and default roles. 
+ +# Create endpoint. +# POST /v3/endpoints +# Intended scope(s): system +#"identity:create_endpoint": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_endpoint":"rule:admin_required" has been deprecated +# since S in favor of "identity:create_endpoint":"role:admin and +# system_scope:all". +# The endpoint API is now aware of system scope and default roles. + +# Update endpoint. +# PATCH /v3/endpoints/{endpoint_id} +# Intended scope(s): system +#"identity:update_endpoint": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_endpoint":"rule:admin_required" has been deprecated +# since S in favor of "identity:update_endpoint":"role:admin and +# system_scope:all". +# The endpoint API is now aware of system scope and default roles. + +# Delete endpoint. +# DELETE /v3/endpoints/{endpoint_id} +# Intended scope(s): system +#"identity:delete_endpoint": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_endpoint":"rule:admin_required" has been deprecated +# since S in favor of "identity:delete_endpoint":"role:admin and +# system_scope:all". +# The endpoint API is now aware of system scope and default roles. + +# Create endpoint group. +# POST /v3/OS-EP-FILTER/endpoint_groups +# Intended scope(s): system +#"identity:create_endpoint_group": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_endpoint_group":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:create_endpoint_group":"role:admin and system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. + +# List endpoint groups. +# GET /v3/OS-EP-FILTER/endpoint_groups +# Intended scope(s): system +#"identity:list_endpoint_groups": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_endpoint_groups":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:list_endpoint_groups":"role:reader and system_scope:all". 
+# The endpoint groups API is now aware of system scope and default +# roles. + +# Get endpoint group. +# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} +# HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} +# Intended scope(s): system +#"identity:get_endpoint_group": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_endpoint_group":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:get_endpoint_group":"role:reader and system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. + +# Update endpoint group. +# PATCH /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} +# Intended scope(s): system +#"identity:update_endpoint_group": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_endpoint_group":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:update_endpoint_group":"role:admin and system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. + +# Delete endpoint group. +# DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} +# Intended scope(s): system +#"identity:delete_endpoint_group": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_endpoint_group":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:delete_endpoint_group":"role:admin and system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. + +# List all projects associated with a specific endpoint group. +# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects +# Intended scope(s): system +#"identity:list_projects_associated_with_endpoint_group": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_projects_associated_with_endpoint_group":"rule:admin_ +# required" has been deprecated since T in favor of +# "identity:list_projects_associated_with_endpoint_group":"role:reader +# and system_scope:all". 
+# The endpoint groups API is now aware of system scope and default +# roles. + +# List all endpoints associated with an endpoint group. +# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints +# Intended scope(s): system +#"identity:list_endpoints_associated_with_endpoint_group": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_endpoints_associated_with_endpoint_group":"rule:admin +# _required" has been deprecated since T in favor of "identity:list_en +# dpoints_associated_with_endpoint_group":"role:reader and +# system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. + +# Check if an endpoint group is associated with a project. +# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} +# HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} +# Intended scope(s): system +#"identity:get_endpoint_group_in_project": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_endpoint_group_in_project":"rule:admin_required" has +# been deprecated since T in favor of +# "identity:get_endpoint_group_in_project":"role:reader and +# system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. + +# List endpoint groups associated with a specific project. +# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups +# Intended scope(s): system +#"identity:list_endpoint_groups_for_project": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_endpoint_groups_for_project":"rule:admin_required" +# has been deprecated since T in favor of +# "identity:list_endpoint_groups_for_project":"role:reader and +# system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. + +# Allow a project to access an endpoint group. 
+# PUT /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} +# Intended scope(s): system +#"identity:add_endpoint_group_to_project": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:add_endpoint_group_to_project":"rule:admin_required" has +# been deprecated since T in favor of +# "identity:add_endpoint_group_to_project":"role:admin and +# system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. + +# Remove endpoint group from project. +# DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} +# Intended scope(s): system +#"identity:remove_endpoint_group_from_project": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:remove_endpoint_group_from_project":"rule:admin_required" +# has been deprecated since T in favor of +# "identity:remove_endpoint_group_from_project":"role:admin and +# system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. + +# Check a role grant between a target and an actor. A target can be +# either a domain or a project. An actor can be either a user or a +# group. These terms also apply to the OS-INHERIT APIs, where grants +# on the target are inherited to all projects in the subtree, if +# applicable. 
+# HEAD /v3/projects/{project_id}/users/{user_id}/roles/{role_id} +# GET /v3/projects/{project_id}/users/{user_id}/roles/{role_id} +# HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} +# GET /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} +# HEAD /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} +# GET /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} +# HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} +# GET /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} +# HEAD /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# GET /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# HEAD /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# GET /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# HEAD /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# HEAD /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# Intended scope(s): system, domain +#"identity:check_grant": "(role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)" + +# DEPRECATED +# "identity:check_grant":"rule:admin_required" has been deprecated +# since S in favor of 
"identity:check_grant":"(role:reader and +# system_scope:all) or ((role:reader and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:reader and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.domain.id)s) or (role:reader and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:reader and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.domain.id)s)) and +# (domain_id:%(target.role.domain_id)s or +# None:%(target.role.domain_id)s)". +# The assignment API is now aware of system scope and default roles. + +# List roles granted to an actor on a target. A target can be either a +# domain or a project. An actor can be either a user or a group. For +# the OS-INHERIT APIs, it is possible to list inherited role grants +# for actors on domains, where grants are inherited to all projects in +# the specified domain. +# GET /v3/projects/{project_id}/users/{user_id}/roles +# HEAD /v3/projects/{project_id}/users/{user_id}/roles +# GET /v3/projects/{project_id}/groups/{group_id}/roles +# HEAD /v3/projects/{project_id}/groups/{group_id}/roles +# GET /v3/domains/{domain_id}/users/{user_id}/roles +# HEAD /v3/domains/{domain_id}/users/{user_id}/roles +# GET /v3/domains/{domain_id}/groups/{group_id}/roles +# HEAD /v3/domains/{domain_id}/groups/{group_id}/roles +# GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects +# GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects +# Intended scope(s): system, domain +#"identity:list_grants": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and 
domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)" + +# DEPRECATED +# "identity:list_grants":"rule:admin_required" has been deprecated +# since S in favor of "identity:list_grants":"(role:reader and +# system_scope:all) or (role:reader and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:reader and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.domain.id)s) or (role:reader and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:reader and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.domain.id)s)". +# The assignment API is now aware of system scope and default roles. + +# Create a role grant between a target and an actor. A target can be +# either a domain or a project. An actor can be either a user or a +# group. These terms also apply to the OS-INHERIT APIs, where grants +# on the target are inherited to all projects in the subtree, if +# applicable. 
+# PUT /v3/projects/{project_id}/users/{user_id}/roles/{role_id} +# PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} +# PUT /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} +# PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} +# PUT /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# PUT /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# PUT /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# Intended scope(s): system, domain +#"identity:create_grant": "(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)" + +# DEPRECATED +# "identity:create_grant":"rule:admin_required" has been deprecated +# since S in favor of "identity:create_grant":"(role:admin and +# system_scope:all) or ((role:admin and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:admin and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.domain.id)s) or (role:admin and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:admin and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.domain.id)s)) and +# (domain_id:%(target.role.domain_id)s or +# None:%(target.role.domain_id)s)". +# The assignment API is now aware of system scope and default roles. + +# Revoke a role grant between a target and an actor. 
A target can be +# either a domain or a project. An actor can be either a user or a +# group. These terms also apply to the OS-INHERIT APIs, where grants +# on the target are inherited to all projects in the subtree, if +# applicable. In that case, revoking the role grant in the target +# would remove the logical effect of inheriting it to the target's +# projects subtree. +# DELETE /v3/projects/{project_id}/users/{user_id}/roles/{role_id} +# DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} +# DELETE /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} +# DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} +# DELETE /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# DELETE /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# DELETE /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# DELETE /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# Intended scope(s): system, domain +#"identity:revoke_grant": "(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)" + +# DEPRECATED +# "identity:revoke_grant":"rule:admin_required" has been deprecated +# since S in favor of "identity:revoke_grant":"(role:admin and +# system_scope:all) or ((role:admin and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:admin and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.domain.id)s) or (role:admin 
and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:admin and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.domain.id)s)) and +# (domain_id:%(target.role.domain_id)s or +# None:%(target.role.domain_id)s)". +# The assignment API is now aware of system scope and default roles. + +# List all grants a specific user has on the system. +# ['HEAD', 'GET'] /v3/system/users/{user_id}/roles +# Intended scope(s): system +#"identity:list_system_grants_for_user": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_system_grants_for_user":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:list_system_grants_for_user":"role:reader and +# system_scope:all". +# The assignment API is now aware of system scope and default roles. + +# Check if a user has a role on the system. +# ['HEAD', 'GET'] /v3/system/users/{user_id}/roles/{role_id} +# Intended scope(s): system +#"identity:check_system_grant_for_user": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:check_system_grant_for_user":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:check_system_grant_for_user":"role:reader and +# system_scope:all". +# The assignment API is now aware of system scope and default roles. + +# Grant a user a role on the system. +# ['PUT'] /v3/system/users/{user_id}/roles/{role_id} +# Intended scope(s): system +#"identity:create_system_grant_for_user": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_system_grant_for_user":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:create_system_grant_for_user":"role:admin and +# system_scope:all". +# The assignment API is now aware of system scope and default roles. + +# Remove a role from a user on the system. 
+# ['DELETE'] /v3/system/users/{user_id}/roles/{role_id} +# Intended scope(s): system +#"identity:revoke_system_grant_for_user": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:revoke_system_grant_for_user":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:revoke_system_grant_for_user":"role:admin and +# system_scope:all". +# The assignment API is now aware of system scope and default roles. + +# List all grants a specific group has on the system. +# ['HEAD', 'GET'] /v3/system/groups/{group_id}/roles +# Intended scope(s): system +#"identity:list_system_grants_for_group": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_system_grants_for_group":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:list_system_grants_for_group":"role:reader and +# system_scope:all". +# The assignment API is now aware of system scope and default roles. + +# Check if a group has a role on the system. +# ['HEAD', 'GET'] /v3/system/groups/{group_id}/roles/{role_id} +# Intended scope(s): system +#"identity:check_system_grant_for_group": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:check_system_grant_for_group":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:check_system_grant_for_group":"role:reader and +# system_scope:all". +# The assignment API is now aware of system scope and default roles. + +# Grant a group a role on the system. +# ['PUT'] /v3/system/groups/{group_id}/roles/{role_id} +# Intended scope(s): system +#"identity:create_system_grant_for_group": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_system_grant_for_group":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:create_system_grant_for_group":"role:admin and +# system_scope:all". +# The assignment API is now aware of system scope and default roles. + +# Remove a role from a group on the system. 
+# ['DELETE'] /v3/system/groups/{group_id}/roles/{role_id} +# Intended scope(s): system +#"identity:revoke_system_grant_for_group": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:revoke_system_grant_for_group":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:revoke_system_grant_for_group":"role:admin and +# system_scope:all". +# The assignment API is now aware of system scope and default roles. + +# Show group details. +# GET /v3/groups/{group_id} +# HEAD /v3/groups/{group_id} +# Intended scope(s): system, domain +#"identity:get_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)" + +# DEPRECATED +# "identity:get_group":"rule:admin_required" has been deprecated since +# S in favor of "identity:get_group":"(role:reader and +# system_scope:all) or (role:reader and +# domain_id:%(target.group.domain_id)s)". +# The group API is now aware of system scope and default roles. + +# List groups. +# GET /v3/groups +# HEAD /v3/groups +# Intended scope(s): system, domain +#"identity:list_groups": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)" + +# DEPRECATED +# "identity:list_groups":"rule:admin_required" has been deprecated +# since S in favor of "identity:list_groups":"(role:reader and +# system_scope:all) or (role:reader and +# domain_id:%(target.group.domain_id)s)". +# The group API is now aware of system scope and default roles. + +# List groups to which a user belongs. 
+# GET /v3/users/{user_id}/groups +# HEAD /v3/users/{user_id}/groups +# Intended scope(s): system, domain, project +#"identity:list_groups_for_user": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s" + +# DEPRECATED +# "identity:list_groups_for_user":"rule:admin_or_owner" has been +# deprecated since S in favor of +# "identity:list_groups_for_user":"(role:reader and system_scope:all) +# or (role:reader and domain_id:%(target.user.domain_id)s) or +# user_id:%(user_id)s". +# The group API is now aware of system scope and default roles. + +# Create group. +# POST /v3/groups +# Intended scope(s): system, domain +#"identity:create_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)" + +# DEPRECATED +# "identity:create_group":"rule:admin_required" has been deprecated +# since S in favor of "identity:create_group":"(role:admin and +# system_scope:all) or (role:admin and +# domain_id:%(target.group.domain_id)s)". +# The group API is now aware of system scope and default roles. + +# Update group. +# PATCH /v3/groups/{group_id} +# Intended scope(s): system, domain +#"identity:update_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)" + +# DEPRECATED +# "identity:update_group":"rule:admin_required" has been deprecated +# since S in favor of "identity:update_group":"(role:admin and +# system_scope:all) or (role:admin and +# domain_id:%(target.group.domain_id)s)". +# The group API is now aware of system scope and default roles. + +# Delete group. 
+# DELETE /v3/groups/{group_id} +# Intended scope(s): system, domain +#"identity:delete_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)" + +# DEPRECATED +# "identity:delete_group":"rule:admin_required" has been deprecated +# since S in favor of "identity:delete_group":"(role:admin and +# system_scope:all) or (role:admin and +# domain_id:%(target.group.domain_id)s)". +# The group API is now aware of system scope and default roles. + +# List members of a specific group. +# GET /v3/groups/{group_id}/users +# HEAD /v3/groups/{group_id}/users +# Intended scope(s): system, domain +#"identity:list_users_in_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)" + +# DEPRECATED +# "identity:list_users_in_group":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:list_users_in_group":"(role:reader and system_scope:all) +# or (role:reader and domain_id:%(target.group.domain_id)s)". +# The group API is now aware of system scope and default roles. + +# Remove user from group. +# DELETE /v3/groups/{group_id}/users/{user_id} +# Intended scope(s): system, domain +#"identity:remove_user_from_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)" + +# DEPRECATED +# "identity:remove_user_from_group":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:remove_user_from_group":"(role:admin and system_scope:all) +# or (role:admin and domain_id:%(target.group.domain_id)s and +# domain_id:%(target.user.domain_id)s)". +# The group API is now aware of system scope and default roles. + +# Check whether a user is a member of a group. 
+# HEAD /v3/groups/{group_id}/users/{user_id} +# GET /v3/groups/{group_id}/users/{user_id} +# Intended scope(s): system, domain +#"identity:check_user_in_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)" + +# DEPRECATED +# "identity:check_user_in_group":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:check_user_in_group":"(role:reader and system_scope:all) +# or (role:reader and domain_id:%(target.group.domain_id)s and +# domain_id:%(target.user.domain_id)s)". +# The group API is now aware of system scope and default roles. + +# Add user to group. +# PUT /v3/groups/{group_id}/users/{user_id} +# Intended scope(s): system, domain +#"identity:add_user_to_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)" + +# DEPRECATED +# "identity:add_user_to_group":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:add_user_to_group":"(role:admin and system_scope:all) or +# (role:admin and domain_id:%(target.group.domain_id)s and +# domain_id:%(target.user.domain_id)s)". +# The group API is now aware of system scope and default roles. + +# Create identity provider. +# PUT /v3/OS-FEDERATION/identity_providers/{idp_id} +# Intended scope(s): system +#"identity:create_identity_provider": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_identity_providers":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:create_identity_provider":"role:admin and +# system_scope:all". +# The identity provider API is now aware of system scope and default +# roles. +#"identity:create_identity_providers": "rule:identity:create_identity_provider" + +# List identity providers. 
+# GET /v3/OS-FEDERATION/identity_providers +# HEAD /v3/OS-FEDERATION/identity_providers +# Intended scope(s): system +#"identity:list_identity_providers": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_identity_providers":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:list_identity_providers":"role:reader and +# system_scope:all". +# The identity provider API is now aware of system scope and default +# roles. + +# Get identity provider. +# GET /v3/OS-FEDERATION/identity_providers/{idp_id} +# HEAD /v3/OS-FEDERATION/identity_providers/{idp_id} +# Intended scope(s): system +#"identity:get_identity_provider": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_identity_providers":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:get_identity_provider":"role:reader and system_scope:all". +# The identity provider API is now aware of system scope and default +# roles. +#"identity:get_identity_providers": "rule:identity:get_identity_provider" + +# Update identity provider. +# PATCH /v3/OS-FEDERATION/identity_providers/{idp_id} +# Intended scope(s): system +#"identity:update_identity_provider": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_identity_providers":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:update_identity_provider":"role:admin and +# system_scope:all". +# The identity provider API is now aware of system scope and default +# roles. +#"identity:update_identity_providers": "rule:identity:update_identity_provider" + +# Delete identity provider. +# DELETE /v3/OS-FEDERATION/identity_providers/{idp_id} +# Intended scope(s): system +#"identity:delete_identity_provider": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_identity_providers":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:delete_identity_provider":"role:admin and +# system_scope:all". 
+# The identity provider API is now aware of system scope and default +# roles. +#"identity:delete_identity_providers": "rule:identity:delete_identity_provider" + +# Get information about an association between two roles. When a +# relationship exists between a prior role and an implied role and the +# prior role is assigned to a user, the user also assumes the implied +# role. +# GET /v3/roles/{prior_role_id}/implies/{implied_role_id} +# Intended scope(s): system +#"identity:get_implied_role": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_implied_role":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:get_implied_role":"role:reader and system_scope:all". +# The implied role API is now aware of system scope and default roles. + +# List associations between two roles. When a relationship exists +# between a prior role and an implied role and the prior role is +# assigned to a user, the user also assumes the implied role. This +# will return all the implied roles that would be assumed by the user +# who gets the specified prior role. +# GET /v3/roles/{prior_role_id}/implies +# HEAD /v3/roles/{prior_role_id}/implies +# Intended scope(s): system +#"identity:list_implied_roles": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_implied_roles":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:list_implied_roles":"role:reader and system_scope:all". +# The implied role API is now aware of system scope and default roles. + +# Create an association between two roles. When a relationship exists +# between a prior role and an implied role and the prior role is +# assigned to a user, the user also assumes the implied role. 
+# PUT /v3/roles/{prior_role_id}/implies/{implied_role_id} +# Intended scope(s): system +#"identity:create_implied_role": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_implied_role":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:create_implied_role":"role:admin and system_scope:all". +# The implied role API is now aware of system scope and default roles. + +# Delete the association between two roles. When a relationship exists +# between a prior role and an implied role and the prior role is +# assigned to a user, the user also assumes the implied role. Removing +# the association will cause that effect to be eliminated. +# DELETE /v3/roles/{prior_role_id}/implies/{implied_role_id} +# Intended scope(s): system +#"identity:delete_implied_role": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_implied_role":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:delete_implied_role":"role:admin and system_scope:all". +# The implied role API is now aware of system scope and default roles. + +# List all associations between two roles in the system. When a +# relationship exists between a prior role and an implied role and the +# prior role is assigned to a user, the user also assumes the implied +# role. +# GET /v3/role_inferences +# HEAD /v3/role_inferences +# Intended scope(s): system +#"identity:list_role_inference_rules": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_role_inference_rules":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:list_role_inference_rules":"role:reader and +# system_scope:all". +# The implied role API is now aware of system scope and default roles. + +# Check an association between two roles. When a relationship exists +# between a prior role and an implied role and the prior role is +# assigned to a user, the user also assumes the implied role. 
+# HEAD /v3/roles/{prior_role_id}/implies/{implied_role_id} +# Intended scope(s): system +#"identity:check_implied_role": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:check_implied_role":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:check_implied_role":"role:reader and system_scope:all". +# The implied role API is now aware of system scope and default roles. + +# Get limit enforcement model. +# GET /v3/limits/model +# HEAD /v3/limits/model +# Intended scope(s): system, domain, project +#"identity:get_limit_model": "" + +# Show limit details. +# GET /v3/limits/{limit_id} +# HEAD /v3/limits/{limit_id} +# Intended scope(s): system, domain, project +#"identity:get_limit": "(role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)" + +# List limits. +# GET /v3/limits +# HEAD /v3/limits +# Intended scope(s): system, domain, project +#"identity:list_limits": "" + +# Create limits. +# POST /v3/limits +# Intended scope(s): system +#"identity:create_limits": "role:admin and system_scope:all" + +# Update limit. +# PATCH /v3/limits/{limit_id} +# Intended scope(s): system +#"identity:update_limit": "role:admin and system_scope:all" + +# Delete limit. +# DELETE /v3/limits/{limit_id} +# Intended scope(s): system +#"identity:delete_limit": "role:admin and system_scope:all" + +# Create a new federated mapping containing one or more sets of rules. +# PUT /v3/OS-FEDERATION/mappings/{mapping_id} +# Intended scope(s): system +#"identity:create_mapping": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_mapping":"rule:admin_required" has been deprecated +# since S in favor of "identity:create_mapping":"role:admin and +# system_scope:all". +# The federated mapping API is now aware of system scope and default +# roles. + +# Get a federated mapping. 
+# GET /v3/OS-FEDERATION/mappings/{mapping_id} +# HEAD /v3/OS-FEDERATION/mappings/{mapping_id} +# Intended scope(s): system +#"identity:get_mapping": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_mapping":"rule:admin_required" has been deprecated +# since S in favor of "identity:get_mapping":"role:reader and +# system_scope:all". +# The federated mapping API is now aware of system scope and default +# roles. + +# List federated mappings. +# GET /v3/OS-FEDERATION/mappings +# HEAD /v3/OS-FEDERATION/mappings +# Intended scope(s): system +#"identity:list_mappings": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_mappings":"rule:admin_required" has been deprecated +# since S in favor of "identity:list_mappings":"role:reader and +# system_scope:all". +# The federated mapping API is now aware of system scope and default +# roles. + +# Delete a federated mapping. +# DELETE /v3/OS-FEDERATION/mappings/{mapping_id} +# Intended scope(s): system +#"identity:delete_mapping": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_mapping":"rule:admin_required" has been deprecated +# since S in favor of "identity:delete_mapping":"role:admin and +# system_scope:all". +# The federated mapping API is now aware of system scope and default +# roles. + +# Update a federated mapping. +# PATCH /v3/OS-FEDERATION/mappings/{mapping_id} +# Intended scope(s): system +#"identity:update_mapping": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_mapping":"rule:admin_required" has been deprecated +# since S in favor of "identity:update_mapping":"role:admin and +# system_scope:all". +# The federated mapping API is now aware of system scope and default +# roles. + +# Show policy details. 
+# GET /v3/policies/{policy_id} +# Intended scope(s): system +#"identity:get_policy": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_policy":"rule:admin_required" has been deprecated +# since T in favor of "identity:get_policy":"role:reader and +# system_scope:all". +# The policy API is now aware of system scope and default roles. + +# List policies. +# GET /v3/policies +# Intended scope(s): system +#"identity:list_policies": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_policies":"rule:admin_required" has been deprecated +# since T in favor of "identity:list_policies":"role:reader and +# system_scope:all". +# The policy API is now aware of system scope and default roles. + +# Create policy. +# POST /v3/policies +# Intended scope(s): system +#"identity:create_policy": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_policy":"rule:admin_required" has been deprecated +# since T in favor of "identity:create_policy":"role:admin and +# system_scope:all". +# The policy API is now aware of system scope and default roles. + +# Update policy. +# PATCH /v3/policies/{policy_id} +# Intended scope(s): system +#"identity:update_policy": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_policy":"rule:admin_required" has been deprecated +# since T in favor of "identity:update_policy":"role:admin and +# system_scope:all". +# The policy API is now aware of system scope and default roles. + +# Delete policy. +# DELETE /v3/policies/{policy_id} +# Intended scope(s): system +#"identity:delete_policy": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_policy":"rule:admin_required" has been deprecated +# since T in favor of "identity:delete_policy":"role:admin and +# system_scope:all". +# The policy API is now aware of system scope and default roles. + +# Associate a policy to a specific endpoint. 
+# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} +# Intended scope(s): system +#"identity:create_policy_association_for_endpoint": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_policy_association_for_endpoint":"rule:admin_requir +# ed" has been deprecated since T in favor of +# "identity:create_policy_association_for_endpoint":"role:admin and +# system_scope:all". +# The policy association API is now aware of system scope and default +# roles. + +# Check policy association for endpoint. +# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} +# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} +# Intended scope(s): system +#"identity:check_policy_association_for_endpoint": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:check_policy_association_for_endpoint":"rule:admin_require +# d" has been deprecated since T in favor of +# "identity:check_policy_association_for_endpoint":"role:reader and +# system_scope:all". +# The policy association API is now aware of system scope and default +# roles. + +# Delete policy association for endpoint. +# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} +# Intended scope(s): system +#"identity:delete_policy_association_for_endpoint": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_policy_association_for_endpoint":"rule:admin_requir +# ed" has been deprecated since T in favor of +# "identity:delete_policy_association_for_endpoint":"role:admin and +# system_scope:all". +# The policy association API is now aware of system scope and default +# roles. + +# Associate a policy to a specific service. 
+# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} +# Intended scope(s): system +#"identity:create_policy_association_for_service": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_policy_association_for_service":"rule:admin_require +# d" has been deprecated since T in favor of +# "identity:create_policy_association_for_service":"role:admin and +# system_scope:all". +# The policy association API is now aware of system scope and default +# roles. + +# Check policy association for service. +# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} +# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} +# Intended scope(s): system +#"identity:check_policy_association_for_service": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:check_policy_association_for_service":"rule:admin_required +# " has been deprecated since T in favor of +# "identity:check_policy_association_for_service":"role:reader and +# system_scope:all". +# The policy association API is now aware of system scope and default +# roles. + +# Delete policy association for service. +# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} +# Intended scope(s): system +#"identity:delete_policy_association_for_service": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_policy_association_for_service":"rule:admin_require +# d" has been deprecated since T in favor of +# "identity:delete_policy_association_for_service":"role:admin and +# system_scope:all". +# The policy association API is now aware of system scope and default +# roles. + +# Associate a policy to a specific region and service combination. 
+# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} +# Intended scope(s): system +#"identity:create_policy_association_for_region_and_service": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_policy_association_for_region_and_service":"rule:ad +# min_required" has been deprecated since T in favor of "identity:crea +# te_policy_association_for_region_and_service":"role:admin and +# system_scope:all". +# The policy association API is now aware of system scope and default +# roles. + +# Check policy association for region and service. +# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} +# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} +# Intended scope(s): system +#"identity:check_policy_association_for_region_and_service": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:check_policy_association_for_region_and_service":"rule:adm +# in_required" has been deprecated since T in favor of "identity:check +# _policy_association_for_region_and_service":"role:reader and +# system_scope:all". +# The policy association API is now aware of system scope and default +# roles. + +# Delete policy association for region and service. +# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} +# Intended scope(s): system +#"identity:delete_policy_association_for_region_and_service": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_policy_association_for_region_and_service":"rule:ad +# min_required" has been deprecated since T in favor of "identity:dele +# te_policy_association_for_region_and_service":"role:admin and +# system_scope:all". +# The policy association API is now aware of system scope and default +# roles. + +# Get policy for endpoint. 
+# GET /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy +# HEAD /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy +# Intended scope(s): system +#"identity:get_policy_for_endpoint": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_policy_for_endpoint":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:get_policy_for_endpoint":"role:reader and +# system_scope:all". +# The policy association API is now aware of system scope and default +# roles. + +# List endpoints for policy. +# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints +# Intended scope(s): system +#"identity:list_endpoints_for_policy": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_endpoints_for_policy":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:list_endpoints_for_policy":"role:reader and +# system_scope:all". +# The policy association API is now aware of system scope and default +# roles. + +# Show project details. +# GET /v3/projects/{project_id} +# Intended scope(s): system, domain, project +#"identity:get_project": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s" + +# DEPRECATED +# "identity:get_project":"rule:admin_required or +# project_id:%(target.project.id)s" has been deprecated since S in +# favor of "identity:get_project":"(role:reader and system_scope:all) +# or (role:reader and domain_id:%(target.project.domain_id)s) or +# project_id:%(target.project.id)s". +# The project API is now aware of system scope and default roles. + +# List projects. 
+# GET /v3/projects +# Intended scope(s): system, domain +#"identity:list_projects": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" + +# DEPRECATED +# "identity:list_projects":"rule:admin_required" has been deprecated +# since S in favor of "identity:list_projects":"(role:reader and +# system_scope:all) or (role:reader and +# domain_id:%(target.domain_id)s)". +# The project API is now aware of system scope and default roles. + +# List projects for user. +# GET /v3/users/{user_id}/projects +# Intended scope(s): system, domain, project +#"identity:list_user_projects": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s" + +# DEPRECATED +# "identity:list_user_projects":"rule:admin_or_owner" has been +# deprecated since S in favor of +# "identity:list_user_projects":"(role:reader and system_scope:all) or +# (role:reader and domain_id:%(target.user.domain_id)s) or +# user_id:%(target.user.id)s". +# The project API is now aware of system scope and default roles. + +# Create project. +# POST /v3/projects +# Intended scope(s): system, domain +#"identity:create_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)" + +# DEPRECATED +# "identity:create_project":"rule:admin_required" has been deprecated +# since S in favor of "identity:create_project":"(role:admin and +# system_scope:all) or (role:admin and +# domain_id:%(target.project.domain_id)s)". +# The project API is now aware of system scope and default roles. + +# Update project. 
+# PATCH /v3/projects/{project_id} +# Intended scope(s): system, domain +#"identity:update_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)" + +# DEPRECATED +# "identity:update_project":"rule:admin_required" has been deprecated +# since S in favor of "identity:update_project":"(role:admin and +# system_scope:all) or (role:admin and +# domain_id:%(target.project.domain_id)s)". +# The project API is now aware of system scope and default roles. + +# Delete project. +# DELETE /v3/projects/{project_id} +# Intended scope(s): system, domain +#"identity:delete_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)" + +# DEPRECATED +# "identity:delete_project":"rule:admin_required" has been deprecated +# since S in favor of "identity:delete_project":"(role:admin and +# system_scope:all) or (role:admin and +# domain_id:%(target.project.domain_id)s)". +# The project API is now aware of system scope and default roles. + +# List tags for a project. +# GET /v3/projects/{project_id}/tags +# HEAD /v3/projects/{project_id}/tags +# Intended scope(s): system, domain, project +#"identity:list_project_tags": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s" + +# DEPRECATED +# "identity:list_project_tags":"rule:admin_required or +# project_id:%(target.project.id)s" has been deprecated since T in +# favor of "identity:list_project_tags":"(role:reader and +# system_scope:all) or (role:reader and +# domain_id:%(target.project.domain_id)s) or +# project_id:%(target.project.id)s". +# As of the Train release, the project tags API understands how to +# handle system-scoped tokens in addition to project and domain +# tokens, making the API more accessible to users without compromising +# security or manageability for administrators. 
The new default +# policies for this API account for these changes automatically. + +# Check if project contains a tag. +# GET /v3/projects/{project_id}/tags/{value} +# HEAD /v3/projects/{project_id}/tags/{value} +# Intended scope(s): system, domain, project +#"identity:get_project_tag": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s" + +# DEPRECATED +# "identity:get_project_tag":"rule:admin_required or +# project_id:%(target.project.id)s" has been deprecated since T in +# favor of "identity:get_project_tag":"(role:reader and +# system_scope:all) or (role:reader and +# domain_id:%(target.project.domain_id)s) or +# project_id:%(target.project.id)s". +# As of the Train release, the project tags API understands how to +# handle system-scoped tokens in addition to project and domain +# tokens, making the API more accessible to users without compromising +# security or manageability for administrators. The new default +# policies for this API account for these changes automatically. + +# Replace all tags on a project with the new set of tags. +# PUT /v3/projects/{project_id}/tags +# Intended scope(s): system, domain, project +#"identity:update_project_tags": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" + +# DEPRECATED +# "identity:update_project_tags":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:update_project_tags":"(role:admin and system_scope:all) or +# (role:admin and domain_id:%(target.project.domain_id)s) or +# (role:admin and project_id:%(target.project.id)s)". +# As of the Train release, the project tags API understands how to +# handle system-scoped tokens in addition to project and domain +# tokens, making the API more accessible to users without compromising +# security or manageability for administrators. 
The new default +# policies for this API account for these changes automatically. + +# Add a single tag to a project. +# PUT /v3/projects/{project_id}/tags/{value} +# Intended scope(s): system, domain, project +#"identity:create_project_tag": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" + +# DEPRECATED +# "identity:create_project_tag":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:create_project_tag":"(role:admin and system_scope:all) or +# (role:admin and domain_id:%(target.project.domain_id)s) or +# (role:admin and project_id:%(target.project.id)s)". +# As of the Train release, the project tags API understands how to +# handle system-scoped tokens in addition to project and domain +# tokens, making the API more accessible to users without compromising +# security or manageability for administrators. The new default +# policies for this API account for these changes automatically. + +# Remove all tags from a project. +# DELETE /v3/projects/{project_id}/tags +# Intended scope(s): system, domain, project +#"identity:delete_project_tags": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" + +# DEPRECATED +# "identity:delete_project_tags":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:delete_project_tags":"(role:admin and system_scope:all) or +# (role:admin and domain_id:%(target.project.domain_id)s) or +# (role:admin and project_id:%(target.project.id)s)". +# As of the Train release, the project tags API understands how to +# handle system-scoped tokens in addition to project and domain +# tokens, making the API more accessible to users without compromising +# security or manageability for administrators. The new default +# policies for this API account for these changes automatically. 
+ +# Delete a specified tag from project. +# DELETE /v3/projects/{project_id}/tags/{value} +# Intended scope(s): system, domain, project +#"identity:delete_project_tag": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" + +# DEPRECATED +# "identity:delete_project_tag":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:delete_project_tag":"(role:admin and system_scope:all) or +# (role:admin and domain_id:%(target.project.domain_id)s) or +# (role:admin and project_id:%(target.project.id)s)". +# As of the Train release, the project tags API understands how to +# handle system-scoped tokens in addition to project and domain +# tokens, making the API more accessible to users without compromising +# security or manageability for administrators. The new default +# policies for this API account for these changes automatically. + +# List projects allowed to access an endpoint. +# GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects +# Intended scope(s): system +#"identity:list_projects_for_endpoint": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_projects_for_endpoint":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:list_projects_for_endpoint":"role:reader and +# system_scope:all". +# As of the Train release, the project endpoint API now understands +# default roles and system-scoped tokens, making the API more granular +# by default without compromising security. The new policy defaults +# account for these changes automatically. Be sure to take these new +# defaults into consideration if you are relying on overrides in your +# deployment for the project endpoint API. + +# Allow project to access an endpoint. 
+# PUT /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} +# Intended scope(s): system +#"identity:add_endpoint_to_project": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:add_endpoint_to_project":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:add_endpoint_to_project":"role:admin and +# system_scope:all". +# As of the Train release, the project endpoint API now understands +# default roles and system-scoped tokens, making the API more granular +# by default without compromising security. The new policy defaults +# account for these changes automatically. Be sure to take these new +# defaults into consideration if you are relying on overrides in your +# deployment for the project endpoint API. + +# Check if a project is allowed to access an endpoint. +# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} +# HEAD /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} +# Intended scope(s): system +#"identity:check_endpoint_in_project": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:check_endpoint_in_project":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:check_endpoint_in_project":"role:reader and +# system_scope:all". +# As of the Train release, the project endpoint API now understands +# default roles and system-scoped tokens, making the API more granular +# by default without compromising security. The new policy defaults +# account for these changes automatically. Be sure to take these new +# defaults into consideration if you are relying on overrides in your +# deployment for the project endpoint API. + +# List the endpoints a project is allowed to access. 
+# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints +# Intended scope(s): system +#"identity:list_endpoints_for_project": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_endpoints_for_project":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:list_endpoints_for_project":"role:reader and +# system_scope:all". +# As of the Train release, the project endpoint API now understands +# default roles and system-scoped tokens, making the API more granular +# by default without compromising security. The new policy defaults +# account for these changes automatically. Be sure to take these new +# defaults into consideration if you are relying on overrides in your +# deployment for the project endpoint API. + +# Remove access to an endpoint from a project that has previously been +# given explicit access. +# DELETE /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} +# Intended scope(s): system +#"identity:remove_endpoint_from_project": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:remove_endpoint_from_project":"rule:admin_required" has +# been deprecated since T in favor of +# "identity:remove_endpoint_from_project":"role:admin and +# system_scope:all". +# As of the Train release, the project endpoint API now understands +# default roles and system-scoped tokens, making the API more granular +# by default without compromising security. The new policy defaults +# account for these changes automatically. Be sure to take these new +# defaults into consideration if you are relying on overrides in your +# deployment for the project endpoint API. + +# Create federated protocol. 
+# PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} +# Intended scope(s): system +#"identity:create_protocol": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_protocol":"rule:admin_required" has been deprecated +# since S in favor of "identity:create_protocol":"role:admin and +# system_scope:all". +# The federated protocol API is now aware of system scope and default +# roles. + +# Update federated protocol. +# PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} +# Intended scope(s): system +#"identity:update_protocol": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_protocol":"rule:admin_required" has been deprecated +# since S in favor of "identity:update_protocol":"role:admin and +# system_scope:all". +# The federated protocol API is now aware of system scope and default +# roles. + +# Get federated protocol. +# GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} +# Intended scope(s): system +#"identity:get_protocol": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_protocol":"rule:admin_required" has been deprecated +# since S in favor of "identity:get_protocol":"role:reader and +# system_scope:all". +# The federated protocol API is now aware of system scope and default +# roles. + +# List federated protocols. +# GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols +# Intended scope(s): system +#"identity:list_protocols": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_protocols":"rule:admin_required" has been deprecated +# since S in favor of "identity:list_protocols":"role:reader and +# system_scope:all". +# The federated protocol API is now aware of system scope and default +# roles. + +# Delete federated protocol. 
+# DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} +# Intended scope(s): system +#"identity:delete_protocol": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_protocol":"rule:admin_required" has been deprecated +# since S in favor of "identity:delete_protocol":"role:admin and +# system_scope:all". +# The federated protocol API is now aware of system scope and default +# roles. + +# Show region details. +# GET /v3/regions/{region_id} +# HEAD /v3/regions/{region_id} +# Intended scope(s): system, domain, project +#"identity:get_region": "" + +# List regions. +# GET /v3/regions +# HEAD /v3/regions +# Intended scope(s): system, domain, project +#"identity:list_regions": "" + +# Create region. +# POST /v3/regions +# PUT /v3/regions/{region_id} +# Intended scope(s): system +#"identity:create_region": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_region":"rule:admin_required" has been deprecated +# since S in favor of "identity:create_region":"role:admin and +# system_scope:all". +# The region API is now aware of system scope and default roles. + +# Update region. +# PATCH /v3/regions/{region_id} +# Intended scope(s): system +#"identity:update_region": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_region":"rule:admin_required" has been deprecated +# since S in favor of "identity:update_region":"role:admin and +# system_scope:all". +# The region API is now aware of system scope and default roles. + +# Delete region. +# DELETE /v3/regions/{region_id} +# Intended scope(s): system +#"identity:delete_region": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_region":"rule:admin_required" has been deprecated +# since S in favor of "identity:delete_region":"role:admin and +# system_scope:all". +# The region API is now aware of system scope and default roles. + +# Show registered limit details. 
+# GET /v3/registered_limits/{registered_limit_id} +# HEAD /v3/registered_limits/{registered_limit_id} +# Intended scope(s): system, domain, project +#"identity:get_registered_limit": "" + +# List registered limits. +# GET /v3/registered_limits +# HEAD /v3/registered_limits +# Intended scope(s): system, domain, project +#"identity:list_registered_limits": "" + +# Create registered limits. +# POST /v3/registered_limits +# Intended scope(s): system +#"identity:create_registered_limits": "role:admin and system_scope:all" + +# Update registered limit. +# PATCH /v3/registered_limits/{registered_limit_id} +# Intended scope(s): system +#"identity:update_registered_limit": "role:admin and system_scope:all" + +# Delete registered limit. +# DELETE /v3/registered_limits/{registered_limit_id} +# Intended scope(s): system +#"identity:delete_registered_limit": "role:admin and system_scope:all" + +# List revocation events. +# GET /v3/OS-REVOKE/events +# Intended scope(s): system +#"identity:list_revoke_events": "rule:service_or_admin" + +# Show role details. +# GET /v3/roles/{role_id} +# HEAD /v3/roles/{role_id} +# Intended scope(s): system +#"identity:get_role": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_role":"rule:admin_required" has been deprecated since +# S in favor of "identity:get_role":"role:reader and +# system_scope:all". +# The role API is now aware of system scope and default roles. + +# List roles. +# GET /v3/roles +# HEAD /v3/roles +# Intended scope(s): system +#"identity:list_roles": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_roles":"rule:admin_required" has been deprecated +# since S in favor of "identity:list_roles":"role:reader and +# system_scope:all". +# The role API is now aware of system scope and default roles. + +# Create role. 
+# POST /v3/roles +# Intended scope(s): system +#"identity:create_role": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_role":"rule:admin_required" has been deprecated +# since S in favor of "identity:create_role":"role:admin and +# system_scope:all". +# The role API is now aware of system scope and default roles. + +# Update role. +# PATCH /v3/roles/{role_id} +# Intended scope(s): system +#"identity:update_role": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_role":"rule:admin_required" has been deprecated +# since S in favor of "identity:update_role":"role:admin and +# system_scope:all". +# The role API is now aware of system scope and default roles. + +# Delete role. +# DELETE /v3/roles/{role_id} +# Intended scope(s): system +#"identity:delete_role": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_role":"rule:admin_required" has been deprecated +# since S in favor of "identity:delete_role":"role:admin and +# system_scope:all". +# The role API is now aware of system scope and default roles. + +# Show domain role. +# GET /v3/roles/{role_id} +# HEAD /v3/roles/{role_id} +# Intended scope(s): system +#"identity:get_domain_role": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_domain_role":"rule:admin_required" has been deprecated +# since T in favor of "identity:get_domain_role":"role:reader and +# system_scope:all". +# The role API is now aware of system scope and default roles. + +# List domain roles. +# GET /v3/roles?domain_id={domain_id} +# HEAD /v3/roles?domain_id={domain_id} +# Intended scope(s): system +#"identity:list_domain_roles": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_domain_roles":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:list_domain_roles":"role:reader and system_scope:all". +# The role API is now aware of system scope and default roles. + +# Create domain role. 
+# POST /v3/roles +# Intended scope(s): system +#"identity:create_domain_role": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_domain_role":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:create_domain_role":"role:admin and system_scope:all". +# The role API is now aware of system scope and default roles. + +# Update domain role. +# PATCH /v3/roles/{role_id} +# Intended scope(s): system +#"identity:update_domain_role": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_domain_role":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:update_domain_role":"role:admin and system_scope:all". +# The role API is now aware of system scope and default roles. + +# Delete domain role. +# DELETE /v3/roles/{role_id} +# Intended scope(s): system +#"identity:delete_domain_role": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_domain_role":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:delete_domain_role":"role:admin and system_scope:all". +# The role API is now aware of system scope and default roles. + +# List role assignments. +# GET /v3/role_assignments +# HEAD /v3/role_assignments +# Intended scope(s): system, domain +#"identity:list_role_assignments": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" + +# DEPRECATED +# "identity:list_role_assignments":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:list_role_assignments":"(role:reader and system_scope:all) +# or (role:reader and domain_id:%(target.domain_id)s)". +# The assignment API is now aware of system scope and default roles. + +# List all role assignments for a given tree of hierarchical projects. 
+# GET /v3/role_assignments?include_subtree +# HEAD /v3/role_assignments?include_subtree +# Intended scope(s): system, domain, project +#"identity:list_role_assignments_for_tree": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" + +# DEPRECATED +# "identity:list_role_assignments_for_tree":"rule:admin_required" has +# been deprecated since T in favor of +# "identity:list_role_assignments_for_tree":"(role:reader and +# system_scope:all) or (role:reader and +# domain_id:%(target.project.domain_id)s) or (role:admin and +# project_id:%(target.project.id)s)". +# The assignment API is now aware of system scope and default roles. + +# Show service details. +# GET /v3/services/{service_id} +# Intended scope(s): system +#"identity:get_service": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_service":"rule:admin_required" has been deprecated +# since S in favor of "identity:get_service":"role:reader and +# system_scope:all". +# The service API is now aware of system scope and default roles. + +# List services. +# GET /v3/services +# Intended scope(s): system +#"identity:list_services": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_services":"rule:admin_required" has been deprecated +# since S in favor of "identity:list_services":"role:reader and +# system_scope:all". +# The service API is now aware of system scope and default roles. + +# Create service. +# POST /v3/services +# Intended scope(s): system +#"identity:create_service": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_service":"rule:admin_required" has been deprecated +# since S in favor of "identity:create_service":"role:admin and +# system_scope:all". +# The service API is now aware of system scope and default roles. + +# Update service. 
+# PATCH /v3/services/{service_id} +# Intended scope(s): system +#"identity:update_service": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_service":"rule:admin_required" has been deprecated +# since S in favor of "identity:update_service":"role:admin and +# system_scope:all". +# The service API is now aware of system scope and default roles. + +# Delete service. +# DELETE /v3/services/{service_id} +# Intended scope(s): system +#"identity:delete_service": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_service":"rule:admin_required" has been deprecated +# since S in favor of "identity:delete_service":"role:admin and +# system_scope:all". +# The service API is now aware of system scope and default roles. + +# Create federated service provider. +# PUT /v3/OS-FEDERATION/service_providers/{service_provider_id} +# Intended scope(s): system +#"identity:create_service_provider": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_service_provider":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:create_service_provider":"role:admin and +# system_scope:all". +# The service provider API is now aware of system scope and default +# roles. + +# List federated service providers. +# GET /v3/OS-FEDERATION/service_providers +# HEAD /v3/OS-FEDERATION/service_providers +# Intended scope(s): system +#"identity:list_service_providers": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_service_providers":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:list_service_providers":"role:reader and +# system_scope:all". +# The service provider API is now aware of system scope and default +# roles. + +# Get federated service provider. 
+# GET /v3/OS-FEDERATION/service_providers/{service_provider_id} +# HEAD /v3/OS-FEDERATION/service_providers/{service_provider_id} +# Intended scope(s): system +#"identity:get_service_provider": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_service_provider":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:get_service_provider":"role:reader and system_scope:all". +# The service provider API is now aware of system scope and default +# roles. + +# Update federated service provider. +# PATCH /v3/OS-FEDERATION/service_providers/{service_provider_id} +# Intended scope(s): system +#"identity:update_service_provider": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_service_provider":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:update_service_provider":"role:admin and +# system_scope:all". +# The service provider API is now aware of system scope and default +# roles. + +# Delete federated service provider. +# DELETE /v3/OS-FEDERATION/service_providers/{service_provider_id} +# Intended scope(s): system +#"identity:delete_service_provider": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_service_provider":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:delete_service_provider":"role:admin and +# system_scope:all". +# The service provider API is now aware of system scope and default +# roles. + +# DEPRECATED +# "identity:revocation_list" has been deprecated since T. +# The identity:revocation_list policy isn't used to protect any APIs +# in keystone now that the revocation list API has been deprecated and +# only returns a 410 or 403 depending on how keystone is configured. +# This policy can be safely removed from policy files. +# List revoked PKI tokens. +# GET /v3/auth/tokens/OS-PKI/revoked +# Intended scope(s): system, project +#"identity:revocation_list": "rule:service_or_admin" + +# Check a token. 
+# HEAD /v3/auth/tokens +# Intended scope(s): system, domain, project +#"identity:check_token": "(role:reader and system_scope:all) or rule:token_subject" + +# DEPRECATED +# "identity:check_token":"rule:admin_or_token_subject" has been +# deprecated since T in favor of "identity:check_token":"(role:reader +# and system_scope:all) or rule:token_subject". +# The token API is now aware of system scope and default roles. + +# Validate a token. +# GET /v3/auth/tokens +# Intended scope(s): system, domain, project +#"identity:validate_token": "(role:reader and system_scope:all) or rule:service_role or rule:token_subject" + +# DEPRECATED +# "identity:validate_token":"rule:service_admin_or_token_subject" has +# been deprecated since T in favor of +# "identity:validate_token":"(role:reader and system_scope:all) or +# rule:service_role or rule:token_subject". +# The token API is now aware of system scope and default roles. + +# Revoke a token. +# DELETE /v3/auth/tokens +# Intended scope(s): system, domain, project +#"identity:revoke_token": "(role:admin and system_scope:all) or rule:token_subject" + +# DEPRECATED +# "identity:revoke_token":"rule:admin_or_token_subject" has been +# deprecated since T in favor of "identity:revoke_token":"(role:admin +# and system_scope:all) or rule:token_subject". +# The token API is now aware of system scope and default roles. + +# Create trust. +# POST /v3/OS-TRUST/trusts +# Intended scope(s): project +#"identity:create_trust": "user_id:%(trust.trustor_user_id)s" + +# List trusts. +# GET /v3/OS-TRUST/trusts +# HEAD /v3/OS-TRUST/trusts +# Intended scope(s): system +#"identity:list_trusts": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_trusts":"rule:admin_required" has been deprecated +# since T in favor of "identity:list_trusts":"role:reader and +# system_scope:all". +# The trust API is now aware of system scope and default roles. + +# List trusts for trustor. 
+# GET /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id} +# HEAD /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id} +# Intended scope(s): system, project +#"identity:list_trusts_for_trustor": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s" + +# List trusts for trustee. +# GET /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id} +# HEAD /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id} +# Intended scope(s): system, project +#"identity:list_trusts_for_trustee": "role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s" + +# List roles delegated by a trust. +# GET /v3/OS-TRUST/trusts/{trust_id}/roles +# HEAD /v3/OS-TRUST/trusts/{trust_id}/roles +# Intended scope(s): system, project +#"identity:list_roles_for_trust": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" + +# DEPRECATED +# "identity:list_roles_for_trust":"user_id:%(target.trust.trustor_user +# _id)s or user_id:%(target.trust.trustee_user_id)s" has been +# deprecated since T in favor of +# "identity:list_roles_for_trust":"role:reader and system_scope:all or +# user_id:%(target.trust.trustor_user_id)s or +# user_id:%(target.trust.trustee_user_id)s". +# The trust API is now aware of system scope and default roles. + +# Check if trust delegates a particular role. 
+# GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id} +# HEAD /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id} +# Intended scope(s): system, project +#"identity:get_role_for_trust": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" + +# DEPRECATED +# "identity:get_role_for_trust":"user_id:%(target.trust.trustor_user_i +# d)s or user_id:%(target.trust.trustee_user_id)s" has been deprecated +# since T in favor of "identity:get_role_for_trust":"role:reader and +# system_scope:all or user_id:%(target.trust.trustor_user_id)s or +# user_id:%(target.trust.trustee_user_id)s". +# The trust API is now aware of system scope and default roles. + +# Revoke trust. +# DELETE /v3/OS-TRUST/trusts/{trust_id} +# Intended scope(s): system, project +#"identity:delete_trust": "role:admin and system_scope:all or user_id:%(target.trust.trustor_user_id)s" + +# DEPRECATED +# "identity:delete_trust":"user_id:%(target.trust.trustor_user_id)s" +# has been deprecated since T in favor of +# "identity:delete_trust":"role:admin and system_scope:all or +# user_id:%(target.trust.trustor_user_id)s". +# The trust API is now aware of system scope and default roles. + +# Get trust. +# GET /v3/OS-TRUST/trusts/{trust_id} +# HEAD /v3/OS-TRUST/trusts/{trust_id} +# Intended scope(s): system, project +#"identity:get_trust": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" + +# DEPRECATED +# "identity:get_trust":"user_id:%(target.trust.trustor_user_id)s or +# user_id:%(target.trust.trustee_user_id)s" has been deprecated since +# T in favor of "identity:get_trust":"role:reader and system_scope:all +# or user_id:%(target.trust.trustor_user_id)s or +# user_id:%(target.trust.trustee_user_id)s". +# The trust API is now aware of system scope and default roles. + +# Show user details. 
+# GET /v3/users/{user_id} +# HEAD /v3/users/{user_id} +# Intended scope(s): system, domain, project +#"identity:get_user": "(role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s" + +# DEPRECATED +# "identity:get_user":"rule:admin_or_owner" has been deprecated since +# S in favor of "identity:get_user":"(role:reader and +# system_scope:all) or (role:reader and +# token.domain.id:%(target.user.domain_id)s) or +# user_id:%(target.user.id)s". +# The user API is now aware of system scope and default roles. + +# List users. +# GET /v3/users +# HEAD /v3/users +# Intended scope(s): system, domain +#"identity:list_users": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" + +# DEPRECATED +# "identity:list_users":"rule:admin_required" has been deprecated +# since S in favor of "identity:list_users":"(role:reader and +# system_scope:all) or (role:reader and +# domain_id:%(target.domain_id)s)". +# The user API is now aware of system scope and default roles. + +# List all projects a user has access to via role assignments. +# GET /v3/auth/projects +#"identity:list_projects_for_user": "" + +# List all domains a user has access to via role assignments. +# GET /v3/auth/domains +#"identity:list_domains_for_user": "" + +# Create a user. +# POST /v3/users +# Intended scope(s): system, domain +#"identity:create_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)" + +# DEPRECATED +# "identity:create_user":"rule:admin_required" has been deprecated +# since S in favor of "identity:create_user":"(role:admin and +# system_scope:all) or (role:admin and +# token.domain.id:%(target.user.domain_id)s)". +# The user API is now aware of system scope and default roles. + +# Update a user, including administrative password resets. 
+# PATCH /v3/users/{user_id}
+# Intended scope(s): system, domain
+#"identity:update_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)"
+
+# DEPRECATED
+# "identity:update_user":"rule:admin_required" has been deprecated
+# since S in favor of "identity:update_user":"(role:admin and
+# system_scope:all) or (role:admin and
+# token.domain.id:%(target.user.domain_id)s)".
+# The user API is now aware of system scope and default roles.
+
+# Delete a user.
+# DELETE /v3/users/{user_id}
+# Intended scope(s): system, domain
+#"identity:delete_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)"
+
+# DEPRECATED
+# "identity:delete_user":"rule:admin_required" has been deprecated
+# since S in favor of "identity:delete_user":"(role:admin and
+# system_scope:all) or (role:admin and
+# token.domain.id:%(target.user.domain_id)s)".
+# The user API is now aware of system scope and default roles.
+
diff --git a/openstack_dashboard/conf/neutron_policy.json b/openstack_dashboard/conf/neutron_policy.json
deleted file mode 100644
index a1dfae1767..0000000000
--- a/openstack_dashboard/conf/neutron_policy.json
+++ /dev/null
@@ -1,220 +0,0 @@ -{ - "context_is_admin": "role:admin", - "owner": "tenant_id:%(tenant_id)s", - "admin_or_owner": "rule:context_is_admin or rule:owner", - "context_is_advsvc": "role:advsvc", - "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s", - "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner", - "admin_only": "rule:context_is_admin", - "regular_user": "", - "shared": "field:networks:shared=True", - "default": "rule:admin_or_owner", - "admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s", - "shared_address_scopes": "field:address_scopes:shared=True", - "create_address_scope": "rule:regular_user", - "create_address_scope:shared": "rule:admin_only", - "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes", - "update_address_scope": "rule:admin_or_owner", - "update_address_scope:shared": "rule:admin_only", - "delete_address_scope": "rule:admin_or_owner", - "get_agent": "rule:admin_only", - "update_agent": "rule:admin_only", - "delete_agent": "rule:admin_only", - "create_dhcp-network": "rule:admin_only", - "get_dhcp-networks": "rule:admin_only", - "delete_dhcp-network": "rule:admin_only", - "create_l3-router": "rule:admin_only", - "get_l3-routers": "rule:admin_only", - "delete_l3-router": "rule:admin_only", - "get_dhcp-agents": "rule:admin_only", - "get_l3-agents": "rule:admin_only", - "get_agent-loadbalancers": "rule:admin_only", - "get_loadbalancer-hosting-agent": "rule:admin_only", - "get_auto_allocated_topology": "rule:admin_or_owner", - "delete_auto_allocated_topology": "rule:admin_or_owner", - "get_availability_zone": "rule:regular_user", - "create_flavor": "rule:admin_only", - "get_flavor": "rule:regular_user", - "update_flavor": "rule:admin_only", - "delete_flavor": "rule:admin_only", - "create_service_profile": "rule:admin_only", - "get_service_profile": "rule:admin_only", - "update_service_profile": "rule:admin_only", - 
"delete_service_profile": "rule:admin_only", - "create_flavor_service_profile": "rule:admin_only", - "delete_flavor_service_profile": "rule:admin_only", - "create_floatingip": "rule:regular_user", - "create_floatingip:floating_ip_address": "rule:admin_only", - "get_floatingip": "rule:admin_or_owner", - "update_floatingip": "rule:admin_or_owner", - "delete_floatingip": "rule:admin_or_owner", - "get_floatingip_pool": "rule:regular_user", - "create_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner", - "get_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner", - "update_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner", - "delete_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner", - "get_loggable_resource": "rule:admin_only", - "create_log": "rule:admin_only", - "get_log": "rule:admin_only", - "update_log": "rule:admin_only", - "delete_log": "rule:admin_only", - "create_metering_label": "rule:admin_only", - "get_metering_label": "rule:admin_only", - "delete_metering_label": "rule:admin_only", - "create_metering_label_rule": "rule:admin_only", - "get_metering_label_rule": "rule:admin_only", - "delete_metering_label_rule": "rule:admin_only", - "external": "field:networks:router:external=True", - "create_network": "rule:regular_user", - "create_network:shared": "rule:admin_only", - "create_network:router:external": "rule:admin_only", - "create_network:is_default": "rule:admin_only", - "create_network:port_security_enabled": "rule:regular_user", - "create_network:segments": "rule:admin_only", - "create_network:provider:network_type": "rule:admin_only", - "create_network:provider:physical_network": "rule:admin_only", - "create_network:provider:segmentation_id": "rule:admin_only", - "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc", - "get_network:router:external": "rule:regular_user", - "get_network:segments": "rule:admin_only", - "get_network:provider:network_type": "rule:admin_only", - 
"get_network:provider:physical_network": "rule:admin_only", - "get_network:provider:segmentation_id": "rule:admin_only", - "update_network": "rule:admin_or_owner", - "update_network:segments": "rule:admin_only", - "update_network:shared": "rule:admin_only", - "update_network:provider:network_type": "rule:admin_only", - "update_network:provider:physical_network": "rule:admin_only", - "update_network:provider:segmentation_id": "rule:admin_only", - "update_network:router:external": "rule:admin_only", - "update_network:is_default": "rule:admin_only", - "update_network:port_security_enabled": "rule:admin_or_owner", - "delete_network": "rule:admin_or_owner", - "get_network_ip_availability": "rule:admin_only", - "create_network_segment_range": "rule:admin_only", - "get_network_segment_range": "rule:admin_only", - "update_network_segment_range": "rule:admin_only", - "delete_network_segment_range": "rule:admin_only", - "network_device": "field:port:device_owner=~^network:", - "admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator", - "create_port": "rule:regular_user", - "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner", - "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner", - "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner", - "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner", - "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared", - "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", - "create_port:binding:host_id": "rule:admin_only", - "create_port:binding:profile": "rule:admin_only", - "create_port:binding:vnic_type": "rule:regular_user", - "create_port:allowed_address_pairs": "rule:admin_or_network_owner", - "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner", - 
"get_port:binding:vif_type": "rule:admin_only", - "get_port:binding:vif_details": "rule:admin_only", - "get_port:binding:host_id": "rule:admin_only", - "get_port:binding:profile": "rule:admin_only", - "get_port:resource_request": "rule:admin_only", - "update_port": "rule:admin_or_owner or rule:context_is_advsvc", - "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner", - "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc", - "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner", - "update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner", - "update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared", - "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner", - "update_port:binding:host_id": "rule:admin_only", - "update_port:binding:profile": "rule:admin_only", - "update_port:binding:vnic_type": "rule:admin_or_owner or rule:context_is_advsvc", - "update_port:allowed_address_pairs": "rule:admin_or_network_owner", - "update_port:data_plane_status": "rule:admin_or_data_plane_int", - "delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner", - "get_policy": "rule:regular_user", - "create_policy": "rule:admin_only", - "update_policy": "rule:admin_only", - "delete_policy": "rule:admin_only", - "get_rule_type": "rule:regular_user", - "get_policy_bandwidth_limit_rule": "rule:regular_user", - "create_policy_bandwidth_limit_rule": "rule:admin_only", - "update_policy_bandwidth_limit_rule": "rule:admin_only", - "delete_policy_bandwidth_limit_rule": "rule:admin_only", - "get_policy_dscp_marking_rule": "rule:regular_user", - "create_policy_dscp_marking_rule": "rule:admin_only", - "update_policy_dscp_marking_rule": "rule:admin_only", - "delete_policy_dscp_marking_rule": "rule:admin_only", - "get_policy_minimum_bandwidth_rule": 
"rule:regular_user", - "create_policy_minimum_bandwidth_rule": "rule:admin_only", - "update_policy_minimum_bandwidth_rule": "rule:admin_only", - "delete_policy_minimum_bandwidth_rule": "rule:admin_only", - "get_alias_bandwidth_limit_rule": "rule:get_policy_bandwidth_limit_rule", - "update_alias_bandwidth_limit_rule": "rule:update_policy_bandwidth_limit_rule", - "delete_alias_bandwidth_limit_rule": "rule:delete_policy_bandwidth_limit_rule", - "get_alias_dscp_marking_rule": "rule:get_policy_dscp_marking_rule", - "update_alias_dscp_marking_rule": "rule:update_policy_dscp_marking_rule", - "delete_alias_dscp_marking_rule": "rule:delete_policy_dscp_marking_rule", - "get_alias_minimum_bandwidth_rule": "rule:get_policy_minimum_bandwidth_rule", - "update_alias_minimum_bandwidth_rule": "rule:update_policy_minimum_bandwidth_rule", - "delete_alias_minimum_bandwidth_rule": "rule:delete_policy_minimum_bandwidth_rule", - "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only", - "create_rbac_policy": "rule:regular_user", - "create_rbac_policy:target_tenant": "rule:restrict_wildcard", - "update_rbac_policy": "rule:admin_or_owner", - "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner", - "get_rbac_policy": "rule:admin_or_owner", - "delete_rbac_policy": "rule:admin_or_owner", - "create_router": "rule:regular_user", - "create_router:distributed": "rule:admin_only", - "create_router:ha": "rule:admin_only", - "create_router:external_gateway_info": "rule:admin_or_owner", - "create_router:external_gateway_info:network_id": "rule:admin_or_owner", - "create_router:external_gateway_info:enable_snat": "rule:admin_only", - "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only", - "get_router": "rule:admin_or_owner", - "get_router:distributed": "rule:admin_only", - "get_router:ha": "rule:admin_only", - "update_router": "rule:admin_or_owner", - "update_router:distributed": "rule:admin_only", - "update_router:ha": 
"rule:admin_only", - "update_router:external_gateway_info": "rule:admin_or_owner", - "update_router:external_gateway_info:network_id": "rule:admin_or_owner", - "update_router:external_gateway_info:enable_snat": "rule:admin_only", - "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only", - "delete_router": "rule:admin_or_owner", - "add_router_interface": "rule:admin_or_owner", - "remove_router_interface": "rule:admin_or_owner", - "create_security_group": "rule:admin_or_owner", - "get_security_group": "rule:regular_user", - "update_security_group": "rule:admin_or_owner", - "delete_security_group": "rule:admin_or_owner", - "create_security_group_rule": "rule:admin_or_owner", - "get_security_group_rule": "rule:admin_or_owner", - "delete_security_group_rule": "rule:admin_or_owner", - "create_segment": "rule:admin_only", - "get_segment": "rule:admin_only", - "update_segment": "rule:admin_only", - "delete_segment": "rule:admin_only", - "get_service_provider": "rule:regular_user", - "create_subnet": "rule:admin_or_network_owner", - "create_subnet:segment_id": "rule:admin_only", - "create_subnet:service_types": "rule:admin_only", - "get_subnet": "rule:admin_or_owner or rule:shared", - "get_subnet:segment_id": "rule:admin_only", - "update_subnet": "rule:admin_or_network_owner", - "update_subnet:segment_id": "rule:admin_only", - "update_subnet:service_types": "rule:admin_only", - "delete_subnet": "rule:admin_or_network_owner", - "shared_subnetpools": "field:subnetpools:shared=True", - "create_subnetpool": "rule:regular_user", - "create_subnetpool:shared": "rule:admin_only", - "create_subnetpool:is_default": "rule:admin_only", - "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools", - "update_subnetpool": "rule:admin_or_owner", - "update_subnetpool:is_default": "rule:admin_only", - "delete_subnetpool": "rule:admin_or_owner", - "onboard_network_subnets": "rule:admin_or_owner", - "create_trunk": "rule:regular_user", - "get_trunk": 
"rule:admin_or_owner", - "update_trunk": "rule:admin_or_owner", - "delete_trunk": "rule:admin_or_owner", - "get_subports": "rule:regular_user", - "add_subports": "rule:admin_or_owner", - "remove_subports": "rule:admin_or_owner" -} diff --git a/openstack_dashboard/conf/neutron_policy.yaml b/openstack_dashboard/conf/neutron_policy.yaml new file mode 100644 index 0000000000..75b8adcf94 --- /dev/null +++ b/openstack_dashboard/conf/neutron_policy.yaml 
@@ -0,0 +1,961 @@ +# Rule for cloud admin access +#"context_is_admin": "role:admin" + +# Rule for resource owner access +#"owner": "tenant_id:%(tenant_id)s" + +# Rule for admin or owner access +#"admin_or_owner": "rule:context_is_admin or rule:owner" + +# Rule for advsvc role access +#"context_is_advsvc": "role:advsvc" + +# Rule for admin or network owner access +#"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s" + +# Rule for resource owner, admin or network owner access +#"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner" + +# Rule for admin-only access +#"admin_only": "rule:context_is_admin" + +# Rule for regular user access +#"regular_user": "" + +# Rule of shared network +#"shared": "field:networks:shared=True" + +# Default access rule +#"default": "rule:admin_or_owner" + +# Rule for common parent owner check +#"admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s" + +# Definition of a shared address scope +#"shared_address_scopes": "field:address_scopes:shared=True" + +# Create an address scope +# POST /address-scopes +#"create_address_scope": "rule:regular_user" + +# Create a shared address scope +# POST /address-scopes +#"create_address_scope:shared": "rule:admin_only" + +# Get an address scope +# GET /address-scopes +# GET /address-scopes/{id} +#"get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes" + +# Update an address scope +# PUT /address-scopes/{id} +#"update_address_scope": "rule:admin_or_owner" + +# Update ``shared`` attribute of an address scope +# PUT /address-scopes/{id} +#"update_address_scope:shared": "rule:admin_only" + +# Delete an address scope +# DELETE /address-scopes/{id} +#"delete_address_scope": "rule:admin_or_owner" + +# Get an agent +# GET /agents +# GET /agents/{id} +#"get_agent": "rule:admin_only" + +# Update an agent +# PUT /agents/{id} +#"update_agent": "rule:admin_only" + +# Delete an agent +# DELETE /agents/{id} 
+#"delete_agent": "rule:admin_only" + +# Add a network to a DHCP agent +# POST /agents/{agent_id}/dhcp-networks +#"create_dhcp-network": "rule:admin_only" + +# List networks on a DHCP agent +# GET /agents/{agent_id}/dhcp-networks +#"get_dhcp-networks": "rule:admin_only" + +# Remove a network from a DHCP agent +# DELETE /agents/{agent_id}/dhcp-networks/{network_id} +#"delete_dhcp-network": "rule:admin_only" + +# Add a router to an L3 agent +# POST /agents/{agent_id}/l3-routers +#"create_l3-router": "rule:admin_only" + +# List routers on an L3 agent +# GET /agents/{agent_id}/l3-routers +#"get_l3-routers": "rule:admin_only" + +# Remove a router from an L3 agent +# DELETE /agents/{agent_id}/l3-routers/{router_id} +#"delete_l3-router": "rule:admin_only" + +# List DHCP agents hosting a network +# GET /networks/{network_id}/dhcp-agents +#"get_dhcp-agents": "rule:admin_only" + +# List L3 agents hosting a router +# GET /routers/{router_id}/l3-agents +#"get_l3-agents": "rule:admin_only" + +# Get a project's auto-allocated topology +# GET /auto-allocated-topology/{project_id} +#"get_auto_allocated_topology": "rule:admin_or_owner" + +# Delete a project's auto-allocated topology +# DELETE /auto-allocated-topology/{project_id} +#"delete_auto_allocated_topology": "rule:admin_or_owner" + +# List availability zones +# GET /availability_zones +#"get_availability_zone": "rule:regular_user" + +# Create a flavor +# POST /flavors +#"create_flavor": "rule:admin_only" + +# Get a flavor +# GET /flavors +# GET /flavors/{id} +#"get_flavor": "rule:regular_user" + +# Update a flavor +# PUT /flavors/{id} +#"update_flavor": "rule:admin_only" + +# Delete a flavor +# DELETE /flavors/{id} +#"delete_flavor": "rule:admin_only" + +# Create a service profile +# POST /service_profiles +#"create_service_profile": "rule:admin_only" + +# Get a service profile +# GET /service_profiles +# GET /service_profiles/{id} +#"get_service_profile": "rule:admin_only" + +# Update a service profile +# PUT 
/service_profiles/{id} +#"update_service_profile": "rule:admin_only" + +# Delete a service profile +# DELETE /service_profiles/{id} +#"delete_service_profile": "rule:admin_only" + +# Get a flavor associated with a given service profiles. There is no +# corresponding GET operations in API currently. This rule is +# currently referred only in the DELETE of flavor_service_profile. +#"get_flavor_service_profile": "rule:regular_user" + +# Associate a flavor with a service profile +# POST /flavors/{flavor_id}/service_profiles +#"create_flavor_service_profile": "rule:admin_only" + +# Disassociate a flavor with a service profile +# DELETE /flavors/{flavor_id}/service_profiles/{profile_id} +#"delete_flavor_service_profile": "rule:admin_only" + +# Create a floating IP +# POST /floatingips +#"create_floatingip": "rule:regular_user" + +# Create a floating IP with a specific IP address +# POST /floatingips +#"create_floatingip:floating_ip_address": "rule:admin_only" + +# Get a floating IP +# GET /floatingips +# GET /floatingips/{id} +#"get_floatingip": "rule:admin_or_owner" + +# Update a floating IP +# PUT /floatingips/{id} +#"update_floatingip": "rule:admin_or_owner" + +# Delete a floating IP +# DELETE /floatingips/{id} +#"delete_floatingip": "rule:admin_or_owner" + +# Get floating IP pools +# GET /floatingip_pools +#"get_floatingip_pool": "rule:regular_user" + +# Create a floating IP port forwarding +# POST /floatingips/{floatingip_id}/port_forwardings +#"create_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner" + +# Get a floating IP port forwarding +# GET /floatingips/{floatingip_id}/port_forwardings +# GET /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} +#"get_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner" + +# Update a floating IP port forwarding +# PUT /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} +#"update_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner" + +# Delete a floating IP port 
forwarding +# DELETE /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} +#"delete_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner" + +# Create a router conntrack helper +# POST /routers/{router_id}/conntrack_helpers +#"create_router_conntrack_helper": "rule:admin_or_ext_parent_owner" + +# Get a router conntrack helper +# GET /routers/{router_id}/conntrack_helpers +# GET /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} +#"get_router_conntrack_helper": "rule:admin_or_ext_parent_owner" + +# Update a router conntrack helper +# PUT /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} +#"update_router_conntrack_helper": "rule:admin_or_ext_parent_owner" + +# Delete a router conntrack helper +# DELETE /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} +#"delete_router_conntrack_helper": "rule:admin_or_ext_parent_owner" + +# Get loggable resources +# GET /log/loggable-resources +#"get_loggable_resource": "rule:admin_only" + +# Create a network log +# POST /log/logs +#"create_log": "rule:admin_only" + +# Get a network log +# GET /log/logs +# GET /log/logs/{id} +#"get_log": "rule:admin_only" + +# Update a network log +# PUT /log/logs/{id} +#"update_log": "rule:admin_only" + +# Delete a network log +# DELETE /log/logs/{id} +#"delete_log": "rule:admin_only" + +# Create a metering label +# POST /metering/metering-labels +#"create_metering_label": "rule:admin_only" + +# Get a metering label +# GET /metering/metering-labels +# GET /metering/metering-labels/{id} +#"get_metering_label": "rule:admin_only" + +# Delete a metering label +# DELETE /metering/metering-labels/{id} +#"delete_metering_label": "rule:admin_only" + +# Create a metering label rule +# POST /metering/metering-label-rules +#"create_metering_label_rule": "rule:admin_only" + +# Get a metering label rule +# GET /metering/metering-label-rules +# GET /metering/metering-label-rules/{id} +#"get_metering_label_rule": "rule:admin_only" + +# Delete a metering label 
rule +# DELETE /metering/metering-label-rules/{id} +#"delete_metering_label_rule": "rule:admin_only" + +# Definition of an external network +#"external": "field:networks:router:external=True" + +# Create a network +# POST /networks +#"create_network": "rule:regular_user" + +# Create a shared network +# POST /networks +#"create_network:shared": "rule:admin_only" + +# Create an external network +# POST /networks +#"create_network:router:external": "rule:admin_only" + +# Specify ``is_default`` attribute when creating a network +# POST /networks +#"create_network:is_default": "rule:admin_only" + +# Specify ``port_security_enabled`` attribute when creating a network +# POST /networks +#"create_network:port_security_enabled": "rule:regular_user" + +# Specify ``segments`` attribute when creating a network +# POST /networks +#"create_network:segments": "rule:admin_only" + +# Specify ``provider:network_type`` when creating a network +# POST /networks +#"create_network:provider:network_type": "rule:admin_only" + +# Specify ``provider:physical_network`` when creating a network +# POST /networks +#"create_network:provider:physical_network": "rule:admin_only" + +# Specify ``provider:segmentation_id`` when creating a network +# POST /networks +#"create_network:provider:segmentation_id": "rule:admin_only" + +# Get a network +# GET /networks +# GET /networks/{id} +#"get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc" + +# Get ``router:external`` attribute of a network +# GET /networks +# GET /networks/{id} +#"get_network:router:external": "rule:regular_user" + +# Get ``segments`` attribute of a network +# GET /networks +# GET /networks/{id} +#"get_network:segments": "rule:admin_only" + +# Get ``provider:network_type`` attribute of a network +# GET /networks +# GET /networks/{id} +#"get_network:provider:network_type": "rule:admin_only" + +# Get ``provider:physical_network`` attribute of a network +# GET /networks +# GET /networks/{id} 
+#"get_network:provider:physical_network": "rule:admin_only" + +# Get ``provider:segmentation_id`` attribute of a network +# GET /networks +# GET /networks/{id} +#"get_network:provider:segmentation_id": "rule:admin_only" + +# Update a network +# PUT /networks/{id} +#"update_network": "rule:admin_or_owner" + +# Update ``segments`` attribute of a network +# PUT /networks/{id} +#"update_network:segments": "rule:admin_only" + +# Update ``shared`` attribute of a network +# PUT /networks/{id} +#"update_network:shared": "rule:admin_only" + +# Update ``provider:network_type`` attribute of a network +# PUT /networks/{id} +#"update_network:provider:network_type": "rule:admin_only" + +# Update ``provider:physical_network`` attribute of a network +# PUT /networks/{id} +#"update_network:provider:physical_network": "rule:admin_only" + +# Update ``provider:segmentation_id`` attribute of a network +# PUT /networks/{id} +#"update_network:provider:segmentation_id": "rule:admin_only" + +# Update ``router:external`` attribute of a network +# PUT /networks/{id} +#"update_network:router:external": "rule:admin_only" + +# Update ``is_default`` attribute of a network +# PUT /networks/{id} +#"update_network:is_default": "rule:admin_only" + +# Update ``port_security_enabled`` attribute of a network +# PUT /networks/{id} +#"update_network:port_security_enabled": "rule:admin_or_owner" + +# Delete a network +# DELETE /networks/{id} +#"delete_network": "rule:admin_or_owner" + +# Get network IP availability +# GET /network-ip-availabilities +# GET /network-ip-availabilities/{network_id} +#"get_network_ip_availability": "rule:admin_only" + +# Create a network segment range +# POST /network_segment_ranges +#"create_network_segment_range": "rule:admin_only" + +# Get a network segment range +# GET /network_segment_ranges +# GET /network_segment_ranges/{id} +#"get_network_segment_range": "rule:admin_only" + +# Update a network segment range +# PUT /network_segment_ranges/{id} 
+#"update_network_segment_range": "rule:admin_only" + +# Delete a network segment range +# DELETE /network_segment_ranges/{id} +#"delete_network_segment_range": "rule:admin_only" + +# Definition of port with network device_owner +#"network_device": "field:port:device_owner=~^network:" + +# Rule for data plane integration +#"admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator" + +# Create a port +# POST /ports +#"create_port": "rule:regular_user" + +# Specify ``device_owner`` attribute when creting a port +# POST /ports +#"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner" + +# Specify ``mac_address`` attribute when creating a port +# POST /ports +#"create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner" + +# Specify ``fixed_ips`` information when creating a port +# POST /ports +#"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared" + +# Specify IP address in ``fixed_ips`` when creating a port +# POST /ports +#"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner" + +# Specify subnet ID in ``fixed_ips`` when creating a port +# POST /ports +#"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared" + +# Specify ``port_security_enabled`` attribute when creating a port +# POST /ports +#"create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner" + +# Specify ``binding:host_id`` attribute when creating a port +# POST /ports +#"create_port:binding:host_id": "rule:admin_only" + +# Specify ``binding:profile`` attribute when creating a port +# POST /ports +#"create_port:binding:profile": "rule:admin_only" + +# Specify ``binding:vnic_type`` attribute when creating a port +# POST /ports +#"create_port:binding:vnic_type": "rule:regular_user" + +# Specify ``allowed_address_pairs`` attribute when creating a port 
+# POST /ports +#"create_port:allowed_address_pairs": "rule:admin_or_network_owner" + +# Specify ``mac_address` of `allowed_address_pairs`` attribute when +# creating a port +# POST /ports +#"create_port:allowed_address_pairs:mac_address": "rule:admin_or_network_owner" + +# Specify ``ip_address`` of ``allowed_address_pairs`` attribute when +# creating a port +# POST /ports +#"create_port:allowed_address_pairs:ip_address": "rule:admin_or_network_owner" + +# Get a port +# GET /ports +# GET /ports/{id} +#"get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner" + +# Get ``binding:vif_type`` attribute of a port +# GET /ports +# GET /ports/{id} +#"get_port:binding:vif_type": "rule:admin_only" + +# Get ``binding:vif_details`` attribute of a port +# GET /ports +# GET /ports/{id} +#"get_port:binding:vif_details": "rule:admin_only" + +# Get ``binding:host_id`` attribute of a port +# GET /ports +# GET /ports/{id} +#"get_port:binding:host_id": "rule:admin_only" + +# Get ``binding:profile`` attribute of a port +# GET /ports +# GET /ports/{id} +#"get_port:binding:profile": "rule:admin_only" + +# Get ``resource_request`` attribute of a port +# GET /ports +# GET /ports/{id} +#"get_port:resource_request": "rule:admin_only" + +# Update a port +# PUT /ports/{id} +#"update_port": "rule:admin_or_owner or rule:context_is_advsvc" + +# Update ``device_owner`` attribute of a port +# PUT /ports/{id} +#"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner" + +# Update ``mac_address`` attribute of a port +# PUT /ports/{id} +#"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc" + +# Specify ``fixed_ips`` information when updating a port +# PUT /ports/{id} +#"update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner" + +# Specify IP address in ``fixed_ips`` information when updating a port +# PUT /ports/{id} +#"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or 
rule:admin_or_network_owner"
+
+# Specify subnet ID in ``fixed_ips`` information when updating a port
+# PUT /ports/{id}
+#"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
+
+# Update ``port_security_enabled`` attribute of a port
+# PUT /ports/{id}
+#"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
+
+# Update ``binding:host_id`` attribute of a port
+# PUT /ports/{id}
+#"update_port:binding:host_id": "rule:admin_only"
+
+# Update ``binding:profile`` attribute of a port
+# PUT /ports/{id}
+#"update_port:binding:profile": "rule:admin_only"
+
+# Update ``binding:vnic_type`` attribute of a port
+# PUT /ports/{id}
+#"update_port:binding:vnic_type": "rule:admin_or_owner or rule:context_is_advsvc"
+
+# Update ``allowed_address_pairs`` attribute of a port
+# PUT /ports/{id}
+#"update_port:allowed_address_pairs": "rule:admin_or_network_owner"
+
+# Update ``mac_address`` of ``allowed_address_pairs`` attribute of a
+# port
+# PUT /ports/{id}
+#"update_port:allowed_address_pairs:mac_address": "rule:admin_or_network_owner"
+
+# Update ``ip_address`` of ``allowed_address_pairs`` attribute of a
+# port
+# PUT /ports/{id}
+#"update_port:allowed_address_pairs:ip_address": "rule:admin_or_network_owner"
+
+# Update ``data_plane_status`` attribute of a port
+# PUT /ports/{id}
+#"update_port:data_plane_status": "rule:admin_or_data_plane_int"
+
+# Delete a port
+# DELETE /ports/{id}
+#"delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner"
+
+# Get QoS policies
+# GET /qos/policies
+# GET /qos/policies/{id}
+#"get_policy": "rule:regular_user"
+
+# Create a QoS policy
+# POST /qos/policies
+#"create_policy": "rule:admin_only"
+
+# Update a QoS policy
+# PUT /qos/policies/{id}
+#"update_policy": "rule:admin_only"
+
+# Delete a QoS policy
+# DELETE /qos/policies/{id}
+#"delete_policy": "rule:admin_only"
+
+# Get available QoS rule types
+# GET /qos/rule-types
+# GET /qos/rule-types/{rule_type}
+#"get_rule_type": "rule:regular_user"
+
+# Get a QoS bandwidth limit rule
+# GET /qos/policies/{policy_id}/bandwidth_limit_rules
+# GET /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
+#"get_policy_bandwidth_limit_rule": "rule:regular_user"
+
+# Create a QoS bandwidth limit rule
+# POST /qos/policies/{policy_id}/bandwidth_limit_rules
+#"create_policy_bandwidth_limit_rule": "rule:admin_only"
+
+# Update a QoS bandwidth limit rule
+# PUT /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
+#"update_policy_bandwidth_limit_rule": "rule:admin_only"
+
+# Delete a QoS bandwidth limit rule
+# DELETE /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
+#"delete_policy_bandwidth_limit_rule": "rule:admin_only"
+
+# Get a QoS DSCP marking rule
+# GET /qos/policies/{policy_id}/dscp_marking_rules
+# GET /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
+#"get_policy_dscp_marking_rule": "rule:regular_user"
+
+# Create a QoS DSCP marking rule
+# POST /qos/policies/{policy_id}/dscp_marking_rules
+#"create_policy_dscp_marking_rule": "rule:admin_only"
+
+# Update a QoS DSCP marking rule
+# PUT /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
+#"update_policy_dscp_marking_rule": "rule:admin_only"
+
+# Delete a QoS DSCP marking rule
+# DELETE /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
+#"delete_policy_dscp_marking_rule": "rule:admin_only"
+
+# Get a QoS minimum bandwidth rule
+# GET /qos/policies/{policy_id}/minimum_bandwidth_rules
+# GET /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
+#"get_policy_minimum_bandwidth_rule": "rule:regular_user"
+
+# Create a QoS minimum bandwidth rule
+# POST /qos/policies/{policy_id}/minimum_bandwidth_rules
+#"create_policy_minimum_bandwidth_rule": "rule:admin_only"
+
+# Update a QoS minimum bandwidth rule
+# PUT /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
+#"update_policy_minimum_bandwidth_rule": "rule:admin_only"
+
+# Delete a QoS minimum bandwidth rule
+# DELETE /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
+#"delete_policy_minimum_bandwidth_rule": "rule:admin_only"
+
+# Get a QoS bandwidth limit rule through alias
+# GET /qos/alias_bandwidth_limit_rules/{rule_id}/
+#"get_alias_bandwidth_limit_rule": "rule:get_policy_bandwidth_limit_rule"
+
+# Update a QoS bandwidth limit rule through alias
+# PUT /qos/alias_bandwidth_limit_rules/{rule_id}/
+#"update_alias_bandwidth_limit_rule": "rule:update_policy_bandwidth_limit_rule"
+
+# Delete a QoS bandwidth limit rule through alias
+# DELETE /qos/alias_bandwidth_limit_rules/{rule_id}/
+#"delete_alias_bandwidth_limit_rule": "rule:delete_policy_bandwidth_limit_rule"
+
+# Get a QoS DSCP marking rule through alias
+# GET /qos/alias_dscp_marking_rules/{rule_id}/
+#"get_alias_dscp_marking_rule": "rule:get_policy_dscp_marking_rule"
+
+# Update a QoS DSCP marking rule through alias
+# PUT /qos/alias_dscp_marking_rules/{rule_id}/
+#"update_alias_dscp_marking_rule": "rule:update_policy_dscp_marking_rule"
+
+# Delete a QoS DSCP marking rule through alias
+# DELETE /qos/alias_dscp_marking_rules/{rule_id}/
+#"delete_alias_dscp_marking_rule": "rule:delete_policy_dscp_marking_rule"
+
+# Get a QoS minimum bandwidth rule through alias
+# GET /qos/alias_minimum_bandwidth_rules/{rule_id}/
+#"get_alias_minimum_bandwidth_rule": "rule:get_policy_minimum_bandwidth_rule"
+
+# Update a QoS minimum bandwidth rule through alias
+# PUT /qos/alias_minimum_bandwidth_rules/{rule_id}/
+#"update_alias_minimum_bandwidth_rule": "rule:update_policy_minimum_bandwidth_rule"
+
+# Delete a QoS minimum bandwidth rule through alias
+# DELETE /qos/alias_minimum_bandwidth_rules/{rule_id}/
+#"delete_alias_minimum_bandwidth_rule": "rule:delete_policy_minimum_bandwidth_rule"
+
+# Get a resource quota
+# GET /quota
+# GET /quota/{id}
+#"get_quota": "rule:admin_only"
+
+# Update a resource quota
+# PUT /quota/{id}
+#"update_quota": "rule:admin_only"
+
+# Delete a resource quota
+# DELETE /quota/{id}
+#"delete_quota": "rule:admin_only"
+
+# Definition of a wildcard target_tenant
+#"restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
+
+# Create an RBAC policy
+# POST /rbac-policies
+#"create_rbac_policy": "rule:regular_user"
+
+# Specify ``target_tenant`` when creating an RBAC policy
+# POST /rbac-policies
+#"create_rbac_policy:target_tenant": "rule:restrict_wildcard"
+
+# Update an RBAC policy
+# PUT /rbac-policies/{id}
+#"update_rbac_policy": "rule:admin_or_owner"
+
+# Update ``target_tenant`` attribute of an RBAC policy
+# PUT /rbac-policies/{id}
+#"update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner"
+
+# Get an RBAC policy
+# GET /rbac-policies
+# GET /rbac-policies/{id}
+#"get_rbac_policy": "rule:admin_or_owner"
+
+# Delete an RBAC policy
+# DELETE /rbac-policies/{id}
+#"delete_rbac_policy": "rule:admin_or_owner"
+
+# Create a router
+# POST /routers
+#"create_router": "rule:regular_user"
+
+# Specify ``distributed`` attribute when creating a router
+# POST /routers
+#"create_router:distributed": "rule:admin_only"
+
+# Specify ``ha`` attribute when creating a router
+# POST /routers
+#"create_router:ha": "rule:admin_only"
+
+# Specify ``external_gateway_info`` information when creating a router
+# POST /routers
+#"create_router:external_gateway_info": "rule:admin_or_owner"
+
+# Specify ``network_id`` in ``external_gateway_info`` information when
+# creating a router
+# POST /routers
+#"create_router:external_gateway_info:network_id": "rule:admin_or_owner"
+
+# Specify ``enable_snat`` in ``external_gateway_info`` information
+# when creating a router
+# POST /routers
+#"create_router:external_gateway_info:enable_snat": "rule:admin_only"
+
+# Specify ``external_fixed_ips`` in ``external_gateway_info``
+# information when creating a router
+# POST /routers
+#"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only"
+
+# Get a router
+# GET /routers
+# GET /routers/{id}
+#"get_router": "rule:admin_or_owner"
+
+# Get ``distributed`` attribute of a router
+# GET /routers
+# GET /routers/{id}
+#"get_router:distributed": "rule:admin_only"
+
+# Get ``ha`` attribute of a router
+# GET /routers
+# GET /routers/{id}
+#"get_router:ha": "rule:admin_only"
+
+# Update a router
+# PUT /routers/{id}
+#"update_router": "rule:admin_or_owner"
+
+# Update ``distributed`` attribute of a router
+# PUT /routers/{id}
+#"update_router:distributed": "rule:admin_only"
+
+# Update ``ha`` attribute of a router
+# PUT /routers/{id}
+#"update_router:ha": "rule:admin_only"
+
+# Update ``external_gateway_info`` information of a router
+# PUT /routers/{id}
+#"update_router:external_gateway_info": "rule:admin_or_owner"
+
+# Update ``network_id`` attribute of ``external_gateway_info``
+# information of a router
+# PUT /routers/{id}
+#"update_router:external_gateway_info:network_id": "rule:admin_or_owner"
+
+# Update ``enable_snat`` attribute of ``external_gateway_info``
+# information of a router
+# PUT /routers/{id}
+#"update_router:external_gateway_info:enable_snat": "rule:admin_only"
+
+# Update ``external_fixed_ips`` attribute of ``external_gateway_info``
+# information of a router
+# PUT /routers/{id}
+#"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only"
+
+# Delete a router
+# DELETE /routers/{id}
+#"delete_router": "rule:admin_or_owner"
+
+# Add an interface to a router
+# PUT /routers/{id}/add_router_interface
+#"add_router_interface": "rule:admin_or_owner"
+
+# Remove an interface from a router
+# PUT /routers/{id}/remove_router_interface
+#"remove_router_interface": "rule:admin_or_owner"
+
+# Rule for admin or security group owner access
+#"admin_or_sg_owner": "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s"
+
+# Rule for resource owner, admin or security group owner access
+#"admin_owner_or_sg_owner": "rule:owner or rule:admin_or_sg_owner"
+
+# Create a security group
+# POST /security-groups
+#"create_security_group": "rule:admin_or_owner"
+
+# Get a security group
+# GET /security-groups
+# GET /security-groups/{id}
+#"get_security_group": "rule:regular_user"
+
+# Update a security group
+# PUT /security-groups/{id}
+#"update_security_group": "rule:admin_or_owner"
+
+# Delete a security group
+# DELETE /security-groups/{id}
+#"delete_security_group": "rule:admin_or_owner"
+
+# Create a security group rule
+# POST /security-group-rules
+#"create_security_group_rule": "rule:admin_or_owner"
+
+# Get a security group rule
+# GET /security-group-rules
+# GET /security-group-rules/{id}
+#"get_security_group_rule": "rule:admin_owner_or_sg_owner"
+
+# Delete a security group rule
+# DELETE /security-group-rules/{id}
+#"delete_security_group_rule": "rule:admin_or_owner"
+
+# Create a segment
+# POST /segments
+#"create_segment": "rule:admin_only"
+
+# Get a segment
+# GET /segments
+# GET /segments/{id}
+#"get_segment": "rule:admin_only"
+
+# Update a segment
+# PUT /segments/{id}
+#"update_segment": "rule:admin_only"
+
+# Delete a segment
+# DELETE /segments/{id}
+#"delete_segment": "rule:admin_only"
+
+# Get service providers
+# GET /service-providers
+#"get_service_provider": "rule:regular_user"
+
+# Create a subnet
+# POST /subnets
+#"create_subnet": "rule:admin_or_network_owner"
+
+# Specify ``segment_id`` attribute when creating a subnet
+# POST /subnets
+#"create_subnet:segment_id": "rule:admin_only"
+
+# Specify ``service_types`` attribute when creating a subnet
+# POST /subnets
+#"create_subnet:service_types": "rule:admin_only"
+
+# Get a subnet
+# GET /subnets
+# GET /subnets/{id}
+#"get_subnet": "rule:admin_or_owner or rule:shared"
+
+# Get ``segment_id`` attribute of a subnet
+# GET /subnets
+# GET /subnets/{id}
+#"get_subnet:segment_id": "rule:admin_only"
+
+# Update a subnet
+# PUT /subnets/{id}
+#"update_subnet": "rule:admin_or_network_owner"
+
+# Update ``segment_id`` attribute of a subnet
+# PUT /subnets/{id}
+#"update_subnet:segment_id": "rule:admin_only"
+
+# Update ``service_types`` attribute of a subnet
+# PUT /subnets/{id}
+#"update_subnet:service_types": "rule:admin_only"
+
+# Delete a subnet
+# DELETE /subnets/{id}
+#"delete_subnet": "rule:admin_or_network_owner"
+
+# Definition of a shared subnetpool
+#"shared_subnetpools": "field:subnetpools:shared=True"
+
+# Create a subnetpool
+# POST /subnetpools
+#"create_subnetpool": "rule:regular_user"
+
+# Create a shared subnetpool
+# POST /subnetpools
+#"create_subnetpool:shared": "rule:admin_only"
+
+# Specify ``is_default`` attribute when creating a subnetpool
+# POST /subnetpools
+#"create_subnetpool:is_default": "rule:admin_only"
+
+# Get a subnetpool
+# GET /subnetpools
+# GET /subnetpools/{id}
+#"get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools"
+
+# Update a subnetpool
+# PUT /subnetpools/{id}
+#"update_subnetpool": "rule:admin_or_owner"
+
+# Update ``is_default`` attribute of a subnetpool
+# PUT /subnetpools/{id}
+#"update_subnetpool:is_default": "rule:admin_only"
+
+# Delete a subnetpool
+# DELETE /subnetpools/{id}
+#"delete_subnetpool": "rule:admin_or_owner"
+
+# Onboard existing subnet into a subnetpool
+# Put /subnetpools/{id}/onboard_network_subnets
+#"onboard_network_subnets": "rule:admin_or_owner"
+
+# Add prefixes to a subnetpool
+# Put /subnetpools/{id}/add_prefixes
+#"add_prefixes": "rule:admin_or_owner"
+
+# Remove unallocated prefixes from a subnetpool
+# Put /subnetpools/{id}/remove_prefixes
+#"remove_prefixes": "rule:admin_or_owner"
+
+# Create a trunk
+# POST /trunks
+#"create_trunk": "rule:regular_user"
+
+# Get a trunk
+# GET /trunks
+# GET /trunks/{id}
+#"get_trunk": "rule:admin_or_owner"
+
+# Update a trunk
+# PUT /trunks/{id}
+#"update_trunk": "rule:admin_or_owner"
+
+# Delete a trunk
+# DELETE /trunks/{id}
+#"delete_trunk": "rule:admin_or_owner"
+
+# List subports attached to a trunk
+# GET /trunks/{id}/get_subports
+#"get_subports": "rule:regular_user"
+
+# Add subports to a trunk
+# PUT /trunks/{id}/add_subports
+#"add_subports": "rule:admin_or_owner"
+
+# Delete subports from a trunk
+# PUT /trunks/{id}/remove_subports
+#"remove_subports": "rule:admin_or_owner"
+
diff --git a/openstack_dashboard/conf/nova_policy.json b/openstack_dashboard/conf/nova_policy.json
deleted file mode 100644
index 8015bc347b..0000000000
--- a/openstack_dashboard/conf/nova_policy.json
+++ /dev/null
@@ -1,158 +0,0 @@
-{
- "context_is_admin": "role:admin",
- "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
- "admin_api": "is_admin:True",
- "os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
- "os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api",
- "os_compute_api:os-admin-actions:reset_network": "rule:admin_api",
- "os_compute_api:os-admin-password": "rule:admin_or_owner",
- "os_compute_api:os-agents": "rule:admin_api",
- "os_compute_api:os-aggregates:set_metadata": "rule:admin_api",
- "os_compute_api:os-aggregates:add_host": "rule:admin_api",
- "os_compute_api:os-aggregates:create": "rule:admin_api",
- "os_compute_api:os-aggregates:remove_host": "rule:admin_api",
- "os_compute_api:os-aggregates:update": "rule:admin_api",
- "os_compute_api:os-aggregates:index": "rule:admin_api",
- "os_compute_api:os-aggregates:delete": "rule:admin_api",
- "os_compute_api:os-aggregates:show": "rule:admin_api",
- "os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api",
- "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api",
- "os_compute_api:os-attach-interfaces": "rule:admin_or_owner",
- "os_compute_api:os-attach-interfaces:create": "rule:admin_or_owner",
- "os_compute_api:os-attach-interfaces:delete": "rule:admin_or_owner",
- "os_compute_api:os-availability-zone:list": "rule:admin_or_owner",
- "os_compute_api:os-availability-zone:detail": "rule:admin_api",
- "os_compute_api:os-baremetal-nodes": "rule:admin_api",
- "os_compute_api:os-cells:update": "rule:admin_api",
- "os_compute_api:os-cells:create": "rule:admin_api",
- "os_compute_api:os-cells": "rule:admin_api",
- "os_compute_api:os-cells:sync_instances": "rule:admin_api",
- "os_compute_api:os-cells:delete": "rule:admin_api",
- "cells_scheduler_filter:DifferentCellFilter": "is_admin:True",
- "cells_scheduler_filter:TargetCellFilter": "is_admin:True",
- "os_compute_api:os-console-auth-tokens": "rule:admin_api",
- "os_compute_api:os-console-output": "rule:admin_or_owner",
- "os_compute_api:os-consoles:create": "rule:admin_or_owner",
- "os_compute_api:os-consoles:show": "rule:admin_or_owner",
- "os_compute_api:os-consoles:delete": "rule:admin_or_owner",
- "os_compute_api:os-consoles:index": "rule:admin_or_owner",
- "os_compute_api:os-create-backup": "rule:admin_or_owner",
- "os_compute_api:os-deferred-delete": "rule:admin_or_owner",
- "os_compute_api:os-evacuate": "rule:admin_api",
- "os_compute_api:os-extended-server-attributes": "rule:admin_api",
- "os_compute_api:extensions": "rule:admin_or_owner",
- "os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api",
- "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api",
- "os_compute_api:os-flavor-access": "rule:admin_or_owner",
- "os_compute_api:os-flavor-extra-specs:show": "rule:admin_or_owner",
- "os_compute_api:os-flavor-extra-specs:create": "rule:admin_api",
- "os_compute_api:os-flavor-extra-specs:update": "rule:admin_api",
- "os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api",
- "os_compute_api:os-flavor-extra-specs:index": "rule:admin_or_owner",
- "os_compute_api:os-flavor-manage:create": "rule:admin_api",
- "os_compute_api:os-flavor-manage:update": "rule:admin_api",
- "os_compute_api:os-flavor-manage:delete": "rule:admin_api",
- "os_compute_api:os-floating-ip-pools": "rule:admin_or_owner",
- "os_compute_api:os-floating-ips": "rule:admin_or_owner",
- "os_compute_api:os-hosts": "rule:admin_api",
- "os_compute_api:os-hypervisors": "rule:admin_api",
- "os_compute_api:os-instance-actions:events": "rule:admin_api",
- "os_compute_api:os-instance-actions": "rule:admin_or_owner",
- "os_compute_api:os-instance-usage-audit-log": "rule:admin_api",
- "os_compute_api:ips:show": "rule:admin_or_owner",
- "os_compute_api:ips:index": "rule:admin_or_owner",
- "os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s",
- "os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s",
- "os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s",
- "os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s",
- "os_compute_api:limits": "rule:admin_or_owner",
- "os_compute_api:os-lock-server:lock": "rule:admin_or_owner",
- "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner",
- "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api",
- "os_compute_api:os-migrate-server:migrate": "rule:admin_api",
- "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api",
- "os_compute_api:os-migrations:index": "rule:admin_api",
- "os_compute_api:os-multinic": "rule:admin_or_owner",
- "os_compute_api:os-networks": "rule:admin_api",
- "os_compute_api:os-networks:view": "rule:admin_or_owner",
- "os_compute_api:os-networks-associate": "rule:admin_api",
- "os_compute_api:os-pause-server:pause": "rule:admin_or_owner",
- "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner",
- "os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s",
- "os_compute_api:os-quota-class-sets:update": "rule:admin_api",
- "os_compute_api:os-quota-sets:update": "rule:admin_api",
- "os_compute_api:os-quota-sets:defaults": "@",
- "os_compute_api:os-quota-sets:show": "rule:admin_or_owner",
- "os_compute_api:os-quota-sets:delete": "rule:admin_api",
- "os_compute_api:os-quota-sets:detail": "rule:admin_or_owner",
- "os_compute_api:os-remote-consoles": "rule:admin_or_owner",
- "os_compute_api:os-rescue": "rule:admin_or_owner",
- "os_compute_api:os-security-group-default-rules": "rule:admin_api",
- "os_compute_api:os-security-groups": "rule:admin_or_owner",
- "os_compute_api:os-server-diagnostics": "rule:admin_api",
- "os_compute_api:os-server-external-events:create": "rule:admin_api",
- "os_compute_api:os-server-groups:create": "rule:admin_or_owner",
- "os_compute_api:os-server-groups:delete": "rule:admin_or_owner",
- "os_compute_api:os-server-groups:index": "rule:admin_or_owner",
- "os_compute_api:os-server-groups:show": "rule:admin_or_owner",
- "os_compute_api:server-metadata:index": "rule:admin_or_owner",
- "os_compute_api:server-metadata:show": "rule:admin_or_owner",
- "os_compute_api:server-metadata:create": "rule:admin_or_owner",
- "os_compute_api:server-metadata:update_all": "rule:admin_or_owner",
- "os_compute_api:server-metadata:update": "rule:admin_or_owner",
- "os_compute_api:server-metadata:delete": "rule:admin_or_owner",
- "os_compute_api:os-server-password": "rule:admin_or_owner",
- "os_compute_api:os-server-tags:delete_all": "rule:admin_or_owner",
- "os_compute_api:os-server-tags:index": "rule:admin_or_owner",
- "os_compute_api:os-server-tags:update_all": "rule:admin_or_owner",
- "os_compute_api:os-server-tags:delete": "rule:admin_or_owner",
- "os_compute_api:os-server-tags:update": "rule:admin_or_owner",
- "os_compute_api:os-server-tags:show": "rule:admin_or_owner",
- "os_compute_api:servers:index": "rule:admin_or_owner",
- "os_compute_api:servers:detail": "rule:admin_or_owner",
- "os_compute_api:servers:index:get_all_tenants": "rule:admin_api",
- "os_compute_api:servers:detail:get_all_tenants": "rule:admin_api",
- "os_compute_api:servers:allow_all_filters": "rule:admin_api",
- "os_compute_api:servers:show": "rule:admin_or_owner",
- "os_compute_api:servers:show:host_status": "rule:admin_api",
- "os_compute_api:servers:create": "rule:admin_or_owner",
- "os_compute_api:servers:create:forced_host": "rule:admin_api",
- "os_compute_api:servers:create:attach_volume": "rule:admin_or_owner",
- "os_compute_api:servers:create:attach_network": "rule:admin_or_owner",
- "os_compute_api:servers:create:trusted_certs": "rule:admin_or_owner",
- "os_compute_api:servers:create:zero_disk_flavor": "rule:admin_api",
- "network:attach_external_network": "is_admin:True",
- "os_compute_api:servers:delete": "rule:admin_or_owner",
- "os_compute_api:servers:update": "rule:admin_or_owner",
- "os_compute_api:servers:confirm_resize": "rule:admin_or_owner",
- "os_compute_api:servers:revert_resize": "rule:admin_or_owner",
- "os_compute_api:servers:reboot": "rule:admin_or_owner",
- "os_compute_api:servers:resize": "rule:admin_or_owner",
- "os_compute_api:servers:rebuild": "rule:admin_or_owner",
- "os_compute_api:servers:rebuild:trusted_certs": "rule:admin_or_owner",
- "os_compute_api:servers:create_image": "rule:admin_or_owner",
- "os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_or_owner",
- "os_compute_api:servers:start": "rule:admin_or_owner",
- "os_compute_api:servers:stop": "rule:admin_or_owner",
- "os_compute_api:servers:trigger_crash_dump": "rule:admin_or_owner",
- "os_compute_api:servers:migrations:show": "rule:admin_api",
- "os_compute_api:servers:migrations:force_complete": "rule:admin_api",
- "os_compute_api:servers:migrations:delete": "rule:admin_api",
- "os_compute_api:servers:migrations:index": "rule:admin_api",
- "os_compute_api:os-services": "rule:admin_api",
- "os_compute_api:os-shelve:shelve": "rule:admin_or_owner",
- "os_compute_api:os-shelve:unshelve": "rule:admin_or_owner",
- "os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
- "os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner",
- "os_compute_api:os-simple-tenant-usage:list": "rule:admin_api",
- "os_compute_api:os-suspend-server:resume": "rule:admin_or_owner",
- "os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner",
- "os_compute_api:os-tenant-networks": "rule:admin_or_owner",
- "os_compute_api:os-used-limits": "rule:admin_api",
- "os_compute_api:os-volumes": "rule:admin_or_owner",
- "os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner",
- "os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner",
- "os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner",
- "os_compute_api:os-volumes-attachments:update": "rule:admin_api",
- "os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner"
-}
diff --git a/openstack_dashboard/conf/nova_policy.yaml b/openstack_dashboard/conf/nova_policy.yaml
new file mode 100644
index 0000000000..dab2e4e458
--- /dev/null
+++ b/openstack_dashboard/conf/nova_policy.yaml
@@ -0,0 +1,1877 @@
+# Decides what is required for the 'is_admin:True' check to succeed.
+#"context_is_admin": "role:admin"
+
+# DEPRECATED
+# "admin_or_owner" has been deprecated since 21.0.0.
+# Nova API policies are introducing new default roles with scope_type
+# capabilities. Old policies are deprecated and silently going to be
+# ignored in nova 23.0.0 release.
+# Default rule for most non-Admin APIs.
+#"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
+
+# DEPRECATED
+# "admin_api" has been deprecated since 21.0.0.
+# Nova API policies are introducing new default roles with scope_type
+# capabilities. Old policies are deprecated and silently going to be
+# ignored in nova 23.0.0 release.
+# Default rule for most Admin APIs.
+#"admin_api": "is_admin:True"
+
+# Default rule for System Admin APIs.
+#"system_admin_api": "role:admin and system_scope:all"
+
+# DEPRECATED
+# "rule:admin_api":"is_admin:True" has been deprecated since 21.0.0 in
+# favor of "system_admin_api":"role:admin and system_scope:all".
+# Nova API policies are introducing new default roles with scope_type
+# capabilities. Old policies are deprecated and silently going to be
+# ignored in nova 23.0.0 release.
+#"rule:admin_api": "rule:system_admin_api"
+
+# Default rule for System level read only APIs.
+#"system_reader_api": "role:reader and system_scope:all"
+
+# DEPRECATED
+# "rule:admin_api":"is_admin:True" has been deprecated since 21.0.0 in
+# favor of "system_reader_api":"role:reader and system_scope:all".
+# Nova API policies are introducing new default roles with scope_type
+# capabilities. Old policies are deprecated and silently going to be
+# ignored in nova 23.0.0 release.
+#"rule:admin_api": "rule:system_reader_api"
+
+# Default rule for Project level admin APIs.
+#"project_admin_api": "role:admin and project_id:%(project_id)s"
+
+# DEPRECATED
+# "rule:admin_api":"is_admin:True" has been deprecated since 21.0.0 in
+# favor of "project_admin_api":"role:admin and
+# project_id:%(project_id)s".
+# Nova API policies are introducing new default roles with scope_type
+# capabilities. Old policies are deprecated and silently going to be
+# ignored in nova 23.0.0 release.
+#"rule:admin_api": "rule:project_admin_api"
+
+# Default rule for Project level non admin APIs.
+#"project_member_api": "role:member and project_id:%(project_id)s"
+
+# DEPRECATED
+# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s"
+# has been deprecated since 21.0.0 in favor of
+# "project_member_api":"role:member and project_id:%(project_id)s".
+# Nova API policies are introducing new default roles with scope_type
+# capabilities. Old policies are deprecated and silently going to be
+# ignored in nova 23.0.0 release.
+#"rule:admin_or_owner": "rule:project_member_api"
+
+# Default rule for Project level read only APIs.
+#"project_reader_api": "role:reader and project_id:%(project_id)s"
+
+# Default rule for System admin+owner APIs.
+#"system_admin_or_owner": "rule:system_admin_api or rule:project_member_api"
+
+# DEPRECATED
+# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s"
+# has been deprecated since 21.0.0 in favor of
+# "system_admin_or_owner":"rule:system_admin_api or
+# rule:project_member_api".
+# Nova API policies are introducing new default roles with scope_type
+# capabilities. Old policies are deprecated and silently going to be
+# ignored in nova 23.0.0 release.
+#"rule:admin_or_owner": "rule:system_admin_or_owner"
+
+# Default rule for System+Project read only APIs.
+#"system_or_project_reader": "rule:system_reader_api or rule:project_reader_api"
+
+# DEPRECATED
+# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s"
+# has been deprecated since 21.0.0 in favor of
+# "system_or_project_reader":"rule:system_reader_api or
+# rule:project_reader_api".
+# Nova API policies are introducing new default roles with scope_type
+# capabilities. Old policies are deprecated and silently going to be
+# ignored in nova 23.0.0 release.
+#"rule:admin_or_owner": "rule:system_or_project_reader"
+
+# Reset the state of a given server
+# POST /servers/{server_id}/action (os-resetState)
+# Intended scope(s): system, project
+#"os_compute_api:os-admin-actions:reset_state": "rule:system_admin_api"
+
+# Inject network information into the server
+# POST /servers/{server_id}/action (injectNetworkInfo)
+# Intended scope(s): system, project
+#"os_compute_api:os-admin-actions:inject_network_info": "rule:system_admin_api"
+
+# Reset networking on a server
+# POST /servers/{server_id}/action (resetNetwork)
+# Intended scope(s): system, project
+#"os_compute_api:os-admin-actions:reset_network": "rule:system_admin_api"
+
+# Change the administrative password for a server
+# POST /servers/{server_id}/action (changePassword)
+# Intended scope(s): system, project
+#"os_compute_api:os-admin-password": "rule:system_admin_or_owner"
+
+# List guest agent builds This is XenAPI driver specific. It is used
+# to force the upgrade of the XenAPI guest agent on instance boot.
+# GET /os-agents
+# Intended scope(s): system
+#"os_compute_api:os-agents:list": "rule:system_reader_api"
+
+# DEPRECATED
+# "os_compute_api:os-agents":"rule:admin_api" has been deprecated
+# since 21.0.0 in favor of "os_compute_api:os-
+# agents:list":"rule:system_reader_api".
+# Nova API policies are introducing new default roles with scope_type
+# capabilities. Old policies are deprecated and silently going to be
+# ignored in nova 23.0.0 release.
+#"os_compute_api:os-agents": "rule:os_compute_api:os-agents:list"
+
+# Create guest agent builds This is XenAPI driver specific. It is used
+# to force the upgrade of the XenAPI guest agent on instance boot.
+# POST /os-agents
+# Intended scope(s): system
+#"os_compute_api:os-agents:create": "rule:system_admin_api"
+
+# DEPRECATED
+# "os_compute_api:os-agents":"rule:admin_api" has been deprecated
+# since 21.0.0 in favor of "os_compute_api:os-
+# agents:create":"rule:system_admin_api".
+# Nova API policies are introducing new default roles with scope_type
+# capabilities. Old policies are deprecated and silently going to be
+# ignored in nova 23.0.0 release.
+#"os_compute_api:os-agents": "rule:os_compute_api:os-agents:create"
+
+# Update guest agent builds This is XenAPI driver specific. It is used
+# to force the upgrade of the XenAPI guest agent on instance boot.
+# PUT /os-agents/{agent_build_id}
+# Intended scope(s): system
+#"os_compute_api:os-agents:update": "rule:system_admin_api"
+
+# DEPRECATED
+# "os_compute_api:os-agents":"rule:admin_api" has been deprecated
+# since 21.0.0 in favor of "os_compute_api:os-
+# agents:update":"rule:system_admin_api".
+# Nova API policies are introducing new default roles with scope_type
+# capabilities. Old policies are deprecated and silently going to be
+# ignored in nova 23.0.0 release.
+#"os_compute_api:os-agents": "rule:os_compute_api:os-agents:update"
+
+# Delete guest agent builds This is XenAPI driver specific. It is used
+# to force the upgrade of the XenAPI guest agent on instance boot.
+# DELETE /os-agents/{agent_build_id}
+# Intended scope(s): system
+#"os_compute_api:os-agents:delete": "rule:system_admin_api"
+
+# DEPRECATED
+# "os_compute_api:os-agents":"rule:admin_api" has been deprecated
+# since 21.0.0 in favor of "os_compute_api:os-
+# agents:delete":"rule:system_admin_api".
+# Nova API policies are introducing new default roles with scope_type
+# capabilities. Old policies are deprecated and silently going to be
+# ignored in nova 23.0.0 release.
+#"os_compute_api:os-agents": "rule:os_compute_api:os-agents:delete"
+
+# Create or replace metadata for an aggregate
+# POST /os-aggregates/{aggregate_id}/action (set_metadata)
+# Intended scope(s): system
+#"os_compute_api:os-aggregates:set_metadata": "rule:system_admin_api"
+
+# Add a host to an aggregate
+# POST /os-aggregates/{aggregate_id}/action (add_host)
+# Intended scope(s): system
+#"os_compute_api:os-aggregates:add_host": "rule:system_admin_api"
+
+# Create an aggregate
+# POST /os-aggregates
+# Intended scope(s): system
+#"os_compute_api:os-aggregates:create": "rule:system_admin_api"
+
+# Remove a host from an aggregate
+# POST /os-aggregates/{aggregate_id}/action (remove_host)
+# Intended scope(s): system
+#"os_compute_api:os-aggregates:remove_host": "rule:system_admin_api"
+
+# Update name and/or availability zone for an aggregate
+# PUT /os-aggregates/{aggregate_id}
+# Intended scope(s): system
+#"os_compute_api:os-aggregates:update": "rule:system_admin_api"
+
+# List all aggregates
+# GET /os-aggregates
+# Intended scope(s): system
+#"os_compute_api:os-aggregates:index": "rule:system_reader_api"
+
+# Delete an aggregate
+# DELETE /os-aggregates/{aggregate_id}
+# Intended scope(s): system
+#"os_compute_api:os-aggregates:delete": "rule:system_admin_api"
+
+# Show details for an aggregate
+# GET /os-aggregates/{aggregate_id}
+# Intended scope(s): system
+#"os_compute_api:os-aggregates:show": "rule:system_reader_api"
+
+# Request image caching for an aggregate
+# POST /os-aggregates/{aggregate_id}/images
+# Intended scope(s): system
+#"compute:aggregates:images": "rule:system_admin_api"
+
+# Create an assisted volume snapshot
+# POST /os-assisted-volume-snapshots
+# Intended scope(s): system
+#"os_compute_api:os-assisted-volume-snapshots:create": "rule:system_admin_api"
+
+# Delete an assisted volume snapshot
+# DELETE /os-assisted-volume-snapshots/{snapshot_id}
+# Intended scope(s): system
+#"os_compute_api:os-assisted-volume-snapshots:delete": "rule:system_admin_api"
+
+# List port interfaces attached to a server
+# GET /servers/{server_id}/os-interface
+# Intended scope(s): system, project
+#"os_compute_api:os-attach-interfaces:list": "rule:system_or_project_reader"
+
+# DEPRECATED
+# "os_compute_api:os-attach-interfaces":"rule:admin_or_owner" has been
+# deprecated since 21.0.0 in favor of "os_compute_api:os-attach-
+# interfaces:list":"rule:system_or_project_reader".
+# Nova API policies are introducing new default roles with scope_type
+# capabilities. Old policies are deprecated and silently going to be
+# ignored in nova 23.0.0 release.
+#"os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:list"
+
+# Show details of a port interface attached to a server
+# GET /servers/{server_id}/os-interface/{port_id}
+# Intended scope(s): system, project
+#"os_compute_api:os-attach-interfaces:show": "rule:system_or_project_reader"
+
+# DEPRECATED
+# "os_compute_api:os-attach-interfaces":"rule:admin_or_owner" has been
+# deprecated since 21.0.0 in favor of "os_compute_api:os-attach-
+# interfaces:show":"rule:system_or_project_reader".
+# Nova API policies are introducing new default roles with scope_type
+# capabilities. Old policies are deprecated and silently going to be
+# ignored in nova 23.0.0 release.
+#"os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:show"
+
+# Attach an interface to a server
+# POST /servers/{server_id}/os-interface
+# Intended scope(s): system, project
+#"os_compute_api:os-attach-interfaces:create": "rule:system_admin_or_owner"
+
+# DEPRECATED
+# "os_compute_api:os-attach-interfaces":"rule:admin_or_owner" has been
+# deprecated since 21.0.0 in favor of "os_compute_api:os-attach-
+# interfaces:create":"rule:system_admin_or_owner".
+# Nova API policies are introducing new default roles with scope_type
+# capabilities. Old policies are deprecated and silently going to be
+# ignored in nova 23.0.0 release.
+#"os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:create"
+
+# Detach an interface from a server
+# DELETE /servers/{server_id}/os-interface/{port_id}
+# Intended scope(s): system, project
+#"os_compute_api:os-attach-interfaces:delete": "rule:system_admin_or_owner"
+
+# DEPRECATED
+# "os_compute_api:os-attach-interfaces":"rule:admin_or_owner" has been
+# deprecated since 21.0.0 in favor of "os_compute_api:os-attach-
+# interfaces:delete":"rule:system_admin_or_owner".
+# Nova API policies are introducing new default roles with scope_type
+# capabilities. Old policies are deprecated and silently going to be
+# ignored in nova 23.0.0 release.
+#"os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:delete"
+
+# List availability zone information without host information
+# GET /os-availability-zone
+# Intended scope(s): system, project
+#"os_compute_api:os-availability-zone:list": "@"
+
+# List detailed availability zone information with host information
+# GET /os-availability-zone/detail
+# Intended scope(s): system
+#"os_compute_api:os-availability-zone:detail": "rule:system_reader_api"
+
+# List and show details of bare metal nodes.
+#
+# These APIs are proxy calls to the Ironic service and are deprecated.
+# GET /os-baremetal-nodes
+# Intended scope(s): system
+#"os_compute_api:os-baremetal-nodes:list": "rule:system_reader_api"
+
+# DEPRECATED
+# "os_compute_api:os-baremetal-nodes":"rule:admin_api" has been
+# deprecated since 22.0.0 in favor of "os_compute_api:os-baremetal-
+# nodes:list":"rule:system_reader_api".
+# Nova API policies are introducing new default roles with scope_type
+# capabilities. Old policies are deprecated and silently going to be
+# ignored in nova 23.0.0 release.
+#"os_compute_api:os-baremetal-nodes": "rule:os_compute_api:os-baremetal-nodes:list"
+
+# Show action details for a server.
+# GET /os-baremetal-nodes/{node_id}
+# Intended scope(s): system
+#"os_compute_api:os-baremetal-nodes:show": "rule:system_reader_api"
+
+# DEPRECATED
+# "os_compute_api:os-baremetal-nodes":"rule:admin_api" has been
+# deprecated since 22.0.0 in favor of "os_compute_api:os-baremetal-
+# nodes:show":"rule:system_reader_api".
+# Nova API policies are introducing new default roles with scope_type
+# capabilities. Old policies are deprecated and silently going to be
+# ignored in nova 23.0.0 release.
+#"os_compute_api:os-baremetal-nodes": "rule:os_compute_api:os-baremetal-nodes:show"
+
+# Show console connection information for a given console
+# authentication token
+# GET /os-console-auth-tokens/{console_token}
+# Intended scope(s): system
+#"os_compute_api:os-console-auth-tokens": "rule:system_reader_api"
+
+# Show console output for a server
+# POST /servers/{server_id}/action (os-getConsoleOutput)
+# Intended scope(s): system, project
+#"os_compute_api:os-console-output": "rule:system_admin_or_owner"
+
+# Create a back up of a server
+# POST /servers/{server_id}/action (createBackup)
+# Intended scope(s): system, project
+#"os_compute_api:os-create-backup": "rule:system_admin_or_owner"
+
+# Restore a soft deleted server
+# POST /servers/{server_id}/action (restore)
+# Intended scope(s): system, project
+#"os_compute_api:os-deferred-delete:restore": "rule:system_admin_or_owner"
+
+# DEPRECATED
+# "os_compute_api:os-deferred-delete":"rule:admin_or_owner" has been
+# deprecated since 21.0.0 in favor of "os_compute_api:os-deferred-
+# delete:restore":"rule:system_admin_or_owner".
+# Nova API policies are introducing new default roles with scope_type
+# capabilities. Old policies are deprecated and silently going to be
+# ignored in nova 23.0.0 release.
+#"os_compute_api:os-deferred-delete": "rule:os_compute_api:os-deferred-delete:restore"
+
+# Force delete a server before deferred cleanup
+# POST /servers/{server_id}/action (forceDelete)
+# Intended scope(s): system, project
+#"os_compute_api:os-deferred-delete:force": "rule:system_admin_or_owner"
+
+# DEPRECATED
+# "os_compute_api:os-deferred-delete":"rule:admin_or_owner" has been
+# deprecated since 21.0.0 in favor of "os_compute_api:os-deferred-
+# delete:force":"rule:system_admin_or_owner".
+# Nova API policies are introducing new default roles with scope_type
+# capabilities. Old policies are deprecated and silently going to be
+# ignored in nova 23.0.0 release.
+#"os_compute_api:os-deferred-delete": "rule:os_compute_api:os-deferred-delete:force"
+
+# Evacuate a server from a failed host to a new host
+# POST /servers/{server_id}/action (evacuate)
+# Intended scope(s): system, project
+#"os_compute_api:os-evacuate": "rule:system_admin_api"
+
+# Return extended attributes for server.
+#
+# This rule will control the visibility for a set of servers
+# attributes:
+#
+# - ``OS-EXT-SRV-ATTR:host`` - ``OS-EXT-SRV-ATTR:instance_name`` -
+# ``OS-EXT-SRV-ATTR:reservation_id`` (since microversion 2.3) - ``OS-
+# EXT-SRV-ATTR:launch_index`` (since microversion 2.3) - ``OS-EXT-SRV-
+# ATTR:hostname`` (since microversion 2.3) - ``OS-EXT-SRV-
+# ATTR:kernel_id`` (since microversion 2.3) - ``OS-EXT-SRV-
+# ATTR:ramdisk_id`` (since microversion 2.3) - ``OS-EXT-SRV-
+# ATTR:root_device_name`` (since microversion 2.3) - ``OS-EXT-SRV-
+# ATTR:user_data`` (since microversion 2.3)
+#
+# Microvision 2.75 added the above attributes in the ``PUT
+# /servers/{server_id}`` and ``POST /servers/{server_id}/action
+# (rebuild)`` API responses which are also controlled by this policy
+# rule, like the ``GET /servers*`` APIs.
+# GET /servers/{id} +# GET /servers/detail +# PUT /servers/{server_id} +# POST /servers/{server_id}/action (rebuild) +# Intended scope(s): system, project +#"os_compute_api:os-extended-server-attributes": "rule:system_admin_api" + +# List available extensions and show information for an extension by +# alias +# GET /extensions +# GET /extensions/{alias} +# Intended scope(s): system, project +#"os_compute_api:extensions": "@" + +# Add flavor access to a tenant +# POST /flavors/{flavor_id}/action (addTenantAccess) +# Intended scope(s): system +#"os_compute_api:os-flavor-access:add_tenant_access": "rule:system_admin_api" + +# Remove flavor access from a tenant +# POST /flavors/{flavor_id}/action (removeTenantAccess) +# Intended scope(s): system +#"os_compute_api:os-flavor-access:remove_tenant_access": "rule:system_admin_api" + +# List flavor access information +# +# Allows access to the full list of tenants that have access to a +# flavor via an os-flavor-access API. +# GET /flavors/{flavor_id}/os-flavor-access +# Intended scope(s): system +#"os_compute_api:os-flavor-access": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-flavor-access":"rule:admin_or_owner" has been +# deprecated since 21.0.0 in favor of "os_compute_api:os-flavor- +# access":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. 
+ +# Show an extra spec for a flavor +# GET /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key} +# Intended scope(s): system, project +#"os_compute_api:os-flavor-extra-specs:show": "rule:system_or_project_reader" + +# Create extra specs for a flavor +# POST /flavors/{flavor_id}/os-extra_specs/ +# Intended scope(s): system +#"os_compute_api:os-flavor-extra-specs:create": "rule:system_admin_api" + +# Update an extra spec for a flavor +# PUT /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key} +# Intended scope(s): system +#"os_compute_api:os-flavor-extra-specs:update": "rule:system_admin_api" + +# Delete an extra spec for a flavor +# DELETE /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key} +# Intended scope(s): system +#"os_compute_api:os-flavor-extra-specs:delete": "rule:system_admin_api" + +# List extra specs for a flavor. Starting with microversion 2.47, the +# flavor used for a server is also returned in the response when +# showing server details, updating a server or rebuilding a server. +# Starting with microversion 2.61, extra specs may be returned in +# responses for the flavor resource. +# GET /flavors/{flavor_id}/os-extra_specs/ +# GET /servers/detail +# GET /servers/{server_id} +# PUT /servers/{server_id} +# POST /servers/{server_id}/action (rebuild) +# POST /flavors +# GET /flavors/detail +# GET /flavors/{flavor_id} +# PUT /flavors/{flavor_id} +# Intended scope(s): system, project +#"os_compute_api:os-flavor-extra-specs:index": "rule:system_or_project_reader" + +# Create a flavor +# POST /flavors +# Intended scope(s): system +#"os_compute_api:os-flavor-manage:create": "rule:system_admin_api" + +# Update a flavor +# PUT /flavors/{flavor_id} +# Intended scope(s): system +#"os_compute_api:os-flavor-manage:update": "rule:system_admin_api" + +# Delete a flavor +# DELETE /flavors/{flavor_id} +# Intended scope(s): system +#"os_compute_api:os-flavor-manage:delete": "rule:system_admin_api" + +# List floating IP pools. 
This API is deprecated. +# GET /os-floating-ip-pools +# Intended scope(s): system, project +#"os_compute_api:os-floating-ip-pools": "@" + +# Associate floating IPs to server. This API is deprecated. +# POST /servers/{server_id}/action (addFloatingIp) +# Intended scope(s): system, project +#"os_compute_api:os-floating-ips:add": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-floating- +# ips:add":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:add" + +# Disassociate floating IPs to server. This API is deprecated. +# POST /servers/{server_id}/action (removeFloatingIp) +# Intended scope(s): system, project +#"os_compute_api:os-floating-ips:remove": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-floating- +# ips:remove":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:remove" + +# List floating IPs. This API is deprecated. +# GET /os-floating-ips +# Intended scope(s): system, project +#"os_compute_api:os-floating-ips:list": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-floating- +# ips:list":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. 
Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:list" + +# Create floating IPs. This API is deprecated. +# POST /os-floating-ips +# Intended scope(s): system, project +#"os_compute_api:os-floating-ips:create": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-floating- +# ips:create":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:create" + +# Show floating IPs. This API is deprecated. +# GET /os-floating-ips/{floating_ip_id} +# Intended scope(s): system, project +#"os_compute_api:os-floating-ips:show": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-floating- +# ips:show":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:show" + +# Delete floating IPs. This API is deprecated. +# DELETE /os-floating-ips/{floating_ip_id} +# Intended scope(s): system, project +#"os_compute_api:os-floating-ips:delete": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-floating- +# ips:delete":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. 
Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:delete" + +# List physical hosts. +# +# This API is deprecated in favor of os-hypervisors and os-services. +# GET /os-hosts +# Intended scope(s): system +#"os_compute_api:os-hosts:list": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since +# 22.0.0 in favor of "os_compute_api:os- +# hosts:list":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:list" + +# Show physical host. +# +# This API is deprecated in favor of os-hypervisors and os-services. +# GET /os-hosts/{host_name} +# Intended scope(s): system +#"os_compute_api:os-hosts:show": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since +# 22.0.0 in favor of "os_compute_api:os- +# hosts:show":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:show" + +# Update physical host. +# +# This API is deprecated in favor of os-hypervisors and os-services. +# PUT /os-hosts/{host_name} +# Intended scope(s): system +#"os_compute_api:os-hosts:update": "rule:system_admin_api" + +# DEPRECATED +# "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since +# 22.0.0 in favor of "os_compute_api:os- +# hosts:update":"rule:system_admin_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. 
+#"os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:update" + +# Reboot physical host. +# +# This API is deprecated in favor of os-hypervisors and os-services. +# GET /os-hosts/{host_name}/reboot +# Intended scope(s): system +#"os_compute_api:os-hosts:reboot": "rule:system_admin_api" + +# DEPRECATED +# "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since +# 22.0.0 in favor of "os_compute_api:os- +# hosts:reboot":"rule:system_admin_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:reboot" + +# Shutdown physical host. +# +# This API is deprecated in favor of os-hypervisors and os-services. +# GET /os-hosts/{host_name}/shutdown +# Intended scope(s): system +#"os_compute_api:os-hosts:shutdown": "rule:system_admin_api" + +# DEPRECATED +# "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since +# 22.0.0 in favor of "os_compute_api:os- +# hosts:shutdown":"rule:system_admin_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:shutdown" + +# Start physical host. +# +# This API is deprecated in favor of os-hypervisors and os-services. +# GET /os-hosts/{host_name}/startup +# Intended scope(s): system +#"os_compute_api:os-hosts:start": "rule:system_admin_api" + +# DEPRECATED +# "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since +# 22.0.0 in favor of "os_compute_api:os- +# hosts:start":"rule:system_admin_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. 
+#"os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:start" + +# List all hypervisors. +# GET /os-hypervisors +# Intended scope(s): system +#"os_compute_api:os-hypervisors:list": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# hypervisors:list":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:list" + +# List all hypervisors with details +# GET /os-hypervisors/details +# Intended scope(s): system +#"os_compute_api:os-hypervisors:list-detail": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os-hypervisors:list- +# detail":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:list-detail" + +# Show summary statistics for all hypervisors over all compute nodes. +# GET /os-hypervisors/statistics +# Intended scope(s): system +#"os_compute_api:os-hypervisors:statistics": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# hypervisors:statistics":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:statistics" + +# Show details for a hypervisor. 
+# GET /os-hypervisors/{hypervisor_id} +# Intended scope(s): system +#"os_compute_api:os-hypervisors:show": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# hypervisors:show":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:show" + +# Show the uptime of a hypervisor. +# GET /os-hypervisors/{hypervisor_id}/uptime +# Intended scope(s): system +#"os_compute_api:os-hypervisors:uptime": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# hypervisors:uptime":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:uptime" + +# Search hypervisor by hypervisor_hostname pattern. +# GET /os-hypervisors/{hypervisor_hostname_pattern}/search +# Intended scope(s): system +#"os_compute_api:os-hypervisors:search": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# hypervisors:search":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:search" + +# List all servers on hypervisors that can match the provided +# hypervisor_hostname pattern. 
+# GET /os-hypervisors/{hypervisor_hostname_pattern}/servers +# Intended scope(s): system +#"os_compute_api:os-hypervisors:servers": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# hypervisors:servers":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:servers" + +# Add "details" key in action events for a server. +# +# This check is performed only after the check os_compute_api:os- +# instance-actions:show passes. Beginning with Microversion 2.84, new +# field 'details' is exposed via API which can have more details about +# event failure. That field is controlled by this policy which is +# system reader by default. Making the 'details' field visible to the +# non-admin user helps to understand the nature of the problem (i.e. +# if the action can be retried), but in the other hand it might leak +# information about the deployment (e.g. the type of the hypervisor). +# GET /servers/{server_id}/os-instance-actions/{request_id} +# Intended scope(s): system, project +#"os_compute_api:os-instance-actions:events:details": "rule:system_reader_api" + +# Add events details in action details for a server. This check is +# performed only after the check os_compute_api:os-instance- +# actions:show passes. Beginning with Microversion 2.51, events +# details are always included; traceback information is provided per +# event if policy enforcement passes. Beginning with Microversion +# 2.62, each event includes a hashed host identifier and, if policy +# enforcement passes, the name of the host. 
+# GET /servers/{server_id}/os-instance-actions/{request_id} +# Intended scope(s): system, project +#"os_compute_api:os-instance-actions:events": "rule:system_reader_api" + +# List actions for a server. +# GET /servers/{server_id}/os-instance-actions +# Intended scope(s): system, project +#"os_compute_api:os-instance-actions:list": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-instance-actions":"rule:admin_or_owner" has been +# deprecated since 21.0.0 in favor of "os_compute_api:os-instance- +# actions:list":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-instance-actions": "rule:os_compute_api:os-instance-actions:list" + +# Show action details for a server. +# GET /servers/{server_id}/os-instance-actions/{request_id} +# Intended scope(s): system, project +#"os_compute_api:os-instance-actions:show": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-instance-actions":"rule:admin_or_owner" has been +# deprecated since 21.0.0 in favor of "os_compute_api:os-instance- +# actions:show":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-instance-actions": "rule:os_compute_api:os-instance-actions:show" + +# List all usage audits. +# GET /os-instance_usage_audit_log +# Intended scope(s): system +#"os_compute_api:os-instance-usage-audit-log:list": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-instance-usage-audit-log":"rule:admin_api" has +# been deprecated since 21.0.0 in favor of "os_compute_api:os- +# instance-usage-audit-log:list":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. 
Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-instance-usage-audit-log": "rule:os_compute_api:os-instance-usage-audit-log:list" + +# List all usage audits occurred before a specified time for all +# servers on all compute hosts where usage auditing is configured +# GET /os-instance_usage_audit_log/{before_timestamp} +# Intended scope(s): system +#"os_compute_api:os-instance-usage-audit-log:show": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-instance-usage-audit-log":"rule:admin_api" has +# been deprecated since 21.0.0 in favor of "os_compute_api:os- +# instance-usage-audit-log:show":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-instance-usage-audit-log": "rule:os_compute_api:os-instance-usage-audit-log:show" + +# Show IP addresses details for a network label of a server +# GET /servers/{server_id}/ips/{network_label} +# Intended scope(s): system, project +#"os_compute_api:ips:show": "rule:system_or_project_reader" + +# List IP addresses that are assigned to a server +# GET /servers/{server_id}/ips +# Intended scope(s): system, project +#"os_compute_api:ips:index": "rule:system_or_project_reader" + +# List all keypairs +# GET /os-keypairs +# Intended scope(s): system, project +#"os_compute_api:os-keypairs:index": "(rule:system_reader_api) or user_id:%(user_id)s" + +# Create a keypair +# POST /os-keypairs +# Intended scope(s): system, project +#"os_compute_api:os-keypairs:create": "(rule:system_admin_api) or user_id:%(user_id)s" + +# Delete a keypair +# DELETE /os-keypairs/{keypair_name} +# Intended scope(s): system, project +#"os_compute_api:os-keypairs:delete": "(rule:system_admin_api) or user_id:%(user_id)s" + +# Show details of a keypair +# GET /os-keypairs/{keypair_name} +# Intended scope(s): system, project 
+#"os_compute_api:os-keypairs:show": "(rule:system_reader_api) or user_id:%(user_id)s" + +# Show rate and absolute limits for the current user project +# GET /limits +# Intended scope(s): system, project +#"os_compute_api:limits": "@" + +# Show rate and absolute limits of other project. +# +# This policy only checks if the user has access to the requested +# project limits. And this check is performed only after the check +# os_compute_api:limits passes +# GET /limits +# Intended scope(s): system +#"os_compute_api:limits:other_project": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-used-limits":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of +# "os_compute_api:limits:other_project":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-used-limits": "rule:os_compute_api:limits:other_project" + +# Lock a server +# POST /servers/{server_id}/action (lock) +# Intended scope(s): system, project +#"os_compute_api:os-lock-server:lock": "rule:system_admin_or_owner" + +# Unlock a server +# POST /servers/{server_id}/action (unlock) +# Intended scope(s): system, project +#"os_compute_api:os-lock-server:unlock": "rule:system_admin_or_owner" + +# Unlock a server, regardless who locked the server. 
+# +# This check is performed only after the check os_compute_api:os-lock- +# server:unlock passes +# POST /servers/{server_id}/action (unlock) +# Intended scope(s): system, project +#"os_compute_api:os-lock-server:unlock:unlock_override": "rule:system_admin_api" + +# Cold migrate a server to a host +# POST /servers/{server_id}/action (migrate) +# Intended scope(s): system, project +#"os_compute_api:os-migrate-server:migrate": "rule:system_admin_api" + +# Live migrate a server to a new host without a reboot +# POST /servers/{server_id}/action (os-migrateLive) +# Intended scope(s): system, project +#"os_compute_api:os-migrate-server:migrate_live": "rule:system_admin_api" + +# List migrations +# GET /os-migrations +# Intended scope(s): system +#"os_compute_api:os-migrations:index": "rule:system_reader_api" + +# Add a fixed IP address to a server. +# +# This API is proxy calls to the Network service. This is deprecated. +# POST /servers/{server_id}/action (addFixedIp) +# Intended scope(s): system, project +#"os_compute_api:os-multinic:add": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-multinic":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# multinic:add":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-multinic": "rule:os_compute_api:os-multinic:add" + +# Remove a fixed IP address from a server. +# +# This API is proxy calls to the Network service. This is deprecated. +# POST /servers/{server_id}/action (removeFixedIp) +# Intended scope(s): system, project +#"os_compute_api:os-multinic:remove": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-multinic":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# multinic:remove":"rule:system_admin_or_owner". 
+# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-multinic": "rule:os_compute_api:os-multinic:remove" + +# List networks for the project. +# +# This API is proxy calls to the Network service. This is deprecated. +# GET /os-networks +# Intended scope(s): system, project +#"os_compute_api:os-networks:list": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-networks:view":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# networks:list":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-networks:view": "rule:os_compute_api:os-networks:list" + +# Show network details. +# +# This API is proxy calls to the Network service. This is deprecated. +# GET /os-networks/{network_id} +# Intended scope(s): system, project +#"os_compute_api:os-networks:show": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-networks:view":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# networks:show":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. 
+#"os_compute_api:os-networks:view": "rule:os_compute_api:os-networks:show" + +# Pause a server +# POST /servers/{server_id}/action (pause) +# Intended scope(s): system, project +#"os_compute_api:os-pause-server:pause": "rule:system_admin_or_owner" + +# Unpause a paused server +# POST /servers/{server_id}/action (unpause) +# Intended scope(s): system, project +#"os_compute_api:os-pause-server:unpause": "rule:system_admin_or_owner" + +# List quotas for specific quota classs +# GET /os-quota-class-sets/{quota_class} +# Intended scope(s): system +#"os_compute_api:os-quota-class-sets:show": "rule:system_reader_api" + +# Update quotas for specific quota class +# PUT /os-quota-class-sets/{quota_class} +# Intended scope(s): system +#"os_compute_api:os-quota-class-sets:update": "rule:system_admin_api" + +# Update the quotas +# PUT /os-quota-sets/{tenant_id} +# Intended scope(s): system +#"os_compute_api:os-quota-sets:update": "rule:system_admin_api" + +# List default quotas +# GET /os-quota-sets/{tenant_id}/defaults +# Intended scope(s): system, project +#"os_compute_api:os-quota-sets:defaults": "@" + +# Show a quota +# GET /os-quota-sets/{tenant_id} +# Intended scope(s): system, project +#"os_compute_api:os-quota-sets:show": "rule:system_or_project_reader" + +# Revert quotas to defaults +# DELETE /os-quota-sets/{tenant_id} +# Intended scope(s): system +#"os_compute_api:os-quota-sets:delete": "rule:system_admin_api" + +# Show the detail of quota +# GET /os-quota-sets/{tenant_id}/detail +# Intended scope(s): system, project +#"os_compute_api:os-quota-sets:detail": "rule:system_or_project_reader" + +# Generate a URL to access remove server console. +# +# This policy is for ``POST /remote-consoles`` API and below Server +# actions APIs are deprecated: +# +# - ``os-getRDPConsole`` - ``os-getSerialConsole`` - ``os- +# getSPICEConsole`` - ``os-getVNCConsole``. 
+# POST /servers/{server_id}/action (os-getRDPConsole) +# POST /servers/{server_id}/action (os-getSerialConsole) +# POST /servers/{server_id}/action (os-getSPICEConsole) +# POST /servers/{server_id}/action (os-getVNCConsole) +# POST /servers/{server_id}/remote-consoles +# Intended scope(s): system, project +#"os_compute_api:os-remote-consoles": "rule:system_admin_or_owner" + +# Rescue a server +# POST /servers/{server_id}/action (rescue) +# Intended scope(s): system, project +#"os_compute_api:os-rescue": "rule:system_admin_or_owner" + +# Unrescue a server +# POST /servers/{server_id}/action (unrescue) +# Intended scope(s): system, project +#"os_compute_api:os-unrescue": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-rescue":"rule:admin_or_owner" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# unrescue":"rule:system_admin_or_owner". +# Rescue/Unrescue API policies are made granular with new policy for +# unrescue and keeping old policy for rescue. +#"os_compute_api:os-rescue": "rule:os_compute_api:os-unrescue" + +# List security groups. This API is deprecated. +# GET /os-security-groups +# Intended scope(s): system, project +#"os_compute_api:os-security-groups:get": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-security- +# groups:get":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:get" + +# Show security group. This API is deprecated. 
+# GET /os-security-groups/{security_group_id} +# Intended scope(s): system, project +#"os_compute_api:os-security-groups:show": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-security- +# groups:show":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:show" + +# Create security group. This API is deprecated. +# POST /os-security-groups +# Intended scope(s): system, project +#"os_compute_api:os-security-groups:create": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-security- +# groups:create":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:create" + +# Update security group. This API is deprecated. +# PUT /os-security-groups/{security_group_id} +# Intended scope(s): system, project +#"os_compute_api:os-security-groups:update": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-security- +# groups:update":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:update" + +# Delete security group. 
This API is deprecated. +# DELETE /os-security-groups/{security_group_id} +# Intended scope(s): system, project +#"os_compute_api:os-security-groups:delete": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-security- +# groups:delete":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:delete" + +# Create security group Rule. This API is deprecated. +# POST /os-security-group-rules +# Intended scope(s): system, project +#"os_compute_api:os-security-groups:rule:create": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-security- +# groups:rule:create":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:rule:create" + +# Delete security group Rule. This API is deprecated. +# DELETE /os-security-group-rules/{security_group_id} +# Intended scope(s): system, project +#"os_compute_api:os-security-groups:rule:delete": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-security- +# groups:rule:delete":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. 
+#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:rule:delete" + +# List security groups of server. +# GET /servers/{server_id}/os-security-groups +# Intended scope(s): system, project +#"os_compute_api:os-security-groups:list": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been +# deprecated since 21.0.0 in favor of "os_compute_api:os-security- +# groups:list":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:list" + +# Add security groups to server. +# POST /servers/{server_id}/action (addSecurityGroup) +# Intended scope(s): system, project +#"os_compute_api:os-security-groups:add": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been +# deprecated since 21.0.0 in favor of "os_compute_api:os-security- +# groups:add":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:add" + +# Remove security groups from server. +# POST /servers/{server_id}/action (removeSecurityGroup) +# Intended scope(s): system, project +#"os_compute_api:os-security-groups:remove": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been +# deprecated since 21.0.0 in favor of "os_compute_api:os-security- +# groups:remove":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. 
Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:remove" + +# Show the usage data for a server +# GET /servers/{server_id}/diagnostics +# Intended scope(s): system, project +#"os_compute_api:os-server-diagnostics": "rule:system_admin_api" + +# Create one or more external events +# POST /os-server-external-events +# Intended scope(s): system +#"os_compute_api:os-server-external-events:create": "rule:system_admin_api" + +# Create a new server group +# POST /os-server-groups +# Intended scope(s): project +#"os_compute_api:os-server-groups:create": "rule:project_member_api" + +# Delete a server group +# DELETE /os-server-groups/{server_group_id} +# Intended scope(s): system, project +#"os_compute_api:os-server-groups:delete": "rule:system_admin_or_owner" + +# List all server groups +# GET /os-server-groups +# Intended scope(s): system, project +#"os_compute_api:os-server-groups:index": "rule:system_or_project_reader" + +# List all server groups for all projects +# GET /os-server-groups +# Intended scope(s): system +#"os_compute_api:os-server-groups:index:all_projects": "rule:system_reader_api" + +# Show details of a server group +# GET /os-server-groups/{server_group_id} +# Intended scope(s): system, project +#"os_compute_api:os-server-groups:show": "rule:system_or_project_reader" + +# List all metadata of a server +# GET /servers/{server_id}/metadata +# Intended scope(s): system, project +#"os_compute_api:server-metadata:index": "rule:system_or_project_reader" + +# Show metadata for a server +# GET /servers/{server_id}/metadata/{key} +# Intended scope(s): system, project +#"os_compute_api:server-metadata:show": "rule:system_or_project_reader" + +# Create metadata for a server +# POST /servers/{server_id}/metadata +# Intended scope(s): system, project +#"os_compute_api:server-metadata:create": "rule:system_admin_or_owner" + +# Replace metadata for a 
server +# PUT /servers/{server_id}/metadata +# Intended scope(s): system, project +#"os_compute_api:server-metadata:update_all": "rule:system_admin_or_owner" + +# Update metadata from a server +# PUT /servers/{server_id}/metadata/{key} +# Intended scope(s): system, project +#"os_compute_api:server-metadata:update": "rule:system_admin_or_owner" + +# Delete metadata from a server +# DELETE /servers/{server_id}/metadata/{key} +# Intended scope(s): system, project +#"os_compute_api:server-metadata:delete": "rule:system_admin_or_owner" + +# Show the encrypted administrative password of a server +# GET /servers/{server_id}/os-server-password +# Intended scope(s): system, project +#"os_compute_api:os-server-password:show": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-server-password":"rule:admin_or_owner" has been +# deprecated since 21.0.0 in favor of "os_compute_api:os-server- +# password:show":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-server-password": "rule:os_compute_api:os-server-password:show" + +# Clear the encrypted administrative password of a server +# DELETE /servers/{server_id}/os-server-password +# Intended scope(s): system, project +#"os_compute_api:os-server-password:clear": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-server-password":"rule:admin_or_owner" has been +# deprecated since 21.0.0 in favor of "os_compute_api:os-server- +# password:clear":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. 
+#"os_compute_api:os-server-password": "rule:os_compute_api:os-server-password:clear" + +# Delete all the server tags +# DELETE /servers/{server_id}/tags +# Intended scope(s): system, project +#"os_compute_api:os-server-tags:delete_all": "rule:system_admin_or_owner" + +# List all tags for given server +# GET /servers/{server_id}/tags +# Intended scope(s): system, project +#"os_compute_api:os-server-tags:index": "rule:system_or_project_reader" + +# Replace all tags on specified server with the new set of tags. +# PUT /servers/{server_id}/tags +# Intended scope(s): system, project +#"os_compute_api:os-server-tags:update_all": "rule:system_admin_or_owner" + +# Delete a single tag from the specified server +# DELETE /servers/{server_id}/tags/{tag} +# Intended scope(s): system, project +#"os_compute_api:os-server-tags:delete": "rule:system_admin_or_owner" + +# Add a single tag to the server if server has no specified tag +# PUT /servers/{server_id}/tags/{tag} +# Intended scope(s): system, project +#"os_compute_api:os-server-tags:update": "rule:system_admin_or_owner" + +# Check tag existence on the server. 
+# GET /servers/{server_id}/tags/{tag} +# Intended scope(s): system, project +#"os_compute_api:os-server-tags:show": "rule:system_or_project_reader" + +# Show the NUMA topology data for a server +# GET /servers/{server_id}/topology +# Intended scope(s): system, project +#"compute:server:topology:index": "rule:system_or_project_reader" + +# Show the NUMA topology data for a server with host NUMA ID and CPU +# pinning information +# GET /servers/{server_id}/topology +# Intended scope(s): system +#"compute:server:topology:host:index": "rule:system_reader_api" + +# List all servers +# GET /servers +# Intended scope(s): system, project +#"os_compute_api:servers:index": "rule:system_or_project_reader" + +# List all servers with detailed information +# GET /servers/detail +# Intended scope(s): system, project +#"os_compute_api:servers:detail": "rule:system_or_project_reader" + +# List all servers for all projects +# GET /servers +# Intended scope(s): system +#"os_compute_api:servers:index:get_all_tenants": "rule:system_reader_api" + +# List all servers with detailed information for all projects +# GET /servers/detail +# Intended scope(s): system +#"os_compute_api:servers:detail:get_all_tenants": "rule:system_reader_api" + +# Allow all filters when listing servers +# GET /servers +# GET /servers/detail +# Intended scope(s): system +#"os_compute_api:servers:allow_all_filters": "rule:system_reader_api" + +# Show a server +# GET /servers/{server_id} +# Intended scope(s): system, project +#"os_compute_api:servers:show": "rule:system_or_project_reader" + +# Show a server with additional host status information. +# +# This means host_status will be shown irrespective of status value. +# If showing only host_status UNKNOWN is desired, use the +# ``os_compute_api:servers:show:host_status:unknown-only`` policy +# rule. 
+# +# Microvision 2.75 added the ``host_status`` attribute in the ``PUT +# /servers/{server_id}`` and ``POST /servers/{server_id}/action +# (rebuild)`` API responses which are also controlled by this policy +# rule, like the ``GET /servers*`` APIs. +# GET /servers/{server_id} +# GET /servers/detail +# PUT /servers/{server_id} +# POST /servers/{server_id}/action (rebuild) +# Intended scope(s): system, project +#"os_compute_api:servers:show:host_status": "rule:system_admin_api" + +# Show a server with additional host status information, only if host +# status is UNKNOWN. +# +# This policy rule will only be enforced when the +# ``os_compute_api:servers:show:host_status`` policy rule does not +# pass for the request. An example policy configuration could be where +# the ``os_compute_api:servers:show:host_status`` rule is set to allow +# admin-only and the +# ``os_compute_api:servers:show:host_status:unknown-only`` rule is set +# to allow everyone. +# GET /servers/{server_id} +# GET /servers/detail +# PUT /servers/{server_id} +# POST /servers/{server_id}/action (rebuild) +# Intended scope(s): system, project +#"os_compute_api:servers:show:host_status:unknown-only": "rule:system_admin_api" + +# Create a server +# POST /servers +# Intended scope(s): project +#"os_compute_api:servers:create": "rule:project_member_api" + +# Create a server on the specified host and/or node. +# +# In this case, the server is forced to launch on the specified host +# and/or node by bypassing the scheduler filters unlike the +# ``compute:servers:create:requested_destination`` rule. +# POST /servers +# Intended scope(s): system, project +#"os_compute_api:servers:create:forced_host": "rule:project_admin_api" + +# Create a server on the requested compute service host and/or +# hypervisor_hostname. +# +# In this case, the requested host and/or hypervisor_hostname is +# validated by the scheduler filters unlike the +# ``os_compute_api:servers:create:forced_host`` rule. 
+# POST /servers +# Intended scope(s): system, project +#"compute:servers:create:requested_destination": "rule:project_admin_api" + +# Create a server with the requested volume attached to it +# POST /servers +# Intended scope(s): project +#"os_compute_api:servers:create:attach_volume": "rule:project_member_api" + +# Create a server with the requested network attached to it +# POST /servers +# Intended scope(s): project +#"os_compute_api:servers:create:attach_network": "rule:project_member_api" + +# Create a server with trusted image certificate IDs +# POST /servers +# Intended scope(s): project +#"os_compute_api:servers:create:trusted_certs": "rule:project_member_api" + +# This rule controls the compute API validation behavior of creating a +# server with a flavor that has 0 disk, indicating the server should +# be volume-backed. +# +# For a flavor with disk=0, the root disk will be set to exactly the +# size of the image used to deploy the instance. However, in this case +# the filter_scheduler cannot select the compute host based on the +# virtual image size. Therefore, 0 should only be used for volume +# booted instances or for testing purposes. +# +# WARNING: It is a potential security exposure to enable this policy +# rule if users can upload their own images since repeated attempts to +# create a disk=0 flavor instance with a large image can exhaust the +# local disk of the compute (or shared storage cluster). See bug +# https://bugs.launchpad.net/nova/+bug/1739646 for details. 
+# POST /servers +# Intended scope(s): system, project +#"os_compute_api:servers:create:zero_disk_flavor": "rule:project_admin_api" + +# Attach an unshared external network to a server +# POST /servers +# POST /servers/{server_id}/os-interface +# Intended scope(s): system, project +#"network:attach_external_network": "rule:project_admin_api" + +# Delete a server +# DELETE /servers/{server_id} +# Intended scope(s): system, project +#"os_compute_api:servers:delete": "rule:system_admin_or_owner" + +# Update a server +# PUT /servers/{server_id} +# Intended scope(s): system, project +#"os_compute_api:servers:update": "rule:system_admin_or_owner" + +# Confirm a server resize +# POST /servers/{server_id}/action (confirmResize) +# Intended scope(s): system, project +#"os_compute_api:servers:confirm_resize": "rule:system_admin_or_owner" + +# Revert a server resize +# POST /servers/{server_id}/action (revertResize) +# Intended scope(s): system, project +#"os_compute_api:servers:revert_resize": "rule:system_admin_or_owner" + +# Reboot a server +# POST /servers/{server_id}/action (reboot) +# Intended scope(s): system, project +#"os_compute_api:servers:reboot": "rule:system_admin_or_owner" + +# Resize a server +# POST /servers/{server_id}/action (resize) +# Intended scope(s): system, project +#"os_compute_api:servers:resize": "rule:system_admin_or_owner" + +# Resize a server across cells. By default, this is disabled for all +# users and recommended to be tested in a deployment for admin users +# before opening it up to non-admin users. Resizing within a cell is +# the default preferred behavior even if this is enabled. +# POST /servers/{server_id}/action (resize) +# Intended scope(s): system, project +#"compute:servers:resize:cross_cell": "!" 
+ +# Rebuild a server +# POST /servers/{server_id}/action (rebuild) +# Intended scope(s): system, project +#"os_compute_api:servers:rebuild": "rule:system_admin_or_owner" + +# Rebuild a server with trusted image certificate IDs +# POST /servers/{server_id}/action (rebuild) +# Intended scope(s): system, project +#"os_compute_api:servers:rebuild:trusted_certs": "rule:system_admin_or_owner" + +# Create an image from a server +# POST /servers/{server_id}/action (createImage) +# Intended scope(s): system, project +#"os_compute_api:servers:create_image": "rule:system_admin_or_owner" + +# Create an image from a volume backed server +# POST /servers/{server_id}/action (createImage) +# Intended scope(s): system, project +#"os_compute_api:servers:create_image:allow_volume_backed": "rule:system_admin_or_owner" + +# Start a server +# POST /servers/{server_id}/action (os-start) +# Intended scope(s): system, project +#"os_compute_api:servers:start": "rule:system_admin_or_owner" + +# Stop a server +# POST /servers/{server_id}/action (os-stop) +# Intended scope(s): system, project +#"os_compute_api:servers:stop": "rule:system_admin_or_owner" + +# Trigger crash dump in a server +# POST /servers/{server_id}/action (trigger_crash_dump) +# Intended scope(s): system, project +#"os_compute_api:servers:trigger_crash_dump": "rule:system_admin_or_owner" + +# Show details for an in-progress live migration for a given server +# GET /servers/{server_id}/migrations/{migration_id} +# Intended scope(s): system, project +#"os_compute_api:servers:migrations:show": "rule:system_reader_api" + +# Force an in-progress live migration for a given server to complete +# POST /servers/{server_id}/migrations/{migration_id}/action (force_complete) +# Intended scope(s): system, project +#"os_compute_api:servers:migrations:force_complete": "rule:system_admin_api" + +# Delete(Abort) an in-progress live migration +# DELETE /servers/{server_id}/migrations/{migration_id} +# Intended scope(s): system, project 
+#"os_compute_api:servers:migrations:delete": "rule:system_admin_api" + +# Lists in-progress live migrations for a given server +# GET /servers/{server_id}/migrations +# Intended scope(s): system, project +#"os_compute_api:servers:migrations:index": "rule:system_reader_api" + +# List all running Compute services in a region. +# GET /os-services +# Intended scope(s): system +#"os_compute_api:os-services:list": "rule:system_reader_api" + +# DEPRECATED +# "os_compute_api:os-services":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# services:list":"rule:system_reader_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-services": "rule:os_compute_api:os-services:list" + +# Update a Compute service. +# PUT /os-services/{service_id} +# Intended scope(s): system +#"os_compute_api:os-services:update": "rule:system_admin_api" + +# DEPRECATED +# "os_compute_api:os-services":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# services:update":"rule:system_admin_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-services": "rule:os_compute_api:os-services:update" + +# Delete a Compute service. +# DELETE /os-services/{service_id} +# Intended scope(s): system +#"os_compute_api:os-services:delete": "rule:system_admin_api" + +# DEPRECATED +# "os_compute_api:os-services":"rule:admin_api" has been deprecated +# since 21.0.0 in favor of "os_compute_api:os- +# services:delete":"rule:system_admin_api". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. 
+#"os_compute_api:os-services": "rule:os_compute_api:os-services:delete" + +# Shelve server +# POST /servers/{server_id}/action (shelve) +# Intended scope(s): system, project +#"os_compute_api:os-shelve:shelve": "rule:system_admin_or_owner" + +# Unshelve (restore) shelved server +# POST /servers/{server_id}/action (unshelve) +# Intended scope(s): system, project +#"os_compute_api:os-shelve:unshelve": "rule:system_admin_or_owner" + +# Shelf-offload (remove) server +# POST /servers/{server_id}/action (shelveOffload) +# Intended scope(s): system, project +#"os_compute_api:os-shelve:shelve_offload": "rule:system_admin_api" + +# Show usage statistics for a specific tenant +# GET /os-simple-tenant-usage/{tenant_id} +# Intended scope(s): system, project +#"os_compute_api:os-simple-tenant-usage:show": "rule:system_or_project_reader" + +# List per tenant usage statistics for all tenants +# GET /os-simple-tenant-usage +# Intended scope(s): system +#"os_compute_api:os-simple-tenant-usage:list": "rule:system_reader_api" + +# Resume suspended server +# POST /servers/{server_id}/action (resume) +# Intended scope(s): system, project +#"os_compute_api:os-suspend-server:resume": "rule:system_admin_or_owner" + +# Suspend server +# POST /servers/{server_id}/action (suspend) +# Intended scope(s): system, project +#"os_compute_api:os-suspend-server:suspend": "rule:system_admin_or_owner" + +# List project networks. +# +# This API is proxy calls to the Network service. This is deprecated. +# GET /os-tenant-networks +# Intended scope(s): system, project +#"os_compute_api:os-tenant-networks:list": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-tenant-networks":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-tenant- +# networks:list":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. 
Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-tenant-networks": "rule:os_compute_api:os-tenant-networks:list" + +# Show project network details. +# +# This API is proxy calls to the Network service. This is deprecated. +# GET /os-tenant-networks/{network_id} +# Intended scope(s): system, project +#"os_compute_api:os-tenant-networks:show": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-tenant-networks":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os-tenant- +# networks:show":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-tenant-networks": "rule:os_compute_api:os-tenant-networks:show" + +# List volumes. +# +# This API is a proxy call to the Volume service. It is deprecated. +# GET /os-volumes +# Intended scope(s): system, project +#"os_compute_api:os-volumes:list": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-volumes":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# volumes:list":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:list" + +# Create volume. +# +# This API is a proxy call to the Volume service. It is deprecated. +# POST /os-volumes +# Intended scope(s): system, project +#"os_compute_api:os-volumes:create": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-volumes":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# volumes:create":"rule:system_admin_or_owner". 
+# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:create" + +# List volumes detail. +# +# This API is a proxy call to the Volume service. It is deprecated. +# GET /os-volumes/detail +# Intended scope(s): system, project +#"os_compute_api:os-volumes:detail": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-volumes":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# volumes:detail":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:detail" + +# Show volume. +# +# This API is a proxy call to the Volume service. It is deprecated. +# GET /os-volumes/{volume_id} +# Intended scope(s): system, project +#"os_compute_api:os-volumes:show": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-volumes":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# volumes:show":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:show" + +# Delete volume. +# +# This API is a proxy call to the Volume service. It is deprecated. +# DELETE /os-volumes/{volume_id} +# Intended scope(s): system, project +#"os_compute_api:os-volumes:delete": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-volumes":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# volumes:delete":"rule:system_admin_or_owner". 
+# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:delete" + +# List snapshots. +# +# This API is a proxy call to the Volume service. It is deprecated. +# GET /os-snapshots +# Intended scope(s): system, project +#"os_compute_api:os-volumes:snapshots:list": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-volumes":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# volumes:snapshots:list":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:list" + +# Create snapshots. +# +# This API is a proxy call to the Volume service. It is deprecated. +# POST /os-snapshots +# Intended scope(s): system, project +#"os_compute_api:os-volumes:snapshots:create": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-volumes":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# volumes:snapshots:create":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:create" + +# List snapshots details. +# +# This API is a proxy call to the Volume service. It is deprecated. 
+# GET /os-snapshots/detail +# Intended scope(s): system, project +#"os_compute_api:os-volumes:snapshots:detail": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-volumes":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# volumes:snapshots:detail":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:detail" + +# Show snapshot. +# +# This API is a proxy call to the Volume service. It is deprecated. +# GET /os-snapshots/{snapshot_id} +# Intended scope(s): system, project +#"os_compute_api:os-volumes:snapshots:show": "rule:system_or_project_reader" + +# DEPRECATED +# "os_compute_api:os-volumes":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# volumes:snapshots:show":"rule:system_or_project_reader". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:show" + +# Delete snapshot. +# +# This API is a proxy call to the Volume service. It is deprecated. +# DELETE /os-snapshots/{snapshot_id} +# Intended scope(s): system, project +#"os_compute_api:os-volumes:snapshots:delete": "rule:system_admin_or_owner" + +# DEPRECATED +# "os_compute_api:os-volumes":"rule:admin_or_owner" has been +# deprecated since 22.0.0 in favor of "os_compute_api:os- +# volumes:snapshots:delete":"rule:system_admin_or_owner". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. 
+#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:delete" + +# List volume attachments for an instance +# GET /servers/{server_id}/os-volume_attachments +# Intended scope(s): system, project +#"os_compute_api:os-volumes-attachments:index": "rule:system_or_project_reader" + +# Attach a volume to an instance +# POST /servers/{server_id}/os-volume_attachments +# Intended scope(s): system, project +#"os_compute_api:os-volumes-attachments:create": "rule:system_admin_or_owner" + +# Show details of a volume attachment +# GET /servers/{server_id}/os-volume_attachments/{volume_id} +# Intended scope(s): system, project +#"os_compute_api:os-volumes-attachments:show": "rule:system_or_project_reader" + +# Update a volume attachment. New 'update' policy about 'swap + +# update' request (which is possible only >2.85) only is +# checked. We expect to be always superset of this +# policy permission. +# PUT /servers/{server_id}/os-volume_attachments/{volume_id} +# Intended scope(s): system, project +#"os_compute_api:os-volumes-attachments:update": "rule:system_admin_or_owner" + +# Update a volume attachment with a different volumeId +# PUT /servers/{server_id}/os-volume_attachments/{volume_id} +# Intended scope(s): system +#"os_compute_api:os-volumes-attachments:swap": "rule:system_admin_api" + +# Detach a volume from an instance +# DELETE /servers/{server_id}/os-volume_attachments/{volume_id} +# Intended scope(s): system, project +#"os_compute_api:os-volumes-attachments:delete": "rule:system_admin_or_owner" + diff --git a/openstack_dashboard/defaults.py b/openstack_dashboard/defaults.py index 6b151ae719..45ce2d230a 100644 --- a/openstack_dashboard/defaults.py +++ b/openstack_dashboard/defaults.py 
@@ -73,11 +73,11 @@ POLICY_FILES_PATH = os.path.join(_get_root_path(), "conf")
 # Having matching policy files on the Horizon and Keystone servers is essential
 # for normal operation. This holds true for all services and their policy files.
 POLICY_FILES = {
- 'identity': 'keystone_policy.json',
- 'compute': 'nova_policy.json',
- 'volume': 'cinder_policy.json',
- 'image': 'glance_policy.json',
- 'network': 'neutron_policy.json',
+ 'identity': 'keystone_policy.yaml',
+ 'compute': 'nova_policy.yaml',
+ 'volume': 'cinder_policy.yaml',
+ 'image': 'glance_policy.yaml',
+ 'network': 'neutron_policy.yaml',
 }
 # Services for which horizon has extra policies are defined
 # in POLICY_DIRS by default.
@@ -85,6 +85,13 @@ POLICY_DIRS = {
 'compute': ['nova_policy.d'],
 'volume': ['cinder_policy.d'],
 }
+DEFAULT_POLICY_FILES = {
+ 'identity': 'default_policies/keystone.yaml',
+ 'compute': 'default_policies/nova.yaml',
+ 'volume': 'default_policies/cinder.yaml',
+ 'image': 'default_policies/glance.yaml',
+ 'network': 'default_policies/neutron.yaml',
+}
 POLICY_CHECK_FUNCTION = 'openstack_auth.policy.check'
 SITE_BRANDING = 'OpenStack Dashboard'
diff --git a/openstack_dashboard/management/commands/dump_default_policies.py b/openstack_dashboard/management/commands/dump_default_policies.py
new file mode 100644
index 0000000000..d253536362
--- /dev/null
+++ b/openstack_dashboard/management/commands/dump_default_policies.py
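Review bot: `DEFAULT_POLICY_FILES` in the second hunk is added without any comment, while the neighbouring `POLICY_FILES` block explains that its files must match the back-end servers; the new setting needs the same kind of note, because (per the commit message) these files are a snapshot of the services' in-code defaults taken before the horizon release and will drift from a back-end running a different release. Suggested comment above the dict: `# Registered (in-code) default policies of each back-end service, dumped with` / `# the dump_default_policies command as a snapshot for this release. A back-end` / `# on another release may register different defaults; operators override via POLICY_FILES.` It would also help to state whether these paths are resolved relative to `POLICY_FILES_PATH` like `POLICY_FILES`, which I assume but cannot confirm from this hunk. As far as I can tell horizon's checks only decide what the dashboard offers and the back-end API still enforces its own policy, so drift here is a usability rather than an authorization problem, but that is exactly the expectation worth writing down next to the setting.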
@@ -0,0 +1,82 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import logging +import sys + +from django.core.management.base import BaseCommand +from oslo_policy import generator +import yaml + + +LOG = logging.getLogger(__name__) + + +def _load_default_policies(namespace): + defaults = generator.get_policies_dict([namespace]) + return defaults.get(namespace) + + +def _format_default_policy(default): + data = { + 'name': default.name, + 'check_str': default.check_str, + 'description': default.description, + } + data['operations'] = getattr(default, 'operations', []) + data['scope_types'] = getattr(default, 'scope_types', None) + + if default.deprecated_for_removal: + data['deprecated_for_removal'] = True + data['deprecated_since'] = default.deprecated_since + data['deprecated_reason'] = default.deprecated_reason + + if default.deprecated_rule: + data['deprecated_rule'] = { + 'name': default.deprecated_rule.name, + 'check_str': default.deprecated_rule.check_str, + } + data['deprecated_since'] = default.deprecated_since + data['deprecated_reason'] = default.deprecated_reason + + return data + + +def _write_yaml_file(policies, output_file): + stream = open(output_file, 'w') if output_file else sys.stdout + yaml.dump(policies, stream=stream) + if output_file: + stream.close() + + +class Command(BaseCommand): + help = ("Dump default policies of back-end services defined in codes " + "as YAML file so that horizon can load default policies.") + + def add_arguments(self, 
parser): + parser.add_argument( + '--namespace', + required=True, + help='Namespace under "oslo.policy.policies" to query.') + parser.add_argument( + '--output-file', + help='Path of the file to write to. Defaults to stdout.') + + def handle(self, *args, **options): + namespace = options['namespace'] + defaults = _load_default_policies(namespace) + if defaults is None: + LOG.error('The requested namespace "%s" is not found.', namespace) + sys.exit(1) + + policies = [_format_default_policy(default) for default in defaults] + _write_yaml_file(policies, options['output_file']) diff --git a/releasenotes/notes/policy-in-code-support-f79d559c25976215.yaml b/releasenotes/notes/policy-in-code-support-f79d559c25976215.yaml new file mode 100644 index 0000000000..d1f06895e2 --- /dev/null +++ b/releasenotes/notes/policy-in-code-support-f79d559c25976215.yaml @@ -0,0 +1,22 @@ +--- +features: + - | + Horizon supports the registered default policies and operators now + only need to define policies which they would like to override in policy + files in ``POLICY_FILES`` setting. (Previously the policy files need to + contain all defined policies including default policies.) + The registered default policies are defined in files under + ``DEFAULT_POLICY_FILES`` and they are synced with registered defaults + of back-end services before the horizon release. +issues: + - | + Policies with the system scoped token (``system_scope:all``) are not + supported in horizon yet. The horizon team recognizes it as an important + feature gap and would like to support it in near future. +upgrade: + - | + The format of the policy files under ``POLICY_FILES`` is changed to YAML + and all contents of these files are commented out now. You only need to + define policies which you would like to modify from the default. + You can still use policy files with JSON format. If you continue to use + JSON format, configure ``POLICY_FILES`` setting to point JSON files. 
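Review bot: `_write_yaml_file` opens `output_file` without a context manager, so if `yaml.dump` raises the handle is never closed (the `if output_file: stream.close()` only runs on success) and a partially written policy file is left behind; a `with` block for the file path, keeping the stdout path as is, fixes both. `handle` calls `sys.exit(1)` for an unknown namespace, whereas Django management commands conventionally `raise CommandError('The requested namespace "%s" is not found.' % namespace)` (imported alongside `BaseCommand`), which still exits non-zero and keeps the command callable from tests. `_load_default_policies` would benefit from a one-line comment saying that `generator.get_policies_dict` reads the `oslo.policy.policies` entry points of the service packages installed where the command runs (as the `--namespace` help text indicates), so the dump reflects the installed versions rather than the deployed back-ends.
```python
def _write_yaml_file(policies, output_file):
    # stdout is not ours to close; only a real output file gets a context manager.
    if not output_file:
        yaml.dump(policies, stream=sys.stdout)
        return
    with open(output_file, 'w') as stream:
        yaml.dump(policies, stream=stream)
# … unchanged: Command class …
```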
diff --git a/requirements.txt b/requirements.txt index 02089ef6c1..aaa9ad13a6 100644 --- a/requirements.txt +++ b/requirements.txt @@ -23,10 +23,10 @@ netaddr>=0.7.18 # BSD oslo.concurrency>=3.26.0 # Apache-2.0 oslo.config>=5.2.0 # Apache-2.0 oslo.i18n>=3.15.3 # Apache-2.0 -oslo.policy>=1.30.0 # Apache-2.0 +oslo.policy>=3.2.0 # Apache-2.0 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0 oslo.upgradecheck>=0.1.1 # Apache-2.0 -oslo.utils>=3.33.0 # Apache-2.0 +oslo.utils>=3.40.0 # Apache-2.0 osprofiler>=2.3.0 # Apache-2.0 pymongo!=3.1,>=3.0.2 # Apache-2.0 pyScss>=1.3.7 # MIT License