# Decides what is required for the 'is_admin:True' check to succeed. #"context_is_admin": "role:admin" # DEPRECATED # "rule:admin_api":"is_admin:True" has been deprecated since 21.0.0 in # favor of "context_is_admin":"role:admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "rule:admin_api": "rule:context_is_admin" # DEPRECATED # "admin_or_owner" has been deprecated since 21.0.0. # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # Default rule for most non-Admin APIs. #"admin_or_owner": "is_admin:True or project_id:%(project_id)s" # DEPRECATED # "admin_api" has been deprecated since 21.0.0. # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # Default rule for most Admin APIs. #"admin_api": "is_admin:True" # Default rule for Project level non admin APIs. #"project_member_api": "role:member and project_id:%(project_id)s" # DEPRECATED # "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s" # has been deprecated since 21.0.0 in favor of # "project_member_api":"role:member and project_id:%(project_id)s". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. 
# This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "rule:admin_or_owner": "rule:project_member_api" # Default rule for Project level read only APIs. #"project_reader_api": "role:reader and project_id:%(project_id)s" # DEPRECATED # "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s" # has been deprecated since 21.0.0 in favor of # "project_reader_api":"role:reader and project_id:%(project_id)s". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "rule:admin_or_owner": "rule:project_reader_api" # Default rule for Project Member or admin APIs. #"project_member_or_admin": "rule:project_member_api or rule:context_is_admin" # DEPRECATED # "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s" # has been deprecated since 21.0.0 in favor of # "project_member_or_admin":"rule:project_member_api or # rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. 
# Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "rule:admin_or_owner": "rule:project_member_or_admin" # Default rule for Project reader or admin APIs. #"project_reader_or_admin": "rule:project_reader_api or rule:context_is_admin" # DEPRECATED # "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s" # has been deprecated since 21.0.0 in favor of # "project_reader_or_admin":"rule:project_reader_api or # rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". 
# "rule:admin_or_owner": "rule:project_reader_or_admin" # Reset the state of a given server # POST /servers/{server_id}/action (os-resetState) # Intended scope(s): project #"os_compute_api:os-admin-actions:reset_state": "rule:context_is_admin" # Inject network information into the server # POST /servers/{server_id}/action (injectNetworkInfo) # Intended scope(s): project #"os_compute_api:os-admin-actions:inject_network_info": "rule:context_is_admin" # Change the administrative password for a server # POST /servers/{server_id}/action (changePassword) # Intended scope(s): project #"os_compute_api:os-admin-password": "rule:project_member_or_admin" # Create or replace metadata for an aggregate # POST /os-aggregates/{aggregate_id}/action (set_metadata) # Intended scope(s): project #"os_compute_api:os-aggregates:set_metadata": "rule:context_is_admin" # Add a host to an aggregate # POST /os-aggregates/{aggregate_id}/action (add_host) # Intended scope(s): project #"os_compute_api:os-aggregates:add_host": "rule:context_is_admin" # Create an aggregate # POST /os-aggregates # Intended scope(s): project #"os_compute_api:os-aggregates:create": "rule:context_is_admin" # Remove a host from an aggregate # POST /os-aggregates/{aggregate_id}/action (remove_host) # Intended scope(s): project #"os_compute_api:os-aggregates:remove_host": "rule:context_is_admin" # Update name and/or availability zone for an aggregate # PUT /os-aggregates/{aggregate_id} # Intended scope(s): project #"os_compute_api:os-aggregates:update": "rule:context_is_admin" # List all aggregates # GET /os-aggregates # Intended scope(s): project #"os_compute_api:os-aggregates:index": "rule:context_is_admin" # Delete an aggregate # DELETE /os-aggregates/{aggregate_id} # Intended scope(s): project #"os_compute_api:os-aggregates:delete": "rule:context_is_admin" # Show details for an aggregate # GET /os-aggregates/{aggregate_id} # Intended scope(s): project #"os_compute_api:os-aggregates:show": "rule:context_is_admin" # 
Request image caching for an aggregate # POST /os-aggregates/{aggregate_id}/images # Intended scope(s): project #"compute:aggregates:images": "rule:context_is_admin" # Create an assisted volume snapshot # POST /os-assisted-volume-snapshots # Intended scope(s): project #"os_compute_api:os-assisted-volume-snapshots:create": "rule:context_is_admin" # Delete an assisted volume snapshot # DELETE /os-assisted-volume-snapshots/{snapshot_id} # Intended scope(s): project #"os_compute_api:os-assisted-volume-snapshots:delete": "rule:context_is_admin" # List port interfaces attached to a server # GET /servers/{server_id}/os-interface # Intended scope(s): project #"os_compute_api:os-attach-interfaces:list": "rule:project_reader_or_admin" # DEPRECATED # "os_compute_api:os-attach-interfaces":"rule:admin_or_owner" has been # deprecated since 21.0.0 in favor of "os_compute_api:os-attach- # interfaces:list":"rule:project_reader_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:list" # Show details of a port interface attached to a server # GET /servers/{server_id}/os-interface/{port_id} # Intended scope(s): project #"os_compute_api:os-attach-interfaces:show": "rule:project_reader_or_admin" # DEPRECATED # "os_compute_api:os-attach-interfaces":"rule:admin_or_owner" has been # deprecated since 21.0.0 in favor of "os_compute_api:os-attach- # interfaces:show":"rule:project_reader_or_admin". 
# Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:show" # Attach an interface to a server # POST /servers/{server_id}/os-interface # Intended scope(s): project #"os_compute_api:os-attach-interfaces:create": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-attach-interfaces":"rule:admin_or_owner" has been # deprecated since 21.0.0 in favor of "os_compute_api:os-attach- # interfaces:create":"rule:project_member_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". 
# "os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:create" # Detach an interface from a server # DELETE /servers/{server_id}/os-interface/{port_id} # Intended scope(s): project #"os_compute_api:os-attach-interfaces:delete": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-attach-interfaces":"rule:admin_or_owner" has been # deprecated since 21.0.0 in favor of "os_compute_api:os-attach- # interfaces:delete":"rule:project_member_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:delete" # List availability zone information without host information # GET /os-availability-zone # Intended scope(s): project #"os_compute_api:os-availability-zone:list": "@" # List detailed availability zone information with host information # GET /os-availability-zone/detail # Intended scope(s): project #"os_compute_api:os-availability-zone:detail": "rule:context_is_admin" # List and show details of bare metal nodes. # # These APIs are proxy calls to the Ironic service and are deprecated. # GET /os-baremetal-nodes # Intended scope(s): project #"os_compute_api:os-baremetal-nodes:list": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-baremetal-nodes":"rule:admin_api" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-baremetal- # nodes:list":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. 
Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-baremetal-nodes": "rule:os_compute_api:os-baremetal-nodes:list" # Show details of a bare metal node. # GET /os-baremetal-nodes/{node_id} # Intended scope(s): project #"os_compute_api:os-baremetal-nodes:show": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-baremetal-nodes":"rule:admin_api" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-baremetal- # nodes:show":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". 
# "os_compute_api:os-baremetal-nodes": "rule:os_compute_api:os-baremetal-nodes:show" # Show console connection information for a given console # authentication token # GET /os-console-auth-tokens/{console_token} # Intended scope(s): project #"os_compute_api:os-console-auth-tokens": "rule:context_is_admin" # Show console output for a server # POST /servers/{server_id}/action (os-getConsoleOutput) # Intended scope(s): project #"os_compute_api:os-console-output": "rule:project_member_or_admin" # Create a back up of a server # POST /servers/{server_id}/action (createBackup) # Intended scope(s): project #"os_compute_api:os-create-backup": "rule:project_member_or_admin" # Restore a soft deleted server # POST /servers/{server_id}/action (restore) # Intended scope(s): project #"os_compute_api:os-deferred-delete:restore": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-deferred-delete":"rule:admin_or_owner" has been # deprecated since 21.0.0 in favor of "os_compute_api:os-deferred- # delete:restore":"rule:project_member_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". 
# "os_compute_api:os-deferred-delete": "rule:os_compute_api:os-deferred-delete:restore" # Force delete a server before deferred cleanup # POST /servers/{server_id}/action (forceDelete) # Intended scope(s): project #"os_compute_api:os-deferred-delete:force": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-deferred-delete":"rule:admin_or_owner" has been # deprecated since 21.0.0 in favor of "os_compute_api:os-deferred- # delete:force":"rule:project_member_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-deferred-delete": "rule:os_compute_api:os-deferred-delete:force" # Evacuate a server from a failed host to a new host # POST /servers/{server_id}/action (evacuate) # Intended scope(s): project #"os_compute_api:os-evacuate": "rule:context_is_admin" # Return extended attributes for server. 
# # This rule controls the visibility of a set of server # attributes: # # - ``OS-EXT-SRV-ATTR:host`` # - ``OS-EXT-SRV-ATTR:instance_name`` # - ``OS-EXT-SRV-ATTR:reservation_id`` (since microversion 2.3) # - ``OS-EXT-SRV-ATTR:launch_index`` (since microversion 2.3) # - ``OS-EXT-SRV-ATTR:hostname`` (since microversion 2.3) # - ``OS-EXT-SRV-ATTR:kernel_id`` (since microversion 2.3) # - ``OS-EXT-SRV-ATTR:ramdisk_id`` (since microversion 2.3) # - ``OS-EXT-SRV-ATTR:root_device_name`` (since microversion 2.3) # - ``OS-EXT-SRV-ATTR:user_data`` (since microversion 2.3) # # Microversion 2.75 added the above attributes to the ``PUT # /servers/{server_id}`` and ``POST /servers/{server_id}/action # (rebuild)`` API responses, which are also controlled by this policy # rule, like the ``GET /servers*`` APIs. # # Microversion 2.90 made the ``OS-EXT-SRV-ATTR:hostname`` attribute # available to all users, so this policy has no effect on that field # for microversions 2.90 and greater. Controlling the visibility of # this attribute for all microversions is therefore deprecated and # will be removed in a future release. 
# GET /servers/{id} # GET /servers/detail # PUT /servers/{server_id} # POST /servers/{server_id}/action (rebuild) # Intended scope(s): project #"os_compute_api:os-extended-server-attributes": "rule:context_is_admin" # List available extensions and show information for an extension by # alias # GET /extensions # GET /extensions/{alias} # Intended scope(s): project #"os_compute_api:extensions": "@" # Add flavor access to a tenant # POST /flavors/{flavor_id}/action (addTenantAccess) # Intended scope(s): project #"os_compute_api:os-flavor-access:add_tenant_access": "rule:context_is_admin" # Remove flavor access from a tenant # POST /flavors/{flavor_id}/action (removeTenantAccess) # Intended scope(s): project #"os_compute_api:os-flavor-access:remove_tenant_access": "rule:context_is_admin" # List flavor access information # # Allows access to the full list of tenants that have access to a # flavor via an os-flavor-access API. # GET /flavors/{flavor_id}/os-flavor-access # Intended scope(s): project #"os_compute_api:os-flavor-access": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-flavor-access":"rule:admin_or_owner" has been # deprecated since 21.0.0 in favor of "os_compute_api:os-flavor- # access":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. 
# Show an extra spec for a flavor # GET /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key} # Intended scope(s): project #"os_compute_api:os-flavor-extra-specs:show": "rule:project_reader_or_admin" # Create extra specs for a flavor # POST /flavors/{flavor_id}/os-extra_specs/ # Intended scope(s): project #"os_compute_api:os-flavor-extra-specs:create": "rule:context_is_admin" # Update an extra spec for a flavor # PUT /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key} # Intended scope(s): project #"os_compute_api:os-flavor-extra-specs:update": "rule:context_is_admin" # Delete an extra spec for a flavor # DELETE /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key} # Intended scope(s): project #"os_compute_api:os-flavor-extra-specs:delete": "rule:context_is_admin" # List extra specs for a flavor. Starting with microversion 2.61, # extra specs may be returned in responses for the flavor resource. # GET /flavors/{flavor_id}/os-extra_specs/ # POST /flavors # GET /flavors/detail # GET /flavors/{flavor_id} # PUT /flavors/{flavor_id} # Intended scope(s): project #"os_compute_api:os-flavor-extra-specs:index": "rule:project_reader_or_admin" # Create a flavor # POST /flavors # Intended scope(s): project #"os_compute_api:os-flavor-manage:create": "rule:context_is_admin" # Update a flavor # PUT /flavors/{flavor_id} # Intended scope(s): project #"os_compute_api:os-flavor-manage:update": "rule:context_is_admin" # Delete a flavor # DELETE /flavors/{flavor_id} # Intended scope(s): project #"os_compute_api:os-flavor-manage:delete": "rule:context_is_admin" # List floating IP pools. This API is deprecated. # GET /os-floating-ip-pools # Intended scope(s): project #"os_compute_api:os-floating-ip-pools": "@" # Associate floating IPs to server. This API is deprecated. 
# POST /servers/{server_id}/action (addFloatingIp) # Intended scope(s): project #"os_compute_api:os-floating-ips:add": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-floating- # ips:add":"rule:project_member_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:add" # Disassociate floating IPs from server. This API is deprecated. # POST /servers/{server_id}/action (removeFloatingIp) # Intended scope(s): project #"os_compute_api:os-floating-ips:remove": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-floating- # ips:remove":"rule:project_member_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:remove" # List floating IPs. 
This API is deprecated. # GET /os-floating-ips # Intended scope(s): project #"os_compute_api:os-floating-ips:list": "rule:project_reader_or_admin" # DEPRECATED # "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-floating- # ips:list":"rule:project_reader_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:list" # Create floating IPs. This API is deprecated. # POST /os-floating-ips # Intended scope(s): project #"os_compute_api:os-floating-ips:create": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-floating- # ips:create":"rule:project_member_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:create" # Show floating IPs. This API is deprecated. 
# GET /os-floating-ips/{floating_ip_id} # Intended scope(s): project #"os_compute_api:os-floating-ips:show": "rule:project_reader_or_admin" # DEPRECATED # "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-floating- # ips:show":"rule:project_reader_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:show" # Delete floating IPs. This API is deprecated. # DELETE /os-floating-ips/{floating_ip_id} # Intended scope(s): project #"os_compute_api:os-floating-ips:delete": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-floating- # ips:delete":"rule:project_member_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:delete" # List physical hosts. 
# # This API is deprecated in favor of os-hypervisors and os-services. # GET /os-hosts # Intended scope(s): project #"os_compute_api:os-hosts:list": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since # 22.0.0 in favor of "os_compute_api:os- # hosts:list":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:list" # Show physical host. # # This API is deprecated in favor of os-hypervisors and os-services. # GET /os-hosts/{host_name} # Intended scope(s): project #"os_compute_api:os-hosts:show": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since # 22.0.0 in favor of "os_compute_api:os- # hosts:show":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:show" # Update physical host. # # This API is deprecated in favor of os-hypervisors and os-services. 
# PUT /os-hosts/{host_name} # Intended scope(s): project #"os_compute_api:os-hosts:update": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since # 22.0.0 in favor of "os_compute_api:os- # hosts:update":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:update" # Reboot physical host. # # This API is deprecated in favor of os-hypervisors and os-services. # GET /os-hosts/{host_name}/reboot # Intended scope(s): project #"os_compute_api:os-hosts:reboot": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since # 22.0.0 in favor of "os_compute_api:os- # hosts:reboot":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:reboot" # Shutdown physical host. # # This API is deprecated in favor of os-hypervisors and os-services. 
# GET /os-hosts/{host_name}/shutdown # Intended scope(s): project #"os_compute_api:os-hosts:shutdown": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since # 22.0.0 in favor of "os_compute_api:os- # hosts:shutdown":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:shutdown" # Start physical host. # # This API is deprecated in favor of os-hypervisors and os-services. # GET /os-hosts/{host_name}/startup # Intended scope(s): project #"os_compute_api:os-hosts:start": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since # 22.0.0 in favor of "os_compute_api:os- # hosts:start":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:start" # List all hypervisors. 
# GET /os-hypervisors # Intended scope(s): project #"os_compute_api:os-hypervisors:list": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated # since 21.0.0 in favor of "os_compute_api:os- # hypervisors:list":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:list" # List all hypervisors with details # GET /os-hypervisors/details # Intended scope(s): project #"os_compute_api:os-hypervisors:list-detail": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated # since 21.0.0 in favor of "os_compute_api:os-hypervisors:list- # detail":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:list-detail" # Show summary statistics for all hypervisors over all compute nodes. 
# GET /os-hypervisors/statistics # Intended scope(s): project #"os_compute_api:os-hypervisors:statistics": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated # since 21.0.0 in favor of "os_compute_api:os- # hypervisors:statistics":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:statistics" # Show details for a hypervisor. # GET /os-hypervisors/{hypervisor_id} # Intended scope(s): project #"os_compute_api:os-hypervisors:show": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated # since 21.0.0 in favor of "os_compute_api:os- # hypervisors:show":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:show" # Show the uptime of a hypervisor. 
# GET /os-hypervisors/{hypervisor_id}/uptime # Intended scope(s): project #"os_compute_api:os-hypervisors:uptime": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated # since 21.0.0 in favor of "os_compute_api:os- # hypervisors:uptime":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:uptime" # Search hypervisor by hypervisor_hostname pattern. # GET /os-hypervisors/{hypervisor_hostname_pattern}/search # Intended scope(s): project #"os_compute_api:os-hypervisors:search": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated # since 21.0.0 in favor of "os_compute_api:os- # hypervisors:search":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". 
# "os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:search" # List all servers on hypervisors that can match the provided # hypervisor_hostname pattern. # GET /os-hypervisors/{hypervisor_hostname_pattern}/servers # Intended scope(s): project #"os_compute_api:os-hypervisors:servers": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated # since 21.0.0 in favor of "os_compute_api:os- # hypervisors:servers":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:servers" # Add "details" key in action events for a server. # # This check is performed only after the check os_compute_api:os- # instance-actions:show passes. Beginning with Microversion 2.84, a new # field 'details' is exposed via API which can have more details about # event failure. That field is controlled by this policy which is # system reader by default (note: the default rule listed below is # rule:context_is_admin). Making the 'details' field visible to the # non-admin user helps to understand the nature of the problem (i.e. # if the action can be retried), but on the other hand it might leak # information about the deployment (e.g. the type of the hypervisor). # GET /servers/{server_id}/os-instance-actions/{request_id} # Intended scope(s): project #"os_compute_api:os-instance-actions:events:details": "rule:context_is_admin" # Add events details in action details for a server.
This check is # performed only after the check os_compute_api:os-instance- # actions:show passes. Beginning with Microversion 2.51, events # details are always included; traceback information is provided per # event if policy enforcement passes. Beginning with Microversion # 2.62, each event includes a hashed host identifier and, if policy # enforcement passes, the name of the host. # GET /servers/{server_id}/os-instance-actions/{request_id} # Intended scope(s): project #"os_compute_api:os-instance-actions:events": "rule:context_is_admin" # List actions for a server. # GET /servers/{server_id}/os-instance-actions # Intended scope(s): project #"os_compute_api:os-instance-actions:list": "rule:project_reader_or_admin" # DEPRECATED # "os_compute_api:os-instance-actions":"rule:admin_or_owner" has been # deprecated since 21.0.0 in favor of "os_compute_api:os-instance- # actions:list":"rule:project_reader_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-instance-actions": "rule:os_compute_api:os-instance-actions:list" # Show action details for a server. # GET /servers/{server_id}/os-instance-actions/{request_id} # Intended scope(s): project #"os_compute_api:os-instance-actions:show": "rule:project_reader_or_admin" # DEPRECATED # "os_compute_api:os-instance-actions":"rule:admin_or_owner" has been # deprecated since 21.0.0 in favor of "os_compute_api:os-instance- # actions:show":"rule:project_reader_or_admin". 
# Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-instance-actions": "rule:os_compute_api:os-instance-actions:show" # List all usage audits. # GET /os-instance_usage_audit_log # Intended scope(s): project #"os_compute_api:os-instance-usage-audit-log:list": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-instance-usage-audit-log":"rule:admin_api" has # been deprecated since 21.0.0 in favor of "os_compute_api:os- # instance-usage-audit-log:list":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". 
# "os_compute_api:os-instance-usage-audit-log": "rule:os_compute_api:os-instance-usage-audit-log:list" # List all usage audits that occurred before a specified time for all # servers on all compute hosts where usage auditing is configured # GET /os-instance_usage_audit_log/{before_timestamp} # Intended scope(s): project #"os_compute_api:os-instance-usage-audit-log:show": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-instance-usage-audit-log":"rule:admin_api" has # been deprecated since 21.0.0 in favor of "os_compute_api:os- # instance-usage-audit-log:show":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name".
# "os_compute_api:os-instance-usage-audit-log": "rule:os_compute_api:os-instance-usage-audit-log:show" # Show IP addresses details for a network label of a server # GET /servers/{server_id}/ips/{network_label} # Intended scope(s): project #"os_compute_api:ips:show": "rule:project_reader_or_admin" # List IP addresses that are assigned to a server # GET /servers/{server_id}/ips # Intended scope(s): project #"os_compute_api:ips:index": "rule:project_reader_or_admin" # List all keypairs # GET /os-keypairs # Intended scope(s): project #"os_compute_api:os-keypairs:index": "(rule:context_is_admin) or user_id:%(user_id)s" # Create a keypair # POST /os-keypairs # Intended scope(s): project #"os_compute_api:os-keypairs:create": "(rule:context_is_admin) or user_id:%(user_id)s" # Delete a keypair # DELETE /os-keypairs/{keypair_name} # Intended scope(s): project #"os_compute_api:os-keypairs:delete": "(rule:context_is_admin) or user_id:%(user_id)s" # Show details of a keypair # GET /os-keypairs/{keypair_name} # Intended scope(s): project #"os_compute_api:os-keypairs:show": "(rule:context_is_admin) or user_id:%(user_id)s" # Show rate and absolute limits for the current user project # GET /limits # Intended scope(s): project #"os_compute_api:limits": "@" # Show rate and absolute limits of other project. # # This policy only checks if the user has access to the requested # project limits. And this check is performed only after the check # os_compute_api:limits passes # GET /limits # Intended scope(s): project #"os_compute_api:limits:other_project": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-used-limits":"rule:admin_api" has been deprecated # since 21.0.0 in favor of # "os_compute_api:limits:other_project":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. 
# This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-used-limits": "rule:os_compute_api:limits:other_project" # Lock a server # POST /servers/{server_id}/action (lock) # Intended scope(s): project #"os_compute_api:os-lock-server:lock": "rule:project_member_or_admin" # Unlock a server # POST /servers/{server_id}/action (unlock) # Intended scope(s): project #"os_compute_api:os-lock-server:unlock": "rule:project_member_or_admin" # Unlock a server, regardless of who locked the server. # # This check is performed only after the check os_compute_api:os-lock- # server:unlock passes # POST /servers/{server_id}/action (unlock) # Intended scope(s): project #"os_compute_api:os-lock-server:unlock:unlock_override": "rule:context_is_admin" # Cold migrate a server without specifying a host # POST /servers/{server_id}/action (migrate) # Intended scope(s): project #"os_compute_api:os-migrate-server:migrate": "rule:context_is_admin" # Cold migrate a server to a specified host # POST /servers/{server_id}/action (migrate) # Intended scope(s): project #"os_compute_api:os-migrate-server:migrate:host": "rule:context_is_admin" # Live migrate a server to a new host without a reboot # POST /servers/{server_id}/action (os-migrateLive) # Intended scope(s): project #"os_compute_api:os-migrate-server:migrate_live": "rule:context_is_admin" # List migrations # GET /os-migrations # Intended scope(s): project #"os_compute_api:os-migrations:index": "rule:context_is_admin" # Add a fixed IP address to a server. # # This API proxies calls to the Network service. This is deprecated.
# POST /servers/{server_id}/action (addFixedIp) # Intended scope(s): project #"os_compute_api:os-multinic:add": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-multinic":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os- # multinic:add":"rule:project_member_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-multinic": "rule:os_compute_api:os-multinic:add" # Remove a fixed IP address from a server. # # This API proxies calls to the Network service. This is deprecated. # POST /servers/{server_id}/action (removeFixedIp) # Intended scope(s): project #"os_compute_api:os-multinic:remove": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-multinic":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os- # multinic:remove":"rule:project_member_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name".
# "os_compute_api:os-multinic": "rule:os_compute_api:os-multinic:remove" # List networks for the project. # # This API proxies calls to the Network service. This is deprecated. # GET /os-networks # Intended scope(s): project #"os_compute_api:os-networks:list": "rule:project_reader_or_admin" # DEPRECATED # "os_compute_api:os-networks:view":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os- # networks:list":"rule:project_reader_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-networks:view": "rule:os_compute_api:os-networks:list" # Show network details. # # This API proxies calls to the Network service. This is deprecated. # GET /os-networks/{network_id} # Intended scope(s): project #"os_compute_api:os-networks:show": "rule:project_reader_or_admin" # DEPRECATED # "os_compute_api:os-networks:view":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os- # networks:show":"rule:project_reader_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias.
# Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-networks:view": "rule:os_compute_api:os-networks:show" # Pause a server # POST /servers/{server_id}/action (pause) # Intended scope(s): project #"os_compute_api:os-pause-server:pause": "rule:project_member_or_admin" # Unpause a paused server # POST /servers/{server_id}/action (unpause) # Intended scope(s): project #"os_compute_api:os-pause-server:unpause": "rule:project_member_or_admin" # List quotas for specific quota classes # GET /os-quota-class-sets/{quota_class} # Intended scope(s): project #"os_compute_api:os-quota-class-sets:show": "rule:context_is_admin" # Update quotas for specific quota class # PUT /os-quota-class-sets/{quota_class} # Intended scope(s): project #"os_compute_api:os-quota-class-sets:update": "rule:context_is_admin" # Update the quotas # PUT /os-quota-sets/{tenant_id} # Intended scope(s): project #"os_compute_api:os-quota-sets:update": "rule:context_is_admin" # List default quotas # GET /os-quota-sets/{tenant_id}/defaults # Intended scope(s): project #"os_compute_api:os-quota-sets:defaults": "@" # Show a quota # GET /os-quota-sets/{tenant_id} # Intended scope(s): project #"os_compute_api:os-quota-sets:show": "rule:project_reader_or_admin" # Revert quotas to defaults # DELETE /os-quota-sets/{tenant_id} # Intended scope(s): project #"os_compute_api:os-quota-sets:delete": "rule:context_is_admin" # Show the detail of quota # GET /os-quota-sets/{tenant_id}/detail # Intended scope(s): project #"os_compute_api:os-quota-sets:detail": "rule:project_reader_or_admin" # Generate a URL to access a remote server console. # # This policy is for the ``POST /remote-consoles`` API and the Server # action APIs below, which are deprecated: # # - ``os-getSerialConsole`` - ``os-getSPICEConsole`` - ``os- # getVNCConsole``.
# POST /servers/{server_id}/action (os-getSerialConsole) # POST /servers/{server_id}/action (os-getSPICEConsole) # POST /servers/{server_id}/action (os-getVNCConsole) # POST /servers/{server_id}/remote-consoles # Intended scope(s): project #"os_compute_api:os-remote-consoles": "rule:project_member_or_admin" # Rescue a server # POST /servers/{server_id}/action (rescue) # Intended scope(s): project #"os_compute_api:os-rescue": "rule:project_member_or_admin" # Unrescue a server # POST /servers/{server_id}/action (unrescue) # Intended scope(s): project #"os_compute_api:os-unrescue": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-rescue":"rule:admin_or_owner" has been deprecated # since 21.0.0 in favor of "os_compute_api:os- # unrescue":"rule:project_member_or_admin". # Rescue/Unrescue API policies are made granular with new policy for # unrescue and keeping old policy for rescue. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-rescue": "rule:os_compute_api:os-unrescue" # List security groups. This API is deprecated. # GET /os-security-groups # Intended scope(s): project #"os_compute_api:os-security-groups:get": "rule:project_reader_or_admin" # DEPRECATED # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-security- # groups:get":"rule:project_reader_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. 
# This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:get" # Show security group. This API is deprecated. # GET /os-security-groups/{security_group_id} # Intended scope(s): project #"os_compute_api:os-security-groups:show": "rule:project_reader_or_admin" # DEPRECATED # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-security- # groups:show":"rule:project_reader_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:show" # Create security group. This API is deprecated. # POST /os-security-groups # Intended scope(s): project #"os_compute_api:os-security-groups:create": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-security- # groups:create":"rule:project_member_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. 
# This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:create" # Update security group. This API is deprecated. # PUT /os-security-groups/{security_group_id} # Intended scope(s): project #"os_compute_api:os-security-groups:update": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-security- # groups:update":"rule:project_member_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:update" # Delete security group. This API is deprecated. # DELETE /os-security-groups/{security_group_id} # Intended scope(s): project #"os_compute_api:os-security-groups:delete": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-security- # groups:delete":"rule:project_member_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. 
# WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:delete" # Create security group Rule. This API is deprecated. # POST /os-security-group-rules # Intended scope(s): project #"os_compute_api:os-security-groups:rule:create": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-security- # groups:rule:create":"rule:project_member_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:rule:create" # Delete security group Rule. This API is deprecated. # DELETE /os-security-group-rules/{security_group_id} # Intended scope(s): project #"os_compute_api:os-security-groups:rule:delete": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-security- # groups:rule:delete":"rule:project_member_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. 
Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:rule:delete" # List security groups of server. # GET /servers/{server_id}/os-security-groups # Intended scope(s): project #"os_compute_api:os-security-groups:list": "rule:project_reader_or_admin" # DEPRECATED # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-security- # groups:list":"rule:project_reader_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:list" # Add security groups to server. # POST /servers/{server_id}/action (addSecurityGroup) # Intended scope(s): project #"os_compute_api:os-security-groups:add": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-security- # groups:add":"rule:project_member_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. 
Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:add" # Remove security groups from server. # POST /servers/{server_id}/action (removeSecurityGroup) # Intended scope(s): project #"os_compute_api:os-security-groups:remove": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-security- # groups:remove":"rule:project_member_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". 
# "os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:remove" # Show the usage data for a server # GET /servers/{server_id}/diagnostics # Intended scope(s): project #"os_compute_api:os-server-diagnostics": "rule:context_is_admin" # Create one or more external events # POST /os-server-external-events # Intended scope(s): project #"os_compute_api:os-server-external-events:create": "rule:context_is_admin" # Create a new server group # POST /os-server-groups # Intended scope(s): project #"os_compute_api:os-server-groups:create": "rule:project_member_or_admin" # Delete a server group # DELETE /os-server-groups/{server_group_id} # Intended scope(s): project #"os_compute_api:os-server-groups:delete": "rule:project_member_or_admin" # List all server groups # GET /os-server-groups # Intended scope(s): project #"os_compute_api:os-server-groups:index": "rule:project_reader_or_admin" # List all server groups for all projects # GET /os-server-groups # Intended scope(s): project #"os_compute_api:os-server-groups:index:all_projects": "rule:context_is_admin" # Show details of a server group # GET /os-server-groups/{server_group_id} # Intended scope(s): project #"os_compute_api:os-server-groups:show": "rule:project_reader_or_admin" # List all metadata of a server # GET /servers/{server_id}/metadata # Intended scope(s): project #"os_compute_api:server-metadata:index": "rule:project_reader_or_admin" # Show metadata for a server # GET /servers/{server_id}/metadata/{key} # Intended scope(s): project #"os_compute_api:server-metadata:show": "rule:project_reader_or_admin" # Create metadata for a server # POST /servers/{server_id}/metadata # Intended scope(s): project #"os_compute_api:server-metadata:create": "rule:project_member_or_admin" # Replace metadata for a server # PUT /servers/{server_id}/metadata # Intended scope(s): project #"os_compute_api:server-metadata:update_all": "rule:project_member_or_admin" # Update metadata from a server # PUT 
/servers/{server_id}/metadata/{key} # Intended scope(s): project #"os_compute_api:server-metadata:update": "rule:project_member_or_admin" # Delete metadata from a server # DELETE /servers/{server_id}/metadata/{key} # Intended scope(s): project #"os_compute_api:server-metadata:delete": "rule:project_member_or_admin" # Show the encrypted administrative password of a server # GET /servers/{server_id}/os-server-password # Intended scope(s): project #"os_compute_api:os-server-password:show": "rule:project_reader_or_admin" # DEPRECATED # "os_compute_api:os-server-password":"rule:admin_or_owner" has been # deprecated since 21.0.0 in favor of "os_compute_api:os-server- # password:show":"rule:project_reader_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-server-password": "rule:os_compute_api:os-server-password:show" # Clear the encrypted administrative password of a server # DELETE /servers/{server_id}/os-server-password # Intended scope(s): project #"os_compute_api:os-server-password:clear": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-server-password":"rule:admin_or_owner" has been # deprecated since 21.0.0 in favor of "os_compute_api:os-server- # password:clear":"rule:project_member_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. 
# This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-server-password": "rule:os_compute_api:os-server-password:clear" # Delete all the server tags # DELETE /servers/{server_id}/tags # Intended scope(s): project #"os_compute_api:os-server-tags:delete_all": "rule:project_member_or_admin" # List all tags for given server # GET /servers/{server_id}/tags # Intended scope(s): project #"os_compute_api:os-server-tags:index": "rule:project_reader_or_admin" # Replace all tags on specified server with the new set of tags. # PUT /servers/{server_id}/tags # Intended scope(s): project #"os_compute_api:os-server-tags:update_all": "rule:project_member_or_admin" # Delete a single tag from the specified server # DELETE /servers/{server_id}/tags/{tag} # Intended scope(s): project #"os_compute_api:os-server-tags:delete": "rule:project_member_or_admin" # Add a single tag to the server if server has no specified tag # PUT /servers/{server_id}/tags/{tag} # Intended scope(s): project #"os_compute_api:os-server-tags:update": "rule:project_member_or_admin" # Check tag existence on the server. 
# GET /servers/{server_id}/tags/{tag} # Intended scope(s): project #"os_compute_api:os-server-tags:show": "rule:project_reader_or_admin" # Show the NUMA topology data for a server # GET /servers/{server_id}/topology # Intended scope(s): project #"compute:server:topology:index": "rule:project_reader_or_admin" # Show the NUMA topology data for a server with host NUMA ID and CPU # pinning information # GET /servers/{server_id}/topology # Intended scope(s): project #"compute:server:topology:host:index": "rule:context_is_admin" # List all servers # GET /servers # Intended scope(s): project #"os_compute_api:servers:index": "rule:project_reader_or_admin" # List all servers with detailed information # GET /servers/detail # Intended scope(s): project #"os_compute_api:servers:detail": "rule:project_reader_or_admin" # List all servers for all projects # GET /servers # Intended scope(s): project #"os_compute_api:servers:index:get_all_tenants": "rule:context_is_admin" # List all servers with detailed information for all projects # GET /servers/detail # Intended scope(s): project #"os_compute_api:servers:detail:get_all_tenants": "rule:context_is_admin" # Allow all filters when listing servers # GET /servers # GET /servers/detail # Intended scope(s): project #"os_compute_api:servers:allow_all_filters": "rule:context_is_admin" # Show a server # GET /servers/{server_id} # Intended scope(s): project #"os_compute_api:servers:show": "rule:project_reader_or_admin" # Starting with microversion 2.47, the flavor and its extra specs used # for a server is also returned in the response when showing server # details, updating a server or rebuilding a server. 
# GET /servers/detail # GET /servers/{server_id} # PUT /servers/{server_id} # POST /servers/{server_id}/action (rebuild) # Intended scope(s): project #"os_compute_api:servers:show:flavor-extra-specs": "rule:project_reader_or_admin" # DEPRECATED # "os_compute_api:os-flavor-extra-specs:index":"rule:admin_or_owner" # has been deprecated since 25.0.0 in favor of # "os_compute_api:servers:show:flavor-extra- # specs":"rule:project_reader_or_admin". # The policy for showing flavor extra specs in server API responses has # been separated out as a new policy. This policy is deprecated only for # that use, not for listing extra specs or showing them in flavor API # responses. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-flavor-extra-specs:index": "rule:os_compute_api:servers:show:flavor-extra-specs" # Show a server with additional host status information. # # This means host_status will be shown irrespective of status value. # If showing only host_status UNKNOWN is desired, use the # ``os_compute_api:servers:show:host_status:unknown-only`` policy # rule. # # Microversion 2.75 added the ``host_status`` attribute in the ``PUT # /servers/{server_id}`` and ``POST /servers/{server_id}/action # (rebuild)`` API responses which are also controlled by this policy # rule, like the ``GET /servers*`` APIs. # GET /servers/{server_id} # GET /servers/detail # PUT /servers/{server_id} # POST /servers/{server_id}/action (rebuild) # Intended scope(s): project #"os_compute_api:servers:show:host_status": "rule:context_is_admin" # Show a server with additional host status information, only if host # status is UNKNOWN. 
# # This policy rule will only be enforced when the # ``os_compute_api:servers:show:host_status`` policy rule does not # pass for the request. An example policy configuration could be where # the ``os_compute_api:servers:show:host_status`` rule is set to allow # admin-only and the # ``os_compute_api:servers:show:host_status:unknown-only`` rule is set # to allow everyone. # GET /servers/{server_id} # GET /servers/detail # PUT /servers/{server_id} # POST /servers/{server_id}/action (rebuild) # Intended scope(s): project #"os_compute_api:servers:show:host_status:unknown-only": "rule:context_is_admin" # Create a server # POST /servers # Intended scope(s): project #"os_compute_api:servers:create": "rule:project_member_or_admin" # Create a server on the specified host and/or node. # # In this case, the server is forced to launch on the specified host # and/or node by bypassing the scheduler filters unlike the # ``compute:servers:create:requested_destination`` rule. # POST /servers # Intended scope(s): project #"os_compute_api:servers:create:forced_host": "rule:context_is_admin" # Create a server on the requested compute service host and/or # hypervisor_hostname. # # In this case, the requested host and/or hypervisor_hostname is # validated by the scheduler filters unlike the # ``os_compute_api:servers:create:forced_host`` rule. 
# POST /servers # Intended scope(s): project #"compute:servers:create:requested_destination": "rule:context_is_admin" # Create a server with the requested volume attached to it # POST /servers # Intended scope(s): project #"os_compute_api:servers:create:attach_volume": "rule:project_member_or_admin" # Create a server with the requested network attached to it # POST /servers # Intended scope(s): project #"os_compute_api:servers:create:attach_network": "rule:project_member_or_admin" # Create a server with trusted image certificate IDs # POST /servers # Intended scope(s): project #"os_compute_api:servers:create:trusted_certs": "rule:project_member_or_admin" # This rule controls the compute API validation behavior of creating a # server with a flavor that has 0 disk, indicating the server should # be volume-backed. # # For a flavor with disk=0, the root disk will be set to exactly the # size of the image used to deploy the instance. However, in this case # the filter_scheduler cannot select the compute host based on the # virtual image size. Therefore, 0 should only be used for volume # booted instances or for testing purposes. # # WARNING: It is a potential security exposure to enable this policy # rule if users can upload their own images since repeated attempts to # create a disk=0 flavor instance with a large image can exhaust the # local disk of the compute (or shared storage cluster). See bug # https://bugs.launchpad.net/nova/+bug/1739646 for details. 
# POST /servers # Intended scope(s): project #"os_compute_api:servers:create:zero_disk_flavor": "rule:context_is_admin" # Attach an unshared external network to a server # POST /servers # POST /servers/{server_id}/os-interface # Intended scope(s): project #"network:attach_external_network": "rule:context_is_admin" # Delete a server # DELETE /servers/{server_id} # Intended scope(s): project #"os_compute_api:servers:delete": "rule:project_member_or_admin" # Update a server # PUT /servers/{server_id} # Intended scope(s): project #"os_compute_api:servers:update": "rule:project_member_or_admin" # Confirm a server resize # POST /servers/{server_id}/action (confirmResize) # Intended scope(s): project #"os_compute_api:servers:confirm_resize": "rule:project_member_or_admin" # Revert a server resize # POST /servers/{server_id}/action (revertResize) # Intended scope(s): project #"os_compute_api:servers:revert_resize": "rule:project_member_or_admin" # Reboot a server # POST /servers/{server_id}/action (reboot) # Intended scope(s): project #"os_compute_api:servers:reboot": "rule:project_member_or_admin" # Resize a server # POST /servers/{server_id}/action (resize) # Intended scope(s): project #"os_compute_api:servers:resize": "rule:project_member_or_admin" # Resize a server across cells. By default, this is disabled for all # users and recommended to be tested in a deployment for admin users # before opening it up to non-admin users. Resizing within a cell is # the default preferred behavior even if this is enabled. # POST /servers/{server_id}/action (resize) # Intended scope(s): project #"compute:servers:resize:cross_cell": "!" 
# Rebuild a server # POST /servers/{server_id}/action (rebuild) # Intended scope(s): project #"os_compute_api:servers:rebuild": "rule:project_member_or_admin" # Rebuild a server with trusted image certificate IDs # POST /servers/{server_id}/action (rebuild) # Intended scope(s): project #"os_compute_api:servers:rebuild:trusted_certs": "rule:project_member_or_admin" # Create an image from a server # POST /servers/{server_id}/action (createImage) # Intended scope(s): project #"os_compute_api:servers:create_image": "rule:project_member_or_admin" # Create an image from a volume backed server # POST /servers/{server_id}/action (createImage) # Intended scope(s): project #"os_compute_api:servers:create_image:allow_volume_backed": "rule:project_member_or_admin" # Start a server # POST /servers/{server_id}/action (os-start) # Intended scope(s): project #"os_compute_api:servers:start": "rule:project_member_or_admin" # Stop a server # POST /servers/{server_id}/action (os-stop) # Intended scope(s): project #"os_compute_api:servers:stop": "rule:project_member_or_admin" # Trigger crash dump in a server # POST /servers/{server_id}/action (trigger_crash_dump) # Intended scope(s): project #"os_compute_api:servers:trigger_crash_dump": "rule:project_member_or_admin" # Show details for an in-progress live migration for a given server # GET /servers/{server_id}/migrations/{migration_id} # Intended scope(s): project #"os_compute_api:servers:migrations:show": "rule:context_is_admin" # Force an in-progress live migration for a given server to complete # POST /servers/{server_id}/migrations/{migration_id}/action (force_complete) # Intended scope(s): project #"os_compute_api:servers:migrations:force_complete": "rule:context_is_admin" # Delete(Abort) an in-progress live migration # DELETE /servers/{server_id}/migrations/{migration_id} # Intended scope(s): project #"os_compute_api:servers:migrations:delete": "rule:context_is_admin" # Lists in-progress live migrations for a given server # GET 
/servers/{server_id}/migrations # Intended scope(s): project #"os_compute_api:servers:migrations:index": "rule:context_is_admin" # List all running Compute services in a region. # GET /os-services # Intended scope(s): project #"os_compute_api:os-services:list": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-services":"rule:admin_api" has been deprecated # since 21.0.0 in favor of "os_compute_api:os- # services:list":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-services": "rule:os_compute_api:os-services:list" # Update a Compute service. # PUT /os-services/{service_id} # Intended scope(s): project #"os_compute_api:os-services:update": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-services":"rule:admin_api" has been deprecated # since 21.0.0 in favor of "os_compute_api:os- # services:update":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". 
# "os_compute_api:os-services": "rule:os_compute_api:os-services:update" # Delete a Compute service. # DELETE /os-services/{service_id} # Intended scope(s): project #"os_compute_api:os-services:delete": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-services":"rule:admin_api" has been deprecated # since 21.0.0 in favor of "os_compute_api:os- # services:delete":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-services": "rule:os_compute_api:os-services:delete" # Shelve server # POST /servers/{server_id}/action (shelve) # Intended scope(s): project #"os_compute_api:os-shelve:shelve": "rule:project_member_or_admin" # Unshelve (restore) shelved server # POST /servers/{server_id}/action (unshelve) # Intended scope(s): project #"os_compute_api:os-shelve:unshelve": "rule:project_member_or_admin" # Unshelve (restore) shelve offloaded server to a specific host # POST /servers/{server_id}/action (unshelve) # Intended scope(s): project #"os_compute_api:os-shelve:unshelve_to_host": "rule:context_is_admin" # Shelf-offload (remove) server # POST /servers/{server_id}/action (shelveOffload) # Intended scope(s): project #"os_compute_api:os-shelve:shelve_offload": "rule:context_is_admin" # Show usage statistics for a specific tenant # GET /os-simple-tenant-usage/{tenant_id} # Intended scope(s): project #"os_compute_api:os-simple-tenant-usage:show": "rule:project_reader_or_admin" # List per tenant usage statistics for all tenants # GET /os-simple-tenant-usage 
# Intended scope(s): project #"os_compute_api:os-simple-tenant-usage:list": "rule:context_is_admin" # Resume suspended server # POST /servers/{server_id}/action (resume) # Intended scope(s): project #"os_compute_api:os-suspend-server:resume": "rule:project_member_or_admin" # Suspend server # POST /servers/{server_id}/action (suspend) # Intended scope(s): project #"os_compute_api:os-suspend-server:suspend": "rule:project_member_or_admin" # List project networks. # # This API is a proxy call to the Network service. It is deprecated. # GET /os-tenant-networks # Intended scope(s): project #"os_compute_api:os-tenant-networks:list": "rule:project_reader_or_admin" # DEPRECATED # "os_compute_api:os-tenant-networks":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-tenant- # networks:list":"rule:project_reader_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-tenant-networks": "rule:os_compute_api:os-tenant-networks:list" # Show project network details. # # This API is a proxy call to the Network service. It is deprecated. # GET /os-tenant-networks/{network_id} # Intended scope(s): project #"os_compute_api:os-tenant-networks:show": "rule:project_reader_or_admin" # DEPRECATED # "os_compute_api:os-tenant-networks":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-tenant- # networks:show":"rule:project_reader_or_admin". 
# Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-tenant-networks": "rule:os_compute_api:os-tenant-networks:show" # List volumes. # # This API is a proxy call to the Volume service. It is deprecated. # GET /os-volumes # Intended scope(s): project #"os_compute_api:os-volumes:list": "rule:project_reader_or_admin" # DEPRECATED # "os_compute_api:os-volumes":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os- # volumes:list":"rule:project_reader_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:list" # Create volume. # # This API is a proxy call to the Volume service. It is deprecated. # POST /os-volumes # Intended scope(s): project #"os_compute_api:os-volumes:create": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-volumes":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os- # volumes:create":"rule:project_member_or_admin". 
# Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:create" # List volumes detail. # # This API is a proxy call to the Volume service. It is deprecated. # GET /os-volumes/detail # Intended scope(s): project #"os_compute_api:os-volumes:detail": "rule:project_reader_or_admin" # DEPRECATED # "os_compute_api:os-volumes":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os- # volumes:detail":"rule:project_reader_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:detail" # Show volume. # # This API is a proxy call to the Volume service. It is deprecated. # GET /os-volumes/{volume_id} # Intended scope(s): project #"os_compute_api:os-volumes:show": "rule:project_reader_or_admin" # DEPRECATED # "os_compute_api:os-volumes":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os- # volumes:show":"rule:project_reader_or_admin". 
# Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:show" # Delete volume. # # This API is a proxy call to the Volume service. It is deprecated. # DELETE /os-volumes/{volume_id} # Intended scope(s): project #"os_compute_api:os-volumes:delete": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-volumes":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os- # volumes:delete":"rule:project_member_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:delete" # List snapshots. # # This API is a proxy call to the Volume service. It is deprecated. # GET /os-snapshots # Intended scope(s): project #"os_compute_api:os-volumes:snapshots:list": "rule:project_reader_or_admin" # DEPRECATED # "os_compute_api:os-volumes":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os- # volumes:snapshots:list":"rule:project_reader_or_admin". 
# Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:list" # Create snapshots. # # This API is a proxy call to the Volume service. It is deprecated. # POST /os-snapshots # Intended scope(s): project #"os_compute_api:os-volumes:snapshots:create": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-volumes":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os- # volumes:snapshots:create":"rule:project_member_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:create" # List snapshots details. # # This API is a proxy call to the Volume service. It is deprecated. 
# GET /os-snapshots/detail # Intended scope(s): project #"os_compute_api:os-volumes:snapshots:detail": "rule:project_reader_or_admin" # DEPRECATED # "os_compute_api:os-volumes":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os- # volumes:snapshots:detail":"rule:project_reader_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:detail" # Show snapshot. # # This API is a proxy call to the Volume service. It is deprecated. # GET /os-snapshots/{snapshot_id} # Intended scope(s): project #"os_compute_api:os-volumes:snapshots:show": "rule:project_reader_or_admin" # DEPRECATED # "os_compute_api:os-volumes":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os- # volumes:snapshots:show":"rule:project_reader_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:show" # Delete snapshot. 
# # This API is a proxy call to the Volume service. It is deprecated. # DELETE /os-snapshots/{snapshot_id} # Intended scope(s): project #"os_compute_api:os-volumes:snapshots:delete": "rule:project_member_or_admin" # DEPRECATED # "os_compute_api:os-volumes":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os- # volumes:snapshots:delete":"rule:project_member_or_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. # WARNING: A rule name change has been identified. # This may be an artifact of new rules being # included which require legacy fallback # rules to ensure proper policy behavior. # Alternatively, this may just be an alias. # Please evaluate on a case by case basis # keeping in mind the format for aliased # rules is: # "old_rule_name": "new_rule_name". # "os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:delete" # List volume attachments for an instance # GET /servers/{server_id}/os-volume_attachments # Intended scope(s): project #"os_compute_api:os-volumes-attachments:index": "rule:project_reader_or_admin" # Attach a volume to an instance # POST /servers/{server_id}/os-volume_attachments # Intended scope(s): project #"os_compute_api:os-volumes-attachments:create": "rule:project_member_or_admin" # Show details of a volume attachment # GET /servers/{server_id}/os-volume_attachments/{volume_id} # Intended scope(s): project #"os_compute_api:os-volumes-attachments:show": "rule:project_reader_or_admin" # Update a volume attachment. For a 'swap + # update' request (which is possible only >2.85), only the # ``os_compute_api:os-volumes-attachments:swap`` policy is checked; that # policy is expected to always be a superset of this policy's # permission. 
# PUT /servers/{server_id}/os-volume_attachments/{volume_id} # Intended scope(s): project #"os_compute_api:os-volumes-attachments:update": "rule:project_member_or_admin" # Update a volume attachment with a different volumeId # PUT /servers/{server_id}/os-volume_attachments/{volume_id} # Intended scope(s): project #"os_compute_api:os-volumes-attachments:swap": "rule:context_is_admin" # Detach a volume from an instance # DELETE /servers/{server_id}/os-volume_attachments/{volume_id} # Intended scope(s): project #"os_compute_api:os-volumes-attachments:delete": "rule:project_member_or_admin"