- check_str: ''
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:context_is_admin
    name: default
  deprecated_since: null
  description: Defines the default rule used for policies that historically had an
    empty policy in the supplied policy.json file.
  name: default
  operations: []
  scope_types: null
- check_str: role:admin
  description: Defines the rule for the is_admin:True check.
  name: context_is_admin
  operations: []
  scope_types: null
- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s and
    project_id:%(owner)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:default
    name: add_image
  deprecated_since: null
  description: Create new image
  name: add_image
  operations:
  - method: POST
    path: /v2/images
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:default
    name: delete_image
  deprecated_since: null
  description: Deletes the image
  name: delete_image
  operations:
  - method: DELETE
    path: /v2/images/{image_id}
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s
    or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s
    or 'shared':%(visibility)s))
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:default
    name: get_image
  deprecated_since: null
  description: Get specified image
  name: get_image
  operations:
  - method: GET
    path: /v2/images/{image_id}
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:reader and project_id:%(project_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:default
    name: get_images
  deprecated_since: null
  description: Get all available images
  name: get_images
  operations:
  - method: GET
    path: /v2/images
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:default
    name: modify_image
  deprecated_since: null
  description: Updates given image
  name: modify_image
  operations:
  - method: PATCH
    path: /v2/images/{image_id}
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Publicize given image
  name: publicize_image
  operations:
  - method: PATCH
    path: /v2/images/{image_id}
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:default
    name: communitize_image
  deprecated_since: null
  description: Communitize given image
  name: communitize_image
  operations:
  - method: PATCH
    path: /v2/images/{image_id}
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:member and (project_id:%(project_id)s
    or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s
    or 'shared':%(visibility)s))
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:default
    name: download_image
  deprecated_since: null
  description: Downloads given image
  name: download_image
  operations:
  - method: GET
    path: /v2/images/{image_id}/file
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:default
    name: upload_image
  deprecated_since: null
  description: Uploads data to specified image
  name: upload_image
  operations:
  - method: PUT
    path: /v2/images/{image_id}/file
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:default
    name: delete_image_location
  deprecated_since: null
  description: Deletes the location of given image
  name: delete_image_location
  operations:
  - method: PATCH
    path: /v2/images/{image_id}
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:reader and project_id:%(project_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:default
    name: get_image_location
  deprecated_since: null
  description: Reads the location of the image
  name: get_image_location
  operations:
  - method: GET
    path: /v2/images/{image_id}
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:default
    name: set_image_location
  deprecated_since: null
  description: Sets location URI to given image
  name: set_image_location
  operations:
  - method: PATCH
    path: /v2/images/{image_id}
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:default
    name: add_member
  deprecated_since: null
  description: Create image member
  name: add_member
  operations:
  - method: POST
    path: /v2/images/{image_id}/members
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:default
    name: delete_member
  deprecated_since: null
  description: Delete image member
  name: delete_member
  operations:
  - method: DELETE
    path: /v2/images/{image_id}/members/{member_id}
  scope_types:
  - project
- check_str: rule:context_is_admin or role:reader and (project_id:%(project_id)s or
    project_id:%(member_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:default
    name: get_member
  deprecated_since: null
  description: Show image member details
  name: get_member
  operations:
  - method: GET
    path: /v2/images/{image_id}/members/{member_id}
  scope_types:
  - project
- check_str: rule:context_is_admin or role:reader and (project_id:%(project_id)s or
    project_id:%(member_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:default
    name: get_members
  deprecated_since: null
  description: List image members
  name: get_members
  operations:
  - method: GET
    path: /v2/images/{image_id}/members
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:member and project_id:%(member_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:default
    name: modify_member
  deprecated_since: null
  description: Update image member
  name: modify_member
  operations:
  - method: PUT
    path: /v2/images/{image_id}/members/{member_id}
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Manage image cache
  name: manage_image_cache
  operations: []
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:default
    name: deactivate
  deprecated_since: null
  description: Deactivate image
  name: deactivate
  operations:
  - method: POST
    path: /v2/images/{image_id}/actions/deactivate
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:default
    name: reactivate
  deprecated_since: null
  description: Reactivate image
  name: reactivate
  operations:
  - method: POST
    path: /v2/images/{image_id}/actions/reactivate
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Copy existing image to other stores
  name: copy_image
  operations:
  - method: POST
    path: /v2/images/{image_id}/import
  scope_types:
  - project
- check_str: rule:default
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:default
    name: get_task
  deprecated_since: null
  description: 'Get an image task.


    This granular policy controls access to tasks, both from the tasks API as well

    as internal locations in Glance that use tasks (like import). Practically this

    cannot be more restrictive than the policy that controls import or things will

    break, and changing it from the default is almost certainly not what you want.

    Access to the external tasks API should be restricted as desired by the

    tasks_api_access policy. This may change in the future.

    '
  name: get_task
  operations:
  - method: GET
    path: /v2/tasks/{task_id}
  scope_types:
  - project
- check_str: rule:default
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:default
    name: get_tasks
  deprecated_since: null
  description: 'List tasks for all images.


    This granular policy controls access to tasks, both from the tasks API as well

    as internal locations in Glance that use tasks (like import). Practically this

    cannot be more restrictive than the policy that controls import or things will

    break, and changing it from the default is almost certainly not what you want.

    Access to the external tasks API should be restricted as desired by the

    tasks_api_access policy. This may change in the future.

    '
  name: get_tasks
  operations:
  - method: GET
    path: /v2/tasks
  scope_types:
  - project
- check_str: rule:default
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:default
    name: add_task
  deprecated_since: null
  description: 'List tasks for all images.


    This granular policy controls access to tasks, both from the tasks API as well

    as internal locations in Glance that use tasks (like import). Practically this

    cannot be more restrictive than the policy that controls import or things will

    break, and changing it from the default is almost certainly not what you want.

    Access to the external tasks API should be restricted as desired by the

    tasks_api_access policy. This may change in the future.

    '
  name: add_task
  operations:
  - method: POST
    path: /v2/tasks
  scope_types:
  - project
- check_str: rule:default
  deprecated_for_removal: true
  deprecated_reason: '

    This policy check has never been honored by the API. It will be removed in a

    future release.

    '
  deprecated_since: W
  description: This policy is not used.
  name: modify_task
  operations:
  - method: DELETE
    path: /v2/tasks/{task_id}
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: '

    This is a generic blanket policy for protecting all task APIs. It is not

    granular and will not allow you to separate writable and readable task

    operations into different roles.

    '
  name: tasks_api_access
  operations:
  - method: GET
    path: /v2/tasks/{task_id}
  - method: GET
    path: /v2/tasks
  - method: POST
    path: /v2/tasks
  - method: DELETE
    path: /v2/tasks/{task_id}
  scope_types:
  - project
- check_str: ''
  description: null
  name: metadef_default
  operations: []
  scope_types: null
- check_str: rule:context_is_admin
  description: null
  name: metadef_admin
  operations: []
  scope_types: null
- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s
    or 'public':%(visibility)s))
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:metadef_default
    name: get_metadef_namespace
  deprecated_since: null
  description: Get a specific namespace.
  name: get_metadef_namespace
  operations:
  - method: GET
    path: /v2/metadefs/namespaces/{namespace_name}
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:reader and project_id:%(project_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:metadef_default
    name: get_metadef_namespaces
  deprecated_since: null
  description: List namespace.
  name: get_metadef_namespaces
  operations:
  - method: GET
    path: /v2/metadefs/namespaces
  scope_types:
  - project
- check_str: rule:metadef_admin
  description: Modify an existing namespace.
  name: modify_metadef_namespace
  operations:
  - method: PUT
    path: /v2/metadefs/namespaces/{namespace_name}
  scope_types:
  - project
- check_str: rule:metadef_admin
  description: Create a namespace.
  name: add_metadef_namespace
  operations:
  - method: POST
    path: /v2/metadefs/namespaces
  scope_types:
  - project
- check_str: rule:metadef_admin
  description: Delete a namespace.
  name: delete_metadef_namespace
  operations:
  - method: DELETE
    path: /v2/metadefs/namespaces/{namespace_name}
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s
    or 'public':%(visibility)s))
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:metadef_default
    name: get_metadef_object
  deprecated_since: null
  description: Get a specific object from a namespace.
  name: get_metadef_object
  operations:
  - method: GET
    path: /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s
    or 'public':%(visibility)s))
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:metadef_default
    name: get_metadef_objects
  deprecated_since: null
  description: Get objects from a namespace.
  name: get_metadef_objects
  operations:
  - method: GET
    path: /v2/metadefs/namespaces/{namespace_name}/objects
  scope_types:
  - project
- check_str: rule:metadef_admin
  description: Update an object within a namespace.
  name: modify_metadef_object
  operations:
  - method: PUT
    path: /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
  scope_types:
  - project
- check_str: rule:metadef_admin
  description: Create an object within a namespace.
  name: add_metadef_object
  operations:
  - method: POST
    path: /v2/metadefs/namespaces/{namespace_name}/objects
  scope_types:
  - project
- check_str: rule:metadef_admin
  description: Delete an object within a namespace.
  name: delete_metadef_object
  operations:
  - method: DELETE
    path: /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s
    or 'public':%(visibility)s))
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:metadef_default
    name: list_metadef_resource_types
  deprecated_since: null
  description: List meta definition resource types.
  name: list_metadef_resource_types
  operations:
  - method: GET
    path: /v2/metadefs/resource_types
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s
    or 'public':%(visibility)s))
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:metadef_default
    name: get_metadef_resource_type
  deprecated_since: null
  description: Get meta definition resource types associations.
  name: get_metadef_resource_type
  operations:
  - method: GET
    path: /v2/metadefs/namespaces/{namespace_name}/resource_types
  scope_types:
  - project
- check_str: rule:metadef_admin
  description: Create meta definition resource types association.
  name: add_metadef_resource_type_association
  operations:
  - method: POST
    path: /v2/metadefs/namespaces/{namespace_name}/resource_types
  scope_types:
  - project
- check_str: rule:metadef_admin
  description: Delete meta definition resource types association.
  name: remove_metadef_resource_type_association
  operations:
  - method: POST
    path: /v2/metadefs/namespaces/{namespace_name}/resource_types/{name}
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s
    or 'public':%(visibility)s))
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:metadef_default
    name: get_metadef_property
  deprecated_since: null
  description: Get a specific meta definition property.
  name: get_metadef_property
  operations:
  - method: GET
    path: /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s
    or 'public':%(visibility)s))
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:metadef_default
    name: get_metadef_properties
  deprecated_since: null
  description: List meta definition properties.
  name: get_metadef_properties
  operations:
  - method: GET
    path: /v2/metadefs/namespaces/{namespace_name}/properties
  scope_types:
  - project
- check_str: rule:metadef_admin
  description: Update meta definition property.
  name: modify_metadef_property
  operations:
  - method: GET
    path: /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
  scope_types:
  - project
- check_str: rule:metadef_admin
  description: Create meta definition property.
  name: add_metadef_property
  operations:
  - method: POST
    path: /v2/metadefs/namespaces/{namespace_name}/properties
  scope_types:
  - project
- check_str: rule:metadef_admin
  description: Delete meta definition property.
  name: remove_metadef_property
  operations:
  - method: DELETE
    path: /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s
    or 'public':%(visibility)s))
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:metadef_default
    name: get_metadef_tag
  deprecated_since: null
  description: Get tag definition.
  name: get_metadef_tag
  operations:
  - method: GET
    path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
  scope_types:
  - project
- check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s
    or 'public':%(visibility)s))
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:metadef_default
    name: get_metadef_tags
  deprecated_since: null
  description: List tag definitions.
  name: get_metadef_tags
  operations:
  - method: GET
    path: /v2/metadefs/namespaces/{namespace_name}/tags
  scope_types:
  - project
- check_str: rule:metadef_admin
  description: Update tag definition.
  name: modify_metadef_tag
  operations:
  - method: PUT
    path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
  scope_types:
  - project
- check_str: rule:metadef_admin
  description: Add tag definition.
  name: add_metadef_tag
  operations:
  - method: POST
    path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
  scope_types:
  - project
- check_str: rule:metadef_admin
  description: Create tag definitions.
  name: add_metadef_tags
  operations:
  - method: POST
    path: /v2/metadefs/namespaces/{namespace_name}/tags
  scope_types:
  - project
- check_str: rule:metadef_admin
  description: Delete tag definition.
  name: delete_metadef_tag
  operations:
  - method: DELETE
    path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
  scope_types:
  - project
- check_str: rule:metadef_admin
  description: Delete tag definitions.
  name: delete_metadef_tags
  operations:
  - method: DELETE
    path: /v2/metadefs/namespaces/{namespace_name}/tags
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:manage_image_cache
    name: cache_image
  deprecated_since: null
  description: Queue image for caching
  name: cache_image
  operations:
  - method: PUT
    path: /v2/cache/{image_id}
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:manage_image_cache
    name: cache_list
  deprecated_since: null
  description: List cache status
  name: cache_list
  operations:
  - method: GET
    path: /v2/cache
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:manage_image_cache
    name: cache_delete
  deprecated_since: null
  description: Delete image(s) from cache and/or queue
  name: cache_delete
  operations:
  - method: DELETE
    path: /v2/cache
  - method: DELETE
    path: /v2/cache/{image_id}
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Expose store specific information
  name: stores_info_detail
  operations:
  - method: GET
    path: /v2/info/stores/detail
  scope_types:
  - project