# Rule for cloud admin access #"context_is_admin": "role:admin" # Default rule for the service-to-service APIs. #"service_api": "role:service" # Rule for resource owner access #"owner": "tenant_id:%(tenant_id)s" # Rule for admin or owner access #"admin_or_owner": "rule:context_is_admin or rule:owner" # Rule for advsvc role access #"context_is_advsvc": "role:advsvc" # Rule for admin or network owner access #"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s" # Rule for resource owner, admin or network owner access #"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner" # Rule for network owner access #"network_owner": "tenant_id:%(network:tenant_id)s" # Rule for admin-only access #"admin_only": "rule:context_is_admin" # Rule for regular user access #"regular_user": "" # Rule of shared network #"shared": "field:networks:shared=True" # Default access rule #"default": "rule:admin_or_owner" # Rule for common parent owner check #"admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s" # Rule for common parent owner check #"ext_parent_owner": "tenant_id:%(ext_parent:tenant_id)s" # Rule for security group owner access #"sg_owner": "tenant_id:%(security_group:tenant_id)s" # Definition of a shared address group #"shared_address_groups": "field:address_groups:shared=True" # Get an address group # GET /address-groups # GET /address-groups/{id} # Intended scope(s): project #"get_address_group": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups" # DEPRECATED # "get_address_group":"rule:admin_or_owner or # rule:shared_address_groups" has been deprecated since W in favor of # "get_address_group":"(rule:admin_only) or (role:reader and # project_id:%(project_id)s) or rule:shared_address_groups". # The Address scope API now supports system scope and default roles. # Definition of a shared address scope #"shared_address_scopes": "field:address_scopes:shared=True" # Create an address scope # POST /address-scopes # Intended scope(s): project #"create_address_scope": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "create_address_scope":"rule:regular_user" has been deprecated since # W in favor of "create_address_scope":"(rule:admin_only) or # (role:member and project_id:%(project_id)s)". # The Address scope API now supports system scope and default roles. # Create a shared address scope # POST /address-scopes # Intended scope(s): project #"create_address_scope:shared": "rule:admin_only" # DEPRECATED # "create_address_scope:shared":"rule:admin_only" has been deprecated # since W in favor of "create_address_scope:shared":"rule:admin_only". # The Address scope API now supports system scope and default roles. # Get an address scope # GET /address-scopes # GET /address-scopes/{id} # Intended scope(s): project #"get_address_scope": "rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared_address_scopes" # DEPRECATED # "get_address_scope":"rule:admin_or_owner or # rule:shared_address_scopes" has been deprecated since W in favor of # "get_address_scope":"rule:admin_only or role:reader and # project_id:%(project_id)s or rule:shared_address_scopes". # The Address scope API now supports system scope and default roles. # Update an address scope # PUT /address-scopes/{id} # Intended scope(s): project #"update_address_scope": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "update_address_scope":"rule:admin_or_owner" has been deprecated # since W in favor of "update_address_scope":"(rule:admin_only) or # (role:member and project_id:%(project_id)s)". # The Address scope API now supports system scope and default roles. # Update ``shared`` attribute of an address scope # PUT /address-scopes/{id} # Intended scope(s): project #"update_address_scope:shared": "rule:admin_only" # DEPRECATED # "update_address_scope:shared":"rule:admin_only" has been deprecated # since W in favor of "update_address_scope:shared":"rule:admin_only". # The Address scope API now supports system scope and default roles. # Delete an address scope # DELETE /address-scopes/{id} # Intended scope(s): project #"delete_address_scope": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "delete_address_scope":"rule:admin_or_owner" has been deprecated # since W in favor of "delete_address_scope":"(rule:admin_only) or # (role:member and project_id:%(project_id)s)". # The Address scope API now supports system scope and default roles. # Get an agent # GET /agents # GET /agents/{id} # Intended scope(s): project #"get_agent": "rule:admin_only" # DEPRECATED # "get_agent":"rule:admin_only" has been deprecated since W in favor # of "get_agent":"rule:admin_only". # The Agent API now supports project scope and default roles. # Update an agent # PUT /agents/{id} # Intended scope(s): project #"update_agent": "rule:admin_only" # DEPRECATED # "update_agent":"rule:admin_only" has been deprecated since W in # favor of "update_agent":"rule:admin_only". # The Agent API now supports project scope and default roles. # Delete an agent # DELETE /agents/{id} # Intended scope(s): project #"delete_agent": "rule:admin_only" # DEPRECATED # "delete_agent":"rule:admin_only" has been deprecated since W in # favor of "delete_agent":"rule:admin_only". # The Agent API now supports project scope and default roles. # Add a network to a DHCP agent # POST /agents/{agent_id}/dhcp-networks # Intended scope(s): project #"create_dhcp-network": "rule:admin_only" # DEPRECATED # "create_dhcp-network":"rule:admin_only" has been deprecated since W # in favor of "create_dhcp-network":"rule:admin_only". # The Agent API now supports project scope and default roles. # List networks on a DHCP agent # GET /agents/{agent_id}/dhcp-networks # Intended scope(s): project #"get_dhcp-networks": "rule:admin_only" # DEPRECATED # "get_dhcp-networks":"rule:admin_only" has been deprecated since W in # favor of "get_dhcp-networks":"rule:admin_only". # The Agent API now supports project scope and default roles. # Remove a network from a DHCP agent # DELETE /agents/{agent_id}/dhcp-networks/{network_id} # Intended scope(s): project #"delete_dhcp-network": "rule:admin_only" # DEPRECATED # "delete_dhcp-network":"rule:admin_only" has been deprecated since W # in favor of "delete_dhcp-network":"rule:admin_only". # The Agent API now supports project scope and default roles. # Add a router to an L3 agent # POST /agents/{agent_id}/l3-routers # Intended scope(s): project #"create_l3-router": "rule:admin_only" # DEPRECATED # "create_l3-router":"rule:admin_only" has been deprecated since W in # favor of "create_l3-router":"rule:admin_only". # The Agent API now supports project scope and default roles. # List routers on an L3 agent # GET /agents/{agent_id}/l3-routers # Intended scope(s): project #"get_l3-routers": "rule:admin_only" # DEPRECATED # "get_l3-routers":"rule:admin_only" has been deprecated since W in # favor of "get_l3-routers":"rule:admin_only". # The Agent API now supports project scope and default roles. # Remove a router from an L3 agent # DELETE /agents/{agent_id}/l3-routers/{router_id} # Intended scope(s): project #"delete_l3-router": "rule:admin_only" # DEPRECATED # "delete_l3-router":"rule:admin_only" has been deprecated since W in # favor of "delete_l3-router":"rule:admin_only". # The Agent API now supports project scope and default roles. # List DHCP agents hosting a network # GET /networks/{network_id}/dhcp-agents # Intended scope(s): project #"get_dhcp-agents": "rule:admin_only" # DEPRECATED # "get_dhcp-agents":"rule:admin_only" has been deprecated since W in # favor of "get_dhcp-agents":"rule:admin_only". # The Agent API now supports project scope and default roles. # List L3 agents hosting a router # GET /routers/{router_id}/l3-agents # Intended scope(s): project #"get_l3-agents": "rule:admin_only" # DEPRECATED # "get_l3-agents":"rule:admin_only" has been deprecated since W in # favor of "get_l3-agents":"rule:admin_only". # The Agent API now supports project scope and default roles. # Get a project's auto-allocated topology # GET /auto-allocated-topology/{project_id} # Intended scope(s): project #"get_auto_allocated_topology": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "get_auto_allocated_topology":"rule:admin_or_owner" has been # deprecated since W in favor of # "get_auto_allocated_topology":"(rule:admin_only) or (role:reader and # project_id:%(project_id)s)". # The Auto allocated topology API now supports system scope and # default roles. # Delete a project's auto-allocated topology # DELETE /auto-allocated-topology/{project_id} # Intended scope(s): project #"delete_auto_allocated_topology": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "delete_auto_allocated_topology":"rule:admin_or_owner" has been # deprecated since W in favor of # "delete_auto_allocated_topology":"(rule:admin_only) or (role:member # and project_id:%(project_id)s)". # The Auto allocated topology API now supports system scope and # default roles. # List availability zones # GET /availability_zones # Intended scope(s): project #"get_availability_zone": "role:reader" # DEPRECATED # "get_availability_zone":"rule:regular_user" has been deprecated # since W in favor of "get_availability_zone":"role:reader". # The Availability Zone API now supports project scope and default # roles. # Create a templated of the security group rule # POST /default-security-group-rules # Intended scope(s): project #"create_default_security_group_rule": "rule:admin_only" # DEPRECATED # "create_default_security_group_rule":"rule:admin_only" has been # deprecated since 2023.2 in favor of # "create_default_security_group_rule":"rule:admin_only". # The default security group rules API supports system scope and # default roles. # Get a templated of the security group rule # GET /default-security-group-rules # GET /default-security-group-rules/{id} # Intended scope(s): project #"get_default_security_group_rule": "role:reader" # DEPRECATED # "get_default_security_group_rule":"rule:regular_user" has been # deprecated since 2023.2 in favor of # "get_default_security_group_rule":"role:reader". # The default security group rules API supports system scope and # default roles. # Delete a templated of the security group rule # DELETE /default-security-group-rules/{id} # Intended scope(s): project #"delete_default_security_group_rule": "rule:admin_only" # DEPRECATED # "delete_default_security_group_rule":"rule:admin_only" has been # deprecated since 2023.2 in favor of # "delete_default_security_group_rule":"rule:admin_only". # The default security group rules API supports system scope and # default roles. # Create a flavor # POST /flavors # Intended scope(s): project #"create_flavor": "rule:admin_only" # DEPRECATED # "create_flavor":"rule:admin_only" has been deprecated since W in # favor of "create_flavor":"rule:admin_only". # The flavor API now supports project scope and default roles. # Get a flavor # GET /flavors # GET /flavors/{id} # Intended scope(s): project #"get_flavor": "role:reader" # DEPRECATED # "get_flavor":"rule:regular_user" has been deprecated since W in # favor of "get_flavor":"role:reader". # The flavor API now supports project scope and default roles. # Update a flavor # PUT /flavors/{id} # Intended scope(s): project #"update_flavor": "rule:admin_only" # DEPRECATED # "update_flavor":"rule:admin_only" has been deprecated since W in # favor of "update_flavor":"rule:admin_only". # The flavor API now supports project scope and default roles. # Delete a flavor # DELETE /flavors/{id} # Intended scope(s): project #"delete_flavor": "rule:admin_only" # DEPRECATED # "delete_flavor":"rule:admin_only" has been deprecated since W in # favor of "delete_flavor":"rule:admin_only". # The flavor API now supports project scope and default roles. # Create a service profile # POST /service_profiles # Intended scope(s): project #"create_service_profile": "rule:admin_only" # DEPRECATED # "create_service_profile":"rule:admin_only" has been deprecated since # W in favor of "create_service_profile":"rule:admin_only". # The flavor API now supports project scope and default roles. # Get a service profile # GET /service_profiles # GET /service_profiles/{id} # Intended scope(s): project #"get_service_profile": "rule:admin_only" # DEPRECATED # "get_service_profile":"rule:admin_only" has been deprecated since W # in favor of "get_service_profile":"rule:admin_only". # The flavor API now supports project scope and default roles. # Update a service profile # PUT /service_profiles/{id} # Intended scope(s): project #"update_service_profile": "rule:admin_only" # DEPRECATED # "update_service_profile":"rule:admin_only" has been deprecated since # W in favor of "update_service_profile":"rule:admin_only". # The flavor API now supports project scope and default roles. # Delete a service profile # DELETE /service_profiles/{id} # Intended scope(s): project #"delete_service_profile": "rule:admin_only" # DEPRECATED # "delete_service_profile":"rule:admin_only" has been deprecated since # W in favor of "delete_service_profile":"rule:admin_only". # The flavor API now supports project scope and default roles. # Get a flavor associated with a given service profiles. There is no # corresponding GET operations in API currently. This rule is # currently referred only in the DELETE of flavor_service_profile. # Intended scope(s): project #"get_flavor_service_profile": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "get_flavor_service_profile":"rule:regular_user" has been deprecated # since W in favor of "get_flavor_service_profile":"(rule:admin_only) # or (role:reader and project_id:%(project_id)s)". # The flavor API now supports project scope and default roles. # Associate a flavor with a service profile # POST /flavors/{flavor_id}/service_profiles # Intended scope(s): project #"create_flavor_service_profile": "rule:admin_only" # DEPRECATED # "create_flavor_service_profile":"rule:admin_only" has been # deprecated since W in favor of # "create_flavor_service_profile":"rule:admin_only". # The flavor API now supports project scope and default roles. # Disassociate a flavor with a service profile # DELETE /flavors/{flavor_id}/service_profiles/{profile_id} # Intended scope(s): project #"delete_flavor_service_profile": "rule:admin_only" # DEPRECATED # "delete_flavor_service_profile":"rule:admin_only" has been # deprecated since W in favor of # "delete_flavor_service_profile":"rule:admin_only". # The flavor API now supports project scope and default roles. # Create a floating IP # POST /floatingips # Intended scope(s): project #"create_floatingip": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "create_floatingip":"rule:regular_user" has been deprecated since W # in favor of "create_floatingip":"(rule:admin_only) or (role:member # and project_id:%(project_id)s)". # The Floating IP API now supports system scope and default roles. # Create a floating IP with a specific IP address # POST /floatingips # Intended scope(s): project #"create_floatingip:floating_ip_address": "rule:admin_only" # DEPRECATED # "create_floatingip:floating_ip_address":"rule:admin_only" has been # deprecated since W in favor of # "create_floatingip:floating_ip_address":"rule:admin_only". # The Floating IP API now supports system scope and default roles. # Get a floating IP # GET /floatingips # GET /floatingips/{id} # Intended scope(s): project #"get_floatingip": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "get_floatingip":"rule:admin_or_owner" has been deprecated since W # in favor of "get_floatingip":"(rule:admin_only) or (role:reader and # project_id:%(project_id)s)". # The Floating IP API now supports system scope and default roles. # Get the floating IP tags # GET /floatingips/{id}/tags # GET /floatingips/{id}/tags/{tag_id} # Intended scope(s): project #"get_floatingips_tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" # Update a floating IP # PUT /floatingips/{id} # Intended scope(s): project #"update_floatingip": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "update_floatingip":"rule:admin_or_owner" has been deprecated since # W in favor of "update_floatingip":"(rule:admin_only) or (role:member # and project_id:%(project_id)s)". # The Floating IP API now supports system scope and default roles. # Update the floating IP tags # PUT /floatingips/{id}/tags # PUT /floatingips/{id}/tags/{tag_id} # Intended scope(s): project #"update_floatingips_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # Delete a floating IP # DELETE /floatingips/{id} # Intended scope(s): project #"delete_floatingip": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "delete_floatingip":"rule:admin_or_owner" has been deprecated since # W in favor of "delete_floatingip":"(rule:admin_only) or (role:member # and project_id:%(project_id)s)". # The Floating IP API now supports system scope and default roles. # Delete the floating IP tags # DELETE /floatingips/{id}/tags # DELETE /floatingips/{id}/tags/{tag_id} # Intended scope(s): project #"delete_floatingips_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # Get floating IP pools # GET /floatingip_pools # Intended scope(s): project #"get_floatingip_pool": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "get_floatingip_pool":"rule:regular_user" has been deprecated since # W in favor of "get_floatingip_pool":"(rule:admin_only) or # (role:reader and project_id:%(project_id)s)". # The Floating IP Pool API now supports system scope and default # roles. # Create a floating IP port forwarding # POST /floatingips/{floatingip_id}/port_forwardings # Intended scope(s): project #"create_floatingip_port_forwarding": "(rule:admin_only) or (role:member and rule:ext_parent_owner)" # DEPRECATED # "create_floatingip_port_forwarding":"rule:admin_or_ext_parent_owner" # has been deprecated since W in favor of # "create_floatingip_port_forwarding":"(rule:admin_only) or # (role:member and rule:ext_parent_owner)". # The floating IP port forwarding API now supports system scope and # default roles. # Get a floating IP port forwarding # GET /floatingips/{floatingip_id}/port_forwardings # GET /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} # Intended scope(s): project #"get_floatingip_port_forwarding": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)" # DEPRECATED # "get_floatingip_port_forwarding":"rule:admin_or_ext_parent_owner" # has been deprecated since W in favor of # "get_floatingip_port_forwarding":"(rule:admin_only) or (role:reader # and rule:ext_parent_owner)". # The floating IP port forwarding API now supports system scope and # default roles. # Update a floating IP port forwarding # PUT /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} # Intended scope(s): project #"update_floatingip_port_forwarding": "(rule:admin_only) or (role:member and rule:ext_parent_owner)" # DEPRECATED # "update_floatingip_port_forwarding":"rule:admin_or_ext_parent_owner" # has been deprecated since W in favor of # "update_floatingip_port_forwarding":"(rule:admin_only) or # (role:member and rule:ext_parent_owner)". # The floating IP port forwarding API now supports system scope and # default roles. # Delete a floating IP port forwarding # DELETE /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} # Intended scope(s): project #"delete_floatingip_port_forwarding": "(rule:admin_only) or (role:member and rule:ext_parent_owner)" # DEPRECATED # "delete_floatingip_port_forwarding":"rule:admin_or_ext_parent_owner" # has been deprecated since W in favor of # "delete_floatingip_port_forwarding":"(rule:admin_only) or # (role:member and rule:ext_parent_owner)". # The floating IP port forwarding API now supports system scope and # default roles. # Create a router conntrack helper # POST /routers/{router_id}/conntrack_helpers # Intended scope(s): project #"create_router_conntrack_helper": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner" # DEPRECATED # "create_router_conntrack_helper":"rule:admin_or_ext_parent_owner" # has been deprecated since W in favor of # "create_router_conntrack_helper":"(rule:admin_only) or (role:member # and project_id:%(project_id)s) or rule:ext_parent_owner". # The router conntrack API now supports system scope and default # roles. # Get a router conntrack helper # GET /routers/{router_id}/conntrack_helpers # GET /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} # Intended scope(s): project #"get_router_conntrack_helper": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner" # DEPRECATED # "get_router_conntrack_helper":"rule:admin_or_ext_parent_owner" has # been deprecated since W in favor of # "get_router_conntrack_helper":"(rule:admin_only) or (role:reader and # project_id:%(project_id)s) or rule:ext_parent_owner". # The router conntrack API now supports system scope and default # roles. # Update a router conntrack helper # PUT /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} # Intended scope(s): project #"update_router_conntrack_helper": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner" # DEPRECATED # "update_router_conntrack_helper":"rule:admin_or_ext_parent_owner" # has been deprecated since W in favor of # "update_router_conntrack_helper":"(rule:admin_only) or (role:member # and project_id:%(project_id)s) or rule:ext_parent_owner". # The router conntrack API now supports system scope and default # roles. # Delete a router conntrack helper # DELETE /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} # Intended scope(s): project #"delete_router_conntrack_helper": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner" # DEPRECATED # "delete_router_conntrack_helper":"rule:admin_or_ext_parent_owner" # has been deprecated since W in favor of # "delete_router_conntrack_helper":"(rule:admin_only) or (role:member # and project_id:%(project_id)s) or rule:ext_parent_owner". # The router conntrack API now supports system scope and default # roles. # Create a Local IP # POST /local-ips # Intended scope(s): project #"create_local_ip": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "create_local_ip":"rule:regular_user" has been deprecated since W in # favor of "create_local_ip":"(rule:admin_only) or (role:member and # project_id:%(project_id)s)". # The Local IP API now supports system scope and default roles. # Get a Local IP # GET /local-ips # GET /local-ips/{id} # Intended scope(s): project #"get_local_ip": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "get_local_ip":"rule:admin_or_owner" has been deprecated since W in # favor of "get_local_ip":"(rule:admin_only) or (role:reader and # project_id:%(project_id)s)". # The Local IP API now supports system scope and default roles. # Update a Local IP # PUT /local-ips/{id} # Intended scope(s): project #"update_local_ip": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "update_local_ip":"rule:admin_or_owner" has been deprecated since W # in favor of "update_local_ip":"(rule:admin_only) or (role:member and # project_id:%(project_id)s)". # The Local IP API now supports system scope and default roles. # Delete a Local IP # DELETE /local-ips/{id} # Intended scope(s): project #"delete_local_ip": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "delete_local_ip":"rule:admin_or_owner" has been deprecated since W # in favor of "delete_local_ip":"(rule:admin_only) or (role:member and # project_id:%(project_id)s)". # The Local IP API now supports system scope and default roles. # Create a Local IP port association # POST /local_ips/{local_ip_id}/port_associations # Intended scope(s): project #"create_local_ip_port_association": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner" # DEPRECATED # "create_local_ip_port_association":"rule:admin_or_ext_parent_owner" # has been deprecated since W in favor of # "create_local_ip_port_association":"(rule:admin_only) or # (role:member and project_id:%(project_id)s) or # rule:ext_parent_owner". # The Local IP API now supports system scope and default roles. # Get a Local IP port association # GET /local_ips/{local_ip_id}/port_associations # GET /local_ips/{local_ip_id}/port_associations/{fixed_port_id} # Intended scope(s): project #"get_local_ip_port_association": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner" # DEPRECATED # "get_local_ip_port_association":"rule:admin_or_ext_parent_owner" has # been deprecated since W in favor of # "get_local_ip_port_association":"(rule:admin_only) or (role:reader # and project_id:%(project_id)s) or rule:ext_parent_owner". # The Local IP API now supports system scope and default roles. # Delete a Local IP port association # DELETE /local_ips/{local_ip_id}/port_associations/{fixed_port_id} # Intended scope(s): project #"delete_local_ip_port_association": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner" # DEPRECATED # "delete_local_ip_port_association":"rule:admin_or_ext_parent_owner" # has been deprecated since W in favor of # "delete_local_ip_port_association":"(rule:admin_only) or # (role:member and project_id:%(project_id)s) or # rule:ext_parent_owner". # The Local IP API now supports system scope and default roles. # Get loggable resources # GET /log/loggable-resources # Intended scope(s): project #"get_loggable_resource": "rule:admin_only" # DEPRECATED # "get_loggable_resource":"rule:admin_only" has been deprecated since # W in favor of "get_loggable_resource":"rule:admin_only". # The logging API now supports project scope and default roles. # Create a network log # POST /log/logs # Intended scope(s): project #"create_log": "rule:admin_only" # DEPRECATED # "create_log":"rule:admin_only" has been deprecated since W in favor # of "create_log":"rule:admin_only". # The logging API now supports project scope and default roles. # Get a network log # GET /log/logs # GET /log/logs/{id} # Intended scope(s): project #"get_log": "rule:admin_only" # DEPRECATED # "get_log":"rule:admin_only" has been deprecated since W in favor of # "get_log":"rule:admin_only". # The logging API now supports project scope and default roles. # Update a network log # PUT /log/logs/{id} # Intended scope(s): project #"update_log": "rule:admin_only" # DEPRECATED # "update_log":"rule:admin_only" has been deprecated since W in favor # of "update_log":"rule:admin_only". # The logging API now supports project scope and default roles. # Delete a network log # DELETE /log/logs/{id} # Intended scope(s): project #"delete_log": "rule:admin_only" # DEPRECATED # "delete_log":"rule:admin_only" has been deprecated since W in favor # of "delete_log":"rule:admin_only". # The logging API now supports project scope and default roles. # Create a metering label # POST /metering/metering-labels # Intended scope(s): project #"create_metering_label": "rule:admin_only" # DEPRECATED # "create_metering_label":"rule:admin_only" has been deprecated since # W in favor of "create_metering_label":"rule:admin_only". # The metering API now supports system scope and default roles. # Get a metering label # GET /metering/metering-labels # GET /metering/metering-labels/{id} # Intended scope(s): project #"get_metering_label": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "get_metering_label":"rule:admin_only" has been deprecated since W # in favor of "get_metering_label":"(rule:admin_only) or (role:reader # and project_id:%(project_id)s)". # The metering API now supports system scope and default roles. # Delete a metering label # DELETE /metering/metering-labels/{id} # Intended scope(s): project #"delete_metering_label": "rule:admin_only" # DEPRECATED # "delete_metering_label":"rule:admin_only" has been deprecated since # W in favor of "delete_metering_label":"rule:admin_only". # The metering API now supports system scope and default roles. # Create a metering label rule # POST /metering/metering-label-rules # Intended scope(s): project #"create_metering_label_rule": "rule:admin_only" # DEPRECATED # "create_metering_label_rule":"rule:admin_only" has been deprecated # since W in favor of "create_metering_label_rule":"rule:admin_only". # The metering API now supports system scope and default roles. # Get a metering label rule # GET /metering/metering-label-rules # GET /metering/metering-label-rules/{id} # Intended scope(s): project #"get_metering_label_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "get_metering_label_rule":"rule:admin_only" has been deprecated # since W in favor of "get_metering_label_rule":"(rule:admin_only) or # (role:reader and project_id:%(project_id)s)". # The metering API now supports system scope and default roles. # Delete a metering label rule # DELETE /metering/metering-label-rules/{id} # Intended scope(s): project #"delete_metering_label_rule": "rule:admin_only" # DEPRECATED # "delete_metering_label_rule":"rule:admin_only" has been deprecated # since W in favor of "delete_metering_label_rule":"rule:admin_only". # The metering API now supports system scope and default roles. # Create a ndp proxy # POST /ndp_proxies # Intended scope(s): project #"create_ndp_proxy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "create_ndp_proxy":"rule:regular_user" has been deprecated since W # in favor of "create_ndp_proxy":"(rule:admin_only) or (role:member # and project_id:%(project_id)s)". # The ndp proxy API now supports system scope and default roles. # Get a ndp proxy # GET /ndp_proxies # GET /ndp_proxies/{id} # Intended scope(s): project #"get_ndp_proxy": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "get_ndp_proxy":"rule:admin_or_owner" has been deprecated since W in # favor of "get_ndp_proxy":"(rule:admin_only) or (role:reader and # project_id:%(project_id)s)". # The ndp proxy API now supports system scope and default roles. # Update a ndp proxy # PUT /ndp_proxies/{id} # Intended scope(s): project #"update_ndp_proxy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "update_ndp_proxy":"rule:admin_or_owner" has been deprecated since W # in favor of "update_ndp_proxy":"(rule:admin_only) or (role:member # and project_id:%(project_id)s)". # The ndp proxy API now supports system scope and default roles. # Delete a ndp proxy # DELETE /ndp_proxies/{id} # Intended scope(s): project #"delete_ndp_proxy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "delete_ndp_proxy":"rule:admin_or_owner" has been deprecated since W # in favor of "delete_ndp_proxy":"(rule:admin_only) or (role:member # and project_id:%(project_id)s)". # The ndp proxy API now supports system scope and default roles. # Definition of an external network #"external": "field:networks:router:external=True" # Create a network # POST /networks # Intended scope(s): project #"create_network": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "create_network":"rule:regular_user" has been deprecated since W in # favor of "create_network":"(rule:admin_only) or (role:member and # project_id:%(project_id)s)". # The network API now supports system scope and default roles. # Create a shared network # POST /networks # Intended scope(s): project #"create_network:shared": "rule:admin_only" # DEPRECATED # "create_network:shared":"rule:admin_only" has been deprecated since # W in favor of "create_network:shared":"rule:admin_only". # The network API now supports system scope and default roles. # Create an external network # POST /networks # Intended scope(s): project #"create_network:router:external": "rule:admin_only" # DEPRECATED # "create_network:router:external":"rule:admin_only" has been # deprecated since W in favor of # "create_network:router:external":"rule:admin_only". # The network API now supports system scope and default roles. # Specify ``is_default`` attribute when creating a network # POST /networks # Intended scope(s): project #"create_network:is_default": "rule:admin_only" # DEPRECATED # "create_network:is_default":"rule:admin_only" has been deprecated # since W in favor of "create_network:is_default":"rule:admin_only". # The network API now supports system scope and default roles. # Specify ``port_security_enabled`` attribute when creating a network # POST /networks # Intended scope(s): project #"create_network:port_security_enabled": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "create_network:port_security_enabled":"rule:regular_user" has been # deprecated since W in favor of # "create_network:port_security_enabled":"(rule:admin_only) or # (role:member and project_id:%(project_id)s)". # The network API now supports system scope and default roles. # Specify ``segments`` attribute when creating a network # POST /networks # Intended scope(s): project #"create_network:segments": "rule:admin_only" # DEPRECATED # "create_network:segments":"rule:admin_only" has been deprecated # since W in favor of "create_network:segments":"rule:admin_only". # The network API now supports system scope and default roles. # Specify ``provider:network_type`` when creating a network # POST /networks # Intended scope(s): project #"create_network:provider:network_type": "rule:admin_only" # DEPRECATED # "create_network:provider:network_type":"rule:admin_only" has been # deprecated since W in favor of # "create_network:provider:network_type":"rule:admin_only". # The network API now supports system scope and default roles. # Specify ``provider:physical_network`` when creating a network # POST /networks # Intended scope(s): project #"create_network:provider:physical_network": "rule:admin_only" # DEPRECATED # "create_network:provider:physical_network":"rule:admin_only" has # been deprecated since W in favor of # "create_network:provider:physical_network":"rule:admin_only". # The network API now supports system scope and default roles. # Specify ``provider:segmentation_id`` when creating a network # POST /networks # Intended scope(s): project #"create_network:provider:segmentation_id": "rule:admin_only" # DEPRECATED # "create_network:provider:segmentation_id":"rule:admin_only" has been # deprecated since W in favor of # "create_network:provider:segmentation_id":"rule:admin_only". # The network API now supports system scope and default roles. # Get a network # GET /networks # GET /networks/{id} # Intended scope(s): project #"get_network": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:service_api or rule:shared or rule:external or rule:context_is_advsvc" # DEPRECATED # "get_network":"rule:admin_or_owner or rule:shared or rule:external # or rule:context_is_advsvc" has been deprecated since W in favor of # "get_network":"(rule:admin_only) or (role:reader and # project_id:%(project_id)s) or rule:service_api or rule:shared or # rule:external or rule:context_is_advsvc". # The network API now supports system scope and default roles. # Get ``segments`` attribute of a network # GET /networks # GET /networks/{id} # Intended scope(s): project #"get_network:segments": "rule:admin_only" # DEPRECATED # "get_network:segments":"rule:admin_only" has been deprecated since W # in favor of "get_network:segments":"rule:admin_only". # The network API now supports system scope and default roles. # Get ``provider:network_type`` attribute of a network # GET /networks # GET /networks/{id} # Intended scope(s): project #"get_network:provider:network_type": "rule:admin_only" # DEPRECATED # "get_network:provider:network_type":"rule:admin_only" has been # deprecated since W in favor of # "get_network:provider:network_type":"rule:admin_only". # The network API now supports system scope and default roles. # Get ``provider:physical_network`` attribute of a network # GET /networks # GET /networks/{id} # Intended scope(s): project #"get_network:provider:physical_network": "rule:admin_only" # DEPRECATED # "get_network:provider:physical_network":"rule:admin_only" has been # deprecated since W in favor of # "get_network:provider:physical_network":"rule:admin_only". # The network API now supports system scope and default roles. # Get ``provider:segmentation_id`` attribute of a network # GET /networks # GET /networks/{id} # Intended scope(s): project #"get_network:provider:segmentation_id": "rule:admin_only" # DEPRECATED # "get_network:provider:segmentation_id":"rule:admin_only" has been # deprecated since W in favor of # "get_network:provider:segmentation_id":"rule:admin_only". # The network API now supports system scope and default roles. # Get the network tags # GET /networks/{id}/tags # GET /networks/{id}/tags/{tag_id} # Intended scope(s): project #"get_networks_tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc" # Update a network # PUT /networks/{id} # Intended scope(s): project #"update_network": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "update_network":"rule:admin_or_owner" has been deprecated since W # in favor of "update_network":"(rule:admin_only) or (role:member and # project_id:%(project_id)s)". # The network API now supports system scope and default roles. # Update ``segments`` attribute of a network # PUT /networks/{id} # Intended scope(s): project #"update_network:segments": "rule:admin_only" # DEPRECATED # "update_network:segments":"rule:admin_only" has been deprecated # since W in favor of "update_network:segments":"rule:admin_only". # The network API now supports system scope and default roles. # Update ``shared`` attribute of a network # PUT /networks/{id} # Intended scope(s): project #"update_network:shared": "rule:admin_only" # DEPRECATED # "update_network:shared":"rule:admin_only" has been deprecated since # W in favor of "update_network:shared":"rule:admin_only". # The network API now supports system scope and default roles. # Update ``provider:network_type`` attribute of a network # PUT /networks/{id} # Intended scope(s): project #"update_network:provider:network_type": "rule:admin_only" # DEPRECATED # "update_network:provider:network_type":"rule:admin_only" has been # deprecated since W in favor of # "update_network:provider:network_type":"rule:admin_only". # The network API now supports system scope and default roles. # Update ``provider:physical_network`` attribute of a network # PUT /networks/{id} # Intended scope(s): project #"update_network:provider:physical_network": "rule:admin_only" # DEPRECATED # "update_network:provider:physical_network":"rule:admin_only" has # been deprecated since W in favor of # "update_network:provider:physical_network":"rule:admin_only". # The network API now supports system scope and default roles. # Update ``provider:segmentation_id`` attribute of a network # PUT /networks/{id} # Intended scope(s): project #"update_network:provider:segmentation_id": "rule:admin_only" # DEPRECATED # "update_network:provider:segmentation_id":"rule:admin_only" has been # deprecated since W in favor of # "update_network:provider:segmentation_id":"rule:admin_only". # The network API now supports system scope and default roles. # Update ``router:external`` attribute of a network # PUT /networks/{id} # Intended scope(s): project #"update_network:router:external": "rule:admin_only" # DEPRECATED # "update_network:router:external":"rule:admin_only" has been # deprecated since W in favor of # "update_network:router:external":"rule:admin_only". # The network API now supports system scope and default roles. # Update ``is_default`` attribute of a network # PUT /networks/{id} # Intended scope(s): project #"update_network:is_default": "rule:admin_only" # DEPRECATED # "update_network:is_default":"rule:admin_only" has been deprecated # since W in favor of "update_network:is_default":"rule:admin_only". # The network API now supports system scope and default roles. # Update ``port_security_enabled`` attribute of a network # PUT /networks/{id} # Intended scope(s): project #"update_network:port_security_enabled": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "update_network:port_security_enabled":"rule:admin_or_owner" has # been deprecated since W in favor of # "update_network:port_security_enabled":"(rule:admin_only) or # (role:member and project_id:%(project_id)s)". # The network API now supports system scope and default roles. # Update the network tags # PUT /networks/{id}/tags # PUT /networks/{id}/tags/{tag_id} # Intended scope(s): project #"update_networks_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # Delete a network # DELETE /networks/{id} # Intended scope(s): project #"delete_network": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "delete_network":"rule:admin_or_owner" has been deprecated since W # in favor of "delete_network":"(rule:admin_only) or (role:member and # project_id:%(project_id)s)". # The network API now supports system scope and default roles. # Delete the network tags # DELETE /networks/{id}/tags # DELETE /networks/{id}/tags/{tag_id} # Intended scope(s): project #"delete_networks_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # Get network IP availability # GET /network-ip-availabilities # GET /network-ip-availabilities/{network_id} # Intended scope(s): project #"get_network_ip_availability": "rule:admin_only" # DEPRECATED # "get_network_ip_availability":"rule:admin_only" has been deprecated # since W in favor of "get_network_ip_availability":"rule:admin_only". # The network IP availability API now support project scope and # default roles. # Create a network segment range # POST /network_segment_ranges # Intended scope(s): project #"create_network_segment_range": "rule:admin_only" # DEPRECATED # "create_network_segment_range":"rule:admin_only" has been deprecated # since W in favor of # "create_network_segment_range":"rule:admin_only". # The network segment range API now supports project scope and default # roles. # Get a network segment range # GET /network_segment_ranges # GET /network_segment_ranges/{id} # Intended scope(s): project #"get_network_segment_range": "rule:admin_only" # DEPRECATED # "get_network_segment_range":"rule:admin_only" has been deprecated # since W in favor of "get_network_segment_range":"rule:admin_only". # The network segment range API now supports project scope and default # roles. # Get the network segment range tags # GET /network_segment_ranges/{id}/tags # GET /network_segment_ranges/{id}/tags/{tag_id} # Intended scope(s): project #"get_network_segment_ranges_tags": "rule:admin_only" # Update a network segment range # PUT /network_segment_ranges/{id} # Intended scope(s): project #"update_network_segment_range": "rule:admin_only" # DEPRECATED # "update_network_segment_range":"rule:admin_only" has been deprecated # since W in favor of # "update_network_segment_range":"rule:admin_only". # The network segment range API now supports project scope and default # roles. # Update the network segment range tags # PUT /network_segment_ranges/{id}/tags # PUT /network_segment_ranges/{id}/tags/{tag_id} # Intended scope(s): project #"update_network_segment_ranges_tags": "rule:admin_only" # Delete a network segment range # DELETE /network_segment_ranges/{id} # Intended scope(s): project #"delete_network_segment_range": "rule:admin_only" # DEPRECATED # "delete_network_segment_range":"rule:admin_only" has been deprecated # since W in favor of # "delete_network_segment_range":"rule:admin_only". # The network segment range API now supports project scope and default # roles. # Delete the network segment range tags # DELETE /network_segment_ranges/{id}/tags # DELETE /network_segment_ranges/{id}/tags/{tag_id} # Intended scope(s): project #"delete_network_segment_ranges_tags": "rule:admin_only" # Get port binding information # GET /ports/{port_id}/bindings/ # Intended scope(s): project #"get_port_binding": "(rule:admin_only) or (rule:service_api)" # Create port binding on the host # POST /ports/{port_id}/bindings/ # Intended scope(s): project #"create_port_binding": "rule:service_api" # Delete port binding on the host # DELETE /ports/{port_id}/bindings/ # Intended scope(s): project #"delete_port_binding": "rule:service_api" # Activate port binding on the host # PUT /ports/{port_id}/bindings/{host} # Intended scope(s): project #"activate": "rule:service_api" # Definition of port with network device_owner #"network_device": "field:port:device_owner=~^network:" # Rule for data plane integration #"admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator" # Create a port # POST /ports # Intended scope(s): project #"create_port": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api" # DEPRECATED # "create_port":"rule:regular_user" has been deprecated since W in # favor of "create_port":"(rule:admin_only) or (role:member and # project_id:%(project_id)s) or rule:service_api". # The port API now supports project scope and default roles. # Specify ``device_owner`` attribute when creating a port # POST /ports # Intended scope(s): project #"create_port:device_owner": "not rule:network_device or (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner" # DEPRECATED # "create_port:device_owner":"not rule:network_device or # rule:context_is_advsvc or rule:admin_or_network_owner" has been # deprecated since W in favor of "create_port:device_owner":"not # rule:network_device or (rule:admin_only) or (rule:service_api) or # role:member and rule:network_owner". # The port API now supports project scope and default roles. # Specify ``mac_address`` attribute when creating a port # POST /ports # Intended scope(s): project #"create_port:mac_address": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner" # DEPRECATED # "create_port:mac_address":"rule:context_is_advsvc or # rule:admin_or_network_owner" has been deprecated since W in favor of # "create_port:mac_address":"(rule:admin_only) or (rule:service_api) # or role:member and rule:network_owner". # The port API now supports project scope and default roles. # Specify ``fixed_ips`` information when creating a port # POST /ports # Intended scope(s): project #"create_port:fixed_ips": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or rule:shared" # DEPRECATED # "create_port:fixed_ips":"rule:context_is_advsvc or # rule:admin_or_network_owner or rule:shared" has been deprecated # since W in favor of "create_port:fixed_ips":"(rule:admin_only) or # (rule:service_api) or role:member and rule:network_owner or # rule:shared". # The port API now supports project scope and default roles. # Specify IP address in ``fixed_ips`` when creating a port # POST /ports # Intended scope(s): project #"create_port:fixed_ips:ip_address": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner" # DEPRECATED # "create_port:fixed_ips:ip_address":"rule:context_is_advsvc or # rule:admin_or_network_owner" has been deprecated since W in favor of # "create_port:fixed_ips:ip_address":"(rule:admin_only) or # (rule:service_api) or role:member and rule:network_owner". # The port API now supports project scope and default roles. # Specify subnet ID in ``fixed_ips`` when creating a port # POST /ports # Intended scope(s): project #"create_port:fixed_ips:subnet_id": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or rule:shared" # DEPRECATED # "create_port:fixed_ips:subnet_id":"rule:context_is_advsvc or # rule:admin_or_network_owner or rule:shared" has been deprecated # since W in favor of # "create_port:fixed_ips:subnet_id":"(rule:admin_only) or # (rule:service_api) or role:member and rule:network_owner or # rule:shared". # The port API now supports project scope and default roles. # Specify ``port_security_enabled`` attribute when creating a port # POST /ports # Intended scope(s): project #"create_port:port_security_enabled": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner" # DEPRECATED # "create_port:port_security_enabled":"rule:context_is_advsvc or # rule:admin_or_network_owner" has been deprecated since W in favor of # "create_port:port_security_enabled":"(rule:admin_only) or # (rule:service_api) or role:member and rule:network_owner". # The port API now supports project scope and default roles. # Specify ``binding:host_id`` attribute when creating a port # POST /ports # Intended scope(s): project #"create_port:binding:host_id": "(rule:admin_only) or (rule:service_api)" # DEPRECATED # "create_port:binding:host_id":"rule:admin_only" has been deprecated # since W in favor of "create_port:binding:host_id":"(rule:admin_only) # or (rule:service_api)". # The port API now supports project scope and default roles. # Specify ``binding:profile`` attribute when creating a port # POST /ports # Intended scope(s): project #"create_port:binding:profile": "rule:service_api" # DEPRECATED # "create_port:binding:profile":"rule:admin_only" has been deprecated # since W in favor of # "create_port:binding:profile":"rule:service_api". # The port API now supports project scope and default roles. # Specify ``binding:vnic_type`` attribute when creating a port # POST /ports # Intended scope(s): project #"create_port:binding:vnic_type": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api" # DEPRECATED # "create_port:binding:vnic_type":"rule:regular_user" has been # deprecated since W in favor of # "create_port:binding:vnic_type":"(rule:admin_only) or (role:member # and project_id:%(project_id)s) or rule:service_api". # The port API now supports project scope and default roles. # Specify ``allowed_address_pairs`` attribute when creating a port # POST /ports # Intended scope(s): project #"create_port:allowed_address_pairs": "(rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "create_port:allowed_address_pairs":"rule:admin_or_network_owner" # has been deprecated since W in favor of # "create_port:allowed_address_pairs":"(rule:admin_only) or # (role:member and rule:network_owner)". # The port API now supports project scope and default roles. # Specify ``mac_address` of `allowed_address_pairs`` attribute when # creating a port # POST /ports # Intended scope(s): project #"create_port:allowed_address_pairs:mac_address": "(rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "create_port:allowed_address_pairs:mac_address":"rule:admin_or_netwo # rk_owner" has been deprecated since W in favor of # "create_port:allowed_address_pairs:mac_address":"(rule:admin_only) # or (role:member and rule:network_owner)". # The port API now supports project scope and default roles. # Specify ``ip_address`` of ``allowed_address_pairs`` attribute when # creating a port # POST /ports # Intended scope(s): project #"create_port:allowed_address_pairs:ip_address": "(rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "create_port:allowed_address_pairs:ip_address":"rule:admin_or_networ # k_owner" has been deprecated since W in favor of # "create_port:allowed_address_pairs:ip_address":"(rule:admin_only) or # (role:member and rule:network_owner)". # The port API now supports project scope and default roles. # Specify ``hints`` attribute when creating a port # POST /ports # Intended scope(s): project #"create_port:hints": "rule:admin_only" # Get a port # GET /ports # GET /ports/{id} # Intended scope(s): project #"get_port": "(rule:admin_only) or (rule:service_api) or role:reader and rule:network_owner or role:reader and project_id:%(project_id)s" # DEPRECATED # "get_port":"rule:context_is_advsvc or # rule:admin_owner_or_network_owner" has been deprecated since W in # favor of "get_port":"(rule:admin_only) or (rule:service_api) or # role:reader and rule:network_owner or role:reader and # project_id:%(project_id)s". # The port API now supports project scope and default roles. # Get ``binding:vif_type`` attribute of a port # GET /ports # GET /ports/{id} # Intended scope(s): project #"get_port:binding:vif_type": "(rule:admin_only) or (rule:service_api)" # DEPRECATED # "get_port:binding:vif_type":"rule:admin_only" has been deprecated # since W in favor of "get_port:binding:vif_type":"(rule:admin_only) # or (rule:service_api)". # The port API now supports project scope and default roles. # Get ``binding:vif_details`` attribute of a port # GET /ports # GET /ports/{id} # Intended scope(s): project #"get_port:binding:vif_details": "(rule:admin_only) or (rule:service_api)" # DEPRECATED # "get_port:binding:vif_details":"rule:admin_only" has been deprecated # since W in favor of # "get_port:binding:vif_details":"(rule:admin_only) or # (rule:service_api)". # The port API now supports project scope and default roles. # Get ``binding:host_id`` attribute of a port # GET /ports # GET /ports/{id} # Intended scope(s): project #"get_port:binding:host_id": "(rule:admin_only) or (rule:service_api)" # DEPRECATED # "get_port:binding:host_id":"rule:admin_only" has been deprecated # since W in favor of "get_port:binding:host_id":"(rule:admin_only) or # (rule:service_api)". # The port API now supports project scope and default roles. # Get ``binding:profile`` attribute of a port # GET /ports # GET /ports/{id} # Intended scope(s): project #"get_port:binding:profile": "(rule:admin_only) or (rule:service_api)" # DEPRECATED # "get_port:binding:profile":"rule:admin_only" has been deprecated # since W in favor of "get_port:binding:profile":"(rule:admin_only) or # (rule:service_api)". # The port API now supports project scope and default roles. # Get ``resource_request`` attribute of a port # GET /ports # GET /ports/{id} # Intended scope(s): project #"get_port:resource_request": "rule:admin_only" # DEPRECATED # "get_port:resource_request":"rule:admin_only" has been deprecated # since W in favor of "get_port:resource_request":"rule:admin_only". # The port API now supports project scope and default roles. # Get ``hints`` attribute of a port # GET /ports # GET /ports/{id} # Intended scope(s): project #"get_port:hints": "rule:admin_only" # Get the port tags # GET /ports/{id}/tags # GET /ports/{id}/tags/{tag_id} # Intended scope(s): project #"get_ports_tags": "rule:context_is_advsvc or (rule:admin_only) or (role:reader and rule:network_owner) or role:reader and project_id:%(project_id)s" # Update a port # PUT /ports/{id} # Intended scope(s): project #"update_port": "(rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s" # DEPRECATED # "update_port":"rule:admin_or_owner or rule:context_is_advsvc" has # been deprecated since W in favor of "update_port":"(rule:admin_only) # or (rule:service_api) or role:member and project_id:%(project_id)s". # The port API now supports project scope and default roles. # Update ``device_owner`` attribute of a port # PUT /ports/{id} # Intended scope(s): project #"update_port:device_owner": "not rule:network_device or (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner" # DEPRECATED # "update_port:device_owner":"not rule:network_device or # rule:context_is_advsvc or rule:admin_or_network_owner" has been # deprecated since W in favor of "update_port:device_owner":"not # rule:network_device or (rule:admin_only) or (rule:service_api) or # role:member and rule:network_owner". # The port API now supports project scope and default roles. # Update ``mac_address`` attribute of a port # PUT /ports/{id} # Intended scope(s): project #"update_port:mac_address": "(rule:admin_only) or (rule:service_api)" # DEPRECATED # "update_port:mac_address":"rule:admin_only or # rule:context_is_advsvc" has been deprecated since W in favor of # "update_port:mac_address":"(rule:admin_only) or (rule:service_api)". # The port API now supports project scope and default roles. # Specify ``fixed_ips`` information when updating a port # PUT /ports/{id} # Intended scope(s): project #"update_port:fixed_ips": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner" # DEPRECATED # "update_port:fixed_ips":"rule:context_is_advsvc or # rule:admin_or_network_owner" has been deprecated since W in favor of # "update_port:fixed_ips":"(rule:admin_only) or (rule:service_api) or # role:member and rule:network_owner". # The port API now supports project scope and default roles. # Specify IP address in ``fixed_ips`` information when updating a port # PUT /ports/{id} # Intended scope(s): project #"update_port:fixed_ips:ip_address": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner" # DEPRECATED # "update_port:fixed_ips:ip_address":"rule:context_is_advsvc or # rule:admin_or_network_owner" has been deprecated since W in favor of # "update_port:fixed_ips:ip_address":"(rule:admin_only) or # (rule:service_api) or role:member and rule:network_owner". # The port API now supports project scope and default roles. # Specify subnet ID in ``fixed_ips`` information when updating a port # PUT /ports/{id} # Intended scope(s): project #"update_port:fixed_ips:subnet_id": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or rule:shared" # DEPRECATED # "update_port:fixed_ips:subnet_id":"rule:context_is_advsvc or # rule:admin_or_network_owner or rule:shared" has been deprecated # since W in favor of # "update_port:fixed_ips:subnet_id":"(rule:admin_only) or # (rule:service_api) or role:member and rule:network_owner or # rule:shared". # The port API now supports project scope and default roles. # Update ``port_security_enabled`` attribute of a port # PUT /ports/{id} # Intended scope(s): project #"update_port:port_security_enabled": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner" # DEPRECATED # "update_port:port_security_enabled":"rule:context_is_advsvc or # rule:admin_or_network_owner" has been deprecated since W in favor of # "update_port:port_security_enabled":"(rule:admin_only) or # (rule:service_api) or role:member and rule:network_owner". # The port API now supports project scope and default roles. # Update ``binding:host_id`` attribute of a port # PUT /ports/{id} # Intended scope(s): project #"update_port:binding:host_id": "(rule:admin_only) or (rule:service_api)" # DEPRECATED # "update_port:binding:host_id":"rule:admin_only" has been deprecated # since W in favor of "update_port:binding:host_id":"(rule:admin_only) # or (rule:service_api)". # The port API now supports project scope and default roles. # Update ``binding:profile`` attribute of a port # PUT /ports/{id} # Intended scope(s): project #"update_port:binding:profile": "rule:service_api" # DEPRECATED # "update_port:binding:profile":"rule:admin_only" has been deprecated # since W in favor of # "update_port:binding:profile":"rule:service_api". # The port API now supports project scope and default roles. # Update ``binding:vnic_type`` attribute of a port # PUT /ports/{id} # Intended scope(s): project #"update_port:binding:vnic_type": "(rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s" # DEPRECATED # "update_port:binding:vnic_type":"rule:admin_or_owner or # rule:context_is_advsvc" has been deprecated since W in favor of # "update_port:binding:vnic_type":"(rule:admin_only) or # (rule:service_api) or role:member and project_id:%(project_id)s". # The port API now supports project scope and default roles. # Update ``allowed_address_pairs`` attribute of a port # PUT /ports/{id} # Intended scope(s): project #"update_port:allowed_address_pairs": "(rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "update_port:allowed_address_pairs":"rule:admin_or_network_owner" # has been deprecated since W in favor of # "update_port:allowed_address_pairs":"(rule:admin_only) or # (role:member and rule:network_owner)". # The port API now supports project scope and default roles. # Update ``mac_address`` of ``allowed_address_pairs`` attribute of a # port # PUT /ports/{id} # Intended scope(s): project #"update_port:allowed_address_pairs:mac_address": "(rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "update_port:allowed_address_pairs:mac_address":"rule:admin_or_netwo # rk_owner" has been deprecated since W in favor of # "update_port:allowed_address_pairs:mac_address":"(rule:admin_only) # or (role:member and rule:network_owner)". # The port API now supports project scope and default roles. # Update ``ip_address`` of ``allowed_address_pairs`` attribute of a # port # PUT /ports/{id} # Intended scope(s): project #"update_port:allowed_address_pairs:ip_address": "(rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "update_port:allowed_address_pairs:ip_address":"rule:admin_or_networ # k_owner" has been deprecated since W in favor of # "update_port:allowed_address_pairs:ip_address":"(rule:admin_only) or # (role:member and rule:network_owner)". # The port API now supports project scope and default roles. # Update ``data_plane_status`` attribute of a port # PUT /ports/{id} # Intended scope(s): project #"update_port:data_plane_status": "rule:admin_only or role:data_plane_integrator" # DEPRECATED # "update_port:data_plane_status":"rule:admin_or_data_plane_int" has # been deprecated since W in favor of # "update_port:data_plane_status":"rule:admin_only or # role:data_plane_integrator". # The port API now supports project scope and default roles. # Update ``hints`` attribute of a port # PUT /ports/{id} # Intended scope(s): project #"update_port:hints": "rule:admin_only" # Update the port tags # PUT /ports/{id}/tags # PUT /ports/{id}/tags/{tag_id} # Intended scope(s): project #"update_ports_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc" # Delete a port # DELETE /ports/{id} # Intended scope(s): project #"delete_port": "(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or role:member and project_id:%(project_id)s" # DEPRECATED # "delete_port":"rule:context_is_advsvc or # rule:admin_owner_or_network_owner" has been deprecated since W in # favor of "delete_port":"(rule:admin_only) or (rule:service_api) or # role:member and rule:network_owner or role:member and # project_id:%(project_id)s". # The port API now supports project scope and default roles. # Delete the port tags # DELETE /ports/{id}/tags # DELETE /ports/{id}/tags/{tag_id} # Intended scope(s): project #"delete_ports_tags": "rule:context_is_advsvc or role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)" # Rule of shared qos policy #"shared_qos_policy": "field:policies:shared=True" # Get QoS policies # GET /qos/policies # GET /qos/policies/{id} # Intended scope(s): project #"get_policy": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_qos_policy" # DEPRECATED # "get_policy":"rule:regular_user" has been deprecated since W in # favor of "get_policy":"(rule:admin_only) or (role:reader and # project_id:%(project_id)s) or rule:shared_qos_policy". # The QoS API now supports project scope and default roles. # Create a QoS policy # POST /qos/policies # Intended scope(s): project #"create_policy": "rule:admin_only" # DEPRECATED # "create_policy":"rule:admin_only" has been deprecated since W in # favor of "create_policy":"rule:admin_only". # The QoS API now supports project scope and default roles. # Update a QoS policy # PUT /qos/policies/{id} # Intended scope(s): project #"update_policy": "rule:admin_only" # DEPRECATED # "update_policy":"rule:admin_only" has been deprecated since W in # favor of "update_policy":"rule:admin_only". # The QoS API now supports project scope and default roles. # Delete a QoS policy # DELETE /qos/policies/{id} # Intended scope(s): project #"delete_policy": "rule:admin_only" # DEPRECATED # "delete_policy":"rule:admin_only" has been deprecated since W in # favor of "delete_policy":"rule:admin_only". # The QoS API now supports project scope and default roles. # Get available QoS rule types # GET /qos/rule-types # GET /qos/rule-types/{rule_type} # Intended scope(s): project #"get_rule_type": "role:reader" # DEPRECATED # "get_rule_type":"rule:regular_user" has been deprecated since W in # favor of "get_rule_type":"role:reader". # The QoS API now supports project scope and default roles. # Get a QoS bandwidth limit rule # GET /qos/policies/{policy_id}/bandwidth_limit_rules # GET /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id} # Intended scope(s): project #"get_policy_bandwidth_limit_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)" # DEPRECATED # "get_policy_bandwidth_limit_rule":"rule:regular_user" has been # deprecated since W in favor of # "get_policy_bandwidth_limit_rule":"(rule:admin_only) or (role:reader # and rule:ext_parent_owner)". # The QoS API now supports project scope and default roles. # Create a QoS bandwidth limit rule # POST /qos/policies/{policy_id}/bandwidth_limit_rules # Intended scope(s): project #"create_policy_bandwidth_limit_rule": "rule:admin_only" # DEPRECATED # "create_policy_bandwidth_limit_rule":"rule:admin_only" has been # deprecated since W in favor of # "create_policy_bandwidth_limit_rule":"rule:admin_only". # The QoS API now supports project scope and default roles. # Update a QoS bandwidth limit rule # PUT /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id} # Intended scope(s): project #"update_policy_bandwidth_limit_rule": "rule:admin_only" # DEPRECATED # "update_policy_bandwidth_limit_rule":"rule:admin_only" has been # deprecated since W in favor of # "update_policy_bandwidth_limit_rule":"rule:admin_only". # The QoS API now supports project scope and default roles. # Delete a QoS bandwidth limit rule # DELETE /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id} # Intended scope(s): project #"delete_policy_bandwidth_limit_rule": "rule:admin_only" # DEPRECATED # "delete_policy_bandwidth_limit_rule":"rule:admin_only" has been # deprecated since W in favor of # "delete_policy_bandwidth_limit_rule":"rule:admin_only". # The QoS API now supports project scope and default roles. # Get a QoS packet rate limit rule # GET /qos/policies/{policy_id}/packet_rate_limit_rules # GET /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id} # Intended scope(s): project #"get_policy_packet_rate_limit_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)" # Create a QoS packet rate limit rule # POST /qos/policies/{policy_id}/packet_rate_limit_rules # Intended scope(s): project #"create_policy_packet_rate_limit_rule": "rule:admin_only" # Update a QoS packet rate limit rule # PUT /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id} # Intended scope(s): project #"update_policy_packet_rate_limit_rule": "rule:admin_only" # Delete a QoS packet rate limit rule # DELETE /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id} # Intended scope(s): project #"delete_policy_packet_rate_limit_rule": "rule:admin_only" # Get a QoS DSCP marking rule # GET /qos/policies/{policy_id}/dscp_marking_rules # GET /qos/policies/{policy_id}/dscp_marking_rules/{rule_id} # Intended scope(s): project #"get_policy_dscp_marking_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)" # DEPRECATED # "get_policy_dscp_marking_rule":"rule:regular_user" has been # deprecated since W in favor of # "get_policy_dscp_marking_rule":"(rule:admin_only) or (role:reader # and rule:ext_parent_owner)". # The QoS API now supports project scope and default roles. # Create a QoS DSCP marking rule # POST /qos/policies/{policy_id}/dscp_marking_rules # Intended scope(s): project #"create_policy_dscp_marking_rule": "rule:admin_only" # DEPRECATED # "create_policy_dscp_marking_rule":"rule:admin_only" has been # deprecated since W in favor of # "create_policy_dscp_marking_rule":"rule:admin_only". # The QoS API now supports project scope and default roles. # Update a QoS DSCP marking rule # PUT /qos/policies/{policy_id}/dscp_marking_rules/{rule_id} # Intended scope(s): project #"update_policy_dscp_marking_rule": "rule:admin_only" # DEPRECATED # "update_policy_dscp_marking_rule":"rule:admin_only" has been # deprecated since W in favor of # "update_policy_dscp_marking_rule":"rule:admin_only". # The QoS API now supports project scope and default roles. # Delete a QoS DSCP marking rule # DELETE /qos/policies/{policy_id}/dscp_marking_rules/{rule_id} # Intended scope(s): project #"delete_policy_dscp_marking_rule": "rule:admin_only" # DEPRECATED # "delete_policy_dscp_marking_rule":"rule:admin_only" has been # deprecated since W in favor of # "delete_policy_dscp_marking_rule":"rule:admin_only". # The QoS API now supports project scope and default roles. # Get a QoS minimum bandwidth rule # GET /qos/policies/{policy_id}/minimum_bandwidth_rules # GET /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id} # Intended scope(s): project #"get_policy_minimum_bandwidth_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)" # DEPRECATED # "get_policy_minimum_bandwidth_rule":"rule:regular_user" has been # deprecated since W in favor of # "get_policy_minimum_bandwidth_rule":"(rule:admin_only) or # (role:reader and rule:ext_parent_owner)". # The QoS API now supports project scope and default roles. # Create a QoS minimum bandwidth rule # POST /qos/policies/{policy_id}/minimum_bandwidth_rules # Intended scope(s): project #"create_policy_minimum_bandwidth_rule": "rule:admin_only" # DEPRECATED # "create_policy_minimum_bandwidth_rule":"rule:admin_only" has been # deprecated since W in favor of # "create_policy_minimum_bandwidth_rule":"rule:admin_only". # The QoS API now supports project scope and default roles. # Update a QoS minimum bandwidth rule # PUT /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id} # Intended scope(s): project #"update_policy_minimum_bandwidth_rule": "rule:admin_only" # DEPRECATED # "update_policy_minimum_bandwidth_rule":"rule:admin_only" has been # deprecated since W in favor of # "update_policy_minimum_bandwidth_rule":"rule:admin_only". # The QoS API now supports project scope and default roles. # Delete a QoS minimum bandwidth rule # DELETE /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id} # Intended scope(s): project #"delete_policy_minimum_bandwidth_rule": "rule:admin_only" # DEPRECATED # "delete_policy_minimum_bandwidth_rule":"rule:admin_only" has been # deprecated since W in favor of # "delete_policy_minimum_bandwidth_rule":"rule:admin_only". # The QoS API now supports project scope and default roles. # Get a QoS minimum packet rate rule # GET /qos/policies/{policy_id}/minimum_packet_rate_rules # GET /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id} # Intended scope(s): project #"get_policy_minimum_packet_rate_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)" # Create a QoS minimum packet rate rule # POST /qos/policies/{policy_id}/minimum_packet_rate_rules # Intended scope(s): project #"create_policy_minimum_packet_rate_rule": "rule:admin_only" # Update a QoS minimum packet rate rule # PUT /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id} # Intended scope(s): project #"update_policy_minimum_packet_rate_rule": "rule:admin_only" # Delete a QoS minimum packet rate rule # DELETE /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id} # Intended scope(s): project #"delete_policy_minimum_packet_rate_rule": "rule:admin_only" # Get a QoS bandwidth limit rule through alias # GET /qos/alias_bandwidth_limit_rules/{rule_id}/ # Intended scope(s): project #"get_alias_bandwidth_limit_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)" # DEPRECATED # "get_alias_bandwidth_limit_rule":"rule:regular_user" has been # deprecated since W in favor of # "get_alias_bandwidth_limit_rule":"(rule:admin_only) or (role:reader # and rule:ext_parent_owner)". # The QoS API now supports project scope and default roles. # Update a QoS bandwidth limit rule through alias # PUT /qos/alias_bandwidth_limit_rules/{rule_id}/ # Intended scope(s): project #"update_alias_bandwidth_limit_rule": "rule:admin_only" # DEPRECATED # "update_alias_bandwidth_limit_rule":"rule:admin_only" has been # deprecated since W in favor of # "update_alias_bandwidth_limit_rule":"rule:admin_only". # The QoS API now supports project scope and default roles. # Delete a QoS bandwidth limit rule through alias # DELETE /qos/alias_bandwidth_limit_rules/{rule_id}/ # Intended scope(s): project #"delete_alias_bandwidth_limit_rule": "rule:admin_only" # DEPRECATED # "delete_alias_bandwidth_limit_rule":"rule:admin_only" has been # deprecated since W in favor of # "delete_alias_bandwidth_limit_rule":"rule:admin_only". # The QoS API now supports project scope and default roles. # Get a QoS DSCP marking rule through alias # GET /qos/alias_dscp_marking_rules/{rule_id}/ # Intended scope(s): project #"get_alias_dscp_marking_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)" # DEPRECATED # "get_alias_dscp_marking_rule":"rule:regular_user" has been # deprecated since W in favor of # "get_alias_dscp_marking_rule":"(rule:admin_only) or (role:reader and # rule:ext_parent_owner)". # The QoS API now supports project scope and default roles. # Update a QoS DSCP marking rule through alias # PUT /qos/alias_dscp_marking_rules/{rule_id}/ # Intended scope(s): project #"update_alias_dscp_marking_rule": "rule:admin_only" # DEPRECATED # "update_alias_dscp_marking_rule":"rule:admin_only" has been # deprecated since W in favor of # "update_alias_dscp_marking_rule":"rule:admin_only". # The QoS API now supports project scope and default roles. # Delete a QoS DSCP marking rule through alias # DELETE /qos/alias_dscp_marking_rules/{rule_id}/ # Intended scope(s): project #"delete_alias_dscp_marking_rule": "rule:admin_only" # DEPRECATED # "delete_alias_dscp_marking_rule":"rule:admin_only" has been # deprecated since W in favor of # "delete_alias_dscp_marking_rule":"rule:admin_only". # The QoS API now supports project scope and default roles. # Get a QoS minimum bandwidth rule through alias # GET /qos/alias_minimum_bandwidth_rules/{rule_id}/ # Intended scope(s): project #"get_alias_minimum_bandwidth_rule": "(rule:admin_only) or (role:reader and rule:ext_parent_owner)" # DEPRECATED # "get_alias_minimum_bandwidth_rule":"rule:regular_user" has been # deprecated since W in favor of # "get_alias_minimum_bandwidth_rule":"(rule:admin_only) or # (role:reader and rule:ext_parent_owner)". # The QoS API now supports project scope and default roles. # Update a QoS minimum bandwidth rule through alias # PUT /qos/alias_minimum_bandwidth_rules/{rule_id}/ # Intended scope(s): project #"update_alias_minimum_bandwidth_rule": "rule:admin_only" # DEPRECATED # "update_alias_minimum_bandwidth_rule":"rule:admin_only" has been # deprecated since W in favor of # "update_alias_minimum_bandwidth_rule":"rule:admin_only". # The QoS API now supports project scope and default roles. # Delete a QoS minimum bandwidth rule through alias # DELETE /qos/alias_minimum_bandwidth_rules/{rule_id}/ # Intended scope(s): project #"delete_alias_minimum_bandwidth_rule": "rule:admin_only" # DEPRECATED # "delete_alias_minimum_bandwidth_rule":"rule:admin_only" has been # deprecated since W in favor of # "delete_alias_minimum_bandwidth_rule":"rule:admin_only". # The QoS API now supports project scope and default roles. # Get a QoS minimum packet rate rule through alias # GET /qos/alias_minimum_packet_rate_rules/{rule_id}/ # Intended scope(s): project #"get_alias_minimum_packet_rate_rule": "rule:get_policy_minimum_packet_rate_rule" # Update a QoS minimum packet rate rule through alias # PUT /qos/alias_minimum_packet_rate_rules/{rule_id}/ # Intended scope(s): project #"update_alias_minimum_packet_rate_rule": "rule:update_policy_minimum_packet_rate_rule" # Delete a QoS minimum packet rate rule through alias # DELETE /qos/alias_minimum_packet_rate_rules/{rule_id}/ # Intended scope(s): project #"delete_alias_minimum_packet_rate_rule": "rule:delete_policy_minimum_packet_rate_rule" # Get a resource quota # GET /quota # GET /quota/{id} # Intended scope(s): project #"get_quota": "rule:admin_only" # DEPRECATED # "get_quota":"rule:admin_only" has been deprecated since W in favor # of "get_quota":"rule:admin_only". # The quotas API now supports project scope and default roles. # Update a resource quota # PUT /quota/{id} # Intended scope(s): project #"update_quota": "rule:admin_only" # DEPRECATED # "update_quota":"rule:admin_only" has been deprecated since W in # favor of "update_quota":"rule:admin_only". # The quotas API now supports project scope and default roles. # Delete a resource quota # DELETE /quota/{id} # Intended scope(s): project #"delete_quota": "rule:admin_only" # DEPRECATED # "delete_quota":"rule:admin_only" has been deprecated since W in # favor of "delete_quota":"rule:admin_only". # The quotas API now supports project scope and default roles. # Definition of a wildcard target_project #"restrict_wildcard": "(not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*) or rule:admin_only" # Create an RBAC policy # POST /rbac-policies # Intended scope(s): project #"create_rbac_policy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "create_rbac_policy":"rule:regular_user" has been deprecated since W # in favor of "create_rbac_policy":"(rule:admin_only) or (role:member # and project_id:%(project_id)s)". # The RBAC API now supports system scope and default roles. # Specify ``target_tenant`` when creating an RBAC policy # POST /rbac-policies # Intended scope(s): project #"create_rbac_policy:target_tenant": "rule:admin_only or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)" # DEPRECATED # "create_rbac_policy:target_tenant":"rule:restrict_wildcard" has been # deprecated since W in favor of # "create_rbac_policy:target_tenant":"rule:admin_only or (not # field:rbac_policy:target_tenant=* and not # field:rbac_policy:target_project=*)". # The RBAC API now supports system scope and default roles. # Update an RBAC policy # PUT /rbac-policies/{id} # Intended scope(s): project #"update_rbac_policy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "update_rbac_policy":"rule:admin_or_owner" has been deprecated since # W in favor of "update_rbac_policy":"(rule:admin_only) or # (role:member and project_id:%(project_id)s)". # The RBAC API now supports system scope and default roles. # Update ``target_tenant`` attribute of an RBAC policy # PUT /rbac-policies/{id} # Intended scope(s): project #"update_rbac_policy:target_tenant": "rule:admin_only or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)" # DEPRECATED # "update_rbac_policy:target_tenant":"rule:restrict_wildcard and # rule:admin_or_owner" has been deprecated since W in favor of # "update_rbac_policy:target_tenant":"rule:admin_only or (not # field:rbac_policy:target_tenant=* and not # field:rbac_policy:target_project=*)". # The RBAC API now supports system scope and default roles. # Get an RBAC policy # GET /rbac-policies # GET /rbac-policies/{id} # Intended scope(s): project #"get_rbac_policy": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "get_rbac_policy":"rule:admin_or_owner" has been deprecated since W # in favor of "get_rbac_policy":"(rule:admin_only) or (role:reader and # project_id:%(project_id)s)". # The RBAC API now supports system scope and default roles. # Delete an RBAC policy # DELETE /rbac-policies/{id} # Intended scope(s): project #"delete_rbac_policy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "delete_rbac_policy":"rule:admin_or_owner" has been deprecated since # W in favor of "delete_rbac_policy":"(rule:admin_only) or # (role:member and project_id:%(project_id)s)". # The RBAC API now supports system scope and default roles. # Create a router # POST /routers # Intended scope(s): project #"create_router": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "create_router":"rule:regular_user" has been deprecated since W in # favor of "create_router":"(rule:admin_only) or (role:member and # project_id:%(project_id)s)". # The router API now supports system scope and default roles. # Specify ``distributed`` attribute when creating a router # POST /routers # Intended scope(s): project #"create_router:distributed": "rule:admin_only" # DEPRECATED # "create_router:distributed":"rule:admin_only" has been deprecated # since W in favor of "create_router:distributed":"rule:admin_only". # The router API now supports system scope and default roles. # Specify ``ha`` attribute when creating a router # POST /routers # Intended scope(s): project #"create_router:ha": "rule:admin_only" # DEPRECATED # "create_router:ha":"rule:admin_only" has been deprecated since W in # favor of "create_router:ha":"rule:admin_only". # The router API now supports system scope and default roles. # Specify ``external_gateway_info`` information when creating a router # POST /routers # Intended scope(s): project #"create_router:external_gateway_info": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "create_router:external_gateway_info":"rule:admin_or_owner" has been # deprecated since W in favor of # "create_router:external_gateway_info":"(rule:admin_only) or # (role:member and project_id:%(project_id)s)". # The router API now supports system scope and default roles. # Specify ``network_id`` in ``external_gateway_info`` information when # creating a router # POST /routers # Intended scope(s): project #"create_router:external_gateway_info:network_id": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "create_router:external_gateway_info:network_id":"rule:admin_or_owne # r" has been deprecated since W in favor of # "create_router:external_gateway_info:network_id":"(rule:admin_only) # or (role:member and project_id:%(project_id)s)". # The router API now supports system scope and default roles. # Specify ``enable_snat`` in ``external_gateway_info`` information # when creating a router # POST /routers # Intended scope(s): project #"create_router:external_gateway_info:enable_snat": "rule:admin_only" # DEPRECATED # "create_router:external_gateway_info:enable_snat":"rule:admin_only" # has been deprecated since W in favor of # "create_router:external_gateway_info:enable_snat":"rule:admin_only". # The router API now supports system scope and default roles. # Specify ``external_fixed_ips`` in ``external_gateway_info`` # information when creating a router # POST /routers # Intended scope(s): project #"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only" # DEPRECATED # "create_router:external_gateway_info:external_fixed_ips":"rule:admin # _only" has been deprecated since W in favor of "create_router:extern # al_gateway_info:external_fixed_ips":"rule:admin_only". # The router API now supports system scope and default roles. # Specify ``enable_default_route_bfd`` attribute when creating a # router # POST /routers # Intended scope(s): project #"create_router:enable_default_route_bfd": "rule:admin_only" # Specify ``enable_default_route_ecmp`` attribute when creating a # router # POST /routers # Intended scope(s): project #"create_router:enable_default_route_ecmp": "rule:admin_only" # Get a router # GET /routers # GET /routers/{id} # Intended scope(s): project #"get_router": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "get_router":"rule:admin_or_owner" has been deprecated since W in # favor of "get_router":"(rule:admin_only) or (role:reader and # project_id:%(project_id)s)". # The router API now supports system scope and default roles. # Get ``distributed`` attribute of a router # GET /routers # GET /routers/{id} # Intended scope(s): project #"get_router:distributed": "rule:admin_only" # DEPRECATED # "get_router:distributed":"rule:admin_only" has been deprecated since # W in favor of "get_router:distributed":"rule:admin_only". # The router API now supports system scope and default roles. # Get ``ha`` attribute of a router # GET /routers # GET /routers/{id} # Intended scope(s): project #"get_router:ha": "rule:admin_only" # DEPRECATED # "get_router:ha":"rule:admin_only" has been deprecated since W in # favor of "get_router:ha":"rule:admin_only". # The router API now supports system scope and default roles. # Get the router tags # GET /routers/{id}/tags # GET /routers/{id}/tags/{tag_id} # Intended scope(s): project #"get_routers_tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" # Update a router # PUT /routers/{id} # Intended scope(s): project #"update_router": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "update_router":"rule:admin_or_owner" has been deprecated since W in # favor of "update_router":"(rule:admin_only) or (role:member and # project_id:%(project_id)s)". # The router API now supports system scope and default roles. # Update ``distributed`` attribute of a router # PUT /routers/{id} # Intended scope(s): project #"update_router:distributed": "rule:admin_only" # DEPRECATED # "update_router:distributed":"rule:admin_only" has been deprecated # since W in favor of "update_router:distributed":"rule:admin_only". # The router API now supports system scope and default roles. # Update ``ha`` attribute of a router # PUT /routers/{id} # Intended scope(s): project #"update_router:ha": "rule:admin_only" # DEPRECATED # "update_router:ha":"rule:admin_only" has been deprecated since W in # favor of "update_router:ha":"rule:admin_only". # The router API now supports system scope and default roles. # Update ``external_gateway_info`` information of a router # PUT /routers/{id} # Intended scope(s): project #"update_router:external_gateway_info": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "update_router:external_gateway_info":"rule:admin_or_owner" has been # deprecated since W in favor of # "update_router:external_gateway_info":"(rule:admin_only) or # (role:member and project_id:%(project_id)s)". # The router API now supports system scope and default roles. # Update ``network_id`` attribute of ``external_gateway_info`` # information of a router # PUT /routers/{id} # Intended scope(s): project #"update_router:external_gateway_info:network_id": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "update_router:external_gateway_info:network_id":"rule:admin_or_owne # r" has been deprecated since W in favor of # "update_router:external_gateway_info:network_id":"(rule:admin_only) # or (role:member and project_id:%(project_id)s)". # The router API now supports system scope and default roles. # Update ``enable_snat`` attribute of ``external_gateway_info`` # information of a router # PUT /routers/{id} # Intended scope(s): project #"update_router:external_gateway_info:enable_snat": "rule:admin_only" # DEPRECATED # "update_router:external_gateway_info:enable_snat":"rule:admin_only" # has been deprecated since W in favor of # "update_router:external_gateway_info:enable_snat":"rule:admin_only". # The router API now supports system scope and default roles. # Update ``external_fixed_ips`` attribute of ``external_gateway_info`` # information of a router # PUT /routers/{id} # Intended scope(s): project #"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only" # DEPRECATED # "update_router:external_gateway_info:external_fixed_ips":"rule:admin # _only" has been deprecated since W in favor of "update_router:extern # al_gateway_info:external_fixed_ips":"rule:admin_only". # The router API now supports system scope and default roles. # Specify ``enable_default_route_bfd`` attribute when updating a # router # POST /routers # Intended scope(s): project #"update_router:enable_default_route_bfd": "rule:admin_only" # Specify ``enable_default_route_ecmp`` attribute when updating a # router # POST /routers # Intended scope(s): project #"update_router:enable_default_route_ecmp": "rule:admin_only" # Update the router tags # PUT /routers/{id}/tags # PUT /routers/{id}/tags/{tag_id} # Intended scope(s): project #"update_routers_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # Delete a router # DELETE /routers/{id} # Intended scope(s): project #"delete_router": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "delete_router":"rule:admin_or_owner" has been deprecated since W in # favor of "delete_router":"(rule:admin_only) or (role:member and # project_id:%(project_id)s)". # The router API now supports system scope and default roles. # Delete the router tags # DELETE /routers/{id}/tags # DELETE /routers/{id}/tags/{tag_id} # Intended scope(s): project #"delete_routers_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # Add an interface to a router # PUT /routers/{id}/add_router_interface # Intended scope(s): project #"add_router_interface": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "add_router_interface":"rule:admin_or_owner" has been deprecated # since W in favor of "add_router_interface":"(rule:admin_only) or # (role:member and project_id:%(project_id)s)". # The router API now supports system scope and default roles. # Remove an interface from a router # PUT /routers/{id}/remove_router_interface # Intended scope(s): project #"remove_router_interface": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "remove_router_interface":"rule:admin_or_owner" has been deprecated # since W in favor of "remove_router_interface":"(rule:admin_only) or # (role:member and project_id:%(project_id)s)". # The router API now supports system scope and default roles. # Add extra route to a router # PUT /routers/{id}/add_extraroutes # Intended scope(s): project #"add_extraroutes": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "add_extraroutes":"rule:admin_or_owner" has been deprecated since # Xena in favor of "add_extraroutes":"(rule:admin_only) or # (role:member and project_id:%(project_id)s)". # The router API now supports system scope and default roles. # Remove extra route from a router # PUT /routers/{id}/remove_extraroutes # Intended scope(s): project #"remove_extraroutes": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "remove_extraroutes":"rule:admin_or_owner" has been deprecated since # Xena in favor of "remove_extraroutes":"(rule:admin_only) or # (role:member and project_id:%(project_id)s)". # The router API now supports system scope and default roles. # Rule for admin or security group owner access #"admin_or_sg_owner": "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s" # Rule for resource owner, admin or security group owner access #"admin_owner_or_sg_owner": "rule:owner or rule:admin_or_sg_owner" # Definition of a shared security group #"shared_security_group": "field:security_groups:shared=True" # Definition of a security group rule that belongs to the project # default security group #"rule_default_sg": "field:security_group_rules:belongs_to_default_sg=True" # Create a security group # POST /security-groups # Intended scope(s): project #"create_security_group": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "create_security_group":"rule:admin_or_owner" has been deprecated # since W in favor of "create_security_group":"(rule:admin_only) or # (role:member and project_id:%(project_id)s)". # The security group API now supports system scope and default roles. # Get a security group # GET /security-groups # GET /security-groups/{id} # Intended scope(s): project #"get_security_group": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_security_group" # DEPRECATED # "get_security_group":"rule:regular_user" has been deprecated since W # in favor of "get_security_group":"(rule:admin_only) or (role:reader # and project_id:%(project_id)s) or rule:shared_security_group". # The security group API now supports system scope and default roles. # Get the security group tags # GET /security-groups/{id}/tags # GET /security-groups/{id}/tags/{tag_id} # Intended scope(s): project #"get_security_groups_tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_security_group" # Update a security group # PUT /security-groups/{id} # Intended scope(s): project #"update_security_group": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "update_security_group":"rule:admin_or_owner" has been deprecated # since W in favor of "update_security_group":"(rule:admin_only) or # (role:member and project_id:%(project_id)s)". # The security group API now supports system scope and default roles. # Update the security group tags # PUT /security-groups/{id}/tags # PUT /security-groups/{id}/tags/{tag_id} # Intended scope(s): project #"update_security_groups_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # Delete a security group # DELETE /security-groups/{id} # Intended scope(s): project #"delete_security_group": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "delete_security_group":"rule:admin_or_owner" has been deprecated # since W in favor of "delete_security_group":"(rule:admin_only) or # (role:member and project_id:%(project_id)s)". # The security group API now supports system scope and default roles. # Delete the security group tags # DELETE /security-groups/{id}/tags # DELETE /security-groups/{id}/tags/{tag_id} # Intended scope(s): project #"delete_security_groups_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # Create a security group rule # POST /security-group-rules # Intended scope(s): project #"create_security_group_rule": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "create_security_group_rule":"rule:admin_or_owner" has been # deprecated since W in favor of # "create_security_group_rule":"(rule:admin_only) or (role:member and # project_id:%(project_id)s)". # The security group API now supports system scope and default roles. # Get a security group rule # GET /security-group-rules # GET /security-group-rules/{id} # Intended scope(s): project #"get_security_group_rule": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:sg_owner" # DEPRECATED # "get_security_group_rule":"rule:admin_owner_or_sg_owner" has been # deprecated since W in favor of # "get_security_group_rule":"(rule:admin_only) or (role:reader and # project_id:%(project_id)s) or rule:sg_owner". # The security group API now supports system scope and default roles. # Delete a security group rule # DELETE /security-group-rules/{id} # Intended scope(s): project #"delete_security_group_rule": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "delete_security_group_rule":"rule:admin_or_owner" has been # deprecated since W in favor of # "delete_security_group_rule":"(rule:admin_only) or (role:member and # project_id:%(project_id)s)". # The security group API now supports system scope and default roles. # Create a segment # POST /segments # Intended scope(s): project #"create_segment": "rule:admin_only" # DEPRECATED # "create_segment":"rule:admin_only" has been deprecated since W in # favor of "create_segment":"rule:admin_only". # The segment API now supports project scope and default roles. # Get a segment # GET /segments # GET /segments/{id} # Intended scope(s): project #"get_segment": "rule:admin_only" # DEPRECATED # "get_segment":"rule:admin_only" has been deprecated since W in favor # of "get_segment":"rule:admin_only". # The segment API now supports project scope and default roles. # Get the segment tags # GET /segments/{id}/tags # GET /segments/{id}/tags/{tag_id} # Intended scope(s): project #"get_segments_tags": "rule:admin_only" # Update a segment # PUT /segments/{id} # Intended scope(s): project #"update_segment": "rule:admin_only" # DEPRECATED # "update_segment":"rule:admin_only" has been deprecated since W in # favor of "update_segment":"rule:admin_only". # The segment API now supports project scope and default roles. # Update the segment tags # PUT /segments/{id}/tags # PUT /segments/{id}/tags/{tag_id} # Intended scope(s): project #"update_segments_tags": "rule:admin_only" # Delete a segment # DELETE /segments/{id} # Intended scope(s): project #"delete_segment": "rule:admin_only" # DEPRECATED # "delete_segment":"rule:admin_only" has been deprecated since W in # favor of "delete_segment":"rule:admin_only". # The segment API now supports project scope and default roles. # Delete the segment tags # DELETE /segments/{id}/tags # DELETE /segments/{id}/tags/{tag_id} # Intended scope(s): project #"delete_segments_tags": "rule:admin_only" # Get service providers # GET /service-providers # Intended scope(s): project #"get_service_provider": "role:reader" # DEPRECATED # "get_service_provider":"rule:regular_user" has been deprecated since # W in favor of "get_service_provider":"role:reader". # The Service Providers API now supports project scope and default # roles. # Create a subnet # POST /subnets # Intended scope(s): project #"create_subnet": "(rule:admin_only) or (role:member and rule:network_owner)" # DEPRECATED # "create_subnet":"rule:admin_or_network_owner" has been deprecated # since W in favor of "create_subnet":"(rule:admin_only) or # (role:member and rule:network_owner)". # The subnet API now supports system scope and default roles. # Specify ``segment_id`` attribute when creating a subnet # POST /subnets # Intended scope(s): project #"create_subnet:segment_id": "rule:admin_only" # DEPRECATED # "create_subnet:segment_id":"rule:admin_only" has been deprecated # since W in favor of "create_subnet:segment_id":"rule:admin_only". # The subnet API now supports system scope and default roles. # Specify ``service_types`` attribute when creating a subnet # POST /subnets # Intended scope(s): project #"create_subnet:service_types": "rule:admin_only" # DEPRECATED # "create_subnet:service_types":"rule:admin_only" has been deprecated # since W in favor of "create_subnet:service_types":"rule:admin_only". # The subnet API now supports system scope and default roles. # Get a subnet # GET /subnets # GET /subnets/{id} # Intended scope(s): project #"get_subnet": "(rule:admin_only) or (role:member and rule:network_owner) or role:reader and project_id:%(project_id)s or rule:shared" # DEPRECATED # "get_subnet":"rule:admin_or_owner or rule:shared" has been # deprecated since W in favor of "get_subnet":"(rule:admin_only) or # (role:member and rule:network_owner) or role:reader and # project_id:%(project_id)s or rule:shared". # The subnet API now supports system scope and default roles. # Get ``segment_id`` attribute of a subnet # GET /subnets # GET /subnets/{id} # Intended scope(s): project #"get_subnet:segment_id": "rule:admin_only" # DEPRECATED # "get_subnet:segment_id":"rule:admin_only" has been deprecated since # W in favor of "get_subnet:segment_id":"rule:admin_only". # The subnet API now supports system scope and default roles. # Get the subnet tags # GET /subnets/{id}/tags # GET /subnets/{id}/tags/{tag_id} # Intended scope(s): project #"get_subnets_tags": "(rule:admin_only) or (role:member and rule:network_owner) or role:reader and project_id:%(project_id)s or rule:shared" # Update a subnet # PUT /subnets/{id} # Intended scope(s): project #"update_subnet": "(rule:admin_only) or (role:member and rule:network_owner) or role:member and project_id:%(project_id)s" # DEPRECATED # "update_subnet":"rule:admin_or_network_owner" has been deprecated # since W in favor of "update_subnet":"(rule:admin_only) or # (role:member and rule:network_owner) or role:member and # project_id:%(project_id)s". # The subnet API now supports system scope and default roles. # Update ``segment_id`` attribute of a subnet # PUT /subnets/{id} # Intended scope(s): project #"update_subnet:segment_id": "rule:admin_only" # DEPRECATED # "update_subnet:segment_id":"rule:admin_only" has been deprecated # since W in favor of "update_subnet:segment_id":"rule:admin_only". # The subnet API now supports system scope and default roles. # Update ``service_types`` attribute of a subnet # PUT /subnets/{id} # Intended scope(s): project #"update_subnet:service_types": "rule:admin_only" # DEPRECATED # "update_subnet:service_types":"rule:admin_only" has been deprecated # since W in favor of "update_subnet:service_types":"rule:admin_only". # The subnet API now supports system scope and default roles. # Update the subnet tags # PUT /subnets/{id}/tags # PUT /subnets/{id}/tags/{tag_id} # Intended scope(s): project #"update_subnets_tags": "(rule:admin_only) or (role:member and rule:network_owner) or role:member and project_id:%(project_id)s" # Delete a subnet # DELETE /subnets/{id} # Intended scope(s): project #"delete_subnet": "(rule:admin_only) or (role:member and rule:network_owner) or role:member and project_id:%(project_id)s" # DEPRECATED # "delete_subnet":"rule:admin_or_network_owner" has been deprecated # since W in favor of "delete_subnet":"(rule:admin_only) or # (role:member and rule:network_owner) or role:member and # project_id:%(project_id)s". # The subnet API now supports system scope and default roles. # Delete the subnet tags # DELETE /subnets/{id}/tags # DELETE /subnets/{id}/tags/{tag_id} # Intended scope(s): project #"delete_subnets_tags": "(rule:admin_only) or (role:member and rule:network_owner) or role:member and project_id:%(project_id)s" # Definition of a shared subnetpool #"shared_subnetpools": "field:subnetpools:shared=True" # Create a subnetpool # POST /subnetpools # Intended scope(s): project #"create_subnetpool": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "create_subnetpool":"rule:regular_user" has been deprecated since W # in favor of "create_subnetpool":"(rule:admin_only) or (role:member # and project_id:%(project_id)s)". # The subnet pool API now supports system scope and default roles. # Create a shared subnetpool # POST /subnetpools # Intended scope(s): project #"create_subnetpool:shared": "rule:admin_only" # DEPRECATED # "create_subnetpool:shared":"rule:admin_only" has been deprecated # since W in favor of "create_subnetpool:shared":"rule:admin_only". # The subnet pool API now supports system scope and default roles. # Specify ``is_default`` attribute when creating a subnetpool # POST /subnetpools # Intended scope(s): project #"create_subnetpool:is_default": "rule:admin_only" # DEPRECATED # "create_subnetpool:is_default":"rule:admin_only" has been deprecated # since W in favor of # "create_subnetpool:is_default":"rule:admin_only". # The subnet pool API now supports system scope and default roles. # Get a subnetpool # GET /subnetpools # GET /subnetpools/{id} # Intended scope(s): project #"get_subnetpool": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools" # DEPRECATED # "get_subnetpool":"rule:admin_or_owner or rule:shared_subnetpools" # has been deprecated since W in favor of # "get_subnetpool":"(rule:admin_only) or (role:reader and # project_id:%(project_id)s) or rule:shared_subnetpools". # The subnet pool API now supports system scope and default roles. # Get the subnetpool tags # GET /subnetpools/{id}/tags # GET /subnetpools/{id}/tags/{tag_id} # Intended scope(s): project #"get_subnetpools_tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools" # Update a subnetpool # PUT /subnetpools/{id} # Intended scope(s): project #"update_subnetpool": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "update_subnetpool":"rule:admin_or_owner" has been deprecated since # W in favor of "update_subnetpool":"(rule:admin_only) or (role:member # and project_id:%(project_id)s)". # The subnet pool API now supports system scope and default roles. # Update ``is_default`` attribute of a subnetpool # PUT /subnetpools/{id} # Intended scope(s): project #"update_subnetpool:is_default": "rule:admin_only" # DEPRECATED # "update_subnetpool:is_default":"rule:admin_only" has been deprecated # since W in favor of # "update_subnetpool:is_default":"rule:admin_only". # The subnet pool API now supports system scope and default roles. # Update the subnetpool tags # PUT /subnetpools/{id}/tags # PUT /subnetpools/{id}/tags/{tag_id} # Intended scope(s): project #"update_subnetpools_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # Delete a subnetpool # DELETE /subnetpools/{id} # Intended scope(s): project #"delete_subnetpool": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "delete_subnetpool":"rule:admin_or_owner" has been deprecated since # W in favor of "delete_subnetpool":"(rule:admin_only) or (role:member # and project_id:%(project_id)s)". # The subnet pool API now supports system scope and default roles. # Delete the subnetpool tags # DELETE /subnetpools/{id}/tags # DELETE /subnetpools/{id}/tags/{tag_id} # Intended scope(s): project #"delete_subnetpools_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # Onboard existing subnet into a subnetpool # PUT /subnetpools/{id}/onboard_network_subnets # Intended scope(s): project #"onboard_network_subnets": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "onboard_network_subnets":"rule:admin_or_owner" has been deprecated # since W in favor of "onboard_network_subnets":"(rule:admin_only) or # (role:member and project_id:%(project_id)s)". # The subnet pool API now supports system scope and default roles. # Add prefixes to a subnetpool # PUT /subnetpools/{id}/add_prefixes # Intended scope(s): project #"add_prefixes": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "add_prefixes":"rule:admin_or_owner" has been deprecated since W in # favor of "add_prefixes":"(rule:admin_only) or (role:member and # project_id:%(project_id)s)". # The subnet pool API now supports system scope and default roles. # Remove unallocated prefixes from a subnetpool # PUT /subnetpools/{id}/remove_prefixes # Intended scope(s): project #"remove_prefixes": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "remove_prefixes":"rule:admin_or_owner" has been deprecated since W # in favor of "remove_prefixes":"(rule:admin_only) or (role:member and # project_id:%(project_id)s)". # The subnet pool API now supports system scope and default roles. # Create a trunk # POST /trunks # Intended scope(s): project #"create_trunk": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "create_trunk":"rule:regular_user" has been deprecated since W in # favor of "create_trunk":"(rule:admin_only) or (role:member and # project_id:%(project_id)s)". # The trunks API now supports system scope and default roles. # Get a trunk # GET /trunks # GET /trunks/{id} # Intended scope(s): project #"get_trunk": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "get_trunk":"rule:admin_or_owner" has been deprecated since W in # favor of "get_trunk":"(rule:admin_only) or (role:reader and # project_id:%(project_id)s)". # The trunks API now supports system scope and default roles. # Get the trunk tags # GET /trunks/{id}/tags # GET /trunks/{id}/tags/{tag_id} # Intended scope(s): project #"get_trunks_tags": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" # Update a trunk # PUT /trunks/{id} # Intended scope(s): project #"update_trunk": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "update_trunk":"rule:admin_or_owner" has been deprecated since W in # favor of "update_trunk":"(rule:admin_only) or (role:member and # project_id:%(project_id)s)". # The trunks API now supports system scope and default roles. # Update the trunk tags # PUT /trunks/{id}/tags # PUT /trunks/{id}/tags/{tag_id} # Intended scope(s): project #"update_trunks_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # Delete a trunk # DELETE /trunks/{id} # Intended scope(s): project #"delete_trunk": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "delete_trunk":"rule:admin_or_owner" has been deprecated since W in # favor of "delete_trunk":"(rule:admin_only) or (role:member and # project_id:%(project_id)s)". # The trunks API now supports system scope and default roles. # Delete a trunk # DELETE /trunks/{id}/tags # DELETE /trunks/{id}/tags/{tag_id} # Intended scope(s): project #"delete_trunks_tags": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # List subports attached to a trunk # GET /trunks/{id}/get_subports # Intended scope(s): project #"get_subports": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)" # DEPRECATED # "get_subports":"rule:regular_user" has been deprecated since W in # favor of "get_subports":"(rule:admin_only) or (role:reader and # project_id:%(project_id)s)". # The trunks API now supports system scope and default roles. # Add subports to a trunk # PUT /trunks/{id}/add_subports # Intended scope(s): project #"add_subports": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "add_subports":"rule:admin_or_owner" has been deprecated since W in # favor of "add_subports":"(rule:admin_only) or (role:member and # project_id:%(project_id)s)". # The trunks API now supports system scope and default roles. # Delete subports from a trunk # PUT /trunks/{id}/remove_subports # Intended scope(s): project #"remove_subports": "(rule:admin_only) or (role:member and project_id:%(project_id)s)" # DEPRECATED # "remove_subports":"rule:admin_or_owner" has been deprecated since W # in favor of "remove_subports":"(rule:admin_only) or (role:member and # project_id:%(project_id)s)". # The trunks API now supports system scope and default roles.