horizon/openstack_dashboard/conf/default_policies/cinder.yaml
manchandavishal 05473b765e Sync default policy rules
This patch updates default policy-in-code rules in horizon based on
nova/neutron/keystone/glance/cinder RC deliverables.

It also bumps a few package versions in lower-constraints.txt and
requirements.txt to fix the failed lower-constraints job after
updating policy rules.

Change-Id: I168bb171076e3442b29670461a29d12c9988df52
2022-03-21 21:08:21 +05:30


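# Base rules. The per-operation policies in this file refer to them through
# `rule:<name>`. None of them is bound to an API call (operations is empty)
# and none declares a scope restriction (scope_types is null).
# NOTE(review): per the file path this is Horizon's copy of Cinder's policy
# defaults; presumably it drives what the dashboard offers while the Cinder
# API enforces its own policy - confirm, and keep the two in sync.

# Legacy owner check: passes when the caller's project_id equals the target's
# project_id, or when one of the admin branches matches.
- check_str: is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s
  description: 'DEPRECATED: This rule will be removed in the Yoga release. Default
    rule for most non-Admin APIs.'
  name: admin_or_owner
  operations: []
  scope_types: null
# Every branch pairs role:admin with a system, domain or project condition.
- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s)
    or (role:admin and project_id:%(project_id)s)
  description: 'DEPRECATED: This rule will be removed in the Yoga release. Default
    rule for admins of cloud, domain or a project.'
  name: system_or_domain_or_project_admin
  operations: []
  scope_types: null
# NOTE(review): a bare role match with no project or scope condition, so the
# admin role held on any project satisfies it.
- check_str: role:admin
  description: Decides what is required for the 'is_admin:True' check to succeed.
  name: context_is_admin
  operations: []
  scope_types: null
# NOTE(review): given context_is_admin above, the is_admin:True branch
# presumably reduces this rule to role:admin alone, which would make the
# is_admin_project condition redundant - confirm before relying on it.
- check_str: is_admin:True or (role:admin and is_admin_project:True)
  description: Default rule for most Admin APIs.
  name: admin_api
  operations: []
  scope_types: null
# NOTE(review): in both xena_* rules the (role:admin) branch carries no
# project_id comparison; only the reader/member branch is tied to the target
# project. The rule name says "system admin", the description says only
# project scope is recognized.
- check_str: (role:admin) or (role:reader and project_id:%(project_id)s)
  description: 'NOTE: this purely role-based rule recognizes only project scope'
  name: xena_system_admin_or_project_reader
  operations: []
  scope_types: null
- check_str: (role:admin) or (role:member and project_id:%(project_id)s)
  description: 'NOTE: this purely role-based rule recognizes only project scope'
  name: xena_system_admin_or_project_member
  operations: []
  scope_types: null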
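# Volume attachment policies. Every entry defaults to the
# xena_system_admin_or_project_member rule.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  # NOTE(review): the deprecated default is the empty check string, which
  # oslo.policy evaluates as always-allow. While deprecated defaults are still
  # honoured (oslo.policy enforce_new_defaults not set) the effective check is
  # presumably "new OR old", i.e. unrestricted - confirm for this consumer.
  deprecated_rule:
    check_str: ''
    name: volume:attachment_create
  deprecated_since: null
  description: Create attachment.
  name: volume:attachment_create
  operations:
  - method: POST
    path: /attachments
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: volume:attachment_update
  deprecated_since: null
  description: Update attachment.
  name: volume:attachment_update
  operations:
  - method: PUT
    path: /attachments/{attachment_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: volume:attachment_delete
  deprecated_since: null
  description: Delete attachment.
  name: volume:attachment_delete
  operations:
  - method: DELETE
    path: /attachments/{attachment_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: volume:attachment_complete
  deprecated_since: null
  description: Mark a volume attachment process as completed (in-use)
  name: volume:attachment_complete
  operations:
  - method: POST
    path: /attachments/{attachment_id}/action (os-complete)
  scope_types: null
# Listed against the same method and path as volume:attachment_create.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: volume:multiattach_bootable_volume
  deprecated_since: null
  description: Allow multiattach of bootable volumes.
  name: volume:multiattach_bootable_volume
  operations:
  - method: POST
    path: /attachments
  scope_types: null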
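# User message policies: the two read operations default to the project-reader
# rule, delete to the project-member rule. All three previously defaulted to
# admin_or_owner.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: message:get_all
  deprecated_since: null
  description: List messages.
  name: message:get_all
  operations:
  - method: GET
    path: /messages
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: message:get
  deprecated_since: null
  description: Show message.
  name: message:get
  operations:
  - method: GET
    path: /messages/{message_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: message:delete
  deprecated_since: null
  description: Delete message.
  name: message:delete
  operations:
  - method: DELETE
    path: /messages/{message_id}
  scope_types: null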
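# Cluster and worker policies: all default to admin_api and carry no
# deprecated rule, so there is no older default to fall back to.
- check_str: rule:admin_api
  description: List clusters.
  name: clusters:get_all
  operations:
  - method: GET
    path: /clusters
  - method: GET
    path: /clusters/detail
  scope_types: null
- check_str: rule:admin_api
  description: Show cluster.
  name: clusters:get
  operations:
  - method: GET
    path: /clusters/{cluster_id}
  scope_types: null
- check_str: rule:admin_api
  description: Update cluster.
  name: clusters:update
  operations:
  - method: PUT
    path: /clusters/{cluster_id}
  scope_types: null
- check_str: rule:admin_api
  description: Clean up workers.
  name: workers:cleanup
  operations:
  - method: POST
    path: /workers/cleanup
  scope_types: null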
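# Snapshot and snapshot-metadata policies for project users. Read operations
# default to xena_system_admin_or_project_reader, mutating ones to
# xena_system_admin_or_project_member; every deprecated default in this group
# is admin_or_owner.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: volume:get_snapshot_metadata
  deprecated_since: null
  description: Show snapshot's metadata or one specified metadata with a given key.
  name: volume:get_snapshot_metadata
  operations:
  - method: GET
    path: /snapshots/{snapshot_id}/metadata
  - method: GET
    path: /snapshots/{snapshot_id}/metadata/{key}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: volume:update_snapshot_metadata
  deprecated_since: null
  description: Update snapshot's metadata or one specified metadata with a given key.
  name: volume:update_snapshot_metadata
  operations:
  - method: POST
    path: /snapshots/{snapshot_id}/metadata
  - method: PUT
    path: /snapshots/{snapshot_id}/metadata/{key}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: volume:delete_snapshot_metadata
  deprecated_since: null
  description: Delete snapshot's specified metadata with a given key.
  name: volume:delete_snapshot_metadata
  operations:
  - method: DELETE
    path: /snapshots/{snapshot_id}/metadata/{key}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: volume:get_all_snapshots
  deprecated_since: null
  description: List snapshots.
  name: volume:get_all_snapshots
  operations:
  - method: GET
    path: /snapshots
  - method: GET
    path: /snapshots/detail
  scope_types: null
# Governs extra attributes in responses whose paths are also listed under
# volume:get_snapshot and volume:get_all_snapshots.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: volume_extension:extended_snapshot_attributes
  deprecated_since: null
  description: List or show snapshots with extended attributes.
  name: volume_extension:extended_snapshot_attributes
  operations:
  - method: GET
    path: /snapshots/{snapshot_id}
  - method: GET
    path: /snapshots/detail
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: volume:create_snapshot
  deprecated_since: null
  description: Create snapshot.
  name: volume:create_snapshot
  operations:
  - method: POST
    path: /snapshots
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: volume:get_snapshot
  deprecated_since: null
  description: Show snapshot.
  name: volume:get_snapshot
  operations:
  - method: GET
    path: /snapshots/{snapshot_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: volume:update_snapshot
  deprecated_since: null
  description: Update snapshot.
  name: volume:update_snapshot
  operations:
  - method: PUT
    path: /snapshots/{snapshot_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: volume:delete_snapshot
  deprecated_since: null
  description: Delete snapshot.
  name: volume:delete_snapshot
  operations:
  - method: DELETE
    path: /snapshots/{snapshot_id}
  scope_types: null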
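# Snapshot administrative actions. All default to admin_api except
# update_snapshot_status, which defaults to the project-member rule.
- check_str: rule:admin_api
  description: Reset status of a snapshot.
  name: volume_extension:snapshot_admin_actions:reset_status
  operations:
  - method: POST
    path: /snapshots/{snapshot_id}/action (os-reset_status)
  scope_types: null
# NOTE(review): described as updating database fields, yet granted to project
# members by default rather than admin_api - confirm this is intended.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  # NOTE(review): the deprecated default is the empty check string, which
  # oslo.policy evaluates as always-allow. While deprecated defaults are still
  # honoured (oslo.policy enforce_new_defaults not set) the effective check is
  # presumably "new OR old", i.e. unrestricted - confirm for this consumer.
  deprecated_rule:
    check_str: ''
    name: snapshot_extension:snapshot_actions:update_snapshot_status
  deprecated_since: null
  description: Update database fields of snapshot.
  name: snapshot_extension:snapshot_actions:update_snapshot_status
  operations:
  - method: POST
    path: /snapshots/{snapshot_id}/action (update_snapshot_status)
  scope_types: null
- check_str: rule:admin_api
  description: Force delete a snapshot.
  name: volume_extension:snapshot_admin_actions:force_delete
  operations:
  - method: POST
    path: /snapshots/{snapshot_id}/action (os-force_delete)
  scope_types: null
- check_str: rule:admin_api
  description: List (in detail) of snapshots which are available to manage.
  name: snapshot_extension:list_manageable
  operations:
  - method: GET
    path: /manageable_snapshots
  - method: GET
    path: /manageable_snapshots/detail
  scope_types: null
- check_str: rule:admin_api
  description: Manage an existing snapshot.
  name: snapshot_extension:snapshot_manage
  operations:
  - method: POST
    path: /manageable_snapshots
  scope_types: null
- check_str: rule:admin_api
  description: Stop managing a snapshot.
  name: snapshot_extension:snapshot_unmanage
  operations:
  - method: POST
    path: /snapshots/{snapshot_id}/action (os-unmanage)
  scope_types: null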
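# Backup policies. Project-level reads use the reader rule and writes the
# member rule; project attributes, import/export of backup records,
# reset_status and force_delete default to admin_api.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: backup:get_all
  deprecated_since: null
  description: List backups.
  name: backup:get_all
  operations:
  - method: GET
    path: /backups
  - method: GET
    path: /backups/detail
  scope_types: null
# Governs an extra attribute on paths also covered by backup:get and
# backup:get_all.
- check_str: rule:admin_api
  description: List backups or show backup with project attributes.
  name: backup:backup_project_attribute
  operations:
  - method: GET
    path: /backups/{backup_id}
  - method: GET
    path: /backups/detail
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  # NOTE(review): the deprecated default is the empty check string, which
  # oslo.policy evaluates as always-allow. While deprecated defaults are still
  # honoured (oslo.policy enforce_new_defaults not set) the effective check is
  # presumably "new OR old", i.e. unrestricted - confirm for this consumer.
  deprecated_rule:
    check_str: ''
    name: backup:create
  deprecated_since: null
  description: Create backup.
  name: backup:create
  operations:
  - method: POST
    path: /backups
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: backup:get
  deprecated_since: null
  description: Show backup.
  name: backup:get
  operations:
  - method: GET
    path: /backups/{backup_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: backup:update
  deprecated_since: null
  description: Update backup.
  name: backup:update
  operations:
  - method: PUT
    path: /backups/{backup_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: backup:delete
  deprecated_since: null
  description: Delete backup.
  name: backup:delete
  operations:
  - method: DELETE
    path: /backups/{backup_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: backup:restore
  deprecated_since: null
  description: Restore backup.
  name: backup:restore
  operations:
  - method: POST
    path: /backups/{backup_id}/restore
  scope_types: null
- check_str: rule:admin_api
  description: Import backup.
  name: backup:backup-import
  operations:
  - method: POST
    path: /backups/{backup_id}/import_record
  scope_types: null
# Despite the "export-import" name, the description and path show this entry
# governs export_record only; import_record is backup:backup-import above.
- check_str: rule:admin_api
  description: Export backup.
  name: backup:export-import
  operations:
  - method: POST
    path: /backups/{backup_id}/export_record
  scope_types: null
- check_str: rule:admin_api
  description: Reset status of a backup.
  name: volume_extension:backup_admin_actions:reset_status
  operations:
  - method: POST
    path: /backups/{backup_id}/action (os-reset_status)
  scope_types: null
- check_str: rule:admin_api
  description: Force delete a backup.
  name: volume_extension:backup_admin_actions:force_delete
  operations:
  - method: POST
    path: /backups/{backup_id}/action (os-force_delete)
  scope_types: null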
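# Generic volume group policies: reads use the project-reader rule, create and
# update the project-member rule, project attributes admin_api.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: group:get_all
  deprecated_since: null
  description: List groups.
  name: group:get_all
  operations:
  - method: GET
    path: /groups
  - method: GET
    path: /groups/detail
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  # NOTE(review): the deprecated default is the empty check string, which
  # oslo.policy evaluates as always-allow. While deprecated defaults are still
  # honoured (oslo.policy enforce_new_defaults not set) the effective check is
  # presumably "new OR old", i.e. unrestricted - confirm for this consumer.
  deprecated_rule:
    check_str: ''
    name: group:create
  deprecated_since: null
  description: Create group.
  name: group:create
  operations:
  - method: POST
    path: /groups
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: group:get
  deprecated_since: null
  description: Show group.
  name: group:get
  operations:
  - method: GET
    path: /groups/{group_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: group:update
  deprecated_since: null
  description: Update group.
  name: group:update
  operations:
  - method: PUT
    path: /groups/{group_id}
  scope_types: null
# Governs an extra attribute on paths also covered by group:get and
# group:get_all.
- check_str: rule:admin_api
  description: List groups or show group with project attributes.
  name: group:group_project_attribute
  operations:
  - method: GET
    path: /groups/{group_id}
  - method: GET
    path: /groups/detail
  scope_types: null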
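# Group type and group type spec policies: all default to admin_api.
# Where a deprecated_rule is present its check string is also rule:admin_api,
# so the deprecation only splits the old names (group:group_types_manage,
# group:group_types_specs) into per-operation names.
# NOTE(review): an operator override written against one of the old names
# presumably still takes effect through the deprecated-name fallback - audit
# existing policy overrides for those names before relying on these defaults.
- check_str: rule:admin_api
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: group:group_types_manage
  deprecated_since: null
  description: Create a group type.
  name: group:group_types:create
  operations:
  - method: POST
    path: /group_types/
  scope_types: null
- check_str: rule:admin_api
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: group:group_types_manage
  deprecated_since: null
  description: Update a group type.
  name: group:group_types:update
  operations:
  - method: PUT
    path: /group_types/{group_type_id}
  scope_types: null
- check_str: rule:admin_api
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: group:group_types_manage
  deprecated_since: null
  description: Delete a group type.
  name: group:group_types:delete
  operations:
  - method: DELETE
    path: /group_types/{group_type_id}
  scope_types: null
- check_str: rule:admin_api
  description: Show group type with type specs attributes.
  name: group:access_group_types_specs
  operations:
  - method: GET
    path: /group_types/{group_type_id}
  scope_types: null
- check_str: rule:admin_api
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: group:group_types_specs
  deprecated_since: null
  description: Show a group type spec.
  name: group:group_types_specs:get
  operations:
  - method: GET
    path: /group_types/{group_type_id}/group_specs/{g_spec_id}
  scope_types: null
- check_str: rule:admin_api
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: group:group_types_specs
  deprecated_since: null
  description: List group type specs.
  name: group:group_types_specs:get_all
  operations:
  - method: GET
    path: /group_types/{group_type_id}/group_specs
  scope_types: null
- check_str: rule:admin_api
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: group:group_types_specs
  deprecated_since: null
  description: Create a group type spec.
  name: group:group_types_specs:create
  operations:
  - method: POST
    path: /group_types/{group_type_id}/group_specs
  scope_types: null
- check_str: rule:admin_api
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: group:group_types_specs
  deprecated_since: null
  description: Update a group type spec.
  name: group:group_types_specs:update
  operations:
  - method: PUT
    path: /group_types/{group_type_id}/group_specs/{g_spec_id}
  scope_types: null
- check_str: rule:admin_api
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: group:group_types_specs
  deprecated_since: null
  description: Delete a group type spec.
  name: group:group_types_specs:delete
  operations:
  - method: DELETE
    path: /group_types/{group_type_id}/group_specs/{g_spec_id}
  scope_types: null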
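# Group snapshot policies: reads use the project-reader rule, writes the
# project-member rule; project attributes and reset_status use admin_api.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: group:get_all_group_snapshots
  deprecated_since: null
  description: List group snapshots.
  name: group:get_all_group_snapshots
  operations:
  - method: GET
    path: /group_snapshots
  - method: GET
    path: /group_snapshots/detail
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  # NOTE(review): the deprecated default is the empty check string, which
  # oslo.policy evaluates as always-allow. While deprecated defaults are still
  # honoured (oslo.policy enforce_new_defaults not set) the effective check is
  # presumably "new OR old", i.e. unrestricted - confirm for this consumer.
  deprecated_rule:
    check_str: ''
    name: group:create_group_snapshot
  deprecated_since: null
  description: Create group snapshot.
  name: group:create_group_snapshot
  operations:
  - method: POST
    path: /group_snapshots
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: group:get_group_snapshot
  deprecated_since: null
  description: Show group snapshot.
  name: group:get_group_snapshot
  operations:
  - method: GET
    path: /group_snapshots/{group_snapshot_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: group:delete_group_snapshot
  deprecated_since: null
  description: Delete group snapshot.
  name: group:delete_group_snapshot
  operations:
  - method: DELETE
    path: /group_snapshots/{group_snapshot_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: group:update_group_snapshot
  deprecated_since: null
  description: Update group snapshot.
  name: group:update_group_snapshot
  operations:
  - method: PUT
    path: /group_snapshots/{group_snapshot_id}
  scope_types: null
# Governs an extra attribute on paths also covered by
# group:get_group_snapshot and group:get_all_group_snapshots.
- check_str: rule:admin_api
  description: List group snapshots or show group snapshot with project attributes.
  name: group:group_snapshot_project_attribute
  operations:
  - method: GET
    path: /group_snapshots/{group_snapshot_id}
  - method: GET
    path: /group_snapshots/detail
  scope_types: null
- check_str: rule:admin_api
  description: Reset status of group snapshot.
  name: group:reset_group_snapshot_status
  operations:
  - method: POST
    path: /group_snapshots/{g_snapshot_id}/action (reset_status)
  scope_types: null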
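# Group actions, all POSTed to /groups/{group_id}/action. reset_status is
# admin_api; delete and the replication actions default to the project-member
# rule, with admin_or_owner as the deprecated default.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: group:delete
  deprecated_since: null
  description: Delete group.
  name: group:delete
  operations:
  - method: POST
    path: /groups/{group_id}/action (delete)
  scope_types: null
- check_str: rule:admin_api
  description: Reset status of group.
  name: group:reset_status
  operations:
  - method: POST
    path: /groups/{group_id}/action (reset_status)
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: group:enable_replication
  deprecated_since: null
  description: Enable replication.
  name: group:enable_replication
  operations:
  - method: POST
    path: /groups/{group_id}/action (enable_replication)
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: group:disable_replication
  deprecated_since: null
  description: Disable replication.
  name: group:disable_replication
  operations:
  - method: POST
    path: /groups/{group_id}/action (disable_replication)
  scope_types: null
# NOTE(review): group-level failover is open to project members by default,
# whereas the host-level volume:failover_host in this file is admin_api -
# confirm the difference is intended for the deployment.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: group:failover_replication
  deprecated_since: null
  description: Fail over replication.
  name: group:failover_replication
  operations:
  - method: POST
    path: /groups/{group_id}/action (failover_replication)
  scope_types: null
# A listing operation, but carried over POST and gated by the member rule
# rather than the reader rule.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: group:list_replication_targets
  deprecated_since: null
  description: List failover replication.
  name: group:list_replication_targets
  operations:
  - method: POST
    path: /groups/{group_id}/action (list_replication_targets)
  scope_types: null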
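# QoS spec policies: all default to admin_api with no deprecated rule.
- check_str: rule:admin_api
  description: List qos specs or list all associations.
  name: volume_extension:qos_specs_manage:get_all
  operations:
  - method: GET
    path: /qos-specs
  - method: GET
    path: /qos-specs/{qos_id}/associations
  scope_types: null
- check_str: rule:admin_api
  description: Show qos specs.
  name: volume_extension:qos_specs_manage:get
  operations:
  - method: GET
    path: /qos-specs/{qos_id}
  scope_types: null
- check_str: rule:admin_api
  description: Create qos specs.
  name: volume_extension:qos_specs_manage:create
  operations:
  - method: POST
    path: /qos-specs
  scope_types: null
# NOTE(review): associate, disassociate and disassociate_all are listed as GET
# although the description classes them as updates. Controls keyed on the HTTP
# method (read-only proxies, audit filters that skip GET) would treat these
# state changes as reads.
- check_str: rule:admin_api
  description: Update qos specs (including updating association).
  name: volume_extension:qos_specs_manage:update
  operations:
  - method: PUT
    path: /qos-specs/{qos_id}
  - method: GET
    path: /qos-specs/{qos_id}/disassociate_all
  - method: GET
    path: /qos-specs/{qos_id}/associate
  - method: GET
    path: /qos-specs/{qos_id}/disassociate
  scope_types: null
# Key removal is a PUT to delete_keys, so it falls under this delete policy
# rather than under the update policy.
- check_str: rule:admin_api
  description: delete qos specs or unset one specified qos key.
  name: volume_extension:qos_specs_manage:delete
  operations:
  - method: DELETE
    path: /qos-specs/{qos_id}
  - method: PUT
    path: /qos-specs/{qos_id}/delete_keys
  scope_types: null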
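# Quota class and quota policies. Only quotas:show is open to project readers;
# everything else defaults to admin_api.
# The two quota_classes entries deprecate the single old name
# volume_extension:quota_classes with an unchanged rule:admin_api check.
- check_str: rule:admin_api
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: volume_extension:quota_classes
  deprecated_since: null
  description: Show project quota class.
  name: volume_extension:quota_classes:get
  operations:
  - method: GET
    path: /os-quota-class-sets/{project_id}
  scope_types: null
- check_str: rule:admin_api
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: volume_extension:quota_classes
  deprecated_since: null
  description: Update project quota class.
  name: volume_extension:quota_classes:update
  operations:
  - method: PUT
    path: /os-quota-class-sets/{project_id}
  scope_types: null
# NOTE(review): the reader branch of the referenced rule compares the caller's
# project_id with the target's; presumably the target is the {project_id} in
# the path, so a reader sees only its own project's quota - confirm.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: volume_extension:quotas:show
  deprecated_since: null
  description: Show project quota (including usage and default).
  name: volume_extension:quotas:show
  operations:
  - method: GET
    path: /os-quota-sets/{project_id}
  - method: GET
    path: /os-quota-sets/{project_id}/default
  - method: GET
    path: /os-quota-sets/{project_id}?usage=True
  scope_types: null
- check_str: rule:admin_api
  description: Update project quota.
  name: volume_extension:quotas:update
  operations:
  - method: PUT
    path: /os-quota-sets/{project_id}
  scope_types: null
- check_str: rule:admin_api
  description: Delete project quota.
  name: volume_extension:quotas:delete
  operations:
  - method: DELETE
    path: /os-quota-sets/{project_id}
  scope_types: null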
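# Backend, service, scheduler and host policies: all admin_api. The final
# entry (used limits) is the only one open to project readers.
- check_str: rule:admin_api
  description: Show backend capabilities.
  name: volume_extension:capabilities
  operations:
  - method: GET
    path: /capabilities/{host_name}
  scope_types: null
- check_str: rule:admin_api
  description: List all services.
  name: volume_extension:services:index
  operations:
  - method: GET
    path: /os-services
  scope_types: null
# NOTE(review): one policy covers every {action} on /os-services, while
# freeze, thaw and failover_host also have their own entries below. An
# override that loosens only this rule or only the specific ones leaves the
# other in place - review them together.
- check_str: rule:admin_api
  description: Update service, including failover_host, thaw, freeze, disable, enable,
    set-log and get-log actions.
  name: volume_extension:services:update
  operations:
  - method: PUT
    path: /os-services/{action}
  scope_types: null
- check_str: rule:admin_api
  description: Freeze a backend host.
  name: volume:freeze_host
  operations:
  - method: PUT
    path: /os-services/freeze
  scope_types: null
- check_str: rule:admin_api
  description: Thaw a backend host.
  name: volume:thaw_host
  operations:
  - method: PUT
    path: /os-services/thaw
  scope_types: null
- check_str: rule:admin_api
  description: Failover a backend host.
  name: volume:failover_host
  operations:
  - method: PUT
    path: /os-services/failover_host
  scope_types: null
- check_str: rule:admin_api
  description: List all backend pools.
  name: scheduler_extension:scheduler_stats:get_pools
  operations:
  - method: GET
    path: /scheduler-stats/get_pools
  scope_types: null
# A single policy gates both the read (GET) and the write (PUT) host calls.
- check_str: rule:admin_api
  description: List, update or show hosts for a project.
  name: volume_extension:hosts
  operations:
  - method: GET
    path: /os-hosts
  - method: PUT
    path: /os-hosts/{host_name}
  - method: GET
    path: /os-hosts/{host_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: limits_extension:used_limits
  deprecated_since: null
  description: Show limits with used limit attributes.
  name: limits_extension:used_limits
  operations:
  - method: GET
    path: /limits
  scope_types: null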
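# Volume manage/unmanage policies: all default to admin_api with no
# deprecated rule.
- check_str: rule:admin_api
  description: List (in detail) of volumes which are available to manage.
  name: volume_extension:list_manageable
  operations:
  - method: GET
    path: /manageable_volumes
  - method: GET
    path: /manageable_volumes/detail
  scope_types: null
- check_str: rule:admin_api
  description: Manage existing volumes.
  name: volume_extension:volume_manage
  operations:
  - method: POST
    path: /manageable_volumes
  scope_types: null
- check_str: rule:admin_api
  description: Stop managing a volume.
  name: volume_extension:volume_unmanage
  operations:
  - method: POST
    path: /volumes/{volume_id}/action (os-unmanage)
  scope_types: null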
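# Volume type policies. Create/update/delete stay admin_api (renamed from the
# single volume_extension:types_manage); reading types and their extra_specs
# is open to project readers; the QoS specs ID attribute stays admin_api.
- check_str: rule:admin_api
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: volume_extension:types_manage
  deprecated_since: null
  description: Create volume type.
  name: volume_extension:type_create
  operations:
  - method: POST
    path: /types
  scope_types: null
- check_str: rule:admin_api
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: volume_extension:types_manage
  deprecated_since: null
  description: Update volume type.
  name: volume_extension:type_update
  operations:
  - method: PUT
    path: /types
  scope_types: null
- check_str: rule:admin_api
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: volume_extension:types_manage
  deprecated_since: null
  description: Delete volume type.
  name: volume_extension:type_delete
  operations:
  - method: DELETE
    path: /types
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_reason: null
  # NOTE(review): the deprecated default is the empty check string, which
  # oslo.policy evaluates as always-allow. While deprecated defaults are still
  # honoured (oslo.policy enforce_new_defaults not set) the effective check is
  # presumably "new OR old", i.e. unrestricted - confirm for this consumer.
  # The same applies to volume_extension:type_get_all below.
  deprecated_rule:
    check_str: ''
    name: volume_extension:type_get
  deprecated_since: null
  description: Get one specific volume type.
  name: volume_extension:type_get
  operations:
  - method: GET
    path: /types/{type_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_reason: null
  deprecated_rule:
    check_str: ''
    name: volume_extension:type_get_all
  deprecated_since: null
  description: List volume types.
  name: volume_extension:type_get_all
  operations:
  - method: GET
    path: /types/
  scope_types: null
# NOTE(review): the default widens from admin_api (deprecated rule) to project
# readers. extra_specs may describe backend configuration; check which keys
# become visible to non-admin users before accepting this default.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: volume_extension:access_types_extra_specs
  deprecated_since: null
  description: Include the volume type's extra_specs attribute in the volume type
    list or show requests. The ability to make these calls is governed by other policies.
  name: volume_extension:access_types_extra_specs
  operations:
  - method: GET
    path: /types/{type_id}
  - method: GET
    path: /types
  scope_types: null
- check_str: rule:admin_api
  description: Include the volume type's QoS specifications ID attribute in the volume
    type list or show requests. The ability to make these calls is governed by other
    policies.
  name: volume_extension:access_types_qos_specs_id
  operations:
  - method: GET
    path: /types/{type_id}
  - method: GET
    path: /types
  scope_types: null
# Deprecated base rule with no operations of its own; the per-operation
# volume_type_encryption:* entries name it in their deprecated_rule.
- check_str: rule:admin_api
  description: 'DEPRECATED: This rule will be removed in the Yoga release.'
  name: volume_extension:volume_type_encryption
  operations: []
  scope_types: null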
- check_str: rule:admin_api
deprecated_reason: null
deprecated_rule:
check_str: rule:volume_extension:volume_type_encryption
name: volume_extension:volume_type_encryption:create
deprecated_since: null
description: Create volume type encryption.
name: volume_extension:volume_type_encryption:create
operations:
- method: POST
path: /types/{type_id}/encryption
scope_types: null
- check_str: rule:admin_api
deprecated_reason: null
deprecated_rule:
check_str: rule:volume_extension:volume_type_encryption
name: volume_extension:volume_type_encryption:get
deprecated_since: null
description: Show a volume type's encryption type, show an encryption specs item.
name: volume_extension:volume_type_encryption:get
operations:
- method: GET
path: /types/{type_id}/encryption
- method: GET
path: /types/{type_id}/encryption/{key}
scope_types: null
- check_str: rule:admin_api
deprecated_reason: null
deprecated_rule:
check_str: rule:volume_extension:volume_type_encryption
name: volume_extension:volume_type_encryption:update
deprecated_since: null
description: Update volume type encryption.
name: volume_extension:volume_type_encryption:update
operations:
- method: PUT
path: /types/{type_id}/encryption/{encryption_id}
scope_types: null
- check_str: rule:admin_api
deprecated_reason: null
deprecated_rule:
check_str: rule:volume_extension:volume_type_encryption
name: volume_extension:volume_type_encryption:delete
deprecated_since: null
description: Delete volume type encryption.
name: volume_extension:volume_type_encryption:delete
operations:
- method: DELETE
path: /types/{type_id}/encryption/{encryption_id}
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume_extension:volume_type_access
deprecated_since: null
description: Adds the boolean field 'os-volume-type-access:is_public' to the responses
for these API calls. The ability to make these calls is governed by other policies.
name: volume_extension:volume_type_access
operations:
- method: GET
path: /types
- method: GET
path: /types/{type_id}
- method: POST
path: /types
scope_types: null
- check_str: rule:admin_api
description: Add volume type access for project.
name: volume_extension:volume_type_access:addProjectAccess
operations:
- method: POST
path: /types/{type_id}/action (addProjectAccess)
scope_types: null
- check_str: rule:admin_api
description: Remove volume type access for project.
name: volume_extension:volume_type_access:removeProjectAccess
operations:
- method: POST
path: /types/{type_id}/action (removeProjectAccess)
scope_types: null
# Policy for listing the projects that have access to a private volume type.
# NOTE(review): the deprecated check_str below lacks the 'rule:' prefix that
# every other rule reference in this file uses, so it is presumably not parsed
# as a reference to the volume_extension:volume_type_access rule. Confirm
# against the upstream cinder default; until then do not assume the deprecated
# fallback grants what the referenced rule would.
- check_str: rule:admin_api
deprecated_reason: null
deprecated_rule:
check_str: volume_extension:volume_type_access
name: volume_extension:volume_type_access:get_all_for_type
deprecated_since: null
description: List private volume type access detail, that is, list the projects
that have access to this volume type.
name: volume_extension:volume_type_access:get_all_for_type
operations:
- method: GET
path: /types/{type_id}/os-volume-type-access
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume:extend
deprecated_since: null
description: Extend a volume.
name: volume:extend
operations:
- method: POST
path: /volumes/{volume_id}/action (os-extend)
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume:extend_attached_volume
deprecated_since: null
description: Extend an attached volume.
name: volume:extend_attached_volume
operations:
- method: POST
path: /volumes/{volume_id}/action (os-extend)
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume:revert_to_snapshot
deprecated_since: null
description: Revert a volume to a snapshot.
name: volume:revert_to_snapshot
operations:
- method: POST
path: /volumes/{volume_id}/action (revert)
scope_types: null
- check_str: rule:admin_api
description: Reset status of a volume.
name: volume_extension:volume_admin_actions:reset_status
operations:
- method: POST
path: /volumes/{volume_id}/action (os-reset_status)
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume:retype
deprecated_since: null
description: Retype a volume.
name: volume:retype
operations:
- method: POST
path: /volumes/{volume_id}/action (os-retype)
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume:update_readonly_flag
deprecated_since: null
description: Update a volume's readonly flag.
name: volume:update_readonly_flag
operations:
- method: POST
path: /volumes/{volume_id}/action (os-update_readonly_flag)
scope_types: null
- check_str: rule:admin_api
description: Force delete a volume.
name: volume_extension:volume_admin_actions:force_delete
operations:
- method: POST
path: /volumes/{volume_id}/action (os-force_delete)
scope_types: null
- check_str: rule:admin_api
description: Upload a volume to image with public visibility.
name: volume_extension:volume_actions:upload_public
operations:
- method: POST
path: /volumes/{volume_id}/action (os-volume_upload_image)
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume_extension:volume_actions:upload_image
deprecated_since: null
description: Upload a volume to image.
name: volume_extension:volume_actions:upload_image
operations:
- method: POST
path: /volumes/{volume_id}/action (os-volume_upload_image)
scope_types: null
- check_str: rule:admin_api
description: Force detach a volume.
name: volume_extension:volume_admin_actions:force_detach
operations:
- method: POST
path: /volumes/{volume_id}/action (os-force_detach)
scope_types: null
- check_str: rule:admin_api
description: Migrate a volume to a specified host.
name: volume_extension:volume_admin_actions:migrate_volume
operations:
- method: POST
path: /volumes/{volume_id}/action (os-migrate_volume)
scope_types: null
- check_str: rule:admin_api
description: Complete a volume migration.
name: volume_extension:volume_admin_actions:migrate_volume_completion
operations:
- method: POST
path: /volumes/{volume_id}/action (os-migrate_volume_completion)
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume_extension:volume_actions:initialize_connection
deprecated_since: null
description: Initialize volume attachment.
name: volume_extension:volume_actions:initialize_connection
operations:
- method: POST
path: /volumes/{volume_id}/action (os-initialize_connection)
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume_extension:volume_actions:terminate_connection
deprecated_since: null
description: Terminate volume attachment.
name: volume_extension:volume_actions:terminate_connection
operations:
- method: POST
path: /volumes/{volume_id}/action (os-terminate_connection)
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume_extension:volume_actions:roll_detaching
deprecated_since: null
description: Roll back volume status to 'in-use'.
name: volume_extension:volume_actions:roll_detaching
operations:
- method: POST
path: /volumes/{volume_id}/action (os-roll_detaching)
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume_extension:volume_actions:reserve
deprecated_since: null
description: Mark volume as reserved.
name: volume_extension:volume_actions:reserve
operations:
- method: POST
path: /volumes/{volume_id}/action (os-reserve)
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume_extension:volume_actions:unreserve
deprecated_since: null
description: Unmark volume as reserved.
name: volume_extension:volume_actions:unreserve
operations:
- method: POST
path: /volumes/{volume_id}/action (os-unreserve)
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume_extension:volume_actions:begin_detaching
deprecated_since: null
description: Begin detaching volumes.
name: volume_extension:volume_actions:begin_detaching
operations:
- method: POST
path: /volumes/{volume_id}/action (os-begin_detaching)
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume_extension:volume_actions:attach
deprecated_since: null
description: Add attachment metadata.
name: volume_extension:volume_actions:attach
operations:
- method: POST
path: /volumes/{volume_id}/action (os-attach)
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume_extension:volume_actions:detach
deprecated_since: null
description: Clear attachment metadata.
name: volume_extension:volume_actions:detach
operations:
- method: POST
path: /volumes/{volume_id}/action (os-detach)
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
description: Reimage a volume in 'available' or 'error' status.
name: volume:reimage
operations:
- method: POST
path: /volumes/{volume_id}/action (os-reimage)
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
description: Reimage a volume in 'reserved' status.
name: volume:reimage_reserved
operations:
- method: POST
path: /volumes/{volume_id}/action (os-reimage)
scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume:get_all_transfers
deprecated_since: null
description: List volume transfers.
name: volume:get_all_transfers
operations:
- method: GET
path: /os-volume-transfer
- method: GET
path: /os-volume-transfer/detail
- method: GET
path: /volume_transfers
- method: GET
path: /volume-transfers/detail
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume:create_transfer
deprecated_since: null
description: Create a volume transfer.
name: volume:create_transfer
operations:
- method: POST
path: /os-volume-transfer
- method: POST
path: /volume_transfers
scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume:get_transfer
deprecated_since: null
description: Show one specified volume transfer.
name: volume:get_transfer
operations:
- method: GET
path: /os-volume-transfer/{transfer_id}
- method: GET
path: /volume-transfers/{transfer_id}
scope_types: null
# Policy for accepting a volume transfer on both transfer API paths.
# NOTE(review): the deprecated check_str below is the empty string, which
# oslo.policy evaluates as always-true. If the deprecated rule is still OR-ed
# with the new default, the member/project restriction in check_str is
# presumably not what gates this call -- confirm before treating it as the
# enforced boundary.
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: ''
name: volume:accept_transfer
deprecated_since: null
description: Accept a volume transfer.
name: volume:accept_transfer
operations:
- method: POST
path: /os-volume-transfer/{transfer_id}/accept
- method: POST
path: /volume-transfers/{transfer_id}/accept
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume:delete_transfer
deprecated_since: null
description: Delete volume transfer.
name: volume:delete_transfer
operations:
- method: DELETE
path: /os-volume-transfer/{transfer_id}
- method: DELETE
path: /volume-transfers/{transfer_id}
scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume:get_volume_metadata
deprecated_since: null
description: Show volume's metadata or one specified metadata with a given key.
name: volume:get_volume_metadata
operations:
- method: GET
path: /volumes/{volume_id}/metadata
- method: GET
path: /volumes/{volume_id}/metadata/{key}
- method: POST
path: /volumes/{volume_id}/action (os-show_image_metadata)
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume:create_volume_metadata
deprecated_since: null
description: Create volume metadata.
name: volume:create_volume_metadata
operations:
- method: POST
path: /volumes/{volume_id}/metadata
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume:update_volume_metadata
deprecated_since: null
description: Replace a volume's metadata dictionary or update a single metadatum
with a given key.
name: volume:update_volume_metadata
operations:
- method: PUT
path: /volumes/{volume_id}/metadata
- method: PUT
path: /volumes/{volume_id}/metadata/{key}
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume:delete_volume_metadata
deprecated_since: null
description: Delete a volume's metadatum with the given key.
name: volume:delete_volume_metadata
operations:
- method: DELETE
path: /volumes/{volume_id}/metadata/{key}
scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume_extension:volume_image_metadata
deprecated_since: null
description: Include a volume's image metadata in volume detail responses. The
ability to make these calls is governed by other policies.
name: volume_extension:volume_image_metadata:show
operations:
- method: GET
path: /volumes/detail
- method: GET
path: /volumes/{volume_id}
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume_extension:volume_image_metadata
deprecated_since: null
description: Set image metadata for a volume
name: volume_extension:volume_image_metadata:set
operations:
- method: POST
path: /volumes/{volume_id}/action (os-set_image_metadata)
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume_extension:volume_image_metadata
deprecated_since: null
description: Remove specific image metadata from a volume
name: volume_extension:volume_image_metadata:remove
operations:
- method: POST
path: /volumes/{volume_id}/action (os-unset_image_metadata)
scope_types: null
- check_str: rule:admin_api
description: Update volume admin metadata. This permission is required to complete
these API calls, though the ability to make these calls is governed by other policies.
name: volume:update_volume_admin_metadata
operations:
- method: POST
path: /volumes/{volume_id}/action (os-update_readonly_flag)
- method: POST
path: /volumes/{volume_id}/action (os-attach)
scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
deprecated_reason: null
deprecated_rule:
check_str: ''
name: volume_extension:types_extra_specs:index
deprecated_since: null
description: List type extra specs.
name: volume_extension:types_extra_specs:index
operations:
- method: GET
path: /types/{type_id}/extra_specs
scope_types: null
- check_str: rule:admin_api
description: Create type extra specs.
name: volume_extension:types_extra_specs:create
operations:
- method: POST
path: /types/{type_id}/extra_specs
scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
deprecated_reason: null
deprecated_rule:
check_str: ''
name: volume_extension:types_extra_specs:show
deprecated_since: null
description: Show one specified type extra specs.
name: volume_extension:types_extra_specs:show
operations:
- method: GET
path: /types/{type_id}/extra_specs/{extra_spec_key}
scope_types: null
# Gates the extra_specs fields that the description calls sensitive.
# This rule stays at rule:admin_api while the neighbouring read rules
# (types_extra_specs:index, types_extra_specs:show, access_types_extra_specs)
# default to project reader. Treat any override that loosens it as an
# information-disclosure change and review it accordingly.
- check_str: rule:admin_api
description: Include extra_specs fields that may reveal sensitive information about
the deployment that should not be exposed to end users in various volume-type
responses that show extra_specs. The ability to make these calls is governed by
other policies.
name: volume_extension:types_extra_specs:read_sensitive
operations:
- method: GET
path: /types
- method: GET
path: /types/{type_id}
- method: GET
path: /types/{type_id}/extra_specs
- method: GET
path: /types/{type_id}/extra_specs/{extra_spec_key}
scope_types: null
- check_str: rule:admin_api
description: Update type extra specs.
name: volume_extension:types_extra_specs:update
operations:
- method: PUT
path: /types/{type_id}/extra_specs/{extra_spec_key}
scope_types: null
- check_str: rule:admin_api
description: Delete type extra specs.
name: volume_extension:types_extra_specs:delete
operations:
- method: DELETE
path: /types/{type_id}/extra_specs/{extra_spec_key}
scope_types: null
# Policy for creating a volume (POST /volumes).
# NOTE(review): the deprecated check_str below is the empty string, which
# oslo.policy evaluates as always-true. If the deprecated rule is still OR-ed
# with the new default, the member/project restriction in check_str is
# presumably not the effective gate -- confirm how the consumer treats
# deprecated_rule.
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: ''
name: volume:create
deprecated_since: null
description: Create volume.
name: volume:create
operations:
- method: POST
path: /volumes
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: ''
name: volume:create_from_image
deprecated_since: null
description: Create volume from image.
name: volume:create_from_image
operations:
- method: POST
path: /volumes
scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume:get
deprecated_since: null
description: Show volume.
name: volume:get
operations:
- method: GET
path: /volumes/{volume_id}
scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume:get_all
deprecated_since: null
description: List volumes or get summary of volumes.
name: volume:get_all
operations:
- method: GET
path: /volumes
- method: GET
path: /volumes/detail
- method: GET
path: /volumes/summary
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume:update
deprecated_since: null
description: Update volume or update a volume's bootable status.
name: volume:update
operations:
- method: PUT
path: /volumes
- method: POST
path: /volumes/{volume_id}/action (os-set_bootable)
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume:delete
deprecated_since: null
description: Delete volume.
name: volume:delete
operations:
- method: DELETE
path: /volumes/{volume_id}
scope_types: null
- check_str: rule:admin_api
description: Force Delete a volume.
name: volume:force_delete
operations:
- method: DELETE
path: /volumes/{volume_id}
scope_types: null
- check_str: rule:admin_api
description: List or show volume with host attribute.
name: volume_extension:volume_host_attribute
operations:
- method: GET
path: /volumes/{volume_id}
- method: GET
path: /volumes/detail
scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume_extension:volume_tenant_attribute
deprecated_since: null
description: List or show volume with tenant attribute.
name: volume_extension:volume_tenant_attribute
operations:
- method: GET
path: /volumes/{volume_id}
- method: GET
path: /volumes/detail
scope_types: null
- check_str: rule:admin_api
description: List or show volume with migration status attribute.
name: volume_extension:volume_mig_status_attribute
operations:
- method: GET
path: /volumes/{volume_id}
- method: GET
path: /volumes/detail
scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume_extension:volume_encryption_metadata
deprecated_since: null
description: Show volume's encryption metadata.
name: volume_extension:volume_encryption_metadata
operations:
- method: GET
path: /volumes/{volume_id}/encryption
- method: GET
path: /volumes/{volume_id}/encryption/{encryption_key}
scope_types: null
- check_str: rule:xena_system_admin_or_project_member
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: volume:multiattach
deprecated_since: null
description: Create multiattach capable volume.
name: volume:multiattach
operations:
- method: POST
path: /volumes
scope_types: null
- check_str: rule:admin_api
deprecated_reason: null
deprecated_rule:
check_str: rule:system_or_domain_or_project_admin
name: volume_extension:default_set_or_update
deprecated_since: null
description: Set or update default volume type.
name: volume_extension:default_set_or_update
operations:
- method: PUT
path: /default-types
scope_types: null
- check_str: rule:admin_api
deprecated_reason: null
deprecated_rule:
check_str: rule:system_or_domain_or_project_admin
name: volume_extension:default_get
deprecated_since: null
description: Get default types.
name: volume_extension:default_get
operations:
- method: GET
path: /default-types/{project-id}
scope_types: null
# Policy for listing every project's default volume type (GET /default-types/).
# The description itself warns that loosening this rule exposes deployment
# information. The deprecated check requires role:admin with system scope,
# while the new default is rule:admin_api (defined at the top of this file).
# NOTE(review): if both are OR-ed during the deprecation window the broader of
# the two applies -- verify which one is enforced before writing an override.
- check_str: rule:admin_api
deprecated_reason: null
deprecated_rule:
check_str: role:admin and system_scope:all
name: volume_extension:default_get_all
deprecated_since: null
description: 'Get all default types. WARNING: Changing this might open up too much
information regarding cloud deployment.'
name: volume_extension:default_get_all
operations:
- method: GET
path: /default-types/
scope_types: null
- check_str: rule:admin_api
deprecated_reason: null
deprecated_rule:
check_str: rule:system_or_domain_or_project_admin
name: volume_extension:default_unset
deprecated_since: null
description: Unset default type.
name: volume_extension:default_unset
operations:
- method: DELETE
path: /default-types/{project-id}
scope_types: null