316c24c5af
This patch updates default policy-in-code rules in horizon based on nova/neutron/glance RC deliverables. It doesn't update policy rules for cinder and keystone as I have found no changes in their policy rules. Horizon needs to update default policy-in-code rules for all backend services before releasing the horizon[1]. [1] https://docs.openstack.org/horizon/latest/contributor/policies/releasing.html#things-to-do-before-releasing Change-Id: Ia636b32d0eeec9a4d399fcdbb4d4db1aeaa4fdab
556 lines
21 KiB
YAML
556 lines
21 KiB
YAML
# Defines the default rule used for policies that historically had an
|
|
# empty policy in the supplied policy.json file.
|
|
#"default": ""
|
|
|
|
# DEPRECATED
|
|
# "default":"rule:context_is_admin" has been deprecated since Ussuri
|
|
# in favor of "default":"".
|
|
# In order to allow operators to accept the default policies from code
|
|
# by not defining them in the policy file, while still working with
|
|
# old policy files that rely on the ``default`` rule for policies that
|
|
# are not specified in the policy file, the ``default`` rule must now
|
|
# be explicitly set to ``"role:admin"`` when that is the desired
|
|
# default for unspecified rules.
|
|
|
|
# Defines the rule for the is_admin:True check.
|
|
#"context_is_admin": "role:admin"
|
|
|
|
# Create new image
|
|
# POST /v2/images
|
|
# Intended scope(s): project
|
|
#"add_image": "rule:context_is_admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)"
|
|
|
|
# DEPRECATED
|
|
# "add_image":"rule:default" has been deprecated since W in favor of
|
|
# "add_image":"rule:context_is_admin or (role:member and
|
|
# project_id:%(project_id)s and project_id:%(owner)s)".
|
|
# The image API now supports roles.
|
|
|
|
# Deletes the image
|
|
# DELETE /v2/images/{image_id}
|
|
# Intended scope(s): project
|
|
#"delete_image": "rule:context_is_admin or (role:member and project_id:%(project_id)s)"
|
|
|
|
# DEPRECATED
|
|
# "delete_image":"rule:default" has been deprecated since W in favor
|
|
# of "delete_image":"rule:context_is_admin or (role:member and
|
|
# project_id:%(project_id)s)".
|
|
# The image API now supports roles.
|
|
|
|
# Get specified image
|
|
# GET /v2/images/{image_id}
|
|
# Intended scope(s): project
|
|
#"get_image": "rule:context_is_admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"
|
|
|
|
# DEPRECATED
|
|
# "get_image":"rule:default" has been deprecated since W in favor of
|
|
# "get_image":"rule:context_is_admin or (role:reader and
|
|
# (project_id:%(project_id)s or project_id:%(member_id)s or
|
|
# 'community':%(visibility)s or 'public':%(visibility)s or
|
|
# 'shared':%(visibility)s))".
|
|
# The image API now supports roles.
|
|
|
|
# Get all available images
|
|
# GET /v2/images
|
|
# Intended scope(s): project
|
|
#"get_images": "rule:context_is_admin or (role:reader and project_id:%(project_id)s)"
|
|
|
|
# DEPRECATED
|
|
# "get_images":"rule:default" has been deprecated since W in favor of
|
|
# "get_images":"rule:context_is_admin or (role:reader and
|
|
# project_id:%(project_id)s)".
|
|
# The image API now supports roles.
|
|
|
|
# Updates given image
|
|
# PATCH /v2/images/{image_id}
|
|
# Intended scope(s): project
|
|
#"modify_image": "rule:context_is_admin or (role:member and project_id:%(project_id)s)"
|
|
|
|
# DEPRECATED
|
|
# "modify_image":"rule:default" has been deprecated since W in favor
|
|
# of "modify_image":"rule:context_is_admin or (role:member and
|
|
# project_id:%(project_id)s)".
|
|
# The image API now supports roles.
|
|
|
|
# Publicize given image
|
|
# PATCH /v2/images/{image_id}
|
|
# Intended scope(s): project
|
|
#"publicize_image": "rule:context_is_admin"
|
|
|
|
# Communitize given image
|
|
# PATCH /v2/images/{image_id}
|
|
# Intended scope(s): project
|
|
#"communitize_image": "rule:context_is_admin or (role:member and project_id:%(project_id)s)"
|
|
|
|
# DEPRECATED
|
|
# "communitize_image":"rule:default" has been deprecated since W in
|
|
# favor of "communitize_image":"rule:context_is_admin or (role:member
|
|
# and project_id:%(project_id)s)".
|
|
# The image API now supports roles.
|
|
|
|
# Downloads given image
|
|
# GET /v2/images/{image_id}/file
|
|
# Intended scope(s): project
|
|
#"download_image": "rule:context_is_admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"
|
|
|
|
# DEPRECATED
|
|
# "download_image":"rule:default" has been deprecated since W in favor
|
|
# of "download_image":"rule:context_is_admin or (role:member and
|
|
# (project_id:%(project_id)s or project_id:%(member_id)s or
|
|
# 'community':%(visibility)s or 'public':%(visibility)s or
|
|
# 'shared':%(visibility)s))".
|
|
# The image API now supports roles.
|
|
|
|
# Uploads data to specified image
|
|
# PUT /v2/images/{image_id}/file
|
|
# Intended scope(s): project
|
|
#"upload_image": "rule:context_is_admin or (role:member and project_id:%(project_id)s)"
|
|
|
|
# DEPRECATED
|
|
# "upload_image":"rule:default" has been deprecated since W in favor
|
|
# of "upload_image":"rule:context_is_admin or (role:member and
|
|
# project_id:%(project_id)s)".
|
|
# The image API now supports roles.
|
|
|
|
# Deletes the location of given image
|
|
# PATCH /v2/images/{image_id}
|
|
# Intended scope(s): project
|
|
#"delete_image_location": "rule:context_is_admin"
|
|
|
|
# DEPRECATED
|
|
# "delete_image_location":"rule:default" has been deprecated since W
|
|
# in favor of "delete_image_location":"rule:context_is_admin".
|
|
# The image API now supports roles.
|
|
|
|
# Reads the location of the image
|
|
# GET /v2/images/{image_id}
|
|
# Intended scope(s): project
|
|
#"get_image_location": "rule:context_is_admin or (role:reader and project_id:%(project_id)s)"
|
|
|
|
# DEPRECATED
|
|
# "get_image_location":"rule:default" has been deprecated since W in
|
|
# favor of "get_image_location":"rule:context_is_admin or (role:reader
|
|
# and project_id:%(project_id)s)".
|
|
# The image API now supports roles.
|
|
|
|
# Sets location URI to given image
|
|
# PATCH /v2/images/{image_id}
|
|
# Intended scope(s): project
|
|
#"set_image_location": "rule:context_is_admin or (role:member and project_id:%(project_id)s)"
|
|
|
|
# DEPRECATED
|
|
# "set_image_location":"rule:default" has been deprecated since W in
|
|
# favor of "set_image_location":"rule:context_is_admin or (role:member
|
|
# and project_id:%(project_id)s)".
|
|
# The image API now supports roles.
|
|
|
|
# Create image member
|
|
# POST /v2/images/{image_id}/members
|
|
# Intended scope(s): project
|
|
#"add_member": "rule:context_is_admin or (role:member and project_id:%(project_id)s)"
|
|
|
|
# DEPRECATED
|
|
# "add_member":"rule:default" has been deprecated since W in favor of
|
|
# "add_member":"rule:context_is_admin or (role:member and
|
|
# project_id:%(project_id)s)".
|
|
# The image API now supports roles.
|
|
|
|
# Delete image member
|
|
# DELETE /v2/images/{image_id}/members/{member_id}
|
|
# Intended scope(s): project
|
|
#"delete_member": "rule:context_is_admin or (role:member and project_id:%(project_id)s)"
|
|
|
|
# DEPRECATED
|
|
# "delete_member":"rule:default" has been deprecated since W in favor
|
|
# of "delete_member":"rule:context_is_admin or (role:member and
|
|
# project_id:%(project_id)s)".
|
|
# The image API now supports roles.
|
|
|
|
# Show image member details
|
|
# GET /v2/images/{image_id}/members/{member_id}
|
|
# Intended scope(s): project
|
|
#"get_member": "rule:context_is_admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"
|
|
|
|
# DEPRECATED
|
|
# "get_member":"rule:default" has been deprecated since W in favor of
|
|
# "get_member":"rule:context_is_admin or role:reader and
|
|
# (project_id:%(project_id)s or project_id:%(member_id)s)".
|
|
# The image API now supports roles.
|
|
|
|
# List image members
|
|
# GET /v2/images/{image_id}/members
|
|
# Intended scope(s): project
|
|
#"get_members": "rule:context_is_admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"
|
|
|
|
# DEPRECATED
|
|
# "get_members":"rule:default" has been deprecated since W in favor of
|
|
# "get_members":"rule:context_is_admin or role:reader and
|
|
# (project_id:%(project_id)s or project_id:%(member_id)s)".
|
|
# The image API now supports roles.
|
|
|
|
# Update image member
|
|
# PUT /v2/images/{image_id}/members/{member_id}
|
|
# Intended scope(s): project
|
|
#"modify_member": "rule:context_is_admin or (role:member and project_id:%(member_id)s)"
|
|
|
|
# DEPRECATED
|
|
# "modify_member":"rule:default" has been deprecated since W in favor
|
|
# of "modify_member":"rule:context_is_admin or (role:member and
|
|
# project_id:%(member_id)s)".
|
|
# The image API now supports roles.
|
|
|
|
# Manage image cache
|
|
# Intended scope(s): project
|
|
#"manage_image_cache": "rule:context_is_admin"
|
|
|
|
# Deactivate image
|
|
# POST /v2/images/{image_id}/actions/deactivate
|
|
# Intended scope(s): project
|
|
#"deactivate": "rule:context_is_admin or (role:member and project_id:%(project_id)s)"
|
|
|
|
# DEPRECATED
|
|
# "deactivate":"rule:default" has been deprecated since W in favor of
|
|
# "deactivate":"rule:context_is_admin or (role:member and
|
|
# project_id:%(project_id)s)".
|
|
# The image API now supports roles.
|
|
|
|
# Reactivate image
|
|
# POST /v2/images/{image_id}/actions/reactivate
|
|
# Intended scope(s): project
|
|
#"reactivate": "rule:context_is_admin or (role:member and project_id:%(project_id)s)"
|
|
|
|
# DEPRECATED
|
|
# "reactivate":"rule:default" has been deprecated since W in favor of
|
|
# "reactivate":"rule:context_is_admin or (role:member and
|
|
# project_id:%(project_id)s)".
|
|
# The image API now supports roles.
|
|
|
|
# Copy existing image to other stores
|
|
# POST /v2/images/{image_id}/import
|
|
# Intended scope(s): project
|
|
#"copy_image": "rule:context_is_admin"
|
|
|
|
# Get an image task.
|
|
#
|
|
# This granular policy controls access to tasks, both from the tasks
|
|
# API as well as internal locations in Glance that use tasks (like
|
|
# import). Practically this cannot be more restrictive than the policy
|
|
# that controls import or things will break, and changing it from the
|
|
# default is almost certainly not what you want. Access to the
|
|
# external tasks API should be restricted as desired by the
|
|
# tasks_api_access policy. This may change in the future.
|
|
# GET /v2/tasks/{task_id}
|
|
# Intended scope(s): project
|
|
#"get_task": "rule:default"
|
|
|
|
# DEPRECATED
|
|
# "get_task":"rule:default" has been deprecated since X in favor of
|
|
# "get_task":"rule:default".
|
|
# From Xena we are enforcing policy checks in the API and policy layer
|
|
# where task policies were enforcing will be removed. Since task APIs
|
|
# are already deprecated and `tasks_api_access` is checked for each
|
|
# API at API layer, there will be no benefit of other having other
|
|
# task related policies.
|
|
|
|
# List tasks for all images.
|
|
#
|
|
# This granular policy controls access to tasks, both from the tasks
|
|
# API as well as internal locations in Glance that use tasks (like
|
|
# import). Practically this cannot be more restrictive than the policy
|
|
# that controls import or things will break, and changing it from the
|
|
# default is almost certainly not what you want. Access to the
|
|
# external tasks API should be restricted as desired by the
|
|
# tasks_api_access policy. This may change in the future.
|
|
# GET /v2/tasks
|
|
# Intended scope(s): project
|
|
#"get_tasks": "rule:default"
|
|
|
|
# DEPRECATED
|
|
# "get_tasks":"rule:default" has been deprecated since X in favor of
|
|
# "get_tasks":"rule:default".
|
|
# From Xena we are enforcing policy checks in the API and policy layer
|
|
# where task policies were enforcing will be removed. Since task APIs
|
|
# are already deprecated and `tasks_api_access` is checked for each
|
|
# API at API layer, there will be no benefit of other having other
|
|
# task related policies.
|
|
|
|
# List tasks for all images.
|
|
#
|
|
# This granular policy controls access to tasks, both from the tasks
|
|
# API as well as internal locations in Glance that use tasks (like
|
|
# import). Practically this cannot be more restrictive than the policy
|
|
# that controls import or things will break, and changing it from the
|
|
# default is almost certainly not what you want. Access to the
|
|
# external tasks API should be restricted as desired by the
|
|
# tasks_api_access policy. This may change in the future.
|
|
# POST /v2/tasks
|
|
# Intended scope(s): project
|
|
#"add_task": "rule:default"
|
|
|
|
# DEPRECATED
|
|
# "add_task":"rule:default" has been deprecated since X in favor of
|
|
# "add_task":"rule:default".
|
|
# From Xena we are enforcing policy checks in the API and policy layer
|
|
# where task policies were enforcing will be removed. Since task APIs
|
|
# are already deprecated and `tasks_api_access` is checked for each
|
|
# API at API layer, there will be no benefit of other having other
|
|
# task related policies.
|
|
|
|
# DEPRECATED
|
|
# "modify_task" has been deprecated since W.
|
|
# This policy check has never been honored by the API. It will be
|
|
# removed in a future release.
|
|
# This policy is not used.
|
|
# DELETE /v2/tasks/{task_id}
|
|
# Intended scope(s): project
|
|
#"modify_task": "rule:default"
|
|
|
|
# This is a generic blanket policy for protecting all task APIs. It is
|
|
# not granular and will not allow you to separate writable and
|
|
# readable task operations into different roles.
|
|
# GET /v2/tasks/{task_id}
|
|
# GET /v2/tasks
|
|
# POST /v2/tasks
|
|
# DELETE /v2/tasks/{task_id}
|
|
# Intended scope(s): project
|
|
#"tasks_api_access": "rule:context_is_admin"
|
|
|
|
#"metadef_default": ""
|
|
|
|
#"metadef_admin": "rule:context_is_admin"
|
|
|
|
# Get a specific namespace.
|
|
# GET /v2/metadefs/namespaces/{namespace_name}
|
|
# Intended scope(s): project
|
|
#"get_metadef_namespace": "rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
|
|
|
|
# DEPRECATED
|
|
# "get_metadef_namespace":"rule:metadef_default" has been deprecated
|
|
# since X in favor of "get_metadef_namespace":"rule:context_is_admin
|
|
# or (role:reader and (project_id:%(project_id)s or
|
|
# 'public':%(visibility)s))".
|
|
# The metadata API now supports project scope and default roles.
|
|
|
|
# List namespace.
|
|
# GET /v2/metadefs/namespaces
|
|
# Intended scope(s): project
|
|
#"get_metadef_namespaces": "rule:context_is_admin or (role:reader and project_id:%(project_id)s)"
|
|
|
|
# DEPRECATED
|
|
# "get_metadef_namespaces":"rule:metadef_default" has been deprecated
|
|
# since X in favor of "get_metadef_namespaces":"rule:context_is_admin
|
|
# or (role:reader and project_id:%(project_id)s)".
|
|
# The metadata API now supports project scope and default roles.
|
|
|
|
# Modify an existing namespace.
|
|
# PUT /v2/metadefs/namespaces/{namespace_name}
|
|
# Intended scope(s): project
|
|
#"modify_metadef_namespace": "rule:metadef_admin"
|
|
|
|
# Create a namespace.
|
|
# POST /v2/metadefs/namespaces
|
|
# Intended scope(s): project
|
|
#"add_metadef_namespace": "rule:metadef_admin"
|
|
|
|
# Delete a namespace.
|
|
# DELETE /v2/metadefs/namespaces/{namespace_name}
|
|
# Intended scope(s): project
|
|
#"delete_metadef_namespace": "rule:metadef_admin"
|
|
|
|
# Get a specific object from a namespace.
|
|
# GET /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
|
|
# Intended scope(s): project
|
|
#"get_metadef_object": "rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
|
|
|
|
# DEPRECATED
|
|
# "get_metadef_object":"rule:metadef_default" has been deprecated
|
|
# since X in favor of "get_metadef_object":"rule:context_is_admin or
|
|
# (role:reader and (project_id:%(project_id)s or
|
|
# 'public':%(visibility)s))".
|
|
# The metadata API now supports project scope and default roles.
|
|
|
|
# Get objects from a namespace.
|
|
# GET /v2/metadefs/namespaces/{namespace_name}/objects
|
|
# Intended scope(s): project
|
|
#"get_metadef_objects": "rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
|
|
|
|
# DEPRECATED
|
|
# "get_metadef_objects":"rule:metadef_default" has been deprecated
|
|
# since X in favor of "get_metadef_objects":"rule:context_is_admin or
|
|
# (role:reader and (project_id:%(project_id)s or
|
|
# 'public':%(visibility)s))".
|
|
# The metadata API now supports project scope and default roles.
|
|
|
|
# Update an object within a namespace.
|
|
# PUT /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
|
|
# Intended scope(s): project
|
|
#"modify_metadef_object": "rule:metadef_admin"
|
|
|
|
# Create an object within a namespace.
|
|
# POST /v2/metadefs/namespaces/{namespace_name}/objects
|
|
# Intended scope(s): project
|
|
#"add_metadef_object": "rule:metadef_admin"
|
|
|
|
# Delete an object within a namespace.
|
|
# DELETE /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
|
|
# Intended scope(s): project
|
|
#"delete_metadef_object": "rule:metadef_admin"
|
|
|
|
# List meta definition resource types.
|
|
# GET /v2/metadefs/resource_types
|
|
# Intended scope(s): project
|
|
#"list_metadef_resource_types": "rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
|
|
|
|
# DEPRECATED
|
|
# "list_metadef_resource_types":"rule:metadef_default" has been
|
|
# deprecated since X in favor of
|
|
# "list_metadef_resource_types":"rule:context_is_admin or (role:reader
|
|
# and (project_id:%(project_id)s or 'public':%(visibility)s))".
|
|
# The metadata API now supports project scope and default roles.
|
|
|
|
# Get meta definition resource types associations.
|
|
# GET /v2/metadefs/namespaces/{namespace_name}/resource_types
|
|
# Intended scope(s): project
|
|
#"get_metadef_resource_type": "rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
|
|
|
|
# DEPRECATED
|
|
# "get_metadef_resource_type":"rule:metadef_default" has been
|
|
# deprecated since X in favor of
|
|
# "get_metadef_resource_type":"rule:context_is_admin or (role:reader
|
|
# and (project_id:%(project_id)s or 'public':%(visibility)s))".
|
|
# The metadata API now supports project scope and default roles.
|
|
|
|
# Create meta definition resource types association.
|
|
# POST /v2/metadefs/namespaces/{namespace_name}/resource_types
|
|
# Intended scope(s): project
|
|
#"add_metadef_resource_type_association": "rule:metadef_admin"
|
|
|
|
# Delete meta definition resource types association.
|
|
# POST /v2/metadefs/namespaces/{namespace_name}/resource_types/{name}
|
|
# Intended scope(s): project
|
|
#"remove_metadef_resource_type_association": "rule:metadef_admin"
|
|
|
|
# Get a specific meta definition property.
|
|
# GET /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
|
|
# Intended scope(s): project
|
|
#"get_metadef_property": "rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
|
|
|
|
# DEPRECATED
|
|
# "get_metadef_property":"rule:metadef_default" has been deprecated
|
|
# since X in favor of "get_metadef_property":"rule:context_is_admin or
|
|
# (role:reader and (project_id:%(project_id)s or
|
|
# 'public':%(visibility)s))".
|
|
# The metadata API now supports project scope and default roles.
|
|
|
|
# List meta definition properties.
|
|
# GET /v2/metadefs/namespaces/{namespace_name}/properties
|
|
# Intended scope(s): project
|
|
#"get_metadef_properties": "rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
|
|
|
|
# DEPRECATED
|
|
# "get_metadef_properties":"rule:metadef_default" has been deprecated
|
|
# since X in favor of "get_metadef_properties":"rule:context_is_admin
|
|
# or (role:reader and (project_id:%(project_id)s or
|
|
# 'public':%(visibility)s))".
|
|
# The metadata API now supports project scope and default roles.
|
|
|
|
# Update meta definition property.
|
|
# GET /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
|
|
# Intended scope(s): project
|
|
#"modify_metadef_property": "rule:metadef_admin"
|
|
|
|
# Create meta definition property.
|
|
# POST /v2/metadefs/namespaces/{namespace_name}/properties
|
|
# Intended scope(s): project
|
|
#"add_metadef_property": "rule:metadef_admin"
|
|
|
|
# Delete meta definition property.
|
|
# DELETE /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
|
|
# Intended scope(s): project
|
|
#"remove_metadef_property": "rule:metadef_admin"
|
|
|
|
# Get tag definition.
|
|
# GET /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
|
|
# Intended scope(s): project
|
|
#"get_metadef_tag": "rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
|
|
|
|
# DEPRECATED
|
|
# "get_metadef_tag":"rule:metadef_default" has been deprecated since X
|
|
# in favor of "get_metadef_tag":"rule:context_is_admin or (role:reader
|
|
# and (project_id:%(project_id)s or 'public':%(visibility)s))".
|
|
# The metadata API now supports project scope and default roles.
|
|
|
|
# List tag definitions.
|
|
# GET /v2/metadefs/namespaces/{namespace_name}/tags
|
|
# Intended scope(s): project
|
|
#"get_metadef_tags": "rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
|
|
|
|
# DEPRECATED
|
|
# "get_metadef_tags":"rule:metadef_default" has been deprecated since
|
|
# X in favor of "get_metadef_tags":"rule:context_is_admin or
|
|
# (role:reader and (project_id:%(project_id)s or
|
|
# 'public':%(visibility)s))".
|
|
# The metadata API now supports project scope and default roles.
|
|
|
|
# Update tag definition.
|
|
# PUT /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
|
|
# Intended scope(s): project
|
|
#"modify_metadef_tag": "rule:metadef_admin"
|
|
|
|
# Add tag definition.
|
|
# POST /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
|
|
# Intended scope(s): project
|
|
#"add_metadef_tag": "rule:metadef_admin"
|
|
|
|
# Create tag definitions.
|
|
# POST /v2/metadefs/namespaces/{namespace_name}/tags
|
|
# Intended scope(s): project
|
|
#"add_metadef_tags": "rule:metadef_admin"
|
|
|
|
# Delete tag definition.
|
|
# DELETE /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
|
|
# Intended scope(s): project
|
|
#"delete_metadef_tag": "rule:metadef_admin"
|
|
|
|
# Delete tag definitions.
|
|
# DELETE /v2/metadefs/namespaces/{namespace_name}/tags
|
|
# Intended scope(s): project
|
|
#"delete_metadef_tags": "rule:metadef_admin"
|
|
|
|
# Queue image for caching
|
|
# PUT /v2/cache/{image_id}
|
|
# Intended scope(s): project
|
|
#"cache_image": "rule:context_is_admin"
|
|
|
|
# DEPRECATED
|
|
# "cache_image":"rule:manage_image_cache" has been deprecated since X
|
|
# in favor of "cache_image":"rule:context_is_admin".
|
|
# The image API now supports roles.
|
|
|
|
# List cache status
|
|
# GET /v2/cache
|
|
# Intended scope(s): project
|
|
#"cache_list": "rule:context_is_admin"
|
|
|
|
# DEPRECATED
|
|
# "cache_list":"rule:manage_image_cache" has been deprecated since X
|
|
# in favor of "cache_list":"rule:context_is_admin".
|
|
# The image API now supports roles.
|
|
|
|
# Delete image(s) from cache and/or queue
|
|
# DELETE /v2/cache
|
|
# DELETE /v2/cache/{image_id}
|
|
# Intended scope(s): project
|
|
#"cache_delete": "rule:context_is_admin"
|
|
|
|
# DEPRECATED
|
|
# "cache_delete":"rule:manage_image_cache" has been deprecated since X
|
|
# in favor of "cache_delete":"rule:context_is_admin".
|
|
# The image API now supports roles.
|
|
|
|
# Expose store specific information
|
|
# GET /v2/info/stores/detail
|
|
# Intended scope(s): project
|
|
#"stores_info_detail": "rule:context_is_admin"
|
|
|