b7bb76eb20
This commit allows horizon to handle deprecated policy rules. The approach is explained in the document updated by this change. oslo.policy requirement is updated. oslo.policy 3.2.0 is chosen just because it is the first release in Victoria cycle. requirements.txt and lower-constraints.txt are updated accordingly including oslo.policy dependencies. Change-Id: If5059d03f6bd7e94796065aa1b51c0c23ac85f5e
962 lines
29 KiB
YAML
962 lines
29 KiB
YAML
# Rule for cloud admin access
|
|
#"context_is_admin": "role:admin"
|
|
|
|
# Rule for resource owner access
|
|
#"owner": "tenant_id:%(tenant_id)s"
|
|
|
|
# Rule for admin or owner access
|
|
#"admin_or_owner": "rule:context_is_admin or rule:owner"
|
|
|
|
# Rule for advsvc role access
|
|
#"context_is_advsvc": "role:advsvc"
|
|
|
|
# Rule for admin or network owner access
|
|
#"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s"
|
|
|
|
# Rule for resource owner, admin or network owner access
|
|
#"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner"
|
|
|
|
# Rule for admin-only access
|
|
#"admin_only": "rule:context_is_admin"
|
|
|
|
# Rule for regular user access
|
|
#"regular_user": ""
|
|
|
|
# Rule of shared network
|
|
#"shared": "field:networks:shared=True"
|
|
|
|
# Default access rule
|
|
#"default": "rule:admin_or_owner"
|
|
|
|
# Rule for common parent owner check
|
|
#"admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s"
|
|
|
|
# Definition of a shared address scope
|
|
#"shared_address_scopes": "field:address_scopes:shared=True"
|
|
|
|
# Create an address scope
|
|
# POST /address-scopes
|
|
#"create_address_scope": "rule:regular_user"
|
|
|
|
# Create a shared address scope
|
|
# POST /address-scopes
|
|
#"create_address_scope:shared": "rule:admin_only"
|
|
|
|
# Get an address scope
|
|
# GET /address-scopes
|
|
# GET /address-scopes/{id}
|
|
#"get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes"
|
|
|
|
# Update an address scope
|
|
# PUT /address-scopes/{id}
|
|
#"update_address_scope": "rule:admin_or_owner"
|
|
|
|
# Update ``shared`` attribute of an address scope
|
|
# PUT /address-scopes/{id}
|
|
#"update_address_scope:shared": "rule:admin_only"
|
|
|
|
# Delete an address scope
|
|
# DELETE /address-scopes/{id}
|
|
#"delete_address_scope": "rule:admin_or_owner"
|
|
|
|
# Get an agent
|
|
# GET /agents
|
|
# GET /agents/{id}
|
|
#"get_agent": "rule:admin_only"
|
|
|
|
# Update an agent
|
|
# PUT /agents/{id}
|
|
#"update_agent": "rule:admin_only"
|
|
|
|
# Delete an agent
|
|
# DELETE /agents/{id}
|
|
#"delete_agent": "rule:admin_only"
|
|
|
|
# Add a network to a DHCP agent
|
|
# POST /agents/{agent_id}/dhcp-networks
|
|
#"create_dhcp-network": "rule:admin_only"
|
|
|
|
# List networks on a DHCP agent
|
|
# GET /agents/{agent_id}/dhcp-networks
|
|
#"get_dhcp-networks": "rule:admin_only"
|
|
|
|
# Remove a network from a DHCP agent
|
|
# DELETE /agents/{agent_id}/dhcp-networks/{network_id}
|
|
#"delete_dhcp-network": "rule:admin_only"
|
|
|
|
# Add a router to an L3 agent
|
|
# POST /agents/{agent_id}/l3-routers
|
|
#"create_l3-router": "rule:admin_only"
|
|
|
|
# List routers on an L3 agent
|
|
# GET /agents/{agent_id}/l3-routers
|
|
#"get_l3-routers": "rule:admin_only"
|
|
|
|
# Remove a router from an L3 agent
|
|
# DELETE /agents/{agent_id}/l3-routers/{router_id}
|
|
#"delete_l3-router": "rule:admin_only"
|
|
|
|
# List DHCP agents hosting a network
|
|
# GET /networks/{network_id}/dhcp-agents
|
|
#"get_dhcp-agents": "rule:admin_only"
|
|
|
|
# List L3 agents hosting a router
|
|
# GET /routers/{router_id}/l3-agents
|
|
#"get_l3-agents": "rule:admin_only"
|
|
|
|
# Get a project's auto-allocated topology
|
|
# GET /auto-allocated-topology/{project_id}
|
|
#"get_auto_allocated_topology": "rule:admin_or_owner"
|
|
|
|
# Delete a project's auto-allocated topology
|
|
# DELETE /auto-allocated-topology/{project_id}
|
|
#"delete_auto_allocated_topology": "rule:admin_or_owner"
|
|
|
|
# List availability zones
|
|
# GET /availability_zones
|
|
#"get_availability_zone": "rule:regular_user"
|
|
|
|
# Create a flavor
|
|
# POST /flavors
|
|
#"create_flavor": "rule:admin_only"
|
|
|
|
# Get a flavor
|
|
# GET /flavors
|
|
# GET /flavors/{id}
|
|
#"get_flavor": "rule:regular_user"
|
|
|
|
# Update a flavor
|
|
# PUT /flavors/{id}
|
|
#"update_flavor": "rule:admin_only"
|
|
|
|
# Delete a flavor
|
|
# DELETE /flavors/{id}
|
|
#"delete_flavor": "rule:admin_only"
|
|
|
|
# Create a service profile
|
|
# POST /service_profiles
|
|
#"create_service_profile": "rule:admin_only"
|
|
|
|
# Get a service profile
|
|
# GET /service_profiles
|
|
# GET /service_profiles/{id}
|
|
#"get_service_profile": "rule:admin_only"
|
|
|
|
# Update a service profile
|
|
# PUT /service_profiles/{id}
|
|
#"update_service_profile": "rule:admin_only"
|
|
|
|
# Delete a service profile
|
|
# DELETE /service_profiles/{id}
|
|
#"delete_service_profile": "rule:admin_only"
|
|
|
|
# Get a flavor associated with a given service profiles. There is no
|
|
# corresponding GET operations in API currently. This rule is
|
|
# currently referred only in the DELETE of flavor_service_profile.
|
|
#"get_flavor_service_profile": "rule:regular_user"
|
|
|
|
# Associate a flavor with a service profile
|
|
# POST /flavors/{flavor_id}/service_profiles
|
|
#"create_flavor_service_profile": "rule:admin_only"
|
|
|
|
# Disassociate a flavor with a service profile
|
|
# DELETE /flavors/{flavor_id}/service_profiles/{profile_id}
|
|
#"delete_flavor_service_profile": "rule:admin_only"
|
|
|
|
# Create a floating IP
|
|
# POST /floatingips
|
|
#"create_floatingip": "rule:regular_user"
|
|
|
|
# Create a floating IP with a specific IP address
|
|
# POST /floatingips
|
|
#"create_floatingip:floating_ip_address": "rule:admin_only"
|
|
|
|
# Get a floating IP
|
|
# GET /floatingips
|
|
# GET /floatingips/{id}
|
|
#"get_floatingip": "rule:admin_or_owner"
|
|
|
|
# Update a floating IP
|
|
# PUT /floatingips/{id}
|
|
#"update_floatingip": "rule:admin_or_owner"
|
|
|
|
# Delete a floating IP
|
|
# DELETE /floatingips/{id}
|
|
#"delete_floatingip": "rule:admin_or_owner"
|
|
|
|
# Get floating IP pools
|
|
# GET /floatingip_pools
|
|
#"get_floatingip_pool": "rule:regular_user"
|
|
|
|
# Create a floating IP port forwarding
|
|
# POST /floatingips/{floatingip_id}/port_forwardings
|
|
#"create_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
|
|
|
|
# Get a floating IP port forwarding
|
|
# GET /floatingips/{floatingip_id}/port_forwardings
|
|
# GET /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
|
|
#"get_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
|
|
|
|
# Update a floating IP port forwarding
|
|
# PUT /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
|
|
#"update_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
|
|
|
|
# Delete a floating IP port forwarding
|
|
# DELETE /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
|
|
#"delete_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
|
|
|
|
# Create a router conntrack helper
|
|
# POST /routers/{router_id}/conntrack_helpers
|
|
#"create_router_conntrack_helper": "rule:admin_or_ext_parent_owner"
|
|
|
|
# Get a router conntrack helper
|
|
# GET /routers/{router_id}/conntrack_helpers
|
|
# GET /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
|
|
#"get_router_conntrack_helper": "rule:admin_or_ext_parent_owner"
|
|
|
|
# Update a router conntrack helper
|
|
# PUT /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
|
|
#"update_router_conntrack_helper": "rule:admin_or_ext_parent_owner"
|
|
|
|
# Delete a router conntrack helper
|
|
# DELETE /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
|
|
#"delete_router_conntrack_helper": "rule:admin_or_ext_parent_owner"
|
|
|
|
# Get loggable resources
|
|
# GET /log/loggable-resources
|
|
#"get_loggable_resource": "rule:admin_only"
|
|
|
|
# Create a network log
|
|
# POST /log/logs
|
|
#"create_log": "rule:admin_only"
|
|
|
|
# Get a network log
|
|
# GET /log/logs
|
|
# GET /log/logs/{id}
|
|
#"get_log": "rule:admin_only"
|
|
|
|
# Update a network log
|
|
# PUT /log/logs/{id}
|
|
#"update_log": "rule:admin_only"
|
|
|
|
# Delete a network log
|
|
# DELETE /log/logs/{id}
|
|
#"delete_log": "rule:admin_only"
|
|
|
|
# Create a metering label
|
|
# POST /metering/metering-labels
|
|
#"create_metering_label": "rule:admin_only"
|
|
|
|
# Get a metering label
|
|
# GET /metering/metering-labels
|
|
# GET /metering/metering-labels/{id}
|
|
#"get_metering_label": "rule:admin_only"
|
|
|
|
# Delete a metering label
|
|
# DELETE /metering/metering-labels/{id}
|
|
#"delete_metering_label": "rule:admin_only"
|
|
|
|
# Create a metering label rule
|
|
# POST /metering/metering-label-rules
|
|
#"create_metering_label_rule": "rule:admin_only"
|
|
|
|
# Get a metering label rule
|
|
# GET /metering/metering-label-rules
|
|
# GET /metering/metering-label-rules/{id}
|
|
#"get_metering_label_rule": "rule:admin_only"
|
|
|
|
# Delete a metering label rule
|
|
# DELETE /metering/metering-label-rules/{id}
|
|
#"delete_metering_label_rule": "rule:admin_only"
|
|
|
|
# Definition of an external network
|
|
#"external": "field:networks:router:external=True"
|
|
|
|
# Create a network
|
|
# POST /networks
|
|
#"create_network": "rule:regular_user"
|
|
|
|
# Create a shared network
|
|
# POST /networks
|
|
#"create_network:shared": "rule:admin_only"
|
|
|
|
# Create an external network
|
|
# POST /networks
|
|
#"create_network:router:external": "rule:admin_only"
|
|
|
|
# Specify ``is_default`` attribute when creating a network
|
|
# POST /networks
|
|
#"create_network:is_default": "rule:admin_only"
|
|
|
|
# Specify ``port_security_enabled`` attribute when creating a network
|
|
# POST /networks
|
|
#"create_network:port_security_enabled": "rule:regular_user"
|
|
|
|
# Specify ``segments`` attribute when creating a network
|
|
# POST /networks
|
|
#"create_network:segments": "rule:admin_only"
|
|
|
|
# Specify ``provider:network_type`` when creating a network
|
|
# POST /networks
|
|
#"create_network:provider:network_type": "rule:admin_only"
|
|
|
|
# Specify ``provider:physical_network`` when creating a network
|
|
# POST /networks
|
|
#"create_network:provider:physical_network": "rule:admin_only"
|
|
|
|
# Specify ``provider:segmentation_id`` when creating a network
|
|
# POST /networks
|
|
#"create_network:provider:segmentation_id": "rule:admin_only"
|
|
|
|
# Get a network
|
|
# GET /networks
|
|
# GET /networks/{id}
|
|
#"get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc"
|
|
|
|
# Get ``router:external`` attribute of a network
|
|
# GET /networks
|
|
# GET /networks/{id}
|
|
#"get_network:router:external": "rule:regular_user"
|
|
|
|
# Get ``segments`` attribute of a network
|
|
# GET /networks
|
|
# GET /networks/{id}
|
|
#"get_network:segments": "rule:admin_only"
|
|
|
|
# Get ``provider:network_type`` attribute of a network
|
|
# GET /networks
|
|
# GET /networks/{id}
|
|
#"get_network:provider:network_type": "rule:admin_only"
|
|
|
|
# Get ``provider:physical_network`` attribute of a network
|
|
# GET /networks
|
|
# GET /networks/{id}
|
|
#"get_network:provider:physical_network": "rule:admin_only"
|
|
|
|
# Get ``provider:segmentation_id`` attribute of a network
|
|
# GET /networks
|
|
# GET /networks/{id}
|
|
#"get_network:provider:segmentation_id": "rule:admin_only"
|
|
|
|
# Update a network
|
|
# PUT /networks/{id}
|
|
#"update_network": "rule:admin_or_owner"
|
|
|
|
# Update ``segments`` attribute of a network
|
|
# PUT /networks/{id}
|
|
#"update_network:segments": "rule:admin_only"
|
|
|
|
# Update ``shared`` attribute of a network
|
|
# PUT /networks/{id}
|
|
#"update_network:shared": "rule:admin_only"
|
|
|
|
# Update ``provider:network_type`` attribute of a network
|
|
# PUT /networks/{id}
|
|
#"update_network:provider:network_type": "rule:admin_only"
|
|
|
|
# Update ``provider:physical_network`` attribute of a network
|
|
# PUT /networks/{id}
|
|
#"update_network:provider:physical_network": "rule:admin_only"
|
|
|
|
# Update ``provider:segmentation_id`` attribute of a network
|
|
# PUT /networks/{id}
|
|
#"update_network:provider:segmentation_id": "rule:admin_only"
|
|
|
|
# Update ``router:external`` attribute of a network
|
|
# PUT /networks/{id}
|
|
#"update_network:router:external": "rule:admin_only"
|
|
|
|
# Update ``is_default`` attribute of a network
|
|
# PUT /networks/{id}
|
|
#"update_network:is_default": "rule:admin_only"
|
|
|
|
# Update ``port_security_enabled`` attribute of a network
|
|
# PUT /networks/{id}
|
|
#"update_network:port_security_enabled": "rule:admin_or_owner"
|
|
|
|
# Delete a network
|
|
# DELETE /networks/{id}
|
|
#"delete_network": "rule:admin_or_owner"
|
|
|
|
# Get network IP availability
|
|
# GET /network-ip-availabilities
|
|
# GET /network-ip-availabilities/{network_id}
|
|
#"get_network_ip_availability": "rule:admin_only"
|
|
|
|
# Create a network segment range
|
|
# POST /network_segment_ranges
|
|
#"create_network_segment_range": "rule:admin_only"
|
|
|
|
# Get a network segment range
|
|
# GET /network_segment_ranges
|
|
# GET /network_segment_ranges/{id}
|
|
#"get_network_segment_range": "rule:admin_only"
|
|
|
|
# Update a network segment range
|
|
# PUT /network_segment_ranges/{id}
|
|
#"update_network_segment_range": "rule:admin_only"
|
|
|
|
# Delete a network segment range
|
|
# DELETE /network_segment_ranges/{id}
|
|
#"delete_network_segment_range": "rule:admin_only"
|
|
|
|
# Definition of port with network device_owner
|
|
#"network_device": "field:port:device_owner=~^network:"
|
|
|
|
# Rule for data plane integration
|
|
#"admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator"
|
|
|
|
# Create a port
|
|
# POST /ports
|
|
#"create_port": "rule:regular_user"
|
|
|
|
# Specify ``device_owner`` attribute when creting a port
|
|
# POST /ports
|
|
#"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner"
|
|
|
|
# Specify ``mac_address`` attribute when creating a port
|
|
# POST /ports
|
|
#"create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
|
|
|
|
# Specify ``fixed_ips`` information when creating a port
|
|
# POST /ports
|
|
#"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
|
|
|
|
# Specify IP address in ``fixed_ips`` when creating a port
|
|
# POST /ports
|
|
#"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
|
|
|
|
# Specify subnet ID in ``fixed_ips`` when creating a port
|
|
# POST /ports
|
|
#"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
|
|
|
|
# Specify ``port_security_enabled`` attribute when creating a port
|
|
# POST /ports
|
|
#"create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
|
|
|
|
# Specify ``binding:host_id`` attribute when creating a port
|
|
# POST /ports
|
|
#"create_port:binding:host_id": "rule:admin_only"
|
|
|
|
# Specify ``binding:profile`` attribute when creating a port
|
|
# POST /ports
|
|
#"create_port:binding:profile": "rule:admin_only"
|
|
|
|
# Specify ``binding:vnic_type`` attribute when creating a port
|
|
# POST /ports
|
|
#"create_port:binding:vnic_type": "rule:regular_user"
|
|
|
|
# Specify ``allowed_address_pairs`` attribute when creating a port
|
|
# POST /ports
|
|
#"create_port:allowed_address_pairs": "rule:admin_or_network_owner"
|
|
|
|
# Specify ``mac_address` of `allowed_address_pairs`` attribute when
|
|
# creating a port
|
|
# POST /ports
|
|
#"create_port:allowed_address_pairs:mac_address": "rule:admin_or_network_owner"
|
|
|
|
# Specify ``ip_address`` of ``allowed_address_pairs`` attribute when
|
|
# creating a port
|
|
# POST /ports
|
|
#"create_port:allowed_address_pairs:ip_address": "rule:admin_or_network_owner"
|
|
|
|
# Get a port
|
|
# GET /ports
|
|
# GET /ports/{id}
|
|
#"get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner"
|
|
|
|
# Get ``binding:vif_type`` attribute of a port
|
|
# GET /ports
|
|
# GET /ports/{id}
|
|
#"get_port:binding:vif_type": "rule:admin_only"
|
|
|
|
# Get ``binding:vif_details`` attribute of a port
|
|
# GET /ports
|
|
# GET /ports/{id}
|
|
#"get_port:binding:vif_details": "rule:admin_only"
|
|
|
|
# Get ``binding:host_id`` attribute of a port
|
|
# GET /ports
|
|
# GET /ports/{id}
|
|
#"get_port:binding:host_id": "rule:admin_only"
|
|
|
|
# Get ``binding:profile`` attribute of a port
|
|
# GET /ports
|
|
# GET /ports/{id}
|
|
#"get_port:binding:profile": "rule:admin_only"
|
|
|
|
# Get ``resource_request`` attribute of a port
|
|
# GET /ports
|
|
# GET /ports/{id}
|
|
#"get_port:resource_request": "rule:admin_only"
|
|
|
|
# Update a port
|
|
# PUT /ports/{id}
|
|
#"update_port": "rule:admin_or_owner or rule:context_is_advsvc"
|
|
|
|
# Update ``device_owner`` attribute of a port
|
|
# PUT /ports/{id}
|
|
#"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner"
|
|
|
|
# Update ``mac_address`` attribute of a port
|
|
# PUT /ports/{id}
|
|
#"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc"
|
|
|
|
# Specify ``fixed_ips`` information when updating a port
|
|
# PUT /ports/{id}
|
|
#"update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner"
|
|
|
|
# Specify IP address in ``fixed_ips`` information when updating a port
|
|
# PUT /ports/{id}
|
|
#"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
|
|
|
|
# Specify subnet ID in ``fixed_ips`` information when updating a port
|
|
# PUT /ports/{id}
|
|
#"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
|
|
|
|
# Update ``port_security_enabled`` attribute of a port
|
|
# PUT /ports/{id}
|
|
#"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
|
|
|
|
# Update ``binding:host_id`` attribute of a port
|
|
# PUT /ports/{id}
|
|
#"update_port:binding:host_id": "rule:admin_only"
|
|
|
|
# Update ``binding:profile`` attribute of a port
|
|
# PUT /ports/{id}
|
|
#"update_port:binding:profile": "rule:admin_only"
|
|
|
|
# Update ``binding:vnic_type`` attribute of a port
|
|
# PUT /ports/{id}
|
|
#"update_port:binding:vnic_type": "rule:admin_or_owner or rule:context_is_advsvc"
|
|
|
|
# Update ``allowed_address_pairs`` attribute of a port
|
|
# PUT /ports/{id}
|
|
#"update_port:allowed_address_pairs": "rule:admin_or_network_owner"
|
|
|
|
# Update ``mac_address`` of ``allowed_address_pairs`` attribute of a
|
|
# port
|
|
# PUT /ports/{id}
|
|
#"update_port:allowed_address_pairs:mac_address": "rule:admin_or_network_owner"
|
|
|
|
# Update ``ip_address`` of ``allowed_address_pairs`` attribute of a
|
|
# port
|
|
# PUT /ports/{id}
|
|
#"update_port:allowed_address_pairs:ip_address": "rule:admin_or_network_owner"
|
|
|
|
# Update ``data_plane_status`` attribute of a port
|
|
# PUT /ports/{id}
|
|
#"update_port:data_plane_status": "rule:admin_or_data_plane_int"
|
|
|
|
# Delete a port
|
|
# DELETE /ports/{id}
|
|
#"delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner"
|
|
|
|
# Get QoS policies
|
|
# GET /qos/policies
|
|
# GET /qos/policies/{id}
|
|
#"get_policy": "rule:regular_user"
|
|
|
|
# Create a QoS policy
|
|
# POST /qos/policies
|
|
#"create_policy": "rule:admin_only"
|
|
|
|
# Update a QoS policy
|
|
# PUT /qos/policies/{id}
|
|
#"update_policy": "rule:admin_only"
|
|
|
|
# Delete a QoS policy
|
|
# DELETE /qos/policies/{id}
|
|
#"delete_policy": "rule:admin_only"
|
|
|
|
# Get available QoS rule types
|
|
# GET /qos/rule-types
|
|
# GET /qos/rule-types/{rule_type}
|
|
#"get_rule_type": "rule:regular_user"
|
|
|
|
# Get a QoS bandwidth limit rule
|
|
# GET /qos/policies/{policy_id}/bandwidth_limit_rules
|
|
# GET /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
|
|
#"get_policy_bandwidth_limit_rule": "rule:regular_user"
|
|
|
|
# Create a QoS bandwidth limit rule
|
|
# POST /qos/policies/{policy_id}/bandwidth_limit_rules
|
|
#"create_policy_bandwidth_limit_rule": "rule:admin_only"
|
|
|
|
# Update a QoS bandwidth limit rule
|
|
# PUT /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
|
|
#"update_policy_bandwidth_limit_rule": "rule:admin_only"
|
|
|
|
# Delete a QoS bandwidth limit rule
|
|
# DELETE /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
|
|
#"delete_policy_bandwidth_limit_rule": "rule:admin_only"
|
|
|
|
# Get a QoS DSCP marking rule
|
|
# GET /qos/policies/{policy_id}/dscp_marking_rules
|
|
# GET /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
|
|
#"get_policy_dscp_marking_rule": "rule:regular_user"
|
|
|
|
# Create a QoS DSCP marking rule
|
|
# POST /qos/policies/{policy_id}/dscp_marking_rules
|
|
#"create_policy_dscp_marking_rule": "rule:admin_only"
|
|
|
|
# Update a QoS DSCP marking rule
|
|
# PUT /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
|
|
#"update_policy_dscp_marking_rule": "rule:admin_only"
|
|
|
|
# Delete a QoS DSCP marking rule
|
|
# DELETE /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
|
|
#"delete_policy_dscp_marking_rule": "rule:admin_only"
|
|
|
|
# Get a QoS minimum bandwidth rule
|
|
# GET /qos/policies/{policy_id}/minimum_bandwidth_rules
|
|
# GET /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
|
|
#"get_policy_minimum_bandwidth_rule": "rule:regular_user"
|
|
|
|
# Create a QoS minimum bandwidth rule
|
|
# POST /qos/policies/{policy_id}/minimum_bandwidth_rules
|
|
#"create_policy_minimum_bandwidth_rule": "rule:admin_only"
|
|
|
|
# Update a QoS minimum bandwidth rule
|
|
# PUT /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
|
|
#"update_policy_minimum_bandwidth_rule": "rule:admin_only"
|
|
|
|
# Delete a QoS minimum bandwidth rule
|
|
# DELETE /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
|
|
#"delete_policy_minimum_bandwidth_rule": "rule:admin_only"
|
|
|
|
# Get a QoS bandwidth limit rule through alias
|
|
# GET /qos/alias_bandwidth_limit_rules/{rule_id}/
|
|
#"get_alias_bandwidth_limit_rule": "rule:get_policy_bandwidth_limit_rule"
|
|
|
|
# Update a QoS bandwidth limit rule through alias
|
|
# PUT /qos/alias_bandwidth_limit_rules/{rule_id}/
|
|
#"update_alias_bandwidth_limit_rule": "rule:update_policy_bandwidth_limit_rule"
|
|
|
|
# Delete a QoS bandwidth limit rule through alias
|
|
# DELETE /qos/alias_bandwidth_limit_rules/{rule_id}/
|
|
#"delete_alias_bandwidth_limit_rule": "rule:delete_policy_bandwidth_limit_rule"
|
|
|
|
# Get a QoS DSCP marking rule through alias
|
|
# GET /qos/alias_dscp_marking_rules/{rule_id}/
|
|
#"get_alias_dscp_marking_rule": "rule:get_policy_dscp_marking_rule"
|
|
|
|
# Update a QoS DSCP marking rule through alias
|
|
# PUT /qos/alias_dscp_marking_rules/{rule_id}/
|
|
#"update_alias_dscp_marking_rule": "rule:update_policy_dscp_marking_rule"
|
|
|
|
# Delete a QoS DSCP marking rule through alias
|
|
# DELETE /qos/alias_dscp_marking_rules/{rule_id}/
|
|
#"delete_alias_dscp_marking_rule": "rule:delete_policy_dscp_marking_rule"
|
|
|
|
# Get a QoS minimum bandwidth rule through alias
|
|
# GET /qos/alias_minimum_bandwidth_rules/{rule_id}/
|
|
#"get_alias_minimum_bandwidth_rule": "rule:get_policy_minimum_bandwidth_rule"
|
|
|
|
# Update a QoS minimum bandwidth rule through alias
|
|
# PUT /qos/alias_minimum_bandwidth_rules/{rule_id}/
|
|
#"update_alias_minimum_bandwidth_rule": "rule:update_policy_minimum_bandwidth_rule"
|
|
|
|
# Delete a QoS minimum bandwidth rule through alias
|
|
# DELETE /qos/alias_minimum_bandwidth_rules/{rule_id}/
|
|
#"delete_alias_minimum_bandwidth_rule": "rule:delete_policy_minimum_bandwidth_rule"
|
|
|
|
# Get a resource quota
|
|
# GET /quota
|
|
# GET /quota/{id}
|
|
#"get_quota": "rule:admin_only"
|
|
|
|
# Update a resource quota
|
|
# PUT /quota/{id}
|
|
#"update_quota": "rule:admin_only"
|
|
|
|
# Delete a resource quota
|
|
# DELETE /quota/{id}
|
|
#"delete_quota": "rule:admin_only"
|
|
|
|
# Definition of a wildcard target_tenant
|
|
#"restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
|
|
|
|
# Create an RBAC policy
|
|
# POST /rbac-policies
|
|
#"create_rbac_policy": "rule:regular_user"
|
|
|
|
# Specify ``target_tenant`` when creating an RBAC policy
|
|
# POST /rbac-policies
|
|
#"create_rbac_policy:target_tenant": "rule:restrict_wildcard"
|
|
|
|
# Update an RBAC policy
|
|
# PUT /rbac-policies/{id}
|
|
#"update_rbac_policy": "rule:admin_or_owner"
|
|
|
|
# Update ``target_tenant`` attribute of an RBAC policy
|
|
# PUT /rbac-policies/{id}
|
|
#"update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner"
|
|
|
|
# Get an RBAC policy
|
|
# GET /rbac-policies
|
|
# GET /rbac-policies/{id}
|
|
#"get_rbac_policy": "rule:admin_or_owner"
|
|
|
|
# Delete an RBAC policy
|
|
# DELETE /rbac-policies/{id}
|
|
#"delete_rbac_policy": "rule:admin_or_owner"
|
|
|
|
# Create a router
|
|
# POST /routers
|
|
#"create_router": "rule:regular_user"
|
|
|
|
# Specify ``distributed`` attribute when creating a router
|
|
# POST /routers
|
|
#"create_router:distributed": "rule:admin_only"
|
|
|
|
# Specify ``ha`` attribute when creating a router
|
|
# POST /routers
|
|
#"create_router:ha": "rule:admin_only"
|
|
|
|
# Specify ``external_gateway_info`` information when creating a router
|
|
# POST /routers
|
|
#"create_router:external_gateway_info": "rule:admin_or_owner"
|
|
|
|
# Specify ``network_id`` in ``external_gateway_info`` information when
|
|
# creating a router
|
|
# POST /routers
|
|
#"create_router:external_gateway_info:network_id": "rule:admin_or_owner"
|
|
|
|
# Specify ``enable_snat`` in ``external_gateway_info`` information
|
|
# when creating a router
|
|
# POST /routers
|
|
#"create_router:external_gateway_info:enable_snat": "rule:admin_only"
|
|
|
|
# Specify ``external_fixed_ips`` in ``external_gateway_info``
|
|
# information when creating a router
|
|
# POST /routers
|
|
#"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only"
|
|
|
|
# Get a router
|
|
# GET /routers
|
|
# GET /routers/{id}
|
|
#"get_router": "rule:admin_or_owner"
|
|
|
|
# Get ``distributed`` attribute of a router
|
|
# GET /routers
|
|
# GET /routers/{id}
|
|
#"get_router:distributed": "rule:admin_only"
|
|
|
|
# Get ``ha`` attribute of a router
|
|
# GET /routers
|
|
# GET /routers/{id}
|
|
#"get_router:ha": "rule:admin_only"
|
|
|
|
# Update a router
|
|
# PUT /routers/{id}
|
|
#"update_router": "rule:admin_or_owner"
|
|
|
|
# Update ``distributed`` attribute of a router
|
|
# PUT /routers/{id}
|
|
#"update_router:distributed": "rule:admin_only"
|
|
|
|
# Update ``ha`` attribute of a router
|
|
# PUT /routers/{id}
|
|
#"update_router:ha": "rule:admin_only"
|
|
|
|
# Update ``external_gateway_info`` information of a router
|
|
# PUT /routers/{id}
|
|
#"update_router:external_gateway_info": "rule:admin_or_owner"
|
|
|
|
# Update ``network_id`` attribute of ``external_gateway_info``
|
|
# information of a router
|
|
# PUT /routers/{id}
|
|
#"update_router:external_gateway_info:network_id": "rule:admin_or_owner"
|
|
|
|
# Update ``enable_snat`` attribute of ``external_gateway_info``
|
|
# information of a router
|
|
# PUT /routers/{id}
|
|
#"update_router:external_gateway_info:enable_snat": "rule:admin_only"
|
|
|
|
# Update ``external_fixed_ips`` attribute of ``external_gateway_info``
|
|
# information of a router
|
|
# PUT /routers/{id}
|
|
#"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only"
|
|
|
|
# Delete a router
|
|
# DELETE /routers/{id}
|
|
#"delete_router": "rule:admin_or_owner"
|
|
|
|
# Add an interface to a router
|
|
# PUT /routers/{id}/add_router_interface
|
|
#"add_router_interface": "rule:admin_or_owner"
|
|
|
|
# Remove an interface from a router
|
|
# PUT /routers/{id}/remove_router_interface
|
|
#"remove_router_interface": "rule:admin_or_owner"
|
|
|
|
# Rule for admin or security group owner access
|
|
#"admin_or_sg_owner": "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s"
|
|
|
|
# Rule for resource owner, admin or security group owner access
|
|
#"admin_owner_or_sg_owner": "rule:owner or rule:admin_or_sg_owner"
|
|
|
|
# Create a security group
|
|
# POST /security-groups
|
|
#"create_security_group": "rule:admin_or_owner"
|
|
|
|
# Get a security group
|
|
# GET /security-groups
|
|
# GET /security-groups/{id}
|
|
#"get_security_group": "rule:regular_user"
|
|
|
|
# Update a security group
|
|
# PUT /security-groups/{id}
|
|
#"update_security_group": "rule:admin_or_owner"
|
|
|
|
# Delete a security group
|
|
# DELETE /security-groups/{id}
|
|
#"delete_security_group": "rule:admin_or_owner"
|
|
|
|
# Create a security group rule
|
|
# POST /security-group-rules
|
|
#"create_security_group_rule": "rule:admin_or_owner"
|
|
|
|
# Get a security group rule
|
|
# GET /security-group-rules
|
|
# GET /security-group-rules/{id}
|
|
#"get_security_group_rule": "rule:admin_owner_or_sg_owner"
|
|
|
|
# Delete a security group rule
|
|
# DELETE /security-group-rules/{id}
|
|
#"delete_security_group_rule": "rule:admin_or_owner"
|
|
|
|
# Create a segment
|
|
# POST /segments
|
|
#"create_segment": "rule:admin_only"
|
|
|
|
# Get a segment
|
|
# GET /segments
|
|
# GET /segments/{id}
|
|
#"get_segment": "rule:admin_only"
|
|
|
|
# Update a segment
|
|
# PUT /segments/{id}
|
|
#"update_segment": "rule:admin_only"
|
|
|
|
# Delete a segment
|
|
# DELETE /segments/{id}
|
|
#"delete_segment": "rule:admin_only"
|
|
|
|
# Get service providers
|
|
# GET /service-providers
|
|
#"get_service_provider": "rule:regular_user"
|
|
|
|
# Create a subnet
|
|
# POST /subnets
|
|
#"create_subnet": "rule:admin_or_network_owner"
|
|
|
|
# Specify ``segment_id`` attribute when creating a subnet
|
|
# POST /subnets
|
|
#"create_subnet:segment_id": "rule:admin_only"
|
|
|
|
# Specify ``service_types`` attribute when creating a subnet
|
|
# POST /subnets
|
|
#"create_subnet:service_types": "rule:admin_only"
|
|
|
|
# Get a subnet
|
|
# GET /subnets
|
|
# GET /subnets/{id}
|
|
#"get_subnet": "rule:admin_or_owner or rule:shared"
|
|
|
|
# Get ``segment_id`` attribute of a subnet
|
|
# GET /subnets
|
|
# GET /subnets/{id}
|
|
#"get_subnet:segment_id": "rule:admin_only"
|
|
|
|
# Update a subnet
|
|
# PUT /subnets/{id}
|
|
#"update_subnet": "rule:admin_or_network_owner"
|
|
|
|
# Update ``segment_id`` attribute of a subnet
|
|
# PUT /subnets/{id}
|
|
#"update_subnet:segment_id": "rule:admin_only"
|
|
|
|
# Update ``service_types`` attribute of a subnet
|
|
# PUT /subnets/{id}
|
|
#"update_subnet:service_types": "rule:admin_only"
|
|
|
|
# Delete a subnet
|
|
# DELETE /subnets/{id}
|
|
#"delete_subnet": "rule:admin_or_network_owner"
|
|
|
|
# Definition of a shared subnetpool
|
|
#"shared_subnetpools": "field:subnetpools:shared=True"
|
|
|
|
# Create a subnetpool
|
|
# POST /subnetpools
|
|
#"create_subnetpool": "rule:regular_user"
|
|
|
|
# Create a shared subnetpool
|
|
# POST /subnetpools
|
|
#"create_subnetpool:shared": "rule:admin_only"
|
|
|
|
# Specify ``is_default`` attribute when creating a subnetpool
|
|
# POST /subnetpools
|
|
#"create_subnetpool:is_default": "rule:admin_only"
|
|
|
|
# Get a subnetpool
|
|
# GET /subnetpools
|
|
# GET /subnetpools/{id}
|
|
#"get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools"
|
|
|
|
# Update a subnetpool
|
|
# PUT /subnetpools/{id}
|
|
#"update_subnetpool": "rule:admin_or_owner"
|
|
|
|
# Update ``is_default`` attribute of a subnetpool
|
|
# PUT /subnetpools/{id}
|
|
#"update_subnetpool:is_default": "rule:admin_only"
|
|
|
|
# Delete a subnetpool
|
|
# DELETE /subnetpools/{id}
|
|
#"delete_subnetpool": "rule:admin_or_owner"
|
|
|
|
# Onboard existing subnet into a subnetpool
|
|
# Put /subnetpools/{id}/onboard_network_subnets
|
|
#"onboard_network_subnets": "rule:admin_or_owner"
|
|
|
|
# Add prefixes to a subnetpool
|
|
# Put /subnetpools/{id}/add_prefixes
|
|
#"add_prefixes": "rule:admin_or_owner"
|
|
|
|
# Remove unallocated prefixes from a subnetpool
|
|
# Put /subnetpools/{id}/remove_prefixes
|
|
#"remove_prefixes": "rule:admin_or_owner"
|
|
|
|
# Create a trunk
|
|
# POST /trunks
|
|
#"create_trunk": "rule:regular_user"
|
|
|
|
# Get a trunk
|
|
# GET /trunks
|
|
# GET /trunks/{id}
|
|
#"get_trunk": "rule:admin_or_owner"
|
|
|
|
# Update a trunk
|
|
# PUT /trunks/{id}
|
|
#"update_trunk": "rule:admin_or_owner"
|
|
|
|
# Delete a trunk
|
|
# DELETE /trunks/{id}
|
|
#"delete_trunk": "rule:admin_or_owner"
|
|
|
|
# List subports attached to a trunk
|
|
# GET /trunks/{id}/get_subports
|
|
#"get_subports": "rule:regular_user"
|
|
|
|
# Add subports to a trunk
|
|
# PUT /trunks/{id}/add_subports
|
|
#"add_subports": "rule:admin_or_owner"
|
|
|
|
# Delete subports from a trunk
|
|
# PUT /trunks/{id}/remove_subports
|
|
#"remove_subports": "rule:admin_or_owner"
|
|
|