horizon/openstack_dashboard/conf/cinder_policy.yaml

# Decides what is required for the 'is_admin:True' check to succeed.
#"context_is_admin": "role:admin"

# Default rule for most non-Admin APIs.
#"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"

# Default rule for most Admin APIs.
#"admin_api": "is_admin:True or (role:admin and is_admin_project:True)"

# Create attachment.
# POST  /attachments
#"volume:attachment_create": ""

# Update attachment.
# PUT  /attachments/{attachment_id}
#"volume:attachment_update": "rule:admin_or_owner"

# Delete attachment.
# DELETE  /attachments/{attachment_id}
#"volume:attachment_delete": "rule:admin_or_owner"

# Mark a volume attachment process as completed (in-use)
# POST  /attachments/{attachment_id}/action (os-complete)
#"volume:attachment_complete": "rule:admin_or_owner"

# Allow multiattach of bootable volumes.
# POST  /attachments
#"volume:multiattach_bootable_volume": "rule:admin_or_owner"

# List messages.
# GET  /messages
#"message:get_all": "rule:admin_or_owner"

# Show message.
# GET  /messages/{message_id}
#"message:get": "rule:admin_or_owner"

# Delete message.
# DELETE  /messages/{message_id}
#"message:delete": "rule:admin_or_owner"

# List clusters.
# GET  /clusters
# GET  /clusters/detail
#"clusters:get_all": "rule:admin_api"

# Show cluster.
# GET  /clusters/{cluster_id}
#"clusters:get": "rule:admin_api"

# Update cluster.
# PUT  /clusters/{cluster_id}
#"clusters:update": "rule:admin_api"

# Clean up workers.
# POST  /workers/cleanup
#"workers:cleanup": "rule:admin_api"

# Show snapshot's metadata or one specified metadata with a given key.
# GET  /snapshots/{snapshot_id}/metadata
# GET  /snapshots/{snapshot_id}/metadata/{key}
#"volume:get_snapshot_metadata": "rule:admin_or_owner"

# Update snapshot's metadata or one specified metadata with a given
# key.
# PUT  /snapshots/{snapshot_id}/metadata
# PUT  /snapshots/{snapshot_id}/metadata/{key}
#"volume:update_snapshot_metadata": "rule:admin_or_owner"

# Delete snapshot's specified metadata with a given key.
# DELETE  /snapshots/{snapshot_id}/metadata/{key}
#"volume:delete_snapshot_metadata": "rule:admin_or_owner"

# List snapshots.
# GET  /snapshots
# GET  /snapshots/detail
#"volume:get_all_snapshots": "rule:admin_or_owner"

# List or show snapshots with extended attributes.
# GET  /snapshots/{snapshot_id}
# GET  /snapshots/detail
#"volume_extension:extended_snapshot_attributes": "rule:admin_or_owner"

# Create snapshot.
# POST  /snapshots
#"volume:create_snapshot": "rule:admin_or_owner"

# Show snapshot.
# GET  /snapshots/{snapshot_id}
#"volume:get_snapshot": "rule:admin_or_owner"

# Update snapshot.
# PUT  /snapshots/{snapshot_id}
#"volume:update_snapshot": "rule:admin_or_owner"

# Delete snapshot.
# DELETE  /snapshots/{snapshot_id}
#"volume:delete_snapshot": "rule:admin_or_owner"

# Reset status of a snapshot.
# POST  /snapshots/{snapshot_id}/action (os-reset_status)
#"volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api"

# Update database fields of snapshot.
# POST  /snapshots/{snapshot_id}/action (update_snapshot_status)
#"snapshot_extension:snapshot_actions:update_snapshot_status": ""

# Force delete a snapshot.
# POST  /snapshots/{snapshot_id}/action (os-force_delete)
#"volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api"

# List (in detail) of snapshots which are available to manage.
# GET  /manageable_snapshots
# GET  /manageable_snapshots/detail
#"snapshot_extension:list_manageable": "rule:admin_api"

# Manage an existing snapshot.
# POST  /manageable_snapshots
#"snapshot_extension:snapshot_manage": "rule:admin_api"

# Stop managing a snapshot.
# POST  /snapshots/{snapshot_id}/action (os-unmanage)
#"snapshot_extension:snapshot_unmanage": "rule:admin_api"

# List backups.
# GET  /backups
# GET  /backups/detail
#"backup:get_all": "rule:admin_or_owner"

# List backups or show backup with project attributes.
# GET  /backups/{backup_id}
# GET  /backups/detail
#"backup:backup_project_attribute": "rule:admin_api"

# Create backup.
# POST  /backups
#"backup:create": ""

# Show backup.
# GET  /backups/{backup_id}
#"backup:get": "rule:admin_or_owner"

# Update backup.
# PUT  /backups/{backup_id}
#"backup:update": "rule:admin_or_owner"

# Delete backup.
# DELETE  /backups/{backup_id}
#"backup:delete": "rule:admin_or_owner"

# Restore backup.
# POST  /backups/{backup_id}/restore
#"backup:restore": "rule:admin_or_owner"

# Import backup.
# POST  /backups/{backup_id}/import_record
#"backup:backup-import": "rule:admin_api"

# Export backup.
# POST  /backups/{backup_id}/export_record
#"backup:export-import": "rule:admin_api"

# Reset status of a backup.
# POST  /backups/{backup_id}/action (os-reset_status)
#"volume_extension:backup_admin_actions:reset_status": "rule:admin_api"

# Force delete a backup.
# POST  /backups/{backup_id}/action (os-force_delete)
#"volume_extension:backup_admin_actions:force_delete": "rule:admin_api"

# List groups.
# GET  /groups
# GET  /groups/detail
#"group:get_all": "rule:admin_or_owner"

# Create group.
# POST  /groups
#"group:create": ""

# Show group.
# GET  /groups/{group_id}
#"group:get": "rule:admin_or_owner"

# Update group.
# PUT  /groups/{group_id}
#"group:update": "rule:admin_or_owner"

# List groups or show group with project attributes.
# GET  /groups/{group_id}
# GET  /groups/detail
#"group:group_project_attribute": "rule:admin_api"

# Create, update or delete a group type.
# POST  /group_types/
# PUT  /group_types/{group_type_id}
# DELETE  /group_types/{group_type_id}
#"group:group_types_manage": "rule:admin_api"

# Show group type with type specs attributes.
# GET  /group_types/{group_type_id}
#"group:access_group_types_specs": "rule:admin_api"

# Create, show, update and delete group type spec.
# GET  /group_types/{group_type_id}/group_specs/{g_spec_id}
# GET  /group_types/{group_type_id}/group_specs
# POST  /group_types/{group_type_id}/group_specs
# PUT  /group_types/{group_type_id}/group_specs/{g_spec_id}
# DELETE  /group_types/{group_type_id}/group_specs/{g_spec_id}
#"group:group_types_specs": "rule:admin_api"

# List group snapshots.
# GET  /group_snapshots
# GET  /group_snapshots/detail
#"group:get_all_group_snapshots": "rule:admin_or_owner"

# Create group snapshot.
# POST  /group_snapshots
#"group:create_group_snapshot": ""

# Show group snapshot.
# GET  /group_snapshots/{group_snapshot_id}
#"group:get_group_snapshot": "rule:admin_or_owner"

# Delete group snapshot.
# DELETE  /group_snapshots/{group_snapshot_id}
#"group:delete_group_snapshot": "rule:admin_or_owner"

# Update group snapshot.
# PUT  /group_snapshots/{group_snapshot_id}
#"group:update_group_snapshot": "rule:admin_or_owner"

# List group snapshots or show group snapshot with project attributes.
# GET  /group_snapshots/{group_snapshot_id}
# GET  /group_snapshots/detail
#"group:group_snapshot_project_attribute": "rule:admin_api"

# Reset status of group snapshot.
# POST  /group_snapshots/{g_snapshot_id}/action (reset_status)
#"group:reset_group_snapshot_status": "rule:admin_or_owner"

# Delete group.
# POST  /groups/{group_id}/action (delete)
#"group:delete": "rule:admin_or_owner"

# Reset status of group.
# POST  /groups/{group_id}/action (reset_status)
#"group:reset_status": "rule:admin_api"

# Enable replication.
# POST  /groups/{group_id}/action (enable_replication)
#"group:enable_replication": "rule:admin_or_owner"

# Disable replication.
# POST  /groups/{group_id}/action (disable_replication)
#"group:disable_replication": "rule:admin_or_owner"

# Fail over replication.
# POST  /groups/{group_id}/action (failover_replication)
#"group:failover_replication": "rule:admin_or_owner"

# List failover replication.
# POST  /groups/{group_id}/action (list_replication_targets)
#"group:list_replication_targets": "rule:admin_or_owner"

# List qos specs or list all associations.
# GET  /qos-specs
# GET  /qos-specs/{qos_id}/associations
#"volume_extension:qos_specs_manage:get_all": "rule:admin_api"

# Show qos specs.
# GET  /qos-specs/{qos_id}
#"volume_extension:qos_specs_manage:get": "rule:admin_api"

# Create qos specs.
# POST  /qos-specs
#"volume_extension:qos_specs_manage:create": "rule:admin_api"

# Update qos specs (including updating association).
# PUT  /qos-specs/{qos_id}
# GET  /qos-specs/{qos_id}/disassociate_all
# GET  /qos-specs/{qos_id}/associate
# GET  /qos-specs/{qos_id}/disassociate
#"volume_extension:qos_specs_manage:update": "rule:admin_api"

# delete qos specs or unset one specified qos key.
# DELETE  /qos-specs/{qos_id}
# PUT  /qos-specs/{qos_id}/delete_keys
#"volume_extension:qos_specs_manage:delete": "rule:admin_api"

# Show or update project quota class.
# GET  /os-quota-class-sets/{project_id}
# PUT  /os-quota-class-sets/{project_id}
#"volume_extension:quota_classes": "rule:admin_api"

# Show project quota (including usage and default).
# GET  /os-quota-sets/{project_id}
# GET  /os-quota-sets/{project_id}/default
# GET  /os-quota-sets/{project_id}?usage=True
#"volume_extension:quotas:show": "rule:admin_or_owner"

# Update project quota.
# PUT  /os-quota-sets/{project_id}
#"volume_extension:quotas:update": "rule:admin_api"

# Delete project quota.
# DELETE  /os-quota-sets/{project_id}
#"volume_extension:quotas:delete": "rule:admin_api"

# Validate setup for nested quota.
# GET  /os-quota-sets/validate_setup_for_nested_quota_use
#"volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api"

# Show backend capabilities.
# GET  /capabilities/{host_name}
#"volume_extension:capabilities": "rule:admin_api"

# List all services.
# GET  /os-services
#"volume_extension:services:index": "rule:admin_api"

# Update service, including failover_host, thaw, freeze, disable,
# enable, set-log and get-log actions.
# PUT  /os-services/{action}
#"volume_extension:services:update": "rule:admin_api"

# Freeze a backend host.
# PUT  /os-services/freeze
#"volume:freeze_host": "rule:admin_api"

# Thaw a backend host.
# PUT  /os-services/thaw
#"volume:thaw_host": "rule:admin_api"

# Failover a backend host.
# PUT  /os-services/failover_host
#"volume:failover_host": "rule:admin_api"

# List all backend pools.
# GET  /scheduler-stats/get_pools
#"scheduler_extension:scheduler_stats:get_pools": "rule:admin_api"

# List, update or show hosts for a project.
# GET  /os-hosts
# PUT  /os-hosts/{host_name}
# GET  /os-hosts/{host_id}
#"volume_extension:hosts": "rule:admin_api"

# Show limits with used limit attributes.
# GET  /limits
#"limits_extension:used_limits": "rule:admin_or_owner"

# List (in detail) of volumes which are available to manage.
# GET  /manageable_volumes
# GET  /manageable_volumes/detail
#"volume_extension:list_manageable": "rule:admin_api"

# Manage existing volumes.
# POST  /manageable_volumes
#"volume_extension:volume_manage": "rule:admin_api"

# Stop managing a volume.
# POST  /volumes/{volume_id}/action (os-unmanage)
#"volume_extension:volume_unmanage": "rule:admin_api"

# Create, update and delete volume type.
# POST  /types
# PUT  /types
# DELETE  /types
#"volume_extension:types_manage": "rule:admin_api"

# Get one specific volume type.
# GET  /types/{type_id}
#"volume_extension:type_get": ""

# List volume types.
# GET  /types/
#"volume_extension:type_get_all": ""

# Base policy for all volume type encryption type operations.  This
# can be used to set the policies for a volume type's encryption type
# create, show, update, and delete actions in one place, or any of
# those may be set individually using the following policy targets for
# finer grained control.
# POST  /types/{type_id}/encryption
# PUT  /types/{type_id}/encryption/{encryption_id}
# GET  /types/{type_id}/encryption
# GET  /types/{type_id}/encryption/{key}
# DELETE  /types/{type_id}/encryption/{encryption_id}
#"volume_extension:volume_type_encryption": "rule:admin_api"

# Create volume type encryption.
# POST  /types/{type_id}/encryption
#"volume_extension:volume_type_encryption:create": "rule:volume_extension:volume_type_encryption"

# Show a volume type's encryption type, show an encryption specs item.
# GET  /types/{type_id}/encryption
# GET  /types/{type_id}/encryption/{key}
#"volume_extension:volume_type_encryption:get": "rule:volume_extension:volume_type_encryption"

# Update volume type encryption.
# PUT  /types/{type_id}/encryption/{encryption_id}
#"volume_extension:volume_type_encryption:update": "rule:volume_extension:volume_type_encryption"

# Delete volume type encryption.
# DELETE  /types/{type_id}/encryption/{encryption_id}
#"volume_extension:volume_type_encryption:delete": "rule:volume_extension:volume_type_encryption"

# List or show volume type with access type extra specs attribute.
# GET  /types/{type_id}
# GET  /types
#"volume_extension:access_types_extra_specs": "rule:admin_api"

# List or show volume type with access type qos specs id attribute.
# GET  /types/{type_id}
# GET  /types
#"volume_extension:access_types_qos_specs_id": "rule:admin_api"

# Volume type access related APIs.
# GET  /types
# GET  /types/detail
# GET  /types/{type_id}
# POST  /types
#"volume_extension:volume_type_access": "rule:admin_or_owner"

# Add volume type access for project.
# POST  /types/{type_id}/action (addProjectAccess)
#"volume_extension:volume_type_access:addProjectAccess": "rule:admin_api"

# Remove volume type access for project.
# POST  /types/{type_id}/action (removeProjectAccess)
#"volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api"

# Extend a volume.
# POST  /volumes/{volume_id}/action (os-extend)
#"volume:extend": "rule:admin_or_owner"

# Extend a attached volume.
# POST  /volumes/{volume_id}/action (os-extend)
#"volume:extend_attached_volume": "rule:admin_or_owner"

# Revert a volume to a snapshot.
# POST  /volumes/{volume_id}/action (revert)
#"volume:revert_to_snapshot": "rule:admin_or_owner"

# Reset status of a volume.
# POST  /volumes/{volume_id}/action (os-reset_status)
#"volume_extension:volume_admin_actions:reset_status": "rule:admin_api"

# Retype a volume.
# POST  /volumes/{volume_id}/action (os-retype)
#"volume:retype": "rule:admin_or_owner"

# Update a volume's readonly flag.
# POST  /volumes/{volume_id}/action (os-update_readonly_flag)
#"volume:update_readonly_flag": "rule:admin_or_owner"

# Force delete a volume.
# POST  /volumes/{volume_id}/action (os-force_delete)
#"volume_extension:volume_admin_actions:force_delete": "rule:admin_api"

# Upload a volume to image with public visibility.
# POST  /volumes/{volume_id}/action (os-volume_upload_image)
#"volume_extension:volume_actions:upload_public": "rule:admin_api"

# Upload a volume to image.
# POST  /volumes/{volume_id}/action (os-volume_upload_image)
#"volume_extension:volume_actions:upload_image": "rule:admin_or_owner"

# Force detach a volume.
# POST  /volumes/{volume_id}/action (os-force_detach)
#"volume_extension:volume_admin_actions:force_detach": "rule:admin_api"

# migrate a volume to a specified host.
# POST  /volumes/{volume_id}/action (os-migrate_volume)
#"volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api"

# Complete a volume migration.
# POST  /volumes/{volume_id}/action (os-migrate_volume_completion)
#"volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api"

# Initialize volume attachment.
# POST  /volumes/{volume_id}/action (os-initialize_connection)
#"volume_extension:volume_actions:initialize_connection": "rule:admin_or_owner"

# Terminate volume attachment.
# POST  /volumes/{volume_id}/action (os-terminate_connection)
#"volume_extension:volume_actions:terminate_connection": "rule:admin_or_owner"

# Roll back volume status to 'in-use'.
# POST  /volumes/{volume_id}/action (os-roll_detaching)
#"volume_extension:volume_actions:roll_detaching": "rule:admin_or_owner"

# Mark volume as reserved.
# POST  /volumes/{volume_id}/action (os-reserve)
#"volume_extension:volume_actions:reserve": "rule:admin_or_owner"

# Unmark volume as reserved.
# POST  /volumes/{volume_id}/action (os-unreserve)
#"volume_extension:volume_actions:unreserve": "rule:admin_or_owner"

# Begin detach volumes.
# POST  /volumes/{volume_id}/action (os-begin_detaching)
#"volume_extension:volume_actions:begin_detaching": "rule:admin_or_owner"

# Add attachment metadata.
# POST  /volumes/{volume_id}/action (os-attach)
#"volume_extension:volume_actions:attach": "rule:admin_or_owner"

# Clear attachment metadata.
# POST  /volumes/{volume_id}/action (os-detach)
#"volume_extension:volume_actions:detach": "rule:admin_or_owner"

# List volume transfer.
# GET  /os-volume-transfer
# GET  /os-volume-transfer/detail
# GET  /volume_transfers
# GET  /volume-transfers/detail
#"volume:get_all_transfers": "rule:admin_or_owner"

# Create a volume transfer.
# POST  /os-volume-transfer
# POST  /volume_transfers
#"volume:create_transfer": "rule:admin_or_owner"

# Show one specified volume transfer.
# GET  /os-volume-transfer/{transfer_id}
# GET  /volume-transfers/{transfer_id}
#"volume:get_transfer": "rule:admin_or_owner"

# Accept a volume transfer.
# POST  /os-volume-transfer/{transfer_id}/accept
# POST  /volume-transfers/{transfer_id}/accept
#"volume:accept_transfer": ""

# Delete volume transfer.
# DELETE  /os-volume-transfer/{transfer_id}
# DELETE  /volume-transfers/{transfer_id}
#"volume:delete_transfer": "rule:admin_or_owner"

# Show volume's metadata or one specified metadata with a given key.
# GET  /volumes/{volume_id}/metadata
# GET  /volumes/{volume_id}/metadata/{key}
#"volume:get_volume_metadata": "rule:admin_or_owner"

# Create volume metadata.
# POST  /volumes/{volume_id}/metadata
#"volume:create_volume_metadata": "rule:admin_or_owner"

# Update volume's metadata or one specified metadata with a given key.
# PUT  /volumes/{volume_id}/metadata
# PUT  /volumes/{volume_id}/metadata/{key}
#"volume:update_volume_metadata": "rule:admin_or_owner"

# Delete volume's specified metadata with a given key.
# DELETE  /volumes/{volume_id}/metadata/{key}
#"volume:delete_volume_metadata": "rule:admin_or_owner"

# Volume's image metadata related operation, create, delete, show and
# list.
# GET  /volumes/detail
# GET  /volumes/{volume_id}
# POST  /volumes/{volume_id}/action (os-set_image_metadata)
# POST  /volumes/{volume_id}/action (os-unset_image_metadata)
#"volume_extension:volume_image_metadata": "rule:admin_or_owner"

# Update volume admin metadata. It's used in `attach` and `os-
# update_readonly_flag` APIs
# POST  /volumes/{volume_id}/action (os-update_readonly_flag)
# POST  /volumes/{volume_id}/action (os-attach)
#"volume:update_volume_admin_metadata": "rule:admin_api"

# List type extra specs.
# GET  /types/{type_id}/extra_specs
#"volume_extension:types_extra_specs:index": "rule:admin_api"

# Create type extra specs.
# POST  /types/{type_id}/extra_specs
#"volume_extension:types_extra_specs:create": "rule:admin_api"

# Show one specified type extra specs.
# GET  /types/{type_id}/extra_specs/{extra_spec_key}
#"volume_extension:types_extra_specs:show": "rule:admin_api"

# Update type extra specs.
# PUT  /types/{type_id}/extra_specs/{extra_spec_key}
#"volume_extension:types_extra_specs:update": "rule:admin_api"

# Delete type extra specs.
# DELETE  /types/{type_id}/extra_specs/{extra_spec_key}
#"volume_extension:types_extra_specs:delete": "rule:admin_api"

# Create volume.
# POST  /volumes
#"volume:create": ""

# Create volume from image.
# POST  /volumes
#"volume:create_from_image": ""

# Show volume.
# GET  /volumes/{volume_id}
#"volume:get": "rule:admin_or_owner"

# List volumes or get summary of volumes.
# GET  /volumes
# GET  /volumes/detail
# GET  /volumes/summary
#"volume:get_all": "rule:admin_or_owner"

# Update volume or update a volume's bootable status.
# PUT  /volumes
# POST  /volumes/{volume_id}/action (os-set_bootable)
#"volume:update": "rule:admin_or_owner"

# Delete volume.
# DELETE  /volumes/{volume_id}
#"volume:delete": "rule:admin_or_owner"

# Force Delete a volume.
# DELETE  /volumes/{volume_id}
#"volume:force_delete": "rule:admin_api"

# List or show volume with host attribute.
# GET  /volumes/{volume_id}
# GET  /volumes/detail
#"volume_extension:volume_host_attribute": "rule:admin_api"

# List or show volume with tenant attribute.
# GET  /volumes/{volume_id}
# GET  /volumes/detail
#"volume_extension:volume_tenant_attribute": "rule:admin_or_owner"

# List or show volume with migration status attribute.
# GET  /volumes/{volume_id}
# GET  /volumes/detail
#"volume_extension:volume_mig_status_attribute": "rule:admin_api"

# Show volume's encryption metadata.
# GET  /volumes/{volume_id}/encryption
# GET  /volumes/{volume_id}/encryption/{encryption_key}
#"volume_extension:volume_encryption_metadata": "rule:admin_or_owner"

# Create multiattach capable volume.
# POST  /volumes
#"volume:multiattach": "rule:admin_or_owner"