240 lines
7.6 KiB
Plaintext
240 lines
7.6 KiB
Plaintext
# Legacy rule for cloud admin access
|
|
#"admin_api": "role:admin or role:administrator"
|
|
|
|
# Internal flag for public API routes
|
|
#"public_api": "is_public_api:True"
|
|
|
|
# Show or mask secrets within node driver information in API responses
|
|
#"show_password": "!"
|
|
|
|
# Show or mask secrets within instance information in API responses
|
|
#"show_instance_secrets": "!"
|
|
|
|
# May be used to restrict access to specific projects
|
|
#"is_member": "(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)"
|
|
|
|
# Read-only API access
|
|
#"is_observer": "rule:is_member and (role:observer or role:baremetal_observer)"
|
|
|
|
# Full read/write API access
|
|
#"is_admin": "rule:admin_api or (rule:is_member and role:baremetal_admin)"
|
|
|
|
# Create Node records
|
|
# POST /nodes
|
|
#"baremetal:node:create": "rule:is_admin"
|
|
|
|
# Retrieve Node records
|
|
# GET /nodes
|
|
# GET /nodes/detail
|
|
# GET /nodes/{node_ident}
|
|
#"baremetal:node:get": "rule:is_admin or rule:is_observer"
|
|
|
|
# Update Node records
|
|
# PATCH /nodes/{node_ident}
|
|
#"baremetal:node:update": "rule:is_admin"
|
|
|
|
# Delete Node records
|
|
# DELETE /nodes/{node_ident}
|
|
#"baremetal:node:delete": "rule:is_admin"
|
|
|
|
# Request active validation of Nodes
|
|
# GET /nodes/{node_ident}/validate
|
|
#"baremetal:node:validate": "rule:is_admin"
|
|
|
|
# Set maintenance flag, taking a Node out of service
|
|
# PUT /nodes/{node_ident}/maintenance
|
|
#"baremetal:node:set_maintenance": "rule:is_admin"
|
|
|
|
# Clear maintenance flag, placing the Node into service again
|
|
# DELETE /nodes/{node_ident}/maintenance
|
|
#"baremetal:node:clear_maintenance": "rule:is_admin"
|
|
|
|
# Retrieve Node boot device metadata
|
|
# GET /nodes/{node_ident}/management/boot_device
|
|
# GET /nodes/{node_ident}/management/boot_device/supported
|
|
#"baremetal:node:get_boot_device": "rule:is_admin or rule:is_observer"
|
|
|
|
# Change Node boot device
|
|
# PUT /nodes/{node_ident}/management/boot_device
|
|
#"baremetal:node:set_boot_device": "rule:is_admin"
|
|
|
|
# Inject NMI for a node
|
|
# PUT /nodes/{node_ident}/management/inject_nmi
|
|
#"baremetal:node:inject_nmi": "rule:is_admin"
|
|
|
|
# View Node power and provision state
|
|
# GET /nodes/{node_ident}/states
|
|
#"baremetal:node:get_states": "rule:is_admin or rule:is_observer"
|
|
|
|
# Change Node power status
|
|
# PUT /nodes/{node_ident}/states/power
|
|
#"baremetal:node:set_power_state": "rule:is_admin"
|
|
|
|
# Change Node provision status
|
|
# PUT /nodes/{node_ident}/states/provision
|
|
#"baremetal:node:set_provision_state": "rule:is_admin"
|
|
|
|
# Change Node RAID status
|
|
# PUT /nodes/{node_ident}/states/raid
|
|
#"baremetal:node:set_raid_state": "rule:is_admin"
|
|
|
|
# Get Node console connection information
|
|
# GET /nodes/{node_ident}/states/console
|
|
#"baremetal:node:get_console": "rule:is_admin"
|
|
|
|
# Change Node console status
|
|
# PUT /nodes/{node_ident}/states/console
|
|
#"baremetal:node:set_console_state": "rule:is_admin"
|
|
|
|
# List VIFs attached to node
|
|
# GET /nodes/{node_ident}/vifs
|
|
#"baremetal:node:vif:list": "rule:is_admin"
|
|
|
|
# Attach a VIF to a node
|
|
# POST /nodes/{node_ident}/vifs
|
|
#"baremetal:node:vif:attach": "rule:is_admin"
|
|
|
|
# Detach a VIF from a node
|
|
# DELETE /nodes/{node_ident}/vifs/{node_vif_ident}
|
|
#"baremetal:node:vif:detach": "rule:is_admin"
|
|
|
|
# List node traits
|
|
# GET /nodes/{node_ident}/traits
|
|
#"baremetal:node:traits:list": "rule:is_admin or rule:is_observer"
|
|
|
|
# Add a trait to, or replace all traits of, a node
|
|
# PUT /nodes/{node_ident}/traits
|
|
# PUT /nodes/{node_ident}/traits/{trait}
|
|
#"baremetal:node:traits:set": "rule:is_admin"
|
|
|
|
# Remove one or all traits from a node
|
|
# DELETE /nodes/{node_ident}/traits
|
|
# DELETE /nodes/{node_ident}/traits/{trait}
|
|
#"baremetal:node:traits:delete": "rule:is_admin"
|
|
|
|
# Retrieve Port records
|
|
# GET /ports
|
|
# GET /ports/detail
|
|
# GET /ports/{port_id}
|
|
# GET /nodes/{node_ident}/ports
|
|
# GET /nodes/{node_ident}/ports/detail
|
|
# GET /portgroups/{portgroup_ident}/ports
|
|
# GET /portgroups/{portgroup_ident}/ports/detail
|
|
#"baremetal:port:get": "rule:is_admin or rule:is_observer"
|
|
|
|
# Create Port records
|
|
# POST /ports
|
|
#"baremetal:port:create": "rule:is_admin"
|
|
|
|
# Delete Port records
|
|
# DELETE /ports/{port_id}
|
|
#"baremetal:port:delete": "rule:is_admin"
|
|
|
|
# Update Port records
|
|
# PATCH /ports/{port_id}
|
|
#"baremetal:port:update": "rule:is_admin"
|
|
|
|
# Retrieve Portgroup records
|
|
# GET /portgroups
|
|
# GET /portgroups/detail
|
|
# GET /portgroups/{portgroup_ident}
|
|
# GET /nodes/{node_ident}/portgroups
|
|
# GET /nodes/{node_ident}/portgroups/detail
|
|
#"baremetal:portgroup:get": "rule:is_admin or rule:is_observer"
|
|
|
|
# Create Portgroup records
|
|
# POST /portgroups
|
|
#"baremetal:portgroup:create": "rule:is_admin"
|
|
|
|
# Delete Portgroup records
|
|
# DELETE /portgroups/{portgroup_ident}
|
|
#"baremetal:portgroup:delete": "rule:is_admin"
|
|
|
|
# Update Portgroup records
|
|
# PATCH /portgroups/{portgroup_ident}
|
|
#"baremetal:portgroup:update": "rule:is_admin"
|
|
|
|
# Retrieve Chassis records
|
|
# GET /chassis
|
|
# GET /chassis/detail
|
|
# GET /chassis/{chassis_id}
|
|
#"baremetal:chassis:get": "rule:is_admin or rule:is_observer"
|
|
|
|
# Create Chassis records
|
|
# POST /chassis
|
|
#"baremetal:chassis:create": "rule:is_admin"
|
|
|
|
# Delete Chassis records
|
|
# DELETE /chassis/{chassis_id}
|
|
#"baremetal:chassis:delete": "rule:is_admin"
|
|
|
|
# Update Chassis records
|
|
# PATCH /chassis/{chassis_id}
|
|
#"baremetal:chassis:update": "rule:is_admin"
|
|
|
|
# View list of available drivers
|
|
# GET /drivers
|
|
# GET /drivers/{driver_name}
|
|
#"baremetal:driver:get": "rule:is_admin or rule:is_observer"
|
|
|
|
# View driver-specific properties
|
|
# GET /drivers/{driver_name}/properties
|
|
#"baremetal:driver:get_properties": "rule:is_admin or rule:is_observer"
|
|
|
|
# View driver-specific RAID metadata
|
|
# GET /drivers/{driver_name}/raid/logical_disk_properties
|
|
#"baremetal:driver:get_raid_logical_disk_properties": "rule:is_admin or rule:is_observer"
|
|
|
|
# Access vendor-specific Node functions
|
|
# GET nodes/{node_ident}/vendor_passthru/methods
|
|
# GET nodes/{node_ident}/vendor_passthru?method={method_name}
|
|
# PUT nodes/{node_ident}/vendor_passthru?method={method_name}
|
|
# POST nodes/{node_ident}/vendor_passthru?method={method_name}
|
|
# PATCH nodes/{node_ident}/vendor_passthru?method={method_name}
|
|
# DELETE nodes/{node_ident}/vendor_passthru?method={method_name}
|
|
#"baremetal:node:vendor_passthru": "rule:is_admin"
|
|
|
|
# Access vendor-specific Driver functions
|
|
# GET drivers/{driver_name}/vendor_passthru/methods
|
|
# GET drivers/{driver_name}/vendor_passthru?method={method_name}
|
|
# PUT drivers/{driver_name}/vendor_passthru?method={method_name}
|
|
# POST drivers/{driver_name}/vendor_passthru?method={method_name}
|
|
# PATCH drivers/{driver_name}/vendor_passthru?method={method_name}
|
|
# DELETE drivers/{driver_name}/vendor_passthru?method={method_name}
|
|
#"baremetal:driver:vendor_passthru": "rule:is_admin"
|
|
|
|
# Send heartbeats from IPA ramdisk
|
|
# POST /heartbeat/{node_ident}
|
|
#"baremetal:node:ipa_heartbeat": "rule:public_api"
|
|
|
|
# Access IPA ramdisk functions
|
|
# GET /lookup
|
|
#"baremetal:driver:ipa_lookup": "rule:public_api"
|
|
|
|
# Retrieve Volume connector and target records
|
|
# GET /volume
|
|
# GET /volume/connectors
|
|
# GET /volume/connectors/{volume_connector_id}
|
|
# GET /volume/targets
|
|
# GET /volume/targets/{volume_target_id}
|
|
# GET /nodes/{node_ident}/volume
|
|
# GET /nodes/{node_ident}/volume/connectors
|
|
# GET /nodes/{node_ident}/volume/targets
|
|
#"baremetal:volume:get": "rule:is_admin or rule:is_observer"
|
|
|
|
# Create Volume connector and target records
|
|
# POST /volume/connectors
|
|
# POST /volume/targets
|
|
#"baremetal:volume:create": "rule:is_admin"
|
|
|
|
# Delete Volume connector and target records
|
|
# DELETE /volume/connectors/{volume_connector_id}
|
|
# DELETE /volume/targets/{volume_target_id}
|
|
#"baremetal:volume:delete": "rule:is_admin"
|
|
|
|
# Update Volume connector and target records
|
|
# PATCH /volume/connectors/{volume_connector_id}
|
|
# PATCH /volume/targets/{volume_target_id}
|
|
#"baremetal:volume:update": "rule:is_admin"
|
|
|