# Octavia load-balancing API access policy, written in oslo.policy
# check-string syntax. It lists the default rule for every API operation.
#
# Every rule in this file is commented out, so the file as written
# overrides nothing. Uncommenting a rule and editing its check string
# replaces the default for that rule only.
#
# NOTE(review): the "Intended scope(s)" annotations are enforced only when
# oslo.policy's [oslo_policy] enforce_scope option is enabled. With it
# disabled, a token of the wrong scope is still accepted if the check
# string itself matches -- confirm the deployed setting.
#
# NOTE(review): for each rule marked DEPRECATED, oslo.policy keeps
# accepting the old check string in addition to the new default until
# [oslo_policy] enforce_new_defaults is enabled or the rule is overridden
# explicitly. Until then the legacy "role:admin" and "load-balancer:owner"
# paths quoted in the DEPRECATED notes still grant access.

# ---------------------------------------------------------------------
# Base personas: default roles combined with a token scope.
# ---------------------------------------------------------------------

# Intended scope(s): system
#"system-admin": "role:admin and system_scope:all"

# Intended scope(s): system
#"system-reader": "role:reader and system_scope:all"

# Intended scope(s): project
#"project-member": "role:member and project_id:%(project_id)s"

# Intended scope(s): project
#"project-reader": "role:reader and project_id:%(project_id)s"

# NOTE(review): "role:load-balancer_admin" carries no project_id or
# system_scope condition, so the role satisfies this rule on whatever
# scope it was assigned. Audit who holds it.
# Intended scope(s): system
#"context_is_admin": "role:load-balancer_admin or rule:system-admin"

# DEPRECATED
# "context_is_admin":"role:admin or role:load-balancer_admin" has been
# deprecated since W in favor of
# "context_is_admin":"role:load-balancer_admin or rule:system-admin".
# The Octavia API now requires the OpenStack default roles and scoped
# tokens. See
# https://docs.openstack.org/octavia/latest/configuration/policy.html
# and
# https://docs.openstack.org/keystone/latest/contributor/services.html#reusable-default-roles
# for more information.

# ---------------------------------------------------------------------
# Octavia role rules, built on the base personas above.
# ---------------------------------------------------------------------

# NOTE(review): among the defaults in this file, this rule is referenced
# only by the deprecated check strings of observer_and_owner and
# member_and_owner. It matches on the project alone, with no role
# condition.
# Intended scope(s): project
#"load-balancer:owner": "project_id:%(project_id)s"

# NOTE(review): the new default requires the reader role on the project
# (through rule:project-reader) as well as load-balancer_observer. The
# deprecated form only required a token for the owning project.
# Intended scope(s): project
#"load-balancer:observer_and_owner": "role:load-balancer_observer and rule:project-reader"

# DEPRECATED
# "load-balancer:observer_and_owner":"role:load-balancer_observer and
# rule:load-balancer:owner" has been deprecated since W in favor of
# "load-balancer:observer_and_owner":"role:load-balancer_observer and
# rule:project-reader".
# The Octavia API now requires the OpenStack default roles and scoped
# tokens. See
# https://docs.openstack.org/octavia/latest/configuration/policy.html
# and
# https://docs.openstack.org/keystone/latest/contributor/services.html#reusable-default-roles
# for more information.

# Intended scope(s): system
#"load-balancer:global_observer": "role:load-balancer_global_observer or rule:system-reader"

# NOTE(review): the new default requires the member role on the project
# (through rule:project-member) as well as load-balancer_member. The
# deprecated form only required a token for the owning project.
# Intended scope(s): project
#"load-balancer:member_and_owner": "role:load-balancer_member and rule:project-member"

# DEPRECATED
# "load-balancer:member_and_owner":"role:load-balancer_member and
# rule:load-balancer:owner" has been deprecated since W in favor of
# "load-balancer:member_and_owner":"role:load-balancer_member and
# rule:project-member".
# The Octavia API now requires the OpenStack default roles and scoped
# tokens. See
# https://docs.openstack.org/octavia/latest/configuration/policy.html
# and
# https://docs.openstack.org/keystone/latest/contributor/services.html#reusable-default-roles
# for more information.

# NOTE(review): this rule gates every admin-only operation in this file
# (flavor and availability zone management, profile management, failover,
# amphora management, provider capabilities). Any one of its three
# alternatives is sufficient. "is_admin:True" tests the request context's
# is_admin attribute -- presumably derived from context_is_admin; verify
# in the service code. "role:load-balancer_admin" has no scope condition.
# Intended scope(s): system
#"load-balancer:admin": "is_admin:True or role:load-balancer_admin or rule:system-admin"

# ---------------------------------------------------------------------
# Composite rules referenced by the per-operation rules below.
# ---------------------------------------------------------------------

# Intended scope(s): project, system
#"load-balancer:read": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin"

# NOTE(review): this rule backs every "get_all-global" operation, which
# lists resources owned by other projects. Widening it is a cross-project
# disclosure.
# Intended scope(s): system
#"load-balancer:read-global": "rule:load-balancer:global_observer or rule:load-balancer:admin"

# Intended scope(s): project, system
#"load-balancer:write": "rule:load-balancer:member_and_owner or rule:load-balancer:admin"

# Intended scope(s): project, system
#"load-balancer:read-quota": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin"

# Intended scope(s): system
#"load-balancer:read-quota-global": "rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin"

# NOTE(review): "role:load-balancer_quota_admin" is not tied to a project
# in this check string, while the quota endpoints take {project_id} in the
# path. Holders can presumably change any project's quota -- confirm
# against the API behaviour before assigning the role.
# Intended scope(s): system
#"load-balancer:write-quota": "role:load-balancer_quota_admin or rule:load-balancer:admin"

# ---------------------------------------------------------------------
# Flavors: readable by any load-balancer reader, changed by admins only.
# ---------------------------------------------------------------------

# List Flavors
# GET /v2.0/lbaas/flavors
#"os_load-balancer_api:flavor:get_all": "rule:load-balancer:read"

# Create a Flavor
# POST /v2.0/lbaas/flavors
#"os_load-balancer_api:flavor:post": "rule:load-balancer:admin"

# Update a Flavor
# PUT /v2.0/lbaas/flavors/{flavor_id}
#"os_load-balancer_api:flavor:put": "rule:load-balancer:admin"

# Show Flavor details
# GET /v2.0/lbaas/flavors/{flavor_id}
#"os_load-balancer_api:flavor:get_one": "rule:load-balancer:read"

# Remove a Flavor
# DELETE /v2.0/lbaas/flavors/{flavor_id}
#"os_load-balancer_api:flavor:delete": "rule:load-balancer:admin"

# ---------------------------------------------------------------------
# Flavor Profiles: every operation, including reads, is admin-only.
# ---------------------------------------------------------------------

# List Flavor Profiles
# GET /v2.0/lbaas/flavorprofiles
#"os_load-balancer_api:flavor-profile:get_all": "rule:load-balancer:admin"

# Create a Flavor Profile
# POST /v2.0/lbaas/flavorprofiles
#"os_load-balancer_api:flavor-profile:post": "rule:load-balancer:admin"

# Update a Flavor Profile
# PUT /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
#"os_load-balancer_api:flavor-profile:put": "rule:load-balancer:admin"

# Show Flavor Profile details
# GET /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
#"os_load-balancer_api:flavor-profile:get_one": "rule:load-balancer:admin"

# Remove a Flavor Profile
# DELETE /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
#"os_load-balancer_api:flavor-profile:delete": "rule:load-balancer:admin"

# ---------------------------------------------------------------------
# Availability Zones: readable by any load-balancer reader, changed by
# admins only.
# ---------------------------------------------------------------------

# List Availability Zones
# GET /v2.0/lbaas/availabilityzones
#"os_load-balancer_api:availability-zone:get_all": "rule:load-balancer:read"

# Create an Availability Zone
# POST /v2.0/lbaas/availabilityzones
#"os_load-balancer_api:availability-zone:post": "rule:load-balancer:admin"

# Update an Availability Zone
# PUT /v2.0/lbaas/availabilityzones/{availability_zone_id}
#"os_load-balancer_api:availability-zone:put": "rule:load-balancer:admin"

# Show Availability Zone details
# GET /v2.0/lbaas/availabilityzones/{availability_zone_id}
#"os_load-balancer_api:availability-zone:get_one": "rule:load-balancer:read"

# Remove an Availability Zone
# DELETE /v2.0/lbaas/availabilityzones/{availability_zone_id}
#"os_load-balancer_api:availability-zone:delete": "rule:load-balancer:admin"

# ---------------------------------------------------------------------
# Availability Zone Profiles: every operation, including reads, is
# admin-only.
# ---------------------------------------------------------------------

# List Availability Zone Profiles
# GET /v2.0/lbaas/availabilityzoneprofiles
#"os_load-balancer_api:availability-zone-profile:get_all": "rule:load-balancer:admin"

# Create an Availability Zone Profile
# POST /v2.0/lbaas/availabilityzoneprofiles
#"os_load-balancer_api:availability-zone-profile:post": "rule:load-balancer:admin"

# Update an Availability Zone Profile
# PUT /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
#"os_load-balancer_api:availability-zone-profile:put": "rule:load-balancer:admin"

# Show Availability Zone Profile details
# GET /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
#"os_load-balancer_api:availability-zone-profile:get_one": "rule:load-balancer:admin"

# Remove an Availability Zone Profile
# DELETE /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
#"os_load-balancer_api:availability-zone-profile:delete": "rule:load-balancer:admin"

# ---------------------------------------------------------------------
# Health Monitors
# ---------------------------------------------------------------------

# List Health Monitors of a Pool
# GET /v2/lbaas/healthmonitors
#"os_load-balancer_api:healthmonitor:get_all": "rule:load-balancer:read"

# List Health Monitors including resources owned by others
# GET /v2/lbaas/healthmonitors
#"os_load-balancer_api:healthmonitor:get_all-global": "rule:load-balancer:read-global"

# Create a Health Monitor
# POST /v2/lbaas/healthmonitors
#"os_load-balancer_api:healthmonitor:post": "rule:load-balancer:write"

# Show Health Monitor details
# GET /v2/lbaas/healthmonitors/{healthmonitor_id}
#"os_load-balancer_api:healthmonitor:get_one": "rule:load-balancer:read"

# Update a Health Monitor
# PUT /v2/lbaas/healthmonitors/{healthmonitor_id}
#"os_load-balancer_api:healthmonitor:put": "rule:load-balancer:write"

# Remove a Health Monitor
# DELETE /v2/lbaas/healthmonitors/{healthmonitor_id}
#"os_load-balancer_api:healthmonitor:delete": "rule:load-balancer:write"

# ---------------------------------------------------------------------
# L7 Policies
# ---------------------------------------------------------------------

# List L7 Policies
# GET /v2/lbaas/l7policies
#"os_load-balancer_api:l7policy:get_all": "rule:load-balancer:read"

# List L7 Policies including resources owned by others
# GET /v2/lbaas/l7policies
#"os_load-balancer_api:l7policy:get_all-global": "rule:load-balancer:read-global"

# Create an L7 Policy
# POST /v2/lbaas/l7policies
#"os_load-balancer_api:l7policy:post": "rule:load-balancer:write"

# Show L7 Policy details
# GET /v2/lbaas/l7policies/{l7policy_id}
#"os_load-balancer_api:l7policy:get_one": "rule:load-balancer:read"

# Update an L7 Policy
# PUT /v2/lbaas/l7policies/{l7policy_id}
#"os_load-balancer_api:l7policy:put": "rule:load-balancer:write"

# Remove an L7 Policy
# DELETE /v2/lbaas/l7policies/{l7policy_id}
#"os_load-balancer_api:l7policy:delete": "rule:load-balancer:write"

# ---------------------------------------------------------------------
# L7 Rules
# ---------------------------------------------------------------------

# List L7 Rules
# GET /v2/lbaas/l7policies/{l7policy_id}/rules
#"os_load-balancer_api:l7rule:get_all": "rule:load-balancer:read"

# Create an L7 Rule
# POST /v2/lbaas/l7policies/{l7policy_id}/rules
#"os_load-balancer_api:l7rule:post": "rule:load-balancer:write"

# Show L7 Rule details
# GET /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
#"os_load-balancer_api:l7rule:get_one": "rule:load-balancer:read"

# Update an L7 Rule
# PUT /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
#"os_load-balancer_api:l7rule:put": "rule:load-balancer:write"

# Remove an L7 Rule
# DELETE /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
#"os_load-balancer_api:l7rule:delete": "rule:load-balancer:write"

# ---------------------------------------------------------------------
# Listeners
# ---------------------------------------------------------------------

# List Listeners
# GET /v2/lbaas/listeners
#"os_load-balancer_api:listener:get_all": "rule:load-balancer:read"

# List Listeners including resources owned by others
# GET /v2/lbaas/listeners
#"os_load-balancer_api:listener:get_all-global": "rule:load-balancer:read-global"

# Create a Listener
# POST /v2/lbaas/listeners
#"os_load-balancer_api:listener:post": "rule:load-balancer:write"

# Show Listener details
# GET /v2/lbaas/listeners/{listener_id}
#"os_load-balancer_api:listener:get_one": "rule:load-balancer:read"

# Update a Listener
# PUT /v2/lbaas/listeners/{listener_id}
#"os_load-balancer_api:listener:put": "rule:load-balancer:write"

# Remove a Listener
# DELETE /v2/lbaas/listeners/{listener_id}
#"os_load-balancer_api:listener:delete": "rule:load-balancer:write"

# Show Listener statistics
# GET /v2/lbaas/listeners/{listener_id}/stats
#"os_load-balancer_api:listener:get_stats": "rule:load-balancer:read"

# ---------------------------------------------------------------------
# Load Balancers
# ---------------------------------------------------------------------

# List Load Balancers
# GET /v2/lbaas/loadbalancers
#"os_load-balancer_api:loadbalancer:get_all": "rule:load-balancer:read"

# List Load Balancers including resources owned by others
# GET /v2/lbaas/loadbalancers
#"os_load-balancer_api:loadbalancer:get_all-global": "rule:load-balancer:read-global"

# Create a Load Balancer
# POST /v2/lbaas/loadbalancers
#"os_load-balancer_api:loadbalancer:post": "rule:load-balancer:write"

# Show Load Balancer details
# GET /v2/lbaas/loadbalancers/{loadbalancer_id}
#"os_load-balancer_api:loadbalancer:get_one": "rule:load-balancer:read"

# Update a Load Balancer
# PUT /v2/lbaas/loadbalancers/{loadbalancer_id}
#"os_load-balancer_api:loadbalancer:put": "rule:load-balancer:write"

# Remove a Load Balancer
# DELETE /v2/lbaas/loadbalancers/{loadbalancer_id}
#"os_load-balancer_api:loadbalancer:delete": "rule:load-balancer:write"

# Show Load Balancer statistics
# GET /v2/lbaas/loadbalancers/{loadbalancer_id}/stats
#"os_load-balancer_api:loadbalancer:get_stats": "rule:load-balancer:read"

# Show Load Balancer status
# GET /v2/lbaas/loadbalancers/{loadbalancer_id}/status
#"os_load-balancer_api:loadbalancer:get_status": "rule:load-balancer:read"

# Failover is the one load balancer operation that defaults to admin-only
# rather than rule:load-balancer:write.
# Failover a Load Balancer
# PUT /v2/lbaas/loadbalancers/{loadbalancer_id}/failover
#"os_load-balancer_api:loadbalancer:put_failover": "rule:load-balancer:admin"

# ---------------------------------------------------------------------
# Pool Members
# ---------------------------------------------------------------------

# List Members of a Pool
# GET /v2/lbaas/pools/{pool_id}/members
#"os_load-balancer_api:member:get_all": "rule:load-balancer:read"

# Create a Member
# POST /v2/lbaas/pools/{pool_id}/members
#"os_load-balancer_api:member:post": "rule:load-balancer:write"

# Show Member details
# GET /v2/lbaas/pools/{pool_id}/members/{member_id}
#"os_load-balancer_api:member:get_one": "rule:load-balancer:read"

# Update a Member
# PUT /v2/lbaas/pools/{pool_id}/members/{member_id}
#"os_load-balancer_api:member:put": "rule:load-balancer:write"

# Remove a Member
# DELETE /v2/lbaas/pools/{pool_id}/members/{member_id}
#"os_load-balancer_api:member:delete": "rule:load-balancer:write"

# ---------------------------------------------------------------------
# Pools
# ---------------------------------------------------------------------

# List Pools
# GET /v2/lbaas/pools
#"os_load-balancer_api:pool:get_all": "rule:load-balancer:read"

# List Pools including resources owned by others
# GET /v2/lbaas/pools
#"os_load-balancer_api:pool:get_all-global": "rule:load-balancer:read-global"

# Create a Pool
# POST /v2/lbaas/pools
#"os_load-balancer_api:pool:post": "rule:load-balancer:write"

# Show Pool details
# GET /v2/lbaas/pools/{pool_id}
#"os_load-balancer_api:pool:get_one": "rule:load-balancer:read"

# Update a Pool
# PUT /v2/lbaas/pools/{pool_id}
#"os_load-balancer_api:pool:put": "rule:load-balancer:write"

# Remove a Pool
# DELETE /v2/lbaas/pools/{pool_id}
#"os_load-balancer_api:pool:delete": "rule:load-balancer:write"

# ---------------------------------------------------------------------
# Providers
# ---------------------------------------------------------------------

# List enabled providers
# GET /v2/lbaas/providers
#"os_load-balancer_api:provider:get_all": "rule:load-balancer:read"

# ---------------------------------------------------------------------
# Quotas: reads use the read-quota rules, changes use write-quota.
# ---------------------------------------------------------------------

# List Quotas
# GET /v2/lbaas/quotas
#"os_load-balancer_api:quota:get_all": "rule:load-balancer:read-quota"

# List Quotas including resources owned by others
# GET /v2/lbaas/quotas
#"os_load-balancer_api:quota:get_all-global": "rule:load-balancer:read-quota-global"

# Show Quota details
# GET /v2/lbaas/quotas/{project_id}
#"os_load-balancer_api:quota:get_one": "rule:load-balancer:read-quota"

# Update a Quota
# PUT /v2/lbaas/quotas/{project_id}
#"os_load-balancer_api:quota:put": "rule:load-balancer:write-quota"

# Reset a Quota
# DELETE /v2/lbaas/quotas/{project_id}
#"os_load-balancer_api:quota:delete": "rule:load-balancer:write-quota"

# Show Default Quota for a Project
# GET /v2/lbaas/quotas/{project_id}/default
#"os_load-balancer_api:quota:get_defaults": "rule:load-balancer:read-quota"

# ---------------------------------------------------------------------
# Amphorae
#
# NOTE(review): every amphora rule defaults to rule:load-balancer:admin,
# including the state-changing delete, put_config and put_failover.
# Relaxing any of them gives non-admin users control over what are
# presumably the service's backend instances -- review any override here
# with particular care.
# ---------------------------------------------------------------------

# List Amphorae
# GET /v2/octavia/amphorae
#"os_load-balancer_api:amphora:get_all": "rule:load-balancer:admin"

# Show Amphora details
# GET /v2/octavia/amphorae/{amphora_id}
#"os_load-balancer_api:amphora:get_one": "rule:load-balancer:admin"

# Delete an Amphora
# DELETE /v2/octavia/amphorae/{amphora_id}
#"os_load-balancer_api:amphora:delete": "rule:load-balancer:admin"

# Update Amphora Agent Configuration
# PUT /v2/octavia/amphorae/{amphora_id}/config
#"os_load-balancer_api:amphora:put_config": "rule:load-balancer:admin"

# Failover Amphora
# PUT /v2/octavia/amphorae/{amphora_id}/failover
#"os_load-balancer_api:amphora:put_failover": "rule:load-balancer:admin"

# Show Amphora statistics
# GET /v2/octavia/amphorae/{amphora_id}/stats
#"os_load-balancer_api:amphora:get_stats": "rule:load-balancer:admin"

# ---------------------------------------------------------------------
# Provider capabilities: admin-only reads.
# ---------------------------------------------------------------------

# List the provider flavor capabilities.
# GET /v2/lbaas/providers/{provider}/flavor_capabilities
#"os_load-balancer_api:provider-flavor:get_all": "rule:load-balancer:admin"

# List the provider availability zone capabilities.
# GET /v2/lbaas/providers/{provider}/availability_zone_capabilities
#"os_load-balancer_api:provider-availability-zone:get_all": "rule:load-balancer:admin"