parameter_defaults:
  # NOTE(review): EnforceSecureRbac is false while the policy maps below spell
  # out reader/member/admin rules by hand, so those explicit overrides carry
  # the role separation in this file. Presumably the flag governs oslo.policy's
  # enforce_new_defaults/enforce_scope; confirm in the templates that consume
  # it before relying on any system_scope check defined below.
  EnforceSecureRbac: false
  NovaApiPolicies:
    # Base rules. The per-API entries in this map refer to them as rule:<name>.
    # context_is_admin checks the role only: there is no project_id or
    # system_scope term, so the admin role on any project satisfies it.
    nova-context_is_admin:
      key: "context_is_admin"
      value: "role:admin"
    # The owner side matches on project_id alone, with no role term, so any role
    # held on the project (reader included) satisfies it. No entry in
    # NovaApiPolicies references rule:admin_or_owner.
    nova-admin_or_owner:
      key: "admin_or_owner"
      value: "is_admin:True or project_id:%(project_id)s"
    # admin_api gates every admin-only entry in this map and is role-only.
    # NOTE(review): with no project or scope constraint, an admin role
    # assignment on any single project passes every rule:admin_api check;
    # confirm that deployment-wide reach is intended.
    nova-admin_api:
      key: "admin_api"
      value: "role:admin"
    # The two system_* rules require system_scope:all in addition to the role.
    # In this map they are used only by system_admin_or_owner and
    # system_or_project_reader.
    nova-system_admin_api:
      key: "system_admin_api"
      value: "role:admin and system_scope:all"
    nova-system_reader_api:
      key: "system_reader_api"
      value: "role:reader and system_scope:all"
    # Admin role bound to the target project. Defined here, but not referenced
    # by any entry in NovaApiPolicies.
    nova-project_admin_api:
      key: "project_admin_api"
      value: "role:admin and project_id:%(project_id)s"
    # Member role bound to the target project; used by the write-style rules.
    nova-project_member_api:
      key: "project_member_api"
      value: "role:member and project_id:%(project_id)s"
    # NOTE(review): this policy name literally starts with "rule:", whereas the
    # other base rules are named without the prefix and referenced as
    # rule:<name>. Confirm this is the name the service looks up; if it is not,
    # the entry has no effect and admin_or_owner keeps its project-only check.
    nova-rule_admin_or_owner:
      key: "rule:admin_or_owner"
      value: "rule:project_member_api"
    # Reader role bound to the target project; used by the read-style rules.
    nova-project_reader_api:
      key: "project_reader_api"
      value: "role:reader and project_id:%(project_id)s"
    # Composite rules that combine system scope with project scope. No
    # per-API entry in NovaApiPolicies references either of them.
    nova-system_admin_or_owner:
      key: "system_admin_or_owner"
      value: "rule:system_admin_api or rule:project_member_api"
    nova-system_or_project_reader:
      key: "system_or_project_reader"
      value: "rule:system_reader_api or rule:project_reader_api"
    nova-os_compute_api_os-admin-actions_reset_state:
      key: "os_compute_api:os-admin-actions:reset_state"
      value: "rule:admin_api"
    nova-os_compute_api_os-admin-actions_inject_network_info:
      key: "os_compute_api:os-admin-actions:inject_network_info"
      value: "rule:admin_api"
    nova-os_compute_api_os-admin-password:
      key: "os_compute_api:os-admin-password"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-aggregates_set_metadata:
      key: "os_compute_api:os-aggregates:set_metadata"
      value: "rule:admin_api"
    nova-os_compute_api_os-aggregates_add_host:
      key: "os_compute_api:os-aggregates:add_host"
      value: "rule:admin_api"
    nova-os_compute_api_os-aggregates_create:
      key: "os_compute_api:os-aggregates:create"
      value: "rule:admin_api"
    nova-os_compute_api_os-aggregates_remove_host:
      key: "os_compute_api:os-aggregates:remove_host"
      value: "rule:admin_api"
    nova-os_compute_api_os-aggregates_update:
      key: "os_compute_api:os-aggregates:update"
      value: "rule:admin_api"
    nova-os_compute_api_os-aggregates_index:
      key: "os_compute_api:os-aggregates:index"
      value: "rule:admin_api"
    nova-os_compute_api_os-aggregates_delete:
      key: "os_compute_api:os-aggregates:delete"
      value: "rule:admin_api"
    nova-os_compute_api_os-aggregates_show:
      key: "os_compute_api:os-aggregates:show"
      value: "rule:admin_api"
    nova-compute_aggregates_images:
      key: "compute:aggregates:images"
      value: "rule:admin_api"
    nova-os_compute_api_os-assisted-volume-snapshots_create:
      key: "os_compute_api:os-assisted-volume-snapshots:create"
      value: "rule:admin_api"
    nova-os_compute_api_os-assisted-volume-snapshots_delete:
      key: "os_compute_api:os-assisted-volume-snapshots:delete"
      value: "rule:admin_api"
    # Interface reads (list/show) accept admin or reader; create/delete need
    # admin or member.
    nova-os_compute_api_os-attach-interfaces_list:
      key: "os_compute_api:os-attach-interfaces:list"
      value: "rule:admin_api or rule:project_reader_api"
    # Delegates to the :list rule, so this name resolves to the same
    # admin-or-reader check and follows any later change made to :list.
    nova-os_compute_api_os-attach-interfaces:
      key: "os_compute_api:os-attach-interfaces"
      value: "rule:os_compute_api:os-attach-interfaces:list"
    nova-os_compute_api_os-attach-interfaces_show:
      key: "os_compute_api:os-attach-interfaces:show"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-attach-interfaces_create:
      key: "os_compute_api:os-attach-interfaces:create"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-attach-interfaces_delete:
      key: "os_compute_api:os-attach-interfaces:delete"
      value: "rule:admin_api or rule:project_member_api"
    # "@" is the always-true check: no role or project condition applies, so
    # every caller that reaches policy evaluation passes this rule. The :detail
    # variant that follows is admin-only.
    nova-os_compute_api_os-availability-zone_list:
      key: "os_compute_api:os-availability-zone:list"
      value: "@"
    nova-os_compute_api_os-availability-zone_detail:
      key: "os_compute_api:os-availability-zone:detail"
      value: "rule:admin_api"
    nova-os_compute_api_os-baremetal-nodes_list:
      key: "os_compute_api:os-baremetal-nodes:list"
      value: "rule:admin_api"
    nova-os_compute_api_os-baremetal-nodes:
      key: "os_compute_api:os-baremetal-nodes"
      value: "rule:os_compute_api:os-baremetal-nodes:list"
    nova-os_compute_api_os-baremetal-nodes_show:
      key: "os_compute_api:os-baremetal-nodes:show"
      value: "rule:admin_api"
    nova-os_compute_api_os-console-auth-tokens:
      key: "os_compute_api:os-console-auth-tokens"
      value: "rule:admin_api"
    nova-os_compute_api_os-console-output:
      key: "os_compute_api:os-console-output"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-create-backup:
      key: "os_compute_api:os-create-backup"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-deferred-delete_restore:
      key: "os_compute_api:os-deferred-delete:restore"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-deferred-delete:
      key: "os_compute_api:os-deferred-delete"
      value: "rule:os_compute_api:os-deferred-delete:restore"
    nova-os_compute_api_os-deferred-delete_force:
      key: "os_compute_api:os-deferred-delete:force"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-evacuate:
      key: "os_compute_api:os-evacuate"
      value: "rule:admin_api"
    nova-os_compute_api_os-extended-server-attributes:
      key: "os_compute_api:os-extended-server-attributes"
      value: "rule:admin_api"
    # "@" is the always-true check: this rule places no role or project
    # restriction on the caller.
    nova-os_compute_api_extensions:
      key: "os_compute_api:extensions"
      value: "@"
    nova-os_compute_api_os-flavor-access_add_tenant_access:
      key: "os_compute_api:os-flavor-access:add_tenant_access"
      value: "rule:admin_api"
    nova-os_compute_api_os-flavor-access_remove_tenant_access:
      key: "os_compute_api:os-flavor-access:remove_tenant_access"
      value: "rule:admin_api"
    nova-os_compute_api_os-flavor-access:
      key: "os_compute_api:os-flavor-access"
      value: "rule:admin_api"
    nova-os_compute_api_os-flavor-extra-specs_show:
      key: "os_compute_api:os-flavor-extra-specs:show"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-flavor-extra-specs_create:
      key: "os_compute_api:os-flavor-extra-specs:create"
      value: "rule:admin_api"
    nova-os_compute_api_os-flavor-extra-specs_update:
      key: "os_compute_api:os-flavor-extra-specs:update"
      value: "rule:admin_api"
    nova-os_compute_api_os-flavor-extra-specs_delete:
      key: "os_compute_api:os-flavor-extra-specs:delete"
      value: "rule:admin_api"
    nova-os_compute_api_os-flavor-extra-specs_index:
      key: "os_compute_api:os-flavor-extra-specs:index"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-flavor-manage_create:
      key: "os_compute_api:os-flavor-manage:create"
      value: "rule:admin_api"
    nova-os_compute_api_os-flavor-manage_update:
      key: "os_compute_api:os-flavor-manage:update"
      value: "rule:admin_api"
    nova-os_compute_api_os-flavor-manage_delete:
      key: "os_compute_api:os-flavor-manage:delete"
      value: "rule:admin_api"
    # "@" is the always-true check: unlike the floating-ips rules that follow,
    # this one has no reader/member requirement at all.
    nova-os_compute_api_os-floating-ip-pools:
      key: "os_compute_api:os-floating-ip-pools"
      value: "@"
    nova-os_compute_api_os-floating-ips_add:
      key: "os_compute_api:os-floating-ips:add"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-floating-ips:
      key: "os_compute_api:os-floating-ips"
      value: "rule:os_compute_api:os-floating-ips:add"
    nova-os_compute_api_os-floating-ips_remove:
      key: "os_compute_api:os-floating-ips:remove"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-floating-ips_list:
      key: "os_compute_api:os-floating-ips:list"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-floating-ips_create:
      key: "os_compute_api:os-floating-ips:create"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-floating-ips_show:
      key: "os_compute_api:os-floating-ips:show"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-floating-ips_delete:
      key: "os_compute_api:os-floating-ips:delete"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-hosts_list:
      key: "os_compute_api:os-hosts:list"
      value: "rule:admin_api"
    nova-os_compute_api_os-hosts:
      key: "os_compute_api:os-hosts"
      value: "rule:os_compute_api:os-hosts:list"
    nova-os_compute_api_os-hosts_show:
      key: "os_compute_api:os-hosts:show"
      value: "rule:admin_api"
    nova-os_compute_api_os-hosts_update:
      key: "os_compute_api:os-hosts:update"
      value: "rule:admin_api"
    nova-os_compute_api_os-hosts_reboot:
      key: "os_compute_api:os-hosts:reboot"
      value: "rule:admin_api"
    nova-os_compute_api_os-hosts_shutdown:
      key: "os_compute_api:os-hosts:shutdown"
      value: "rule:admin_api"
    nova-os_compute_api_os-hosts_start:
      key: "os_compute_api:os-hosts:start"
      value: "rule:admin_api"
    nova-os_compute_api_os-hypervisors_list:
      key: "os_compute_api:os-hypervisors:list"
      value: "rule:admin_api"
    nova-os_compute_api_os-hypervisors:
      key: "os_compute_api:os-hypervisors"
      value: "rule:os_compute_api:os-hypervisors:list"
    nova-os_compute_api_os-hypervisors_list-detail:
      key: "os_compute_api:os-hypervisors:list-detail"
      value: "rule:admin_api"
    nova-os_compute_api_os-hypervisors_statistics:
      key: "os_compute_api:os-hypervisors:statistics"
      value: "rule:admin_api"
    nova-os_compute_api_os-hypervisors_show:
      key: "os_compute_api:os-hypervisors:show"
      value: "rule:admin_api"
    nova-os_compute_api_os-hypervisors_uptime:
      key: "os_compute_api:os-hypervisors:uptime"
      value: "rule:admin_api"
    nova-os_compute_api_os-hypervisors_search:
      key: "os_compute_api:os-hypervisors:search"
      value: "rule:admin_api"
    nova-os_compute_api_os-hypervisors_servers:
      key: "os_compute_api:os-hypervisors:servers"
      value: "rule:admin_api"
    nova-os_compute_api_os-instance-actions_events_details:
      key: "os_compute_api:os-instance-actions:events:details"
      value: "rule:admin_api"
    nova-os_compute_api_os-instance-actions_events:
      key: "os_compute_api:os-instance-actions:events"
      value: "rule:admin_api"
    nova-os_compute_api_os-instance-actions_list:
      key: "os_compute_api:os-instance-actions:list"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-instance-actions:
      key: "os_compute_api:os-instance-actions"
      value: "rule:os_compute_api:os-instance-actions:list"
    nova-os_compute_api_os-instance-actions_show:
      key: "os_compute_api:os-instance-actions:show"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-instance-usage-audit-log_list:
      key: "os_compute_api:os-instance-usage-audit-log:list"
      value: "rule:admin_api"
    nova-os_compute_api_os-instance-usage-audit-log:
      key: "os_compute_api:os-instance-usage-audit-log"
      value: "rule:os_compute_api:os-instance-usage-audit-log:list"
    nova-os_compute_api_os-instance-usage-audit-log_show:
      key: "os_compute_api:os-instance-usage-audit-log:show"
      value: "rule:admin_api"
    nova-os_compute_api_ips_show:
      key: "os_compute_api:ips:show"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_ips_index:
      key: "os_compute_api:ips:index"
      value: "rule:admin_api or rule:project_reader_api"
    # Keypair rules match on the owning user_id instead of a project role, so a
    # user passes for their own keypairs whatever role they hold (create and
    # delete included); only admin_api reaches another user's keypairs.
    nova-os_compute_api_os-keypairs_index:
      key: "os_compute_api:os-keypairs:index"
      value: "rule:admin_api or user_id:%(user_id)s"
    nova-os_compute_api_os-keypairs_create:
      key: "os_compute_api:os-keypairs:create"
      value: "rule:admin_api or user_id:%(user_id)s"
    nova-os_compute_api_os-keypairs_delete:
      key: "os_compute_api:os-keypairs:delete"
      value: "rule:admin_api or user_id:%(user_id)s"
    nova-os_compute_api_os-keypairs_show:
      key: "os_compute_api:os-keypairs:show"
      value: "rule:admin_api or user_id:%(user_id)s"
    # "@" is the always-true check: no role or project condition applies to
    # this rule. Access to another project's limits is gated separately by the
    # admin-only :other_project rule that follows.
    nova-os_compute_api_limits:
      key: "os_compute_api:limits"
      value: "@"
    nova-os_compute_api_limits_other_project:
      key: "os_compute_api:limits:other_project"
      value: "rule:admin_api"
    nova-os_compute_api_os-used-limits:
      key: "os_compute_api:os-used-limits"
      value: "rule:os_compute_api:limits:other_project"
    nova-os_compute_api_os-lock-server_lock:
      key: "os_compute_api:os-lock-server:lock"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-lock-server_unlock:
      key: "os_compute_api:os-lock-server:unlock"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-lock-server_unlock_unlock_override:
      key: "os_compute_api:os-lock-server:unlock:unlock_override"
      value: "rule:admin_api"
    nova-os_compute_api_os-migrate-server_migrate:
      key: "os_compute_api:os-migrate-server:migrate"
      value: "rule:admin_api"
    nova-os_compute_api_os-migrate-server_migrate_live:
      key: "os_compute_api:os-migrate-server:migrate_live"
      value: "rule:admin_api"
    nova-os_compute_api_os-migrations_index:
      key: "os_compute_api:os-migrations:index"
      value: "rule:admin_api"
    nova-os_compute_api_os-multinic_add:
      key: "os_compute_api:os-multinic:add"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-multinic:
      key: "os_compute_api:os-multinic"
      value: "rule:os_compute_api:os-multinic:add"
    nova-os_compute_api_os-multinic_remove:
      key: "os_compute_api:os-multinic:remove"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-networks_list:
      key: "os_compute_api:os-networks:list"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-networks_view:
      key: "os_compute_api:os-networks:view"
      value: "rule:os_compute_api:os-networks:list"
    nova-os_compute_api_os-networks_show:
      key: "os_compute_api:os-networks:show"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-pause-server_pause:
      key: "os_compute_api:os-pause-server:pause"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-pause-server_unpause:
      key: "os_compute_api:os-pause-server:unpause"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-quota-class-sets_show:
      key: "os_compute_api:os-quota-class-sets:show"
      value: "rule:admin_api"
    nova-os_compute_api_os-quota-class-sets_update:
      key: "os_compute_api:os-quota-class-sets:update"
      value: "rule:admin_api"
    nova-os_compute_api_os-quota-sets_update:
      key: "os_compute_api:os-quota-sets:update"
      value: "rule:admin_api"
    # "@" is the always-true check: the quota defaults rule has no role or
    # project restriction, while the sibling show/detail rules need reader and
    # update/delete need admin.
    nova-os_compute_api_os-quota-sets_defaults:
      key: "os_compute_api:os-quota-sets:defaults"
      value: "@"
    nova-os_compute_api_os-quota-sets_show:
      key: "os_compute_api:os-quota-sets:show"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-quota-sets_delete:
      key: "os_compute_api:os-quota-sets:delete"
      value: "rule:admin_api"
    nova-os_compute_api_os-quota-sets_detail:
      key: "os_compute_api:os-quota-sets:detail"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-remote-consoles:
      key: "os_compute_api:os-remote-consoles"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-rescue:
      key: "os_compute_api:os-rescue"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-unrescue:
      key: "os_compute_api:os-unrescue"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-security-groups_get:
      key: "os_compute_api:os-security-groups:get"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-security-groups:
      key: "os_compute_api:os-security-groups"
      value: "rule:os_compute_api:os-security-groups:get"
    nova-os_compute_api_os-security-groups_show:
      key: "os_compute_api:os-security-groups:show"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-security-groups_create:
      key: "os_compute_api:os-security-groups:create"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-security-groups_update:
      key: "os_compute_api:os-security-groups:update"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-security-groups_delete:
      key: "os_compute_api:os-security-groups:delete"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-security-groups_rule_create:
      key: "os_compute_api:os-security-groups:rule:create"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-security-groups_rule_delete:
      key: "os_compute_api:os-security-groups:rule:delete"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-security-groups_list:
      key: "os_compute_api:os-security-groups:list"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-security-groups_add:
      key: "os_compute_api:os-security-groups:add"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-security-groups_remove:
      key: "os_compute_api:os-security-groups:remove"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-server-diagnostics:
      key: "os_compute_api:os-server-diagnostics"
      value: "rule:admin_api"
    nova-os_compute_api_os-server-external-events_create:
      key: "os_compute_api:os-server-external-events:create"
      value: "rule:admin_api"
    # Member-only: there is no admin_api alternative here, unlike the
    # server-groups delete rule that follows.
    # NOTE(review): a caller holding only the admin role passes only if it also
    # satisfies role:member on the project (for example via implied roles).
    nova-os_compute_api_os-server-groups_create:
      key: "os_compute_api:os-server-groups:create"
      value: "rule:project_member_api"
    nova-os_compute_api_os-server-groups_delete:
      key: "os_compute_api:os-server-groups:delete"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-server-groups_index:
      key: "os_compute_api:os-server-groups:index"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-server-groups_index_all_projects:
      key: "os_compute_api:os-server-groups:index:all_projects"
      value: "rule:admin_api"
    nova-os_compute_api_os-server-groups_show:
      key: "os_compute_api:os-server-groups:show"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_server-metadata_index:
      key: "os_compute_api:server-metadata:index"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_server-metadata_show:
      key: "os_compute_api:server-metadata:show"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_server-metadata_create:
      key: "os_compute_api:server-metadata:create"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_server-metadata_update_all:
      key: "os_compute_api:server-metadata:update_all"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_server-metadata_update:
      key: "os_compute_api:server-metadata:update"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_server-metadata_delete:
      key: "os_compute_api:server-metadata:delete"
      value: "rule:admin_api or rule:project_member_api"
    # NOTE(review): the server-password read rule is granted at reader level
    # (admin_api or project_reader_api); confirm that read-only roles are meant
    # to have it.
    nova-os_compute_api_os-server-password_show:
      key: "os_compute_api:os-server-password:show"
      value: "rule:admin_api or rule:project_reader_api"
    # Delegates to the :show rule, so it carries the same reader-level check.
    nova-os_compute_api_os-server-password:
      key: "os_compute_api:os-server-password"
      value: "rule:os_compute_api:os-server-password:show"
    # The :clear rule needs admin or member.
    nova-os_compute_api_os-server-password_clear:
      key: "os_compute_api:os-server-password:clear"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-server-tags_delete_all:
      key: "os_compute_api:os-server-tags:delete_all"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-server-tags_index:
      key: "os_compute_api:os-server-tags:index"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-server-tags_update_all:
      key: "os_compute_api:os-server-tags:update_all"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-server-tags_delete:
      key: "os_compute_api:os-server-tags:delete"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-server-tags_update:
      key: "os_compute_api:os-server-tags:update"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-server-tags_show:
      key: "os_compute_api:os-server-tags:show"
      value: "rule:admin_api or rule:project_reader_api"
    nova-compute_server_topology_index:
      key: "compute:server:topology:index"
      value: "rule:admin_api or rule:project_reader_api"
    nova-compute_server_topology_host_index:
      key: "compute:server:topology:host:index"
      value: "rule:admin_api"
    nova-os_compute_api_servers_index:
      key: "os_compute_api:servers:index"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_servers_detail:
      key: "os_compute_api:servers:detail"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_servers_index_get_all_tenants:
      key: "os_compute_api:servers:index:get_all_tenants"
      value: "rule:admin_api"
    nova-os_compute_api_servers_detail_get_all_tenants:
      key: "os_compute_api:servers:detail:get_all_tenants"
      value: "rule:admin_api"
    nova-os_compute_api_servers_allow_all_filters:
      key: "os_compute_api:servers:allow_all_filters"
      value: "rule:admin_api"
    nova-os_compute_api_servers_show:
      key: "os_compute_api:servers:show"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_servers_show_host_status:
      key: "os_compute_api:servers:show:host_status"
      value: "rule:admin_api"
    nova-os_compute_api_servers_show_host_status_unknown-only:
      key: "os_compute_api:servers:show:host_status:unknown-only"
      value: "rule:admin_api"
    # Server creation is project_member_api only: there is no admin_api
    # alternative, unlike the delete/update rules further down this map.
    # NOTE(review): a caller holding only the admin role passes only if it also
    # satisfies role:member on the project (for example via implied roles).
    nova-os_compute_api_servers_create:
      key: "os_compute_api:servers:create"
      value: "rule:project_member_api"
    # The forced_host and requested_destination rules stay admin-only.
    nova-os_compute_api_servers_create_forced_host:
      key: "os_compute_api:servers:create:forced_host"
      value: "rule:admin_api"
    nova-compute_servers_create_requested_destination:
      key: "compute:servers:create:requested_destination"
      value: "rule:admin_api"
    # Create-time options that follow the member-only create rule.
    nova-os_compute_api_servers_create_attach_volume:
      key: "os_compute_api:servers:create:attach_volume"
      value: "rule:project_member_api"
    nova-os_compute_api_servers_create_attach_network:
      key: "os_compute_api:servers:create:attach_network"
      value: "rule:project_member_api"
    nova-os_compute_api_servers_create_trusted_certs:
      key: "os_compute_api:servers:create:trusted_certs"
      value: "rule:project_member_api"
    # Admin-only: zero_disk_flavor and attach_external_network.
    nova-os_compute_api_servers_create_zero_disk_flavor:
      key: "os_compute_api:servers:create:zero_disk_flavor"
      value: "rule:admin_api"
    nova-network_attach_external_network:
      key: "network:attach_external_network"
      value: "rule:admin_api"
    nova-os_compute_api_servers_delete:
      key: "os_compute_api:servers:delete"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_servers_update:
      key: "os_compute_api:servers:update"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_servers_confirm_resize:
      key: "os_compute_api:servers:confirm_resize"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_servers_revert_resize:
      key: "os_compute_api:servers:revert_resize"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_servers_reboot:
      key: "os_compute_api:servers:reboot"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_servers_resize:
      key: "os_compute_api:servers:resize"
      value: "rule:admin_api or rule:project_member_api"
    # "!" is the always-false check: this rule is refused for every caller,
    # admin included, until the value is changed.
    nova-compute_servers_resize_cross_cell:
      key: "compute:servers:resize:cross_cell"
      value: "!"
    nova-os_compute_api_servers_rebuild:
      key: "os_compute_api:servers:rebuild"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_servers_rebuild_trusted_certs:
      key: "os_compute_api:servers:rebuild:trusted_certs"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_servers_create_image:
      key: "os_compute_api:servers:create_image"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_servers_create_image_allow_volume_backed:
      key: "os_compute_api:servers:create_image:allow_volume_backed"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_servers_start:
      key: "os_compute_api:servers:start"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_servers_stop:
      key: "os_compute_api:servers:stop"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_servers_trigger_crash_dump:
      key: "os_compute_api:servers:trigger_crash_dump"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_servers_migrations_show:
      key: "os_compute_api:servers:migrations:show"
      value: "rule:admin_api"
    nova-os_compute_api_servers_migrations_force_complete:
      key: "os_compute_api:servers:migrations:force_complete"
      value: "rule:admin_api"
    nova-os_compute_api_servers_migrations_delete:
      key: "os_compute_api:servers:migrations:delete"
      value: "rule:admin_api"
    nova-os_compute_api_servers_migrations_index:
      key: "os_compute_api:servers:migrations:index"
      value: "rule:admin_api"
    nova-os_compute_api_os-services_list:
      key: "os_compute_api:os-services:list"
      value: "rule:admin_api"
    nova-os_compute_api_os-services:
      key: "os_compute_api:os-services"
      value: "rule:os_compute_api:os-services:list"
    nova-os_compute_api_os-services_update:
      key: "os_compute_api:os-services:update"
      value: "rule:admin_api"
    nova-os_compute_api_os-services_delete:
      key: "os_compute_api:os-services:delete"
      value: "rule:admin_api"
    nova-os_compute_api_os-shelve_shelve:
      key: "os_compute_api:os-shelve:shelve"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-shelve_unshelve:
      key: "os_compute_api:os-shelve:unshelve"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-shelve_shelve_offload:
      key: "os_compute_api:os-shelve:shelve_offload"
      value: "rule:admin_api"
    nova-os_compute_api_os-simple-tenant-usage_show:
      key: "os_compute_api:os-simple-tenant-usage:show"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-simple-tenant-usage_list:
      key: "os_compute_api:os-simple-tenant-usage:list"
      value: "rule:admin_api"
    nova-os_compute_api_os-suspend-server_resume:
      key: "os_compute_api:os-suspend-server:resume"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-suspend-server_suspend:
      key: "os_compute_api:os-suspend-server:suspend"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-tenant-networks_list:
      key: "os_compute_api:os-tenant-networks:list"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-tenant-networks:
      key: "os_compute_api:os-tenant-networks"
      value: "rule:os_compute_api:os-tenant-networks:list"
    nova-os_compute_api_os-tenant-networks_show:
      key: "os_compute_api:os-tenant-networks:show"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-volumes_list:
      key: "os_compute_api:os-volumes:list"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-volumes:
      key: "os_compute_api:os-volumes"
      value: "rule:os_compute_api:os-volumes:list"
    nova-os_compute_api_os-volumes_create:
      key: "os_compute_api:os-volumes:create"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-volumes_detail:
      key: "os_compute_api:os-volumes:detail"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-volumes_show:
      key: "os_compute_api:os-volumes:show"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-volumes_delete:
      key: "os_compute_api:os-volumes:delete"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-volumes_snapshots_list:
      key: "os_compute_api:os-volumes:snapshots:list"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-volumes_snapshots_create:
      key: "os_compute_api:os-volumes:snapshots:create"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-volumes_snapshots_detail:
      key: "os_compute_api:os-volumes:snapshots:detail"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-volumes_snapshots_show:
      key: "os_compute_api:os-volumes:snapshots:show"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-volumes_snapshots_delete:
      key: "os_compute_api:os-volumes:snapshots:delete"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-volumes-attachments_index:
      key: "os_compute_api:os-volumes-attachments:index"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-volumes-attachments_create:
      key: "os_compute_api:os-volumes-attachments:create"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-volumes-attachments_show:
      key: "os_compute_api:os-volumes-attachments:show"
      value: "rule:admin_api or rule:project_reader_api"
    nova-os_compute_api_os-volumes-attachments_update:
      key: "os_compute_api:os-volumes-attachments:update"
      value: "rule:admin_api or rule:project_member_api"
    nova-os_compute_api_os-volumes-attachments_swap:
      key: "os_compute_api:os-volumes-attachments:swap"
      value: "rule:admin_api"
    nova-os_compute_api_os-volumes-attachments_delete:
      key: "os_compute_api:os-volumes-attachments:delete"
      value: "rule:admin_api or rule:project_member_api"
  # Placement API policy overrides. Every rule below requires rule:admin_api
  # except placement:usages, which also accepts rule:project_reader_api.
  # NOTE(review): this section does not define admin_api or
  # project_reader_api itself; presumably they resolve to Placement's
  # built-in defaults. Verify on a deployed node, since oslo.policy fails a
  # check that references an undefined rule.
  PlacementPolicies:
    placement-placement_resource_providers_list:
      key: "placement:resource_providers:list"
      value: "rule:admin_api"
    placement-placement_resource_providers_create:
      key: "placement:resource_providers:create"
      value: "rule:admin_api"
    placement-placement_resource_providers_show:
      key: "placement:resource_providers:show"
      value: "rule:admin_api"
    placement-placement_resource_providers_update:
      key: "placement:resource_providers:update"
      value: "rule:admin_api"
    placement-placement_resource_providers_delete:
      key: "placement:resource_providers:delete"
      value: "rule:admin_api"
    placement-placement_resource_classes_list:
      key: "placement:resource_classes:list"
      value: "rule:admin_api"
    placement-placement_resource_classes_create:
      key: "placement:resource_classes:create"
      value: "rule:admin_api"
    placement-placement_resource_classes_show:
      key: "placement:resource_classes:show"
      value: "rule:admin_api"
    placement-placement_resource_classes_update:
      key: "placement:resource_classes:update"
      value: "rule:admin_api"
    placement-placement_resource_classes_delete:
      key: "placement:resource_classes:delete"
      value: "rule:admin_api"
    placement-placement_resource_providers_inventories_list:
      key: "placement:resource_providers:inventories:list"
      value: "rule:admin_api"
    placement-placement_resource_providers_inventories_create:
      key: "placement:resource_providers:inventories:create"
      value: "rule:admin_api"
    placement-placement_resource_providers_inventories_show:
      key: "placement:resource_providers:inventories:show"
      value: "rule:admin_api"
    placement-placement_resource_providers_inventories_update:
      key: "placement:resource_providers:inventories:update"
      value: "rule:admin_api"
    placement-placement_resource_providers_inventories_delete:
      key: "placement:resource_providers:inventories:delete"
      value: "rule:admin_api"
    placement-placement_resource_providers_aggregates_list:
      key: "placement:resource_providers:aggregates:list"
      value: "rule:admin_api"
    placement-placement_resource_providers_aggregates_update:
      key: "placement:resource_providers:aggregates:update"
      value: "rule:admin_api"
    placement-placement_resource_providers_usages:
      key: "placement:resource_providers:usages"
      value: "rule:admin_api"
    # The only Placement rule in this section that a non-admin can satisfy:
    # usage totals are readable with rule:project_reader_api.
    placement-placement_usages:
      key: "placement:usages"
      value: "rule:admin_api or rule:project_reader_api"
    placement-placement_traits_list:
      key: "placement:traits:list"
      value: "rule:admin_api"
    placement-placement_traits_show:
      key: "placement:traits:show"
      value: "rule:admin_api"
    placement-placement_traits_update:
      key: "placement:traits:update"
      value: "rule:admin_api"
    placement-placement_traits_delete:
      key: "placement:traits:delete"
      value: "rule:admin_api"
    placement-placement_resource_providers_traits_list:
      key: "placement:resource_providers:traits:list"
      value: "rule:admin_api"
    placement-placement_resource_providers_traits_update:
      key: "placement:resource_providers:traits:update"
      value: "rule:admin_api"
    placement-placement_resource_providers_traits_delete:
      key: "placement:resource_providers:traits:delete"
      value: "rule:admin_api"
    placement-placement_allocations_manage:
      key: "placement:allocations:manage"
      value: "rule:admin_api"
    placement-placement_allocations_list:
      key: "placement:allocations:list"
      value: "rule:admin_api"
    placement-placement_allocations_update:
      key: "placement:allocations:update"
      value: "rule:admin_api"
    placement-placement_allocations_delete:
      key: "placement:allocations:delete"
      value: "rule:admin_api"
    placement-placement_resource_providers_allocations_list:
      key: "placement:resource_providers:allocations:list"
      value: "rule:admin_api"
    placement-placement_allocation_candidates_list:
      key: "placement:allocation_candidates:list"
      value: "rule:admin_api"
    placement-placement_reshaper_reshape:
      key: "placement:reshaper:reshape"
      value: "rule:admin_api"
  # Neutron API policy overrides. The first entries are shared base rules
  # that later check strings reference through rule:<name>.
  NeutronApiPolicies:
    neutron-context_is_admin:
      key: "context_is_admin"
      value: "role:admin"
    # The tenant_id:%(...)s checks below compare the caller's project with a
    # field of the target (the resource itself, its network, its extension
    # parent or its security group). They carry no role condition, so any
    # rule that ORs one of them in is satisfied regardless of the caller's
    # role in that project.
    neutron-owner:
      key: "owner"
      value: "tenant_id:%(tenant_id)s"
    neutron-admin_or_owner:
      key: "admin_or_owner"
      value: "rule:context_is_admin or rule:owner"
    # role:advsvc is checked with no project condition.
    neutron-context_is_advsvc:
      key: "context_is_advsvc"
      value: "role:advsvc"
    neutron-admin_or_network_owner:
      key: "admin_or_network_owner"
      value: "rule:context_is_admin or tenant_id:%(network:tenant_id)s"
    neutron-admin_owner_or_network_owner:
      key: "admin_owner_or_network_owner"
      value: "rule:owner or rule:admin_or_network_owner"
    neutron-network_owner:
      key: "network_owner"
      value: "tenant_id:%(network:tenant_id)s"
    neutron-admin_only:
      key: "admin_only"
      value: "rule:context_is_admin"
    # role:admin has no project or scope condition here, so the admin role
    # on any project satisfies every rule:admin_api check in this section.
    neutron-admin_api:
      key: "admin_api"
      value: "role:admin"
    # An empty check string always passes in oslo.policy, so regular_user
    # matches every caller that reaches policy enforcement.
    neutron-regular_user:
      key: "regular_user"
      value: ""
    neutron-shared:
      key: "shared"
      value: "field:networks:shared=True"
    # NOTE(review): "default" is presumably the fallback applied to actions
    # that have no explicit rule; confirm against the deployed Neutron.
    neutron-default:
      key: "default"
      value: "rule:admin_or_owner"
    neutron-admin_or_ext_parent_owner:
      key: "admin_or_ext_parent_owner"
      value: "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s"
    neutron-ext_parent_owner:
      key: "ext_parent_owner"
      value: "tenant_id:%(ext_parent:tenant_id)s"
    neutron-sg_owner:
      key: "sg_owner"
      value: "tenant_id:%(security_group:tenant_id)s"
    # Address groups and address scopes. Reads accept the reader role within
    # the caller's project or a resource whose shared field is True. Address
    # scope create, update and delete accept the member role within the
    # project; the ":shared" attribute rules are admin only, so a member
    # cannot mark a scope as shared.
    neutron-shared_address_groups:
      key: "shared_address_groups"
      value: "field:address_groups:shared=True"
    neutron-get_address_group:
      key: "get_address_group"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups"
    neutron-shared_address_scopes:
      key: "shared_address_scopes"
      value: "field:address_scopes:shared=True"
    neutron-create_address_scope:
      key: "create_address_scope"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-create_address_scope_shared:
      key: "create_address_scope:shared"
      value: "rule:admin_api"
    neutron-get_address_scope:
      key: "get_address_scope"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_address_scopes"
    neutron-update_address_scope:
      key: "update_address_scope"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-update_address_scope_shared:
      key: "update_address_scope:shared"
      value: "rule:admin_api"
    neutron-delete_address_scope:
      key: "delete_address_scope"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    # Agent management and the DHCP / L3 agent scheduling actions. Every
    # rule in this group is admin only, reads included, so project users
    # cannot list agents or see which agent hosts a network or router.
    neutron-get_agent:
      key: "get_agent"
      value: "rule:admin_api"
    neutron-update_agent:
      key: "update_agent"
      value: "rule:admin_api"
    neutron-delete_agent:
      key: "delete_agent"
      value: "rule:admin_api"
    neutron-create_dhcp-network:
      key: "create_dhcp-network"
      value: "rule:admin_api"
    neutron-get_dhcp-networks:
      key: "get_dhcp-networks"
      value: "rule:admin_api"
    neutron-delete_dhcp-network:
      key: "delete_dhcp-network"
      value: "rule:admin_api"
    neutron-create_l3-router:
      key: "create_l3-router"
      value: "rule:admin_api"
    neutron-get_l3-routers:
      key: "get_l3-routers"
      value: "rule:admin_api"
    neutron-delete_l3-router:
      key: "delete_l3-router"
      value: "rule:admin_api"
    neutron-get_dhcp-agents:
      key: "get_dhcp-agents"
      value: "rule:admin_api"
    neutron-get_l3-agents:
      key: "get_l3-agents"
      value: "rule:admin_api"
    # Auto-allocated topology, availability zones, flavors and service
    # profiles. Project users get read access to the auto-allocated
    # topology, flavors and flavor/service-profile bindings (reader role in
    # their project) and may delete their own auto-allocated topology
    # (member role). Everything else in this group is admin only.
    neutron-get_auto_allocated_topology:
      key: "get_auto_allocated_topology"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
    neutron-delete_auto_allocated_topology:
      key: "delete_auto_allocated_topology"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-get_availability_zone:
      key: "get_availability_zone"
      value: "rule:admin_api"
    neutron-create_flavor:
      key: "create_flavor"
      value: "rule:admin_api"
    neutron-get_flavor:
      key: "get_flavor"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
    neutron-update_flavor:
      key: "update_flavor"
      value: "rule:admin_api"
    neutron-delete_flavor:
      key: "delete_flavor"
      value: "rule:admin_api"
    neutron-create_service_profile:
      key: "create_service_profile"
      value: "rule:admin_api"
    neutron-get_service_profile:
      key: "get_service_profile"
      value: "rule:admin_api"
    neutron-update_service_profile:
      key: "update_service_profile"
      value: "rule:admin_api"
    neutron-delete_service_profile:
      key: "delete_service_profile"
      value: "rule:admin_api"
    neutron-get_flavor_service_profile:
      key: "get_flavor_service_profile"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
    neutron-create_flavor_service_profile:
      key: "create_flavor_service_profile"
      value: "rule:admin_api"
    neutron-delete_flavor_service_profile:
      key: "delete_flavor_service_profile"
      value: "rule:admin_api"
    # Floating IPs: members manage them within their project, readers can
    # view them, and choosing a specific floating_ip_address on create is
    # admin only.
    neutron-create_floatingip:
      key: "create_floatingip"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-create_floatingip_floating_ip_address:
      key: "create_floatingip:floating_ip_address"
      value: "rule:admin_api"
    neutron-get_floatingip:
      key: "get_floatingip"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
    neutron-update_floatingip:
      key: "update_floatingip"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-delete_floatingip:
      key: "delete_floatingip"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-get_floatingip_pool:
      key: "get_floatingip_pool"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
    # Port forwarding and router conntrack helper rules.
    # NOTE(review): the create/update/delete rules below also accept
    # rule:ext_parent_owner, which this file defines as a bare
    # tenant_id:%(ext_parent:tenant_id)s match with no role condition. A
    # caller holding only the reader role in the project that owns the
    # parent resource therefore appears to satisfy these write rules.
    # Confirm whether the member role should be required as well.
    neutron-create_floatingip_port_forwarding:
      key: "create_floatingip_port_forwarding"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
    neutron-get_floatingip_port_forwarding:
      key: "get_floatingip_port_forwarding"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
    neutron-update_floatingip_port_forwarding:
      key: "update_floatingip_port_forwarding"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
    neutron-delete_floatingip_port_forwarding:
      key: "delete_floatingip_port_forwarding"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
    neutron-create_router_conntrack_helper:
      key: "create_router_conntrack_helper"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
    neutron-get_router_conntrack_helper:
      key: "get_router_conntrack_helper"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
    neutron-update_router_conntrack_helper:
      key: "update_router_conntrack_helper"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
    neutron-delete_router_conntrack_helper:
      key: "delete_router_conntrack_helper"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
    # Network logging and metering. Every rule in this group is admin only,
    # so project users can neither create nor remove log or metering
    # resources, nor read them.
    neutron-get_loggable_resource:
      key: "get_loggable_resource"
      value: "rule:admin_api"
    neutron-create_log:
      key: "create_log"
      value: "rule:admin_api"
    neutron-get_log:
      key: "get_log"
      value: "rule:admin_api"
    neutron-update_log:
      key: "update_log"
      value: "rule:admin_api"
    neutron-delete_log:
      key: "delete_log"
      value: "rule:admin_api"
    neutron-create_metering_label:
      key: "create_metering_label"
      value: "rule:admin_api"
    neutron-get_metering_label:
      key: "get_metering_label"
      value: "rule:admin_api"
    neutron-delete_metering_label:
      key: "delete_metering_label"
      value: "rule:admin_api"
    neutron-create_metering_label_rule:
      key: "create_metering_label_rule"
      value: "rule:admin_api"
    neutron-get_metering_label_rule:
      key: "get_metering_label_rule"
      value: "rule:admin_api"
    neutron-delete_metering_label_rule:
      key: "delete_metering_label_rule"
      value: "rule:admin_api"
    # Networks. Keys of the form "<action>:<attribute>" gate a single
    # attribute of the request in addition to the action's own rule.
    neutron-external:
      key: "external"
      value: "field:networks:router:external=True"
    neutron-create_network:
      key: "create_network"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    # Sharing, external routing, default-network, segment and provider
    # attributes are admin only on create.
    neutron-create_network_shared:
      key: "create_network:shared"
      value: "rule:admin_api"
    neutron-create_network_router_external:
      key: "create_network:router:external"
      value: "rule:admin_api"
    neutron-create_network_is_default:
      key: "create_network:is_default"
      value: "rule:admin_api"
    # NOTE(review): project members may set port_security_enabled on their
    # networks. Disabling port security turns off security-group and
    # anti-spoofing filtering for ports that inherit it; confirm tenants
    # should have that ability in this deployment.
    neutron-create_network_port_security_enabled:
      key: "create_network:port_security_enabled"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-create_network_segments:
      key: "create_network:segments"
      value: "rule:admin_api"
    neutron-create_network_provider_network_type:
      key: "create_network:provider:network_type"
      value: "rule:admin_api"
    neutron-create_network_provider_physical_network:
      key: "create_network:provider:physical_network"
      value: "rule:admin_api"
    neutron-create_network_provider_segmentation_id:
      key: "create_network:provider:segmentation_id"
      value: "rule:admin_api"
    # Besides admins and project readers, a network is readable when it is
    # shared or external, and by any caller with the advsvc role.
    neutron-get_network:
      key: "get_network"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc"
    # Unlike the neighbouring rules this check has no project condition:
    # the reader role on any project is enough to see the attribute.
    neutron-get_network_router_external:
      key: "get_network:router:external"
      value: "role:reader"
    # Segment and provider details are hidden from non-admins on read.
    neutron-get_network_segments:
      key: "get_network:segments"
      value: "rule:admin_api"
    neutron-get_network_provider_network_type:
      key: "get_network:provider:network_type"
      value: "rule:admin_api"
    neutron-get_network_provider_physical_network:
      key: "get_network:provider:physical_network"
      value: "rule:admin_api"
    neutron-get_network_provider_segmentation_id:
      key: "get_network:provider:segmentation_id"
      value: "rule:admin_api"
    neutron-update_network:
      key: "update_network"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-update_network_segments:
      key: "update_network:segments"
      value: "rule:admin_api"
    neutron-update_network_shared:
      key: "update_network:shared"
      value: "rule:admin_api"
    neutron-update_network_provider_network_type:
      key: "update_network:provider:network_type"
      value: "rule:admin_api"
    neutron-update_network_provider_physical_network:
      key: "update_network:provider:physical_network"
      value: "rule:admin_api"
    neutron-update_network_provider_segmentation_id:
      key: "update_network:provider:segmentation_id"
      value: "rule:admin_api"
    neutron-update_network_router_external:
      key: "update_network:router:external"
      value: "rule:admin_api"
    neutron-update_network_is_default:
      key: "update_network:is_default"
      value: "rule:admin_api"
    # Same consideration as create_network:port_security_enabled: members
    # can change the setting on existing networks in their project.
    neutron-update_network_port_security_enabled:
      key: "update_network:port_security_enabled"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-delete_network:
      key: "delete_network"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    # IP availability and network segment ranges are admin only.
    neutron-get_network_ip_availability:
      key: "get_network_ip_availability"
      value: "rule:admin_api"
    neutron-create_network_segment_range:
      key: "create_network_segment_range"
      value: "rule:admin_api"
    neutron-get_network_segment_range:
      key: "get_network_segment_range"
      value: "rule:admin_api"
    neutron-update_network_segment_range:
      key: "update_network_segment_range"
      value: "rule:admin_api"
    neutron-delete_network_segment_range:
      key: "delete_network_segment_range"
      value: "rule:admin_api"
    # Ports. network_device is a regex field check: it matches when the
    # port's device_owner starts with "network:".
    neutron-network_device:
      key: "network_device"
      value: "field:port:device_owner=~^network:"
    # role:data_plane_integrator is checked with no project condition.
    neutron-admin_or_data_plane_int:
      key: "admin_or_data_plane_int"
      value: "rule:context_is_admin or role:data_plane_integrator"
    neutron-create_port:
      key: "create_port"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    # A device_owner that starts with "network:" may only be set by an
    # admin, an advsvc caller or the network owner; any other value passes
    # through the "not rule:network_device" alternative.
    neutron-create_port_device_owner:
      key: "create_port:device_owner"
      value: "not rule:network_device or rule:admin_api or rule:context_is_advsvc or rule:network_owner"
    # Addressing and port-security attributes on create are limited to
    # advsvc, the network owner or an admin; fixed_ips and
    # fixed_ips:subnet_id additionally pass on shared networks.
    neutron-create_port_mac_address:
      key: "create_port:mac_address"
      value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
    neutron-create_port_fixed_ips:
      key: "create_port:fixed_ips"
      value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api or rule:shared"
    neutron-create_port_fixed_ips_ip_address:
      key: "create_port:fixed_ips:ip_address"
      value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
    neutron-create_port_fixed_ips_subnet_id:
      key: "create_port:fixed_ips:subnet_id"
      value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api or rule:shared"
    neutron-create_port_port_security_enabled:
      key: "create_port:port_security_enabled"
      value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
    # Host binding and binding profile are admin only; vnic_type is open to
    # project members.
    neutron-create_port_binding_host_id:
      key: "create_port:binding:host_id"
      value: "rule:admin_api"
    neutron-create_port_binding_profile:
      key: "create_port:binding:profile"
      value: "rule:admin_api"
    neutron-create_port_binding_vnic_type:
      key: "create_port:binding:vnic_type"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    # Allowed address pairs let a port use addresses beyond its own, so
    # they are limited to admins and the network owner. Note that
    # rule:network_owner is a tenant match with no role condition.
    neutron-create_port_allowed_address_pairs:
      key: "create_port:allowed_address_pairs"
      value: "rule:admin_api or rule:network_owner"
    neutron-create_port_allowed_address_pairs_mac_address:
      key: "create_port:allowed_address_pairs:mac_address"
      value: "rule:admin_api or rule:network_owner"
    neutron-create_port_allowed_address_pairs_ip_address:
      key: "create_port:allowed_address_pairs:ip_address"
      value: "rule:admin_api or rule:network_owner"
    # Reads: binding details and resource_request are hidden from
    # non-admins.
    neutron-get_port:
      key: "get_port"
      value: "rule:context_is_advsvc or rule:admin_api or (role:reader and project_id:%(project_id)s)"
    neutron-get_port_binding_vif_type:
      key: "get_port:binding:vif_type"
      value: "rule:admin_api"
    neutron-get_port_binding_vif_details:
      key: "get_port:binding:vif_details"
      value: "rule:admin_api"
    neutron-get_port_binding_host_id:
      key: "get_port:binding:host_id"
      value: "rule:admin_api"
    neutron-get_port_binding_profile:
      key: "get_port:binding:profile"
      value: "rule:admin_api"
    neutron-get_port_resource_request:
      key: "get_port:resource_request"
      value: "rule:admin_api"
    # Updates mirror the create rules, with two differences visible here:
    # mac_address drops the network-owner alternative, and fixed_ips drops
    # the shared-network alternative.
    neutron-update_port:
      key: "update_port"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
    neutron-update_port_device_owner:
      key: "update_port:device_owner"
      value: "not rule:network_device or rule:context_is_advsvc or rule:network_owner or rule:admin_api"
    neutron-update_port_mac_address:
      key: "update_port:mac_address"
      value: "rule:admin_api or rule:context_is_advsvc"
    neutron-update_port_fixed_ips:
      key: "update_port:fixed_ips"
      value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
    neutron-update_port_fixed_ips_ip_address:
      key: "update_port:fixed_ips:ip_address"
      value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
    neutron-update_port_fixed_ips_subnet_id:
      key: "update_port:fixed_ips:subnet_id"
      value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api or rule:shared"
    neutron-update_port_port_security_enabled:
      key: "update_port:port_security_enabled"
      value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
    neutron-update_port_binding_host_id:
      key: "update_port:binding:host_id"
      value: "rule:admin_api"
    neutron-update_port_binding_profile:
      key: "update_port:binding:profile"
      value: "rule:admin_api"
    neutron-update_port_binding_vnic_type:
      key: "update_port:binding:vnic_type"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
    neutron-update_port_allowed_address_pairs:
      key: "update_port:allowed_address_pairs"
      value: "rule:admin_api or rule:network_owner"
    neutron-update_port_allowed_address_pairs_mac_address:
      key: "update_port:allowed_address_pairs:mac_address"
      value: "rule:admin_api or rule:network_owner"
    neutron-update_port_allowed_address_pairs_ip_address:
      key: "update_port:allowed_address_pairs:ip_address"
      value: "rule:admin_api or rule:network_owner"
    neutron-update_port_data_plane_status:
      key: "update_port:data_plane_status"
      value: "rule:admin_api or role:data_plane_integrator"
    neutron-delete_port:
      key: "delete_port"
      value: "rule:context_is_advsvc or rule:admin_api or (role:member and project_id:%(project_id)s)"
    # QoS policies and their rules. Reads accept the reader role within the
    # caller's project; create, update and delete are admin only for the
    # policy itself and for each rule type (bandwidth limit, DSCP marking,
    # minimum bandwidth).
    neutron-get_policy:
      key: "get_policy"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
    neutron-create_policy:
      key: "create_policy"
      value: "rule:admin_api"
    neutron-update_policy:
      key: "update_policy"
      value: "rule:admin_api"
    neutron-delete_policy:
      key: "delete_policy"
      value: "rule:admin_api"
    neutron-get_rule_type:
      key: "get_rule_type"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
    neutron-get_policy_bandwidth_limit_rule:
      key: "get_policy_bandwidth_limit_rule"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
    neutron-create_policy_bandwidth_limit_rule:
      key: "create_policy_bandwidth_limit_rule"
      value: "rule:admin_api"
    neutron-update_policy_bandwidth_limit_rule:
      key: "update_policy_bandwidth_limit_rule"
      value: "rule:admin_api"
    neutron-delete_policy_bandwidth_limit_rule:
      key: "delete_policy_bandwidth_limit_rule"
      value: "rule:admin_api"
    neutron-get_policy_dscp_marking_rule:
      key: "get_policy_dscp_marking_rule"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
    neutron-create_policy_dscp_marking_rule:
      key: "create_policy_dscp_marking_rule"
      value: "rule:admin_api"
    neutron-update_policy_dscp_marking_rule:
      key: "update_policy_dscp_marking_rule"
      value: "rule:admin_api"
    neutron-delete_policy_dscp_marking_rule:
      key: "delete_policy_dscp_marking_rule"
      value: "rule:admin_api"
    neutron-get_policy_minimum_bandwidth_rule:
      key: "get_policy_minimum_bandwidth_rule"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
    neutron-create_policy_minimum_bandwidth_rule:
      key: "create_policy_minimum_bandwidth_rule"
      value: "rule:admin_api"
    neutron-update_policy_minimum_bandwidth_rule:
      key: "update_policy_minimum_bandwidth_rule"
      value: "rule:admin_api"
    neutron-delete_policy_minimum_bandwidth_rule:
      key: "delete_policy_minimum_bandwidth_rule"
      value: "rule:admin_api"
    # The alias rules delegate to the matching *_policy_* rule above, so a
    # change to one of those check strings also changes its alias.
    neutron-get_alias_bandwidth_limit_rule:
      key: "get_alias_bandwidth_limit_rule"
      value: "rule:get_policy_bandwidth_limit_rule"
    neutron-update_alias_bandwidth_limit_rule:
      key: "update_alias_bandwidth_limit_rule"
      value: "rule:update_policy_bandwidth_limit_rule"
    neutron-delete_alias_bandwidth_limit_rule:
      key: "delete_alias_bandwidth_limit_rule"
      value: "rule:delete_policy_bandwidth_limit_rule"
    neutron-get_alias_dscp_marking_rule:
      key: "get_alias_dscp_marking_rule"
      value: "rule:get_policy_dscp_marking_rule"
    neutron-update_alias_dscp_marking_rule:
      key: "update_alias_dscp_marking_rule"
      value: "rule:update_policy_dscp_marking_rule"
    neutron-delete_alias_dscp_marking_rule:
      key: "delete_alias_dscp_marking_rule"
      value: "rule:delete_policy_dscp_marking_rule"
    neutron-get_alias_minimum_bandwidth_rule:
      key: "get_alias_minimum_bandwidth_rule"
      value: "rule:get_policy_minimum_bandwidth_rule"
    neutron-update_alias_minimum_bandwidth_rule:
      key: "update_alias_minimum_bandwidth_rule"
      value: "rule:update_policy_minimum_bandwidth_rule"
    neutron-delete_alias_minimum_bandwidth_rule:
      key: "delete_alias_minimum_bandwidth_rule"
      value: "rule:delete_policy_minimum_bandwidth_rule"
    # Quotas are admin only, reads included.
    neutron-get_quota:
      key: "get_quota"
      value: "rule:admin_api"
    neutron-update_quota:
      key: "update_quota"
      value: "rule:admin_api"
    neutron-delete_quota:
      key: "delete_quota"
      value: "rule:admin_api"
    # RBAC policies share a resource with other projects. Members may
    # create, update and delete them within their project, but a
    # target_tenant of "*" (all projects) passes only for admins: both
    # restrict_wildcard and the ":target_tenant" attribute rules reject the
    # wildcard for everyone else. Keep these values quoted; they contain
    # "*" and parentheses.
    neutron-restrict_wildcard:
      key: "restrict_wildcard"
      value: "(not field:rbac_policy:target_tenant=*) or rule:admin_api"
    neutron-create_rbac_policy:
      key: "create_rbac_policy"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-create_rbac_policy_target_tenant:
      key: "create_rbac_policy:target_tenant"
      value: "rule:admin_api or (not field:rbac_policy:target_tenant=*)"
    neutron-update_rbac_policy:
      key: "update_rbac_policy"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-update_rbac_policy_target_tenant:
      key: "update_rbac_policy:target_tenant"
      value: "rule:admin_api or (not field:rbac_policy:target_tenant=*)"
    neutron-get_rbac_policy:
      key: "get_rbac_policy"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
    neutron-delete_rbac_policy:
      key: "delete_rbac_policy"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    # Routers. Members manage routers, gateways, interfaces and extra
    # routes within their project; readers can view them. The distributed
    # and ha attributes, and the gateway's enable_snat and
    # external_fixed_ips, are admin only for both create and update, and
    # distributed/ha are also hidden from non-admins on read.
    neutron-create_router:
      key: "create_router"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-create_router_distributed:
      key: "create_router:distributed"
      value: "rule:admin_api"
    neutron-create_router_ha:
      key: "create_router:ha"
      value: "rule:admin_api"
    neutron-create_router_external_gateway_info:
      key: "create_router:external_gateway_info"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-create_router_external_gateway_info_network_id:
      key: "create_router:external_gateway_info:network_id"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-create_router_external_gateway_info_enable_snat:
      key: "create_router:external_gateway_info:enable_snat"
      value: "rule:admin_api"
    neutron-create_router_external_gateway_info_external_fixed_ips:
      key: "create_router:external_gateway_info:external_fixed_ips"
      value: "rule:admin_api"
    neutron-get_router:
      key: "get_router"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
    neutron-get_router_distributed:
      key: "get_router:distributed"
      value: "rule:admin_api"
    neutron-get_router_ha:
      key: "get_router:ha"
      value: "rule:admin_api"
    neutron-update_router:
      key: "update_router"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-update_router_distributed:
      key: "update_router:distributed"
      value: "rule:admin_api"
    neutron-update_router_ha:
      key: "update_router:ha"
      value: "rule:admin_api"
    neutron-update_router_external_gateway_info:
      key: "update_router:external_gateway_info"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-update_router_external_gateway_info_network_id:
      key: "update_router:external_gateway_info:network_id"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-update_router_external_gateway_info_enable_snat:
      key: "update_router:external_gateway_info:enable_snat"
      value: "rule:admin_api"
    neutron-update_router_external_gateway_info_external_fixed_ips:
      key: "update_router:external_gateway_info:external_fixed_ips"
      value: "rule:admin_api"
    neutron-delete_router:
      key: "delete_router"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-add_router_interface:
      key: "add_router_interface"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-remove_router_interface:
      key: "remove_router_interface"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-add_extraroutes:
      key: "add_extraroutes"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-remove_extraroutes:
      key: "remove_extraroutes"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    # Security groups. The two *_sg_owner helper rules are tenant matches
    # with no role condition; none of the security-group rules in this
    # group reference them.
    neutron-admin_or_sg_owner:
      key: "admin_or_sg_owner"
      value: "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s"
    neutron-admin_owner_or_sg_owner:
      key: "admin_owner_or_sg_owner"
      value: "rule:owner or rule:admin_or_sg_owner"
    # Members create, update and delete groups and rules within their
    # project; readers can view them.
    neutron-create_security_group:
      key: "create_security_group"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-get_security_group:
      key: "get_security_group"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
    neutron-update_security_group:
      key: "update_security_group"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-delete_security_group:
      key: "delete_security_group"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-create_security_group_rule:
      key: "create_security_group_rule"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    # Reading a rule also passes for the owner of the parent security group
    # (rule:sg_owner), whatever role the caller holds in that project.
    neutron-get_security_group_rule:
      key: "get_security_group_rule"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:sg_owner"
    neutron-delete_security_group_rule:
      key: "delete_security_group_rule"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    # Segments are admin only, reads included.
    neutron-create_segment:
      key: "create_segment"
      value: "rule:admin_api"
    neutron-get_segment:
      key: "get_segment"
      value: "rule:admin_api"
    neutron-update_segment:
      key: "update_segment"
      value: "rule:admin_api"
    neutron-delete_segment:
      key: "delete_segment"
      value: "rule:admin_api"
    # No project condition: the reader role on any project can list service
    # providers.
    neutron-get_service_provider:
      key: "get_service_provider"
      value: "role:reader"
    # Subnets. segment_id and service_types are admin only.
    # NOTE(review): create, update and delete also accept
    # rule:network_owner, which this file defines as a bare
    # tenant_id:%(network:tenant_id)s match with no role condition. A caller
    # holding only the reader role in the project that owns the network
    # therefore appears to satisfy these write rules. Confirm whether the
    # member role should be required as well.
    neutron-create_subnet:
      key: "create_subnet"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:network_owner"
    neutron-create_subnet_segment_id:
      key: "create_subnet:segment_id"
      value: "rule:admin_api"
    neutron-create_subnet_service_types:
      key: "create_subnet:service_types"
      value: "rule:admin_api"
    neutron-get_subnet:
      key: "get_subnet"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared"
    neutron-get_subnet_segment_id:
      key: "get_subnet:segment_id"
      value: "rule:admin_api"
    neutron-update_subnet:
      key: "update_subnet"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:network_owner"
    neutron-update_subnet_segment_id:
      key: "update_subnet:segment_id"
      value: "rule:admin_api"
    neutron-update_subnet_service_types:
      key: "update_subnet:service_types"
      value: "rule:admin_api"
    neutron-delete_subnet:
      key: "delete_subnet"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:network_owner"
    # Subnet pools. Members create, update and delete pools and manage
    # prefixes within their project; readers can view their project's pools
    # and any pool whose shared field is True. Marking a pool shared on
    # create, or default on create or update, is admin only.
    neutron-shared_subnetpools:
      key: "shared_subnetpools"
      value: "field:subnetpools:shared=True"
    neutron-create_subnetpool:
      key: "create_subnetpool"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-create_subnetpool_shared:
      key: "create_subnetpool:shared"
      value: "rule:admin_api"
    neutron-create_subnetpool_is_default:
      key: "create_subnetpool:is_default"
      value: "rule:admin_api"
    neutron-get_subnetpool:
      key: "get_subnetpool"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools"
    neutron-update_subnetpool:
      key: "update_subnetpool"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-update_subnetpool_is_default:
      key: "update_subnetpool:is_default"
      value: "rule:admin_api"
    neutron-delete_subnetpool:
      key: "delete_subnetpool"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-onboard_network_subnets:
      key: "onboard_network_subnets"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-add_prefixes:
      key: "add_prefixes"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-remove_prefixes:
      key: "remove_prefixes"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-create_trunk:
      key: "create_trunk"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-get_trunk:
      key: "get_trunk"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
    neutron-update_trunk:
      key: "update_trunk"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-delete_trunk:
      key: "delete_trunk"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-get_subports:
      key: "get_subports"
      value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
    neutron-add_subports:
      key: "add_subports"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
    neutron-remove_subports:
      key: "remove_subports"
      value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
  # The glance policies in Xena implement project-personas by default, so these
  # policies do not need to change. However, keeping them defined here with
  # GlanceApiPolicies will put them in /etc/glance/policy.yaml which will be
  # redundant with the defaults. This may change in the future as glance
  # evolves its policies in Yoga to consume system scope.
  GlanceApiPolicies:
    # An empty check string is treated by oslo.policy as "always allow", so
    # every rule that resolves to rule:default (get_task, get_tasks, add_task
    # and modify_task in this section) passes for any caller that reaches
    # policy enforcement.
    glance-default:
      key: "default"
      value: ""
    glance-context_is_admin:
      key: "context_is_admin"
      value: "role:admin"
    glance-add_image:
      key: "add_image"
      value: "role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)"
    glance-delete_image:
      key: "delete_image"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    glance-get_image:
      key: "get_image"
      value: 'role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))'
    glance-get_images:
      key: "get_images"
      value: "role:admin or (role:reader and project_id:%(project_id)s)"
    glance-modify_image:
      key: "modify_image"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    glance-publicize_image:
      key: "publicize_image"
      value: "role:admin"
    glance-communitize_image:
      key: "communitize_image"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    glance-download_image:
      key: "download_image"
      value: 'role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))'
    glance-upload_image:
      key: "upload_image"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    glance-delete_image_location:
      key: "delete_image_location"
      value: "role:admin"
    glance-get_image_location:
      key: "get_image_location"
      value: "role:admin or (role:reader and project_id:%(project_id)s)"
    glance-set_image_location:
      key: "set_image_location"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    glance-add_member:
      key: "add_member"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    glance-delete_member:
      key: "delete_member"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    # NOTE(review): unlike the neighbouring rules, get_member and get_members
    # have no parentheses around "role:reader and (...)". oslo.policy is
    # expected to bind "and" tighter than "or", giving
    # role:admin or (role:reader and (...)); writing the parentheses out would
    # make the grouping explicit instead of parser-dependent.
    glance-get_member:
      key: "get_member"
      value: "role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"
    glance-get_members:
      key: "get_members"
      value: "role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"
    # The project term compares the caller's project with the target's
    # member_id (not project_id) - presumably so that the project an image is
    # shared with, rather than the image owner, updates the membership.
    # TODO confirm against the glance defaults.
    glance-modify_member:
      key: "modify_member"
      value: "role:admin or (role:member and project_id:%(member_id)s)"
    glance-manage_image_cache:
      key: "manage_image_cache"
      value: "role:admin"
    glance-deactivate:
      key: "deactivate"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    glance-reactivate:
      key: "reactivate"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    glance-copy_image:
      key: "copy_image"
      value: "role:admin"
    # The four task rules defer to rule:default, which this file sets to ""
    # (always allow), so they impose no role or project restriction themselves.
    # tasks_api_access below is limited to role:admin.
    # NOTE(review): presumably tasks_api_access gates the tasks API as a whole;
    # confirm before relying on it as the only control.
    glance-get_task:
      key: "get_task"
      value: "rule:default"
    glance-get_tasks:
      key: "get_tasks"
      value: "rule:default"
    glance-add_task:
      key: "add_task"
      value: "rule:default"
    glance-modify_task:
      key: "modify_task"
      value: "rule:default"
    glance-tasks_api_access:
      key: "tasks_api_access"
      value: "role:admin"
    # Empty check string: always allow. None of the metadef rules listed in
    # this section reference metadef_default; they use metadef_admin or an
    # explicit role/project expression.
    glance-metadef_default:
      key: "metadef_default"
      value: ""
    glance-metadef_admin:
      key: "metadef_admin"
      value: "role:admin"
    glance-get_metadef_namespace:
      key: "get_metadef_namespace"
      value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
    glance-get_metadef_namespaces:
      key: "get_metadef_namespaces"
      value: "role:admin or (role:reader and project_id:%(project_id)s)"
    glance-modify_metadef_namespace:
      key: "modify_metadef_namespace"
      value: "rule:metadef_admin"
    glance-add_metadef_namespace:
      key: "add_metadef_namespace"
      value: "rule:metadef_admin"
    glance-delete_metadef_namespace:
      key: "delete_metadef_namespace"
      value: "rule:metadef_admin"
    glance-get_metadef_object:
      key: "get_metadef_object"
      value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
    glance-get_metadef_objects:
      key: "get_metadef_objects"
      value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
    glance-modify_metadef_object:
      key: "modify_metadef_object"
      value: "rule:metadef_admin"
    glance-add_metadef_object:
      key: "add_metadef_object"
      value: "rule:metadef_admin"
    glance-delete_metadef_object:
      key: "delete_metadef_object"
      value: "rule:metadef_admin"
    glance-list_metadef_resource_types:
      key: "list_metadef_resource_types"
      value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
    glance-get_metadef_resource_type:
      key: "get_metadef_resource_type"
      value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
    glance-add_metadef_resource_type_association:
      key: "add_metadef_resource_type_association"
      value: "rule:metadef_admin"
    glance-remove_metadef_resource_type_association:
      key: "remove_metadef_resource_type_association"
      value: "rule:metadef_admin"
    glance-get_metadef_property:
      key: "get_metadef_property"
      value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
    glance-get_metadef_properties:
      key: "get_metadef_properties"
      value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
    glance-modify_metadef_property:
      key: "modify_metadef_property"
      value: "rule:metadef_admin"
    glance-add_metadef_property:
      key: "add_metadef_property"
      value: "rule:metadef_admin"
    glance-remove_metadef_property:
      key: "remove_metadef_property"
      value: "rule:metadef_admin"
    glance-get_metadef_tag:
      key: "get_metadef_tag"
      value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
    glance-get_metadef_tags:
      key: "get_metadef_tags"
      value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
    glance-modify_metadef_tag:
      key: "modify_metadef_tag"
      value: "rule:metadef_admin"
    glance-add_metadef_tag:
      key: "add_metadef_tag"
      value: "rule:metadef_admin"
    glance-add_metadef_tags:
      key: "add_metadef_tags"
      value: "rule:metadef_admin"
    glance-delete_metadef_tag:
      key: "delete_metadef_tag"
      value: "rule:metadef_admin"
    glance-delete_metadef_tags:
      key: "delete_metadef_tags"
      value: "rule:metadef_admin"
  DesignateApiPolicies:
    designate-default:
      key: "default"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    designate-create_blacklist:
      key: "create_blacklist"
      value: "role:admin"
    designate-find_blacklist:
      key: "find_blacklist"
      value: "role:reader"
    designate-find_blacklists:
      key: "find_blacklists"
      value: "role:reader"
    designate-get_blacklist:
      key: "get_blacklist"
      value: "role:reader"
    designate-update_blacklist:
      key: "update_blacklist"
      value: "role:admin"
    designate-delete_blacklist:
      key: "delete_blacklist"
      value: "role:admin"
    designate-use_blacklisted_zone:
      key: "use_blacklisted_zone"
      value: "role:admin"
    designate-all_tenants:
      key: "all_tenants"
      value: "role:admin"
    designate-edit_managed_records:
      key: "edit_managed_records"
      value: "role:admin"
    designate-use_low_ttl:
      key: "use_low_ttl"
      value: "role:admin"
    designate-use_sudo:
      key: "use_sudo"
      value: "role:admin"
    designate-diagnostics_ping:
      key: "diagnostics_ping"
      value: "role:admin"
    designate-diagnostics_sync_zones:
      key: "diagnostics_sync_zones"
      value: "role:admin"
    designate-diagnostics_sync_zone:
      key: "diagnostics_sync_zone"
      value: "role:admin"
    designate-diagnostics_sync_record:
      key: "diagnostics_sync_record"
      value: "role:admin"
    designate-create_pool:
      key: "create_pool"
      value: "role:admin"
    designate-find_pools:
      key: "find_pools"
      value: "role:reader"
    designate-find_pool:
      key: "find_pool"
      value: "role:reader"
    designate-get_pool:
      key: "get_pool"
      value: "role:reader"
    designate-update_pool:
      key: "update_pool"
      value: "role:admin"
    designate-delete_pool:
      key: "delete_pool"
      value: "role:admin"
    designate-zone_create_forced_pool:
      key: "zone_create_forced_pool"
      value: "role:admin"
    # Second alternative: a reader whose request target has all_tenants=True
    # matches without any project_id term. How all_tenants gets set is decided
    # by the service and is not visible in this file.
    # TODO confirm it is only honoured for callers that pass the all_tenants
    # rule (role:admin above). The same expression is reused by most of the
    # get_/find_/count_ rules in this section.
    designate-get_quotas:
      key: "get_quotas"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
    designate-get_quota:
      key: "get_quota"
      value: "role:admin or (role:reader and project_id:%(project_id)s)"
    designate-set_quota:
      key: "set_quota"
      value: "role:admin"
    designate-reset_quotas:
      key: "reset_quotas"
      value: "role:admin"
    designate-find_records:
      key: "find_records"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
    designate-count_records:
      key: "count_records"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
    # Intended grouping: (member in project AND zone is PRIMARY) OR
    # (admin AND PRIMARY) OR (admin AND SECONDARY). The first "and" sits
    # outside parentheses, so the result relies on "and" binding tighter than
    # "or". Net effect as written: members are limited to PRIMARY zones.
    # update_recordset and delete_recordset use the same expression.
    designate-create_recordset:
      key: "create_recordset"
      value: "(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin and ('PRIMARY':%(zone_type)s)) or (role:admin and ('SECONDARY':%(zone_type)s))"
    designate-get_recordsets:
      key: "get_recordsets"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
    designate-get_recordset:
      key: "get_recordset"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
    designate-find_recordset:
      key: "find_recordset"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
    designate-find_recordsets:
      key: "find_recordsets"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
    designate-update_recordset:
      key: "update_recordset"
      value: "(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin and ('PRIMARY':%(zone_type)s)) or (role:admin and ('SECONDARY':%(zone_type)s))"
    designate-delete_recordset:
      key: "delete_recordset"
      value: "(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin and ('PRIMARY':%(zone_type)s)) or (role:admin and ('SECONDARY':%(zone_type)s))"
    designate-count_recordset:
      key: "count_recordset"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
    designate-find_service_status:
      key: "find_service_status"
      value: "role:admin"
    designate-find_service_statuses:
      key: "find_service_statuses"
      value: "role:admin"
    designate-update_service_status:
      key: "update_service_status"
      value: "role:admin"
    designate-find_tenants:
      key: "find_tenants"
      value: "role:admin"
    designate-get_tenant:
      key: "get_tenant"
      value: "role:admin"
    designate-count_tenants:
      key: "count_tenants"
      value: "role:admin"
    designate-create_tld:
      key: "create_tld"
      value: "role:admin"
    designate-find_tlds:
      key: "find_tlds"
      value: "role:admin"
    designate-get_tld:
      key: "get_tld"
      value: "role:admin"
    designate-update_tld:
      key: "update_tld"
      value: "role:admin"
    designate-delete_tld:
      key: "delete_tld"
      value: "role:admin"
    designate-create_tsigkey:
      key: "create_tsigkey"
      value: "role:admin"
    designate-find_tsigkeys:
      key: "find_tsigkeys"
      value: "role:admin"
    designate-get_tsigkey:
      key: "get_tsigkey"
      value: "role:admin"
    designate-update_tsigkey:
      key: "update_tsigkey"
      value: "role:admin"
    designate-delete_tsigkey:
      key: "delete_tsigkey"
      value: "role:admin"
    designate-create_zone:
      key: "create_zone"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    designate-get_zones:
      key: "get_zones"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
    designate-get_zone:
      key: "get_zone"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
    designate-get_zone_servers:
      key: "get_zone_servers"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
    designate-get_zone_ns_records:
      key: "get_zone_ns_records"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
    designate-find_zones:
      key: "find_zones"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
    designate-update_zone:
      key: "update_zone"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    designate-delete_zone:
      key: "delete_zone"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    designate-xfr_zone:
      key: "xfr_zone"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    designate-abandon_zone:
      key: "abandon_zone"
      value: "role:admin"
    designate-count_zones:
      key: "count_zones"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
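    # Same reader/all_tenants expression as count_zones. Keep the operators
    # well-formed: a check string that oslo.policy cannot parse is not
    # evaluated as written (expected to be logged and treated as a deny;
    # TODO confirm for the deployed release), which silently changes who can
    # call the action.
    designate-count_zones_pending_notify:
      key: "count_zones_pending_notify"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"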
    designate-purge_zones:
      key: "purge_zones"
      value: "role:admin"
    designate-touch_zone:
      key: "touch_zone"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    designate-zone_export:
      key: "zone_export"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    designate-create_zone_export:
      key: "create_zone_export"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    designate-find_zone_exports:
      key: "find_zone_exports"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
    designate-get_zone_export:
      key: "get_zone_export"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
    designate-update_zone_export:
      key: "update_zone_export"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    designate-delete_zone_export:
      key: "delete_zone_export"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    designate-create_zone_import:
      key: "create_zone_import"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    designate-find_zone_imports:
      key: "find_zone_imports"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
    designate-get_zone_import:
      key: "get_zone_import"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
    designate-update_zone_import:
      key: "update_zone_import"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    designate-delete_zone_import:
      key: "delete_zone_import"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    # The last two alternatives carry no role term: either the caller's
    # project equals the request's target_project_id, or target_project_id
    # renders as None (presumably a transfer request with no target project
    # set; TODO confirm against designate's transfer flow).
    designate-create_zone_transfer_accept:
      key: "create_zone_transfer_accept"
      value: "(role:admin or (role:member and project_id:%(project_id)s)) or project_id:%(target_project_id)s or None:%(target_project_id)s"
    designate-get_zone_transfer_accept:
      key: "get_zone_transfer_accept"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
    designate-find_zone_transfer_accepts:
      key: "find_zone_transfer_accepts"
      value: "role:admin"
    designate-find_zone_transfer_accept:
      key: "find_zone_transfer_accept"
      value: "role:admin"
    designate-update_zone_transfer_accept:
      key: "update_zone_transfer_accept"
      value: "role:admin"
    designate-delete_zone_transfer_accept:
      key: "delete_zone_transfer_accept"
      value: "role:admin"
    designate-create_zone_transfer_request:
      key: "create_zone_transfer_request"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    # Same expression as create_zone_transfer_accept: besides admin or a
    # project member, the target project (or any project when
    # target_project_id renders as None) may read the request without a role
    # term. TODO confirm the None case is limited to untargeted requests.
    designate-get_zone_transfer_request:
      key: "get_zone_transfer_request"
      value: "(role:admin or (role:member and project_id:%(project_id)s)) or project_id:%(target_project_id)s or None:%(target_project_id)s"
    designate-get_zone_transfer_request_detailed:
      key: "get_zone_transfer_request_detailed"
      value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
    # "@" is oslo.policy's always-allow check: finding zone transfer requests
    # is not restricted by role or project at the policy layer.
    # NOTE(review): any per-project filtering of the results would have to
    # happen inside the service itself; confirm that it does.
    designate-find_zone_transfer_requests:
      key: "find_zone_transfer_requests"
      value: "@"
    designate-find_zone_transfer_request:
      key: "find_zone_transfer_request"
      value: "@"
    designate-update_zone_transfer_request:
      key: "update_zone_transfer_request"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    designate-delete_zone_transfer_request:
      key: "delete_zone_transfer_request"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
  CinderApiPolicies:
    # The final alternative matches on project_id alone, with no role term.
    # The cinder action rules that directly follow use
    # system_admin_or_project_member/reader or admin_api instead; rules
    # elsewhere in the file may still reference admin_or_owner.
    cinder-admin_or_owner:
      key: "admin_or_owner"
      value: "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"
    cinder-system_or_domain_or_project_admin:
      key: "system_or_domain_or_project_admin"
      value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s) or (role:admin and project_id:%(project_id)s)"
    cinder-context_is_admin:
      key: "context_is_admin"
      value: "role:admin"
    # NOTE(review): is_admin is computed by the service, presumably from
    # context_is_admin (role:admin above). If so, any token with the admin
    # role satisfies admin_api regardless of the project it is scoped to.
    # TODO confirm against the deployed cinder release.
    cinder-admin_api:
      key: "admin_api"
      value: "is_admin:True or (role:admin and is_admin_project:True)"
    # Despite the "system_admin" in both names, the admin alternative is plain
    # role:admin with no system_scope term (compare
    # system_or_domain_or_project_admin above, which uses system_scope:all).
    # An admin role on any project therefore matches, not only system-scoped
    # admins.
    cinder-system_admin_or_project_member:
      key: "system_admin_or_project_member"
      value: "role:admin or (role:member and project_id:%(project_id)s)"
    cinder-system_admin_or_project_reader:
      key: "system_admin_or_project_reader"
      value: "role:admin or (role:reader and project_id:%(project_id)s)"
    cinder-volume_attachment_create:
      key: "volume:attachment_create"
      value: "rule:system_admin_or_project_member"
    cinder-volume_attachment_update:
      key: "volume:attachment_update"
      value: "rule:system_admin_or_project_member"
    cinder-volume_attachment_delete:
      key: "volume:attachment_delete"
      value: "rule:system_admin_or_project_member"
    cinder-volume_attachment_complete:
      key: "volume:attachment_complete"
      value: "rule:system_admin_or_project_member"
    cinder-volume_multiattach_bootable_volume:
      key: "volume:multiattach_bootable_volume"
      value: "rule:system_admin_or_project_member"
    cinder-message_get_all:
      key: "message:get_all"
      value: "rule:system_admin_or_project_reader"
    cinder-message_get:
      key: "message:get"
      value: "rule:system_admin_or_project_reader"
    cinder-message_delete:
      key: "message:delete"
      value: "rule:system_admin_or_project_member"
    cinder-clusters_get_all:
      key: "clusters:get_all"
      value: "rule:admin_api"
    cinder-clusters_get:
      key: "clusters:get"
      value: "rule:admin_api"
    cinder-clusters_update:
      key: "clusters:update"
      value: "rule:admin_api"
    cinder-workers_cleanup:
      key: "workers:cleanup"
      value: "rule:admin_api"
    cinder-volume_get_snapshot_metadata:
      key: "volume:get_snapshot_metadata"
      value: "rule:system_admin_or_project_reader"
    cinder-volume_update_snapshot_metadata:
      key: "volume:update_snapshot_metadata"
      value: "rule:system_admin_or_project_member"
    cinder-volume_delete_snapshot_metadata:
      key: "volume:delete_snapshot_metadata"
      value: "rule:system_admin_or_project_member"
    cinder-volume_get_all_snapshots:
      key: "volume:get_all_snapshots"
      value: "rule:system_admin_or_project_reader"
    cinder-volume_extension_extended_snapshot_attributes:
      key: "volume_extension:extended_snapshot_attributes"
      value: "rule:system_admin_or_project_reader"
    cinder-volume_create_snapshot:
      key: "volume:create_snapshot"
      value: "rule:system_admin_or_project_member"
    cinder-volume_get_snapshot:
      key: "volume:get_snapshot"
      value: "rule:system_admin_or_project_reader"
    cinder-volume_update_snapshot:
      key: "volume:update_snapshot"
      value: "rule:system_admin_or_project_member"
    cinder-volume_delete_snapshot:
      key: "volume:delete_snapshot"
      value: "rule:system_admin_or_project_member"
    cinder-volume_extension_snapshot_admin_actions_reset_status:
      key: "volume_extension:snapshot_admin_actions:reset_status"
      value: "rule:admin_api"
    cinder-snapshot_extension_snapshot_actions_update_snapshot_status:
      key: "snapshot_extension:snapshot_actions:update_snapshot_status"
      value: "rule:system_admin_or_project_member"
    cinder-volume_extension_snapshot_admin_actions_force_delete:
      key: "volume_extension:snapshot_admin_actions:force_delete"
      value: "rule:admin_api"
    cinder-snapshot_extension_list_manageable:
      key: "snapshot_extension:list_manageable"
      value: "rule:admin_api"
    cinder-snapshot_extension_snapshot_manage:
      key: "snapshot_extension:snapshot_manage"
      value: "rule:admin_api"
    cinder-snapshot_extension_snapshot_unmanage:
      key: "snapshot_extension:snapshot_unmanage"
      value: "rule:admin_api"
    cinder-backup_get_all:
      key: "backup:get_all"
      value: "rule:system_admin_or_project_reader"
    cinder-backup_backup_project_attribute:
      key: "backup:backup_project_attribute"
      value: "rule:admin_api"
    cinder-backup_create:
      key: "backup:create"
      value: "rule:system_admin_or_project_member"
    cinder-backup_get:
      key: "backup:get"
      value: "rule:system_admin_or_project_reader"
    cinder-backup_update:
      key: "backup:update"
      value: "rule:system_admin_or_project_member"
    cinder-backup_delete:
      key: "backup:delete"
      value: "rule:system_admin_or_project_member"
    cinder-backup_restore:
      key: "backup:restore"
      value: "rule:system_admin_or_project_member"
    cinder-backup_backup-import:
      key: "backup:backup-import"
      value: "rule:admin_api"
    cinder-backup_export-import:
      key: "backup:export-import"
      value: "rule:admin_api"
    cinder-volume_extension_backup_admin_actions_reset_status:
      key: "volume_extension:backup_admin_actions:reset_status"
      value: "rule:admin_api"
    cinder-volume_extension_backup_admin_actions_force_delete:
      key: "volume_extension:backup_admin_actions:force_delete"
      value: "rule:admin_api"
    cinder-group_get_all:
      key: "group:get_all"
      value: "rule:system_admin_or_project_reader"
    cinder-group_create:
      key: "group:create"
      value: "rule:system_admin_or_project_member"
    cinder-group_get:
      key: "group:get"
      value: "rule:system_admin_or_project_reader"
    cinder-group_update:
      key: "group:update"
      value: "rule:system_admin_or_project_member"
    cinder-group_group_project_attribute:
      key: "group:group_project_attribute"
      value: "rule:admin_api"
    cinder-group_group_types_create:
      key: "group:group_types:create"
      value: "rule:admin_api"
    cinder-group_group_types_update:
      key: "group:group_types:update"
      value: "rule:admin_api"
    cinder-group_group_types_delete:
      key: "group:group_types:delete"
      value: "rule:admin_api"
    cinder-group_access_group_types_specs:
      key: "group:access_group_types_specs"
      value: "rule:admin_api"
    cinder-group_group_types_specs_get:
      key: "group:group_types_specs:get"
      value: "rule:admin_api"
    cinder-group_group_types_specs_get_all:
      key: "group:group_types_specs:get_all"
      value: "rule:admin_api"
    cinder-group_group_types_specs_create:
      key: "group:group_types_specs:create"
      value: "rule:admin_api"
    cinder-group_group_types_specs_update:
      key: "group:group_types_specs:update"
      value: "rule:admin_api"
    cinder-group_group_types_specs_delete:
      key: "group:group_types_specs:delete"
      value: "rule:admin_api"
    cinder-group_get_all_group_snapshots:
      key: "group:get_all_group_snapshots"
      value: "rule:system_admin_or_project_reader"
    cinder-group_create_group_snapshot:
      key: "group:create_group_snapshot"
      value: "rule:system_admin_or_project_member"
    cinder-group_get_group_snapshot:
      key: "group:get_group_snapshot"
      value: "rule:system_admin_or_project_reader"
    cinder-group_delete_group_snapshot:
      key: "group:delete_group_snapshot"
      value: "rule:system_admin_or_project_member"
    cinder-group_update_group_snapshot:
      key: "group:update_group_snapshot"
      value: "rule:system_admin_or_project_member"
    cinder-group_group_snapshot_project_attribute:
      key: "group:group_snapshot_project_attribute"
      value: "rule:admin_api"
    cinder-group_reset_group_snapshot_status:
      key: "group:reset_group_snapshot_status"
      value: "rule:admin_api"
    cinder-group_delete:
      key: "group:delete"
      value: "rule:system_admin_or_project_member"
    cinder-group_reset_status:
      key: "group:reset_status"
      value: "rule:admin_api"
    cinder-group_enable_replication:
      key: "group:enable_replication"
      value: "rule:system_admin_or_project_member"
    cinder-group_disable_replication:
      key: "group:disable_replication"
      value: "rule:system_admin_or_project_member"
    cinder-group_failover_replication:
      key: "group:failover_replication"
      value: "rule:system_admin_or_project_member"
    cinder-group_list_replication_targets:
      key: "group:list_replication_targets"
      value: "rule:system_admin_or_project_member"
    cinder-volume_extension_qos_specs_manage_get_all:
      key: "volume_extension:qos_specs_manage:get_all"
      value: "rule:admin_api"
    cinder-volume_extension_qos_specs_manage_get:
      key: "volume_extension:qos_specs_manage:get"
      value: "rule:admin_api"
    cinder-volume_extension_qos_specs_manage_create:
      key: "volume_extension:qos_specs_manage:create"
      value: "rule:admin_api"
    cinder-volume_extension_qos_specs_manage_update:
      key: "volume_extension:qos_specs_manage:update"
      value: "rule:admin_api"
    cinder-volume_extension_qos_specs_manage_delete:
      key: "volume_extension:qos_specs_manage:delete"
      value: "rule:admin_api"
    cinder-volume_extension_quota_classes_get:
      key: "volume_extension:quota_classes:get"
      value: "rule:admin_api"
    cinder-volume_extension_quota_classes_update:
      key: "volume_extension:quota_classes:update"
      value: "rule:admin_api"
    cinder-volume_extension_quotas_show:
      key: "volume_extension:quotas:show"
      value: "rule:system_admin_or_project_reader"
    cinder-volume_extension_quotas_update:
      key: "volume_extension:quotas:update"
      value: "rule:admin_api"
    cinder-volume_extension_quotas_delete:
      key: "volume_extension:quotas:delete"
      value: "rule:admin_api"
    cinder-volume_extension_capabilities:
      key: "volume_extension:capabilities"
      value: "rule:admin_api"
    cinder-volume_extension_services_index:
      key: "volume_extension:services:index"
      value: "rule:admin_api"
    cinder-volume_extension_services_update:
      key: "volume_extension:services:update"
      value: "rule:admin_api"
    cinder-volume_freeze_host:
      key: "volume:freeze_host"
      value: "rule:admin_api"
    cinder-volume_thaw_host:
      key: "volume:thaw_host"
      value: "rule:admin_api"
    cinder-volume_failover_host:
      key: "volume:failover_host"
      value: "rule:admin_api"
    cinder-scheduler_extension_scheduler_stats_get_pools:
      key: "scheduler_extension:scheduler_stats:get_pools"
      value: "rule:admin_api"
    cinder-volume_extension_hosts:
      key: "volume_extension:hosts"
      value: "rule:admin_api"
    cinder-limits_extension_used_limits:
      key: "limits_extension:used_limits"
      value: "rule:system_admin_or_project_reader"
    cinder-volume_extension_list_manageable:
      key: "volume_extension:list_manageable"
      value: "rule:admin_api"
    cinder-volume_extension_volume_manage:
      key: "volume_extension:volume_manage"
      value: "rule:admin_api"
    cinder-volume_extension_volume_unmanage:
      key: "volume_extension:volume_unmanage"
      value: "rule:admin_api"
    # Volume types: create/update/delete are admin-only, while type_get,
    # type_get_all and access_types_extra_specs are open to project readers.
    # access_types_qos_specs_id stays admin-only.
    cinder-volume_extension_type_create:
      key: "volume_extension:type_create"
      value: "rule:admin_api"
    cinder-volume_extension_type_update:
      key: "volume_extension:type_update"
      value: "rule:admin_api"
    cinder-volume_extension_type_delete:
      key: "volume_extension:type_delete"
      value: "rule:admin_api"
    cinder-volume_extension_type_get:
      key: "volume_extension:type_get"
      value: "rule:system_admin_or_project_reader"
    cinder-volume_extension_type_get_all:
      key: "volume_extension:type_get_all"
      value: "rule:system_admin_or_project_reader"
    cinder-volume_extension_access_types_extra_specs:
      key: "volume_extension:access_types_extra_specs"
      value: "rule:system_admin_or_project_reader"
    cinder-volume_extension_access_types_qos_specs_id:
      key: "volume_extension:access_types_qos_specs_id"
      value: "rule:admin_api"
    # Volume-type encryption settings: every operation, including reads, is
    # restricted to rule:admin_api.
    cinder-volume_extension_volume_type_encryption:
      key: "volume_extension:volume_type_encryption"
      value: "rule:admin_api"
    cinder-volume_extension_volume_type_encryption_create:
      key: "volume_extension:volume_type_encryption:create"
      value: "rule:admin_api"
    cinder-volume_extension_volume_type_encryption_get:
      key: "volume_extension:volume_type_encryption:get"
      value: "rule:admin_api"
    cinder-volume_extension_volume_type_encryption_update:
      key: "volume_extension:volume_type_encryption:update"
      value: "rule:admin_api"
    cinder-volume_extension_volume_type_encryption_delete:
      key: "volume_extension:volume_type_encryption:delete"
      value: "rule:admin_api"
    # Volume-type access: the base volume_type_access policy is granted to
    # project members; adding or removing project access and listing all
    # projects for a type are admin-only.
    cinder-volume_extension_volume_type_access:
      key: "volume_extension:volume_type_access"
      value: "rule:system_admin_or_project_member"
    cinder-volume_extension_volume_type_access_addProjectAccess:
      key: "volume_extension:volume_type_access:addProjectAccess"
      value: "rule:admin_api"
    cinder-volume_extension_volume_type_access_removeProjectAccess:
      key: "volume_extension:volume_type_access:removeProjectAccess"
      value: "rule:admin_api"
    cinder-volume_extension_volume_type_access_get_all_for_type:
      key: "volume_extension:volume_type_access:get_all_for_type"
      value: "rule:admin_api"
    # Volume actions. Project members may extend, revert to snapshot, retype,
    # toggle the read-only flag and upload a volume as an image. The state
    # overrides (reset_status, force_delete, force_detach), public image
    # upload and volume migration remain behind rule:admin_api.
    cinder-volume_extend:
      key: "volume:extend"
      value: "rule:system_admin_or_project_member"
    cinder-volume_extend_attached_volume:
      key: "volume:extend_attached_volume"
      value: "rule:system_admin_or_project_member"
    cinder-volume_revert_to_snapshot:
      key: "volume:revert_to_snapshot"
      value: "rule:system_admin_or_project_member"
    cinder-volume_extension_volume_admin_actions_reset_status:
      key: "volume_extension:volume_admin_actions:reset_status"
      value: "rule:admin_api"
    cinder-volume_retype:
      key: "volume:retype"
      value: "rule:system_admin_or_project_member"
    cinder-volume_update_readonly_flag:
      key: "volume:update_readonly_flag"
      value: "rule:system_admin_or_project_member"
    cinder-volume_extension_volume_admin_actions_force_delete:
      key: "volume_extension:volume_admin_actions:force_delete"
      value: "rule:admin_api"
    cinder-volume_extension_volume_actions_upload_public:
      key: "volume_extension:volume_actions:upload_public"
      value: "rule:admin_api"
    cinder-volume_extension_volume_actions_upload_image:
      key: "volume_extension:volume_actions:upload_image"
      value: "rule:system_admin_or_project_member"
    cinder-volume_extension_volume_admin_actions_force_detach:
      key: "volume_extension:volume_admin_actions:force_detach"
      value: "rule:admin_api"
    cinder-volume_extension_volume_admin_actions_migrate_volume:
      key: "volume_extension:volume_admin_actions:migrate_volume"
      value: "rule:admin_api"
    cinder-volume_extension_volume_admin_actions_migrate_volume_completion:
      key: "volume_extension:volume_admin_actions:migrate_volume_completion"
      value: "rule:admin_api"
    # Attach/detach workflow actions (connection setup and teardown, reserve,
    # unreserve, begin/roll detaching, attach, detach): all granted to
    # project members via rule:system_admin_or_project_member.
    cinder-volume_extension_volume_actions_initialize_connection:
      key: "volume_extension:volume_actions:initialize_connection"
      value: "rule:system_admin_or_project_member"
    cinder-volume_extension_volume_actions_terminate_connection:
      key: "volume_extension:volume_actions:terminate_connection"
      value: "rule:system_admin_or_project_member"
    cinder-volume_extension_volume_actions_roll_detaching:
      key: "volume_extension:volume_actions:roll_detaching"
      value: "rule:system_admin_or_project_member"
    cinder-volume_extension_volume_actions_reserve:
      key: "volume_extension:volume_actions:reserve"
      value: "rule:system_admin_or_project_member"
    cinder-volume_extension_volume_actions_unreserve:
      key: "volume_extension:volume_actions:unreserve"
      value: "rule:system_admin_or_project_member"
    cinder-volume_extension_volume_actions_begin_detaching:
      key: "volume_extension:volume_actions:begin_detaching"
      value: "rule:system_admin_or_project_member"
    cinder-volume_extension_volume_actions_attach:
      key: "volume_extension:volume_actions:attach"
      value: "rule:system_admin_or_project_member"
    cinder-volume_extension_volume_actions_detach:
      key: "volume_extension:volume_actions:detach"
      value: "rule:system_admin_or_project_member"
    # Volume transfers: reads need the reader rule, while create, accept and
    # delete need the member rule. No transfer operation is admin-only here.
    cinder-volume_get_all_transfers:
      key: "volume:get_all_transfers"
      value: "rule:system_admin_or_project_reader"
    cinder-volume_create_transfer:
      key: "volume:create_transfer"
      value: "rule:system_admin_or_project_member"
    cinder-volume_get_transfer:
      key: "volume:get_transfer"
      value: "rule:system_admin_or_project_reader"
    cinder-volume_accept_transfer:
      key: "volume:accept_transfer"
      value: "rule:system_admin_or_project_member"
    cinder-volume_delete_transfer:
      key: "volume:delete_transfer"
      value: "rule:system_admin_or_project_member"
    # Volume and image metadata: readers may read, members may write.
    # update_volume_admin_metadata is the one admin-only entry in this group.
    cinder-volume_get_volume_metadata:
      key: "volume:get_volume_metadata"
      value: "rule:system_admin_or_project_reader"
    cinder-volume_create_volume_metadata:
      key: "volume:create_volume_metadata"
      value: "rule:system_admin_or_project_member"
    cinder-volume_update_volume_metadata:
      key: "volume:update_volume_metadata"
      value: "rule:system_admin_or_project_member"
    cinder-volume_delete_volume_metadata:
      key: "volume:delete_volume_metadata"
      value: "rule:system_admin_or_project_member"
    cinder-volume_extension_volume_image_metadata_show:
      key: "volume_extension:volume_image_metadata:show"
      value: "rule:system_admin_or_project_reader"
    cinder-volume_extension_volume_image_metadata_set:
      key: "volume_extension:volume_image_metadata:set"
      value: "rule:system_admin_or_project_member"
    cinder-volume_extension_volume_image_metadata_remove:
      key: "volume_extension:volume_image_metadata:remove"
      value: "rule:system_admin_or_project_member"
    cinder-volume_update_volume_admin_metadata:
      key: "volume:update_volume_admin_metadata"
      value: "rule:admin_api"
    # Volume-type extra specs: index and show are open to project readers,
    # but read_sensitive and all writes are admin-only. Going by its name,
    # read_sensitive gates the extra specs that readers should not see, so
    # loosening it would widen what index/show return - verify before changing.
    cinder-volume_extension_types_extra_specs_index:
      key: "volume_extension:types_extra_specs:index"
      value: "rule:system_admin_or_project_reader"
    cinder-volume_extension_types_extra_specs_create:
      key: "volume_extension:types_extra_specs:create"
      value: "rule:admin_api"
    cinder-volume_extension_types_extra_specs_show:
      key: "volume_extension:types_extra_specs:show"
      value: "rule:system_admin_or_project_reader"
    cinder-volume_extension_types_extra_specs_read_sensitive:
      key: "volume_extension:types_extra_specs:read_sensitive"
      value: "rule:admin_api"
    cinder-volume_extension_types_extra_specs_update:
      key: "volume_extension:types_extra_specs:update"
      value: "rule:admin_api"
    cinder-volume_extension_types_extra_specs_delete:
      key: "volume_extension:types_extra_specs:delete"
      value: "rule:admin_api"
    # Core volume CRUD: create/update/delete for project members, get and
    # get_all for project readers. volume:force_delete is admin-only.
    cinder-volume_create:
      key: "volume:create"
      value: "rule:system_admin_or_project_member"
    cinder-volume_create_from_image:
      key: "volume:create_from_image"
      value: "rule:system_admin_or_project_member"
    cinder-volume_get:
      key: "volume:get"
      value: "rule:system_admin_or_project_reader"
    cinder-volume_get_all:
      key: "volume:get_all"
      value: "rule:system_admin_or_project_reader"
    cinder-volume_update:
      key: "volume:update"
      value: "rule:system_admin_or_project_member"
    cinder-volume_delete:
      key: "volume:delete"
      value: "rule:system_admin_or_project_member"
    cinder-volume_force_delete:
      key: "volume:force_delete"
      value: "rule:admin_api"
    # Extended volume attributes: the host and migration-status attributes are
    # admin-only; the tenant attribute and encryption metadata are readable by
    # project readers.
    # NOTE(review): confirm reader-level access to volume_encryption_metadata
    # is acceptable for this deployment.
    cinder-volume_extension_volume_host_attribute:
      key: "volume_extension:volume_host_attribute"
      value: "rule:admin_api"
    cinder-volume_extension_volume_tenant_attribute:
      key: "volume_extension:volume_tenant_attribute"
      value: "rule:system_admin_or_project_reader"
    cinder-volume_extension_volume_mig_status_attribute:
      key: "volume_extension:volume_mig_status_attribute"
      value: "rule:admin_api"
    cinder-volume_extension_volume_encryption_metadata:
      key: "volume_extension:volume_encryption_metadata"
      value: "rule:system_admin_or_project_reader"
    cinder-volume_multiattach:
      key: "volume:multiattach"
      value: "rule:system_admin_or_project_member"
    # The volume_extension:default_* policies (set/update, get, get_all,
    # unset) are all admin-only.
    cinder-volume_extension_default_set_or_update:
      key: "volume_extension:default_set_or_update"
      value: "rule:admin_api"
    cinder-volume_extension_default_get:
      key: "volume_extension:default_get"
      value: "rule:admin_api"
    cinder-volume_extension_default_get_all:
      key: "volume_extension:default_get_all"
      value: "rule:admin_api"
    cinder-volume_extension_default_unset:
      key: "volume_extension:default_unset"
      value: "rule:admin_api"
  KeystonePolicies:
    # Base admin rule referenced by most Keystone policies in this mapping.
    # It is a bare role match with no project, domain or system-scope
    # condition, so a token carrying the "admin" role satisfies it wherever
    # that role was assigned. As a result, every policy of the form
    # "rule:admin_required or (role:admin and domain_id:...)" reduces to
    # "role:admin"; the domain clause only constrains callers if this rule is
    # tightened.
    # NOTE(review): EnforceSecureRbac is false at the top of this file -
    # confirm unscoped admin is intended before granting "admin" on any
    # project or domain.
    keystone-admin_required:
      key: "admin_required"
      value: "role:admin"
    # Access rules: admin, or the user named in the request target
    # (user_id must equal target.user.id), i.e. users manage their own.
    keystone-identity_get_access_rule:
      key: "identity:get_access_rule"
      value: "rule:admin_required or user_id:%(target.user.id)s"
    keystone-identity_list_access_rules:
      key: "identity:list_access_rules"
      value: "rule:admin_required or user_id:%(target.user.id)s"
    keystone-identity_delete_access_rule:
      key: "identity:delete_access_rule"
      value: "rule:admin_required or user_id:%(target.user.id)s"
    # Request-token authorization and access-token management (Keystone's
    # OAuth1 API): admin-only, with no owner alternative.
    keystone-identity_authorize_request_token:
      key: "identity:authorize_request_token"
      value: "rule:admin_required"
    keystone-identity_get_access_token:
      key: "identity:get_access_token"
      value: "rule:admin_required"
    keystone-identity_get_access_token_role:
      key: "identity:get_access_token_role"
      value: "rule:admin_required"
    keystone-identity_list_access_tokens:
      key: "identity:list_access_tokens"
      value: "rule:admin_required"
    keystone-identity_list_access_token_roles:
      key: "identity:list_access_token_roles"
      value: "rule:admin_required"
    keystone-identity_delete_access_token:
      key: "identity:delete_access_token"
      value: "rule:admin_required"
    # Application credentials: get/list/delete allow admin or rule:owner.
    # Create has no admin alternative - only the user themselves
    # (user_id:%(user_id)s) may mint one, so an admin cannot create a
    # credential on another user's behalf.
    # NOTE(review): rule:owner is not defined in the visible part of this
    # mapping; confirm it resolves to the intended check.
    keystone-identity_get_application_credential:
      key: "identity:get_application_credential"
      value: "rule:admin_required or rule:owner"
    keystone-identity_list_application_credentials:
      key: "identity:list_application_credentials"
      value: "rule:admin_required or rule:owner"
    keystone-identity_create_application_credential:
      key: "identity:create_application_credential"
      value: "user_id:%(user_id)s"
    keystone-identity_delete_application_credential:
      key: "identity:delete_application_credential"
      value: "rule:admin_required or rule:owner"
    # Empty check strings: in oslo.policy an empty rule always passes, so
    # these four calls are allowed for every authenticated caller regardless
    # of role. Keep them empty only for endpoints that describe the caller's
    # own token (catalog and available project/domain/system scopes).
    keystone-identity_get_auth_catalog:
      key: "identity:get_auth_catalog"
      value: ""
    keystone-identity_get_auth_projects:
      key: "identity:get_auth_projects"
      value: ""
    keystone-identity_get_auth_domains:
      key: "identity:get_auth_domains"
      value: ""
    keystone-identity_get_auth_system:
      key: "identity:get_auth_system"
      value: ""
    # Consumer CRUD: admin-only.
    keystone-identity_get_consumer:
      key: "identity:get_consumer"
      value: "rule:admin_required"
    keystone-identity_list_consumers:
      key: "identity:list_consumers"
      value: "rule:admin_required"
    keystone-identity_create_consumer:
      key: "identity:create_consumer"
      value: "rule:admin_required"
    keystone-identity_update_consumer:
      key: "identity:update_consumer"
      value: "rule:admin_required"
    keystone-identity_delete_consumer:
      key: "identity:delete_consumer"
      value: "rule:admin_required"
    # Credentials: admin, or the user whose id equals the credential's
    # user_id in the request target. Because admin_required is an unscoped
    # role:admin, any admin can read and modify every user's credentials.
    keystone-identity_get_credential:
      key: "identity:get_credential"
      value: "rule:admin_required or user_id:%(target.credential.user_id)s"
    keystone-identity_list_credentials:
      key: "identity:list_credentials"
      value: "rule:admin_required or user_id:%(target.credential.user_id)s"
    keystone-identity_create_credential:
      key: "identity:create_credential"
      value: "rule:admin_required or user_id:%(target.credential.user_id)s"
    keystone-identity_update_credential:
      key: "identity:update_credential"
      value: "rule:admin_required or user_id:%(target.credential.user_id)s"
    keystone-identity_delete_credential:
      key: "identity:delete_credential"
      value: "rule:admin_required or user_id:%(target.credential.user_id)s"
    # Domains and domain configuration. get_domain also admits a token scoped
    # to the target domain, or to a project inside it; everything else is
    # admin-only except get_security_compliance_domain_config, whose empty
    # rule always passes and so exposes those settings to any authenticated
    # caller.
    keystone-identity_get_domain:
      key: "identity:get_domain"
      value: "rule:admin_required or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s"
    keystone-identity_list_domains:
      key: "identity:list_domains"
      value: "rule:admin_required"
    keystone-identity_create_domain:
      key: "identity:create_domain"
      value: "rule:admin_required"
    keystone-identity_update_domain:
      key: "identity:update_domain"
      value: "rule:admin_required"
    keystone-identity_delete_domain:
      key: "identity:delete_domain"
      value: "rule:admin_required"
    keystone-identity_create_domain_config:
      key: "identity:create_domain_config"
      value: "rule:admin_required"
    keystone-identity_get_domain_config:
      key: "identity:get_domain_config"
      value: "rule:admin_required"
    keystone-identity_get_security_compliance_domain_config:
      key: "identity:get_security_compliance_domain_config"
      value: ""
    keystone-identity_update_domain_config:
      key: "identity:update_domain_config"
      value: "rule:admin_required"
    keystone-identity_delete_domain_config:
      key: "identity:delete_domain_config"
      value: "rule:admin_required"
    keystone-identity_get_domain_config_default:
      key: "identity:get_domain_config_default"
      value: "rule:admin_required"
    # EC2 credentials: get/delete compare the caller with the credential's
    # user_id from the target; list/create use rule:owner instead.
    # NOTE(review): rule:owner is not defined in the visible part of this
    # mapping; confirm both forms identify the same user.
    keystone-identity_ec2_get_credential:
      key: "identity:ec2_get_credential"
      value: "rule:admin_required or user_id:%(target.credential.user_id)s"
    keystone-identity_ec2_list_credentials:
      key: "identity:ec2_list_credentials"
      value: "rule:admin_required or rule:owner"
    keystone-identity_ec2_create_credential:
      key: "identity:ec2_create_credential"
      value: "rule:admin_required or rule:owner"
    keystone-identity_ec2_delete_credential:
      key: "identity:ec2_delete_credential"
      value: "rule:admin_required or user_id:%(target.credential.user_id)s"
    # Endpoints, endpoint groups and their project associations: every
    # operation, reads included, is admin-only.
    keystone-identity_get_endpoint:
      key: "identity:get_endpoint"
      value: "rule:admin_required"
    keystone-identity_list_endpoints:
      key: "identity:list_endpoints"
      value: "rule:admin_required"
    keystone-identity_create_endpoint:
      key: "identity:create_endpoint"
      value: "rule:admin_required"
    keystone-identity_update_endpoint:
      key: "identity:update_endpoint"
      value: "rule:admin_required"
    keystone-identity_delete_endpoint:
      key: "identity:delete_endpoint"
      value: "rule:admin_required"
    keystone-identity_create_endpoint_group:
      key: "identity:create_endpoint_group"
      value: "rule:admin_required"
    keystone-identity_list_endpoint_groups:
      key: "identity:list_endpoint_groups"
      value: "rule:admin_required"
    keystone-identity_get_endpoint_group:
      key: "identity:get_endpoint_group"
      value: "rule:admin_required"
    keystone-identity_update_endpoint_group:
      key: "identity:update_endpoint_group"
      value: "rule:admin_required"
    keystone-identity_delete_endpoint_group:
      key: "identity:delete_endpoint_group"
      value: "rule:admin_required"
    keystone-identity_list_projects_associated_with_endpoint_group:
      key: "identity:list_projects_associated_with_endpoint_group"
      value: "rule:admin_required"
    keystone-identity_list_endpoints_associated_with_endpoint_group:
      key: "identity:list_endpoints_associated_with_endpoint_group"
      value: "rule:admin_required"
    keystone-identity_get_endpoint_group_in_project:
      key: "identity:get_endpoint_group_in_project"
      value: "rule:admin_required"
    keystone-identity_list_endpoint_groups_for_project:
      key: "identity:list_endpoint_groups_for_project"
      value: "rule:admin_required"
    keystone-identity_add_endpoint_group_to_project:
      key: "identity:add_endpoint_group_to_project"
      value: "rule:admin_required"
    keystone-identity_remove_endpoint_group_from_project:
      key: "identity:remove_endpoint_group_from_project"
      value: "rule:admin_required"
    # Role grants. After admin_required, each parenthesised alternative
    # requires the caller's domain_id to match both the actor (user or group)
    # and the target (project or domain). check/create/revoke add a trailing
    # clause on the role's own domain; "None:%(target.role.domain_id)s"
    # presumably admits global roles that have no domain - verify.
    # create_grant and revoke_grant use role:admin inside those alternatives,
    # but admin_required in this mapping is itself "role:admin", so an admin
    # token passes before any domain match is evaluated. The domain matching
    # effectively constrains only the reader paths (check_grant, list_grants).
    keystone-identity_check_grant:
      key: "identity:check_grant"
      value: "rule:admin_required or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
    keystone-identity_list_grants:
      key: "identity:list_grants"
      value: "rule:admin_required or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)"
    keystone-identity_create_grant:
      key: "identity:create_grant"
      value: "rule:admin_required or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
    keystone-identity_revoke_grant:
      key: "identity:revoke_grant"
      value: "rule:admin_required or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
    # System-level role grants for users and groups: admin-only. With
    # admin_required defined as a bare role:admin, these checks do not
    # themselves require a system-scoped token.
    keystone-identity_list_system_grants_for_user:
      key: "identity:list_system_grants_for_user"
      value: "rule:admin_required"
    keystone-identity_check_system_grant_for_user:
      key: "identity:check_system_grant_for_user"
      value: "rule:admin_required"
    keystone-identity_create_system_grant_for_user:
      key: "identity:create_system_grant_for_user"
      value: "rule:admin_required"
    keystone-identity_revoke_system_grant_for_user:
      key: "identity:revoke_system_grant_for_user"
      value: "rule:admin_required"
    keystone-identity_list_system_grants_for_group:
      key: "identity:list_system_grants_for_group"
      value: "rule:admin_required"
    keystone-identity_check_system_grant_for_group:
      key: "identity:check_system_grant_for_group"
      value: "rule:admin_required"
    keystone-identity_create_system_grant_for_group:
      key: "identity:create_system_grant_for_group"
      value: "rule:admin_required"
    keystone-identity_revoke_system_grant_for_group:
      key: "identity:revoke_system_grant_for_group"
      value: "rule:admin_required"
    # Groups and membership. Reads allow a reader whose domain matches the
    # group's domain (list_groups_for_user also allows the user themselves).
    # Writes name "role:admin and domain_id:..." as the domain-admin path,
    # but admin_required (role:admin) already accepts any admin token, so the
    # domain match on create/update/delete/add/remove is not enforced by
    # these rules as written.
    keystone-identity_get_group:
      key: "identity:get_group"
      value: "rule:admin_required or (role:reader and domain_id:%(target.group.domain_id)s)"
    keystone-identity_list_groups:
      key: "identity:list_groups"
      value: "rule:admin_required or (role:reader and domain_id:%(target.group.domain_id)s)"
    keystone-identity_list_groups_for_user:
      key: "identity:list_groups_for_user"
      value: "rule:admin_required or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s"
    keystone-identity_create_group:
      key: "identity:create_group"
      value: "rule:admin_required or (role:admin and domain_id:%(target.group.domain_id)s)"
    keystone-identity_update_group:
      key: "identity:update_group"
      value: "rule:admin_required or (role:admin and domain_id:%(target.group.domain_id)s)"
    keystone-identity_delete_group:
      key: "identity:delete_group"
      value: "rule:admin_required or (role:admin and domain_id:%(target.group.domain_id)s)"
    keystone-identity_list_users_in_group:
      key: "identity:list_users_in_group"
      value: "rule:admin_required or (role:reader and domain_id:%(target.group.domain_id)s)"
    keystone-identity_remove_user_from_group:
      key: "identity:remove_user_from_group"
      value: "rule:admin_required or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
    keystone-identity_check_user_in_group:
      key: "identity:check_user_in_group"
      value: "rule:admin_required or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
    keystone-identity_add_user_to_group:
      key: "identity:add_user_to_group"
      value: "rule:admin_required or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
    # Identity providers and implied-role (role inference) management:
    # admin-only, reads included.
    keystone-identity_create_identity_provider:
      key: "identity:create_identity_provider"
      value: "rule:admin_required"
    keystone-identity_list_identity_providers:
      key: "identity:list_identity_providers"
      value: "rule:admin_required"
    keystone-identity_get_identity_provider:
      key: "identity:get_identity_provider"
      value: "rule:admin_required"
    keystone-identity_update_identity_provider:
      key: "identity:update_identity_provider"
      value: "rule:admin_required"
    keystone-identity_delete_identity_provider:
      key: "identity:delete_identity_provider"
      value: "rule:admin_required"
    keystone-identity_get_implied_role:
      key: "identity:get_implied_role"
      value: "rule:admin_required"
    keystone-identity_list_implied_roles:
      key: "identity:list_implied_roles"
      value: "rule:admin_required"
    keystone-identity_create_implied_role:
      key: "identity:create_implied_role"
      value: "rule:admin_required"
    keystone-identity_delete_implied_role:
      key: "identity:delete_implied_role"
      value: "rule:admin_required"
    keystone-identity_list_role_inference_rules:
      key: "identity:list_role_inference_rules"
      value: "rule:admin_required"
    keystone-identity_check_implied_role:
      key: "identity:check_implied_role"
      value: "rule:admin_required"
    # Limits. get_limit_model and list_limits carry an empty rule, which
    # always passes, so the policy layer places no restriction on them.
    # NOTE(review): any per-project filtering of list_limits would have to
    # happen in Keystone itself - verify.
    # get_limit admits a caller whose domain matches the limit's domain (or
    # its project's domain), or whose project matches the limit's project;
    # the "not None:" guard keeps a limit without a project_id from matching.
    # Writes are admin-only.
    keystone-identity_get_limit_model:
      key: "identity:get_limit_model"
      value: ""
    keystone-identity_get_limit:
      key: "identity:get_limit"
      value: "rule:admin_required or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)"
    keystone-identity_list_limits:
      key: "identity:list_limits"
      value: ""
    keystone-identity_create_limits:
      key: "identity:create_limits"
      value: "rule:admin_required"
    keystone-identity_update_limit:
      key: "identity:update_limit"
      value: "rule:admin_required"
    keystone-identity_delete_limit:
      key: "identity:delete_limit"
      value: "rule:admin_required"
    # Mappings, policy objects and policy associations (endpoint, service,
    # region+service): every operation is admin-only.
    keystone-identity_create_mapping:
      key: "identity:create_mapping"
      value: "rule:admin_required"
    keystone-identity_get_mapping:
      key: "identity:get_mapping"
      value: "rule:admin_required"
    keystone-identity_list_mappings:
      key: "identity:list_mappings"
      value: "rule:admin_required"
    keystone-identity_delete_mapping:
      key: "identity:delete_mapping"
      value: "rule:admin_required"
    keystone-identity_update_mapping:
      key: "identity:update_mapping"
      value: "rule:admin_required"
    keystone-identity_get_policy:
      key: "identity:get_policy"
      value: "rule:admin_required"
    keystone-identity_list_policies:
      key: "identity:list_policies"
      value: "rule:admin_required"
    keystone-identity_create_policy:
      key: "identity:create_policy"
      value: "rule:admin_required"
    keystone-identity_update_policy:
      key: "identity:update_policy"
      value: "rule:admin_required"
    keystone-identity_delete_policy:
      key: "identity:delete_policy"
      value: "rule:admin_required"
    keystone-identity_create_policy_association_for_endpoint:
      key: "identity:create_policy_association_for_endpoint"
      value: "rule:admin_required"
    keystone-identity_check_policy_association_for_endpoint:
      key: "identity:check_policy_association_for_endpoint"
      value: "rule:admin_required"
    keystone-identity_delete_policy_association_for_endpoint:
      key: "identity:delete_policy_association_for_endpoint"
      value: "rule:admin_required"
    keystone-identity_create_policy_association_for_service:
      key: "identity:create_policy_association_for_service"
      value: "rule:admin_required"
    keystone-identity_check_policy_association_for_service:
      key: "identity:check_policy_association_for_service"
      value: "rule:admin_required"
    keystone-identity_delete_policy_association_for_service:
      key: "identity:delete_policy_association_for_service"
      value: "rule:admin_required"
    keystone-identity_create_policy_association_for_region_and_service:
      key: "identity:create_policy_association_for_region_and_service"
      value: "rule:admin_required"
    keystone-identity_check_policy_association_for_region_and_service:
      key: "identity:check_policy_association_for_region_and_service"
      value: "rule:admin_required"
    keystone-identity_delete_policy_association_for_region_and_service:
      key: "identity:delete_policy_association_for_region_and_service"
      value: "rule:admin_required"
    keystone-identity_get_policy_for_endpoint:
      key: "identity:get_policy_for_endpoint"
      value: "rule:admin_required"
    keystone-identity_list_endpoints_for_policy:
      key: "identity:list_endpoints_for_policy"
      value: "rule:admin_required"
    # Projects and project tags. Reads allow a domain reader, and for
    # get_project and the tag reads also a token scoped to the project itself
    # (project_id:%(target.project.id)s, no role required).
    # The write rules list domain-admin and project-admin alternatives
    # ("role:admin and domain_id/project_id ..."), but admin_required is
    # "role:admin" in this mapping, so any admin token already passes and
    # those scope conditions are not enforced as written.
    keystone-identity_get_project:
      key: "identity:get_project"
      value: "rule:admin_required or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
    keystone-identity_list_projects:
      key: "identity:list_projects"
      value: "rule:admin_required or (role:reader and domain_id:%(target.domain_id)s)"
    keystone-identity_list_user_projects:
      key: "identity:list_user_projects"
      value: "rule:admin_required or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"
    keystone-identity_create_project:
      key: "identity:create_project"
      value: "rule:admin_required or (role:admin and domain_id:%(target.project.domain_id)s)"
    keystone-identity_update_project:
      key: "identity:update_project"
      value: "rule:admin_required or (role:admin and domain_id:%(target.project.domain_id)s)"
    keystone-identity_delete_project:
      key: "identity:delete_project"
      value: "rule:admin_required or (role:admin and domain_id:%(target.project.domain_id)s)"
    keystone-identity_list_project_tags:
      key: "identity:list_project_tags"
      value: "rule:admin_required or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
    keystone-identity_get_project_tag:
      key: "identity:get_project_tag"
      value: "rule:admin_required or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
    keystone-identity_update_project_tags:
      key: "identity:update_project_tags"
      value: "rule:admin_required or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
    keystone-identity_create_project_tag:
      key: "identity:create_project_tag"
      value: "rule:admin_required or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
    keystone-identity_delete_project_tags:
      key: "identity:delete_project_tags"
      value: "rule:admin_required or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
    keystone-identity_delete_project_tag:
      key: "identity:delete_project_tag"
      value: "rule:admin_required or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
    # Project/endpoint associations and protocol CRUD: admin-only.
    keystone-identity_list_projects_for_endpoint:
      key: "identity:list_projects_for_endpoint"
      value: "rule:admin_required"
    keystone-identity_add_endpoint_to_project:
      key: "identity:add_endpoint_to_project"
      value: "rule:admin_required"
    keystone-identity_check_endpoint_in_project:
      key: "identity:check_endpoint_in_project"
      value: "rule:admin_required"
    keystone-identity_list_endpoints_for_project:
      key: "identity:list_endpoints_for_project"
      value: "rule:admin_required"
    keystone-identity_remove_endpoint_from_project:
      key: "identity:remove_endpoint_from_project"
      value: "rule:admin_required"
    keystone-identity_create_protocol:
      key: "identity:create_protocol"
      value: "rule:admin_required"
    keystone-identity_update_protocol:
      key: "identity:update_protocol"
      value: "rule:admin_required"
    keystone-identity_get_protocol:
      key: "identity:get_protocol"
      value: "rule:admin_required"
    keystone-identity_list_protocols:
      key: "identity:list_protocols"
      value: "rule:admin_required"
    keystone-identity_delete_protocol:
      key: "identity:delete_protocol"
      value: "rule:admin_required"
    # Regions and registered limits: the get/list rules are empty strings,
    # which always pass, so any authenticated caller can read them. Create,
    # update and delete are admin-only.
    keystone-identity_get_region:
      key: "identity:get_region"
      value: ""
    keystone-identity_list_regions:
      key: "identity:list_regions"
      value: ""
    keystone-identity_create_region:
      key: "identity:create_region"
      value: "rule:admin_required"
    keystone-identity_update_region:
      key: "identity:update_region"
      value: "rule:admin_required"
    keystone-identity_delete_region:
      key: "identity:delete_region"
      value: "rule:admin_required"
    keystone-identity_get_registered_limit:
      key: "identity:get_registered_limit"
      value: ""
    keystone-identity_list_registered_limits:
      key: "identity:list_registered_limits"
      value: ""
    keystone-identity_create_registered_limits:
      key: "identity:create_registered_limits"
      value: "rule:admin_required"
    keystone-identity_update_registered_limit:
      key: "identity:update_registered_limit"
      value: "rule:admin_required"
    keystone-identity_delete_registered_limit:
      key: "identity:delete_registered_limit"
      value: "rule:admin_required"
    # Revocation events are readable through rule:service_or_admin, a rule
    # defined outside this group of entries.
    keystone-identity_list_revoke_events:
      key: "identity:list_revoke_events"
      value: "rule:service_or_admin"
    # Role operations: reads as well as writes require rule:admin_required, so
    # the role catalogue is not visible to non-admin callers.
    keystone-identity_get_role:
      key: "identity:get_role"
      value: "rule:admin_required"
    keystone-identity_list_roles:
      key: "identity:list_roles"
      value: "rule:admin_required"
    keystone-identity_create_role:
      key: "identity:create_role"
      value: "rule:admin_required"
    keystone-identity_update_role:
      key: "identity:update_role"
      value: "rule:admin_required"
    keystone-identity_delete_role:
      key: "identity:delete_role"
      value: "rule:admin_required"
    # Domain-role operations: all require rule:admin_required. No
    # domain-matching alternative is offered, unlike the user rules in this
    # section.
    keystone-identity_get_domain_role:
      key: "identity:get_domain_role"
      value: "rule:admin_required"
    keystone-identity_list_domain_roles:
      key: "identity:list_domain_roles"
      value: "rule:admin_required"
    keystone-identity_create_domain_role:
      key: "identity:create_domain_role"
      value: "rule:admin_required"
    keystone-identity_update_domain_role:
      key: "identity:update_domain_role"
      value: "rule:admin_required"
    keystone-identity_delete_domain_role:
      key: "identity:delete_domain_role"
      value: "rule:admin_required"
    # Listing role assignments: admin, or role:reader when the caller's
    # domain_id equals the targeted domain.
    keystone-identity_list_role_assignments:
      key: "identity:list_role_assignments"
      value: "rule:admin_required or (role:reader and domain_id:%(target.domain_id)s)"
    # The tree variant matches the reader's domain against the target project's
    # domain, and additionally admits role:admin on the target project itself.
    keystone-identity_list_role_assignments_for_tree:
      key: "identity:list_role_assignments_for_tree"
      value: "rule:admin_required or (role:reader and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
    # Service operations: reads and writes require rule:admin_required.
    keystone-identity_get_service:
      key: "identity:get_service"
      value: "rule:admin_required"
    keystone-identity_list_services:
      key: "identity:list_services"
      value: "rule:admin_required"
    keystone-identity_create_service:
      key: "identity:create_service"
      value: "rule:admin_required"
    keystone-identity_update_service:
      key: "identity:update_service"
      value: "rule:admin_required"
    keystone-identity_delete_service:
      key: "identity:delete_service"
      value: "rule:admin_required"
    # Service-provider operations: reads and writes require
    # rule:admin_required.
    keystone-identity_create_service_provider:
      key: "identity:create_service_provider"
      value: "rule:admin_required"
    keystone-identity_list_service_providers:
      key: "identity:list_service_providers"
      value: "rule:admin_required"
    keystone-identity_get_service_provider:
      key: "identity:get_service_provider"
      value: "rule:admin_required"
    keystone-identity_update_service_provider:
      key: "identity:update_service_provider"
      value: "rule:admin_required"
    keystone-identity_delete_service_provider:
      key: "identity:delete_service_provider"
      value: "rule:admin_required"
    # Token revocation list and token operations. The rules referenced here
    # (service_or_admin, token_subject, service_role) are defined outside this
    # group of entries.
    keystone-identity_revocation_list:
      key: "identity:revocation_list"
      value: "rule:service_or_admin"
    # check_token and revoke_token: admin or rule:token_subject.
    # validate_token additionally admits rule:service_role.
    # NOTE(review): verify that service_role is limited to service accounts,
    # since it grants validation of any token.
    keystone-identity_check_token:
      key: "identity:check_token"
      value: "rule:admin_required or rule:token_subject"
    keystone-identity_validate_token:
      key: "identity:validate_token"
      value: "rule:admin_required or rule:service_role or rule:token_subject"
    keystone-identity_revoke_token:
      key: "identity:revoke_token"
      value: "rule:admin_required or rule:token_subject"
    # Trust creation has no admin alternative: the caller's user_id must equal
    # the trust's trustor_user_id. This rule reads "trust.", not
    # "target.trust." as the other trust rules do.
    # NOTE(review): presumably the value comes from the request body because
    # the trust does not exist yet -- confirm.
    keystone-identity_create_trust:
      key: "identity:create_trust"
      value: "user_id:%(trust.trustor_user_id)s"
    # The unfiltered listing is admin-only; the filtered listings also admit
    # the trustor or the trustee whose id is being filtered on.
    keystone-identity_list_trusts:
      key: "identity:list_trusts"
      value: "rule:admin_required"
    keystone-identity_list_trusts_for_trustor:
      key: "identity:list_trusts_for_trustor"
      value: "rule:admin_required or user_id:%(target.trust.trustor_user_id)s"
    keystone-identity_list_trusts_for_trustee:
      key: "identity:list_trusts_for_trustee"
      value: "rule:admin_required or user_id:%(target.trust.trustee_user_id)s"
    # Reading a trust or its roles: admin, trustor or trustee.
    keystone-identity_list_roles_for_trust:
      key: "identity:list_roles_for_trust"
      value: "rule:admin_required or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s"
    keystone-identity_get_role_for_trust:
      key: "identity:get_role_for_trust"
      value: "rule:admin_required or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s"
    # Deleting a trust: admin or trustor only; the trustee is not admitted.
    keystone-identity_delete_trust:
      key: "identity:delete_trust"
      value: "rule:admin_required or user_id:%(target.trust.trustor_user_id)s"
    keystone-identity_get_trust:
      key: "identity:get_trust"
      value: "rule:admin_required or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s"
    # Reading a user: admin, a reader whose token domain matches the user's
    # domain, or the user themselves.
    keystone-identity_get_user:
      key: "identity:get_user"
      value: "rule:admin_required or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"
    # Listing users: admin, or a reader whose domain_id matches the targeted
    # domain.
    keystone-identity_list_users:
      key: "identity:list_users"
      value: "rule:admin_required or (role:reader and domain_id:%(target.domain_id)s)"
    # Empty check strings: oslo.policy evaluates "" as always true, so the
    # policy layer does not restrict these two listings.
    # NOTE(review): presumably the API limits the result to the caller's own
    # projects/domains -- confirm, since the rule does not.
    keystone-identity_list_projects_for_user:
      key: "identity:list_projects_for_user"
      value: ""
    keystone-identity_list_domains_for_user:
      key: "identity:list_domains_for_user"
      value: ""
    # User writes: admin, or role:admin with a token domain matching the
    # target user's domain. There is no self-service (user_id) alternative.
    keystone-identity_create_user:
      key: "identity:create_user"
      value: "rule:admin_required or (role:admin and token.domain.id:%(target.user.domain_id)s)"
    keystone-identity_update_user:
      key: "identity:update_user"
      value: "rule:admin_required or (role:admin and token.domain.id:%(target.user.domain_id)s)"
    keystone-identity_delete_user:
      key: "identity:delete_user"
      value: "rule:admin_required or (role:admin and token.domain.id:%(target.user.domain_id)s)"
  # Barbican policy overrides. Each entry's key is a policy name and its value
  # an oslo.policy check string. In these expressions "and" binds tighter than
  # "or", so the recurring pattern "A and (B or C) or D" reads as
  # "(A and (B or C)) or D".
  BarbicanPolicies:
    # Role aliases: matched on the role name only, with no project or scope
    # term.
    barbican-admin:
      key: "admin"
      value: "role:admin"
    barbican-member:
      key: "member"
      value: "role:member"
    barbican-reader:
      key: "reader"
      value: "role:reader"
    # Ownership and ACL predicates used by the per-operation rules below.
    # *_owner compares the caller's user_id with the resource's creator_id;
    # *_acl_read and *_is_not_private_read compare a quoted literal
    # ('read' / 'True') with an attribute of the target.
    barbican-secret_owner:
      key: "secret_owner"
      value: "user_id:%(target.secret.creator_id)s"
    barbican-secret_acl_read:
      key: "secret_acl_read"
      value: "'read':%(target.secret.read)s"
    barbican-secret_is_not_private_read:
      key: "secret_is_not_private_read"
      value: "'True':%(target.secret.read_project_access)s"
    barbican-container_owner:
      key: "container_owner"
      value: "user_id:%(target.container.creator_id)s"
    barbican-container_acl_read:
      key: "container_acl_read"
      value: "'read':%(target.container.read)s"
    barbican-container_is_not_private_read:
      key: "container_is_not_private_read"
      value: "'True':%(target.container.read_project_access)s"
    # Role alias plus a match between the caller's project_id and the
    # resource's project_id.
    barbican-secret_project_admin:
      key: "secret_project_admin"
      value: "rule:admin and project_id:%(target.secret.project_id)s"
    barbican-secret_project_member:
      key: "secret_project_member"
      value: "rule:member and project_id:%(target.secret.project_id)s"
    barbican-container_project_admin:
      key: "container_project_admin"
      value: "rule:admin and project_id:%(target.container.project_id)s"
    barbican-container_project_member:
      key: "container_project_member"
      value: "rule:member and project_id:%(target.container.project_id)s"
    # ACL operations. get, delete and put_patch share one predicate, so a
    # project member who is not the creator can also change or delete the ACL
    # of a secret or container whose read_project_access is 'True'.
    # NOTE(review): confirm that ACL write access for non-owners is intended.
    barbican-secret_acls_get:
      key: "secret_acls:get"
      value: "rule:secret_project_member and (rule:secret_owner or rule:secret_is_not_private_read) or rule:secret_project_admin"
    barbican-secret_acls_delete:
      key: "secret_acls:delete"
      value: "rule:secret_project_member and (rule:secret_owner or rule:secret_is_not_private_read) or rule:secret_project_admin"
    barbican-secret_acls_put_patch:
      key: "secret_acls:put_patch"
      value: "rule:secret_project_member and (rule:secret_owner or rule:secret_is_not_private_read) or rule:secret_project_admin"
    barbican-container_acls_get:
      key: "container_acls:get"
      value: "rule:container_project_member and (rule:container_owner or rule:container_is_not_private_read) or rule:container_project_admin"
    barbican-container_acls_delete:
      key: "container_acls:delete"
      value: "rule:container_project_member and (rule:container_owner or rule:container_is_not_private_read) or rule:container_project_admin"
    barbican-container_acls_put_patch:
      key: "container_acls:put_patch"
      value: "rule:container_project_member and (rule:container_owner or rule:container_is_not_private_read) or rule:container_project_admin"
    # Consumer operations reuse the container predicate (project member who is
    # the creator or whose container is not private, or project admin).
    barbican-consumer_get:
      key: "consumer:get"
      value: "rule:container_project_member and (rule:container_owner or rule:container_is_not_private_read) or rule:container_project_admin"
    barbican-consumers_get:
      key: "consumers:get"
      value: "rule:container_project_member and (rule:container_owner or rule:container_is_not_private_read) or rule:container_project_admin"
    barbican-consumers_post:
      key: "consumers:post"
      value: "rule:container_project_member and (rule:container_owner or rule:container_is_not_private_read) or rule:container_project_admin"
    barbican-consumers_delete:
      key: "consumers:delete"
      value: "rule:container_project_member and (rule:container_owner or rule:container_is_not_private_read) or rule:container_project_admin"
    # Collection-level container operations need role:member only; the rule
    # has no project_id term.
    # NOTE(review): presumably the API scopes results to the caller's
    # project -- confirm, since the policy does not express it.
    barbican-containers_post:
      key: "containers:post"
      value: "rule:member"
    barbican-containers_get:
      key: "containers:get"
      value: "rule:member"
    # container:get also accepts rule:container_acl_read as a standalone
    # alternative, i.e. without the project-membership term.
    barbican-container_get:
      key: "container:get"
      value: "rule:container_project_member and (rule:container_owner or rule:container_is_not_private_read) or rule:container_acl_read or rule:container_project_admin"
    barbican-container_delete:
      key: "container:delete"
      value: "rule:container_project_member and (rule:container_owner or rule:container_is_not_private_read) or rule:container_project_admin"
    barbican-container_secret_post:
      key: "container_secret:post"
      value: "rule:container_project_member and (rule:container_owner or rule:container_is_not_private_read) or rule:container_project_admin"
    barbican-container_secret_delete:
      key: "container_secret:delete"
      value: "rule:container_project_member and (rule:container_owner or rule:container_is_not_private_read) or rule:container_project_admin"
    # Order operations, including get/delete of a single order, require only
    # role:member; no owner or project_id term appears in these rules.
    # NOTE(review): verify that project isolation for orders is enforced
    # outside the policy.
    barbican-orders_get:
      key: "orders:get"
      value: "rule:member"
    barbican-orders_post:
      key: "orders:post"
      value: "rule:member"
    barbican-orders_put:
      key: "orders:put"
      value: "rule:member"
    barbican-order_get:
      key: "order:get"
      value: "rule:member"
    barbican-order_delete:
      key: "order:delete"
      value: "rule:member"
    # quotas:get is open to role:reader. project_quotas:* need rule:admin,
    # which is role:admin without a project or system_scope term, so an admin
    # role held on any project satisfies it.
    # NOTE(review): confirm this breadth is intended for quota changes.
    barbican-quotas_get:
      key: "quotas:get"
      value: "rule:reader"
    barbican-project_quotas_get:
      key: "project_quotas:get"
      value: "rule:admin"
    barbican-project_quotas_put:
      key: "project_quotas:put"
      value: "rule:admin"
    barbican-project_quotas_delete:
      key: "project_quotas:delete"
      value: "rule:admin"
    # Secret metadata. Only the read (secret_meta:get) accepts
    # rule:secret_acl_read as a standalone alternative; the writes do not.
    barbican-secret_meta_get:
      key: "secret_meta:get"
      value: "rule:secret_project_member and (rule:secret_owner or rule:secret_is_not_private_read) or rule:secret_acl_read or rule:secret_project_admin"
    barbican-secret_meta_post:
      key: "secret_meta:post"
      value: "rule:secret_project_member and (rule:secret_owner or rule:secret_is_not_private_read) or rule:secret_project_admin"
    barbican-secret_meta_put:
      key: "secret_meta:put"
      value: "rule:secret_project_member and (rule:secret_owner or rule:secret_is_not_private_read) or rule:secret_project_admin"
    barbican-secret_meta_delete:
      key: "secret_meta:delete"
      value: "rule:secret_project_member and (rule:secret_owner or rule:secret_is_not_private_read) or rule:secret_project_admin"
    # secret:decrypt and secret:get return secret material or its description
    # and accept rule:secret_acl_read without the project-membership term.
    # NOTE(review): presumably this is how users named in a secret's read ACL
    # get access from outside the project -- confirm.
    barbican-secret_decrypt:
      key: "secret:decrypt"
      value: "rule:secret_project_member and (rule:secret_owner or rule:secret_is_not_private_read) or rule:secret_acl_read or rule:secret_project_admin"
    barbican-secret_get:
      key: "secret:get"
      value: "rule:secret_project_member and (rule:secret_owner or rule:secret_is_not_private_read) or rule:secret_acl_read or rule:secret_project_admin"
    # secret:put and secret:delete: a non-creator project member passes when
    # the secret's read_project_access is 'True'.
    barbican-secret_put:
      key: "secret:put"
      value: "rule:secret_project_member and (rule:secret_owner or rule:secret_is_not_private_read) or rule:secret_project_admin"
    barbican-secret_delete:
      key: "secret:delete"
      value: "rule:secret_project_member and (rule:secret_owner or rule:secret_is_not_private_read) or rule:secret_project_admin"
    # Collection-level secret operations need role:member only (no project_id
    # term in the rule).
    barbican-secrets_post:
      key: "secrets:post"
      value: "rule:member"
    barbican-secrets_get:
      key: "secrets:get"
      value: "rule:member"
    # Secret-store reads are open to role:reader; changing the preferred store
    # requires rule:admin.
    barbican-secretstores_get:
      key: "secretstores:get"
      value: "rule:reader"
    barbican-secretstores_get_global_default:
      key: "secretstores:get_global_default"
      value: "rule:reader"
    barbican-secretstores_get_preferred:
      key: "secretstores:get_preferred"
      value: "rule:reader"
    barbican-secretstore_preferred_post:
      key: "secretstore_preferred:post"
      value: "rule:admin"
    barbican-secretstore_preferred_delete:
      key: "secretstore_preferred:delete"
      value: "rule:admin"
    barbican-secretstore_get:
      key: "secretstore:get"
      value: "rule:reader"
    # Transport keys: reads for role:reader, create/delete for rule:admin.
    barbican-transport_key_get:
      key: "transport_key:get"
      value: "rule:reader"
    barbican-transport_key_delete:
      key: "transport_key:delete"
      value: "rule:admin"
    barbican-transport_keys_get:
      key: "transport_keys:get"
      value: "rule:reader"
    barbican-transport_keys_post:
      key: "transport_keys:post"
      value: "rule:admin"
  ManilaApiPolicies:
    # Persona rules. system-* require system_scope:all; project-* require the
    # caller's project_id to equal the target's project_id. Roles are matched
    # by literal name, so a member passes a project-reader check only if the
    # reader role is also on the token.
    # NOTE(review): presumably supplied through implied roles -- confirm.
    manila-system-admin:
      key: "system-admin"
      value: "role:admin and system_scope:all"
    manila-system-member:
      key: "system-member"
      value: "role:member and system_scope:all"
    manila-system-reader:
      key: "system-reader"
      value: "role:reader and system_scope:all"
    manila-project-admin:
      key: "project-admin"
      value: "role:admin and project_id:%(project_id)s"
    manila-project-member:
      key: "project-member"
      value: "role:member and project_id:%(project_id)s"
    manila-project-reader:
      key: "project-reader"
      value: "role:reader and project_id:%(project_id)s"
    # context_is_admin requires the system-scoped admin persona, whereas
    # admin_api further down is role:admin alone.
    manila-context_is_admin:
      key: "context_is_admin"
      value: "rule:system-admin"
    manila-admin_or_owner:
      key: "admin_or_owner"
      value: "is_admin:True or project_id:%(project_id)s"
    # Fallback rule name "default" points at admin_or_owner.
    manila-default:
      key: "default"
      value: "rule:admin_or_owner"
    # admin_api matches on the role name only: no project_id or system_scope
    # term. Every rule in this section that references rule:admin_api is
    # therefore satisfied by an admin role assignment on any project.
    # NOTE(review): confirm this breadth is intended.
    manila-admin_api:
      key: "admin_api"
      value: "role:admin"
    # Availability-zone listing is open to project readers; scheduler pool
    # statistics are limited to rule:admin_api.
    manila-availability_zone_index:
      key: "availability_zone:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-scheduler_stats_pools_index:
      key: "scheduler_stats:pools:index"
      value: "rule:admin_api"
    manila-scheduler_stats_pools_detail:
      key: "scheduler_stats:pools:detail"
      value: "rule:admin_api"
    # Share operations. Three tiers appear below:
    #   reads                      -> admin_api or project-reader
    #   ordinary writes            -> admin_api or project-member
    #   force/reset operations     -> admin_api or project-admin
    # Public shares, manage/unmanage, host listings and migration are
    # admin_api only.
    # project-admin is role:admin plus a project_id match and admin_api is
    # role:admin alone (both defined at the top of ManilaApiPolicies), so in
    # "(rule:admin_api) or (rule:project-admin)" the second term never widens
    # access: any caller with role:admin passes whatever the target's project.
    # NOTE(review): confirm this is intended for the force/reset operations.
    manila-share_create:
      key: "share:create"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_create_public_share:
      key: "share:create_public_share"
      value: "rule:admin_api"
    manila-share_get:
      key: "share:get"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_get_all:
      key: "share:get_all"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_update:
      key: "share:update"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_set_public_share:
      key: "share:set_public_share"
      value: "rule:admin_api"
    manila-share_delete:
      key: "share:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_force_delete:
      key: "share:force_delete"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_manage:
      key: "share:manage"
      value: "rule:admin_api"
    manila-share_unmanage:
      key: "share:unmanage"
      value: "rule:admin_api"
    manila-share_list_by_host:
      key: "share:list_by_host"
      value: "rule:admin_api"
    manila-share_list_by_share_server_id:
      key: "share:list_by_share_server_id"
      value: "rule:admin_api"
    manila-share_access_get:
      key: "share:access_get"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_access_get_all:
      key: "share:access_get_all"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_extend:
      key: "share:extend"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_force_extend:
      key: "share:force_extend"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_shrink:
      key: "share:shrink"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_migration_start:
      key: "share:migration_start"
      value: "rule:admin_api"
    manila-share_migration_complete:
      key: "share:migration_complete"
      value: "rule:admin_api"
    manila-share_migration_cancel:
      key: "share:migration_cancel"
      value: "rule:admin_api"
    manila-share_migration_get_progress:
      key: "share:migration_get_progress"
      value: "rule:admin_api"
    manila-share_reset_task_state:
      key: "share:reset_task_state"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_reset_status:
      key: "share:reset_status"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_revert_to_snapshot:
      key: "share:revert_to_snapshot"
      value: "(rule:admin_api) or (rule:project-member)"
    # allow_access/deny_access change who can reach a share; they sit in the
    # project-member tier.
    manila-share_allow_access:
      key: "share:allow_access"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_deny_access:
      key: "share:deny_access"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_update_share_metadata:
      key: "share:update_share_metadata"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_delete_share_metadata:
      key: "share:delete_share_metadata"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_get_share_metadata:
      key: "share:get_share_metadata"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_create_snapshot:
      key: "share:create_snapshot"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_delete_snapshot:
      key: "share:delete_snapshot"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_snapshot_update:
      key: "share:snapshot_update"
      value: "(rule:admin_api) or (rule:project-member)"
    # Export locations of share instances: rule:admin_api only.
    manila-share_instance_export_location_index:
      key: "share_instance_export_location:index"
      value: "rule:admin_api"
    manila-share_instance_export_location_show:
      key: "share_instance_export_location:show"
      value: "rule:admin_api"
    # Share types: show/index/default are open to project readers; create,
    # update, delete and the project-access list are rule:admin_api only.
    manila-share_type_create:
      key: "share_type:create"
      value: "rule:admin_api"
    manila-share_type_update:
      key: "share_type:update"
      value: "rule:admin_api"
    manila-share_type_show:
      key: "share_type:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_type_index:
      key: "share_type:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_type_default:
      key: "share_type:default"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_type_delete:
      key: "share_type:delete"
      value: "rule:admin_api"
    manila-share_type_list_project_access:
      key: "share_type:list_project_access"
      value: "rule:admin_api"
    manila-share_type_add_project_access:
      key: "share_type:add_project_access"
      value: "rule:admin_api"
    manila-share_type_remove_project_access:
      key: "share_type:remove_project_access"
      value: "rule:admin_api"
    # Share-type extra specs: reads and writes alike are rule:admin_api only.
    manila-share_types_extra_spec_create:
      key: "share_types_extra_spec:create"
      value: "rule:admin_api"
    manila-share_types_extra_spec_show:
      key: "share_types_extra_spec:show"
      value: "rule:admin_api"
    manila-share_types_extra_spec_index:
      key: "share_types_extra_spec:index"
      value: "rule:admin_api"
    manila-share_types_extra_spec_update:
      key: "share_types_extra_spec:update"
      value: "rule:admin_api"
    manila-share_types_extra_spec_delete:
      key: "share_types_extra_spec:delete"
      value: "rule:admin_api"
    # Share snapshots: reads for project readers, access-rule changes for
    # project members, manage/unmanage for rule:admin_api only. In the
    # force_delete/reset_status rules the project-admin term (role:admin plus a
    # project match) is already covered by admin_api (role:admin alone).
    manila-share_snapshot_get_snapshot:
      key: "share_snapshot:get_snapshot"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_snapshot_get_all_snapshots:
      key: "share_snapshot:get_all_snapshots"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_snapshot_force_delete:
      key: "share_snapshot:force_delete"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_snapshot_manage_snapshot:
      key: "share_snapshot:manage_snapshot"
      value: "rule:admin_api"
    manila-share_snapshot_unmanage_snapshot:
      key: "share_snapshot:unmanage_snapshot"
      value: "rule:admin_api"
    manila-share_snapshot_reset_status:
      key: "share_snapshot:reset_status"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_snapshot_access_list:
      key: "share_snapshot:access_list"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_snapshot_allow_access:
      key: "share_snapshot:allow_access"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_snapshot_deny_access:
      key: "share_snapshot:deny_access"
      value: "(rule:admin_api) or (rule:project-member)"
    # Snapshot export locations are readable by project readers.
    manila-share_snapshot_export_location_index:
      key: "share_snapshot_export_location:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_snapshot_export_location_show:
      key: "share_snapshot_export_location:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    # Snapshot instances and their export locations: rule:admin_api only.
    manila-share_snapshot_instance_show:
      key: "share_snapshot_instance:show"
      value: "rule:admin_api"
    manila-share_snapshot_instance_index:
      key: "share_snapshot_instance:index"
      value: "rule:admin_api"
    manila-share_snapshot_instance_detail:
      key: "share_snapshot_instance:detail"
      value: "rule:admin_api"
    manila-share_snapshot_instance_reset_status:
      key: "share_snapshot_instance:reset_status"
      value: "rule:admin_api"
    manila-share_snapshot_instance_export_location_index:
      key: "share_snapshot_instance_export_location:index"
      value: "rule:admin_api"
    manila-share_snapshot_instance_export_location_show:
      key: "share_snapshot_instance_export_location:show"
      value: "rule:admin_api"
    # Share-server operations, including migration and state resets, are all
    # rule:admin_api. admin_api is role:admin with no project or system_scope
    # term (see its definition at the top of ManilaApiPolicies).
    # NOTE(review): confirm that a project-level admin role should reach these
    # operations.
    manila-share_server_index:
      key: "share_server:index"
      value: "rule:admin_api"
    manila-share_server_show:
      key: "share_server:show"
      value: "rule:admin_api"
    manila-share_server_details:
      key: "share_server:details"
      value: "rule:admin_api"
    manila-share_server_delete:
      key: "share_server:delete"
      value: "rule:admin_api"
    manila-share_server_manage_share_server:
      key: "share_server:manage_share_server"
      value: "rule:admin_api"
    manila-share_server_unmanage_share_server:
      key: "share_server:unmanage_share_server"
      value: "rule:admin_api"
    manila-share_server_reset_status:
      key: "share_server:reset_status"
      value: "rule:admin_api"
    manila-share_server_share_server_migration_start:
      key: "share_server:share_server_migration_start"
      value: "rule:admin_api"
    manila-share_server_share_server_migration_check:
      key: "share_server:share_server_migration_check"
      value: "rule:admin_api"
    manila-share_server_share_server_migration_complete:
      key: "share_server:share_server_migration_complete"
      value: "rule:admin_api"
    manila-share_server_share_server_migration_cancel:
      key: "share_server:share_server_migration_cancel"
      value: "rule:admin_api"
    manila-share_server_share_server_migration_get_progress:
      key: "share_server:share_server_migration_get_progress"
      value: "rule:admin_api"
    manila-share_server_share_server_reset_task_state:
      key: "share_server:share_server_reset_task_state"
      value: "rule:admin_api"
    # Service listing and update: rule:admin_api only.
    manila-service_index:
      key: "service:index"
      value: "rule:admin_api"
    manila-service_update:
      key: "service:update"
      value: "rule:admin_api"
    # Quotas: show is open to project readers; update and delete are
    # rule:admin_api, i.e. role:admin without a project or system_scope term.
    manila-quota_set_update:
      key: "quota_set:update"
      value: "rule:admin_api"
    manila-quota_set_show:
      key: "quota_set:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-quota_set_delete:
      key: "quota_set:delete"
      value: "rule:admin_api"
    manila-quota_class_set_update:
      key: "quota_class_set:update"
      value: "rule:admin_api"
    manila-quota_class_set_show:
      key: "quota_class_set:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    # Share-group-type specs: reads and writes are rule:admin_api only.
    manila-share_group_types_spec_create:
      key: "share_group_types_spec:create"
      value: "rule:admin_api"
    manila-share_group_types_spec_index:
      key: "share_group_types_spec:index"
      value: "rule:admin_api"
    manila-share_group_types_spec_show:
      key: "share_group_types_spec:show"
      value: "rule:admin_api"
    manila-share_group_types_spec_update:
      key: "share_group_types_spec:update"
      value: "rule:admin_api"
    manila-share_group_types_spec_delete:
      key: "share_group_types_spec:delete"
      value: "rule:admin_api"
    # Share group types: index/show/default are open to project readers;
    # create, delete and project-access management are rule:admin_api only.
    manila-share_group_type_create:
      key: "share_group_type:create"
      value: "rule:admin_api"
    manila-share_group_type_index:
      key: "share_group_type:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_group_type_show:
      key: "share_group_type:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_group_type_default:
      key: "share_group_type:default"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_group_type_delete:
      key: "share_group_type:delete"
      value: "rule:admin_api"
    manila-share_group_type_list_project_access:
      key: "share_group_type:list_project_access"
      value: "rule:admin_api"
    manila-share_group_type_add_project_access:
      key: "share_group_type:add_project_access"
      value: "rule:admin_api"
    manila-share_group_type_remove_project_access:
      key: "share_group_type:remove_project_access"
      value: "rule:admin_api"
    # Share group snapshots: reads for project readers, create/update/delete
    # for project members, force_delete/reset_status in the project-admin tier.
    # In that tier the project-admin term (role:admin plus a project match) is
    # already covered by admin_api (role:admin alone).
    manila-share_group_snapshot_create:
      key: "share_group_snapshot:create"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_group_snapshot_get:
      key: "share_group_snapshot:get"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_group_snapshot_get_all:
      key: "share_group_snapshot:get_all"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_group_snapshot_update:
      key: "share_group_snapshot:update"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_group_snapshot_delete:
      key: "share_group_snapshot:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_group_snapshot_force_delete:
      key: "share_group_snapshot:force_delete"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_group_snapshot_reset_status:
      key: "share_group_snapshot:reset_status"
      value: "(rule:admin_api) or (rule:project-admin)"
    # Share groups follow the same three tiers.
    manila-share_group_create:
      key: "share_group:create"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_group_get:
      key: "share_group:get"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_group_get_all:
      key: "share_group:get_all"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_group_update:
      key: "share_group:update"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_group_delete:
      key: "share_group:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_group_force_delete:
      key: "share_group:force_delete"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_group_reset_status:
      key: "share_group:reset_status"
      value: "(rule:admin_api) or (rule:project-admin)"
    # Share replicas: reads for project readers; create, delete and promote
    # for project members; force_delete, resync and the state resets in the
    # project-admin tier.
    manila-share_replica_create:
      key: "share_replica:create"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_replica_get_all:
      key: "share_replica:get_all"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_replica_show:
      key: "share_replica:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_replica_delete:
      key: "share_replica:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_replica_force_delete:
      key: "share_replica:force_delete"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_replica_promote:
      key: "share_replica:promote"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_replica_resync:
      key: "share_replica:resync"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_replica_reset_replica_state:
      key: "share_replica:reset_replica_state"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_replica_reset_status:
      key: "share_replica:reset_status"
      value: "(rule:admin_api) or (rule:project-admin)"
    # Replica export locations are readable by project readers.
    manila-share_replica_export_location_index:
      key: "share_replica_export_location:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_replica_export_location_show:
      key: "share_replica_export_location:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_network_create:
      key: "share_network:create"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_show:
      key: "share_network:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_network_index:
      key: "share_network:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_network_detail:
      key: "share_network:detail"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_network_update:
      key: "share_network:update"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_delete:
      key: "share_network:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_add_security_service:
      key: "share_network:add_security_service"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_add_security_service_check:
      key: "share_network:add_security_service_check"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_remove_security_service:
      key: "share_network:remove_security_service"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_update_security_service:
      key: "share_network:update_security_service"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_update_security_service_check:
      key: "share_network:update_security_service_check"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_reset_status:
      key: "share_network:reset_status"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_network_get_all_share_networks:
      key: "share_network:get_all_share_networks"
      value: "rule:admin_api"
    # share_network_subnet:* rules follow the same split as share_network:
    # create/delete need project-member, show/index need project-reader,
    # and admin_api passes every one of them.
    manila-share_network_subnet_create:
      key: "share_network_subnet:create"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_subnet_delete:
      key: "share_network_subnet:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_subnet_show:
      key: "share_network_subnet:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_network_subnet_index:
      key: "share_network_subnet:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    # security_service:* rules.
    # show/detail/index are granted to project-reader, and
    # create/update/delete to project-member.
    # NOTE(review): security services hold directory/authentication
    # settings; confirm which fields show/detail return to a reader.
    manila-security_service_create:
      key: "security_service:create"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-security_service_show:
      key: "security_service:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-security_service_detail:
      key: "security_service:detail"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-security_service_index:
      key: "security_service:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-security_service_update:
      key: "security_service:update"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-security_service_delete:
      key: "security_service:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    # Admin-only, with no project-level alternative.
    manila-security_service_get_all_security_services:
      key: "security_service:get_all_security_services"
      value: "rule:admin_api"
    # Export locations of a share can be listed and shown by admin_api or
    # by the project-reader rule (defined outside this section).
    manila-share_export_location_index:
      key: "share_export_location:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_export_location_show:
      key: "share_export_location:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    # share_instance:* is admin-only throughout: index, show, force_delete
    # and reset_status have no project-scoped alternative.
    manila-share_instance_index:
      key: "share_instance:index"
      value: "rule:admin_api"
    manila-share_instance_show:
      key: "share_instance:show"
      value: "rule:admin_api"
    manila-share_instance_force_delete:
      key: "share_instance:force_delete"
      value: "rule:admin_api"
    manila-share_instance_reset_status:
      key: "share_instance:reset_status"
      value: "rule:admin_api"
    # message:* rules: reading (get/get_all) needs project-reader, and
    # deleting needs project-member; admin_api passes all three.
    manila-message_get:
      key: "message:get"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-message_get_all:
      key: "message:get_all"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-message_delete:
      key: "message:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    # Access rules are readable by project-reader; their metadata can be
    # updated or deleted by project-member. No create/delete rule for the
    # access rule itself appears in this section.
    manila-share_access_rule_get:
      key: "share_access_rule:get"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_access_rule_index:
      key: "share_access_rule:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_access_metadata_update:
      key: "share_access_metadata:update"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_access_metadata_delete:
      key: "share_access_metadata:delete"
      value: "(rule:admin_api) or (rule:project-member)"
  # Policy overrides for the load-balancer API, one {key, value} pair per rule.
  # Every admin term here is a bare "role:admin" with no project_id or
  # system_scope condition, so it matches the admin role on any project.
  # NOTE(review): rule:project-reader and rule:project-member are not defined
  # inside this block. oslo.policy evaluates a reference to an unknown rule
  # as a failed check, so confirm the service itself registers both names;
  # otherwise only role:admin can pass read, write and read-quota.
  OctaviaApiPolicies:
    octavia-load-balancer_admin:
      key: "load-balancer:admin"
      value: "role:admin"
    octavia-load-balancer_read:
      key: "load-balancer:read"
      value: "role:admin or rule:project-reader"
    # The *-global rules and write-quota are admin-only.
    octavia-load-balancer_read-global:
      key: "load-balancer:read-global"
      value: "role:admin"
    octavia-load-balancer_write:
      key: "load-balancer:write"
      value: "role:admin or rule:project-member"
    octavia-load-balancer_read-quota:
      key: "load-balancer:read-quota"
      value: "role:admin or rule:project-reader"
    octavia-load-balancer_read-quota-global:
      key: "load-balancer:read-quota-global"
      value: "role:admin"
    octavia-load-balancer_write-quota:
      key: "load-balancer:write-quota"
      value: "role:admin"
  # Policy overrides for the bare-metal API, one {key, value} pair per rule.
  # The first entries are named building-block rules; the baremetal:* rules
  # after them are the per-operation checks.
  IronicApiPolicies:
    # admin_api is a bare role check with no project or scope condition, so
    # the admin role on any project satisfies every "rule:admin_api" below.
    ironic-admin_api:
      key: "admin_api"
      value: "role:admin"
    # Matches on the request attribute is_public_api rather than on a role.
    # NOTE(review): confirm how the service sets that attribute.
    ironic-public_api:
      key: "public_api"
      value: "is_public_api:True"
    # "!" never matches, so both rules are denied for every caller, admin
    # included. Presumably this keeps passwords and instance secrets masked
    # in API responses; verify against the service.
    ironic-show_password:
      key: "show_password"
      value: "!"
    ironic-show_instance_secrets:
      key: "show_instance_secrets"
      value: "!"
    # is_member matches on hard-coded project names ("demo", "baremetal") in
    # the default or unset domain; is_observer and is_admin build on it.
    # No baremetal:* rule in this section references is_member, is_observer
    # or is_admin.
    # NOTE(review): if a rule elsewhere does, any project carrying one of
    # these names is granted through it; confirm that is intended.
    ironic-is_member:
      key: "is_member"
      value: "(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)"
    ironic-is_observer:
      key: "is_observer"
      value: "rule:is_member and (role:observer or role:baremetal_observer)"
    ironic-is_admin:
      key: "is_admin"
      value: "rule:admin_api or (rule:is_member and role:baremetal_admin)"
    # Ownership helpers: compare the caller's project_id with the target's
    # node.owner, node.lessee or allocation.owner field. The rules in this
    # section inline the same comparisons instead of referencing these names.
    ironic-is_node_owner:
      key: "is_node_owner"
      value: "project_id:%(node.owner)s"
    ironic-is_node_lessee:
      key: "is_node_lessee"
      value: "project_id:%(node.lessee)s"
    ironic-is_allocation_owner:
      key: "is_allocation_owner"
      value: "project_id:%(allocation.owner)s"
    # Node create/list/get and the per-field read rules.
    # Pattern: admin_api, or role:reader on a node whose owner (for
    # baremetal:node:get also lessee) equals the caller's project_id.
    ironic-baremetal_node_create:
      key: "baremetal:node:create"
      value: "rule:admin_api"
    # NOTE(review): this collection rule compares against node.owner, while
    # the port/portgroup/volume/allocation list rules use a plain
    # role:reader. Confirm what target the service supplies for a list call.
    ironic-baremetal_node_list:
      key: "baremetal:node:list"
      value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
    ironic-baremetal_node_list_all:
      key: "baremetal:node:list_all"
      value: "rule:admin_api"
    ironic-baremetal_node_get:
      key: "baremetal:node:get"
      value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
    ironic-baremetal_node_get_filter_threshold:
      key: "baremetal:node:get:filter_threshold"
      value: "rule:admin_api"
    # The field-level reads below are limited to the owner project; a
    # lessee who passes baremetal:node:get does not pass these.
    ironic-baremetal_node_get_last_error:
      key: "baremetal:node:get:last_error"
      value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
    ironic-baremetal_node_get_reservation:
      key: "baremetal:node:get:reservation"
      value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
    ironic-baremetal_node_get_driver_internal_info:
      key: "baremetal:node:get:driver_internal_info"
      value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
    # NOTE(review): driver_info is readable by any reader in the owner
    # project; confirm that sensitive values in it stay masked for them.
    ironic-baremetal_node_get_driver_info:
      key: "baremetal:node:get:driver_info"
      value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
    # Node update rules, split per field.
    # Admin-only fields: chassis_uuid, owner, driver_interfaces,
    # conductor_group and update_owner_provisioned. The others also admit
    # role:member in the owner project; update_extra additionally admits the
    # lessee project.
    ironic-baremetal_node_update_driver_info:
      key: "baremetal:node:update:driver_info"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    # Alias: the general update rule resolves to the driver_info rule above.
    ironic-baremetal_node_update:
      key: "baremetal:node:update"
      value: "rule:baremetal:node:update:driver_info"
    ironic-baremetal_node_update_properties:
      key: "baremetal:node:update:properties"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_update_chassis_uuid:
      key: "baremetal:node:update:chassis_uuid"
      value: "rule:admin_api"
    ironic-baremetal_node_update_instance_uuid:
      key: "baremetal:node:update:instance_uuid"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    # An owner-project member may set the lessee, but changing the owner
    # itself is admin-only (next rule).
    ironic-baremetal_node_update_lessee:
      key: "baremetal:node:update:lessee"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_update_owner:
      key: "baremetal:node:update:owner"
      value: "rule:admin_api"
    # NOTE(review): the value below ends in a space inside the quotes. The
    # oslo.policy check parser splits on whitespace, so this should be
    # inert; confirm the admin-only restriction is intended.
    ironic-baremetal_node_update_driver_interfaces:
      key: "baremetal:node:update:driver_interfaces"
      value: "rule:admin_api "
    ironic-baremetal_node_update_network_data:
      key: "baremetal:node:update:network_data"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_update_conductor_group:
      key: "baremetal:node:update:conductor_group"
      value: "rule:admin_api"
    ironic-baremetal_node_update_name:
      key: "baremetal:node:update:name"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_update_retired:
      key: "baremetal:node:update:retired"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_update_extra:
      key: "baremetal:node:update_extra"
      value: "rule:admin_api or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
    ironic-baremetal_node_update_instance_info:
      key: "baremetal:node:update_instance_info"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_update_owner_provisioned:
      key: "baremetal:node:update_owner_provisioned"
      value: "rule:admin_api"
    # Node lifecycle and state-change rules.
    # Admin-only: delete, get_boot_device, set_boot_device and inject_nmi.
    # Owner or lessee project: get_indicator_state and get_states for
    # role:reader; set_power_state, set_boot_mode and set_secure_boot for
    # role:member.
    # Owner project only (role:member): validate, maintenance, indicator,
    # provision, RAID and console actions.
    ironic-baremetal_node_delete:
      key: "baremetal:node:delete"
      value: "rule:admin_api"
    ironic-baremetal_node_validate:
      key: "baremetal:node:validate"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_set_maintenance:
      key: "baremetal:node:set_maintenance"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_clear_maintenance:
      key: "baremetal:node:clear_maintenance"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    # NOTE(review): the get_boot_device, set_boot_device and inject_nmi
    # values end in a space inside the quotes. The check parser splits on
    # whitespace, so this should be inert; confirm admin-only is intended.
    ironic-baremetal_node_get_boot_device:
      key: "baremetal:node:get_boot_device"
      value: "rule:admin_api "
    ironic-baremetal_node_set_boot_device:
      key: "baremetal:node:set_boot_device"
      value: "rule:admin_api "
    ironic-baremetal_node_get_indicator_state:
      key: "baremetal:node:get_indicator_state"
      value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
    ironic-baremetal_node_set_indicator_state:
      key: "baremetal:node:set_indicator_state"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_inject_nmi:
      key: "baremetal:node:inject_nmi"
      value: "rule:admin_api "
    ironic-baremetal_node_get_states:
      key: "baremetal:node:get_states"
      value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
    ironic-baremetal_node_set_power_state:
      key: "baremetal:node:set_power_state"
      value: "rule:admin_api or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
    ironic-baremetal_node_set_boot_mode:
      key: "baremetal:node:set_boot_mode"
      value: "rule:admin_api or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
    # A lessee-project member can change the secure boot setting as well as
    # power state and boot mode.
    ironic-baremetal_node_set_secure_boot:
      key: "baremetal:node:set_secure_boot"
      value: "rule:admin_api or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
    ironic-baremetal_node_set_provision_state:
      key: "baremetal:node:set_provision_state"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_set_raid_state:
      key: "baremetal:node:set_raid_state"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    # Console read and console enable/disable both require role:member in
    # the owner project; role:reader does not pass.
    ironic-baremetal_node_get_console:
      key: "baremetal:node:get_console"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_set_console_state:
      key: "baremetal:node:set_console_state"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    # Node sub-resources: VIFs, traits, BIOS settings, cleaning and history.
    # Reads (vif:list, traits:list, bios:get) admit role:reader in the owner
    # or lessee project; history:get admits the owner project only.
    # VIF attach/detach need role:member in the owner project.
    # Trait changes and disable_cleaning are admin-only.
    ironic-baremetal_node_vif_list:
      key: "baremetal:node:vif:list"
      value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
    ironic-baremetal_node_vif_attach:
      key: "baremetal:node:vif:attach"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_vif_detach:
      key: "baremetal:node:vif:detach"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_traits_list:
      key: "baremetal:node:traits:list"
      value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
    # NOTE(review): the traits:set and traits:delete values end in a space
    # inside the quotes. The check parser splits on whitespace, so this
    # should be inert; confirm admin-only is intended.
    ironic-baremetal_node_traits_set:
      key: "baremetal:node:traits:set"
      value: "rule:admin_api "
    ironic-baremetal_node_traits_delete:
      key: "baremetal:node:traits:delete"
      value: "rule:admin_api "
    ironic-baremetal_node_bios_get:
      key: "baremetal:node:bios:get"
      value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
    ironic-baremetal_node_disable_cleaning:
      key: "baremetal:node:disable_cleaning"
      value: "rule:admin_api"
    ironic-baremetal_node_history_get:
      key: "baremetal:node:history:get"
      value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
    # Port and portgroup rules.
    # get admits role:reader in the node's owner or lessee project.
    # create/delete/update and list_all are admin-only.
    # NOTE(review): port:list and portgroup:list are a bare "role:reader"
    # with no project term, so the policy check passes for a reader in any
    # project. Presumably the service narrows the result set when list_all
    # is denied; verify that filtering before relying on this rule for
    # tenant isolation.
    ironic-baremetal_port_get:
      key: "baremetal:port:get"
      value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
    ironic-baremetal_port_list:
      key: "baremetal:port:list"
      value: "role:reader"
    ironic-baremetal_port_list_all:
      key: "baremetal:port:list_all"
      value: "rule:admin_api"
    # NOTE(review): the create/delete/update values for port and portgroup
    # end in a space inside the quotes. The check parser splits on
    # whitespace, so this should be inert.
    ironic-baremetal_port_create:
      key: "baremetal:port:create"
      value: "rule:admin_api "
    ironic-baremetal_port_delete:
      key: "baremetal:port:delete"
      value: "rule:admin_api "
    ironic-baremetal_port_update:
      key: "baremetal:port:update"
      value: "rule:admin_api "
    ironic-baremetal_portgroup_get:
      key: "baremetal:portgroup:get"
      value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
    ironic-baremetal_portgroup_create:
      key: "baremetal:portgroup:create"
      value: "rule:admin_api "
    ironic-baremetal_portgroup_delete:
      key: "baremetal:portgroup:delete"
      value: "rule:admin_api "
    ironic-baremetal_portgroup_update:
      key: "baremetal:portgroup:update"
      value: "rule:admin_api "
    ironic-baremetal_portgroup_list:
      key: "baremetal:portgroup:list"
      value: "role:reader"
    ironic-baremetal_portgroup_list_all:
      key: "baremetal:portgroup:list_all"
      value: "rule:admin_api"
    # Chassis, driver and vendor passthru rules are all admin-only: none of
    # them carries a project-scoped alternative.
    ironic-baremetal_chassis_get:
      key: "baremetal:chassis:get"
      value: "rule:admin_api"
    ironic-baremetal_chassis_create:
      key: "baremetal:chassis:create"
      value: "rule:admin_api"
    ironic-baremetal_chassis_delete:
      key: "baremetal:chassis:delete"
      value: "rule:admin_api"
    ironic-baremetal_chassis_update:
      key: "baremetal:chassis:update"
      value: "rule:admin_api"
    ironic-baremetal_driver_get:
      key: "baremetal:driver:get"
      value: "rule:admin_api"
    ironic-baremetal_driver_get_properties:
      key: "baremetal:driver:get_properties"
      value: "rule:admin_api"
    ironic-baremetal_driver_get_raid_logical_disk_properties:
      key: "baremetal:driver:get_raid_logical_disk_properties"
      value: "rule:admin_api"
    ironic-baremetal_node_vendor_passthru:
      key: "baremetal:node:vendor_passthru"
      value: "rule:admin_api"
    ironic-baremetal_driver_vendor_passthru:
      key: "baremetal:driver:vendor_passthru"
      value: "rule:admin_api"
    # An empty check string always passes in oslo.policy, so these two rules
    # apply no role or project condition at all.
    # NOTE(review): judging by the names, these are the deploy-agent lookup
    # and heartbeat callbacks. Any protection has to come from outside the
    # policy file (network isolation of the provisioning network, agent
    # tokens if the deployment uses them); confirm those controls exist.
    ironic-baremetal_node_ipa_heartbeat:
      key: "baremetal:node:ipa_heartbeat"
      value: ""
    ironic-baremetal_driver_ipa_lookup:
      key: "baremetal:driver:ipa_lookup"
      value: ""
    # Volume connector/target rules.
    # list_all, create, delete and view_target_properties are admin-only.
    ironic-baremetal_volume_list_all:
      key: "baremetal:volume:list_all"
      value: "rule:admin_api"
    # Alias of list_all, so volume:get is effectively admin-only.
    ironic-baremetal_volume_get:
      key: "baremetal:volume:get"
      value: "rule:baremetal:volume:list_all"
    # NOTE(review): bare role:reader with no project term; a reader passes
    # list while get stays admin-only. Confirm the service filters results.
    ironic-baremetal_volume_list:
      key: "baremetal:volume:list"
      value: "role:reader"
    ironic-baremetal_volume_create:
      key: "baremetal:volume:create"
      value: "rule:admin_api"
    ironic-baremetal_volume_delete:
      key: "baremetal:volume:delete"
      value: "rule:admin_api"
    # NOTE(review): update admits an owner-project member although get,
    # create and delete are admin-only; confirm the asymmetry is intended.
    ironic-baremetal_volume_update:
      key: "baremetal:volume:update"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_volume_view_target_properties:
      key: "baremetal:volume:view_target_properties"
      value: "rule:admin_api"
    # Conductor, allocation, events and deploy-template rules.
    # Conductor, events:post and every deploy_template:* rule are admin-only.
    ironic-baremetal_conductor_get:
      key: "baremetal:conductor:get"
      value: "rule:admin_api"
    # Allocation rules compare the caller's project_id with
    # allocation.owner: role:reader for get; role:member for create, delete
    # and update.
    ironic-baremetal_allocation_get:
      key: "baremetal:allocation:get"
      value: "rule:admin_api or (role:reader and project_id:%(allocation.owner)s)"
    # NOTE(review): bare role:reader with no project term. The check passes
    # for a reader in any project; confirm the service filters the listing
    # when list_all is denied.
    ironic-baremetal_allocation_list:
      key: "baremetal:allocation:list"
      value: "role:reader"
    ironic-baremetal_allocation_list_all:
      key: "baremetal:allocation:list_all"
      value: "rule:admin_api"
    ironic-baremetal_allocation_create:
      key: "baremetal:allocation:create"
      value: "rule:admin_api or (role:member and project_id:%(allocation.owner)s)"
    ironic-baremetal_allocation_create_restricted:
      key: "baremetal:allocation:create_restricted"
      value: "rule:admin_api"
    ironic-baremetal_allocation_delete:
      key: "baremetal:allocation:delete"
      value: "rule:admin_api or (role:member and project_id:%(allocation.owner)s)"
    ironic-baremetal_allocation_update:
      key: "baremetal:allocation:update"
      value: "rule:admin_api or (role:member and project_id:%(allocation.owner)s)"
    ironic-baremetal_allocation_create_pre_rbac:
      key: "baremetal:allocation:create_pre_rbac"
      value: "rule:admin_api"
    ironic-baremetal_events_post:
      key: "baremetal:events:post"
      value: "rule:admin_api"
    ironic-baremetal_deploy_template_get:
      key: "baremetal:deploy_template:get"
      value: "rule:admin_api"
    ironic-baremetal_deploy_template_create:
      key: "baremetal:deploy_template:create"
      value: "rule:admin_api"
    ironic-baremetal_deploy_template_delete:
      key: "baremetal:deploy_template:delete"
      value: "rule:admin_api"
    ironic-baremetal_deploy_template_update:
      key: "baremetal:deploy_template:update"
      value: "rule:admin_api"