parameter_defaults: EnforceSecureRbac: false NovaApiPolicies: nova-context_is_admin: key: "context_is_admin" value: "role:admin" nova-admin_or_owner: key: "admin_or_owner" value: "is_admin:True or project_id:%(project_id)s" nova-admin_api: key: "admin_api" value: "is_admin:True" nova-system_admin_api: key: "system_admin_api" value: "role:admin and system_scope:all" nova-rule_admin_api: key: "rule:admin_api" value: "rule:system_admin_api" nova-system_reader_api: key: "system_reader_api" value: "role:reader and system_scope:all" nova-project_admin_api: key: "project_admin_api" value: "role:admin and project_id:%(project_id)s" nova-project_member_api: key: "project_member_api" value: "role:member and project_id:%(project_id)s" nova-rule_admin_or_owner: key: "rule:admin_or_owner" value: "rule:project_member_api" nova-project_reader_api: key: "project_reader_api" value: "role:reader and project_id:%(project_id)s" nova-system_admin_or_owner: key: "system_admin_or_owner" value: "rule:system_admin_api or rule:project_member_api" nova-system_or_project_reader: key: "system_or_project_reader" value: "rule:system_reader_api or rule:project_reader_api" nova-os_compute_api_os-admin-actions_reset_state: key: "os_compute_api:os-admin-actions:reset_state" value: "rule:system_admin_api" nova-os_compute_api_os-admin-actions_inject_network_info: key: "os_compute_api:os-admin-actions:inject_network_info" value: "rule:system_admin_api" nova-os_compute_api_os-admin-password: key: "os_compute_api:os-admin-password" value: "rule:system_admin_or_owner" nova-os_compute_api_os-aggregates_set_metadata: key: "os_compute_api:os-aggregates:set_metadata" value: "rule:system_admin_api" nova-os_compute_api_os-aggregates_add_host: key: "os_compute_api:os-aggregates:add_host" value: "rule:system_admin_api" nova-os_compute_api_os-aggregates_create: key: "os_compute_api:os-aggregates:create" value: "rule:system_admin_api" nova-os_compute_api_os-aggregates_remove_host: key: 
"os_compute_api:os-aggregates:remove_host" value: "rule:system_admin_api" nova-os_compute_api_os-aggregates_update: key: "os_compute_api:os-aggregates:update" value: "rule:system_admin_api" nova-os_compute_api_os-aggregates_index: key: "os_compute_api:os-aggregates:index" value: "rule:system_reader_api" nova-os_compute_api_os-aggregates_delete: key: "os_compute_api:os-aggregates:delete" value: "rule:system_admin_api" nova-os_compute_api_os-aggregates_show: key: "os_compute_api:os-aggregates:show" value: "rule:system_reader_api" nova-compute_aggregates_images: key: "compute:aggregates:images" value: "rule:system_admin_api" nova-os_compute_api_os-assisted-volume-snapshots_create: key: "os_compute_api:os-assisted-volume-snapshots:create" value: "rule:system_admin_api" nova-os_compute_api_os-assisted-volume-snapshots_delete: key: "os_compute_api:os-assisted-volume-snapshots:delete" value: "rule:system_admin_api" nova-os_compute_api_os-attach-interfaces_list: key: "os_compute_api:os-attach-interfaces:list" value: "rule:system_or_project_reader" nova-os_compute_api_os-attach-interfaces: key: "os_compute_api:os-attach-interfaces" value: "rule:os_compute_api:os-attach-interfaces:list" nova-os_compute_api_os-attach-interfaces_show: key: "os_compute_api:os-attach-interfaces:show" value: "rule:system_or_project_reader" nova-os_compute_api_os-attach-interfaces_create: key: "os_compute_api:os-attach-interfaces:create" value: "rule:system_admin_or_owner" nova-os_compute_api_os-attach-interfaces_delete: key: "os_compute_api:os-attach-interfaces:delete" value: "rule:system_admin_or_owner" nova-os_compute_api_os-availability-zone_list: key: "os_compute_api:os-availability-zone:list" value: "@" nova-os_compute_api_os-availability-zone_detail: key: "os_compute_api:os-availability-zone:detail" value: "rule:system_reader_api" nova-os_compute_api_os-baremetal-nodes_list: key: "os_compute_api:os-baremetal-nodes:list" value: "rule:system_reader_api" nova-os_compute_api_os-baremetal-nodes: 
key: "os_compute_api:os-baremetal-nodes" value: "rule:os_compute_api:os-baremetal-nodes:list" nova-os_compute_api_os-baremetal-nodes_show: key: "os_compute_api:os-baremetal-nodes:show" value: "rule:system_reader_api" nova-os_compute_api_os-console-auth-tokens: key: "os_compute_api:os-console-auth-tokens" value: "rule:system_reader_api" nova-os_compute_api_os-console-output: key: "os_compute_api:os-console-output" value: "rule:system_admin_or_owner" nova-os_compute_api_os-create-backup: key: "os_compute_api:os-create-backup" value: "rule:system_admin_or_owner" nova-os_compute_api_os-deferred-delete_restore: key: "os_compute_api:os-deferred-delete:restore" value: "rule:system_admin_or_owner" nova-os_compute_api_os-deferred-delete: key: "os_compute_api:os-deferred-delete" value: "rule:os_compute_api:os-deferred-delete:restore" nova-os_compute_api_os-deferred-delete_force: key: "os_compute_api:os-deferred-delete:force" value: "rule:system_admin_or_owner" nova-os_compute_api_os-evacuate: key: "os_compute_api:os-evacuate" value: "rule:system_admin_api" nova-os_compute_api_os-extended-server-attributes: key: "os_compute_api:os-extended-server-attributes" value: "rule:system_admin_api" nova-os_compute_api_extensions: key: "os_compute_api:extensions" value: "@" nova-os_compute_api_os-flavor-access_add_tenant_access: key: "os_compute_api:os-flavor-access:add_tenant_access" value: "rule:system_admin_api" nova-os_compute_api_os-flavor-access_remove_tenant_access: key: "os_compute_api:os-flavor-access:remove_tenant_access" value: "rule:system_admin_api" nova-os_compute_api_os-flavor-access: key: "os_compute_api:os-flavor-access" value: "rule:system_reader_api" nova-os_compute_api_os-flavor-extra-specs_show: key: "os_compute_api:os-flavor-extra-specs:show" value: "rule:system_or_project_reader" nova-os_compute_api_os-flavor-extra-specs_create: key: "os_compute_api:os-flavor-extra-specs:create" value: "rule:system_admin_api" nova-os_compute_api_os-flavor-extra-specs_update: key: 
"os_compute_api:os-flavor-extra-specs:update" value: "rule:system_admin_api" nova-os_compute_api_os-flavor-extra-specs_delete: key: "os_compute_api:os-flavor-extra-specs:delete" value: "rule:system_admin_api" nova-os_compute_api_os-flavor-extra-specs_index: key: "os_compute_api:os-flavor-extra-specs:index" value: "rule:system_or_project_reader" nova-os_compute_api_os-flavor-manage_create: key: "os_compute_api:os-flavor-manage:create" value: "rule:system_admin_api" nova-os_compute_api_os-flavor-manage_update: key: "os_compute_api:os-flavor-manage:update" value: "rule:system_admin_api" nova-os_compute_api_os-flavor-manage_delete: key: "os_compute_api:os-flavor-manage:delete" value: "rule:system_admin_api" nova-os_compute_api_os-floating-ip-pools: key: "os_compute_api:os-floating-ip-pools" value: "@" nova-os_compute_api_os-floating-ips_add: key: "os_compute_api:os-floating-ips:add" value: "rule:system_admin_or_owner" nova-os_compute_api_os-floating-ips: key: "os_compute_api:os-floating-ips" value: "rule:os_compute_api:os-floating-ips:add" nova-os_compute_api_os-floating-ips_remove: key: "os_compute_api:os-floating-ips:remove" value: "rule:system_admin_or_owner" nova-os_compute_api_os-floating-ips_list: key: "os_compute_api:os-floating-ips:list" value: "rule:system_or_project_reader" nova-os_compute_api_os-floating-ips_create: key: "os_compute_api:os-floating-ips:create" value: "rule:system_admin_or_owner" nova-os_compute_api_os-floating-ips_show: key: "os_compute_api:os-floating-ips:show" value: "rule:system_or_project_reader" nova-os_compute_api_os-floating-ips_delete: key: "os_compute_api:os-floating-ips:delete" value: "rule:system_admin_or_owner" nova-os_compute_api_os-hosts_list: key: "os_compute_api:os-hosts:list" value: "rule:system_reader_api" nova-os_compute_api_os-hosts: key: "os_compute_api:os-hosts" value: "rule:os_compute_api:os-hosts:list" nova-os_compute_api_os-hosts_show: key: "os_compute_api:os-hosts:show" value: "rule:system_reader_api" 
nova-os_compute_api_os-hosts_update: key: "os_compute_api:os-hosts:update" value: "rule:system_admin_api" nova-os_compute_api_os-hosts_reboot: key: "os_compute_api:os-hosts:reboot" value: "rule:system_admin_api" nova-os_compute_api_os-hosts_shutdown: key: "os_compute_api:os-hosts:shutdown" value: "rule:system_admin_api" nova-os_compute_api_os-hosts_start: key: "os_compute_api:os-hosts:start" value: "rule:system_admin_api" nova-os_compute_api_os-hypervisors_list: key: "os_compute_api:os-hypervisors:list" value: "rule:system_reader_api" nova-os_compute_api_os-hypervisors: key: "os_compute_api:os-hypervisors" value: "rule:os_compute_api:os-hypervisors:list" nova-os_compute_api_os-hypervisors_list-detail: key: "os_compute_api:os-hypervisors:list-detail" value: "rule:system_reader_api" nova-os_compute_api_os-hypervisors_statistics: key: "os_compute_api:os-hypervisors:statistics" value: "rule:system_reader_api" nova-os_compute_api_os-hypervisors_show: key: "os_compute_api:os-hypervisors:show" value: "rule:system_reader_api" nova-os_compute_api_os-hypervisors_uptime: key: "os_compute_api:os-hypervisors:uptime" value: "rule:system_reader_api" nova-os_compute_api_os-hypervisors_search: key: "os_compute_api:os-hypervisors:search" value: "rule:system_reader_api" nova-os_compute_api_os-hypervisors_servers: key: "os_compute_api:os-hypervisors:servers" value: "rule:system_reader_api" nova-os_compute_api_os-instance-actions_events_details: key: "os_compute_api:os-instance-actions:events:details" value: "rule:system_reader_api" nova-os_compute_api_os-instance-actions_events: key: "os_compute_api:os-instance-actions:events" value: "rule:system_reader_api" nova-os_compute_api_os-instance-actions_list: key: "os_compute_api:os-instance-actions:list" value: "rule:system_or_project_reader" nova-os_compute_api_os-instance-actions: key: "os_compute_api:os-instance-actions" value: "rule:os_compute_api:os-instance-actions:list" nova-os_compute_api_os-instance-actions_show: key: 
"os_compute_api:os-instance-actions:show" value: "rule:system_or_project_reader" nova-os_compute_api_os-instance-usage-audit-log_list: key: "os_compute_api:os-instance-usage-audit-log:list" value: "rule:system_reader_api" nova-os_compute_api_os-instance-usage-audit-log: key: "os_compute_api:os-instance-usage-audit-log" value: "rule:os_compute_api:os-instance-usage-audit-log:list" nova-os_compute_api_os-instance-usage-audit-log_show: key: "os_compute_api:os-instance-usage-audit-log:show" value: "rule:system_reader_api" nova-os_compute_api_ips_show: key: "os_compute_api:ips:show" value: "rule:system_or_project_reader" nova-os_compute_api_ips_index: key: "os_compute_api:ips:index" value: "rule:system_or_project_reader" nova-os_compute_api_os-keypairs_index: key: "os_compute_api:os-keypairs:index" value: "(rule:system_reader_api) or user_id:%(user_id)s" nova-os_compute_api_os-keypairs_create: key: "os_compute_api:os-keypairs:create" value: "(rule:system_admin_api) or user_id:%(user_id)s" nova-os_compute_api_os-keypairs_delete: key: "os_compute_api:os-keypairs:delete" value: "(rule:system_admin_api) or user_id:%(user_id)s" nova-os_compute_api_os-keypairs_show: key: "os_compute_api:os-keypairs:show" value: "(rule:system_reader_api) or user_id:%(user_id)s" nova-os_compute_api_limits: key: "os_compute_api:limits" value: "@" nova-os_compute_api_limits_other_project: key: "os_compute_api:limits:other_project" value: "rule:system_reader_api" nova-os_compute_api_os-used-limits: key: "os_compute_api:os-used-limits" value: "rule:os_compute_api:limits:other_project" nova-os_compute_api_os-lock-server_lock: key: "os_compute_api:os-lock-server:lock" value: "rule:system_admin_or_owner" nova-os_compute_api_os-lock-server_unlock: key: "os_compute_api:os-lock-server:unlock" value: "rule:system_admin_or_owner" nova-os_compute_api_os-lock-server_unlock_unlock_override: key: "os_compute_api:os-lock-server:unlock:unlock_override" value: "rule:system_admin_api" 
nova-os_compute_api_os-migrate-server_migrate: key: "os_compute_api:os-migrate-server:migrate" value: "rule:system_admin_api" nova-os_compute_api_os-migrate-server_migrate_live: key: "os_compute_api:os-migrate-server:migrate_live" value: "rule:system_admin_api" nova-os_compute_api_os-migrations_index: key: "os_compute_api:os-migrations:index" value: "rule:system_reader_api" nova-os_compute_api_os-multinic_add: key: "os_compute_api:os-multinic:add" value: "rule:system_admin_or_owner" nova-os_compute_api_os-multinic: key: "os_compute_api:os-multinic" value: "rule:os_compute_api:os-multinic:add" nova-os_compute_api_os-multinic_remove: key: "os_compute_api:os-multinic:remove" value: "rule:system_admin_or_owner" nova-os_compute_api_os-networks_list: key: "os_compute_api:os-networks:list" value: "rule:system_or_project_reader" nova-os_compute_api_os-networks_view: key: "os_compute_api:os-networks:view" value: "rule:os_compute_api:os-networks:list" nova-os_compute_api_os-networks_show: key: "os_compute_api:os-networks:show" value: "rule:system_or_project_reader" nova-os_compute_api_os-pause-server_pause: key: "os_compute_api:os-pause-server:pause" value: "rule:system_admin_or_owner" nova-os_compute_api_os-pause-server_unpause: key: "os_compute_api:os-pause-server:unpause" value: "rule:system_admin_or_owner" nova-os_compute_api_os-quota-class-sets_show: key: "os_compute_api:os-quota-class-sets:show" value: "rule:system_reader_api" nova-os_compute_api_os-quota-class-sets_update: key: "os_compute_api:os-quota-class-sets:update" value: "rule:system_admin_api" nova-os_compute_api_os-quota-sets_update: key: "os_compute_api:os-quota-sets:update" value: "rule:system_admin_api" nova-os_compute_api_os-quota-sets_defaults: key: "os_compute_api:os-quota-sets:defaults" value: "@" nova-os_compute_api_os-quota-sets_show: key: "os_compute_api:os-quota-sets:show" value: "rule:system_or_project_reader" nova-os_compute_api_os-quota-sets_delete: key: "os_compute_api:os-quota-sets:delete" 
value: "rule:system_admin_api" nova-os_compute_api_os-quota-sets_detail: key: "os_compute_api:os-quota-sets:detail" value: "rule:system_or_project_reader" nova-os_compute_api_os-remote-consoles: key: "os_compute_api:os-remote-consoles" value: "rule:system_admin_or_owner" nova-os_compute_api_os-rescue: key: "os_compute_api:os-rescue" value: "rule:system_admin_or_owner" nova-os_compute_api_os-unrescue: key: "os_compute_api:os-unrescue" value: "rule:system_admin_or_owner" nova-os_compute_api_os-security-groups_get: key: "os_compute_api:os-security-groups:get" value: "rule:system_or_project_reader" nova-os_compute_api_os-security-groups: key: "os_compute_api:os-security-groups" value: "rule:os_compute_api:os-security-groups:get" nova-os_compute_api_os-security-groups_show: key: "os_compute_api:os-security-groups:show" value: "rule:system_or_project_reader" nova-os_compute_api_os-security-groups_create: key: "os_compute_api:os-security-groups:create" value: "rule:system_admin_or_owner" nova-os_compute_api_os-security-groups_update: key: "os_compute_api:os-security-groups:update" value: "rule:system_admin_or_owner" nova-os_compute_api_os-security-groups_delete: key: "os_compute_api:os-security-groups:delete" value: "rule:system_admin_or_owner" nova-os_compute_api_os-security-groups_rule_create: key: "os_compute_api:os-security-groups:rule:create" value: "rule:system_admin_or_owner" nova-os_compute_api_os-security-groups_rule_delete: key: "os_compute_api:os-security-groups:rule:delete" value: "rule:system_admin_or_owner" nova-os_compute_api_os-security-groups_list: key: "os_compute_api:os-security-groups:list" value: "rule:system_or_project_reader" nova-os_compute_api_os-security-groups_add: key: "os_compute_api:os-security-groups:add" value: "rule:system_admin_or_owner" nova-os_compute_api_os-security-groups_remove: key: "os_compute_api:os-security-groups:remove" value: "rule:system_admin_or_owner" nova-os_compute_api_os-server-diagnostics: key: 
"os_compute_api:os-server-diagnostics" value: "rule:system_admin_api" nova-os_compute_api_os-server-external-events_create: key: "os_compute_api:os-server-external-events:create" value: "rule:system_admin_api" nova-os_compute_api_os-server-groups_create: key: "os_compute_api:os-server-groups:create" value: "rule:project_member_api" nova-os_compute_api_os-server-groups_delete: key: "os_compute_api:os-server-groups:delete" value: "rule:system_admin_or_owner" nova-os_compute_api_os-server-groups_index: key: "os_compute_api:os-server-groups:index" value: "rule:system_or_project_reader" nova-os_compute_api_os-server-groups_index_all_projects: key: "os_compute_api:os-server-groups:index:all_projects" value: "rule:system_reader_api" nova-os_compute_api_os-server-groups_show: key: "os_compute_api:os-server-groups:show" value: "rule:system_or_project_reader" nova-os_compute_api_server-metadata_index: key: "os_compute_api:server-metadata:index" value: "rule:system_or_project_reader" nova-os_compute_api_server-metadata_show: key: "os_compute_api:server-metadata:show" value: "rule:system_or_project_reader" nova-os_compute_api_server-metadata_create: key: "os_compute_api:server-metadata:create" value: "rule:system_admin_or_owner" nova-os_compute_api_server-metadata_update_all: key: "os_compute_api:server-metadata:update_all" value: "rule:system_admin_or_owner" nova-os_compute_api_server-metadata_update: key: "os_compute_api:server-metadata:update" value: "rule:system_admin_or_owner" nova-os_compute_api_server-metadata_delete: key: "os_compute_api:server-metadata:delete" value: "rule:system_admin_or_owner" nova-os_compute_api_os-server-password_show: key: "os_compute_api:os-server-password:show" value: "rule:system_or_project_reader" nova-os_compute_api_os-server-password: key: "os_compute_api:os-server-password" value: "rule:os_compute_api:os-server-password:show" nova-os_compute_api_os-server-password_clear: key: "os_compute_api:os-server-password:clear" value: 
"rule:system_admin_or_owner" nova-os_compute_api_os-server-tags_delete_all: key: "os_compute_api:os-server-tags:delete_all" value: "rule:system_admin_or_owner" nova-os_compute_api_os-server-tags_index: key: "os_compute_api:os-server-tags:index" value: "rule:system_or_project_reader" nova-os_compute_api_os-server-tags_update_all: key: "os_compute_api:os-server-tags:update_all" value: "rule:system_admin_or_owner" nova-os_compute_api_os-server-tags_delete: key: "os_compute_api:os-server-tags:delete" value: "rule:system_admin_or_owner" nova-os_compute_api_os-server-tags_update: key: "os_compute_api:os-server-tags:update" value: "rule:system_admin_or_owner" nova-os_compute_api_os-server-tags_show: key: "os_compute_api:os-server-tags:show" value: "rule:system_or_project_reader" nova-compute_server_topology_index: key: "compute:server:topology:index" value: "rule:system_or_project_reader" nova-compute_server_topology_host_index: key: "compute:server:topology:host:index" value: "rule:system_reader_api" nova-os_compute_api_servers_index: key: "os_compute_api:servers:index" value: "rule:system_or_project_reader" nova-os_compute_api_servers_detail: key: "os_compute_api:servers:detail" value: "rule:system_or_project_reader" nova-os_compute_api_servers_index_get_all_tenants: key: "os_compute_api:servers:index:get_all_tenants" value: "rule:system_reader_api" nova-os_compute_api_servers_detail_get_all_tenants: key: "os_compute_api:servers:detail:get_all_tenants" value: "rule:system_reader_api" nova-os_compute_api_servers_allow_all_filters: key: "os_compute_api:servers:allow_all_filters" value: "rule:system_reader_api" nova-os_compute_api_servers_show: key: "os_compute_api:servers:show" value: "rule:system_or_project_reader" nova-os_compute_api_servers_show_host_status: key: "os_compute_api:servers:show:host_status" value: "rule:system_admin_api" nova-os_compute_api_servers_show_host_status_unknown-only: key: "os_compute_api:servers:show:host_status:unknown-only" value: 
"rule:system_admin_api" nova-os_compute_api_servers_create: key: "os_compute_api:servers:create" value: "rule:project_member_api" nova-os_compute_api_servers_create_forced_host: key: "os_compute_api:servers:create:forced_host" value: "rule:project_admin_api" nova-compute_servers_create_requested_destination: key: "compute:servers:create:requested_destination" value: "rule:project_admin_api" nova-os_compute_api_servers_create_attach_volume: key: "os_compute_api:servers:create:attach_volume" value: "rule:project_member_api" nova-os_compute_api_servers_create_attach_network: key: "os_compute_api:servers:create:attach_network" value: "rule:project_member_api" nova-os_compute_api_servers_create_trusted_certs: key: "os_compute_api:servers:create:trusted_certs" value: "rule:project_member_api" nova-os_compute_api_servers_create_zero_disk_flavor: key: "os_compute_api:servers:create:zero_disk_flavor" value: "rule:project_admin_api" nova-network_attach_external_network: key: "network:attach_external_network" value: "rule:project_admin_api" nova-os_compute_api_servers_delete: key: "os_compute_api:servers:delete" value: "rule:system_admin_or_owner" nova-os_compute_api_servers_update: key: "os_compute_api:servers:update" value: "rule:system_admin_or_owner" nova-os_compute_api_servers_confirm_resize: key: "os_compute_api:servers:confirm_resize" value: "rule:system_admin_or_owner" nova-os_compute_api_servers_revert_resize: key: "os_compute_api:servers:revert_resize" value: "rule:system_admin_or_owner" nova-os_compute_api_servers_reboot: key: "os_compute_api:servers:reboot" value: "rule:system_admin_or_owner" nova-os_compute_api_servers_resize: key: "os_compute_api:servers:resize" value: "rule:system_admin_or_owner" nova-compute_servers_resize_cross_cell: key: "compute:servers:resize:cross_cell" value: "!" 
nova-os_compute_api_servers_rebuild: key: "os_compute_api:servers:rebuild" value: "rule:system_admin_or_owner" nova-os_compute_api_servers_rebuild_trusted_certs: key: "os_compute_api:servers:rebuild:trusted_certs" value: "rule:system_admin_or_owner" nova-os_compute_api_servers_create_image: key: "os_compute_api:servers:create_image" value: "rule:system_admin_or_owner" nova-os_compute_api_servers_create_image_allow_volume_backed: key: "os_compute_api:servers:create_image:allow_volume_backed" value: "rule:system_admin_or_owner" nova-os_compute_api_servers_start: key: "os_compute_api:servers:start" value: "rule:system_admin_or_owner" nova-os_compute_api_servers_stop: key: "os_compute_api:servers:stop" value: "rule:system_admin_or_owner" nova-os_compute_api_servers_trigger_crash_dump: key: "os_compute_api:servers:trigger_crash_dump" value: "rule:system_admin_or_owner" nova-os_compute_api_servers_migrations_show: key: "os_compute_api:servers:migrations:show" value: "rule:system_reader_api" nova-os_compute_api_servers_migrations_force_complete: key: "os_compute_api:servers:migrations:force_complete" value: "rule:system_admin_api" nova-os_compute_api_servers_migrations_delete: key: "os_compute_api:servers:migrations:delete" value: "rule:system_admin_api" nova-os_compute_api_servers_migrations_index: key: "os_compute_api:servers:migrations:index" value: "rule:system_reader_api" nova-os_compute_api_os-services_list: key: "os_compute_api:os-services:list" value: "rule:system_reader_api" nova-os_compute_api_os-services: key: "os_compute_api:os-services" value: "rule:os_compute_api:os-services:list" nova-os_compute_api_os-services_update: key: "os_compute_api:os-services:update" value: "rule:system_admin_api" nova-os_compute_api_os-services_delete: key: "os_compute_api:os-services:delete" value: "rule:system_admin_api" nova-os_compute_api_os-shelve_shelve: key: "os_compute_api:os-shelve:shelve" value: "rule:system_admin_or_owner" nova-os_compute_api_os-shelve_unshelve: key: 
"os_compute_api:os-shelve:unshelve" value: "rule:system_admin_or_owner" nova-os_compute_api_os-shelve_shelve_offload: key: "os_compute_api:os-shelve:shelve_offload" value: "rule:system_admin_api" nova-os_compute_api_os-simple-tenant-usage_show: key: "os_compute_api:os-simple-tenant-usage:show" value: "rule:system_or_project_reader" nova-os_compute_api_os-simple-tenant-usage_list: key: "os_compute_api:os-simple-tenant-usage:list" value: "rule:system_reader_api" nova-os_compute_api_os-suspend-server_resume: key: "os_compute_api:os-suspend-server:resume" value: "rule:system_admin_or_owner" nova-os_compute_api_os-suspend-server_suspend: key: "os_compute_api:os-suspend-server:suspend" value: "rule:system_admin_or_owner" nova-os_compute_api_os-tenant-networks_list: key: "os_compute_api:os-tenant-networks:list" value: "rule:system_or_project_reader" nova-os_compute_api_os-tenant-networks: key: "os_compute_api:os-tenant-networks" value: "rule:os_compute_api:os-tenant-networks:list" nova-os_compute_api_os-tenant-networks_show: key: "os_compute_api:os-tenant-networks:show" value: "rule:system_or_project_reader" nova-os_compute_api_os-volumes_list: key: "os_compute_api:os-volumes:list" value: "rule:system_or_project_reader" nova-os_compute_api_os-volumes: key: "os_compute_api:os-volumes" value: "rule:os_compute_api:os-volumes:list" nova-os_compute_api_os-volumes_create: key: "os_compute_api:os-volumes:create" value: "rule:system_admin_or_owner" nova-os_compute_api_os-volumes_detail: key: "os_compute_api:os-volumes:detail" value: "rule:system_or_project_reader" nova-os_compute_api_os-volumes_show: key: "os_compute_api:os-volumes:show" value: "rule:system_or_project_reader" nova-os_compute_api_os-volumes_delete: key: "os_compute_api:os-volumes:delete" value: "rule:system_admin_or_owner" nova-os_compute_api_os-volumes_snapshots_list: key: "os_compute_api:os-volumes:snapshots:list" value: "rule:system_or_project_reader" nova-os_compute_api_os-volumes_snapshots_create: key: 
"os_compute_api:os-volumes:snapshots:create" value: "rule:system_admin_or_owner" nova-os_compute_api_os-volumes_snapshots_detail: key: "os_compute_api:os-volumes:snapshots:detail" value: "rule:system_or_project_reader" nova-os_compute_api_os-volumes_snapshots_show: key: "os_compute_api:os-volumes:snapshots:show" value: "rule:system_or_project_reader" nova-os_compute_api_os-volumes_snapshots_delete: key: "os_compute_api:os-volumes:snapshots:delete" value: "rule:system_admin_or_owner" nova-os_compute_api_os-volumes-attachments_index: key: "os_compute_api:os-volumes-attachments:index" value: "rule:system_or_project_reader" nova-os_compute_api_os-volumes-attachments_create: key: "os_compute_api:os-volumes-attachments:create" value: "rule:system_admin_or_owner" nova-os_compute_api_os-volumes-attachments_show: key: "os_compute_api:os-volumes-attachments:show" value: "rule:system_or_project_reader" nova-os_compute_api_os-volumes-attachments_update: key: "os_compute_api:os-volumes-attachments:update" value: "rule:system_admin_or_owner" nova-os_compute_api_os-volumes-attachments_swap: key: "os_compute_api:os-volumes-attachments:swap" value: "rule:system_admin_api" nova-os_compute_api_os-volumes-attachments_delete: key: "os_compute_api:os-volumes-attachments:delete" value: "rule:system_admin_or_owner" PlacementPolicies: placement-admin_api: key: "admin_api" value: "role:admin" placement-system_admin_api: key: "system_admin_api" value: "role:admin and system_scope:all" placement-rule_admin_api: key: "rule:admin_api" value: "rule:system_admin_api" placement-system_reader_api: key: "system_reader_api" value: "role:reader and system_scope:all" placement-project_reader_api: key: "project_reader_api" value: "role:reader and project_id:%(project_id)s" placement-system_or_project_reader: key: "system_or_project_reader" value: "rule:system_reader_api or rule:project_reader_api" placement-placement_resource_providers_list: key: "placement:resource_providers:list" value: 
"rule:system_reader_api" placement-placement_resource_providers_create: key: "placement:resource_providers:create" value: "rule:system_admin_api" placement-placement_resource_providers_show: key: "placement:resource_providers:show" value: "rule:system_reader_api" placement-placement_resource_providers_update: key: "placement:resource_providers:update" value: "rule:system_admin_api" placement-placement_resource_providers_delete: key: "placement:resource_providers:delete" value: "rule:system_admin_api" placement-placement_resource_classes_list: key: "placement:resource_classes:list" value: "rule:system_reader_api" placement-placement_resource_classes_create: key: "placement:resource_classes:create" value: "rule:system_admin_api" placement-placement_resource_classes_show: key: "placement:resource_classes:show" value: "rule:system_reader_api" placement-placement_resource_classes_update: key: "placement:resource_classes:update" value: "rule:system_admin_api" placement-placement_resource_classes_delete: key: "placement:resource_classes:delete" value: "rule:system_admin_api" placement-placement_resource_providers_inventories_list: key: "placement:resource_providers:inventories:list" value: "rule:system_reader_api" placement-placement_resource_providers_inventories_create: key: "placement:resource_providers:inventories:create" value: "rule:system_admin_api" placement-placement_resource_providers_inventories_show: key: "placement:resource_providers:inventories:show" value: "rule:system_reader_api" placement-placement_resource_providers_inventories_update: key: "placement:resource_providers:inventories:update" value: "rule:system_admin_api" placement-placement_resource_providers_inventories_delete: key: "placement:resource_providers:inventories:delete" value: "rule:system_admin_api" placement-placement_resource_providers_aggregates_list: key: "placement:resource_providers:aggregates:list" value: "rule:system_reader_api" 
placement-placement_resource_providers_aggregates_update: key: "placement:resource_providers:aggregates:update" value: "rule:system_admin_api" placement-placement_resource_providers_usages: key: "placement:resource_providers:usages" value: "rule:system_reader_api" placement-placement_usages: key: "placement:usages" value: "rule:system_or_project_reader" placement-placement_traits_list: key: "placement:traits:list" value: "rule:system_reader_api" placement-placement_traits_show: key: "placement:traits:show" value: "rule:system_reader_api" placement-placement_traits_update: key: "placement:traits:update" value: "rule:system_admin_api" placement-placement_traits_delete: key: "placement:traits:delete" value: "rule:system_admin_api" placement-placement_resource_providers_traits_list: key: "placement:resource_providers:traits:list" value: "rule:system_reader_api" placement-placement_resource_providers_traits_update: key: "placement:resource_providers:traits:update" value: "rule:system_admin_api" placement-placement_resource_providers_traits_delete: key: "placement:resource_providers:traits:delete" value: "rule:system_admin_api" placement-placement_allocations_manage: key: "placement:allocations:manage" value: "rule:system_admin_api" placement-placement_allocations_list: key: "placement:allocations:list" value: "rule:system_reader_api" placement-placement_allocations_update: key: "placement:allocations:update" value: "rule:system_admin_api" placement-placement_allocations_delete: key: "placement:allocations:delete" value: "rule:system_admin_api" placement-placement_resource_providers_allocations_list: key: "placement:resource_providers:allocations:list" value: "rule:system_reader_api" placement-placement_allocation_candidates_list: key: "placement:allocation_candidates:list" value: "rule:system_reader_api" placement-placement_reshaper_reshape: key: "placement:reshaper:reshape" value: "rule:system_admin_api" NeutronApiPolicies: neutron-context_is_admin: key: 
"context_is_admin" value: "role:admin" neutron-owner: key: "owner" value: "tenant_id:%(tenant_id)s" neutron-admin_or_owner: key: "admin_or_owner" value: "rule:context_is_admin or rule:owner" neutron-context_is_advsvc: key: "context_is_advsvc" value: "role:advsvc" neutron-admin_or_network_owner: key: "admin_or_network_owner" value: "rule:context_is_admin or tenant_id:%(network:tenant_id)s" neutron-admin_owner_or_network_owner: key: "admin_owner_or_network_owner" value: "rule:owner or rule:admin_or_network_owner" neutron-network_owner: key: "network_owner" value: "tenant_id:%(network:tenant_id)s" neutron-admin_only: key: "admin_only" value: "rule:context_is_admin" neutron-regular_user: key: "regular_user" value: "" neutron-shared: key: "shared" value: "field:networks:shared=True" neutron-default: key: "default" value: "rule:admin_or_owner" neutron-admin_or_ext_parent_owner: key: "admin_or_ext_parent_owner" value: "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s" neutron-ext_parent_owner: key: "ext_parent_owner" value: "tenant_id:%(ext_parent:tenant_id)s" neutron-sg_owner: key: "sg_owner" value: "tenant_id:%(security_group:tenant_id)s" neutron-shared_address_groups: key: "shared_address_groups" value: "field:address_groups:shared=True" neutron-get_address_group: key: "get_address_group" value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups" neutron-shared_address_scopes: key: "shared_address_scopes" value: "field:address_scopes:shared=True" neutron-create_address_scope: key: "create_address_scope" value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" neutron-create_address_scope_shared: key: "create_address_scope:shared" value: "role:admin and system_scope:all" neutron-get_address_scope: key: "get_address_scope" value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_address_scopes" 
# Neutron: address scopes, agents, flavors, floating IPs, logging, metering, networks.
    # Two shapes recur below: "role:X and system_scope:all" for
    # operator-level resources and attributes, and that check OR-ed with a
    # project-scoped member/reader check for resources a project owns.
    neutron-update_address_scope:
      key: "update_address_scope"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-update_address_scope_shared:
      key: "update_address_scope:shared"
      value: "role:admin and system_scope:all"
    neutron-delete_address_scope:
      key: "delete_address_scope"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-get_agent:
      key: "get_agent"
      value: "role:reader and system_scope:all"
    neutron-update_agent:
      key: "update_agent"
      value: "role:admin and system_scope:all"
    neutron-delete_agent:
      key: "delete_agent"
      value: "role:admin and system_scope:all"
    neutron-create_dhcp-network:
      key: "create_dhcp-network"
      value: "role:admin and system_scope:all"
    neutron-get_dhcp-networks:
      key: "get_dhcp-networks"
      value: "role:reader and system_scope:all"
    neutron-delete_dhcp-network:
      key: "delete_dhcp-network"
      value: "role:admin and system_scope:all"
    neutron-create_l3-router:
      key: "create_l3-router"
      value: "role:admin and system_scope:all"
    neutron-get_l3-routers:
      key: "get_l3-routers"
      value: "role:reader and system_scope:all"
    neutron-delete_l3-router:
      key: "delete_l3-router"
      value: "role:admin and system_scope:all"
    neutron-get_dhcp-agents:
      key: "get_dhcp-agents"
      value: "role:reader and system_scope:all"
    neutron-get_l3-agents:
      key: "get_l3-agents"
      value: "role:reader and system_scope:all"
    neutron-get_auto_allocated_topology:
      key: "get_auto_allocated_topology"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    neutron-delete_auto_allocated_topology:
      key: "delete_auto_allocated_topology"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-get_availability_zone:
      key: "get_availability_zone"
      value: "role:reader and system_scope:all"
    neutron-create_flavor:
      key: "create_flavor"
      value: "role:admin and system_scope:all"
    neutron-get_flavor:
      key: "get_flavor"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    neutron-update_flavor:
      key: "update_flavor"
      value: "role:admin and system_scope:all"
    neutron-delete_flavor:
      key: "delete_flavor"
      value: "role:admin and system_scope:all"
    neutron-create_service_profile:
      key: "create_service_profile"
      value: "role:admin and system_scope:all"
    neutron-get_service_profile:
      key: "get_service_profile"
      value: "role:reader and system_scope:all"
    neutron-update_service_profile:
      key: "update_service_profile"
      value: "role:admin and system_scope:all"
    neutron-delete_service_profile:
      key: "delete_service_profile"
      value: "role:admin and system_scope:all"
    neutron-get_flavor_service_profile:
      key: "get_flavor_service_profile"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    neutron-create_flavor_service_profile:
      key: "create_flavor_service_profile"
      value: "role:admin and system_scope:all"
    neutron-delete_flavor_service_profile:
      key: "delete_flavor_service_profile"
      value: "role:admin and system_scope:all"
    neutron-create_floatingip:
      key: "create_floatingip"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    # Choosing the floating address itself is limited to system admin.
    neutron-create_floatingip_floating_ip_address:
      key: "create_floatingip:floating_ip_address"
      value: "role:admin and system_scope:all"
    neutron-get_floatingip:
      key: "get_floatingip"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    neutron-update_floatingip:
      key: "update_floatingip"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-delete_floatingip:
      key: "delete_floatingip"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-get_floatingip_pool:
      key: "get_floatingip_pool"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    # NOTE(review): the port-forwarding and conntrack-helper rules below end
    # in "or rule:ext_parent_owner". That helper is a bare tenant_id match
    # with no role condition, so on the write rules (create/update/delete)
    # a reader-only token in the parent's project would also pass. Confirm
    # this is intended.
    neutron-create_floatingip_port_forwarding:
      key: "create_floatingip_port_forwarding"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
    neutron-get_floatingip_port_forwarding:
      key: "get_floatingip_port_forwarding"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
    neutron-update_floatingip_port_forwarding:
      key: "update_floatingip_port_forwarding"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
    neutron-delete_floatingip_port_forwarding:
      key: "delete_floatingip_port_forwarding"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
    neutron-create_router_conntrack_helper:
      key: "create_router_conntrack_helper"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
    neutron-get_router_conntrack_helper:
      key: "get_router_conntrack_helper"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
    neutron-update_router_conntrack_helper:
      key: "update_router_conntrack_helper"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
    neutron-delete_router_conntrack_helper:
      key: "delete_router_conntrack_helper"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
    # Logging and metering rules are system-scoped only.
    neutron-get_loggable_resource:
      key: "get_loggable_resource"
      value: "role:reader and system_scope:all"
    neutron-create_log:
      key: "create_log"
      value: "role:admin and system_scope:all"
    neutron-get_log:
      key: "get_log"
      value: "role:reader and system_scope:all"
    neutron-update_log:
      key: "update_log"
      value: "role:admin and system_scope:all"
    neutron-delete_log:
      key: "delete_log"
      value: "role:admin and system_scope:all"
    neutron-create_metering_label:
      key: "create_metering_label"
      value: "role:admin and system_scope:all"
    neutron-get_metering_label:
      key: "get_metering_label"
      value: "role:reader and system_scope:all"
    neutron-delete_metering_label:
      key: "delete_metering_label"
      value: "role:admin and system_scope:all"
    neutron-create_metering_label_rule:
      key: "create_metering_label_rule"
      value: "role:admin and system_scope:all"
    neutron-get_metering_label_rule:
      key: "get_metering_label_rule"
      value: "role:reader and system_scope:all"
    neutron-delete_metering_label_rule:
      key: "delete_metering_label_rule"
      value: "role:admin and system_scope:all"
    neutron-external:
      key: "external"
      value: "field:networks:router:external=True"
    # Networks: project members may create, update and delete their own;
    # the shared, router:external, is_default, segments and provider:*
    # attributes are writable by system-scoped admin only.
    neutron-create_network:
      key: "create_network"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-create_network_shared:
      key: "create_network:shared"
      value: "role:admin and system_scope:all"
    neutron-create_network_router_external:
      key: "create_network:router:external"
      value: "role:admin and system_scope:all"
    neutron-create_network_is_default:
      key: "create_network:is_default"
      value: "role:admin and system_scope:all"
    neutron-create_network_port_security_enabled:
      key: "create_network:port_security_enabled"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-create_network_segments:
      key: "create_network:segments"
      value: "role:admin and system_scope:all"
    neutron-create_network_provider_network_type:
      key: "create_network:provider:network_type"
      value: "role:admin and system_scope:all"
    neutron-create_network_provider_physical_network:
      key: "create_network:provider:physical_network"
      value: "role:admin and system_scope:all"
    neutron-create_network_provider_segmentation_id:
      key: "create_network:provider:segmentation_id"
      value: "role:admin and system_scope:all"
    # rule:shared and rule:external are field checks on the network, so a
    # shared or external network is readable without a role condition.
    neutron-get_network:
      key: "get_network"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc"
    neutron-get_network_router_external:
      key: "get_network:router:external"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    neutron-get_network_segments:
      key: "get_network:segments"
      value: "role:reader and system_scope:all"
    neutron-get_network_provider_network_type:
      key: "get_network:provider:network_type"
      value: "role:reader and system_scope:all"
    neutron-get_network_provider_physical_network:
      key: "get_network:provider:physical_network"
      value: "role:reader and system_scope:all"
    neutron-get_network_provider_segmentation_id:
      key: "get_network:provider:segmentation_id"
      value: "role:reader and system_scope:all"
    neutron-update_network:
      key: "update_network"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-update_network_segments:
      key: "update_network:segments"
      value: "role:admin and system_scope:all"
    neutron-update_network_shared:
      key: "update_network:shared"
      value: "role:admin and system_scope:all"
    neutron-update_network_provider_network_type:
      key: "update_network:provider:network_type"
      value: "role:admin and system_scope:all"
    neutron-update_network_provider_physical_network:
      key: "update_network:provider:physical_network"
      value: "role:admin and system_scope:all"
    neutron-update_network_provider_segmentation_id:
      key: "update_network:provider:segmentation_id"
      value: "role:admin and system_scope:all"
    neutron-update_network_router_external:
      key: "update_network:router:external"
      value: "role:admin and system_scope:all"
    neutron-update_network_is_default:
      key: "update_network:is_default"
      value: "role:admin and system_scope:all"
    neutron-update_network_port_security_enabled:
      key: "update_network:port_security_enabled"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-delete_network:
      key: "delete_network"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-get_network_ip_availability:
      key: "get_network_ip_availability"
      value: "role:reader and system_scope:all"
# Neutron: segment ranges, then port creation and port read rules.
    neutron-create_network_segment_range:
      key: "create_network_segment_range"
      value: "role:admin and system_scope:all"
    neutron-get_network_segment_range:
      key: "get_network_segment_range"
      value: "role:reader and system_scope:all"
    neutron-update_network_segment_range:
      key: "update_network_segment_range"
      value: "role:admin and system_scope:all"
    neutron-delete_network_segment_range:
      key: "delete_network_segment_range"
      value: "role:admin and system_scope:all"
    # Regex field check: matches a device_owner beginning with "network:".
    neutron-network_device:
      key: "network_device"
      value: "field:port:device_owner=~^network:"
    neutron-admin_or_data_plane_int:
      key: "admin_or_data_plane_int"
      value: "rule:context_is_admin or role:data_plane_integrator"
    neutron-create_port:
      key: "create_port"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    # Reading the unparenthesised rules below: oslo.policy binds "not"
    # tightest, then "and", then "or", so
    # "A or role:admin and system_scope:all" means
    # "A or (role:admin and system_scope:all)".
    # For device_owner the first alternative passes whenever the value does
    # not match rule:network_device; the remaining alternatives only matter
    # for "network:"-prefixed owners.
    neutron-create_port_device_owner:
      key: "create_port:device_owner"
      value: "not rule:network_device or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:context_is_advsvc or rule:network_owner"
    # NOTE(review): rule:network_owner is a tenant_id match with no role
    # condition, so any role held in the network owner's project passes the
    # attribute rules that list it (mac_address, fixed_ips,
    # port_security_enabled, allowed_address_pairs). Confirm that a
    # reader-only token is stopped earlier, by create_port.
    neutron-create_port_mac_address:
      key: "create_port:mac_address"
      value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
    # fixed_ips and fixed_ips:subnet_id also accept rule:shared, a field
    # check on the network; fixed_ips:ip_address does not.
    neutron-create_port_fixed_ips:
      key: "create_port:fixed_ips"
      value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared"
    neutron-create_port_fixed_ips_ip_address:
      key: "create_port:fixed_ips:ip_address"
      value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
    neutron-create_port_fixed_ips_subnet_id:
      key: "create_port:fixed_ips:subnet_id"
      value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared"
    # port_security_enabled and allowed_address_pairs relax anti-spoofing
    # filtering on a port, so these are the rules to audit first when
    # tightening tenant isolation.
    neutron-create_port_port_security_enabled:
      key: "create_port:port_security_enabled"
      value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
    # Binding host and profile are system-admin only; vnic_type is open to
    # project members.
    neutron-create_port_binding_host_id:
      key: "create_port:binding:host_id"
      value: "role:admin and system_scope:all"
    neutron-create_port_binding_profile:
      key: "create_port:binding:profile"
      value: "role:admin and system_scope:all"
    neutron-create_port_binding_vnic_type:
      key: "create_port:binding:vnic_type"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-create_port_allowed_address_pairs:
      key: "create_port:allowed_address_pairs"
      value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
    neutron-create_port_allowed_address_pairs_mac_address:
      key: "create_port:allowed_address_pairs:mac_address"
      value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
    neutron-create_port_allowed_address_pairs_ip_address:
      key: "create_port:allowed_address_pairs:ip_address"
      value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
    neutron-get_port:
      key: "get_port"
      value: "rule:context_is_advsvc or (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    # Binding details and resource_request are readable with system scope
    # only.
    neutron-get_port_binding_vif_type:
      key: "get_port:binding:vif_type"
      value: "role:reader and system_scope:all"
    neutron-get_port_binding_vif_details:
      key: "get_port:binding:vif_details"
      value: "role:reader and system_scope:all"
    neutron-get_port_binding_host_id:
      key: "get_port:binding:host_id"
      value: "role:reader and system_scope:all"
    neutron-get_port_binding_profile:
      key: "get_port:binding:profile"
      value: "role:reader and system_scope:all"
    neutron-get_port_resource_request:
      key: "get_port:resource_request"
      value: "role:reader and system_scope:all"
    neutron-update_port:
      key: "update_port"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
# Neutron: port updates, QoS policies, quotas, RBAC policies, routers, security groups, segments.
    # In the unparenthesised rules below oslo.policy binds "not" tightest,
    # then "and", then "or".
    # NOTE(review): rule:network_owner is a tenant_id match with no role
    # condition; any role in the network owner's project passes the
    # attribute rules that list it.
    neutron-update_port_device_owner:
      key: "update_port:device_owner"
      value: "not rule:network_device or rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
    neutron-update_port_mac_address:
      key: "update_port:mac_address"
      value: "role:admin and system_scope:all or rule:context_is_advsvc"
    neutron-update_port_fixed_ips:
      key: "update_port:fixed_ips"
      value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
    neutron-update_port_fixed_ips_ip_address:
      key: "update_port:fixed_ips:ip_address"
      value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
    neutron-update_port_fixed_ips_subnet_id:
      key: "update_port:fixed_ips:subnet_id"
      value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared"
    # port_security_enabled and allowed_address_pairs relax anti-spoofing
    # filtering on a port; audit these first when tightening isolation.
    neutron-update_port_port_security_enabled:
      key: "update_port:port_security_enabled"
      value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
    neutron-update_port_binding_host_id:
      key: "update_port:binding:host_id"
      value: "role:admin and system_scope:all"
    neutron-update_port_binding_profile:
      key: "update_port:binding:profile"
      value: "role:admin and system_scope:all"
    neutron-update_port_binding_vnic_type:
      key: "update_port:binding:vnic_type"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
    neutron-update_port_allowed_address_pairs:
      key: "update_port:allowed_address_pairs"
      value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
    neutron-update_port_allowed_address_pairs_mac_address:
      key: "update_port:allowed_address_pairs:mac_address"
      value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
    neutron-update_port_allowed_address_pairs_ip_address:
      key: "update_port:allowed_address_pairs:ip_address"
      value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
    # role:data_plane_integrator is accepted here without any scope or
    # project condition.
    neutron-update_port_data_plane_status:
      key: "update_port:data_plane_status"
      value: "role:admin and system_scope:all or role:data_plane_integrator"
    neutron-delete_port:
      key: "delete_port"
      value: "rule:context_is_advsvc or (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    # QoS: policies and their rules are readable by project readers but
    # writable by system-scoped admin only.
    neutron-get_policy:
      key: "get_policy"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    neutron-create_policy:
      key: "create_policy"
      value: "role:admin and system_scope:all"
    neutron-update_policy:
      key: "update_policy"
      value: "role:admin and system_scope:all"
    neutron-delete_policy:
      key: "delete_policy"
      value: "role:admin and system_scope:all"
    neutron-get_rule_type:
      key: "get_rule_type"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    neutron-get_policy_bandwidth_limit_rule:
      key: "get_policy_bandwidth_limit_rule"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    neutron-create_policy_bandwidth_limit_rule:
      key: "create_policy_bandwidth_limit_rule"
      value: "role:admin and system_scope:all"
    neutron-update_policy_bandwidth_limit_rule:
      key: "update_policy_bandwidth_limit_rule"
      value: "role:admin and system_scope:all"
    neutron-delete_policy_bandwidth_limit_rule:
      key: "delete_policy_bandwidth_limit_rule"
      value: "role:admin and system_scope:all"
    neutron-get_policy_dscp_marking_rule:
      key: "get_policy_dscp_marking_rule"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    neutron-create_policy_dscp_marking_rule:
      key: "create_policy_dscp_marking_rule"
      value: "role:admin and system_scope:all"
    neutron-update_policy_dscp_marking_rule:
      key: "update_policy_dscp_marking_rule"
      value: "role:admin and system_scope:all"
    neutron-delete_policy_dscp_marking_rule:
      key: "delete_policy_dscp_marking_rule"
      value: "role:admin and system_scope:all"
    neutron-get_policy_minimum_bandwidth_rule:
      key: "get_policy_minimum_bandwidth_rule"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    neutron-create_policy_minimum_bandwidth_rule:
      key: "create_policy_minimum_bandwidth_rule"
      value: "role:admin and system_scope:all"
    neutron-update_policy_minimum_bandwidth_rule:
      key: "update_policy_minimum_bandwidth_rule"
      value: "role:admin and system_scope:all"
    neutron-delete_policy_minimum_bandwidth_rule:
      key: "delete_policy_minimum_bandwidth_rule"
      value: "role:admin and system_scope:all"
    # The *_alias_* rules delegate to the matching *_policy_* rule, so a
    # change to one of those also changes its alias.
    neutron-get_alias_bandwidth_limit_rule:
      key: "get_alias_bandwidth_limit_rule"
      value: "rule:get_policy_bandwidth_limit_rule"
    neutron-update_alias_bandwidth_limit_rule:
      key: "update_alias_bandwidth_limit_rule"
      value: "rule:update_policy_bandwidth_limit_rule"
    neutron-delete_alias_bandwidth_limit_rule:
      key: "delete_alias_bandwidth_limit_rule"
      value: "rule:delete_policy_bandwidth_limit_rule"
    neutron-get_alias_dscp_marking_rule:
      key: "get_alias_dscp_marking_rule"
      value: "rule:get_policy_dscp_marking_rule"
    neutron-update_alias_dscp_marking_rule:
      key: "update_alias_dscp_marking_rule"
      value: "rule:update_policy_dscp_marking_rule"
    neutron-delete_alias_dscp_marking_rule:
      key: "delete_alias_dscp_marking_rule"
      value: "rule:delete_policy_dscp_marking_rule"
    neutron-get_alias_minimum_bandwidth_rule:
      key: "get_alias_minimum_bandwidth_rule"
      value: "rule:get_policy_minimum_bandwidth_rule"
    neutron-update_alias_minimum_bandwidth_rule:
      key: "update_alias_minimum_bandwidth_rule"
      value: "rule:update_policy_minimum_bandwidth_rule"
    neutron-delete_alias_minimum_bandwidth_rule:
      key: "delete_alias_minimum_bandwidth_rule"
      value: "rule:delete_policy_minimum_bandwidth_rule"
    neutron-get_quota:
      key: "get_quota"
      value: "role:reader and system_scope:all"
    neutron-update_quota:
      key: "update_quota"
      value: "role:admin and system_scope:all"
    neutron-delete_quota:
      key: "delete_quota"
      value: "role:admin and system_scope:all"
    # RBAC sharing. A wildcard target_tenant ("*") shares an object with
    # every project. The *_rbac_policy:target_tenant rules require
    # system-scoped admin for it.
    # NOTE(review): restrict_wildcard instead relies on rule:admin_only,
    # which resolves to unscoped role:admin in this file; confirm which of
    # the two rules the service evaluates.
    neutron-restrict_wildcard:
      key: "restrict_wildcard"
      value: "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
    neutron-create_rbac_policy:
      key: "create_rbac_policy"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-create_rbac_policy_target_tenant:
      key: "create_rbac_policy:target_tenant"
      value: "role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)"
    neutron-update_rbac_policy:
      key: "update_rbac_policy"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-update_rbac_policy_target_tenant:
      key: "update_rbac_policy:target_tenant"
      value: "role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)"
    neutron-get_rbac_policy:
      key: "get_rbac_policy"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    neutron-delete_rbac_policy:
      key: "delete_rbac_policy"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    # Routers: project members manage their own; distributed, ha,
    # enable_snat and external_fixed_ips need system scope.
    neutron-create_router:
      key: "create_router"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-create_router_distributed:
      key: "create_router:distributed"
      value: "role:admin and system_scope:all"
    neutron-create_router_ha:
      key: "create_router:ha"
      value: "role:admin and system_scope:all"
    neutron-create_router_external_gateway_info:
      key: "create_router:external_gateway_info"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-create_router_external_gateway_info_network_id:
      key: "create_router:external_gateway_info:network_id"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-create_router_external_gateway_info_enable_snat:
      key: "create_router:external_gateway_info:enable_snat"
      value: "role:admin and system_scope:all"
    neutron-create_router_external_gateway_info_external_fixed_ips:
      key: "create_router:external_gateway_info:external_fixed_ips"
      value: "role:admin and system_scope:all"
    neutron-get_router:
      key: "get_router"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    neutron-get_router_distributed:
      key: "get_router:distributed"
      value: "role:reader and system_scope:all"
    neutron-get_router_ha:
      key: "get_router:ha"
      value: "role:reader and system_scope:all"
    neutron-update_router:
      key: "update_router"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-update_router_distributed:
      key: "update_router:distributed"
      value: "role:admin and system_scope:all"
    neutron-update_router_ha:
      key: "update_router:ha"
      value: "role:admin and system_scope:all"
    neutron-update_router_external_gateway_info:
      key: "update_router:external_gateway_info"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-update_router_external_gateway_info_network_id:
      key: "update_router:external_gateway_info:network_id"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-update_router_external_gateway_info_enable_snat:
      key: "update_router:external_gateway_info:enable_snat"
      value: "role:admin and system_scope:all"
    neutron-update_router_external_gateway_info_external_fixed_ips:
      key: "update_router:external_gateway_info:external_fixed_ips"
      value: "role:admin and system_scope:all"
    neutron-delete_router:
      key: "delete_router"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-add_router_interface:
      key: "add_router_interface"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-remove_router_interface:
      key: "remove_router_interface"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-add_extraroutes:
      key: "add_extraroutes"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-remove_extraroutes:
      key: "remove_extraroutes"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    # Security groups. The two helpers below build on context_is_admin,
    # which is unscoped role:admin in this file.
    neutron-admin_or_sg_owner:
      key: "admin_or_sg_owner"
      value: "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s"
    neutron-admin_owner_or_sg_owner:
      key: "admin_owner_or_sg_owner"
      value: "rule:owner or rule:admin_or_sg_owner"
    neutron-create_security_group:
      key: "create_security_group"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-get_security_group:
      key: "get_security_group"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    neutron-update_security_group:
      key: "update_security_group"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-delete_security_group:
      key: "delete_security_group"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-create_security_group_rule:
      key: "create_security_group_rule"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-get_security_group_rule:
      key: "get_security_group_rule"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:sg_owner"
    neutron-delete_security_group_rule:
      key: "delete_security_group_rule"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    neutron-create_segment:
      key: "create_segment"
      value: "role:admin and system_scope:all"
    neutron-get_segment:
      key: "get_segment"
      value: "role:reader and system_scope:all"
    neutron-update_segment:
      key: "update_segment"
      value: "role:admin and system_scope:all"
    neutron-delete_segment:
      key: "delete_segment"
      value: "role:admin and system_scope:all"
# Neutron: service providers, subnets and subnet pools.
    # NOTE(review): unlike its neighbours this rule has no system_scope or
    # project_id condition; a reader role in any scope passes. Confirm that
    # is intended.
    neutron-get_service_provider:
      key: "get_service_provider"
      value: "role:reader"
    # NOTE(review): the subnet write rules end in "or rule:network_owner",
    # a tenant_id match with no role condition, so any role held in the
    # network owner's project passes create/update/delete. Confirm
    # intended.
    neutron-create_subnet:
      key: "create_subnet"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner"
    neutron-create_subnet_segment_id:
      key: "create_subnet:segment_id"
      value: "role:admin and system_scope:all"
    neutron-create_subnet_service_types:
      key: "create_subnet:service_types"
      value: "role:admin and system_scope:all"
    # rule:shared is a field check on the network, so subnets of a shared
    # network are readable without a role condition.
    neutron-get_subnet:
      key: "get_subnet"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared"
    neutron-get_subnet_segment_id:
      key: "get_subnet:segment_id"
      value: "role:reader and system_scope:all"
    neutron-update_subnet:
      key: "update_subnet"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner"
    neutron-update_subnet_segment_id:
      key: "update_subnet:segment_id"
      value: "role:admin and system_scope:all"
    neutron-update_subnet_service_types:
      key: "update_subnet:service_types"
      value: "role:admin and system_scope:all"
    neutron-delete_subnet:
      key: "delete_subnet"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner"
    neutron-shared_subnetpools:
      key: "shared_subnetpools"
      value: "field:subnetpools:shared=True"
    neutron-create_subnetpool:
      key: "create_subnetpool"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    # The shared and is_default attributes are system-admin only.
    neutron-create_subnetpool_shared:
      key: "create_subnetpool:shared"
      value: "role:admin and system_scope:all"
    neutron-create_subnetpool_is_default:
      key: "create_subnetpool:is_default"
      value: "role:admin and system_scope:all"
    neutron-get_subnetpool:
      key: "get_subnetpool"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools"
    neutron-update_subnetpool:
      key: "update_subnetpool"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-update_subnetpool_is_default: key: "update_subnetpool:is_default" value: "role:admin and system_scope:all" neutron-delete_subnetpool: key: "delete_subnetpool" value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" neutron-onboard_network_subnets: key: "onboard_network_subnets" value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" neutron-add_prefixes: key: "add_prefixes" value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" neutron-remove_prefixes: key: "remove_prefixes" value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" neutron-create_trunk: key: "create_trunk" value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" neutron-get_trunk: key: "get_trunk" value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" neutron-update_trunk: key: "update_trunk" value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" neutron-delete_trunk: key: "delete_trunk" value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" neutron-get_subports: key: "get_subports" value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" neutron-add_subports: key: "add_subports" value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" neutron-remove_subports: key: "remove_subports" value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" GlanceApiPolicies: glance-default: key: "default" value: "" glance-context_is_admin: key: "context_is_admin" value: "role:admin" glance-add_image: key: "add_image" value: "role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)" glance-delete_image: key: "delete_image" value: "role:admin or (role:member and project_id:%(project_id)s)" glance-get_image: key: 
"get_image" value: "role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))" glance-get_images: key: "get_images" value: "role:admin or (role:reader and project_id:%(project_id)s)" glance-modify_image: key: "modify_image" value: "role:admin or (role:member and project_id:%(project_id)s)" glance-publicize_image: key: "publicize_image" value: "role:admin" glance-communitize_image: key: "communitize_image" value: "role:admin or (role:member and project_id:%(project_id)s)" glance-download_image: key: "download_image" value: "role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))" glance-upload_image: key: "upload_image" value: "role:admin or (role:member and project_id:%(project_id)s)" glance-delete_image_location: key: "delete_image_location" value: "role:admin" glance-get_image_location: key: "get_image_location" value: "role:admin or (role:reader and project_id:%(project_id)s)" glance-set_image_location: key: "set_image_location" value: "role:admin or (role:member and project_id:%(project_id)s)" glance-add_member: key: "add_member" value: "role:admin or (role:member and project_id:%(project_id)s)" glance-delete_member: key: "delete_member" value: "role:admin or (role:member and project_id:%(project_id)s)" glance-get_member: key: "get_member" value: "role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)" glance-get_members: key: "get_members" value: "role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)" glance-modify_member: key: "modify_member" value: "role:admin or (role:member and project_id:%(member_id)s)" glance-manage_image_cache: key: "manage_image_cache" value: "role:admin" glance-deactivate: key: "deactivate" value: "role:admin or (role:member and 
project_id:%(project_id)s)" glance-reactivate: key: "reactivate" value: "role:admin or (role:member and project_id:%(project_id)s)" glance-copy_image: key: "copy_image" value: "role:admin" glance-get_task: key: "get_task" value: "rule:default" glance-get_tasks: key: "get_tasks" value: "rule:default" glance-add_task: key: "add_task" value: "rule:default" glance-modify_task: key: "modify_task" value: "rule:default" glance-tasks_api_access: key: "tasks_api_access" value: "role:admin" glance-metadef_default: key: "metadef_default" value: "" glance-metadef_admin: key: "metadef_admin" value: "role:admin" glance-get_metadef_namespace: key: "get_metadef_namespace" value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" glance-get_metadef_namespaces: key: "get_metadef_namespaces" value: "role:admin or (role:reader and project_id:%(project_id)s)" glance-modify_metadef_namespace: key: "modify_metadef_namespace" value: "rule:metadef_admin" glance-add_metadef_namespace: key: "add_metadef_namespace" value: "rule:metadef_admin" glance-delete_metadef_namespace: key: "delete_metadef_namespace" value: "rule:metadef_admin" glance-get_metadef_object: key: "get_metadef_object" value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" glance-get_metadef_objects: key: "get_metadef_objects" value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" glance-modify_metadef_object: key: "modify_metadef_object" value: "rule:metadef_admin" glance-add_metadef_object: key: "add_metadef_object" value: "rule:metadef_admin" glance-delete_metadef_object: key: "delete_metadef_object" value: "rule:metadef_admin" glance-list_metadef_resource_types: key: "list_metadef_resource_types" value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" glance-get_metadef_resource_type: key: "get_metadef_resource_type" value: "role:admin or (role:reader and 
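(project_id:%(project_id)s or 'public':%(visibility)s))"
    # Each entry is one policy override: "key" names the rule and "value"
    # holds its check string.
    glance-add_metadef_resource_type_association:
      key: "add_metadef_resource_type_association"
      value: "rule:metadef_admin"
    glance-remove_metadef_resource_type_association:
      key: "remove_metadef_resource_type_association"
      value: "rule:metadef_admin"
    glance-get_metadef_property:
      key: "get_metadef_property"
      value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
    glance-get_metadef_properties:
      key: "get_metadef_properties"
      value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
    glance-modify_metadef_property:
      key: "modify_metadef_property"
      value: "rule:metadef_admin"
    glance-add_metadef_property:
      key: "add_metadef_property"
      value: "rule:metadef_admin"
    glance-remove_metadef_property:
      key: "remove_metadef_property"
      value: "rule:metadef_admin"
    glance-get_metadef_tag:
      key: "get_metadef_tag"
      value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
    glance-get_metadef_tags:
      key: "get_metadef_tags"
      value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
    glance-modify_metadef_tag:
      key: "modify_metadef_tag"
      value: "rule:metadef_admin"
    glance-add_metadef_tag:
      key: "add_metadef_tag"
      value: "rule:metadef_admin"
    glance-add_metadef_tags:
      key: "add_metadef_tags"
      value: "rule:metadef_admin"
    glance-delete_metadef_tag:
      key: "delete_metadef_tag"
      value: "rule:metadef_admin"
    glance-delete_metadef_tags:
      key: "delete_metadef_tags"
      value: "rule:metadef_admin"

  # Policy overrides for the Designate (DNS) API.
  # This section mixes two styles of check: scope-aware checks
  # ("role:... and system_scope:all", "role:... and project_id:...") and the
  # older aliases "admin", "owner" and "target", which test only a role or a
  # tenant id.
  DesignateApiPolicies:
    # "admin" has no system_scope or project test. Every rule below that
    # resolves to "rule:admin" (all_tenants, edit_managed_records, use_low_ttl,
    # use_sudo, diagnostics_*) therefore passes for an admin role in any scope.
    # NOTE(review): confirm that is intended next to the system-scoped rules.
    designate-admin:
      key: "admin"
      value: "role:admin or is_admin:True"
    # NOTE(review): named primary_zone but tests for SECONDARY; no rule in this
    # section references it - confirm.
    designate-primary_zone:
      key: "primary_zone"
      value: "target.zone_type:SECONDARY"
    designate-owner:
      key: "owner"
      value: "tenant:%(tenant_id)s"
    designate-admin_or_owner:
      key: "admin_or_owner"
      value: "rule:admin or rule:owner"
    designate-default:
      key: "default"
      value: "rule:admin_or_owner"
    designate-target:
      key: "target"
      value: "tenant:%(target_tenant_id)s"
    designate-owner_or_target:
      key: "owner_or_target"
      value: "rule:target or rule:owner"
    designate-admin_or_owner_or_target:
      key: "admin_or_owner_or_target"
      value: "rule:owner_or_target or rule:admin"
    designate-admin_or_target:
      key: "admin_or_target"
      value: "rule:admin or rule:target"
    designate-zone_primary_or_admin:
      key: "zone_primary_or_admin"
      value: "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
    designate-create_blacklist:
      key: "create_blacklist"
      value: "role:admin and system_scope:all"
    designate-find_blacklist:
      key: "find_blacklist"
      value: "role:reader and system_scope:all"
    designate-find_blacklists:
      key: "find_blacklists"
      value: "role:reader and system_scope:all"
    designate-get_blacklist:
      key: "get_blacklist"
      value: "role:reader and system_scope:all"
    designate-update_blacklist:
      key: "update_blacklist"
      value: "role:admin and system_scope:all"
    designate-delete_blacklist:
      key: "delete_blacklist"
      value: "role:admin and system_scope:all"
    designate-use_blacklisted_zone:
      key: "use_blacklisted_zone"
      value: "role:admin and system_scope:all"
    designate-all_tenants:
      key: "all_tenants"
      value: "rule:admin"
    designate-edit_managed_records:
      key: "edit_managed_records"
      value: "rule:admin"
    designate-use_low_ttl:
      key: "use_low_ttl"
      value: "rule:admin"
    designate-use_sudo:
      key: "use_sudo"
      value: "rule:admin"
    designate-diagnostics_ping:
      key: "diagnostics_ping"
      value: "rule:admin"
    designate-diagnostics_sync_zones:
      key: "diagnostics_sync_zones"
      value: "rule:admin"
    designate-diagnostics_sync_zone:
      key: "diagnostics_sync_zone"
      value: "rule:admin"
    designate-diagnostics_sync_record:
      key: "diagnostics_sync_record"
      value: "rule:admin"
    designate-create_pool:
      key: "create_pool"
      value: "role:admin and system_scope:all"
    designate-find_pools:
      key: "find_pools"
      value: "role:reader and system_scope:all"
    designate-find_pool:
      key: "find_pool"
      value: "role:reader and system_scope:all"
    designate-get_pool:
      key: "get_pool"
      value: "role:reader and system_scope:all"
    designate-update_pool:
      key: "update_pool"
      value: "role:admin and system_scope:all"
    designate-delete_pool:
      key: "delete_pool"
      value: "role:admin and system_scope:all"
    designate-zone_create_forced_pool:
      key: "zone_create_forced_pool"
      value: "role:admin and system_scope:all"
    designate-get_quotas:
      key: "get_quotas"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    designate-get_quota:
      key: "get_quota"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    designate-set_quota:
      key: "set_quota"
      value: "role:admin and system_scope:all"
    designate-reset_quotas:
      key: "reset_quotas"
      value: "role:admin and system_scope:all"
    designate-find_records:
      key: "find_records"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    designate-count_records:
      key: "count_records"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    # NOTE(review): create/update/delete_recordset pass only for a system-scoped
    # admin on a SECONDARY zone. Project members, who may create and update
    # zones further down, get no recordset write access - confirm intended.
    designate-create_recordset:
      key: "create_recordset"
      value: "(role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s)"
    designate-get_recordsets:
      key: "get_recordsets"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    designate-get_recordset:
      key: "get_recordset"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    designate-update_recordset:
      key: "update_recordset"
      value: "(role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s)"
    designate-delete_recordset:
      key: "delete_recordset"
      value: "(role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s)"
    designate-count_recordset:
      key: "count_recordset"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    designate-find_service_status:
      key: "find_service_status"
      value: "role:reader and system_scope:all"
    designate-find_service_statuses:
      key: "find_service_statuses"
      value: "role:reader and system_scope:all"
    designate-update_service_status:
      key: "update_service_status"
      value: "role:admin and system_scope:all"
    designate-find_tenants:
      key: "find_tenants"
      value: "role:reader and system_scope:all"
    designate-get_tenant:
      key: "get_tenant"
      value: "role:reader and system_scope:all"
    designate-count_tenants:
      key: "count_tenants"
      value: "role:reader and system_scope:all"
    designate-create_tld:
      key: "create_tld"
      value: "role:admin and system_scope:all"
    designate-find_tlds:
      key: "find_tlds"
      value: "role:reader and system_scope:all"
    designate-get_tld:
      key: "get_tld"
      value: "role:reader and system_scope:all"
    designate-update_tld:
      key: "update_tld"
      value: "role:admin and system_scope:all"
    designate-delete_tld:
      key: "delete_tld"
      value: "role:admin and system_scope:all"
    designate-create_tsigkey:
      key: "create_tsigkey"
      value: "role:admin and system_scope:all"
    designate-find_tsigkeys:
      key: "find_tsigkeys"
      value: "role:reader and system_scope:all"
    designate-get_tsigkey:
      key: "get_tsigkey"
      value: "role:reader and system_scope:all"
    designate-update_tsigkey:
      key: "update_tsigkey"
      value: "role:admin and system_scope:all"
    designate-delete_tsigkey:
      key: "delete_tsigkey"
      value: "role:admin and system_scope:all"
    designate-create_zone:
      key: "create_zone"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    designate-get_zones:
      key: "get_zones"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    designate-get_zone:
      key: "get_zone"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    designate-get_zone_servers:
      key: "get_zone_servers"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    designate-find_zones:
      key: "find_zones"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    designate-update_zone:
      key: "update_zone"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    designate-delete_zone:
      key: "delete_zone"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    designate-xfr_zone:
      key: "xfr_zone"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    designate-abandon_zone:
      key: "abandon_zone"
      value: "role:admin and system_scope:all"
    designate-count_zones:
      key: "count_zones"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    designate-count_zones_pending_notify:
      key: "count_zones_pending_notify"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    designate-purge_zones:
      key: "purge_zones"
      value: "role:admin and system_scope:all"
    designate-touch_zone:
      key: "touch_zone"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    designate-zone_export:
      key: "zone_export"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    designate-create_zone_export:
      key: "create_zone_export"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    designate-find_zone_exports:
      key: "find_zone_exports"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    designate-get_zone_export:
      key: "get_zone_export"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    designate-update_zone_export:
      key: "update_zone_export"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    designate-create_zone_import:
      key: "create_zone_import"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    designate-find_zone_imports:
      key: "find_zone_imports"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    designate-get_zone_import:
      key: "get_zone_import"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    designate-update_zone_import:
      key: "update_zone_import"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    designate-delete_zone_import:
      key: "delete_zone_import"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    # This rule and get_zone_transfer_request keep the older tenant-based form
    # (no role or scope test).
    # NOTE(review): "None:%(target_tenant_id)s" presumably matches a transfer
    # request that names no target tenant, which would admit any caller for
    # such requests - confirm that is acceptable.
    designate-create_zone_transfer_accept:
      key: "create_zone_transfer_accept"
      value: "rule:admin_or_owner OR tenant:%(target_tenant_id)s OR None:%(target_tenant_id)s"
    designate-get_zone_transfer_accept:
      key: "get_zone_transfer_accept"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    designate-find_zone_transfer_accepts:
      key: "find_zone_transfer_accepts"
      value: "role:reader and system_scope:all"
    designate-find_zone_transfer_accept:
      key: "find_zone_transfer_accept"
      value: "role:reader and system_scope:all"
    designate-update_zone_transfer_accept:
      key: "update_zone_transfer_accept"
      value: "role:admin and system_scope:all"
    designate-delete_zone_transfer_accept:
      key: "delete_zone_transfer_accept"
      value: "role:admin and system_scope:all"
    designate-create_zone_transfer_request:
      key: "create_zone_transfer_request"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    designate-get_zone_transfer_request:
      key: "get_zone_transfer_request"
      value: "rule:admin_or_owner OR tenant:%(target_tenant_id)s OR None:%(target_tenant_id)s"
    designate-get_zone_transfer_request_detailed:
      key: "get_zone_transfer_request_detailed"
      value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
    # "@" is the always-allow check: the next two rules apply no role, scope or
    # project test. NOTE(review): confirm the service filters the results per
    # project, since the policy layer does not.
    designate-find_zone_transfer_requests:
      key: "find_zone_transfer_requests"
      value: "@"
    designate-find_zone_transfer_request:
      key: "find_zone_transfer_request"
      value: "@"
    designate-update_zone_transfer_request:
      key: "update_zone_transfer_request"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
    designate-delete_zone_transfer_request:
      key: "delete_zone_transfer_request"
      value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

  # Policy overrides for the Cinder (block storage) API.
  # Almost every rule resolves to one of three aliases defined first:
  # "admin_api", "xena_system_admin_or_project_reader" and
  # "xena_system_admin_or_project_member". The rest point at another policy in
  # this section by name.
  CinderApiPolicies:
    # NOTE(review): ends in a bare project_id match with no role test. No rule
    # in this section refers to "admin_or_owner" or to
    # "system_or_domain_or_project_admin" - confirm whether they are still used.
    cinder-admin_or_owner:
      key: "admin_or_owner"
      value: "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"
    cinder-system_or_domain_or_project_admin:
      key: "system_or_domain_or_project_admin"
      value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s) or (role:admin and project_id:%(project_id)s)"
    cinder-context_is_admin:
      key: "context_is_admin"
      value: "role:admin"
    cinder-admin_api:
      key: "admin_api"
      value: "is_admin:True or (role:admin and is_admin_project:True)"
    # In the two aliases below "(role:admin)" carries no project_id or
    # system_scope test, so an admin role held on any project satisfies them
    # for every project's resources, despite "system_admin" in the name.
    # NOTE(review): confirm this is intended before relying on per-project
    # isolation for admin users.
    cinder-xena_system_admin_or_project_reader:
      key: "xena_system_admin_or_project_reader"
      value: "(role:admin) or (role:reader and project_id:%(project_id)s)"
    cinder-xena_system_admin_or_project_member:
      key: "xena_system_admin_or_project_member"
      value: "(role:admin) or (role:member and project_id:%(project_id)s)"
    cinder-volume_attachment_create:
      key: "volume:attachment_create"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_attachment_update:
      key: "volume:attachment_update"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_attachment_delete:
      key: "volume:attachment_delete"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_attachment_complete:
      key: "volume:attachment_complete"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_multiattach_bootable_volume:
      key: "volume:multiattach_bootable_volume"
      value: "rule:xena_system_admin_or_project_member"
    cinder-message_get_all:
      key: "message:get_all"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-message_get:
      key: "message:get"
      value: "rule:message:get_all"
    cinder-message_delete:
      key: "message:delete"
      value: "rule:xena_system_admin_or_project_member"
    cinder-clusters_get_all:
      key: "clusters:get_all"
      value: "rule:admin_api"
    cinder-clusters_get:
      key: "clusters:get"
      value: "rule:admin_api"
    cinder-clusters_update:
      key: "clusters:update"
      value: "rule:admin_api"
    cinder-workers_cleanup:
      key: "workers:cleanup"
      value: "rule:admin_api"
    cinder-volume_get_snapshot_metadata:
      key: "volume:get_snapshot_metadata"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-volume_update_snapshot_metadata:
      key: "volume:update_snapshot_metadata"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_delete_snapshot_metadata:
      key: "volume:delete_snapshot_metadata"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_get_all_snapshots:
      key: "volume:get_all_snapshots"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-volume_extension_extended_snapshot_attributes:
      key: "volume_extension:extended_snapshot_attributes"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-volume_create_snapshot:
      key: "volume:create_snapshot"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_get_snapshot:
      key: "volume:get_snapshot"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-volume_update_snapshot:
      key: "volume:update_snapshot"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_delete_snapshot:
      key: "volume:delete_snapshot"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_extension_snapshot_admin_actions_reset_status:
      key: "volume_extension:snapshot_admin_actions:reset_status"
      value: "rule:admin_api"
    cinder-snapshot_extension_snapshot_actions_update_snapshot_status:
      key: "snapshot_extension:snapshot_actions:update_snapshot_status"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_extension_snapshot_admin_actions_force_delete:
      key: "volume_extension:snapshot_admin_actions:force_delete"
      value: "rule:admin_api"
    cinder-snapshot_extension_list_manageable:
      key: "snapshot_extension:list_manageable"
      value: "rule:admin_api"
    cinder-snapshot_extension_snapshot_manage:
      key: "snapshot_extension:snapshot_manage"
      value: "rule:admin_api"
    cinder-snapshot_extension_snapshot_unmanage:
      key: "snapshot_extension:snapshot_unmanage"
      value: "rule:admin_api"
    cinder-backup_get_all:
      key: "backup:get_all"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-backup_backup_project_attribute:
      key: "backup:backup_project_attribute"
      value: "rule:admin_api"
    cinder-backup_create:
      key: "backup:create"
      value: "rule:xena_system_admin_or_project_member"
    cinder-backup_get:
      key: "backup:get"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-backup_update:
      key: "backup:update"
      value: "rule:xena_system_admin_or_project_member"
    cinder-backup_delete:
      key: "backup:delete"
      value: "rule:xena_system_admin_or_project_member"
    cinder-backup_restore:
      key: "backup:restore"
      value: "rule:xena_system_admin_or_project_member"
    cinder-backup_backup-import:
      key: "backup:backup-import"
      value: "rule:admin_api"
    cinder-backup_export-import:
      key: "backup:export-import"
      value: "rule:admin_api"
    cinder-volume_extension_backup_admin_actions_reset_status:
      key: "volume_extension:backup_admin_actions:reset_status"
      value: "rule:admin_api"
    cinder-volume_extension_backup_admin_actions_force_delete:
      key: "volume_extension:backup_admin_actions:force_delete"
      value: "rule:admin_api"
    cinder-group_get_all:
      key: "group:get_all"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-group_create:
      key: "group:create"
      value: "rule:xena_system_admin_or_project_member"
    cinder-group_get:
      key: "group:get"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-group_update:
      key: "group:update"
      value: "rule:xena_system_admin_or_project_member"
    cinder-group_group_project_attribute:
      key: "group:group_project_attribute"
      value: "rule:admin_api"
    cinder-group_group_types_create:
      key: "group:group_types:create"
      value: "rule:admin_api"
    cinder-group_group_types_manage:
      key: "group:group_types_manage"
      value: "rule:group:group_types:create"
    cinder-group_group_types_update:
      key: "group:group_types:update"
      value: "rule:admin_api"
    cinder-group_group_types_delete:
      key: "group:group_types:delete"
      value: "rule:admin_api"
    cinder-group_access_group_types_specs:
      key: "group:access_group_types_specs"
      value: "rule:admin_api"
    cinder-group_group_types_specs_get:
      key: "group:group_types_specs:get"
      value: "rule:admin_api"
    cinder-group_group_types_specs:
      key: "group:group_types_specs"
      value: "rule:group:group_types_specs:get"
    cinder-group_group_types_specs_get_all:
      key: "group:group_types_specs:get_all"
      value: "rule:admin_api"
    cinder-group_group_types_specs_create:
      key: "group:group_types_specs:create"
      value: "rule:admin_api"
    cinder-group_group_types_specs_update:
      key: "group:group_types_specs:update"
      value: "rule:admin_api"
    cinder-group_group_types_specs_delete:
      key: "group:group_types_specs:delete"
      value: "rule:admin_api"
    cinder-group_get_all_group_snapshots:
      key: "group:get_all_group_snapshots"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-group_create_group_snapshot:
      key: "group:create_group_snapshot"
      value: "rule:xena_system_admin_or_project_member"
    cinder-group_get_group_snapshot:
      key: "group:get_group_snapshot"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-group_delete_group_snapshot:
      key: "group:delete_group_snapshot"
      value: "rule:xena_system_admin_or_project_member"
    cinder-group_update_group_snapshot:
      key: "group:update_group_snapshot"
      value: "rule:xena_system_admin_or_project_member"
    cinder-group_group_snapshot_project_attribute:
      key: "group:group_snapshot_project_attribute"
      value: "rule:admin_api"
    cinder-group_reset_group_snapshot_status:
      key: "group:reset_group_snapshot_status"
      value: "rule:admin_api"
    cinder-group_delete:
      key: "group:delete"
      value: "rule:xena_system_admin_or_project_member"
    cinder-group_reset_status:
      key: "group:reset_status"
      value: "rule:admin_api"
    cinder-group_enable_replication:
      key: "group:enable_replication"
      value: "rule:xena_system_admin_or_project_member"
    cinder-group_disable_replication:
      key: "group:disable_replication"
      value: "rule:xena_system_admin_or_project_member"
    cinder-group_failover_replication:
      key: "group:failover_replication"
      value: "rule:xena_system_admin_or_project_member"
    cinder-group_list_replication_targets:
      key: "group:list_replication_targets"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_extension_qos_specs_manage_get_all:
      key: "volume_extension:qos_specs_manage:get_all"
      value: "rule:admin_api"
    cinder-volume_extension_qos_specs_manage_get:
      key: "volume_extension:qos_specs_manage:get"
      value: "rule:admin_api"
    cinder-volume_extension_qos_specs_manage_create:
      key: "volume_extension:qos_specs_manage:create"
      value: "rule:admin_api"
    cinder-volume_extension_qos_specs_manage_update:
      key: "volume_extension:qos_specs_manage:update"
      value: "rule:admin_api"
    cinder-volume_extension_qos_specs_manage_delete:
      key: "volume_extension:qos_specs_manage:delete"
      value: "rule:admin_api"
    cinder-volume_extension_quota_classes_get:
      key: "volume_extension:quota_classes:get"
      value: "rule:admin_api"
    cinder-volume_extension_quota_classes:
      key: "volume_extension:quota_classes"
      value: "rule:volume_extension:quota_classes:get"
    cinder-volume_extension_quota_classes_update:
      key: "volume_extension:quota_classes:update"
      value: "rule:admin_api"
    cinder-volume_extension_quotas_show:
      key: "volume_extension:quotas:show"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-volume_extension_quotas_update:
      key: "volume_extension:quotas:update"
      value: "rule:admin_api"
    cinder-volume_extension_quotas_delete:
      key: "volume_extension:quotas:delete"
      value: "rule:admin_api"
    cinder-volume_extension_capabilities:
      key: "volume_extension:capabilities"
      value: "rule:admin_api"
    cinder-volume_extension_services_index:
      key: "volume_extension:services:index"
      value: "rule:admin_api"
    cinder-volume_extension_services_update:
      key: "volume_extension:services:update"
      value: "rule:admin_api"
    cinder-volume_freeze_host:
      key: "volume:freeze_host"
      value: "rule:admin_api"
    cinder-volume_thaw_host:
      key: "volume:thaw_host"
      value: "rule:admin_api"
    cinder-volume_failover_host:
      key: "volume:failover_host"
      value: "rule:admin_api"
    cinder-scheduler_extension_scheduler_stats_get_pools:
      key: "scheduler_extension:scheduler_stats:get_pools"
      value: "rule:admin_api"
    cinder-volume_extension_hosts:
      key: "volume_extension:hosts"
      value: "rule:admin_api"
    cinder-limits_extension_used_limits:
      key: "limits_extension:used_limits"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-volume_extension_list_manageable:
      key: "volume_extension:list_manageable"
      value: "rule:admin_api"
    cinder-volume_extension_volume_manage:
      key: "volume_extension:volume_manage"
      value: "rule:admin_api"
    cinder-volume_extension_volume_unmanage:
      key: "volume_extension:volume_unmanage"
      value: "rule:admin_api"
    cinder-volume_extension_type_create:
      key: "volume_extension:type_create"
      value: "rule:admin_api"
    cinder-volume_extension_types_manage:
      key: "volume_extension:types_manage"
      value: "rule:volume_extension:type_create"
    cinder-volume_extension_type_update:
      key: "volume_extension:type_update"
      value: "rule:admin_api"
    cinder-volume_extension_type_delete:
      key: "volume_extension:type_delete"
      value: "rule:admin_api"
    cinder-volume_extension_type_get:
      key: "volume_extension:type_get"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-volume_extension_type_get_all:
      key: "volume_extension:type_get_all"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-volume_extension_access_types_extra_specs:
      key: "volume_extension:access_types_extra_specs"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-volume_extension_access_types_qos_specs_id:
      key: "volume_extension:access_types_qos_specs_id"
      value: "rule:admin_api"
    cinder-volume_extension_volume_type_encryption:
      key: "volume_extension:volume_type_encryption"
      value: "rule:admin_api"
    cinder-volume_extension_volume_type_encryption_create:
      key: "volume_extension:volume_type_encryption:create"
      value: "rule:admin_api"
    cinder-volume_extension_volume_type_encryption_get:
      key: "volume_extension:volume_type_encryption:get"
      value: "rule:admin_api"
    cinder-volume_extension_volume_type_encryption_update:
      key: "volume_extension:volume_type_encryption:update"
      value: "rule:admin_api"
    cinder-volume_extension_volume_type_encryption_delete:
      key: "volume_extension:volume_type_encryption:delete"
      value: "rule:admin_api"
    cinder-volume_extension_volume_type_access:
      key: "volume_extension:volume_type_access"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_extension_volume_type_access_addProjectAccess:
      key: "volume_extension:volume_type_access:addProjectAccess"
      value: "rule:admin_api"
    cinder-volume_extension_volume_type_access_removeProjectAccess:
      key: "volume_extension:volume_type_access:removeProjectAccess"
      value: "rule:admin_api"
    cinder-volume_extension_volume_type_access_get_all_for_type:
      key: "volume_extension:volume_type_access:get_all_for_type"
      value: "rule:admin_api"
    cinder-volume_extend:
      key: "volume:extend"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_extend_attached_volume:
      key: "volume:extend_attached_volume"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_revert_to_snapshot:
      key: "volume:revert_to_snapshot"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_extension_volume_admin_actions_reset_status:
      key: "volume_extension:volume_admin_actions:reset_status"
      value: "rule:admin_api"
    cinder-volume_retype:
      key: "volume:retype"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_update_readonly_flag:
      key: "volume:update_readonly_flag"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_extension_volume_admin_actions_force_delete:
      key: "volume_extension:volume_admin_actions:force_delete"
      value: "rule:admin_api"
    cinder-volume_extension_volume_actions_upload_public:
      key: "volume_extension:volume_actions:upload_public"
      value: "rule:admin_api"
    cinder-volume_extension_volume_actions_upload_image:
      key: "volume_extension:volume_actions:upload_image"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_extension_volume_admin_actions_force_detach:
      key: "volume_extension:volume_admin_actions:force_detach"
      value: "rule:admin_api"
    cinder-volume_extension_volume_admin_actions_migrate_volume:
      key: "volume_extension:volume_admin_actions:migrate_volume"
      value: "rule:admin_api"
    cinder-volume_extension_volume_admin_actions_migrate_volume_completion:
      key: "volume_extension:volume_admin_actions:migrate_volume_completion"
      value: "rule:admin_api"
    cinder-volume_extension_volume_actions_initialize_connection:
      key: "volume_extension:volume_actions:initialize_connection"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_extension_volume_actions_terminate_connection:
      key: "volume_extension:volume_actions:terminate_connection"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_extension_volume_actions_roll_detaching:
      key: "volume_extension:volume_actions:roll_detaching"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_extension_volume_actions_reserve:
      key: "volume_extension:volume_actions:reserve"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_extension_volume_actions_unreserve:
      key: "volume_extension:volume_actions:unreserve"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_extension_volume_actions_begin_detaching:
      key: "volume_extension:volume_actions:begin_detaching"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_extension_volume_actions_attach:
      key: "volume_extension:volume_actions:attach"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_extension_volume_actions_detach:
      key: "volume_extension:volume_actions:detach"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_get_all_transfers:
      key: "volume:get_all_transfers"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-volume_create_transfer:
      key: "volume:create_transfer"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_get_transfer:
      key: "volume:get_transfer"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-volume_accept_transfer:
      key: "volume:accept_transfer"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_delete_transfer:
      key: "volume:delete_transfer"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_get_volume_metadata:
      key: "volume:get_volume_metadata"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-volume_create_volume_metadata:
      key: "volume:create_volume_metadata"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_update_volume_metadata:
      key: "volume:update_volume_metadata"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_delete_volume_metadata:
      key: "volume:delete_volume_metadata"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_extension_volume_image_metadata_show:
      key: "volume_extension:volume_image_metadata:show"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-volume_extension_volume_image_metadata:
      key: "volume_extension:volume_image_metadata"
      value: "rule:volume_extension:volume_image_metadata:show"
    cinder-volume_extension_volume_image_metadata_set:
      key: "volume_extension:volume_image_metadata:set"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_extension_volume_image_metadata_remove:
      key: "volume_extension:volume_image_metadata:remove"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_update_volume_admin_metadata:
      key: "volume:update_volume_admin_metadata"
      value: "rule:admin_api"
    cinder-volume_extension_types_extra_specs_index:
      key: "volume_extension:types_extra_specs:index"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-volume_extension_types_extra_specs_create:
      key: "volume_extension:types_extra_specs:create"
      value: "rule:admin_api"
    cinder-volume_extension_types_extra_specs_show:
      key: "volume_extension:types_extra_specs:show"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-volume_extension_types_extra_specs_read_sensitive:
      key: "volume_extension:types_extra_specs:read_sensitive"
      value: "rule:admin_api"
    cinder-volume_extension_types_extra_specs_update:
      key: "volume_extension:types_extra_specs:update"
      value: "rule:admin_api"
    cinder-volume_extension_types_extra_specs_delete:
      key: "volume_extension:types_extra_specs:delete"
      value: "rule:admin_api"
    cinder-volume_create:
      key: "volume:create"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_create_from_image:
      key: "volume:create_from_image"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_get:
      key: "volume:get"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-volume_get_all:
      key: "volume:get_all"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-volume_update:
      key: "volume:update"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_delete:
      key: "volume:delete"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_force_delete:
      key: "volume:force_delete"
      value: "rule:admin_api"
    cinder-volume_extension_volume_host_attribute:
      key: "volume_extension:volume_host_attribute"
      value: "rule:admin_api"
    cinder-volume_extension_volume_tenant_attribute:
      key: "volume_extension:volume_tenant_attribute"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-volume_extension_volume_mig_status_attribute:
      key: "volume_extension:volume_mig_status_attribute"
      value: "rule:admin_api"
    cinder-volume_extension_volume_encryption_metadata:
      key: "volume_extension:volume_encryption_metadata"
      value: "rule:xena_system_admin_or_project_reader"
    cinder-volume_multiattach:
      key: "volume:multiattach"
      value: "rule:xena_system_admin_or_project_member"
    cinder-volume_extension_default_set_or_update:
      key: "volume_extension:default_set_or_update"
      value: "rule:admin_api"
    cinder-volume_extension_default_get:
      key: "volume_extension:default_get"
      value: "rule:admin_api"
    cinder-volume_extension_default_get_all:
      key: "volume_extension:default_get_all"
      value: "rule:admin_api"
    cinder-volume_extension_default_unset:
      key: "volume_extension:default_unset"
      value: "rule:admin_api"

  KeystonePolicies:
    keystone-admin_required:
      key: "admin_required"
      value: "role:admin or is_admin:1"
    keystone-service_role:
      key: "service_role"
      value: "role:service"
    keystone-service_or_admin:
      key: "service_or_admin"
      value: "rule:admin_required or rule:service_role"
    keystone-owner:
      key: "owner"
      value: "user_id:%(user_id)s"
    keystone-admin_or_owner:
      key: "admin_or_owner"
      value: "rule:admin_required or rule:owner"
    keystone-token_subject:
      key: "token_subject"
      value: "user_id:%(target.token.user_id)s"
    keystone-admin_or_token_subject:
      key: "admin_or_token_subject"
      value: "rule:admin_required or rule:token_subject"
    keystone-service_admin_or_token_subject:
      key: "service_admin_or_token_subject"
      value: "rule:service_or_admin or rule:token_subject"
    keystone-identity_get_access_rule:
      key: "identity:get_access_rule"
      value: "(role:reader and system_scope:all) or user_id:%(target.user.id)s"
    keystone-identity_list_access_rules:
      key: "identity:list_access_rules"
      value: "(role:reader and system_scope:all) or user_id:%(target.user.id)s"
    keystone-identity_delete_access_rule:
      key: "identity:delete_access_rule"
      value: "(role:admin and system_scope:all) or user_id:%(target.user.id)s"
    keystone-identity_authorize_request_token:
      key: "identity:authorize_request_token"
      value: "rule:admin_required"
    keystone-identity_get_access_token:
      key: "identity:get_access_token"
      value: "rule:admin_required"
    keystone-identity_get_access_token_role:
      key: "identity:get_access_token_role"
      value: "rule:admin_required"
    keystone-identity_list_access_tokens:
      key: "identity:list_access_tokens"
      value: "rule:admin_required"
    keystone-identity_list_access_token_roles:
      key: "identity:list_access_token_roles"
      value: "rule:admin_required"
    keystone-identity_delete_access_token:
      key: "identity:delete_access_token"
      value: "rule:admin_required"
    keystone-identity_get_application_credential:
      key: "identity:get_application_credential"
      value: "(role:reader and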
system_scope:all) or rule:owner" keystone-identity_get_application_credentials: key: "identity:get_application_credentials" value: "rule:identity:get_application_credential" keystone-identity_list_application_credentials: key: "identity:list_application_credentials" value: "(role:reader and system_scope:all) or rule:owner" keystone-identity_create_application_credential: key: "identity:create_application_credential" value: "user_id:%(user_id)s" keystone-identity_delete_application_credential: key: "identity:delete_application_credential" value: "(role:admin and system_scope:all) or rule:owner" keystone-identity_delete_application_credentials: key: "identity:delete_application_credentials" value: "rule:identity:delete_application_credential" keystone-identity_get_auth_catalog: key: "identity:get_auth_catalog" value: "" keystone-identity_get_auth_projects: key: "identity:get_auth_projects" value: "" keystone-identity_get_auth_domains: key: "identity:get_auth_domains" value: "" keystone-identity_get_auth_system: key: "identity:get_auth_system" value: "" keystone-identity_get_consumer: key: "identity:get_consumer" value: "role:reader and system_scope:all" keystone-identity_list_consumers: key: "identity:list_consumers" value: "role:reader and system_scope:all" keystone-identity_create_consumer: key: "identity:create_consumer" value: "role:admin and system_scope:all" keystone-identity_update_consumer: key: "identity:update_consumer" value: "role:admin and system_scope:all" keystone-identity_delete_consumer: key: "identity:delete_consumer" value: "role:admin and system_scope:all" keystone-identity_get_credential: key: "identity:get_credential" value: "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" keystone-identity_list_credentials: key: "identity:list_credentials" value: "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" keystone-identity_create_credential: key: "identity:create_credential" value: "(role:admin and 
system_scope:all) or user_id:%(target.credential.user_id)s" keystone-identity_update_credential: key: "identity:update_credential" value: "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" keystone-identity_delete_credential: key: "identity:delete_credential" value: "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" keystone-identity_get_domain: key: "identity:get_domain" value: "(role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s" keystone-identity_list_domains: key: "identity:list_domains" value: "role:reader and system_scope:all" keystone-identity_create_domain: key: "identity:create_domain" value: "role:admin and system_scope:all" keystone-identity_update_domain: key: "identity:update_domain" value: "role:admin and system_scope:all" keystone-identity_delete_domain: key: "identity:delete_domain" value: "role:admin and system_scope:all" keystone-identity_create_domain_config: key: "identity:create_domain_config" value: "role:admin and system_scope:all" keystone-identity_get_domain_config: key: "identity:get_domain_config" value: "role:reader and system_scope:all" keystone-identity_get_security_compliance_domain_config: key: "identity:get_security_compliance_domain_config" value: "" keystone-identity_update_domain_config: key: "identity:update_domain_config" value: "role:admin and system_scope:all" keystone-identity_delete_domain_config: key: "identity:delete_domain_config" value: "role:admin and system_scope:all" keystone-identity_get_domain_config_default: key: "identity:get_domain_config_default" value: "role:reader and system_scope:all" keystone-identity_ec2_get_credential: key: "identity:ec2_get_credential" value: "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" keystone-identity_ec2_list_credentials: key: "identity:ec2_list_credentials" value: "(role:reader and system_scope:all) or rule:owner" 
# KeystonePolicies, continued: EC2 credentials, endpoints, endpoint groups,
# role grants, groups and identity providers.
# NOTE(review): entries are laid out at the nesting depth assumed for this file
# (parameter_defaults > KeystonePolicies > entry > key/value) — confirm.
# The values read as oslo.policy check strings: `and` binds tighter than `or`,
# and `rule:NAME` defers to the rule whose key is NAME.
    # `rule:owner` is defined earlier in this section as user_id:%(user_id)s.
    keystone-identity_ec2_create_credential:
      key: "identity:ec2_create_credential"
      value: "(role:admin and system_scope:all) or rule:owner"
    # Alias: evaluates the singular rule above.
    keystone-identity_ec2_create_credentials:
      key: "identity:ec2_create_credentials"
      value: "rule:identity:ec2_create_credential"
    keystone-identity_ec2_delete_credential:
      key: "identity:ec2_delete_credential"
      value: "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s"
    # Alias: evaluates the singular rule above.
    keystone-identity_ec2_delete_credentials:
      key: "identity:ec2_delete_credentials"
      value: "rule:identity:ec2_delete_credential"
    # Endpoints and endpoint groups: reads require reader, writes require admin,
    # and every rule also requires system_scope:all. None of these rules has a
    # project- or domain-scoped alternative.
    keystone-identity_get_endpoint:
      key: "identity:get_endpoint"
      value: "role:reader and system_scope:all"
    keystone-identity_list_endpoints:
      key: "identity:list_endpoints"
      value: "role:reader and system_scope:all"
    keystone-identity_create_endpoint:
      key: "identity:create_endpoint"
      value: "role:admin and system_scope:all"
    keystone-identity_update_endpoint:
      key: "identity:update_endpoint"
      value: "role:admin and system_scope:all"
    keystone-identity_delete_endpoint:
      key: "identity:delete_endpoint"
      value: "role:admin and system_scope:all"
    keystone-identity_create_endpoint_group:
      key: "identity:create_endpoint_group"
      value: "role:admin and system_scope:all"
    keystone-identity_list_endpoint_groups:
      key: "identity:list_endpoint_groups"
      value: "role:reader and system_scope:all"
    keystone-identity_get_endpoint_group:
      key: "identity:get_endpoint_group"
      value: "role:reader and system_scope:all"
    keystone-identity_update_endpoint_group:
      key: "identity:update_endpoint_group"
      value: "role:admin and system_scope:all"
    keystone-identity_delete_endpoint_group:
      key: "identity:delete_endpoint_group"
      value: "role:admin and system_scope:all"
    keystone-identity_list_projects_associated_with_endpoint_group:
      key: "identity:list_projects_associated_with_endpoint_group"
      value: "role:reader and system_scope:all"
    keystone-identity_list_endpoints_associated_with_endpoint_group:
      key: "identity:list_endpoints_associated_with_endpoint_group"
      value: "role:reader and system_scope:all"
    keystone-identity_get_endpoint_group_in_project:
      key: "identity:get_endpoint_group_in_project"
      value: "role:reader and system_scope:all"
    keystone-identity_list_endpoint_groups_for_project:
      key: "identity:list_endpoint_groups_for_project"
      value: "role:reader and system_scope:all"
    keystone-identity_add_endpoint_group_to_project:
      key: "identity:add_endpoint_group_to_project"
      value: "role:admin and system_scope:all"
    keystone-identity_remove_endpoint_group_from_project:
      key: "identity:remove_endpoint_group_from_project"
      value: "role:admin and system_scope:all"
    # Role grants. A system-scoped reader/admin passes outright. Otherwise the
    # caller's domain_id must match both the actor (user or group) and the
    # target (the project's domain or the domain itself). check/create/revoke
    # add a condition on the role: it must belong to the caller's domain or
    # have domain_id None (presumably a global role — confirm).
    keystone-identity_check_grant:
      key: "identity:check_grant"
      value: "(role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
    # list_grants carries no condition on the role's domain, unlike the other
    # three grant rules.
    keystone-identity_list_grants:
      key: "identity:list_grants"
      value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)"
    keystone-identity_create_grant:
      key: "identity:create_grant"
      value: "(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
    keystone-identity_revoke_grant:
      key: "identity:revoke_grant"
      value: "(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
    # System-level grants: system-scoped tokens only, with no domain path.
    keystone-identity_list_system_grants_for_user:
      key: "identity:list_system_grants_for_user"
      value: "role:reader and system_scope:all"
    keystone-identity_check_system_grant_for_user:
      key: "identity:check_system_grant_for_user"
      value: "role:reader and system_scope:all"
    keystone-identity_create_system_grant_for_user:
      key: "identity:create_system_grant_for_user"
      value: "role:admin and system_scope:all"
    keystone-identity_revoke_system_grant_for_user:
      key: "identity:revoke_system_grant_for_user"
      value: "role:admin and system_scope:all"
    keystone-identity_list_system_grants_for_group:
      key: "identity:list_system_grants_for_group"
      value: "role:reader and system_scope:all"
    keystone-identity_check_system_grant_for_group:
      key: "identity:check_system_grant_for_group"
      value: "role:reader and system_scope:all"
    keystone-identity_create_system_grant_for_group:
      key: "identity:create_system_grant_for_group"
      value: "role:admin and system_scope:all"
    keystone-identity_revoke_system_grant_for_group:
      key: "identity:revoke_system_grant_for_group"
      value: "role:admin and system_scope:all"
    # Groups: system scope, or the same role limited to the group's own domain.
    keystone-identity_get_group:
      key: "identity:get_group"
      value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"
    keystone-identity_list_groups:
      key: "identity:list_groups"
      value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"
    # The last term has no role check: it matches on user_id alone.
    keystone-identity_list_groups_for_user:
      key: "identity:list_groups_for_user"
      value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s"
    keystone-identity_create_group:
      key: "identity:create_group"
      value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)"
    keystone-identity_update_group:
      key: "identity:update_group"
      value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)"
    keystone-identity_delete_group:
      key: "identity:delete_group"
      value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)"
    keystone-identity_list_users_in_group:
      key: "identity:list_users_in_group"
      value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"
    # Membership changes and checks on the domain path require the group AND
    # the user to be in the caller's domain.
    keystone-identity_remove_user_from_group:
      key: "identity:remove_user_from_group"
      value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
    keystone-identity_check_user_in_group:
      key: "identity:check_user_in_group"
      value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
    keystone-identity_add_user_to_group:
      key: "identity:add_user_to_group"
      value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
    # Identity providers: system scope only.
    keystone-identity_create_identity_provider:
      key: "identity:create_identity_provider"
      value: "role:admin and system_scope:all"
    keystone-identity_list_identity_providers:
      key: "identity:list_identity_providers"
      value: "role:reader and system_scope:all"
# KeystonePolicies, continued: identity providers, implied roles, limits,
# federation mappings, policies and policy associations.
# NOTE(review): entries are laid out at the nesting depth assumed for this file
# (parameter_defaults > KeystonePolicies > entry > key/value) — confirm.
# The values read as oslo.policy check strings: `and` binds tighter than `or`.
    keystone-identity_get_identity_provider:
      key: "identity:get_identity_provider"
      value: "role:reader and system_scope:all"
    keystone-identity_update_identity_provider:
      key: "identity:update_identity_provider"
      value: "role:admin and system_scope:all"
    keystone-identity_delete_identity_provider:
      key: "identity:delete_identity_provider"
      value: "role:admin and system_scope:all"
    # Implied roles and inference rules: system scope only.
    keystone-identity_get_implied_role:
      key: "identity:get_implied_role"
      value: "role:reader and system_scope:all"
    keystone-identity_list_implied_roles:
      key: "identity:list_implied_roles"
      value: "role:reader and system_scope:all"
    keystone-identity_create_implied_role:
      key: "identity:create_implied_role"
      value: "role:admin and system_scope:all"
    keystone-identity_delete_implied_role:
      key: "identity:delete_implied_role"
      value: "role:admin and system_scope:all"
    keystone-identity_list_role_inference_rules:
      key: "identity:list_role_inference_rules"
      value: "role:reader and system_scope:all"
    keystone-identity_check_implied_role:
      key: "identity:check_implied_role"
      value: "role:reader and system_scope:all"
    # An empty check string always passes in oslo.policy: the policy itself
    # demands no role and no scope from the caller.
    keystone-identity_get_limit_model:
      key: "identity:get_limit_model"
      value: ""
    # The domain and project terms carry no role check. The `not None:` guard
    # keeps the project term from matching a limit that has no project_id.
    keystone-identity_get_limit:
      key: "identity:get_limit"
      value: "(role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)"
    # Always passes (empty check string). Any restriction of the listing to the
    # caller's own project or domain would have to be applied by the service;
    # that is not visible in this file.
    keystone-identity_list_limits:
      key: "identity:list_limits"
      value: ""
    keystone-identity_create_limits:
      key: "identity:create_limits"
      value: "role:admin and system_scope:all"
    keystone-identity_update_limit:
      key: "identity:update_limit"
      value: "role:admin and system_scope:all"
    keystone-identity_delete_limit:
      key: "identity:delete_limit"
      value: "role:admin and system_scope:all"
    # Federation mappings: system scope only.
    keystone-identity_create_mapping:
      key: "identity:create_mapping"
      value: "role:admin and system_scope:all"
    keystone-identity_get_mapping:
      key: "identity:get_mapping"
      value: "role:reader and system_scope:all"
    keystone-identity_list_mappings:
      key: "identity:list_mappings"
      value: "role:reader and system_scope:all"
    keystone-identity_delete_mapping:
      key: "identity:delete_mapping"
      value: "role:admin and system_scope:all"
    keystone-identity_update_mapping:
      key: "identity:update_mapping"
      value: "role:admin and system_scope:all"
    # Policy objects and their endpoint/service/region associations: system
    # scope only; check_* and get/list need reader, the rest need admin.
    keystone-identity_get_policy:
      key: "identity:get_policy"
      value: "role:reader and system_scope:all"
    keystone-identity_list_policies:
      key: "identity:list_policies"
      value: "role:reader and system_scope:all"
    keystone-identity_create_policy:
      key: "identity:create_policy"
      value: "role:admin and system_scope:all"
    keystone-identity_update_policy:
      key: "identity:update_policy"
      value: "role:admin and system_scope:all"
    keystone-identity_delete_policy:
      key: "identity:delete_policy"
      value: "role:admin and system_scope:all"
    keystone-identity_create_policy_association_for_endpoint:
      key: "identity:create_policy_association_for_endpoint"
      value: "role:admin and system_scope:all"
    keystone-identity_check_policy_association_for_endpoint:
      key: "identity:check_policy_association_for_endpoint"
      value: "role:reader and system_scope:all"
    keystone-identity_delete_policy_association_for_endpoint:
      key: "identity:delete_policy_association_for_endpoint"
      value: "role:admin and system_scope:all"
    keystone-identity_create_policy_association_for_service:
      key: "identity:create_policy_association_for_service"
      value: "role:admin and system_scope:all"
    keystone-identity_check_policy_association_for_service:
      key: "identity:check_policy_association_for_service"
      value: "role:reader and system_scope:all"
    keystone-identity_delete_policy_association_for_service:
      key: "identity:delete_policy_association_for_service"
      value: "role:admin and system_scope:all"
    keystone-identity_create_policy_association_for_region_and_service:
      key: "identity:create_policy_association_for_region_and_service"
      value: "role:admin and system_scope:all"
# KeystonePolicies, continued: remaining policy associations, projects,
# project tags, endpoint-to-project links and federation protocols.
# NOTE(review): entries are laid out at the nesting depth assumed for this file
# (parameter_defaults > KeystonePolicies > entry > key/value) — confirm.
# The values read as oslo.policy check strings: `and` binds tighter than `or`.
    keystone-identity_check_policy_association_for_region_and_service:
      key: "identity:check_policy_association_for_region_and_service"
      value: "role:reader and system_scope:all"
    keystone-identity_delete_policy_association_for_region_and_service:
      key: "identity:delete_policy_association_for_region_and_service"
      value: "role:admin and system_scope:all"
    keystone-identity_get_policy_for_endpoint:
      key: "identity:get_policy_for_endpoint"
      value: "role:reader and system_scope:all"
    keystone-identity_list_endpoints_for_policy:
      key: "identity:list_endpoints_for_policy"
      value: "role:reader and system_scope:all"
    # Projects: system reader, or reader in the project's domain, or a token
    # whose project_id is the project itself. The last term has no role check.
    keystone-identity_get_project:
      key: "identity:get_project"
      value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
    keystone-identity_list_projects:
      key: "identity:list_projects"
      value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"
    # The last term has no role check: it matches on the target user's id alone.
    keystone-identity_list_user_projects:
      key: "identity:list_user_projects"
      value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"
    # Project writes: admin at system scope or in the project's domain. A
    # project-scoped admin is not accepted here, unlike the tag rules below.
    keystone-identity_create_project:
      key: "identity:create_project"
      value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"
    keystone-identity_update_project:
      key: "identity:update_project"
      value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"
    keystone-identity_delete_project:
      key: "identity:delete_project"
      value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"
    # Tag reads follow get_project, including the role-less project_id term.
    keystone-identity_list_project_tags:
      key: "identity:list_project_tags"
      value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
    keystone-identity_get_project_tag:
      key: "identity:get_project_tag"
      value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
    # Tag writes: admin at system, domain or project level.
    keystone-identity_update_project_tags:
      key: "identity:update_project_tags"
      value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
    keystone-identity_create_project_tag:
      key: "identity:create_project_tag"
      value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
    keystone-identity_delete_project_tags:
      key: "identity:delete_project_tags"
      value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
    keystone-identity_delete_project_tag:
      key: "identity:delete_project_tag"
      value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
    # Endpoint-to-project links and federation protocols: system scope only.
    keystone-identity_list_projects_for_endpoint:
      key: "identity:list_projects_for_endpoint"
      value: "role:reader and system_scope:all"
    keystone-identity_add_endpoint_to_project:
      key: "identity:add_endpoint_to_project"
      value: "role:admin and system_scope:all"
    keystone-identity_check_endpoint_in_project:
      key: "identity:check_endpoint_in_project"
      value: "role:reader and system_scope:all"
    keystone-identity_list_endpoints_for_project:
      key: "identity:list_endpoints_for_project"
      value: "role:reader and system_scope:all"
    keystone-identity_remove_endpoint_from_project:
      key: "identity:remove_endpoint_from_project"
      value: "role:admin and system_scope:all"
    keystone-identity_create_protocol:
      key: "identity:create_protocol"
      value: "role:admin and system_scope:all"
    keystone-identity_update_protocol:
      key: "identity:update_protocol"
      value: "role:admin and system_scope:all"
    keystone-identity_get_protocol:
      key: "identity:get_protocol"
      value: "role:reader and system_scope:all"
# End of KeystonePolicies (protocols, regions, registered limits, roles, role
# assignments, services, service providers, tokens, trusts, users), followed by
# the start of BarbicanPolicies.
# NOTE(review): entries are laid out at the nesting depth assumed for this file
# (parameter_defaults > <Service>Policies > entry > key/value) — confirm.
# The values read as oslo.policy check strings: `and` binds tighter than `or`,
# and `rule:NAME` defers to the rule whose key is NAME.
    keystone-identity_list_protocols:
      key: "identity:list_protocols"
      value: "role:reader and system_scope:all"
    keystone-identity_delete_protocol:
      key: "identity:delete_protocol"
      value: "role:admin and system_scope:all"
    # An empty check string always passes in oslo.policy: region reads demand
    # no role and no scope from the caller.
    keystone-identity_get_region:
      key: "identity:get_region"
      value: ""
    keystone-identity_list_regions:
      key: "identity:list_regions"
      value: ""
    keystone-identity_create_region:
      key: "identity:create_region"
      value: "role:admin and system_scope:all"
    keystone-identity_update_region:
      key: "identity:update_region"
      value: "role:admin and system_scope:all"
    keystone-identity_delete_region:
      key: "identity:delete_region"
      value: "role:admin and system_scope:all"
    # Registered-limit reads always pass (empty check string); writes are
    # system-admin only.
    keystone-identity_get_registered_limit:
      key: "identity:get_registered_limit"
      value: ""
    keystone-identity_list_registered_limits:
      key: "identity:list_registered_limits"
      value: ""
    keystone-identity_create_registered_limits:
      key: "identity:create_registered_limits"
      value: "role:admin and system_scope:all"
    keystone-identity_update_registered_limit:
      key: "identity:update_registered_limit"
      value: "role:admin and system_scope:all"
    keystone-identity_delete_registered_limit:
      key: "identity:delete_registered_limit"
      value: "role:admin and system_scope:all"
    # `rule:service_or_admin` is defined earlier in this section and resolves to
    # `role:admin or is_admin:1` or `role:service`. It has no system_scope
    # requirement, unlike the rules around it.
    keystone-identity_list_revoke_events:
      key: "identity:list_revoke_events"
      value: "rule:service_or_admin"
    # Roles and domain roles: system scope only.
    keystone-identity_get_role:
      key: "identity:get_role"
      value: "role:reader and system_scope:all"
    keystone-identity_list_roles:
      key: "identity:list_roles"
      value: "role:reader and system_scope:all"
    keystone-identity_create_role:
      key: "identity:create_role"
      value: "role:admin and system_scope:all"
    keystone-identity_update_role:
      key: "identity:update_role"
      value: "role:admin and system_scope:all"
    keystone-identity_delete_role:
      key: "identity:delete_role"
      value: "role:admin and system_scope:all"
    keystone-identity_get_domain_role:
      key: "identity:get_domain_role"
      value: "role:reader and system_scope:all"
    keystone-identity_list_domain_roles:
      key: "identity:list_domain_roles"
      value: "role:reader and system_scope:all"
    keystone-identity_create_domain_role:
      key: "identity:create_domain_role"
      value: "role:admin and system_scope:all"
    keystone-identity_update_domain_role:
      key: "identity:update_domain_role"
      value: "role:admin and system_scope:all"
    keystone-identity_delete_domain_role:
      key: "identity:delete_domain_role"
      value: "role:admin and system_scope:all"
    keystone-identity_list_role_assignments:
      key: "identity:list_role_assignments"
      value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"
    # The project-level term requires admin, while the system and domain terms
    # only require reader.
    keystone-identity_list_role_assignments_for_tree:
      key: "identity:list_role_assignments_for_tree"
      value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
    # Service catalog entries and service providers: system scope only.
    keystone-identity_get_service:
      key: "identity:get_service"
      value: "role:reader and system_scope:all"
    keystone-identity_list_services:
      key: "identity:list_services"
      value: "role:reader and system_scope:all"
    keystone-identity_create_service:
      key: "identity:create_service"
      value: "role:admin and system_scope:all"
    keystone-identity_update_service:
      key: "identity:update_service"
      value: "role:admin and system_scope:all"
    keystone-identity_delete_service:
      key: "identity:delete_service"
      value: "role:admin and system_scope:all"
    keystone-identity_create_service_provider:
      key: "identity:create_service_provider"
      value: "role:admin and system_scope:all"
    keystone-identity_list_service_providers:
      key: "identity:list_service_providers"
      value: "role:reader and system_scope:all"
    keystone-identity_get_service_provider:
      key: "identity:get_service_provider"
      value: "role:reader and system_scope:all"
    keystone-identity_update_service_provider:
      key: "identity:update_service_provider"
      value: "role:admin and system_scope:all"
    keystone-identity_delete_service_provider:
      key: "identity:delete_service_provider"
      value: "role:admin and system_scope:all"
    # Same unscoped rule as list_revoke_events (role:admin without system_scope).
    keystone-identity_revocation_list:
      key: "identity:revocation_list"
      value: "rule:service_or_admin"
    # Token operations. `rule:token_subject` is defined earlier in this section
    # as user_id:%(target.token.user_id)s, i.e. the caller is the token's user.
    keystone-identity_check_token:
      key: "identity:check_token"
      value: "(role:reader and system_scope:all) or rule:token_subject"
    # `rule:service_role` is role:service (defined earlier in this section).
    keystone-identity_validate_token:
      key: "identity:validate_token"
      value: "(role:reader and system_scope:all) or rule:service_role or rule:token_subject"
    keystone-identity_revoke_token:
      key: "identity:revoke_token"
      value: "(role:admin and system_scope:all) or rule:token_subject"
    # Trusts. create_trust reads the trustor id from `trust.*`, whereas the
    # other trust rules read `target.trust.*`.
    keystone-identity_create_trust:
      key: "identity:create_trust"
      value: "user_id:%(trust.trustor_user_id)s"
    keystone-identity_list_trusts:
      key: "identity:list_trusts"
      value: "role:reader and system_scope:all"
    # The trust rules below are written without parentheses, unlike most of this
    # section. Since `and` binds tighter than `or`, each one reads as
    # (role and system_scope:all) or trustor/trustee match.
    keystone-identity_list_trusts_for_trustor:
      key: "identity:list_trusts_for_trustor"
      value: "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s"
    keystone-identity_list_trusts_for_trustee:
      key: "identity:list_trusts_for_trustee"
      value: "role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s"
    keystone-identity_list_roles_for_trust:
      key: "identity:list_roles_for_trust"
      value: "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s"
    keystone-identity_get_role_for_trust:
      key: "identity:get_role_for_trust"
      value: "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s"
    # Only the trustor (or a system admin) may delete; the trustee may not.
    keystone-identity_delete_trust:
      key: "identity:delete_trust"
      value: "role:admin and system_scope:all or user_id:%(target.trust.trustor_user_id)s"
    keystone-identity_get_trust:
      key: "identity:get_trust"
      value: "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s"
    # Users: system scope, or the same role within the user's domain; get_user
    # also lets a user read their own record, with no role check.
    keystone-identity_get_user:
      key: "identity:get_user"
      value: "(role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"
    keystone-identity_list_users:
      key: "identity:list_users"
      value: "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"
    # Always pass (empty check string). Whose projects/domains are returned is
    # decided by the service, not by these rules — not visible in this file.
    keystone-identity_list_projects_for_user:
      key: "identity:list_projects_for_user"
      value: ""
    keystone-identity_list_domains_for_user:
      key: "identity:list_domains_for_user"
      value: ""
    keystone-identity_create_user:
      key: "identity:create_user"
      value: "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)"
    keystone-identity_update_user:
      key: "identity:update_user"
      value: "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)"
    keystone-identity_delete_user:
      key: "identity:delete_user"
      value: "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)"
  # Barbican (key manager) policies. Building-block rules come first: role
  # aliases, then target-matching predicates, then composites. The per-API rules
  # after them combine these blocks with role:member / role:reader / role:admin
  # terms.
  BarbicanPolicies:
    # Role aliases. None of them is tied to a project or scope, so a rule that
    # uses `rule:admin` on its own is satisfied by an admin role held anywhere.
    barbican-admin:
      key: "admin"
      value: "role:admin"
    barbican-observer:
      key: "observer"
      value: "role:observer"
    barbican-creator:
      key: "creator"
      value: "role:creator"
    barbican-audit:
      key: "audit"
      value: "role:audit"
    barbican-service_admin:
      key: "service_admin"
      value: "role:key-manager:service-admin"
    barbican-admin_or_creator:
      key: "admin_or_creator"
      value: "rule:admin or rule:creator"
    barbican-all_but_audit:
      key: "all_but_audit"
      value: "rule:admin or rule:observer or rule:creator"
    barbican-all_users:
      key: "all_users"
      value: "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin"
    # Target predicates for secrets.
    barbican-secret_project_match:
      key: "secret_project_match"
      value: "project_id:%(target.secret.project_id)s"
    # Literal 'read' compared with the target's `read` attribute; presumably the
    # service fills it in when the caller is on the secret's read ACL — confirm.
    barbican-secret_acl_read:
      key: "secret_acl_read"
      value: "'read':%(target.secret.read)s"
    # True when read_project_access renders as False, i.e. the secret is marked
    # private. The composites below use it negated.
    barbican-secret_private_read:
      key: "secret_private_read"
      value: "'False':%(target.secret.read_project_access)s"
    barbican-secret_creator_user:
      key: "secret_creator_user"
      value: "user_id:%(target.secret.creator_id)s"
    # The same predicates for containers.
    barbican-container_project_match:
      key: "container_project_match"
      value: "project_id:%(target.container.project_id)s"
    barbican-container_acl_read:
      key: "container_acl_read"
      value: "'read':%(target.container.read)s"
    barbican-container_private_read:
      key: "container_private_read"
      value: "'False':%(target.container.read_project_access)s"
    barbican-container_creator_user:
      key: "container_creator_user"
      value: "user_id:%(target.container.creator_id)s"
    # Composites: any known role in the owning project, unless the object is
    # private. The decrypt variant excludes the audit and service_admin roles.
    barbican-secret_non_private_read:
      key: "secret_non_private_read"
      value: "rule:all_users and rule:secret_project_match and not rule:secret_private_read"
    barbican-secret_decrypt_non_private_read:
      key: "secret_decrypt_non_private_read"
      value: "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read"
    barbican-container_non_private_read:
      key: "container_non_private_read"
      value: "rule:all_users and rule:container_project_match and not rule:container_private_read"
    barbican-secret_project_admin:
      key: "secret_project_admin"
      value: "rule:admin and rule:secret_project_match"
    barbican-secret_project_creator:
      key: "secret_project_creator"
      value: "rule:creator and rule:secret_project_match and rule:secret_creator_user"
    barbican-container_project_admin:
      key: "container_project_admin"
      value: "rule:admin and rule:container_project_match"
    barbican-container_project_creator:
      key: "container_project_creator"
      value: "rule:creator and rule:container_project_match and rule:container_creator_user"
    # ACL rules. Each ends in an unparenthesised `role:admin and project_id:...`.
    # With `and` binding tighter than `or`, that is one alternative of its own:
    # admin in the owning project.
    barbican-secret_acls_get:
      key: "secret_acls:get"
      value: "(rule:all_but_audit and rule:secret_project_match) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
    barbican-secret_acls_delete:
      key: "secret_acls:delete"
      value: "rule:secret_project_admin or rule:secret_project_creator or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
    barbican-secret_acls_put_patch:
      key: "secret_acls:put_patch"
      value: "rule:secret_project_admin or rule:secret_project_creator or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
    barbican-container_acls_get:
      key: "container_acls:get"
      value: "(rule:all_but_audit and rule:container_project_match) or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
    barbican-container_acls_delete:
      key: "container_acls:delete"
      value: "rule:container_project_admin or rule:container_project_creator or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
    barbican-container_acls_put_patch:
      key: "container_acls:put_patch"
      value: "rule:container_project_admin or rule:container_project_creator or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
    # Consumer rules. The leading role-only terms (`rule:admin`, and for the
    # reads also observer/creator/audit) carry no project match, so they make
    # the later project-bound terms redundant for holders of those roles.
    # NOTE(review): project isolation then rests on checks outside this policy
    # string — confirm the API scopes the container lookup to the caller's
    # project.
    barbican-consumer_get:
      key: "consumer:get"
      value: "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"
    barbican-consumers_get:
      key: "consumers:get"
      value: "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"
    barbican-consumers_post:
      key: "consumers:post"
      value: "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"
    barbican-consumers_delete:
      key: "consumers:delete"
      value: "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"
    # Collection-level rules check roles only. No target project appears in the
    # check string; presumably the service limits the collection to the token's
    # project — confirm.
    barbican-containers_post:
      key: "containers:post"
      value: "rule:admin_or_creator or role:member"
    barbican-containers_get:
      key: "containers:get"
      value: "rule:all_but_audit or role:member"
    # Per-container rules: every alternative is bound to the container's project
    # or to its read ACL.
    barbican-container_get:
      key: "container:get"
      value: "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
    barbican-container_delete:
      key: "container:delete"
      value: "rule:container_project_admin or rule:container_project_creator or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
    # The leading `rule:admin` has no project match (see the consumer rules
    # above), which makes the trailing project-bound admin term redundant.
    # NOTE(review): confirm that project isolation is enforced by the API.
    barbican-container_secret_post:
      key: "container_secret:post"
      value: "rule:admin or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
    barbican-container_secret_delete:
      key: "container_secret:delete"
      value: "rule:admin or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
    # Orders: role checks only, with no target project in the check string.
    barbican-orders_get:
      key: "orders:get"
      value: "rule:all_but_audit or role:member"
    barbican-orders_post:
      key: "orders:post"
      value: "rule:admin_or_creator or role:member"
    barbican-orders_put:
      key: "orders:put"
      value: "rule:admin_or_creator or role:member"
    barbican-order_get:
      key: "order:get"
      value: "rule:all_users or role:member"
    barbican-order_delete:
      key: "order:delete"
      value: "rule:admin or role:member"
    # Quotas. Reading one's own quota needs any known role or reader. Managing
    # project quotas needs the service-admin role or a system-scoped token; the
    # unparenthesised tail reads as (role and system_scope:all).
    barbican-quotas_get:
      key: "quotas:get"
      value: "rule:all_users or role:reader"
    barbican-project_quotas_get:
      key: "project_quotas:get"
      value: "rule:service_admin or role:reader and system_scope:all"
    barbican-project_quotas_put:
      key: "project_quotas:put"
      value: "rule:service_admin or role:admin and system_scope:all"
    barbican-project_quotas_delete:
      key: "project_quotas:delete"
      value: "rule:service_admin or role:admin and system_scope:all"
    # Secret metadata: role checks only. Unlike secret:get, there is no
    # project, creator or ACL predicate in these check strings.
    # NOTE(review): confirm the API resolves the secret within the caller's
    # project first.
    barbican-secret_meta_get:
      key: "secret_meta:get"
      value: "rule:all_but_audit or role:member"
    barbican-secret_meta_post:
      key: "secret_meta:post"
      value: "rule:admin_or_creator or role:member"
    barbican-secret_meta_put:
      key: "secret_meta:put"
      value: "rule:admin_or_creator or role:member"
    barbican-secret_meta_delete:
      key: "secret_meta:delete"
      value: "rule:admin_or_creator or role:member"
# Barbican secret and secret-store rules. These are entries of a policy mapping whose header lies above this span.
    # Reading the long check strings: "and" binds tighter than "or", so the
    # trailing `or role:admin and project_id:%(target.secret.project_id)s`
    # is its own alternative (role admin inside the secret's project).
    # The parenthesised member clause passes for role:member in the secret's
    # project when the caller is the secret's creator, or when the secret's
    # read_project_access attribute is True.
    # rule:secret_*, rule:admin_or_creator, rule:all_but_audit,
    # rule:all_users and rule:admin are referenced but not defined in this
    # span.

    # Read paths for a single secret (payload and metadata).
    barbican-secret_decrypt:
      key: "secret:decrypt"
      value: "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
    barbican-secret_get:
      key: "secret:get"
      value: "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"

    # Write paths for a single secret.
    # NOTE(review): the member clause here is the same one used for reads, so
    # read_project_access=True also lets any project member update or delete
    # the secret - confirm that is intended.
    barbican-secret_put:
      key: "secret:put"
      value: "rule:admin_or_creator and rule:secret_project_match or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
    barbican-secret_delete:
      key: "secret:delete"
      value: "rule:secret_project_admin or rule:secret_project_creator or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"

    # Collection-level rules: a bare role:member with no project_id term.
    # NOTE(review): presumably the service scopes these requests to the
    # caller's project itself - confirm, the policy string does not.
    barbican-secrets_post:
      key: "secrets:post"
      value: "rule:admin_or_creator or role:member"
    barbican-secrets_get:
      key: "secrets:get"
      value: "rule:all_but_audit or role:member"

    # Secret-store discovery is open to role:reader; choosing the preferred
    # store is limited to rule:admin.
    barbican-secretstores_get:
      key: "secretstores:get"
      value: "rule:all_users or role:reader"
    barbican-secretstores_get_global_default:
      key: "secretstores:get_global_default"
      value: "rule:all_users or role:reader"
    barbican-secretstores_get_preferred:
      key: "secretstores:get_preferred"
      value: "rule:all_users or role:reader"
    barbican-secretstore_preferred_post:
      key: "secretstore_preferred:post"
      value: "rule:admin"
# End of the Barbican entries, then the start of the Manila policy mapping.
    barbican-secretstore_preferred_delete:
      key: "secretstore_preferred:delete"
      value: "rule:admin"
    barbican-secretstore_get:
      key: "secretstore:get"
      value: "rule:all_users or role:reader"

    # Transport keys: reads are open to role:reader, while create and delete
    # require role admin with system scope.
    barbican-transport_key_get:
      key: "transport_key:get"
      value: "rule:all_users or role:reader"
    barbican-transport_key_delete:
      key: "transport_key:delete"
      value: "role:admin and system_scope:all"
    barbican-transport_keys_get:
      key: "transport_keys:get"
      value: "rule:all_users or role:reader"
    barbican-transport_keys_post:
      key: "transport_keys:post"
      value: "role:admin and system_scope:all"

  ManilaApiPolicies:
    # Persona building blocks: system-scoped and project-scoped variants of
    # admin / member / reader.
    manila-system-admin:
      key: "system-admin"
      value: "role:admin and system_scope:all"
    manila-system-member:
      key: "system-member"
      value: "role:member and system_scope:all"
    manila-system-reader:
      key: "system-reader"
      value: "role:reader and system_scope:all"
    manila-project-admin:
      key: "project-admin"
      value: "role:admin and project_id:%(project_id)s"
    manila-project-member:
      key: "project-member"
      value: "role:member and project_id:%(project_id)s"
    manila-project-reader:
      key: "project-reader"
      value: "role:reader and project_id:%(project_id)s"

    # Legacy base rules.
    # NOTE(review): context_is_admin and admin_api are plain "role:admin",
    # with neither a project_id nor a system_scope term, so at the policy
    # layer the admin role on any project satisfies every rule:admin_api
    # check. None of the manila rules visible in this file excerpt references
    # the system-* personas defined above - confirm this is deliberate.
    manila-context_is_admin:
      key: "context_is_admin"
      value: "role:admin"
    manila-admin_or_owner:
      key: "admin_or_owner"
      value: "is_admin:True or project_id:%(project_id)s"
    manila-default:
      key: "default"
      value: "rule:admin_or_owner"
    manila-admin_api:
      key: "admin_api"
      value: "role:admin"

    # Per-API rules start here.
    manila-availability_zone_index:
      key: "availability_zone:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-scheduler_stats_pools_index:
      key: "scheduler_stats:pools:index"
      value: "rule:admin_api"
    manila-scheduler_stats_pools_detail:
      key: "scheduler_stats:pools:detail"
      value: "rule:admin_api"
    manila-share_create:
      key: "share:create"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_create_public_share:
      key: "share:create_public_share"
      value: "rule:admin_api"
    manila-share_get:
      key: "share:get"
      value: "(rule:admin_api) or (rule:project-reader)"
# Manila per-API rules, continued (entries of ManilaApiPolicies).
    # Three patterns recur below:
    #   "(rule:admin_api) or (rule:project-reader)"  - read operations
    #   "(rule:admin_api) or (rule:project-member)"  - tenant write operations
    #   "(rule:admin_api) or (rule:project-admin)"   - force/reset operations
    # and "rule:admin_api" alone for operator-only calls.
    # NOTE(review): admin_api is defined earlier in this mapping as
    # "role:admin" with no project term, so in the third pattern the
    # project-admin alternative adds nothing: any caller that satisfies
    # project-admin already satisfies admin_api.

    # Shares.
    manila-share_get_all:
      key: "share:get_all"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_update:
      key: "share:update"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_set_public_share:
      key: "share:set_public_share"
      value: "rule:admin_api"
    manila-share_delete:
      key: "share:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_force_delete:
      key: "share:force_delete"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_manage:
      key: "share:manage"
      value: "rule:admin_api"
    manila-share_unmanage:
      key: "share:unmanage"
      value: "rule:admin_api"
    manila-share_list_by_host:
      key: "share:list_by_host"
      value: "rule:admin_api"
    manila-share_list_by_share_server_id:
      key: "share:list_by_share_server_id"
      value: "rule:admin_api"
    manila-share_access_get:
      key: "share:access_get"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_access_get_all:
      key: "share:access_get_all"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_extend:
      key: "share:extend"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_shrink:
      key: "share:shrink"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_migration_start:
      key: "share:migration_start"
      value: "rule:admin_api"
    manila-share_migration_complete:
      key: "share:migration_complete"
      value: "rule:admin_api"
    manila-share_migration_cancel:
      key: "share:migration_cancel"
      value: "rule:admin_api"
    manila-share_migration_get_progress:
      key: "share:migration_get_progress"
      value: "rule:admin_api"
    manila-share_reset_task_state:
      key: "share:reset_task_state"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_reset_status:
      key: "share:reset_status"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_revert_to_snapshot:
      key: "share:revert_to_snapshot"
      value: "(rule:admin_api) or (rule:project-member)"
    # allow_access / deny_access decide which clients may reach a share;
    # both are granted to project members.
    manila-share_allow_access:
      key: "share:allow_access"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_deny_access:
      key: "share:deny_access"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_update_share_metadata:
      key: "share:update_share_metadata"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_delete_share_metadata:
      key: "share:delete_share_metadata"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_get_share_metadata:
      key: "share:get_share_metadata"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_create_snapshot:
      key: "share:create_snapshot"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_delete_snapshot:
      key: "share:delete_snapshot"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_snapshot_update:
      key: "share:snapshot_update"
      value: "(rule:admin_api) or (rule:project-member)"

    # Share-instance export locations: admin_api only.
    manila-share_instance_export_location_index:
      key: "share_instance_export_location:index"
      value: "rule:admin_api"
    manila-share_instance_export_location_show:
      key: "share_instance_export_location:show"
      value: "rule:admin_api"

    # Share types and their extra specs.
    manila-share_type_create:
      key: "share_type:create"
      value: "rule:admin_api"
    manila-share_type_update:
      key: "share_type:update"
      value: "rule:admin_api"
    manila-share_type_show:
      key: "share_type:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_type_index:
      key: "share_type:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_type_default:
      key: "share_type:default"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_type_delete:
      key: "share_type:delete"
      value: "rule:admin_api"
    manila-share_type_list_project_access:
      key: "share_type:list_project_access"
      value: "rule:admin_api"
    manila-share_type_add_project_access:
      key: "share_type:add_project_access"
      value: "rule:admin_api"
    manila-share_type_remove_project_access:
      key: "share_type:remove_project_access"
      value: "rule:admin_api"
    manila-share_types_extra_spec_create:
      key: "share_types_extra_spec:create"
      value: "rule:admin_api"
    manila-share_types_extra_spec_show:
      key: "share_types_extra_spec:show"
      value: "rule:admin_api"
    manila-share_types_extra_spec_index:
      key: "share_types_extra_spec:index"
      value: "rule:admin_api"
    manila-share_types_extra_spec_update:
      key: "share_types_extra_spec:update"
      value: "rule:admin_api"
    manila-share_types_extra_spec_delete:
      key: "share_types_extra_spec:delete"
      value: "rule:admin_api"

    # Share snapshots, their access rules and export locations.
    manila-share_snapshot_get_snapshot:
      key: "share_snapshot:get_snapshot"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_snapshot_get_all_snapshots:
      key: "share_snapshot:get_all_snapshots"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_snapshot_force_delete:
      key: "share_snapshot:force_delete"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_snapshot_manage_snapshot:
      key: "share_snapshot:manage_snapshot"
      value: "rule:admin_api"
    manila-share_snapshot_unmanage_snapshot:
      key: "share_snapshot:unmanage_snapshot"
      value: "rule:admin_api"
    manila-share_snapshot_reset_status:
      key: "share_snapshot:reset_status"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_snapshot_access_list:
      key: "share_snapshot:access_list"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_snapshot_allow_access:
      key: "share_snapshot:allow_access"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_snapshot_deny_access:
      key: "share_snapshot:deny_access"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_snapshot_export_location_index:
      key: "share_snapshot_export_location:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_snapshot_export_location_show:
      key: "share_snapshot_export_location:show"
      value: "(rule:admin_api) or (rule:project-reader)"

    # Snapshot instances: admin_api only.
    manila-share_snapshot_instance_show:
      key: "share_snapshot_instance:show"
      value: "rule:admin_api"
    manila-share_snapshot_instance_index:
      key: "share_snapshot_instance:index"
      value: "rule:admin_api"
    manila-share_snapshot_instance_detail:
      key: "share_snapshot_instance:detail"
      value: "rule:admin_api"
    manila-share_snapshot_instance_reset_status:
      key: "share_snapshot_instance:reset_status"
      value: "rule:admin_api"
    manila-share_snapshot_instance_export_location_index:
      key: "share_snapshot_instance_export_location:index"
      value: "rule:admin_api"
    manila-share_snapshot_instance_export_location_show:
      key: "share_snapshot_instance_export_location:show"
      value: "rule:admin_api"

    # Share servers: every operation is admin_api only.
    manila-share_server_index:
      key: "share_server:index"
      value: "rule:admin_api"
    manila-share_server_show:
      key: "share_server:show"
      value: "rule:admin_api"
    manila-share_server_details:
      key: "share_server:details"
      value: "rule:admin_api"
    manila-share_server_delete:
      key: "share_server:delete"
      value: "rule:admin_api"
    manila-share_server_manage_share_server:
      key: "share_server:manage_share_server"
      value: "rule:admin_api"
    manila-share_server_unmanage_share_server:
      key: "share_server:unmanage_share_server"
      value: "rule:admin_api"
    manila-share_server_reset_status:
      key: "share_server:reset_status"
      value: "rule:admin_api"
    manila-share_server_share_server_migration_start:
      key: "share_server:share_server_migration_start"
      value: "rule:admin_api"
    manila-share_server_share_server_migration_check:
      key: "share_server:share_server_migration_check"
      value: "rule:admin_api"
    manila-share_server_share_server_migration_complete:
      key: "share_server:share_server_migration_complete"
      value: "rule:admin_api"
    manila-share_server_share_server_migration_cancel:
      key: "share_server:share_server_migration_cancel"
      value: "rule:admin_api"
    manila-share_server_share_server_migration_get_progress:
      key: "share_server:share_server_migration_get_progress"
      value: "rule:admin_api"
    manila-share_server_share_server_reset_task_state:
      key: "share_server:share_server_reset_task_state"
      value: "rule:admin_api"

    # Services and quotas.
    manila-service_index:
      key: "service:index"
      value: "rule:admin_api"
    manila-service_update:
      key: "service:update"
      value: "rule:admin_api"
    manila-quota_set_update:
      key: "quota_set:update"
      value: "rule:admin_api"
    manila-quota_set_show:
      key: "quota_set:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-quota_set_delete:
      key: "quota_set:delete"
      value: "rule:admin_api"
    manila-quota_class_set_update:
      key: "quota_class_set:update"
      value: "rule:admin_api"
    manila-quota_class_set_show:
      key: "quota_class_set:show"
      value: "(rule:admin_api) or (rule:project-reader)"

    # Share group types and their specs.
    manila-share_group_types_spec_create:
      key: "share_group_types_spec:create"
      value: "rule:admin_api"
    manila-share_group_types_spec_index:
      key: "share_group_types_spec:index"
      value: "rule:admin_api"
    manila-share_group_types_spec_show:
      key: "share_group_types_spec:show"
      value: "rule:admin_api"
    manila-share_group_types_spec_update:
      key: "share_group_types_spec:update"
      value: "rule:admin_api"
    manila-share_group_types_spec_delete:
      key: "share_group_types_spec:delete"
      value: "rule:admin_api"
    manila-share_group_type_create:
      key: "share_group_type:create"
      value: "rule:admin_api"
    manila-share_group_type_index:
      key: "share_group_type:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_group_type_show:
      key: "share_group_type:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_group_type_default:
      key: "share_group_type:default"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_group_type_delete:
      key: "share_group_type:delete"
      value: "rule:admin_api"
    manila-share_group_type_list_project_access:
      key: "share_group_type:list_project_access"
      value: "rule:admin_api"
    manila-share_group_type_add_project_access:
      key: "share_group_type:add_project_access"
      value: "rule:admin_api"
    manila-share_group_type_remove_project_access:
      key: "share_group_type:remove_project_access"
      value: "rule:admin_api"

    # Share group snapshots (continued after this span).
    manila-share_group_snapshot_create:
      key: "share_group_snapshot:create"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_group_snapshot_get:
      key: "share_group_snapshot:get"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_group_snapshot_get_all:
      key: "share_group_snapshot:get_all"
      value: "(rule:admin_api) or (rule:project-reader)"
# Remaining Manila rules, then the Octavia mapping and the start of the Ironic mapping.
    # Manila rules below reference admin_api, project-reader, project-member
    # and project-admin, all defined earlier in ManilaApiPolicies.
    # NOTE(review): admin_api is "role:admin" with no project term, so
    # "(rule:admin_api) or (rule:project-admin)" reduces to role:admin on any
    # project - confirm the force/reset operations are meant to be that wide.

    # Share group snapshots.
    manila-share_group_snapshot_update:
      key: "share_group_snapshot:update"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_group_snapshot_delete:
      key: "share_group_snapshot:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_group_snapshot_force_delete:
      key: "share_group_snapshot:force_delete"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_group_snapshot_reset_status:
      key: "share_group_snapshot:reset_status"
      value: "(rule:admin_api) or (rule:project-admin)"

    # Share groups.
    manila-share_group_create:
      key: "share_group:create"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_group_get:
      key: "share_group:get"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_group_get_all:
      key: "share_group:get_all"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_group_update:
      key: "share_group:update"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_group_delete:
      key: "share_group:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_group_force_delete:
      key: "share_group:force_delete"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_group_reset_status:
      key: "share_group:reset_status"
      value: "(rule:admin_api) or (rule:project-admin)"

    # Share replicas and their export locations.
    manila-share_replica_create:
      key: "share_replica:create"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_replica_get_all:
      key: "share_replica:get_all"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_replica_show:
      key: "share_replica:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_replica_delete:
      key: "share_replica:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_replica_force_delete:
      key: "share_replica:force_delete"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_replica_promote:
      key: "share_replica:promote"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_replica_resync:
      key: "share_replica:resync"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_replica_reset_replica_state:
      key: "share_replica:reset_replica_state"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_replica_reset_status:
      key: "share_replica:reset_status"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_replica_export_location_index:
      key: "share_replica_export_location:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_replica_export_location_show:
      key: "share_replica_export_location:show"
      value: "(rule:admin_api) or (rule:project-reader)"

    # Share networks and subnets.
    manila-share_network_create:
      key: "share_network:create"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_show:
      key: "share_network:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_network_index:
      key: "share_network:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_network_detail:
      key: "share_network:detail"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_network_update:
      key: "share_network:update"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_delete:
      key: "share_network:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_add_security_service:
      key: "share_network:add_security_service"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_add_security_service_check:
      key: "share_network:add_security_service_check"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_remove_security_service:
      key: "share_network:remove_security_service"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_update_security_service:
      key: "share_network:update_security_service"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_update_security_service_check:
      key: "share_network:update_security_service_check"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_reset_status:
      key: "share_network:reset_status"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_network_get_all_share_networks:
      key: "share_network:get_all_share_networks"
      value: "rule:admin_api"
    manila-share_network_subnet_create:
      key: "share_network_subnet:create"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_subnet_delete:
      key: "share_network_subnet:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_subnet_show:
      key: "share_network_subnet:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_network_subnet_index:
      key: "share_network_subnet:index"
      value: "(rule:admin_api) or (rule:project-reader)"

    # Security services.
    manila-security_service_create:
      key: "security_service:create"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-security_service_show:
      key: "security_service:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-security_service_detail:
      key: "security_service:detail"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-security_service_index:
      key: "security_service:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-security_service_update:
      key: "security_service:update"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-security_service_delete:
      key: "security_service:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-security_service_get_all_security_services:
      key: "security_service:get_all_security_services"
      value: "rule:admin_api"

    # Export locations and share instances.
    manila-share_export_location_index:
      key: "share_export_location:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_export_location_show:
      key: "share_export_location:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_instance_index:
      key: "share_instance:index"
      value: "rule:admin_api"
    manila-share_instance_show:
      key: "share_instance:show"
      value: "rule:admin_api"
    manila-share_instance_force_delete:
      key: "share_instance:force_delete"
      value: "rule:admin_api"
    manila-share_instance_reset_status:
      key: "share_instance:reset_status"
      value: "rule:admin_api"

    # User messages and share access rules.
    manila-message_get:
      key: "message:get"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-message_get_all:
      key: "message:get_all"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-message_delete:
      key: "message:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_access_rule_get:
      key: "share_access_rule:get"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_access_rule_index:
      key: "share_access_rule:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_access_metadata_update:
      key: "share_access_metadata:update"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_access_metadata_delete:
      key: "share_access_metadata:delete"
      value: "(rule:admin_api) or (rule:project-member)"

  OctaviaApiPolicies:
    # Only the seven aggregate load-balancer rules are overridden here.
    # NOTE(review): rule:project-reader and rule:project-member are referenced
    # but not defined in this mapping; presumably they resolve to the
    # service's built-in defaults - verify, since an unresolved rule
    # reference would not grant access.
    # NOTE(review): the admin alternative is a bare "role:admin" with no
    # project or system scope term.
    octavia-load-balancer_admin:
      key: "load-balancer:admin"
      value: "role:admin"
    octavia-load-balancer_read:
      key: "load-balancer:read"
      value: "role:admin or rule:project-reader"
    octavia-load-balancer_read-global:
      key: "load-balancer:read-global"
      value: "role:admin"
    octavia-load-balancer_write:
      key: "load-balancer:write"
      value: "role:admin or rule:project-member"
    octavia-load-balancer_read-quota:
      key: "load-balancer:read-quota"
      value: "role:admin or rule:project-reader"
    octavia-load-balancer_read-quota-global:
      key: "load-balancer:read-quota-global"
      value: "role:admin"
    octavia-load-balancer_write-quota:
      key: "load-balancer:write-quota"
      value: "role:admin"

  IronicApiPolicies:
    # Base rules. admin_api is a bare "role:admin".
    ironic-admin_api:
      key: "admin_api"
      value: "role:admin"
    ironic-public_api:
      key: "public_api"
      value: "is_public_api:True"
    # "!" is the never-allow check: these two are denied to every caller,
    # administrators included.
    ironic-show_password:
      key: "show_password"
      value: "!"
    ironic-show_instance_secrets:
      key: "show_instance_secrets"
      value: "!"
# Ironic (bare metal) rules, continued (entries of IronicApiPolicies).
    # Legacy helper rules. is_member hard-codes the project names "demo" and
    # "baremetal". No baremetal:* rule visible in this file excerpt
    # references is_member, is_observer, is_admin, is_node_owner,
    # is_node_lessee or is_allocation_owner; the endpoint rules spell out
    # their own role and project checks instead.
    ironic-is_member:
      key: "is_member"
      value: "(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)"
    ironic-is_observer:
      key: "is_observer"
      value: "rule:is_member and (role:observer or role:baremetal_observer)"
    ironic-is_admin:
      key: "is_admin"
      value: "rule:admin_api or (rule:is_member and role:baremetal_admin)"
    ironic-is_node_owner:
      key: "is_node_owner"
      value: "project_id:%(node.owner)s"
    ironic-is_node_lessee:
      key: "is_node_lessee"
      value: "project_id:%(node.lessee)s"
    ironic-is_allocation_owner:
      key: "is_allocation_owner"
      value: "project_id:%(allocation.owner)s"

    # Node create / list / get.
    # Recurring shapes: admin_api alone; admin_api or a reader/member of the
    # node's owner project; and, for some calls, of the lessee project too.
    ironic-baremetal_node_create:
      key: "baremetal:node:create"
      value: "rule:admin_api"
    ironic-baremetal_node_list:
      key: "baremetal:node:list"
      value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
    ironic-baremetal_node_list_all:
      key: "baremetal:node:list_all"
      value: "rule:admin_api"
    ironic-baremetal_node_get:
      key: "baremetal:node:get"
      value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
    ironic-baremetal_node_get_filter_threshold:
      key: "baremetal:node:get:filter_threshold"
      value: "rule:admin_api"

    # Per-field read rules: owner-project readers only, lessees excluded.
    ironic-baremetal_node_get_last_error:
      key: "baremetal:node:get:last_error"
      value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
    ironic-baremetal_node_get_reservation:
      key: "baremetal:node:get:reservation"
      value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
    ironic-baremetal_node_get_driver_internal_info:
      key: "baremetal:node:get:driver_internal_info"
      value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
    ironic-baremetal_node_get_driver_info:
      key: "baremetal:node:get:driver_info"
      value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"

    # Node update rules. baremetal:node:update is an alias of the
    # driver_info update rule directly above it.
    ironic-baremetal_node_update_driver_info:
      key: "baremetal:node:update:driver_info"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_update:
      key: "baremetal:node:update"
      value: "rule:baremetal:node:update:driver_info"
    ironic-baremetal_node_update_properties:
      key: "baremetal:node:update:properties"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_update_chassis_uuid:
      key: "baremetal:node:update:chassis_uuid"
      value: "rule:admin_api"
    ironic-baremetal_node_update_instance_uuid:
      key: "baremetal:node:update:instance_uuid"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_update_lessee:
      key: "baremetal:node:update:lessee"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_update_owner:
      key: "baremetal:node:update:owner"
      value: "rule:admin_api"
    # NOTE(review): this value, like several "rule:admin_api " values further
    # down, ends with a space inside the quotes; it is kept verbatim here.
    ironic-baremetal_node_update_driver_interfaces:
      key: "baremetal:node:update:driver_interfaces"
      value: "rule:admin_api "
    ironic-baremetal_node_update_network_data:
      key: "baremetal:node:update:network_data"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_update_conductor_group:
      key: "baremetal:node:update:conductor_group"
      value: "rule:admin_api"
    ironic-baremetal_node_update_name:
      key: "baremetal:node:update:name"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_update_retired:
      key: "baremetal:node:update:retired"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_update_extra:
      key: "baremetal:node:update_extra"
      value: "rule:admin_api or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
    ironic-baremetal_node_update_instance_info:
      key: "baremetal:node:update_instance_info"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_update_owner_provisioned:
      key: "baremetal:node:update_owner_provisioned"
      value: "rule:admin_api"
    ironic-baremetal_node_delete:
      key: "baremetal:node:delete"
      value: "rule:admin_api"

    # Node operations: validation, maintenance, boot device, power,
    # provisioning, console.
    ironic-baremetal_node_validate:
      key: "baremetal:node:validate"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_set_maintenance:
      key: "baremetal:node:set_maintenance"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_clear_maintenance:
      key: "baremetal:node:clear_maintenance"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_get_boot_device:
      key: "baremetal:node:get_boot_device"
      value: "rule:admin_api "
    ironic-baremetal_node_set_boot_device:
      key: "baremetal:node:set_boot_device"
      value: "rule:admin_api "
    ironic-baremetal_node_get_indicator_state:
      key: "baremetal:node:get_indicator_state"
      value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
    ironic-baremetal_node_set_indicator_state:
      key: "baremetal:node:set_indicator_state"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_inject_nmi:
      key: "baremetal:node:inject_nmi"
      value: "rule:admin_api "
    ironic-baremetal_node_get_states:
      key: "baremetal:node:get_states"
      value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
    # Power control is the one state change also open to lessee-project
    # members.
    ironic-baremetal_node_set_power_state:
      key: "baremetal:node:set_power_state"
      value: "rule:admin_api or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
    ironic-baremetal_node_set_provision_state:
      key: "baremetal:node:set_provision_state"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_set_raid_state:
      key: "baremetal:node:set_raid_state"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_get_console:
      key: "baremetal:node:get_console"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_set_console_state:
      key: "baremetal:node:set_console_state"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"

    # VIFs, traits, BIOS, cleaning.
    ironic-baremetal_node_vif_list:
      key: "baremetal:node:vif:list"
      value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
    ironic-baremetal_node_vif_attach:
      key: "baremetal:node:vif:attach"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_vif_detach:
      key: "baremetal:node:vif:detach"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_node_traits_list:
      key: "baremetal:node:traits:list"
      value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
    ironic-baremetal_node_traits_set:
      key: "baremetal:node:traits:set"
      value: "rule:admin_api "
    ironic-baremetal_node_traits_delete:
      key: "baremetal:node:traits:delete"
      value: "rule:admin_api "
    ironic-baremetal_node_bios_get:
      key: "baremetal:node:bios:get"
      value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
    ironic-baremetal_node_disable_cleaning:
      key: "baremetal:node:disable_cleaning"
      value: "rule:admin_api"

    # Ports and port groups.
    # NOTE(review): the :list rules here (and for volumes below) are a bare
    # "role:reader" with no project term; presumably results are filtered by
    # owner in the API layer - confirm.
    ironic-baremetal_port_get:
      key: "baremetal:port:get"
      value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
    ironic-baremetal_port_list:
      key: "baremetal:port:list"
      value: "role:reader"
    ironic-baremetal_port_list_all:
      key: "baremetal:port:list_all"
      value: "rule:admin_api"
    ironic-baremetal_port_create:
      key: "baremetal:port:create"
      value: "rule:admin_api "
    ironic-baremetal_port_delete:
      key: "baremetal:port:delete"
      value: "rule:admin_api "
    ironic-baremetal_port_update:
      key: "baremetal:port:update"
      value: "rule:admin_api "
    ironic-baremetal_portgroup_get:
      key: "baremetal:portgroup:get"
      value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
    ironic-baremetal_portgroup_create:
      key: "baremetal:portgroup:create"
      value: "rule:admin_api "
    ironic-baremetal_portgroup_delete:
      key: "baremetal:portgroup:delete"
      value: "rule:admin_api "
    ironic-baremetal_portgroup_update:
      key: "baremetal:portgroup:update"
      value: "rule:admin_api "
    ironic-baremetal_portgroup_list:
      key: "baremetal:portgroup:list"
      value: "role:reader"
    ironic-baremetal_portgroup_list_all:
      key: "baremetal:portgroup:list_all"
      value: "rule:admin_api"

    # Chassis, drivers and vendor passthru: admin_api only.
    ironic-baremetal_chassis_get:
      key: "baremetal:chassis:get"
      value: "rule:admin_api"
    ironic-baremetal_chassis_create:
      key: "baremetal:chassis:create"
      value: "rule:admin_api"
    ironic-baremetal_chassis_delete:
      key: "baremetal:chassis:delete"
      value: "rule:admin_api"
    ironic-baremetal_chassis_update:
      key: "baremetal:chassis:update"
      value: "rule:admin_api"
    ironic-baremetal_driver_get:
      key: "baremetal:driver:get"
      value: "rule:admin_api"
    ironic-baremetal_driver_get_properties:
      key: "baremetal:driver:get_properties"
      value: "rule:admin_api"
    ironic-baremetal_driver_get_raid_logical_disk_properties:
      key: "baremetal:driver:get_raid_logical_disk_properties"
      value: "rule:admin_api"
    ironic-baremetal_node_vendor_passthru:
      key: "baremetal:node:vendor_passthru"
      value: "rule:admin_api"
    ironic-baremetal_driver_vendor_passthru:
      key: "baremetal:driver:vendor_passthru"
      value: "rule:admin_api"

    # An empty check string always passes: these two rules impose no role or
    # project requirement at the policy layer.
    # NOTE(review): confirm these endpoints are protected by other means
    # (for example network isolation of the provisioning network).
    ironic-baremetal_node_ipa_heartbeat:
      key: "baremetal:node:ipa_heartbeat"
      value: ""
    ironic-baremetal_driver_ipa_lookup:
      key: "baremetal:driver:ipa_lookup"
      value: ""

    # Volume connectors / targets. volume:get reuses the list_all rule and
    # is therefore admin_api only.
    ironic-baremetal_volume_list_all:
      key: "baremetal:volume:list_all"
      value: "rule:admin_api"
    ironic-baremetal_volume_get:
      key: "baremetal:volume:get"
      value: "rule:baremetal:volume:list_all"
    ironic-baremetal_volume_list:
      key: "baremetal:volume:list"
      value: "role:reader"
    ironic-baremetal_volume_create:
      key: "baremetal:volume:create"
      value: "rule:admin_api"
    ironic-baremetal_volume_delete:
      key: "baremetal:volume:delete"
      value: "rule:admin_api"
    ironic-baremetal_volume_update:
      key: "baremetal:volume:update"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_volume_view_target_properties:
      key: "baremetal:volume:view_target_properties"
      value: "rule:admin_api"
# Ironic conductor, allocation, event and deploy-template rules (entries of IronicApiPolicies).
    ironic-baremetal_conductor_get:
      key: "baremetal:conductor:get"
      value: "rule:admin_api"

    # Allocations: besides admin_api, access is tied to the allocation's
    # owner project (reader for get, member for create/update/delete).
    # NOTE(review): allocation:list is a bare "role:reader" with no project
    # term; presumably the API layer filters results by owner - confirm.
    ironic-baremetal_allocation_get:
      key: "baremetal:allocation:get"
      value: "rule:admin_api or (role:reader and project_id:%(allocation.owner)s)"
    ironic-baremetal_allocation_list:
      key: "baremetal:allocation:list"
      value: "role:reader"
    ironic-baremetal_allocation_list_all:
      key: "baremetal:allocation:list_all"
      value: "rule:admin_api"
    ironic-baremetal_allocation_create:
      key: "baremetal:allocation:create"
      value: "rule:admin_api or (role:member and project_id:%(allocation.owner)s)"
    ironic-baremetal_allocation_create_restricted:
      key: "baremetal:allocation:create_restricted"
      value: "rule:admin_api"
    ironic-baremetal_allocation_delete:
      key: "baremetal:allocation:delete"
      value: "rule:admin_api or (role:member and project_id:%(allocation.owner)s)"
    ironic-baremetal_allocation_update:
      key: "baremetal:allocation:update"
      value: "rule:admin_api or (role:member and project_id:%(allocation.owner)s)"
    ironic-baremetal_allocation_create_pre_rbac:
      key: "baremetal:allocation:create_pre_rbac"
      value: "rule:admin_api"

    # Events and deploy templates: admin_api only.
    ironic-baremetal_events_post:
      key: "baremetal:events:post"
      value: "rule:admin_api"
    ironic-baremetal_deploy_template_get:
      key: "baremetal:deploy_template:get"
      value: "rule:admin_api"
    ironic-baremetal_deploy_template_create:
      key: "baremetal:deploy_template:create"
      value: "rule:admin_api"
    ironic-baremetal_deploy_template_delete:
      key: "baremetal:deploy_template:delete"
      value: "rule:admin_api"
    ironic-baremetal_deploy_template_update:
      key: "baremetal:deploy_template:update"
      value: "rule:admin_api"