tripleo-heat-templates/environments/enable-secure-rbac.yaml


parameter_defaults:
# Switch for the secure-RBAC posture this environment file is named after.
# It ships as false here; what the flag toggles in the service templates
# (presumably oslo.policy's enforce_scope / enforce_new_defaults) is not
# visible in this file — NOTE(review): confirm before relying on the policy
# maps below being enforced.
EnforceSecureRbac: false
# Policy overrides for the Nova API, one map item per rule: `key` is the
# rule/policy name as Nova's policy file knows it, `value` is the check string.
# Check-string vocabulary used in this list (oslo.policy syntax):
#   role:<name>              token carries that role
#   project_id:%(project_id)s / user_id:%(user_id)s
#                            token attribute must match the target object
#   system_scope:all         token is system-scoped
#   rule:<name>              reference another rule in this list
#   "@"                      always allowed;  "!"  never allowed
# Note that the system-scoped rules (system_admin_api, system_reader_api,
# system_admin_or_owner, system_or_project_reader) are defined below but are
# only referenced by each other; every API policy in this list resolves to
# admin_api (role:admin, no scope check) and/or the project_* rules.
NovaApiPolicies:
  nova-context_is_admin:
    key: "context_is_admin"
    value: "role:admin"
  # Legacy owner check; `is_admin:True` short-circuits the project match.
  nova-admin_or_owner:
    key: "admin_or_owner"
    value: "is_admin:True or project_id:%(project_id)s"
  nova-admin_api:
    key: "admin_api"
    value: "role:admin"
  nova-system_admin_api:
    key: "system_admin_api"
    value: "role:admin and system_scope:all"
  nova-system_reader_api:
    key: "system_reader_api"
    value: "role:reader and system_scope:all"
  nova-project_admin_api:
    key: "project_admin_api"
    value: "role:admin and project_id:%(project_id)s"
  nova-project_member_api:
    key: "project_member_api"
    value: "role:member and project_id:%(project_id)s"
  # NOTE(review): this key is "rule:admin_or_owner", not "admin_or_owner" (the
  # rule defined a few entries above). As written it defines a separate rule
  # with a "rule:" prefix in its name and leaves admin_or_owner on the legacy
  # `is_admin:True or project_id` check — confirm whether the intent was to
  # override admin_or_owner itself.
  nova-rule_admin_or_owner:
    key: "rule:admin_or_owner"
    value: "rule:project_member_api"
  nova-project_reader_api:
    key: "project_reader_api"
    value: "role:reader and project_id:%(project_id)s"
  nova-system_admin_or_owner:
    key: "system_admin_or_owner"
    value: "rule:system_admin_api or rule:project_member_api"
  nova-system_or_project_reader:
    key: "system_or_project_reader"
    value: "rule:system_reader_api or rule:project_reader_api"
  nova-os_compute_api_os-admin-actions_reset_state:
    key: "os_compute_api:os-admin-actions:reset_state"
    value: "rule:admin_api"
  nova-os_compute_api_os-admin-actions_inject_network_info:
    key: "os_compute_api:os-admin-actions:inject_network_info"
    value: "rule:admin_api"
  nova-os_compute_api_os-admin-password:
    key: "os_compute_api:os-admin-password"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-aggregates_set_metadata:
    key: "os_compute_api:os-aggregates:set_metadata"
    value: "rule:admin_api"
  nova-os_compute_api_os-aggregates_add_host:
    key: "os_compute_api:os-aggregates:add_host"
    value: "rule:admin_api"
  nova-os_compute_api_os-aggregates_create:
    key: "os_compute_api:os-aggregates:create"
    value: "rule:admin_api"
  nova-os_compute_api_os-aggregates_remove_host:
    key: "os_compute_api:os-aggregates:remove_host"
    value: "rule:admin_api"
  nova-os_compute_api_os-aggregates_update:
    key: "os_compute_api:os-aggregates:update"
    value: "rule:admin_api"
  nova-os_compute_api_os-aggregates_index:
    key: "os_compute_api:os-aggregates:index"
    value: "rule:admin_api"
  nova-os_compute_api_os-aggregates_delete:
    key: "os_compute_api:os-aggregates:delete"
    value: "rule:admin_api"
  nova-os_compute_api_os-aggregates_show:
    key: "os_compute_api:os-aggregates:show"
    value: "rule:admin_api"
  nova-compute_aggregates_images:
    key: "compute:aggregates:images"
    value: "rule:admin_api"
  nova-os_compute_api_os-assisted-volume-snapshots_create:
    key: "os_compute_api:os-assisted-volume-snapshots:create"
    value: "rule:admin_api"
  nova-os_compute_api_os-assisted-volume-snapshots_delete:
    key: "os_compute_api:os-assisted-volume-snapshots:delete"
    value: "rule:admin_api"
  nova-os_compute_api_os-attach-interfaces_list:
    key: "os_compute_api:os-attach-interfaces:list"
    value: "rule:admin_api or rule:project_reader_api"
  # Un-suffixed policy names below are aliased to their "list"/"add"/"get"
  # sibling via rule: references.
  nova-os_compute_api_os-attach-interfaces:
    key: "os_compute_api:os-attach-interfaces"
    value: "rule:os_compute_api:os-attach-interfaces:list"
  nova-os_compute_api_os-attach-interfaces_show:
    key: "os_compute_api:os-attach-interfaces:show"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-attach-interfaces_create:
    key: "os_compute_api:os-attach-interfaces:create"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-attach-interfaces_delete:
    key: "os_compute_api:os-attach-interfaces:delete"
    value: "rule:admin_api or rule:project_member_api"
  # "@" — open to any authenticated caller.
  nova-os_compute_api_os-availability-zone_list:
    key: "os_compute_api:os-availability-zone:list"
    value: "@"
  nova-os_compute_api_os-availability-zone_detail:
    key: "os_compute_api:os-availability-zone:detail"
    value: "rule:admin_api"
  nova-os_compute_api_os-baremetal-nodes_list:
    key: "os_compute_api:os-baremetal-nodes:list"
    value: "rule:admin_api"
  nova-os_compute_api_os-baremetal-nodes:
    key: "os_compute_api:os-baremetal-nodes"
    value: "rule:os_compute_api:os-baremetal-nodes:list"
  nova-os_compute_api_os-baremetal-nodes_show:
    key: "os_compute_api:os-baremetal-nodes:show"
    value: "rule:admin_api"
  nova-os_compute_api_os-console-auth-tokens:
    key: "os_compute_api:os-console-auth-tokens"
    value: "rule:admin_api"
  nova-os_compute_api_os-console-output:
    key: "os_compute_api:os-console-output"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-create-backup:
    key: "os_compute_api:os-create-backup"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-deferred-delete_restore:
    key: "os_compute_api:os-deferred-delete:restore"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-deferred-delete:
    key: "os_compute_api:os-deferred-delete"
    value: "rule:os_compute_api:os-deferred-delete:restore"
  nova-os_compute_api_os-deferred-delete_force:
    key: "os_compute_api:os-deferred-delete:force"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-evacuate:
    key: "os_compute_api:os-evacuate"
    value: "rule:admin_api"
  nova-os_compute_api_os-extended-server-attributes:
    key: "os_compute_api:os-extended-server-attributes"
    value: "rule:admin_api"
  nova-os_compute_api_extensions:
    key: "os_compute_api:extensions"
    value: "@"
  nova-os_compute_api_os-flavor-access_add_tenant_access:
    key: "os_compute_api:os-flavor-access:add_tenant_access"
    value: "rule:admin_api"
  nova-os_compute_api_os-flavor-access_remove_tenant_access:
    key: "os_compute_api:os-flavor-access:remove_tenant_access"
    value: "rule:admin_api"
  nova-os_compute_api_os-flavor-access:
    key: "os_compute_api:os-flavor-access"
    value: "rule:admin_api"
  nova-os_compute_api_os-flavor-extra-specs_show:
    key: "os_compute_api:os-flavor-extra-specs:show"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-flavor-extra-specs_create:
    key: "os_compute_api:os-flavor-extra-specs:create"
    value: "rule:admin_api"
  nova-os_compute_api_os-flavor-extra-specs_update:
    key: "os_compute_api:os-flavor-extra-specs:update"
    value: "rule:admin_api"
  nova-os_compute_api_os-flavor-extra-specs_delete:
    key: "os_compute_api:os-flavor-extra-specs:delete"
    value: "rule:admin_api"
  nova-os_compute_api_os-flavor-extra-specs_index:
    key: "os_compute_api:os-flavor-extra-specs:index"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-flavor-manage_create:
    key: "os_compute_api:os-flavor-manage:create"
    value: "rule:admin_api"
  nova-os_compute_api_os-flavor-manage_update:
    key: "os_compute_api:os-flavor-manage:update"
    value: "rule:admin_api"
  nova-os_compute_api_os-flavor-manage_delete:
    key: "os_compute_api:os-flavor-manage:delete"
    value: "rule:admin_api"
  nova-os_compute_api_os-floating-ip-pools:
    key: "os_compute_api:os-floating-ip-pools"
    value: "@"
  nova-os_compute_api_os-floating-ips_add:
    key: "os_compute_api:os-floating-ips:add"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-floating-ips:
    key: "os_compute_api:os-floating-ips"
    value: "rule:os_compute_api:os-floating-ips:add"
  nova-os_compute_api_os-floating-ips_remove:
    key: "os_compute_api:os-floating-ips:remove"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-floating-ips_list:
    key: "os_compute_api:os-floating-ips:list"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-floating-ips_create:
    key: "os_compute_api:os-floating-ips:create"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-floating-ips_show:
    key: "os_compute_api:os-floating-ips:show"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-floating-ips_delete:
    key: "os_compute_api:os-floating-ips:delete"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-hosts_list:
    key: "os_compute_api:os-hosts:list"
    value: "rule:admin_api"
  nova-os_compute_api_os-hosts:
    key: "os_compute_api:os-hosts"
    value: "rule:os_compute_api:os-hosts:list"
  nova-os_compute_api_os-hosts_show:
    key: "os_compute_api:os-hosts:show"
    value: "rule:admin_api"
  nova-os_compute_api_os-hosts_update:
    key: "os_compute_api:os-hosts:update"
    value: "rule:admin_api"
  nova-os_compute_api_os-hosts_reboot:
    key: "os_compute_api:os-hosts:reboot"
    value: "rule:admin_api"
  nova-os_compute_api_os-hosts_shutdown:
    key: "os_compute_api:os-hosts:shutdown"
    value: "rule:admin_api"
  nova-os_compute_api_os-hosts_start:
    key: "os_compute_api:os-hosts:start"
    value: "rule:admin_api"
  nova-os_compute_api_os-hypervisors_list:
    key: "os_compute_api:os-hypervisors:list"
    value: "rule:admin_api"
  nova-os_compute_api_os-hypervisors:
    key: "os_compute_api:os-hypervisors"
    value: "rule:os_compute_api:os-hypervisors:list"
  nova-os_compute_api_os-hypervisors_list-detail:
    key: "os_compute_api:os-hypervisors:list-detail"
    value: "rule:admin_api"
  nova-os_compute_api_os-hypervisors_statistics:
    key: "os_compute_api:os-hypervisors:statistics"
    value: "rule:admin_api"
  nova-os_compute_api_os-hypervisors_show:
    key: "os_compute_api:os-hypervisors:show"
    value: "rule:admin_api"
  nova-os_compute_api_os-hypervisors_uptime:
    key: "os_compute_api:os-hypervisors:uptime"
    value: "rule:admin_api"
  nova-os_compute_api_os-hypervisors_search:
    key: "os_compute_api:os-hypervisors:search"
    value: "rule:admin_api"
  nova-os_compute_api_os-hypervisors_servers:
    key: "os_compute_api:os-hypervisors:servers"
    value: "rule:admin_api"
  # Event details (the host-level part of instance actions) stay admin-only
  # while the action list/show are readable by project readers.
  nova-os_compute_api_os-instance-actions_events_details:
    key: "os_compute_api:os-instance-actions:events:details"
    value: "rule:admin_api"
  nova-os_compute_api_os-instance-actions_events:
    key: "os_compute_api:os-instance-actions:events"
    value: "rule:admin_api"
  nova-os_compute_api_os-instance-actions_list:
    key: "os_compute_api:os-instance-actions:list"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-instance-actions:
    key: "os_compute_api:os-instance-actions"
    value: "rule:os_compute_api:os-instance-actions:list"
  nova-os_compute_api_os-instance-actions_show:
    key: "os_compute_api:os-instance-actions:show"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-instance-usage-audit-log_list:
    key: "os_compute_api:os-instance-usage-audit-log:list"
    value: "rule:admin_api"
  nova-os_compute_api_os-instance-usage-audit-log:
    key: "os_compute_api:os-instance-usage-audit-log"
    value: "rule:os_compute_api:os-instance-usage-audit-log:list"
  nova-os_compute_api_os-instance-usage-audit-log_show:
    key: "os_compute_api:os-instance-usage-audit-log:show"
    value: "rule:admin_api"
  nova-os_compute_api_ips_show:
    key: "os_compute_api:ips:show"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_ips_index:
    key: "os_compute_api:ips:index"
    value: "rule:admin_api or rule:project_reader_api"
  # Keypairs are scoped to the owning user (user_id match), not to the
  # project; the role-based project_* rules do not apply here.
  nova-os_compute_api_os-keypairs_index:
    key: "os_compute_api:os-keypairs:index"
    value: "rule:admin_api or user_id:%(user_id)s"
  nova-os_compute_api_os-keypairs_create:
    key: "os_compute_api:os-keypairs:create"
    value: "rule:admin_api or user_id:%(user_id)s"
  nova-os_compute_api_os-keypairs_delete:
    key: "os_compute_api:os-keypairs:delete"
    value: "rule:admin_api or user_id:%(user_id)s"
  nova-os_compute_api_os-keypairs_show:
    key: "os_compute_api:os-keypairs:show"
    value: "rule:admin_api or user_id:%(user_id)s"
  nova-os_compute_api_limits:
    key: "os_compute_api:limits"
    value: "@"
  nova-os_compute_api_limits_other_project:
    key: "os_compute_api:limits:other_project"
    value: "rule:admin_api"
  nova-os_compute_api_os-used-limits:
    key: "os_compute_api:os-used-limits"
    value: "rule:os_compute_api:limits:other_project"
  nova-os_compute_api_os-lock-server_lock:
    key: "os_compute_api:os-lock-server:lock"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-lock-server_unlock:
    key: "os_compute_api:os-lock-server:unlock"
    value: "rule:admin_api or rule:project_member_api"
  # Overriding a lock placed by someone else is admin-only.
  nova-os_compute_api_os-lock-server_unlock_unlock_override:
    key: "os_compute_api:os-lock-server:unlock:unlock_override"
    value: "rule:admin_api"
  nova-os_compute_api_os-migrate-server_migrate:
    key: "os_compute_api:os-migrate-server:migrate"
    value: "rule:admin_api"
  nova-os_compute_api_os-migrate-server_migrate_live:
    key: "os_compute_api:os-migrate-server:migrate_live"
    value: "rule:admin_api"
  nova-os_compute_api_os-migrations_index:
    key: "os_compute_api:os-migrations:index"
    value: "rule:admin_api"
  nova-os_compute_api_os-multinic_add:
    key: "os_compute_api:os-multinic:add"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-multinic:
    key: "os_compute_api:os-multinic"
    value: "rule:os_compute_api:os-multinic:add"
  nova-os_compute_api_os-multinic_remove:
    key: "os_compute_api:os-multinic:remove"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-networks_list:
    key: "os_compute_api:os-networks:list"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-networks_view:
    key: "os_compute_api:os-networks:view"
    value: "rule:os_compute_api:os-networks:list"
  nova-os_compute_api_os-networks_show:
    key: "os_compute_api:os-networks:show"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-pause-server_pause:
    key: "os_compute_api:os-pause-server:pause"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-pause-server_unpause:
    key: "os_compute_api:os-pause-server:unpause"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-quota-class-sets_show:
    key: "os_compute_api:os-quota-class-sets:show"
    value: "rule:admin_api"
  nova-os_compute_api_os-quota-class-sets_update:
    key: "os_compute_api:os-quota-class-sets:update"
    value: "rule:admin_api"
  nova-os_compute_api_os-quota-sets_update:
    key: "os_compute_api:os-quota-sets:update"
    value: "rule:admin_api"
  nova-os_compute_api_os-quota-sets_defaults:
    key: "os_compute_api:os-quota-sets:defaults"
    value: "@"
  nova-os_compute_api_os-quota-sets_show:
    key: "os_compute_api:os-quota-sets:show"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-quota-sets_delete:
    key: "os_compute_api:os-quota-sets:delete"
    value: "rule:admin_api"
  nova-os_compute_api_os-quota-sets_detail:
    key: "os_compute_api:os-quota-sets:detail"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-remote-consoles:
    key: "os_compute_api:os-remote-consoles"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-rescue:
    key: "os_compute_api:os-rescue"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-unrescue:
    key: "os_compute_api:os-unrescue"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-security-groups_get:
    key: "os_compute_api:os-security-groups:get"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-security-groups:
    key: "os_compute_api:os-security-groups"
    value: "rule:os_compute_api:os-security-groups:get"
  nova-os_compute_api_os-security-groups_show:
    key: "os_compute_api:os-security-groups:show"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-security-groups_create:
    key: "os_compute_api:os-security-groups:create"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-security-groups_update:
    key: "os_compute_api:os-security-groups:update"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-security-groups_delete:
    key: "os_compute_api:os-security-groups:delete"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-security-groups_rule_create:
    key: "os_compute_api:os-security-groups:rule:create"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-security-groups_rule_delete:
    key: "os_compute_api:os-security-groups:rule:delete"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-security-groups_list:
    key: "os_compute_api:os-security-groups:list"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-security-groups_add:
    key: "os_compute_api:os-security-groups:add"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-security-groups_remove:
    key: "os_compute_api:os-security-groups:remove"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-server-diagnostics:
    key: "os_compute_api:os-server-diagnostics"
    value: "rule:admin_api"
  nova-os_compute_api_os-server-external-events_create:
    key: "os_compute_api:os-server-external-events:create"
    value: "rule:admin_api"
  # Creation of server groups has no rule:admin_api alternative — only a
  # member of the target project passes.
  nova-os_compute_api_os-server-groups_create:
    key: "os_compute_api:os-server-groups:create"
    value: "rule:project_member_api"
  nova-os_compute_api_os-server-groups_delete:
    key: "os_compute_api:os-server-groups:delete"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-server-groups_index:
    key: "os_compute_api:os-server-groups:index"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-server-groups_index_all_projects:
    key: "os_compute_api:os-server-groups:index:all_projects"
    value: "rule:admin_api"
  nova-os_compute_api_os-server-groups_show:
    key: "os_compute_api:os-server-groups:show"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_server-metadata_index:
    key: "os_compute_api:server-metadata:index"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_server-metadata_show:
    key: "os_compute_api:server-metadata:show"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_server-metadata_create:
    key: "os_compute_api:server-metadata:create"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_server-metadata_update_all:
    key: "os_compute_api:server-metadata:update_all"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_server-metadata_update:
    key: "os_compute_api:server-metadata:update"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_server-metadata_delete:
    key: "os_compute_api:server-metadata:delete"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-server-password_show:
    key: "os_compute_api:os-server-password:show"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-server-password:
    key: "os_compute_api:os-server-password"
    value: "rule:os_compute_api:os-server-password:show"
  nova-os_compute_api_os-server-password_clear:
    key: "os_compute_api:os-server-password:clear"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-server-tags_delete_all:
    key: "os_compute_api:os-server-tags:delete_all"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-server-tags_index:
    key: "os_compute_api:os-server-tags:index"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-server-tags_update_all:
    key: "os_compute_api:os-server-tags:update_all"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-server-tags_delete:
    key: "os_compute_api:os-server-tags:delete"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-server-tags_update:
    key: "os_compute_api:os-server-tags:update"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-server-tags_show:
    key: "os_compute_api:os-server-tags:show"
    value: "rule:admin_api or rule:project_reader_api"
  nova-compute_server_topology_index:
    key: "compute:server:topology:index"
    value: "rule:admin_api or rule:project_reader_api"
  nova-compute_server_topology_host_index:
    key: "compute:server:topology:host:index"
    value: "rule:admin_api"
  nova-os_compute_api_servers_index:
    key: "os_compute_api:servers:index"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_servers_detail:
    key: "os_compute_api:servers:detail"
    value: "rule:admin_api or rule:project_reader_api"
  # Cross-project listing and unrestricted filters remain admin-only.
  nova-os_compute_api_servers_index_get_all_tenants:
    key: "os_compute_api:servers:index:get_all_tenants"
    value: "rule:admin_api"
  nova-os_compute_api_servers_detail_get_all_tenants:
    key: "os_compute_api:servers:detail:get_all_tenants"
    value: "rule:admin_api"
  nova-os_compute_api_servers_allow_all_filters:
    key: "os_compute_api:servers:allow_all_filters"
    value: "rule:admin_api"
  nova-os_compute_api_servers_show:
    key: "os_compute_api:servers:show"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_servers_show_host_status:
    key: "os_compute_api:servers:show:host_status"
    value: "rule:admin_api"
  nova-os_compute_api_servers_show_host_status_unknown-only:
    key: "os_compute_api:servers:show:host_status:unknown-only"
    value: "rule:admin_api"
  # Server creation and its attach/trusted-certs sub-policies are granted to
  # project members only (no rule:admin_api alternative); the placement-
  # steering variants (forced_host, requested_destination, zero_disk_flavor,
  # external network attach) stay admin-only.
  nova-os_compute_api_servers_create:
    key: "os_compute_api:servers:create"
    value: "rule:project_member_api"
  nova-os_compute_api_servers_create_forced_host:
    key: "os_compute_api:servers:create:forced_host"
    value: "rule:admin_api"
  nova-compute_servers_create_requested_destination:
    key: "compute:servers:create:requested_destination"
    value: "rule:admin_api"
  nova-os_compute_api_servers_create_attach_volume:
    key: "os_compute_api:servers:create:attach_volume"
    value: "rule:project_member_api"
  nova-os_compute_api_servers_create_attach_network:
    key: "os_compute_api:servers:create:attach_network"
    value: "rule:project_member_api"
  nova-os_compute_api_servers_create_trusted_certs:
    key: "os_compute_api:servers:create:trusted_certs"
    value: "rule:project_member_api"
  nova-os_compute_api_servers_create_zero_disk_flavor:
    key: "os_compute_api:servers:create:zero_disk_flavor"
    value: "rule:admin_api"
  nova-network_attach_external_network:
    key: "network:attach_external_network"
    value: "rule:admin_api"
  nova-os_compute_api_servers_delete:
    key: "os_compute_api:servers:delete"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_servers_update:
    key: "os_compute_api:servers:update"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_servers_confirm_resize:
    key: "os_compute_api:servers:confirm_resize"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_servers_revert_resize:
    key: "os_compute_api:servers:revert_resize"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_servers_reboot:
    key: "os_compute_api:servers:reboot"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_servers_resize:
    key: "os_compute_api:servers:resize"
    value: "rule:admin_api or rule:project_member_api"
  # "!" — cross-cell resize is denied for everyone, admins included.
  nova-compute_servers_resize_cross_cell:
    key: "compute:servers:resize:cross_cell"
    value: "!"
  nova-os_compute_api_servers_rebuild:
    key: "os_compute_api:servers:rebuild"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_servers_rebuild_trusted_certs:
    key: "os_compute_api:servers:rebuild:trusted_certs"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_servers_create_image:
    key: "os_compute_api:servers:create_image"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_servers_create_image_allow_volume_backed:
    key: "os_compute_api:servers:create_image:allow_volume_backed"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_servers_start:
    key: "os_compute_api:servers:start"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_servers_stop:
    key: "os_compute_api:servers:stop"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_servers_trigger_crash_dump:
    key: "os_compute_api:servers:trigger_crash_dump"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_servers_migrations_show:
    key: "os_compute_api:servers:migrations:show"
    value: "rule:admin_api"
  nova-os_compute_api_servers_migrations_force_complete:
    key: "os_compute_api:servers:migrations:force_complete"
    value: "rule:admin_api"
  nova-os_compute_api_servers_migrations_delete:
    key: "os_compute_api:servers:migrations:delete"
    value: "rule:admin_api"
  nova-os_compute_api_servers_migrations_index:
    key: "os_compute_api:servers:migrations:index"
    value: "rule:admin_api"
  nova-os_compute_api_os-services_list:
    key: "os_compute_api:os-services:list"
    value: "rule:admin_api"
  nova-os_compute_api_os-services:
    key: "os_compute_api:os-services"
    value: "rule:os_compute_api:os-services:list"
  nova-os_compute_api_os-services_update:
    key: "os_compute_api:os-services:update"
    value: "rule:admin_api"
  nova-os_compute_api_os-services_delete:
    key: "os_compute_api:os-services:delete"
    value: "rule:admin_api"
  nova-os_compute_api_os-shelve_shelve:
    key: "os_compute_api:os-shelve:shelve"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-shelve_unshelve:
    key: "os_compute_api:os-shelve:unshelve"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-shelve_shelve_offload:
    key: "os_compute_api:os-shelve:shelve_offload"
    value: "rule:admin_api"
  nova-os_compute_api_os-simple-tenant-usage_show:
    key: "os_compute_api:os-simple-tenant-usage:show"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-simple-tenant-usage_list:
    key: "os_compute_api:os-simple-tenant-usage:list"
    value: "rule:admin_api"
  nova-os_compute_api_os-suspend-server_resume:
    key: "os_compute_api:os-suspend-server:resume"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-suspend-server_suspend:
    key: "os_compute_api:os-suspend-server:suspend"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-tenant-networks_list:
    key: "os_compute_api:os-tenant-networks:list"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-tenant-networks:
    key: "os_compute_api:os-tenant-networks"
    value: "rule:os_compute_api:os-tenant-networks:list"
  nova-os_compute_api_os-tenant-networks_show:
    key: "os_compute_api:os-tenant-networks:show"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-volumes_list:
    key: "os_compute_api:os-volumes:list"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-volumes:
    key: "os_compute_api:os-volumes"
    value: "rule:os_compute_api:os-volumes:list"
  nova-os_compute_api_os-volumes_create:
    key: "os_compute_api:os-volumes:create"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-volumes_detail:
    key: "os_compute_api:os-volumes:detail"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-volumes_show:
    key: "os_compute_api:os-volumes:show"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-volumes_delete:
    key: "os_compute_api:os-volumes:delete"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-volumes_snapshots_list:
    key: "os_compute_api:os-volumes:snapshots:list"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-volumes_snapshots_create:
    key: "os_compute_api:os-volumes:snapshots:create"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-volumes_snapshots_detail:
    key: "os_compute_api:os-volumes:snapshots:detail"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-volumes_snapshots_show:
    key: "os_compute_api:os-volumes:snapshots:show"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-volumes_snapshots_delete:
    key: "os_compute_api:os-volumes:snapshots:delete"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-volumes-attachments_index:
    key: "os_compute_api:os-volumes-attachments:index"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-volumes-attachments_create:
    key: "os_compute_api:os-volumes-attachments:create"
    value: "rule:admin_api or rule:project_member_api"
  nova-os_compute_api_os-volumes-attachments_show:
    key: "os_compute_api:os-volumes-attachments:show"
    value: "rule:admin_api or rule:project_reader_api"
  nova-os_compute_api_os-volumes-attachments_update:
    key: "os_compute_api:os-volumes-attachments:update"
    value: "rule:admin_api or rule:project_member_api"
  # Swapping an attached volume is admin-only, unlike the other attachment
  # operations in this group.
  nova-os_compute_api_os-volumes-attachments_swap:
    key: "os_compute_api:os-volumes-attachments:swap"
    value: "rule:admin_api"
  nova-os_compute_api_os-volumes-attachments_delete:
    key: "os_compute_api:os-volumes-attachments:delete"
    value: "rule:admin_api or rule:project_member_api"
# Policy overrides for the Placement API, same key/value item shape as
# NovaApiPolicies. Every entry resolves to rule:admin_api except
# placement:usages, which is also open to project readers. The admin_api and
# project_reader_api rules are referenced but not defined in this map —
# presumably Placement's own policy file supplies them; confirm.
PlacementPolicies:
  placement-placement_resource_providers_list:
    key: "placement:resource_providers:list"
    value: "rule:admin_api"
  placement-placement_resource_providers_create:
    key: "placement:resource_providers:create"
    value: "rule:admin_api"
  placement-placement_resource_providers_show:
    key: "placement:resource_providers:show"
    value: "rule:admin_api"
  placement-placement_resource_providers_update:
    key: "placement:resource_providers:update"
    value: "rule:admin_api"
  placement-placement_resource_providers_delete:
    key: "placement:resource_providers:delete"
    value: "rule:admin_api"
  placement-placement_resource_classes_list:
    key: "placement:resource_classes:list"
    value: "rule:admin_api"
  placement-placement_resource_classes_create:
    key: "placement:resource_classes:create"
    value: "rule:admin_api"
  placement-placement_resource_classes_show:
    key: "placement:resource_classes:show"
    value: "rule:admin_api"
  placement-placement_resource_classes_update:
    key: "placement:resource_classes:update"
    value: "rule:admin_api"
  placement-placement_resource_classes_delete:
    key: "placement:resource_classes:delete"
    value: "rule:admin_api"
  placement-placement_resource_providers_inventories_list:
    key: "placement:resource_providers:inventories:list"
    value: "rule:admin_api"
  placement-placement_resource_providers_inventories_create:
    key: "placement:resource_providers:inventories:create"
    value: "rule:admin_api"
  placement-placement_resource_providers_inventories_show:
    key: "placement:resource_providers:inventories:show"
    value: "rule:admin_api"
  placement-placement_resource_providers_inventories_update:
    key: "placement:resource_providers:inventories:update"
    value: "rule:admin_api"
  placement-placement_resource_providers_inventories_delete:
    key: "placement:resource_providers:inventories:delete"
    value: "rule:admin_api"
  placement-placement_resource_providers_aggregates_list:
    key: "placement:resource_providers:aggregates:list"
    value: "rule:admin_api"
  placement-placement_resource_providers_aggregates_update:
    key: "placement:resource_providers:aggregates:update"
    value: "rule:admin_api"
  placement-placement_resource_providers_usages:
    key: "placement:resource_providers:usages"
    value: "rule:admin_api"
  # The one non-admin policy in this map: project readers may query usages.
  placement-placement_usages:
    key: "placement:usages"
    value: "rule:admin_api or rule:project_reader_api"
  placement-placement_traits_list:
    key: "placement:traits:list"
    value: "rule:admin_api"
  placement-placement_traits_show:
    key: "placement:traits:show"
    value: "rule:admin_api"
  placement-placement_traits_update:
    key: "placement:traits:update"
    value: "rule:admin_api"
  placement-placement_traits_delete:
    key: "placement:traits:delete"
    value: "rule:admin_api"
  placement-placement_resource_providers_traits_list:
    key: "placement:resource_providers:traits:list"
    value: "rule:admin_api"
  placement-placement_resource_providers_traits_update:
    key: "placement:resource_providers:traits:update"
    value: "rule:admin_api"
  placement-placement_resource_providers_traits_delete:
    key: "placement:resource_providers:traits:delete"
    value: "rule:admin_api"
  placement-placement_allocations_manage:
    key: "placement:allocations:manage"
    value: "rule:admin_api"
  placement-placement_allocations_list:
    key: "placement:allocations:list"
    value: "rule:admin_api"
  placement-placement_allocations_update:
    key: "placement:allocations:update"
    value: "rule:admin_api"
  placement-placement_allocations_delete:
    key: "placement:allocations:delete"
    value: "rule:admin_api"
  placement-placement_resource_providers_allocations_list:
    key: "placement:resource_providers:allocations:list"
    value: "rule:admin_api"
  placement-placement_allocation_candidates_list:
    key: "placement:allocation_candidates:list"
    value: "rule:admin_api"
  placement-placement_reshaper_reshape:
    key: "placement:reshaper:reshape"
    value: "rule:admin_api"
NeutronApiPolicies:
# Base rules shared by the neutron policies that follow. Several are
# legacy aliases kept for compatibility: `context_is_admin`, `admin_only`
# and `admin_api` all reduce to `role:admin`, and the tenant_id-based
# `owner` / `admin_or_owner` family is what the fallback `default` rule
# resolves to.
neutron-context_is_admin:
  key: "context_is_admin"
  value: "role:admin"
# Legacy owner check keyed on tenant_id (the newer rules below use
# project_id). Still reachable through `rule:default`.
neutron-owner:
  key: "owner"
  value: "tenant_id:%(tenant_id)s"
neutron-admin_or_owner:
  key: "admin_or_owner"
  value: "rule:context_is_admin or rule:owner"
# The advsvc role is accepted in many of the network/port rules below
# (network reads, port create/update/delete, mac_address and fixed_ips
# overrides). Treat assignment of this role as a privileged operation.
neutron-context_is_advsvc:
  key: "context_is_advsvc"
  value: "role:advsvc"
neutron-admin_or_network_owner:
  key: "admin_or_network_owner"
  value: "rule:context_is_admin or tenant_id:%(network:tenant_id)s"
neutron-admin_owner_or_network_owner:
  key: "admin_owner_or_network_owner"
  value: "rule:owner or rule:admin_or_network_owner"
neutron-network_owner:
  key: "network_owner"
  value: "tenant_id:%(network:tenant_id)s"
neutron-admin_only:
  key: "admin_only"
  value: "rule:context_is_admin"
# NOTE(review): `admin_api` carries no scope qualifier (no system_scope
# or project_id term), so any token holding the admin role in any
# project satisfies every `rule:admin_api` check in this section.
# Confirm that is the intended admin model for the neutron release
# being deployed.
neutron-admin_api:
  key: "admin_api"
  value: "role:admin"
# An empty rule string matches any authenticated caller. None of the
# visible neutron rules reference `regular_user`; it is kept for
# policies that may still name it.
neutron-regular_user:
  key: "regular_user"
  value: ""
neutron-shared:
  key: "shared"
  value: "field:networks:shared=True"
# NOTE(review): in oslo.policy the `default` rule is the fallback for any
# policy name that is not defined explicitly, so an unlisted neutron
# policy resolves to the legacy tenant_id-based admin_or_owner check
# here, not to a role:member/project_id check.
neutron-default:
  key: "default"
  value: "rule:admin_or_owner"
neutron-admin_or_ext_parent_owner:
  key: "admin_or_ext_parent_owner"
  value: "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s"
# Owner of the parent resource (e.g. the floating IP or router that a
# port-forwarding / conntrack-helper entry hangs off), again keyed on
# tenant_id.
neutron-ext_parent_owner:
  key: "ext_parent_owner"
  value: "tenant_id:%(ext_parent:tenant_id)s"
neutron-sg_owner:
key: "sg_owner"
value: "tenant_id:%(security_group:tenant_id)s"
neutron-shared_address_groups:
key: "shared_address_groups"
value: "field:address_groups:shared=True"
neutron-get_address_group:
key: "get_address_group"
value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups"
neutron-shared_address_scopes:
key: "shared_address_scopes"
value: "field:address_scopes:shared=True"
neutron-create_address_scope:
key: "create_address_scope"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-create_address_scope_shared:
key: "create_address_scope:shared"
value: "rule:admin_api"
neutron-get_address_scope:
key: "get_address_scope"
value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_address_scopes"
neutron-update_address_scope:
key: "update_address_scope"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-update_address_scope_shared:
key: "update_address_scope:shared"
value: "rule:admin_api"
neutron-delete_address_scope:
key: "delete_address_scope"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-get_agent:
key: "get_agent"
value: "rule:admin_api"
neutron-update_agent:
key: "update_agent"
value: "rule:admin_api"
neutron-delete_agent:
key: "delete_agent"
value: "rule:admin_api"
neutron-create_dhcp-network:
key: "create_dhcp-network"
value: "rule:admin_api"
neutron-get_dhcp-networks:
key: "get_dhcp-networks"
value: "rule:admin_api"
neutron-delete_dhcp-network:
key: "delete_dhcp-network"
value: "rule:admin_api"
neutron-create_l3-router:
key: "create_l3-router"
value: "rule:admin_api"
neutron-get_l3-routers:
key: "get_l3-routers"
value: "rule:admin_api"
neutron-delete_l3-router:
key: "delete_l3-router"
value: "rule:admin_api"
neutron-get_dhcp-agents:
key: "get_dhcp-agents"
value: "rule:admin_api"
neutron-get_l3-agents:
key: "get_l3-agents"
value: "rule:admin_api"
neutron-get_auto_allocated_topology:
key: "get_auto_allocated_topology"
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
neutron-delete_auto_allocated_topology:
key: "delete_auto_allocated_topology"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-get_availability_zone:
key: "get_availability_zone"
value: "rule:admin_api"
neutron-create_flavor:
key: "create_flavor"
value: "rule:admin_api"
neutron-get_flavor:
key: "get_flavor"
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
neutron-update_flavor:
key: "update_flavor"
value: "rule:admin_api"
neutron-delete_flavor:
key: "delete_flavor"
value: "rule:admin_api"
neutron-create_service_profile:
key: "create_service_profile"
value: "rule:admin_api"
neutron-get_service_profile:
key: "get_service_profile"
value: "rule:admin_api"
neutron-update_service_profile:
key: "update_service_profile"
value: "rule:admin_api"
neutron-delete_service_profile:
key: "delete_service_profile"
value: "rule:admin_api"
neutron-get_flavor_service_profile:
key: "get_flavor_service_profile"
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
neutron-create_flavor_service_profile:
key: "create_flavor_service_profile"
value: "rule:admin_api"
neutron-delete_flavor_service_profile:
key: "delete_flavor_service_profile"
value: "rule:admin_api"
neutron-create_floatingip:
key: "create_floatingip"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-create_floatingip_floating_ip_address:
key: "create_floatingip:floating_ip_address"
value: "rule:admin_api"
neutron-get_floatingip:
key: "get_floatingip"
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
neutron-update_floatingip:
key: "update_floatingip"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-delete_floatingip:
key: "delete_floatingip"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-get_floatingip_pool:
key: "get_floatingip_pool"
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
neutron-create_floatingip_port_forwarding:
key: "create_floatingip_port_forwarding"
value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
neutron-get_floatingip_port_forwarding:
key: "get_floatingip_port_forwarding"
value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
neutron-update_floatingip_port_forwarding:
key: "update_floatingip_port_forwarding"
value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
neutron-delete_floatingip_port_forwarding:
key: "delete_floatingip_port_forwarding"
value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
neutron-create_router_conntrack_helper:
key: "create_router_conntrack_helper"
value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
neutron-get_router_conntrack_helper:
key: "get_router_conntrack_helper"
value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
neutron-update_router_conntrack_helper:
key: "update_router_conntrack_helper"
value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
neutron-delete_router_conntrack_helper:
key: "delete_router_conntrack_helper"
value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
neutron-get_loggable_resource:
key: "get_loggable_resource"
value: "rule:admin_api"
neutron-create_log:
key: "create_log"
value: "rule:admin_api"
neutron-get_log:
key: "get_log"
value: "rule:admin_api"
neutron-update_log:
key: "update_log"
value: "rule:admin_api"
neutron-delete_log:
key: "delete_log"
value: "rule:admin_api"
neutron-create_metering_label:
key: "create_metering_label"
value: "rule:admin_api"
neutron-get_metering_label:
key: "get_metering_label"
value: "rule:admin_api"
neutron-delete_metering_label:
key: "delete_metering_label"
value: "rule:admin_api"
neutron-create_metering_label_rule:
key: "create_metering_label_rule"
value: "rule:admin_api"
neutron-get_metering_label_rule:
key: "get_metering_label_rule"
value: "rule:admin_api"
neutron-delete_metering_label_rule:
key: "delete_metering_label_rule"
value: "rule:admin_api"
neutron-external:
key: "external"
value: "field:networks:router:external=True"
neutron-create_network:
key: "create_network"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-create_network_shared:
key: "create_network:shared"
value: "rule:admin_api"
neutron-create_network_router_external:
key: "create_network:router:external"
value: "rule:admin_api"
neutron-create_network_is_default:
key: "create_network:is_default"
value: "rule:admin_api"
neutron-create_network_port_security_enabled:
key: "create_network:port_security_enabled"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-create_network_segments:
key: "create_network:segments"
value: "rule:admin_api"
neutron-create_network_provider_network_type:
key: "create_network:provider:network_type"
value: "rule:admin_api"
neutron-create_network_provider_physical_network:
key: "create_network:provider:physical_network"
value: "rule:admin_api"
neutron-create_network_provider_segmentation_id:
key: "create_network:provider:segmentation_id"
value: "rule:admin_api"
# Network reads are wider than the project: any caller can see networks
# flagged shared or router:external, and the advsvc role sees all of
# them.
neutron-get_network:
  key: "get_network"
  value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc"
neutron-get_network_router_external:
  key: "get_network:router:external"
  value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
# The segments and provider:* attributes stay admin-only even on a
# network the caller may read, so network type, physical network and
# segmentation id are not returned to tenants.
neutron-get_network_segments:
  key: "get_network:segments"
  value: "rule:admin_api"
neutron-get_network_provider_network_type:
  key: "get_network:provider:network_type"
  value: "rule:admin_api"
neutron-get_network_provider_physical_network:
  key: "get_network:provider:physical_network"
  value: "rule:admin_api"
neutron-get_network_provider_segmentation_id:
  key: "get_network:provider:segmentation_id"
  value: "rule:admin_api"
neutron-update_network:
key: "update_network"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-update_network_segments:
key: "update_network:segments"
value: "rule:admin_api"
neutron-update_network_shared:
key: "update_network:shared"
value: "rule:admin_api"
neutron-update_network_provider_network_type:
key: "update_network:provider:network_type"
value: "rule:admin_api"
neutron-update_network_provider_physical_network:
key: "update_network:provider:physical_network"
value: "rule:admin_api"
neutron-update_network_provider_segmentation_id:
key: "update_network:provider:segmentation_id"
value: "rule:admin_api"
neutron-update_network_router_external:
key: "update_network:router:external"
value: "rule:admin_api"
neutron-update_network_is_default:
key: "update_network:is_default"
value: "rule:admin_api"
neutron-update_network_port_security_enabled:
key: "update_network:port_security_enabled"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-delete_network:
key: "delete_network"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-get_network_ip_availability:
key: "get_network_ip_availability"
value: "rule:admin_api"
neutron-create_network_segment_range:
key: "create_network_segment_range"
value: "rule:admin_api"
neutron-get_network_segment_range:
key: "get_network_segment_range"
value: "rule:admin_api"
neutron-update_network_segment_range:
key: "update_network_segment_range"
value: "rule:admin_api"
neutron-delete_network_segment_range:
key: "delete_network_segment_range"
value: "rule:admin_api"
# Matches ports whose device_owner begins with "network:" (`=~` is a
# regex match). The device_owner rules negate it: an ordinary
# device_owner is accepted freely, a "network:*" one needs admin, advsvc
# or the network owner.
neutron-network_device:
  key: "network_device"
  value: "field:port:device_owner=~^network:"
# Defined for reference; the visible update_port:data_plane_status rule
# spells the equivalent condition out inline instead of using
# `rule:admin_or_data_plane_int`.
neutron-admin_or_data_plane_int:
  key: "admin_or_data_plane_int"
  value: "rule:context_is_admin or role:data_plane_integrator"
neutron-create_port:
  key: "create_port"
  value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-create_port_device_owner:
  key: "create_port:device_owner"
  value: "not rule:network_device or rule:admin_api or rule:context_is_advsvc or rule:network_owner"
# The address-bearing attributes below are not open to plain project
# members: a member who owns the port but not the network cannot set
# mac_address, an explicit fixed ip_address, port_security_enabled or
# allowed_address_pairs. `rule:shared` only relaxes subnet selection
# (fixed_ips / fixed_ips:subnet_id) on shared networks.
neutron-create_port_mac_address:
  key: "create_port:mac_address"
  value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
neutron-create_port_fixed_ips:
  key: "create_port:fixed_ips"
  value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api or rule:shared"
neutron-create_port_fixed_ips_ip_address:
  key: "create_port:fixed_ips:ip_address"
  value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
neutron-create_port_fixed_ips_subnet_id:
  key: "create_port:fixed_ips:subnet_id"
  value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api or rule:shared"
neutron-create_port_port_security_enabled:
  key: "create_port:port_security_enabled"
  value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
# binding:host_id and binding:profile stay admin-only; they influence
# where and how the port is bound and are not something a tenant should
# be able to steer. vnic_type is the one binding attribute members may
# request.
neutron-create_port_binding_host_id:
  key: "create_port:binding:host_id"
  value: "rule:admin_api"
neutron-create_port_binding_profile:
  key: "create_port:binding:profile"
  value: "rule:admin_api"
neutron-create_port_binding_vnic_type:
  key: "create_port:binding:vnic_type"
  value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
# NOTE(review): allowed_address_pairs (which relaxes port anti-spoofing
# for the listed addresses) is granted to the network owner but not to
# the port's own project member. That is the conservative choice;
# confirm it matches expectations, since members on shared networks
# they do not own will be unable to set pairs (e.g. for VRRP).
neutron-create_port_allowed_address_pairs:
  key: "create_port:allowed_address_pairs"
  value: "rule:admin_api or rule:network_owner"
neutron-create_port_allowed_address_pairs_mac_address:
  key: "create_port:allowed_address_pairs:mac_address"
  value: "rule:admin_api or rule:network_owner"
neutron-create_port_allowed_address_pairs_ip_address:
  key: "create_port:allowed_address_pairs:ip_address"
  value: "rule:admin_api or rule:network_owner"
neutron-get_port:
key: "get_port"
value: "rule:context_is_advsvc or rule:admin_api or (role:reader and project_id:%(project_id)s)"
neutron-get_port_binding_vif_type:
key: "get_port:binding:vif_type"
value: "rule:admin_api"
neutron-get_port_binding_vif_details:
key: "get_port:binding:vif_details"
value: "rule:admin_api"
neutron-get_port_binding_host_id:
key: "get_port:binding:host_id"
value: "rule:admin_api"
neutron-get_port_binding_profile:
key: "get_port:binding:profile"
value: "rule:admin_api"
neutron-get_port_resource_request:
key: "get_port:resource_request"
value: "rule:admin_api"
# Port updates accept the advsvc role alongside admin and project
# members.
neutron-update_port:
  key: "update_port"
  value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
neutron-update_port_device_owner:
  key: "update_port:device_owner"
  value: "not rule:network_device or rule:context_is_advsvc or rule:network_owner or rule:admin_api"
# Narrower than create_port:mac_address, which also accepts the network
# owner: changing the MAC of an existing port is admin/advsvc only.
neutron-update_port_mac_address:
  key: "update_port:mac_address"
  value: "rule:admin_api or rule:context_is_advsvc"
# NOTE(review): unlike the create_port counterparts, `rule:shared` is
# accepted for fixed_ips:subnet_id but not for the parent fixed_ips
# attribute, so a non-owner on a shared network can pass the subnet_id
# sub-check yet still fail the fixed_ips check. Presumably mirrors the
# upstream defaults; confirm the asymmetry is intended.
neutron-update_port_fixed_ips:
  key: "update_port:fixed_ips"
  value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
neutron-update_port_fixed_ips_ip_address:
  key: "update_port:fixed_ips:ip_address"
  value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
neutron-update_port_fixed_ips_subnet_id:
  key: "update_port:fixed_ips:subnet_id"
  value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api or rule:shared"
neutron-update_port_port_security_enabled:
  key: "update_port:port_security_enabled"
  value: "rule:context_is_advsvc or rule:network_owner or rule:admin_api"
# binding:host_id / binding:profile remain admin-only on update as well;
# vnic_type additionally accepts advsvc here.
neutron-update_port_binding_host_id:
  key: "update_port:binding:host_id"
  value: "rule:admin_api"
neutron-update_port_binding_profile:
  key: "update_port:binding:profile"
  value: "rule:admin_api"
neutron-update_port_binding_vnic_type:
  key: "update_port:binding:vnic_type"
  value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
# Same owner-not-member restriction as the create_port allowed address
# pair rules.
neutron-update_port_allowed_address_pairs:
  key: "update_port:allowed_address_pairs"
  value: "rule:admin_api or rule:network_owner"
neutron-update_port_allowed_address_pairs_mac_address:
  key: "update_port:allowed_address_pairs:mac_address"
  value: "rule:admin_api or rule:network_owner"
neutron-update_port_allowed_address_pairs_ip_address:
  key: "update_port:allowed_address_pairs:ip_address"
  value: "rule:admin_api or rule:network_owner"
# Inline form of the `admin_or_data_plane_int` rule defined earlier in
# this section; the data_plane_integrator role is the only non-admin
# that may touch data_plane_status.
neutron-update_port_data_plane_status:
  key: "update_port:data_plane_status"
  value: "rule:admin_api or role:data_plane_integrator"
# Deletion, like update, is open to the advsvc role.
neutron-delete_port:
  key: "delete_port"
  value: "rule:context_is_advsvc or rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-get_policy:
key: "get_policy"
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
neutron-create_policy:
key: "create_policy"
value: "rule:admin_api"
neutron-update_policy:
key: "update_policy"
value: "rule:admin_api"
neutron-delete_policy:
key: "delete_policy"
value: "rule:admin_api"
neutron-get_rule_type:
key: "get_rule_type"
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
neutron-get_policy_bandwidth_limit_rule:
key: "get_policy_bandwidth_limit_rule"
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
neutron-create_policy_bandwidth_limit_rule:
key: "create_policy_bandwidth_limit_rule"
value: "rule:admin_api"
neutron-update_policy_bandwidth_limit_rule:
key: "update_policy_bandwidth_limit_rule"
value: "rule:admin_api"
neutron-delete_policy_bandwidth_limit_rule:
key: "delete_policy_bandwidth_limit_rule"
value: "rule:admin_api"
neutron-get_policy_dscp_marking_rule:
key: "get_policy_dscp_marking_rule"
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
neutron-create_policy_dscp_marking_rule:
key: "create_policy_dscp_marking_rule"
value: "rule:admin_api"
neutron-update_policy_dscp_marking_rule:
key: "update_policy_dscp_marking_rule"
value: "rule:admin_api"
neutron-delete_policy_dscp_marking_rule:
key: "delete_policy_dscp_marking_rule"
value: "rule:admin_api"
neutron-get_policy_minimum_bandwidth_rule:
key: "get_policy_minimum_bandwidth_rule"
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
neutron-create_policy_minimum_bandwidth_rule:
key: "create_policy_minimum_bandwidth_rule"
value: "rule:admin_api"
neutron-update_policy_minimum_bandwidth_rule:
key: "update_policy_minimum_bandwidth_rule"
value: "rule:admin_api"
neutron-delete_policy_minimum_bandwidth_rule:
key: "delete_policy_minimum_bandwidth_rule"
value: "rule:admin_api"
neutron-get_alias_bandwidth_limit_rule:
key: "get_alias_bandwidth_limit_rule"
value: "rule:get_policy_bandwidth_limit_rule"
neutron-update_alias_bandwidth_limit_rule:
key: "update_alias_bandwidth_limit_rule"
value: "rule:update_policy_bandwidth_limit_rule"
neutron-delete_alias_bandwidth_limit_rule:
key: "delete_alias_bandwidth_limit_rule"
value: "rule:delete_policy_bandwidth_limit_rule"
neutron-get_alias_dscp_marking_rule:
key: "get_alias_dscp_marking_rule"
value: "rule:get_policy_dscp_marking_rule"
neutron-update_alias_dscp_marking_rule:
key: "update_alias_dscp_marking_rule"
value: "rule:update_policy_dscp_marking_rule"
neutron-delete_alias_dscp_marking_rule:
key: "delete_alias_dscp_marking_rule"
value: "rule:delete_policy_dscp_marking_rule"
neutron-get_alias_minimum_bandwidth_rule:
key: "get_alias_minimum_bandwidth_rule"
value: "rule:get_policy_minimum_bandwidth_rule"
neutron-update_alias_minimum_bandwidth_rule:
key: "update_alias_minimum_bandwidth_rule"
value: "rule:update_policy_minimum_bandwidth_rule"
neutron-delete_alias_minimum_bandwidth_rule:
key: "delete_alias_minimum_bandwidth_rule"
value: "rule:delete_policy_minimum_bandwidth_rule"
neutron-get_quota:
key: "get_quota"
value: "rule:admin_api"
neutron-update_quota:
key: "update_quota"
value: "rule:admin_api"
neutron-delete_quota:
key: "delete_quota"
value: "rule:admin_api"
# `restrict_wildcard` is defined here but the target_tenant rules below
# repeat the same condition inline; either form stops a non-admin from
# sharing a resource with every project (target_tenant "*").
neutron-restrict_wildcard:
  key: "restrict_wildcard"
  value: "(not field:rbac_policy:target_tenant=*) or rule:admin_api"
neutron-create_rbac_policy:
  key: "create_rbac_policy"
  value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
# Only admins may set target_tenant to "*"; members can still share with
# a specific project id.
neutron-create_rbac_policy_target_tenant:
  key: "create_rbac_policy:target_tenant"
  value: "rule:admin_api or (not field:rbac_policy:target_tenant=*)"
neutron-update_rbac_policy:
  key: "update_rbac_policy"
  value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
# Same wildcard restriction applied when an existing policy is retargeted.
neutron-update_rbac_policy_target_tenant:
  key: "update_rbac_policy:target_tenant"
  value: "rule:admin_api or (not field:rbac_policy:target_tenant=*)"
neutron-get_rbac_policy:
  key: "get_rbac_policy"
  value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
neutron-delete_rbac_policy:
  key: "delete_rbac_policy"
  value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-create_router:
key: "create_router"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-create_router_distributed:
key: "create_router:distributed"
value: "rule:admin_api"
neutron-create_router_ha:
key: "create_router:ha"
value: "rule:admin_api"
neutron-create_router_external_gateway_info:
key: "create_router:external_gateway_info"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-create_router_external_gateway_info_network_id:
key: "create_router:external_gateway_info:network_id"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-create_router_external_gateway_info_enable_snat:
key: "create_router:external_gateway_info:enable_snat"
value: "rule:admin_api"
neutron-create_router_external_gateway_info_external_fixed_ips:
key: "create_router:external_gateway_info:external_fixed_ips"
value: "rule:admin_api"
neutron-get_router:
key: "get_router"
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
neutron-get_router_distributed:
key: "get_router:distributed"
value: "rule:admin_api"
neutron-get_router_ha:
key: "get_router:ha"
value: "rule:admin_api"
neutron-update_router:
key: "update_router"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-update_router_distributed:
key: "update_router:distributed"
value: "rule:admin_api"
neutron-update_router_ha:
key: "update_router:ha"
value: "rule:admin_api"
neutron-update_router_external_gateway_info:
key: "update_router:external_gateway_info"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-update_router_external_gateway_info_network_id:
key: "update_router:external_gateway_info:network_id"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-update_router_external_gateway_info_enable_snat:
key: "update_router:external_gateway_info:enable_snat"
value: "rule:admin_api"
neutron-update_router_external_gateway_info_external_fixed_ips:
key: "update_router:external_gateway_info:external_fixed_ips"
value: "rule:admin_api"
neutron-delete_router:
key: "delete_router"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-add_router_interface:
key: "add_router_interface"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-remove_router_interface:
key: "remove_router_interface"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-add_extraroutes:
key: "add_extraroutes"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-remove_extraroutes:
key: "remove_extraroutes"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-admin_or_sg_owner:
key: "admin_or_sg_owner"
value: "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s"
neutron-admin_owner_or_sg_owner:
key: "admin_owner_or_sg_owner"
value: "rule:owner or rule:admin_or_sg_owner"
neutron-create_security_group:
key: "create_security_group"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-get_security_group:
key: "get_security_group"
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
neutron-update_security_group:
key: "update_security_group"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-delete_security_group:
key: "delete_security_group"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-create_security_group_rule:
key: "create_security_group_rule"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-get_security_group_rule:
key: "get_security_group_rule"
value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:sg_owner"
neutron-delete_security_group_rule:
key: "delete_security_group_rule"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-create_segment:
key: "create_segment"
value: "rule:admin_api"
neutron-get_segment:
key: "get_segment"
value: "rule:admin_api"
neutron-update_segment:
key: "update_segment"
value: "rule:admin_api"
neutron-delete_segment:
key: "delete_segment"
value: "rule:admin_api"
# NOTE(review): no project_id term, so any holder of the reader role in
# any project can list service providers. Presumably fine, since service
# providers are deployment-wide rather than per-project data; confirm.
neutron-get_service_provider:
  key: "get_service_provider"
  value: "role:reader"
neutron-create_subnet:
key: "create_subnet"
value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:network_owner"
neutron-create_subnet_segment_id:
key: "create_subnet:segment_id"
value: "rule:admin_api"
neutron-create_subnet_service_types:
key: "create_subnet:service_types"
value: "rule:admin_api"
neutron-get_subnet:
key: "get_subnet"
value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared"
neutron-get_subnet_segment_id:
key: "get_subnet:segment_id"
value: "rule:admin_api"
neutron-update_subnet:
key: "update_subnet"
value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:network_owner"
neutron-update_subnet_segment_id:
key: "update_subnet:segment_id"
value: "rule:admin_api"
neutron-update_subnet_service_types:
key: "update_subnet:service_types"
value: "rule:admin_api"
neutron-delete_subnet:
key: "delete_subnet"
value: "rule:admin_api or (role:member and project_id:%(project_id)s) or rule:network_owner"
neutron-shared_subnetpools:
key: "shared_subnetpools"
value: "field:subnetpools:shared=True"
neutron-create_subnetpool:
key: "create_subnetpool"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-create_subnetpool_shared:
key: "create_subnetpool:shared"
value: "rule:admin_api"
neutron-create_subnetpool_is_default:
key: "create_subnetpool:is_default"
value: "rule:admin_api"
neutron-get_subnetpool:
key: "get_subnetpool"
value: "rule:admin_api or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools"
neutron-update_subnetpool:
key: "update_subnetpool"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-update_subnetpool_is_default:
key: "update_subnetpool:is_default"
value: "rule:admin_api"
neutron-delete_subnetpool:
key: "delete_subnetpool"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-onboard_network_subnets:
key: "onboard_network_subnets"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-add_prefixes:
key: "add_prefixes"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-remove_prefixes:
key: "remove_prefixes"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-create_trunk:
key: "create_trunk"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-get_trunk:
key: "get_trunk"
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
neutron-update_trunk:
key: "update_trunk"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-delete_trunk:
key: "delete_trunk"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-get_subports:
key: "get_subports"
value: "rule:admin_api or (role:reader and project_id:%(project_id)s)"
neutron-add_subports:
key: "add_subports"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
neutron-remove_subports:
key: "remove_subports"
value: "rule:admin_api or (role:member and project_id:%(project_id)s)"
# The glance policies in Xena implement project personas by default, so these
# policies do not need to change. They are nevertheless kept defined here under
# GlanceApiPolicies so that they are written to /etc/glance/policy.yaml, where
# they duplicate the in-code defaults. This may change in the future as glance
# evolves its policies in Yoga to consume system scope.
GlanceApiPolicies:
# An empty rule matches any authenticated caller. It is referenced later
# in this section by the get_task/get_tasks/add_task/modify_task
# policies.
glance-default:
  key: "default"
  value: ""
glance-context_is_admin:
  key: "context_is_admin"
  value: "role:admin"
# The extra `project_id:%(owner)s` term ties the image's owner field to
# the caller's project, so a member cannot create an image owned by a
# different project.
glance-add_image:
  key: "add_image"
  value: "role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)"
glance-delete_image:
  key: "delete_image"
  value: "role:admin or (role:member and project_id:%(project_id)s)"
# Readers see their own project's images, images shared with them
# (member_id), and anything whose visibility is community, public or
# shared; the quoted terms are literal-string comparisons against the
# image's visibility (hence the single-quoted YAML).
# NOTE(review): the `"shared":%(visibility)s` term passes the policy
# check for any shared image regardless of membership; limiting that to
# actual members is presumably left to glance's own visibility filtering.
# Confirm for the deployed release.
glance-get_image:
  key: "get_image"
  value: 'role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))'
glance-get_images:
  key: "get_images"
  value: "role:admin or (role:reader and project_id:%(project_id)s)"
glance-modify_image:
key: "modify_image"
value: "role:admin or (role:member and project_id:%(project_id)s)"
glance-publicize_image:
key: "publicize_image"
value: "role:admin"
glance-communitize_image:
key: "communitize_image"
value: "role:admin or (role:member and project_id:%(project_id)s)"
glance-download_image:
key: "download_image"
value: 'role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))'
glance-upload_image:
key: "upload_image"
value: "role:admin or (role:member and project_id:%(project_id)s)"
glance-delete_image_location:
key: "delete_image_location"
value: "role:admin"
glance-get_image_location:
key: "get_image_location"
value: "role:admin or (role:reader and project_id:%(project_id)s)"
glance-set_image_location:
key: "set_image_location"
value: "role:admin or (role:member and project_id:%(project_id)s)"
glance-add_member:
key: "add_member"
value: "role:admin or (role:member and project_id:%(project_id)s)"
glance-delete_member:
key: "delete_member"
value: "role:admin or (role:member and project_id:%(project_id)s)"
# These two omit the parentheses their siblings use; oslo.policy gives
# `and` higher precedence than `or`, so they still evaluate as
# `role:admin or (role:reader and (...))`. Adding the parentheses would
# make that explicit and consistent with the surrounding rules.
glance-get_member:
  key: "get_member"
  value: "role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"
glance-get_members:
  key: "get_members"
  value: "role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"
# Keyed on member_id rather than project_id: presumably the receiving
# project updates its own membership status, while add/delete_member
# above stay with the image owner's project. Confirm against the
# glance sharing workflow in use.
glance-modify_member:
  key: "modify_member"
  value: "role:admin or (role:member and project_id:%(member_id)s)"
glance-manage_image_cache:
key: "manage_image_cache"
value: "role:admin"
glance-deactivate:
key: "deactivate"
value: "role:admin or (role:member and project_id:%(project_id)s)"
glance-reactivate:
key: "reactivate"
value: "role:admin or (role:member and project_id:%(project_id)s)"
glance-copy_image:
key: "copy_image"
value: "role:admin"
# The per-operation task policies fall through to `rule:default`, which
# is the empty (allow any authenticated caller) rule defined at the top
# of this section. Access to the tasks API is presumably gated by
# `tasks_api_access` below; review the two together, because loosening
# tasks_api_access would expose these operations to every user.
glance-get_task:
  key: "get_task"
  value: "rule:default"
glance-get_tasks:
  key: "get_tasks"
  value: "rule:default"
glance-add_task:
  key: "add_task"
  value: "rule:default"
glance-modify_task:
  key: "modify_task"
  value: "rule:default"
glance-tasks_api_access:
  key: "tasks_api_access"
  value: "role:admin"
# Empty rule; none of the visible metadef policies reference it (they
# use rule:metadef_admin or an explicit reader check).
glance-metadef_default:
  key: "metadef_default"
  value: ""
glance-metadef_admin:
  key: "metadef_admin"
  value: "role:admin"
glance-get_metadef_namespace:
key: "get_metadef_namespace"
value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
glance-get_metadef_namespaces:
key: "get_metadef_namespaces"
value: "role:admin or (role:reader and project_id:%(project_id)s)"
glance-modify_metadef_namespace:
key: "modify_metadef_namespace"
value: "rule:metadef_admin"
glance-add_metadef_namespace:
key: "add_metadef_namespace"
value: "rule:metadef_admin"
glance-delete_metadef_namespace:
key: "delete_metadef_namespace"
value: "rule:metadef_admin"
glance-get_metadef_object:
key: "get_metadef_object"
value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
glance-get_metadef_objects:
key: "get_metadef_objects"
value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
glance-modify_metadef_object:
key: "modify_metadef_object"
value: "rule:metadef_admin"
glance-add_metadef_object:
key: "add_metadef_object"
value: "rule:metadef_admin"
glance-delete_metadef_object:
key: "delete_metadef_object"
value: "rule:metadef_admin"
glance-list_metadef_resource_types:
key: "list_metadef_resource_types"
value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
glance-get_metadef_resource_type:
key: "get_metadef_resource_type"
value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
glance-add_metadef_resource_type_association:
key: "add_metadef_resource_type_association"
value: "rule:metadef_admin"
glance-remove_metadef_resource_type_association:
key: "remove_metadef_resource_type_association"
value: "rule:metadef_admin"
glance-get_metadef_property:
key: "get_metadef_property"
value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
glance-get_metadef_properties:
key: "get_metadef_properties"
value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
glance-modify_metadef_property:
key: "modify_metadef_property"
value: "rule:metadef_admin"
glance-add_metadef_property:
key: "add_metadef_property"
value: "rule:metadef_admin"
glance-remove_metadef_property:
key: "remove_metadef_property"
value: "rule:metadef_admin"
glance-get_metadef_tag:
key: "get_metadef_tag"
value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
glance-get_metadef_tags:
key: "get_metadef_tags"
value: 'role:admin or (role:reader and (project_id:%(project_id)s or "public":%(visibility)s))'
glance-modify_metadef_tag:
key: "modify_metadef_tag"
value: "rule:metadef_admin"
glance-add_metadef_tag:
key: "add_metadef_tag"
value: "rule:metadef_admin"
glance-add_metadef_tags:
key: "add_metadef_tags"
value: "rule:metadef_admin"
glance-delete_metadef_tag:
key: "delete_metadef_tag"
value: "rule:metadef_admin"
glance-delete_metadef_tags:
key: "delete_metadef_tags"
value: "rule:metadef_admin"
DesignateApiPolicies:
designate-default:
key: "default"
value: "role:admin or (role:member and project_id:%(project_id)s)"
designate-create_blacklist:
key: "create_blacklist"
value: "role:admin"
designate-find_blacklist:
key: "find_blacklist"
value: "role:reader"
designate-find_blacklists:
key: "find_blacklists"
value: "role:reader"
designate-get_blacklist:
key: "get_blacklist"
value: "role:reader"
designate-update_blacklist:
key: "update_blacklist"
value: "role:admin"
designate-delete_blacklist:
key: "delete_blacklist"
value: "role:admin"
designate-use_blacklisted_zone:
key: "use_blacklisted_zone"
value: "role:admin"
designate-all_tenants:
key: "all_tenants"
value: "role:admin"
designate-edit_managed_records:
key: "edit_managed_records"
value: "role:admin"
designate-use_low_ttl:
key: "use_low_ttl"
value: "role:admin"
designate-use_sudo:
key: "use_sudo"
value: "role:admin"
designate-diagnostics_ping:
key: "diagnostics_ping"
value: "role:admin"
designate-diagnostics_sync_zones:
key: "diagnostics_sync_zones"
value: "role:admin"
designate-diagnostics_sync_zone:
key: "diagnostics_sync_zone"
value: "role:admin"
designate-diagnostics_sync_record:
key: "diagnostics_sync_record"
value: "role:admin"
designate-create_pool:
key: "create_pool"
value: "role:admin"
designate-find_pools:
key: "find_pools"
value: "role:reader"
designate-find_pool:
key: "find_pool"
value: "role:reader"
designate-get_pool:
key: "get_pool"
value: "role:reader"
designate-update_pool:
key: "update_pool"
value: "role:admin"
designate-delete_pool:
key: "delete_pool"
value: "role:admin"
designate-zone_create_forced_pool:
key: "zone_create_forced_pool"
value: "role:admin"
designate-get_quotas:
key: "get_quotas"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
designate-get_quota:
key: "get_quota"
value: "role:admin or (role:reader and project_id:%(project_id)s)"
designate-set_quota:
key: "set_quota"
value: "role:admin"
designate-reset_quotas:
key: "reset_quotas"
value: "role:admin"
designate-find_records:
key: "find_records"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
designate-count_records:
key: "count_records"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
designate-create_recordset:
key: "create_recordset"
value: "(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin and ('PRIMARY':%(zone_type)s)) or (role:admin and ('SECONDARY':%(zone_type)s))"
designate-get_recordsets:
key: "get_recordsets"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
designate-get_recordset:
key: "get_recordset"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
designate-find_recordset:
key: "find_recordset"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
designate-find_recordsets:
key: "find_recordsets"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
designate-update_recordset:
key: "update_recordset"
value: "(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin and ('PRIMARY':%(zone_type)s)) or (role:admin and ('SECONDARY':%(zone_type)s))"
designate-delete_recordset:
key: "delete_recordset"
value: "(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin and ('PRIMARY':%(zone_type)s)) or (role:admin and ('SECONDARY':%(zone_type)s))"
designate-count_recordset:
key: "count_recordset"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
designate-find_service_status:
key: "find_service_status"
value: "role:admin"
designate-find_service_statuses:
key: "find_service_statuses"
value: "role:admin"
designate-update_service_status:
key: "update_service_status"
value: "role:admin"
designate-find_tenants:
key: "find_tenants"
value: "role:admin"
designate-get_tenant:
key: "get_tenant"
value: "role:admin"
designate-count_tenants:
key: "count_tenants"
value: "role:admin"
designate-create_tld:
key: "create_tld"
value: "role:admin"
designate-find_tlds:
key: "find_tlds"
value: "role:admin"
designate-get_tld:
key: "get_tld"
value: "role:admin"
designate-update_tld:
key: "update_tld"
value: "role:admin"
designate-delete_tld:
key: "delete_tld"
value: "role:admin"
designate-create_tsigkey:
key: "create_tsigkey"
value: "role:admin"
designate-find_tsigkeys:
key: "find_tsigkeys"
value: "role:admin"
designate-get_tsigkey:
key: "get_tsigkey"
value: "role:admin"
designate-update_tsigkey:
key: "update_tsigkey"
value: "role:admin"
designate-delete_tsigkey:
key: "delete_tsigkey"
value: "role:admin"
designate-create_zone:
key: "create_zone"
value: "role:admin or (role:member and project_id:%(project_id)s)"
designate-get_zones:
key: "get_zones"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
designate-get_zone:
key: "get_zone"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
designate-get_zone_servers:
key: "get_zone_servers"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
designate-get_zone_ns_records:
key: "get_zone_ns_records"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
designate-find_zones:
key: "find_zones"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
designate-update_zone:
key: "update_zone"
value: "role:admin or (role:member and project_id:%(project_id)s)"
designate-delete_zone:
key: "delete_zone"
value: "role:admin or (role:member and project_id:%(project_id)s)"
designate-xfr_zone:
key: "xfr_zone"
value: "role:admin or (role:member and project_id:%(project_id)s)"
designate-abandon_zone:
key: "abandon_zone"
value: "role:admin"
designate-count_zones:
key: "count_zones"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
designate-count_zones_pending_notify:
key: "count_zones_pending_notify"
value: "(role:reader and project_id:%(project_id)s) or or (True:%(all_tenants)s and role:reader)"
designate-purge_zones:
key: "purge_zones"
value: "role:admin"
designate-touch_zone:
key: "touch_zone"
value: "role:admin or (role:member and project_id:%(project_id)s)"
designate-zone_export:
key: "zone_export"
value: "role:admin or (role:member and project_id:%(project_id)s)"
designate-create_zone_export:
key: "create_zone_export"
value: "role:admin or (role:member and project_id:%(project_id)s)"
designate-find_zone_exports:
key: "find_zone_exports"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
designate-get_zone_export:
key: "get_zone_export"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
designate-update_zone_export:
key: "update_zone_export"
value: "role:admin or (role:member and project_id:%(project_id)s)"
designate-delete_zone_export:
key: "delete_zone_export"
value: "role:admin or (role:member and project_id:%(project_id)s)"
designate-create_zone_import:
key: "create_zone_import"
value: "role:admin or (role:member and project_id:%(project_id)s)"
designate-find_zone_imports:
key: "find_zone_imports"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
designate-get_zone_import:
key: "get_zone_import"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
designate-update_zone_import:
key: "update_zone_import"
value: "role:admin or (role:member and project_id:%(project_id)s)"
designate-delete_zone_import:
key: "delete_zone_import"
value: "role:admin or (role:member and project_id:%(project_id)s)"
  # create_zone_transfer_accept: admins and members of the owning project may
  # accept, as may any caller whose project is the request's target project.
  # The last alternative matches when target_project_id is unset, so an
  # untargeted transfer request can be accepted from any project.
  # NOTE(review): presumably the transfer key is validated in the Designate
  # API code rather than by this rule - confirm before relying on the policy
  # alone to gate acceptance.
  designate-create_zone_transfer_accept:
    key: "create_zone_transfer_accept"
    value: "(role:admin or (role:member and project_id:%(project_id)s)) or project_id:%(target_project_id)s or None:%(target_project_id)s"
designate-get_zone_transfer_accept:
key: "get_zone_transfer_accept"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
designate-find_zone_transfer_accepts:
key: "find_zone_transfer_accepts"
value: "role:admin"
designate-find_zone_transfer_accept:
key: "find_zone_transfer_accept"
value: "role:admin"
designate-update_zone_transfer_accept:
key: "update_zone_transfer_accept"
value: "role:admin"
designate-delete_zone_transfer_accept:
key: "delete_zone_transfer_accept"
value: "role:admin"
designate-create_zone_transfer_request:
key: "create_zone_transfer_request"
value: "role:admin or (role:member and project_id:%(project_id)s)"
designate-get_zone_transfer_request:
key: "get_zone_transfer_request"
value: "(role:admin or (role:member and project_id:%(project_id)s)) or project_id:%(target_project_id)s or None:%(target_project_id)s"
designate-get_zone_transfer_request_detailed:
key: "get_zone_transfer_request_detailed"
value: "(role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)"
  # find_zone_transfer_requests / find_zone_transfer_request are open: "@" is
  # oslo.policy's always-allow check, so every request that reaches this
  # policy passes regardless of role or project.
  # NOTE(review): this is only safe if the Designate API itself narrows the
  # result set to the caller's own and targeted transfer requests; that
  # filtering is not visible here. Verify it, because unlike the other
  # designate rules above, policy alone does not scope these two calls.
  designate-find_zone_transfer_requests:
    key: "find_zone_transfer_requests"
    value: "@"
  designate-find_zone_transfer_request:
    key: "find_zone_transfer_request"
    value: "@"
designate-update_zone_transfer_request:
key: "update_zone_transfer_request"
value: "role:admin or (role:member and project_id:%(project_id)s)"
designate-delete_zone_transfer_request:
key: "delete_zone_transfer_request"
value: "role:admin or (role:member and project_id:%(project_id)s)"
CinderApiPolicies:
cinder-admin_or_owner:
key: "admin_or_owner"
value: "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"
cinder-system_or_domain_or_project_admin:
key: "system_or_domain_or_project_admin"
value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s) or (role:admin and project_id:%(project_id)s)"
cinder-context_is_admin:
key: "context_is_admin"
value: "role:admin"
cinder-admin_api:
key: "admin_api"
value: "is_admin:True or (role:admin and is_admin_project:True)"
cinder-system_admin_or_project_member:
key: "system_admin_or_project_member"
value: "role:admin or (role:member and project_id:%(project_id)s)"
cinder-system_admin_or_project_reader:
key: "system_admin_or_project_reader"
value: "role:admin or (role:reader and project_id:%(project_id)s)"
cinder-volume_attachment_create:
key: "volume:attachment_create"
value: "rule:system_admin_or_project_member"
cinder-volume_attachment_update:
key: "volume:attachment_update"
value: "rule:system_admin_or_project_member"
cinder-volume_attachment_delete:
key: "volume:attachment_delete"
value: "rule:system_admin_or_project_member"
cinder-volume_attachment_complete:
key: "volume:attachment_complete"
value: "rule:system_admin_or_project_member"
cinder-volume_multiattach_bootable_volume:
key: "volume:multiattach_bootable_volume"
value: "rule:system_admin_or_project_member"
cinder-message_get_all:
key: "message:get_all"
value: "rule:system_admin_or_project_reader"
cinder-message_get:
key: "message:get"
value: "rule:system_admin_or_project_reader"
cinder-message_delete:
key: "message:delete"
value: "rule:system_admin_or_project_member"
cinder-clusters_get_all:
key: "clusters:get_all"
value: "rule:admin_api"
cinder-clusters_get:
key: "clusters:get"
value: "rule:admin_api"
cinder-clusters_update:
key: "clusters:update"
value: "rule:admin_api"
cinder-workers_cleanup:
key: "workers:cleanup"
value: "rule:admin_api"
cinder-volume_get_snapshot_metadata:
key: "volume:get_snapshot_metadata"
value: "rule:system_admin_or_project_reader"
cinder-volume_update_snapshot_metadata:
key: "volume:update_snapshot_metadata"
value: "rule:system_admin_or_project_member"
cinder-volume_delete_snapshot_metadata:
key: "volume:delete_snapshot_metadata"
value: "rule:system_admin_or_project_member"
cinder-volume_get_all_snapshots:
key: "volume:get_all_snapshots"
value: "rule:system_admin_or_project_reader"
cinder-volume_extension_extended_snapshot_attributes:
key: "volume_extension:extended_snapshot_attributes"
value: "rule:system_admin_or_project_reader"
cinder-volume_create_snapshot:
key: "volume:create_snapshot"
value: "rule:system_admin_or_project_member"
cinder-volume_get_snapshot:
key: "volume:get_snapshot"
value: "rule:system_admin_or_project_reader"
cinder-volume_update_snapshot:
key: "volume:update_snapshot"
value: "rule:system_admin_or_project_member"
cinder-volume_delete_snapshot:
key: "volume:delete_snapshot"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_snapshot_admin_actions_reset_status:
key: "volume_extension:snapshot_admin_actions:reset_status"
value: "rule:admin_api"
cinder-snapshot_extension_snapshot_actions_update_snapshot_status:
key: "snapshot_extension:snapshot_actions:update_snapshot_status"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_snapshot_admin_actions_force_delete:
key: "volume_extension:snapshot_admin_actions:force_delete"
value: "rule:admin_api"
cinder-snapshot_extension_list_manageable:
key: "snapshot_extension:list_manageable"
value: "rule:admin_api"
cinder-snapshot_extension_snapshot_manage:
key: "snapshot_extension:snapshot_manage"
value: "rule:admin_api"
cinder-snapshot_extension_snapshot_unmanage:
key: "snapshot_extension:snapshot_unmanage"
value: "rule:admin_api"
cinder-backup_get_all:
key: "backup:get_all"
value: "rule:system_admin_or_project_reader"
cinder-backup_backup_project_attribute:
key: "backup:backup_project_attribute"
value: "rule:admin_api"
cinder-backup_create:
key: "backup:create"
value: "rule:system_admin_or_project_member"
cinder-backup_get:
key: "backup:get"
value: "rule:system_admin_or_project_reader"
cinder-backup_update:
key: "backup:update"
value: "rule:system_admin_or_project_member"
cinder-backup_delete:
key: "backup:delete"
value: "rule:system_admin_or_project_member"
cinder-backup_restore:
key: "backup:restore"
value: "rule:system_admin_or_project_member"
cinder-backup_backup-import:
key: "backup:backup-import"
value: "rule:admin_api"
cinder-backup_export-import:
key: "backup:export-import"
value: "rule:admin_api"
cinder-volume_extension_backup_admin_actions_reset_status:
key: "volume_extension:backup_admin_actions:reset_status"
value: "rule:admin_api"
cinder-volume_extension_backup_admin_actions_force_delete:
key: "volume_extension:backup_admin_actions:force_delete"
value: "rule:admin_api"
cinder-group_get_all:
key: "group:get_all"
value: "rule:system_admin_or_project_reader"
cinder-group_create:
key: "group:create"
value: "rule:system_admin_or_project_member"
cinder-group_get:
key: "group:get"
value: "rule:system_admin_or_project_reader"
cinder-group_update:
key: "group:update"
value: "rule:system_admin_or_project_member"
cinder-group_group_project_attribute:
key: "group:group_project_attribute"
value: "rule:admin_api"
cinder-group_group_types_create:
key: "group:group_types:create"
value: "rule:admin_api"
cinder-group_group_types_update:
key: "group:group_types:update"
value: "rule:admin_api"
cinder-group_group_types_delete:
key: "group:group_types:delete"
value: "rule:admin_api"
cinder-group_access_group_types_specs:
key: "group:access_group_types_specs"
value: "rule:admin_api"
cinder-group_group_types_specs_get:
key: "group:group_types_specs:get"
value: "rule:admin_api"
cinder-group_group_types_specs_get_all:
key: "group:group_types_specs:get_all"
value: "rule:admin_api"
cinder-group_group_types_specs_create:
key: "group:group_types_specs:create"
value: "rule:admin_api"
cinder-group_group_types_specs_update:
key: "group:group_types_specs:update"
value: "rule:admin_api"
cinder-group_group_types_specs_delete:
key: "group:group_types_specs:delete"
value: "rule:admin_api"
cinder-group_get_all_group_snapshots:
key: "group:get_all_group_snapshots"
value: "rule:system_admin_or_project_reader"
cinder-group_create_group_snapshot:
key: "group:create_group_snapshot"
value: "rule:system_admin_or_project_member"
cinder-group_get_group_snapshot:
key: "group:get_group_snapshot"
value: "rule:system_admin_or_project_reader"
cinder-group_delete_group_snapshot:
key: "group:delete_group_snapshot"
value: "rule:system_admin_or_project_member"
cinder-group_update_group_snapshot:
key: "group:update_group_snapshot"
value: "rule:system_admin_or_project_member"
cinder-group_group_snapshot_project_attribute:
key: "group:group_snapshot_project_attribute"
value: "rule:admin_api"
cinder-group_reset_group_snapshot_status:
key: "group:reset_group_snapshot_status"
value: "rule:admin_api"
cinder-group_delete:
key: "group:delete"
value: "rule:system_admin_or_project_member"
cinder-group_reset_status:
key: "group:reset_status"
value: "rule:admin_api"
cinder-group_enable_replication:
key: "group:enable_replication"
value: "rule:system_admin_or_project_member"
cinder-group_disable_replication:
key: "group:disable_replication"
value: "rule:system_admin_or_project_member"
cinder-group_failover_replication:
key: "group:failover_replication"
value: "rule:system_admin_or_project_member"
cinder-group_list_replication_targets:
key: "group:list_replication_targets"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_qos_specs_manage_get_all:
key: "volume_extension:qos_specs_manage:get_all"
value: "rule:admin_api"
cinder-volume_extension_qos_specs_manage_get:
key: "volume_extension:qos_specs_manage:get"
value: "rule:admin_api"
cinder-volume_extension_qos_specs_manage_create:
key: "volume_extension:qos_specs_manage:create"
value: "rule:admin_api"
cinder-volume_extension_qos_specs_manage_update:
key: "volume_extension:qos_specs_manage:update"
value: "rule:admin_api"
cinder-volume_extension_qos_specs_manage_delete:
key: "volume_extension:qos_specs_manage:delete"
value: "rule:admin_api"
cinder-volume_extension_quota_classes_get:
key: "volume_extension:quota_classes:get"
value: "rule:admin_api"
cinder-volume_extension_quota_classes_update:
key: "volume_extension:quota_classes:update"
value: "rule:admin_api"
cinder-volume_extension_quotas_show:
key: "volume_extension:quotas:show"
value: "rule:system_admin_or_project_reader"
cinder-volume_extension_quotas_update:
key: "volume_extension:quotas:update"
value: "rule:admin_api"
cinder-volume_extension_quotas_delete:
key: "volume_extension:quotas:delete"
value: "rule:admin_api"
cinder-volume_extension_capabilities:
key: "volume_extension:capabilities"
value: "rule:admin_api"
cinder-volume_extension_services_index:
key: "volume_extension:services:index"
value: "rule:admin_api"
cinder-volume_extension_services_update:
key: "volume_extension:services:update"
value: "rule:admin_api"
cinder-volume_freeze_host:
key: "volume:freeze_host"
value: "rule:admin_api"
cinder-volume_thaw_host:
key: "volume:thaw_host"
value: "rule:admin_api"
cinder-volume_failover_host:
key: "volume:failover_host"
value: "rule:admin_api"
cinder-scheduler_extension_scheduler_stats_get_pools:
key: "scheduler_extension:scheduler_stats:get_pools"
value: "rule:admin_api"
cinder-volume_extension_hosts:
key: "volume_extension:hosts"
value: "rule:admin_api"
cinder-limits_extension_used_limits:
key: "limits_extension:used_limits"
value: "rule:system_admin_or_project_reader"
cinder-volume_extension_list_manageable:
key: "volume_extension:list_manageable"
value: "rule:admin_api"
cinder-volume_extension_volume_manage:
key: "volume_extension:volume_manage"
value: "rule:admin_api"
cinder-volume_extension_volume_unmanage:
key: "volume_extension:volume_unmanage"
value: "rule:admin_api"
cinder-volume_extension_type_create:
key: "volume_extension:type_create"
value: "rule:admin_api"
cinder-volume_extension_type_update:
key: "volume_extension:type_update"
value: "rule:admin_api"
cinder-volume_extension_type_delete:
key: "volume_extension:type_delete"
value: "rule:admin_api"
cinder-volume_extension_type_get:
key: "volume_extension:type_get"
value: "rule:system_admin_or_project_reader"
cinder-volume_extension_type_get_all:
key: "volume_extension:type_get_all"
value: "rule:system_admin_or_project_reader"
cinder-volume_extension_access_types_extra_specs:
key: "volume_extension:access_types_extra_specs"
value: "rule:system_admin_or_project_reader"
cinder-volume_extension_access_types_qos_specs_id:
key: "volume_extension:access_types_qos_specs_id"
value: "rule:admin_api"
cinder-volume_extension_volume_type_encryption:
key: "volume_extension:volume_type_encryption"
value: "rule:admin_api"
cinder-volume_extension_volume_type_encryption_create:
key: "volume_extension:volume_type_encryption:create"
value: "rule:admin_api"
cinder-volume_extension_volume_type_encryption_get:
key: "volume_extension:volume_type_encryption:get"
value: "rule:admin_api"
cinder-volume_extension_volume_type_encryption_update:
key: "volume_extension:volume_type_encryption:update"
value: "rule:admin_api"
cinder-volume_extension_volume_type_encryption_delete:
key: "volume_extension:volume_type_encryption:delete"
value: "rule:admin_api"
cinder-volume_extension_volume_type_access:
key: "volume_extension:volume_type_access"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_type_access_addProjectAccess:
key: "volume_extension:volume_type_access:addProjectAccess"
value: "rule:admin_api"
cinder-volume_extension_volume_type_access_removeProjectAccess:
key: "volume_extension:volume_type_access:removeProjectAccess"
value: "rule:admin_api"
cinder-volume_extension_volume_type_access_get_all_for_type:
key: "volume_extension:volume_type_access:get_all_for_type"
value: "rule:admin_api"
cinder-volume_extend:
key: "volume:extend"
value: "rule:system_admin_or_project_member"
cinder-volume_extend_attached_volume:
key: "volume:extend_attached_volume"
value: "rule:system_admin_or_project_member"
cinder-volume_revert_to_snapshot:
key: "volume:revert_to_snapshot"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_admin_actions_reset_status:
key: "volume_extension:volume_admin_actions:reset_status"
value: "rule:admin_api"
cinder-volume_retype:
key: "volume:retype"
value: "rule:system_admin_or_project_member"
cinder-volume_update_readonly_flag:
key: "volume:update_readonly_flag"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_admin_actions_force_delete:
key: "volume_extension:volume_admin_actions:force_delete"
value: "rule:admin_api"
cinder-volume_extension_volume_actions_upload_public:
key: "volume_extension:volume_actions:upload_public"
value: "rule:admin_api"
cinder-volume_extension_volume_actions_upload_image:
key: "volume_extension:volume_actions:upload_image"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_admin_actions_force_detach:
key: "volume_extension:volume_admin_actions:force_detach"
value: "rule:admin_api"
cinder-volume_extension_volume_admin_actions_migrate_volume:
key: "volume_extension:volume_admin_actions:migrate_volume"
value: "rule:admin_api"
cinder-volume_extension_volume_admin_actions_migrate_volume_completion:
key: "volume_extension:volume_admin_actions:migrate_volume_completion"
value: "rule:admin_api"
cinder-volume_extension_volume_actions_initialize_connection:
key: "volume_extension:volume_actions:initialize_connection"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_actions_terminate_connection:
key: "volume_extension:volume_actions:terminate_connection"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_actions_roll_detaching:
key: "volume_extension:volume_actions:roll_detaching"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_actions_reserve:
key: "volume_extension:volume_actions:reserve"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_actions_unreserve:
key: "volume_extension:volume_actions:unreserve"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_actions_begin_detaching:
key: "volume_extension:volume_actions:begin_detaching"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_actions_attach:
key: "volume_extension:volume_actions:attach"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_actions_detach:
key: "volume_extension:volume_actions:detach"
value: "rule:system_admin_or_project_member"
cinder-volume_get_all_transfers:
key: "volume:get_all_transfers"
value: "rule:system_admin_or_project_reader"
cinder-volume_create_transfer:
key: "volume:create_transfer"
value: "rule:system_admin_or_project_member"
cinder-volume_get_transfer:
key: "volume:get_transfer"
value: "rule:system_admin_or_project_reader"
cinder-volume_accept_transfer:
key: "volume:accept_transfer"
value: "rule:system_admin_or_project_member"
cinder-volume_delete_transfer:
key: "volume:delete_transfer"
value: "rule:system_admin_or_project_member"
cinder-volume_get_volume_metadata:
key: "volume:get_volume_metadata"
value: "rule:system_admin_or_project_reader"
cinder-volume_create_volume_metadata:
key: "volume:create_volume_metadata"
value: "rule:system_admin_or_project_member"
cinder-volume_update_volume_metadata:
key: "volume:update_volume_metadata"
value: "rule:system_admin_or_project_member"
cinder-volume_delete_volume_metadata:
key: "volume:delete_volume_metadata"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_image_metadata_show:
key: "volume_extension:volume_image_metadata:show"
value: "rule:system_admin_or_project_reader"
cinder-volume_extension_volume_image_metadata_set:
key: "volume_extension:volume_image_metadata:set"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_volume_image_metadata_remove:
key: "volume_extension:volume_image_metadata:remove"
value: "rule:system_admin_or_project_member"
cinder-volume_update_volume_admin_metadata:
key: "volume:update_volume_admin_metadata"
value: "rule:admin_api"
cinder-volume_extension_types_extra_specs_index:
key: "volume_extension:types_extra_specs:index"
value: "rule:system_admin_or_project_reader"
cinder-volume_extension_types_extra_specs_create:
key: "volume_extension:types_extra_specs:create"
value: "rule:admin_api"
cinder-volume_extension_types_extra_specs_show:
key: "volume_extension:types_extra_specs:show"
value: "rule:system_admin_or_project_reader"
cinder-volume_extension_types_extra_specs_read_sensitive:
key: "volume_extension:types_extra_specs:read_sensitive"
value: "rule:admin_api"
cinder-volume_extension_types_extra_specs_update:
key: "volume_extension:types_extra_specs:update"
value: "rule:admin_api"
cinder-volume_extension_types_extra_specs_delete:
key: "volume_extension:types_extra_specs:delete"
value: "rule:admin_api"
cinder-volume_create:
key: "volume:create"
value: "rule:system_admin_or_project_member"
cinder-volume_create_from_image:
key: "volume:create_from_image"
value: "rule:system_admin_or_project_member"
cinder-volume_get:
key: "volume:get"
value: "rule:system_admin_or_project_reader"
cinder-volume_get_all:
key: "volume:get_all"
value: "rule:system_admin_or_project_reader"
cinder-volume_update:
key: "volume:update"
value: "rule:system_admin_or_project_member"
cinder-volume_delete:
key: "volume:delete"
value: "rule:system_admin_or_project_member"
cinder-volume_force_delete:
key: "volume:force_delete"
value: "rule:admin_api"
cinder-volume_extension_volume_host_attribute:
key: "volume_extension:volume_host_attribute"
value: "rule:admin_api"
cinder-volume_extension_volume_tenant_attribute:
key: "volume_extension:volume_tenant_attribute"
value: "rule:system_admin_or_project_reader"
cinder-volume_extension_volume_mig_status_attribute:
key: "volume_extension:volume_mig_status_attribute"
value: "rule:admin_api"
cinder-volume_extension_volume_encryption_metadata:
key: "volume_extension:volume_encryption_metadata"
value: "rule:system_admin_or_project_reader"
cinder-volume_multiattach:
key: "volume:multiattach"
value: "rule:system_admin_or_project_member"
cinder-volume_extension_default_set_or_update:
key: "volume_extension:default_set_or_update"
value: "rule:admin_api"
cinder-volume_extension_default_get:
key: "volume_extension:default_get"
value: "rule:admin_api"
cinder-volume_extension_default_get_all:
key: "volume_extension:default_get_all"
value: "rule:admin_api"
cinder-volume_extension_default_unset:
key: "volume_extension:default_unset"
value: "rule:admin_api"
KeystonePolicies:
keystone-admin_required:
key: "admin_required"
value: "role:admin"
keystone-identity_get_access_rule:
key: "identity:get_access_rule"
value: "rule:admin_required or user_id:%(target.user.id)s"
keystone-identity_list_access_rules:
key: "identity:list_access_rules"
value: "rule:admin_required or user_id:%(target.user.id)s"
keystone-identity_delete_access_rule:
key: "identity:delete_access_rule"
value: "rule:admin_required or user_id:%(target.user.id)s"
keystone-identity_authorize_request_token:
key: "identity:authorize_request_token"
value: "rule:admin_required"
keystone-identity_get_access_token:
key: "identity:get_access_token"
value: "rule:admin_required"
keystone-identity_get_access_token_role:
key: "identity:get_access_token_role"
value: "rule:admin_required"
keystone-identity_list_access_tokens:
key: "identity:list_access_tokens"
value: "rule:admin_required"
keystone-identity_list_access_token_roles:
key: "identity:list_access_token_roles"
value: "rule:admin_required"
keystone-identity_delete_access_token:
key: "identity:delete_access_token"
value: "rule:admin_required"
keystone-identity_get_application_credential:
key: "identity:get_application_credential"
value: "rule:admin_required or rule:owner"
keystone-identity_list_application_credentials:
key: "identity:list_application_credentials"
value: "rule:admin_required or rule:owner"
keystone-identity_create_application_credential:
key: "identity:create_application_credential"
value: "user_id:%(user_id)s"
keystone-identity_delete_application_credential:
key: "identity:delete_application_credential"
value: "rule:admin_required or rule:owner"
keystone-identity_get_auth_catalog:
key: "identity:get_auth_catalog"
value: ""
keystone-identity_get_auth_projects:
key: "identity:get_auth_projects"
value: ""
keystone-identity_get_auth_domains:
key: "identity:get_auth_domains"
value: ""
keystone-identity_get_auth_system:
key: "identity:get_auth_system"
value: ""
keystone-identity_get_consumer:
key: "identity:get_consumer"
value: "rule:admin_required"
keystone-identity_list_consumers:
key: "identity:list_consumers"
value: "rule:admin_required"
keystone-identity_create_consumer:
key: "identity:create_consumer"
value: "rule:admin_required"
keystone-identity_update_consumer:
key: "identity:update_consumer"
value: "rule:admin_required"
keystone-identity_delete_consumer:
key: "identity:delete_consumer"
value: "rule:admin_required"
keystone-identity_get_credential:
key: "identity:get_credential"
value: "rule:admin_required or user_id:%(target.credential.user_id)s"
keystone-identity_list_credentials:
key: "identity:list_credentials"
value: "rule:admin_required or user_id:%(target.credential.user_id)s"
keystone-identity_create_credential:
key: "identity:create_credential"
value: "rule:admin_required or user_id:%(target.credential.user_id)s"
keystone-identity_update_credential:
key: "identity:update_credential"
value: "rule:admin_required or user_id:%(target.credential.user_id)s"
keystone-identity_delete_credential:
key: "identity:delete_credential"
value: "rule:admin_required or user_id:%(target.credential.user_id)s"
keystone-identity_get_domain:
key: "identity:get_domain"
value: "rule:admin_required or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s"
keystone-identity_list_domains:
key: "identity:list_domains"
value: "rule:admin_required"
keystone-identity_create_domain:
key: "identity:create_domain"
value: "rule:admin_required"
keystone-identity_update_domain:
key: "identity:update_domain"
value: "rule:admin_required"
keystone-identity_delete_domain:
key: "identity:delete_domain"
value: "rule:admin_required"
keystone-identity_create_domain_config:
key: "identity:create_domain_config"
value: "rule:admin_required"
keystone-identity_get_domain_config:
key: "identity:get_domain_config"
value: "rule:admin_required"
keystone-identity_get_security_compliance_domain_config:
key: "identity:get_security_compliance_domain_config"
value: ""
keystone-identity_update_domain_config:
key: "identity:update_domain_config"
value: "rule:admin_required"
keystone-identity_delete_domain_config:
key: "identity:delete_domain_config"
value: "rule:admin_required"
keystone-identity_get_domain_config_default:
key: "identity:get_domain_config_default"
value: "rule:admin_required"
keystone-identity_ec2_get_credential:
key: "identity:ec2_get_credential"
value: "rule:admin_required or user_id:%(target.credential.user_id)s"
keystone-identity_ec2_list_credentials:
key: "identity:ec2_list_credentials"
value: "rule:admin_required or rule:owner"
keystone-identity_ec2_create_credential:
key: "identity:ec2_create_credential"
value: "rule:admin_required or rule:owner"
keystone-identity_ec2_delete_credential:
key: "identity:ec2_delete_credential"
value: "rule:admin_required or user_id:%(target.credential.user_id)s"
keystone-identity_get_endpoint:
key: "identity:get_endpoint"
value: "rule:admin_required"
keystone-identity_list_endpoints:
key: "identity:list_endpoints"
value: "rule:admin_required"
keystone-identity_create_endpoint:
key: "identity:create_endpoint"
value: "rule:admin_required"
keystone-identity_update_endpoint:
key: "identity:update_endpoint"
value: "rule:admin_required"
keystone-identity_delete_endpoint:
key: "identity:delete_endpoint"
value: "rule:admin_required"
keystone-identity_create_endpoint_group:
key: "identity:create_endpoint_group"
value: "rule:admin_required"
keystone-identity_list_endpoint_groups:
key: "identity:list_endpoint_groups"
value: "rule:admin_required"
keystone-identity_get_endpoint_group:
key: "identity:get_endpoint_group"
value: "rule:admin_required"
keystone-identity_update_endpoint_group:
key: "identity:update_endpoint_group"
value: "rule:admin_required"
keystone-identity_delete_endpoint_group:
key: "identity:delete_endpoint_group"
value: "rule:admin_required"
keystone-identity_list_projects_associated_with_endpoint_group:
key: "identity:list_projects_associated_with_endpoint_group"
value: "rule:admin_required"
keystone-identity_list_endpoints_associated_with_endpoint_group:
key: "identity:list_endpoints_associated_with_endpoint_group"
value: "rule:admin_required"
keystone-identity_get_endpoint_group_in_project:
key: "identity:get_endpoint_group_in_project"
value: "rule:admin_required"
keystone-identity_list_endpoint_groups_for_project:
key: "identity:list_endpoint_groups_for_project"
value: "rule:admin_required"
keystone-identity_add_endpoint_group_to_project:
key: "identity:add_endpoint_group_to_project"
value: "rule:admin_required"
keystone-identity_remove_endpoint_group_from_project:
key: "identity:remove_endpoint_group_from_project"
value: "rule:admin_required"
keystone-identity_check_grant:
key: "identity:check_grant"
value: "rule:admin_required or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
keystone-identity_list_grants:
key: "identity:list_grants"
value: "rule:admin_required or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)"
keystone-identity_create_grant:
key: "identity:create_grant"
value: "rule:admin_required or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
keystone-identity_revoke_grant:
key: "identity:revoke_grant"
value: "rule:admin_required or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
keystone-identity_list_system_grants_for_user:
key: "identity:list_system_grants_for_user"
value: "rule:admin_required"
keystone-identity_check_system_grant_for_user:
key: "identity:check_system_grant_for_user"
value: "rule:admin_required"
keystone-identity_create_system_grant_for_user:
key: "identity:create_system_grant_for_user"
value: "rule:admin_required"
keystone-identity_revoke_system_grant_for_user:
key: "identity:revoke_system_grant_for_user"
value: "rule:admin_required"
keystone-identity_list_system_grants_for_group:
key: "identity:list_system_grants_for_group"
value: "rule:admin_required"
keystone-identity_check_system_grant_for_group:
key: "identity:check_system_grant_for_group"
value: "rule:admin_required"
keystone-identity_create_system_grant_for_group:
key: "identity:create_system_grant_for_group"
value: "rule:admin_required"
keystone-identity_revoke_system_grant_for_group:
key: "identity:revoke_system_grant_for_group"
value: "rule:admin_required"
keystone-identity_get_group:
key: "identity:get_group"
value: "rule:admin_required or (role:reader and domain_id:%(target.group.domain_id)s)"
keystone-identity_list_groups:
key: "identity:list_groups"
value: "rule:admin_required or (role:reader and domain_id:%(target.group.domain_id)s)"
keystone-identity_list_groups_for_user:
key: "identity:list_groups_for_user"
value: "rule:admin_required or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s"
keystone-identity_create_group:
key: "identity:create_group"
value: "rule:admin_required or (role:admin and domain_id:%(target.group.domain_id)s)"
keystone-identity_update_group:
key: "identity:update_group"
value: "rule:admin_required or (role:admin and domain_id:%(target.group.domain_id)s)"
keystone-identity_delete_group:
key: "identity:delete_group"
value: "rule:admin_required or (role:admin and domain_id:%(target.group.domain_id)s)"
keystone-identity_list_users_in_group:
key: "identity:list_users_in_group"
value: "rule:admin_required or (role:reader and domain_id:%(target.group.domain_id)s)"
keystone-identity_remove_user_from_group:
key: "identity:remove_user_from_group"
value: "rule:admin_required or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
keystone-identity_check_user_in_group:
key: "identity:check_user_in_group"
value: "rule:admin_required or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
keystone-identity_add_user_to_group:
key: "identity:add_user_to_group"
value: "rule:admin_required or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
keystone-identity_create_identity_provider:
key: "identity:create_identity_provider"
value: "rule:admin_required"
keystone-identity_list_identity_providers:
key: "identity:list_identity_providers"
value: "rule:admin_required"
keystone-identity_get_identity_provider:
key: "identity:get_identity_provider"
value: "rule:admin_required"
keystone-identity_update_identity_provider:
key: "identity:update_identity_provider"
value: "rule:admin_required"
keystone-identity_delete_identity_provider:
key: "identity:delete_identity_provider"
value: "rule:admin_required"
keystone-identity_get_implied_role:
key: "identity:get_implied_role"
value: "rule:admin_required"
keystone-identity_list_implied_roles:
key: "identity:list_implied_roles"
value: "rule:admin_required"
keystone-identity_create_implied_role:
key: "identity:create_implied_role"
value: "rule:admin_required"
keystone-identity_delete_implied_role:
key: "identity:delete_implied_role"
value: "rule:admin_required"
keystone-identity_list_role_inference_rules:
key: "identity:list_role_inference_rules"
value: "rule:admin_required"
keystone-identity_check_implied_role:
key: "identity:check_implied_role"
value: "rule:admin_required"
keystone-identity_get_limit_model:
key: "identity:get_limit_model"
value: ""
keystone-identity_get_limit:
key: "identity:get_limit"
value: "rule:admin_required or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)"
keystone-identity_list_limits:
key: "identity:list_limits"
value: ""
keystone-identity_create_limits:
key: "identity:create_limits"
value: "rule:admin_required"
keystone-identity_update_limit:
key: "identity:update_limit"
value: "rule:admin_required"
keystone-identity_delete_limit:
key: "identity:delete_limit"
value: "rule:admin_required"
keystone-identity_create_mapping:
key: "identity:create_mapping"
value: "rule:admin_required"
keystone-identity_get_mapping:
key: "identity:get_mapping"
value: "rule:admin_required"
keystone-identity_list_mappings:
key: "identity:list_mappings"
value: "rule:admin_required"
keystone-identity_delete_mapping:
key: "identity:delete_mapping"
value: "rule:admin_required"
keystone-identity_update_mapping:
key: "identity:update_mapping"
value: "rule:admin_required"
keystone-identity_get_policy:
key: "identity:get_policy"
value: "rule:admin_required"
keystone-identity_list_policies:
key: "identity:list_policies"
value: "rule:admin_required"
keystone-identity_create_policy:
key: "identity:create_policy"
value: "rule:admin_required"
keystone-identity_update_policy:
key: "identity:update_policy"
value: "rule:admin_required"
keystone-identity_delete_policy:
key: "identity:delete_policy"
value: "rule:admin_required"
keystone-identity_create_policy_association_for_endpoint:
key: "identity:create_policy_association_for_endpoint"
value: "rule:admin_required"
keystone-identity_check_policy_association_for_endpoint:
key: "identity:check_policy_association_for_endpoint"
value: "rule:admin_required"
keystone-identity_delete_policy_association_for_endpoint:
key: "identity:delete_policy_association_for_endpoint"
value: "rule:admin_required"
keystone-identity_create_policy_association_for_service:
key: "identity:create_policy_association_for_service"
value: "rule:admin_required"
keystone-identity_check_policy_association_for_service:
key: "identity:check_policy_association_for_service"
value: "rule:admin_required"
keystone-identity_delete_policy_association_for_service:
key: "identity:delete_policy_association_for_service"
value: "rule:admin_required"
keystone-identity_create_policy_association_for_region_and_service:
key: "identity:create_policy_association_for_region_and_service"
value: "rule:admin_required"
keystone-identity_check_policy_association_for_region_and_service:
key: "identity:check_policy_association_for_region_and_service"
value: "rule:admin_required"
keystone-identity_delete_policy_association_for_region_and_service:
key: "identity:delete_policy_association_for_region_and_service"
value: "rule:admin_required"
keystone-identity_get_policy_for_endpoint:
key: "identity:get_policy_for_endpoint"
value: "rule:admin_required"
keystone-identity_list_endpoints_for_policy:
key: "identity:list_endpoints_for_policy"
value: "rule:admin_required"
keystone-identity_get_project:
key: "identity:get_project"
value: "rule:admin_required or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
keystone-identity_list_projects:
key: "identity:list_projects"
value: "rule:admin_required or (role:reader and domain_id:%(target.domain_id)s)"
keystone-identity_list_user_projects:
key: "identity:list_user_projects"
value: "rule:admin_required or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"
keystone-identity_create_project:
key: "identity:create_project"
value: "rule:admin_required or (role:admin and domain_id:%(target.project.domain_id)s)"
keystone-identity_update_project:
key: "identity:update_project"
value: "rule:admin_required or (role:admin and domain_id:%(target.project.domain_id)s)"
keystone-identity_delete_project:
key: "identity:delete_project"
value: "rule:admin_required or (role:admin and domain_id:%(target.project.domain_id)s)"
keystone-identity_list_project_tags:
key: "identity:list_project_tags"
value: "rule:admin_required or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
keystone-identity_get_project_tag:
key: "identity:get_project_tag"
value: "rule:admin_required or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
keystone-identity_update_project_tags:
key: "identity:update_project_tags"
value: "rule:admin_required or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
keystone-identity_create_project_tag:
key: "identity:create_project_tag"
value: "rule:admin_required or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
keystone-identity_delete_project_tags:
key: "identity:delete_project_tags"
value: "rule:admin_required or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
keystone-identity_delete_project_tag:
key: "identity:delete_project_tag"
value: "rule:admin_required or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
keystone-identity_list_projects_for_endpoint:
key: "identity:list_projects_for_endpoint"
value: "rule:admin_required"
keystone-identity_add_endpoint_to_project:
key: "identity:add_endpoint_to_project"
value: "rule:admin_required"
keystone-identity_check_endpoint_in_project:
key: "identity:check_endpoint_in_project"
value: "rule:admin_required"
keystone-identity_list_endpoints_for_project:
key: "identity:list_endpoints_for_project"
value: "rule:admin_required"
keystone-identity_remove_endpoint_from_project:
key: "identity:remove_endpoint_from_project"
value: "rule:admin_required"
keystone-identity_create_protocol:
key: "identity:create_protocol"
value: "rule:admin_required"
keystone-identity_update_protocol:
key: "identity:update_protocol"
value: "rule:admin_required"
keystone-identity_get_protocol:
key: "identity:get_protocol"
value: "rule:admin_required"
keystone-identity_list_protocols:
key: "identity:list_protocols"
value: "rule:admin_required"
keystone-identity_delete_protocol:
key: "identity:delete_protocol"
value: "rule:admin_required"
keystone-identity_get_region:
key: "identity:get_region"
value: ""
keystone-identity_list_regions:
key: "identity:list_regions"
value: ""
keystone-identity_create_region:
key: "identity:create_region"
value: "rule:admin_required"
keystone-identity_update_region:
key: "identity:update_region"
value: "rule:admin_required"
keystone-identity_delete_region:
key: "identity:delete_region"
value: "rule:admin_required"
keystone-identity_get_registered_limit:
key: "identity:get_registered_limit"
value: ""
keystone-identity_list_registered_limits:
key: "identity:list_registered_limits"
value: ""
keystone-identity_create_registered_limits:
key: "identity:create_registered_limits"
value: "rule:admin_required"
keystone-identity_update_registered_limit:
key: "identity:update_registered_limit"
value: "rule:admin_required"
keystone-identity_delete_registered_limit:
key: "identity:delete_registered_limit"
value: "rule:admin_required"
keystone-identity_list_revoke_events:
key: "identity:list_revoke_events"
value: "rule:service_or_admin"
keystone-identity_get_role:
key: "identity:get_role"
value: "rule:admin_required"
keystone-identity_list_roles:
key: "identity:list_roles"
value: "rule:admin_required"
keystone-identity_create_role:
key: "identity:create_role"
value: "rule:admin_required"
keystone-identity_update_role:
key: "identity:update_role"
value: "rule:admin_required"
keystone-identity_delete_role:
key: "identity:delete_role"
value: "rule:admin_required"
keystone-identity_get_domain_role:
key: "identity:get_domain_role"
value: "rule:admin_required"
keystone-identity_list_domain_roles:
key: "identity:list_domain_roles"
value: "rule:admin_required"
keystone-identity_create_domain_role:
key: "identity:create_domain_role"
value: "rule:admin_required"
keystone-identity_update_domain_role:
key: "identity:update_domain_role"
value: "rule:admin_required"
keystone-identity_delete_domain_role:
key: "identity:delete_domain_role"
value: "rule:admin_required"
keystone-identity_list_role_assignments:
key: "identity:list_role_assignments"
value: "rule:admin_required or (role:reader and domain_id:%(target.domain_id)s)"
keystone-identity_list_role_assignments_for_tree:
key: "identity:list_role_assignments_for_tree"
value: "rule:admin_required or (role:reader and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
keystone-identity_get_service:
key: "identity:get_service"
value: "rule:admin_required"
keystone-identity_list_services:
key: "identity:list_services"
value: "rule:admin_required"
keystone-identity_create_service:
key: "identity:create_service"
value: "rule:admin_required"
keystone-identity_update_service:
key: "identity:update_service"
value: "rule:admin_required"
keystone-identity_delete_service:
key: "identity:delete_service"
value: "rule:admin_required"
keystone-identity_create_service_provider:
key: "identity:create_service_provider"
value: "rule:admin_required"
keystone-identity_list_service_providers:
key: "identity:list_service_providers"
value: "rule:admin_required"
keystone-identity_get_service_provider:
key: "identity:get_service_provider"
value: "rule:admin_required"
keystone-identity_update_service_provider:
key: "identity:update_service_provider"
value: "rule:admin_required"
keystone-identity_delete_service_provider:
key: "identity:delete_service_provider"
value: "rule:admin_required"
keystone-identity_revocation_list:
key: "identity:revocation_list"
value: "rule:service_or_admin"
keystone-identity_check_token:
key: "identity:check_token"
value: "rule:admin_required or rule:token_subject"
keystone-identity_validate_token:
key: "identity:validate_token"
value: "rule:admin_required or rule:service_role or rule:token_subject"
keystone-identity_revoke_token:
key: "identity:revoke_token"
value: "rule:admin_required or rule:token_subject"
keystone-identity_create_trust:
key: "identity:create_trust"
value: "user_id:%(trust.trustor_user_id)s"
keystone-identity_list_trusts:
key: "identity:list_trusts"
value: "rule:admin_required"
keystone-identity_list_trusts_for_trustor:
key: "identity:list_trusts_for_trustor"
value: "rule:admin_required or user_id:%(target.trust.trustor_user_id)s"
keystone-identity_list_trusts_for_trustee:
key: "identity:list_trusts_for_trustee"
value: "rule:admin_required or user_id:%(target.trust.trustee_user_id)s"
keystone-identity_list_roles_for_trust:
key: "identity:list_roles_for_trust"
value: "rule:admin_required or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s"
keystone-identity_get_role_for_trust:
key: "identity:get_role_for_trust"
value: "rule:admin_required or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s"
keystone-identity_delete_trust:
key: "identity:delete_trust"
value: "rule:admin_required or user_id:%(target.trust.trustor_user_id)s"
keystone-identity_get_trust:
key: "identity:get_trust"
value: "rule:admin_required or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s"
keystone-identity_get_user:
key: "identity:get_user"
value: "rule:admin_required or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"
keystone-identity_list_users:
key: "identity:list_users"
value: "rule:admin_required or (role:reader and domain_id:%(target.domain_id)s)"
keystone-identity_list_projects_for_user:
key: "identity:list_projects_for_user"
value: ""
keystone-identity_list_domains_for_user:
key: "identity:list_domains_for_user"
value: ""
keystone-identity_create_user:
key: "identity:create_user"
value: "rule:admin_required or (role:admin and token.domain.id:%(target.user.domain_id)s)"
keystone-identity_update_user:
key: "identity:update_user"
value: "rule:admin_required or (role:admin and token.domain.id:%(target.user.domain_id)s)"
keystone-identity_delete_user:
key: "identity:delete_user"
value: "rule:admin_required or (role:admin and token.domain.id:%(target.user.domain_id)s)"
BarbicanPolicies:
barbican-admin:
key: "admin"
value: "role:admin"
barbican-observer:
key: "observer"
value: "role:observer"
barbican-creator:
key: "creator"
value: "role:creator"
barbican-audit:
key: "audit"
value: "role:audit"
barbican-service_admin:
key: "service_admin"
value: "role:key-manager:service-admin"
barbican-admin_or_creator:
key: "admin_or_creator"
value: "rule:admin or rule:creator"
barbican-all_but_audit:
key: "all_but_audit"
value: "rule:admin or rule:observer or rule:creator"
barbican-all_users:
key: "all_users"
value: "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin"
barbican-secret_project_match:
key: "secret_project_match"
value: "project_id:%(target.secret.project_id)s"
barbican-secret_acl_read:
key: "secret_acl_read"
value: "'read':%(target.secret.read)s"
barbican-secret_private_read:
key: "secret_private_read"
value: "'False':%(target.secret.read_project_access)s"
barbican-secret_creator_user:
key: "secret_creator_user"
value: "user_id:%(target.secret.creator_id)s"
barbican-container_project_match:
key: "container_project_match"
value: "project_id:%(target.container.project_id)s"
barbican-container_acl_read:
key: "container_acl_read"
value: "'read':%(target.container.read)s"
barbican-container_private_read:
key: "container_private_read"
value: "'False':%(target.container.read_project_access)s"
barbican-container_creator_user:
key: "container_creator_user"
value: "user_id:%(target.container.creator_id)s"
barbican-secret_non_private_read:
key: "secret_non_private_read"
value: "rule:all_users and rule:secret_project_match and not rule:secret_private_read"
barbican-secret_decrypt_non_private_read:
key: "secret_decrypt_non_private_read"
value: "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read"
barbican-container_non_private_read:
key: "container_non_private_read"
value: "rule:all_users and rule:container_project_match and not rule:container_private_read"
barbican-secret_project_admin:
key: "secret_project_admin"
value: "rule:admin and rule:secret_project_match"
barbican-secret_project_creator:
key: "secret_project_creator"
value: "rule:creator and rule:secret_project_match and rule:secret_creator_user"
barbican-container_project_admin:
key: "container_project_admin"
value: "rule:admin and rule:container_project_match"
barbican-container_project_creator:
key: "container_project_creator"
value: "rule:creator and rule:container_project_match and rule:container_creator_user"
barbican-secret_acls_get:
key: "secret_acls:get"
value: "(rule:all_but_audit and rule:secret_project_match) or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
barbican-secret_acls_delete:
key: "secret_acls:delete"
value: "rule:secret_project_admin or rule:secret_project_creator or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
barbican-secret_acls_put_patch:
key: "secret_acls:put_patch"
value: "rule:secret_project_admin or rule:secret_project_creator or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
barbican-container_acls_get:
key: "container_acls:get"
value: "(rule:all_but_audit and rule:container_project_match) or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
barbican-container_acls_delete:
key: "container_acls:delete"
value: "rule:container_project_admin or rule:container_project_creator or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
barbican-container_acls_put_patch:
key: "container_acls:put_patch"
value: "rule:container_project_admin or rule:container_project_creator or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
barbican-consumer_get:
key: "consumer:get"
value: "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"
barbican-consumers_get:
key: "consumers:get"
value: "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"
barbican-consumers_post:
key: "consumers:post"
value: "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"
barbican-consumers_delete:
key: "consumers:delete"
value: "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s or role:admin and system_scope:all"
barbican-containers_post:
key: "containers:post"
value: "rule:admin_or_creator or role:member"
barbican-containers_get:
key: "containers:get"
value: "rule:all_but_audit or role:member"
barbican-container_get:
key: "container:get"
value: "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
barbican-container_delete:
key: "container:delete"
value: "rule:container_project_admin or rule:container_project_creator or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
barbican-container_secret_post:
key: "container_secret:post"
value: "rule:admin or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
barbican-container_secret_delete:
key: "container_secret:delete"
value: "rule:admin or (role:member and project_id:%(target.container.project_id)s and (user_id:%(target.container.creator_id)s or True:%(target.container.read_project_access)s)) or role:admin and project_id:%(target.container.project_id)s"
barbican-orders_get:
key: "orders:get"
value: "rule:all_but_audit or role:member"
barbican-orders_post:
key: "orders:post"
value: "rule:admin_or_creator or role:member"
barbican-orders_put:
key: "orders:put"
value: "rule:admin_or_creator or role:member"
barbican-order_get:
key: "order:get"
value: "rule:all_users or role:member"
barbican-order_delete:
key: "order:delete"
value: "rule:admin or role:member"
barbican-quotas_get:
key: "quotas:get"
value: "rule:all_users or role:reader"
barbican-project_quotas_get:
key: "project_quotas:get"
value: "rule:service_admin or role:reader and system_scope:all"
barbican-project_quotas_put:
key: "project_quotas:put"
value: "rule:service_admin or role:admin and system_scope:all"
barbican-project_quotas_delete:
key: "project_quotas:delete"
value: "rule:service_admin or role:admin and system_scope:all"
barbican-secret_meta_get:
key: "secret_meta:get"
value: "rule:all_but_audit or role:member"
barbican-secret_meta_post:
key: "secret_meta:post"
value: "rule:admin_or_creator or role:member"
barbican-secret_meta_put:
key: "secret_meta:put"
value: "rule:admin_or_creator or role:member"
barbican-secret_meta_delete:
key: "secret_meta:delete"
value: "rule:admin_or_creator or role:member"
barbican-secret_decrypt:
key: "secret:decrypt"
value: "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
barbican-secret_get:
key: "secret:get"
value: "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
barbican-secret_put:
key: "secret:put"
value: "rule:admin_or_creator and rule:secret_project_match or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
barbican-secret_delete:
key: "secret:delete"
value: "rule:secret_project_admin or rule:secret_project_creator or (role:member and project_id:%(target.secret.project_id)s and (user_id:%(target.secret.creator_id)s or True:%(target.secret.read_project_access)s)) or role:admin and project_id:%(target.secret.project_id)s"
    barbican-secrets_post:
      key: "secrets:post"
      value: "rule:admin_or_creator or role:member"
    barbican-secrets_get:
      key: "secrets:get"
      value: "rule:all_but_audit or role:member"
    # Secret-store discovery is read-only for any reader; changing the
    # preferred store for a project is admin-only via the legacy admin rule.
    barbican-secretstores_get:
      key: "secretstores:get"
      value: "rule:all_users or role:reader"
    barbican-secretstores_get_global_default:
      key: "secretstores:get_global_default"
      value: "rule:all_users or role:reader"
    barbican-secretstores_get_preferred:
      key: "secretstores:get_preferred"
      value: "rule:all_users or role:reader"
    barbican-secretstore_preferred_post:
      key: "secretstore_preferred:post"
      value: "rule:admin"
    barbican-secretstore_preferred_delete:
      key: "secretstore_preferred:delete"
      value: "rule:admin"
    barbican-secretstore_get:
      key: "secretstore:get"
      value: "rule:all_users or role:reader"
    # Transport keys: unlike secretstore_preferred above (rule:admin), the
    # write operations here demand a system-scoped admin token, so a
    # project-scoped admin is refused.  Intentional asymmetry, but note it
    # when debugging 403s on transport-key management.
    barbican-transport_key_get:
      key: "transport_key:get"
      value: "rule:all_users or role:reader"
    barbican-transport_key_delete:
      key: "transport_key:delete"
      value: "role:admin and system_scope:all"
    barbican-transport_keys_get:
      key: "transport_keys:get"
      value: "rule:all_users or role:reader"
    barbican-transport_keys_post:
      key: "transport_keys:post"
      value: "role:admin and system_scope:all"
  ManilaApiPolicies:
    # Scope-aware base rules.  Of the three system-* rules only system-admin
    # is referenced in this section (by context_is_admin); system-member and
    # system-reader are defined but unused by any policy below.
    manila-system-admin:
      key: "system-admin"
      value: "role:admin and system_scope:all"
    manila-system-member:
      key: "system-member"
      value: "role:member and system_scope:all"
    manila-system-reader:
      key: "system-reader"
      value: "role:reader and system_scope:all"
    manila-project-admin:
      key: "project-admin"
      value: "role:admin and project_id:%(project_id)s"
    manila-project-member:
      key: "project-member"
      value: "role:member and project_id:%(project_id)s"
    manila-project-reader:
      key: "project-reader"
      value: "role:reader and project_id:%(project_id)s"
    # context_is_admin (the is_admin context flag) requires system scope,
    # while admin_api below does not -- the two notions of "admin" differ.
    manila-context_is_admin:
      key: "context_is_admin"
      value: "rule:system-admin"
    # admin_or_owner keys on the is_admin context flag rather than a role;
    # "default" is the catch-all for any manila policy name not listed here.
    manila-admin_or_owner:
      key: "admin_or_owner"
      value: "is_admin:True or project_id:%(project_id)s"
    manila-default:
      key: "default"
      value: "rule:admin_or_owner"
    # admin_api is a bare role check with no scope restriction: any token
    # carrying the admin role, including a project-scoped one, satisfies it.
    # Two consequences for the policies below:
    #   1. every "(rule:admin_api) or (rule:project-admin)" entry reduces to
    #      "role:admin" -- the project-admin disjunct is subsumed;
    #   2. a project-scoped admin passes the admin-only policies too
    #      (share:manage, share_server:*, service:*, quota_set:update, ...).
    # Tightening this to "rule:system-admin" gives the intended separation
    # but requires operators to use system-scoped tokens for cloud admin
    # work -- NOTE(review): presumably deferred behind EnforceSecureRbac;
    # confirm before changing.
    manila-admin_api:
      key: "admin_api"
      value: "role:admin"
    manila-availability_zone_index:
      key: "availability_zone:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    # Scheduler pool stats expose backend/host names: admin only.
    manila-scheduler_stats_pools_index:
      key: "scheduler_stats:pools:index"
      value: "rule:admin_api"
    manila-scheduler_stats_pools_detail:
      key: "scheduler_stats:pools:detail"
      value: "rule:admin_api"
    manila-share_create:
      key: "share:create"
      value: "(rule:admin_api) or (rule:project-member)"
    # Public shares are visible to every project, so creating one or
    # flipping a share public is kept admin-only.
    manila-share_create_public_share:
      key: "share:create_public_share"
      value: "rule:admin_api"
    manila-share_get:
      key: "share:get"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_get_all:
      key: "share:get_all"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_update:
      key: "share:update"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_set_public_share:
      key: "share:set_public_share"
      value: "rule:admin_api"
    manila-share_delete:
      key: "share:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    # force_*/reset_* are written as admin_api or project-admin; with
    # admin_api defined as a bare "role:admin" the second disjunct is
    # already covered by the first.
    manila-share_force_delete:
      key: "share:force_delete"
      value: "(rule:admin_api) or (rule:project-admin)"
    # manage/unmanage and host-based listing touch backend state and reveal
    # host/share-server identifiers: admin only.
    manila-share_manage:
      key: "share:manage"
      value: "rule:admin_api"
    manila-share_unmanage:
      key: "share:unmanage"
      value: "rule:admin_api"
    manila-share_list_by_host:
      key: "share:list_by_host"
      value: "rule:admin_api"
    manila-share_list_by_share_server_id:
      key: "share:list_by_share_server_id"
      value: "rule:admin_api"
    manila-share_access_get:
      key: "share:access_get"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_access_get_all:
      key: "share:access_get_all"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_extend:
      key: "share:extend"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_force_extend:
      key: "share:force_extend"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_shrink:
      key: "share:shrink"
      value: "(rule:admin_api) or (rule:project-member)"
    # Share migration is an operator workflow: admin only, all phases.
    manila-share_migration_start:
      key: "share:migration_start"
      value: "rule:admin_api"
    manila-share_migration_complete:
      key: "share:migration_complete"
      value: "rule:admin_api"
    manila-share_migration_cancel:
      key: "share:migration_cancel"
      value: "rule:admin_api"
    manila-share_migration_get_progress:
      key: "share:migration_get_progress"
      value: "rule:admin_api"
    manila-share_reset_task_state:
      key: "share:reset_task_state"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_reset_status:
      key: "share:reset_status"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_revert_to_snapshot:
      key: "share:revert_to_snapshot"
      value: "(rule:admin_api) or (rule:project-member)"
    # Access-rule management (who may mount the share) is a member action.
    manila-share_allow_access:
      key: "share:allow_access"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_deny_access:
      key: "share:deny_access"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_update_share_metadata:
      key: "share:update_share_metadata"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_delete_share_metadata:
      key: "share:delete_share_metadata"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_get_share_metadata:
      key: "share:get_share_metadata"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_create_snapshot:
      key: "share:create_snapshot"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_delete_snapshot:
      key: "share:delete_snapshot"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_snapshot_update:
      key: "share:snapshot_update"
      value: "(rule:admin_api) or (rule:project-member)"
    # Per-instance export locations (unlike share_export_location below)
    # are admin only.
    manila-share_instance_export_location_index:
      key: "share_instance_export_location:index"
      value: "rule:admin_api"
    manila-share_instance_export_location_show:
      key: "share_instance_export_location:show"
      value: "rule:admin_api"
    # Share types: readers can list/show, only admins manage them and their
    # project access lists; extra specs (backend capabilities) are fully
    # admin-only, including reads.
    manila-share_type_create:
      key: "share_type:create"
      value: "rule:admin_api"
    manila-share_type_update:
      key: "share_type:update"
      value: "rule:admin_api"
    manila-share_type_show:
      key: "share_type:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_type_index:
      key: "share_type:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_type_default:
      key: "share_type:default"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_type_delete:
      key: "share_type:delete"
      value: "rule:admin_api"
    manila-share_type_list_project_access:
      key: "share_type:list_project_access"
      value: "rule:admin_api"
    manila-share_type_add_project_access:
      key: "share_type:add_project_access"
      value: "rule:admin_api"
    manila-share_type_remove_project_access:
      key: "share_type:remove_project_access"
      value: "rule:admin_api"
    manila-share_types_extra_spec_create:
      key: "share_types_extra_spec:create"
      value: "rule:admin_api"
    manila-share_types_extra_spec_show:
      key: "share_types_extra_spec:show"
      value: "rule:admin_api"
    manila-share_types_extra_spec_index:
      key: "share_types_extra_spec:index"
      value: "rule:admin_api"
    manila-share_types_extra_spec_update:
      key: "share_types_extra_spec:update"
      value: "rule:admin_api"
    manila-share_types_extra_spec_delete:
      key: "share_types_extra_spec:delete"
      value: "rule:admin_api"
    # Snapshots follow the share pattern: project readers/members for normal
    # operations, admin (or the subsumed project-admin) for force/reset,
    # admin only for manage/unmanage.
    manila-share_snapshot_get_snapshot:
      key: "share_snapshot:get_snapshot"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_snapshot_get_all_snapshots:
      key: "share_snapshot:get_all_snapshots"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_snapshot_force_delete:
      key: "share_snapshot:force_delete"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_snapshot_manage_snapshot:
      key: "share_snapshot:manage_snapshot"
      value: "rule:admin_api"
    manila-share_snapshot_unmanage_snapshot:
      key: "share_snapshot:unmanage_snapshot"
      value: "rule:admin_api"
    manila-share_snapshot_reset_status:
      key: "share_snapshot:reset_status"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_snapshot_access_list:
      key: "share_snapshot:access_list"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_snapshot_allow_access:
      key: "share_snapshot:allow_access"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_snapshot_deny_access:
      key: "share_snapshot:deny_access"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_snapshot_export_location_index:
      key: "share_snapshot_export_location:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_snapshot_export_location_show:
      key: "share_snapshot_export_location:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    # Snapshot *instances* (per-backend copies) are an operator view.
    manila-share_snapshot_instance_show:
      key: "share_snapshot_instance:show"
      value: "rule:admin_api"
    manila-share_snapshot_instance_index:
      key: "share_snapshot_instance:index"
      value: "rule:admin_api"
    manila-share_snapshot_instance_detail:
      key: "share_snapshot_instance:detail"
      value: "rule:admin_api"
    manila-share_snapshot_instance_reset_status:
      key: "share_snapshot_instance:reset_status"
      value: "rule:admin_api"
    manila-share_snapshot_instance_export_location_index:
      key: "share_snapshot_instance_export_location:index"
      value: "rule:admin_api"
    manila-share_snapshot_instance_export_location_show:
      key: "share_snapshot_instance_export_location:show"
      value: "rule:admin_api"
    # Share servers (the backend NAS instances behind share networks) and
    # manila services are infrastructure objects: every operation, including
    # read, is admin only.
    manila-share_server_index:
      key: "share_server:index"
      value: "rule:admin_api"
    manila-share_server_show:
      key: "share_server:show"
      value: "rule:admin_api"
    manila-share_server_details:
      key: "share_server:details"
      value: "rule:admin_api"
    manila-share_server_delete:
      key: "share_server:delete"
      value: "rule:admin_api"
    manila-share_server_manage_share_server:
      key: "share_server:manage_share_server"
      value: "rule:admin_api"
    manila-share_server_unmanage_share_server:
      key: "share_server:unmanage_share_server"
      value: "rule:admin_api"
    manila-share_server_reset_status:
      key: "share_server:reset_status"
      value: "rule:admin_api"
    manila-share_server_share_server_migration_start:
      key: "share_server:share_server_migration_start"
      value: "rule:admin_api"
    manila-share_server_share_server_migration_check:
      key: "share_server:share_server_migration_check"
      value: "rule:admin_api"
    manila-share_server_share_server_migration_complete:
      key: "share_server:share_server_migration_complete"
      value: "rule:admin_api"
    manila-share_server_share_server_migration_cancel:
      key: "share_server:share_server_migration_cancel"
      value: "rule:admin_api"
    manila-share_server_share_server_migration_get_progress:
      key: "share_server:share_server_migration_get_progress"
      value: "rule:admin_api"
    manila-share_server_share_server_reset_task_state:
      key: "share_server:share_server_reset_task_state"
      value: "rule:admin_api"
    manila-service_index:
      key: "service:index"
      value: "rule:admin_api"
    manila-service_update:
      key: "service:update"
      value: "rule:admin_api"
    # Quotas: a project reader may view its own quota and the class defaults;
    # only admins change or delete them.
    manila-quota_set_update:
      key: "quota_set:update"
      value: "rule:admin_api"
    manila-quota_set_show:
      key: "quota_set:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-quota_set_delete:
      key: "quota_set:delete"
      value: "rule:admin_api"
    manila-quota_class_set_update:
      key: "quota_class_set:update"
      value: "rule:admin_api"
    manila-quota_class_set_show:
      key: "quota_class_set:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    # Share group types mirror share types: specs are admin-only end to end,
    # the type itself is readable by project readers and managed by admins.
    manila-share_group_types_spec_create:
      key: "share_group_types_spec:create"
      value: "rule:admin_api"
    manila-share_group_types_spec_index:
      key: "share_group_types_spec:index"
      value: "rule:admin_api"
    manila-share_group_types_spec_show:
      key: "share_group_types_spec:show"
      value: "rule:admin_api"
    manila-share_group_types_spec_update:
      key: "share_group_types_spec:update"
      value: "rule:admin_api"
    manila-share_group_types_spec_delete:
      key: "share_group_types_spec:delete"
      value: "rule:admin_api"
    manila-share_group_type_create:
      key: "share_group_type:create"
      value: "rule:admin_api"
    manila-share_group_type_index:
      key: "share_group_type:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_group_type_show:
      key: "share_group_type:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_group_type_default:
      key: "share_group_type:default"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_group_type_delete:
      key: "share_group_type:delete"
      value: "rule:admin_api"
    manila-share_group_type_list_project_access:
      key: "share_group_type:list_project_access"
      value: "rule:admin_api"
    manila-share_group_type_add_project_access:
      key: "share_group_type:add_project_access"
      value: "rule:admin_api"
    manila-share_group_type_remove_project_access:
      key: "share_group_type:remove_project_access"
      value: "rule:admin_api"
    # Share groups and their snapshots: reader/member for normal operations,
    # admin (project-admin is subsumed by the bare role:admin admin_api) for
    # force_delete/reset_status.
    manila-share_group_snapshot_create:
      key: "share_group_snapshot:create"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_group_snapshot_get:
      key: "share_group_snapshot:get"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_group_snapshot_get_all:
      key: "share_group_snapshot:get_all"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_group_snapshot_update:
      key: "share_group_snapshot:update"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_group_snapshot_delete:
      key: "share_group_snapshot:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_group_snapshot_force_delete:
      key: "share_group_snapshot:force_delete"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_group_snapshot_reset_status:
      key: "share_group_snapshot:reset_status"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_group_create:
      key: "share_group:create"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_group_get:
      key: "share_group:get"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_group_get_all:
      key: "share_group:get_all"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_group_update:
      key: "share_group:update"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_group_delete:
      key: "share_group:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_group_force_delete:
      key: "share_group:force_delete"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_group_reset_status:
      key: "share_group:reset_status"
      value: "(rule:admin_api) or (rule:project-admin)"
    # Replicas: members create/delete/promote; resync and the reset_*
    # operations are escalated to admin.
    manila-share_replica_create:
      key: "share_replica:create"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_replica_get_all:
      key: "share_replica:get_all"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_replica_show:
      key: "share_replica:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_replica_delete:
      key: "share_replica:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_replica_force_delete:
      key: "share_replica:force_delete"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_replica_promote:
      key: "share_replica:promote"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_replica_resync:
      key: "share_replica:resync"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_replica_reset_replica_state:
      key: "share_replica:reset_replica_state"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_replica_reset_status:
      key: "share_replica:reset_status"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_replica_export_location_index:
      key: "share_replica_export_location:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_replica_export_location_show:
      key: "share_replica_export_location:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    # Share networks and security services are project-owned: members manage
    # their own; the get_all_* variants (cross-project listing) and
    # reset_status are admin.
    manila-share_network_create:
      key: "share_network:create"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_show:
      key: "share_network:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_network_index:
      key: "share_network:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_network_detail:
      key: "share_network:detail"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_network_update:
      key: "share_network:update"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_delete:
      key: "share_network:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_add_security_service:
      key: "share_network:add_security_service"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_add_security_service_check:
      key: "share_network:add_security_service_check"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_remove_security_service:
      key: "share_network:remove_security_service"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_update_security_service:
      key: "share_network:update_security_service"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_update_security_service_check:
      key: "share_network:update_security_service_check"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_reset_status:
      key: "share_network:reset_status"
      value: "(rule:admin_api) or (rule:project-admin)"
    manila-share_network_get_all_share_networks:
      key: "share_network:get_all_share_networks"
      value: "rule:admin_api"
    manila-share_network_subnet_create:
      key: "share_network_subnet:create"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_subnet_delete:
      key: "share_network_subnet:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_network_subnet_show:
      key: "share_network_subnet:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_network_subnet_index:
      key: "share_network_subnet:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    # Security services carry directory-service credentials (AD/LDAP/
    # Kerberos); reads are limited to project readers, writes to members.
    manila-security_service_create:
      key: "security_service:create"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-security_service_show:
      key: "security_service:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-security_service_detail:
      key: "security_service:detail"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-security_service_index:
      key: "security_service:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-security_service_update:
      key: "security_service:update"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-security_service_delete:
      key: "security_service:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-security_service_get_all_security_services:
      key: "security_service:get_all_security_services"
      value: "rule:admin_api"
    # Share-level export locations (mount paths) are readable by the project;
    # share *instances* (per-backend copies) remain admin only, matching the
    # share_instance_export_location entries above.
    manila-share_export_location_index:
      key: "share_export_location:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_export_location_show:
      key: "share_export_location:show"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_instance_index:
      key: "share_instance:index"
      value: "rule:admin_api"
    manila-share_instance_show:
      key: "share_instance:show"
      value: "rule:admin_api"
    manila-share_instance_force_delete:
      key: "share_instance:force_delete"
      value: "rule:admin_api"
    manila-share_instance_reset_status:
      key: "share_instance:reset_status"
      value: "rule:admin_api"
    manila-message_get:
      key: "message:get"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-message_get_all:
      key: "message:get_all"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-message_delete:
      key: "message:delete"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_access_rule_get:
      key: "share_access_rule:get"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_access_rule_index:
      key: "share_access_rule:index"
      value: "(rule:admin_api) or (rule:project-reader)"
    manila-share_access_metadata_update:
      key: "share_access_metadata:update"
      value: "(rule:admin_api) or (rule:project-member)"
    manila-share_access_metadata_delete:
      key: "share_access_metadata:delete"
      value: "(rule:admin_api) or (rule:project-member)"
  OctaviaApiPolicies:
    # The "admin" side of every rule here is a bare, unscoped role:admin.
    # NOTE(review): project-reader / project-member are referenced but not
    # defined in this section (the Manila block above defines its own copies
    # under ManilaApiPolicies; they are not shared).  They must resolve from
    # octavia's built-in policy defaults -- an undefined rule evaluates to
    # false in oslo.policy, which would silently lock out every non-admin
    # user.  Confirm the service ships these rule names.
    octavia-load-balancer_admin:
      key: "load-balancer:admin"
      value: "role:admin"
    octavia-load-balancer_read:
      key: "load-balancer:read"
      value: "role:admin or rule:project-reader"
    # read-global lists resources across all projects: admin only.
    octavia-load-balancer_read-global:
      key: "load-balancer:read-global"
      value: "role:admin"
    octavia-load-balancer_write:
      key: "load-balancer:write"
      value: "role:admin or rule:project-member"
    octavia-load-balancer_read-quota:
      key: "load-balancer:read-quota"
      value: "role:admin or rule:project-reader"
    octavia-load-balancer_read-quota-global:
      key: "load-balancer:read-quota-global"
      value: "role:admin"
    octavia-load-balancer_write-quota:
      key: "load-balancer:write-quota"
      value: "role:admin"
  IronicApiPolicies:
    # admin_api is an unscoped role check (same caveat as the other
    # services in this file: a project-scoped admin token satisfies it).
    ironic-admin_api:
      key: "admin_api"
      value: "role:admin"
    # Defined but not referenced by any policy in this section; the
    # unauthenticated agent endpoints below use an empty check instead.
    ironic-public_api:
      key: "public_api"
      value: "is_public_api:True"
    # "!" is oslo.policy's always-deny check.  These two gate whether
    # credential fields are rendered in API responses, so leave them denied
    # regardless of how the read policies below are widened.
    ironic-show_password:
      key: "show_password"
      value: "!"
    ironic-show_instance_secrets:
      key: "show_instance_secrets"
      value: "!"
    # Legacy pre-RBAC rules.  is_member matches on project *names* ("demo",
    # "baremetal") in the default domain; names are operator/user chosen and
    # make a weak authorization anchor.  None of is_member / is_observer /
    # is_admin / is_node_owner / is_node_lessee / is_allocation_owner is
    # referenced by the policies overridden in this section -- NOTE(review):
    # they are kept only in case ironic's built-in defaults for policies NOT
    # listed here still refer to them; confirm before removing.
    ironic-is_member:
      key: "is_member"
      value: "(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)"
    ironic-is_observer:
      key: "is_observer"
      value: "rule:is_member and (role:observer or role:baremetal_observer)"
    ironic-is_admin:
      key: "is_admin"
      value: "rule:admin_api or (rule:is_member and role:baremetal_admin)"
    ironic-is_node_owner:
      key: "is_node_owner"
      value: "project_id:%(node.owner)s"
    ironic-is_node_lessee:
      key: "is_node_lessee"
      value: "project_id:%(node.lessee)s"
    ironic-is_allocation_owner:
      key: "is_allocation_owner"
      value: "project_id:%(allocation.owner)s"
ironic-baremetal_node_create:
key: "baremetal:node:create"
value: "rule:admin_api"
ironic-baremetal_node_list:
key: "baremetal:node:list"
value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
ironic-baremetal_node_list_all:
key: "baremetal:node:list_all"
value: "rule:admin_api"
ironic-baremetal_node_get:
key: "baremetal:node:get"
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_node_get_filter_threshold:
key: "baremetal:node:get:filter_threshold"
value: "rule:admin_api"
ironic-baremetal_node_get_last_error:
key: "baremetal:node:get:last_error"
value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
ironic-baremetal_node_get_reservation:
key: "baremetal:node:get:reservation"
value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
ironic-baremetal_node_get_driver_internal_info:
key: "baremetal:node:get:driver_internal_info"
value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
ironic-baremetal_node_get_driver_info:
key: "baremetal:node:get:driver_info"
value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
ironic-baremetal_node_update_driver_info:
key: "baremetal:node:update:driver_info"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_update:
key: "baremetal:node:update"
value: "rule:baremetal:node:update:driver_info"
ironic-baremetal_node_update_properties:
key: "baremetal:node:update:properties"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_update_chassis_uuid:
key: "baremetal:node:update:chassis_uuid"
value: "rule:admin_api"
ironic-baremetal_node_update_instance_uuid:
key: "baremetal:node:update:instance_uuid"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_update_lessee:
key: "baremetal:node:update:lessee"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_update_owner:
key: "baremetal:node:update:owner"
value: "rule:admin_api"
ironic-baremetal_node_update_driver_interfaces:
key: "baremetal:node:update:driver_interfaces"
value: "rule:admin_api "
ironic-baremetal_node_update_network_data:
key: "baremetal:node:update:network_data"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_update_conductor_group:
key: "baremetal:node:update:conductor_group"
value: "rule:admin_api"
ironic-baremetal_node_update_name:
key: "baremetal:node:update:name"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_update_retired:
key: "baremetal:node:update:retired"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_update_extra:
key: "baremetal:node:update_extra"
value: "rule:admin_api or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_node_update_instance_info:
key: "baremetal:node:update_instance_info"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_update_owner_provisioned:
key: "baremetal:node:update_owner_provisioned"
value: "rule:admin_api"
ironic-baremetal_node_delete:
key: "baremetal:node:delete"
value: "rule:admin_api"
ironic-baremetal_node_validate:
key: "baremetal:node:validate"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_set_maintenance:
key: "baremetal:node:set_maintenance"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_clear_maintenance:
key: "baremetal:node:clear_maintenance"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_get_boot_device:
key: "baremetal:node:get_boot_device"
value: "rule:admin_api "
ironic-baremetal_node_set_boot_device:
key: "baremetal:node:set_boot_device"
value: "rule:admin_api "
ironic-baremetal_node_get_indicator_state:
key: "baremetal:node:get_indicator_state"
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_node_set_indicator_state:
key: "baremetal:node:set_indicator_state"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_inject_nmi:
key: "baremetal:node:inject_nmi"
value: "rule:admin_api "
ironic-baremetal_node_get_states:
key: "baremetal:node:get_states"
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_node_set_power_state:
key: "baremetal:node:set_power_state"
value: "rule:admin_api or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_node_set_boot_mode:
key: "baremetal:node:set_boot_mode"
value: "rule:admin_api or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_node_set_secure_boot:
key: "baremetal:node:set_secure_boot"
value: "rule:admin_api or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_node_set_provision_state:
key: "baremetal:node:set_provision_state"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_set_raid_state:
key: "baremetal:node:set_raid_state"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_get_console:
key: "baremetal:node:get_console"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_set_console_state:
key: "baremetal:node:set_console_state"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_vif_list:
key: "baremetal:node:vif:list"
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_node_vif_attach:
key: "baremetal:node:vif:attach"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_vif_detach:
key: "baremetal:node:vif:detach"
value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
ironic-baremetal_node_traits_list:
key: "baremetal:node:traits:list"
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_node_traits_set:
key: "baremetal:node:traits:set"
value: "rule:admin_api "
ironic-baremetal_node_traits_delete:
key: "baremetal:node:traits:delete"
value: "rule:admin_api "
ironic-baremetal_node_bios_get:
key: "baremetal:node:bios:get"
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_node_disable_cleaning:
key: "baremetal:node:disable_cleaning"
value: "rule:admin_api"
ironic-baremetal_node_history_get:
key: "baremetal:node:history:get"
value: "rule:admin_api or (role:reader and project_id:%(node.owner)s)"
ironic-baremetal_port_get:
key: "baremetal:port:get"
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_port_list:
key: "baremetal:port:list"
value: "role:reader"
ironic-baremetal_port_list_all:
key: "baremetal:port:list_all"
value: "rule:admin_api"
ironic-baremetal_port_create:
key: "baremetal:port:create"
value: "rule:admin_api "
ironic-baremetal_port_delete:
key: "baremetal:port:delete"
value: "rule:admin_api "
ironic-baremetal_port_update:
key: "baremetal:port:update"
value: "rule:admin_api "
ironic-baremetal_portgroup_get:
key: "baremetal:portgroup:get"
value: "rule:admin_api or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s))"
ironic-baremetal_portgroup_create:
key: "baremetal:portgroup:create"
value: "rule:admin_api "
ironic-baremetal_portgroup_delete:
key: "baremetal:portgroup:delete"
value: "rule:admin_api "
ironic-baremetal_portgroup_update:
key: "baremetal:portgroup:update"
value: "rule:admin_api "
ironic-baremetal_portgroup_list:
key: "baremetal:portgroup:list"
value: "role:reader"
ironic-baremetal_portgroup_list_all:
key: "baremetal:portgroup:list_all"
value: "rule:admin_api"
    # Chassis and driver introspection are operator-only, including reads.
    ironic-baremetal_chassis_get:
      key: "baremetal:chassis:get"
      value: "rule:admin_api"
    ironic-baremetal_chassis_create:
      key: "baremetal:chassis:create"
      value: "rule:admin_api"
    ironic-baremetal_chassis_delete:
      key: "baremetal:chassis:delete"
      value: "rule:admin_api"
    ironic-baremetal_chassis_update:
      key: "baremetal:chassis:update"
      value: "rule:admin_api"
    ironic-baremetal_driver_get:
      key: "baremetal:driver:get"
      value: "rule:admin_api"
    ironic-baremetal_driver_get_properties:
      key: "baremetal:driver:get_properties"
      value: "rule:admin_api"
    ironic-baremetal_driver_get_raid_logical_disk_properties:
      key: "baremetal:driver:get_raid_logical_disk_properties"
      value: "rule:admin_api"
    # vendor_passthru executes arbitrary driver-specific methods against the
    # BMC; never widen beyond admin.
    ironic-baremetal_node_vendor_passthru:
      key: "baremetal:node:vendor_passthru"
      value: "rule:admin_api"
    ironic-baremetal_driver_vendor_passthru:
      key: "baremetal:driver:vendor_passthru"
      value: "rule:admin_api"
    # Empty check string == always allow (oslo.policy maps "" to TrueCheck).
    # These are the endpoints the in-ramdisk agent calls; presumably it has
    # no keystone token, which is why the public_api rule defined earlier
    # is not used here.  Anyone who can reach the API can therefore post a
    # heartbeat or lookup -- ironic's own token check on the node must be
    # what protects these; NOTE(review): confirm.
    ironic-baremetal_node_ipa_heartbeat:
      key: "baremetal:node:ipa_heartbeat"
      value: ""
    ironic-baremetal_driver_ipa_lookup:
      key: "baremetal:driver:ipa_lookup"
      value: ""
    # Volume connectors/targets.  NOTE(review): volume:get is an alias of the
    # admin-only list_all rule, yet volume:update grants node-owner members
    # -- an owner can modify a volume record it is not permitted to read.
    # Confirm whether get was meant to carry the owner disjunct as well.
    ironic-baremetal_volume_list_all:
      key: "baremetal:volume:list_all"
      value: "rule:admin_api"
    ironic-baremetal_volume_get:
      key: "baremetal:volume:get"
      value: "rule:baremetal:volume:list_all"
    # Bare role:reader, same caveat as port:list: relies on server-side
    # project filtering.
    ironic-baremetal_volume_list:
      key: "baremetal:volume:list"
      value: "role:reader"
    ironic-baremetal_volume_create:
      key: "baremetal:volume:create"
      value: "rule:admin_api"
    ironic-baremetal_volume_delete:
      key: "baremetal:volume:delete"
      value: "rule:admin_api"
    ironic-baremetal_volume_update:
      key: "baremetal:volume:update"
      value: "rule:admin_api or (role:member and project_id:%(node.owner)s)"
    ironic-baremetal_volume_view_target_properties:
      key: "baremetal:volume:view_target_properties"
      value: "rule:admin_api"
    ironic-baremetal_conductor_get:
      key: "baremetal:conductor:get"
      value: "rule:admin_api"
    # Allocations are scoped by allocation.owner; the restricted and
    # pre-RBAC create paths stay admin.
    ironic-baremetal_allocation_get:
      key: "baremetal:allocation:get"
      value: "rule:admin_api or (role:reader and project_id:%(allocation.owner)s)"
    ironic-baremetal_allocation_list:
      key: "baremetal:allocation:list"
      value: "role:reader"
    ironic-baremetal_allocation_list_all:
      key: "baremetal:allocation:list_all"
      value: "rule:admin_api"
    ironic-baremetal_allocation_create:
      key: "baremetal:allocation:create"
      value: "rule:admin_api or (role:member and project_id:%(allocation.owner)s)"
    ironic-baremetal_allocation_create_restricted:
      key: "baremetal:allocation:create_restricted"
      value: "rule:admin_api"
    ironic-baremetal_allocation_delete:
      key: "baremetal:allocation:delete"
      value: "rule:admin_api or (role:member and project_id:%(allocation.owner)s)"
    ironic-baremetal_allocation_update:
      key: "baremetal:allocation:update"
      value: "rule:admin_api or (role:member and project_id:%(allocation.owner)s)"
    ironic-baremetal_allocation_create_pre_rbac:
      key: "baremetal:allocation:create_pre_rbac"
      value: "rule:admin_api"
    ironic-baremetal_events_post:
      key: "baremetal:events:post"
      value: "rule:admin_api"
    # Deploy templates define steps executed on every node that matches a
    # trait: admin only, including reads.
    ironic-baremetal_deploy_template_get:
      key: "baremetal:deploy_template:get"
      value: "rule:admin_api"
    ironic-baremetal_deploy_template_create:
      key: "baremetal:deploy_template:create"
      value: "rule:admin_api"
    ironic-baremetal_deploy_template_delete:
      key: "baremetal:deploy_template:delete"
      value: "rule:admin_api"
    ironic-baremetal_deploy_template_update:
      key: "baremetal:deploy_template:update"
      value: "rule:admin_api"