tripleo-heat-templates/environments/enable-secure-rbac.yaml


parameter_defaults:
# NOTE(review): this environment file is enable-secure-rbac.yaml, yet the flag
# is set to false while the per-service policies are spelled out explicitly
# below. Presumably the flag drives a separate mechanism; confirm the intended
# value against the templates that read EnforceSecureRbac.
EnforceSecureRbac: false
# Explicit policy overrides for the Nova (compute) API. Every entry pairs a
# policy name ("key") with an oslo.policy check string ("value"). The entry
# names (nova-...) look like unique labels only; confirm how the consuming
# template uses them.
#
# Check-string forms used in this section:
#   role:<name>             the token carries that role
#   system_scope:all        the token is system-scoped
#   project_id:%(...)s      the token's project matches the request target
#   rule:<name>             defers to another policy by name
#   "@" / "!"               always passes / never passes
NovaApiPolicies:
  # Role-only check: no project or system scope is required to match.
  nova-context_is_admin:
    key: "context_is_admin"
    value: "role:admin"
  # Legacy is_admin-based rules. No check string in this section refers to
  # admin_or_owner or admin_api by name.
  nova-admin_or_owner:
    key: "admin_or_owner"
    value: "is_admin:True or project_id:%(project_id)s"
  nova-admin_api:
    key: "admin_api"
    value: "is_admin:True"
  # Persona building blocks: system-scoped admin/reader and project-scoped
  # admin/member/reader. Most rules below are written in terms of these.
  nova-system_admin_api:
    key: "system_admin_api"
    value: "role:admin and system_scope:all"
  # NOTE(review): the policy name here is literally "rule:admin_api", not
  # "admin_api". A "rule:admin_api" reference resolves to the policy named
  # "admin_api" above, so this entry may never be consulted. It looks like an
  # artifact of generating the file from deprecated-rule mappings; verify.
  nova-rule_admin_api:
    key: "rule:admin_api"
    value: "rule:system_admin_api"
  nova-system_reader_api:
    key: "system_reader_api"
    value: "role:reader and system_scope:all"
  nova-project_admin_api:
    key: "project_admin_api"
    value: "role:admin and project_id:%(project_id)s"
  nova-project_member_api:
    key: "project_member_api"
    value: "role:member and project_id:%(project_id)s"
  # NOTE(review): same literal "rule:" prefix in the policy name as
  # "rule:admin_api" above; verify it is intentional.
  nova-rule_admin_or_owner:
    key: "rule:admin_or_owner"
    value: "rule:project_member_api"
  nova-project_reader_api:
    key: "project_reader_api"
    value: "role:reader and project_id:%(project_id)s"
  # Composite rules: system admin or project member for writes, system reader
  # or project reader for reads.
  nova-system_admin_or_owner:
    key: "system_admin_or_owner"
    value: "rule:system_admin_api or rule:project_member_api"
  nova-system_or_project_reader:
    key: "system_or_project_reader"
    value: "rule:system_reader_api or rule:project_reader_api"
  nova-os_compute_api_os-admin-actions_reset_state:
    key: "os_compute_api:os-admin-actions:reset_state"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-admin-actions_inject_network_info:
    key: "os_compute_api:os-admin-actions:inject_network_info"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-admin-password:
    key: "os_compute_api:os-admin-password"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-aggregates_set_metadata:
    key: "os_compute_api:os-aggregates:set_metadata"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-aggregates_add_host:
    key: "os_compute_api:os-aggregates:add_host"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-aggregates_create:
    key: "os_compute_api:os-aggregates:create"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-aggregates_remove_host:
    key: "os_compute_api:os-aggregates:remove_host"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-aggregates_update:
    key: "os_compute_api:os-aggregates:update"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-aggregates_index:
    key: "os_compute_api:os-aggregates:index"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-aggregates_delete:
    key: "os_compute_api:os-aggregates:delete"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-aggregates_show:
    key: "os_compute_api:os-aggregates:show"
    value: "rule:system_reader_api"
  nova-compute_aggregates_images:
    key: "compute:aggregates:images"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-assisted-volume-snapshots_create:
    key: "os_compute_api:os-assisted-volume-snapshots:create"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-assisted-volume-snapshots_delete:
    key: "os_compute_api:os-assisted-volume-snapshots:delete"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-attach-interfaces_list:
    key: "os_compute_api:os-attach-interfaces:list"
    value: "rule:system_or_project_reader"
  # Un-suffixed policy name that defers to the granular ":list" rule;
  # presumably kept for a deprecated policy name. The same pattern recurs
  # below (os-baremetal-nodes, os-hosts, os-hypervisors, ...).
  nova-os_compute_api_os-attach-interfaces:
    key: "os_compute_api:os-attach-interfaces"
    value: "rule:os_compute_api:os-attach-interfaces:list"
  nova-os_compute_api_os-attach-interfaces_show:
    key: "os_compute_api:os-attach-interfaces:show"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-attach-interfaces_create:
    key: "os_compute_api:os-attach-interfaces:create"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-attach-interfaces_delete:
    key: "os_compute_api:os-attach-interfaces:delete"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-availability-zone_list:
    key: "os_compute_api:os-availability-zone:list"
    value: "@"  # always passes: policy requires no role or scope
  nova-os_compute_api_os-availability-zone_detail:
    key: "os_compute_api:os-availability-zone:detail"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-baremetal-nodes_list:
    key: "os_compute_api:os-baremetal-nodes:list"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-baremetal-nodes:
    key: "os_compute_api:os-baremetal-nodes"
    value: "rule:os_compute_api:os-baremetal-nodes:list"
  nova-os_compute_api_os-baremetal-nodes_show:
    key: "os_compute_api:os-baremetal-nodes:show"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-console-auth-tokens:
    key: "os_compute_api:os-console-auth-tokens"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-console-output:
    key: "os_compute_api:os-console-output"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-create-backup:
    key: "os_compute_api:os-create-backup"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-deferred-delete_restore:
    key: "os_compute_api:os-deferred-delete:restore"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-deferred-delete:
    key: "os_compute_api:os-deferred-delete"
    value: "rule:os_compute_api:os-deferred-delete:restore"
  nova-os_compute_api_os-deferred-delete_force:
    key: "os_compute_api:os-deferred-delete:force"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-evacuate:
    key: "os_compute_api:os-evacuate"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-extended-server-attributes:
    key: "os_compute_api:os-extended-server-attributes"
    value: "rule:system_admin_api"
  nova-os_compute_api_extensions:
    key: "os_compute_api:extensions"
    value: "@"  # always passes
  nova-os_compute_api_os-flavor-access_add_tenant_access:
    key: "os_compute_api:os-flavor-access:add_tenant_access"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-flavor-access_remove_tenant_access:
    key: "os_compute_api:os-flavor-access:remove_tenant_access"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-flavor-access:
    key: "os_compute_api:os-flavor-access"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-flavor-extra-specs_show:
    key: "os_compute_api:os-flavor-extra-specs:show"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-flavor-extra-specs_create:
    key: "os_compute_api:os-flavor-extra-specs:create"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-flavor-extra-specs_update:
    key: "os_compute_api:os-flavor-extra-specs:update"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-flavor-extra-specs_delete:
    key: "os_compute_api:os-flavor-extra-specs:delete"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-flavor-extra-specs_index:
    key: "os_compute_api:os-flavor-extra-specs:index"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-flavor-manage_create:
    key: "os_compute_api:os-flavor-manage:create"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-flavor-manage_update:
    key: "os_compute_api:os-flavor-manage:update"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-flavor-manage_delete:
    key: "os_compute_api:os-flavor-manage:delete"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-floating-ip-pools:
    key: "os_compute_api:os-floating-ip-pools"
    value: "@"  # always passes
  nova-os_compute_api_os-floating-ips_add:
    key: "os_compute_api:os-floating-ips:add"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-floating-ips:
    key: "os_compute_api:os-floating-ips"
    value: "rule:os_compute_api:os-floating-ips:add"
  nova-os_compute_api_os-floating-ips_remove:
    key: "os_compute_api:os-floating-ips:remove"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-floating-ips_list:
    key: "os_compute_api:os-floating-ips:list"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-floating-ips_create:
    key: "os_compute_api:os-floating-ips:create"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-floating-ips_show:
    key: "os_compute_api:os-floating-ips:show"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-floating-ips_delete:
    key: "os_compute_api:os-floating-ips:delete"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-hosts_list:
    key: "os_compute_api:os-hosts:list"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-hosts:
    key: "os_compute_api:os-hosts"
    value: "rule:os_compute_api:os-hosts:list"
  nova-os_compute_api_os-hosts_show:
    key: "os_compute_api:os-hosts:show"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-hosts_update:
    key: "os_compute_api:os-hosts:update"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-hosts_reboot:
    key: "os_compute_api:os-hosts:reboot"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-hosts_shutdown:
    key: "os_compute_api:os-hosts:shutdown"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-hosts_start:
    key: "os_compute_api:os-hosts:start"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-hypervisors_list:
    key: "os_compute_api:os-hypervisors:list"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-hypervisors:
    key: "os_compute_api:os-hypervisors"
    value: "rule:os_compute_api:os-hypervisors:list"
  nova-os_compute_api_os-hypervisors_list-detail:
    key: "os_compute_api:os-hypervisors:list-detail"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-hypervisors_statistics:
    key: "os_compute_api:os-hypervisors:statistics"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-hypervisors_show:
    key: "os_compute_api:os-hypervisors:show"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-hypervisors_uptime:
    key: "os_compute_api:os-hypervisors:uptime"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-hypervisors_search:
    key: "os_compute_api:os-hypervisors:search"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-hypervisors_servers:
    key: "os_compute_api:os-hypervisors:servers"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-instance-actions_events_details:
    key: "os_compute_api:os-instance-actions:events:details"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-instance-actions_events:
    key: "os_compute_api:os-instance-actions:events"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-instance-actions_list:
    key: "os_compute_api:os-instance-actions:list"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-instance-actions:
    key: "os_compute_api:os-instance-actions"
    value: "rule:os_compute_api:os-instance-actions:list"
  nova-os_compute_api_os-instance-actions_show:
    key: "os_compute_api:os-instance-actions:show"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-instance-usage-audit-log_list:
    key: "os_compute_api:os-instance-usage-audit-log:list"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-instance-usage-audit-log:
    key: "os_compute_api:os-instance-usage-audit-log"
    value: "rule:os_compute_api:os-instance-usage-audit-log:list"
  nova-os_compute_api_os-instance-usage-audit-log_show:
    key: "os_compute_api:os-instance-usage-audit-log:show"
    value: "rule:system_reader_api"
  nova-os_compute_api_ips_show:
    key: "os_compute_api:ips:show"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_ips_index:
    key: "os_compute_api:ips:index"
    value: "rule:system_or_project_reader"
  # Keypair rules add a user_id match: the second alternative passes when the
  # caller's user id equals the target's user_id, with no role or project
  # condition attached to that alternative.
  nova-os_compute_api_os-keypairs_index:
    key: "os_compute_api:os-keypairs:index"
    value: "(rule:system_reader_api) or user_id:%(user_id)s"
  nova-os_compute_api_os-keypairs_create:
    key: "os_compute_api:os-keypairs:create"
    value: "(rule:system_admin_api) or user_id:%(user_id)s"
  nova-os_compute_api_os-keypairs_delete:
    key: "os_compute_api:os-keypairs:delete"
    value: "(rule:system_admin_api) or user_id:%(user_id)s"
  nova-os_compute_api_os-keypairs_show:
    key: "os_compute_api:os-keypairs:show"
    value: "(rule:system_reader_api) or user_id:%(user_id)s"
  nova-os_compute_api_limits:
    key: "os_compute_api:limits"
    value: "@"  # always passes
  nova-os_compute_api_limits_other_project:
    key: "os_compute_api:limits:other_project"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-used-limits:
    key: "os_compute_api:os-used-limits"
    value: "rule:os_compute_api:limits:other_project"
  nova-os_compute_api_os-lock-server_lock:
    key: "os_compute_api:os-lock-server:lock"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-lock-server_unlock:
    key: "os_compute_api:os-lock-server:unlock"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-lock-server_unlock_unlock_override:
    key: "os_compute_api:os-lock-server:unlock:unlock_override"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-migrate-server_migrate:
    key: "os_compute_api:os-migrate-server:migrate"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-migrate-server_migrate_live:
    key: "os_compute_api:os-migrate-server:migrate_live"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-migrations_index:
    key: "os_compute_api:os-migrations:index"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-multinic_add:
    key: "os_compute_api:os-multinic:add"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-multinic:
    key: "os_compute_api:os-multinic"
    value: "rule:os_compute_api:os-multinic:add"
  nova-os_compute_api_os-multinic_remove:
    key: "os_compute_api:os-multinic:remove"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-networks_list:
    key: "os_compute_api:os-networks:list"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-networks_view:
    key: "os_compute_api:os-networks:view"
    value: "rule:os_compute_api:os-networks:list"
  nova-os_compute_api_os-networks_show:
    key: "os_compute_api:os-networks:show"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-pause-server_pause:
    key: "os_compute_api:os-pause-server:pause"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-pause-server_unpause:
    key: "os_compute_api:os-pause-server:unpause"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-quota-class-sets_show:
    key: "os_compute_api:os-quota-class-sets:show"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-quota-class-sets_update:
    key: "os_compute_api:os-quota-class-sets:update"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-quota-sets_update:
    key: "os_compute_api:os-quota-sets:update"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-quota-sets_defaults:
    key: "os_compute_api:os-quota-sets:defaults"
    value: "@"  # always passes
  nova-os_compute_api_os-quota-sets_show:
    key: "os_compute_api:os-quota-sets:show"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-quota-sets_delete:
    key: "os_compute_api:os-quota-sets:delete"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-quota-sets_detail:
    key: "os_compute_api:os-quota-sets:detail"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-remote-consoles:
    key: "os_compute_api:os-remote-consoles"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-rescue:
    key: "os_compute_api:os-rescue"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-unrescue:
    key: "os_compute_api:os-unrescue"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-security-groups_get:
    key: "os_compute_api:os-security-groups:get"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-security-groups:
    key: "os_compute_api:os-security-groups"
    value: "rule:os_compute_api:os-security-groups:get"
  nova-os_compute_api_os-security-groups_show:
    key: "os_compute_api:os-security-groups:show"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-security-groups_create:
    key: "os_compute_api:os-security-groups:create"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-security-groups_update:
    key: "os_compute_api:os-security-groups:update"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-security-groups_delete:
    key: "os_compute_api:os-security-groups:delete"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-security-groups_rule_create:
    key: "os_compute_api:os-security-groups:rule:create"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-security-groups_rule_delete:
    key: "os_compute_api:os-security-groups:rule:delete"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-security-groups_list:
    key: "os_compute_api:os-security-groups:list"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-security-groups_add:
    key: "os_compute_api:os-security-groups:add"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-security-groups_remove:
    key: "os_compute_api:os-security-groups:remove"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-server-diagnostics:
    key: "os_compute_api:os-server-diagnostics"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-server-external-events_create:
    key: "os_compute_api:os-server-external-events:create"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-server-groups_create:
    key: "os_compute_api:os-server-groups:create"
    value: "rule:project_member_api"
  nova-os_compute_api_os-server-groups_delete:
    key: "os_compute_api:os-server-groups:delete"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-server-groups_index:
    key: "os_compute_api:os-server-groups:index"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-server-groups_index_all_projects:
    key: "os_compute_api:os-server-groups:index:all_projects"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-server-groups_show:
    key: "os_compute_api:os-server-groups:show"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_server-metadata_index:
    key: "os_compute_api:server-metadata:index"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_server-metadata_show:
    key: "os_compute_api:server-metadata:show"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_server-metadata_create:
    key: "os_compute_api:server-metadata:create"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_server-metadata_update_all:
    key: "os_compute_api:server-metadata:update_all"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_server-metadata_update:
    key: "os_compute_api:server-metadata:update"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_server-metadata_delete:
    key: "os_compute_api:server-metadata:delete"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-server-password_show:
    key: "os_compute_api:os-server-password:show"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-server-password:
    key: "os_compute_api:os-server-password"
    value: "rule:os_compute_api:os-server-password:show"
  nova-os_compute_api_os-server-password_clear:
    key: "os_compute_api:os-server-password:clear"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-server-tags_delete_all:
    key: "os_compute_api:os-server-tags:delete_all"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-server-tags_index:
    key: "os_compute_api:os-server-tags:index"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-server-tags_update_all:
    key: "os_compute_api:os-server-tags:update_all"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-server-tags_delete:
    key: "os_compute_api:os-server-tags:delete"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-server-tags_update:
    key: "os_compute_api:os-server-tags:update"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-server-tags_show:
    key: "os_compute_api:os-server-tags:show"
    value: "rule:system_or_project_reader"
  nova-compute_server_topology_index:
    key: "compute:server:topology:index"
    value: "rule:system_or_project_reader"
  nova-compute_server_topology_host_index:
    key: "compute:server:topology:host:index"
    value: "rule:system_reader_api"
  nova-os_compute_api_servers_index:
    key: "os_compute_api:servers:index"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_servers_detail:
    key: "os_compute_api:servers:detail"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_servers_index_get_all_tenants:
    key: "os_compute_api:servers:index:get_all_tenants"
    value: "rule:system_reader_api"
  nova-os_compute_api_servers_detail_get_all_tenants:
    key: "os_compute_api:servers:detail:get_all_tenants"
    value: "rule:system_reader_api"
  nova-os_compute_api_servers_allow_all_filters:
    key: "os_compute_api:servers:allow_all_filters"
    value: "rule:system_reader_api"
  nova-os_compute_api_servers_show:
    key: "os_compute_api:servers:show"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_servers_show_host_status:
    key: "os_compute_api:servers:show:host_status"
    value: "rule:system_admin_api"
  nova-os_compute_api_servers_show_host_status_unknown-only:
    key: "os_compute_api:servers:show:host_status:unknown-only"
    value: "rule:system_admin_api"
  # Server creation is project-scoped only: these rules name
  # project_member_api or project_admin_api, so a system-scoped admin does not
  # match them.
  nova-os_compute_api_servers_create:
    key: "os_compute_api:servers:create"
    value: "rule:project_member_api"
  nova-os_compute_api_servers_create_forced_host:
    key: "os_compute_api:servers:create:forced_host"
    value: "rule:project_admin_api"
  nova-compute_servers_create_requested_destination:
    key: "compute:servers:create:requested_destination"
    value: "rule:project_admin_api"
  nova-os_compute_api_servers_create_attach_volume:
    key: "os_compute_api:servers:create:attach_volume"
    value: "rule:project_member_api"
  nova-os_compute_api_servers_create_attach_network:
    key: "os_compute_api:servers:create:attach_network"
    value: "rule:project_member_api"
  nova-os_compute_api_servers_create_trusted_certs:
    key: "os_compute_api:servers:create:trusted_certs"
    value: "rule:project_member_api"
  nova-os_compute_api_servers_create_zero_disk_flavor:
    key: "os_compute_api:servers:create:zero_disk_flavor"
    value: "rule:project_admin_api"
  nova-network_attach_external_network:
    key: "network:attach_external_network"
    value: "rule:project_admin_api"
  nova-os_compute_api_servers_delete:
    key: "os_compute_api:servers:delete"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_servers_update:
    key: "os_compute_api:servers:update"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_servers_confirm_resize:
    key: "os_compute_api:servers:confirm_resize"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_servers_revert_resize:
    key: "os_compute_api:servers:revert_resize"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_servers_reboot:
    key: "os_compute_api:servers:reboot"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_servers_resize:
    key: "os_compute_api:servers:resize"
    value: "rule:system_admin_or_owner"
  nova-compute_servers_resize_cross_cell:
    key: "compute:servers:resize:cross_cell"
    value: "!"  # never passes: denied for every caller, admins included
  nova-os_compute_api_servers_rebuild:
    key: "os_compute_api:servers:rebuild"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_servers_rebuild_trusted_certs:
    key: "os_compute_api:servers:rebuild:trusted_certs"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_servers_create_image:
    key: "os_compute_api:servers:create_image"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_servers_create_image_allow_volume_backed:
    key: "os_compute_api:servers:create_image:allow_volume_backed"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_servers_start:
    key: "os_compute_api:servers:start"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_servers_stop:
    key: "os_compute_api:servers:stop"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_servers_trigger_crash_dump:
    key: "os_compute_api:servers:trigger_crash_dump"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_servers_migrations_show:
    key: "os_compute_api:servers:migrations:show"
    value: "rule:system_reader_api"
  nova-os_compute_api_servers_migrations_force_complete:
    key: "os_compute_api:servers:migrations:force_complete"
    value: "rule:system_admin_api"
  nova-os_compute_api_servers_migrations_delete:
    key: "os_compute_api:servers:migrations:delete"
    value: "rule:system_admin_api"
  nova-os_compute_api_servers_migrations_index:
    key: "os_compute_api:servers:migrations:index"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-services_list:
    key: "os_compute_api:os-services:list"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-services:
    key: "os_compute_api:os-services"
    value: "rule:os_compute_api:os-services:list"
  nova-os_compute_api_os-services_update:
    key: "os_compute_api:os-services:update"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-services_delete:
    key: "os_compute_api:os-services:delete"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-shelve_shelve:
    key: "os_compute_api:os-shelve:shelve"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-shelve_unshelve:
    key: "os_compute_api:os-shelve:unshelve"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-shelve_shelve_offload:
    key: "os_compute_api:os-shelve:shelve_offload"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-simple-tenant-usage_show:
    key: "os_compute_api:os-simple-tenant-usage:show"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-simple-tenant-usage_list:
    key: "os_compute_api:os-simple-tenant-usage:list"
    value: "rule:system_reader_api"
  nova-os_compute_api_os-suspend-server_resume:
    key: "os_compute_api:os-suspend-server:resume"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-suspend-server_suspend:
    key: "os_compute_api:os-suspend-server:suspend"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-tenant-networks_list:
    key: "os_compute_api:os-tenant-networks:list"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-tenant-networks:
    key: "os_compute_api:os-tenant-networks"
    value: "rule:os_compute_api:os-tenant-networks:list"
  nova-os_compute_api_os-tenant-networks_show:
    key: "os_compute_api:os-tenant-networks:show"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-volumes_list:
    key: "os_compute_api:os-volumes:list"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-volumes:
    key: "os_compute_api:os-volumes"
    value: "rule:os_compute_api:os-volumes:list"
  nova-os_compute_api_os-volumes_create:
    key: "os_compute_api:os-volumes:create"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-volumes_detail:
    key: "os_compute_api:os-volumes:detail"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-volumes_show:
    key: "os_compute_api:os-volumes:show"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-volumes_delete:
    key: "os_compute_api:os-volumes:delete"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-volumes_snapshots_list:
    key: "os_compute_api:os-volumes:snapshots:list"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-volumes_snapshots_create:
    key: "os_compute_api:os-volumes:snapshots:create"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-volumes_snapshots_detail:
    key: "os_compute_api:os-volumes:snapshots:detail"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-volumes_snapshots_show:
    key: "os_compute_api:os-volumes:snapshots:show"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-volumes_snapshots_delete:
    key: "os_compute_api:os-volumes:snapshots:delete"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-volumes-attachments_index:
    key: "os_compute_api:os-volumes-attachments:index"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-volumes-attachments_create:
    key: "os_compute_api:os-volumes-attachments:create"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-volumes-attachments_show:
    key: "os_compute_api:os-volumes-attachments:show"
    value: "rule:system_or_project_reader"
  nova-os_compute_api_os-volumes-attachments_update:
    key: "os_compute_api:os-volumes-attachments:update"
    value: "rule:system_admin_or_owner"
  nova-os_compute_api_os-volumes-attachments_swap:
    key: "os_compute_api:os-volumes-attachments:swap"
    value: "rule:system_admin_api"
  nova-os_compute_api_os-volumes-attachments_delete:
    key: "os_compute_api:os-volumes-attachments:delete"
    value: "rule:system_admin_or_owner"
# Explicit policy overrides for the Placement API, in the same key/value form
# as the other service sections. Apart from placement:usages, every operation
# listed here resolves to a system-scoped rule: system_reader_api for reads,
# system_admin_api for writes.
PlacementPolicies:
  # Role-only check: no project or system scope is required to match. No check
  # string in this section refers to admin_api by name.
  placement-admin_api:
    key: "admin_api"
    value: "role:admin"
  placement-system_admin_api:
    key: "system_admin_api"
    value: "role:admin and system_scope:all"
  # NOTE(review): the policy name is literally "rule:admin_api", not
  # "admin_api". A "rule:admin_api" reference resolves to the policy named
  # "admin_api" above, so this entry may never be consulted; verify.
  placement-rule_admin_api:
    key: "rule:admin_api"
    value: "rule:system_admin_api"
  placement-system_reader_api:
    key: "system_reader_api"
    value: "role:reader and system_scope:all"
  placement-project_reader_api:
    key: "project_reader_api"
    value: "role:reader and project_id:%(project_id)s"
  placement-system_or_project_reader:
    key: "system_or_project_reader"
    value: "rule:system_reader_api or rule:project_reader_api"
  placement-placement_resource_providers_list:
    key: "placement:resource_providers:list"
    value: "rule:system_reader_api"
  placement-placement_resource_providers_create:
    key: "placement:resource_providers:create"
    value: "rule:system_admin_api"
  placement-placement_resource_providers_show:
    key: "placement:resource_providers:show"
    value: "rule:system_reader_api"
  placement-placement_resource_providers_update:
    key: "placement:resource_providers:update"
    value: "rule:system_admin_api"
  placement-placement_resource_providers_delete:
    key: "placement:resource_providers:delete"
    value: "rule:system_admin_api"
  placement-placement_resource_classes_list:
    key: "placement:resource_classes:list"
    value: "rule:system_reader_api"
  placement-placement_resource_classes_create:
    key: "placement:resource_classes:create"
    value: "rule:system_admin_api"
  placement-placement_resource_classes_show:
    key: "placement:resource_classes:show"
    value: "rule:system_reader_api"
  placement-placement_resource_classes_update:
    key: "placement:resource_classes:update"
    value: "rule:system_admin_api"
  placement-placement_resource_classes_delete:
    key: "placement:resource_classes:delete"
    value: "rule:system_admin_api"
  placement-placement_resource_providers_inventories_list:
    key: "placement:resource_providers:inventories:list"
    value: "rule:system_reader_api"
  placement-placement_resource_providers_inventories_create:
    key: "placement:resource_providers:inventories:create"
    value: "rule:system_admin_api"
  placement-placement_resource_providers_inventories_show:
    key: "placement:resource_providers:inventories:show"
    value: "rule:system_reader_api"
  placement-placement_resource_providers_inventories_update:
    key: "placement:resource_providers:inventories:update"
    value: "rule:system_admin_api"
  placement-placement_resource_providers_inventories_delete:
    key: "placement:resource_providers:inventories:delete"
    value: "rule:system_admin_api"
  placement-placement_resource_providers_aggregates_list:
    key: "placement:resource_providers:aggregates:list"
    value: "rule:system_reader_api"
  placement-placement_resource_providers_aggregates_update:
    key: "placement:resource_providers:aggregates:update"
    value: "rule:system_admin_api"
  placement-placement_resource_providers_usages:
    key: "placement:resource_providers:usages"
    value: "rule:system_reader_api"
  # The only Placement operation in this section that a project-scoped reader
  # can pass.
  placement-placement_usages:
    key: "placement:usages"
    value: "rule:system_or_project_reader"
  placement-placement_traits_list:
    key: "placement:traits:list"
    value: "rule:system_reader_api"
  placement-placement_traits_show:
    key: "placement:traits:show"
    value: "rule:system_reader_api"
  placement-placement_traits_update:
    key: "placement:traits:update"
    value: "rule:system_admin_api"
  placement-placement_traits_delete:
    key: "placement:traits:delete"
    value: "rule:system_admin_api"
  placement-placement_resource_providers_traits_list:
    key: "placement:resource_providers:traits:list"
    value: "rule:system_reader_api"
  placement-placement_resource_providers_traits_update:
    key: "placement:resource_providers:traits:update"
    value: "rule:system_admin_api"
  placement-placement_resource_providers_traits_delete:
    key: "placement:resource_providers:traits:delete"
    value: "rule:system_admin_api"
  placement-placement_allocations_manage:
    key: "placement:allocations:manage"
    value: "rule:system_admin_api"
  placement-placement_allocations_list:
    key: "placement:allocations:list"
    value: "rule:system_reader_api"
  placement-placement_allocations_update:
    key: "placement:allocations:update"
    value: "rule:system_admin_api"
  placement-placement_allocations_delete:
    key: "placement:allocations:delete"
    value: "rule:system_admin_api"
  placement-placement_resource_providers_allocations_list:
    key: "placement:resource_providers:allocations:list"
    value: "rule:system_reader_api"
  placement-placement_allocation_candidates_list:
    key: "placement:allocation_candidates:list"
    value: "rule:system_reader_api"
  placement-placement_reshaper_reshape:
    key: "placement:reshaper:reshape"
    value: "rule:system_admin_api"
# Neutron policy overrides. The shared building-block rules come first; the
# per-API entries further down reference them as `rule:<name>`.
NeutronApiPolicies:
# NOTE(review): this check matches the admin role with no system_scope or
# project_id term, so every rule built on it (admin_or_owner,
# admin_or_network_owner, admin_only, admin_or_ext_parent_owner) passes for an
# admin role assignment on any project. Confirm that is intended next to the
# system-scoped per-API rules below.
neutron-context_is_admin:
key: "context_is_admin"
value: "role:admin"
# Ownership check: the caller's tenant_id must equal the target's tenant_id.
# No role term is involved.
neutron-owner:
key: "owner"
value: "tenant_id:%(tenant_id)s"
neutron-admin_or_owner:
key: "admin_or_owner"
value: "rule:context_is_admin or rule:owner"
neutron-context_is_advsvc:
key: "context_is_advsvc"
value: "role:advsvc"
neutron-admin_or_network_owner:
key: "admin_or_network_owner"
value: "rule:context_is_admin or tenant_id:%(network:tenant_id)s"
neutron-admin_owner_or_network_owner:
key: "admin_owner_or_network_owner"
value: "rule:owner or rule:admin_or_network_owner"
# Compares the caller's tenant_id with the tenant_id of the parent network.
# Carries no role requirement, so any role held on that project satisfies it.
neutron-network_owner:
key: "network_owner"
value: "tenant_id:%(network:tenant_id)s"
neutron-admin_only:
key: "admin_only"
value: "rule:context_is_admin"
# An empty check string always passes in oslo.policy.
neutron-regular_user:
key: "regular_user"
value: ""
# Target-attribute check: true when the network being accessed is shared.
neutron-shared:
key: "shared"
value: "field:networks:shared=True"
# Presumably the fallback for any Neutron API without an explicit rule --
# verify. It resolves to context_is_admin (unscoped admin role) or owner.
neutron-default:
key: "default"
value: "rule:admin_or_owner"
neutron-admin_or_ext_parent_owner:
key: "admin_or_ext_parent_owner"
value: "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s"
# Like network_owner, these two compare tenant_id only and carry no role term.
neutron-ext_parent_owner:
key: "ext_parent_owner"
value: "tenant_id:%(ext_parent:tenant_id)s"
neutron-sg_owner:
key: "sg_owner"
value: "tenant_id:%(security_group:tenant_id)s"
# Address groups and address scopes.
# NOTE(review): get_address_group is the only address-group action overridden
# in this NeutronApiPolicies section; create/update/delete presumably keep the
# service's built-in defaults -- verify those match the intended model.
neutron-shared_address_groups:
key: "shared_address_groups"
value: "field:address_groups:shared=True"
# Readable by system readers, readers of the owning project, or anyone when
# the group is shared (the field check has no role or project term).
neutron-get_address_group:
key: "get_address_group"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups"
neutron-shared_address_scopes:
key: "shared_address_scopes"
value: "field:address_scopes:shared=True"
neutron-create_address_scope:
key: "create_address_scope"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
# `<action>:<attribute>` entries guard a single request attribute; here only a
# system-scoped admin may set `shared`, on create and on update.
neutron-create_address_scope_shared:
key: "create_address_scope:shared"
value: "role:admin and system_scope:all"
neutron-get_address_scope:
key: "get_address_scope"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_address_scopes"
neutron-update_address_scope:
key: "update_address_scope"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-update_address_scope_shared:
key: "update_address_scope:shared"
value: "role:admin and system_scope:all"
neutron-delete_address_scope:
key: "delete_address_scope"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
# Agent and scheduler APIs: every rule in this group requires a system-scoped
# token -- reader to view, admin to change. No project-scoped alternative.
neutron-get_agent:
key: "get_agent"
value: "role:reader and system_scope:all"
neutron-update_agent:
key: "update_agent"
value: "role:admin and system_scope:all"
neutron-delete_agent:
key: "delete_agent"
value: "role:admin and system_scope:all"
neutron-create_dhcp-network:
key: "create_dhcp-network"
value: "role:admin and system_scope:all"
neutron-get_dhcp-networks:
key: "get_dhcp-networks"
value: "role:reader and system_scope:all"
neutron-delete_dhcp-network:
key: "delete_dhcp-network"
value: "role:admin and system_scope:all"
neutron-create_l3-router:
key: "create_l3-router"
value: "role:admin and system_scope:all"
neutron-get_l3-routers:
key: "get_l3-routers"
value: "role:reader and system_scope:all"
neutron-delete_l3-router:
key: "delete_l3-router"
value: "role:admin and system_scope:all"
neutron-get_dhcp-agents:
key: "get_dhcp-agents"
value: "role:reader and system_scope:all"
neutron-get_l3-agents:
key: "get_l3-agents"
value: "role:reader and system_scope:all"
# Auto-allocated topology is project-facing: project readers may view it and
# project members may delete it, alongside the system-scoped roles.
neutron-get_auto_allocated_topology:
key: "get_auto_allocated_topology"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
neutron-delete_auto_allocated_topology:
key: "delete_auto_allocated_topology"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
# System readers only; project-scoped tokens do not match this rule.
neutron-get_availability_zone:
key: "get_availability_zone"
value: "role:reader and system_scope:all"
# Flavors and service profiles: all writes are system-admin only. Flavor reads
# (and flavor/profile association reads) also admit project readers; the
# service-profile read itself is limited to system readers.
neutron-create_flavor:
key: "create_flavor"
value: "role:admin and system_scope:all"
neutron-get_flavor:
key: "get_flavor"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
neutron-update_flavor:
key: "update_flavor"
value: "role:admin and system_scope:all"
neutron-delete_flavor:
key: "delete_flavor"
value: "role:admin and system_scope:all"
neutron-create_service_profile:
key: "create_service_profile"
value: "role:admin and system_scope:all"
neutron-get_service_profile:
key: "get_service_profile"
value: "role:reader and system_scope:all"
neutron-update_service_profile:
key: "update_service_profile"
value: "role:admin and system_scope:all"
neutron-delete_service_profile:
key: "delete_service_profile"
value: "role:admin and system_scope:all"
neutron-get_flavor_service_profile:
key: "get_flavor_service_profile"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
neutron-create_flavor_service_profile:
key: "create_flavor_service_profile"
value: "role:admin and system_scope:all"
neutron-delete_flavor_service_profile:
key: "delete_flavor_service_profile"
value: "role:admin and system_scope:all"
# Floating IPs: project members manage their own; system admins manage any.
neutron-create_floatingip:
key: "create_floatingip"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
# Choosing the specific floating address is reserved for system admins.
neutron-create_floatingip_floating_ip_address:
key: "create_floatingip:floating_ip_address"
value: "role:admin and system_scope:all"
neutron-get_floatingip:
key: "get_floatingip"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
neutron-update_floatingip:
key: "update_floatingip"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-delete_floatingip:
key: "delete_floatingip"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-get_floatingip_pool:
key: "get_floatingip_pool"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
# NOTE(review): in the port-forwarding and conntrack-helper rules below, the
# trailing `or rule:ext_parent_owner` alternative is a tenant_id comparison
# with no role term. As written, any role held on the parent resource's
# project -- including reader -- appears to satisfy the create/update/delete
# rules. Confirm whether a `role:member and` guard was intended there.
neutron-create_floatingip_port_forwarding:
key: "create_floatingip_port_forwarding"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
neutron-get_floatingip_port_forwarding:
key: "get_floatingip_port_forwarding"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
neutron-update_floatingip_port_forwarding:
key: "update_floatingip_port_forwarding"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
neutron-delete_floatingip_port_forwarding:
key: "delete_floatingip_port_forwarding"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
neutron-create_router_conntrack_helper:
key: "create_router_conntrack_helper"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
neutron-get_router_conntrack_helper:
key: "get_router_conntrack_helper"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner"
neutron-update_router_conntrack_helper:
key: "update_router_conntrack_helper"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
neutron-delete_router_conntrack_helper:
key: "delete_router_conntrack_helper"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner"
# Network logging and metering: every rule here requires a system-scoped
# token (reader to view, admin to create/update/delete). Project-scoped users
# cannot enable, alter or remove logging through these rules.
neutron-get_loggable_resource:
key: "get_loggable_resource"
value: "role:reader and system_scope:all"
neutron-create_log:
key: "create_log"
value: "role:admin and system_scope:all"
neutron-get_log:
key: "get_log"
value: "role:reader and system_scope:all"
neutron-update_log:
key: "update_log"
value: "role:admin and system_scope:all"
neutron-delete_log:
key: "delete_log"
value: "role:admin and system_scope:all"
neutron-create_metering_label:
key: "create_metering_label"
value: "role:admin and system_scope:all"
neutron-get_metering_label:
key: "get_metering_label"
value: "role:reader and system_scope:all"
neutron-delete_metering_label:
key: "delete_metering_label"
value: "role:admin and system_scope:all"
neutron-create_metering_label_rule:
key: "create_metering_label_rule"
value: "role:admin and system_scope:all"
neutron-get_metering_label_rule:
key: "get_metering_label_rule"
value: "role:reader and system_scope:all"
neutron-delete_metering_label_rule:
key: "delete_metering_label_rule"
value: "role:admin and system_scope:all"
# Target-attribute check: true when the network is marked router:external.
neutron-external:
key: "external"
value: "field:networks:router:external=True"
# Network creation. The base action is open to project members; the
# attribute-level entries that follow narrow who may set individual fields.
neutron-create_network:
key: "create_network"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
# shared, router:external, is_default, segments and all provider:* attributes
# are settable by system admins only.
neutron-create_network_shared:
key: "create_network:shared"
value: "role:admin and system_scope:all"
neutron-create_network_router_external:
key: "create_network:router:external"
value: "role:admin and system_scope:all"
neutron-create_network_is_default:
key: "create_network:is_default"
value: "role:admin and system_scope:all"
# NOTE(review): project members may set port_security_enabled on their own
# networks. Turning it off removes the anti-spoofing protection for ports on
# that network, so changes to this attribute are worth auditing.
neutron-create_network_port_security_enabled:
key: "create_network:port_security_enabled"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-create_network_segments:
key: "create_network:segments"
value: "role:admin and system_scope:all"
neutron-create_network_provider_network_type:
key: "create_network:provider:network_type"
value: "role:admin and system_scope:all"
neutron-create_network_provider_physical_network:
key: "create_network:provider:physical_network"
value: "role:admin and system_scope:all"
neutron-create_network_provider_segmentation_id:
key: "create_network:provider:segmentation_id"
value: "role:admin and system_scope:all"
# Network reads. Besides the reader-role alternatives, the rule passes when
# the network is shared or external, or when the caller has the advsvc role.
# rule:shared and rule:external are target-attribute checks with no role or
# project term, so they admit any caller for such networks.
neutron-get_network:
key: "get_network"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc"
neutron-get_network_router_external:
key: "get_network:router:external"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
# Segment and provider details (network type, physical network,
# segmentation id) are visible to system readers only.
neutron-get_network_segments:
key: "get_network:segments"
value: "role:reader and system_scope:all"
neutron-get_network_provider_network_type:
key: "get_network:provider:network_type"
value: "role:reader and system_scope:all"
neutron-get_network_provider_physical_network:
key: "get_network:provider:physical_network"
value: "role:reader and system_scope:all"
neutron-get_network_provider_segmentation_id:
key: "get_network:provider:segmentation_id"
value: "role:reader and system_scope:all"
# Network updates mirror the create rules: the base action admits project
# members, while segments, shared, provider:*, router:external and is_default
# can be changed by system admins only.
neutron-update_network:
key: "update_network"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-update_network_segments:
key: "update_network:segments"
value: "role:admin and system_scope:all"
neutron-update_network_shared:
key: "update_network:shared"
value: "role:admin and system_scope:all"
neutron-update_network_provider_network_type:
key: "update_network:provider:network_type"
value: "role:admin and system_scope:all"
neutron-update_network_provider_physical_network:
key: "update_network:provider:physical_network"
value: "role:admin and system_scope:all"
neutron-update_network_provider_segmentation_id:
key: "update_network:provider:segmentation_id"
value: "role:admin and system_scope:all"
neutron-update_network_router_external:
key: "update_network:router:external"
value: "role:admin and system_scope:all"
neutron-update_network_is_default:
key: "update_network:is_default"
value: "role:admin and system_scope:all"
# As on create, project members may toggle port security on their networks.
neutron-update_network_port_security_enabled:
key: "update_network:port_security_enabled"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-delete_network:
key: "delete_network"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
# IP availability and segment ranges are system-scoped only.
neutron-get_network_ip_availability:
key: "get_network_ip_availability"
value: "role:reader and system_scope:all"
neutron-create_network_segment_range:
key: "create_network_segment_range"
value: "role:admin and system_scope:all"
neutron-get_network_segment_range:
key: "get_network_segment_range"
value: "role:reader and system_scope:all"
neutron-update_network_segment_range:
key: "update_network_segment_range"
value: "role:admin and system_scope:all"
neutron-delete_network_segment_range:
key: "delete_network_segment_range"
value: "role:admin and system_scope:all"
# Regex field check: true when the port's device_owner starts with "network:".
neutron-network_device:
key: "network_device"
value: "field:port:device_owner=~^network:"
# NOTE(review): not referenced by any other entry in this NeutronApiPolicies
# section; it builds on the unscoped context_is_admin rule.
neutron-admin_or_data_plane_int:
key: "admin_or_data_plane_int"
value: "rule:context_is_admin or role:data_plane_integrator"
# Port creation. Several attribute rules below mix `and`/`or` without
# parentheses. oslo.policy gives `not` the highest precedence, then `and`,
# then `or`, so `A and B or C and D or E` reads as `(A and B) or (C and D) or E`.
# Adding explicit parentheses would make these easier to audit.
neutron-create_port:
key: "create_port"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
# `not` applies only to rule:network_device: any caller may set a device_owner
# that does not start with "network:"; the remaining alternatives decide who
# may set one that does.
neutron-create_port_device_owner:
key: "create_port:device_owner"
value: "not rule:network_device or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:context_is_advsvc or rule:network_owner"
# NOTE(review): the `rule:network_owner` alternative in the attribute rules
# below has no role term (tenant_id comparison only). The base create_port
# rule still has to pass, which requires member or admin.
neutron-create_port_mac_address:
key: "create_port:mac_address"
value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
neutron-create_port_fixed_ips:
key: "create_port:fixed_ips"
value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared"
neutron-create_port_fixed_ips_ip_address:
key: "create_port:fixed_ips:ip_address"
value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
neutron-create_port_fixed_ips_subnet_id:
key: "create_port:fixed_ips:subnet_id"
value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared"
neutron-create_port_port_security_enabled:
key: "create_port:port_security_enabled"
value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
# Host binding and binding profile are settable by system admins only.
neutron-create_port_binding_host_id:
key: "create_port:binding:host_id"
value: "role:admin and system_scope:all"
neutron-create_port_binding_profile:
key: "create_port:binding:profile"
value: "role:admin and system_scope:all"
neutron-create_port_binding_vnic_type:
key: "create_port:binding:vnic_type"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
# allowed_address_pairs lets a port use extra MAC/IP addresses; the rule
# admits system admins, project admins and the owner of the port's network.
neutron-create_port_allowed_address_pairs:
key: "create_port:allowed_address_pairs"
value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
neutron-create_port_allowed_address_pairs_mac_address:
key: "create_port:allowed_address_pairs:mac_address"
value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
neutron-create_port_allowed_address_pairs_ip_address:
key: "create_port:allowed_address_pairs:ip_address"
value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
# Port reads: the advsvc role, system readers, or readers of the owning
# project.
neutron-get_port:
key: "get_port"
value: "rule:context_is_advsvc or (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
# Binding details and resource_request are visible to system readers only,
# which keeps host placement information away from project-scoped users.
neutron-get_port_binding_vif_type:
key: "get_port:binding:vif_type"
value: "role:reader and system_scope:all"
neutron-get_port_binding_vif_details:
key: "get_port:binding:vif_details"
value: "role:reader and system_scope:all"
neutron-get_port_binding_host_id:
key: "get_port:binding:host_id"
value: "role:reader and system_scope:all"
neutron-get_port_binding_profile:
key: "get_port:binding:profile"
value: "role:reader and system_scope:all"
neutron-get_port_resource_request:
key: "get_port:resource_request"
value: "role:reader and system_scope:all"
# Port updates. The unparenthesized rules follow oslo.policy precedence
# (`not`, then `and`, then `or`): `A and B or C` reads as `(A and B) or C`.
neutron-update_port:
key: "update_port"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
# `not` binds only to rule:network_device; the other alternatives decide who
# may set a device_owner beginning with "network:".
neutron-update_port_device_owner:
key: "update_port:device_owner"
value: "not rule:network_device or rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
# Tighter than create_port:mac_address: neither the network owner nor a
# project admin may change the MAC of an existing port.
neutron-update_port_mac_address:
key: "update_port:mac_address"
value: "role:admin and system_scope:all or rule:context_is_advsvc"
neutron-update_port_fixed_ips:
key: "update_port:fixed_ips"
value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
neutron-update_port_fixed_ips_ip_address:
key: "update_port:fixed_ips:ip_address"
value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
neutron-update_port_fixed_ips_subnet_id:
key: "update_port:fixed_ips:subnet_id"
value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared"
neutron-update_port_port_security_enabled:
key: "update_port:port_security_enabled"
value: "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
# Re-binding a port to another host or changing its binding profile is
# system-admin only.
neutron-update_port_binding_host_id:
key: "update_port:binding:host_id"
value: "role:admin and system_scope:all"
neutron-update_port_binding_profile:
key: "update_port:binding:profile"
value: "role:admin and system_scope:all"
neutron-update_port_binding_vnic_type:
key: "update_port:binding:vnic_type"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
neutron-update_port_allowed_address_pairs:
key: "update_port:allowed_address_pairs"
value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
neutron-update_port_allowed_address_pairs_mac_address:
key: "update_port:allowed_address_pairs:mac_address"
value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
neutron-update_port_allowed_address_pairs_ip_address:
key: "update_port:allowed_address_pairs:ip_address"
value: "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
# The data_plane_integrator role alternative has no scope or project term.
neutron-update_port_data_plane_status:
key: "update_port:data_plane_status"
value: "role:admin and system_scope:all or role:data_plane_integrator"
neutron-delete_port:
key: "delete_port"
value: "rule:context_is_advsvc or (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
# QoS policies and their rules: reads admit system readers and readers of the
# owning project; every create/update/delete is system-admin only.
neutron-get_policy:
key: "get_policy"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
neutron-create_policy:
key: "create_policy"
value: "role:admin and system_scope:all"
neutron-update_policy:
key: "update_policy"
value: "role:admin and system_scope:all"
neutron-delete_policy:
key: "delete_policy"
value: "role:admin and system_scope:all"
neutron-get_rule_type:
key: "get_rule_type"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
# Bandwidth-limit rules.
neutron-get_policy_bandwidth_limit_rule:
key: "get_policy_bandwidth_limit_rule"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
neutron-create_policy_bandwidth_limit_rule:
key: "create_policy_bandwidth_limit_rule"
value: "role:admin and system_scope:all"
neutron-update_policy_bandwidth_limit_rule:
key: "update_policy_bandwidth_limit_rule"
value: "role:admin and system_scope:all"
neutron-delete_policy_bandwidth_limit_rule:
key: "delete_policy_bandwidth_limit_rule"
value: "role:admin and system_scope:all"
# DSCP-marking rules.
neutron-get_policy_dscp_marking_rule:
key: "get_policy_dscp_marking_rule"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
neutron-create_policy_dscp_marking_rule:
key: "create_policy_dscp_marking_rule"
value: "role:admin and system_scope:all"
neutron-update_policy_dscp_marking_rule:
key: "update_policy_dscp_marking_rule"
value: "role:admin and system_scope:all"
neutron-delete_policy_dscp_marking_rule:
key: "delete_policy_dscp_marking_rule"
value: "role:admin and system_scope:all"
# Minimum-bandwidth rules.
neutron-get_policy_minimum_bandwidth_rule:
key: "get_policy_minimum_bandwidth_rule"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
neutron-create_policy_minimum_bandwidth_rule:
key: "create_policy_minimum_bandwidth_rule"
value: "role:admin and system_scope:all"
neutron-update_policy_minimum_bandwidth_rule:
key: "update_policy_minimum_bandwidth_rule"
value: "role:admin and system_scope:all"
neutron-delete_policy_minimum_bandwidth_rule:
key: "delete_policy_minimum_bandwidth_rule"
value: "role:admin and system_scope:all"
# Alias rules: each one delegates through `rule:` to the matching
# *_policy_*_rule entry, so the alias and the primary rule cannot drift apart.
# No create_alias_* entries appear in this section.
neutron-get_alias_bandwidth_limit_rule:
key: "get_alias_bandwidth_limit_rule"
value: "rule:get_policy_bandwidth_limit_rule"
neutron-update_alias_bandwidth_limit_rule:
key: "update_alias_bandwidth_limit_rule"
value: "rule:update_policy_bandwidth_limit_rule"
neutron-delete_alias_bandwidth_limit_rule:
key: "delete_alias_bandwidth_limit_rule"
value: "rule:delete_policy_bandwidth_limit_rule"
neutron-get_alias_dscp_marking_rule:
key: "get_alias_dscp_marking_rule"
value: "rule:get_policy_dscp_marking_rule"
neutron-update_alias_dscp_marking_rule:
key: "update_alias_dscp_marking_rule"
value: "rule:update_policy_dscp_marking_rule"
neutron-delete_alias_dscp_marking_rule:
key: "delete_alias_dscp_marking_rule"
value: "rule:delete_policy_dscp_marking_rule"
neutron-get_alias_minimum_bandwidth_rule:
key: "get_alias_minimum_bandwidth_rule"
value: "rule:get_policy_minimum_bandwidth_rule"
neutron-update_alias_minimum_bandwidth_rule:
key: "update_alias_minimum_bandwidth_rule"
value: "rule:update_policy_minimum_bandwidth_rule"
neutron-delete_alias_minimum_bandwidth_rule:
key: "delete_alias_minimum_bandwidth_rule"
value: "rule:delete_policy_minimum_bandwidth_rule"
# Quotas are system-scoped only: reader to view, admin to change or reset.
neutron-get_quota:
key: "get_quota"
value: "role:reader and system_scope:all"
neutron-update_quota:
key: "update_quota"
value: "role:admin and system_scope:all"
neutron-delete_quota:
key: "delete_quota"
value: "role:admin and system_scope:all"
# NOTE(review): no other entry in this section references restrict_wildcard;
# the target_tenant rules below inline their own wildcard check instead. This
# helper also resolves through admin_only to the unscoped context_is_admin
# rule -- confirm whether it is still needed.
neutron-restrict_wildcard:
key: "restrict_wildcard"
value: "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
# RBAC policies control sharing of resources across projects.
neutron-create_rbac_policy:
key: "create_rbac_policy"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
# Reads as `(role:admin and system_scope:all) or (not target_tenant=*)`:
# only a system admin may share with the `*` wildcard (every project).
neutron-create_rbac_policy_target_tenant:
key: "create_rbac_policy:target_tenant"
value: "role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)"
neutron-update_rbac_policy:
key: "update_rbac_policy"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
# Same wildcard restriction on update.
neutron-update_rbac_policy_target_tenant:
key: "update_rbac_policy:target_tenant"
value: "role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)"
neutron-get_rbac_policy:
key: "get_rbac_policy"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
neutron-delete_rbac_policy:
key: "delete_rbac_policy"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
# Routers: project members manage their own routers, interfaces and extra
# routes. The distributed, ha, enable_snat and external_fixed_ips attributes
# are reserved for system admins on both create and update.
neutron-create_router:
key: "create_router"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-create_router_distributed:
key: "create_router:distributed"
value: "role:admin and system_scope:all"
neutron-create_router_ha:
key: "create_router:ha"
value: "role:admin and system_scope:all"
# Members may attach an external gateway and pick its network...
neutron-create_router_external_gateway_info:
key: "create_router:external_gateway_info"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-create_router_external_gateway_info_network_id:
key: "create_router:external_gateway_info:network_id"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
# ...but not control SNAT or choose the gateway's fixed IPs.
neutron-create_router_external_gateway_info_enable_snat:
key: "create_router:external_gateway_info:enable_snat"
value: "role:admin and system_scope:all"
neutron-create_router_external_gateway_info_external_fixed_ips:
key: "create_router:external_gateway_info:external_fixed_ips"
value: "role:admin and system_scope:all"
neutron-get_router:
key: "get_router"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
# The distributed and ha attributes are visible to system readers only.
neutron-get_router_distributed:
key: "get_router:distributed"
value: "role:reader and system_scope:all"
neutron-get_router_ha:
key: "get_router:ha"
value: "role:reader and system_scope:all"
neutron-update_router:
key: "update_router"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-update_router_distributed:
key: "update_router:distributed"
value: "role:admin and system_scope:all"
neutron-update_router_ha:
key: "update_router:ha"
value: "role:admin and system_scope:all"
neutron-update_router_external_gateway_info:
key: "update_router:external_gateway_info"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-update_router_external_gateway_info_network_id:
key: "update_router:external_gateway_info:network_id"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-update_router_external_gateway_info_enable_snat:
key: "update_router:external_gateway_info:enable_snat"
value: "role:admin and system_scope:all"
neutron-update_router_external_gateway_info_external_fixed_ips:
key: "update_router:external_gateway_info:external_fixed_ips"
value: "role:admin and system_scope:all"
neutron-delete_router:
key: "delete_router"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-add_router_interface:
key: "add_router_interface"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-remove_router_interface:
key: "remove_router_interface"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-add_extraroutes:
key: "add_extraroutes"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-remove_extraroutes:
key: "remove_extraroutes"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
# NOTE(review): none of the security-group entries below reference these two
# helper rules; both resolve to the unscoped context_is_admin rule or a
# tenant_id comparison. Confirm whether they are still needed.
neutron-admin_or_sg_owner:
key: "admin_or_sg_owner"
value: "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s"
neutron-admin_owner_or_sg_owner:
key: "admin_owner_or_sg_owner"
value: "rule:owner or rule:admin_or_sg_owner"
# Security groups and rules: project members manage their own, project
# readers can view, system admins/readers act across projects.
neutron-create_security_group:
key: "create_security_group"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-get_security_group:
key: "get_security_group"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
neutron-update_security_group:
key: "update_security_group"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-delete_security_group:
key: "delete_security_group"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-create_security_group_rule:
key: "create_security_group_rule"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
# The extra `rule:sg_owner` alternative (tenant_id only, no role term) applies
# to this read rule only; create and delete do not include it.
neutron-get_security_group_rule:
key: "get_security_group_rule"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:sg_owner"
neutron-delete_security_group_rule:
key: "delete_security_group_rule"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
# Segments are system-scoped only: reader to view, admin to change.
neutron-create_segment:
key: "create_segment"
value: "role:admin and system_scope:all"
neutron-get_segment:
key: "get_segment"
value: "role:reader and system_scope:all"
neutron-update_segment:
key: "update_segment"
value: "role:admin and system_scope:all"
neutron-delete_segment:
key: "delete_segment"
value: "role:admin and system_scope:all"
# NOTE(review): the only read rule in this section that checks the reader
# role with no scope or project term, so a reader role on any project (or on
# the system) satisfies it. Confirm this openness is intended.
neutron-get_service_provider:
key: "get_service_provider"
value: "role:reader"
# Subnets.
# NOTE(review): create/update/delete_subnet end in `or rule:network_owner`,
# a tenant_id comparison with no role term. As written, any role held on the
# project that owns the parent network -- including reader -- appears to
# satisfy these write rules. Confirm whether `role:member and` was intended.
neutron-create_subnet:
key: "create_subnet"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner"
# segment_id and service_types are settable by system admins only.
neutron-create_subnet_segment_id:
key: "create_subnet:segment_id"
value: "role:admin and system_scope:all"
neutron-create_subnet_service_types:
key: "create_subnet:service_types"
value: "role:admin and system_scope:all"
# rule:shared has no role or project term, so subnets of shared networks are
# readable by any caller.
neutron-get_subnet:
key: "get_subnet"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared"
neutron-get_subnet_segment_id:
key: "get_subnet:segment_id"
value: "role:reader and system_scope:all"
neutron-update_subnet:
key: "update_subnet"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner"
neutron-update_subnet_segment_id:
key: "update_subnet:segment_id"
value: "role:admin and system_scope:all"
neutron-update_subnet_service_types:
key: "update_subnet:service_types"
value: "role:admin and system_scope:all"
neutron-delete_subnet:
key: "delete_subnet"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner"
# Target-attribute check: true when the subnet pool is shared.
neutron-shared_subnetpools:
key: "shared_subnetpools"
value: "field:subnetpools:shared=True"
# Subnet pools: project members manage their own; marking a pool shared or
# default is reserved for system admins.
neutron-create_subnetpool:
key: "create_subnetpool"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-create_subnetpool_shared:
key: "create_subnetpool:shared"
value: "role:admin and system_scope:all"
neutron-create_subnetpool_is_default:
key: "create_subnetpool:is_default"
value: "role:admin and system_scope:all"
# Shared pools are readable by any caller (the field check has no role term).
neutron-get_subnetpool:
key: "get_subnetpool"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools"
neutron-update_subnetpool:
key: "update_subnetpool"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-update_subnetpool_is_default:
key: "update_subnetpool:is_default"
value: "role:admin and system_scope:all"
neutron-delete_subnetpool:
key: "delete_subnetpool"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-onboard_network_subnets:
key: "onboard_network_subnets"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-add_prefixes:
key: "add_prefixes"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-remove_prefixes:
key: "remove_prefixes"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
# Trunks and subports: writes admit system admins and members of the owning
# project; reads admit system readers and readers of the owning project.
neutron-create_trunk:
key: "create_trunk"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-get_trunk:
key: "get_trunk"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
neutron-update_trunk:
key: "update_trunk"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-delete_trunk:
key: "delete_trunk"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-get_subports:
key: "get_subports"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
neutron-add_subports:
key: "add_subports"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
neutron-remove_subports:
key: "remove_subports"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
# Glance policy overrides.
# NOTE(review): unlike the Neutron rules, the admin alternative in the Glance
# rules visible here is a bare `role:admin` with no system_scope or project_id
# term, so an admin role assignment on any project satisfies it. Confirm this
# is the intended model for image operations.
GlanceApiPolicies:
# An empty check string always passes in oslo.policy; every `rule:default`
# reference therefore passes for any caller.
glance-default:
key: "default"
value: ""
glance-context_is_admin:
key: "context_is_admin"
value: "role:admin"
# Non-admin callers need the member role, and the target's project_id and
# owner must both equal the caller's project.
glance-add_image:
key: "add_image"
value: "role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)"
glance-delete_image:
key: "delete_image"
value: "role:admin or (role:member and project_id:%(project_id)s)"
# Readers can see an image when they own it, are listed as a member of it,
# or its visibility is community, public or shared.
glance-get_image:
key: "get_image"
value: "role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"
glance-get_images:
key: "get_images"
value: "role:admin or (role:reader and project_id:%(project_id)s)"
glance-modify_image:
key: "modify_image"
value: "role:admin or (role:member and project_id:%(project_id)s)"
# Making an image public is admin-only; making it community-visible is open
# to members of the owning project.
glance-publicize_image:
key: "publicize_image"
value: "role:admin"
glance-communitize_image:
key: "communitize_image"
value: "role:admin or (role:member and project_id:%(project_id)s)"
# Same visibility conditions as get_image, but requires the member role:
# a reader can view image metadata without being able to download the data.
glance-download_image:
key: "download_image"
value: "role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"
glance-upload_image:
key: "upload_image"
value: "role:admin or (role:member and project_id:%(project_id)s)"
# Image locations point at backend storage. Deleting one is admin-only;
# reading and setting are open to the owning project's readers and members
# respectively -- worth reviewing if location exposure is a concern.
glance-delete_image_location:
key: "delete_image_location"
value: "role:admin"
glance-get_image_location:
key: "get_image_location"
value: "role:admin or (role:reader and project_id:%(project_id)s)"
glance-set_image_location:
key: "set_image_location"
value: "role:admin or (role:member and project_id:%(project_id)s)"
glance-add_member:
key: "add_member"
value: "role:admin or (role:member and project_id:%(project_id)s)"
glance-delete_member:
key: "delete_member"
value: "role:admin or (role:member and project_id:%(project_id)s)"
glance-get_member:
key: "get_member"
value: "role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"
glance-get_members:
key: "get_members"
value: "role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"
glance-modify_member:
key: "modify_member"
value: "role:admin or (role:member and project_id:%(member_id)s)"
glance-manage_image_cache:
key: "manage_image_cache"
value: "role:admin"
glance-deactivate:
key: "deactivate"
value: "role:admin or (role:member and project_id:%(project_id)s)"
glance-reactivate:
key: "reactivate"
value: "role:admin or (role:member and project_id:%(project_id)s)"
glance-copy_image:
key: "copy_image"
value: "role:admin"
glance-get_task:
key: "get_task"
value: "rule:default"
glance-get_tasks:
key: "get_tasks"
value: "rule:default"
glance-add_task:
key: "add_task"
value: "rule:default"
glance-modify_task:
key: "modify_task"
value: "rule:default"
glance-tasks_api_access:
key: "tasks_api_access"
value: "role:admin"
glance-metadef_default:
key: "metadef_default"
value: ""
glance-metadef_admin:
key: "metadef_admin"
value: "role:admin"
glance-get_metadef_namespace:
key: "get_metadef_namespace"
value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
glance-get_metadef_namespaces:
key: "get_metadef_namespaces"
value: "role:admin or (role:reader and project_id:%(project_id)s)"
glance-modify_metadef_namespace:
key: "modify_metadef_namespace"
value: "rule:metadef_admin"
glance-add_metadef_namespace:
key: "add_metadef_namespace"
value: "rule:metadef_admin"
glance-delete_metadef_namespace:
key: "delete_metadef_namespace"
value: "rule:metadef_admin"
glance-get_metadef_object:
key: "get_metadef_object"
value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
glance-get_metadef_objects:
key: "get_metadef_objects"
value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
glance-modify_metadef_object:
key: "modify_metadef_object"
value: "rule:metadef_admin"
glance-add_metadef_object:
key: "add_metadef_object"
value: "rule:metadef_admin"
glance-delete_metadef_object:
key: "delete_metadef_object"
value: "rule:metadef_admin"
glance-list_metadef_resource_types:
key: "list_metadef_resource_types"
value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
glance-get_metadef_resource_type:
key: "get_metadef_resource_type"
value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
glance-add_metadef_resource_type_association:
key: "add_metadef_resource_type_association"
value: "rule:metadef_admin"
glance-remove_metadef_resource_type_association:
key: "remove_metadef_resource_type_association"
value: "rule:metadef_admin"
glance-get_metadef_property:
key: "get_metadef_property"
value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
glance-get_metadef_properties:
key: "get_metadef_properties"
value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
glance-modify_metadef_property:
key: "modify_metadef_property"
value: "rule:metadef_admin"
glance-add_metadef_property:
key: "add_metadef_property"
value: "rule:metadef_admin"
glance-remove_metadef_property:
key: "remove_metadef_property"
value: "rule:metadef_admin"
glance-get_metadef_tag:
key: "get_metadef_tag"
value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
glance-get_metadef_tags:
key: "get_metadef_tags"
value: "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
glance-modify_metadef_tag:
key: "modify_metadef_tag"
value: "rule:metadef_admin"
glance-add_metadef_tag:
key: "add_metadef_tag"
value: "rule:metadef_admin"
glance-add_metadef_tags:
key: "add_metadef_tags"
value: "rule:metadef_admin"
glance-delete_metadef_tag:
key: "delete_metadef_tag"
value: "rule:metadef_admin"
glance-delete_metadef_tags:
key: "delete_metadef_tags"
value: "rule:metadef_admin"
# Designate (DNS service) policy overrides. Each entry pairs a policy name
# ("key") with its check string ("value"). The section mixes two styles:
# legacy rules built on rule:admin / rule:owner (tenant-based, no scope
# check) and scope-aware rules written as role + system_scope or project_id.
DesignateApiPolicies:
# Legacy admin rule: a bare role:admin (or is_admin:True) with no
# system_scope or project_id qualifier. Everything below that says
# rule:admin inherits this.
designate-admin:
key: "admin"
value: "role:admin or is_admin:True"
# NOTE(review): the rule is named primary_zone but its check string matches
# zone_type SECONDARY. No rule in this section references rule:primary_zone;
# confirm against the service's own default before relying on it.
designate-primary_zone:
key: "primary_zone"
value: "target.zone_type:SECONDARY"
designate-owner:
key: "owner"
value: "tenant:%(tenant_id)s"
designate-admin_or_owner:
key: "admin_or_owner"
value: "rule:admin or rule:owner"
# Fallback for any policy name not listed here: legacy admin-or-owner.
designate-default:
key: "default"
value: "rule:admin_or_owner"
designate-target:
key: "target"
value: "tenant:%(target_tenant_id)s"
designate-owner_or_target:
key: "owner_or_target"
value: "rule:target or rule:owner"
designate-admin_or_owner_or_target:
key: "admin_or_owner_or_target"
value: "rule:owner_or_target or rule:admin"
designate-admin_or_target:
key: "admin_or_target"
value: "rule:admin or rule:target"
# Operators are written in upper case here (OR / AND) and in lower case in
# most other rules. NOTE(review): presumably the policy parser treats them
# case-insensitively - verify, since a mis-parsed operator would change who
# is allowed.
designate-zone_primary_or_admin:
key: "zone_primary_or_admin"
value: "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
# Blacklist management: system-scoped admin to write, system-scoped reader
# to read.
designate-create_blacklist:
key: "create_blacklist"
value: "role:admin and system_scope:all"
designate-find_blacklist:
key: "find_blacklist"
value: "role:reader and system_scope:all"
designate-find_blacklists:
key: "find_blacklists"
value: "role:reader and system_scope:all"
designate-get_blacklist:
key: "get_blacklist"
value: "role:reader and system_scope:all"
designate-update_blacklist:
key: "update_blacklist"
value: "role:admin and system_scope:all"
designate-delete_blacklist:
key: "delete_blacklist"
value: "role:admin and system_scope:all"
designate-use_blacklisted_zone:
key: "use_blacklisted_zone"
value: "role:admin and system_scope:all"
# NOTE(review): the next eight rules (all_tenants through
# diagnostics_sync_record) use the legacy rule:admin, which is not limited
# to system scope, while the surrounding blacklist and pool rules require
# system_scope:all. As written, an admin role on any project passes these
# checks. Confirm this is intended for rules whose names suggest
# cross-project or elevated operation (all_tenants, use_sudo).
designate-all_tenants:
key: "all_tenants"
value: "rule:admin"
designate-edit_managed_records:
key: "edit_managed_records"
value: "rule:admin"
designate-use_low_ttl:
key: "use_low_ttl"
value: "rule:admin"
designate-use_sudo:
key: "use_sudo"
value: "rule:admin"
designate-diagnostics_ping:
key: "diagnostics_ping"
value: "rule:admin"
designate-diagnostics_sync_zones:
key: "diagnostics_sync_zones"
value: "rule:admin"
designate-diagnostics_sync_zone:
key: "diagnostics_sync_zone"
value: "rule:admin"
designate-diagnostics_sync_record:
key: "diagnostics_sync_record"
value: "rule:admin"
# Pool management: system scope only.
designate-create_pool:
key: "create_pool"
value: "role:admin and system_scope:all"
designate-find_pools:
key: "find_pools"
value: "role:reader and system_scope:all"
designate-find_pool:
key: "find_pool"
value: "role:reader and system_scope:all"
designate-get_pool:
key: "get_pool"
value: "role:reader and system_scope:all"
designate-update_pool:
key: "update_pool"
value: "role:admin and system_scope:all"
designate-delete_pool:
key: "delete_pool"
value: "role:admin and system_scope:all"
designate-zone_create_forced_pool:
key: "zone_create_forced_pool"
value: "role:admin and system_scope:all"
# Quotas: readable by system readers and by readers of the owning project;
# changed only by system-scoped admin.
designate-get_quotas:
key: "get_quotas"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
designate-get_quota:
key: "get_quota"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
designate-set_quota:
key: "set_quota"
value: "role:admin and system_scope:all"
designate-reset_quotas:
key: "reset_quotas"
value: "role:admin and system_scope:all"
designate-find_records:
key: "find_records"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
designate-count_records:
key: "count_records"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
# NOTE(review): create_recordset, update_recordset and delete_recordset each
# require a system-scoped admin AND a SECONDARY zone type. There is no
# project-member branch and no PRIMARY branch, unlike create_zone /
# update_zone / delete_zone below, so as written a project member cannot
# change recordsets in a zone the same member is allowed to create. Confirm
# whether this is intended or an artifact of how the rule was generated.
designate-create_recordset:
key: "create_recordset"
value: "(role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s)"
designate-get_recordsets:
key: "get_recordsets"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
designate-get_recordset:
key: "get_recordset"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
designate-update_recordset:
key: "update_recordset"
value: "(role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s)"
designate-delete_recordset:
key: "delete_recordset"
value: "(role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s)"
designate-count_recordset:
key: "count_recordset"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
# Service status and tenant listing: system scope only.
designate-find_service_status:
key: "find_service_status"
value: "role:reader and system_scope:all"
designate-find_service_statuses:
key: "find_service_statuses"
value: "role:reader and system_scope:all"
designate-update_service_status:
key: "update_service_status"
value: "role:admin and system_scope:all"
designate-find_tenants:
key: "find_tenants"
value: "role:reader and system_scope:all"
designate-get_tenant:
key: "get_tenant"
value: "role:reader and system_scope:all"
designate-count_tenants:
key: "count_tenants"
value: "role:reader and system_scope:all"
# TLD management: system scope only.
designate-create_tld:
key: "create_tld"
value: "role:admin and system_scope:all"
designate-find_tlds:
key: "find_tlds"
value: "role:reader and system_scope:all"
designate-get_tld:
key: "get_tld"
value: "role:reader and system_scope:all"
designate-update_tld:
key: "update_tld"
value: "role:admin and system_scope:all"
designate-delete_tld:
key: "delete_tld"
value: "role:admin and system_scope:all"
# TSIG keys: system scope only, including reads (find/get need a
# system-scoped reader).
designate-create_tsigkey:
key: "create_tsigkey"
value: "role:admin and system_scope:all"
designate-find_tsigkeys:
key: "find_tsigkeys"
value: "role:reader and system_scope:all"
designate-get_tsigkey:
key: "get_tsigkey"
value: "role:reader and system_scope:all"
designate-update_tsigkey:
key: "update_tsigkey"
value: "role:admin and system_scope:all"
designate-delete_tsigkey:
key: "delete_tsigkey"
value: "role:admin and system_scope:all"
# Zones: system admin or a member of the owning project may write; system
# reader or a reader of the owning project may read. abandon_zone and
# purge_zones are system-admin only.
designate-create_zone:
key: "create_zone"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
designate-get_zones:
key: "get_zones"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
designate-get_zone:
key: "get_zone"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
designate-get_zone_servers:
key: "get_zone_servers"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
designate-find_zones:
key: "find_zones"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
designate-update_zone:
key: "update_zone"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
designate-delete_zone:
key: "delete_zone"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
designate-xfr_zone:
key: "xfr_zone"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
designate-abandon_zone:
key: "abandon_zone"
value: "role:admin and system_scope:all"
designate-count_zones:
key: "count_zones"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
designate-count_zones_pending_notify:
key: "count_zones_pending_notify"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
designate-purge_zones:
key: "purge_zones"
value: "role:admin and system_scope:all"
designate-touch_zone:
key: "touch_zone"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
# Zone export and import: same write/read split as the zone rules above.
designate-zone_export:
key: "zone_export"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
designate-create_zone_export:
key: "create_zone_export"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
designate-find_zone_exports:
key: "find_zone_exports"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
designate-get_zone_export:
key: "get_zone_export"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
designate-update_zone_export:
key: "update_zone_export"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
designate-create_zone_import:
key: "create_zone_import"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
designate-find_zone_imports:
key: "find_zone_imports"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
designate-get_zone_import:
key: "get_zone_import"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
designate-update_zone_import:
key: "update_zone_import"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
designate-delete_zone_import:
key: "delete_zone_import"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
# Zone transfers. create_zone_transfer_accept and get_zone_transfer_request
# are still legacy rules: rule:admin_or_owner carries no scope or role:member
# requirement, and the trailing None:%(target_tenant_id)s branch presumably
# matches a transfer request that names no target tenant, in which case any
# caller passes. NOTE(review): confirm that accepting an untargeted transfer
# is still protected by the transfer key outside the policy layer.
designate-create_zone_transfer_accept:
key: "create_zone_transfer_accept"
value: "rule:admin_or_owner OR tenant:%(target_tenant_id)s OR None:%(target_tenant_id)s"
designate-get_zone_transfer_accept:
key: "get_zone_transfer_accept"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
designate-find_zone_transfer_accepts:
key: "find_zone_transfer_accepts"
value: "role:reader and system_scope:all"
designate-find_zone_transfer_accept:
key: "find_zone_transfer_accept"
value: "role:reader and system_scope:all"
designate-update_zone_transfer_accept:
key: "update_zone_transfer_accept"
value: "role:admin and system_scope:all"
designate-delete_zone_transfer_accept:
key: "delete_zone_transfer_accept"
value: "role:admin and system_scope:all"
designate-create_zone_transfer_request:
key: "create_zone_transfer_request"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
designate-get_zone_transfer_request:
key: "get_zone_transfer_request"
value: "rule:admin_or_owner OR tenant:%(target_tenant_id)s OR None:%(target_tenant_id)s"
designate-get_zone_transfer_request_detailed:
key: "get_zone_transfer_request_detailed"
value: "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
# "@" is the always-allow check: the two find rules below pass for every
# caller regardless of role, project or scope.
# NOTE(review): confirm the service filters the returned transfer requests
# per project, because the policy layer does not restrict these listings.
designate-find_zone_transfer_requests:
key: "find_zone_transfer_requests"
value: "@"
designate-find_zone_transfer_request:
key: "find_zone_transfer_request"
value: "@"
designate-update_zone_transfer_request:
key: "update_zone_transfer_request"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
designate-delete_zone_transfer_request:
key: "delete_zone_transfer_request"
value: "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
CinderApiPolicies:
# Shared Cinder check strings that the rules after them reference by name.
# Legacy rule: the last branch matches on project_id alone, so any role on
# the owning project satisfies it.
cinder-admin_or_owner:
key: "admin_or_owner"
value: "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"
# Admin at system, domain or project level; each branch pairs role:admin with
# an explicit scope or target match.
cinder-system_or_domain_or_project_admin:
key: "system_or_domain_or_project_admin"
value: "(role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s) or (role:admin and project_id:%(project_id)s)"
cinder-context_is_admin:
key: "context_is_admin"
value: "role:admin"
# Legacy admin check: is_admin:True, or role:admin held in the admin project.
cinder-admin_api:
key: "admin_api"
value: "is_admin:True or (role:admin and is_admin_project:True)"
# NOTE(review): despite "system_admin" in the names of the next two rules,
# their admin branch is a bare role:admin with no system_scope:all, so an
# admin role on any project passes without the project_id match that the
# reader/member branch requires. Most volume, snapshot, backup and group
# rules below delegate to these two; confirm the unscoped admin branch
# matches the Cinder release being deployed.
cinder-xena_system_admin_or_project_reader:
key: "xena_system_admin_or_project_reader"
value: "(role:admin) or (role:reader and project_id:%(project_id)s)"
cinder-xena_system_admin_or_project_member:
key: "xena_system_admin_or_project_member"
value: "(role:admin) or (role:member and project_id:%(project_id)s)"
cinder-volume_attachment_create:
key: "volume:attachment_create"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_attachment_update:
key: "volume:attachment_update"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_attachment_delete:
key: "volume:attachment_delete"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_attachment_complete:
key: "volume:attachment_complete"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_multiattach_bootable_volume:
key: "volume:multiattach_bootable_volume"
value: "rule:xena_system_admin_or_project_member"
cinder-message_get_all:
key: "message:get_all"
value: "rule:xena_system_admin_or_project_reader"
cinder-message_get:
key: "message:get"
value: "rule:message:get_all"
cinder-message_delete:
key: "message:delete"
value: "rule:xena_system_admin_or_project_member"
cinder-clusters_get_all:
key: "clusters:get_all"
value: "rule:admin_api"
cinder-clusters_get:
key: "clusters:get"
value: "rule:admin_api"
cinder-clusters_update:
key: "clusters:update"
value: "rule:admin_api"
cinder-workers_cleanup:
key: "workers:cleanup"
value: "rule:admin_api"
cinder-volume_get_snapshot_metadata:
key: "volume:get_snapshot_metadata"
value: "rule:xena_system_admin_or_project_reader"
cinder-volume_update_snapshot_metadata:
key: "volume:update_snapshot_metadata"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_delete_snapshot_metadata:
key: "volume:delete_snapshot_metadata"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_get_all_snapshots:
key: "volume:get_all_snapshots"
value: "rule:xena_system_admin_or_project_reader"
cinder-volume_extension_extended_snapshot_attributes:
key: "volume_extension:extended_snapshot_attributes"
value: "rule:xena_system_admin_or_project_reader"
cinder-volume_create_snapshot:
key: "volume:create_snapshot"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_get_snapshot:
key: "volume:get_snapshot"
value: "rule:xena_system_admin_or_project_reader"
cinder-volume_update_snapshot:
key: "volume:update_snapshot"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_delete_snapshot:
key: "volume:delete_snapshot"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_extension_snapshot_admin_actions_reset_status:
key: "volume_extension:snapshot_admin_actions:reset_status"
value: "rule:admin_api"
cinder-snapshot_extension_snapshot_actions_update_snapshot_status:
key: "snapshot_extension:snapshot_actions:update_snapshot_status"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_extension_snapshot_admin_actions_force_delete:
key: "volume_extension:snapshot_admin_actions:force_delete"
value: "rule:admin_api"
cinder-snapshot_extension_list_manageable:
key: "snapshot_extension:list_manageable"
value: "rule:admin_api"
cinder-snapshot_extension_snapshot_manage:
key: "snapshot_extension:snapshot_manage"
value: "rule:admin_api"
cinder-snapshot_extension_snapshot_unmanage:
key: "snapshot_extension:snapshot_unmanage"
value: "rule:admin_api"
cinder-backup_get_all:
key: "backup:get_all"
value: "rule:xena_system_admin_or_project_reader"
cinder-backup_backup_project_attribute:
key: "backup:backup_project_attribute"
value: "rule:admin_api"
cinder-backup_create:
key: "backup:create"
value: "rule:xena_system_admin_or_project_member"
cinder-backup_get:
key: "backup:get"
value: "rule:xena_system_admin_or_project_reader"
cinder-backup_update:
key: "backup:update"
value: "rule:xena_system_admin_or_project_member"
cinder-backup_delete:
key: "backup:delete"
value: "rule:xena_system_admin_or_project_member"
cinder-backup_restore:
key: "backup:restore"
value: "rule:xena_system_admin_or_project_member"
cinder-backup_backup-import:
key: "backup:backup-import"
value: "rule:admin_api"
cinder-backup_export-import:
key: "backup:export-import"
value: "rule:admin_api"
cinder-volume_extension_backup_admin_actions_reset_status:
key: "volume_extension:backup_admin_actions:reset_status"
value: "rule:admin_api"
cinder-volume_extension_backup_admin_actions_force_delete:
key: "volume_extension:backup_admin_actions:force_delete"
value: "rule:admin_api"
cinder-group_get_all:
key: "group:get_all"
value: "rule:xena_system_admin_or_project_reader"
cinder-group_create:
key: "group:create"
value: "rule:xena_system_admin_or_project_member"
cinder-group_get:
key: "group:get"
value: "rule:xena_system_admin_or_project_reader"
cinder-group_update:
key: "group:update"
value: "rule:xena_system_admin_or_project_member"
cinder-group_group_project_attribute:
key: "group:group_project_attribute"
value: "rule:admin_api"
cinder-group_group_types_create:
key: "group:group_types:create"
value: "rule:admin_api"
cinder-group_group_types_manage:
key: "group:group_types_manage"
value: "rule:group:group_types:create"
cinder-group_group_types_update:
key: "group:group_types:update"
value: "rule:admin_api"
cinder-group_group_types_delete:
key: "group:group_types:delete"
value: "rule:admin_api"
cinder-group_access_group_types_specs:
key: "group:access_group_types_specs"
value: "rule:admin_api"
cinder-group_group_types_specs_get:
key: "group:group_types_specs:get"
value: "rule:admin_api"
cinder-group_group_types_specs:
key: "group:group_types_specs"
value: "rule:group:group_types_specs:get"
cinder-group_group_types_specs_get_all:
key: "group:group_types_specs:get_all"
value: "rule:admin_api"
cinder-group_group_types_specs_create:
key: "group:group_types_specs:create"
value: "rule:admin_api"
cinder-group_group_types_specs_update:
key: "group:group_types_specs:update"
value: "rule:admin_api"
cinder-group_group_types_specs_delete:
key: "group:group_types_specs:delete"
value: "rule:admin_api"
cinder-group_get_all_group_snapshots:
key: "group:get_all_group_snapshots"
value: "rule:xena_system_admin_or_project_reader"
cinder-group_create_group_snapshot:
key: "group:create_group_snapshot"
value: "rule:xena_system_admin_or_project_member"
cinder-group_get_group_snapshot:
key: "group:get_group_snapshot"
value: "rule:xena_system_admin_or_project_reader"
cinder-group_delete_group_snapshot:
key: "group:delete_group_snapshot"
value: "rule:xena_system_admin_or_project_member"
cinder-group_update_group_snapshot:
key: "group:update_group_snapshot"
value: "rule:xena_system_admin_or_project_member"
cinder-group_group_snapshot_project_attribute:
key: "group:group_snapshot_project_attribute"
value: "rule:admin_api"
cinder-group_reset_group_snapshot_status:
key: "group:reset_group_snapshot_status"
value: "rule:admin_api"
cinder-group_delete:
key: "group:delete"
value: "rule:xena_system_admin_or_project_member"
cinder-group_reset_status:
key: "group:reset_status"
value: "rule:admin_api"
cinder-group_enable_replication:
key: "group:enable_replication"
value: "rule:xena_system_admin_or_project_member"
cinder-group_disable_replication:
key: "group:disable_replication"
value: "rule:xena_system_admin_or_project_member"
cinder-group_failover_replication:
key: "group:failover_replication"
value: "rule:xena_system_admin_or_project_member"
cinder-group_list_replication_targets:
key: "group:list_replication_targets"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_extension_qos_specs_manage_get_all:
key: "volume_extension:qos_specs_manage:get_all"
value: "rule:admin_api"
cinder-volume_extension_qos_specs_manage_get:
key: "volume_extension:qos_specs_manage:get"
value: "rule:admin_api"
cinder-volume_extension_qos_specs_manage_create:
key: "volume_extension:qos_specs_manage:create"
value: "rule:admin_api"
cinder-volume_extension_qos_specs_manage_update:
key: "volume_extension:qos_specs_manage:update"
value: "rule:admin_api"
cinder-volume_extension_qos_specs_manage_delete:
key: "volume_extension:qos_specs_manage:delete"
value: "rule:admin_api"
cinder-volume_extension_quota_classes_get:
key: "volume_extension:quota_classes:get"
value: "rule:admin_api"
cinder-volume_extension_quota_classes:
key: "volume_extension:quota_classes"
value: "rule:volume_extension:quota_classes:get"
cinder-volume_extension_quota_classes_update:
key: "volume_extension:quota_classes:update"
value: "rule:admin_api"
cinder-volume_extension_quotas_show:
key: "volume_extension:quotas:show"
value: "rule:xena_system_admin_or_project_reader"
cinder-volume_extension_quotas_update:
key: "volume_extension:quotas:update"
value: "rule:admin_api"
cinder-volume_extension_quotas_delete:
key: "volume_extension:quotas:delete"
value: "rule:admin_api"
cinder-volume_extension_capabilities:
key: "volume_extension:capabilities"
value: "rule:admin_api"
cinder-volume_extension_services_index:
key: "volume_extension:services:index"
value: "rule:admin_api"
cinder-volume_extension_services_update:
key: "volume_extension:services:update"
value: "rule:admin_api"
cinder-volume_freeze_host:
key: "volume:freeze_host"
value: "rule:admin_api"
cinder-volume_thaw_host:
key: "volume:thaw_host"
value: "rule:admin_api"
cinder-volume_failover_host:
key: "volume:failover_host"
value: "rule:admin_api"
cinder-scheduler_extension_scheduler_stats_get_pools:
key: "scheduler_extension:scheduler_stats:get_pools"
value: "rule:admin_api"
cinder-volume_extension_hosts:
key: "volume_extension:hosts"
value: "rule:admin_api"
cinder-limits_extension_used_limits:
key: "limits_extension:used_limits"
value: "rule:xena_system_admin_or_project_reader"
cinder-volume_extension_list_manageable:
key: "volume_extension:list_manageable"
value: "rule:admin_api"
cinder-volume_extension_volume_manage:
key: "volume_extension:volume_manage"
value: "rule:admin_api"
cinder-volume_extension_volume_unmanage:
key: "volume_extension:volume_unmanage"
value: "rule:admin_api"
cinder-volume_extension_type_create:
key: "volume_extension:type_create"
value: "rule:admin_api"
cinder-volume_extension_types_manage:
key: "volume_extension:types_manage"
value: "rule:volume_extension:type_create"
cinder-volume_extension_type_update:
key: "volume_extension:type_update"
value: "rule:admin_api"
cinder-volume_extension_type_delete:
key: "volume_extension:type_delete"
value: "rule:admin_api"
cinder-volume_extension_type_get:
key: "volume_extension:type_get"
value: "rule:xena_system_admin_or_project_reader"
cinder-volume_extension_type_get_all:
key: "volume_extension:type_get_all"
value: "rule:xena_system_admin_or_project_reader"
cinder-volume_extension_access_types_extra_specs:
key: "volume_extension:access_types_extra_specs"
value: "rule:xena_system_admin_or_project_reader"
cinder-volume_extension_access_types_qos_specs_id:
key: "volume_extension:access_types_qos_specs_id"
value: "rule:admin_api"
cinder-volume_extension_volume_type_encryption:
key: "volume_extension:volume_type_encryption"
value: "rule:admin_api"
cinder-volume_extension_volume_type_encryption_create:
key: "volume_extension:volume_type_encryption:create"
value: "rule:admin_api"
cinder-volume_extension_volume_type_encryption_get:
key: "volume_extension:volume_type_encryption:get"
value: "rule:admin_api"
cinder-volume_extension_volume_type_encryption_update:
key: "volume_extension:volume_type_encryption:update"
value: "rule:admin_api"
cinder-volume_extension_volume_type_encryption_delete:
key: "volume_extension:volume_type_encryption:delete"
value: "rule:admin_api"
cinder-volume_extension_volume_type_access:
key: "volume_extension:volume_type_access"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_extension_volume_type_access_addProjectAccess:
key: "volume_extension:volume_type_access:addProjectAccess"
value: "rule:admin_api"
cinder-volume_extension_volume_type_access_removeProjectAccess:
key: "volume_extension:volume_type_access:removeProjectAccess"
value: "rule:admin_api"
cinder-volume_extension_volume_type_access_get_all_for_type:
key: "volume_extension:volume_type_access:get_all_for_type"
value: "rule:admin_api"
cinder-volume_extend:
key: "volume:extend"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_extend_attached_volume:
key: "volume:extend_attached_volume"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_revert_to_snapshot:
key: "volume:revert_to_snapshot"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_extension_volume_admin_actions_reset_status:
key: "volume_extension:volume_admin_actions:reset_status"
value: "rule:admin_api"
cinder-volume_retype:
key: "volume:retype"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_update_readonly_flag:
key: "volume:update_readonly_flag"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_extension_volume_admin_actions_force_delete:
key: "volume_extension:volume_admin_actions:force_delete"
value: "rule:admin_api"
cinder-volume_extension_volume_actions_upload_public:
key: "volume_extension:volume_actions:upload_public"
value: "rule:admin_api"
cinder-volume_extension_volume_actions_upload_image:
key: "volume_extension:volume_actions:upload_image"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_extension_volume_admin_actions_force_detach:
key: "volume_extension:volume_admin_actions:force_detach"
value: "rule:admin_api"
cinder-volume_extension_volume_admin_actions_migrate_volume:
key: "volume_extension:volume_admin_actions:migrate_volume"
value: "rule:admin_api"
cinder-volume_extension_volume_admin_actions_migrate_volume_completion:
key: "volume_extension:volume_admin_actions:migrate_volume_completion"
value: "rule:admin_api"
cinder-volume_extension_volume_actions_initialize_connection:
key: "volume_extension:volume_actions:initialize_connection"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_extension_volume_actions_terminate_connection:
key: "volume_extension:volume_actions:terminate_connection"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_extension_volume_actions_roll_detaching:
key: "volume_extension:volume_actions:roll_detaching"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_extension_volume_actions_reserve:
key: "volume_extension:volume_actions:reserve"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_extension_volume_actions_unreserve:
key: "volume_extension:volume_actions:unreserve"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_extension_volume_actions_begin_detaching:
key: "volume_extension:volume_actions:begin_detaching"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_extension_volume_actions_attach:
key: "volume_extension:volume_actions:attach"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_extension_volume_actions_detach:
key: "volume_extension:volume_actions:detach"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_get_all_transfers:
key: "volume:get_all_transfers"
value: "rule:xena_system_admin_or_project_reader"
cinder-volume_create_transfer:
key: "volume:create_transfer"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_get_transfer:
key: "volume:get_transfer"
value: "rule:xena_system_admin_or_project_reader"
cinder-volume_accept_transfer:
key: "volume:accept_transfer"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_delete_transfer:
key: "volume:delete_transfer"
value: "rule:xena_system_admin_or_project_member"
# Cinder volume metadata and image-metadata policies. Reads go through the
# reader rule, writes (create/update/delete/set/remove) through the member
# rule, and admin metadata is restricted to "admin_api".
cinder-volume_get_volume_metadata:
key: "volume:get_volume_metadata"
value: "rule:xena_system_admin_or_project_reader"
cinder-volume_create_volume_metadata:
key: "volume:create_volume_metadata"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_update_volume_metadata:
key: "volume:update_volume_metadata"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_delete_volume_metadata:
key: "volume:delete_volume_metadata"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_extension_volume_image_metadata_show:
key: "volume_extension:volume_image_metadata:show"
value: "rule:xena_system_admin_or_project_reader"
# This key carries no check string of its own: it points at the ":show"
# policy above, so editing that policy's value changes this one as well.
cinder-volume_extension_volume_image_metadata:
key: "volume_extension:volume_image_metadata"
value: "rule:volume_extension:volume_image_metadata:show"
cinder-volume_extension_volume_image_metadata_set:
key: "volume_extension:volume_image_metadata:set"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_extension_volume_image_metadata_remove:
key: "volume_extension:volume_image_metadata:remove"
value: "rule:xena_system_admin_or_project_member"
# The only metadata write in this run that is not delegated to project
# members.
# NOTE(review): Cinder's "admin_api" rule is defined outside this part of the
# file. Check whether it is bound to a scope or only to the admin role.
cinder-volume_update_volume_admin_metadata:
key: "volume:update_volume_admin_metadata"
value: "rule:admin_api"
# Cinder volume-type extra-spec policies. Listing and showing extra specs is
# open to the reader rule, while create, update, delete and "read_sensitive"
# all require "admin_api".
# NOTE(review): which extra specs count as sensitive is decided by Cinder, not
# by this file. Keep "read_sensitive" on an admin-only rule if index/show are
# ever widened, otherwise the reader rule would presumably expose them.
cinder-volume_extension_types_extra_specs_index:
key: "volume_extension:types_extra_specs:index"
value: "rule:xena_system_admin_or_project_reader"
cinder-volume_extension_types_extra_specs_create:
key: "volume_extension:types_extra_specs:create"
value: "rule:admin_api"
cinder-volume_extension_types_extra_specs_show:
key: "volume_extension:types_extra_specs:show"
value: "rule:xena_system_admin_or_project_reader"
cinder-volume_extension_types_extra_specs_read_sensitive:
key: "volume_extension:types_extra_specs:read_sensitive"
value: "rule:admin_api"
cinder-volume_extension_types_extra_specs_update:
key: "volume_extension:types_extra_specs:update"
value: "rule:admin_api"
cinder-volume_extension_types_extra_specs_delete:
key: "volume_extension:types_extra_specs:delete"
value: "rule:admin_api"
# Core Cinder volume policies. create, create_from_image, update and delete
# use the member rule; get and get_all use the reader rule.
cinder-volume_create:
key: "volume:create"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_create_from_image:
key: "volume:create_from_image"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_get:
key: "volume:get"
value: "rule:xena_system_admin_or_project_reader"
cinder-volume_get_all:
key: "volume:get_all"
value: "rule:xena_system_admin_or_project_reader"
cinder-volume_update:
key: "volume:update"
value: "rule:xena_system_admin_or_project_member"
cinder-volume_delete:
key: "volume:delete"
value: "rule:xena_system_admin_or_project_member"
# Unlike the ordinary delete above, force_delete is not available to project
# members; it is gated on "admin_api".
cinder-volume_force_delete:
key: "volume:force_delete"
value: "rule:admin_api"
# Policies for extra volume attributes and multiattach. The host and
# migration-status attributes require "admin_api"; the tenant attribute and
# encryption metadata are granted through the reader rule; multiattach uses
# the member rule.
cinder-volume_extension_volume_host_attribute:
key: "volume_extension:volume_host_attribute"
value: "rule:admin_api"
cinder-volume_extension_volume_tenant_attribute:
key: "volume_extension:volume_tenant_attribute"
value: "rule:xena_system_admin_or_project_reader"
cinder-volume_extension_volume_mig_status_attribute:
key: "volume_extension:volume_mig_status_attribute"
value: "rule:admin_api"
# NOTE(review): read-only project users can reach this policy. What the
# encryption metadata call returns is decided by Cinder and is not visible
# here. Confirm that exposing it at reader level is intended for this
# deployment.
cinder-volume_extension_volume_encryption_metadata:
key: "volume_extension:volume_encryption_metadata"
value: "rule:xena_system_admin_or_project_reader"
cinder-volume_multiattach:
key: "volume:multiattach"
value: "rule:xena_system_admin_or_project_member"
# Policies under the "volume_extension:default_*" prefix (presumably the
# per-project default volume type API; confirm). All four operations,
# including the two reads, require "admin_api"; none is delegated to project
# members or readers.
cinder-volume_extension_default_set_or_update:
key: "volume_extension:default_set_or_update"
value: "rule:admin_api"
cinder-volume_extension_default_get:
key: "volume_extension:default_get"
value: "rule:admin_api"
cinder-volume_extension_default_get_all:
key: "volume_extension:default_get_all"
value: "rule:admin_api"
cinder-volume_extension_default_unset:
key: "volume_extension:default_unset"
value: "rule:admin_api"
# Start of the Keystone policy overrides. The entries here define base rules
# that later Keystone policies can reference by name.
KeystonePolicies:
# Passes for a caller holding the admin role OR a context with is_admin set.
# Neither branch carries a system_scope or project_id term, so this rule is
# not scope-bound on its own.
# NOTE(review): the "is_admin:1" branch bypasses the role check entirely.
# Confirm how the deployed Keystone sets is_admin and that the path is not
# reachable in production.
keystone-admin_required:
key: "admin_required"
value: "role:admin or is_admin:1"
# Matches any caller holding the "service" role, with no scope term.
keystone-service_role:
key: "service_role"
value: "role:service"
keystone-service_or_admin: