| |
@@ -0,0 +1,816 @@
|
| |
+ # Reset the state of a given server
|
| |
+ #POST /servers/{server_id}/action
|
| |
+ # (os-resetState)
|
| |
+ "os_compute_api:os-admin-actions:reset_state": "rule:admin_api"
|
| |
+ # Inject network information into the server
|
| |
+ #POST
|
| |
+ # /servers/{server_id}/action (injectNetworkInfo)
|
| |
+ "os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api"
|
| |
+ # Reset networking on a server
|
| |
+ #POST /servers/{server_id}/action
|
| |
+ # (resetNetwork)
|
| |
+ "os_compute_api:os-admin-actions:reset_network": "rule:admin_api"
|
| |
+ # Change the administrative password for a server
|
| |
+ #POST
|
| |
+ # /servers/{server_id}/action (changePassword)
|
| |
+ "os_compute_api:os-admin-password": "rule:admin_or_owner"
|
| |
+ # Create, list, update, and delete guest agent builds
|
| |
+ #
|
| |
+ #This is XenAPI
|
| |
+ # driver specific. It is used to force the upgrade of the
|
| |
+ #XenAPI guest
|
| |
+ # agent on instance boot.
|
| |
+ #
|
| |
+ #GET /os-agents
|
| |
+ #POST /os-agents
|
| |
+ #PUT /os-
|
| |
+ # agents/{agent_build_id}
|
| |
+ #DELETE /os-agents/{agent_build_id}
|
| |
+ "os_compute_api:os-agents": "rule:admin_api"
|
| |
+ # Create or replace metadata for an aggregate
|
| |
+ #POST /os-
|
| |
+ # aggregates/{aggregate_id}/action (set_metadata)
|
| |
+ "os_compute_api:os-aggregates:set_metadata": "rule:admin_api"
|
| |
+ # Add a host to an aggregate.
|
| |
+ #POST /os-
|
| |
+ # aggregates/{aggregate_id}/action (add_host)
|
| |
+ "os_compute_api:os-aggregates:add_host": "rule:admin_api"
|
| |
+ # Create an aggregate
|
| |
+ #POST /os-aggregates
|
| |
+ "os_compute_api:os-aggregates:create": "rule:admin_api"
|
| |
+ # Remove a host from an aggregate
|
| |
+ #POST /os-
|
| |
+ # aggregates/{aggregate_id}/action (remove_host)
|
| |
+ "os_compute_api:os-aggregates:remove_host": "rule:admin_api"
|
| |
+ # Update name and/or availability zone for an aggregate
|
| |
+ #PUT /os-
|
| |
+ # aggregates/{aggregate_id}
|
| |
+ "os_compute_api:os-aggregates:update": "rule:admin_api"
|
| |
+ # List all aggregates
|
| |
+ #GET /os-aggregates
|
| |
+ "os_compute_api:os-aggregates:index": "rule:admin_api"
|
| |
+ # Delete an aggregate
|
| |
+ #DELETE /os-aggregates/{aggregate_id}
|
| |
+ "os_compute_api:os-aggregates:delete": "rule:admin_api"
|
| |
+ # Show details for an aggregate.
|
| |
+ #GET /os-aggregates/{aggregate_id}
|
| |
+ "os_compute_api:os-aggregates:show": "rule:admin_api"
|
| |
+ # Create an assisted volume snapshot
|
| |
+ #POST /os-assisted-volume-
|
| |
+ # snapshots
|
| |
+ "os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api"
|
| |
+ # Delete an assisted volume snapshot
|
| |
+ #DELETE /os-assisted-volume-
|
| |
+ # snapshots/{snapshot_id}
|
| |
+ "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api"
|
| |
+ # List port interfaces or show details of a port interface attached to
|
| |
+ # a server
|
| |
+ #GET /servers/{server_id}/os-interface
|
| |
+ #GET
|
| |
+ # /servers/{server_id}/os-interface/{port_id}
|
| |
+ "os_compute_api:os-attach-interfaces": "rule:admin_or_owner"
|
| |
+ # Attach an interface to a server
|
| |
+ #POST /servers/{server_id}/os-
|
| |
+ # interface
|
| |
+ "os_compute_api:os-attach-interfaces:create": "rule:admin_or_owner"
|
| |
+ # Detach an interface from a server
|
| |
+ #DELETE /servers/{server_id}/os-
|
| |
+ # interface/{port_id}
|
| |
+ "os_compute_api:os-attach-interfaces:delete": "rule:admin_or_owner"
|
| |
+ # Lists availability zone information without host information
|
| |
+ #GET os-
|
| |
+ # availability-zone
|
| |
+ "os_compute_api:os-availability-zone:list": "rule:admin_or_owner"
|
| |
+ # Lists detailed availability zone information with host information
|
| |
+ # GET /os-availability-zone/detail
|
| |
+ "os_compute_api:os-availability-zone:detail": "rule:admin_api"
|
| |
+ # List and show details of bare metal nodes.
|
| |
+ #
|
| |
+ #These APIs are proxy
|
| |
+ # calls to the Ironic service and are deprecated.
|
| |
+ #
|
| |
+ #GET /os-baremetal-
|
| |
+ # nodes
|
| |
+ #GET /os-baremetal-nodes/{node_id}
|
| |
+ "os_compute_api:os-baremetal-nodes": "rule:admin_api"
|
| |
+ #
|
| |
+ "context_is_admin": "role:admin"
|
| |
+ #
|
| |
+ "admin_or_owner": "is_admin:True or project_id:%(project_id)s"
|
| |
+ #
|
| |
+ "admin_api": "is_admin:True"
|
| |
+ #
|
| |
+ "network:attach_external_network": "is_admin:True"
|
| |
+ # Update an existing cell
|
| |
+ #PUT /os-cells/{cell_id}
|
| |
+ "os_compute_api:os-cells:update": "rule:admin_api"
|
| |
+ # Create a new cell
|
| |
+ #POST /os-cells
|
| |
+ "os_compute_api:os-cells:create": "rule:admin_api"
|
| |
+ # List and get detailed info of a given cell or all cells
|
| |
+ #GET /os-
|
| |
+ # cells
|
| |
+ #GET /os-cells/detail
|
| |
+ #GET /os-cells/info
|
| |
+ #GET /os-
|
| |
+ # cells/capacities
|
| |
+ #GET /os-cells/{cell_id}
|
| |
+ "os_compute_api:os-cells": "rule:admin_api"
|
| |
+ # Sync instances info in all cells
|
| |
+ #POST /os-cells/sync_instances
|
| |
+ "os_compute_api:os-cells:sync_instances": "rule:admin_api"
|
| |
+ # Remove a cell
|
| |
+ #DELETE /os-cells/{cell_id}
|
| |
+ "os_compute_api:os-cells:delete": "rule:admin_api"
|
| |
+ # Different cell filter to route a build away from a particular cell
|
| |
+ # This policy is read by nova-scheduler process.
|
| |
+ "cells_scheduler_filter:DifferentCellFilter": "is_admin:True"
|
| |
+ # Target cell filter to route a build to a particular cell
|
| |
+ #
|
| |
+ #This
|
| |
+ # policy is read by nova-scheduler process.
|
| |
+ "cells_scheduler_filter:TargetCellFilter": "is_admin:True"
|
| |
+ # Add 'config_drive' attribute in the server response.
|
| |
+ #GET
|
| |
+ # /servers/{id}
|
| |
+ #GET /servers/detail
|
| |
+ "os_compute_api:os-config-drive": "rule:admin_or_owner"
|
| |
+ # Show console connection information for a given console
|
| |
+ # authentication token
|
| |
+ #GET /os-console-auth-tokens/{console_token}
|
| |
+ "os_compute_api:os-console-auth-tokens": "rule:admin_api"
|
| |
+ # Show console output for a server
|
| |
+ #POST /servers/{server_id}/action
|
| |
+ # (os-getConsoleOutput)
|
| |
+ "os_compute_api:os-console-output": "rule:admin_or_owner"
|
| |
+ # Create a console for a server instance
|
| |
+ #POST
|
| |
+ # /servers/{server_id}/consoles
|
| |
+ "os_compute_api:os-consoles:create": "rule:admin_or_owner"
|
| |
+ # Show console details for a server instance
|
| |
+ #GET
|
| |
+ # /servers/{server_id}/consoles/{console_id}
|
| |
+ "os_compute_api:os-consoles:show": "rule:admin_or_owner"
|
| |
+ # Delete a console for a server instance
|
| |
+ #DELETE
|
| |
+ # /servers/{server_id}/consoles/{console_id}
|
| |
+ "os_compute_api:os-consoles:delete": "rule:admin_or_owner"
|
| |
+ # List all consoles for a server instance
|
| |
+ #GET
|
| |
+ # /servers/{server_id}/consoles
|
| |
+ "os_compute_api:os-consoles:index": "rule:admin_or_owner"
|
| |
+ # Create a back up of a server
|
| |
+ #POST /servers/{server_id}/action
|
| |
+ # (createBackup)
|
| |
+ "os_compute_api:os-create-backup": "rule:admin_or_owner"
|
| |
+ # Restore a soft deleted server or force delete a server before
|
| |
+ # deferred cleanup
|
| |
+ #POST /servers/{server_id}/action (restore)
|
| |
+ #POST
|
| |
+ # /servers/{server_id}/action (forceDelete)
|
| |
+ "os_compute_api:os-deferred-delete": "rule:admin_or_owner"
|
| |
+ # Evacuate a server from a failed host to a new host
|
| |
+ #POST
|
| |
+ # /servers/{server_id}/action (evacuate)
|
| |
+ "os_compute_api:os-evacuate": "rule:admin_api"
|
| |
+ # Add `OS-EXT-AZ:availability_zone` into the server response.
|
| |
+ #GET
|
| |
+ # /servers/{id}
|
| |
+ #GET /servers/detail
|
| |
+ "os_compute_api:os-extended-availability-zone": "rule:admin_or_owner"
|
| |
+ # Return extended attributes for server.
|
| |
+ #
|
| |
+ #This rule will control the
|
| |
+ # visibility for a set of servers attributes:
|
| |
+ # OS-EXT-SRV-ATTR:host
|
| |
+ # OS-EXT-SRV-ATTR:instance_name
|
| |
+ # OS-EXT-SRV-ATTR:reservation_id
|
| |
+ # (since microversion 2.3)
|
| |
+ # OS-EXT-SRV-ATTR:launch_index (since
|
| |
+ # microversion 2.3)
|
| |
+ # OS-EXT-SRV-ATTR:hostname (since microversion
|
| |
+ # 2.3)
|
| |
+ # OS-EXT-SRV-ATTR:kernel_id (since microversion 2.3)
|
| |
+ # OS-
|
| |
+ # EXT-SRV-ATTR:ramdisk_id (since microversion 2.3)
|
| |
+ # OS-EXT-SRV-
|
| |
+ # ATTR:root_device_name (since microversion 2.3)
|
| |
+ # OS-EXT-SRV-
|
| |
+ # ATTR:user_data (since microversion 2.3)
|
| |
+ #GET /servers/{id}
|
| |
+ #GET
|
| |
+ # /servers/detail
|
| |
+ "os_compute_api:os-extended-server-attributes": "rule:admin_api"
|
| |
+ # Return extended status in the response of server.
|
| |
+ #
|
| |
+ #This policy will
|
| |
+ # control the visibility for a set of attributes:
|
| |
+ # OS-EXT-
|
| |
+ # STS:task_state
|
| |
+ # OS-EXT-STS:vm_state
|
| |
+ # OS-EXT-STS:power_state
|
| |
+ # GET /servers/{id}
|
| |
+ #GET /servers/detail
|
| |
+ "os_compute_api:os-extended-status": "rule:admin_or_owner"
|
| |
+ # Return 'os-extended-volumes:volumes_attached' in the response of
|
| |
+ # server.
|
| |
+ #GET /servers/{id}
|
| |
+ #GET /servers/detail
|
| |
+ "os_compute_api:os-extended-volumes": "rule:admin_or_owner"
|
| |
+ # Lists available extensions and shows information for an extension by
|
| |
+ # alias.
|
| |
+ #GET /extensions
|
| |
+ #GET /extensions/{alias}
|
| |
+ "os_compute_api:extensions": "rule:admin_or_owner"
|
| |
+ #
|
| |
+ "os_compute_api:os-fixed-ips": "rule:admin_api"
|
| |
+ # Add flavor access to a tenant
|
| |
+ #POST /flavors/{flavor_id}/action
|
| |
+ # (addTenantAccess)
|
| |
+ "os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api"
|
| |
+ # Remove flavor access from a tenant
|
| |
+ #POST /flavors/{flavor_id}/action
|
| |
+ # (removeTenantAccess)
|
| |
+ "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api"
|
| |
+ # Allow the listing of flavor access information
|
| |
+ #
|
| |
+ #Adds the os-flavor-
|
| |
+ # access:is_public key into several flavor APIs.
|
| |
+ #
|
| |
+ #It also allows
|
| |
+ # access to the full list of tenants that have access
|
| |
+ #to a flavor via
|
| |
+ # an os-flavor-access API.
|
| |
+ #
|
| |
+ #GET /flavors/{flavor_id}/os-flavor-access
|
| |
+ # GET /flavors/detail
|
| |
+ #GET /flavors/{flavor_id}
|
| |
+ #POST /flavors
|
| |
+ "os_compute_api:os-flavor-access": "rule:admin_or_owner"
|
| |
+ # Show an extra spec for a flavor
|
| |
+ #GET /flavors/{flavor_id}/os-
|
| |
+ # extra_specs/{flavor_extra_spec_key}
|
| |
+ "os_compute_api:os-flavor-extra-specs:show": "rule:admin_or_owner"
|
| |
+ # Create extra specs for a flavor
|
| |
+ #POST /flavors/{flavor_id}/os-
|
| |
+ # extra_specs/
|
| |
+ "os_compute_api:os-flavor-extra-specs:create": "rule:admin_api"
|
| |
+ # Update an extra spec for a flavor
|
| |
+ #PUT /flavors/{flavor_id}/os-
|
| |
+ # extra_specs/{flavor_extra_spec_key}
|
| |
+ "os_compute_api:os-flavor-extra-specs:update": "rule:admin_api"
|
| |
+ # Delete an extra spec for a flavor
|
| |
+ #DELETE /flavors/{flavor_id}/os-
|
| |
+ # extra_specs/{flavor_extra_spec_key}
|
| |
+ "os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api"
|
| |
+ # List extra specs for a flavor
|
| |
+ #GET /flavors/{flavor_id}/os-
|
| |
+ # extra_specs/
|
| |
+ "os_compute_api:os-flavor-extra-specs:index": "rule:admin_or_owner"
|
| |
+ # Create and delete Flavors
|
| |
+ #POST /flavors
|
| |
+ #DELETE /flavors/{flavor_id}
|
| |
+ "os_compute_api:os-flavor-manage": "rule:admin_api"
|
| |
+ # Adds the rxtx_factor key into some Flavor APIs
|
| |
+ #GET /flavors/detail
|
| |
+ # GET /flavors/{flavor_id}
|
| |
+ #POST /flavors
|
| |
+ "os_compute_api:os-flavor-rxtx": "rule:admin_or_owner"
|
| |
+ #
|
| |
+ "os_compute_api:flavors": "rule:admin_or_owner"
|
| |
+ # List registered DNS domains, and CRUD actions on domain names.
|
| |
+ #
|
| |
+ #Note
|
| |
+ # this only works with nova-network and this API is deprecated.
|
| |
+ #GET
|
| |
+ # /os-floating-ip-dns
|
| |
+ #GET /os-floating-ip-dns/{domain}/entries/{ip}
|
| |
+ # GET /os-floating-ip-dns/{domain}/entries/{name}
|
| |
+ #PUT /os-floating-ip-
|
| |
+ # dns/{domain}/entries/{name}
|
| |
+ #DELETE /os-floating-ip-
|
| |
+ # dns/{domain}/entries/{name}
|
| |
+ "os_compute_api:os-floating-ip-dns": "rule:admin_or_owner"
|
| |
+ # Create or update a DNS domain.
|
| |
+ #PUT /os-floating-ip-dns/{domain}
|
| |
+ "os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api"
|
| |
+ # Delete a DNS domain.
|
| |
+ #DELETE /os-floating-ip-dns/{domain}
|
| |
+ "os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api"
|
| |
+ # List floating IP pools. This API is deprecated.
|
| |
+ #GET /os-floating-ip-
|
| |
+ # pools
|
| |
+ "os_compute_api:os-floating-ip-pools": "rule:admin_or_owner"
|
| |
+ # Manage a project's floating IPs. These APIs are all deprecated.
|
| |
+ #POST
|
| |
+ # /servers/{server_id}/action (addFloatingIp)
|
| |
+ #POST
|
| |
+ # /servers/{server_id}/action (removeFloatingIp)
|
| |
+ #GET /os-floating-ips
|
| |
+ # POST /os-floating-ips
|
| |
+ #GET /os-floating-ips/{floating_ip_id}
|
| |
+ #DELETE
|
| |
+ # /os-floating-ips/{floating_ip_id}
|
| |
+ "os_compute_api:os-floating-ips": "rule:admin_or_owner"
|
| |
+ # Bulk-create, delete, and list floating IPs. API is deprecated.
|
| |
+ #GET
|
| |
+ # /os-floating-ips-bulk
|
| |
+ #POST /os-floating-ips-bulk
|
| |
+ #PUT /os-floating-
|
| |
+ # ips-bulk/delete
|
| |
+ #GET /os-floating-ips-bulk/{host_name}
|
| |
+ "os_compute_api:os-floating-ips-bulk": "rule:admin_api"
|
| |
+ # Pings instances for all projects and reports which instances
|
| |
+ #are
|
| |
+ # alive.
|
| |
+ #
|
| |
+ #os-fping API is deprecated as this works only with nova-
|
| |
+ # network
|
| |
+ #which itself is deprecated.
|
| |
+ #GET /os-fping?all_tenants=true
|
| |
+ "os_compute_api:os-fping:all_tenants": "rule:admin_api"
|
| |
+ # Pings instances, particular instance and reports which instances
|
| |
+ #are
|
| |
+ # alive.
|
| |
+ #
|
| |
+ #os-fping API is deprecated as this works only with nova-
|
| |
+ # network
|
| |
+ #which itself is deprecated.
|
| |
+ #GET /os-fping
|
| |
+ #GET /os-
|
| |
+ # fping/{instance_id}
|
| |
+ "os_compute_api:os-fping": "rule:admin_or_owner"
|
| |
+ #
|
| |
+ "os_compute_api:os-hide-server-addresses": "is_admin:False"
|
| |
+ #
|
| |
+ "os_compute_api:os-hosts": "rule:admin_api"
|
| |
+ # Policy rule for hypervisor related APIs.
|
| |
+ #
|
| |
+ #This rule will be checked
|
| |
+ # for the following APIs:
|
| |
+ #
|
| |
+ #List all hypervisors, list all hypervisors
|
| |
+ # with details, show
|
| |
+ #summary statistics for all hypervisors over all
|
| |
+ # compute nodes,
|
| |
+ #show details for a hypervisor, show the uptime of a
|
| |
+ # hypervisor,
|
| |
+ #search hypervisor by hypervisor_hostname pattern and
|
| |
+ # list all
|
| |
+ #servers on hypervisors that can match the provided
|
| |
+ # hypervisor_hostname
|
| |
+ #pattern.
|
| |
+ #GET /os-hypervisors
|
| |
+ #GET /os-
|
| |
+ # hypervisors/details
|
| |
+ #GET /os-hypervisors/statistics
|
| |
+ #GET /os-
|
| |
+ # hypervisors/{hypervisor_id}
|
| |
+ #GET /os-
|
| |
+ # hypervisors/{hypervisor_id}/uptime
|
| |
+ #GET /os-
|
| |
+ # hypervisors/{hypervisor_hostname_pattern}/search
|
| |
+ #GET /os-
|
| |
+ # hypervisors/{hypervisor_hostname_pattern}/servers
|
| |
+ "os_compute_api:os-hypervisors": "rule:admin_api"
|
| |
+ # Add 'OS-EXT-IMG-SIZE:size' attribute in the image response.
|
| |
+ #GET
|
| |
+ # /images/{id}
|
| |
+ #GET /images/detail
|
| |
+ "os_compute_api:image-size": "rule:admin_or_owner"
|
| |
+ # Add events details in action details for a server.
|
| |
+ #
|
| |
+ #This check is
|
| |
+ # performed only after the check
|
| |
+ #os_compute_api:os-instance-actions
|
| |
+ # passes
|
| |
+ #GET /servers/{server_id}/os-instance-actions/{request_id}
|
| |
+ "os_compute_api:os-instance-actions:events": "rule:admin_api"
|
| |
+ # List actions and show action details for a server.
|
| |
+ #GET
|
| |
+ # /servers/{server_id}/os-instance-actions
|
| |
+ #GET
|
| |
+ # /servers/{server_id}/os-instance-actions/{request_id}
|
| |
+ "os_compute_api:os-instance-actions": "rule:admin_or_owner"
|
| |
+ # Lists all usage audits and that occurred before a specified time
|
| |
+ #for
|
| |
+ # all servers on all compute hosts where usage auditing is configured.
|
| |
+ # GET /os-instance_usage_audit_log
|
| |
+ #GET /os-
|
| |
+ # instance_usage_audit_log/{before_timestamp}
|
| |
+ "os_compute_api:os-instance-usage-audit-log": "rule:admin_api"
|
| |
+ # Shows IP addresses details for a network label of a server.
|
| |
+ #GET
|
| |
+ # /servers/{server_id}/ips/{network_label}
|
| |
+ "os_compute_api:ips:show": "rule:admin_or_owner"
|
| |
+ # Lists IP addresses that are assigned to a server.
|
| |
+ #GET
|
| |
+ # /servers/{server_id}/ips
|
| |
+ "os_compute_api:ips:index": "rule:admin_or_owner"
|
| |
+ # List all keypairs
|
| |
+ #GET /os-keypairs
|
| |
+ "os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s"
|
| |
+ # Create a keypair
|
| |
+ #POST /os-keypairs
|
| |
+ "os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s"
|
| |
+ # Delete a keypair
|
| |
+ #DELETE /os-keypairs/{keypair_name}
|
| |
+ "os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s"
|
| |
+ # Show details of a keypair
|
| |
+ #GET /os-keypairs/{keypair_name}
|
| |
+ "os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s"
|
| |
+ # Return 'key_name' in the response of server.
|
| |
+ #GET /servers/{id}
|
| |
+ #GET
|
| |
+ # /servers/detail
|
| |
+ "os_compute_api:os-keypairs": "rule:admin_or_owner"
|
| |
+ #
|
| |
+ "os_compute_api:limits": "rule:admin_or_owner"
|
| |
+ # Lock a server
|
| |
+ #POST /servers/{server_id}/action (lock)
|
| |
+ "os_compute_api:os-lock-server:lock": "rule:admin_or_owner"
|
| |
+ # Unlock a server
|
| |
+ #POST /servers/{server_id}/action (unlock)
|
| |
+ "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner"
|
| |
+ # Unlock a server, regardless who locked the server.
|
| |
+ #
|
| |
+ # This
|
| |
+ # check is performed only after the check
|
| |
+ # os_compute_api:os-
|
| |
+ # lock-server:unlock passes
|
| |
+ #POST /servers/{server_id}/action (unlock)
|
| |
+ "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api"
|
| |
+ # Cold migrate a server to a host
|
| |
+ #POST /servers/{server_id}/action
|
| |
+ # (migrate)
|
| |
+ "os_compute_api:os-migrate-server:migrate": "rule:admin_api"
|
| |
+ # Live migrate a server to a new host without a reboot
|
| |
+ #POST
|
| |
+ # /servers/{server_id}/action (os-migrateLive)
|
| |
+ "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api"
|
| |
+ # List migrations
|
| |
+ #GET /os-migrations
|
| |
+ "os_compute_api:os-migrations:index": "rule:admin_api"
|
| |
+ #
|
| |
+ "os_compute_api:os-multinic": "rule:admin_or_owner"
|
| |
+ #
|
| |
+ "os_compute_api:os-networks": "rule:admin_api"
|
| |
+ #
|
| |
+ "os_compute_api:os-networks:view": "rule:admin_or_owner"
|
| |
+ #
|
| |
+ "os_compute_api:os-networks-associate": "rule:admin_api"
|
| |
+ # Pause a server.
|
| |
+ #POST /servers/{server_id}/action (pause)
|
| |
+ "os_compute_api:os-pause-server:pause": "rule:admin_or_owner"
|
| |
+ # Unpause a paused server.
|
| |
+ #POST /servers/{server_id}/action (unpause)
|
| |
+ "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner"
|
| |
+ # List quotas for specific quota classs
|
| |
+ #GET /os-quota-class-
|
| |
+ # sets/{quota_class}
|
| |
+ "os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s"
|
| |
+ # Update quotas for specific quota class
|
| |
+ #PUT /os-quota-class-
|
| |
+ # sets/{quota_class}
|
| |
+ "os_compute_api:os-quota-class-sets:update": "rule:admin_api"
|
| |
+ # Update the quotas
|
| |
+ #PUT /os-quota-sets/{tenant_id}
|
| |
+ "os_compute_api:os-quota-sets:update": "rule:admin_api"
|
| |
+ # List default quotas
|
| |
+ #GET /os-quota-sets/{tenant_id}/defaults
|
| |
+ "os_compute_api:os-quota-sets:defaults": "@"
|
| |
+ # Show a quota
|
| |
+ #GET /os-quota-sets/{tenant_id}
|
| |
+ "os_compute_api:os-quota-sets:show": "rule:admin_or_owner"
|
| |
+ # Revert quotas to defaults
|
| |
+ #DELETE /os-quota-sets/{tenant_id}
|
| |
+ "os_compute_api:os-quota-sets:delete": "rule:admin_api"
|
| |
+ # Show the detail of quota
|
| |
+ #GET /os-quota-sets/{tenant_id}/detail
|
| |
+ "os_compute_api:os-quota-sets:detail": "rule:admin_api"
|
| |
+ # Generates a URL to access remove server console
|
| |
+ #POST
|
| |
+ # /servers/{server_id}/action (os-getRDPConsole)
|
| |
+ #POST
|
| |
+ # /servers/{server_id}/action (os-getSerialConsole)
|
| |
+ #POST
|
| |
+ # /servers/{server_id}/action (os-getSPICEConsole)
|
| |
+ #POST
|
| |
+ # /servers/{server_id}/action (os-getVNCConsole)
|
| |
+ #POST
|
| |
+ # /servers/{server_id}/remote-consoles
|
| |
+ "os_compute_api:os-remote-consoles": "rule:admin_or_owner"
|
| |
+ # Rescue/unrescue a server
|
| |
+ #POST /servers/{server_id}/action (rescue)
|
| |
+ # POST /servers/{server_id}/action (unrescue)
|
| |
+ "os_compute_api:os-rescue": "rule:admin_or_owner"
|
| |
+ # Lists, shows information for, creates and deletes default security
|
| |
+ # group rules.
|
| |
+ #
|
| |
+ #These API's are only available with nova-network which
|
| |
+ # is now deprecated.
|
| |
+ #GET /os-security-group-default-rules
|
| |
+ #GET /os-
|
| |
+ # security-group-default-rules/{security_group_default_rule_id}
|
| |
+ #POST
|
| |
+ # /os-security-group-default-rules
|
| |
+ #DELETE /os-security-group-default-
|
| |
+ # rules/{security_group_default_rule_id}
|
| |
+ "os_compute_api:os-security-group-default-rules": "rule:admin_api"
|
| |
+ # This policy checks permission on security groups related APIs.
|
| |
+ #
|
| |
+ #APIs
|
| |
+ # which are directly related to security groups resource are
|
| |
+ # deprecated:
|
| |
+ #Lists, shows information for, creates, updates and
|
| |
+ # deletes
|
| |
+ #security groups. Creates and deletes security group rules.
|
| |
+ # All these
|
| |
+ #API's are deprecated.
|
| |
+ #
|
| |
+ #APIs which are related to server
|
| |
+ # resource are not deprecated:
|
| |
+ #Lists Security Groups for a server. Add
|
| |
+ # Security Group to a server
|
| |
+ #and remove security group from a server.
|
| |
+ # Expand security_groups in
|
| |
+ #server representation
|
| |
+ #GET /os-security-
|
| |
+ # groups
|
| |
+ #GET /os-security-groups/{security_group_id}
|
| |
+ #POST /os-
|
| |
+ # security-groups
|
| |
+ #PUT /os-security-groups/{security_group_id}
|
| |
+ #DELETE
|
| |
+ # /os-security-groups/{security_group_id}
|
| |
+ #GET /servers/{server_id}/os-
|
| |
+ # security-groups
|
| |
+ #POST /servers/{server_id}/action (addSecurityGroup)
|
| |
+ # POST /servers/{server_id}/action (removeSecurityGroup)
|
| |
+ #POST /servers
|
| |
+ # GET /servers/{server_id}
|
| |
+ #GET /servers/detail
|
| |
+ "os_compute_api:os-security-groups": "rule:admin_or_owner"
|
| |
+ # Shows the usage data for a server
|
| |
+ #GET
|
| |
+ # /servers/{server_id}/diagnostics
|
| |
+ "os_compute_api:os-server-diagnostics": "rule:admin_api"
|
| |
+ # Creates one or more external events
|
| |
+ #POST /os-server-external-events
|
| |
+ "os_compute_api:os-server-external-events:create": "rule:admin_api"
|
| |
+ #
|
| |
+ "os_compute_api:os-server-groups": "rule:admin_or_owner"
|
| |
+ # Create a new server group
|
| |
+ #POST /os-server-groups
|
| |
+ "os_compute_api:os-server-groups:create": "rule:os_compute_api:os-server-groups"
|
| |
+ # Delete a server group
|
| |
+ #DELETE /os-server-groups/{server_group_id}
|
| |
+ "os_compute_api:os-server-groups:delete": "rule:os_compute_api:os-server-groups"
|
| |
+ # List all server groups
|
| |
+ #GET /os-server-groups
|
| |
+ "os_compute_api:os-server-groups:index": "rule:os_compute_api:os-server-groups"
|
| |
+ # Show details of a server group
|
| |
+ #GET /os-server-
|
| |
+ # groups/{server_group_id}
|
| |
+ "os_compute_api:os-server-groups:show": "rule:os_compute_api:os-server-groups"
|
| |
+ # List all metadata of a server
|
| |
+ #GET /servers/server_id/metadata
|
| |
+ "os_compute_api:server-metadata:index": "rule:admin_or_owner"
|
| |
+ # Show metadata for a server
|
| |
+ #GET /servers/server_id/metadata/{key}
|
| |
+ "os_compute_api:server-metadata:show": "rule:admin_or_owner"
|
| |
+ # Create metadata for a server
|
| |
+ #POST /servers/server_id/metadata
|
| |
+ "os_compute_api:server-metadata:create": "rule:admin_or_owner"
|
| |
+ # Replace metadata for a server
|
| |
+ #PUT /servers/server_id/metadata
|
| |
+ "os_compute_api:server-metadata:update_all": "rule:admin_or_owner"
|
| |
+ # Update metadata from a server
|
| |
+ #PUT /servers/server_id/metadata/{key}
|
| |
+ "os_compute_api:server-metadata:update": "rule:admin_or_owner"
|
| |
+ # Delete metadata from a server
|
| |
+ #DELETE
|
| |
+ # /servers/server_id/metadata/{key}
|
| |
+ "os_compute_api:server-metadata:delete": "rule:admin_or_owner"
|
| |
+ # Show and clear the encrypted administrative password of a server
|
| |
+ #GET
|
| |
+ # /servers/{server_id}/os-server-password
|
| |
+ #DELETE
|
| |
+ # /servers/{server_id}/os-server-password
|
| |
+ "os_compute_api:os-server-password": "rule:admin_or_owner"
|
| |
+ # Delete all the server tags
|
| |
+ #DELETE /servers/{server_id}/tags
|
| |
+ "os_compute_api:os-server-tags:delete_all": "rule:admin_or_owner"
|
| |
+ # List all tags for given server
|
| |
+ #GET /servers/{server_id}/tags
|
| |
+ "os_compute_api:os-server-tags:index": "rule:admin_or_owner"
|
| |
+ # Replace all tags on specified server with the new set of tags.
|
| |
+ #PUT
|
| |
+ # /servers/{server_id}/tags
|
| |
+ "os_compute_api:os-server-tags:update_all": "rule:admin_or_owner"
|
| |
+ # Delete a single tag from the specified server
|
| |
+ #DELETE
|
| |
+ # /servers/{server_id}/tags/{tag}
|
| |
+ "os_compute_api:os-server-tags:delete": "rule:admin_or_owner"
|
| |
+ # Add a single tag to the server if server has no specified tag
|
| |
+ #PUT
|
| |
+ # /servers/{server_id}/tags/{tag}
|
| |
+ "os_compute_api:os-server-tags:update": "rule:admin_or_owner"
|
| |
+ # Check tag existence on the server.
|
| |
+ #GET
|
| |
+ # /servers/{server_id}/tags/{tag}
|
| |
+ "os_compute_api:os-server-tags:show": "rule:admin_or_owner"
|
| |
+ #
|
| |
+ "os_compute_api:os-server-usage": "rule:admin_or_owner"
|
| |
+ # List all servers
|
| |
+ #GET /servers
|
| |
+ "os_compute_api:servers:index": "rule:admin_or_owner"
|
| |
+ # List all servers with detailed information
|
| |
+ #GET /servers/detail
|
| |
+ "os_compute_api:servers:detail": "rule:admin_or_owner"
|
| |
+ # List all servers for all projects
|
| |
+ #GET /servers
|
| |
+ "os_compute_api:servers:index:get_all_tenants": "rule:admin_api"
|
| |
+ # List all servers with detailed information for all projects
|
| |
+ #GET
|
| |
+ # /servers/detail
|
| |
+ "os_compute_api:servers:detail:get_all_tenants": "rule:admin_api"
|
| |
+ # Show a server
|
| |
+ #GET /servers/{server_id}
|
| |
+ "os_compute_api:servers:show": "rule:admin_or_owner"
|
| |
+ # Show a server with additional host status information
|
| |
+ #GET
|
| |
+ # /servers/{server_id}
|
| |
+ #GET /servers/detail
|
| |
+ "os_compute_api:servers:show:host_status": "rule:admin_api"
|
| |
+ # Create a server
|
| |
+ #POST /servers
|
| |
+ "os_compute_api:servers:create": "rule:admin_or_owner"
|
| |
+ # Create a server on the specified host
|
| |
+ #POST /servers
|
| |
+ "os_compute_api:servers:create:forced_host": "rule:admin_api"
|
| |
+ # Create a server with the requested volume attached to it
|
| |
+ #POST
|
| |
+ # /servers
|
| |
+ "os_compute_api:servers:create:attach_volume": "rule:admin_or_owner"
|
| |
+ # Create a server with the requested network attached to it
|
| |
+ #POST
|
| |
+ # /servers
|
| |
+ "os_compute_api:servers:create:attach_network": "rule:admin_or_owner"
|
| |
+ # Delete a server
|
| |
+ #DELETE /servers/{server_id}
|
| |
+ "os_compute_api:servers:delete": "rule:admin_or_owner"
|
| |
+ # Update a server
|
| |
+ #PUT /servers/{server_id}
|
| |
+ "os_compute_api:servers:update": "rule:admin_or_owner"
|
| |
+ # Confirm a server resize
|
| |
+ #POST /servers/{server_id}/action
|
| |
+ # (confirmResize)
|
| |
+ "os_compute_api:servers:confirm_resize": "rule:admin_or_owner"
|
| |
+ # Revert a server resize
|
| |
+ #POST /servers/{server_id}/action
|
| |
+ # (revertResize)
|
| |
+ "os_compute_api:servers:revert_resize": "rule:admin_or_owner"
|
| |
+ # Reboot a server
|
| |
+ #POST /servers/{server_id}/action (reboot)
|
| |
+ "os_compute_api:servers:reboot": "rule:admin_or_owner"
|
| |
+ # Resize a server
|
| |
+ #POST /servers/{server_id}/action (resize)
|
| |
+ "os_compute_api:servers:resize": "rule:admin_or_owner"
|
| |
+ # Rebuild a server
|
| |
+ #POST /servers/{server_id}/action (rebuild)
|
| |
+ "os_compute_api:servers:rebuild": "rule:admin_or_owner"
|
| |
+ # Create an image from a server
|
| |
+ #POST /servers/{server_id}/action
|
| |
+ # (createImage)
|
| |
+ "os_compute_api:servers:create_image": "rule:admin_or_owner"
|
| |
+ # Create an image from a volume backed server
|
| |
+ #POST
|
| |
+ # /servers/{server_id}/action (createImage)
|
| |
+ "os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_or_owner"
|
| |
+ # Start a server
|
| |
+ #POST /servers/{server_id}/action (os-start)
|
| |
+ "os_compute_api:servers:start": "rule:admin_or_owner"
|
| |
+ # Stop a server
|
| |
+ #POST /servers/{server_id}/action (os-stop)
|
| |
+ "os_compute_api:servers:stop": "rule:admin_or_owner"
|
| |
+ # Trigger crash dump in a server
|
| |
+ #POST /servers/{server_id}/action
|
| |
+ # (trigger_crash_dump)
|
| |
+ "os_compute_api:servers:trigger_crash_dump": "rule:admin_or_owner"
|
| |
+ # Show details for an in-progress live migration for a given server
|
| |
+ # GET /servers/{server_id}/migrations/{migration_id}
|
| |
+ "os_compute_api:servers:migrations:show": "rule:admin_api"
|
| |
+ # Force an in-progress live migration for a given server to complete
|
| |
+ # POST /servers/{server_id}/migrations/{migration_id}/action
|
| |
+ # (force_complete)
|
| |
+ "os_compute_api:servers:migrations:force_complete": "rule:admin_api"
|
| |
+ # Delete(Abort) an in-progress live migration
|
| |
+ #DELETE
|
| |
+ # /servers/{server_id}/migrations/{migration_id}
|
| |
+ "os_compute_api:servers:migrations:delete": "rule:admin_api"
|
| |
+ # Lists in-progress live migrations for a given server
|
| |
+ #GET
|
| |
+ # /servers/{server_id}/migrations
|
| |
+ "os_compute_api:servers:migrations:index": "rule:admin_api"
|
| |
+ # Lists all running Compute services in a region, enables or disables
|
| |
+ # scheduling for a Compute service, logs disabled Compute service
|
| |
+ # information, set or unset forced_down flag for the compute service
|
| |
+ # and deletes a Compute service.
|
| |
+ #GET /os-services
|
| |
+ #PUT /os-
|
| |
+ # services/enable
|
| |
+ #PUT /os-services/disable
|
| |
+ #PUT /os-services/disable-
|
| |
+ # log-reason
|
| |
+ #PUT /os-services/force-down
|
| |
+ #DELETE /os-
|
| |
+ # services/{service_id}
|
| |
+ "os_compute_api:os-services": "rule:admin_api"
|
| |
+ # Shelve Server
|
| |
+ #POST /servers/{server_id}/action (shelve)
|
| |
+ "os_compute_api:os-shelve:shelve": "rule:admin_or_owner"
|
| |
+ # Unshelve (Restore) Shelved Server
|
| |
+ #POST /servers/{server_id}/action
|
| |
+ # (unshelve)
|
| |
+ "os_compute_api:os-shelve:unshelve": "rule:admin_or_owner"
|
| |
+ # Shelf-Offload (Remove) Server
|
| |
+ #POST /servers/{server_id}/action
|
| |
+ # (shelveOffload)
|
| |
+ "os_compute_api:os-shelve:shelve_offload": "rule:admin_api"
|
| |
+ # Show usage statistics for a specific tenant.
|
| |
+ #GET /os-simple-tenant-
|
| |
+ # usage/{tenant_id}
|
| |
+ "os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner"
|
| |
+ # List per tenant usage statistics for all tenants.
|
| |
+ #GET /os-simple-
|
| |
+ # tenant-usage
|
| |
+ "os_compute_api:os-simple-tenant-usage:list": "rule:admin_api"
|
| |
+ # Resume suspended server
|
| |
+ #POST /servers/{server_id}/action (resume)
|
| |
+ "os_compute_api:os-suspend-server:resume": "rule:admin_or_owner"
|
| |
+ # Suspend server
|
| |
+ #POST /servers/{server_id}/action (suspend)
|
| |
+ "os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner"
|
| |
+ # Creates, lists, shows information for, and deletes
|
| |
+ #project networks.
|
| |
+ # These APIs are proxy calls to the Network service. These are all
|
| |
+ # deprecated.
|
| |
+ #GET /os-tenant-networks
|
| |
+ #POST /os-tenant-networks
|
| |
+ #GET
|
| |
+ # /os-tenant-networks/{network_id}
|
| |
+ #DELETE /os-tenant-
|
| |
+ # networks/{network_id}
|
| |
+ "os_compute_api:os-tenant-networks": "rule:admin_or_owner"
|
| |
+ # Shows rate and absolute limits for the project.
|
| |
+ #
|
| |
+ #This policy only
|
| |
+ # checks if the user has access to the requested
|
| |
+ #project limits. And
|
| |
+ # this check is performed only after the check
|
| |
+ #os_compute_api:limits
|
| |
+ # passes
|
| |
+ #GET /limits
|
| |
+ "os_compute_api:os-used-limits": "rule:admin_api"
|
| |
+ # List Virtual Interfaces.
|
| |
+ #
|
| |
+ #This works only with the nova-network
|
| |
+ # service, which is now deprecated
|
| |
+ #GET /servers/{server_id}/os-
|
| |
+ # virtual-interfaces
|
| |
+ "os_compute_api:os-virtual-interfaces": "rule:admin_or_owner"
|
| |
+ # Manages volumes for use with the Compute API.
|
| |
+ #
|
| |
+ #Lists, shows details,
|
| |
+ # creates, and deletes volumes. These APIs are proxy calls
|
| |
+ #to the
|
| |
+ # Volume service. These are all deprecated.
|
| |
+ #GET /os-volumes
|
| |
+ #POST /os-
|
| |
+ # volumes
|
| |
+ #GET /os-volumes/detail
|
| |
+ #GET /os-volumes/{volume_id}
|
| |
+ #DELETE
|
| |
+ # /os-volumes/{volume_id}
|
| |
+ "os_compute_api:os-volumes": "rule:admin_or_owner"
|
| |
+ # List volume attachments for an instance
|
| |
+ #GET /servers/{server_id}/os-
|
| |
+ # volume_attachments
|
| |
+ "os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner"
|
| |
+ # Attach a volume to an instance
|
| |
+ #POST /servers/{server_id}/os-
|
| |
+ # volume_attachments
|
| |
+ "os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner"
|
| |
+ # Show details of a volume attachment
|
| |
+ #GET /servers/{server_id}/os-
|
| |
+ # volume_attachments/{attachment_id}
|
| |
+ "os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner"
|
| |
+ # Update a volume attachment
|
| |
+ #PUT /servers/{server_id}/os-
|
| |
+ # volume_attachments/{attachment_id}
|
| |
+ "os_compute_api:os-volumes-attachments:update": "rule:admin_api"
|
| |
+ # Detach a volume from an instance
|
| |
+ #DELETE /servers/{server_id}/os-
|
| |
+ # volume_attachments/{attachment_id}
|
| |
+ "os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner"
|
| |
Add stock policy from the services and show the difference in applying the policy whatn used with the different access data tokens