Ivan Berezovskiy30d60742020-01-16 16:47:02 +04001parameters:
2 _param:
# Barbican (key manager) default policy maps, one per OpenStack release.
# Values are oslo.policy check strings: "rule:X" refers to another entry,
# "role:X" tests a role on the caller's token, "%(...)s" is filled in from the
# target object, and "@" always allows.
# The ocata map is empty; the queens entry at the end reuses the pike map via
# what looks like reclass-style ${_param:...} interpolation.
3 barbican_default_policy_ocata: {}
4 barbican_default_policy_pike:
# "admin" is a bare role check with no project condition of its own; entries
# that need project scoping combine it with a *_project_match rule.
5 "admin": "role:admin"
6 "admin_or_creator": "rule:admin or rule:creator"
7 "admin_or_user": "rule:admin or project_id:%(project_id)s"
8 "admin_or_user_does_not_work": "project_id:%(project_id)s"
9 "all_but_audit": "rule:admin or rule:observer or rule:creator"
10 "all_users": "rule:admin or rule:observer or rule:creator or rule:audit or rule:service_admin"
11 "audit": "role:audit"
12 "certificate_authorities:get_all": "rule:admin"
13 "certificate_authorities:get_global_preferred_ca": "rule:service_admin"
14 "certificate_authorities:get_limited": "rule:all_users"
15 "certificate_authorities:get_preferred_ca": "rule:all_users"
16 "certificate_authorities:post": "rule:admin"
17 "certificate_authorities:unset_global_preferred": "rule:service_admin"
18 "certificate_authority:add_to_project": "rule:admin"
19 "certificate_authority:delete": "rule:admin"
20 "certificate_authority:get": "rule:all_users"
21 "certificate_authority:get_ca_cert_chain": "rule:all_users"
22 "certificate_authority:get_cacert": "rule:all_users"
23 "certificate_authority:get_projects": "rule:service_admin"
24 "certificate_authority:remove_from_project": "rule:admin"
25 "certificate_authority:set_global_preferred": "rule:service_admin"
26 "certificate_authority:set_preferred": "rule:admin"
27 "consumer:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"
28 "consumers:delete": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"
29 "consumers:get": "rule:admin or rule:observer or rule:creator or rule:audit or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"
30 "consumers:post": "rule:admin or rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"
31 "container:delete": "rule:container_project_admin or rule:container_project_creator"
32 "container:get": "rule:container_non_private_read or rule:container_project_creator or rule:container_project_admin or rule:container_acl_read"
# ACL check: the literal 'read' is compared with the target container's read
# attribute.
33 "container_acl_read": "'read':%(target.container.read)s"
34 "container_acls:delete": "rule:container_project_admin or rule:container_project_creator"
35 "container_acls:get": "rule:all_but_audit and rule:container_project_match"
36 "container_acls:put_patch": "rule:container_project_admin or rule:container_project_creator"
37 "container_creator_user": "user:%(target.container.creator_id)s"
38 "container_non_private_read": "rule:all_users and rule:container_project_match and not rule:container_private_read"
# A container counts as private when read_project_access renders as 'False'.
39 "container_private_read": "'False':%(target.container.read_project_access)s"
40 "container_project_admin": "rule:admin and rule:container_project_match"
41 "container_project_creator": "rule:creator and rule:container_project_match and rule:container_creator_user"
42 "container_project_match": "project:%(target.container.project_id)s"
# NOTE(review): the next entries (and the order, secret_meta and collection
# rules below) are role-only, with no *_project_match term; presumably the
# service scopes these operations to the caller's project - confirm.
43 "container_secret:delete": "rule:admin"
44 "container_secret:post": "rule:admin"
45 "containers:get": "rule:all_but_audit"
46 "containers:post": "rule:admin_or_creator"
47 "creator": "role:creator"
48 "observer": "role:observer"
49 "order:delete": "rule:admin"
50 "order:get": "rule:all_users"
51 "order:put": "rule:admin_or_creator"
52 "orders:get": "rule:all_but_audit"
53 "orders:post": "rule:admin_or_creator"
54 "project_quotas:delete": "rule:service_admin"
55 "project_quotas:get": "rule:service_admin"
56 "project_quotas:put": "rule:service_admin"
57 "quotas:get": "rule:all_users"
# secret:decrypt is the rule that gates access to the secret payload. Its
# project-wide branch (secret_decrypt_non_private_read) is built on
# all_but_audit, so the audit role is excluded here, whereas secret:get uses
# secret_non_private_read, which is built on all_users. An ACL 'read' entry
# (secret_acl_read) also grants decrypt.
58 "secret:decrypt": "rule:secret_decrypt_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read"
59 "secret:delete": "rule:secret_project_admin or rule:secret_project_creator"
60 "secret:get": "rule:secret_non_private_read or rule:secret_project_creator or rule:secret_project_admin or rule:secret_acl_read"
61 "secret:put": "rule:admin_or_creator and rule:secret_project_match"
62 "secret_acl_read": "'read':%(target.secret.read)s"
63 "secret_acls:delete": "rule:secret_project_admin or rule:secret_project_creator"
64 "secret_acls:get": "rule:all_but_audit and rule:secret_project_match"
65 "secret_acls:put_patch": "rule:secret_project_admin or rule:secret_project_creator"
66 "secret_creator_user": "user:%(target.secret.creator_id)s"
67 "secret_decrypt_non_private_read": "rule:all_but_audit and rule:secret_project_match and not rule:secret_private_read"
68 "secret_meta:delete": "rule:admin_or_creator"
69 "secret_meta:get": "rule:all_but_audit"
70 "secret_meta:post": "rule:admin_or_creator"
71 "secret_meta:put": "rule:admin_or_creator"
72 "secret_non_private_read": "rule:all_users and rule:secret_project_match and not rule:secret_private_read"
73 "secret_private_read": "'False':%(target.secret.read_project_access)s"
74 "secret_project_admin": "rule:admin and rule:secret_project_match"
75 "secret_project_creator": "rule:creator and rule:secret_project_match and rule:secret_creator_user"
76 "secret_project_match": "project:%(target.secret.project_id)s"
77 "secrets:get": "rule:all_but_audit"
78 "secrets:post": "rule:admin_or_creator"
79 "secretstore:get": "rule:admin"
80 "secretstore_preferred:delete": "rule:admin"
81 "secretstore_preferred:post": "rule:admin"
82 "secretstores:get": "rule:admin"
83 "secretstores:get_global_default": "rule:admin"
84 "secretstores:get_preferred": "rule:admin"
# service_admin is a distinct role from admin; it gates the global CA and
# project-quota entries above.
85 "service_admin": "role:key-manager:service-admin"
86 "transport_key:delete": "rule:admin"
87 "transport_key:get": "rule:all_users"
88 "transport_keys:get": "rule:all_users"
89 "transport_keys:post": "rule:admin"
# "@" always passes: the version endpoint has no role requirement.
90 "version:get": "@"
91 barbican_default_policy_queens: ${_param:barbican_default_policy_pike}
# BGP VPN (networking-bgpvpn) default policy maps.
# NOTE(review): the ocata and pike keys are spelled "bgppvn" while the queens
# key is spelled "bgpvpn". The queens value references the misspelled pike key,
# so it resolves as written, but a lookup of bgpvpn_default_policy_pike or
# bgpvpn_default_policy_ocata would not find these maps. Confirm which
# spelling the consumers of these parameters use before renaming anything.
# "rule:admin_only" and "rule:admin_or_owner" are not defined in this map;
# presumably they come from the base Neutron policy - confirm.
92 bgppvn_default_policy_ocata: {}
93 bgppvn_default_policy_pike:
94 "create_bgpvpn": "rule:admin_only"
95 "create_bgpvpn_network_association": "rule:admin_or_owner"
96 "create_bgpvpn_port_association": "rule:admin_or_owner"
97 "create_bgpvpn_router_association": "rule:admin_or_owner"
98 "delete_bgpvpn": "rule:admin_only"
99 "delete_bgpvpn_network_association": "rule:admin_or_owner"
100 "delete_bgpvpn_port_association": "rule:admin_or_owner"
101 "delete_bgpvpn_router_association": "rule:admin_or_owner"
102 "get_bgpvpn": "rule:admin_or_owner"
# Attribute-level rules ("action:attribute"): route targets, route
# distinguishers and tenant_id are admin-only for both get and update, while
# the bgpvpn object itself is readable and updatable by its owner.
103 "get_bgpvpn:export_targets": "rule:admin_only"
104 "get_bgpvpn:import_targets": "rule:admin_only"
105 "get_bgpvpn:route_distinguishers": "rule:admin_only"
106 "get_bgpvpn:route_targets": "rule:admin_only"
107 "get_bgpvpn:tenant_id": "rule:admin_only"
108 "get_bgpvpn_network_association": "rule:admin_or_owner"
109 "get_bgpvpn_network_association:tenant_id": "rule:admin_only"
110 "get_bgpvpn_network_associations": "rule:admin_or_owner"
111 "get_bgpvpn_port_association": "rule:admin_or_owner"
112 "get_bgpvpn_port_association:tenant_id": "rule:admin_only"
113 "get_bgpvpn_port_associations": "rule:admin_or_owner"
114 "get_bgpvpn_router_association": "rule:admin_or_owner"
115 "get_bgpvpn_router_association:tenant_id": "rule:admin_only"
116 "get_bgpvpn_router_associations": "rule:admin_or_owner"
117 "update_bgpvpn": "rule:admin_or_owner"
118 "update_bgpvpn:export_targets": "rule:admin_only"
119 "update_bgpvpn:import_targets": "rule:admin_only"
120 "update_bgpvpn:route_distinguishers": "rule:admin_only"
121 "update_bgpvpn:route_targets": "rule:admin_only"
122 "update_bgpvpn:tenant_id": "rule:admin_only"
123 "update_bgpvpn_network_association": "rule:admin_or_owner"
124 "update_bgpvpn_port_association": "rule:admin_or_owner"
125 "update_bgpvpn_router_association": "rule:admin_or_owner"
126 bgpvpn_default_policy_queens: ${_param:bgppvn_default_policy_pike}
# Cinder (block storage) default policy maps. ocata is empty; queens reuses
# the pike map.
# An empty check string ("") always passes in oslo.policy, so entries with ""
# carry no role or ownership condition at the policy layer.
127 cinder_default_policy_ocata: {}
128 cinder_default_policy_pike:
# admin_api requires is_admin:True, or role:admin together with
# is_admin_project:True; role:admin alone is not sufficient.
129 "admin_api": "is_admin:True or (role:admin and is_admin_project:True)"
130 "admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"
131 "backup:backup-export": "rule:admin_api"
132 "backup:backup-import": "rule:admin_api"
133 "backup:backup_project_attribute": "rule:admin_api"
134 "backup:create": ""
135 "backup:delete": "rule:admin_or_owner"
136 "backup:get_all": "rule:admin_or_owner"
137 "backup:get": "rule:admin_or_owner"
138 "backup:restore": "rule:admin_or_owner"
139 "backup:update": "rule:admin_or_owner"
140 "clusters:get_all": "rule:admin_api"
141 "clusters:get": "rule:admin_api"
142 "clusters:update": "rule:admin_api"
# NOTE(review): "group:nobody" looks like a check that no ordinary credential
# satisfies, which would switch the consistency-group API off for every
# caller - confirm that is the intent.
143 "consistencygroup:create_cgsnapshot": "group:nobody"
144 "consistencygroup:create": "group:nobody"
145 "consistencygroup:delete_cgsnapshot": "group:nobody"
146 "consistencygroup:delete": "group:nobody"
147 "consistencygroup:get_all_cgsnapshots": "group:nobody"
148 "consistencygroup:get_all": "group:nobody"
149 "consistencygroup:get_cgsnapshot": "group:nobody"
150 "consistencygroup:get": "group:nobody"
151 "consistencygroup:update": "group:nobody"
# Fallback for any action not listed explicitly.
152 "default": "rule:admin_or_owner"
153 "group:access_group_types_specs": "rule:admin_api"
154 "group:create": ""
155 "group:create_group_snapshot": ""
156 "group:delete_group_snapshot": "rule:admin_or_owner"
157 "group:delete": "rule:admin_or_owner"
158 "group:disable_replication": "rule:admin_or_owner"
159 "group:enable_replication": "rule:admin_or_owner"
160 "group:failover_replication": "rule:admin_or_owner"
161 "group:get_all_group_snapshots": "rule:admin_or_owner"
162 "group:get_all": "rule:admin_or_owner"
163 "group:get_group_snapshot": "rule:admin_or_owner"
164 "group:get": "rule:admin_or_owner"
165 "group:group_type_access": "rule:admin_or_owner"
166 "group:group_types_manage": "rule:admin_api"
167 "group:group_types_specs": "rule:admin_api"
168 "group:list_replication_targets": "rule:admin_or_owner"
169 "group:reset_group_snapshot_status": "rule:admin_api"
170 "group:reset_status": "rule:admin_api"
171 "group:update_group_snapshot": "rule:admin_or_owner"
172 "group:update": "rule:admin_or_owner"
173 "message:delete": "rule:admin_or_owner"
174 "message:get_all": "rule:admin_or_owner"
175 "message:get": "rule:admin_or_owner"
176 "scheduler_extension:scheduler_stats:get_pools": "rule:admin_api"
177 "snapshot_extension:list_manageable": "rule:admin_api"
# NOTE(review): update_snapshot_status acts on an existing snapshot yet has an
# empty rule, unlike the other snapshot_extension entries here, which are
# admin_api - confirm the service applies its own ownership check.
178 "snapshot_extension:snapshot_actions:update_snapshot_status": ""
179 "snapshot_extension:snapshot_manage": "rule:admin_api"
180 "snapshot_extension:snapshot_unmanage": "rule:admin_api"
181 "volume:accept_transfer": ""
182 "volume:attachment_create": ""
183 "volume:attachment_delete": "rule:admin_or_owner"
184 "volume:attachment_update": "rule:admin_or_owner"
185 "volume:create": ""
186 "volume:create_from_image": ""
187 "volume:create_snapshot": "rule:admin_or_owner"
188 "volume:create_transfer": "rule:admin_or_owner"
189 "volume:create_volume_metadata": "rule:admin_or_owner"
190 "volume:delete": "rule:admin_or_owner"
191 "volume:delete_snapshot_metadata": "rule:admin_or_owner"
192 "volume:delete_snapshot": "rule:admin_or_owner"
193 "volume:delete_transfer": "rule:admin_or_owner"
194 "volume:delete_volume_metadata": "rule:admin_or_owner"
195 "volume:extend_attached_volume": "rule:admin_or_owner"
196 "volume:extend": "rule:admin_or_owner"
197 "volume_extension:access_types_extra_specs": "rule:admin_api"
198 "volume_extension:access_types_qos_specs_id": "rule:admin_api"
199 "volume_extension:backup_admin_actions:force_delete": "rule:admin_api"
200 "volume_extension:backup_admin_actions:reset_status": "rule:admin_api"
201 "volume_extension:capabilities": "rule:admin_api"
202 "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner"
203 "volume_extension:hosts": "rule:admin_api"
204 "volume_extension:list_manageable": "rule:admin_api"
205 "volume_extension:qos_specs_manage:create": "rule:admin_api"
206 "volume_extension:qos_specs_manage:delete": "rule:admin_api"
207 "volume_extension:qos_specs_manage:get_all": "rule:admin_api"
208 "volume_extension:qos_specs_manage:get": "rule:admin_api"
209 "volume_extension:qos_specs_manage:update": "rule:admin_api"
210 "volume_extension:quota_classes": "rule:admin_api"
211 "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api"
212 "volume_extension:quotas:delete": "rule:admin_api"
# quotas:show has an empty rule while quotas:update and quotas:delete are
# admin_api; presumably the service limits which project's quota a caller can
# read - confirm.
213 "volume_extension:quotas:show": ""
214 "volume_extension:quotas:update": "rule:admin_api"
215 "volume_extension:services:index": "rule:admin_api"
216 "volume_extension:services:update": "rule:admin_api"
217 "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api"
218 "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api"
219 "volume_extension:types_extra_specs:create": "rule:admin_api"
220 "volume_extension:types_extra_specs:delete": "rule:admin_api"
221 "volume_extension:types_extra_specs:index": "rule:admin_api"
222 "volume_extension:types_extra_specs:show": "rule:admin_api"
223 "volume_extension:types_extra_specs:update": "rule:admin_api"
224 "volume_extension:types_manage": "rule:admin_api"
225 "volume_extension:volume_actions:upload_image": "rule:admin_or_owner"
226 "volume_extension:volume_actions:upload_public": "rule:admin_api"
227 "volume_extension:volume_admin_actions:force_delete": "rule:admin_api"
228 "volume_extension:volume_admin_actions:force_detach": "rule:admin_api"
229 "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api"
230 "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api"
231 "volume_extension:volume_admin_actions:reset_status": "rule:admin_api"
232 "volume_extension:volume_encryption_metadata": "rule:admin_or_owner"
233 "volume_extension:volume_host_attribute": "rule:admin_api"
234 "volume_extension:volume_image_metadata": "rule:admin_or_owner"
235 "volume_extension:volume_manage": "rule:admin_api"
236 "volume_extension:volume_mig_status_attribute": "rule:admin_api"
237 "volume_extension:volume_tenant_attribute": "rule:admin_or_owner"
238 "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api"
239 "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api"
240 "volume_extension:volume_type_access": "rule:admin_or_owner"
241 "volume_extension:volume_type_encryption": "rule:admin_api"
242 "volume_extension:volume_unmanage": "rule:admin_api"
243 "volume:failover_host": "rule:admin_api"
244 "volume:force_delete": "rule:admin_api"
245 "volume:freeze_host": "rule:admin_api"
246 "volume:get_all": "rule:admin_or_owner"
247 "volume:get_all_snapshots": "rule:admin_or_owner"
248 "volume:get_all_transfers": "rule:admin_or_owner"
249 "volume:get": "rule:admin_or_owner"
250 "volume:get_snapshot_metadata": "rule:admin_or_owner"
251 "volume:get_snapshot": "rule:admin_or_owner"
252 "volume:get_transfer": "rule:admin_or_owner"
253 "volume:get_volume_admin_metadata": "rule:admin_api"
254 "volume:get_volume_metadata": "rule:admin_or_owner"
255 "volume:retype": "rule:admin_or_owner"
256 "volume:revert_to_snapshot": "rule:admin_or_owner"
257 "volume:thaw_host": "rule:admin_api"
258 "volume:update_readonly_flag": "rule:admin_or_owner"
259 "volume:update": "rule:admin_or_owner"
260 "volume:update_snapshot_metadata": "rule:admin_or_owner"
261 "volume:update_snapshot": "rule:admin_or_owner"
262 "volume:update_volume_admin_metadata": "rule:admin_api"
263 "volume:update_volume_metadata": "rule:admin_or_owner"
264 "workers:cleanup": "rule:admin_api"
265 cinder_default_policy_queens: ${_param:cinder_default_policy_pike}
# Designate (DNS) default policy maps. ocata is empty; the pike map carries a
# YAML anchor so that the queens map can merge it and override single keys.
# "@" always allows; "tenant:%(...)s" compares the caller's tenant with an
# attribute of the target.
266 designate_default_policy_ocata: {}
267 designate_default_policy_pike: &designate_default_policy_pike
268 "abandon_zone": "rule:admin"
# admin is satisfied by role:admin on any project, or by the is_admin flag.
269 "admin": "role:admin or is_admin:True"
270 "admin_or_owner": "rule:admin or rule:owner"
271 "admin_or_owner_or_target": "rule:owner_or_target or rule:admin"
272 "admin_or_target": "rule:admin or rule:target"
273 "all_tenants": "rule:admin"
274 "count_records": "rule:admin_or_owner"
275 "count_recordset": "rule:admin_or_owner"
276 "count_tenants": "rule:admin"
277 "count_zones": "rule:admin_or_owner"
278 "count_zones_pending_notify": "rule:admin_or_owner"
279 "create_blacklist": "rule:admin"
280 "create_pool": "rule:admin"
281 "create_record": "rule:admin_or_owner"
282 "create_recordset": "rule:zone_primary_or_admin"
283 "create_tld": "rule:admin"
284 "create_tsigkey": "rule:admin"
285 "create_zone": "rule:admin_or_owner"
286 "create_zone_export": "rule:admin_or_owner"
287 "create_zone_import": "rule:admin_or_owner"
# Besides admin/owner, this passes for the tenant the transfer targets, and
# also when the literal 'None' equals the rendered target_tenant_id -
# presumably a transfer request with no target tenant set; confirm.
288 "create_zone_transfer_accept": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s"
289 "create_zone_transfer_request": "rule:admin_or_owner"
290 "default": "rule:admin_or_owner"
291 "delete_blacklist": "rule:admin"
292 "delete_pool": "rule:admin"
293 "delete_record": "rule:admin_or_owner"
294 "delete_recordset": "rule:zone_primary_or_admin"
295 "delete_tld": "rule:admin"
296 "delete_tsigkey": "rule:admin"
297 "delete_zone": "rule:admin_or_owner"
298 "delete_zone_import": "rule:admin_or_owner"
299 "delete_zone_transfer_accept": "rule:admin"
300 "delete_zone_transfer_request": "rule:admin_or_owner"
301 "diagnostics_ping": "rule:admin"
302 "diagnostics_sync_record": "rule:admin"
303 "diagnostics_sync_zone": "rule:admin"
304 "diagnostics_sync_zones": "rule:admin"
305 "edit_managed_records": "rule:admin"
306 "find_blacklist": "rule:admin"
307 "find_blacklists": "rule:admin"
308 "find_pool": "rule:admin"
309 "find_pools": "rule:admin"
310 "find_record": "rule:admin_or_owner"
311 "find_records": "rule:admin_or_owner"
312 "find_recordset": "rule:admin_or_owner"
313 "find_recordsets": "rule:admin_or_owner"
314 "find_service_status": "rule:admin"
315 "find_service_statuses": "rule:admin"
316 "find_tenants": "rule:admin"
317 "find_tlds": "rule:admin"
318 "find_tsigkeys": "rule:admin"
319 "find_zone": "rule:admin_or_owner"
320 "find_zone_exports": "rule:admin_or_owner"
321 "find_zone_imports": "rule:admin_or_owner"
322 "find_zone_transfer_accept": "rule:admin"
323 "find_zone_transfer_accepts": "rule:admin"
# "@" always passes: listing transfer requests has no condition at the policy
# layer. Presumably the service filters what each tenant sees - confirm.
324 "find_zone_transfer_request": "@"
325 "find_zone_transfer_requests": "@"
326 "find_zones": "rule:admin_or_owner"
327 "get_blacklist": "rule:admin"
328 "get_pool": "rule:admin"
329 "get_quota": "rule:admin_or_owner"
330 "get_quotas": "rule:admin_or_owner"
331 "get_record": "rule:admin_or_owner"
332 "get_records": "rule:admin_or_owner"
333 "get_recordset": "rule:admin_or_owner"
334 "get_recordsets": "rule:admin_or_owner"
335 "get_tenant": "rule:admin"
336 "get_tld": "rule:admin"
337 "get_tsigkey": "rule:admin"
338 "get_zone": "rule:admin_or_owner"
339 "get_zone_export": "rule:admin_or_owner"
340 "get_zone_import": "rule:admin_or_owner"
341 "get_zone_servers": "rule:admin_or_owner"
342 "get_zone_transfer_accept": "rule:admin_or_owner"
343 "get_zone_transfer_request": "rule:admin_or_owner or tenant:%(target_tenant_id)s or None:%(target_tenant_id)s"
344 "get_zone_transfer_request_detailed": "rule:admin_or_owner"
345 "get_zones": "rule:admin_or_owner"
346 "owner": "tenant:%(tenant_id)s"
347 "owner_or_target": "rule:target or rule:owner"
# NOTE(review): the rule is named primary_zone but tests for SECONDARY. No
# entry visible in these maps references rule:primary_zone
# (zone_primary_or_admin spells its zone-type checks inline), so it appears
# unused here.
348 "primary_zone": "target.zone_type:SECONDARY"
349 "purge_zones": "rule:admin"
350 "reset_quotas": "rule:admin"
351 "set_quota": "rule:admin"
352 "target": "tenant:%(target_tenant_id)s"
353 "touch_zone": "rule:admin_or_owner"
354 "update_blacklist": "rule:admin"
355 "update_pool": "rule:admin"
356 "update_record": "rule:admin_or_owner"
357 "update_recordset": "rule:zone_primary_or_admin"
358 "update_service_service_status": "rule:admin"
359 "update_tld": "rule:admin"
360 "update_tsigkey": "rule:admin"
361 "update_zone": "rule:admin_or_owner"
362 "update_zone_export": "rule:admin_or_owner"
363 "update_zone_import": "rule:admin_or_owner"
364 "update_zone_transfer_accept": "rule:admin"
365 "update_zone_transfer_request": "rule:admin_or_owner"
# The use_* entries and zone_create_forced_pool are admin-only.
366 "use_blacklisted_zone": "rule:admin"
367 "use_low_ttl": "rule:admin"
368 "use_sudo": "rule:admin"
369 "xfr_zone": "rule:admin_or_owner"
370 "zone_create_forced_pool": "rule:admin"
371 "zone_export": "rule:admin_or_owner"
# Recordset changes: admin or owner on PRIMARY zones, and only is_admin:True
# on SECONDARY zones. The operators are written in mixed case (and/OR/AND).
372 "zone_primary_or_admin": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
# Queens: merge the pike map through the YAML merge key, then override.
# NOTE(review): keys written with no value (e.g. "create_record":) parse as
# null. Presumably the consuming template treats null as "drop this rule";
# confirm it is not rendered as an empty check string, which would always
# allow.
373 designate_default_policy_queens:
374 << : *designate_default_policy_pike
375 "create_record":
376 "create_recordset": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
377 "create_zone_transfer_accept": "rule:admin_or_owner OR tenant:%(target_tenant_id)s OR None:%(target_tenant_id)s"
378 "delete_record":
379 "delete_recordset": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
380 "find_record":
381 "find_records": "rule:admin_or_owner"
382 "find_recordset":
383 "find_recordsets":
384 "find_zone":
385 "get_record":
386 "get_records":
387 "get_zone_transfer_request": "rule:admin_or_owner OR tenant:%(target_tenant_id)s OR None:%(target_tenant_id)s"
388 "update_record":
389 "update_recordset": "('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)"
# update_service_status is added and update_service_service_status is set to
# null in the same override.
390 "update_service_status": "rule:admin"
391 "update_service_service_status":
# Glance (image service) default policy maps. ocata is empty; queens reuses
# the pike map.
# An empty check string ("") always passes in oslo.policy. Nearly every entry
# below is "", so this policy places no role condition on those actions; any
# ownership or visibility restriction has to come from the service itself.
# NOTE(review): that includes the image-location entries
# (get_image_location, set_image_location, delete_image_location) as well as
# copy_from, deactivate and reactivate - operators who expose image locations
# should decide whether these belong behind role:admin.
392 glance_default_policy_ocata: {}
393 glance_default_policy_pike:
394 "add_image": ""
395 "add_member": ""
396 "add_metadef_namespace": ""
397 "add_metadef_object": ""
398 "add_metadef_property": ""
399 "add_metadef_resource_type_association": ""
400 "add_metadef_tag": ""
401 "add_metadef_tags": ""
402 "add_task": ""
403 "communitize_image": ""
# context_is_admin is a bare role check with no project condition.
404 "context_is_admin": "role:admin"
405 "copy_from": ""
406 "deactivate": ""
# Actions not listed explicitly fall back to role:admin.
407 "default": "role:admin"
408 "delete_image": ""
409 "delete_image_location": ""
410 "delete_member": ""
411 "download_image": ""
412 "get_image": ""
413 "get_image_location": ""
414 "get_images": ""
415 "get_member": ""
416 "get_members": ""
417 "get_metadef_namespace": ""
418 "get_metadef_namespaces": ""
419 "get_metadef_object": ""
420 "get_metadef_objects": ""
421 "get_metadef_properties": ""
422 "get_metadef_property": ""
423 "get_metadef_resource_type": ""
424 "get_metadef_tag": ""
425 "get_metadef_tags": ""
426 "get_task": ""
427 "get_tasks": ""
428 "list_metadef_resource_types": ""
429 "manage_image_cache": "role:admin"
430 "modify_image": ""
431 "modify_member": ""
432 "modify_metadef_namespace": ""
433 "modify_metadef_object": ""
434 "modify_metadef_property": ""
435 "modify_metadef_tag": ""
436 "modify_task": ""
# Making an image public is admin-only, whereas communitize_image above is "".
437 "publicize_image": "role:admin"
438 "reactivate": ""
439 "set_image_location": ""
# tasks_api_access is admin-only even though the individual task entries
# (add_task, get_task, get_tasks, modify_task) are "".
440 "tasks_api_access": "role:admin"
441 "upload_image": ""
442 glance_default_policy_queens: ${_param:glance_default_policy_pike}
# Heat (orchestration) default policy maps. ocata is empty; queens reuses the
# pike map.
# Most entries use rule:deny_stack_user, i.e. any caller that does NOT hold
# the heat_stack_user role. "" always allows and "!" always denies.
# The entries left as "" (DescribeStackResource, PutMetricData,
# resource:metadata, resource:signal, software_deployments:metadata,
# stacks:lookup) are therefore the only ones a heat_stack_user can pass -
# presumably the calls made from inside stack instances; confirm.
443 heat_default_policy_ocata: {}
444 heat_default_policy_pike:
445 "actions:action": "rule:deny_stack_user"
446 "build_info:build_info": "rule:deny_stack_user"
447 "cloudformation:CancelUpdateStack": "rule:deny_stack_user"
448 "cloudformation:CreateStack": "rule:deny_stack_user"
449 "cloudformation:DeleteStack": "rule:deny_stack_user"
450 "cloudformation:DescribeStackEvents": "rule:deny_stack_user"
451 "cloudformation:DescribeStackResource": ""
452 "cloudformation:DescribeStackResources": "rule:deny_stack_user"
453 "cloudformation:DescribeStacks": "rule:deny_stack_user"
454 "cloudformation:EstimateTemplateCost": "rule:deny_stack_user"
455 "cloudformation:GetTemplate": "rule:deny_stack_user"
456 "cloudformation:ListStackResources": "rule:deny_stack_user"
457 "cloudformation:ListStacks": "rule:deny_stack_user"
458 "cloudformation:UpdateStack": "rule:deny_stack_user"
459 "cloudformation:ValidateTemplate": "rule:deny_stack_user"
460 "cloudwatch:DeleteAlarms": "rule:deny_stack_user"
461 "cloudwatch:DescribeAlarmHistory": "rule:deny_stack_user"
462 "cloudwatch:DescribeAlarms": "rule:deny_stack_user"
463 "cloudwatch:DescribeAlarmsForMetric": "rule:deny_stack_user"
464 "cloudwatch:DisableAlarmActions": "rule:deny_stack_user"
465 "cloudwatch:EnableAlarmActions": "rule:deny_stack_user"
466 "cloudwatch:GetMetricStatistics": "rule:deny_stack_user"
467 "cloudwatch:ListMetrics": "rule:deny_stack_user"
468 "cloudwatch:PutMetricAlarm": "rule:deny_stack_user"
469 "cloudwatch:PutMetricData": ""
470 "cloudwatch:SetAlarmState": "rule:deny_stack_user"
# context_is_admin needs role:admin AND is_admin_project:True, while
# project_admin further down is role:admin alone.
471 "context_is_admin": "role:admin and is_admin_project:True"
472 "deny_everybody": "!"
473 "deny_stack_user": "not role:heat_stack_user"
474 "events:index": "rule:deny_stack_user"
475 "events:show": "rule:deny_stack_user"
476 "project_admin": "role:admin"
477 "resource:index": "rule:deny_stack_user"
478 "resource:mark_unhealthy": "rule:deny_stack_user"
479 "resource:metadata": ""
480 "resource:show": "rule:deny_stack_user"
481 "resource:signal": ""
# resource_types:* entries: the listed resource types require project_admin
# (role:admin).
482 "resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin"
483 "resource_types:OS::Cinder::QoSAssociation": "rule:project_admin"
484 "resource_types:OS::Cinder::QoSSpecs": "rule:project_admin"
485 "resource_types:OS::Cinder::Quota": "rule:project_admin"
486 "resource_types:OS::Cinder::VolumeType": "rule:project_admin"
487 "resource_types:OS::Keystone::*": "rule:project_admin"
488 "resource_types:OS::Manila::ShareType": "rule:project_admin"
489 "resource_types:OS::Neutron::ProviderNet": "rule:project_admin"
490 "resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin"
491 "resource_types:OS::Neutron::QoSPolicy": "rule:project_admin"
492 "resource_types:OS::Neutron::Quota": "rule:project_admin"
493 "resource_types:OS::Neutron::Segment": "rule:project_admin"
494 "resource_types:OS::Nova::Flavor": "rule:project_admin"
495 "resource_types:OS::Nova::HostAggregate": "rule:project_admin"
496 "resource_types:OS::Nova::Quota": "rule:project_admin"
497 "service:index": "rule:context_is_admin"
498 "software_configs:create": "rule:deny_stack_user"
499 "software_configs:delete": "rule:deny_stack_user"
# global_index entries resolve to "!" and are denied to every caller under
# this policy.
500 "software_configs:global_index": "rule:deny_everybody"
501 "software_configs:index": "rule:deny_stack_user"
502 "software_configs:show": "rule:deny_stack_user"
503 "software_deployments:create": "rule:deny_stack_user"
504 "software_deployments:delete": "rule:deny_stack_user"
505 "software_deployments:index": "rule:deny_stack_user"
506 "software_deployments:metadata": ""
507 "software_deployments:show": "rule:deny_stack_user"
508 "software_deployments:update": "rule:deny_stack_user"
509 "stacks:abandon": "rule:deny_stack_user"
510 "stacks:create": "rule:deny_stack_user"
511 "stacks:delete": "rule:deny_stack_user"
512 "stacks:delete_snapshot": "rule:deny_stack_user"
513 "stacks:detail": "rule:deny_stack_user"
514 "stacks:environment": "rule:deny_stack_user"
515 "stacks:export": "rule:deny_stack_user"
516 "stacks:files": "rule:deny_stack_user"
517 "stacks:generate_template": "rule:deny_stack_user"
518 "stacks:global_index": "rule:deny_everybody"
519 "stacks:index": "rule:deny_stack_user"
520 "stacks:list_outputs": "rule:deny_stack_user"
521 "stacks:list_resource_types": "rule:deny_stack_user"
522 "stacks:list_snapshots": "rule:deny_stack_user"
523 "stacks:list_template_functions": "rule:deny_stack_user"
524 "stacks:list_template_versions": "rule:deny_stack_user"
525 "stacks:lookup": ""
526 "stacks:preview": "rule:deny_stack_user"
527 "stacks:preview_update": "rule:deny_stack_user"
528 "stacks:preview_update_patch": "rule:deny_stack_user"
529 "stacks:resource_schema": "rule:deny_stack_user"
530 "stacks:restore_snapshot": "rule:deny_stack_user"
531 "stacks:show": "rule:deny_stack_user"
532 "stacks:show_output": "rule:deny_stack_user"
533 "stacks:show_snapshot": "rule:deny_stack_user"
534 "stacks:snapshot": "rule:deny_stack_user"
535 "stacks:template": "rule:deny_stack_user"
536 "stacks:update": "rule:deny_stack_user"
537 "stacks:update_patch": "rule:deny_stack_user"
538 "stacks:validate_template": "rule:deny_stack_user"
539 heat_default_policy_queens: ${_param:heat_default_policy_pike}
# Ironic (bare metal) default policy maps. ocata is empty; the pike map is
# anchored so that queens can merge it and add the node-traits entries.
# "!" always denies; "rule:public_api" passes when is_public_api is True.
Ivan Berezovskiy4dd3be72020-03-26 20:25:52 +0400540 ironic_default_policy_ocata: {}
541 ironic_default_policy_pike: &ironic_default_policy_pike
# admin_api accepts either role name, with no project condition.
542 "admin_api": "role:admin or role:administrator"
543 "baremetal:chassis:create": "rule:is_admin"
544 "baremetal:chassis:delete": "rule:is_admin"
545 "baremetal:chassis:get": "rule:is_admin or rule:is_observer"
546 "baremetal:chassis:update": "rule:is_admin"
547 "baremetal:driver:get": "rule:is_admin or rule:is_observer"
548 "baremetal:driver:get_properties": "rule:is_admin or rule:is_observer"
549 "baremetal:driver:get_raid_logical_disk_properties": "rule:is_admin or rule:is_observer"
# ipa_lookup and ipa_heartbeat (further down) are the only entries gated on
# public_api rather than on a role. Presumably these are the agent-facing
# endpoints; restricting network access to them is left to the deployment -
# confirm.
550 "baremetal:driver:ipa_lookup": "rule:public_api"
551 "baremetal:driver:vendor_passthru": "rule:is_admin"
552 "baremetal:node:clear_maintenance": "rule:is_admin"
553 "baremetal:node:create": "rule:is_admin"
554 "baremetal:node:delete": "rule:is_admin"
555 "baremetal:node:get": "rule:is_admin or rule:is_observer"
556 "baremetal:node:get_boot_device": "rule:is_admin or rule:is_observer"
# Console access is admin-only; observers are not included.
557 "baremetal:node:get_console": "rule:is_admin"
558 "baremetal:node:get_states": "rule:is_admin or rule:is_observer"
559 "baremetal:node:inject_nmi": "rule:is_admin"
560 "baremetal:node:ipa_heartbeat": "rule:public_api"
561 "baremetal:node:set_boot_device": "rule:is_admin"
562 "baremetal:node:set_console_state": "rule:is_admin"
563 "baremetal:node:set_maintenance": "rule:is_admin"
564 "baremetal:node:set_power_state": "rule:is_admin"
565 "baremetal:node:set_provision_state": "rule:is_admin"
566 "baremetal:node:set_raid_state": "rule:is_admin"
567 "baremetal:node:update": "rule:is_admin"
568 "baremetal:node:validate": "rule:is_admin"
569 "baremetal:node:vendor_passthru": "rule:is_admin"
570 "baremetal:node:vif:attach": "rule:is_admin"
571 "baremetal:node:vif:detach": "rule:is_admin"
572 "baremetal:node:vif:list": "rule:is_admin"
573 "baremetal:port:create": "rule:is_admin"
574 "baremetal:port:delete": "rule:is_admin"
575 "baremetal:port:get": "rule:is_admin or rule:is_observer"
576 "baremetal:port:update": "rule:is_admin"
577 "baremetal:portgroup:create": "rule:is_admin"
578 "baremetal:portgroup:delete": "rule:is_admin"
579 "baremetal:portgroup:get": "rule:is_admin or rule:is_observer"
580 "baremetal:portgroup:update": "rule:is_admin"
581 "baremetal:volume:create": "rule:is_admin"
582 "baremetal:volume:delete": "rule:is_admin"
583 "baremetal:volume:get": "rule:is_admin or rule:is_observer"
584 "baremetal:volume:update": "rule:is_admin"
585 "is_admin": "rule:admin_api or (rule:is_member and role:baremetal_admin)"
# NOTE(review): is_member hard-codes the project names "demo" and "baremetal"
# in the default (or unset) domain. A baremetal_admin, observer or
# baremetal_observer role held on a project with one of those names therefore
# maps to Ironic admin/observer access; check that these names mean what is
# intended in the target cloud.
586 "is_member": "(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)"
587 "is_observer": "rule:is_member and (role:observer or role:baremetal_observer)"
588 "public_api": "is_public_api:True"
# Both entries are "!", i.e. denied to every caller including admins.
# Presumably this keeps passwords and instance secrets masked in API
# responses - confirm against the service.
589 "show_instance_secrets": "!"
590 "show_password": "!"
# Queens: the pike map merged via the YAML merge key, plus traits entries
# (list is open to observers, set and delete are admin-only).
591 ironic_default_policy_queens:
592 << : *ironic_default_policy_pike
593 "baremetal:node:traits:delete": "rule:is_admin"
594 "baremetal:node:traits:list": "rule:is_admin or rule:is_observer"
595 "baremetal:node:traits:set": "rule:is_admin"
Ivan Berezovskiy30d60742020-01-16 16:47:02 +0400596 keystone_default_policy_ocata: {}
# Keystone policy map for Pike, anchored as &keystone_default_policy_pike so the
# Queens map can merge it. Values are oslo.policy check strings.
# Review notes:
#  - An empty string "" is an always-true check: as far as this file is
#    concerned the call is open to every authenticated caller. Any ownership
#    test for those entries (trusts, auth catalog/projects/domains, regions)
#    would have to be enforced in Keystone's code -- confirm before relying on it.
#  - "admin_required" matches role:admin with no project or domain scope, so an
#    admin role assignment on any single project satisfies every
#    rule:admin_required entry in this map.
597 keystone_default_policy_pike: &keystone_default_policy_pike
598 "admin_or_owner": "rule:admin_required or rule:owner"
599 "admin_or_token_subject": "rule:admin_required or rule:token_subject"
# NOTE(review): is_admin:1 presumably corresponds to the bootstrap admin-token
# context -- confirm that path is disabled in production deployments.
600 "admin_required": "role:admin or is_admin:1"
601 "identity:add_endpoint_group_to_project": "rule:admin_required"
602 "identity:add_endpoint_to_project": "rule:admin_required"
603 "identity:add_user_to_group": "rule:admin_required"
604 "identity:authorize_request_token": "rule:admin_required"
605 "identity:check_endpoint_in_project": "rule:admin_required"
606 "identity:check_grant": "rule:admin_required"
607 "identity:check_implied_role": "rule:admin_required"
608 "identity:check_policy_association_for_endpoint": "rule:admin_required"
609 "identity:check_policy_association_for_region_and_service": "rule:admin_required"
610 "identity:check_policy_association_for_service": "rule:admin_required"
611 "identity:check_token": "rule:admin_or_token_subject"
612 "identity:check_user_in_group": "rule:admin_required"
613 "identity:create_consumer": "rule:admin_required"
614 "identity:create_credential": "rule:admin_required"
615 "identity:create_domain": "rule:admin_required"
616 "identity:create_domain_config": "rule:admin_required"
617 "identity:create_domain_role": "rule:admin_required"
618 "identity:create_endpoint": "rule:admin_required"
619 "identity:create_endpoint_group": "rule:admin_required"
620 "identity:create_grant": "rule:admin_required"
621 "identity:create_group": "rule:admin_required"
622 "identity:create_identity_provider": "rule:admin_required"
623 "identity:create_implied_role": "rule:admin_required"
624 "identity:create_mapping": "rule:admin_required"
625 "identity:create_policy": "rule:admin_required"
626 "identity:create_policy_association_for_endpoint": "rule:admin_required"
627 "identity:create_policy_association_for_region_and_service": "rule:admin_required"
628 "identity:create_policy_association_for_service": "rule:admin_required"
629 "identity:create_project": "rule:admin_required"
630 "identity:create_protocol": "rule:admin_required"
631 "identity:create_region": "rule:admin_required"
632 "identity:create_role": "rule:admin_required"
633 "identity:create_service": "rule:admin_required"
634 "identity:create_service_provider": "rule:admin_required"
# Only the trustor can create a trust: the caller's user_id must equal the
# trustor_user_id in the request. Note that admin is not an alternative here.
635 "identity:create_trust": "user_id:%(trust.trustor_user_id)s"
636 "identity:create_user": "rule:admin_required"
637 "identity:delete_access_token": "rule:admin_required"
638 "identity:delete_consumer": "rule:admin_required"
639 "identity:delete_credential": "rule:admin_required"
640 "identity:delete_domain": "rule:admin_required"
641 "identity:delete_domain_config": "rule:admin_required"
642 "identity:delete_domain_role": "rule:admin_required"
643 "identity:delete_endpoint": "rule:admin_required"
644 "identity:delete_endpoint_group": "rule:admin_required"
645 "identity:delete_group": "rule:admin_required"
646 "identity:delete_identity_provider": "rule:admin_required"
647 "identity:delete_implied_role": "rule:admin_required"
648 "identity:delete_mapping": "rule:admin_required"
649 "identity:delete_policy": "rule:admin_required"
650 "identity:delete_policy_association_for_endpoint": "rule:admin_required"
651 "identity:delete_policy_association_for_region_and_service": "rule:admin_required"
652 "identity:delete_policy_association_for_service": "rule:admin_required"
653 "identity:delete_project": "rule:admin_required"
654 "identity:delete_protocol": "rule:admin_required"
655 "identity:delete_region": "rule:admin_required"
656 "identity:delete_role": "rule:admin_required"
657 "identity:delete_service": "rule:admin_required"
658 "identity:delete_service_provider": "rule:admin_required"
# Always-true check on a destructive call: nothing in this file limits who may
# delete a trust -- verify the trustor/admin check exists in code.
659 "identity:delete_trust": ""
660 "identity:delete_user": "rule:admin_required"
661 "identity:ec2_create_credential": "rule:admin_or_owner"
# Non-admins must both pass rule:owner and be the user the stored credential
# belongs to (user_id compared with target.credential.user_id).
662 "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)"
663 "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)"
664 "identity:ec2_list_credentials": "rule:admin_or_owner"
665 "identity:get_access_token": "rule:admin_required"
666 "identity:get_access_token_role": "rule:admin_required"
# Always-true: every authenticated caller may query its own auth context.
667 "identity:get_auth_catalog": ""
668 "identity:get_auth_domains": ""
669 "identity:get_auth_projects": ""
670 "identity:get_consumer": "rule:admin_required"
671 "identity:get_credential": "rule:admin_required"
# Admin, or a token whose project's domain id equals the requested domain id.
672 "identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s"
673 "identity:get_domain_config": "rule:admin_required"
674 "identity:get_domain_config_default": "rule:admin_required"
675 "identity:get_domain_role": "rule:admin_required"
676 "identity:get_endpoint": "rule:admin_required"
677 "identity:get_endpoint_group": "rule:admin_required"
678 "identity:get_endpoint_group_in_project": "rule:admin_required"
679 "identity:get_group": "rule:admin_required"
680 "identity:get_identity_provider": "rule:admin_required"
681 "identity:get_implied_role": "rule:admin_required"
682 "identity:get_mapping": "rule:admin_required"
683 "identity:get_policy": "rule:admin_required"
684 "identity:get_policy_for_endpoint": "rule:admin_required"
# Admin, or a token scoped to the project being read.
685 "identity:get_project": "rule:admin_required or project_id:%(target.project.id)s"
686 "identity:get_protocol": "rule:admin_required"
687 "identity:get_region": ""
688 "identity:get_role": "rule:admin_required"
689 "identity:get_role_for_trust": ""
690 "identity:get_security_compliance_domain_config": ""
691 "identity:get_service": "rule:admin_required"
692 "identity:get_service_provider": "rule:admin_required"
693 "identity:get_trust": ""
694 "identity:get_user": "rule:admin_or_owner"
695 "identity:list_access_token_roles": "rule:admin_required"
696 "identity:list_access_tokens": "rule:admin_required"
697 "identity:list_consumers": "rule:admin_required"
698 "identity:list_credentials": "rule:admin_required"
699 "identity:list_domain_roles": "rule:admin_required"
700 "identity:list_domains": "rule:admin_required"
701 "identity:list_domains_for_user": ""
702 "identity:list_endpoint_groups": "rule:admin_required"
703 "identity:list_endpoint_groups_for_project": "rule:admin_required"
704 "identity:list_endpoints": "rule:admin_required"
705 "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required"
706 "identity:list_endpoints_for_policy": "rule:admin_required"
707 "identity:list_endpoints_for_project": "rule:admin_required"
708 "identity:list_grants": "rule:admin_required"
709 "identity:list_groups": "rule:admin_required"
710 "identity:list_groups_for_user": "rule:admin_or_owner"
711 "identity:list_identity_providers": "rule:admin_required"
712 "identity:list_implied_roles": "rule:admin_required"
713 "identity:list_mappings": "rule:admin_required"
714 "identity:list_policies": "rule:admin_required"
715 "identity:list_projects": "rule:admin_required"
716 "identity:list_projects_associated_with_endpoint_group": "rule:admin_required"
717 "identity:list_projects_for_endpoint": "rule:admin_required"
718 "identity:list_projects_for_user": ""
719 "identity:list_protocols": "rule:admin_required"
720 "identity:list_regions": ""
721 "identity:list_revoke_events": "rule:service_or_admin"
722 "identity:list_role_assignments": "rule:admin_required"
723 "identity:list_role_assignments_for_tree": "rule:admin_required"
724 "identity:list_role_inference_rules": "rule:admin_required"
725 "identity:list_roles": "rule:admin_required"
726 "identity:list_roles_for_trust": ""
727 "identity:list_service_providers": "rule:admin_required"
728 "identity:list_services": "rule:admin_required"
729 "identity:list_trusts": ""
730 "identity:list_user_projects": "rule:admin_or_owner"
731 "identity:list_users": "rule:admin_required"
732 "identity:list_users_in_group": "rule:admin_required"
733 "identity:remove_endpoint_from_project": "rule:admin_required"
734 "identity:remove_endpoint_group_from_project": "rule:admin_required"
735 "identity:remove_user_from_group": "rule:admin_required"
736 "identity:revocation_list": "rule:service_or_admin"
737 "identity:revoke_grant": "rule:admin_required"
738 "identity:revoke_token": "rule:admin_or_token_subject"
739 "identity:update_consumer": "rule:admin_required"
740 "identity:update_credential": "rule:admin_required"
741 "identity:update_domain": "rule:admin_required"
742 "identity:update_domain_config": "rule:admin_required"
743 "identity:update_domain_role": "rule:admin_required"
744 "identity:update_endpoint": "rule:admin_required"
745 "identity:update_endpoint_group": "rule:admin_required"
746 "identity:update_group": "rule:admin_required"
747 "identity:update_identity_provider": "rule:admin_required"
748 "identity:update_mapping": "rule:admin_required"
749 "identity:update_policy": "rule:admin_required"
750 "identity:update_project": "rule:admin_required"
751 "identity:update_protocol": "rule:admin_required"
752 "identity:update_region": "rule:admin_required"
753 "identity:update_role": "rule:admin_required"
754 "identity:update_service": "rule:admin_required"
755 "identity:update_service_provider": "rule:admin_required"
756 "identity:update_user": "rule:admin_required"
# Token validation: holders of role:service, admins, or the user the token was
# issued to. The HEAD variant omits the token-subject alternative.
757 "identity:validate_token": "rule:service_admin_or_token_subject"
758 "identity:validate_token_head": "rule:service_or_admin"
# Helper rules referenced by the entries above.
# owner: caller's user_id equals the user_id of the target.
759 "owner": "user_id:%(user_id)s"
760 "service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject"
761 "service_or_admin": "rule:admin_required or rule:service_role"
762 "service_role": "role:service"
# token_subject: caller is the user the target token belongs to.
763 "token_subject": "user_id:%(target.token.user_id)s"
# Keystone policy map for Queens: merges the Pike map through the YAML merge key
# and adds the entries new in this map (system grants, application credentials,
# limits and registered limits, project tags). Keys written here take precedence
# over the same key coming from the merged map.
# Review notes:
#  - Application-credential calls use rule:admin_or_owner; the limit and
#    registered-limit reads and get_auth_system are "" (always-true, any
#    authenticated caller), while every write is rule:admin_required.
764 keystone_default_policy_queens:
765 << : *keystone_default_policy_pike
766 "identity:check_system_grant_for_group": "rule:admin_required"
767 "identity:check_system_grant_for_user": "rule:admin_required"
768 "identity:create_application_credential": "rule:admin_or_owner"
769 "identity:create_limits": "rule:admin_required"
770 "identity:create_project_tag": "rule:admin_required"
771 "identity:create_registered_limits": "rule:admin_required"
772 "identity:create_system_grant_for_group": "rule:admin_required"
773 "identity:create_system_grant_for_user": "rule:admin_required"
774 "identity:delete_application_credential": "rule:admin_or_owner"
775 "identity:delete_limit": "rule:admin_required"
776 "identity:delete_project_tag": "rule:admin_required"
777 "identity:delete_project_tags": "rule:admin_required"
778 "identity:delete_registered_limit": "rule:admin_required"
779 "identity:get_application_credential": "rule:admin_or_owner"
780 "identity:get_auth_system": ""
781 "identity:get_limit": ""
# Project tags are readable by admin or by a token scoped to that project.
782 "identity:get_project_tag": "rule:admin_required or project_id:%(target.project.id)s"
783 "identity:get_registered_limit": ""
784 "identity:list_application_credentials": "rule:admin_or_owner"
785 "identity:list_limits": ""
786 "identity:list_project_tags": "rule:admin_required or project_id:%(target.project.id)s"
787 "identity:list_registered_limits": ""
788 "identity:list_system_grants_for_group": "rule:admin_required"
789 "identity:list_system_grants_for_user": "rule:admin_required"
790 "identity:revoke_system_grant_for_group": "rule:admin_required"
791 "identity:revoke_system_grant_for_user": "rule:admin_required"
792 "identity:update_limits": "rule:admin_required"
793 "identity:update_project_tags": "rule:admin_required"
794 "identity:update_registered_limits": "rule:admin_required"
# The value is left empty (YAML null), which replaces the Pike value
# "rule:service_or_admin" for this key.
# NOTE(review): presumably this is meant to drop the rule for Queens -- confirm
# how the consumer renders a null, so it does not end up as an always-true "".
795 "identity:validate_token_head":
# Ocata: empty map, so no Manila policy entries are set from this parameter.
# NOTE(review): presumably the service then runs on its packaged/in-code
# defaults -- confirm against the consumer of this parameter.
796 manila_default_policy_ocata: {}
# Manila (shared file systems) policy map for Pike. Values are oslo.policy
# check strings.
# Review notes:
#  - Tenant-facing entries point at rule:default, which resolves to
#    rule:admin_or_owner: is_admin:True, or a caller whose project_id equals the
#    project_id of the target.
#  - Operator actions (force_delete, reset_status, manage/unmanage, migration,
#    share servers, share instances, type and quota administration) are
#    rule:admin_api, i.e. is_admin:True.
#  - "share:create" is "" -- an always-true check, open to every authenticated
#    caller.
797 manila_default_policy_pike:
798 "admin_api": "is_admin:True"
799 "admin_or_owner": "is_admin:True or project_id:%(project_id)s"
800 "availability_zone:index": "rule:default"
# NOTE(review): presumably this is the rule that decides when the request
# context gets is_admin set -- confirm; if so, role:admin on any project
# satisfies every rule:admin_api entry in this map.
801 "context_is_admin": "role:admin"
802 "default": "rule:admin_or_owner"
803 "message:delete": "rule:default"
804 "message:get_all": "rule:default"
805 "message:get": "rule:default"
806 "quota_class_set:show": "rule:default"
807 "quota_class_set:update": "rule:admin_api"
808 "quota_set:delete": "rule:admin_api"
809 "quota_set:show": "rule:default"
810 "quota_set:update": "rule:admin_api"
811 "scheduler_stats:pools:detail": "rule:admin_api"
812 "scheduler_stats:pools:index": "rule:admin_api"
813 "security_service:create": "rule:default"
814 "security_service:delete": "rule:default"
815 "security_service:detail": "rule:default"
816 "security_service:get_all_security_services": "rule:admin_api"
817 "security_service:index": "rule:default"
818 "security_service:show": "rule:default"
819 "security_service:update": "rule:default"
820 "service:index": "rule:admin_api"
821 "service:update": "rule:admin_api"
822 "share:access_get_all": "rule:default"
823 "share:access_get": "rule:default"
824 "share:allow_access": "rule:default"
# Always-true: the only share:* entry in this map with no rule at all.
825 "share:create": ""
826 "share:create_snapshot": "rule:default"
827 "share:delete": "rule:default"
828 "share:delete_share_metadata": "rule:default"
829 "share:delete_snapshot": "rule:default"
830 "share:deny_access": "rule:default"
831 "share_export_location:index": "rule:default"
832 "share_export_location:show": "rule:default"
833 "share:extend": "rule:default"
834 "share:force_delete": "rule:admin_api"
835 "share:get_all": "rule:default"
836 "share:get": "rule:default"
837 "share:get_share_metadata": "rule:default"
838 "share_group:create": "rule:default"
839 "share_group:delete": "rule:default"
840 "share_group:force_delete": "rule:admin_api"
841 "share_group:get_all": "rule:default"
842 "share_group:get": "rule:default"
843 "share_group:reset_status": "rule:admin_api"
844 "share_group_snapshot:create": "rule:default"
845 "share_group_snapshot:delete": "rule:default"
846 "share_group_snapshot:force_delete": "rule:admin_api"
847 "share_group_snapshot:get_all": "rule:default"
848 "share_group_snapshot:get": "rule:default"
849 "share_group_snapshot:reset_status": "rule:admin_api"
850 "share_group_snapshot:update": "rule:default"
851 "share_group_type:add_project_access": "rule:admin_api"
852 "share_group_type:create": "rule:admin_api"
853 "share_group_type:default": "rule:default"
854 "share_group_type:delete": "rule:admin_api"
855 "share_group_type:index": "rule:default"
856 "share_group_type:list_project_access": "rule:admin_api"
857 "share_group_type:remove_project_access": "rule:admin_api"
858 "share_group_type:show": "rule:default"
859 "share_group_types_spec:create": "rule:admin_api"
860 "share_group_types_spec:delete": "rule:admin_api"
861 "share_group_types_spec:index": "rule:admin_api"
862 "share_group_types_spec:show": "rule:admin_api"
863 "share_group_types_spec:update": "rule:admin_api"
864 "share_group:update": "rule:default"
865 "share_instance_export_location:index": "rule:admin_api"
866 "share_instance_export_location:show": "rule:admin_api"
867 "share_instance:force_delete": "rule:admin_api"
868 "share_instance:index": "rule:admin_api"
869 "share_instance:reset_status": "rule:admin_api"
870 "share_instance:show": "rule:admin_api"
871 "share:list_by_host": "rule:admin_api"
872 "share:list_by_share_server_id": "rule:admin_api"
873 "share:manage": "rule:admin_api"
874 "share:migration_cancel": "rule:admin_api"
875 "share:migration_complete": "rule:admin_api"
876 "share:migration_get_progress": "rule:admin_api"
877 "share:migration_start": "rule:admin_api"
878 "share_network:add_security_service": "rule:default"
879 "share_network:create": "rule:default"
880 "share_network:delete": "rule:default"
881 "share_network:detail": "rule:default"
882 "share_network:get_all_share_networks": "rule:admin_api"
883 "share_network:index": "rule:default"
884 "share_network:remove_security_service": "rule:default"
885 "share_network:show": "rule:default"
886 "share_network:update": "rule:default"
887 "share_replica:create": "rule:default"
888 "share_replica:delete": "rule:default"
889 "share_replica:force_delete": "rule:admin_api"
890 "share_replica:get_all": "rule:default"
891 "share_replica:promote": "rule:default"
892 "share_replica:reset_replica_state": "rule:admin_api"
893 "share_replica:reset_status": "rule:admin_api"
894 "share_replica:resync": "rule:admin_api"
895 "share_replica:show": "rule:default"
896 "share:reset_status": "rule:admin_api"
897 "share:reset_task_state": "rule:admin_api"
898 "share:revert_to_snapshot": "rule:default"
899 "share_server:delete": "rule:admin_api"
900 "share_server:details": "rule:admin_api"
901 "share_server:index": "rule:admin_api"
902 "share_server:show": "rule:admin_api"
903 "share:shrink": "rule:default"
904 "share_snapshot:access_list": "rule:default"
905 "share_snapshot:allow_access": "rule:default"
906 "share_snapshot:deny_access": "rule:default"
907 "share_snapshot_export_location:index": "rule:default"
908 "share_snapshot_export_location:show": "rule:default"
909 "share_snapshot:force_delete": "rule:admin_api"
910 "share_snapshot:get_all_snapshots": "rule:default"
911 "share_snapshot:get_snapshot": "rule:default"
912 "share_snapshot_instance:detail": "rule:admin_api"
913 "share_snapshot_instance_export_location:index": "rule:admin_api"
914 "share_snapshot_instance_export_location:show": "rule:admin_api"
915 "share_snapshot_instance:index": "rule:admin_api"
916 "share_snapshot_instance:reset_status": "rule:admin_api"
917 "share_snapshot_instance:show": "rule:admin_api"
918 "share_snapshot:manage_snapshot": "rule:admin_api"
919 "share_snapshot:reset_status": "rule:admin_api"
920 "share_snapshot:unmanage_snapshot": "rule:admin_api"
921 "share:snapshot_update": "rule:default"
922 "share_type:add_project_access": "rule:admin_api"
923 "share_type:create": "rule:admin_api"
924 "share_type:default": "rule:default"
925 "share_type:delete": "rule:admin_api"
926 "share_type:index": "rule:default"
927 "share_type:list_project_access": "rule:admin_api"
928 "share_type:remove_project_access": "rule:admin_api"
929 "share_types_extra_spec:create": "rule:admin_api"
930 "share_types_extra_spec:delete": "rule:admin_api"
931 "share_types_extra_spec:index": "rule:admin_api"
932 "share_types_extra_spec:show": "rule:admin_api"
933 "share_types_extra_spec:update": "rule:admin_api"
934 "share_type:show": "rule:default"
935 "share:unmanage": "rule:admin_api"
936 "share:update": "rule:default"
937 "share:update_share_metadata": "rule:default"
# Queens points at the Pike Manila map through a ${_param:...} reference rather
# than a YAML anchor, so no Queens-specific entries are added here.
# NOTE(review): looks like reclass-style interpolation, resolved by the tool
# that loads this file -- confirm.
938 manila_default_policy_queens: ${_param:manila_default_policy_pike}
# Ocata: empty map, so no Neutron policy entries are set from this parameter.
# NOTE(review): presumably the service then runs on its packaged/in-code
# defaults -- confirm against the consumer of this parameter.
939 neutron_default_policy_ocata: {}
# Neutron policy map for Pike, anchored as &neutron_default_policy_pike so the
# Queens map can merge it. Values are oslo.policy check strings.
# Review notes:
#  - Keys of the form "<action>:<attribute>" (e.g. "create_network:shared")
#    gate a single attribute of the request or response; the bare "<action>" key
#    gates the call itself.
#  - "" is an always-true check. "regular_user" is defined as "", so every
#    rule:regular_user entry, like the bare create_network / create_port /
#    create_subnetpool / create_address_scope / create_rbac_policy entries, is
#    open to any authenticated caller; the sensitive attributes on those calls
#    are restricted separately.
#  - "context_is_admin" is role:admin with no project scope, so an admin role
#    on any project satisfies rule:admin_only.
940 neutron_default_policy_pike: &neutron_default_policy_pike
941 "add_router_interface": "rule:admin_or_owner"
942 "add_subports": "rule:admin_or_owner"
943 "admin_only": "rule:context_is_admin"
944 "admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator"
# Admin, or the tenant that owns the network the resource is attached to.
945 "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s"
946 "admin_or_owner": "rule:context_is_admin or rule:owner"
947 "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner"
948 "context_is_admin": "role:admin"
949 "context_is_advsvc": "role:advsvc"
950 "create_address_scope": ""
951 "create_address_scope:shared": "rule:admin_only"
952 "create_dhcp-network": "rule:admin_only"
953 "create_flavor": "rule:admin_only"
954 "create_flavor_service_profile": "rule:admin_only"
955 "create_floatingip": "rule:regular_user"
956 "create_floatingip:floating_ip_address": "rule:admin_only"
957 "create_l3-router": "rule:admin_only"
958 "create_log": "rule:admin_only"
959 "create_lsn": "rule:admin_only"
960 "create_metering_label": "rule:admin_only"
961 "create_metering_label_rule": "rule:admin_only"
# Any authenticated caller may create a network; the provider, external,
# shared, segments and is_default attributes below are admin-only.
962 "create_network": ""
963 "create_network:is_default": "rule:admin_only"
964 "create_network:provider:network_type": "rule:admin_only"
965 "create_network:provider:physical_network": "rule:admin_only"
966 "create_network:provider:segmentation_id": "rule:admin_only"
967 "create_network:router:external": "rule:admin_only"
968 "create_network:segments": "rule:admin_only"
969 "create_network:shared": "rule:admin_only"
970 "create_network_profile": "rule:admin_only"
971 "create_policy": "rule:admin_only"
972 "create_policy_bandwidth_limit_rule": "rule:admin_only"
973 "create_policy_dscp_marking_rule": "rule:admin_only"
974 "create_policy_minimum_bandwidth_rule": "rule:admin_only"
975 "create_port": ""
976 "create_port:allowed_address_pairs": "rule:admin_or_network_owner"
977 "create_port:binding:host_id": "rule:admin_only"
978 "create_port:binding:profile": "rule:admin_only"
# Passes when device_owner does not start with "network:" (see network_device);
# a "network:*" owner needs advsvc, admin or the network owner.
979 "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner"
# Address, MAC and port-security attributes on a new port are limited to
# advsvc, admin or the network owner.
980 "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner"
981 "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
982 "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
983 "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
984 "create_qos_queue": "rule:admin_only"
985 "create_rbac_policy": ""
986 "create_rbac_policy:target_tenant": "rule:restrict_wildcard"
987 "create_router": "rule:regular_user"
988 "create_router:distributed": "rule:admin_only"
989 "create_router:external_gateway_info:enable_snat": "rule:admin_only"
990 "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only"
991 "create_router:ha": "rule:admin_only"
992 "create_security_group": "rule:admin_or_owner"
993 "create_security_group_rule": "rule:admin_or_owner"
994 "create_segment": "rule:admin_only"
995 "create_service_profile": "rule:admin_only"
996 "create_subnet": "rule:admin_or_network_owner"
997 "create_subnet:segment_id": "rule:admin_only"
998 "create_subnet:service_types": "rule:admin_only"
999 "create_subnetpool": ""
1000 "create_subnetpool:is_default": "rule:admin_only"
1001 "create_subnetpool:shared": "rule:admin_only"
1002 "create_trunk": "rule:regular_user"
1003 "default": "rule:admin_or_owner"
1004 "delete_address_scope": "rule:admin_or_owner"
1005 "delete_agent": "rule:admin_only"
1006 "delete_dhcp-network": "rule:admin_only"
1007 "delete_flavor": "rule:admin_only"
1008 "delete_flavor_service_profile": "rule:admin_only"
1009 "delete_floatingip": "rule:admin_or_owner"
1010 "delete_l3-router": "rule:admin_only"
1011 "delete_log": "rule:admin_only"
1012 "delete_metering_label": "rule:admin_only"
1013 "delete_metering_label_rule": "rule:admin_only"
1014 "delete_network": "rule:admin_or_owner"
1015 "delete_network_profile": "rule:admin_only"
1016 "delete_policy": "rule:admin_only"
1017 "delete_policy_bandwidth_limit_rule": "rule:admin_only"
1018 "delete_policy_dscp_marking_rule": "rule:admin_only"
1019 "delete_policy_minimum_bandwidth_rule": "rule:admin_only"
1020 "delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner"
1021 "delete_rbac_policy": "rule:admin_or_owner"
1022 "delete_router": "rule:admin_or_owner"
1023 "delete_security_group": "rule:admin_or_owner"
1024 "delete_security_group_rule": "rule:admin_or_owner"
1025 "delete_segment": "rule:admin_only"
1026 "delete_service_profile": "rule:admin_only"
1027 "delete_subnet": "rule:admin_or_network_owner"
1028 "delete_subnetpool": "rule:admin_or_owner"
1029 "delete_trunk": "rule:admin_or_owner"
# field: checks test an attribute of the target resource, not of the caller.
1030 "external": "field:networks:router:external=True"
1031 "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes"
1032 "get_agent": "rule:admin_only"
1033 "get_agent-loadbalancers": "rule:admin_only"
1034 "get_auto_allocated_topology": "rule:admin_or_owner"
1035 "get_dhcp-agents": "rule:admin_only"
1036 "get_dhcp-networks": "rule:admin_only"
1037 "get_flavor": "rule:regular_user"
1038 "get_flavor_service_profile": "rule:regular_user"
1039 "get_flavors": "rule:regular_user"
1040 "get_floatingip": "rule:admin_or_owner"
1041 "get_l3-agents": "rule:admin_only"
1042 "get_l3-routers": "rule:admin_only"
1043 "get_loadbalancer-agent": "rule:admin_only"
1044 "get_loadbalancer-hosting-agent": "rule:admin_only"
1045 "get_loadbalancer-pools": "rule:admin_only"
1046 "get_log": "rule:admin_only"
1047 "get_loggable_resources": "rule:admin_only"
1048 "get_logs": "rule:admin_only"
1049 "get_lsn": "rule:admin_only"
1050 "get_metering_label": "rule:admin_only"
1051 "get_metering_label_rule": "rule:admin_only"
# Shared and external networks are readable across tenants; the provider,
# queue_id and segments attributes stay admin-only.
1052 "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc"
1053 "get_network:provider:network_type": "rule:admin_only"
1054 "get_network:provider:physical_network": "rule:admin_only"
1055 "get_network:provider:segmentation_id": "rule:admin_only"
1056 "get_network:queue_id": "rule:admin_only"
1057 "get_network:router:external": "rule:regular_user"
1058 "get_network:segments": "rule:admin_only"
1059 "get_network_ip_availabilities": "rule:admin_only"
1060 "get_network_ip_availability": "rule:admin_only"
1061 "get_network_profile": ""
1062 "get_network_profiles": ""
1063 "get_policy": "rule:regular_user"
1064 "get_policy_bandwidth_limit_rule": "rule:regular_user"
1065 "get_policy_dscp_marking_rule": "rule:regular_user"
1066 "get_policy_minimum_bandwidth_rule": "rule:regular_user"
1067 "get_policy_profile": ""
1068 "get_policy_profiles": ""
1069 "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner"
# Binding details (host, profile, VIF type/details) are visible to admins only.
1070 "get_port:binding:host_id": "rule:admin_only"
1071 "get_port:binding:profile": "rule:admin_only"
1072 "get_port:binding:vif_details": "rule:admin_only"
1073 "get_port:binding:vif_type": "rule:admin_only"
1074 "get_port:queue_id": "rule:admin_only"
1075 "get_qos_queue": "rule:admin_only"
1076 "get_rbac_policy": "rule:admin_or_owner"
1077 "get_router": "rule:admin_or_owner"
1078 "get_router:distributed": "rule:admin_only"
1079 "get_router:ha": "rule:admin_only"
1080 "get_rule_type": "rule:regular_user"
1081 "get_security_group": "rule:admin_or_owner"
1082 "get_security_group_rule": "rule:admin_or_owner"
1083 "get_security_group_rules": "rule:admin_or_owner"
1084 "get_security_groups": "rule:admin_or_owner"
1085 "get_segment": "rule:admin_only"
1086 "get_service_profile": "rule:admin_only"
1087 "get_service_profiles": "rule:admin_only"
1088 "get_service_provider": "rule:regular_user"
1089 "get_subnet": "rule:admin_or_owner or rule:shared"
1090 "get_subnet:segment_id": "rule:admin_only"
1091 "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools"
1092 "get_subports": ""
1093 "get_trunk": "rule:admin_or_owner"
# True when the port's device_owner matches the regex ^network: .
1094 "network_device": "field:port:device_owner=~^network:"
1095 "owner": "tenant_id:%(tenant_id)s"
# Always-true check: rule:regular_user places no restriction on the caller.
1096 "regular_user": ""
1097 "remove_router_interface": "rule:admin_or_owner"
1098 "remove_subports": "rule:admin_or_owner"
# Sharing with every tenant (target_tenant=*) is reserved for admins.
1099 "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
1100 "shared": "field:networks:shared=True"
1101 "shared_address_scopes": "field:address_scopes:shared=True"
1102 "shared_subnetpools": "field:subnetpools:shared=True"
1103 "update_address_scope": "rule:admin_or_owner"
1104 "update_address_scope:shared": "rule:admin_only"
1105 "update_agent": "rule:admin_only"
1106 "update_flavor": "rule:admin_only"
1107 "update_floatingip": "rule:admin_or_owner"
1108 "update_log": "rule:admin_only"
1109 "update_network": "rule:admin_or_owner"
1110 "update_network:provider:network_type": "rule:admin_only"
1111 "update_network:provider:physical_network": "rule:admin_only"
1112 "update_network:provider:segmentation_id": "rule:admin_only"
1113 "update_network:router:external": "rule:admin_only"
1114 "update_network:segments": "rule:admin_only"
1115 "update_network:shared": "rule:admin_only"
1116 "update_network_profile": "rule:admin_only"
1117 "update_policy": "rule:admin_only"
1118 "update_policy_bandwidth_limit_rule": "rule:admin_only"
1119 "update_policy_dscp_marking_rule": "rule:admin_only"
1120 "update_policy_minimum_bandwidth_rule": "rule:admin_only"
1121 "update_policy_profiles": "rule:admin_only"
1122 "update_port": "rule:admin_or_owner or rule:context_is_advsvc"
1123 "update_port:allowed_address_pairs": "rule:admin_or_network_owner"
1124 "update_port:binding:host_id": "rule:admin_only"
1125 "update_port:binding:profile": "rule:admin_only"
1126 "update_port:data_plane_status": "rule:admin_or_data_plane_int"
1127 "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner"
1128 "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner"
# Stricter than create_port:mac_address: on update the network owner is not
# enough, only admin or advsvc may change a port's MAC address.
1129 "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc"
1130 "update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
1131 "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
1132 "update_rbac_policy": "rule:admin_or_owner"
1133 "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner"
1134 "update_router": "rule:admin_or_owner"
1135 "update_router:distributed": "rule:admin_only"
1136 "update_router:external_gateway_info": "rule:admin_or_owner"
1137 "update_router:external_gateway_info:enable_snat": "rule:admin_only"
1138 "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only"
1139 "update_router:external_gateway_info:network_id": "rule:admin_or_owner"
1140 "update_router:ha": "rule:admin_only"
1141 "update_security_group": "rule:admin_or_owner"
1142 "update_segment": "rule:admin_only"
1143 "update_service_profile": "rule:admin_only"
1144 "update_subnet": "rule:admin_or_network_owner"
1145 "update_subnet:service_types": "rule:admin_only"
1146 "update_subnetpool": "rule:admin_or_owner"
1147 "update_subnetpool:is_default": "rule:admin_only"
# Neutron policy map for Queens: merges the Pike map through the YAML merge key,
# then adds per-field rules for allowed_address_pairs, fixed_ips and the router
# external gateway. Keys written here take precedence over the same key coming
# from the merged map, so create_port:fixed_ips and update_port:fixed_ips
# replace their Pike values.
# Review note: compared with Pike, fixed_ips and fixed_ips:subnet_id gain
# "or rule:shared", so on a shared network any tenant may pass them; choosing a
# specific fixed_ips:ip_address still needs advsvc, admin or the network owner.
1148 neutron_default_policy_queens:
1149 << : *neutron_default_policy_pike
1150 "create_port:allowed_address_pairs:ip_address": "rule:admin_or_network_owner"
1151 "create_port:allowed_address_pairs:mac_address": "rule:admin_or_network_owner"
1152 "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
1153 "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
1154 "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
1155 "create_router:external_gateway_info": "rule:admin_or_owner"
1156 "create_router:external_gateway_info:network_id": "rule:admin_or_owner"
1157 "update_port:allowed_address_pairs:ip_address": "rule:admin_or_network_owner"
1158 "update_port:allowed_address_pairs:mac_address": "rule:admin_or_network_owner"
1159 "update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
1160 "update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
1161 "update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
# Ocata: empty map, so no Nova policy entries are set from this parameter.
# NOTE(review): presumably the service then runs on its packaged/in-code
# defaults -- confirm against the consumer of this parameter.
1162 nova_default_policy_ocata: {}
1163 nova_default_policy_pike: &nova_default_policy_pike
1164 "admin_api": "is_admin:True"
1165 "admin_or_owner": "is_admin:True or project_id:%(project_id)s"
1166 "cells_scheduler_filter:DifferentCellFilter": "is_admin:True"
1167 "cells_scheduler_filter:TargetCellFilter": "is_admin:True"
1168 "context_is_admin": "role:admin"
1169 "network:attach_external_network": "is_admin:True"
1170 "os_compute_api:extensions": "rule:admin_or_owner"
1171 "os_compute_api:flavors": "rule:admin_or_owner"
1172 "os_compute_api:image-size": "rule:admin_or_owner"
1173 "os_compute_api:ips:index": "rule:admin_or_owner"
1174 "os_compute_api:ips:show": "rule:admin_or_owner"
1175 "os_compute_api:limits": "rule:admin_or_owner"
1176 "os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api"
1177 "os_compute_api:os-admin-actions:reset_network": "rule:admin_api"
1178 "os_compute_api:os-admin-actions:reset_state": "rule:admin_api"
1179 "os_compute_api:os-admin-password": "rule:admin_or_owner"
1180 "os_compute_api:os-agents": "rule:admin_api"
1181 "os_compute_api:os-aggregates:add_host": "rule:admin_api"
1182 "os_compute_api:os-aggregates:create": "rule:admin_api"
1183 "os_compute_api:os-aggregates:delete": "rule:admin_api"
1184 "os_compute_api:os-aggregates:index": "rule:admin_api"
1185 "os_compute_api:os-aggregates:remove_host": "rule:admin_api"
1186 "os_compute_api:os-aggregates:set_metadata": "rule:admin_api"
1187 "os_compute_api:os-aggregates:show": "rule:admin_api"
1188 "os_compute_api:os-aggregates:update": "rule:admin_api"
1189 "os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api"
1190 "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api"
1191 "os_compute_api:os-attach-interfaces": "rule:admin_or_owner"
1192 "os_compute_api:os-attach-interfaces:create": "rule:admin_or_owner"
1193 "os_compute_api:os-attach-interfaces:delete": "rule:admin_or_owner"
1194 "os_compute_api:os-availability-zone:detail": "rule:admin_api"
1195 "os_compute_api:os-availability-zone:list": "rule:admin_or_owner"
1196 "os_compute_api:os-baremetal-nodes": "rule:admin_api"
1197 "os_compute_api:os-cells": "rule:admin_api"
1198 "os_compute_api:os-cells:create": "rule:admin_api"
1199 "os_compute_api:os-cells:delete": "rule:admin_api"
1200 "os_compute_api:os-cells:sync_instances": "rule:admin_api"
1201 "os_compute_api:os-cells:update": "rule:admin_api"
1202 "os_compute_api:os-config-drive": "rule:admin_or_owner"
1203 "os_compute_api:os-console-auth-tokens": "rule:admin_api"
1204 "os_compute_api:os-console-output": "rule:admin_or_owner"
1205 "os_compute_api:os-consoles:create": "rule:admin_or_owner"
1206 "os_compute_api:os-consoles:delete": "rule:admin_or_owner"
1207 "os_compute_api:os-consoles:index": "rule:admin_or_owner"
1208 "os_compute_api:os-consoles:show": "rule:admin_or_owner"
1209 "os_compute_api:os-create-backup": "rule:admin_or_owner"
1210 "os_compute_api:os-deferred-delete": "rule:admin_or_owner"
1211 "os_compute_api:os-evacuate": "rule:admin_api"
1212 "os_compute_api:os-extended-availability-zone": "rule:admin_or_owner"
1213 "os_compute_api:os-extended-server-attributes": "rule:admin_api"
1214 "os_compute_api:os-extended-status": "rule:admin_or_owner"
1215 "os_compute_api:os-extended-volumes": "rule:admin_or_owner"
1216 "os_compute_api:os-fixed-ips": "rule:admin_api"
1217 "os_compute_api:os-flavor-access": "rule:admin_or_owner"
1218 "os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api"
1219 "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api"
1220 "os_compute_api:os-flavor-extra-specs:create": "rule:admin_api"
1221 "os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api"
1222 "os_compute_api:os-flavor-extra-specs:index": "rule:admin_or_owner"
1223 "os_compute_api:os-flavor-extra-specs:show": "rule:admin_or_owner"
1224 "os_compute_api:os-flavor-extra-specs:update": "rule:admin_api"
1225 "os_compute_api:os-flavor-manage": "rule:admin_api"
1226 "os_compute_api:os-flavor-manage:create": "rule:os_compute_api:os-flavor-manage"
1227 "os_compute_api:os-flavor-manage:delete": "rule:os_compute_api:os-flavor-manage"
1228 "os_compute_api:os-flavor-rxtx": "rule:admin_or_owner"
1229 "os_compute_api:os-floating-ip-dns": "rule:admin_or_owner"
1230 "os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api"
1231 "os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api"
1232 "os_compute_api:os-floating-ip-pools": "rule:admin_or_owner"
1233 "os_compute_api:os-floating-ips": "rule:admin_or_owner"
1234 "os_compute_api:os-floating-ips-bulk": "rule:admin_api"
1235 "os_compute_api:os-fping": "rule:admin_or_owner"
1236 "os_compute_api:os-fping:all_tenants": "rule:admin_api"
1237 "os_compute_api:os-hide-server-addresses": "is_admin:False"
1238 "os_compute_api:os-hosts": "rule:admin_api"
1239 "os_compute_api:os-hypervisors": "rule:admin_api"
1240 "os_compute_api:os-instance-actions": "rule:admin_or_owner"
1241 "os_compute_api:os-instance-actions:events": "rule:admin_api"
1242 "os_compute_api:os-instance-usage-audit-log": "rule:admin_api"
1243 "os_compute_api:os-keypairs": "rule:admin_or_owner"
1244 "os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s"
1245 "os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s"
1246 "os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s"
1247 "os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s"
1248 "os_compute_api:os-lock-server:lock": "rule:admin_or_owner"
1249 "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner"
1250 "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api"
1251 "os_compute_api:os-migrate-server:migrate": "rule:admin_api"
1252 "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api"
1253 "os_compute_api:os-migrations:index": "rule:admin_api"
1254 "os_compute_api:os-multinic": "rule:admin_or_owner"
1255 "os_compute_api:os-networks": "rule:admin_api"
1256 "os_compute_api:os-networks-associate": "rule:admin_api"
1257 "os_compute_api:os-networks:view": "rule:admin_or_owner"
1258 "os_compute_api:os-pause-server:pause": "rule:admin_or_owner"
1259 "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner"
1260 "os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s"
1261 "os_compute_api:os-quota-class-sets:update": "rule:admin_api"
1262 "os_compute_api:os-quota-sets:defaults": "@"
1263 "os_compute_api:os-quota-sets:delete": "rule:admin_api"
1264 "os_compute_api:os-quota-sets:detail": "rule:admin_or_owner"
1265 "os_compute_api:os-quota-sets:show": "rule:admin_or_owner"
1266 "os_compute_api:os-quota-sets:update": "rule:admin_api"
1267 "os_compute_api:os-remote-consoles": "rule:admin_or_owner"
1268 "os_compute_api:os-rescue": "rule:admin_or_owner"
1269 "os_compute_api:os-security-group-default-rules": "rule:admin_api"
1270 "os_compute_api:os-security-groups": "rule:admin_or_owner"
1271 "os_compute_api:os-server-diagnostics": "rule:admin_api"
1272 "os_compute_api:os-server-external-events:create": "rule:admin_api"
1273 "os_compute_api:os-server-groups": "rule:admin_or_owner"
1274 "os_compute_api:os-server-groups:create": "rule:os_compute_api:os-server-groups"
1275 "os_compute_api:os-server-groups:delete": "rule:os_compute_api:os-server-groups"
1276 "os_compute_api:os-server-groups:index": "rule:os_compute_api:os-server-groups"
1277 "os_compute_api:os-server-groups:show": "rule:os_compute_api:os-server-groups"
1278 "os_compute_api:os-server-password": "rule:admin_or_owner"
1279 "os_compute_api:os-server-tags:delete": "rule:admin_or_owner"
1280 "os_compute_api:os-server-tags:delete_all": "rule:admin_or_owner"
1281 "os_compute_api:os-server-tags:index": "rule:admin_or_owner"
1282 "os_compute_api:os-server-tags:show": "rule:admin_or_owner"
1283 "os_compute_api:os-server-tags:update": "rule:admin_or_owner"
1284 "os_compute_api:os-server-tags:update_all": "rule:admin_or_owner"
1285 "os_compute_api:os-server-usage": "rule:admin_or_owner"
1286 "os_compute_api:os-services": "rule:admin_api"
1287 "os_compute_api:os-shelve:shelve": "rule:admin_or_owner"
1288 "os_compute_api:os-shelve:shelve_offload": "rule:admin_api"
1289 "os_compute_api:os-shelve:unshelve": "rule:admin_or_owner"
1290 "os_compute_api:os-simple-tenant-usage:list": "rule:admin_api"
1291 "os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner"
1292 "os_compute_api:os-suspend-server:resume": "rule:admin_or_owner"
1293 "os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner"
1294 "os_compute_api:os-tenant-networks": "rule:admin_or_owner"
1295 "os_compute_api:os-used-limits": "rule:admin_api"
1296 "os_compute_api:os-virtual-interfaces": "rule:admin_or_owner"
1297 "os_compute_api:os-volumes": "rule:admin_or_owner"
1298 "os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner"
1299 "os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner"
1300 "os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner"
1301 "os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner"
1302 "os_compute_api:os-volumes-attachments:update": "rule:admin_api"
1303 "os_compute_api:server-metadata:create": "rule:admin_or_owner"
1304 "os_compute_api:server-metadata:delete": "rule:admin_or_owner"
1305 "os_compute_api:server-metadata:index": "rule:admin_or_owner"
1306 "os_compute_api:server-metadata:show": "rule:admin_or_owner"
1307 "os_compute_api:server-metadata:update": "rule:admin_or_owner"
1308 "os_compute_api:server-metadata:update_all": "rule:admin_or_owner"
1309 "os_compute_api:servers:confirm_resize": "rule:admin_or_owner"
1310 "os_compute_api:servers:create": "rule:admin_or_owner"
1311 "os_compute_api:servers:create:attach_network": "rule:admin_or_owner"
1312 "os_compute_api:servers:create:attach_volume": "rule:admin_or_owner"
1313 "os_compute_api:servers:create:forced_host": "rule:admin_api"
1314 "os_compute_api:servers:create:zero_disk_flavor": "rule:admin_or_owner"
1315 "os_compute_api:servers:create_image": "rule:admin_or_owner"
1316 "os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_or_owner"
1317 "os_compute_api:servers:delete": "rule:admin_or_owner"
1318 "os_compute_api:servers:detail": "rule:admin_or_owner"
1319 "os_compute_api:servers:detail:get_all_tenants": "rule:admin_api"
1320 "os_compute_api:servers:index": "rule:admin_or_owner"
1321 "os_compute_api:servers:index:get_all_tenants": "rule:admin_api"
1322 "os_compute_api:servers:migrations:delete": "rule:admin_api"
1323 "os_compute_api:servers:migrations:force_complete": "rule:admin_api"
1324 "os_compute_api:servers:migrations:index": "rule:admin_api"
1325 "os_compute_api:servers:migrations:show": "rule:admin_api"
1326 "os_compute_api:servers:reboot": "rule:admin_or_owner"
1327 "os_compute_api:servers:rebuild": "rule:admin_or_owner"
1328 "os_compute_api:servers:resize": "rule:admin_or_owner"
1329 "os_compute_api:servers:revert_resize": "rule:admin_or_owner"
1330 "os_compute_api:servers:show": "rule:admin_or_owner"
1331 "os_compute_api:servers:show:host_status": "rule:admin_api"
1332 "os_compute_api:servers:start": "rule:admin_or_owner"
1333 "os_compute_api:servers:stop": "rule:admin_or_owner"
1334 "os_compute_api:servers:trigger_crash_dump": "rule:admin_or_owner"
1335 "os_compute_api:servers:update": "rule:admin_or_owner"
# Queens nova policy: the YAML merge key (<<) pulls in every entry of the
# mapping aliased as nova_default_policy_pike, then one rule is added.
# NOTE(review): the alias needs a matching &nova_default_policy_pike anchor
# earlier in the file -- not visible in this section, confirm it exists.
1336 nova_default_policy_queens:
1337 << : *nova_default_policy_pike
# Flavor update goes straight to rule:admin_api. The Pike create/delete rules
# reach the same check indirectly through rule:os_compute_api:os-flavor-manage.
1338 "os_compute_api:os-flavor-manage:update": "rule:admin_api"
# Ocata: empty mapping, so this parameter contributes no octavia policy entries.
1339 octavia_default_policy_ocata: {}
# Pike octavia policy. Anchored (&octavia_default_policy_pike) so the Queens
# mapping below can merge it and override individual rules.
1340 octavia_default_policy_pike: &octavia_default_policy_pike
# Either role satisfies the admin-context check; neither alternative carries a
# project_id test.
1341 "context_is_admin": "role:admin or role:load-balancer_admin"
# Building-block rules. "owner" is a project_id match; observer_and_owner and
# member_and_owner require the role AND project ownership. global_observer is
# a role-only check with no project scoping, so it reads across projects.
1342 "load-balancer:owner": "project_id:%(project_id)s"
1343 "load-balancer:observer_and_owner": "role:load-balancer_observer and rule:load-balancer:owner"
1344 "load-balancer:global_observer": "role:load-balancer_global_observer"
1345 "load-balancer:member_and_owner": "role:load-balancer_member and rule:load-balancer:owner"
# Aggregate rules referenced by the API entries. Each one ends in
# "or is_admin:True"; write access otherwise requires member_and_owner.
# load-balancer_quota_admin is a role-only grant on the quota rules.
1346 "load-balancer:read": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or is_admin:True"
1347 "load-balancer:read-global": "rule:load-balancer:global_observer or is_admin:True"
1348 "load-balancer:write": "rule:load-balancer:member_and_owner or is_admin:True"
1349 "load-balancer:read-quota": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or is_admin:True"
1350 "load-balancer:read-quota-global": "rule:load-balancer:global_observer or role:load-balancer_quota_admin or is_admin:True"
1351 "load-balancer:write-quota": "role:load-balancer_quota_admin or is_admin:True"
# Per-endpoint rules: get_* entries map to a read rule, post/put/delete to a
# write rule, and *-global listings to the matching *-global rule.
# l7rule and member list no get_all-global entry in this mapping.
1352 "os_load-balancer_api:healthmonitor:get_all": "rule:load-balancer:read"
1353 "os_load-balancer_api:healthmonitor:get_all-global": "rule:load-balancer:read-global"
1354 "os_load-balancer_api:healthmonitor:post": "rule:load-balancer:write"
1355 "os_load-balancer_api:healthmonitor:get_one": "rule:load-balancer:read"
1356 "os_load-balancer_api:healthmonitor:put": "rule:load-balancer:write"
1357 "os_load-balancer_api:healthmonitor:delete": "rule:load-balancer:write"
1358 "os_load-balancer_api:l7policy:get_all": "rule:load-balancer:read"
1359 "os_load-balancer_api:l7policy:get_all-global": "rule:load-balancer:read-global"
1360 "os_load-balancer_api:l7policy:post": "rule:load-balancer:write"
1361 "os_load-balancer_api:l7policy:get_one": "rule:load-balancer:read"
1362 "os_load-balancer_api:l7policy:put": "rule:load-balancer:write"
1363 "os_load-balancer_api:l7policy:delete": "rule:load-balancer:write"
1364 "os_load-balancer_api:l7rule:get_all": "rule:load-balancer:read"
1365 "os_load-balancer_api:l7rule:post": "rule:load-balancer:write"
1366 "os_load-balancer_api:l7rule:get_one": "rule:load-balancer:read"
1367 "os_load-balancer_api:l7rule:put": "rule:load-balancer:write"
1368 "os_load-balancer_api:l7rule:delete": "rule:load-balancer:write"
1369 "os_load-balancer_api:listener:get_all": "rule:load-balancer:read"
1370 "os_load-balancer_api:listener:get_all-global": "rule:load-balancer:read-global"
1371 "os_load-balancer_api:listener:post": "rule:load-balancer:write"
1372 "os_load-balancer_api:listener:get_one": "rule:load-balancer:read"
1373 "os_load-balancer_api:listener:put": "rule:load-balancer:write"
1374 "os_load-balancer_api:listener:delete": "rule:load-balancer:write"
1375 "os_load-balancer_api:listener:get_stats": "rule:load-balancer:read"
1376 "os_load-balancer_api:loadbalancer:get_all": "rule:load-balancer:read"
1377 "os_load-balancer_api:loadbalancer:get_all-global": "rule:load-balancer:read-global"
1378 "os_load-balancer_api:loadbalancer:post": "rule:load-balancer:write"
1379 "os_load-balancer_api:loadbalancer:get_one": "rule:load-balancer:read"
1380 "os_load-balancer_api:loadbalancer:put": "rule:load-balancer:write"
1381 "os_load-balancer_api:loadbalancer:delete": "rule:load-balancer:write"
1382 "os_load-balancer_api:loadbalancer:get_stats": "rule:load-balancer:read"
1383 "os_load-balancer_api:loadbalancer:get_status": "rule:load-balancer:read"
1384 "os_load-balancer_api:member:get_all": "rule:load-balancer:read"
1385 "os_load-balancer_api:member:post": "rule:load-balancer:write"
1386 "os_load-balancer_api:member:get_one": "rule:load-balancer:read"
1387 "os_load-balancer_api:member:put": "rule:load-balancer:write"
1388 "os_load-balancer_api:member:delete": "rule:load-balancer:write"
1389 "os_load-balancer_api:pool:get_all": "rule:load-balancer:read"
1390 "os_load-balancer_api:pool:get_all-global": "rule:load-balancer:read-global"
1391 "os_load-balancer_api:pool:post": "rule:load-balancer:write"
1392 "os_load-balancer_api:pool:get_one": "rule:load-balancer:read"
1393 "os_load-balancer_api:pool:put": "rule:load-balancer:write"
1394 "os_load-balancer_api:pool:delete": "rule:load-balancer:write"
1395 "os_load-balancer_api:quota:get_all": "rule:load-balancer:read-quota"
1396 "os_load-balancer_api:quota:get_all-global": "rule:load-balancer:read-quota-global"
1397 "os_load-balancer_api:quota:get_one": "rule:load-balancer:read-quota"
1398 "os_load-balancer_api:quota:put": "rule:load-balancer:write-quota"
1399 "os_load-balancer_api:quota:delete": "rule:load-balancer:write-quota"
1400 "os_load-balancer_api:quota:get_defaults": "rule:load-balancer:read-quota"
# Queens octavia policy: merges the Pike mapping via the YAML merge key, then
# redefines the aggregate rules. Keys written here take precedence over the
# merged ones.
1401 octavia_default_policy_queens:
1402 << : *octavia_default_policy_pike
# New admin rule. Besides is_admin:True it accepts role:admin and
# role:load-balancer_admin, and the rule text has no project_id check.
# NOTE(review): confirm which identities hold these roles, since the
# overrides below widen every aggregate rule to them.
1403 "load-balancer:admin": "is_admin:True or role:admin or role:load-balancer_admin"
# Same rules as Pike with the trailing "is_admin:True" replaced by
# rule:load-balancer:admin.
1404 "load-balancer:read": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin"
1405 "load-balancer:read-global": "rule:load-balancer:global_observer or rule:load-balancer:admin"
1406 "load-balancer:write": "rule:load-balancer:member_and_owner or rule:load-balancer:admin"
1407 "load-balancer:read-quota": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin"
1408 "load-balancer:read-quota-global": "rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin"
1409 "load-balancer:write-quota": "role:load-balancer_quota_admin or rule:load-balancer:admin"
# Failover is the only endpoint here gated on the admin rule alone; project
# members with load-balancer_member do not pass it.
1410 "os_load-balancer_api:loadbalancer:put_failover": "rule:load-balancer:admin"
# Ocata: empty mapping, so this parameter contributes no telemetry policy entries.
1411 telemetry_default_policy_ocata: {}
# Pike telemetry policy.
1412 telemetry_default_policy_pike:
1413 "context_is_admin": "role:admin"
# "segregation" resolves to the admin-context rule above.
1414 "segregation": "rule:context_is_admin"
# Every telemetry:* rule below is the empty string. In oslo.policy an empty
# check string always passes, so these operations -- including the write-type
# create_samples -- are open to any caller that reaches the policy check.
# NOTE(review): assumes this mapping is rendered into an oslo.policy file;
# replace "" with a role or rule check where open access is not intended.
1415 "telemetry:compute_statistics": ""
1416 "telemetry:create_samples": ""
1417 "telemetry:get_meters": ""
1418 "telemetry:get_resource": ""
1419 "telemetry:get_resources": ""
1420 "telemetry:get_sample": ""
1421 "telemetry:get_samples": ""
1422 "telemetry:query_sample": ""
# Queens points at the Pike parameter through ${_param:...} interpolation
# (presumably resolved by the model tooling -- confirm), so the Pike rules,
# including the empty always-pass telemetry:* checks, apply unchanged.
1423 telemetry_default_policy_queens: ${_param:telemetry_default_policy_pike}