authormanchandavishal <manchandavishal143@gmail.com>2022-09-06 17:46:05 +0530
committermanchandavishal <manchandavishal143@gmail.com>2022-09-06 17:49:24 +0530
commita8f2153b253ae9bcc7593aec5497e8e6bfd04f31 (patch)
tree019f737fa2a7eab3ecc151cc11f4ee7b921d887e
parent58f83295377f566a764b23e954a3eb402650a416 (diff)
downloadhorizon-a8f2153b253ae9bcc7593aec5497e8e6bfd04f31.tar.gz
Sync default policy rules
This patch updates default policy-in-code rules in horizon based on nova/neutron/glance RC deliverables. It doesn't update policy rules for cinder and keystone as I have found no changes in their policy rules. Change-Id: Ifcf911d9bc649f61cc8522ccea60d30cf7f013be
-rw-r--r--openstack_dashboard/conf/default_policies/glance.yaml53
-rw-r--r--openstack_dashboard/conf/default_policies/neutron.yaml520
-rw-r--r--openstack_dashboard/conf/default_policies/nova.yaml390
-rw-r--r--openstack_dashboard/conf/glance_policy.yaml106
-rw-r--r--openstack_dashboard/conf/neutron_policy.yaml1273
-rw-r--r--openstack_dashboard/conf/nova_policy.yaml1256
6 files changed, 2081 insertions, 1517 deletions
diff --git a/openstack_dashboard/conf/default_policies/glance.yaml b/openstack_dashboard/conf/default_policies/glance.yaml
index 0dc1846f6..9e03ed5c0 100644
--- a/openstack_dashboard/conf/default_policies/glance.yaml
+++ b/openstack_dashboard/conf/default_policies/glance.yaml
@@ -26,7 +26,6 @@
- method: POST
path: /v2/images
scope_types:
- - system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: null
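Review bot: Dropping `system` from `scope_types` here, and in every later hunk of glance.yaml, leaves `project` as the only accepted scope, so a system-scoped token presumably stops matching these image, task and metadef rules wherever scope checking is enforced. The commit message only says the rules were synced and does not mention that effect. A test that evaluates one of these rules with a system-scoped credential and asserts the intended outcome would pin the behaviour; the rule names and bodies lie outside the hunks.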
@@ -40,7 +39,6 @@
- method: DELETE
path: /v2/images/{image_id}
scope_types:
- - system
- project
- check_str: role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s
or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))
@@ -55,7 +53,6 @@
- method: GET
path: /v2/images/{image_id}
scope_types:
- - system
- project
- check_str: role:admin or (role:reader and project_id:%(project_id)s)
deprecated_reason: null
@@ -69,7 +66,6 @@
- method: GET
path: /v2/images
scope_types:
- - system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: null
@@ -83,7 +79,6 @@
- method: PATCH
path: /v2/images/{image_id}
scope_types:
- - system
- project
- check_str: role:admin
description: Publicize given image
@@ -92,7 +87,6 @@
- method: PATCH
path: /v2/images/{image_id}
scope_types:
- - system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: null
@@ -106,7 +100,6 @@
- method: PATCH
path: /v2/images/{image_id}
scope_types:
- - system
- project
- check_str: role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s
or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))
@@ -121,7 +114,6 @@
- method: GET
path: /v2/images/{image_id}/file
scope_types:
- - system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: null
@@ -135,7 +127,6 @@
- method: PUT
path: /v2/images/{image_id}/file
scope_types:
- - system
- project
- check_str: role:admin
deprecated_reason: null
@@ -149,7 +140,6 @@
- method: PATCH
path: /v2/images/{image_id}
scope_types:
- - system
- project
- check_str: role:admin or (role:reader and project_id:%(project_id)s)
deprecated_reason: null
@@ -163,7 +153,6 @@
- method: GET
path: /v2/images/{image_id}
scope_types:
- - system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: null
@@ -177,7 +166,6 @@
- method: PATCH
path: /v2/images/{image_id}
scope_types:
- - system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: null
@@ -191,7 +179,6 @@
- method: POST
path: /v2/images/{image_id}/members
scope_types:
- - system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: null
@@ -205,7 +192,6 @@
- method: DELETE
path: /v2/images/{image_id}/members/{member_id}
scope_types:
- - system
- project
- check_str: role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)
deprecated_reason: null
@@ -219,7 +205,6 @@
- method: GET
path: /v2/images/{image_id}/members/{member_id}
scope_types:
- - system
- project
- check_str: role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)
deprecated_reason: null
@@ -233,7 +218,6 @@
- method: GET
path: /v2/images/{image_id}/members
scope_types:
- - system
- project
- check_str: role:admin or (role:member and project_id:%(member_id)s)
deprecated_reason: null
@@ -247,14 +231,12 @@
- method: PUT
path: /v2/images/{image_id}/members/{member_id}
scope_types:
- - system
- project
- check_str: role:admin
description: Manage image cache
name: manage_image_cache
operations: []
scope_types:
- - system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: null
@@ -268,7 +250,6 @@
- method: POST
path: /v2/images/{image_id}/actions/deactivate
scope_types:
- - system
- project
- check_str: role:admin or (role:member and project_id:%(project_id)s)
deprecated_reason: null
@@ -282,7 +263,6 @@
- method: POST
path: /v2/images/{image_id}/actions/reactivate
scope_types:
- - system
- project
- check_str: role:admin
description: Copy existing image to other stores
@@ -291,7 +271,6 @@
- method: POST
path: /v2/images/{image_id}/import
scope_types:
- - system
- project
- check_str: rule:default
deprecated_reason: null
@@ -320,7 +299,6 @@
- method: GET
path: /v2/tasks/{task_id}
scope_types:
- - system
- project
- check_str: rule:default
deprecated_reason: null
@@ -349,7 +327,6 @@
- method: GET
path: /v2/tasks
scope_types:
- - system
- project
- check_str: rule:default
deprecated_reason: null
@@ -378,7 +355,6 @@
- method: POST
path: /v2/tasks
scope_types:
- - system
- project
- check_str: rule:default
deprecated_for_removal: true
@@ -396,7 +372,6 @@
- method: DELETE
path: /v2/tasks/{task_id}
scope_types:
- - system
- project
- check_str: role:admin
description: '
@@ -419,7 +394,6 @@
- method: DELETE
path: /v2/tasks/{task_id}
scope_types:
- - system
- project
- check_str: ''
description: null
@@ -443,7 +417,6 @@
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}
scope_types:
- - system
- project
- check_str: role:admin or (role:reader and project_id:%(project_id)s)
deprecated_reason: null
@@ -457,7 +430,6 @@
- method: GET
path: /v2/metadefs/namespaces
scope_types:
- - system
- project
- check_str: rule:metadef_admin
description: Modify an existing namespace.
@@ -466,7 +438,6 @@
- method: PUT
path: /v2/metadefs/namespaces/{namespace_name}
scope_types:
- - system
- project
- check_str: rule:metadef_admin
description: Create a namespace.
@@ -475,7 +446,6 @@
- method: POST
path: /v2/metadefs/namespaces
scope_types:
- - system
- project
- check_str: rule:metadef_admin
description: Delete a namespace.
@@ -484,7 +454,6 @@
- method: DELETE
path: /v2/metadefs/namespaces/{namespace_name}
scope_types:
- - system
- project
- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
deprecated_reason: null
@@ -498,7 +467,6 @@
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
scope_types:
- - system
- project
- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
deprecated_reason: null
@@ -512,7 +480,6 @@
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/objects
scope_types:
- - system
- project
- check_str: rule:metadef_admin
description: Update an object within a namespace.
@@ -521,7 +488,6 @@
- method: PUT
path: /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
scope_types:
- - system
- project
- check_str: rule:metadef_admin
description: Create an object within a namespace.
@@ -530,7 +496,6 @@
- method: POST
path: /v2/metadefs/namespaces/{namespace_name}/objects
scope_types:
- - system
- project
- check_str: rule:metadef_admin
description: Delete an object within a namespace.
@@ -539,7 +504,6 @@
- method: DELETE
path: /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
scope_types:
- - system
- project
- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
deprecated_reason: null
@@ -553,7 +517,6 @@
- method: GET
path: /v2/metadefs/resource_types
scope_types:
- - system
- project
- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
deprecated_reason: null
@@ -567,7 +530,6 @@
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/resource_types
scope_types:
- - system
- project
- check_str: rule:metadef_admin
description: Create meta definition resource types association.
@@ -576,7 +538,6 @@
- method: POST
path: /v2/metadefs/namespaces/{namespace_name}/resource_types
scope_types:
- - system
- project
- check_str: rule:metadef_admin
description: Delete meta definition resource types association.
@@ -585,7 +546,6 @@
- method: POST
path: /v2/metadefs/namespaces/{namespace_name}/resource_types/{name}
scope_types:
- - system
- project
- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
deprecated_reason: null
@@ -599,7 +559,6 @@
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
scope_types:
- - system
- project
- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
deprecated_reason: null
@@ -613,7 +572,6 @@
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/properties
scope_types:
- - system
- project
- check_str: rule:metadef_admin
description: Update meta definition property.
@@ -622,7 +580,6 @@
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
scope_types:
- - system
- project
- check_str: rule:metadef_admin
description: Create meta definition property.
@@ -631,7 +588,6 @@
- method: POST
path: /v2/metadefs/namespaces/{namespace_name}/properties
scope_types:
- - system
- project
- check_str: rule:metadef_admin
description: Delete meta definition property.
@@ -640,7 +596,6 @@
- method: DELETE
path: /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
scope_types:
- - system
- project
- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
deprecated_reason: null
@@ -654,7 +609,6 @@
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
scope_types:
- - system
- project
- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
deprecated_reason: null
@@ -668,7 +622,6 @@
- method: GET
path: /v2/metadefs/namespaces/{namespace_name}/tags
scope_types:
- - system
- project
- check_str: rule:metadef_admin
description: Update tag definition.
@@ -677,7 +630,6 @@
- method: PUT
path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
scope_types:
- - system
- project
- check_str: rule:metadef_admin
description: Add tag definition.
@@ -686,7 +638,6 @@
- method: POST
path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
scope_types:
- - system
- project
- check_str: rule:metadef_admin
description: Create tag definitions.
@@ -695,7 +646,6 @@
- method: POST
path: /v2/metadefs/namespaces/{namespace_name}/tags
scope_types:
- - system
- project
- check_str: rule:metadef_admin
description: Delete tag definition.
@@ -704,7 +654,6 @@
- method: DELETE
path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
scope_types:
- - system
- project
- check_str: rule:metadef_admin
description: Delete tag definitions.
@@ -713,7 +662,6 @@
- method: DELETE
path: /v2/metadefs/namespaces/{namespace_name}/tags
scope_types:
- - system
- project
- check_str: role:admin
deprecated_reason: null
@@ -763,5 +711,4 @@
- method: GET
path: /v2/info/stores/detail
scope_types:
- - system
- project
diff --git a/openstack_dashboard/conf/default_policies/neutron.yaml b/openstack_dashboard/conf/default_policies/neutron.yaml
index d26ccac42..403f35923 100644
--- a/openstack_dashboard/conf/default_policies/neutron.yaml
+++ b/openstack_dashboard/conf/default_policies/neutron.yaml
@@ -93,7 +93,7 @@
name: shared_address_scopes
operations: []
scope_types: null
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:regular_user
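Review bot: The new `rule:admin_only or role:member and project_id:%(project_id)s` mixes `or` and `and` without parentheses, so its meaning depends on `and` binding tighter than `or` in the policy parser. The hunks near `/flavors` and `/service_profiles/{id}` write the same shape with explicit grouping, `(rule:admin_only) or (role:reader and project_id:%(project_id)s)`. Writing this one as `rule:admin_only or (role:member and project_id:%(project_id)s)` would make the intent readable without knowing the precedence; since the commit message says these rules are synced from neutron, the change probably belongs upstream. The unparenthesised form recurs in the later address-scope, floating IP, metering, network and port hunks.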
@@ -106,7 +106,7 @@
path: /address-scopes
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
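Review bot: Replacing `role:admin and project_id:%(project_id)s` with `rule:admin_only` removes the project match, so whether an admin of one project passes this check for another project's resource now depends entirely on how `admin_only` is defined, and that definition is not in any visible hunk. The new `check_str` is also identical to the check in the `deprecated_rule` just below it, which makes the deprecation entry a no-op for this rule. It is worth confirming that `admin_only` is declared in this file and that the dashboard is meant to offer these actions across projects. The same replacement repeats in the later address-scope, floating IP, metering, network and port hunks.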
@@ -119,7 +119,7 @@
path: /address-scopes
scope_types:
- project
-- check_str: role:reader and project_id:%(project_id)s or rule:shared_address_scopes
+- check_str: rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared_address_scopes
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner or rule:shared_address_scopes
@@ -134,7 +134,7 @@
path: /address-scopes/{id}
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -147,7 +147,7 @@
path: /address-scopes/{id}
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -160,7 +160,7 @@
path: /address-scopes/{id}
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -173,7 +173,7 @@
path: /address-scopes/{id}
scope_types:
- project
-- check_str: role:reader and system_scope:all
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -187,8 +187,8 @@
- method: GET
path: /agents/{id}
scope_types:
- - system
-- check_str: role:admin and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -200,8 +200,8 @@
- method: PUT
path: /agents/{id}
scope_types:
- - system
-- check_str: role:admin and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -213,8 +213,8 @@
- method: DELETE
path: /agents/{id}
scope_types:
- - system
-- check_str: role:admin and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -226,8 +226,8 @@
- method: POST
path: /agents/{agent_id}/dhcp-networks
scope_types:
- - system
-- check_str: role:reader and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -239,8 +239,8 @@
- method: GET
path: /agents/{agent_id}/dhcp-networks
scope_types:
- - system
-- check_str: role:admin and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -252,8 +252,8 @@
- method: DELETE
path: /agents/{agent_id}/dhcp-networks/{network_id}
scope_types:
- - system
-- check_str: role:admin and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -265,8 +265,8 @@
- method: POST
path: /agents/{agent_id}/l3-routers
scope_types:
- - system
-- check_str: role:reader and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -278,8 +278,8 @@
- method: GET
path: /agents/{agent_id}/l3-routers
scope_types:
- - system
-- check_str: role:admin and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -291,8 +291,8 @@
- method: DELETE
path: /agents/{agent_id}/l3-routers/{router_id}
scope_types:
- - system
-- check_str: role:reader and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -304,8 +304,8 @@
- method: GET
path: /networks/{network_id}/dhcp-agents
scope_types:
- - system
-- check_str: role:reader and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -317,7 +317,7 @@
- method: GET
path: /routers/{router_id}/l3-agents
scope_types:
- - system
+ - project
- check_str: role:reader and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
@@ -344,7 +344,7 @@
path: /auto-allocated-topology/{project_id}
scope_types:
- project
-- check_str: role:reader and system_scope:all
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:regular_user
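Review bot: The tightened `check_str: rule:admin_only` sits above a `deprecated_rule` whose check is still `rule:regular_user`, and oslo.policy ORs a deprecated default with the new one unless `enforce_new_defaults` is turned on. If the dashboard loads these files with deprecation handling active, the effective check for this rule stays at `regular_user` and the restriction has no effect. It is worth confirming which setting Horizon evaluates these rules with; the rule's name and description lie outside the hunk. The hunks near `/flavors` and `/service_profiles/{id}` pair their new check with a deprecated `rule:regular_user` in the same way.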
@@ -356,8 +356,8 @@
- method: GET
path: /availability_zones
scope_types:
- - system
-- check_str: role:admin and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -369,8 +369,8 @@
- method: POST
path: /flavors
scope_types:
- - system
-- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
+ - project
+- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:regular_user
@@ -384,9 +384,8 @@
- method: GET
path: /flavors/{id}
scope_types:
- - system
- project
-- check_str: role:admin and system_scope:all
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -398,8 +397,8 @@
- method: PUT
path: /flavors/{id}
scope_types:
- - system
-- check_str: role:admin and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -411,8 +410,8 @@
- method: DELETE
path: /flavors/{id}
scope_types:
- - system
-- check_str: role:admin and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -424,8 +423,8 @@
- method: POST
path: /service_profiles
scope_types:
- - system
-- check_str: role:reader and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -439,8 +438,8 @@
- method: GET
path: /service_profiles/{id}
scope_types:
- - system
-- check_str: role:admin and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -452,8 +451,8 @@
- method: PUT
path: /service_profiles/{id}
scope_types:
- - system
-- check_str: role:admin and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -465,8 +464,8 @@
- method: DELETE
path: /service_profiles/{id}
scope_types:
- - system
-- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
+ - project
+- check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:regular_user
@@ -478,9 +477,8 @@
name: get_flavor_service_profile
operations: []
scope_types:
- - system
- project
-- check_str: role:admin and system_scope:all
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -492,8 +490,8 @@
- method: POST
path: /flavors/{flavor_id}/service_profiles
scope_types:
- - system
-- check_str: role:admin and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -505,8 +503,8 @@
- method: DELETE
path: /flavors/{flavor_id}/service_profiles/{profile_id}
scope_types:
- - system
-- check_str: role:member and project_id:%(project_id)s
+ - project
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:regular_user
@@ -519,7 +517,7 @@
path: /floatingips
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -532,7 +530,7 @@
path: /floatingips
scope_types:
- project
-- check_str: role:reader and project_id:%(project_id)s
+- check_str: rule:admin_only or role:reader and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -547,7 +545,7 @@
path: /floatingips/{id}
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -560,7 +558,7 @@
path: /floatingips/{id}
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -789,7 +787,7 @@
path: /local_ips/{local_ip_id}/port_associations/{fixed_port_id}
scope_types:
- project
-- check_str: role:reader and system_scope:all
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -801,8 +799,8 @@
- method: GET
path: /log/loggable-resources
scope_types:
- - system
-- check_str: role:admin and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -814,8 +812,8 @@
- method: POST
path: /log/logs
scope_types:
- - system
-- check_str: role:reader and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -829,8 +827,8 @@
- method: GET
path: /log/logs/{id}
scope_types:
- - system
-- check_str: role:admin and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -842,8 +840,8 @@
- method: PUT
path: /log/logs/{id}
scope_types:
- - system
-- check_str: role:admin and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -855,8 +853,8 @@
- method: DELETE
path: /log/logs/{id}
scope_types:
- - system
-- check_str: role:admin and project_id:%(project_id)s
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -869,7 +867,7 @@
path: /metering/metering-labels
scope_types:
- project
-- check_str: role:reader and project_id:%(project_id)s
+- check_str: rule:admin_only or role:reader and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -884,7 +882,7 @@
path: /metering/metering-labels/{id}
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -897,7 +895,7 @@
path: /metering/metering-labels/{id}
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -910,7 +908,7 @@
path: /metering/metering-label-rules
scope_types:
- project
-- check_str: role:reader and project_id:%(project_id)s
+- check_str: rule:admin_only or role:reader and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -925,7 +923,7 @@
path: /metering/metering-label-rules/{id}
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -997,7 +995,7 @@
name: external
operations: []
scope_types: null
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:regular_user
@@ -1010,7 +1008,7 @@
path: /networks
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1021,7 +1019,7 @@
operations: *id001
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1032,7 +1030,7 @@
operations: *id001
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1043,7 +1041,7 @@
operations: *id001
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:regular_user
@@ -1054,7 +1052,7 @@
operations: *id001
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1065,7 +1063,7 @@
operations: *id001
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1076,7 +1074,7 @@
operations: *id001
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1087,7 +1085,7 @@
operations: *id001
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1098,8 +1096,8 @@
operations: *id001
scope_types:
- project
-- check_str: role:reader and project_id:%(project_id)s or rule:shared or rule:external
- or rule:context_is_advsvc
+- check_str: rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared
+ or rule:external or rule:context_is_advsvc
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc
@@ -1114,7 +1112,7 @@
path: /networks/{id}
scope_types:
- project
-- check_str: role:reader and project_id:%(project_id)s
+- check_str: rule:admin_only or role:reader and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:regular_user
@@ -1125,7 +1123,7 @@
operations: *id002
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1136,7 +1134,7 @@
operations: *id002
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1147,7 +1145,7 @@
operations: *id002
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1158,7 +1156,7 @@
operations: *id002
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1169,7 +1167,7 @@
operations: *id002
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -1182,7 +1180,7 @@
path: /networks/{id}
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1193,7 +1191,7 @@
operations: *id003
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1204,7 +1202,7 @@
operations: *id003
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1215,7 +1213,7 @@
operations: *id003
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1226,7 +1224,7 @@
operations: *id003
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1237,7 +1235,7 @@
operations: *id003
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1248,7 +1246,7 @@
operations: *id003
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1259,7 +1257,7 @@
operations: *id003
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -1270,7 +1268,7 @@
operations: *id003
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -1283,7 +1281,7 @@
path: /networks/{id}
scope_types:
- project
-- check_str: role:reader and system_scope:all
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1297,8 +1295,8 @@
- method: GET
path: /network-ip-availabilities/{network_id}
scope_types:
- - system
-- check_str: role:admin and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1310,8 +1308,8 @@
- method: POST
path: /network_segment_ranges
scope_types:
- - system
-- check_str: role:reader and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1325,8 +1323,8 @@
- method: GET
path: /network_segment_ranges/{id}
scope_types:
- - system
-- check_str: role:admin and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1338,8 +1336,8 @@
- method: PUT
path: /network_segment_ranges/{id}
scope_types:
- - system
-- check_str: role:admin and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1351,7 +1349,7 @@
- method: DELETE
path: /network_segment_ranges/{id}
scope_types:
- - system
+ - project
- check_str: 'field:port:device_owner=~^network:'
description: Definition of port with network device_owner
name: network_device
@@ -1362,7 +1360,7 @@
name: admin_or_data_plane_int
operations: []
scope_types: null
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:regular_user
@@ -1375,19 +1373,19 @@
path: /ports
scope_types:
- project
-- check_str: not rule:network_device or role:admin and project_id:%(project_id)s or
- rule:context_is_advsvc or rule:network_owner
+- check_str: not rule:network_device or rule:admin_only or rule:context_is_advsvc
+ or rule:network_owner
deprecated_reason: null
deprecated_rule:
check_str: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
name: create_port:device_owner
deprecated_since: null
- description: Specify ``device_owner`` attribute when creting a port
+ description: Specify ``device_owner`` attribute when creating a port
name: create_port:device_owner
operations: *id004
scope_types:
- project
-- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s
+- check_str: rule:context_is_advsvc or rule:network_owner or rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:context_is_advsvc or rule:admin_or_network_owner
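Review bot: Replacing `role:admin and project_id:%(project_id)s` with `rule:admin_only` in the `check_str` lines of this hunk removes the project match from the admin term, so that term no longer depends on which project owns the port. If `admin_only` (defined outside this hunk) tests only the role, an admin role held in any one project satisfies these rules for every project. That matches the deprecated rules shown, but it reverses the narrower default the file carried before. The same substitution repeats through the port, QoS, router, subnet and subnetpool hunks below. I would state it in the commit description, for example `admin checks are no longer bound to the target project`, and confirm that Horizon's per-project views do not rely on the old project-bound form.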
@@ -1398,8 +1396,7 @@
operations: *id004
scope_types:
- project
-- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s
- or rule:shared
+- check_str: rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared
deprecated_reason: null
deprecated_rule:
check_str: rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared
@@ -1410,7 +1407,7 @@
operations: *id004
scope_types:
- project
-- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s
+- check_str: rule:context_is_advsvc or rule:network_owner or rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:context_is_advsvc or rule:admin_or_network_owner
@@ -1421,8 +1418,7 @@
operations: *id004
scope_types:
- project
-- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s
- or rule:shared
+- check_str: rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared
deprecated_reason: null
deprecated_rule:
check_str: rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared
@@ -1433,7 +1429,7 @@
operations: *id004
scope_types:
- project
-- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s
+- check_str: rule:context_is_advsvc or rule:network_owner or rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:context_is_advsvc or rule:admin_or_network_owner
@@ -1444,7 +1440,7 @@
operations: *id004
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1455,7 +1451,7 @@
operations: *id004
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1466,7 +1462,7 @@
operations: *id004
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:regular_user
@@ -1477,7 +1473,7 @@
operations: *id004
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s or rule:network_owner
+- check_str: rule:admin_only or rule:network_owner
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_network_owner
@@ -1488,7 +1484,7 @@
operations: *id004
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s or rule:network_owner
+- check_str: rule:admin_only or rule:network_owner
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_network_owner
@@ -1500,7 +1496,7 @@
operations: *id004
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s or rule:network_owner
+- check_str: rule:admin_only or rule:network_owner
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_network_owner
@@ -1512,7 +1508,7 @@
operations: *id004
scope_types:
- project
-- check_str: rule:context_is_advsvc or role:reader and project_id:%(project_id)s
+- check_str: rule:admin_only or rule:context_is_advsvc or role:reader and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:context_is_advsvc or rule:admin_owner_or_network_owner
@@ -1527,7 +1523,7 @@
path: /ports/{id}
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1538,7 +1534,7 @@
operations: *id005
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1549,7 +1545,7 @@
operations: *id005
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1560,7 +1556,7 @@
operations: *id005
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1571,7 +1567,7 @@
operations: *id005
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1582,7 +1578,7 @@
operations: *id005
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s or rule:context_is_advsvc
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s or rule:context_is_advsvc
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner or rule:context_is_advsvc
@@ -1596,7 +1592,7 @@
scope_types:
- project
- check_str: not rule:network_device or rule:context_is_advsvc or rule:network_owner
- or role:admin and project_id:%(project_id)s
+ or rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner
@@ -1607,7 +1603,7 @@
operations: *id006
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s or rule:context_is_advsvc
+- check_str: rule:admin_only or rule:context_is_advsvc
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only or rule:context_is_advsvc
@@ -1618,7 +1614,7 @@
operations: *id006
scope_types:
- project
-- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s
+- check_str: rule:context_is_advsvc or rule:network_owner or rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:context_is_advsvc or rule:admin_or_network_owner
@@ -1629,7 +1625,7 @@
operations: *id006
scope_types:
- project
-- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s
+- check_str: rule:context_is_advsvc or rule:network_owner or rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:context_is_advsvc or rule:admin_or_network_owner
@@ -1640,8 +1636,7 @@
operations: *id006
scope_types:
- project
-- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s
- or rule:shared
+- check_str: rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared
deprecated_reason: null
deprecated_rule:
check_str: rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared
@@ -1652,7 +1647,7 @@
operations: *id006
scope_types:
- project
-- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s
+- check_str: rule:context_is_advsvc or rule:network_owner or rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:context_is_advsvc or rule:admin_or_network_owner
@@ -1663,7 +1658,7 @@
operations: *id006
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1674,7 +1669,7 @@
operations: *id006
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1685,7 +1680,7 @@
operations: *id006
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s or rule:context_is_advsvc
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s or rule:context_is_advsvc
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner or rule:context_is_advsvc
@@ -1696,7 +1691,7 @@
operations: *id006
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s or rule:network_owner
+- check_str: rule:admin_only or rule:network_owner
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_network_owner
@@ -1707,7 +1702,7 @@
operations: *id006
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s or rule:network_owner
+- check_str: rule:admin_only or rule:network_owner
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_network_owner
@@ -1719,7 +1714,7 @@
operations: *id006
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s or rule:network_owner
+- check_str: rule:admin_only or rule:network_owner
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_network_owner
@@ -1730,7 +1725,7 @@
operations: *id006
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s or role:data_plane_integrator
+- check_str: rule:admin_only or role:data_plane_integrator
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_data_plane_int
@@ -1741,7 +1736,7 @@
operations: *id006
scope_types:
- project
-- check_str: rule:context_is_advsvc or role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or rule:context_is_advsvc or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:context_is_advsvc or rule:admin_owner_or_network_owner
@@ -1754,7 +1749,7 @@
path: /ports/{id}
scope_types:
- project
-- check_str: role:reader and project_id:%(project_id)s
+- check_str: rule:admin_only or role:reader and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:regular_user
@@ -1769,7 +1764,7 @@
path: /qos/policies/{id}
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1782,7 +1777,7 @@
path: /qos/policies
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1795,7 +1790,7 @@
path: /qos/policies/{id}
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1808,7 +1803,7 @@
path: /qos/policies/{id}
scope_types:
- project
-- check_str: role:admin or role:reader and system_scope:all
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:regular_user
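Review bot: The new default `check_str: rule:admin_only` sits next to `deprecated_rule: check_str: rule:regular_user`, so the tightening may not take effect where deprecated rules are still honoured. oslo.policy ORs the deprecated check into the new one unless `enforce_new_defaults` is set, which would leave the effective check at `regular_user`. Whether Horizon's policy loader registers the `deprecated_rule` entries from this file is not visible here, so that is worth confirming before relying on it to hide the QoS rule-type views from non-admin users. The neutron API may also enforce a different result than Horizon computes, in which case the UI would offer an action the API then refuses. The entry continues past this hunk, with its operations shown in the next one.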
@@ -1822,9 +1817,8 @@
- method: GET
path: /qos/rule-types/{rule_type}
scope_types:
- - system
- project
-- check_str: role:reader and project_id:%(project_id)s
+- check_str: rule:admin_only or role:reader and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:regular_user
@@ -1839,7 +1833,7 @@
path: /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1852,7 +1846,7 @@
path: /qos/policies/{policy_id}/bandwidth_limit_rules
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1865,7 +1859,7 @@
path: /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1878,7 +1872,41 @@
path: /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
scope_types:
- project
-- check_str: role:reader and project_id:%(project_id)s
+- check_str: rule:admin_only or role:reader and project_id:%(project_id)s
+ description: Get a QoS packet rate limit rule
+ name: get_policy_packet_rate_limit_rule
+ operations:
+ - method: GET
+ path: /qos/policies/{policy_id}/packet_rate_limit_rules
+ - method: GET
+ path: /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}
+ scope_types:
+ - project
+- check_str: rule:admin_only
+ description: Create a QoS packet rate limit rule
+ name: create_policy_packet_rate_limit_rule
+ operations:
+ - method: POST
+ path: /qos/policies/{policy_id}/packet_rate_limit_rules
+ scope_types:
+ - project
+- check_str: rule:admin_only
+ description: Update a QoS packet rate limit rule
+ name: update_policy_packet_rate_limit_rule
+ operations:
+ - method: PUT
+ path: /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}
+ scope_types:
+ - project
+- check_str: rule:admin_only
+ description: Delete a QoS packet rate limit rule
+ name: delete_policy_packet_rate_limit_rule
+ operations:
+ - method: DELETE
+ path: /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}
+ scope_types:
+ - project
+- check_str: rule:admin_only or role:reader and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:regular_user
@@ -1893,7 +1921,7 @@
path: /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1906,7 +1934,7 @@
path: /qos/policies/{policy_id}/dscp_marking_rules
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1919,7 +1947,7 @@
path: /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1932,7 +1960,7 @@
path: /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
scope_types:
- project
-- check_str: role:reader and project_id:%(project_id)s
+- check_str: rule:admin_only or role:reader and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:regular_user
@@ -1947,7 +1975,7 @@
path: /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1960,7 +1988,7 @@
path: /qos/policies/{policy_id}/minimum_bandwidth_rules
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1973,7 +2001,7 @@
path: /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -1986,7 +2014,7 @@
path: /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
scope_types:
- project
-- check_str: role:reader and project_id:%(project_id)s
+- check_str: rule:admin_only or role:reader and project_id:%(project_id)s
description: Get a QoS minimum packet rate rule
name: get_policy_minimum_packet_rate_rule
operations:
@@ -1996,7 +2024,7 @@
path: /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
description: Create a QoS minimum packet rate rule
name: create_policy_minimum_packet_rate_rule
operations:
@@ -2004,7 +2032,7 @@
path: /qos/policies/{policy_id}/minimum_packet_rate_rules
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
description: Update a QoS minimum packet rate rule
name: update_policy_minimum_packet_rate_rule
operations:
@@ -2012,7 +2040,7 @@
path: /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
description: Delete a QoS minimum packet rate rule
name: delete_policy_minimum_packet_rate_rule
operations:
@@ -2020,7 +2048,7 @@
path: /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
scope_types:
- project
-- check_str: role:reader and project_id:%(project_id)s
+- check_str: rule:admin_only or role:reader and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:regular_user
@@ -2033,7 +2061,7 @@
path: /qos/alias_bandwidth_limit_rules/{rule_id}/
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2046,7 +2074,7 @@
path: /qos/alias_bandwidth_limit_rules/{rule_id}/
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2059,7 +2087,7 @@
path: /qos/alias_bandwidth_limit_rules/{rule_id}/
scope_types:
- project
-- check_str: role:reader and project_id:%(project_id)s
+- check_str: rule:admin_only or role:reader and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:regular_user
@@ -2072,7 +2100,7 @@
path: /qos/alias_dscp_marking_rules/{rule_id}/
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2085,7 +2113,7 @@
path: /qos/alias_dscp_marking_rules/{rule_id}/
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2098,7 +2126,7 @@
path: /qos/alias_dscp_marking_rules/{rule_id}/
scope_types:
- project
-- check_str: role:reader and project_id:%(project_id)s
+- check_str: rule:admin_only or role:reader and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:regular_user
@@ -2111,7 +2139,7 @@
path: /qos/alias_minimum_bandwidth_rules/{rule_id}/
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2124,7 +2152,7 @@
path: /qos/alias_minimum_bandwidth_rules/{rule_id}/
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2143,22 +2171,25 @@
operations:
- method: GET
path: /qos/alias_minimum_packet_rate_rules/{rule_id}/
- scope_types: null
+ scope_types:
+ - project
- check_str: rule:update_policy_minimum_packet_rate_rule
description: Update a QoS minimum packet rate rule through alias
name: update_alias_minimum_packet_rate_rule
operations:
- method: PUT
path: /qos/alias_minimum_packet_rate_rules/{rule_id}/
- scope_types: null
+ scope_types:
+ - project
- check_str: rule:delete_policy_minimum_packet_rate_rule
description: Delete a QoS minimum packet rate rule through alias
name: delete_alias_minimum_packet_rate_rule
operations:
- method: DELETE
path: /qos/alias_minimum_packet_rate_rules/{rule_id}/
- scope_types: null
-- check_str: role:reader and system_scope:all
+ scope_types:
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2172,8 +2203,8 @@
- method: GET
path: /quota/{id}
scope_types:
- - system
-- check_str: role:admin and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2185,8 +2216,8 @@
- method: PUT
path: /quota/{id}
scope_types:
- - system
-- check_str: role:admin and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2198,14 +2229,14 @@
- method: DELETE
path: /quota/{id}
scope_types:
- - system
+ - project
- check_str: (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)
or rule:admin_only
description: Definition of a wildcard target_project
name: restrict_wildcard
operations: []
scope_types: null
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:regular_user
@@ -2218,8 +2249,7 @@
path: /rbac-policies
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s or (not field:rbac_policy:target_tenant=*
- and not field:rbac_policy:target_project=*)
+- check_str: rule:admin_only or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)
deprecated_reason: null
deprecated_rule:
check_str: rule:restrict_wildcard
@@ -2232,7 +2262,7 @@
path: /rbac-policies
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2245,8 +2275,7 @@
path: /rbac-policies/{id}
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s or (not field:rbac_policy:target_tenant=*
- and not field:rbac_policy:target_project=*)
+- check_str: rule:admin_only or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)
deprecated_reason: null
deprecated_rule:
check_str: rule:restrict_wildcard and rule:admin_or_owner
@@ -2259,7 +2288,7 @@
path: /rbac-policies/{id}
scope_types:
- project
-- check_str: role:reader and project_id:%(project_id)s
+- check_str: rule:admin_only or role:reader and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2274,7 +2303,7 @@
path: /rbac-policies/{id}
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2287,7 +2316,7 @@
path: /rbac-policies/{id}
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:regular_user
@@ -2300,7 +2329,7 @@
path: /routers
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2311,7 +2340,7 @@
operations: *id007
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2322,7 +2351,7 @@
operations: *id007
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2333,7 +2362,7 @@
operations: *id007
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2345,7 +2374,7 @@
operations: *id007
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2357,7 +2386,7 @@
operations: *id007
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2369,7 +2398,7 @@
operations: *id007
scope_types:
- project
-- check_str: role:reader and project_id:%(project_id)s
+- check_str: rule:admin_only or role:reader and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2384,7 +2413,7 @@
path: /routers/{id}
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2395,7 +2424,7 @@
operations: *id008
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2406,7 +2435,7 @@
operations: *id008
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2419,7 +2448,7 @@
path: /routers/{id}
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2430,7 +2459,7 @@
operations: *id009
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2441,7 +2470,7 @@
operations: *id009
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2452,7 +2481,7 @@
operations: *id009
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2464,7 +2493,7 @@
operations: *id009
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2476,7 +2505,7 @@
operations: *id009
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2488,7 +2517,7 @@
operations: *id009
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2501,7 +2530,7 @@
path: /routers/{id}
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2514,7 +2543,7 @@
path: /routers/{id}/add_router_interface
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2527,7 +2556,7 @@
path: /routers/{id}/remove_router_interface
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2540,7 +2569,7 @@
path: /routers/{id}/add_extraroutes
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2658,7 +2687,7 @@
path: /security-group-rules/{id}
scope_types:
- project
-- check_str: role:admin and system_scope:all
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2670,8 +2699,8 @@
- method: POST
path: /segments
scope_types:
- - system
-- check_str: role:reader and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2685,8 +2714,8 @@
- method: GET
path: /segments/{id}
scope_types:
- - system
-- check_str: role:admin and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2698,8 +2727,8 @@
- method: PUT
path: /segments/{id}
scope_types:
- - system
-- check_str: role:admin and system_scope:all
+ - project
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2711,7 +2740,7 @@
- method: DELETE
path: /segments/{id}
scope_types:
- - system
+ - project
- check_str: role:reader
deprecated_reason: null
deprecated_rule:
@@ -2724,9 +2753,8 @@
- method: GET
path: /service-providers
scope_types:
- - system
- project
-- check_str: role:member and project_id:%(project_id)s or rule:network_owner
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s or rule:network_owner
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_network_owner
@@ -2739,7 +2767,7 @@
path: /subnets
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2750,7 +2778,7 @@
operations: *id010
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2761,7 +2789,7 @@
operations: *id010
scope_types:
- project
-- check_str: role:reader and project_id:%(project_id)s or rule:shared
+- check_str: rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner or rule:shared
@@ -2776,7 +2804,7 @@
path: /subnets/{id}
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2787,7 +2815,7 @@
operations: *id011
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s or rule:network_owner
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s or rule:network_owner
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_network_owner
@@ -2800,7 +2828,7 @@
path: /subnets/{id}
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2811,7 +2839,7 @@
operations: *id012
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2822,7 +2850,7 @@
operations: *id012
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s or rule:network_owner
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s or rule:network_owner
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_network_owner
@@ -2840,7 +2868,7 @@
name: shared_subnetpools
operations: []
scope_types: null
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:regular_user
@@ -2853,7 +2881,7 @@
path: /subnetpools
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2866,7 +2894,7 @@
path: /subnetpools
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2879,7 +2907,7 @@
path: /subnetpools
scope_types:
- project
-- check_str: role:reader and project_id:%(project_id)s or rule:shared_subnetpools
+- check_str: rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared_subnetpools
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner or rule:shared_subnetpools
@@ -2894,7 +2922,7 @@
path: /subnetpools/{id}
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2907,7 +2935,7 @@
path: /subnetpools/{id}
scope_types:
- project
-- check_str: role:admin and project_id:%(project_id)s
+- check_str: rule:admin_only
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_only
@@ -2920,7 +2948,7 @@
path: /subnetpools/{id}
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2933,7 +2961,7 @@
path: /subnetpools/{id}
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2946,7 +2974,7 @@
path: /subnetpools/{id}/onboard_network_subnets
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2959,7 +2987,7 @@
path: /subnetpools/{id}/add_prefixes
scope_types:
- project
-- check_str: role:member and project_id:%(project_id)s
+- check_str: rule:admin_only or role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
diff --git a/openstack_dashboard/conf/default_policies/nova.yaml b/openstack_dashboard/conf/default_policies/nova.yaml
index 35132129b..016f30a4c 100644
--- a/openstack_dashboard/conf/default_policies/nova.yaml
+++ b/openstack_dashboard/conf/default_policies/nova.yaml
@@ -40,16 +40,6 @@
name: admin_api
operations: []
scope_types: null
-- check_str: role:admin and project_id:%(project_id)s
- deprecated_reason: null
- deprecated_rule:
- check_str: is_admin:True
- name: rule:admin_api
- deprecated_since: null
- description: Default rule for Project level admin APIs.
- name: project_admin_api
- operations: []
- scope_types: null
- check_str: role:member and project_id:%(project_id)s
deprecated_reason: null
deprecated_rule:
@@ -70,17 +60,27 @@
name: project_reader_api
operations: []
scope_types: null
+- check_str: rule:project_member_api or rule:context_is_admin
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: is_admin:True or project_id:%(project_id)s
+ name: rule:admin_or_owner
+ deprecated_since: null
+ description: Default rule for Project Member or admin APIs.
+ name: project_member_or_admin
+ operations: []
+ scope_types: null
- check_str: rule:project_reader_api or rule:context_is_admin
deprecated_reason: null
deprecated_rule:
check_str: is_admin:True or project_id:%(project_id)s
name: rule:admin_or_owner
deprecated_since: null
- description: Default rule for Project reader and admin APIs.
+ description: Default rule for Project reader or admin APIs.
name: project_reader_or_admin
operations: []
scope_types: null
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: Reset the state of a given server
name: os_compute_api:os-admin-actions:reset_state
operations:
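Review bot: The admin branch of the new `project_member_or_admin` rule, and the `rule:context_is_admin` check that replaces `rule:project_admin_api` on `os_compute_api:os-admin-actions:reset_state`, carry no `project_id:%(project_id)s` match; the `project_admin_api` rule removed in the previous hunk did (`role:admin and project_id:%(project_id)s`). `context_is_admin` is defined outside this hunk, so its exact expression should be confirmed. Later hunks move sensitive per-server operations (`os-admin-password`, `os-console-output`, `os-server-password`, remote consoles) onto these rules, so they would be open to an admin of any project. The `description` could say so, e.g. `description: Default rule for Project Member or admin APIs; the admin branch is not limited to the target project.`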
@@ -88,7 +88,7 @@
path: /servers/{server_id}/action (os-resetState)
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: Inject network information into the server
name: os_compute_api:os-admin-actions:inject_network_info
operations:
@@ -96,7 +96,7 @@
path: /servers/{server_id}/action (injectNetworkInfo)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Change the administrative password for a server
name: os_compute_api:os-admin-password
operations:
@@ -111,7 +111,7 @@
- method: POST
path: /os-aggregates/{aggregate_id}/action (set_metadata)
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
description: Add a host to an aggregate
name: os_compute_api:os-aggregates:add_host
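Review bot: `scope_types` for the aggregate APIs changes from `system` to `project` while the check stays `rule:context_is_admin`. Where scope enforcement is on, a system-scoped token no longer matches these host-level operations and a project-scoped admin token does. The same swap is made in the later hunks for `os-hosts`, `os-hypervisors`, flavor management, `os-quota-class-sets` and `os-instance_usage_audit_log`. An upgrade note such as `Compute admin APIs (aggregates, hosts, hypervisors, flavors) now expect project-scoped admin tokens; system scope is no longer listed.` would let operators check their token scoping before upgrading. The policy entry this hunk edits starts above the hunk.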
@@ -119,7 +119,7 @@
- method: POST
path: /os-aggregates/{aggregate_id}/action (add_host)
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
description: Create an aggregate
name: os_compute_api:os-aggregates:create
@@ -127,7 +127,7 @@
- method: POST
path: /os-aggregates
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
description: Remove a host from an aggregate
name: os_compute_api:os-aggregates:remove_host
@@ -135,7 +135,7 @@
- method: POST
path: /os-aggregates/{aggregate_id}/action (remove_host)
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
description: Update name and/or availability zone for an aggregate
name: os_compute_api:os-aggregates:update
@@ -143,7 +143,7 @@
- method: PUT
path: /os-aggregates/{aggregate_id}
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
description: List all aggregates
name: os_compute_api:os-aggregates:index
@@ -151,7 +151,7 @@
- method: GET
path: /os-aggregates
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
description: Delete an aggregate
name: os_compute_api:os-aggregates:delete
@@ -159,7 +159,7 @@
- method: DELETE
path: /os-aggregates/{aggregate_id}
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
description: Show details for an aggregate
name: os_compute_api:os-aggregates:show
@@ -167,7 +167,7 @@
- method: GET
path: /os-aggregates/{aggregate_id}
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
description: Request image caching for an aggregate
name: compute:aggregates:images
@@ -175,7 +175,7 @@
- method: POST
path: /os-aggregates/{aggregate_id}/images
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
description: Create an assisted volume snapshot
name: os_compute_api:os-assisted-volume-snapshots:create
@@ -192,7 +192,7 @@
path: /os-assisted-volume-snapshots/{snapshot_id}
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -205,7 +205,7 @@
path: /servers/{server_id}/os-interface
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -218,7 +218,7 @@
path: /servers/{server_id}/os-interface/{port_id}
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -231,7 +231,7 @@
path: /servers/{server_id}/os-interface
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -251,7 +251,6 @@
- method: GET
path: /os-availability-zone
scope_types:
- - system
- project
- check_str: rule:context_is_admin
description: List detailed availability zone information with host information
@@ -260,7 +259,7 @@
- method: GET
path: /os-availability-zone/detail
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
@@ -278,7 +277,7 @@
- method: GET
path: /os-baremetal-nodes
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
@@ -291,8 +290,8 @@
- method: GET
path: /os-baremetal-nodes/{node_id}
scope_types:
- - system
-- check_str: rule:project_admin_api
+ - project
+- check_str: rule:context_is_admin
description: Show console connection information for a given console authentication
token
name: os_compute_api:os-console-auth-tokens
@@ -301,7 +300,7 @@
path: /os-console-auth-tokens/{console_token}
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Show console output for a server
name: os_compute_api:os-console-output
operations:
@@ -309,7 +308,7 @@
path: /servers/{server_id}/action (os-getConsoleOutput)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Create a back up of a server
name: os_compute_api:os-create-backup
operations:
@@ -317,7 +316,7 @@
path: /servers/{server_id}/action (createBackup)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -330,7 +329,7 @@
path: /servers/{server_id}/action (restore)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -343,7 +342,7 @@
path: /servers/{server_id}/action (forceDelete)
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: Evacuate a server from a failed host to a new host
name: os_compute_api:os-evacuate
operations:
@@ -351,7 +350,7 @@
path: /servers/{server_id}/action (evacuate)
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: 'Return extended attributes for server.
@@ -415,7 +414,6 @@
- method: GET
path: /extensions/{alias}
scope_types:
- - system
- project
- check_str: rule:context_is_admin
description: Add flavor access to a tenant
@@ -424,7 +422,7 @@
- method: POST
path: /flavors/{flavor_id}/action (addTenantAccess)
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
description: Remove flavor access from a tenant
name: os_compute_api:os-flavor-access:remove_tenant_access
@@ -432,7 +430,7 @@
- method: POST
path: /flavors/{flavor_id}/action (removeTenantAccess)
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
@@ -452,7 +450,7 @@
- method: GET
path: /flavors/{flavor_id}/os-flavor-access
scope_types:
- - system
+ - project
- check_str: rule:project_reader_or_admin
description: Show an extra spec for a flavor
name: os_compute_api:os-flavor-extra-specs:show
@@ -460,7 +458,6 @@
- method: GET
path: /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
scope_types:
- - system
- project
- check_str: rule:context_is_admin
description: Create extra specs for a flavor
@@ -469,7 +466,7 @@
- method: POST
path: /flavors/{flavor_id}/os-extra_specs/
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
description: Update an extra spec for a flavor
name: os_compute_api:os-flavor-extra-specs:update
@@ -477,7 +474,7 @@
- method: PUT
path: /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
description: Delete an extra spec for a flavor
name: os_compute_api:os-flavor-extra-specs:delete
@@ -485,7 +482,7 @@
- method: DELETE
path: /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
scope_types:
- - system
+ - project
- check_str: rule:project_reader_or_admin
description: List extra specs for a flavor. Starting with microversion 2.61, extra
specs may be returned in responses for the flavor resource.
@@ -502,7 +499,6 @@
- method: PUT
path: /flavors/{flavor_id}
scope_types:
- - system
- project
- check_str: rule:context_is_admin
description: Create a flavor
@@ -511,7 +507,7 @@
- method: POST
path: /flavors
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
description: Update a flavor
name: os_compute_api:os-flavor-manage:update
@@ -519,7 +515,7 @@
- method: PUT
path: /flavors/{flavor_id}
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
description: Delete a flavor
name: os_compute_api:os-flavor-manage:delete
@@ -527,7 +523,7 @@
- method: DELETE
path: /flavors/{flavor_id}
scope_types:
- - system
+ - project
- check_str: '@'
description: List floating IP pools. This API is deprecated.
name: os_compute_api:os-floating-ip-pools
@@ -535,9 +531,8 @@
- method: GET
path: /os-floating-ip-pools
scope_types:
- - system
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -550,7 +545,7 @@
path: /servers/{server_id}/action (addFloatingIp)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -563,7 +558,7 @@
path: /servers/{server_id}/action (removeFloatingIp)
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -576,7 +571,7 @@
path: /os-floating-ips
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -589,7 +584,7 @@
path: /os-floating-ips
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -602,7 +597,7 @@
path: /os-floating-ips/{floating_ip_id}
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -630,7 +625,7 @@
- method: GET
path: /os-hosts
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
@@ -646,7 +641,7 @@
- method: GET
path: /os-hosts/{host_name}
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
@@ -662,7 +657,7 @@
- method: PUT
path: /os-hosts/{host_name}
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
@@ -678,7 +673,7 @@
- method: GET
path: /os-hosts/{host_name}/reboot
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
@@ -694,7 +689,7 @@
- method: GET
path: /os-hosts/{host_name}/shutdown
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
@@ -710,7 +705,7 @@
- method: GET
path: /os-hosts/{host_name}/startup
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
@@ -723,7 +718,7 @@
- method: GET
path: /os-hypervisors
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
@@ -736,7 +731,7 @@
- method: GET
path: /os-hypervisors/details
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
@@ -749,7 +744,7 @@
- method: GET
path: /os-hypervisors/statistics
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
@@ -762,7 +757,7 @@
- method: GET
path: /os-hypervisors/{hypervisor_id}
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
@@ -775,7 +770,7 @@
- method: GET
path: /os-hypervisors/{hypervisor_id}/uptime
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
@@ -788,7 +783,7 @@
- method: GET
path: /os-hypervisors/{hypervisor_hostname_pattern}/search
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
@@ -802,8 +797,8 @@
- method: GET
path: /os-hypervisors/{hypervisor_hostname_pattern}/servers
scope_types:
- - system
-- check_str: rule:project_admin_api
+ - project
+- check_str: rule:context_is_admin
description: 'Add "details" key in action events for a server.
@@ -830,7 +825,7 @@
path: /servers/{server_id}/os-instance-actions/{request_id}
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: 'Add events details in action details for a server.
This check is performed only after the check
@@ -850,7 +845,7 @@
path: /servers/{server_id}/os-instance-actions/{request_id}
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -863,7 +858,7 @@
path: /servers/{server_id}/os-instance-actions
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -888,7 +883,7 @@
- method: GET
path: /os-instance_usage_audit_log
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
@@ -902,8 +897,8 @@
- method: GET
path: /os-instance_usage_audit_log/{before_timestamp}
scope_types:
- - system
-- check_str: rule:project_reader_api
+ - project
+- check_str: rule:project_reader_or_admin
description: Show IP addresses details for a network label of a server
name: os_compute_api:ips:show
operations:
@@ -911,7 +906,7 @@
path: /servers/{server_id}/ips/{network_label}
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
description: List IP addresses that are assigned to a server
name: os_compute_api:ips:index
operations:
@@ -926,7 +921,6 @@
- method: GET
path: /os-keypairs
scope_types:
- - system
- project
- check_str: (rule:context_is_admin) or user_id:%(user_id)s
description: Create a keypair
@@ -935,7 +929,6 @@
- method: POST
path: /os-keypairs
scope_types:
- - system
- project
- check_str: (rule:context_is_admin) or user_id:%(user_id)s
description: Delete a keypair
@@ -944,7 +937,6 @@
- method: DELETE
path: /os-keypairs/{keypair_name}
scope_types:
- - system
- project
- check_str: (rule:context_is_admin) or user_id:%(user_id)s
description: Show details of a keypair
@@ -953,7 +945,6 @@
- method: GET
path: /os-keypairs/{keypair_name}
scope_types:
- - system
- project
- check_str: '@'
description: Show rate and absolute limits for the current user project
@@ -963,7 +954,7 @@
path: /limits
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_api
@@ -983,7 +974,7 @@
path: /limits
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Lock a server
name: os_compute_api:os-lock-server:lock
operations:
@@ -991,7 +982,7 @@
path: /servers/{server_id}/action (lock)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Unlock a server
name: os_compute_api:os-lock-server:unlock
operations:
@@ -999,7 +990,7 @@
path: /servers/{server_id}/action (unlock)
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: 'Unlock a server, regardless who locked the server.
@@ -1012,7 +1003,7 @@
path: /servers/{server_id}/action (unlock)
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: Cold migrate a server to a host
name: os_compute_api:os-migrate-server:migrate
operations:
@@ -1020,7 +1011,7 @@
path: /servers/{server_id}/action (migrate)
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: Live migrate a server to a new host without a reboot
name: os_compute_api:os-migrate-server:migrate_live
operations:
@@ -1028,7 +1019,7 @@
path: /servers/{server_id}/action (os-migrateLive)
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: List migrations
name: os_compute_api:os-migrations:index
operations:
@@ -1036,7 +1027,7 @@
path: /os-migrations
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -1054,7 +1045,7 @@
path: /servers/{server_id}/action (addFixedIp)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -1072,7 +1063,7 @@
path: /servers/{server_id}/action (removeFixedIp)
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -1088,7 +1079,7 @@
path: /os-networks
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -1104,7 +1095,7 @@
path: /os-networks/{network_id}
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Pause a server
name: os_compute_api:os-pause-server:pause
operations:
@@ -1112,7 +1103,7 @@
path: /servers/{server_id}/action (pause)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Unpause a paused server
name: os_compute_api:os-pause-server:unpause
operations:
@@ -1127,7 +1118,7 @@
- method: GET
path: /os-quota-class-sets/{quota_class}
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
description: Update quotas for specific quota class
name: os_compute_api:os-quota-class-sets:update
@@ -1135,8 +1126,8 @@
- method: PUT
path: /os-quota-class-sets/{quota_class}
scope_types:
- - system
-- check_str: rule:project_admin_api
+ - project
+- check_str: rule:context_is_admin
description: Update the quotas
name: os_compute_api:os-quota-sets:update
operations:
@@ -1151,9 +1142,8 @@
- method: GET
path: /os-quota-sets/{tenant_id}/defaults
scope_types:
- - system
- project
-- check_str: (rule:project_reader_api) or role:admin
+- check_str: rule:project_reader_or_admin
description: Show a quota
name: os_compute_api:os-quota-sets:show
operations:
@@ -1161,7 +1151,7 @@
path: /os-quota-sets/{tenant_id}
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: Revert quotas to defaults
name: os_compute_api:os-quota-sets:delete
operations:
@@ -1169,7 +1159,7 @@
path: /os-quota-sets/{tenant_id}
scope_types:
- project
-- check_str: (rule:project_reader_api) or role:admin
+- check_str: rule:project_reader_or_admin
description: Show the detail of quota
name: os_compute_api:os-quota-sets:detail
operations:
@@ -1177,7 +1167,7 @@
path: /os-quota-sets/{tenant_id}/detail
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: 'Generate a URL to access remove server console.
@@ -1207,7 +1197,7 @@
path: /servers/{server_id}/remote-consoles
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Rescue a server
name: os_compute_api:os-rescue
operations:
@@ -1215,7 +1205,7 @@
path: /servers/{server_id}/action (rescue)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -1228,7 +1218,7 @@
path: /servers/{server_id}/action (unrescue)
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -1241,7 +1231,7 @@
path: /os-security-groups
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -1254,7 +1244,7 @@
path: /os-security-groups/{security_group_id}
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -1267,7 +1257,7 @@
path: /os-security-groups
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -1280,7 +1270,7 @@
path: /os-security-groups/{security_group_id}
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -1293,7 +1283,7 @@
path: /os-security-groups/{security_group_id}
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -1306,7 +1296,7 @@
path: /os-security-group-rules
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -1319,7 +1309,7 @@
path: /os-security-group-rules/{security_group_id}
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -1332,7 +1322,7 @@
path: /servers/{server_id}/os-security-groups
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -1345,7 +1335,7 @@
path: /servers/{server_id}/action (addSecurityGroup)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -1358,7 +1348,7 @@
path: /servers/{server_id}/action (removeSecurityGroup)
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: Show the usage data for a server
name: os_compute_api:os-server-diagnostics
operations:
@@ -1374,7 +1364,7 @@
path: /os-server-external-events
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Create a new server group
name: os_compute_api:os-server-groups:create
operations:
@@ -1382,7 +1372,7 @@
path: /os-server-groups
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Delete a server group
name: os_compute_api:os-server-groups:delete
operations:
@@ -1390,7 +1380,7 @@
path: /os-server-groups/{server_group_id}
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
description: List all server groups
name: os_compute_api:os-server-groups:index
operations:
@@ -1398,7 +1388,7 @@
path: /os-server-groups
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: List all server groups for all projects
name: os_compute_api:os-server-groups:index:all_projects
operations:
@@ -1406,7 +1396,7 @@
path: /os-server-groups
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
description: Show details of a server group
name: os_compute_api:os-server-groups:show
operations:
@@ -1414,7 +1404,7 @@
path: /os-server-groups/{server_group_id}
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
description: List all metadata of a server
name: os_compute_api:server-metadata:index
operations:
@@ -1422,7 +1412,7 @@
path: /servers/{server_id}/metadata
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
description: Show metadata for a server
name: os_compute_api:server-metadata:show
operations:
@@ -1430,7 +1420,7 @@
path: /servers/{server_id}/metadata/{key}
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Create metadata for a server
name: os_compute_api:server-metadata:create
operations:
@@ -1438,7 +1428,7 @@
path: /servers/{server_id}/metadata
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Replace metadata for a server
name: os_compute_api:server-metadata:update_all
operations:
@@ -1446,7 +1436,7 @@
path: /servers/{server_id}/metadata
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Update metadata from a server
name: os_compute_api:server-metadata:update
operations:
@@ -1454,7 +1444,7 @@
path: /servers/{server_id}/metadata/{key}
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Delete metadata from a server
name: os_compute_api:server-metadata:delete
operations:
@@ -1462,7 +1452,7 @@
path: /servers/{server_id}/metadata/{key}
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -1475,7 +1465,7 @@
path: /servers/{server_id}/os-server-password
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -1488,7 +1478,7 @@
path: /servers/{server_id}/os-server-password
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Delete all the server tags
name: os_compute_api:os-server-tags:delete_all
operations:
@@ -1496,7 +1486,7 @@
path: /servers/{server_id}/tags
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
description: List all tags for given server
name: os_compute_api:os-server-tags:index
operations:
@@ -1504,7 +1494,7 @@
path: /servers/{server_id}/tags
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Replace all tags on specified server with the new set of tags.
name: os_compute_api:os-server-tags:update_all
operations:
@@ -1512,7 +1502,7 @@
path: /servers/{server_id}/tags
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Delete a single tag from the specified server
name: os_compute_api:os-server-tags:delete
operations:
@@ -1520,7 +1510,7 @@
path: /servers/{server_id}/tags/{tag}
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Add a single tag to the server if server has no specified tag
name: os_compute_api:os-server-tags:update
operations:
@@ -1528,7 +1518,7 @@
path: /servers/{server_id}/tags/{tag}
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
description: Check tag existence on the server.
name: os_compute_api:os-server-tags:show
operations:
@@ -1536,7 +1526,7 @@
path: /servers/{server_id}/tags/{tag}
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
description: Show the NUMA topology data for a server
name: compute:server:topology:index
operations:
@@ -1544,7 +1534,7 @@
path: /servers/{server_id}/topology
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: Show the NUMA topology data for a server with host NUMA ID and CPU
pinning information
name: compute:server:topology:host:index
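Review bot: On `compute:server:topology:host:index` the check moves from `rule:project_admin_api` to `rule:context_is_admin` while `scope_types` stays `project`, so a local override of `project_admin_api` no longer affects this rule (unless `context_is_admin` is itself defined in terms of it, which this hunk does not show). This policy gates host NUMA IDs and CPU pinning data, so the gap deserves a sentence in the commit message or a release note, for example `Nova admin-only rules now reference rule:context_is_admin; review local overrides of project_admin_api.` The later hunks in this file that make the same swap (all-tenant server listing, host status, create on a specified host, live migrations, shelve offload, tenant usage list) are affected in the same way.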
@@ -1553,7 +1543,7 @@
path: /servers/{server_id}/topology
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
description: List all servers
name: os_compute_api:servers:index
operations:
@@ -1561,7 +1551,7 @@
path: /servers
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
description: List all servers with detailed information
name: os_compute_api:servers:detail
operations:
@@ -1569,7 +1559,7 @@
path: /servers/detail
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: List all servers for all projects
name: os_compute_api:servers:index:get_all_tenants
operations:
@@ -1577,7 +1567,7 @@
path: /servers
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: List all servers with detailed information for all projects
name: os_compute_api:servers:detail:get_all_tenants
operations:
@@ -1585,7 +1575,7 @@
path: /servers/detail
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: Allow all filters when listing servers
name: os_compute_api:servers:allow_all_filters
operations:
@@ -1595,7 +1585,7 @@
path: /servers/detail
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
description: Show a server
name: os_compute_api:servers:show
operations:
@@ -1603,7 +1593,7 @@
path: /servers/{server_id}
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
deprecated_reason: '
Policies for showing flavor extra specs in server APIs response is
@@ -1632,7 +1622,7 @@
path: /servers/{server_id}/action (rebuild)
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: '
Show a server with additional host status information.
@@ -1666,7 +1656,7 @@
path: /servers/{server_id}/action (rebuild)
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: '
Show a server with additional host status information, only if host status is
@@ -1699,7 +1689,7 @@
path: /servers/{server_id}/action (rebuild)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Create a server
name: os_compute_api:servers:create
operations:
@@ -1707,7 +1697,7 @@
path: /servers
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: '
Create a server on the specified host and/or node.
@@ -1726,7 +1716,7 @@
path: /servers
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: '
Create a server on the requested compute service host and/or
@@ -1747,7 +1737,7 @@
path: /servers
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Create a server with the requested volume attached to it
name: os_compute_api:servers:create:attach_volume
operations:
@@ -1755,7 +1745,7 @@
path: /servers
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Create a server with the requested network attached to it
name: os_compute_api:servers:create:attach_network
operations:
@@ -1763,7 +1753,7 @@
path: /servers
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Create a server with trusted image certificate IDs
name: os_compute_api:servers:create:trusted_certs
operations:
@@ -1771,7 +1761,7 @@
path: /servers
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: '
This rule controls the compute API validation behavior of creating a server
@@ -1805,7 +1795,7 @@
path: /servers
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: Attach an unshared external network to a server
name: network:attach_external_network
operations:
@@ -1815,7 +1805,7 @@
path: /servers/{server_id}/os-interface
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Delete a server
name: os_compute_api:servers:delete
operations:
@@ -1823,7 +1813,7 @@
path: /servers/{server_id}
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Update a server
name: os_compute_api:servers:update
operations:
@@ -1831,7 +1821,7 @@
path: /servers/{server_id}
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Confirm a server resize
name: os_compute_api:servers:confirm_resize
operations:
@@ -1839,7 +1829,7 @@
path: /servers/{server_id}/action (confirmResize)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Revert a server resize
name: os_compute_api:servers:revert_resize
operations:
@@ -1847,7 +1837,7 @@
path: /servers/{server_id}/action (revertResize)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Reboot a server
name: os_compute_api:servers:reboot
operations:
@@ -1855,7 +1845,7 @@
path: /servers/{server_id}/action (reboot)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Resize a server
name: os_compute_api:servers:resize
operations:
@@ -1874,7 +1864,7 @@
path: /servers/{server_id}/action (resize)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Rebuild a server
name: os_compute_api:servers:rebuild
operations:
@@ -1882,7 +1872,7 @@
path: /servers/{server_id}/action (rebuild)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Rebuild a server with trusted image certificate IDs
name: os_compute_api:servers:rebuild:trusted_certs
operations:
@@ -1890,7 +1880,7 @@
path: /servers/{server_id}/action (rebuild)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Create an image from a server
name: os_compute_api:servers:create_image
operations:
@@ -1898,7 +1888,7 @@
path: /servers/{server_id}/action (createImage)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Create an image from a volume backed server
name: os_compute_api:servers:create_image:allow_volume_backed
operations:
@@ -1906,7 +1896,7 @@
path: /servers/{server_id}/action (createImage)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Start a server
name: os_compute_api:servers:start
operations:
@@ -1914,7 +1904,7 @@
path: /servers/{server_id}/action (os-start)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Stop a server
name: os_compute_api:servers:stop
operations:
@@ -1922,7 +1912,7 @@
path: /servers/{server_id}/action (os-stop)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Trigger crash dump in a server
name: os_compute_api:servers:trigger_crash_dump
operations:
@@ -1930,7 +1920,7 @@
path: /servers/{server_id}/action (trigger_crash_dump)
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: Show details for an in-progress live migration for a given server
name: os_compute_api:servers:migrations:show
operations:
@@ -1938,7 +1928,7 @@
path: /servers/{server_id}/migrations/{migration_id}
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: Force an in-progress live migration for a given server to complete
name: os_compute_api:servers:migrations:force_complete
operations:
@@ -1946,7 +1936,7 @@
path: /servers/{server_id}/migrations/{migration_id}/action (force_complete)
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: Delete(Abort) an in-progress live migration
name: os_compute_api:servers:migrations:delete
operations:
@@ -1954,7 +1944,7 @@
path: /servers/{server_id}/migrations/{migration_id}
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: Lists in-progress live migrations for a given server
name: os_compute_api:servers:migrations:index
operations:
@@ -1974,7 +1964,7 @@
- method: GET
path: /os-services
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
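Review bot: The `scope_types` entry for the `GET /os-services` rule changes from `system` to `project`, here and in the next two hunks (`PUT` and `DELETE /os-services/{service_id}`), which takes compute service management out of system scope. If a deployment lists compute in Horizon's `SYSTEM_SCOPE_SERVICES` setting, the system-scoped token would presumably stop matching these rules once scope enforcement is enabled. A release note along the lines of `Compute service management policies are now project-scoped; check SYSTEM_SCOPE_SERVICES if it lists compute.` would help operators. The rule's name and description lie outside the hunk.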
@@ -1987,7 +1977,7 @@
- method: PUT
path: /os-services/{service_id}
scope_types:
- - system
+ - project
- check_str: rule:context_is_admin
deprecated_reason: null
deprecated_rule:
@@ -2000,8 +1990,8 @@
- method: DELETE
path: /os-services/{service_id}
scope_types:
- - system
-- check_str: rule:project_member_api
+ - project
+- check_str: rule:project_member_or_admin
description: Shelve server
name: os_compute_api:os-shelve:shelve
operations:
@@ -2009,7 +1999,7 @@
path: /servers/{server_id}/action (shelve)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Unshelve (restore) shelved server
name: os_compute_api:os-shelve:unshelve
operations:
@@ -2017,7 +2007,15 @@
path: /servers/{server_id}/action (unshelve)
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
+ description: Unshelve (restore) shelve offloaded server to a specific host
+ name: os_compute_api:os-shelve:unshelve_to_host
+ operations:
+ - method: POST
+ path: /servers/{server_id}/action (unshelve)
+ scope_types:
+ - project
+- check_str: rule:context_is_admin
description: Shelf-offload (remove) server
name: os_compute_api:os-shelve:shelve_offload
operations:
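Review bot: The added `os_compute_api:os-shelve:unshelve_to_host` rule has the same method and path as `os_compute_api:os-shelve:unshelve` (`POST /servers/{server_id}/action (unshelve)`) but requires `rule:context_is_admin`, so the two can be told apart only by policy name. Nothing in this diff shows a Horizon action that passes a target host on unshelve. If one exists or is added later, it should check the new name, e.g. `policy_rules = (("compute", "os_compute_api:os-shelve:unshelve_to_host"),)`, otherwise a project member would be offered a control that the API then rejects. The `shelve_offload` entry that follows continues past the hunk.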
@@ -2025,7 +2023,7 @@
path: /servers/{server_id}/action (shelveOffload)
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
description: Show usage statistics for a specific tenant
name: os_compute_api:os-simple-tenant-usage:show
operations:
@@ -2033,7 +2031,7 @@
path: /os-simple-tenant-usage/{tenant_id}
scope_types:
- project
-- check_str: rule:project_admin_api
+- check_str: rule:context_is_admin
description: List per tenant usage statistics for all tenants
name: os_compute_api:os-simple-tenant-usage:list
operations:
@@ -2041,7 +2039,7 @@
path: /os-simple-tenant-usage
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Resume suspended server
name: os_compute_api:os-suspend-server:resume
operations:
@@ -2049,7 +2047,7 @@
path: /servers/{server_id}/action (resume)
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Suspend server
name: os_compute_api:os-suspend-server:suspend
operations:
@@ -2089,7 +2087,7 @@
path: /os-tenant-networks/{network_id}
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2105,7 +2103,7 @@
path: /os-volumes
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2121,7 +2119,7 @@
path: /os-volumes
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2137,7 +2135,7 @@
path: /os-volumes/detail
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2153,7 +2151,7 @@
path: /os-volumes/{volume_id}
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2169,7 +2167,7 @@
path: /os-volumes/{volume_id}
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2185,7 +2183,7 @@
path: /os-snapshots
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2201,7 +2199,7 @@
path: /os-snapshots
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2217,7 +2215,7 @@
path: /os-snapshots/detail
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2233,7 +2231,7 @@
path: /os-snapshots/{snapshot_id}
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
@@ -2249,7 +2247,7 @@
path: /os-snapshots/{snapshot_id}
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
description: List volume attachments for an instance
name: os_compute_api:os-volumes-attachments:index
operations:
@@ -2257,7 +2255,7 @@
path: /servers/{server_id}/os-volume_attachments
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Attach a volume to an instance
name: os_compute_api:os-volumes-attachments:create
operations:
@@ -2265,7 +2263,7 @@
path: /servers/{server_id}/os-volume_attachments
scope_types:
- project
-- check_str: rule:project_reader_api
+- check_str: rule:project_reader_or_admin
description: Show details of a volume attachment
name: os_compute_api:os-volumes-attachments:show
operations:
@@ -2273,7 +2271,7 @@
path: /servers/{server_id}/os-volume_attachments/{volume_id}
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: 'Update a volume attachment.
New ''update'' policy about ''swap + update'' request (which is possible
@@ -2297,7 +2295,7 @@
path: /servers/{server_id}/os-volume_attachments/{volume_id}
scope_types:
- project
-- check_str: rule:project_member_api
+- check_str: rule:project_member_or_admin
description: Detach a volume from an instance
name: os_compute_api:os-volumes-attachments:delete
operations:
diff --git a/openstack_dashboard/conf/glance_policy.yaml b/openstack_dashboard/conf/glance_policy.yaml
index 17e10fb52..0e889b9a4 100644
--- a/openstack_dashboard/conf/glance_policy.yaml
+++ b/openstack_dashboard/conf/glance_policy.yaml
@@ -17,7 +17,7 @@
# Create new image
# POST /v2/images
-# Intended scope(s): system, project
+# Intended scope(s): project
#"add_image": "role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)"
# DEPRECATED
@@ -28,7 +28,7 @@
# Deletes the image
# DELETE /v2/images/{image_id}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"delete_image": "role:admin or (role:member and project_id:%(project_id)s)"
# DEPRECATED
@@ -39,7 +39,7 @@
# Get specified image
# GET /v2/images/{image_id}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"get_image": "role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"
# DEPRECATED
@@ -52,7 +52,7 @@
# Get all available images
# GET /v2/images
-# Intended scope(s): system, project
+# Intended scope(s): project
#"get_images": "role:admin or (role:reader and project_id:%(project_id)s)"
# DEPRECATED
@@ -63,7 +63,7 @@
# Updates given image
# PATCH /v2/images/{image_id}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"modify_image": "role:admin or (role:member and project_id:%(project_id)s)"
# DEPRECATED
@@ -74,12 +74,12 @@
# Publicize given image
# PATCH /v2/images/{image_id}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"publicize_image": "role:admin"
# Communitize given image
# PATCH /v2/images/{image_id}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"communitize_image": "role:admin or (role:member and project_id:%(project_id)s)"
# DEPRECATED
@@ -90,7 +90,7 @@
# Downloads given image
# GET /v2/images/{image_id}/file
-# Intended scope(s): system, project
+# Intended scope(s): project
#"download_image": "role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"
# DEPRECATED
@@ -103,7 +103,7 @@
# Uploads data to specified image
# PUT /v2/images/{image_id}/file
-# Intended scope(s): system, project
+# Intended scope(s): project
#"upload_image": "role:admin or (role:member and project_id:%(project_id)s)"
# DEPRECATED
@@ -114,7 +114,7 @@
# Deletes the location of given image
# PATCH /v2/images/{image_id}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"delete_image_location": "role:admin"
# DEPRECATED
@@ -124,7 +124,7 @@
# Reads the location of the image
# GET /v2/images/{image_id}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"get_image_location": "role:admin or (role:reader and project_id:%(project_id)s)"
# DEPRECATED
@@ -135,7 +135,7 @@
# Sets location URI to given image
# PATCH /v2/images/{image_id}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"set_image_location": "role:admin or (role:member and project_id:%(project_id)s)"
# DEPRECATED
@@ -146,7 +146,7 @@
# Create image member
# POST /v2/images/{image_id}/members
-# Intended scope(s): system, project
+# Intended scope(s): project
#"add_member": "role:admin or (role:member and project_id:%(project_id)s)"
# DEPRECATED
@@ -157,7 +157,7 @@
# Delete image member
# DELETE /v2/images/{image_id}/members/{member_id}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"delete_member": "role:admin or (role:member and project_id:%(project_id)s)"
# DEPRECATED
@@ -168,7 +168,7 @@
# Show image member details
# GET /v2/images/{image_id}/members/{member_id}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"get_member": "role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"
# DEPRECATED
@@ -179,7 +179,7 @@
# List image members
# GET /v2/images/{image_id}/members
-# Intended scope(s): system, project
+# Intended scope(s): project
#"get_members": "role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)"
# DEPRECATED
@@ -190,7 +190,7 @@
# Update image member
# PUT /v2/images/{image_id}/members/{member_id}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"modify_member": "role:admin or (role:member and project_id:%(member_id)s)"
# DEPRECATED
@@ -200,12 +200,12 @@
# The image API now supports roles.
# Manage image cache
-# Intended scope(s): system, project
+# Intended scope(s): project
#"manage_image_cache": "role:admin"
# Deactivate image
# POST /v2/images/{image_id}/actions/deactivate
-# Intended scope(s): system, project
+# Intended scope(s): project
#"deactivate": "role:admin or (role:member and project_id:%(project_id)s)"
# DEPRECATED
@@ -216,7 +216,7 @@
# Reactivate image
# POST /v2/images/{image_id}/actions/reactivate
-# Intended scope(s): system, project
+# Intended scope(s): project
#"reactivate": "role:admin or (role:member and project_id:%(project_id)s)"
# DEPRECATED
@@ -227,7 +227,7 @@
# Copy existing image to other stores
# POST /v2/images/{image_id}/import
-# Intended scope(s): system, project
+# Intended scope(s): project
#"copy_image": "role:admin"
# Get an image task.
@@ -240,7 +240,7 @@
# external tasks API should be restricted as desired by the
# tasks_api_access policy. This may change in the future.
# GET /v2/tasks/{task_id}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"get_task": "rule:default"
# DEPRECATED
@@ -262,7 +262,7 @@
# external tasks API should be restricted as desired by the
# tasks_api_access policy. This may change in the future.
# GET /v2/tasks
-# Intended scope(s): system, project
+# Intended scope(s): project
#"get_tasks": "rule:default"
# DEPRECATED
@@ -284,7 +284,7 @@
# external tasks API should be restricted as desired by the
# tasks_api_access policy. This may change in the future.
# POST /v2/tasks
-# Intended scope(s): system, project
+# Intended scope(s): project
#"add_task": "rule:default"
# DEPRECATED
@@ -302,7 +302,7 @@
# removed in a future release.
# This policy is not used.
# DELETE /v2/tasks/{task_id}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"modify_task": "rule:default"
# This is a generic blanket policy for protecting all task APIs. It is
@@ -312,7 +312,7 @@
# GET /v2/tasks
# POST /v2/tasks
# DELETE /v2/tasks/{task_id}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"tasks_api_access": "role:admin"
#"metadef_default": ""
@@ -321,7 +321,7 @@
# Get a specific namespace.
# GET /v2/metadefs/namespaces/{namespace_name}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"get_metadef_namespace": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
# DEPRECATED
@@ -333,7 +333,7 @@
# List namespace.
# GET /v2/metadefs/namespaces
-# Intended scope(s): system, project
+# Intended scope(s): project
#"get_metadef_namespaces": "role:admin or (role:reader and project_id:%(project_id)s)"
# DEPRECATED
@@ -344,22 +344,22 @@
# Modify an existing namespace.
# PUT /v2/metadefs/namespaces/{namespace_name}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"modify_metadef_namespace": "rule:metadef_admin"
# Create a namespace.
# POST /v2/metadefs/namespaces
-# Intended scope(s): system, project
+# Intended scope(s): project
#"add_metadef_namespace": "rule:metadef_admin"
# Delete a namespace.
# DELETE /v2/metadefs/namespaces/{namespace_name}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"delete_metadef_namespace": "rule:metadef_admin"
# Get a specific object from a namespace.
# GET /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"get_metadef_object": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
# DEPRECATED
@@ -370,7 +370,7 @@
# Get objects from a namespace.
# GET /v2/metadefs/namespaces/{namespace_name}/objects
-# Intended scope(s): system, project
+# Intended scope(s): project
#"get_metadef_objects": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
# DEPRECATED
@@ -382,22 +382,22 @@
# Update an object within a namespace.
# PUT /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"modify_metadef_object": "rule:metadef_admin"
# Create an object within a namespace.
# POST /v2/metadefs/namespaces/{namespace_name}/objects
-# Intended scope(s): system, project
+# Intended scope(s): project
#"add_metadef_object": "rule:metadef_admin"
# Delete an object within a namespace.
# DELETE /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"delete_metadef_object": "rule:metadef_admin"
# List meta definition resource types.
# GET /v2/metadefs/resource_types
-# Intended scope(s): system, project
+# Intended scope(s): project
#"list_metadef_resource_types": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
# DEPRECATED
@@ -409,7 +409,7 @@
# Get meta definition resource types associations.
# GET /v2/metadefs/namespaces/{namespace_name}/resource_types
-# Intended scope(s): system, project
+# Intended scope(s): project
#"get_metadef_resource_type": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
# DEPRECATED
@@ -421,17 +421,17 @@
# Create meta definition resource types association.
# POST /v2/metadefs/namespaces/{namespace_name}/resource_types
-# Intended scope(s): system, project
+# Intended scope(s): project
#"add_metadef_resource_type_association": "rule:metadef_admin"
# Delete meta definition resource types association.
# POST /v2/metadefs/namespaces/{namespace_name}/resource_types/{name}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"remove_metadef_resource_type_association": "rule:metadef_admin"
# Get a specific meta definition property.
# GET /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"get_metadef_property": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
# DEPRECATED
@@ -443,7 +443,7 @@
# List meta definition properties.
# GET /v2/metadefs/namespaces/{namespace_name}/properties
-# Intended scope(s): system, project
+# Intended scope(s): project
#"get_metadef_properties": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
# DEPRECATED
@@ -455,22 +455,22 @@
# Update meta definition property.
# GET /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"modify_metadef_property": "rule:metadef_admin"
# Create meta definition property.
# POST /v2/metadefs/namespaces/{namespace_name}/properties
-# Intended scope(s): system, project
+# Intended scope(s): project
#"add_metadef_property": "rule:metadef_admin"
# Delete meta definition property.
# DELETE /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"remove_metadef_property": "rule:metadef_admin"
# Get tag definition.
# GET /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"get_metadef_tag": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
# DEPRECATED
@@ -481,7 +481,7 @@
# List tag definitions.
# GET /v2/metadefs/namespaces/{namespace_name}/tags
-# Intended scope(s): system, project
+# Intended scope(s): project
#"get_metadef_tags": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))"
# DEPRECATED
@@ -492,27 +492,27 @@
# Update tag definition.
# PUT /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"modify_metadef_tag": "rule:metadef_admin"
# Add tag definition.
# POST /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"add_metadef_tag": "rule:metadef_admin"
# Create tag definitions.
# POST /v2/metadefs/namespaces/{namespace_name}/tags
-# Intended scope(s): system, project
+# Intended scope(s): project
#"add_metadef_tags": "rule:metadef_admin"
# Delete tag definition.
# DELETE /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"delete_metadef_tag": "rule:metadef_admin"
# Delete tag definitions.
# DELETE /v2/metadefs/namespaces/{namespace_name}/tags
-# Intended scope(s): system, project
+# Intended scope(s): project
#"delete_metadef_tags": "rule:metadef_admin"
# Queue image for caching
@@ -548,6 +548,6 @@
# Expose store specific information
# GET /v2/info/stores/detail
-# Intended scope(s): system, project
+# Intended scope(s): project
#"stores_info_detail": "role:admin"
diff --git a/openstack_dashboard/conf/neutron_policy.yaml b/openstack_dashboard/conf/neutron_policy.yaml
index 5b1b0f015..92f13daa8 100644
--- a/openstack_dashboard/conf/neutron_policy.yaml
+++ b/openstack_dashboard/conf/neutron_policy.yaml
@@ -62,181 +62,179 @@
# Create an address scope
# POST /address-scopes
# Intended scope(s): project
-#"create_address_scope": "role:member and project_id:%(project_id)s"
+#"create_address_scope": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "create_address_scope":"rule:regular_user" has been deprecated since
-# W in favor of "create_address_scope":"role:member and
-# project_id:%(project_id)s".
+# W in favor of "create_address_scope":"rule:admin_only or role:member
+# and project_id:%(project_id)s".
# The Address scope API now supports system scope and default roles.
# Create a shared address scope
# POST /address-scopes
# Intended scope(s): project
-#"create_address_scope:shared": "role:admin and project_id:%(project_id)s"
+#"create_address_scope:shared": "rule:admin_only"
# DEPRECATED
# "create_address_scope:shared":"rule:admin_only" has been deprecated
-# since W in favor of "create_address_scope:shared":"role:admin and
-# project_id:%(project_id)s".
+# since W in favor of "create_address_scope:shared":"rule:admin_only".
# The Address scope API now supports system scope and default roles.
# Get an address scope
# GET /address-scopes
# GET /address-scopes/{id}
# Intended scope(s): project
-#"get_address_scope": "role:reader and project_id:%(project_id)s or rule:shared_address_scopes"
+#"get_address_scope": "rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared_address_scopes"
# DEPRECATED
# "get_address_scope":"rule:admin_or_owner or
# rule:shared_address_scopes" has been deprecated since W in favor of
-# "get_address_scope":"role:reader and project_id:%(project_id)s or
-# rule:shared_address_scopes".
+# "get_address_scope":"rule:admin_only or role:reader and
+# project_id:%(project_id)s or rule:shared_address_scopes".
# The Address scope API now supports system scope and default roles.
# Update an address scope
# PUT /address-scopes/{id}
# Intended scope(s): project
-#"update_address_scope": "role:member and project_id:%(project_id)s"
+#"update_address_scope": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "update_address_scope":"rule:admin_or_owner" has been deprecated
-# since W in favor of "update_address_scope":"role:member and
-# project_id:%(project_id)s".
+# since W in favor of "update_address_scope":"rule:admin_only or
+# role:member and project_id:%(project_id)s".
# The Address scope API now supports system scope and default roles.
# Update ``shared`` attribute of an address scope
# PUT /address-scopes/{id}
# Intended scope(s): project
-#"update_address_scope:shared": "role:admin and project_id:%(project_id)s"
+#"update_address_scope:shared": "rule:admin_only"
# DEPRECATED
# "update_address_scope:shared":"rule:admin_only" has been deprecated
-# since W in favor of "update_address_scope:shared":"role:admin and
-# project_id:%(project_id)s".
+# since W in favor of "update_address_scope:shared":"rule:admin_only".
# The Address scope API now supports system scope and default roles.
# Delete an address scope
# DELETE /address-scopes/{id}
# Intended scope(s): project
-#"delete_address_scope": "role:member and project_id:%(project_id)s"
+#"delete_address_scope": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "delete_address_scope":"rule:admin_or_owner" has been deprecated
-# since W in favor of "delete_address_scope":"role:member and
-# project_id:%(project_id)s".
+# since W in favor of "delete_address_scope":"rule:admin_only or
+# role:member and project_id:%(project_id)s".
# The Address scope API now supports system scope and default roles.
# Get an agent
# GET /agents
# GET /agents/{id}
-# Intended scope(s): system
-#"get_agent": "role:reader and system_scope:all"
+# Intended scope(s): project
+#"get_agent": "rule:admin_only"
# DEPRECATED
# "get_agent":"rule:admin_only" has been deprecated since W in favor
-# of "get_agent":"role:reader and system_scope:all".
-# The Agent API now supports system scope and default roles.
+# of "get_agent":"rule:admin_only".
+# The Agent API now supports project scope and default roles.
# Update an agent
# PUT /agents/{id}
-# Intended scope(s): system
-#"update_agent": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"update_agent": "rule:admin_only"
# DEPRECATED
# "update_agent":"rule:admin_only" has been deprecated since W in
-# favor of "update_agent":"role:admin and system_scope:all".
-# The Agent API now supports system scope and default roles.
+# favor of "update_agent":"rule:admin_only".
+# The Agent API now supports project scope and default roles.
# Delete an agent
# DELETE /agents/{id}
-# Intended scope(s): system
-#"delete_agent": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"delete_agent": "rule:admin_only"
# DEPRECATED
# "delete_agent":"rule:admin_only" has been deprecated since W in
-# favor of "delete_agent":"role:admin and system_scope:all".
-# The Agent API now supports system scope and default roles.
+# favor of "delete_agent":"rule:admin_only".
+# The Agent API now supports project scope and default roles.
# Add a network to a DHCP agent
# POST /agents/{agent_id}/dhcp-networks
-# Intended scope(s): system
-#"create_dhcp-network": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"create_dhcp-network": "rule:admin_only"
# DEPRECATED
# "create_dhcp-network":"rule:admin_only" has been deprecated since W
-# in favor of "create_dhcp-network":"role:admin and system_scope:all".
-# The Agent API now supports system scope and default roles.
+# in favor of "create_dhcp-network":"rule:admin_only".
+# The Agent API now supports project scope and default roles.
# List networks on a DHCP agent
# GET /agents/{agent_id}/dhcp-networks
-# Intended scope(s): system
-#"get_dhcp-networks": "role:reader and system_scope:all"
+# Intended scope(s): project
+#"get_dhcp-networks": "rule:admin_only"
# DEPRECATED
# "get_dhcp-networks":"rule:admin_only" has been deprecated since W in
-# favor of "get_dhcp-networks":"role:reader and system_scope:all".
-# The Agent API now supports system scope and default roles.
+# favor of "get_dhcp-networks":"rule:admin_only".
+# The Agent API now supports project scope and default roles.
# Remove a network from a DHCP agent
# DELETE /agents/{agent_id}/dhcp-networks/{network_id}
-# Intended scope(s): system
-#"delete_dhcp-network": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"delete_dhcp-network": "rule:admin_only"
# DEPRECATED
# "delete_dhcp-network":"rule:admin_only" has been deprecated since W
-# in favor of "delete_dhcp-network":"role:admin and system_scope:all".
-# The Agent API now supports system scope and default roles.
+# in favor of "delete_dhcp-network":"rule:admin_only".
+# The Agent API now supports project scope and default roles.
# Add a router to an L3 agent
# POST /agents/{agent_id}/l3-routers
-# Intended scope(s): system
-#"create_l3-router": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"create_l3-router": "rule:admin_only"
# DEPRECATED
# "create_l3-router":"rule:admin_only" has been deprecated since W in
-# favor of "create_l3-router":"role:admin and system_scope:all".
-# The Agent API now supports system scope and default roles.
+# favor of "create_l3-router":"rule:admin_only".
+# The Agent API now supports project scope and default roles.
# List routers on an L3 agent
# GET /agents/{agent_id}/l3-routers
-# Intended scope(s): system
-#"get_l3-routers": "role:reader and system_scope:all"
+# Intended scope(s): project
+#"get_l3-routers": "rule:admin_only"
# DEPRECATED
# "get_l3-routers":"rule:admin_only" has been deprecated since W in
-# favor of "get_l3-routers":"role:reader and system_scope:all".
-# The Agent API now supports system scope and default roles.
+# favor of "get_l3-routers":"rule:admin_only".
+# The Agent API now supports project scope and default roles.
# Remove a router from an L3 agent
# DELETE /agents/{agent_id}/l3-routers/{router_id}
-# Intended scope(s): system
-#"delete_l3-router": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"delete_l3-router": "rule:admin_only"
# DEPRECATED
# "delete_l3-router":"rule:admin_only" has been deprecated since W in
-# favor of "delete_l3-router":"role:admin and system_scope:all".
-# The Agent API now supports system scope and default roles.
+# favor of "delete_l3-router":"rule:admin_only".
+# The Agent API now supports project scope and default roles.
# List DHCP agents hosting a network
# GET /networks/{network_id}/dhcp-agents
-# Intended scope(s): system
-#"get_dhcp-agents": "role:reader and system_scope:all"
+# Intended scope(s): project
+#"get_dhcp-agents": "rule:admin_only"
# DEPRECATED
# "get_dhcp-agents":"rule:admin_only" has been deprecated since W in
-# favor of "get_dhcp-agents":"role:reader and system_scope:all".
-# The Agent API now supports system scope and default roles.
+# favor of "get_dhcp-agents":"rule:admin_only".
+# The Agent API now supports project scope and default roles.
# List L3 agents hosting a router
# GET /routers/{router_id}/l3-agents
-# Intended scope(s): system
-#"get_l3-agents": "role:reader and system_scope:all"
+# Intended scope(s): project
+#"get_l3-agents": "rule:admin_only"
# DEPRECATED
# "get_l3-agents":"rule:admin_only" has been deprecated since W in
-# favor of "get_l3-agents":"role:reader and system_scope:all".
-# The Agent API now supports system scope and default roles.
+# favor of "get_l3-agents":"rule:admin_only".
+# The Agent API now supports project scope and default roles.
# Get a project's auto-allocated topology
# GET /auto-allocated-topology/{project_id}
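Review bot: `create_address_scope:shared` and `update_address_scope:shared` move from `role:admin and project_id:%(project_id)s` to a bare `rule:admin_only`, so the documented default no longer ties the admin to the target's project. The definition of `admin_only` is outside this hunk; if it resolves to a role-only check, an admin role held in any project satisfies these rules. The same substitution is made for the metering-label rules in the `-655,122` hunk and for `create_network:shared`, `create_network:segments` and the `provider:*` attributes in the `-824,130` hunk. The DEPRECATED text below each rule now reads `"rule:admin_only" has been deprecated since W in favor of ... "rule:admin_only"`, so the file itself gives an operator no hint that the check changed. Since the file is generated, a release-note line such as `Synced neutron defaults replace "role:admin and project_id:%(project_id)s" with "rule:admin_only"; review who holds the admin role.` would carry it.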
@@ -266,192 +264,186 @@
# List availability zones
# GET /availability_zones
-# Intended scope(s): system
-#"get_availability_zone": "role:reader and system_scope:all"
+# Intended scope(s): project
+#"get_availability_zone": "rule:admin_only"
# DEPRECATED
# "get_availability_zone":"rule:regular_user" has been deprecated
-# since W in favor of "get_availability_zone":"role:reader and
-# system_scope:all".
-# The Availability Zone API now supports system scope and default
+# since W in favor of "get_availability_zone":"rule:admin_only".
+# The Availability Zone API now supports project scope and default
# roles.
# Create a flavor
# POST /flavors
-# Intended scope(s): system
-#"create_flavor": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"create_flavor": "rule:admin_only"
# DEPRECATED
# "create_flavor":"rule:admin_only" has been deprecated since W in
-# favor of "create_flavor":"role:admin and system_scope:all".
-# The flavor API now supports system scope and default roles.
+# favor of "create_flavor":"rule:admin_only".
+# The flavor API now supports project scope and default roles.
# Get a flavor
# GET /flavors
# GET /flavors/{id}
-# Intended scope(s): system, project
-#"get_flavor": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"get_flavor": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
# DEPRECATED
# "get_flavor":"rule:regular_user" has been deprecated since W in
-# favor of "get_flavor":"(role:reader and system_scope:all) or
-# (role:reader and project_id:%(project_id)s)".
-# The flavor API now supports system scope and default roles.
+# favor of "get_flavor":"(rule:admin_only) or (role:reader and
+# project_id:%(project_id)s)".
+# The flavor API now supports project scope and default roles.
# Update a flavor
# PUT /flavors/{id}
-# Intended scope(s): system
-#"update_flavor": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"update_flavor": "rule:admin_only"
# DEPRECATED
# "update_flavor":"rule:admin_only" has been deprecated since W in
-# favor of "update_flavor":"role:admin and system_scope:all".
-# The flavor API now supports system scope and default roles.
+# favor of "update_flavor":"rule:admin_only".
+# The flavor API now supports project scope and default roles.
# Delete a flavor
# DELETE /flavors/{id}
-# Intended scope(s): system
-#"delete_flavor": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"delete_flavor": "rule:admin_only"
# DEPRECATED
# "delete_flavor":"rule:admin_only" has been deprecated since W in
-# favor of "delete_flavor":"role:admin and system_scope:all".
-# The flavor API now supports system scope and default roles.
+# favor of "delete_flavor":"rule:admin_only".
+# The flavor API now supports project scope and default roles.
# Create a service profile
# POST /service_profiles
-# Intended scope(s): system
-#"create_service_profile": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"create_service_profile": "rule:admin_only"
# DEPRECATED
# "create_service_profile":"rule:admin_only" has been deprecated since
-# W in favor of "create_service_profile":"role:admin and
-# system_scope:all".
-# The flavor API now supports system scope and default roles.
+# W in favor of "create_service_profile":"rule:admin_only".
+# The flavor API now supports project scope and default roles.
# Get a service profile
# GET /service_profiles
# GET /service_profiles/{id}
-# Intended scope(s): system
-#"get_service_profile": "role:reader and system_scope:all"
+# Intended scope(s): project
+#"get_service_profile": "rule:admin_only"
# DEPRECATED
# "get_service_profile":"rule:admin_only" has been deprecated since W
-# in favor of "get_service_profile":"role:reader and
-# system_scope:all".
-# The flavor API now supports system scope and default roles.
+# in favor of "get_service_profile":"rule:admin_only".
+# The flavor API now supports project scope and default roles.
# Update a service profile
# PUT /service_profiles/{id}
-# Intended scope(s): system
-#"update_service_profile": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"update_service_profile": "rule:admin_only"
# DEPRECATED
# "update_service_profile":"rule:admin_only" has been deprecated since
-# W in favor of "update_service_profile":"role:admin and
-# system_scope:all".
-# The flavor API now supports system scope and default roles.
+# W in favor of "update_service_profile":"rule:admin_only".
+# The flavor API now supports project scope and default roles.
# Delete a service profile
# DELETE /service_profiles/{id}
-# Intended scope(s): system
-#"delete_service_profile": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"delete_service_profile": "rule:admin_only"
# DEPRECATED
# "delete_service_profile":"rule:admin_only" has been deprecated since
-# W in favor of "delete_service_profile":"role:admin and
-# system_scope:all".
-# The flavor API now supports system scope and default roles.
+# W in favor of "delete_service_profile":"rule:admin_only".
+# The flavor API now supports project scope and default roles.
# Get a flavor associated with a given service profiles. There is no
# corresponding GET operations in API currently. This rule is
# currently referred only in the DELETE of flavor_service_profile.
-# Intended scope(s): system, project
-#"get_flavor_service_profile": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"get_flavor_service_profile": "(rule:admin_only) or (role:reader and project_id:%(project_id)s)"
# DEPRECATED
# "get_flavor_service_profile":"rule:regular_user" has been deprecated
-# since W in favor of "get_flavor_service_profile":"(role:reader and
-# system_scope:all) or (role:reader and project_id:%(project_id)s)".
-# The flavor API now supports system scope and default roles.
+# since W in favor of "get_flavor_service_profile":"(rule:admin_only)
+# or (role:reader and project_id:%(project_id)s)".
+# The flavor API now supports project scope and default roles.
# Associate a flavor with a service profile
# POST /flavors/{flavor_id}/service_profiles
-# Intended scope(s): system
-#"create_flavor_service_profile": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"create_flavor_service_profile": "rule:admin_only"
# DEPRECATED
# "create_flavor_service_profile":"rule:admin_only" has been
# deprecated since W in favor of
-# "create_flavor_service_profile":"role:admin and system_scope:all".
-# The flavor API now supports system scope and default roles.
+# "create_flavor_service_profile":"rule:admin_only".
+# The flavor API now supports project scope and default roles.
# Disassociate a flavor with a service profile
# DELETE /flavors/{flavor_id}/service_profiles/{profile_id}
-# Intended scope(s): system
-#"delete_flavor_service_profile": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"delete_flavor_service_profile": "rule:admin_only"
# DEPRECATED
# "delete_flavor_service_profile":"rule:admin_only" has been
# deprecated since W in favor of
-# "delete_flavor_service_profile":"role:admin and system_scope:all".
-# The flavor API now supports system scope and default roles.
+# "delete_flavor_service_profile":"rule:admin_only".
+# The flavor API now supports project scope and default roles.
# Create a floating IP
# POST /floatingips
# Intended scope(s): project
-#"create_floatingip": "role:member and project_id:%(project_id)s"
+#"create_floatingip": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "create_floatingip":"rule:regular_user" has been deprecated since W
-# in favor of "create_floatingip":"role:member and
+# in favor of "create_floatingip":"rule:admin_only or role:member and
# project_id:%(project_id)s".
# The Floating IP API now supports system scope and default roles.
# Create a floating IP with a specific IP address
# POST /floatingips
# Intended scope(s): project
-#"create_floatingip:floating_ip_address": "role:admin and project_id:%(project_id)s"
+#"create_floatingip:floating_ip_address": "rule:admin_only"
# DEPRECATED
# "create_floatingip:floating_ip_address":"rule:admin_only" has been
# deprecated since W in favor of
-# "create_floatingip:floating_ip_address":"role:admin and
-# project_id:%(project_id)s".
+# "create_floatingip:floating_ip_address":"rule:admin_only".
# The Floating IP API now supports system scope and default roles.
# Get a floating IP
# GET /floatingips
# GET /floatingips/{id}
# Intended scope(s): project
-#"get_floatingip": "role:reader and project_id:%(project_id)s"
+#"get_floatingip": "rule:admin_only or role:reader and project_id:%(project_id)s"
# DEPRECATED
# "get_floatingip":"rule:admin_or_owner" has been deprecated since W
-# in favor of "get_floatingip":"role:reader and
+# in favor of "get_floatingip":"rule:admin_only or role:reader and
# project_id:%(project_id)s".
# The Floating IP API now supports system scope and default roles.
# Update a floating IP
# PUT /floatingips/{id}
# Intended scope(s): project
-#"update_floatingip": "role:member and project_id:%(project_id)s"
+#"update_floatingip": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "update_floatingip":"rule:admin_or_owner" has been deprecated since
-# W in favor of "update_floatingip":"role:member and
-# project_id:%(project_id)s".
+# W in favor of "update_floatingip":"rule:admin_only or role:member
+# and project_id:%(project_id)s".
# The Floating IP API now supports system scope and default roles.
# Delete a floating IP
# DELETE /floatingips/{id}
# Intended scope(s): project
-#"delete_floatingip": "role:member and project_id:%(project_id)s"
+#"delete_floatingip": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "delete_floatingip":"rule:admin_or_owner" has been deprecated since
-# W in favor of "delete_floatingip":"role:member and
-# project_id:%(project_id)s".
+# W in favor of "delete_floatingip":"rule:admin_only or role:member
+# and project_id:%(project_id)s".
# The Floating IP API now supports system scope and default roles.
# Get floating IP pools
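Review bot: The new check strings in this hunk spell the same shape two ways. `get_flavor` is written `(rule:admin_only) or (role:reader and project_id:%(project_id)s)`, while `create_floatingip`, `get_floatingip`, `update_floatingip` and `delete_floatingip` use `rule:admin_only or role:member and project_id:%(project_id)s` (`role:reader` for the GET) and rely on `and` binding tighter than `or`. For an authorization expression the grouping is better stated than implied, e.g. `rule:admin_only or (role:member and project_id:%(project_id)s)`. The file is generated from neutron's defaults, so the change would belong upstream rather than in this copy. The unparenthesised form also appears in the address-scope rules of the `-62,181` hunk and the network rules of the `-824,130` hunk.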
@@ -655,122 +647,117 @@
# Get loggable resources
# GET /log/loggable-resources
-# Intended scope(s): system
-#"get_loggable_resource": "role:reader and system_scope:all"
+# Intended scope(s): project
+#"get_loggable_resource": "rule:admin_only"
# DEPRECATED
# "get_loggable_resource":"rule:admin_only" has been deprecated since
-# W in favor of "get_loggable_resource":"role:reader and
-# system_scope:all".
-# The logging API now supports system scope and default roles.
+# W in favor of "get_loggable_resource":"rule:admin_only".
+# The logging API now supports project scope and default roles.
# Create a network log
# POST /log/logs
-# Intended scope(s): system
-#"create_log": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"create_log": "rule:admin_only"
# DEPRECATED
# "create_log":"rule:admin_only" has been deprecated since W in favor
-# of "create_log":"role:admin and system_scope:all".
-# The logging API now supports system scope and default roles.
+# of "create_log":"rule:admin_only".
+# The logging API now supports project scope and default roles.
# Get a network log
# GET /log/logs
# GET /log/logs/{id}
-# Intended scope(s): system
-#"get_log": "role:reader and system_scope:all"
+# Intended scope(s): project
+#"get_log": "rule:admin_only"
# DEPRECATED
# "get_log":"rule:admin_only" has been deprecated since W in favor of
-# "get_log":"role:reader and system_scope:all".
-# The logging API now supports system scope and default roles.
+# "get_log":"rule:admin_only".
+# The logging API now supports project scope and default roles.
# Update a network log
# PUT /log/logs/{id}
-# Intended scope(s): system
-#"update_log": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"update_log": "rule:admin_only"
# DEPRECATED
# "update_log":"rule:admin_only" has been deprecated since W in favor
-# of "update_log":"role:admin and system_scope:all".
-# The logging API now supports system scope and default roles.
+# of "update_log":"rule:admin_only".
+# The logging API now supports project scope and default roles.
# Delete a network log
# DELETE /log/logs/{id}
-# Intended scope(s): system
-#"delete_log": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"delete_log": "rule:admin_only"
# DEPRECATED
# "delete_log":"rule:admin_only" has been deprecated since W in favor
-# of "delete_log":"role:admin and system_scope:all".
-# The logging API now supports system scope and default roles.
+# of "delete_log":"rule:admin_only".
+# The logging API now supports project scope and default roles.
# Create a metering label
# POST /metering/metering-labels
# Intended scope(s): project
-#"create_metering_label": "role:admin and project_id:%(project_id)s"
+#"create_metering_label": "rule:admin_only"
# DEPRECATED
# "create_metering_label":"rule:admin_only" has been deprecated since
-# W in favor of "create_metering_label":"role:admin and
-# project_id:%(project_id)s".
+# W in favor of "create_metering_label":"rule:admin_only".
# The metering API now supports system scope and default roles.
# Get a metering label
# GET /metering/metering-labels
# GET /metering/metering-labels/{id}
# Intended scope(s): project
-#"get_metering_label": "role:reader and project_id:%(project_id)s"
+#"get_metering_label": "rule:admin_only or role:reader and project_id:%(project_id)s"
# DEPRECATED
# "get_metering_label":"rule:admin_only" has been deprecated since W
-# in favor of "get_metering_label":"role:reader and
+# in favor of "get_metering_label":"rule:admin_only or role:reader and
# project_id:%(project_id)s".
# The metering API now supports system scope and default roles.
# Delete a metering label
# DELETE /metering/metering-labels/{id}
# Intended scope(s): project
-#"delete_metering_label": "role:admin and project_id:%(project_id)s"
+#"delete_metering_label": "rule:admin_only"
# DEPRECATED
# "delete_metering_label":"rule:admin_only" has been deprecated since
-# W in favor of "delete_metering_label":"role:admin and
-# project_id:%(project_id)s".
+# W in favor of "delete_metering_label":"rule:admin_only".
# The metering API now supports system scope and default roles.
# Create a metering label rule
# POST /metering/metering-label-rules
# Intended scope(s): project
-#"create_metering_label_rule": "role:admin and project_id:%(project_id)s"
+#"create_metering_label_rule": "rule:admin_only"
# DEPRECATED
# "create_metering_label_rule":"rule:admin_only" has been deprecated
-# since W in favor of "create_metering_label_rule":"role:admin and
-# project_id:%(project_id)s".
+# since W in favor of "create_metering_label_rule":"rule:admin_only".
# The metering API now supports system scope and default roles.
# Get a metering label rule
# GET /metering/metering-label-rules
# GET /metering/metering-label-rules/{id}
# Intended scope(s): project
-#"get_metering_label_rule": "role:reader and project_id:%(project_id)s"
+#"get_metering_label_rule": "rule:admin_only or role:reader and project_id:%(project_id)s"
# DEPRECATED
# "get_metering_label_rule":"rule:admin_only" has been deprecated
-# since W in favor of "get_metering_label_rule":"role:reader and
-# project_id:%(project_id)s".
+# since W in favor of "get_metering_label_rule":"rule:admin_only or
+# role:reader and project_id:%(project_id)s".
# The metering API now supports system scope and default roles.
# Delete a metering label rule
# DELETE /metering/metering-label-rules/{id}
# Intended scope(s): project
-#"delete_metering_label_rule": "role:admin and project_id:%(project_id)s"
+#"delete_metering_label_rule": "rule:admin_only"
# DEPRECATED
# "delete_metering_label_rule":"rule:admin_only" has been deprecated
-# since W in favor of "delete_metering_label_rule":"role:admin and
-# project_id:%(project_id)s".
+# since W in favor of "delete_metering_label_rule":"rule:admin_only".
# The metering API now supports system scope and default roles.
# Create a ndp proxy
@@ -824,130 +811,124 @@
# Create a network
# POST /networks
# Intended scope(s): project
-#"create_network": "role:member and project_id:%(project_id)s"
+#"create_network": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "create_network":"rule:regular_user" has been deprecated since W in
-# favor of "create_network":"role:member and
+# favor of "create_network":"rule:admin_only or role:member and
# project_id:%(project_id)s".
# The network API now supports system scope and default roles.
# Create a shared network
# POST /networks
# Intended scope(s): project
-#"create_network:shared": "role:admin and project_id:%(project_id)s"
+#"create_network:shared": "rule:admin_only"
# DEPRECATED
# "create_network:shared":"rule:admin_only" has been deprecated since
-# W in favor of "create_network:shared":"role:admin and
-# project_id:%(project_id)s".
+# W in favor of "create_network:shared":"rule:admin_only".
# The network API now supports system scope and default roles.
# Create an external network
# POST /networks
# Intended scope(s): project
-#"create_network:router:external": "role:admin and project_id:%(project_id)s"
+#"create_network:router:external": "rule:admin_only"
# DEPRECATED
# "create_network:router:external":"rule:admin_only" has been
# deprecated since W in favor of
-# "create_network:router:external":"role:admin and
-# project_id:%(project_id)s".
+# "create_network:router:external":"rule:admin_only".
# The network API now supports system scope and default roles.
# Specify ``is_default`` attribute when creating a network
# POST /networks
# Intended scope(s): project
-#"create_network:is_default": "role:admin and project_id:%(project_id)s"
+#"create_network:is_default": "rule:admin_only"
# DEPRECATED
# "create_network:is_default":"rule:admin_only" has been deprecated
-# since W in favor of "create_network:is_default":"role:admin and
-# project_id:%(project_id)s".
+# since W in favor of "create_network:is_default":"rule:admin_only".
# The network API now supports system scope and default roles.
# Specify ``port_security_enabled`` attribute when creating a network
# POST /networks
# Intended scope(s): project
-#"create_network:port_security_enabled": "role:member and project_id:%(project_id)s"
+#"create_network:port_security_enabled": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "create_network:port_security_enabled":"rule:regular_user" has been
# deprecated since W in favor of
-# "create_network:port_security_enabled":"role:member and
-# project_id:%(project_id)s".
+# "create_network:port_security_enabled":"rule:admin_only or
+# role:member and project_id:%(project_id)s".
# The network API now supports system scope and default roles.
# Specify ``segments`` attribute when creating a network
# POST /networks
# Intended scope(s): project
-#"create_network:segments": "role:admin and project_id:%(project_id)s"
+#"create_network:segments": "rule:admin_only"
# DEPRECATED
# "create_network:segments":"rule:admin_only" has been deprecated
-# since W in favor of "create_network:segments":"role:admin and
-# project_id:%(project_id)s".
+# since W in favor of "create_network:segments":"rule:admin_only".
# The network API now supports system scope and default roles.
# Specify ``provider:network_type`` when creating a network
# POST /networks
# Intended scope(s): project
-#"create_network:provider:network_type": "role:admin and project_id:%(project_id)s"
+#"create_network:provider:network_type": "rule:admin_only"
# DEPRECATED
# "create_network:provider:network_type":"rule:admin_only" has been
# deprecated since W in favor of
-# "create_network:provider:network_type":"role:admin and
-# project_id:%(project_id)s".
+# "create_network:provider:network_type":"rule:admin_only".
# The network API now supports system scope and default roles.
# Specify ``provider:physical_network`` when creating a network
# POST /networks
# Intended scope(s): project
-#"create_network:provider:physical_network": "role:admin and project_id:%(project_id)s"
+#"create_network:provider:physical_network": "rule:admin_only"
# DEPRECATED
# "create_network:provider:physical_network":"rule:admin_only" has
# been deprecated since W in favor of
-# "create_network:provider:physical_network":"role:admin and
-# project_id:%(project_id)s".
+# "create_network:provider:physical_network":"rule:admin_only".
# The network API now supports system scope and default roles.
# Specify ``provider:segmentation_id`` when creating a network
# POST /networks
# Intended scope(s): project
-#"create_network:provider:segmentation_id": "role:admin and project_id:%(project_id)s"
+#"create_network:provider:segmentation_id": "rule:admin_only"
# DEPRECATED
# "create_network:provider:segmentation_id":"rule:admin_only" has been
# deprecated since W in favor of
-# "create_network:provider:segmentation_id":"role:admin and
-# project_id:%(project_id)s".
+# "create_network:provider:segmentation_id":"rule:admin_only".
# The network API now supports system scope and default roles.
# Get a network
# GET /networks
# GET /networks/{id}
# Intended scope(s): project
-#"get_network": "role:reader and project_id:%(project_id)s or rule:shared or rule:external or rule:context_is_advsvc"
+#"get_network": "rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared or rule:external or rule:context_is_advsvc"
# DEPRECATED
# "get_network":"rule:admin_or_owner or rule:shared or rule:external
# or rule:context_is_advsvc" has been deprecated since W in favor of
-# "get_network":"role:reader and project_id:%(project_id)s or
-# rule:shared or rule:external or rule:context_is_advsvc".
+# "get_network":"rule:admin_only or role:reader and
+# project_id:%(project_id)s or rule:shared or rule:external or
+# rule:context_is_advsvc".
# The network API now supports system scope and default roles.
# Get ``router:external`` attribute of a network
# GET /networks
# GET /networks/{id}
# Intended scope(s): project
-#"get_network:router:external": "role:reader and project_id:%(project_id)s"
+#"get_network:router:external": "rule:admin_only or role:reader and project_id:%(project_id)s"
# DEPRECATED
# "get_network:router:external":"rule:regular_user" has been
# deprecated since W in favor of
-# "get_network:router:external":"role:reader and
+# "get_network:router:external":"rule:admin_only or role:reader and
# project_id:%(project_id)s".
# The network API now supports system scope and default roles.
@@ -955,228 +936,215 @@
# GET /networks
# GET /networks/{id}
# Intended scope(s): project
-#"get_network:segments": "role:admin and project_id:%(project_id)s"
+#"get_network:segments": "rule:admin_only"
# DEPRECATED
# "get_network:segments":"rule:admin_only" has been deprecated since W
-# in favor of "get_network:segments":"role:admin and
-# project_id:%(project_id)s".
+# in favor of "get_network:segments":"rule:admin_only".
# The network API now supports system scope and default roles.
# Get ``provider:network_type`` attribute of a network
# GET /networks
# GET /networks/{id}
# Intended scope(s): project
-#"get_network:provider:network_type": "role:admin and project_id:%(project_id)s"
+#"get_network:provider:network_type": "rule:admin_only"
# DEPRECATED
# "get_network:provider:network_type":"rule:admin_only" has been
# deprecated since W in favor of
-# "get_network:provider:network_type":"role:admin and
-# project_id:%(project_id)s".
+# "get_network:provider:network_type":"rule:admin_only".
# The network API now supports system scope and default roles.
# Get ``provider:physical_network`` attribute of a network
# GET /networks
# GET /networks/{id}
# Intended scope(s): project
-#"get_network:provider:physical_network": "role:admin and project_id:%(project_id)s"
+#"get_network:provider:physical_network": "rule:admin_only"
# DEPRECATED
# "get_network:provider:physical_network":"rule:admin_only" has been
# deprecated since W in favor of
-# "get_network:provider:physical_network":"role:admin and
-# project_id:%(project_id)s".
+# "get_network:provider:physical_network":"rule:admin_only".
# The network API now supports system scope and default roles.
# Get ``provider:segmentation_id`` attribute of a network
# GET /networks
# GET /networks/{id}
# Intended scope(s): project
-#"get_network:provider:segmentation_id": "role:admin and project_id:%(project_id)s"
+#"get_network:provider:segmentation_id": "rule:admin_only"
# DEPRECATED
# "get_network:provider:segmentation_id":"rule:admin_only" has been
# deprecated since W in favor of
-# "get_network:provider:segmentation_id":"role:admin and
-# project_id:%(project_id)s".
+# "get_network:provider:segmentation_id":"rule:admin_only".
# The network API now supports system scope and default roles.
# Update a network
# PUT /networks/{id}
# Intended scope(s): project
-#"update_network": "role:member and project_id:%(project_id)s"
+#"update_network": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "update_network":"rule:admin_or_owner" has been deprecated since W
-# in favor of "update_network":"role:member and
+# in favor of "update_network":"rule:admin_only or role:member and
# project_id:%(project_id)s".
# The network API now supports system scope and default roles.
# Update ``segments`` attribute of a network
# PUT /networks/{id}
# Intended scope(s): project
-#"update_network:segments": "role:admin and project_id:%(project_id)s"
+#"update_network:segments": "rule:admin_only"
# DEPRECATED
# "update_network:segments":"rule:admin_only" has been deprecated
-# since W in favor of "update_network:segments":"role:admin and
-# project_id:%(project_id)s".
+# since W in favor of "update_network:segments":"rule:admin_only".
# The network API now supports system scope and default roles.
# Update ``shared`` attribute of a network
# PUT /networks/{id}
# Intended scope(s): project
-#"update_network:shared": "role:admin and project_id:%(project_id)s"
+#"update_network:shared": "rule:admin_only"
# DEPRECATED
# "update_network:shared":"rule:admin_only" has been deprecated since
-# W in favor of "update_network:shared":"role:admin and
-# project_id:%(project_id)s".
+# W in favor of "update_network:shared":"rule:admin_only".
# The network API now supports system scope and default roles.
# Update ``provider:network_type`` attribute of a network
# PUT /networks/{id}
# Intended scope(s): project
-#"update_network:provider:network_type": "role:admin and project_id:%(project_id)s"
+#"update_network:provider:network_type": "rule:admin_only"
# DEPRECATED
# "update_network:provider:network_type":"rule:admin_only" has been
# deprecated since W in favor of
-# "update_network:provider:network_type":"role:admin and
-# project_id:%(project_id)s".
+# "update_network:provider:network_type":"rule:admin_only".
# The network API now supports system scope and default roles.
# Update ``provider:physical_network`` attribute of a network
# PUT /networks/{id}
# Intended scope(s): project
-#"update_network:provider:physical_network": "role:admin and project_id:%(project_id)s"
+#"update_network:provider:physical_network": "rule:admin_only"
# DEPRECATED
# "update_network:provider:physical_network":"rule:admin_only" has
# been deprecated since W in favor of
-# "update_network:provider:physical_network":"role:admin and
-# project_id:%(project_id)s".
+# "update_network:provider:physical_network":"rule:admin_only".
# The network API now supports system scope and default roles.
# Update ``provider:segmentation_id`` attribute of a network
# PUT /networks/{id}
# Intended scope(s): project
-#"update_network:provider:segmentation_id": "role:admin and project_id:%(project_id)s"
+#"update_network:provider:segmentation_id": "rule:admin_only"
# DEPRECATED
# "update_network:provider:segmentation_id":"rule:admin_only" has been
# deprecated since W in favor of
-# "update_network:provider:segmentation_id":"role:admin and
-# project_id:%(project_id)s".
+# "update_network:provider:segmentation_id":"rule:admin_only".
# The network API now supports system scope and default roles.
# Update ``router:external`` attribute of a network
# PUT /networks/{id}
# Intended scope(s): project
-#"update_network:router:external": "role:admin and project_id:%(project_id)s"
+#"update_network:router:external": "rule:admin_only"
# DEPRECATED
# "update_network:router:external":"rule:admin_only" has been
# deprecated since W in favor of
-# "update_network:router:external":"role:admin and
-# project_id:%(project_id)s".
+# "update_network:router:external":"rule:admin_only".
# The network API now supports system scope and default roles.
# Update ``is_default`` attribute of a network
# PUT /networks/{id}
# Intended scope(s): project
-#"update_network:is_default": "role:admin and project_id:%(project_id)s"
+#"update_network:is_default": "rule:admin_only"
# DEPRECATED
# "update_network:is_default":"rule:admin_only" has been deprecated
-# since W in favor of "update_network:is_default":"role:admin and
-# project_id:%(project_id)s".
+# since W in favor of "update_network:is_default":"rule:admin_only".
# The network API now supports system scope and default roles.
# Update ``port_security_enabled`` attribute of a network
# PUT /networks/{id}
# Intended scope(s): project
-#"update_network:port_security_enabled": "role:member and project_id:%(project_id)s"
+#"update_network:port_security_enabled": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "update_network:port_security_enabled":"rule:admin_or_owner" has
# been deprecated since W in favor of
-# "update_network:port_security_enabled":"role:member and
-# project_id:%(project_id)s".
+# "update_network:port_security_enabled":"rule:admin_only or
+# role:member and project_id:%(project_id)s".
# The network API now supports system scope and default roles.
# Delete a network
# DELETE /networks/{id}
# Intended scope(s): project
-#"delete_network": "role:member and project_id:%(project_id)s"
+#"delete_network": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "delete_network":"rule:admin_or_owner" has been deprecated since W
-# in favor of "delete_network":"role:member and
+# in favor of "delete_network":"rule:admin_only or role:member and
# project_id:%(project_id)s".
# The network API now supports system scope and default roles.
# Get network IP availability
# GET /network-ip-availabilities
# GET /network-ip-availabilities/{network_id}
-# Intended scope(s): system
-#"get_network_ip_availability": "role:reader and system_scope:all"
+# Intended scope(s): project
+#"get_network_ip_availability": "rule:admin_only"
# DEPRECATED
# "get_network_ip_availability":"rule:admin_only" has been deprecated
-# since W in favor of "get_network_ip_availability":"role:reader and
-# system_scope:all".
-# The network IP availability API now support system scope and default
-# roles.
+# since W in favor of "get_network_ip_availability":"rule:admin_only".
+# The network IP availability API now support project scope and
+# default roles.
# Create a network segment range
# POST /network_segment_ranges
-# Intended scope(s): system
-#"create_network_segment_range": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"create_network_segment_range": "rule:admin_only"
# DEPRECATED
# "create_network_segment_range":"rule:admin_only" has been deprecated
-# since W in favor of "create_network_segment_range":"role:admin and
-# system_scope:all".
-# The network segment range API now supports system scope and default
+# since W in favor of
+# "create_network_segment_range":"rule:admin_only".
+# The network segment range API now supports project scope and default
# roles.
# Get a network segment range
# GET /network_segment_ranges
# GET /network_segment_ranges/{id}
-# Intended scope(s): system
-#"get_network_segment_range": "role:reader and system_scope:all"
+# Intended scope(s): project
+#"get_network_segment_range": "rule:admin_only"
# DEPRECATED
# "get_network_segment_range":"rule:admin_only" has been deprecated
-# since W in favor of "get_network_segment_range":"role:reader and
-# system_scope:all".
-# The network segment range API now supports system scope and default
+# since W in favor of "get_network_segment_range":"rule:admin_only".
+# The network segment range API now supports project scope and default
# roles.
# Update a network segment range
# PUT /network_segment_ranges/{id}
-# Intended scope(s): system
-#"update_network_segment_range": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"update_network_segment_range": "rule:admin_only"
# DEPRECATED
# "update_network_segment_range":"rule:admin_only" has been deprecated
-# since W in favor of "update_network_segment_range":"role:admin and
-# system_scope:all".
-# The network segment range API now supports system scope and default
+# since W in favor of
+# "update_network_segment_range":"rule:admin_only".
+# The network segment range API now supports project scope and default
# roles.
# Delete a network segment range
# DELETE /network_segment_ranges/{id}
-# Intended scope(s): system
-#"delete_network_segment_range": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"delete_network_segment_range": "rule:admin_only"
# DEPRECATED
# "delete_network_segment_range":"rule:admin_only" has been deprecated
-# since W in favor of "delete_network_segment_range":"role:admin and
-# system_scope:all".
-# The network segment range API now supports system scope and default
+# since W in favor of
+# "delete_network_segment_range":"rule:admin_only".
+# The network segment range API now supports project scope and default
# roles.
# Definition of port with network device_owner
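Review bot: The entries at the end of this hunk (`get_network_ip_availability` and the four `*_network_segment_range` rules) move from `Intended scope(s): system` to `project` while their default becomes `rule:admin_only`, which has no `project_id:%(project_id)s` term. `admin_only` is defined outside this hunk; if it resolves to a bare admin-role check, an admin role on any single project satisfies these rules for deployment-wide resources. The same applies to the `provider:*`, `segments`, `shared`, `router:external` and `is_default` attribute rules earlier in the hunk, which dropped their project term. Every line here is a commented sample, so the text is all an operator sees; I would add under those entries something like `# NOTE: rule:admin_only is not bound to the request's project; check the admin_only definition before overriding.` The DEPRECATED blocks for these rules now describe a string deprecated in favor of the identical string (for example `get_network:segments`), and several still say "supports system scope" under a project-only scope; that wording appears to come from the source of the sync and is better corrected there than by hand.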
@@ -1188,787 +1156,787 @@
# Create a port
# POST /ports
# Intended scope(s): project
-#"create_port": "role:member and project_id:%(project_id)s"
+#"create_port": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "create_port":"rule:regular_user" has been deprecated since W in
-# favor of "create_port":"role:member and project_id:%(project_id)s".
-# The port API now supports system scope and default roles.
+# favor of "create_port":"rule:admin_only or role:member and
+# project_id:%(project_id)s".
+# The port API now supports project scope and default roles.
-# Specify ``device_owner`` attribute when creting a port
+# Specify ``device_owner`` attribute when creating a port
# POST /ports
# Intended scope(s): project
-#"create_port:device_owner": "not rule:network_device or role:admin and project_id:%(project_id)s or rule:context_is_advsvc or rule:network_owner"
+#"create_port:device_owner": "not rule:network_device or rule:admin_only or rule:context_is_advsvc or rule:network_owner"
# DEPRECATED
# "create_port:device_owner":"not rule:network_device or
# rule:context_is_advsvc or rule:admin_or_network_owner" has been
# deprecated since W in favor of "create_port:device_owner":"not
-# rule:network_device or role:admin and project_id:%(project_id)s or
-# rule:context_is_advsvc or rule:network_owner".
-# The port API now supports system scope and default roles.
+# rule:network_device or rule:admin_only or rule:context_is_advsvc or
+# rule:network_owner".
+# The port API now supports project scope and default roles.
# Specify ``mac_address`` attribute when creating a port
# POST /ports
# Intended scope(s): project
-#"create_port:mac_address": "rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s"
+#"create_port:mac_address": "rule:context_is_advsvc or rule:network_owner or rule:admin_only"
# DEPRECATED
# "create_port:mac_address":"rule:context_is_advsvc or
# rule:admin_or_network_owner" has been deprecated since W in favor of
# "create_port:mac_address":"rule:context_is_advsvc or
-# rule:network_owner or role:admin and project_id:%(project_id)s".
-# The port API now supports system scope and default roles.
+# rule:network_owner or rule:admin_only".
+# The port API now supports project scope and default roles.
# Specify ``fixed_ips`` information when creating a port
# POST /ports
# Intended scope(s): project
-#"create_port:fixed_ips": "rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s or rule:shared"
+#"create_port:fixed_ips": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared"
# DEPRECATED
# "create_port:fixed_ips":"rule:context_is_advsvc or
# rule:admin_or_network_owner or rule:shared" has been deprecated
# since W in favor of "create_port:fixed_ips":"rule:context_is_advsvc
-# or rule:network_owner or role:admin and project_id:%(project_id)s or
-# rule:shared".
-# The port API now supports system scope and default roles.
+# or rule:network_owner or rule:admin_only or rule:shared".
+# The port API now supports project scope and default roles.
# Specify IP address in ``fixed_ips`` when creating a port
# POST /ports
# Intended scope(s): project
-#"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s"
+#"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:network_owner or rule:admin_only"
# DEPRECATED
# "create_port:fixed_ips:ip_address":"rule:context_is_advsvc or
# rule:admin_or_network_owner" has been deprecated since W in favor of
# "create_port:fixed_ips:ip_address":"rule:context_is_advsvc or
-# rule:network_owner or role:admin and project_id:%(project_id)s".
-# The port API now supports system scope and default roles.
+# rule:network_owner or rule:admin_only".
+# The port API now supports project scope and default roles.
# Specify subnet ID in ``fixed_ips`` when creating a port
# POST /ports
# Intended scope(s): project
-#"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s or rule:shared"
+#"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared"
# DEPRECATED
# "create_port:fixed_ips:subnet_id":"rule:context_is_advsvc or
# rule:admin_or_network_owner or rule:shared" has been deprecated
# since W in favor of
# "create_port:fixed_ips:subnet_id":"rule:context_is_advsvc or
-# rule:network_owner or role:admin and project_id:%(project_id)s or
-# rule:shared".
-# The port API now supports system scope and default roles.
+# rule:network_owner or rule:admin_only or rule:shared".
+# The port API now supports project scope and default roles.
# Specify ``port_security_enabled`` attribute when creating a port
# POST /ports
# Intended scope(s): project
-#"create_port:port_security_enabled": "rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s"
+#"create_port:port_security_enabled": "rule:context_is_advsvc or rule:network_owner or rule:admin_only"
# DEPRECATED
# "create_port:port_security_enabled":"rule:context_is_advsvc or
# rule:admin_or_network_owner" has been deprecated since W in favor of
# "create_port:port_security_enabled":"rule:context_is_advsvc or
-# rule:network_owner or role:admin and project_id:%(project_id)s".
-# The port API now supports system scope and default roles.
+# rule:network_owner or rule:admin_only".
+# The port API now supports project scope and default roles.
# Specify ``binding:host_id`` attribute when creating a port
# POST /ports
# Intended scope(s): project
-#"create_port:binding:host_id": "role:admin and project_id:%(project_id)s"
+#"create_port:binding:host_id": "rule:admin_only"
# DEPRECATED
# "create_port:binding:host_id":"rule:admin_only" has been deprecated
-# since W in favor of "create_port:binding:host_id":"role:admin and
-# project_id:%(project_id)s".
-# The port API now supports system scope and default roles.
+# since W in favor of "create_port:binding:host_id":"rule:admin_only".
+# The port API now supports project scope and default roles.
# Specify ``binding:profile`` attribute when creating a port
# POST /ports
# Intended scope(s): project
-#"create_port:binding:profile": "role:admin and project_id:%(project_id)s"
+#"create_port:binding:profile": "rule:admin_only"
# DEPRECATED
# "create_port:binding:profile":"rule:admin_only" has been deprecated
-# since W in favor of "create_port:binding:profile":"role:admin and
-# project_id:%(project_id)s".
-# The port API now supports system scope and default roles.
+# since W in favor of "create_port:binding:profile":"rule:admin_only".
+# The port API now supports project scope and default roles.
# Specify ``binding:vnic_type`` attribute when creating a port
# POST /ports
# Intended scope(s): project
-#"create_port:binding:vnic_type": "role:member and project_id:%(project_id)s"
+#"create_port:binding:vnic_type": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "create_port:binding:vnic_type":"rule:regular_user" has been
# deprecated since W in favor of
-# "create_port:binding:vnic_type":"role:member and
+# "create_port:binding:vnic_type":"rule:admin_only or role:member and
# project_id:%(project_id)s".
-# The port API now supports system scope and default roles.
+# The port API now supports project scope and default roles.
# Specify ``allowed_address_pairs`` attribute when creating a port
# POST /ports
# Intended scope(s): project
-#"create_port:allowed_address_pairs": "role:admin and project_id:%(project_id)s or rule:network_owner"
+#"create_port:allowed_address_pairs": "rule:admin_only or rule:network_owner"
# DEPRECATED
# "create_port:allowed_address_pairs":"rule:admin_or_network_owner"
# has been deprecated since W in favor of
-# "create_port:allowed_address_pairs":"role:admin and
-# project_id:%(project_id)s or rule:network_owner".
-# The port API now supports system scope and default roles.
+# "create_port:allowed_address_pairs":"rule:admin_only or
+# rule:network_owner".
+# The port API now supports project scope and default roles.
# Specify ``mac_address` of `allowed_address_pairs`` attribute when
# creating a port
# POST /ports
# Intended scope(s): project
-#"create_port:allowed_address_pairs:mac_address": "role:admin and project_id:%(project_id)s or rule:network_owner"
+#"create_port:allowed_address_pairs:mac_address": "rule:admin_only or rule:network_owner"
# DEPRECATED
# "create_port:allowed_address_pairs:mac_address":"rule:admin_or_netwo
# rk_owner" has been deprecated since W in favor of
-# "create_port:allowed_address_pairs:mac_address":"role:admin and
-# project_id:%(project_id)s or rule:network_owner".
-# The port API now supports system scope and default roles.
+# "create_port:allowed_address_pairs:mac_address":"rule:admin_only or
+# rule:network_owner".
+# The port API now supports project scope and default roles.
# Specify ``ip_address`` of ``allowed_address_pairs`` attribute when
# creating a port
# POST /ports
# Intended scope(s): project
-#"create_port:allowed_address_pairs:ip_address": "role:admin and project_id:%(project_id)s or rule:network_owner"
+#"create_port:allowed_address_pairs:ip_address": "rule:admin_only or rule:network_owner"
# DEPRECATED
# "create_port:allowed_address_pairs:ip_address":"rule:admin_or_networ
# k_owner" has been deprecated since W in favor of
-# "create_port:allowed_address_pairs:ip_address":"role:admin and
-# project_id:%(project_id)s or rule:network_owner".
-# The port API now supports system scope and default roles.
+# "create_port:allowed_address_pairs:ip_address":"rule:admin_only or
+# rule:network_owner".
+# The port API now supports project scope and default roles.
# Get a port
# GET /ports
# GET /ports/{id}
# Intended scope(s): project
-#"get_port": "rule:context_is_advsvc or role:reader and project_id:%(project_id)s"
+#"get_port": "rule:admin_only or rule:context_is_advsvc or role:reader and project_id:%(project_id)s"
# DEPRECATED
# "get_port":"rule:context_is_advsvc or
# rule:admin_owner_or_network_owner" has been deprecated since W in
-# favor of "get_port":"rule:context_is_advsvc or role:reader and
-# project_id:%(project_id)s".
-# The port API now supports system scope and default roles.
+# favor of "get_port":"rule:admin_only or rule:context_is_advsvc or
+# role:reader and project_id:%(project_id)s".
+# The port API now supports project scope and default roles.
# Get ``binding:vif_type`` attribute of a port
# GET /ports
# GET /ports/{id}
# Intended scope(s): project
-#"get_port:binding:vif_type": "role:admin and project_id:%(project_id)s"
+#"get_port:binding:vif_type": "rule:admin_only"
# DEPRECATED
# "get_port:binding:vif_type":"rule:admin_only" has been deprecated
-# since W in favor of "get_port:binding:vif_type":"role:admin and
-# project_id:%(project_id)s".
-# The port API now supports system scope and default roles.
+# since W in favor of "get_port:binding:vif_type":"rule:admin_only".
+# The port API now supports project scope and default roles.
# Get ``binding:vif_details`` attribute of a port
# GET /ports
# GET /ports/{id}
# Intended scope(s): project
-#"get_port:binding:vif_details": "role:admin and project_id:%(project_id)s"
+#"get_port:binding:vif_details": "rule:admin_only"
# DEPRECATED
# "get_port:binding:vif_details":"rule:admin_only" has been deprecated
-# since W in favor of "get_port:binding:vif_details":"role:admin and
-# project_id:%(project_id)s".
-# The port API now supports system scope and default roles.
+# since W in favor of
+# "get_port:binding:vif_details":"rule:admin_only".
+# The port API now supports project scope and default roles.
# Get ``binding:host_id`` attribute of a port
# GET /ports
# GET /ports/{id}
# Intended scope(s): project
-#"get_port:binding:host_id": "role:admin and project_id:%(project_id)s"
+#"get_port:binding:host_id": "rule:admin_only"
# DEPRECATED
# "get_port:binding:host_id":"rule:admin_only" has been deprecated
-# since W in favor of "get_port:binding:host_id":"role:admin and
-# project_id:%(project_id)s".
-# The port API now supports system scope and default roles.
+# since W in favor of "get_port:binding:host_id":"rule:admin_only".
+# The port API now supports project scope and default roles.
# Get ``binding:profile`` attribute of a port
# GET /ports
# GET /ports/{id}
# Intended scope(s): project
-#"get_port:binding:profile": "role:admin and project_id:%(project_id)s"
+#"get_port:binding:profile": "rule:admin_only"
# DEPRECATED
# "get_port:binding:profile":"rule:admin_only" has been deprecated
-# since W in favor of "get_port:binding:profile":"role:admin and
-# project_id:%(project_id)s".
-# The port API now supports system scope and default roles.
+# since W in favor of "get_port:binding:profile":"rule:admin_only".
+# The port API now supports project scope and default roles.
# Get ``resource_request`` attribute of a port
# GET /ports
# GET /ports/{id}
# Intended scope(s): project
-#"get_port:resource_request": "role:admin and project_id:%(project_id)s"
+#"get_port:resource_request": "rule:admin_only"
# DEPRECATED
# "get_port:resource_request":"rule:admin_only" has been deprecated
-# since W in favor of "get_port:resource_request":"role:admin and
-# project_id:%(project_id)s".
-# The port API now supports system scope and default roles.
+# since W in favor of "get_port:resource_request":"rule:admin_only".
+# The port API now supports project scope and default roles.
# Update a port
# PUT /ports/{id}
# Intended scope(s): project
-#"update_port": "role:member and project_id:%(project_id)s or rule:context_is_advsvc"
+#"update_port": "rule:admin_only or role:member and project_id:%(project_id)s or rule:context_is_advsvc"
# DEPRECATED
# "update_port":"rule:admin_or_owner or rule:context_is_advsvc" has
-# been deprecated since W in favor of "update_port":"role:member and
-# project_id:%(project_id)s or rule:context_is_advsvc".
-# The port API now supports system scope and default roles.
+# been deprecated since W in favor of "update_port":"rule:admin_only
+# or role:member and project_id:%(project_id)s or
+# rule:context_is_advsvc".
+# The port API now supports project scope and default roles.
# Update ``device_owner`` attribute of a port
# PUT /ports/{id}
# Intended scope(s): project
-#"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s"
+#"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:network_owner or rule:admin_only"
# DEPRECATED
# "update_port:device_owner":"not rule:network_device or
# rule:context_is_advsvc or rule:admin_or_network_owner" has been
# deprecated since W in favor of "update_port:device_owner":"not
# rule:network_device or rule:context_is_advsvc or rule:network_owner
-# or role:admin and project_id:%(project_id)s".
-# The port API now supports system scope and default roles.
+# or rule:admin_only".
+# The port API now supports project scope and default roles.
# Update ``mac_address`` attribute of a port
# PUT /ports/{id}
# Intended scope(s): project
-#"update_port:mac_address": "role:admin and project_id:%(project_id)s or rule:context_is_advsvc"
+#"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc"
# DEPRECATED
# "update_port:mac_address":"rule:admin_only or
# rule:context_is_advsvc" has been deprecated since W in favor of
-# "update_port:mac_address":"role:admin and project_id:%(project_id)s
-# or rule:context_is_advsvc".
-# The port API now supports system scope and default roles.
+# "update_port:mac_address":"rule:admin_only or
+# rule:context_is_advsvc".
+# The port API now supports project scope and default roles.
# Specify ``fixed_ips`` information when updating a port
# PUT /ports/{id}
# Intended scope(s): project
-#"update_port:fixed_ips": "rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s"
+#"update_port:fixed_ips": "rule:context_is_advsvc or rule:network_owner or rule:admin_only"
# DEPRECATED
# "update_port:fixed_ips":"rule:context_is_advsvc or
# rule:admin_or_network_owner" has been deprecated since W in favor of
# "update_port:fixed_ips":"rule:context_is_advsvc or
-# rule:network_owner or role:admin and project_id:%(project_id)s".
-# The port API now supports system scope and default roles.
+# rule:network_owner or rule:admin_only".
+# The port API now supports project scope and default roles.
# Specify IP address in ``fixed_ips`` information when updating a port
# PUT /ports/{id}
# Intended scope(s): project
-#"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s"
+#"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:network_owner or rule:admin_only"
# DEPRECATED
# "update_port:fixed_ips:ip_address":"rule:context_is_advsvc or
# rule:admin_or_network_owner" has been deprecated since W in favor of
# "update_port:fixed_ips:ip_address":"rule:context_is_advsvc or
-# rule:network_owner or role:admin and project_id:%(project_id)s".
-# The port API now supports system scope and default roles.
+# rule:network_owner or rule:admin_only".
+# The port API now supports project scope and default roles.
# Specify subnet ID in ``fixed_ips`` information when updating a port
# PUT /ports/{id}
# Intended scope(s): project
-#"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s or rule:shared"
+#"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared"
# DEPRECATED
# "update_port:fixed_ips:subnet_id":"rule:context_is_advsvc or
# rule:admin_or_network_owner or rule:shared" has been deprecated
# since W in favor of
# "update_port:fixed_ips:subnet_id":"rule:context_is_advsvc or
-# rule:network_owner or role:admin and project_id:%(project_id)s or
-# rule:shared".
-# The port API now supports system scope and default roles.
+# rule:network_owner or rule:admin_only or rule:shared".
+# The port API now supports project scope and default roles.
# Update ``port_security_enabled`` attribute of a port
# PUT /ports/{id}
# Intended scope(s): project
-#"update_port:port_security_enabled": "rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s"
+#"update_port:port_security_enabled": "rule:context_is_advsvc or rule:network_owner or rule:admin_only"
# DEPRECATED
# "update_port:port_security_enabled":"rule:context_is_advsvc or
# rule:admin_or_network_owner" has been deprecated since W in favor of
# "update_port:port_security_enabled":"rule:context_is_advsvc or
-# rule:network_owner or role:admin and project_id:%(project_id)s".
-# The port API now supports system scope and default roles.
+# rule:network_owner or rule:admin_only".
+# The port API now supports project scope and default roles.
# Update ``binding:host_id`` attribute of a port
# PUT /ports/{id}
# Intended scope(s): project
-#"update_port:binding:host_id": "role:admin and project_id:%(project_id)s"
+#"update_port:binding:host_id": "rule:admin_only"
# DEPRECATED
# "update_port:binding:host_id":"rule:admin_only" has been deprecated
-# since W in favor of "update_port:binding:host_id":"role:admin and
-# project_id:%(project_id)s".
-# The port API now supports system scope and default roles.
+# since W in favor of "update_port:binding:host_id":"rule:admin_only".
+# The port API now supports project scope and default roles.
# Update ``binding:profile`` attribute of a port
# PUT /ports/{id}
# Intended scope(s): project
-#"update_port:binding:profile": "role:admin and project_id:%(project_id)s"
+#"update_port:binding:profile": "rule:admin_only"
# DEPRECATED
# "update_port:binding:profile":"rule:admin_only" has been deprecated
-# since W in favor of "update_port:binding:profile":"role:admin and
-# project_id:%(project_id)s".
-# The port API now supports system scope and default roles.
+# since W in favor of "update_port:binding:profile":"rule:admin_only".
+# The port API now supports project scope and default roles.
# Update ``binding:vnic_type`` attribute of a port
# PUT /ports/{id}
# Intended scope(s): project
-#"update_port:binding:vnic_type": "role:member and project_id:%(project_id)s or rule:context_is_advsvc"
+#"update_port:binding:vnic_type": "rule:admin_only or role:member and project_id:%(project_id)s or rule:context_is_advsvc"
# DEPRECATED
# "update_port:binding:vnic_type":"rule:admin_or_owner or
# rule:context_is_advsvc" has been deprecated since W in favor of
-# "update_port:binding:vnic_type":"role:member and
+# "update_port:binding:vnic_type":"rule:admin_only or role:member and
# project_id:%(project_id)s or rule:context_is_advsvc".
-# The port API now supports system scope and default roles.
+# The port API now supports project scope and default roles.
# Update ``allowed_address_pairs`` attribute of a port
# PUT /ports/{id}
# Intended scope(s): project
-#"update_port:allowed_address_pairs": "role:admin and project_id:%(project_id)s or rule:network_owner"
+#"update_port:allowed_address_pairs": "rule:admin_only or rule:network_owner"
# DEPRECATED
# "update_port:allowed_address_pairs":"rule:admin_or_network_owner"
# has been deprecated since W in favor of
-# "update_port:allowed_address_pairs":"role:admin and
-# project_id:%(project_id)s or rule:network_owner".
-# The port API now supports system scope and default roles.
+# "update_port:allowed_address_pairs":"rule:admin_only or
+# rule:network_owner".
+# The port API now supports project scope and default roles.
# Update ``mac_address`` of ``allowed_address_pairs`` attribute of a
# port
# PUT /ports/{id}
# Intended scope(s): project
-#"update_port:allowed_address_pairs:mac_address": "role:admin and project_id:%(project_id)s or rule:network_owner"
+#"update_port:allowed_address_pairs:mac_address": "rule:admin_only or rule:network_owner"
# DEPRECATED
# "update_port:allowed_address_pairs:mac_address":"rule:admin_or_netwo
# rk_owner" has been deprecated since W in favor of
-# "update_port:allowed_address_pairs:mac_address":"role:admin and
-# project_id:%(project_id)s or rule:network_owner".
-# The port API now supports system scope and default roles.
+# "update_port:allowed_address_pairs:mac_address":"rule:admin_only or
+# rule:network_owner".
+# The port API now supports project scope and default roles.
# Update ``ip_address`` of ``allowed_address_pairs`` attribute of a
# port
# PUT /ports/{id}
# Intended scope(s): project
-#"update_port:allowed_address_pairs:ip_address": "role:admin and project_id:%(project_id)s or rule:network_owner"
+#"update_port:allowed_address_pairs:ip_address": "rule:admin_only or rule:network_owner"
# DEPRECATED
# "update_port:allowed_address_pairs:ip_address":"rule:admin_or_networ
# k_owner" has been deprecated since W in favor of
-# "update_port:allowed_address_pairs:ip_address":"role:admin and
-# project_id:%(project_id)s or rule:network_owner".
-# The port API now supports system scope and default roles.
+# "update_port:allowed_address_pairs:ip_address":"rule:admin_only or
+# rule:network_owner".
+# The port API now supports project scope and default roles.
# Update ``data_plane_status`` attribute of a port
# PUT /ports/{id}
# Intended scope(s): project
-#"update_port:data_plane_status": "role:admin and project_id:%(project_id)s or role:data_plane_integrator"
+#"update_port:data_plane_status": "rule:admin_only or role:data_plane_integrator"
# DEPRECATED
# "update_port:data_plane_status":"rule:admin_or_data_plane_int" has
# been deprecated since W in favor of
-# "update_port:data_plane_status":"role:admin and
-# project_id:%(project_id)s or role:data_plane_integrator".
-# The port API now supports system scope and default roles.
+# "update_port:data_plane_status":"rule:admin_only or
+# role:data_plane_integrator".
+# The port API now supports project scope and default roles.
# Delete a port
# DELETE /ports/{id}
# Intended scope(s): project
-#"delete_port": "rule:context_is_advsvc or role:member and project_id:%(project_id)s"
+#"delete_port": "rule:admin_only or rule:context_is_advsvc or role:member and project_id:%(project_id)s"
# DEPRECATED
# "delete_port":"rule:context_is_advsvc or
# rule:admin_owner_or_network_owner" has been deprecated since W in
-# favor of "delete_port":"rule:context_is_advsvc or role:member and
-# project_id:%(project_id)s".
-# The port API now supports system scope and default roles.
+# favor of "delete_port":"rule:admin_only or rule:context_is_advsvc or
+# role:member and project_id:%(project_id)s".
+# The port API now supports project scope and default roles.
# Get QoS policies
# GET /qos/policies
# GET /qos/policies/{id}
# Intended scope(s): project
-#"get_policy": "role:reader and project_id:%(project_id)s"
+#"get_policy": "rule:admin_only or role:reader and project_id:%(project_id)s"
# DEPRECATED
# "get_policy":"rule:regular_user" has been deprecated since W in
-# favor of "get_policy":"role:reader and project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# favor of "get_policy":"rule:admin_only or role:reader and
+# project_id:%(project_id)s".
+# The QoS API now supports project scope and default roles.
# Create a QoS policy
# POST /qos/policies
# Intended scope(s): project
-#"create_policy": "role:admin and project_id:%(project_id)s"
+#"create_policy": "rule:admin_only"
# DEPRECATED
# "create_policy":"rule:admin_only" has been deprecated since W in
-# favor of "create_policy":"role:admin and project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# favor of "create_policy":"rule:admin_only".
+# The QoS API now supports project scope and default roles.
# Update a QoS policy
# PUT /qos/policies/{id}
# Intended scope(s): project
-#"update_policy": "role:admin and project_id:%(project_id)s"
+#"update_policy": "rule:admin_only"
# DEPRECATED
# "update_policy":"rule:admin_only" has been deprecated since W in
-# favor of "update_policy":"role:admin and project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# favor of "update_policy":"rule:admin_only".
+# The QoS API now supports project scope and default roles.
# Delete a QoS policy
# DELETE /qos/policies/{id}
# Intended scope(s): project
-#"delete_policy": "role:admin and project_id:%(project_id)s"
+#"delete_policy": "rule:admin_only"
# DEPRECATED
# "delete_policy":"rule:admin_only" has been deprecated since W in
-# favor of "delete_policy":"role:admin and project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# favor of "delete_policy":"rule:admin_only".
+# The QoS API now supports project scope and default roles.
# Get available QoS rule types
# GET /qos/rule-types
# GET /qos/rule-types/{rule_type}
-# Intended scope(s): system, project
-#"get_rule_type": "role:admin or role:reader and system_scope:all"
+# Intended scope(s): project
+#"get_rule_type": "rule:admin_only"
# DEPRECATED
# "get_rule_type":"rule:regular_user" has been deprecated since W in
-# favor of "get_rule_type":"role:admin or role:reader and
-# system_scope:all".
-# The QoS API now supports system scope and default roles.
+# favor of "get_rule_type":"rule:admin_only".
+# The QoS API now supports project scope and default roles.
# Get a QoS bandwidth limit rule
# GET /qos/policies/{policy_id}/bandwidth_limit_rules
# GET /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
# Intended scope(s): project
-#"get_policy_bandwidth_limit_rule": "role:reader and project_id:%(project_id)s"
+#"get_policy_bandwidth_limit_rule": "rule:admin_only or role:reader and project_id:%(project_id)s"
# DEPRECATED
# "get_policy_bandwidth_limit_rule":"rule:regular_user" has been
# deprecated since W in favor of
-# "get_policy_bandwidth_limit_rule":"role:reader and
-# project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# "get_policy_bandwidth_limit_rule":"rule:admin_only or role:reader
+# and project_id:%(project_id)s".
+# The QoS API now supports project scope and default roles.
# Create a QoS bandwidth limit rule
# POST /qos/policies/{policy_id}/bandwidth_limit_rules
# Intended scope(s): project
-#"create_policy_bandwidth_limit_rule": "role:admin and project_id:%(project_id)s"
+#"create_policy_bandwidth_limit_rule": "rule:admin_only"
# DEPRECATED
# "create_policy_bandwidth_limit_rule":"rule:admin_only" has been
# deprecated since W in favor of
-# "create_policy_bandwidth_limit_rule":"role:admin and
-# project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# "create_policy_bandwidth_limit_rule":"rule:admin_only".
+# The QoS API now supports project scope and default roles.
# Update a QoS bandwidth limit rule
# PUT /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
# Intended scope(s): project
-#"update_policy_bandwidth_limit_rule": "role:admin and project_id:%(project_id)s"
+#"update_policy_bandwidth_limit_rule": "rule:admin_only"
# DEPRECATED
# "update_policy_bandwidth_limit_rule":"rule:admin_only" has been
# deprecated since W in favor of
-# "update_policy_bandwidth_limit_rule":"role:admin and
-# project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# "update_policy_bandwidth_limit_rule":"rule:admin_only".
+# The QoS API now supports project scope and default roles.
# Delete a QoS bandwidth limit rule
# DELETE /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
# Intended scope(s): project
-#"delete_policy_bandwidth_limit_rule": "role:admin and project_id:%(project_id)s"
+#"delete_policy_bandwidth_limit_rule": "rule:admin_only"
# DEPRECATED
# "delete_policy_bandwidth_limit_rule":"rule:admin_only" has been
# deprecated since W in favor of
-# "delete_policy_bandwidth_limit_rule":"role:admin and
-# project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# "delete_policy_bandwidth_limit_rule":"rule:admin_only".
+# The QoS API now supports project scope and default roles.
+
+# Get a QoS packet rate limit rule
+# GET /qos/policies/{policy_id}/packet_rate_limit_rules
+# GET /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}
+# Intended scope(s): project
+#"get_policy_packet_rate_limit_rule": "rule:admin_only or role:reader and project_id:%(project_id)s"
+
+# Create a QoS packet rate limit rule
+# POST /qos/policies/{policy_id}/packet_rate_limit_rules
+# Intended scope(s): project
+#"create_policy_packet_rate_limit_rule": "rule:admin_only"
+
+# Update a QoS packet rate limit rule
+# PUT /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}
+# Intended scope(s): project
+#"update_policy_packet_rate_limit_rule": "rule:admin_only"
+
+# Delete a QoS packet rate limit rule
+# DELETE /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}
+# Intended scope(s): project
+#"delete_policy_packet_rate_limit_rule": "rule:admin_only"
# Get a QoS DSCP marking rule
# GET /qos/policies/{policy_id}/dscp_marking_rules
# GET /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
# Intended scope(s): project
-#"get_policy_dscp_marking_rule": "role:reader and project_id:%(project_id)s"
+#"get_policy_dscp_marking_rule": "rule:admin_only or role:reader and project_id:%(project_id)s"
# DEPRECATED
# "get_policy_dscp_marking_rule":"rule:regular_user" has been
# deprecated since W in favor of
-# "get_policy_dscp_marking_rule":"role:reader and
+# "get_policy_dscp_marking_rule":"rule:admin_only or role:reader and
# project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# The QoS API now supports project scope and default roles.
# Create a QoS DSCP marking rule
# POST /qos/policies/{policy_id}/dscp_marking_rules
# Intended scope(s): project
-#"create_policy_dscp_marking_rule": "role:admin and project_id:%(project_id)s"
+#"create_policy_dscp_marking_rule": "rule:admin_only"
# DEPRECATED
# "create_policy_dscp_marking_rule":"rule:admin_only" has been
# deprecated since W in favor of
-# "create_policy_dscp_marking_rule":"role:admin and
-# project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# "create_policy_dscp_marking_rule":"rule:admin_only".
+# The QoS API now supports project scope and default roles.
# Update a QoS DSCP marking rule
# PUT /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
# Intended scope(s): project
-#"update_policy_dscp_marking_rule": "role:admin and project_id:%(project_id)s"
+#"update_policy_dscp_marking_rule": "rule:admin_only"
# DEPRECATED
# "update_policy_dscp_marking_rule":"rule:admin_only" has been
# deprecated since W in favor of
-# "update_policy_dscp_marking_rule":"role:admin and
-# project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# "update_policy_dscp_marking_rule":"rule:admin_only".
+# The QoS API now supports project scope and default roles.
# Delete a QoS DSCP marking rule
# DELETE /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
# Intended scope(s): project
-#"delete_policy_dscp_marking_rule": "role:admin and project_id:%(project_id)s"
+#"delete_policy_dscp_marking_rule": "rule:admin_only"
# DEPRECATED
# "delete_policy_dscp_marking_rule":"rule:admin_only" has been
# deprecated since W in favor of
-# "delete_policy_dscp_marking_rule":"role:admin and
-# project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# "delete_policy_dscp_marking_rule":"rule:admin_only".
+# The QoS API now supports project scope and default roles.
# Get a QoS minimum bandwidth rule
# GET /qos/policies/{policy_id}/minimum_bandwidth_rules
# GET /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
# Intended scope(s): project
-#"get_policy_minimum_bandwidth_rule": "role:reader and project_id:%(project_id)s"
+#"get_policy_minimum_bandwidth_rule": "rule:admin_only or role:reader and project_id:%(project_id)s"
# DEPRECATED
# "get_policy_minimum_bandwidth_rule":"rule:regular_user" has been
# deprecated since W in favor of
-# "get_policy_minimum_bandwidth_rule":"role:reader and
-# project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# "get_policy_minimum_bandwidth_rule":"rule:admin_only or role:reader
+# and project_id:%(project_id)s".
+# The QoS API now supports project scope and default roles.
# Create a QoS minimum bandwidth rule
# POST /qos/policies/{policy_id}/minimum_bandwidth_rules
# Intended scope(s): project
-#"create_policy_minimum_bandwidth_rule": "role:admin and project_id:%(project_id)s"
+#"create_policy_minimum_bandwidth_rule": "rule:admin_only"
# DEPRECATED
# "create_policy_minimum_bandwidth_rule":"rule:admin_only" has been
# deprecated since W in favor of
-# "create_policy_minimum_bandwidth_rule":"role:admin and
-# project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# "create_policy_minimum_bandwidth_rule":"rule:admin_only".
+# The QoS API now supports project scope and default roles.
# Update a QoS minimum bandwidth rule
# PUT /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
# Intended scope(s): project
-#"update_policy_minimum_bandwidth_rule": "role:admin and project_id:%(project_id)s"
+#"update_policy_minimum_bandwidth_rule": "rule:admin_only"
# DEPRECATED
# "update_policy_minimum_bandwidth_rule":"rule:admin_only" has been
# deprecated since W in favor of
-# "update_policy_minimum_bandwidth_rule":"role:admin and
-# project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# "update_policy_minimum_bandwidth_rule":"rule:admin_only".
+# The QoS API now supports project scope and default roles.
# Delete a QoS minimum bandwidth rule
# DELETE /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
# Intended scope(s): project
-#"delete_policy_minimum_bandwidth_rule": "role:admin and project_id:%(project_id)s"
+#"delete_policy_minimum_bandwidth_rule": "rule:admin_only"
# DEPRECATED
# "delete_policy_minimum_bandwidth_rule":"rule:admin_only" has been
# deprecated since W in favor of
-# "delete_policy_minimum_bandwidth_rule":"role:admin and
-# project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# "delete_policy_minimum_bandwidth_rule":"rule:admin_only".
+# The QoS API now supports project scope and default roles.
# Get a QoS minimum packet rate rule
# GET /qos/policies/{policy_id}/minimum_packet_rate_rules
# GET /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
# Intended scope(s): project
-#"get_policy_minimum_packet_rate_rule": "role:reader and project_id:%(project_id)s"
+#"get_policy_minimum_packet_rate_rule": "rule:admin_only or role:reader and project_id:%(project_id)s"
# Create a QoS minimum packet rate rule
# POST /qos/policies/{policy_id}/minimum_packet_rate_rules
# Intended scope(s): project
-#"create_policy_minimum_packet_rate_rule": "role:admin and project_id:%(project_id)s"
+#"create_policy_minimum_packet_rate_rule": "rule:admin_only"
# Update a QoS minimum packet rate rule
# PUT /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
# Intended scope(s): project
-#"update_policy_minimum_packet_rate_rule": "role:admin and project_id:%(project_id)s"
+#"update_policy_minimum_packet_rate_rule": "rule:admin_only"
# Delete a QoS minimum packet rate rule
# DELETE /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
# Intended scope(s): project
-#"delete_policy_minimum_packet_rate_rule": "role:admin and project_id:%(project_id)s"
+#"delete_policy_minimum_packet_rate_rule": "rule:admin_only"
# Get a QoS bandwidth limit rule through alias
# GET /qos/alias_bandwidth_limit_rules/{rule_id}/
# Intended scope(s): project
-#"get_alias_bandwidth_limit_rule": "role:reader and project_id:%(project_id)s"
+#"get_alias_bandwidth_limit_rule": "rule:admin_only or role:reader and project_id:%(project_id)s"
# DEPRECATED
# "get_alias_bandwidth_limit_rule":"rule:regular_user" has been
# deprecated since W in favor of
-# "get_alias_bandwidth_limit_rule":"role:reader and
+# "get_alias_bandwidth_limit_rule":"rule:admin_only or role:reader and
# project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# The QoS API now supports project scope and default roles.
# Update a QoS bandwidth limit rule through alias
# PUT /qos/alias_bandwidth_limit_rules/{rule_id}/
# Intended scope(s): project
-#"update_alias_bandwidth_limit_rule": "role:admin and project_id:%(project_id)s"
+#"update_alias_bandwidth_limit_rule": "rule:admin_only"
# DEPRECATED
# "update_alias_bandwidth_limit_rule":"rule:admin_only" has been
# deprecated since W in favor of
-# "update_alias_bandwidth_limit_rule":"role:admin and
-# project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# "update_alias_bandwidth_limit_rule":"rule:admin_only".
+# The QoS API now supports project scope and default roles.
# Delete a QoS bandwidth limit rule through alias
# DELETE /qos/alias_bandwidth_limit_rules/{rule_id}/
# Intended scope(s): project
-#"delete_alias_bandwidth_limit_rule": "role:admin and project_id:%(project_id)s"
+#"delete_alias_bandwidth_limit_rule": "rule:admin_only"
# DEPRECATED
# "delete_alias_bandwidth_limit_rule":"rule:admin_only" has been
# deprecated since W in favor of
-# "delete_alias_bandwidth_limit_rule":"role:admin and
-# project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# "delete_alias_bandwidth_limit_rule":"rule:admin_only".
+# The QoS API now supports project scope and default roles.
# Get a QoS DSCP marking rule through alias
# GET /qos/alias_dscp_marking_rules/{rule_id}/
# Intended scope(s): project
-#"get_alias_dscp_marking_rule": "role:reader and project_id:%(project_id)s"
+#"get_alias_dscp_marking_rule": "rule:admin_only or role:reader and project_id:%(project_id)s"
# DEPRECATED
# "get_alias_dscp_marking_rule":"rule:regular_user" has been
# deprecated since W in favor of
-# "get_alias_dscp_marking_rule":"role:reader and
+# "get_alias_dscp_marking_rule":"rule:admin_only or role:reader and
# project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# The QoS API now supports project scope and default roles.
# Update a QoS DSCP marking rule through alias
# PUT /qos/alias_dscp_marking_rules/{rule_id}/
# Intended scope(s): project
-#"update_alias_dscp_marking_rule": "role:admin and project_id:%(project_id)s"
+#"update_alias_dscp_marking_rule": "rule:admin_only"
# DEPRECATED
# "update_alias_dscp_marking_rule":"rule:admin_only" has been
# deprecated since W in favor of
-# "update_alias_dscp_marking_rule":"role:admin and
-# project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# "update_alias_dscp_marking_rule":"rule:admin_only".
+# The QoS API now supports project scope and default roles.
# Delete a QoS DSCP marking rule through alias
# DELETE /qos/alias_dscp_marking_rules/{rule_id}/
# Intended scope(s): project
-#"delete_alias_dscp_marking_rule": "role:admin and project_id:%(project_id)s"
+#"delete_alias_dscp_marking_rule": "rule:admin_only"
# DEPRECATED
# "delete_alias_dscp_marking_rule":"rule:admin_only" has been
# deprecated since W in favor of
-# "delete_alias_dscp_marking_rule":"role:admin and
-# project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# "delete_alias_dscp_marking_rule":"rule:admin_only".
+# The QoS API now supports project scope and default roles.
# Get a QoS minimum bandwidth rule through alias
# GET /qos/alias_minimum_bandwidth_rules/{rule_id}/
# Intended scope(s): project
-#"get_alias_minimum_bandwidth_rule": "role:reader and project_id:%(project_id)s"
+#"get_alias_minimum_bandwidth_rule": "rule:admin_only or role:reader and project_id:%(project_id)s"
# DEPRECATED
# "get_alias_minimum_bandwidth_rule":"rule:regular_user" has been
# deprecated since W in favor of
-# "get_alias_minimum_bandwidth_rule":"role:reader and
-# project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# "get_alias_minimum_bandwidth_rule":"rule:admin_only or role:reader
+# and project_id:%(project_id)s".
+# The QoS API now supports project scope and default roles.
# Update a QoS minimum bandwidth rule through alias
# PUT /qos/alias_minimum_bandwidth_rules/{rule_id}/
# Intended scope(s): project
-#"update_alias_minimum_bandwidth_rule": "role:admin and project_id:%(project_id)s"
+#"update_alias_minimum_bandwidth_rule": "rule:admin_only"
# DEPRECATED
# "update_alias_minimum_bandwidth_rule":"rule:admin_only" has been
# deprecated since W in favor of
-# "update_alias_minimum_bandwidth_rule":"role:admin and
-# project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# "update_alias_minimum_bandwidth_rule":"rule:admin_only".
+# The QoS API now supports project scope and default roles.
# Delete a QoS minimum bandwidth rule through alias
# DELETE /qos/alias_minimum_bandwidth_rules/{rule_id}/
# Intended scope(s): project
-#"delete_alias_minimum_bandwidth_rule": "role:admin and project_id:%(project_id)s"
+#"delete_alias_minimum_bandwidth_rule": "rule:admin_only"
# DEPRECATED
# "delete_alias_minimum_bandwidth_rule":"rule:admin_only" has been
# deprecated since W in favor of
-# "delete_alias_minimum_bandwidth_rule":"role:admin and
-# project_id:%(project_id)s".
-# The QoS API now supports system scope and default roles.
+# "delete_alias_minimum_bandwidth_rule":"rule:admin_only".
+# The QoS API now supports project scope and default roles.
# Get a QoS minimum packet rate rule through alias
# GET /qos/alias_minimum_packet_rate_rules/{rule_id}/
+# Intended scope(s): project
#"get_alias_minimum_packet_rate_rule": "rule:get_policy_minimum_packet_rate_rule"
# Update a QoS minimum packet rate rule through alias
# PUT /qos/alias_minimum_packet_rate_rules/{rule_id}/
+# Intended scope(s): project
#"update_alias_minimum_packet_rate_rule": "rule:update_policy_minimum_packet_rate_rule"
# Delete a QoS minimum packet rate rule through alias
# DELETE /qos/alias_minimum_packet_rate_rules/{rule_id}/
+# Intended scope(s): project
#"delete_alias_minimum_packet_rate_rule": "rule:delete_policy_minimum_packet_rate_rule"
# Get a resource quota
# GET /quota
# GET /quota/{id}
-# Intended scope(s): system
-#"get_quota": "role:reader and system_scope:all"
+# Intended scope(s): project
+#"get_quota": "rule:admin_only"
# DEPRECATED
# "get_quota":"rule:admin_only" has been deprecated since W in favor
-# of "get_quota":"role:reader and system_scope:all".
-# The quotas API now supports system scope and default roles.
+# of "get_quota":"rule:admin_only".
+# The quotas API now supports project scope and default roles.
# Update a resource quota
# PUT /quota/{id}
-# Intended scope(s): system
-#"update_quota": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"update_quota": "rule:admin_only"
# DEPRECATED
# "update_quota":"rule:admin_only" has been deprecated since W in
-# favor of "update_quota":"role:admin and system_scope:all".
-# The quotas API now supports system scope and default roles.
+# favor of "update_quota":"rule:admin_only".
+# The quotas API now supports project scope and default roles.
# Delete a resource quota
# DELETE /quota/{id}
-# Intended scope(s): system
-#"delete_quota": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"delete_quota": "rule:admin_only"
# DEPRECATED
# "delete_quota":"rule:admin_only" has been deprecated since W in
-# favor of "delete_quota":"role:admin and system_scope:all".
-# The quotas API now supports system scope and default roles.
+# favor of "delete_quota":"rule:admin_only".
+# The quotas API now supports project scope and default roles.
# Definition of a wildcard target_project
#"restrict_wildcard": "(not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*) or rule:admin_only"
@@ -1976,329 +1944,321 @@
# Create an RBAC policy
# POST /rbac-policies
# Intended scope(s): project
-#"create_rbac_policy": "role:member and project_id:%(project_id)s"
+#"create_rbac_policy": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "create_rbac_policy":"rule:regular_user" has been deprecated since W
-# in favor of "create_rbac_policy":"role:member and
+# in favor of "create_rbac_policy":"rule:admin_only or role:member and
# project_id:%(project_id)s".
# The RBAC API now supports system scope and default roles.
# Specify ``target_tenant`` when creating an RBAC policy
# POST /rbac-policies
# Intended scope(s): project
-#"create_rbac_policy:target_tenant": "role:admin and project_id:%(project_id)s or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)"
+#"create_rbac_policy:target_tenant": "rule:admin_only or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)"
# DEPRECATED
# "create_rbac_policy:target_tenant":"rule:restrict_wildcard" has been
# deprecated since W in favor of
-# "create_rbac_policy:target_tenant":"role:admin and
-# project_id:%(project_id)s or (not field:rbac_policy:target_tenant=*
-# and not field:rbac_policy:target_project=*)".
+# "create_rbac_policy:target_tenant":"rule:admin_only or (not
+# field:rbac_policy:target_tenant=* and not
+# field:rbac_policy:target_project=*)".
# The RBAC API now supports system scope and default roles.
# Update an RBAC policy
# PUT /rbac-policies/{id}
# Intended scope(s): project
-#"update_rbac_policy": "role:member and project_id:%(project_id)s"
+#"update_rbac_policy": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "update_rbac_policy":"rule:admin_or_owner" has been deprecated since
-# W in favor of "update_rbac_policy":"role:member and
-# project_id:%(project_id)s".
+# W in favor of "update_rbac_policy":"rule:admin_only or role:member
+# and project_id:%(project_id)s".
# The RBAC API now supports system scope and default roles.
# Update ``target_tenant`` attribute of an RBAC policy
# PUT /rbac-policies/{id}
# Intended scope(s): project
-#"update_rbac_policy:target_tenant": "role:admin and project_id:%(project_id)s or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)"
+#"update_rbac_policy:target_tenant": "rule:admin_only or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)"
# DEPRECATED
# "update_rbac_policy:target_tenant":"rule:restrict_wildcard and
# rule:admin_or_owner" has been deprecated since W in favor of
-# "update_rbac_policy:target_tenant":"role:admin and
-# project_id:%(project_id)s or (not field:rbac_policy:target_tenant=*
-# and not field:rbac_policy:target_project=*)".
+# "update_rbac_policy:target_tenant":"rule:admin_only or (not
+# field:rbac_policy:target_tenant=* and not
+# field:rbac_policy:target_project=*)".
# The RBAC API now supports system scope and default roles.
# Get an RBAC policy
# GET /rbac-policies
# GET /rbac-policies/{id}
# Intended scope(s): project
-#"get_rbac_policy": "role:reader and project_id:%(project_id)s"
+#"get_rbac_policy": "rule:admin_only or role:reader and project_id:%(project_id)s"
# DEPRECATED
# "get_rbac_policy":"rule:admin_or_owner" has been deprecated since W
-# in favor of "get_rbac_policy":"role:reader and
+# in favor of "get_rbac_policy":"rule:admin_only or role:reader and
# project_id:%(project_id)s".
# The RBAC API now supports system scope and default roles.
# Delete an RBAC policy
# DELETE /rbac-policies/{id}
# Intended scope(s): project
-#"delete_rbac_policy": "role:member and project_id:%(project_id)s"
+#"delete_rbac_policy": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "delete_rbac_policy":"rule:admin_or_owner" has been deprecated since
-# W in favor of "delete_rbac_policy":"role:member and
-# project_id:%(project_id)s".
+# W in favor of "delete_rbac_policy":"rule:admin_only or role:member
+# and project_id:%(project_id)s".
# The RBAC API now supports system scope and default roles.
# Create a router
# POST /routers
# Intended scope(s): project
-#"create_router": "role:member and project_id:%(project_id)s"
+#"create_router": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "create_router":"rule:regular_user" has been deprecated since W in
-# favor of "create_router":"role:member and
+# favor of "create_router":"rule:admin_only or role:member and
# project_id:%(project_id)s".
# The router API now supports system scope and default roles.
# Specify ``distributed`` attribute when creating a router
# POST /routers
# Intended scope(s): project
-#"create_router:distributed": "role:admin and project_id:%(project_id)s"
+#"create_router:distributed": "rule:admin_only"
# DEPRECATED
# "create_router:distributed":"rule:admin_only" has been deprecated
-# since W in favor of "create_router:distributed":"role:admin and
-# project_id:%(project_id)s".
+# since W in favor of "create_router:distributed":"rule:admin_only".
# The router API now supports system scope and default roles.
# Specify ``ha`` attribute when creating a router
# POST /routers
# Intended scope(s): project
-#"create_router:ha": "role:admin and project_id:%(project_id)s"
+#"create_router:ha": "rule:admin_only"
# DEPRECATED
# "create_router:ha":"rule:admin_only" has been deprecated since W in
-# favor of "create_router:ha":"role:admin and
-# project_id:%(project_id)s".
+# favor of "create_router:ha":"rule:admin_only".
# The router API now supports system scope and default roles.
# Specify ``external_gateway_info`` information when creating a router
# POST /routers
# Intended scope(s): project
-#"create_router:external_gateway_info": "role:member and project_id:%(project_id)s"
+#"create_router:external_gateway_info": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "create_router:external_gateway_info":"rule:admin_or_owner" has been
# deprecated since W in favor of
-# "create_router:external_gateway_info":"role:member and
-# project_id:%(project_id)s".
+# "create_router:external_gateway_info":"rule:admin_only or
+# role:member and project_id:%(project_id)s".
# The router API now supports system scope and default roles.
# Specify ``network_id`` in ``external_gateway_info`` information when
# creating a router
# POST /routers
# Intended scope(s): project
-#"create_router:external_gateway_info:network_id": "role:member and project_id:%(project_id)s"
+#"create_router:external_gateway_info:network_id": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "create_router:external_gateway_info:network_id":"rule:admin_or_owne
# r" has been deprecated since W in favor of
-# "create_router:external_gateway_info:network_id":"role:member and
-# project_id:%(project_id)s".
+# "create_router:external_gateway_info:network_id":"rule:admin_only or
+# role:member and project_id:%(project_id)s".
# The router API now supports system scope and default roles.
# Specify ``enable_snat`` in ``external_gateway_info`` information
# when creating a router
# POST /routers
# Intended scope(s): project
-#"create_router:external_gateway_info:enable_snat": "role:admin and project_id:%(project_id)s"
+#"create_router:external_gateway_info:enable_snat": "rule:admin_only"
# DEPRECATED
# "create_router:external_gateway_info:enable_snat":"rule:admin_only"
# has been deprecated since W in favor of
-# "create_router:external_gateway_info:enable_snat":"role:admin and
-# project_id:%(project_id)s".
+# "create_router:external_gateway_info:enable_snat":"rule:admin_only".
# The router API now supports system scope and default roles.
# Specify ``external_fixed_ips`` in ``external_gateway_info``
# information when creating a router
# POST /routers
# Intended scope(s): project
-#"create_router:external_gateway_info:external_fixed_ips": "role:admin and project_id:%(project_id)s"
+#"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only"
# DEPRECATED
# "create_router:external_gateway_info:external_fixed_ips":"rule:admin
-# _only" has been deprecated since W in favor of
-# "create_router:external_gateway_info:external_fixed_ips":"role:admin
-# and project_id:%(project_id)s".
+# _only" has been deprecated since W in favor of "create_router:extern
+# al_gateway_info:external_fixed_ips":"rule:admin_only".
# The router API now supports system scope and default roles.
# Get a router
# GET /routers
# GET /routers/{id}
# Intended scope(s): project
-#"get_router": "role:reader and project_id:%(project_id)s"
+#"get_router": "rule:admin_only or role:reader and project_id:%(project_id)s"
# DEPRECATED
# "get_router":"rule:admin_or_owner" has been deprecated since W in
-# favor of "get_router":"role:reader and project_id:%(project_id)s".
+# favor of "get_router":"rule:admin_only or role:reader and
+# project_id:%(project_id)s".
# The router API now supports system scope and default roles.
# Get ``distributed`` attribute of a router
# GET /routers
# GET /routers/{id}
# Intended scope(s): project
-#"get_router:distributed": "role:admin and project_id:%(project_id)s"
+#"get_router:distributed": "rule:admin_only"
# DEPRECATED
# "get_router:distributed":"rule:admin_only" has been deprecated since
-# W in favor of "get_router:distributed":"role:admin and
-# project_id:%(project_id)s".
+# W in favor of "get_router:distributed":"rule:admin_only".
# The router API now supports system scope and default roles.
# Get ``ha`` attribute of a router
# GET /routers
# GET /routers/{id}
# Intended scope(s): project
-#"get_router:ha": "role:admin and project_id:%(project_id)s"
+#"get_router:ha": "rule:admin_only"
# DEPRECATED
# "get_router:ha":"rule:admin_only" has been deprecated since W in
-# favor of "get_router:ha":"role:admin and project_id:%(project_id)s".
+# favor of "get_router:ha":"rule:admin_only".
# The router API now supports system scope and default roles.
# Update a router
# PUT /routers/{id}
# Intended scope(s): project
-#"update_router": "role:member and project_id:%(project_id)s"
+#"update_router": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "update_router":"rule:admin_or_owner" has been deprecated since W in
-# favor of "update_router":"role:member and
+# favor of "update_router":"rule:admin_only or role:member and
# project_id:%(project_id)s".
# The router API now supports system scope and default roles.
# Update ``distributed`` attribute of a router
# PUT /routers/{id}
# Intended scope(s): project
-#"update_router:distributed": "role:admin and project_id:%(project_id)s"
+#"update_router:distributed": "rule:admin_only"
# DEPRECATED
# "update_router:distributed":"rule:admin_only" has been deprecated
-# since W in favor of "update_router:distributed":"role:admin and
-# project_id:%(project_id)s".
+# since W in favor of "update_router:distributed":"rule:admin_only".
# The router API now supports system scope and default roles.
# Update ``ha`` attribute of a router
# PUT /routers/{id}
# Intended scope(s): project
-#"update_router:ha": "role:admin and project_id:%(project_id)s"
+#"update_router:ha": "rule:admin_only"
# DEPRECATED
# "update_router:ha":"rule:admin_only" has been deprecated since W in
-# favor of "update_router:ha":"role:admin and
-# project_id:%(project_id)s".
+# favor of "update_router:ha":"rule:admin_only".
# The router API now supports system scope and default roles.
# Update ``external_gateway_info`` information of a router
# PUT /routers/{id}
# Intended scope(s): project
-#"update_router:external_gateway_info": "role:member and project_id:%(project_id)s"
+#"update_router:external_gateway_info": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "update_router:external_gateway_info":"rule:admin_or_owner" has been
# deprecated since W in favor of
-# "update_router:external_gateway_info":"role:member and
-# project_id:%(project_id)s".
+# "update_router:external_gateway_info":"rule:admin_only or
+# role:member and project_id:%(project_id)s".
# The router API now supports system scope and default roles.
# Update ``network_id`` attribute of ``external_gateway_info``
# information of a router
# PUT /routers/{id}
# Intended scope(s): project
-#"update_router:external_gateway_info:network_id": "role:member and project_id:%(project_id)s"
+#"update_router:external_gateway_info:network_id": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "update_router:external_gateway_info:network_id":"rule:admin_or_owne
# r" has been deprecated since W in favor of
-# "update_router:external_gateway_info:network_id":"role:member and
-# project_id:%(project_id)s".
+# "update_router:external_gateway_info:network_id":"rule:admin_only or
+# role:member and project_id:%(project_id)s".
# The router API now supports system scope and default roles.
# Update ``enable_snat`` attribute of ``external_gateway_info``
# information of a router
# PUT /routers/{id}
# Intended scope(s): project
-#"update_router:external_gateway_info:enable_snat": "role:admin and project_id:%(project_id)s"
+#"update_router:external_gateway_info:enable_snat": "rule:admin_only"
# DEPRECATED
# "update_router:external_gateway_info:enable_snat":"rule:admin_only"
# has been deprecated since W in favor of
-# "update_router:external_gateway_info:enable_snat":"role:admin and
-# project_id:%(project_id)s".
+# "update_router:external_gateway_info:enable_snat":"rule:admin_only".
# The router API now supports system scope and default roles.
# Update ``external_fixed_ips`` attribute of ``external_gateway_info``
# information of a router
# PUT /routers/{id}
# Intended scope(s): project
-#"update_router:external_gateway_info:external_fixed_ips": "role:admin and project_id:%(project_id)s"
+#"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only"
# DEPRECATED
# "update_router:external_gateway_info:external_fixed_ips":"rule:admin
-# _only" has been deprecated since W in favor of
-# "update_router:external_gateway_info:external_fixed_ips":"role:admin
-# and project_id:%(project_id)s".
+# _only" has been deprecated since W in favor of "update_router:extern
+# al_gateway_info:external_fixed_ips":"rule:admin_only".
# The router API now supports system scope and default roles.
# Delete a router
# DELETE /routers/{id}
# Intended scope(s): project
-#"delete_router": "role:member and project_id:%(project_id)s"
+#"delete_router": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "delete_router":"rule:admin_or_owner" has been deprecated since W in
-# favor of "delete_router":"role:member and
+# favor of "delete_router":"rule:admin_only or role:member and
# project_id:%(project_id)s".
# The router API now supports system scope and default roles.
# Add an interface to a router
# PUT /routers/{id}/add_router_interface
# Intended scope(s): project
-#"add_router_interface": "role:member and project_id:%(project_id)s"
+#"add_router_interface": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "add_router_interface":"rule:admin_or_owner" has been deprecated
-# since W in favor of "add_router_interface":"role:member and
-# project_id:%(project_id)s".
+# since W in favor of "add_router_interface":"rule:admin_only or
+# role:member and project_id:%(project_id)s".
# The router API now supports system scope and default roles.
# Remove an interface from a router
# PUT /routers/{id}/remove_router_interface
# Intended scope(s): project
-#"remove_router_interface": "role:member and project_id:%(project_id)s"
+#"remove_router_interface": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "remove_router_interface":"rule:admin_or_owner" has been deprecated
-# since W in favor of "remove_router_interface":"role:member and
-# project_id:%(project_id)s".
+# since W in favor of "remove_router_interface":"rule:admin_only or
+# role:member and project_id:%(project_id)s".
# The router API now supports system scope and default roles.
# Add extra route to a router
# PUT /routers/{id}/add_extraroutes
# Intended scope(s): project
-#"add_extraroutes": "role:member and project_id:%(project_id)s"
+#"add_extraroutes": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "add_extraroutes":"rule:admin_or_owner" has been deprecated since
-# Xena in favor of "add_extraroutes":"role:member and
-# project_id:%(project_id)s".
+# Xena in favor of "add_extraroutes":"rule:admin_only or role:member
+# and project_id:%(project_id)s".
# The router API now supports system scope and default roles.
# Remove extra route from a router
# PUT /routers/{id}/remove_extraroutes
# Intended scope(s): project
-#"remove_extraroutes": "role:member and project_id:%(project_id)s"
+#"remove_extraroutes": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "remove_extraroutes":"rule:admin_or_owner" has been deprecated since
-# Xena in favor of "remove_extraroutes":"role:member and
-# project_id:%(project_id)s".
+# Xena in favor of "remove_extraroutes":"rule:admin_only or
+# role:member and project_id:%(project_id)s".
# The router API now supports system scope and default roles.
# Rule for admin or security group owner access
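Review bot: The admin-only attribute rules in this hunk lose their project binding: `create_router:distributed`, `create_router:ha`, `get_router:ha`, `update_router:external_gateway_info:enable_snat` and their siblings change from `role:admin and project_id:%(project_id)s` to plain `rule:admin_only`, and the owner rules gain a leading `rule:admin_only or`. The definition of `admin_only` is outside this hunk, but if it is a bare admin-role check, an admin role held in any one project would satisfy these rules for every project's RBAC policies and routers, which the commit message does not mention. The same pattern repeats in the subnet and subnetpool hunks that follow. The text looks tool-generated, so rather than hand-editing it I would add a release note such as `Neutron admin rules now use rule:admin_only and no longer require a matching project_id`, so operators who depend on project-bound admins re-check their overrides.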
@@ -2391,155 +2351,150 @@
# Create a segment
# POST /segments
-# Intended scope(s): system
-#"create_segment": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"create_segment": "rule:admin_only"
# DEPRECATED
# "create_segment":"rule:admin_only" has been deprecated since W in
-# favor of "create_segment":"role:admin and system_scope:all".
-# The segment API now supports system scope and default roles.
+# favor of "create_segment":"rule:admin_only".
+# The segment API now supports project scope and default roles.
# Get a segment
# GET /segments
# GET /segments/{id}
-# Intended scope(s): system
-#"get_segment": "role:reader and system_scope:all"
+# Intended scope(s): project
+#"get_segment": "rule:admin_only"
# DEPRECATED
# "get_segment":"rule:admin_only" has been deprecated since W in favor
-# of "get_segment":"role:reader and system_scope:all".
-# The segment API now supports system scope and default roles.
+# of "get_segment":"rule:admin_only".
+# The segment API now supports project scope and default roles.
# Update a segment
# PUT /segments/{id}
-# Intended scope(s): system
-#"update_segment": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"update_segment": "rule:admin_only"
# DEPRECATED
# "update_segment":"rule:admin_only" has been deprecated since W in
-# favor of "update_segment":"role:admin and system_scope:all".
-# The segment API now supports system scope and default roles.
+# favor of "update_segment":"rule:admin_only".
+# The segment API now supports project scope and default roles.
# Delete a segment
# DELETE /segments/{id}
-# Intended scope(s): system
-#"delete_segment": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"delete_segment": "rule:admin_only"
# DEPRECATED
# "delete_segment":"rule:admin_only" has been deprecated since W in
-# favor of "delete_segment":"role:admin and system_scope:all".
-# The segment API now supports system scope and default roles.
+# favor of "delete_segment":"rule:admin_only".
+# The segment API now supports project scope and default roles.
# Get service providers
# GET /service-providers
-# Intended scope(s): system, project
+# Intended scope(s): project
#"get_service_provider": "role:reader"
# DEPRECATED
# "get_service_provider":"rule:regular_user" has been deprecated since
# W in favor of "get_service_provider":"role:reader".
-# The Service Providers API now supports system scope and default
+# The Service Providers API now supports project scope and default
# roles.
# Create a subnet
# POST /subnets
# Intended scope(s): project
-#"create_subnet": "role:member and project_id:%(project_id)s or rule:network_owner"
+#"create_subnet": "rule:admin_only or role:member and project_id:%(project_id)s or rule:network_owner"
# DEPRECATED
# "create_subnet":"rule:admin_or_network_owner" has been deprecated
-# since W in favor of "create_subnet":"role:member and
-# project_id:%(project_id)s or rule:network_owner".
+# since W in favor of "create_subnet":"rule:admin_only or role:member
+# and project_id:%(project_id)s or rule:network_owner".
# The subnet API now supports system scope and default roles.
# Specify ``segment_id`` attribute when creating a subnet
# POST /subnets
# Intended scope(s): project
-#"create_subnet:segment_id": "role:admin and project_id:%(project_id)s"
+#"create_subnet:segment_id": "rule:admin_only"
# DEPRECATED
# "create_subnet:segment_id":"rule:admin_only" has been deprecated
-# since W in favor of "create_subnet:segment_id":"role:admin and
-# project_id:%(project_id)s".
+# since W in favor of "create_subnet:segment_id":"rule:admin_only".
# The subnet API now supports system scope and default roles.
# Specify ``service_types`` attribute when creating a subnet
# POST /subnets
# Intended scope(s): project
-#"create_subnet:service_types": "role:admin and project_id:%(project_id)s"
+#"create_subnet:service_types": "rule:admin_only"
# DEPRECATED
# "create_subnet:service_types":"rule:admin_only" has been deprecated
-# since W in favor of "create_subnet:service_types":"role:admin and
-# project_id:%(project_id)s".
+# since W in favor of "create_subnet:service_types":"rule:admin_only".
# The subnet API now supports system scope and default roles.
# Get a subnet
# GET /subnets
# GET /subnets/{id}
# Intended scope(s): project
-#"get_subnet": "role:reader and project_id:%(project_id)s or rule:shared"
+#"get_subnet": "rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared"
# DEPRECATED
# "get_subnet":"rule:admin_or_owner or rule:shared" has been
-# deprecated since W in favor of "get_subnet":"role:reader and
-# project_id:%(project_id)s or rule:shared".
+# deprecated since W in favor of "get_subnet":"rule:admin_only or
+# role:reader and project_id:%(project_id)s or rule:shared".
# The subnet API now supports system scope and default roles.
# Get ``segment_id`` attribute of a subnet
# GET /subnets
# GET /subnets/{id}
# Intended scope(s): project
-#"get_subnet:segment_id": "role:admin and project_id:%(project_id)s"
+#"get_subnet:segment_id": "rule:admin_only"
# DEPRECATED
# "get_subnet:segment_id":"rule:admin_only" has been deprecated since
-# W in favor of "get_subnet:segment_id":"role:admin and
-# project_id:%(project_id)s".
+# W in favor of "get_subnet:segment_id":"rule:admin_only".
# The subnet API now supports system scope and default roles.
# Update a subnet
# PUT /subnets/{id}
# Intended scope(s): project
-#"update_subnet": "role:member and project_id:%(project_id)s or rule:network_owner"
+#"update_subnet": "rule:admin_only or role:member and project_id:%(project_id)s or rule:network_owner"
# DEPRECATED
# "update_subnet":"rule:admin_or_network_owner" has been deprecated
-# since W in favor of "update_subnet":"role:member and
-# project_id:%(project_id)s or rule:network_owner".
+# since W in favor of "update_subnet":"rule:admin_only or role:member
+# and project_id:%(project_id)s or rule:network_owner".
# The subnet API now supports system scope and default roles.
# Update ``segment_id`` attribute of a subnet
# PUT /subnets/{id}
# Intended scope(s): project
-#"update_subnet:segment_id": "role:admin and project_id:%(project_id)s"
+#"update_subnet:segment_id": "rule:admin_only"
# DEPRECATED
# "update_subnet:segment_id":"rule:admin_only" has been deprecated
-# since W in favor of "update_subnet:segment_id":"role:admin and
-# project_id:%(project_id)s".
+# since W in favor of "update_subnet:segment_id":"rule:admin_only".
# The subnet API now supports system scope and default roles.
# Update ``service_types`` attribute of a subnet
# PUT /subnets/{id}
# Intended scope(s): project
-#"update_subnet:service_types": "role:admin and project_id:%(project_id)s"
+#"update_subnet:service_types": "rule:admin_only"
# DEPRECATED
# "update_subnet:service_types":"rule:admin_only" has been deprecated
-# since W in favor of "update_subnet:service_types":"role:admin and
-# project_id:%(project_id)s".
+# since W in favor of "update_subnet:service_types":"rule:admin_only".
# The subnet API now supports system scope and default roles.
# Delete a subnet
# DELETE /subnets/{id}
# Intended scope(s): project
-#"delete_subnet": "role:member and project_id:%(project_id)s or rule:network_owner"
+#"delete_subnet": "rule:admin_only or role:member and project_id:%(project_id)s or rule:network_owner"
# DEPRECATED
# "delete_subnet":"rule:admin_or_network_owner" has been deprecated
-# since W in favor of "delete_subnet":"role:member and
-# project_id:%(project_id)s or rule:network_owner".
+# since W in favor of "delete_subnet":"rule:admin_only or role:member
+# and project_id:%(project_id)s or rule:network_owner".
# The subnet API now supports system scope and default roles.
# Definition of a shared subnetpool
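Review bot: The DEPRECATED blocks for the segment rules no longer describe a change. After this sync they read `"create_segment":"rule:admin_only" has been deprecated since W in favor of "create_segment":"rule:admin_only"`, and likewise for `get_segment`, `update_segment` and `delete_segment`, so an operator cannot tell from the comment whether an existing override is affected. Further down in the same hunk, the subnet rules still say `The subnet API now supports system scope and default roles` directly under `Intended scope(s): project`, which contradicts the scope line. These comments look generated, so the fix probably belongs where they are produced; a plain line such as `# Default is rule:admin_only, same as the legacy rule; intended scope is project.` would state what the file now means.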
@@ -2548,111 +2503,111 @@
# Create a subnetpool
# POST /subnetpools
# Intended scope(s): project
-#"create_subnetpool": "role:member and project_id:%(project_id)s"
+#"create_subnetpool": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "create_subnetpool":"rule:regular_user" has been deprecated since W
-# in favor of "create_subnetpool":"role:member and
+# in favor of "create_subnetpool":"rule:admin_only or role:member and
# project_id:%(project_id)s".
# The subnet pool API now supports system scope and default roles.
# Create a shared subnetpool
# POST /subnetpools
# Intended scope(s): project
-#"create_subnetpool:shared": "role:admin and project_id:%(project_id)s"
+#"create_subnetpool:shared": "rule:admin_only"
# DEPRECATED
# "create_subnetpool:shared":"rule:admin_only" has been deprecated
-# since W in favor of "create_subnetpool:shared":"role:admin and
-# project_id:%(project_id)s".
+# since W in favor of "create_subnetpool:shared":"rule:admin_only".
# The subnet pool API now supports system scope and default roles.
# Specify ``is_default`` attribute when creating a subnetpool
# POST /subnetpools
# Intended scope(s): project
-#"create_subnetpool:is_default": "role:admin and project_id:%(project_id)s"
+#"create_subnetpool:is_default": "rule:admin_only"
# DEPRECATED
# "create_subnetpool:is_default":"rule:admin_only" has been deprecated
-# since W in favor of "create_subnetpool:is_default":"role:admin and
-# project_id:%(project_id)s".
+# since W in favor of
+# "create_subnetpool:is_default":"rule:admin_only".
# The subnet pool API now supports system scope and default roles.
# Get a subnetpool
# GET /subnetpools
# GET /subnetpools/{id}
# Intended scope(s): project
-#"get_subnetpool": "role:reader and project_id:%(project_id)s or rule:shared_subnetpools"
+#"get_subnetpool": "rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared_subnetpools"
# DEPRECATED
# "get_subnetpool":"rule:admin_or_owner or rule:shared_subnetpools"
# has been deprecated since W in favor of
-# "get_subnetpool":"role:reader and project_id:%(project_id)s or
-# rule:shared_subnetpools".
+# "get_subnetpool":"rule:admin_only or role:reader and
+# project_id:%(project_id)s or rule:shared_subnetpools".
# The subnet pool API now supports system scope and default roles.
# Update a subnetpool
# PUT /subnetpools/{id}
# Intended scope(s): project
-#"update_subnetpool": "role:member and project_id:%(project_id)s"
+#"update_subnetpool": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "update_subnetpool":"rule:admin_or_owner" has been deprecated since
-# W in favor of "update_subnetpool":"role:member and
-# project_id:%(project_id)s".
+# W in favor of "update_subnetpool":"rule:admin_only or role:member
+# and project_id:%(project_id)s".
# The subnet pool API now supports system scope and default roles.
# Update ``is_default`` attribute of a subnetpool
# PUT /subnetpools/{id}
# Intended scope(s): project
-#"update_subnetpool:is_default": "role:admin and project_id:%(project_id)s"
+#"update_subnetpool:is_default": "rule:admin_only"
# DEPRECATED
# "update_subnetpool:is_default":"rule:admin_only" has been deprecated
-# since W in favor of "update_subnetpool:is_default":"role:admin and
-# project_id:%(project_id)s".
+# since W in favor of
+# "update_subnetpool:is_default":"rule:admin_only".
# The subnet pool API now supports system scope and default roles.
# Delete a subnetpool
# DELETE /subnetpools/{id}
# Intended scope(s): project
-#"delete_subnetpool": "role:member and project_id:%(project_id)s"
+#"delete_subnetpool": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "delete_subnetpool":"rule:admin_or_owner" has been deprecated since
-# W in favor of "delete_subnetpool":"role:member and
-# project_id:%(project_id)s".
+# W in favor of "delete_subnetpool":"rule:admin_only or role:member
+# and project_id:%(project_id)s".
# The subnet pool API now supports system scope and default roles.
# Onboard existing subnet into a subnetpool
# PUT /subnetpools/{id}/onboard_network_subnets
# Intended scope(s): project
-#"onboard_network_subnets": "role:member and project_id:%(project_id)s"
+#"onboard_network_subnets": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "onboard_network_subnets":"rule:admin_or_owner" has been deprecated
-# since W in favor of "onboard_network_subnets":"role:member and
-# project_id:%(project_id)s".
+# since W in favor of "onboard_network_subnets":"rule:admin_only or
+# role:member and project_id:%(project_id)s".
# The subnet pool API now supports system scope and default roles.
# Add prefixes to a subnetpool
# PUT /subnetpools/{id}/add_prefixes
# Intended scope(s): project
-#"add_prefixes": "role:member and project_id:%(project_id)s"
+#"add_prefixes": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "add_prefixes":"rule:admin_or_owner" has been deprecated since W in
-# favor of "add_prefixes":"role:member and project_id:%(project_id)s".
+# favor of "add_prefixes":"rule:admin_only or role:member and
+# project_id:%(project_id)s".
# The subnet pool API now supports system scope and default roles.
# Remove unallocated prefixes from a subnetpool
# PUT /subnetpools/{id}/remove_prefixes
# Intended scope(s): project
-#"remove_prefixes": "role:member and project_id:%(project_id)s"
+#"remove_prefixes": "rule:admin_only or role:member and project_id:%(project_id)s"
# DEPRECATED
# "remove_prefixes":"rule:admin_or_owner" has been deprecated since W
-# in favor of "remove_prefixes":"role:member and
+# in favor of "remove_prefixes":"rule:admin_only or role:member and
# project_id:%(project_id)s".
# The subnet pool API now supports system scope and default roles.
diff --git a/openstack_dashboard/conf/nova_policy.yaml b/openstack_dashboard/conf/nova_policy.yaml
index faed1abf0..824854b54 100644
--- a/openstack_dashboard/conf/nova_policy.yaml
+++ b/openstack_dashboard/conf/nova_policy.yaml
@@ -7,7 +7,16 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"rule:admin_api": "rule:context_is_admin"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "rule:admin_api": "rule:context_is_admin"
# DEPRECATED
# "admin_or_owner" has been deprecated since 21.0.0.
@@ -25,18 +34,6 @@
# Default rule for most Admin APIs.
#"admin_api": "is_admin:True"
-# Default rule for Project level admin APIs.
-#"project_admin_api": "role:admin and project_id:%(project_id)s"
-
-# DEPRECATED
-# "rule:admin_api":"is_admin:True" has been deprecated since 21.0.0 in
-# favor of "project_admin_api":"role:admin and
-# project_id:%(project_id)s".
-# Nova API policies are introducing new default roles with scope_type
-# capabilities. Old policies are deprecated and silently going to be
-# ignored in nova 23.0.0 release.
-#"rule:admin_api": "rule:project_admin_api"
-
# Default rule for Project level non admin APIs.
#"project_member_api": "role:member and project_id:%(project_id)s"
@@ -47,7 +44,16 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"rule:admin_or_owner": "rule:project_member_api"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "rule:admin_or_owner": "rule:project_member_api"
# Default rule for Project level read only APIs.
#"project_reader_api": "role:reader and project_id:%(project_id)s"
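Review bot: The key `"rule:admin_or_owner"` is listed as a commented alias with a different target in each place: `rule:project_member_api` in this hunk, `rule:project_reader_api` and `rule:project_member_or_admin` in @@ -59,9 +65,40 @@, and `rule:project_reader_or_admin` in @@ -72,66 +109,75 @@. The new WARNING text asks for case-by-case evaluation but does not say the aliases are mutually exclusive. An operator who uncomments more than one ends up with duplicate YAML keys, and which target then applies depends on the loader (presumably the last one wins), which matters because the reader and member targets differ in privilege. I would add one line to the block, for example `# NOTE: enable at most one "rule:admin_or_owner" alias; duplicate keys are not merged.` If this file is regenerated on every sync, the caveat belongs in the commit message or a release note instead.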
@@ -59,9 +65,40 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"rule:admin_or_owner": "rule:project_reader_api"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "rule:admin_or_owner": "rule:project_reader_api"
+
+# Default rule for Project Member or admin APIs.
+#"project_member_or_admin": "rule:project_member_api or rule:context_is_admin"
+
+# DEPRECATED
+# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s"
+# has been deprecated since 21.0.0 in favor of
+# "project_member_or_admin":"rule:project_member_api or
+# rule:context_is_admin".
+# Nova API policies are introducing new default roles with scope_type
+# capabilities. Old policies are deprecated and silently going to be
+# ignored in nova 23.0.0 release.
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "rule:admin_or_owner": "rule:project_member_or_admin"
-# Default rule for Project reader and admin APIs.
+# Default rule for Project reader or admin APIs.
#"project_reader_or_admin": "rule:project_reader_api or rule:context_is_admin"
# DEPRECATED
@@ -72,66 +109,75 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"rule:admin_or_owner": "rule:project_reader_or_admin"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "rule:admin_or_owner": "rule:project_reader_or_admin"
# Reset the state of a given server
# POST /servers/{server_id}/action (os-resetState)
# Intended scope(s): project
-#"os_compute_api:os-admin-actions:reset_state": "rule:project_admin_api"
+#"os_compute_api:os-admin-actions:reset_state": "rule:context_is_admin"
# Inject network information into the server
# POST /servers/{server_id}/action (injectNetworkInfo)
# Intended scope(s): project
-#"os_compute_api:os-admin-actions:inject_network_info": "rule:project_admin_api"
+#"os_compute_api:os-admin-actions:inject_network_info": "rule:context_is_admin"
# Change the administrative password for a server
# POST /servers/{server_id}/action (changePassword)
# Intended scope(s): project
-#"os_compute_api:os-admin-password": "rule:project_member_api"
+#"os_compute_api:os-admin-password": "rule:project_member_or_admin"
# Create or replace metadata for an aggregate
# POST /os-aggregates/{aggregate_id}/action (set_metadata)
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-aggregates:set_metadata": "rule:context_is_admin"
# Add a host to an aggregate
# POST /os-aggregates/{aggregate_id}/action (add_host)
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-aggregates:add_host": "rule:context_is_admin"
# Create an aggregate
# POST /os-aggregates
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-aggregates:create": "rule:context_is_admin"
# Remove a host from an aggregate
# POST /os-aggregates/{aggregate_id}/action (remove_host)
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-aggregates:remove_host": "rule:context_is_admin"
# Update name and/or availability zone for an aggregate
# PUT /os-aggregates/{aggregate_id}
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-aggregates:update": "rule:context_is_admin"
# List all aggregates
# GET /os-aggregates
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-aggregates:index": "rule:context_is_admin"
# Delete an aggregate
# DELETE /os-aggregates/{aggregate_id}
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-aggregates:delete": "rule:context_is_admin"
# Show details for an aggregate
# GET /os-aggregates/{aggregate_id}
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-aggregates:show": "rule:context_is_admin"
# Request image caching for an aggregate
# POST /os-aggregates/{aggregate_id}/images
-# Intended scope(s): system
+# Intended scope(s): project
#"compute:aggregates:images": "rule:context_is_admin"
# Create an assisted volume snapshot
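Review bot: `os_compute_api:os-admin-actions:reset_state` and `os_compute_api:os-admin-actions:inject_network_info` now default to `rule:context_is_admin` in place of `rule:project_admin_api`, which the previous hunk removes and which was defined as `role:admin and project_id:%(project_id)s`. The definition of `context_is_admin` is outside this hunk; if it is a plain role check, the project-ownership condition is gone for these actions while the comment above each still reads `Intended scope(s): project`. The same substitution is made for `os-console-auth-tokens` and `os-evacuate` in @@ -238,56 +329,83 @@ and for `os-extended-server-attributes` in @@ -318,23 +436,23 @@. The commit message only says the rules were synced, so I would state this widening there and, once the definition is confirmed, add above each affected rule a line such as `# NOTE: the admin check is not limited to the server's project.`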
@@ -147,74 +193,110 @@
# List port interfaces attached to a server
# GET /servers/{server_id}/os-interface
# Intended scope(s): project
-#"os_compute_api:os-attach-interfaces:list": "rule:project_reader_api"
+#"os_compute_api:os-attach-interfaces:list": "rule:project_reader_or_admin"
# DEPRECATED
# "os_compute_api:os-attach-interfaces":"rule:admin_or_owner" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-attach-
-# interfaces:list":"rule:project_reader_api".
+# interfaces:list":"rule:project_reader_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:list"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:list"
# Show details of a port interface attached to a server
# GET /servers/{server_id}/os-interface/{port_id}
# Intended scope(s): project
-#"os_compute_api:os-attach-interfaces:show": "rule:project_reader_api"
+#"os_compute_api:os-attach-interfaces:show": "rule:project_reader_or_admin"
# DEPRECATED
# "os_compute_api:os-attach-interfaces":"rule:admin_or_owner" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-attach-
-# interfaces:show":"rule:project_reader_api".
+# interfaces:show":"rule:project_reader_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:show"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:show"
# Attach an interface to a server
# POST /servers/{server_id}/os-interface
# Intended scope(s): project
-#"os_compute_api:os-attach-interfaces:create": "rule:project_member_api"
+#"os_compute_api:os-attach-interfaces:create": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-attach-interfaces":"rule:admin_or_owner" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-attach-
-# interfaces:create":"rule:project_member_api".
+# interfaces:create":"rule:project_member_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:create"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:create"
# Detach an interface from a server
# DELETE /servers/{server_id}/os-interface/{port_id}
# Intended scope(s): project
-#"os_compute_api:os-attach-interfaces:delete": "rule:project_member_api"
+#"os_compute_api:os-attach-interfaces:delete": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-attach-interfaces":"rule:admin_or_owner" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-attach-
-# interfaces:delete":"rule:project_member_api".
+# interfaces:delete":"rule:project_member_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:delete"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:delete"
# List availability zone information without host information
# GET /os-availability-zone
-# Intended scope(s): system, project
+# Intended scope(s): project
#"os_compute_api:os-availability-zone:list": "@"
# List detailed availability zone information with host information
# GET /os-availability-zone/detail
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-availability-zone:detail": "rule:context_is_admin"
# List and show details of bare metal nodes.
#
# These APIs are proxy calls to the Ironic service and are deprecated.
# GET /os-baremetal-nodes
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-baremetal-nodes:list": "rule:context_is_admin"
# DEPRECATED
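Review bot: The `Intended scope(s)` line for host-level APIs changes from `system` to `project` while the check string stays `rule:context_is_admin`. This affects `os-availability-zone:detail` and `os-baremetal-nodes:list` in this hunk, the `os-aggregates` rules in the previous hunk, and the `os-baremetal-nodes:show`, `os-flavor-manage`, `os-hosts` and `os-hypervisors` rules in later hunks. A deployment that relied on system-scoped tokens to keep these operations away from project-scoped admins would read this sample as saying a project-scoped token is now the expected credential. The commit message mentions only a sync, so I would call out the scope change there, so that operators re-check scope-enforcement settings and admin role assignments before adopting the new defaults.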
@@ -224,11 +306,20 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-baremetal-nodes": "rule:os_compute_api:os-baremetal-nodes:list"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-baremetal-nodes": "rule:os_compute_api:os-baremetal-nodes:list"
# Show action details for a server.
# GET /os-baremetal-nodes/{node_id}
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-baremetal-nodes:show": "rule:context_is_admin"
# DEPRECATED
@@ -238,56 +329,83 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-baremetal-nodes": "rule:os_compute_api:os-baremetal-nodes:show"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-baremetal-nodes": "rule:os_compute_api:os-baremetal-nodes:show"
# Show console connection information for a given console
# authentication token
# GET /os-console-auth-tokens/{console_token}
# Intended scope(s): project
-#"os_compute_api:os-console-auth-tokens": "rule:project_admin_api"
+#"os_compute_api:os-console-auth-tokens": "rule:context_is_admin"
# Show console output for a server
# POST /servers/{server_id}/action (os-getConsoleOutput)
# Intended scope(s): project
-#"os_compute_api:os-console-output": "rule:project_member_api"
+#"os_compute_api:os-console-output": "rule:project_member_or_admin"
# Create a back up of a server
# POST /servers/{server_id}/action (createBackup)
# Intended scope(s): project
-#"os_compute_api:os-create-backup": "rule:project_member_api"
+#"os_compute_api:os-create-backup": "rule:project_member_or_admin"
# Restore a soft deleted server
# POST /servers/{server_id}/action (restore)
# Intended scope(s): project
-#"os_compute_api:os-deferred-delete:restore": "rule:project_member_api"
+#"os_compute_api:os-deferred-delete:restore": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-deferred-delete":"rule:admin_or_owner" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-deferred-
-# delete:restore":"rule:project_member_api".
+# delete:restore":"rule:project_member_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-deferred-delete": "rule:os_compute_api:os-deferred-delete:restore"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-deferred-delete": "rule:os_compute_api:os-deferred-delete:restore"
# Force delete a server before deferred cleanup
# POST /servers/{server_id}/action (forceDelete)
# Intended scope(s): project
-#"os_compute_api:os-deferred-delete:force": "rule:project_member_api"
+#"os_compute_api:os-deferred-delete:force": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-deferred-delete":"rule:admin_or_owner" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-deferred-
-# delete:force":"rule:project_member_api".
+# delete:force":"rule:project_member_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-deferred-delete": "rule:os_compute_api:os-deferred-delete:force"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-deferred-delete": "rule:os_compute_api:os-deferred-delete:force"
# Evacuate a server from a failed host to a new host
# POST /servers/{server_id}/action (evacuate)
# Intended scope(s): project
-#"os_compute_api:os-evacuate": "rule:project_admin_api"
+#"os_compute_api:os-evacuate": "rule:context_is_admin"
# Return extended attributes for server.
#
@@ -318,23 +436,23 @@
# PUT /servers/{server_id}
# POST /servers/{server_id}/action (rebuild)
# Intended scope(s): project
-#"os_compute_api:os-extended-server-attributes": "rule:project_admin_api"
+#"os_compute_api:os-extended-server-attributes": "rule:context_is_admin"
# List available extensions and show information for an extension by
# alias
# GET /extensions
# GET /extensions/{alias}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"os_compute_api:extensions": "@"
# Add flavor access to a tenant
# POST /flavors/{flavor_id}/action (addTenantAccess)
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-flavor-access:add_tenant_access": "rule:context_is_admin"
# Remove flavor access from a tenant
# POST /flavors/{flavor_id}/action (removeTenantAccess)
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-flavor-access:remove_tenant_access": "rule:context_is_admin"
# List flavor access information
@@ -342,7 +460,7 @@
# Allows access to the full list of tenants that have access to a
# flavor via an os-flavor-access API.
# GET /flavors/{flavor_id}/os-flavor-access
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-flavor-access": "rule:context_is_admin"
# DEPRECATED
@@ -355,22 +473,22 @@
# Show an extra spec for a flavor
# GET /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"os_compute_api:os-flavor-extra-specs:show": "rule:project_reader_or_admin"
# Create extra specs for a flavor
# POST /flavors/{flavor_id}/os-extra_specs/
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-flavor-extra-specs:create": "rule:context_is_admin"
# Update an extra spec for a flavor
# PUT /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-flavor-extra-specs:update": "rule:context_is_admin"
# Delete an extra spec for a flavor
# DELETE /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-flavor-extra-specs:delete": "rule:context_is_admin"
# List extra specs for a flavor. Starting with microversion 2.61,
@@ -380,118 +498,172 @@
# GET /flavors/detail
# GET /flavors/{flavor_id}
# PUT /flavors/{flavor_id}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"os_compute_api:os-flavor-extra-specs:index": "rule:project_reader_or_admin"
# Create a flavor
# POST /flavors
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-flavor-manage:create": "rule:context_is_admin"
# Update a flavor
# PUT /flavors/{flavor_id}
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-flavor-manage:update": "rule:context_is_admin"
# Delete a flavor
# DELETE /flavors/{flavor_id}
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-flavor-manage:delete": "rule:context_is_admin"
# List floating IP pools. This API is deprecated.
# GET /os-floating-ip-pools
-# Intended scope(s): system, project
+# Intended scope(s): project
#"os_compute_api:os-floating-ip-pools": "@"
# Associate floating IPs to server. This API is deprecated.
# POST /servers/{server_id}/action (addFloatingIp)
# Intended scope(s): project
-#"os_compute_api:os-floating-ips:add": "rule:project_member_api"
+#"os_compute_api:os-floating-ips:add": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-floating-
-# ips:add":"rule:project_member_api".
+# ips:add":"rule:project_member_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:add"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:add"
# Disassociate floating IPs to server. This API is deprecated.
# POST /servers/{server_id}/action (removeFloatingIp)
# Intended scope(s): project
-#"os_compute_api:os-floating-ips:remove": "rule:project_member_api"
+#"os_compute_api:os-floating-ips:remove": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-floating-
-# ips:remove":"rule:project_member_api".
+# ips:remove":"rule:project_member_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:remove"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:remove"
# List floating IPs. This API is deprecated.
# GET /os-floating-ips
# Intended scope(s): project
-#"os_compute_api:os-floating-ips:list": "rule:project_reader_api"
+#"os_compute_api:os-floating-ips:list": "rule:project_reader_or_admin"
# DEPRECATED
# "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-floating-
-# ips:list":"rule:project_reader_api".
+# ips:list":"rule:project_reader_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:list"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:list"
# Create floating IPs. This API is deprecated.
# POST /os-floating-ips
# Intended scope(s): project
-#"os_compute_api:os-floating-ips:create": "rule:project_member_api"
+#"os_compute_api:os-floating-ips:create": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-floating-
-# ips:create":"rule:project_member_api".
+# ips:create":"rule:project_member_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:create"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:create"
# Show floating IPs. This API is deprecated.
# GET /os-floating-ips/{floating_ip_id}
# Intended scope(s): project
-#"os_compute_api:os-floating-ips:show": "rule:project_reader_api"
+#"os_compute_api:os-floating-ips:show": "rule:project_reader_or_admin"
# DEPRECATED
# "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-floating-
-# ips:show":"rule:project_reader_api".
+# ips:show":"rule:project_reader_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:show"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:show"
# Delete floating IPs. This API is deprecated.
# DELETE /os-floating-ips/{floating_ip_id}
# Intended scope(s): project
-#"os_compute_api:os-floating-ips:delete": "rule:project_member_api"
+#"os_compute_api:os-floating-ips:delete": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-floating-
-# ips:delete":"rule:project_member_api".
+# ips:delete":"rule:project_member_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:delete"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-floating-ips": "rule:os_compute_api:os-floating-ips:delete"
# List physical hosts.
#
# This API is deprecated in favor of os-hypervisors and os-services.
# GET /os-hosts
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-hosts:list": "rule:context_is_admin"
# DEPRECATED
@@ -501,13 +673,22 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:list"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:list"
# Show physical host.
#
# This API is deprecated in favor of os-hypervisors and os-services.
# GET /os-hosts/{host_name}
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-hosts:show": "rule:context_is_admin"
# DEPRECATED
@@ -517,13 +698,22 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:show"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:show"
# Update physical host.
#
# This API is deprecated in favor of os-hypervisors and os-services.
# PUT /os-hosts/{host_name}
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-hosts:update": "rule:context_is_admin"
# DEPRECATED
@@ -533,13 +723,22 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:update"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:update"
# Reboot physical host.
#
# This API is deprecated in favor of os-hypervisors and os-services.
# GET /os-hosts/{host_name}/reboot
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-hosts:reboot": "rule:context_is_admin"
# DEPRECATED
@@ -549,13 +748,22 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:reboot"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:reboot"
# Shutdown physical host.
#
# This API is deprecated in favor of os-hypervisors and os-services.
# GET /os-hosts/{host_name}/shutdown
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-hosts:shutdown": "rule:context_is_admin"
# DEPRECATED
@@ -565,13 +773,22 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:shutdown"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:shutdown"
# Start physical host.
#
# This API is deprecated in favor of os-hypervisors and os-services.
# GET /os-hosts/{host_name}/startup
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-hosts:start": "rule:context_is_admin"
# DEPRECATED
@@ -581,11 +798,20 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:start"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-hosts": "rule:os_compute_api:os-hosts:start"
# List all hypervisors.
# GET /os-hypervisors
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-hypervisors:list": "rule:context_is_admin"
# DEPRECATED
@@ -595,11 +821,20 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:list"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:list"
# List all hypervisors with details
# GET /os-hypervisors/details
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-hypervisors:list-detail": "rule:context_is_admin"
# DEPRECATED
@@ -609,11 +844,20 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:list-detail"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:list-detail"
# Show summary statistics for all hypervisors over all compute nodes.
# GET /os-hypervisors/statistics
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-hypervisors:statistics": "rule:context_is_admin"
# DEPRECATED
@@ -623,11 +867,20 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:statistics"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:statistics"
# Show details for a hypervisor.
# GET /os-hypervisors/{hypervisor_id}
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-hypervisors:show": "rule:context_is_admin"
# DEPRECATED
@@ -637,11 +890,20 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:show"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:show"
# Show the uptime of a hypervisor.
# GET /os-hypervisors/{hypervisor_id}/uptime
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-hypervisors:uptime": "rule:context_is_admin"
# DEPRECATED
@@ -651,11 +913,20 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:uptime"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:uptime"
# Search hypervisor by hypervisor_hostname pattern.
# GET /os-hypervisors/{hypervisor_hostname_pattern}/search
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-hypervisors:search": "rule:context_is_admin"
# DEPRECATED
@@ -665,12 +936,21 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:search"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:search"
# List all servers on hypervisors that can match the provided
# hypervisor_hostname pattern.
# GET /os-hypervisors/{hypervisor_hostname_pattern}/servers
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-hypervisors:servers": "rule:context_is_admin"
# DEPRECATED
@@ -680,7 +960,16 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:servers"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:servers"
# Add "details" key in action events for a server.
#
@@ -694,7 +983,7 @@
# information about the deployment (e.g. the type of the hypervisor).
# GET /servers/{server_id}/os-instance-actions/{request_id}
# Intended scope(s): project
-#"os_compute_api:os-instance-actions:events:details": "rule:project_admin_api"
+#"os_compute_api:os-instance-actions:events:details": "rule:context_is_admin"
# Add events details in action details for a server. This check is
# performed only after the check os_compute_api:os-instance-
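Review bot: Whether the new default on `os_compute_api:os-instance-actions:events:details` widens access cannot be told from this hunk, because it replaces `rule:project_admin_api` with `rule:context_is_admin` and defines neither. The context line above says the rule guards information about the deployment, so if the old rule also required a project match (inferred from its name only), the new default would admit admins of any project. The same replacement is made for events, limits:other_project, unlock_override, migrate, migrate_live, os-migrations:index and the os-quota-sets update and delete rules in later hunks. I would ask for one sentence in the commit message naming the substitution, e.g. `project_admin_api defaults are replaced by context_is_admin.` The rule's description starts above the hunk.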
@@ -705,39 +994,57 @@
# enforcement passes, the name of the host.
# GET /servers/{server_id}/os-instance-actions/{request_id}
# Intended scope(s): project
-#"os_compute_api:os-instance-actions:events": "rule:project_admin_api"
+#"os_compute_api:os-instance-actions:events": "rule:context_is_admin"
# List actions for a server.
# GET /servers/{server_id}/os-instance-actions
# Intended scope(s): project
-#"os_compute_api:os-instance-actions:list": "rule:project_reader_api"
+#"os_compute_api:os-instance-actions:list": "rule:project_reader_or_admin"
# DEPRECATED
# "os_compute_api:os-instance-actions":"rule:admin_or_owner" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-instance-
-# actions:list":"rule:project_reader_api".
+# actions:list":"rule:project_reader_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-instance-actions": "rule:os_compute_api:os-instance-actions:list"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-instance-actions": "rule:os_compute_api:os-instance-actions:list"
# Show action details for a server.
# GET /servers/{server_id}/os-instance-actions/{request_id}
# Intended scope(s): project
-#"os_compute_api:os-instance-actions:show": "rule:project_reader_api"
+#"os_compute_api:os-instance-actions:show": "rule:project_reader_or_admin"
# DEPRECATED
# "os_compute_api:os-instance-actions":"rule:admin_or_owner" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-instance-
-# actions:show":"rule:project_reader_api".
+# actions:show":"rule:project_reader_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-instance-actions": "rule:os_compute_api:os-instance-actions:show"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-instance-actions": "rule:os_compute_api:os-instance-actions:show"
# List all usage audits.
# GET /os-instance_usage_audit_log
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-instance-usage-audit-log:list": "rule:context_is_admin"
# DEPRECATED
@@ -747,12 +1054,21 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-instance-usage-audit-log": "rule:os_compute_api:os-instance-usage-audit-log:list"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-instance-usage-audit-log": "rule:os_compute_api:os-instance-usage-audit-log:list"
# List all usage audits occurred before a specified time for all
# servers on all compute hosts where usage auditing is configured
# GET /os-instance_usage_audit_log/{before_timestamp}
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-instance-usage-audit-log:show": "rule:context_is_admin"
# DEPRECATED
@@ -762,36 +1078,45 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-instance-usage-audit-log": "rule:os_compute_api:os-instance-usage-audit-log:show"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-instance-usage-audit-log": "rule:os_compute_api:os-instance-usage-audit-log:show"
# Show IP addresses details for a network label of a server
# GET /servers/{server_id}/ips/{network_label}
# Intended scope(s): project
-#"os_compute_api:ips:show": "rule:project_reader_api"
+#"os_compute_api:ips:show": "rule:project_reader_or_admin"
# List IP addresses that are assigned to a server
# GET /servers/{server_id}/ips
# Intended scope(s): project
-#"os_compute_api:ips:index": "rule:project_reader_api"
+#"os_compute_api:ips:index": "rule:project_reader_or_admin"
# List all keypairs
# GET /os-keypairs
-# Intended scope(s): system, project
+# Intended scope(s): project
#"os_compute_api:os-keypairs:index": "(rule:context_is_admin) or user_id:%(user_id)s"
# Create a keypair
# POST /os-keypairs
-# Intended scope(s): system, project
+# Intended scope(s): project
#"os_compute_api:os-keypairs:create": "(rule:context_is_admin) or user_id:%(user_id)s"
# Delete a keypair
# DELETE /os-keypairs/{keypair_name}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"os_compute_api:os-keypairs:delete": "(rule:context_is_admin) or user_id:%(user_id)s"
# Show details of a keypair
# GET /os-keypairs/{keypair_name}
-# Intended scope(s): system, project
+# Intended scope(s): project
#"os_compute_api:os-keypairs:show": "(rule:context_is_admin) or user_id:%(user_id)s"
# Show rate and absolute limits for the current user project
@@ -806,26 +1131,35 @@
# os_compute_api:limits passes
# GET /limits
# Intended scope(s): project
-#"os_compute_api:limits:other_project": "rule:project_admin_api"
+#"os_compute_api:limits:other_project": "rule:context_is_admin"
# DEPRECATED
# "os_compute_api:os-used-limits":"rule:admin_api" has been deprecated
# since 21.0.0 in favor of
-# "os_compute_api:limits:other_project":"rule:project_admin_api".
+# "os_compute_api:limits:other_project":"rule:context_is_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-used-limits": "rule:os_compute_api:limits:other_project"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-used-limits": "rule:os_compute_api:limits:other_project"
# Lock a server
# POST /servers/{server_id}/action (lock)
# Intended scope(s): project
-#"os_compute_api:os-lock-server:lock": "rule:project_member_api"
+#"os_compute_api:os-lock-server:lock": "rule:project_member_or_admin"
# Unlock a server
# POST /servers/{server_id}/action (unlock)
# Intended scope(s): project
-#"os_compute_api:os-lock-server:unlock": "rule:project_member_api"
+#"os_compute_api:os-lock-server:unlock": "rule:project_member_or_admin"
# Unlock a server, regardless who locked the server.
#
@@ -833,131 +1167,167 @@
# server:unlock passes
# POST /servers/{server_id}/action (unlock)
# Intended scope(s): project
-#"os_compute_api:os-lock-server:unlock:unlock_override": "rule:project_admin_api"
+#"os_compute_api:os-lock-server:unlock:unlock_override": "rule:context_is_admin"
# Cold migrate a server to a host
# POST /servers/{server_id}/action (migrate)
# Intended scope(s): project
-#"os_compute_api:os-migrate-server:migrate": "rule:project_admin_api"
+#"os_compute_api:os-migrate-server:migrate": "rule:context_is_admin"
# Live migrate a server to a new host without a reboot
# POST /servers/{server_id}/action (os-migrateLive)
# Intended scope(s): project
-#"os_compute_api:os-migrate-server:migrate_live": "rule:project_admin_api"
+#"os_compute_api:os-migrate-server:migrate_live": "rule:context_is_admin"
# List migrations
# GET /os-migrations
# Intended scope(s): project
-#"os_compute_api:os-migrations:index": "rule:project_admin_api"
+#"os_compute_api:os-migrations:index": "rule:context_is_admin"
# Add a fixed IP address to a server.
#
# This API is proxy calls to the Network service. This is deprecated.
# POST /servers/{server_id}/action (addFixedIp)
# Intended scope(s): project
-#"os_compute_api:os-multinic:add": "rule:project_member_api"
+#"os_compute_api:os-multinic:add": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-multinic":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-
-# multinic:add":"rule:project_member_api".
+# multinic:add":"rule:project_member_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-multinic": "rule:os_compute_api:os-multinic:add"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-multinic": "rule:os_compute_api:os-multinic:add"
# Remove a fixed IP address from a server.
#
# This API is proxy calls to the Network service. This is deprecated.
# POST /servers/{server_id}/action (removeFixedIp)
# Intended scope(s): project
-#"os_compute_api:os-multinic:remove": "rule:project_member_api"
+#"os_compute_api:os-multinic:remove": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-multinic":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-
-# multinic:remove":"rule:project_member_api".
+# multinic:remove":"rule:project_member_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-multinic": "rule:os_compute_api:os-multinic:remove"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-multinic": "rule:os_compute_api:os-multinic:remove"
# List networks for the project.
#
# This API is proxy calls to the Network service. This is deprecated.
# GET /os-networks
# Intended scope(s): project
-#"os_compute_api:os-networks:list": "rule:project_reader_api"
+#"os_compute_api:os-networks:list": "rule:project_reader_or_admin"
# DEPRECATED
# "os_compute_api:os-networks:view":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-
-# networks:list":"rule:project_reader_api".
+# networks:list":"rule:project_reader_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-networks:view": "rule:os_compute_api:os-networks:list"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-networks:view": "rule:os_compute_api:os-networks:list"
# Show network details.
#
# This API is proxy calls to the Network service. This is deprecated.
# GET /os-networks/{network_id}
# Intended scope(s): project
-#"os_compute_api:os-networks:show": "rule:project_reader_api"
+#"os_compute_api:os-networks:show": "rule:project_reader_or_admin"
# DEPRECATED
# "os_compute_api:os-networks:view":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-
-# networks:show":"rule:project_reader_api".
+# networks:show":"rule:project_reader_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-networks:view": "rule:os_compute_api:os-networks:show"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-networks:view": "rule:os_compute_api:os-networks:show"
# Pause a server
# POST /servers/{server_id}/action (pause)
# Intended scope(s): project
-#"os_compute_api:os-pause-server:pause": "rule:project_member_api"
+#"os_compute_api:os-pause-server:pause": "rule:project_member_or_admin"
# Unpause a paused server
# POST /servers/{server_id}/action (unpause)
# Intended scope(s): project
-#"os_compute_api:os-pause-server:unpause": "rule:project_member_api"
+#"os_compute_api:os-pause-server:unpause": "rule:project_member_or_admin"
# List quotas for specific quota classs
# GET /os-quota-class-sets/{quota_class}
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-quota-class-sets:show": "rule:context_is_admin"
# Update quotas for specific quota class
# PUT /os-quota-class-sets/{quota_class}
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-quota-class-sets:update": "rule:context_is_admin"
# Update the quotas
# PUT /os-quota-sets/{tenant_id}
# Intended scope(s): project
-#"os_compute_api:os-quota-sets:update": "rule:project_admin_api"
+#"os_compute_api:os-quota-sets:update": "rule:context_is_admin"
# List default quotas
# GET /os-quota-sets/{tenant_id}/defaults
-# Intended scope(s): system, project
+# Intended scope(s): project
#"os_compute_api:os-quota-sets:defaults": "@"
# Show a quota
# GET /os-quota-sets/{tenant_id}
# Intended scope(s): project
-#"os_compute_api:os-quota-sets:show": "(rule:project_reader_api) or role:admin"
+#"os_compute_api:os-quota-sets:show": "rule:project_reader_or_admin"
# Revert quotas to defaults
# DELETE /os-quota-sets/{tenant_id}
# Intended scope(s): project
-#"os_compute_api:os-quota-sets:delete": "rule:project_admin_api"
+#"os_compute_api:os-quota-sets:delete": "rule:context_is_admin"
# Show the detail of quota
# GET /os-quota-sets/{tenant_id}/detail
# Intended scope(s): project
-#"os_compute_api:os-quota-sets:detail": "(rule:project_reader_api) or role:admin"
+#"os_compute_api:os-quota-sets:detail": "rule:project_reader_or_admin"
# Generate a URL to access remove server console.
#
@@ -972,170 +1342,269 @@
# POST /servers/{server_id}/action (os-getVNCConsole)
# POST /servers/{server_id}/remote-consoles
# Intended scope(s): project
-#"os_compute_api:os-remote-consoles": "rule:project_member_api"
+#"os_compute_api:os-remote-consoles": "rule:project_member_or_admin"
# Rescue a server
# POST /servers/{server_id}/action (rescue)
# Intended scope(s): project
-#"os_compute_api:os-rescue": "rule:project_member_api"
+#"os_compute_api:os-rescue": "rule:project_member_or_admin"
# Unrescue a server
# POST /servers/{server_id}/action (unrescue)
# Intended scope(s): project
-#"os_compute_api:os-unrescue": "rule:project_member_api"
+#"os_compute_api:os-unrescue": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-rescue":"rule:admin_or_owner" has been deprecated
# since 21.0.0 in favor of "os_compute_api:os-
-# unrescue":"rule:project_member_api".
+# unrescue":"rule:project_member_or_admin".
# Rescue/Unrescue API policies are made granular with new policy for
# unrescue and keeping old policy for rescue.
-#"os_compute_api:os-rescue": "rule:os_compute_api:os-unrescue"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-rescue": "rule:os_compute_api:os-unrescue"
# List security groups. This API is deprecated.
# GET /os-security-groups
# Intended scope(s): project
-#"os_compute_api:os-security-groups:get": "rule:project_reader_api"
+#"os_compute_api:os-security-groups:get": "rule:project_reader_or_admin"
# DEPRECATED
# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-security-
-# groups:get":"rule:project_reader_api".
+# groups:get":"rule:project_reader_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:get"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:get"
# Show security group. This API is deprecated.
# GET /os-security-groups/{security_group_id}
# Intended scope(s): project
-#"os_compute_api:os-security-groups:show": "rule:project_reader_api"
+#"os_compute_api:os-security-groups:show": "rule:project_reader_or_admin"
# DEPRECATED
# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-security-
-# groups:show":"rule:project_reader_api".
+# groups:show":"rule:project_reader_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:show"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:show"
# Create security group. This API is deprecated.
# POST /os-security-groups
# Intended scope(s): project
-#"os_compute_api:os-security-groups:create": "rule:project_member_api"
+#"os_compute_api:os-security-groups:create": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-security-
-# groups:create":"rule:project_member_api".
+# groups:create":"rule:project_member_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:create"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:create"
# Update security group. This API is deprecated.
# PUT /os-security-groups/{security_group_id}
# Intended scope(s): project
-#"os_compute_api:os-security-groups:update": "rule:project_member_api"
+#"os_compute_api:os-security-groups:update": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-security-
-# groups:update":"rule:project_member_api".
+# groups:update":"rule:project_member_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:update"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:update"
# Delete security group. This API is deprecated.
# DELETE /os-security-groups/{security_group_id}
# Intended scope(s): project
-#"os_compute_api:os-security-groups:delete": "rule:project_member_api"
+#"os_compute_api:os-security-groups:delete": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-security-
-# groups:delete":"rule:project_member_api".
+# groups:delete":"rule:project_member_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:delete"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:delete"
# Create security group Rule. This API is deprecated.
# POST /os-security-group-rules
# Intended scope(s): project
-#"os_compute_api:os-security-groups:rule:create": "rule:project_member_api"
+#"os_compute_api:os-security-groups:rule:create": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-security-
-# groups:rule:create":"rule:project_member_api".
+# groups:rule:create":"rule:project_member_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:rule:create"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:rule:create"
# Delete security group Rule. This API is deprecated.
# DELETE /os-security-group-rules/{security_group_id}
# Intended scope(s): project
-#"os_compute_api:os-security-groups:rule:delete": "rule:project_member_api"
+#"os_compute_api:os-security-groups:rule:delete": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-security-
-# groups:rule:delete":"rule:project_member_api".
+# groups:rule:delete":"rule:project_member_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:rule:delete"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:rule:delete"
# List security groups of server.
# GET /servers/{server_id}/os-security-groups
# Intended scope(s): project
-#"os_compute_api:os-security-groups:list": "rule:project_reader_api"
+#"os_compute_api:os-security-groups:list": "rule:project_reader_or_admin"
# DEPRECATED
# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-security-
-# groups:list":"rule:project_reader_api".
+# groups:list":"rule:project_reader_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:list"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:list"
# Add security groups to server.
# POST /servers/{server_id}/action (addSecurityGroup)
# Intended scope(s): project
-#"os_compute_api:os-security-groups:add": "rule:project_member_api"
+#"os_compute_api:os-security-groups:add": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-security-
-# groups:add":"rule:project_member_api".
+# groups:add":"rule:project_member_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:add"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:add"
# Remove security groups from server.
# POST /servers/{server_id}/action (removeSecurityGroup)
# Intended scope(s): project
-#"os_compute_api:os-security-groups:remove": "rule:project_member_api"
+#"os_compute_api:os-security-groups:remove": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-security-
-# groups:remove":"rule:project_member_api".
+# groups:remove":"rule:project_member_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:remove"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:remove"
# Show the usage data for a server
# GET /servers/{server_id}/diagnostics
# Intended scope(s): project
-#"os_compute_api:os-server-diagnostics": "rule:project_admin_api"
+#"os_compute_api:os-server-diagnostics": "rule:context_is_admin"
# Create one or more external events
# POST /os-server-external-events
@@ -1145,157 +1614,175 @@
# Create a new server group
# POST /os-server-groups
# Intended scope(s): project
-#"os_compute_api:os-server-groups:create": "rule:project_member_api"
+#"os_compute_api:os-server-groups:create": "rule:project_member_or_admin"
# Delete a server group
# DELETE /os-server-groups/{server_group_id}
# Intended scope(s): project
-#"os_compute_api:os-server-groups:delete": "rule:project_member_api"
+#"os_compute_api:os-server-groups:delete": "rule:project_member_or_admin"
# List all server groups
# GET /os-server-groups
# Intended scope(s): project
-#"os_compute_api:os-server-groups:index": "rule:project_reader_api"
+#"os_compute_api:os-server-groups:index": "rule:project_reader_or_admin"
# List all server groups for all projects
# GET /os-server-groups
# Intended scope(s): project
-#"os_compute_api:os-server-groups:index:all_projects": "rule:project_admin_api"
+#"os_compute_api:os-server-groups:index:all_projects": "rule:context_is_admin"
# Show details of a server group
# GET /os-server-groups/{server_group_id}
# Intended scope(s): project
-#"os_compute_api:os-server-groups:show": "rule:project_reader_api"
+#"os_compute_api:os-server-groups:show": "rule:project_reader_or_admin"
# List all metadata of a server
# GET /servers/{server_id}/metadata
# Intended scope(s): project
-#"os_compute_api:server-metadata:index": "rule:project_reader_api"
+#"os_compute_api:server-metadata:index": "rule:project_reader_or_admin"
# Show metadata for a server
# GET /servers/{server_id}/metadata/{key}
# Intended scope(s): project
-#"os_compute_api:server-metadata:show": "rule:project_reader_api"
+#"os_compute_api:server-metadata:show": "rule:project_reader_or_admin"
# Create metadata for a server
# POST /servers/{server_id}/metadata
# Intended scope(s): project
-#"os_compute_api:server-metadata:create": "rule:project_member_api"
+#"os_compute_api:server-metadata:create": "rule:project_member_or_admin"
# Replace metadata for a server
# PUT /servers/{server_id}/metadata
# Intended scope(s): project
-#"os_compute_api:server-metadata:update_all": "rule:project_member_api"
+#"os_compute_api:server-metadata:update_all": "rule:project_member_or_admin"
# Update metadata from a server
# PUT /servers/{server_id}/metadata/{key}
# Intended scope(s): project
-#"os_compute_api:server-metadata:update": "rule:project_member_api"
+#"os_compute_api:server-metadata:update": "rule:project_member_or_admin"
# Delete metadata from a server
# DELETE /servers/{server_id}/metadata/{key}
# Intended scope(s): project
-#"os_compute_api:server-metadata:delete": "rule:project_member_api"
+#"os_compute_api:server-metadata:delete": "rule:project_member_or_admin"
# Show the encrypted administrative password of a server
# GET /servers/{server_id}/os-server-password
# Intended scope(s): project
-#"os_compute_api:os-server-password:show": "rule:project_reader_api"
+#"os_compute_api:os-server-password:show": "rule:project_reader_or_admin"
# DEPRECATED
# "os_compute_api:os-server-password":"rule:admin_or_owner" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-server-
-# password:show":"rule:project_reader_api".
+# password:show":"rule:project_reader_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-server-password": "rule:os_compute_api:os-server-password:show"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-server-password": "rule:os_compute_api:os-server-password:show"
# Clear the encrypted administrative password of a server
# DELETE /servers/{server_id}/os-server-password
# Intended scope(s): project
-#"os_compute_api:os-server-password:clear": "rule:project_member_api"
+#"os_compute_api:os-server-password:clear": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-server-password":"rule:admin_or_owner" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-server-
-# password:clear":"rule:project_member_api".
+# password:clear":"rule:project_member_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-server-password": "rule:os_compute_api:os-server-password:clear"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-server-password": "rule:os_compute_api:os-server-password:clear"
# Delete all the server tags
# DELETE /servers/{server_id}/tags
# Intended scope(s): project
-#"os_compute_api:os-server-tags:delete_all": "rule:project_member_api"
+#"os_compute_api:os-server-tags:delete_all": "rule:project_member_or_admin"
# List all tags for given server
# GET /servers/{server_id}/tags
# Intended scope(s): project
-#"os_compute_api:os-server-tags:index": "rule:project_reader_api"
+#"os_compute_api:os-server-tags:index": "rule:project_reader_or_admin"
# Replace all tags on specified server with the new set of tags.
# PUT /servers/{server_id}/tags
# Intended scope(s): project
-#"os_compute_api:os-server-tags:update_all": "rule:project_member_api"
+#"os_compute_api:os-server-tags:update_all": "rule:project_member_or_admin"
# Delete a single tag from the specified server
# DELETE /servers/{server_id}/tags/{tag}
# Intended scope(s): project
-#"os_compute_api:os-server-tags:delete": "rule:project_member_api"
+#"os_compute_api:os-server-tags:delete": "rule:project_member_or_admin"
# Add a single tag to the server if server has no specified tag
# PUT /servers/{server_id}/tags/{tag}
# Intended scope(s): project
-#"os_compute_api:os-server-tags:update": "rule:project_member_api"
+#"os_compute_api:os-server-tags:update": "rule:project_member_or_admin"
# Check tag existence on the server.
# GET /servers/{server_id}/tags/{tag}
# Intended scope(s): project
-#"os_compute_api:os-server-tags:show": "rule:project_reader_api"
+#"os_compute_api:os-server-tags:show": "rule:project_reader_or_admin"
# Show the NUMA topology data for a server
# GET /servers/{server_id}/topology
# Intended scope(s): project
-#"compute:server:topology:index": "rule:project_reader_api"
+#"compute:server:topology:index": "rule:project_reader_or_admin"
# Show the NUMA topology data for a server with host NUMA ID and CPU
# pinning information
# GET /servers/{server_id}/topology
# Intended scope(s): project
-#"compute:server:topology:host:index": "rule:project_admin_api"
+#"compute:server:topology:host:index": "rule:context_is_admin"
# List all servers
# GET /servers
# Intended scope(s): project
-#"os_compute_api:servers:index": "rule:project_reader_api"
+#"os_compute_api:servers:index": "rule:project_reader_or_admin"
# List all servers with detailed information
# GET /servers/detail
# Intended scope(s): project
-#"os_compute_api:servers:detail": "rule:project_reader_api"
+#"os_compute_api:servers:detail": "rule:project_reader_or_admin"
# List all servers for all projects
# GET /servers
# Intended scope(s): project
-#"os_compute_api:servers:index:get_all_tenants": "rule:project_admin_api"
+#"os_compute_api:servers:index:get_all_tenants": "rule:context_is_admin"
# List all servers with detailed information for all projects
# GET /servers/detail
# Intended scope(s): project
-#"os_compute_api:servers:detail:get_all_tenants": "rule:project_admin_api"
+#"os_compute_api:servers:detail:get_all_tenants": "rule:context_is_admin"
# Allow all filters when listing servers
# GET /servers
# GET /servers/detail
# Intended scope(s): project
-#"os_compute_api:servers:allow_all_filters": "rule:project_admin_api"
+#"os_compute_api:servers:allow_all_filters": "rule:context_is_admin"
# Show a server
# GET /servers/{server_id}
# Intended scope(s): project
-#"os_compute_api:servers:show": "rule:project_reader_api"
+#"os_compute_api:servers:show": "rule:project_reader_or_admin"
# Starting with microversion 2.47, the flavor and its extra specs used
# for a server is also returned in the response when showing server
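Review bot: The deprecated name `os_compute_api:os-server-password` is now offered as a commented alias twice in this hunk, once pointing at `os_compute_api:os-server-password:show` (default `rule:project_reader_or_admin`) and once at `os_compute_api:os-server-password:clear` (default `rule:project_member_or_admin`), and the generic WARNING text does not say that only one of them can be active. An operator who uncomments both gets a duplicate mapping key, and common YAML loaders keep only the last one without raising an error, so the effective rule may not be the one that was reviewed. I would add one line under each WARNING block, e.g. `# NOTE: this deprecated name is aliased more than once in this file; enable at most one alias.` The same pattern appears in the later hunks for `os_compute_api:os-services` and `os_compute_api:os-tenant-networks`. If this file is produced by a generator, the wording belongs in the generator rather than in a hand edit here.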
@@ -1305,17 +1792,26 @@
# PUT /servers/{server_id}
# POST /servers/{server_id}/action (rebuild)
# Intended scope(s): project
-#"os_compute_api:servers:show:flavor-extra-specs": "rule:project_reader_api"
+#"os_compute_api:servers:show:flavor-extra-specs": "rule:project_reader_or_admin"
# DEPRECATED
# "os_compute_api:os-flavor-extra-specs:index":"rule:admin_or_owner"
# has been deprecated since 25.0.0 in favor of
# "os_compute_api:servers:show:flavor-extra-
-# specs":"rule:project_reader_api".
+# specs":"rule:project_reader_or_admin".
# Policies for showing flavor extra specs in server APIs response is
# seprated as new policy. This policy is deprecated only for that but
# not for list extra specs and showing it in flavor API response.
-#"os_compute_api:os-flavor-extra-specs:index": "rule:os_compute_api:servers:show:flavor-extra-specs"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-flavor-extra-specs:index": "rule:os_compute_api:servers:show:flavor-extra-specs"
# Show a server with additional host status information.
#
@@ -1333,7 +1829,7 @@
# PUT /servers/{server_id}
# POST /servers/{server_id}/action (rebuild)
# Intended scope(s): project
-#"os_compute_api:servers:show:host_status": "rule:project_admin_api"
+#"os_compute_api:servers:show:host_status": "rule:context_is_admin"
# Show a server with additional host status information, only if host
# status is UNKNOWN.
@@ -1350,12 +1846,12 @@
# PUT /servers/{server_id}
# POST /servers/{server_id}/action (rebuild)
# Intended scope(s): project
-#"os_compute_api:servers:show:host_status:unknown-only": "rule:project_admin_api"
+#"os_compute_api:servers:show:host_status:unknown-only": "rule:context_is_admin"
# Create a server
# POST /servers
# Intended scope(s): project
-#"os_compute_api:servers:create": "rule:project_member_api"
+#"os_compute_api:servers:create": "rule:project_member_or_admin"
# Create a server on the specified host and/or node.
#
@@ -1364,7 +1860,7 @@
# ``compute:servers:create:requested_destination`` rule.
# POST /servers
# Intended scope(s): project
-#"os_compute_api:servers:create:forced_host": "rule:project_admin_api"
+#"os_compute_api:servers:create:forced_host": "rule:context_is_admin"
# Create a server on the requested compute service host and/or
# hypervisor_hostname.
@@ -1374,22 +1870,22 @@
# ``os_compute_api:servers:create:forced_host`` rule.
# POST /servers
# Intended scope(s): project
-#"compute:servers:create:requested_destination": "rule:project_admin_api"
+#"compute:servers:create:requested_destination": "rule:context_is_admin"
# Create a server with the requested volume attached to it
# POST /servers
# Intended scope(s): project
-#"os_compute_api:servers:create:attach_volume": "rule:project_member_api"
+#"os_compute_api:servers:create:attach_volume": "rule:project_member_or_admin"
# Create a server with the requested network attached to it
# POST /servers
# Intended scope(s): project
-#"os_compute_api:servers:create:attach_network": "rule:project_member_api"
+#"os_compute_api:servers:create:attach_network": "rule:project_member_or_admin"
# Create a server with trusted image certificate IDs
# POST /servers
# Intended scope(s): project
-#"os_compute_api:servers:create:trusted_certs": "rule:project_member_api"
+#"os_compute_api:servers:create:trusted_certs": "rule:project_member_or_admin"
# This rule controls the compute API validation behavior of creating a
# server with a flavor that has 0 disk, indicating the server should
@@ -1408,43 +1904,43 @@
# https://bugs.launchpad.net/nova/+bug/1739646 for details.
# POST /servers
# Intended scope(s): project
-#"os_compute_api:servers:create:zero_disk_flavor": "rule:project_admin_api"
+#"os_compute_api:servers:create:zero_disk_flavor": "rule:context_is_admin"
# Attach an unshared external network to a server
# POST /servers
# POST /servers/{server_id}/os-interface
# Intended scope(s): project
-#"network:attach_external_network": "rule:project_admin_api"
+#"network:attach_external_network": "rule:context_is_admin"
# Delete a server
# DELETE /servers/{server_id}
# Intended scope(s): project
-#"os_compute_api:servers:delete": "rule:project_member_api"
+#"os_compute_api:servers:delete": "rule:project_member_or_admin"
# Update a server
# PUT /servers/{server_id}
# Intended scope(s): project
-#"os_compute_api:servers:update": "rule:project_member_api"
+#"os_compute_api:servers:update": "rule:project_member_or_admin"
# Confirm a server resize
# POST /servers/{server_id}/action (confirmResize)
# Intended scope(s): project
-#"os_compute_api:servers:confirm_resize": "rule:project_member_api"
+#"os_compute_api:servers:confirm_resize": "rule:project_member_or_admin"
# Revert a server resize
# POST /servers/{server_id}/action (revertResize)
# Intended scope(s): project
-#"os_compute_api:servers:revert_resize": "rule:project_member_api"
+#"os_compute_api:servers:revert_resize": "rule:project_member_or_admin"
# Reboot a server
# POST /servers/{server_id}/action (reboot)
# Intended scope(s): project
-#"os_compute_api:servers:reboot": "rule:project_member_api"
+#"os_compute_api:servers:reboot": "rule:project_member_or_admin"
# Resize a server
# POST /servers/{server_id}/action (resize)
# Intended scope(s): project
-#"os_compute_api:servers:resize": "rule:project_member_api"
+#"os_compute_api:servers:resize": "rule:project_member_or_admin"
# Resize a server across cells. By default, this is disabled for all
# users and recommended to be tested in a deployment for admin users
@@ -1457,61 +1953,61 @@
# Rebuild a server
# POST /servers/{server_id}/action (rebuild)
# Intended scope(s): project
-#"os_compute_api:servers:rebuild": "rule:project_member_api"
+#"os_compute_api:servers:rebuild": "rule:project_member_or_admin"
# Rebuild a server with trusted image certificate IDs
# POST /servers/{server_id}/action (rebuild)
# Intended scope(s): project
-#"os_compute_api:servers:rebuild:trusted_certs": "rule:project_member_api"
+#"os_compute_api:servers:rebuild:trusted_certs": "rule:project_member_or_admin"
# Create an image from a server
# POST /servers/{server_id}/action (createImage)
# Intended scope(s): project
-#"os_compute_api:servers:create_image": "rule:project_member_api"
+#"os_compute_api:servers:create_image": "rule:project_member_or_admin"
# Create an image from a volume backed server
# POST /servers/{server_id}/action (createImage)
# Intended scope(s): project
-#"os_compute_api:servers:create_image:allow_volume_backed": "rule:project_member_api"
+#"os_compute_api:servers:create_image:allow_volume_backed": "rule:project_member_or_admin"
# Start a server
# POST /servers/{server_id}/action (os-start)
# Intended scope(s): project
-#"os_compute_api:servers:start": "rule:project_member_api"
+#"os_compute_api:servers:start": "rule:project_member_or_admin"
# Stop a server
# POST /servers/{server_id}/action (os-stop)
# Intended scope(s): project
-#"os_compute_api:servers:stop": "rule:project_member_api"
+#"os_compute_api:servers:stop": "rule:project_member_or_admin"
# Trigger crash dump in a server
# POST /servers/{server_id}/action (trigger_crash_dump)
# Intended scope(s): project
-#"os_compute_api:servers:trigger_crash_dump": "rule:project_member_api"
+#"os_compute_api:servers:trigger_crash_dump": "rule:project_member_or_admin"
# Show details for an in-progress live migration for a given server
# GET /servers/{server_id}/migrations/{migration_id}
# Intended scope(s): project
-#"os_compute_api:servers:migrations:show": "rule:project_admin_api"
+#"os_compute_api:servers:migrations:show": "rule:context_is_admin"
# Force an in-progress live migration for a given server to complete
# POST /servers/{server_id}/migrations/{migration_id}/action (force_complete)
# Intended scope(s): project
-#"os_compute_api:servers:migrations:force_complete": "rule:project_admin_api"
+#"os_compute_api:servers:migrations:force_complete": "rule:context_is_admin"
# Delete(Abort) an in-progress live migration
# DELETE /servers/{server_id}/migrations/{migration_id}
# Intended scope(s): project
-#"os_compute_api:servers:migrations:delete": "rule:project_admin_api"
+#"os_compute_api:servers:migrations:delete": "rule:context_is_admin"
# Lists in-progress live migrations for a given server
# GET /servers/{server_id}/migrations
# Intended scope(s): project
-#"os_compute_api:servers:migrations:index": "rule:project_admin_api"
+#"os_compute_api:servers:migrations:index": "rule:context_is_admin"
# List all running Compute services in a region.
# GET /os-services
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-services:list": "rule:context_is_admin"
# DEPRECATED
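Review bot: The `Intended scope(s)` line for `os_compute_api:os-services:list` changes from system to project while the default stays `rule:context_is_admin`, so nothing in this hunk still limits compute-service management to a deployment-level identity; the same flip is made for `:update` and `:delete` in the next two hunks. What `context_is_admin` resolves to is defined outside these hunks, so whether a project-scoped admin token now passes these checks is an inference, but it should be confirmed before merging. The commit message only says the rules were synced, so I would add a release note along the lines of `Compute service list/update/delete and other admin-only nova rules are now project-scoped and gated on context_is_admin; review local overrides of that rule and project-level admin role assignments.`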
@@ -1521,11 +2017,20 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-services": "rule:os_compute_api:os-services:list"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-services": "rule:os_compute_api:os-services:list"
# Update a Compute service.
# PUT /os-services/{service_id}
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-services:update": "rule:context_is_admin"
# DEPRECATED
@@ -1535,11 +2040,20 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-services": "rule:os_compute_api:os-services:update"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-services": "rule:os_compute_api:os-services:update"
# Delete a Compute service.
# DELETE /os-services/{service_id}
-# Intended scope(s): system
+# Intended scope(s): project
#"os_compute_api:os-services:delete": "rule:context_is_admin"
# DEPRECATED
@@ -1549,42 +2063,56 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-services": "rule:os_compute_api:os-services:delete"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-services": "rule:os_compute_api:os-services:delete"
# Shelve server
# POST /servers/{server_id}/action (shelve)
# Intended scope(s): project
-#"os_compute_api:os-shelve:shelve": "rule:project_member_api"
+#"os_compute_api:os-shelve:shelve": "rule:project_member_or_admin"
# Unshelve (restore) shelved server
# POST /servers/{server_id}/action (unshelve)
# Intended scope(s): project
-#"os_compute_api:os-shelve:unshelve": "rule:project_member_api"
+#"os_compute_api:os-shelve:unshelve": "rule:project_member_or_admin"
+
+# Unshelve (restore) shelve offloaded server to a specific host
+# POST /servers/{server_id}/action (unshelve)
+# Intended scope(s): project
+#"os_compute_api:os-shelve:unshelve_to_host": "rule:context_is_admin"
# Shelf-offload (remove) server
# POST /servers/{server_id}/action (shelveOffload)
# Intended scope(s): project
-#"os_compute_api:os-shelve:shelve_offload": "rule:project_admin_api"
+#"os_compute_api:os-shelve:shelve_offload": "rule:context_is_admin"
# Show usage statistics for a specific tenant
# GET /os-simple-tenant-usage/{tenant_id}
# Intended scope(s): project
-#"os_compute_api:os-simple-tenant-usage:show": "rule:project_reader_api"
+#"os_compute_api:os-simple-tenant-usage:show": "rule:project_reader_or_admin"
# List per tenant usage statistics for all tenants
# GET /os-simple-tenant-usage
# Intended scope(s): project
-#"os_compute_api:os-simple-tenant-usage:list": "rule:project_admin_api"
+#"os_compute_api:os-simple-tenant-usage:list": "rule:context_is_admin"
# Resume suspended server
# POST /servers/{server_id}/action (resume)
# Intended scope(s): project
-#"os_compute_api:os-suspend-server:resume": "rule:project_member_api"
+#"os_compute_api:os-suspend-server:resume": "rule:project_member_or_admin"
# Suspend server
# POST /servers/{server_id}/action (suspend)
# Intended scope(s): project
-#"os_compute_api:os-suspend-server:suspend": "rule:project_member_api"
+#"os_compute_api:os-suspend-server:suspend": "rule:project_member_or_admin"
# List project networks.
#
@@ -1600,7 +2128,16 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-tenant-networks": "rule:os_compute_api:os-tenant-networks:list"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-tenant-networks": "rule:os_compute_api:os-tenant-networks:list"
# Show project network details.
#
@@ -1616,182 +2153,281 @@
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-tenant-networks": "rule:os_compute_api:os-tenant-networks:show"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-tenant-networks": "rule:os_compute_api:os-tenant-networks:show"
# List volumes.
#
# This API is a proxy call to the Volume service. It is deprecated.
# GET /os-volumes
# Intended scope(s): project
-#"os_compute_api:os-volumes:list": "rule:project_reader_api"
+#"os_compute_api:os-volumes:list": "rule:project_reader_or_admin"
# DEPRECATED
# "os_compute_api:os-volumes":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-
-# volumes:list":"rule:project_reader_api".
+# volumes:list":"rule:project_reader_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:list"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:list"
# Create volume.
#
# This API is a proxy call to the Volume service. It is deprecated.
# POST /os-volumes
# Intended scope(s): project
-#"os_compute_api:os-volumes:create": "rule:project_member_api"
+#"os_compute_api:os-volumes:create": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-volumes":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-
-# volumes:create":"rule:project_member_api".
+# volumes:create":"rule:project_member_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:create"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:create"
# List volumes detail.
#
# This API is a proxy call to the Volume service. It is deprecated.
# GET /os-volumes/detail
# Intended scope(s): project
-#"os_compute_api:os-volumes:detail": "rule:project_reader_api"
+#"os_compute_api:os-volumes:detail": "rule:project_reader_or_admin"
# DEPRECATED
# "os_compute_api:os-volumes":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-
-# volumes:detail":"rule:project_reader_api".
+# volumes:detail":"rule:project_reader_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:detail"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:detail"
# Show volume.
#
# This API is a proxy call to the Volume service. It is deprecated.
# GET /os-volumes/{volume_id}
# Intended scope(s): project
-#"os_compute_api:os-volumes:show": "rule:project_reader_api"
+#"os_compute_api:os-volumes:show": "rule:project_reader_or_admin"
# DEPRECATED
# "os_compute_api:os-volumes":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-
-# volumes:show":"rule:project_reader_api".
+# volumes:show":"rule:project_reader_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:show"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:show"
# Delete volume.
#
# This API is a proxy call to the Volume service. It is deprecated.
# DELETE /os-volumes/{volume_id}
# Intended scope(s): project
-#"os_compute_api:os-volumes:delete": "rule:project_member_api"
+#"os_compute_api:os-volumes:delete": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-volumes":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-
-# volumes:delete":"rule:project_member_api".
+# volumes:delete":"rule:project_member_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:delete"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:delete"
# List snapshots.
#
# This API is a proxy call to the Volume service. It is deprecated.
# GET /os-snapshots
# Intended scope(s): project
-#"os_compute_api:os-volumes:snapshots:list": "rule:project_reader_api"
+#"os_compute_api:os-volumes:snapshots:list": "rule:project_reader_or_admin"
# DEPRECATED
# "os_compute_api:os-volumes":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-
-# volumes:snapshots:list":"rule:project_reader_api".
+# volumes:snapshots:list":"rule:project_reader_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:list"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:list"
# Create snapshots.
#
# This API is a proxy call to the Volume service. It is deprecated.
# POST /os-snapshots
# Intended scope(s): project
-#"os_compute_api:os-volumes:snapshots:create": "rule:project_member_api"
+#"os_compute_api:os-volumes:snapshots:create": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-volumes":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-
-# volumes:snapshots:create":"rule:project_member_api".
+# volumes:snapshots:create":"rule:project_member_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:create"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:create"
# List snapshots details.
#
# This API is a proxy call to the Volume service. It is deprecated.
# GET /os-snapshots/detail
# Intended scope(s): project
-#"os_compute_api:os-volumes:snapshots:detail": "rule:project_reader_api"
+#"os_compute_api:os-volumes:snapshots:detail": "rule:project_reader_or_admin"
# DEPRECATED
# "os_compute_api:os-volumes":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-
-# volumes:snapshots:detail":"rule:project_reader_api".
+# volumes:snapshots:detail":"rule:project_reader_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:detail"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:detail"
# Show snapshot.
#
# This API is a proxy call to the Volume service. It is deprecated.
# GET /os-snapshots/{snapshot_id}
# Intended scope(s): project
-#"os_compute_api:os-volumes:snapshots:show": "rule:project_reader_api"
+#"os_compute_api:os-volumes:snapshots:show": "rule:project_reader_or_admin"
# DEPRECATED
# "os_compute_api:os-volumes":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-
-# volumes:snapshots:show":"rule:project_reader_api".
+# volumes:snapshots:show":"rule:project_reader_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:show"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:show"
# Delete snapshot.
#
# This API is a proxy call to the Volume service. It is deprecated.
# DELETE /os-snapshots/{snapshot_id}
# Intended scope(s): project
-#"os_compute_api:os-volumes:snapshots:delete": "rule:project_member_api"
+#"os_compute_api:os-volumes:snapshots:delete": "rule:project_member_or_admin"
# DEPRECATED
# "os_compute_api:os-volumes":"rule:admin_or_owner" has been
# deprecated since 22.0.0 in favor of "os_compute_api:os-
-# volumes:snapshots:delete":"rule:project_member_api".
+# volumes:snapshots:delete":"rule:project_member_or_admin".
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
-#"os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:delete"
+# WARNING: A rule name change has been identified.
+# This may be an artifact of new rules being
+# included which require legacy fallback
+# rules to ensure proper policy behavior.
+# Alternatively, this may just be an alias.
+# Please evaluate on a case by case basis
+# keeping in mind the format for aliased
+# rules is:
+# "old_rule_name": "new_rule_name".
+# "os_compute_api:os-volumes": "rule:os_compute_api:os-volumes:snapshots:delete"
# List volume attachments for an instance
# GET /servers/{server_id}/os-volume_attachments
# Intended scope(s): project
-#"os_compute_api:os-volumes-attachments:index": "rule:project_reader_api"
+#"os_compute_api:os-volumes-attachments:index": "rule:project_reader_or_admin"
# Attach a volume to an instance
# POST /servers/{server_id}/os-volume_attachments
# Intended scope(s): project
-#"os_compute_api:os-volumes-attachments:create": "rule:project_member_api"
+#"os_compute_api:os-volumes-attachments:create": "rule:project_member_or_admin"
# Show details of a volume attachment
# GET /servers/{server_id}/os-volume_attachments/{volume_id}
# Intended scope(s): project
-#"os_compute_api:os-volumes-attachments:show": "rule:project_reader_api"
+#"os_compute_api:os-volumes-attachments:show": "rule:project_reader_or_admin"
# Update a volume attachment. New 'update' policy about 'swap +
# update' request (which is possible only >2.85) only <swap policy> is
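Review bot: Every default in this hunk now points at `rule:project_reader_or_admin` or `rule:project_member_or_admin`, but neither rule is defined in the lines shown, so the sync is only consistent if both definitions land in this file and in `default_policies/nova.yaml` in the same commit. oslo.policy treats a `rule:` reference to an undefined rule as a failed check, so a missing definition would most likely make the dashboard hide these volume, snapshot and attachment actions rather than report an error. The `_or_admin` names also suggest that an admin now passes these checks without being tied to the project, which changes who is granted access and is not mentioned in the commit description; if the definitions confirm it, a sentence there such as `nova defaults now use project_*_or_admin, so the admin role passes these checks for any project` would make that visible to deployers. The hunks at `@@ -1799,7 +2435,7 @@` and `@@ -1809,5 +2445,5 @@` make the same substitution.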
@@ -1799,7 +2435,7 @@
# policy permission.
# PUT /servers/{server_id}/os-volume_attachments/{volume_id}
# Intended scope(s): project
-#"os_compute_api:os-volumes-attachments:update": "rule:project_member_api"
+#"os_compute_api:os-volumes-attachments:update": "rule:project_member_or_admin"
# Update a volume attachment with a different volumeId
# PUT /servers/{server_id}/os-volume_attachments/{volume_id}
@@ -1809,5 +2445,5 @@
# Detach a volume from an instance
# DELETE /servers/{server_id}/os-volume_attachments/{volume_id}
# Intended scope(s): project
-#"os_compute_api:os-volumes-attachments:delete": "rule:project_member_api"
+#"os_compute_api:os-volumes-attachments:delete": "rule:project_member_or_admin"