Policy configuration¶
Configuration¶
The following is an overview of all available policies in Magnum. For a sample configuration file, refer to policy.yaml.
magnum¶
context_is_admin- Default
role:admin
(no description provided)
admin_or_owner- Default
is_admin:True or project_id:%(project_id)s
(no description provided)
admin_api- Default
rule:context_is_admin
(no description provided)
admin_or_user- Default
is_admin:True or user_id:%(user_id)s
(no description provided)
cluster_user- Default
user_id:%(trustee_user_id)s
(no description provided)
deny_cluster_user- Default
not domain_id:%(trustee_domain_id)s
(no description provided)
bay:create- Default
rule:deny_cluster_user- Operations
POST
/v1/bays
Create a new bay.
bay:delete- Default
rule:deny_cluster_user- Operations
DELETE
/v1/bays/{bay_ident}
Delete a bay.
bay:detail- Default
rule:deny_cluster_user- Operations
GET
/v1/bays
Retrieve a list of bays with detail.
bay:get- Default
rule:deny_cluster_user- Operations
GET
/v1/bays/{bay_ident}
Retrieve information about the given bay.
bay:get_all- Default
rule:deny_cluster_user- Operations
GET
/v1/bays/
Retrieve a list of bays.
bay:update- Default
rule:deny_cluster_user- Operations
PATCH
/v1/bays/{bay_ident}
Update an existing bay.
baymodel:create- Default
rule:deny_cluster_user- Operations
POST
/v1/baymodels
Create a new baymodel.
baymodel:delete- Default
rule:deny_cluster_user- Operations
DELETE
/v1/baymodels/{baymodel_ident}
Delete a baymodel.
baymodel:detail- Default
rule:deny_cluster_user- Operations
GET
/v1/baymodels
Retrieve a list of baymodel with detail.
baymodel:get- Default
rule:deny_cluster_user- Operations
GET
/v1/baymodels/{baymodel_ident}
Retrieve information about the given baymodel.
baymodel:get_all- Default
rule:deny_cluster_user- Operations
GET
/v1/baymodels
Retrieve a list of baymodel.
baymodel:update- Default
rule:deny_cluster_user- Operations
PATCH
/v1/baymodels/{baymodel_ident}
Update an existing baymodel.
baymodel:publish- Default
rule:admin_api- Operations
POST
/v1/baymodelsPATCH
/v1/baymodels
Publish an existing baymodel.
certificate:create- Default
rule:admin_or_user or rule:cluster_user- Operations
POST
/v1/certificates
Sign a new certificate by the CA.
certificate:get- Default
rule:admin_or_user or rule:cluster_user- Operations
GET
/v1/certificates/{bay_uuid/cluster_uuid}
Retrieve CA information about the given bay/cluster.
certificate:rotate_ca- Default
rule:admin_or_owner- Operations
PATCH
/v1/certificates/{bay_uuid/cluster_uuid}
Rotate the CA certificate on the given bay/cluster.
cluster:create- Default
rule:deny_cluster_user- Operations
POST
/v1/clusters
Create a new cluster.
cluster:delete- Default
rule:deny_cluster_user- Operations
DELETE
/v1/clusters/{cluster_ident}
Delete a cluster.
cluster:delete_all_projects- Default
rule:admin_api- Operations
DELETE
/v1/clusters/{cluster_ident}
Delete a cluster from any project.
cluster:detail- Default
rule:deny_cluster_user- Operations
GET
/v1/clusters
Retrieve a list of clusters with detail.
cluster:detail_all_projects- Default
rule:admin_api- Operations
GET
/v1/clusters
Retrieve a list of clusters with detail across projects.
cluster:get- Default
rule:deny_cluster_user- Operations
GET
/v1/clusters/{cluster_ident}
Retrieve information about the given cluster.
cluster:get_one_all_projects- Default
rule:admin_api- Operations
GET
/v1/clusters/{cluster_ident}
Retrieve information about the given cluster across projects.
cluster:get_all- Default
rule:deny_cluster_user- Operations
GET
/v1/clusters/
Retrieve a list of clusters.
cluster:get_all_all_projects- Default
rule:admin_api- Operations
GET
/v1/clusters/
Retrieve a list of all clusters across projects.
cluster:update- Default
rule:deny_cluster_user- Operations
PATCH
/v1/clusters/{cluster_ident}
Update an existing cluster.
cluster:update_health_status- Default
rule:admin_or_user or rule:cluster_user- Operations
PATCH
/v1/clusters/{cluster_ident}
Update the health status of an existing cluster.
cluster:update_all_projects- Default
rule:admin_api- Operations
PATCH
/v1/clusters/{cluster_ident}
Update an existing cluster.
cluster:resize- Default
rule:deny_cluster_user- Operations
POST
/v1/clusters/{cluster_ident}/actions/resize
Resize an existing cluster.
cluster:upgrade- Default
rule:deny_cluster_user- Operations
POST
/v1/clusters/{cluster_ident}/actions/upgrade
Upgrade an existing cluster.
cluster:upgrade_all_projects- Default
rule:admin_api- Operations
POST
/v1/clusters/{cluster_ident}/actions/upgrade
Upgrade an existing cluster across all projects.
clustertemplate:create- Default
rule:deny_cluster_user- Operations
POST
/v1/clustertemplates
Create a new cluster template.
clustertemplate:delete- Default
rule:deny_cluster_user- Operations
DELETE
/v1/clustertemplate/{clustertemplate_ident}
Delete a cluster template.
clustertemplate:delete_all_projects- Default
rule:admin_api- Operations
DELETE
/v1/clustertemplate/{clustertemplate_ident}
Delete a cluster template from any project.
clustertemplate:detail_all_projects- Default
rule:admin_api- Operations
GET
/v1/clustertemplates
Retrieve a list of cluster templates with detail across projects.
clustertemplate:detail- Default
rule:deny_cluster_user- Operations
GET
/v1/clustertemplates
Retrieve a list of cluster templates with detail.
clustertemplate:get- Default
rule:deny_cluster_user- Operations
GET
/v1/clustertemplate/{clustertemplate_ident}
Retrieve information about the given cluster template.
clustertemplate:get_one_all_projects- Default
rule:admin_api- Operations
GET
/v1/clustertemplate/{clustertemplate_ident}
Retrieve information about the given cluster template across project.
clustertemplate:get_all- Default
rule:deny_cluster_user- Operations
GET
/v1/clustertemplates
Retrieve a list of cluster templates.
clustertemplate:get_all_all_projects- Default
rule:admin_api- Operations
GET
/v1/clustertemplates
Retrieve a list of cluster templates across projects.
clustertemplate:update- Default
rule:deny_cluster_user- Operations
PATCH
/v1/clustertemplate/{clustertemplate_ident}
Update an existing cluster template.
clustertemplate:update_all_projects- Default
rule:admin_api- Operations
PATCH
/v1/clustertemplate/{clustertemplate_ident}
Update an existing cluster template.
clustertemplate:publish- Default
rule:admin_api- Operations
POST
/v1/clustertemplatesPATCH
/v1/clustertemplates
Publish an existing cluster template.
federation:create- Default
rule:deny_cluster_user- Operations
POST
/v1/federations
Create a new federation.
federation:delete- Default
rule:deny_cluster_user- Operations
DELETE
/v1/federations/{federation_ident}
Delete a federation.
federation:detail- Default
rule:deny_cluster_user- Operations
GET
/v1/federations
Retrieve a list of federations with detail.
federation:get- Default
rule:deny_cluster_user- Operations
GET
/v1/federations/{federation_ident}
Retrieve information about the given federation.
federation:get_all- Default
rule:deny_cluster_user- Operations
GET
/v1/federations/
Retrieve a list of federations.
federation:update- Default
rule:deny_cluster_user- Operations
PATCH
/v1/federations/{federation_ident}
Update an existing federation.
magnum-service:get_all- Default
rule:admin_api- Operations
GET
/v1/mservices
Retrieve a list of magnum-services.
quota:create- Default
rule:admin_api- Operations
POST
/v1/quotas
Create quota.
quota:delete- Default
rule:admin_api- Operations
DELETE
/v1/quotas/{project_id}/{resource}
Delete quota for a given project_id and resource.
quota:get- Default
rule:admin_or_owner- Operations
GET
/v1/quotas/{project_id}/{resource}
Retrieve Quota information for the given project_id.
quota:get_all- Default
rule:admin_api- Operations
GET
/v1/quotas
Retrieve a list of quotas.
quota:update- Default
rule:admin_api- Operations
PATCH
/v1/quotas/{project_id}/{resource}
Update quota for a given project_id.
stats:get_all- Default
rule:admin_or_owner- Operations
GET
/v1/stats
Retrieve magnum stats.
nodegroup:get- Default
rule:admin_or_owner- Operations
GET
/v1/clusters/{cluster_id}/nodegroup/{nodegroup}
Retrieve information about the given nodegroup.
nodegroup:get_all- Default
rule:admin_or_owner- Operations
GET
/v1/clusters/{cluster_id}/nodegroups/
Retrieve a list of nodegroups that belong to a cluster.
nodegroup:get_all_all_projects- Default
rule:admin_api- Operations
GET
/v1/clusters/{cluster_id}/nodegroups/
Retrieve a list of nodegroups across projects.
nodegroup:get_one_all_projects- Default
rule:admin_api- Operations
GET
/v1/clusters/{cluster_id}/nodegroups/{nodegroup}
Retrieve infornation for a given nodegroup.
nodegroup:create- Default
rule:admin_or_owner- Operations
POST
/v1/clusters/{cluster_id}/nodegroups/
Create a new nodegroup.
nodegroup:delete- Default
rule:admin_or_owner- Operations
DELETE
/v1/clusters/{cluster_id}/nodegroups/{nodegroup}
Delete a nodegroup.
nodegroup:update- Default
rule:admin_or_owner- Operations
PATCH
/v1/clusters/{cluster_id}/nodegroups/{nodegroup}
Update an existing nodegroup.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.