Policy configuration
Configuration
The following is an overview of all available policies in Cinder. For information on how to write a custom policy file to modify these policies, see policy.yaml in the Cinder configuration documentation.
cinder
admin_or_owner
- Default:
is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s
DEPRECATED: This rule will be removed in the Yoga release. Default rule for most non-Admin APIs.
system_or_domain_or_project_admin
- Default:
(role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s) or (role:admin and project_id:%(project_id)s)
DEPRECATED: This rule will be removed in the Yoga release. Default rule for admins of cloud, domain or a project.
context_is_admin
- Default:
role:admin
Decides what is required for the ‘is_admin:True’ check to succeed.
admin_api
- Default:
is_admin:True or (role:admin and is_admin_project:True)
Default rule for most Admin APIs.
xena_system_admin_or_project_reader
- Default:
(role:admin) or (role:reader and project_id:%(project_id)s)
NOTE: this purely role-based rule recognizes only project scope
xena_system_admin_or_project_member
- Default:
(role:admin) or (role:member and project_id:%(project_id)s)
NOTE: this purely role-based rule recognizes only project scope
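How the base rules above evaluate, as an added example (not Cinder or oslo.policy code): a simplified evaluator for the check strings listed on this page, run against constructed credentials. The make_creds helper, the project IDs and the role lists are assumptions for illustration; is_admin is derived from context_is_admin, as that rule's description states.

```python
import re

# Check strings copied from the defaults on this page.
RULES = {
    "context_is_admin": "role:admin",
    "admin_api": "is_admin:True or (role:admin and is_admin_project:True)",
    "xena_system_admin_or_project_reader":
        "(role:admin) or (role:reader and project_id:%(project_id)s)",
    "xena_system_admin_or_project_member":
        "(role:admin) or (role:member and project_id:%(project_id)s)",
    "volume:get": "rule:xena_system_admin_or_project_reader",
    "volume:delete": "rule:xena_system_admin_or_project_member",
    "volume:force_delete": "rule:admin_api",
}

# Tokens: a parenthesis, or a run of non-space text that may embed %(name)s.
TOKEN = re.compile(r"\(|\)|(?:%\(\w+\)s|[^\s()])+")


def _check(atom, creds, target):
    """Evaluate a single 'kind:match' check."""
    kind, match = atom.split(":", 1)
    if kind == "rule":                      # reference to another named rule
        return authorize(match, creds, target)
    if kind == "role":                      # role membership, case-insensitive
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    try:                                    # generic check: credential attr vs target
        expected = match % target
    except KeyError:
        return False                        # target lacks the referenced field
    return kind in creds and str(creds[kind]) == expected


def _unit(tokens, creds, target):
    tok = tokens.pop(0)
    if tok == "not":
        return not _unit(tokens, creds, target)
    if tok == "(":
        result = _or(tokens, creds, target)
        tokens.pop(0)                       # consume the closing ")"
        return result
    return _check(tok, creds, target)


def _and(tokens, creds, target):
    result = _unit(tokens, creds, target)
    while tokens and tokens[0] == "and":
        tokens.pop(0)
        rhs = _unit(tokens, creds, target)  # always parse, to consume tokens
        result = result and rhs
    return result


def _or(tokens, creds, target):
    result = _and(tokens, creds, target)
    while tokens and tokens[0] == "or":
        tokens.pop(0)
        rhs = _and(tokens, creds, target)
        result = result or rhs
    return result


def authorize(rule_name, creds, target):
    """Return True if creds satisfy the named rule for the target resource."""
    return bool(_or(TOKEN.findall(RULES[rule_name]), creds, target))


def make_creds(roles, project_id, is_admin_project=True):
    """Constructed request context (hypothetical helper)."""
    creds = {"roles": roles, "project_id": project_id,
             "is_admin_project": is_admin_project}
    creds["is_admin"] = authorize("context_is_admin", creds, {})
    return creds


if __name__ == "__main__":
    vol_a = {"project_id": "proj-a"}        # constructed target volume
    users = {
        "reader@proj-a": make_creds(["reader"], "proj-a"),
        "member@proj-a": make_creds(["member", "reader"], "proj-a"),
        "reader@proj-b": make_creds(["reader"], "proj-b"),
        "admin@proj-b": make_creds(["admin", "member", "reader"], "proj-b"),
    }
    for name, creds in users.items():
        print(name, {p: authorize(p, creds, vol_a)
                     for p in ("volume:get", "volume:delete", "volume:force_delete")})
```

Because role:admin satisfies the xena_* rules without a project match, an admin role assigned on any project passes them for every project's resources, which is worth checking when auditing role assignments.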
volume:attachment_create
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/attachments
Create attachment.
volume:attachment_update
- Default:
rule:xena_system_admin_or_project_member
- Operations:
PUT
/attachments/{attachment_id}
Update attachment.
volume:attachment_delete
- Default:
rule:xena_system_admin_or_project_member
- Operations:
DELETE
/attachments/{attachment_id}
Delete attachment.
volume:attachment_complete
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/attachments/{attachment_id}/action (os-complete)
Mark a volume attachment process as completed (in-use).
volume:multiattach_bootable_volume
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/attachments
Allow multiattach of bootable volumes.
message:get_all
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/messages
List messages.
message:get
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/messages/{message_id}
Show message.
message:delete
- Default:
rule:xena_system_admin_or_project_member
- Operations:
DELETE
/messages/{message_id}
Delete message.
clusters:get_all
- Default:
rule:admin_api
- Operations:
GET
/clusters
GET
/clusters/detail
List clusters.
clusters:get
- Default:
rule:admin_api
- Operations:
GET
/clusters/{cluster_id}
Show cluster.
clusters:update
- Default:
rule:admin_api
- Operations:
PUT
/clusters/{cluster_id}
Update cluster.
workers:cleanup
- Default:
rule:admin_api
- Operations:
POST
/workers/cleanup
Clean up workers.
volume:get_snapshot_metadata
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/snapshots/{snapshot_id}/metadata
GET
/snapshots/{snapshot_id}/metadata/{key}
Show snapshot’s metadata or one specified metadata with a given key.
volume:update_snapshot_metadata
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/snapshots/{snapshot_id}/metadata
PUT
/snapshots/{snapshot_id}/metadata/{key}
Update snapshot’s metadata or one specified metadata with a given key.
volume:delete_snapshot_metadata
- Default:
rule:xena_system_admin_or_project_member
- Operations:
DELETE
/snapshots/{snapshot_id}/metadata/{key}
Delete snapshot’s specified metadata with a given key.
volume:get_all_snapshots
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/snapshots
GET
/snapshots/detail
List snapshots.
volume_extension:extended_snapshot_attributes
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/snapshots/{snapshot_id}
GET
/snapshots/detail
List or show snapshots with extended attributes.
volume:create_snapshot
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/snapshots
Create snapshot.
volume:get_snapshot
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/snapshots/{snapshot_id}
Show snapshot.
volume:update_snapshot
- Default:
rule:xena_system_admin_or_project_member
- Operations:
PUT
/snapshots/{snapshot_id}
Update snapshot.
volume:delete_snapshot
- Default:
rule:xena_system_admin_or_project_member
- Operations:
DELETE
/snapshots/{snapshot_id}
Delete snapshot.
volume_extension:snapshot_admin_actions:reset_status
- Default:
rule:admin_api
- Operations:
POST
/snapshots/{snapshot_id}/action (os-reset_status)
Reset status of a snapshot.
snapshot_extension:snapshot_actions:update_snapshot_status
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/snapshots/{snapshot_id}/action (update_snapshot_status)
Update database fields of snapshot.
volume_extension:snapshot_admin_actions:force_delete
- Default:
rule:admin_api
- Operations:
POST
/snapshots/{snapshot_id}/action (os-force_delete)
Force delete a snapshot.
snapshot_extension:list_manageable
- Default:
rule:admin_api
- Operations:
GET
/manageable_snapshots
GET
/manageable_snapshots/detail
List (in detail) the snapshots which are available to manage.
snapshot_extension:snapshot_manage
- Default:
rule:admin_api
- Operations:
POST
/manageable_snapshots
Manage an existing snapshot.
snapshot_extension:snapshot_unmanage
- Default:
rule:admin_api
- Operations:
POST
/snapshots/{snapshot_id}/action (os-unmanage)
Stop managing a snapshot.
backup:get_all
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/backups
GET
/backups/detail
List backups.
backup:backup_project_attribute
- Default:
rule:admin_api
- Operations:
GET
/backups/{backup_id}
GET
/backups/detail
List backups or show backup with project attributes.
backup:create
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/backups
Create backup.
backup:get
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/backups/{backup_id}
Show backup.
backup:update
- Default:
rule:xena_system_admin_or_project_member
- Operations:
PUT
/backups/{backup_id}
Update backup.
backup:delete
- Default:
rule:xena_system_admin_or_project_member
- Operations:
DELETE
/backups/{backup_id}
Delete backup.
backup:restore
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/backups/{backup_id}/restore
Restore backup.
backup:backup-import
- Default:
rule:admin_api
- Operations:
POST
/backups/{backup_id}/import_record
Import backup.
backup:export-import
- Default:
rule:admin_api
- Operations:
POST
/backups/{backup_id}/export_record
Export backup.
volume_extension:backup_admin_actions:reset_status
- Default:
rule:admin_api
- Operations:
POST
/backups/{backup_id}/action (os-reset_status)
Reset status of a backup.
volume_extension:backup_admin_actions:force_delete
- Default:
rule:admin_api
- Operations:
POST
/backups/{backup_id}/action (os-force_delete)
Force delete a backup.
group:get_all
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/groups
GET
/groups/detail
List groups.
group:create
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/groups
Create group.
group:get
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/groups/{group_id}
Show group.
group:update
- Default:
rule:xena_system_admin_or_project_member
- Operations:
PUT
/groups/{group_id}
Update group.
group:group_project_attribute
- Default:
rule:admin_api
- Operations:
GET
/groups/{group_id}
GET
/groups/detail
List groups or show group with project attributes.
group:group_types:create
- Default:
rule:admin_api
- Operations:
POST
/group_types/
Create a group type.
group:group_types:update
- Default:
rule:admin_api
- Operations:
PUT
/group_types/{group_type_id}
Update a group type.
group:group_types:delete
- Default:
rule:admin_api
- Operations:
DELETE
/group_types/{group_type_id}
Delete a group type.
group:access_group_types_specs
- Default:
rule:admin_api
- Operations:
GET
/group_types/{group_type_id}
Show group type with type specs attributes.
group:group_types_specs:get
- Default:
rule:admin_api
- Operations:
GET
/group_types/{group_type_id}/group_specs/{g_spec_id}
Show a group type spec.
group:group_types_specs:get_all
- Default:
rule:admin_api
- Operations:
GET
/group_types/{group_type_id}/group_specs
List group type specs.
group:group_types_specs:create
- Default:
rule:admin_api
- Operations:
POST
/group_types/{group_type_id}/group_specs
Create a group type spec.
group:group_types_specs:update
- Default:
rule:admin_api
- Operations:
PUT
/group_types/{group_type_id}/group_specs/{g_spec_id}
Update a group type spec.
group:group_types_specs:delete
- Default:
rule:admin_api
- Operations:
DELETE
/group_types/{group_type_id}/group_specs/{g_spec_id}
Delete a group type spec.
group:get_all_group_snapshots
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/group_snapshots
GET
/group_snapshots/detail
List group snapshots.
group:create_group_snapshot
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/group_snapshots
Create group snapshot.
group:get_group_snapshot
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/group_snapshots/{group_snapshot_id}
Show group snapshot.
group:delete_group_snapshot
- Default:
rule:xena_system_admin_or_project_member
- Operations:
DELETE
/group_snapshots/{group_snapshot_id}
Delete group snapshot.
group:update_group_snapshot
- Default:
rule:xena_system_admin_or_project_member
- Operations:
PUT
/group_snapshots/{group_snapshot_id}
Update group snapshot.
group:group_snapshot_project_attribute
- Default:
rule:admin_api
- Operations:
GET
/group_snapshots/{group_snapshot_id}
GET
/group_snapshots/detail
List group snapshots or show group snapshot with project attributes.
group:reset_group_snapshot_status
- Default:
rule:admin_api
- Operations:
POST
/group_snapshots/{g_snapshot_id}/action (reset_status)
Reset status of group snapshot.
group:delete
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/groups/{group_id}/action (delete)
Delete group.
group:reset_status
- Default:
rule:admin_api
- Operations:
POST
/groups/{group_id}/action (reset_status)
Reset status of group.
group:enable_replication
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/groups/{group_id}/action (enable_replication)
Enable replication.
group:disable_replication
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/groups/{group_id}/action (disable_replication)
Disable replication.
group:failover_replication
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/groups/{group_id}/action (failover_replication)
Fail over replication.
group:list_replication_targets
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/groups/{group_id}/action (list_replication_targets)
List failover replication.
volume_extension:qos_specs_manage:get_all
- Default:
rule:admin_api
- Operations:
GET
/qos-specs
GET
/qos-specs/{qos_id}/associations
List qos specs or list all associations.
volume_extension:qos_specs_manage:get
- Default:
rule:admin_api
- Operations:
GET
/qos-specs/{qos_id}
Show qos specs.
volume_extension:qos_specs_manage:create
- Default:
rule:admin_api
- Operations:
POST
/qos-specs
Create qos specs.
volume_extension:qos_specs_manage:update
- Default:
rule:admin_api
- Operations:
PUT
/qos-specs/{qos_id}
GET
/qos-specs/{qos_id}/disassociate_all
GET
/qos-specs/{qos_id}/associate
GET
/qos-specs/{qos_id}/disassociate
Update qos specs (including updating association).
volume_extension:qos_specs_manage:delete
- Default:
rule:admin_api
- Operations:
DELETE
/qos-specs/{qos_id}
PUT
/qos-specs/{qos_id}/delete_keys
Delete qos specs or unset one specified qos key.
volume_extension:quota_classes:get
- Default:
rule:admin_api
- Operations:
GET
/os-quota-class-sets/{project_id}
Show project quota class.
volume_extension:quota_classes:update
- Default:
rule:admin_api
- Operations:
PUT
/os-quota-class-sets/{project_id}
Update project quota class.
volume_extension:quotas:show
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/os-quota-sets/{project_id}
GET
/os-quota-sets/{project_id}/default
GET
/os-quota-sets/{project_id}?usage=True
Show project quota (including usage and default).
volume_extension:quotas:update
- Default:
rule:admin_api
- Operations:
PUT
/os-quota-sets/{project_id}
Update project quota.
volume_extension:quotas:delete
- Default:
rule:admin_api
- Operations:
DELETE
/os-quota-sets/{project_id}
Delete project quota.
volume_extension:capabilities
- Default:
rule:admin_api
- Operations:
GET
/capabilities/{host_name}
Show backend capabilities.
volume_extension:services:index
- Default:
rule:admin_api
- Operations:
GET
/os-services
List all services.
volume_extension:services:update
- Default:
rule:admin_api
- Operations:
PUT
/os-services/{action}
Update service, including failover_host, thaw, freeze, disable, enable, set-log and get-log actions.
volume:freeze_host
- Default:
rule:admin_api
- Operations:
PUT
/os-services/freeze
Freeze a backend host.
volume:thaw_host
- Default:
rule:admin_api
- Operations:
PUT
/os-services/thaw
Thaw a backend host.
volume:failover_host
- Default:
rule:admin_api
- Operations:
PUT
/os-services/failover_host
Failover a backend host.
scheduler_extension:scheduler_stats:get_pools
- Default:
rule:admin_api
- Operations:
GET
/scheduler-stats/get_pools
List all backend pools.
volume_extension:hosts
- Default:
rule:admin_api
- Operations:
GET
/os-hosts
PUT
/os-hosts/{host_name}
GET
/os-hosts/{host_id}
List, update or show hosts for a project.
limits_extension:used_limits
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/limits
Show limits with used limit attributes.
volume_extension:list_manageable
- Default:
rule:admin_api
- Operations:
GET
/manageable_volumes
GET
/manageable_volumes/detail
List (in detail) the volumes which are available to manage.
volume_extension:volume_manage
- Default:
rule:admin_api
- Operations:
POST
/manageable_volumes
Manage existing volumes.
volume_extension:volume_unmanage
- Default:
rule:admin_api
- Operations:
POST
/volumes/{volume_id}/action (os-unmanage)
Stop managing a volume.
volume_extension:type_create
- Default:
rule:admin_api
- Operations:
POST
/types
Create volume type.
volume_extension:type_update
- Default:
rule:admin_api
- Operations:
PUT
/types
Update volume type.
volume_extension:type_delete
- Default:
rule:admin_api
- Operations:
DELETE
/types
Delete volume type.
volume_extension:type_get
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/types/{type_id}
Get one specific volume type.
volume_extension:type_get_all
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/types/
List volume types.
volume_extension:access_types_extra_specs
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/types/{type_id}
GET
/types
Include the volume type’s extra_specs attribute in the volume type list or show requests. The ability to make these calls is governed by other policies.
volume_extension:access_types_qos_specs_id
- Default:
rule:admin_api
- Operations:
GET
/types/{type_id}
GET
/types
Include the volume type’s QoS specifications ID attribute in the volume type list or show requests. The ability to make these calls is governed by other policies.
volume_extension:volume_type_encryption
- Default:
rule:admin_api
DEPRECATED: This rule will be removed in the Yoga release.
volume_extension:volume_type_encryption:create
- Default:
rule:admin_api
- Operations:
POST
/types/{type_id}/encryption
Create volume type encryption.
volume_extension:volume_type_encryption:get
- Default:
rule:admin_api
- Operations:
GET
/types/{type_id}/encryption
GET
/types/{type_id}/encryption/{key}
Show a volume type’s encryption type, show an encryption specs item.
volume_extension:volume_type_encryption:update
- Default:
rule:admin_api
- Operations:
PUT
/types/{type_id}/encryption/{encryption_id}
Update volume type encryption.
volume_extension:volume_type_encryption:delete
- Default:
rule:admin_api
- Operations:
DELETE
/types/{type_id}/encryption/{encryption_id}
Delete volume type encryption.
volume_extension:volume_type_access
- Default:
rule:xena_system_admin_or_project_member
- Operations:
GET
/types
GET
/types/{type_id}
POST
/types
Adds the boolean field ‘os-volume-type-access:is_public’ to the responses for these API calls. The ability to make these calls is governed by other policies.
volume_extension:volume_type_access:addProjectAccess
- Default:
rule:admin_api
- Operations:
POST
/types/{type_id}/action (addProjectAccess)
Add volume type access for project.
volume_extension:volume_type_access:removeProjectAccess
- Default:
rule:admin_api
- Operations:
POST
/types/{type_id}/action (removeProjectAccess)
Remove volume type access for project.
volume_extension:volume_type_access:get_all_for_type
- Default:
rule:admin_api
- Operations:
GET
/types/{type_id}/os-volume-type-access
List private volume type access detail, that is, list the projects that have access to this volume type.
volume:extend
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/volumes/{volume_id}/action (os-extend)
Extend a volume.
volume:extend_attached_volume
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/volumes/{volume_id}/action (os-extend)
Extend an attached volume.
volume_extension:volume_admin_actions:extend_volume_completion
- Default:
rule:admin_api
- Operations:
POST
/volumes/{volume_id}/action (os-extend_volume_completion)
Complete a volume extend operation.
volume:revert_to_snapshot
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/volumes/{volume_id}/action (revert)
Revert a volume to a snapshot.
volume_extension:volume_admin_actions:reset_status
- Default:
rule:admin_api
- Operations:
POST
/volumes/{volume_id}/action (os-reset_status)
Reset status of a volume.
volume:retype
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/volumes/{volume_id}/action (os-retype)
Retype a volume.
volume:update_readonly_flag
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/volumes/{volume_id}/action (os-update_readonly_flag)
Update a volume’s readonly flag.
volume_extension:volume_admin_actions:force_delete
- Default:
rule:admin_api
- Operations:
POST
/volumes/{volume_id}/action (os-force_delete)
Force delete a volume.
volume_extension:volume_actions:upload_public
- Default:
rule:admin_api
- Operations:
POST
/volumes/{volume_id}/action (os-volume_upload_image)
Upload a volume to image with public visibility.
volume_extension:volume_actions:upload_image
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/volumes/{volume_id}/action (os-volume_upload_image)
Upload a volume to image.
volume_extension:volume_admin_actions:force_detach
- Default:
rule:admin_api
- Operations:
POST
/volumes/{volume_id}/action (os-force_detach)
Force detach a volume.
volume_extension:volume_admin_actions:migrate_volume
- Default:
rule:admin_api
- Operations:
POST
/volumes/{volume_id}/action (os-migrate_volume)
Migrate a volume to a specified host.
volume_extension:volume_admin_actions:migrate_volume_completion
- Default:
rule:admin_api
- Operations:
POST
/volumes/{volume_id}/action (os-migrate_volume_completion)
Complete a volume migration.
volume_extension:volume_actions:initialize_connection
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/volumes/{volume_id}/action (os-initialize_connection)
Initialize volume attachment.
volume_extension:volume_actions:terminate_connection
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/volumes/{volume_id}/action (os-terminate_connection)
Terminate volume attachment.
volume_extension:volume_actions:roll_detaching
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/volumes/{volume_id}/action (os-roll_detaching)
Roll back volume status to ‘in-use’.
volume_extension:volume_actions:reserve
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/volumes/{volume_id}/action (os-reserve)
Mark volume as reserved.
volume_extension:volume_actions:unreserve
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/volumes/{volume_id}/action (os-unreserve)
Unmark volume as reserved.
volume_extension:volume_actions:begin_detaching
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/volumes/{volume_id}/action (os-begin_detaching)
Begin detach volumes.
volume_extension:volume_actions:attach
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/volumes/{volume_id}/action (os-attach)
Add attachment metadata.
volume_extension:volume_actions:detach
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/volumes/{volume_id}/action (os-detach)
Clear attachment metadata.
volume:reimage
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/volumes/{volume_id}/action (os-reimage)
Reimage a volume in ‘available’ or ‘error’ status.
volume:reimage_reserved
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/volumes/{volume_id}/action (os-reimage)
Reimage a volume in ‘reserved’ status.
volume:get_all_transfers
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/os-volume-transfer
GET
/os-volume-transfer/detail
GET
/volume_transfers
GET
/volume-transfers/detail
List volume transfer.
volume:create_transfer
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/os-volume-transfer
POST
/volume_transfers
Create a volume transfer.
volume:get_transfer
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/os-volume-transfer/{transfer_id}
GET
/volume-transfers/{transfer_id}
Show one specified volume transfer.
volume:accept_transfer
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/os-volume-transfer/{transfer_id}/accept
POST
/volume-transfers/{transfer_id}/accept
Accept a volume transfer.
volume:delete_transfer
- Default:
rule:xena_system_admin_or_project_member
- Operations:
DELETE
/os-volume-transfer/{transfer_id}
DELETE
/volume-transfers/{transfer_id}
Delete volume transfer.
volume:get_volume_metadata
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/volumes/{volume_id}/metadata
GET
/volumes/{volume_id}/metadata/{key}
POST
/volumes/{volume_id}/action (os-show_image_metadata)
Show volume’s metadata or one specified metadata with a given key.
volume:create_volume_metadata
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/volumes/{volume_id}/metadata
Create volume metadata.
volume:update_volume_metadata
- Default:
rule:xena_system_admin_or_project_member
- Operations:
PUT
/volumes/{volume_id}/metadata
PUT
/volumes/{volume_id}/metadata/{key}
Replace a volume’s metadata dictionary or update a single metadatum with a given key.
volume:delete_volume_metadata
- Default:
rule:xena_system_admin_or_project_member
- Operations:
DELETE
/volumes/{volume_id}/metadata/{key}
Delete a volume’s metadatum with the given key.
volume_extension:volume_image_metadata:show
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/volumes/detail
GET
/volumes/{volume_id}
Include a volume’s image metadata in volume detail responses. The ability to make these calls is governed by other policies.
volume_extension:volume_image_metadata:set
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/volumes/{volume_id}/action (os-set_image_metadata)
Set image metadata for a volume.
volume_extension:volume_image_metadata:remove
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/volumes/{volume_id}/action (os-unset_image_metadata)
Remove specific image metadata from a volume.
volume:update_volume_admin_metadata
- Default:
rule:admin_api
- Operations:
POST
/volumes/{volume_id}/action (os-update_readonly_flag)
POST
/volumes/{volume_id}/action (os-attach)
Update volume admin metadata. This permission is required to complete these API calls, though the ability to make these calls is governed by other policies.
volume_extension:types_extra_specs:index
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/types/{type_id}/extra_specs
List type extra specs.
volume_extension:types_extra_specs:create
- Default:
rule:admin_api
- Operations:
POST
/types/{type_id}/extra_specs
Create type extra specs.
volume_extension:types_extra_specs:show
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/types/{type_id}/extra_specs/{extra_spec_key}
Show one specified type extra specs.
volume_extension:types_extra_specs:read_sensitive
- Default:
rule:admin_api
- Operations:
GET
/types
GET
/types/{type_id}
GET
/types/{type_id}/extra_specs
GET
/types/{type_id}/extra_specs/{extra_spec_key}
In the various volume-type responses that show extra_specs, include extra_specs fields that may reveal sensitive information about the deployment and that should not be exposed to end users. The ability to make these calls is governed by other policies.
volume_extension:types_extra_specs:update
- Default:
rule:admin_api
- Operations:
PUT
/types/{type_id}/extra_specs/{extra_spec_key}
Update type extra specs.
volume_extension:types_extra_specs:delete
- Default:
rule:admin_api
- Operations:
DELETE
/types/{type_id}/extra_specs/{extra_spec_key}
Delete type extra specs.
volume:create
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/volumes
Create volume.
volume:create_from_image
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/volumes
Create volume from image.
volume:get
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/volumes/{volume_id}
Show volume.
volume:get_all
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/volumes
GET
/volumes/detail
GET
/volumes/summary
List volumes or get summary of volumes.
volume:update
- Default:
rule:xena_system_admin_or_project_member
- Operations:
PUT
/volumes
POST
/volumes/{volume_id}/action (os-set_bootable)
Update volume or update a volume’s bootable status.
volume:delete
- Default:
rule:xena_system_admin_or_project_member
- Operations:
DELETE
/volumes/{volume_id}
Delete volume.
volume:force_delete
- Default:
rule:admin_api
- Operations:
DELETE
/volumes/{volume_id}
Force delete a volume.
volume_extension:volume_host_attribute
- Default:
rule:admin_api
- Operations:
GET
/volumes/{volume_id}
GET
/volumes/detail
List or show volume with host attribute.
volume_extension:volume_tenant_attribute
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/volumes/{volume_id}
GET
/volumes/detail
List or show volume with tenant attribute.
volume_extension:volume_mig_status_attribute
- Default:
rule:admin_api
- Operations:
GET
/volumes/{volume_id}
GET
/volumes/detail
List or show volume with migration status attribute.
volume_extension:volume_encryption_metadata
- Default:
rule:xena_system_admin_or_project_reader
- Operations:
GET
/volumes/{volume_id}/encryption
GET
/volumes/{volume_id}/encryption/{encryption_key}
Show volume’s encryption metadata.
volume:multiattach
- Default:
rule:xena_system_admin_or_project_member
- Operations:
POST
/volumes
Create multiattach capable volume.
volume_extension:default_set_or_update
- Default:
rule:admin_api
- Operations:
PUT
/default-types
Set or update default volume type.
volume_extension:default_get
- Default:
rule:admin_api
- Operations:
GET
/default-types/{project-id}
Get default types.
volume_extension:default_get_all
- Default:
rule:admin_api
- Operations:
GET
/default-types/
Get all default types. WARNING: Changing this might open up too much information regarding cloud deployment.
volume_extension:default_unset
- Default:
rule:admin_api
- Operations:
DELETE
/default-types/{project-id}
Unset default type.