Policy configuration

Configuration

The following is an overview of all available policies in Cinder. For information on how to write a custom policy file to modify these policies, see policy.yaml in the Cinder configuration documentation.

cinder

admin_or_owner
Default:

is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s

DEPRECATED: This rule will be removed in the Yoga release. Default rule for most non-Admin APIs.

system_or_domain_or_project_admin
Default:

(role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s) or (role:admin and project_id:%(project_id)s)

DEPRECATED: This rule will be removed in the Yoga release. Default rule for admins of cloud, domain or a project.

context_is_admin
Default:

role:admin

Decides what is required for the ‘is_admin:True’ check to succeed.

admin_api
Default:

is_admin:True or (role:admin and is_admin_project:True)

Default rule for most Admin APIs.

xena_system_admin_or_project_reader
Default:

(role:admin) or (role:reader and project_id:%(project_id)s)

NOTE: this purely role-based rule recognizes only project scope

xena_system_admin_or_project_member
Default:

(role:admin) or (role:member and project_id:%(project_id)s)

NOTE: this purely role-based rule recognizes only project scope
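How the check strings above combine for a given request, as an added example that is not Cinder or oslo.policy code: a simplified evaluator covering only the syntax used on this page (`role:`, `rule:`, `key:value`, `and`, `or`, `not`, parentheses). The project IDs, credentials and the helper names `credentials`, `authorize` and `evaluate` are constructed for illustration; the rule strings are copied from this page.

```python
import re

# Rule and policy defaults copied from this page.
RULES = {
    "context_is_admin": "role:admin",
    "admin_api": "is_admin:True or (role:admin and is_admin_project:True)",
    "xena_system_admin_or_project_reader":
        "(role:admin) or (role:reader and project_id:%(project_id)s)",
    "xena_system_admin_or_project_member":
        "(role:admin) or (role:member and project_id:%(project_id)s)",
    "volume:get": "rule:xena_system_admin_or_project_reader",
    "volume:delete": "rule:xena_system_admin_or_project_member",
    "volume_extension:volume_admin_actions:force_delete": "rule:admin_api",
}

# "(" and ")" are tokens, except inside a %(name)s substitution.
TOKEN = re.compile(r"\(|\)|(?:%\(\w+\)s|[^\s()])+")


def check_atom(atom, creds, target, rules):
    """Evaluate one 'kind:match' check against credentials and target."""
    kind, _, match = atom.partition(":")
    if kind == "rule":                       # reference to another rule
        return evaluate(rules[match], creds, target, rules)
    if kind == "role":                       # role held by the caller
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    try:
        wanted = match % target              # fill %(project_id)s from target
    except KeyError:
        return False                         # target lacks the attribute
    return kind in creds and str(creds[kind]) == wanted


def evaluate(check, creds, target, rules=RULES):
    """Recursive-descent evaluation; 'and' binds tighter than 'or'."""
    tokens, pos = TOKEN.findall(check), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        result = parse_and()
        while peek() == "or":
            take()
            result = parse_and() or result   # always parse the right side
        return result

    def parse_and():
        result = parse_atom()
        while peek() == "and":
            take()
            result = parse_atom() and result
        return result

    def parse_atom():
        tok = take()
        if tok == "not":
            return not parse_atom()
        if tok == "(":
            result = parse_or()
            take()                           # consume ")"
            return result
        return check_atom(tok, creds, target, rules)

    return parse_or()


def credentials(roles, project_id):
    """Constructed caller; is_admin is derived from context_is_admin."""
    creds = {"roles": roles, "project_id": project_id}
    creds["is_admin"] = evaluate(RULES["context_is_admin"], creds, {})
    return creds


def authorize(policy, creds, target):
    return evaluate(RULES[policy], creds, target)


if __name__ == "__main__":
    admin_a = credentials(["admin"], "proj-a")
    # role:admin carries no project condition in the xena_* rules, so an
    # admin role held on proj-a also passes for a volume owned by proj-b.
    print(authorize("volume:get", admin_a, {"project_id": "proj-b"}))
```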

volume:attachment_create
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /attachments

Create attachment.

volume:attachment_update
Default:

rule:xena_system_admin_or_project_member

Operations:
  • PUT /attachments/{attachment_id}

Update attachment.

volume:attachment_delete
Default:

rule:xena_system_admin_or_project_member

Operations:
  • DELETE /attachments/{attachment_id}

Delete attachment.

volume:attachment_complete
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /attachments/{attachment_id}/action (os-complete)

Mark a volume attachment process as completed (in-use).

volume:multiattach_bootable_volume
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /attachments

Allow multiattach of bootable volumes.

message:get_all
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /messages

List messages.

message:get
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /messages/{message_id}

Show message.

message:delete
Default:

rule:xena_system_admin_or_project_member

Operations:
  • DELETE /messages/{message_id}

Delete message.

clusters:get_all
Default:

rule:admin_api

Operations:
  • GET /clusters

  • GET /clusters/detail

List clusters.

clusters:get
Default:

rule:admin_api

Operations:
  • GET /clusters/{cluster_id}

Show cluster.

clusters:update
Default:

rule:admin_api

Operations:
  • PUT /clusters/{cluster_id}

Update cluster.

workers:cleanup
Default:

rule:admin_api

Operations:
  • POST /workers/cleanup

Clean up workers.

volume:get_snapshot_metadata
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /snapshots/{snapshot_id}/metadata

  • GET /snapshots/{snapshot_id}/metadata/{key}

Show snapshot’s metadata or one specified metadata with a given key.

volume:update_snapshot_metadata
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /snapshots/{snapshot_id}/metadata

  • PUT /snapshots/{snapshot_id}/metadata/{key}

Update snapshot’s metadata or one specified metadata with a given key.

volume:delete_snapshot_metadata
Default:

rule:xena_system_admin_or_project_member

Operations:
  • DELETE /snapshots/{snapshot_id}/metadata/{key}

Delete snapshot’s specified metadata with a given key.

volume:get_all_snapshots
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /snapshots

  • GET /snapshots/detail

List snapshots.

volume_extension:extended_snapshot_attributes
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /snapshots/{snapshot_id}

  • GET /snapshots/detail

List or show snapshots with extended attributes.

volume:create_snapshot
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /snapshots

Create snapshot.

volume:get_snapshot
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /snapshots/{snapshot_id}

Show snapshot.

volume:update_snapshot
Default:

rule:xena_system_admin_or_project_member

Operations:
  • PUT /snapshots/{snapshot_id}

Update snapshot.

volume:delete_snapshot
Default:

rule:xena_system_admin_or_project_member

Operations:
  • DELETE /snapshots/{snapshot_id}

Delete snapshot.

volume_extension:snapshot_admin_actions:reset_status
Default:

rule:admin_api

Operations:
  • POST /snapshots/{snapshot_id}/action (os-reset_status)

Reset status of a snapshot.

snapshot_extension:snapshot_actions:update_snapshot_status
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /snapshots/{snapshot_id}/action (update_snapshot_status)

Update database fields of snapshot.

volume_extension:snapshot_admin_actions:force_delete
Default:

rule:admin_api

Operations:
  • POST /snapshots/{snapshot_id}/action (os-force_delete)

Force delete a snapshot.

snapshot_extension:list_manageable
Default:

rule:admin_api

Operations:
  • GET /manageable_snapshots

  • GET /manageable_snapshots/detail

List (in detail) snapshots that are available to manage.

snapshot_extension:snapshot_manage
Default:

rule:admin_api

Operations:
  • POST /manageable_snapshots

Manage an existing snapshot.

snapshot_extension:snapshot_unmanage
Default:

rule:admin_api

Operations:
  • POST /snapshots/{snapshot_id}/action (os-unmanage)

Stop managing a snapshot.

backup:get_all
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /backups

  • GET /backups/detail

List backups.

backup:backup_project_attribute
Default:

rule:admin_api

Operations:
  • GET /backups/{backup_id}

  • GET /backups/detail

List backups or show backup with project attributes.

backup:create
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /backups

Create backup.

backup:get
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /backups/{backup_id}

Show backup.

backup:update
Default:

rule:xena_system_admin_or_project_member

Operations:
  • PUT /backups/{backup_id}

Update backup.

backup:delete
Default:

rule:xena_system_admin_or_project_member

Operations:
  • DELETE /backups/{backup_id}

Delete backup.

backup:restore
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /backups/{backup_id}/restore

Restore backup.

backup:backup-import
Default:

rule:admin_api

Operations:
  • POST /backups/{backup_id}/import_record

Import backup.

backup:export-import
Default:

rule:admin_api

Operations:
  • POST /backups/{backup_id}/export_record

Export backup.

volume_extension:backup_admin_actions:reset_status
Default:

rule:admin_api

Operations:
  • POST /backups/{backup_id}/action (os-reset_status)

Reset status of a backup.

volume_extension:backup_admin_actions:force_delete
Default:

rule:admin_api

Operations:
  • POST /backups/{backup_id}/action (os-force_delete)

Force delete a backup.

group:get_all
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /groups

  • GET /groups/detail

List groups.

group:create
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /groups

Create group.

group:get
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /groups/{group_id}

Show group.

group:update
Default:

rule:xena_system_admin_or_project_member

Operations:
  • PUT /groups/{group_id}

Update group.

group:group_project_attribute
Default:

rule:admin_api

Operations:
  • GET /groups/{group_id}

  • GET /groups/detail

List groups or show group with project attributes.

group:group_types:create
Default:

rule:admin_api

Operations:
  • POST /group_types/

Create a group type.

group:group_types:update
Default:

rule:admin_api

Operations:
  • PUT /group_types/{group_type_id}

Update a group type.

group:group_types:delete
Default:

rule:admin_api

Operations:
  • DELETE /group_types/{group_type_id}

Delete a group type.

group:access_group_types_specs
Default:

rule:admin_api

Operations:
  • GET /group_types/{group_type_id}

Show group type with type specs attributes.

group:group_types_specs:get
Default:

rule:admin_api

Operations:
  • GET /group_types/{group_type_id}/group_specs/{g_spec_id}

Show a group type spec.

group:group_types_specs:get_all
Default:

rule:admin_api

Operations:
  • GET /group_types/{group_type_id}/group_specs

List group type specs.

group:group_types_specs:create
Default:

rule:admin_api

Operations:
  • POST /group_types/{group_type_id}/group_specs

Create a group type spec.

group:group_types_specs:update
Default:

rule:admin_api

Operations:
  • PUT /group_types/{group_type_id}/group_specs/{g_spec_id}

Update a group type spec.

group:group_types_specs:delete
Default:

rule:admin_api

Operations:
  • DELETE /group_types/{group_type_id}/group_specs/{g_spec_id}

Delete a group type spec.

group:get_all_group_snapshots
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /group_snapshots

  • GET /group_snapshots/detail

List group snapshots.

group:create_group_snapshot
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /group_snapshots

Create group snapshot.

group:get_group_snapshot
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /group_snapshots/{group_snapshot_id}

Show group snapshot.

group:delete_group_snapshot
Default:

rule:xena_system_admin_or_project_member

Operations:
  • DELETE /group_snapshots/{group_snapshot_id}

Delete group snapshot.

group:update_group_snapshot
Default:

rule:xena_system_admin_or_project_member

Operations:
  • PUT /group_snapshots/{group_snapshot_id}

Update group snapshot.

group:group_snapshot_project_attribute
Default:

rule:admin_api

Operations:
  • GET /group_snapshots/{group_snapshot_id}

  • GET /group_snapshots/detail

List group snapshots or show group snapshot with project attributes.

group:reset_group_snapshot_status
Default:

rule:admin_api

Operations:
  • POST /group_snapshots/{g_snapshot_id}/action (reset_status)

Reset status of group snapshot.

group:delete
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /groups/{group_id}/action (delete)

Delete group.

group:reset_status
Default:

rule:admin_api

Operations:
  • POST /groups/{group_id}/action (reset_status)

Reset status of group.

group:enable_replication
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /groups/{group_id}/action (enable_replication)

Enable replication.

group:disable_replication
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /groups/{group_id}/action (disable_replication)

Disable replication.

group:failover_replication
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /groups/{group_id}/action (failover_replication)

Fail over replication.

group:list_replication_targets
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /groups/{group_id}/action (list_replication_targets)

List failover replication.

volume_extension:qos_specs_manage:get_all
Default:

rule:admin_api

Operations:
  • GET /qos-specs

  • GET /qos-specs/{qos_id}/associations

List qos specs or list all associations.

volume_extension:qos_specs_manage:get
Default:

rule:admin_api

Operations:
  • GET /qos-specs/{qos_id}

Show qos specs.

volume_extension:qos_specs_manage:create
Default:

rule:admin_api

Operations:
  • POST /qos-specs

Create qos specs.

volume_extension:qos_specs_manage:update
Default:

rule:admin_api

Operations:
  • PUT /qos-specs/{qos_id}

  • GET /qos-specs/{qos_id}/disassociate_all

  • GET /qos-specs/{qos_id}/associate

  • GET /qos-specs/{qos_id}/disassociate

Update qos specs (including updating association).

volume_extension:qos_specs_manage:delete
Default:

rule:admin_api

Operations:
  • DELETE /qos-specs/{qos_id}

  • PUT /qos-specs/{qos_id}/delete_keys

Delete qos specs or unset one specified qos key.

volume_extension:quota_classes:get
Default:

rule:admin_api

Operations:
  • GET /os-quota-class-sets/{project_id}

Show project quota class.

volume_extension:quota_classes:update
Default:

rule:admin_api

Operations:
  • PUT /os-quota-class-sets/{project_id}

Update project quota class.

volume_extension:quotas:show
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /os-quota-sets/{project_id}

  • GET /os-quota-sets/{project_id}/default

  • GET /os-quota-sets/{project_id}?usage=True

Show project quota (including usage and default).

volume_extension:quotas:update
Default:

rule:admin_api

Operations:
  • PUT /os-quota-sets/{project_id}

Update project quota.

volume_extension:quotas:delete
Default:

rule:admin_api

Operations:
  • DELETE /os-quota-sets/{project_id}

Delete project quota.

volume_extension:capabilities
Default:

rule:admin_api

Operations:
  • GET /capabilities/{host_name}

Show backend capabilities.

volume_extension:services:index
Default:

rule:admin_api

Operations:
  • GET /os-services

List all services.

volume_extension:services:update
Default:

rule:admin_api

Operations:
  • PUT /os-services/{action}

Update service, including failover_host, thaw, freeze, disable, enable, set-log and get-log actions.

volume:freeze_host
Default:

rule:admin_api

Operations:
  • PUT /os-services/freeze

Freeze a backend host.

volume:thaw_host
Default:

rule:admin_api

Operations:
  • PUT /os-services/thaw

Thaw a backend host.

volume:failover_host
Default:

rule:admin_api

Operations:
  • PUT /os-services/failover_host

Fail over a backend host.

scheduler_extension:scheduler_stats:get_pools
Default:

rule:admin_api

Operations:
  • GET /scheduler-stats/get_pools

List all backend pools.

volume_extension:hosts
Default:

rule:admin_api

Operations:
  • GET /os-hosts

  • PUT /os-hosts/{host_name}

  • GET /os-hosts/{host_id}

List, update or show hosts for a project.

limits_extension:used_limits
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /limits

Show limits with used limit attributes.

volume_extension:list_manageable
Default:

rule:admin_api

Operations:
  • GET /manageable_volumes

  • GET /manageable_volumes/detail

List (in detail) volumes that are available to manage.

volume_extension:volume_manage
Default:

rule:admin_api

Operations:
  • POST /manageable_volumes

Manage existing volumes.

volume_extension:volume_unmanage
Default:

rule:admin_api

Operations:
  • POST /volumes/{volume_id}/action (os-unmanage)

Stop managing a volume.

volume_extension:type_create
Default:

rule:admin_api

Operations:
  • POST /types

Create volume type.

volume_extension:type_update
Default:

rule:admin_api

Operations:
  • PUT /types

Update volume type.

volume_extension:type_delete
Default:

rule:admin_api

Operations:
  • DELETE /types

Delete volume type.

volume_extension:type_get
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /types/{type_id}

Get one specific volume type.

volume_extension:type_get_all
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /types/

List volume types.

volume_extension:access_types_extra_specs
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /types/{type_id}

  • GET /types

Include the volume type’s extra_specs attribute in the volume type list or show requests. The ability to make these calls is governed by other policies.

volume_extension:access_types_qos_specs_id
Default:

rule:admin_api

Operations:
  • GET /types/{type_id}

  • GET /types

Include the volume type’s QoS specifications ID attribute in the volume type list or show requests. The ability to make these calls is governed by other policies.

volume_extension:volume_type_encryption
Default:

rule:admin_api

DEPRECATED: This rule will be removed in the Yoga release.

volume_extension:volume_type_encryption:create
Default:

rule:admin_api

Operations:
  • POST /types/{type_id}/encryption

Create volume type encryption.

volume_extension:volume_type_encryption:get
Default:

rule:admin_api

Operations:
  • GET /types/{type_id}/encryption

  • GET /types/{type_id}/encryption/{key}

Show a volume type’s encryption type, show an encryption specs item.

volume_extension:volume_type_encryption:update
Default:

rule:admin_api

Operations:
  • PUT /types/{type_id}/encryption/{encryption_id}

Update volume type encryption.

volume_extension:volume_type_encryption:delete
Default:

rule:admin_api

Operations:
  • DELETE /types/{type_id}/encryption/{encryption_id}

Delete volume type encryption.

volume_extension:volume_type_access
Default:

rule:xena_system_admin_or_project_member

Operations:
  • GET /types

  • GET /types/{type_id}

  • POST /types

Adds the boolean field ‘os-volume-type-access:is_public’ to the responses for these API calls. The ability to make these calls is governed by other policies.

volume_extension:volume_type_access:addProjectAccess
Default:

rule:admin_api

Operations:
  • POST /types/{type_id}/action (addProjectAccess)

Add volume type access for project.

volume_extension:volume_type_access:removeProjectAccess
Default:

rule:admin_api

Operations:
  • POST /types/{type_id}/action (removeProjectAccess)

Remove volume type access for project.

volume_extension:volume_type_access:get_all_for_type
Default:

rule:admin_api

Operations:
  • GET /types/{type_id}/os-volume-type-access

List private volume type access detail, that is, list the projects that have access to this volume type.

volume:extend
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /volumes/{volume_id}/action (os-extend)

Extend a volume.

volume:extend_attached_volume
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /volumes/{volume_id}/action (os-extend)

Extend an attached volume.

volume_extension:volume_admin_actions:extend_volume_completion
Default:

rule:admin_api

Operations:
  • POST /volumes/{volume_id}/action (os-extend_volume_completion)

Complete a volume extend operation.

volume:revert_to_snapshot
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /volumes/{volume_id}/action (revert)

Revert a volume to a snapshot.

volume_extension:volume_admin_actions:reset_status
Default:

rule:admin_api

Operations:
  • POST /volumes/{volume_id}/action (os-reset_status)

Reset status of a volume.

volume:retype
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /volumes/{volume_id}/action (os-retype)

Retype a volume.

volume:update_readonly_flag
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /volumes/{volume_id}/action (os-update_readonly_flag)

Update a volume’s readonly flag.

volume_extension:volume_admin_actions:force_delete
Default:

rule:admin_api

Operations:
  • POST /volumes/{volume_id}/action (os-force_delete)

Force delete a volume.

volume_extension:volume_actions:upload_public
Default:

rule:admin_api

Operations:
  • POST /volumes/{volume_id}/action (os-volume_upload_image)

Upload a volume to image with public visibility.

volume_extension:volume_actions:upload_image
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /volumes/{volume_id}/action (os-volume_upload_image)

Upload a volume to image.

volume_extension:volume_admin_actions:force_detach
Default:

rule:admin_api

Operations:
  • POST /volumes/{volume_id}/action (os-force_detach)

Force detach a volume.

volume_extension:volume_admin_actions:migrate_volume
Default:

rule:admin_api

Operations:
  • POST /volumes/{volume_id}/action (os-migrate_volume)

Migrate a volume to a specified host.

volume_extension:volume_admin_actions:migrate_volume_completion
Default:

rule:admin_api

Operations:
  • POST /volumes/{volume_id}/action (os-migrate_volume_completion)

Complete a volume migration.

volume_extension:volume_actions:initialize_connection
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /volumes/{volume_id}/action (os-initialize_connection)

Initialize volume attachment.

volume_extension:volume_actions:terminate_connection
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /volumes/{volume_id}/action (os-terminate_connection)

Terminate volume attachment.

volume_extension:volume_actions:roll_detaching
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /volumes/{volume_id}/action (os-roll_detaching)

Roll back volume status to ‘in-use’.

volume_extension:volume_actions:reserve
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /volumes/{volume_id}/action (os-reserve)

Mark volume as reserved.

volume_extension:volume_actions:unreserve
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /volumes/{volume_id}/action (os-unreserve)

Unmark volume as reserved.

volume_extension:volume_actions:begin_detaching
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /volumes/{volume_id}/action (os-begin_detaching)

Begin detaching volumes.

volume_extension:volume_actions:attach
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /volumes/{volume_id}/action (os-attach)

Add attachment metadata.

volume_extension:volume_actions:detach
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /volumes/{volume_id}/action (os-detach)

Clear attachment metadata.

volume:reimage
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /volumes/{volume_id}/action (os-reimage)

Reimage a volume in ‘available’ or ‘error’ status.

volume:reimage_reserved
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /volumes/{volume_id}/action (os-reimage)

Reimage a volume in ‘reserved’ status.

volume:get_all_transfers
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /os-volume-transfer

  • GET /os-volume-transfer/detail

  • GET /volume_transfers

  • GET /volume-transfers/detail

List volume transfers.

volume:create_transfer
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /os-volume-transfer

  • POST /volume_transfers

Create a volume transfer.

volume:get_transfer
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /os-volume-transfer/{transfer_id}

  • GET /volume-transfers/{transfer_id}

Show one specified volume transfer.

volume:accept_transfer
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /os-volume-transfer/{transfer_id}/accept

  • POST /volume-transfers/{transfer_id}/accept

Accept a volume transfer.

volume:delete_transfer
Default:

rule:xena_system_admin_or_project_member

Operations:
  • DELETE /os-volume-transfer/{transfer_id}

  • DELETE /volume-transfers/{transfer_id}

Delete volume transfer.

volume:get_volume_metadata
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /volumes/{volume_id}/metadata

  • GET /volumes/{volume_id}/metadata/{key}

  • POST /volumes/{volume_id}/action (os-show_image_metadata)

Show volume’s metadata or one specified metadata with a given key.

volume:create_volume_metadata
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /volumes/{volume_id}/metadata

Create volume metadata.

volume:update_volume_metadata
Default:

rule:xena_system_admin_or_project_member

Operations:
  • PUT /volumes/{volume_id}/metadata

  • PUT /volumes/{volume_id}/metadata/{key}

Replace a volume’s metadata dictionary or update a single metadatum with a given key.

volume:delete_volume_metadata
Default:

rule:xena_system_admin_or_project_member

Operations:
  • DELETE /volumes/{volume_id}/metadata/{key}

Delete a volume’s metadatum with the given key.

volume_extension:volume_image_metadata:show
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /volumes/detail

  • GET /volumes/{volume_id}

Include a volume’s image metadata in volume detail responses. The ability to make these calls is governed by other policies.

volume_extension:volume_image_metadata:set
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /volumes/{volume_id}/action (os-set_image_metadata)

Set image metadata for a volume.

volume_extension:volume_image_metadata:remove
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /volumes/{volume_id}/action (os-unset_image_metadata)

Remove specific image metadata from a volume.

volume:update_volume_admin_metadata
Default:

rule:admin_api

Operations:
  • POST /volumes/{volume_id}/action (os-update_readonly_flag)

  • POST /volumes/{volume_id}/action (os-attach)

Update volume admin metadata. This permission is required to complete these API calls, though the ability to make these calls is governed by other policies.

volume_extension:types_extra_specs:index
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /types/{type_id}/extra_specs

List type extra specs.

volume_extension:types_extra_specs:create
Default:

rule:admin_api

Operations:
  • POST /types/{type_id}/extra_specs

Create type extra specs.

volume_extension:types_extra_specs:show
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /types/{type_id}/extra_specs/{extra_spec_key}

Show one specified type extra spec.

volume_extension:types_extra_specs:read_sensitive
Default:

rule:admin_api

Operations:
  • GET /types

  • GET /types/{type_id}

  • GET /types/{type_id}/extra_specs

  • GET /types/{type_id}/extra_specs/{extra_spec_key}

In the various volume-type responses that show extra_specs, include the extra_specs fields that may reveal sensitive information about the deployment and should not be exposed to end users. The ability to make these calls is governed by other policies.

volume_extension:types_extra_specs:update
Default:

rule:admin_api

Operations:
  • PUT /types/{type_id}/extra_specs/{extra_spec_key}

Update type extra specs.

volume_extension:types_extra_specs:delete
Default:

rule:admin_api

Operations:
  • DELETE /types/{type_id}/extra_specs/{extra_spec_key}

Delete type extra specs.

volume:create
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /volumes

Create volume.

volume:create_from_image
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /volumes

Create volume from image.

volume:get
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /volumes/{volume_id}

Show volume.

volume:get_all
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /volumes

  • GET /volumes/detail

  • GET /volumes/summary

List volumes or get summary of volumes.

volume:update
Default:

rule:xena_system_admin_or_project_member

Operations:
  • PUT /volumes

  • POST /volumes/{volume_id}/action (os-set_bootable)

Update volume or update a volume’s bootable status.

volume:delete
Default:

rule:xena_system_admin_or_project_member

Operations:
  • DELETE /volumes/{volume_id}

Delete volume.

volume:force_delete
Default:

rule:admin_api

Operations:
  • DELETE /volumes/{volume_id}

Force delete a volume.

volume_extension:volume_host_attribute
Default:

rule:admin_api

Operations:
  • GET /volumes/{volume_id}

  • GET /volumes/detail

List or show volume with host attribute.

volume_extension:volume_tenant_attribute
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /volumes/{volume_id}

  • GET /volumes/detail

List or show volume with tenant attribute.

volume_extension:volume_mig_status_attribute
Default:

rule:admin_api

Operations:
  • GET /volumes/{volume_id}

  • GET /volumes/detail

List or show volume with migration status attribute.

volume_extension:volume_encryption_metadata
Default:

rule:xena_system_admin_or_project_reader

Operations:
  • GET /volumes/{volume_id}/encryption

  • GET /volumes/{volume_id}/encryption/{encryption_key}

Show volume’s encryption metadata.

volume:multiattach
Default:

rule:xena_system_admin_or_project_member

Operations:
  • POST /volumes

Create multiattach capable volume.

volume_extension:default_set_or_update
Default:

rule:admin_api

Operations:
  • PUT /default-types

Set or update default volume type.

volume_extension:default_get
Default:

rule:admin_api

Operations:
  • GET /default-types/{project-id}

Get default types.

volume_extension:default_get_all
Default:

rule:admin_api

Operations:
  • GET /default-types/

Get all default types. WARNING: Changing this might open up too much information regarding cloud deployment.

volume_extension:default_unset
Default:

rule:admin_api

Operations:
  • DELETE /default-types/{project-id}

Unset default type.