Policy configuration¶
Configuration¶
The following is an overview of all available policies in Cinder. For information on how to write a custom policy file to modify these policies, see policy.yaml in the Cinder configuration documentation.
cinder¶
admin_or_owner- Default:
is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s
DEPRECATED: This rule will be removed in the Yoga release. Default rule for most non-Admin APIs.
system_or_domain_or_project_admin- Default:
(role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s) or (role:admin and project_id:%(project_id)s)
DEPRECATED: This rule will be removed in the Yoga release. Default rule for admins of cloud, domain or a project.
context_is_admin- Default:
role:admin
Decides what is required for the ‘is_admin:True’ check to succeed.
admin_api- Default:
is_admin:True or (role:admin and is_admin_project:True)
Default rule for most Admin APIs.
xena_system_admin_or_project_reader- Default:
(role:admin) or (role:reader and project_id:%(project_id)s)
NOTE: this purely role-based rule recognizes only project scope
xena_system_admin_or_project_member- Default:
(role:admin) or (role:member and project_id:%(project_id)s)
NOTE: this purely role-based rule recognizes only project scope
volume:attachment_create- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/attachments
Create attachment.
volume:attachment_update- Default:
rule:xena_system_admin_or_project_member- Operations:
PUT
/attachments/{attachment_id}
Update attachment.
volume:attachment_delete- Default:
rule:xena_system_admin_or_project_member- Operations:
DELETE
/attachments/{attachment_id}
Delete attachment.
volume:attachment_complete- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/attachments/{attachment_id}/action (os-complete)
Mark a volume attachment process as completed (in-use)
volume:multiattach_bootable_volume- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/attachments
Allow multiattach of bootable volumes.
message:get_all- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/messages
List messages.
message:get- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/messages/{message_id}
Show message.
message:delete- Default:
rule:xena_system_admin_or_project_member- Operations:
DELETE
/messages/{message_id}
Delete message.
clusters:get_all- Default:
rule:admin_api- Operations:
GET
/clustersGET
/clusters/detail
List clusters.
clusters:get- Default:
rule:admin_api- Operations:
GET
/clusters/{cluster_id}
Show cluster.
clusters:update- Default:
rule:admin_api- Operations:
PUT
/clusters/{cluster_id}
Update cluster.
workers:cleanup- Default:
rule:admin_api- Operations:
POST
/workers/cleanup
Clean up workers.
volume:get_snapshot_metadata- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/snapshots/{snapshot_id}/metadataGET
/snapshots/{snapshot_id}/metadata/{key}
Show snapshot’s metadata or one specified metadata with a given key.
volume:update_snapshot_metadata- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/snapshots/{snapshot_id}/metadataPUT
/snapshots/{snapshot_id}/metadata/{key}
Update snapshot’s metadata or one specified metadata with a given key.
volume:delete_snapshot_metadata- Default:
rule:xena_system_admin_or_project_member- Operations:
DELETE
/snapshots/{snapshot_id}/metadata/{key}
Delete snapshot’s specified metadata with a given key.
volume:get_all_snapshots- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/snapshotsGET
/snapshots/detail
List snapshots.
volume_extension:extended_snapshot_attributes- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/snapshots/{snapshot_id}GET
/snapshots/detail
List or show snapshots with extended attributes.
volume:create_snapshot- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/snapshots
Create snapshot.
volume:get_snapshot- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/snapshots/{snapshot_id}
Show snapshot.
volume:update_snapshot- Default:
rule:xena_system_admin_or_project_member- Operations:
PUT
/snapshots/{snapshot_id}
Update snapshot.
volume:delete_snapshot- Default:
rule:xena_system_admin_or_project_member- Operations:
DELETE
/snapshots/{snapshot_id}
Delete snapshot.
volume_extension:snapshot_admin_actions:reset_status- Default:
rule:admin_api- Operations:
POST
/snapshots/{snapshot_id}/action (os-reset_status)
Reset status of a snapshot.
snapshot_extension:snapshot_actions:update_snapshot_status- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/snapshots/{snapshot_id}/action (update_snapshot_status)
Update database fields of snapshot.
volume_extension:snapshot_admin_actions:force_delete- Default:
rule:admin_api- Operations:
POST
/snapshots/{snapshot_id}/action (os-force_delete)
Force delete a snapshot.
snapshot_extension:list_manageable- Default:
rule:admin_api- Operations:
GET
/manageable_snapshotsGET
/manageable_snapshots/detail
List (in detail) of snapshots which are available to manage.
snapshot_extension:snapshot_manage- Default:
rule:admin_api- Operations:
POST
/manageable_snapshots
Manage an existing snapshot.
snapshot_extension:snapshot_unmanage- Default:
rule:admin_api- Operations:
POST
/snapshots/{snapshot_id}/action (os-unmanage)
Stop managing a snapshot.
backup:get_all- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/backupsGET
/backups/detail
List backups.
backup:backup_project_attribute- Default:
rule:admin_api- Operations:
GET
/backups/{backup_id}GET
/backups/detail
List backups or show backup with project attributes.
backup:create- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/backups
Create backup.
backup:get- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/backups/{backup_id}
Show backup.
backup:update- Default:
rule:xena_system_admin_or_project_member- Operations:
PUT
/backups/{backup_id}
Update backup.
backup:delete- Default:
rule:xena_system_admin_or_project_member- Operations:
DELETE
/backups/{backup_id}
Delete backup.
backup:restore- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/backups/{backup_id}/restore
Restore backup.
backup:backup-import- Default:
rule:admin_api- Operations:
POST
/backups/{backup_id}/import_record
Import backup.
backup:export-import- Default:
rule:admin_api- Operations:
POST
/backups/{backup_id}/export_record
Export backup.
volume_extension:backup_admin_actions:reset_status- Default:
rule:admin_api- Operations:
POST
/backups/{backup_id}/action (os-reset_status)
Reset status of a backup.
volume_extension:backup_admin_actions:force_delete- Default:
rule:admin_api- Operations:
POST
/backups/{backup_id}/action (os-force_delete)
Force delete a backup.
group:get_all- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/groupsGET
/groups/detail
List groups.
group:create- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/groups
Create group.
group:get- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/groups/{group_id}
Show group.
group:update- Default:
rule:xena_system_admin_or_project_member- Operations:
PUT
/groups/{group_id}
Update group.
group:group_project_attribute- Default:
rule:admin_api- Operations:
GET
/groups/{group_id}GET
/groups/detail
List groups or show group with project attributes.
group:group_types:create- Default:
rule:admin_api- Operations:
POST
/group_types/
Create a group type.
group:group_types:update- Default:
rule:admin_api- Operations:
PUT
/group_types/{group_type_id}
Update a group type.
group:group_types:delete- Default:
rule:admin_api- Operations:
DELETE
/group_types/{group_type_id}
Delete a group type.
group:access_group_types_specs- Default:
rule:admin_api- Operations:
GET
/group_types/{group_type_id}
Show group type with type specs attributes.
group:group_types_specs:get- Default:
rule:admin_api- Operations:
GET
/group_types/{group_type_id}/group_specs/{g_spec_id}
Show a group type spec.
group:group_types_specs:get_all- Default:
rule:admin_api- Operations:
GET
/group_types/{group_type_id}/group_specs
List group type specs.
group:group_types_specs:create- Default:
rule:admin_api- Operations:
POST
/group_types/{group_type_id}/group_specs
Create a group type spec.
group:group_types_specs:update- Default:
rule:admin_api- Operations:
PUT
/group_types/{group_type_id}/group_specs/{g_spec_id}
Update a group type spec.
group:group_types_specs:delete- Default:
rule:admin_api- Operations:
DELETE
/group_types/{group_type_id}/group_specs/{g_spec_id}
Delete a group type spec.
group:get_all_group_snapshots- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/group_snapshotsGET
/group_snapshots/detail
List group snapshots.
group:create_group_snapshot- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/group_snapshots
Create group snapshot.
group:get_group_snapshot- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/group_snapshots/{group_snapshot_id}
Show group snapshot.
group:delete_group_snapshot- Default:
rule:xena_system_admin_or_project_member- Operations:
DELETE
/group_snapshots/{group_snapshot_id}
Delete group snapshot.
group:update_group_snapshot- Default:
rule:xena_system_admin_or_project_member- Operations:
PUT
/group_snapshots/{group_snapshot_id}
Update group snapshot.
group:group_snapshot_project_attribute- Default:
rule:admin_api- Operations:
GET
/group_snapshots/{group_snapshot_id}GET
/group_snapshots/detail
List group snapshots or show group snapshot with project attributes.
group:reset_group_snapshot_status- Default:
rule:admin_api- Operations:
POST
/group_snapshots/{g_snapshot_id}/action (reset_status)
Reset status of group snapshot.
group:delete- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/groups/{group_id}/action (delete)
Delete group.
group:reset_status- Default:
rule:admin_api- Operations:
POST
/groups/{group_id}/action (reset_status)
Reset status of group.
group:enable_replication- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/groups/{group_id}/action (enable_replication)
Enable replication.
group:disable_replication- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/groups/{group_id}/action (disable_replication)
Disable replication.
group:failover_replication- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/groups/{group_id}/action (failover_replication)
Fail over replication.
group:list_replication_targets- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/groups/{group_id}/action (list_replication_targets)
List failover replication.
volume_extension:qos_specs_manage:get_all- Default:
rule:admin_api- Operations:
GET
/qos-specsGET
/qos-specs/{qos_id}/associations
List qos specs or list all associations.
volume_extension:qos_specs_manage:get- Default:
rule:admin_api- Operations:
GET
/qos-specs/{qos_id}
Show qos specs.
volume_extension:qos_specs_manage:create- Default:
rule:admin_api- Operations:
POST
/qos-specs
Create qos specs.
volume_extension:qos_specs_manage:update- Default:
rule:admin_api- Operations:
PUT
/qos-specs/{qos_id}GET
/qos-specs/{qos_id}/disassociate_allGET
/qos-specs/{qos_id}/associateGET
/qos-specs/{qos_id}/disassociate
Update qos specs (including updating association).
volume_extension:qos_specs_manage:delete- Default:
rule:admin_api- Operations:
DELETE
/qos-specs/{qos_id}PUT
/qos-specs/{qos_id}/delete_keys
delete qos specs or unset one specified qos key.
volume_extension:quota_classes:get- Default:
rule:admin_api- Operations:
GET
/os-quota-class-sets/{project_id}
Show project quota class.
volume_extension:quota_classes:update- Default:
rule:admin_api- Operations:
PUT
/os-quota-class-sets/{project_id}
Update project quota class.
volume_extension:quotas:show- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/os-quota-sets/{project_id}GET
/os-quota-sets/{project_id}/defaultGET
/os-quota-sets/{project_id}?usage=True
Show project quota (including usage and default).
volume_extension:quotas:update- Default:
rule:admin_api- Operations:
PUT
/os-quota-sets/{project_id}
Update project quota.
volume_extension:quotas:delete- Default:
rule:admin_api- Operations:
DELETE
/os-quota-sets/{project_id}
Delete project quota.
volume_extension:capabilities- Default:
rule:admin_api- Operations:
GET
/capabilities/{host_name}
Show backend capabilities.
volume_extension:services:index- Default:
rule:admin_api- Operations:
GET
/os-services
List all services.
volume_extension:services:update- Default:
rule:admin_api- Operations:
PUT
/os-services/{action}
Update service, including failover_host, thaw, freeze, disable, enable, set-log and get-log actions.
volume:freeze_host- Default:
rule:admin_api- Operations:
PUT
/os-services/freeze
Freeze a backend host.
volume:thaw_host- Default:
rule:admin_api- Operations:
PUT
/os-services/thaw
Thaw a backend host.
volume:failover_host- Default:
rule:admin_api- Operations:
PUT
/os-services/failover_host
Failover a backend host.
scheduler_extension:scheduler_stats:get_pools- Default:
rule:admin_api- Operations:
GET
/scheduler-stats/get_pools
List all backend pools.
volume_extension:hosts- Default:
rule:admin_api- Operations:
GET
/os-hostsPUT
/os-hosts/{host_name}GET
/os-hosts/{host_id}
List, update or show hosts for a project.
limits_extension:used_limits- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/limits
Show limits with used limit attributes.
volume_extension:list_manageable- Default:
rule:admin_api- Operations:
GET
/manageable_volumesGET
/manageable_volumes/detail
List (in detail) of volumes which are available to manage.
volume_extension:volume_manage- Default:
rule:admin_api- Operations:
POST
/manageable_volumes
Manage existing volumes.
volume_extension:volume_unmanage- Default:
rule:admin_api- Operations:
POST
/volumes/{volume_id}/action (os-unmanage)
Stop managing a volume.
volume_extension:type_create- Default:
rule:admin_api- Operations:
POST
/types
Create volume type.
volume_extension:type_update- Default:
rule:admin_api- Operations:
PUT
/types
Update volume type.
volume_extension:type_delete- Default:
rule:admin_api- Operations:
DELETE
/types
Delete volume type.
volume_extension:type_get- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/types/{type_id}
Get one specific volume type.
volume_extension:type_get_all- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/types/
List volume types.
volume_extension:access_types_extra_specs- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/types/{type_id}GET
/types
Include the volume type’s extra_specs attribute in the volume type list or show requests. The ability to make these calls is governed by other policies.
volume_extension:access_types_qos_specs_id- Default:
rule:admin_api- Operations:
GET
/types/{type_id}GET
/types
Include the volume type’s QoS specifications ID attribute in the volume type list or show requests. The ability to make these calls is governed by other policies.
volume_extension:volume_type_encryption- Default:
rule:admin_api
DEPRECATED: This rule will be removed in the Yoga release.
volume_extension:volume_type_encryption:create- Default:
rule:admin_api- Operations:
POST
/types/{type_id}/encryption
Create volume type encryption.
volume_extension:volume_type_encryption:get- Default:
rule:admin_api- Operations:
GET
/types/{type_id}/encryptionGET
/types/{type_id}/encryption/{key}
Show a volume type’s encryption type, show an encryption specs item.
volume_extension:volume_type_encryption:update- Default:
rule:admin_api- Operations:
PUT
/types/{type_id}/encryption/{encryption_id}
Update volume type encryption.
volume_extension:volume_type_encryption:delete- Default:
rule:admin_api- Operations:
DELETE
/types/{type_id}/encryption/{encryption_id}
Delete volume type encryption.
volume_extension:volume_type_access- Default:
rule:xena_system_admin_or_project_member- Operations:
GET
/typesGET
/types/{type_id}POST
/types
Adds the boolean field ‘os-volume-type-access:is_public’ to the responses for these API calls. The ability to make these calls is governed by other policies.
volume_extension:volume_type_access:addProjectAccess- Default:
rule:admin_api- Operations:
POST
/types/{type_id}/action (addProjectAccess)
Add volume type access for project.
volume_extension:volume_type_access:removeProjectAccess- Default:
rule:admin_api- Operations:
POST
/types/{type_id}/action (removeProjectAccess)
Remove volume type access for project.
volume_extension:volume_type_access:get_all_for_type- Default:
rule:admin_api- Operations:
GET
/types/{type_id}/os-volume-type-access
List private volume type access detail, that is, list the projects that have access to this volume type.
volume:extend- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/volumes/{volume_id}/action (os-extend)
Extend a volume.
volume:extend_attached_volume- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/volumes/{volume_id}/action (os-extend)
Extend a attached volume.
volume_extension:volume_admin_actions:extend_volume_completion- Default:
rule:admin_api- Operations:
POST
/volumes/{volume_id}/action (os-extend_volume_completion)
Complete a volume extend operation.
volume:revert_to_snapshot- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/volumes/{volume_id}/action (revert)
Revert a volume to a snapshot.
volume_extension:volume_admin_actions:reset_status- Default:
rule:admin_api- Operations:
POST
/volumes/{volume_id}/action (os-reset_status)
Reset status of a volume.
volume:retype- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/volumes/{volume_id}/action (os-retype)
Retype a volume.
volume:update_readonly_flag- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/volumes/{volume_id}/action (os-update_readonly_flag)
Update a volume’s readonly flag.
volume_extension:volume_admin_actions:force_delete- Default:
rule:admin_api- Operations:
POST
/volumes/{volume_id}/action (os-force_delete)
Force delete a volume.
volume_extension:volume_actions:upload_public- Default:
rule:admin_api- Operations:
POST
/volumes/{volume_id}/action (os-volume_upload_image)
Upload a volume to image with public visibility.
volume_extension:volume_actions:upload_image- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/volumes/{volume_id}/action (os-volume_upload_image)
Upload a volume to image.
volume_extension:volume_admin_actions:force_detach- Default:
rule:admin_api- Operations:
POST
/volumes/{volume_id}/action (os-force_detach)
Force detach a volume.
volume_extension:volume_admin_actions:migrate_volume- Default:
rule:admin_api- Operations:
POST
/volumes/{volume_id}/action (os-migrate_volume)
migrate a volume to a specified host.
volume_extension:volume_admin_actions:migrate_volume_completion- Default:
rule:admin_api- Operations:
POST
/volumes/{volume_id}/action (os-migrate_volume_completion)
Complete a volume migration.
volume_extension:volume_actions:initialize_connection- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/volumes/{volume_id}/action (os-initialize_connection)
Initialize volume attachment.
volume_extension:volume_actions:terminate_connection- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/volumes/{volume_id}/action (os-terminate_connection)
Terminate volume attachment.
volume_extension:volume_actions:roll_detaching- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/volumes/{volume_id}/action (os-roll_detaching)
Roll back volume status to ‘in-use’.
volume_extension:volume_actions:reserve- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/volumes/{volume_id}/action (os-reserve)
Mark volume as reserved.
volume_extension:volume_actions:unreserve- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/volumes/{volume_id}/action (os-unreserve)
Unmark volume as reserved.
volume_extension:volume_actions:begin_detaching- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/volumes/{volume_id}/action (os-begin_detaching)
Begin detach volumes.
volume_extension:volume_actions:attach- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/volumes/{volume_id}/action (os-attach)
Add attachment metadata.
volume_extension:volume_actions:detach- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/volumes/{volume_id}/action (os-detach)
Clear attachment metadata.
volume:reimage- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/volumes/{volume_id}/action (os-reimage)
Reimage a volume in ‘available’ or ‘error’ status.
volume:reimage_reserved- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/volumes/{volume_id}/action (os-reimage)
Reimage a volume in ‘reserved’ status.
volume:get_all_transfers- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/os-volume-transferGET
/os-volume-transfer/detailGET
/volume_transfersGET
/volume-transfers/detail
List volume transfer.
volume:create_transfer- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/os-volume-transferPOST
/volume_transfers
Create a volume transfer.
volume:get_transfer- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/os-volume-transfer/{transfer_id}GET
/volume-transfers/{transfer_id}
Show one specified volume transfer.
volume:accept_transfer- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/os-volume-transfer/{transfer_id}/acceptPOST
/volume-transfers/{transfer_id}/accept
Accept a volume transfer.
volume:delete_transfer- Default:
rule:xena_system_admin_or_project_member- Operations:
DELETE
/os-volume-transfer/{transfer_id}DELETE
/volume-transfers/{transfer_id}
Delete volume transfer.
volume:get_volume_metadata- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/volumes/{volume_id}/metadataGET
/volumes/{volume_id}/metadata/{key}POST
/volumes/{volume_id}/action (os-show_image_metadata)
Show volume’s metadata or one specified metadata with a given key.
volume:create_volume_metadata- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/volumes/{volume_id}/metadata
Create volume metadata.
volume:update_volume_metadata- Default:
rule:xena_system_admin_or_project_member- Operations:
PUT
/volumes/{volume_id}/metadataPUT
/volumes/{volume_id}/metadata/{key}
Replace a volume’s metadata dictionary or update a single metadatum with a given key.
volume:delete_volume_metadata- Default:
rule:xena_system_admin_or_project_member- Operations:
DELETE
/volumes/{volume_id}/metadata/{key}
Delete a volume’s metadatum with the given key.
volume_extension:volume_image_metadata:show- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/volumes/detailGET
/volumes/{volume_id}
Include a volume’s image metadata in volume detail responses. The ability to make these calls is governed by other policies.
volume_extension:volume_image_metadata:set- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/volumes/{volume_id}/action (os-set_image_metadata)
Set image metadata for a volume
volume_extension:volume_image_metadata:remove- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/volumes/{volume_id}/action (os-unset_image_metadata)
Remove specific image metadata from a volume
volume:update_volume_admin_metadata- Default:
rule:admin_api- Operations:
POST
/volumes/{volume_id}/action (os-update_readonly_flag)POST
/volumes/{volume_id}/action (os-attach)
Update volume admin metadata. This permission is required to complete these API calls, though the ability to make these calls is governed by other policies.
volume_extension:types_extra_specs:index- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/types/{type_id}/extra_specs
List type extra specs.
volume_extension:types_extra_specs:create- Default:
rule:admin_api- Operations:
POST
/types/{type_id}/extra_specs
Create type extra specs.
volume_extension:types_extra_specs:show- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/types/{type_id}/extra_specs/{extra_spec_key}
Show one specified type extra specs.
volume_extension:types_extra_specs:read_sensitive- Default:
rule:admin_api- Operations:
GET
/typesGET
/types/{type_id}GET
/types/{type_id}/extra_specsGET
/types/{type_id}/extra_specs/{extra_spec_key}
Include extra_specs fields that may reveal sensitive information about the deployment that should not be exposed to end users in various volume-type responses that show extra_specs. The ability to make these calls is governed by other policies.
volume_extension:types_extra_specs:update- Default:
rule:admin_api- Operations:
PUT
/types/{type_id}/extra_specs/{extra_spec_key}
Update type extra specs.
volume_extension:types_extra_specs:delete- Default:
rule:admin_api- Operations:
DELETE
/types/{type_id}/extra_specs/{extra_spec_key}
Delete type extra specs.
volume:create- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/volumes
Create volume.
volume:create_from_image- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/volumes
Create volume from image.
volume:get- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/volumes/{volume_id}
Show volume.
volume:get_all- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/volumesGET
/volumes/detailGET
/volumes/summary
List volumes or get summary of volumes.
volume:update- Default:
rule:xena_system_admin_or_project_member- Operations:
PUT
/volumesPOST
/volumes/{volume_id}/action (os-set_bootable)
Update volume or update a volume’s bootable status.
volume:delete- Default:
rule:xena_system_admin_or_project_member- Operations:
DELETE
/volumes/{volume_id}
Delete volume.
volume:force_delete- Default:
rule:admin_api- Operations:
DELETE
/volumes/{volume_id}
Force Delete a volume.
volume_extension:volume_host_attribute- Default:
rule:admin_api- Operations:
GET
/volumes/{volume_id}GET
/volumes/detail
List or show volume with host attribute.
volume_extension:volume_tenant_attribute- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/volumes/{volume_id}GET
/volumes/detail
List or show volume with tenant attribute.
volume_extension:volume_mig_status_attribute- Default:
rule:admin_api- Operations:
GET
/volumes/{volume_id}GET
/volumes/detail
List or show volume with migration status attribute.
volume_extension:volume_encryption_metadata- Default:
rule:xena_system_admin_or_project_reader- Operations:
GET
/volumes/{volume_id}/encryptionGET
/volumes/{volume_id}/encryption/{encryption_key}
Show volume’s encryption metadata.
volume:multiattach- Default:
rule:xena_system_admin_or_project_member- Operations:
POST
/volumes
Create multiattach capable volume.
volume_extension:default_set_or_update- Default:
rule:admin_api- Operations:
PUT
/default-types
Set or update default volume type.
volume_extension:default_get- Default:
rule:admin_api- Operations:
GET
/default-types/{project-id}
Get default types.
volume_extension:default_get_all- Default:
rule:admin_api- Operations:
GET
/default-types/
Get all default types. WARNING: Changing this might open up too much information regarding cloud deployment.
volume_extension:default_unset- Default:
rule:admin_api- Operations:
DELETE
/default-types/{project-id}
Unset default type.
