The following is a sample Cinder policy file that has been auto-generated from default policy values in code. If you’re using the default policies, then the maintenance of this file is not necessary. It is here to help explain which policy operations protect specific Cinder API, but it is not suggested to copy and paste into a deployment unless you’re planning on providing a different policy for an operation that is not the default. For instance, if you want to change the default value of “volume:create”, you only need to keep this single rule in your policy config file (/etc/cinder/policy.json).
The sample policy file can also be viewed in file form.
# Decides what is required for the 'is_admin:True' check to succeed.
#"context_is_admin": "role:admin"
# Default rule for most non-Admin APIs.
#"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"
# Default rule for most Admin APIs.
#"admin_api": "is_admin:True or (role:admin and is_admin_project:True)"
# Create attachment.
# POST /attachments
#"volume:attachment_create": ""
# Update attachment.
# PUT /attachments/{attachment_id}
#"volume:attachment_update": "rule:admin_or_owner"
# Delete attachment.
# DELETE /attachments/{attachment_id}
#"volume:attachment_delete": "rule:admin_or_owner"
# Mark a volume attachment process as completed (in-use)
# POST /attachments/{attachment_id}/action (os-complete)
#"volume:attachment_complete": "rule:admin_or_owner"
# Allow multiattach of bootable volumes.
# POST /attachments
#"volume:multiattach_bootable_volume": "rule:admin_or_owner"
# List messages.
# GET /messages
#"message:get_all": "rule:admin_or_owner"
# Show message.
# GET /messages/{message_id}
#"message:get": "rule:admin_or_owner"
# Delete message.
# DELETE /messages/{message_id}
#"message:delete": "rule:admin_or_owner"
# List clusters.
# GET /clusters
# GET /clusters/detail
#"clusters:get_all": "rule:admin_api"
# Show cluster.
# GET /clusters/{cluster_id}
#"clusters:get": "rule:admin_api"
# Update cluster.
# PUT /clusters/{cluster_id}
#"clusters:update": "rule:admin_api"
# Clean up workers.
# POST /workers/cleanup
#"workers:cleanup": "rule:admin_api"
# Show snapshot's metadata or one specified metadata with a given key.
# GET /snapshots/{snapshot_id}/metadata
# GET /snapshots/{snapshot_id}/metadata/{key}
#"volume:get_snapshot_metadata": "rule:admin_or_owner"
# Update snapshot's metadata or one specified metadata with a given
# key.
# PUT /snapshots/{snapshot_id}/metadata
# PUT /snapshots/{snapshot_id}/metadata/{key}
#"volume:update_snapshot_metadata": "rule:admin_or_owner"
# Delete snapshot's specified metadata with a given key.
# DELETE /snapshots/{snapshot_id}/metadata/{key}
#"volume:delete_snapshot_metadata": "rule:admin_or_owner"
# List snapshots.
# GET /snapshots
# GET /snapshots/detail
#"volume:get_all_snapshots": "rule:admin_or_owner"
# List snapshots with extended attributes.
# GET /snapshots
# GET /snapshots/detail
#"volume_extension:extended_snapshot_attributes": "rule:admin_or_owner"
# Create snapshot.
# POST /snapshots
#"volume:create_snapshot": "rule:admin_or_owner"
# Show snapshot.
# GET /snapshots/{snapshot_id}
#"volume:get_snapshot": "rule:admin_or_owner"
# Update snapshot.
# PUT /snapshots/{snapshot_id}
#"volume:update_snapshot": "rule:admin_or_owner"
# Delete snapshot.
# DELETE /snapshots/{snapshot_id}
#"volume:delete_snapshot": "rule:admin_or_owner"
# Reset status of a snapshot.
# POST /snapshots/{snapshot_id}/action (os-reset_status)
#"volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api"
# Update database fields of snapshot.
# POST /snapshots/{snapshot_id}/action (update_snapshot_status)
#"snapshot_extension:snapshot_actions:update_snapshot_status": ""
# Force delete a snapshot.
# POST /snapshots/{snapshot_id}/action (os-force_delete)
#"volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api"
# List (in detail) of snapshots which are available to manage.
# GET /manageable_snapshots
# GET /manageable_snapshots/detail
#"snapshot_extension:list_manageable": "rule:admin_api"
# Manage an existing snapshot.
# POST /manageable_snapshots
#"snapshot_extension:snapshot_manage": "rule:admin_api"
# Stop managing a snapshot.
# POST /snapshots/{snapshot_id}/action (os-unmanage)
#"snapshot_extension:snapshot_unmanage": "rule:admin_api"
# List backups.
# GET /backups
# GET /backups/detail
#"backup:get_all": "rule:admin_or_owner"
# List backups or show backup with project attributes.
# GET /backups/{backup_id}
# GET /backups/detail
#"backup:backup_project_attribute": "rule:admin_api"
# Create backup.
# POST /backups
#"backup:create": ""
# Show backup.
# GET /backups/{backup_id}
#"backup:get": "rule:admin_or_owner"
# Update backup.
# PUT /backups/{backup_id}
#"backup:update": "rule:admin_or_owner"
# Delete backup.
# DELETE /backups/{backup_id}
#"backup:delete": "rule:admin_or_owner"
# Restore backup.
# POST /backups/{backup_id}/restore
#"backup:restore": "rule:admin_or_owner"
# Import backup.
# POST /backups/{backup_id}/import_record
#"backup:backup-import": "rule:admin_api"
# Export backup.
# POST /backups/{backup_id}/export_record
#"backup:export-import": "rule:admin_api"
# Reset status of a backup.
# POST /backups/{backup_id}/action (os-reset_status)
#"volume_extension:backup_admin_actions:reset_status": "rule:admin_api"
# Force delete a backup.
# POST /backups/{backup_id}/action (os-force_delete)
#"volume_extension:backup_admin_actions:force_delete": "rule:admin_api"
# List groups.
# GET /groups
# GET /groups/detail
#"group:get_all": "rule:admin_or_owner"
# Create group.
# POST /groups
#"group:create": ""
# Show group.
# GET /groups/{group_id}
#"group:get": "rule:admin_or_owner"
# Update group.
# PUT /groups/{group_id}
#"group:update": "rule:admin_or_owner"
# Create, update or delete a group type.
# POST /group_types/
# PUT /group_types/{group_type_id}
# DELETE /group_types/{group_type_id}
#"group:group_types_manage": "rule:admin_api"
# Show group type with type specs attributes.
# GET /group_types/{group_type_id}
#"group:access_group_types_specs": "rule:admin_api"
# Create, show, update and delete group type spec.
# GET /group_types/{group_type_id}/group_specs/{g_spec_id}
# GET /group_types/{group_type_id}/group_specs
# POST /group_types/{group_type_id}/group_specs
# PUT /group_types/{group_type_id}/group_specs/{g_spec_id}
# DELETE /group_types/{group_type_id}/group_specs/{g_spec_id}
#"group:group_types_specs": "rule:admin_api"
# List group snapshots.
# GET /group_snapshots
# GET /group_snapshots/detail
#"group:get_all_group_snapshots": "rule:admin_or_owner"
# Create group snapshot.
# POST /group_snapshots
#"group:create_group_snapshot": ""
# Show group snapshot.
# GET /group_snapshots/{group_snapshot_id}
#"group:get_group_snapshot": "rule:admin_or_owner"
# Delete group snapshot.
# DELETE /group_snapshots/{group_snapshot_id}
#"group:delete_group_snapshot": "rule:admin_or_owner"
# Update group snapshot.
# PUT /group_snapshots/{group_snapshot_id}
#"group:update_group_snapshot": "rule:admin_or_owner"
# Reset status of group snapshot.
# POST /group_snapshots/{g_snapshot_id}/action (reset_status)
#"group:reset_group_snapshot_status": "rule:admin_api"
# Delete group.
# POST /groups/{group_id}/action (delete)
#"group:delete": "rule:admin_or_owner"
# Reset status of group.
# POST /groups/{group_id}/action (reset_status)
#"group:reset_status": "rule:admin_api"
# Enable replication.
# POST /groups/{group_id}/action (enable_replication)
#"group:enable_replication": "rule:admin_or_owner"
# Disable replication.
# POST /groups/{group_id}/action (disable_replication)
#"group:disable_replication": "rule:admin_or_owner"
# Fail over replication.
# POST /groups/{group_id}/action (failover_replication)
#"group:failover_replication": "rule:admin_or_owner"
# List failover replication.
# POST /groups/{group_id}/action (list_replication_targets)
#"group:list_replication_targets": "rule:admin_or_owner"
# List qos specs or list all associations.
# GET /qos-specs
# GET /qos-specs/{qos_id}/associations
#"volume_extension:qos_specs_manage:get_all": "rule:admin_api"
# Show qos specs.
# GET /qos-specs/{qos_id}
#"volume_extension:qos_specs_manage:get": "rule:admin_api"
# Create qos specs.
# POST /qos-specs
#"volume_extension:qos_specs_manage:create": "rule:admin_api"
# Update qos specs (including updating association).
# PUT /qos-specs/{qos_id}
# GET /qos-specs/{qos_id}/disassociate_all
# GET /qos-specs/{qos_id}/associate
# GET /qos-specs/{qos_id}/disassociate
#"volume_extension:qos_specs_manage:update": "rule:admin_api"
# delete qos specs or unset one specified qos key.
# DELETE /qos-specs/{qos_id}
# PUT /qos-specs/{qos_id}/delete_keys
#"volume_extension:qos_specs_manage:delete": "rule:admin_api"
# Show or update project quota class.
# GET /os-quota-class-sets/{project_id}
# PUT /os-quota-class-sets/{project_id}
#"volume_extension:quota_classes": "rule:admin_api"
# Show project quota (including usage and default).
# GET /os-quota-sets/{project_id}
# GET /os-quota-sets/{project_id}/default
# GET /os-quota-sets/{project_id}?usage=True
#"volume_extension:quotas:show": "rule:admin_or_owner"
# Update project quota.
# PUT /os-quota-sets/{project_id}
#"volume_extension:quotas:update": "rule:admin_api"
# Delete project quota.
# DELETE /os-quota-sets/{project_id}
#"volume_extension:quotas:delete": "rule:admin_api"
# Validate setup for nested quota.
# GET /os-quota-sets/validate_setup_for_nested_quota_use
#"volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api"
# Show backend capabilities.
# GET /capabilities/{host_name}
#"volume_extension:capabilities": "rule:admin_api"
# List all services.
# GET /os-services
#"volume_extension:services:index": "rule:admin_api"
# Update service, including failover_host, thaw, freeze, disable,
# enable, set-log and get-log actions.
# PUT /os-services/{action}
#"volume_extension:services:update": "rule:admin_api"
# Freeze a backend host.
# PUT /os-services/freeze
#"volume:freeze_host": "rule:admin_api"
# Thaw a backend host.
# PUT /os-services/thaw
#"volume:thaw_host": "rule:admin_api"
# Failover a backend host.
# PUT /os-services/failover_host
#"volume:failover_host": "rule:admin_api"
# List all backend pools.
# GET /scheduler-stats/get_pools
#"scheduler_extension:scheduler_stats:get_pools": "rule:admin_api"
# List, update or show hosts for a project.
# GET /os-hosts
# PUT /os-hosts/{host_name}
# GET /os-hosts/{host_id}
#"volume_extension:hosts": "rule:admin_api"
# Show limits with used limit attributes.
# GET /limits
#"limits_extension:used_limits": "rule:admin_or_owner"
# List (in detail) of volumes which are available to manage.
# GET /manageable_volumes
# GET /manageable_volumes/detail
#"volume_extension:list_manageable": "rule:admin_api"
# Manage existing volumes.
# POST /manageable_volumes
#"volume_extension:volume_manage": "rule:admin_api"
# Stop managing a volume.
# POST /volumes/{volume_id}/action (os-unmanage)
#"volume_extension:volume_unmanage": "rule:admin_api"
# Create, update and delete volume type.
# POST /types
# PUT /types
# DELETE /types
#"volume_extension:types_manage": "rule:admin_api"
# List, show, create, update and delete volume type encryption.
# POST /types/{type_id}/encryption
# PUT /types/{type_id}/encryption/{encryption_id}
# GET /types/{type_id}/encryption
# GET /types/{type_id}/encryption/{encryption_id}
# DELETE /types/{type_id}/encryption/{encryption_id}
#"volume_extension:volume_type_encryption": "rule:admin_api"
# List or show volume type with access type extra specs attribute.
# GET /types/{type_id}
# GET /types
#"volume_extension:access_types_extra_specs": "rule:admin_api"
# List or show volume type with access type qos specs id attribute.
# GET /types/{type_id}
# GET /types
#"volume_extension:access_types_qos_specs_id": "rule:admin_api"
# Volume type access related APIs.
# GET /types
# GET /types/detail
# GET /types/{type_id}
# POST /types
#"volume_extension:volume_type_access": "rule:admin_or_owner"
# Add volume type access for project.
# POST /types/{type_id}/action (addProjectAccess)
#"volume_extension:volume_type_access:addProjectAccess": "rule:admin_api"
# Remove volume type access for project.
# POST /types/{type_id}/action (removeProjectAccess)
#"volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api"
# Extend a volume.
# POST /volumes/{volume_id}/action (os-extend)
#"volume:extend": "rule:admin_or_owner"
# Extend a attached volume.
# POST /volumes/{volume_id}/action (os-extend)
#"volume:extend_attached_volume": "rule:admin_or_owner"
# Revert a volume to a snapshot.
# POST /volumes/{volume_id}/action (revert)
#"volume:revert_to_snapshot": "rule:admin_or_owner"
# Reset status of a volume.
# POST /volumes/{volume_id}/action (os-reset_status)
#"volume_extension:volume_admin_actions:reset_status": "rule:admin_api"
# Retype a volume.
# POST /volumes/{volume_id}/action (os-retype)
#"volume:retype": "rule:admin_or_owner"
# Update a volume's readonly flag.
# POST /volumes/{volume_id}/action (os-update_readonly_flag)
#"volume:update_readonly_flag": "rule:admin_or_owner"
# Force delete a volume.
# POST /volumes/{volume_id}/action (os-force_delete)
#"volume_extension:volume_admin_actions:force_delete": "rule:admin_api"
# Upload a volume to image with public visibility.
# POST /volumes/{volume_id}/action (os-volume_upload_image)
#"volume_extension:volume_actions:upload_public": "rule:admin_api"
# Upload a volume to image.
# POST /volumes/{volume_id}/action (os-volume_upload_image)
#"volume_extension:volume_actions:upload_image": "rule:admin_or_owner"
# Force detach a volume.
# POST /volumes/{volume_id}/action (os-force_detach)
#"volume_extension:volume_admin_actions:force_detach": "rule:admin_api"
# migrate a volume to a specified host.
# POST /volumes/{volume_id}/action (os-migrate_volume)
#"volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api"
# Complete a volume migration.
# POST /volumes/{volume_id}/action (os-migrate_volume_completion)
#"volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api"
# Initialize volume attachment.
# POST /volumes/{volume_id}/action (os-initialize_connection)
#"volume_extension:volume_actions:initialize_connection": "rule:admin_or_owner"
# Terminate volume attachment.
# POST /volumes/{volume_id}/action (os-terminate_connection)
#"volume_extension:volume_actions:terminate_connection": "rule:admin_or_owner"
# Roll back volume status to 'in-use'.
# POST /volumes/{volume_id}/action (os-roll_detaching)
#"volume_extension:volume_actions:roll_detaching": "rule:admin_or_owner"
# Mark volume as reserved.
# POST /volumes/{volume_id}/action (os-reserve)
#"volume_extension:volume_actions:reserve": "rule:admin_or_owner"
# Unmark volume as reserved.
# POST /volumes/{volume_id}/action (os-unreserve)
#"volume_extension:volume_actions:unreserve": "rule:admin_or_owner"
# Begin detach volumes.
# POST /volumes/{volume_id}/action (os-begin_detaching)
#"volume_extension:volume_actions:begin_detaching": "rule:admin_or_owner"
# Add attachment metadata.
# POST /volumes/{volume_id}/action (os-attach)
#"volume_extension:volume_actions:attach": "rule:admin_or_owner"
# Clear attachment metadata.
# POST /volumes/{volume_id}/action (os-detach)
#"volume_extension:volume_actions:detach": "rule:admin_or_owner"
# List volume transfer.
# GET /os-volume-transfer
# GET /os-volume-transfer/detail
#"volume:get_all_transfers": "rule:admin_or_owner"
# Create a volume transfer.
# POST /os-volume-transfer
#"volume:create_transfer": "rule:admin_or_owner"
# Show one specified volume transfer.
# GET /os-volume-transfer/{transfer_id}
#"volume:get_transfer": "rule:admin_or_owner"
# Accept a volume transfer.
# POST /os-volume-transfer/{transfer_id}/accept
#"volume:accept_transfer": ""
# Delete volume transfer.
# DELETE /os-volume-transfer/{transfer_id}
#"volume:delete_transfer": "rule:admin_or_owner"
# Show volume's metadata or one specified metadata with a given key.
# GET /volumes/{volume_id}/metadata
# GET /volumes/{volume_id}/metadata/{key}
#"volume:get_volume_metadata": "rule:admin_or_owner"
# Create volume metadata.
# POST /volumes/{volume_id}/metadata
#"volume:create_volume_metadata": "rule:admin_or_owner"
# Update volume's metadata or one specified metadata with a given key.
# PUT /volumes/{volume_id}/metadata
# PUT /volumes/{volume_id}/metadata/{key}
#"volume:update_volume_metadata": "rule:admin_or_owner"
# Delete volume's specified metadata with a given key.
# DELETE /volumes/{volume_id}/metadata/{key}
#"volume:delete_volume_metadata": "rule:admin_or_owner"
# Volume's image metadata related operation, create, delete, show and
# list.
# GET /volumes/detail
# GET /volumes/{volume_id}
# POST /volumes/{volume_id}/action (os-set_image_metadata)
# POST /volumes/{volume_id}/action (os-unset_image_metadata)
#"volume_extension:volume_image_metadata": "rule:admin_or_owner"
# Update volume admin metadata. It's used in `attach` and `os-
# update_readonly_flag` APIs
# POST /volumes/{volume_id}/action (os-update_readonly_flag)
# POST /volumes/{volume_id}/action (os-attach)
#"volume:update_volume_admin_metadata": "rule:admin_api"
# List type extra specs.
# GET /types/{type_id}/extra_specs
#"volume_extension:types_extra_specs:index": "rule:admin_api"
# Create type extra specs.
# POST /types/{type_id}/extra_specs
#"volume_extension:types_extra_specs:create": "rule:admin_api"
# Show one specified type extra specs.
# GET /types/{type_id}/extra_specs/{extra_spec_key}
#"volume_extension:types_extra_specs:show": "rule:admin_api"
# Update type extra specs.
# PUT /types/{type_id}/extra_specs/{extra_spec_key}
#"volume_extension:types_extra_specs:update": "rule:admin_api"
# Delete type extra specs.
# DELETE /types/{type_id}/extra_specs/{extra_spec_key}
#"volume_extension:types_extra_specs:delete": "rule:admin_api"
# Create volume.
# POST /volumes
#"volume:create": ""
# Create volume from image.
# POST /volumes
#"volume:create_from_image": ""
# Show volume.
# GET /volumes/{volume_id}
#"volume:get": "rule:admin_or_owner"
# List volumes.
# GET /volumes
# GET /volumes/detail
#"volume:get_all": "rule:admin_or_owner"
# Update volume.
# PUT /volumes
#"volume:update": "rule:admin_or_owner"
# Delete volume.
# DELETE /volumes/{volume_id}
#"volume:delete": "rule:admin_or_owner"
# Force Delete a volume.
# DELETE /volumes/{volume_id}
#"volume:force_delete": "rule:admin_api"
# List or show volume with host attribute.
# GET /volumes/{volume_id}
# GET /volumes/detail
#"volume_extension:volume_host_attribute": "rule:admin_api"
# List or show volume with tenant attribute.
# GET /volumes/{volume_id}
# GET /volumes/detail
#"volume_extension:volume_tenant_attribute": "rule:admin_or_owner"
# List or show volume with migration status attribute.
# GET /volumes/{volume_id}
# GET /volumes/detail
#"volume_extension:volume_mig_status_attribute": "rule:admin_api"
# Show volume's encryption metadata.
# GET /volumes/{volume_id}/encryption
# GET /volumes/{volume_id}/encryption/{encryption_key}
#"volume_extension:volume_encryption_metadata": "rule:admin_or_owner"
# Create multiattach capable volume.
# POST /volumes
#"volume:multiattach": "rule:admin_or_owner"
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.