Policy configuration¶
Configuration¶
The following is an overview of all available policies in Cinder.
cinder¶
context_is_adminDefault: role:adminDecides what is required for the ‘is_admin:True’ check to succeed.
admin_or_ownerDefault: is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)sDefault rule for most non-Admin APIs.
admin_apiDefault: is_admin:True or (role:admin and is_admin_project:True)Default rule for most Admin APIs.
volume:attachment_createDefault: <empty string>
Operations: - POST
/attachments
Create attachment.
- POST
volume:attachment_updateDefault: rule:admin_or_ownerOperations: - PUT
/attachments/{attachment_id}
Update attachment.
- PUT
volume:attachment_deleteDefault: rule:admin_or_ownerOperations: - DELETE
/attachments/{attachment_id}
Delete attachment.
- DELETE
volume:attachment_completeDefault: rule:admin_or_ownerOperations: - POST
/attachments/{attachment_id}/action (os-complete)
Mark a volume attachment process as completed (in-use)
- POST
volume:multiattach_bootable_volumeDefault: rule:admin_or_ownerOperations: - POST
/attachments
Allow multiattach of bootable volumes.
- POST
message:get_allDefault: rule:admin_or_ownerOperations: - GET
/messages
List messages.
- GET
message:getDefault: rule:admin_or_ownerOperations: - GET
/messages/{message_id}
Show message.
- GET
message:deleteDefault: rule:admin_or_ownerOperations: - DELETE
/messages/{message_id}
Delete message.
- DELETE
clusters:get_allDefault: rule:admin_apiOperations: - GET
/clusters - GET
/clusters/detail
List clusters.
- GET
clusters:getDefault: rule:admin_apiOperations: - GET
/clusters/{cluster_id}
Show cluster.
- GET
clusters:updateDefault: rule:admin_apiOperations: - PUT
/clusters/{cluster_id}
Update cluster.
- PUT
workers:cleanupDefault: rule:admin_apiOperations: - POST
/workers/cleanup
Clean up workers.
- POST
volume:get_snapshot_metadataDefault: rule:admin_or_ownerOperations: - GET
/snapshots/{snapshot_id}/metadata - GET
/snapshots/{snapshot_id}/metadata/{key}
Show snapshot’s metadata or one specified metadata with a given key.
- GET
volume:update_snapshot_metadataDefault: rule:admin_or_ownerOperations: - PUT
/snapshots/{snapshot_id}/metadata - PUT
/snapshots/{snapshot_id}/metadata/{key}
Update snapshot’s metadata or one specified metadata with a given key.
- PUT
volume:delete_snapshot_metadataDefault: rule:admin_or_ownerOperations: - DELETE
/snapshots/{snapshot_id}/metadata/{key}
Delete snapshot’s specified metadata with a given key.
- DELETE
volume:get_all_snapshotsDefault: rule:admin_or_ownerOperations: - GET
/snapshots - GET
/snapshots/detail
List snapshots.
- GET
volume_extension:extended_snapshot_attributesDefault: rule:admin_or_ownerOperations: - GET
/snapshots/{snapshot_id} - GET
/snapshots/detail
List or show snapshots with extended attributes.
- GET
volume:create_snapshotDefault: rule:admin_or_ownerOperations: - POST
/snapshots
Create snapshot.
- POST
volume:get_snapshotDefault: rule:admin_or_ownerOperations: - GET
/snapshots/{snapshot_id}
Show snapshot.
- GET
volume:update_snapshotDefault: rule:admin_or_ownerOperations: - PUT
/snapshots/{snapshot_id}
Update snapshot.
- PUT
volume:delete_snapshotDefault: rule:admin_or_ownerOperations: - DELETE
/snapshots/{snapshot_id}
Delete snapshot.
- DELETE
volume_extension:snapshot_admin_actions:reset_statusDefault: rule:admin_apiOperations: - POST
/snapshots/{snapshot_id}/action (os-reset_status)
Reset status of a snapshot.
- POST
snapshot_extension:snapshot_actions:update_snapshot_statusDefault: <empty string>
Operations: - POST
/snapshots/{snapshot_id}/action (update_snapshot_status)
Update database fields of snapshot.
- POST
volume_extension:snapshot_admin_actions:force_deleteDefault: rule:admin_apiOperations: - POST
/snapshots/{snapshot_id}/action (os-force_delete)
Force delete a snapshot.
- POST
snapshot_extension:list_manageableDefault: rule:admin_apiOperations: - GET
/manageable_snapshots - GET
/manageable_snapshots/detail
List (in detail) of snapshots which are available to manage.
- GET
snapshot_extension:snapshot_manageDefault: rule:admin_apiOperations: - POST
/manageable_snapshots
Manage an existing snapshot.
- POST
snapshot_extension:snapshot_unmanageDefault: rule:admin_apiOperations: - POST
/snapshots/{snapshot_id}/action (os-unmanage)
Stop managing a snapshot.
- POST
backup:get_allDefault: rule:admin_or_ownerOperations: - GET
/backups - GET
/backups/detail
List backups.
- GET
backup:backup_project_attributeDefault: rule:admin_apiOperations: - GET
/backups/{backup_id} - GET
/backups/detail
List backups or show backup with project attributes.
- GET
backup:createDefault: <empty string>
Operations: - POST
/backups
Create backup.
- POST
backup:getDefault: rule:admin_or_ownerOperations: - GET
/backups/{backup_id}
Show backup.
- GET
backup:updateDefault: rule:admin_or_ownerOperations: - PUT
/backups/{backup_id}
Update backup.
- PUT
backup:deleteDefault: rule:admin_or_ownerOperations: - DELETE
/backups/{backup_id}
Delete backup.
- DELETE
backup:restoreDefault: rule:admin_or_ownerOperations: - POST
/backups/{backup_id}/restore
Restore backup.
- POST
backup:backup-importDefault: rule:admin_apiOperations: - POST
/backups/{backup_id}/import_record
Import backup.
- POST
backup:export-importDefault: rule:admin_apiOperations: - POST
/backups/{backup_id}/export_record
Export backup.
- POST
volume_extension:backup_admin_actions:reset_statusDefault: rule:admin_apiOperations: - POST
/backups/{backup_id}/action (os-reset_status)
Reset status of a backup.
- POST
volume_extension:backup_admin_actions:force_deleteDefault: rule:admin_apiOperations: - POST
/backups/{backup_id}/action (os-force_delete)
Force delete a backup.
- POST
group:get_allDefault: rule:admin_or_ownerOperations: - GET
/groups - GET
/groups/detail
List groups.
- GET
group:createDefault: <empty string>
Operations: - POST
/groups
Create group.
- POST
group:getDefault: rule:admin_or_ownerOperations: - GET
/groups/{group_id}
Show group.
- GET
group:updateDefault: rule:admin_or_ownerOperations: - PUT
/groups/{group_id}
Update group.
- PUT
group:group_types_manageDefault: rule:admin_apiOperations: - POST
/group_types/ - PUT
/group_types/{group_type_id} - DELETE
/group_types/{group_type_id}
Create, update or delete a group type.
- POST
group:access_group_types_specsDefault: rule:admin_apiOperations: - GET
/group_types/{group_type_id}
Show group type with type specs attributes.
- GET
group:group_types_specsDefault: rule:admin_apiOperations: - GET
/group_types/{group_type_id}/group_specs/{g_spec_id} - GET
/group_types/{group_type_id}/group_specs - POST
/group_types/{group_type_id}/group_specs - PUT
/group_types/{group_type_id}/group_specs/{g_spec_id} - DELETE
/group_types/{group_type_id}/group_specs/{g_spec_id}
Create, show, update and delete group type spec.
- GET
group:get_all_group_snapshotsDefault: rule:admin_or_ownerOperations: - GET
/group_snapshots - GET
/group_snapshots/detail
List group snapshots.
- GET
group:create_group_snapshotDefault: <empty string>
Operations: - POST
/group_snapshots
Create group snapshot.
- POST
group:get_group_snapshotDefault: rule:admin_or_ownerOperations: - GET
/group_snapshots/{group_snapshot_id}
Show group snapshot.
- GET
group:delete_group_snapshotDefault: rule:admin_or_ownerOperations: - DELETE
/group_snapshots/{group_snapshot_id}
Delete group snapshot.
- DELETE
group:update_group_snapshotDefault: rule:admin_or_ownerOperations: - PUT
/group_snapshots/{group_snapshot_id}
Update group snapshot.
- PUT
group:reset_group_snapshot_statusDefault: rule:admin_apiOperations: - POST
/group_snapshots/{g_snapshot_id}/action (reset_status)
Reset status of group snapshot.
- POST
group:deleteDefault: rule:admin_or_ownerOperations: - POST
/groups/{group_id}/action (delete)
Delete group.
- POST
group:reset_statusDefault: rule:admin_apiOperations: - POST
/groups/{group_id}/action (reset_status)
Reset status of group.
- POST
group:enable_replicationDefault: rule:admin_or_ownerOperations: - POST
/groups/{group_id}/action (enable_replication)
Enable replication.
- POST
group:disable_replicationDefault: rule:admin_or_ownerOperations: - POST
/groups/{group_id}/action (disable_replication)
Disable replication.
- POST
group:failover_replicationDefault: rule:admin_or_ownerOperations: - POST
/groups/{group_id}/action (failover_replication)
Fail over replication.
- POST
group:list_replication_targetsDefault: rule:admin_or_ownerOperations: - POST
/groups/{group_id}/action (list_replication_targets)
List failover replication.
- POST
volume_extension:qos_specs_manage:get_allDefault: rule:admin_apiOperations: - GET
/qos-specs - GET
/qos-specs/{qos_id}/associations
List qos specs or list all associations.
- GET
volume_extension:qos_specs_manage:getDefault: rule:admin_apiOperations: - GET
/qos-specs/{qos_id}
Show qos specs.
- GET
volume_extension:qos_specs_manage:createDefault: rule:admin_apiOperations: - POST
/qos-specs
Create qos specs.
- POST
volume_extension:qos_specs_manage:updateDefault: rule:admin_apiOperations: - PUT
/qos-specs/{qos_id} - GET
/qos-specs/{qos_id}/disassociate_all - GET
/qos-specs/{qos_id}/associate - GET
/qos-specs/{qos_id}/disassociate
Update qos specs (including updating association).
- PUT
volume_extension:qos_specs_manage:deleteDefault: rule:admin_apiOperations: - DELETE
/qos-specs/{qos_id} - PUT
/qos-specs/{qos_id}/delete_keys
delete qos specs or unset one specified qos key.
- DELETE
volume_extension:quota_classesDefault: rule:admin_apiOperations: - GET
/os-quota-class-sets/{project_id} - PUT
/os-quota-class-sets/{project_id}
Show or update project quota class.
- GET
volume_extension:quotas:showDefault: rule:admin_or_ownerOperations: - GET
/os-quota-sets/{project_id} - GET
/os-quota-sets/{project_id}/default - GET
/os-quota-sets/{project_id}?usage=True
Show project quota (including usage and default).
- GET
volume_extension:quotas:updateDefault: rule:admin_apiOperations: - PUT
/os-quota-sets/{project_id}
Update project quota.
- PUT
volume_extension:quotas:deleteDefault: rule:admin_apiOperations: - DELETE
/os-quota-sets/{project_id}
Delete project quota.
- DELETE
volume_extension:quota_classes:validate_setup_for_nested_quota_useDefault: rule:admin_apiOperations: - GET
/os-quota-sets/validate_setup_for_nested_quota_use
Validate setup for nested quota.
- GET
volume_extension:capabilitiesDefault: rule:admin_apiOperations: - GET
/capabilities/{host_name}
Show backend capabilities.
- GET
volume_extension:services:indexDefault: rule:admin_apiOperations: - GET
/os-services
List all services.
- GET
volume_extension:services:updateDefault: rule:admin_apiOperations: - PUT
/os-services/{action}
Update service, including failover_host, thaw, freeze, disable, enable, set-log and get-log actions.
- PUT
volume:freeze_hostDefault: rule:admin_apiOperations: - PUT
/os-services/freeze
Freeze a backend host.
- PUT
volume:thaw_hostDefault: rule:admin_apiOperations: - PUT
/os-services/thaw
Thaw a backend host.
- PUT
volume:failover_hostDefault: rule:admin_apiOperations: - PUT
/os-services/failover_host
Failover a backend host.
- PUT
scheduler_extension:scheduler_stats:get_poolsDefault: rule:admin_apiOperations: - GET
/scheduler-stats/get_pools
List all backend pools.
- GET
volume_extension:hostsDefault: rule:admin_apiOperations: - GET
/os-hosts - PUT
/os-hosts/{host_name} - GET
/os-hosts/{host_id}
List, update or show hosts for a project.
- GET
limits_extension:used_limitsDefault: rule:admin_or_ownerOperations: - GET
/limits
Show limits with used limit attributes.
- GET
volume_extension:list_manageableDefault: rule:admin_apiOperations: - GET
/manageable_volumes - GET
/manageable_volumes/detail
List (in detail) of volumes which are available to manage.
- GET
volume_extension:volume_manageDefault: rule:admin_apiOperations: - POST
/manageable_volumes
Manage existing volumes.
- POST
volume_extension:volume_unmanageDefault: rule:admin_apiOperations: - POST
/volumes/{volume_id}/action (os-unmanage)
Stop managing a volume.
- POST
volume_extension:types_manageDefault: rule:admin_apiOperations: - POST
/types - PUT
/types - DELETE
/types
Create, update and delete volume type.
- POST
volume_extension:type_getDefault: <empty string>
Operations: - GET
/types/{type_id}
Get one specific volume type.
- GET
volume_extension:type_get_allDefault: <empty string>
Operations: - GET
/types/
List volume types.
- GET
volume_extension:volume_type_encryptionDefault: rule:admin_apiOperations: - POST
/types/{type_id}/encryption - PUT
/types/{type_id}/encryption/{encryption_id} - GET
/types/{type_id}/encryption - GET
/types/{type_id}/encryption/{encryption_id} - DELETE
/types/{type_id}/encryption/{encryption_id}
List, show, create, update and delete volume type encryption.
- POST
volume_extension:access_types_extra_specsDefault: rule:admin_apiOperations: - GET
/types/{type_id} - GET
/types
List or show volume type with access type extra specs attribute.
- GET
volume_extension:access_types_qos_specs_idDefault: rule:admin_apiOperations: - GET
/types/{type_id} - GET
/types
List or show volume type with access type qos specs id attribute.
- GET
volume_extension:volume_type_accessDefault: rule:admin_or_ownerOperations: - GET
/types - GET
/types/detail - GET
/types/{type_id} - POST
/types
Volume type access related APIs.
- GET
volume_extension:volume_type_access:addProjectAccessDefault: rule:admin_apiOperations: - POST
/types/{type_id}/action (addProjectAccess)
Add volume type access for project.
- POST
volume_extension:volume_type_access:removeProjectAccessDefault: rule:admin_apiOperations: - POST
/types/{type_id}/action (removeProjectAccess)
Remove volume type access for project.
- POST
volume:extendDefault: rule:admin_or_ownerOperations: - POST
/volumes/{volume_id}/action (os-extend)
Extend a volume.
- POST
volume:extend_attached_volumeDefault: rule:admin_or_ownerOperations: - POST
/volumes/{volume_id}/action (os-extend)
Extend a attached volume.
- POST
volume:revert_to_snapshotDefault: rule:admin_or_ownerOperations: - POST
/volumes/{volume_id}/action (revert)
Revert a volume to a snapshot.
- POST
volume_extension:volume_admin_actions:reset_statusDefault: rule:admin_apiOperations: - POST
/volumes/{volume_id}/action (os-reset_status)
Reset status of a volume.
- POST
volume:retypeDefault: rule:admin_or_ownerOperations: - POST
/volumes/{volume_id}/action (os-retype)
Retype a volume.
- POST
volume:update_readonly_flagDefault: rule:admin_or_ownerOperations: - POST
/volumes/{volume_id}/action (os-update_readonly_flag)
Update a volume’s readonly flag.
- POST
volume_extension:volume_admin_actions:force_deleteDefault: rule:admin_apiOperations: - POST
/volumes/{volume_id}/action (os-force_delete)
Force delete a volume.
- POST
volume_extension:volume_actions:upload_publicDefault: rule:admin_apiOperations: - POST
/volumes/{volume_id}/action (os-volume_upload_image)
Upload a volume to image with public visibility.
- POST
volume_extension:volume_actions:upload_imageDefault: rule:admin_or_ownerOperations: - POST
/volumes/{volume_id}/action (os-volume_upload_image)
Upload a volume to image.
- POST
volume_extension:volume_admin_actions:force_detachDefault: rule:admin_apiOperations: - POST
/volumes/{volume_id}/action (os-force_detach)
Force detach a volume.
- POST
volume_extension:volume_admin_actions:migrate_volumeDefault: rule:admin_apiOperations: - POST
/volumes/{volume_id}/action (os-migrate_volume)
migrate a volume to a specified host.
- POST
volume_extension:volume_admin_actions:migrate_volume_completionDefault: rule:admin_apiOperations: - POST
/volumes/{volume_id}/action (os-migrate_volume_completion)
Complete a volume migration.
- POST
volume_extension:volume_actions:initialize_connectionDefault: rule:admin_or_ownerOperations: - POST
/volumes/{volume_id}/action (os-initialize_connection)
Initialize volume attachment.
- POST
volume_extension:volume_actions:terminate_connectionDefault: rule:admin_or_ownerOperations: - POST
/volumes/{volume_id}/action (os-terminate_connection)
Terminate volume attachment.
- POST
volume_extension:volume_actions:roll_detachingDefault: rule:admin_or_ownerOperations: - POST
/volumes/{volume_id}/action (os-roll_detaching)
Roll back volume status to ‘in-use’.
- POST
volume_extension:volume_actions:reserveDefault: rule:admin_or_ownerOperations: - POST
/volumes/{volume_id}/action (os-reserve)
Mark volume as reserved.
- POST
volume_extension:volume_actions:unreserveDefault: rule:admin_or_ownerOperations: - POST
/volumes/{volume_id}/action (os-unreserve)
Unmark volume as reserved.
- POST
volume_extension:volume_actions:begin_detachingDefault: rule:admin_or_ownerOperations: - POST
/volumes/{volume_id}/action (os-begin_detaching)
Begin detach volumes.
- POST
volume_extension:volume_actions:attachDefault: rule:admin_or_ownerOperations: - POST
/volumes/{volume_id}/action (os-attach)
Add attachment metadata.
- POST
volume_extension:volume_actions:detachDefault: rule:admin_or_ownerOperations: - POST
/volumes/{volume_id}/action (os-detach)
Clear attachment metadata.
- POST
volume:get_all_transfersDefault: rule:admin_or_ownerOperations: - GET
/os-volume-transfer - GET
/os-volume-transfer/detail - GET
/volume_transfers - GET
/volume-transfers/detail
List volume transfer.
- GET
volume:create_transferDefault: rule:admin_or_ownerOperations: - POST
/os-volume-transfer - POST
/volume_transfers
Create a volume transfer.
- POST
volume:get_transferDefault: rule:admin_or_ownerOperations: - GET
/os-volume-transfer/{transfer_id} - GET
/volume-transfers/{transfer_id}
Show one specified volume transfer.
- GET
volume:accept_transferDefault: <empty string>
Operations: - POST
/os-volume-transfer/{transfer_id}/accept - POST
/volume-transfers/{transfer_id}/accept
Accept a volume transfer.
- POST
volume:delete_transferDefault: rule:admin_or_ownerOperations: - DELETE
/os-volume-transfer/{transfer_id} - DELETE
/volume-transfers/{transfer_id}
Delete volume transfer.
- DELETE
volume:get_volume_metadataDefault: rule:admin_or_ownerOperations: - GET
/volumes/{volume_id}/metadata - GET
/volumes/{volume_id}/metadata/{key}
Show volume’s metadata or one specified metadata with a given key.
- GET
volume:create_volume_metadataDefault: rule:admin_or_ownerOperations: - POST
/volumes/{volume_id}/metadata
Create volume metadata.
- POST
volume:update_volume_metadataDefault: rule:admin_or_ownerOperations: - PUT
/volumes/{volume_id}/metadata - PUT
/volumes/{volume_id}/metadata/{key}
Update volume’s metadata or one specified metadata with a given key.
- PUT
volume:delete_volume_metadataDefault: rule:admin_or_ownerOperations: - DELETE
/volumes/{volume_id}/metadata/{key}
Delete volume’s specified metadata with a given key.
- DELETE
volume_extension:volume_image_metadataDefault: rule:admin_or_ownerOperations: - GET
/volumes/detail - GET
/volumes/{volume_id} - POST
/volumes/{volume_id}/action (os-set_image_metadata) - POST
/volumes/{volume_id}/action (os-unset_image_metadata)
Volume’s image metadata related operation, create, delete, show and list.
- GET
volume:update_volume_admin_metadataDefault: rule:admin_apiOperations: - POST
/volumes/{volume_id}/action (os-update_readonly_flag) - POST
/volumes/{volume_id}/action (os-attach)
Update volume admin metadata. It’s used in attach and os-update_readonly_flag APIs
- POST
volume_extension:types_extra_specs:indexDefault: rule:admin_apiOperations: - GET
/types/{type_id}/extra_specs
List type extra specs.
- GET
volume_extension:types_extra_specs:createDefault: rule:admin_apiOperations: - POST
/types/{type_id}/extra_specs
Create type extra specs.
- POST
volume_extension:types_extra_specs:showDefault: rule:admin_apiOperations: - GET
/types/{type_id}/extra_specs/{extra_spec_key}
Show one specified type extra specs.
- GET
volume_extension:types_extra_specs:updateDefault: rule:admin_apiOperations: - PUT
/types/{type_id}/extra_specs/{extra_spec_key}
Update type extra specs.
- PUT
volume_extension:types_extra_specs:deleteDefault: rule:admin_apiOperations: - DELETE
/types/{type_id}/extra_specs/{extra_spec_key}
Delete type extra specs.
- DELETE
volume:createDefault: <empty string>
Operations: - POST
/volumes
Create volume.
- POST
volume:create_from_imageDefault: <empty string>
Operations: - POST
/volumes
Create volume from image.
- POST
volume:getDefault: rule:admin_or_ownerOperations: - GET
/volumes/{volume_id}
Show volume.
- GET
volume:get_allDefault: rule:admin_or_ownerOperations: - GET
/volumes - GET
/volumes/detail - GET
/volumes/summary
List volumes or get summary of volumes.
- GET
volume:updateDefault: rule:admin_or_ownerOperations: - PUT
/volumes - POST
/volumes/{volume_id}/action (os-set_bootable)
Update volume or update a volume’s bootable status.
- PUT
volume:deleteDefault: rule:admin_or_ownerOperations: - DELETE
/volumes/{volume_id}
Delete volume.
- DELETE
volume:force_deleteDefault: rule:admin_apiOperations: - DELETE
/volumes/{volume_id}
Force Delete a volume.
- DELETE
volume_extension:volume_host_attributeDefault: rule:admin_apiOperations: - GET
/volumes/{volume_id} - GET
/volumes/detail
List or show volume with host attribute.
- GET
volume_extension:volume_tenant_attributeDefault: rule:admin_or_ownerOperations: - GET
/volumes/{volume_id} - GET
/volumes/detail
List or show volume with tenant attribute.
- GET
volume_extension:volume_mig_status_attributeDefault: rule:admin_apiOperations: - GET
/volumes/{volume_id} - GET
/volumes/detail
List or show volume with migration status attribute.
- GET
volume_extension:volume_encryption_metadataDefault: rule:admin_or_ownerOperations: - GET
/volumes/{volume_id}/encryption - GET
/volumes/{volume_id}/encryption/{encryption_key}
Show volume’s encryption metadata.
- GET
volume:multiattachDefault: rule:admin_or_ownerOperations: - POST
/volumes
Create multiattach capable volume.
- POST
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.