Policy configuration
Configuration
The following is an overview of all available policies in Cinder. For information on how to write a custom policy file to modify these policies, see policy.yaml in the Cinder configuration documentation. Each entry lists the policy name, its default check string, and the API operations it guards. A default of the form rule:NAME refers to another entry in this list (most non-admin APIs resolve to admin_or_owner, most admin APIs to admin_api), so changing one of the base rules changes every policy that references it. A default shown as <empty string> is a check that always passes: any caller who has authenticated with Keystone may invoke that operation unless the rule is overridden.
cinder
context_is_admin
- Default
role:admin
Decides what is required for the ‘is_admin:True’ check to succeed.
admin_or_owner
- Default
is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s
Default rule for most non-Admin APIs.
admin_api
- Default
is_admin:True or (role:admin and is_admin_project:True)
Default rule for most Admin APIs.
system_or_domain_or_project_admin
- Default
(role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s) or (role:admin and project_id:%(project_id)s)
Default rule for admins of cloud, domain or a project.
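The base rules above are oslo.policy check strings, and every other entry on this page is evaluated with the same grammar. The following is an added example, not Cinder's or oslo.policy's own code: a small evaluator for the subset of that grammar used here (role:, rule:, generic key:value checks with %(attr)s filled in from the target object, @, !, and/or and parentheses). The credentials, targets and the OVERRIDES mapping are constructed for illustration; a real deployment enforces these rules through oslo.policy's Enforcer with the credentials taken from the Keystone token.

```python
"""Added example, not Cinder's or oslo.policy's code: a minimal evaluator for the
check-string grammar used on this page (role:, rule:, key:value with %(attr)s
filled from the target, @, !, and/or, parentheses).  Real deployments use oslo.policy."""
import re

RULES = {  # copied from this page's defaults
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True)"
                      " or project_id:%(project_id)s",
    "system_or_domain_or_project_admin":
        "(role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s)"
        " or (role:admin and project_id:%(project_id)s)",
    "volume:attachment_delete": "rule:admin_or_owner",
    "backup:create": "",  # empty check string: always passes
    "volume_extension:default_set_or_update": "rule:system_or_domain_or_project_admin",
    "volume_extension:default_get_all": "role:admin and system_scope:all",
}
OVERRIDES = {"backup:create": "rule:admin_or_owner"}  # hypothetical policy.yaml override

def _tokenize(check_str):
    # Parentheses are tokens, except inside a %(attr)s substitution.
    return re.findall(r"[()]|(?:%\([^)]*\)s|[^\s()])+", check_str)

def _atom(atom, rules, target, creds, depth):
    # Evaluate one 'kind:match' check against the credentials.
    if atom in ("@", "!"):
        return atom == "@"
    kind, sep, match = atom.partition(":")
    if not sep:
        raise ValueError("malformed check %r" % atom)
    if kind == "rule":
        return enforce(match, rules, target, creds, depth + 1)
    if kind == "role":
        return match.lower() in {r.lower() for r in creds.get("roles", [])}
    try:
        match = match % target  # e.g. %(project_id)s -> target["project_id"]
    except KeyError:
        return False  # target lacks the attribute: deny
    return kind in creds and str(creds[kind]) == match

def _evaluate(tokens, env):
    # Recursive descent; 'and' binds tighter than 'or', as in oslo.policy.
    # Both operands are always evaluated so every token is consumed and validated.
    pos = [0]
    peek = lambda: tokens[pos[0]].lower() if pos[0] < len(tokens) else None
    def take():
        pos[0] += 1
        return tokens[pos[0] - 1]  # IndexError on a truncated check string
    def p_or():
        value = p_and()
        while peek() == "or":
            take()
            value = p_and() or value
        return value
    def p_and():
        value = p_atom()
        while peek() == "and":
            take()
            value = p_atom() and value
        return value
    def p_atom():
        tok = take()
        if tok != "(":
            return _atom(tok, *env)
        value = p_or()
        if take() != ")":
            raise ValueError("missing ')' in check string")
        return value
    result = p_or()
    if peek() is not None:
        raise ValueError("trailing tokens %r" % tokens[pos[0]:])
    return result

def enforce(rule, rules, target, creds, _depth=0):
    """True if `creds` may perform `rule` on `target`; unknown rules deny."""
    if _depth > 16:  # stops rule:a -> rule:b -> rule:a reference loops
        raise RecursionError("rule reference loop at %r" % rule)
    if rule not in rules:
        return False
    tokens = _tokenize(rules[rule])
    return _evaluate(tokens, (rules, target, creds, _depth)) if tokens else True

def make_creds(roles, project_id=None, system_scope=None):
    # Constructed credentials; is_admin derives from context_is_admin, as in Cinder.
    creds = {"roles": roles, "project_id": project_id, "system_scope": system_scope}
    creds["is_admin"] = enforce("context_is_admin", RULES, {}, creds)
    return creds

def demo():
    """Try some of this page's defaults; returns {case: allowed}."""
    owner, stranger = make_creds(["member"], "p1"), make_creds(["member"], "p2")
    p2_admin, sys_admin = make_creds(["admin"], "p2"), make_creds(["admin"], system_scope="all")
    p1, p2, eff = {"project_id": "p1"}, {"project_id": "p2"}, {**RULES, **OVERRIDES}
    return {
        "owner deletes own attachment": enforce("volume:attachment_delete", RULES, p1, owner),
        "stranger deletes p1 attachment": enforce("volume:attachment_delete", RULES, p1, stranger),
        "p2 admin deletes p1 attachment": enforce("volume:attachment_delete", RULES, p1, p2_admin),
        "stranger backup:create, default": enforce("backup:create", RULES, p1, stranger),
        "stranger backup:create, override": enforce("backup:create", eff, p1, stranger),
        "p2 admin sets p2 default type": enforce("volume_extension:default_set_or_update", RULES, p2, p2_admin),
        "p2 admin sets p1 default type": enforce("volume_extension:default_set_or_update", RULES, p1, p2_admin),
        "p2 admin lists all default types": enforce("volume_extension:default_get_all", RULES, {}, p2_admin),
        "system admin lists all default types": enforce("volume_extension:default_get_all", RULES, {}, sys_admin),
    }
```

Two things the output makes visible. First, with these defaults a caller holding role:admin in any project is treated as is_admin, and is_admin:True is the first branch of admin_or_owner, so that caller passes owner checks on every project's resources; only the default-type rules additionally demand system_scope:all or a matching project. Second, an empty check string such as backup:create passes for a member of an unrelated project, and a policy.yaml override is merged over the defaults, so tightening one key leaves every other rule untouched.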
volume:attachment_create
- Default
<empty string>
- Operations
POST
/attachments
Create attachment.
volume:attachment_update
- Default
rule:admin_or_owner
- Operations
PUT
/attachments/{attachment_id}
Update attachment.
volume:attachment_delete
- Default
rule:admin_or_owner
- Operations
DELETE
/attachments/{attachment_id}
Delete attachment.
volume:attachment_complete
- Default
rule:admin_or_owner
- Operations
POST
/attachments/{attachment_id}/action (os-complete)
Mark a volume attachment process as completed (in-use).
volume:multiattach_bootable_volume
- Default
rule:admin_or_owner
- Operations
POST
/attachments
Allow multiattach of bootable volumes.
message:get_all
- Default
rule:admin_or_owner
- Operations
GET
/messages
List messages.
message:get
- Default
rule:admin_or_owner
- Operations
GET
/messages/{message_id}
Show message.
message:delete
- Default
rule:admin_or_owner
- Operations
DELETE
/messages/{message_id}
Delete message.
clusters:get_all
- Default
rule:admin_api
- Operations
GET
/clusters
GET
/clusters/detail
List clusters.
clusters:get
- Default
rule:admin_api
- Operations
GET
/clusters/{cluster_id}
Show cluster.
clusters:update
- Default
rule:admin_api
- Operations
PUT
/clusters/{cluster_id}
Update cluster.
workers:cleanup
- Default
rule:admin_api
- Operations
POST
/workers/cleanup
Clean up workers.
volume:get_snapshot_metadata
- Default
rule:admin_or_owner
- Operations
GET
/snapshots/{snapshot_id}/metadata
GET
/snapshots/{snapshot_id}/metadata/{key}
Show snapshot’s metadata or one specified metadata with a given key.
volume:update_snapshot_metadata
- Default
rule:admin_or_owner
- Operations
PUT
/snapshots/{snapshot_id}/metadata
PUT
/snapshots/{snapshot_id}/metadata/{key}
Update snapshot’s metadata or one specified metadata with a given key.
volume:delete_snapshot_metadata
- Default
rule:admin_or_owner
- Operations
DELETE
/snapshots/{snapshot_id}/metadata/{key}
Delete snapshot’s specified metadata with a given key.
volume:get_all_snapshots
- Default
rule:admin_or_owner
- Operations
GET
/snapshots
GET
/snapshots/detail
List snapshots.
volume_extension:extended_snapshot_attributes
- Default
rule:admin_or_owner
- Operations
GET
/snapshots/{snapshot_id}
GET
/snapshots/detail
List or show snapshots with extended attributes.
volume:create_snapshot
- Default
rule:admin_or_owner
- Operations
POST
/snapshots
Create snapshot.
volume:get_snapshot
- Default
rule:admin_or_owner
- Operations
GET
/snapshots/{snapshot_id}
Show snapshot.
volume:update_snapshot
- Default
rule:admin_or_owner
- Operations
PUT
/snapshots/{snapshot_id}
Update snapshot.
volume:delete_snapshot
- Default
rule:admin_or_owner
- Operations
DELETE
/snapshots/{snapshot_id}
Delete snapshot.
volume_extension:snapshot_admin_actions:reset_status
- Default
rule:admin_api
- Operations
POST
/snapshots/{snapshot_id}/action (os-reset_status)
Reset status of a snapshot.
snapshot_extension:snapshot_actions:update_snapshot_status
- Default
<empty string>
- Operations
POST
/snapshots/{snapshot_id}/action (update_snapshot_status)
Update database fields of snapshot.
volume_extension:snapshot_admin_actions:force_delete
- Default
rule:admin_api
- Operations
POST
/snapshots/{snapshot_id}/action (os-force_delete)
Force delete a snapshot.
snapshot_extension:list_manageable
- Default
rule:admin_api
- Operations
GET
/manageable_snapshots
GET
/manageable_snapshots/detail
List (in detail) snapshots which are available to manage.
snapshot_extension:snapshot_manage
- Default
rule:admin_api
- Operations
POST
/manageable_snapshots
Manage an existing snapshot.
snapshot_extension:snapshot_unmanage
- Default
rule:admin_api
- Operations
POST
/snapshots/{snapshot_id}/action (os-unmanage)
Stop managing a snapshot.
backup:get_all
- Default
rule:admin_or_owner
- Operations
GET
/backups
GET
/backups/detail
List backups.
backup:backup_project_attribute
- Default
rule:admin_api
- Operations
GET
/backups/{backup_id}
GET
/backups/detail
List backups or show backup with project attributes.
backup:create
- Default
<empty string>
- Operations
POST
/backups
Create backup.
backup:get
- Default
rule:admin_or_owner
- Operations
GET
/backups/{backup_id}
Show backup.
backup:update
- Default
rule:admin_or_owner
- Operations
PUT
/backups/{backup_id}
Update backup.
backup:delete
- Default
rule:admin_or_owner
- Operations
DELETE
/backups/{backup_id}
Delete backup.
backup:restore
- Default
rule:admin_or_owner
- Operations
POST
/backups/{backup_id}/restore
Restore backup.
backup:backup-import
- Default
rule:admin_api
- Operations
POST
/backups/{backup_id}/import_record
Import backup.
backup:export-import
- Default
rule:admin_api
- Operations
POST
/backups/{backup_id}/export_record
Export backup.
volume_extension:backup_admin_actions:reset_status
- Default
rule:admin_api
- Operations
POST
/backups/{backup_id}/action (os-reset_status)
Reset status of a backup.
volume_extension:backup_admin_actions:force_delete
- Default
rule:admin_api
- Operations
POST
/backups/{backup_id}/action (os-force_delete)
Force delete a backup.
group:get_all
- Default
rule:admin_or_owner
- Operations
GET
/groups
GET
/groups/detail
List groups.
group:create
- Default
<empty string>
- Operations
POST
/groups
Create group.
group:get
- Default
rule:admin_or_owner
- Operations
GET
/groups/{group_id}
Show group.
group:update
- Default
rule:admin_or_owner
- Operations
PUT
/groups/{group_id}
Update group.
group:group_project_attribute
- Default
rule:admin_api
- Operations
GET
/groups/{group_id}
GET
/groups/detail
List groups or show group with project attributes.
group:group_types_manage
- Default
rule:admin_api
- Operations
POST
/group_types/
PUT
/group_types/{group_type_id}
DELETE
/group_types/{group_type_id}
Create, update or delete a group type.
group:access_group_types_specs
- Default
rule:admin_api
- Operations
GET
/group_types/{group_type_id}
Show group type with type specs attributes.
group:group_types_specs
- Default
rule:admin_api
- Operations
GET
/group_types/{group_type_id}/group_specs/{g_spec_id}
GET
/group_types/{group_type_id}/group_specs
POST
/group_types/{group_type_id}/group_specs
PUT
/group_types/{group_type_id}/group_specs/{g_spec_id}
DELETE
/group_types/{group_type_id}/group_specs/{g_spec_id}
Create, show, update and delete group type spec.
group:get_all_group_snapshots
- Default
rule:admin_or_owner
- Operations
GET
/group_snapshots
GET
/group_snapshots/detail
List group snapshots.
group:create_group_snapshot
- Default
<empty string>
- Operations
POST
/group_snapshots
Create group snapshot.
group:get_group_snapshot
- Default
rule:admin_or_owner
- Operations
GET
/group_snapshots/{group_snapshot_id}
Show group snapshot.
group:delete_group_snapshot
- Default
rule:admin_or_owner
- Operations
DELETE
/group_snapshots/{group_snapshot_id}
Delete group snapshot.
group:update_group_snapshot
- Default
rule:admin_or_owner
- Operations
PUT
/group_snapshots/{group_snapshot_id}
Update group snapshot.
group:group_snapshot_project_attribute
- Default
rule:admin_api
- Operations
GET
/group_snapshots/{group_snapshot_id}
GET
/group_snapshots/detail
List group snapshots or show group snapshot with project attributes.
group:reset_group_snapshot_status
- Default
rule:admin_api
- Operations
POST
/group_snapshots/{g_snapshot_id}/action (reset_status)
Reset status of group snapshot.
group:delete
- Default
rule:admin_or_owner
- Operations
POST
/groups/{group_id}/action (delete)
Delete group.
group:reset_status
- Default
rule:admin_api
- Operations
POST
/groups/{group_id}/action (reset_status)
Reset status of group.
group:enable_replication
- Default
rule:admin_or_owner
- Operations
POST
/groups/{group_id}/action (enable_replication)
Enable replication.
group:disable_replication
- Default
rule:admin_or_owner
- Operations
POST
/groups/{group_id}/action (disable_replication)
Disable replication.
group:failover_replication
- Default
rule:admin_or_owner
- Operations
POST
/groups/{group_id}/action (failover_replication)
Fail over replication.
group:list_replication_targets
- Default
rule:admin_or_owner
- Operations
POST
/groups/{group_id}/action (list_replication_targets)
List replication targets available for failover.
volume_extension:qos_specs_manage:get_all
- Default
rule:admin_api
- Operations
GET
/qos-specs
GET
/qos-specs/{qos_id}/associations
List qos specs or list all associations.
volume_extension:qos_specs_manage:get
- Default
rule:admin_api
- Operations
GET
/qos-specs/{qos_id}
Show qos specs.
volume_extension:qos_specs_manage:create
- Default
rule:admin_api
- Operations
POST
/qos-specs
Create qos specs.
volume_extension:qos_specs_manage:update
- Default
rule:admin_api
- Operations
PUT
/qos-specs/{qos_id}
GET
/qos-specs/{qos_id}/disassociate_all
GET
/qos-specs/{qos_id}/associate
GET
/qos-specs/{qos_id}/disassociate
Update qos specs (including updating association).
volume_extension:qos_specs_manage:delete
- Default
rule:admin_api
- Operations
DELETE
/qos-specs/{qos_id}
PUT
/qos-specs/{qos_id}/delete_keys
Delete qos specs or unset one specified qos key.
volume_extension:quota_classes
- Default
rule:admin_api
- Operations
GET
/os-quota-class-sets/{project_id}
PUT
/os-quota-class-sets/{project_id}
Show or update project quota class.
volume_extension:quotas:show
- Default
rule:admin_or_owner
- Operations
GET
/os-quota-sets/{project_id}
GET
/os-quota-sets/{project_id}/default
GET
/os-quota-sets/{project_id}?usage=True
Show project quota (including usage and default).
volume_extension:quotas:update
- Default
rule:admin_api
- Operations
PUT
/os-quota-sets/{project_id}
Update project quota.
volume_extension:quotas:delete
- Default
rule:admin_api
- Operations
DELETE
/os-quota-sets/{project_id}
Delete project quota.
volume_extension:capabilities
- Default
rule:admin_api
- Operations
GET
/capabilities/{host_name}
Show backend capabilities.
volume_extension:services:index
- Default
rule:admin_api
- Operations
GET
/os-services
List all services.
volume_extension:services:update
- Default
rule:admin_api
- Operations
PUT
/os-services/{action}
Update service, including failover_host, thaw, freeze, disable, enable, set-log and get-log actions.
volume:freeze_host
- Default
rule:admin_api
- Operations
PUT
/os-services/freeze
Freeze a backend host.
volume:thaw_host
- Default
rule:admin_api
- Operations
PUT
/os-services/thaw
Thaw a backend host.
volume:failover_host
- Default
rule:admin_api
- Operations
PUT
/os-services/failover_host
Failover a backend host.
scheduler_extension:scheduler_stats:get_pools
- Default
rule:admin_api
- Operations
GET
/scheduler-stats/get_pools
List all backend pools.
volume_extension:hosts
- Default
rule:admin_api
- Operations
GET
/os-hosts
PUT
/os-hosts/{host_name}
GET
/os-hosts/{host_id}
List, update or show hosts for a project.
limits_extension:used_limits
- Default
rule:admin_or_owner
- Operations
GET
/limits
Show limits with used limit attributes.
volume_extension:list_manageable
- Default
rule:admin_api
- Operations
GET
/manageable_volumes
GET
/manageable_volumes/detail
List (in detail) volumes which are available to manage.
volume_extension:volume_manage
- Default
rule:admin_api
- Operations
POST
/manageable_volumes
Manage existing volumes.
volume_extension:volume_unmanage
- Default
rule:admin_api
- Operations
POST
/volumes/{volume_id}/action (os-unmanage)
Stop managing a volume.
volume_extension:types_manage
- Default
rule:admin_api
- Operations
POST
/types
PUT
/types/{type_id}
DELETE
/types/{type_id}
Create, update and delete volume type.
volume_extension:type_get
- Default
<empty string>
- Operations
GET
/types/{type_id}
Get one specific volume type.
volume_extension:type_get_all
- Default
<empty string>
- Operations
GET
/types/
List volume types.
volume_extension:volume_type_encryption
- Default
rule:admin_api
- Operations
POST
/types/{type_id}/encryption
PUT
/types/{type_id}/encryption/{encryption_id}
GET
/types/{type_id}/encryption
GET
/types/{type_id}/encryption/{key}
DELETE
/types/{type_id}/encryption/{encryption_id}
Base policy for all volume type encryption type operations. This can be used to set the policies for a volume type’s encryption type create, show, update, and delete actions in one place, or any of those may be set individually using the following policy targets for finer grained control.
volume_extension:volume_type_encryption:create
- Default
rule:volume_extension:volume_type_encryption
- Operations
POST
/types/{type_id}/encryption
Create volume type encryption.
volume_extension:volume_type_encryption:get
- Default
rule:volume_extension:volume_type_encryption
- Operations
GET
/types/{type_id}/encryption
GET
/types/{type_id}/encryption/{key}
Show a volume type’s encryption type, show an encryption specs item.
volume_extension:volume_type_encryption:update
- Default
rule:volume_extension:volume_type_encryption
- Operations
PUT
/types/{type_id}/encryption/{encryption_id}
Update volume type encryption.
volume_extension:volume_type_encryption:delete
- Default
rule:volume_extension:volume_type_encryption
- Operations
DELETE
/types/{type_id}/encryption/{encryption_id}
Delete volume type encryption.
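Because the four volume_extension:volume_type_encryption:* policies default to rule:volume_extension:volume_type_encryption, relaxing the base rule relaxes all of them at once, including delete. The policy.yaml fragment below is an added example, not a Cinder default: it assumes an operator wants callers holding a hypothetical reader role to be able to read a volume type's encryption settings while create, update and delete stay admin-only. The first form is the mistake to avoid; the second changes only the read path.

```yaml
# Added example of a policy.yaml override; "reader" is an assumed role name.
# Only keys listed here change; every other policy keeps its default.

# WRONG: relaxing the base rule also relaxes create, update and delete,
# because the three write policies inherit it through rule: references.
# "volume_extension:volume_type_encryption": "rule:admin_api or role:reader"

# RIGHT: leave the base rule (and therefore the write policies) at admin_api
# and open only the read path.
"volume_extension:volume_type_encryption:get": "rule:admin_api or role:reader"
```

After loading such a file, confirm the effect with an admin and a non-admin token: the non-admin GET on /types/{type_id}/encryption should succeed while its DELETE on /types/{type_id}/encryption/{encryption_id} is still rejected.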
volume_extension:access_types_extra_specs
- Default
rule:admin_api
- Operations
GET
/types/{type_id}
GET
/types
List or show volume type with access type extra specs attribute.
volume_extension:access_types_qos_specs_id
- Default
rule:admin_api
- Operations
GET
/types/{type_id}
GET
/types
List or show volume type with access type qos specs id attribute.
volume_extension:volume_type_access
- Default
rule:admin_or_owner
- Operations
GET
/types
GET
/types/detail
GET
/types/{type_id}
POST
/types
Volume type access related APIs.
volume_extension:volume_type_access:addProjectAccess
- Default
rule:admin_api
- Operations
POST
/types/{type_id}/action (addProjectAccess)
Add volume type access for project.
volume_extension:volume_type_access:removeProjectAccess
- Default
rule:admin_api
- Operations
POST
/types/{type_id}/action (removeProjectAccess)
Remove volume type access for project.
volume:extend
- Default
rule:admin_or_owner
- Operations
POST
/volumes/{volume_id}/action (os-extend)
Extend a volume.
volume:extend_attached_volume
- Default
rule:admin_or_owner
- Operations
POST
/volumes/{volume_id}/action (os-extend)
Extend an attached volume.
volume:revert_to_snapshot
- Default
rule:admin_or_owner
- Operations
POST
/volumes/{volume_id}/action (revert)
Revert a volume to a snapshot.
volume_extension:volume_admin_actions:reset_status
- Default
rule:admin_api
- Operations
POST
/volumes/{volume_id}/action (os-reset_status)
Reset status of a volume.
volume:retype
- Default
rule:admin_or_owner
- Operations
POST
/volumes/{volume_id}/action (os-retype)
Retype a volume.
volume:update_readonly_flag
- Default
rule:admin_or_owner
- Operations
POST
/volumes/{volume_id}/action (os-update_readonly_flag)
Update a volume’s readonly flag.
volume_extension:volume_admin_actions:force_delete
- Default
rule:admin_api
- Operations
POST
/volumes/{volume_id}/action (os-force_delete)
Force delete a volume.
volume_extension:volume_actions:upload_public
- Default
rule:admin_api
- Operations
POST
/volumes/{volume_id}/action (os-volume_upload_image)
Upload a volume to image with public visibility.
volume_extension:volume_actions:upload_image
- Default
rule:admin_or_owner
- Operations
POST
/volumes/{volume_id}/action (os-volume_upload_image)
Upload a volume to image.
volume_extension:volume_admin_actions:force_detach
- Default
rule:admin_api
- Operations
POST
/volumes/{volume_id}/action (os-force_detach)
Force detach a volume.
volume_extension:volume_admin_actions:migrate_volume
- Default
rule:admin_api
- Operations
POST
/volumes/{volume_id}/action (os-migrate_volume)
Migrate a volume to a specified host.
volume_extension:volume_admin_actions:migrate_volume_completion
- Default
rule:admin_api
- Operations
POST
/volumes/{volume_id}/action (os-migrate_volume_completion)
Complete a volume migration.
volume_extension:volume_actions:initialize_connection
- Default
rule:admin_or_owner
- Operations
POST
/volumes/{volume_id}/action (os-initialize_connection)
Initialize volume attachment.
volume_extension:volume_actions:terminate_connection
- Default
rule:admin_or_owner
- Operations
POST
/volumes/{volume_id}/action (os-terminate_connection)
Terminate volume attachment.
volume_extension:volume_actions:roll_detaching
- Default
rule:admin_or_owner
- Operations
POST
/volumes/{volume_id}/action (os-roll_detaching)
Roll back volume status to ‘in-use’.
volume_extension:volume_actions:reserve
- Default
rule:admin_or_owner
- Operations
POST
/volumes/{volume_id}/action (os-reserve)
Mark volume as reserved.
volume_extension:volume_actions:unreserve
- Default
rule:admin_or_owner
- Operations
POST
/volumes/{volume_id}/action (os-unreserve)
Unmark volume as reserved.
volume_extension:volume_actions:begin_detaching
- Default
rule:admin_or_owner
- Operations
POST
/volumes/{volume_id}/action (os-begin_detaching)
Begin detaching a volume.
volume_extension:volume_actions:attach
- Default
rule:admin_or_owner
- Operations
POST
/volumes/{volume_id}/action (os-attach)
Add attachment metadata.
volume_extension:volume_actions:detach
- Default
rule:admin_or_owner
- Operations
POST
/volumes/{volume_id}/action (os-detach)
Clear attachment metadata.
volume:get_all_transfers
- Default
rule:admin_or_owner
- Operations
GET
/os-volume-transfer
GET
/os-volume-transfer/detail
GET
/volume-transfers
GET
/volume-transfers/detail
List volume transfers.
volume:create_transfer
- Default
rule:admin_or_owner
- Operations
POST
/os-volume-transfer
POST
/volume-transfers
Create a volume transfer.
volume:get_transfer
- Default
rule:admin_or_owner
- Operations
GET
/os-volume-transfer/{transfer_id}
GET
/volume-transfers/{transfer_id}
Show one specified volume transfer.
volume:accept_transfer
- Default
<empty string>
- Operations
POST
/os-volume-transfer/{transfer_id}/accept
POST
/volume-transfers/{transfer_id}/accept
Accept a volume transfer.
volume:delete_transfer
- Default
rule:admin_or_owner
- Operations
DELETE
/os-volume-transfer/{transfer_id}
DELETE
/volume-transfers/{transfer_id}
Delete volume transfer.
volume:get_volume_metadata
- Default
rule:admin_or_owner
- Operations
GET
/volumes/{volume_id}/metadata
GET
/volumes/{volume_id}/metadata/{key}
Show volume’s metadata or one specified metadata with a given key.
volume:create_volume_metadata
- Default
rule:admin_or_owner
- Operations
POST
/volumes/{volume_id}/metadata
Create volume metadata.
volume:update_volume_metadata
- Default
rule:admin_or_owner
- Operations
PUT
/volumes/{volume_id}/metadata
PUT
/volumes/{volume_id}/metadata/{key}
Update volume’s metadata or one specified metadata with a given key.
volume:delete_volume_metadata
- Default
rule:admin_or_owner
- Operations
DELETE
/volumes/{volume_id}/metadata/{key}
Delete volume’s specified metadata with a given key.
volume_extension:volume_image_metadata
- Default
rule:admin_or_owner
- Operations
GET
/volumes/detail
GET
/volumes/{volume_id}
POST
/volumes/{volume_id}/action (os-set_image_metadata)
POST
/volumes/{volume_id}/action (os-unset_image_metadata)
Volume image metadata operations: create, delete, show and list.
volume:update_volume_admin_metadata
- Default
rule:admin_api
- Operations
POST
/volumes/{volume_id}/action (os-update_readonly_flag)
POST
/volumes/{volume_id}/action (os-attach)
Update volume admin metadata. It is used by the os-attach and os-update_readonly_flag APIs.
volume_extension:types_extra_specs:index
- Default
rule:admin_api
- Operations
GET
/types/{type_id}/extra_specs
List type extra specs.
volume_extension:types_extra_specs:create
- Default
rule:admin_api
- Operations
POST
/types/{type_id}/extra_specs
Create type extra specs.
volume_extension:types_extra_specs:show
- Default
rule:admin_api
- Operations
GET
/types/{type_id}/extra_specs/{extra_spec_key}
Show one specified type extra specs.
volume_extension:types_extra_specs:update
- Default
rule:admin_api
- Operations
PUT
/types/{type_id}/extra_specs/{extra_spec_key}
Update type extra specs.
volume_extension:types_extra_specs:delete
- Default
rule:admin_api
- Operations
DELETE
/types/{type_id}/extra_specs/{extra_spec_key}
Delete type extra specs.
volume:create
- Default
<empty string>
- Operations
POST
/volumes
Create volume.
volume:create_from_image
- Default
<empty string>
- Operations
POST
/volumes
Create volume from image.
volume:get
- Default
rule:admin_or_owner
- Operations
GET
/volumes/{volume_id}
Show volume.
volume:get_all
- Default
rule:admin_or_owner
- Operations
GET
/volumes
GET
/volumes/detail
GET
/volumes/summary
List volumes or get summary of volumes.
volume:update
- Default
rule:admin_or_owner
- Operations
PUT
/volumes/{volume_id}
POST
/volumes/{volume_id}/action (os-set_bootable)
Update volume or update a volume’s bootable status.
volume:delete
- Default
rule:admin_or_owner
- Operations
DELETE
/volumes/{volume_id}
Delete volume.
volume:force_delete
- Default
rule:admin_api
- Operations
DELETE
/volumes/{volume_id}
Force delete a volume.
volume_extension:volume_host_attribute
- Default
rule:admin_api
- Operations
GET
/volumes/{volume_id}
GET
/volumes/detail
List or show volume with host attribute.
volume_extension:volume_tenant_attribute
- Default
rule:admin_or_owner
- Operations
GET
/volumes/{volume_id}
GET
/volumes/detail
List or show volume with tenant attribute.
volume_extension:volume_mig_status_attribute
- Default
rule:admin_api
- Operations
GET
/volumes/{volume_id}
GET
/volumes/detail
List or show volume with migration status attribute.
volume_extension:volume_encryption_metadata
- Default
rule:admin_or_owner
- Operations
GET
/volumes/{volume_id}/encryption
GET
/volumes/{volume_id}/encryption/{encryption_key}
Show volume’s encryption metadata.
volume:multiattach
- Default
rule:admin_or_owner
- Operations
POST
/volumes
Create multiattach capable volume.
volume_extension:default_set_or_update
- Default
rule:system_or_domain_or_project_admin
- Operations
PUT
/default-types/{project-id}
- Scope Types
system
Set or update default volume type.
volume_extension:default_get
- Default
rule:system_or_domain_or_project_admin
- Operations
GET
/default-types/{project-id}
- Scope Types
system
Get default types.
volume_extension:default_get_all
- Default
role:admin and system_scope:all
- Operations
GET
/default-types/
- Scope Types
system
Get all default types. WARNING: relaxing this rule exposes the default volume type of every project, which reveals information about the cloud deployment to callers who are not system-scoped admins.
volume_extension:default_unset
- Default
rule:system_or_domain_or_project_admin
- Operations
DELETE
/default-types/{project-id}
- Scope Types
system
Unset default type.