Policy configuration¶

Configuration¶

The following is an overview of all available policies in Cinder. For information on how to write a custom policy file to modify these policies, see policy.yaml in the Cinder configuration documentation.

cinder¶

context_is_admin

Default: role:admin

Decides what is required for the ‘is_admin:True’ check to succeed.

admin_or_owner

Default: is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s

Default rule for most non-Admin APIs.

admin_api

Default: is_admin:True or (role:admin and is_admin_project:True)

Default rule for most Admin APIs.

system_or_domain_or_project_admin

Default: (role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s) or (role:admin and project_id:%(project_id)s)

Default rule for admins of cloud, domain or a project.

volume:attachment_create

Default

Operations

POST /attachments

Create attachment.

volume:attachment_update

Default

rule:admin_or_owner

Operations

PUT /attachments/{attachment_id}

Update attachment.

volume:attachment_delete

Default

rule:admin_or_owner

Operations

DELETE /attachments/{attachment_id}

Delete attachment.

volume:attachment_complete

Default

rule:admin_or_owner

Operations

POST /attachments/{attachment_id}/action (os-complete)

Mark a volume attachment process as completed (in-use)

volume:multiattach_bootable_volume

Default

rule:admin_or_owner

Operations

POST /attachments

Allow multiattach of bootable volumes.

message:get_all

Default

rule:admin_or_owner

Operations

GET /messages

List messages.

message:get

Default

rule:admin_or_owner

Operations

GET /messages/{message_id}

Show message.

message:delete

Default

rule:admin_or_owner

Operations

DELETE /messages/{message_id}

Delete message.

clusters:get_all

Default

rule:admin_api

Operations

GET /clusters
GET /clusters/detail

List clusters.

clusters:get

Default

rule:admin_api

Operations

GET /clusters/{cluster_id}

Show cluster.

clusters:update

Default

rule:admin_api

Operations

PUT /clusters/{cluster_id}

Update cluster.

workers:cleanup

Default

rule:admin_api

Operations

POST /workers/cleanup

Clean up workers.

volume:get_snapshot_metadata

Default

rule:admin_or_owner

Operations

GET /snapshots/{snapshot_id}/metadata
GET /snapshots/{snapshot_id}/metadata/{key}

Show snapshot’s metadata or one specified metadata with a given key.

volume:update_snapshot_metadata

Default

rule:admin_or_owner

Operations

PUT /snapshots/{snapshot_id}/metadata
PUT /snapshots/{snapshot_id}/metadata/{key}

Update snapshot’s metadata or one specified metadata with a given key.

volume:delete_snapshot_metadata

Default

rule:admin_or_owner

Operations

DELETE /snapshots/{snapshot_id}/metadata/{key}

Delete snapshot’s specified metadata with a given key.

volume:get_all_snapshots

Default

rule:admin_or_owner

Operations

GET /snapshots
GET /snapshots/detail

List snapshots.

volume_extension:extended_snapshot_attributes

Default

rule:admin_or_owner

Operations

GET /snapshots/{snapshot_id}
GET /snapshots/detail

List or show snapshots with extended attributes.

volume:create_snapshot

Default

rule:admin_or_owner

Operations

POST /snapshots

Create snapshot.

volume:get_snapshot

Default

rule:admin_or_owner

Operations

GET /snapshots/{snapshot_id}

Show snapshot.

volume:update_snapshot

Default

rule:admin_or_owner

Operations

PUT /snapshots/{snapshot_id}

Update snapshot.

volume:delete_snapshot

Default

rule:admin_or_owner

Operations

DELETE /snapshots/{snapshot_id}

Delete snapshot.

volume_extension:snapshot_admin_actions:reset_status

Default

rule:admin_api

Operations

POST /snapshots/{snapshot_id}/action (os-reset_status)

Reset status of a snapshot.

snapshot_extension:snapshot_actions:update_snapshot_status

Default

Operations

POST /snapshots/{snapshot_id}/action (update_snapshot_status)

Update database fields of snapshot.

volume_extension:snapshot_admin_actions:force_delete

Default

rule:admin_api

Operations

POST /snapshots/{snapshot_id}/action (os-force_delete)

Force delete a snapshot.

snapshot_extension:list_manageable

Default

rule:admin_api

Operations

GET /manageable_snapshots
GET /manageable_snapshots/detail

List (in detail) of snapshots which are available to manage.

snapshot_extension:snapshot_manage

Default

rule:admin_api

Operations

POST /manageable_snapshots

Manage an existing snapshot.

snapshot_extension:snapshot_unmanage

Default

rule:admin_api

Operations

POST /snapshots/{snapshot_id}/action (os-unmanage)

Stop managing a snapshot.

backup:get_all

Default

rule:admin_or_owner

Operations

GET /backups
GET /backups/detail

List backups.

backup:backup_project_attribute

Default

rule:admin_api

Operations

GET /backups/{backup_id}
GET /backups/detail

List backups or show backup with project attributes.

backup:create

Default

Operations

POST /backups

Create backup.

backup:get

Default

rule:admin_or_owner

Operations

GET /backups/{backup_id}

Show backup.

backup:update

Default

rule:admin_or_owner

Operations

PUT /backups/{backup_id}

Update backup.

backup:delete

Default

rule:admin_or_owner

Operations

DELETE /backups/{backup_id}

Delete backup.

backup:restore

Default

rule:admin_or_owner

Operations

POST /backups/{backup_id}/restore

Restore backup.

backup:backup-import

Default

rule:admin_api

Operations

POST /backups/{backup_id}/import_record

Import backup.

backup:export-import

Default

rule:admin_api

Operations

POST /backups/{backup_id}/export_record

Export backup.

volume_extension:backup_admin_actions:reset_status

Default

rule:admin_api

Operations

POST /backups/{backup_id}/action (os-reset_status)

Reset status of a backup.

volume_extension:backup_admin_actions:force_delete

Default

rule:admin_api

Operations

POST /backups/{backup_id}/action (os-force_delete)

Force delete a backup.

group:get_all

Default

rule:admin_or_owner

Operations

GET /groups
GET /groups/detail

List groups.

group:create

Default

Operations

POST /groups

Create group.

group:get

Default

rule:admin_or_owner

Operations

GET /groups/{group_id}

Show group.

group:update

Default

rule:admin_or_owner

Operations

PUT /groups/{group_id}

Update group.

group:group_project_attribute

Default

rule:admin_api

Operations

GET /groups/{group_id}
GET /groups/detail

List groups or show group with project attributes.

group:group_types_manage

Default

rule:admin_api

Operations

POST /group_types/
PUT /group_types/{group_type_id}
DELETE /group_types/{group_type_id}

Create, update or delete a group type.

group:access_group_types_specs

Default

rule:admin_api

Operations

GET /group_types/{group_type_id}

Show group type with type specs attributes.

group:group_types_specs

Default

rule:admin_api

Operations

GET /group_types/{group_type_id}/group_specs/{g_spec_id}
GET /group_types/{group_type_id}/group_specs
POST /group_types/{group_type_id}/group_specs
PUT /group_types/{group_type_id}/group_specs/{g_spec_id}
DELETE /group_types/{group_type_id}/group_specs/{g_spec_id}

Create, show, update and delete group type spec.

group:get_all_group_snapshots

Default

rule:admin_or_owner

Operations

GET /group_snapshots
GET /group_snapshots/detail

List group snapshots.

group:create_group_snapshot

Default

Operations

POST /group_snapshots

Create group snapshot.

group:get_group_snapshot

Default

rule:admin_or_owner

Operations

GET /group_snapshots/{group_snapshot_id}

Show group snapshot.

group:delete_group_snapshot

Default

rule:admin_or_owner

Operations

DELETE /group_snapshots/{group_snapshot_id}

Delete group snapshot.

group:update_group_snapshot

Default

rule:admin_or_owner

Operations

PUT /group_snapshots/{group_snapshot_id}

Update group snapshot.

group:group_snapshot_project_attribute

Default

rule:admin_api

Operations

GET /group_snapshots/{group_snapshot_id}
GET /group_snapshots/detail

List group snapshots or show group snapshot with project attributes.

group:reset_group_snapshot_status

Default

rule:admin_api

Operations

POST /group_snapshots/{g_snapshot_id}/action (reset_status)

Reset status of group snapshot.

group:delete

Default

rule:admin_or_owner

Operations

POST /groups/{group_id}/action (delete)

Delete group.

group:reset_status

Default

rule:admin_api

Operations

POST /groups/{group_id}/action (reset_status)

Reset status of group.

group:enable_replication

Default

rule:admin_or_owner

Operations

POST /groups/{group_id}/action (enable_replication)

Enable replication.

group:disable_replication

Default

rule:admin_or_owner

Operations

POST /groups/{group_id}/action (disable_replication)

Disable replication.

group:failover_replication

Default

rule:admin_or_owner

Operations

POST /groups/{group_id}/action (failover_replication)

Fail over replication.

group:list_replication_targets

Default

rule:admin_or_owner

Operations

POST /groups/{group_id}/action (list_replication_targets)

List failover replication.

volume_extension:qos_specs_manage:get_all

Default

rule:admin_api

Operations

GET /qos-specs
GET /qos-specs/{qos_id}/associations

List qos specs or list all associations.

volume_extension:qos_specs_manage:get

Default

rule:admin_api

Operations

GET /qos-specs/{qos_id}

Show qos specs.

volume_extension:qos_specs_manage:create

Default

rule:admin_api

Operations

POST /qos-specs

Create qos specs.

volume_extension:qos_specs_manage:update

Default

rule:admin_api

Operations

PUT /qos-specs/{qos_id}
GET /qos-specs/{qos_id}/disassociate_all
GET /qos-specs/{qos_id}/associate
GET /qos-specs/{qos_id}/disassociate

Update qos specs (including updating association).

volume_extension:qos_specs_manage:delete

Default

rule:admin_api

Operations

DELETE /qos-specs/{qos_id}
PUT /qos-specs/{qos_id}/delete_keys

delete qos specs or unset one specified qos key.

volume_extension:quota_classes

Default

rule:admin_api

Operations

GET /os-quota-class-sets/{project_id}
PUT /os-quota-class-sets/{project_id}

Show or update project quota class.

volume_extension:quotas:show

Default

rule:admin_or_owner

Operations

GET /os-quota-sets/{project_id}
GET /os-quota-sets/{project_id}/default
GET /os-quota-sets/{project_id}?usage=True

Show project quota (including usage and default).

volume_extension:quotas:update

Default

rule:admin_api

Operations

PUT /os-quota-sets/{project_id}

Update project quota.

volume_extension:quotas:delete

Default

rule:admin_api

Operations

DELETE /os-quota-sets/{project_id}

Delete project quota.

volume_extension:capabilities

Default

rule:admin_api

Operations

GET /capabilities/{host_name}

Show backend capabilities.

volume_extension:services:index

Default

rule:admin_api

Operations

GET /os-services

List all services.

volume_extension:services:update

Default

rule:admin_api

Operations

PUT /os-services/{action}

Update service, including failover_host, thaw, freeze, disable, enable, set-log and get-log actions.

volume:freeze_host

Default

rule:admin_api

Operations

PUT /os-services/freeze

Freeze a backend host.

volume:thaw_host

Default

rule:admin_api

Operations

PUT /os-services/thaw

Thaw a backend host.

volume:failover_host

Default

rule:admin_api

Operations

PUT /os-services/failover_host

Failover a backend host.

scheduler_extension:scheduler_stats:get_pools

Default

rule:admin_api

Operations

GET /scheduler-stats/get_pools

List all backend pools.

volume_extension:hosts

Default

rule:admin_api

Operations

GET /os-hosts
PUT /os-hosts/{host_name}
GET /os-hosts/{host_id}

List, update or show hosts for a project.

limits_extension:used_limits

Default

rule:admin_or_owner

Operations

GET /limits

Show limits with used limit attributes.

volume_extension:list_manageable

Default

rule:admin_api

Operations

GET /manageable_volumes
GET /manageable_volumes/detail

List (in detail) of volumes which are available to manage.

volume_extension:volume_manage

Default

rule:admin_api

Operations

POST /manageable_volumes

Manage existing volumes.

volume_extension:volume_unmanage

Default

rule:admin_api

Operations

POST /volumes/{volume_id}/action (os-unmanage)

Stop managing a volume.

volume_extension:types_manage

Default

rule:admin_api

Operations

POST /types
PUT /types
DELETE /types

Create, update and delete volume type.

volume_extension:type_get

Default

Operations

GET /types/{type_id}

Get one specific volume type.

volume_extension:type_get_all

Default

Operations

GET /types/

List volume types.

volume_extension:volume_type_encryption

Default

rule:admin_api

Operations

POST /types/{type_id}/encryption
PUT /types/{type_id}/encryption/{encryption_id}
GET /types/{type_id}/encryption
GET /types/{type_id}/encryption/{key}
DELETE /types/{type_id}/encryption/{encryption_id}

Base policy for all volume type encryption type operations. This can be used to set the policies for a volume type’s encryption type create, show, update, and delete actions in one place, or any of those may be set individually using the following policy targets for finer grained control.

volume_extension:volume_type_encryption:create

Default

rule:volume_extension:volume_type_encryption

Operations

POST /types/{type_id}/encryption

Create volume type encryption.

volume_extension:volume_type_encryption:get

Default

rule:volume_extension:volume_type_encryption

Operations

GET /types/{type_id}/encryption
GET /types/{type_id}/encryption/{key}

Show a volume type’s encryption type, show an encryption specs item.

volume_extension:volume_type_encryption:update

Default

rule:volume_extension:volume_type_encryption

Operations

PUT /types/{type_id}/encryption/{encryption_id}

Update volume type encryption.

volume_extension:volume_type_encryption:delete

Default

rule:volume_extension:volume_type_encryption

Operations

DELETE /types/{type_id}/encryption/{encryption_id}

Delete volume type encryption.

volume_extension:access_types_extra_specs

Default

rule:admin_api

Operations

GET /types/{type_id}
GET /types

List or show volume type with access type extra specs attribute.

volume_extension:access_types_qos_specs_id

Default

rule:admin_api

Operations

GET /types/{type_id}
GET /types

List or show volume type with access type qos specs id attribute.

volume_extension:volume_type_access

Default

rule:admin_or_owner

Operations

GET /types
GET /types/detail
GET /types/{type_id}
POST /types

Volume type access related APIs.

volume_extension:volume_type_access:addProjectAccess

Default

rule:admin_api

Operations

POST /types/{type_id}/action (addProjectAccess)

Add volume type access for project.

volume_extension:volume_type_access:removeProjectAccess

Default

rule:admin_api

Operations

POST /types/{type_id}/action (removeProjectAccess)

Remove volume type access for project.

volume:extend

Default

rule:admin_or_owner

Operations

POST /volumes/{volume_id}/action (os-extend)

Extend a volume.

volume:extend_attached_volume

Default

rule:admin_or_owner

Operations

POST /volumes/{volume_id}/action (os-extend)

Extend a attached volume.

volume:revert_to_snapshot

Default

rule:admin_or_owner

Operations

POST /volumes/{volume_id}/action (revert)

Revert a volume to a snapshot.

volume_extension:volume_admin_actions:reset_status

Default

rule:admin_api

Operations

POST /volumes/{volume_id}/action (os-reset_status)

Reset status of a volume.

volume:retype

Default

rule:admin_or_owner

Operations

POST /volumes/{volume_id}/action (os-retype)

Retype a volume.

volume:update_readonly_flag

Default

rule:admin_or_owner

Operations

POST /volumes/{volume_id}/action (os-update_readonly_flag)

Update a volume’s readonly flag.

volume_extension:volume_admin_actions:force_delete

Default

rule:admin_api

Operations

POST /volumes/{volume_id}/action (os-force_delete)

Force delete a volume.

volume_extension:volume_actions:upload_public

Default

rule:admin_api

Operations

POST /volumes/{volume_id}/action (os-volume_upload_image)

Upload a volume to image with public visibility.

volume_extension:volume_actions:upload_image

Default

rule:admin_or_owner

Operations

POST /volumes/{volume_id}/action (os-volume_upload_image)

Upload a volume to image.

volume_extension:volume_admin_actions:force_detach

Default

rule:admin_api

Operations

POST /volumes/{volume_id}/action (os-force_detach)

Force detach a volume.

volume_extension:volume_admin_actions:migrate_volume

Default

rule:admin_api

Operations

POST /volumes/{volume_id}/action (os-migrate_volume)

migrate a volume to a specified host.

volume_extension:volume_admin_actions:migrate_volume_completion

Default

rule:admin_api

Operations

POST /volumes/{volume_id}/action (os-migrate_volume_completion)

Complete a volume migration.

volume_extension:volume_actions:initialize_connection

Default

rule:admin_or_owner

Operations

POST /volumes/{volume_id}/action (os-initialize_connection)

Initialize volume attachment.

volume_extension:volume_actions:terminate_connection

Default

rule:admin_or_owner

Operations

POST /volumes/{volume_id}/action (os-terminate_connection)

Terminate volume attachment.

volume_extension:volume_actions:roll_detaching

Default

rule:admin_or_owner

Operations

POST /volumes/{volume_id}/action (os-roll_detaching)

Roll back volume status to ‘in-use’.

volume_extension:volume_actions:reserve

Default

rule:admin_or_owner

Operations

POST /volumes/{volume_id}/action (os-reserve)

Mark volume as reserved.

volume_extension:volume_actions:unreserve

Default

rule:admin_or_owner

Operations

POST /volumes/{volume_id}/action (os-unreserve)

Unmark volume as reserved.

volume_extension:volume_actions:begin_detaching

Default

rule:admin_or_owner

Operations

POST /volumes/{volume_id}/action (os-begin_detaching)

Begin detach volumes.

volume_extension:volume_actions:attach

Default

rule:admin_or_owner

Operations

POST /volumes/{volume_id}/action (os-attach)

Add attachment metadata.

volume_extension:volume_actions:detach

Default

rule:admin_or_owner

Operations

POST /volumes/{volume_id}/action (os-detach)

Clear attachment metadata.

volume:get_all_transfers

Default

rule:admin_or_owner

Operations

GET /os-volume-transfer
GET /os-volume-transfer/detail
GET /volume_transfers
GET /volume-transfers/detail

List volume transfer.

volume:create_transfer

Default

rule:admin_or_owner

Operations

POST /os-volume-transfer
POST /volume_transfers

Create a volume transfer.

volume:get_transfer

Default

rule:admin_or_owner

Operations

GET /os-volume-transfer/{transfer_id}
GET /volume-transfers/{transfer_id}

Show one specified volume transfer.

volume:accept_transfer

Default

Operations

POST /os-volume-transfer/{transfer_id}/accept
POST /volume-transfers/{transfer_id}/accept

Accept a volume transfer.

volume:delete_transfer

Default

rule:admin_or_owner

Operations

DELETE /os-volume-transfer/{transfer_id}
DELETE /volume-transfers/{transfer_id}

Delete volume transfer.

volume:get_volume_metadata

Default

rule:admin_or_owner

Operations

GET /volumes/{volume_id}/metadata
GET /volumes/{volume_id}/metadata/{key}

Show volume’s metadata or one specified metadata with a given key.

volume:create_volume_metadata

Default

rule:admin_or_owner

Operations

POST /volumes/{volume_id}/metadata

Create volume metadata.

volume:update_volume_metadata

Default

rule:admin_or_owner

Operations

PUT /volumes/{volume_id}/metadata
PUT /volumes/{volume_id}/metadata/{key}

Update volume’s metadata or one specified metadata with a given key.

volume:delete_volume_metadata

Default

rule:admin_or_owner

Operations

DELETE /volumes/{volume_id}/metadata/{key}

Delete volume’s specified metadata with a given key.

volume_extension:volume_image_metadata

Default

rule:admin_or_owner

Operations

GET /volumes/detail
GET /volumes/{volume_id}
POST /volumes/{volume_id}/action (os-set_image_metadata)
POST /volumes/{volume_id}/action (os-unset_image_metadata)

Volume’s image metadata related operation, create, delete, show and list.

volume:update_volume_admin_metadata

Default

rule:admin_api

Operations

POST /volumes/{volume_id}/action (os-update_readonly_flag)
POST /volumes/{volume_id}/action (os-attach)

Update volume admin metadata. It’s used in attach and os-update_readonly_flag APIs

volume_extension:types_extra_specs:index

Default

rule:admin_api

Operations

GET /types/{type_id}/extra_specs

List type extra specs.

volume_extension:types_extra_specs:create

Default

rule:admin_api

Operations

POST /types/{type_id}/extra_specs

Create type extra specs.

volume_extension:types_extra_specs:show

Default

rule:admin_api

Operations

GET /types/{type_id}/extra_specs/{extra_spec_key}

Show one specified type extra specs.

volume_extension:types_extra_specs:update

Default

rule:admin_api

Operations

PUT /types/{type_id}/extra_specs/{extra_spec_key}

Update type extra specs.

volume_extension:types_extra_specs:delete

Default

rule:admin_api

Operations

DELETE /types/{type_id}/extra_specs/{extra_spec_key}

Delete type extra specs.

volume:create

Default

Operations

POST /volumes

Create volume.

volume:create_from_image

Default

Operations

POST /volumes

Create volume from image.

volume:get

Default

rule:admin_or_owner

Operations

GET /volumes/{volume_id}

Show volume.

volume:get_all

Default

rule:admin_or_owner

Operations

GET /volumes
GET /volumes/detail
GET /volumes/summary

List volumes or get summary of volumes.

volume:update

Default

rule:admin_or_owner

Operations

PUT /volumes
POST /volumes/{volume_id}/action (os-set_bootable)

Update volume or update a volume’s bootable status.

volume:delete

Default

rule:admin_or_owner

Operations

DELETE /volumes/{volume_id}

Delete volume.

volume:force_delete

Default

rule:admin_api

Operations

DELETE /volumes/{volume_id}

Force Delete a volume.

volume_extension:volume_host_attribute

Default

rule:admin_api

Operations

GET /volumes/{volume_id}
GET /volumes/detail

List or show volume with host attribute.

volume_extension:volume_tenant_attribute

Default

rule:admin_or_owner

Operations

GET /volumes/{volume_id}
GET /volumes/detail

List or show volume with tenant attribute.

volume_extension:volume_mig_status_attribute

Default

rule:admin_api

Operations

GET /volumes/{volume_id}
GET /volumes/detail

List or show volume with migration status attribute.

volume_extension:volume_encryption_metadata

Default

rule:admin_or_owner

Operations

GET /volumes/{volume_id}/encryption
GET /volumes/{volume_id}/encryption/{encryption_key}

Show volume’s encryption metadata.

volume:multiattach

Default

rule:admin_or_owner

Operations

POST /volumes

Create multiattach capable volume.

volume_extension:default_set_or_update

Default

rule:system_or_domain_or_project_admin

Operations

PUT /default-types

Scope Types

system

Set or update default volume type.

volume_extension:default_get

Default

rule:system_or_domain_or_project_admin

Operations

GET /default-types/{project-id}

Scope Types

system

Get default types.

volume_extension:default_get_all

Default

role:admin and system_scope:all

Operations

GET /default-types/

Scope Types

system

Get all default types. WARNING: Changing this might open up too much information regarding cloud deployment.

volume_extension:default_unset

Default

rule:system_or_domain_or_project_admin

Operations

DELETE /default-types/{project-id}

Scope Types

system

Unset default type.

Policy configuration

Policy configuration¶

Configuration¶

cinder¶

cinder 18.2.2.dev20

Page Contents