Cyborg Sample Policy
The following is a sample cyborg policy file that has been auto-generated from the default policy values in code. If you're using the default policies, this file does not need to be maintained and should not be copied into a deployment; doing so will result in duplicate policy definitions. It is here to help explain which policy operations protect specific cyborg APIs. Copy entries from it into a deployment only if you plan to provide a policy for an operation that differs from the default.
If you wish to build a policy file, you can also use tox -e genpolicy to generate it.
The sample policy file can also be downloaded in file form.
# Sample of cyborg's default policy rules. Every rule below is commented out:
# the values shown are the defaults, so uncomment an entry only when it is
# being overridden with a different rule.

# Legacy rule for cloud admin access
# NOTE(review): matches on role name only; this rule itself checks no project
# or system scope, so confirm who holds these roles before relying on it.
#"admin_api": "role:admin or role:administrator"
# Internal flag for public API routes
#"public_api": "is_public_api:True"
# any access will be passed
# NOTE(review): "@" always passes, so every operation below that references
# rule:allow is unrestricted at the policy layer.
#"allow": "@"
# all access will be forbidden
#"deny": "!"
# Full read/write API access
#"is_admin": "rule:admin_api"
# Admin or owner API access
# NOTE(review): "is_admin:True" looks like a check on the is_admin attribute
# of the request credentials, not a reference to the "is_admin" rule above
# (that would be written rule:is_admin) - confirm how the API sets it.
#"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
# Admin or user API access
#"admin_or_user": "is_admin:True or user_id:%(user_id)s"
# Default API access rule
# Operations that reference rule:default resolve to admin_or_owner.
#"default": "rule:admin_or_owner"
# Show fpga detail
#"cyborg:fpga:get_one": "rule:allow"
# Retrieve all fpga records
#"cyborg:fpga:get_all": "rule:allow"
# Update fpga records
# NOTE(review): a write operation that defaults to rule:allow. Deployments
# that need to limit who can update fpga records should override this entry
# with a stricter rule (for example rule:is_admin or rule:default).
#"cyborg:fpga:update": "rule:allow"
# Retrieve accelerator request records.
#"cyborg:arq:get_all": "rule:default"
# Get an accelerator request record.
#"cyborg:arq:get_one": "rule:default"
# Create accelerator request records.
# NOTE(review): create defaults to rule:allow while the other arq operations
# use rule:default - confirm that unrestricted creation is intended.
#"cyborg:arq:create": "rule:allow"
# Delete accelerator request records.
#"cyborg:arq:delete": "rule:default"
# Update accelerator request records.
#"cyborg:arq:update": "rule:default"
# Retrieve device_profile records.
#"cyborg:device_profile:get_all": "rule:default"
# Get a device_profile record.
#"cyborg:device_profile:get_one": "rule:default"
# Create device_profile records.
#"cyborg:device_profile:create": "rule:is_admin"
# Delete device_profile records.
# NOTE(review): create requires rule:is_admin but delete uses rule:default
# (admin_or_owner); whether the owner branch can match depends on the target
# carrying a project_id - verify, and tighten to rule:is_admin if deletion
# should be admin-only.
#"cyborg:device_profile:delete": "rule:default"
# Show device detail
#"cyborg:device:get_one": "rule:allow"
# Retrieve all device records
#"cyborg:device:get_all": "rule:allow"
# Show deployable detail
#"cyborg:deployable:get_one": "rule:allow"
# Retrieve all deployable records
#"cyborg:deployable:get_all": "rule:allow"