Policy Documentation

The following is an overview of all available policies in Designate. For a sample configuration file, refer to policy.yaml.

designate

admin
Default

role:admin or is_admin:True

(no description provided)

primary_zone
Default

target.zone_type:SECONDARY

(no description provided)

owner
Default

tenant:%(tenant_id)s

(no description provided)

admin_or_owner
Default

rule:admin or rule:owner

(no description provided)

default
Default

rule:admin_or_owner

(no description provided)

target
Default

tenant:%(target_tenant_id)s

(no description provided)

owner_or_target
Default

rule:target or rule:owner

(no description provided)

admin_or_owner_or_target
Default

rule:owner_or_target or rule:admin

(no description provided)

admin_or_target
Default

rule:admin or rule:target

(no description provided)

zone_primary_or_admin
Default

('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)

(no description provided)

create_blacklist
Default

rule:admin

Operations
  • POST /v2/blacklists

Create blacklist.

find_blacklist
Default

rule:admin

Operations
  • GET /v2/blacklists

Find blacklist.

find_blacklists
Default

rule:admin

Operations
  • GET /v2/blacklists

Find blacklists.

get_blacklist
Default

rule:admin

Operations
  • GET /v2/blacklists/{blacklist_id}

Get blacklist.

update_blacklist
Default

rule:admin

Operations
  • PATCH /v2/blacklists/{blacklist_id}

Update blacklist.

delete_blacklist
Default

rule:admin

Operations
  • DELETE /v2/blacklists/{blacklist_id}

Delete blacklist.

use_blacklisted_zone
Default

rule:admin

Operations
  • POST /v2/zones

Allowed to bypass the blacklist.

all_tenants
Default

rule:admin

Action on all tenants.

edit_managed_records
Default

rule:admin

Edit managed records.

use_low_ttl
Default

rule:admin

Use low TTL.

use_sudo
Default

rule:admin

Accept sudo from user to tenant.

diagnostics_ping
Default

rule:admin

Diagnose ping.

diagnostics_sync_zones
Default

rule:admin

Diagnose sync zones.

diagnostics_sync_zone
Default

rule:admin

Diagnose sync zone.

diagnostics_sync_record
Default

rule:admin

Diagnose sync record.

create_pool
Default

rule:admin

Create pool.

find_pools
Default

rule:admin

Operations
  • GET /v2/pools

Find pool.

find_pool
Default

rule:admin

Operations
  • GET /v2/pools

Find pools.

get_pool
Default

rule:admin

Operations
  • GET /v2/pools/{pool_id}

Get pool.

update_pool
Default

rule:admin

Update pool.

delete_pool
Default

rule:admin

Delete pool.

zone_create_forced_pool
Default

rule:admin

Operations
  • POST /v2/zones

Load and set the pool to the one provided in the Zone attributes.

get_quotas
Default

rule:admin_or_owner

Operations
  • GET /v2/quotas

View Current Project’s Quotas.

get_quota
Default

rule:admin_or_owner

(no description provided)

set_quota
Default

rule:admin

Operations
  • PATCH /v2/quotas/{project_id}

Set Quotas.

reset_quotas
Default

rule:admin

Operations
  • DELETE /v2/quotas/{project_id}

Reset Quotas.

find_records
Default

rule:admin_or_owner

Operations
  • GET /v2/reverse/floatingips/{region}:{floatingip_id}

  • GET /v2/reverse/floatingips

Find records.

count_records
Default

rule:admin_or_owner

(no description provided)

create_recordset
Default

('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)

Operations
  • POST /v2/zones/{zone_id}/recordsets

  • PATCH /v2/reverse/floatingips/{region}:{floatingip_id}

Create Recordset

get_recordsets
Default

rule:admin_or_owner

(no description provided)

get_recordset
Default

rule:admin_or_owner

Operations
  • GET /v2/zones/{zone_id}/recordsets/{recordset_id}

  • DELETE /v2/zones/{zone_id}/recordsets/{recordset_id}

  • PUT /v2/zones/{zone_id}/recordsets/{recordset_id}

Get recordset

update_recordset
Default

('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)

Operations
  • PUT /v2/zones/{zone_id}/recordsets/{recordset_id}

  • PATCH /v2/reverse/floatingips/{region}:{floatingip_id}

Update recordset

delete_recordset
Default

('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)

Operations
  • DELETE /v2/zones/{zone_id}/recordsets/{recordset_id}

Delete RecordSet

count_recordset
Default

rule:admin_or_owner

Count recordsets

find_service_status
Default

rule:admin

Operations
  • GET /v2/service_status/{service_id}

Find a single Service Status

find_service_statuses
Default

rule:admin

Operations
  • GET /v2/service_status

List service statuses.

update_service_status
Default

rule:admin

(no description provided)

find_tenants
Default

rule:admin

Find all Tenants.

get_tenant
Default

rule:admin

Get all Tenants.

count_tenants
Default

rule:admin

Count tenants

create_tld
Default

rule:admin

Operations
  • POST /v2/tlds

Create Tld

find_tlds
Default

rule:admin

Operations
  • GET /v2/tlds

List Tlds

get_tld
Default

rule:admin

Operations
  • GET /v2/tlds/{tld_id}

Show Tld

update_tld
Default

rule:admin

Operations
  • PATCH /v2/tlds/{tld_id}

Update Tld

delete_tld
Default

rule:admin

Operations
  • DELETE /v2/tlds/{tld_id}

Delete Tld

create_tsigkey
Default

rule:admin

Operations
  • POST /v2/tsigkeys

Create Tsigkey

find_tsigkeys
Default

rule:admin

Operations
  • GET /v2/tsigkeys

List Tsigkeys

get_tsigkey
Default

rule:admin

Operations
  • PATCH /v2/tsigkeys/{tsigkey_id}

  • GET /v2/tsigkeys/{tsigkey_id}

Show a Tsigkey

update_tsigkey
Default

rule:admin

Operations
  • PATCH /v2/tsigkeys/{tsigkey_id}

Update Tsigkey

delete_tsigkey
Default

rule:admin

Operations
  • DELETE /v2/tsigkeys/{tsigkey_id}

Delete a Tsigkey

create_zone
Default

rule:admin_or_owner

Operations
  • POST /v2/zones

Create Zone

get_zones
Default

rule:admin_or_owner

(no description provided)

get_zone
Default

rule:admin_or_owner

Operations
  • GET /v2/zones/{zone_id}

  • PATCH /v2/zones/{zone_id}

  • PUT /v2/zones/{zone_id}/recordsets/{recordset_id}

Get Zone

get_zone_servers
Default

rule:admin_or_owner

(no description provided)

find_zones
Default

rule:admin_or_owner

Operations
  • GET /v2/zones

List existing zones

update_zone
Default

rule:admin_or_owner

Operations
  • PATCH /v2/zones/{zone_id}

Update Zone

delete_zone
Default

rule:admin_or_owner

Operations
  • DELETE /v2/zones/{zone_id}

Delete Zone

xfr_zone
Default

rule:admin_or_owner

Operations
  • POST /v2/zones/{zone_id}/tasks/xfr

Manually Trigger an Update of a Secondary Zone

abandon_zone
Default

rule:admin

Operations
  • POST /v2/zones/{zone_id}/tasks/abandon

Abandon Zone

count_zones
Default

rule:admin_or_owner

(no description provided)

count_zones_pending_notify
Default

rule:admin_or_owner

(no description provided)

purge_zones
Default

rule:admin

(no description provided)

touch_zone
Default

rule:admin_or_owner

(no description provided)

zone_export
Default

rule:admin_or_owner

Operations
  • GET /v2/zones/tasks/exports/{zone_export_id}/export

Retrieve a Zone Export from the Designate Datastore

create_zone_export
Default

rule:admin_or_owner

Operations
  • POST /v2/zones/{zone_id}/tasks/export

Create Zone Export

find_zone_exports
Default

rule:admin_or_owner

Operations
  • GET /v2/zones/tasks/exports

List Zone Exports

get_zone_export
Default

rule:admin_or_owner

Operations
  • GET /v2/zones/tasks/exports/{zone_export_id}

  • GET /v2/zones/tasks/exports/{zone_export_id}/export

Get Zone Exports

update_zone_export
Default

rule:admin_or_owner

Operations
  • POST /v2/zones/{zone_id}/tasks/export

Update Zone Exports

create_zone_import
Default

rule:admin_or_owner

Operations
  • POST /v2/zones/tasks/imports

Create Zone Import

find_zone_imports
Default

rule:admin_or_owner

Operations
  • GET /v2/zones/tasks/imports

List all Zone Imports

get_zone_import
Default

rule:admin_or_owner

Operations
  • GET /v2/zones/tasks/imports/{zone_import_id}

Get Zone Imports

update_zone_import
Default

rule:admin_or_owner

Operations
  • POST /v2/zones/tasks/imports

Update Zone Imports

delete_zone_import
Default

rule:admin_or_owner

Operations
  • GET /v2/zones/tasks/imports/{zone_import_id}

Delete a Zone Import

create_zone_transfer_accept
Default

rule:admin_or_owner OR tenant:%(target_tenant_id)s OR None:%(target_tenant_id)s

Operations
  • POST /v2/zones/tasks/transfer_accepts

Create Zone Transfer Accept

get_zone_transfer_accept
Default

rule:admin_or_owner

Operations
  • GET /v2/zones/tasks/transfer_requests/{zone_transfer_accept_id}

Get Zone Transfer Accept

find_zone_transfer_accepts
Default

rule:admin

Operations
  • GET /v2/zones/tasks/transfer_accepts

List Zone Transfer Accepts

find_zone_transfer_accept
Default

rule:admin

(no description provided)

update_zone_transfer_accept
Default

rule:admin

Operations
  • POST /v2/zones/tasks/transfer_accepts

Update a Zone Transfer Accept

delete_zone_transfer_accept
Default

rule:admin

(no description provided)

create_zone_transfer_request
Default

rule:admin_or_owner

Operations
  • POST /v2/zones/{zone_id}/tasks/transfer_requests

Create Zone Transfer Accept

get_zone_transfer_request
Default

rule:admin_or_owner OR tenant:%(target_tenant_id)s OR None:%(target_tenant_id)s

Operations
  • GET /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}

  • PATCH /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}

Show a Zone Transfer Request

get_zone_transfer_request_detailed
Default

rule:admin_or_owner

(no description provided)

find_zone_transfer_requests
Default

@

Operations
  • GET /v2/zones/tasks/transfer_requests

List Zone Transfer Requests

find_zone_transfer_request
Default

@

(no description provided)

update_zone_transfer_request
Default

rule:admin_or_owner

Operations
  • PATCH /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}

Update a Zone Transfer Request

delete_zone_transfer_request
Default

rule:admin_or_owner

Operations
  • DELETE /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}

Delete a Zone Transfer Request