Policy Documentation
Warning
The JSON-formatted policy file has been deprecated since Designate 12.0.0 (Wallaby). The oslopolicy-convert-json-to-yaml tool migrates an existing JSON-formatted policy file to YAML in a backward-compatible way.
The following is an overview of all available policies in Designate. For a sample configuration file, refer to policy.yaml.
designate
admin
- Default
role:admin or is_admin:True
(no description provided)
owner
- Default
tenant:%(tenant_id)s
(no description provided)
admin_or_owner
- Default
rule:admin or rule:owner
(no description provided)
default
- Default
(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
(no description provided)
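The check strings in this listing are evaluated by oslo.policy, and it is worth seeing concretely what they admit before overriding any of them. The following Python example is added for this page; it is not oslo.policy or Designate code but a small re-implementation of the check-string subset used here (and/or with "and" binding tighter than "or", parentheses, "@", rule:, role:, and generic kind:match checks with %(key)s substitution from the request target). The rule strings are copied from this page; the `enforce` and `tsigkey_access` functions, the sample credentials `SYSTEM_ADMIN`, `PROJECT_ADMIN` and `PROJECT_MEMBER`, and the `LEGACY_OVERRIDES` entry are constructed for the example. The override models a `rule:admin` line carried over from a pre-Wallaby policy file: the legacy `admin` alias above (`role:admin or is_admin:True`) carries no scope check, so such an override admits any project-scoped token that holds the admin role.

```python
"""Illustrative evaluator for the oslo.policy check-string subset used on this page
(added here; not oslo.policy or Designate code).  Semantics mirrored: "and" binds
tighter than "or"; "@" always passes, "!" always fails; "rule:x" refers to another
rule; "role:x" tests token roles; other "kind:match" checks fill %(key)s from the
request target and compare with a literal (None, True, 'PRIMARY') or creds[kind]."""
import ast

DEFAULT_RULES = {  # check strings copied from this page
    "admin": "role:admin or is_admin:True",
    "create_tsigkey": "role:admin and system_scope:all",
    "create_recordset": (
        "(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) "
        "or (role:admin and system_scope:all) and ('PRIMARY':%(zone_type)s) "
        "or (role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s)"),
    "create_zone_transfer_accept": (
        "((role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)) "
        "or project_id:%(target_project_id)s or None:%(target_project_id)s"),
    "find_zone_transfer_requests": "@",
}
LEGACY_OVERRIDES = {"create_tsigkey": "rule:admin"}  # assumed stale pre-Wallaby override
# Constructed sample credentials, shaped like the values handed to the policy engine.
SYSTEM_ADMIN = {"roles": ["admin", "member", "reader"], "system_scope": "all", "project_id": None}
PROJECT_ADMIN = {"roles": ["admin", "member", "reader"], "system_scope": None, "project_id": "p1"}
PROJECT_MEMBER = {"roles": ["member", "reader"], "system_scope": None, "project_id": "p1"}

def _tokenize(check_str):
    """Whitespace-split, then peel parentheses off token edges only (keeps %(key)s intact)."""
    tokens = []
    for raw in check_str.split():
        core, body = raw.lstrip("("), raw.lstrip("(").rstrip(")")
        tokens += ["("] * (len(raw) - len(core)) + [body] * bool(body)
        tokens += [")"] * (len(core) - len(body))
    return tokens

def _parse(tokens):
    """Recursive descent: level 0 is an or-chain, 1 an and-chain, 2 a primary."""
    pos = 0
    def expr(level=0):
        nonlocal pos
        if level == 2:                       # primary: '(' expr ')' or one check
            tok, pos = tokens[pos], pos + 1
            if tok != "(":
                return ("check", tok)
            node = expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ')' in check string")
            pos += 1
            return node
        node, op = expr(level + 1), ("or", "and")[level]
        while pos < len(tokens) and tokens[pos] == op:
            pos += 1
            node = (op, node, expr(level + 1))
        return node

    node = expr()
    if pos != len(tokens):
        raise ValueError("trailing token %r" % tokens[pos])
    return node

def _check(tok, target, creds, rules, depth):
    if tok in ("@", "!"):
        return tok == "@"
    kind, sep, match = tok.partition(":")
    if not sep:
        return False                         # unparsable check denies, as oslo.policy does
    if kind == "rule":
        return enforce(match, target, creds, rules, depth + 1)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    try:
        expected = match % target            # %(key)s comes from the request target
    except KeyError:
        return False                         # key missing from the target: deny
    try:
        actual = ast.literal_eval(kind)      # literal kind: None, True, 'PRIMARY'
    except (ValueError, SyntaxError):
        if kind not in creds:                # otherwise a credential attribute
            return False
        actual = creds[kind]
    return expected == str(actual)

def _eval(node, *ctx):
    if node[0] == "check":
        return _check(node[1], *ctx)
    return (all if node[0] == "and" else any)(_eval(n, *ctx) for n in node[1:])

def enforce(rule_name, target, creds, rules=None, _depth=0):
    """True if creds may perform rule_name on target; an unknown rule denies."""
    rules = DEFAULT_RULES if rules is None else rules
    if rule_name not in rules or _depth > 10:
        return False
    return _eval(_parse(_tokenize(rules[rule_name])), target, creds, rules, _depth)

def tsigkey_access():
    """create_tsigkey under the page default vs. the assumed legacy override."""
    merged = dict(DEFAULT_RULES, **LEGACY_OVERRIDES)
    return {"default/system_admin": enforce("create_tsigkey", {}, SYSTEM_ADMIN),
            "default/project_admin": enforce("create_tsigkey", {}, PROJECT_ADMIN),
            "legacy/project_admin": enforce("create_tsigkey", {}, PROJECT_ADMIN, merged)}
```

`tsigkey_access()` shows the page default denying the project-scoped admin token while the carried-over `rule:admin` override admits it. The other rules can be tried the same way: `enforce("create_recordset", {"project_id": "p1", "zone_type": "SECONDARY"}, PROJECT_MEMBER)` returns False because the member branch of that rule is tied to `'PRIMARY':%(zone_type)s`, and `enforce("create_zone_transfer_accept", {"project_id": "p1", "target_project_id": None}, PROJECT_MEMBER)` returns True for a member of any project because the `None:%(target_project_id)s` term matches a transfer request that has no target project. To see what a deployment actually enforces rather than what this page lists, render the effective policy with `oslopolicy-policy-generator --namespace designate` and compare it against these defaults.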
create_blacklist
- Default
role:admin and system_scope:all
- Operations
POST
/v2/blacklists
- Scope Types
system
Create blacklist.
find_blacklist
- Default
role:reader and system_scope:all
- Operations
GET
/v2/blacklists
- Scope Types
system
Find blacklist.
find_blacklists
- Default
role:reader and system_scope:all
- Operations
GET
/v2/blacklists
- Scope Types
system
Find blacklists.
get_blacklist
- Default
role:reader and system_scope:all
- Operations
GET
/v2/blacklists/{blacklist_id}
- Scope Types
system
Get blacklist.
update_blacklist
- Default
role:admin and system_scope:all
- Operations
PATCH
/v2/blacklists/{blacklist_id}
- Scope Types
system
Update blacklist.
delete_blacklist
- Default
role:admin and system_scope:all
- Operations
DELETE
/v2/blacklists/{blacklist_id}
- Scope Types
system
Delete blacklist.
use_blacklisted_zone
- Default
role:admin and system_scope:all
- Operations
POST
/v2/zones
- Scope Types
system
Allow bypassing the blacklist when creating a zone.
all_tenants
- Default
role:admin and system_scope:all
- Scope Types
system
Action on all tenants.
edit_managed_records
- Default
role:admin and system_scope:all
- Scope Types
system
Edit managed records.
use_low_ttl
- Default
role:admin and system_scope:all
- Scope Types
system
Use low TTL.
use_sudo
- Default
role:admin and system_scope:all
- Scope Types
system
Accept sudo from a user to a tenant.
diagnostics_ping
- Default
role:admin and system_scope:all
- Scope Types
system
Diagnose ping.
diagnostics_sync_zones
- Default
role:admin and system_scope:all
- Scope Types
system
Diagnose sync zones.
diagnostics_sync_zone
- Default
role:admin and system_scope:all
- Scope Types
system
Diagnose sync zone.
diagnostics_sync_record
- Default
role:admin and system_scope:all
- Scope Types
system
Diagnose sync record.
create_pool
- Default
role:admin and system_scope:all
- Scope Types
system
Create pool.
find_pools
- Default
role:reader and system_scope:all
- Operations
GET
/v2/pools
- Scope Types
system
Find pools.
find_pool
- Default
role:reader and system_scope:all
- Operations
GET
/v2/pools
- Scope Types
system
Find pool.
get_pool
- Default
role:reader and system_scope:all
- Operations
GET
/v2/pools/{pool_id}
- Scope Types
system
Get pool.
update_pool
- Default
role:admin and system_scope:all
- Scope Types
system
Update pool.
delete_pool
- Default
role:admin and system_scope:all
- Scope Types
system
Delete pool.
zone_create_forced_pool
- Default
role:admin and system_scope:all
- Operations
POST
/v2/zones
- Scope Types
system
Load and set the pool to the one provided in the zone attributes.
get_quotas
- Default
(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)
- Operations
GET
/v2/quotas
- Scope Types
system
project
View Current Project’s Quotas.
get_quota
- Default
(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
- Scope Types
system
project
(no description provided)
set_quota
- Default
role:admin and system_scope:all
- Operations
PATCH
/v2/quotas/{project_id}
- Scope Types
system
Set Quotas.
reset_quotas
- Default
role:admin and system_scope:all
- Operations
DELETE
/v2/quotas/{project_id}
- Scope Types
system
Reset Quotas.
find_records
- Default
(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
- Operations
GET
/v2/reverse/floatingips/{region}:{floatingip_id}
GET
/v2/reverse/floatingips
- Scope Types
system
project
Find records.
count_records
- Default
(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
- Scope Types
system
project
(no description provided)
create_recordset
- Default
(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s)
- Operations
POST
/v2/zones/{zone_id}/recordsets
- Scope Types
system
project
Create Recordset
get_recordsets
- Default
(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
- Scope Types
system
project
(no description provided)
get_recordset
- Default
(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
- Operations
GET
/v2/zones/{zone_id}/recordsets/{recordset_id}
- Scope Types
system
project
Get recordset
find_recordset
- Default
(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
- Scope Types
system
project
List a Recordset in a Zone
find_recordsets
- Default
(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
- Operations
GET
/v2/zones/{zone_id}/recordsets
- Scope Types
system
project
List Recordsets in a Zone
update_recordset
- Default
(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s)
- Operations
PUT
/v2/zones/{zone_id}/recordsets/{recordset_id}
- Scope Types
system
project
Update recordset
delete_recordset
- Default
(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s)
- Operations
DELETE
/v2/zones/{zone_id}/recordsets/{recordset_id}
- Scope Types
system
project
Delete RecordSet
count_recordset
- Default
(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
- Scope Types
system
project
Count recordsets
find_service_status
- Default
role:reader and system_scope:all
- Operations
GET
/v2/service_status/{service_id}
- Scope Types
system
Find a single Service Status
find_service_statuses
- Default
role:reader and system_scope:all
- Operations
GET
/v2/service_status
- Scope Types
system
List service statuses.
update_service_status
- Default
role:admin and system_scope:all
- Scope Types
system
(no description provided)
find_tenants
- Default
role:reader and system_scope:all
- Scope Types
system
Find all Tenants.
get_tenant
- Default
role:reader and system_scope:all
- Scope Types
system
Get a tenant.
count_tenants
- Default
role:reader and system_scope:all
- Scope Types
system
Count tenants
create_tld
- Default
role:admin and system_scope:all
- Operations
POST
/v2/tlds
- Scope Types
system
Create Tld
find_tlds
- Default
role:reader and system_scope:all
- Operations
GET
/v2/tlds
- Scope Types
system
List Tlds
get_tld
- Default
role:reader and system_scope:all
- Operations
GET
/v2/tlds/{tld_id}
- Scope Types
system
Show Tld
update_tld
- Default
role:admin and system_scope:all
- Operations
PATCH
/v2/tlds/{tld_id}
- Scope Types
system
Update Tld
delete_tld
- Default
role:admin and system_scope:all
- Operations
DELETE
/v2/tlds/{tld_id}
- Scope Types
system
Delete Tld
create_tsigkey
- Default
role:admin and system_scope:all
- Operations
POST
/v2/tsigkeys
- Scope Types
system
Create Tsigkey
find_tsigkeys
- Default
role:reader and system_scope:all
- Operations
GET
/v2/tsigkeys
- Scope Types
system
List Tsigkeys
get_tsigkey
- Default
role:reader and system_scope:all
- Operations
GET
/v2/tsigkeys/{tsigkey_id}
- Scope Types
system
Show a Tsigkey
update_tsigkey
- Default
role:admin and system_scope:all
- Operations
PATCH
/v2/tsigkeys/{tsigkey_id}
- Scope Types
system
Update Tsigkey
delete_tsigkey
- Default
role:admin and system_scope:all
- Operations
DELETE
/v2/tsigkeys/{tsigkey_id}
- Scope Types
system
Delete a Tsigkey
create_zone
- Default
(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
- Operations
POST
/v2/zones
- Scope Types
system
project
Create Zone
get_zones
- Default
(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
- Scope Types
system
project
(no description provided)
get_zone
- Default
(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
- Operations
GET
/v2/zones/{zone_id}
- Scope Types
system
project
Get Zone
get_zone_servers
- Default
(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
- Scope Types
system
project
(no description provided)
get_zone_ns_records
- Default
(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
- Operations
GET
/v2/zones/{zone_id}/nameservers
- Scope Types
system
project
Get the Name Servers for a Zone
find_zones
- Default
(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
- Operations
GET
/v2/zones
- Scope Types
system
project
List existing zones
update_zone
- Default
(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
- Operations
PATCH
/v2/zones/{zone_id}
- Scope Types
system
project
Update Zone
delete_zone
- Default
(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
- Operations
DELETE
/v2/zones/{zone_id}
- Scope Types
system
project
Delete Zone
xfr_zone
- Default
(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
- Operations
POST
/v2/zones/{zone_id}/tasks/xfr
- Scope Types
system
project
Manually Trigger an Update of a Secondary Zone
abandon_zone
- Default
role:admin and system_scope:all
- Operations
POST
/v2/zones/{zone_id}/tasks/abandon
- Scope Types
system
Abandon Zone
count_zones
- Default
(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
- Scope Types
system
project
(no description provided)
count_zones_pending_notify
- Default
(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
- Scope Types
system
project
(no description provided)
purge_zones
- Default
role:admin and system_scope:all
- Scope Types
system
(no description provided)
touch_zone
- Default
(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
- Scope Types
system
project
(no description provided)
zone_export
- Default
(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
- Operations
GET
/v2/zones/tasks/exports/{zone_export_id}/export
- Scope Types
system
project
Retrieve a Zone Export from the Designate Datastore
create_zone_export
- Default
(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
- Operations
POST
/v2/zones/{zone_id}/tasks/export
- Scope Types
system
project
Create Zone Export
find_zone_exports
- Default
(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
- Operations
GET
/v2/zones/tasks/exports
- Scope Types
system
project
List Zone Exports
get_zone_export
- Default
(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
- Operations
GET
/v2/zones/tasks/exports/{zone_export_id}
- Scope Types
system
project
Get a Zone Export
update_zone_export
- Default
(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
- Operations
POST
/v2/zones/{zone_id}/tasks/export
- Scope Types
system
project
Update a Zone Export
delete_zone_export
- Default
(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
- Operations
DELETE
/v2/zones/tasks/exports/{zone_export_id}
- Scope Types
system
project
Delete a zone export
create_zone_import
- Default
(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
- Operations
POST
/v2/zones/tasks/imports
- Scope Types
system
project
Create Zone Import
find_zone_imports
- Default
(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
- Operations
GET
/v2/zones/tasks/imports
- Scope Types
system
project
List all Zone Imports
get_zone_import
- Default
(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
- Operations
GET
/v2/zones/tasks/imports/{zone_import_id}
- Scope Types
system
project
Get a Zone Import
update_zone_import
- Default
(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
- Operations
POST
/v2/zones/tasks/imports
- Scope Types
system
project
Update a Zone Import
delete_zone_import
- Default
(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
- Operations
DELETE
/v2/zones/tasks/imports/{zone_import_id}
- Scope Types
system
project
Delete a Zone Import
create_zone_transfer_accept
- Default
((role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)) or project_id:%(target_project_id)s or None:%(target_project_id)s
- Operations
POST
/v2/zones/tasks/transfer_accepts
- Scope Types
system
project
Create Zone Transfer Accept
get_zone_transfer_accept
- Default
(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
- Operations
GET
/v2/zones/tasks/transfer_accepts/{zone_transfer_accept_id}
- Scope Types
system
project
Get Zone Transfer Accept
find_zone_transfer_accepts
- Default
role:reader and system_scope:all
- Operations
GET
/v2/zones/tasks/transfer_accepts
- Scope Types
system
List Zone Transfer Accepts
find_zone_transfer_accept
- Default
role:reader and system_scope:all
- Scope Types
system
(no description provided)
update_zone_transfer_accept
- Default
role:admin and system_scope:all
- Operations
POST
/v2/zones/tasks/transfer_accepts
- Scope Types
system
Update a Zone Transfer Accept
delete_zone_transfer_accept
- Default
role:admin and system_scope:all
- Scope Types
system
(no description provided)
create_zone_transfer_request
- Default
(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
- Operations
POST
/v2/zones/{zone_id}/tasks/transfer_requests
- Scope Types
system
project
Create Zone Transfer Request
get_zone_transfer_request
- Default
((role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)) or project_id:%(target_project_id)s or None:%(target_project_id)s
- Operations
GET
/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}
- Scope Types
system
project
Show a Zone Transfer Request
get_zone_transfer_request_detailed
- Default
(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
- Scope Types
system
project
(no description provided)
find_zone_transfer_requests
- Default
@
- Operations
GET
/v2/zones/tasks/transfer_requests
List Zone Transfer Requests. The "@" default always passes, so the policy layer itself does not restrict who may call this; any narrowing must come from the API's own filtering or from an operator override in policy.yaml.
find_zone_transfer_request
- Default
@
(no description provided)
update_zone_transfer_request
- Default
(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
- Operations
PATCH
/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}
- Scope Types
system
project
Update a Zone Transfer Request
delete_zone_transfer_request
- Default
(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
- Operations
DELETE
/v2/zones/tasks/transfer_requests/{zone_transfer_request_id}
- Scope Types
system
project
Delete a Zone Transfer Request