Policy Documentation

Warning

The JSON-formatted policy file is deprecated since Designate 12.0.0 (Wallaby). The oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

The following is an overview of all available policies in Designate. For a sample configuration file, refer to policy.yaml.
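Reading a rule string such as `(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)` tells you the shape of a policy, but the practical question is what it grants to a concrete token against a concrete target. The following evaluator is an added example, not part of this documentation and not oslo.policy or Designate code: it implements only the subset of the oslo.policy rule syntax that the defaults listed below use (`and`/`or` with parentheses, `@`, `rule:` references, `role:` checks and the generic `key:%(attr)s` check) and seeds itself with a constructed copy of a few of those defaults. The function names `tokenize`, `parse_rule`, `evaluate` and `check`, the credential dictionaries and the targets are this example's own; a deployment enforces these rules through oslo.policy's enforcer, which this code mirrors for the subset shown.

```python
"""Evaluator for the oslo.policy rule strings in this reference (added example,
not oslo.policy or Designate code).  It covers the subset the Designate defaults
use: 'and'/'or' with parentheses ('and' binds tighter), '@' (always allow),
'rule:<name>', 'role:<name>' and the generic '<key>:<value>' check, in which
'%(attr)s' is filled from the request target and a key that is a Python literal
('PRIMARY', True, None) is compared literally rather than looked up in creds."""
import ast

# Constructed subset of the default rules documented on this page.
DESIGNATE_DEFAULTS = {
    "admin": "role:admin or is_admin:True",
    "owner": "tenant:%(tenant_id)s",
    "admin_or_owner": "rule:admin or rule:owner",
    "create_recordset": "(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or "
                        "(role:admin and system_scope:all) and ('PRIMARY':%(zone_type)s) or "
                        "(role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s)",
    "create_zone_transfer_accept": "((role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)) "
                                   "or project_id:%(target_project_id)s or None:%(target_project_id)s",
    "find_zone_transfer_requests": "@",
}

def tokenize(rule):
    """Whitespace split; '(' and ')' count only at the edges of a word, so the
    '(' inside '%(project_id)s' stays part of its check."""
    tokens = []
    for tok in rule.split():
        while tok.startswith("("):
            tokens.append("(")
            tok = tok[1:]
        closers = 0
        while tok.endswith(")"):
            closers, tok = closers + 1, tok[:-1]
        tokens += ([tok] if tok else []) + [")"] * closers
    return tokens

def parse_rule(rule):
    """Recursive-descent parse into a tuple tree: ('or'|'and', a, b), ('true',)
    or ('check', kind, match).  An empty rule allows everything."""
    toks = tokenize(rule)
    peek = lambda: toks[0] if toks else None
    take = lambda: toks.pop(0)           # IndexError if the rule is truncated

    def binary(op, operand):             # left-associative chain of one operator
        node = operand()
        while peek() == op:
            take()
            node = (op, node, operand())
        return node

    def atom():
        tok = take()
        if tok == "(":
            node = binary("or", lambda: binary("and", atom))
            if take() != ")":
                raise ValueError("missing ')' in rule %r" % rule)
            return node
        if tok == "@":
            return ("true",)
        kind, sep, match = tok.partition(":")
        if not sep:
            raise ValueError("malformed check %r in rule %r" % (tok, rule))
        return ("check", kind, match)

    if not toks:
        return ("true",)
    node = binary("or", lambda: binary("and", atom))
    if toks:
        raise ValueError("trailing tokens %r in rule %r" % (toks, rule))
    return node

def _generic(kind, match, target, creds):
    """GenericCheck: fill %(attr)s from the target, then compare with a literal
    key or with the credential named by the key."""
    try:
        match = match % target           # missing target attribute -> deny
    except KeyError:
        return False
    try:
        left = ast.literal_eval(kind)    # 'PRIMARY', True, None, ...
    except (ValueError, SyntaxError):
        if kind not in creds:            # unknown credential -> deny
            return False
        left = creds[kind]
    return match == str(left)

def evaluate(node, target, creds, rules):
    op = node[0]
    if op == "true":
        return True
    if op == "and":
        return evaluate(node[1], target, creds, rules) and evaluate(node[2], target, creds, rules)
    if op == "or":
        return evaluate(node[1], target, creds, rules) or evaluate(node[2], target, creds, rules)
    _, kind, match = node
    if kind == "rule":                   # reference to another named policy
        return check(match, target, creds, rules)
    if kind == "role":                   # RoleCheck: case-insensitive membership
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    return _generic(kind, match, target, creds)

def check(policy, target, creds, rules=DESIGNATE_DEFAULTS):
    """True when `creds` may perform `policy` on `target`; unknown names deny."""
    return policy in rules and evaluate(parse_rule(rules[policy]), target, creds, rules)
```

With a constructed project-scoped member `{"roles": ["member", "reader"], "project_id": "p1", "system_scope": None}`, `check("create_recordset", {"project_id": "p1", "zone_type": "PRIMARY"}, member)` is True and the same call with `"zone_type": "SECONDARY"` is False, which is exactly the split the three-clause `create_recordset` default encodes: project members manage records only in PRIMARY zones, and SECONDARY zones are reserved to system-scoped admins. The `create_zone_transfer_accept` default is worth tracing the same way: when a transfer request carries no target project, the `None:%(target_project_id)s` clause is satisfied for any project member, so a request that should go to one specific project needs its `target_project_id` set.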

designate

admin
Default

role:admin or is_admin:True

(no description provided)

owner
Default

tenant:%(tenant_id)s

(no description provided)

admin_or_owner
Default

rule:admin or rule:owner

(no description provided)

default
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

(no description provided)

create_blacklist
Default

role:admin and system_scope:all

Operations
  • POST /v2/blacklists

Scope Types
  • system

Create blacklist.

find_blacklist
Default

role:reader and system_scope:all

Operations
  • GET /v2/blacklists

Scope Types
  • system

Find blacklist.

find_blacklists
Default

role:reader and system_scope:all

Operations
  • GET /v2/blacklists

Scope Types
  • system

Find blacklists.

get_blacklist
Default

role:reader and system_scope:all

Operations
  • GET /v2/blacklists/{blacklist_id}

Scope Types
  • system

Get blacklist.

update_blacklist
Default

role:admin and system_scope:all

Operations
  • PATCH /v2/blacklists/{blacklist_id}

Scope Types
  • system

Update blacklist.

delete_blacklist
Default

role:admin and system_scope:all

Operations
  • DELETE /v2/blacklists/{blacklist_id}

Scope Types
  • system

Delete blacklist.

use_blacklisted_zone
Default

role:admin and system_scope:all

Operations
  • POST /v2/zones

Scope Types
  • system

Allowed to bypass the blacklist.

all_tenants
Default

role:admin and system_scope:all

Scope Types
  • system

Action on all tenants.

edit_managed_records
Default

role:admin and system_scope:all

Scope Types
  • system

Edit managed records.

use_low_ttl
Default

role:admin and system_scope:all

Scope Types
  • system

Use low TTL.

use_sudo
Default

role:admin and system_scope:all

Scope Types
  • system

Accept sudo from user to tenant.

diagnostics_ping
Default

role:admin and system_scope:all

Scope Types
  • system

Diagnose ping.

diagnostics_sync_zones
Default

role:admin and system_scope:all

Scope Types
  • system

Diagnose sync zones.

diagnostics_sync_zone
Default

role:admin and system_scope:all

Scope Types
  • system

Diagnose sync zone.

diagnostics_sync_record
Default

role:admin and system_scope:all

Scope Types
  • system

Diagnose sync record.

create_pool
Default

role:admin and system_scope:all

Scope Types
  • system

Create pool.

find_pools
Default

role:reader and system_scope:all

Operations
  • GET /v2/pools

Scope Types
  • system

Find pool.

find_pool
Default

role:reader and system_scope:all

Operations
  • GET /v2/pools

Scope Types
  • system

Find pools.

get_pool
Default

role:reader and system_scope:all

Operations
  • GET /v2/pools/{pool_id}

Scope Types
  • system

Get pool.

update_pool
Default

role:admin and system_scope:all

Scope Types
  • system

Update pool.

delete_pool
Default

role:admin and system_scope:all

Scope Types
  • system

Delete pool.

zone_create_forced_pool
Default

role:admin and system_scope:all

Operations
  • POST /v2/zones

Scope Types
  • system

Load and set the pool to the one provided in the Zone attributes.

get_quotas
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (True:%(all_tenants)s and role:reader)

Operations
  • GET /v2/quotas

Scope Types
  • system

  • project

View Current Project’s Quotas.

get_quota
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Scope Types
  • system

  • project

(no description provided)

set_quota
Default

role:admin and system_scope:all

Operations
  • PATCH /v2/quotas/{project_id}

Scope Types
  • system

Set Quotas.

reset_quotas
Default

role:admin and system_scope:all

Operations
  • DELETE /v2/quotas/{project_id}

Scope Types
  • system

Reset Quotas.

find_records
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /v2/reverse/floatingips/{region}:{floatingip_id}

  • GET /v2/reverse/floatingips

Scope Types
  • system

  • project

Find records.

count_records
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Scope Types
  • system

  • project

(no description provided)

create_recordset
Default

(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s)

Operations
  • POST /v2/zones/{zone_id}/recordsets

Scope Types
  • system

  • project

Create Recordset

get_recordsets
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Scope Types
  • system

  • project

(no description provided)

get_recordset
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /v2/zones/{zone_id}/recordsets/{recordset_id}

Scope Types
  • system

  • project

Get recordset

find_recordset
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Scope Types
  • system

  • project

List a Recordset in a Zone

find_recordsets
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /v2/zones/{zone_id}/recordsets

Scope Types
  • system

  • project

List Recordsets in a Zone

update_recordset
Default

(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s)

Operations
  • PUT /v2/zones/{zone_id}/recordsets/{recordset_id}

Scope Types
  • system

  • project

Update recordset

delete_recordset
Default

(role:member and project_id:%(project_id)s) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('PRIMARY':%(zone_type)s) or (role:admin and system_scope:all) and ('SECONDARY':%(zone_type)s)

Operations
  • DELETE /v2/zones/{zone_id}/recordsets/{recordset_id}

Scope Types
  • system

  • project

Delete RecordSet

count_recordset
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Scope Types
  • system

  • project

Count recordsets

find_service_status
Default

role:reader and system_scope:all

Operations
  • GET /v2/service_status/{service_id}

Scope Types
  • system

Find a single Service Status

find_service_statuses
Default

role:reader and system_scope:all

Operations
  • GET /v2/service_status

Scope Types
  • system

List service statuses.

update_service_status
Default

role:admin and system_scope:all

Scope Types
  • system

(no description provided)

find_tenants
Default

role:reader and system_scope:all

Scope Types
  • system

Find all Tenants.

get_tenant
Default

role:reader and system_scope:all

Scope Types
  • system

Get all Tenants.

count_tenants
Default

role:reader and system_scope:all

Scope Types
  • system

Count tenants

create_tld
Default

role:admin and system_scope:all

Operations
  • POST /v2/tlds

Scope Types
  • system

Create Tld

find_tlds
Default

role:reader and system_scope:all

Operations
  • GET /v2/tlds

Scope Types
  • system

List Tlds

get_tld
Default

role:reader and system_scope:all

Operations
  • GET /v2/tlds/{tld_id}

Scope Types
  • system

Show Tld

update_tld
Default

role:admin and system_scope:all

Operations
  • PATCH /v2/tlds/{tld_id}

Scope Types
  • system

Update Tld

delete_tld
Default

role:admin and system_scope:all

Operations
  • DELETE /v2/tlds/{tld_id}

Scope Types
  • system

Delete Tld

create_tsigkey
Default

role:admin and system_scope:all

Operations
  • POST /v2/tsigkeys

Scope Types
  • system

Create Tsigkey

find_tsigkeys
Default

role:reader and system_scope:all

Operations
  • GET /v2/tsigkeys

Scope Types
  • system

List Tsigkeys

get_tsigkey
Default

role:reader and system_scope:all

Operations
  • GET /v2/tsigkeys/{tsigkey_id}

Scope Types
  • system

Show a Tsigkey

update_tsigkey
Default

role:admin and system_scope:all

Operations
  • PATCH /v2/tsigkeys/{tsigkey_id}

Scope Types
  • system

Update Tsigkey

delete_tsigkey
Default

role:admin and system_scope:all

Operations
  • DELETE /v2/tsigkeys/{tsigkey_id}

Scope Types
  • system

Delete a Tsigkey

create_zone
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /v2/zones

Scope Types
  • system

  • project

Create Zone

get_zones
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Scope Types
  • system

  • project

(no description provided)

get_zone
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /v2/zones/{zone_id}

Scope Types
  • system

  • project

Get Zone

get_zone_servers
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Scope Types
  • system

  • project

(no description provided)

get_zone_ns_records
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /v2/zones/{zone_id}/nameservers

Scope Types
  • system

  • project

Get the Name Servers for a Zone

find_zones
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /v2/zones

Scope Types
  • system

  • project

List existing zones

update_zone
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PATCH /v2/zones/{zone_id}

Scope Types
  • system

  • project

Update Zone

delete_zone
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • DELETE /v2/zones/{zone_id}

Scope Types
  • system

  • project

Delete Zone

xfr_zone
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /v2/zones/{zone_id}/tasks/xfr

Scope Types
  • system

  • project

Manually Trigger an Update of a Secondary Zone

abandon_zone
Default

role:admin and system_scope:all

Operations
  • POST /v2/zones/{zone_id}/tasks/abandon

Scope Types
  • system

Abandon Zone

count_zones
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Scope Types
  • system

  • project

(no description provided)

count_zones_pending_notify
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Scope Types
  • system

  • project

(no description provided)

purge_zones
Default

role:admin and system_scope:all

Scope Types
  • system

(no description provided)

touch_zone
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Scope Types
  • system

  • project

(no description provided)

zone_export
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • GET /v2/zones/tasks/exports/{zone_export_id}/export

Scope Types
  • system

  • project

Retrieve a Zone Export from the Designate Datastore

create_zone_export
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /v2/zones/{zone_id}/tasks/export

Scope Types
  • system

  • project

Create Zone Export

find_zone_exports
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /v2/zones/tasks/exports

Scope Types
  • system

  • project

List Zone Exports

get_zone_export
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /v2/zones/tasks/exports/{zone_export_id}

Scope Types
  • system

  • project

Get Zone Exports

update_zone_export
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /v2/zones/{zone_id}/tasks/export

Scope Types
  • system

  • project

Update Zone Exports

delete_zone_export
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • DELETE /v2/zones/tasks/exports/{zone_export_id}

Scope Types
  • system

  • project

Delete a zone export

create_zone_import
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /v2/zones/tasks/imports

Scope Types
  • system

  • project

Create Zone Import

find_zone_imports
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /v2/zones/tasks/imports

Scope Types
  • system

  • project

List all Zone Imports

get_zone_import
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /v2/zones/tasks/imports/{zone_import_id}

Scope Types
  • system

  • project

Get Zone Imports

update_zone_import
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /v2/zones/tasks/imports

Scope Types
  • system

  • project

Update Zone Imports

delete_zone_import
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • DELETE /v2/zones/tasks/imports/{zone_import_id}

Scope Types
  • system

  • project

Delete a Zone Import

create_zone_transfer_accept
Default

((role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)) or project_id:%(target_project_id)s or None:%(target_project_id)s

Operations
  • POST /v2/zones/tasks/transfer_accepts

Scope Types
  • system

  • project

Create Zone Transfer Accept

get_zone_transfer_accept
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /v2/zones/tasks/transfer_requests/{zone_transfer_accept_id}

Scope Types
  • system

  • project

Get Zone Transfer Accept

find_zone_transfer_accepts
Default

role:reader and system_scope:all

Operations
  • GET /v2/zones/tasks/transfer_accepts

Scope Types
  • system

List Zone Transfer Accepts

find_zone_transfer_accept
Default

role:reader and system_scope:all

Scope Types
  • system

(no description provided)

update_zone_transfer_accept
Default

role:admin and system_scope:all

Operations
  • POST /v2/zones/tasks/transfer_accepts

Scope Types
  • system

Update a Zone Transfer Accept

delete_zone_transfer_accept
Default

role:admin and system_scope:all

Scope Types
  • system

(no description provided)

create_zone_transfer_request
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /v2/zones/{zone_id}/tasks/transfer_requests

Scope Types
  • system

  • project

Create Zone Transfer Accept

get_zone_transfer_request
Default

((role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)) or project_id:%(target_project_id)s or None:%(target_project_id)s

Operations
  • GET /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}

Scope Types
  • system

  • project

Show a Zone Transfer Request

get_zone_transfer_request_detailed
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Scope Types
  • system

  • project

(no description provided)

find_zone_transfer_requests
Default

@

Operations
  • GET /v2/zones/tasks/transfer_requests

List Zone Transfer Requests

find_zone_transfer_request
Default

@

(no description provided)

update_zone_transfer_request
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PATCH /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}

Scope Types
  • system

  • project

Update a Zone Transfer Request

delete_zone_transfer_request
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • DELETE /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}

Scope Types
  • system

  • project

Delete a Zone Transfer Request