The following policies are shipped by default. Glance will assume a policy’s default value if it’s not explicitly overridden in the policy file.
policy.yaml¶
glance¶
default- Default
<empty string>
Defines the default rule used for policies that historically had an empty policy in the supplied policy.json file.
context_is_admin- Default
role:admin
Defines the rule for the is_admin:True check.
add_image- Default
role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)- Operations
POST
/v2/images
- Scope Types
project
Create new image
delete_image- Default
role:admin or (role:member and project_id:%(project_id)s)- Operations
DELETE
/v2/images/{image_id}
- Scope Types
project
Deletes the image
get_image- Default
role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))- Operations
GET
/v2/images/{image_id}
- Scope Types
project
Get specified image
get_images- Default
role:admin or (role:reader and project_id:%(project_id)s)- Operations
GET
/v2/images
- Scope Types
project
Get all available images
modify_image- Default
role:admin or (role:member and project_id:%(project_id)s)- Operations
PATCH
/v2/images/{image_id}
- Scope Types
project
Updates given image
publicize_image- Default
role:admin- Operations
PATCH
/v2/images/{image_id}
- Scope Types
project
Publicize given image
communitize_image- Default
role:admin or (role:member and project_id:%(project_id)s)- Operations
PATCH
/v2/images/{image_id}
- Scope Types
project
Communitize given image
download_image- Default
role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))- Operations
GET
/v2/images/{image_id}/file
- Scope Types
project
Downloads given image
upload_image- Default
role:admin or (role:member and project_id:%(project_id)s)- Operations
PUT
/v2/images/{image_id}/file
- Scope Types
project
Uploads data to specified image
delete_image_location- Default
role:admin- Operations
PATCH
/v2/images/{image_id}
- Scope Types
project
Deletes the location of given image
get_image_location- Default
role:admin or (role:reader and project_id:%(project_id)s)- Operations
GET
/v2/images/{image_id}
- Scope Types
project
Reads the location of the image
set_image_location- Default
role:admin or (role:member and project_id:%(project_id)s)- Operations
PATCH
/v2/images/{image_id}
- Scope Types
project
Sets location URI to given image
add_member- Default
role:admin or (role:member and project_id:%(project_id)s)- Operations
POST
/v2/images/{image_id}/members
- Scope Types
project
Create image member
delete_member- Default
role:admin or (role:member and project_id:%(project_id)s)- Operations
DELETE
/v2/images/{image_id}/members/{member_id}
- Scope Types
project
Delete image member
get_member- Default
role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)- Operations
GET
/v2/images/{image_id}/members/{member_id}
- Scope Types
project
Show image member details
get_members- Default
role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)- Operations
GET
/v2/images/{image_id}/members
- Scope Types
project
List image members
modify_member- Default
role:admin or (role:member and project_id:%(member_id)s)- Operations
PUT
/v2/images/{image_id}/members/{member_id}
- Scope Types
project
Update image member
manage_image_cache- Default
role:admin- Scope Types
project
Manage image cache
deactivate- Default
role:admin or (role:member and project_id:%(project_id)s)- Operations
POST
/v2/images/{image_id}/actions/deactivate
- Scope Types
project
Deactivate image
reactivate- Default
role:admin or (role:member and project_id:%(project_id)s)- Operations
POST
/v2/images/{image_id}/actions/reactivate
- Scope Types
project
Reactivate image
copy_image- Default
role:admin- Operations
POST
/v2/images/{image_id}/import
- Scope Types
project
Copy existing image to other stores
get_task- Default
rule:default- Operations
GET
/v2/tasks/{task_id}
- Scope Types
project
Get an image task.
This granular policy controls access to tasks, both from the tasks API as well as internal locations in Glance that use tasks (like import). Practically this cannot be more restrictive than the policy that controls import or things will break, and changing it from the default is almost certainly not what you want. Access to the external tasks API should be restricted as desired by the tasks_api_access policy. This may change in the future.
get_tasks- Default
rule:default- Operations
GET
/v2/tasks
- Scope Types
project
List tasks for all images.
This granular policy controls access to tasks, both from the tasks API as well as internal locations in Glance that use tasks (like import). Practically this cannot be more restrictive than the policy that controls import or things will break, and changing it from the default is almost certainly not what you want. Access to the external tasks API should be restricted as desired by the tasks_api_access policy. This may change in the future.
add_task- Default
rule:default- Operations
POST
/v2/tasks
- Scope Types
project
List tasks for all images.
This granular policy controls access to tasks, both from the tasks API as well as internal locations in Glance that use tasks (like import). Practically this cannot be more restrictive than the policy that controls import or things will break, and changing it from the default is almost certainly not what you want. Access to the external tasks API should be restricted as desired by the tasks_api_access policy. This may change in the future.
modify_task- Default
rule:default- Operations
DELETE
/v2/tasks/{task_id}
- Scope Types
project
This policy is not used.
tasks_api_access- Default
role:admin- Operations
GET
/v2/tasks/{task_id}GET
/v2/tasksPOST
/v2/tasksDELETE
/v2/tasks/{task_id}
- Scope Types
project
This is a generic blanket policy for protecting all task APIs. It is not granular and will not allow you to separate writable and readable task operations into different roles.
metadef_default- Default
<empty string>
(no description provided)
metadef_admin- Default
role:admin
(no description provided)
get_metadef_namespace- Default
role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))- Operations
GET
/v2/metadefs/namespaces/{namespace_name}
- Scope Types
project
Get a specific namespace.
get_metadef_namespaces- Default
role:admin or (role:reader and project_id:%(project_id)s)- Operations
GET
/v2/metadefs/namespaces
- Scope Types
project
List namespace.
modify_metadef_namespace- Default
rule:metadef_admin- Operations
PUT
/v2/metadefs/namespaces/{namespace_name}
- Scope Types
project
Modify an existing namespace.
add_metadef_namespace- Default
rule:metadef_admin- Operations
POST
/v2/metadefs/namespaces
- Scope Types
project
Create a namespace.
delete_metadef_namespace- Default
rule:metadef_admin- Operations
DELETE
/v2/metadefs/namespaces/{namespace_name}
- Scope Types
project
Delete a namespace.
get_metadef_object- Default
role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))- Operations
GET
/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
- Scope Types
project
Get a specific object from a namespace.
get_metadef_objects- Default
role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))- Operations
GET
/v2/metadefs/namespaces/{namespace_name}/objects
- Scope Types
project
Get objects from a namespace.
modify_metadef_object- Default
rule:metadef_admin- Operations
PUT
/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
- Scope Types
project
Update an object within a namespace.
add_metadef_object- Default
rule:metadef_admin- Operations
POST
/v2/metadefs/namespaces/{namespace_name}/objects
- Scope Types
project
Create an object within a namespace.
delete_metadef_object- Default
rule:metadef_admin- Operations
DELETE
/v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
- Scope Types
project
Delete an object within a namespace.
list_metadef_resource_types- Default
role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))- Operations
GET
/v2/metadefs/resource_types
- Scope Types
project
List meta definition resource types.
get_metadef_resource_type- Default
role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))- Operations
GET
/v2/metadefs/namespaces/{namespace_name}/resource_types
- Scope Types
project
Get meta definition resource types associations.
add_metadef_resource_type_association- Default
rule:metadef_admin- Operations
POST
/v2/metadefs/namespaces/{namespace_name}/resource_types
- Scope Types
project
Create meta definition resource types association.
remove_metadef_resource_type_association- Default
rule:metadef_admin- Operations
POST
/v2/metadefs/namespaces/{namespace_name}/resource_types/{name}
- Scope Types
project
Delete meta definition resource types association.
get_metadef_property- Default
role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))- Operations
GET
/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
- Scope Types
project
Get a specific meta definition property.
get_metadef_properties- Default
role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))- Operations
GET
/v2/metadefs/namespaces/{namespace_name}/properties
- Scope Types
project
List meta definition properties.
modify_metadef_property- Default
rule:metadef_admin- Operations
GET
/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
- Scope Types
project
Update meta definition property.
add_metadef_property- Default
rule:metadef_admin- Operations
POST
/v2/metadefs/namespaces/{namespace_name}/properties
- Scope Types
project
Create meta definition property.
remove_metadef_property- Default
rule:metadef_admin- Operations
DELETE
/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
- Scope Types
project
Delete meta definition property.
get_metadef_tag- Default
role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))- Operations
GET
/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
- Scope Types
project
Get tag definition.
get_metadef_tags- Default
role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))- Operations
GET
/v2/metadefs/namespaces/{namespace_name}/tags
- Scope Types
project
List tag definitions.
modify_metadef_tag- Default
rule:metadef_admin- Operations
PUT
/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
- Scope Types
project
Update tag definition.
add_metadef_tag- Default
rule:metadef_admin- Operations
POST
/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
- Scope Types
project
Add tag definition.
add_metadef_tags- Default
rule:metadef_admin- Operations
POST
/v2/metadefs/namespaces/{namespace_name}/tags
- Scope Types
project
Create tag definitions.
delete_metadef_tag- Default
rule:metadef_admin- Operations
DELETE
/v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
- Scope Types
project
Delete tag definition.
delete_metadef_tags- Default
rule:metadef_admin- Operations
DELETE
/v2/metadefs/namespaces/{namespace_name}/tags
- Scope Types
project
Delete tag definitions.
cache_image- Default
role:admin- Operations
PUT
/v2/cache/{image_id}
- Scope Types
project
Queue image for caching
cache_list- Default
role:admin- Operations
GET
/v2/cache
- Scope Types
project
List cache status
cache_delete- Default
role:admin- Operations
DELETE
/v2/cacheDELETE
/v2/cache/{image_id}
- Scope Types
project
Delete image(s) from cache and/or queue
stores_info_detail- Default
role:admin- Operations
GET
/v2/info/stores/detail
- Scope Types
project
Expose store specific information
