Heat Sample Policy¶
The following is a sample heat policy file that has been auto-generated from default policy values in code. If you’re using the default policies, then the maintenance of this file is not necessary, and it should not be copied into a deployment. Doing so will result in duplicate policy definitions. It is here to help explain which policy operations protect specific heat APIs, but it is not suggested to copy and paste into a deployment unless you’re planning on providing a different policy for an operation that is not the default.
If you wish build a policy file, you can also use tox -e genpolicy
to
generate it.
The sample policy file can also be downloaded in file form.
# Decides what is required for the 'is_admin:True' check to succeed.
#"context_is_admin": "role:admin and is_admin_project:True"
# Default rule for project admin.
#"project_admin": "role:admin"
# Default rule for deny stack user.
#"deny_stack_user": "not role:heat_stack_user"
# Default rule for deny everybody.
#"deny_everybody": "!"
# Default rule for allow everybody.
#"allow_everybody": ""
# Performs non-lifecycle operations on the stack (Snapshot, Resume,
# Cancel update, or check stack resources).
# POST /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions
#"actions:action": "rule:deny_stack_user"
# Show build information.
# GET /v1/{tenant_id}/build_info
#"build_info:build_info": "rule:deny_stack_user"
#
#"cloudformation:ListStacks": "rule:deny_stack_user"
#
#"cloudformation:CreateStack": "rule:deny_stack_user"
#
#"cloudformation:DescribeStacks": "rule:deny_stack_user"
#
#"cloudformation:DeleteStack": "rule:deny_stack_user"
#
#"cloudformation:UpdateStack": "rule:deny_stack_user"
#
#"cloudformation:CancelUpdateStack": "rule:deny_stack_user"
#
#"cloudformation:DescribeStackEvents": "rule:deny_stack_user"
#
#"cloudformation:ValidateTemplate": "rule:deny_stack_user"
#
#"cloudformation:GetTemplate": "rule:deny_stack_user"
#
#"cloudformation:EstimateTemplateCost": "rule:deny_stack_user"
#
#"cloudformation:DescribeStackResource": "rule:allow_everybody"
#
#"cloudformation:DescribeStackResources": "rule:deny_stack_user"
#
#"cloudformation:ListStackResources": "rule:deny_stack_user"
# List events.
# GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/events
#"events:index": "rule:deny_stack_user"
# Show event.
# GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/events/{event_id}
#"events:show": "rule:deny_stack_user"
# List resources.
# GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources
#"resource:index": "rule:deny_stack_user"
# Show resource metadata.
# GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/metadata
#"resource:metadata": "rule:allow_everybody"
# Signal resource.
# POST /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/signal
#"resource:signal": "rule:allow_everybody"
# Mark resource as unhealthy.
# PATCH /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name_or_physical_id}
#"resource:mark_unhealthy": "rule:deny_stack_user"
# Show resource.
# GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}
#"resource:show": "rule:deny_stack_user"
#
#"resource_types:OS::Nova::Flavor": "rule:project_admin"
#
#"resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin"
#
#"resource_types:OS::Cinder::VolumeType": "rule:project_admin"
#
#"resource_types:OS::Cinder::Quota": "rule:project_admin"
#
#"resource_types:OS::Neutron::Quota": "rule:project_admin"
#
#"resource_types:OS::Nova::Quota": "rule:project_admin"
#
#"resource_types:OS::Manila::ShareType": "rule:project_admin"
#
#"resource_types:OS::Neutron::ProviderNet": "rule:project_admin"
#
#"resource_types:OS::Neutron::QoSPolicy": "rule:project_admin"
#
#"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin"
#
#"resource_types:OS::Neutron::Segment": "rule:project_admin"
#
#"resource_types:OS::Nova::HostAggregate": "rule:project_admin"
#
#"resource_types:OS::Cinder::QoSSpecs": "rule:project_admin"
#
#"resource_types:OS::Cinder::QoSAssociation": "rule:project_admin"
#
#"resource_types:OS::Keystone::*": "rule:project_admin"
#
#"resource_types:OS::Blazar::Host": "rule:project_admin"
#
#"service:index": "rule:context_is_admin"
# List configs globally.
# GET /v1/{tenant_id}/software_configs
#"software_configs:global_index": "rule:deny_everybody"
# List configs.
# GET /v1/{tenant_id}/software_configs
#"software_configs:index": "rule:deny_stack_user"
# Create config.
# POST /v1/{tenant_id}/software_configs
#"software_configs:create": "rule:deny_stack_user"
# Show config details.
# GET /v1/{tenant_id}/software_configs/{config_id}
#"software_configs:show": "rule:deny_stack_user"
# Delete config.
# DELETE /v1/{tenant_id}/software_configs/{config_id}
#"software_configs:delete": "rule:deny_stack_user"
# List deployments.
# GET /v1/{tenant_id}/software_deployments
#"software_deployments:index": "rule:deny_stack_user"
# Create deployment.
# POST /v1/{tenant_id}/software_deployments
#"software_deployments:create": "rule:deny_stack_user"
# Show deployment details.
# GET /v1/{tenant_id}/software_deployments/{deployment_id}
#"software_deployments:show": "rule:deny_stack_user"
# Update deployment.
# PUT /v1/{tenant_id}/software_deployments/{deployment_id}
#"software_deployments:update": "rule:deny_stack_user"
# Delete deployment.
# DELETE /v1/{tenant_id}/software_deployments/{deployment_id}
#"software_deployments:delete": "rule:deny_stack_user"
# Show server configuration metadata.
# GET /v1/{tenant_id}/software_deployments/metadata/{server_id}
#"software_deployments:metadata": "rule:allow_everybody"
# Abandon stack.
# DELETE /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/abandon
#"stacks:abandon": "rule:deny_stack_user"
# Create stack.
# POST /v1/{tenant_id}/stacks
#"stacks:create": "rule:deny_stack_user"
# Delete stack.
# DELETE /v1/{tenant_id}/stacks/{stack_name}/{stack_id}
#"stacks:delete": "rule:deny_stack_user"
# List stacks in detail.
# GET /v1/{tenant_id}/stacks
#"stacks:detail": "rule:deny_stack_user"
# Export stack.
# GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/export
#"stacks:export": "rule:deny_stack_user"
# Generate stack template.
# GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template
#"stacks:generate_template": "rule:deny_stack_user"
# List stacks globally.
# GET /v1/{tenant_id}/stacks
#"stacks:global_index": "rule:deny_everybody"
# List stacks.
# GET /v1/{tenant_id}/stacks
#"stacks:index": "rule:deny_stack_user"
# List resource types.
# GET /v1/{tenant_id}/resource_types
#"stacks:list_resource_types": "rule:deny_stack_user"
# List template versions.
# GET /v1/{tenant_id}/template_versions
#"stacks:list_template_versions": "rule:deny_stack_user"
# List template functions.
# GET /v1/{tenant_id}/template_versions/{template_version}/functions
#"stacks:list_template_functions": "rule:deny_stack_user"
# Find stack.
# GET /v1/{tenant_id}/stacks/{stack_identity}
#"stacks:lookup": "rule:allow_everybody"
# Preview stack.
# POST /v1/{tenant_id}/stacks/preview
#"stacks:preview": "rule:deny_stack_user"
# Show resource type schema.
# GET /v1/{tenant_id}/resource_types/{type_name}
#"stacks:resource_schema": "rule:deny_stack_user"
# Show stack.
# GET /v1/{tenant_id}/stacks/{stack_identity}
#"stacks:show": "rule:deny_stack_user"
# Get stack template.
# GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template
#"stacks:template": "rule:deny_stack_user"
# Get stack environment.
# GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/environment
#"stacks:environment": "rule:deny_stack_user"
# Get stack files.
# GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/files
#"stacks:files": "rule:deny_stack_user"
# Update stack.
# PUT /v1/{tenant_id}/stacks/{stack_name}/{stack_id}
#"stacks:update": "rule:deny_stack_user"
# Update stack (PATCH).
# PATCH /v1/{tenant_id}/stacks/{stack_name}/{stack_id}
#"stacks:update_patch": "rule:deny_stack_user"
# Preview update stack.
# PUT /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview
#"stacks:preview_update": "rule:deny_stack_user"
# Preview update stack (PATCH).
# PATCH /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview
#"stacks:preview_update_patch": "rule:deny_stack_user"
# Validate template.
# POST /v1/{tenant_id}/validate
#"stacks:validate_template": "rule:deny_stack_user"
# Snapshot Stack.
# POST /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots
#"stacks:snapshot": "rule:deny_stack_user"
# Show snapshot.
# GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}
#"stacks:show_snapshot": "rule:deny_stack_user"
# Delete snapshot.
# DELETE /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}
#"stacks:delete_snapshot": "rule:deny_stack_user"
# List snapshots.
# GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots
#"stacks:list_snapshots": "rule:deny_stack_user"
# Restore snapshot.
# POST /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}/restore
#"stacks:restore_snapshot": "rule:deny_stack_user"
# List outputs.
# GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs
#"stacks:list_outputs": "rule:deny_stack_user"
# Show outputs.
# GET /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs/{output_key}
#"stacks:show_output": "rule:deny_stack_user"