Ironic Inspector Policy

The following is a sample ironic-inspector policy file, autogenerated from Ironic Inspector when this documentation is built. To avoid issues, make sure your version of ironic-inspector matches that of the example policy file.

The sample policy can also be downloaded as a file.

# DEPRECATED
# "is_admin" has been deprecated since W.
# The inspector API is now aware of system scope and default roles.
# Full read/write API access
#"is_admin": "role:admin or role:administrator or role:baremetal_admin"

# DEPRECATED
# "is_observer" has been deprecated since W.
# The inspector API is now aware of system scope and default roles.
# Read-only API access
#"is_observer": "role:baremetal_observer"

# Internal flag for public API routes
#"public_api": "is_public_api:True"

# Default API access policy
#"default": "!"

# Access the API root for available versions information
# GET  /
#"introspection": "rule:public_api"

# Access the versioned API root for version information
# GET  /{version}
#"introspection:version": "rule:public_api"

# Ramdisk callback to continue introspection
# POST  /continue
#"introspection:continue": "rule:public_api"

# Get introspection status
# GET  /introspection
# GET  /introspection/{node_id}
#"introspection:status": "(role:reader and system_scope:all) or (role:admin) or (role:service)"

# DEPRECATED
# "introspection:status":"rule:is_admin or rule:is_observer" has been
# deprecated since W in favor of "introspection:status":"(role:reader
# and system_scope:all) or (role:admin) or (role:service)".
# The inspector API is now aware of system scope and default roles.

# Start introspection
# POST  /introspection/{node_id}
#"introspection:start": "(role:admin and system_scope:all) or (role:admin) or (role:service)"

# DEPRECATED
# "introspection:start":"rule:is_admin" has been deprecated since W in
# favor of "introspection:start":"(role:admin and system_scope:all) or
# (role:admin) or (role:service)".
# The inspector API is now aware of system scope and default roles.

# Abort introspection
# POST  /introspection/{node_id}/abort
#"introspection:abort": "(role:admin and system_scope:all) or (role:admin) or (role:service)"

# DEPRECATED
# "introspection:abort":"rule:is_admin" has been deprecated since W in
# favor of "introspection:abort":"(role:admin and system_scope:all) or
# (role:admin) or (role:service)".
# The inspector API is now aware of system scope and default roles.

# Get introspection data
# GET  /introspection/{node_id}/data
#"introspection:data": "(role:admin and system_scope:all) or (role:admin) or (role:service)"

# DEPRECATED
# "introspection:data":"rule:is_admin" has been deprecated since W in
# favor of "introspection:data":"(role:admin and system_scope:all) or
# (role:admin) or (role:service)".
# The inspector API is now aware of system scope and default roles.

# Reapply introspection on stored data
# POST  /introspection/{node_id}/data/unprocessed
#"introspection:reapply": "(role:admin and system_scope:all) or (role:admin) or (role:service)"

# DEPRECATED
# "introspection:reapply":"rule:is_admin" has been deprecated since W
# in favor of "introspection:reapply":"(role:admin and
# system_scope:all) or (role:admin) or (role:service)".
# The inspector API is now aware of system scope and default roles.

# Get introspection rule(s)
# GET  /rules
# GET  /rules/{rule_id}
#"introspection:rule:get": "(role:admin and system_scope:all) or (role:admin) or (role:service)"

# DEPRECATED
# "introspection:rule:get":"rule:is_admin" has been deprecated since W
# in favor of "introspection:rule:get":"(role:admin and
# system_scope:all) or (role:admin) or (role:service)".
# The inspector API is now aware of system scope and default roles.

# Delete introspection rule(s)
# DELETE  /rules
# DELETE  /rules/{rule_id}
#"introspection:rule:delete": "(role:admin and system_scope:all) or (role:admin) or (role:service)"

# DEPRECATED
# "introspection:rule:delete":"rule:is_admin" has been deprecated
# since W in favor of "introspection:rule:delete":"(role:admin and
# system_scope:all) or (role:admin) or (role:service)".
# The inspector API is now aware of system scope and default roles.

# Create introspection rule
# POST  /rules
#"introspection:rule:create": "(role:admin and system_scope:all) or (role:admin) or (role:service)"

# DEPRECATED
# "introspection:rule:create":"rule:is_admin" has been deprecated
# since W in favor of "introspection:rule:create":"(role:admin and
# system_scope:all) or (role:admin) or (role:service)".
# The inspector API is now aware of system scope and default roles.