Policies

Warning

JSON-formatted policy files were deprecated in the Wallaby development cycle, following their deprecation by the oslo.policy library in Victoria. Use the oslopolicy-convert-json-to-yaml tool to convert an existing JSON policy file to a YAML-formatted policy file in a backward-compatible way.

The following is an overview of all available policies in Ironic. For a sample configuration file, refer to Ironic Policy.

ironic.api

admin_api
Default:

role:admin or role:administrator

Legacy rule for cloud admin access

public_api
Default:

is_public_api:True

Internal flag for public API routes

show_password
Default:

!

Show or mask secrets within node driver information in API responses. This setting should be used with the utmost care as its use can present a security risk.

show_instance_secrets
Default:

!

Show or mask secrets within instance information in API responses. This setting should be used with the utmost care as its use can present a security risk.

service_role
Default:

role:service and project_name:%(config.service_project_name)s

Rule to match service role usage with a service project, delineated as a separate rule to enable customization.

is_member
Default:

(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)

May be used to restrict access to specific projects

is_observer
Default:

rule:is_member and (role:observer or role:baremetal_observer)

Read-only API access

is_admin
Default:

rule:admin_api or (rule:is_member and role:baremetal_admin)

Full read/write API access

is_node_owner
Default:

project_id:%(node.owner)s

Owner of node

is_node_lessee
Default:

project_id:%(node.lessee)s

Lessee of node

is_allocation_owner
Default:

project_id:%(allocation.owner)s

Owner of allocation

baremetal:node:create
Default:

(role:admin and system_scope:all) or (role:service and system_scope:all)

Operations:
  • POST /nodes

Scope Types:
  • system

  • project

Create Node records

baremetal:node:create:self_owned_node
Default:

(role:admin) or (role:service)

Operations:
  • POST /nodes

Scope Types:
  • system

  • project

Create node records which will be tracked as owned by the associated user project.

baremetal:node:list
Default:

(role:reader) or (role:service)

Operations:
  • GET /nodes

  • GET /nodes/detail

Scope Types:
  • system

  • project

Retrieve multiple Node records, filtered by an explicit owner or the client project_id

baremetal:node:list_all
Default:

(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role

Operations:
  • GET /nodes

  • GET /nodes/detail

Scope Types:
  • system

  • project

Retrieve multiple Node records

baremetal:node:get
Default:

((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and project_id:%(node.owner)s)

Operations:
  • GET /nodes/{node_ident}

Scope Types:
  • system

  • project

Retrieve a single Node record

baremetal:node:get:filter_threshold
Default:

(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role

Operations:
  • GET /nodes/{node_ident}

Scope Types:
  • system

  • project

Filter to allow operators to govern the threshold where information should be filtered. Non-authorized users will be subjected to additional API policy checks for API content response bodies.

baremetal:node:get:last_error
Default:

((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:reader and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • GET /nodes/{node_ident}

Scope Types:
  • system

  • project

Governs if the node last_error field is masked from API clients with insufficient privileges.

baremetal:node:get:reservation
Default:

((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:reader and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • GET /nodes/{node_ident}

Scope Types:
  • system

  • project

Governs if the node reservation field is masked from API clients with insufficient privileges.

baremetal:node:get:driver_internal_info
Default:

((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:reader and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • GET /nodes/{node_ident}

Scope Types:
  • system

  • project

Governs if the node driver_internal_info field is masked from API clients with insufficient privileges.

baremetal:node:get:driver_info
Default:

((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:reader and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • GET /nodes/{node_ident}

Scope Types:
  • system

  • project

Governs if the driver_info field is masked from API clients with insufficient privileges.

baremetal:node:update:driver_info
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • PATCH /nodes/{node_ident}

Scope Types:
  • system

  • project

Governs if node driver_info field can be updated via the API clients.

baremetal:node:update:properties
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • PATCH /nodes/{node_ident}

Scope Types:
  • system

  • project

Governs if node properties field can be updated via the API clients.

baremetal:node:update:chassis_uuid
Default:

role:admin and system_scope:all

Operations:
  • PATCH /nodes/{node_ident}

Scope Types:
  • system

  • project

Governs if node chassis_uuid field can be updated via the API clients.

baremetal:node:update:instance_uuid
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • PATCH /nodes/{node_ident}

Scope Types:
  • system

  • project

Governs if node instance_uuid field can be updated via the API clients.

baremetal:node:update:lessee
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • PATCH /nodes/{node_ident}

Scope Types:
  • system

  • project

Governs if node lessee field can be updated via the API clients.

baremetal:node:update:owner
Default:

(role:member and system_scope:all) or rule:service_role

Operations:
  • PATCH /nodes/{node_ident}

Scope Types:
  • system

  • project

Governs if node owner field can be updated via the API clients.

baremetal:node:update:driver_interfaces
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • PATCH /nodes/{node_ident}

Scope Types:
  • system

  • project

Governs if node driver and driver interfaces field can be updated via the API clients.

baremetal:node:update:network_data
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • PATCH /nodes/{node_ident}

Scope Types:
  • system

  • project

Governs if node network_data field can be updated via the API clients.

baremetal:node:update:conductor_group
Default:

(role:member and system_scope:all) or rule:service_role

Operations:
  • PATCH /nodes/{node_ident}

Scope Types:
  • system

  • project

Governs if node conductor_group field can be updated via the API clients.

baremetal:node:update:name
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • PATCH /nodes/{node_ident}

Scope Types:
  • system

  • project

Governs if node name field can be updated via the API clients.

baremetal:node:update:retired
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • PATCH /nodes/{node_ident}

Scope Types:
  • system

  • project

Governs if node retired and retired reason can be updated by API clients.

baremetal:node:update
Default:

((role:member and system_scope:all) or rule:service_role) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and system_scope:all)

Operations:
  • PATCH /nodes/{node_ident}

Scope Types:
  • system

  • project

Generalized update of node records

baremetal:node:update_extra
Default:

((role:member and system_scope:all) or rule:service_role) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and system_scope:all)

Operations:
  • PATCH /nodes/{node_ident}

Scope Types:
  • system

  • project

Update Node extra field

baremetal:node:update_instance_info
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • PATCH /nodes/{node_ident}

Scope Types:
  • system

  • project

Update Node instance_info field

baremetal:node:update_owner_provisioned
Default:

role:admin and system_scope:all

Operations:
  • PATCH /nodes/{node_ident}

Scope Types:
  • system

Update Node owner even when Node is provisioned

baremetal:node:delete
Default:

role:admin and system_scope:all

Operations:
  • DELETE /nodes/{node_ident}

Scope Types:
  • system

  • project

Delete Node records

baremetal:node:delete:self_owned_node
Default:

role:admin and project_id:%(node.owner)s

Operations:
  • DELETE /nodes/{node_ident}

Scope Types:
  • system

  • project

Delete node records which are associated with the requesting project.

baremetal:node:validate
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • GET /nodes/{node_ident}/validate

Scope Types:
  • system

  • project

Request active validation of Nodes

baremetal:node:set_maintenance
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • PUT /nodes/{node_ident}/maintenance

Scope Types:
  • system

  • project

Set maintenance flag, taking a Node out of service

baremetal:node:clear_maintenance
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • DELETE /nodes/{node_ident}/maintenance

Scope Types:
  • system

  • project

Clear maintenance flag, placing the Node into service again

baremetal:node:get_boot_device
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • GET /nodes/{node_ident}/management/boot_device

  • GET /nodes/{node_ident}/management/boot_device/supported

Scope Types:
  • system

  • project

Retrieve Node boot device metadata

baremetal:node:set_boot_device
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • PUT /nodes/{node_ident}/management/boot_device

Scope Types:
  • system

  • project

Change Node boot device

baremetal:node:get_indicator_state
Default:

((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and project_id:%(node.owner)s)

Operations:
  • GET /nodes/{node_ident}/management/indicators/{component}/{indicator}

  • GET /nodes/{node_ident}/management/indicators

Scope Types:
  • system

  • project

Retrieve Node indicators and their states

baremetal:node:set_indicator_state
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • PUT /nodes/{node_ident}/management/indicators/{component}/{indicator}

Scope Types:
  • system

  • project

Change Node indicator state

baremetal:node:inject_nmi
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • PUT /nodes/{node_ident}/management/inject_nmi

Scope Types:
  • system

  • project

Inject NMI for a node

baremetal:node:get_states
Default:

((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and project_id:%(node.owner)s)

Operations:
  • GET /nodes/{node_ident}/states

Scope Types:
  • system

  • project

View Node power and provision state

baremetal:node:set_power_state
Default:

((role:member and system_scope:all) or rule:service_role) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and system_scope:all)

Operations:
  • PUT /nodes/{node_ident}/states/power

Scope Types:
  • system

  • project

Change Node power status

baremetal:node:set_boot_mode
Default:

((role:member and system_scope:all) or rule:service_role) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and system_scope:all)

Operations:
  • PUT /nodes/{node_ident}/states/boot_mode

Scope Types:
  • system

  • project

Change Node boot mode

baremetal:node:set_secure_boot
Default:

((role:member and system_scope:all) or rule:service_role) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and system_scope:all)

Operations:
  • PUT /nodes/{node_ident}/states/secure_boot

Scope Types:
  • system

  • project

Change Node secure boot state

baremetal:node:set_provision_state
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • PUT /nodes/{node_ident}/states/provision

Scope Types:
  • system

  • project

Change Node provision status

baremetal:node:set_provision_state:clean_steps
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • PUT /nodes/{node_ident}/states/provision

Scope Types:
  • system

  • project

Allow execution of arbitrary steps on a node

baremetal:node:set_provision_state:service_steps
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • PUT /nodes/{node_ident}/states/provision

Scope Types:
  • system

  • project

Allow execution of arbitrary steps on a node

baremetal:node:set_raid_state
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • PUT /nodes/{node_ident}/states/raid

Scope Types:
  • system

  • project

Change Node RAID status

baremetal:node:get_console
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • GET /nodes/{node_ident}/states/console

Scope Types:
  • system

  • project

Get Node console connection information

baremetal:node:set_console_state
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • PUT /nodes/{node_ident}/states/console

Scope Types:
  • system

  • project

Change Node console status

baremetal:node:vif:list
Default:

((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and project_id:%(node.owner)s)

Operations:
  • GET /nodes/{node_ident}/vifs

Scope Types:
  • system

  • project

List VIFs attached to node

baremetal:node:vif:attach
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • POST /nodes/{node_ident}/vifs

Scope Types:
  • system

  • project

Attach a VIF to a node

baremetal:node:vif:detach
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • DELETE /nodes/{node_ident}/vifs/{node_vif_ident}

Scope Types:
  • system

  • project

Detach a VIF from a node

baremetal:node:traits:list
Default:

((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and project_id:%(node.owner)s)

Operations:
  • GET /nodes/{node_ident}/traits

Scope Types:
  • system

  • project

List node traits

baremetal:node:traits:set
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • PUT /nodes/{node_ident}/traits

  • PUT /nodes/{node_ident}/traits/{trait}

Scope Types:
  • system

  • project

Add a trait to, or replace all traits of, a node

baremetal:node:traits:delete
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • DELETE /nodes/{node_ident}/traits

  • DELETE /nodes/{node_ident}/traits/{trait}

Scope Types:
  • system

  • project

Remove one or all traits from a node

baremetal:node:bios:get
Default:

((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and project_id:%(node.owner)s)

Operations:
  • GET /nodes/{node_ident}/bios

  • GET /nodes/{node_ident}/bios/{setting}

Scope Types:
  • system

  • project

Retrieve Node BIOS information

baremetal:node:disable_cleaning
Default:

role:admin and system_scope:all

Operations:
  • PATCH /nodes/{node_ident}

Scope Types:
  • system

  • project

Disable Node disk cleaning

baremetal:node:history:get
Default:

((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:reader and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • GET /nodes/{node_ident}/history

  • GET /nodes/{node_ident}/history/{event_ident}

Scope Types:
  • system

  • project

Filter to allow operators to retrieve history records for a node.

baremetal:node:inventory:get
Default:

((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:reader and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • GET /nodes/{node_ident}/inventory

Scope Types:
  • system

  • project

Retrieve introspection data for a node.

baremetal:node:update:shard
Default:

role:admin and system_scope:all

Operations:
  • PATCH /nodes/{node_ident}

Scope Types:
  • system

  • project

Governs if node shard field can be updated via the API clients.

baremetal:shards:get
Default:

(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role

Operations:
  • GET /shards

Scope Types:
  • system

  • project

Governs if shards can be read via the API clients.

baremetal:node:update:parent_node
Default:

(role:member and system_scope:all) or rule:service_role

Operations:
  • PATCH /nodes/{node_ident}

Scope Types:
  • system

  • project

Governs if node parent_node field can be updated via the API clients.

baremetal:node:firmware:get
Default:

((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and project_id:%(node.owner)s)

Operations:
  • GET /nodes/{node_ident}/firmware

Scope Types:
  • system

  • project

Retrieve Node Firmware components information

baremetal:node:vmedia:attach
Default:

((role:member and system_scope:all) or rule:service_role) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and system_scope:all)

Operations:
  • POST /nodes/{node_ident}/vmedia

Scope Types:
  • system

  • project

Attach a virtual media device to a node

baremetal:node:vmedia:detach
Default:

((role:member and system_scope:all) or rule:service_role) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and system_scope:all)

Operations:
  • DELETE /nodes/{node_ident}/vmedia

Scope Types:
  • system

  • project

Detach a virtual media device from a node

baremetal:node:vmedia:get
Default:

((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and project_id:%(node.owner)s)

Operations:
  • GET /nodes/{node_ident}/vmedia

Scope Types:
  • system

  • project

Get virtual media device details from a node

baremetal:port:get
Default:

((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and project_id:%(node.owner)s)

Operations:
  • GET /ports/{port_id}

  • GET /nodes/{node_ident}/ports

  • GET /nodes/{node_ident}/ports/detail

  • GET /portgroups/{portgroup_ident}/ports

  • GET /portgroups/{portgroup_ident}/ports/detail

Scope Types:
  • system

  • project

Retrieve Port records

baremetal:port:list
Default:

(role:reader) or (role:service)

Operations:
  • GET /ports

  • GET /ports/detail

Scope Types:
  • system

  • project

Retrieve multiple Port records, filtered by owner

baremetal:port:list_all
Default:

(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role

Operations:
  • GET /ports

  • GET /ports/detail

Scope Types:
  • system

  • project

Retrieve multiple Port records

baremetal:port:create
Default:

(role:admin and system_scope:all) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • POST /ports

Scope Types:
  • system

  • project

Create Port records

baremetal:port:delete
Default:

(role:admin and system_scope:all) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • DELETE /ports/{port_id}

Scope Types:
  • system

  • project

Delete Port records

baremetal:port:update
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • PATCH /ports/{port_id}

Scope Types:
  • system

  • project

Update Port records

baremetal:portgroup:get
Default:

((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and project_id:%(node.owner)s)

Operations:
  • GET /portgroups

  • GET /portgroups/detail

  • GET /portgroups/{portgroup_ident}

  • GET /nodes/{node_ident}/portgroups

  • GET /nodes/{node_ident}/portgroups/detail

Scope Types:
  • system

  • project

Retrieve Portgroup records

baremetal:portgroup:create
Default:

(role:admin and system_scope:all) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • POST /portgroups

Scope Types:
  • system

  • project

Create Portgroup records

baremetal:portgroup:delete
Default:

(role:admin and system_scope:all) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • DELETE /portgroups/{portgroup_ident}

Scope Types:
  • system

  • project

Delete Portgroup records

baremetal:portgroup:update
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • PATCH /portgroups/{portgroup_ident}

Scope Types:
  • system

  • project

Update Portgroup records

baremetal:portgroup:list
Default:

(role:reader) or (role:service)

Operations:
  • GET /portgroups

  • GET /portgroups/detail

Scope Types:
  • system

  • project

Retrieve multiple Portgroup records, filtered by owner

baremetal:portgroup:list_all
Default:

(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role

Operations:
  • GET /portgroups

  • GET /portgroups/detail

Scope Types:
  • system

  • project

Retrieve multiple Portgroup records

baremetal:chassis:get
Default:

(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role

Operations:
  • GET /chassis

  • GET /chassis/detail

  • GET /chassis/{chassis_id}

Scope Types:
  • system

Retrieve Chassis records

baremetal:chassis:create
Default:

role:admin and system_scope:all

Operations:
  • POST /chassis

Scope Types:
  • system

Create Chassis records

baremetal:chassis:delete
Default:

role:admin and system_scope:all

Operations:
  • DELETE /chassis/{chassis_id}

Scope Types:
  • system

Delete Chassis records

baremetal:chassis:update
Default:

(role:member and system_scope:all) or rule:service_role

Operations:
  • PATCH /chassis/{chassis_id}

Scope Types:
  • system

Update Chassis records

baremetal:driver:get
Default:

(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role

Operations:
  • GET /drivers

  • GET /drivers/{driver_name}

Scope Types:
  • system

View list of available drivers

baremetal:driver:get_properties
Default:

(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role

Operations:
  • GET /drivers/{driver_name}/properties

Scope Types:
  • system

View driver-specific properties

baremetal:driver:get_raid_logical_disk_properties
Default:

(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role

Operations:
  • GET /drivers/{driver_name}/raid/logical_disk_properties

Scope Types:
  • system

View driver-specific RAID metadata

baremetal:node:vendor_passthru
Default:

role:admin and system_scope:all

Operations:
  • GET nodes/{node_ident}/vendor_passthru/methods

  • GET nodes/{node_ident}/vendor_passthru?method={method_name}

  • PUT nodes/{node_ident}/vendor_passthru?method={method_name}

  • POST nodes/{node_ident}/vendor_passthru?method={method_name}

  • PATCH nodes/{node_ident}/vendor_passthru?method={method_name}

  • DELETE nodes/{node_ident}/vendor_passthru?method={method_name}

Scope Types:
  • system

  • project

Access vendor-specific Node functions

baremetal:driver:vendor_passthru
Default:

role:admin and system_scope:all

Operations:
  • GET drivers/{driver_name}/vendor_passthru/methods

  • GET drivers/{driver_name}/vendor_passthru?method={method_name}

  • PUT drivers/{driver_name}/vendor_passthru?method={method_name}

  • POST drivers/{driver_name}/vendor_passthru?method={method_name}

  • PATCH drivers/{driver_name}/vendor_passthru?method={method_name}

  • DELETE drivers/{driver_name}/vendor_passthru?method={method_name}

Scope Types:
  • system

Access vendor-specific Driver functions

baremetal:node:ipa_heartbeat
Default:

<empty string>

Operations:
  • POST /heartbeat/{node_ident}

Receive heartbeats from IPA ramdisk

baremetal:driver:ipa_lookup
Default:

<empty string>

Operations:
  • GET /lookup

Access IPA ramdisk functions

baremetal:driver:ipa_continue_inspection
Default:

<empty string>

Operations:
  • POST /continue_inspection

Receive inspection data from the ramdisk

baremetal:volume:list_all
Default:

(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role

Operations:
  • GET /volume/connectors

  • GET /volume/targets

  • GET /nodes/{node_ident}/volume/connectors

  • GET /nodes/{node_ident}/volume/targets

Scope Types:
  • system

  • project

Retrieve a list of all Volume connector and target records

baremetal:volume:list
Default:

(role:reader) or (role:service)

Operations:
  • GET /volume/connectors

  • GET /volume/targets

  • GET /nodes/{node_ident}/volume/connectors

  • GET /nodes/{node_ident}/volume/targets

Scope Types:
  • system

  • project

Retrieve a list of Volume connector and target records

baremetal:volume:get
Default:

((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and project_id:%(node.owner)s)

Operations:
  • GET /volume

  • GET /volume/connectors

  • GET /volume/connectors/{volume_connector_id}

  • GET /volume/targets

  • GET /volume/targets/{volume_target_id}

  • GET /nodes/{node_ident}/volume

  • GET /nodes/{node_ident}/volume/connectors

  • GET /nodes/{node_ident}/volume/targets

Scope Types:
  • system

  • project

Retrieve Volume connector and target records

baremetal:volume:create
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • POST /volume/connectors

  • POST /volume/targets

Scope Types:
  • system

  • project

Create Volume connector and target records

baremetal:volume:delete
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • DELETE /volume/connectors/{volume_connector_id}

  • DELETE /volume/targets/{volume_target_id}

Scope Types:
  • system

  • project

Delete Volume connector and target records

baremetal:volume:update
Default:

((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)

Operations:
  • PATCH /volume/connectors/{volume_connector_id}

  • PATCH /volume/targets/{volume_target_id}

Scope Types:
  • system

  • project

Update Volume connector and target records

baremetal:volume:view_target_properties
Default:

((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:admin)

Operations:
  • GET /volume/connectors/{volume_connector_id}

  • GET /volume/targets/{volume_target_id}

Scope Types:
  • system

  • project

Ability to view volume target properties

baremetal:conductor:get
Default:

(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role

Operations:
  • GET /conductors

  • GET /conductors/{hostname}

Scope Types:
  • system

  • project

Retrieve Conductor records

baremetal:allocation:get
Default:

((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and project_id:%(allocation.owner)s)

Operations:
  • GET /allocations/{allocation_id}

  • GET /nodes/{node_ident}/allocation

Scope Types:
  • system

  • project

Retrieve Allocation records

baremetal:allocation:list
Default:

(role:reader) or (role:service)

Operations:
  • GET /allocations

Scope Types:
  • system

  • project

Retrieve multiple Allocation records, filtered by owner

baremetal:allocation:list_all
Default:

(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role

Operations:
  • GET /allocations

Scope Types:
  • system

  • project

Retrieve multiple Allocation records

baremetal:allocation:create
Default:

((role:member and system_scope:all) or rule:service_role) or (role:member)

Operations:
  • POST /allocations

Scope Types:
  • system

  • project

Create Allocation records

baremetal:allocation:create_restricted
Default:

(role:member and system_scope:all) or rule:service_role

Operations:
  • POST /allocations

Scope Types:
  • system

  • project

Create Allocation records with a specific owner

baremetal:allocation:delete
Default:

((role:member and system_scope:all) or rule:service_role) or (role:member and project_id:%(allocation.owner)s)

Operations:
  • DELETE /allocations/{allocation_id}

  • DELETE /nodes/{node_ident}/allocation

Scope Types:
  • system

  • project

Delete Allocation records

baremetal:allocation:update
Default:

((role:member and system_scope:all) or rule:service_role) or (role:member and project_id:%(allocation.owner)s)

Operations:
  • PATCH /allocations/{allocation_id}

Scope Types:
  • system

  • project

Change name and extra fields of an allocation

baremetal:allocation:create_pre_rbac
Default:

(rule:is_member and role:baremetal_admin) or (is_admin_project:True and role:admin)

Operations:
  • PATCH /allocations/{allocation_id}

Scope Types:
  • project

Logical restrictor to prevent misuse of the legacy allocation rule; requires blank allocations to originate from the legacy baremetal_admin

baremetal:events:post
Default:

role:admin and system_scope:all

Operations:
  • POST /events

Scope Types:
  • system

Post events

baremetal:deploy_template:get
Default:

(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role

Operations:
  • GET /deploy_templates

  • GET /deploy_templates/{deploy_template_ident}

Scope Types:
  • system

  • project

Retrieve Deploy Template records

baremetal:deploy_template:create
Default:

role:admin and system_scope:all

Operations:
  • POST /deploy_templates

Scope Types:
  • system

  • project

Create Deploy Template records

baremetal:deploy_template:delete
Default:

role:admin and system_scope:all

Operations:
  • DELETE /deploy_templates/{deploy_template_ident}

Scope Types:
  • system

  • project

Delete Deploy Template records

baremetal:deploy_template:update
Default:

role:admin and system_scope:all

Operations:
  • PATCH /deploy_templates/{deploy_template_ident}

Scope Types:
  • system

  • project

Update Deploy Template records

baremetal:runbook:get
Default:

((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and project_id:%(runbook.owner)s) or role:service

Operations:
  • GET /runbooks/{runbook_ident}

Scope Types:
  • system

  • project

Retrieve a single runbook record

baremetal:runbook:list
Default:

(role:reader) or (role:service)

Operations:
  • GET /runbooks

Scope Types:
  • system

  • project

Retrieve multiple runbook records, filtered by an explicit owner or the client project_id

baremetal:runbook:list_all
Default:

(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role

Operations:
  • GET /runbooks

Scope Types:
  • system

  • project

Retrieve all runbook records

baremetal:runbook:create
Default:

((role:member and system_scope:all) or rule:service_role) or role:manager or role:service

Operations:
  • POST /runbooks

Scope Types:
  • system

  • project

Create Runbook records

baremetal:runbook:delete
Default:

((role:member and system_scope:all) or rule:service_role) or (role:manager and project_id:%(runbook.owner)s) or role:service

Operations:
  • DELETE /runbooks/{runbook_ident}

Scope Types:
  • system

  • project

Delete a runbook record

baremetal:runbook:update
Default:

((role:member and system_scope:all) or rule:service_role) or (role:manager and project_id:%(runbook.owner)s) or role:service

Operations:
  • PATCH /runbooks/{runbook_ident}

Scope Types:
  • system

  • project

Update a runbook record

baremetal:runbook:update:public
Default:

(role:member and system_scope:all) or rule:service_role

Operations:
  • PATCH /runbooks/{runbook_ident}/public

Scope Types:
  • system

  • project

Set and unset a runbook as public

baremetal:runbook:update:owner
Default:

(role:member and system_scope:all) or rule:service_role

Operations:
  • PATCH /runbooks/{runbook_ident}/owner

Scope Types:
  • system

  • project

Set and unset the owner of a runbook

baremetal:runbook:use
Default:

((role:member and system_scope:all) or rule:service_role) or (role:manager and project_id:%(runbook.owner)s) or role:service

Operations:
  • PUT /nodes/{node_ident}/states/provision

Scope Types:
  • system

  • project

Allowed to use a runbook for node operations