Policies

The following is an overview of all available policies in Ironic. For a sample configuration file, refer to Ironic Policy.

ironic.api

admin_api
Default: role:admin or role:administrator

Legacy rule for cloud admin access

public_api
Default: is_public_api:True

Internal flag for public API routes

show_password
Default: !

Show or mask secrets within node driver information in API responses

show_instance_secrets
Default: !

Show or mask secrets within instance information in API responses

is_member
Default: (project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)

May be used to restrict access to specific projects

is_observer
Default: rule:is_member and (role:observer or role:baremetal_observer)

Read-only API access

is_admin
Default: rule:admin_api or (rule:is_member and role:baremetal_admin)

Full read/write API access

baremetal:node:get
Default: rule:is_admin or rule:is_observer

Retrieve Node records

baremetal:node:get_boot_device
Default: rule:is_admin or rule:is_observer

Retrieve Node boot device metadata

baremetal:node:get_states
Default: rule:is_admin or rule:is_observer

View Node power and provision state

baremetal:node:create
Default: rule:is_admin

Create Node records

baremetal:node:delete
Default: rule:is_admin

Delete Node records

baremetal:node:update
Default: rule:is_admin

Update Node records

baremetal:node:validate
Default: rule:is_admin

Request active validation of Nodes

baremetal:node:set_maintenance
Default: rule:is_admin

Set maintenance flag, taking a Node out of service

baremetal:node:clear_maintenance
Default: rule:is_admin

Clear maintenance flag, placing the Node into service again

baremetal:node:set_boot_device
Default: rule:is_admin

Change Node boot device

baremetal:node:set_power_state
Default: rule:is_admin

Change Node power status

baremetal:node:set_provision_state
Default: rule:is_admin

Change Node provision status

baremetal:node:set_raid_state
Default: rule:is_admin

Change Node RAID status

baremetal:node:get_console
Default: rule:is_admin

Get Node console connection information

baremetal:node:set_console_state
Default: rule:is_admin

Change Node console status

baremetal:node:vif:list
Default: rule:is_admin

List VIFs attached to node

baremetal:node:vif:attach
Default: rule:is_admin

Attach a VIF to a node

baremetal:node:vif:detach
Default: rule:is_admin

Detach a VIF from a node

baremetal:node:inject_nmi
Default: rule:is_admin

Inject NMI for a node

baremetal:port:get
Default: rule:is_admin or rule:is_observer

Retrieve Port records

baremetal:port:create
Default: rule:is_admin

Create Port records

baremetal:port:delete
Default: rule:is_admin

Delete Port records

baremetal:port:update
Default: rule:is_admin

Update Port records

baremetal:portgroup:get
Default: rule:is_admin or rule:is_observer

Retrieve Portgroup records

baremetal:portgroup:create
Default: rule:is_admin

Create Portgroup records

baremetal:portgroup:delete
Default: rule:is_admin

Delete Portgroup records

baremetal:portgroup:update
Default: rule:is_admin

Update Portgroup records

baremetal:chassis:get
Default: rule:is_admin or rule:is_observer

Retrieve Chassis records

baremetal:chassis:create
Default: rule:is_admin

Create Chassis records

baremetal:chassis:delete
Default: rule:is_admin

Delete Chassis records

baremetal:chassis:update
Default: rule:is_admin

Update Chassis records

baremetal:driver:get
Default: rule:is_admin or rule:is_observer

View list of available drivers

baremetal:driver:get_properties
Default: rule:is_admin or rule:is_observer

View driver-specific properties

baremetal:driver:get_raid_logical_disk_properties
Default: rule:is_admin or rule:is_observer

View driver-specific RAID metadata

baremetal:node:vendor_passthru
Default: rule:is_admin

Access vendor-specific Node functions

baremetal:driver:vendor_passthru
Default: rule:is_admin

Access vendor-specific Driver functions

baremetal:node:ipa_heartbeat
Default: rule:public_api

Send heartbeats from IPA ramdisk

baremetal:driver:ipa_lookup
Default: rule:public_api

Access IPA ramdisk functions

baremetal:volume:get
Default: rule:is_admin or rule:is_observer

Retrieve Volume connector and target records

baremetal:volume:create
Default: rule:is_admin

Create Volume connector and target records

baremetal:volume:delete
Default: rule:is_admin

Delete Volume connector and target records

baremetal:volume:update
Default: rule:is_admin

Update Volume connector and target records
