The following is an overview of all available policies in Ironic. For a sample configuration file, refer to Ironic Policy.
admin_api
Default: role:admin or role:administrator
Legacy rule for cloud admin access

public_api
Default: is_public_api:True
Internal flag for public API routes

show_password
Default: !
Show or mask secrets within node driver information in API responses

show_instance_secrets
Default: !
Show or mask secrets within instance information in API responses

is_member
Default: (project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)
May be used to restrict access to specific projects

is_observer
Default: rule:is_member and (role:observer or role:baremetal_observer)
Read-only API access

is_admin
Default: rule:admin_api or (rule:is_member and role:baremetal_admin)
Full read/write API access

baremetal:node:get
Default: rule:is_admin or rule:is_observer
Retrieve Node records

baremetal:node:get_boot_device
Default: rule:is_admin or rule:is_observer
Retrieve Node boot device metadata

baremetal:node:get_states
Default: rule:is_admin or rule:is_observer
View Node power and provision state

baremetal:node:create
Default: rule:is_admin
Create Node records

baremetal:node:delete
Default: rule:is_admin
Delete Node records

baremetal:node:update
Default: rule:is_admin
Update Node records

baremetal:node:validate
Default: rule:is_admin
Request active validation of Nodes

baremetal:node:set_maintenance
Default: rule:is_admin
Set maintenance flag, taking a Node out of service

baremetal:node:clear_maintenance
Default: rule:is_admin
Clear maintenance flag, placing the Node into service again

baremetal:node:set_boot_device
Default: rule:is_admin
Change Node boot device

baremetal:node:set_power_state
Default: rule:is_admin
Change Node power status

baremetal:node:set_provision_state
Default: rule:is_admin
Change Node provision status

baremetal:node:set_raid_state
Default: rule:is_admin
Change Node RAID status

baremetal:node:get_console
Default: rule:is_admin
Get Node console connection information

baremetal:node:set_console_state
Default: rule:is_admin
Change Node console status

baremetal:node:vif:list
Default: rule:is_admin
List VIFs attached to node

baremetal:node:vif:attach
Default: rule:is_admin
Attach a VIF to a node

baremetal:node:vif:detach
Default: rule:is_admin
Detach a VIF from a node

baremetal:node:inject_nmi
Default: rule:is_admin
Inject NMI for a node

baremetal:port:get
Default: rule:is_admin or rule:is_observer
Retrieve Port records

baremetal:port:create
Default: rule:is_admin
Create Port records

baremetal:port:delete
Default: rule:is_admin
Delete Port records

baremetal:port:update
Default: rule:is_admin
Update Port records

baremetal:portgroup:get
Default: rule:is_admin or rule:is_observer
Retrieve Portgroup records

baremetal:portgroup:create
Default: rule:is_admin
Create Portgroup records

baremetal:portgroup:delete
Default: rule:is_admin
Delete Portgroup records

baremetal:portgroup:update
Default: rule:is_admin
Update Portgroup records

baremetal:chassis:get
Default: rule:is_admin or rule:is_observer
Retrieve Chassis records

baremetal:chassis:create
Default: rule:is_admin
Create Chassis records

baremetal:chassis:delete
Default: rule:is_admin
Delete Chassis records

baremetal:chassis:update
Default: rule:is_admin
Update Chassis records

baremetal:driver:get
Default: rule:is_admin or rule:is_observer
View list of available drivers

baremetal:driver:get_properties
Default: rule:is_admin or rule:is_observer
View driver-specific properties

baremetal:driver:get_raid_logical_disk_properties
Default: rule:is_admin or rule:is_observer
View driver-specific RAID metadata

baremetal:node:vendor_passthru
Default: rule:is_admin
Access vendor-specific Node functions

baremetal:driver:vendor_passthru
Default: rule:is_admin
Access vendor-specific Driver functions

baremetal:node:ipa_heartbeat
Default: rule:public_api
Send heartbeats from IPA ramdisk

baremetal:driver:ipa_lookup
Default: rule:public_api
Access IPA ramdisk functions

baremetal:volume:get
Default: rule:is_admin or rule:is_observer
Retrieve Volume connector and target records

baremetal:volume:create
Default: rule:is_admin
Create Volume connector and target records

baremetal:volume:delete
Default: rule:is_admin
Delete Volume connector and target records

baremetal:volume:update
Default: rule:is_admin
Update Volume connector and target records
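
How the default rules above compose, as an added example that is not Ironic's or oslo.policy's code: a simplified evaluator for the default expressions on this page, useful for checking who a default actually admits before writing an override. The credential dictionaries are constructed samples, and the evaluator handles only the operators these defaults use.

```python
import re

# Default expressions copied from the policy list above (a subset).
RULES = {
    "admin_api": "role:admin or role:administrator",
    "show_password": "!",
    "is_member": "(project_domain_id:default or project_domain_id:None) and "
                 "(project_name:demo or project_name:baremetal)",
    "is_observer": "rule:is_member and (role:observer or role:baremetal_observer)",
    "is_admin": "rule:admin_api or (rule:is_member and role:baremetal_admin)",
    "baremetal:node:get": "rule:is_admin or rule:is_observer",
    "baremetal:node:set_power_state": "rule:is_admin",
}

def check(atom, creds):
    """Evaluate one check: '!', rule:NAME, role:NAME or key:value."""
    if atom == "!":
        return False  # '!' never matches, so nobody is granted the policy
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return allowed(match, creds)  # follow the reference to another rule
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    return kind in creds and str(creds[kind]) == match  # e.g. project_name:demo

def allowed(policy, creds):
    """Evaluate RULES[policy] for creds. Operators are applied left to right,
    which is enough here because every mixed and/or default is parenthesised."""
    tokens = re.findall(r"[()]|[^\s()]+", RULES[policy])
    def atom():
        tok = tokens.pop(0)
        if tok != "(":
            return check(tok, creds)
        val = expr()
        tokens.pop(0)  # discard the closing ')'
        return val
    def expr():
        val = atom()
        while tokens and tokens[0] in ("and", "or"):
            op, rhs = tokens.pop(0), atom()
            val = (val and rhs) if op == "and" else (val or rhs)
        return val
    return expr()

# Constructed sample credentials, not taken from any deployment.
OBSERVER = {"roles": ["observer"], "project_name": "demo", "project_domain_id": "default"}
CLOUD_ADMIN = {"roles": ["admin"], "project_name": "other", "project_domain_id": "default"}
OUTSIDER = {"roles": ["baremetal_admin"], "project_name": "prod", "project_domain_id": "default"}
```

With these defaults, `CLOUD_ADMIN` passes `is_admin` through `admin_api` even though its project fails `is_member`, while `OUTSIDER` holds `baremetal_admin` in a project the defaults do not name and is refused. `show_password` is denied to every caller, including the admin.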