Policies¶
The following is an overview of all available policies in Ironic. For a sample configuration file, refer to Ironic Policy.
ironic.api¶
admin_apiDefault: role:admin or role:administratorLegacy rule for cloud admin access
public_apiDefault: is_public_api:TrueInternal flag for public API routes
show_passwordDefault: !Show or mask secrets within node driver information in API responses
show_instance_secretsDefault: !Show or mask secrets within instance information in API responses
is_memberDefault: (project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)May be used to restrict access to specific projects
is_observerDefault: rule:is_member and (role:observer or role:baremetal_observer)Read-only API access
is_adminDefault: rule:admin_api or (rule:is_member and role:baremetal_admin)Full read/write API access
baremetal:node:createDefault: rule:is_adminOperations: - POST
/nodes
Create Node records
- POST
baremetal:node:getDefault: rule:is_admin or rule:is_observerOperations: - GET
/nodes - GET
/nodes/detail - GET
/nodes/{node_ident}
Retrieve Node records
- GET
baremetal:node:updateDefault: rule:is_adminOperations: - PATCH
/nodes/{node_ident}
Update Node records
- PATCH
baremetal:node:deleteDefault: rule:is_adminOperations: - DELETE
/nodes/{node_ident}
Delete Node records
- DELETE
baremetal:node:validateDefault: rule:is_adminOperations: - GET
/nodes/{node_ident}/validate
Request active validation of Nodes
- GET
baremetal:node:set_maintenanceDefault: rule:is_adminOperations: - PUT
/nodes/{node_ident}/maintenance
Set maintenance flag, taking a Node out of service
- PUT
baremetal:node:clear_maintenanceDefault: rule:is_adminOperations: - DELETE
/nodes/{node_ident}/maintenance
Clear maintenance flag, placing the Node into service again
- DELETE
baremetal:node:get_boot_deviceDefault: rule:is_admin or rule:is_observerOperations: - GET
/nodes/{node_ident}/management/boot_device - GET
/nodes/{node_ident}/management/boot_device/supported
Retrieve Node boot device metadata
- GET
baremetal:node:set_boot_deviceDefault: rule:is_adminOperations: - PUT
/nodes/{node_ident}/management/boot_device
Change Node boot device
- PUT
baremetal:node:inject_nmiDefault: rule:is_adminOperations: - PUT
/nodes/{node_ident}/management/inject_nmi
Inject NMI for a node
- PUT
baremetal:node:get_statesDefault: rule:is_admin or rule:is_observerOperations: - GET
/nodes/{node_ident}/states
View Node power and provision state
- GET
baremetal:node:set_power_stateDefault: rule:is_adminOperations: - PUT
/nodes/{node_ident}/states/power
Change Node power status
- PUT
baremetal:node:set_provision_stateDefault: rule:is_adminOperations: - PUT
/nodes/{node_ident}/states/provision
Change Node provision status
- PUT
baremetal:node:set_raid_stateDefault: rule:is_adminOperations: - PUT
/nodes/{node_ident}/states/raid
Change Node RAID status
- PUT
baremetal:node:get_consoleDefault: rule:is_adminOperations: - GET
/nodes/{node_ident}/states/console
Get Node console connection information
- GET
baremetal:node:set_console_stateDefault: rule:is_adminOperations: - PUT
/nodes/{node_ident}/states/console
Change Node console status
- PUT
baremetal:node:vif:listDefault: rule:is_adminOperations: - GET
/nodes/{node_ident}/vifs
List VIFs attached to node
- GET
baremetal:node:vif:attachDefault: rule:is_adminOperations: - POST
/nodes/{node_ident}/vifs
Attach a VIF to a node
- POST
baremetal:node:vif:detachDefault: rule:is_adminOperations: - DELETE
/nodes/{node_ident}/vifs/{node_vif_ident}
Detach a VIF from a node
- DELETE
baremetal:node:traits:listDefault: rule:is_admin or rule:is_observerOperations: - GET
/nodes/{node_ident}/traits
List node traits
- GET
baremetal:node:traits:setDefault: rule:is_adminOperations: - PUT
/nodes/{node_ident}/traits - PUT
/nodes/{node_ident}/traits/{trait}
Add a trait to, or replace all traits of, a node
- PUT
baremetal:node:traits:deleteDefault: rule:is_adminOperations: - DELETE
/nodes/{node_ident}/traits - DELETE
/nodes/{node_ident}/traits/{trait}
Remove one or all traits from a node
- DELETE
baremetal:node:bios:getDefault: rule:is_admin or rule:is_observerOperations: - GET
/nodes/{node_ident}/bios - GET
/nodes/{node_ident}/bios/{setting}
Retrieve Node BIOS information
- GET
baremetal:port:getDefault: rule:is_admin or rule:is_observerOperations: - GET
/ports - GET
/ports/detail - GET
/ports/{port_id} - GET
/nodes/{node_ident}/ports - GET
/nodes/{node_ident}/ports/detail - GET
/portgroups/{portgroup_ident}/ports - GET
/portgroups/{portgroup_ident}/ports/detail
Retrieve Port records
- GET
baremetal:port:createDefault: rule:is_adminOperations: - POST
/ports
Create Port records
- POST
baremetal:port:deleteDefault: rule:is_adminOperations: - DELETE
/ports/{port_id}
Delete Port records
- DELETE
baremetal:port:updateDefault: rule:is_adminOperations: - PATCH
/ports/{port_id}
Update Port records
- PATCH
baremetal:portgroup:getDefault: rule:is_admin or rule:is_observerOperations: - GET
/portgroups - GET
/portgroups/detail - GET
/portgroups/{portgroup_ident} - GET
/nodes/{node_ident}/portgroups - GET
/nodes/{node_ident}/portgroups/detail
Retrieve Portgroup records
- GET
baremetal:portgroup:createDefault: rule:is_adminOperations: - POST
/portgroups
Create Portgroup records
- POST
baremetal:portgroup:deleteDefault: rule:is_adminOperations: - DELETE
/portgroups/{portgroup_ident}
Delete Portgroup records
- DELETE
baremetal:portgroup:updateDefault: rule:is_adminOperations: - PATCH
/portgroups/{portgroup_ident}
Update Portgroup records
- PATCH
baremetal:chassis:getDefault: rule:is_admin or rule:is_observerOperations: - GET
/chassis - GET
/chassis/detail - GET
/chassis/{chassis_id}
Retrieve Chassis records
- GET
baremetal:chassis:createDefault: rule:is_adminOperations: - POST
/chassis
Create Chassis records
- POST
baremetal:chassis:deleteDefault: rule:is_adminOperations: - DELETE
/chassis/{chassis_id}
Delete Chassis records
- DELETE
baremetal:chassis:updateDefault: rule:is_adminOperations: - PATCH
/chassis/{chassis_id}
Update Chassis records
- PATCH
baremetal:driver:getDefault: rule:is_admin or rule:is_observerOperations: - GET
/drivers - GET
/drivers/{driver_name}
View list of available drivers
- GET
baremetal:driver:get_propertiesDefault: rule:is_admin or rule:is_observerOperations: - GET
/drivers/{driver_name}/properties
View driver-specific properties
- GET
baremetal:driver:get_raid_logical_disk_propertiesDefault: rule:is_admin or rule:is_observerOperations: - GET
/drivers/{driver_name}/raid/logical_disk_properties
View driver-specific RAID metadata
- GET
baremetal:node:vendor_passthruDefault: rule:is_adminOperations: - GET
nodes/{node_ident}/vendor_passthru/methods - GET
nodes/{node_ident}/vendor_passthru?method={method_name} - PUT
nodes/{node_ident}/vendor_passthru?method={method_name} - POST
nodes/{node_ident}/vendor_passthru?method={method_name} - PATCH
nodes/{node_ident}/vendor_passthru?method={method_name} - DELETE
nodes/{node_ident}/vendor_passthru?method={method_name}
Access vendor-specific Node functions
- GET
baremetal:driver:vendor_passthruDefault: rule:is_adminOperations: - GET
drivers/{driver_name}/vendor_passthru/methods - GET
drivers/{driver_name}/vendor_passthru?method={method_name} - PUT
drivers/{driver_name}/vendor_passthru?method={method_name} - POST
drivers/{driver_name}/vendor_passthru?method={method_name} - PATCH
drivers/{driver_name}/vendor_passthru?method={method_name} - DELETE
drivers/{driver_name}/vendor_passthru?method={method_name}
Access vendor-specific Driver functions
- GET
baremetal:node:ipa_heartbeatDefault: rule:public_apiOperations: - POST
/heartbeat/{node_ident}
Send heartbeats from IPA ramdisk
- POST
baremetal:driver:ipa_lookupDefault: rule:public_apiOperations: - GET
/lookup
Access IPA ramdisk functions
- GET
baremetal:volume:getDefault: rule:is_admin or rule:is_observerOperations: - GET
/volume - GET
/volume/connectors - GET
/volume/connectors/{volume_connector_id} - GET
/volume/targets - GET
/volume/targets/{volume_target_id} - GET
/nodes/{node_ident}/volume - GET
/nodes/{node_ident}/volume/connectors - GET
/nodes/{node_ident}/volume/targets
Retrieve Volume connector and target records
- GET
baremetal:volume:createDefault: rule:is_adminOperations: - POST
/volume/connectors - POST
/volume/targets
Create Volume connector and target records
- POST
baremetal:volume:deleteDefault: rule:is_adminOperations: - DELETE
/volume/connectors/{volume_connector_id} - DELETE
/volume/targets/{volume_target_id}
Delete Volume connector and target records
- DELETE
baremetal:volume:updateDefault: rule:is_adminOperations: - PATCH
/volume/connectors/{volume_connector_id} - PATCH
/volume/targets/{volume_target_id}
Update Volume connector and target records
- PATCH
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.