The following is a sample Karbor policy file, auto-generated from the default policy values in code. If you are using the default policies, you do not need to maintain this file, and it should not be copied into a deployment: doing so results in duplicate policy definitions. It is provided to show which policy rule protects each Karbor API. Copy an entry into a deployment only when you intend to give that operation a policy different from its default.
The sample policy file can also be viewed in file form.
#
#"context_is_admin": "role:admin"
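# Matches a context with is_admin set, the admin role inside the admin
# project, or any caller whose project_id equals the target's project_id.
# The last clause checks project membership only; it does not require a role.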
#"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"
#
#"default": "rule:admin_or_owner"
# Admin-only rule: the same check as admin_or_owner without the
# project_id (owner) clause.
#"admin_api": "is_admin:True or (role:admin and is_admin_project:True)"
# Create a plan.
# POST /plans
#"plan:create": "rule:admin_or_owner"
# Update a plan.
# PUT /plans/{plan_id}
#"plan:update": "rule:admin_or_owner"
# Delete a plan.
# DELETE /plans/{plan_id}
#"plan:delete": "rule:admin_or_owner"
# Get a plan.
# GET /plans/{plan_id}
#"plan:get": "rule:admin_or_owner"
# Get plans.
# GET /plans
#"plan:get_all": "rule:admin_or_owner"
# Create a restore.
# POST /restores
#"restore:create": "rule:admin_or_owner"
# Update a restore.
# PUT /restores
#"restore:update": "rule:admin_or_owner"
# Get a restore.
# GET /restores/{restore_id}
#"restore:get": "rule:admin_or_owner"
# Get restores.
# GET /restores
#"restore:get_all": "rule:admin_or_owner"
# Show a protectable type.
# GET /protectables/{protectable_type}
#"protectable:get": "rule:admin_or_owner"
# List protectable types.
# GET /protectables
#"protectable:get_all": "rule:admin_or_owner"
# Show a protectable instance.
# GET /protectables/{protectable_type}/instances/{resource_id}
#"protectable:instance_get": "rule:admin_or_owner"
# List protectable instances.
# GET /protectables/{protectable_type}/instances
#"protectable:instance_get_all": "rule:admin_or_owner"
# Show a protection provider.
# GET /providers/{provider_id}
#"provider:get": "rule:admin_or_owner"
# List protection providers.
# GET /providers
#"provider:get_all": "rule:admin_or_owner"
# Show a checkpoint.
# GET /providers/{provider_id}/checkpoints/{checkpoint_id}
#"provider:checkpoint_get": "rule:admin_or_owner"
# List checkpoints.
# GET /providers/{provider_id}/checkpoints
#"provider:checkpoint_get_all": "rule:admin_or_owner"
# Create checkpoint.
# POST /providers/{provider_id}/checkpoints
#"provider:checkpoint_create": "rule:admin_or_owner"
# Delete checkpoint.
# DELETE /providers/{provider_id}/checkpoints/{checkpoint_id}
#"provider:checkpoint_delete": "rule:admin_or_owner"
# Reset checkpoint state.
# PUT /providers/{provider_id}/checkpoints/{checkpoint_id}
#"provider:checkpoint_update": "rule:admin_or_owner"
# Create a trigger.
# POST /triggers
#"trigger:create": "rule:admin_or_owner"
# Update a trigger.
# PUT /triggers/{trigger_id}
#"trigger:update": "rule:admin_or_owner"
# Delete a trigger.
# DELETE /triggers/{trigger_id}
#"trigger:delete": "rule:admin_or_owner"
# Get a trigger.
# GET /triggers/{trigger_id}
#"trigger:get": "rule:admin_or_owner"
# Get triggers.
# GET /triggers
#"trigger:list": "rule:admin_or_owner"
# Create a scheduled_operation.
# POST /scheduled_operations
#"scheduled_operation:create": "rule:admin_or_owner"
# Delete a scheduled_operation.
# DELETE /scheduled_operations/{scheduled_operation_id}
#"scheduled_operation:delete": "rule:admin_or_owner"
# Get a scheduled_operation.
# GET /scheduled_operations/{scheduled_operation_id}
#"scheduled_operation:get": "rule:admin_or_owner"
# Get scheduled_operations.
# GET /scheduled_operations
#"scheduled_operation:list": "rule:admin_or_owner"
# Get an operation_log.
# GET /operation_logs/{operation_log_id}
#"operation_log:get": "rule:admin_or_owner"
# Get operation_logs.
# GET /operation_logs
#"operation_log:list": "rule:admin_or_owner"
# Create a verification.
# POST /verifications
#"verification:create": "rule:admin_or_owner"
# Get a verification.
# GET /verifications/{verification_id}
#"verification:get": "rule:admin_or_owner"
# Get verifications.
# GET /verifications
#"verification:get_all": "rule:admin_or_owner"
# List services.
# GET /os-services
#"service:get_all": "rule:admin_api"
# Update service status.
# PUT /os-services/{service_id}
#"service:update": "rule:admin_api"
# Update quotas for a project.
# PUT /quotas/{project_id}
#"quota:update": "rule:admin_api"
# Delete quotas for a project.
# DELETE /quotas/{project_id}
#"quota:delete": "rule:admin_api"
# Get quotas for a project.
# GET /quotas/{project_id}
#"quota:get": "rule:admin_or_owner"
# Get default quotas for a project.
# GET /quotas/{project_id}/defaults
#"quota:get_default": "rule:admin_or_owner"
# Update quota classes.
# PUT /quota_classes/{quota_class_name}
#"quota_class:update": "rule:admin_api"
# Get quota classes.
# GET /quota_classes/{quota_class_name}
#"quota_class:get": "rule:admin_or_owner"
# Create a copy.
# POST /{project_id}/providers/{provider_id}/checkpoints/action
#"copy:create": "rule:admin_or_owner"