Policy configuration

Configuration

Warning

JSON-formatted policy files are deprecated since Magnum 12.0.0 (Wallaby). The oslopolicy-convert-json-to-yaml tool will migrate an existing JSON-formatted policy file to YAML in a backward-compatible way.

The following is an overview of all available policies in Magnum. For a sample configuration file, refer to policy.yaml.

magnum

context_is_admin
Default:

role:admin

(no description provided)

admin_or_owner
Default:

is_admin:True or project_id:%(project_id)s

(no description provided)

admin_or_user
Default:

is_admin:True or user_id:%(user_id)s

(no description provided)

is_user
Default:

user_id:%(user_id)s

(no description provided)

cluster_user
Default:

user_id:%(trustee_user_id)s

(no description provided)

deny_cluster_user
Default:

not domain_id:%(trustee_domain_id)s

(no description provided)

project_member
Default:

role:member and project_id:%(project_id)s

(no description provided)

project_reader
Default:

role:reader and project_id:%(project_id)s

(no description provided)

admin_or_project_reader
Default:

(rule:context_is_admin) or (rule:project_reader)

(no description provided)

admin_or_project_member
Default:

(rule:context_is_admin) or (rule:project_member)

(no description provided)

admin_or_project_member_user
Default:

(rule:context_is_admin) or ((rule:project_member) and (rule:is_user))

(no description provided)

user_or_cluster_user
Default:

((rule:is_user) or (rule:cluster_user))

(no description provided)

admin_or_user_or_cluster_user
Default:

((rule:context_is_admin) or (rule:user_or_cluster_user))

(no description provided)

admin_or_project_member_cluster_user
Default:

(rule:context_is_admin) or ((rule:project_member) and (rule:cluster_user))

(no description provided)

admin_or_project_member_user_or_cluster_user
Default:

(rule:context_is_admin) or ((rule:project_member) and (rule:user_or_cluster_user))

(no description provided)

project_member_deny_cluster_user
Default:

((rule:project_member) and (rule:deny_cluster_user))

(no description provided)

admin_or_project_member_deny_cluster_user
Default:

(rule:context_is_admin) or (rule:project_member_deny_cluster_user)

(no description provided)

project_reader_deny_cluster_user
Default:

((rule:project_reader) and (rule:deny_cluster_user))

(no description provided)

admin_or_project_reader_deny_cluster_user
Default:

(rule:context_is_admin) or (rule:project_reader_deny_cluster_user)

(no description provided)

admin_or_project_reader_user
Default:

(rule:context_is_admin) or ((rule:project_reader) and (rule:is_user))

(no description provided)

certificate:create
Default:

rule:admin_or_project_member_user

Operations:
  • POST /v1/certificates

Scope Types:
  • project

Sign a new certificate by the CA.

certificate:get
Default:

rule:admin_or_project_reader_user

Operations:
  • GET /v1/certificates/{cluster_uuid}

Scope Types:
  • project

Retrieve CA information about the given cluster.

certificate:rotate_ca
Default:

rule:admin_or_project_member

Operations:
  • PATCH /v1/certificates/{cluster_uuid}

Scope Types:
  • project

Rotate the CA certificate on the given cluster.

cluster:create
Default:

rule:admin_or_project_member_deny_cluster_user

Operations:
  • POST /v1/clusters

Scope Types:
  • project

Create a new cluster.

cluster:delete
Default:

rule:admin_or_project_member_deny_cluster_user

Operations:
  • DELETE /v1/clusters/{cluster_ident}

Scope Types:
  • project

Delete a cluster.

cluster:delete_all_projects
Default:

rule:context_is_admin

Operations:
  • DELETE /v1/clusters/{cluster_ident}

Delete a cluster from any project.

cluster:detail
Default:

rule:admin_or_project_reader_deny_cluster_user

Operations:
  • GET /v1/clusters

Scope Types:
  • project

Retrieve a list of clusters with detail.

cluster:detail_all_projects
Default:

rule:context_is_admin

Operations:
  • GET /v1/clusters

Retrieve a list of clusters with detail across projects.

cluster:get
Default:

rule:admin_or_project_reader_deny_cluster_user

Operations:
  • GET /v1/clusters/{cluster_ident}

Scope Types:
  • project

Retrieve information about the given cluster.

cluster:get_one_all_projects
Default:

rule:context_is_admin

Operations:
  • GET /v1/clusters/{cluster_ident}

Retrieve information about the given cluster across projects.

cluster:get_all
Default:

rule:admin_or_project_reader_deny_cluster_user

Operations:
  • GET /v1/clusters/

Scope Types:
  • project

Retrieve a list of clusters.

cluster:get_all_all_projects
Default:

rule:context_is_admin

Operations:
  • GET /v1/clusters/

Retrieve a list of all clusters across projects.

cluster:update
Default:

rule:admin_or_project_member_deny_cluster_user

Operations:
  • PATCH /v1/clusters/{cluster_ident}

Scope Types:
  • project

Update an existing cluster.

cluster:update_health_status
Default:

rule:admin_or_project_member_user_or_cluster_user

Operations:
  • PATCH /v1/clusters/{cluster_ident}

Scope Types:
  • project

Update the health status of an existing cluster.

cluster:update_all_projects
Default:

rule:context_is_admin

Operations:
  • PATCH /v1/clusters/{cluster_ident}

Update an existing cluster.

cluster:resize
Default:

rule:admin_or_project_member_deny_cluster_user

Operations:
  • POST /v1/clusters/{cluster_ident}/actions/resize

Scope Types:
  • project

Resize an existing cluster.

cluster:upgrade
Default:

rule:admin_or_project_member_deny_cluster_user

Operations:
  • POST /v1/clusters/{cluster_ident}/actions/upgrade

Scope Types:
  • project

Upgrade an existing cluster.

cluster:upgrade_all_projects
Default:

rule:context_is_admin

Operations:
  • POST /v1/clusters/{cluster_ident}/actions/upgrade

Upgrade an existing cluster across all projects.

clustertemplate:create
Default:

rule:admin_or_project_member_deny_cluster_user

Operations:
  • POST /v1/clustertemplates

Scope Types:
  • project

Create a new cluster template.

clustertemplate:delete
Default:

rule:admin_or_project_member

Operations:
  • DELETE /v1/clustertemplate/{clustertemplate_ident}

Scope Types:
  • project

Delete a cluster template.

clustertemplate:delete_all_projects
Default:

rule:context_is_admin

Operations:
  • DELETE /v1/clustertemplate/{clustertemplate_ident}

Delete a cluster template from any project.

clustertemplate:detail_all_projects
Default:

rule:context_is_admin

Operations:
  • GET /v1/clustertemplates

Retrieve a list of cluster templates with detail across projects.

clustertemplate:detail
Default:

rule:admin_or_project_reader_deny_cluster_user

Operations:
  • GET /v1/clustertemplates

Scope Types:
  • project

Retrieve a list of cluster templates with detail.

clustertemplate:get
Default:

rule:admin_or_project_reader_deny_cluster_user

Operations:
  • GET /v1/clustertemplate/{clustertemplate_ident}

Scope Types:
  • project

Retrieve information about the given cluster template.

clustertemplate:get_one_all_projects
Default:

rule:context_is_admin

Operations:
  • GET /v1/clustertemplate/{clustertemplate_ident}

Retrieve information about the given cluster template across projects.

clustertemplate:get_all
Default:

rule:admin_or_project_reader_deny_cluster_user

Operations:
  • GET /v1/clustertemplates

Scope Types:
  • project

Retrieve a list of cluster templates.

clustertemplate:get_all_all_projects
Default:

rule:context_is_admin

Operations:
  • GET /v1/clustertemplates

Retrieve a list of cluster templates across projects.

clustertemplate:update
Default:

rule:admin_or_project_member

Operations:
  • PATCH /v1/clustertemplate/{clustertemplate_ident}

Scope Types:
  • project

Update an existing cluster template.

clustertemplate:update_all_projects
Default:

rule:context_is_admin

Operations:
  • PATCH /v1/clustertemplate/{clustertemplate_ident}

Update an existing cluster template.

clustertemplate:publish
Default:

rule:context_is_admin

Operations:
  • POST /v1/clustertemplates

  • PATCH /v1/clustertemplates

Publish an existing cluster template.

federation:create
Default:

rule:admin_or_project_member_deny_cluster_user

Operations:
  • POST /v1/federations

Scope Types:
  • project

Create a new federation.

federation:delete
Default:

rule:admin_or_project_member_deny_cluster_user

Operations:
  • DELETE /v1/federations/{federation_ident}

Scope Types:
  • project

Delete a federation.

federation:detail
Default:

rule:admin_or_project_reader_deny_cluster_user

Operations:
  • GET /v1/federations

Scope Types:
  • project

Retrieve a list of federations with detail.

federation:get
Default:

rule:admin_or_project_reader_deny_cluster_user

Operations:
  • GET /v1/federations/{federation_ident}

Scope Types:
  • project

Retrieve information about the given federation.

federation:get_all
Default:

rule:admin_or_project_reader_deny_cluster_user

Operations:
  • GET /v1/federations/

Scope Types:
  • project

Retrieve a list of federations.

federation:update
Default:

rule:admin_or_project_member_deny_cluster_user

Operations:
  • PATCH /v1/federations/{federation_ident}

Scope Types:
  • project

Update an existing federation.

magnum-service:get_all
Default:

rule:context_is_admin

Operations:
  • GET /v1/mservices

Retrieve a list of magnum-services.

quota:create
Default:

rule:context_is_admin

Operations:
  • POST /v1/quotas

Create quota.

quota:delete
Default:

rule:context_is_admin

Operations:
  • DELETE /v1/quotas/{project_id}/{resource}

Delete quota for a given project_id and resource.

quota:get
Default:

rule:admin_or_project_reader

Operations:
  • GET /v1/quotas/{project_id}/{resource}

Scope Types:
  • project

Retrieve quota information for the given project_id.

quota:get_all
Default:

rule:context_is_admin

Operations:
  • GET /v1/quotas

Retrieve a list of quotas.

quota:update
Default:

rule:context_is_admin

Operations:
  • PATCH /v1/quotas/{project_id}/{resource}

Update quota for a given project_id.

stats:get_all
Default:

rule:admin_or_project_reader

Operations:
  • GET /v1/stats

Scope Types:
  • project

Retrieve magnum stats.

nodegroup:get
Default:

rule:admin_or_project_reader

Operations:
  • GET /v1/clusters/{cluster_id}/nodegroup/{nodegroup}

Scope Types:
  • project

Retrieve information about the given nodegroup.

nodegroup:get_all
Default:

rule:admin_or_project_reader

Operations:
  • GET /v1/clusters/{cluster_id}/nodegroups/

Scope Types:
  • project

Retrieve a list of nodegroups that belong to a cluster.

nodegroup:get_all_all_projects
Default:

rule:context_is_admin

Operations:
  • GET /v1/clusters/{cluster_id}/nodegroups/

Retrieve a list of nodegroups across projects.

nodegroup:get_one_all_projects
Default:

rule:context_is_admin

Operations:
  • GET /v1/clusters/{cluster_id}/nodegroups/{nodegroup}

Retrieve information for a given nodegroup.

nodegroup:create
Default:

rule:admin_or_project_member

Operations:
  • POST /v1/clusters/{cluster_id}/nodegroups/

Scope Types:
  • project

Create a new nodegroup.

nodegroup:delete
Default:

rule:admin_or_project_member

Operations:
  • DELETE /v1/clusters/{cluster_id}/nodegroups/{nodegroup}

Scope Types:
  • project

Delete a nodegroup.

nodegroup:update
Default:

rule:admin_or_project_member

Operations:
  • PATCH /v1/clusters/{cluster_id}/nodegroups/{nodegroup}

Scope Types:
  • project

Update an existing nodegroup.
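The composite rules at the top of this page are easier to reason about when they are evaluated against concrete callers. The Python below is added here as an example; it is not part of Magnum or oslo.policy. It implements the subset of the oslo.policy rule language these defaults use (`role:` checks, `rule:` references, generic `attr:%(key)s` checks, and `not`/`and`/`or` with parentheses) and runs several of the page's own rule strings against constructed callers: an admin, a project member, a project reader, the cluster's trustee account, and a member of a different project. The persona attributes, the target cluster values and the domain name `trustee-dom` are assumptions; the check semantics follow oslo.policy's documented behaviour but leave out features these rules do not exercise (dotted-path credential lookups, literal left-hand values).

```python
# Added example: a minimal evaluator for the oslo.policy rule language used on this page.
# Not Magnum's or oslo.policy's own code; the personas and target cluster below are constructed.

# Rule strings copied verbatim from this page: base rules plus three API policies.
RULES: dict[str, str] = {
    "context_is_admin": "role:admin",
    "is_user": "user_id:%(user_id)s",
    "cluster_user": "user_id:%(trustee_user_id)s",
    "deny_cluster_user": "not domain_id:%(trustee_domain_id)s",
    "project_member": "role:member and project_id:%(project_id)s",
    "project_reader": "role:reader and project_id:%(project_id)s",
    "user_or_cluster_user": "((rule:is_user) or (rule:cluster_user))",
    "admin_or_project_member_user_or_cluster_user": "(rule:context_is_admin) or ((rule:project_member) and (rule:user_or_cluster_user))",
    "project_member_deny_cluster_user": "((rule:project_member) and (rule:deny_cluster_user))",
    "admin_or_project_member_deny_cluster_user": "(rule:context_is_admin) or (rule:project_member_deny_cluster_user)",
    "project_reader_deny_cluster_user": "((rule:project_reader) and (rule:deny_cluster_user))",
    "admin_or_project_reader_deny_cluster_user": "(rule:context_is_admin) or (rule:project_reader_deny_cluster_user)",
    "cluster:create": "rule:admin_or_project_member_deny_cluster_user",
    "cluster:get": "rule:admin_or_project_reader_deny_cluster_user",
    "cluster:update_health_status": "rule:admin_or_project_member_user_or_cluster_user",
}

# Constructed target: a cluster in "proj-a" created by "u-member", whose trustee account
# lives in Magnum's trustee domain. These keys feed the %(...)s substitutions above.
CLUSTER = {"project_id": "proj-a", "user_id": "u-member",
           "trustee_user_id": "u-trustee", "trustee_domain_id": "trustee-dom"}

# Constructed callers, shaped like the token attributes oslo.policy receives.
PERSONAS: dict[str, dict] = {
    "admin": {"roles": ["admin", "member", "reader"], "project_id": "proj-a", "user_id": "u-admin", "domain_id": "default"},
    "member": {"roles": ["member", "reader"], "project_id": "proj-a", "user_id": "u-member", "domain_id": "default"},
    "reader": {"roles": ["reader"], "project_id": "proj-a", "user_id": "u-reader", "domain_id": "default"},
    "trustee": {"roles": ["member", "reader"], "project_id": "proj-a", "user_id": "u-trustee", "domain_id": "trustee-dom"},
    "other_project": {"roles": ["member", "reader"], "project_id": "proj-b", "user_id": "u-other", "domain_id": "default"},
}
PRECEDENCE = {"or": 1, "and": 2}  # "not" is a prefix operator and binds tightest

def tokenize(rule: str) -> list[str]:
    """Split on whitespace, peeling parentheses glued to the words around them."""
    tokens: list[str] = []
    for piece in rule.split():
        inner, body = piece.lstrip("("), piece.strip("()")
        tokens += ["("] * (len(piece) - len(inner)) + ([body] if body else []) + [")"] * (len(inner) - len(body))
    return tokens

def parse(rule: str):
    # Precedence-climbing parser; returns nested tuples such as ("and", a, ("not", b)).
    toks, pos = tokenize(rule), 0
    def nxt() -> str:
        nonlocal pos
        if pos >= len(toks):
            raise ValueError(f"rule ends early: {rule!r}")
        pos += 1
        return toks[pos - 1]
    def expr(min_prec: int):
        tok = nxt()
        if tok == "not":
            left = ("not", expr(3))
        elif tok == "(":
            left = expr(1)
            if nxt() != ")":
                raise ValueError(f"unbalanced parentheses in {rule!r}")
        else:
            kind, sep, match = tok.partition(":")
            if not sep:
                raise ValueError(f"malformed check {tok!r} in {rule!r}")
            left = ("check", kind, match)
        while pos < len(toks) and PRECEDENCE.get(toks[pos], 0) >= min_prec:
            op = nxt()
            left = (op, left, expr(PRECEDENCE[op] + 1))
        return left
    tree = expr(1)
    if pos != len(toks):
        raise ValueError(f"trailing tokens in {rule!r}")
    return tree

def evaluate(node, creds: dict, target: dict, rules: dict[str, str], depth: int = 0) -> bool:
    op = node[0]
    if op == "or":
        return evaluate(node[1], creds, target, rules, depth) or evaluate(node[2], creds, target, rules, depth)
    if op == "and":
        return evaluate(node[1], creds, target, rules, depth) and evaluate(node[2], creds, target, rules, depth)
    if op == "not":
        return not evaluate(node[1], creds, target, rules, depth)
    _, kind, match = node
    if kind == "rule":  # RuleCheck: defer to a named rule; depth guard against self-referential files
        if depth > 32:
            raise RecursionError(f"rule chain too deep at {match!r}")
        return evaluate(parse(rules[match]), creds, target, rules, depth + 1)
    if kind == "role":  # RoleCheck: case-insensitive membership in the caller's roles
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    try:  # GenericCheck: fill %(key)s from the target, then compare with the caller's attribute
        expected = match % target
    except KeyError:
        return False  # target lacks the attribute the rule names: deny, never guess
    return kind in creds and expected == str(creds[kind])

def enforce(action: str, creds: dict, target: dict = CLUSTER, rules: dict[str, str] = RULES) -> bool:
    return evaluate(parse(rules[action]), creds, target, rules)
```

Calling `enforce("cluster:create", PERSONAS["trustee"])` returns False while `enforce("cluster:update_health_status", PERSONAS["trustee"])` returns True: the trustee reaches `cluster_user` through `user_or_cluster_user`, but `deny_cluster_user` keys on `domain_id`, so it shuts out every caller from the trustee domain, not only the one trustee user. The reader persona passes `cluster:get` and fails `cluster:create`, and the member of `proj-b` is denied all three actions because both `project_member` and `project_reader` compare the token's `project_id` with the cluster's.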