policy.yaml

Warning

The JSON-formatted policy file is deprecated since Magnum 12.0.0 (Wallaby). The oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

Use the policy.yaml file to define additional access controls that apply to the Container Infrastructure Management service:

#"context_is_admin": "role:admin"

#"admin_or_owner": "is_admin:True or project_id:%(project_id)s"

#"admin_or_user": "is_admin:True or user_id:%(user_id)s"

#"is_user": "user_id:%(user_id)s"

#"cluster_user": "user_id:%(trustee_user_id)s"

#"deny_cluster_user": "not domain_id:%(trustee_domain_id)s"

#"project_member": "role:member and project_id:%(project_id)s"

#"project_reader": "role:reader and project_id:%(project_id)s"

#"admin_or_project_reader": "(rule:context_is_admin) or (rule:project_reader)"

# DEPRECATED
# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s"
# has been deprecated since OpenStack 2023.2(Magnum 17.0.0) in favor
# of "admin_or_project_reader":"(rule:context_is_admin) or
# (rule:project_reader)".
# The Magnum API now enforces scoped tokens and default reader and
# member roles.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:admin_or_project_reader"

#"admin_or_project_member": "(rule:context_is_admin) or (rule:project_member)"

# DEPRECATED
# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s"
# has been deprecated since OpenStack 2023.2(Magnum 17.0.0) in favor
# of "admin_or_project_member":"(rule:context_is_admin) or
# (rule:project_member)".
# The Magnum API now enforces scoped tokens and default reader and
# member roles.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:admin_or_project_member"

#"admin_or_project_member_user": "(rule:context_is_admin) or ((rule:project_member) and (rule:is_user))"

# DEPRECATED
# "rule:admin_or_user":"((rule:context_is_admin) or (rule:is_user))"
# has been deprecated since OpenStack 2023.2(Magnum 17.0.0) in favor
# of "admin_or_project_member_user":"(rule:context_is_admin) or
# ((rule:project_member) and (rule:is_user))".
# The Magnum API now enforces scoped tokens and default reader and
# member roles.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "rule:admin_or_user": "rule:admin_or_project_member_user"

#"user_or_cluster_user": "((rule:is_user) or (rule:cluster_user))"

#"admin_or_user_or_cluster_user": "((rule:context_is_admin) or (rule:user_or_cluster_user))"

#"admin_or_project_member_cluster_user": "(rule:context_is_admin) or ((rule:project_member) and (rule:cluster_user))"

#"admin_or_project_member_user_or_cluster_user": "(rule:context_is_admin) or ((rule:project_member) and (rule:user_or_cluster_user))"

# DEPRECATED
# "rule:admin_or_user_or_cluster_user":"((rule:context_is_admin) or
# (rule:user_or_cluster_user))" has been deprecated since OpenStack
# 2023.2(Magnum 17.0.0) in favor of
# "admin_or_project_member_user_or_cluster_user":"(rule:context_is_admin)
# or ((rule:project_member) and (rule:user_or_cluster_user))".
# The Magnum API now enforces scoped tokens and default reader and
# member roles.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "rule:admin_or_user_or_cluster_user": "rule:admin_or_project_member_user_or_cluster_user"

#"project_member_deny_cluster_user": "((rule:project_member) and (rule:deny_cluster_user))"

# DEPRECATED
# "rule:deny_cluster_user":"not domain_id:%(trustee_domain_id)s" has
# been deprecated since OpenStack 2023.2(Magnum 17.0.0) in favor of
# "project_member_deny_cluster_user":"((rule:project_member) and
# (rule:deny_cluster_user))".
# The Magnum API now enforces scoped tokens and default reader and
# member roles.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "rule:deny_cluster_user": "rule:project_member_deny_cluster_user"

#"admin_or_project_member_deny_cluster_user": "(rule:context_is_admin) or (rule:project_member_deny_cluster_user)"

# DEPRECATED
# "rule:deny_cluster_user":"not domain_id:%(trustee_domain_id)s" has
# been deprecated since OpenStack 2023.2(Magnum 17.0.0) in favor of
# "admin_or_project_member_deny_cluster_user":"(rule:context_is_admin)
# or (rule:project_member_deny_cluster_user)".
# The Magnum API now enforces scoped tokens and default reader and
# member roles.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "rule:deny_cluster_user": "rule:admin_or_project_member_deny_cluster_user"

#"project_reader_deny_cluster_user": "((rule:project_reader) and (rule:deny_cluster_user))"

# DEPRECATED
# "rule:deny_cluster_user":"not domain_id:%(trustee_domain_id)s" has
# been deprecated since OpenStack 2023.2(Magnum 17.0.0) in favor of
# "project_reader_deny_cluster_user":"((rule:project_reader) and
# (rule:deny_cluster_user))".
# The Magnum API now enforces scoped tokens and default reader and
# member roles.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "rule:deny_cluster_user": "rule:project_reader_deny_cluster_user"

#"admin_or_project_reader_deny_cluster_user": "(rule:context_is_admin) or (rule:project_reader_deny_cluster_user)"

# DEPRECATED
# "rule:deny_cluster_user":"not domain_id:%(trustee_domain_id)s" has
# been deprecated since OpenStack 2023.2(Magnum 17.0.0) in favor of
# "admin_or_project_reader_deny_cluster_user":"(rule:context_is_admin)
# or (rule:project_reader_deny_cluster_user)".
# The Magnum API now enforces scoped tokens and default reader and
# member roles.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "rule:deny_cluster_user": "rule:admin_or_project_reader_deny_cluster_user"

#"admin_or_project_reader_user": "(rule:context_is_admin) or ((rule:project_reader) and (rule:is_user))"

# DEPRECATED
# "rule:admin_or_user":"((rule:context_is_admin) or (rule:is_user))"
# has been deprecated since OpenStack 2023.2(Magnum 17.0.0) in favor
# of "admin_or_project_reader_user":"(rule:context_is_admin) or
# ((rule:project_reader) and (rule:is_user))".
# The Magnum API now enforces scoped tokens and default reader and
# member roles.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "rule:admin_or_user": "rule:admin_or_project_reader_user"

# Sign a new certificate by the CA.
# POST  /v1/certificates
# Intended scope(s): project
#"certificate:create": "rule:admin_or_project_member_user"

# Retrieve CA information about the given cluster.
# GET  /v1/certificates/{cluster_uuid}
# Intended scope(s): project
#"certificate:get": "rule:admin_or_project_reader_user"

# Rotate the CA certificate on the given cluster.
# PATCH  /v1/certificates/{cluster_uuid}
# Intended scope(s): project
#"certificate:rotate_ca": "rule:admin_or_project_member"

# Create a new cluster.
# POST  /v1/clusters
# Intended scope(s): project
#"cluster:create": "rule:admin_or_project_member_deny_cluster_user"

# Delete a cluster.
# DELETE  /v1/clusters/{cluster_ident}
# Intended scope(s): project
#"cluster:delete": "rule:admin_or_project_member_deny_cluster_user"

# Delete a cluster from any project.
# DELETE  /v1/clusters/{cluster_ident}
#"cluster:delete_all_projects": "rule:context_is_admin"

# Retrieve a list of clusters with detail.
# GET  /v1/clusters
# Intended scope(s): project
#"cluster:detail": "rule:admin_or_project_reader_deny_cluster_user"

# Retrieve a list of clusters with detail across projects.
# GET  /v1/clusters
#"cluster:detail_all_projects": "rule:context_is_admin"

# Retrieve information about the given cluster.
# GET  /v1/clusters/{cluster_ident}
# Intended scope(s): project
#"cluster:get": "rule:admin_or_project_reader_deny_cluster_user"

# Retrieve information about the given cluster across projects.
# GET  /v1/clusters/{cluster_ident}
#"cluster:get_one_all_projects": "rule:context_is_admin"

# Retrieve a list of clusters.
# GET  /v1/clusters/
# Intended scope(s): project
#"cluster:get_all": "rule:admin_or_project_reader_deny_cluster_user"

# Retrieve a list of all clusters across projects.
# GET  /v1/clusters/
#"cluster:get_all_all_projects": "rule:context_is_admin"

# Update an existing cluster.
# PATCH  /v1/clusters/{cluster_ident}
# Intended scope(s): project
#"cluster:update": "rule:admin_or_project_member_deny_cluster_user"

# Update the health status of an existing cluster.
# PATCH  /v1/clusters/{cluster_ident}
# Intended scope(s): project
#"cluster:update_health_status": "rule:admin_or_project_member_user_or_cluster_user"

# Update an existing cluster.
# PATCH  /v1/clusters/{cluster_ident}
#"cluster:update_all_projects": "rule:context_is_admin"

# Resize an existing cluster.
# POST  /v1/clusters/{cluster_ident}/actions/resize
# Intended scope(s): project
#"cluster:resize": "rule:admin_or_project_member_deny_cluster_user"

# Upgrade an existing cluster.
# POST  /v1/clusters/{cluster_ident}/actions/upgrade
# Intended scope(s): project
#"cluster:upgrade": "rule:admin_or_project_member_deny_cluster_user"

# Upgrade an existing cluster across all projects.
# POST  /v1/clusters/{cluster_ident}/actions/upgrade
#"cluster:upgrade_all_projects": "rule:context_is_admin"

# Create a new cluster template.
# POST  /v1/clustertemplates
# Intended scope(s): project
#"clustertemplate:create": "rule:admin_or_project_member_deny_cluster_user"

# Delete a cluster template.
# DELETE  /v1/clustertemplate/{clustertemplate_ident}
# Intended scope(s): project
#"clustertemplate:delete": "rule:admin_or_project_member"

# Delete a cluster template from any project.
# DELETE  /v1/clustertemplate/{clustertemplate_ident}
#"clustertemplate:delete_all_projects": "rule:context_is_admin"

# Retrieve a list of cluster templates with detail across projects.
# GET  /v1/clustertemplates
#"clustertemplate:detail_all_projects": "rule:context_is_admin"

# Retrieve a list of cluster templates with detail.
# GET  /v1/clustertemplates
# Intended scope(s): project
#"clustertemplate:detail": "rule:admin_or_project_reader_deny_cluster_user"

# Retrieve information about the given cluster template.
# GET  /v1/clustertemplate/{clustertemplate_ident}
# Intended scope(s): project
#"clustertemplate:get": "rule:admin_or_project_reader_deny_cluster_user"

# Retrieve information about the given cluster template across
# projects.
# GET  /v1/clustertemplate/{clustertemplate_ident}
#"clustertemplate:get_one_all_projects": "rule:context_is_admin"

# Retrieve a list of cluster templates.
# GET  /v1/clustertemplates
# Intended scope(s): project
#"clustertemplate:get_all": "rule:admin_or_project_reader_deny_cluster_user"

# Retrieve a list of cluster templates across projects.
# GET  /v1/clustertemplates
#"clustertemplate:get_all_all_projects": "rule:context_is_admin"

# Update an existing cluster template.
# PATCH  /v1/clustertemplate/{clustertemplate_ident}
# Intended scope(s): project
#"clustertemplate:update": "rule:admin_or_project_member"

# Update an existing cluster template.
# PATCH  /v1/clustertemplate/{clustertemplate_ident}
#"clustertemplate:update_all_projects": "rule:context_is_admin"

# Publish an existing cluster template.
# POST  /v1/clustertemplates
# PATCH  /v1/clustertemplates
#"clustertemplate:publish": "rule:context_is_admin"

# Create a new federation.
# POST  /v1/federations
# Intended scope(s): project
#"federation:create": "rule:admin_or_project_member_deny_cluster_user"

# Delete a federation.
# DELETE  /v1/federations/{federation_ident}
# Intended scope(s): project
#"federation:delete": "rule:admin_or_project_member_deny_cluster_user"

# Retrieve a list of federations with detail.
# GET  /v1/federations
# Intended scope(s): project
#"federation:detail": "rule:admin_or_project_reader_deny_cluster_user"

# Retrieve information about the given federation.
# GET  /v1/federations/{federation_ident}
# Intended scope(s): project
#"federation:get": "rule:admin_or_project_reader_deny_cluster_user"

# Retrieve a list of federations.
# GET  /v1/federations/
# Intended scope(s): project
#"federation:get_all": "rule:admin_or_project_reader_deny_cluster_user"

# Update an existing federation.
# PATCH  /v1/federations/{federation_ident}
# Intended scope(s): project
#"federation:update": "rule:admin_or_project_member_deny_cluster_user"

# Retrieve a list of magnum-services.
# GET  /v1/mservices
#"magnum-service:get_all": "rule:context_is_admin"

# Create quota.
# POST  /v1/quotas
#"quota:create": "rule:context_is_admin"

# Delete quota for a given project_id and resource.
# DELETE  /v1/quotas/{project_id}/{resource}
#"quota:delete": "rule:context_is_admin"

# Retrieve Quota information for the given project_id.
# GET  /v1/quotas/{project_id}/{resource}
# Intended scope(s): project
#"quota:get": "rule:admin_or_project_reader"

# Retrieve a list of quotas.
# GET  /v1/quotas
#"quota:get_all": "rule:context_is_admin"

# Update quota for a given project_id.
# PATCH  /v1/quotas/{project_id}/{resource}
#"quota:update": "rule:context_is_admin"

# Retrieve magnum stats.
# GET  /v1/stats
# Intended scope(s): project
#"stats:get_all": "rule:admin_or_project_reader"

# Retrieve information about the given nodegroup.
# GET  /v1/clusters/{cluster_id}/nodegroup/{nodegroup}
# Intended scope(s): project
#"nodegroup:get": "rule:admin_or_project_reader"

# Retrieve a list of nodegroups that belong to a cluster.
# GET  /v1/clusters/{cluster_id}/nodegroups/
# Intended scope(s): project
#"nodegroup:get_all": "rule:admin_or_project_reader"

# Retrieve a list of nodegroups across projects.
# GET  /v1/clusters/{cluster_id}/nodegroups/
#"nodegroup:get_all_all_projects": "rule:context_is_admin"

# Retrieve information for a given nodegroup.
# GET  /v1/clusters/{cluster_id}/nodegroups/{nodegroup}
#"nodegroup:get_one_all_projects": "rule:context_is_admin"

# Create a new nodegroup.
# POST  /v1/clusters/{cluster_id}/nodegroups/
# Intended scope(s): project
#"nodegroup:create": "rule:admin_or_project_member"

# Delete a nodegroup.
# DELETE  /v1/clusters/{cluster_id}/nodegroups/{nodegroup}
# Intended scope(s): project
#"nodegroup:delete": "rule:admin_or_project_member"

# Update an existing nodegroup.
# PATCH  /v1/clusters/{cluster_id}/nodegroups/{nodegroup}
# Intended scope(s): project
#"nodegroup:update": "rule:admin_or_project_member"