Policy configuration¶
Configuration¶
The following is an overview of all available policies in Magnum. For a sample configuration file, refer to policy.yaml.
magnum¶
context_is_adminDefault: role:admin(no description provided)
admin_or_ownerDefault: is_admin:True or project_id:%(project_id)s(no description provided)
admin_apiDefault: rule:context_is_admin(no description provided)
admin_or_userDefault: is_admin:True or user_id:%(user_id)s(no description provided)
cluster_userDefault: user_id:%(trustee_user_id)s(no description provided)
deny_cluster_userDefault: not domain_id:%(trustee_domain_id)s(no description provided)
bay:createDefault: rule:deny_cluster_userOperations: - POST
/v1/bays
Create a new bay.
- POST
bay:deleteDefault: rule:deny_cluster_userOperations: - DELETE
/v1/bays/{bay_ident}
Delete a bay.
- DELETE
bay:detailDefault: rule:deny_cluster_userOperations: - GET
/v1/bays
Retrieve a list of bays with detail.
- GET
bay:getDefault: rule:deny_cluster_userOperations: - GET
/v1/bays/{bay_ident}
Retrieve information about the given bay.
- GET
bay:get_allDefault: rule:deny_cluster_userOperations: - GET
/v1/bays/
Retrieve a list of bays.
- GET
bay:updateDefault: rule:deny_cluster_userOperations: - PATCH
/v1/bays/{bay_ident}
Update an existing bay.
- PATCH
baymodel:createDefault: rule:deny_cluster_userOperations: - POST
/v1/baymodels
Create a new baymodel.
- POST
baymodel:deleteDefault: rule:deny_cluster_userOperations: - DELETE
/v1/baymodels/{baymodel_ident}
Delete a baymodel.
- DELETE
baymodel:detailDefault: rule:deny_cluster_userOperations: - GET
/v1/baymodels
Retrieve a list of baymodel with detail.
- GET
baymodel:getDefault: rule:deny_cluster_userOperations: - GET
/v1/baymodels/{baymodel_ident}
Retrieve information about the given baymodel.
- GET
baymodel:get_allDefault: rule:deny_cluster_userOperations: - GET
/v1/baymodels
Retrieve a list of baymodel.
- GET
baymodel:updateDefault: rule:deny_cluster_userOperations: - PATCH
/v1/baymodels/{baymodel_ident}
Update an existing baymodel.
- PATCH
baymodel:publishDefault: rule:admin_apiOperations: - POST
/v1/baymodels - PATCH
/v1/baymodels
Publish an existing baymodel.
- POST
certificate:createDefault: rule:admin_or_user or rule:cluster_userOperations: - POST
/v1/certificates
Sign a new certificate by the CA.
- POST
certificate:getDefault: rule:admin_or_user or rule:cluster_userOperations: - GET
/v1/certificates/{bay_uuid/cluster_uuid}
Retrieve CA information about the given bay/cluster.
- GET
certificate:rotate_caDefault: rule:admin_or_ownerOperations: - PATCH
/v1/certificates/{bay_uuid/cluster_uuid}
Rotate the CA certificate on the given bay/cluster.
- PATCH
cluster:createDefault: rule:deny_cluster_userOperations: - POST
/v1/clusters
Create a new cluster.
- POST
cluster:deleteDefault: rule:deny_cluster_userOperations: - DELETE
/v1/clusters/{cluster_ident}
Delete a cluster.
- DELETE
cluster:delete_all_projectsDefault: rule:admin_apiOperations: - DELETE
/v1/clusters/{cluster_ident}
Delete a cluster from any project.
- DELETE
cluster:detailDefault: rule:deny_cluster_userOperations: - GET
/v1/clusters
Retrieve a list of clusters with detail.
- GET
cluster:detail_all_projectsDefault: rule:admin_apiOperations: - GET
/v1/clusters
Retrieve a list of clusters with detail across projects.
- GET
cluster:getDefault: rule:deny_cluster_userOperations: - GET
/v1/clusters/{cluster_ident}
Retrieve information about the given cluster.
- GET
cluster:get_one_all_projectsDefault: rule:admin_apiOperations: - GET
/v1/clusters/{cluster_ident}
Retrieve information about the given cluster across projects.
- GET
cluster:get_allDefault: rule:deny_cluster_userOperations: - GET
/v1/clusters/
Retrieve a list of clusters.
- GET
cluster:get_all_all_projectsDefault: rule:admin_apiOperations: - GET
/v1/clusters/
Retrieve a list of all clusters across projects.
- GET
cluster:updateDefault: rule:deny_cluster_userOperations: - PATCH
/v1/clusters/{cluster_ident}
Update an existing cluster.
- PATCH
cluster:resizeDefault: rule:deny_cluster_userOperations: - POST
/v1/clusters/{cluster_ident}/actions/resize
Resize an existing cluster.
- POST
clustertemplate:createDefault: rule:deny_cluster_userOperations: - POST
/v1/clustertemplates
Create a new cluster template.
- POST
clustertemplate:deleteDefault: rule:deny_cluster_userOperations: - DELETE
/v1/clustertemplate/{clustertemplate_ident}
Delete a cluster template.
- DELETE
clustertemplate:delete_all_projectsDefault: rule:admin_apiOperations: - DELETE
/v1/clustertemplate/{clustertemplate_ident}
Delete a cluster template from any project.
- DELETE
clustertemplate:detail_all_projectsDefault: rule:admin_apiOperations: - GET
/v1/clustertemplates
Retrieve a list of cluster templates with detail across projects.
- GET
clustertemplate:detailDefault: rule:deny_cluster_userOperations: - GET
/v1/clustertemplates
Retrieve a list of cluster templates with detail.
- GET
clustertemplate:getDefault: rule:deny_cluster_userOperations: - GET
/v1/clustertemplate/{clustertemplate_ident}
Retrieve information about the given cluster template.
- GET
clustertemplate:get_one_all_projectsDefault: rule:admin_apiOperations: - GET
/v1/clustertemplate/{clustertemplate_ident}
Retrieve information about the given cluster template across project.
- GET
clustertemplate:get_allDefault: rule:deny_cluster_userOperations: - GET
/v1/clustertemplates
Retrieve a list of cluster templates.
- GET
clustertemplate:get_all_all_projectsDefault: rule:admin_apiOperations: - GET
/v1/clustertemplates
Retrieve a list of cluster templates across projects.
- GET
clustertemplate:updateDefault: rule:deny_cluster_userOperations: - PATCH
/v1/clustertemplate/{clustertemplate_ident}
Update an existing cluster template.
- PATCH
clustertemplate:publishDefault: rule:admin_apiOperations: - POST
/v1/clustertemplates - PATCH
/v1/clustertemplates
Publish an existing cluster template.
- POST
federation:createDefault: rule:deny_cluster_userOperations: - POST
/v1/federations
Create a new federation.
- POST
federation:deleteDefault: rule:deny_cluster_userOperations: - DELETE
/v1/federations/{federation_ident}
Delete a federation.
- DELETE
federation:detailDefault: rule:deny_cluster_userOperations: - GET
/v1/federations
Retrieve a list of federations with detail.
- GET
federation:getDefault: rule:deny_cluster_userOperations: - GET
/v1/federations/{federation_ident}
Retrieve information about the given federation.
- GET
federation:get_allDefault: rule:deny_cluster_userOperations: - GET
/v1/federations/
Retrieve a list of federations.
- GET
federation:updateDefault: rule:deny_cluster_userOperations: - PATCH
/v1/federations/{federation_ident}
Update an existing federation.
- PATCH
magnum-service:get_allDefault: rule:admin_apiOperations: - GET
/v1/mservices
Retrieve a list of magnum-services.
- GET
quota:createDefault: rule:admin_apiOperations: - POST
/v1/quotas
Create quota.
- POST
quota:deleteDefault: rule:admin_apiOperations: - DELETE
/v1/quotas/{project_id}/{resource}
Delete quota for a given project_id and resource.
- DELETE
quota:getDefault: rule:admin_or_ownerOperations: - GET
/v1/quotas/{project_id}/{resource}
Retrieve Quota information for the given project_id.
- GET
quota:get_allDefault: rule:admin_apiOperations: - GET
/v1/quotas
Retrieve a list of quotas.
- GET
quota:updateDefault: rule:admin_apiOperations: - PATCH
/v1/quotas/{project_id}/{resource}
Update quota for a given project_id.
- PATCH
stats:get_allDefault: rule:admin_or_ownerOperations: - GET
/v1/stats
Retrieve magnum stats.
- GET
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.