Policy configuration¶

Configuration¶

Warning

JSON formatted policy file is deprecated since Magnum 12.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

The following is an overview of all available policies in Magnum. For a sample configuration file, refer to policy.yaml.

magnum¶

context_is_admin

Default:: role:admin

(no description provided)

admin_or_owner

Default:: is_admin:True or project_id:%(project_id)s

(no description provided)

admin_api

Default:: rule:context_is_admin

(no description provided)

admin_or_user

Default:: is_admin:True or user_id:%(user_id)s

(no description provided)

cluster_user

Default:: user_id:%(trustee_user_id)s

(no description provided)

deny_cluster_user

Default:: not domain_id:%(trustee_domain_id)s

(no description provided)

bay:create

Default:

rule:deny_cluster_user

Operations:

POST /v1/bays

Create a new bay.

bay:delete

Default:

rule:deny_cluster_user

Operations:

DELETE /v1/bays/{bay_ident}

Delete a bay.

bay:detail

Default:

rule:deny_cluster_user

Operations:

GET /v1/bays

Retrieve a list of bays with detail.

bay:get

Default:

rule:deny_cluster_user

Operations:

GET /v1/bays/{bay_ident}

Retrieve information about the given bay.

bay:get_all

Default:

rule:deny_cluster_user

Operations:

GET /v1/bays/

Retrieve a list of bays.

bay:update

Default:

rule:deny_cluster_user

Operations:

PATCH /v1/bays/{bay_ident}

Update an existing bay.

baymodel:create

Default:

rule:deny_cluster_user

Operations:

POST /v1/baymodels

Create a new baymodel.

baymodel:delete

Default:

rule:deny_cluster_user

Operations:

DELETE /v1/baymodels/{baymodel_ident}

Delete a baymodel.

baymodel:detail

Default:

rule:deny_cluster_user

Operations:

GET /v1/baymodels

Retrieve a list of baymodel with detail.

baymodel:get

Default:

rule:deny_cluster_user

Operations:

GET /v1/baymodels/{baymodel_ident}

Retrieve information about the given baymodel.

baymodel:get_all

Default:

rule:deny_cluster_user

Operations:

GET /v1/baymodels

Retrieve a list of baymodel.

baymodel:update

Default:

rule:deny_cluster_user

Operations:

PATCH /v1/baymodels/{baymodel_ident}

Update an existing baymodel.

baymodel:publish

Default:

rule:admin_api

Operations:

POST /v1/baymodels
PATCH /v1/baymodels

Publish an existing baymodel.

certificate:create

Default:

rule:admin_or_user or rule:cluster_user

Operations:

POST /v1/certificates

Sign a new certificate by the CA.

certificate:get

Default:

rule:admin_or_user or rule:cluster_user

Operations:

GET /v1/certificates/{bay_uuid/cluster_uuid}

Retrieve CA information about the given bay/cluster.

certificate:rotate_ca

Default:

rule:admin_or_owner

Operations:

PATCH /v1/certificates/{bay_uuid/cluster_uuid}

Rotate the CA certificate on the given bay/cluster.

cluster:create

Default:

rule:deny_cluster_user

Operations:

POST /v1/clusters

Create a new cluster.

cluster:delete

Default:

rule:deny_cluster_user

Operations:

DELETE /v1/clusters/{cluster_ident}

Delete a cluster.

cluster:delete_all_projects

Default:

rule:admin_api

Operations:

DELETE /v1/clusters/{cluster_ident}

Delete a cluster from any project.

cluster:detail

Default:

rule:deny_cluster_user

Operations:

GET /v1/clusters

Retrieve a list of clusters with detail.

cluster:detail_all_projects

Default:

rule:admin_api

Operations:

GET /v1/clusters

Retrieve a list of clusters with detail across projects.

cluster:get

Default:

rule:deny_cluster_user

Operations:

GET /v1/clusters/{cluster_ident}

Retrieve information about the given cluster.

cluster:get_one_all_projects

Default:

rule:admin_api

Operations:

GET /v1/clusters/{cluster_ident}

Retrieve information about the given cluster across projects.

cluster:get_all

Default:

rule:deny_cluster_user

Operations:

GET /v1/clusters/

Retrieve a list of clusters.

cluster:get_all_all_projects

Default:

rule:admin_api

Operations:

GET /v1/clusters/

Retrieve a list of all clusters across projects.

cluster:update

Default:

rule:deny_cluster_user

Operations:

PATCH /v1/clusters/{cluster_ident}

Update an existing cluster.

cluster:update_health_status

Default:

rule:admin_or_user or rule:cluster_user

Operations:

PATCH /v1/clusters/{cluster_ident}

Update the health status of an existing cluster.

cluster:update_all_projects

Default:

rule:admin_api

Operations:

PATCH /v1/clusters/{cluster_ident}

Update an existing cluster.

cluster:resize

Default:

rule:deny_cluster_user

Operations:

POST /v1/clusters/{cluster_ident}/actions/resize

Resize an existing cluster.

cluster:upgrade

Default:

rule:deny_cluster_user

Operations:

POST /v1/clusters/{cluster_ident}/actions/upgrade

Upgrade an existing cluster.

cluster:upgrade_all_projects

Default:

rule:admin_api

Operations:

POST /v1/clusters/{cluster_ident}/actions/upgrade

Upgrade an existing cluster across all projects.

clustertemplate:create

Default:

rule:deny_cluster_user

Operations:

POST /v1/clustertemplates

Create a new cluster template.

clustertemplate:delete

Default:

rule:admin_or_owner

Operations:

DELETE /v1/clustertemplate/{clustertemplate_ident}

Delete a cluster template.

clustertemplate:delete_all_projects

Default:

rule:admin_api

Operations:

DELETE /v1/clustertemplate/{clustertemplate_ident}

Delete a cluster template from any project.

clustertemplate:detail_all_projects

Default:

rule:admin_api

Operations:

GET /v1/clustertemplates

Retrieve a list of cluster templates with detail across projects.

clustertemplate:detail

Default:

rule:deny_cluster_user

Operations:

GET /v1/clustertemplates

Retrieve a list of cluster templates with detail.

clustertemplate:get

Default:

rule:deny_cluster_user

Operations:

GET /v1/clustertemplate/{clustertemplate_ident}

Retrieve information about the given cluster template.

clustertemplate:get_one_all_projects

Default:

rule:admin_api

Operations:

GET /v1/clustertemplate/{clustertemplate_ident}

Retrieve information about the given cluster template across project.

clustertemplate:get_all

Default:

rule:deny_cluster_user

Operations:

GET /v1/clustertemplates

Retrieve a list of cluster templates.

clustertemplate:get_all_all_projects

Default:

rule:admin_api

Operations:

GET /v1/clustertemplates

Retrieve a list of cluster templates across projects.

clustertemplate:update

Default:

rule:admin_or_owner

Operations:

PATCH /v1/clustertemplate/{clustertemplate_ident}

Update an existing cluster template.

clustertemplate:update_all_projects

Default:

rule:admin_api

Operations:

PATCH /v1/clustertemplate/{clustertemplate_ident}

Update an existing cluster template.

clustertemplate:publish

Default:

rule:admin_api

Operations:

POST /v1/clustertemplates
PATCH /v1/clustertemplates

Publish an existing cluster template.

federation:create

Default:

rule:deny_cluster_user

Operations:

POST /v1/federations

Create a new federation.

federation:delete

Default:

rule:deny_cluster_user

Operations:

DELETE /v1/federations/{federation_ident}

Delete a federation.

federation:detail

Default:

rule:deny_cluster_user

Operations:

GET /v1/federations

Retrieve a list of federations with detail.

federation:get

Default:

rule:deny_cluster_user

Operations:

GET /v1/federations/{federation_ident}

Retrieve information about the given federation.

federation:get_all

Default:

rule:deny_cluster_user

Operations:

GET /v1/federations/

Retrieve a list of federations.

federation:update

Default:

rule:deny_cluster_user

Operations:

PATCH /v1/federations/{federation_ident}

Update an existing federation.

magnum-service:get_all

Default:

rule:admin_api

Operations:

GET /v1/mservices

Retrieve a list of magnum-services.

quota:create

Default:

rule:admin_api

Operations:

POST /v1/quotas

Create quota.

quota:delete

Default:

rule:admin_api

Operations:

DELETE /v1/quotas/{project_id}/{resource}

Delete quota for a given project_id and resource.

quota:get

Default:

rule:admin_or_owner

Operations:

GET /v1/quotas/{project_id}/{resource}

Retrieve Quota information for the given project_id.

quota:get_all

Default:

rule:admin_api

Operations:

GET /v1/quotas

Retrieve a list of quotas.

quota:update

Default:

rule:admin_api

Operations:

PATCH /v1/quotas/{project_id}/{resource}

Update quota for a given project_id.

stats:get_all

Default:

rule:admin_or_owner

Operations:

GET /v1/stats

Retrieve magnum stats.

nodegroup:get

Default:

rule:admin_or_owner

Operations:

GET /v1/clusters/{cluster_id}/nodegroup/{nodegroup}

Retrieve information about the given nodegroup.

nodegroup:get_all

Default:

rule:admin_or_owner

Operations:

GET /v1/clusters/{cluster_id}/nodegroups/

Retrieve a list of nodegroups that belong to a cluster.

nodegroup:get_all_all_projects

Default:

rule:admin_api

Operations:

GET /v1/clusters/{cluster_id}/nodegroups/

Retrieve a list of nodegroups across projects.

nodegroup:get_one_all_projects

Default:

rule:admin_api

Operations:

GET /v1/clusters/{cluster_id}/nodegroups/{nodegroup}

Retrieve infornation for a given nodegroup.

nodegroup:create

Default:

rule:admin_or_owner

Operations:

POST /v1/clusters/{cluster_id}/nodegroups/

Create a new nodegroup.

nodegroup:delete

Default:

rule:admin_or_owner

Operations:

DELETE /v1/clusters/{cluster_id}/nodegroups/{nodegroup}

Delete a nodegroup.

nodegroup:update

Default:

rule:admin_or_owner

Operations:

PATCH /v1/clusters/{cluster_id}/nodegroups/{nodegroup}

Update an existing nodegroup.

Policy configuration

Policy configuration¶

Configuration¶

magnum¶

magnum 12.1.2.dev8

Page Contents