Policy configuration¶
Configuration¶
Warning
JSON formatted policy file is deprecated since Magnum 12.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.
The following is an overview of all available policies in Magnum. For a sample configuration file, refer to policy.yaml.
magnum¶
context_is_admin
- Default
role:admin
(no description provided)
admin_or_owner
- Default
is_admin:True or project_id:%(project_id)s
(no description provided)
admin_api
- Default
rule:context_is_admin
(no description provided)
admin_or_user
- Default
is_admin:True or user_id:%(user_id)s
(no description provided)
cluster_user
- Default
user_id:%(trustee_user_id)s
(no description provided)
deny_cluster_user
- Default
not domain_id:%(trustee_domain_id)s
(no description provided)
bay:create
- Default
rule:deny_cluster_user
- Operations
POST
/v1/bays
Create a new bay.
bay:delete
- Default
rule:deny_cluster_user
- Operations
DELETE
/v1/bays/{bay_ident}
Delete a bay.
bay:detail
- Default
rule:deny_cluster_user
- Operations
GET
/v1/bays
Retrieve a list of bays with detail.
bay:get
- Default
rule:deny_cluster_user
- Operations
GET
/v1/bays/{bay_ident}
Retrieve information about the given bay.
bay:get_all
- Default
rule:deny_cluster_user
- Operations
GET
/v1/bays/
Retrieve a list of bays.
bay:update
- Default
rule:deny_cluster_user
- Operations
PATCH
/v1/bays/{bay_ident}
Update an existing bay.
baymodel:create
- Default
rule:deny_cluster_user
- Operations
POST
/v1/baymodels
Create a new baymodel.
baymodel:delete
- Default
rule:deny_cluster_user
- Operations
DELETE
/v1/baymodels/{baymodel_ident}
Delete a baymodel.
baymodel:detail
- Default
rule:deny_cluster_user
- Operations
GET
/v1/baymodels
Retrieve a list of baymodel with detail.
baymodel:get
- Default
rule:deny_cluster_user
- Operations
GET
/v1/baymodels/{baymodel_ident}
Retrieve information about the given baymodel.
baymodel:get_all
- Default
rule:deny_cluster_user
- Operations
GET
/v1/baymodels
Retrieve a list of baymodel.
baymodel:update
- Default
rule:deny_cluster_user
- Operations
PATCH
/v1/baymodels/{baymodel_ident}
Update an existing baymodel.
baymodel:publish
- Default
rule:admin_api
- Operations
POST
/v1/baymodels
PATCH
/v1/baymodels
Publish an existing baymodel.
certificate:create
- Default
rule:admin_or_user or rule:cluster_user
- Operations
POST
/v1/certificates
Sign a new certificate by the CA.
certificate:get
- Default
rule:admin_or_user or rule:cluster_user
- Operations
GET
/v1/certificates/{bay_uuid/cluster_uuid}
Retrieve CA information about the given bay/cluster.
certificate:rotate_ca
- Default
rule:admin_or_owner
- Operations
PATCH
/v1/certificates/{bay_uuid/cluster_uuid}
Rotate the CA certificate on the given bay/cluster.
cluster:create
- Default
rule:deny_cluster_user
- Operations
POST
/v1/clusters
Create a new cluster.
cluster:delete
- Default
rule:deny_cluster_user
- Operations
DELETE
/v1/clusters/{cluster_ident}
Delete a cluster.
cluster:delete_all_projects
- Default
rule:admin_api
- Operations
DELETE
/v1/clusters/{cluster_ident}
Delete a cluster from any project.
cluster:detail
- Default
rule:deny_cluster_user
- Operations
GET
/v1/clusters
Retrieve a list of clusters with detail.
cluster:detail_all_projects
- Default
rule:admin_api
- Operations
GET
/v1/clusters
Retrieve a list of clusters with detail across projects.
cluster:get
- Default
rule:deny_cluster_user
- Operations
GET
/v1/clusters/{cluster_ident}
Retrieve information about the given cluster.
cluster:get_one_all_projects
- Default
rule:admin_api
- Operations
GET
/v1/clusters/{cluster_ident}
Retrieve information about the given cluster across projects.
cluster:get_all
- Default
rule:deny_cluster_user
- Operations
GET
/v1/clusters/
Retrieve a list of clusters.
cluster:get_all_all_projects
- Default
rule:admin_api
- Operations
GET
/v1/clusters/
Retrieve a list of all clusters across projects.
cluster:update
- Default
rule:deny_cluster_user
- Operations
PATCH
/v1/clusters/{cluster_ident}
Update an existing cluster.
cluster:update_health_status
- Default
rule:admin_or_user or rule:cluster_user
- Operations
PATCH
/v1/clusters/{cluster_ident}
Update the health status of an existing cluster.
cluster:update_all_projects
- Default
rule:admin_api
- Operations
PATCH
/v1/clusters/{cluster_ident}
Update an existing cluster.
cluster:resize
- Default
rule:deny_cluster_user
- Operations
POST
/v1/clusters/{cluster_ident}/actions/resize
Resize an existing cluster.
cluster:upgrade
- Default
rule:deny_cluster_user
- Operations
POST
/v1/clusters/{cluster_ident}/actions/upgrade
Upgrade an existing cluster.
cluster:upgrade_all_projects
- Default
rule:admin_api
- Operations
POST
/v1/clusters/{cluster_ident}/actions/upgrade
Upgrade an existing cluster across all projects.
clustertemplate:create
- Default
rule:deny_cluster_user
- Operations
POST
/v1/clustertemplates
Create a new cluster template.
clustertemplate:delete
- Default
rule:admin_or_owner
- Operations
DELETE
/v1/clustertemplate/{clustertemplate_ident}
Delete a cluster template.
clustertemplate:delete_all_projects
- Default
rule:admin_api
- Operations
DELETE
/v1/clustertemplate/{clustertemplate_ident}
Delete a cluster template from any project.
clustertemplate:detail_all_projects
- Default
rule:admin_api
- Operations
GET
/v1/clustertemplates
Retrieve a list of cluster templates with detail across projects.
clustertemplate:detail
- Default
rule:deny_cluster_user
- Operations
GET
/v1/clustertemplates
Retrieve a list of cluster templates with detail.
clustertemplate:get
- Default
rule:deny_cluster_user
- Operations
GET
/v1/clustertemplate/{clustertemplate_ident}
Retrieve information about the given cluster template.
clustertemplate:get_one_all_projects
- Default
rule:admin_api
- Operations
GET
/v1/clustertemplate/{clustertemplate_ident}
Retrieve information about the given cluster template across project.
clustertemplate:get_all
- Default
rule:deny_cluster_user
- Operations
GET
/v1/clustertemplates
Retrieve a list of cluster templates.
clustertemplate:get_all_all_projects
- Default
rule:admin_api
- Operations
GET
/v1/clustertemplates
Retrieve a list of cluster templates across projects.
clustertemplate:update
- Default
rule:admin_or_owner
- Operations
PATCH
/v1/clustertemplate/{clustertemplate_ident}
Update an existing cluster template.
clustertemplate:update_all_projects
- Default
rule:admin_api
- Operations
PATCH
/v1/clustertemplate/{clustertemplate_ident}
Update an existing cluster template.
clustertemplate:publish
- Default
rule:admin_api
- Operations
POST
/v1/clustertemplates
PATCH
/v1/clustertemplates
Publish an existing cluster template.
federation:create
- Default
rule:deny_cluster_user
- Operations
POST
/v1/federations
Create a new federation.
federation:delete
- Default
rule:deny_cluster_user
- Operations
DELETE
/v1/federations/{federation_ident}
Delete a federation.
federation:detail
- Default
rule:deny_cluster_user
- Operations
GET
/v1/federations
Retrieve a list of federations with detail.
federation:get
- Default
rule:deny_cluster_user
- Operations
GET
/v1/federations/{federation_ident}
Retrieve information about the given federation.
federation:get_all
- Default
rule:deny_cluster_user
- Operations
GET
/v1/federations/
Retrieve a list of federations.
federation:update
- Default
rule:deny_cluster_user
- Operations
PATCH
/v1/federations/{federation_ident}
Update an existing federation.
magnum-service:get_all
- Default
rule:admin_api
- Operations
GET
/v1/mservices
Retrieve a list of magnum-services.
quota:create
- Default
rule:admin_api
- Operations
POST
/v1/quotas
Create quota.
quota:delete
- Default
rule:admin_api
- Operations
DELETE
/v1/quotas/{project_id}/{resource}
Delete quota for a given project_id and resource.
quota:get
- Default
rule:admin_or_owner
- Operations
GET
/v1/quotas/{project_id}/{resource}
Retrieve Quota information for the given project_id.
quota:get_all
- Default
rule:admin_api
- Operations
GET
/v1/quotas
Retrieve a list of quotas.
quota:update
- Default
rule:admin_api
- Operations
PATCH
/v1/quotas/{project_id}/{resource}
Update quota for a given project_id.
stats:get_all
- Default
rule:admin_or_owner
- Operations
GET
/v1/stats
Retrieve magnum stats.
nodegroup:get
- Default
rule:admin_or_owner
- Operations
GET
/v1/clusters/{cluster_id}/nodegroup/{nodegroup}
Retrieve information about the given nodegroup.
nodegroup:get_all
- Default
rule:admin_or_owner
- Operations
GET
/v1/clusters/{cluster_id}/nodegroups/
Retrieve a list of nodegroups that belong to a cluster.
nodegroup:get_all_all_projects
- Default
rule:admin_api
- Operations
GET
/v1/clusters/{cluster_id}/nodegroups/
Retrieve a list of nodegroups across projects.
nodegroup:get_one_all_projects
- Default
rule:admin_api
- Operations
GET
/v1/clusters/{cluster_id}/nodegroups/{nodegroup}
Retrieve infornation for a given nodegroup.
nodegroup:create
- Default
rule:admin_or_owner
- Operations
POST
/v1/clusters/{cluster_id}/nodegroups/
Create a new nodegroup.
nodegroup:delete
- Default
rule:admin_or_owner
- Operations
DELETE
/v1/clusters/{cluster_id}/nodegroups/{nodegroup}
Delete a nodegroup.
nodegroup:update
- Default
rule:admin_or_owner
- Operations
PATCH
/v1/clusters/{cluster_id}/nodegroups/{nodegroup}
Update an existing nodegroup.