Policy configuration

Warning

The JSON-formatted policy file has been deprecated since Manila 12.0.0 (Wallaby). The oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

Configuration

The following is an overview of all available policies in Manila.

manila

project-admin
Default:

role:admin and project_id:%(project_id)s

Scope Types:
  • project

Project scoped Administrator

project-member
Default:

role:member and project_id:%(project_id)s

Scope Types:
  • project

Project scoped Member

project-reader
Default:

role:reader and project_id:%(project_id)s

Scope Types:
  • project

Project scoped Reader

owner-user
Default:

user_id:%(user_id)s and project_id:%(project_id)s

Scope Types:
  • project

Project scoped user that owns a user specific resource

admin_or_service_api
Default:

role:admin or role:service

Scope Types:
  • project

A service user or an administrator user.

context_is_admin
Default:

role:admin

Scope Types:
  • project

Privileged users checked via “context.is_admin”

context_is_host_admin
Default:

role:admin and project_id:%(project_id)s

Scope Types:
  • project

Privileged user who can select host during scheduling

admin_or_owner
Default:

is_admin:True or project_id:%(project_id)s

Administrator or Member of the project

admin_or_owner_user
Default:

is_admin:True or project_id:%(project_id)s and user_id:%(user_id)s

Administrator or owner user of a resource

default
Default:

rule:admin_or_owner

Default rule for most non-Admin APIs

admin_api
Default:

is_admin:True

Default rule for most Admin APIs.

availability_zone:index
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /os-availability-zone

  • GET /availability-zone

Scope Types:
  • project

Get all storage availability zones.

scheduler_stats:pools:index
Default:

rule:context_is_admin

Operations:
  • GET /scheduler-stats/pools?{query}

Scope Types:
  • project

Get information regarding backends (and storage pools) known to the scheduler.

scheduler_stats:pools:detail
Default:

rule:context_is_admin

Operations:
  • GET /scheduler-stats/pools/detail?{query}

Scope Types:
  • project

Get detailed information regarding backends (and storage pools) known to the scheduler.

share:create
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /shares

Scope Types:
  • project

Create share.

share:create_public_share
Default:

rule:context_is_admin

Operations:
  • POST /shares

Scope Types:
  • project

Create shares visible across all projects in the cloud.

share:get
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /shares/{share_id}

Scope Types:
  • project

Get share.

share:get_all
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /shares?{query}

  • GET /shares/detail?{query}

Scope Types:
  • project

List shares.

share:update
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • PUT /shares/{share_id}

Scope Types:
  • project

Update a share.

share:set_public_share
Default:

rule:context_is_admin

Operations:
  • PUT /shares/{share_id}

Scope Types:
  • project

Update a share to be visible across all projects in the cloud.

share:delete
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • DELETE /shares/{share_id}

Scope Types:
  • project

Delete share.

share:soft_delete
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /shares/{share_id}/action

Scope Types:
  • project

Soft Delete a share.

share:restore
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /shares/{share_id}/action

Scope Types:
  • project

Restore a share.

share:force_delete
Default:

rule:context_is_admin

Operations:
  • DELETE /shares/{share_id}

Scope Types:
  • project

Force Delete a share.

share:manage
Default:

rule:context_is_admin

Operations:
  • POST /shares/manage

Scope Types:
  • project

Manage share.

share:unmanage
Default:

rule:context_is_admin

Operations:
  • POST /shares/unmanage

Scope Types:
  • project

Unmanage share.

share:list_by_host
Default:

rule:context_is_admin

Operations:
  • GET /shares?host={host}

  • GET /shares/detail?host={host}

Scope Types:
  • project

List shares by host.

share:list_by_share_server_id
Default:

rule:context_is_admin

Operations:
  • GET /shares?share_server_id={share_server_id}

  • GET /shares/detail?share_server_id={share_server_id}

Scope Types:
  • project

List shares by server ID.

share:access_get
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • POST /shares/{share_id}/action

Scope Types:
  • project

Get share access rule (deprecated in API version 2.45).

share:access_get_all
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /shares/{share_id}/action

Scope Types:
  • project

List share access rules (deprecated in API version 2.45).

share:extend
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /shares/{share_id}/action

Scope Types:
  • project

Extend share.

share:force_extend
Default:

rule:context_is_admin

Operations:
  • POST /shares/{share_id}/action

Scope Types:
  • project

Force extend share.

share:extend_beyond_max_share_size_spec
Default:

rule:context_is_admin

Operations:
  • POST /shares/{share_id}/action

Scope Types:
  • project

Extend share beyond max share size.

share:shrink
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /shares/{share_id}/action

Scope Types:
  • project

Shrink share.

share:migration_start
Default:

rule:context_is_admin

Operations:
  • POST /shares/{share_id}/action

Scope Types:
  • project

Migrate a share to the specified host.

share:migration_complete
Default:

rule:context_is_admin

Operations:
  • POST /shares/{share_id}/action

Scope Types:
  • project

Invoke 2nd phase of share migration.

share:migration_cancel
Default:

rule:context_is_admin

Operations:
  • POST /shares/{share_id}/action

Scope Types:
  • project

Attempt to cancel share migration.

share:migration_get_progress
Default:

rule:context_is_admin

Operations:
  • POST /shares/{share_id}/action

Scope Types:
  • project

Retrieve share migration progress for a given share.

share:reset_task_state
Default:

rule:context_is_admin

Operations:
  • POST /shares/{share_id}/action

Scope Types:
  • project

Reset task state.

share:reset_status
Default:

rule:context_is_admin

Operations:
  • POST /shares/{share_id}/action

Scope Types:
  • project

Reset status.

share:revert_to_snapshot
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /shares/{share_id}/action

Scope Types:
  • project

Revert a share to a snapshot.

share:allow_access
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /shares/{share_id}/action

Scope Types:
  • project

Add share access rule.

share:deny_access
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /shares/{share_id}/action

Scope Types:
  • project

Remove share access rule.

share:update_share_metadata
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • PUT /shares/{share_id}/metadata

  • POST /shares/{share_id}/metadata/{key}

  • POST /shares/{share_id}/metadata

Scope Types:
  • project

Update share metadata.

share:delete_share_metadata
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • DELETE /shares/{share_id}/metadata/{key}

Scope Types:
  • project

Delete share metadata.

share:get_share_metadata
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /shares/{share_id}/metadata

  • GET /shares/{share_id}/metadata/{key}

Scope Types:
  • project

Get share metadata.

share:list_shares_in_deferred_deletion_states
Default:

rule:context_is_admin

Operations:
  • GET /v2/shares

  • GET /shares/{share_id}

Scope Types:
  • project

List (or get) shares whose deletion has been deferred.

share:list_all_projects
Default:

rule:context_is_admin

Operations:
  • GET /shares?all_tenants=1

  • GET /shares/detail?all_tenants=1

Scope Types:
  • project

List shares across all projects.

share:create_snapshot
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /snapshots

Scope Types:
  • project

Create share snapshot.

share:delete_snapshot
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • DELETE /snapshots/{snapshot_id}

Scope Types:
  • project

Delete share snapshot.

share:snapshot_update
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • PUT /snapshots/{snapshot_id}/action

Scope Types:
  • project

Update share snapshot.

share:update_admin_only_metadata
Default:

rule:context_is_admin

Operations:
  • PUT /shares/{share_id}/metadata

Scope Types:
  • project

Update metadata items that are considered “admin only” by the service.

share_instance_export_location:index
Default:

rule:context_is_admin

Operations:
  • POST /share_instances/{share_instance_id}/export_locations

Scope Types:
  • project

Return data about the requested export location.

share_instance_export_location:show
Default:

rule:context_is_admin

Operations:
  • GET /share_instances/{share_instance_id}/export_locations/{export_location_id}

Scope Types:
  • project

Return data about the requested export location.

share_type:create
Default:

rule:context_is_admin

Operations:
  • POST /types

Scope Types:
  • project

Create share type.

share_type:update
Default:

rule:context_is_admin

Operations:
  • PUT /types/{share_type_id}

Scope Types:
  • project

Update share type.

share_type:show
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /types/{share_type_id}

Scope Types:
  • project

Get share type.

share_type:index
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /types?is_public=all

Scope Types:
  • project

List share types.

share_type:default
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /types/default

Scope Types:
  • project

Get default share type.

share_type:delete
Default:

rule:context_is_admin

Operations:
  • DELETE /types/{share_type_id}

Scope Types:
  • project

Delete share type.

share_type:list_project_access
Default:

rule:context_is_admin

Operations:
  • GET /types/{share_type_id}

Scope Types:
  • project

List share type project access.

share_type:add_project_access
Default:

rule:context_is_admin

Operations:
  • POST /types/{share_type_id}/action

Scope Types:
  • project

Add share type to project.

share_type:remove_project_access
Default:

rule:context_is_admin

Operations:
  • POST /types/{share_type_id}/action

Scope Types:
  • project

Remove share type from project.

share_types_extra_spec:create
Default:

rule:context_is_admin

Operations:
  • POST /types/{share_type_id}/extra_specs

Scope Types:
  • project

Create share type extra spec.

share_types_extra_spec:show
Default:

rule:context_is_admin

Operations:
  • GET /types/{share_type_id}/extra_specs

Scope Types:
  • project

Get share type extra specs of a given share type.

share_types_extra_spec:index
Default:

rule:context_is_admin

Operations:
  • GET /types/{share_type_id}/extra_specs/{extra_spec_id}

Scope Types:
  • project

Get details of a share type extra spec.

share_types_extra_spec:update
Default:

rule:context_is_admin

Operations:
  • PUT /types/{share_type_id}/extra_specs

Scope Types:
  • project

Update share type extra spec.

share_types_extra_spec:delete
Default:

rule:context_is_admin

Operations:
  • DELETE /types/{share_type_id}/extra_specs/{key}

Scope Types:
  • project

Delete share type extra spec.

share_snapshot:get_snapshot
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /snapshots/{snapshot_id}

Scope Types:
  • project

Get share snapshot.

share_snapshot:get_all_snapshots
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /snapshots?{query}

  • GET /snapshots/detail?{query}

Scope Types:
  • project

Get all share snapshots.

share_snapshot:list_all_projects
Default:

rule:context_is_admin

Operations:
  • GET /snapshots?all_tenants=1

  • GET /snapshots/detail?all_tenants=1

Scope Types:
  • project

List share snapshots by all projects.

share_snapshot:force_delete
Default:

rule:context_is_admin

Operations:
  • DELETE /snapshots/{snapshot_id}

Scope Types:
  • project

Force Delete a share snapshot.

share_snapshot:manage_snapshot
Default:

rule:context_is_admin

Operations:
  • POST /snapshots/manage

Scope Types:
  • project

Manage share snapshot.

share_snapshot:unmanage_snapshot
Default:

rule:context_is_admin

Operations:
  • POST /snapshots/{snapshot_id}/action

Scope Types:
  • project

Unmanage share snapshot.

share_snapshot:reset_status
Default:

rule:context_is_admin

Operations:
  • POST /snapshots/{snapshot_id}/action

Scope Types:
  • project

Reset status.

share_snapshot:access_list
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /snapshots/{snapshot_id}/access-list

Scope Types:
  • project

List access rules of a share snapshot.

share_snapshot:allow_access
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /snapshots/{snapshot_id}/action

Scope Types:
  • project

Allow access to a share snapshot.

share_snapshot:deny_access
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /snapshots/{snapshot_id}/action

Scope Types:
  • project

Deny access to a share snapshot.

share_snapshot:update_metadata
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • PUT /snapshots/{snapshot_id}/metadata

  • POST /snapshots/{snapshot_id}/metadata/{key}

  • POST /snapshots/{snapshot_id}/metadata

Scope Types:
  • project

Update snapshot metadata.

share_snapshot:delete_metadata
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • DELETE /snapshots/{snapshot_id}/metadata/{key}

Scope Types:
  • project

Delete snapshot metadata.

share_snapshot:get_metadata
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /snapshots/{snapshot_id}/metadata

  • GET /snapshots/{snapshot_id}/metadata/{key}

Scope Types:
  • project

Get snapshot metadata.

share_snapshot:list_snapshots_in_deferred_deletion_states
Default:

rule:context_is_admin

Operations:
  • GET /v2/snapshots

  • GET /snapshots/{snapshot_id}

Scope Types:
  • project

List (or get) snapshots whose deletion has been deferred.

share_snapshot_export_location:index
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /snapshots/{snapshot_id}/export-locations/

Scope Types:
  • project

List export locations of a share snapshot.

share_snapshot_export_location:show
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /snapshots/{snapshot_id}/export-locations/{export_location_id}

Scope Types:
  • project

Get details of a specified export location of a share snapshot.

share_snapshot_instance:show
Default:

rule:context_is_admin

Operations:
  • GET /snapshot-instances/{snapshot_instance_id}

Scope Types:
  • project

Get share snapshot instance.

share_snapshot_instance:index
Default:

rule:context_is_admin

Operations:
  • GET /snapshot-instances?{query}

Scope Types:
  • project

Get all share snapshot instances.

share_snapshot_instance:detail
Default:

rule:context_is_admin

Operations:
  • GET /snapshot-instances/detail?{query}

Scope Types:
  • project

Get details of share snapshot instances.

share_snapshot_instance:reset_status
Default:

rule:context_is_admin

Operations:
  • POST /snapshot-instances/{snapshot_instance_id}/action

Scope Types:
  • project

Reset share snapshot instance’s status.

share_snapshot_instance_export_location:index
Default:

rule:context_is_admin

Operations:
  • GET /snapshot-instances/{snapshot_instance_id}/export-locations

Scope Types:
  • project

List export locations of a share snapshot instance.

share_snapshot_instance_export_location:show
Default:

rule:context_is_admin

Operations:
  • GET /snapshot-instances/{snapshot_instance_id}/export-locations/{export_location_id}

Scope Types:
  • project

Show details of a specified export location of a share snapshot instance.

share_server:index
Default:

rule:context_is_admin

Operations:
  • GET /share-servers?{query}

Scope Types:
  • project

Get share servers.

share_server:show
Default:

rule:context_is_admin

Operations:
  • GET /share-servers/{server_id}

Scope Types:
  • project

Show share server.

share_server:details
Default:

rule:context_is_admin

Operations:
  • GET /share-servers/{server_id}/details

Scope Types:
  • project

Get share server details.

share_server:delete
Default:

rule:context_is_admin

Operations:
  • DELETE /share-servers/{server_id}

Scope Types:
  • project

Delete share server.

share_server:manage_share_server
Default:

rule:context_is_admin

Operations:
  • POST /share-servers/manage

Scope Types:
  • project

Manage share server.

share_server:unmanage_share_server
Default:

rule:context_is_admin

Operations:
  • POST /share-servers/{share_server_id}/action

Scope Types:
  • project

Unmanage share server.

share_server:reset_status
Default:

rule:context_is_admin

Operations:
  • POST /share-servers/{share_server_id}/action

Scope Types:
  • project

Reset the status of a share server.

share_server:share_server_migration_start
Default:

rule:context_is_admin

Operations:
  • POST /share-servers/{share_server_id}/action

Scope Types:
  • project

Migrates a share server to the specified host.

share_server:share_server_migration_check
Default:

rule:context_is_admin

Operations:
  • POST /share-servers/{share_server_id}/action

Scope Types:
  • project

Check whether a share server can be migrated to the specified host.

share_server:share_server_migration_complete
Default:

rule:context_is_admin

Operations:
  • POST /share-servers/{share_server_id}/action

Scope Types:
  • project

Invokes the 2nd phase of share server migration.

share_server:share_server_migration_cancel
Default:

rule:context_is_admin

Operations:
  • POST /share-servers/{share_server_id}/action

Scope Types:
  • project

Attempts to cancel share server migration.

share_server:share_server_migration_get_progress
Default:

rule:context_is_admin

Operations:
  • POST /share-servers/{share_server_id}/action

Scope Types:
  • project

Retrieves the share server migration progress for a given share server.

share_server:share_server_reset_task_state
Default:

rule:context_is_admin

Operations:
  • POST /share-servers/{share_server_id}/action

Scope Types:
  • project

Resets task state.

service:index
Default:

rule:context_is_admin

Operations:
  • GET /os-services?{query}

  • GET /services?{query}

Scope Types:
  • project

Return a list of all running services.

service:update
Default:

rule:context_is_admin

Operations:
  • PUT /os-services/disable

  • PUT /os-services/enable

  • PUT /services/disable

  • PUT /services/enable

Scope Types:
  • project

Enable/Disable scheduling for a service.

service:ensure_shares
Default:

rule:context_is_admin

Operations:
  • POST /services/ensure

Scope Types:
  • project

Run ensure shares for a manila-share binary.

quota_set:update
Default:

rule:context_is_admin

Operations:
  • PUT /quota-sets/{project_id}

  • PUT /quota-sets/{project_id}?user_id={user_id}

  • PUT /quota-sets/{project_id}?share_type={share_type_id}

  • PUT /os-quota-sets/{project_id}

  • PUT /os-quota-sets/{project_id}?user_id={user_id}

Scope Types:
  • project

Update the quotas for a project/user and/or share type.

quota_set:show
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /quota-sets/{project_id}/defaults

  • GET /os-quota-sets/{project_id}/defaults

Scope Types:
  • project

List the quotas for a project/user.

quota_set:delete
Default:

rule:context_is_admin

Operations:
  • DELETE /quota-sets/{project_id}

  • DELETE /quota-sets/{project_id}?user_id={user_id}

  • DELETE /quota-sets/{project_id}?share_type={share_type_id}

  • DELETE /os-quota-sets/{project_id}

  • DELETE /os-quota-sets/{project_id}?user_id={user_id}

Scope Types:
  • project

Delete quota for a project/user or project/share-type. The quota will revert back to default (Admin only).

quota_class_set:update
Default:

rule:context_is_admin

Operations:
  • PUT /quota-class-sets/{class_name}

  • PUT /os-quota-class-sets/{class_name}

Scope Types:
  • project

Update quota class.

quota_class_set:show
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /quota-class-sets/{class_name}

  • GET /os-quota-class-sets/{class_name}

Scope Types:
  • project

Get quota class.

resource_lock:get
Default:

(rule:admin_or_service_api) or (rule:project-reader)

Operations:
  • GET /resource-locks/{lock_id}

Scope Types:
  • project

Get details of a given resource lock.

resource_lock:get_all
Default:

(rule:admin_or_service_api) or (rule:project-reader)

Operations:
  • GET /resource-locks

  • GET /resource-locks?{query}

Scope Types:
  • project

Get all resource locks.

resource_lock:get_all_projects
Default:

rule:admin_or_service_api

Operations:
  • GET /resource-locks?all_projects=1

  • GET /resource-locks?all_projects=1&project_id={project_id}

Scope Types:
  • project

Get resource locks from all project namespaces.

resource_lock:create
Default:

(rule:admin_or_service_api) or (rule:project-member)

Operations:
  • POST /resource-locks

Scope Types:
  • project

Create a resource lock.

resource_lock:update
Default:

(rule:owner-user or rule:admin_or_service_api)

Operations:
  • PUT /resource-locks/{lock_id}

Scope Types:
  • project

Update a resource lock.

resource_lock:delete
Default:

(rule:owner-user or rule:admin_or_service_api)

Operations:
  • DELETE /resource-locks/{lock_id}

Scope Types:
  • project

Delete a resource lock.

resource_lock:bypass_locked_show_action
Default:

(rule:owner-user or rule:admin_or_service_api)

Operations:
  • GET /share-access-rules/{share_access_id}

  • GET /share-access-rules?share_id={share_id}&key1=value1&key2=value2

Scope Types:
  • project

Bypass a visibility lock placed in a resource.

share_group_types_spec:create
Default:

rule:context_is_admin

Operations:
  • POST /share-group-types/{share_group_type_id}/group-specs

Scope Types:
  • project

Create share group type specs.

share_group_types_spec:index
Default:

rule:context_is_admin

Operations:
  • GET /share-group-types/{share_group_type_id}/group-specs

Scope Types:
  • project

Get share group type specs.

share_group_types_spec:show
Default:

rule:context_is_admin

Operations:
  • GET /share-group-types/{share_group_type_id}/group-specs/{key}

Scope Types:
  • project

Get details of a share group type spec.

share_group_types_spec:update
Default:

rule:context_is_admin

Operations:
  • PUT /share-group-types/{share_group_type_id}/group-specs/{key}

Scope Types:
  • project

Update a share group type spec.

share_group_types_spec:delete
Default:

rule:context_is_admin

Operations:
  • DELETE /share-group-types/{share_group_type_id}/group-specs/{key}

Scope Types:
  • project

Delete a share group type spec.

share_group_type:create
Default:

rule:context_is_admin

Operations:
  • POST /share-group-types

Scope Types:
  • project

Create a new share group type.

share_group_type:index
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-group-types?is_public=all

Scope Types:
  • project

Get the list of share group types.

share_group_type:show
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-group-types/{share_group_type_id}

Scope Types:
  • project

Get details regarding the specified share group type.

share_group_type:default
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-group-types/default

Scope Types:
  • project

Get the default share group type.

share_group_type:delete
Default:

rule:context_is_admin

Operations:
  • DELETE /share-group-types/{share_group_type_id}

Scope Types:
  • project

Delete an existing group type.

share_group_type:list_project_access
Default:

rule:context_is_admin

Operations:
  • GET /share-group-types/{share_group_type_id}/access

Scope Types:
  • project

Get project access by share group type.

share_group_type:add_project_access
Default:

rule:context_is_admin

Operations:
  • POST /share-group-types/{share_group_type_id}/action

Scope Types:
  • project

Allow project to use the share group type.

share_group_type:remove_project_access
Default:

rule:context_is_admin

Operations:
  • POST /share-group-types/{share_group_type_id}/action

Scope Types:
  • project

Deny project access to use the share group type.

share_group_snapshot:create
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /share-group-snapshots

Scope Types:
  • project

Create a new share group snapshot.

share_group_snapshot:get
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-group-snapshots/{share_group_snapshot_id}

Scope Types:
  • project

Get details of a share group snapshot.

share_group_snapshot:get_all
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-group-snapshots?{query}

  • GET /share-group-snapshots/detail?{query}

Scope Types:
  • project

Get all share group snapshots.

share_group_snapshot:update
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • PUT /share-group-snapshots/{share_group_snapshot_id}

Scope Types:
  • project

Update a share group snapshot.

share_group_snapshot:delete
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • DELETE /share-group-snapshots/{share_group_snapshot_id}

Scope Types:
  • project

Delete a share group snapshot.

share_group_snapshot:force_delete
Default:

rule:context_is_admin

Operations:
  • POST /share-group-snapshots/{share_group_snapshot_id}/action

Scope Types:
  • project

Force delete a share group snapshot.

share_group_snapshot:reset_status
Default:

rule:context_is_admin

Operations:
  • POST /share-group-snapshots/{share_group_snapshot_id}/action

Scope Types:
  • project

Reset a share group snapshot’s status.

share_group:create
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /share-groups

Scope Types:
  • project

Create share group.

share_group:get
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-groups/{share_group_id}

Scope Types:
  • project

Get details of a share group.

share_group:get_all
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-groups?{query}

  • GET /share-groups/detail?{query}

Scope Types:
  • project

Get all share groups.

share_group:update
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • PUT /share-groups/{share_group_id}

Scope Types:
  • project

Update share group.

share_group:delete
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • DELETE /share-groups/{share_group_id}

Scope Types:
  • project

Delete share group.

share_group:force_delete
Default:

rule:context_is_admin

Operations:
  • POST /share-groups/{share_group_id}/action

Scope Types:
  • project

Force delete a share group.

share_group:reset_status
Default:

rule:context_is_admin

Operations:
  • POST /share-groups/{share_group_id}/action

Scope Types:
  • project

Reset share group’s status.

share_replica:create
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /share-replicas

Scope Types:
  • project

Create share replica.

share_replica:get_all
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-replicas

  • GET /share-replicas/detail

  • GET /share-replicas/detail?share_id={share_id}

Scope Types:
  • project

Get all share replicas.

share_replica:show
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-replicas/{share_replica_id}

Scope Types:
  • project

Get details of a share replica.

share_replica:delete
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • DELETE /share-replicas/{share_replica_id}

Scope Types:
  • project

Delete a share replica.

share_replica:force_delete
Default:

rule:context_is_admin

Operations:
  • POST /share-replicas/{share_replica_id}/action

Scope Types:
  • project

Force delete a share replica.

share_replica:promote
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /share-replicas/{share_replica_id}/action

Scope Types:
  • project

Promote a non-active share replica to active.

share_replica:resync
Default:

rule:context_is_admin

Operations:
  • POST /share-replicas/{share_replica_id}/action

Scope Types:
  • project

Resync a share replica that is out of sync.

share_replica:reset_replica_state
Default:

rule:context_is_admin

Operations:
  • POST /share-replicas/{share_replica_id}/action

Scope Types:
  • project

Reset share replica’s replica_state attribute.

share_replica:reset_status
Default:

rule:context_is_admin

Operations:
  • POST /share-replicas/{share_replica_id}/action

Scope Types:
  • project

Reset share replica’s status.

share_replica_export_location:index
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-replicas/{share_replica_id}/export-locations

Scope Types:
  • project

Get all export locations of a given share replica.

share_replica_export_location:show
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-replicas/{share_replica_id}/export-locations/{export_location_id}

Scope Types:
  • project

Get details about the requested share replica export location.

share_network:create
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /share-networks

Scope Types:
  • project

Create share network.

share_network:show
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-networks/{share_network_id}

Scope Types:
  • project

Get details of a share network.

share_network:index
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-networks?{query}

Scope Types:
  • project

Get all share networks under a project.

share_network:detail
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-networks/detail?{query}

Scope Types:
  • project

Get details of share networks under a project.

share_network:update
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • PUT /share-networks/{share_network_id}

Scope Types:
  • project

Update a share network.

share_network:delete
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • DELETE /share-networks/{share_network_id}

Scope Types:
  • project

Delete a share network.

share_network:add_security_service
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /share-networks/{share_network_id}/action

Scope Types:
  • project

Add security service to share network.

share_network:add_security_service_check
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /share-networks/{share_network_id}/action

Scope Types:
  • project

Check the feasibility of adding a security service to a share network.

share_network:remove_security_service
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /share-networks/{share_network_id}/action

Scope Types:
  • project

Remove security service from share network.

share_network:update_security_service
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /share-networks/{share_network_id}/action

Scope Types:
  • project

Update a security service of a share network.

share_network:update_security_service_check
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /share-networks/{share_network_id}/action

Scope Types:
  • project

Check the feasibility of updating a security service of a share network.

share_network:reset_status
Default:

rule:context_is_admin

Operations:
  • POST /share-networks/{share_network_id}/action

Scope Types:
  • project

Reset share network’s status.

share_network:get_all_share_networks
Default:

rule:context_is_admin

Operations:
  • GET /share-networks?all_tenants=1

  • GET /share-networks/detail?all_tenants=1

Scope Types:
  • project

Get share networks belonging to all projects.

share_network:subnet_create_check
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /share-networks/{share_network_id}/action

Scope Types:
  • project

Check the feasibility of creating a new share network subnet for a share network.

share_network_subnet:create
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /share-networks/{share_network_id}/subnets

Scope Types:
  • project

Create a new share network subnet.

share_network_subnet:delete
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • DELETE /share-networks/{share_network_id}/subnets/{share_network_subnet_id}

Scope Types:
  • project

Delete a share network subnet.

share_network_subnet:show
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-networks/{share_network_id}/subnets/{share_network_subnet_id}

Scope Types:
  • project

Shows a share network subnet.

share_network_subnet:index
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-networks/{share_network_id}/subnets

Scope Types:
  • project

Get all share network subnets.

share_network_subnet:update_metadata
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • PUT /share-networks/{share_network_id}/subnets/{share_network_subnet_id}/metadata

  • POST /share-networks/{share_network_id}/subnets/{share_network_subnet_id}/metadata/{key}

  • POST /share-networks/{share_network_id}/subnets/{share_network_subnet_id}/metadata

Scope Types:
  • system

  • project

Update share network subnet metadata.

share_network_subnet:delete_metadata
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • DELETE /share-networks/{share_network_id}/subnets/{share_network_subnet_id}/metadata/{key}

Scope Types:
  • system

  • project

Delete share network subnet metadata.

share_network_subnet:get_metadata
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-networks/{share_network_id}/subnets/{share_network_subnet_id}/metadata

  • GET /share-networks/{share_network_id}/subnets/{share_network_subnet_id}/metadata/{key}

Scope Types:
  • system

  • project

Get share network subnet metadata.

security_service:create
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /security-services

Scope Types:
  • project

Create security service.

security_service:show
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /security-services/{security_service_id}

Scope Types:
  • project

Get details of a security service.

security_service:detail
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /security-services/detail?{query}

Scope Types:
  • project

Get details of all security services.

security_service:index
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /security-services?{query}

Scope Types:
  • project

Get all security services under a project.

security_service:update
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • PUT /security-services/{security_service_id}

Scope Types:
  • project

Update a security service.

security_service:delete
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • DELETE /security-services/{security_service_id}

Scope Types:
  • project

Delete a security service.

security_service:get_all_security_services
Default:

rule:context_is_admin

Operations:
  • GET /security-services?all_tenants=1

  • GET /security-services/detail?all_tenants=1

Scope Types:
  • project

Get security services of all projects.

share_export_location:index
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /shares/{share_id}/export_locations

Scope Types:
  • project

Get all export locations of a given share.

share_export_location:show
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /shares/{share_id}/export_locations/{export_location_id}

Scope Types:
  • project

Get details about the requested export location.

share_export_location:update_metadata
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • PUT /shares/{share_id}/export_locations/{export_location_id}/metadata

  • POST /shares/{share_id}/export_locations/{export_location_id}/metadata/{key}

  • POST /shares/{share_id}/export_locations/{export_location_id}/metadata

Scope Types:
  • project

Update share export location metadata.

share_export_location:delete_metadata
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • DELETE /shares/{share_id}/export_locations/{export_location_id}/metadata/{key}

Scope Types:
  • project

Delete share export location metadata.

share_export_location:get_metadata
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /shares/{share_id}/export_locations/{export_location_id}/metadata

  • GET /shares/{share_id}/export_locations/{export_location_id}/metadata/{key}

Scope Types:
  • project

Get share export location metadata.

share_export_location:update_admin_only_metadata
Default:

rule:context_is_admin

Operations:
  • PUT /shares/{share_id}/export_locations/{export_location_id}/metadata

Scope Types:
  • project

Update metadata items that are considered “admin only” by the service.

share_instance:index
Default:

rule:context_is_admin

Operations:
  • GET /share_instances

  • GET /share_instances?{query}

Scope Types:
  • project

Get all share instances.

share_instance:show
Default:

rule:context_is_admin

Operations:
  • GET /share_instances/{share_instance_id}

Scope Types:
  • project

Get details of a share instance.

share_instance:force_delete
Default:

rule:context_is_admin

Operations:
  • POST /share_instances/{share_instance_id}/action

Scope Types:
  • project

Force delete a share instance.

share_instance:reset_status
Default:

rule:context_is_admin

Operations:
  • POST /share_instances/{share_instance_id}/action

Scope Types:
  • project

Reset share instance’s status.

message:get
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /messages/{message_id}

Scope Types:
  • project

Get details of a given message.

message:get_all
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /messages

  • GET /messages?{query}

Scope Types:
  • project

Get all messages.

message:delete
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • DELETE /messages/{message_id}

Scope Types:
  • project

Delete a message.

share_access_rule:get
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-access-rules/{share_access_id}

Scope Types:
  • project

Get details of a share access rule.

share_access_rule:index
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-access-rules?share_id={share_id}&key1=value1&key2=value2

Scope Types:
  • project

List access rules of a given share.

share_access_metadata:update
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • PUT /share-access-rules/{share_access_id}/metadata

Scope Types:
  • project

Set metadata for a share access rule.

share_access_metadata:delete
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • DELETE /share-access-rules/{share_access_id}/metadata/{key}

Scope Types:
  • project

Delete metadata for a share access rule.

share_transfer:get_all
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-transfers

  • GET /share-transfers/detail

List share transfers.

share_transfer:get_all_tenant
Default:

rule:context_is_admin

Operations:
  • GET /share-transfers

  • GET /share-transfers/detail

Scope Types:
  • project

List share transfers with all tenants.

share_transfer:create
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /share-transfers

Create a share transfer.

share_transfer:get
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-transfers/{transfer_id}

Show one specified share transfer.

share_transfer:accept
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /share-transfers/{transfer_id}/accept

Accept a share transfer.

share_transfer:delete
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • DELETE /share-transfers/{transfer_id}

Delete share transfer.

share_backup:create
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /share-backups

Scope Types:
  • project

Create share backup.

share_backup:get
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-backups/{backup_id}

Scope Types:
  • project

Get share backup.

share_backup:get_all
Default:

(rule:context_is_admin) or (rule:project-reader)

Operations:
  • GET /share-backups

  • GET /share-backups/detail

  • GET /share-backups/detail?share_id={share_id}

Scope Types:
  • project

Get all share backups.

share_backup:get_all_project
Default:

rule:context_is_admin

Operations:
  • GET /share-backups?all_tenants=1

  • GET /share-backups/detail?all_tenants=1

Scope Types:
  • project

Get share backups of all projects.

share_backup:restore
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • POST /share-backups/{backup_id}/action

Scope Types:
  • project

Restore a share backup.

share_backup:reset_status
Default:

rule:context_is_admin

Operations:
  • POST /share-backups/{backup_id}/action

Scope Types:
  • project

Reset status.

share_backup:update
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • PUT /share-backups/{backup_id}

Scope Types:
  • project

Update a share backup.

share_backup:delete
Default:

(rule:context_is_admin) or (rule:project-member)

Operations:
  • DELETE /share-backups/{backup_id}

Scope Types:
  • project

Force Delete a share backup.