Policy Reference
Warning
The JSON-formatted policy file is deprecated since Neutron 18.0.0 (Wallaby). The oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.
Neutron, like most OpenStack projects, uses a policy language to restrict
permissions on REST API actions. Policy defaults are defined in the codebase
and can be overridden in a policy.yaml file.
Each policy entry in the reference below contains three important fields:
- Default: The check string (check_str) evaluated at runtime. Operators can override this value in policy.yaml.
- Scope Types: The Keystone token scope required to call the API. This value is defined in code and cannot be overridden in policy.yaml.
- Description: A short summary of what the policy protects.
Scope
OpenStack Keystone supports different authorization scopes in tokens: system,
domain, and project. These are described in the Keystone tokens
overview.
Policy scope_types represent the scope that a token must carry in order to
invoke an API. Token scope is the authorization layer; it is not the same
thing as restricting access to a particular project or resource.
Note
Scope Types tells you what kind of token is required (for example, a project-scoped token). It does not mean that the caller is limited to the project that owns the resource. Resource-level restrictions are expressed in the Default check string.
Neutron policies currently define scope_types as project for all API
rules. This means that requests made with system- or domain-scoped
tokens, or with unscoped tokens, are rejected before the Default rule is
evaluated.
For example, consider POST /ports/{port_id}/bindings/:
create_port_binding
Default: rule:service_api
Scope Types: project
Here, project means the caller must present a project-scoped token.
The Default value rule:service_api resolves to role:service and does
not include a project_id:%(project_id)s check. A service user with a
project-scoped token from any project can call this API.
Compare that with POST /networks:
create_network
Default: rule:admin_or_project_member
Scope Types: project
Again, project requires a project-scoped token. The Default value
additionally requires the caller to be a cloud administrator or a member of
the project that owns the network (role:member and
project_id:%(project_id)s).
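The two-stage evaluation described above (scope gate first, then the Default check string), modelled in Python. This is an added example, not Neutron or oslo.policy code: the check strings are copied from this page, while the token and target dictionaries, the helper names and the project names are constructed for illustration.

```python
import re

# Check strings copied from this page; only rule:, role: and generic
# key:%(target_key)s checks are modelled (no field: checks).
RULES = {
    "context_is_admin": "role:admin",
    "admin_only": "rule:context_is_admin",
    "service_api": "role:service",
    "create_port_binding": "rule:service_api",
    "get_port_binding": "(rule:admin_only) or (rule:service_api)",
    "create_network":
        "(rule:admin_only) or (role:member and project_id:%(project_id)s)",
}
# scope_types lives in code, not in policy.yaml; every API rule is "project".
SCOPE_TYPES = {name: {"project"} for name in
               ("create_port_binding", "get_port_binding", "create_network")}

# "(" and ")" are tokens, but the parentheses inside %(name)s belong to a check.
TOKEN = re.compile(r"\(|\)|(?:%\(\w+\)s|[^\s()])+")


def check(expr, creds, target):
    """Evaluate a check string; precedence is not > and > or."""
    tokens = TOKEN.findall(expr)
    pos = 0

    def peek():
        return tokens[pos].lower() if pos < len(tokens) else None

    def atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = or_expr()
            pos += 1  # consume the matching ")"
            return value
        if tok.lower() == "not":
            return not atom()
        kind, _, match = tok.partition(":")
        if kind == "rule":
            return check(RULES[match], creds, target)
        if kind == "role":
            return match in creds["roles"]
        try:  # generic check, e.g. project_id:%(project_id)s
            return str(creds.get(kind)) == match % target
        except KeyError:
            return False

    def and_expr():
        nonlocal pos
        value = atom()
        while peek() == "and":
            pos += 1
            rhs = atom()  # always parse the right-hand side, then combine
            value = value and rhs
        return value

    def or_expr():
        nonlocal pos
        value = and_expr()
        while peek() == "or":
            pos += 1
            rhs = and_expr()
            value = value or rhs
        return value

    return or_expr()


def enforce(action, token, target):
    """Return (allowed, stage); the scope gate runs before the check string."""
    if token.get("scope") not in SCOPE_TYPES[action]:
        return False, "scope"  # 403 Forbidden, Default is never evaluated
    return check(RULES[action], token, target), "default"


def cross_project_roles(action):
    """Roles that pass `action` from project-a against a project-b resource."""
    target = {"project_id": "project-b"}  # constructed resource owner
    passing = []
    for role in ("admin", "service", "manager", "member", "reader"):
        token = {"scope": "project", "project_id": "project-a",
                 "roles": [role]}  # constructed project-scoped token
        if enforce(action, token, target)[0]:
            passing.append(role)
    return passing


if __name__ == "__main__":
    for action in sorted(SCOPE_TYPES):
        print(action, "->", cross_project_roles(action))
```

Running `cross_project_roles` over an overridden policy.yaml is a quick way to see which roles a change lets act on another project's resources.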
Policy configuration options
Scope enforcement ([oslo_policy] enforce_scope) is always active; the
option is deprecated for removal and its default value is True. Neutron
requires a token whose scope matches the policy scope_types. Requests
with a mismatching scope are rejected with 403 Forbidden.
The oslo_policy.enforce_new_defaults option (default
True since oslo.policy 4.4.0 / OpenStack 2024.2) controls whether legacy
deprecated check strings are considered during policy evaluation:
- When True, only the new default check strings documented in the Default column below are evaluated.
- When False, legacy deprecated check strings are logically OR’d with the new defaults, allowing deployments that still rely on old policy rules to operate during a gradual migration.
This option is not deprecated. It remains the supported way to fall back
to legacy policy behavior. Neutron still contains deprecated policy check
strings for backward compatibility; once those are removed from the codebase,
setting this option to False will no longer change enforcement behavior.
Operators who need to temporarily restore legacy policy behavior can set the
option in neutron.conf:
[oslo_policy]
enforce_new_defaults = false
Roles
Keystone provides admin, manager, member, and reader roles by
default. Refer to the Keystone service API protection documentation
for details about these roles.
Neutron defines reusable check strings in neutron/conf/policies/base.py.
The most common ones are listed below.
Base roles
- admin (rule:admin_only / rule:context_is_admin): Cloud administrator. Can perform administrative operations regardless of project ownership.
- service (rule:service_api): Internal service-to-service communication. Assigned to service users (for example, the user configured for Nova or Neutron in other services’ config files). Must not be granted to human accounts.
- manager (PROJECT_MANAGER): role:manager and project_id:%(project_id)s. Project-level management operations within the caller’s project.
- member (PROJECT_MEMBER): role:member and project_id:%(project_id)s. Typical end-user operations on project-owned resources (for example, creating ports or routers).
- reader (PROJECT_READER): role:reader and project_id:%(project_id)s. Read-only access to project-owned resources.
Composite rules
The following composite check strings combine the base roles above. They are the Default values for most Neutron API policies:
- rule:admin_or_project_manager: Administrator, or manager in the resource’s project.
- rule:admin_or_project_member: Administrator, or member in the resource’s project.
- rule:admin_or_project_reader: Administrator, or reader in the resource’s project.
- rule:admin_or_service: Administrator, or a service user with the service role.
Owner-based rules
Some resources do not carry their own project_id (for example, QoS rules
or floating IP port-forwarding entries). For those, Neutron uses owner checks
against a parent or related resource:
- rule:admin_or_parent_owner_member / rule:admin_or_parent_owner_reader: Administrator, or member / reader in the parent resource’s project.
- rule:admin_or_net_owner_member / rule:admin_or_net_owner_reader: Administrator, or member / reader in the network owner’s project.
- rule:admin_or_sg_owner_member / rule:admin_or_sg_owner_reader: Administrator, or member / reader in the security group’s project.
Legacy rules
The following rules are retained for backward compatibility:
- rule:admin_or_owner: Administrator, or the project that owns the resource.
- rule:owner: project_id:%(project_id)s.
- rule:context_is_advsvc (role:advsvc): Deprecated since 2024.1 in favour of the service role.
Neutron supported scope and roles
Neutron supports the following scope and role combinations. Roles can be
overridden in policy.yaml, but scope_types cannot.
- ADMIN: admin role on a project-scoped token. Administrative read and write operations (for example, creating shared or external networks).
- PROJECT_MANAGER: manager role on a project-scoped token. Project-level management operations within the caller’s project.
- PROJECT_MEMBER: member role on a project-scoped token. Resource owner write operations within the caller’s project (for example, creating a port or router).
- PROJECT_READER: reader role on a project-scoped token. Read-only operations within the caller’s project (for example, listing networks).
- ADMIN_OR_PROJECT_MANAGER: admin or manager on a project-scoped token. Default for project management APIs.
- ADMIN_OR_PROJECT_MEMBER: admin or member on a project-scoped token. Default for most owner-level write APIs.
- ADMIN_OR_PROJECT_READER: admin or reader on a project-scoped token. Default for most read-only APIs.
- SERVICE (internal): service role on a project-scoped token. Default for service-to-service APIs (for example, port bindings).
For more information about how policies are enforced in the API layer, refer to Policy Enforcement and Authorization. For using custom roles beyond the defaults, refer to Custom Policy Roles.
Policy rules
The following is a complete reference of all available policies in Neutron.
For a sample policy file, refer to Sample Policy File.
neutron

context_is_admin
Default: role:admin
Rule for cloud admin access

context_with_global_access
Default: !
Rule for context with global access to the resources

service_api
Default: role:service
Default rule for the service-to-service APIs.

owner
Default: project_id:%(project_id)s
Rule for resource owner access

admin_or_owner
Default: rule:context_is_admin or rule:owner
Rule for admin or owner access

context_is_advsvc
Default: role:advsvc
Rule for advsvc role access

admin_or_network_owner
Default: rule:context_is_admin or project_id:%(network:project_id)s
Rule for admin or network owner access

admin_owner_or_network_owner
Default: rule:owner or rule:admin_or_network_owner
Rule for resource owner, admin or network owner access

network_owner
Default: project_id:%(network:project_id)s
Rule for network owner access

admin_only
Default: rule:context_is_admin
Rule for admin-only access

regular_user
Default: <empty string>
Rule for regular user access

shared
Default: field:networks:shared=True
Rule of shared network

default
Default: rule:admin_or_owner
Default access rule

admin_or_ext_parent_owner
Default: rule:context_is_admin or project_id:%(ext_parent:project_id)s
Rule for common parent owner check

ext_parent_owner
Default: project_id:%(ext_parent:project_id)s
Rule for common parent owner check

sg_owner
Default: project_id:%(security_group:project_id)s
Rule for security group owner access

shared_address_groups
Default: field:address_groups:shared=True
Definition of a shared address group

create_address_group
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: POST /address-groups
Scope Types: project
Create an address group

get_address_group
Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups
Operations: GET /address-groups, GET /address-groups/{id}
Scope Types: project
Get an address group

update_address_group
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: PUT /address-groups/{id}
Scope Types: project
Update an address group

delete_address_group
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: DELETE /address-groups/{id}
Scope Types: project
Delete an address group

add_addresses
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: PUT /address-groups/{id}/add_addresses
Scope Types: project
Add addresses to an address group

remove_addresses
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: PUT /address-groups/{id}/remove_addresses
Scope Types: project
Remove addresses from an address group

shared_address_scopes
Default: field:address_scopes:shared=True
Definition of a shared address scope

create_address_scope
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: POST /address-scopes
Scope Types: project
Create an address scope

create_address_scope:shared
Default: rule:admin_only
Operations: POST /address-scopes
Scope Types: project
Create a shared address scope

get_address_scope
Default: rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared_address_scopes
Operations: GET /address-scopes, GET /address-scopes/{id}
Scope Types: project
Get an address scope

update_address_scope
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: PUT /address-scopes/{id}
Scope Types: project
Update an address scope

update_address_scope:shared
Default: rule:admin_only
Operations: PUT /address-scopes/{id}
Scope Types: project
Update shared attribute of an address scope

delete_address_scope
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: DELETE /address-scopes/{id}
Scope Types: project
Delete an address scope

create_agent
Default: rule:admin_only
Operations: POST /agents
Scope Types: project
Create an agent

get_agent
Default: rule:admin_only
Operations: GET /agents, GET /agents/{id}
Scope Types: project
Get an agent

update_agent
Default: rule:admin_only
Operations: PUT /agents/{id}
Scope Types: project
Update an agent

delete_agent
Default: rule:admin_only
Operations: DELETE /agents/{id}
Scope Types: project
Delete an agent

create_dhcp-network
Default: rule:admin_only
Operations: POST /agents/{agent_id}/dhcp-networks
Scope Types: project
Add a network to a DHCP agent

get_dhcp-networks
Default: rule:admin_only
Operations: GET /agents/{agent_id}/dhcp-networks
Scope Types: project
List networks on a DHCP agent

delete_dhcp-network
Default: rule:admin_only
Operations: DELETE /agents/{agent_id}/dhcp-networks/{network_id}
Scope Types: project
Remove a network from a DHCP agent

create_l3-router
Default: rule:admin_only
Operations: POST /agents/{agent_id}/l3-routers
Scope Types: project
Add a router to an L3 agent

get_l3-routers
Default: rule:admin_only
Operations: GET /agents/{agent_id}/l3-routers
Scope Types: project
List routers on an L3 agent

delete_l3-router
Default: rule:admin_only
Operations: DELETE /agents/{agent_id}/l3-routers/{router_id}
Scope Types: project
Remove a router from an L3 agent

get_dhcp-agents
Default: rule:admin_only
Operations: GET /networks/{network_id}/dhcp-agents
Scope Types: project
List DHCP agents hosting a network

get_l3-agents
Default: rule:admin_only
Operations: GET /routers/{router_id}/l3-agents
Scope Types: project
List L3 agents hosting a router

get_auto_allocated_topology
Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
Operations: GET /auto-allocated-topology/{project_id}
Scope Types: project
Get a project’s auto-allocated topology

delete_auto_allocated_topology
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: DELETE /auto-allocated-topology/{project_id}
Scope Types: project
Delete a project’s auto-allocated topology

get_availability_zone
Default: role:reader
Operations: GET /availability_zones
Scope Types: project
List availability zones

create_default_security_group_rule
Default: rule:admin_only
Operations: POST /default-security-group-rules
Scope Types: project
Create a template of the security group rule

get_default_security_group_rule
Default: role:reader
Operations: GET /default-security-group-rules, GET /default-security-group-rules/{id}
Scope Types: project
Get a template of the security group rule

delete_default_security_group_rule
Default: rule:admin_only
Operations: DELETE /default-security-group-rules/{id}
Scope Types: project
Delete a template of the security group rule

create_router:evpn_vni
Default: rule:admin_only
Operations: POST /routers
Scope Types: project
Specify evpn_vni attribute when creating a router

get_router:evpn_vni
Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
Operations: GET /routers, GET /routers/{id}
Scope Types: project
Get evpn_vni attribute of a router

create_flavor
Default: rule:admin_only
Operations: POST /flavors
Scope Types: project
Create a flavor

get_flavor
Default: role:reader
Operations: GET /flavors, GET /flavors/{id}
Scope Types: project
Get a flavor

update_flavor
Default: rule:admin_only
Operations: PUT /flavors/{id}
Scope Types: project
Update a flavor

delete_flavor
Default: rule:admin_only
Operations: DELETE /flavors/{id}
Scope Types: project
Delete a flavor

create_service_profile
Default: rule:admin_only
Operations: POST /service_profiles
Scope Types: project
Create a service profile

get_service_profile
Default: rule:admin_only
Operations: GET /service_profiles, GET /service_profiles/{id}
Scope Types: project
Get a service profile

update_service_profile
Default: rule:admin_only
Operations: PUT /service_profiles/{id}
Scope Types: project
Update a service profile

delete_service_profile
Default: rule:admin_only
Operations: DELETE /service_profiles/{id}
Scope Types: project
Delete a service profile

get_flavor_service_profile
Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
Scope Types: project
Get a flavor associated with a given service profile. There is no corresponding GET operation in the API currently. This rule is currently referenced only in the DELETE of flavor_service_profile.

create_flavor_service_profile
Default: rule:admin_only
Operations: POST /flavors/{flavor_id}/service_profiles
Scope Types: project
Associate a flavor with a service profile

delete_flavor_service_profile
Default: rule:admin_only
Operations: DELETE /flavors/{flavor_id}/service_profiles/{profile_id}
Scope Types: project
Disassociate a flavor from a service profile

create_floatingip
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: POST /floatingips
Scope Types: project
Create a floating IP

create_floatingip:floating_ip_address
Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
Operations: POST /floatingips
Scope Types: project
Create a floating IP with a specific IP address

create_floatingip:tags
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: POST /floatingips/{id}/tags
Scope Types: project
Create the floating IP tags

get_floatingip
Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
Operations: GET /floatingips, GET /floatingips/{id}
Scope Types: project
Get a floating IP

get_floatingip:tags
Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
Operations: GET /floatingips/{id}/tags, GET /floatingips/{id}/tags/{tag_id}
Scope Types: project
Get the floating IP tags

update_floatingip
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: PUT /floatingips/{id}
Scope Types: project
Update a floating IP

update_floatingip:tags
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: PUT /floatingips/{id}/tags, PUT /floatingips/{id}/tags/{tag_id}
Scope Types: project
Update the floating IP tags

delete_floatingip
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: DELETE /floatingips/{id}
Scope Types: project
Delete a floating IP

delete_floatingip:tags
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: DELETE /floatingips/{id}/tags, DELETE /floatingips/{id}/tags/{tag_id}
Scope Types: project
Delete the floating IP tags

get_floatingip_pool
Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
Operations: GET /floatingip_pools
Scope Types: project
Get floating IP pools

create_floatingip_port_forwarding
Default: (rule:admin_only) or (role:member and rule:ext_parent_owner)
Operations: POST /floatingips/{floatingip_id}/port_forwardings
Scope Types: project
Create a floating IP port forwarding

get_floatingip_port_forwarding
Default: (rule:admin_only) or (role:reader and rule:ext_parent_owner)
Operations: GET /floatingips/{floatingip_id}/port_forwardings, GET /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
Scope Types: project
Get a floating IP port forwarding

update_floatingip_port_forwarding
Default: (rule:admin_only) or (role:member and rule:ext_parent_owner)
Operations: PUT /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
Scope Types: project
Update a floating IP port forwarding

delete_floatingip_port_forwarding
Default: (rule:admin_only) or (role:member and rule:ext_parent_owner)
Operations: DELETE /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
Scope Types: project
Delete a floating IP port forwarding

create_router_conntrack_helper
Default: (rule:admin_only) or (role:member and rule:ext_parent_owner)
Operations: POST /routers/{router_id}/conntrack_helpers
Scope Types: project
Create a router conntrack helper

get_router_conntrack_helper
Default: (rule:admin_only) or (role:reader and rule:ext_parent_owner)
Operations: GET /routers/{router_id}/conntrack_helpers, GET /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
Scope Types: project
Get a router conntrack helper

update_router_conntrack_helper
Default: (rule:admin_only) or (role:member and rule:ext_parent_owner)
Operations: PUT /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
Scope Types: project
Update a router conntrack helper

delete_router_conntrack_helper
Default: (rule:admin_only) or (role:member and rule:ext_parent_owner)
Operations: DELETE /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
Scope Types: project
Delete a router conntrack helper

create_local_ip
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: POST /local-ips
Scope Types: project
Create a Local IP

get_local_ip
Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
Operations: GET /local-ips, GET /local-ips/{id}
Scope Types: project
Get a Local IP

update_local_ip
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: PUT /local-ips/{id}
Scope Types: project
Update a Local IP

delete_local_ip
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: DELETE /local-ips/{id}
Scope Types: project
Delete a Local IP

create_local_ip_port_association
Default: (rule:admin_only) or (role:member and rule:ext_parent_owner)
Operations: POST /local_ips/{local_ip_id}/port_associations
Scope Types: project
Create a Local IP port association

get_local_ip_port_association
Default: (rule:admin_only) or (role:reader and rule:ext_parent_owner)
Operations: GET /local_ips/{local_ip_id}/port_associations, GET /local_ips/{local_ip_id}/port_associations/{fixed_port_id}
Scope Types: project
Get a Local IP port association

delete_local_ip_port_association
Default: (rule:admin_only) or (role:member and rule:ext_parent_owner)
Operations: DELETE /local_ips/{local_ip_id}/port_associations/{fixed_port_id}
Scope Types: project
Delete a Local IP port association

get_loggable_resource
Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
Operations: GET /log/loggable-resources
Scope Types: project
Get loggable resources

create_log
Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
Operations: POST /log/logs
Scope Types: project
Create a network log

get_log
Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
Operations: GET /log/logs, GET /log/logs/{id}
Scope Types: project
Get a network log

update_log
Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
Operations: PUT /log/logs/{id}
Scope Types: project
Update a network log

delete_log
Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
Operations: DELETE /log/logs/{id}
Scope Types: project
Delete a network log

create_metering_label
Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
Operations: POST /metering/metering-labels
Scope Types: project
Create a metering label

get_metering_label
Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
Operations: GET /metering/metering-labels, GET /metering/metering-labels/{id}
Scope Types: project
Get a metering label

delete_metering_label
Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
Operations: DELETE /metering/metering-labels/{id}
Scope Types: project
Delete a metering label

create_metering_label_rule
Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
Operations: POST /metering/metering-label-rules
Scope Types: project
Create a metering label rule

get_metering_label_rule
Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
Operations: GET /metering/metering-label-rules, GET /metering/metering-label-rules/{id}
Scope Types: project
Get a metering label rule

delete_metering_label_rule
Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
Operations: DELETE /metering/metering-label-rules/{id}
Scope Types: project
Delete a metering label rule

create_ndp_proxy
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: POST /ndp_proxies
Scope Types: project
Create an NDP proxy

get_ndp_proxy
Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
Operations: GET /ndp_proxies, GET /ndp_proxies/{id}
Scope Types: project
Get an NDP proxy

update_ndp_proxy
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: PUT /ndp_proxies/{id}
Scope Types: project
Update an NDP proxy

delete_ndp_proxy
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: DELETE /ndp_proxies/{id}
Scope Types: project
Delete an NDP proxy

external
Default: field:networks:router:external=True
Definition of an external network

create_network
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: POST /networks
Scope Types: project
Create a network

create_network:shared
Default: rule:admin_only
Operations: POST /networks
Scope Types: project
Create a shared network

create_network:router:external
Default: rule:admin_only
Operations: POST /networks
Scope Types: project
Create an external network

create_network:is_default
Default: rule:admin_only
Operations: POST /networks
Scope Types: project
Specify is_default attribute when creating a network

create_network:port_security_enabled
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: POST /networks
Scope Types: project
Specify port_security_enabled attribute when creating a network

create_network:segments
Default: rule:admin_only
Operations: POST /networks
Scope Types: project
Specify segments attribute when creating a network

create_network:provider:network_type
Default: rule:admin_only
Operations: POST /networks
Scope Types: project
Specify provider:network_type when creating a network

create_network:provider:physical_network
Default: rule:admin_only
Operations: POST /networks
Scope Types: project
Specify provider:physical_network when creating a network

create_network:provider:segmentation_id
Default: rule:admin_only
Operations: POST /networks
Scope Types: project
Specify provider:segmentation_id when creating a network

create_network:tags
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: POST /networks/{id}/tags
Scope Types: project
Create the network tags

get_network
Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:service_api or rule:shared or rule:external or rule:context_is_advsvc
Operations: GET /networks, GET /networks/{id}
Scope Types: project
Get a network

get_network:segments
Default: rule:admin_only
Operations: GET /networks, GET /networks/{id}
Scope Types: project
Get segments attribute of a network

get_network:provider:network_type
Default: rule:admin_only
Operations: GET /networks, GET /networks/{id}
Scope Types: project
Get provider:network_type attribute of a network

get_network:provider:physical_network
Default: rule:admin_only
Operations: GET /networks, GET /networks/{id}
Scope Types: project
Get provider:physical_network attribute of a network

get_network:provider:segmentation_id
Default: rule:admin_only
Operations: GET /networks, GET /networks/{id}
Scope Types: project
Get provider:segmentation_id attribute of a network

get_network:tags
Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc
Operations: GET /networks/{id}/tags, GET /networks/{id}/tags/{tag_id}
Scope Types: project
Get the network tags

update_network
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: PUT /networks/{id}
Scope Types: project
Update a network

update_network:segments
Default: rule:admin_only
Operations: PUT /networks/{id}
Scope Types: project
Update segments attribute of a network

update_network:shared
Default: rule:admin_only
Operations: PUT /networks/{id}
Scope Types: project
Update shared attribute of a network

update_network:provider:network_type
Default: rule:admin_only
Operations: PUT /networks/{id}
Scope Types: project
Update provider:network_type attribute of a network

update_network:provider:physical_network
Default: rule:admin_only
Operations: PUT /networks/{id}
Scope Types: project
Update provider:physical_network attribute of a network

update_network:provider:segmentation_id
Default: rule:admin_only
Operations: PUT /networks/{id}
Scope Types: project
Update provider:segmentation_id attribute of a network

update_network:router:external
Default: rule:admin_only
Operations: PUT /networks/{id}
Scope Types: project
Update router:external attribute of a network

update_network:is_default
Default: rule:admin_only
Operations: PUT /networks/{id}
Scope Types: project
Update is_default attribute of a network

update_network:port_security_enabled
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: PUT /networks/{id}
Scope Types: project
Update port_security_enabled attribute of a network

update_network:tags
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: PUT /networks/{id}/tags, PUT /networks/{id}/tags/{tag_id}
Scope Types: project
Update the network tags

delete_network
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: DELETE /networks/{id}
Scope Types: project
Delete a network

delete_network:tags
Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
Operations: DELETE /networks/{id}/tags, DELETE /networks/{id}/tags/{tag_id}
Scope Types: project
Delete the network tags

get_network_ip_availability
Default: (rule:admin_only) or (rule:service_api)
Operations: GET /network-ip-availabilities, GET /network-ip-availabilities/{network_id}
Scope Types: project
Get network IP availability

create_network_segment_range
Default: rule:admin_only
Operations: POST /network_segment_ranges
Scope Types: project
Create a network segment range

create_network_segment_range:tags
Default: rule:admin_only
Operations: POST /network_segment_ranges/{id}/tags
Scope Types: project
Create the network segment range tags

get_network_segment_range
Default: rule:admin_only
Operations: GET /network_segment_ranges, GET /network_segment_ranges/{id}
Scope Types: project
Get a network segment range

get_network_segment_range:tags
Default: rule:admin_only
Operations: GET /network_segment_ranges/{id}/tags, GET /network_segment_ranges/{id}/tags/{tag_id}
Scope Types: project
Get the network segment range tags

update_network_segment_range
Default: rule:admin_only
Operations: PUT /network_segment_ranges/{id}
Scope Types: project
Update a network segment range

update_network_segment_range:tags
Default: rule:admin_only
Operations: PUT /network_segment_ranges/{id}/tags, PUT /network_segment_ranges/{id}/tags/{tag_id}
Scope Types: project
Update the network segment range tags

delete_network_segment_range
Default: rule:admin_only
Operations: DELETE /network_segment_ranges/{id}
Scope Types: project
Delete a network segment range

delete_network_segment_range:tags
Default: rule:admin_only
Operations: DELETE /network_segment_ranges/{id}/tags, DELETE /network_segment_ranges/{id}/tags/{tag_id}
Scope Types: project
Delete the network segment range tags

get_port_binding
Default: (rule:admin_only) or (rule:service_api)
Operations: GET /ports/{port_id}/bindings/
Scope Types: project
Get port binding information

create_port_binding
Default: rule:service_api
Operations: POST /ports/{port_id}/bindings/
Scope Types: project
Create port binding on the host

delete_port_binding
Default: rule:service_api
Operations: DELETE /ports/{port_id}/bindings/
Scope Types: project
Delete port binding on the host

activate
Default: rule:service_api
Operations: PUT /ports/{port_id}/bindings/{host}
Scope Types: project
Activate port binding on the host

network_device- Default:
field:port:device_owner=~^network:
Definition of port with network device_owner
admin_or_data_plane_int- Default:
rule:context_is_admin or role:data_plane_integrator
Rule for data plane integration
create_port- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api- Operations:
POST
/ports
- Scope Types:
project
Create a port
create_port:device_id- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api- Operations:
POST
/ports
- Scope Types:
project
Specify device_id attribute when creating a port
create_port:device_owner- Default:
not rule:network_device or (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner- Operations:
POST
/ports
- Scope Types:
project
Specify device_owner attribute when creating a port
create_port:mac_address- Default:
(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner- Operations:
POST
/ports
- Scope Types:
project
Specify mac_address attribute when creating a port
create_port:fixed_ips- Default:
(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or rule:shared- Operations:
POST
/ports
- Scope Types:
project
Specify fixed_ips information when creating a port
create_port:fixed_ips:ip_address- Default:
(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner- Operations:
POST
/ports
- Scope Types:
project
Specify IP address in fixed_ips when creating a port
create_port:fixed_ips:subnet_id- Default:
(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or rule:shared- Operations:
POST
/ports
- Scope Types:
project
Specify subnet ID in fixed_ips when creating a port
create_port:port_security_enabled- Default:
(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner- Operations:
POST
/ports
- Scope Types:
project
Specify port_security_enabled attribute when creating a port
create_port:binding:host_id- Default:
(rule:admin_only) or (rule:service_api)- Operations:
POST
/ports
- Scope Types:
project
Specify binding:host_id attribute when creating a port
create_port:binding:profile- Default:
rule:service_api- Operations:
POST
/ports
- Scope Types:
project
Specify binding:profile attribute when creating a port
create_port:binding:vnic_type- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api- Operations:
POST
/ports
- Scope Types:
project
Specify binding:vnic_type attribute when creating a port
create_port:allowed_address_pairs- Default:
(rule:admin_only) or (role:member and rule:network_owner) or rule:service_api- Operations:
POST
/ports
- Scope Types:
project
Specify allowed_address_pairs attribute when creating a port
create_port:allowed_address_pairs:mac_address- Default:
(rule:admin_only) or (role:member and rule:network_owner) or rule:service_api- Operations:
POST
/ports
- Scope Types:
project
Specify mac_address of allowed_address_pairs attribute when creating a port
create_port:allowed_address_pairs:ip_address- Default:
(rule:admin_only) or (role:member and rule:network_owner) or rule:service_api- Operations:
POST
/ports
- Scope Types:
project
Specify ip_address of allowed_address_pairs attribute when creating a port
create_port:hints- Default:
rule:admin_only- Operations:
POST
/ports
- Scope Types:
project
Specify hints attribute when creating a port
create_port:trusted- Default:
rule:admin_only- Operations:
POST
/ports
- Scope Types:
project
Specify trusted attribute when creating a port
create_port:tags- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc- Operations:
POST
/ports/{id}/tags
- Scope Types:
project
Create the port tags
get_port- Default:
(rule:admin_only) or (rule:service_api) or role:reader and rule:network_owner or role:reader and project_id:%(project_id)s- Operations:
GET
/ports
GET
/ports/{id}
- Scope Types:
project
Get a port
get_port:binding:vif_type- Default:
(rule:admin_only) or (rule:service_api)- Operations:
GET
/ports
GET
/ports/{id}
- Scope Types:
project
Get binding:vif_type attribute of a port
get_port:binding:vif_details- Default:
(rule:admin_only) or (rule:service_api)- Operations:
GET
/ports
GET
/ports/{id}
- Scope Types:
project
Get binding:vif_details attribute of a port
get_port:binding:host_id- Default:
(rule:admin_only) or (rule:service_api)- Operations:
GET
/ports
GET
/ports/{id}
- Scope Types:
project
Get binding:host_id attribute of a port
get_port:binding:profile- Default:
(rule:admin_only) or (rule:service_api)- Operations:
GET
/ports
GET
/ports/{id}
- Scope Types:
project
Get binding:profile attribute of a port
get_port:resource_request- Default:
rule:admin_only- Operations:
GET
/ports
GET
/ports/{id}
- Scope Types:
project
Get resource_request attribute of a port
get_port:hints- Default:
rule:admin_only- Operations:
GET
/ports
GET
/ports/{id}
- Scope Types:
project
Get hints attribute of a port
get_port:trusted- Default:
rule:admin_only- Operations:
GET
/ports
GET
/ports/{id}
- Scope Types:
project
Get trusted attribute of a port
get_port:tags- Default:
rule:context_is_advsvc or (rule:admin_only) or (role:reader and rule:network_owner) or role:reader and project_id:%(project_id)s- Operations:
GET
/ports/{id}/tags
GET
/ports/{id}/tags/{tag_id}
- Scope Types:
project
Get the port tags
update_port- Default:
(rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update a port
update_port:device_id- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update device_id attribute of a port
update_port:device_owner- Default:
not rule:network_device or (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update device_owner attribute of a port
update_port:mac_address- Default:
(rule:admin_only) or (rule:service_api) or role:manager and rule:network_owner- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update mac_address attribute of a port
update_port:fixed_ips- Default:
(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner- Operations:
PUT
/ports/{id}
- Scope Types:
project
Specify fixed_ips information when updating a port
update_port:fixed_ips:ip_address- Default:
(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner- Operations:
PUT
/ports/{id}
- Scope Types:
project
Specify IP address in fixed_ips information when updating a port
update_port:fixed_ips:subnet_id- Default:
(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or rule:shared- Operations:
PUT
/ports/{id}
- Scope Types:
project
Specify subnet ID in fixed_ips information when updating a port
update_port:port_security_enabled- Default:
(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update port_security_enabled attribute of a port
update_port:binding:host_id- Default:
(rule:admin_only) or (rule:service_api)- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update binding:host_id attribute of a port
update_port:binding:profile- Default:
rule:service_api- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update binding:profile attribute of a port
update_port:binding:vnic_type- Default:
(rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update binding:vnic_type attribute of a port
update_port:allowed_address_pairs- Default:
(rule:admin_only) or (role:member and rule:network_owner) or rule:service_api- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update allowed_address_pairs attribute of a port
update_port:allowed_address_pairs:mac_address- Default:
(rule:admin_only) or (role:member and rule:network_owner) or rule:service_api- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update mac_address of allowed_address_pairs attribute of a port
update_port:allowed_address_pairs:ip_address- Default:
(rule:admin_only) or (role:member and rule:network_owner) or rule:service_api- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update ip_address of allowed_address_pairs attribute of a port
update_port:data_plane_status- Default:
rule:admin_only or role:data_plane_integrator- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update data_plane_status attribute of a port
update_port:hints- Default:
rule:admin_only- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update hints attribute of a port
update_port:trusted- Default:
rule:admin_only- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update trusted attribute of a port
update_port:tags- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc- Operations:
PUT
/ports/{id}/tags
PUT
/ports/{id}/tags/{tag_id}
- Scope Types:
project
Update the port tags
delete_port- Default:
(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or role:member and project_id:%(project_id)s- Operations:
DELETE
/ports/{id}
- Scope Types:
project
Delete a port
delete_port:tags- Default:
rule:context_is_advsvc or role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)- Operations:
DELETE
/ports/{id}/tags
DELETE
/ports/{id}/tags/{tag_id}
- Scope Types:
project
Delete the port tags
shared_qos_policy- Default:
field:policies:shared=True
Rule of shared qos policy
get_policy- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_qos_policy- Operations:
GET
/qos/policies
GET
/qos/policies/{id}
- Scope Types:
project
Get QoS policies
get_policy:tags- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_qos_policy- Operations:
GET
/qos/policies/{id}/tags
GET
/qos/policies/{id}/tags/{tag_id}
- Scope Types:
project
Get QoS policy tags
create_policy- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)- Operations:
POST
/qos/policies
- Scope Types:
project
Create a QoS policy
create_policy:tags- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)- Operations:
POST
/qos/policies/{id}/tags
- Scope Types:
project
Create the QoS policy tags
update_policy- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)- Operations:
PUT
/qos/policies/{id}
- Scope Types:
project
Update a QoS policy
update_policy:tags- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)- Operations:
PUT
/qos/policies/{id}/tags
PUT
/qos/policies/{id}/tags/{tag_id}
- Scope Types:
project
Update the QoS policy tags
delete_policy- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)- Operations:
DELETE
/qos/policies/{id}
- Scope Types:
project
Delete a QoS policy
delete_policy:tags- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)- Operations:
DELETE
/qos/policies/{id}/tags
DELETE
/qos/policies/{id}/tags/{tag_id}
- Scope Types:
project
Delete the QoS policy tags
get_rule_type- Default:
role:reader- Operations:
GET
/qos/rule-types
GET
/qos/rule-types/{rule_type}
- Scope Types:
project
Get available QoS rule types
get_policy_bandwidth_limit_rule- Default:
(rule:admin_only) or (role:reader and rule:ext_parent_owner)- Operations:
GET
/qos/policies/{policy_id}/bandwidth_limit_rules
GET
/qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
- Scope Types:
project
Get a QoS bandwidth limit rule
create_policy_bandwidth_limit_rule- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)- Operations:
POST
/qos/policies/{policy_id}/bandwidth_limit_rules
- Scope Types:
project
Create a QoS bandwidth limit rule
update_policy_bandwidth_limit_rule- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)- Operations:
PUT
/qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
- Scope Types:
project
Update a QoS bandwidth limit rule
delete_policy_bandwidth_limit_rule- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)- Operations:
DELETE
/qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
- Scope Types:
project
Delete a QoS bandwidth limit rule
get_policy_packet_rate_limit_rule- Default:
(rule:admin_only) or (role:reader and rule:ext_parent_owner)- Operations:
GET
/qos/policies/{policy_id}/packet_rate_limit_rules
GET
/qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}
- Scope Types:
project
Get a QoS packet rate limit rule
create_policy_packet_rate_limit_rule- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)- Operations:
POST
/qos/policies/{policy_id}/packet_rate_limit_rules
- Scope Types:
project
Create a QoS packet rate limit rule
update_policy_packet_rate_limit_rule- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)- Operations:
PUT
/qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}
- Scope Types:
project
Update a QoS packet rate limit rule
delete_policy_packet_rate_limit_rule- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)- Operations:
DELETE
/qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}
- Scope Types:
project
Delete a QoS packet rate limit rule
get_policy_dscp_marking_rule- Default:
(rule:admin_only) or (role:reader and rule:ext_parent_owner)- Operations:
GET
/qos/policies/{policy_id}/dscp_marking_rules
GET
/qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
- Scope Types:
project
Get a QoS DSCP marking rule
create_policy_dscp_marking_rule- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)- Operations:
POST
/qos/policies/{policy_id}/dscp_marking_rules
- Scope Types:
project
Create a QoS DSCP marking rule
update_policy_dscp_marking_rule- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)- Operations:
PUT
/qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
- Scope Types:
project
Update a QoS DSCP marking rule
delete_policy_dscp_marking_rule- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)- Operations:
DELETE
/qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
- Scope Types:
project
Delete a QoS DSCP marking rule
get_policy_minimum_bandwidth_rule- Default:
(rule:admin_only) or (role:reader and rule:ext_parent_owner)- Operations:
GET
/qos/policies/{policy_id}/minimum_bandwidth_rules
GET
/qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
- Scope Types:
project
Get a QoS minimum bandwidth rule
create_policy_minimum_bandwidth_rule- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)- Operations:
POST
/qos/policies/{policy_id}/minimum_bandwidth_rules
- Scope Types:
project
Create a QoS minimum bandwidth rule
update_policy_minimum_bandwidth_rule- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)- Operations:
PUT
/qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
- Scope Types:
project
Update a QoS minimum bandwidth rule
delete_policy_minimum_bandwidth_rule- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)- Operations:
DELETE
/qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
- Scope Types:
project
Delete a QoS minimum bandwidth rule
get_policy_minimum_packet_rate_rule- Default:
(rule:admin_only) or (role:reader and rule:ext_parent_owner)- Operations:
GET
/qos/policies/{policy_id}/minimum_packet_rate_rules
GET
/qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
- Scope Types:
project
Get a QoS minimum packet rate rule
create_policy_minimum_packet_rate_rule- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)- Operations:
POST
/qos/policies/{policy_id}/minimum_packet_rate_rules
- Scope Types:
project
Create a QoS minimum packet rate rule
update_policy_minimum_packet_rate_rule- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)- Operations:
PUT
/qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
- Scope Types:
project
Update a QoS minimum packet rate rule
delete_policy_minimum_packet_rate_rule- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)- Operations:
DELETE
/qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
- Scope Types:
project
Delete a QoS minimum packet rate rule
get_alias_bandwidth_limit_rule- Default:
(rule:admin_only) or (role:reader and rule:ext_parent_owner)- Operations:
GET
/qos/alias_bandwidth_limit_rules/{rule_id}/
- Scope Types:
project
Get a QoS bandwidth limit rule through alias
update_alias_bandwidth_limit_rule- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)- Operations:
PUT
/qos/alias_bandwidth_limit_rules/{rule_id}/
- Scope Types:
project
Update a QoS bandwidth limit rule through alias
delete_alias_bandwidth_limit_rule- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)- Operations:
DELETE
/qos/alias_bandwidth_limit_rules/{rule_id}/
- Scope Types:
project
Delete a QoS bandwidth limit rule through alias
get_alias_dscp_marking_rule- Default:
(rule:admin_only) or (role:reader and rule:ext_parent_owner)- Operations:
GET
/qos/alias_dscp_marking_rules/{rule_id}/
- Scope Types:
project
Get a QoS DSCP marking rule through alias
update_alias_dscp_marking_rule- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)- Operations:
PUT
/qos/alias_dscp_marking_rules/{rule_id}/
- Scope Types:
project
Update a QoS DSCP marking rule through alias
delete_alias_dscp_marking_rule- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)- Operations:
DELETE
/qos/alias_dscp_marking_rules/{rule_id}/
- Scope Types:
project
Delete a QoS DSCP marking rule through alias
get_alias_minimum_bandwidth_rule- Default:
(rule:admin_only) or (role:reader and rule:ext_parent_owner)- Operations:
GET
/qos/alias_minimum_bandwidth_rules/{rule_id}/
- Scope Types:
project
Get a QoS minimum bandwidth rule through alias
update_alias_minimum_bandwidth_rule- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)- Operations:
PUT
/qos/alias_minimum_bandwidth_rules/{rule_id}/
- Scope Types:
project
Update a QoS minimum bandwidth rule through alias
delete_alias_minimum_bandwidth_rule- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)- Operations:
DELETE
/qos/alias_minimum_bandwidth_rules/{rule_id}/
- Scope Types:
project
Delete a QoS minimum bandwidth rule through alias
get_alias_minimum_packet_rate_rule- Default:
rule:get_policy_minimum_packet_rate_rule- Operations:
GET
/qos/alias_minimum_packet_rate_rules/{rule_id}/
- Scope Types:
project
Get a QoS minimum packet rate rule through alias
update_alias_minimum_packet_rate_rule- Default:
rule:update_policy_minimum_packet_rate_rule- Operations:
PUT
/qos/alias_minimum_packet_rate_rules/{rule_id}/
- Scope Types:
project
Update a QoS minimum packet rate rule through alias
delete_alias_minimum_packet_rate_rule- Default:
rule:delete_policy_minimum_packet_rate_rule- Operations:
DELETE
/qos/alias_minimum_packet_rate_rules/{rule_id}/
- Scope Types:
project
Delete a QoS minimum packet rate rule through alias
get_quota- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)- Operations:
GET
/quota
GET
/quota/{id}
- Scope Types:
project
Get a resource quota
update_quota- Default:
rule:admin_only- Operations:
PUT
/quota/{id}
- Scope Types:
project
Update a resource quota
delete_quota- Default:
rule:admin_only- Operations:
DELETE
/quota/{id}
- Scope Types:
project
Delete a resource quota
restrict_wildcard- Default:
(not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*) or rule:admin_only
Definition of a wildcard target_project
create_rbac_policy- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
POST
/rbac-policies
- Scope Types:
project
Create an RBAC policy
create_rbac_policy:target_tenant- Default:
rule:admin_only or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)- Operations:
POST
/rbac-policies
- Scope Types:
project
Specify target_tenant when creating an RBAC policy
create_rbac_policy:target_project- Default:
rule:admin_only or not field:rbac_policy:target_project=*- Operations:
POST
/rbac-policies
- Scope Types:
project
Specify target_project when creating an RBAC policy
update_rbac_policy- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
PUT
/rbac-policies/{id}
- Scope Types:
project
Update an RBAC policy
update_rbac_policy:target_tenant- Default:
rule:admin_only or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)- Operations:
PUT
/rbac-policies/{id}
- Scope Types:
project
Update target_tenant attribute of an RBAC policy
update_rbac_policy:target_project- Default:
rule:admin_only or not field:rbac_policy:target_project=*- Operations:
PUT
/rbac-policies/{id}
- Scope Types:
project
Update target_project attribute of an RBAC policy
get_rbac_policy- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s)- Operations:
GET
/rbac-policies
GET
/rbac-policies/{id}
- Scope Types:
project
Get an RBAC policy
delete_rbac_policy- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
DELETE
/rbac-policies/{id}
- Scope Types:
project
Delete an RBAC policy
create_router- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
POST
/routers
- Scope Types:
project
Create a router
create_router:distributed- Default:
rule:admin_only- Operations:
POST
/routers
- Scope Types:
project
Specify distributed attribute when creating a router
create_router:ha- Default:
rule:admin_only- Operations:
POST
/routers
- Scope Types:
project
Specify ha attribute when creating a router
create_router:external_gateway_info- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
POST
/routers
- Scope Types:
project
Specify external_gateway_info information when creating a router
create_router:external_gateway_info:network_id- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
POST
/routers
- Scope Types:
project
Specify network_id in external_gateway_info information when creating a router
create_router:external_gateway_info:enable_snat- Default:
rule:admin_only- Operations:
POST
/routers
- Scope Types:
project
Specify enable_snat in external_gateway_info information when creating a router
create_router:external_gateway_info:external_fixed_ips- Default:
rule:admin_only- Operations:
POST
/routers
- Scope Types:
project
Specify external_fixed_ips in external_gateway_info information when creating a router
create_router:enable_default_route_bfd- Default:
rule:admin_only- Operations:
POST
/routers
- Scope Types:
project
Specify enable_default_route_bfd attribute when creating a router
create_router:enable_default_route_ecmp- Default:
rule:admin_only- Operations:
POST
/routers
- Scope Types:
project
Specify enable_default_route_ecmp attribute when creating a router
create_router:tags- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
POST
/routers/{id}/tags
- Scope Types:
project
Create the router tags
get_router- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s)- Operations:
GET
/routers
GET
/routers/{id}
- Scope Types:
project
Get a router
get_router:distributed- Default:
rule:admin_only- Operations:
GET
/routers
GET
/routers/{id}
- Scope Types:
project
Get distributed attribute of a router
get_router:ha- Default:
rule:admin_only- Operations:
GET
/routers
GET
/routers/{id}
- Scope Types:
project
Get ha attribute of a router
get_router:tags- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s)- Operations:
GET
/routers/{id}/tags
GET
/routers/{id}/tags/{tag_id}
- Scope Types:
project
Get the router tags
update_router- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
PUT
/routers/{id}
- Scope Types:
project
Update a router
update_router:distributed- Default:
rule:admin_only- Operations:
PUT
/routers/{id}
- Scope Types:
project
Update distributed attribute of a router
update_router:ha- Default:
rule:admin_only- Operations:
PUT
/routers/{id}
- Scope Types:
project
Update ha attribute of a router
update_router:external_gateway_info- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
PUT
/routers/{id}
- Scope Types:
project
Update external_gateway_info information of a router
update_router:external_gateway_info:network_id- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
PUT
/routers/{id}
- Scope Types:
project
Update network_id attribute of external_gateway_info information of a router
update_router:external_gateway_info:enable_snat- Default:
rule:admin_only- Operations:
PUT
/routers/{id}
- Scope Types:
project
Update enable_snat attribute of external_gateway_info information of a router
update_router:external_gateway_info:external_fixed_ips- Default:
rule:admin_only- Operations:
PUT
/routers/{id}
- Scope Types:
project
Update external_fixed_ips attribute of external_gateway_info information of a router
update_router:enable_default_route_bfd- Default:
rule:admin_only- Operations:
POST
/routers
- Scope Types:
project
Specify enable_default_route_bfd attribute when updating a router
update_router:enable_default_route_ecmp- Default:
rule:admin_only- Operations:
POST
/routers
- Scope Types:
project
Specify enable_default_route_ecmp attribute when updating a router
update_router:tags- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
PUT
/routers/{id}/tags
PUT
/routers/{id}/tags/{tag_id}
- Scope Types:
project
Update the router tags
delete_router- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
DELETE
/routers/{id}
- Scope Types:
project
Delete a router
delete_router:tags- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
DELETE
/routers/{id}/tags
DELETE
/routers/{id}/tags/{tag_id}
- Scope Types:
project
Delete the router tags
add_router_interface- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
PUT
/routers/{id}/add_router_interface
- Scope Types:
project
Add an interface to a router
remove_router_interface- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
PUT
/routers/{id}/remove_router_interface
- Scope Types:
project
Remove an interface from a router
add_extraroutes- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
PUT
/routers/{id}/add_extraroutes
- Scope Types:
project
Add extra route to a router
remove_extraroutes- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
PUT
/routers/{id}/remove_extraroutes
- Scope Types:
project
Remove extra route from a router
add_external_gateways- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
PUT
/routers/{id}
- Scope Types:
project
Add router external gateways
add_external_gateways:external_gateways- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
PUT
/routers/{id}
- Scope Types:
project
Add router external gateways
add_external_gateways:external_gateways:network_id- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
PUT
/routers/{id}
- Scope Types:
project
Add router external gateways with defined network ID
add_external_gateways:external_gateways:enable_snat- Default:
rule:admin_only- Operations:
PUT
/routers/{id}
- Scope Types:
project
Add router external gateways specifying SNAT flag
add_external_gateways:external_gateways:external_fixed_ips- Default:
rule:admin_only- Operations:
PUT
/routers/{id}
- Scope Types:
project
Add router external gateways specifying the fixed IPs
update_external_gateways- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
PUT
/routers/{id}
- Scope Types:
project
Update router external gateways
update_external_gateways:external_gateways- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
PUT
/routers/{id}
- Scope Types:
project
Update router external gateways
update_external_gateways:external_gateways:network_id- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
PUT
/routers/{id}
- Scope Types:
project
Update router external gateways network ID
update_external_gateways:external_gateways:enable_snat- Default:
rule:admin_only- Operations:
PUT
/routers/{id}
- Scope Types:
project
Update router external gateways SNAT flag
update_external_gateways:external_gateways:external_fixed_ips- Default:
rule:admin_only- Operations:
PUT
/routers/{id}
- Scope Types:
project
Update router external gateways fixed IPs
remove_external_gateways- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
PUT
/routers/{id}
- Scope Types:
project
Remove router external gateways
remove_external_gateways:external_gateways- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
PUT
/routers/{id}
- Scope Types:
project
Remove router external gateways
admin_or_sg_owner- Default:
rule:context_is_admin or project_id:%(security_group:project_id)s
Rule for admin or security group owner access
admin_owner_or_sg_owner- Default:
rule:owner or rule:admin_or_sg_owner
Rule for resource owner, admin or security group owner access
shared_security_group- Default:
field:security_groups:shared=True
Definition of a shared security group
rule_default_sg- Default:
field:security_group_rules:belongs_to_default_sg=True
Definition of a security group rule that belongs to the project default security group
create_security_group- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
POST
/security-groups
- Scope Types:
project
Create a security group
create_security_group:tags- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
POST
/security-groups/{id}/tags
- Scope Types:
project
Create the security group tags
get_security_group- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_security_group- Operations:
GET
/security-groups
GET
/security-groups/{id}
- Scope Types:
project
Get a security group
get_security_group:tags- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_security_group- Operations:
GET
/security-groups/{id}/tags
GET
/security-groups/{id}/tags/{tag_id}
- Scope Types:
project
Get the security group tags
update_security_group- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
PUT
/security-groups/{id}
- Scope Types:
project
Update a security group
update_security_group:tags- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
PUT
/security-groups/{id}/tags
PUT
/security-groups/{id}/tags/{tag_id}
- Scope Types:
project
Update the security group tags
delete_security_group- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
DELETE
/security-groups/{id}
- Scope Types:
project
Delete a security group
delete_security_group:tags- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)- Operations:
DELETE
/security-groups/{id}/tags
DELETE
/security-groups/{id}/tags/{tag_id}
- Scope Types:
project
Delete the security group tags
create_security_group_rule- Default:
(rule:admin_only) or (role:member and rule:sg_owner)- Operations:
POST
/security-group-rules
- Scope Types:
project
Create a security group rule
get_security_group_rule- Default:
(rule:admin_only) or (role:reader and rule:sg_owner)- Operations:
GET
/security-group-rules
GET
/security-group-rules/{id}
- Scope Types:
project
Get a security group rule
delete_security_group_rule- Default:
(rule:admin_only) or (role:member and rule:sg_owner)- Operations:
DELETE
/security-group-rules/{id}
- Scope Types:
project
Delete a security group rule
create_segment- Default:
rule:admin_only- Operations:
POST
/segments
- Scope Types:
project
Create a segment
create_segments_tags- Default:
rule:admin_only- Operations:
POST
/segments/{id}/tags
- Scope Types:
project
Create the segment tags
get_segment- Default:
rule:admin_only- Operations:
GET
/segments
GET
/segments/{id}
- Scope Types:
project
Get a segment
get_segments_tags- Default:
rule:admin_only- Operations:
GET
/segments/{id}/tags
GET
/segments/{id}/tags/{tag_id}
- Scope Types:
project
Get the segment tags
update_segment- Default:
rule:admin_only- Operations:
PUT
/segments/{id}
- Scope Types:
project
Update a segment
update_segments_tags- Default:
rule:admin_only- Operations:
PUT
/segments/{id}/tagsPUT
/segments/{id}/tags/{tag_id}
- Scope Types:
project
Update the segment tags
delete_segment- Default:
rule:admin_only- Operations:
DELETE
/segments/{id}
- Scope Types:
project
Delete a segment
delete_segments_tags- Default:
rule:admin_only- Operations:
DELETE
/segments/{id}/tagsDELETE
/segments/{id}/tags/{tag_id}
- Scope Types:
project
Delete the segment tags
get_service_provider
- Default: role:reader
- Operations:
  GET /service-providers
- Scope Types: project
Get service providers
external_network
- Default: field:subnets:router:external=True
Definition of a subnet that belongs to an external network
create_subnet
- Default: (rule:admin_only) or (role:member and rule:network_owner)
- Operations:
  POST /subnets
- Scope Types: project
Create a subnet
create_subnet:segment_id
- Default: rule:admin_only
- Operations:
  POST /subnets
- Scope Types: project
Specify segment_id attribute when creating a subnet
create_subnet:service_types
- Default: rule:admin_only
- Operations:
  POST /subnets
- Scope Types: project
Specify service_types attribute when creating a subnet
create_subnet:tags
- Default: role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)
- Operations:
  POST /subnets/{id}/tags
- Scope Types: project
Create the subnet tags
get_subnet
- Default: role:reader and project_id:%(project_id)s or rule:shared or rule:external_network or (rule:admin_only) or (role:reader and rule:network_owner) or rule:service_api
- Operations:
  GET /subnets
  GET /subnets/{id}
- Scope Types: project
Get a subnet
get_subnet:segment_id
- Default: rule:admin_only
- Operations:
  GET /subnets
  GET /subnets/{id}
- Scope Types: project
Get segment_id attribute of a subnet
get_subnet:tags
- Default: role:reader and project_id:%(project_id)s or rule:shared or rule:external_network or (rule:admin_only) or (role:reader and rule:network_owner)
- Operations:
  GET /subnets/{id}/tags
  GET /subnets/{id}/tags/{tag_id}
- Scope Types: project
Get the subnet tags
update_subnet
- Default: role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)
- Operations:
  PUT /subnets/{id}
- Scope Types: project
Update a subnet
update_subnet:segment_id
- Default: rule:admin_only
- Operations:
  PUT /subnets/{id}
- Scope Types: project
Update segment_id attribute of a subnet
update_subnet:service_types
- Default: rule:admin_only
- Operations:
  PUT /subnets/{id}
- Scope Types: project
Update service_types attribute of a subnet
update_subnet:tags
- Default: role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)
- Operations:
  PUT /subnets/{id}/tags
  PUT /subnets/{id}/tags/{tag_id}
- Scope Types: project
Update the subnet tags
delete_subnet
- Default: role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)
- Operations:
  DELETE /subnets/{id}
- Scope Types: project
Delete a subnet
delete_subnet:tags
- Default: role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)
- Operations:
  DELETE /subnets/{id}/tags
  DELETE /subnets/{id}/tags/{tag_id}
- Scope Types: project
Delete the subnet tags
shared_subnetpools
- Default: field:subnetpools:shared=True
Definition of a shared subnetpool
create_subnetpool
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /subnetpools
- Scope Types: project
Create a subnetpool
create_subnetpool:shared
- Default: rule:admin_only
- Operations:
  POST /subnetpools
- Scope Types: project
Create a shared subnetpool
create_subnetpool:is_default
- Default: rule:admin_only
- Operations:
  POST /subnetpools
- Scope Types: project
Specify is_default attribute when creating a subnetpool
create_subnetpool:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /subnetpools/{id}/tags
- Scope Types: project
Create the subnetpool tags
get_subnetpool
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools
- Operations:
  GET /subnetpools
  GET /subnetpools/{id}
- Scope Types: project
Get a subnetpool
get_subnetpool:tags
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools
- Operations:
  GET /subnetpools/{id}/tags
  GET /subnetpools/{id}/tags/{tag_id}
- Scope Types: project
Get the subnetpool tags
update_subnetpool
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /subnetpools/{id}
- Scope Types: project
Update a subnetpool
update_subnetpool:is_default
- Default: rule:admin_only
- Operations:
  PUT /subnetpools/{id}
- Scope Types: project
Update is_default attribute of a subnetpool
update_subnetpool:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /subnetpools/{id}/tags
  PUT /subnetpools/{id}/tags/{tag_id}
- Scope Types: project
Update the subnetpool tags
delete_subnetpool
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  DELETE /subnetpools/{id}
- Scope Types: project
Delete a subnetpool
delete_subnetpool:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  DELETE /subnetpools/{id}/tags
  DELETE /subnetpools/{id}/tags/{tag_id}
- Scope Types: project
Delete the subnetpool tags
onboard_network_subnets
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /subnetpools/{id}/onboard_network_subnets
- Scope Types: project
Onboard existing subnet into a subnetpool
add_prefixes
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /subnetpools/{id}/add_prefixes
- Scope Types: project
Add prefixes to a subnetpool
remove_prefixes
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /subnetpools/{id}/remove_prefixes
- Scope Types: project
Remove unallocated prefixes from a subnetpool
create_trunk
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /trunks
- Scope Types: project
Create a trunk
create_trunk:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /trunks/{id}/tags
- Scope Types: project
Create the trunk tags
get_trunk
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
  GET /trunks
  GET /trunks/{id}
- Scope Types: project
Get a trunk
get_trunk:tags
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
  GET /trunks/{id}/tags
  GET /trunks/{id}/tags/{tag_id}
- Scope Types: project
Get the trunk tags
update_trunk
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /trunks/{id}
- Scope Types: project
Update a trunk
update_trunk:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /trunks/{id}/tags
  PUT /trunks/{id}/tags/{tag_id}
- Scope Types: project
Update the trunk tags
delete_trunk
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  DELETE /trunks/{id}
- Scope Types: project
Delete a trunk
delete_trunk:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  DELETE /trunks/{id}/tags
  DELETE /trunks/{id}/tags/{tag_id}
- Scope Types: project
Delete a trunk
get_subports
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
  GET /trunks/{id}/get_subports
- Scope Types: project
List subports attached to a trunk
add_subports
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /trunks/{id}/add_subports
- Scope Types: project
Add subports to a trunk
remove_subports
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /trunks/{id}/remove_subports
- Scope Types: project
Delete subports from a trunk