Policy Reference

Warning

The JSON-formatted policy file has been deprecated since Neutron 18.0.0 (Wallaby). The oslopolicy-convert-json-to-yaml tool migrates an existing JSON-formatted policy file to YAML in a backward-compatible way.

Neutron, like most OpenStack projects, uses a policy language to restrict permissions on REST API actions.

The following is an overview of all available policies in neutron.

For a sample policy file, refer to Sample Policy File.

neutron

context_is_admin
Default

role:admin

Rule for cloud admin access

owner
Default

tenant_id:%(tenant_id)s

Rule for resource owner access

admin_or_owner
Default

rule:context_is_admin or rule:owner

Rule for admin or owner access

context_is_advsvc
Default

role:advsvc

Rule for advsvc role access

admin_or_network_owner
Default

rule:context_is_admin or tenant_id:%(network:tenant_id)s

Rule for admin or network owner access

admin_owner_or_network_owner
Default

rule:owner or rule:admin_or_network_owner

Rule for resource owner, admin or network owner access

network_owner
Default

tenant_id:%(network:tenant_id)s

Rule for network owner access

admin_only
Default

rule:context_is_admin

Rule for admin-only access

regular_user
Default

<empty string>

Rule for regular user access

shared
Default

field:networks:shared=True

Rule of shared network

default
Default

rule:admin_or_owner

Default access rule

admin_or_ext_parent_owner
Default

rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s

Rule for common parent owner check

ext_parent_owner
Default

tenant_id:%(ext_parent:tenant_id)s

Rule for common parent owner check

sg_owner
Default

tenant_id:%(security_group:tenant_id)s

Rule for security group owner access

shared_address_groups
Default

field:address_groups:shared=True

Definition of a shared address group

get_address_group
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups

Operations
  • GET /address-groups

  • GET /address-groups/{id}

Scope Types
  • system

  • project

Get an address group

shared_address_scopes
Default

field:address_scopes:shared=True

Definition of a shared address scope

create_address_scope
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /address-scopes

Scope Types
  • system

  • project

Create an address scope

create_address_scope:shared
Default

role:admin and system_scope:all

Operations
  • POST /address-scopes

Scope Types
  • system

  • project

Create a shared address scope

get_address_scope
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_address_scopes

Operations
  • GET /address-scopes

  • GET /address-scopes/{id}

Scope Types
  • system

  • project

Get an address scope

update_address_scope
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PUT /address-scopes/{id}

Scope Types
  • system

  • project

Update an address scope

update_address_scope:shared
Default

role:admin and system_scope:all

Operations
  • PUT /address-scopes/{id}

Scope Types
  • system

  • project

Update shared attribute of an address scope

delete_address_scope
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • DELETE /address-scopes/{id}

Scope Types
  • system

  • project

Delete an address scope

get_agent
Default

role:reader and system_scope:all

Operations
  • GET /agents

  • GET /agents/{id}

Scope Types
  • system

Get an agent

update_agent
Default

role:admin and system_scope:all

Operations
  • PUT /agents/{id}

Scope Types
  • system

Update an agent

delete_agent
Default

role:admin and system_scope:all

Operations
  • DELETE /agents/{id}

Scope Types
  • system

Delete an agent

create_dhcp-network
Default

role:admin and system_scope:all

Operations
  • POST /agents/{agent_id}/dhcp-networks

Scope Types
  • system

Add a network to a DHCP agent

get_dhcp-networks
Default

role:reader and system_scope:all

Operations
  • GET /agents/{agent_id}/dhcp-networks

Scope Types
  • system

List networks on a DHCP agent

delete_dhcp-network
Default

role:admin and system_scope:all

Operations
  • DELETE /agents/{agent_id}/dhcp-networks/{network_id}

Scope Types
  • system

Remove a network from a DHCP agent

create_l3-router
Default

role:admin and system_scope:all

Operations
  • POST /agents/{agent_id}/l3-routers

Scope Types
  • system

Add a router to an L3 agent

get_l3-routers
Default

role:reader and system_scope:all

Operations
  • GET /agents/{agent_id}/l3-routers

Scope Types
  • system

List routers on an L3 agent

delete_l3-router
Default

role:admin and system_scope:all

Operations
  • DELETE /agents/{agent_id}/l3-routers/{router_id}

Scope Types
  • system

Remove a router from an L3 agent

get_dhcp-agents
Default

role:reader and system_scope:all

Operations
  • GET /networks/{network_id}/dhcp-agents

Scope Types
  • system

List DHCP agents hosting a network

get_l3-agents
Default

role:reader and system_scope:all

Operations
  • GET /routers/{router_id}/l3-agents

Scope Types
  • system

List L3 agents hosting a router

get_auto_allocated_topology
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /auto-allocated-topology/{project_id}

Scope Types
  • system

  • project

Get a project’s auto-allocated topology

delete_auto_allocated_topology
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • DELETE /auto-allocated-topology/{project_id}

Scope Types
  • system

  • project

Delete a project’s auto-allocated topology

get_availability_zone
Default

role:reader and system_scope:all

Operations
  • GET /availability_zones

Scope Types
  • system

List availability zones

create_flavor
Default

role:admin and system_scope:all

Operations
  • POST /flavors

Scope Types
  • system

Create a flavor

get_flavor
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /flavors

  • GET /flavors/{id}

Scope Types
  • system

  • project

Get a flavor

update_flavor
Default

role:admin and system_scope:all

Operations
  • PUT /flavors/{id}

Scope Types
  • system

Update a flavor

delete_flavor
Default

role:admin and system_scope:all

Operations
  • DELETE /flavors/{id}

Scope Types
  • system

Delete a flavor

create_service_profile
Default

role:admin and system_scope:all

Operations
  • POST /service_profiles

Scope Types
  • system

Create a service profile

get_service_profile
Default

role:reader and system_scope:all

Operations
  • GET /service_profiles

  • GET /service_profiles/{id}

Scope Types
  • system

Get a service profile

update_service_profile
Default

role:admin and system_scope:all

Operations
  • PUT /service_profiles/{id}

Scope Types
  • system

Update a service profile

delete_service_profile
Default

role:admin and system_scope:all

Operations
  • DELETE /service_profiles/{id}

Scope Types
  • system

Delete a service profile

get_flavor_service_profile
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Scope Types
  • system

  • project

Get a flavor associated with a given service profile. There is currently no corresponding GET operation in the API; this rule is only referenced by the DELETE of flavor_service_profile.

create_flavor_service_profile
Default

role:admin and system_scope:all

Operations
  • POST /flavors/{flavor_id}/service_profiles

Scope Types
  • system

Associate a flavor with a service profile

delete_flavor_service_profile
Default

role:admin and system_scope:all

Operations
  • DELETE /flavors/{flavor_id}/service_profiles/{profile_id}

Scope Types
  • system

Disassociate a flavor from a service profile

create_floatingip
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /floatingips

Scope Types
  • system

  • project

Create a floating IP

create_floatingip:floating_ip_address
Default

role:admin and system_scope:all

Operations
  • POST /floatingips

Scope Types
  • system

  • project

Create a floating IP with a specific IP address

get_floatingip
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /floatingips

  • GET /floatingips/{id}

Scope Types
  • system

  • project

Get a floating IP

update_floatingip
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PUT /floatingips/{id}

Scope Types
  • system

  • project

Update a floating IP

delete_floatingip
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • DELETE /floatingips/{id}

Scope Types
  • system

  • project

Delete a floating IP

get_floatingip_pool
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /floatingip_pools

Scope Types
  • system

  • project

Get floating IP pools

create_floatingip_port_forwarding
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner

Operations
  • POST /floatingips/{floatingip_id}/port_forwardings

Scope Types
  • system

  • project

Create a floating IP port forwarding

get_floatingip_port_forwarding
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner

Operations
  • GET /floatingips/{floatingip_id}/port_forwardings

  • GET /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}

Scope Types
  • system

  • project

Get a floating IP port forwarding

update_floatingip_port_forwarding
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner

Operations
  • PUT /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}

Scope Types
  • system

  • project

Update a floating IP port forwarding

delete_floatingip_port_forwarding
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner

Operations
  • DELETE /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}

Scope Types
  • system

  • project

Delete a floating IP port forwarding

create_router_conntrack_helper
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner

Operations
  • POST /routers/{router_id}/conntrack_helpers

Scope Types
  • system

  • project

Create a router conntrack helper

get_router_conntrack_helper
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner

Operations
  • GET /routers/{router_id}/conntrack_helpers

  • GET /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}

Scope Types
  • system

  • project

Get a router conntrack helper

update_router_conntrack_helper
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner

Operations
  • PUT /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}

Scope Types
  • system

  • project

Update a router conntrack helper

delete_router_conntrack_helper
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner

Operations
  • DELETE /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}

Scope Types
  • system

  • project

Delete a router conntrack helper

get_loggable_resource
Default

role:reader and system_scope:all

Operations
  • GET /log/loggable-resources

Scope Types
  • system

Get loggable resources

create_log
Default

role:admin and system_scope:all

Operations
  • POST /log/logs

Scope Types
  • system

Create a network log

get_log
Default

role:reader and system_scope:all

Operations
  • GET /log/logs

  • GET /log/logs/{id}

Scope Types
  • system

Get a network log

update_log
Default

role:admin and system_scope:all

Operations
  • PUT /log/logs/{id}

Scope Types
  • system

Update a network log

delete_log
Default

role:admin and system_scope:all

Operations
  • DELETE /log/logs/{id}

Scope Types
  • system

Delete a network log

create_metering_label
Default

role:admin and system_scope:all

Operations
  • POST /metering/metering-labels

Scope Types
  • system

  • project

Create a metering label

get_metering_label
Default

role:reader and system_scope:all

Operations
  • GET /metering/metering-labels

  • GET /metering/metering-labels/{id}

Scope Types
  • system

  • project

Get a metering label

delete_metering_label
Default

role:admin and system_scope:all

Operations
  • DELETE /metering/metering-labels/{id}

Scope Types
  • system

  • project

Delete a metering label

create_metering_label_rule
Default

role:admin and system_scope:all

Operations
  • POST /metering/metering-label-rules

Scope Types
  • system

  • project

Create a metering label rule

get_metering_label_rule
Default

role:reader and system_scope:all

Operations
  • GET /metering/metering-label-rules

  • GET /metering/metering-label-rules/{id}

Scope Types
  • system

  • project

Get a metering label rule

delete_metering_label_rule
Default

role:admin and system_scope:all

Operations
  • DELETE /metering/metering-label-rules/{id}

Scope Types
  • system

  • project

Delete a metering label rule

external
Default

field:networks:router:external=True

Definition of an external network

create_network
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /networks

Scope Types
  • system

  • project

Create a network

create_network:shared
Default

role:admin and system_scope:all

Operations
  • POST /networks

Scope Types
  • system

Create a shared network

create_network:router:external
Default

role:admin and system_scope:all

Operations
  • POST /networks

Scope Types
  • system

Create an external network

create_network:is_default
Default

role:admin and system_scope:all

Operations
  • POST /networks

Scope Types
  • system

Specify is_default attribute when creating a network

create_network:port_security_enabled
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /networks

Scope Types
  • system

  • project

Specify port_security_enabled attribute when creating a network

create_network:segments
Default

role:admin and system_scope:all

Operations
  • POST /networks

Scope Types
  • system

Specify segments attribute when creating a network

create_network:provider:network_type
Default

role:admin and system_scope:all

Operations
  • POST /networks

Scope Types
  • system

Specify provider:network_type when creating a network

create_network:provider:physical_network
Default

role:admin and system_scope:all

Operations
  • POST /networks

Scope Types
  • system

Specify provider:physical_network when creating a network

create_network:provider:segmentation_id
Default

role:admin and system_scope:all

Operations
  • POST /networks

Scope Types
  • system

Specify provider:segmentation_id when creating a network

get_network
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc

Operations
  • GET /networks

  • GET /networks/{id}

Scope Types
  • system

  • project

Get a network

get_network:router:external
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /networks

  • GET /networks/{id}

Scope Types
  • system

  • project

Get router:external attribute of a network

get_network:segments
Default

role:reader and system_scope:all

Operations
  • GET /networks

  • GET /networks/{id}

Scope Types
  • system

Get segments attribute of a network

get_network:provider:network_type
Default

role:reader and system_scope:all

Operations
  • GET /networks

  • GET /networks/{id}

Scope Types
  • system

Get provider:network_type attribute of a network

get_network:provider:physical_network
Default

role:reader and system_scope:all

Operations
  • GET /networks

  • GET /networks/{id}

Scope Types
  • system

Get provider:physical_network attribute of a network

get_network:provider:segmentation_id
Default

role:reader and system_scope:all

Operations
  • GET /networks

  • GET /networks/{id}

Scope Types
  • system

Get provider:segmentation_id attribute of a network

update_network
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PUT /networks/{id}

Scope Types
  • system

  • project

Update a network

update_network:segments
Default

role:admin and system_scope:all

Operations
  • PUT /networks/{id}

Scope Types
  • system

Update segments attribute of a network

update_network:shared
Default

role:admin and system_scope:all

Operations
  • PUT /networks/{id}

Scope Types
  • system

Update shared attribute of a network

update_network:provider:network_type
Default

role:admin and system_scope:all

Operations
  • PUT /networks/{id}

Scope Types
  • system

Update provider:network_type attribute of a network

update_network:provider:physical_network
Default

role:admin and system_scope:all

Operations
  • PUT /networks/{id}

Scope Types
  • system

Update provider:physical_network attribute of a network

update_network:provider:segmentation_id
Default

role:admin and system_scope:all

Operations
  • PUT /networks/{id}

Scope Types
  • system

Update provider:segmentation_id attribute of a network

update_network:router:external
Default

role:admin and system_scope:all

Operations
  • PUT /networks/{id}

Scope Types
  • system

Update router:external attribute of a network

update_network:is_default
Default

role:admin and system_scope:all

Operations
  • PUT /networks/{id}

Scope Types
  • system

Update is_default attribute of a network

update_network:port_security_enabled
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PUT /networks/{id}

Scope Types
  • system

  • project

Update port_security_enabled attribute of a network

delete_network
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • DELETE /networks/{id}

Scope Types
  • system

  • project

Delete a network

get_network_ip_availability
Default

role:reader and system_scope:all

Operations
  • GET /network-ip-availabilities

  • GET /network-ip-availabilities/{network_id}

Scope Types
  • system

Get network IP availability

create_network_segment_range
Default

role:admin and system_scope:all

Operations
  • POST /network_segment_ranges

Scope Types
  • system

Create a network segment range

get_network_segment_range
Default

role:reader and system_scope:all

Operations
  • GET /network_segment_ranges

  • GET /network_segment_ranges/{id}

Scope Types
  • system

Get a network segment range

update_network_segment_range
Default

role:admin and system_scope:all

Operations
  • PUT /network_segment_ranges/{id}

Scope Types
  • system

Update a network segment range

delete_network_segment_range
Default

role:admin and system_scope:all

Operations
  • DELETE /network_segment_ranges/{id}

Scope Types
  • system

Delete a network segment range

network_device
Default

field:port:device_owner=~^network:

Definition of port with network device_owner

admin_or_data_plane_int
Default

rule:context_is_admin or role:data_plane_integrator

Rule for data plane integration

create_port
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /ports

Scope Types
  • system

  • project

Create a port

create_port:device_owner
Default

not rule:network_device or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:context_is_advsvc or rule:network_owner

Operations
  • POST /ports

Scope Types
  • system

  • project

Specify device_owner attribute when creating a port

create_port:mac_address
Default

rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s

Operations
  • POST /ports

Scope Types
  • system

  • project

Specify mac_address attribute when creating a port

create_port:fixed_ips
Default

rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared

Operations
  • POST /ports

Scope Types
  • system

  • project

Specify fixed_ips information when creating a port

create_port:fixed_ips:ip_address
Default

rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s

Operations
  • POST /ports

Scope Types
  • system

  • project

Specify IP address in fixed_ips when creating a port

create_port:fixed_ips:subnet_id
Default

rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared

Operations
  • POST /ports

Scope Types
  • system

  • project

Specify subnet ID in fixed_ips when creating a port

create_port:port_security_enabled
Default

rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s

Operations
  • POST /ports

Scope Types
  • system

  • project

Specify port_security_enabled attribute when creating a port

create_port:binding:host_id
Default

role:admin and system_scope:all

Operations
  • POST /ports

Scope Types
  • system

Specify binding:host_id attribute when creating a port

create_port:binding:profile
Default

role:admin and system_scope:all

Operations
  • POST /ports

Scope Types
  • system

Specify binding:profile attribute when creating a port

create_port:binding:vnic_type
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /ports

Scope Types
  • system

  • project

Specify binding:vnic_type attribute when creating a port

create_port:allowed_address_pairs
Default

role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner

Operations
  • POST /ports

Scope Types
  • project

  • system

Specify allowed_address_pairs attribute when creating a port

create_port:allowed_address_pairs:mac_address
Default

role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner

Operations
  • POST /ports

Scope Types
  • project

  • system

Specify mac_address of allowed_address_pairs attribute when creating a port

create_port:allowed_address_pairs:ip_address
Default

role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner

Operations
  • POST /ports

Scope Types
  • project

  • system

Specify ip_address of allowed_address_pairs attribute when creating a port

get_port
Default

rule:context_is_advsvc or (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /ports

  • GET /ports/{id}

Scope Types
  • project

  • system

Get a port

get_port:binding:vif_type
Default

role:reader and system_scope:all

Operations
  • GET /ports

  • GET /ports/{id}

Scope Types
  • system

Get binding:vif_type attribute of a port

get_port:binding:vif_details
Default

role:reader and system_scope:all

Operations
  • GET /ports

  • GET /ports/{id}

Scope Types
  • system

Get binding:vif_details attribute of a port

get_port:binding:host_id
Default

role:reader and system_scope:all

Operations
  • GET /ports

  • GET /ports/{id}

Scope Types
  • system

Get binding:host_id attribute of a port

get_port:binding:profile
Default

role:reader and system_scope:all

Operations
  • GET /ports

  • GET /ports/{id}

Scope Types
  • system

Get binding:profile attribute of a port

get_port:resource_request
Default

role:reader and system_scope:all

Operations
  • GET /ports

  • GET /ports/{id}

Scope Types
  • system

Get resource_request attribute of a port

update_port
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc

Operations
  • PUT /ports/{id}

Scope Types
  • system

  • project

Update a port

update_port:device_owner
Default

not rule:network_device or rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s

Operations
  • PUT /ports/{id}

Scope Types
  • system

  • project

Update device_owner attribute of a port

update_port:mac_address
Default

role:admin and system_scope:all or rule:context_is_advsvc

Operations
  • PUT /ports/{id}

Scope Types
  • system

  • project

Update mac_address attribute of a port

update_port:fixed_ips
Default

rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s

Operations
  • PUT /ports/{id}

Scope Types
  • system

  • project

Specify fixed_ips information when updating a port

update_port:fixed_ips:ip_address
Default

rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s

Operations
  • PUT /ports/{id}

Scope Types
  • system

  • project

Specify IP address in fixed_ips information when updating a port

update_port:fixed_ips:subnet_id
Default

rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared

Operations
  • PUT /ports/{id}

Scope Types
  • system

  • project

Specify subnet ID in fixed_ips information when updating a port

update_port:port_security_enabled
Default

rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s

Operations
  • PUT /ports/{id}

Scope Types
  • system

  • project

Update port_security_enabled attribute of a port

update_port:binding:host_id
Default

role:admin and system_scope:all

Operations
  • PUT /ports/{id}

Scope Types
  • system

Update binding:host_id attribute of a port

update_port:binding:profile
Default

role:admin and system_scope:all

Operations
  • PUT /ports/{id}

Scope Types
  • system

Update binding:profile attribute of a port

update_port:binding:vnic_type
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc

Operations
  • PUT /ports/{id}

Scope Types
  • system

  • project

Update binding:vnic_type attribute of a port

update_port:allowed_address_pairs
Default

role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner

Operations
  • PUT /ports/{id}

Scope Types
  • system

  • project

Update allowed_address_pairs attribute of a port

update_port:allowed_address_pairs:mac_address
Default

role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner

Operations
  • PUT /ports/{id}

Scope Types
  • system

  • project

Update mac_address of allowed_address_pairs attribute of a port

update_port:allowed_address_pairs:ip_address
Default

role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner

Operations
  • PUT /ports/{id}

Scope Types
  • system

  • project

Update ip_address of allowed_address_pairs attribute of a port

update_port:data_plane_status
Default

role:admin and system_scope:all or role:data_plane_integrator

Operations
  • PUT /ports/{id}

Scope Types
  • system

  • project

Update data_plane_status attribute of a port

delete_port
Default

rule:context_is_advsvc or (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • DELETE /ports/{id}

Scope Types
  • system

  • project

Delete a port

get_policy
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /qos/policies

  • GET /qos/policies/{id}

Scope Types
  • system

  • project

Get QoS policies

create_policy
Default

role:admin and system_scope:all

Operations
  • POST /qos/policies

Scope Types
  • system

Create a QoS policy

update_policy
Default

role:admin and system_scope:all

Operations
  • PUT /qos/policies/{id}

Scope Types
  • system

Update a QoS policy

delete_policy
Default

role:admin and system_scope:all

Operations
  • DELETE /qos/policies/{id}

Scope Types
  • system

Delete a QoS policy

get_rule_type
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /qos/rule-types

  • GET /qos/rule-types/{rule_type}

Scope Types
  • system

  • project

Get available QoS rule types

get_policy_bandwidth_limit_rule
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /qos/policies/{policy_id}/bandwidth_limit_rules

  • GET /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}

Scope Types
  • system

  • project

Get a QoS bandwidth limit rule

create_policy_bandwidth_limit_rule
Default

role:admin and system_scope:all

Operations
  • POST /qos/policies/{policy_id}/bandwidth_limit_rules

Scope Types
  • system

Create a QoS bandwidth limit rule

update_policy_bandwidth_limit_rule
Default

role:admin and system_scope:all

Operations
  • PUT /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}

Scope Types
  • system

Update a QoS bandwidth limit rule

delete_policy_bandwidth_limit_rule
Default

role:admin and system_scope:all

Operations
  • DELETE /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}

Scope Types
  • system

Delete a QoS bandwidth limit rule

get_policy_dscp_marking_rule
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /qos/policies/{policy_id}/dscp_marking_rules

  • GET /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}

Scope Types
  • system

  • project

Get a QoS DSCP marking rule

create_policy_dscp_marking_rule
Default

role:admin and system_scope:all

Operations
  • POST /qos/policies/{policy_id}/dscp_marking_rules

Scope Types
  • system

Create a QoS DSCP marking rule

update_policy_dscp_marking_rule
Default

role:admin and system_scope:all

Operations
  • PUT /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}

Scope Types
  • system

Update a QoS DSCP marking rule

delete_policy_dscp_marking_rule
Default

role:admin and system_scope:all

Operations
  • DELETE /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}

Scope Types
  • system

Delete a QoS DSCP marking rule

get_policy_minimum_bandwidth_rule
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /qos/policies/{policy_id}/minimum_bandwidth_rules

  • GET /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}

Scope Types
  • system

  • project

Get a QoS minimum bandwidth rule

create_policy_minimum_bandwidth_rule
Default

role:admin and system_scope:all

Operations
  • POST /qos/policies/{policy_id}/minimum_bandwidth_rules

Scope Types
  • system

Create a QoS minimum bandwidth rule

update_policy_minimum_bandwidth_rule
Default

role:admin and system_scope:all

Operations
  • PUT /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}

Scope Types
  • system

Update a QoS minimum bandwidth rule

delete_policy_minimum_bandwidth_rule
Default

role:admin and system_scope:all

Operations
  • DELETE /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}

Scope Types
  • system

Delete a QoS minimum bandwidth rule

get_alias_bandwidth_limit_rule
Default

rule:get_policy_bandwidth_limit_rule

Operations
  • GET /qos/alias_bandwidth_limit_rules/{rule_id}/

Get a QoS bandwidth limit rule through alias

update_alias_bandwidth_limit_rule
Default

rule:update_policy_bandwidth_limit_rule

Operations
  • PUT /qos/alias_bandwidth_limit_rules/{rule_id}/

Update a QoS bandwidth limit rule through alias

delete_alias_bandwidth_limit_rule
Default

rule:delete_policy_bandwidth_limit_rule

Operations
  • DELETE /qos/alias_bandwidth_limit_rules/{rule_id}/

Delete a QoS bandwidth limit rule through alias

get_alias_dscp_marking_rule
Default

rule:get_policy_dscp_marking_rule

Operations
  • GET /qos/alias_dscp_marking_rules/{rule_id}/

Get a QoS DSCP marking rule through alias

update_alias_dscp_marking_rule
Default

rule:update_policy_dscp_marking_rule

Operations
  • PUT /qos/alias_dscp_marking_rules/{rule_id}/

Update a QoS DSCP marking rule through alias

delete_alias_dscp_marking_rule
Default

rule:delete_policy_dscp_marking_rule

Operations
  • DELETE /qos/alias_dscp_marking_rules/{rule_id}/

Delete a QoS DSCP marking rule through alias

get_alias_minimum_bandwidth_rule
Default

rule:get_policy_minimum_bandwidth_rule

Operations
  • GET /qos/alias_minimum_bandwidth_rules/{rule_id}/

Get a QoS minimum bandwidth rule through alias

update_alias_minimum_bandwidth_rule
Default

rule:update_policy_minimum_bandwidth_rule

Operations
  • PUT /qos/alias_minimum_bandwidth_rules/{rule_id}/

Update a QoS minimum bandwidth rule through alias

delete_alias_minimum_bandwidth_rule
Default

rule:delete_policy_minimum_bandwidth_rule

Operations
  • DELETE /qos/alias_minimum_bandwidth_rules/{rule_id}/

Delete a QoS minimum bandwidth rule through alias

get_quota
Default

role:reader and system_scope:all

Operations
  • GET /quota

  • GET /quota/{id}

Scope Types
  • system

Get a resource quota

update_quota
Default

role:admin and system_scope:all

Operations
  • PUT /quota/{id}

Scope Types
  • system

Update a resource quota

delete_quota
Default

role:admin and system_scope:all

Operations
  • DELETE /quota/{id}

Scope Types
  • system

Delete a resource quota

restrict_wildcard
Default

(not field:rbac_policy:target_tenant=*) or rule:admin_only

Definition of a wildcard target_tenant

create_rbac_policy
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /rbac-policies

Scope Types
  • system

  • project

Create an RBAC policy

create_rbac_policy:target_tenant
Default

role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)

Operations
  • POST /rbac-policies

Scope Types
  • system

  • project

Specify target_tenant when creating an RBAC policy

update_rbac_policy
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PUT /rbac-policies/{id}

Scope Types
  • project

  • system

Update an RBAC policy

update_rbac_policy:target_tenant
Default

role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)

Operations
  • PUT /rbac-policies/{id}

Scope Types
  • system

  • project

Update target_tenant attribute of an RBAC policy

get_rbac_policy
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /rbac-policies

  • GET /rbac-policies/{id}

Scope Types
  • project

  • system

Get an RBAC policy

delete_rbac_policy
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • DELETE /rbac-policies/{id}

Scope Types
  • project

  • system

Delete an RBAC policy

create_router
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /routers

Scope Types
  • system

  • project

Create a router

create_router:distributed
Default

role:admin and system_scope:all

Operations
  • POST /routers

Scope Types
  • system

Specify distributed attribute when creating a router

create_router:ha
Default

role:admin and system_scope:all

Operations
  • POST /routers

Scope Types
  • system

Specify ha attribute when creating a router

create_router:external_gateway_info
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /routers

Scope Types
  • system

  • project

Specify external_gateway_info information when creating a router

create_router:external_gateway_info:network_id
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /routers

Scope Types
  • system

  • project

Specify network_id in external_gateway_info information when creating a router

create_router:external_gateway_info:enable_snat
Default

role:admin and system_scope:all

Operations
  • POST /routers

Scope Types
  • system

Specify enable_snat in external_gateway_info information when creating a router

create_router:external_gateway_info:external_fixed_ips
Default

role:admin and system_scope:all

Operations
  • POST /routers

Scope Types
  • system

Specify external_fixed_ips in external_gateway_info information when creating a router

get_router
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /routers

  • GET /routers/{id}

Scope Types
  • system

  • project

Get a router

get_router:distributed
Default

role:reader and system_scope:all

Operations
  • GET /routers

  • GET /routers/{id}

Scope Types
  • system

Get distributed attribute of a router

get_router:ha
Default

role:reader and system_scope:all

Operations
  • GET /routers

  • GET /routers/{id}

Scope Types
  • system

Get ha attribute of a router

update_router
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PUT /routers/{id}

Scope Types
  • system

  • project

Update a router

update_router:distributed
Default

role:admin and system_scope:all

Operations
  • PUT /routers/{id}

Scope Types
  • system

Update distributed attribute of a router

update_router:ha
Default

role:admin and system_scope:all

Operations
  • PUT /routers/{id}

Scope Types
  • system

Update ha attribute of a router

update_router:external_gateway_info
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PUT /routers/{id}

Scope Types
  • system

  • project

Update external_gateway_info information of a router

update_router:external_gateway_info:network_id
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PUT /routers/{id}

Scope Types
  • system

  • project

Update network_id attribute of external_gateway_info information of a router

update_router:external_gateway_info:enable_snat
Default

role:admin and system_scope:all

Operations
  • PUT /routers/{id}

Scope Types
  • system

Update enable_snat attribute of external_gateway_info information of a router

update_router:external_gateway_info:external_fixed_ips
Default

role:admin and system_scope:all

Operations
  • PUT /routers/{id}

Scope Types
  • system

Update external_fixed_ips attribute of external_gateway_info information of a router

delete_router
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • DELETE /routers/{id}

Scope Types
  • system

  • project

Delete a router

add_router_interface
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PUT /routers/{id}/add_router_interface

Scope Types
  • system

  • project

Add an interface to a router

remove_router_interface
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PUT /routers/{id}/remove_router_interface

Scope Types
  • system

  • project

Remove an interface from a router

add_extraroutes
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PUT /routers/{id}/add_extraroutes

Scope Types
  • system

  • project

Add extra routes to a router

remove_extraroutes
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PUT /routers/{id}/remove_extraroutes

Scope Types
  • system

  • project

Remove extra routes from a router

admin_or_sg_owner
Default

rule:context_is_admin or tenant_id:%(security_group:tenant_id)s

Rule for admin or security group owner access

admin_owner_or_sg_owner
Default

rule:owner or rule:admin_or_sg_owner

Rule for resource owner, admin or security group owner access

create_security_group
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /security-groups

Scope Types
  • system

  • project

Create a security group

get_security_group
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /security-groups

  • GET /security-groups/{id}

Scope Types
  • system

  • project

Get a security group

update_security_group
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PUT /security-groups/{id}

Scope Types
  • system

  • project

Update a security group

delete_security_group
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • DELETE /security-groups/{id}

Scope Types
  • system

  • project

Delete a security group

create_security_group_rule
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /security-group-rules

Scope Types
  • system

  • project

Create a security group rule

get_security_group_rule
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:sg_owner

Operations
  • GET /security-group-rules

  • GET /security-group-rules/{id}

Scope Types
  • system

  • project

Get a security group rule

delete_security_group_rule
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • DELETE /security-group-rules/{id}

Scope Types
  • system

  • project

Delete a security group rule

create_segment
Default

role:admin and system_scope:all

Operations
  • POST /segments

Scope Types
  • system

Create a segment

get_segment
Default

role:reader and system_scope:all

Operations
  • GET /segments

  • GET /segments/{id}

Scope Types
  • system

Get a segment

update_segment
Default

role:admin and system_scope:all

Operations
  • PUT /segments/{id}

Scope Types
  • system

Update a segment

delete_segment
Default

role:admin and system_scope:all

Operations
  • DELETE /segments/{id}

Scope Types
  • system

Delete a segment

get_service_provider
Default

role:reader

Operations
  • GET /service-providers

Scope Types
  • system

  • project

Get service providers

create_subnet
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner

Operations
  • POST /subnets

Scope Types
  • system

  • project

Create a subnet

create_subnet:segment_id
Default

role:admin and system_scope:all

Operations
  • POST /subnets

Scope Types
  • system

Specify segment_id attribute when creating a subnet

create_subnet:service_types
Default

role:admin and system_scope:all

Operations
  • POST /subnets

Scope Types
  • system

Specify service_types attribute when creating a subnet

get_subnet
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared

Operations
  • GET /subnets

  • GET /subnets/{id}

Scope Types
  • system

  • project

Get a subnet

get_subnet:segment_id
Default

role:reader and system_scope:all

Operations
  • GET /subnets

  • GET /subnets/{id}

Scope Types
  • system

Get segment_id attribute of a subnet

update_subnet
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner

Operations
  • PUT /subnets/{id}

Scope Types
  • system

  • project

Update a subnet

update_subnet:segment_id
Default

role:admin and system_scope:all

Operations
  • PUT /subnets/{id}

Scope Types
  • system

Update segment_id attribute of a subnet

update_subnet:service_types
Default

role:admin and system_scope:all

Operations
  • PUT /subnets/{id}

Scope Types
  • system

Update service_types attribute of a subnet

delete_subnet
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner

Operations
  • DELETE /subnets/{id}

Scope Types
  • system

  • project

Delete a subnet

shared_subnetpools
Default

field:subnetpools:shared=True

Definition of a shared subnetpool

create_subnetpool
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /subnetpools

Scope Types
  • project

  • system

Create a subnetpool

create_subnetpool:shared
Default

role:admin and system_scope:all

Operations
  • POST /subnetpools

Scope Types
  • system

Create a shared subnetpool

create_subnetpool:is_default
Default

role:admin and system_scope:all

Operations
  • POST /subnetpools

Scope Types
  • system

Specify is_default attribute when creating a subnetpool

get_subnetpool
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools

Operations
  • GET /subnetpools

  • GET /subnetpools/{id}

Scope Types
  • system

  • project

Get a subnetpool

update_subnetpool
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PUT /subnetpools/{id}

Scope Types
  • system

  • project

Update a subnetpool

update_subnetpool:is_default
Default

role:admin and system_scope:all

Operations
  • PUT /subnetpools/{id}

Scope Types
  • system

Update is_default attribute of a subnetpool

delete_subnetpool
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • DELETE /subnetpools/{id}

Scope Types
  • system

  • project

Delete a subnetpool

onboard_network_subnets
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PUT /subnetpools/{id}/onboard_network_subnets

Scope Types
  • system

  • project

Onboard existing subnets into a subnetpool

add_prefixes
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PUT /subnetpools/{id}/add_prefixes

Scope Types
  • system

  • project

Add prefixes to a subnetpool

remove_prefixes
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PUT /subnetpools/{id}/remove_prefixes

Scope Types
  • system

  • project

Remove unallocated prefixes from a subnetpool

create_trunk
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • POST /trunks

Scope Types
  • project

  • system

Create a trunk

get_trunk
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /trunks

  • GET /trunks/{id}

Scope Types
  • project

  • system

Get a trunk

update_trunk
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PUT /trunks/{id}

Scope Types
  • project

  • system

Update a trunk

delete_trunk
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • DELETE /trunks/{id}

Scope Types
  • project

  • system

Delete a trunk

get_subports
Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations
  • GET /trunks/{id}/get_subports

Scope Types
  • project

  • system

List subports attached to a trunk

add_subports
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PUT /trunks/{id}/add_subports

Scope Types
  • project

  • system

Add subports to a trunk

remove_subports
Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations
  • PUT /trunks/{id}/remove_subports

Scope Types
  • project

  • system

Delete subports from a trunk