The following is an overview of all available policies in Nova. For a sample configuration file, refer to Sample Nova Policy File.
context_is_admin
Default: role:admin
Decides what is required for the ‘is_admin:True’ check to succeed.

admin_or_owner
Default: is_admin:True or project_id:%(project_id)s
Default rule for most non-Admin APIs.

admin_api
Default: is_admin:True
Default rule for most Admin APIs.
os_compute_api:os-admin-actions:reset_state
Default:
Operations:
Reset the state of a given server

os_compute_api:os-admin-actions:inject_network_info
Default:
Operations:
Inject network information into the server

os_compute_api:os-admin-actions:reset_network
Default:
Operations:
Reset networking on a server

os_compute_api:os-admin-password
Default:
Operations:
Change the administrative password for a server

os_compute_api:os-agents
Default:
Operations:
Create, list, update, and delete guest agent builds. This is XenAPI driver specific. It is used to force the upgrade of the XenAPI guest agent on instance boot.

os_compute_api:os-aggregates:set_metadata
Default:
Operations:
Create or replace metadata for an aggregate

os_compute_api:os-aggregates:add_host
Default:
Operations:
Add a host to an aggregate

os_compute_api:os-aggregates:create
Default:
Operations:
Create an aggregate

os_compute_api:os-aggregates:remove_host
Default:
Operations:
Remove a host from an aggregate

os_compute_api:os-aggregates:update
Default:
Operations:
Update name and/or availability zone for an aggregate

os_compute_api:os-aggregates:index
Default:
Operations:
List all aggregates

os_compute_api:os-aggregates:delete
Default:
Operations:
Delete an aggregate

os_compute_api:os-aggregates:show
Default:
Operations:
Show details for an aggregate
os_compute_api:os-assisted-volume-snapshots:create
Default:
Operations:
Create an assisted volume snapshot

os_compute_api:os-assisted-volume-snapshots:delete
Default:
Operations:
Delete an assisted volume snapshot

os_compute_api:os-attach-interfaces
Default:
Operations:
List port interfaces or show details of a port interface attached to a server

os_compute_api:os-attach-interfaces:create
Default:
Operations:
Attach an interface to a server

os_compute_api:os-attach-interfaces:delete
Default:
Operations:
Detach an interface from a server

os_compute_api:os-availability-zone:list
Default:
Operations:
List availability zone information without host information

os_compute_api:os-availability-zone:detail
Default:
Operations:
List detailed availability zone information with host information

os_compute_api:os-baremetal-nodes
Default:
Operations:
List and show details of bare metal nodes. These APIs are proxy calls to the Ironic service and are deprecated.

os_compute_api:os-cells:update
Default:
Operations:
Update an existing cell

os_compute_api:os-cells:create
Default:
Operations:
Create a new cell

os_compute_api:os-cells
Default:
Operations:
List and show detailed info for a given cell or all cells

os_compute_api:os-cells:sync_instances
Default:
Operations:
Sync instances info in all cells

os_compute_api:os-cells:delete
Default:
Operations:
Remove a cell
cells_scheduler_filter:DifferentCellFilter
Default: is_admin:True
Different cell filter to route a build away from a particular cell. This policy is read by the nova-scheduler process.

cells_scheduler_filter:TargetCellFilter
Default: is_admin:True
Target cell filter to route a build to a particular cell. This policy is read by the nova-scheduler process.

os_compute_api:os-config-drive
Default:
Operations:
Add the ‘config_drive’ attribute to the server response

os_compute_api:os-console-auth-tokens
Default:
Operations:
Show console connection information for a given console authentication token

os_compute_api:os-console-output
Default:
Operations:
Show console output for a server

os_compute_api:os-consoles:create
Default:
Operations:
Create a console for a server instance

os_compute_api:os-consoles:show
Default:
Operations:
Show console details for a server instance

os_compute_api:os-consoles:delete
Default:
Operations:
Delete a console for a server instance

os_compute_api:os-consoles:index
Default:
Operations:
List all consoles for a server instance

os_compute_api:os-create-backup
Default:
Operations:
Create a backup of a server

os_compute_api:os-deferred-delete
Default:
Operations:
Restore a soft-deleted server or force delete a server before deferred cleanup

os_compute_api:os-evacuate
Default:
Operations:
Evacuate a server from a failed host to a new host

os_compute_api:os-extended-availability-zone
Default:
Operations:
Add OS-EXT-AZ:availability_zone to the server response
os_compute_api:os-extended-server-attributes
Default:
Operations:
Return extended attributes for a server.
This rule controls the visibility of the following server attributes:
- OS-EXT-SRV-ATTR:host
- OS-EXT-SRV-ATTR:instance_name
- OS-EXT-SRV-ATTR:reservation_id (since microversion 2.3)
- OS-EXT-SRV-ATTR:launch_index (since microversion 2.3)
- OS-EXT-SRV-ATTR:hostname (since microversion 2.3)
- OS-EXT-SRV-ATTR:kernel_id (since microversion 2.3)
- OS-EXT-SRV-ATTR:ramdisk_id (since microversion 2.3)
- OS-EXT-SRV-ATTR:root_device_name (since microversion 2.3)
- OS-EXT-SRV-ATTR:user_data (since microversion 2.3)

os_compute_api:os-extended-status
Default:
Operations:
Return extended status in the server response.
This policy controls the visibility of the following attributes:
- OS-EXT-STS:task_state
- OS-EXT-STS:vm_state
- OS-EXT-STS:power_state

os_compute_api:os-extended-volumes
Default:
Operations:
Return ‘os-extended-volumes:volumes_attached’ in the server response

os_compute_api:extensions
Default:
Operations:
List available extensions and show information for an extension by alias
os_compute_api:os-flavor-access:add_tenant_access
Default:
Operations:
Add flavor access to a tenant

os_compute_api:os-flavor-access:remove_tenant_access
Default:
Operations:
Remove flavor access from a tenant

os_compute_api:os-flavor-access
Default:
Operations:
List flavor access information. Adds the os-flavor-access:is_public key to several flavor APIs. It also allows access to the full list of tenants that have access to a flavor via the os-flavor-access API.

os_compute_api:os-flavor-extra-specs:show
Default:
Operations:
Show an extra spec for a flavor

os_compute_api:os-flavor-extra-specs:create
Default:
Operations:
Create extra specs for a flavor

os_compute_api:os-flavor-extra-specs:update
Default:
Operations:
Update an extra spec for a flavor

os_compute_api:os-flavor-extra-specs:delete
Default:
Operations:
Delete an extra spec for a flavor

os_compute_api:os-flavor-extra-specs:index
Default:
Operations:
List extra specs for a flavor. Starting with microversion 2.47, the flavor used for a server is also returned in the response when showing server details, updating a server or rebuilding a server. Starting with microversion 2.61, extra specs may be returned in responses for the flavor resource.

os_compute_api:os-flavor-manage
Default:
Operations:
Create and delete flavors. Deprecated in Pike and will be removed in a future release.

os_compute_api:os-flavor-manage:create
Default:
Operations:
Create a flavor

os_compute_api:os-flavor-manage:update
Default:
Operations:
Update a flavor

os_compute_api:os-flavor-manage:delete
Default:
Operations:
Delete a flavor

os_compute_api:os-flavor-rxtx
Default:
Operations:
Add the rxtx_factor key to some flavor APIs

os_compute_api:flavors
Default: rule:admin_or_owner
Deprecated in Pike and will be removed in the next release.
os_compute_api:os-floating-ip-pools
Default:
Operations:
List floating IP pools. This API is deprecated.

os_compute_api:os-floating-ips
Default:
Operations:
Manage a project’s floating IPs. These APIs are all deprecated.

os_compute_api:os-hide-server-addresses
Default:
Operations:
Hide the server’s ‘addresses’ key in the server response. This sets the ‘addresses’ key in the server response to an empty dictionary when the server is in a specific set of states as defined in CONF.api.hide_server_address_states. By default ‘addresses’ is hidden only when the server is in the ‘BUILDING’ state.

os_compute_api:os-hosts
Default:
Operations:
List, show and manage physical hosts. These APIs are all deprecated in favor of os-hypervisors and os-services.

os_compute_api:os-hypervisors
Default:
Operations:
Policy rule for hypervisor-related APIs. This rule is checked for the following APIs: list all hypervisors, list all hypervisors with details, show summary statistics for all hypervisors over all compute nodes, show details for a hypervisor, show the uptime of a hypervisor, search hypervisors by hypervisor_hostname pattern, and list all servers on hypervisors that match the provided hypervisor_hostname pattern.

os_compute_api:image-size
Default:
Operations:
Add the ‘OS-EXT-IMG-SIZE:size’ attribute to the image response.

os_compute_api:os-instance-actions:events
Default:
Operations:
Add event details to the action details for a server. This check is performed only after the check os_compute_api:os-instance-actions passes. Beginning with microversion 2.51, event details are always included; traceback information is provided per event if policy enforcement passes. Beginning with microversion 2.62, each event includes a hashed host identifier and, if policy enforcement passes, the name of the host.

os_compute_api:os-instance-actions
Default:
Operations:
List actions and show action details for a server.

os_compute_api:os-instance-usage-audit-log
Default:
Operations:
List all usage audits that occurred before a specified time for all servers on all compute hosts where usage auditing is configured

os_compute_api:ips:show
Default:
Operations:
Show IP address details for a network label of a server

os_compute_api:ips:index
Default:
Operations:
List IP addresses that are assigned to a server
os_compute_api:os-keypairs:index
Default:
Operations:
List all keypairs

os_compute_api:os-keypairs:create
Default:
Operations:
Create a keypair

os_compute_api:os-keypairs:delete
Default:
Operations:
Delete a keypair

os_compute_api:os-keypairs:show
Default:
Operations:
Show details of a keypair

os_compute_api:os-keypairs
Default:
Operations:
Return ‘key_name’ in the server response.

os_compute_api:limits
Default:
Operations:
Show rate and absolute limits for the project

os_compute_api:os-lock-server:lock
Default:
Operations:
Lock a server

os_compute_api:os-lock-server:unlock
Default:
Operations:
Unlock a server

os_compute_api:os-lock-server:unlock:unlock_override
Default:
Operations:
Unlock a server, regardless of who locked it. This check is performed only after the check os_compute_api:os-lock-server:unlock passes.

os_compute_api:os-migrate-server:migrate
Default:
Operations:
Cold migrate a server to a host

os_compute_api:os-migrate-server:migrate_live
Default:
Operations:
Live migrate a server to a new host without a reboot

os_compute_api:os-migrations:index
Default:
Operations:
List migrations

os_compute_api:os-multinic
Default:
Operations:
Add a fixed IP address to, or remove one from, a server. These APIs are proxy calls to the Network service. These are all deprecated.

os_compute_api:os-networks
Default:
Operations:
Create and delete a network, add and disassociate a network from a project. These APIs are only available with nova-network, which is deprecated.

os_compute_api:os-networks:view
Default:
Operations:
List networks for the project and show details for a network. These APIs are proxy calls to the Network service. These are all deprecated.

os_compute_api:os-networks-associate
Default:
Operations:
Associate or disassociate a network from a host or project. These APIs are only available with nova-network, which is deprecated.
os_compute_api:os-pause-server:pause
Default:
Operations:
Pause a server

os_compute_api:os-pause-server:unpause
Default:
Operations:
Unpause a paused server

os_compute_api:os-quota-class-sets:show
Default:
Operations:
List quotas for a specific quota class

os_compute_api:os-quota-class-sets:update
Default:
Operations:
Update quotas for a specific quota class

os_compute_api:os-quota-sets:update
Default:
Operations:
Update the quotas

os_compute_api:os-quota-sets:defaults
Default:
Operations:
List default quotas

os_compute_api:os-quota-sets:show
Default:
Operations:
Show a quota

os_compute_api:os-quota-sets:delete
Default:
Operations:
Revert quotas to defaults

os_compute_api:os-quota-sets:detail
Default:
Operations:
Show the details of a quota

os_compute_api:os-remote-consoles
Default:
Operations:
Generate a URL to access a remote server console

os_compute_api:os-rescue
Default:
Operations:
Rescue/unrescue a server

os_compute_api:os-security-group-default-rules
Default:
Operations:
List, show information for, create, or delete default security group rules. These APIs are only available with nova-network, which is now deprecated.

os_compute_api:os-security-groups
Default:
Operations:
List, show, add, or remove security groups. The APIs that operate directly on the security group resource are deprecated: listing, showing, creating, updating and deleting security groups, and creating and deleting security group rules. The APIs related to the server resource are not deprecated: listing security groups for a server, adding a security group to or removing one from a server, and expanding security_groups in the server representation.

os_compute_api:os-server-diagnostics
Default:
Operations:
Show the usage data for a server

os_compute_api:os-server-external-events:create
Default:
Operations:
Create one or more external events
os_compute_api:os-server-groups
Default: rule:admin_or_owner
Deprecated in Pike and will be removed in the next release.

os_compute_api:os-server-groups:create
Default:
Operations:
Create a new server group

os_compute_api:os-server-groups:delete
Default:
Operations:
Delete a server group

os_compute_api:os-server-groups:index
Default:
Operations:
List all server groups

os_compute_api:os-server-groups:show
Default:
Operations:
Show details of a server group

os_compute_api:server-metadata:index
Default:
Operations:
List all metadata of a server

os_compute_api:server-metadata:show
Default:
Operations:
Show metadata for a server

os_compute_api:server-metadata:create
Default:
Operations:
Create metadata for a server

os_compute_api:server-metadata:update_all
Default:
Operations:
Replace metadata for a server

os_compute_api:server-metadata:update
Default:
Operations:
Update metadata for a server

os_compute_api:server-metadata:delete
Default:
Operations:
Delete metadata from a server

os_compute_api:os-server-password
Default:
Operations:
Show and clear the encrypted administrative password of a server

os_compute_api:os-server-tags:delete_all
Default:
Operations:
Delete all the server tags

os_compute_api:os-server-tags:index
Default:
Operations:
List all tags for a given server

os_compute_api:os-server-tags:update_all
Default:
Operations:
Replace all tags on the specified server with the new set of tags.

os_compute_api:os-server-tags:delete
Default:
Operations:
Delete a single tag from the specified server

os_compute_api:os-server-tags:update
Default:
Operations:
Add a single tag to the server if the server does not already have that tag

os_compute_api:os-server-tags:show
Default:
Operations:
Check tag existence on the server.

os_compute_api:os-server-usage
Default:
Operations:
Add the ‘OS-SRV-USG:launched_at’ and ‘OS-SRV-USG:terminated_at’ attributes to the server response. This check is performed only after the check ‘os_compute_api:servers:show’ for GET /servers/{id} or ‘os_compute_api:servers:detail’ for GET /servers/detail passes.
os_compute_api:servers:index
Default:
Operations:
List all servers

os_compute_api:servers:detail
Default:
Operations:
List all servers with detailed information

os_compute_api:servers:index:get_all_tenants
Default:
Operations:
List all servers for all projects

os_compute_api:servers:detail:get_all_tenants
Default:
Operations:
List all servers with detailed information for all projects

os_compute_api:servers:show
Default:
Operations:
Show a server

os_compute_api:servers:show:host_status
Default:
Operations:
Show a server with additional host status information

os_compute_api:servers:create
Default:
Operations:
Create a server

os_compute_api:servers:create:forced_host
Default:
Operations:
Create a server on the specified host

os_compute_api:servers:create:attach_volume
Default:
Operations:
Create a server with the requested volume attached to it

os_compute_api:servers:create:attach_network
Default:
Operations:
Create a server with the requested network attached to it

os_compute_api:servers:create:trusted_certs
Default:
Operations:
Create a server with trusted image certificate IDs
os_compute_api:servers:create:zero_disk_flavor
Default:
Operations:
This rule controls the compute API validation behavior when creating a server with a flavor that has 0 disk, indicating the server should be volume-backed. For a flavor with disk=0, the root disk will be set to exactly the size of the image used to deploy the instance. However, in this case the filter_scheduler cannot select the compute host based on the virtual image size. Therefore, 0 should only be used for volume-booted instances or for testing purposes.
WARNING: It is a potential security exposure to enable this policy rule if users can upload their own images, since repeated attempts to create a disk=0 flavor instance with a large image can exhaust the local disk of the compute host (or shared storage cluster). See bug https://bugs.launchpad.net/nova/+bug/1739646 for details.
This rule defaults to rule:admin_or_owner for backward compatibility but will be changed to default to rule:admin_api in a subsequent release.
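As an added illustration (not code from the Nova project or oslo.policy), the following simplified Python evaluator models how the rule strings on this page compose: context_is_admin decides whether ‘is_admin:True’ succeeds, admin_or_owner and admin_api reference it, and the zero_disk_flavor rule above can be tightened from rule:admin_or_owner to rule:admin_api, the default the page says is coming. The evaluator, the HARDENED_OVERRIDES dictionary and the member/admin credentials and project ids are constructed for the example.

```python
"""Toy evaluator for the oslo.policy rule strings quoted on this page.

Added illustration, not oslo.policy itself: it supports only the constructs
the page uses (role:X, is_admin:True, project_id:%(project_id)s, rule:X,
'or', 'and') and ignores parentheses and 'not'.
"""

# The generic rules exactly as the page lists their defaults, plus the
# zero-disk-flavor rule, which the page says defaults to admin_or_owner.
PAGE_DEFAULTS = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "admin_api": "is_admin:True",
    "os_compute_api:servers:create:zero_disk_flavor": "rule:admin_or_owner",
}

# Constructed policy override applying the change the page announces:
# only admins may boot a disk=0 flavor.
HARDENED_OVERRIDES = {
    "os_compute_api:servers:create:zero_disk_flavor": "rule:admin_api",
}


def _check(atom, creds, target, rules):
    """Evaluate one 'kind:value' check against credentials and target."""
    kind, _, value = atom.partition(":")
    if kind == "rule":                      # reference to another named rule
        return evaluate(rules[value], creds, target, rules)
    if kind == "role":                      # role must be among token roles
        return value in creds.get("roles", [])
    if value.startswith("%(") and value.endswith(")s"):
        # Substitution check: credential field must equal the target field
        field = value[2:-2]
        return str(creds.get(kind)) == str(target.get(field))
    # Literal check, compared as strings the way oslo.policy does
    return str(creds.get(kind)) == value


def evaluate(expr, creds, target, rules):
    """'or' binds looser than 'and'; an empty rule string always passes."""
    if not expr.strip():
        return True
    for disjunct in expr.split(" or "):
        atoms = [a.strip() for a in disjunct.split(" and ")]
        if all(_check(a, creds, target, rules) for a in atoms):
            return True
    return False


def merged_rules(overrides=None):
    rules = dict(PAGE_DEFAULTS)
    rules.update(overrides or {})
    return rules


def build_creds(roles, project_id, overrides=None):
    """Derive is_admin from context_is_admin, as the page's first entry says."""
    rules = merged_rules(overrides)
    creds = {"roles": list(roles), "project_id": project_id}
    creds["is_admin"] = evaluate(rules["context_is_admin"], creds, {}, rules)
    return creds


def enforce(rule_name, creds, target, overrides=None):
    rules = merged_rules(overrides)
    return evaluate(rules[rule_name], creds, target, rules)


if __name__ == "__main__":
    rule = "os_compute_api:servers:create:zero_disk_flavor"
    member = build_creds(["member"], "p1")   # constructed project member
    admin = build_creds(["admin"], "p9")     # constructed admin
    target = {"project_id": "p1"}
    print("member, page default:", enforce(rule, member, target))  # True
    print("member, hardened:", enforce(rule, member, target, HARDENED_OVERRIDES))  # False
    print("admin, hardened:", enforce(rule, admin, target, HARDENED_OVERRIDES))  # True
```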
network:attach_external_network
Default:
Operations:
Attach an unshared external network to a server

os_compute_api:servers:delete
Default:
Operations:
Delete a server

os_compute_api:servers:update
Default:
Operations:
Update a server

os_compute_api:servers:confirm_resize
Default:
Operations:
Confirm a server resize

os_compute_api:servers:revert_resize
Default:
Operations:
Revert a server resize

os_compute_api:servers:reboot
Default:
Operations:
Reboot a server

os_compute_api:servers:resize
Default:
Operations:
Resize a server

os_compute_api:servers:rebuild
Default:
Operations:
Rebuild a server

os_compute_api:servers:rebuild:trusted_certs
Default:
Operations:
Rebuild a server with trusted image certificate IDs

os_compute_api:servers:create_image
Default:
Operations:
Create an image from a server

os_compute_api:servers:create_image:allow_volume_backed
Default:
Operations:
Create an image from a volume-backed server

os_compute_api:servers:start
Default:
Operations:
Start a server

os_compute_api:servers:stop
Default:
Operations:
Stop a server

os_compute_api:servers:trigger_crash_dump
Default:
Operations:
Trigger a crash dump in a server

os_compute_api:servers:migrations:show
Default:
Operations:
Show details for an in-progress live migration for a given server

os_compute_api:servers:migrations:force_complete
Default:
Operations:
Force an in-progress live migration for a given server to complete

os_compute_api:servers:migrations:delete
Default:
Operations:
Delete (abort) an in-progress live migration

os_compute_api:servers:migrations:index
Default:
Operations:
List in-progress live migrations for a given server
os_compute_api:os-services
Default:
Operations:
List all running Compute services in a region, enable or disable scheduling for a Compute service, log disabled Compute service information, set or unset the forced_down flag for a Compute service, and delete a Compute service

os_compute_api:os-shelve:shelve
Default:
Operations:
Shelve a server

os_compute_api:os-shelve:unshelve
Default:
Operations:
Unshelve (restore) a shelved server

os_compute_api:os-shelve:shelve_offload
Default:
Operations:
Shelve-offload (remove) a server

os_compute_api:os-simple-tenant-usage:show
Default:
Operations:
Show usage statistics for a specific tenant

os_compute_api:os-simple-tenant-usage:list
Default:
Operations:
List per-tenant usage statistics for all tenants

os_compute_api:os-suspend-server:resume
Default:
Operations:
Resume a suspended server

os_compute_api:os-suspend-server:suspend
Default:
Operations:
Suspend a server

os_compute_api:os-tenant-networks
Default:
Operations:
Create, list, show information for, and delete project networks. These APIs are proxy calls to the Network service. These are all deprecated.

os_compute_api:os-used-limits
Default:
Operations:
Show rate and absolute limits for the project. This policy only checks whether the user has access to the requested project limits, and the check is performed only after the check os_compute_api:limits passes.

os_compute_api:os-volumes
Default:
Operations:
Manage volumes for use with the Compute API. Lists, shows details of, creates, and deletes volumes and snapshots. These APIs are proxy calls to the Volume service. These are all deprecated.

os_compute_api:os-volumes-attachments:index
Default:
Operations:
List volume attachments for an instance

os_compute_api:os-volumes-attachments:create
Default:
Operations:
Attach a volume to an instance

os_compute_api:os-volumes-attachments:show
Default:
Operations:
Show details of a volume attachment

os_compute_api:os-volumes-attachments:update
Default:
Operations:
Update a volume attachment

os_compute_api:os-volumes-attachments:delete
Default:
Operations:
Detach a volume from an instance
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.