Octavia Policies¶

The default policy is to not allow access unless the auth_strategy is ‘noauth’.

Users must be a member of one of the following roles to have access to the load-balancer API:

role:load-balancer_observer: User has access to load-balancer read-only APIs.
role:load-balancer_global_observer: User has access to load-balancer read-only APIs including resources owned by others.
role:load-balancer_member: User has access to load-balancer read and write APIs.
role:load-balancer_quota_admin: User is considered an admin for quota APIs only.
role:load-balancer_admin: User is considered an admin for all load-balnacer APIs including resources owned by others.
role:admin: User is admin to all APIs.

Note

‘is_admin:True’ is a policy rule that takes into account the auth_strategy == noauth configuration setting. It is equivalent to ‘rule:context_is_admin or {auth_strategy == noauth}’ if that would be valid syntax.

Legacy Admin or Owner Policy¶

An alternate policy file has been provided in octavia/etc/policy called admin_or_owner-policy.yaml that removes the load-balancer RBAC role requirement. Please see the README.rst in that directory for more information.

Sample File Generation¶

To generate a sample policy.yaml file from the Octavia defaults, run the oslo policy generation script:

oslopolicy-sample-generator
--config-file etc/policy/octavia-policy-generator.conf
--output-file policy.yaml.sample

Merged File Generation¶

This will output a policy file which includes all registered policy defaults and all policies configured with a policy file. This file shows the effective policy in use by the project:

oslopolicy-policy-generator
--config-file etc/policy/octavia-policy-generator.conf

This tool uses the output_file path from the config-file.

List Redundant Configurations¶

This will output a list of matches for policy rules that are defined in a configuration file where the rule does not differ from a registered default rule. These are rules that can be removed from the policy file with no change in effective policy:

oslopolicy-list-redundant
--config-file etc/policy/octavia-policy-generator.conf

Default Octavia Policies¶

#"context_is_admin": "role:admin or role:load-balancer_admin"

#"load-balancer:owner": "project_id:%(project_id)s"

#"load-balancer:admin": "is_admin:True or role:admin or role:load-balancer_admin"

#"load-balancer:observer_and_owner": "role:load-balancer_observer and rule:load-balancer:owner"

#"load-balancer:global_observer": "role:load-balancer_global_observer"

#"load-balancer:member_and_owner": "role:load-balancer_member and rule:load-balancer:owner"

#"load-balancer:read": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin"

#"load-balancer:read-global": "rule:load-balancer:global_observer or rule:load-balancer:admin"

#"load-balancer:write": "rule:load-balancer:member_and_owner or rule:load-balancer:admin"

#"load-balancer:read-quota": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin"

#"load-balancer:read-quota-global": "rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin"

#"load-balancer:write-quota": "role:load-balancer_quota_admin or rule:load-balancer:admin"

# List Flavors
# GET  /v2.0/lbaas/flavors
#"os_load-balancer_api:flavor:get_all": "rule:load-balancer:read"

# Create a Flavor
# POST  /v2.0/lbaas/flavors
#"os_load-balancer_api:flavor:post": "rule:load-balancer:admin"

# Update a Flavor
# PUT  /v2.0/lbaas/flavors/{flavor_id}
#"os_load-balancer_api:flavor:put": "rule:load-balancer:admin"

# Show Flavor details
# GET  /v2.0/lbaas/flavors/{flavor_id}
#"os_load-balancer_api:flavor:get_one": "rule:load-balancer:read"

# Remove a Flavor
# DELETE  /v2.0/lbaas/flavors/{flavor_id}
#"os_load-balancer_api:flavor:delete": "rule:load-balancer:admin"

# List Flavor Profiles
# GET  /v2.0/lbaas/flavorprofiles
#"os_load-balancer_api:flavor-profile:get_all": "rule:load-balancer:admin"

# Create a Flavor Profile
# POST  /v2.0/lbaas/flavorprofiles
#"os_load-balancer_api:flavor-profile:post": "rule:load-balancer:admin"

# Update a Flavor Profile
# PUT  /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
#"os_load-balancer_api:flavor-profile:put": "rule:load-balancer:admin"

# Show Flavor Profile details
# GET  /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
#"os_load-balancer_api:flavor-profile:get_one": "rule:load-balancer:admin"

# Remove a Flavor Profile
# DELETE  /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
#"os_load-balancer_api:flavor-profile:delete": "rule:load-balancer:admin"

# List Availability Zones
# GET  /v2.0/lbaas/availabilityzones
#"os_load-balancer_api:availability-zone:get_all": "rule:load-balancer:read"

# Create an Availability Zone
# POST  /v2.0/lbaas/availabilityzones
#"os_load-balancer_api:availability-zone:post": "rule:load-balancer:admin"

# Update an Availability Zone
# PUT  /v2.0/lbaas/availabilityzones/{availability_zone_id}
#"os_load-balancer_api:availability-zone:put": "rule:load-balancer:admin"

# Show Availability Zone details
# GET  /v2.0/lbaas/availabilityzones/{availability_zone_id}
#"os_load-balancer_api:availability-zone:get_one": "rule:load-balancer:read"

# Remove an Availability Zone
# DELETE  /v2.0/lbaas/availabilityzones/{availability_zone_id}
#"os_load-balancer_api:availability-zone:delete": "rule:load-balancer:admin"

# List Availability Zones
# GET  /v2.0/lbaas/availabilityzoneprofiles
#"os_load-balancer_api:availability-zone-profile:get_all": "rule:load-balancer:admin"

# Create an Availability Zone
# POST  /v2.0/lbaas/availabilityzoneprofiles
#"os_load-balancer_api:availability-zone-profile:post": "rule:load-balancer:admin"

# Update an Availability Zone
# PUT  /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
#"os_load-balancer_api:availability-zone-profile:put": "rule:load-balancer:admin"

# Show Availability Zone details
# GET  /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
#"os_load-balancer_api:availability-zone-profile:get_one": "rule:load-balancer:admin"

# Remove an Availability Zone
# DELETE  /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
#"os_load-balancer_api:availability-zone-profile:delete": "rule:load-balancer:admin"

# List Health Monitors of a Pool
# GET  /v2/lbaas/healthmonitors
#"os_load-balancer_api:healthmonitor:get_all": "rule:load-balancer:read"

# List Health Monitors including resources owned by others
# GET  /v2/lbaas/healthmonitors
#"os_load-balancer_api:healthmonitor:get_all-global": "rule:load-balancer:read-global"

# Create a Health Monitor
# POST  /v2/lbaas/healthmonitors
#"os_load-balancer_api:healthmonitor:post": "rule:load-balancer:write"

# Show Health Monitor details
# GET  /v2/lbaas/healthmonitors/{healthmonitor_id}
#"os_load-balancer_api:healthmonitor:get_one": "rule:load-balancer:read"

# Update a Health Monitor
# PUT  /v2/lbaas/healthmonitors/{healthmonitor_id}
#"os_load-balancer_api:healthmonitor:put": "rule:load-balancer:write"

# Remove a Health Monitor
# DELETE  /v2/lbaas/healthmonitors/{healthmonitor_id}
#"os_load-balancer_api:healthmonitor:delete": "rule:load-balancer:write"

# List L7 Policys
# GET  /v2/lbaas/l7policies
#"os_load-balancer_api:l7policy:get_all": "rule:load-balancer:read"

# List L7 Policys including resources owned by others
# GET  /v2/lbaas/l7policies
#"os_load-balancer_api:l7policy:get_all-global": "rule:load-balancer:read-global"

# Create a L7 Policy
# POST  /v2/lbaas/l7policies
#"os_load-balancer_api:l7policy:post": "rule:load-balancer:write"

# Show L7 Policy details
# GET  /v2/lbaas/l7policies/{l7policy_id}
#"os_load-balancer_api:l7policy:get_one": "rule:load-balancer:read"

# Update a L7 Policy
# PUT  /v2/lbaas/l7policies/{l7policy_id}
#"os_load-balancer_api:l7policy:put": "rule:load-balancer:write"

# Remove a L7 Policy
# DELETE  /v2/lbaas/l7policies/{l7policy_id}
#"os_load-balancer_api:l7policy:delete": "rule:load-balancer:write"

# List L7 Rules
# GET  /v2/lbaas/l7policies/{l7policy_id}/rules
#"os_load-balancer_api:l7rule:get_all": "rule:load-balancer:read"

# Create a L7 Rule
# POST  /v2/lbaas/l7policies/{l7policy_id}/rules
#"os_load-balancer_api:l7rule:post": "rule:load-balancer:write"

# Show L7 Rule details
# GET  /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
#"os_load-balancer_api:l7rule:get_one": "rule:load-balancer:read"

# Update a L7 Rule
# PUT  /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
#"os_load-balancer_api:l7rule:put": "rule:load-balancer:write"

# Remove a L7 Rule
# DELETE  /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
#"os_load-balancer_api:l7rule:delete": "rule:load-balancer:write"

# List Listeners
# GET  /v2/lbaas/listeners
#"os_load-balancer_api:listener:get_all": "rule:load-balancer:read"

# List Listeners including resources owned by others
# GET  /v2/lbaas/listeners
#"os_load-balancer_api:listener:get_all-global": "rule:load-balancer:read-global"

# Create a Listener
# POST  /v2/lbaas/listeners
#"os_load-balancer_api:listener:post": "rule:load-balancer:write"

# Show Listener details
# GET  /v2/lbaas/listeners/{listener_id}
#"os_load-balancer_api:listener:get_one": "rule:load-balancer:read"

# Update a Listener
# PUT  /v2/lbaas/listeners/{listener_id}
#"os_load-balancer_api:listener:put": "rule:load-balancer:write"

# Remove a Listener
# DELETE  /v2/lbaas/listeners/{listener_id}
#"os_load-balancer_api:listener:delete": "rule:load-balancer:write"

# Show Listener statistics
# GET  /v2/lbaas/listeners/{listener_id}/stats
#"os_load-balancer_api:listener:get_stats": "rule:load-balancer:read"

# List Load Balancers
# GET  /v2/lbaas/loadbalancers
#"os_load-balancer_api:loadbalancer:get_all": "rule:load-balancer:read"

# List Load Balancers including resources owned by others
# GET  /v2/lbaas/loadbalancers
#"os_load-balancer_api:loadbalancer:get_all-global": "rule:load-balancer:read-global"

# Create a Load Balancer
# POST  /v2/lbaas/loadbalancers
#"os_load-balancer_api:loadbalancer:post": "rule:load-balancer:write"

# Show Load Balancer details
# GET  /v2/lbaas/loadbalancers/{loadbalancer_id}
#"os_load-balancer_api:loadbalancer:get_one": "rule:load-balancer:read"

# Update a Load Balancer
# PUT  /v2/lbaas/loadbalancers/{loadbalancer_id}
#"os_load-balancer_api:loadbalancer:put": "rule:load-balancer:write"

# Remove a Load Balancer
# DELETE  /v2/lbaas/loadbalancers/{loadbalancer_id}
#"os_load-balancer_api:loadbalancer:delete": "rule:load-balancer:write"

# Show Load Balancer statistics
# GET  /v2/lbaas/loadbalancers/{loadbalancer_id}/stats
#"os_load-balancer_api:loadbalancer:get_stats": "rule:load-balancer:read"

# Show Load Balancer status
# GET  /v2/lbaas/loadbalancers/{loadbalancer_id}/status
#"os_load-balancer_api:loadbalancer:get_status": "rule:load-balancer:read"

# Failover a Load Balancer
# PUT  /v2/lbaas/loadbalancers/{loadbalancer_id}/failover
#"os_load-balancer_api:loadbalancer:put_failover": "rule:load-balancer:admin"

# List Members of a Pool
# GET  /v2/lbaas/pools/{pool_id}/members
#"os_load-balancer_api:member:get_all": "rule:load-balancer:read"

# Create a Member
# POST  /v2/lbaas/pools/{pool_id}/members
#"os_load-balancer_api:member:post": "rule:load-balancer:write"

# Show Member details
# GET  /v2/lbaas/pools/{pool_id}/members/{member_id}
#"os_load-balancer_api:member:get_one": "rule:load-balancer:read"

# Update a Member
# PUT  /v2/lbaas/pools/{pool_id}/members/{member_id}
#"os_load-balancer_api:member:put": "rule:load-balancer:write"

# Remove a Member
# DELETE  /v2/lbaas/pools/{pool_id}/members/{member_id}
#"os_load-balancer_api:member:delete": "rule:load-balancer:write"

# List Pools
# GET  /v2/lbaas/pools
#"os_load-balancer_api:pool:get_all": "rule:load-balancer:read"

# List Pools including resources owned by others
# GET  /v2/lbaas/pools
#"os_load-balancer_api:pool:get_all-global": "rule:load-balancer:read-global"

# Create a Pool
# POST  /v2/lbaas/pools
#"os_load-balancer_api:pool:post": "rule:load-balancer:write"

# Show Pool details
# GET  /v2/lbaas/pools/{pool_id}
#"os_load-balancer_api:pool:get_one": "rule:load-balancer:read"

# Update a Pool
# PUT  /v2/lbaas/pools/{pool_id}
#"os_load-balancer_api:pool:put": "rule:load-balancer:write"

# Remove a Pool
# DELETE  /v2/lbaas/pools/{pool_id}
#"os_load-balancer_api:pool:delete": "rule:load-balancer:write"

# List enabled providers
# GET  /v2/lbaas/providers
#"os_load-balancer_api:provider:get_all": "rule:load-balancer:read"

# List Quotas
# GET  /v2/lbaas/quotas
#"os_load-balancer_api:quota:get_all": "rule:load-balancer:read-quota"

# List Quotas including resources owned by others
# GET  /v2/lbaas/quotas
#"os_load-balancer_api:quota:get_all-global": "rule:load-balancer:read-quota-global"

# Show Quota details
# GET  /v2/lbaas/quotas/{project_id}
#"os_load-balancer_api:quota:get_one": "rule:load-balancer:read-quota"

# Update a Quota
# PUT  /v2/lbaas/quotas/{project_id}
#"os_load-balancer_api:quota:put": "rule:load-balancer:write-quota"

# Reset a Quota
# DELETE  /v2/lbaas/quotas/{project_id}
#"os_load-balancer_api:quota:delete": "rule:load-balancer:write-quota"

# Show Default Quota for a Project
# GET  /v2/lbaas/quotas/{project_id}/default
#"os_load-balancer_api:quota:get_defaults": "rule:load-balancer:read-quota"

# List Amphorae
# GET  /v2/octavia/amphorae
#"os_load-balancer_api:amphora:get_all": "rule:load-balancer:admin"

# Show Amphora details
# GET  /v2/octavia/amphorae/{amphora_id}
#"os_load-balancer_api:amphora:get_one": "rule:load-balancer:admin"

# Delete an Amphora
# DELETE  /v2/octavia/amphorae/{amphora_id}
#"os_load-balancer_api:amphora:delete": "rule:load-balancer:admin"

# Update Amphora Agent Configuration
# PUT  /v2/octavia/amphorae/{amphora_id}/config
#"os_load-balancer_api:amphora:put_config": "rule:load-balancer:admin"

# Failover Amphora
# PUT  /v2/octavia/amphorae/{amphora_id}/failover
#"os_load-balancer_api:amphora:put_failover": "rule:load-balancer:admin"

# Show Amphora statistics
# GET  /v2/octavia/amphorae/{amphora_id}/stats
#"os_load-balancer_api:amphora:get_stats": "rule:load-balancer:admin"

# List the provider flavor capabilities.
# GET  /v2/lbaas/providers/{provider}/flavor_capabilities
#"os_load-balancer_api:provider-flavor:get_all": "rule:load-balancer:admin"

# List the provider availability zone capabilities.
# GET  /v2/lbaas/providers/{provider}/availability_zone_capabilities
#"os_load-balancer_api:provider-availability-zone:get_all": "rule:load-balancer:admin"

Octavia Policies

Octavia Policies¶

Legacy Admin or Owner Policy¶

Sample File Generation¶

Merged File Generation¶

List Redundant Configurations¶

Default Octavia Policies¶

octavia 7.1.3.dev63

Page Contents