Sample Tacker Policy File
Warning
JSON-formatted policy files have been deprecated since Tacker 5.0.0 (Wallaby). The oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.
The following is a sample tacker policy file for adaptation and use.
The sample policy can also be viewed in file form.
Important
The sample policy file is auto-generated from tacker when this documentation is built. You must ensure your version of tacker matches the version of this documentation.
# Decides what is required for the 'is_admin:True' check to succeed.
#"context_is_admin": "role:admin"
# DEPRECATED
# "rule:admin_only":"is_admin:True" has been deprecated since 11.0.0
# in favor of "context_is_admin":"role:admin".
# Tacker API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and silently
# going to be ignored in future.
# WARNING: A rule name change has been identified.
# This may be an artifact of new rules being
# included which require legacy fallback
# rules to ensure proper policy behavior.
# Alternatively, this may just be an alias.
# Please evaluate on a case by case basis
# keeping in mind the format for aliased
# rules is:
# "old_rule_name": "new_rule_name".
# "rule:admin_only": "rule:context_is_admin"
# DEPRECATED
# "admin_or_owner" has been deprecated since 11.0.0.
# Tacker API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and silently
# going to be ignored in future.
# Default rule for most non-Admin APIs.
#"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
# DEPRECATED
# "admin_only" has been deprecated since 11.0.0.
# Tacker API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and silently
# going to be ignored in future.
# Default rule for most Admin APIs.
#"admin_only": "is_admin:True"
# Default rule for sharing vims.
#"shared": "field:vims:shared=True"
# Default rule for Project level non admin APIs.
#"project_member": "role:member and project_id:%(project_id)s"
# DEPRECATED
# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s"
# has been deprecated since 11.0.0 in favor of
# "project_member":"role:member and project_id:%(project_id)s".
# Tacker API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and silently
# going to be ignored in future.
# WARNING: A rule name change has been identified.
# This may be an artifact of new rules being
# included which require legacy fallback
# rules to ensure proper policy behavior.
# Alternatively, this may just be an alias.
# Please evaluate on a case by case basis
# keeping in mind the format for aliased
# rules is:
# "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:project_member"
# Default rule for Project Member or admin APIs.
#"project_member_or_admin": "rule:project_member or rule:context_is_admin"
# DEPRECATED
# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s"
# has been deprecated since 11.0.0 in favor of
# "project_member_or_admin":"rule:project_member or
# rule:context_is_admin".
# Tacker API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and silently
# going to be ignored in future.
# WARNING: A rule name change has been identified.
# This may be an artifact of new rules being
# included which require legacy fallback
# rules to ensure proper policy behavior.
# Alternatively, this may just be an alias.
# Please evaluate on a case by case basis
# keeping in mind the format for aliased
# rules is:
# "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:project_member_or_admin"
# Default rule for Project level read only APIs.
#"project_reader": "role:reader and project_id:%(project_id)s"
# DEPRECATED
# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s"
# has been deprecated since 11.0.0 in favor of
# "project_reader":"role:reader and project_id:%(project_id)s".
# Tacker API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and silently
# going to be ignored in future.
# WARNING: A rule name change has been identified.
# This may be an artifact of new rules being
# included which require legacy fallback
# rules to ensure proper policy behavior.
# Alternatively, this may just be an alias.
# Please evaluate on a case by case basis
# keeping in mind the format for aliased
# rules is:
# "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:project_reader"
# Default rule for Project reader or admin APIs.
#"project_reader_or_admin": "rule:project_reader or rule:context_is_admin"
# DEPRECATED
# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s"
# has been deprecated since 11.0.0 in favor of
# "project_reader_or_admin":"rule:project_reader or
# rule:context_is_admin".
# Tacker API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and silently
# going to be ignored in future.
# WARNING: A rule name change has been identified.
# This may be an artifact of new rules being
# included which require legacy fallback
# rules to ensure proper policy behavior.
# Alternatively, this may just be an alias.
# Please evaluate on a case by case basis
# keeping in mind the format for aliased
# rules is:
# "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:project_reader_or_admin"
# Default rule for most non-Admin APIs.
#"default": "rule:project_member_or_admin"
# DEPRECATED
# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s"
# has been deprecated since 11.0.0 in favor of
# "default":"rule:project_member_or_admin".
# Tacker API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and silently
# going to be ignored in future.
# WARNING: A rule name change has been identified.
# This may be an artifact of new rules being
# included which require legacy fallback
# rules to ensure proper policy behavior.
# Alternatively, this may just be an alias.
# Please evaluate on a case by case basis
# keeping in mind the format for aliased
# rules is:
# "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:default"
# Creates a vnf package.
# POST /vnf_packages
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_packages:create": "rule:project_member_or_admin"
# Show a vnf package.
# GET /vnf_packages/{vnf_package_id}
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_packages:show": "rule:project_reader_or_admin"
# List all vnf packages.
# GET /vnf_packages/
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_packages:index": "rule:project_reader_or_admin"
# Delete a vnf package.
# DELETE /vnf_packages/{vnf_package_id}
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_packages:delete": "rule:project_member_or_admin"
# fetch the contents of an on-boarded VNF Package
# GET /vnf_packages/{vnf_package_id}/package_content
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_packages:fetch_package_content": "rule:project_reader_or_admin"
# upload a vnf package content.
# PUT /vnf_packages/{vnf_package_id}/package_content
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_packages:upload_package_content": "rule:project_member_or_admin"
# upload a vnf package content from uri.
# POST /vnf_packages/{vnf_package_id}/package_content/upload_from_uri
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_packages:upload_from_uri": "rule:project_member_or_admin"
# update information of vnf package.
# PATCH /vnf_packages/{vnf_package_id}
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_packages:patch": "rule:project_member_or_admin"
# reads the content of the VNFD within a VNF package.
# GET /vnf_packages/{vnf_package_id}/vnfd
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_packages:get_vnf_package_vnfd": "rule:project_reader_or_admin"
# reads the content of the artifact within a VNF package.
# GET /vnf_packages/{vnfPkgId}/artifacts/{artifactPath}
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_packages:fetch_artifact": "rule:project_reader_or_admin"
# Get API Versions.
# GET /vnflcm/v1/api_versions
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:api_versions": "@"
# Creates vnf instance.
# POST /vnflcm/v1/vnf_instances
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:create": "rule:project_member_or_admin"
# Instantiate vnf instance.
# POST /vnflcm/v1/vnf_instances/{vnfInstanceId}/instantiate
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:instantiate": "rule:project_member_or_admin"
# Query an Individual VNF instance.
# GET /vnflcm/v1/vnf_instances/{vnfInstanceId}
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:show": "rule:project_reader_or_admin"
# Terminate a VNF instance.
# POST /vnflcm/v1/vnf_instances/{vnfInstanceId}/terminate
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:terminate": "rule:project_member_or_admin"
# Heal a VNF instance.
# POST /vnflcm/v1/vnf_instances/{vnfInstanceId}/heal
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:heal": "rule:project_member_or_admin"
# Scale a VNF instance.
# POST /vnflcm/v1/vnf_instances/{vnfInstanceId}/scale
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:scale": "rule:project_member_or_admin"
# Query an Individual VNF LCM operation occurrence
# GET /vnflcm/v1/vnf_lcm_op_occs/{vnfLcmOpOccId}
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:show_lcm_op_occs": "rule:project_reader_or_admin"
# Query VNF LCM operation occurrence
# GET /vnflcm/v1/vnf_lcm_op_occs
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:list_lcm_op_occs": "rule:project_reader_or_admin"
# Query VNF instances.
# GET /vnflcm/v1/vnf_instances
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:index": "rule:project_reader_or_admin"
# Delete an Individual VNF instance.
# DELETE /vnflcm/v1/vnf_instances/{vnfInstanceId}
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:delete": "rule:project_member_or_admin"
# Update an Individual VNF instance.
# PATCH /vnflcm/v1/vnf_instances/{vnfInstanceId}
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:update_vnf": "rule:project_member_or_admin"
# Rollback a VNF instance.
# POST /vnflcm/v1/vnf_lcm_op_occs/{vnfLcmOpOccId}/rollback
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:rollback": "rule:project_member_or_admin"
# Cancel a VNF instance.
# POST /vnflcm/v1/vnf_lcm_op_occs/{vnfLcmOpOccId}/cancel
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:cancel": "rule:project_member_or_admin"
# Fail a VNF instance.
# POST /vnflcm/v1/vnf_lcm_op_occs/{vnfLcmOpOccId}/fail
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:fail": "rule:project_member_or_admin"
# Retry a VNF instance.
# POST /vnflcm/v1/vnf_lcm_op_occs/{vnfLcmOpOccId}/retry
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:retry": "rule:project_member_or_admin"
# Change external VNF connectivity.
# POST /vnflcm/v1/vnf_instances/{vnfInstanceId}/change_ext_conn
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:change_ext_conn": "rule:project_member_or_admin"
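# Get API Versions.
# GET /vnflcm/v2/api_versions
# NOTE: "@" is the oslo.policy check that always passes. Every rule in
# this file whose default is "@" therefore places no role or project_id
# condition on the caller; override the rule in your policy file if the
# API should be limited to specific roles or projects.
#"os_nfv_orchestration_api_v2:vnf_instances:api_versions": "@"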
# Creates vnf instance.
# POST /vnflcm/v2/vnf_instances
#"os_nfv_orchestration_api_v2:vnf_instances:create": "@"
# Query VNF instances.
# GET /vnflcm/v2/vnf_instances
#"os_nfv_orchestration_api_v2:vnf_instances:index": "@"
# Query an Individual VNF instance.
# GET /vnflcm/v2/vnf_instances/{vnfInstanceId}
#"os_nfv_orchestration_api_v2:vnf_instances:show": "@"
# Delete an Individual VNF instance.
# DELETE /vnflcm/v2/vnf_instances/{vnfInstanceId}
#"os_nfv_orchestration_api_v2:vnf_instances:delete": "@"
# Modify vnf instance information.
# PATCH /vnflcm/v2/vnf_instances/{vnfInstanceId}
#"os_nfv_orchestration_api_v2:vnf_instances:update": "@"
# Instantiate vnf instance.
# POST /vnflcm/v2/vnf_instances/{vnfInstanceId}/instantiate
#"os_nfv_orchestration_api_v2:vnf_instances:instantiate": "@"
# Terminate vnf instance.
# POST /vnflcm/v2/vnf_instances/{vnfInstanceId}/terminate
#"os_nfv_orchestration_api_v2:vnf_instances:terminate": "@"
# Scale vnf instance.
# POST /vnflcm/v2/vnf_instances/{vnfInstanceId}/scale
#"os_nfv_orchestration_api_v2:vnf_instances:scale": "@"
# Heal vnf instance.
# POST /vnflcm/v2/vnf_instances/{vnfInstanceId}/heal
#"os_nfv_orchestration_api_v2:vnf_instances:heal": "@"
# Change external vnf connectivity.
# POST /vnflcm/v2/vnf_instances/{vnfInstanceId}/change_ext_conn
#"os_nfv_orchestration_api_v2:vnf_instances:change_ext_conn": "@"
# Change vnf package.
# POST /vnflcm/v2/vnf_instances/{vnfInstanceId}/change_vnfpkg
#"os_nfv_orchestration_api_v2:vnf_instances:change_vnfpkg": "@"
# Create subscription.
# POST /vnflcm/v2/subscriptions
#"os_nfv_orchestration_api_v2:vnf_instances:subscription_create": "@"
# List subscription.
# GET /vnflcm/v2/subscriptions
#"os_nfv_orchestration_api_v2:vnf_instances:subscription_list": "@"
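# Show subscription.
# GET /vnflcm/v2/vnf_instances/{subscriptionId}
# NOTE(review): this path and the delete path below name vnf_instances
# but take a {subscriptionId}, while the create and list rules use
# /vnflcm/v2/subscriptions; confirm the route against the API reference.
#"os_nfv_orchestration_api_v2:vnf_instances:subscription_show": "@"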
# Delete subscription.
# DELETE /vnflcm/v2/vnf_instances/{subscriptionId}
#"os_nfv_orchestration_api_v2:vnf_instances:subscription_delete": "@"
# List VnfLcmOpOcc.
# GET /vnflcm/v2/vnf_lcm_op_occs
#"os_nfv_orchestration_api_v2:vnf_instances:lcm_op_occ_list": "@"
# Show VnfLcmOpOcc.
# GET /vnflcm/v2/vnf_lcm_op_occs/{vnfLcmOpOccId}
#"os_nfv_orchestration_api_v2:vnf_instances:lcm_op_occ_show": "@"
# Retry VnfLcmOpOcc.
# POST /vnflcm/v2/vnf_lcm_op_occs/{vnfLcmOpOccId}/retry
#"os_nfv_orchestration_api_v2:vnf_instances:lcm_op_occ_retry": "@"
# Rollback VnfLcmOpOcc.
# POST /vnflcm/v2/vnf_lcm_op_occs/{vnfLcmOpOccId}/rollback
#"os_nfv_orchestration_api_v2:vnf_instances:lcm_op_occ_rollback": "@"
# Fail VnfLcmOpOcc.
# POST /vnflcm/v2/vnf_lcm_op_occs/{vnfLcmOpOccId}/fail
#"os_nfv_orchestration_api_v2:vnf_instances:lcm_op_occ_fail": "@"
# Delete VnfLcmOpOcc.
# DELETE /vnflcm/v2/vnf_lcm_op_occs/{vnfLcmOpOccId}
#"os_nfv_orchestration_api_v2:vnf_instances:lcm_op_occ_delete": "@"
# notify
# POST /server_notification
#"tacker_server_notification_api:server_notification:notify": "@"
# Query FM alarms.
# GET /vnffm/v1/alarms
#"os_nfv_orchestration_api_v2:vnf_fault_monitor:index": "@"
# Query an Individual FM alarm.
# GET /vnffm/v1/alarms/{alarmId}
#"os_nfv_orchestration_api_v2:vnf_fault_monitor:show": "@"
# Modify FM alarm information.
# PATCH /vnffm/v1/alarms/{alarmId}
#"os_nfv_orchestration_api_v2:vnf_fault_monitor:update": "@"
# Create subscription.
# POST /vnffm/v1/subscriptions
#"os_nfv_orchestration_api_v2:vnf_fault_monitor:subscription_create": "@"
# List subscription.
# GET /vnffm/v1/subscriptions
#"os_nfv_orchestration_api_v2:vnf_fault_monitor:subscription_list": "@"
# Show subscription.
# GET /vnffm/v1/subscriptions/{subscriptionId}
#"os_nfv_orchestration_api_v2:vnf_fault_monitor:subscription_show": "@"
# Delete subscription.
# DELETE /vnffm/v1/subscriptions/{subscriptionId}
#"os_nfv_orchestration_api_v2:vnf_fault_monitor:subscription_delete": "@"
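# Receive the alert sent from External Monitoring Tool
# POST /alert
# NOTE: with the default "@" the policy layer does not restrict who may
# post alerts; confirm how the External Monitoring Tool is authenticated
# or network-restricted in your deployment before relying on this default.
#"tacker_PROM_PLUGIN_api:PROM_PLUGIN:alert": "@"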
# Create a PM job.
# POST /vnfpm/v2/pm_jobs
#"os_nfv_orchestration_api_v2:vnf_performance_management:create": "@"
# Query PM jobs.
# GET /vnfpm/v2/pm_jobs
#"os_nfv_orchestration_api_v2:vnf_performance_management:index": "@"
# Update a PM job.
# PATCH /vnfpm/v2/pm_jobs/{pmJobId}
#"os_nfv_orchestration_api_v2:vnf_performance_management:update": "@"
# Get an individual PM job.
# GET /vnfpm/v2/pm_jobs/{pmJobId}
#"os_nfv_orchestration_api_v2:vnf_performance_management:show": "@"
# Delete a PM job.
# DELETE /vnfpm/v2/pm_jobs/{pmJobId}
#"os_nfv_orchestration_api_v2:vnf_performance_management:delete": "@"
# Get an individual performance report.
# GET /vnfpm/v2/pm_jobs/{id}/reports/{report_id}
#"os_nfv_orchestration_api_v2:vnf_performance_management:report_get": "@"
# Receive the PM event sent from External Monitoring Tool
# POST /pm_event
#"tacker_PROM_PLUGIN_api:PROM_PLUGIN:pm_event": "@"
# auto_healing
# POST /alert/auto_healing
#"tacker_PROM_PLUGIN_api:PROM_PLUGIN:auto_healing": "@"
# auto_scaling
# POST /alert/auto_scaling
#"tacker_PROM_PLUGIN_api:PROM_PLUGIN:auto_scaling": "@"
# Create a PM threshold.
# POST /vnfpm/v2/thresholds
#"os_nfv_orchestration_api_v2:vnf_performance_management:create_threshold": "@"
# Query PM thresholds.
# GET /vnfpm/v2/thresholds
#"os_nfv_orchestration_api_v2:vnf_performance_management:index_threshold": "@"
# Get an individual PM threshold.
# GET /vnfpm/v2/thresholds/{thresholdId}
#"os_nfv_orchestration_api_v2:vnf_performance_management:show_threshold": "@"
# Update a PM threshold callback.
# PATCH /vnfpm/v2/thresholds/{thresholdId}
#"os_nfv_orchestration_api_v2:vnf_performance_management:update_threshold": "@"
# Delete a PM threshold.
# DELETE /vnfpm/v2/thresholds/{thresholdId}
#"os_nfv_orchestration_api_v2:vnf_performance_management:delete_threshold": "@"
# Receive the PM threshold sent from External Monitoring Tool.
# POST /pm_threshold
#"tacker_PROM_PLUGIN_api:PROM_PLUGIN:pm_threshold": "@"