policy.yaml

Warning

JSON formatted policy file is deprecated since Trove 15.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

To see available policies, refer to Trove Policy Configuration.

Use the policy.yaml file to define additional access controls that will be applied to Trove:

# Must be an administrator.
#"admin": "role:admin or is_admin:True"

# Must be an administrator or owner of the object.
#"admin_or_owner": "rule:admin or tenant:%(tenant)s"

# Must be an administrator or owner of the object.
#"default": "rule:admin_or_owner"

# Create a database instance.
# POST  /v1.0/{account_id}/instances
#"instance:create": "rule:admin_or_owner"

# Delete a database instance.
# DELETE  /v1.0/{account_id}/instances/{instance_id}
#"instance:delete": "rule:admin_or_owner"

# Forcibly delete a database instance.
# DELETE  /v1.0/{account_id}/instances/{instance_id}
#"instance:force_delete": "rule:admin_or_owner"

# List database instances.
# GET  /v1.0/{account_id}/instances
#"instance:index": "rule:admin_or_owner"

# List database instances with details.
# GET  /v1.0/{account_id}/instances/detail
#"instance:detail": "rule:admin_or_owner"

# Get details of a specific database instance.
# GET  /v1.0/{account_id}/instances/{instance_id}
#"instance:show": "rule:admin_or_owner"

# Update a database instance to attach/detach configuration
# PUT  /v1.0/{account_id}/instances/{instance_id}
# POST  /v1.0/{account_id}/instances
#"instance:update": "rule:admin_or_owner"

# Updates the instance to set or unset one or more attributes.
# PATCH  /v1.0/{account_id}/instances/{instance_id}
#"instance:edit": "rule:admin_or_owner"

# Restart a database instance.
# POST  /v1.0/{account_id}/instances/{instance_id}/action (restart)
#"instance:restart": "rule:admin_or_owner"

# Resize a database instance volume.
# POST  /v1.0/{account_id}/instances/{instance_id}/action (resize)
#"instance:resize_volume": "rule:admin_or_owner"

# Resize a database instance flavor.
# POST  /v1.0/{account_id}/instances/{instance_id}/action (resize)
#"instance:resize_flavor": "rule:admin_or_owner"

# Reset the status of a database instance to ERROR.
# POST  /v1.0/{account_id}/instances/{instance_id}/action (reset_status)
#"instance:reset_status": "rule:admin"

# Promote instance to replica source.
# POST  /v1.0/{account_id}/instances/{instance_id}/action (promote_to_replica_source)
#"instance:promote_to_replica_source": "rule:admin_or_owner"

# Eject the replica source from its replica set.
# POST  /v1.0/{account_id}/instances/{instance_id}/action (eject_replica_source)
#"instance:eject_replica_source": "rule:admin_or_owner"

# Get the default configuration template applied to the instance.
# GET  /v1.0/{account_id}/instances/{instance_id}/configuration
#"instance:configuration": "rule:admin_or_owner"

# Get all informations about all logs of a database instance.
# GET  /v1.0/{account_id}/instances/{instance_id}/log
#"instance:guest_log_list": "rule:admin_or_owner"

# Get all backups of a database instance.
# GET  /v1.0/{account_id}/instances/{instance_id}/backups
#"instance:backups": "rule:admin_or_owner"

# Get informations about modules on a database instance.
# GET  /v1.0/{account_id}/instances/{instance_id}/modules
#"instance:module_list": "rule:admin_or_owner"

# Apply modules to a database instance.
# POST  /v1.0/{account_id}/instances/{instance_id}/modules
# POST  /v1.0/{account_id}/instances
#"instance:module_apply": "rule:admin_or_owner"

# Remove a module from a database instance.
# DELETE  /v1.0/{account_id}/instances/{instance_id}/modules/{module_id}
#"instance:module_remove": "rule:admin_or_owner"

# Enable the root user of a database instance.
# POST  /v1.0/{account_id}/instances/{instance_id}/root
#"instance:extension:root:create": "rule:admin_or_owner"

# Disable the root user of a database instance.
# DELETE  /v1.0/{account_id}/instances/{instance_id}/root
#"instance:extension:root:delete": "rule:admin_or_owner"

# Show whether the root user of a database instance has been ever
# enabled.
# GET  /v1.0/{account_id}/instances/{instance_id}/root
#"instance:extension:root:index": "rule:admin_or_owner"

# Enable the root user of the instances in a cluster.
# POST  /v1.0/{account_id}/clusters/{cluster}/root
#"cluster:extension:root:create": "rule:admin_or_owner"

# Enable the root user of the instances in a cluster.
# DELETE  /v1.0/{account_id}/clusters/{cluster}/root
#"cluster:extension:root:delete": "rule:admin_or_owner"

# Disable the root of the instances in a cluster.
# GET  /v1.0/{account_id}/clusters/{cluster}/root
#"cluster:extension:root:index": "rule:admin_or_owner"

# Create users for a database instance.
# POST  /v1.0/{account_id}/instances/{instance_id}/users
# POST  /v1.0/{account_id}/instances
#"instance:extension:user:create": "rule:admin_or_owner"

# Delete a user from a database instance.
# DELETE  /v1.0/{account_id}/instances/{instance_id}/users/{user}
#"instance:extension:user:delete": "rule:admin_or_owner"

# Get all users of a database instance.
# GET  /v1.0/{account_id}/instances/{instance_id}/users
#"instance:extension:user:index": "rule:admin_or_owner"

# Get the information of a single user of a database instance.
# GET  /v1.0/{account_id}/instances/{instance_id}/users/{user}
#"instance:extension:user:show": "rule:admin_or_owner"

# Update attributes for a user of a database instance.
# PUT  /v1.0/{account_id}/instances/{instance_id}/users/{user}
#"instance:extension:user:update": "rule:admin_or_owner"

# Update the password for one or more users a database instance.
# PUT  /v1.0/{account_id}/instances/{instance_id}/users
#"instance:extension:user:update_all": "rule:admin_or_owner"

# Grant access for a user to one or more databases.
# PUT  /v1.0/{account_id}/instances/{instance_id}/users/{user}/databases
#"instance:extension:user_access:update": "rule:admin_or_owner"

# Revoke access for a user to a databases.
# DELETE  /v1.0/{account_id}/instances/{instance_id}/users/{user}/databases/{database}
#"instance:extension:user_access:delete": "rule:admin_or_owner"

# Get permissions of a user
# GET  /v1.0/{account_id}/instances/{instance_id}/users/{user}/databases
#"instance:extension:user_access:index": "rule:admin_or_owner"

# Create a set of Schemas
# POST  /v1.0/{account_id}/instances/{instance_id}/databases
# POST  /v1.0/{account_id}/instances
#"instance:extension:database:create": "rule:admin_or_owner"

# Delete a schema from a database.
# DELETE  /v1.0/{account_id}/instances/{instance_id}/databases/{database}
#"instance:extension:database:delete": "rule:admin_or_owner"

# List all schemas from a database.
# GET  /v1.0/{account_id}/instances/{instance_id}/databases
#"instance:extension:database:index": "rule:admin_or_owner"

# Get informations of a schema(Currently Not Implemented).
# GET  /v1.0/{account_id}/instances/{instance_id}/databases/{database}
#"instance:extension:database:show": "rule:admin_or_owner"

# Create a cluster.
# POST  /v1.0/{account_id}/clusters
#"cluster:create": "rule:admin_or_owner"

# Delete a cluster.
# DELETE  /v1.0/{account_id}/clusters/{cluster}
#"cluster:delete": "rule:admin_or_owner"

# Forcibly delete a cluster.
# POST  /v1.0/{account_id}/clusters/{cluster} (reset-status)
#"cluster:force_delete": "rule:admin_or_owner"

# List all clusters
# GET  /v1.0/{account_id}/clusters
#"cluster:index": "rule:admin_or_owner"

# Get informations of a cluster.
# GET  /v1.0/{account_id}/clusters/{cluster}
#"cluster:show": "rule:admin_or_owner"

# Get informations of a instance in a cluster.
# GET  /v1.0/{account_id}/clusters/{cluster}/instances/{instance}
#"cluster:show_instance": "rule:admin_or_owner"

# Commit an action against a cluster
# POST  /v1.0/{account_id}/clusters/{cluster}
#"cluster:action": "rule:admin_or_owner"

# Reset the status of a cluster to NONE.
# POST  /v1.0/{account_id}/clusters/{cluster} (reset-status)
#"cluster:reset-status": "rule:admin"

# Create a backup of a database instance.
# POST  /v1.0/{account_id}/backups
#"backup:create": "rule:admin_or_owner"

# Delete a backup of a database instance.
# DELETE  /v1.0/{account_id}/backups/{backup}
#"backup:delete": "rule:admin_or_owner"

# List all backups.
# GET  /v1.0/{account_id}/backups
#"backup:index": "rule:admin_or_owner"

# List backups for all the projects.
# GET  /v1.0/{account_id}/backups
#"backup:index:all_projects": "role:admin"

# Get informations of a backup.
# GET  /v1.0/{account_id}/backups/{backup}
#"backup:show": "rule:admin_or_owner"

# Create a backup strategy.
# POST  /v1.0/{account_id}/backup_strategies
#"backup_strategy:create": "rule:admin_or_owner"

# List all backup strategies.
# GET  /v1.0/{account_id}/backup_strategies
#"backup_strategy:index": "rule:admin_or_owner"

# Delete backup strategies.
# DELETE  /v1.0/{account_id}/backup_strategies
#"backup_strategy:delete": "rule:admin_or_owner"

# Create a configuration group.
# POST  /v1.0/{account_id}/configurations
#"configuration:create": "rule:admin_or_owner"

# Delete a configuration group.
# DELETE  /v1.0/{account_id}/configurations/{config}
#"configuration:delete": "rule:admin_or_owner"

# List all configuration groups.
# GET  /v1.0/{account_id}/configurations
#"configuration:index": "rule:admin_or_owner"

# Get informations of a configuration group.
# GET  /v1.0/{account_id}/configurations/{config}
#"configuration:show": "rule:admin_or_owner"

# List all instances which a configuration group has be assigned to.
# GET  /v1.0/{account_id}/configurations/{config}/instances
#"configuration:instances": "rule:admin_or_owner"

# Update a configuration group(the configuration group will be
# replaced completely).
# PUT  /v1.0/{account_id}/configurations/{config}
#"configuration:update": "rule:admin_or_owner"

# Patch a configuration group.
# PATCH  /v1.0/{account_id}/configurations/{config}
#"configuration:edit": "rule:admin_or_owner"

# List all parameters bind to a datastore version.
# GET  /v1.0/{account_id}/datastores/{datastore}/versions/{version}/parameters
#"configuration-parameter:index": "rule:admin_or_owner"

# Get a paramter of a datastore version.
# GET  /v1.0/{account_id}/datastores/{datastore}/versions/{version}/parameters/{param}
#"configuration-parameter:show": "rule:admin_or_owner"

# List all paramters bind to a datastore version by the id of the
# version(datastore is not provided).
# GET  /v1.0/{account_id}/datastores/versions/{version}/paramters
#"configuration-parameter:index_by_version": "rule:admin_or_owner"

# Get a paramter of a datastore version by it names and the id of the
# version(datastore is not provided).
# GET  /v1.0/{account_id}/datastores/versions/{version}/paramters/{param}
#"configuration-parameter:show_by_version": "rule:admin_or_owner"

# List all datastores.
# GET  /v1.0/{account_id}/datastores
#"datastore:index": ""

# Get informations of a datastore.
# GET  /v1.0/{account_id}/datastores/{datastore}
#"datastore:show": ""

# Delete a datastore.
# DELETE  /v1.0/{account_id}/datastores/{datastore}
#"datastore:delete": "rule:admin"

# Get a version of a datastore by the version id.
# GET  /v1.0/{account_id}/datastores/{datastore}/versions/{version}
#"datastore:version_show": ""

# Get a version of a datastore by the version id(without providing the
# datastore id).
# GET  /v1.0/{account_id}/datastores/versions/{version}
#"datastore:version_show_by_uuid": ""

# Get all versions of a datastore.
# GET  /v1.0/{account_id}/datastores/{datastore}/versions
#"datastore:version_index": ""

# List all flavors associated with a datastore version.
# GET  /v1.0/{account_id}/datastores/{datastore}/versions/{version}/flavors
#"datastore:list_associated_flavors": ""

# List all volume-types associated with a datastore version.
# GET  /v1.0/{account_id}/datastores/{datastore}/versions/{version}/volume-types
#"datastore:list_associated_volume_types": ""

# List all flavors.
# GET  /v1.0/{account_id}/flavors
#"flavor:index": ""

# Get information of a flavor.
# GET  /v1.0/{account_id}/flavors/{flavor}
#"flavor:show": ""

# List all absolute and rate limit informations.
# GET  /v1.0/{account_id}/limits
#"limits:index": "rule:admin_or_owner"

# Create a module.
# POST  /v1.0/{account_id}/modules
#"module:create": "rule:admin_or_owner"

# Delete a module.
# DELETE  /v1.0/{account_id}/modules/{module}
#"module:delete": "rule:admin_or_owner"

# List all modules.
# GET  /v1.0/{account_id}/modules
#"module:index": "rule:admin_or_owner"

# Get informations of a module.
# GET  /v1.0/{account_id}/modules/{module}
#"module:show": "rule:admin_or_owner"

# List all instances to which a module is applied.
# GET  /v1.0/{account_id}/modules/{module}/instances
#"module:instances": "rule:admin_or_owner"

# Update a module.
# PUT  /v1.0/{account_id}/modules/{module}
#"module:update": "rule:admin_or_owner"

# Reapply a module to all instances.
# PUT  /v1.0/{account_id}/modules/{module}/instances
#"module:reapply": "rule:admin_or_owner"