Policy configuration

Configuration

Warning

JSON formatted policy file is deprecated since Zun 7.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

The following is an overview of all available policies in Zun. For a sample configuration file.

zun

context_is_admin
Default:

role:admin

(no description provided)

admin_or_owner
Default:

is_admin:True or project_id:%(project_id)s

(no description provided)

admin_api
Default:

rule:context_is_admin

(no description provided)

deny_everybody
Default:

!

Default rule for deny everybody.

container:create
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • POST /v1/containers

Create a new container.

container:create:runtime
Default:

rule:context_is_admin

Operations:

  • POST /v1/containers

Create a new container with specified runtime.

container:create:privileged
Default:

rule:deny_everybody

Operations:

  • POST /v1/containers

Create a new privileged container.Warning: the privileged container has a big security risk so be caution if you want to enable this feature

container:create:requested_destination
Default:

rule:context_is_admin

Operations:

  • POST /v1/containers

Create a container on the requested compute host.

container:create:image_pull_policy
Default:

rule:context_is_admin

Operations:

  • POST /v1/containers

Create a new container with specified image pull policy.

container:delete
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • DELETE /v1/containers/{container_ident}

Delete a container.

container:delete_all_projects
Default:

rule:context_is_admin

Operations:

  • DELETE /v1/containers/{container_ident}

Delete a container from all projects.

container:delete_force
Default:

rule:context_is_admin

Operations:

  • DELETE /v1/containers/{container_ident}

Forcibly delete a container.

container:get_one
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • GET /v1/containers/{container_ident}

Retrieve the details of a specific container.

container:get_one:host
Default:

rule:context_is_admin

Operations:

  • GET /v1/containers/{container_ident}

  • GET /v1/containers

  • POST /v1/containers

  • PATCH /v1/containers/{container_ident}

Retrieve the host field of containers.

container:get_one:image_pull_policy
Default:

rule:context_is_admin

Operations:

  • GET /v1/containers/{container_ident}

  • GET /v1/containers

  • POST /v1/containers

  • PATCH /v1/containers/{container_ident}

Retrieve the image_pull_policy field of containers.

container:get_one:privileged
Default:

rule:context_is_admin

Operations:

  • GET /v1/containers/{container_ident}

  • GET /v1/containers

  • POST /v1/containers

  • PATCH /v1/containers/{container_ident}

Retrieve the privileged field of containers.

container:get_one:runtime
Default:

rule:context_is_admin

Operations:

  • GET /v1/containers/{container_ident}

  • GET /v1/containers

  • POST /v1/containers

  • PATCH /v1/containers/{container_ident}

Retrieve the runtime field of containers.

container:get_one_all_projects
Default:

rule:context_is_admin

Operations:

  • GET /v1/containers/{container_ident}

Retrieve the details of a specific container from all projects.

container:get_all
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • GET /v1/containers

Retrieve the details of all containers.

container:get_all_all_projects
Default:

rule:context_is_admin

Operations:

  • GET /v1/containers

Retrieve the details of all containers across projects.

container:update
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • PATCH /v1/containers/{container_ident}

Update a container.

container:start
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • POST /v1/containers/{container_ident}/start

Start a container.

container:stop
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • POST /v1/containers/{container_ident}/stop

Stop a container.

container:reboot
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • POST /v1/containers/{container_ident}/reboot

Reboot a container.

container:pause
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • POST /v1/containers/{container_ident}/pause

Pause a container.

container:unpause
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • POST /v1/containers/{container_ident}/unpause

Unpause a container.

container:logs
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • GET /v1/containers/{container_ident}/logs

Get the log of a container

container:execute
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • POST /v1/containers/{container_ident}/execute

Execute command in a running container

container:execute_resize
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • POST /v1/containers/{container_ident}/execute_resize

Resize the TTY used by an execute command.

container:kill
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • POST /v1/containers/{container_ident}/kill

Kill a running container

container:rename
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • POST /v1/containers/{container_ident}/rename

Rename a container.

container:attach
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • GET /v1/containers/{container_ident}/attach

Attach to a running container

container:resize
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • POST /v1/containers/{container_ident}/resize

Resize a container.

container:top
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • GET /v1/containers/{container_ident}/top

Display the running processes inside the container.

container:get_archive
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • GET /v1/containers/{container_ident}/get_archive

Get a tar archive of a path of container.

container:put_archive
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • PUT /v1/containers/{container_ident}/put_archive

Put a tar archive to be extracted to a path of container

container:stats
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • GET /v1/containers/{container_ident}/stats

Display the statistics of a container

container:commit
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • POST /v1/containers/{container_ident}/commit

Commit a container

container:add_security_group
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • POST /v1/containers/{container_ident}/add_security_group

Add a security group to a specific container.

container:network_detach
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • POST /v1/containers/{container_ident}/network_detach

Detach a network from a container.

container:network_attach
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • POST /v1/containers/{container_ident}/network_attach

Attach a network from a container.

container:remove_security_group
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • POST /v1/containers/{container_ident}/remove_security_group

Remove security group from a specific container.

container:rebuild
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • POST /v1/containers/{container_ident}/rebuild

Rebuild a container.

container:resize_container
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • POST /v1/containers/{container_ident}/resize_container

Resize an existing container.

image:pull
Default:

rule:context_is_admin

Operations:

  • POST /v1/images

Pull an image.

image:get_all
Default:

rule:context_is_admin

Operations:

  • GET /v1/images

Print a list of available images.

image:get_one
Default:

rule:context_is_admin

Operations:

  • GET /v1/images/{image_id}

Retrieve the details of a specific image.

image:search
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • GET /v1/images/{image_ident}/search

Search an image.

image:delete
Default:

rule:context_is_admin

Operations:

  • DELETE /v1/images/{image_ident}

Delete an image.

zun-service:delete
Default:

rule:context_is_admin

Operations:

  • DELETE /v1/services

Delete a service.

zun-service:disable
Default:

rule:context_is_admin

Operations:

  • PUT /v1/services/disable

Disable a service.

zun-service:enable
Default:

rule:context_is_admin

Operations:

  • PUT /v1/services/enable

Enable a service.

zun-service:force_down
Default:

rule:context_is_admin

Operations:

  • PUT /v1/services/force_down

Forcibly shutdown a service.

zun-service:get_all
Default:

rule:context_is_admin

Operations:

  • GET /v1/services

Show the status of a service.

host:get_all
Default:

rule:context_is_admin

Operations:

  • GET /v1/hosts

List all compute hosts.

host:get
Default:

rule:context_is_admin

Operations:

  • GET /v1/hosts/{host_ident}

Show the details of a specific compute host.

capsule:create
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • POST /v1/capsules/

Create a capsule

capsule:delete
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • DELETE /v1/capsules/{capsule_ident}

Delete a capsule

capsule:delete_all_projects
Default:

rule:context_is_admin

Operations:

  • DELETE /v1/capsules/{capsule_ident}

Delete a container in any project.

capsule:get
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • GET /v1/capsules/{capsule_ident}

Retrieve the details of a capsule.

capsule:get:host
Default:

rule:context_is_admin

Operations:

  • GET /v1/capsules/{capsule_ident}

  • GET /v1/capsules

  • POST /v1/capsules

Retrieve the host field of a capsule.

capsule:get_one_all_projects
Default:

rule:context_is_admin

Operations:

  • GET /v1/capsules/{capsule_ident}

Retrieve the details of a capsule in any project.

capsule:get_all
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • GET /v1/capsules/

List all capsules.

capsule:get_all_all_projects
Default:

rule:context_is_admin

Operations:

  • GET /v1/capsules/

List all capsules across projects.

network:attach_external_network
Default:

role:admin

Operations:

  • POST /v1/containers

Attach an unshared external network to a container

network:create
Default:

role:admin

Operations:

  • POST /v1/networks

Create a network

network:delete
Default:

role:admin

Operations:

  • DELETE /v1/networks

Delete a network

container:actions
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • GET /v1/containers/{container_ident}/container_actions/

  • GET /v1/containers/{container_ident}/container_actions/{request_id}

List actions and show action details for a container

container:action:events
Default:

rule:context_is_admin

Operations:

  • GET /v1/containers/{container_ident}/container_actions/{request_id}

Add events details in action details for a container.

availability_zones:get_all
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • GET /v1/availability_zones

List availability zone

quota:update
Default:

rule:context_is_admin

Operations:

  • PUT /v1/quotas/{project_id}

Update quotas for a project

quota:delete
Default:

rule:context_is_admin

Operations:

  • DELETE /v1/quotas/{project_id}

Delete quotas for a project

quota:get
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • GET /v1/quotas/{project_id}

Get quotas for a project

quota:get_default
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • GET /v1/quotas/defaults

Get default quotas for a project

quota_class:update
Default:

rule:context_is_admin

Operations:

  • PUT /v1/quota_classes/{quota_class_name}

Update quotas for specific quota class

quota_class:get
Default:

rule:context_is_admin

Operations:

  • GET /v1/quota_classes/{quota_class_name}

List quotas for specific quota class

registry:create
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • POST /v1/registries

Create a new registry.

registry:delete
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • DELETE /v1/registries/{registry_ident}

Delete a registry.

registry:get_one
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • GET /v1/registries/{registry_ident}

Retrieve the details of a specific registry.

registry:get_all
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • GET /v1/registries

Retrieve the details of all registries.

registry:get_all_all_projects
Default:

rule:context_is_admin

Operations:

  • GET /v1/registries

Retrieve the details of all registries across projects.

registry:update
Default:

is_admin:True or project_id:%(project_id)s

Operations:

  • PATCH /v1/registries/{registry_ident}

Update a registry.