Policy configuration¶
Configuration¶
The following is an overview of all available policies in Zun. For a sample configuration file.
zun¶
context_is_adminDefault: role:admin(no description provided)
admin_or_ownerDefault: is_admin:True or project_id:%(project_id)s(no description provided)
admin_apiDefault: rule:context_is_admin(no description provided)
deny_everybodyDefault: !Default rule for deny everybody.
container:createDefault: is_admin:True or project_id:%(project_id)sOperations: - POST
/v1/containers
Create a new container.
- POST
container:create:runtimeDefault: rule:context_is_adminOperations: - POST
/v1/containers
Create a new container with specified runtime.
- POST
container:create:privilegedDefault: rule:deny_everybodyOperations: - POST
/v1/containers
Create a new privileged container.Warning: the privileged container has a big security risk so be caution if you want to enable this feature
- POST
container:deleteDefault: is_admin:True or project_id:%(project_id)sOperations: - DELETE
/v1/containers/{container_ident}
Delete a container.
- DELETE
container:delete_all_projectsDefault: rule:context_is_adminOperations: - DELETE
/v1/containers/{container_ident}
Delete a container from all projects.
- DELETE
container:delete_forceDefault: rule:context_is_adminOperations: - DELETE
/v1/containers/{container_ident}
Forcibly delete a container.
- DELETE
container:get_oneDefault: is_admin:True or project_id:%(project_id)sOperations: - GET
/v1/containers/{container_ident}
Retrieve the details of a specific container.
- GET
container:get_one:hostDefault: rule:context_is_adminOperations: - GET
/v1/containers/{container_ident} - GET
/v1/containers - POST
/v1/containers - PATCH
/v1/containers/{container_ident}
Retrieve the host field of containers.
- GET
container:get_one_all_projectsDefault: rule:context_is_adminOperations: - GET
/v1/containers/{container_ident}
Retrieve the details of a specific container from all projects.
- GET
container:get_allDefault: is_admin:True or project_id:%(project_id)sOperations: - GET
/v1/containers
Retrieve the details of all containers.
- GET
container:get_all_all_projectsDefault: rule:context_is_adminOperations: - GET
/v1/containers
Retrieve the details of all containers across projects.
- GET
container:updateDefault: is_admin:True or project_id:%(project_id)sOperations: - PATCH
/v1/containers/{container_ident}
Update a container.
- PATCH
container:startDefault: is_admin:True or project_id:%(project_id)sOperations: - POST
/v1/containers/{container_ident}/start
Start a container.
- POST
container:stopDefault: is_admin:True or project_id:%(project_id)sOperations: - POST
/v1/containers/{container_ident}/stop
Stop a container.
- POST
container:rebootDefault: is_admin:True or project_id:%(project_id)sOperations: - POST
/v1/containers/{container_ident}/reboot
Reboot a container.
- POST
container:pauseDefault: is_admin:True or project_id:%(project_id)sOperations: - POST
/v1/containers/{container_ident}/pause
Pause a container.
- POST
container:unpauseDefault: is_admin:True or project_id:%(project_id)sOperations: - POST
/v1/containers/{container_ident}/unpause
Unpause a container.
- POST
container:logsDefault: is_admin:True or project_id:%(project_id)sOperations: - GET
/v1/containers/{container_ident}/logs
Get the log of a container
- GET
container:executeDefault: is_admin:True or project_id:%(project_id)sOperations: - POST
/v1/containers/{container_ident}/execute
Execute command in a running container
- POST
container:execute_resizeDefault: is_admin:True or project_id:%(project_id)sOperations: - POST
/v1/containers/{container_ident}/execute_resize
Resize the TTY used by an execute command.
- POST
container:killDefault: is_admin:True or project_id:%(project_id)sOperations: - POST
/v1/containers/{container_ident}/kill
Kill a running container
- POST
container:renameDefault: is_admin:True or project_id:%(project_id)sOperations: - POST
/v1/containers/{container_ident}/rename
Rename a container.
- POST
container:attachDefault: is_admin:True or project_id:%(project_id)sOperations: - GET
/v1/containers/{container_ident}/attach
Attach to a running container
- GET
container:resizeDefault: is_admin:True or project_id:%(project_id)sOperations: - POST
/v1/containers/{container_ident}/resize
Resize a container.
- POST
container:topDefault: is_admin:True or project_id:%(project_id)sOperations: - GET
/v1/containers/{container_ident}/top
Display the running processes inside the container.
- GET
container:get_archiveDefault: is_admin:True or project_id:%(project_id)sOperations: - GET
/v1/containers/{container_ident}/get_archive
Get a tar archive of a path of container.
- GET
container:put_archiveDefault: is_admin:True or project_id:%(project_id)sOperations: - PUT
/v1/containers/{container_ident}/put_archive
Put a tar archive to be extracted to a path of container
- PUT
container:statsDefault: is_admin:True or project_id:%(project_id)sOperations: - GET
/v1/containers/{container_ident}/stats
Display the statistics of a container
- GET
container:commitDefault: is_admin:True or project_id:%(project_id)sOperations: - POST
/v1/containers/{container_ident}/commit
Commit a container
- POST
container:add_security_groupDefault: is_admin:True or project_id:%(project_id)sOperations: - POST
/v1/containers/{container_ident}/add_security_group
Add a security group to a specific container.
- POST
container:network_detachDefault: is_admin:True or project_id:%(project_id)sOperations: - POST
/v1/containers/{container_ident}/network_detach
Detach a network from a container.
- POST
container:network_attachDefault: is_admin:True or project_id:%(project_id)sOperations: - POST
/v1/containers/{container_ident}/network_attach
Attach a network from a container.
- POST
container:remove_security_groupDefault: is_admin:True or project_id:%(project_id)sOperations: - POST
/v1/containers/{container_ident}/remove_security_group
Remove security group from a specific container.
- POST
container:rebuildDefault: is_admin:True or project_id:%(project_id)sOperations: - POST
/v1/containers/{container_ident}/rebuild
Rebuild a container.
- POST
container:resize_containerDefault: is_admin:True or project_id:%(project_id)sOperations: - POST
/v1/containers/{container_ident}/resize_container
Resize an existing container.
- POST
image:pullDefault: rule:context_is_adminOperations: - POST
/v1/images
Pull an image.
- POST
image:get_allDefault: rule:context_is_adminOperations: - GET
/v1/images
Print a list of available images.
- GET
image:get_oneDefault: rule:context_is_adminOperations: - GET
/v1/images/{image_id}
Retrieve the details of a specific image.
- GET
image:searchDefault: is_admin:True or project_id:%(project_id)sOperations: - GET
/v1/images/{image_ident}/search
Search an image.
- GET
image:deleteDefault: rule:context_is_adminOperations: - DELETE
/v1/images/{image_ident}
Delete an image.
- DELETE
zun-service:deleteDefault: rule:context_is_adminOperations: - DELETE
/v1/services
Delete a service.
- DELETE
zun-service:disableDefault: rule:context_is_adminOperations: - PUT
/v1/services/disable
Disable a service.
- PUT
zun-service:enableDefault: rule:context_is_adminOperations: - PUT
/v1/services/enable
Enable a service.
- PUT
zun-service:force_downDefault: rule:context_is_adminOperations: - PUT
/v1/services/force_down
Forcibly shutdown a service.
- PUT
zun-service:get_allDefault: rule:context_is_adminOperations: - GET
/v1/services
Show the status of a service.
- GET
host:get_allDefault: rule:context_is_adminOperations: - GET
/v1/hosts
List all compute hosts.
- GET
host:getDefault: rule:context_is_adminOperations: - GET
/v1/hosts/{host_ident}
Show the details of a specific compute host.
- GET
capsule:createDefault: is_admin:True or project_id:%(project_id)sOperations: - POST
/v1/capsules/
Create a capsule
- POST
capsule:deleteDefault: is_admin:True or project_id:%(project_id)sOperations: - DELETE
/v1/capsules/{capsule_ident}
Delete a capsule
- DELETE
capsule:delete_all_projectsDefault: rule:context_is_adminOperations: - DELETE
/v1/capsules/{capsule_ident}
Delete a container in any project.
- DELETE
capsule:getDefault: is_admin:True or project_id:%(project_id)sOperations: - GET
/v1/capsules/{capsule_ident}
Retrieve the details of a capsule.
- GET
capsule:get_one_all_projectsDefault: rule:context_is_adminOperations: - GET
/v1/capsules/{capsule_ident}
Retrieve the details of a capsule in any project.
- GET
capsule:get_allDefault: is_admin:True or project_id:%(project_id)sOperations: - GET
/v1/capsules/
List all capsules.
- GET
capsule:get_all_all_projectsDefault: rule:context_is_adminOperations: - GET
/v1/capsules/
List all capsules across projects.
- GET
network:attach_external_networkDefault: role:adminOperations: - POST
/v1/containers
Attach an unshared external network to a container
- POST
network:createDefault: role:adminOperations: - POST
/v1/networks
Create a network
- POST
network:deleteDefault: role:adminOperations: - DELETE
/v1/networks
Delete a network
- DELETE
container:actionsDefault: is_admin:True or project_id:%(project_id)sOperations: - GET
/v1/containers/{container_ident}/container_actions/ - GET
/v1/containers/{container_ident}/container_actions/{request_id}
List actions and show action details for a container
- GET
container:action:eventsDefault: rule:context_is_adminOperations: - GET
/v1/containers/{container_ident}/container_actions/{request_id}
Add events details in action details for a container.
- GET
availability_zones:get_allDefault: is_admin:True or project_id:%(project_id)sOperations: - GET
/v1/availability_zones
List availability zone
- GET
quota:updateDefault: rule:context_is_adminOperations: - PUT
/v1/quotas/{project_id}
Update quotas for a project
- PUT
quota:deleteDefault: rule:context_is_adminOperations: - DELETE
/v1/quotas/{project_id}
Delete quotas for a project
- DELETE
quota:getDefault: is_admin:True or project_id:%(project_id)sOperations: - GET
/v1/quotas/{project_id}
Get quotas for a project
- GET
quota:get_defaultDefault: is_admin:True or project_id:%(project_id)sOperations: - GET
/v1/quotas/defaults
Get default quotas for a project
- GET
quota_class:updateDefault: rule:context_is_adminOperations: - PUT
/v1/quota_classes/{quota_class_name}
Update quotas for specific quota class
- PUT
quota_class:getDefault: rule:context_is_adminOperations: - GET
/v1/quota_classes/{quota_class_name}
List quotas for specific quota class
- GET
registry:createDefault: is_admin:True or project_id:%(project_id)sOperations: - POST
/v1/registries
Create a new registry.
- POST
registry:deleteDefault: is_admin:True or project_id:%(project_id)sOperations: - DELETE
/v1/registries/{registry_ident}
Delete a registry.
- DELETE
registry:get_oneDefault: is_admin:True or project_id:%(project_id)sOperations: - GET
/v1/registries/{registry_ident}
Retrieve the details of a specific registry.
- GET
registry:get_allDefault: is_admin:True or project_id:%(project_id)sOperations: - GET
/v1/registries
Retrieve the details of all registries.
- GET
registry:get_all_all_projectsDefault: rule:context_is_adminOperations: - GET
/v1/registries
Retrieve the details of all registries across projects.
- GET
registry:updateDefault: is_admin:True or project_id:%(project_id)sOperations: - PATCH
/v1/registries/{registry_ident}
Update a registry.
- PATCH
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.