diff --git a/lower-constraints.txt b/lower-constraints.txt
index f3976063cf..43eb5a3d36 100644
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@@ -54,19 +54,19 @@ openstacksdk==0.11.2
 os-client-config==1.28.0
 os-service-types==1.2.0
 osc-lib==1.8.0
-oslo.concurrency==3.26.0
-oslo.config==5.2.0
-oslo.context==2.22.0
-oslo.i18n==5.0.1
-oslo.log==3.36.0
+oslo.concurrency==4.5.0
+oslo.config==8.8.0
+oslo.context==4.1.0
+oslo.i18n==5.1.0
+oslo.log==4.7.0
 oslo.messaging==5.29.0
 oslo.middleware==3.31.0
-oslo.policy==3.2.0
-oslo.serialization==2.18.0
+oslo.policy==3.11.0
+oslo.serialization==4.3.0
 oslo.service==1.24.0
-oslo.upgradecheck==0.1.1
-oslo.utils==4.8.0
-osprofiler==2.3.0
+oslo.upgradecheck==1.5.0
+oslo.utils==4.12.0
+osprofiler==3.4.2
 Paste==2.0.2
 PasteDeploy==1.5.0
 pbr==5.5.0
@@ -97,14 +97,14 @@ python-neutronclient==6.7.0
 python-novaclient==9.1.0
 python-swiftclient==3.2.0
 pytz==2013.6
-PyYAML==3.12
+PyYAML==6.0
 rcssmin==1.0.6
 reno==3.1.0
 repoze.lru==0.7
 requests==2.25.1
 requestsexceptions==1.2.0
 restructuredtext-lint==1.1.1
-rfc3986==0.3.1
+rfc3986==1.5.0
 rjsmin==1.1.0
 Routes==2.3.1
 selenium==2.50.1
diff --git a/openstack_dashboard/conf/cinder_policy.yaml b/openstack_dashboard/conf/cinder_policy.yaml
index ad64123a80..ab30bae09d 100644
--- a/openstack_dashboard/conf/cinder_policy.yaml
+++ b/openstack_dashboard/conf/cinder_policy.yaml
@@ -1,46 +1,125 @@ -# Decides what is required for the 'is_admin:True' check to succeed. -#"context_is_admin": "role:admin" - +# DEPRECATED: This rule will be removed in the Yoga release. # Default rule for most non-Admin APIs. #"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s" +# DEPRECATED: This rule will be removed in the Yoga release. +# Default rule for admins of cloud, domain or a project. +#"system_or_domain_or_project_admin": "(role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s) or (role:admin and project_id:%(project_id)s)" + +# Decides what is required for the 'is_admin:True' check to succeed. +#"context_is_admin": "role:admin" + # Default rule for most Admin APIs. #"admin_api": "is_admin:True or (role:admin and is_admin_project:True)" -# Default rule for admins of cloud, domain or a project. -#"system_or_domain_or_project_admin": "(role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s) or (role:admin and project_id:%(project_id)s)" +# NOTE: this purely role-based rule recognizes only project scope +#"xena_system_admin_or_project_reader": "(role:admin) or (role:reader and project_id:%(project_id)s)" + +# NOTE: this purely role-based rule recognizes only project scope +#"xena_system_admin_or_project_member": "(role:admin) or (role:member and project_id:%(project_id)s)" # Create attachment. # POST /attachments -#"volume:attachment_create": "" +#"volume:attachment_create": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume:attachment_create":"" has been deprecated since X in favor +# of "volume:attachment_create":"rule:xena_system_admin_or_project_mem +# ber". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. 
# Update attachment. # PUT /attachments/{attachment_id} -#"volume:attachment_update": "rule:admin_or_owner" +#"volume:attachment_update": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume:attachment_update":"rule:admin_or_owner" has been deprecated +# since X in favor of "volume:attachment_update":"rule:xena_system_adm +# in_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Delete attachment. # DELETE /attachments/{attachment_id} -#"volume:attachment_delete": "rule:admin_or_owner" +#"volume:attachment_delete": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume:attachment_delete":"rule:admin_or_owner" has been deprecated +# since X in favor of "volume:attachment_delete":"rule:xena_system_adm +# in_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Mark a volume attachment process as completed (in-use) # POST /attachments/{attachment_id}/action (os-complete) -#"volume:attachment_complete": "rule:admin_or_owner" +#"volume:attachment_complete": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume:attachment_complete":"rule:admin_or_owner" has been +# deprecated since X in favor of "volume:attachment_complete":"rule:xe +# na_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. 
# Allow multiattach of bootable volumes. # POST /attachments -#"volume:multiattach_bootable_volume": "rule:admin_or_owner" +#"volume:multiattach_bootable_volume": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume:multiattach_bootable_volume":"rule:admin_or_owner" has been +# deprecated since X in favor of "volume:multiattach_bootable_volume": +# "rule:xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # List messages. # GET /messages -#"message:get_all": "rule:admin_or_owner" +#"message:get_all": "rule:xena_system_admin_or_project_reader" + +# DEPRECATED +# "message:get_all":"rule:admin_or_owner" has been deprecated since X +# in favor of +# "message:get_all":"rule:xena_system_admin_or_project_reader". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Show message. # GET /messages/{message_id} -#"message:get": "rule:admin_or_owner" +#"message:get": "rule:xena_system_admin_or_project_reader" + +# DEPRECATED +# "message:get":"rule:admin_or_owner" has been deprecated since X in +# favor of "message:get":"rule:xena_system_admin_or_project_reader". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Delete message. 
# DELETE /messages/{message_id} -#"message:delete": "rule:admin_or_owner" +#"message:delete": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "message:delete":"rule:admin_or_owner" has been deprecated since X +# in favor of +# "message:delete":"rule:xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # List clusters. # GET /clusters 
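Review bot: The top of this hunk keeps `admin_or_owner` and `system_or_domain_or_project_admin` only as entries marked `DEPRECATED: This rule will be removed in the Yoga release`, while every per-API default below now points at `rule:xena_system_admin_or_project_member` or `..._reader`. Any dashboard-side policy override or template that still names `rule:admin_or_owner` directly (none is visible in this diff) would stop resolving once that alias is dropped, so it is worth checking for such references as part of this sync rather than at the next one. The new `xena_*` rules are annotated as purely role-based and project-scoped, which is the behaviour the dashboard's policy checks will now enforce by default; a one-line commit-message note saying that reader-only users lose create/update/delete actions in the UI would make the intent explicit.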
@@ -62,43 +141,124 @@ # Show snapshot's metadata or one specified metadata with a given key. # GET /snapshots/{snapshot_id}/metadata # GET /snapshots/{snapshot_id}/metadata/{key} -#"volume:get_snapshot_metadata": "rule:admin_or_owner" +#"volume:get_snapshot_metadata": "rule:xena_system_admin_or_project_reader" + +# DEPRECATED +# "volume:get_snapshot_metadata":"rule:admin_or_owner" has been +# deprecated since X in favor of "volume:get_snapshot_metadata":"rule: +# xena_system_admin_or_project_reader". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Update snapshot's metadata or one specified metadata with a given # key. -# PUT /snapshots/{snapshot_id}/metadata +# POST /snapshots/{snapshot_id}/metadata # PUT /snapshots/{snapshot_id}/metadata/{key} -#"volume:update_snapshot_metadata": "rule:admin_or_owner" +#"volume:update_snapshot_metadata": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume:update_snapshot_metadata":"rule:admin_or_owner" has been +# deprecated since X in favor of "volume:update_snapshot_metadata":"ru +# le:xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Delete snapshot's specified metadata with a given key. 
# DELETE /snapshots/{snapshot_id}/metadata/{key} -#"volume:delete_snapshot_metadata": "rule:admin_or_owner" +#"volume:delete_snapshot_metadata": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume:delete_snapshot_metadata":"rule:admin_or_owner" has been +# deprecated since X in favor of "volume:delete_snapshot_metadata":"ru +# le:xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # List snapshots. # GET /snapshots # GET /snapshots/detail -#"volume:get_all_snapshots": "rule:admin_or_owner" +#"volume:get_all_snapshots": "rule:xena_system_admin_or_project_reader" + +# DEPRECATED +# "volume:get_all_snapshots":"rule:admin_or_owner" has been deprecated +# since X in favor of "volume:get_all_snapshots":"rule:xena_system_adm +# in_or_project_reader". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # List or show snapshots with extended attributes. # GET /snapshots/{snapshot_id} # GET /snapshots/detail -#"volume_extension:extended_snapshot_attributes": "rule:admin_or_owner" +#"volume_extension:extended_snapshot_attributes": "rule:xena_system_admin_or_project_reader" + +# DEPRECATED +# "volume_extension:extended_snapshot_attributes":"rule:admin_or_owner +# " has been deprecated since X in favor of "volume_extension:extended +# _snapshot_attributes":"rule:xena_system_admin_or_project_reader". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". 
See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Create snapshot. # POST /snapshots -#"volume:create_snapshot": "rule:admin_or_owner" +#"volume:create_snapshot": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume:create_snapshot":"rule:admin_or_owner" has been deprecated +# since X in favor of +# "volume:create_snapshot":"rule:xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Show snapshot. # GET /snapshots/{snapshot_id} -#"volume:get_snapshot": "rule:admin_or_owner" +#"volume:get_snapshot": "rule:xena_system_admin_or_project_reader" + +# DEPRECATED +# "volume:get_snapshot":"rule:admin_or_owner" has been deprecated +# since X in favor of +# "volume:get_snapshot":"rule:xena_system_admin_or_project_reader". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Update snapshot. # PUT /snapshots/{snapshot_id} -#"volume:update_snapshot": "rule:admin_or_owner" +#"volume:update_snapshot": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume:update_snapshot":"rule:admin_or_owner" has been deprecated +# since X in favor of +# "volume:update_snapshot":"rule:xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Delete snapshot. 
# DELETE /snapshots/{snapshot_id} -#"volume:delete_snapshot": "rule:admin_or_owner" +#"volume:delete_snapshot": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume:delete_snapshot":"rule:admin_or_owner" has been deprecated +# since X in favor of +# "volume:delete_snapshot":"rule:xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Reset status of a snapshot. # POST /snapshots/{snapshot_id}/action (os-reset_status) @@ -106,7 +266,17 @@ # Update database fields of snapshot. # POST /snapshots/{snapshot_id}/action (update_snapshot_status) -#"snapshot_extension:snapshot_actions:update_snapshot_status": "" +#"snapshot_extension:snapshot_actions:update_snapshot_status": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "snapshot_extension:snapshot_actions:update_snapshot_status":"" has +# been deprecated since X in favor of "snapshot_extension:snapshot_act +# ions:update_snapshot_status":"rule:xena_system_admin_or_project_memb +# er". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Force delete a snapshot. # POST /snapshots/{snapshot_id}/action (os-force_delete) 
@@ -128,7 +298,16 @@ # List backups. # GET /backups # GET /backups/detail -#"backup:get_all": "rule:admin_or_owner" +#"backup:get_all": "rule:xena_system_admin_or_project_reader" + +# DEPRECATED +# "backup:get_all":"rule:admin_or_owner" has been deprecated since X +# in favor of +# "backup:get_all":"rule:xena_system_admin_or_project_reader". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # List backups or show backup with project attributes. # GET /backups/{backup_id} 
@@ -137,23 +316,64 @@ # Create backup. # POST /backups -#"backup:create": "" +#"backup:create": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "backup:create":"" has been deprecated since X in favor of +# "backup:create":"rule:xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Show backup. # GET /backups/{backup_id} -#"backup:get": "rule:admin_or_owner" +#"backup:get": "rule:xena_system_admin_or_project_reader" + +# DEPRECATED +# "backup:get":"rule:admin_or_owner" has been deprecated since X in +# favor of "backup:get":"rule:xena_system_admin_or_project_reader". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Update backup. # PUT /backups/{backup_id} -#"backup:update": "rule:admin_or_owner" +#"backup:update": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "backup:update":"rule:admin_or_owner" has been deprecated since X in +# favor of "backup:update":"rule:xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Delete backup. # DELETE /backups/{backup_id} -#"backup:delete": "rule:admin_or_owner" +#"backup:delete": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "backup:delete":"rule:admin_or_owner" has been deprecated since X in +# favor of "backup:delete":"rule:xena_system_admin_or_project_member". 
+# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Restore backup. # POST /backups/{backup_id}/restore -#"backup:restore": "rule:admin_or_owner" +#"backup:restore": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "backup:restore":"rule:admin_or_owner" has been deprecated since X +# in favor of +# "backup:restore":"rule:xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Import backup. # POST /backups/{backup_id}/import_record 
@@ -174,63 +394,214 @@ # List groups. # GET /groups # GET /groups/detail -#"group:get_all": "rule:admin_or_owner" +#"group:get_all": "rule:xena_system_admin_or_project_reader" + +# DEPRECATED +# "group:get_all":"rule:admin_or_owner" has been deprecated since X in +# favor of "group:get_all":"rule:xena_system_admin_or_project_reader". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Create group. # POST /groups -#"group:create": "" +#"group:create": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "group:create":"" has been deprecated since X in favor of +# "group:create":"rule:xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Show group. # GET /groups/{group_id} -#"group:get": "rule:admin_or_owner" +#"group:get": "rule:xena_system_admin_or_project_reader" + +# DEPRECATED +# "group:get":"rule:admin_or_owner" has been deprecated since X in +# favor of "group:get":"rule:xena_system_admin_or_project_reader". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Update group. # PUT /groups/{group_id} -#"group:update": "rule:admin_or_owner" +#"group:update": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "group:update":"rule:admin_or_owner" has been deprecated since X in +# favor of "group:update":"rule:xena_system_admin_or_project_member". 
+# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # List groups or show group with project attributes. # GET /groups/{group_id} # GET /groups/detail #"group:group_project_attribute": "rule:admin_api" -# Create, update or delete a group type. +# Create a group type. # POST /group_types/ +#"group:group_types:create": "rule:admin_api" + +# DEPRECATED +# "group:group_types_manage":"rule:admin_api" has been deprecated +# since X in favor of "group:group_types:create":"rule:admin_api". +# group:group_types_manage has been replaced by more granular policies +# that separately govern POST, PUT, and DELETE operations. +#"group:group_types_manage": "rule:group:group_types:create" + +# Update a group type. # PUT /group_types/{group_type_id} +#"group:group_types:update": "rule:admin_api" + +# DEPRECATED +# "group:group_types_manage":"rule:admin_api" has been deprecated +# since X in favor of "group:group_types:update":"rule:admin_api". +# group:group_types_manage has been replaced by more granular policies +# that separately govern POST, PUT, and DELETE operations. +#"group:group_types_manage": "rule:group:group_types:update" + +# Delete a group type. # DELETE /group_types/{group_type_id} -#"group:group_types_manage": "rule:admin_api" +#"group:group_types:delete": "rule:admin_api" + +# DEPRECATED +# "group:group_types_manage":"rule:admin_api" has been deprecated +# since X in favor of "group:group_types:delete":"rule:admin_api". +# group:group_types_manage has been replaced by more granular policies +# that separately govern POST, PUT, and DELETE operations. +#"group:group_types_manage": "rule:group:group_types:delete" # Show group type with type specs attributes. 
# GET /group_types/{group_type_id} #"group:access_group_types_specs": "rule:admin_api" -# Create, show, update and delete group type spec. +# Show a group type spec. # GET /group_types/{group_type_id}/group_specs/{g_spec_id} +#"group:group_types_specs:get": "rule:admin_api" + +# DEPRECATED +# "group:group_types_specs":"rule:admin_api" has been deprecated since +# X in favor of "group:group_types_specs:get":"rule:admin_api". +# group:group_types_specs has been replaced by more granular policies +# that separately govern GET, POST, PUT, and DELETE operations. +#"group:group_types_specs": "rule:group:group_types_specs:get" + +# List group type specs. # GET /group_types/{group_type_id}/group_specs +#"group:group_types_specs:get_all": "rule:admin_api" + +# DEPRECATED +# "group:group_types_specs":"rule:admin_api" has been deprecated since +# X in favor of "group:group_types_specs:get_all":"rule:admin_api". +# group:group_types_specs has been replaced by more granular policies +# that separately govern GET, POST, PUT, and DELETE operations. +#"group:group_types_specs": "rule:group:group_types_specs:get_all" + +# Create a group type spec. # POST /group_types/{group_type_id}/group_specs +#"group:group_types_specs:create": "rule:admin_api" + +# DEPRECATED +# "group:group_types_specs":"rule:admin_api" has been deprecated since +# X in favor of "group:group_types_specs:create":"rule:admin_api". +# group:group_types_specs has been replaced by more granular policies +# that separately govern GET, POST, PUT, and DELETE operations. +#"group:group_types_specs": "rule:group:group_types_specs:create" + +# Update a group type spec. # PUT /group_types/{group_type_id}/group_specs/{g_spec_id} +#"group:group_types_specs:update": "rule:admin_api" + +# DEPRECATED +# "group:group_types_specs":"rule:admin_api" has been deprecated since +# X in favor of "group:group_types_specs:update":"rule:admin_api". 
+# group:group_types_specs has been replaced by more granular policies +# that separately govern GET, POST, PUT, and DELETE operations. +#"group:group_types_specs": "rule:group:group_types_specs:update" + +# Delete a group type spec. # DELETE /group_types/{group_type_id}/group_specs/{g_spec_id} -#"group:group_types_specs": "rule:admin_api" +#"group:group_types_specs:delete": "rule:admin_api" + +# DEPRECATED +# "group:group_types_specs":"rule:admin_api" has been deprecated since +# X in favor of "group:group_types_specs:delete":"rule:admin_api". +# group:group_types_specs has been replaced by more granular policies +# that separately govern GET, POST, PUT, and DELETE operations. +#"group:group_types_specs": "rule:group:group_types_specs:delete" # List group snapshots. # GET /group_snapshots # GET /group_snapshots/detail -#"group:get_all_group_snapshots": "rule:admin_or_owner" +#"group:get_all_group_snapshots": "rule:xena_system_admin_or_project_reader" + +# DEPRECATED +# "group:get_all_group_snapshots":"rule:admin_or_owner" has been +# deprecated since X in favor of "group:get_all_group_snapshots":"rule +# :xena_system_admin_or_project_reader". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Create group snapshot. # POST /group_snapshots -#"group:create_group_snapshot": "" +#"group:create_group_snapshot": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "group:create_group_snapshot":"" has been deprecated since X in +# favor of "group:create_group_snapshot":"rule:xena_system_admin_or_pr +# oject_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". 
See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Show group snapshot. # GET /group_snapshots/{group_snapshot_id} -#"group:get_group_snapshot": "rule:admin_or_owner" +#"group:get_group_snapshot": "rule:xena_system_admin_or_project_reader" + +# DEPRECATED +# "group:get_group_snapshot":"rule:admin_or_owner" has been deprecated +# since X in favor of "group:get_group_snapshot":"rule:xena_system_adm +# in_or_project_reader". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Delete group snapshot. # DELETE /group_snapshots/{group_snapshot_id} -#"group:delete_group_snapshot": "rule:admin_or_owner" +#"group:delete_group_snapshot": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "group:delete_group_snapshot":"rule:admin_or_owner" has been +# deprecated since X in favor of "group:delete_group_snapshot":"rule:x +# ena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Update group snapshot. # PUT /group_snapshots/{group_snapshot_id} -#"group:update_group_snapshot": "rule:admin_or_owner" +#"group:update_group_snapshot": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "group:update_group_snapshot":"rule:admin_or_owner" has been +# deprecated since X in favor of "group:update_group_snapshot":"rule:x +# ena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". 
See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # List group snapshots or show group snapshot with project attributes. # GET /group_snapshots/{group_snapshot_id} @@ -243,7 +614,15 @@ # Delete group. # POST /groups/{group_id}/action (delete) -#"group:delete": "rule:admin_or_owner" +#"group:delete": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "group:delete":"rule:admin_or_owner" has been deprecated since X in +# favor of "group:delete":"rule:xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Reset status of group. # POST /groups/{group_id}/action (reset_status) 
@@ -251,19 +630,55 @@ # Enable replication. # POST /groups/{group_id}/action (enable_replication) -#"group:enable_replication": "rule:admin_or_owner" +#"group:enable_replication": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "group:enable_replication":"rule:admin_or_owner" has been deprecated +# since X in favor of "group:enable_replication":"rule:xena_system_adm +# in_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Disable replication. # POST /groups/{group_id}/action (disable_replication) -#"group:disable_replication": "rule:admin_or_owner" +#"group:disable_replication": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "group:disable_replication":"rule:admin_or_owner" has been +# deprecated since X in favor of "group:disable_replication":"rule:xen +# a_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Fail over replication. # POST /groups/{group_id}/action (failover_replication) -#"group:failover_replication": "rule:admin_or_owner" +#"group:failover_replication": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "group:failover_replication":"rule:admin_or_owner" has been +# deprecated since X in favor of "group:failover_replication":"rule:xe +# na_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". 
See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # List failover replication. # POST /groups/{group_id}/action (list_replication_targets) -#"group:list_replication_targets": "rule:admin_or_owner" +#"group:list_replication_targets": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "group:list_replication_targets":"rule:admin_or_owner" has been +# deprecated since X in favor of "group:list_replication_targets":"rul +# e:xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # List qos specs or list all associations. # GET /qos-specs 
@@ -290,16 +705,41 @@ # PUT /qos-specs/{qos_id}/delete_keys #"volume_extension:qos_specs_manage:delete": "rule:admin_api" -# Show or update project quota class. +# Show project quota class. # GET /os-quota-class-sets/{project_id} +#"volume_extension:quota_classes:get": "rule:admin_api" + +# DEPRECATED +# "volume_extension:quota_classes":"rule:admin_api" has been +# deprecated since X in favor of +# "volume_extension:quota_classes:get":"rule:admin_api". +# volume_extension:quota_classes has been replaced by more granular +# policies that separately govern GET and PUT operations. +#"volume_extension:quota_classes": "rule:volume_extension:quota_classes:get" + +# Update project quota class. # PUT /os-quota-class-sets/{project_id} -#"volume_extension:quota_classes": "rule:admin_api" +#"volume_extension:quota_classes:update": "rule:admin_api" + +# DEPRECATED +# "volume_extension:quota_classes":"rule:admin_api" has been +# deprecated since X in favor of +# "volume_extension:quota_classes:update":"rule:admin_api". +# volume_extension:quota_classes has been replaced by more granular +# policies that separately govern GET and PUT operations. +#"volume_extension:quota_classes": "rule:volume_extension:quota_classes:update" # Show project quota (including usage and default). # GET /os-quota-sets/{project_id} # GET /os-quota-sets/{project_id}/default # GET /os-quota-sets/{project_id}?usage=True -#"volume_extension:quotas:show": "rule:admin_or_owner" +#"volume_extension:quotas:show": "rule:xena_system_admin_or_project_reader" + +# DEPRECATED +# "volume_extension:quotas:show":"rule:admin_or_owner" has been +# deprecated since None in favor of "volume_extension:quotas:show":"ru +# le:xena_system_admin_or_project_reader". +# # Update project quota. # PUT /os-quota-sets/{project_id} 
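Review bot: The deprecation block for `volume_extension:quotas:show` near the end of this hunk reads `deprecated since None` and is followed by a bare `#` line, whereas every other entry in the file says `since X` and carries the personas explanation. This looks like the policy definition the sample was generated from omits the `deprecated_since` and `deprecated_reason` values for that one rule; if so, hand-editing the text here would be overwritten on the next regeneration, and the fix belongs upstream. Worth confirming against the source definition before merging, or at least mentioning in the commit message that the oddity originates there.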
@@ -346,7 +786,16 @@
 
 # Show limits with used limit attributes.
 # GET /limits
-#"limits_extension:used_limits": "rule:admin_or_owner"
+#"limits_extension:used_limits": "rule:xena_system_admin_or_project_reader"
+
+# DEPRECATED
+# "limits_extension:used_limits":"rule:admin_or_owner" has been
+# deprecated since X in favor of "limits_extension:used_limits":"rule:
+# xena_system_admin_or_project_reader".
+# Default policies now support the three Keystone default roles,
+# namely 'admin', 'member', and 'reader' to implement three Cinder
+# "personas". See "Policy Personas and Permissions" in the "Cinder
+# Service Configuration" documentation (Xena release) for details.
 
 # List (in detail) of volumes which are available to manage.
 # GET /manageable_volumes
@@ -361,65 +810,168 @@ # POST /volumes/{volume_id}/action (os-unmanage) #"volume_extension:volume_unmanage": "rule:admin_api" -# Create, update and delete volume type. +# Create volume type. # POST /types +#"volume_extension:type_create": "rule:admin_api" + +# DEPRECATED +# "volume_extension:types_manage":"rule:admin_api" has been deprecated +# since X in favor of "volume_extension:type_create":"rule:admin_api". +# volume_extension:types_manage has been replaced by more granular +# policies that separately govern POST, PUT, and DELETE operations. +#"volume_extension:types_manage": "rule:volume_extension:type_create" + +# Update volume type. # PUT /types +#"volume_extension:type_update": "rule:admin_api" + +# DEPRECATED +# "volume_extension:types_manage":"rule:admin_api" has been deprecated +# since X in favor of "volume_extension:type_update":"rule:admin_api". +# volume_extension:types_manage has been replaced by more granular +# policies that separately govern POST, PUT, and DELETE operations. +#"volume_extension:types_manage": "rule:volume_extension:type_update" + +# Delete volume type. # DELETE /types -#"volume_extension:types_manage": "rule:admin_api" +#"volume_extension:type_delete": "rule:admin_api" + +# DEPRECATED +# "volume_extension:types_manage":"rule:admin_api" has been deprecated +# since X in favor of "volume_extension:type_delete":"rule:admin_api". +# volume_extension:types_manage has been replaced by more granular +# policies that separately govern POST, PUT, and DELETE operations. +#"volume_extension:types_manage": "rule:volume_extension:type_delete" # Get one specific volume type. # GET /types/{type_id} -#"volume_extension:type_get": "" +#"volume_extension:type_get": "rule:xena_system_admin_or_project_reader" + +# DEPRECATED +# "volume_extension:type_get":"" has been deprecated since X in favor +# of "volume_extension:type_get":"rule:xena_system_admin_or_project_re +# ader". 
+# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # List volume types. # GET /types/ -#"volume_extension:type_get_all": "" +#"volume_extension:type_get_all": "rule:xena_system_admin_or_project_reader" -# Base policy for all volume type encryption type operations. This -# can be used to set the policies for a volume type's encryption type -# create, show, update, and delete actions in one place, or any of -# those may be set individually using the following policy targets for -# finer grained control. -# POST /types/{type_id}/encryption -# PUT /types/{type_id}/encryption/{encryption_id} -# GET /types/{type_id}/encryption -# GET /types/{type_id}/encryption/{key} -# DELETE /types/{type_id}/encryption/{encryption_id} -#"volume_extension:volume_type_encryption": "rule:admin_api" +# DEPRECATED +# "volume_extension:type_get_all":"" has been deprecated since X in +# favor of "volume_extension:type_get_all":"rule:xena_system_admin_or_ +# project_reader". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. -# Create volume type encryption. -# POST /types/{type_id}/encryption -#"volume_extension:volume_type_encryption:create": "rule:volume_extension:volume_type_encryption" - -# Show a volume type's encryption type, show an encryption specs item. -# GET /types/{type_id}/encryption -# GET /types/{type_id}/encryption/{key} -#"volume_extension:volume_type_encryption:get": "rule:volume_extension:volume_type_encryption" - -# Update volume type encryption. 
-# PUT /types/{type_id}/encryption/{encryption_id} -#"volume_extension:volume_type_encryption:update": "rule:volume_extension:volume_type_encryption" - -# Delete volume type encryption. -# DELETE /types/{type_id}/encryption/{encryption_id} -#"volume_extension:volume_type_encryption:delete": "rule:volume_extension:volume_type_encryption" - -# List or show volume type with access type extra specs attribute. +# Include the volume type's extra_specs attribute in the volume type +# list or show requests. The ability to make these calls is governed +# by other policies. # GET /types/{type_id} # GET /types -#"volume_extension:access_types_extra_specs": "rule:admin_api" +#"volume_extension:access_types_extra_specs": "rule:xena_system_admin_or_project_reader" -# List or show volume type with access type qos specs id attribute. +# DEPRECATED +# "volume_extension:access_types_extra_specs":"rule:admin_api" has +# been deprecated since X in favor of "volume_extension:access_types_e +# xtra_specs":"rule:xena_system_admin_or_project_reader". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. + +# Include the volume type's QoS specifications ID attribute in the +# volume type list or show requests. The ability to make these calls +# is governed by other policies. # GET /types/{type_id} # GET /types #"volume_extension:access_types_qos_specs_id": "rule:admin_api" -# Volume type access related APIs. +# DEPRECATED: This rule will be removed in the Yoga release. +#"volume_extension:volume_type_encryption": "rule:admin_api" + +# Create volume type encryption. 
+# POST /types/{type_id}/encryption +#"volume_extension:volume_type_encryption:create": "rule:admin_api" + +# DEPRECATED +# "volume_extension:volume_type_encryption:create":"rule:volume_extens +# ion:volume_type_encryption" has been deprecated since X in favor of +# "volume_extension:volume_type_encryption:create":"rule:admin_api". +# Reason: 'volume_extension:volume_type_encryption' was a convenience +# policy that allowed you to set all volume encryption type policies +# to the same value. We are deprecating this rule to prepare for a +# future release in which the default values for policies that read, +# create/update, and delete encryption types will be different from +# each other. + +# Show a volume type's encryption type, show an encryption specs item. +# GET /types/{type_id}/encryption +# GET /types/{type_id}/encryption/{key} +#"volume_extension:volume_type_encryption:get": "rule:admin_api" + +# DEPRECATED +# "volume_extension:volume_type_encryption:get":"rule:volume_extension +# :volume_type_encryption" has been deprecated since X in favor of +# "volume_extension:volume_type_encryption:get":"rule:admin_api". +# Reason: 'volume_extension:volume_type_encryption' was a convenience +# policy that allowed you to set all volume encryption type policies +# to the same value. We are deprecating this rule to prepare for a +# future release in which the default values for policies that read, +# create/update, and delete encryption types will be different from +# each other. + +# Update volume type encryption. +# PUT /types/{type_id}/encryption/{encryption_id} +#"volume_extension:volume_type_encryption:update": "rule:admin_api" + +# DEPRECATED +# "volume_extension:volume_type_encryption:update":"rule:volume_extens +# ion:volume_type_encryption" has been deprecated since X in favor of +# "volume_extension:volume_type_encryption:update":"rule:admin_api". 
+# Reason: 'volume_extension:volume_type_encryption' was a convenience +# policy that allowed you to set all volume encryption type policies +# to the same value. We are deprecating this rule to prepare for a +# future release in which the default values for policies that read, +# create/update, and delete encryption types will be different from +# each other. + +# Delete volume type encryption. +# DELETE /types/{type_id}/encryption/{encryption_id} +#"volume_extension:volume_type_encryption:delete": "rule:admin_api" + +# DEPRECATED +# "volume_extension:volume_type_encryption:delete":"rule:volume_extens +# ion:volume_type_encryption" has been deprecated since X in favor of +# "volume_extension:volume_type_encryption:delete":"rule:admin_api". +# Reason: 'volume_extension:volume_type_encryption' was a convenience +# policy that allowed you to set all volume encryption type policies +# to the same value. We are deprecating this rule to prepare for a +# future release in which the default values for policies that read, +# create/update, and delete encryption types will be different from +# each other. + +# Adds the boolean field 'os-volume-type-access:is_public' to the +# responses for these API calls. The ability to make these calls is +# governed by other policies. # GET /types -# GET /types/detail # GET /types/{type_id} # POST /types -#"volume_extension:volume_type_access": "rule:admin_or_owner" +#"volume_extension:volume_type_access": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume_extension:volume_type_access":"rule:admin_or_owner" has been +# deprecated since X in favor of "volume_extension:volume_type_access" +# :"rule:xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. 
# Add volume type access for project. # POST /types/{type_id}/action (addProjectAccess) 
@@ -429,17 +981,58 @@ # POST /types/{type_id}/action (removeProjectAccess) #"volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api" +# List private volume type access detail, that is, list the projects +# that have access to this volume type. +# GET /types/{type_id}/os-volume-type-access +#"volume_extension:volume_type_access:get_all_for_type": "rule:admin_api" + +# DEPRECATED +# "volume_extension:volume_type_access:get_all_for_type":"volume_exten +# sion:volume_type_access" has been deprecated since X in favor of "vo +# lume_extension:volume_type_access:get_all_for_type":"rule:admin_api" +# . +# Reason: 'volume_extension:volume_type_access:get_all_for_type' is a +# new policy that protects an API call formerly governed by +# 'volume_extension:volume_type_access', but which has been separated +# for finer-grained policy control. + # Extend a volume. # POST /volumes/{volume_id}/action (os-extend) -#"volume:extend": "rule:admin_or_owner" +#"volume:extend": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume:extend":"rule:admin_or_owner" has been deprecated since X in +# favor of "volume:extend":"rule:xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Extend a attached volume. # POST /volumes/{volume_id}/action (os-extend) -#"volume:extend_attached_volume": "rule:admin_or_owner" +#"volume:extend_attached_volume": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume:extend_attached_volume":"rule:admin_or_owner" has been +# deprecated since X in favor of "volume:extend_attached_volume":"rule +# :xena_system_admin_or_project_member". 
+# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Revert a volume to a snapshot. # POST /volumes/{volume_id}/action (revert) -#"volume:revert_to_snapshot": "rule:admin_or_owner" +#"volume:revert_to_snapshot": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume:revert_to_snapshot":"rule:admin_or_owner" has been +# deprecated since X in favor of "volume:revert_to_snapshot":"rule:xen +# a_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Reset status of a volume. # POST /volumes/{volume_id}/action (os-reset_status) 
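Review bot: The deprecation text for `volume_extension:volume_type_access:get_all_for_type` at the top of this hunk quotes the old check string as `"volume_extension:volume_type_access"` without the `rule:` prefix that every other alias in this file uses. If that reflects the check string in the generator's source rather than a wrapping artifact, oslo.policy would parse it as a generic check on a `volume_extension` credential rather than as a reference to the `volume_extension:volume_type_access` rule, so the documented fallback would never match a real token; this is worth confirming against cinder, and if it is a genuine typo the quoted fallback should read `"rule:volume_extension:volume_type_access"`. The hunk itself is otherwise consistent with the other persona migrations in this file.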
@@ -447,11 +1040,28 @@
 
 # Retype a volume.
 # POST /volumes/{volume_id}/action (os-retype)
-#"volume:retype": "rule:admin_or_owner"
+#"volume:retype": "rule:xena_system_admin_or_project_member"
+
+# DEPRECATED
+# "volume:retype":"rule:admin_or_owner" has been deprecated since X in
+# favor of "volume:retype":"rule:xena_system_admin_or_project_member".
+# Default policies now support the three Keystone default roles,
+# namely 'admin', 'member', and 'reader' to implement three Cinder
+# "personas". See "Policy Personas and Permissions" in the "Cinder
+# Service Configuration" documentation (Xena release) for details.
 
 # Update a volume's readonly flag.
 # POST /volumes/{volume_id}/action (os-update_readonly_flag)
-#"volume:update_readonly_flag": "rule:admin_or_owner"
+#"volume:update_readonly_flag": "rule:xena_system_admin_or_project_member"
+
+# DEPRECATED
+# "volume:update_readonly_flag":"rule:admin_or_owner" has been
+# deprecated since X in favor of "volume:update_readonly_flag":"rule:x
+# ena_system_admin_or_project_member".
+# Default policies now support the three Keystone default roles,
+# namely 'admin', 'member', and 'reader' to implement three Cinder
+# "personas". See "Policy Personas and Permissions" in the "Cinder
+# Service Configuration" documentation (Xena release) for details.
 
 # Force delete a volume.
 # POST /volumes/{volume_id}/action (os-force_delete)
@@ -463,7 +1073,16 @@
 
 # Upload a volume to image.
 # POST /volumes/{volume_id}/action (os-volume_upload_image)
-#"volume_extension:volume_actions:upload_image": "rule:admin_or_owner"
+#"volume_extension:volume_actions:upload_image": "rule:xena_system_admin_or_project_member"
+
+# DEPRECATED
+# "volume_extension:volume_actions:upload_image":"rule:admin_or_owner"
+# has been deprecated since X in favor of "volume_extension:volume_act
+# ions:upload_image":"rule:xena_system_admin_or_project_member".
+# Default policies now support the three Keystone default roles,
+# namely 'admin', 'member', and 'reader' to implement three Cinder
+# "personas". See "Policy Personas and Permissions" in the "Cinder
+# Service Configuration" documentation (Xena release) for details.
 
 # Force detach a volume.
 # POST /volumes/{volume_id}/action (os-force_detach)
@@ -479,98 +1098,306 @@ # Initialize volume attachment. # POST /volumes/{volume_id}/action (os-initialize_connection) -#"volume_extension:volume_actions:initialize_connection": "rule:admin_or_owner" +#"volume_extension:volume_actions:initialize_connection": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume_extension:volume_actions:initialize_connection":"rule:admin_ +# or_owner" has been deprecated since X in favor of "volume_extension: +# volume_actions:initialize_connection":"rule:xena_system_admin_or_pro +# ject_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Terminate volume attachment. # POST /volumes/{volume_id}/action (os-terminate_connection) -#"volume_extension:volume_actions:terminate_connection": "rule:admin_or_owner" +#"volume_extension:volume_actions:terminate_connection": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume_extension:volume_actions:terminate_connection":"rule:admin_o +# r_owner" has been deprecated since X in favor of "volume_extension:v +# olume_actions:terminate_connection":"rule:xena_system_admin_or_proje +# ct_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Roll back volume status to 'in-use'. 
# POST /volumes/{volume_id}/action (os-roll_detaching) -#"volume_extension:volume_actions:roll_detaching": "rule:admin_or_owner" +#"volume_extension:volume_actions:roll_detaching": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume_extension:volume_actions:roll_detaching":"rule:admin_or_owne +# r" has been deprecated since X in favor of "volume_extension:volume_ +# actions:roll_detaching":"rule:xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Mark volume as reserved. # POST /volumes/{volume_id}/action (os-reserve) -#"volume_extension:volume_actions:reserve": "rule:admin_or_owner" +#"volume_extension:volume_actions:reserve": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume_extension:volume_actions:reserve":"rule:admin_or_owner" has +# been deprecated since X in favor of "volume_extension:volume_actions +# :reserve":"rule:xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Unmark volume as reserved. # POST /volumes/{volume_id}/action (os-unreserve) -#"volume_extension:volume_actions:unreserve": "rule:admin_or_owner" +#"volume_extension:volume_actions:unreserve": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume_extension:volume_actions:unreserve":"rule:admin_or_owner" +# has been deprecated since X in favor of "volume_extension:volume_act +# ions:unreserve":"rule:xena_system_admin_or_project_member". 
+# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Begin detach volumes. # POST /volumes/{volume_id}/action (os-begin_detaching) -#"volume_extension:volume_actions:begin_detaching": "rule:admin_or_owner" +#"volume_extension:volume_actions:begin_detaching": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume_extension:volume_actions:begin_detaching":"rule:admin_or_own +# er" has been deprecated since X in favor of "volume_extension:volume +# _actions:begin_detaching":"rule:xena_system_admin_or_project_member" +# . +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Add attachment metadata. # POST /volumes/{volume_id}/action (os-attach) -#"volume_extension:volume_actions:attach": "rule:admin_or_owner" +#"volume_extension:volume_actions:attach": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume_extension:volume_actions:attach":"rule:admin_or_owner" has +# been deprecated since X in favor of "volume_extension:volume_actions +# :attach":"rule:xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Clear attachment metadata. 
# POST /volumes/{volume_id}/action (os-detach) -#"volume_extension:volume_actions:detach": "rule:admin_or_owner" +#"volume_extension:volume_actions:detach": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume_extension:volume_actions:detach":"rule:admin_or_owner" has +# been deprecated since X in favor of "volume_extension:volume_actions +# :detach":"rule:xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. + +# Reimage a volume in 'available' or 'error' status. +# POST /volumes/{volume_id}/action (os-reimage) +#"volume:reimage": "rule:xena_system_admin_or_project_member" + +# Reimage a volume in 'reserved' status. +# POST /volumes/{volume_id}/action (os-reimage) +#"volume:reimage_reserved": "rule:xena_system_admin_or_project_member" # List volume transfer. # GET /os-volume-transfer # GET /os-volume-transfer/detail # GET /volume_transfers # GET /volume-transfers/detail -#"volume:get_all_transfers": "rule:admin_or_owner" +#"volume:get_all_transfers": "rule:xena_system_admin_or_project_reader" + +# DEPRECATED +# "volume:get_all_transfers":"rule:admin_or_owner" has been deprecated +# since X in favor of "volume:get_all_transfers":"rule:xena_system_adm +# in_or_project_reader". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Create a volume transfer. 
# POST /os-volume-transfer # POST /volume_transfers -#"volume:create_transfer": "rule:admin_or_owner" +#"volume:create_transfer": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume:create_transfer":"rule:admin_or_owner" has been deprecated +# since X in favor of +# "volume:create_transfer":"rule:xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Show one specified volume transfer. # GET /os-volume-transfer/{transfer_id} # GET /volume-transfers/{transfer_id} -#"volume:get_transfer": "rule:admin_or_owner" +#"volume:get_transfer": "rule:xena_system_admin_or_project_reader" + +# DEPRECATED +# "volume:get_transfer":"rule:admin_or_owner" has been deprecated +# since X in favor of +# "volume:get_transfer":"rule:xena_system_admin_or_project_reader". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Accept a volume transfer. # POST /os-volume-transfer/{transfer_id}/accept # POST /volume-transfers/{transfer_id}/accept -#"volume:accept_transfer": "" +#"volume:accept_transfer": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume:accept_transfer":"" has been deprecated since X in favor of +# "volume:accept_transfer":"rule:xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Delete volume transfer. 
# DELETE /os-volume-transfer/{transfer_id} # DELETE /volume-transfers/{transfer_id} -#"volume:delete_transfer": "rule:admin_or_owner" +#"volume:delete_transfer": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume:delete_transfer":"rule:admin_or_owner" has been deprecated +# since X in favor of +# "volume:delete_transfer":"rule:xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Show volume's metadata or one specified metadata with a given key. # GET /volumes/{volume_id}/metadata # GET /volumes/{volume_id}/metadata/{key} -#"volume:get_volume_metadata": "rule:admin_or_owner" +# POST /volumes/{volume_id}/action (os-show_image_metadata) +#"volume:get_volume_metadata": "rule:xena_system_admin_or_project_reader" + +# DEPRECATED +# "volume:get_volume_metadata":"rule:admin_or_owner" has been +# deprecated since X in favor of "volume:get_volume_metadata":"rule:xe +# na_system_admin_or_project_reader". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Create volume metadata. # POST /volumes/{volume_id}/metadata -#"volume:create_volume_metadata": "rule:admin_or_owner" +#"volume:create_volume_metadata": "rule:xena_system_admin_or_project_member" -# Update volume's metadata or one specified metadata with a given key. +# DEPRECATED +# "volume:create_volume_metadata":"rule:admin_or_owner" has been +# deprecated since X in favor of "volume:create_volume_metadata":"rule +# :xena_system_admin_or_project_member". 
+# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. + +# Replace a volume's metadata dictionary or update a single metadatum +# with a given key. # PUT /volumes/{volume_id}/metadata # PUT /volumes/{volume_id}/metadata/{key} -#"volume:update_volume_metadata": "rule:admin_or_owner" +#"volume:update_volume_metadata": "rule:xena_system_admin_or_project_member" -# Delete volume's specified metadata with a given key. +# DEPRECATED +# "volume:update_volume_metadata":"rule:admin_or_owner" has been +# deprecated since X in favor of "volume:update_volume_metadata":"rule +# :xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. + +# Delete a volume's metadatum with the given key. # DELETE /volumes/{volume_id}/metadata/{key} -#"volume:delete_volume_metadata": "rule:admin_or_owner" +#"volume:delete_volume_metadata": "rule:xena_system_admin_or_project_member" -# Volume's image metadata related operation, create, delete, show and -# list. +# DEPRECATED +# "volume:delete_volume_metadata":"rule:admin_or_owner" has been +# deprecated since X in favor of "volume:delete_volume_metadata":"rule +# :xena_system_admin_or_project_member". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. + +# Include a volume's image metadata in volume detail responses. 
The +# ability to make these calls is governed by other policies. # GET /volumes/detail # GET /volumes/{volume_id} -# POST /volumes/{volume_id}/action (os-set_image_metadata) -# POST /volumes/{volume_id}/action (os-unset_image_metadata) -#"volume_extension:volume_image_metadata": "rule:admin_or_owner" +#"volume_extension:volume_image_metadata:show": "rule:xena_system_admin_or_project_reader" -# Update volume admin metadata. It's used in `attach` and `os- -# update_readonly_flag` APIs +# DEPRECATED +# "volume_extension:volume_image_metadata":"rule:admin_or_owner" has +# been deprecated since X in favor of "volume_extension:volume_image_m +# etadata:show":"rule:xena_system_admin_or_project_reader". +# volume_extension:volume_image_metadata has been replaced by more +# granular policies that separately govern show, set, and remove +# operations. +#"volume_extension:volume_image_metadata": "rule:volume_extension:volume_image_metadata:show" + +# Set image metadata for a volume +# POST /volumes/{volume_id}/action (os-set_image_metadata) +#"volume_extension:volume_image_metadata:set": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume_extension:volume_image_metadata":"rule:admin_or_owner" has +# been deprecated since X in favor of "volume_extension:volume_image_m +# etadata:set":"rule:xena_system_admin_or_project_member". +# volume_extension:volume_image_metadata has been replaced by more +# granular policies that separately govern show, set, and remove +# operations. 
+#"volume_extension:volume_image_metadata": "rule:volume_extension:volume_image_metadata:set" + +# Remove specific image metadata from a volume +# POST /volumes/{volume_id}/action (os-unset_image_metadata) +#"volume_extension:volume_image_metadata:remove": "rule:xena_system_admin_or_project_member" + +# DEPRECATED +# "volume_extension:volume_image_metadata":"rule:admin_or_owner" has +# been deprecated since X in favor of "volume_extension:volume_image_m +# etadata:remove":"rule:xena_system_admin_or_project_member". +# volume_extension:volume_image_metadata has been replaced by more +# granular policies that separately govern show, set, and remove +# operations. +#"volume_extension:volume_image_metadata": "rule:volume_extension:volume_image_metadata:remove" + +# Update volume admin metadata. This permission is required to +# complete these API calls, though the ability to make these calls is +# governed by other policies. # POST /volumes/{volume_id}/action (os-update_readonly_flag) # POST /volumes/{volume_id}/action (os-attach) #"volume:update_volume_admin_metadata": "rule:admin_api" # List type extra specs. # GET /types/{type_id}/extra_specs -#"volume_extension:types_extra_specs:index": "rule:admin_api" +#"volume_extension:types_extra_specs:index": "rule:xena_system_admin_or_project_reader" + +# DEPRECATED +# "volume_extension:types_extra_specs:index":"" has been deprecated +# since X in favor of "volume_extension:types_extra_specs:index":"rule +# :xena_system_admin_or_project_reader". +# Default policies now support the three Keystone default roles, +# namely 'admin', 'member', and 'reader' to implement three Cinder +# "personas". See "Policy Personas and Permissions" in the "Cinder +# Service Configuration" documentation (Xena release) for details. # Create type extra specs. # POST /types/{type_id}/extra_specs 
@@ -578,7 +1405,26 @@
 
 # Show one specified type extra specs.
 # GET /types/{type_id}/extra_specs/{extra_spec_key}
-#"volume_extension:types_extra_specs:show": "rule:admin_api"
+#"volume_extension:types_extra_specs:show": "rule:xena_system_admin_or_project_reader"
+
+# DEPRECATED
+# "volume_extension:types_extra_specs:show":"" has been deprecated
+# since X in favor of "volume_extension:types_extra_specs:show":"rule:
+# xena_system_admin_or_project_reader".
+# Default policies now support the three Keystone default roles,
+# namely 'admin', 'member', and 'reader' to implement three Cinder
+# "personas". See "Policy Personas and Permissions" in the "Cinder
+# Service Configuration" documentation (Xena release) for details.
+
+# Include extra_specs fields that may reveal sensitive information
+# about the deployment that should not be exposed to end users in
+# various volume-type responses that show extra_specs. The ability to
+# make these calls is governed by other policies.
+# GET /types
+# GET /types/{type_id}
+# GET /types/{type_id}/extra_specs
+# GET /types/{type_id}/extra_specs/{extra_spec_key}
+#"volume_extension:types_extra_specs:read_sensitive": "rule:admin_api"
 
 # Update type extra specs.
 # PUT /types/{type_id}/extra_specs/{extra_spec_key}
@@ -590,30 +1436,80 @@
 # Create volume.
 # POST /volumes
-#"volume:create": ""
+#"volume:create": "rule:xena_system_admin_or_project_member"
+
+# DEPRECATED
+# "volume:create":"" has been deprecated since X in favor of
+# "volume:create":"rule:xena_system_admin_or_project_member".
+# Default policies now support the three Keystone default roles,
+# namely 'admin', 'member', and 'reader' to implement three Cinder
+# "personas". See "Policy Personas and Permissions" in the "Cinder
+# Service Configuration" documentation (Xena release) for details.
 # Create volume from image.
 # POST /volumes
-#"volume:create_from_image": ""
+#"volume:create_from_image": "rule:xena_system_admin_or_project_member"
+
+# DEPRECATED
+# "volume:create_from_image":"" has been deprecated since X in favor
+# of "volume:create_from_image":"rule:xena_system_admin_or_project_mem
+# ber".
+# Default policies now support the three Keystone default roles,
+# namely 'admin', 'member', and 'reader' to implement three Cinder
+# "personas". See "Policy Personas and Permissions" in the "Cinder
+# Service Configuration" documentation (Xena release) for details.
 # Show volume.
 # GET /volumes/{volume_id}
-#"volume:get": "rule:admin_or_owner"
+#"volume:get": "rule:xena_system_admin_or_project_reader"
+
+# DEPRECATED
+# "volume:get":"rule:admin_or_owner" has been deprecated since X in
+# favor of "volume:get":"rule:xena_system_admin_or_project_reader".
+# Default policies now support the three Keystone default roles,
+# namely 'admin', 'member', and 'reader' to implement three Cinder
+# "personas". See "Policy Personas and Permissions" in the "Cinder
+# Service Configuration" documentation (Xena release) for details.
 # List volumes or get summary of volumes.
# GET /volumes
 # GET /volumes/detail
 # GET /volumes/summary
-#"volume:get_all": "rule:admin_or_owner"
+#"volume:get_all": "rule:xena_system_admin_or_project_reader"
+
+# DEPRECATED
+# "volume:get_all":"rule:admin_or_owner" has been deprecated since X
+# in favor of
+# "volume:get_all":"rule:xena_system_admin_or_project_reader".
+# Default policies now support the three Keystone default roles,
+# namely 'admin', 'member', and 'reader' to implement three Cinder
+# "personas". See "Policy Personas and Permissions" in the "Cinder
+# Service Configuration" documentation (Xena release) for details.
 # Update volume or update a volume's bootable status.
 # PUT /volumes
 # POST /volumes/{volume_id}/action (os-set_bootable)
-#"volume:update": "rule:admin_or_owner"
+#"volume:update": "rule:xena_system_admin_or_project_member"
+
+# DEPRECATED
+# "volume:update":"rule:admin_or_owner" has been deprecated since X in
+# favor of "volume:update":"rule:xena_system_admin_or_project_member".
+# Default policies now support the three Keystone default roles,
+# namely 'admin', 'member', and 'reader' to implement three Cinder
+# "personas". See "Policy Personas and Permissions" in the "Cinder
+# Service Configuration" documentation (Xena release) for details.
 # Delete volume.
 # DELETE /volumes/{volume_id}
-#"volume:delete": "rule:admin_or_owner"
+#"volume:delete": "rule:xena_system_admin_or_project_member"
+
+# DEPRECATED
+# "volume:delete":"rule:admin_or_owner" has been deprecated since X in
+# favor of "volume:delete":"rule:xena_system_admin_or_project_member".
+# Default policies now support the three Keystone default roles,
+# namely 'admin', 'member', and 'reader' to implement three Cinder
+# "personas". See "Policy Personas and Permissions" in the "Cinder
+# Service Configuration" documentation (Xena release) for details.
 # Force Delete a volume.
 # DELETE /volumes/{volume_id}
@@ -627,7 +1523,16 @@
 # List or show volume with tenant attribute.
 # GET /volumes/{volume_id}
 # GET /volumes/detail
-#"volume_extension:volume_tenant_attribute": "rule:admin_or_owner"
+#"volume_extension:volume_tenant_attribute": "rule:xena_system_admin_or_project_reader"
+
+# DEPRECATED
+# "volume_extension:volume_tenant_attribute":"rule:admin_or_owner" has
+# been deprecated since X in favor of "volume_extension:volume_tenant_
+# attribute":"rule:xena_system_admin_or_project_reader".
+# Default policies now support the three Keystone default roles,
+# namely 'admin', 'member', and 'reader' to implement three Cinder
+# "personas". See "Policy Personas and Permissions" in the "Cinder
+# Service Configuration" documentation (Xena release) for details.
 # List or show volume with migration status attribute.
 # GET /volumes/{volume_id}
@@ -637,30 +1542,80 @@
 # Show volume's encryption metadata.
 # GET /volumes/{volume_id}/encryption
 # GET /volumes/{volume_id}/encryption/{encryption_key}
-#"volume_extension:volume_encryption_metadata": "rule:admin_or_owner"
+#"volume_extension:volume_encryption_metadata": "rule:xena_system_admin_or_project_reader"
+
+# DEPRECATED
+# "volume_extension:volume_encryption_metadata":"rule:admin_or_owner"
+# has been deprecated since X in favor of "volume_extension:volume_enc
+# ryption_metadata":"rule:xena_system_admin_or_project_reader".
+# Default policies now support the three Keystone default roles,
+# namely 'admin', 'member', and 'reader' to implement three Cinder
+# "personas". See "Policy Personas and Permissions" in the "Cinder
+# Service Configuration" documentation (Xena release) for details.
 # Create multiattach capable volume.
 # POST /volumes
-#"volume:multiattach": "rule:admin_or_owner"
+#"volume:multiattach": "rule:xena_system_admin_or_project_member"
+
+# DEPRECATED
+# "volume:multiattach":"rule:admin_or_owner" has been deprecated since
+# X in favor of
+# "volume:multiattach":"rule:xena_system_admin_or_project_member".
+# Default policies now support the three Keystone default roles,
+# namely 'admin', 'member', and 'reader' to implement three Cinder
+# "personas". See "Policy Personas and Permissions" in the "Cinder
+# Service Configuration" documentation (Xena release) for details.
 # Set or update default volume type.
 # PUT /default-types
-# Intended scope(s): system
-#"volume_extension:default_set_or_update": "rule:system_or_domain_or_project_admin"
+#"volume_extension:default_set_or_update": "rule:admin_api"
+
+# DEPRECATED
+# "volume_extension:default_set_or_update":"rule:system_or_domain_or_p
+# roject_admin" has been deprecated since X in favor of
+# "volume_extension:default_set_or_update":"rule:admin_api".
+# Default policies now support the three Keystone default roles,
+# namely 'admin', 'member', and 'reader' to implement three Cinder
+# "personas". See "Policy Personas and Permissions" in the "Cinder
+# Service Configuration" documentation (Xena release) for details.
 # Get default types.
 # GET /default-types/{project-id}
-# Intended scope(s): system
-#"volume_extension:default_get": "rule:system_or_domain_or_project_admin"
+#"volume_extension:default_get": "rule:admin_api"
+
+# DEPRECATED
+# "volume_extension:default_get":"rule:system_or_domain_or_project_adm
+# in" has been deprecated since X in favor of
+# "volume_extension:default_get":"rule:admin_api".
+# Default policies now support the three Keystone default roles,
+# namely 'admin', 'member', and 'reader' to implement three Cinder
+# "personas". See "Policy Personas and Permissions" in the "Cinder
+# Service Configuration" documentation (Xena release) for details.
 # Get all default types. WARNING: Changing this might open up too much
 # information regarding cloud deployment.
 # GET /default-types/
-# Intended scope(s): system
-#"volume_extension:default_get_all": "role:admin and system_scope:all"
+#"volume_extension:default_get_all": "rule:admin_api"
+
+# DEPRECATED
+# "volume_extension:default_get_all":"role:admin and system_scope:all"
+# has been deprecated since X in favor of
+# "volume_extension:default_get_all":"rule:admin_api".
+# Default policies now support the three Keystone default roles,
+# namely 'admin', 'member', and 'reader' to implement three Cinder
+# "personas". See "Policy Personas and Permissions" in the "Cinder
+# Service Configuration" documentation (Xena release) for details.
 # Unset default type.
# DELETE /default-types/{project-id}
-# Intended scope(s): system
-#"volume_extension:default_unset": "rule:system_or_domain_or_project_admin"
+#"volume_extension:default_unset": "rule:admin_api"
+
+# DEPRECATED
+# "volume_extension:default_unset":"rule:system_or_domain_or_project_a
+# dmin" has been deprecated since X in favor of
+# "volume_extension:default_unset":"rule:admin_api".
+# Default policies now support the three Keystone default roles,
+# namely 'admin', 'member', and 'reader' to implement three Cinder
+# "personas". See "Policy Personas and Permissions" in the "Cinder
+# Service Configuration" documentation (Xena release) for details.
diff --git a/openstack_dashboard/conf/default_policies/cinder.yaml b/openstack_dashboard/conf/default_policies/cinder.yaml
index 5a29e2ec55..0d9d461c0e 100644
--- a/openstack_dashboard/conf/default_policies/cinder.yaml
+++ b/openstack_dashboard/conf/default_policies/cinder.yaml
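Review bot: `volume_extension:default_get_all` is loosened from `role:admin and system_scope:all` to `rule:admin_api` while the WARNING comment kept directly above it still says changing this may expose too much about the deployment, and the `# Intended scope(s): system` annotation is dropped from this rule and from `default_set_or_update`, `default_get` and `default_unset` in the same hunk. Given that `admin_api` resolves to `is_admin:True or (role:admin and is_admin_project:True)` elsewhere in this change, a project-scoped admin token now satisfies a rule that previously demanded a system-scoped one. This presumably mirrors the cinder Xena sample verbatim, but the scope relaxation is the kind of thing an operator carrying scope-based overrides needs to re-check, so it deserves a sentence in the commit message or release note, e.g. `Default-type policies no longer require system scope; deployments with scope-based overrides should review them.`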
@@ -1,74 +1,126 @@
+- check_str: is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s
+ description: 'DEPRECATED: This rule will be removed in the Yoga release. Default
+ rule for most non-Admin APIs.'
+ name: admin_or_owner
+ operations: []
+ scope_types: null
+- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s)
+ or (role:admin and project_id:%(project_id)s)
+ description: 'DEPRECATED: This rule will be removed in the Yoga release. Default
+ rule for admins of cloud, domain or a project.'
+ name: system_or_domain_or_project_admin
+ operations: []
+ scope_types: null
 - check_str: role:admin
 description: Decides what is required for the 'is_admin:True' check to succeed.
 name: context_is_admin
 operations: []
 scope_types: null
-- check_str: is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s
- description: Default rule for most non-Admin APIs.
- name: admin_or_owner
- operations: []
- scope_types: null
 - check_str: is_admin:True or (role:admin and is_admin_project:True)
 description: Default rule for most Admin APIs.
 name: admin_api
 operations: []
 scope_types: null
-- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s)
- or (role:admin and project_id:%(project_id)s)
- description: Default rule for admins of cloud, domain or a project.
- name: system_or_domain_or_project_admin
+- check_str: (role:admin) or (role:reader and project_id:%(project_id)s)
+ description: 'NOTE: this purely role-based rule recognizes only project scope'
+ name: xena_system_admin_or_project_reader
 operations: []
 scope_types: null
-- check_str: ''
+- check_str: (role:admin) or (role:member and project_id:%(project_id)s)
+ description: 'NOTE: this purely role-based rule recognizes only project scope'
+ name: xena_system_admin_or_project_member
+ operations: []
+ scope_types: null
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: ''
+ name: volume:attachment_create
+ deprecated_since: null
 description: Create attachment.
 name: volume:attachment_create
 operations:
 - method: POST
 path: /attachments
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: volume:attachment_update
+ deprecated_since: null
 description: Update attachment.
 name: volume:attachment_update
 operations:
 - method: PUT
 path: /attachments/{attachment_id}
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: volume:attachment_delete
+ deprecated_since: null
 description: Delete attachment.
name: volume:attachment_delete
 operations:
 - method: DELETE
 path: /attachments/{attachment_id}
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: volume:attachment_complete
+ deprecated_since: null
 description: Mark a volume attachment process as completed (in-use)
 name: volume:attachment_complete
 operations:
 - method: POST
 path: /attachments/{attachment_id}/action (os-complete)
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: volume:multiattach_bootable_volume
+ deprecated_since: null
 description: Allow multiattach of bootable volumes.
 name: volume:multiattach_bootable_volume
 operations:
 - method: POST
 path: /attachments
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_reader
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: message:get_all
+ deprecated_since: null
 description: List messages.
 name: message:get_all
 operations:
 - method: GET
 path: /messages
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_reader
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: message:get
+ deprecated_since: null
 description: Show message.
 name: message:get
 operations:
 - method: GET
 path: /messages/{message_id}
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: message:delete
+ deprecated_since: null
 description: Delete message.
 name: message:delete
 operations:
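Review bot: The two new base rules `xena_system_admin_or_project_reader` and `xena_system_admin_or_project_member` carry an unqualified `(role:admin)` disjunct, so a token holding the admin role on any project satisfies them regardless of `project_id`; their own description ("purely role-based rule recognizes only project scope") says as much, and every rule in this file that now points at them inherits that property. That is the Xena trade-off cinder chose, but it is the opposite of the scope-aware `system_or_domain_or_project_admin` rule this file deprecates, so it should be called out for deployers rather than left to be discovered from the description string. Separately, every `deprecated_rule` block added here has `deprecated_reason: null` and `deprecated_since: null`, whereas the commented sample in the sibling policy file says these rules were deprecated "since X" with a stated rationale; if horizon's loader hands these fields to oslo.policy's deprecation handling, the resulting warnings will carry neither release nor reason, so populating them (e.g. `deprecated_since: X` plus the rationale text from the sample) would be preferable.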
@@ -105,7 +157,12 @@
 - method: POST
 path: /workers/cleanup
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_reader
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: volume:get_snapshot_metadata
+ deprecated_since: null
 description: Show snapshot's metadata or one specified metadata with a given key.
 name: volume:get_snapshot_metadata
 operations:
@@ -114,23 +171,38 @@
 - method: GET
 path: /snapshots/{snapshot_id}/metadata/{key}
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: volume:update_snapshot_metadata
+ deprecated_since: null
 description: Update snapshot's metadata or one specified metadata with a given key.
 name: volume:update_snapshot_metadata
 operations:
- - method: PUT
+ - method: POST
 path: /snapshots/{snapshot_id}/metadata
 - method: PUT
 path: /snapshots/{snapshot_id}/metadata/{key}
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: volume:delete_snapshot_metadata
+ deprecated_since: null
 description: Delete snapshot's specified metadata with a given key.
 name: volume:delete_snapshot_metadata
 operations:
 - method: DELETE
 path: /snapshots/{snapshot_id}/metadata/{key}
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_reader
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: volume:get_all_snapshots
+ deprecated_since: null
 description: List snapshots.
 name: volume:get_all_snapshots
 operations:
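Review bot: In the second hunk the `PUT` entry for `/snapshots/{snapshot_id}/metadata` under `volume:update_snapshot_metadata` is replaced by `POST` rather than supplemented, so the operations list no longer documents a PUT on the collection path. If the replace-all PUT on that path is still governed by this policy, the list is now incomplete; if it is not, a short note in the commit message explaining why the verb changed would help, since the `operations` entries are what horizon readers use to map a policy to an API call.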
@@ -139,7 +211,12 @@
 - method: GET
 path: /snapshots/detail
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_reader
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: volume_extension:extended_snapshot_attributes
+ deprecated_since: null
 description: List or show snapshots with extended attributes.
 name: volume_extension:extended_snapshot_attributes
 operations:
@@ -148,28 +225,48 @@
 - method: GET
 path: /snapshots/detail
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: volume:create_snapshot
+ deprecated_since: null
 description: Create snapshot.
 name: volume:create_snapshot
 operations:
 - method: POST
 path: /snapshots
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_reader
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: volume:get_snapshot
+ deprecated_since: null
 description: Show snapshot.
 name: volume:get_snapshot
 operations:
 - method: GET
 path: /snapshots/{snapshot_id}
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: volume:update_snapshot
+ deprecated_since: null
 description: Update snapshot.
 name: volume:update_snapshot
 operations:
 - method: PUT
 path: /snapshots/{snapshot_id}
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: volume:delete_snapshot
+ deprecated_since: null
 description: Delete snapshot.
 name: volume:delete_snapshot
 operations:
@@ -183,7 +280,12 @@
 - method: POST
 path: /snapshots/{snapshot_id}/action (os-reset_status)
 scope_types: null
-- check_str: ''
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: ''
+ name: snapshot_extension:snapshot_actions:update_snapshot_status
+ deprecated_since: null
 description: Update database fields of snapshot.
 name: snapshot_extension:snapshot_actions:update_snapshot_status
 operations:
@@ -220,7 +322,12 @@
 - method: POST
 path: /snapshots/{snapshot_id}/action (os-unmanage)
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_reader
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: backup:get_all
+ deprecated_since: null
 description: List backups.
 name: backup:get_all
 operations:
@@ -238,35 +345,60 @@
 - method: GET
 path: /backups/detail
 scope_types: null
-- check_str: ''
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: ''
+ name: backup:create
+ deprecated_since: null
 description: Create backup.
 name: backup:create
 operations:
 - method: POST
 path: /backups
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_reader
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: backup:get
+ deprecated_since: null
 description: Show backup.
 name: backup:get
 operations:
 - method: GET
 path: /backups/{backup_id}
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: backup:update
+ deprecated_since: null
 description: Update backup.
 name: backup:update
 operations:
 - method: PUT
 path: /backups/{backup_id}
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: backup:delete
+ deprecated_since: null
 description: Delete backup.
 name: backup:delete
 operations:
 - method: DELETE
 path: /backups/{backup_id}
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: backup:restore
+ deprecated_since: null
 description: Restore backup.
 name: backup:restore
 operations:
@@ -301,7 +433,12 @@
 - method: POST
 path: /backups/{backup_id}/action (os-force_delete)
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_reader
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: group:get_all
+ deprecated_since: null
 description: List groups.
 name: group:get_all
 operations:
@@ -310,21 +447,36 @@
 - method: GET
 path: /groups/detail
 scope_types: null
-- check_str: ''
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: ''
+ name: group:create
+ deprecated_since: null
 description: Create group.
 name: group:create
 operations:
 - method: POST
 path: /groups
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_reader
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: group:get
+ deprecated_since: null
 description: Show group.
 name: group:get
 operations:
 - method: GET
 path: /groups/{group_id}
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: group:update
+ deprecated_since: null
 description: Update group.
 name: group:update
 operations:
@@ -341,13 +493,38 @@
 path: /groups/detail
 scope_types: null
 - check_str: rule:admin_api
- description: Create, update or delete a group type.
- name: group:group_types_manage
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_api
+ name: group:group_types_manage
+ deprecated_since: null
+ description: Create a group type.
+ name: group:group_types:create
 operations:
 - method: POST
 path: /group_types/
+ scope_types: null
+- check_str: rule:admin_api
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_api
+ name: group:group_types_manage
+ deprecated_since: null
+ description: Update a group type.
+ name: group:group_types:update
+ operations:
 - method: PUT
 path: /group_types/{group_type_id}
+ scope_types: null
+- check_str: rule:admin_api
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_api
+ name: group:group_types_manage
+ deprecated_since: null
+ description: Delete a group type.
+ name: group:group_types:delete
+ operations:
 - method: DELETE
 path: /group_types/{group_type_id}
 scope_types: null
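Review bot: `group:group_types_manage` is split into `group:group_types:create`, `:update` and `:delete`, each carrying a `deprecated_rule` that names the same old rule, so an operator override of `group:group_types_manage` in a local policy file only continues to apply if horizon's policy loader honours the deprecated-rule fallback for several new names mapping to one old one; I cannot see that loader here, so this is worth confirming. The same one-to-many split is made for `group:group_types_specs`, `volume_extension:quota_classes` and `volume_extension:types_manage` in later hunks of this file. Until the old names are dropped, the new granular names should be listed in the release note so deployers know which targets their overrides now need.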
@@ -359,21 +536,71 @@
 path: /group_types/{group_type_id}
 scope_types: null
 - check_str: rule:admin_api
- description: Create, show, update and delete group type spec.
- name: group:group_types_specs
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_api
+ name: group:group_types_specs
+ deprecated_since: null
+ description: Show a group type spec.
+ name: group:group_types_specs:get
 operations:
 - method: GET
 path: /group_types/{group_type_id}/group_specs/{g_spec_id}
+ scope_types: null
+- check_str: rule:admin_api
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_api
+ name: group:group_types_specs
+ deprecated_since: null
+ description: List group type specs.
+ name: group:group_types_specs:get_all
+ operations:
 - method: GET
 path: /group_types/{group_type_id}/group_specs
+ scope_types: null
+- check_str: rule:admin_api
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_api
+ name: group:group_types_specs
+ deprecated_since: null
+ description: Create a group type spec.
+ name: group:group_types_specs:create
+ operations:
 - method: POST
 path: /group_types/{group_type_id}/group_specs
+ scope_types: null
+- check_str: rule:admin_api
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_api
+ name: group:group_types_specs
+ deprecated_since: null
+ description: Update a group type spec.
+ name: group:group_types_specs:update
+ operations:
 - method: PUT
 path: /group_types/{group_type_id}/group_specs/{g_spec_id}
+ scope_types: null
+- check_str: rule:admin_api
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_api
+ name: group:group_types_specs
+ deprecated_since: null
+ description: Delete a group type spec.
+ name: group:group_types_specs:delete
+ operations:
 - method: DELETE
 path: /group_types/{group_type_id}/group_specs/{g_spec_id}
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_reader
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: group:get_all_group_snapshots
+ deprecated_since: null
 description: List group snapshots.
 name: group:get_all_group_snapshots
 operations:
@@ -382,28 +609,48 @@
 - method: GET
 path: /group_snapshots/detail
 scope_types: null
-- check_str: ''
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: ''
+ name: group:create_group_snapshot
+ deprecated_since: null
 description: Create group snapshot.
 name: group:create_group_snapshot
 operations:
 - method: POST
 path: /group_snapshots
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_reader
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: group:get_group_snapshot
+ deprecated_since: null
 description: Show group snapshot.
 name: group:get_group_snapshot
 operations:
 - method: GET
 path: /group_snapshots/{group_snapshot_id}
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: group:delete_group_snapshot
+ deprecated_since: null
 description: Delete group snapshot.
 name: group:delete_group_snapshot
 operations:
 - method: DELETE
 path: /group_snapshots/{group_snapshot_id}
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: group:update_group_snapshot
+ deprecated_since: null
 description: Update group snapshot.
 name: group:update_group_snapshot
 operations:
@@ -426,7 +673,12 @@
 - method: POST
 path: /group_snapshots/{g_snapshot_id}/action (reset_status)
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: group:delete
+ deprecated_since: null
 description: Delete group.
 name: group:delete
 operations:
@@ -440,28 +692,48 @@
 - method: POST
 path: /groups/{group_id}/action (reset_status)
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: group:enable_replication
+ deprecated_since: null
 description: Enable replication.
 name: group:enable_replication
 operations:
 - method: POST
 path: /groups/{group_id}/action (enable_replication)
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: group:disable_replication
+ deprecated_since: null
 description: Disable replication.
 name: group:disable_replication
 operations:
 - method: POST
 path: /groups/{group_id}/action (disable_replication)
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: group:failover_replication
+ deprecated_since: null
 description: Fail over replication.
 name: group:failover_replication
 operations:
 - method: POST
 path: /groups/{group_id}/action (failover_replication)
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_member
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: group:list_replication_targets
+ deprecated_since: null
 description: List failover replication.
 name: group:list_replication_targets
 operations:
@@ -514,15 +786,35 @@
 path: /qos-specs/{qos_id}/delete_keys
 scope_types: null
 - check_str: rule:admin_api
- description: Show or update project quota class.
- name: volume_extension:quota_classes
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_api
+ name: volume_extension:quota_classes
+ deprecated_since: null
+ description: Show project quota class.
+ name: volume_extension:quota_classes:get
 operations:
 - method: GET
 path: /os-quota-class-sets/{project_id}
+ scope_types: null
+- check_str: rule:admin_api
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_api
+ name: volume_extension:quota_classes
+ deprecated_since: null
+ description: Update project quota class.
+ name: volume_extension:quota_classes:update
+ operations:
 - method: PUT
 path: /os-quota-class-sets/{project_id}
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_reader
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: volume_extension:quotas:show
+ deprecated_since: null
 description: Show project quota (including usage and default).
 name: volume_extension:quotas:show
 operations:
@@ -608,7 +900,12 @@
 - method: GET
 path: /os-hosts/{host_id}
 scope_types: null
-- check_str: rule:admin_or_owner
+- check_str: rule:xena_system_admin_or_project_reader
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_or_owner
+ name: limits_extension:used_limits
+ deprecated_since: null
 description: Show limits with used limit attributes.
 name: limits_extension:used_limits
 operations:
@@ -639,80 +936,73 @@
 path: /volumes/{volume_id}/action (os-unmanage)
 scope_types: null
 - check_str: rule:admin_api
- description: Create, update and delete volume type.
- name: volume_extension:types_manage
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_api
+ name: volume_extension:types_manage
+ deprecated_since: null
+ description: Create volume type.
+ name: volume_extension:type_create
 operations:
 - method: POST
 path: /types
+ scope_types: null
+- check_str: rule:admin_api
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_api
+ name: volume_extension:types_manage
+ deprecated_since: null
+ description: Update volume type.
+ name: volume_extension:type_update
+ operations:
 - method: PUT
 path: /types
+ scope_types: null
+- check_str: rule:admin_api
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_api
+ name: volume_extension:types_manage
+ deprecated_since: null
+ description: Delete volume type.
+ name: volume_extension:type_delete
+ operations:
 - method: DELETE
 path: /types
 scope_types: null
-- check_str: ''
+- check_str: rule:xena_system_admin_or_project_reader
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: ''
+ name: volume_extension:type_get
+ deprecated_since: null
 description: Get one specific volume type.
 name: volume_extension:type_get
 operations:
 - method: GET
 path: /types/{type_id}
 scope_types: null
-- check_str: ''
+- check_str: rule:xena_system_admin_or_project_reader
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: ''
+ name: volume_extension:type_get_all
+ deprecated_since: null
 description: List volume types.
 name: volume_extension:type_get_all
 operations:
 - method: GET
 path: /types/
 scope_types: null
-- check_str: rule:admin_api
- description: Base policy for all volume type encryption type operations.
This can
- be used to set the policies for a volume type's encryption type create, show,
- update, and delete actions in one place, or any of those may be set individually
- using the following policy targets for finer grained control.
- name: volume_extension:volume_type_encryption
- operations:
- - method: POST
- path: /types/{type_id}/encryption
- - method: PUT
- path: /types/{type_id}/encryption/{encryption_id}
- - method: GET
- path: /types/{type_id}/encryption
- - method: GET
- path: /types/{type_id}/encryption/{key}
- - method: DELETE
- path: /types/{type_id}/encryption/{encryption_id}
- scope_types: null
-- check_str: rule:volume_extension:volume_type_encryption
- description: Create volume type encryption.
- name: volume_extension:volume_type_encryption:create
- operations:
- - method: POST
- path: /types/{type_id}/encryption
- scope_types: null
-- check_str: rule:volume_extension:volume_type_encryption
- description: Show a volume type's encryption type, show an encryption specs item.
- name: volume_extension:volume_type_encryption:get
- operations:
- - method: GET
- path: /types/{type_id}/encryption
- - method: GET
- path: /types/{type_id}/encryption/{key}
- scope_types: null
-- check_str: rule:volume_extension:volume_type_encryption
- description: Update volume type encryption.
- name: volume_extension:volume_type_encryption:update
- operations:
- - method: PUT
- path: /types/{type_id}/encryption/{encryption_id}
- scope_types: null
-- check_str: rule:volume_extension:volume_type_encryption
- description: Delete volume type encryption.
- name: volume_extension:volume_type_encryption:delete
- operations:
- - method: DELETE
- path: /types/{type_id}/encryption/{encryption_id}
- scope_types: null
-- check_str: rule:admin_api
- description: List or show volume type with access type extra specs attribute.
+- check_str: rule:xena_system_admin_or_project_reader
+ deprecated_reason: null
+ deprecated_rule:
+ check_str: rule:admin_api
+ name: volume_extension:access_types_extra_specs
+ deprecated_since: null
+ description: Include the volume type's extra_specs attribute in the volume type
+ list or show requests. The ability to make these calls is governed by other policies.
 name: volume_extension:access_types_extra_specs
 operations:
 - method: GET
@@ -721,7 +1011,9 @@
 path: /types
 scope_types: null
 - check_str: rule:admin_api
- description: List or show volume type with access type qos specs id attribute.
+ description: Include the volume type's QoS specifications ID attribute in the volume
+ type list or show requests. The ability to make these calls is governed by other
+ policies.
 name: volume_extension:access_types_qos_specs_id
 operations:
 - method: GET
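Review bot: `volume_extension:access_types_extra_specs` moves from `rule:admin_api` to `rule:xena_system_admin_or_project_reader`, so the volume type's `extra_specs` attribute is now advertised as visible to any project reader in list and show responses, where it was admin-only before; `volume_extension:type_get` and `type_get_all` in the same hunk go from `''` to project reader at the same time. The sample policy file in this change introduces a separate `volume_extension:types_extra_specs:read_sensitive` rule (kept at `rule:admin_api`) that is meant to keep deployment-sensitive keys out of those responses, but no corresponding entry appears in the hunks of this default_policies file that I can see, so please confirm it is registered elsewhere in the file; otherwise the two files disagree on what a reader may see. A one-line note on this entry, e.g. `# sensitive extra_specs keys remain gated by volume_extension:types_extra_specs:read_sensitive`, would make the dependency visible to whoever tunes this default.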
@@ -729,14 +1021,73 @@ - method: GET path: /types scope_types: null -- check_str: rule:admin_or_owner - description: Volume type access related APIs. +- check_str: rule:admin_api + description: 'DEPRECATED: This rule will be removed in the Yoga release.' + name: volume_extension:volume_type_encryption + operations: [] + scope_types: null +- check_str: rule:admin_api + deprecated_reason: null + deprecated_rule: + check_str: rule:volume_extension:volume_type_encryption + name: volume_extension:volume_type_encryption:create + deprecated_since: null + description: Create volume type encryption. + name: volume_extension:volume_type_encryption:create + operations: + - method: POST + path: /types/{type_id}/encryption + scope_types: null +- check_str: rule:admin_api + deprecated_reason: null + deprecated_rule: + check_str: rule:volume_extension:volume_type_encryption + name: volume_extension:volume_type_encryption:get + deprecated_since: null + description: Show a volume type's encryption type, show an encryption specs item. + name: volume_extension:volume_type_encryption:get + operations: + - method: GET + path: /types/{type_id}/encryption + - method: GET + path: /types/{type_id}/encryption/{key} + scope_types: null +- check_str: rule:admin_api + deprecated_reason: null + deprecated_rule: + check_str: rule:volume_extension:volume_type_encryption + name: volume_extension:volume_type_encryption:update + deprecated_since: null + description: Update volume type encryption. + name: volume_extension:volume_type_encryption:update + operations: + - method: PUT + path: /types/{type_id}/encryption/{encryption_id} + scope_types: null +- check_str: rule:admin_api + deprecated_reason: null + deprecated_rule: + check_str: rule:volume_extension:volume_type_encryption + name: volume_extension:volume_type_encryption:delete + deprecated_since: null + description: Delete volume type encryption. 
+ name: volume_extension:volume_type_encryption:delete + operations: + - method: DELETE + path: /types/{type_id}/encryption/{encryption_id} + scope_types: null +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume_extension:volume_type_access + deprecated_since: null + description: Adds the boolean field 'os-volume-type-access:is_public' to the responses + for these API calls. The ability to make these calls is governed by other policies. name: volume_extension:volume_type_access operations: - method: GET path: /types - - method: GET - path: /types/detail - method: GET path: /types/{type_id} - method: POST 
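Review bot: The new check_str for `volume_extension:volume_type_access` is `rule:xena_system_admin_or_project_member`, although its own description says the rule only adds the `os-volume-type-access:is_public` field to responses whose access is governed by other policies; the other field-inclusion rules in this diff (`volume_extension:access_types_extra_specs`, `volume_extension:volume_image_metadata:show`) use the `_reader` variant. As written, a project reader can list volume types but will not receive the `is_public` field, which the dashboard may rely on to distinguish private types. If this mirrors the upstream cinder default for the targeted release it can stay, but it is worth confirming rather than assuming.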
@@ -756,21 +1107,49 @@ - method: POST path: /types/{type_id}/action (removeProjectAccess) scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:admin_api + deprecated_reason: null + deprecated_rule: + check_str: volume_extension:volume_type_access + name: volume_extension:volume_type_access:get_all_for_type + deprecated_since: null + description: List private volume type access detail, that is, list the projects + that have access to this volume type. + name: volume_extension:volume_type_access:get_all_for_type + operations: + - method: GET + path: /types/{type_id}/os-volume-type-access + scope_types: null +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume:extend + deprecated_since: null description: Extend a volume. name: volume:extend operations: - method: POST path: /volumes/{volume_id}/action (os-extend) scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume:extend_attached_volume + deprecated_since: null description: Extend a attached volume. name: volume:extend_attached_volume operations: - method: POST path: /volumes/{volume_id}/action (os-extend) scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume:revert_to_snapshot + deprecated_since: null description: Revert a volume to a snapshot. name: volume:revert_to_snapshot operations: 
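Review bot: In the `volume_extension:volume_type_access:get_all_for_type` entry, `deprecated_rule.check_str` is `volume_extension:volume_type_access` without the `rule:` prefix that every other `deprecated_rule` in these hunks carries. Without the prefix oslo.policy does not parse this as a reference to the named rule but as a generic credential check, so the deprecation fallback presumably can never match and the entry is effectively admin-only from day one. If this was copied verbatim from the upstream policy generator output, it is worth reporting there; otherwise it should read `check_str: rule:volume_extension:volume_type_access`.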
@@ -784,14 +1163,24 @@ - method: POST path: /volumes/{volume_id}/action (os-reset_status) scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume:retype + deprecated_since: null description: Retype a volume. name: volume:retype operations: - method: POST path: /volumes/{volume_id}/action (os-retype) scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume:update_readonly_flag + deprecated_since: null description: Update a volume's readonly flag. name: volume:update_readonly_flag operations: @@ -812,7 +1201,12 @@ - method: POST path: /volumes/{volume_id}/action (os-volume_upload_image) scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume_extension:volume_actions:upload_image + deprecated_since: null description: Upload a volume to image. name: volume_extension:volume_actions:upload_image operations: 
@@ -840,63 +1234,122 @@ - method: POST path: /volumes/{volume_id}/action (os-migrate_volume_completion) scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume_extension:volume_actions:initialize_connection + deprecated_since: null description: Initialize volume attachment. name: volume_extension:volume_actions:initialize_connection operations: - method: POST path: /volumes/{volume_id}/action (os-initialize_connection) scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume_extension:volume_actions:terminate_connection + deprecated_since: null description: Terminate volume attachment. name: volume_extension:volume_actions:terminate_connection operations: - method: POST path: /volumes/{volume_id}/action (os-terminate_connection) scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume_extension:volume_actions:roll_detaching + deprecated_since: null description: Roll back volume status to 'in-use'. name: volume_extension:volume_actions:roll_detaching operations: - method: POST path: /volumes/{volume_id}/action (os-roll_detaching) scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume_extension:volume_actions:reserve + deprecated_since: null description: Mark volume as reserved. 
name: volume_extension:volume_actions:reserve operations: - method: POST path: /volumes/{volume_id}/action (os-reserve) scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume_extension:volume_actions:unreserve + deprecated_since: null description: Unmark volume as reserved. name: volume_extension:volume_actions:unreserve operations: - method: POST path: /volumes/{volume_id}/action (os-unreserve) scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume_extension:volume_actions:begin_detaching + deprecated_since: null description: Begin detach volumes. name: volume_extension:volume_actions:begin_detaching operations: - method: POST path: /volumes/{volume_id}/action (os-begin_detaching) scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume_extension:volume_actions:attach + deprecated_since: null description: Add attachment metadata. name: volume_extension:volume_actions:attach operations: - method: POST path: /volumes/{volume_id}/action (os-attach) scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume_extension:volume_actions:detach + deprecated_since: null description: Clear attachment metadata. name: volume_extension:volume_actions:detach operations: - method: POST path: /volumes/{volume_id}/action (os-detach) scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_member + description: Reimage a volume in 'available' or 'error' status. 
+ name: volume:reimage + operations: + - method: POST + path: /volumes/{volume_id}/action (os-reimage) + scope_types: null +- check_str: rule:xena_system_admin_or_project_member + description: Reimage a volume in 'reserved' status. + name: volume:reimage_reserved + operations: + - method: POST + path: /volumes/{volume_id}/action (os-reimage) + scope_types: null +- check_str: rule:xena_system_admin_or_project_reader + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume:get_all_transfers + deprecated_since: null description: List volume transfer. name: volume:get_all_transfers operations: @@ -909,7 +1362,12 @@ - method: GET path: /volume-transfers/detail scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume:create_transfer + deprecated_since: null description: Create a volume transfer. name: volume:create_transfer operations: @@ -918,7 +1376,12 @@ - method: POST path: /volume_transfers scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_reader + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume:get_transfer + deprecated_since: null description: Show one specified volume transfer. name: volume:get_transfer operations: @@ -927,7 +1390,12 @@ - method: GET path: /volume-transfers/{transfer_id} scope_types: null -- check_str: '' +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: '' + name: volume:accept_transfer + deprecated_since: null description: Accept a volume transfer. name: volume:accept_transfer operations: 
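Review bot: `volume:accept_transfer` moves from `''` to `rule:xena_system_admin_or_project_member`, but because `deprecated_rule.check_str` stays `''`, an enforcer left with oslo.policy's default deprecation handling will keep honoring the old open rule alongside the new one until the deprecated rule is dropped or new defaults are enforced, so the effective default is unchanged for now. The same applies to `volume:create` and `volume:create_from_image` later in this diff. This is how the oslo.policy deprecation mechanism is meant to work, but a comment at the top of the file stating that entries whose deprecated rule is `''` remain open until the deprecation period ends would save deployers a surprise.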
@@ -936,7 +1404,12 @@ - method: POST path: /volume-transfers/{transfer_id}/accept scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume:delete_transfer + deprecated_since: null description: Delete volume transfer. name: volume:delete_transfer operations: @@ -945,7 +1418,12 @@ - method: DELETE path: /volume-transfers/{transfer_id} scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_reader + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume:get_volume_metadata + deprecated_since: null description: Show volume's metadata or one specified metadata with a given key. name: volume:get_volume_metadata operations: @@ -953,16 +1431,29 @@ path: /volumes/{volume_id}/metadata - method: GET path: /volumes/{volume_id}/metadata/{key} + - method: POST + path: /volumes/{volume_id}/action (os-show_image_metadata) scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume:create_volume_metadata + deprecated_since: null description: Create volume metadata. name: volume:create_volume_metadata operations: - method: POST path: /volumes/{volume_id}/metadata scope_types: null -- check_str: rule:admin_or_owner - description: Update volume's metadata or one specified metadata with a given key. +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume:update_volume_metadata + deprecated_since: null + description: Replace a volume's metadata dictionary or update a single metadatum + with a given key. name: volume:update_volume_metadata operations: - method: PUT 
@@ -970,30 +1461,60 @@ - method: PUT path: /volumes/{volume_id}/metadata/{key} scope_types: null -- check_str: rule:admin_or_owner - description: Delete volume's specified metadata with a given key. +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume:delete_volume_metadata + deprecated_since: null + description: Delete a volume's metadatum with the given key. name: volume:delete_volume_metadata operations: - method: DELETE path: /volumes/{volume_id}/metadata/{key} scope_types: null -- check_str: rule:admin_or_owner - description: Volume's image metadata related operation, create, delete, show and - list. - name: volume_extension:volume_image_metadata +- check_str: rule:xena_system_admin_or_project_reader + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume_extension:volume_image_metadata + deprecated_since: null + description: Include a volume's image metadata in volume detail responses. The + ability to make these calls is governed by other policies. 
+ name: volume_extension:volume_image_metadata:show operations: - method: GET path: /volumes/detail - method: GET path: /volumes/{volume_id} + scope_types: null +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume_extension:volume_image_metadata + deprecated_since: null + description: Set image metadata for a volume + name: volume_extension:volume_image_metadata:set + operations: - method: POST path: /volumes/{volume_id}/action (os-set_image_metadata) + scope_types: null +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume_extension:volume_image_metadata + deprecated_since: null + description: Remove specific image metadata from a volume + name: volume_extension:volume_image_metadata:remove + operations: - method: POST path: /volumes/{volume_id}/action (os-unset_image_metadata) scope_types: null - check_str: rule:admin_api - description: Update volume admin metadata. It's used in `attach` and `os-update_readonly_flag` - APIs + description: Update volume admin metadata. This permission is required to complete + these API calls, though the ability to make these calls is governed by other policies. name: volume:update_volume_admin_metadata operations: - method: POST @@ -1001,7 +1522,12 @@ - method: POST path: /volumes/{volume_id}/action (os-attach) scope_types: null -- check_str: rule:admin_api +- check_str: rule:xena_system_admin_or_project_reader + deprecated_reason: null + deprecated_rule: + check_str: '' + name: volume_extension:types_extra_specs:index + deprecated_since: null description: List type extra specs. name: volume_extension:types_extra_specs:index operations: 
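Review bot: For `volume_extension:types_extra_specs:index` the `deprecated_rule.check_str` is recorded as `''`, yet the line being replaced in this file shows the previous default here was `rule:admin_api`; the same mismatch appears for `volume_extension:types_extra_specs:show` in the next hunk. If the deprecated fallback is honored, the effective check during the deprecation window is unrestricted rather than admin-only, which loosens access in the opposite direction from the value this file used to carry. Worth confirming against the cinder release this file mirrors; if the fallback is meant to be the prior value, `check_str: rule:admin_api` under `deprecated_rule` is the fix.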
@@ -1015,13 +1541,34 @@ - method: POST path: /types/{type_id}/extra_specs scope_types: null -- check_str: rule:admin_api +- check_str: rule:xena_system_admin_or_project_reader + deprecated_reason: null + deprecated_rule: + check_str: '' + name: volume_extension:types_extra_specs:show + deprecated_since: null description: Show one specified type extra specs. name: volume_extension:types_extra_specs:show operations: - method: GET path: /types/{type_id}/extra_specs/{extra_spec_key} scope_types: null +- check_str: rule:admin_api + description: Include extra_specs fields that may reveal sensitive information about + the deployment that should not be exposed to end users in various volume-type + responses that show extra_specs. The ability to make these calls is governed by + other policies. + name: volume_extension:types_extra_specs:read_sensitive + operations: + - method: GET + path: /types + - method: GET + path: /types/{type_id} + - method: GET + path: /types/{type_id}/extra_specs + - method: GET + path: /types/{type_id}/extra_specs/{extra_spec_key} + scope_types: null - check_str: rule:admin_api description: Update type extra specs. name: volume_extension:types_extra_specs:update 
@@ -1036,28 +1583,48 @@ - method: DELETE path: /types/{type_id}/extra_specs/{extra_spec_key} scope_types: null -- check_str: '' +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: '' + name: volume:create + deprecated_since: null description: Create volume. name: volume:create operations: - method: POST path: /volumes scope_types: null -- check_str: '' +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: '' + name: volume:create_from_image + deprecated_since: null description: Create volume from image. name: volume:create_from_image operations: - method: POST path: /volumes scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_reader + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume:get + deprecated_since: null description: Show volume. name: volume:get operations: - method: GET path: /volumes/{volume_id} scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_reader + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume:get_all + deprecated_since: null description: List volumes or get summary of volumes. name: volume:get_all operations: @@ -1068,7 +1635,12 @@ - method: GET path: /volumes/summary scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume:update + deprecated_since: null description: Update volume or update a volume's bootable status. name: volume:update operations: 
@@ -1077,7 +1649,12 @@ - method: POST path: /volumes/{volume_id}/action (os-set_bootable) scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume:delete + deprecated_since: null description: Delete volume. name: volume:delete operations: @@ -1100,7 +1677,12 @@ - method: GET path: /volumes/detail scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_reader + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume_extension:volume_tenant_attribute + deprecated_since: null description: List or show volume with tenant attribute. name: volume_extension:volume_tenant_attribute operations: @@ -1118,7 +1700,12 @@ - method: GET path: /volumes/detail scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_reader + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume_extension:volume_encryption_metadata + deprecated_since: null description: Show volume's encryption metadata. name: volume_extension:volume_encryption_metadata operations: 
@@ -1127,43 +1714,64 @@ - method: GET path: /volumes/{volume_id}/encryption/{encryption_key} scope_types: null -- check_str: rule:admin_or_owner +- check_str: rule:xena_system_admin_or_project_member + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: volume:multiattach + deprecated_since: null description: Create multiattach capable volume. name: volume:multiattach operations: - method: POST path: /volumes scope_types: null -- check_str: rule:system_or_domain_or_project_admin +- check_str: rule:admin_api + deprecated_reason: null + deprecated_rule: + check_str: rule:system_or_domain_or_project_admin + name: volume_extension:default_set_or_update + deprecated_since: null description: Set or update default volume type. name: volume_extension:default_set_or_update operations: - method: PUT path: /default-types - scope_types: - - system -- check_str: rule:system_or_domain_or_project_admin + scope_types: null +- check_str: rule:admin_api + deprecated_reason: null + deprecated_rule: + check_str: rule:system_or_domain_or_project_admin + name: volume_extension:default_get + deprecated_since: null description: Get default types. name: volume_extension:default_get operations: - method: GET path: /default-types/{project-id} - scope_types: - - system -- check_str: role:admin and system_scope:all + scope_types: null +- check_str: rule:admin_api + deprecated_reason: null + deprecated_rule: + check_str: role:admin and system_scope:all + name: volume_extension:default_get_all + deprecated_since: null description: 'Get all default types. WARNING: Changing this might open up too much information regarding cloud deployment.' 
name: volume_extension:default_get_all operations: - method: GET path: /default-types/ - scope_types: - - system -- check_str: rule:system_or_domain_or_project_admin + scope_types: null +- check_str: rule:admin_api + deprecated_reason: null + deprecated_rule: + check_str: rule:system_or_domain_or_project_admin + name: volume_extension:default_unset + deprecated_since: null description: Unset default type. name: volume_extension:default_unset operations: - method: DELETE path: /default-types/{project-id} - scope_types: - - system + scope_types: null diff --git a/openstack_dashboard/conf/default_policies/glance.yaml b/openstack_dashboard/conf/default_policies/glance.yaml index 46d635804d..0dc1846f6e 100644 --- a/openstack_dashboard/conf/default_policies/glance.yaml +++ b/openstack_dashboard/conf/default_policies/glance.yaml @@ -1,13 +1,9 @@ - check_str: '' - deprecated_reason: In order to allow operators to accept the default policies from - code by not defining them in the policy file, while still working with old policy - files that rely on the ``default`` rule for policies that are not specified in - the policy file, the ``default`` rule must now be explicitly set to ``"role:admin"`` - when that is the desired default for unspecified rules. + deprecated_reason: null deprecated_rule: check_str: role:admin name: default - deprecated_since: Ussuri + deprecated_since: null description: Defines the default rule used for policies that historically had an empty policy in the supplied policy.json file. name: default 
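Review bot: `volume_extension:default_get_all` drops from `role:admin and system_scope:all` with `scope_types: [system]` to `rule:admin_api` with `scope_types: null`, while its description keeps the WARNING that exposing it "might open up too much information regarding cloud deployment". The new default therefore admits any project-scoped admin (per the `admin_api` rule defined at the top of this file), and with `scope_types` null there is no scope enforcement left to narrow it. The same relaxation applies to `default_set_or_update`, `default_get` and `default_unset` in this hunk; if it is intentional to match upstream cinder defaults, a short comment above these entries saying so would help deployers decide whether to override them.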
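Review bot: Setting `deprecated_reason` and `deprecated_since` to `null` on the glance `default` rule discards the only text that told deployers the `default` rule must now be set explicitly to `"role:admin"` when an old-style policy file relies on it; the same fields are nulled on every other entry in the glance hunks that follow. The `deprecated_since` marker is also what an operator uses to judge when the `deprecated_rule` fallback stops applying. If the generator now emits these as null, consider keeping the original guidance as a comment near the `default` entry, e.g. `# Deployers keeping an old-style policy file must set "default" to "role:admin" explicitly.`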
@@ -18,16 +14,12 @@ name: context_is_admin operations: [] scope_types: null -- check_str: role:role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s) - deprecated_reason: ' - - The image API now supports roles. - - ' +- check_str: role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s) + deprecated_reason: null deprecated_rule: check_str: rule:default name: add_image - deprecated_since: W + deprecated_since: null description: Create new image name: add_image operations: @@ -37,15 +29,11 @@ - system - project - check_str: role:admin or (role:member and project_id:%(project_id)s) - deprecated_reason: ' - - The image API now supports roles. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:default name: delete_image - deprecated_since: W + deprecated_since: null description: Deletes the image name: delete_image operations: @@ -55,16 +43,12 @@ - system - project - check_str: role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s - or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s)) - deprecated_reason: ' - - The image API now supports roles. - - ' + or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s)) + deprecated_reason: null deprecated_rule: check_str: rule:default name: get_image - deprecated_since: W + deprecated_since: null description: Get specified image name: get_image operations: @@ -74,15 +58,11 @@ - system - project - check_str: role:admin or (role:reader and project_id:%(project_id)s) - deprecated_reason: ' - - The image API now supports roles. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:default name: get_images - deprecated_since: W + deprecated_since: null description: Get all available images name: get_images operations: 
@@ -92,15 +72,11 @@ - system - project - check_str: role:admin or (role:member and project_id:%(project_id)s) - deprecated_reason: ' - - The image API now supports roles. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:default name: modify_image - deprecated_since: W + deprecated_since: null description: Updates given image name: modify_image operations: @@ -119,15 +95,11 @@ - system - project - check_str: role:admin or (role:member and project_id:%(project_id)s) - deprecated_reason: ' - - The image API now supports roles. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:default name: communitize_image - deprecated_since: W + deprecated_since: null description: Communitize given image name: communitize_image operations: @@ -137,16 +109,12 @@ - system - project - check_str: role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s - or "community":%(visibility)s or "public":%(visibility)s)) - deprecated_reason: ' - - The image API now supports roles. - - ' + or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s)) + deprecated_reason: null deprecated_rule: check_str: rule:default name: download_image - deprecated_since: W + deprecated_since: null description: Downloads given image name: download_image operations: @@ -156,15 +124,11 @@ - system - project - check_str: role:admin or (role:member and project_id:%(project_id)s) - deprecated_reason: ' - - The image API now supports roles. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:default name: upload_image - deprecated_since: W + deprecated_since: null description: Uploads data to specified image name: upload_image operations: 
@@ -174,15 +138,11 @@ - system - project - check_str: role:admin - deprecated_reason: ' - - The image API now supports roles. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:default name: delete_image_location - deprecated_since: W + deprecated_since: null description: Deletes the location of given image name: delete_image_location operations: @@ -192,15 +152,11 @@ - system - project - check_str: role:admin or (role:reader and project_id:%(project_id)s) - deprecated_reason: ' - - The image API now supports roles. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:default name: get_image_location - deprecated_since: W + deprecated_since: null description: Reads the location of the image name: get_image_location operations: @@ -210,15 +166,11 @@ - system - project - check_str: role:admin or (role:member and project_id:%(project_id)s) - deprecated_reason: ' - - The image API now supports roles. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:default name: set_image_location - deprecated_since: W + deprecated_since: null description: Sets location URI to given image name: set_image_location operations: @@ -228,15 +180,11 @@ - system - project - check_str: role:admin or (role:member and project_id:%(project_id)s) - deprecated_reason: ' - - The image API now supports roles. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:default name: add_member - deprecated_since: W + deprecated_since: null description: Create image member name: add_member operations: @@ -246,15 +194,11 @@ - system - project - check_str: role:admin or (role:member and project_id:%(project_id)s) - deprecated_reason: ' - - The image API now supports roles. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:default name: delete_member - deprecated_since: W + deprecated_since: null description: Delete image member name: delete_member operations: 
@@ -264,15 +208,11 @@ - system - project - check_str: role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s) - deprecated_reason: ' - - The image API now supports roles. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:default name: get_member - deprecated_since: W + deprecated_since: null description: Show image member details name: get_member operations: @@ -282,15 +222,11 @@ - system - project - check_str: role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s) - deprecated_reason: ' - - The image API now supports roles. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:default name: get_members - deprecated_since: W + deprecated_since: null description: List image members name: get_members operations: @@ -300,15 +236,11 @@ - system - project - check_str: role:admin or (role:member and project_id:%(member_id)s) - deprecated_reason: ' - - The image API now supports roles. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:default name: modify_member - deprecated_since: W + deprecated_since: null description: Update image member name: modify_member operations: @@ -325,15 +257,11 @@ - system - project - check_str: role:admin or (role:member and project_id:%(project_id)s) - deprecated_reason: ' - - The image API now supports roles. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:default name: deactivate - deprecated_since: W + deprecated_since: null description: Deactivate image name: deactivate operations: @@ -343,15 +271,11 @@ - system - project - check_str: role:admin or (role:member and project_id:%(project_id)s) - deprecated_reason: ' - - The image API now supports roles. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:default name: reactivate - deprecated_since: W + deprecated_since: null description: Reactivate image name: reactivate operations: 
@@ -370,18 +294,11 @@ - system - project - check_str: rule:default - deprecated_reason: ' - - From Xena we are enforcing policy checks in the API and policy layer where task - policies were enforcing will be removed. Since task APIs are already deprecated - and `tasks_api_access` is checked for each API at API layer, there will be no - benefit of other having other task related policies. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:default name: get_task - deprecated_since: X + deprecated_since: null description: 'Get an image task. @@ -406,18 +323,11 @@ - system - project - check_str: rule:default - deprecated_reason: ' - - From Xena we are enforcing policy checks in the API and policy layer where task - policies were enforcing will be removed. Since task APIs are already deprecated - and `tasks_api_access` is checked for each API at API layer, there will be no - benefit of other having other task related policies. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:default - name: get_task - deprecated_since: X + name: get_tasks + deprecated_since: null description: 'List tasks for all images. @@ -442,18 +352,11 @@ - system - project - check_str: rule:default - deprecated_reason: ' - - From Xena we are enforcing policy checks in the API and policy layer where task - policies were enforcing will be removed. Since task APIs are already deprecated - and `tasks_api_access` is checked for each API at API layer, there will be no - benefit of other having other task related policies. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:default name: add_task - deprecated_since: X + deprecated_since: null description: 'List tasks for all images. 
@@ -528,133 +431,337 @@ name: metadef_admin operations: [] scope_types: null -- check_str: rule:metadef_default - description: null +- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) + deprecated_reason: null + deprecated_rule: + check_str: rule:metadef_default + name: get_metadef_namespace + deprecated_since: null + description: Get a specific namespace. name: get_metadef_namespace - operations: [] - scope_types: null -- check_str: rule:metadef_default - description: null + operations: + - method: GET + path: /v2/metadefs/namespaces/{namespace_name} + scope_types: + - system + - project +- check_str: role:admin or (role:reader and project_id:%(project_id)s) + deprecated_reason: null + deprecated_rule: + check_str: rule:metadef_default + name: get_metadef_namespaces + deprecated_since: null + description: List namespace. name: get_metadef_namespaces - operations: [] - scope_types: null + operations: + - method: GET + path: /v2/metadefs/namespaces + scope_types: + - system + - project - check_str: rule:metadef_admin - description: null + description: Modify an existing namespace. name: modify_metadef_namespace - operations: [] - scope_types: null + operations: + - method: PUT + path: /v2/metadefs/namespaces/{namespace_name} + scope_types: + - system + - project - check_str: rule:metadef_admin - description: null + description: Create a namespace. name: add_metadef_namespace - operations: [] - scope_types: null + operations: + - method: POST + path: /v2/metadefs/namespaces + scope_types: + - system + - project - check_str: rule:metadef_admin - description: null + description: Delete a namespace. 
name: delete_metadef_namespace - operations: [] - scope_types: null -- check_str: rule:metadef_default - description: null + operations: + - method: DELETE + path: /v2/metadefs/namespaces/{namespace_name} + scope_types: + - system + - project +- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) + deprecated_reason: null + deprecated_rule: + check_str: rule:metadef_default + name: get_metadef_object + deprecated_since: null + description: Get a specific object from a namespace. name: get_metadef_object - operations: [] - scope_types: null -- check_str: rule:metadef_default - description: null + operations: + - method: GET + path: /v2/metadefs/namespaces/{namespace_name}/objects/{object_name} + scope_types: + - system + - project +- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) + deprecated_reason: null + deprecated_rule: + check_str: rule:metadef_default + name: get_metadef_objects + deprecated_since: null + description: Get objects from a namespace. name: get_metadef_objects - operations: [] - scope_types: null + operations: + - method: GET + path: /v2/metadefs/namespaces/{namespace_name}/objects + scope_types: + - system + - project - check_str: rule:metadef_admin - description: null + description: Update an object within a namespace. name: modify_metadef_object - operations: [] - scope_types: null + operations: + - method: PUT + path: /v2/metadefs/namespaces/{namespace_name}/objects/{object_name} + scope_types: + - system + - project - check_str: rule:metadef_admin - description: null + description: Create an object within a namespace. name: add_metadef_object - operations: [] - scope_types: null + operations: + - method: POST + path: /v2/metadefs/namespaces/{namespace_name}/objects + scope_types: + - system + - project - check_str: rule:metadef_admin - description: null + description: Delete an object within a namespace. 
name: delete_metadef_object - operations: [] - scope_types: null -- check_str: rule:metadef_default - description: null + operations: + - method: DELETE + path: /v2/metadefs/namespaces/{namespace_name}/objects/{object_name} + scope_types: + - system + - project +- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) + deprecated_reason: null + deprecated_rule: + check_str: rule:metadef_default + name: list_metadef_resource_types + deprecated_since: null + description: List meta definition resource types. name: list_metadef_resource_types - operations: [] - scope_types: null -- check_str: rule:metadef_default - description: null + operations: + - method: GET + path: /v2/metadefs/resource_types + scope_types: + - system + - project +- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) + deprecated_reason: null + deprecated_rule: + check_str: rule:metadef_default + name: get_metadef_resource_type + deprecated_since: null + description: Get meta definition resource types associations. name: get_metadef_resource_type - operations: [] - scope_types: null + operations: + - method: GET + path: /v2/metadefs/namespaces/{namespace_name}/resource_types + scope_types: + - system + - project - check_str: rule:metadef_admin - description: null + description: Create meta definition resource types association. name: add_metadef_resource_type_association - operations: [] - scope_types: null + operations: + - method: POST + path: /v2/metadefs/namespaces/{namespace_name}/resource_types + scope_types: + - system + - project - check_str: rule:metadef_admin - description: null + description: Delete meta definition resource types association. 
name: remove_metadef_resource_type_association - operations: [] - scope_types: null -- check_str: rule:metadef_default - description: null + operations: + - method: POST + path: /v2/metadefs/namespaces/{namespace_name}/resource_types/{name} + scope_types: + - system + - project +- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) + deprecated_reason: null + deprecated_rule: + check_str: rule:metadef_default + name: get_metadef_property + deprecated_since: null + description: Get a specific meta definition property. name: get_metadef_property - operations: [] - scope_types: null -- check_str: rule:metadef_default - description: null + operations: + - method: GET + path: /v2/metadefs/namespaces/{namespace_name}/properties/{property_name} + scope_types: + - system + - project +- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) + deprecated_reason: null + deprecated_rule: + check_str: rule:metadef_default + name: get_metadef_properties + deprecated_since: null + description: List meta definition properties. name: get_metadef_properties - operations: [] - scope_types: null + operations: + - method: GET + path: /v2/metadefs/namespaces/{namespace_name}/properties + scope_types: + - system + - project - check_str: rule:metadef_admin - description: null + description: Update meta definition property. name: modify_metadef_property - operations: [] - scope_types: null + operations: + - method: GET + path: /v2/metadefs/namespaces/{namespace_name}/properties/{property_name} + scope_types: + - system + - project - check_str: rule:metadef_admin - description: null + description: Create meta definition property. 
name: add_metadef_property - operations: [] - scope_types: null + operations: + - method: POST + path: /v2/metadefs/namespaces/{namespace_name}/properties + scope_types: + - system + - project - check_str: rule:metadef_admin - description: null + description: Delete meta definition property. name: remove_metadef_property - operations: [] - scope_types: null -- check_str: rule:metadef_default - description: null + operations: + - method: DELETE + path: /v2/metadefs/namespaces/{namespace_name}/properties/{property_name} + scope_types: + - system + - project +- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) + deprecated_reason: null + deprecated_rule: + check_str: rule:metadef_default + name: get_metadef_tag + deprecated_since: null + description: Get tag definition. name: get_metadef_tag - operations: [] - scope_types: null -- check_str: rule:metadef_default - description: null + operations: + - method: GET + path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name} + scope_types: + - system + - project +- check_str: role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) + deprecated_reason: null + deprecated_rule: + check_str: rule:metadef_default + name: get_metadef_tags + deprecated_since: null + description: List tag definitions. name: get_metadef_tags - operations: [] - scope_types: null + operations: + - method: GET + path: /v2/metadefs/namespaces/{namespace_name}/tags + scope_types: + - system + - project - check_str: rule:metadef_admin - description: null + description: Update tag definition. name: modify_metadef_tag - operations: [] - scope_types: null + operations: + - method: PUT + path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name} + scope_types: + - system + - project - check_str: rule:metadef_admin - description: null + description: Add tag definition. 
name: add_metadef_tag - operations: [] - scope_types: null + operations: + - method: POST + path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name} + scope_types: + - system + - project - check_str: rule:metadef_admin - description: null + description: Create tag definitions. name: add_metadef_tags - operations: [] - scope_types: null + operations: + - method: POST + path: /v2/metadefs/namespaces/{namespace_name}/tags + scope_types: + - system + - project - check_str: rule:metadef_admin - description: null + description: Delete tag definition. name: delete_metadef_tag - operations: [] - scope_types: null + operations: + - method: DELETE + path: /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name} + scope_types: + - system + - project - check_str: rule:metadef_admin - description: null + description: Delete tag definitions. name: delete_metadef_tags - operations: [] - scope_types: null + operations: + - method: DELETE + path: /v2/metadefs/namespaces/{namespace_name}/tags + scope_types: + - system + - project +- check_str: role:admin + deprecated_reason: null + deprecated_rule: + check_str: rule:manage_image_cache + name: cache_image + deprecated_since: null + description: Queue image for caching + name: cache_image + operations: + - method: PUT + path: /v2/cache/{image_id} + scope_types: + - project +- check_str: role:admin + deprecated_reason: null + deprecated_rule: + check_str: rule:manage_image_cache + name: cache_list + deprecated_since: null + description: List cache status + name: cache_list + operations: + - method: GET + path: /v2/cache + scope_types: + - project +- check_str: role:admin + deprecated_reason: null + deprecated_rule: + check_str: rule:manage_image_cache + name: cache_delete + deprecated_since: null + description: Delete image(s) from cache and/or queue + name: cache_delete + operations: + - method: DELETE + path: /v2/cache + - method: DELETE + path: /v2/cache/{image_id} + scope_types: + - project +- check_str: role:admin + 
description: Expose store specific information + name: stores_info_detail + operations: + - method: GET + path: /v2/info/stores/detail + scope_types: + - system + - project diff --git a/openstack_dashboard/conf/default_policies/keystone.yaml b/openstack_dashboard/conf/default_policies/keystone.yaml index 51161ebb22..47b0f8fa04 100644 --- a/openstack_dashboard/conf/default_policies/keystone.yaml +++ b/openstack_dashboard/conf/default_policies/keystone.yaml @@ -118,12 +118,11 @@ scope_types: - project - check_str: (role:reader and system_scope:all) or rule:owner - deprecated_reason: The application credential API is now aware of system scope and - default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner - name: identity:get_application_credentials - deprecated_since: T + name: identity:get_application_credential + deprecated_since: null description: Show application credential details. name: identity:get_application_credential operations: @@ -135,12 +134,11 @@ - system - project - check_str: (role:reader and system_scope:all) or rule:owner - deprecated_reason: The application credential API is now aware of system scope and - default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: identity:list_application_credentials - deprecated_since: T + deprecated_since: null description: List application credentials for a user. name: identity:list_application_credentials operations: @@ -160,12 +158,11 @@ scope_types: - project - check_str: (role:admin and system_scope:all) or rule:owner - deprecated_reason: The application credential API is now aware of system scope and - default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner - name: identity:delete_application_credentials - deprecated_since: T + name: identity:delete_application_credential + deprecated_since: null description: Delete an application credential. name: identity:delete_application_credential operations: 
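Review bot: Two of the newly added `operations` entries in this hunk carry HTTP methods that do not match the action the rule guards: `modify_metadef_property` lists `- method: GET` for `/v2/metadefs/namespaces/{namespace_name}/properties/{property_name}`, and `remove_metadef_resource_type_association` lists `- method: POST` for `/v2/metadefs/namespaces/{namespace_name}/resource_types/{name}`, whereas every sibling modify/remove rule in the same hunk uses PUT or DELETE. Because these files are dumped from the service's registered defaults, the fix belongs upstream in the image service's policy definitions (probably `method: PUT` and `method: DELETE` respectively), but it is worth flagging here since anyone auditing which verbs a policy protects will be misled by the dashboard's copy. The three new `cache_*` rules and `stores_info_detail` look consistent with the rest of the file; note that `cache_*` declares only `- project` under `scope_types` while the other admin rules declare system and project, which is presumably intentional upstream but worth a glance when reviewing scope enforcement.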
@@ -211,12 +208,11 @@ path: /v3/auth/system scope_types: null - check_str: role:reader and system_scope:all - deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_consumer - deprecated_since: T + deprecated_since: null description: Show OAUTH1 consumer details. name: identity:get_consumer operations: @@ -225,12 +221,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_consumers - deprecated_since: T + deprecated_since: null description: List OAUTH1 consumers. name: identity:list_consumers operations: @@ -239,12 +234,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_consumer - deprecated_since: T + deprecated_since: null description: Create OAUTH1 consumer. name: identity:create_consumer operations: @@ -253,12 +247,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_consumer - deprecated_since: T + deprecated_since: null description: Update OAUTH1 consumer. name: identity:update_consumer operations: 
@@ -267,12 +260,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_consumer - deprecated_since: T + deprecated_since: null description: Delete OAUTH1 consumer. name: identity:delete_consumer operations: @@ -281,11 +273,11 @@ scope_types: - system - check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s - deprecated_reason: The credential API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_credential - deprecated_since: S + deprecated_since: null description: Show credentials details. name: identity:get_credential operations: @@ -295,11 +287,11 @@ - system - project - check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s - deprecated_reason: The credential API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_credentials - deprecated_since: S + deprecated_since: null description: List credentials. name: identity:list_credentials operations: @@ -309,11 +301,11 @@ - system - project - check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s - deprecated_reason: The credential API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_credential - deprecated_since: S + deprecated_since: null description: Create credential. name: identity:create_credential operations: 
@@ -323,11 +315,11 @@ - system - project - check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s - deprecated_reason: The credential API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_credential - deprecated_since: S + deprecated_since: null description: Update credential. name: identity:update_credential operations: @@ -337,11 +329,11 @@ - system - project - check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s - deprecated_reason: The credential API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_credential - deprecated_since: S + deprecated_since: null description: Delete credential. name: identity:delete_credential operations: @@ -352,11 +344,11 @@ - project - check_str: (role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s - deprecated_reason: The domain API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required or token.project.domain.id:%(target.domain.id)s name: identity:get_domain - deprecated_since: S + deprecated_since: null description: Show domain details. name: identity:get_domain operations: @@ -367,11 +359,11 @@ - domain - project - check_str: role:reader and system_scope:all - deprecated_reason: The domain API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_domains - deprecated_since: S + deprecated_since: null description: List domains. name: identity:list_domains operations: 
@@ -380,11 +372,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The domain API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_domain - deprecated_since: S + deprecated_since: null description: Create domain. name: identity:create_domain operations: @@ -393,11 +385,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The domain API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_domain - deprecated_since: S + deprecated_since: null description: Update domain. name: identity:update_domain operations: @@ -406,11 +398,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The domain API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_domain - deprecated_since: S + deprecated_since: null description: Delete domain. name: identity:delete_domain operations: @@ -419,12 +411,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The domain config API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_domain_config - deprecated_since: T + deprecated_since: null description: Create domain configuration. name: identity:create_domain_config operations: 
@@ -433,12 +424,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The domain config API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_domain_config - deprecated_since: T + deprecated_since: null description: Get the entire domain configuration for a domain, an option group within a domain, or a specific configuration option within a group for a domain. name: identity:get_domain_config @@ -475,12 +465,11 @@ - domain - project - check_str: role:admin and system_scope:all - deprecated_reason: The domain config API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_domain_config - deprecated_since: T + deprecated_since: null description: Update domain configuration for either a domain, specific group or a specific option in a group. name: identity:update_domain_config @@ -494,12 +483,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The domain config API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_domain_config - deprecated_since: T + deprecated_since: null description: Delete domain configuration for either a domain, specific group or a specific option in a group. name: identity:delete_domain_config @@ -513,12 +501,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The domain config API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_domain_config_default - deprecated_since: T + deprecated_since: null description: Get domain configuration default for either a domain, specific group or a specific option in a group. name: identity:get_domain_config_default 
@@ -538,12 +525,11 @@ scope_types: - system - check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s - deprecated_reason: The EC2 credential API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s) name: identity:ec2_get_credential - deprecated_since: T + deprecated_since: null description: Show ec2 credential details. name: identity:ec2_get_credential operations: @@ -553,12 +539,11 @@ - system - project - check_str: (role:reader and system_scope:all) or rule:owner - deprecated_reason: The EC2 credential API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: identity:ec2_list_credentials - deprecated_since: T + deprecated_since: null description: List ec2 credentials. name: identity:ec2_list_credentials operations: @@ -568,12 +553,11 @@ - system - project - check_str: (role:admin and system_scope:all) or rule:owner - deprecated_reason: The EC2 credential API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner - name: identity:ec2_create_credentials - deprecated_since: T + name: identity:ec2_create_credential + deprecated_since: null description: Create ec2 credential. name: identity:ec2_create_credential operations: 
@@ -583,12 +567,11 @@ - system - project - check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s - deprecated_reason: The EC2 credential API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s) - name: identity:ec2_delete_credentials - deprecated_since: T + name: identity:ec2_delete_credential + deprecated_since: null description: Delete ec2 credential. name: identity:ec2_delete_credential operations: @@ -598,11 +581,11 @@ - system - project - check_str: role:reader and system_scope:all - deprecated_reason: The endpoint API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_endpoint - deprecated_since: S + deprecated_since: null description: Show endpoint details. name: identity:get_endpoint operations: @@ -611,11 +594,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The endpoint API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_endpoints - deprecated_since: S + deprecated_since: null description: List endpoints. name: identity:list_endpoints operations: @@ -624,11 +607,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The endpoint API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_endpoint - deprecated_since: S + deprecated_since: null description: Create endpoint. name: identity:create_endpoint operations: 
@@ -637,11 +620,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The endpoint API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_endpoint - deprecated_since: S + deprecated_since: null description: Update endpoint. name: identity:update_endpoint operations: @@ -650,11 +633,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The endpoint API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_endpoint - deprecated_since: S + deprecated_since: null description: Delete endpoint. name: identity:delete_endpoint operations: @@ -663,12 +646,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The endpoint groups API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_endpoint_group - deprecated_since: T + deprecated_since: null description: Create endpoint group. name: identity:create_endpoint_group operations: @@ -677,12 +659,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The endpoint groups API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_endpoint_groups - deprecated_since: T + deprecated_since: null description: List endpoint groups. name: identity:list_endpoint_groups operations: 
@@ -691,12 +672,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The endpoint groups API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_endpoint_group - deprecated_since: T + deprecated_since: null description: Get endpoint group. name: identity:get_endpoint_group operations: @@ -707,12 +687,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The endpoint groups API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_endpoint_group - deprecated_since: T + deprecated_since: null description: Update endpoint group. name: identity:update_endpoint_group operations: @@ -721,12 +700,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The endpoint groups API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_endpoint_group - deprecated_since: T + deprecated_since: null description: Delete endpoint group. name: identity:delete_endpoint_group operations: @@ -735,12 +713,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The endpoint groups API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_projects_associated_with_endpoint_group - deprecated_since: T + deprecated_since: null description: List all projects associated with a specific endpoint group. name: identity:list_projects_associated_with_endpoint_group operations: 
@@ -749,12 +726,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The endpoint groups API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_endpoints_associated_with_endpoint_group - deprecated_since: T + deprecated_since: null description: List all endpoints associated with an endpoint group. name: identity:list_endpoints_associated_with_endpoint_group operations: @@ -763,12 +739,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The endpoint groups API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_endpoint_group_in_project - deprecated_since: T + deprecated_since: null description: Check if an endpoint group is associated with a project. name: identity:get_endpoint_group_in_project operations: @@ -779,12 +754,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The endpoint groups API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_endpoint_groups_for_project - deprecated_since: T + deprecated_since: null description: List endpoint groups associated with a specific project. name: identity:list_endpoint_groups_for_project operations: @@ -793,12 +767,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The endpoint groups API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:add_endpoint_group_to_project - deprecated_since: T + deprecated_since: null description: Allow a project to access an endpoint group. name: identity:add_endpoint_group_to_project operations: 
@@ -807,12 +780,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The endpoint groups API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:remove_endpoint_group_from_project - deprecated_since: T + deprecated_since: null description: Remove endpoint group from project. name: identity:remove_endpoint_group_from_project operations: @@ -826,11 +798,11 @@ and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s) - deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:check_grant - deprecated_since: S + deprecated_since: null description: Check a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all @@ -877,11 +849,11 @@ and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s) - deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_grants - deprecated_since: S + deprecated_since: null description: List roles granted to an actor on a target. A target can be either a domain or a project. An actor can be either a user or a group. For the OS-INHERIT APIs, it is possible to list inherited role grants for actors on domains, where 
@@ -917,11 +889,11 @@ and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s) - deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_grant - deprecated_since: S + deprecated_since: null description: Create a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited @@ -953,11 +925,11 @@ and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s) - deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:revoke_grant - deprecated_since: S + deprecated_since: null description: Revoke a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited @@ -986,11 +958,11 @@ - system - domain - check_str: role:reader and system_scope:all - deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_system_grants_for_user - deprecated_since: S + deprecated_since: null description: List all grants a specific user has on the system. name: identity:list_system_grants_for_user operations: 
@@ -1001,11 +973,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:check_system_grant_for_user - deprecated_since: S + deprecated_since: null description: Check if a user has a role on the system. name: identity:check_system_grant_for_user operations: @@ -1016,11 +988,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_system_grant_for_user - deprecated_since: S + deprecated_since: null description: Grant a user a role on the system. name: identity:create_system_grant_for_user operations: @@ -1030,11 +1002,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:revoke_system_grant_for_user - deprecated_since: S + deprecated_since: null description: Remove a role from a user on the system. name: identity:revoke_system_grant_for_user operations: @@ -1044,11 +1016,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_system_grants_for_group - deprecated_since: S + deprecated_since: null description: List all grants a specific group has on the system. name: identity:list_system_grants_for_group operations: 
@@ -1059,11 +1031,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:check_system_grant_for_group - deprecated_since: S + deprecated_since: null description: Check if a group has a role on the system. name: identity:check_system_grant_for_group operations: @@ -1074,11 +1046,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_system_grant_for_group - deprecated_since: S + deprecated_since: null description: Grant a group a role on the system. name: identity:create_system_grant_for_group operations: @@ -1088,11 +1060,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:revoke_system_grant_for_group - deprecated_since: S + deprecated_since: null description: Remove a role from a group on the system. name: identity:revoke_system_grant_for_group operations: @@ -1102,11 +1074,11 @@ scope_types: - system - check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s) - deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_group - deprecated_since: S + deprecated_since: null description: Show group details. name: identity:get_group operations: 
@@ -1118,11 +1090,11 @@ - system - domain - check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s) - deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_groups - deprecated_since: S + deprecated_since: null description: List groups. name: identity:list_groups operations: @@ -1135,11 +1107,11 @@ - domain - check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s - deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: identity:list_groups_for_user - deprecated_since: S + deprecated_since: null description: List groups to which a user belongs. name: identity:list_groups_for_user operations: @@ -1152,11 +1124,11 @@ - domain - project - check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s) - deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_group - deprecated_since: S + deprecated_since: null description: Create group. name: identity:create_group operations: @@ -1166,11 +1138,11 @@ - system - domain - check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s) - deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_group - deprecated_since: S + deprecated_since: null description: Update group. name: identity:update_group operations: 
@@ -1180,11 +1152,11 @@ - system - domain - check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s) - deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_group - deprecated_since: S + deprecated_since: null description: Delete group. name: identity:delete_group operations: @@ -1194,11 +1166,11 @@ - system - domain - check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s) - deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_users_in_group - deprecated_since: S + deprecated_since: null description: List members of a specific group. name: identity:list_users_in_group operations: @@ -1211,11 +1183,11 @@ - domain - check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s) - deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:remove_user_from_group - deprecated_since: S + deprecated_since: null description: Remove user from group. name: identity:remove_user_from_group operations: @@ -1226,11 +1198,11 @@ - domain - check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s) - deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:check_user_in_group - deprecated_since: S + deprecated_since: null description: Check whether a user is a member of a group. name: identity:check_user_in_group operations: 
@@ -1243,11 +1215,11 @@ - domain - check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s) - deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:add_user_to_group - deprecated_since: S + deprecated_since: null description: Add user to group. name: identity:add_user_to_group operations: @@ -1257,12 +1229,11 @@ - system - domain - check_str: role:admin and system_scope:all - deprecated_reason: The identity provider API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required - name: identity:create_identity_providers - deprecated_since: S + name: identity:create_identity_provider + deprecated_since: null description: Create identity provider. name: identity:create_identity_provider operations: @@ -1271,12 +1242,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The identity provider API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_identity_providers - deprecated_since: S + deprecated_since: null description: List identity providers. name: identity:list_identity_providers operations: @@ -1287,12 +1257,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The identity provider API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required - name: identity:get_identity_providers - deprecated_since: S + name: identity:get_identity_provider + deprecated_since: null description: Get identity provider. name: identity:get_identity_provider operations: 
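Review bot: The `deprecated_rule.name` correction for the identity provider rules (`identity:create_identity_providers` to `identity:create_identity_provider` here, and likewise for the get, update and delete rules in the following hunks) makes the deprecated name identical to the current rule name, so the entry now only records the old check string `rule:admin_required` rather than a renamed rule. That is presumably the upstream keystone fix being carried over, but it is worth confirming that horizon's loader still applies the legacy `rule:admin_required` fallback when the deprecated and current names coincide, since an operator override written against the old default is exactly the case the deprecation mapping exists for. A one-line mention of the corrected names in the commit message would help anyone auditing policy overrides for these rules.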
@@ -1303,12 +1272,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The identity provider API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required - name: identity:update_identity_providers - deprecated_since: S + name: identity:update_identity_provider + deprecated_since: null description: Update identity provider. name: identity:update_identity_provider operations: @@ -1317,12 +1285,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The identity provider API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required - name: identity:delete_identity_providers - deprecated_since: S + name: identity:delete_identity_provider + deprecated_since: null description: Delete identity provider. name: identity:delete_identity_provider operations: @@ -1331,12 +1298,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The implied role API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_implied_role - deprecated_since: T + deprecated_since: null description: Get information about an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. 
@@ -1347,12 +1313,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The implied role API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_implied_roles - deprecated_since: T + deprecated_since: null description: List associations between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. This will return all the implied roles that @@ -1366,12 +1331,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The implied role API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_implied_role - deprecated_since: T + deprecated_since: null description: Create an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. @@ -1382,12 +1346,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The implied role API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_implied_role - deprecated_since: T + deprecated_since: null description: Delete the association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. Removing the association will cause that 
@@ -1399,12 +1362,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The implied role API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_role_inference_rules - deprecated_since: T + deprecated_since: null description: List all associations between two roles in the system. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. @@ -1417,12 +1379,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The implied role API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:check_implied_role - deprecated_since: T + deprecated_since: null description: Check an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. @@ -1495,12 +1456,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The federated mapping API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_mapping - deprecated_since: S + deprecated_since: null description: Create a new federated mapping containing one or more sets of rules. name: identity:create_mapping operations: @@ -1509,12 +1469,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The federated mapping API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_mapping - deprecated_since: S + deprecated_since: null description: Get a federated mapping. name: identity:get_mapping operations: 
@@ -1525,12 +1484,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The federated mapping API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_mappings - deprecated_since: S + deprecated_since: null description: List federated mappings. name: identity:list_mappings operations: @@ -1541,12 +1499,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The federated mapping API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_mapping - deprecated_since: S + deprecated_since: null description: Delete a federated mapping. name: identity:delete_mapping operations: @@ -1555,12 +1512,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The federated mapping API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_mapping - deprecated_since: S + deprecated_since: null description: Update a federated mapping. name: identity:update_mapping operations: @@ -1569,11 +1525,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The policy API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_policy - deprecated_since: T + deprecated_since: null description: Show policy details. name: identity:get_policy operations: 
@@ -1582,11 +1538,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The policy API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_policies - deprecated_since: T + deprecated_since: null description: List policies. name: identity:list_policies operations: @@ -1595,11 +1551,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The policy API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_policy - deprecated_since: T + deprecated_since: null description: Create policy. name: identity:create_policy operations: @@ -1608,11 +1564,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The policy API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_policy - deprecated_since: T + deprecated_since: null description: Update policy. name: identity:update_policy operations: @@ -1621,11 +1577,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The policy API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_policy - deprecated_since: T + deprecated_since: null description: Delete policy. name: identity:delete_policy operations: 
@@ -1634,12 +1590,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The policy association API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_policy_association_for_endpoint - deprecated_since: T + deprecated_since: null description: Associate a policy to a specific endpoint. name: identity:create_policy_association_for_endpoint operations: @@ -1648,12 +1603,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The policy association API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:check_policy_association_for_endpoint - deprecated_since: T + deprecated_since: null description: Check policy association for endpoint. name: identity:check_policy_association_for_endpoint operations: @@ -1664,12 +1618,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The policy association API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_policy_association_for_endpoint - deprecated_since: T + deprecated_since: null description: Delete policy association for endpoint. name: identity:delete_policy_association_for_endpoint operations: @@ -1678,12 +1631,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The policy association API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_policy_association_for_service - deprecated_since: T + deprecated_since: null description: Associate a policy to a specific service. name: identity:create_policy_association_for_service operations: 
@@ -1692,12 +1644,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The policy association API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:check_policy_association_for_service - deprecated_since: T + deprecated_since: null description: Check policy association for service. name: identity:check_policy_association_for_service operations: @@ -1708,12 +1659,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The policy association API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_policy_association_for_service - deprecated_since: T + deprecated_since: null description: Delete policy association for service. name: identity:delete_policy_association_for_service operations: @@ -1722,12 +1672,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The policy association API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_policy_association_for_region_and_service - deprecated_since: T + deprecated_since: null description: Associate a policy to a specific region and service combination. name: identity:create_policy_association_for_region_and_service operations: @@ -1736,12 +1685,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The policy association API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:check_policy_association_for_region_and_service - deprecated_since: T + deprecated_since: null description: Check policy association for region and service. name: identity:check_policy_association_for_region_and_service operations: 
@@ -1752,12 +1700,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The policy association API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_policy_association_for_region_and_service - deprecated_since: T + deprecated_since: null description: Delete policy association for region and service. name: identity:delete_policy_association_for_region_and_service operations: @@ -1766,12 +1713,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The policy association API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_policy_for_endpoint - deprecated_since: T + deprecated_since: null description: Get policy for endpoint. name: identity:get_policy_for_endpoint operations: @@ -1782,12 +1728,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The policy association API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_endpoints_for_policy - deprecated_since: T + deprecated_since: null description: List endpoints for policy. name: identity:list_endpoints_for_policy operations: @@ -1797,11 +1742,11 @@ - system - check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s - deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required or project_id:%(target.project.id)s name: identity:get_project - deprecated_since: S + deprecated_since: null description: Show project details. name: identity:get_project operations: 
@@ -1812,11 +1757,11 @@ - domain - project - check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s) - deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_projects - deprecated_since: S + deprecated_since: null description: List projects. name: identity:list_projects operations: @@ -1827,11 +1772,11 @@ - domain - check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s - deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: identity:list_user_projects - deprecated_since: S + deprecated_since: null description: List projects for user. name: identity:list_user_projects operations: @@ -1842,11 +1787,11 @@ - domain - project - check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) - deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_project - deprecated_since: S + deprecated_since: null description: Create project. name: identity:create_project operations: @@ -1856,11 +1801,11 @@ - system - domain - check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) - deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_project - deprecated_since: S + deprecated_since: null description: Update project. name: identity:update_project operations: 
@@ -1870,11 +1815,11 @@ - system - domain - check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) - deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_project - deprecated_since: S + deprecated_since: null description: Delete project. name: identity:delete_project operations: @@ -1885,15 +1830,11 @@ - domain - check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s - deprecated_reason: ' - - The project API is now aware of system scope and default roles. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:admin_required or project_id:%(target.project.id)s name: identity:list_project_tags - deprecated_since: T + deprecated_since: null description: List tags for a project. name: identity:list_project_tags operations: @@ -1907,15 +1848,11 @@ - project - check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s - deprecated_reason: ' - - The project API is now aware of system scope and default roles. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:admin_required or project_id:%(target.project.id)s name: identity:get_project_tag - deprecated_since: T + deprecated_since: null description: Check if project contains a tag. name: identity:get_project_tag operations: 
@@ -1929,15 +1866,11 @@ - project - check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s) - deprecated_reason: ' - - The project API is now aware of system scope and default roles. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_project_tags - deprecated_since: T + deprecated_since: null description: Replace all tags on a project with the new set of tags. name: identity:update_project_tags operations: @@ -1949,15 +1882,11 @@ - project - check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s) - deprecated_reason: ' - - The project API is now aware of system scope and default roles. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_project_tag - deprecated_since: T + deprecated_since: null description: Add a single tag to a project. name: identity:create_project_tag operations: @@ -1969,15 +1898,11 @@ - project - check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s) - deprecated_reason: ' - - The project API is now aware of system scope and default roles. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_project_tags - deprecated_since: T + deprecated_since: null description: Remove all tags from a project. name: identity:delete_project_tags operations: 
@@ -1989,15 +1914,11 @@ - project - check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s) - deprecated_reason: ' - - The project API is now aware of system scope and default roles. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_project_tag - deprecated_since: T + deprecated_since: null description: Delete a specified tag from project. name: identity:delete_project_tag operations: @@ -2008,23 +1929,11 @@ - domain - project - check_str: role:reader and system_scope:all - deprecated_reason: ' - - As of the Train release, the project endpoint API now understands default - - roles and system-scoped tokens, making the API more granular by default without - - compromising security. The new policy defaults account for these changes - - automatically. Be sure to take these new defaults into consideration if you are - - relying on overrides in your deployment for the project endpoint API. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_projects_for_endpoint - deprecated_since: T + deprecated_since: null description: List projects allowed to access an endpoint. name: identity:list_projects_for_endpoint operations: 
@@ -2033,23 +1942,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: ' - - As of the Train release, the project endpoint API now understands default - - roles and system-scoped tokens, making the API more granular by default without - - compromising security. The new policy defaults account for these changes - - automatically. Be sure to take these new defaults into consideration if you are - - relying on overrides in your deployment for the project endpoint API. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:add_endpoint_to_project - deprecated_since: T + deprecated_since: null description: Allow project to access an endpoint. name: identity:add_endpoint_to_project operations: @@ -2058,23 +1955,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: ' - - As of the Train release, the project endpoint API now understands default - - roles and system-scoped tokens, making the API more granular by default without - - compromising security. The new policy defaults account for these changes - - automatically. Be sure to take these new defaults into consideration if you are - - relying on overrides in your deployment for the project endpoint API. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:check_endpoint_in_project - deprecated_since: T + deprecated_since: null description: Check if a project is allowed to access an endpoint. name: identity:check_endpoint_in_project operations: 
@@ -2085,23 +1970,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: ' - - As of the Train release, the project endpoint API now understands default - - roles and system-scoped tokens, making the API more granular by default without - - compromising security. The new policy defaults account for these changes - - automatically. Be sure to take these new defaults into consideration if you are - - relying on overrides in your deployment for the project endpoint API. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_endpoints_for_project - deprecated_since: T + deprecated_since: null description: List the endpoints a project is allowed to access. name: identity:list_endpoints_for_project operations: @@ -2110,23 +1983,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: ' - - As of the Train release, the project endpoint API now understands default - - roles and system-scoped tokens, making the API more granular by default without - - compromising security. The new policy defaults account for these changes - - automatically. Be sure to take these new defaults into consideration if you are - - relying on overrides in your deployment for the project endpoint API. - - ' + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:remove_endpoint_from_project - deprecated_since: T + deprecated_since: null description: Remove access to an endpoint from a project that has previously been given explicit access. name: identity:remove_endpoint_from_project 
@@ -2136,12 +1997,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The federated protocol API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_protocol - deprecated_since: S + deprecated_since: null description: Create federated protocol. name: identity:create_protocol operations: @@ -2150,12 +2010,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The federated protocol API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_protocol - deprecated_since: S + deprecated_since: null description: Update federated protocol. name: identity:update_protocol operations: @@ -2164,12 +2023,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The federated protocol API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_protocol - deprecated_since: S + deprecated_since: null description: Get federated protocol. name: identity:get_protocol operations: @@ -2178,12 +2036,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The federated protocol API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_protocols - deprecated_since: S + deprecated_since: null description: List federated protocols. name: identity:list_protocols operations: 
@@ -2192,12 +2049,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The federated protocol API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_protocol - deprecated_since: S + deprecated_since: null description: Delete federated protocol. name: identity:delete_protocol operations: @@ -2230,11 +2086,11 @@ - domain - project - check_str: role:admin and system_scope:all - deprecated_reason: The region API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_region - deprecated_since: S + deprecated_since: null description: Create region. name: identity:create_region operations: @@ -2245,11 +2101,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The region API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_region - deprecated_since: S + deprecated_since: null description: Update region. name: identity:update_region operations: @@ -2258,11 +2114,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The region API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_region - deprecated_since: S + deprecated_since: null description: Delete region. name: identity:delete_region operations: @@ -2327,11 +2183,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_role - deprecated_since: S + deprecated_since: null description: Show role details. name: identity:get_role operations: 
@@ -2342,11 +2198,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_roles - deprecated_since: S + deprecated_since: null description: List roles. name: identity:list_roles operations: @@ -2357,11 +2213,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_role - deprecated_since: S + deprecated_since: null description: Create role. name: identity:create_role operations: @@ -2370,11 +2226,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_role - deprecated_since: S + deprecated_since: null description: Update role. name: identity:update_role operations: @@ -2383,11 +2239,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_role - deprecated_since: S + deprecated_since: null description: Delete role. name: identity:delete_role operations: @@ -2396,11 +2252,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_domain_role - deprecated_since: T + deprecated_since: null description: Show domain role. name: identity:get_domain_role operations: 
@@ -2411,11 +2267,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_domain_roles - deprecated_since: T + deprecated_since: null description: List domain roles. name: identity:list_domain_roles operations: @@ -2426,11 +2282,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_domain_role - deprecated_since: T + deprecated_since: null description: Create domain role. name: identity:create_domain_role operations: @@ -2439,11 +2295,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_domain_role - deprecated_since: T + deprecated_since: null description: Update domain role. name: identity:update_domain_role operations: @@ -2452,11 +2308,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_domain_role - deprecated_since: T + deprecated_since: null description: Delete domain role. name: identity:delete_domain_role operations: 
@@ -2465,11 +2321,11 @@ scope_types: - system - check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s) - deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_role_assignments - deprecated_since: S + deprecated_since: null description: List role assignments. name: identity:list_role_assignments operations: @@ -2482,11 +2338,11 @@ - domain - check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s) - deprecated_reason: The assignment API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_role_assignments_for_tree - deprecated_since: T + deprecated_since: null description: List all role assignments for a given tree of hierarchical projects. name: identity:list_role_assignments_for_tree operations: @@ -2499,11 +2355,11 @@ - domain - project - check_str: role:reader and system_scope:all - deprecated_reason: The service API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_service - deprecated_since: S + deprecated_since: null description: Show service details. name: identity:get_service operations: @@ -2512,11 +2368,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The service API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_services - deprecated_since: S + deprecated_since: null description: List services. name: identity:list_services operations: 
@@ -2525,11 +2381,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The service API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_service - deprecated_since: S + deprecated_since: null description: Create service. name: identity:create_service operations: @@ -2538,11 +2394,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The service API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_service - deprecated_since: S + deprecated_since: null description: Update service. name: identity:update_service operations: @@ -2551,11 +2407,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The service API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_service - deprecated_since: S + deprecated_since: null description: Delete service. name: identity:delete_service operations: @@ -2564,12 +2420,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The service provider API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_service_provider - deprecated_since: S + deprecated_since: null description: Create federated service provider. name: identity:create_service_provider operations: 
@@ -2578,12 +2433,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The service provider API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_service_providers - deprecated_since: S + deprecated_since: null description: List federated service providers. name: identity:list_service_providers operations: @@ -2594,12 +2448,11 @@ scope_types: - system - check_str: role:reader and system_scope:all - deprecated_reason: The service provider API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_service_provider - deprecated_since: S + deprecated_since: null description: Get federated service provider. name: identity:get_service_provider operations: @@ -2610,12 +2463,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The service provider API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_service_provider - deprecated_since: S + deprecated_since: null description: Update federated service provider. name: identity:update_service_provider operations: @@ -2624,12 +2476,11 @@ scope_types: - system - check_str: role:admin and system_scope:all - deprecated_reason: The service provider API is now aware of system scope and default - roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_service_provider - deprecated_since: S + deprecated_since: null description: Delete federated service provider. name: identity:delete_service_provider operations: 
@@ -2660,11 +2511,11 @@ - system - project - check_str: (role:reader and system_scope:all) or rule:token_subject - deprecated_reason: The token API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_token_subject name: identity:check_token - deprecated_since: T + deprecated_since: null description: Check a token. name: identity:check_token operations: @@ -2675,11 +2526,11 @@ - domain - project - check_str: (role:reader and system_scope:all) or rule:service_role or rule:token_subject - deprecated_reason: The token API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:service_admin_or_token_subject name: identity:validate_token - deprecated_since: T + deprecated_since: null description: Validate a token. name: identity:validate_token operations: @@ -2690,11 +2541,11 @@ - domain - project - check_str: (role:admin and system_scope:all) or rule:token_subject - deprecated_reason: The token API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_token_subject name: identity:revoke_token - deprecated_since: T + deprecated_since: null description: Revoke a token. name: identity:revoke_token operations: @@ -2713,11 +2564,11 @@ scope_types: - project - check_str: role:reader and system_scope:all - deprecated_reason: The trust API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_trusts - deprecated_since: T + deprecated_since: null description: List trusts. name: identity:list_trusts operations: 
@@ -2751,11 +2602,11 @@ - project - check_str: role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s - deprecated_reason: The trust API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s name: identity:list_roles_for_trust - deprecated_since: T + deprecated_since: null description: List roles delegated by a trust. name: identity:list_roles_for_trust operations: @@ -2768,11 +2619,11 @@ - project - check_str: role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s - deprecated_reason: The trust API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s name: identity:get_role_for_trust - deprecated_since: T + deprecated_since: null description: Check if trust delegates a particular role. name: identity:get_role_for_trust operations: @@ -2784,11 +2635,11 @@ - system - project - check_str: role:admin and system_scope:all or user_id:%(target.trust.trustor_user_id)s - deprecated_reason: The trust API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: user_id:%(target.trust.trustor_user_id)s name: identity:delete_trust - deprecated_since: T + deprecated_since: null description: Revoke trust. name: identity:delete_trust operations: 
@@ -2799,11 +2650,11 @@ - project - check_str: role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s - deprecated_reason: The trust API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s name: identity:get_trust - deprecated_since: T + deprecated_since: null description: Get trust. name: identity:get_trust operations: @@ -2816,11 +2667,11 @@ - project - check_str: (role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s - deprecated_reason: The user API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: identity:get_user - deprecated_since: S + deprecated_since: null description: Show user details. name: identity:get_user operations: @@ -2833,11 +2684,11 @@ - domain - project - check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s) - deprecated_reason: The user API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_users - deprecated_since: S + deprecated_since: null description: List users. name: identity:list_users operations: @@ -2863,11 +2714,11 @@ path: /v3/auth/domains scope_types: null - check_str: (role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s) - deprecated_reason: The user API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_user - deprecated_since: S + deprecated_since: null description: Create a user. name: identity:create_user operations: 
@@ -2877,11 +2728,11 @@ - system - domain - check_str: (role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s) - deprecated_reason: The user API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_user - deprecated_since: S + deprecated_since: null description: Update a user, including administrative password resets. name: identity:update_user operations: @@ -2891,11 +2742,11 @@ - system - domain - check_str: (role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s) - deprecated_reason: The user API is now aware of system scope and default roles. + deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_user - deprecated_since: S + deprecated_since: null description: Delete a user. name: identity:delete_user operations: diff --git a/openstack_dashboard/conf/default_policies/neutron.yaml b/openstack_dashboard/conf/default_policies/neutron.yaml index 0fa10c8484..d26ccac427 100644 --- a/openstack_dashboard/conf/default_policies/neutron.yaml +++ b/openstack_dashboard/conf/default_policies/neutron.yaml @@ -73,8 +73,7 @@ name: shared_address_groups operations: [] scope_types: null -- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) - or rule:shared_address_groups +- check_str: role:reader and project_id:%(project_id)s or rule:shared_address_groups deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner or rule:shared_address_groups 
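Review bot: The new `check_str` values in this neutron hunk and the ones that follow to the end of the neutron section drop the `system_scope:all` alternatives and leave `role:admin and project_id:%(project_id)s` or `role:member and project_id:%(project_id)s`, with `scope_types` cut down to `- project`, while neighbouring context entries still carry `role:reader and system_scope:all` with `scope_types: - system` (for example the `/log/logs` entry). Horizon evaluates these strings only to decide which actions to render; the service enforces its own defaults, so a Horizon/Neutron skew on scope handling shows up as actions offered and then rejected, or hidden although permitted. That is not a defect in the regenerated data, but the release note or commit message should name the Neutron release these defaults were generated from so operators with policy overrides can compare them against the `deprecated_rule` entries. The hand-corrected names `get_dhcp-networks` and `delete_dhcp-network` under `deprecated_rule` are fine provided they match Neutron's own deprecated rule names, since oslo.policy maps an operator's override of the old name onto the new rule by that name.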
@@ -88,14 +87,13 @@ - method: GET path: /address-groups/{id} scope_types: - - system - project - check_str: field:address_scopes:shared=True description: Definition of a shared address scope name: shared_address_scopes operations: [] scope_types: null -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -107,9 +105,8 @@ - method: POST path: /address-scopes scope_types: - - system - project -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -121,10 +118,8 @@ - method: POST path: /address-scopes scope_types: - - system - project -- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) - or rule:shared_address_scopes +- check_str: role:reader and project_id:%(project_id)s or rule:shared_address_scopes deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner or rule:shared_address_scopes @@ -138,9 +133,8 @@ - method: GET path: /address-scopes/{id} scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -152,9 +146,8 @@ - method: PUT path: /address-scopes/{id} scope_types: - - system - project -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only 
@@ -166,9 +159,8 @@ - method: PUT path: /address-scopes/{id} scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -180,7 +172,6 @@ - method: DELETE path: /address-scopes/{id} scope_types: - - system - project - check_str: role:reader and system_scope:all deprecated_reason: null @@ -240,7 +231,7 @@ deprecated_reason: null deprecated_rule: check_str: rule:admin_only - name: get_dhcp-networs + name: get_dhcp-networks deprecated_since: null description: List networks on a DHCP agent name: get_dhcp-networks @@ -253,7 +244,7 @@ deprecated_reason: null deprecated_rule: check_str: rule:admin_only - name: delete_dhcp-networ + name: delete_dhcp-network deprecated_since: null description: Remove a network from a DHCP agent name: delete_dhcp-network @@ -327,7 +318,7 @@ path: /routers/{router_id}/l3-agents scope_types: - system -- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) +- check_str: role:reader and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -339,9 +330,8 @@ - method: GET path: /auto-allocated-topology/{project_id} scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -353,7 +343,6 @@ - method: DELETE path: /auto-allocated-topology/{project_id} scope_types: - - system - project - check_str: role:reader and system_scope:all deprecated_reason: null 
@@ -517,7 +506,7 @@ path: /flavors/{flavor_id}/service_profiles/{profile_id} scope_types: - system -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -529,9 +518,8 @@ - method: POST path: /floatingips scope_types: - - system - project -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -543,9 +531,8 @@ - method: POST path: /floatingips scope_types: - - system - project -- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) +- check_str: role:reader and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -559,9 +546,8 @@ - method: GET path: /floatingips/{id} scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -573,9 +559,8 @@ - method: PUT path: /floatingips/{id} scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -587,9 +572,8 @@ - method: DELETE path: /floatingips/{id} scope_types: - - system - project -- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) +- check_str: role:reader and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:regular_user 
@@ -601,10 +585,8 @@ - method: GET path: /floatingip_pools scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) - or rule:ext_parent_owner +- check_str: role:member and project_id:%(project_id)s or rule:ext_parent_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner @@ -616,10 +598,8 @@ - method: POST path: /floatingips/{floatingip_id}/port_forwardings scope_types: - - system - project -- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) - or rule:ext_parent_owner +- check_str: role:reader and project_id:%(project_id)s or rule:ext_parent_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner @@ -633,10 +613,8 @@ - method: GET path: /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) - or rule:ext_parent_owner +- check_str: role:member and project_id:%(project_id)s or rule:ext_parent_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner @@ -648,10 +626,8 @@ - method: PUT path: /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) - or rule:ext_parent_owner +- check_str: role:member and project_id:%(project_id)s or rule:ext_parent_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner 
@@ -663,10 +639,8 @@ - method: DELETE path: /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) - or rule:ext_parent_owner +- check_str: role:member and project_id:%(project_id)s or rule:ext_parent_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner @@ -678,10 +652,8 @@ - method: POST path: /routers/{router_id}/conntrack_helpers scope_types: - - system - project -- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) - or rule:ext_parent_owner +- check_str: role:reader and project_id:%(project_id)s or rule:ext_parent_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner @@ -695,10 +667,8 @@ - method: GET path: /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) - or rule:ext_parent_owner +- check_str: role:member and project_id:%(project_id)s or rule:ext_parent_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner @@ -710,10 +680,8 @@ - method: PUT path: /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) - or rule:ext_parent_owner +- check_str: role:member and project_id:%(project_id)s or rule:ext_parent_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner 
@@ -725,7 +693,101 @@ - method: DELETE path: /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} scope_types: - - system + - project +- check_str: role:member and project_id:%(project_id)s + deprecated_reason: null + deprecated_rule: + check_str: rule:regular_user + name: create_local_ip + deprecated_since: null + description: Create a Local IP + name: create_local_ip + operations: + - method: POST + path: /local-ips + scope_types: + - project +- check_str: role:reader and project_id:%(project_id)s + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: get_local_ip + deprecated_since: null + description: Get a Local IP + name: get_local_ip + operations: + - method: GET + path: /local-ips + - method: GET + path: /local-ips/{id} + scope_types: + - project +- check_str: role:member and project_id:%(project_id)s + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: update_local_ip + deprecated_since: null + description: Update a Local IP + name: update_local_ip + operations: + - method: PUT + path: /local-ips/{id} + scope_types: + - project +- check_str: role:member and project_id:%(project_id)s + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: delete_local_ip + deprecated_since: null + description: Delete a Local IP + name: delete_local_ip + operations: + - method: DELETE + path: /local-ips/{id} + scope_types: + - project +- check_str: role:member and project_id:%(project_id)s or rule:ext_parent_owner + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_ext_parent_owner + name: create_local_ip_port_association + deprecated_since: null + description: Create a Local IP port association + name: create_local_ip_port_association + operations: + - method: POST + path: /local_ips/{local_ip_id}/port_associations + scope_types: + - project +- check_str: role:reader and project_id:%(project_id)s or rule:ext_parent_owner + deprecated_reason: null + 
deprecated_rule: + check_str: rule:admin_or_ext_parent_owner + name: get_local_ip_port_association + deprecated_since: null + description: Get a Local IP port association + name: get_local_ip_port_association + operations: + - method: GET + path: /local_ips/{local_ip_id}/port_associations + - method: GET + path: /local_ips/{local_ip_id}/port_associations/{fixed_port_id} + scope_types: + - project +- check_str: role:member and project_id:%(project_id)s or rule:ext_parent_owner + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_ext_parent_owner + name: delete_local_ip_port_association + deprecated_since: null + description: Delete a Local IP port association + name: delete_local_ip_port_association + operations: + - method: DELETE + path: /local_ips/{local_ip_id}/port_associations/{fixed_port_id} + scope_types: - project - check_str: role:reader and system_scope:all deprecated_reason: null @@ -753,7 +815,6 @@ path: /log/logs scope_types: - system - - project - check_str: role:reader and system_scope:all deprecated_reason: null deprecated_rule: @@ -795,7 +856,7 @@ path: /log/logs/{id} scope_types: - system -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -807,9 +868,8 @@ - method: POST path: /metering/metering-labels scope_types: - - system - project -- check_str: role:reader and system_scope:all +- check_str: role:reader and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -823,9 +883,8 @@ - method: GET path: /metering/metering-labels/{id} scope_types: - - system - project -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only 
@@ -837,9 +896,8 @@ - method: DELETE path: /metering/metering-labels/{id} scope_types: - - system - project -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -851,9 +909,8 @@ - method: POST path: /metering/metering-label-rules scope_types: - - system - project -- check_str: role:reader and system_scope:all +- check_str: role:reader and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -867,9 +924,8 @@ - method: GET path: /metering/metering-label-rules/{id} scope_types: - - system - project -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only 
@@ -881,14 +937,67 @@ - method: DELETE path: /metering/metering-label-rules/{id} scope_types: - - system + - project +- check_str: role:member and project_id:%(project_id)s + deprecated_reason: null + deprecated_rule: + check_str: rule:regular_user + name: create_ndp_proxy + deprecated_since: null + description: Create a ndp proxy + name: create_ndp_proxy + operations: + - method: POST + path: /ndp_proxies + scope_types: + - project +- check_str: role:reader and project_id:%(project_id)s + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: get_ndp_proxy + deprecated_since: null + description: Get a ndp proxy + name: get_ndp_proxy + operations: + - method: GET + path: /ndp_proxies + - method: GET + path: /ndp_proxies/{id} + scope_types: + - project +- check_str: role:member and project_id:%(project_id)s + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: update_ndp_proxy + deprecated_since: null + description: Update a ndp proxy + name: update_ndp_proxy + operations: + - method: PUT + path: /ndp_proxies/{id} + scope_types: + - project +- check_str: role:member and project_id:%(project_id)s + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_or_owner + name: delete_ndp_proxy + deprecated_since: null + description: Delete a ndp proxy + name: delete_ndp_proxy + operations: + - method: DELETE + path: /ndp_proxies/{id} + scope_types: - project - check_str: field:networks:router:external=True description: Definition of an external network name: external operations: [] scope_types: null -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:regular_user 
@@ -900,9 +1009,8 @@ - method: POST path: /networks scope_types: - - system - project -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -912,8 +1020,8 @@ name: create_network:shared operations: *id001 scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -923,8 +1031,8 @@ name: create_network:router:external operations: *id001 scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -934,8 +1042,8 @@ name: create_network:is_default operations: *id001 scope_types: - - system -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + - project +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -945,9 +1053,8 @@ name: create_network:port_security_enabled operations: *id001 scope_types: - - system - project -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -957,8 +1064,8 @@ name: create_network:segments operations: *id001 scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -968,8 +1075,8 @@ name: create_network:provider:network_type operations: *id001 scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only 
@@ -979,8 +1086,8 @@ name: create_network:provider:physical_network operations: *id001 scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -990,9 +1097,9 @@ name: create_network:provider:segmentation_id operations: *id001 scope_types: - - system -- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) - or rule:shared or rule:external or rule:context_is_advsvc + - project +- check_str: role:reader and project_id:%(project_id)s or rule:shared or rule:external + or rule:context_is_advsvc deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc @@ -1006,9 +1113,8 @@ - method: GET path: /networks/{id} scope_types: - - system - project -- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) +- check_str: role:reader and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -1018,9 +1124,8 @@ name: get_network:router:external operations: *id002 scope_types: - - system - project -- check_str: role:reader and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1030,8 +1135,8 @@ name: get_network:segments operations: *id002 scope_types: - - system -- check_str: role:reader and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1041,8 +1146,8 @@ name: get_network:provider:network_type operations: *id002 scope_types: - - system -- check_str: role:reader and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only 
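Review bot: The `get_network:segments` and `get_network:provider:*` rules in the later hunks of this line move from `role:reader and system_scope:all` to `role:admin and project_id:%(project_id)s`, which raises the required role from reader to admin and not merely the scope; `deprecated_rule` still points at `rule:admin_only`, so the legacy fallback is unchanged, but a deployment that relied on system-scoped readers seeing provider attributes loses that once `system` is dropped from `scope_types`. Horizon, as far as this file is concerned, uses these defaults for its own display checks, presumably against the user's project-scoped token, so the dashboard effect is that provider attributes become gated on the admin role in the current project. The same reader-to-admin shift appears for the `get_port:binding:*` rules further down. If the commit does not already carry a release note stating this, one is warranted; the affected rule definitions begin outside their hunks (only `name`, `operations`, `scope_types` and `check_str` are visible).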
@@ -1052,8 +1157,8 @@ name: get_network:provider:physical_network operations: *id002 scope_types: - - system -- check_str: role:reader and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1063,8 +1168,8 @@ name: get_network:provider:segmentation_id operations: *id002 scope_types: - - system -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + - project +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -1076,9 +1181,8 @@ - method: PUT path: /networks/{id} scope_types: - - system - project -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1088,8 +1192,8 @@ name: update_network:segments operations: *id003 scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1099,8 +1203,8 @@ name: update_network:shared operations: *id003 scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1110,8 +1214,8 @@ name: update_network:provider:network_type operations: *id003 scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only 
@@ -1121,8 +1225,8 @@ name: update_network:provider:physical_network operations: *id003 scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1132,8 +1236,8 @@ name: update_network:provider:segmentation_id operations: *id003 scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1143,8 +1247,8 @@ name: update_network:router:external operations: *id003 scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1154,8 +1258,8 @@ name: update_network:is_default operations: *id003 scope_types: - - system -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + - project +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -1165,9 +1269,8 @@ name: update_network:port_security_enabled operations: *id003 scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -1179,7 +1282,6 @@ - method: DELETE path: /networks/{id} scope_types: - - system - project - check_str: role:reader and system_scope:all deprecated_reason: null 
@@ -1260,7 +1362,7 @@ name: admin_or_data_plane_int operations: [] scope_types: null -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -1272,10 +1374,9 @@ - method: POST path: /ports scope_types: - - system - project -- check_str: not rule:network_device or role:admin and system_scope:all or role:admin - and project_id:%(project_id)s or rule:context_is_advsvc or rule:network_owner +- check_str: not rule:network_device or role:admin and project_id:%(project_id)s or + rule:context_is_advsvc or rule:network_owner deprecated_reason: null deprecated_rule: check_str: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner @@ -1285,10 +1386,8 @@ name: create_port:device_owner operations: *id004 scope_types: - - system - project -- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all - or role:admin and project_id:%(project_id)s +- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner @@ -1298,10 +1397,9 @@ name: create_port:mac_address operations: *id004 scope_types: - - system - project -- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all - or role:admin and project_id:%(project_id)s or rule:shared +- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s + or rule:shared deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared 
@@ -1311,10 +1409,8 @@ name: create_port:fixed_ips operations: *id004 scope_types: - - system - project -- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all - or role:admin and project_id:%(project_id)s +- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner @@ -1324,10 +1420,9 @@ name: create_port:fixed_ips:ip_address operations: *id004 scope_types: - - system - project -- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all - or role:admin and project_id:%(project_id)s or rule:shared +- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s + or rule:shared deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared @@ -1337,10 +1432,8 @@ name: create_port:fixed_ips:subnet_id operations: *id004 scope_types: - - system - project -- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all - or role:admin and project_id:%(project_id)s +- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner @@ -1350,9 +1443,8 @@ name: create_port:port_security_enabled operations: *id004 scope_types: - - system - project -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1362,8 +1454,8 @@ name: create_port:binding:host_id operations: *id004 scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only 
@@ -1373,8 +1465,8 @@ name: create_port:binding:profile operations: *id004 scope_types: - - system -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + - project +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -1384,10 +1476,8 @@ name: create_port:binding:vnic_type operations: *id004 scope_types: - - system - project -- check_str: role:admin and system_scope:all or role:admin and project_id:%(project_id)s - or rule:network_owner +- check_str: role:admin and project_id:%(project_id)s or rule:network_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner @@ -1398,9 +1488,7 @@ operations: *id004 scope_types: - project - - system -- check_str: role:admin and system_scope:all or role:admin and project_id:%(project_id)s - or rule:network_owner +- check_str: role:admin and project_id:%(project_id)s or rule:network_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner @@ -1412,9 +1500,7 @@ operations: *id004 scope_types: - project - - system -- check_str: role:admin and system_scope:all or role:admin and project_id:%(project_id)s - or rule:network_owner +- check_str: role:admin and project_id:%(project_id)s or rule:network_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner @@ -1426,9 +1512,7 @@ operations: *id004 scope_types: - project - - system -- check_str: rule:context_is_advsvc or (role:reader and system_scope:all) or (role:reader - and project_id:%(project_id)s) +- check_str: rule:context_is_advsvc or role:reader and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_owner_or_network_owner 
@@ -1443,8 +1527,7 @@ path: /ports/{id} scope_types: - project - - system -- check_str: role:reader and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1454,8 +1537,8 @@ name: get_port:binding:vif_type operations: *id005 scope_types: - - system -- check_str: role:reader and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1465,8 +1548,8 @@ name: get_port:binding:vif_details operations: *id005 scope_types: - - system -- check_str: role:reader and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1476,8 +1559,8 @@ name: get_port:binding:host_id operations: *id005 scope_types: - - system -- check_str: role:reader and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1487,8 +1570,8 @@ name: get_port:binding:profile operations: *id005 scope_types: - - system -- check_str: role:reader and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1498,9 +1581,8 @@ name: get_port:resource_request operations: *id005 scope_types: - - system -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) - or rule:context_is_advsvc + - project +- check_str: role:member and project_id:%(project_id)s or rule:context_is_advsvc deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner or rule:context_is_advsvc 
@@ -1512,10 +1594,9 @@ - method: PUT path: /ports/{id} scope_types: - - system - project - check_str: not rule:network_device or rule:context_is_advsvc or rule:network_owner - or role:admin and system_scope:all or role:admin and project_id:%(project_id)s + or role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner @@ -1525,9 +1606,8 @@ name: update_port:device_owner operations: *id006 scope_types: - - system - project -- check_str: role:admin and system_scope:all or rule:context_is_advsvc +- check_str: role:admin and project_id:%(project_id)s or rule:context_is_advsvc deprecated_reason: null deprecated_rule: check_str: rule:admin_only or rule:context_is_advsvc @@ -1537,10 +1617,8 @@ name: update_port:mac_address operations: *id006 scope_types: - - system - project -- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all - or role:admin and project_id:%(project_id)s +- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner @@ -1550,10 +1628,8 @@ name: update_port:fixed_ips operations: *id006 scope_types: - - system - project -- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all - or role:admin and project_id:%(project_id)s +- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner 
@@ -1563,10 +1639,9 @@ name: update_port:fixed_ips:ip_address operations: *id006 scope_types: - - system - project -- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all - or role:admin and project_id:%(project_id)s or rule:shared +- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s + or rule:shared deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared @@ -1576,10 +1651,8 @@ name: update_port:fixed_ips:subnet_id operations: *id006 scope_types: - - system - project -- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all - or role:admin and project_id:%(project_id)s +- check_str: rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner @@ -1589,9 +1662,8 @@ name: update_port:port_security_enabled operations: *id006 scope_types: - - system - project -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1601,8 +1673,8 @@ name: update_port:binding:host_id operations: *id006 scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1612,9 +1684,8 @@ name: update_port:binding:profile operations: *id006 scope_types: - - system -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) - or rule:context_is_advsvc + - project +- check_str: role:member and project_id:%(project_id)s or rule:context_is_advsvc deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner or rule:context_is_advsvc 
@@ -1624,10 +1695,8 @@ name: update_port:binding:vnic_type operations: *id006 scope_types: - - system - project -- check_str: role:admin and system_scope:all or role:admin and project_id:%(project_id)s - or rule:network_owner +- check_str: role:admin and project_id:%(project_id)s or rule:network_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner @@ -1637,10 +1706,8 @@ name: update_port:allowed_address_pairs operations: *id006 scope_types: - - system - project -- check_str: role:admin and system_scope:all or role:admin and project_id:%(project_id)s - or rule:network_owner +- check_str: role:admin and project_id:%(project_id)s or rule:network_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner @@ -1651,10 +1718,8 @@ name: update_port:allowed_address_pairs:mac_address operations: *id006 scope_types: - - system - project -- check_str: role:admin and system_scope:all or role:admin and project_id:%(project_id)s - or rule:network_owner +- check_str: role:admin and project_id:%(project_id)s or rule:network_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner @@ -1664,9 +1729,8 @@ name: update_port:allowed_address_pairs:ip_address operations: *id006 scope_types: - - system - project -- check_str: role:admin and system_scope:all or role:data_plane_integrator +- check_str: role:admin and project_id:%(project_id)s or role:data_plane_integrator deprecated_reason: null deprecated_rule: check_str: rule:admin_or_data_plane_int @@ -1676,10 +1740,8 @@ name: update_port:data_plane_status operations: *id006 scope_types: - - system - project -- check_str: rule:context_is_advsvc or (role:admin and system_scope:all) or (role:member - and project_id:%(project_id)s) +- check_str: rule:context_is_advsvc or role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_owner_or_network_owner 
@@ -1691,9 +1753,8 @@ - method: DELETE path: /ports/{id} scope_types: - - system - project -- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) +- check_str: role:reader and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -1707,9 +1768,8 @@ - method: GET path: /qos/policies/{id} scope_types: - - system - project -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1721,8 +1781,8 @@ - method: POST path: /qos/policies scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1734,8 +1794,8 @@ - method: PUT path: /qos/policies/{id} scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1747,8 +1807,8 @@ - method: DELETE path: /qos/policies/{id} scope_types: - - system -- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + - project +- check_str: role:admin or role:reader and system_scope:all deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -1764,7 +1824,7 @@ scope_types: - system - project -- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) +- check_str: role:reader and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:regular_user 
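Review bot: In the `@@ -1747,8 +1807,8 @@` hunk the new check `role:admin or role:reader and system_scope:all` is the only admin rule in this diff that leaves `role:admin` unscoped; every other new admin check reads `role:admin and project_id:%(project_id)s`. As written, any token carrying the admin role matches regardless of scope while the reader branch is still confined to system scope, and the two branches are joined without parentheses, so the reader must know that oslo.policy evaluates this as `role:admin or (role:reader and system_scope:all)`. The rule's `name` line lies between this hunk and the next, so it cannot be identified from here; it is worth confirming against the upstream definition that the asymmetry is intended rather than a generation artefact, and if it is, `(role:admin) or (role:reader and system_scope:all)` would make the grouping explicit. Note that the following hunk keeps both `system` and `project` in that rule's `scope_types`, unlike the rest of the diff.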
@@ -1778,9 +1838,8 @@ - method: GET path: /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id} scope_types: - - system - project -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1792,8 +1851,8 @@ - method: POST path: /qos/policies/{policy_id}/bandwidth_limit_rules scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1805,8 +1864,8 @@ - method: PUT path: /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id} scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1818,8 +1877,8 @@ - method: DELETE path: /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id} scope_types: - - system -- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + - project +- check_str: role:reader and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -1833,9 +1892,8 @@ - method: GET path: /qos/policies/{policy_id}/dscp_marking_rules/{rule_id} scope_types: - - system - project -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1847,8 +1905,8 @@ - method: POST path: /qos/policies/{policy_id}/dscp_marking_rules scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only 
@@ -1860,8 +1918,8 @@ - method: PUT path: /qos/policies/{policy_id}/dscp_marking_rules/{rule_id} scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1873,8 +1931,8 @@ - method: DELETE path: /qos/policies/{policy_id}/dscp_marking_rules/{rule_id} scope_types: - - system -- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + - project +- check_str: role:reader and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -1888,9 +1946,8 @@ - method: GET path: /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id} scope_types: - - system - project -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1902,8 +1959,8 @@ - method: POST path: /qos/policies/{policy_id}/minimum_bandwidth_rules scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -1915,8 +1972,8 @@ - method: PUT path: /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id} scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only 
@@ -1928,69 +1985,178 @@ - method: DELETE path: /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id} scope_types: - - system -- check_str: rule:get_policy_bandwidth_limit_rule + - project +- check_str: role:reader and project_id:%(project_id)s + description: Get a QoS minimum packet rate rule + name: get_policy_minimum_packet_rate_rule + operations: + - method: GET + path: /qos/policies/{policy_id}/minimum_packet_rate_rules + - method: GET + path: /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id} + scope_types: + - project +- check_str: role:admin and project_id:%(project_id)s + description: Create a QoS minimum packet rate rule + name: create_policy_minimum_packet_rate_rule + operations: + - method: POST + path: /qos/policies/{policy_id}/minimum_packet_rate_rules + scope_types: + - project +- check_str: role:admin and project_id:%(project_id)s + description: Update a QoS minimum packet rate rule + name: update_policy_minimum_packet_rate_rule + operations: + - method: PUT + path: /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id} + scope_types: + - project +- check_str: role:admin and project_id:%(project_id)s + description: Delete a QoS minimum packet rate rule + name: delete_policy_minimum_packet_rate_rule + operations: + - method: DELETE + path: /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id} + scope_types: + - project +- check_str: role:reader and project_id:%(project_id)s + deprecated_reason: null + deprecated_rule: + check_str: rule:regular_user + name: get_alias_bandwidth_limit_rule + deprecated_since: null description: Get a QoS bandwidth limit rule through alias name: get_alias_bandwidth_limit_rule operations: - method: GET path: /qos/alias_bandwidth_limit_rules/{rule_id}/ - scope_types: null -- check_str: rule:update_policy_bandwidth_limit_rule + scope_types: + - project +- check_str: role:admin and project_id:%(project_id)s + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_only + name: 
update_alias_bandwidth_limit_rule + deprecated_since: null description: Update a QoS bandwidth limit rule through alias name: update_alias_bandwidth_limit_rule operations: - method: PUT path: /qos/alias_bandwidth_limit_rules/{rule_id}/ - scope_types: null -- check_str: rule:delete_policy_bandwidth_limit_rule + scope_types: + - project +- check_str: role:admin and project_id:%(project_id)s + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_only + name: delete_alias_bandwidth_limit_rule + deprecated_since: null description: Delete a QoS bandwidth limit rule through alias name: delete_alias_bandwidth_limit_rule operations: - method: DELETE path: /qos/alias_bandwidth_limit_rules/{rule_id}/ - scope_types: null -- check_str: rule:get_policy_dscp_marking_rule + scope_types: + - project +- check_str: role:reader and project_id:%(project_id)s + deprecated_reason: null + deprecated_rule: + check_str: rule:regular_user + name: get_alias_dscp_marking_rule + deprecated_since: null description: Get a QoS DSCP marking rule through alias name: get_alias_dscp_marking_rule operations: - method: GET path: /qos/alias_dscp_marking_rules/{rule_id}/ - scope_types: null -- check_str: rule:update_policy_dscp_marking_rule + scope_types: + - project +- check_str: role:admin and project_id:%(project_id)s + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_only + name: update_alias_dscp_marking_rule + deprecated_since: null description: Update a QoS DSCP marking rule through alias name: update_alias_dscp_marking_rule operations: - method: PUT path: /qos/alias_dscp_marking_rules/{rule_id}/ - scope_types: null -- check_str: rule:delete_policy_dscp_marking_rule + scope_types: + - project +- check_str: role:admin and project_id:%(project_id)s + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_only + name: delete_alias_dscp_marking_rule + deprecated_since: null description: Delete a QoS DSCP marking rule through alias name: 
delete_alias_dscp_marking_rule operations: - method: DELETE path: /qos/alias_dscp_marking_rules/{rule_id}/ - scope_types: null -- check_str: rule:get_policy_minimum_bandwidth_rule + scope_types: + - project +- check_str: role:reader and project_id:%(project_id)s + deprecated_reason: null + deprecated_rule: + check_str: rule:regular_user + name: get_alias_minimum_bandwidth_rule + deprecated_since: null description: Get a QoS minimum bandwidth rule through alias name: get_alias_minimum_bandwidth_rule operations: - method: GET path: /qos/alias_minimum_bandwidth_rules/{rule_id}/ - scope_types: null -- check_str: rule:update_policy_minimum_bandwidth_rule + scope_types: + - project +- check_str: role:admin and project_id:%(project_id)s + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_only + name: update_alias_minimum_bandwidth_rule + deprecated_since: null description: Update a QoS minimum bandwidth rule through alias name: update_alias_minimum_bandwidth_rule operations: - method: PUT path: /qos/alias_minimum_bandwidth_rules/{rule_id}/ - scope_types: null -- check_str: rule:delete_policy_minimum_bandwidth_rule + scope_types: + - project +- check_str: role:admin and project_id:%(project_id)s + deprecated_reason: null + deprecated_rule: + check_str: rule:admin_only + name: delete_alias_minimum_bandwidth_rule + deprecated_since: null description: Delete a QoS minimum bandwidth rule through alias name: delete_alias_minimum_bandwidth_rule operations: - method: DELETE path: /qos/alias_minimum_bandwidth_rules/{rule_id}/ + scope_types: + - project +- check_str: rule:get_policy_minimum_packet_rate_rule + description: Get a QoS minimum packet rate rule through alias + name: get_alias_minimum_packet_rate_rule + operations: + - method: GET + path: /qos/alias_minimum_packet_rate_rules/{rule_id}/ + scope_types: null +- check_str: rule:update_policy_minimum_packet_rate_rule + description: Update a QoS minimum packet rate rule through alias + name: 
update_alias_minimum_packet_rate_rule + operations: + - method: PUT + path: /qos/alias_minimum_packet_rate_rules/{rule_id}/ + scope_types: null +- check_str: rule:delete_policy_minimum_packet_rate_rule + description: Delete a QoS minimum packet rate rule through alias + name: delete_alias_minimum_packet_rate_rule + operations: + - method: DELETE + path: /qos/alias_minimum_packet_rate_rules/{rule_id}/ scope_types: null - check_str: role:reader and system_scope:all deprecated_reason: null @@ -2033,12 +2199,13 @@ path: /quota/{id} scope_types: - system -- check_str: (not field:rbac_policy:target_tenant=*) or rule:admin_only - description: Definition of a wildcard target_tenant +- check_str: (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*) + or rule:admin_only + description: Definition of a wildcard target_project name: restrict_wildcard operations: [] scope_types: null -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -2050,9 +2217,9 @@ - method: POST path: /rbac-policies scope_types: - - system - project -- check_str: role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*) +- check_str: role:admin and project_id:%(project_id)s or (not field:rbac_policy:target_tenant=* + and not field:rbac_policy:target_project=*) deprecated_reason: null deprecated_rule: check_str: rule:restrict_wildcard @@ -2064,9 +2231,8 @@ - method: POST path: /rbac-policies scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner 
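Review bot: The three new alias minimum_packet_rate entries at the end of this hunk keep `scope_types: null` and delegate through `rule:get_policy_minimum_packet_rate_rule`, `rule:update_policy_minimum_packet_rate_rule` and `rule:delete_policy_minimum_packet_rate_rule`, while every other alias rule in the same hunk gained an explicit `role:... and project_id:%(project_id)s` check and `scope_types: - project`. With `scope_types: null` the scope check is skipped for exactly these operations, so the inconsistency is worth a look. If this mirrors the upstream neutron output at the synced revision it is fine; otherwise it suggests a partially regenerated file.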
@@ -2079,8 +2245,8 @@ path: /rbac-policies/{id} scope_types: - project - - system -- check_str: role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*) +- check_str: role:admin and project_id:%(project_id)s or (not field:rbac_policy:target_tenant=* + and not field:rbac_policy:target_project=*) deprecated_reason: null deprecated_rule: check_str: rule:restrict_wildcard and rule:admin_or_owner @@ -2092,9 +2258,8 @@ - method: PUT path: /rbac-policies/{id} scope_types: - - system - project -- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) +- check_str: role:reader and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2109,8 +2274,7 @@ path: /rbac-policies/{id} scope_types: - project - - system -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2123,8 +2287,7 @@ path: /rbac-policies/{id} scope_types: - project - - system -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -2136,9 +2299,8 @@ - method: POST path: /routers scope_types: - - system - project -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -2148,8 +2310,8 @@ name: create_router:distributed operations: *id007 scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only 
@@ -2159,8 +2321,8 @@ name: create_router:ha operations: *id007 scope_types: - - system -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + - project +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2170,9 +2332,8 @@ name: create_router:external_gateway_info operations: *id007 scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2183,9 +2344,8 @@ name: create_router:external_gateway_info:network_id operations: *id007 scope_types: - - system - project -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -2196,8 +2356,8 @@ name: create_router:external_gateway_info:enable_snat operations: *id007 scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -2208,8 +2368,8 @@ name: create_router:external_gateway_info:external_fixed_ips operations: *id007 scope_types: - - system -- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) + - project +- check_str: role:reader and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2223,9 +2383,8 @@ - method: GET path: /routers/{id} scope_types: - - system - project -- check_str: role:reader and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only 
@@ -2235,8 +2394,8 @@ name: get_router:distributed operations: *id008 scope_types: - - system -- check_str: role:reader and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -2246,8 +2405,8 @@ name: get_router:ha operations: *id008 scope_types: - - system -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + - project +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2259,9 +2418,8 @@ - method: PUT path: /routers/{id} scope_types: - - system - project -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -2271,8 +2429,8 @@ name: update_router:distributed operations: *id009 scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -2282,8 +2440,8 @@ name: update_router:ha operations: *id009 scope_types: - - system -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + - project +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2293,9 +2451,8 @@ name: update_router:external_gateway_info operations: *id009 scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner 
@@ -2306,9 +2463,8 @@ name: update_router:external_gateway_info:network_id operations: *id009 scope_types: - - system - project -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -2319,8 +2475,8 @@ name: update_router:external_gateway_info:enable_snat operations: *id009 scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -2331,8 +2487,8 @@ name: update_router:external_gateway_info:external_fixed_ips operations: *id009 scope_types: - - system -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + - project +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2344,9 +2500,8 @@ - method: DELETE path: /routers/{id} scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2358,9 +2513,8 @@ - method: PUT path: /routers/{id}/add_router_interface scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2372,9 +2526,8 @@ - method: PUT path: /routers/{id}/remove_router_interface scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner 
@@ -2386,9 +2539,8 @@ - method: PUT path: /routers/{id}/add_extraroutes scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2400,7 +2552,6 @@ - method: PUT path: /routers/{id}/remove_extraroutes scope_types: - - system - project - check_str: rule:context_is_admin or tenant_id:%(security_group:tenant_id)s description: Rule for admin or security group owner access @@ -2412,7 +2563,7 @@ name: admin_owner_or_sg_owner operations: [] scope_types: null -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2424,9 +2575,8 @@ - method: POST path: /security-groups scope_types: - - system - project -- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) +- check_str: role:reader and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -2440,9 +2590,8 @@ - method: GET path: /security-groups/{id} scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2454,9 +2603,8 @@ - method: PUT path: /security-groups/{id} scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner 
@@ -2468,9 +2616,8 @@ - method: DELETE path: /security-groups/{id} scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2482,10 +2629,8 @@ - method: POST path: /security-group-rules scope_types: - - system - project -- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) - or rule:sg_owner +- check_str: role:reader and project_id:%(project_id)s or rule:sg_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_owner_or_sg_owner @@ -2499,9 +2644,8 @@ - method: GET path: /security-group-rules/{id} scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2513,7 +2657,6 @@ - method: DELETE path: /security-group-rules/{id} scope_types: - - system - project - check_str: role:admin and system_scope:all deprecated_reason: null @@ -2583,8 +2726,7 @@ scope_types: - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) - or rule:network_owner +- check_str: role:member and project_id:%(project_id)s or rule:network_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner @@ -2596,9 +2738,8 @@ - method: POST path: /subnets scope_types: - - system - project -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only 
@@ -2608,8 +2749,8 @@ name: create_subnet:segment_id operations: *id010 scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -2619,9 +2760,8 @@ name: create_subnet:service_types operations: *id010 scope_types: - - system -- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) - or rule:shared + - project +- check_str: role:reader and project_id:%(project_id)s or rule:shared deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner or rule:shared @@ -2635,9 +2775,8 @@ - method: GET path: /subnets/{id} scope_types: - - system - project -- check_str: role:reader and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -2647,9 +2786,8 @@ name: get_subnet:segment_id operations: *id011 scope_types: - - system -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) - or rule:network_owner + - project +- check_str: role:member and project_id:%(project_id)s or rule:network_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner @@ -2661,9 +2799,8 @@ - method: PUT path: /subnets/{id} scope_types: - - system - project -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -2673,8 +2810,8 @@ name: update_subnet:segment_id operations: *id012 scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only 
@@ -2684,9 +2821,8 @@ name: update_subnet:service_types operations: *id012 scope_types: - - system -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) - or rule:network_owner + - project +- check_str: role:member and project_id:%(project_id)s or rule:network_owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner @@ -2698,14 +2834,13 @@ - method: DELETE path: /subnets/{id} scope_types: - - system - project - check_str: field:subnetpools:shared=True description: Definition of a shared subnetpool name: shared_subnetpools operations: [] scope_types: null -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -2718,8 +2853,7 @@ path: /subnetpools scope_types: - project - - system -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -2731,8 +2865,8 @@ - method: POST path: /subnetpools scope_types: - - system -- check_str: role:admin and system_scope:all + - project +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -2744,9 +2878,8 @@ - method: POST path: /subnetpools scope_types: - - system -- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) - or rule:shared_subnetpools + - project +- check_str: role:reader and project_id:%(project_id)s or rule:shared_subnetpools deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner or rule:shared_subnetpools 
@@ -2760,9 +2893,8 @@ - method: GET path: /subnetpools/{id} scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2774,9 +2906,8 @@ - method: PUT path: /subnetpools/{id} scope_types: - - system - project -- check_str: role:admin and system_scope:all +- check_str: role:admin and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_only @@ -2788,8 +2919,8 @@ - method: PUT path: /subnetpools/{id} scope_types: - - system -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) + - project +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2801,9 +2932,8 @@ - method: DELETE path: /subnetpools/{id} scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2815,9 +2945,8 @@ - method: PUT path: /subnetpools/{id}/onboard_network_subnets scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2829,9 +2958,8 @@ - method: PUT path: /subnetpools/{id}/add_prefixes scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner 
@@ -2843,9 +2971,8 @@ - method: PUT path: /subnetpools/{id}/remove_prefixes scope_types: - - system - project -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -2858,8 +2985,7 @@ path: /trunks scope_types: - project - - system -- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) +- check_str: role:reader and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2874,8 +3000,7 @@ path: /trunks/{id} scope_types: - project - - system -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2888,8 +3013,7 @@ path: /trunks/{id} scope_types: - project - - system -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2902,8 +3026,7 @@ path: /trunks/{id} scope_types: - project - - system -- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) +- check_str: role:reader and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:regular_user @@ -2916,8 +3039,7 @@ path: /trunks/{id}/get_subports scope_types: - project - - system -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner 
@@ -2930,8 +3052,7 @@ path: /trunks/{id}/add_subports scope_types: - project - - system -- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) +- check_str: role:member and project_id:%(project_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner @@ -2944,4 +3065,3 @@ path: /trunks/{id}/remove_subports scope_types: - project - - system diff --git a/openstack_dashboard/conf/default_policies/nova.yaml b/openstack_dashboard/conf/default_policies/nova.yaml index 0c593877b9..35132129b9 100644 --- a/openstack_dashboard/conf/default_policies/nova.yaml +++ b/openstack_dashboard/conf/default_policies/nova.yaml @@ -1,4 +1,9 @@ - check_str: role:admin + deprecated_reason: null + deprecated_rule: + check_str: is_admin:True + name: rule:admin_api + deprecated_since: null description: Decides what is required for the 'is_admin:True' check to succeed. name: context_is_admin operations: [] 
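Review bot: The `deprecated_rule` added to `context_is_admin` carries `deprecated_reason: null` and `deprecated_since: null`, and the same pattern replaces the previous reason text and `deprecated_since: 21.0.0` throughout the following nova hunk (`@@ -35,147 +40,71 @@`) and the `@@ -247,109 +176,73 @@` hunk that runs past this chunk. Dropping the reason makes the deprecation warning operators see uninformative. Newer oslo.policy attaches these fields to the `DeprecatedRule` object rather than to the parent rule, so this looks like the generator reading them from the old location — worth confirming against the upstream nova policy source before accepting the null values.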
@@ -35,147 +40,71 @@ name: admin_api operations: [] scope_types: null -- check_str: role:admin and system_scope:all - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' - deprecated_rule: - check_str: is_admin:True - name: rule:admin_api - deprecated_since: 21.0.0 - description: Default rule for System Admin APIs. - name: system_admin_api - operations: [] - scope_types: null -- check_str: role:reader and system_scope:all - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' - deprecated_rule: - check_str: is_admin:True - name: rule:admin_api - deprecated_since: 21.0.0 - description: Default rule for System level read only APIs. - name: system_reader_api - operations: [] - scope_types: null - check_str: role:admin and project_id:%(project_id)s - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' + deprecated_reason: null deprecated_rule: check_str: is_admin:True name: rule:admin_api - deprecated_since: 21.0.0 + deprecated_since: null description: Default rule for Project level admin APIs. name: project_admin_api operations: [] scope_types: null - check_str: role:member and project_id:%(project_id)s - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. 
- - ' + deprecated_reason: null deprecated_rule: check_str: is_admin:True or project_id:%(project_id)s name: rule:admin_or_owner - deprecated_since: 21.0.0 + deprecated_since: null description: Default rule for Project level non admin APIs. name: project_member_api operations: [] scope_types: null - check_str: role:reader and project_id:%(project_id)s + deprecated_reason: null + deprecated_rule: + check_str: is_admin:True or project_id:%(project_id)s + name: rule:admin_or_owner + deprecated_since: null description: Default rule for Project level read only APIs. name: project_reader_api operations: [] scope_types: null -- check_str: rule:system_admin_api or rule:project_member_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_reader_api or rule:context_is_admin + deprecated_reason: null deprecated_rule: check_str: is_admin:True or project_id:%(project_id)s name: rule:admin_or_owner - deprecated_since: 21.0.0 - description: Default rule for System admin+owner APIs. - name: system_admin_or_owner + deprecated_since: null + description: Default rule for Project reader and admin APIs. + name: project_reader_or_admin operations: [] scope_types: null -- check_str: rule:system_reader_api or rule:project_reader_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' - deprecated_rule: - check_str: is_admin:True or project_id:%(project_id)s - name: rule:admin_or_owner - deprecated_since: 21.0.0 - description: Default rule for System+Project read only APIs. 
- name: system_or_project_reader - operations: [] - scope_types: null -- check_str: rule:system_admin_api +- check_str: rule:project_admin_api description: Reset the state of a given server name: os_compute_api:os-admin-actions:reset_state operations: - method: POST path: /servers/{server_id}/action (os-resetState) scope_types: - - system - project -- check_str: rule:system_admin_api +- check_str: rule:project_admin_api description: Inject network information into the server name: os_compute_api:os-admin-actions:inject_network_info operations: - method: POST path: /servers/{server_id}/action (injectNetworkInfo) scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Change the administrative password for a server name: os_compute_api:os-admin-password operations: - method: POST path: /servers/{server_id}/action (changePassword) scope_types: - - system - project -- check_str: rule:system_admin_api +- check_str: rule:context_is_admin description: Create or replace metadata for an aggregate name: os_compute_api:os-aggregates:set_metadata operations: @@ -183,7 +112,7 @@ path: /os-aggregates/{aggregate_id}/action (set_metadata) scope_types: - system -- check_str: rule:system_admin_api +- check_str: rule:context_is_admin description: Add a host to an aggregate name: os_compute_api:os-aggregates:add_host operations: @@ -191,7 +120,7 @@ path: /os-aggregates/{aggregate_id}/action (add_host) scope_types: - system -- check_str: rule:system_admin_api +- check_str: rule:context_is_admin description: Create an aggregate name: os_compute_api:os-aggregates:create operations: @@ -199,7 +128,7 @@ path: /os-aggregates scope_types: - system -- check_str: rule:system_admin_api +- check_str: rule:context_is_admin description: Remove a host from an aggregate name: os_compute_api:os-aggregates:remove_host operations: 
@@ -207,7 +136,7 @@ path: /os-aggregates/{aggregate_id}/action (remove_host) scope_types: - system -- check_str: rule:system_admin_api +- check_str: rule:context_is_admin description: Update name and/or availability zone for an aggregate name: os_compute_api:os-aggregates:update operations: @@ -215,7 +144,7 @@ path: /os-aggregates/{aggregate_id} scope_types: - system -- check_str: rule:system_reader_api +- check_str: rule:context_is_admin description: List all aggregates name: os_compute_api:os-aggregates:index operations: @@ -223,7 +152,7 @@ path: /os-aggregates scope_types: - system -- check_str: rule:system_admin_api +- check_str: rule:context_is_admin description: Delete an aggregate name: os_compute_api:os-aggregates:delete operations: @@ -231,7 +160,7 @@ path: /os-aggregates/{aggregate_id} scope_types: - system -- check_str: rule:system_reader_api +- check_str: rule:context_is_admin description: Show details for an aggregate name: os_compute_api:os-aggregates:show operations: @@ -239,7 +168,7 @@ path: /os-aggregates/{aggregate_id} scope_types: - system -- check_str: rule:system_admin_api +- check_str: rule:context_is_admin description: Request image caching for an aggregate name: compute:aggregates:images operations: 
@@ -247,109 +176,73 @@ path: /os-aggregates/{aggregate_id}/images scope_types: - system -- check_str: rule:system_admin_api +- check_str: rule:context_is_admin description: Create an assisted volume snapshot name: os_compute_api:os-assisted-volume-snapshots:create operations: - method: POST path: /os-assisted-volume-snapshots scope_types: - - system -- check_str: rule:system_admin_api + - project +- check_str: rule:context_is_admin description: Delete an assisted volume snapshot name: os_compute_api:os-assisted-volume-snapshots:delete operations: - method: DELETE path: /os-assisted-volume-snapshots/{snapshot_id} scope_types: - - system -- check_str: rule:system_or_project_reader - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' + - project +- check_str: rule:project_reader_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-attach-interfaces - deprecated_since: 21.0.0 + deprecated_since: null description: List port interfaces attached to a server name: os_compute_api:os-attach-interfaces:list operations: - method: GET path: /servers/{server_id}/os-interface scope_types: - - system - project -- check_str: rule:system_or_project_reader - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. 
- - ' +- check_str: rule:project_reader_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-attach-interfaces - deprecated_since: 21.0.0 + deprecated_since: null description: Show details of a port interface attached to a server name: os_compute_api:os-attach-interfaces:show operations: - method: GET path: /servers/{server_id}/os-interface/{port_id} scope_types: - - system - project -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-attach-interfaces - deprecated_since: 21.0.0 + deprecated_since: null description: Attach an interface to a server name: os_compute_api:os-attach-interfaces:create operations: - method: POST path: /servers/{server_id}/os-interface scope_types: - - system - project -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-attach-interfaces - deprecated_since: 21.0.0 + deprecated_since: null description: Detach an interface from a server name: os_compute_api:os-attach-interfaces:delete operations: - method: DELETE path: /servers/{server_id}/os-interface/{port_id} scope_types: - - system - project - check_str: '@' description: List availability zone information without host information 
@@ -360,7 +253,7 @@ scope_types: - system - project -- check_str: rule:system_reader_api +- check_str: rule:context_is_admin description: List detailed availability zone information with host information name: os_compute_api:os-availability-zone:detail operations: @@ -368,20 +261,12 @@ path: /os-availability-zone/detail scope_types: - system -- check_str: rule:system_reader_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:context_is_admin + deprecated_reason: null deprecated_rule: check_str: rule:admin_api name: os_compute_api:os-baremetal-nodes - deprecated_since: 22.0.0 + deprecated_since: null description: 'List and show details of bare metal nodes. @@ -394,20 +279,12 @@ path: /os-baremetal-nodes scope_types: - system -- check_str: rule:system_reader_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:context_is_admin + deprecated_reason: null deprecated_rule: check_str: rule:admin_api name: os_compute_api:os-baremetal-nodes - deprecated_since: 22.0.0 + deprecated_since: null description: Show action details for a server. name: os_compute_api:os-baremetal-nodes:show operations: @@ -415,7 +292,7 @@ path: /os-baremetal-nodes/{node_id} scope_types: - system -- check_str: rule:system_reader_api +- check_str: rule:project_admin_api description: Show console connection information for a given console authentication token name: os_compute_api:os-console-auth-tokens 
@@ -423,79 +300,58 @@ - method: GET path: /os-console-auth-tokens/{console_token} scope_types: - - system -- check_str: rule:system_admin_or_owner + - project +- check_str: rule:project_member_api description: Show console output for a server name: os_compute_api:os-console-output operations: - method: POST path: /servers/{server_id}/action (os-getConsoleOutput) scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Create a back up of a server name: os_compute_api:os-create-backup operations: - method: POST path: /servers/{server_id}/action (createBackup) scope_types: - - system - project -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-deferred-delete - deprecated_since: 21.0.0 + deprecated_since: null description: Restore a soft deleted server name: os_compute_api:os-deferred-delete:restore operations: - method: POST path: /servers/{server_id}/action (restore) scope_types: - - system - project -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. 
- - ' +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-deferred-delete - deprecated_since: 21.0.0 + deprecated_since: null description: Force delete a server before deferred cleanup name: os_compute_api:os-deferred-delete:force operations: - method: POST path: /servers/{server_id}/action (forceDelete) scope_types: - - system - project -- check_str: rule:system_admin_api +- check_str: rule:project_admin_api description: Evacuate a server from a failed host to a new host name: os_compute_api:os-evacuate operations: - method: POST path: /servers/{server_id}/action (evacuate) scope_types: - - system - project -- check_str: rule:system_admin_api +- check_str: rule:project_admin_api description: 'Return extended attributes for server. @@ -527,6 +383,15 @@ also controlled by this policy rule, like the ``GET /servers*`` APIs. + + Microversion 2.90 made the ``OS-EXT-SRV-ATTR:hostname`` attribute available to + + all users, so this policy has no effect on that field for microversions 2.90 + + and greater. Controlling the visibility of this attribute for all microversions + + is therefore deprecated and will be removed in a future release. + ' name: os_compute_api:os-extended-server-attributes operations: @@ -539,7 +404,6 @@ - method: POST path: /servers/{server_id}/action (rebuild) scope_types: - - system - project - check_str: '@' description: List available extensions and show information for an extension by @@ -553,7 +417,7 @@ scope_types: - system - project -- check_str: rule:system_admin_api +- check_str: rule:context_is_admin description: Add flavor access to a tenant name: os_compute_api:os-flavor-access:add_tenant_access operations: 
@@ -561,7 +425,7 @@ path: /flavors/{flavor_id}/action (addTenantAccess) scope_types: - system -- check_str: rule:system_admin_api +- check_str: rule:context_is_admin description: Remove flavor access from a tenant name: os_compute_api:os-flavor-access:remove_tenant_access operations: @@ -569,20 +433,12 @@ path: /flavors/{flavor_id}/action (removeTenantAccess) scope_types: - system -- check_str: rule:system_reader_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:context_is_admin + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-flavor-access - deprecated_since: 21.0.0 + deprecated_since: null description: 'List flavor access information @@ -597,7 +453,7 @@ path: /flavors/{flavor_id}/os-flavor-access scope_types: - system -- check_str: rule:system_or_project_reader +- check_str: rule:project_reader_or_admin description: Show an extra spec for a flavor name: os_compute_api:os-flavor-extra-specs:show operations: @@ -606,7 +462,7 @@ scope_types: - system - project -- check_str: rule:system_admin_api +- check_str: rule:context_is_admin description: Create extra specs for a flavor name: os_compute_api:os-flavor-extra-specs:create operations: @@ -614,7 +470,7 @@ path: /flavors/{flavor_id}/os-extra_specs/ scope_types: - system -- check_str: rule:system_admin_api +- check_str: rule:context_is_admin description: Update an extra spec for a flavor name: os_compute_api:os-flavor-extra-specs:update operations: @@ -622,7 +478,7 @@ path: /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key} scope_types: - system -- check_str: rule:system_admin_api +- check_str: rule:context_is_admin description: Delete an extra spec for a flavor name: os_compute_api:os-flavor-extra-specs:delete operations: 
@@ -630,23 +486,13 @@ path: /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key} scope_types: - system -- check_str: rule:system_or_project_reader - description: List extra specs for a flavor. Starting with microversion 2.47, the - flavor used for a server is also returned in the response when showing server - details, updating a server or rebuilding a server. Starting with microversion - 2.61, extra specs may be returned in responses for the flavor resource. +- check_str: rule:project_reader_or_admin + description: List extra specs for a flavor. Starting with microversion 2.61, extra + specs may be returned in responses for the flavor resource. name: os_compute_api:os-flavor-extra-specs:index operations: - method: GET path: /flavors/{flavor_id}/os-extra_specs/ - - method: GET - path: /servers/detail - - method: GET - path: /servers/{server_id} - - method: PUT - path: /servers/{server_id} - - method: POST - path: /servers/{server_id}/action (rebuild) - method: POST path: /flavors - method: GET @@ -658,7 +504,7 @@ scope_types: - system - project -- check_str: rule:system_admin_api +- check_str: rule:context_is_admin description: Create a flavor name: os_compute_api:os-flavor-manage:create operations: @@ -666,7 +512,7 @@ path: /flavors scope_types: - system -- check_str: rule:system_admin_api +- check_str: rule:context_is_admin description: Update a flavor name: os_compute_api:os-flavor-manage:update operations: @@ -674,7 +520,7 @@ path: /flavors/{flavor_id} scope_types: - system -- check_str: rule:system_admin_api +- check_str: rule:context_is_admin description: Delete a flavor name: os_compute_api:os-flavor-manage:delete operations: 
@@ -691,152 +537,90 @@ scope_types: - system - project -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-floating-ips - deprecated_since: 22.0.0 + deprecated_since: null description: Associate floating IPs to server. This API is deprecated. name: os_compute_api:os-floating-ips:add operations: - method: POST path: /servers/{server_id}/action (addFloatingIp) scope_types: - - system - project -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-floating-ips - deprecated_since: 22.0.0 + deprecated_since: null description: Disassociate floating IPs to server. This API is deprecated. name: os_compute_api:os-floating-ips:remove operations: - method: POST path: /servers/{server_id}/action (removeFloatingIp) scope_types: - - system - project -- check_str: rule:system_or_project_reader - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_reader_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-floating-ips - deprecated_since: 22.0.0 + deprecated_since: null description: List floating IPs. This API is deprecated. 
name: os_compute_api:os-floating-ips:list operations: - method: GET path: /os-floating-ips scope_types: - - system - project -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-floating-ips - deprecated_since: 22.0.0 + deprecated_since: null description: Create floating IPs. This API is deprecated. name: os_compute_api:os-floating-ips:create operations: - method: POST path: /os-floating-ips scope_types: - - system - project -- check_str: rule:system_or_project_reader - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_reader_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-floating-ips - deprecated_since: 22.0.0 + deprecated_since: null description: Show floating IPs. This API is deprecated. name: os_compute_api:os-floating-ips:show operations: - method: GET path: /os-floating-ips/{floating_ip_id} scope_types: - - system - project -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-floating-ips - deprecated_since: 22.0.0 + deprecated_since: null description: Delete floating IPs. This API is deprecated. 
name: os_compute_api:os-floating-ips:delete operations: - method: DELETE path: /os-floating-ips/{floating_ip_id} scope_types: - - system - project -- check_str: rule:system_reader_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:context_is_admin + deprecated_reason: null deprecated_rule: check_str: rule:admin_api name: os_compute_api:os-hosts - deprecated_since: 22.0.0 + deprecated_since: null description: 'List physical hosts. @@ -847,20 +631,12 @@ path: /os-hosts scope_types: - system -- check_str: rule:system_reader_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:context_is_admin + deprecated_reason: null deprecated_rule: check_str: rule:admin_api name: os_compute_api:os-hosts - deprecated_since: 22.0.0 + deprecated_since: null description: 'Show physical host. @@ -871,20 +647,12 @@ path: /os-hosts/{host_name} scope_types: - system -- check_str: rule:system_admin_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:context_is_admin + deprecated_reason: null deprecated_rule: check_str: rule:admin_api name: os_compute_api:os-hosts - deprecated_since: 22.0.0 + deprecated_since: null description: 'Update physical host. 
@@ -895,20 +663,12 @@ path: /os-hosts/{host_name} scope_types: - system -- check_str: rule:system_admin_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:context_is_admin + deprecated_reason: null deprecated_rule: check_str: rule:admin_api name: os_compute_api:os-hosts - deprecated_since: 22.0.0 + deprecated_since: null description: 'Reboot physical host. @@ -919,20 +679,12 @@ path: /os-hosts/{host_name}/reboot scope_types: - system -- check_str: rule:system_admin_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:context_is_admin + deprecated_reason: null deprecated_rule: check_str: rule:admin_api name: os_compute_api:os-hosts - deprecated_since: 22.0.0 + deprecated_since: null description: 'Shutdown physical host. @@ -943,20 +695,12 @@ path: /os-hosts/{host_name}/shutdown scope_types: - system -- check_str: rule:system_admin_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:context_is_admin + deprecated_reason: null deprecated_rule: check_str: rule:admin_api name: os_compute_api:os-hosts - deprecated_since: 22.0.0 + deprecated_since: null description: 'Start physical host. 
@@ -967,20 +711,12 @@ path: /os-hosts/{host_name}/startup scope_types: - system -- check_str: rule:system_reader_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:context_is_admin + deprecated_reason: null deprecated_rule: check_str: rule:admin_api name: os_compute_api:os-hypervisors - deprecated_since: 21.0.0 + deprecated_since: null description: List all hypervisors. name: os_compute_api:os-hypervisors:list operations: @@ -988,20 +724,12 @@ path: /os-hypervisors scope_types: - system -- check_str: rule:system_reader_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:context_is_admin + deprecated_reason: null deprecated_rule: check_str: rule:admin_api name: os_compute_api:os-hypervisors - deprecated_since: 21.0.0 + deprecated_since: null description: List all hypervisors with details name: os_compute_api:os-hypervisors:list-detail operations: @@ -1009,20 +737,12 @@ path: /os-hypervisors/details scope_types: - system -- check_str: rule:system_reader_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:context_is_admin + deprecated_reason: null deprecated_rule: check_str: rule:admin_api name: os_compute_api:os-hypervisors - deprecated_since: 21.0.0 + deprecated_since: null description: Show summary statistics for all hypervisors over all compute nodes. name: os_compute_api:os-hypervisors:statistics operations: 
@@ -1030,20 +750,12 @@ path: /os-hypervisors/statistics scope_types: - system -- check_str: rule:system_reader_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:context_is_admin + deprecated_reason: null deprecated_rule: check_str: rule:admin_api name: os_compute_api:os-hypervisors - deprecated_since: 21.0.0 + deprecated_since: null description: Show details for a hypervisor. name: os_compute_api:os-hypervisors:show operations: @@ -1051,20 +763,12 @@ path: /os-hypervisors/{hypervisor_id} scope_types: - system -- check_str: rule:system_reader_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:context_is_admin + deprecated_reason: null deprecated_rule: check_str: rule:admin_api name: os_compute_api:os-hypervisors - deprecated_since: 21.0.0 + deprecated_since: null description: Show the uptime of a hypervisor. name: os_compute_api:os-hypervisors:uptime operations: @@ -1072,20 +776,12 @@ path: /os-hypervisors/{hypervisor_id}/uptime scope_types: - system -- check_str: rule:system_reader_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:context_is_admin + deprecated_reason: null deprecated_rule: check_str: rule:admin_api name: os_compute_api:os-hypervisors - deprecated_since: 21.0.0 + deprecated_since: null description: Search hypervisor by hypervisor_hostname pattern. name: os_compute_api:os-hypervisors:search operations: 
@@ -1093,20 +789,12 @@ path: /os-hypervisors/{hypervisor_hostname_pattern}/search scope_types: - system -- check_str: rule:system_reader_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:context_is_admin + deprecated_reason: null deprecated_rule: check_str: rule:admin_api name: os_compute_api:os-hypervisors - deprecated_since: 21.0.0 + deprecated_since: null description: List all servers on hypervisors that can match the provided hypervisor_hostname pattern. name: os_compute_api:os-hypervisors:servers @@ -1115,7 +803,7 @@ path: /os-hypervisors/{hypervisor_hostname_pattern}/servers scope_types: - system -- check_str: rule:system_reader_api +- check_str: rule:project_admin_api description: 'Add "details" key in action events for a server. @@ -1141,9 +829,8 @@ - method: GET path: /servers/{server_id}/os-instance-actions/{request_id} scope_types: - - system - project -- check_str: rule:system_reader_api +- check_str: rule:project_admin_api description: 'Add events details in action details for a server. This check is performed only after the check 
@@ -1162,66 +849,39 @@ - method: GET path: /servers/{server_id}/os-instance-actions/{request_id} scope_types: - - system - project -- check_str: rule:system_or_project_reader - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_reader_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-instance-actions - deprecated_since: 21.0.0 + deprecated_since: null description: List actions for a server. name: os_compute_api:os-instance-actions:list operations: - method: GET path: /servers/{server_id}/os-instance-actions scope_types: - - system - project -- check_str: rule:system_or_project_reader - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_reader_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-instance-actions - deprecated_since: 21.0.0 + deprecated_since: null description: Show action details for a server. name: os_compute_api:os-instance-actions:show operations: - method: GET path: /servers/{server_id}/os-instance-actions/{request_id} scope_types: - - system - project -- check_str: rule:system_reader_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:context_is_admin + deprecated_reason: null deprecated_rule: check_str: rule:admin_api name: os_compute_api:os-instance-usage-audit-log - deprecated_since: 21.0.0 + deprecated_since: null description: List all usage audits. 
name: os_compute_api:os-instance-usage-audit-log:list operations: @@ -1229,20 +889,12 @@ path: /os-instance_usage_audit_log scope_types: - system -- check_str: rule:system_reader_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:context_is_admin + deprecated_reason: null deprecated_rule: check_str: rule:admin_api name: os_compute_api:os-instance-usage-audit-log - deprecated_since: 21.0.0 + deprecated_since: null description: List all usage audits occurred before a specified time for all servers on all compute hosts where usage auditing is configured name: os_compute_api:os-instance-usage-audit-log:show @@ -1251,25 +903,23 @@ path: /os-instance_usage_audit_log/{before_timestamp} scope_types: - system -- check_str: rule:system_or_project_reader +- check_str: rule:project_reader_api description: Show IP addresses details for a network label of a server name: os_compute_api:ips:show operations: - method: GET path: /servers/{server_id}/ips/{network_label} scope_types: - - system - project -- check_str: rule:system_or_project_reader +- check_str: rule:project_reader_api description: List IP addresses that are assigned to a server name: os_compute_api:ips:index operations: - method: GET path: /servers/{server_id}/ips scope_types: - - system - project -- check_str: (rule:system_reader_api) or user_id:%(user_id)s +- check_str: (rule:context_is_admin) or user_id:%(user_id)s description: List all keypairs name: os_compute_api:os-keypairs:index operations: @@ -1278,7 +928,7 @@ scope_types: - system - project -- check_str: (rule:system_admin_api) or user_id:%(user_id)s +- check_str: (rule:context_is_admin) or user_id:%(user_id)s description: Create a keypair name: os_compute_api:os-keypairs:create operations: 
@@ -1287,7 +937,7 @@ scope_types: - system - project -- check_str: (rule:system_admin_api) or user_id:%(user_id)s +- check_str: (rule:context_is_admin) or user_id:%(user_id)s description: Delete a keypair name: os_compute_api:os-keypairs:delete operations: @@ -1296,7 +946,7 @@ scope_types: - system - project -- check_str: (rule:system_reader_api) or user_id:%(user_id)s +- check_str: (rule:context_is_admin) or user_id:%(user_id)s description: Show details of a keypair name: os_compute_api:os-keypairs:show operations: @@ -1312,22 +962,13 @@ - method: GET path: /limits scope_types: - - system - project -- check_str: rule:system_reader_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_admin_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_api name: os_compute_api:os-used-limits - deprecated_since: 21.0.0 + deprecated_since: null description: 'Show rate and absolute limits of other project. @@ -1341,26 +982,24 @@ - method: GET path: /limits scope_types: - - system -- check_str: rule:system_admin_or_owner + - project +- check_str: rule:project_member_api description: Lock a server name: os_compute_api:os-lock-server:lock operations: - method: POST path: /servers/{server_id}/action (lock) scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Unlock a server name: os_compute_api:os-lock-server:unlock operations: - method: POST path: /servers/{server_id}/action (unlock) scope_types: - - system - project -- check_str: rule:system_admin_api +- check_str: rule:project_admin_api description: 'Unlock a server, regardless who locked the server. 
@@ -1372,48 +1011,37 @@ - method: POST path: /servers/{server_id}/action (unlock) scope_types: - - system - project -- check_str: rule:system_admin_api +- check_str: rule:project_admin_api description: Cold migrate a server to a host name: os_compute_api:os-migrate-server:migrate operations: - method: POST path: /servers/{server_id}/action (migrate) scope_types: - - system - project -- check_str: rule:system_admin_api +- check_str: rule:project_admin_api description: Live migrate a server to a new host without a reboot name: os_compute_api:os-migrate-server:migrate_live operations: - method: POST path: /servers/{server_id}/action (os-migrateLive) scope_types: - - system - project -- check_str: rule:system_reader_api +- check_str: rule:project_admin_api description: List migrations name: os_compute_api:os-migrations:index operations: - method: GET path: /os-migrations scope_types: - - system -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' + - project +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-multinic - deprecated_since: 22.0.0 + deprecated_since: null description: 'Add a fixed IP address to a server. 
@@ -1425,22 +1053,13 @@ - method: POST path: /servers/{server_id}/action (addFixedIp) scope_types: - - system - project -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-multinic - deprecated_since: 22.0.0 + deprecated_since: null description: 'Remove a fixed IP address from a server. @@ -1452,22 +1071,13 @@ - method: POST path: /servers/{server_id}/action (removeFixedIp) scope_types: - - system - project -- check_str: rule:system_or_project_reader - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_reader_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-networks:view - deprecated_since: 22.0.0 + deprecated_since: null description: 'List networks for the project. @@ -1477,22 +1087,13 @@ - method: GET path: /os-networks scope_types: - - system - project -- check_str: rule:system_or_project_reader - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_reader_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-networks:view - deprecated_since: 22.0.0 + deprecated_since: null description: 'Show network details. 
@@ -1502,27 +1103,24 @@ - method: GET path: /os-networks/{network_id} scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Pause a server name: os_compute_api:os-pause-server:pause operations: - method: POST path: /servers/{server_id}/action (pause) scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Unpause a paused server name: os_compute_api:os-pause-server:unpause operations: - method: POST path: /servers/{server_id}/action (unpause) scope_types: - - system - project -- check_str: rule:system_reader_api +- check_str: rule:context_is_admin description: List quotas for specific quota classs name: os_compute_api:os-quota-class-sets:show operations: @@ -1530,7 +1128,7 @@ path: /os-quota-class-sets/{quota_class} scope_types: - system -- check_str: rule:system_admin_api +- check_str: rule:context_is_admin description: Update quotas for specific quota class name: os_compute_api:os-quota-class-sets:update operations: @@ -1538,14 +1136,14 @@ path: /os-quota-class-sets/{quota_class} scope_types: - system -- check_str: rule:system_admin_api +- check_str: rule:project_admin_api description: Update the quotas name: os_compute_api:os-quota-sets:update operations: - method: PUT path: /os-quota-sets/{tenant_id} scope_types: - - system + - project - check_str: '@' description: List default quotas name: os_compute_api:os-quota-sets:defaults 
@@ -1555,33 +1153,31 @@ scope_types: - system - project -- check_str: rule:system_or_project_reader +- check_str: (rule:project_reader_api) or role:admin description: Show a quota name: os_compute_api:os-quota-sets:show operations: - method: GET path: /os-quota-sets/{tenant_id} scope_types: - - system - project -- check_str: rule:system_admin_api +- check_str: rule:project_admin_api description: Revert quotas to defaults name: os_compute_api:os-quota-sets:delete operations: - method: DELETE path: /os-quota-sets/{tenant_id} scope_types: - - system -- check_str: rule:system_or_project_reader + - project +- check_str: (rule:project_reader_api) or role:admin description: Show the detail of quota name: os_compute_api:os-quota-sets:detail operations: - method: GET path: /os-quota-sets/{tenant_id}/detail scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: 'Generate a URL to access remove server console. 
@@ -1610,274 +1206,174 @@ - method: POST path: /servers/{server_id}/remote-consoles scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Rescue a server name: os_compute_api:os-rescue operations: - method: POST path: /servers/{server_id}/action (rescue) scope_types: - - system - project -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Rescue/Unrescue API policies are made granular with new policy - - for unrescue and keeping old policy for rescue. - - ' +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-rescue - deprecated_since: 21.0.0 + deprecated_since: null description: Unrescue a server name: os_compute_api:os-unrescue operations: - method: POST path: /servers/{server_id}/action (unrescue) scope_types: - - system - project -- check_str: rule:system_or_project_reader - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_reader_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-security-groups - deprecated_since: 22.0.0 + deprecated_since: null description: List security groups. This API is deprecated. name: os_compute_api:os-security-groups:get operations: - method: GET path: /os-security-groups scope_types: - - system - project -- check_str: rule:system_or_project_reader - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. 
- - ' +- check_str: rule:project_reader_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-security-groups - deprecated_since: 22.0.0 + deprecated_since: null description: Show security group. This API is deprecated. name: os_compute_api:os-security-groups:show operations: - method: GET path: /os-security-groups/{security_group_id} scope_types: - - system - project -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-security-groups - deprecated_since: 22.0.0 + deprecated_since: null description: Create security group. This API is deprecated. name: os_compute_api:os-security-groups:create operations: - method: POST path: /os-security-groups scope_types: - - system - project -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-security-groups - deprecated_since: 22.0.0 + deprecated_since: null description: Update security group. This API is deprecated. name: os_compute_api:os-security-groups:update operations: - method: PUT path: /os-security-groups/{security_group_id} scope_types: - - system - project -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. 
- - ' +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-security-groups - deprecated_since: 22.0.0 + deprecated_since: null description: Delete security group. This API is deprecated. name: os_compute_api:os-security-groups:delete operations: - method: DELETE path: /os-security-groups/{security_group_id} scope_types: - - system - project -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-security-groups - deprecated_since: 22.0.0 + deprecated_since: null description: Create security group Rule. This API is deprecated. name: os_compute_api:os-security-groups:rule:create operations: - method: POST path: /os-security-group-rules scope_types: - - system - project -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-security-groups - deprecated_since: 22.0.0 + deprecated_since: null description: Delete security group Rule. This API is deprecated. name: os_compute_api:os-security-groups:rule:delete operations: - method: DELETE path: /os-security-group-rules/{security_group_id} scope_types: - - system - project -- check_str: rule:system_or_project_reader - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. 
Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_reader_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-security-groups - deprecated_since: 22.0.0 + deprecated_since: null description: List security groups of server. name: os_compute_api:os-security-groups:list operations: - method: GET path: /servers/{server_id}/os-security-groups scope_types: - - system - project -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-security-groups - deprecated_since: 22.0.0 + deprecated_since: null description: Add security groups to server. name: os_compute_api:os-security-groups:add operations: - method: POST path: /servers/{server_id}/action (addSecurityGroup) scope_types: - - system - project -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-security-groups - deprecated_since: 22.0.0 + deprecated_since: null description: Remove security groups from server. 
name: os_compute_api:os-security-groups:remove operations: - method: POST path: /servers/{server_id}/action (removeSecurityGroup) scope_types: - - system - project -- check_str: rule:system_admin_api +- check_str: rule:project_admin_api description: Show the usage data for a server name: os_compute_api:os-server-diagnostics operations: - method: GET path: /servers/{server_id}/diagnostics scope_types: - - system - project -- check_str: rule:system_admin_api +- check_str: rule:context_is_admin description: Create one or more external events name: os_compute_api:os-server-external-events:create operations: - method: POST path: /os-server-external-events scope_types: - - system + - project - check_str: rule:project_member_api description: Create a new server group name: os_compute_api:os-server-groups:create 
@@ -1886,203 +1382,169 @@ path: /os-server-groups scope_types: - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Delete a server group name: os_compute_api:os-server-groups:delete operations: - method: DELETE path: /os-server-groups/{server_group_id} scope_types: - - system - project -- check_str: rule:system_or_project_reader +- check_str: rule:project_reader_api description: List all server groups name: os_compute_api:os-server-groups:index operations: - method: GET path: /os-server-groups scope_types: - - system - project -- check_str: rule:system_reader_api +- check_str: rule:project_admin_api description: List all server groups for all projects name: os_compute_api:os-server-groups:index:all_projects operations: - method: GET path: /os-server-groups scope_types: - - system -- check_str: rule:system_or_project_reader + - project +- check_str: rule:project_reader_api description: Show details of a server group name: os_compute_api:os-server-groups:show operations: - method: GET path: /os-server-groups/{server_group_id} scope_types: - - system - project -- check_str: rule:system_or_project_reader +- check_str: rule:project_reader_api description: List all metadata of a server name: os_compute_api:server-metadata:index operations: - method: GET path: /servers/{server_id}/metadata scope_types: - - system - project -- check_str: rule:system_or_project_reader +- check_str: rule:project_reader_api description: Show metadata for a server name: os_compute_api:server-metadata:show operations: - method: GET path: /servers/{server_id}/metadata/{key} scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Create metadata for a server name: os_compute_api:server-metadata:create operations: - method: POST path: /servers/{server_id}/metadata scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api 
description: Replace metadata for a server name: os_compute_api:server-metadata:update_all operations: - method: PUT path: /servers/{server_id}/metadata scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Update metadata from a server name: os_compute_api:server-metadata:update operations: - method: PUT path: /servers/{server_id}/metadata/{key} scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Delete metadata from a server name: os_compute_api:server-metadata:delete operations: - method: DELETE path: /servers/{server_id}/metadata/{key} scope_types: - - system - project -- check_str: rule:system_or_project_reader - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_reader_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-server-password - deprecated_since: 21.0.0 + deprecated_since: null description: Show the encrypted administrative password of a server name: os_compute_api:os-server-password:show operations: - method: GET path: /servers/{server_id}/os-server-password scope_types: - - system - project -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. 
- - ' +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-server-password - deprecated_since: 21.0.0 + deprecated_since: null description: Clear the encrypted administrative password of a server name: os_compute_api:os-server-password:clear operations: - method: DELETE path: /servers/{server_id}/os-server-password scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Delete all the server tags name: os_compute_api:os-server-tags:delete_all operations: - method: DELETE path: /servers/{server_id}/tags scope_types: - - system - project -- check_str: rule:system_or_project_reader +- check_str: rule:project_reader_api description: List all tags for given server name: os_compute_api:os-server-tags:index operations: - method: GET path: /servers/{server_id}/tags scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Replace all tags on specified server with the new set of tags. name: os_compute_api:os-server-tags:update_all operations: - method: PUT path: /servers/{server_id}/tags scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Delete a single tag from the specified server name: os_compute_api:os-server-tags:delete operations: - method: DELETE path: /servers/{server_id}/tags/{tag} scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Add a single tag to the server if server has no specified tag name: os_compute_api:os-server-tags:update operations: - method: PUT path: /servers/{server_id}/tags/{tag} scope_types: - - system - project -- check_str: rule:system_or_project_reader +- check_str: rule:project_reader_api description: Check tag existence on the server. 
name: os_compute_api:os-server-tags:show operations: - method: GET path: /servers/{server_id}/tags/{tag} scope_types: - - system - project -- check_str: rule:system_or_project_reader +- check_str: rule:project_reader_api description: Show the NUMA topology data for a server name: compute:server:topology:index operations: - method: GET path: /servers/{server_id}/topology scope_types: - - system - project -- check_str: rule:system_reader_api +- check_str: rule:project_admin_api description: Show the NUMA topology data for a server with host NUMA ID and CPU pinning information name: compute:server:topology:host:index @@ -2090,42 +1552,40 @@ - method: GET path: /servers/{server_id}/topology scope_types: - - system -- check_str: rule:system_or_project_reader + - project +- check_str: rule:project_reader_api description: List all servers name: os_compute_api:servers:index operations: - method: GET path: /servers scope_types: - - system - project -- check_str: rule:system_or_project_reader +- check_str: rule:project_reader_api description: List all servers with detailed information name: os_compute_api:servers:detail operations: - method: GET path: /servers/detail scope_types: - - system - project -- check_str: rule:system_reader_api +- check_str: rule:project_admin_api description: List all servers for all projects name: os_compute_api:servers:index:get_all_tenants operations: - method: GET path: /servers scope_types: - - system -- check_str: rule:system_reader_api + - project +- check_str: rule:project_admin_api description: List all servers with detailed information for all projects name: os_compute_api:servers:detail:get_all_tenants operations: - method: GET path: /servers/detail scope_types: - - system -- check_str: rule:system_reader_api + - project +- check_str: rule:project_admin_api description: Allow all filters when listing servers name: os_compute_api:servers:allow_all_filters operations: 
@@ -2134,17 +1594,45 @@ - method: GET path: /servers/detail scope_types: - - system -- check_str: rule:system_or_project_reader + - project +- check_str: rule:project_reader_api description: Show a server name: os_compute_api:servers:show operations: - method: GET path: /servers/{server_id} scope_types: - - system - project -- check_str: rule:system_admin_api +- check_str: rule:project_reader_api + deprecated_reason: ' + + Policies for showing flavor extra specs in server APIs response is + + seprated as new policy. This policy is deprecated only for that but + + not for list extra specs and showing it in flavor API response. + + ' + deprecated_rule: + check_str: rule:admin_or_owner + name: os_compute_api:os-flavor-extra-specs:index + deprecated_since: 25.0.0 + description: Starting with microversion 2.47, the flavor and its extra specs used + for a server is also returned in the response when showing server details, updating + a server or rebuilding a server. + name: os_compute_api:servers:show:flavor-extra-specs + operations: + - method: GET + path: /servers/detail + - method: GET + path: /servers/{server_id} + - method: PUT + path: /servers/{server_id} + - method: POST + path: /servers/{server_id}/action (rebuild) + scope_types: + - project +- check_str: rule:project_admin_api description: ' Show a server with additional host status information. @@ -2177,9 +1665,8 @@ - method: POST path: /servers/{server_id}/action (rebuild) scope_types: - - system - project -- check_str: rule:system_admin_api +- check_str: rule:project_admin_api description: ' Show a server with additional host status information, only if host status is @@ -2211,7 +1698,6 @@ - method: POST path: /servers/{server_id}/action (rebuild) scope_types: - - system - project - check_str: rule:project_member_api description: Create a server @@ -2239,7 +1725,6 @@ - method: POST path: /servers scope_types: - - system - project - check_str: rule:project_admin_api description: ' 
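Review bot: The added `os_compute_api:servers:show:flavor-extra-specs` entry in the `@@ -2134,17 +1594,45 @@` hunk is the only deprecated-backed rule in this change that keeps a populated `deprecated_reason` and `deprecated_since: 25.0.0`; every other such row in the diff has `null` for both, so it is worth confirming that this difference is what the generator emitted and not a mix of hand edits and tool output. Its `deprecated_rule` refers to a differently named policy, `os_compute_api:os-flavor-extra-specs:index` with `rule:admin_or_owner`, and I believe oslo.policy carries a policy-file override of that old name over to the new name for as long as the deprecation is in effect, so a deployment that customized the extra-specs rule will also be governing the extra specs shown in server detail with it; that is worth a line in the release note for this sync. The `seprated` spelling in the quoted deprecation text is upstream wording and not something to fix in this file.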
@@ -2261,7 +1746,6 @@ - method: POST path: /servers scope_types: - - system - project - check_str: rule:project_member_api description: Create a server with the requested volume attached to it @@ -2320,7 +1804,6 @@ - method: POST path: /servers scope_types: - - system - project - check_str: rule:project_admin_api description: Attach an unshared external network to a server 
@@ -2331,61 +1814,54 @@ - method: POST path: /servers/{server_id}/os-interface scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Delete a server name: os_compute_api:servers:delete operations: - method: DELETE path: /servers/{server_id} scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Update a server name: os_compute_api:servers:update operations: - method: PUT path: /servers/{server_id} scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Confirm a server resize name: os_compute_api:servers:confirm_resize operations: - method: POST path: /servers/{server_id}/action (confirmResize) scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Revert a server resize name: os_compute_api:servers:revert_resize operations: - method: POST path: /servers/{server_id}/action (revertResize) scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Reboot a server name: os_compute_api:servers:reboot operations: - method: POST path: /servers/{server_id}/action (reboot) scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Resize a server name: os_compute_api:servers:resize operations: - method: POST path: /servers/{server_id}/action (resize) scope_types: - - system - project - check_str: '!' description: 'Resize a server across cells. By default, this is disabled for all 
@@ -2397,121 +1873,101 @@ - method: POST path: /servers/{server_id}/action (resize) scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Rebuild a server name: os_compute_api:servers:rebuild operations: - method: POST path: /servers/{server_id}/action (rebuild) scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Rebuild a server with trusted image certificate IDs name: os_compute_api:servers:rebuild:trusted_certs operations: - method: POST path: /servers/{server_id}/action (rebuild) scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Create an image from a server name: os_compute_api:servers:create_image operations: - method: POST path: /servers/{server_id}/action (createImage) scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Create an image from a volume backed server name: os_compute_api:servers:create_image:allow_volume_backed operations: - method: POST path: /servers/{server_id}/action (createImage) scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Start a server name: os_compute_api:servers:start operations: - method: POST path: /servers/{server_id}/action (os-start) scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Stop a server name: os_compute_api:servers:stop operations: - method: POST path: /servers/{server_id}/action (os-stop) scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Trigger crash dump in a server name: os_compute_api:servers:trigger_crash_dump operations: - method: POST path: /servers/{server_id}/action (trigger_crash_dump) 
scope_types: - - system - project -- check_str: rule:system_reader_api +- check_str: rule:project_admin_api description: Show details for an in-progress live migration for a given server name: os_compute_api:servers:migrations:show operations: - method: GET path: /servers/{server_id}/migrations/{migration_id} scope_types: - - system - project -- check_str: rule:system_admin_api +- check_str: rule:project_admin_api description: Force an in-progress live migration for a given server to complete name: os_compute_api:servers:migrations:force_complete operations: - method: POST path: /servers/{server_id}/migrations/{migration_id}/action (force_complete) scope_types: - - system - project -- check_str: rule:system_admin_api +- check_str: rule:project_admin_api description: Delete(Abort) an in-progress live migration name: os_compute_api:servers:migrations:delete operations: - method: DELETE path: /servers/{server_id}/migrations/{migration_id} scope_types: - - system - project -- check_str: rule:system_reader_api +- check_str: rule:project_admin_api description: Lists in-progress live migrations for a given server name: os_compute_api:servers:migrations:index operations: - method: GET path: /servers/{server_id}/migrations scope_types: - - system - project -- check_str: rule:system_reader_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:context_is_admin + deprecated_reason: null deprecated_rule: check_str: rule:admin_api name: os_compute_api:os-services - deprecated_since: 21.0.0 + deprecated_since: null description: List all running Compute services in a region. name: os_compute_api:os-services:list operations: 
@@ -2519,20 +1975,12 @@ path: /os-services scope_types: - system -- check_str: rule:system_admin_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:context_is_admin + deprecated_reason: null deprecated_rule: check_str: rule:admin_api name: os_compute_api:os-services - deprecated_since: 21.0.0 + deprecated_since: null description: Update a Compute service. name: os_compute_api:os-services:update operations: @@ -2540,20 +1988,12 @@ path: /os-services/{service_id} scope_types: - system -- check_str: rule:system_admin_api - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:context_is_admin + deprecated_reason: null deprecated_rule: check_str: rule:admin_api name: os_compute_api:os-services - deprecated_since: 21.0.0 + deprecated_since: null description: Delete a Compute service. name: os_compute_api:os-services:delete operations: 
@@ -2561,82 +2001,68 @@ path: /os-services/{service_id} scope_types: - system -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Shelve server name: os_compute_api:os-shelve:shelve operations: - method: POST path: /servers/{server_id}/action (shelve) scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Unshelve (restore) shelved server name: os_compute_api:os-shelve:unshelve operations: - method: POST path: /servers/{server_id}/action (unshelve) scope_types: - - system - project -- check_str: rule:system_admin_api +- check_str: rule:project_admin_api description: Shelf-offload (remove) server name: os_compute_api:os-shelve:shelve_offload operations: - method: POST path: /servers/{server_id}/action (shelveOffload) scope_types: - - system - project -- check_str: rule:system_or_project_reader +- check_str: rule:project_reader_api description: Show usage statistics for a specific tenant name: os_compute_api:os-simple-tenant-usage:show operations: - method: GET path: /os-simple-tenant-usage/{tenant_id} scope_types: - - system - project -- check_str: rule:system_reader_api +- check_str: rule:project_admin_api description: List per tenant usage statistics for all tenants name: os_compute_api:os-simple-tenant-usage:list operations: - method: GET path: /os-simple-tenant-usage scope_types: - - system -- check_str: rule:system_admin_or_owner + - project +- check_str: rule:project_member_api description: Resume suspended server name: os_compute_api:os-suspend-server:resume operations: - method: POST path: /servers/{server_id}/action (resume) scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Suspend server name: os_compute_api:os-suspend-server:suspend operations: - method: POST path: /servers/{server_id}/action (suspend) scope_types: - - system - project -- check_str: 
rule:system_or_project_reader - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_reader_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-tenant-networks - deprecated_since: 22.0.0 + deprecated_since: null description: 'List project networks. @@ -2646,22 +2072,13 @@ - method: GET path: /os-tenant-networks scope_types: - - system - project -- check_str: rule:system_or_project_reader - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_reader_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-tenant-networks - deprecated_since: 22.0.0 + deprecated_since: null description: 'Show project network details. @@ -2671,22 +2088,13 @@ - method: GET path: /os-tenant-networks/{network_id} scope_types: - - system - project -- check_str: rule:system_or_project_reader - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_reader_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-volumes - deprecated_since: 22.0.0 + deprecated_since: null description: 'List volumes. 
@@ -2696,22 +2104,13 @@ - method: GET path: /os-volumes scope_types: - - system - project -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-volumes - deprecated_since: 22.0.0 + deprecated_since: null description: 'Create volume. @@ -2721,22 +2120,13 @@ - method: POST path: /os-volumes scope_types: - - system - project -- check_str: rule:system_or_project_reader - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_reader_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-volumes - deprecated_since: 22.0.0 + deprecated_since: null description: 'List volumes detail. @@ -2746,22 +2136,13 @@ - method: GET path: /os-volumes/detail scope_types: - - system - project -- check_str: rule:system_or_project_reader - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_reader_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-volumes - deprecated_since: 22.0.0 + deprecated_since: null description: 'Show volume. 
@@ -2771,22 +2152,13 @@ - method: GET path: /os-volumes/{volume_id} scope_types: - - system - project -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-volumes - deprecated_since: 22.0.0 + deprecated_since: null description: 'Delete volume. @@ -2796,22 +2168,13 @@ - method: DELETE path: /os-volumes/{volume_id} scope_types: - - system - project -- check_str: rule:system_or_project_reader - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_reader_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-volumes - deprecated_since: 22.0.0 + deprecated_since: null description: 'List snapshots. @@ -2821,22 +2184,13 @@ - method: GET path: /os-snapshots scope_types: - - system - project -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-volumes - deprecated_since: 22.0.0 + deprecated_since: null description: 'Create snapshots. 
@@ -2846,22 +2200,13 @@ - method: POST path: /os-snapshots scope_types: - - system - project -- check_str: rule:system_or_project_reader - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_reader_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-volumes - deprecated_since: 22.0.0 + deprecated_since: null description: 'List snapshots details. @@ -2871,22 +2216,13 @@ - method: GET path: /os-snapshots/detail scope_types: - - system - project -- check_str: rule:system_or_project_reader - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_reader_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-volumes - deprecated_since: 22.0.0 + deprecated_since: null description: 'Show snapshot. @@ -2896,22 +2232,13 @@ - method: GET path: /os-snapshots/{snapshot_id} scope_types: - - system - project -- check_str: rule:system_admin_or_owner - deprecated_reason: ' - - Nova API policies are introducing new default roles with scope_type - - capabilities. Old policies are deprecated and silently going to be ignored - - in nova 23.0.0 release. - - ' +- check_str: rule:project_member_api + deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: os_compute_api:os-volumes - deprecated_since: 22.0.0 + deprecated_since: null description: 'Delete snapshot. 
@@ -2921,36 +2248,32 @@ - method: DELETE path: /os-snapshots/{snapshot_id} scope_types: - - system - project -- check_str: rule:system_or_project_reader +- check_str: rule:project_reader_api description: List volume attachments for an instance name: os_compute_api:os-volumes-attachments:index operations: - method: GET path: /servers/{server_id}/os-volume_attachments scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: Attach a volume to an instance name: os_compute_api:os-volumes-attachments:create operations: - method: POST path: /servers/{server_id}/os-volume_attachments scope_types: - - system - project -- check_str: rule:system_or_project_reader +- check_str: rule:project_reader_api description: Show details of a volume attachment name: os_compute_api:os-volumes-attachments:show operations: - method: GET path: /servers/{server_id}/os-volume_attachments/{volume_id} scope_types: - - system - project -- check_str: rule:system_admin_or_owner +- check_str: rule:project_member_api description: 'Update a volume attachment. New ''update'' policy about ''swap + update'' request (which is possible @@ -2965,22 +2288,20 @@ - method: PUT path: /servers/{server_id}/os-volume_attachments/{volume_id} scope_types: - - system - project -- check_str: rule:system_admin_api +- check_str: rule:context_is_admin description: Update a volume attachment with a different volumeId name: os_compute_api:os-volumes-attachments:swap operations: - method: PUT path: /servers/{server_id}/os-volume_attachments/{volume_id} scope_types: - - system -- check_str: rule:system_admin_or_owner + - project +- check_str: rule:project_member_api description: Detach a volume from an instance name: os_compute_api:os-volumes-attachments:delete operations: - method: DELETE path: /servers/{server_id}/os-volume_attachments/{volume_id} scope_types: - - system - project 
diff --git a/openstack_dashboard/conf/glance_policy.yaml b/openstack_dashboard/conf/glance_policy.yaml index 4299d6edac..17e10fb524 100644 --- a/openstack_dashboard/conf/glance_policy.yaml +++ b/openstack_dashboard/conf/glance_policy.yaml @@ -40,14 +40,14 @@ # Get specified image # GET /v2/images/{image_id} # Intended scope(s): system, project -#"get_image": "role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))" +#"get_image": "role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))" # DEPRECATED # "get_image":"rule:default" has been deprecated since W in favor of # "get_image":"role:admin or (role:reader and # (project_id:%(project_id)s or project_id:%(member_id)s or -# "community":%(visibility)s or "public":%(visibility)s or -# "shared":%(visibility)s))". +# 'community':%(visibility)s or 'public':%(visibility)s or +# 'shared':%(visibility)s))". # The image API now supports roles. # Get all available images 
@@ -91,14 +91,14 @@ # Downloads given image # GET /v2/images/{image_id}/file # Intended scope(s): system, project -#"download_image": "role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or "community":%(visibility)s or "public":%(visibility)s or "shared":%(visibility)s))" +#"download_image": "role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))" # DEPRECATED # "download_image":"rule:default" has been deprecated since W in favor # of "download_image":"role:admin or (role:member and # (project_id:%(project_id)s or project_id:%(member_id)s or -# "community":%(visibility)s or "public":%(visibility)s or -# "shared":%(visibility)s))". +# 'community':%(visibility)s or 'public':%(visibility)s or +# 'shared':%(visibility)s))". # The image API now supports roles. # Uploads data to specified image 
@@ -319,55 +319,235 @@ #"metadef_admin": "role:admin" -#"get_metadef_namespace": "rule:metadef_default" +# Get a specific namespace. +# GET /v2/metadefs/namespaces/{namespace_name} +# Intended scope(s): system, project +#"get_metadef_namespace": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" -#"get_metadef_namespaces": "rule:metadef_default" +# DEPRECATED +# "get_metadef_namespace":"rule:metadef_default" has been deprecated +# since X in favor of "get_metadef_namespace":"role:admin or +# (role:reader and (project_id:%(project_id)s or +# 'public':%(visibility)s))". +# The metadata API now supports project scope and default roles. +# List namespace. +# GET /v2/metadefs/namespaces +# Intended scope(s): system, project +#"get_metadef_namespaces": "role:admin or (role:reader and project_id:%(project_id)s)" + +# DEPRECATED +# "get_metadef_namespaces":"rule:metadef_default" has been deprecated +# since X in favor of "get_metadef_namespaces":"role:admin or +# (role:reader and project_id:%(project_id)s)". +# The metadata API now supports project scope and default roles. + +# Modify an existing namespace. +# PUT /v2/metadefs/namespaces/{namespace_name} +# Intended scope(s): system, project #"modify_metadef_namespace": "rule:metadef_admin" +# Create a namespace. +# POST /v2/metadefs/namespaces +# Intended scope(s): system, project #"add_metadef_namespace": "rule:metadef_admin" +# Delete a namespace. +# DELETE /v2/metadefs/namespaces/{namespace_name} +# Intended scope(s): system, project #"delete_metadef_namespace": "rule:metadef_admin" -#"get_metadef_object": "rule:metadef_default" +# Get a specific object from a namespace. 
+# GET /v2/metadefs/namespaces/{namespace_name}/objects/{object_name} +# Intended scope(s): system, project +#"get_metadef_object": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" -#"get_metadef_objects": "rule:metadef_default" +# DEPRECATED +# "get_metadef_object":"rule:metadef_default" has been deprecated +# since X in favor of "get_metadef_object":"role:admin or (role:reader +# and (project_id:%(project_id)s or 'public':%(visibility)s))". +# The metadata API now supports project scope and default roles. +# Get objects from a namespace. +# GET /v2/metadefs/namespaces/{namespace_name}/objects +# Intended scope(s): system, project +#"get_metadef_objects": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" + +# DEPRECATED +# "get_metadef_objects":"rule:metadef_default" has been deprecated +# since X in favor of "get_metadef_objects":"role:admin or +# (role:reader and (project_id:%(project_id)s or +# 'public':%(visibility)s))". +# The metadata API now supports project scope and default roles. + +# Update an object within a namespace. +# PUT /v2/metadefs/namespaces/{namespace_name}/objects/{object_name} +# Intended scope(s): system, project #"modify_metadef_object": "rule:metadef_admin" +# Create an object within a namespace. +# POST /v2/metadefs/namespaces/{namespace_name}/objects +# Intended scope(s): system, project #"add_metadef_object": "rule:metadef_admin" +# Delete an object within a namespace. +# DELETE /v2/metadefs/namespaces/{namespace_name}/objects/{object_name} +# Intended scope(s): system, project #"delete_metadef_object": "rule:metadef_admin" -#"list_metadef_resource_types": "rule:metadef_default" +# List meta definition resource types. 
+# GET /v2/metadefs/resource_types +# Intended scope(s): system, project +#"list_metadef_resource_types": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" -#"get_metadef_resource_type": "rule:metadef_default" +# DEPRECATED +# "list_metadef_resource_types":"rule:metadef_default" has been +# deprecated since X in favor of +# "list_metadef_resource_types":"role:admin or (role:reader and +# (project_id:%(project_id)s or 'public':%(visibility)s))". +# The metadata API now supports project scope and default roles. +# Get meta definition resource types associations. +# GET /v2/metadefs/namespaces/{namespace_name}/resource_types +# Intended scope(s): system, project +#"get_metadef_resource_type": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" + +# DEPRECATED +# "get_metadef_resource_type":"rule:metadef_default" has been +# deprecated since X in favor of +# "get_metadef_resource_type":"role:admin or (role:reader and +# (project_id:%(project_id)s or 'public':%(visibility)s))". +# The metadata API now supports project scope and default roles. + +# Create meta definition resource types association. +# POST /v2/metadefs/namespaces/{namespace_name}/resource_types +# Intended scope(s): system, project #"add_metadef_resource_type_association": "rule:metadef_admin" +# Delete meta definition resource types association. +# POST /v2/metadefs/namespaces/{namespace_name}/resource_types/{name} +# Intended scope(s): system, project #"remove_metadef_resource_type_association": "rule:metadef_admin" -#"get_metadef_property": "rule:metadef_default" +# Get a specific meta definition property. 
+# GET /v2/metadefs/namespaces/{namespace_name}/properties/{property_name} +# Intended scope(s): system, project +#"get_metadef_property": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" -#"get_metadef_properties": "rule:metadef_default" +# DEPRECATED +# "get_metadef_property":"rule:metadef_default" has been deprecated +# since X in favor of "get_metadef_property":"role:admin or +# (role:reader and (project_id:%(project_id)s or +# 'public':%(visibility)s))". +# The metadata API now supports project scope and default roles. +# List meta definition properties. +# GET /v2/metadefs/namespaces/{namespace_name}/properties +# Intended scope(s): system, project +#"get_metadef_properties": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" + +# DEPRECATED +# "get_metadef_properties":"rule:metadef_default" has been deprecated +# since X in favor of "get_metadef_properties":"role:admin or +# (role:reader and (project_id:%(project_id)s or +# 'public':%(visibility)s))". +# The metadata API now supports project scope and default roles. + +# Update meta definition property. +# GET /v2/metadefs/namespaces/{namespace_name}/properties/{property_name} +# Intended scope(s): system, project #"modify_metadef_property": "rule:metadef_admin" +# Create meta definition property. +# POST /v2/metadefs/namespaces/{namespace_name}/properties +# Intended scope(s): system, project #"add_metadef_property": "rule:metadef_admin" +# Delete meta definition property. +# DELETE /v2/metadefs/namespaces/{namespace_name}/properties/{property_name} +# Intended scope(s): system, project #"remove_metadef_property": "rule:metadef_admin" -#"get_metadef_tag": "rule:metadef_default" +# Get tag definition. 
+# GET /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name} +# Intended scope(s): system, project +#"get_metadef_tag": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" -#"get_metadef_tags": "rule:metadef_default" +# DEPRECATED +# "get_metadef_tag":"rule:metadef_default" has been deprecated since X +# in favor of "get_metadef_tag":"role:admin or (role:reader and +# (project_id:%(project_id)s or 'public':%(visibility)s))". +# The metadata API now supports project scope and default roles. +# List tag definitions. +# GET /v2/metadefs/namespaces/{namespace_name}/tags +# Intended scope(s): system, project +#"get_metadef_tags": "role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))" + +# DEPRECATED +# "get_metadef_tags":"rule:metadef_default" has been deprecated since +# X in favor of "get_metadef_tags":"role:admin or (role:reader and +# (project_id:%(project_id)s or 'public':%(visibility)s))". +# The metadata API now supports project scope and default roles. + +# Update tag definition. +# PUT /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name} +# Intended scope(s): system, project #"modify_metadef_tag": "rule:metadef_admin" +# Add tag definition. +# POST /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name} +# Intended scope(s): system, project #"add_metadef_tag": "rule:metadef_admin" +# Create tag definitions. +# POST /v2/metadefs/namespaces/{namespace_name}/tags +# Intended scope(s): system, project #"add_metadef_tags": "rule:metadef_admin" +# Delete tag definition. +# DELETE /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name} +# Intended scope(s): system, project #"delete_metadef_tag": "rule:metadef_admin" +# Delete tag definitions. 
+# DELETE /v2/metadefs/namespaces/{namespace_name}/tags +# Intended scope(s): system, project #"delete_metadef_tags": "rule:metadef_admin" +# Queue image for caching +# PUT /v2/cache/{image_id} +# Intended scope(s): project +#"cache_image": "role:admin" + +# DEPRECATED +# "cache_image":"rule:manage_image_cache" has been deprecated since X +# in favor of "cache_image":"role:admin". +# The image API now supports roles. + +# List cache status +# GET /v2/cache +# Intended scope(s): project +#"cache_list": "role:admin" + +# DEPRECATED +# "cache_list":"rule:manage_image_cache" has been deprecated since X +# in favor of "cache_list":"role:admin". +# The image API now supports roles. + +# Delete image(s) from cache and/or queue +# DELETE /v2/cache +# DELETE /v2/cache/{image_id} +# Intended scope(s): project +#"cache_delete": "role:admin" + +# DEPRECATED +# "cache_delete":"rule:manage_image_cache" has been deprecated since X +# in favor of "cache_delete":"role:admin". +# The image API now supports roles. + +# Expose store specific information +# GET /v2/info/stores/detail +# Intended scope(s): system, project +#"stores_info_detail": "role:admin" + diff --git a/openstack_dashboard/conf/keystone_policy.yaml b/openstack_dashboard/conf/keystone_policy.yaml index 15913e796e..1ff8d9f7ce 100644 --- a/openstack_dashboard/conf/keystone_policy.yaml +++ b/openstack_dashboard/conf/keystone_policy.yaml 
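Review bot: Two of the added operation comments contradict their own description: "Update meta definition property." is documented as `# GET /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}` and "Delete meta definition resource types association." as `# POST /v2/metadefs/namespaces/{namespace_name}/resource_types/{name}`. Assuming the method line mirrors the real verb as the neighbouring entries do, these should read `# PUT /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}` and `# DELETE /v2/metadefs/namespaces/{namespace_name}/resource_types/{name}`; since this file is generated from the upstream glance definitions, the correction belongs there and this file should be regenerated rather than patched by hand. Several of the new `# DEPRECATED` blocks also run straight into the next rule's header (e.g. "...default roles. # List namespace.") without the blank separator the rest of the file uses, which makes the sample harder to scan.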
@@ -68,13 +68,12 @@ #"identity:get_application_credential": "(role:reader and system_scope:all) or rule:owner" # DEPRECATED -# "identity:get_application_credentials":"rule:admin_or_owner" has -# been deprecated since T in favor of +# "identity:get_application_credential":"rule:admin_or_owner" has been +# deprecated since T in favor of # "identity:get_application_credential":"(role:reader and # system_scope:all) or rule:owner". # The application credential API is now aware of system scope and # default roles. -#"identity:get_application_credentials": "rule:identity:get_application_credential" # List application credentials for a user. # GET /v3/users/{user_id}/application_credentials @@ -101,13 +100,12 @@ #"identity:delete_application_credential": "(role:admin and system_scope:all) or rule:owner" # DEPRECATED -# "identity:delete_application_credentials":"rule:admin_or_owner" has +# "identity:delete_application_credential":"rule:admin_or_owner" has # been deprecated since T in favor of # "identity:delete_application_credential":"(role:admin and # system_scope:all) or rule:owner". # The application credential API is now aware of system scope and # default roles. -#"identity:delete_application_credentials": "rule:identity:delete_application_credential" # Get service catalog. # GET /v3/auth/catalog @@ -426,13 +424,12 @@ #"identity:ec2_create_credential": "(role:admin and system_scope:all) or rule:owner" # DEPRECATED -# "identity:ec2_create_credentials":"rule:admin_or_owner" has been +# "identity:ec2_create_credential":"rule:admin_or_owner" has been # deprecated since T in favor of # "identity:ec2_create_credential":"(role:admin and system_scope:all) # or rule:owner". # The EC2 credential API is now aware of system scope and default # roles. -#"identity:ec2_create_credentials": "rule:identity:ec2_create_credential" # Delete ec2 credential. # DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id} 
@@ -440,14 +437,12 @@ #"identity:ec2_delete_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" # DEPRECATED -# "identity:ec2_delete_credentials":"rule:admin_required or -# (rule:owner and user_id:%(target.credential.user_id)s)" has been -# deprecated since T in favor of -# "identity:ec2_delete_credential":"(role:admin and system_scope:all) -# or user_id:%(target.credential.user_id)s". +# "identity:ec2_delete_credential":"rule:admin_required or (rule:owner +# and user_id:%(target.credential.user_id)s)" has been deprecated +# since T in favor of "identity:ec2_delete_credential":"(role:admin +# and system_scope:all) or user_id:%(target.credential.user_id)s". # The EC2 credential API is now aware of system scope and default # roles. -#"identity:ec2_delete_credentials": "rule:identity:ec2_delete_credential" # Show endpoint details. # GET /v3/endpoints/{endpoint_id} @@ -1013,13 +1008,12 @@ #"identity:create_identity_provider": "role:admin and system_scope:all" # DEPRECATED -# "identity:create_identity_providers":"rule:admin_required" has been +# "identity:create_identity_provider":"rule:admin_required" has been # deprecated since S in favor of # "identity:create_identity_provider":"role:admin and # system_scope:all". # The identity provider API is now aware of system scope and default # roles. -#"identity:create_identity_providers": "rule:identity:create_identity_provider" # List identity providers. # GET /v3/OS-FEDERATION/identity_providers 
@@ -1042,12 +1036,11 @@ #"identity:get_identity_provider": "role:reader and system_scope:all" # DEPRECATED -# "identity:get_identity_providers":"rule:admin_required" has been +# "identity:get_identity_provider":"rule:admin_required" has been # deprecated since S in favor of # "identity:get_identity_provider":"role:reader and system_scope:all". # The identity provider API is now aware of system scope and default # roles. -#"identity:get_identity_providers": "rule:identity:get_identity_provider" # Update identity provider. # PATCH /v3/OS-FEDERATION/identity_providers/{idp_id} @@ -1055,13 +1048,12 @@ #"identity:update_identity_provider": "role:admin and system_scope:all" # DEPRECATED -# "identity:update_identity_providers":"rule:admin_required" has been +# "identity:update_identity_provider":"rule:admin_required" has been # deprecated since S in favor of # "identity:update_identity_provider":"role:admin and # system_scope:all". # The identity provider API is now aware of system scope and default # roles. -#"identity:update_identity_providers": "rule:identity:update_identity_provider" # Delete identity provider. # DELETE /v3/OS-FEDERATION/identity_providers/{idp_id} @@ -1069,13 +1061,12 @@ #"identity:delete_identity_provider": "role:admin and system_scope:all" # DEPRECATED -# "identity:delete_identity_providers":"rule:admin_required" has been +# "identity:delete_identity_provider":"rule:admin_required" has been # deprecated since S in favor of # "identity:delete_identity_provider":"role:admin and # system_scope:all". # The identity provider API is now aware of system scope and default # roles. -#"identity:delete_identity_providers": "rule:identity:delete_identity_provider" # Get information about an association between two roles. When a # relationship exists between a prior role and an implied role and the diff --git a/openstack_dashboard/conf/neutron_policy.yaml b/openstack_dashboard/conf/neutron_policy.yaml index 9784dc4bc3..5b1b0f0150 100644 
--- a/openstack_dashboard/conf/neutron_policy.yaml +++ b/openstack_dashboard/conf/neutron_policy.yaml @@ -46,14 +46,13 @@ # Get an address group # GET /address-groups # GET /address-groups/{id} -# Intended scope(s): system, project -#"get_address_group": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups" +# Intended scope(s): project +#"get_address_group": "role:reader and project_id:%(project_id)s or rule:shared_address_groups" # DEPRECATED # "get_address_group":"rule:admin_or_owner or # rule:shared_address_groups" has been deprecated since W in favor of -# "get_address_group":"(role:reader and system_scope:all) or -# (role:reader and project_id:%(project_id)s) or +# "get_address_group":"role:reader and project_id:%(project_id)s or # rule:shared_address_groups". # The Address scope API now supports system scope and default roles. 
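Review bot: The retained deprecation text `# The Address scope API now supports system scope and default roles.` is now stale for `get_address_group`: the intended scope was narrowed to `project` and `system_scope:all` was removed from the check string, so the rationale still advertises a scope the default no longer recognises (and names the wrong API for an address-group rule). As this is upstream neutron's reason string, the wording should be fixed there and the file regenerated; here it is worth a note for operators, since a system-scoped token that previously satisfied these defaults will no longer match and any local overrides of these rules should be re-checked. The same stale "supports system scope" sentence remains under each rule in `@@ -62,71` and `@@ -244,27`.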
@@ -62,71 +61,70 @@ # Create an address scope # POST /address-scopes -# Intended scope(s): system, project -#"create_address_scope": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"create_address_scope": "role:member and project_id:%(project_id)s" # DEPRECATED # "create_address_scope":"rule:regular_user" has been deprecated since -# W in favor of "create_address_scope":"(role:admin and -# system_scope:all) or (role:member and project_id:%(project_id)s)". +# W in favor of "create_address_scope":"role:member and +# project_id:%(project_id)s". # The Address scope API now supports system scope and default roles. # Create a shared address scope # POST /address-scopes -# Intended scope(s): system, project -#"create_address_scope:shared": "role:admin and system_scope:all" +# Intended scope(s): project +#"create_address_scope:shared": "role:admin and project_id:%(project_id)s" # DEPRECATED # "create_address_scope:shared":"rule:admin_only" has been deprecated # since W in favor of "create_address_scope:shared":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The Address scope API now supports system scope and default roles. # Get an address scope # GET /address-scopes # GET /address-scopes/{id} -# Intended scope(s): system, project -#"get_address_scope": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_address_scopes" +# Intended scope(s): project +#"get_address_scope": "role:reader and project_id:%(project_id)s or rule:shared_address_scopes" # DEPRECATED # "get_address_scope":"rule:admin_or_owner or # rule:shared_address_scopes" has been deprecated since W in favor of -# "get_address_scope":"(role:reader and system_scope:all) or -# (role:reader and project_id:%(project_id)s) or +# "get_address_scope":"role:reader and project_id:%(project_id)s or # rule:shared_address_scopes". 
# The Address scope API now supports system scope and default roles. # Update an address scope # PUT /address-scopes/{id} -# Intended scope(s): system, project -#"update_address_scope": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"update_address_scope": "role:member and project_id:%(project_id)s" # DEPRECATED # "update_address_scope":"rule:admin_or_owner" has been deprecated -# since W in favor of "update_address_scope":"(role:admin and -# system_scope:all) or (role:member and project_id:%(project_id)s)". +# since W in favor of "update_address_scope":"role:member and +# project_id:%(project_id)s". # The Address scope API now supports system scope and default roles. # Update ``shared`` attribute of an address scope # PUT /address-scopes/{id} -# Intended scope(s): system, project -#"update_address_scope:shared": "role:admin and system_scope:all" +# Intended scope(s): project +#"update_address_scope:shared": "role:admin and project_id:%(project_id)s" # DEPRECATED # "update_address_scope:shared":"rule:admin_only" has been deprecated # since W in favor of "update_address_scope:shared":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The Address scope API now supports system scope and default roles. # Delete an address scope # DELETE /address-scopes/{id} -# Intended scope(s): system, project -#"delete_address_scope": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"delete_address_scope": "role:member and project_id:%(project_id)s" # DEPRECATED # "delete_address_scope":"rule:admin_or_owner" has been deprecated -# since W in favor of "delete_address_scope":"(role:admin and -# system_scope:all) or (role:member and project_id:%(project_id)s)". +# since W in favor of "delete_address_scope":"role:member and +# project_id:%(project_id)s". # The Address scope API now supports system scope and default roles. # Get an agent 
@@ -176,10 +174,9 @@ #"get_dhcp-networks": "role:reader and system_scope:all" # DEPRECATED -# "get_dhcp-networs":"rule:admin_only" has been deprecated since W in +# "get_dhcp-networks":"rule:admin_only" has been deprecated since W in # favor of "get_dhcp-networks":"role:reader and system_scope:all". # The Agent API now supports system scope and default roles. -#"get_dhcp-networs": "rule:get_dhcp-networks" # Remove a network from a DHCP agent # DELETE /agents/{agent_id}/dhcp-networks/{network_id} @@ -187,10 +184,9 @@ #"delete_dhcp-network": "role:admin and system_scope:all" # DEPRECATED -# "delete_dhcp-networ":"rule:admin_only" has been deprecated since W +# "delete_dhcp-network":"rule:admin_only" has been deprecated since W # in favor of "delete_dhcp-network":"role:admin and system_scope:all". # The Agent API now supports system scope and default roles. -#"delete_dhcp-networ": "rule:delete_dhcp-network" # Add a router to an L3 agent # POST /agents/{agent_id}/l3-routers 
@@ -244,27 +240,27 @@ # Get a project's auto-allocated topology # GET /auto-allocated-topology/{project_id} -# Intended scope(s): system, project -#"get_auto_allocated_topology": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" +# Intended scope(s): project +#"get_auto_allocated_topology": "role:reader and project_id:%(project_id)s" # DEPRECATED # "get_auto_allocated_topology":"rule:admin_or_owner" has been # deprecated since W in favor of -# "get_auto_allocated_topology":"(role:reader and system_scope:all) or -# (role:reader and project_id:%(project_id)s)". +# "get_auto_allocated_topology":"role:reader and +# project_id:%(project_id)s". # The Auto allocated topology API now supports system scope and # default roles. # Delete a project's auto-allocated topology # DELETE /auto-allocated-topology/{project_id} -# Intended scope(s): system, project -#"delete_auto_allocated_topology": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"delete_auto_allocated_topology": "role:member and project_id:%(project_id)s" # DEPRECATED # "delete_auto_allocated_topology":"rule:admin_or_owner" has been # deprecated since W in favor of -# "delete_auto_allocated_topology":"(role:admin and system_scope:all) -# or (role:member and project_id:%(project_id)s)". +# "delete_auto_allocated_topology":"role:member and +# project_id:%(project_id)s". # The Auto allocated topology API now supports system scope and # default roles. 
@@ -403,187 +399,260 @@ # Create a floating IP # POST /floatingips -# Intended scope(s): system, project -#"create_floatingip": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"create_floatingip": "role:member and project_id:%(project_id)s" # DEPRECATED # "create_floatingip":"rule:regular_user" has been deprecated since W -# in favor of "create_floatingip":"(role:admin and system_scope:all) -# or (role:member and project_id:%(project_id)s)". +# in favor of "create_floatingip":"role:member and +# project_id:%(project_id)s". # The Floating IP API now supports system scope and default roles. # Create a floating IP with a specific IP address # POST /floatingips -# Intended scope(s): system, project -#"create_floatingip:floating_ip_address": "role:admin and system_scope:all" +# Intended scope(s): project +#"create_floatingip:floating_ip_address": "role:admin and project_id:%(project_id)s" # DEPRECATED # "create_floatingip:floating_ip_address":"rule:admin_only" has been # deprecated since W in favor of # "create_floatingip:floating_ip_address":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The Floating IP API now supports system scope and default roles. # Get a floating IP # GET /floatingips # GET /floatingips/{id} -# Intended scope(s): system, project -#"get_floatingip": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" +# Intended scope(s): project +#"get_floatingip": "role:reader and project_id:%(project_id)s" # DEPRECATED # "get_floatingip":"rule:admin_or_owner" has been deprecated since W -# in favor of "get_floatingip":"(role:reader and system_scope:all) or -# (role:reader and project_id:%(project_id)s)". +# in favor of "get_floatingip":"role:reader and +# project_id:%(project_id)s". # The Floating IP API now supports system scope and default roles. 
# Update a floating IP # PUT /floatingips/{id} -# Intended scope(s): system, project -#"update_floatingip": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"update_floatingip": "role:member and project_id:%(project_id)s" # DEPRECATED # "update_floatingip":"rule:admin_or_owner" has been deprecated since -# W in favor of "update_floatingip":"(role:admin and system_scope:all) -# or (role:member and project_id:%(project_id)s)". +# W in favor of "update_floatingip":"role:member and +# project_id:%(project_id)s". # The Floating IP API now supports system scope and default roles. # Delete a floating IP # DELETE /floatingips/{id} -# Intended scope(s): system, project -#"delete_floatingip": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"delete_floatingip": "role:member and project_id:%(project_id)s" # DEPRECATED # "delete_floatingip":"rule:admin_or_owner" has been deprecated since -# W in favor of "delete_floatingip":"(role:admin and system_scope:all) -# or (role:member and project_id:%(project_id)s)". +# W in favor of "delete_floatingip":"role:member and +# project_id:%(project_id)s". # The Floating IP API now supports system scope and default roles. # Get floating IP pools # GET /floatingip_pools -# Intended scope(s): system, project -#"get_floatingip_pool": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" +# Intended scope(s): project +#"get_floatingip_pool": "role:reader and project_id:%(project_id)s" # DEPRECATED # "get_floatingip_pool":"rule:regular_user" has been deprecated since -# W in favor of "get_floatingip_pool":"(role:reader and -# system_scope:all) or (role:reader and project_id:%(project_id)s)". +# W in favor of "get_floatingip_pool":"role:reader and +# project_id:%(project_id)s". # The Floating IP Pool API now supports system scope and default # roles. 
# Create a floating IP port forwarding # POST /floatingips/{floatingip_id}/port_forwardings -# Intended scope(s): system, project -#"create_floatingip_port_forwarding": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner" +# Intended scope(s): project +#"create_floatingip_port_forwarding": "role:member and project_id:%(project_id)s or rule:ext_parent_owner" # DEPRECATED # "create_floatingip_port_forwarding":"rule:admin_or_ext_parent_owner" # has been deprecated since W in favor of -# "create_floatingip_port_forwarding":"(role:admin and -# system_scope:all) or (role:member and project_id:%(project_id)s) or -# rule:ext_parent_owner". +# "create_floatingip_port_forwarding":"role:member and +# project_id:%(project_id)s or rule:ext_parent_owner". # The floating IP port forwarding API now supports system scope and # default roles. # Get a floating IP port forwarding # GET /floatingips/{floatingip_id}/port_forwardings # GET /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} -# Intended scope(s): system, project -#"get_floatingip_port_forwarding": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner" +# Intended scope(s): project +#"get_floatingip_port_forwarding": "role:reader and project_id:%(project_id)s or rule:ext_parent_owner" # DEPRECATED # "get_floatingip_port_forwarding":"rule:admin_or_ext_parent_owner" # has been deprecated since W in favor of -# "get_floatingip_port_forwarding":"(role:reader and system_scope:all) -# or (role:reader and project_id:%(project_id)s) or -# rule:ext_parent_owner". +# "get_floatingip_port_forwarding":"role:reader and +# project_id:%(project_id)s or rule:ext_parent_owner". # The floating IP port forwarding API now supports system scope and # default roles. 
# Update a floating IP port forwarding # PUT /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} -# Intended scope(s): system, project -#"update_floatingip_port_forwarding": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner" +# Intended scope(s): project +#"update_floatingip_port_forwarding": "role:member and project_id:%(project_id)s or rule:ext_parent_owner" # DEPRECATED # "update_floatingip_port_forwarding":"rule:admin_or_ext_parent_owner" # has been deprecated since W in favor of -# "update_floatingip_port_forwarding":"(role:admin and -# system_scope:all) or (role:member and project_id:%(project_id)s) or -# rule:ext_parent_owner". +# "update_floatingip_port_forwarding":"role:member and +# project_id:%(project_id)s or rule:ext_parent_owner". # The floating IP port forwarding API now supports system scope and # default roles. # Delete a floating IP port forwarding # DELETE /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id} -# Intended scope(s): system, project -#"delete_floatingip_port_forwarding": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner" +# Intended scope(s): project +#"delete_floatingip_port_forwarding": "role:member and project_id:%(project_id)s or rule:ext_parent_owner" # DEPRECATED # "delete_floatingip_port_forwarding":"rule:admin_or_ext_parent_owner" # has been deprecated since W in favor of -# "delete_floatingip_port_forwarding":"(role:admin and -# system_scope:all) or (role:member and project_id:%(project_id)s) or -# rule:ext_parent_owner". +# "delete_floatingip_port_forwarding":"role:member and +# project_id:%(project_id)s or rule:ext_parent_owner". # The floating IP port forwarding API now supports system scope and # default roles. 
# Create a router conntrack helper # POST /routers/{router_id}/conntrack_helpers -# Intended scope(s): system, project -#"create_router_conntrack_helper": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner" +# Intended scope(s): project +#"create_router_conntrack_helper": "role:member and project_id:%(project_id)s or rule:ext_parent_owner" # DEPRECATED # "create_router_conntrack_helper":"rule:admin_or_ext_parent_owner" # has been deprecated since W in favor of -# "create_router_conntrack_helper":"(role:admin and system_scope:all) -# or (role:member and project_id:%(project_id)s) or -# rule:ext_parent_owner". +# "create_router_conntrack_helper":"role:member and +# project_id:%(project_id)s or rule:ext_parent_owner". # The router conntrack API now supports system scope and default # roles. # Get a router conntrack helper # GET /routers/{router_id}/conntrack_helpers # GET /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} -# Intended scope(s): system, project -#"get_router_conntrack_helper": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner" +# Intended scope(s): project +#"get_router_conntrack_helper": "role:reader and project_id:%(project_id)s or rule:ext_parent_owner" # DEPRECATED # "get_router_conntrack_helper":"rule:admin_or_ext_parent_owner" has # been deprecated since W in favor of -# "get_router_conntrack_helper":"(role:reader and system_scope:all) or -# (role:reader and project_id:%(project_id)s) or -# rule:ext_parent_owner". +# "get_router_conntrack_helper":"role:reader and +# project_id:%(project_id)s or rule:ext_parent_owner". # The router conntrack API now supports system scope and default # roles. 
# Update a router conntrack helper # PUT /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} -# Intended scope(s): system, project -#"update_router_conntrack_helper": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner" +# Intended scope(s): project +#"update_router_conntrack_helper": "role:member and project_id:%(project_id)s or rule:ext_parent_owner" # DEPRECATED # "update_router_conntrack_helper":"rule:admin_or_ext_parent_owner" # has been deprecated since W in favor of -# "update_router_conntrack_helper":"(role:admin and system_scope:all) -# or (role:member and project_id:%(project_id)s) or -# rule:ext_parent_owner". +# "update_router_conntrack_helper":"role:member and +# project_id:%(project_id)s or rule:ext_parent_owner". # The router conntrack API now supports system scope and default # roles. # Delete a router conntrack helper # DELETE /routers/{router_id}/conntrack_helpers/{conntrack_helper_id} -# Intended scope(s): system, project -#"delete_router_conntrack_helper": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner" +# Intended scope(s): project +#"delete_router_conntrack_helper": "role:member and project_id:%(project_id)s or rule:ext_parent_owner" # DEPRECATED # "delete_router_conntrack_helper":"rule:admin_or_ext_parent_owner" # has been deprecated since W in favor of -# "delete_router_conntrack_helper":"(role:admin and system_scope:all) -# or (role:member and project_id:%(project_id)s) or -# rule:ext_parent_owner". +# "delete_router_conntrack_helper":"role:member and +# project_id:%(project_id)s or rule:ext_parent_owner". # The router conntrack API now supports system scope and default # roles. 
+# Create a Local IP +# POST /local-ips +# Intended scope(s): project +#"create_local_ip": "role:member and project_id:%(project_id)s" + +# DEPRECATED +# "create_local_ip":"rule:regular_user" has been deprecated since W in +# favor of "create_local_ip":"role:member and +# project_id:%(project_id)s". +# The Local IP API now supports system scope and default roles. + +# Get a Local IP +# GET /local-ips +# GET /local-ips/{id} +# Intended scope(s): project +#"get_local_ip": "role:reader and project_id:%(project_id)s" + +# DEPRECATED +# "get_local_ip":"rule:admin_or_owner" has been deprecated since W in +# favor of "get_local_ip":"role:reader and project_id:%(project_id)s". +# The Local IP API now supports system scope and default roles. + +# Update a Local IP +# PUT /local-ips/{id} +# Intended scope(s): project +#"update_local_ip": "role:member and project_id:%(project_id)s" + +# DEPRECATED +# "update_local_ip":"rule:admin_or_owner" has been deprecated since W +# in favor of "update_local_ip":"role:member and +# project_id:%(project_id)s". +# The Local IP API now supports system scope and default roles. + +# Delete a Local IP +# DELETE /local-ips/{id} +# Intended scope(s): project +#"delete_local_ip": "role:member and project_id:%(project_id)s" + +# DEPRECATED +# "delete_local_ip":"rule:admin_or_owner" has been deprecated since W +# in favor of "delete_local_ip":"role:member and +# project_id:%(project_id)s". +# The Local IP API now supports system scope and default roles. + +# Create a Local IP port association +# POST /local_ips/{local_ip_id}/port_associations +# Intended scope(s): project +#"create_local_ip_port_association": "role:member and project_id:%(project_id)s or rule:ext_parent_owner" + +# DEPRECATED +# "create_local_ip_port_association":"rule:admin_or_ext_parent_owner" +# has been deprecated since W in favor of +# "create_local_ip_port_association":"role:member and +# project_id:%(project_id)s or rule:ext_parent_owner". 
+# The Local IP API now supports system scope and default roles. + +# Get a Local IP port association +# GET /local_ips/{local_ip_id}/port_associations +# GET /local_ips/{local_ip_id}/port_associations/{fixed_port_id} +# Intended scope(s): project +#"get_local_ip_port_association": "role:reader and project_id:%(project_id)s or rule:ext_parent_owner" + +# DEPRECATED +# "get_local_ip_port_association":"rule:admin_or_ext_parent_owner" has +# been deprecated since W in favor of +# "get_local_ip_port_association":"role:reader and +# project_id:%(project_id)s or rule:ext_parent_owner". +# The Local IP API now supports system scope and default roles. + +# Delete a Local IP port association +# DELETE /local_ips/{local_ip_id}/port_associations/{fixed_port_id} +# Intended scope(s): project +#"delete_local_ip_port_association": "role:member and project_id:%(project_id)s or rule:ext_parent_owner" + +# DEPRECATED +# "delete_local_ip_port_association":"rule:admin_or_ext_parent_owner" +# has been deprecated since W in favor of +# "delete_local_ip_port_association":"role:member and +# project_id:%(project_id)s or rule:ext_parent_owner". +# The Local IP API now supports system scope and default roles. + # Get loggable resources # GET /log/loggable-resources # Intended scope(s): system 
@@ -638,367 +707,414 @@ # Create a metering label # POST /metering/metering-labels -# Intended scope(s): system, project -#"create_metering_label": "role:admin and system_scope:all" +# Intended scope(s): project +#"create_metering_label": "role:admin and project_id:%(project_id)s" # DEPRECATED # "create_metering_label":"rule:admin_only" has been deprecated since # W in favor of "create_metering_label":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The metering API now supports system scope and default roles. # Get a metering label # GET /metering/metering-labels # GET /metering/metering-labels/{id} -# Intended scope(s): system, project -#"get_metering_label": "role:reader and system_scope:all" +# Intended scope(s): project +#"get_metering_label": "role:reader and project_id:%(project_id)s" # DEPRECATED # "get_metering_label":"rule:admin_only" has been deprecated since W -# in favor of "get_metering_label":"role:reader and system_scope:all". +# in favor of "get_metering_label":"role:reader and +# project_id:%(project_id)s". # The metering API now supports system scope and default roles. # Delete a metering label # DELETE /metering/metering-labels/{id} -# Intended scope(s): system, project -#"delete_metering_label": "role:admin and system_scope:all" +# Intended scope(s): project +#"delete_metering_label": "role:admin and project_id:%(project_id)s" # DEPRECATED # "delete_metering_label":"rule:admin_only" has been deprecated since # W in favor of "delete_metering_label":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The metering API now supports system scope and default roles. 
# Create a metering label rule # POST /metering/metering-label-rules -# Intended scope(s): system, project -#"create_metering_label_rule": "role:admin and system_scope:all" +# Intended scope(s): project +#"create_metering_label_rule": "role:admin and project_id:%(project_id)s" # DEPRECATED # "create_metering_label_rule":"rule:admin_only" has been deprecated # since W in favor of "create_metering_label_rule":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The metering API now supports system scope and default roles. # Get a metering label rule # GET /metering/metering-label-rules # GET /metering/metering-label-rules/{id} -# Intended scope(s): system, project -#"get_metering_label_rule": "role:reader and system_scope:all" +# Intended scope(s): project +#"get_metering_label_rule": "role:reader and project_id:%(project_id)s" # DEPRECATED # "get_metering_label_rule":"rule:admin_only" has been deprecated # since W in favor of "get_metering_label_rule":"role:reader and -# system_scope:all". +# project_id:%(project_id)s". # The metering API now supports system scope and default roles. # Delete a metering label rule # DELETE /metering/metering-label-rules/{id} -# Intended scope(s): system, project -#"delete_metering_label_rule": "role:admin and system_scope:all" +# Intended scope(s): project +#"delete_metering_label_rule": "role:admin and project_id:%(project_id)s" # DEPRECATED # "delete_metering_label_rule":"rule:admin_only" has been deprecated # since W in favor of "delete_metering_label_rule":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The metering API now supports system scope and default roles. +# Create a ndp proxy +# POST /ndp_proxies +# Intended scope(s): project +#"create_ndp_proxy": "role:member and project_id:%(project_id)s" + +# DEPRECATED +# "create_ndp_proxy":"rule:regular_user" has been deprecated since W +# in favor of "create_ndp_proxy":"role:member and +# project_id:%(project_id)s". 
+# The ndp proxy API now supports system scope and default roles. + +# Get a ndp proxy +# GET /ndp_proxies +# GET /ndp_proxies/{id} +# Intended scope(s): project +#"get_ndp_proxy": "role:reader and project_id:%(project_id)s" + +# DEPRECATED +# "get_ndp_proxy":"rule:admin_or_owner" has been deprecated since W in +# favor of "get_ndp_proxy":"role:reader and +# project_id:%(project_id)s". +# The ndp proxy API now supports system scope and default roles. + +# Update a ndp proxy +# PUT /ndp_proxies/{id} +# Intended scope(s): project +#"update_ndp_proxy": "role:member and project_id:%(project_id)s" + +# DEPRECATED +# "update_ndp_proxy":"rule:admin_or_owner" has been deprecated since W +# in favor of "update_ndp_proxy":"role:member and +# project_id:%(project_id)s". +# The ndp proxy API now supports system scope and default roles. + +# Delete a ndp proxy +# DELETE /ndp_proxies/{id} +# Intended scope(s): project +#"delete_ndp_proxy": "role:member and project_id:%(project_id)s" + +# DEPRECATED +# "delete_ndp_proxy":"rule:admin_or_owner" has been deprecated since W +# in favor of "delete_ndp_proxy":"role:member and +# project_id:%(project_id)s". +# The ndp proxy API now supports system scope and default roles. + # Definition of an external network #"external": "field:networks:router:external=True" # Create a network # POST /networks -# Intended scope(s): system, project -#"create_network": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"create_network": "role:member and project_id:%(project_id)s" # DEPRECATED # "create_network":"rule:regular_user" has been deprecated since W in -# favor of "create_network":"(role:admin and system_scope:all) or -# (role:member and project_id:%(project_id)s)". +# favor of "create_network":"role:member and +# project_id:%(project_id)s". # The network API now supports system scope and default roles. 
# Create a shared network # POST /networks -# Intended scope(s): system -#"create_network:shared": "role:admin and system_scope:all" +# Intended scope(s): project +#"create_network:shared": "role:admin and project_id:%(project_id)s" # DEPRECATED # "create_network:shared":"rule:admin_only" has been deprecated since # W in favor of "create_network:shared":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The network API now supports system scope and default roles. # Create an external network # POST /networks -# Intended scope(s): system -#"create_network:router:external": "role:admin and system_scope:all" +# Intended scope(s): project +#"create_network:router:external": "role:admin and project_id:%(project_id)s" # DEPRECATED # "create_network:router:external":"rule:admin_only" has been # deprecated since W in favor of -# "create_network:router:external":"role:admin and system_scope:all". +# "create_network:router:external":"role:admin and +# project_id:%(project_id)s". # The network API now supports system scope and default roles. # Specify ``is_default`` attribute when creating a network # POST /networks -# Intended scope(s): system -#"create_network:is_default": "role:admin and system_scope:all" +# Intended scope(s): project +#"create_network:is_default": "role:admin and project_id:%(project_id)s" # DEPRECATED # "create_network:is_default":"rule:admin_only" has been deprecated # since W in favor of "create_network:is_default":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The network API now supports system scope and default roles. 
# Specify ``port_security_enabled`` attribute when creating a network # POST /networks -# Intended scope(s): system, project -#"create_network:port_security_enabled": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"create_network:port_security_enabled": "role:member and project_id:%(project_id)s" # DEPRECATED # "create_network:port_security_enabled":"rule:regular_user" has been # deprecated since W in favor of -# "create_network:port_security_enabled":"(role:admin and -# system_scope:all) or (role:member and project_id:%(project_id)s)". +# "create_network:port_security_enabled":"role:member and +# project_id:%(project_id)s". # The network API now supports system scope and default roles. # Specify ``segments`` attribute when creating a network # POST /networks -# Intended scope(s): system -#"create_network:segments": "role:admin and system_scope:all" +# Intended scope(s): project +#"create_network:segments": "role:admin and project_id:%(project_id)s" # DEPRECATED # "create_network:segments":"rule:admin_only" has been deprecated # since W in favor of "create_network:segments":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The network API now supports system scope and default roles. # Specify ``provider:network_type`` when creating a network # POST /networks -# Intended scope(s): system -#"create_network:provider:network_type": "role:admin and system_scope:all" +# Intended scope(s): project +#"create_network:provider:network_type": "role:admin and project_id:%(project_id)s" # DEPRECATED # "create_network:provider:network_type":"rule:admin_only" has been # deprecated since W in favor of # "create_network:provider:network_type":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The network API now supports system scope and default roles. 
# Specify ``provider:physical_network`` when creating a network # POST /networks -# Intended scope(s): system -#"create_network:provider:physical_network": "role:admin and system_scope:all" +# Intended scope(s): project +#"create_network:provider:physical_network": "role:admin and project_id:%(project_id)s" # DEPRECATED # "create_network:provider:physical_network":"rule:admin_only" has # been deprecated since W in favor of # "create_network:provider:physical_network":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The network API now supports system scope and default roles. # Specify ``provider:segmentation_id`` when creating a network # POST /networks -# Intended scope(s): system -#"create_network:provider:segmentation_id": "role:admin and system_scope:all" +# Intended scope(s): project +#"create_network:provider:segmentation_id": "role:admin and project_id:%(project_id)s" # DEPRECATED # "create_network:provider:segmentation_id":"rule:admin_only" has been # deprecated since W in favor of # "create_network:provider:segmentation_id":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The network API now supports system scope and default roles. # Get a network # GET /networks # GET /networks/{id} -# Intended scope(s): system, project -#"get_network": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc" +# Intended scope(s): project +#"get_network": "role:reader and project_id:%(project_id)s or rule:shared or rule:external or rule:context_is_advsvc" # DEPRECATED # "get_network":"rule:admin_or_owner or rule:shared or rule:external # or rule:context_is_advsvc" has been deprecated since W in favor of -# "get_network":"(role:reader and system_scope:all) or (role:reader -# and project_id:%(project_id)s) or rule:shared or rule:external or -# rule:context_is_advsvc". 
+# "get_network":"role:reader and project_id:%(project_id)s or +# rule:shared or rule:external or rule:context_is_advsvc". # The network API now supports system scope and default roles. # Get ``router:external`` attribute of a network # GET /networks # GET /networks/{id} -# Intended scope(s): system, project -#"get_network:router:external": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" +# Intended scope(s): project +#"get_network:router:external": "role:reader and project_id:%(project_id)s" # DEPRECATED # "get_network:router:external":"rule:regular_user" has been # deprecated since W in favor of -# "get_network:router:external":"(role:reader and system_scope:all) or -# (role:reader and project_id:%(project_id)s)". +# "get_network:router:external":"role:reader and +# project_id:%(project_id)s". # The network API now supports system scope and default roles. # Get ``segments`` attribute of a network # GET /networks # GET /networks/{id} -# Intended scope(s): system -#"get_network:segments": "role:reader and system_scope:all" +# Intended scope(s): project +#"get_network:segments": "role:admin and project_id:%(project_id)s" # DEPRECATED # "get_network:segments":"rule:admin_only" has been deprecated since W -# in favor of "get_network:segments":"role:reader and -# system_scope:all". +# in favor of "get_network:segments":"role:admin and +# project_id:%(project_id)s". # The network API now supports system scope and default roles. # Get ``provider:network_type`` attribute of a network # GET /networks # GET /networks/{id} -# Intended scope(s): system -#"get_network:provider:network_type": "role:reader and system_scope:all" +# Intended scope(s): project +#"get_network:provider:network_type": "role:admin and project_id:%(project_id)s" # DEPRECATED # "get_network:provider:network_type":"rule:admin_only" has been # deprecated since W in favor of -# "get_network:provider:network_type":"role:reader and -# system_scope:all". 
+# "get_network:provider:network_type":"role:admin and +# project_id:%(project_id)s". # The network API now supports system scope and default roles. # Get ``provider:physical_network`` attribute of a network # GET /networks # GET /networks/{id} -# Intended scope(s): system -#"get_network:provider:physical_network": "role:reader and system_scope:all" +# Intended scope(s): project +#"get_network:provider:physical_network": "role:admin and project_id:%(project_id)s" # DEPRECATED # "get_network:provider:physical_network":"rule:admin_only" has been # deprecated since W in favor of -# "get_network:provider:physical_network":"role:reader and -# system_scope:all". +# "get_network:provider:physical_network":"role:admin and +# project_id:%(project_id)s". # The network API now supports system scope and default roles. # Get ``provider:segmentation_id`` attribute of a network # GET /networks # GET /networks/{id} -# Intended scope(s): system -#"get_network:provider:segmentation_id": "role:reader and system_scope:all" +# Intended scope(s): project +#"get_network:provider:segmentation_id": "role:admin and project_id:%(project_id)s" # DEPRECATED # "get_network:provider:segmentation_id":"rule:admin_only" has been # deprecated since W in favor of -# "get_network:provider:segmentation_id":"role:reader and -# system_scope:all". +# "get_network:provider:segmentation_id":"role:admin and +# project_id:%(project_id)s". # The network API now supports system scope and default roles. # Update a network # PUT /networks/{id} -# Intended scope(s): system, project -#"update_network": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"update_network": "role:member and project_id:%(project_id)s" # DEPRECATED # "update_network":"rule:admin_or_owner" has been deprecated since W -# in favor of "update_network":"(role:admin and system_scope:all) or -# (role:member and project_id:%(project_id)s)". 
+# in favor of "update_network":"role:member and +# project_id:%(project_id)s". # The network API now supports system scope and default roles. # Update ``segments`` attribute of a network # PUT /networks/{id} -# Intended scope(s): system -#"update_network:segments": "role:admin and system_scope:all" +# Intended scope(s): project +#"update_network:segments": "role:admin and project_id:%(project_id)s" # DEPRECATED # "update_network:segments":"rule:admin_only" has been deprecated # since W in favor of "update_network:segments":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The network API now supports system scope and default roles. # Update ``shared`` attribute of a network # PUT /networks/{id} -# Intended scope(s): system -#"update_network:shared": "role:admin and system_scope:all" +# Intended scope(s): project +#"update_network:shared": "role:admin and project_id:%(project_id)s" # DEPRECATED # "update_network:shared":"rule:admin_only" has been deprecated since # W in favor of "update_network:shared":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The network API now supports system scope and default roles. # Update ``provider:network_type`` attribute of a network # PUT /networks/{id} -# Intended scope(s): system -#"update_network:provider:network_type": "role:admin and system_scope:all" +# Intended scope(s): project +#"update_network:provider:network_type": "role:admin and project_id:%(project_id)s" # DEPRECATED # "update_network:provider:network_type":"rule:admin_only" has been # deprecated since W in favor of # "update_network:provider:network_type":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The network API now supports system scope and default roles. 
# Update ``provider:physical_network`` attribute of a network # PUT /networks/{id} -# Intended scope(s): system -#"update_network:provider:physical_network": "role:admin and system_scope:all" +# Intended scope(s): project +#"update_network:provider:physical_network": "role:admin and project_id:%(project_id)s" # DEPRECATED # "update_network:provider:physical_network":"rule:admin_only" has # been deprecated since W in favor of # "update_network:provider:physical_network":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The network API now supports system scope and default roles. # Update ``provider:segmentation_id`` attribute of a network # PUT /networks/{id} -# Intended scope(s): system -#"update_network:provider:segmentation_id": "role:admin and system_scope:all" +# Intended scope(s): project +#"update_network:provider:segmentation_id": "role:admin and project_id:%(project_id)s" # DEPRECATED # "update_network:provider:segmentation_id":"rule:admin_only" has been # deprecated since W in favor of # "update_network:provider:segmentation_id":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The network API now supports system scope and default roles. # Update ``router:external`` attribute of a network # PUT /networks/{id} -# Intended scope(s): system -#"update_network:router:external": "role:admin and system_scope:all" +# Intended scope(s): project +#"update_network:router:external": "role:admin and project_id:%(project_id)s" # DEPRECATED # "update_network:router:external":"rule:admin_only" has been # deprecated since W in favor of -# "update_network:router:external":"role:admin and system_scope:all". +# "update_network:router:external":"role:admin and +# project_id:%(project_id)s". # The network API now supports system scope and default roles. 
# Update ``is_default`` attribute of a network # PUT /networks/{id} -# Intended scope(s): system -#"update_network:is_default": "role:admin and system_scope:all" +# Intended scope(s): project +#"update_network:is_default": "role:admin and project_id:%(project_id)s" # DEPRECATED # "update_network:is_default":"rule:admin_only" has been deprecated # since W in favor of "update_network:is_default":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The network API now supports system scope and default roles. # Update ``port_security_enabled`` attribute of a network # PUT /networks/{id} -# Intended scope(s): system, project -#"update_network:port_security_enabled": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"update_network:port_security_enabled": "role:member and project_id:%(project_id)s" # DEPRECATED # "update_network:port_security_enabled":"rule:admin_or_owner" has # been deprecated since W in favor of -# "update_network:port_security_enabled":"(role:admin and -# system_scope:all) or (role:member and project_id:%(project_id)s)". +# "update_network:port_security_enabled":"role:member and +# project_id:%(project_id)s". # The network API now supports system scope and default roles. # Delete a network # DELETE /networks/{id} -# Intended scope(s): system, project -#"delete_network": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"delete_network": "role:member and project_id:%(project_id)s" # DEPRECATED # "delete_network":"rule:admin_or_owner" has been deprecated since W -# in favor of "delete_network":"(role:admin and system_scope:all) or -# (role:member and project_id:%(project_id)s)". +# in favor of "delete_network":"role:member and +# project_id:%(project_id)s". # The network API now supports system scope and default roles. # Get network IP availability 
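Review bot: The admin-only rules in this hunk (`create_network:shared`, `create_network:router:external`, `create_network:segments`, the `provider:*` create/update attributes, `create_floatingip:floating_ip_address` and the metering label rules) change from `role:admin and system_scope:all` to `role:admin and project_id:%(project_id)s`, so a project-scoped token holding the admin role now satisfies checks that previously required a system-scoped token, and the `get_network:segments` / `get_network:provider:*` read rules move from `role:reader and system_scope:all` to `role:admin and project_id:%(project_id)s`, which removes reader-role access entirely. None of this is flagged for an operator who diffs a local policy override against this file, and the retained text `# The network API now supports system scope and default roles.` now contradicts the `# Intended scope(s): project` line and the rule it sits under. The file appears to be a generated copy of neutron's defaults, so the wording should be fixed upstream, but I would add one note at the start of the network section here: `# NOTE: these defaults are project-scoped; role:admin on the target project satisfies every former system_scope:all rule, and overrides built on system_scope:all need re-checking.` The file header for this policy file is outside the visible hunk.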
@@ -1071,665 +1187,757 @@
 # Create a port
 # POST /ports
-# Intended scope(s): system, project
-#"create_port": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"create_port": "role:member and project_id:%(project_id)s"
 # DEPRECATED
 # "create_port":"rule:regular_user" has been deprecated since W in
-# favor of "create_port":"(role:admin and system_scope:all) or
-# (role:member and project_id:%(project_id)s)".
+# favor of "create_port":"role:member and project_id:%(project_id)s".
 # The port API now supports system scope and default roles.
 # Specify ``device_owner`` attribute when creting a port
 # POST /ports
-# Intended scope(s): system, project
-#"create_port:device_owner": "not rule:network_device or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:context_is_advsvc or rule:network_owner"
+# Intended scope(s): project
+#"create_port:device_owner": "not rule:network_device or role:admin and project_id:%(project_id)s or rule:context_is_advsvc or rule:network_owner"
 # DEPRECATED
 # "create_port:device_owner":"not rule:network_device or
 # rule:context_is_advsvc or rule:admin_or_network_owner" has been
 # deprecated since W in favor of "create_port:device_owner":"not
-# rule:network_device or role:admin and system_scope:all or role:admin
-# and project_id:%(project_id)s or rule:context_is_advsvc or
-# rule:network_owner".
+# rule:network_device or role:admin and project_id:%(project_id)s or
+# rule:context_is_advsvc or rule:network_owner".
 # The port API now supports system scope and default roles.
 # Specify ``mac_address`` attribute when creating a port
 # POST /ports
-# Intended scope(s): system, project
-#"create_port:mac_address": "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
+# Intended scope(s): project
+#"create_port:mac_address": "rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "create_port:mac_address":"rule:context_is_advsvc or
 # rule:admin_or_network_owner" has been deprecated since W in favor of
 # "create_port:mac_address":"rule:context_is_advsvc or
-# rule:network_owner or role:admin and system_scope:all or role:admin
-# and project_id:%(project_id)s".
+# rule:network_owner or role:admin and project_id:%(project_id)s".
 # The port API now supports system scope and default roles.
 # Specify ``fixed_ips`` information when creating a port
 # POST /ports
-# Intended scope(s): system, project
-#"create_port:fixed_ips": "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared"
+# Intended scope(s): project
+#"create_port:fixed_ips": "rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s or rule:shared"
 # DEPRECATED
 # "create_port:fixed_ips":"rule:context_is_advsvc or
 # rule:admin_or_network_owner or rule:shared" has been deprecated
 # since W in favor of "create_port:fixed_ips":"rule:context_is_advsvc
-# or rule:network_owner or role:admin and system_scope:all or
-# role:admin and project_id:%(project_id)s or rule:shared".
+# or rule:network_owner or role:admin and project_id:%(project_id)s or
+# rule:shared".
 # The port API now supports system scope and default roles.
 # Specify IP address in ``fixed_ips`` when creating a port
 # POST /ports
-# Intended scope(s): system, project
-#"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
+# Intended scope(s): project
+#"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "create_port:fixed_ips:ip_address":"rule:context_is_advsvc or
 # rule:admin_or_network_owner" has been deprecated since W in favor of
 # "create_port:fixed_ips:ip_address":"rule:context_is_advsvc or
-# rule:network_owner or role:admin and system_scope:all or role:admin
-# and project_id:%(project_id)s".
+# rule:network_owner or role:admin and project_id:%(project_id)s".
 # The port API now supports system scope and default roles.
 # Specify subnet ID in ``fixed_ips`` when creating a port
 # POST /ports
-# Intended scope(s): system, project
-#"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared"
+# Intended scope(s): project
+#"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s or rule:shared"
 # DEPRECATED
 # "create_port:fixed_ips:subnet_id":"rule:context_is_advsvc or
 # rule:admin_or_network_owner or rule:shared" has been deprecated
 # since W in favor of
 # "create_port:fixed_ips:subnet_id":"rule:context_is_advsvc or
-# rule:network_owner or role:admin and system_scope:all or role:admin
-# and project_id:%(project_id)s or rule:shared".
+# rule:network_owner or role:admin and project_id:%(project_id)s or
+# rule:shared".
 # The port API now supports system scope and default roles.
 # Specify ``port_security_enabled`` attribute when creating a port
 # POST /ports
-# Intended scope(s): system, project
-#"create_port:port_security_enabled": "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
+# Intended scope(s): project
+#"create_port:port_security_enabled": "rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "create_port:port_security_enabled":"rule:context_is_advsvc or
 # rule:admin_or_network_owner" has been deprecated since W in favor of
 # "create_port:port_security_enabled":"rule:context_is_advsvc or
-# rule:network_owner or role:admin and system_scope:all or role:admin
-# and project_id:%(project_id)s".
+# rule:network_owner or role:admin and project_id:%(project_id)s".
 # The port API now supports system scope and default roles.
 # Specify ``binding:host_id`` attribute when creating a port
 # POST /ports
-# Intended scope(s): system
-#"create_port:binding:host_id": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"create_port:binding:host_id": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "create_port:binding:host_id":"rule:admin_only" has been deprecated
 # since W in favor of "create_port:binding:host_id":"role:admin and
-# system_scope:all".
+# project_id:%(project_id)s".
 # The port API now supports system scope and default roles.
 # Specify ``binding:profile`` attribute when creating a port
 # POST /ports
-# Intended scope(s): system
-#"create_port:binding:profile": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"create_port:binding:profile": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "create_port:binding:profile":"rule:admin_only" has been deprecated
 # since W in favor of "create_port:binding:profile":"role:admin and
-# system_scope:all".
+# project_id:%(project_id)s".
 # The port API now supports system scope and default roles.
 # Specify ``binding:vnic_type`` attribute when creating a port
 # POST /ports
-# Intended scope(s): system, project
-#"create_port:binding:vnic_type": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"create_port:binding:vnic_type": "role:member and project_id:%(project_id)s"
 # DEPRECATED
 # "create_port:binding:vnic_type":"rule:regular_user" has been
 # deprecated since W in favor of
-# "create_port:binding:vnic_type":"(role:admin and system_scope:all)
-# or (role:member and project_id:%(project_id)s)".
+# "create_port:binding:vnic_type":"role:member and
+# project_id:%(project_id)s".
 # The port API now supports system scope and default roles.
 # Specify ``allowed_address_pairs`` attribute when creating a port
 # POST /ports
-# Intended scope(s): project, system
-#"create_port:allowed_address_pairs": "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
+# Intended scope(s): project
+#"create_port:allowed_address_pairs": "role:admin and project_id:%(project_id)s or rule:network_owner"
 # DEPRECATED
 # "create_port:allowed_address_pairs":"rule:admin_or_network_owner"
 # has been deprecated since W in favor of
-# "create_port:allowed_address_pairs":"role:admin and system_scope:all
-# or role:admin and project_id:%(project_id)s or rule:network_owner".
+# "create_port:allowed_address_pairs":"role:admin and
+# project_id:%(project_id)s or rule:network_owner".
 # The port API now supports system scope and default roles.
 # Specify ``mac_address` of `allowed_address_pairs`` attribute when
 # creating a port
 # POST /ports
-# Intended scope(s): project, system
-#"create_port:allowed_address_pairs:mac_address": "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
+# Intended scope(s): project
+#"create_port:allowed_address_pairs:mac_address": "role:admin and project_id:%(project_id)s or rule:network_owner"
 # DEPRECATED
 # "create_port:allowed_address_pairs:mac_address":"rule:admin_or_netwo
 # rk_owner" has been deprecated since W in favor of
 # "create_port:allowed_address_pairs:mac_address":"role:admin and
-# system_scope:all or role:admin and project_id:%(project_id)s or
-# rule:network_owner".
+# project_id:%(project_id)s or rule:network_owner".
 # The port API now supports system scope and default roles.
 # Specify ``ip_address`` of ``allowed_address_pairs`` attribute when
 # creating a port
 # POST /ports
-# Intended scope(s): project, system
-#"create_port:allowed_address_pairs:ip_address": "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
+# Intended scope(s): project
+#"create_port:allowed_address_pairs:ip_address": "role:admin and project_id:%(project_id)s or rule:network_owner"
 # DEPRECATED
 # "create_port:allowed_address_pairs:ip_address":"rule:admin_or_networ
 # k_owner" has been deprecated since W in favor of
 # "create_port:allowed_address_pairs:ip_address":"role:admin and
-# system_scope:all or role:admin and project_id:%(project_id)s or
-# rule:network_owner".
+# project_id:%(project_id)s or rule:network_owner".
 # The port API now supports system scope and default roles.
 # Get a port
 # GET /ports
 # GET /ports/{id}
-# Intended scope(s): project, system
-#"get_port": "rule:context_is_advsvc or (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"get_port": "rule:context_is_advsvc or role:reader and project_id:%(project_id)s"
 # DEPRECATED
 # "get_port":"rule:context_is_advsvc or
 # rule:admin_owner_or_network_owner" has been deprecated since W in
-# favor of "get_port":"rule:context_is_advsvc or (role:reader and
-# system_scope:all) or (role:reader and project_id:%(project_id)s)".
+# favor of "get_port":"rule:context_is_advsvc or role:reader and
+# project_id:%(project_id)s".
 # The port API now supports system scope and default roles.
 # Get ``binding:vif_type`` attribute of a port
 # GET /ports
 # GET /ports/{id}
-# Intended scope(s): system
-#"get_port:binding:vif_type": "role:reader and system_scope:all"
+# Intended scope(s): project
+#"get_port:binding:vif_type": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "get_port:binding:vif_type":"rule:admin_only" has been deprecated
-# since W in favor of "get_port:binding:vif_type":"role:reader and
-# system_scope:all".
+# since W in favor of "get_port:binding:vif_type":"role:admin and
+# project_id:%(project_id)s".
 # The port API now supports system scope and default roles.
 # Get ``binding:vif_details`` attribute of a port
 # GET /ports
 # GET /ports/{id}
-# Intended scope(s): system
-#"get_port:binding:vif_details": "role:reader and system_scope:all"
+# Intended scope(s): project
+#"get_port:binding:vif_details": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "get_port:binding:vif_details":"rule:admin_only" has been deprecated
-# since W in favor of "get_port:binding:vif_details":"role:reader and
-# system_scope:all".
+# since W in favor of "get_port:binding:vif_details":"role:admin and
+# project_id:%(project_id)s".
 # The port API now supports system scope and default roles.
 # Get ``binding:host_id`` attribute of a port
 # GET /ports
 # GET /ports/{id}
-# Intended scope(s): system
-#"get_port:binding:host_id": "role:reader and system_scope:all"
+# Intended scope(s): project
+#"get_port:binding:host_id": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "get_port:binding:host_id":"rule:admin_only" has been deprecated
-# since W in favor of "get_port:binding:host_id":"role:reader and
-# system_scope:all".
+# since W in favor of "get_port:binding:host_id":"role:admin and
+# project_id:%(project_id)s".
 # The port API now supports system scope and default roles.
 # Get ``binding:profile`` attribute of a port
 # GET /ports
 # GET /ports/{id}
-# Intended scope(s): system
-#"get_port:binding:profile": "role:reader and system_scope:all"
+# Intended scope(s): project
+#"get_port:binding:profile": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "get_port:binding:profile":"rule:admin_only" has been deprecated
-# since W in favor of "get_port:binding:profile":"role:reader and
-# system_scope:all".
+# since W in favor of "get_port:binding:profile":"role:admin and
+# project_id:%(project_id)s".
 # The port API now supports system scope and default roles.
 # Get ``resource_request`` attribute of a port
 # GET /ports
 # GET /ports/{id}
-# Intended scope(s): system
-#"get_port:resource_request": "role:reader and system_scope:all"
+# Intended scope(s): project
+#"get_port:resource_request": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "get_port:resource_request":"rule:admin_only" has been deprecated
-# since W in favor of "get_port:resource_request":"role:reader and
-# system_scope:all".
+# since W in favor of "get_port:resource_request":"role:admin and
+# project_id:%(project_id)s".
 # The port API now supports system scope and default roles.
 # Update a port
 # PUT /ports/{id}
-# Intended scope(s): system, project
-#"update_port": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
+# Intended scope(s): project
+#"update_port": "role:member and project_id:%(project_id)s or rule:context_is_advsvc"
 # DEPRECATED
 # "update_port":"rule:admin_or_owner or rule:context_is_advsvc" has
-# been deprecated since W in favor of "update_port":"(role:admin and
-# system_scope:all) or (role:member and project_id:%(project_id)s) or
-# rule:context_is_advsvc".
+# been deprecated since W in favor of "update_port":"role:member and
+# project_id:%(project_id)s or rule:context_is_advsvc".
 # The port API now supports system scope and default roles.
 # Update ``device_owner`` attribute of a port
 # PUT /ports/{id}
-# Intended scope(s): system, project
-#"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
+# Intended scope(s): project
+#"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "update_port:device_owner":"not rule:network_device or
 # rule:context_is_advsvc or rule:admin_or_network_owner" has been
 # deprecated since W in favor of "update_port:device_owner":"not
 # rule:network_device or rule:context_is_advsvc or rule:network_owner
-# or role:admin and system_scope:all or role:admin and
-# project_id:%(project_id)s".
+# or role:admin and project_id:%(project_id)s".
 # The port API now supports system scope and default roles.
 # Update ``mac_address`` attribute of a port
 # PUT /ports/{id}
-# Intended scope(s): system, project
-#"update_port:mac_address": "role:admin and system_scope:all or rule:context_is_advsvc"
+# Intended scope(s): project
+#"update_port:mac_address": "role:admin and project_id:%(project_id)s or rule:context_is_advsvc"
 # DEPRECATED
 # "update_port:mac_address":"rule:admin_only or
 # rule:context_is_advsvc" has been deprecated since W in favor of
-# "update_port:mac_address":"role:admin and system_scope:all or
-# rule:context_is_advsvc".
+# "update_port:mac_address":"role:admin and project_id:%(project_id)s
+# or rule:context_is_advsvc".
 # The port API now supports system scope and default roles.
 # Specify ``fixed_ips`` information when updating a port
 # PUT /ports/{id}
-# Intended scope(s): system, project
-#"update_port:fixed_ips": "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
+# Intended scope(s): project
+#"update_port:fixed_ips": "rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "update_port:fixed_ips":"rule:context_is_advsvc or
 # rule:admin_or_network_owner" has been deprecated since W in favor of
 # "update_port:fixed_ips":"rule:context_is_advsvc or
-# rule:network_owner or role:admin and system_scope:all or role:admin
-# and project_id:%(project_id)s".
+# rule:network_owner or role:admin and project_id:%(project_id)s".
 # The port API now supports system scope and default roles.
 # Specify IP address in ``fixed_ips`` information when updating a port
 # PUT /ports/{id}
-# Intended scope(s): system, project
-#"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
+# Intended scope(s): project
+#"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "update_port:fixed_ips:ip_address":"rule:context_is_advsvc or
 # rule:admin_or_network_owner" has been deprecated since W in favor of
 # "update_port:fixed_ips:ip_address":"rule:context_is_advsvc or
-# rule:network_owner or role:admin and system_scope:all or role:admin
-# and project_id:%(project_id)s".
+# rule:network_owner or role:admin and project_id:%(project_id)s".
 # The port API now supports system scope and default roles.
 # Specify subnet ID in ``fixed_ips`` information when updating a port
 # PUT /ports/{id}
-# Intended scope(s): system, project
-#"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared"
+# Intended scope(s): project
+#"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s or rule:shared"
 # DEPRECATED
 # "update_port:fixed_ips:subnet_id":"rule:context_is_advsvc or
 # rule:admin_or_network_owner or rule:shared" has been deprecated
 # since W in favor of
 # "update_port:fixed_ips:subnet_id":"rule:context_is_advsvc or
-# rule:network_owner or role:admin and system_scope:all or role:admin
-# and project_id:%(project_id)s or rule:shared".
+# rule:network_owner or role:admin and project_id:%(project_id)s or
+# rule:shared".
 # The port API now supports system scope and default roles.
 # Update ``port_security_enabled`` attribute of a port
 # PUT /ports/{id}
-# Intended scope(s): system, project
-#"update_port:port_security_enabled": "rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s"
+# Intended scope(s): project
+#"update_port:port_security_enabled": "rule:context_is_advsvc or rule:network_owner or role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "update_port:port_security_enabled":"rule:context_is_advsvc or
 # rule:admin_or_network_owner" has been deprecated since W in favor of
 # "update_port:port_security_enabled":"rule:context_is_advsvc or
-# rule:network_owner or role:admin and system_scope:all or role:admin
-# and project_id:%(project_id)s".
+# rule:network_owner or role:admin and project_id:%(project_id)s".
 # The port API now supports system scope and default roles.
 # Update ``binding:host_id`` attribute of a port
 # PUT /ports/{id}
-# Intended scope(s): system
-#"update_port:binding:host_id": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"update_port:binding:host_id": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "update_port:binding:host_id":"rule:admin_only" has been deprecated
 # since W in favor of "update_port:binding:host_id":"role:admin and
-# system_scope:all".
+# project_id:%(project_id)s".
 # The port API now supports system scope and default roles.
 # Update ``binding:profile`` attribute of a port
 # PUT /ports/{id}
-# Intended scope(s): system
-#"update_port:binding:profile": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"update_port:binding:profile": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "update_port:binding:profile":"rule:admin_only" has been deprecated
 # since W in favor of "update_port:binding:profile":"role:admin and
-# system_scope:all".
+# project_id:%(project_id)s".
 # The port API now supports system scope and default roles.
 # Update ``binding:vnic_type`` attribute of a port
 # PUT /ports/{id}
-# Intended scope(s): system, project
-#"update_port:binding:vnic_type": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc"
+# Intended scope(s): project
+#"update_port:binding:vnic_type": "role:member and project_id:%(project_id)s or rule:context_is_advsvc"
 # DEPRECATED
 # "update_port:binding:vnic_type":"rule:admin_or_owner or
 # rule:context_is_advsvc" has been deprecated since W in favor of
-# "update_port:binding:vnic_type":"(role:admin and system_scope:all)
-# or (role:member and project_id:%(project_id)s) or
-# rule:context_is_advsvc".
+# "update_port:binding:vnic_type":"role:member and
+# project_id:%(project_id)s or rule:context_is_advsvc".
 # The port API now supports system scope and default roles.
 # Update ``allowed_address_pairs`` attribute of a port
 # PUT /ports/{id}
-# Intended scope(s): system, project
-#"update_port:allowed_address_pairs": "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
+# Intended scope(s): project
+#"update_port:allowed_address_pairs": "role:admin and project_id:%(project_id)s or rule:network_owner"
 # DEPRECATED
 # "update_port:allowed_address_pairs":"rule:admin_or_network_owner"
 # has been deprecated since W in favor of
-# "update_port:allowed_address_pairs":"role:admin and system_scope:all
-# or role:admin and project_id:%(project_id)s or rule:network_owner".
+# "update_port:allowed_address_pairs":"role:admin and
+# project_id:%(project_id)s or rule:network_owner".
 # The port API now supports system scope and default roles.
 # Update ``mac_address`` of ``allowed_address_pairs`` attribute of a
 # port
 # PUT /ports/{id}
-# Intended scope(s): system, project
-#"update_port:allowed_address_pairs:mac_address": "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
+# Intended scope(s): project
+#"update_port:allowed_address_pairs:mac_address": "role:admin and project_id:%(project_id)s or rule:network_owner"
 # DEPRECATED
 # "update_port:allowed_address_pairs:mac_address":"rule:admin_or_netwo
 # rk_owner" has been deprecated since W in favor of
 # "update_port:allowed_address_pairs:mac_address":"role:admin and
-# system_scope:all or role:admin and project_id:%(project_id)s or
-# rule:network_owner".
+# project_id:%(project_id)s or rule:network_owner".
 # The port API now supports system scope and default roles.
 # Update ``ip_address`` of ``allowed_address_pairs`` attribute of a
 # port
 # PUT /ports/{id}
-# Intended scope(s): system, project
-#"update_port:allowed_address_pairs:ip_address": "role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner"
+# Intended scope(s): project
+#"update_port:allowed_address_pairs:ip_address": "role:admin and project_id:%(project_id)s or rule:network_owner"
 # DEPRECATED
 # "update_port:allowed_address_pairs:ip_address":"rule:admin_or_networ
 # k_owner" has been deprecated since W in favor of
 # "update_port:allowed_address_pairs:ip_address":"role:admin and
-# system_scope:all or role:admin and project_id:%(project_id)s or
-# rule:network_owner".
+# project_id:%(project_id)s or rule:network_owner".
 # The port API now supports system scope and default roles.
 # Update ``data_plane_status`` attribute of a port
 # PUT /ports/{id}
-# Intended scope(s): system, project
-#"update_port:data_plane_status": "role:admin and system_scope:all or role:data_plane_integrator"
+# Intended scope(s): project
+#"update_port:data_plane_status": "role:admin and project_id:%(project_id)s or role:data_plane_integrator"
 # DEPRECATED
 # "update_port:data_plane_status":"rule:admin_or_data_plane_int" has
 # been deprecated since W in favor of
-# "update_port:data_plane_status":"role:admin and system_scope:all or
-# role:data_plane_integrator".
+# "update_port:data_plane_status":"role:admin and
+# project_id:%(project_id)s or role:data_plane_integrator".
 # The port API now supports system scope and default roles.
 # Delete a port
 # DELETE /ports/{id}
-# Intended scope(s): system, project
-#"delete_port": "rule:context_is_advsvc or (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"delete_port": "rule:context_is_advsvc or role:member and project_id:%(project_id)s"
 # DEPRECATED
 # "delete_port":"rule:context_is_advsvc or
 # rule:admin_owner_or_network_owner" has been deprecated since W in
-# favor of "delete_port":"rule:context_is_advsvc or (role:admin and
-# system_scope:all) or (role:member and project_id:%(project_id)s)".
+# favor of "delete_port":"rule:context_is_advsvc or role:member and
+# project_id:%(project_id)s".
 # The port API now supports system scope and default roles.
 # Get QoS policies
 # GET /qos/policies
 # GET /qos/policies/{id}
-# Intended scope(s): system, project
-#"get_policy": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"get_policy": "role:reader and project_id:%(project_id)s"
 # DEPRECATED
 # "get_policy":"rule:regular_user" has been deprecated since W in
-# favor of "get_policy":"(role:reader and system_scope:all) or
-# (role:reader and project_id:%(project_id)s)".
+# favor of "get_policy":"role:reader and project_id:%(project_id)s".
 # The QoS API now supports system scope and default roles.
 # Create a QoS policy
 # POST /qos/policies
-# Intended scope(s): system
-#"create_policy": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"create_policy": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "create_policy":"rule:admin_only" has been deprecated since W in
-# favor of "create_policy":"role:admin and system_scope:all".
+# favor of "create_policy":"role:admin and project_id:%(project_id)s".
 # The QoS API now supports system scope and default roles.
 # Update a QoS policy
 # PUT /qos/policies/{id}
-# Intended scope(s): system
-#"update_policy": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"update_policy": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "update_policy":"rule:admin_only" has been deprecated since W in
-# favor of "update_policy":"role:admin and system_scope:all".
+# favor of "update_policy":"role:admin and project_id:%(project_id)s".
 # The QoS API now supports system scope and default roles.
 # Delete a QoS policy
 # DELETE /qos/policies/{id}
-# Intended scope(s): system
-#"delete_policy": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"delete_policy": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "delete_policy":"rule:admin_only" has been deprecated since W in
-# favor of "delete_policy":"role:admin and system_scope:all".
+# favor of "delete_policy":"role:admin and project_id:%(project_id)s".
 # The QoS API now supports system scope and default roles.
 # Get available QoS rule types
 # GET /qos/rule-types
 # GET /qos/rule-types/{rule_type}
 # Intended scope(s): system, project
-#"get_rule_type": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+#"get_rule_type": "role:admin or role:reader and system_scope:all"
 # DEPRECATED
 # "get_rule_type":"rule:regular_user" has been deprecated since W in
-# favor of "get_rule_type":"(role:reader and system_scope:all) or
-# (role:reader and project_id:%(project_id)s)".
+# favor of "get_rule_type":"role:admin or role:reader and
+# system_scope:all".
 # The QoS API now supports system scope and default roles.
 # Get a QoS bandwidth limit rule
 # GET /qos/policies/{policy_id}/bandwidth_limit_rules
 # GET /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
-# Intended scope(s): system, project
-#"get_policy_bandwidth_limit_rule": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"get_policy_bandwidth_limit_rule": "role:reader and project_id:%(project_id)s"
 # DEPRECATED
 # "get_policy_bandwidth_limit_rule":"rule:regular_user" has been
 # deprecated since W in favor of
-# "get_policy_bandwidth_limit_rule":"(role:reader and
-# system_scope:all) or (role:reader and project_id:%(project_id)s)".
+# "get_policy_bandwidth_limit_rule":"role:reader and
+# project_id:%(project_id)s".
 # The QoS API now supports system scope and default roles.
 # Create a QoS bandwidth limit rule
 # POST /qos/policies/{policy_id}/bandwidth_limit_rules
-# Intended scope(s): system
-#"create_policy_bandwidth_limit_rule": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"create_policy_bandwidth_limit_rule": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "create_policy_bandwidth_limit_rule":"rule:admin_only" has been
 # deprecated since W in favor of
 # "create_policy_bandwidth_limit_rule":"role:admin and
-# system_scope:all".
+# project_id:%(project_id)s".
 # The QoS API now supports system scope and default roles.
 # Update a QoS bandwidth limit rule
 # PUT /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
-# Intended scope(s): system
-#"update_policy_bandwidth_limit_rule": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"update_policy_bandwidth_limit_rule": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "update_policy_bandwidth_limit_rule":"rule:admin_only" has been
 # deprecated since W in favor of
 # "update_policy_bandwidth_limit_rule":"role:admin and
-# system_scope:all".
+# project_id:%(project_id)s".
 # The QoS API now supports system scope and default roles.
 # Delete a QoS bandwidth limit rule
 # DELETE /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
-# Intended scope(s): system
-#"delete_policy_bandwidth_limit_rule": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"delete_policy_bandwidth_limit_rule": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "delete_policy_bandwidth_limit_rule":"rule:admin_only" has been
 # deprecated since W in favor of
 # "delete_policy_bandwidth_limit_rule":"role:admin and
-# system_scope:all".
+# project_id:%(project_id)s".
 # The QoS API now supports system scope and default roles.
 # Get a QoS DSCP marking rule
 # GET /qos/policies/{policy_id}/dscp_marking_rules
 # GET /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
-# Intended scope(s): system, project
-#"get_policy_dscp_marking_rule": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"get_policy_dscp_marking_rule": "role:reader and project_id:%(project_id)s"
 # DEPRECATED
 # "get_policy_dscp_marking_rule":"rule:regular_user" has been
 # deprecated since W in favor of
-# "get_policy_dscp_marking_rule":"(role:reader and system_scope:all)
-# or (role:reader and project_id:%(project_id)s)".
+# "get_policy_dscp_marking_rule":"role:reader and
+# project_id:%(project_id)s".
 # The QoS API now supports system scope and default roles.
 # Create a QoS DSCP marking rule
 # POST /qos/policies/{policy_id}/dscp_marking_rules
-# Intended scope(s): system
-#"create_policy_dscp_marking_rule": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"create_policy_dscp_marking_rule": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "create_policy_dscp_marking_rule":"rule:admin_only" has been
 # deprecated since W in favor of
-# "create_policy_dscp_marking_rule":"role:admin and system_scope:all".
+# "create_policy_dscp_marking_rule":"role:admin and
+# project_id:%(project_id)s".
 # The QoS API now supports system scope and default roles.
 # Update a QoS DSCP marking rule
 # PUT /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
-# Intended scope(s): system
-#"update_policy_dscp_marking_rule": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"update_policy_dscp_marking_rule": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "update_policy_dscp_marking_rule":"rule:admin_only" has been
 # deprecated since W in favor of
-# "update_policy_dscp_marking_rule":"role:admin and system_scope:all".
+# "update_policy_dscp_marking_rule":"role:admin and
+# project_id:%(project_id)s".
 # The QoS API now supports system scope and default roles.
 # Delete a QoS DSCP marking rule
 # DELETE /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
-# Intended scope(s): system
-#"delete_policy_dscp_marking_rule": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"delete_policy_dscp_marking_rule": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "delete_policy_dscp_marking_rule":"rule:admin_only" has been
 # deprecated since W in favor of
-# "delete_policy_dscp_marking_rule":"role:admin and system_scope:all".
+# "delete_policy_dscp_marking_rule":"role:admin and
+# project_id:%(project_id)s".
 # The QoS API now supports system scope and default roles.
 # Get a QoS minimum bandwidth rule
 # GET /qos/policies/{policy_id}/minimum_bandwidth_rules
 # GET /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
-# Intended scope(s): system, project
-#"get_policy_minimum_bandwidth_rule": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"get_policy_minimum_bandwidth_rule": "role:reader and project_id:%(project_id)s"
 # DEPRECATED
 # "get_policy_minimum_bandwidth_rule":"rule:regular_user" has been
 # deprecated since W in favor of
-# "get_policy_minimum_bandwidth_rule":"(role:reader and
-# system_scope:all) or (role:reader and project_id:%(project_id)s)".
+# "get_policy_minimum_bandwidth_rule":"role:reader and
+# project_id:%(project_id)s".
 # The QoS API now supports system scope and default roles.
 # Create a QoS minimum bandwidth rule
 # POST /qos/policies/{policy_id}/minimum_bandwidth_rules
-# Intended scope(s): system
-#"create_policy_minimum_bandwidth_rule": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"create_policy_minimum_bandwidth_rule": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "create_policy_minimum_bandwidth_rule":"rule:admin_only" has been
 # deprecated since W in favor of
 # "create_policy_minimum_bandwidth_rule":"role:admin and
-# system_scope:all".
+# project_id:%(project_id)s".
 # The QoS API now supports system scope and default roles.
 # Update a QoS minimum bandwidth rule
 # PUT /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
-# Intended scope(s): system
-#"update_policy_minimum_bandwidth_rule": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"update_policy_minimum_bandwidth_rule": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "update_policy_minimum_bandwidth_rule":"rule:admin_only" has been
 # deprecated since W in favor of
 # "update_policy_minimum_bandwidth_rule":"role:admin and
-# system_scope:all".
+# project_id:%(project_id)s".
 # The QoS API now supports system scope and default roles.
 # Delete a QoS minimum bandwidth rule
 # DELETE /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
-# Intended scope(s): system
-#"delete_policy_minimum_bandwidth_rule": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"delete_policy_minimum_bandwidth_rule": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "delete_policy_minimum_bandwidth_rule":"rule:admin_only" has been
 # deprecated since W in favor of
 # "delete_policy_minimum_bandwidth_rule":"role:admin and
-# system_scope:all".
+# project_id:%(project_id)s".
 # The QoS API now supports system scope and default roles.
+# Get a QoS minimum packet rate rule
+# GET /qos/policies/{policy_id}/minimum_packet_rate_rules
+# GET /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
+# Intended scope(s): project
+#"get_policy_minimum_packet_rate_rule": "role:reader and project_id:%(project_id)s"
+
+# Create a QoS minimum packet rate rule
+# POST /qos/policies/{policy_id}/minimum_packet_rate_rules
+# Intended scope(s): project
+#"create_policy_minimum_packet_rate_rule": "role:admin and project_id:%(project_id)s"
+
+# Update a QoS minimum packet rate rule
+# PUT /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
+# Intended scope(s): project
+#"update_policy_minimum_packet_rate_rule": "role:admin and project_id:%(project_id)s"
+
+# Delete a QoS minimum packet rate rule
+# DELETE /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
+# Intended scope(s): project
+#"delete_policy_minimum_packet_rate_rule": "role:admin and project_id:%(project_id)s"
+
 # Get a QoS bandwidth limit rule through alias
 # GET /qos/alias_bandwidth_limit_rules/{rule_id}/
-#"get_alias_bandwidth_limit_rule": "rule:get_policy_bandwidth_limit_rule"
+# Intended scope(s): project
+#"get_alias_bandwidth_limit_rule": "role:reader and project_id:%(project_id)s"
+
+# DEPRECATED
+# "get_alias_bandwidth_limit_rule":"rule:regular_user" has been
+# deprecated since W in favor of
+# "get_alias_bandwidth_limit_rule":"role:reader and
+# project_id:%(project_id)s".
+# The QoS API now supports system scope and default roles.
 # Update a QoS bandwidth limit rule through alias
 # PUT /qos/alias_bandwidth_limit_rules/{rule_id}/
-#"update_alias_bandwidth_limit_rule": "rule:update_policy_bandwidth_limit_rule"
+# Intended scope(s): project
+#"update_alias_bandwidth_limit_rule": "role:admin and project_id:%(project_id)s"
+
+# DEPRECATED
+# "update_alias_bandwidth_limit_rule":"rule:admin_only" has been
+# deprecated since W in favor of
+# "update_alias_bandwidth_limit_rule":"role:admin and
+# project_id:%(project_id)s".
+# The QoS API now supports system scope and default roles.
 # Delete a QoS bandwidth limit rule through alias
 # DELETE /qos/alias_bandwidth_limit_rules/{rule_id}/
-#"delete_alias_bandwidth_limit_rule": "rule:delete_policy_bandwidth_limit_rule"
+# Intended scope(s): project
+#"delete_alias_bandwidth_limit_rule": "role:admin and project_id:%(project_id)s"
+
+# DEPRECATED
+# "delete_alias_bandwidth_limit_rule":"rule:admin_only" has been
+# deprecated since W in favor of
+# "delete_alias_bandwidth_limit_rule":"role:admin and
+# project_id:%(project_id)s".
+# The QoS API now supports system scope and default roles.
 # Get a QoS DSCP marking rule through alias
 # GET /qos/alias_dscp_marking_rules/{rule_id}/
-#"get_alias_dscp_marking_rule": "rule:get_policy_dscp_marking_rule"
+# Intended scope(s): project
+#"get_alias_dscp_marking_rule": "role:reader and project_id:%(project_id)s"
+
+# DEPRECATED
+# "get_alias_dscp_marking_rule":"rule:regular_user" has been
+# deprecated since W in favor of
+# "get_alias_dscp_marking_rule":"role:reader and
+# project_id:%(project_id)s".
+# The QoS API now supports system scope and default roles.
 # Update a QoS DSCP marking rule through alias
 # PUT /qos/alias_dscp_marking_rules/{rule_id}/
-#"update_alias_dscp_marking_rule": "rule:update_policy_dscp_marking_rule"
+# Intended scope(s): project
+#"update_alias_dscp_marking_rule": "role:admin and project_id:%(project_id)s"
+
+# DEPRECATED
+# "update_alias_dscp_marking_rule":"rule:admin_only" has been
+# deprecated since W in favor of
+# "update_alias_dscp_marking_rule":"role:admin and
+# project_id:%(project_id)s".
+# The QoS API now supports system scope and default roles.
 # Delete a QoS DSCP marking rule through alias
 # DELETE /qos/alias_dscp_marking_rules/{rule_id}/
-#"delete_alias_dscp_marking_rule": "rule:delete_policy_dscp_marking_rule"
+# Intended scope(s): project
+#"delete_alias_dscp_marking_rule": "role:admin and project_id:%(project_id)s"
+
+# DEPRECATED
+# "delete_alias_dscp_marking_rule":"rule:admin_only" has been
+# deprecated since W in favor of
+# "delete_alias_dscp_marking_rule":"role:admin and
+# project_id:%(project_id)s".
+# The QoS API now supports system scope and default roles.
 # Get a QoS minimum bandwidth rule through alias
 # GET /qos/alias_minimum_bandwidth_rules/{rule_id}/
-#"get_alias_minimum_bandwidth_rule": "rule:get_policy_minimum_bandwidth_rule"
+# Intended scope(s): project
+#"get_alias_minimum_bandwidth_rule": "role:reader and project_id:%(project_id)s"
+
+# DEPRECATED
+# "get_alias_minimum_bandwidth_rule":"rule:regular_user" has been
+# deprecated since W in favor of
+# "get_alias_minimum_bandwidth_rule":"role:reader and
+# project_id:%(project_id)s".
+# The QoS API now supports system scope and default roles.
 # Update a QoS minimum bandwidth rule through alias
 # PUT /qos/alias_minimum_bandwidth_rules/{rule_id}/
-#"update_alias_minimum_bandwidth_rule": "rule:update_policy_minimum_bandwidth_rule"
+# Intended scope(s): project
+#"update_alias_minimum_bandwidth_rule": "role:admin and project_id:%(project_id)s"
+
+# DEPRECATED
+# "update_alias_minimum_bandwidth_rule":"rule:admin_only" has been
+# deprecated since W in favor of
+# "update_alias_minimum_bandwidth_rule":"role:admin and
+# project_id:%(project_id)s".
+# The QoS API now supports system scope and default roles.
 # Delete a QoS minimum bandwidth rule through alias
 # DELETE /qos/alias_minimum_bandwidth_rules/{rule_id}/
-#"delete_alias_minimum_bandwidth_rule": "rule:delete_policy_minimum_bandwidth_rule"
+# Intended scope(s): project
+#"delete_alias_minimum_bandwidth_rule": "role:admin and project_id:%(project_id)s"
+
+# DEPRECATED
+# "delete_alias_minimum_bandwidth_rule":"rule:admin_only" has been
+# deprecated since W in favor of
+# "delete_alias_minimum_bandwidth_rule":"role:admin and
+# project_id:%(project_id)s".
+# The QoS API now supports system scope and default roles.
+
+# Get a QoS minimum packet rate rule through alias
+# GET /qos/alias_minimum_packet_rate_rules/{rule_id}/
+#"get_alias_minimum_packet_rate_rule": "rule:get_policy_minimum_packet_rate_rule"
+
+# Update a QoS minimum packet rate rule through alias
+# PUT /qos/alias_minimum_packet_rate_rules/{rule_id}/
+#"update_alias_minimum_packet_rate_rule": "rule:update_policy_minimum_packet_rate_rule"
+
+# Delete a QoS minimum packet rate rule through alias
+# DELETE /qos/alias_minimum_packet_rate_rules/{rule_id}/
+#"delete_alias_minimum_packet_rate_rule": "rule:delete_policy_minimum_packet_rate_rule"
 # Get a resource quota
 # GET /quota
@@ -1762,332 +1970,335 @@
 # favor of "delete_quota":"role:admin and system_scope:all".
 # The quotas API now supports system scope and default roles.
-# Definition of a wildcard target_tenant
-#"restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
+# Definition of a wildcard target_project
+#"restrict_wildcard": "(not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*) or rule:admin_only"
 # Create an RBAC policy
 # POST /rbac-policies
-# Intended scope(s): system, project
-#"create_rbac_policy": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"create_rbac_policy": "role:member and project_id:%(project_id)s"
 # DEPRECATED
 # "create_rbac_policy":"rule:regular_user" has been deprecated since W
-# in favor of "create_rbac_policy":"(role:admin and system_scope:all)
-# or (role:member and project_id:%(project_id)s)".
+# in favor of "create_rbac_policy":"role:member and
+# project_id:%(project_id)s".
 # The RBAC API now supports system scope and default roles.
 # Specify ``target_tenant`` when creating an RBAC policy
 # POST /rbac-policies
-# Intended scope(s): system, project
-#"create_rbac_policy:target_tenant": "role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)"
+# Intended scope(s): project
+#"create_rbac_policy:target_tenant": "role:admin and project_id:%(project_id)s or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)"
 # DEPRECATED
 # "create_rbac_policy:target_tenant":"rule:restrict_wildcard" has been
 # deprecated since W in favor of
-# "create_rbac_policy:target_tenant":"role:admin and system_scope:all
-# or (not field:rbac_policy:target_tenant=*)".
+# "create_rbac_policy:target_tenant":"role:admin and
+# project_id:%(project_id)s or (not field:rbac_policy:target_tenant=*
+# and not field:rbac_policy:target_project=*)".
 # The RBAC API now supports system scope and default roles.
 # Update an RBAC policy
 # PUT /rbac-policies/{id}
-# Intended scope(s): project, system
-#"update_rbac_policy": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"update_rbac_policy": "role:member and project_id:%(project_id)s"
 # DEPRECATED
 # "update_rbac_policy":"rule:admin_or_owner" has been deprecated since
-# W in favor of "update_rbac_policy":"(role:admin and
-# system_scope:all) or (role:member and project_id:%(project_id)s)".
+# W in favor of "update_rbac_policy":"role:member and
+# project_id:%(project_id)s".
 # The RBAC API now supports system scope and default roles.
 # Update ``target_tenant`` attribute of an RBAC policy
 # PUT /rbac-policies/{id}
-# Intended scope(s): system, project
-#"update_rbac_policy:target_tenant": "role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)"
+# Intended scope(s): project
+#"update_rbac_policy:target_tenant": "role:admin and project_id:%(project_id)s or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)"
 # DEPRECATED
 # "update_rbac_policy:target_tenant":"rule:restrict_wildcard and
 # rule:admin_or_owner" has been deprecated since W in favor of
-# "update_rbac_policy:target_tenant":"role:admin and system_scope:all
-# or (not field:rbac_policy:target_tenant=*)".
+# "update_rbac_policy:target_tenant":"role:admin and
+# project_id:%(project_id)s or (not field:rbac_policy:target_tenant=*
+# and not field:rbac_policy:target_project=*)".
 # The RBAC API now supports system scope and default roles.
 # Get an RBAC policy
 # GET /rbac-policies
 # GET /rbac-policies/{id}
-# Intended scope(s): project, system
-#"get_rbac_policy": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"get_rbac_policy": "role:reader and project_id:%(project_id)s"
 # DEPRECATED
 # "get_rbac_policy":"rule:admin_or_owner" has been deprecated since W
-# in favor of "get_rbac_policy":"(role:reader and system_scope:all) or
-# (role:reader and project_id:%(project_id)s)".
+# in favor of "get_rbac_policy":"role:reader and
+# project_id:%(project_id)s".
 # The RBAC API now supports system scope and default roles.
 # Delete an RBAC policy
 # DELETE /rbac-policies/{id}
-# Intended scope(s): project, system
-#"delete_rbac_policy": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"delete_rbac_policy": "role:member and project_id:%(project_id)s"
 # DEPRECATED
 # "delete_rbac_policy":"rule:admin_or_owner" has been deprecated since
-# W in favor of "delete_rbac_policy":"(role:admin and
-# system_scope:all) or (role:member and project_id:%(project_id)s)".
+# W in favor of "delete_rbac_policy":"role:member and
+# project_id:%(project_id)s".
 # The RBAC API now supports system scope and default roles.
 # Create a router
 # POST /routers
-# Intended scope(s): system, project
-#"create_router": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"create_router": "role:member and project_id:%(project_id)s"
 # DEPRECATED
 # "create_router":"rule:regular_user" has been deprecated since W in
-# favor of "create_router":"(role:admin and system_scope:all) or
-# (role:member and project_id:%(project_id)s)".
+# favor of "create_router":"role:member and
+# project_id:%(project_id)s".
 # The router API now supports system scope and default roles.
 # Specify ``distributed`` attribute when creating a router
 # POST /routers
-# Intended scope(s): system
-#"create_router:distributed": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"create_router:distributed": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "create_router:distributed":"rule:admin_only" has been deprecated
 # since W in favor of "create_router:distributed":"role:admin and
-# system_scope:all".
+# project_id:%(project_id)s".
 # The router API now supports system scope and default roles.
 # Specify ``ha`` attribute when creating a router
 # POST /routers
-# Intended scope(s): system
-#"create_router:ha": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"create_router:ha": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "create_router:ha":"rule:admin_only" has been deprecated since W in
-# favor of "create_router:ha":"role:admin and system_scope:all".
+# favor of "create_router:ha":"role:admin and
+# project_id:%(project_id)s".
 # The router API now supports system scope and default roles.
 # Specify ``external_gateway_info`` information when creating a router
 # POST /routers
-# Intended scope(s): system, project
-#"create_router:external_gateway_info": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"create_router:external_gateway_info": "role:member and project_id:%(project_id)s"
 # DEPRECATED
 # "create_router:external_gateway_info":"rule:admin_or_owner" has been
 # deprecated since W in favor of
-# "create_router:external_gateway_info":"(role:admin and
-# system_scope:all) or (role:member and project_id:%(project_id)s)".
+# "create_router:external_gateway_info":"role:member and
+# project_id:%(project_id)s".
 # The router API now supports system scope and default roles.
 # Specify ``network_id`` in ``external_gateway_info`` information when
 # creating a router
 # POST /routers
-# Intended scope(s): system, project
-#"create_router:external_gateway_info:network_id": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"create_router:external_gateway_info:network_id": "role:member and project_id:%(project_id)s"
 # DEPRECATED
 # "create_router:external_gateway_info:network_id":"rule:admin_or_owne
 # r" has been deprecated since W in favor of
-# "create_router:external_gateway_info:network_id":"(role:admin and
-# system_scope:all) or (role:member and project_id:%(project_id)s)".
+# "create_router:external_gateway_info:network_id":"role:member and
+# project_id:%(project_id)s".
 # The router API now supports system scope and default roles.
 # Specify ``enable_snat`` in ``external_gateway_info`` information
 # when creating a router
 # POST /routers
-# Intended scope(s): system
-#"create_router:external_gateway_info:enable_snat": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"create_router:external_gateway_info:enable_snat": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "create_router:external_gateway_info:enable_snat":"rule:admin_only"
 # has been deprecated since W in favor of
 # "create_router:external_gateway_info:enable_snat":"role:admin and
-# system_scope:all".
+# project_id:%(project_id)s".
 # The router API now supports system scope and default roles.
 # Specify ``external_fixed_ips`` in ``external_gateway_info``
 # information when creating a router
 # POST /routers
-# Intended scope(s): system
-#"create_router:external_gateway_info:external_fixed_ips": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"create_router:external_gateway_info:external_fixed_ips": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "create_router:external_gateway_info:external_fixed_ips":"rule:admin
 # _only" has been deprecated since W in favor of
 # "create_router:external_gateway_info:external_fixed_ips":"role:admin
-# and system_scope:all".
+# and project_id:%(project_id)s".
 # The router API now supports system scope and default roles.
 # Get a router
 # GET /routers
 # GET /routers/{id}
-# Intended scope(s): system, project
-#"get_router": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"get_router": "role:reader and project_id:%(project_id)s"
 # DEPRECATED
 # "get_router":"rule:admin_or_owner" has been deprecated since W in
-# favor of "get_router":"(role:reader and system_scope:all) or
-# (role:reader and project_id:%(project_id)s)".
+# favor of "get_router":"role:reader and project_id:%(project_id)s".
 # The router API now supports system scope and default roles.
 # Get ``distributed`` attribute of a router
 # GET /routers
 # GET /routers/{id}
-# Intended scope(s): system
-#"get_router:distributed": "role:reader and system_scope:all"
+# Intended scope(s): project
+#"get_router:distributed": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "get_router:distributed":"rule:admin_only" has been deprecated since
-# W in favor of "get_router:distributed":"role:reader and
-# system_scope:all".
+# W in favor of "get_router:distributed":"role:admin and
+# project_id:%(project_id)s".
 # The router API now supports system scope and default roles.
 # Get ``ha`` attribute of a router
 # GET /routers
 # GET /routers/{id}
-# Intended scope(s): system
-#"get_router:ha": "role:reader and system_scope:all"
+# Intended scope(s): project
+#"get_router:ha": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "get_router:ha":"rule:admin_only" has been deprecated since W in
-# favor of "get_router:ha":"role:reader and system_scope:all".
+# favor of "get_router:ha":"role:admin and project_id:%(project_id)s".
 # The router API now supports system scope and default roles.
 # Update a router
 # PUT /routers/{id}
-# Intended scope(s): system, project
-#"update_router": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"update_router": "role:member and project_id:%(project_id)s"
 # DEPRECATED
 # "update_router":"rule:admin_or_owner" has been deprecated since W in
-# favor of "update_router":"(role:admin and system_scope:all) or
-# (role:member and project_id:%(project_id)s)".
+# favor of "update_router":"role:member and
+# project_id:%(project_id)s".
 # The router API now supports system scope and default roles.
 # Update ``distributed`` attribute of a router
 # PUT /routers/{id}
-# Intended scope(s): system
-#"update_router:distributed": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"update_router:distributed": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "update_router:distributed":"rule:admin_only" has been deprecated
 # since W in favor of "update_router:distributed":"role:admin and
-# system_scope:all".
+# project_id:%(project_id)s".
 # The router API now supports system scope and default roles.
 # Update ``ha`` attribute of a router
 # PUT /routers/{id}
-# Intended scope(s): system
-#"update_router:ha": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"update_router:ha": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "update_router:ha":"rule:admin_only" has been deprecated since W in
-# favor of "update_router:ha":"role:admin and system_scope:all".
+# favor of "update_router:ha":"role:admin and
+# project_id:%(project_id)s".
 # The router API now supports system scope and default roles.
 # Update ``external_gateway_info`` information of a router
 # PUT /routers/{id}
-# Intended scope(s): system, project
-#"update_router:external_gateway_info": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"update_router:external_gateway_info": "role:member and project_id:%(project_id)s"
 # DEPRECATED
 # "update_router:external_gateway_info":"rule:admin_or_owner" has been
 # deprecated since W in favor of
-# "update_router:external_gateway_info":"(role:admin and
-# system_scope:all) or (role:member and project_id:%(project_id)s)".
+# "update_router:external_gateway_info":"role:member and
+# project_id:%(project_id)s".
 # The router API now supports system scope and default roles.
 # Update ``network_id`` attribute of ``external_gateway_info``
 # information of a router
 # PUT /routers/{id}
-# Intended scope(s): system, project
-#"update_router:external_gateway_info:network_id": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"update_router:external_gateway_info:network_id": "role:member and project_id:%(project_id)s"
 # DEPRECATED
 # "update_router:external_gateway_info:network_id":"rule:admin_or_owne
 # r" has been deprecated since W in favor of
-# "update_router:external_gateway_info:network_id":"(role:admin and
-# system_scope:all) or (role:member and project_id:%(project_id)s)".
+# "update_router:external_gateway_info:network_id":"role:member and
+# project_id:%(project_id)s".
 # The router API now supports system scope and default roles.
 # Update ``enable_snat`` attribute of ``external_gateway_info``
 # information of a router
 # PUT /routers/{id}
-# Intended scope(s): system
-#"update_router:external_gateway_info:enable_snat": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"update_router:external_gateway_info:enable_snat": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "update_router:external_gateway_info:enable_snat":"rule:admin_only"
 # has been deprecated since W in favor of
 # "update_router:external_gateway_info:enable_snat":"role:admin and
-# system_scope:all".
+# project_id:%(project_id)s".
 # The router API now supports system scope and default roles.
 # Update ``external_fixed_ips`` attribute of ``external_gateway_info``
 # information of a router
 # PUT /routers/{id}
-# Intended scope(s): system
-#"update_router:external_gateway_info:external_fixed_ips": "role:admin and system_scope:all"
+# Intended scope(s): project
+#"update_router:external_gateway_info:external_fixed_ips": "role:admin and project_id:%(project_id)s"
 # DEPRECATED
 # "update_router:external_gateway_info:external_fixed_ips":"rule:admin
 # _only" has been deprecated since W in favor of
 # "update_router:external_gateway_info:external_fixed_ips":"role:admin
-# and system_scope:all".
+# and project_id:%(project_id)s".
 # The router API now supports system scope and default roles.
 # Delete a router
 # DELETE /routers/{id}
-# Intended scope(s): system, project
-#"delete_router": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"delete_router": "role:member and project_id:%(project_id)s"
 # DEPRECATED
 # "delete_router":"rule:admin_or_owner" has been deprecated since W in
-# favor of "delete_router":"(role:admin and system_scope:all) or
-# (role:member and project_id:%(project_id)s)".
+# favor of "delete_router":"role:member and
+# project_id:%(project_id)s".
 # The router API now supports system scope and default roles.
 # Add an interface to a router
 # PUT /routers/{id}/add_router_interface
-# Intended scope(s): system, project
-#"add_router_interface": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"add_router_interface": "role:member and project_id:%(project_id)s"
 # DEPRECATED
 # "add_router_interface":"rule:admin_or_owner" has been deprecated
-# since W in favor of "add_router_interface":"(role:admin and
-# system_scope:all) or (role:member and project_id:%(project_id)s)".
+# since W in favor of "add_router_interface":"role:member and
+# project_id:%(project_id)s".
 # The router API now supports system scope and default roles.
 # Remove an interface from a router
 # PUT /routers/{id}/remove_router_interface
-# Intended scope(s): system, project
-#"remove_router_interface": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"remove_router_interface": "role:member and project_id:%(project_id)s"
 # DEPRECATED
 # "remove_router_interface":"rule:admin_or_owner" has been deprecated
-# since W in favor of "remove_router_interface":"(role:admin and
-# system_scope:all) or (role:member and project_id:%(project_id)s)".
+# since W in favor of "remove_router_interface":"role:member and
+# project_id:%(project_id)s".
 # The router API now supports system scope and default roles.
 # Add extra route to a router
 # PUT /routers/{id}/add_extraroutes
-# Intended scope(s): system, project
-#"add_extraroutes": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"add_extraroutes": "role:member and project_id:%(project_id)s"
 # DEPRECATED
 # "add_extraroutes":"rule:admin_or_owner" has been deprecated since
-# Xena in favor of "add_extraroutes":"(role:admin and
-# system_scope:all) or (role:member and project_id:%(project_id)s)".
+# Xena in favor of "add_extraroutes":"role:member and
+# project_id:%(project_id)s".
 # The router API now supports system scope and default roles.
 # Remove extra route from a router
 # PUT /routers/{id}/remove_extraroutes
-# Intended scope(s): system, project
-#"remove_extraroutes": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"
+# Intended scope(s): project
+#"remove_extraroutes": "role:member and project_id:%(project_id)s"
 # DEPRECATED
 # "remove_extraroutes":"rule:admin_or_owner" has been deprecated since
-# Xena in favor of "remove_extraroutes":"(role:admin and
-# system_scope:all) or (role:member and project_id:%(project_id)s)".
+# Xena in favor of "remove_extraroutes":"role:member and
+# project_id:%(project_id)s".
 # The router API now supports system scope and default roles.
 # Rule for admin or security group owner access
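Review bot: `restrict_wildcard` is left defined but is no longer referenced by the new defaults in this hunk: `create_rbac_policy:target_tenant` and `update_rbac_policy:target_tenant` now inline the `not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*` test instead of using `rule:restrict_wildcard`, so an operator who tightens `restrict_wildcard` in a policy override no longer affects the wildcard check on those two rules. The deprecation notes still cite `rule:restrict_wildcard`, so the rule is presumably kept only for the old-default fallback; a comment above it such as `# Kept for the deprecated defaults; the new target_tenant rules inline this check rather than referencing it.` would keep such an override from being silently ineffective. The changed API rules in the hunk also replace `system_scope:all` with `project_id:%(project_id)s` throughout, so a system-scoped admin token no longer satisfies any of them; that matches the `Intended scope(s): project` lines but is worth stating in the commit message if this file is a verbatim copy of the upstream sample. The `# Rule for admin or security group owner access` block at the end of the hunk continues outside it.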
@@ -2098,84 +2309,84 @@ # Create a security group # POST /security-groups -# Intended scope(s): system, project -#"create_security_group": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"create_security_group": "role:member and project_id:%(project_id)s" # DEPRECATED # "create_security_group":"rule:admin_or_owner" has been deprecated -# since W in favor of "create_security_group":"(role:admin and -# system_scope:all) or (role:member and project_id:%(project_id)s)". +# since W in favor of "create_security_group":"role:member and +# project_id:%(project_id)s". # The security group API now supports system scope and default roles. # Get a security group # GET /security-groups # GET /security-groups/{id} -# Intended scope(s): system, project -#"get_security_group": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" +# Intended scope(s): project +#"get_security_group": "role:reader and project_id:%(project_id)s" # DEPRECATED # "get_security_group":"rule:regular_user" has been deprecated since W -# in favor of "get_security_group":"(role:reader and system_scope:all) -# or (role:reader and project_id:%(project_id)s)". +# in favor of "get_security_group":"role:reader and +# project_id:%(project_id)s". # The security group API now supports system scope and default roles. # Update a security group # PUT /security-groups/{id} -# Intended scope(s): system, project -#"update_security_group": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"update_security_group": "role:member and project_id:%(project_id)s" # DEPRECATED # "update_security_group":"rule:admin_or_owner" has been deprecated -# since W in favor of "update_security_group":"(role:admin and -# system_scope:all) or (role:member and project_id:%(project_id)s)". +# since W in favor of "update_security_group":"role:member and +# project_id:%(project_id)s". 
# The security group API now supports system scope and default roles. # Delete a security group # DELETE /security-groups/{id} -# Intended scope(s): system, project -#"delete_security_group": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"delete_security_group": "role:member and project_id:%(project_id)s" # DEPRECATED # "delete_security_group":"rule:admin_or_owner" has been deprecated -# since W in favor of "delete_security_group":"(role:admin and -# system_scope:all) or (role:member and project_id:%(project_id)s)". +# since W in favor of "delete_security_group":"role:member and +# project_id:%(project_id)s". # The security group API now supports system scope and default roles. # Create a security group rule # POST /security-group-rules -# Intended scope(s): system, project -#"create_security_group_rule": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"create_security_group_rule": "role:member and project_id:%(project_id)s" # DEPRECATED # "create_security_group_rule":"rule:admin_or_owner" has been # deprecated since W in favor of -# "create_security_group_rule":"(role:admin and system_scope:all) or -# (role:member and project_id:%(project_id)s)". +# "create_security_group_rule":"role:member and +# project_id:%(project_id)s". # The security group API now supports system scope and default roles. 
# Get a security group rule # GET /security-group-rules # GET /security-group-rules/{id} -# Intended scope(s): system, project -#"get_security_group_rule": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:sg_owner" +# Intended scope(s): project +#"get_security_group_rule": "role:reader and project_id:%(project_id)s or rule:sg_owner" # DEPRECATED # "get_security_group_rule":"rule:admin_owner_or_sg_owner" has been # deprecated since W in favor of -# "get_security_group_rule":"(role:reader and system_scope:all) or -# (role:reader and project_id:%(project_id)s) or rule:sg_owner". +# "get_security_group_rule":"role:reader and project_id:%(project_id)s +# or rule:sg_owner". # The security group API now supports system scope and default roles. # Delete a security group rule # DELETE /security-group-rules/{id} -# Intended scope(s): system, project -#"delete_security_group_rule": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"delete_security_group_rule": "role:member and project_id:%(project_id)s" # DEPRECATED # "delete_security_group_rule":"rule:admin_or_owner" has been # deprecated since W in favor of -# "delete_security_group_rule":"(role:admin and system_scope:all) or -# (role:member and project_id:%(project_id)s)". +# "delete_security_group_rule":"role:member and +# project_id:%(project_id)s". # The security group API now supports system scope and default roles. # Create a segment 
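Review bot: The new `get_security_group_rule` default `role:reader and project_id:%(project_id)s or rule:sg_owner` drops the parentheses the old form had, so its meaning now rests on oslo.policy evaluating `and` before `or`; writing it as `(role:reader and project_id:%(project_id)s) or rule:sg_owner` would read unambiguously for operators who copy these samples into a live policy file. The same unparenthesised `and … or` mix appears in the subnet hunk (`get_subnet … or rule:shared`, `create_subnet`/`update_subnet`/`delete_subnet … or rule:network_owner`) and the subnetpool hunk (`get_subnetpool … or rule:shared_subnetpools`). The trailing `# The security group API now supports system scope and default roles.` line is also now at odds with the new `# Intended scope(s): project` above each rule. These files appear to be generated from the service's policy-in-code, so both points are probably best fixed at the generator input rather than by hand-editing the sample here.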
@@ -2232,107 +2443,103 @@ # Create a subnet # POST /subnets -# Intended scope(s): system, project -#"create_subnet": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner" +# Intended scope(s): project +#"create_subnet": "role:member and project_id:%(project_id)s or rule:network_owner" # DEPRECATED # "create_subnet":"rule:admin_or_network_owner" has been deprecated -# since W in favor of "create_subnet":"(role:admin and -# system_scope:all) or (role:member and project_id:%(project_id)s) or -# rule:network_owner". +# since W in favor of "create_subnet":"role:member and +# project_id:%(project_id)s or rule:network_owner". # The subnet API now supports system scope and default roles. # Specify ``segment_id`` attribute when creating a subnet # POST /subnets -# Intended scope(s): system -#"create_subnet:segment_id": "role:admin and system_scope:all" +# Intended scope(s): project +#"create_subnet:segment_id": "role:admin and project_id:%(project_id)s" # DEPRECATED # "create_subnet:segment_id":"rule:admin_only" has been deprecated # since W in favor of "create_subnet:segment_id":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The subnet API now supports system scope and default roles. # Specify ``service_types`` attribute when creating a subnet # POST /subnets -# Intended scope(s): system -#"create_subnet:service_types": "role:admin and system_scope:all" +# Intended scope(s): project +#"create_subnet:service_types": "role:admin and project_id:%(project_id)s" # DEPRECATED # "create_subnet:service_types":"rule:admin_only" has been deprecated # since W in favor of "create_subnet:service_types":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The subnet API now supports system scope and default roles. 
# Get a subnet # GET /subnets # GET /subnets/{id} -# Intended scope(s): system, project -#"get_subnet": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared" +# Intended scope(s): project +#"get_subnet": "role:reader and project_id:%(project_id)s or rule:shared" # DEPRECATED # "get_subnet":"rule:admin_or_owner or rule:shared" has been -# deprecated since W in favor of "get_subnet":"(role:reader and -# system_scope:all) or (role:reader and project_id:%(project_id)s) or -# rule:shared". +# deprecated since W in favor of "get_subnet":"role:reader and +# project_id:%(project_id)s or rule:shared". # The subnet API now supports system scope and default roles. # Get ``segment_id`` attribute of a subnet # GET /subnets # GET /subnets/{id} -# Intended scope(s): system -#"get_subnet:segment_id": "role:reader and system_scope:all" +# Intended scope(s): project +#"get_subnet:segment_id": "role:admin and project_id:%(project_id)s" # DEPRECATED # "get_subnet:segment_id":"rule:admin_only" has been deprecated since -# W in favor of "get_subnet:segment_id":"role:reader and -# system_scope:all". +# W in favor of "get_subnet:segment_id":"role:admin and +# project_id:%(project_id)s". # The subnet API now supports system scope and default roles. # Update a subnet # PUT /subnets/{id} -# Intended scope(s): system, project -#"update_subnet": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner" +# Intended scope(s): project +#"update_subnet": "role:member and project_id:%(project_id)s or rule:network_owner" # DEPRECATED # "update_subnet":"rule:admin_or_network_owner" has been deprecated -# since W in favor of "update_subnet":"(role:admin and -# system_scope:all) or (role:member and project_id:%(project_id)s) or -# rule:network_owner". +# since W in favor of "update_subnet":"role:member and +# project_id:%(project_id)s or rule:network_owner". 
# The subnet API now supports system scope and default roles. # Update ``segment_id`` attribute of a subnet # PUT /subnets/{id} -# Intended scope(s): system -#"update_subnet:segment_id": "role:admin and system_scope:all" +# Intended scope(s): project +#"update_subnet:segment_id": "role:admin and project_id:%(project_id)s" # DEPRECATED # "update_subnet:segment_id":"rule:admin_only" has been deprecated # since W in favor of "update_subnet:segment_id":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The subnet API now supports system scope and default roles. # Update ``service_types`` attribute of a subnet # PUT /subnets/{id} -# Intended scope(s): system -#"update_subnet:service_types": "role:admin and system_scope:all" +# Intended scope(s): project +#"update_subnet:service_types": "role:admin and project_id:%(project_id)s" # DEPRECATED # "update_subnet:service_types":"rule:admin_only" has been deprecated # since W in favor of "update_subnet:service_types":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The subnet API now supports system scope and default roles. # Delete a subnet # DELETE /subnets/{id} -# Intended scope(s): system, project -#"delete_subnet": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner" +# Intended scope(s): project +#"delete_subnet": "role:member and project_id:%(project_id)s or rule:network_owner" # DEPRECATED # "delete_subnet":"rule:admin_or_network_owner" has been deprecated -# since W in favor of "delete_subnet":"(role:admin and -# system_scope:all) or (role:member and project_id:%(project_id)s) or -# rule:network_owner". +# since W in favor of "delete_subnet":"role:member and +# project_id:%(project_id)s or rule:network_owner". # The subnet API now supports system scope and default roles. # Definition of a shared subnetpool 
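Review bot: `get_subnet:segment_id` changes from `role:reader and system_scope:all` to `role:admin and project_id:%(project_id)s`, which is a role tightening (reader to admin) rather than only the scope change the rest of the hunk makes; the sibling `get_subnet` default stays at `role:reader`, so a project reader who can list subnets can no longer see this attribute. That may well be the service's intended default, but it is the one entry in this hunk whose deprecation text (`"rule:admin_only" has been deprecated since W`) does not obviously explain the reader-to-admin move, so it is worth confirming against the upstream generated sample before merging. If Horizon gates any UI element on this rule, its visibility changes accordingly.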
@@ -2340,191 +2547,184 @@ # Create a subnetpool # POST /subnetpools -# Intended scope(s): project, system -#"create_subnetpool": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"create_subnetpool": "role:member and project_id:%(project_id)s" # DEPRECATED # "create_subnetpool":"rule:regular_user" has been deprecated since W -# in favor of "create_subnetpool":"(role:admin and system_scope:all) -# or (role:member and project_id:%(project_id)s)". +# in favor of "create_subnetpool":"role:member and +# project_id:%(project_id)s". # The subnet pool API now supports system scope and default roles. # Create a shared subnetpool # POST /subnetpools -# Intended scope(s): system -#"create_subnetpool:shared": "role:admin and system_scope:all" +# Intended scope(s): project +#"create_subnetpool:shared": "role:admin and project_id:%(project_id)s" # DEPRECATED # "create_subnetpool:shared":"rule:admin_only" has been deprecated # since W in favor of "create_subnetpool:shared":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The subnet pool API now supports system scope and default roles. # Specify ``is_default`` attribute when creating a subnetpool # POST /subnetpools -# Intended scope(s): system -#"create_subnetpool:is_default": "role:admin and system_scope:all" +# Intended scope(s): project +#"create_subnetpool:is_default": "role:admin and project_id:%(project_id)s" # DEPRECATED # "create_subnetpool:is_default":"rule:admin_only" has been deprecated # since W in favor of "create_subnetpool:is_default":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The subnet pool API now supports system scope and default roles. 
# Get a subnetpool # GET /subnetpools # GET /subnetpools/{id} -# Intended scope(s): system, project -#"get_subnetpool": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools" +# Intended scope(s): project +#"get_subnetpool": "role:reader and project_id:%(project_id)s or rule:shared_subnetpools" # DEPRECATED # "get_subnetpool":"rule:admin_or_owner or rule:shared_subnetpools" # has been deprecated since W in favor of -# "get_subnetpool":"(role:reader and system_scope:all) or (role:reader -# and project_id:%(project_id)s) or rule:shared_subnetpools". +# "get_subnetpool":"role:reader and project_id:%(project_id)s or +# rule:shared_subnetpools". # The subnet pool API now supports system scope and default roles. # Update a subnetpool # PUT /subnetpools/{id} -# Intended scope(s): system, project -#"update_subnetpool": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"update_subnetpool": "role:member and project_id:%(project_id)s" # DEPRECATED # "update_subnetpool":"rule:admin_or_owner" has been deprecated since -# W in favor of "update_subnetpool":"(role:admin and system_scope:all) -# or (role:member and project_id:%(project_id)s)". +# W in favor of "update_subnetpool":"role:member and +# project_id:%(project_id)s". # The subnet pool API now supports system scope and default roles. # Update ``is_default`` attribute of a subnetpool # PUT /subnetpools/{id} -# Intended scope(s): system -#"update_subnetpool:is_default": "role:admin and system_scope:all" +# Intended scope(s): project +#"update_subnetpool:is_default": "role:admin and project_id:%(project_id)s" # DEPRECATED # "update_subnetpool:is_default":"rule:admin_only" has been deprecated # since W in favor of "update_subnetpool:is_default":"role:admin and -# system_scope:all". +# project_id:%(project_id)s". # The subnet pool API now supports system scope and default roles. 
# Delete a subnetpool # DELETE /subnetpools/{id} -# Intended scope(s): system, project -#"delete_subnetpool": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"delete_subnetpool": "role:member and project_id:%(project_id)s" # DEPRECATED # "delete_subnetpool":"rule:admin_or_owner" has been deprecated since -# W in favor of "delete_subnetpool":"(role:admin and system_scope:all) -# or (role:member and project_id:%(project_id)s)". +# W in favor of "delete_subnetpool":"role:member and +# project_id:%(project_id)s". # The subnet pool API now supports system scope and default roles. # Onboard existing subnet into a subnetpool # PUT /subnetpools/{id}/onboard_network_subnets -# Intended scope(s): system, project -#"onboard_network_subnets": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"onboard_network_subnets": "role:member and project_id:%(project_id)s" # DEPRECATED # "onboard_network_subnets":"rule:admin_or_owner" has been deprecated -# since W in favor of "onboard_network_subnets":"(role:admin and -# system_scope:all) or (role:member and project_id:%(project_id)s)". +# since W in favor of "onboard_network_subnets":"role:member and +# project_id:%(project_id)s". # The subnet pool API now supports system scope and default roles. # Add prefixes to a subnetpool # PUT /subnetpools/{id}/add_prefixes -# Intended scope(s): system, project -#"add_prefixes": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"add_prefixes": "role:member and project_id:%(project_id)s" # DEPRECATED # "add_prefixes":"rule:admin_or_owner" has been deprecated since W in -# favor of "add_prefixes":"(role:admin and system_scope:all) or -# (role:member and project_id:%(project_id)s)". +# favor of "add_prefixes":"role:member and project_id:%(project_id)s". 
# The subnet pool API now supports system scope and default roles. # Remove unallocated prefixes from a subnetpool # PUT /subnetpools/{id}/remove_prefixes -# Intended scope(s): system, project -#"remove_prefixes": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"remove_prefixes": "role:member and project_id:%(project_id)s" # DEPRECATED # "remove_prefixes":"rule:admin_or_owner" has been deprecated since W -# in favor of "remove_prefixes":"(role:admin and system_scope:all) or -# (role:member and project_id:%(project_id)s)". +# in favor of "remove_prefixes":"role:member and +# project_id:%(project_id)s". # The subnet pool API now supports system scope and default roles. # Create a trunk # POST /trunks -# Intended scope(s): project, system -#"create_trunk": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"create_trunk": "role:member and project_id:%(project_id)s" # DEPRECATED # "create_trunk":"rule:regular_user" has been deprecated since W in -# favor of "create_trunk":"(role:admin and system_scope:all) or -# (role:member and project_id:%(project_id)s)". +# favor of "create_trunk":"role:member and project_id:%(project_id)s". # The trunks API now supports system scope and default roles. # Get a trunk # GET /trunks # GET /trunks/{id} -# Intended scope(s): project, system -#"get_trunk": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" +# Intended scope(s): project +#"get_trunk": "role:reader and project_id:%(project_id)s" # DEPRECATED # "get_trunk":"rule:admin_or_owner" has been deprecated since W in -# favor of "get_trunk":"(role:reader and system_scope:all) or -# (role:reader and project_id:%(project_id)s)". +# favor of "get_trunk":"role:reader and project_id:%(project_id)s". # The trunks API now supports system scope and default roles. 
# Update a trunk # PUT /trunks/{id} -# Intended scope(s): project, system -#"update_trunk": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"update_trunk": "role:member and project_id:%(project_id)s" # DEPRECATED # "update_trunk":"rule:admin_or_owner" has been deprecated since W in -# favor of "update_trunk":"(role:admin and system_scope:all) or -# (role:member and project_id:%(project_id)s)". +# favor of "update_trunk":"role:member and project_id:%(project_id)s". # The trunks API now supports system scope and default roles. # Delete a trunk # DELETE /trunks/{id} -# Intended scope(s): project, system -#"delete_trunk": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"delete_trunk": "role:member and project_id:%(project_id)s" # DEPRECATED # "delete_trunk":"rule:admin_or_owner" has been deprecated since W in -# favor of "delete_trunk":"(role:admin and system_scope:all) or -# (role:member and project_id:%(project_id)s)". +# favor of "delete_trunk":"role:member and project_id:%(project_id)s". # The trunks API now supports system scope and default roles. # List subports attached to a trunk # GET /trunks/{id}/get_subports -# Intended scope(s): project, system -#"get_subports": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)" +# Intended scope(s): project +#"get_subports": "role:reader and project_id:%(project_id)s" # DEPRECATED # "get_subports":"rule:regular_user" has been deprecated since W in -# favor of "get_subports":"(role:reader and system_scope:all) or -# (role:reader and project_id:%(project_id)s)". +# favor of "get_subports":"role:reader and project_id:%(project_id)s". # The trunks API now supports system scope and default roles. 
# Add subports to a trunk # PUT /trunks/{id}/add_subports -# Intended scope(s): project, system -#"add_subports": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"add_subports": "role:member and project_id:%(project_id)s" # DEPRECATED # "add_subports":"rule:admin_or_owner" has been deprecated since W in -# favor of "add_subports":"(role:admin and system_scope:all) or -# (role:member and project_id:%(project_id)s)". +# favor of "add_subports":"role:member and project_id:%(project_id)s". # The trunks API now supports system scope and default roles. # Delete subports from a trunk # PUT /trunks/{id}/remove_subports -# Intended scope(s): project, system -#"remove_subports": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)" +# Intended scope(s): project +#"remove_subports": "role:member and project_id:%(project_id)s" # DEPRECATED # "remove_subports":"rule:admin_or_owner" has been deprecated since W -# in favor of "remove_subports":"(role:admin and system_scope:all) or -# (role:member and project_id:%(project_id)s)". +# in favor of "remove_subports":"role:member and +# project_id:%(project_id)s". # The trunks API now supports system scope and default roles. diff --git a/openstack_dashboard/conf/nova_policy.yaml b/openstack_dashboard/conf/nova_policy.yaml index babffa2bb8..faed1abf0e 100644 --- a/openstack_dashboard/conf/nova_policy.yaml +++ b/openstack_dashboard/conf/nova_policy.yaml 
@@ -1,6 +1,14 @@ # Decides what is required for the 'is_admin:True' check to succeed. #"context_is_admin": "role:admin" +# DEPRECATED +# "rule:admin_api":"is_admin:True" has been deprecated since 21.0.0 in +# favor of "context_is_admin":"role:admin". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"rule:admin_api": "rule:context_is_admin" + # DEPRECATED # "admin_or_owner" has been deprecated since 21.0.0. # Nova API policies are introducing new default roles with scope_type @@ -17,28 +25,6 @@ # Default rule for most Admin APIs. #"admin_api": "is_admin:True" -# Default rule for System Admin APIs. -#"system_admin_api": "role:admin and system_scope:all" - -# DEPRECATED -# "rule:admin_api":"is_admin:True" has been deprecated since 21.0.0 in -# favor of "system_admin_api":"role:admin and system_scope:all". -# Nova API policies are introducing new default roles with scope_type -# capabilities. Old policies are deprecated and silently going to be -# ignored in nova 23.0.0 release. -#"rule:admin_api": "rule:system_admin_api" - -# Default rule for System level read only APIs. -#"system_reader_api": "role:reader and system_scope:all" - -# DEPRECATED -# "rule:admin_api":"is_admin:True" has been deprecated since 21.0.0 in -# favor of "system_reader_api":"role:reader and system_scope:all". -# Nova API policies are introducing new default roles with scope_type -# capabilities. Old policies are deprecated and silently going to be -# ignored in nova 23.0.0 release. -#"rule:admin_api": "rule:system_reader_api" - # Default rule for Project level admin APIs. #"project_admin_api": "role:admin and project_id:%(project_id)s" 
@@ -66,111 +52,107 @@ # Default rule for Project level read only APIs. #"project_reader_api": "role:reader and project_id:%(project_id)s" -# Default rule for System admin+owner APIs. -#"system_admin_or_owner": "rule:system_admin_api or rule:project_member_api" +# DEPRECATED +# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s" +# has been deprecated since 21.0.0 in favor of +# "project_reader_api":"role:reader and project_id:%(project_id)s". +# Nova API policies are introducing new default roles with scope_type +# capabilities. Old policies are deprecated and silently going to be +# ignored in nova 23.0.0 release. +#"rule:admin_or_owner": "rule:project_reader_api" + +# Default rule for Project reader and admin APIs. +#"project_reader_or_admin": "rule:project_reader_api or rule:context_is_admin" # DEPRECATED # "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s" # has been deprecated since 21.0.0 in favor of -# "system_admin_or_owner":"rule:system_admin_api or -# rule:project_member_api". +# "project_reader_or_admin":"rule:project_reader_api or +# rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. -#"rule:admin_or_owner": "rule:system_admin_or_owner" - -# Default rule for System+Project read only APIs. -#"system_or_project_reader": "rule:system_reader_api or rule:project_reader_api" - -# DEPRECATED -# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s" -# has been deprecated since 21.0.0 in favor of -# "system_or_project_reader":"rule:system_reader_api or -# rule:project_reader_api". -# Nova API policies are introducing new default roles with scope_type -# capabilities. Old policies are deprecated and silently going to be -# ignored in nova 23.0.0 release. 
-#"rule:admin_or_owner": "rule:system_or_project_reader" +#"rule:admin_or_owner": "rule:project_reader_or_admin" # Reset the state of a given server # POST /servers/{server_id}/action (os-resetState) -# Intended scope(s): system, project -#"os_compute_api:os-admin-actions:reset_state": "rule:system_admin_api" +# Intended scope(s): project +#"os_compute_api:os-admin-actions:reset_state": "rule:project_admin_api" # Inject network information into the server # POST /servers/{server_id}/action (injectNetworkInfo) -# Intended scope(s): system, project -#"os_compute_api:os-admin-actions:inject_network_info": "rule:system_admin_api" +# Intended scope(s): project +#"os_compute_api:os-admin-actions:inject_network_info": "rule:project_admin_api" # Change the administrative password for a server # POST /servers/{server_id}/action (changePassword) -# Intended scope(s): system, project -#"os_compute_api:os-admin-password": "rule:system_admin_or_owner" +# Intended scope(s): project +#"os_compute_api:os-admin-password": "rule:project_member_api" # Create or replace metadata for an aggregate # POST /os-aggregates/{aggregate_id}/action (set_metadata) # Intended scope(s): system -#"os_compute_api:os-aggregates:set_metadata": "rule:system_admin_api" +#"os_compute_api:os-aggregates:set_metadata": "rule:context_is_admin" # Add a host to an aggregate # POST /os-aggregates/{aggregate_id}/action (add_host) # Intended scope(s): system -#"os_compute_api:os-aggregates:add_host": "rule:system_admin_api" +#"os_compute_api:os-aggregates:add_host": "rule:context_is_admin" # Create an aggregate # POST /os-aggregates # Intended scope(s): system -#"os_compute_api:os-aggregates:create": "rule:system_admin_api" +#"os_compute_api:os-aggregates:create": "rule:context_is_admin" # Remove a host from an aggregate # POST /os-aggregates/{aggregate_id}/action (remove_host) # Intended scope(s): system -#"os_compute_api:os-aggregates:remove_host": "rule:system_admin_api" 
+#"os_compute_api:os-aggregates:remove_host": "rule:context_is_admin" # Update name and/or availability zone for an aggregate # PUT /os-aggregates/{aggregate_id} # Intended scope(s): system -#"os_compute_api:os-aggregates:update": "rule:system_admin_api" +#"os_compute_api:os-aggregates:update": "rule:context_is_admin" # List all aggregates # GET /os-aggregates # Intended scope(s): system -#"os_compute_api:os-aggregates:index": "rule:system_reader_api" +#"os_compute_api:os-aggregates:index": "rule:context_is_admin" # Delete an aggregate # DELETE /os-aggregates/{aggregate_id} # Intended scope(s): system -#"os_compute_api:os-aggregates:delete": "rule:system_admin_api" +#"os_compute_api:os-aggregates:delete": "rule:context_is_admin" # Show details for an aggregate # GET /os-aggregates/{aggregate_id} # Intended scope(s): system -#"os_compute_api:os-aggregates:show": "rule:system_reader_api" +#"os_compute_api:os-aggregates:show": "rule:context_is_admin" # Request image caching for an aggregate # POST /os-aggregates/{aggregate_id}/images # Intended scope(s): system -#"compute:aggregates:images": "rule:system_admin_api" +#"compute:aggregates:images": "rule:context_is_admin" # Create an assisted volume snapshot # POST /os-assisted-volume-snapshots -# Intended scope(s): system -#"os_compute_api:os-assisted-volume-snapshots:create": "rule:system_admin_api" +# Intended scope(s): project +#"os_compute_api:os-assisted-volume-snapshots:create": "rule:context_is_admin" # Delete an assisted volume snapshot # DELETE /os-assisted-volume-snapshots/{snapshot_id} -# Intended scope(s): system -#"os_compute_api:os-assisted-volume-snapshots:delete": "rule:system_admin_api" +# Intended scope(s): project +#"os_compute_api:os-assisted-volume-snapshots:delete": "rule:context_is_admin" # List port interfaces attached to a server # GET /servers/{server_id}/os-interface -# Intended scope(s): system, project -#"os_compute_api:os-attach-interfaces:list": "rule:system_or_project_reader" +# Intended 
scope(s): project +#"os_compute_api:os-attach-interfaces:list": "rule:project_reader_api" # DEPRECATED # "os_compute_api:os-attach-interfaces":"rule:admin_or_owner" has been # deprecated since 21.0.0 in favor of "os_compute_api:os-attach- -# interfaces:list":"rule:system_or_project_reader". +# interfaces:list":"rule:project_reader_api". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. @@ -178,13 +160,13 @@ # Show details of a port interface attached to a server # GET /servers/{server_id}/os-interface/{port_id} -# Intended scope(s): system, project -#"os_compute_api:os-attach-interfaces:show": "rule:system_or_project_reader" +# Intended scope(s): project +#"os_compute_api:os-attach-interfaces:show": "rule:project_reader_api" # DEPRECATED # "os_compute_api:os-attach-interfaces":"rule:admin_or_owner" has been # deprecated since 21.0.0 in favor of "os_compute_api:os-attach- -# interfaces:show":"rule:system_or_project_reader". +# interfaces:show":"rule:project_reader_api". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. 
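Review bot: The new side carries the key `"rule:admin_or_owner"` twice, first as `#"rule:admin_or_owner": "rule:project_reader_api"` and a few lines later as `#"rule:admin_or_owner": "rule:project_reader_or_admin"`; if an operator uncomments both while customising this file, a YAML loader such as PyYAML keeps only the later mapping silently, so a short comment above the first one noting that only one alias should be enabled would help. Separately, `os-assisted-volume-snapshots:create` and `:delete` are now labelled `# Intended scope(s): project` but keep `rule:context_is_admin`, which carries no `project_id` constraint, unlike the other project-scoped admin entries in this hunk (`reset_state`, `inject_network_info`) that use `rule:project_admin_api`. Both look inherited from the service's generated sample, so confirm against that output rather than editing here.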
@@ -192,13 +174,13 @@ # Attach an interface to a server # POST /servers/{server_id}/os-interface -# Intended scope(s): system, project -#"os_compute_api:os-attach-interfaces:create": "rule:system_admin_or_owner" +# Intended scope(s): project +#"os_compute_api:os-attach-interfaces:create": "rule:project_member_api" # DEPRECATED # "os_compute_api:os-attach-interfaces":"rule:admin_or_owner" has been # deprecated since 21.0.0 in favor of "os_compute_api:os-attach- -# interfaces:create":"rule:system_admin_or_owner". +# interfaces:create":"rule:project_member_api". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. @@ -206,13 +188,13 @@ # Detach an interface from a server # DELETE /servers/{server_id}/os-interface/{port_id} -# Intended scope(s): system, project -#"os_compute_api:os-attach-interfaces:delete": "rule:system_admin_or_owner" +# Intended scope(s): project +#"os_compute_api:os-attach-interfaces:delete": "rule:project_member_api" # DEPRECATED # "os_compute_api:os-attach-interfaces":"rule:admin_or_owner" has been # deprecated since 21.0.0 in favor of "os_compute_api:os-attach- -# interfaces:delete":"rule:system_admin_or_owner". +# interfaces:delete":"rule:project_member_api". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. 
@@ -226,19 +208,19 @@ # List detailed availability zone information with host information # GET /os-availability-zone/detail # Intended scope(s): system -#"os_compute_api:os-availability-zone:detail": "rule:system_reader_api" +#"os_compute_api:os-availability-zone:detail": "rule:context_is_admin" # List and show details of bare metal nodes. # # These APIs are proxy calls to the Ironic service and are deprecated. # GET /os-baremetal-nodes # Intended scope(s): system -#"os_compute_api:os-baremetal-nodes:list": "rule:system_reader_api" +#"os_compute_api:os-baremetal-nodes:list": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-baremetal-nodes":"rule:admin_api" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-baremetal- -# nodes:list":"rule:system_reader_api". +# nodes:list":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. @@ -247,12 +229,12 @@ # Show action details for a server. # GET /os-baremetal-nodes/{node_id} # Intended scope(s): system -#"os_compute_api:os-baremetal-nodes:show": "rule:system_reader_api" +#"os_compute_api:os-baremetal-nodes:show": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-baremetal-nodes":"rule:admin_api" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-baremetal- -# nodes:show":"rule:system_reader_api". +# nodes:show":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. 
@@ -261,28 +243,28 @@ # Show console connection information for a given console # authentication token # GET /os-console-auth-tokens/{console_token} -# Intended scope(s): system -#"os_compute_api:os-console-auth-tokens": "rule:system_reader_api" +# Intended scope(s): project +#"os_compute_api:os-console-auth-tokens": "rule:project_admin_api" # Show console output for a server # POST /servers/{server_id}/action (os-getConsoleOutput) -# Intended scope(s): system, project -#"os_compute_api:os-console-output": "rule:system_admin_or_owner" +# Intended scope(s): project +#"os_compute_api:os-console-output": "rule:project_member_api" # Create a back up of a server # POST /servers/{server_id}/action (createBackup) -# Intended scope(s): system, project -#"os_compute_api:os-create-backup": "rule:system_admin_or_owner" +# Intended scope(s): project +#"os_compute_api:os-create-backup": "rule:project_member_api" # Restore a soft deleted server # POST /servers/{server_id}/action (restore) -# Intended scope(s): system, project -#"os_compute_api:os-deferred-delete:restore": "rule:system_admin_or_owner" +# Intended scope(s): project +#"os_compute_api:os-deferred-delete:restore": "rule:project_member_api" # DEPRECATED # "os_compute_api:os-deferred-delete":"rule:admin_or_owner" has been # deprecated since 21.0.0 in favor of "os_compute_api:os-deferred- -# delete:restore":"rule:system_admin_or_owner". +# delete:restore":"rule:project_member_api". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. 
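Review bot: `os_compute_api:os-console-auth-tokens` moves from a system-scoped reader rule to `rule:project_admin_api`, and the sibling console-output, create-backup and deferred-delete policies drop the "system" scope entirely; Horizon evaluates this file only to decide which controls to render, while nova does the real enforcement, so a dashboard that ships these Yoga-era defaults against a nova whose operator still runs the legacy `system_*` defaults or custom overrides will show or hide console/backup actions that the API then decides the other way. The definitions of `project_admin_api` and `project_member_api` are above this hunk and not visible here, so whether they carry a `project_id:%(project_id)s` check is inferred from the names only. I would add a short operator-facing note in the Horizon settings documentation (not in this generated file) along the lines of `# nova_policy.yaml mirrors nova's Yoga defaults; deployments enforcing older or customized nova policy should point POLICY_FILES at their own copy`, so the UI/API mismatch is a documented expectation rather than a surprise.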
@@ -290,13 +272,13 @@ # Force delete a server before deferred cleanup # POST /servers/{server_id}/action (forceDelete) -# Intended scope(s): system, project -#"os_compute_api:os-deferred-delete:force": "rule:system_admin_or_owner" +# Intended scope(s): project +#"os_compute_api:os-deferred-delete:force": "rule:project_member_api" # DEPRECATED # "os_compute_api:os-deferred-delete":"rule:admin_or_owner" has been # deprecated since 21.0.0 in favor of "os_compute_api:os-deferred- -# delete:force":"rule:system_admin_or_owner". +# delete:force":"rule:project_member_api". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. @@ -304,8 +286,8 @@ # Evacuate a server from a failed host to a new host # POST /servers/{server_id}/action (evacuate) -# Intended scope(s): system, project -#"os_compute_api:os-evacuate": "rule:system_admin_api" +# Intended scope(s): project +#"os_compute_api:os-evacuate": "rule:project_admin_api" # Return extended attributes for server. # 
@@ -325,12 +307,18 @@ # /servers/{server_id}`` and ``POST /servers/{server_id}/action # (rebuild)`` API responses which are also controlled by this policy # rule, like the ``GET /servers*`` APIs. +# +# Microversion 2.90 made the ``OS-EXT-SRV-ATTR:hostname`` attribute +# available to all users, so this policy has no effect on that field +# for microversions 2.90 and greater. Controlling the visibility of +# this attribute for all microversions is therefore deprecated and +# will be removed in a future release. # GET /servers/{id} # GET /servers/detail # PUT /servers/{server_id} # POST /servers/{server_id}/action (rebuild) -# Intended scope(s): system, project -#"os_compute_api:os-extended-server-attributes": "rule:system_admin_api" +# Intended scope(s): project +#"os_compute_api:os-extended-server-attributes": "rule:project_admin_api" # List available extensions and show information for an extension by # alias @@ -342,12 +330,12 @@ # Add flavor access to a tenant # POST /flavors/{flavor_id}/action (addTenantAccess) # Intended scope(s): system -#"os_compute_api:os-flavor-access:add_tenant_access": "rule:system_admin_api" +#"os_compute_api:os-flavor-access:add_tenant_access": "rule:context_is_admin" # Remove flavor access from a tenant # POST /flavors/{flavor_id}/action (removeTenantAccess) # Intended scope(s): system -#"os_compute_api:os-flavor-access:remove_tenant_access": "rule:system_admin_api" +#"os_compute_api:os-flavor-access:remove_tenant_access": "rule:context_is_admin" # List flavor access information # 
@@ -355,12 +343,12 @@ # flavor via an os-flavor-access API. # GET /flavors/{flavor_id}/os-flavor-access # Intended scope(s): system -#"os_compute_api:os-flavor-access": "rule:system_reader_api" +#"os_compute_api:os-flavor-access": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-flavor-access":"rule:admin_or_owner" has been # deprecated since 21.0.0 in favor of "os_compute_api:os-flavor- -# access":"rule:system_reader_api". +# access":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. 
@@ -368,54 +356,47 @@ # Show an extra spec for a flavor # GET /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key} # Intended scope(s): system, project -#"os_compute_api:os-flavor-extra-specs:show": "rule:system_or_project_reader" +#"os_compute_api:os-flavor-extra-specs:show": "rule:project_reader_or_admin" # Create extra specs for a flavor # POST /flavors/{flavor_id}/os-extra_specs/ # Intended scope(s): system -#"os_compute_api:os-flavor-extra-specs:create": "rule:system_admin_api" +#"os_compute_api:os-flavor-extra-specs:create": "rule:context_is_admin" # Update an extra spec for a flavor # PUT /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key} # Intended scope(s): system -#"os_compute_api:os-flavor-extra-specs:update": "rule:system_admin_api" +#"os_compute_api:os-flavor-extra-specs:update": "rule:context_is_admin" # Delete an extra spec for a flavor # DELETE /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key} # Intended scope(s): system -#"os_compute_api:os-flavor-extra-specs:delete": "rule:system_admin_api" +#"os_compute_api:os-flavor-extra-specs:delete": "rule:context_is_admin" -# List extra specs for a flavor. Starting with microversion 2.47, the -# flavor used for a server is also returned in the response when -# showing server details, updating a server or rebuilding a server. -# Starting with microversion 2.61, extra specs may be returned in -# responses for the flavor resource. +# List extra specs for a flavor. Starting with microversion 2.61, +# extra specs may be returned in responses for the flavor resource. 
# GET /flavors/{flavor_id}/os-extra_specs/ -# GET /servers/detail -# GET /servers/{server_id} -# PUT /servers/{server_id} -# POST /servers/{server_id}/action (rebuild) # POST /flavors # GET /flavors/detail # GET /flavors/{flavor_id} # PUT /flavors/{flavor_id} # Intended scope(s): system, project -#"os_compute_api:os-flavor-extra-specs:index": "rule:system_or_project_reader" +#"os_compute_api:os-flavor-extra-specs:index": "rule:project_reader_or_admin" # Create a flavor # POST /flavors # Intended scope(s): system -#"os_compute_api:os-flavor-manage:create": "rule:system_admin_api" +#"os_compute_api:os-flavor-manage:create": "rule:context_is_admin" # Update a flavor # PUT /flavors/{flavor_id} # Intended scope(s): system -#"os_compute_api:os-flavor-manage:update": "rule:system_admin_api" +#"os_compute_api:os-flavor-manage:update": "rule:context_is_admin" # Delete a flavor # DELETE /flavors/{flavor_id} # Intended scope(s): system -#"os_compute_api:os-flavor-manage:delete": "rule:system_admin_api" +#"os_compute_api:os-flavor-manage:delete": "rule:context_is_admin" # List floating IP pools. This API is deprecated. # GET /os-floating-ip-pools @@ -424,13 +405,13 @@ # Associate floating IPs to server. This API is deprecated. # POST /servers/{server_id}/action (addFloatingIp) -# Intended scope(s): system, project -#"os_compute_api:os-floating-ips:add": "rule:system_admin_or_owner" +# Intended scope(s): project +#"os_compute_api:os-floating-ips:add": "rule:project_member_api" # DEPRECATED # "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-floating- -# ips:add":"rule:system_admin_or_owner". +# ips:add":"rule:project_member_api". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. 
@@ -438,13 +419,13 @@ # Disassociate floating IPs to server. This API is deprecated. # POST /servers/{server_id}/action (removeFloatingIp) -# Intended scope(s): system, project -#"os_compute_api:os-floating-ips:remove": "rule:system_admin_or_owner" +# Intended scope(s): project +#"os_compute_api:os-floating-ips:remove": "rule:project_member_api" # DEPRECATED # "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-floating- -# ips:remove":"rule:system_admin_or_owner". +# ips:remove":"rule:project_member_api". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. @@ -452,13 +433,13 @@ # List floating IPs. This API is deprecated. # GET /os-floating-ips -# Intended scope(s): system, project -#"os_compute_api:os-floating-ips:list": "rule:system_or_project_reader" +# Intended scope(s): project +#"os_compute_api:os-floating-ips:list": "rule:project_reader_api" # DEPRECATED # "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-floating- -# ips:list":"rule:system_or_project_reader". +# ips:list":"rule:project_reader_api". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. 
@@ -466,13 +447,13 @@ # Create floating IPs. This API is deprecated. # POST /os-floating-ips -# Intended scope(s): system, project -#"os_compute_api:os-floating-ips:create": "rule:system_admin_or_owner" +# Intended scope(s): project +#"os_compute_api:os-floating-ips:create": "rule:project_member_api" # DEPRECATED # "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-floating- -# ips:create":"rule:system_admin_or_owner". +# ips:create":"rule:project_member_api". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. @@ -480,13 +461,13 @@ # Show floating IPs. This API is deprecated. # GET /os-floating-ips/{floating_ip_id} -# Intended scope(s): system, project -#"os_compute_api:os-floating-ips:show": "rule:system_or_project_reader" +# Intended scope(s): project +#"os_compute_api:os-floating-ips:show": "rule:project_reader_api" # DEPRECATED # "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-floating- -# ips:show":"rule:system_or_project_reader". +# ips:show":"rule:project_reader_api". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. 
@@ -494,13 +475,13 @@ # Delete floating IPs. This API is deprecated. # DELETE /os-floating-ips/{floating_ip_id} -# Intended scope(s): system, project -#"os_compute_api:os-floating-ips:delete": "rule:system_admin_or_owner" +# Intended scope(s): project +#"os_compute_api:os-floating-ips:delete": "rule:project_member_api" # DEPRECATED # "os_compute_api:os-floating-ips":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os-floating- -# ips:delete":"rule:system_admin_or_owner". +# ips:delete":"rule:project_member_api". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. @@ -511,12 +492,12 @@ # This API is deprecated in favor of os-hypervisors and os-services. # GET /os-hosts # Intended scope(s): system -#"os_compute_api:os-hosts:list": "rule:system_reader_api" +#"os_compute_api:os-hosts:list": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since # 22.0.0 in favor of "os_compute_api:os- -# hosts:list":"rule:system_reader_api". +# hosts:list":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. 
@@ -527,12 +508,12 @@ # This API is deprecated in favor of os-hypervisors and os-services. # GET /os-hosts/{host_name} # Intended scope(s): system -#"os_compute_api:os-hosts:show": "rule:system_reader_api" +#"os_compute_api:os-hosts:show": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since # 22.0.0 in favor of "os_compute_api:os- -# hosts:show":"rule:system_reader_api". +# hosts:show":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. @@ -543,12 +524,12 @@ # This API is deprecated in favor of os-hypervisors and os-services. # PUT /os-hosts/{host_name} # Intended scope(s): system -#"os_compute_api:os-hosts:update": "rule:system_admin_api" +#"os_compute_api:os-hosts:update": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since # 22.0.0 in favor of "os_compute_api:os- -# hosts:update":"rule:system_admin_api". +# hosts:update":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. @@ -559,12 +540,12 @@ # This API is deprecated in favor of os-hypervisors and os-services. # GET /os-hosts/{host_name}/reboot # Intended scope(s): system -#"os_compute_api:os-hosts:reboot": "rule:system_admin_api" +#"os_compute_api:os-hosts:reboot": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since # 22.0.0 in favor of "os_compute_api:os- -# hosts:reboot":"rule:system_admin_api". +# hosts:reboot":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. 
@@ -575,12 +556,12 @@ # This API is deprecated in favor of os-hypervisors and os-services. # GET /os-hosts/{host_name}/shutdown # Intended scope(s): system -#"os_compute_api:os-hosts:shutdown": "rule:system_admin_api" +#"os_compute_api:os-hosts:shutdown": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since # 22.0.0 in favor of "os_compute_api:os- -# hosts:shutdown":"rule:system_admin_api". +# hosts:shutdown":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. @@ -591,12 +572,12 @@ # This API is deprecated in favor of os-hypervisors and os-services. # GET /os-hosts/{host_name}/startup # Intended scope(s): system -#"os_compute_api:os-hosts:start": "rule:system_admin_api" +#"os_compute_api:os-hosts:start": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hosts":"rule:admin_api" has been deprecated since # 22.0.0 in favor of "os_compute_api:os- -# hosts:start":"rule:system_admin_api". +# hosts:start":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. @@ -605,12 +586,12 @@ # List all hypervisors. # GET /os-hypervisors # Intended scope(s): system -#"os_compute_api:os-hypervisors:list": "rule:system_reader_api" +#"os_compute_api:os-hypervisors:list": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated # since 21.0.0 in favor of "os_compute_api:os- -# hypervisors:list":"rule:system_reader_api". +# hypervisors:list":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. 
@@ -619,12 +600,12 @@ # List all hypervisors with details # GET /os-hypervisors/details # Intended scope(s): system -#"os_compute_api:os-hypervisors:list-detail": "rule:system_reader_api" +#"os_compute_api:os-hypervisors:list-detail": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated # since 21.0.0 in favor of "os_compute_api:os-hypervisors:list- -# detail":"rule:system_reader_api". +# detail":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. @@ -633,12 +614,12 @@ # Show summary statistics for all hypervisors over all compute nodes. # GET /os-hypervisors/statistics # Intended scope(s): system -#"os_compute_api:os-hypervisors:statistics": "rule:system_reader_api" +#"os_compute_api:os-hypervisors:statistics": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated # since 21.0.0 in favor of "os_compute_api:os- -# hypervisors:statistics":"rule:system_reader_api". +# hypervisors:statistics":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. 
@@ -647,12 +628,12 @@ # Show details for a hypervisor. # GET /os-hypervisors/{hypervisor_id} # Intended scope(s): system -#"os_compute_api:os-hypervisors:show": "rule:system_reader_api" +#"os_compute_api:os-hypervisors:show": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated # since 21.0.0 in favor of "os_compute_api:os- -# hypervisors:show":"rule:system_reader_api". +# hypervisors:show":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. @@ -661,12 +642,12 @@ # Show the uptime of a hypervisor. # GET /os-hypervisors/{hypervisor_id}/uptime # Intended scope(s): system -#"os_compute_api:os-hypervisors:uptime": "rule:system_reader_api" +#"os_compute_api:os-hypervisors:uptime": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated # since 21.0.0 in favor of "os_compute_api:os- -# hypervisors:uptime":"rule:system_reader_api". +# hypervisors:uptime":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. 
@@ -675,12 +656,12 @@ # Search hypervisor by hypervisor_hostname pattern. # GET /os-hypervisors/{hypervisor_hostname_pattern}/search # Intended scope(s): system -#"os_compute_api:os-hypervisors:search": "rule:system_reader_api" +#"os_compute_api:os-hypervisors:search": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated # since 21.0.0 in favor of "os_compute_api:os- -# hypervisors:search":"rule:system_reader_api". +# hypervisors:search":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. @@ -690,12 +671,12 @@ # hypervisor_hostname pattern. # GET /os-hypervisors/{hypervisor_hostname_pattern}/servers # Intended scope(s): system -#"os_compute_api:os-hypervisors:servers": "rule:system_reader_api" +#"os_compute_api:os-hypervisors:servers": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-hypervisors":"rule:admin_api" has been deprecated # since 21.0.0 in favor of "os_compute_api:os- -# hypervisors:servers":"rule:system_reader_api". +# hypervisors:servers":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. @@ -712,8 +693,8 @@ # if the action can be retried), but in the other hand it might leak # information about the deployment (e.g. the type of the hypervisor). # GET /servers/{server_id}/os-instance-actions/{request_id} -# Intended scope(s): system, project -#"os_compute_api:os-instance-actions:events:details": "rule:system_reader_api" +# Intended scope(s): project +#"os_compute_api:os-instance-actions:events:details": "rule:project_admin_api" # Add events details in action details for a server. This check is # performed only after the check os_compute_api:os-instance- 
@@ -723,18 +704,18 @@ # 2.62, each event includes a hashed host identifier and, if policy # enforcement passes, the name of the host. # GET /servers/{server_id}/os-instance-actions/{request_id} -# Intended scope(s): system, project -#"os_compute_api:os-instance-actions:events": "rule:system_reader_api" +# Intended scope(s): project +#"os_compute_api:os-instance-actions:events": "rule:project_admin_api" # List actions for a server. # GET /servers/{server_id}/os-instance-actions -# Intended scope(s): system, project -#"os_compute_api:os-instance-actions:list": "rule:system_or_project_reader" +# Intended scope(s): project +#"os_compute_api:os-instance-actions:list": "rule:project_reader_api" # DEPRECATED # "os_compute_api:os-instance-actions":"rule:admin_or_owner" has been # deprecated since 21.0.0 in favor of "os_compute_api:os-instance- -# actions:list":"rule:system_or_project_reader". +# actions:list":"rule:project_reader_api". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. @@ -742,13 +723,13 @@ # Show action details for a server. # GET /servers/{server_id}/os-instance-actions/{request_id} -# Intended scope(s): system, project -#"os_compute_api:os-instance-actions:show": "rule:system_or_project_reader" +# Intended scope(s): project +#"os_compute_api:os-instance-actions:show": "rule:project_reader_api" # DEPRECATED # "os_compute_api:os-instance-actions":"rule:admin_or_owner" has been # deprecated since 21.0.0 in favor of "os_compute_api:os-instance- -# actions:show":"rule:system_or_project_reader". +# actions:show":"rule:project_reader_api". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. 
@@ -757,12 +738,12 @@ # List all usage audits. # GET /os-instance_usage_audit_log # Intended scope(s): system -#"os_compute_api:os-instance-usage-audit-log:list": "rule:system_reader_api" +#"os_compute_api:os-instance-usage-audit-log:list": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-instance-usage-audit-log":"rule:admin_api" has # been deprecated since 21.0.0 in favor of "os_compute_api:os- -# instance-usage-audit-log:list":"rule:system_reader_api". +# instance-usage-audit-log:list":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. @@ -772,12 +753,12 @@ # servers on all compute hosts where usage auditing is configured # GET /os-instance_usage_audit_log/{before_timestamp} # Intended scope(s): system -#"os_compute_api:os-instance-usage-audit-log:show": "rule:system_reader_api" +#"os_compute_api:os-instance-usage-audit-log:show": "rule:context_is_admin" # DEPRECATED # "os_compute_api:os-instance-usage-audit-log":"rule:admin_api" has # been deprecated since 21.0.0 in favor of "os_compute_api:os- -# instance-usage-audit-log:show":"rule:system_reader_api". +# instance-usage-audit-log:show":"rule:context_is_admin". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. 
@@ -785,37 +766,37 @@ # Show IP addresses details for a network label of a server # GET /servers/{server_id}/ips/{network_label} -# Intended scope(s): system, project -#"os_compute_api:ips:show": "rule:system_or_project_reader" +# Intended scope(s): project +#"os_compute_api:ips:show": "rule:project_reader_api" # List IP addresses that are assigned to a server # GET /servers/{server_id}/ips -# Intended scope(s): system, project -#"os_compute_api:ips:index": "rule:system_or_project_reader" +# Intended scope(s): project +#"os_compute_api:ips:index": "rule:project_reader_api" # List all keypairs # GET /os-keypairs # Intended scope(s): system, project -#"os_compute_api:os-keypairs:index": "(rule:system_reader_api) or user_id:%(user_id)s" +#"os_compute_api:os-keypairs:index": "(rule:context_is_admin) or user_id:%(user_id)s" # Create a keypair # POST /os-keypairs # Intended scope(s): system, project -#"os_compute_api:os-keypairs:create": "(rule:system_admin_api) or user_id:%(user_id)s" +#"os_compute_api:os-keypairs:create": "(rule:context_is_admin) or user_id:%(user_id)s" # Delete a keypair # DELETE /os-keypairs/{keypair_name} # Intended scope(s): system, project -#"os_compute_api:os-keypairs:delete": "(rule:system_admin_api) or user_id:%(user_id)s" +#"os_compute_api:os-keypairs:delete": "(rule:context_is_admin) or user_id:%(user_id)s" # Show details of a keypair # GET /os-keypairs/{keypair_name} # Intended scope(s): system, project -#"os_compute_api:os-keypairs:show": "(rule:system_reader_api) or user_id:%(user_id)s" +#"os_compute_api:os-keypairs:show": "(rule:context_is_admin) or user_id:%(user_id)s" # Show rate and absolute limits for the current user project # GET /limits -# Intended scope(s): system, project +# Intended scope(s): project #"os_compute_api:limits": "@" # Show rate and absolute limits of other project. 
@@ -824,13 +805,13 @@ # project limits. And this check is performed only after the check # os_compute_api:limits passes # GET /limits -# Intended scope(s): system -#"os_compute_api:limits:other_project": "rule:system_reader_api" +# Intended scope(s): project +#"os_compute_api:limits:other_project": "rule:project_admin_api" # DEPRECATED # "os_compute_api:os-used-limits":"rule:admin_api" has been deprecated # since 21.0.0 in favor of -# "os_compute_api:limits:other_project":"rule:system_reader_api". +# "os_compute_api:limits:other_project":"rule:project_admin_api". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. 
@@ -838,48 +819,48 @@ # Lock a server # POST /servers/{server_id}/action (lock) -# Intended scope(s): system, project -#"os_compute_api:os-lock-server:lock": "rule:system_admin_or_owner" +# Intended scope(s): project +#"os_compute_api:os-lock-server:lock": "rule:project_member_api" # Unlock a server # POST /servers/{server_id}/action (unlock) -# Intended scope(s): system, project -#"os_compute_api:os-lock-server:unlock": "rule:system_admin_or_owner" +# Intended scope(s): project +#"os_compute_api:os-lock-server:unlock": "rule:project_member_api" # Unlock a server, regardless who locked the server. # # This check is performed only after the check os_compute_api:os-lock- # server:unlock passes # POST /servers/{server_id}/action (unlock) -# Intended scope(s): system, project -#"os_compute_api:os-lock-server:unlock:unlock_override": "rule:system_admin_api" +# Intended scope(s): project +#"os_compute_api:os-lock-server:unlock:unlock_override": "rule:project_admin_api" # Cold migrate a server to a host # POST /servers/{server_id}/action (migrate) -# Intended scope(s): system, project -#"os_compute_api:os-migrate-server:migrate": "rule:system_admin_api" +# Intended scope(s): project +#"os_compute_api:os-migrate-server:migrate": "rule:project_admin_api" # Live migrate a server to a new host without a reboot # POST /servers/{server_id}/action (os-migrateLive) -# Intended scope(s): system, project -#"os_compute_api:os-migrate-server:migrate_live": "rule:system_admin_api" +# Intended scope(s): project +#"os_compute_api:os-migrate-server:migrate_live": "rule:project_admin_api" # List migrations # GET /os-migrations -# Intended scope(s): system -#"os_compute_api:os-migrations:index": "rule:system_reader_api" +# Intended scope(s): project +#"os_compute_api:os-migrations:index": "rule:project_admin_api" # Add a fixed IP address to a server. # # This API is proxy calls to the Network service. This is deprecated. 
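Review bot: `os_compute_api:os-migrations:index` changes from a system-scoped reader rule to `rule:project_admin_api` with intended scope "project", but `GET /os-migrations` is a cloud-wide listing that is not tied to any project; if `project_admin_api` is defined as `role:admin and project_id:%(project_id)s` (not visible here), a project-scoped admin token will satisfy the check against an empty target and see migrations belonging to every project. Horizon does not appear to gate any panel on this rule in the visible hunk, so the exposure is on the nova side and is upstream's chosen default, but a reviewer comparing these defaults with the `os-hosts`/`os-hypervisors` rules above, which stayed on `rule:context_is_admin`, should confirm this difference is intentional and not a copy error. The `os-lock-server:unlock:unlock_override`, `os-migrate-server:migrate` and `migrate_live` rules in the same hunk follow the same pattern and are consistent with it.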
# POST /servers/{server_id}/action (addFixedIp) -# Intended scope(s): system, project -#"os_compute_api:os-multinic:add": "rule:system_admin_or_owner" +# Intended scope(s): project +#"os_compute_api:os-multinic:add": "rule:project_member_api" # DEPRECATED # "os_compute_api:os-multinic":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os- -# multinic:add":"rule:system_admin_or_owner". +# multinic:add":"rule:project_member_api". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. @@ -889,13 +870,13 @@ # # This API is proxy calls to the Network service. This is deprecated. # POST /servers/{server_id}/action (removeFixedIp) -# Intended scope(s): system, project -#"os_compute_api:os-multinic:remove": "rule:system_admin_or_owner" +# Intended scope(s): project +#"os_compute_api:os-multinic:remove": "rule:project_member_api" # DEPRECATED # "os_compute_api:os-multinic":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os- -# multinic:remove":"rule:system_admin_or_owner". +# multinic:remove":"rule:project_member_api". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. 
@@ -905,13 +886,13 @@ # # This API is proxy calls to the Network service. This is deprecated. # GET /os-networks -# Intended scope(s): system, project -#"os_compute_api:os-networks:list": "rule:system_or_project_reader" +# Intended scope(s): project +#"os_compute_api:os-networks:list": "rule:project_reader_api" # DEPRECATED # "os_compute_api:os-networks:view":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os- -# networks:list":"rule:system_or_project_reader". +# networks:list":"rule:project_reader_api". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. @@ -921,13 +902,13 @@ # # This API is proxy calls to the Network service. This is deprecated. # GET /os-networks/{network_id} -# Intended scope(s): system, project -#"os_compute_api:os-networks:show": "rule:system_or_project_reader" +# Intended scope(s): project +#"os_compute_api:os-networks:show": "rule:project_reader_api" # DEPRECATED # "os_compute_api:os-networks:view":"rule:admin_or_owner" has been # deprecated since 22.0.0 in favor of "os_compute_api:os- -# networks:show":"rule:system_or_project_reader". +# networks:show":"rule:project_reader_api". # Nova API policies are introducing new default roles with scope_type # capabilities. Old policies are deprecated and silently going to be # ignored in nova 23.0.0 release. 
@@ -935,28 +916,28 @@ # Pause a server # POST /servers/{server_id}/action (pause) -# Intended scope(s): system, project -#"os_compute_api:os-pause-server:pause": "rule:system_admin_or_owner" +# Intended scope(s): project +#"os_compute_api:os-pause-server:pause": "rule:project_member_api" # Unpause a paused server # POST /servers/{server_id}/action (unpause) -# Intended scope(s): system, project -#"os_compute_api:os-pause-server:unpause": "rule:system_admin_or_owner" +# Intended scope(s): project +#"os_compute_api:os-pause-server:unpause": "rule:project_member_api" # List quotas for specific quota classs # GET /os-quota-class-sets/{quota_class} # Intended scope(s): system -#"os_compute_api:os-quota-class-sets:show": "rule:system_reader_api" +#"os_compute_api:os-quota-class-sets:show": "rule:context_is_admin" # Update quotas for specific quota class # PUT /os-quota-class-sets/{quota_class} # Intended scope(s): system -#"os_compute_api:os-quota-class-sets:update": "rule:system_admin_api" +#"os_compute_api:os-quota-class-sets:update": "rule:context_is_admin" # Update the quotas # PUT /os-quota-sets/{tenant_id} -# Intended scope(s): system -#"os_compute_api:os-quota-sets:update": "rule:system_admin_api" +# Intended scope(s): project +#"os_compute_api:os-quota-sets:update": "rule:project_admin_api" # List default quotas # GET /os-quota-sets/{tenant_id}/defaults 
@@ -965,18 +946,18 @@
 # Show a quota
 # GET /os-quota-sets/{tenant_id}
-# Intended scope(s): system, project
-#"os_compute_api:os-quota-sets:show": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:os-quota-sets:show": "(rule:project_reader_api) or role:admin"
 # Revert quotas to defaults
 # DELETE /os-quota-sets/{tenant_id}
-# Intended scope(s): system
-#"os_compute_api:os-quota-sets:delete": "rule:system_admin_api"
+# Intended scope(s): project
+#"os_compute_api:os-quota-sets:delete": "rule:project_admin_api"
 # Show the detail of quota
 # GET /os-quota-sets/{tenant_id}/detail
-# Intended scope(s): system, project
-#"os_compute_api:os-quota-sets:detail": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:os-quota-sets:detail": "(rule:project_reader_api) or role:admin"
 # Generate a URL to access remove server console.
 #
@@ -990,36 +971,36 @@
 # POST /servers/{server_id}/action (os-getSPICEConsole)
 # POST /servers/{server_id}/action (os-getVNCConsole)
 # POST /servers/{server_id}/remote-consoles
-# Intended scope(s): system, project
-#"os_compute_api:os-remote-consoles": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-remote-consoles": "rule:project_member_api"
 # Rescue a server
 # POST /servers/{server_id}/action (rescue)
-# Intended scope(s): system, project
-#"os_compute_api:os-rescue": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-rescue": "rule:project_member_api"
 # Unrescue a server
 # POST /servers/{server_id}/action (unrescue)
-# Intended scope(s): system, project
-#"os_compute_api:os-unrescue": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-unrescue": "rule:project_member_api"
 # DEPRECATED
 # "os_compute_api:os-rescue":"rule:admin_or_owner" has been deprecated
 # since 21.0.0 in favor of "os_compute_api:os-
-# unrescue":"rule:system_admin_or_owner".
+# unrescue":"rule:project_member_api".
 # Rescue/Unrescue API policies are made granular with new policy for
 # unrescue and keeping old policy for rescue.
 #"os_compute_api:os-rescue": "rule:os_compute_api:os-unrescue"
 # List security groups. This API is deprecated.
 # GET /os-security-groups
-# Intended scope(s): system, project
-#"os_compute_api:os-security-groups:get": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:os-security-groups:get": "rule:project_reader_api"
 # DEPRECATED
 # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-security-
-# groups:get":"rule:system_or_project_reader".
+# groups:get":"rule:project_reader_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1027,13 +1008,13 @@
 # Show security group. This API is deprecated.
 # GET /os-security-groups/{security_group_id}
-# Intended scope(s): system, project
-#"os_compute_api:os-security-groups:show": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:os-security-groups:show": "rule:project_reader_api"
 # DEPRECATED
 # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-security-
-# groups:show":"rule:system_or_project_reader".
+# groups:show":"rule:project_reader_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1041,13 +1022,13 @@
 # Create security group. This API is deprecated.
 # POST /os-security-groups
-# Intended scope(s): system, project
-#"os_compute_api:os-security-groups:create": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-security-groups:create": "rule:project_member_api"
 # DEPRECATED
 # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-security-
-# groups:create":"rule:system_admin_or_owner".
+# groups:create":"rule:project_member_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1055,13 +1036,13 @@
 # Update security group. This API is deprecated.
 # PUT /os-security-groups/{security_group_id}
-# Intended scope(s): system, project
-#"os_compute_api:os-security-groups:update": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-security-groups:update": "rule:project_member_api"
 # DEPRECATED
 # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-security-
-# groups:update":"rule:system_admin_or_owner".
+# groups:update":"rule:project_member_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1069,13 +1050,13 @@
 # Delete security group. This API is deprecated.
 # DELETE /os-security-groups/{security_group_id}
-# Intended scope(s): system, project
-#"os_compute_api:os-security-groups:delete": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-security-groups:delete": "rule:project_member_api"
 # DEPRECATED
 # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-security-
-# groups:delete":"rule:system_admin_or_owner".
+# groups:delete":"rule:project_member_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1083,13 +1064,13 @@
 # Create security group Rule. This API is deprecated.
 # POST /os-security-group-rules
-# Intended scope(s): system, project
-#"os_compute_api:os-security-groups:rule:create": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-security-groups:rule:create": "rule:project_member_api"
 # DEPRECATED
 # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-security-
-# groups:rule:create":"rule:system_admin_or_owner".
+# groups:rule:create":"rule:project_member_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1097,13 +1078,13 @@
 # Delete security group Rule. This API is deprecated.
 # DELETE /os-security-group-rules/{security_group_id}
-# Intended scope(s): system, project
-#"os_compute_api:os-security-groups:rule:delete": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-security-groups:rule:delete": "rule:project_member_api"
 # DEPRECATED
 # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-security-
-# groups:rule:delete":"rule:system_admin_or_owner".
+# groups:rule:delete":"rule:project_member_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1111,13 +1092,13 @@
 # List security groups of server.
 # GET /servers/{server_id}/os-security-groups
-# Intended scope(s): system, project
-#"os_compute_api:os-security-groups:list": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:os-security-groups:list": "rule:project_reader_api"
 # DEPRECATED
 # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-security-
-# groups:list":"rule:system_or_project_reader".
+# groups:list":"rule:project_reader_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1125,13 +1106,13 @@
 # Add security groups to server.
 # POST /servers/{server_id}/action (addSecurityGroup)
-# Intended scope(s): system, project
-#"os_compute_api:os-security-groups:add": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-security-groups:add": "rule:project_member_api"
 # DEPRECATED
 # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-security-
-# groups:add":"rule:system_admin_or_owner".
+# groups:add":"rule:project_member_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1139,13 +1120,13 @@
 # Remove security groups from server.
 # POST /servers/{server_id}/action (removeSecurityGroup)
-# Intended scope(s): system, project
-#"os_compute_api:os-security-groups:remove": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-security-groups:remove": "rule:project_member_api"
 # DEPRECATED
 # "os_compute_api:os-security-groups":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-security-
-# groups:remove":"rule:system_admin_or_owner".
+# groups:remove":"rule:project_member_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1153,13 +1134,13 @@
 # Show the usage data for a server
 # GET /servers/{server_id}/diagnostics
-# Intended scope(s): system, project
-#"os_compute_api:os-server-diagnostics": "rule:system_admin_api"
+# Intended scope(s): project
+#"os_compute_api:os-server-diagnostics": "rule:project_admin_api"
 # Create one or more external events
 # POST /os-server-external-events
-# Intended scope(s): system
-#"os_compute_api:os-server-external-events:create": "rule:system_admin_api"
+# Intended scope(s): project
+#"os_compute_api:os-server-external-events:create": "rule:context_is_admin"
 # Create a new server group
 # POST /os-server-groups
@@ -1168,63 +1149,63 @@
 # Delete a server group
 # DELETE /os-server-groups/{server_group_id}
-# Intended scope(s): system, project
-#"os_compute_api:os-server-groups:delete": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-server-groups:delete": "rule:project_member_api"
 # List all server groups
 # GET /os-server-groups
-# Intended scope(s): system, project
-#"os_compute_api:os-server-groups:index": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:os-server-groups:index": "rule:project_reader_api"
 # List all server groups for all projects
 # GET /os-server-groups
-# Intended scope(s): system
-#"os_compute_api:os-server-groups:index:all_projects": "rule:system_reader_api"
+# Intended scope(s): project
+#"os_compute_api:os-server-groups:index:all_projects": "rule:project_admin_api"
 # Show details of a server group
 # GET /os-server-groups/{server_group_id}
-# Intended scope(s): system, project
-#"os_compute_api:os-server-groups:show": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:os-server-groups:show": "rule:project_reader_api"
 # List all metadata of a server
 # GET /servers/{server_id}/metadata
-# Intended scope(s): system, project
-#"os_compute_api:server-metadata:index": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:server-metadata:index": "rule:project_reader_api"
 # Show metadata for a server
 # GET /servers/{server_id}/metadata/{key}
-# Intended scope(s): system, project
-#"os_compute_api:server-metadata:show": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:server-metadata:show": "rule:project_reader_api"
 # Create metadata for a server
 # POST /servers/{server_id}/metadata
-# Intended scope(s): system, project
-#"os_compute_api:server-metadata:create": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:server-metadata:create": "rule:project_member_api"
 # Replace metadata for a server
 # PUT /servers/{server_id}/metadata
-# Intended scope(s): system, project
-#"os_compute_api:server-metadata:update_all": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:server-metadata:update_all": "rule:project_member_api"
 # Update metadata from a server
 # PUT /servers/{server_id}/metadata/{key}
-# Intended scope(s): system, project
-#"os_compute_api:server-metadata:update": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:server-metadata:update": "rule:project_member_api"
 # Delete metadata from a server
 # DELETE /servers/{server_id}/metadata/{key}
-# Intended scope(s): system, project
-#"os_compute_api:server-metadata:delete": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:server-metadata:delete": "rule:project_member_api"
 # Show the encrypted administrative password of a server
 # GET /servers/{server_id}/os-server-password
-# Intended scope(s): system, project
-#"os_compute_api:os-server-password:show": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:os-server-password:show": "rule:project_reader_api"
 # DEPRECATED
 # "os_compute_api:os-server-password":"rule:admin_or_owner" has been
 # deprecated since 21.0.0 in favor of "os_compute_api:os-server-
-# password:show":"rule:system_or_project_reader".
+# password:show":"rule:project_reader_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1232,13 +1213,13 @@
 # Clear the encrypted administrative password of a server
 # DELETE /servers/{server_id}/os-server-password
-# Intended scope(s): system, project
-#"os_compute_api:os-server-password:clear": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-server-password:clear": "rule:project_member_api"
 # DEPRECATED
 # "os_compute_api:os-server-password":"rule:admin_or_owner" has been
 # deprecated since 21.0.0 in favor of "os_compute_api:os-server-
-# password:clear":"rule:system_admin_or_owner".
+# password:clear":"rule:project_member_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1246,75 +1227,95 @@
 # Delete all the server tags
 # DELETE /servers/{server_id}/tags
-# Intended scope(s): system, project
-#"os_compute_api:os-server-tags:delete_all": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-server-tags:delete_all": "rule:project_member_api"
 # List all tags for given server
 # GET /servers/{server_id}/tags
-# Intended scope(s): system, project
-#"os_compute_api:os-server-tags:index": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:os-server-tags:index": "rule:project_reader_api"
 # Replace all tags on specified server with the new set of tags.
 # PUT /servers/{server_id}/tags
-# Intended scope(s): system, project
-#"os_compute_api:os-server-tags:update_all": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-server-tags:update_all": "rule:project_member_api"
 # Delete a single tag from the specified server
 # DELETE /servers/{server_id}/tags/{tag}
-# Intended scope(s): system, project
-#"os_compute_api:os-server-tags:delete": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-server-tags:delete": "rule:project_member_api"
 # Add a single tag to the server if server has no specified tag
 # PUT /servers/{server_id}/tags/{tag}
-# Intended scope(s): system, project
-#"os_compute_api:os-server-tags:update": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-server-tags:update": "rule:project_member_api"
 # Check tag existence on the server.
 # GET /servers/{server_id}/tags/{tag}
-# Intended scope(s): system, project
-#"os_compute_api:os-server-tags:show": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:os-server-tags:show": "rule:project_reader_api"
 # Show the NUMA topology data for a server
 # GET /servers/{server_id}/topology
-# Intended scope(s): system, project
-#"compute:server:topology:index": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"compute:server:topology:index": "rule:project_reader_api"
 # Show the NUMA topology data for a server with host NUMA ID and CPU
 # pinning information
 # GET /servers/{server_id}/topology
-# Intended scope(s): system
-#"compute:server:topology:host:index": "rule:system_reader_api"
+# Intended scope(s): project
+#"compute:server:topology:host:index": "rule:project_admin_api"
 # List all servers
 # GET /servers
-# Intended scope(s): system, project
-#"os_compute_api:servers:index": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:servers:index": "rule:project_reader_api"
 # List all servers with detailed information
 # GET /servers/detail
-# Intended scope(s): system, project
-#"os_compute_api:servers:detail": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:servers:detail": "rule:project_reader_api"
 # List all servers for all projects
 # GET /servers
-# Intended scope(s): system
-#"os_compute_api:servers:index:get_all_tenants": "rule:system_reader_api"
+# Intended scope(s): project
+#"os_compute_api:servers:index:get_all_tenants": "rule:project_admin_api"
 # List all servers with detailed information for all projects
 # GET /servers/detail
-# Intended scope(s): system
-#"os_compute_api:servers:detail:get_all_tenants": "rule:system_reader_api"
+# Intended scope(s): project
+#"os_compute_api:servers:detail:get_all_tenants": "rule:project_admin_api"
 # Allow all filters when listing servers
 # GET /servers
 # GET /servers/detail
-# Intended scope(s): system
-#"os_compute_api:servers:allow_all_filters": "rule:system_reader_api"
+# Intended scope(s): project
+#"os_compute_api:servers:allow_all_filters": "rule:project_admin_api"
 # Show a server
 # GET /servers/{server_id}
-# Intended scope(s): system, project
-#"os_compute_api:servers:show": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:servers:show": "rule:project_reader_api"
+
+# Starting with microversion 2.47, the flavor and its extra specs used
+# for a server is also returned in the response when showing server
+# details, updating a server or rebuilding a server.
+# GET /servers/detail
+# GET /servers/{server_id}
+# PUT /servers/{server_id}
+# POST /servers/{server_id}/action (rebuild)
+# Intended scope(s): project
+#"os_compute_api:servers:show:flavor-extra-specs": "rule:project_reader_api"
+
+# DEPRECATED
+# "os_compute_api:os-flavor-extra-specs:index":"rule:admin_or_owner"
+# has been deprecated since 25.0.0 in favor of
+# "os_compute_api:servers:show:flavor-extra-
+# specs":"rule:project_reader_api".
+# Policies for showing flavor extra specs in server APIs response is
+# seprated as new policy. This policy is deprecated only for that but
+# not for list extra specs and showing it in flavor API response.
+#"os_compute_api:os-flavor-extra-specs:index": "rule:os_compute_api:servers:show:flavor-extra-specs"
 # Show a server with additional host status information.
 #
@@ -1331,8 +1332,8 @@
 # GET /servers/detail
 # PUT /servers/{server_id}
 # POST /servers/{server_id}/action (rebuild)
-# Intended scope(s): system, project
-#"os_compute_api:servers:show:host_status": "rule:system_admin_api"
+# Intended scope(s): project
+#"os_compute_api:servers:show:host_status": "rule:project_admin_api"
 # Show a server with additional host status information, only if host
 # status is UNKNOWN.
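Review bot: The added deprecation text for `os_compute_api:os-flavor-extra-specs:index` carries a spelling error, `# seprated as new policy.`, and the sentence it belongs to (`# Policies for showing flavor extra specs in server APIs response is`) does not read cleanly. This file has the layout of oslo.policy sample-generator output, so if it is regenerated from nova the wording should be corrected in the upstream policy definition rather than hand-edited here; otherwise `# separated out as a new policy.` is the one-line fix.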
@@ -1348,8 +1349,8 @@
 # GET /servers/detail
 # PUT /servers/{server_id}
 # POST /servers/{server_id}/action (rebuild)
-# Intended scope(s): system, project
-#"os_compute_api:servers:show:host_status:unknown-only": "rule:system_admin_api"
+# Intended scope(s): project
+#"os_compute_api:servers:show:host_status:unknown-only": "rule:project_admin_api"
 # Create a server
 # POST /servers
@@ -1362,7 +1363,7 @@
 # and/or node by bypassing the scheduler filters unlike the
 # ``compute:servers:create:requested_destination`` rule.
 # POST /servers
-# Intended scope(s): system, project
+# Intended scope(s): project
 #"os_compute_api:servers:create:forced_host": "rule:project_admin_api"
 # Create a server on the requested compute service host and/or
@@ -1372,7 +1373,7 @@
 # validated by the scheduler filters unlike the
 # ``os_compute_api:servers:create:forced_host`` rule.
 # POST /servers
-# Intended scope(s): system, project
+# Intended scope(s): project
 #"compute:servers:create:requested_destination": "rule:project_admin_api"
 # Create a server with the requested volume attached to it
@@ -1406,117 +1407,117 @@
 # local disk of the compute (or shared storage cluster). See bug
 # https://bugs.launchpad.net/nova/+bug/1739646 for details.
 # POST /servers
-# Intended scope(s): system, project
+# Intended scope(s): project
 #"os_compute_api:servers:create:zero_disk_flavor": "rule:project_admin_api"
 # Attach an unshared external network to a server
 # POST /servers
 # POST /servers/{server_id}/os-interface
-# Intended scope(s): system, project
+# Intended scope(s): project
 #"network:attach_external_network": "rule:project_admin_api"
 # Delete a server
 # DELETE /servers/{server_id}
-# Intended scope(s): system, project
-#"os_compute_api:servers:delete": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:servers:delete": "rule:project_member_api"
 # Update a server
 # PUT /servers/{server_id}
-# Intended scope(s): system, project
-#"os_compute_api:servers:update": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:servers:update": "rule:project_member_api"
 # Confirm a server resize
 # POST /servers/{server_id}/action (confirmResize)
-# Intended scope(s): system, project
-#"os_compute_api:servers:confirm_resize": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:servers:confirm_resize": "rule:project_member_api"
 # Revert a server resize
 # POST /servers/{server_id}/action (revertResize)
-# Intended scope(s): system, project
-#"os_compute_api:servers:revert_resize": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:servers:revert_resize": "rule:project_member_api"
 # Reboot a server
 # POST /servers/{server_id}/action (reboot)
-# Intended scope(s): system, project
-#"os_compute_api:servers:reboot": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:servers:reboot": "rule:project_member_api"
 # Resize a server
 # POST /servers/{server_id}/action (resize)
-# Intended scope(s): system, project
-#"os_compute_api:servers:resize": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:servers:resize": "rule:project_member_api"
 # Resize a server across cells. By default, this is disabled for all
 # users and recommended to be tested in a deployment for admin users
 # before opening it up to non-admin users. Resizing within a cell is
 # the default preferred behavior even if this is enabled.
 # POST /servers/{server_id}/action (resize)
-# Intended scope(s): system, project
+# Intended scope(s): project
 #"compute:servers:resize:cross_cell": "!"
 # Rebuild a server
 # POST /servers/{server_id}/action (rebuild)
-# Intended scope(s): system, project
-#"os_compute_api:servers:rebuild": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:servers:rebuild": "rule:project_member_api"
 # Rebuild a server with trusted image certificate IDs
 # POST /servers/{server_id}/action (rebuild)
-# Intended scope(s): system, project
-#"os_compute_api:servers:rebuild:trusted_certs": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:servers:rebuild:trusted_certs": "rule:project_member_api"
 # Create an image from a server
 # POST /servers/{server_id}/action (createImage)
-# Intended scope(s): system, project
-#"os_compute_api:servers:create_image": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:servers:create_image": "rule:project_member_api"
 # Create an image from a volume backed server
 # POST /servers/{server_id}/action (createImage)
-# Intended scope(s): system, project
-#"os_compute_api:servers:create_image:allow_volume_backed": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:servers:create_image:allow_volume_backed": "rule:project_member_api"
 # Start a server
 # POST /servers/{server_id}/action (os-start)
-# Intended scope(s): system, project
-#"os_compute_api:servers:start": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:servers:start": "rule:project_member_api"
 # Stop a server
 # POST /servers/{server_id}/action (os-stop)
-# Intended scope(s): system, project
-#"os_compute_api:servers:stop": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:servers:stop": "rule:project_member_api"
 # Trigger crash dump in a server
 # POST /servers/{server_id}/action (trigger_crash_dump)
-# Intended scope(s): system, project
-#"os_compute_api:servers:trigger_crash_dump": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:servers:trigger_crash_dump": "rule:project_member_api"
 # Show details for an in-progress live migration for a given server
 # GET /servers/{server_id}/migrations/{migration_id}
-# Intended scope(s): system, project
-#"os_compute_api:servers:migrations:show": "rule:system_reader_api"
+# Intended scope(s): project
+#"os_compute_api:servers:migrations:show": "rule:project_admin_api"
 # Force an in-progress live migration for a given server to complete
 # POST /servers/{server_id}/migrations/{migration_id}/action (force_complete)
-# Intended scope(s): system, project
-#"os_compute_api:servers:migrations:force_complete": "rule:system_admin_api"
+# Intended scope(s): project
+#"os_compute_api:servers:migrations:force_complete": "rule:project_admin_api"
 # Delete(Abort) an in-progress live migration
 # DELETE /servers/{server_id}/migrations/{migration_id}
-# Intended scope(s): system, project
-#"os_compute_api:servers:migrations:delete": "rule:system_admin_api"
+# Intended scope(s): project
+#"os_compute_api:servers:migrations:delete": "rule:project_admin_api"
 # Lists in-progress live migrations for a given server
 # GET /servers/{server_id}/migrations
-# Intended scope(s): system, project
-#"os_compute_api:servers:migrations:index": "rule:system_reader_api"
+# Intended scope(s): project
+#"os_compute_api:servers:migrations:index": "rule:project_admin_api"
 # List all running Compute services in a region.
 # GET /os-services
 # Intended scope(s): system
-#"os_compute_api:os-services:list": "rule:system_reader_api"
+#"os_compute_api:os-services:list": "rule:context_is_admin"
 # DEPRECATED
 # "os_compute_api:os-services":"rule:admin_api" has been deprecated
 # since 21.0.0 in favor of "os_compute_api:os-
-# services:list":"rule:system_reader_api".
+# services:list":"rule:context_is_admin".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1525,12 +1526,12 @@
 # Update a Compute service.
 # PUT /os-services/{service_id}
 # Intended scope(s): system
-#"os_compute_api:os-services:update": "rule:system_admin_api"
+#"os_compute_api:os-services:update": "rule:context_is_admin"
 # DEPRECATED
 # "os_compute_api:os-services":"rule:admin_api" has been deprecated
 # since 21.0.0 in favor of "os_compute_api:os-
-# services:update":"rule:system_admin_api".
+# services:update":"rule:context_is_admin".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1539,12 +1540,12 @@
 # Delete a Compute service.
 # DELETE /os-services/{service_id}
 # Intended scope(s): system
-#"os_compute_api:os-services:delete": "rule:system_admin_api"
+#"os_compute_api:os-services:delete": "rule:context_is_admin"
 # DEPRECATED
 # "os_compute_api:os-services":"rule:admin_api" has been deprecated
 # since 21.0.0 in favor of "os_compute_api:os-
-# services:delete":"rule:system_admin_api".
+# services:delete":"rule:context_is_admin".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1552,50 +1553,50 @@
 # Shelve server
 # POST /servers/{server_id}/action (shelve)
-# Intended scope(s): system, project
-#"os_compute_api:os-shelve:shelve": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-shelve:shelve": "rule:project_member_api"
 # Unshelve (restore) shelved server
 # POST /servers/{server_id}/action (unshelve)
-# Intended scope(s): system, project
-#"os_compute_api:os-shelve:unshelve": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-shelve:unshelve": "rule:project_member_api"
 # Shelf-offload (remove) server
 # POST /servers/{server_id}/action (shelveOffload)
-# Intended scope(s): system, project
-#"os_compute_api:os-shelve:shelve_offload": "rule:system_admin_api"
+# Intended scope(s): project
+#"os_compute_api:os-shelve:shelve_offload": "rule:project_admin_api"
 # Show usage statistics for a specific tenant
 # GET /os-simple-tenant-usage/{tenant_id}
-# Intended scope(s): system, project
-#"os_compute_api:os-simple-tenant-usage:show": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:os-simple-tenant-usage:show": "rule:project_reader_api"
 # List per tenant usage statistics for all tenants
 # GET /os-simple-tenant-usage
-# Intended scope(s): system
-#"os_compute_api:os-simple-tenant-usage:list": "rule:system_reader_api"
+# Intended scope(s): project
+#"os_compute_api:os-simple-tenant-usage:list": "rule:project_admin_api"
 # Resume suspended server
 # POST /servers/{server_id}/action (resume)
-# Intended scope(s): system, project
-#"os_compute_api:os-suspend-server:resume": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-suspend-server:resume": "rule:project_member_api"
 # Suspend server
 # POST /servers/{server_id}/action (suspend)
-# Intended scope(s): system, project
-#"os_compute_api:os-suspend-server:suspend": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-suspend-server:suspend": "rule:project_member_api"
 # List project networks.
 #
 # This API is proxy calls to the Network service. This is deprecated.
 # GET /os-tenant-networks
-# Intended scope(s): system, project
-#"os_compute_api:os-tenant-networks:list": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:os-tenant-networks:list": "rule:project_reader_api"
 # DEPRECATED
 # "os_compute_api:os-tenant-networks":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-tenant-
-# networks:list":"rule:system_or_project_reader".
+# networks:list":"rule:project_reader_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1605,13 +1606,13 @@
 #
 # This API is proxy calls to the Network service. This is deprecated.
 # GET /os-tenant-networks/{network_id}
-# Intended scope(s): system, project
-#"os_compute_api:os-tenant-networks:show": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:os-tenant-networks:show": "rule:project_reader_api"
 # DEPRECATED
 # "os_compute_api:os-tenant-networks":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-tenant-
-# networks:show":"rule:system_or_project_reader".
+# networks:show":"rule:project_reader_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1621,13 +1622,13 @@
 #
 # This API is a proxy call to the Volume service. It is deprecated.
 # GET /os-volumes
-# Intended scope(s): system, project
-#"os_compute_api:os-volumes:list": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:os-volumes:list": "rule:project_reader_api"
 # DEPRECATED
 # "os_compute_api:os-volumes":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-
-# volumes:list":"rule:system_or_project_reader".
+# volumes:list":"rule:project_reader_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1637,13 +1638,13 @@
 #
 # This API is a proxy call to the Volume service. It is deprecated.
 # POST /os-volumes
-# Intended scope(s): system, project
-#"os_compute_api:os-volumes:create": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-volumes:create": "rule:project_member_api"
 # DEPRECATED
 # "os_compute_api:os-volumes":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-
-# volumes:create":"rule:system_admin_or_owner".
+# volumes:create":"rule:project_member_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1653,13 +1654,13 @@
 #
 # This API is a proxy call to the Volume service. It is deprecated.
 # GET /os-volumes/detail
-# Intended scope(s): system, project
-#"os_compute_api:os-volumes:detail": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:os-volumes:detail": "rule:project_reader_api"
 # DEPRECATED
 # "os_compute_api:os-volumes":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-
-# volumes:detail":"rule:system_or_project_reader".
+# volumes:detail":"rule:project_reader_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1669,13 +1670,13 @@
 #
 # This API is a proxy call to the Volume service. It is deprecated.
 # GET /os-volumes/{volume_id}
-# Intended scope(s): system, project
-#"os_compute_api:os-volumes:show": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:os-volumes:show": "rule:project_reader_api"
 # DEPRECATED
 # "os_compute_api:os-volumes":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-
-# volumes:show":"rule:system_or_project_reader".
+# volumes:show":"rule:project_reader_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1685,13 +1686,13 @@
 #
 # This API is a proxy call to the Volume service. It is deprecated.
 # DELETE /os-volumes/{volume_id}
-# Intended scope(s): system, project
-#"os_compute_api:os-volumes:delete": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-volumes:delete": "rule:project_member_api"
 # DEPRECATED
 # "os_compute_api:os-volumes":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-
-# volumes:delete":"rule:system_admin_or_owner".
+# volumes:delete":"rule:project_member_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1701,13 +1702,13 @@
 #
 # This API is a proxy call to the Volume service. It is deprecated.
 # GET /os-snapshots
-# Intended scope(s): system, project
-#"os_compute_api:os-volumes:snapshots:list": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:os-volumes:snapshots:list": "rule:project_reader_api"
 # DEPRECATED
 # "os_compute_api:os-volumes":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-
-# volumes:snapshots:list":"rule:system_or_project_reader".
+# volumes:snapshots:list":"rule:project_reader_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1717,13 +1718,13 @@
 #
 # This API is a proxy call to the Volume service. It is deprecated.
 # POST /os-snapshots
-# Intended scope(s): system, project
-#"os_compute_api:os-volumes:snapshots:create": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-volumes:snapshots:create": "rule:project_member_api"
 # DEPRECATED
 # "os_compute_api:os-volumes":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-
-# volumes:snapshots:create":"rule:system_admin_or_owner".
+# volumes:snapshots:create":"rule:project_member_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1733,13 +1734,13 @@
 #
 # This API is a proxy call to the Volume service. It is deprecated.
 # GET /os-snapshots/detail
-# Intended scope(s): system, project
-#"os_compute_api:os-volumes:snapshots:detail": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:os-volumes:snapshots:detail": "rule:project_reader_api"
 # DEPRECATED
 # "os_compute_api:os-volumes":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-
-# volumes:snapshots:detail":"rule:system_or_project_reader".
+# volumes:snapshots:detail":"rule:project_reader_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1749,13 +1750,13 @@
 #
 # This API is a proxy call to the Volume service. It is deprecated.
 # GET /os-snapshots/{snapshot_id}
-# Intended scope(s): system, project
-#"os_compute_api:os-volumes:snapshots:show": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:os-volumes:snapshots:show": "rule:project_reader_api"
 # DEPRECATED
 # "os_compute_api:os-volumes":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-
-# volumes:snapshots:show":"rule:system_or_project_reader".
+# volumes:snapshots:show":"rule:project_reader_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1765,13 +1766,13 @@
 #
 # This API is a proxy call to the Volume service. It is deprecated.
 # DELETE /os-snapshots/{snapshot_id}
-# Intended scope(s): system, project
-#"os_compute_api:os-volumes:snapshots:delete": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-volumes:snapshots:delete": "rule:project_member_api"
 # DEPRECATED
 # "os_compute_api:os-volumes":"rule:admin_or_owner" has been
 # deprecated since 22.0.0 in favor of "os_compute_api:os-
-# volumes:snapshots:delete":"rule:system_admin_or_owner".
+# volumes:snapshots:delete":"rule:project_member_api".
 # Nova API policies are introducing new default roles with scope_type
 # capabilities. Old policies are deprecated and silently going to be
 # ignored in nova 23.0.0 release.
@@ -1779,34 +1780,34 @@
 # List volume attachments for an instance
 # GET /servers/{server_id}/os-volume_attachments
-# Intended scope(s): system, project
-#"os_compute_api:os-volumes-attachments:index": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:os-volumes-attachments:index": "rule:project_reader_api"
 # Attach a volume to an instance
 # POST /servers/{server_id}/os-volume_attachments
-# Intended scope(s): system, project
-#"os_compute_api:os-volumes-attachments:create": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-volumes-attachments:create": "rule:project_member_api"
 # Show details of a volume attachment
 # GET /servers/{server_id}/os-volume_attachments/{volume_id}
-# Intended scope(s): system, project
-#"os_compute_api:os-volumes-attachments:show": "rule:system_or_project_reader"
+# Intended scope(s): project
+#"os_compute_api:os-volumes-attachments:show": "rule:project_reader_api"
 # Update a volume attachment. New 'update' policy about 'swap +
 # update' request (which is possible only >2.85) only is
 # checked. We expect to be always superset of this
 # policy permission.
 # PUT /servers/{server_id}/os-volume_attachments/{volume_id}
-# Intended scope(s): system, project
-#"os_compute_api:os-volumes-attachments:update": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-volumes-attachments:update": "rule:project_member_api"
 # Update a volume attachment with a different volumeId
 # PUT /servers/{server_id}/os-volume_attachments/{volume_id}
-# Intended scope(s): system
-#"os_compute_api:os-volumes-attachments:swap": "rule:system_admin_api"
+# Intended scope(s): project
+#"os_compute_api:os-volumes-attachments:swap": "rule:context_is_admin"
 # Detach a volume from an instance
 # DELETE /servers/{server_id}/os-volume_attachments/{volume_id}
-# Intended scope(s): system, project
-#"os_compute_api:os-volumes-attachments:delete": "rule:system_admin_or_owner"
+# Intended scope(s): project
+#"os_compute_api:os-volumes-attachments:delete": "rule:project_member_api"
diff --git a/requirements.txt b/requirements.txt
index 151359316d..f1f2459937 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -20,14 +20,14 @@ futurist>=1.2.0 # Apache-2.0
 iso8601>=0.1.11 # MIT
 keystoneauth1>=4.3.1 # Apache-2.0
 netaddr>=0.7.18 # BSD
-oslo.concurrency>=3.26.0 # Apache-2.0
-oslo.config>=5.2.0 # Apache-2.0
-oslo.i18n>=5.0.1 # Apache-2.0
-oslo.policy>=3.2.0 # Apache-2.0
-oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
-oslo.upgradecheck>=0.1.1 # Apache-2.0
-oslo.utils>=4.8.0 # Apache-2.0
-osprofiler>=2.3.0 # Apache-2.0
+oslo.concurrency>=4.5.0 # Apache-2.0
+oslo.config>=8.8.0 # Apache-2.0
+oslo.i18n>=5.1.0 # Apache-2.0
+oslo.policy>=3.11.0 # Apache-2.0
+oslo.serialization>=4.3.0 # Apache-2.0
+oslo.upgradecheck>=1.5.0 # Apache-2.0
+oslo.utils>=4.12.0 # Apache-2.0
+osprofiler>=3.4.2 # Apache-2.0
 pymongo!=3.1,>=3.0.2 # Apache-2.0
 pyScss>=1.3.7 # MIT License
 python-cinderclient>=8.0.0 # Apache-2.0
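Review bot: `os_compute_api:os-volumes-attachments:swap` is the one policy in this hunk whose new target is `rule:context_is_admin` rather than one of the `project_*_api` rules, while its "Intended scope(s)" line is changed to `project` like the rest. Its definition is outside this hunk, but if `context_is_admin` is still a bare `role:admin` check it carries no `project_id` term, so an admin-role token from any project satisfies it and it is looser than `project_admin_api`; that may well be the nova default being tracked, but it is easy to mistake for an oversight. A comment above the entry, `# NOTE: swap intentionally uses context_is_admin (admin role, any project), not project_admin_api`, would keep a later regeneration or hand edit from "normalizing" it, or the rationale could go in the release note if this file is always regenerated. The hunk starts at the volume-attachments index policy on the previous line; this point concerns the swap entry only.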
@@ -37,7 +37,7 @@ python-neutronclient>=6.7.0 # Apache-2.0
 python-novaclient>=9.1.0 # Apache-2.0
 python-swiftclient>=3.2.0 # Apache-2.0
 pytz>=2013.6 # MIT
-PyYAML>=3.12 # MIT
+PyYAML>=6.0 # MIT
 requests>=2.25.1 # Apache-2.0
 six>=1.16.0 # MIT
 semantic-version>=2.3.1 # BSD