962 lines
29 KiB
YAML
962 lines
29 KiB
YAML
# Rule for cloud admin access
|
|
#"context_is_admin": "role:admin"
|
|
|
|
# Rule for resource owner access
|
|
#"owner": "tenant_id:%(tenant_id)s"
|
|
|
|
# Rule for admin or owner access
|
|
#"admin_or_owner": "rule:context_is_admin or rule:owner"
|
|
|
|
# Rule for advsvc role access
|
|
#"context_is_advsvc": "role:advsvc"
|
|
|
|
# Rule for admin or network owner access
|
|
#"admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s"
|
|
|
|
# Rule for resource owner, admin or network owner access
|
|
#"admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner"
|
|
|
|
# Rule for admin-only access
|
|
#"admin_only": "rule:context_is_admin"
|
|
|
|
# Rule for regular user access
|
|
#"regular_user": ""
|
|
|
|
# Rule of shared network
|
|
#"shared": "field:networks:shared=True"
|
|
|
|
# Default access rule
|
|
#"default": "rule:admin_or_owner"
|
|
|
|
# Rule for common parent owner check
|
|
#"admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s"
|
|
|
|
# Definition of a shared address scope
|
|
#"shared_address_scopes": "field:address_scopes:shared=True"
|
|
|
|
# Create an address scope
|
|
# POST /address-scopes
|
|
#"create_address_scope": "rule:regular_user"
|
|
|
|
# Create a shared address scope
|
|
# POST /address-scopes
|
|
#"create_address_scope:shared": "rule:admin_only"
|
|
|
|
# Get an address scope
|
|
# GET /address-scopes
|
|
# GET /address-scopes/{id}
|
|
#"get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes"
|
|
|
|
# Update an address scope
|
|
# PUT /address-scopes/{id}
|
|
#"update_address_scope": "rule:admin_or_owner"
|
|
|
|
# Update ``shared`` attribute of an address scope
|
|
# PUT /address-scopes/{id}
|
|
#"update_address_scope:shared": "rule:admin_only"
|
|
|
|
# Delete an address scope
|
|
# DELETE /address-scopes/{id}
|
|
#"delete_address_scope": "rule:admin_or_owner"
|
|
|
|
# Get an agent
|
|
# GET /agents
|
|
# GET /agents/{id}
|
|
#"get_agent": "rule:admin_only"
|
|
|
|
# Update an agent
|
|
# PUT /agents/{id}
|
|
#"update_agent": "rule:admin_only"
|
|
|
|
# Delete an agent
|
|
# DELETE /agents/{id}
|
|
#"delete_agent": "rule:admin_only"
|
|
|
|
# Add a network to a DHCP agent
|
|
# POST /agents/{agent_id}/dhcp-networks
|
|
#"create_dhcp-network": "rule:admin_only"
|
|
|
|
# List networks on a DHCP agent
|
|
# GET /agents/{agent_id}/dhcp-networks
|
|
#"get_dhcp-networks": "rule:admin_only"
|
|
|
|
# Remove a network from a DHCP agent
|
|
# DELETE /agents/{agent_id}/dhcp-networks/{network_id}
|
|
#"delete_dhcp-network": "rule:admin_only"
|
|
|
|
# Add a router to an L3 agent
|
|
# POST /agents/{agent_id}/l3-routers
|
|
#"create_l3-router": "rule:admin_only"
|
|
|
|
# List routers on an L3 agent
|
|
# GET /agents/{agent_id}/l3-routers
|
|
#"get_l3-routers": "rule:admin_only"
|
|
|
|
# Remove a router from an L3 agent
|
|
# DELETE /agents/{agent_id}/l3-routers/{router_id}
|
|
#"delete_l3-router": "rule:admin_only"
|
|
|
|
# List DHCP agents hosting a network
|
|
# GET /networks/{network_id}/dhcp-agents
|
|
#"get_dhcp-agents": "rule:admin_only"
|
|
|
|
# List L3 agents hosting a router
|
|
# GET /routers/{router_id}/l3-agents
|
|
#"get_l3-agents": "rule:admin_only"
|
|
|
|
# Get a project's auto-allocated topology
|
|
# GET /auto-allocated-topology/{project_id}
|
|
#"get_auto_allocated_topology": "rule:admin_or_owner"
|
|
|
|
# Delete a project's auto-allocated topology
|
|
# DELETE /auto-allocated-topology/{project_id}
|
|
#"delete_auto_allocated_topology": "rule:admin_or_owner"
|
|
|
|
# List availability zones
|
|
# GET /availability_zones
|
|
#"get_availability_zone": "rule:regular_user"
|
|
|
|
# Create a flavor
|
|
# POST /flavors
|
|
#"create_flavor": "rule:admin_only"
|
|
|
|
# Get a flavor
|
|
# GET /flavors
|
|
# GET /flavors/{id}
|
|
#"get_flavor": "rule:regular_user"
|
|
|
|
# Update a flavor
|
|
# PUT /flavors/{id}
|
|
#"update_flavor": "rule:admin_only"
|
|
|
|
# Delete a flavor
|
|
# DELETE /flavors/{id}
|
|
#"delete_flavor": "rule:admin_only"
|
|
|
|
# Create a service profile
|
|
# POST /service_profiles
|
|
#"create_service_profile": "rule:admin_only"
|
|
|
|
# Get a service profile
|
|
# GET /service_profiles
|
|
# GET /service_profiles/{id}
|
|
#"get_service_profile": "rule:admin_only"
|
|
|
|
# Update a service profile
|
|
# PUT /service_profiles/{id}
|
|
#"update_service_profile": "rule:admin_only"
|
|
|
|
# Delete a service profile
|
|
# DELETE /service_profiles/{id}
|
|
#"delete_service_profile": "rule:admin_only"
|
|
|
|
# Get a flavor associated with a given service profiles. There is no
|
|
# corresponding GET operations in API currently. This rule is
|
|
# currently referred only in the DELETE of flavor_service_profile.
|
|
#"get_flavor_service_profile": "rule:regular_user"
|
|
|
|
# Associate a flavor with a service profile
|
|
# POST /flavors/{flavor_id}/service_profiles
|
|
#"create_flavor_service_profile": "rule:admin_only"
|
|
|
|
# Disassociate a flavor with a service profile
|
|
# DELETE /flavors/{flavor_id}/service_profiles/{profile_id}
|
|
#"delete_flavor_service_profile": "rule:admin_only"
|
|
|
|
# Create a floating IP
|
|
# POST /floatingips
|
|
#"create_floatingip": "rule:regular_user"
|
|
|
|
# Create a floating IP with a specific IP address
|
|
# POST /floatingips
|
|
#"create_floatingip:floating_ip_address": "rule:admin_only"
|
|
|
|
# Get a floating IP
|
|
# GET /floatingips
|
|
# GET /floatingips/{id}
|
|
#"get_floatingip": "rule:admin_or_owner"
|
|
|
|
# Update a floating IP
|
|
# PUT /floatingips/{id}
|
|
#"update_floatingip": "rule:admin_or_owner"
|
|
|
|
# Delete a floating IP
|
|
# DELETE /floatingips/{id}
|
|
#"delete_floatingip": "rule:admin_or_owner"
|
|
|
|
# Get floating IP pools
|
|
# GET /floatingip_pools
|
|
#"get_floatingip_pool": "rule:regular_user"
|
|
|
|
# Create a floating IP port forwarding
|
|
# POST /floatingips/{floatingip_id}/port_forwardings
|
|
#"create_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
|
|
|
|
# Get a floating IP port forwarding
|
|
# GET /floatingips/{floatingip_id}/port_forwardings
|
|
# GET /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
|
|
#"get_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
|
|
|
|
# Update a floating IP port forwarding
|
|
# PUT /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
|
|
#"update_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
|
|
|
|
# Delete a floating IP port forwarding
|
|
# DELETE /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
|
|
#"delete_floatingip_port_forwarding": "rule:admin_or_ext_parent_owner"
|
|
|
|
# Create a router conntrack helper
|
|
# POST /routers/{router_id}/conntrack_helpers
|
|
#"create_router_conntrack_helper": "rule:admin_or_ext_parent_owner"
|
|
|
|
# Get a router conntrack helper
|
|
# GET /routers/{router_id}/conntrack_helpers
|
|
# GET /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
|
|
#"get_router_conntrack_helper": "rule:admin_or_ext_parent_owner"
|
|
|
|
# Update a router conntrack helper
|
|
# PUT /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
|
|
#"update_router_conntrack_helper": "rule:admin_or_ext_parent_owner"
|
|
|
|
# Delete a router conntrack helper
|
|
# DELETE /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
|
|
#"delete_router_conntrack_helper": "rule:admin_or_ext_parent_owner"
|
|
|
|
# Get loggable resources
|
|
# GET /log/loggable-resources
|
|
#"get_loggable_resource": "rule:admin_only"
|
|
|
|
# Create a network log
|
|
# POST /log/logs
|
|
#"create_log": "rule:admin_only"
|
|
|
|
# Get a network log
|
|
# GET /log/logs
|
|
# GET /log/logs/{id}
|
|
#"get_log": "rule:admin_only"
|
|
|
|
# Update a network log
|
|
# PUT /log/logs/{id}
|
|
#"update_log": "rule:admin_only"
|
|
|
|
# Delete a network log
|
|
# DELETE /log/logs/{id}
|
|
#"delete_log": "rule:admin_only"
|
|
|
|
# Create a metering label
|
|
# POST /metering/metering-labels
|
|
#"create_metering_label": "rule:admin_only"
|
|
|
|
# Get a metering label
|
|
# GET /metering/metering-labels
|
|
# GET /metering/metering-labels/{id}
|
|
#"get_metering_label": "rule:admin_only"
|
|
|
|
# Delete a metering label
|
|
# DELETE /metering/metering-labels/{id}
|
|
#"delete_metering_label": "rule:admin_only"
|
|
|
|
# Create a metering label rule
|
|
# POST /metering/metering-label-rules
|
|
#"create_metering_label_rule": "rule:admin_only"
|
|
|
|
# Get a metering label rule
|
|
# GET /metering/metering-label-rules
|
|
# GET /metering/metering-label-rules/{id}
|
|
#"get_metering_label_rule": "rule:admin_only"
|
|
|
|
# Delete a metering label rule
|
|
# DELETE /metering/metering-label-rules/{id}
|
|
#"delete_metering_label_rule": "rule:admin_only"
|
|
|
|
# Definition of an external network
|
|
#"external": "field:networks:router:external=True"
|
|
|
|
# Create a network
|
|
# POST /networks
|
|
#"create_network": "rule:regular_user"
|
|
|
|
# Create a shared network
|
|
# POST /networks
|
|
#"create_network:shared": "rule:admin_only"
|
|
|
|
# Create an external network
|
|
# POST /networks
|
|
#"create_network:router:external": "rule:admin_only"
|
|
|
|
# Specify ``is_default`` attribute when creating a network
|
|
# POST /networks
|
|
#"create_network:is_default": "rule:admin_only"
|
|
|
|
# Specify ``port_security_enabled`` attribute when creating a network
|
|
# POST /networks
|
|
#"create_network:port_security_enabled": "rule:regular_user"
|
|
|
|
# Specify ``segments`` attribute when creating a network
|
|
# POST /networks
|
|
#"create_network:segments": "rule:admin_only"
|
|
|
|
# Specify ``provider:network_type`` when creating a network
|
|
# POST /networks
|
|
#"create_network:provider:network_type": "rule:admin_only"
|
|
|
|
# Specify ``provider:physical_network`` when creating a network
|
|
# POST /networks
|
|
#"create_network:provider:physical_network": "rule:admin_only"
|
|
|
|
# Specify ``provider:segmentation_id`` when creating a network
|
|
# POST /networks
|
|
#"create_network:provider:segmentation_id": "rule:admin_only"
|
|
|
|
# Get a network
|
|
# GET /networks
|
|
# GET /networks/{id}
|
|
#"get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc"
|
|
|
|
# Get ``router:external`` attribute of a network
|
|
# GET /networks
|
|
# GET /networks/{id}
|
|
#"get_network:router:external": "rule:regular_user"
|
|
|
|
# Get ``segments`` attribute of a network
|
|
# GET /networks
|
|
# GET /networks/{id}
|
|
#"get_network:segments": "rule:admin_only"
|
|
|
|
# Get ``provider:network_type`` attribute of a network
|
|
# GET /networks
|
|
# GET /networks/{id}
|
|
#"get_network:provider:network_type": "rule:admin_only"
|
|
|
|
# Get ``provider:physical_network`` attribute of a network
|
|
# GET /networks
|
|
# GET /networks/{id}
|
|
#"get_network:provider:physical_network": "rule:admin_only"
|
|
|
|
# Get ``provider:segmentation_id`` attribute of a network
|
|
# GET /networks
|
|
# GET /networks/{id}
|
|
#"get_network:provider:segmentation_id": "rule:admin_only"
|
|
|
|
# Update a network
|
|
# PUT /networks/{id}
|
|
#"update_network": "rule:admin_or_owner"
|
|
|
|
# Update ``segments`` attribute of a network
|
|
# PUT /networks/{id}
|
|
#"update_network:segments": "rule:admin_only"
|
|
|
|
# Update ``shared`` attribute of a network
|
|
# PUT /networks/{id}
|
|
#"update_network:shared": "rule:admin_only"
|
|
|
|
# Update ``provider:network_type`` attribute of a network
|
|
# PUT /networks/{id}
|
|
#"update_network:provider:network_type": "rule:admin_only"
|
|
|
|
# Update ``provider:physical_network`` attribute of a network
|
|
# PUT /networks/{id}
|
|
#"update_network:provider:physical_network": "rule:admin_only"
|
|
|
|
# Update ``provider:segmentation_id`` attribute of a network
|
|
# PUT /networks/{id}
|
|
#"update_network:provider:segmentation_id": "rule:admin_only"
|
|
|
|
# Update ``router:external`` attribute of a network
|
|
# PUT /networks/{id}
|
|
#"update_network:router:external": "rule:admin_only"
|
|
|
|
# Update ``is_default`` attribute of a network
|
|
# PUT /networks/{id}
|
|
#"update_network:is_default": "rule:admin_only"
|
|
|
|
# Update ``port_security_enabled`` attribute of a network
|
|
# PUT /networks/{id}
|
|
#"update_network:port_security_enabled": "rule:admin_or_owner"
|
|
|
|
# Delete a network
|
|
# DELETE /networks/{id}
|
|
#"delete_network": "rule:admin_or_owner"
|
|
|
|
# Get network IP availability
|
|
# GET /network-ip-availabilities
|
|
# GET /network-ip-availabilities/{network_id}
|
|
#"get_network_ip_availability": "rule:admin_only"
|
|
|
|
# Create a network segment range
|
|
# POST /network_segment_ranges
|
|
#"create_network_segment_range": "rule:admin_only"
|
|
|
|
# Get a network segment range
|
|
# GET /network_segment_ranges
|
|
# GET /network_segment_ranges/{id}
|
|
#"get_network_segment_range": "rule:admin_only"
|
|
|
|
# Update a network segment range
|
|
# PUT /network_segment_ranges/{id}
|
|
#"update_network_segment_range": "rule:admin_only"
|
|
|
|
# Delete a network segment range
|
|
# DELETE /network_segment_ranges/{id}
|
|
#"delete_network_segment_range": "rule:admin_only"
|
|
|
|
# Definition of port with network device_owner
|
|
#"network_device": "field:port:device_owner=~^network:"
|
|
|
|
# Rule for data plane integration
|
|
#"admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator"
|
|
|
|
# Create a port
|
|
# POST /ports
|
|
#"create_port": "rule:regular_user"
|
|
|
|
# Specify ``device_owner`` attribute when creting a port
|
|
# POST /ports
|
|
#"create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner"
|
|
|
|
# Specify ``mac_address`` attribute when creating a port
|
|
# POST /ports
|
|
#"create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
|
|
|
|
# Specify ``fixed_ips`` information when creating a port
|
|
# POST /ports
|
|
#"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
|
|
|
|
# Specify IP address in ``fixed_ips`` when creating a port
|
|
# POST /ports
|
|
#"create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
|
|
|
|
# Specify subnet ID in ``fixed_ips`` when creating a port
|
|
# POST /ports
|
|
#"create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
|
|
|
|
# Specify ``port_security_enabled`` attribute when creating a port
|
|
# POST /ports
|
|
#"create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
|
|
|
|
# Specify ``binding:host_id`` attribute when creating a port
|
|
# POST /ports
|
|
#"create_port:binding:host_id": "rule:admin_only"
|
|
|
|
# Specify ``binding:profile`` attribute when creating a port
|
|
# POST /ports
|
|
#"create_port:binding:profile": "rule:admin_only"
|
|
|
|
# Specify ``binding:vnic_type`` attribute when creating a port
|
|
# POST /ports
|
|
#"create_port:binding:vnic_type": "rule:regular_user"
|
|
|
|
# Specify ``allowed_address_pairs`` attribute when creating a port
|
|
# POST /ports
|
|
#"create_port:allowed_address_pairs": "rule:admin_or_network_owner"
|
|
|
|
# Specify ``mac_address` of `allowed_address_pairs`` attribute when
|
|
# creating a port
|
|
# POST /ports
|
|
#"create_port:allowed_address_pairs:mac_address": "rule:admin_or_network_owner"
|
|
|
|
# Specify ``ip_address`` of ``allowed_address_pairs`` attribute when
|
|
# creating a port
|
|
# POST /ports
|
|
#"create_port:allowed_address_pairs:ip_address": "rule:admin_or_network_owner"
|
|
|
|
# Get a port
|
|
# GET /ports
|
|
# GET /ports/{id}
|
|
#"get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner"
|
|
|
|
# Get ``binding:vif_type`` attribute of a port
|
|
# GET /ports
|
|
# GET /ports/{id}
|
|
#"get_port:binding:vif_type": "rule:admin_only"
|
|
|
|
# Get ``binding:vif_details`` attribute of a port
|
|
# GET /ports
|
|
# GET /ports/{id}
|
|
#"get_port:binding:vif_details": "rule:admin_only"
|
|
|
|
# Get ``binding:host_id`` attribute of a port
|
|
# GET /ports
|
|
# GET /ports/{id}
|
|
#"get_port:binding:host_id": "rule:admin_only"
|
|
|
|
# Get ``binding:profile`` attribute of a port
|
|
# GET /ports
|
|
# GET /ports/{id}
|
|
#"get_port:binding:profile": "rule:admin_only"
|
|
|
|
# Get ``resource_request`` attribute of a port
|
|
# GET /ports
|
|
# GET /ports/{id}
|
|
#"get_port:resource_request": "rule:admin_only"
|
|
|
|
# Update a port
|
|
# PUT /ports/{id}
|
|
#"update_port": "rule:admin_or_owner or rule:context_is_advsvc"
|
|
|
|
# Update ``device_owner`` attribute of a port
|
|
# PUT /ports/{id}
|
|
#"update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner"
|
|
|
|
# Update ``mac_address`` attribute of a port
|
|
# PUT /ports/{id}
|
|
#"update_port:mac_address": "rule:admin_only or rule:context_is_advsvc"
|
|
|
|
# Specify ``fixed_ips`` information when updating a port
|
|
# PUT /ports/{id}
|
|
#"update_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner"
|
|
|
|
# Specify IP address in ``fixed_ips`` information when updating a port
|
|
# PUT /ports/{id}
|
|
#"update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner"
|
|
|
|
# Specify subnet ID in ``fixed_ips`` information when updating a port
|
|
# PUT /ports/{id}
|
|
#"update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"
|
|
|
|
# Update ``port_security_enabled`` attribute of a port
|
|
# PUT /ports/{id}
|
|
#"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner"
|
|
|
|
# Update ``binding:host_id`` attribute of a port
|
|
# PUT /ports/{id}
|
|
#"update_port:binding:host_id": "rule:admin_only"
|
|
|
|
# Update ``binding:profile`` attribute of a port
|
|
# PUT /ports/{id}
|
|
#"update_port:binding:profile": "rule:admin_only"
|
|
|
|
# Update ``binding:vnic_type`` attribute of a port
|
|
# PUT /ports/{id}
|
|
#"update_port:binding:vnic_type": "rule:admin_or_owner or rule:context_is_advsvc"
|
|
|
|
# Update ``allowed_address_pairs`` attribute of a port
|
|
# PUT /ports/{id}
|
|
#"update_port:allowed_address_pairs": "rule:admin_or_network_owner"
|
|
|
|
# Update ``mac_address`` of ``allowed_address_pairs`` attribute of a
|
|
# port
|
|
# PUT /ports/{id}
|
|
#"update_port:allowed_address_pairs:mac_address": "rule:admin_or_network_owner"
|
|
|
|
# Update ``ip_address`` of ``allowed_address_pairs`` attribute of a
|
|
# port
|
|
# PUT /ports/{id}
|
|
#"update_port:allowed_address_pairs:ip_address": "rule:admin_or_network_owner"
|
|
|
|
# Update ``data_plane_status`` attribute of a port
|
|
# PUT /ports/{id}
|
|
#"update_port:data_plane_status": "rule:admin_or_data_plane_int"
|
|
|
|
# Delete a port
|
|
# DELETE /ports/{id}
|
|
#"delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner"
|
|
|
|
# Get QoS policies
|
|
# GET /qos/policies
|
|
# GET /qos/policies/{id}
|
|
#"get_policy": "rule:regular_user"
|
|
|
|
# Create a QoS policy
|
|
# POST /qos/policies
|
|
#"create_policy": "rule:admin_only"
|
|
|
|
# Update a QoS policy
|
|
# PUT /qos/policies/{id}
|
|
#"update_policy": "rule:admin_only"
|
|
|
|
# Delete a QoS policy
|
|
# DELETE /qos/policies/{id}
|
|
#"delete_policy": "rule:admin_only"
|
|
|
|
# Get available QoS rule types
|
|
# GET /qos/rule-types
|
|
# GET /qos/rule-types/{rule_type}
|
|
#"get_rule_type": "rule:regular_user"
|
|
|
|
# Get a QoS bandwidth limit rule
|
|
# GET /qos/policies/{policy_id}/bandwidth_limit_rules
|
|
# GET /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
|
|
#"get_policy_bandwidth_limit_rule": "rule:regular_user"
|
|
|
|
# Create a QoS bandwidth limit rule
|
|
# POST /qos/policies/{policy_id}/bandwidth_limit_rules
|
|
#"create_policy_bandwidth_limit_rule": "rule:admin_only"
|
|
|
|
# Update a QoS bandwidth limit rule
|
|
# PUT /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
|
|
#"update_policy_bandwidth_limit_rule": "rule:admin_only"
|
|
|
|
# Delete a QoS bandwidth limit rule
|
|
# DELETE /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
|
|
#"delete_policy_bandwidth_limit_rule": "rule:admin_only"
|
|
|
|
# Get a QoS DSCP marking rule
|
|
# GET /qos/policies/{policy_id}/dscp_marking_rules
|
|
# GET /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
|
|
#"get_policy_dscp_marking_rule": "rule:regular_user"
|
|
|
|
# Create a QoS DSCP marking rule
|
|
# POST /qos/policies/{policy_id}/dscp_marking_rules
|
|
#"create_policy_dscp_marking_rule": "rule:admin_only"
|
|
|
|
# Update a QoS DSCP marking rule
|
|
# PUT /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
|
|
#"update_policy_dscp_marking_rule": "rule:admin_only"
|
|
|
|
# Delete a QoS DSCP marking rule
|
|
# DELETE /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
|
|
#"delete_policy_dscp_marking_rule": "rule:admin_only"
|
|
|
|
# Get a QoS minimum bandwidth rule
|
|
# GET /qos/policies/{policy_id}/minimum_bandwidth_rules
|
|
# GET /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
|
|
#"get_policy_minimum_bandwidth_rule": "rule:regular_user"
|
|
|
|
# Create a QoS minimum bandwidth rule
|
|
# POST /qos/policies/{policy_id}/minimum_bandwidth_rules
|
|
#"create_policy_minimum_bandwidth_rule": "rule:admin_only"
|
|
|
|
# Update a QoS minimum bandwidth rule
|
|
# PUT /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
|
|
#"update_policy_minimum_bandwidth_rule": "rule:admin_only"
|
|
|
|
# Delete a QoS minimum bandwidth rule
|
|
# DELETE /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
|
|
#"delete_policy_minimum_bandwidth_rule": "rule:admin_only"
|
|
|
|
# Get a QoS bandwidth limit rule through alias
|
|
# GET /qos/alias_bandwidth_limit_rules/{rule_id}/
|
|
#"get_alias_bandwidth_limit_rule": "rule:get_policy_bandwidth_limit_rule"
|
|
|
|
# Update a QoS bandwidth limit rule through alias
|
|
# PUT /qos/alias_bandwidth_limit_rules/{rule_id}/
|
|
#"update_alias_bandwidth_limit_rule": "rule:update_policy_bandwidth_limit_rule"
|
|
|
|
# Delete a QoS bandwidth limit rule through alias
|
|
# DELETE /qos/alias_bandwidth_limit_rules/{rule_id}/
|
|
#"delete_alias_bandwidth_limit_rule": "rule:delete_policy_bandwidth_limit_rule"
|
|
|
|
# Get a QoS DSCP marking rule through alias
|
|
# GET /qos/alias_dscp_marking_rules/{rule_id}/
|
|
#"get_alias_dscp_marking_rule": "rule:get_policy_dscp_marking_rule"
|
|
|
|
# Update a QoS DSCP marking rule through alias
|
|
# PUT /qos/alias_dscp_marking_rules/{rule_id}/
|
|
#"update_alias_dscp_marking_rule": "rule:update_policy_dscp_marking_rule"
|
|
|
|
# Delete a QoS DSCP marking rule through alias
|
|
# DELETE /qos/alias_dscp_marking_rules/{rule_id}/
|
|
#"delete_alias_dscp_marking_rule": "rule:delete_policy_dscp_marking_rule"
|
|
|
|
# Get a QoS minimum bandwidth rule through alias
|
|
# GET /qos/alias_minimum_bandwidth_rules/{rule_id}/
|
|
#"get_alias_minimum_bandwidth_rule": "rule:get_policy_minimum_bandwidth_rule"
|
|
|
|
# Update a QoS minimum bandwidth rule through alias
|
|
# PUT /qos/alias_minimum_bandwidth_rules/{rule_id}/
|
|
#"update_alias_minimum_bandwidth_rule": "rule:update_policy_minimum_bandwidth_rule"
|
|
|
|
# Delete a QoS minimum bandwidth rule through alias
|
|
# DELETE /qos/alias_minimum_bandwidth_rules/{rule_id}/
|
|
#"delete_alias_minimum_bandwidth_rule": "rule:delete_policy_minimum_bandwidth_rule"
|
|
|
|
# Get a resource quota
|
|
# GET /quota
|
|
# GET /quota/{id}
|
|
#"get_quota": "rule:admin_only"
|
|
|
|
# Update a resource quota
|
|
# PUT /quota/{id}
|
|
#"update_quota": "rule:admin_only"
|
|
|
|
# Delete a resource quota
|
|
# DELETE /quota/{id}
|
|
#"delete_quota": "rule:admin_only"
|
|
|
|
# Definition of a wildcard target_tenant
|
|
#"restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only"
|
|
|
|
# Create an RBAC policy
|
|
# POST /rbac-policies
|
|
#"create_rbac_policy": "rule:regular_user"
|
|
|
|
# Specify ``target_tenant`` when creating an RBAC policy
|
|
# POST /rbac-policies
|
|
#"create_rbac_policy:target_tenant": "rule:restrict_wildcard"
|
|
|
|
# Update an RBAC policy
|
|
# PUT /rbac-policies/{id}
|
|
#"update_rbac_policy": "rule:admin_or_owner"
|
|
|
|
# Update ``target_tenant`` attribute of an RBAC policy
|
|
# PUT /rbac-policies/{id}
|
|
#"update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner"
|
|
|
|
# Get an RBAC policy
|
|
# GET /rbac-policies
|
|
# GET /rbac-policies/{id}
|
|
#"get_rbac_policy": "rule:admin_or_owner"
|
|
|
|
# Delete an RBAC policy
|
|
# DELETE /rbac-policies/{id}
|
|
#"delete_rbac_policy": "rule:admin_or_owner"
|
|
|
|
# Create a router
|
|
# POST /routers
|
|
#"create_router": "rule:regular_user"
|
|
|
|
# Specify ``distributed`` attribute when creating a router
|
|
# POST /routers
|
|
#"create_router:distributed": "rule:admin_only"
|
|
|
|
# Specify ``ha`` attribute when creating a router
|
|
# POST /routers
|
|
#"create_router:ha": "rule:admin_only"
|
|
|
|
# Specify ``external_gateway_info`` information when creating a router
|
|
# POST /routers
|
|
#"create_router:external_gateway_info": "rule:admin_or_owner"
|
|
|
|
# Specify ``network_id`` in ``external_gateway_info`` information when
|
|
# creating a router
|
|
# POST /routers
|
|
#"create_router:external_gateway_info:network_id": "rule:admin_or_owner"
|
|
|
|
# Specify ``enable_snat`` in ``external_gateway_info`` information
|
|
# when creating a router
|
|
# POST /routers
|
|
#"create_router:external_gateway_info:enable_snat": "rule:admin_only"
|
|
|
|
# Specify ``external_fixed_ips`` in ``external_gateway_info``
|
|
# information when creating a router
|
|
# POST /routers
|
|
#"create_router:external_gateway_info:external_fixed_ips": "rule:admin_only"
|
|
|
|
# Get a router
|
|
# GET /routers
|
|
# GET /routers/{id}
|
|
#"get_router": "rule:admin_or_owner"
|
|
|
|
# Get ``distributed`` attribute of a router
|
|
# GET /routers
|
|
# GET /routers/{id}
|
|
#"get_router:distributed": "rule:admin_only"
|
|
|
|
# Get ``ha`` attribute of a router
|
|
# GET /routers
|
|
# GET /routers/{id}
|
|
#"get_router:ha": "rule:admin_only"
|
|
|
|
# Update a router
|
|
# PUT /routers/{id}
|
|
#"update_router": "rule:admin_or_owner"
|
|
|
|
# Update ``distributed`` attribute of a router
|
|
# PUT /routers/{id}
|
|
#"update_router:distributed": "rule:admin_only"
|
|
|
|
# Update ``ha`` attribute of a router
|
|
# PUT /routers/{id}
|
|
#"update_router:ha": "rule:admin_only"
|
|
|
|
# Update ``external_gateway_info`` information of a router
|
|
# PUT /routers/{id}
|
|
#"update_router:external_gateway_info": "rule:admin_or_owner"
|
|
|
|
# Update ``network_id`` attribute of ``external_gateway_info``
|
|
# information of a router
|
|
# PUT /routers/{id}
|
|
#"update_router:external_gateway_info:network_id": "rule:admin_or_owner"
|
|
|
|
# Update ``enable_snat`` attribute of ``external_gateway_info``
|
|
# information of a router
|
|
# PUT /routers/{id}
|
|
#"update_router:external_gateway_info:enable_snat": "rule:admin_only"
|
|
|
|
# Update ``external_fixed_ips`` attribute of ``external_gateway_info``
|
|
# information of a router
|
|
# PUT /routers/{id}
|
|
#"update_router:external_gateway_info:external_fixed_ips": "rule:admin_only"
|
|
|
|
# Delete a router
|
|
# DELETE /routers/{id}
|
|
#"delete_router": "rule:admin_or_owner"
|
|
|
|
# Add an interface to a router
|
|
# PUT /routers/{id}/add_router_interface
|
|
#"add_router_interface": "rule:admin_or_owner"
|
|
|
|
# Remove an interface from a router
|
|
# PUT /routers/{id}/remove_router_interface
|
|
#"remove_router_interface": "rule:admin_or_owner"
|
|
|
|
# Rule for admin or security group owner access
|
|
#"admin_or_sg_owner": "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s"
|
|
|
|
# Rule for resource owner, admin or security group owner access
|
|
#"admin_owner_or_sg_owner": "rule:owner or rule:admin_or_sg_owner"
|
|
|
|
# Create a security group
|
|
# POST /security-groups
|
|
#"create_security_group": "rule:admin_or_owner"
|
|
|
|
# Get a security group
|
|
# GET /security-groups
|
|
# GET /security-groups/{id}
|
|
#"get_security_group": "rule:regular_user"
|
|
|
|
# Update a security group
|
|
# PUT /security-groups/{id}
|
|
#"update_security_group": "rule:admin_or_owner"
|
|
|
|
# Delete a security group
|
|
# DELETE /security-groups/{id}
|
|
#"delete_security_group": "rule:admin_or_owner"
|
|
|
|
# Create a security group rule
|
|
# POST /security-group-rules
|
|
#"create_security_group_rule": "rule:admin_or_owner"
|
|
|
|
# Get a security group rule
|
|
# GET /security-group-rules
|
|
# GET /security-group-rules/{id}
|
|
#"get_security_group_rule": "rule:admin_owner_or_sg_owner"
|
|
|
|
# Delete a security group rule
|
|
# DELETE /security-group-rules/{id}
|
|
#"delete_security_group_rule": "rule:admin_or_owner"
|
|
|
|
# Create a segment
|
|
# POST /segments
|
|
#"create_segment": "rule:admin_only"
|
|
|
|
# Get a segment
|
|
# GET /segments
|
|
# GET /segments/{id}
|
|
#"get_segment": "rule:admin_only"
|
|
|
|
# Update a segment
|
|
# PUT /segments/{id}
|
|
#"update_segment": "rule:admin_only"
|
|
|
|
# Delete a segment
|
|
# DELETE /segments/{id}
|
|
#"delete_segment": "rule:admin_only"
|
|
|
|
# Get service providers
|
|
# GET /service-providers
|
|
#"get_service_provider": "rule:regular_user"
|
|
|
|
# Create a subnet
|
|
# POST /subnets
|
|
#"create_subnet": "rule:admin_or_network_owner"
|
|
|
|
# Specify ``segment_id`` attribute when creating a subnet
|
|
# POST /subnets
|
|
#"create_subnet:segment_id": "rule:admin_only"
|
|
|
|
# Specify ``service_types`` attribute when creating a subnet
|
|
# POST /subnets
|
|
#"create_subnet:service_types": "rule:admin_only"
|
|
|
|
# Get a subnet
|
|
# GET /subnets
|
|
# GET /subnets/{id}
|
|
#"get_subnet": "rule:admin_or_owner or rule:shared"
|
|
|
|
# Get ``segment_id`` attribute of a subnet
|
|
# GET /subnets
|
|
# GET /subnets/{id}
|
|
#"get_subnet:segment_id": "rule:admin_only"
|
|
|
|
# Update a subnet
|
|
# PUT /subnets/{id}
|
|
#"update_subnet": "rule:admin_or_network_owner"
|
|
|
|
# Update ``segment_id`` attribute of a subnet
|
|
# PUT /subnets/{id}
|
|
#"update_subnet:segment_id": "rule:admin_only"
|
|
|
|
# Update ``service_types`` attribute of a subnet
|
|
# PUT /subnets/{id}
|
|
#"update_subnet:service_types": "rule:admin_only"
|
|
|
|
# Delete a subnet
|
|
# DELETE /subnets/{id}
|
|
#"delete_subnet": "rule:admin_or_network_owner"
|
|
|
|
# Definition of a shared subnetpool
|
|
#"shared_subnetpools": "field:subnetpools:shared=True"
|
|
|
|
# Create a subnetpool
|
|
# POST /subnetpools
|
|
#"create_subnetpool": "rule:regular_user"
|
|
|
|
# Create a shared subnetpool
|
|
# POST /subnetpools
|
|
#"create_subnetpool:shared": "rule:admin_only"
|
|
|
|
# Specify ``is_default`` attribute when creating a subnetpool
|
|
# POST /subnetpools
|
|
#"create_subnetpool:is_default": "rule:admin_only"
|
|
|
|
# Get a subnetpool
|
|
# GET /subnetpools
|
|
# GET /subnetpools/{id}
|
|
#"get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools"
|
|
|
|
# Update a subnetpool
|
|
# PUT /subnetpools/{id}
|
|
#"update_subnetpool": "rule:admin_or_owner"
|
|
|
|
# Update ``is_default`` attribute of a subnetpool
|
|
# PUT /subnetpools/{id}
|
|
#"update_subnetpool:is_default": "rule:admin_only"
|
|
|
|
# Delete a subnetpool
|
|
# DELETE /subnetpools/{id}
|
|
#"delete_subnetpool": "rule:admin_or_owner"
|
|
|
|
# Onboard existing subnet into a subnetpool
|
|
# Put /subnetpools/{id}/onboard_network_subnets
|
|
#"onboard_network_subnets": "rule:admin_or_owner"
|
|
|
|
# Add prefixes to a subnetpool
|
|
# Put /subnetpools/{id}/add_prefixes
|
|
#"add_prefixes": "rule:admin_or_owner"
|
|
|
|
# Remove unallocated prefixes from a subnetpool
|
|
# Put /subnetpools/{id}/remove_prefixes
|
|
#"remove_prefixes": "rule:admin_or_owner"
|
|
|
|
# Create a trunk
|
|
# POST /trunks
|
|
#"create_trunk": "rule:regular_user"
|
|
|
|
# Get a trunk
|
|
# GET /trunks
|
|
# GET /trunks/{id}
|
|
#"get_trunk": "rule:admin_or_owner"
|
|
|
|
# Update a trunk
|
|
# PUT /trunks/{id}
|
|
#"update_trunk": "rule:admin_or_owner"
|
|
|
|
# Delete a trunk
|
|
# DELETE /trunks/{id}
|
|
#"delete_trunk": "rule:admin_or_owner"
|
|
|
|
# List subports attached to a trunk
|
|
# GET /trunks/{id}/get_subports
|
|
#"get_subports": "rule:regular_user"
|
|
|
|
# Add subports to a trunk
|
|
# PUT /trunks/{id}/add_subports
|
|
#"add_subports": "rule:admin_or_owner"
|
|
|
|
# Delete subports from a trunk
|
|
# PUT /trunks/{id}/remove_subports
|
|
#"remove_subports": "rule:admin_or_owner"
|
|
|