The following is an overview of all available policies in Nova.
Warning
JSON formatted policy file is deprecated since Nova 22.0.0(Victoria). Use YAML formatted file. Use oslopolicy-convert-json-to-yaml tool to convert the existing JSON to YAML formatted policy file in backward compatible way.
For a sample configuration file, refer to Sample Nova Policy File.
context_is_admin
role:admin
Decides what is required for the ‘is_admin:True’ check to succeed.
admin_or_owner
is_admin:True or project_id:%(project_id)s
Default rule for most non-Admin APIs.
admin_api
is_admin:True
Default rule for most Admin APIs.
project_member_api
role:member and project_id:%(project_id)s
Default rule for Project level non admin APIs.
project_reader_api
role:reader and project_id:%(project_id)s
Default rule for Project level read only APIs.
project_member_or_admin
rule:project_member_api or rule:context_is_admin
Default rule for Project Member or admin APIs.
project_reader_or_admin
rule:project_reader_api or rule:context_is_admin
Default rule for Project reader or admin APIs.
os_compute_api:os-admin-actions:reset_state
rule:context_is_admin
POST /servers/{server_id}/action (os-resetState)
project
Reset the state of a given server
os_compute_api:os-admin-actions:inject_network_info
rule:context_is_admin
POST /servers/{server_id}/action (injectNetworkInfo)
project
Inject network information into the server
os_compute_api:os-admin-password
rule:project_member_or_admin
POST /servers/{server_id}/action (changePassword)
project
Change the administrative password for a server
os_compute_api:os-aggregates:set_metadata
rule:context_is_admin
POST /os-aggregates/{aggregate_id}/action (set_metadata)
project
Create or replace metadata for an aggregate
os_compute_api:os-aggregates:add_host
rule:context_is_admin
POST /os-aggregates/{aggregate_id}/action (add_host)
project
Add a host to an aggregate
os_compute_api:os-aggregates:create
rule:context_is_admin
POST /os-aggregates
project
Create an aggregate
os_compute_api:os-aggregates:remove_host
rule:context_is_admin
POST /os-aggregates/{aggregate_id}/action (remove_host)
project
Remove a host from an aggregate
os_compute_api:os-aggregates:update
rule:context_is_admin
PUT /os-aggregates/{aggregate_id}
project
Update name and/or availability zone for an aggregate
os_compute_api:os-aggregates:index
rule:context_is_admin
GET /os-aggregates
project
List all aggregates
os_compute_api:os-aggregates:delete
rule:context_is_admin
DELETE /os-aggregates/{aggregate_id}
project
Delete an aggregate
os_compute_api:os-aggregates:show
rule:context_is_admin
GET /os-aggregates/{aggregate_id}
project
Show details for an aggregate
compute:aggregates:images
rule:context_is_admin
POST /os-aggregates/{aggregate_id}/images
project
Request image caching for an aggregate
os_compute_api:os-assisted-volume-snapshots:create
rule:context_is_admin
POST /os-assisted-volume-snapshots
project
Create an assisted volume snapshot
os_compute_api:os-assisted-volume-snapshots:delete
rule:context_is_admin
DELETE /os-assisted-volume-snapshots/{snapshot_id}
project
Delete an assisted volume snapshot
os_compute_api:os-attach-interfaces:list
rule:project_reader_or_admin
GET /servers/{server_id}/os-interface
project
List port interfaces attached to a server
os_compute_api:os-attach-interfaces:show
rule:project_reader_or_admin
GET /servers/{server_id}/os-interface/{port_id}
project
Show details of a port interface attached to a server
os_compute_api:os-attach-interfaces:create
rule:project_member_or_admin
POST /servers/{server_id}/os-interface
project
Attach an interface to a server
os_compute_api:os-attach-interfaces:delete
rule:project_member_or_admin
DELETE /servers/{server_id}/os-interface/{port_id}
project
Detach an interface from a server
os_compute_api:os-availability-zone:list
@
GET /os-availability-zone
project
List availability zone information without host information
os_compute_api:os-availability-zone:detail
rule:context_is_admin
GET /os-availability-zone/detail
project
List detailed availability zone information with host information
os_compute_api:os-baremetal-nodes:list
rule:context_is_admin
GET /os-baremetal-nodes
project
List and show details of bare metal nodes.
These APIs are proxy calls to the Ironic service and are deprecated.
os_compute_api:os-baremetal-nodes:show
rule:context_is_admin
GET /os-baremetal-nodes/{node_id}
project
Show action details for a server.
os_compute_api:os-console-auth-tokens
rule:context_is_admin
GET /os-console-auth-tokens/{console_token}
project
Show console connection information for a given console authentication token
os_compute_api:os-console-output
rule:project_member_or_admin
POST /servers/{server_id}/action (os-getConsoleOutput)
project
Show console output for a server
os_compute_api:os-create-backup
rule:project_member_or_admin
POST /servers/{server_id}/action (createBackup)
project
Create a back up of a server
os_compute_api:os-deferred-delete:restore
rule:project_member_or_admin
POST /servers/{server_id}/action (restore)
project
Restore a soft deleted server
os_compute_api:os-deferred-delete:force
rule:project_member_or_admin
POST /servers/{server_id}/action (forceDelete)
project
Force delete a server before deferred cleanup
os_compute_api:os-evacuate
rule:context_is_admin
POST /servers/{server_id}/action (evacuate)
project
Evacuate a server from a failed host to a new host
os_compute_api:os-extended-server-attributes
rule:context_is_admin
GET /servers/{id}
GET /servers/detail
PUT /servers/{server_id}
POST /servers/{server_id}/action (rebuild)
project
Return extended attributes for server.
This rule will control the visibility for a set of servers attributes:
OS-EXT-SRV-ATTR:host
OS-EXT-SRV-ATTR:instance_name
OS-EXT-SRV-ATTR:reservation_id
(since microversion 2.3)
OS-EXT-SRV-ATTR:launch_index
(since microversion 2.3)
OS-EXT-SRV-ATTR:hostname
(since microversion 2.3)
OS-EXT-SRV-ATTR:kernel_id
(since microversion 2.3)
OS-EXT-SRV-ATTR:ramdisk_id
(since microversion 2.3)
OS-EXT-SRV-ATTR:root_device_name
(since microversion 2.3)
OS-EXT-SRV-ATTR:user_data
(since microversion 2.3)
Microvision 2.75 added the above attributes in the PUT /servers/{server_id}
and POST /servers/{server_id}/action (rebuild)
API responses which are
also controlled by this policy rule, like the GET /servers*
APIs.
Microversion 2.90 made the OS-EXT-SRV-ATTR:hostname
attribute available to
all users, so this policy has no effect on that field for microversions 2.90
and greater. Controlling the visibility of this attribute for all microversions
is therefore deprecated and will be removed in a future release.
os_compute_api:extensions
@
GET /extensions
GET /extensions/{alias}
project
List available extensions and show information for an extension by alias
os_compute_api:os-flavor-access:add_tenant_access
rule:context_is_admin
POST /flavors/{flavor_id}/action (addTenantAccess)
project
Add flavor access to a tenant
os_compute_api:os-flavor-access:remove_tenant_access
rule:context_is_admin
POST /flavors/{flavor_id}/action (removeTenantAccess)
project
Remove flavor access from a tenant
os_compute_api:os-flavor-access
rule:context_is_admin
GET /flavors/{flavor_id}/os-flavor-access
project
List flavor access information
Allows access to the full list of tenants that have access to a flavor via an os-flavor-access API.
os_compute_api:os-flavor-extra-specs:show
rule:project_reader_or_admin
GET /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
project
Show an extra spec for a flavor
os_compute_api:os-flavor-extra-specs:create
rule:context_is_admin
POST /flavors/{flavor_id}/os-extra_specs/
project
Create extra specs for a flavor
os_compute_api:os-flavor-extra-specs:update
rule:context_is_admin
PUT /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
project
Update an extra spec for a flavor
os_compute_api:os-flavor-extra-specs:delete
rule:context_is_admin
DELETE /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
project
Delete an extra spec for a flavor
os_compute_api:os-flavor-extra-specs:index
rule:project_reader_or_admin
GET /flavors/{flavor_id}/os-extra_specs/
POST /flavors
GET /flavors/detail
GET /flavors/{flavor_id}
PUT /flavors/{flavor_id}
project
List extra specs for a flavor. Starting with microversion 2.61, extra specs may be returned in responses for the flavor resource.
os_compute_api:os-flavor-manage:create
rule:context_is_admin
POST /flavors
project
Create a flavor
os_compute_api:os-flavor-manage:update
rule:context_is_admin
PUT /flavors/{flavor_id}
project
Update a flavor
os_compute_api:os-flavor-manage:delete
rule:context_is_admin
DELETE /flavors/{flavor_id}
project
Delete a flavor
os_compute_api:os-floating-ip-pools
@
GET /os-floating-ip-pools
project
List floating IP pools. This API is deprecated.
os_compute_api:os-floating-ips:add
rule:project_member_or_admin
POST /servers/{server_id}/action (addFloatingIp)
project
Associate floating IPs to server. This API is deprecated.
os_compute_api:os-floating-ips:remove
rule:project_member_or_admin
POST /servers/{server_id}/action (removeFloatingIp)
project
Disassociate floating IPs to server. This API is deprecated.
os_compute_api:os-floating-ips:list
rule:project_reader_or_admin
GET /os-floating-ips
project
List floating IPs. This API is deprecated.
os_compute_api:os-floating-ips:create
rule:project_member_or_admin
POST /os-floating-ips
project
Create floating IPs. This API is deprecated.
os_compute_api:os-floating-ips:show
rule:project_reader_or_admin
GET /os-floating-ips/{floating_ip_id}
project
Show floating IPs. This API is deprecated.
os_compute_api:os-floating-ips:delete
rule:project_member_or_admin
DELETE /os-floating-ips/{floating_ip_id}
project
Delete floating IPs. This API is deprecated.
os_compute_api:os-hosts:list
rule:context_is_admin
GET /os-hosts
project
List physical hosts.
This API is deprecated in favor of os-hypervisors and os-services.
os_compute_api:os-hosts:show
rule:context_is_admin
GET /os-hosts/{host_name}
project
Show physical host.
This API is deprecated in favor of os-hypervisors and os-services.
os_compute_api:os-hosts:update
rule:context_is_admin
PUT /os-hosts/{host_name}
project
Update physical host.
This API is deprecated in favor of os-hypervisors and os-services.
os_compute_api:os-hosts:reboot
rule:context_is_admin
GET /os-hosts/{host_name}/reboot
project
Reboot physical host.
This API is deprecated in favor of os-hypervisors and os-services.
os_compute_api:os-hosts:shutdown
rule:context_is_admin
GET /os-hosts/{host_name}/shutdown
project
Shutdown physical host.
This API is deprecated in favor of os-hypervisors and os-services.
os_compute_api:os-hosts:start
rule:context_is_admin
GET /os-hosts/{host_name}/startup
project
Start physical host.
This API is deprecated in favor of os-hypervisors and os-services.
os_compute_api:os-hypervisors:list
rule:context_is_admin
GET /os-hypervisors
project
List all hypervisors.
os_compute_api:os-hypervisors:list-detail
rule:context_is_admin
GET /os-hypervisors/details
project
List all hypervisors with details
os_compute_api:os-hypervisors:statistics
rule:context_is_admin
GET /os-hypervisors/statistics
project
Show summary statistics for all hypervisors over all compute nodes.
os_compute_api:os-hypervisors:show
rule:context_is_admin
GET /os-hypervisors/{hypervisor_id}
project
Show details for a hypervisor.
os_compute_api:os-hypervisors:uptime
rule:context_is_admin
GET /os-hypervisors/{hypervisor_id}/uptime
project
Show the uptime of a hypervisor.
os_compute_api:os-hypervisors:search
rule:context_is_admin
GET /os-hypervisors/{hypervisor_hostname_pattern}/search
project
Search hypervisor by hypervisor_hostname pattern.
os_compute_api:os-hypervisors:servers
rule:context_is_admin
GET /os-hypervisors/{hypervisor_hostname_pattern}/servers
project
List all servers on hypervisors that can match the provided hypervisor_hostname pattern.
os_compute_api:os-instance-actions:events:details
rule:context_is_admin
GET /servers/{server_id}/os-instance-actions/{request_id}
project
Add “details” key in action events for a server.
This check is performed only after the check os_compute_api:os-instance-actions:show passes. Beginning with Microversion 2.84, new field ‘details’ is exposed via API which can have more details about event failure. That field is controlled by this policy which is system reader by default. Making the ‘details’ field visible to the non-admin user helps to understand the nature of the problem (i.e. if the action can be retried), but in the other hand it might leak information about the deployment (e.g. the type of the hypervisor).
os_compute_api:os-instance-actions:events
rule:context_is_admin
GET /servers/{server_id}/os-instance-actions/{request_id}
project
Add events details in action details for a server. This check is performed only after the check os_compute_api:os-instance-actions:show passes. Beginning with Microversion 2.51, events details are always included; traceback information is provided per event if policy enforcement passes. Beginning with Microversion 2.62, each event includes a hashed host identifier and, if policy enforcement passes, the name of the host.
os_compute_api:os-instance-actions:list
rule:project_reader_or_admin
GET /servers/{server_id}/os-instance-actions
project
List actions for a server.
os_compute_api:os-instance-actions:show
rule:project_reader_or_admin
GET /servers/{server_id}/os-instance-actions/{request_id}
project
Show action details for a server.
os_compute_api:os-instance-usage-audit-log:list
rule:context_is_admin
GET /os-instance_usage_audit_log
project
List all usage audits.
os_compute_api:os-instance-usage-audit-log:show
rule:context_is_admin
GET /os-instance_usage_audit_log/{before_timestamp}
project
List all usage audits occurred before a specified time for all servers on all compute hosts where usage auditing is configured
os_compute_api:ips:show
rule:project_reader_or_admin
GET /servers/{server_id}/ips/{network_label}
project
Show IP addresses details for a network label of a server
os_compute_api:ips:index
rule:project_reader_or_admin
GET /servers/{server_id}/ips
project
List IP addresses that are assigned to a server
os_compute_api:os-keypairs:index
(rule:context_is_admin) or user_id:%(user_id)s
GET /os-keypairs
project
List all keypairs
os_compute_api:os-keypairs:create
(rule:context_is_admin) or user_id:%(user_id)s
POST /os-keypairs
project
Create a keypair
os_compute_api:os-keypairs:delete
(rule:context_is_admin) or user_id:%(user_id)s
DELETE /os-keypairs/{keypair_name}
project
Delete a keypair
os_compute_api:os-keypairs:show
(rule:context_is_admin) or user_id:%(user_id)s
GET /os-keypairs/{keypair_name}
project
Show details of a keypair
os_compute_api:limits
@
GET /limits
project
Show rate and absolute limits for the current user project
os_compute_api:limits:other_project
rule:context_is_admin
GET /limits
project
Show rate and absolute limits of other project.
This policy only checks if the user has access to the requested project limits. And this check is performed only after the check os_compute_api:limits passes
os_compute_api:os-lock-server:lock
rule:project_member_or_admin
POST /servers/{server_id}/action (lock)
project
Lock a server
os_compute_api:os-lock-server:unlock
rule:project_member_or_admin
POST /servers/{server_id}/action (unlock)
project
Unlock a server
os_compute_api:os-lock-server:unlock:unlock_override
rule:context_is_admin
POST /servers/{server_id}/action (unlock)
project
Unlock a server, regardless who locked the server.
This check is performed only after the check os_compute_api:os-lock-server:unlock passes
os_compute_api:os-migrate-server:migrate
rule:context_is_admin
POST /servers/{server_id}/action (migrate)
project
Cold migrate a server to a host
os_compute_api:os-migrate-server:migrate_live
rule:context_is_admin
POST /servers/{server_id}/action (os-migrateLive)
project
Live migrate a server to a new host without a reboot
os_compute_api:os-migrations:index
rule:context_is_admin
GET /os-migrations
project
List migrations
os_compute_api:os-multinic:add
rule:project_member_or_admin
POST /servers/{server_id}/action (addFixedIp)
project
Add a fixed IP address to a server.
This API is proxy calls to the Network service. This is deprecated.
os_compute_api:os-multinic:remove
rule:project_member_or_admin
POST /servers/{server_id}/action (removeFixedIp)
project
Remove a fixed IP address from a server.
This API is proxy calls to the Network service. This is deprecated.
os_compute_api:os-networks:list
rule:project_reader_or_admin
GET /os-networks
project
List networks for the project.
This API is proxy calls to the Network service. This is deprecated.
os_compute_api:os-networks:show
rule:project_reader_or_admin
GET /os-networks/{network_id}
project
Show network details.
This API is proxy calls to the Network service. This is deprecated.
os_compute_api:os-pause-server:pause
rule:project_member_or_admin
POST /servers/{server_id}/action (pause)
project
Pause a server
os_compute_api:os-pause-server:unpause
rule:project_member_or_admin
POST /servers/{server_id}/action (unpause)
project
Unpause a paused server
os_compute_api:os-quota-class-sets:show
rule:context_is_admin
GET /os-quota-class-sets/{quota_class}
project
List quotas for specific quota classs
os_compute_api:os-quota-class-sets:update
rule:context_is_admin
PUT /os-quota-class-sets/{quota_class}
project
Update quotas for specific quota class
os_compute_api:os-quota-sets:update
rule:context_is_admin
PUT /os-quota-sets/{tenant_id}
project
Update the quotas
os_compute_api:os-quota-sets:defaults
@
GET /os-quota-sets/{tenant_id}/defaults
project
List default quotas
os_compute_api:os-quota-sets:show
rule:project_reader_or_admin
GET /os-quota-sets/{tenant_id}
project
Show a quota
os_compute_api:os-quota-sets:delete
rule:context_is_admin
DELETE /os-quota-sets/{tenant_id}
project
Revert quotas to defaults
os_compute_api:os-quota-sets:detail
rule:project_reader_or_admin
GET /os-quota-sets/{tenant_id}/detail
project
Show the detail of quota
os_compute_api:os-remote-consoles
rule:project_member_or_admin
POST /servers/{server_id}/action (os-getRDPConsole)
POST /servers/{server_id}/action (os-getSerialConsole)
POST /servers/{server_id}/action (os-getSPICEConsole)
POST /servers/{server_id}/action (os-getVNCConsole)
POST /servers/{server_id}/remote-consoles
project
Generate a URL to access remove server console.
This policy is for POST /remote-consoles
API and below Server actions APIs
are deprecated:
os-getRDPConsole
os-getSerialConsole
os-getSPICEConsole
os-getVNCConsole
.
os_compute_api:os-rescue
rule:project_member_or_admin
POST /servers/{server_id}/action (rescue)
project
Rescue a server
os_compute_api:os-unrescue
rule:project_member_or_admin
POST /servers/{server_id}/action (unrescue)
project
Unrescue a server
os_compute_api:os-security-groups:get
rule:project_reader_or_admin
GET /os-security-groups
project
List security groups. This API is deprecated.
os_compute_api:os-security-groups:show
rule:project_reader_or_admin
GET /os-security-groups/{security_group_id}
project
Show security group. This API is deprecated.
os_compute_api:os-security-groups:create
rule:project_member_or_admin
POST /os-security-groups
project
Create security group. This API is deprecated.
os_compute_api:os-security-groups:update
rule:project_member_or_admin
PUT /os-security-groups/{security_group_id}
project
Update security group. This API is deprecated.
os_compute_api:os-security-groups:delete
rule:project_member_or_admin
DELETE /os-security-groups/{security_group_id}
project
Delete security group. This API is deprecated.
os_compute_api:os-security-groups:rule:create
rule:project_member_or_admin
POST /os-security-group-rules
project
Create security group Rule. This API is deprecated.
os_compute_api:os-security-groups:rule:delete
rule:project_member_or_admin
DELETE /os-security-group-rules/{security_group_id}
project
Delete security group Rule. This API is deprecated.
os_compute_api:os-security-groups:list
rule:project_reader_or_admin
GET /servers/{server_id}/os-security-groups
project
List security groups of server.
os_compute_api:os-security-groups:add
rule:project_member_or_admin
POST /servers/{server_id}/action (addSecurityGroup)
project
Add security groups to server.
os_compute_api:os-security-groups:remove
rule:project_member_or_admin
POST /servers/{server_id}/action (removeSecurityGroup)
project
Remove security groups from server.
os_compute_api:os-server-diagnostics
rule:context_is_admin
GET /servers/{server_id}/diagnostics
project
Show the usage data for a server
os_compute_api:os-server-external-events:create
rule:context_is_admin
POST /os-server-external-events
project
Create one or more external events
os_compute_api:os-server-groups:create
rule:project_member_or_admin
POST /os-server-groups
project
Create a new server group
os_compute_api:os-server-groups:delete
rule:project_member_or_admin
DELETE /os-server-groups/{server_group_id}
project
Delete a server group
os_compute_api:os-server-groups:index
rule:project_reader_or_admin
GET /os-server-groups
project
List all server groups
os_compute_api:os-server-groups:index:all_projects
rule:context_is_admin
GET /os-server-groups
project
List all server groups for all projects
os_compute_api:os-server-groups:show
rule:project_reader_or_admin
GET /os-server-groups/{server_group_id}
project
Show details of a server group
os_compute_api:server-metadata:index
rule:project_reader_or_admin
GET /servers/{server_id}/metadata
project
List all metadata of a server
os_compute_api:server-metadata:show
rule:project_reader_or_admin
GET /servers/{server_id}/metadata/{key}
project
Show metadata for a server
os_compute_api:server-metadata:create
rule:project_member_or_admin
POST /servers/{server_id}/metadata
project
Create metadata for a server
os_compute_api:server-metadata:update_all
rule:project_member_or_admin
PUT /servers/{server_id}/metadata
project
Replace metadata for a server
os_compute_api:server-metadata:update
rule:project_member_or_admin
PUT /servers/{server_id}/metadata/{key}
project
Update metadata from a server
os_compute_api:server-metadata:delete
rule:project_member_or_admin
DELETE /servers/{server_id}/metadata/{key}
project
Delete metadata from a server
os_compute_api:os-server-password:show
rule:project_reader_or_admin
GET /servers/{server_id}/os-server-password
project
Show the encrypted administrative password of a server
os_compute_api:os-server-password:clear
rule:project_member_or_admin
DELETE /servers/{server_id}/os-server-password
project
Clear the encrypted administrative password of a server
os_compute_api:os-server-tags:delete_all
rule:project_member_or_admin
DELETE /servers/{server_id}/tags
project
Delete all the server tags
os_compute_api:os-server-tags:index
rule:project_reader_or_admin
GET /servers/{server_id}/tags
project
List all tags for given server
os_compute_api:os-server-tags:update_all
rule:project_member_or_admin
PUT /servers/{server_id}/tags
project
Replace all tags on specified server with the new set of tags.
os_compute_api:os-server-tags:delete
rule:project_member_or_admin
DELETE /servers/{server_id}/tags/{tag}
project
Delete a single tag from the specified server
os_compute_api:os-server-tags:update
rule:project_member_or_admin
PUT /servers/{server_id}/tags/{tag}
project
Add a single tag to the server if server has no specified tag
os_compute_api:os-server-tags:show
rule:project_reader_or_admin
GET /servers/{server_id}/tags/{tag}
project
Check tag existence on the server.
compute:server:topology:index
rule:project_reader_or_admin
GET /servers/{server_id}/topology
project
Show the NUMA topology data for a server
compute:server:topology:host:index
rule:context_is_admin
GET /servers/{server_id}/topology
project
Show the NUMA topology data for a server with host NUMA ID and CPU pinning information
os_compute_api:servers:index
rule:project_reader_or_admin
GET /servers
project
List all servers
os_compute_api:servers:detail
rule:project_reader_or_admin
GET /servers/detail
project
List all servers with detailed information
os_compute_api:servers:index:get_all_tenants
rule:context_is_admin
GET /servers
project
List all servers for all projects
os_compute_api:servers:detail:get_all_tenants
rule:context_is_admin
GET /servers/detail
project
List all servers with detailed information for all projects
os_compute_api:servers:allow_all_filters
rule:context_is_admin
GET /servers
GET /servers/detail
project
Allow all filters when listing servers
os_compute_api:servers:show
rule:project_reader_or_admin
GET /servers/{server_id}
project
Show a server
os_compute_api:servers:show:flavor-extra-specs
rule:project_reader_or_admin
GET /servers/detail
GET /servers/{server_id}
PUT /servers/{server_id}
POST /servers/{server_id}/action (rebuild)
project
Starting with microversion 2.47, the flavor and its extra specs used for a server is also returned in the response when showing server details, updating a server or rebuilding a server.
os_compute_api:servers:show:host_status
rule:context_is_admin
GET /servers/{server_id}
GET /servers/detail
PUT /servers/{server_id}
POST /servers/{server_id}/action (rebuild)
project
Show a server with additional host status information.
This means host_status will be shown irrespective of status value. If showing
only host_status UNKNOWN is desired, use the
os_compute_api:servers:show:host_status:unknown-only
policy rule.
Microvision 2.75 added the host_status
attribute in the
PUT /servers/{server_id}
and POST /servers/{server_id}/action (rebuild)
API responses which are also controlled by this policy rule, like the
GET /servers*
APIs.
os_compute_api:servers:show:host_status:unknown-only
rule:context_is_admin
GET /servers/{server_id}
GET /servers/detail
PUT /servers/{server_id}
POST /servers/{server_id}/action (rebuild)
project
Show a server with additional host status information, only if host status is UNKNOWN.
This policy rule will only be enforced when the
os_compute_api:servers:show:host_status
policy rule does not pass for the
request. An example policy configuration could be where the
os_compute_api:servers:show:host_status
rule is set to allow admin-only and
the os_compute_api:servers:show:host_status:unknown-only
rule is set to
allow everyone.
os_compute_api:servers:create
rule:project_member_or_admin
POST /servers
project
Create a server
os_compute_api:servers:create:forced_host
rule:context_is_admin
POST /servers
project
Create a server on the specified host and/or node.
In this case, the server is forced to launch on the specified
host and/or node by bypassing the scheduler filters unlike the
compute:servers:create:requested_destination
rule.
compute:servers:create:requested_destination
rule:context_is_admin
POST /servers
project
Create a server on the requested compute service host and/or hypervisor_hostname.
In this case, the requested host and/or hypervisor_hostname is
validated by the scheduler filters unlike the
os_compute_api:servers:create:forced_host
rule.
os_compute_api:servers:create:attach_volume
rule:project_member_or_admin
POST /servers
project
Create a server with the requested volume attached to it
os_compute_api:servers:create:attach_network
rule:project_member_or_admin
POST /servers
project
Create a server with the requested network attached to it
os_compute_api:servers:create:trusted_certs
rule:project_member_or_admin
POST /servers
project
Create a server with trusted image certificate IDs
os_compute_api:servers:create:zero_disk_flavor
rule:context_is_admin
POST /servers
project
This rule controls the compute API validation behavior of creating a server with a flavor that has 0 disk, indicating the server should be volume-backed.
For a flavor with disk=0, the root disk will be set to exactly the size of the image used to deploy the instance. However, in this case the filter_scheduler cannot select the compute host based on the virtual image size. Therefore, 0 should only be used for volume booted instances or for testing purposes.
WARNING: It is a potential security exposure to enable this policy rule if users can upload their own images since repeated attempts to create a disk=0 flavor instance with a large image can exhaust the local disk of the compute (or shared storage cluster). See bug https://bugs.launchpad.net/nova/+bug/1739646 for details.
network:attach_external_network
rule:context_is_admin
POST /servers
POST /servers/{server_id}/os-interface
project
Attach an unshared external network to a server
os_compute_api:servers:delete
rule:project_member_or_admin
DELETE /servers/{server_id}
project
Delete a server
os_compute_api:servers:update
rule:project_member_or_admin
PUT /servers/{server_id}
project
Update a server
os_compute_api:servers:confirm_resize
rule:project_member_or_admin
POST /servers/{server_id}/action (confirmResize)
project
Confirm a server resize
os_compute_api:servers:revert_resize
rule:project_member_or_admin
POST /servers/{server_id}/action (revertResize)
project
Revert a server resize
os_compute_api:servers:reboot
rule:project_member_or_admin
POST /servers/{server_id}/action (reboot)
project
Reboot a server
os_compute_api:servers:resize
rule:project_member_or_admin
POST /servers/{server_id}/action (resize)
project
Resize a server
compute:servers:resize:cross_cell
!
POST /servers/{server_id}/action (resize)
project
Resize a server across cells. By default, this is disabled for all users and recommended to be tested in a deployment for admin users before opening it up to non-admin users. Resizing within a cell is the default preferred behavior even if this is enabled.
os_compute_api:servers:rebuild
rule:project_member_or_admin
POST /servers/{server_id}/action (rebuild)
project
Rebuild a server
os_compute_api:servers:rebuild:trusted_certs
rule:project_member_or_admin
POST /servers/{server_id}/action (rebuild)
project
Rebuild a server with trusted image certificate IDs
os_compute_api:servers:create_image
rule:project_member_or_admin
POST /servers/{server_id}/action (createImage)
project
Create an image from a server
os_compute_api:servers:create_image:allow_volume_backed
rule:project_member_or_admin
POST /servers/{server_id}/action (createImage)
project
Create an image from a volume backed server
os_compute_api:servers:start
rule:project_member_or_admin
POST /servers/{server_id}/action (os-start)
project
Start a server
os_compute_api:servers:stop
rule:project_member_or_admin
POST /servers/{server_id}/action (os-stop)
project
Stop a server
os_compute_api:servers:trigger_crash_dump
rule:project_member_or_admin
POST /servers/{server_id}/action (trigger_crash_dump)
project
Trigger crash dump in a server
os_compute_api:servers:migrations:show
rule:context_is_admin
GET /servers/{server_id}/migrations/{migration_id}
project
Show details for an in-progress live migration for a given server
os_compute_api:servers:migrations:force_complete
rule:context_is_admin
POST /servers/{server_id}/migrations/{migration_id}/action (force_complete)
project
Force an in-progress live migration for a given server to complete
os_compute_api:servers:migrations:delete
rule:context_is_admin
DELETE /servers/{server_id}/migrations/{migration_id}
project
Delete(Abort) an in-progress live migration
os_compute_api:servers:migrations:index
rule:context_is_admin
GET /servers/{server_id}/migrations
project
Lists in-progress live migrations for a given server
os_compute_api:os-services:list
rule:context_is_admin
GET /os-services
project
List all running Compute services in a region.
os_compute_api:os-services:update
rule:context_is_admin
PUT /os-services/{service_id}
project
Update a Compute service.
os_compute_api:os-services:delete
rule:context_is_admin
DELETE /os-services/{service_id}
project
Delete a Compute service.
os_compute_api:os-shelve:shelve
rule:project_member_or_admin
POST /servers/{server_id}/action (shelve)
project
Shelve server
os_compute_api:os-shelve:unshelve
rule:project_member_or_admin
POST /servers/{server_id}/action (unshelve)
project
Unshelve (restore) shelved server
os_compute_api:os-shelve:unshelve_to_host
rule:context_is_admin
POST /servers/{server_id}/action (unshelve)
project
Unshelve (restore) shelve offloaded server to a specific host
os_compute_api:os-shelve:shelve_offload
rule:context_is_admin
POST /servers/{server_id}/action (shelveOffload)
project
Shelf-offload (remove) server
os_compute_api:os-simple-tenant-usage:show
rule:project_reader_or_admin
GET /os-simple-tenant-usage/{tenant_id}
project
Show usage statistics for a specific tenant
os_compute_api:os-simple-tenant-usage:list
rule:context_is_admin
GET /os-simple-tenant-usage
project
List per tenant usage statistics for all tenants
os_compute_api:os-suspend-server:resume
rule:project_member_or_admin
POST /servers/{server_id}/action (resume)
project
Resume suspended server
os_compute_api:os-suspend-server:suspend
rule:project_member_or_admin
POST /servers/{server_id}/action (suspend)
project
Suspend server
os_compute_api:os-tenant-networks:list
rule:project_reader_api
GET /os-tenant-networks
project
List project networks.
This API is proxy calls to the Network service. This is deprecated.
os_compute_api:os-tenant-networks:show
rule:project_reader_api
GET /os-tenant-networks/{network_id}
project
Show project network details.
This API is proxy calls to the Network service. This is deprecated.
os_compute_api:os-volumes:list
rule:project_reader_or_admin
GET /os-volumes
project
List volumes.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:create
rule:project_member_or_admin
POST /os-volumes
project
Create volume.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:detail
rule:project_reader_or_admin
GET /os-volumes/detail
project
List volumes detail.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:show
rule:project_reader_or_admin
GET /os-volumes/{volume_id}
project
Show volume.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:delete
rule:project_member_or_admin
DELETE /os-volumes/{volume_id}
project
Delete volume.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:snapshots:list
rule:project_reader_or_admin
GET /os-snapshots
project
List snapshots.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:snapshots:create
rule:project_member_or_admin
POST /os-snapshots
project
Create snapshots.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:snapshots:detail
rule:project_reader_or_admin
GET /os-snapshots/detail
project
List snapshots details.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:snapshots:show
rule:project_reader_or_admin
GET /os-snapshots/{snapshot_id}
project
Show snapshot.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:snapshots:delete
rule:project_member_or_admin
DELETE /os-snapshots/{snapshot_id}
project
Delete snapshot.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes-attachments:index
rule:project_reader_or_admin
GET /servers/{server_id}/os-volume_attachments
project
List volume attachments for an instance
os_compute_api:os-volumes-attachments:create
rule:project_member_or_admin
POST /servers/{server_id}/os-volume_attachments
project
Attach a volume to an instance
os_compute_api:os-volumes-attachments:show
rule:project_reader_or_admin
GET /servers/{server_id}/os-volume_attachments/{volume_id}
project
Show details of a volume attachment
os_compute_api:os-volumes-attachments:update
rule:project_member_or_admin
PUT /servers/{server_id}/os-volume_attachments/{volume_id}
project
Update a volume attachment. New ‘update’ policy about ‘swap + update’ request (which is possible only >2.85) only <swap policy> is checked. We expect <swap policy> to be always superset of this policy permission.
os_compute_api:os-volumes-attachments:swap
rule:context_is_admin
PUT /servers/{server_id}/os-volume_attachments/{volume_id}
project
Update a volume attachment with a different volumeId
os_compute_api:os-volumes-attachments:delete
rule:project_member_or_admin
DELETE /servers/{server_id}/os-volume_attachments/{volume_id}
project
Detach a volume from an instance
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.