From e3bf69f015cedde822f20347dc9f20ad93ed0965 Mon Sep 17 00:00:00 2001 From: yatinkarel Date: Tue, 7 Jan 2025 20:35:03 +0530 Subject: [PATCH] Move deprecated since/reason to deprecated_rule object [1] moved these attributes to deprecated_rule in wallaby release. Updated the tool and pulled default conf of services. [1] https://review.opendev.org/c/openstack/oslo.policy/+/766628 Related-Bug: #2092657 Change-Id: Ib0f4ede94f51e0d6ba48c2a77c0303e702f2ca2f --- openstack_auth/policy.py | 7 +- .../conf/default_policies/cinder.yaml | 689 ++++++--- .../conf/default_policies/glance.yaml | 298 +++- .../conf/default_policies/keystone.yaml | 777 ++++++---- .../conf/default_policies/neutron.yaml | 1278 +++++++++++------ .../conf/default_policies/nova.yaml | 850 +++++++++-- .../commands/dump_default_policies.py | 4 +- 7 files changed, 2701 insertions(+), 1202 deletions(-) diff --git a/openstack_auth/policy.py b/openstack_auth/policy.py index ae58209414..cb14fc89f0 100644 --- a/openstack_auth/policy.py +++ b/openstack_auth/policy.py @@ -64,8 +64,11 @@ def _get_policy_file_with_full_path(service): def _convert_to_ruledefault(p): deprecated = p.get('deprecated_rule') if deprecated: - deprecated_rule = policy.DeprecatedRule(deprecated['name'], - deprecated['check_str']) + deprecated_rule = policy.DeprecatedRule( + deprecated['name'], + deprecated['check_str'], + deprecated_reason=deprecated.get('deprecated_reason'), + deprecated_since=deprecated.get('deprecated_since')) else: deprecated_rule = None diff --git a/openstack_dashboard/conf/default_policies/cinder.yaml b/openstack_dashboard/conf/default_policies/cinder.yaml index 1badc61387..31dda6e220 100644 --- a/openstack_dashboard/conf/default_policies/cinder.yaml +++ b/openstack_dashboard/conf/default_policies/cinder.yaml @@ -32,11 +32,14 @@ operations: [] scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: '' + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:attachment_create - deprecated_since: null description: Create attachment. name: volume:attachment_create operations: @@ -44,11 +47,14 @@ path: /attachments scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:attachment_update - deprecated_since: null description: Update attachment. name: volume:attachment_update operations: @@ -56,11 +62,14 @@ path: /attachments/{attachment_id} scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:attachment_delete - deprecated_since: null description: Delete attachment. name: volume:attachment_delete operations: @@ -68,11 +77,14 @@ path: /attachments/{attachment_id} scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:attachment_complete - deprecated_since: null description: Mark a volume attachment process as completed (in-use) name: volume:attachment_complete operations: @@ -80,11 +92,14 @@ path: /attachments/{attachment_id}/action (os-complete) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:multiattach_bootable_volume - deprecated_since: null description: Allow multiattach of bootable volumes. name: volume:multiattach_bootable_volume operations: @@ -92,11 +107,14 @@ path: /attachments scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: message:get_all - deprecated_since: null description: List messages. name: message:get_all operations: @@ -104,11 +122,14 @@ path: /messages scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: message:get - deprecated_since: null description: Show message. name: message:get operations: @@ -116,11 +137,14 @@ path: /messages/{message_id} scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: message:delete - deprecated_since: null description: Delete message. name: message:delete operations: @@ -158,11 +182,14 @@ path: /workers/cleanup scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:get_snapshot_metadata - deprecated_since: null description: Show snapshot's metadata or one specified metadata with a given key. name: volume:get_snapshot_metadata operations: @@ -172,11 +199,14 @@ path: /snapshots/{snapshot_id}/metadata/{key} scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:update_snapshot_metadata - deprecated_since: null description: Update snapshot's metadata or one specified metadata with a given key. name: volume:update_snapshot_metadata operations: @@ -186,11 +216,14 @@ path: /snapshots/{snapshot_id}/metadata/{key} scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:delete_snapshot_metadata - deprecated_since: null description: Delete snapshot's specified metadata with a given key. name: volume:delete_snapshot_metadata operations: @@ -198,11 +231,14 @@ path: /snapshots/{snapshot_id}/metadata/{key} scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:get_all_snapshots - deprecated_since: null description: List snapshots. name: volume:get_all_snapshots operations: @@ -212,11 +248,14 @@ path: /snapshots/detail scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume_extension:extended_snapshot_attributes - deprecated_since: null description: List or show snapshots with extended attributes. name: volume_extension:extended_snapshot_attributes operations: @@ -226,11 +265,14 @@ path: /snapshots/detail scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:create_snapshot - deprecated_since: null description: Create snapshot. name: volume:create_snapshot operations: @@ -238,11 +280,14 @@ path: /snapshots scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:get_snapshot - deprecated_since: null description: Show snapshot. name: volume:get_snapshot operations: @@ -250,11 +295,14 @@ path: /snapshots/{snapshot_id} scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:update_snapshot - deprecated_since: null description: Update snapshot. name: volume:update_snapshot operations: @@ -262,11 +310,14 @@ path: /snapshots/{snapshot_id} scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:delete_snapshot - deprecated_since: null description: Delete snapshot. name: volume:delete_snapshot operations: @@ -281,11 +332,14 @@ path: /snapshots/{snapshot_id}/action (os-reset_status) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: '' + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: snapshot_extension:snapshot_actions:update_snapshot_status - deprecated_since: null description: Update database fields of snapshot. name: snapshot_extension:snapshot_actions:update_snapshot_status operations: @@ -323,11 +377,14 @@ path: /snapshots/{snapshot_id}/action (os-unmanage) scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: backup:get_all - deprecated_since: null description: List backups. name: backup:get_all operations: @@ -346,11 +403,14 @@ path: /backups/detail scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: '' + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: backup:create - deprecated_since: null description: Create backup. name: backup:create operations: @@ -358,11 +418,14 @@ path: /backups scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: backup:get - deprecated_since: null description: Show backup. name: backup:get operations: @@ -370,11 +433,14 @@ path: /backups/{backup_id} scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: backup:update - deprecated_since: null description: Update backup. name: backup:update operations: @@ -382,11 +448,14 @@ path: /backups/{backup_id} scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: backup:delete - deprecated_since: null description: Delete backup. name: backup:delete operations: @@ -394,11 +463,14 @@ path: /backups/{backup_id} scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: backup:restore - deprecated_since: null description: Restore backup. name: backup:restore operations: @@ -434,11 +506,14 @@ path: /backups/{backup_id}/action (os-force_delete) scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: group:get_all - deprecated_since: null description: List groups. name: group:get_all operations: @@ -448,11 +523,14 @@ path: /groups/detail scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: '' + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: group:create - deprecated_since: null description: Create group. name: group:create operations: @@ -460,11 +538,14 @@ path: /groups scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: group:get - deprecated_since: null description: Show group. name: group:get operations: @@ -472,11 +553,14 @@ path: /groups/{group_id} scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: group:update - deprecated_since: null description: Update group. name: group:update operations: @@ -493,11 +577,12 @@ path: /groups/detail scope_types: null - check_str: rule:admin_api - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: group:group_types_manage has been replaced by more granular + policies that separately govern POST, PUT, and DELETE operations. + deprecated_since: X name: group:group_types_manage - deprecated_since: null description: Create a group type. name: group:group_types:create operations: @@ -505,11 +590,12 @@ path: /group_types/ scope_types: null - check_str: rule:admin_api - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: group:group_types_manage has been replaced by more granular + policies that separately govern POST, PUT, and DELETE operations. + deprecated_since: X name: group:group_types_manage - deprecated_since: null description: Update a group type. name: group:group_types:update operations: @@ -517,11 +603,12 @@ path: /group_types/{group_type_id} scope_types: null - check_str: rule:admin_api - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: group:group_types_manage has been replaced by more granular + policies that separately govern POST, PUT, and DELETE operations. + deprecated_since: X name: group:group_types_manage - deprecated_since: null description: Delete a group type. name: group:group_types:delete operations: @@ -536,11 +623,12 @@ path: /group_types/{group_type_id} scope_types: null - check_str: rule:admin_api - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: group:group_types_specs has been replaced by more granular + policies that separately govern GET, POST, PUT, and DELETE operations. + deprecated_since: X name: group:group_types_specs - deprecated_since: null description: Show a group type spec. name: group:group_types_specs:get operations: @@ -548,11 +636,12 @@ path: /group_types/{group_type_id}/group_specs/{g_spec_id} scope_types: null - check_str: rule:admin_api - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: group:group_types_specs has been replaced by more granular + policies that separately govern GET, POST, PUT, and DELETE operations. + deprecated_since: X name: group:group_types_specs - deprecated_since: null description: List group type specs. name: group:group_types_specs:get_all operations: @@ -560,11 +649,12 @@ path: /group_types/{group_type_id}/group_specs scope_types: null - check_str: rule:admin_api - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: group:group_types_specs has been replaced by more granular + policies that separately govern GET, POST, PUT, and DELETE operations. + deprecated_since: X name: group:group_types_specs - deprecated_since: null description: Create a group type spec. name: group:group_types_specs:create operations: @@ -572,11 +662,12 @@ path: /group_types/{group_type_id}/group_specs scope_types: null - check_str: rule:admin_api - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: group:group_types_specs has been replaced by more granular + policies that separately govern GET, POST, PUT, and DELETE operations. + deprecated_since: X name: group:group_types_specs - deprecated_since: null description: Update a group type spec. name: group:group_types_specs:update operations: @@ -584,11 +675,12 @@ path: /group_types/{group_type_id}/group_specs/{g_spec_id} scope_types: null - check_str: rule:admin_api - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: group:group_types_specs has been replaced by more granular + policies that separately govern GET, POST, PUT, and DELETE operations. + deprecated_since: X name: group:group_types_specs - deprecated_since: null description: Delete a group type spec. name: group:group_types_specs:delete operations: @@ -596,11 +688,14 @@ path: /group_types/{group_type_id}/group_specs/{g_spec_id} scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: group:get_all_group_snapshots - deprecated_since: null description: List group snapshots. name: group:get_all_group_snapshots operations: @@ -610,11 +705,14 @@ path: /group_snapshots/detail scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: '' + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: group:create_group_snapshot - deprecated_since: null description: Create group snapshot. name: group:create_group_snapshot operations: @@ -622,11 +720,14 @@ path: /group_snapshots scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: group:get_group_snapshot - deprecated_since: null description: Show group snapshot. name: group:get_group_snapshot operations: @@ -634,11 +735,14 @@ path: /group_snapshots/{group_snapshot_id} scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: group:delete_group_snapshot - deprecated_since: null description: Delete group snapshot. name: group:delete_group_snapshot operations: @@ -646,11 +750,14 @@ path: /group_snapshots/{group_snapshot_id} scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: group:update_group_snapshot - deprecated_since: null description: Update group snapshot. name: group:update_group_snapshot operations: @@ -674,11 +781,14 @@ path: /group_snapshots/{g_snapshot_id}/action (reset_status) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: group:delete - deprecated_since: null description: Delete group. name: group:delete operations: @@ -693,11 +803,14 @@ path: /groups/{group_id}/action (reset_status) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: group:enable_replication - deprecated_since: null description: Enable replication. name: group:enable_replication operations: @@ -705,11 +818,14 @@ path: /groups/{group_id}/action (enable_replication) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: group:disable_replication - deprecated_since: null description: Disable replication. name: group:disable_replication operations: @@ -717,11 +833,14 @@ path: /groups/{group_id}/action (disable_replication) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: group:failover_replication - deprecated_since: null description: Fail over replication. name: group:failover_replication operations: @@ -729,11 +848,14 @@ path: /groups/{group_id}/action (failover_replication) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: group:list_replication_targets - deprecated_since: null description: List failover replication. name: group:list_replication_targets operations: @@ -786,11 +908,12 @@ path: /qos-specs/{qos_id}/delete_keys scope_types: null - check_str: rule:admin_api - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: volume_extension:quota_classes has been replaced by more granular + policies that separately govern GET and PUT operations. + deprecated_since: X name: volume_extension:quota_classes - deprecated_since: null description: Show project quota class. name: volume_extension:quota_classes:get operations: @@ -798,11 +921,12 @@ path: /os-quota-class-sets/{project_id} scope_types: null - check_str: rule:admin_api - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: volume_extension:quota_classes has been replaced by more granular + policies that separately govern GET and PUT operations. + deprecated_since: X name: volume_extension:quota_classes - deprecated_since: null description: Update project quota class. name: volume_extension:quota_classes:update operations: @@ -810,11 +934,11 @@ path: /os-quota-class-sets/{project_id} scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: null + deprecated_since: null name: volume_extension:quotas:show - deprecated_since: null description: Show project quota (including usage and default). name: volume_extension:quotas:show operations: @@ -901,11 +1025,14 @@ path: /os-hosts/{host_id} scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: limits_extension:used_limits - deprecated_since: null description: Show limits with used limit attributes. name: limits_extension:used_limits operations: @@ -936,11 +1063,12 @@ path: /volumes/{volume_id}/action (os-unmanage) scope_types: null - check_str: rule:admin_api - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: volume_extension:types_manage has been replaced by more granular + policies that separately govern POST, PUT, and DELETE operations. + deprecated_since: X name: volume_extension:types_manage - deprecated_since: null description: Create volume type. name: volume_extension:type_create operations: @@ -948,11 +1076,12 @@ path: /types scope_types: null - check_str: rule:admin_api - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: volume_extension:types_manage has been replaced by more granular + policies that separately govern POST, PUT, and DELETE operations. + deprecated_since: X name: volume_extension:types_manage - deprecated_since: null description: Update volume type. name: volume_extension:type_update operations: @@ -960,11 +1089,12 @@ path: /types scope_types: null - check_str: rule:admin_api - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: volume_extension:types_manage has been replaced by more granular + policies that separately govern POST, PUT, and DELETE operations. + deprecated_since: X name: volume_extension:types_manage - deprecated_since: null description: Delete volume type. name: volume_extension:type_delete operations: @@ -972,11 +1102,14 @@ path: /types scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: '' + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume_extension:type_get - deprecated_since: null description: Get one specific volume type. name: volume_extension:type_get operations: @@ -984,11 +1117,14 @@ path: /types/{type_id} scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: '' + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume_extension:type_get_all - deprecated_since: null description: List volume types. name: volume_extension:type_get_all operations: @@ -996,11 +1132,14 @@ path: /types/ scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume_extension:access_types_extra_specs - deprecated_since: null description: Include the volume type's extra_specs attribute in the volume type list or show requests. The ability to make these calls is governed by other policies. name: volume_extension:access_types_extra_specs @@ -1027,11 +1166,15 @@ operations: [] scope_types: null - check_str: rule:admin_api - deprecated_reason: null deprecated_rule: check_str: rule:volume_extension:volume_type_encryption + deprecated_reason: 'Reason: ''volume_extension:volume_type_encryption'' was a + convenience policy that allowed you to set all volume encryption type policies + to the same value. We are deprecating this rule to prepare for a future release + in which the default values for policies that read, create/update, and delete + encryption types will be different from each other.' + deprecated_since: X name: volume_extension:volume_type_encryption:create - deprecated_since: null description: Create volume type encryption. name: volume_extension:volume_type_encryption:create operations: @@ -1039,11 +1182,15 @@ path: /types/{type_id}/encryption scope_types: null - check_str: rule:admin_api - deprecated_reason: null deprecated_rule: check_str: rule:volume_extension:volume_type_encryption + deprecated_reason: 'Reason: ''volume_extension:volume_type_encryption'' was a + convenience policy that allowed you to set all volume encryption type policies + to the same value. We are deprecating this rule to prepare for a future release + in which the default values for policies that read, create/update, and delete + encryption types will be different from each other.' + deprecated_since: X name: volume_extension:volume_type_encryption:get - deprecated_since: null description: Show a volume type's encryption type, show an encryption specs item. name: volume_extension:volume_type_encryption:get operations: @@ -1053,11 +1200,15 @@ path: /types/{type_id}/encryption/{key} scope_types: null - check_str: rule:admin_api - deprecated_reason: null deprecated_rule: check_str: rule:volume_extension:volume_type_encryption + deprecated_reason: 'Reason: ''volume_extension:volume_type_encryption'' was a + convenience policy that allowed you to set all volume encryption type policies + to the same value. We are deprecating this rule to prepare for a future release + in which the default values for policies that read, create/update, and delete + encryption types will be different from each other.' + deprecated_since: X name: volume_extension:volume_type_encryption:update - deprecated_since: null description: Update volume type encryption. name: volume_extension:volume_type_encryption:update operations: @@ -1065,11 +1216,15 @@ path: /types/{type_id}/encryption/{encryption_id} scope_types: null - check_str: rule:admin_api - deprecated_reason: null deprecated_rule: check_str: rule:volume_extension:volume_type_encryption + deprecated_reason: 'Reason: ''volume_extension:volume_type_encryption'' was a + convenience policy that allowed you to set all volume encryption type policies + to the same value. We are deprecating this rule to prepare for a future release + in which the default values for policies that read, create/update, and delete + encryption types will be different from each other.' + deprecated_since: X name: volume_extension:volume_type_encryption:delete - deprecated_since: null description: Delete volume type encryption. name: volume_extension:volume_type_encryption:delete operations: @@ -1077,11 +1232,14 @@ path: /types/{type_id}/encryption/{encryption_id} scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume_extension:volume_type_access - deprecated_since: null description: Adds the boolean field 'os-volume-type-access:is_public' to the responses for these API calls. The ability to make these calls is governed by other policies. name: volume_extension:volume_type_access @@ -1108,11 +1266,13 @@ path: /types/{type_id}/action (removeProjectAccess) scope_types: null - check_str: rule:admin_api - deprecated_reason: null deprecated_rule: check_str: volume_extension:volume_type_access + deprecated_reason: 'Reason: ''volume_extension:volume_type_access:get_all_for_type'' + is a new policy that protects an API call formerly governed by ''volume_extension:volume_type_access'', + but which has been separated for finer-grained policy control.' + deprecated_since: X name: volume_extension:volume_type_access:get_all_for_type - deprecated_since: null description: List private volume type access detail, that is, list the projects that have access to this volume type. name: volume_extension:volume_type_access:get_all_for_type @@ -1121,11 +1281,14 @@ path: /types/{type_id}/os-volume-type-access scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:extend - deprecated_since: null description: Extend a volume. name: volume:extend operations: @@ -1133,11 +1296,14 @@ path: /volumes/{volume_id}/action (os-extend) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:extend_attached_volume - deprecated_since: null description: Extend a attached volume. name: volume:extend_attached_volume operations: @@ -1152,11 +1318,14 @@ path: /volumes/{volume_id}/action (os-extend_volume_completion) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:revert_to_snapshot - deprecated_since: null description: Revert a volume to a snapshot. name: volume:revert_to_snapshot operations: @@ -1171,11 +1340,14 @@ path: /volumes/{volume_id}/action (os-reset_status) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:retype - deprecated_since: null description: Retype a volume. name: volume:retype operations: @@ -1183,11 +1355,14 @@ path: /volumes/{volume_id}/action (os-retype) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:update_readonly_flag - deprecated_since: null description: Update a volume's readonly flag. name: volume:update_readonly_flag operations: @@ -1209,11 +1384,14 @@ path: /volumes/{volume_id}/action (os-volume_upload_image) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume_extension:volume_actions:upload_image - deprecated_since: null description: Upload a volume to image. name: volume_extension:volume_actions:upload_image operations: @@ -1242,11 +1420,14 @@ path: /volumes/{volume_id}/action (os-migrate_volume_completion) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume_extension:volume_actions:initialize_connection - deprecated_since: null description: Initialize volume attachment. name: volume_extension:volume_actions:initialize_connection operations: @@ -1254,11 +1435,14 @@ path: /volumes/{volume_id}/action (os-initialize_connection) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume_extension:volume_actions:terminate_connection - deprecated_since: null description: Terminate volume attachment. name: volume_extension:volume_actions:terminate_connection operations: @@ -1266,11 +1450,14 @@ path: /volumes/{volume_id}/action (os-terminate_connection) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume_extension:volume_actions:roll_detaching - deprecated_since: null description: Roll back volume status to 'in-use'. name: volume_extension:volume_actions:roll_detaching operations: @@ -1278,11 +1465,14 @@ path: /volumes/{volume_id}/action (os-roll_detaching) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume_extension:volume_actions:reserve - deprecated_since: null description: Mark volume as reserved. name: volume_extension:volume_actions:reserve operations: @@ -1290,11 +1480,14 @@ path: /volumes/{volume_id}/action (os-reserve) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume_extension:volume_actions:unreserve - deprecated_since: null description: Unmark volume as reserved. name: volume_extension:volume_actions:unreserve operations: @@ -1302,11 +1495,14 @@ path: /volumes/{volume_id}/action (os-unreserve) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume_extension:volume_actions:begin_detaching - deprecated_since: null description: Begin detach volumes. name: volume_extension:volume_actions:begin_detaching operations: @@ -1314,11 +1510,14 @@ path: /volumes/{volume_id}/action (os-begin_detaching) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume_extension:volume_actions:attach - deprecated_since: null description: Add attachment metadata. name: volume_extension:volume_actions:attach operations: @@ -1326,11 +1525,14 @@ path: /volumes/{volume_id}/action (os-attach) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume_extension:volume_actions:detach - deprecated_since: null description: Clear attachment metadata. name: volume_extension:volume_actions:detach operations: @@ -1352,11 +1554,14 @@ path: /volumes/{volume_id}/action (os-reimage) scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:get_all_transfers - deprecated_since: null description: List volume transfer. name: volume:get_all_transfers operations: @@ -1370,11 +1575,14 @@ path: /volume-transfers/detail scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:create_transfer - deprecated_since: null description: Create a volume transfer. name: volume:create_transfer operations: @@ -1384,11 +1592,14 @@ path: /volume_transfers scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:get_transfer - deprecated_since: null description: Show one specified volume transfer. name: volume:get_transfer operations: @@ -1398,11 +1609,14 @@ path: /volume-transfers/{transfer_id} scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: '' + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:accept_transfer - deprecated_since: null description: Accept a volume transfer. name: volume:accept_transfer operations: @@ -1412,11 +1626,14 @@ path: /volume-transfers/{transfer_id}/accept scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:delete_transfer - deprecated_since: null description: Delete volume transfer. name: volume:delete_transfer operations: @@ -1426,11 +1643,14 @@ path: /volume-transfers/{transfer_id} scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:get_volume_metadata - deprecated_since: null description: Show volume's metadata or one specified metadata with a given key. name: volume:get_volume_metadata operations: @@ -1442,11 +1662,14 @@ path: /volumes/{volume_id}/action (os-show_image_metadata) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:create_volume_metadata - deprecated_since: null description: Create volume metadata. name: volume:create_volume_metadata operations: @@ -1454,11 +1677,14 @@ path: /volumes/{volume_id}/metadata scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:update_volume_metadata - deprecated_since: null description: Replace a volume's metadata dictionary or update a single metadatum with a given key. name: volume:update_volume_metadata @@ -1469,11 +1695,14 @@ path: /volumes/{volume_id}/metadata/{key} scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:delete_volume_metadata - deprecated_since: null description: Delete a volume's metadatum with the given key. name: volume:delete_volume_metadata operations: @@ -1481,11 +1710,12 @@ path: /volumes/{volume_id}/metadata/{key} scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: volume_extension:volume_image_metadata has been replaced by + more granular policies that separately govern show, set, and remove operations. + deprecated_since: X name: volume_extension:volume_image_metadata - deprecated_since: null description: Include a volume's image metadata in volume detail responses. The ability to make these calls is governed by other policies. name: volume_extension:volume_image_metadata:show @@ -1496,11 +1726,12 @@ path: /volumes/{volume_id} scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: volume_extension:volume_image_metadata has been replaced by + more granular policies that separately govern show, set, and remove operations. + deprecated_since: X name: volume_extension:volume_image_metadata - deprecated_since: null description: Set image metadata for a volume name: volume_extension:volume_image_metadata:set operations: @@ -1508,11 +1739,12 @@ path: /volumes/{volume_id}/action (os-set_image_metadata) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: volume_extension:volume_image_metadata has been replaced by + more granular policies that separately govern show, set, and remove operations. + deprecated_since: X name: volume_extension:volume_image_metadata - deprecated_since: null description: Remove specific image metadata from a volume name: volume_extension:volume_image_metadata:remove operations: @@ -1530,11 +1762,14 @@ path: /volumes/{volume_id}/action (os-attach) scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: '' + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume_extension:types_extra_specs:index - deprecated_since: null description: List type extra specs. name: volume_extension:types_extra_specs:index operations: @@ -1549,11 +1784,14 @@ path: /types/{type_id}/extra_specs scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: '' + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume_extension:types_extra_specs:show - deprecated_since: null description: Show one specified type extra specs. name: volume_extension:types_extra_specs:show operations: @@ -1591,11 +1829,14 @@ path: /types/{type_id}/extra_specs/{extra_spec_key} scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: '' + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:create - deprecated_since: null description: Create volume. name: volume:create operations: @@ -1603,11 +1844,14 @@ path: /volumes scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: '' + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:create_from_image - deprecated_since: null description: Create volume from image. name: volume:create_from_image operations: @@ -1615,11 +1859,14 @@ path: /volumes scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:get - deprecated_since: null description: Show volume. name: volume:get operations: @@ -1627,11 +1874,14 @@ path: /volumes/{volume_id} scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:get_all - deprecated_since: null description: List volumes or get summary of volumes. name: volume:get_all operations: @@ -1643,11 +1893,14 @@ path: /volumes/summary scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:update - deprecated_since: null description: Update volume or update a volume's bootable status. name: volume:update operations: @@ -1657,11 +1910,14 @@ path: /volumes/{volume_id}/action (os-set_bootable) scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:delete - deprecated_since: null description: Delete volume. name: volume:delete operations: @@ -1685,11 +1941,14 @@ path: /volumes/detail scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume_extension:volume_tenant_attribute - deprecated_since: null description: List or show volume with tenant attribute. name: volume_extension:volume_tenant_attribute operations: @@ -1708,11 +1967,14 @@ path: /volumes/detail scope_types: null - check_str: rule:xena_system_admin_or_project_reader - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume_extension:volume_encryption_metadata - deprecated_since: null description: Show volume's encryption metadata. name: volume_extension:volume_encryption_metadata operations: @@ -1722,11 +1984,14 @@ path: /volumes/{volume_id}/encryption/{encryption_key} scope_types: null - check_str: rule:xena_system_admin_or_project_member - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume:multiattach - deprecated_since: null description: Create multiattach capable volume. name: volume:multiattach operations: @@ -1734,11 +1999,14 @@ path: /volumes scope_types: null - check_str: rule:admin_api - deprecated_reason: null deprecated_rule: check_str: rule:system_or_domain_or_project_admin + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume_extension:default_set_or_update - deprecated_since: null description: Set or update default volume type. name: volume_extension:default_set_or_update operations: @@ -1746,11 +2014,14 @@ path: /default-types scope_types: null - check_str: rule:admin_api - deprecated_reason: null deprecated_rule: check_str: rule:system_or_domain_or_project_admin + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume_extension:default_get - deprecated_since: null description: Get default types. name: volume_extension:default_get operations: @@ -1758,11 +2029,14 @@ path: /default-types/{project-id} scope_types: null - check_str: rule:admin_api - deprecated_reason: null deprecated_rule: check_str: role:admin and system_scope:all + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume_extension:default_get_all - deprecated_since: null description: 'Get all default types. WARNING: Changing this might open up too much information regarding cloud deployment.' name: volume_extension:default_get_all @@ -1771,11 +2045,14 @@ path: /default-types/ scope_types: null - check_str: rule:admin_api - deprecated_reason: null deprecated_rule: check_str: rule:system_or_domain_or_project_admin + deprecated_reason: Default policies now support the three Keystone default roles, + namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See + "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation + (Xena release) for details. + deprecated_since: X name: volume_extension:default_unset - deprecated_since: null description: Unset default type. name: volume_extension:default_unset operations: diff --git a/openstack_dashboard/conf/default_policies/glance.yaml b/openstack_dashboard/conf/default_policies/glance.yaml index c3fcd62d47..a5ab80e365 100644 --- a/openstack_dashboard/conf/default_policies/glance.yaml +++ b/openstack_dashboard/conf/default_policies/glance.yaml @@ -1,9 +1,13 @@ - check_str: '' - deprecated_reason: null deprecated_rule: check_str: rule:context_is_admin + deprecated_reason: In order to allow operators to accept the default policies + from code by not defining them in the policy file, while still working with + old policy files that rely on the ``default`` rule for policies that are not + specified in the policy file, the ``default`` rule must now be explicitly set + to ``"role:admin"`` when that is the desired default for unspecified rules. + deprecated_since: Ussuri name: default - deprecated_since: null description: Defines the default rule used for policies that historically had an empty policy in the supplied policy.json file. name: default @@ -16,11 +20,15 @@ scope_types: null - check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s) - deprecated_reason: null deprecated_rule: check_str: rule:default + deprecated_reason: ' + + The image API now supports roles. + + ' + deprecated_since: W name: add_image - deprecated_since: null description: Create new image name: add_image operations: @@ -29,11 +37,15 @@ scope_types: - project - check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:default + deprecated_reason: ' + + The image API now supports roles. + + ' + deprecated_since: W name: delete_image - deprecated_since: null description: Deletes the image name: delete_image operations: @@ -44,11 +56,15 @@ - check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s)) - deprecated_reason: null deprecated_rule: check_str: rule:default + deprecated_reason: ' + + The image API now supports roles. + + ' + deprecated_since: W name: get_image - deprecated_since: null description: Get specified image name: get_image operations: @@ -57,11 +73,15 @@ scope_types: - project - check_str: rule:context_is_admin or (role:reader and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:default + deprecated_reason: ' + + The image API now supports roles. + + ' + deprecated_since: W name: get_images - deprecated_since: null description: Get all available images name: get_images operations: @@ -70,11 +90,15 @@ scope_types: - project - check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:default + deprecated_reason: ' + + The image API now supports roles. + + ' + deprecated_since: W name: modify_image - deprecated_since: null description: Updates given image name: modify_image operations: @@ -91,11 +115,15 @@ scope_types: - project - check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:default + deprecated_reason: ' + + The image API now supports roles. + + ' + deprecated_since: W name: communitize_image - deprecated_since: null description: Communitize given image name: communitize_image operations: @@ -106,11 +134,15 @@ - check_str: rule:context_is_admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s)) - deprecated_reason: null deprecated_rule: check_str: rule:default + deprecated_reason: ' + + The image API now supports roles. + + ' + deprecated_since: W name: download_image - deprecated_since: null description: Downloads given image name: download_image operations: @@ -119,11 +151,15 @@ scope_types: - project - check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:default + deprecated_reason: ' + + The image API now supports roles. + + ' + deprecated_since: W name: upload_image - deprecated_since: null description: Uploads data to specified image name: upload_image operations: @@ -132,11 +168,15 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:default + deprecated_reason: ' + + The image API now supports roles. + + ' + deprecated_since: W name: delete_image_location - deprecated_since: null description: Deletes the location of given image name: delete_image_location operations: @@ -145,11 +185,15 @@ scope_types: - project - check_str: rule:context_is_admin or (role:reader and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:default + deprecated_reason: ' + + The image API now supports roles. + + ' + deprecated_since: W name: get_image_location - deprecated_since: null description: Reads the location of the image name: get_image_location operations: @@ -158,11 +202,15 @@ scope_types: - project - check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:default + deprecated_reason: ' + + The image API now supports roles. + + ' + deprecated_since: W name: set_image_location - deprecated_since: null description: Sets location URI to given image name: set_image_location operations: @@ -171,11 +219,15 @@ scope_types: - project - check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:default + deprecated_reason: ' + + The image API now supports roles. + + ' + deprecated_since: W name: add_member - deprecated_since: null description: Create image member name: add_member operations: @@ -184,11 +236,15 @@ scope_types: - project - check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:default + deprecated_reason: ' + + The image API now supports roles. + + ' + deprecated_since: W name: delete_member - deprecated_since: null description: Delete image member name: delete_member operations: @@ -198,11 +254,15 @@ - project - check_str: rule:context_is_admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:default + deprecated_reason: ' + + The image API now supports roles. + + ' + deprecated_since: W name: get_member - deprecated_since: null description: Show image member details name: get_member operations: @@ -212,11 +272,15 @@ - project - check_str: rule:context_is_admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:default + deprecated_reason: ' + + The image API now supports roles. + + ' + deprecated_since: W name: get_members - deprecated_since: null description: List image members name: get_members operations: @@ -225,11 +289,15 @@ scope_types: - project - check_str: rule:context_is_admin or (role:member and project_id:%(member_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:default + deprecated_reason: ' + + The image API now supports roles. + + ' + deprecated_since: W name: modify_member - deprecated_since: null description: Update image member name: modify_member operations: @@ -244,11 +312,15 @@ scope_types: - project - check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:default + deprecated_reason: ' + + The image API now supports roles. + + ' + deprecated_since: W name: deactivate - deprecated_since: null description: Deactivate image name: deactivate operations: @@ -257,11 +329,15 @@ scope_types: - project - check_str: rule:context_is_admin or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:default + deprecated_reason: ' + + The image API now supports roles. + + ' + deprecated_since: W name: reactivate - deprecated_since: null description: Reactivate image name: reactivate operations: @@ -278,11 +354,21 @@ scope_types: - project - check_str: rule:default - deprecated_reason: null deprecated_rule: check_str: rule:default + deprecated_reason: ' + + From Xena we are enforcing policy checks in the API and policy layer where + + task policies were enforcing will be removed. Since task APIs are already + + deprecated and `tasks_api_access` is checked for each API at API layer, + + there will be no benefit of other having other task related policies. + + ' + deprecated_since: X name: get_task - deprecated_since: null description: 'Get an image task. @@ -306,11 +392,21 @@ scope_types: - project - check_str: rule:default - deprecated_reason: null deprecated_rule: check_str: rule:default + deprecated_reason: ' + + From Xena we are enforcing policy checks in the API and policy layer where + + task policies were enforcing will be removed. Since task APIs are already + + deprecated and `tasks_api_access` is checked for each API at API layer, + + there will be no benefit of other having other task related policies. + + ' + deprecated_since: X name: get_tasks - deprecated_since: null description: 'List tasks for all images. @@ -334,11 +430,21 @@ scope_types: - project - check_str: rule:default - deprecated_reason: null deprecated_rule: check_str: rule:default + deprecated_reason: ' + + From Xena we are enforcing policy checks in the API and policy layer where + + task policies were enforcing will be removed. Since task APIs are already + + deprecated and `tasks_api_access` is checked for each API at API layer, + + there will be no benefit of other having other task related policies. + + ' + deprecated_since: X name: add_task - deprecated_since: null description: 'List tasks for all images. @@ -412,11 +518,15 @@ scope_types: null - check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) - deprecated_reason: null deprecated_rule: check_str: rule:metadef_default + deprecated_reason: ' + + The metadata API now supports project scope and default roles. + + ' + deprecated_since: X name: get_metadef_namespace - deprecated_since: null description: Get a specific namespace. name: get_metadef_namespace operations: @@ -425,11 +535,15 @@ scope_types: - project - check_str: rule:context_is_admin or (role:reader and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:metadef_default + deprecated_reason: ' + + The metadata API now supports project scope and default roles. + + ' + deprecated_since: X name: get_metadef_namespaces - deprecated_since: null description: List namespace. name: get_metadef_namespaces operations: @@ -463,11 +577,15 @@ - project - check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) - deprecated_reason: null deprecated_rule: check_str: rule:metadef_default + deprecated_reason: ' + + The metadata API now supports project scope and default roles. + + ' + deprecated_since: X name: get_metadef_object - deprecated_since: null description: Get a specific object from a namespace. name: get_metadef_object operations: @@ -477,11 +595,15 @@ - project - check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) - deprecated_reason: null deprecated_rule: check_str: rule:metadef_default + deprecated_reason: ' + + The metadata API now supports project scope and default roles. + + ' + deprecated_since: X name: get_metadef_objects - deprecated_since: null description: Get objects from a namespace. name: get_metadef_objects operations: @@ -515,11 +637,15 @@ - project - check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) - deprecated_reason: null deprecated_rule: check_str: rule:metadef_default + deprecated_reason: ' + + The metadata API now supports project scope and default roles. + + ' + deprecated_since: X name: list_metadef_resource_types - deprecated_since: null description: List meta definition resource types. name: list_metadef_resource_types operations: @@ -529,11 +655,15 @@ - project - check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) - deprecated_reason: null deprecated_rule: check_str: rule:metadef_default + deprecated_reason: ' + + The metadata API now supports project scope and default roles. + + ' + deprecated_since: X name: get_metadef_resource_type - deprecated_since: null description: Get meta definition resource types associations. name: get_metadef_resource_type operations: @@ -559,11 +689,15 @@ - project - check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) - deprecated_reason: null deprecated_rule: check_str: rule:metadef_default + deprecated_reason: ' + + The metadata API now supports project scope and default roles. + + ' + deprecated_since: X name: get_metadef_property - deprecated_since: null description: Get a specific meta definition property. name: get_metadef_property operations: @@ -573,11 +707,15 @@ - project - check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) - deprecated_reason: null deprecated_rule: check_str: rule:metadef_default + deprecated_reason: ' + + The metadata API now supports project scope and default roles. + + ' + deprecated_since: X name: get_metadef_properties - deprecated_since: null description: List meta definition properties. name: get_metadef_properties operations: @@ -611,11 +749,15 @@ - project - check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) - deprecated_reason: null deprecated_rule: check_str: rule:metadef_default + deprecated_reason: ' + + The metadata API now supports project scope and default roles. + + ' + deprecated_since: X name: get_metadef_tag - deprecated_since: null description: Get tag definition. name: get_metadef_tag operations: @@ -625,11 +767,15 @@ - project - check_str: rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s)) - deprecated_reason: null deprecated_rule: check_str: rule:metadef_default + deprecated_reason: ' + + The metadata API now supports project scope and default roles. + + ' + deprecated_since: X name: get_metadef_tags - deprecated_since: null description: List tag definitions. name: get_metadef_tags operations: @@ -678,11 +824,15 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:manage_image_cache + deprecated_reason: ' + + The image API now supports roles. + + ' + deprecated_since: X name: cache_image - deprecated_since: null description: Queue image for caching name: cache_image operations: @@ -691,11 +841,15 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:manage_image_cache + deprecated_reason: ' + + The image API now supports roles. + + ' + deprecated_since: X name: cache_list - deprecated_since: null description: List cache status name: cache_list operations: @@ -704,11 +858,15 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:manage_image_cache + deprecated_reason: ' + + The image API now supports roles. + + ' + deprecated_since: X name: cache_delete - deprecated_since: null description: Delete image(s) from cache and/or queue name: cache_delete operations: diff --git a/openstack_dashboard/conf/default_policies/keystone.yaml b/openstack_dashboard/conf/default_policies/keystone.yaml index aa3a3af971..d2f1965fbc 100644 --- a/openstack_dashboard/conf/default_policies/keystone.yaml +++ b/openstack_dashboard/conf/default_policies/keystone.yaml @@ -118,11 +118,12 @@ scope_types: - project - check_str: (role:reader and system_scope:all) or rule:owner - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The application credential API is now aware of system scope + and default roles. + deprecated_since: T name: identity:get_application_credential - deprecated_since: null description: Show application credential details. name: identity:get_application_credential operations: @@ -134,11 +135,12 @@ - system - project - check_str: (role:reader and system_scope:all) or rule:owner - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The application credential API is now aware of system scope + and default roles. + deprecated_since: T name: identity:list_application_credentials - deprecated_since: null description: List application credentials for a user. name: identity:list_application_credentials operations: @@ -158,11 +160,12 @@ scope_types: - project - check_str: (role:admin and system_scope:all) or rule:owner - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The application credential API is now aware of system scope + and default roles. + deprecated_since: T name: identity:delete_application_credential - deprecated_since: null description: Delete an application credential. name: identity:delete_application_credential operations: @@ -208,11 +211,12 @@ path: /v3/auth/system scope_types: null - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default + roles. + deprecated_since: T name: identity:get_consumer - deprecated_since: null description: Show OAUTH1 consumer details. name: identity:get_consumer operations: @@ -222,11 +226,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default + roles. + deprecated_since: T name: identity:list_consumers - deprecated_since: null description: List OAUTH1 consumers. name: identity:list_consumers operations: @@ -236,11 +241,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default + roles. + deprecated_since: T name: identity:create_consumer - deprecated_since: null description: Create OAUTH1 consumer. name: identity:create_consumer operations: @@ -250,11 +256,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default + roles. + deprecated_since: T name: identity:update_consumer - deprecated_since: null description: Update OAUTH1 consumer. name: identity:update_consumer operations: @@ -264,11 +271,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default + roles. + deprecated_since: T name: identity:delete_consumer - deprecated_since: null description: Delete OAUTH1 consumer. name: identity:delete_consumer operations: @@ -278,11 +286,12 @@ - system - project - check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The credential API is now aware of system scope and default + roles. + deprecated_since: S name: identity:get_credential - deprecated_since: null description: Show credentials details. name: identity:get_credential operations: @@ -292,11 +301,12 @@ - system - project - check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The credential API is now aware of system scope and default + roles. + deprecated_since: S name: identity:list_credentials - deprecated_since: null description: List credentials. name: identity:list_credentials operations: @@ -306,11 +316,12 @@ - system - project - check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The credential API is now aware of system scope and default + roles. + deprecated_since: S name: identity:create_credential - deprecated_since: null description: Create credential. name: identity:create_credential operations: @@ -320,11 +331,12 @@ - system - project - check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The credential API is now aware of system scope and default + roles. + deprecated_since: S name: identity:update_credential - deprecated_since: null description: Update credential. name: identity:update_credential operations: @@ -334,11 +346,12 @@ - system - project - check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The credential API is now aware of system scope and default + roles. + deprecated_since: S name: identity:delete_credential - deprecated_since: null description: Delete credential. name: identity:delete_credential operations: @@ -349,11 +362,11 @@ - project - check_str: rule:admin_required or (role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s - deprecated_reason: null deprecated_rule: check_str: rule:admin_required or token.project.domain.id:%(target.domain.id)s + deprecated_reason: The domain API is now aware of system scope and default roles. + deprecated_since: S name: identity:get_domain - deprecated_since: null description: Show domain details. name: identity:get_domain operations: @@ -365,11 +378,11 @@ - project - check_str: rule:admin_required or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain.id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The domain API is now aware of system scope and default roles. + deprecated_since: S name: identity:list_domains - deprecated_since: null description: List domains. name: identity:list_domains operations: @@ -380,11 +393,11 @@ - domain - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The domain API is now aware of system scope and default roles. + deprecated_since: S name: identity:create_domain - deprecated_since: null description: Create domain. name: identity:create_domain operations: @@ -394,11 +407,11 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The domain API is now aware of system scope and default roles. + deprecated_since: S name: identity:update_domain - deprecated_since: null description: Update domain. name: identity:update_domain operations: @@ -408,11 +421,11 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The domain API is now aware of system scope and default roles. + deprecated_since: S name: identity:delete_domain - deprecated_since: null description: Delete domain. name: identity:delete_domain operations: @@ -422,11 +435,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The domain config API is now aware of system scope and default + roles. + deprecated_since: T name: identity:create_domain_config - deprecated_since: null description: Create domain configuration. name: identity:create_domain_config operations: @@ -436,11 +450,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The domain config API is now aware of system scope and default + roles. + deprecated_since: T name: identity:get_domain_config - deprecated_since: null description: Get the entire domain configuration for a domain, an option group within a domain, or a specific configuration option within a group for a domain. name: identity:get_domain_config @@ -478,11 +493,12 @@ - domain - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The domain config API is now aware of system scope and default + roles. + deprecated_since: T name: identity:update_domain_config - deprecated_since: null description: Update domain configuration for either a domain, specific group or a specific option in a group. name: identity:update_domain_config @@ -497,11 +513,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The domain config API is now aware of system scope and default + roles. + deprecated_since: T name: identity:delete_domain_config - deprecated_since: null description: Delete domain configuration for either a domain, specific group or a specific option in a group. name: identity:delete_domain_config @@ -516,11 +533,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The domain config API is now aware of system scope and default + roles. + deprecated_since: T name: identity:get_domain_config_default - deprecated_since: null description: Get domain configuration default for either a domain, specific group or a specific option in a group. name: identity:get_domain_config_default @@ -541,11 +559,12 @@ - system - project - check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s - deprecated_reason: null deprecated_rule: check_str: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s) + deprecated_reason: The EC2 credential API is now aware of system scope and default + roles. + deprecated_since: T name: identity:ec2_get_credential - deprecated_since: null description: Show ec2 credential details. name: identity:ec2_get_credential operations: @@ -555,11 +574,12 @@ - system - project - check_str: (role:reader and system_scope:all) or rule:owner - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The EC2 credential API is now aware of system scope and default + roles. + deprecated_since: T name: identity:ec2_list_credentials - deprecated_since: null description: List ec2 credentials. name: identity:ec2_list_credentials operations: @@ -569,11 +589,12 @@ - system - project - check_str: (role:admin and system_scope:all) or rule:owner - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The EC2 credential API is now aware of system scope and default + roles. + deprecated_since: T name: identity:ec2_create_credential - deprecated_since: null description: Create ec2 credential. name: identity:ec2_create_credential operations: @@ -583,11 +604,12 @@ - system - project - check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s - deprecated_reason: null deprecated_rule: check_str: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s) + deprecated_reason: The EC2 credential API is now aware of system scope and default + roles. + deprecated_since: T name: identity:ec2_delete_credential - deprecated_since: null description: Delete ec2 credential. name: identity:ec2_delete_credential operations: @@ -597,11 +619,11 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The endpoint API is now aware of system scope and default roles. + deprecated_since: S name: identity:get_endpoint - deprecated_since: null description: Show endpoint details. name: identity:get_endpoint operations: @@ -611,11 +633,11 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The endpoint API is now aware of system scope and default roles. + deprecated_since: S name: identity:list_endpoints - deprecated_since: null description: List endpoints. name: identity:list_endpoints operations: @@ -625,11 +647,11 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The endpoint API is now aware of system scope and default roles. + deprecated_since: S name: identity:create_endpoint - deprecated_since: null description: Create endpoint. name: identity:create_endpoint operations: @@ -639,11 +661,11 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The endpoint API is now aware of system scope and default roles. + deprecated_since: S name: identity:update_endpoint - deprecated_since: null description: Update endpoint. name: identity:update_endpoint operations: @@ -653,11 +675,11 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The endpoint API is now aware of system scope and default roles. + deprecated_since: S name: identity:delete_endpoint - deprecated_since: null description: Delete endpoint. name: identity:delete_endpoint operations: @@ -667,11 +689,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_since: T name: identity:create_endpoint_group - deprecated_since: null description: Create endpoint group. name: identity:create_endpoint_group operations: @@ -681,11 +704,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_since: T name: identity:list_endpoint_groups - deprecated_since: null description: List endpoint groups. name: identity:list_endpoint_groups operations: @@ -695,11 +719,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_since: T name: identity:get_endpoint_group - deprecated_since: null description: Get endpoint group. name: identity:get_endpoint_group operations: @@ -711,11 +736,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_since: T name: identity:update_endpoint_group - deprecated_since: null description: Update endpoint group. name: identity:update_endpoint_group operations: @@ -725,11 +751,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_since: T name: identity:delete_endpoint_group - deprecated_since: null description: Delete endpoint group. name: identity:delete_endpoint_group operations: @@ -739,11 +766,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_since: T name: identity:list_projects_associated_with_endpoint_group - deprecated_since: null description: List all projects associated with a specific endpoint group. name: identity:list_projects_associated_with_endpoint_group operations: @@ -753,11 +781,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_since: T name: identity:list_endpoints_associated_with_endpoint_group - deprecated_since: null description: List all endpoints associated with an endpoint group. name: identity:list_endpoints_associated_with_endpoint_group operations: @@ -767,11 +796,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_since: T name: identity:get_endpoint_group_in_project - deprecated_since: null description: Check if an endpoint group is associated with a project. name: identity:get_endpoint_group_in_project operations: @@ -783,11 +813,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_since: T name: identity:list_endpoint_groups_for_project - deprecated_since: null description: List endpoint groups associated with a specific project. name: identity:list_endpoint_groups_for_project operations: @@ -797,11 +828,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_since: T name: identity:add_endpoint_group_to_project - deprecated_since: null description: Allow a project to access an endpoint group. name: identity:add_endpoint_group_to_project operations: @@ -811,11 +843,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The endpoint groups API is now aware of system scope and default + roles. + deprecated_since: T name: identity:remove_endpoint_group_from_project - deprecated_since: null description: Remove endpoint group from project. name: identity:remove_endpoint_group_from_project operations: @@ -830,11 +863,12 @@ or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The assignment API is now aware of system scope and default + roles. + deprecated_since: S name: identity:check_grant - deprecated_since: null description: Check a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all @@ -882,11 +916,12 @@ or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The assignment API is now aware of system scope and default + roles. + deprecated_since: S name: identity:list_grants - deprecated_since: null description: List roles granted to an actor on a target. A target can be either a domain or a project. An actor can be either a user or a group. For the OS-INHERIT APIs, it is possible to list inherited role grants for actors on domains, where @@ -923,11 +958,12 @@ and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The assignment API is now aware of system scope and default + roles. + deprecated_since: S name: identity:create_grant - deprecated_since: null description: Create a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited @@ -960,11 +996,12 @@ and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The assignment API is now aware of system scope and default + roles. + deprecated_since: S name: identity:revoke_grant - deprecated_since: null description: Revoke a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited @@ -994,11 +1031,12 @@ - domain - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The assignment API is now aware of system scope and default + roles. + deprecated_since: S name: identity:list_system_grants_for_user - deprecated_since: null description: List all grants a specific user has on the system. name: identity:list_system_grants_for_user operations: @@ -1010,11 +1048,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The assignment API is now aware of system scope and default + roles. + deprecated_since: S name: identity:check_system_grant_for_user - deprecated_since: null description: Check if a user has a role on the system. name: identity:check_system_grant_for_user operations: @@ -1026,11 +1065,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The assignment API is now aware of system scope and default + roles. + deprecated_since: S name: identity:create_system_grant_for_user - deprecated_since: null description: Grant a user a role on the system. name: identity:create_system_grant_for_user operations: @@ -1041,11 +1081,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The assignment API is now aware of system scope and default + roles. + deprecated_since: S name: identity:revoke_system_grant_for_user - deprecated_since: null description: Remove a role from a user on the system. name: identity:revoke_system_grant_for_user operations: @@ -1056,11 +1097,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The assignment API is now aware of system scope and default + roles. + deprecated_since: S name: identity:list_system_grants_for_group - deprecated_since: null description: List all grants a specific group has on the system. name: identity:list_system_grants_for_group operations: @@ -1072,11 +1114,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The assignment API is now aware of system scope and default + roles. + deprecated_since: S name: identity:check_system_grant_for_group - deprecated_since: null description: Check if a group has a role on the system. name: identity:check_system_grant_for_group operations: @@ -1088,11 +1131,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The assignment API is now aware of system scope and default + roles. + deprecated_since: S name: identity:create_system_grant_for_group - deprecated_since: null description: Grant a group a role on the system. name: identity:create_system_grant_for_group operations: @@ -1103,11 +1147,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The assignment API is now aware of system scope and default + roles. + deprecated_since: S name: identity:revoke_system_grant_for_group - deprecated_since: null description: Remove a role from a group on the system. name: identity:revoke_system_grant_for_group operations: @@ -1119,11 +1164,11 @@ - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_since: S name: identity:get_group - deprecated_since: null description: Show group details. name: identity:get_group operations: @@ -1137,11 +1182,11 @@ - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_since: S name: identity:list_groups - deprecated_since: null description: List groups. name: identity:list_groups operations: @@ -1155,11 +1200,11 @@ - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_since: S name: identity:list_groups_for_user - deprecated_since: null description: List groups to which a user belongs. name: identity:list_groups_for_user operations: @@ -1172,11 +1217,11 @@ - domain - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_since: S name: identity:create_group - deprecated_since: null description: Create group. name: identity:create_group operations: @@ -1187,11 +1232,11 @@ - domain - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_since: S name: identity:update_group - deprecated_since: null description: Update group. name: identity:update_group operations: @@ -1202,11 +1247,11 @@ - domain - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_since: S name: identity:delete_group - deprecated_since: null description: Delete group. name: identity:delete_group operations: @@ -1218,11 +1263,11 @@ - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_since: S name: identity:list_users_in_group - deprecated_since: null description: List members of a specific group. name: identity:list_users_in_group operations: @@ -1235,11 +1280,11 @@ - domain - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_since: S name: identity:remove_user_from_group - deprecated_since: null description: Remove user from group. name: identity:remove_user_from_group operations: @@ -1251,11 +1296,11 @@ - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_since: S name: identity:check_user_in_group - deprecated_since: null description: Check whether a user is a member of a group. name: identity:check_user_in_group operations: @@ -1268,11 +1313,11 @@ - domain - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The group API is now aware of system scope and default roles. + deprecated_since: S name: identity:add_user_to_group - deprecated_since: null description: Add user to group. name: identity:add_user_to_group operations: @@ -1283,11 +1328,12 @@ - domain - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The identity provider API is now aware of system scope and + default roles. + deprecated_since: S name: identity:create_identity_provider - deprecated_since: null description: Create identity provider. name: identity:create_identity_provider operations: @@ -1297,11 +1343,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The identity provider API is now aware of system scope and + default roles. + deprecated_since: S name: identity:list_identity_providers - deprecated_since: null description: List identity providers. name: identity:list_identity_providers operations: @@ -1313,11 +1360,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The identity provider API is now aware of system scope and + default roles. + deprecated_since: S name: identity:get_identity_provider - deprecated_since: null description: Get identity provider. name: identity:get_identity_provider operations: @@ -1329,11 +1377,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The identity provider API is now aware of system scope and + default roles. + deprecated_since: S name: identity:update_identity_provider - deprecated_since: null description: Update identity provider. name: identity:update_identity_provider operations: @@ -1343,11 +1392,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The identity provider API is now aware of system scope and + default roles. + deprecated_since: S name: identity:delete_identity_provider - deprecated_since: null description: Delete identity provider. name: identity:delete_identity_provider operations: @@ -1357,11 +1407,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The implied role API is now aware of system scope and default + roles. + deprecated_since: T name: identity:get_implied_role - deprecated_since: null description: Get information about an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. @@ -1373,11 +1424,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The implied role API is now aware of system scope and default + roles. + deprecated_since: T name: identity:list_implied_roles - deprecated_since: null description: List associations between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. This will return all the implied roles that @@ -1392,11 +1444,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The implied role API is now aware of system scope and default + roles. + deprecated_since: T name: identity:create_implied_role - deprecated_since: null description: Create an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. @@ -1408,11 +1461,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The implied role API is now aware of system scope and default + roles. + deprecated_since: T name: identity:delete_implied_role - deprecated_since: null description: Delete the association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. Removing the association will cause that @@ -1425,11 +1479,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The implied role API is now aware of system scope and default + roles. + deprecated_since: T name: identity:list_role_inference_rules - deprecated_since: null description: List all associations between two roles in the system. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. @@ -1443,11 +1498,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The implied role API is now aware of system scope and default + roles. + deprecated_since: T name: identity:check_implied_role - deprecated_since: null description: Check an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. @@ -1524,11 +1580,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The federated mapping API is now aware of system scope and + default roles. + deprecated_since: S name: identity:create_mapping - deprecated_since: null description: Create a new federated mapping containing one or more sets of rules. name: identity:create_mapping operations: @@ -1538,11 +1595,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The federated mapping API is now aware of system scope and + default roles. + deprecated_since: S name: identity:get_mapping - deprecated_since: null description: Get a federated mapping. name: identity:get_mapping operations: @@ -1554,11 +1612,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The federated mapping API is now aware of system scope and + default roles. + deprecated_since: S name: identity:list_mappings - deprecated_since: null description: List federated mappings. name: identity:list_mappings operations: @@ -1570,11 +1629,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The federated mapping API is now aware of system scope and + default roles. + deprecated_since: S name: identity:delete_mapping - deprecated_since: null description: Delete a federated mapping. name: identity:delete_mapping operations: @@ -1584,11 +1644,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The federated mapping API is now aware of system scope and + default roles. + deprecated_since: S name: identity:update_mapping - deprecated_since: null description: Update a federated mapping. name: identity:update_mapping operations: @@ -1598,11 +1659,11 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The policy API is now aware of system scope and default roles. + deprecated_since: T name: identity:get_policy - deprecated_since: null description: Show policy details. name: identity:get_policy operations: @@ -1612,11 +1673,11 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The policy API is now aware of system scope and default roles. + deprecated_since: T name: identity:list_policies - deprecated_since: null description: List policies. name: identity:list_policies operations: @@ -1626,11 +1687,11 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The policy API is now aware of system scope and default roles. + deprecated_since: T name: identity:create_policy - deprecated_since: null description: Create policy. name: identity:create_policy operations: @@ -1640,11 +1701,11 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The policy API is now aware of system scope and default roles. + deprecated_since: T name: identity:update_policy - deprecated_since: null description: Update policy. name: identity:update_policy operations: @@ -1654,11 +1715,11 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The policy API is now aware of system scope and default roles. + deprecated_since: T name: identity:delete_policy - deprecated_since: null description: Delete policy. name: identity:delete_policy operations: @@ -1668,11 +1729,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The policy association API is now aware of system scope and + default roles. + deprecated_since: T name: identity:create_policy_association_for_endpoint - deprecated_since: null description: Associate a policy to a specific endpoint. name: identity:create_policy_association_for_endpoint operations: @@ -1682,11 +1744,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The policy association API is now aware of system scope and + default roles. + deprecated_since: T name: identity:check_policy_association_for_endpoint - deprecated_since: null description: Check policy association for endpoint. name: identity:check_policy_association_for_endpoint operations: @@ -1698,11 +1761,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The policy association API is now aware of system scope and + default roles. + deprecated_since: T name: identity:delete_policy_association_for_endpoint - deprecated_since: null description: Delete policy association for endpoint. name: identity:delete_policy_association_for_endpoint operations: @@ -1712,11 +1776,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The policy association API is now aware of system scope and + default roles. + deprecated_since: T name: identity:create_policy_association_for_service - deprecated_since: null description: Associate a policy to a specific service. name: identity:create_policy_association_for_service operations: @@ -1726,11 +1791,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The policy association API is now aware of system scope and + default roles. + deprecated_since: T name: identity:check_policy_association_for_service - deprecated_since: null description: Check policy association for service. name: identity:check_policy_association_for_service operations: @@ -1742,11 +1808,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The policy association API is now aware of system scope and + default roles. + deprecated_since: T name: identity:delete_policy_association_for_service - deprecated_since: null description: Delete policy association for service. name: identity:delete_policy_association_for_service operations: @@ -1756,11 +1823,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The policy association API is now aware of system scope and + default roles. + deprecated_since: T name: identity:create_policy_association_for_region_and_service - deprecated_since: null description: Associate a policy to a specific region and service combination. name: identity:create_policy_association_for_region_and_service operations: @@ -1770,11 +1838,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The policy association API is now aware of system scope and + default roles. + deprecated_since: T name: identity:check_policy_association_for_region_and_service - deprecated_since: null description: Check policy association for region and service. name: identity:check_policy_association_for_region_and_service operations: @@ -1786,11 +1855,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The policy association API is now aware of system scope and + default roles. + deprecated_since: T name: identity:delete_policy_association_for_region_and_service - deprecated_since: null description: Delete policy association for region and service. name: identity:delete_policy_association_for_region_and_service operations: @@ -1800,11 +1870,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The policy association API is now aware of system scope and + default roles. + deprecated_since: T name: identity:get_policy_for_endpoint - deprecated_since: null description: Get policy for endpoint. name: identity:get_policy_for_endpoint operations: @@ -1816,11 +1887,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The policy association API is now aware of system scope and + default roles. + deprecated_since: T name: identity:list_endpoints_for_policy - deprecated_since: null description: List endpoints for policy. name: identity:list_endpoints_for_policy operations: @@ -1831,11 +1903,11 @@ - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s - deprecated_reason: null deprecated_rule: check_str: rule:admin_required or project_id:%(target.project.id)s + deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_since: S name: identity:get_project - deprecated_since: null description: Show project details. name: identity:get_project operations: @@ -1847,11 +1919,11 @@ - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_since: S name: identity:list_projects - deprecated_since: null description: List projects. name: identity:list_projects operations: @@ -1863,11 +1935,11 @@ - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_since: S name: identity:list_user_projects - deprecated_since: null description: List projects for user. name: identity:list_user_projects operations: @@ -1878,11 +1950,11 @@ - domain - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_since: S name: identity:create_project - deprecated_since: null description: Create project. name: identity:create_project operations: @@ -1893,11 +1965,11 @@ - domain - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_since: S name: identity:update_project - deprecated_since: null description: Update project. name: identity:update_project operations: @@ -1908,11 +1980,11 @@ - domain - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_since: S name: identity:delete_project - deprecated_since: null description: Delete project. name: identity:delete_project operations: @@ -1924,11 +1996,11 @@ - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s - deprecated_reason: null deprecated_rule: check_str: rule:admin_required or project_id:%(target.project.id)s + deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_since: T name: identity:list_project_tags - deprecated_since: null description: List tags for a project. name: identity:list_project_tags operations: @@ -1942,11 +2014,11 @@ - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s - deprecated_reason: null deprecated_rule: check_str: rule:admin_required or project_id:%(target.project.id)s + deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_since: T name: identity:get_project_tag - deprecated_since: null description: Check if project contains a tag. name: identity:get_project_tag operations: @@ -1959,11 +2031,11 @@ - domain - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_since: T name: identity:update_project_tags - deprecated_since: null description: Replace all tags on a project with the new set of tags. name: identity:update_project_tags operations: @@ -1974,11 +2046,11 @@ - domain - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_since: T name: identity:create_project_tag - deprecated_since: null description: Add a single tag to a project. name: identity:create_project_tag operations: @@ -1989,11 +2061,11 @@ - domain - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_since: T name: identity:delete_project_tags - deprecated_since: null description: Remove all tags from a project. name: identity:delete_project_tags operations: @@ -2004,11 +2076,11 @@ - domain - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The project API is now aware of system scope and default roles. + deprecated_since: T name: identity:delete_project_tag - deprecated_since: null description: Delete a specified tag from project. name: identity:delete_project_tag operations: @@ -2019,11 +2091,24 @@ - domain - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: ' + + As of the Train release, the project endpoint API now understands default + + roles and system-scoped tokens, making the API more granular by default without + + compromising security. The new policy defaults account for these changes + + automatically. Be sure to take these new defaults into consideration if you + are + + relying on overrides in your deployment for the project endpoint API. + + ' + deprecated_since: T name: identity:list_projects_for_endpoint - deprecated_since: null description: List projects allowed to access an endpoint. name: identity:list_projects_for_endpoint operations: @@ -2033,11 +2118,24 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: ' + + As of the Train release, the project endpoint API now understands default + + roles and system-scoped tokens, making the API more granular by default without + + compromising security. The new policy defaults account for these changes + + automatically. Be sure to take these new defaults into consideration if you + are + + relying on overrides in your deployment for the project endpoint API. + + ' + deprecated_since: T name: identity:add_endpoint_to_project - deprecated_since: null description: Allow project to access an endpoint. name: identity:add_endpoint_to_project operations: @@ -2047,11 +2145,24 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: ' + + As of the Train release, the project endpoint API now understands default + + roles and system-scoped tokens, making the API more granular by default without + + compromising security. The new policy defaults account for these changes + + automatically. Be sure to take these new defaults into consideration if you + are + + relying on overrides in your deployment for the project endpoint API. + + ' + deprecated_since: T name: identity:check_endpoint_in_project - deprecated_since: null description: Check if a project is allowed to access an endpoint. name: identity:check_endpoint_in_project operations: @@ -2063,11 +2174,24 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: ' + + As of the Train release, the project endpoint API now understands default + + roles and system-scoped tokens, making the API more granular by default without + + compromising security. The new policy defaults account for these changes + + automatically. Be sure to take these new defaults into consideration if you + are + + relying on overrides in your deployment for the project endpoint API. + + ' + deprecated_since: T name: identity:list_endpoints_for_project - deprecated_since: null description: List the endpoints a project is allowed to access. name: identity:list_endpoints_for_project operations: @@ -2077,11 +2201,24 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: ' + + As of the Train release, the project endpoint API now understands default + + roles and system-scoped tokens, making the API more granular by default without + + compromising security. The new policy defaults account for these changes + + automatically. Be sure to take these new defaults into consideration if you + are + + relying on overrides in your deployment for the project endpoint API. + + ' + deprecated_since: T name: identity:remove_endpoint_from_project - deprecated_since: null description: Remove access to an endpoint from a project that has previously been given explicit access. name: identity:remove_endpoint_from_project @@ -2092,11 +2229,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The federated protocol API is now aware of system scope and + default roles. + deprecated_since: S name: identity:create_protocol - deprecated_since: null description: Create federated protocol. name: identity:create_protocol operations: @@ -2106,11 +2244,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The federated protocol API is now aware of system scope and + default roles. + deprecated_since: S name: identity:update_protocol - deprecated_since: null description: Update federated protocol. name: identity:update_protocol operations: @@ -2120,11 +2259,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The federated protocol API is now aware of system scope and + default roles. + deprecated_since: S name: identity:get_protocol - deprecated_since: null description: Get federated protocol. name: identity:get_protocol operations: @@ -2134,11 +2274,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The federated protocol API is now aware of system scope and + default roles. + deprecated_since: S name: identity:list_protocols - deprecated_since: null description: List federated protocols. name: identity:list_protocols operations: @@ -2148,11 +2289,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The federated protocol API is now aware of system scope and + default roles. + deprecated_since: S name: identity:delete_protocol - deprecated_since: null description: Delete federated protocol. name: identity:delete_protocol operations: @@ -2186,11 +2328,11 @@ - domain - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The region API is now aware of system scope and default roles. + deprecated_since: S name: identity:create_region - deprecated_since: null description: Create region. name: identity:create_region operations: @@ -2202,11 +2344,11 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The region API is now aware of system scope and default roles. + deprecated_since: S name: identity:update_region - deprecated_since: null description: Update region. name: identity:update_region operations: @@ -2216,11 +2358,11 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The region API is now aware of system scope and default roles. + deprecated_since: S name: identity:delete_region - deprecated_since: null description: Delete region. name: identity:delete_region operations: @@ -2290,11 +2432,11 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_since: S name: identity:get_role - deprecated_since: null description: Show role details. name: identity:get_role operations: @@ -2306,11 +2448,11 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_since: S name: identity:list_roles - deprecated_since: null description: List roles. name: identity:list_roles operations: @@ -2322,11 +2464,11 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_since: S name: identity:create_role - deprecated_since: null description: Create role. name: identity:create_role operations: @@ -2336,11 +2478,11 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_since: S name: identity:update_role - deprecated_since: null description: Update role. name: identity:update_role operations: @@ -2350,11 +2492,11 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_since: S name: identity:delete_role - deprecated_since: null description: Delete role. name: identity:delete_role operations: @@ -2364,11 +2506,11 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_since: T name: identity:get_domain_role - deprecated_since: null description: Show domain role. name: identity:get_domain_role operations: @@ -2380,11 +2522,11 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_since: T name: identity:list_domain_roles - deprecated_since: null description: List domain roles. name: identity:list_domain_roles operations: @@ -2396,11 +2538,11 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_since: T name: identity:create_domain_role - deprecated_since: null description: Create domain role. name: identity:create_domain_role operations: @@ -2410,11 +2552,11 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_since: T name: identity:update_domain_role - deprecated_since: null description: Update domain role. name: identity:update_domain_role operations: @@ -2424,11 +2566,11 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The role API is now aware of system scope and default roles. + deprecated_since: T name: identity:delete_domain_role - deprecated_since: null description: Delete domain role. name: identity:delete_domain_role operations: @@ -2439,11 +2581,12 @@ - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The assignment API is now aware of system scope and default + roles. + deprecated_since: S name: identity:list_role_assignments - deprecated_since: null description: List role assignments. name: identity:list_role_assignments operations: @@ -2457,11 +2600,12 @@ - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The assignment API is now aware of system scope and default + roles. + deprecated_since: T name: identity:list_role_assignments_for_tree - deprecated_since: null description: List all role assignments for a given tree of hierarchical projects. name: identity:list_role_assignments_for_tree operations: @@ -2474,11 +2618,11 @@ - domain - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The service API is now aware of system scope and default roles. + deprecated_since: S name: identity:get_service - deprecated_since: null description: Show service details. name: identity:get_service operations: @@ -2488,11 +2632,11 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The service API is now aware of system scope and default roles. + deprecated_since: S name: identity:list_services - deprecated_since: null description: List services. name: identity:list_services operations: @@ -2502,11 +2646,11 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The service API is now aware of system scope and default roles. + deprecated_since: S name: identity:create_service - deprecated_since: null description: Create service. name: identity:create_service operations: @@ -2516,11 +2660,11 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The service API is now aware of system scope and default roles. + deprecated_since: S name: identity:update_service - deprecated_since: null description: Update service. name: identity:update_service operations: @@ -2530,11 +2674,11 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The service API is now aware of system scope and default roles. + deprecated_since: S name: identity:delete_service - deprecated_since: null description: Delete service. name: identity:delete_service operations: @@ -2544,11 +2688,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The service provider API is now aware of system scope and default + roles. + deprecated_since: S name: identity:create_service_provider - deprecated_since: null description: Create federated service provider. name: identity:create_service_provider operations: @@ -2558,11 +2703,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The service provider API is now aware of system scope and default + roles. + deprecated_since: S name: identity:list_service_providers - deprecated_since: null description: List federated service providers. name: identity:list_service_providers operations: @@ -2574,11 +2720,12 @@ - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The service provider API is now aware of system scope and default + roles. + deprecated_since: S name: identity:get_service_provider - deprecated_since: null description: Get federated service provider. name: identity:get_service_provider operations: @@ -2590,11 +2737,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The service provider API is now aware of system scope and default + roles. + deprecated_since: S name: identity:update_service_provider - deprecated_since: null description: Update federated service provider. name: identity:update_service_provider operations: @@ -2604,11 +2752,12 @@ - system - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The service provider API is now aware of system scope and default + roles. + deprecated_since: S name: identity:delete_service_provider - deprecated_since: null description: Delete federated service provider. name: identity:delete_service_provider operations: @@ -2640,11 +2789,11 @@ - system - project - check_str: (role:reader and system_scope:all) or rule:token_subject - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_token_subject + deprecated_reason: The token API is now aware of system scope and default roles. + deprecated_since: T name: identity:check_token - deprecated_since: null description: Check a token. name: identity:check_token operations: @@ -2655,11 +2804,11 @@ - domain - project - check_str: (role:reader and system_scope:all) or rule:service_role or rule:token_subject - deprecated_reason: null deprecated_rule: check_str: rule:service_admin_or_token_subject + deprecated_reason: The token API is now aware of system scope and default roles. + deprecated_since: T name: identity:validate_token - deprecated_since: null description: Validate a token. name: identity:validate_token operations: @@ -2670,11 +2819,11 @@ - domain - project - check_str: (role:admin and system_scope:all) or rule:token_subject - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_token_subject + deprecated_reason: The token API is now aware of system scope and default roles. + deprecated_since: T name: identity:revoke_token - deprecated_since: null description: Revoke a token. name: identity:revoke_token operations: @@ -2693,11 +2842,11 @@ scope_types: - project - check_str: rule:admin_required or (role:reader and system_scope:all) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The trust API is now aware of system scope and default roles. + deprecated_since: T name: identity:list_trusts - deprecated_since: null description: List trusts. name: identity:list_trusts operations: @@ -2732,11 +2881,11 @@ - project - check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s) - deprecated_reason: null deprecated_rule: check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s + deprecated_reason: The trust API is now aware of system scope and default roles. + deprecated_since: T name: identity:list_roles_for_trust - deprecated_since: null description: List roles delegated by a trust. name: identity:list_roles_for_trust operations: @@ -2749,11 +2898,11 @@ - project - check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s) - deprecated_reason: null deprecated_rule: check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s + deprecated_reason: The trust API is now aware of system scope and default roles. + deprecated_since: T name: identity:get_role_for_trust - deprecated_since: null description: Check if trust delegates a particular role. name: identity:get_role_for_trust operations: @@ -2765,11 +2914,11 @@ - system - project - check_str: rule:admin_required or user_id:%(target.trust.trustor_user_id)s - deprecated_reason: null deprecated_rule: check_str: user_id:%(target.trust.trustor_user_id)s + deprecated_reason: The trust API is now aware of system scope and default roles. + deprecated_since: T name: identity:delete_trust - deprecated_since: null description: Revoke trust. name: identity:delete_trust operations: @@ -2780,11 +2929,11 @@ - project - check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s) - deprecated_reason: null deprecated_rule: check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s + deprecated_reason: The trust API is now aware of system scope and default roles. + deprecated_since: T name: identity:get_trust - deprecated_since: null description: Get trust. name: identity:get_trust operations: @@ -2797,11 +2946,11 @@ - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The user API is now aware of system scope and default roles. + deprecated_since: S name: identity:get_user - deprecated_since: null description: Show user details. name: identity:get_user operations: @@ -2815,11 +2964,11 @@ - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The user API is now aware of system scope and default roles. + deprecated_since: S name: identity:list_users - deprecated_since: null description: List users. name: identity:list_users operations: @@ -2846,11 +2995,11 @@ path: /v3/auth/domains scope_types: null - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The user API is now aware of system scope and default roles. + deprecated_since: S name: identity:create_user - deprecated_since: null description: Create a user. name: identity:create_user operations: @@ -2861,11 +3010,11 @@ - domain - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The user API is now aware of system scope and default roles. + deprecated_since: S name: identity:update_user - deprecated_since: null description: Update a user, including administrative password resets. name: identity:update_user operations: @@ -2876,11 +3025,11 @@ - domain - project - check_str: rule:admin_required - deprecated_reason: null deprecated_rule: check_str: rule:admin_required + deprecated_reason: The user API is now aware of system scope and default roles. + deprecated_since: S name: identity:delete_user - deprecated_since: null description: Delete a user. name: identity:delete_user operations: diff --git a/openstack_dashboard/conf/default_policies/neutron.yaml b/openstack_dashboard/conf/default_policies/neutron.yaml index 48157cc62f..d92f3123c4 100644 --- a/openstack_dashboard/conf/default_policies/neutron.yaml +++ b/openstack_dashboard/conf/default_policies/neutron.yaml @@ -79,11 +79,12 @@ operations: [] scope_types: null - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner or rule:shared_address_groups + deprecated_reason: The Address scope API now supports system scope and default + roles. + deprecated_since: W name: get_address_group - deprecated_since: null description: Get an address group name: get_address_group operations: @@ -99,11 +100,12 @@ operations: [] scope_types: null - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: The Address scope API now supports system scope and default + roles. + deprecated_since: W name: create_address_scope - deprecated_since: null description: Create an address scope name: create_address_scope operations: @@ -112,11 +114,12 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The Address scope API now supports system scope and default + roles. + deprecated_since: W name: create_address_scope:shared - deprecated_since: null description: Create a shared address scope name: create_address_scope:shared operations: @@ -125,11 +128,12 @@ scope_types: - project - check_str: rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared_address_scopes - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner or rule:shared_address_scopes + deprecated_reason: The Address scope API now supports system scope and default + roles. + deprecated_since: W name: get_address_scope - deprecated_since: null description: Get an address scope name: get_address_scope operations: @@ -140,11 +144,12 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The Address scope API now supports system scope and default + roles. + deprecated_since: W name: update_address_scope - deprecated_since: null description: Update an address scope name: update_address_scope operations: @@ -153,11 +158,12 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The Address scope API now supports system scope and default + roles. + deprecated_since: W name: update_address_scope:shared - deprecated_since: null description: Update ``shared`` attribute of an address scope name: update_address_scope:shared operations: @@ -166,11 +172,12 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The Address scope API now supports system scope and default + roles. + deprecated_since: W name: delete_address_scope - deprecated_since: null description: Delete an address scope name: delete_address_scope operations: @@ -179,11 +186,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The Agent API now supports project scope and default roles. + deprecated_since: W name: get_agent - deprecated_since: null description: Get an agent name: get_agent operations: @@ -194,11 +201,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The Agent API now supports project scope and default roles. + deprecated_since: W name: update_agent - deprecated_since: null description: Update an agent name: update_agent operations: @@ -207,11 +214,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The Agent API now supports project scope and default roles. + deprecated_since: W name: delete_agent - deprecated_since: null description: Delete an agent name: delete_agent operations: @@ -220,11 +227,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The Agent API now supports project scope and default roles. + deprecated_since: W name: create_dhcp-network - deprecated_since: null description: Add a network to a DHCP agent name: create_dhcp-network operations: @@ -233,11 +240,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The Agent API now supports project scope and default roles. + deprecated_since: W name: get_dhcp-networks - deprecated_since: null description: List networks on a DHCP agent name: get_dhcp-networks operations: @@ -246,11 +253,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The Agent API now supports project scope and default roles. + deprecated_since: W name: delete_dhcp-network - deprecated_since: null description: Remove a network from a DHCP agent name: delete_dhcp-network operations: @@ -259,11 +266,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The Agent API now supports project scope and default roles. + deprecated_since: W name: create_l3-router - deprecated_since: null description: Add a router to an L3 agent name: create_l3-router operations: @@ -272,11 +279,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The Agent API now supports project scope and default roles. + deprecated_since: W name: get_l3-routers - deprecated_since: null description: List routers on an L3 agent name: get_l3-routers operations: @@ -285,11 +292,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The Agent API now supports project scope and default roles. + deprecated_since: W name: delete_l3-router - deprecated_since: null description: Remove a router from an L3 agent name: delete_l3-router operations: @@ -298,11 +305,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The Agent API now supports project scope and default roles. + deprecated_since: W name: get_dhcp-agents - deprecated_since: null description: List DHCP agents hosting a network name: get_dhcp-agents operations: @@ -311,11 +318,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The Agent API now supports project scope and default roles. + deprecated_since: W name: get_l3-agents - deprecated_since: null description: List L3 agents hosting a router name: get_l3-agents operations: @@ -324,11 +331,12 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The Auto allocated topology API now supports system scope and + default roles. + deprecated_since: W name: get_auto_allocated_topology - deprecated_since: null description: Get a project's auto-allocated topology name: get_auto_allocated_topology operations: @@ -337,11 +345,12 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The Auto allocated topology API now supports system scope and + default roles. + deprecated_since: W name: delete_auto_allocated_topology - deprecated_since: null description: Delete a project's auto-allocated topology name: delete_auto_allocated_topology operations: @@ -350,11 +359,12 @@ scope_types: - project - check_str: role:reader - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: The Availability Zone API now supports project scope and default + roles. + deprecated_since: W name: get_availability_zone - deprecated_since: null description: List availability zones name: get_availability_zone operations: @@ -363,11 +373,12 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The default security group rules API supports system scope + and default roles. + deprecated_since: '2023.2' name: create_default_security_group_rule - deprecated_since: null description: Create a templated of the security group rule name: create_default_security_group_rule operations: @@ -376,11 +387,12 @@ scope_types: - project - check_str: role:reader - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: The default security group rules API supports system scope + and default roles. + deprecated_since: '2023.2' name: get_default_security_group_rule - deprecated_since: null description: Get a templated of the security group rule name: get_default_security_group_rule operations: @@ -391,11 +403,12 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The default security group rules API supports system scope + and default roles. + deprecated_since: '2023.2' name: delete_default_security_group_rule - deprecated_since: null description: Delete a templated of the security group rule name: delete_default_security_group_rule operations: @@ -404,11 +417,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The flavor API now supports project scope and default roles. + deprecated_since: W name: create_flavor - deprecated_since: null description: Create a flavor name: create_flavor operations: @@ -417,11 +430,11 @@ scope_types: - project - check_str: role:reader - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: The flavor API now supports project scope and default roles. + deprecated_since: W name: get_flavor - deprecated_since: null description: Get a flavor name: get_flavor operations: @@ -432,11 +445,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The flavor API now supports project scope and default roles. + deprecated_since: W name: update_flavor - deprecated_since: null description: Update a flavor name: update_flavor operations: @@ -445,11 +458,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The flavor API now supports project scope and default roles. + deprecated_since: W name: delete_flavor - deprecated_since: null description: Delete a flavor name: delete_flavor operations: @@ -458,11 +471,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The flavor API now supports project scope and default roles. + deprecated_since: W name: create_service_profile - deprecated_since: null description: Create a service profile name: create_service_profile operations: @@ -471,11 +484,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The flavor API now supports project scope and default roles. + deprecated_since: W name: get_service_profile - deprecated_since: null description: Get a service profile name: get_service_profile operations: @@ -486,11 +499,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The flavor API now supports project scope and default roles. + deprecated_since: W name: update_service_profile - deprecated_since: null description: Update a service profile name: update_service_profile operations: @@ -499,11 +512,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The flavor API now supports project scope and default roles. + deprecated_since: W name: delete_service_profile - deprecated_since: null description: Delete a service profile name: delete_service_profile operations: @@ -512,11 +525,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: The flavor API now supports project scope and default roles. + deprecated_since: W name: get_flavor_service_profile - deprecated_since: null description: Get a flavor associated with a given service profiles. There is no corresponding GET operations in API currently. This rule is currently referred only in the DELETE of flavor_service_profile. @@ -525,11 +538,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The flavor API now supports project scope and default roles. + deprecated_since: W name: create_flavor_service_profile - deprecated_since: null description: Associate a flavor with a service profile name: create_flavor_service_profile operations: @@ -538,11 +551,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The flavor API now supports project scope and default roles. + deprecated_since: W name: delete_flavor_service_profile - deprecated_since: null description: Disassociate a flavor with a service profile name: delete_flavor_service_profile operations: @@ -551,11 +564,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: The Floating IP API now supports system scope and default roles. + deprecated_since: W name: create_floatingip - deprecated_since: null description: Create a floating IP name: create_floatingip operations: @@ -564,11 +577,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The Floating IP API now supports system scope and default roles. + deprecated_since: W name: create_floatingip:floating_ip_address - deprecated_since: null description: Create a floating IP with a specific IP address name: create_floatingip:floating_ip_address operations: @@ -577,11 +590,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The Floating IP API now supports system scope and default roles. + deprecated_since: W name: get_floatingip - deprecated_since: null description: Get a floating IP name: get_floatingip operations: @@ -602,11 +615,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The Floating IP API now supports system scope and default roles. + deprecated_since: W name: update_floatingip - deprecated_since: null description: Update a floating IP name: update_floatingip operations: @@ -625,11 +638,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The Floating IP API now supports system scope and default roles. + deprecated_since: W name: delete_floatingip - deprecated_since: null description: Delete a floating IP name: delete_floatingip operations: @@ -648,11 +661,12 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: The Floating IP Pool API now supports system scope and default + roles. + deprecated_since: W name: get_floatingip_pool - deprecated_since: null description: Get floating IP pools name: get_floatingip_pool operations: @@ -661,11 +675,17 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and rule:ext_parent_owner) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner + deprecated_reason: ' + + The floating IP port forwarding API now supports system scope and default + + roles. + + ' + deprecated_since: W name: create_floatingip_port_forwarding - deprecated_since: null description: Create a floating IP port forwarding name: create_floatingip_port_forwarding operations: @@ -674,11 +694,17 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and rule:ext_parent_owner) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner + deprecated_reason: ' + + The floating IP port forwarding API now supports system scope and default + + roles. + + ' + deprecated_since: W name: get_floatingip_port_forwarding - deprecated_since: null description: Get a floating IP port forwarding name: get_floatingip_port_forwarding operations: @@ -689,11 +715,17 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and rule:ext_parent_owner) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner + deprecated_reason: ' + + The floating IP port forwarding API now supports system scope and default + + roles. + + ' + deprecated_since: W name: update_floatingip_port_forwarding - deprecated_since: null description: Update a floating IP port forwarding name: update_floatingip_port_forwarding operations: @@ -702,11 +734,17 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and rule:ext_parent_owner) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner + deprecated_reason: ' + + The floating IP port forwarding API now supports system scope and default + + roles. + + ' + deprecated_since: W name: delete_floatingip_port_forwarding - deprecated_since: null description: Delete a floating IP port forwarding name: delete_floatingip_port_forwarding operations: @@ -715,11 +753,15 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner + deprecated_reason: ' + + The router conntrack API now supports system scope and default roles. + + ' + deprecated_since: W name: create_router_conntrack_helper - deprecated_since: null description: Create a router conntrack helper name: create_router_conntrack_helper operations: @@ -728,11 +770,15 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner + deprecated_reason: ' + + The router conntrack API now supports system scope and default roles. + + ' + deprecated_since: W name: get_router_conntrack_helper - deprecated_since: null description: Get a router conntrack helper name: get_router_conntrack_helper operations: @@ -743,11 +789,15 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner + deprecated_reason: ' + + The router conntrack API now supports system scope and default roles. + + ' + deprecated_since: W name: update_router_conntrack_helper - deprecated_since: null description: Update a router conntrack helper name: update_router_conntrack_helper operations: @@ -756,11 +806,15 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner + deprecated_reason: ' + + The router conntrack API now supports system scope and default roles. + + ' + deprecated_since: W name: delete_router_conntrack_helper - deprecated_since: null description: Delete a router conntrack helper name: delete_router_conntrack_helper operations: @@ -769,11 +823,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: The Local IP API now supports system scope and default roles. + deprecated_since: W name: create_local_ip - deprecated_since: null description: Create a Local IP name: create_local_ip operations: @@ -782,11 +836,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The Local IP API now supports system scope and default roles. + deprecated_since: W name: get_local_ip - deprecated_since: null description: Get a Local IP name: get_local_ip operations: @@ -797,11 +851,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The Local IP API now supports system scope and default roles. + deprecated_since: W name: update_local_ip - deprecated_since: null description: Update a Local IP name: update_local_ip operations: @@ -810,11 +864,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The Local IP API now supports system scope and default roles. + deprecated_since: W name: delete_local_ip - deprecated_since: null description: Delete a Local IP name: delete_local_ip operations: @@ -823,11 +877,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner + deprecated_reason: The Local IP API now supports system scope and default roles. + deprecated_since: W name: create_local_ip_port_association - deprecated_since: null description: Create a Local IP port association name: create_local_ip_port_association operations: @@ -836,11 +890,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner + deprecated_reason: The Local IP API now supports system scope and default roles. + deprecated_since: W name: get_local_ip_port_association - deprecated_since: null description: Get a Local IP port association name: get_local_ip_port_association operations: @@ -851,11 +905,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_ext_parent_owner + deprecated_reason: The Local IP API now supports system scope and default roles. + deprecated_since: W name: delete_local_ip_port_association - deprecated_since: null description: Delete a Local IP port association name: delete_local_ip_port_association operations: @@ -864,11 +918,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The logging API now supports project scope and default roles. + + ' + deprecated_since: W name: get_loggable_resource - deprecated_since: null description: Get loggable resources name: get_loggable_resource operations: @@ -877,11 +935,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The logging API now supports project scope and default roles. + + ' + deprecated_since: W name: create_log - deprecated_since: null description: Create a network log name: create_log operations: @@ -890,11 +952,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The logging API now supports project scope and default roles. + + ' + deprecated_since: W name: get_log - deprecated_since: null description: Get a network log name: get_log operations: @@ -905,11 +971,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The logging API now supports project scope and default roles. + + ' + deprecated_since: W name: update_log - deprecated_since: null description: Update a network log name: update_log operations: @@ -918,11 +988,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The logging API now supports project scope and default roles. + + ' + deprecated_since: W name: delete_log - deprecated_since: null description: Delete a network log name: delete_log operations: @@ -931,11 +1005,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The metering API now supports system scope and default roles. + + ' + deprecated_since: W name: create_metering_label - deprecated_since: null description: Create a metering label name: create_metering_label operations: @@ -944,11 +1022,15 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The metering API now supports system scope and default roles. + + ' + deprecated_since: W name: get_metering_label - deprecated_since: null description: Get a metering label name: get_metering_label operations: @@ -959,11 +1041,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The metering API now supports system scope and default roles. + + ' + deprecated_since: W name: delete_metering_label - deprecated_since: null description: Delete a metering label name: delete_metering_label operations: @@ -972,11 +1058,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The metering API now supports system scope and default roles. + + ' + deprecated_since: W name: create_metering_label_rule - deprecated_since: null description: Create a metering label rule name: create_metering_label_rule operations: @@ -985,11 +1075,15 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The metering API now supports system scope and default roles. + + ' + deprecated_since: W name: get_metering_label_rule - deprecated_since: null description: Get a metering label rule name: get_metering_label_rule operations: @@ -1000,11 +1094,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The metering API now supports system scope and default roles. + + ' + deprecated_since: W name: delete_metering_label_rule - deprecated_since: null description: Delete a metering label rule name: delete_metering_label_rule operations: @@ -1013,11 +1111,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: The ndp proxy API now supports system scope and default roles. + deprecated_since: W name: create_ndp_proxy - deprecated_since: null description: Create a ndp proxy name: create_ndp_proxy operations: @@ -1026,11 +1124,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The ndp proxy API now supports system scope and default roles. + deprecated_since: W name: get_ndp_proxy - deprecated_since: null description: Get a ndp proxy name: get_ndp_proxy operations: @@ -1041,11 +1139,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The ndp proxy API now supports system scope and default roles. + deprecated_since: W name: update_ndp_proxy - deprecated_since: null description: Update a ndp proxy name: update_ndp_proxy operations: @@ -1054,11 +1152,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The ndp proxy API now supports system scope and default roles. + deprecated_since: W name: delete_ndp_proxy - deprecated_since: null description: Delete a ndp proxy name: delete_ndp_proxy operations: @@ -1072,11 +1170,15 @@ operations: [] scope_types: null - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: create_network - deprecated_since: null description: Create a network name: create_network operations: &id001 @@ -1085,88 +1187,120 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: create_network:shared - deprecated_since: null description: Create a shared network name: create_network:shared operations: *id001 scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: create_network:router:external - deprecated_since: null description: Create an external network name: create_network:router:external operations: *id001 scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: create_network:is_default - deprecated_since: null description: Specify ``is_default`` attribute when creating a network name: create_network:is_default operations: *id001 scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: create_network:port_security_enabled - deprecated_since: null description: Specify ``port_security_enabled`` attribute when creating a network name: create_network:port_security_enabled operations: *id001 scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: create_network:segments - deprecated_since: null description: Specify ``segments`` attribute when creating a network name: create_network:segments operations: *id001 scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: create_network:provider:network_type - deprecated_since: null description: Specify ``provider:network_type`` when creating a network name: create_network:provider:network_type operations: *id001 scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: create_network:provider:physical_network - deprecated_since: null description: Specify ``provider:physical_network`` when creating a network name: create_network:provider:physical_network operations: *id001 scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: create_network:provider:segmentation_id - deprecated_since: null description: Specify ``provider:segmentation_id`` when creating a network name: create_network:provider:segmentation_id operations: *id001 @@ -1174,11 +1308,15 @@ - project - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:service_api or rule:shared or rule:external or rule:context_is_advsvc - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: get_network - deprecated_since: null description: Get a network name: get_network operations: &id002 @@ -1189,44 +1327,60 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: get_network:segments - deprecated_since: null description: Get ``segments`` attribute of a network name: get_network:segments operations: *id002 scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: get_network:provider:network_type - deprecated_since: null description: Get ``provider:network_type`` attribute of a network name: get_network:provider:network_type operations: *id002 scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: get_network:provider:physical_network - deprecated_since: null description: Get ``provider:physical_network`` attribute of a network name: get_network:provider:physical_network operations: *id002 scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: get_network:provider:segmentation_id - deprecated_since: null description: Get ``provider:segmentation_id`` attribute of a network name: get_network:provider:segmentation_id operations: *id002 @@ -1244,11 +1398,15 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: update_network - deprecated_since: null description: Update a network name: update_network operations: &id003 @@ -1257,88 +1415,120 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: update_network:segments - deprecated_since: null description: Update ``segments`` attribute of a network name: update_network:segments operations: *id003 scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: update_network:shared - deprecated_since: null description: Update ``shared`` attribute of a network name: update_network:shared operations: *id003 scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: update_network:provider:network_type - deprecated_since: null description: Update ``provider:network_type`` attribute of a network name: update_network:provider:network_type operations: *id003 scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: update_network:provider:physical_network - deprecated_since: null description: Update ``provider:physical_network`` attribute of a network name: update_network:provider:physical_network operations: *id003 scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: update_network:provider:segmentation_id - deprecated_since: null description: Update ``provider:segmentation_id`` attribute of a network name: update_network:provider:segmentation_id operations: *id003 scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: update_network:router:external - deprecated_since: null description: Update ``router:external`` attribute of a network name: update_network:router:external operations: *id003 scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: update_network:is_default - deprecated_since: null description: Update ``is_default`` attribute of a network name: update_network:is_default operations: *id003 scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: update_network:port_security_enabled - deprecated_since: null description: Update ``port_security_enabled`` attribute of a network name: update_network:port_security_enabled operations: *id003 @@ -1355,11 +1545,15 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + The network API now supports system scope and default roles. + + ' + deprecated_since: W name: delete_network - deprecated_since: null description: Delete a network name: delete_network operations: @@ -1378,11 +1572,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network IP availability API now support project scope and default roles. + + ' + deprecated_since: W name: get_network_ip_availability - deprecated_since: null description: Get network IP availability name: get_network_ip_availability operations: @@ -1393,11 +1591,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network segment range API now supports project scope and default roles. + + ' + deprecated_since: W name: create_network_segment_range - deprecated_since: null description: Create a network segment range name: create_network_segment_range operations: @@ -1406,11 +1608,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network segment range API now supports project scope and default roles. + + ' + deprecated_since: W name: get_network_segment_range - deprecated_since: null description: Get a network segment range name: get_network_segment_range operations: @@ -1431,11 +1637,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network segment range API now supports project scope and default roles. + + ' + deprecated_since: W name: update_network_segment_range - deprecated_since: null description: Update a network segment range name: update_network_segment_range operations: @@ -1454,11 +1664,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The network segment range API now supports project scope and default roles. + + ' + deprecated_since: W name: delete_network_segment_range - deprecated_since: null description: Delete a network segment range name: delete_network_segment_range operations: @@ -1519,11 +1733,11 @@ operations: [] scope_types: null - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: create_port - deprecated_since: null description: Create a port name: create_port operations: &id004 @@ -1533,22 +1747,22 @@ - project - check_str: not rule:network_device or (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner - deprecated_reason: null deprecated_rule: check_str: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: create_port:device_owner - deprecated_since: null description: Specify ``device_owner`` attribute when creating a port name: create_port:device_owner operations: *id004 scope_types: - project - check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner - deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: create_port:mac_address - deprecated_since: null description: Specify ``mac_address`` attribute when creating a port name: create_port:mac_address operations: *id004 @@ -1556,22 +1770,22 @@ - project - check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or rule:shared - deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: create_port:fixed_ips - deprecated_since: null description: Specify ``fixed_ips`` information when creating a port name: create_port:fixed_ips operations: *id004 scope_types: - project - check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner - deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: create_port:fixed_ips:ip_address - deprecated_since: null description: Specify IP address in ``fixed_ips`` when creating a port name: create_port:fixed_ips:ip_address operations: *id004 @@ -1579,77 +1793,77 @@ - project - check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or rule:shared - deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: create_port:fixed_ips:subnet_id - deprecated_since: null description: Specify subnet ID in ``fixed_ips`` when creating a port name: create_port:fixed_ips:subnet_id operations: *id004 scope_types: - project - check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner - deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: create_port:port_security_enabled - deprecated_since: null description: Specify ``port_security_enabled`` attribute when creating a port name: create_port:port_security_enabled operations: *id004 scope_types: - project - check_str: (rule:admin_only) or (rule:service_api) - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: create_port:binding:host_id - deprecated_since: null description: Specify ``binding:host_id`` attribute when creating a port name: create_port:binding:host_id operations: *id004 scope_types: - project - check_str: rule:service_api - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: create_port:binding:profile - deprecated_since: null description: Specify ``binding:profile`` attribute when creating a port name: create_port:binding:profile operations: *id004 scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: create_port:binding:vnic_type - deprecated_since: null description: Specify ``binding:vnic_type`` attribute when creating a port name: create_port:binding:vnic_type operations: *id004 scope_types: - project - check_str: (rule:admin_only) or (role:member and rule:network_owner) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: create_port:allowed_address_pairs - deprecated_since: null description: Specify ``allowed_address_pairs`` attribute when creating a port name: create_port:allowed_address_pairs operations: *id004 scope_types: - project - check_str: (rule:admin_only) or (role:member and rule:network_owner) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: create_port:allowed_address_pairs:mac_address - deprecated_since: null description: Specify ``mac_address` of `allowed_address_pairs`` attribute when creating a port name: create_port:allowed_address_pairs:mac_address @@ -1657,11 +1871,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and rule:network_owner) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: create_port:allowed_address_pairs:ip_address - deprecated_since: null description: Specify ``ip_address`` of ``allowed_address_pairs`` attribute when creating a port name: create_port:allowed_address_pairs:ip_address @@ -1676,11 +1890,11 @@ - project - check_str: (rule:admin_only) or (rule:service_api) or role:reader and rule:network_owner or role:reader and project_id:%(project_id)s - deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_owner_or_network_owner + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: get_port - deprecated_since: null description: Get a port name: get_port operations: &id005 @@ -1691,55 +1905,55 @@ scope_types: - project - check_str: (rule:admin_only) or (rule:service_api) - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: get_port:binding:vif_type - deprecated_since: null description: Get ``binding:vif_type`` attribute of a port name: get_port:binding:vif_type operations: *id005 scope_types: - project - check_str: (rule:admin_only) or (rule:service_api) - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: get_port:binding:vif_details - deprecated_since: null description: Get ``binding:vif_details`` attribute of a port name: get_port:binding:vif_details operations: *id005 scope_types: - project - check_str: (rule:admin_only) or (rule:service_api) - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: get_port:binding:host_id - deprecated_since: null description: Get ``binding:host_id`` attribute of a port name: get_port:binding:host_id operations: *id005 scope_types: - project - check_str: (rule:admin_only) or (rule:service_api) - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: get_port:binding:profile - deprecated_since: null description: Get ``binding:profile`` attribute of a port name: get_port:binding:profile operations: *id005 scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: get_port:resource_request - deprecated_since: null description: Get ``resource_request`` attribute of a port name: get_port:resource_request operations: *id005 @@ -1763,11 +1977,11 @@ scope_types: - project - check_str: (rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner or rule:context_is_advsvc + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: update_port - deprecated_since: null description: Update a port name: update_port operations: &id006 @@ -1777,44 +1991,44 @@ - project - check_str: not rule:network_device or (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner - deprecated_reason: null deprecated_rule: check_str: not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: update_port:device_owner - deprecated_since: null description: Update ``device_owner`` attribute of a port name: update_port:device_owner operations: *id006 scope_types: - project - check_str: (rule:admin_only) or (rule:service_api) - deprecated_reason: null deprecated_rule: check_str: rule:admin_only or rule:context_is_advsvc + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: update_port:mac_address - deprecated_since: null description: Update ``mac_address`` attribute of a port name: update_port:mac_address operations: *id006 scope_types: - project - check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner - deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: update_port:fixed_ips - deprecated_since: null description: Specify ``fixed_ips`` information when updating a port name: update_port:fixed_ips operations: *id006 scope_types: - project - check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner - deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: update_port:fixed_ips:ip_address - deprecated_since: null description: Specify IP address in ``fixed_ips`` information when updating a port name: update_port:fixed_ips:ip_address operations: *id006 @@ -1822,77 +2036,77 @@ - project - check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or rule:shared - deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: update_port:fixed_ips:subnet_id - deprecated_since: null description: Specify subnet ID in ``fixed_ips`` information when updating a port name: update_port:fixed_ips:subnet_id operations: *id006 scope_types: - project - check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner - deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_or_network_owner + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: update_port:port_security_enabled - deprecated_since: null description: Update ``port_security_enabled`` attribute of a port name: update_port:port_security_enabled operations: *id006 scope_types: - project - check_str: (rule:admin_only) or (rule:service_api) - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: update_port:binding:host_id - deprecated_since: null description: Update ``binding:host_id`` attribute of a port name: update_port:binding:host_id operations: *id006 scope_types: - project - check_str: rule:service_api - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: update_port:binding:profile - deprecated_since: null description: Update ``binding:profile`` attribute of a port name: update_port:binding:profile operations: *id006 scope_types: - project - check_str: (rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner or rule:context_is_advsvc + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: update_port:binding:vnic_type - deprecated_since: null description: Update ``binding:vnic_type`` attribute of a port name: update_port:binding:vnic_type operations: *id006 scope_types: - project - check_str: (rule:admin_only) or (role:member and rule:network_owner) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: update_port:allowed_address_pairs - deprecated_since: null description: Update ``allowed_address_pairs`` attribute of a port name: update_port:allowed_address_pairs operations: *id006 scope_types: - project - check_str: (rule:admin_only) or (role:member and rule:network_owner) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: update_port:allowed_address_pairs:mac_address - deprecated_since: null description: Update ``mac_address`` of ``allowed_address_pairs`` attribute of a port name: update_port:allowed_address_pairs:mac_address @@ -1900,22 +2114,22 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and rule:network_owner) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: update_port:allowed_address_pairs:ip_address - deprecated_since: null description: Update ``ip_address`` of ``allowed_address_pairs`` attribute of a port name: update_port:allowed_address_pairs:ip_address operations: *id006 scope_types: - project - check_str: rule:admin_only or role:data_plane_integrator - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_data_plane_int + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: update_port:data_plane_status - deprecated_since: null description: Update ``data_plane_status`` attribute of a port name: update_port:data_plane_status operations: *id006 @@ -1939,11 +2153,11 @@ - project - check_str: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or role:member and project_id:%(project_id)s - deprecated_reason: null deprecated_rule: check_str: rule:context_is_advsvc or rule:admin_owner_or_network_owner + deprecated_reason: The port API now supports project scope and default roles. + deprecated_since: W name: delete_port - deprecated_since: null description: Delete a port name: delete_port operations: @@ -1968,11 +2182,15 @@ operations: [] scope_types: null - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_qos_policy - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: get_policy - deprecated_since: null description: Get QoS policies name: get_policy operations: @@ -1983,11 +2201,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: create_policy - deprecated_since: null description: Create a QoS policy name: create_policy operations: @@ -1996,11 +2218,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: update_policy - deprecated_since: null description: Update a QoS policy name: update_policy operations: @@ -2009,11 +2235,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: delete_policy - deprecated_since: null description: Delete a QoS policy name: delete_policy operations: @@ -2022,11 +2252,15 @@ scope_types: - project - check_str: role:reader - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: get_rule_type - deprecated_since: null description: Get available QoS rule types name: get_rule_type operations: @@ -2037,11 +2271,15 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and rule:ext_parent_owner) - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: get_policy_bandwidth_limit_rule - deprecated_since: null description: Get a QoS bandwidth limit rule name: get_policy_bandwidth_limit_rule operations: @@ -2052,11 +2290,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: create_policy_bandwidth_limit_rule - deprecated_since: null description: Create a QoS bandwidth limit rule name: create_policy_bandwidth_limit_rule operations: @@ -2065,11 +2307,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: update_policy_bandwidth_limit_rule - deprecated_since: null description: Update a QoS bandwidth limit rule name: update_policy_bandwidth_limit_rule operations: @@ -2078,11 +2324,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: delete_policy_bandwidth_limit_rule - deprecated_since: null description: Delete a QoS bandwidth limit rule name: delete_policy_bandwidth_limit_rule operations: @@ -2125,11 +2375,15 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and rule:ext_parent_owner) - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: get_policy_dscp_marking_rule - deprecated_since: null description: Get a QoS DSCP marking rule name: get_policy_dscp_marking_rule operations: @@ -2140,11 +2394,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: create_policy_dscp_marking_rule - deprecated_since: null description: Create a QoS DSCP marking rule name: create_policy_dscp_marking_rule operations: @@ -2153,11 +2411,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: update_policy_dscp_marking_rule - deprecated_since: null description: Update a QoS DSCP marking rule name: update_policy_dscp_marking_rule operations: @@ -2166,11 +2428,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: delete_policy_dscp_marking_rule - deprecated_since: null description: Delete a QoS DSCP marking rule name: delete_policy_dscp_marking_rule operations: @@ -2179,11 +2445,15 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and rule:ext_parent_owner) - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: get_policy_minimum_bandwidth_rule - deprecated_since: null description: Get a QoS minimum bandwidth rule name: get_policy_minimum_bandwidth_rule operations: @@ -2194,11 +2464,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: create_policy_minimum_bandwidth_rule - deprecated_since: null description: Create a QoS minimum bandwidth rule name: create_policy_minimum_bandwidth_rule operations: @@ -2207,11 +2481,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: update_policy_minimum_bandwidth_rule - deprecated_since: null description: Update a QoS minimum bandwidth rule name: update_policy_minimum_bandwidth_rule operations: @@ -2220,11 +2498,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: delete_policy_minimum_bandwidth_rule - deprecated_since: null description: Delete a QoS minimum bandwidth rule name: delete_policy_minimum_bandwidth_rule operations: @@ -2267,11 +2549,15 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and rule:ext_parent_owner) - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: get_alias_bandwidth_limit_rule - deprecated_since: null description: Get a QoS bandwidth limit rule through alias name: get_alias_bandwidth_limit_rule operations: @@ -2280,11 +2566,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: update_alias_bandwidth_limit_rule - deprecated_since: null description: Update a QoS bandwidth limit rule through alias name: update_alias_bandwidth_limit_rule operations: @@ -2293,11 +2583,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: delete_alias_bandwidth_limit_rule - deprecated_since: null description: Delete a QoS bandwidth limit rule through alias name: delete_alias_bandwidth_limit_rule operations: @@ -2306,11 +2600,15 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and rule:ext_parent_owner) - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: get_alias_dscp_marking_rule - deprecated_since: null description: Get a QoS DSCP marking rule through alias name: get_alias_dscp_marking_rule operations: @@ -2319,11 +2617,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: update_alias_dscp_marking_rule - deprecated_since: null description: Update a QoS DSCP marking rule through alias name: update_alias_dscp_marking_rule operations: @@ -2332,11 +2634,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: delete_alias_dscp_marking_rule - deprecated_since: null description: Delete a QoS DSCP marking rule through alias name: delete_alias_dscp_marking_rule operations: @@ -2345,11 +2651,15 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and rule:ext_parent_owner) - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: get_alias_minimum_bandwidth_rule - deprecated_since: null description: Get a QoS minimum bandwidth rule through alias name: get_alias_minimum_bandwidth_rule operations: @@ -2358,11 +2668,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: update_alias_minimum_bandwidth_rule - deprecated_since: null description: Update a QoS minimum bandwidth rule through alias name: update_alias_minimum_bandwidth_rule operations: @@ -2371,11 +2685,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The QoS API now supports project scope and default roles. + + ' + deprecated_since: W name: delete_alias_minimum_bandwidth_rule - deprecated_since: null description: Delete a QoS minimum bandwidth rule through alias name: delete_alias_minimum_bandwidth_rule operations: @@ -2408,11 +2726,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The quotas API now supports project scope and default roles. + + ' + deprecated_since: W name: get_quota - deprecated_since: null description: Get a resource quota name: get_quota operations: @@ -2423,11 +2745,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The quotas API now supports project scope and default roles. + + ' + deprecated_since: W name: update_quota - deprecated_since: null description: Update a resource quota name: update_quota operations: @@ -2436,11 +2762,15 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: ' + + The quotas API now supports project scope and default roles. + + ' + deprecated_since: W name: delete_quota - deprecated_since: null description: Delete a resource quota name: delete_quota operations: @@ -2455,11 +2785,15 @@ operations: [] scope_types: null - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: ' + + The RBAC API now supports system scope and default roles. + + ' + deprecated_since: W name: create_rbac_policy - deprecated_since: null description: Create an RBAC policy name: create_rbac_policy operations: @@ -2468,11 +2802,15 @@ scope_types: - project - check_str: rule:admin_only or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*) - deprecated_reason: null deprecated_rule: check_str: rule:restrict_wildcard + deprecated_reason: ' + + The RBAC API now supports system scope and default roles. + + ' + deprecated_since: W name: create_rbac_policy:target_tenant - deprecated_since: null description: Specify ``target_tenant`` when creating an RBAC policy name: create_rbac_policy:target_tenant operations: @@ -2481,11 +2819,15 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + The RBAC API now supports system scope and default roles. + + ' + deprecated_since: W name: update_rbac_policy - deprecated_since: null description: Update an RBAC policy name: update_rbac_policy operations: @@ -2494,11 +2836,15 @@ scope_types: - project - check_str: rule:admin_only or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*) - deprecated_reason: null deprecated_rule: check_str: rule:restrict_wildcard and rule:admin_or_owner + deprecated_reason: ' + + The RBAC API now supports system scope and default roles. + + ' + deprecated_since: W name: update_rbac_policy:target_tenant - deprecated_since: null description: Update ``target_tenant`` attribute of an RBAC policy name: update_rbac_policy:target_tenant operations: @@ -2507,11 +2853,15 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + The RBAC API now supports system scope and default roles. + + ' + deprecated_since: W name: get_rbac_policy - deprecated_since: null description: Get an RBAC policy name: get_rbac_policy operations: @@ -2522,11 +2872,15 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + The RBAC API now supports system scope and default roles. + + ' + deprecated_since: W name: delete_rbac_policy - deprecated_since: null description: Delete an RBAC policy name: delete_rbac_policy operations: @@ -2535,11 +2889,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: The router API now supports system scope and default roles. + deprecated_since: W name: create_router - deprecated_since: null description: Create a router name: create_router operations: &id007 @@ -2548,44 +2902,44 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The router API now supports system scope and default roles. + deprecated_since: W name: create_router:distributed - deprecated_since: null description: Specify ``distributed`` attribute when creating a router name: create_router:distributed operations: *id007 scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The router API now supports system scope and default roles. + deprecated_since: W name: create_router:ha - deprecated_since: null description: Specify ``ha`` attribute when creating a router name: create_router:ha operations: *id007 scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The router API now supports system scope and default roles. + deprecated_since: W name: create_router:external_gateway_info - deprecated_since: null description: Specify ``external_gateway_info`` information when creating a router name: create_router:external_gateway_info operations: *id007 scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The router API now supports system scope and default roles. + deprecated_since: W name: create_router:external_gateway_info:network_id - deprecated_since: null description: Specify ``network_id`` in ``external_gateway_info`` information when creating a router name: create_router:external_gateway_info:network_id @@ -2593,11 +2947,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The router API now supports system scope and default roles. + deprecated_since: W name: create_router:external_gateway_info:enable_snat - deprecated_since: null description: Specify ``enable_snat`` in ``external_gateway_info`` information when creating a router name: create_router:external_gateway_info:enable_snat @@ -2605,11 +2959,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The router API now supports system scope and default roles. + deprecated_since: W name: create_router:external_gateway_info:external_fixed_ips - deprecated_since: null description: Specify ``external_fixed_ips`` in ``external_gateway_info`` information when creating a router name: create_router:external_gateway_info:external_fixed_ips @@ -2629,11 +2983,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The router API now supports system scope and default roles. + deprecated_since: W name: get_router - deprecated_since: null description: Get a router name: get_router operations: &id008 @@ -2644,22 +2998,22 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The router API now supports system scope and default roles. + deprecated_since: W name: get_router:distributed - deprecated_since: null description: Get ``distributed`` attribute of a router name: get_router:distributed operations: *id008 scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The router API now supports system scope and default roles. + deprecated_since: W name: get_router:ha - deprecated_since: null description: Get ``ha`` attribute of a router name: get_router:ha operations: *id008 @@ -2676,11 +3030,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The router API now supports system scope and default roles. + deprecated_since: W name: update_router - deprecated_since: null description: Update a router name: update_router operations: &id009 @@ -2689,44 +3043,44 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The router API now supports system scope and default roles. + deprecated_since: W name: update_router:distributed - deprecated_since: null description: Update ``distributed`` attribute of a router name: update_router:distributed operations: *id009 scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The router API now supports system scope and default roles. + deprecated_since: W name: update_router:ha - deprecated_since: null description: Update ``ha`` attribute of a router name: update_router:ha operations: *id009 scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The router API now supports system scope and default roles. + deprecated_since: W name: update_router:external_gateway_info - deprecated_since: null description: Update ``external_gateway_info`` information of a router name: update_router:external_gateway_info operations: *id009 scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The router API now supports system scope and default roles. + deprecated_since: W name: update_router:external_gateway_info:network_id - deprecated_since: null description: Update ``network_id`` attribute of ``external_gateway_info`` information of a router name: update_router:external_gateway_info:network_id @@ -2734,11 +3088,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The router API now supports system scope and default roles. + deprecated_since: W name: update_router:external_gateway_info:enable_snat - deprecated_since: null description: Update ``enable_snat`` attribute of ``external_gateway_info`` information of a router name: update_router:external_gateway_info:enable_snat @@ -2746,11 +3100,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The router API now supports system scope and default roles. + deprecated_since: W name: update_router:external_gateway_info:external_fixed_ips - deprecated_since: null description: Update ``external_fixed_ips`` attribute of ``external_gateway_info`` information of a router name: update_router:external_gateway_info:external_fixed_ips @@ -2780,11 +3134,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The router API now supports system scope and default roles. + deprecated_since: W name: delete_router - deprecated_since: null description: Delete a router name: delete_router operations: @@ -2803,11 +3157,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The router API now supports system scope and default roles. + deprecated_since: W name: add_router_interface - deprecated_since: null description: Add an interface to a router name: add_router_interface operations: @@ -2816,11 +3170,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The router API now supports system scope and default roles. + deprecated_since: W name: remove_router_interface - deprecated_since: null description: Remove an interface from a router name: remove_router_interface operations: @@ -2829,11 +3183,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The router API now supports system scope and default roles. + deprecated_since: Xena name: add_extraroutes - deprecated_since: null description: Add extra route to a router name: add_extraroutes operations: @@ -2842,11 +3196,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The router API now supports system scope and default roles. + deprecated_since: Xena name: remove_extraroutes - deprecated_since: null description: Remove extra route from a router name: remove_extraroutes operations: @@ -2876,11 +3230,12 @@ operations: [] scope_types: null - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The security group API now supports system scope and default + roles. + deprecated_since: W name: create_security_group - deprecated_since: null description: Create a security group name: create_security_group operations: @@ -2889,11 +3244,12 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_security_group - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: The security group API now supports system scope and default + roles. + deprecated_since: W name: get_security_group - deprecated_since: null description: Get a security group name: get_security_group operations: @@ -2914,11 +3270,12 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The security group API now supports system scope and default + roles. + deprecated_since: W name: update_security_group - deprecated_since: null description: Update a security group name: update_security_group operations: @@ -2937,11 +3294,12 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The security group API now supports system scope and default + roles. + deprecated_since: W name: delete_security_group - deprecated_since: null description: Delete a security group name: delete_security_group operations: @@ -2960,11 +3318,12 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The security group API now supports system scope and default + roles. + deprecated_since: W name: create_security_group_rule - deprecated_since: null description: Create a security group rule name: create_security_group_rule operations: @@ -2973,11 +3332,12 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:sg_owner - deprecated_reason: null deprecated_rule: check_str: rule:admin_owner_or_sg_owner + deprecated_reason: The security group API now supports system scope and default + roles. + deprecated_since: W name: get_security_group_rule - deprecated_since: null description: Get a security group rule name: get_security_group_rule operations: @@ -2988,11 +3348,12 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The security group API now supports system scope and default + roles. + deprecated_since: W name: delete_security_group_rule - deprecated_since: null description: Delete a security group rule name: delete_security_group_rule operations: @@ -3001,11 +3362,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The segment API now supports project scope and default roles. + deprecated_since: W name: create_segment - deprecated_since: null description: Create a segment name: create_segment operations: @@ -3014,11 +3375,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The segment API now supports project scope and default roles. + deprecated_since: W name: get_segment - deprecated_since: null description: Get a segment name: get_segment operations: @@ -3039,11 +3400,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The segment API now supports project scope and default roles. + deprecated_since: W name: update_segment - deprecated_since: null description: Update a segment name: update_segment operations: @@ -3062,11 +3423,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The segment API now supports project scope and default roles. + deprecated_since: W name: delete_segment - deprecated_since: null description: Delete a segment name: delete_segment operations: @@ -3085,11 +3446,12 @@ scope_types: - project - check_str: role:reader - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: The Service Providers API now supports project scope and default + roles. + deprecated_since: W name: get_service_provider - deprecated_since: null description: Get service providers name: get_service_provider operations: @@ -3098,11 +3460,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and rule:network_owner) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner + deprecated_reason: The subnet API now supports system scope and default roles. + deprecated_since: W name: create_subnet - deprecated_since: null description: Create a subnet name: create_subnet operations: &id010 @@ -3111,22 +3473,22 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The subnet API now supports system scope and default roles. + deprecated_since: W name: create_subnet:segment_id - deprecated_since: null description: Specify ``segment_id`` attribute when creating a subnet name: create_subnet:segment_id operations: *id010 scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The subnet API now supports system scope and default roles. + deprecated_since: W name: create_subnet:service_types - deprecated_since: null description: Specify ``service_types`` attribute when creating a subnet name: create_subnet:service_types operations: *id010 @@ -3134,11 +3496,11 @@ - project - check_str: (rule:admin_only) or (role:member and rule:network_owner) or role:reader and project_id:%(project_id)s or rule:shared - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner or rule:shared + deprecated_reason: The subnet API now supports system scope and default roles. + deprecated_since: W name: get_subnet - deprecated_since: null description: Get a subnet name: get_subnet operations: &id011 @@ -3149,11 +3511,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The subnet API now supports system scope and default roles. + deprecated_since: W name: get_subnet:segment_id - deprecated_since: null description: Get ``segment_id`` attribute of a subnet name: get_subnet:segment_id operations: *id011 @@ -3172,11 +3534,11 @@ - project - check_str: (rule:admin_only) or (role:member and rule:network_owner) or role:member and project_id:%(project_id)s - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner + deprecated_reason: The subnet API now supports system scope and default roles. + deprecated_since: W name: update_subnet - deprecated_since: null description: Update a subnet name: update_subnet operations: &id012 @@ -3185,22 +3547,22 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The subnet API now supports system scope and default roles. + deprecated_since: W name: update_subnet:segment_id - deprecated_since: null description: Update ``segment_id`` attribute of a subnet name: update_subnet:segment_id operations: *id012 scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The subnet API now supports system scope and default roles. + deprecated_since: W name: update_subnet:service_types - deprecated_since: null description: Update ``service_types`` attribute of a subnet name: update_subnet:service_types operations: *id012 @@ -3219,11 +3581,11 @@ - project - check_str: (rule:admin_only) or (role:member and rule:network_owner) or role:member and project_id:%(project_id)s - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_network_owner + deprecated_reason: The subnet API now supports system scope and default roles. + deprecated_since: W name: delete_subnet - deprecated_since: null description: Delete a subnet name: delete_subnet operations: @@ -3248,11 +3610,11 @@ operations: [] scope_types: null - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: The subnet pool API now supports system scope and default roles. + deprecated_since: W name: create_subnetpool - deprecated_since: null description: Create a subnetpool name: create_subnetpool operations: @@ -3261,11 +3623,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The subnet pool API now supports system scope and default roles. + deprecated_since: W name: create_subnetpool:shared - deprecated_since: null description: Create a shared subnetpool name: create_subnetpool:shared operations: @@ -3274,11 +3636,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The subnet pool API now supports system scope and default roles. + deprecated_since: W name: create_subnetpool:is_default - deprecated_since: null description: Specify ``is_default`` attribute when creating a subnetpool name: create_subnetpool:is_default operations: @@ -3287,11 +3649,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner or rule:shared_subnetpools + deprecated_reason: The subnet pool API now supports system scope and default roles. + deprecated_since: W name: get_subnetpool - deprecated_since: null description: Get a subnetpool name: get_subnetpool operations: @@ -3312,11 +3674,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The subnet pool API now supports system scope and default roles. + deprecated_since: W name: update_subnetpool - deprecated_since: null description: Update a subnetpool name: update_subnetpool operations: @@ -3325,11 +3687,11 @@ scope_types: - project - check_str: rule:admin_only - deprecated_reason: null deprecated_rule: check_str: rule:admin_only + deprecated_reason: The subnet pool API now supports system scope and default roles. + deprecated_since: W name: update_subnetpool:is_default - deprecated_since: null description: Update ``is_default`` attribute of a subnetpool name: update_subnetpool:is_default operations: @@ -3348,11 +3710,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The subnet pool API now supports system scope and default roles. + deprecated_since: W name: delete_subnetpool - deprecated_since: null description: Delete a subnetpool name: delete_subnetpool operations: @@ -3371,11 +3733,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The subnet pool API now supports system scope and default roles. + deprecated_since: W name: onboard_network_subnets - deprecated_since: null description: Onboard existing subnet into a subnetpool name: onboard_network_subnets operations: @@ -3384,11 +3746,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The subnet pool API now supports system scope and default roles. + deprecated_since: W name: add_prefixes - deprecated_since: null description: Add prefixes to a subnetpool name: add_prefixes operations: @@ -3397,11 +3759,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The subnet pool API now supports system scope and default roles. + deprecated_since: W name: remove_prefixes - deprecated_since: null description: Remove unallocated prefixes from a subnetpool name: remove_prefixes operations: @@ -3410,11 +3772,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: The trunks API now supports system scope and default roles. + deprecated_since: W name: create_trunk - deprecated_since: null description: Create a trunk name: create_trunk operations: @@ -3423,11 +3785,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The trunks API now supports system scope and default roles. + deprecated_since: W name: get_trunk - deprecated_since: null description: Get a trunk name: get_trunk operations: @@ -3448,11 +3810,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The trunks API now supports system scope and default roles. + deprecated_since: W name: update_trunk - deprecated_since: null description: Update a trunk name: update_trunk operations: @@ -3471,11 +3833,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The trunks API now supports system scope and default roles. + deprecated_since: W name: delete_trunk - deprecated_since: null description: Delete a trunk name: delete_trunk operations: @@ -3494,11 +3856,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:reader and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:regular_user + deprecated_reason: The trunks API now supports system scope and default roles. + deprecated_since: W name: get_subports - deprecated_since: null description: List subports attached to a trunk name: get_subports operations: @@ -3507,11 +3869,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The trunks API now supports system scope and default roles. + deprecated_since: W name: add_subports - deprecated_since: null description: Add subports to a trunk name: add_subports operations: @@ -3520,11 +3882,11 @@ scope_types: - project - check_str: (rule:admin_only) or (role:member and project_id:%(project_id)s) - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: The trunks API now supports system scope and default roles. + deprecated_since: W name: remove_subports - deprecated_since: null description: Delete subports from a trunk name: remove_subports operations: diff --git a/openstack_dashboard/conf/default_policies/nova.yaml b/openstack_dashboard/conf/default_policies/nova.yaml index f7eea48d80..f35686f1ca 100644 --- a/openstack_dashboard/conf/default_policies/nova.yaml +++ b/openstack_dashboard/conf/default_policies/nova.yaml @@ -1,9 +1,17 @@ - check_str: role:admin - deprecated_reason: null deprecated_rule: check_str: is_admin:True + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: rule:admin_api - deprecated_since: null description: Decides what is required for the 'is_admin:True' check to succeed. name: context_is_admin operations: [] @@ -41,41 +49,73 @@ operations: [] scope_types: null - check_str: role:member and project_id:%(project_id)s - deprecated_reason: null deprecated_rule: check_str: is_admin:True or project_id:%(project_id)s + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: rule:admin_or_owner - deprecated_since: null description: Default rule for Project level non admin APIs. name: project_member_api operations: [] scope_types: null - check_str: role:reader and project_id:%(project_id)s - deprecated_reason: null deprecated_rule: check_str: is_admin:True or project_id:%(project_id)s + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: rule:admin_or_owner - deprecated_since: null description: Default rule for Project level read only APIs. name: project_reader_api operations: [] scope_types: null - check_str: rule:project_member_api or rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: is_admin:True or project_id:%(project_id)s + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: rule:admin_or_owner - deprecated_since: null description: Default rule for Project Member or admin APIs. name: project_member_or_admin operations: [] scope_types: null - check_str: rule:project_reader_api or rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: is_admin:True or project_id:%(project_id)s + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: rule:admin_or_owner - deprecated_since: null description: Default rule for Project reader or admin APIs. name: project_reader_or_admin operations: [] @@ -193,11 +233,19 @@ scope_types: - project - check_str: rule:project_reader_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-attach-interfaces - deprecated_since: null description: List port interfaces attached to a server name: os_compute_api:os-attach-interfaces:list operations: @@ -206,11 +254,19 @@ scope_types: - project - check_str: rule:project_reader_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-attach-interfaces - deprecated_since: null description: Show details of a port interface attached to a server name: os_compute_api:os-attach-interfaces:show operations: @@ -219,11 +275,19 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-attach-interfaces - deprecated_since: null description: Attach an interface to a server name: os_compute_api:os-attach-interfaces:create operations: @@ -232,11 +296,19 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-attach-interfaces - deprecated_since: null description: Detach an interface from a server name: os_compute_api:os-attach-interfaces:delete operations: @@ -261,11 +333,19 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-baremetal-nodes - deprecated_since: null description: 'List and show details of bare metal nodes. @@ -279,11 +359,19 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-baremetal-nodes - deprecated_since: null description: Show action details for a server. name: os_compute_api:os-baremetal-nodes:show operations: @@ -317,11 +405,19 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-deferred-delete - deprecated_since: null description: Restore a soft deleted server name: os_compute_api:os-deferred-delete:restore operations: @@ -330,11 +426,19 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-deferred-delete - deprecated_since: null description: Force delete a server before deferred cleanup name: os_compute_api:os-deferred-delete:force operations: @@ -432,11 +536,19 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-flavor-access - deprecated_since: null description: 'List flavor access information @@ -533,11 +645,19 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-floating-ips - deprecated_since: null description: Associate floating IPs to server. This API is deprecated. name: os_compute_api:os-floating-ips:add operations: @@ -546,11 +666,19 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-floating-ips - deprecated_since: null description: Disassociate floating IPs to server. This API is deprecated. name: os_compute_api:os-floating-ips:remove operations: @@ -559,11 +687,19 @@ scope_types: - project - check_str: rule:project_reader_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-floating-ips - deprecated_since: null description: List floating IPs. This API is deprecated. name: os_compute_api:os-floating-ips:list operations: @@ -572,11 +708,19 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-floating-ips - deprecated_since: null description: Create floating IPs. This API is deprecated. name: os_compute_api:os-floating-ips:create operations: @@ -585,11 +729,19 @@ scope_types: - project - check_str: rule:project_reader_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-floating-ips - deprecated_since: null description: Show floating IPs. This API is deprecated. name: os_compute_api:os-floating-ips:show operations: @@ -598,11 +750,19 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-floating-ips - deprecated_since: null description: Delete floating IPs. This API is deprecated. name: os_compute_api:os-floating-ips:delete operations: @@ -611,11 +771,19 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-hosts - deprecated_since: null description: 'List physical hosts. @@ -627,11 +795,19 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-hosts - deprecated_since: null description: 'Show physical host. @@ -643,11 +819,19 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-hosts - deprecated_since: null description: 'Update physical host. @@ -659,11 +843,19 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-hosts - deprecated_since: null description: 'Reboot physical host. @@ -675,11 +867,19 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-hosts - deprecated_since: null description: 'Shutdown physical host. @@ -691,11 +891,19 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-hosts - deprecated_since: null description: 'Start physical host. @@ -707,11 +915,19 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-hypervisors - deprecated_since: null description: List all hypervisors. name: os_compute_api:os-hypervisors:list operations: @@ -720,11 +936,19 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-hypervisors - deprecated_since: null description: List all hypervisors with details name: os_compute_api:os-hypervisors:list-detail operations: @@ -733,11 +957,19 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-hypervisors - deprecated_since: null description: Show summary statistics for all hypervisors over all compute nodes. name: os_compute_api:os-hypervisors:statistics operations: @@ -746,11 +978,19 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-hypervisors - deprecated_since: null description: Show details for a hypervisor. name: os_compute_api:os-hypervisors:show operations: @@ -759,11 +999,19 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-hypervisors - deprecated_since: null description: Show the uptime of a hypervisor. name: os_compute_api:os-hypervisors:uptime operations: @@ -772,11 +1020,19 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-hypervisors - deprecated_since: null description: Search hypervisor by hypervisor_hostname pattern. name: os_compute_api:os-hypervisors:search operations: @@ -785,11 +1041,19 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-hypervisors - deprecated_since: null description: List all servers on hypervisors that can match the provided hypervisor_hostname pattern. name: os_compute_api:os-hypervisors:servers @@ -846,11 +1110,19 @@ scope_types: - project - check_str: rule:project_reader_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-instance-actions - deprecated_since: null description: List actions for a server. name: os_compute_api:os-instance-actions:list operations: @@ -859,11 +1131,19 @@ scope_types: - project - check_str: rule:project_reader_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-instance-actions - deprecated_since: null description: Show action details for a server. name: os_compute_api:os-instance-actions:show operations: @@ -872,11 +1152,19 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-instance-usage-audit-log - deprecated_since: null description: List all usage audits. name: os_compute_api:os-instance-usage-audit-log:list operations: @@ -885,11 +1173,19 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-instance-usage-audit-log - deprecated_since: null description: List all usage audits occurred before a specified time for all servers on all compute hosts where usage auditing is configured name: os_compute_api:os-instance-usage-audit-log:show @@ -955,11 +1251,19 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-used-limits - deprecated_since: null description: 'Show rate and absolute limits of other project. @@ -1036,11 +1340,19 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-multinic - deprecated_since: null description: 'Add a fixed IP address to a server. @@ -1054,11 +1366,19 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-multinic - deprecated_since: null description: 'Remove a fixed IP address from a server. @@ -1072,11 +1392,19 @@ scope_types: - project - check_str: rule:project_reader_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-networks:view - deprecated_since: null description: 'List networks for the project. @@ -1088,11 +1416,19 @@ scope_types: - project - check_str: rule:project_reader_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-networks:view - deprecated_since: null description: 'Show network details. @@ -1210,11 +1546,17 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Rescue/Unrescue API policies are made granular with new policy + + for unrescue and keeping old policy for rescue. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-rescue - deprecated_since: null description: Unrescue a server name: os_compute_api:os-unrescue operations: @@ -1223,11 +1565,19 @@ scope_types: - project - check_str: rule:project_reader_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-security-groups - deprecated_since: null description: List security groups. This API is deprecated. name: os_compute_api:os-security-groups:get operations: @@ -1236,11 +1586,19 @@ scope_types: - project - check_str: rule:project_reader_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-security-groups - deprecated_since: null description: Show security group. This API is deprecated. name: os_compute_api:os-security-groups:show operations: @@ -1249,11 +1607,19 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-security-groups - deprecated_since: null description: Create security group. This API is deprecated. name: os_compute_api:os-security-groups:create operations: @@ -1262,11 +1628,19 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-security-groups - deprecated_since: null description: Update security group. This API is deprecated. name: os_compute_api:os-security-groups:update operations: @@ -1275,11 +1649,19 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-security-groups - deprecated_since: null description: Delete security group. This API is deprecated. name: os_compute_api:os-security-groups:delete operations: @@ -1288,11 +1670,19 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-security-groups - deprecated_since: null description: Create security group Rule. This API is deprecated. name: os_compute_api:os-security-groups:rule:create operations: @@ -1301,11 +1691,19 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-security-groups - deprecated_since: null description: Delete security group Rule. This API is deprecated. name: os_compute_api:os-security-groups:rule:delete operations: @@ -1314,11 +1712,19 @@ scope_types: - project - check_str: rule:project_reader_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-security-groups - deprecated_since: null description: List security groups of server. name: os_compute_api:os-security-groups:list operations: @@ -1327,11 +1733,19 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-security-groups - deprecated_since: null description: Add security groups to server. name: os_compute_api:os-security-groups:add operations: @@ -1340,11 +1754,19 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-security-groups - deprecated_since: null description: Remove security groups from server. name: os_compute_api:os-security-groups:remove operations: @@ -1457,11 +1879,19 @@ scope_types: - project - check_str: rule:project_reader_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-server-password - deprecated_since: null description: Show the encrypted administrative password of a server name: os_compute_api:os-server-password:show operations: @@ -1470,11 +1900,19 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-server-password - deprecated_since: null description: Clear the encrypted administrative password of a server name: os_compute_api:os-server-password:clear operations: @@ -1598,19 +2036,11 @@ scope_types: - project - check_str: rule:project_reader_or_admin - deprecated_reason: ' - - Policies for showing flavor extra specs in server APIs response is - - separated as new policy. This policy is deprecated only for that but - - not for list extra specs and showing it in flavor API response. - - ' deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: null + deprecated_since: null name: os_compute_api:os-flavor-extra-specs:index - deprecated_since: 25.0.0 description: Starting with microversion 2.47, the flavor and its extra specs used for a server is also returned in the response when showing server details, updating a server or rebuilding a server. @@ -1957,11 +2387,19 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-services - deprecated_since: null description: List all running Compute services in a region. name: os_compute_api:os-services:list operations: @@ -1970,11 +2408,19 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-services - deprecated_since: null description: Update a Compute service. name: os_compute_api:os-services:update operations: @@ -1983,11 +2429,19 @@ scope_types: - project - check_str: rule:context_is_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_api + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 21.0.0 name: os_compute_api:os-services - deprecated_since: null description: Delete a Compute service. name: os_compute_api:os-services:delete operations: @@ -2060,11 +2514,19 @@ scope_types: - project - check_str: rule:project_reader_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-tenant-networks - deprecated_since: null description: 'List project networks. @@ -2076,11 +2538,19 @@ scope_types: - project - check_str: rule:project_reader_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-tenant-networks - deprecated_since: null description: 'Show project network details. @@ -2092,11 +2562,19 @@ scope_types: - project - check_str: rule:project_reader_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-volumes - deprecated_since: null description: 'List volumes. @@ -2108,11 +2586,19 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-volumes - deprecated_since: null description: 'Create volume. @@ -2124,11 +2610,19 @@ scope_types: - project - check_str: rule:project_reader_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-volumes - deprecated_since: null description: 'List volumes detail. @@ -2140,11 +2634,19 @@ scope_types: - project - check_str: rule:project_reader_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-volumes - deprecated_since: null description: 'Show volume. @@ -2156,11 +2658,19 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-volumes - deprecated_since: null description: 'Delete volume. @@ -2172,11 +2682,19 @@ scope_types: - project - check_str: rule:project_reader_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-volumes - deprecated_since: null description: 'List snapshots. @@ -2188,11 +2706,19 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-volumes - deprecated_since: null description: 'Create snapshots. @@ -2204,11 +2730,19 @@ scope_types: - project - check_str: rule:project_reader_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-volumes - deprecated_since: null description: 'List snapshots details. @@ -2220,11 +2754,19 @@ scope_types: - project - check_str: rule:project_reader_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-volumes - deprecated_since: null description: 'Show snapshot. @@ -2236,11 +2778,19 @@ scope_types: - project - check_str: rule:project_member_or_admin - deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner + deprecated_reason: ' + + Nova API policies are introducing new default roles with scope_type + + capabilities. Old policies are deprecated and silently going to be ignored + + in nova 23.0.0 release. + + ' + deprecated_since: 22.0.0 name: os_compute_api:os-volumes - deprecated_since: null description: 'Delete snapshot. diff --git a/openstack_dashboard/management/commands/dump_default_policies.py b/openstack_dashboard/management/commands/dump_default_policies.py index 38273a05aa..3f191c63b1 100644 --- a/openstack_dashboard/management/commands/dump_default_policies.py +++ b/openstack_dashboard/management/commands/dump_default_policies.py @@ -44,9 +44,9 @@ def _format_default_policy(default): data['deprecated_rule'] = { 'name': default.deprecated_rule.name, 'check_str': default.deprecated_rule.check_str, + 'deprecated_since': default.deprecated_rule.deprecated_since, + 'deprecated_reason': default.deprecated_rule.deprecated_reason, } - data['deprecated_since'] = default.deprecated_since - data['deprecated_reason'] = default.deprecated_reason return data