- check_str: is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s
  description: 'DEPRECATED: This rule will be removed in the Yoga release. Default rule for most non-Admin APIs.'
  name: admin_or_owner
  operations: []
  scope_types: null
- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s) or (role:admin and project_id:%(project_id)s)
  description: 'DEPRECATED: This rule will be removed in the Yoga release. Default rule for admins of cloud, domain or a project.'
  name: system_or_domain_or_project_admin
  operations: []
  scope_types: null
- check_str: role:admin
  description: Decides what is required for the 'is_admin:True' check to succeed.
  name: context_is_admin
  operations: []
  scope_types: null
- check_str: is_admin:True or (role:admin and is_admin_project:True)
  description: Default rule for most Admin APIs.
  name: admin_api
  operations: []
  scope_types: null
- check_str: (role:admin) or (role:reader and project_id:%(project_id)s)
  description: 'NOTE: this purely role-based rule recognizes only project scope'
  name: xena_system_admin_or_project_reader
  operations: []
  scope_types: null
- check_str: (role:admin) or (role:member and project_id:%(project_id)s)
  description: 'NOTE: this purely role-based rule recognizes only project scope'
  name: xena_system_admin_or_project_member
  operations: []
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: ''
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume:attachment_create
  description: Create attachment.
  name: volume:attachment_create
  operations:
  - method: POST
    path: /attachments
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume:attachment_update
  description: Update attachment.
  name: volume:attachment_update
  operations:
  - method: PUT
    path: /attachments/{attachment_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume:attachment_delete
  description: Delete attachment.
  name: volume:attachment_delete
  operations:
  - method: DELETE
    path: /attachments/{attachment_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume:attachment_complete
  description: Mark a volume attachment process as completed (in-use)
  name: volume:attachment_complete
  operations:
  - method: POST
    path: /attachments/{attachment_id}/action (os-complete)
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume:multiattach_bootable_volume
  description: Allow multiattach of bootable volumes.
  name: volume:multiattach_bootable_volume
  operations:
  - method: POST
    path: /attachments
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: message:get_all
  description: List messages.
  name: message:get_all
  operations:
  - method: GET
    path: /messages
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: message:get
  description: Show message.
  name: message:get
  operations:
  - method: GET
    path: /messages/{message_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: message:delete
  description: Delete message.
  name: message:delete
  operations:
  - method: DELETE
    path: /messages/{message_id}
  scope_types: null
- check_str: rule:admin_api
  description: List clusters.
  name: clusters:get_all
  operations:
  - method: GET
    path: /clusters
  - method: GET
    path: /clusters/detail
  scope_types: null
- check_str: rule:admin_api
  description: Show cluster.
  name: clusters:get
  operations:
  - method: GET
    path: /clusters/{cluster_id}
  scope_types: null
- check_str: rule:admin_api
  description: Update cluster.
  name: clusters:update
  operations:
  - method: PUT
    path: /clusters/{cluster_id}
  scope_types: null
- check_str: rule:admin_api
  description: Clean up workers.
  name: workers:cleanup
  operations:
  - method: POST
    path: /workers/cleanup
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume:get_snapshot_metadata
  description: Show snapshot's metadata or one specified metadata with a given key.
  name: volume:get_snapshot_metadata
  operations:
  - method: GET
    path: /snapshots/{snapshot_id}/metadata
  - method: GET
    path: /snapshots/{snapshot_id}/metadata/{key}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume:update_snapshot_metadata
  description: Update snapshot's metadata or one specified metadata with a given key.
  name: volume:update_snapshot_metadata
  operations:
  - method: POST
    path: /snapshots/{snapshot_id}/metadata
  - method: PUT
    path: /snapshots/{snapshot_id}/metadata/{key}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume:delete_snapshot_metadata
  description: Delete snapshot's specified metadata with a given key.
  name: volume:delete_snapshot_metadata
  operations:
  - method: DELETE
    path: /snapshots/{snapshot_id}/metadata/{key}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume:get_all_snapshots
  description: List snapshots.
  name: volume:get_all_snapshots
  operations:
  - method: GET
    path: /snapshots
  - method: GET
    path: /snapshots/detail
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume_extension:extended_snapshot_attributes
  description: List or show snapshots with extended attributes.
  name: volume_extension:extended_snapshot_attributes
  operations:
  - method: GET
    path: /snapshots/{snapshot_id}
  - method: GET
    path: /snapshots/detail
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume:create_snapshot
  description: Create snapshot.
  name: volume:create_snapshot
  operations:
  - method: POST
    path: /snapshots
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume:get_snapshot
  description: Show snapshot.
  name: volume:get_snapshot
  operations:
  - method: GET
    path: /snapshots/{snapshot_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume:update_snapshot
  description: Update snapshot.
  name: volume:update_snapshot
  operations:
  - method: PUT
    path: /snapshots/{snapshot_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume:delete_snapshot
  description: Delete snapshot.
  name: volume:delete_snapshot
  operations:
  - method: DELETE
    path: /snapshots/{snapshot_id}
  scope_types: null
- check_str: rule:admin_api
  description: Reset status of a snapshot.
  name: volume_extension:snapshot_admin_actions:reset_status
  operations:
  - method: POST
    path: /snapshots/{snapshot_id}/action (os-reset_status)
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: ''
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: snapshot_extension:snapshot_actions:update_snapshot_status
  description: Update database fields of snapshot.
  name: snapshot_extension:snapshot_actions:update_snapshot_status
  operations:
  - method: POST
    path: /snapshots/{snapshot_id}/action (update_snapshot_status)
  scope_types: null
- check_str: rule:admin_api
  description: Force delete a snapshot.
  name: volume_extension:snapshot_admin_actions:force_delete
  operations:
  - method: POST
    path: /snapshots/{snapshot_id}/action (os-force_delete)
  scope_types: null
- check_str: rule:admin_api
  description: List (in detail) of snapshots which are available to manage.
  name: snapshot_extension:list_manageable
  operations:
  - method: GET
    path: /manageable_snapshots
  - method: GET
    path: /manageable_snapshots/detail
  scope_types: null
- check_str: rule:admin_api
  description: Manage an existing snapshot.
  name: snapshot_extension:snapshot_manage
  operations:
  - method: POST
    path: /manageable_snapshots
  scope_types: null
- check_str: rule:admin_api
  description: Stop managing a snapshot.
  name: snapshot_extension:snapshot_unmanage
  operations:
  - method: POST
    path: /snapshots/{snapshot_id}/action (os-unmanage)
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: backup:get_all
  description: List backups.
  name: backup:get_all
  operations:
  - method: GET
    path: /backups
  - method: GET
    path: /backups/detail
  scope_types: null
- check_str: rule:admin_api
  description: List backups or show backup with project attributes.
  name: backup:backup_project_attribute
  operations:
  - method: GET
    path: /backups/{backup_id}
  - method: GET
    path: /backups/detail
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: ''
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: backup:create
  description: Create backup.
  name: backup:create
  operations:
  - method: POST
    path: /backups
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: backup:get
  description: Show backup.
  name: backup:get
  operations:
  - method: GET
    path: /backups/{backup_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: backup:update
  description: Update backup.
  name: backup:update
  operations:
  - method: PUT
    path: /backups/{backup_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: backup:delete
  description: Delete backup.
  name: backup:delete
  operations:
  - method: DELETE
    path: /backups/{backup_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: backup:restore
  description: Restore backup.
  name: backup:restore
  operations:
  - method: POST
    path: /backups/{backup_id}/restore
  scope_types: null
- check_str: rule:admin_api
  description: Import backup.
  name: backup:backup-import
  operations:
  - method: POST
    path: /backups/{backup_id}/import_record
  scope_types: null
- check_str: rule:admin_api
  description: Export backup.
  name: backup:export-import
  operations:
  - method: POST
    path: /backups/{backup_id}/export_record
  scope_types: null
- check_str: rule:admin_api
  description: Reset status of a backup.
  name: volume_extension:backup_admin_actions:reset_status
  operations:
  - method: POST
    path: /backups/{backup_id}/action (os-reset_status)
  scope_types: null
- check_str: rule:admin_api
  description: Force delete a backup.
  name: volume_extension:backup_admin_actions:force_delete
  operations:
  - method: POST
    path: /backups/{backup_id}/action (os-force_delete)
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: group:get_all
  description: List groups.
  name: group:get_all
  operations:
  - method: GET
    path: /groups
  - method: GET
    path: /groups/detail
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: ''
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: group:create
  description: Create group.
  name: group:create
  operations:
  - method: POST
    path: /groups
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: group:get
  description: Show group.
  name: group:get
  operations:
  - method: GET
    path: /groups/{group_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: group:update
  description: Update group.
  name: group:update
  operations:
  - method: PUT
    path: /groups/{group_id}
  scope_types: null
- check_str: rule:admin_api
  description: List groups or show group with project attributes.
  name: group:group_project_attribute
  operations:
  - method: GET
    path: /groups/{group_id}
  - method: GET
    path: /groups/detail
  scope_types: null
- check_str: rule:admin_api
  deprecated_rule:
    check_str: rule:admin_api
    deprecated_reason: group:group_types_manage has been replaced by more granular policies that separately govern POST, PUT, and DELETE operations.
    deprecated_since: X
    name: group:group_types_manage
  description: Create a group type.
  name: group:group_types:create
  operations:
  - method: POST
    path: /group_types/
  scope_types: null
- check_str: rule:admin_api
  deprecated_rule:
    check_str: rule:admin_api
    deprecated_reason: group:group_types_manage has been replaced by more granular policies that separately govern POST, PUT, and DELETE operations.
    deprecated_since: X
    name: group:group_types_manage
  description: Update a group type.
  name: group:group_types:update
  operations:
  - method: PUT
    path: /group_types/{group_type_id}
  scope_types: null
- check_str: rule:admin_api
  deprecated_rule:
    check_str: rule:admin_api
    deprecated_reason: group:group_types_manage has been replaced by more granular policies that separately govern POST, PUT, and DELETE operations.
    deprecated_since: X
    name: group:group_types_manage
  description: Delete a group type.
  name: group:group_types:delete
  operations:
  - method: DELETE
    path: /group_types/{group_type_id}
  scope_types: null
- check_str: rule:admin_api
  description: Show group type with type specs attributes.
  name: group:access_group_types_specs
  operations:
  - method: GET
    path: /group_types/{group_type_id}
  scope_types: null
- check_str: rule:admin_api
  deprecated_rule:
    check_str: rule:admin_api
    deprecated_reason: group:group_types_specs has been replaced by more granular policies that separately govern GET, POST, PUT, and DELETE operations.
    deprecated_since: X
    name: group:group_types_specs
  description: Show a group type spec.
  name: group:group_types_specs:get
  operations:
  - method: GET
    path: /group_types/{group_type_id}/group_specs/{g_spec_id}
  scope_types: null
- check_str: rule:admin_api
  deprecated_rule:
    check_str: rule:admin_api
    deprecated_reason: group:group_types_specs has been replaced by more granular policies that separately govern GET, POST, PUT, and DELETE operations.
    deprecated_since: X
    name: group:group_types_specs
  description: List group type specs.
  name: group:group_types_specs:get_all
  operations:
  - method: GET
    path: /group_types/{group_type_id}/group_specs
  scope_types: null
- check_str: rule:admin_api
  deprecated_rule:
    check_str: rule:admin_api
    deprecated_reason: group:group_types_specs has been replaced by more granular policies that separately govern GET, POST, PUT, and DELETE operations.
    deprecated_since: X
    name: group:group_types_specs
  description: Create a group type spec.
  name: group:group_types_specs:create
  operations:
  - method: POST
    path: /group_types/{group_type_id}/group_specs
  scope_types: null
- check_str: rule:admin_api
  deprecated_rule:
    check_str: rule:admin_api
    deprecated_reason: group:group_types_specs has been replaced by more granular policies that separately govern GET, POST, PUT, and DELETE operations.
    deprecated_since: X
    name: group:group_types_specs
  description: Update a group type spec.
  name: group:group_types_specs:update
  operations:
  - method: PUT
    path: /group_types/{group_type_id}/group_specs/{g_spec_id}
  scope_types: null
- check_str: rule:admin_api
  deprecated_rule:
    check_str: rule:admin_api
    deprecated_reason: group:group_types_specs has been replaced by more granular policies that separately govern GET, POST, PUT, and DELETE operations.
    deprecated_since: X
    name: group:group_types_specs
  description: Delete a group type spec.
  name: group:group_types_specs:delete
  operations:
  - method: DELETE
    path: /group_types/{group_type_id}/group_specs/{g_spec_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: group:get_all_group_snapshots
  description: List group snapshots.
  name: group:get_all_group_snapshots
  operations:
  - method: GET
    path: /group_snapshots
  - method: GET
    path: /group_snapshots/detail
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: ''
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: group:create_group_snapshot
  description: Create group snapshot.
  name: group:create_group_snapshot
  operations:
  - method: POST
    path: /group_snapshots
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: group:get_group_snapshot
  description: Show group snapshot.
  name: group:get_group_snapshot
  operations:
  - method: GET
    path: /group_snapshots/{group_snapshot_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: group:delete_group_snapshot
  description: Delete group snapshot.
  name: group:delete_group_snapshot
  operations:
  - method: DELETE
    path: /group_snapshots/{group_snapshot_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: group:update_group_snapshot
  description: Update group snapshot.
  name: group:update_group_snapshot
  operations:
  - method: PUT
    path: /group_snapshots/{group_snapshot_id}
  scope_types: null
- check_str: rule:admin_api
  description: List group snapshots or show group snapshot with project attributes.
  name: group:group_snapshot_project_attribute
  operations:
  - method: GET
    path: /group_snapshots/{group_snapshot_id}
  - method: GET
    path: /group_snapshots/detail
  scope_types: null
- check_str: rule:admin_api
  description: Reset status of group snapshot.
  name: group:reset_group_snapshot_status
  operations:
  - method: POST
    path: /group_snapshots/{g_snapshot_id}/action (reset_status)
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: group:delete
  description: Delete group.
  name: group:delete
  operations:
  - method: POST
    path: /groups/{group_id}/action (delete)
  scope_types: null
- check_str: rule:admin_api
  description: Reset status of group.
  name: group:reset_status
  operations:
  - method: POST
    path: /groups/{group_id}/action (reset_status)
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: group:enable_replication
  description: Enable replication.
  name: group:enable_replication
  operations:
  - method: POST
    path: /groups/{group_id}/action (enable_replication)
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: group:disable_replication
  description: Disable replication.
  name: group:disable_replication
  operations:
  - method: POST
    path: /groups/{group_id}/action (disable_replication)
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: group:failover_replication
  description: Fail over replication.
  name: group:failover_replication
  operations:
  - method: POST
    path: /groups/{group_id}/action (failover_replication)
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: group:list_replication_targets
  description: List failover replication.
  name: group:list_replication_targets
  operations:
  - method: POST
    path: /groups/{group_id}/action (list_replication_targets)
  scope_types: null
- check_str: rule:admin_api
  description: List qos specs or list all associations.
  name: volume_extension:qos_specs_manage:get_all
  operations:
  - method: GET
    path: /qos-specs
  - method: GET
    path: /qos-specs/{qos_id}/associations
  scope_types: null
- check_str: rule:admin_api
  description: Show qos specs.
  name: volume_extension:qos_specs_manage:get
  operations:
  - method: GET
    path: /qos-specs/{qos_id}
  scope_types: null
- check_str: rule:admin_api
  description: Create qos specs.
  name: volume_extension:qos_specs_manage:create
  operations:
  - method: POST
    path: /qos-specs
  scope_types: null
- check_str: rule:admin_api
  description: Update qos specs (including updating association).
  name: volume_extension:qos_specs_manage:update
  operations:
  - method: PUT
    path: /qos-specs/{qos_id}
  - method: GET
    path: /qos-specs/{qos_id}/disassociate_all
  - method: GET
    path: /qos-specs/{qos_id}/associate
  - method: GET
    path: /qos-specs/{qos_id}/disassociate
  scope_types: null
- check_str: rule:admin_api
  description: delete qos specs or unset one specified qos key.
  name: volume_extension:qos_specs_manage:delete
  operations:
  - method: DELETE
    path: /qos-specs/{qos_id}
  - method: PUT
    path: /qos-specs/{qos_id}/delete_keys
  scope_types: null
- check_str: rule:admin_api
  deprecated_rule:
    check_str: rule:admin_api
    deprecated_reason: volume_extension:quota_classes has been replaced by more granular policies that separately govern GET and PUT operations.
    deprecated_since: X
    name: volume_extension:quota_classes
  description: Show project quota class.
  name: volume_extension:quota_classes:get
  operations:
  - method: GET
    path: /os-quota-class-sets/{project_id}
  scope_types: null
- check_str: rule:admin_api
  deprecated_rule:
    check_str: rule:admin_api
    deprecated_reason: volume_extension:quota_classes has been replaced by more granular policies that separately govern GET and PUT operations.
    deprecated_since: X
    name: volume_extension:quota_classes
  description: Update project quota class.
  name: volume_extension:quota_classes:update
  operations:
  - method: PUT
    path: /os-quota-class-sets/{project_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: null
    deprecated_since: null
    name: volume_extension:quotas:show
  description: Show project quota (including usage and default).
  name: volume_extension:quotas:show
  operations:
  - method: GET
    path: /os-quota-sets/{project_id}
  - method: GET
    path: /os-quota-sets/{project_id}/default
  - method: GET
    path: /os-quota-sets/{project_id}?usage=True
  scope_types: null
- check_str: rule:admin_api
  description: Update project quota.
  name: volume_extension:quotas:update
  operations:
  - method: PUT
    path: /os-quota-sets/{project_id}
  scope_types: null
- check_str: rule:admin_api
  description: Delete project quota.
  name: volume_extension:quotas:delete
  operations:
  - method: DELETE
    path: /os-quota-sets/{project_id}
  scope_types: null
- check_str: rule:admin_api
  description: Show backend capabilities.
  name: volume_extension:capabilities
  operations:
  - method: GET
    path: /capabilities/{host_name}
  scope_types: null
- check_str: rule:admin_api
  description: List all services.
  name: volume_extension:services:index
  operations:
  - method: GET
    path: /os-services
  scope_types: null
- check_str: rule:admin_api
  description: Update service, including failover_host, thaw, freeze, disable, enable, set-log and get-log actions.
  name: volume_extension:services:update
  operations:
  - method: PUT
    path: /os-services/{action}
  scope_types: null
- check_str: rule:admin_api
  description: Freeze a backend host.
  name: volume:freeze_host
  operations:
  - method: PUT
    path: /os-services/freeze
  scope_types: null
- check_str: rule:admin_api
  description: Thaw a backend host.
  name: volume:thaw_host
  operations:
  - method: PUT
    path: /os-services/thaw
  scope_types: null
- check_str: rule:admin_api
  description: Failover a backend host.
  name: volume:failover_host
  operations:
  - method: PUT
    path: /os-services/failover_host
  scope_types: null
- check_str: rule:admin_api
  description: List all backend pools.
  name: scheduler_extension:scheduler_stats:get_pools
  operations:
  - method: GET
    path: /scheduler-stats/get_pools
  scope_types: null
- check_str: rule:admin_api
  description: List, update or show hosts for a project.
  name: volume_extension:hosts
  operations:
  - method: GET
    path: /os-hosts
  - method: PUT
    path: /os-hosts/{host_name}
  - method: GET
    path: /os-hosts/{host_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: limits_extension:used_limits
  description: Show limits with used limit attributes.
  name: limits_extension:used_limits
  operations:
  - method: GET
    path: /limits
  scope_types: null
- check_str: rule:admin_api
  description: List (in detail) of volumes which are available to manage.
  name: volume_extension:list_manageable
  operations:
  - method: GET
    path: /manageable_volumes
  - method: GET
    path: /manageable_volumes/detail
  scope_types: null
- check_str: rule:admin_api
  description: Manage existing volumes.
  name: volume_extension:volume_manage
  operations:
  - method: POST
    path: /manageable_volumes
  scope_types: null
- check_str: rule:admin_api
  description: Stop managing a volume.
  name: volume_extension:volume_unmanage
  operations:
  - method: POST
    path: /volumes/{volume_id}/action (os-unmanage)
  scope_types: null
- check_str: rule:admin_api
  deprecated_rule:
    check_str: rule:admin_api
    deprecated_reason: volume_extension:types_manage has been replaced by more granular policies that separately govern POST, PUT, and DELETE operations.
    deprecated_since: X
    name: volume_extension:types_manage
  description: Create volume type.
name: volume_extension:type_create operations: - method: POST path: /types scope_types: null - check_str: rule:admin_api deprecated_rule: check_str: rule:admin_api deprecated_reason: volume_extension:types_manage has been replaced by more granular policies that separately govern POST, PUT, and DELETE operations. deprecated_since: X name: volume_extension:types_manage description: Update volume type. name: volume_extension:type_update operations: - method: PUT path: /types scope_types: null - check_str: rule:admin_api deprecated_rule: check_str: rule:admin_api deprecated_reason: volume_extension:types_manage has been replaced by more granular policies that separately govern POST, PUT, and DELETE operations. deprecated_since: X name: volume_extension:types_manage description: Delete volume type. name: volume_extension:type_delete operations: - method: DELETE path: /types scope_types: null - check_str: rule:xena_system_admin_or_project_reader deprecated_rule: check_str: '' deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume_extension:type_get description: Get one specific volume type. name: volume_extension:type_get operations: - method: GET path: /types/{type_id} scope_types: null - check_str: rule:xena_system_admin_or_project_reader deprecated_rule: check_str: '' deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume_extension:type_get_all description: List volume types. 
name: volume_extension:type_get_all operations: - method: GET path: /types/ scope_types: null - check_str: rule:xena_system_admin_or_project_reader deprecated_rule: check_str: rule:admin_api deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume_extension:access_types_extra_specs description: Include the volume type's extra_specs attribute in the volume type list or show requests. The ability to make these calls is governed by other policies. name: volume_extension:access_types_extra_specs operations: - method: GET path: /types/{type_id} - method: GET path: /types scope_types: null - check_str: rule:admin_api description: Include the volume type's QoS specifications ID attribute in the volume type list or show requests. The ability to make these calls is governed by other policies. name: volume_extension:access_types_qos_specs_id operations: - method: GET path: /types/{type_id} - method: GET path: /types scope_types: null - check_str: rule:admin_api description: 'DEPRECATED: This rule will be removed in the Yoga release.' name: volume_extension:volume_type_encryption operations: [] scope_types: null - check_str: rule:admin_api deprecated_rule: check_str: rule:volume_extension:volume_type_encryption deprecated_reason: 'Reason: ''volume_extension:volume_type_encryption'' was a convenience policy that allowed you to set all volume encryption type policies to the same value. We are deprecating this rule to prepare for a future release in which the default values for policies that read, create/update, and delete encryption types will be different from each other.' deprecated_since: X name: volume_extension:volume_type_encryption:create description: Create volume type encryption. 
name: volume_extension:volume_type_encryption:create operations: - method: POST path: /types/{type_id}/encryption scope_types: null - check_str: rule:admin_api deprecated_rule: check_str: rule:volume_extension:volume_type_encryption deprecated_reason: 'Reason: ''volume_extension:volume_type_encryption'' was a convenience policy that allowed you to set all volume encryption type policies to the same value. We are deprecating this rule to prepare for a future release in which the default values for policies that read, create/update, and delete encryption types will be different from each other.' deprecated_since: X name: volume_extension:volume_type_encryption:get description: Show a volume type's encryption type, show an encryption specs item. name: volume_extension:volume_type_encryption:get operations: - method: GET path: /types/{type_id}/encryption - method: GET path: /types/{type_id}/encryption/{key} scope_types: null - check_str: rule:admin_api deprecated_rule: check_str: rule:volume_extension:volume_type_encryption deprecated_reason: 'Reason: ''volume_extension:volume_type_encryption'' was a convenience policy that allowed you to set all volume encryption type policies to the same value. We are deprecating this rule to prepare for a future release in which the default values for policies that read, create/update, and delete encryption types will be different from each other.' deprecated_since: X name: volume_extension:volume_type_encryption:update description: Update volume type encryption. name: volume_extension:volume_type_encryption:update operations: - method: PUT path: /types/{type_id}/encryption/{encryption_id} scope_types: null - check_str: rule:admin_api deprecated_rule: check_str: rule:volume_extension:volume_type_encryption deprecated_reason: 'Reason: ''volume_extension:volume_type_encryption'' was a convenience policy that allowed you to set all volume encryption type policies to the same value. 
We are deprecating this rule to prepare for a future release in which the default values for policies that read, create/update, and delete encryption types will be different from each other.' deprecated_since: X name: volume_extension:volume_type_encryption:delete description: Delete volume type encryption. name: volume_extension:volume_type_encryption:delete operations: - method: DELETE path: /types/{type_id}/encryption/{encryption_id} scope_types: null - check_str: rule:xena_system_admin_or_project_member deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume_extension:volume_type_access description: Adds the boolean field 'os-volume-type-access:is_public' to the responses for these API calls. The ability to make these calls is governed by other policies. name: volume_extension:volume_type_access operations: - method: GET path: /types - method: GET path: /types/{type_id} - method: POST path: /types scope_types: null - check_str: rule:admin_api description: Add volume type access for project. name: volume_extension:volume_type_access:addProjectAccess operations: - method: POST path: /types/{type_id}/action (addProjectAccess) scope_types: null - check_str: rule:admin_api description: Remove volume type access for project. 
name: volume_extension:volume_type_access:removeProjectAccess operations: - method: POST path: /types/{type_id}/action (removeProjectAccess) scope_types: null - check_str: rule:admin_api deprecated_rule: check_str: volume_extension:volume_type_access deprecated_reason: 'Reason: ''volume_extension:volume_type_access:get_all_for_type'' is a new policy that protects an API call formerly governed by ''volume_extension:volume_type_access'', but which has been separated for finer-grained policy control.' deprecated_since: X name: volume_extension:volume_type_access:get_all_for_type description: List private volume type access detail, that is, list the projects that have access to this volume type. name: volume_extension:volume_type_access:get_all_for_type operations: - method: GET path: /types/{type_id}/os-volume-type-access scope_types: null - check_str: rule:xena_system_admin_or_project_member deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume:extend description: Extend a volume. name: volume:extend operations: - method: POST path: /volumes/{volume_id}/action (os-extend) scope_types: null - check_str: rule:xena_system_admin_or_project_member deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume:extend_attached_volume description: Extend a attached volume. 
name: volume:extend_attached_volume operations: - method: POST path: /volumes/{volume_id}/action (os-extend) scope_types: null - check_str: rule:admin_api description: Complete a volume extend operation. name: volume_extension:volume_admin_actions:extend_volume_completion operations: - method: POST path: /volumes/{volume_id}/action (os-extend_volume_completion) scope_types: null - check_str: rule:xena_system_admin_or_project_member deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume:revert_to_snapshot description: Revert a volume to a snapshot. name: volume:revert_to_snapshot operations: - method: POST path: /volumes/{volume_id}/action (revert) scope_types: null - check_str: rule:admin_api description: Reset status of a volume. name: volume_extension:volume_admin_actions:reset_status operations: - method: POST path: /volumes/{volume_id}/action (os-reset_status) scope_types: null - check_str: rule:xena_system_admin_or_project_member deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume:retype description: Retype a volume. 
name: volume:retype operations: - method: POST path: /volumes/{volume_id}/action (os-retype) scope_types: null - check_str: rule:xena_system_admin_or_project_member deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume:update_readonly_flag description: Update a volume's readonly flag. name: volume:update_readonly_flag operations: - method: POST path: /volumes/{volume_id}/action (os-update_readonly_flag) scope_types: null - check_str: rule:admin_api description: Force delete a volume. name: volume_extension:volume_admin_actions:force_delete operations: - method: POST path: /volumes/{volume_id}/action (os-force_delete) scope_types: null - check_str: rule:admin_api description: Upload a volume to image with public visibility. name: volume_extension:volume_actions:upload_public operations: - method: POST path: /volumes/{volume_id}/action (os-volume_upload_image) scope_types: null - check_str: rule:xena_system_admin_or_project_member deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume_extension:volume_actions:upload_image description: Upload a volume to image. name: volume_extension:volume_actions:upload_image operations: - method: POST path: /volumes/{volume_id}/action (os-volume_upload_image) scope_types: null - check_str: rule:admin_api description: Force detach a volume. 
name: volume_extension:volume_admin_actions:force_detach operations: - method: POST path: /volumes/{volume_id}/action (os-force_detach) scope_types: null - check_str: rule:admin_api description: migrate a volume to a specified host. name: volume_extension:volume_admin_actions:migrate_volume operations: - method: POST path: /volumes/{volume_id}/action (os-migrate_volume) scope_types: null - check_str: rule:admin_api description: Complete a volume migration. name: volume_extension:volume_admin_actions:migrate_volume_completion operations: - method: POST path: /volumes/{volume_id}/action (os-migrate_volume_completion) scope_types: null - check_str: rule:xena_system_admin_or_project_member deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume_extension:volume_actions:initialize_connection description: Initialize volume attachment. name: volume_extension:volume_actions:initialize_connection operations: - method: POST path: /volumes/{volume_id}/action (os-initialize_connection) scope_types: null - check_str: rule:xena_system_admin_or_project_member deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume_extension:volume_actions:terminate_connection description: Terminate volume attachment. 
name: volume_extension:volume_actions:terminate_connection operations: - method: POST path: /volumes/{volume_id}/action (os-terminate_connection) scope_types: null - check_str: rule:xena_system_admin_or_project_member deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume_extension:volume_actions:roll_detaching description: Roll back volume status to 'in-use'. name: volume_extension:volume_actions:roll_detaching operations: - method: POST path: /volumes/{volume_id}/action (os-roll_detaching) scope_types: null - check_str: rule:xena_system_admin_or_project_member deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume_extension:volume_actions:reserve description: Mark volume as reserved. name: volume_extension:volume_actions:reserve operations: - method: POST path: /volumes/{volume_id}/action (os-reserve) scope_types: null - check_str: rule:xena_system_admin_or_project_member deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume_extension:volume_actions:unreserve description: Unmark volume as reserved. 
name: volume_extension:volume_actions:unreserve operations: - method: POST path: /volumes/{volume_id}/action (os-unreserve) scope_types: null - check_str: rule:xena_system_admin_or_project_member deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume_extension:volume_actions:begin_detaching description: Begin detach volumes. name: volume_extension:volume_actions:begin_detaching operations: - method: POST path: /volumes/{volume_id}/action (os-begin_detaching) scope_types: null - check_str: rule:xena_system_admin_or_project_member deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume_extension:volume_actions:attach description: Add attachment metadata. name: volume_extension:volume_actions:attach operations: - method: POST path: /volumes/{volume_id}/action (os-attach) scope_types: null - check_str: rule:xena_system_admin_or_project_member deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume_extension:volume_actions:detach description: Clear attachment metadata. 
name: volume_extension:volume_actions:detach operations: - method: POST path: /volumes/{volume_id}/action (os-detach) scope_types: null - check_str: rule:xena_system_admin_or_project_member description: Reimage a volume in 'available' or 'error' status. name: volume:reimage operations: - method: POST path: /volumes/{volume_id}/action (os-reimage) scope_types: null - check_str: rule:xena_system_admin_or_project_member description: Reimage a volume in 'reserved' status. name: volume:reimage_reserved operations: - method: POST path: /volumes/{volume_id}/action (os-reimage) scope_types: null - check_str: rule:xena_system_admin_or_project_reader deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume:get_all_transfers description: List volume transfer. name: volume:get_all_transfers operations: - method: GET path: /os-volume-transfer - method: GET path: /os-volume-transfer/detail - method: GET path: /volume_transfers - method: GET path: /volume-transfers/detail scope_types: null - check_str: rule:xena_system_admin_or_project_member deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume:create_transfer description: Create a volume transfer. 
name: volume:create_transfer operations: - method: POST path: /os-volume-transfer - method: POST path: /volume_transfers scope_types: null - check_str: rule:xena_system_admin_or_project_reader deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume:get_transfer description: Show one specified volume transfer. name: volume:get_transfer operations: - method: GET path: /os-volume-transfer/{transfer_id} - method: GET path: /volume-transfers/{transfer_id} scope_types: null - check_str: rule:xena_system_admin_or_project_member deprecated_rule: check_str: '' deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume:accept_transfer description: Accept a volume transfer. name: volume:accept_transfer operations: - method: POST path: /os-volume-transfer/{transfer_id}/accept - method: POST path: /volume-transfers/{transfer_id}/accept scope_types: null - check_str: rule:xena_system_admin_or_project_member deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume:delete_transfer description: Delete volume transfer. 
name: volume:delete_transfer operations: - method: DELETE path: /os-volume-transfer/{transfer_id} - method: DELETE path: /volume-transfers/{transfer_id} scope_types: null - check_str: rule:xena_system_admin_or_project_reader deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume:get_volume_metadata description: Show volume's metadata or one specified metadata with a given key. name: volume:get_volume_metadata operations: - method: GET path: /volumes/{volume_id}/metadata - method: GET path: /volumes/{volume_id}/metadata/{key} - method: POST path: /volumes/{volume_id}/action (os-show_image_metadata) scope_types: null - check_str: rule:xena_system_admin_or_project_member deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume:create_volume_metadata description: Create volume metadata. name: volume:create_volume_metadata operations: - method: POST path: /volumes/{volume_id}/metadata scope_types: null - check_str: rule:xena_system_admin_or_project_member deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. 
deprecated_since: X name: volume:update_volume_metadata description: Replace a volume's metadata dictionary or update a single metadatum with a given key. name: volume:update_volume_metadata operations: - method: PUT path: /volumes/{volume_id}/metadata - method: PUT path: /volumes/{volume_id}/metadata/{key} scope_types: null - check_str: rule:xena_system_admin_or_project_member deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details. deprecated_since: X name: volume:delete_volume_metadata description: Delete a volume's metadatum with the given key. name: volume:delete_volume_metadata operations: - method: DELETE path: /volumes/{volume_id}/metadata/{key} scope_types: null - check_str: rule:xena_system_admin_or_project_reader deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: volume_extension:volume_image_metadata has been replaced by more granular policies that separately govern show, set, and remove operations. deprecated_since: X name: volume_extension:volume_image_metadata description: Include a volume's image metadata in volume detail responses. The ability to make these calls is governed by other policies. name: volume_extension:volume_image_metadata:show operations: - method: GET path: /volumes/detail - method: GET path: /volumes/{volume_id} scope_types: null - check_str: rule:xena_system_admin_or_project_member deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: volume_extension:volume_image_metadata has been replaced by more granular policies that separately govern show, set, and remove operations. 
    deprecated_since: X
    name: volume_extension:volume_image_metadata
  description: Set image metadata for a volume
  name: volume_extension:volume_image_metadata:set
  operations:
  - method: POST
    path: /volumes/{volume_id}/action (os-set_image_metadata)
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: volume_extension:volume_image_metadata has been replaced by more granular policies that separately govern show, set, and remove operations.
    deprecated_since: X
    name: volume_extension:volume_image_metadata
  description: Remove specific image metadata from a volume
  name: volume_extension:volume_image_metadata:remove
  operations:
  - method: POST
    path: /volumes/{volume_id}/action (os-unset_image_metadata)
  scope_types: null
- check_str: rule:admin_api
  description: Update volume admin metadata. This permission is required to complete these API calls, though the ability to make these calls is governed by other policies.
  name: volume:update_volume_admin_metadata
  operations:
  - method: POST
    path: /volumes/{volume_id}/action (os-update_readonly_flag)
  - method: POST
    path: /volumes/{volume_id}/action (os-attach)
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: ''
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume_extension:types_extra_specs:index
  description: List type extra specs.
  name: volume_extension:types_extra_specs:index
  operations:
  - method: GET
    path: /types/{type_id}/extra_specs
  scope_types: null
- check_str: rule:admin_api
  description: Create type extra specs.
  name: volume_extension:types_extra_specs:create
  operations:
  - method: POST
    path: /types/{type_id}/extra_specs
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: ''
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume_extension:types_extra_specs:show
  description: Show one specified type extra specs.
  name: volume_extension:types_extra_specs:show
  operations:
  - method: GET
    path: /types/{type_id}/extra_specs/{extra_spec_key}
  scope_types: null
- check_str: rule:admin_api
  description: Include extra_specs fields that may reveal sensitive information about the deployment that should not be exposed to end users in various volume-type responses that show extra_specs. The ability to make these calls is governed by other policies.
  name: volume_extension:types_extra_specs:read_sensitive
  operations:
  - method: GET
    path: /types
  - method: GET
    path: /types/{type_id}
  - method: GET
    path: /types/{type_id}/extra_specs
  - method: GET
    path: /types/{type_id}/extra_specs/{extra_spec_key}
  scope_types: null
- check_str: rule:admin_api
  description: Update type extra specs.
  name: volume_extension:types_extra_specs:update
  operations:
  - method: PUT
    path: /types/{type_id}/extra_specs/{extra_spec_key}
  scope_types: null
- check_str: rule:admin_api
  description: Delete type extra specs.
  name: volume_extension:types_extra_specs:delete
  operations:
  - method: DELETE
    path: /types/{type_id}/extra_specs/{extra_spec_key}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: ''
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume:create
  description: Create volume.
  name: volume:create
  operations:
  - method: POST
    path: /volumes
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: ''
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume:create_from_image
  description: Create volume from image.
  name: volume:create_from_image
  operations:
  - method: POST
    path: /volumes
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume:get
  description: Show volume.
  name: volume:get
  operations:
  - method: GET
    path: /volumes/{volume_id}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume:get_all
  description: List volumes or get summary of volumes.
  name: volume:get_all
  operations:
  - method: GET
    path: /volumes
  - method: GET
    path: /volumes/detail
  - method: GET
    path: /volumes/summary
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume:update
  description: Update volume or update a volume's bootable status.
  name: volume:update
  operations:
  - method: PUT
    path: /volumes
  - method: POST
    path: /volumes/{volume_id}/action (os-set_bootable)
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume:delete
  description: Delete volume.
  name: volume:delete
  operations:
  - method: DELETE
    path: /volumes/{volume_id}
  scope_types: null
- check_str: rule:admin_api
  description: Force Delete a volume.
  name: volume:force_delete
  operations:
  - method: DELETE
    path: /volumes/{volume_id}
  scope_types: null
- check_str: rule:admin_api
  description: List or show volume with host attribute.
  name: volume_extension:volume_host_attribute
  operations:
  - method: GET
    path: /volumes/{volume_id}
  - method: GET
    path: /volumes/detail
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume_extension:volume_tenant_attribute
  description: List or show volume with tenant attribute.
  name: volume_extension:volume_tenant_attribute
  operations:
  - method: GET
    path: /volumes/{volume_id}
  - method: GET
    path: /volumes/detail
  scope_types: null
- check_str: rule:admin_api
  description: List or show volume with migration status attribute.
  name: volume_extension:volume_mig_status_attribute
  operations:
  - method: GET
    path: /volumes/{volume_id}
  - method: GET
    path: /volumes/detail
  scope_types: null
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume_extension:volume_encryption_metadata
  description: Show volume's encryption metadata.
  name: volume_extension:volume_encryption_metadata
  operations:
  - method: GET
    path: /volumes/{volume_id}/encryption
  - method: GET
    path: /volumes/{volume_id}/encryption/{encryption_key}
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume:multiattach
  description: Create multiattach capable volume.
  name: volume:multiattach
  operations:
  - method: POST
    path: /volumes
  scope_types: null
- check_str: rule:admin_api
  deprecated_rule:
    check_str: rule:system_or_domain_or_project_admin
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume_extension:default_set_or_update
  description: Set or update default volume type.
  name: volume_extension:default_set_or_update
  operations:
  - method: PUT
    path: /default-types
  scope_types: null
- check_str: rule:admin_api
  deprecated_rule:
    check_str: rule:system_or_domain_or_project_admin
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume_extension:default_get
  description: Get default types.
  name: volume_extension:default_get
  operations:
  - method: GET
    path: /default-types/{project-id}
  scope_types: null
- check_str: rule:admin_api
  deprecated_rule:
    check_str: role:admin and system_scope:all
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume_extension:default_get_all
  description: 'Get all default types. WARNING: Changing this might open up too much information regarding cloud deployment.'
  name: volume_extension:default_get_all
  operations:
  - method: GET
    path: /default-types/
  scope_types: null
- check_str: rule:admin_api
  deprecated_rule:
    check_str: rule:system_or_domain_or_project_admin
    deprecated_reason: Default policies now support the three Keystone default roles, namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: volume_extension:default_unset
  description: Unset default type.
  name: volume_extension:default_unset
  operations:
  - method: DELETE
    path: /default-types/{project-id}
  scope_types: null