# Base rule behind every `rule:context_is_admin` reference in this file.
# The check is `role:admin` alone: it has no project_id term, so it does not
# tie the admin role to the project that owns the target resource.
# NOTE(review): oslo.policy ORs a deprecated_rule's check_str (here
# `is_admin:True`) with the new default unless `[oslo_policy]
# enforce_new_defaults` is enabled - confirm the deployment's setting.
- check_str: role:admin
  deprecated_reason: null
  deprecated_rule:
    check_str: is_admin:True
    name: rule:admin_api
  deprecated_since: null
  description: Decides what is required for the 'is_admin:True' check to succeed.
  name: context_is_admin
  operations: []
  scope_types: null
# Legacy default, marked deprecated_for_removal. The check has no role term:
# `project_id:%(project_id)s` alone satisfies it, so a token scoped to the
# owning project passes whatever role it carries.
# The same check string is the deprecated_rule of project_member_api,
# project_reader_api, project_member_or_admin and project_reader_or_admin.
# NOTE(review): while old defaults are still honoured, this broader check can
# decide the outcome instead of the role-based one - confirm
# `[oslo_policy] enforce_new_defaults` for the deployment.
- check_str: is_admin:True or project_id:%(project_id)s
  deprecated_for_removal: true
  deprecated_reason: '

    Nova API policies are introducing new default roles with scope_type

    capabilities. Old policies are deprecated and silently going to be ignored

    in nova 23.0.0 release.

    '
  deprecated_since: 21.0.0
  description: Default rule for most non-Admin APIs.
  name: admin_or_owner
  operations: []
  scope_types: null
# Legacy admin-only default (`is_admin:True`), marked deprecated_for_removal.
# Rules in this file that moved to rule:context_is_admin reference it as
# `rule:admin_api` inside their deprecated_rule.
- check_str: is_admin:True
  deprecated_for_removal: true
  deprecated_reason: '

    Nova API policies are introducing new default roles with scope_type

    capabilities. Old policies are deprecated and silently going to be ignored

    in nova 23.0.0 release.

    '
  deprecated_since: 21.0.0
  description: Default rule for most Admin APIs.
  name: admin_api
  operations: []
  scope_types: null
# Project-scoped personas. Each new default pairs a role term with
# `project_id:%(project_id)s`; the deprecated_rule it replaces
# (`is_admin:True or project_id:%(project_id)s`) has no role term.
# NOTE(review): if old defaults are still OR-ed in by oslo.policy
# (enforce_new_defaults not enabled), the member/reader split below adds no
# restriction for callers in the owning project - confirm before relying on
# the reader role being read-only.
- check_str: role:member and project_id:%(project_id)s
  deprecated_reason: null
  deprecated_rule:
    check_str: is_admin:True or project_id:%(project_id)s
    name: rule:admin_or_owner
  deprecated_since: null
  description: Default rule for Project level non admin APIs.
  name: project_member_api
  operations: []
  scope_types: null
# Read-only persona: reader role plus a project_id match.
- check_str: role:reader and project_id:%(project_id)s
  deprecated_reason: null
  deprecated_rule:
    check_str: is_admin:True or project_id:%(project_id)s
    name: rule:admin_or_owner
  deprecated_since: null
  description: Default rule for Project level read only APIs.
  name: project_reader_api
  operations: []
  scope_types: null
# Composite: project member, or admin through rule:context_is_admin. The
# admin branch carries no project_id match.
- check_str: rule:project_member_api or rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: is_admin:True or project_id:%(project_id)s
    name: rule:admin_or_owner
  deprecated_since: null
  description: Default rule for Project Member or admin APIs.
  name: project_member_or_admin
  operations: []
  scope_types: null
# Composite: project reader, or admin through rule:context_is_admin. The
# admin branch carries no project_id match.
- check_str: rule:project_reader_api or rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: is_admin:True or project_id:%(project_id)s
    name: rule:admin_or_owner
  deprecated_since: null
  description: Default rule for Project reader or admin APIs.
  name: project_reader_or_admin
  operations: []
  scope_types: null
- check_str: rule:context_is_admin
  description: Reset the state of a given server
  name: os_compute_api:os-admin-actions:reset_state
  operations:
  - method: POST
    path: /servers/{server_id}/action (os-resetState)
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Inject network information into the server
  name: os_compute_api:os-admin-actions:inject_network_info
  operations:
  - method: POST
    path: /servers/{server_id}/action (injectNetworkInfo)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Change the administrative password for a server
  name: os_compute_api:os-admin-password
  operations:
  - method: POST
    path: /servers/{server_id}/action (changePassword)
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Create or replace metadata for an aggregate
  name: os_compute_api:os-aggregates:set_metadata
  operations:
  - method: POST
    path: /os-aggregates/{aggregate_id}/action (set_metadata)
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Add a host to an aggregate
  name: os_compute_api:os-aggregates:add_host
  operations:
  - method: POST
    path: /os-aggregates/{aggregate_id}/action (add_host)
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Create an aggregate
  name: os_compute_api:os-aggregates:create
  operations:
  - method: POST
    path: /os-aggregates
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Remove a host from an aggregate
  name: os_compute_api:os-aggregates:remove_host
  operations:
  - method: POST
    path: /os-aggregates/{aggregate_id}/action (remove_host)
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Update name and/or availability zone for an aggregate
  name: os_compute_api:os-aggregates:update
  operations:
  - method: PUT
    path: /os-aggregates/{aggregate_id}
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: List all aggregates
  name: os_compute_api:os-aggregates:index
  operations:
  - method: GET
    path: /os-aggregates
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Delete an aggregate
  name: os_compute_api:os-aggregates:delete
  operations:
  - method: DELETE
    path: /os-aggregates/{aggregate_id}
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Show details for an aggregate
  name: os_compute_api:os-aggregates:show
  operations:
  - method: GET
    path: /os-aggregates/{aggregate_id}
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Request image caching for an aggregate
  name: compute:aggregates:images
  operations:
  - method: POST
    path: /os-aggregates/{aggregate_id}/images
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Create an assisted volume snapshot
  name: os_compute_api:os-assisted-volume-snapshots:create
  operations:
  - method: POST
    path: /os-assisted-volume-snapshots
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Delete an assisted volume snapshot
  name: os_compute_api:os-assisted-volume-snapshots:delete
  operations:
  - method: DELETE
    path: /os-assisted-volume-snapshots/{snapshot_id}
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-attach-interfaces
  deprecated_since: null
  description: List port interfaces attached to a server
  name: os_compute_api:os-attach-interfaces:list
  operations:
  - method: GET
    path: /servers/{server_id}/os-interface
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-attach-interfaces
  deprecated_since: null
  description: Show details of a port interface attached to a server
  name: os_compute_api:os-attach-interfaces:show
  operations:
  - method: GET
    path: /servers/{server_id}/os-interface/{port_id}
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-attach-interfaces
  deprecated_since: null
  description: Attach an interface to a server
  name: os_compute_api:os-attach-interfaces:create
  operations:
  - method: POST
    path: /servers/{server_id}/os-interface
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-attach-interfaces
  deprecated_since: null
  description: Detach an interface from a server
  name: os_compute_api:os-attach-interfaces:delete
  operations:
  - method: DELETE
    path: /servers/{server_id}/os-interface/{port_id}
  scope_types:
  - project
# `'@'` is oslo.policy's always-true check: no role or project term is
# evaluated, so every request that reaches policy enforcement passes.
# Host-level detail is gated separately by
# os_compute_api:os-availability-zone:detail (rule:context_is_admin).
- check_str: '@'
  description: List availability zone information without host information
  name: os_compute_api:os-availability-zone:list
  operations:
  - method: GET
    path: /os-availability-zone
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: List detailed availability zone information with host information
  name: os_compute_api:os-availability-zone:detail
  operations:
  - method: GET
    path: /os-availability-zone/detail
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: os_compute_api:os-baremetal-nodes
  deprecated_since: null
  description: 'List and show details of bare metal nodes.


    These APIs are proxy calls to the Ironic service and are deprecated.

    '
  name: os_compute_api:os-baremetal-nodes:list
  operations:
  - method: GET
    path: /os-baremetal-nodes
  scope_types:
  - project
# NOTE(review): the description below matches the one on
# os_compute_api:os-instance-actions:show word for word, but this rule guards
# GET /os-baremetal-nodes/{node_id}; it looks copied - confirm and correct
# upstream so operators auditing policy by description are not misled.
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: os_compute_api:os-baremetal-nodes
  deprecated_since: null
  description: Show action details for a server.
  name: os_compute_api:os-baremetal-nodes:show
  operations:
  - method: GET
    path: /os-baremetal-nodes/{node_id}
  scope_types:
  - project
# Admin-only lookup of console connection details. The console token is a
# path segment of the request, so anything that records request URLs will
# hold it - NOTE(review): confirm API and proxy access logs are
# access-controlled accordingly.
- check_str: rule:context_is_admin
  description: Show console connection information for a given console authentication
    token
  name: os_compute_api:os-console-auth-tokens
  operations:
  - method: GET
    path: /os-console-auth-tokens/{console_token}
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Show console output for a server
  name: os_compute_api:os-console-output
  operations:
  - method: POST
    path: /servers/{server_id}/action (os-getConsoleOutput)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Create a backup of a server
  name: os_compute_api:os-create-backup
  operations:
  - method: POST
    path: /servers/{server_id}/action (createBackup)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-deferred-delete
  deprecated_since: null
  description: Restore a soft deleted server
  name: os_compute_api:os-deferred-delete:restore
  operations:
  - method: POST
    path: /servers/{server_id}/action (restore)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-deferred-delete
  deprecated_since: null
  description: Force delete a server before deferred cleanup
  name: os_compute_api:os-deferred-delete:force
  operations:
  - method: POST
    path: /servers/{server_id}/action (forceDelete)
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Evacuate a server from a failed host to a new host
  name: os_compute_api:os-evacuate
  operations:
  - method: POST
    path: /servers/{server_id}/action (evacuate)
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: 'Return extended attributes for server.


    This rule will control the visibility for a set of servers attributes:


    - ``OS-EXT-SRV-ATTR:host``

    - ``OS-EXT-SRV-ATTR:instance_name``

    - ``OS-EXT-SRV-ATTR:reservation_id`` (since microversion 2.3)

    - ``OS-EXT-SRV-ATTR:launch_index`` (since microversion 2.3)

    - ``OS-EXT-SRV-ATTR:hostname`` (since microversion 2.3)

    - ``OS-EXT-SRV-ATTR:kernel_id`` (since microversion 2.3)

    - ``OS-EXT-SRV-ATTR:ramdisk_id`` (since microversion 2.3)

    - ``OS-EXT-SRV-ATTR:root_device_name`` (since microversion 2.3)

    - ``OS-EXT-SRV-ATTR:user_data`` (since microversion 2.3)


    Microversion 2.75 added the above attributes in the ``PUT /servers/{server_id}``

    and ``POST /servers/{server_id}/action (rebuild)`` API responses which are

    also controlled by this policy rule, like the ``GET /servers*`` APIs.


    Microversion 2.90 made the ``OS-EXT-SRV-ATTR:hostname`` attribute available to

    all users, so this policy has no effect on that field for microversions 2.90

    and greater. Controlling the visibility of this attribute for all microversions

    is therefore deprecated and will be removed in a future release.

    '
  name: os_compute_api:os-extended-server-attributes
  operations:
  - method: GET
    path: /servers/{id}
  - method: GET
    path: /servers/detail
  - method: PUT
    path: /servers/{server_id}
  - method: POST
    path: /servers/{server_id}/action (rebuild)
  scope_types:
  - project
- check_str: '@'
  description: List available extensions and show information for an extension by
    alias
  name: os_compute_api:extensions
  operations:
  - method: GET
    path: /extensions
  - method: GET
    path: /extensions/{alias}
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Add flavor access to a tenant
  name: os_compute_api:os-flavor-access:add_tenant_access
  operations:
  - method: POST
    path: /flavors/{flavor_id}/action (addTenantAccess)
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Remove flavor access from a tenant
  name: os_compute_api:os-flavor-access:remove_tenant_access
  operations:
  - method: POST
    path: /flavors/{flavor_id}/action (removeTenantAccess)
  scope_types:
  - project
# The new default is admin-only, but the deprecated_rule is
# rule:admin_or_owner, which is broader than check_str.
# NOTE(review): if old defaults are still OR-ed in by oslo.policy
# (enforce_new_defaults not enabled), non-admin project users may still pass
# and see which tenants can use a flavor - confirm the effective policy.
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-flavor-access
  deprecated_since: null
  description: 'List flavor access information


    Allows access to the full list of tenants that have access

    to a flavor via an os-flavor-access API.

    '
  name: os_compute_api:os-flavor-access
  operations:
  - method: GET
    path: /flavors/{flavor_id}/os-flavor-access
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  description: Show an extra spec for a flavor
  name: os_compute_api:os-flavor-extra-specs:show
  operations:
  - method: GET
    path: /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Create extra specs for a flavor
  name: os_compute_api:os-flavor-extra-specs:create
  operations:
  - method: POST
    path: /flavors/{flavor_id}/os-extra_specs/
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Update an extra spec for a flavor
  name: os_compute_api:os-flavor-extra-specs:update
  operations:
  - method: PUT
    path: /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Delete an extra spec for a flavor
  name: os_compute_api:os-flavor-extra-specs:delete
  operations:
  - method: DELETE
    path: /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  description: List extra specs for a flavor. Starting with microversion 2.61, extra
    specs may be returned in responses for the flavor resource.
  name: os_compute_api:os-flavor-extra-specs:index
  operations:
  - method: GET
    path: /flavors/{flavor_id}/os-extra_specs/
  - method: POST
    path: /flavors
  - method: GET
    path: /flavors/detail
  - method: GET
    path: /flavors/{flavor_id}
  - method: PUT
    path: /flavors/{flavor_id}
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Create a flavor
  name: os_compute_api:os-flavor-manage:create
  operations:
  - method: POST
    path: /flavors
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Update a flavor
  name: os_compute_api:os-flavor-manage:update
  operations:
  - method: PUT
    path: /flavors/{flavor_id}
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Delete a flavor
  name: os_compute_api:os-flavor-manage:delete
  operations:
  - method: DELETE
    path: /flavors/{flavor_id}
  scope_types:
  - project
- check_str: '@'
  description: List floating IP pools. This API is deprecated.
  name: os_compute_api:os-floating-ip-pools
  operations:
  - method: GET
    path: /os-floating-ip-pools
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-floating-ips
  deprecated_since: null
  description: Associate floating IPs to server.  This API is deprecated.
  name: os_compute_api:os-floating-ips:add
  operations:
  - method: POST
    path: /servers/{server_id}/action (addFloatingIp)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-floating-ips
  deprecated_since: null
  description: Disassociate floating IPs from server.  This API is deprecated.
  name: os_compute_api:os-floating-ips:remove
  operations:
  - method: POST
    path: /servers/{server_id}/action (removeFloatingIp)
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-floating-ips
  deprecated_since: null
  description: List floating IPs. This API is deprecated.
  name: os_compute_api:os-floating-ips:list
  operations:
  - method: GET
    path: /os-floating-ips
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-floating-ips
  deprecated_since: null
  description: Create floating IPs. This API is deprecated.
  name: os_compute_api:os-floating-ips:create
  operations:
  - method: POST
    path: /os-floating-ips
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-floating-ips
  deprecated_since: null
  description: Show floating IPs. This API is deprecated.
  name: os_compute_api:os-floating-ips:show
  operations:
  - method: GET
    path: /os-floating-ips/{floating_ip_id}
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-floating-ips
  deprecated_since: null
  description: Delete floating IPs. This API is deprecated.
  name: os_compute_api:os-floating-ips:delete
  operations:
  - method: DELETE
    path: /os-floating-ips/{floating_ip_id}
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: os_compute_api:os-hosts
  deprecated_since: null
  description: 'List physical hosts.


    This API is deprecated in favor of os-hypervisors and os-services.'
  name: os_compute_api:os-hosts:list
  operations:
  - method: GET
    path: /os-hosts
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: os_compute_api:os-hosts
  deprecated_since: null
  description: 'Show physical host.


    This API is deprecated in favor of os-hypervisors and os-services.'
  name: os_compute_api:os-hosts:show
  operations:
  - method: GET
    path: /os-hosts/{host_name}
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: os_compute_api:os-hosts
  deprecated_since: null
  description: 'Update physical host.


    This API is deprecated in favor of os-hypervisors and os-services.'
  name: os_compute_api:os-hosts:update
  operations:
  - method: PUT
    path: /os-hosts/{host_name}
  scope_types:
  - project
# The three rules below (reboot, shutdown, start) list GET as the method for
# what their descriptions call power actions on a physical host. Controls
# keyed on HTTP method (read-only proxies, audit filters that watch only
# POST/PUT/DELETE) will therefore not single these requests out.
# Both check_str and the deprecated_rule are admin-only.
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: os_compute_api:os-hosts
  deprecated_since: null
  description: 'Reboot physical host.


    This API is deprecated in favor of os-hypervisors and os-services.'
  name: os_compute_api:os-hosts:reboot
  operations:
  - method: GET
    path: /os-hosts/{host_name}/reboot
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: os_compute_api:os-hosts
  deprecated_since: null
  description: 'Shutdown physical host.


    This API is deprecated in favor of os-hypervisors and os-services.'
  name: os_compute_api:os-hosts:shutdown
  operations:
  - method: GET
    path: /os-hosts/{host_name}/shutdown
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: os_compute_api:os-hosts
  deprecated_since: null
  description: 'Start physical host.


    This API is deprecated in favor of os-hypervisors and os-services.'
  name: os_compute_api:os-hosts:start
  operations:
  - method: GET
    path: /os-hosts/{host_name}/startup
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: os_compute_api:os-hypervisors
  deprecated_since: null
  description: List all hypervisors.
  name: os_compute_api:os-hypervisors:list
  operations:
  - method: GET
    path: /os-hypervisors
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: os_compute_api:os-hypervisors
  deprecated_since: null
  description: List all hypervisors with details
  name: os_compute_api:os-hypervisors:list-detail
  operations:
  - method: GET
    path: /os-hypervisors/details
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: os_compute_api:os-hypervisors
  deprecated_since: null
  description: Show summary statistics for all hypervisors over all compute nodes.
  name: os_compute_api:os-hypervisors:statistics
  operations:
  - method: GET
    path: /os-hypervisors/statistics
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: os_compute_api:os-hypervisors
  deprecated_since: null
  description: Show details for a hypervisor.
  name: os_compute_api:os-hypervisors:show
  operations:
  - method: GET
    path: /os-hypervisors/{hypervisor_id}
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: os_compute_api:os-hypervisors
  deprecated_since: null
  description: Show the uptime of a hypervisor.
  name: os_compute_api:os-hypervisors:uptime
  operations:
  - method: GET
    path: /os-hypervisors/{hypervisor_id}/uptime
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: os_compute_api:os-hypervisors
  deprecated_since: null
  description: Search hypervisor by hypervisor_hostname pattern.
  name: os_compute_api:os-hypervisors:search
  operations:
  - method: GET
    path: /os-hypervisors/{hypervisor_hostname_pattern}/search
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: os_compute_api:os-hypervisors
  deprecated_since: null
  description: List all servers on hypervisors that can match the provided hypervisor_hostname
    pattern.
  name: os_compute_api:os-hypervisors:servers
  operations:
  - method: GET
    path: /os-hypervisors/{hypervisor_hostname_pattern}/servers
  scope_types:
  - project
# NOTE(review): the description says this field is "system reader by
# default", but check_str is rule:context_is_admin and scope_types lists only
# project - the prose looks stale; check_str is what gets enforced.
# The description itself names the trade-off: exposing 'details' to
# non-admins can leak deployment information such as the hypervisor type, so
# widen this rule only as a deliberate decision.
- check_str: rule:context_is_admin
  description: 'Add "details" key in action events for a server.


    This check is performed only after the check

    os_compute_api:os-instance-actions:show passes. Beginning with Microversion

    2.84, new field ''details'' is exposed via API which can have more details about

    event failure. That field is controlled by this policy which is system reader

    by default. Making the ''details'' field visible to the non-admin user helps to

    understand the nature of the problem (i.e. if the action can be retried),

    but in the other hand it might leak information about the deployment

    (e.g. the type of the hypervisor).

    '
  name: os_compute_api:os-instance-actions:events:details
  operations:
  - method: GET
    path: /servers/{server_id}/os-instance-actions/{request_id}
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: 'Add events details in action details for a server.

    This check is performed only after the check

    os_compute_api:os-instance-actions:show passes. Beginning with Microversion

    2.51, events details are always included; traceback information is provided

    per event if policy enforcement passes. Beginning with Microversion 2.62,

    each event includes a hashed host identifier and, if policy enforcement

    passes, the name of the host.'
  name: os_compute_api:os-instance-actions:events
  operations:
  - method: GET
    path: /servers/{server_id}/os-instance-actions/{request_id}
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-instance-actions
  deprecated_since: null
  description: List actions for a server.
  name: os_compute_api:os-instance-actions:list
  operations:
  - method: GET
    path: /servers/{server_id}/os-instance-actions
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-instance-actions
  deprecated_since: null
  description: Show action details for a server.
  name: os_compute_api:os-instance-actions:show
  operations:
  - method: GET
    path: /servers/{server_id}/os-instance-actions/{request_id}
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: os_compute_api:os-instance-usage-audit-log
  deprecated_since: null
  description: List all usage audits.
  name: os_compute_api:os-instance-usage-audit-log:list
  operations:
  - method: GET
    path: /os-instance_usage_audit_log
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: os_compute_api:os-instance-usage-audit-log
  deprecated_since: null
  description: List all usage audits occurred before a specified time for all servers
    on all compute hosts where usage auditing is configured
  name: os_compute_api:os-instance-usage-audit-log:show
  operations:
  - method: GET
    path: /os-instance_usage_audit_log/{before_timestamp}
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  description: Show IP addresses details for a network label of a  server
  name: os_compute_api:ips:show
  operations:
  - method: GET
    path: /servers/{server_id}/ips/{network_label}
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  description: List IP addresses that are assigned to a server
  name: os_compute_api:ips:index
  operations:
  - method: GET
    path: /servers/{server_id}/ips
  scope_types:
  - project
# The four keypair rules match on user_id, not project_id: the non-admin
# branch passes only when the caller's user_id equals the user_id of the
# policy target. The admin branch passes for any target user.
# NOTE(review): which value the API places in the target's user_id is not
# visible in this file - verify it in the request handler.
- check_str: (rule:context_is_admin) or user_id:%(user_id)s
  description: List all keypairs
  name: os_compute_api:os-keypairs:index
  operations:
  - method: GET
    path: /os-keypairs
  scope_types:
  - project
- check_str: (rule:context_is_admin) or user_id:%(user_id)s
  description: Create a keypair
  name: os_compute_api:os-keypairs:create
  operations:
  - method: POST
    path: /os-keypairs
  scope_types:
  - project
- check_str: (rule:context_is_admin) or user_id:%(user_id)s
  description: Delete a keypair
  name: os_compute_api:os-keypairs:delete
  operations:
  - method: DELETE
    path: /os-keypairs/{keypair_name}
  scope_types:
  - project
- check_str: (rule:context_is_admin) or user_id:%(user_id)s
  description: Show details of a keypair
  name: os_compute_api:os-keypairs:show
  operations:
  - method: GET
    path: /os-keypairs/{keypair_name}
  scope_types:
  - project
# `'@'` is oslo.policy's always-true check, so this rule never denies.
# Access to another project's limits is decided afterwards by
# os_compute_api:limits:other_project (rule:context_is_admin).
- check_str: '@'
  description: Show rate and absolute limits for the current user project
  name: os_compute_api:limits
  operations:
  - method: GET
    path: /limits
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: os_compute_api:os-used-limits
  deprecated_since: null
  description: 'Show rate and absolute limits of other project.


    This policy only checks if the user has access to the requested

    project limits. And this check is performed only after the check

    os_compute_api:limits passes'
  name: os_compute_api:limits:other_project
  operations:
  - method: GET
    path: /limits
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Lock a server
  name: os_compute_api:os-lock-server:lock
  operations:
  - method: POST
    path: /servers/{server_id}/action (lock)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Unlock a server
  name: os_compute_api:os-lock-server:unlock
  operations:
  - method: POST
    path: /servers/{server_id}/action (unlock)
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: 'Unlock a server, regardless who locked the server.


    This check is performed only after the check

    os_compute_api:os-lock-server:unlock passes'
  name: os_compute_api:os-lock-server:unlock:unlock_override
  operations:
  - method: POST
    path: /servers/{server_id}/action (unlock)
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Cold migrate a server without specifying a host
  name: os_compute_api:os-migrate-server:migrate
  operations:
  - method: POST
    path: /servers/{server_id}/action (migrate)
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Cold migrate a server to a specified host
  name: os_compute_api:os-migrate-server:migrate:host
  operations:
  - method: POST
    path: /servers/{server_id}/action (migrate)
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Live migrate a server to a new host without a reboot
  name: os_compute_api:os-migrate-server:migrate_live
  operations:
  - method: POST
    path: /servers/{server_id}/action (os-migrateLive)
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: List migrations
  name: os_compute_api:os-migrations:index
  operations:
  - method: GET
    path: /os-migrations
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-multinic
  deprecated_since: null
  description: 'Add a fixed IP address to a server.


    This API is proxy calls to the Network service. This is

    deprecated.'
  name: os_compute_api:os-multinic:add
  operations:
  - method: POST
    path: /servers/{server_id}/action (addFixedIp)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-multinic
  deprecated_since: null
  description: 'Remove a fixed IP address from a server.


    This API is proxy calls to the Network service. This is

    deprecated.'
  name: os_compute_api:os-multinic:remove
  operations:
  - method: POST
    path: /servers/{server_id}/action (removeFixedIp)
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-networks:view
  deprecated_since: null
  description: 'List networks for the project.


    This API is proxy calls to the Network service. This is deprecated.'
  name: os_compute_api:os-networks:list
  operations:
  - method: GET
    path: /os-networks
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-networks:view
  deprecated_since: null
  description: 'Show network details.


    This API is a proxy call to the Network service. This is deprecated.'
  name: os_compute_api:os-networks:show
  operations:
  - method: GET
    path: /os-networks/{network_id}
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Pause a server
  name: os_compute_api:os-pause-server:pause
  operations:
  - method: POST
    path: /servers/{server_id}/action (pause)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Unpause a paused server
  name: os_compute_api:os-pause-server:unpause
  operations:
  - method: POST
    path: /servers/{server_id}/action (unpause)
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: List quotas for specific quota classes
  name: os_compute_api:os-quota-class-sets:show
  operations:
  - method: GET
    path: /os-quota-class-sets/{quota_class}
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Update quotas for specific quota class
  name: os_compute_api:os-quota-class-sets:update
  operations:
  - method: PUT
    path: /os-quota-class-sets/{quota_class}
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Update the quotas
  name: os_compute_api:os-quota-sets:update
  operations:
  - method: PUT
    path: /os-quota-sets/{tenant_id}
  scope_types:
  - project
# '@' is the oslo.policy check that always passes, so this rule grants the
# request to every caller that reaches policy enforcement, whatever its role.
# NOTE(review): the {tenant_id} in the path is therefore not tied to the
# caller's project by this rule. That is presumably acceptable because the
# response holds only deployment-wide defaults - confirm, and do not reuse
# '@' for rules that return per-project data.
- check_str: '@'
  description: List default quotas
  name: os_compute_api:os-quota-sets:defaults
  operations:
  - method: GET
    path: /os-quota-sets/{tenant_id}/defaults
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  description: Show a quota
  name: os_compute_api:os-quota-sets:show
  operations:
  - method: GET
    path: /os-quota-sets/{tenant_id}
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Revert quotas to defaults
  name: os_compute_api:os-quota-sets:delete
  operations:
  - method: DELETE
    path: /os-quota-sets/{tenant_id}
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  description: Show the detail of quota
  name: os_compute_api:os-quota-sets:detail
  operations:
  - method: GET
    path: /os-quota-sets/{tenant_id}/detail
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: 'Generate a URL to access remote server console.


    This policy is for ``POST /remote-consoles`` API and below Server actions APIs

    are deprecated:


    - ``os-getSerialConsole``

    - ``os-getSPICEConsole``

    - ``os-getVNCConsole``.'
  name: os_compute_api:os-remote-consoles
  operations:
  - method: POST
    path: /servers/{server_id}/action (os-getSerialConsole)
  - method: POST
    path: /servers/{server_id}/action (os-getSPICEConsole)
  - method: POST
    path: /servers/{server_id}/action (os-getVNCConsole)
  - method: POST
    path: /servers/{server_id}/remote-consoles
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Rescue a server
  name: os_compute_api:os-rescue
  operations:
  - method: POST
    path: /servers/{server_id}/action (rescue)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-rescue
  deprecated_since: null
  description: Unrescue a server
  name: os_compute_api:os-unrescue
  operations:
  - method: POST
    path: /servers/{server_id}/action (unrescue)
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-security-groups
  deprecated_since: null
  description: List security groups. This API is deprecated.
  name: os_compute_api:os-security-groups:get
  operations:
  - method: GET
    path: /os-security-groups
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-security-groups
  deprecated_since: null
  description: Show security group. This API is deprecated.
  name: os_compute_api:os-security-groups:show
  operations:
  - method: GET
    path: /os-security-groups/{security_group_id}
  scope_types:
  - project
# NOTE(review): deprecated_rule still points at rule:admin_or_owner, which
# (as defined earlier in this file) matches on admin or project ownership and
# carries no role requirement. oslo.policy ORs a deprecated check with the new
# default unless [oslo_policy] enforce_new_defaults is true, so until that is
# set a reader-only user of the project presumably still passes this write
# rule - confirm the setting before relying on the member/reader split.
# The same applies to every other entry whose deprecated_rule is
# rule:admin_or_owner.
- check_str: rule:project_member_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-security-groups
  deprecated_since: null
  description: Create security group. This API is deprecated.
  name: os_compute_api:os-security-groups:create
  operations:
  - method: POST
    path: /os-security-groups
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-security-groups
  deprecated_since: null
  description: Update security group. This API is deprecated.
  name: os_compute_api:os-security-groups:update
  operations:
  - method: PUT
    path: /os-security-groups/{security_group_id}
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-security-groups
  deprecated_since: null
  description: Delete security group. This API is deprecated.
  name: os_compute_api:os-security-groups:delete
  operations:
  - method: DELETE
    path: /os-security-groups/{security_group_id}
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-security-groups
  deprecated_since: null
  description: Create security group Rule. This API is deprecated.
  name: os_compute_api:os-security-groups:rule:create
  operations:
  - method: POST
    path: /os-security-group-rules
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-security-groups
  deprecated_since: null
  description: Delete security group Rule. This API is deprecated.
  name: os_compute_api:os-security-groups:rule:delete
  operations:
  - method: DELETE
    path: /os-security-group-rules/{security_group_id}
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-security-groups
  deprecated_since: null
  description: List security groups of server.
  name: os_compute_api:os-security-groups:list
  operations:
  - method: GET
    path: /servers/{server_id}/os-security-groups
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-security-groups
  deprecated_since: null
  description: Add security groups to server.
  name: os_compute_api:os-security-groups:add
  operations:
  - method: POST
    path: /servers/{server_id}/action (addSecurityGroup)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-security-groups
  deprecated_since: null
  description: Remove security groups from server.
  name: os_compute_api:os-security-groups:remove
  operations:
  - method: POST
    path: /servers/{server_id}/action (removeSecurityGroup)
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Show the usage data for a server
  name: os_compute_api:os-server-diagnostics
  operations:
  - method: GET
    path: /servers/{server_id}/diagnostics
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Create one or more external events
  name: os_compute_api:os-server-external-events:create
  operations:
  - method: POST
    path: /os-server-external-events
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Create a new server group
  name: os_compute_api:os-server-groups:create
  operations:
  - method: POST
    path: /os-server-groups
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Delete a server group
  name: os_compute_api:os-server-groups:delete
  operations:
  - method: DELETE
    path: /os-server-groups/{server_group_id}
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  description: List all server groups
  name: os_compute_api:os-server-groups:index
  operations:
  - method: GET
    path: /os-server-groups
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: List all server groups for all projects
  name: os_compute_api:os-server-groups:index:all_projects
  operations:
  - method: GET
    path: /os-server-groups
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  description: Show details of a server group
  name: os_compute_api:os-server-groups:show
  operations:
  - method: GET
    path: /os-server-groups/{server_group_id}
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  description: List all metadata of a server
  name: os_compute_api:server-metadata:index
  operations:
  - method: GET
    path: /servers/{server_id}/metadata
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  description: Show metadata for a server
  name: os_compute_api:server-metadata:show
  operations:
  - method: GET
    path: /servers/{server_id}/metadata/{key}
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Create metadata for a server
  name: os_compute_api:server-metadata:create
  operations:
  - method: POST
    path: /servers/{server_id}/metadata
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Replace metadata for a server
  name: os_compute_api:server-metadata:update_all
  operations:
  - method: PUT
    path: /servers/{server_id}/metadata
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Update metadata from a server
  name: os_compute_api:server-metadata:update
  operations:
  - method: PUT
    path: /servers/{server_id}/metadata/{key}
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Delete metadata from a server
  name: os_compute_api:server-metadata:delete
  operations:
  - method: DELETE
    path: /servers/{server_id}/metadata/{key}
  scope_types:
  - project
# The default is the reader-level rule, so read-only project users can fetch
# this value, not only members. The description says the password is returned
# encrypted. NOTE(review): presumably only the holder of the matching private
# key can decrypt it - confirm before treating read access as harmless, and
# tighten to the member-level rule if reader accounts are handed out broadly.
- check_str: rule:project_reader_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-server-password
  deprecated_since: null
  description: Show the encrypted administrative password of a server
  name: os_compute_api:os-server-password:show
  operations:
  - method: GET
    path: /servers/{server_id}/os-server-password
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-server-password
  deprecated_since: null
  description: Clear the encrypted administrative password of a server
  name: os_compute_api:os-server-password:clear
  operations:
  - method: DELETE
    path: /servers/{server_id}/os-server-password
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Delete all the server tags
  name: os_compute_api:os-server-tags:delete_all
  operations:
  - method: DELETE
    path: /servers/{server_id}/tags
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  description: List all tags for given server
  name: os_compute_api:os-server-tags:index
  operations:
  - method: GET
    path: /servers/{server_id}/tags
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Replace all tags on specified server with the new set of tags.
  name: os_compute_api:os-server-tags:update_all
  operations:
  - method: PUT
    path: /servers/{server_id}/tags
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Delete a single tag from the specified server
  name: os_compute_api:os-server-tags:delete
  operations:
  - method: DELETE
    path: /servers/{server_id}/tags/{tag}
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Add a single tag to the server if server has no specified tag
  name: os_compute_api:os-server-tags:update
  operations:
  - method: PUT
    path: /servers/{server_id}/tags/{tag}
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  description: Check tag existence on the server.
  name: os_compute_api:os-server-tags:show
  operations:
  - method: GET
    path: /servers/{server_id}/tags/{tag}
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  description: Show the NUMA topology data for a server
  name: compute:server:topology:index
  operations:
  - method: GET
    path: /servers/{server_id}/topology
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Show the NUMA topology data for a server with host NUMA ID and CPU
    pinning information
  name: compute:server:topology:host:index
  operations:
  - method: GET
    path: /servers/{server_id}/topology
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  description: List all servers
  name: os_compute_api:servers:index
  operations:
  - method: GET
    path: /servers
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  description: List all servers with detailed information
  name: os_compute_api:servers:detail
  operations:
  - method: GET
    path: /servers/detail
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: List all servers for all projects
  name: os_compute_api:servers:index:get_all_tenants
  operations:
  - method: GET
    path: /servers
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: List all servers with detailed information for all projects
  name: os_compute_api:servers:detail:get_all_tenants
  operations:
  - method: GET
    path: /servers/detail
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Allow all filters when listing servers
  name: os_compute_api:servers:allow_all_filters
  operations:
  - method: GET
    path: /servers
  - method: GET
    path: /servers/detail
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  description: Show a server
  name: os_compute_api:servers:show
  operations:
  - method: GET
    path: /servers/{server_id}
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  deprecated_reason: '

    The policy for showing flavor extra specs in server API responses has been

    separated into a new policy. This policy is deprecated only for that but

    not for list extra specs and showing it in flavor API response.

    '
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-flavor-extra-specs:index
  deprecated_since: 25.0.0
  description: Starting with microversion 2.47, the flavor and its extra specs used
    for a server is also returned in the response when showing server details, updating
    a server or rebuilding a server.
  name: os_compute_api:servers:show:flavor-extra-specs
  operations:
  - method: GET
    path: /servers/detail
  - method: GET
    path: /servers/{server_id}
  - method: PUT
    path: /servers/{server_id}
  - method: POST
    path: /servers/{server_id}/action (rebuild)
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: '

    Show a server with additional host status information.


    This means host_status will be shown irrespective of status value. If showing

    only host_status UNKNOWN is desired, use the

    ``os_compute_api:servers:show:host_status:unknown-only`` policy rule.


    Microversion 2.75 added the ``host_status`` attribute in the

    ``PUT /servers/{server_id}`` and ``POST /servers/{server_id}/action (rebuild)``

    API responses which are also controlled by this policy rule, like the

    ``GET /servers*`` APIs.

    '
  name: os_compute_api:servers:show:host_status
  operations:
  - method: GET
    path: /servers/{server_id}
  - method: GET
    path: /servers/detail
  - method: PUT
    path: /servers/{server_id}
  - method: POST
    path: /servers/{server_id}/action (rebuild)
  scope_types:
  - project
# Fallback rule: per the description it is consulted only when
# os_compute_api:servers:show:host_status denies the request. Both rules
# default to rule:context_is_admin in this file, so non-admin callers get no
# host_status from either of them. Widening this one, as in the description's
# example, tells project users when the host_status of their server is
# UNKNOWN; treat that as a deliberate disclosure decision and keep the full
# host_status rule admin-only.
- check_str: rule:context_is_admin
  description: '

    Show a server with additional host status information, only if host status is

    UNKNOWN.


    This policy rule will only be enforced when the

    ``os_compute_api:servers:show:host_status`` policy rule does not pass for the

    request. An example policy configuration could be where the

    ``os_compute_api:servers:show:host_status`` rule is set to allow admin-only and

    the ``os_compute_api:servers:show:host_status:unknown-only`` rule is set to

    allow everyone.

    '
  name: os_compute_api:servers:show:host_status:unknown-only
  operations:
  - method: GET
    path: /servers/{server_id}
  - method: GET
    path: /servers/detail
  - method: PUT
    path: /servers/{server_id}
  - method: POST
    path: /servers/{server_id}/action (rebuild)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Create a server
  name: os_compute_api:servers:create
  operations:
  - method: POST
    path: /servers
  scope_types:
  - project
# Admin-only by default. Per the description, a forced host/node bypasses the
# scheduler filters, so any placement restriction that is implemented as a
# filter is not applied to these requests. NOTE(review): when overriding, keep
# this rule no wider than compute:servers:create:requested_destination, whose
# requests are still validated by the filters.
- check_str: rule:context_is_admin
  description: '

    Create a server on the specified host and/or node.


    In this case, the server is forced to launch on the specified

    host and/or node by bypassing the scheduler filters unlike the

    ``compute:servers:create:requested_destination`` rule.

    '
  name: os_compute_api:servers:create:forced_host
  operations:
  - method: POST
    path: /servers
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: '

    Create a server on the requested compute service host and/or

    hypervisor_hostname.


    In this case, the requested host and/or hypervisor_hostname is

    validated by the scheduler filters unlike the

    ``os_compute_api:servers:create:forced_host`` rule.

    '
  name: compute:servers:create:requested_destination
  operations:
  - method: POST
    path: /servers
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Create a server with the requested volume attached to it
  name: os_compute_api:servers:create:attach_volume
  operations:
  - method: POST
    path: /servers
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Create a server with the requested network attached to it
  name: os_compute_api:servers:create:attach_network
  operations:
  - method: POST
    path: /servers
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Create a server with trusted image certificate IDs
  name: os_compute_api:servers:create:trusted_certs
  operations:
  - method: POST
    path: /servers
  scope_types:
  - project
# Admin-only by default, which is the safe setting for the exposure the
# WARNING below describes (local disk exhaustion through large images on
# disk=0 flavors). NOTE(review): if this is ever widened, pair it with a limit
# on the image sizes users can upload, or restrict disk=0 flavors to
# volume-backed use - confirm which control the deployment has before
# changing check_str.
- check_str: rule:context_is_admin
  description: '

    This rule controls the compute API validation behavior of creating a server

    with a flavor that has 0 disk, indicating the server should be volume-backed.


    For a flavor with disk=0, the root disk will be set to exactly the size of the

    image used to deploy the instance. However, in this case the filter_scheduler

    cannot select the compute host based on the virtual image size. Therefore, 0

    should only be used for volume booted instances or for testing purposes.


    WARNING: It is a potential security exposure to enable this policy rule

    if users can upload their own images since repeated attempts to

    create a disk=0 flavor instance with a large image can exhaust

    the local disk of the compute (or shared storage cluster). See bug

    https://bugs.launchpad.net/nova/+bug/1739646 for details.

    '
  name: os_compute_api:servers:create:zero_disk_flavor
  operations:
  - method: POST
    path: /servers
  scope_types:
  - project
# Admin-only by default; it gates attaching an unshared external network both
# at server create and through os-interface. Note the rule name sits under
# the network: prefix, not os_compute_api:, so an override file or an audit
# that selects rules by the os_compute_api: prefix will not cover it.
- check_str: rule:context_is_admin
  description: Attach an unshared external network to a server
  name: network:attach_external_network
  operations:
  - method: POST
    path: /servers
  - method: POST
    path: /servers/{server_id}/os-interface
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Delete a server
  name: os_compute_api:servers:delete
  operations:
  - method: DELETE
    path: /servers/{server_id}
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Update a server
  name: os_compute_api:servers:update
  operations:
  - method: PUT
    path: /servers/{server_id}
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Confirm a server resize
  name: os_compute_api:servers:confirm_resize
  operations:
  - method: POST
    path: /servers/{server_id}/action (confirmResize)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Revert a server resize
  name: os_compute_api:servers:revert_resize
  operations:
  - method: POST
    path: /servers/{server_id}/action (revertResize)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Reboot a server
  name: os_compute_api:servers:reboot
  operations:
  - method: POST
    path: /servers/{server_id}/action (reboot)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Resize a server
  name: os_compute_api:servers:resize
  operations:
  - method: POST
    path: /servers/{server_id}/action (resize)
  scope_types:
  - project
# '!' is the oslo.policy check that never passes: with this default nobody,
# admin included, can resize across cells. When overriding it, start from an
# admin-only check (rule:context_is_admin, as used by other entries in this
# file) and widen only after testing, as the description recommends.
- check_str: '!'
  description: 'Resize a server across cells. By default, this is disabled for all
    users and recommended to be tested in a deployment for admin users before opening
    it up to non-admin users. Resizing within a cell is the default preferred behavior
    even if this is enabled. '
  name: compute:servers:resize:cross_cell
  operations:
  - method: POST
    path: /servers/{server_id}/action (resize)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Rebuild a server
  name: os_compute_api:servers:rebuild
  operations:
  - method: POST
    path: /servers/{server_id}/action (rebuild)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Rebuild a server with trusted image certificate IDs
  name: os_compute_api:servers:rebuild:trusted_certs
  operations:
  - method: POST
    path: /servers/{server_id}/action (rebuild)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Create an image from a server
  name: os_compute_api:servers:create_image
  operations:
  - method: POST
    path: /servers/{server_id}/action (createImage)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Create an image from a volume backed server
  name: os_compute_api:servers:create_image:allow_volume_backed
  operations:
  - method: POST
    path: /servers/{server_id}/action (createImage)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Start a server
  name: os_compute_api:servers:start
  operations:
  - method: POST
    path: /servers/{server_id}/action (os-start)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Stop a server
  name: os_compute_api:servers:stop
  operations:
  - method: POST
    path: /servers/{server_id}/action (os-stop)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Trigger crash dump in a server
  name: os_compute_api:servers:trigger_crash_dump
  operations:
  - method: POST
    path: /servers/{server_id}/action (trigger_crash_dump)
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Show details for an in-progress live migration for a given server
  name: os_compute_api:servers:migrations:show
  operations:
  - method: GET
    path: /servers/{server_id}/migrations/{migration_id}
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Force an in-progress live migration for a given server to complete
  name: os_compute_api:servers:migrations:force_complete
  operations:
  - method: POST
    path: /servers/{server_id}/migrations/{migration_id}/action (force_complete)
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Delete(Abort) an in-progress live migration
  name: os_compute_api:servers:migrations:delete
  operations:
  - method: DELETE
    path: /servers/{server_id}/migrations/{migration_id}
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Lists in-progress live migrations for a given server
  name: os_compute_api:servers:migrations:index
  operations:
  - method: GET
    path: /servers/{server_id}/migrations
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: os_compute_api:os-services
  deprecated_since: null
  description: List all running Compute services in a region.
  name: os_compute_api:os-services:list
  operations:
  - method: GET
    path: /os-services
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: os_compute_api:os-services
  deprecated_since: null
  description: Update a Compute service.
  name: os_compute_api:os-services:update
  operations:
  - method: PUT
    path: /os-services/{service_id}
  scope_types:
  - project
- check_str: rule:context_is_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_api
    name: os_compute_api:os-services
  deprecated_since: null
  description: Delete a Compute service.
  name: os_compute_api:os-services:delete
  operations:
  - method: DELETE
    path: /os-services/{service_id}
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Shelve server
  name: os_compute_api:os-shelve:shelve
  operations:
  - method: POST
    path: /servers/{server_id}/action (shelve)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Unshelve (restore) shelved server
  name: os_compute_api:os-shelve:unshelve
  operations:
  - method: POST
    path: /servers/{server_id}/action (unshelve)
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Unshelve (restore) shelve offloaded server to a specific host
  name: os_compute_api:os-shelve:unshelve_to_host
  operations:
  - method: POST
    path: /servers/{server_id}/action (unshelve)
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: Shelf-offload (remove) server
  name: os_compute_api:os-shelve:shelve_offload
  operations:
  - method: POST
    path: /servers/{server_id}/action (shelveOffload)
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  description: Show usage statistics for a specific tenant
  name: os_compute_api:os-simple-tenant-usage:show
  operations:
  - method: GET
    path: /os-simple-tenant-usage/{tenant_id}
  scope_types:
  - project
- check_str: rule:context_is_admin
  description: List per tenant usage statistics for all tenants
  name: os_compute_api:os-simple-tenant-usage:list
  operations:
  - method: GET
    path: /os-simple-tenant-usage
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Resume suspended server
  name: os_compute_api:os-suspend-server:resume
  operations:
  - method: POST
    path: /servers/{server_id}/action (resume)
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  description: Suspend server
  name: os_compute_api:os-suspend-server:suspend
  operations:
  - method: POST
    path: /servers/{server_id}/action (suspend)
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-tenant-networks
  deprecated_since: null
  description: 'List project networks.


    This API is a proxy call to the Network service. This is deprecated.'
  name: os_compute_api:os-tenant-networks:list
  operations:
  - method: GET
    path: /os-tenant-networks
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-tenant-networks
  deprecated_since: null
  description: 'Show project network details.


    This API is a proxy call to the Network service. This is deprecated.'
  name: os_compute_api:os-tenant-networks:show
  operations:
  - method: GET
    path: /os-tenant-networks/{network_id}
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-volumes
  deprecated_since: null
  description: 'List volumes.


    This API is a proxy call to the Volume service. It is deprecated.'
  name: os_compute_api:os-volumes:list
  operations:
  - method: GET
    path: /os-volumes
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-volumes
  deprecated_since: null
  description: 'Create volume.


    This API is a proxy call to the Volume service. It is deprecated.'
  name: os_compute_api:os-volumes:create
  operations:
  - method: POST
    path: /os-volumes
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-volumes
  deprecated_since: null
  description: 'List volumes detail.


    This API is a proxy call to the Volume service. It is deprecated.'
  name: os_compute_api:os-volumes:detail
  operations:
  - method: GET
    path: /os-volumes/detail
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-volumes
  deprecated_since: null
  description: 'Show volume.


    This API is a proxy call to the Volume service. It is deprecated.'
  name: os_compute_api:os-volumes:show
  operations:
  - method: GET
    path: /os-volumes/{volume_id}
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-volumes
  deprecated_since: null
  description: 'Delete volume.


    This API is a proxy call to the Volume service. It is deprecated.'
  name: os_compute_api:os-volumes:delete
  operations:
  - method: DELETE
    path: /os-volumes/{volume_id}
  scope_types:
  - project
- check_str: rule:project_reader_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-volumes
  deprecated_since: null
  description: 'List snapshots.


    This API is a proxy call to the Volume service. It is deprecated.'
  name: os_compute_api:os-volumes:snapshots:list
  operations:
  - method: GET
    path: /os-snapshots
  scope_types:
  - project
- check_str: rule:project_member_or_admin
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: os_compute_api:os-volumes
  deprecated_since: null
  description: 'Create snapshots.


    This API is a proxy call to the Volume service. It is deprecated.'
  name: os_compute_api:os-volumes:snapshots:create
  operations:
  - method: POST
    path: /os-snapshots
  scope_types:
  - project
# Deprecated proxy API: list snapshots with details through Nova (read-only).
# Same default (rule:project_reader_or_admin) and the same deprecated
# fallback (rule:admin_or_owner under the old name os_compute_api:os-volumes)
# as the plain snapshot listing; the two should be overridden together so the
# detailed view is never easier to reach than the summary.
- check_str: 'rule:project_reader_or_admin'
  deprecated_reason: null
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    name: 'os_compute_api:os-volumes'
  deprecated_since: null
  description: |-
    List snapshots details.

    This API is a proxy call to the Volume service. It is deprecated.
  name: 'os_compute_api:os-volumes:snapshots:detail'
  operations:
  - method: GET
    path: '/os-snapshots/detail'
  scope_types:
  - project
# Deprecated proxy API: show one snapshot through Nova (read-only).
# Default check is rule:project_reader_or_admin; the deprecated_rule keeps
# rule:admin_or_owner on record under the old name os_compute_api:os-volumes.
# scope_types lists only project, which matters when scope enforcement
# ([oslo_policy] enforce_scope) is turned on.
- check_str: 'rule:project_reader_or_admin'
  deprecated_reason: null
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    name: 'os_compute_api:os-volumes'
  deprecated_since: null
  description: |-
    Show snapshot.

    This API is a proxy call to the Volume service. It is deprecated.
  name: 'os_compute_api:os-volumes:snapshots:show'
  operations:
  - method: GET
    path: '/os-snapshots/{snapshot_id}'
  scope_types:
  - project
# Deprecated proxy API: delete a snapshot through Nova (destructive).
# Default check is rule:project_member_or_admin. The deprecated fallback
# rule:admin_or_owner would let any token matching the project_id through,
# whatever its role, for as long as deprecated defaults are honoured.
# Enable [oslo_policy] enforce_new_defaults to make the member check binding.
- check_str: 'rule:project_member_or_admin'
  deprecated_reason: null
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    name: 'os_compute_api:os-volumes'
  deprecated_since: null
  description: |-
    Delete snapshot.

    This API is a proxy call to the Volume service. It is deprecated.
  name: 'os_compute_api:os-volumes:snapshots:delete'
  operations:
  - method: DELETE
    path: '/os-snapshots/{snapshot_id}'
  scope_types:
  - project
# Read-only: list the volumes attached to one server.
# No deprecated_rule is recorded for this entry, so this dump shows no legacy
# fallback check; the default is rule:project_reader_or_admin only.
- check_str: 'rule:project_reader_or_admin'
  description: 'List volume attachments for an instance'
  name: 'os_compute_api:os-volumes-attachments:index'
  operations:
  - method: GET
    path: '/servers/{server_id}/os-volume_attachments'
  scope_types:
  - project
# State-changing: attach a volume to a server.
# Default is rule:project_member_or_admin with no deprecated_rule recorded.
# NOTE(review): this rule covers the Nova side of the attach only; access to
# the volume itself is presumably decided by the Volume service - verify.
- check_str: 'rule:project_member_or_admin'
  description: 'Attach a volume to an instance'
  name: 'os_compute_api:os-volumes-attachments:create'
  operations:
  - method: POST
    path: '/servers/{server_id}/os-volume_attachments'
  scope_types:
  - project
# Read-only: show one volume attachment of a server.
# Default is rule:project_reader_or_admin; no deprecated_rule is recorded, so
# this dump shows no legacy fallback check for it.
- check_str: 'rule:project_reader_or_admin'
  description: 'Show details of a volume attachment'
  name: 'os_compute_api:os-volumes-attachments:show'
  operations:
  - method: GET
    path: '/servers/{server_id}/os-volume_attachments/{volume_id}'
  scope_types:
  - project
# State-changing: update a volume attachment (PUT on the attachment URL).
# The same method and path are also listed by the ...:swap rule. Per the
# description below, a combined 'swap + update' request is checked against
# the swap rule only, so this rule is not consulted for that request; the
# swap rule must therefore never be made looser than this one.
- check_str: 'rule:project_member_or_admin'
  description: |
    Update a volume attachment.
    New 'update' policy about 'swap + update' request (which is possible
    only >2.85) only <swap policy> is checked. We expect <swap policy> to be
    always superset of this policy permission.
  name: 'os_compute_api:os-volumes-attachments:update'
  operations:
  - method: PUT
    path: '/servers/{server_id}/os-volume_attachments/{volume_id}'
  scope_types:
  - project
# Admin-only: repoint an existing attachment at a different volumeId.
# rule:context_is_admin is the strictest default among the attachment rules
# listed here and shares its PUT path with the ...:update rule. An override
# that relaxes it widens who can change which volume backs a server's
# attachment, so keep it at least as strict as the update rule.
# scope_types lists only project; with [oslo_policy] enforce_scope enabled,
# tokens of another scope would presumably be rejected - verify.
- check_str: 'rule:context_is_admin'
  description: 'Update a volume attachment with a different volumeId'
  name: 'os_compute_api:os-volumes-attachments:swap'
  operations:
  - method: PUT
    path: '/servers/{server_id}/os-volume_attachments/{volume_id}'
  scope_types:
  - project
# State-changing: detach a volume from a server.
# Default is rule:project_member_or_admin with no deprecated_rule recorded,
# so this dump shows no legacy fallback check for it.
- check_str: 'rule:project_member_or_admin'
  description: 'Detach a volume from an instance'
  name: 'os_compute_api:os-volumes-attachments:delete'
  operations:
  - method: DELETE
    path: '/servers/{server_id}/os-volume_attachments/{volume_id}'
  scope_types:
  - project