yatinkarel e3bf69f015 Move deprecated since/reason to deprecated_rule object
[1] moved these attributes to deprecated_rule in wallaby
release. Updated the tool and pulled default conf of services.

[1] https://review.opendev.org/c/openstack/oslo.policy/+/766628

Related-Bug: #2092657
Change-Id: Ib0f4ede94f51e0d6ba48c2a77c0303e702f2ca2f
2025-01-09 13:32:58 +05:30


# Base rule: every policy in this file written as rule:context_is_admin resolves to this check.
# The current default is role:admin; deprecated_rule records the older is_admin:True check
# under the name rule:admin_api (deprecated since 21.0.0).
# NOTE(review): oslo.policy normally evaluates a deprecated_rule's check_str as an OR
# alternative to the new check_str until [oslo_policy] enforce_new_defaults is enabled;
# confirm which setting the consuming service runs with before relying on the new default.
- check_str: role:admin
deprecated_rule:
check_str: is_admin:True
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: rule:admin_api
description: Decides what is required for the 'is_admin:True' check to succeed.
name: context_is_admin
operations: []
scope_types: null
- check_str: is_admin:True or project_id:%(project_id)s
deprecated_for_removal: true
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
description: Default rule for most non-Admin APIs.
name: admin_or_owner
operations: []
scope_types: null
- check_str: is_admin:True
deprecated_for_removal: true
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
description: Default rule for most Admin APIs.
name: admin_api
operations: []
scope_types: null
# New default: the caller needs role:member AND a project_id matching the target.
# The deprecated check (rule:admin_or_owner) is is_admin:True OR a matching project_id,
# with no role requirement at all.
# NOTE(review): while the deprecated check is still evaluated alongside the new one, a
# matching project_id alone would satisfy this rule regardless of role. Verify
# [oslo_policy] enforce_new_defaults in the deployment when auditing least privilege.
- check_str: role:member and project_id:%(project_id)s
deprecated_rule:
check_str: is_admin:True or project_id:%(project_id)s
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: rule:admin_or_owner
description: Default rule for Project level non admin APIs.
name: project_member_api
operations: []
scope_types: null
- check_str: role:reader and project_id:%(project_id)s
deprecated_rule:
check_str: is_admin:True or project_id:%(project_id)s
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: rule:admin_or_owner
description: Default rule for Project level read only APIs.
name: project_reader_api
operations: []
scope_types: null
- check_str: rule:project_member_api or rule:context_is_admin
deprecated_rule:
check_str: is_admin:True or project_id:%(project_id)s
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: rule:admin_or_owner
description: Default rule for Project Member or admin APIs.
name: project_member_or_admin
operations: []
scope_types: null
- check_str: rule:project_reader_api or rule:context_is_admin
deprecated_rule:
check_str: is_admin:True or project_id:%(project_id)s
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: rule:admin_or_owner
description: Default rule for Project reader or admin APIs.
name: project_reader_or_admin
operations: []
scope_types: null
- check_str: rule:context_is_admin
description: Reset the state of a given server
name: os_compute_api:os-admin-actions:reset_state
operations:
- method: POST
path: /servers/{server_id}/action (os-resetState)
scope_types:
- project
- check_str: rule:context_is_admin
description: Inject network information into the server
name: os_compute_api:os-admin-actions:inject_network_info
operations:
- method: POST
path: /servers/{server_id}/action (injectNetworkInfo)
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Change the administrative password for a server
name: os_compute_api:os-admin-password
operations:
- method: POST
path: /servers/{server_id}/action (changePassword)
scope_types:
- project
- check_str: rule:context_is_admin
description: Create or replace metadata for an aggregate
name: os_compute_api:os-aggregates:set_metadata
operations:
- method: POST
path: /os-aggregates/{aggregate_id}/action (set_metadata)
scope_types:
- project
- check_str: rule:context_is_admin
description: Add a host to an aggregate
name: os_compute_api:os-aggregates:add_host
operations:
- method: POST
path: /os-aggregates/{aggregate_id}/action (add_host)
scope_types:
- project
- check_str: rule:context_is_admin
description: Create an aggregate
name: os_compute_api:os-aggregates:create
operations:
- method: POST
path: /os-aggregates
scope_types:
- project
- check_str: rule:context_is_admin
description: Remove a host from an aggregate
name: os_compute_api:os-aggregates:remove_host
operations:
- method: POST
path: /os-aggregates/{aggregate_id}/action (remove_host)
scope_types:
- project
- check_str: rule:context_is_admin
description: Update name and/or availability zone for an aggregate
name: os_compute_api:os-aggregates:update
operations:
- method: PUT
path: /os-aggregates/{aggregate_id}
scope_types:
- project
- check_str: rule:context_is_admin
description: List all aggregates
name: os_compute_api:os-aggregates:index
operations:
- method: GET
path: /os-aggregates
scope_types:
- project
- check_str: rule:context_is_admin
description: Delete an aggregate
name: os_compute_api:os-aggregates:delete
operations:
- method: DELETE
path: /os-aggregates/{aggregate_id}
scope_types:
- project
- check_str: rule:context_is_admin
description: Show details for an aggregate
name: os_compute_api:os-aggregates:show
operations:
- method: GET
path: /os-aggregates/{aggregate_id}
scope_types:
- project
- check_str: rule:context_is_admin
description: Request image caching for an aggregate
name: compute:aggregates:images
operations:
- method: POST
path: /os-aggregates/{aggregate_id}/images
scope_types:
- project
- check_str: rule:context_is_admin
description: Create an assisted volume snapshot
name: os_compute_api:os-assisted-volume-snapshots:create
operations:
- method: POST
path: /os-assisted-volume-snapshots
scope_types:
- project
- check_str: rule:context_is_admin
description: Delete an assisted volume snapshot
name: os_compute_api:os-assisted-volume-snapshots:delete
operations:
- method: DELETE
path: /os-assisted-volume-snapshots/{snapshot_id}
scope_types:
- project
- check_str: rule:project_reader_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-attach-interfaces
description: List port interfaces attached to a server
name: os_compute_api:os-attach-interfaces:list
operations:
- method: GET
path: /servers/{server_id}/os-interface
scope_types:
- project
- check_str: rule:project_reader_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-attach-interfaces
description: Show details of a port interface attached to a server
name: os_compute_api:os-attach-interfaces:show
operations:
- method: GET
path: /servers/{server_id}/os-interface/{port_id}
scope_types:
- project
- check_str: rule:project_member_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-attach-interfaces
description: Attach an interface to a server
name: os_compute_api:os-attach-interfaces:create
operations:
- method: POST
path: /servers/{server_id}/os-interface
scope_types:
- project
- check_str: rule:project_member_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-attach-interfaces
description: Detach an interface from a server
name: os_compute_api:os-attach-interfaces:delete
operations:
- method: DELETE
path: /servers/{server_id}/os-interface/{port_id}
scope_types:
- project
# check_str '@' is the oslo.policy always-true check: no role or project match is
# evaluated, so every request that reaches policy enforcement passes this rule.
# Host information is kept behind the separate os-availability-zone:detail rule,
# which requires rule:context_is_admin.
- check_str: '@'
description: List availability zone information without host information
name: os_compute_api:os-availability-zone:list
operations:
- method: GET
path: /os-availability-zone
scope_types:
- project
- check_str: rule:context_is_admin
description: List detailed availability zone information with host information
name: os_compute_api:os-availability-zone:detail
operations:
- method: GET
path: /os-availability-zone/detail
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_rule:
check_str: rule:admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-baremetal-nodes
description: 'List and show details of bare metal nodes.
These APIs are proxy calls to the Ironic service and are deprecated.
'
name: os_compute_api:os-baremetal-nodes:list
operations:
- method: GET
path: /os-baremetal-nodes
scope_types:
- project
# Admin-only rule for GET /os-baremetal-nodes/{node_id}.
# NOTE(review): the description ('Show action details for a server.') does not match the
# rule name or the path; it is the same text as the os-instance-actions:show description.
# Anyone auditing from descriptions alone should go by name and path here.
- check_str: rule:context_is_admin
deprecated_rule:
check_str: rule:admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-baremetal-nodes
description: Show action details for a server.
name: os_compute_api:os-baremetal-nodes:show
operations:
- method: GET
path: /os-baremetal-nodes/{node_id}
scope_types:
- project
- check_str: rule:context_is_admin
description: Show console connection information for a given console authentication
token
name: os_compute_api:os-console-auth-tokens
operations:
- method: GET
path: /os-console-auth-tokens/{console_token}
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Show console output for a server
name: os_compute_api:os-console-output
operations:
- method: POST
path: /servers/{server_id}/action (os-getConsoleOutput)
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Create a backup of a server
name: os_compute_api:os-create-backup
operations:
- method: POST
path: /servers/{server_id}/action (createBackup)
scope_types:
- project
- check_str: rule:project_member_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-deferred-delete
description: Restore a soft deleted server
name: os_compute_api:os-deferred-delete:restore
operations:
- method: POST
path: /servers/{server_id}/action (restore)
scope_types:
- project
- check_str: rule:project_member_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-deferred-delete
description: Force delete a server before deferred cleanup
name: os_compute_api:os-deferred-delete:force
operations:
- method: POST
path: /servers/{server_id}/action (forceDelete)
scope_types:
- project
- check_str: rule:context_is_admin
description: Evacuate a server from a failed host to a new host
name: os_compute_api:os-evacuate
operations:
- method: POST
path: /servers/{server_id}/action (evacuate)
scope_types:
- project
# Admin-only visibility gate for the OS-EXT-SRV-ATTR:* fields named in the description,
# applied to the four operations listed below (two GET, one PUT, one POST rebuild).
# NOTE(review): OS-EXT-SRV-ATTR:user_data is among the gated fields; user_data often holds
# boot-time configuration and sometimes credentials, so a local override that loosens
# this check should be reviewed as a data-exposure change. Confirm against how the
# deployment uses user_data.
- check_str: rule:context_is_admin
description: 'Return extended attributes for server.
This rule will control the visibility for a set of servers attributes:
- ``OS-EXT-SRV-ATTR:host``
- ``OS-EXT-SRV-ATTR:instance_name``
- ``OS-EXT-SRV-ATTR:reservation_id`` (since microversion 2.3)
- ``OS-EXT-SRV-ATTR:launch_index`` (since microversion 2.3)
- ``OS-EXT-SRV-ATTR:hostname`` (since microversion 2.3)
- ``OS-EXT-SRV-ATTR:kernel_id`` (since microversion 2.3)
- ``OS-EXT-SRV-ATTR:ramdisk_id`` (since microversion 2.3)
- ``OS-EXT-SRV-ATTR:root_device_name`` (since microversion 2.3)
- ``OS-EXT-SRV-ATTR:user_data`` (since microversion 2.3)
Microvision 2.75 added the above attributes in the ``PUT /servers/{server_id}``
and ``POST /servers/{server_id}/action (rebuild)`` API responses which are
also controlled by this policy rule, like the ``GET /servers*`` APIs.
Microversion 2.90 made the ``OS-EXT-SRV-ATTR:hostname`` attribute available to
all users, so this policy has no effect on that field for microversions 2.90
and greater. Controlling the visibility of this attribute for all microversions
is therefore deprecated and will be removed in a future release.
'
name: os_compute_api:os-extended-server-attributes
operations:
- method: GET
path: /servers/{id}
- method: GET
path: /servers/detail
- method: PUT
path: /servers/{server_id}
- method: POST
path: /servers/{server_id}/action (rebuild)
scope_types:
- project
- check_str: '@'
description: List available extensions and show information for an extension by
alias
name: os_compute_api:extensions
operations:
- method: GET
path: /extensions
- method: GET
path: /extensions/{alias}
scope_types:
- project
- check_str: rule:context_is_admin
description: Add flavor access to a tenant
name: os_compute_api:os-flavor-access:add_tenant_access
operations:
- method: POST
path: /flavors/{flavor_id}/action (addTenantAccess)
scope_types:
- project
- check_str: rule:context_is_admin
description: Remove flavor access from a tenant
name: os_compute_api:os-flavor-access:remove_tenant_access
operations:
- method: POST
path: /flavors/{flavor_id}/action (removeTenantAccess)
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-flavor-access
description: 'List flavor access information
Allows access to the full list of tenants that have access
to a flavor via an os-flavor-access API.
'
name: os_compute_api:os-flavor-access
operations:
- method: GET
path: /flavors/{flavor_id}/os-flavor-access
scope_types:
- project
- check_str: rule:project_reader_or_admin
description: Show an extra spec for a flavor
name: os_compute_api:os-flavor-extra-specs:show
operations:
- method: GET
path: /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
scope_types:
- project
- check_str: rule:context_is_admin
description: Create extra specs for a flavor
name: os_compute_api:os-flavor-extra-specs:create
operations:
- method: POST
path: /flavors/{flavor_id}/os-extra_specs/
scope_types:
- project
- check_str: rule:context_is_admin
description: Update an extra spec for a flavor
name: os_compute_api:os-flavor-extra-specs:update
operations:
- method: PUT
path: /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
scope_types:
- project
- check_str: rule:context_is_admin
description: Delete an extra spec for a flavor
name: os_compute_api:os-flavor-extra-specs:delete
operations:
- method: DELETE
path: /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
scope_types:
- project
- check_str: rule:project_reader_or_admin
description: List extra specs for a flavor. Starting with microversion 2.61, extra
specs may be returned in responses for the flavor resource.
name: os_compute_api:os-flavor-extra-specs:index
operations:
- method: GET
path: /flavors/{flavor_id}/os-extra_specs/
- method: POST
path: /flavors
- method: GET
path: /flavors/detail
- method: GET
path: /flavors/{flavor_id}
- method: PUT
path: /flavors/{flavor_id}
scope_types:
- project
- check_str: rule:context_is_admin
description: Create a flavor
name: os_compute_api:os-flavor-manage:create
operations:
- method: POST
path: /flavors
scope_types:
- project
- check_str: rule:context_is_admin
description: Update a flavor
name: os_compute_api:os-flavor-manage:update
operations:
- method: PUT
path: /flavors/{flavor_id}
scope_types:
- project
- check_str: rule:context_is_admin
description: Delete a flavor
name: os_compute_api:os-flavor-manage:delete
operations:
- method: DELETE
path: /flavors/{flavor_id}
scope_types:
- project
- check_str: '@'
description: List floating IP pools. This API is deprecated.
name: os_compute_api:os-floating-ip-pools
operations:
- method: GET
path: /os-floating-ip-pools
scope_types:
- project
- check_str: rule:project_member_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-floating-ips
description: Associate floating IPs to server. This API is deprecated.
name: os_compute_api:os-floating-ips:add
operations:
- method: POST
path: /servers/{server_id}/action (addFloatingIp)
scope_types:
- project
- check_str: rule:project_member_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-floating-ips
description: Disassociate floating IPs from server. This API is deprecated.
name: os_compute_api:os-floating-ips:remove
operations:
- method: POST
path: /servers/{server_id}/action (removeFloatingIp)
scope_types:
- project
- check_str: rule:project_reader_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-floating-ips
description: List floating IPs. This API is deprecated.
name: os_compute_api:os-floating-ips:list
operations:
- method: GET
path: /os-floating-ips
scope_types:
- project
- check_str: rule:project_member_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-floating-ips
description: Create floating IPs. This API is deprecated.
name: os_compute_api:os-floating-ips:create
operations:
- method: POST
path: /os-floating-ips
scope_types:
- project
- check_str: rule:project_reader_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-floating-ips
description: Show floating IPs. This API is deprecated.
name: os_compute_api:os-floating-ips:show
operations:
- method: GET
path: /os-floating-ips/{floating_ip_id}
scope_types:
- project
- check_str: rule:project_member_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-floating-ips
description: Delete floating IPs. This API is deprecated.
name: os_compute_api:os-floating-ips:delete
operations:
- method: DELETE
path: /os-floating-ips/{floating_ip_id}
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_rule:
check_str: rule:admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-hosts
description: 'List physical hosts.
This API is deprecated in favor of os-hypervisors and os-services.'
name: os_compute_api:os-hosts:list
operations:
- method: GET
path: /os-hosts
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_rule:
check_str: rule:admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-hosts
description: 'Show physical host.
This API is deprecated in favor of os-hypervisors and os-services.'
name: os_compute_api:os-hosts:show
operations:
- method: GET
path: /os-hosts/{host_name}
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_rule:
check_str: rule:admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-hosts
description: 'Update physical host.
This API is deprecated in favor of os-hypervisors and os-services.'
name: os_compute_api:os-hosts:update
operations:
- method: PUT
path: /os-hosts/{host_name}
scope_types:
- project
# Admin-only rule; the description marks the API as deprecated.
# NOTE(review): the operation is listed as GET although the description says it reboots a
# physical host; the os-hosts :shutdown and :start entries in this file follow the same
# pattern. Controls that assume GET is read-only (proxy method filters, audit rules keyed
# on POST/PUT/DELETE) would not classify these calls as state-changing, so key such
# controls on the path instead.
- check_str: rule:context_is_admin
deprecated_rule:
check_str: rule:admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-hosts
description: 'Reboot physical host.
This API is deprecated in favor of os-hypervisors and os-services.'
name: os_compute_api:os-hosts:reboot
operations:
- method: GET
path: /os-hosts/{host_name}/reboot
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_rule:
check_str: rule:admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-hosts
description: 'Shutdown physical host.
This API is deprecated in favor of os-hypervisors and os-services.'
name: os_compute_api:os-hosts:shutdown
operations:
- method: GET
path: /os-hosts/{host_name}/shutdown
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_rule:
check_str: rule:admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-hosts
description: 'Start physical host.
This API is deprecated in favor of os-hypervisors and os-services.'
name: os_compute_api:os-hosts:start
operations:
- method: GET
path: /os-hosts/{host_name}/startup
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_rule:
check_str: rule:admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-hypervisors
description: List all hypervisors.
name: os_compute_api:os-hypervisors:list
operations:
- method: GET
path: /os-hypervisors
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_rule:
check_str: rule:admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-hypervisors
description: List all hypervisors with details
name: os_compute_api:os-hypervisors:list-detail
operations:
- method: GET
path: /os-hypervisors/details
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_rule:
check_str: rule:admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-hypervisors
description: Show summary statistics for all hypervisors over all compute nodes.
name: os_compute_api:os-hypervisors:statistics
operations:
- method: GET
path: /os-hypervisors/statistics
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_rule:
check_str: rule:admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-hypervisors
description: Show details for a hypervisor.
name: os_compute_api:os-hypervisors:show
operations:
- method: GET
path: /os-hypervisors/{hypervisor_id}
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_rule:
check_str: rule:admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-hypervisors
description: Show the uptime of a hypervisor.
name: os_compute_api:os-hypervisors:uptime
operations:
- method: GET
path: /os-hypervisors/{hypervisor_id}/uptime
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_rule:
check_str: rule:admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-hypervisors
description: Search hypervisor by hypervisor_hostname pattern.
name: os_compute_api:os-hypervisors:search
operations:
- method: GET
path: /os-hypervisors/{hypervisor_hostname_pattern}/search
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_rule:
check_str: rule:admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-hypervisors
description: List all servers on hypervisors that can match the provided hypervisor_hostname
pattern.
name: os_compute_api:os-hypervisors:servers
operations:
- method: GET
path: /os-hypervisors/{hypervisor_hostname_pattern}/servers
scope_types:
- project
# Admin-only gate on the 'details' field of action events. Per the description it is
# evaluated only after os_compute_api:os-instance-actions:show has passed.
# NOTE(review): the description says the policy is 'system reader by default', but the
# check_str here is rule:context_is_admin and scope_types is project, so the text looks
# stale relative to the rule. The description also names the trade-off to weigh before
# loosening this rule: 'details' can reveal deployment information such as the
# hypervisor type.
- check_str: rule:context_is_admin
description: 'Add "details" key in action events for a server.
This check is performed only after the check
os_compute_api:os-instance-actions:show passes. Beginning with Microversion
2.84, new field ''details'' is exposed via API which can have more details about
event failure. That field is controlled by this policy which is system reader
by default. Making the ''details'' field visible to the non-admin user helps to
understand the nature of the problem (i.e. if the action can be retried),
but in the other hand it might leak information about the deployment
(e.g. the type of the hypervisor).
'
name: os_compute_api:os-instance-actions:events:details
operations:
- method: GET
path: /servers/{server_id}/os-instance-actions/{request_id}
scope_types:
- project
- check_str: rule:context_is_admin
description: 'Add events details in action details for a server.
This check is performed only after the check
os_compute_api:os-instance-actions:show passes. Beginning with Microversion
2.51, events details are always included; traceback information is provided
per event if policy enforcement passes. Beginning with Microversion 2.62,
each event includes a hashed host identifier and, if policy enforcement
passes, the name of the host.'
name: os_compute_api:os-instance-actions:events
operations:
- method: GET
path: /servers/{server_id}/os-instance-actions/{request_id}
scope_types:
- project
- check_str: rule:project_reader_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-instance-actions
description: List actions for a server.
name: os_compute_api:os-instance-actions:list
operations:
- method: GET
path: /servers/{server_id}/os-instance-actions
scope_types:
- project
- check_str: rule:project_reader_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-instance-actions
description: Show action details for a server.
name: os_compute_api:os-instance-actions:show
operations:
- method: GET
path: /servers/{server_id}/os-instance-actions/{request_id}
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_rule:
check_str: rule:admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-instance-usage-audit-log
description: List all usage audits.
name: os_compute_api:os-instance-usage-audit-log:list
operations:
- method: GET
path: /os-instance_usage_audit_log
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_rule:
check_str: rule:admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-instance-usage-audit-log
description: List all usage audits occurred before a specified time for all servers
on all compute hosts where usage auditing is configured
name: os_compute_api:os-instance-usage-audit-log:show
operations:
- method: GET
path: /os-instance_usage_audit_log/{before_timestamp}
scope_types:
- project
- check_str: rule:project_reader_or_admin
description: Show IP addresses details for a network label of a server
name: os_compute_api:ips:show
operations:
- method: GET
path: /servers/{server_id}/ips/{network_label}
scope_types:
- project
- check_str: rule:project_reader_or_admin
description: List IP addresses that are assigned to a server
name: os_compute_api:ips:index
operations:
- method: GET
path: /servers/{server_id}/ips
scope_types:
- project
# Ownership for keypairs is checked per user, not per project: the rule passes for an
# admin, or when the caller's user_id matches the target's user_id. The keypair create,
# delete and show entries in this file use the same check_str.
# NOTE(review): which value fills %(user_id)s in the target is decided by the API code,
# which is not visible here; verify it is taken from the resource owner and not from
# caller-supplied input.
- check_str: (rule:context_is_admin) or user_id:%(user_id)s
description: List all keypairs
name: os_compute_api:os-keypairs:index
operations:
- method: GET
path: /os-keypairs
scope_types:
- project
- check_str: (rule:context_is_admin) or user_id:%(user_id)s
description: Create a keypair
name: os_compute_api:os-keypairs:create
operations:
- method: POST
path: /os-keypairs
scope_types:
- project
- check_str: (rule:context_is_admin) or user_id:%(user_id)s
description: Delete a keypair
name: os_compute_api:os-keypairs:delete
operations:
- method: DELETE
path: /os-keypairs/{keypair_name}
scope_types:
- project
- check_str: (rule:context_is_admin) or user_id:%(user_id)s
description: Show details of a keypair
name: os_compute_api:os-keypairs:show
operations:
- method: GET
path: /os-keypairs/{keypair_name}
scope_types:
- project
# '@' is the oslo.policy check that always passes, so this rule applies no
# role or project match: every caller that reaches policy enforcement is
# allowed. The description limits the result to the caller's own project;
# reading another project's limits is gated separately by
# os_compute_api:limits:other_project.
- check_str: '@'
description: Show rate and absolute limits for the current user project
name: os_compute_api:limits
operations:
- method: GET
path: /limits
scope_types:
- project
# Admin-only second-stage check. Per the description it is evaluated only
# after os_compute_api:limits has passed, and that rule is '@' (always
# allow), so this entry is the one that actually restricts reading another
# project's limits.
# deprecated_rule records the old name and check (rule:admin_api), deprecated
# since 21.0.0.
# NOTE(review): under oslo.policy's default deprecation handling the old
# check_str is OR-ed with the new one unless [oslo_policy]
# enforce_new_defaults is enabled - confirm how the consumer of this file
# treats deprecated_rule.
- check_str: rule:context_is_admin
deprecated_rule:
check_str: rule:admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-used-limits
description: 'Show rate and absolute limits of other project.
This policy only checks if the user has access to the requested
project limits. And this check is performed only after the check
os_compute_api:limits passes'
name: os_compute_api:limits:other_project
operations:
- method: GET
path: /limits
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Lock a server
name: os_compute_api:os-lock-server:lock
operations:
- method: POST
path: /servers/{server_id}/action (lock)
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Unlock a server
name: os_compute_api:os-lock-server:unlock
operations:
- method: POST
path: /servers/{server_id}/action (unlock)
scope_types:
- project
# Admin-only override, evaluated after os_compute_api:os-lock-server:unlock
# has passed (see description). It decides whether a caller may unlock a
# server regardless of who locked it; relaxing this check_str lets callers
# remove locks they did not place.
- check_str: rule:context_is_admin
description: 'Unlock a server, regardless who locked the server.
This check is performed only after the check
os_compute_api:os-lock-server:unlock passes'
name: os_compute_api:os-lock-server:unlock:unlock_override
operations:
- method: POST
path: /servers/{server_id}/action (unlock)
scope_types:
- project
- check_str: rule:context_is_admin
description: Cold migrate a server without specifying a host
name: os_compute_api:os-migrate-server:migrate
operations:
- method: POST
path: /servers/{server_id}/action (migrate)
scope_types:
- project
- check_str: rule:context_is_admin
description: Cold migrate a server to a specified host
name: os_compute_api:os-migrate-server:migrate:host
operations:
- method: POST
path: /servers/{server_id}/action (migrate)
scope_types:
- project
- check_str: rule:context_is_admin
description: Live migrate a server to a new host without a reboot
name: os_compute_api:os-migrate-server:migrate_live
operations:
- method: POST
path: /servers/{server_id}/action (os-migrateLive)
scope_types:
- project
- check_str: rule:context_is_admin
description: List migrations
name: os_compute_api:os-migrations:index
operations:
- method: GET
path: /os-migrations
scope_types:
- project
- check_str: rule:project_member_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-multinic
description: 'Add a fixed IP address to a server.
This API is proxy calls to the Network service. This is
deprecated.'
name: os_compute_api:os-multinic:add
operations:
- method: POST
path: /servers/{server_id}/action (addFixedIp)
scope_types:
- project
- check_str: rule:project_member_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-multinic
description: 'Remove a fixed IP address from a server.
This API is proxy calls to the Network service. This is
deprecated.'
name: os_compute_api:os-multinic:remove
operations:
- method: POST
path: /servers/{server_id}/action (removeFixedIp)
scope_types:
- project
- check_str: rule:project_reader_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-networks:view
description: 'List networks for the project.
This API is proxy calls to the Network service. This is deprecated.'
name: os_compute_api:os-networks:list
operations:
- method: GET
path: /os-networks
scope_types:
- project
- check_str: rule:project_reader_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-networks:view
description: 'Show network details.
This API is proxy calls to the Network service. This is deprecated.'
name: os_compute_api:os-networks:show
operations:
- method: GET
path: /os-networks/{network_id}
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Pause a server
name: os_compute_api:os-pause-server:pause
operations:
- method: POST
path: /servers/{server_id}/action (pause)
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Unpause a paused server
name: os_compute_api:os-pause-server:unpause
operations:
- method: POST
path: /servers/{server_id}/action (unpause)
scope_types:
- project
- check_str: rule:context_is_admin
description: List quotas for specific quota classes
name: os_compute_api:os-quota-class-sets:show
operations:
- method: GET
path: /os-quota-class-sets/{quota_class}
scope_types:
- project
- check_str: rule:context_is_admin
description: Update quotas for specific quota class
name: os_compute_api:os-quota-class-sets:update
operations:
- method: PUT
path: /os-quota-class-sets/{quota_class}
scope_types:
- project
- check_str: rule:context_is_admin
description: Update the quotas
name: os_compute_api:os-quota-sets:update
operations:
- method: PUT
path: /os-quota-sets/{tenant_id}
scope_types:
- project
# '@' always passes in oslo.policy: default quotas are readable by any caller
# that reaches this check, whatever {tenant_id} appears in the path. The
# neighbouring show and detail rules require rule:project_reader_or_admin,
# and update/delete require rule:context_is_admin.
- check_str: '@'
description: List default quotas
name: os_compute_api:os-quota-sets:defaults
operations:
- method: GET
path: /os-quota-sets/{tenant_id}/defaults
scope_types:
- project
- check_str: rule:project_reader_or_admin
description: Show a quota
name: os_compute_api:os-quota-sets:show
operations:
- method: GET
path: /os-quota-sets/{tenant_id}
scope_types:
- project
- check_str: rule:context_is_admin
description: Revert quotas to defaults
name: os_compute_api:os-quota-sets:delete
operations:
- method: DELETE
path: /os-quota-sets/{tenant_id}
scope_types:
- project
- check_str: rule:project_reader_or_admin
description: Show the detail of quota
name: os_compute_api:os-quota-sets:detail
operations:
- method: GET
path: /os-quota-sets/{tenant_id}/detail
scope_types:
- project
- check_str: rule:project_member_or_admin
description: 'Generate a URL to access remote server console.
This policy is for ``POST /remote-consoles`` API and below Server actions APIs
are deprecated:
- ``os-getSerialConsole``
- ``os-getSPICEConsole``
- ``os-getVNCConsole``.'
name: os_compute_api:os-remote-consoles
operations:
- method: POST
path: /servers/{server_id}/action (os-getSerialConsole)
- method: POST
path: /servers/{server_id}/action (os-getSPICEConsole)
- method: POST
path: /servers/{server_id}/action (os-getVNCConsole)
- method: POST
path: /servers/{server_id}/remote-consoles
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Rescue a server
name: os_compute_api:os-rescue
operations:
- method: POST
path: /servers/{server_id}/action (rescue)
scope_types:
- project
- check_str: rule:project_member_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Rescue/Unrescue API policies are made granular with new policy
for unrescue and keeping old policy for rescue.
'
deprecated_since: 21.0.0
name: os_compute_api:os-rescue
description: Unrescue a server
name: os_compute_api:os-unrescue
operations:
- method: POST
path: /servers/{server_id}/action (unrescue)
scope_types:
- project
- check_str: rule:project_reader_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-security-groups
description: List security groups. This API is deprecated.
name: os_compute_api:os-security-groups:get
operations:
- method: GET
path: /os-security-groups
scope_types:
- project
- check_str: rule:project_reader_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-security-groups
description: Show security group. This API is deprecated.
name: os_compute_api:os-security-groups:show
operations:
- method: GET
path: /os-security-groups/{security_group_id}
scope_types:
- project
- check_str: rule:project_member_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-security-groups
description: Create security group. This API is deprecated.
name: os_compute_api:os-security-groups:create
operations:
- method: POST
path: /os-security-groups
scope_types:
- project
- check_str: rule:project_member_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-security-groups
description: Update security group. This API is deprecated.
name: os_compute_api:os-security-groups:update
operations:
- method: PUT
path: /os-security-groups/{security_group_id}
scope_types:
- project
- check_str: rule:project_member_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-security-groups
description: Delete security group. This API is deprecated.
name: os_compute_api:os-security-groups:delete
operations:
- method: DELETE
path: /os-security-groups/{security_group_id}
scope_types:
- project
- check_str: rule:project_member_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-security-groups
description: Create security group Rule. This API is deprecated.
name: os_compute_api:os-security-groups:rule:create
operations:
- method: POST
path: /os-security-group-rules
scope_types:
- project
- check_str: rule:project_member_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-security-groups
description: Delete security group Rule. This API is deprecated.
name: os_compute_api:os-security-groups:rule:delete
operations:
- method: DELETE
path: /os-security-group-rules/{security_group_id}
scope_types:
- project
- check_str: rule:project_reader_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-security-groups
description: List security groups of server.
name: os_compute_api:os-security-groups:list
operations:
- method: GET
path: /servers/{server_id}/os-security-groups
scope_types:
- project
- check_str: rule:project_member_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-security-groups
description: Add security groups to server.
name: os_compute_api:os-security-groups:add
operations:
- method: POST
path: /servers/{server_id}/action (addSecurityGroup)
scope_types:
- project
- check_str: rule:project_member_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 22.0.0
name: os_compute_api:os-security-groups
description: Remove security groups from server.
name: os_compute_api:os-security-groups:remove
operations:
- method: POST
path: /servers/{server_id}/action (removeSecurityGroup)
scope_types:
- project
- check_str: rule:context_is_admin
description: Show the usage data for a server
name: os_compute_api:os-server-diagnostics
operations:
- method: GET
path: /servers/{server_id}/diagnostics
scope_types:
- project
- check_str: rule:context_is_admin
description: Create one or more external events
name: os_compute_api:os-server-external-events:create
operations:
- method: POST
path: /os-server-external-events
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Create a new server group
name: os_compute_api:os-server-groups:create
operations:
- method: POST
path: /os-server-groups
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Delete a server group
name: os_compute_api:os-server-groups:delete
operations:
- method: DELETE
path: /os-server-groups/{server_group_id}
scope_types:
- project
- check_str: rule:project_reader_or_admin
description: List all server groups
name: os_compute_api:os-server-groups:index
operations:
- method: GET
path: /os-server-groups
scope_types:
- project
- check_str: rule:context_is_admin
description: List all server groups for all projects
name: os_compute_api:os-server-groups:index:all_projects
operations:
- method: GET
path: /os-server-groups
scope_types:
- project
- check_str: rule:project_reader_or_admin
description: Show details of a server group
name: os_compute_api:os-server-groups:show
operations:
- method: GET
path: /os-server-groups/{server_group_id}
scope_types:
- project
- check_str: rule:project_reader_or_admin
description: List all metadata of a server
name: os_compute_api:server-metadata:index
operations:
- method: GET
path: /servers/{server_id}/metadata
scope_types:
- project
- check_str: rule:project_reader_or_admin
description: Show metadata for a server
name: os_compute_api:server-metadata:show
operations:
- method: GET
path: /servers/{server_id}/metadata/{key}
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Create metadata for a server
name: os_compute_api:server-metadata:create
operations:
- method: POST
path: /servers/{server_id}/metadata
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Replace metadata for a server
name: os_compute_api:server-metadata:update_all
operations:
- method: PUT
path: /servers/{server_id}/metadata
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Update metadata from a server
name: os_compute_api:server-metadata:update
operations:
- method: PUT
path: /servers/{server_id}/metadata/{key}
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Delete metadata from a server
name: os_compute_api:server-metadata:delete
operations:
- method: DELETE
path: /servers/{server_id}/metadata/{key}
scope_types:
- project
# Read access to a server's encrypted administrative password.
# New default: rule:project_reader_or_admin. Deprecated default:
# rule:admin_or_owner under the old name os_compute_api:os-server-password
# (deprecated since 21.0.0).
# NOTE(review): under oslo.policy's default deprecation handling the
# deprecated check is OR-ed with the new default unless [oslo_policy]
# enforce_new_defaults is set, so the older owner-based check may still
# grant access - confirm how the consumer of this file treats
# deprecated_rule.
- check_str: rule:project_reader_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-server-password
description: Show the encrypted administrative password of a server
name: os_compute_api:os-server-password:show
operations:
- method: GET
path: /servers/{server_id}/os-server-password
scope_types:
- project
- check_str: rule:project_member_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-server-password
description: Clear the encrypted administrative password of a server
name: os_compute_api:os-server-password:clear
operations:
- method: DELETE
path: /servers/{server_id}/os-server-password
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Delete all the server tags
name: os_compute_api:os-server-tags:delete_all
operations:
- method: DELETE
path: /servers/{server_id}/tags
scope_types:
- project
- check_str: rule:project_reader_or_admin
description: List all tags for given server
name: os_compute_api:os-server-tags:index
operations:
- method: GET
path: /servers/{server_id}/tags
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Replace all tags on specified server with the new set of tags.
name: os_compute_api:os-server-tags:update_all
operations:
- method: PUT
path: /servers/{server_id}/tags
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Delete a single tag from the specified server
name: os_compute_api:os-server-tags:delete
operations:
- method: DELETE
path: /servers/{server_id}/tags/{tag}
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Add a single tag to the server if server has no specified tag
name: os_compute_api:os-server-tags:update
operations:
- method: PUT
path: /servers/{server_id}/tags/{tag}
scope_types:
- project
- check_str: rule:project_reader_or_admin
description: Check tag existence on the server.
name: os_compute_api:os-server-tags:show
operations:
- method: GET
path: /servers/{server_id}/tags/{tag}
scope_types:
- project
- check_str: rule:project_reader_or_admin
description: Show the NUMA topology data for a server
name: compute:server:topology:index
operations:
- method: GET
path: /servers/{server_id}/topology
scope_types:
- project
- check_str: rule:context_is_admin
description: Show the NUMA topology data for a server with host NUMA ID and CPU
pinning information
name: compute:server:topology:host:index
operations:
- method: GET
path: /servers/{server_id}/topology
scope_types:
- project
- check_str: rule:project_reader_or_admin
description: List all servers
name: os_compute_api:servers:index
operations:
- method: GET
path: /servers
scope_types:
- project
- check_str: rule:project_reader_or_admin
description: List all servers with detailed information
name: os_compute_api:servers:detail
operations:
- method: GET
path: /servers/detail
scope_types:
- project
- check_str: rule:context_is_admin
description: List all servers for all projects
name: os_compute_api:servers:index:get_all_tenants
operations:
- method: GET
path: /servers
scope_types:
- project
- check_str: rule:context_is_admin
description: List all servers with detailed information for all projects
name: os_compute_api:servers:detail:get_all_tenants
operations:
- method: GET
path: /servers/detail
scope_types:
- project
- check_str: rule:context_is_admin
description: Allow all filters when listing servers
name: os_compute_api:servers:allow_all_filters
operations:
- method: GET
path: /servers
- method: GET
path: /servers/detail
scope_types:
- project
- check_str: rule:project_reader_or_admin
description: Show a server
name: os_compute_api:servers:show
operations:
- method: GET
path: /servers/{server_id}
scope_types:
- project
# Controls whether flavor extra specs are returned in the four server
# responses listed under operations.
# Unlike the other deprecated_rule objects nearby, deprecated_reason and
# deprecated_since are both null here, so this entry does not record why or
# when the old name (os_compute_api:os-flavor-extra-specs:index) and check
# (rule:admin_or_owner) were deprecated.
# NOTE(review): verify that the consumer accepts null for these two fields.
- check_str: rule:project_reader_or_admin
deprecated_rule:
check_str: rule:admin_or_owner
deprecated_reason: null
deprecated_since: null
name: os_compute_api:os-flavor-extra-specs:index
description: Starting with microversion 2.47, the flavor and its extra specs used
for a server is also returned in the response when showing server details, updating
a server or rebuilding a server.
name: os_compute_api:servers:show:flavor-extra-specs
operations:
- method: GET
path: /servers/detail
- method: GET
path: /servers/{server_id}
- method: PUT
path: /servers/{server_id}
- method: POST
path: /servers/{server_id}/action (rebuild)
scope_types:
- project
- check_str: rule:context_is_admin
description: '
Show a server with additional host status information.
This means host_status will be shown irrespective of status value. If showing
only host_status UNKNOWN is desired, use the
``os_compute_api:servers:show:host_status:unknown-only`` policy rule.
Microversion 2.75 added the ``host_status`` attribute in the
``PUT /servers/{server_id}`` and ``POST /servers/{server_id}/action (rebuild)``
API responses which are also controlled by this policy rule, like the
``GET /servers*`` APIs.
'
name: os_compute_api:servers:show:host_status
operations:
- method: GET
path: /servers/{server_id}
- method: GET
path: /servers/detail
- method: PUT
path: /servers/{server_id}
- method: POST
path: /servers/{server_id}/action (rebuild)
scope_types:
- project
# Fallback rule: per the description it is enforced only when
# os_compute_api:servers:show:host_status does not pass for the request.
# Its default is rule:context_is_admin, the same check as the main rule, so
# by default it grants nothing extra. It widens host_status visibility
# (UNKNOWN only) only when an operator relaxes this check_str.
- check_str: rule:context_is_admin
description: '
Show a server with additional host status information, only if host status is
UNKNOWN.
This policy rule will only be enforced when the
``os_compute_api:servers:show:host_status`` policy rule does not pass for the
request. An example policy configuration could be where the
``os_compute_api:servers:show:host_status`` rule is set to allow admin-only and
the ``os_compute_api:servers:show:host_status:unknown-only`` rule is set to
allow everyone.
'
name: os_compute_api:servers:show:host_status:unknown-only
operations:
- method: GET
path: /servers/{server_id}
- method: GET
path: /servers/detail
- method: PUT
path: /servers/{server_id}
- method: POST
path: /servers/{server_id}/action (rebuild)
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Create a server
name: os_compute_api:servers:create
operations:
- method: POST
path: /servers
scope_types:
- project
# Admin-only. Per the description, a forced host and/or node bypasses the
# scheduler filters, whereas compute:servers:create:requested_destination
# still has the requested host validated by them. Keep the two rules
# distinct when overriding either one.
- check_str: rule:context_is_admin
description: '
Create a server on the specified host and/or node.
In this case, the server is forced to launch on the specified
host and/or node by bypassing the scheduler filters unlike the
``compute:servers:create:requested_destination`` rule.
'
name: os_compute_api:servers:create:forced_host
operations:
- method: POST
path: /servers
scope_types:
- project
- check_str: rule:context_is_admin
description: '
Create a server on the requested compute service host and/or
hypervisor_hostname.
In this case, the requested host and/or hypervisor_hostname is
validated by the scheduler filters unlike the
``os_compute_api:servers:create:forced_host`` rule.
'
name: compute:servers:create:requested_destination
operations:
- method: POST
path: /servers
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Create a server with the requested volume attached to it
name: os_compute_api:servers:create:attach_volume
operations:
- method: POST
path: /servers
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Create a server with the requested network attached to it
name: os_compute_api:servers:create:attach_network
operations:
- method: POST
path: /servers
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Create a server with trusted image certificate IDs
name: os_compute_api:servers:create:trusted_certs
operations:
- method: POST
path: /servers
scope_types:
- project
# Admin-only by default. The WARNING in the description gives the reason:
# where users can upload their own images, repeated disk=0 flavor boots with
# a large image can exhaust the compute host's local disk or the shared
# storage cluster (see the linked bug). Check who may upload images before
# relaxing this check_str.
- check_str: rule:context_is_admin
description: '
This rule controls the compute API validation behavior of creating a server
with a flavor that has 0 disk, indicating the server should be volume-backed.
For a flavor with disk=0, the root disk will be set to exactly the size of the
image used to deploy the instance. However, in this case the filter_scheduler
cannot select the compute host based on the virtual image size. Therefore, 0
should only be used for volume booted instances or for testing purposes.
WARNING: It is a potential security exposure to enable this policy rule
if users can upload their own images since repeated attempts to
create a disk=0 flavor instance with a large image can exhaust
the local disk of the compute (or shared storage cluster). See bug
https://bugs.launchpad.net/nova/+bug/1739646 for details.
'
name: os_compute_api:servers:create:zero_disk_flavor
operations:
- method: POST
path: /servers
scope_types:
- project
- check_str: rule:context_is_admin
description: Attach an unshared external network to a server
name: network:attach_external_network
operations:
- method: POST
path: /servers
- method: POST
path: /servers/{server_id}/os-interface
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Delete a server
name: os_compute_api:servers:delete
operations:
- method: DELETE
path: /servers/{server_id}
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Update a server
name: os_compute_api:servers:update
operations:
- method: PUT
path: /servers/{server_id}
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Confirm a server resize
name: os_compute_api:servers:confirm_resize
operations:
- method: POST
path: /servers/{server_id}/action (confirmResize)
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Revert a server resize
name: os_compute_api:servers:revert_resize
operations:
- method: POST
path: /servers/{server_id}/action (revertResize)
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Reboot a server
name: os_compute_api:servers:reboot
operations:
- method: POST
path: /servers/{server_id}/action (reboot)
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Resize a server
name: os_compute_api:servers:resize
operations:
- method: POST
path: /servers/{server_id}/action (resize)
scope_types:
- project
# '!' is the oslo.policy check that never passes: cross-cell resize is
# denied for every caller, administrators included, until an operator
# overrides this rule. The description recommends testing with admin users
# before opening it to non-admin users.
- check_str: '!'
description: 'Resize a server across cells. By default, this is disabled for all
users and recommended to be tested in a deployment for admin users before opening
it up to non-admin users. Resizing within a cell is the default preferred behavior
even if this is enabled. '
name: compute:servers:resize:cross_cell
operations:
- method: POST
path: /servers/{server_id}/action (resize)
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Rebuild a server
name: os_compute_api:servers:rebuild
operations:
- method: POST
path: /servers/{server_id}/action (rebuild)
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Rebuild a server with trusted image certificate IDs
name: os_compute_api:servers:rebuild:trusted_certs
operations:
- method: POST
path: /servers/{server_id}/action (rebuild)
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Create an image from a server
name: os_compute_api:servers:create_image
operations:
- method: POST
path: /servers/{server_id}/action (createImage)
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Create an image from a volume backed server
name: os_compute_api:servers:create_image:allow_volume_backed
operations:
- method: POST
path: /servers/{server_id}/action (createImage)
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Start a server
name: os_compute_api:servers:start
operations:
- method: POST
path: /servers/{server_id}/action (os-start)
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Stop a server
name: os_compute_api:servers:stop
operations:
- method: POST
path: /servers/{server_id}/action (os-stop)
scope_types:
- project
- check_str: rule:project_member_or_admin
description: Trigger crash dump in a server
name: os_compute_api:servers:trigger_crash_dump
operations:
- method: POST
path: /servers/{server_id}/action (trigger_crash_dump)
scope_types:
- project
- check_str: rule:context_is_admin
description: Show details for an in-progress live migration for a given server
name: os_compute_api:servers:migrations:show
operations:
- method: GET
path: /servers/{server_id}/migrations/{migration_id}
scope_types:
- project
- check_str: rule:context_is_admin
description: Force an in-progress live migration for a given server to complete
name: os_compute_api:servers:migrations:force_complete
operations:
- method: POST
path: /servers/{server_id}/migrations/{migration_id}/action (force_complete)
scope_types:
- project
- check_str: rule:context_is_admin
description: Delete(Abort) an in-progress live migration
name: os_compute_api:servers:migrations:delete
operations:
- method: DELETE
path: /servers/{server_id}/migrations/{migration_id}
scope_types:
- project
- check_str: rule:context_is_admin
description: Lists in-progress live migrations for a given server
name: os_compute_api:servers:migrations:index
operations:
- method: GET
path: /servers/{server_id}/migrations
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_rule:
check_str: rule:admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-services
description: List all running Compute services in a region.
name: os_compute_api:os-services:list
operations:
- method: GET
path: /os-services
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_rule:
check_str: rule:admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-services
description: Update a Compute service.
name: os_compute_api:os-services:update
operations:
- method: PUT
path: /os-services/{service_id}
scope_types:
- project
- check_str: rule:context_is_admin
deprecated_rule:
check_str: rule:admin_api
deprecated_reason: '
Nova API policies are introducing new default roles with scope_type
capabilities. Old policies are deprecated and silently going to be ignored
in nova 23.0.0 release.
'
deprecated_since: 21.0.0
name: os_compute_api:os-services
description: Delete a Compute service.
name: os_compute_api:os-services:delete
operations:
- method: DELETE
path: /os-services/{service_id}
scope_types:
- project
# os-shelve: server actions posted to /servers/{server_id}/action.
# Shelve and plain unshelve default to rule:project_member_or_admin.
- check_str: rule:project_member_or_admin
  description: Shelve server
  name: os_compute_api:os-shelve:shelve
  operations:
    - method: POST
      path: /servers/{server_id}/action (shelve)
  scope_types:
    - project
- check_str: rule:project_member_or_admin
  description: Unshelve (restore) shelved server
  name: os_compute_api:os-shelve:unshelve
  operations:
    - method: POST
      path: /servers/{server_id}/action (unshelve)
  scope_types:
    - project
# Same method and path as plain unshelve, but admin-only by default.
# NOTE(review): per the description this rule covers unshelving to a chosen
# host; an override that loosens it hands host placement to non-admin callers.
- check_str: rule:context_is_admin
  description: Unshelve (restore) shelve offloaded server to a specific host
  name: os_compute_api:os-shelve:unshelve_to_host
  operations:
    - method: POST
      path: /servers/{server_id}/action (unshelve)
  scope_types:
    - project
# Offloading a shelved server is admin-only by default.
- check_str: rule:context_is_admin
  description: Shelf-offload (remove) server
  name: os_compute_api:os-shelve:shelve_offload
  operations:
    - method: POST
      path: /servers/{server_id}/action (shelveOffload)
  scope_types:
    - project
# os-simple-tenant-usage: usage statistics.
# Per-tenant view defaults to rule:project_reader_or_admin.
# NOTE(review): the tenant is taken from the URL ({tenant_id}); confirm that
# the enforcement target is that tenant, so a reader in one project cannot
# read another project's usage.
- check_str: rule:project_reader_or_admin
  description: Show usage statistics for a specific tenant
  name: os_compute_api:os-simple-tenant-usage:show
  operations:
    - method: GET
      path: /os-simple-tenant-usage/{tenant_id}
  scope_types:
    - project
# Cross-tenant listing is admin-only by default.
- check_str: rule:context_is_admin
  description: List per tenant usage statistics for all tenants
  name: os_compute_api:os-simple-tenant-usage:list
  operations:
    - method: GET
      path: /os-simple-tenant-usage
  scope_types:
    - project
# os-suspend-server: suspend and resume server actions. Both default to
# rule:project_member_or_admin and are limited to project scope.
- check_str: rule:project_member_or_admin
  description: Resume suspended server
  name: os_compute_api:os-suspend-server:resume
  operations:
    - method: POST
      path: /servers/{server_id}/action (resume)
  scope_types:
    - project
- check_str: rule:project_member_or_admin
  description: Suspend server
  name: os_compute_api:os-suspend-server:suspend
  operations:
    - method: POST
      path: /servers/{server_id}/action (suspend)
  scope_types:
    - project
# os-tenant-networks: read-only proxy calls to the Network service, marked
# deprecated in their own descriptions. The new default is
# rule:project_reader_or_admin; the deprecated_rule is rule:admin_or_owner.
# NOTE(review): the deprecated rule may still be accepted next to the new one
# until [oslo_policy] enforce_new_defaults is enabled; verify in nova.conf.
- check_str: rule:project_reader_or_admin
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: '
      Nova API policies are introducing new default roles with scope_type
      capabilities. Old policies are deprecated and silently going to be ignored
      in nova 23.0.0 release.
      '
    deprecated_since: '22.0.0'
    name: os_compute_api:os-tenant-networks
  description: 'List project networks.
    This API is proxy calls to the Network service. This is deprecated.'
  name: os_compute_api:os-tenant-networks:list
  operations:
    - method: GET
      path: /os-tenant-networks
  scope_types:
    - project
- check_str: rule:project_reader_or_admin
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: '
      Nova API policies are introducing new default roles with scope_type
      capabilities. Old policies are deprecated and silently going to be ignored
      in nova 23.0.0 release.
      '
    deprecated_since: '22.0.0'
    name: os_compute_api:os-tenant-networks
  description: 'Show project network details.
    This API is proxy calls to the Network service. This is deprecated.'
  name: os_compute_api:os-tenant-networks:show
  operations:
    - method: GET
      path: /os-tenant-networks/{network_id}
  scope_types:
    - project
# os-volumes: proxy calls to the Volume service, marked deprecated in their
# own descriptions. Reads (list, detail, show) default to
# rule:project_reader_or_admin; writes (create, delete) default to
# rule:project_member_or_admin.
# NOTE(review): every entry keeps rule:admin_or_owner as its deprecated_rule.
# That rule is defined earlier in this file as
# "is_admin:True or project_id:%(project_id)s" and has no role requirement.
# While oslo.policy still accepts deprecated rules, the reader/member split on
# the write operations is not enforced; check [oslo_policy]
# enforce_new_defaults in the deployed nova.conf.
- check_str: rule:project_reader_or_admin
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: '
      Nova API policies are introducing new default roles with scope_type
      capabilities. Old policies are deprecated and silently going to be ignored
      in nova 23.0.0 release.
      '
    deprecated_since: '22.0.0'
    name: os_compute_api:os-volumes
  description: 'List volumes.
    This API is a proxy call to the Volume service. It is deprecated.'
  name: os_compute_api:os-volumes:list
  operations:
    - method: GET
      path: /os-volumes
  scope_types:
    - project
# Write operation: the new default requires the member rule.
- check_str: rule:project_member_or_admin
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: '
      Nova API policies are introducing new default roles with scope_type
      capabilities. Old policies are deprecated and silently going to be ignored
      in nova 23.0.0 release.
      '
    deprecated_since: '22.0.0'
    name: os_compute_api:os-volumes
  description: 'Create volume.
    This API is a proxy call to the Volume service. It is deprecated.'
  name: os_compute_api:os-volumes:create
  operations:
    - method: POST
      path: /os-volumes
  scope_types:
    - project
- check_str: rule:project_reader_or_admin
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: '
      Nova API policies are introducing new default roles with scope_type
      capabilities. Old policies are deprecated and silently going to be ignored
      in nova 23.0.0 release.
      '
    deprecated_since: '22.0.0'
    name: os_compute_api:os-volumes
  description: 'List volumes detail.
    This API is a proxy call to the Volume service. It is deprecated.'
  name: os_compute_api:os-volumes:detail
  operations:
    - method: GET
      path: /os-volumes/detail
  scope_types:
    - project
- check_str: rule:project_reader_or_admin
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: '
      Nova API policies are introducing new default roles with scope_type
      capabilities. Old policies are deprecated and silently going to be ignored
      in nova 23.0.0 release.
      '
    deprecated_since: '22.0.0'
    name: os_compute_api:os-volumes
  description: 'Show volume.
    This API is a proxy call to the Volume service. It is deprecated.'
  name: os_compute_api:os-volumes:show
  operations:
    - method: GET
      path: /os-volumes/{volume_id}
  scope_types:
    - project
# Write operation: the new default requires the member rule.
- check_str: rule:project_member_or_admin
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: '
      Nova API policies are introducing new default roles with scope_type
      capabilities. Old policies are deprecated and silently going to be ignored
      in nova 23.0.0 release.
      '
    deprecated_since: '22.0.0'
    name: os_compute_api:os-volumes
  description: 'Delete volume.
    This API is a proxy call to the Volume service. It is deprecated.'
  name: os_compute_api:os-volumes:delete
  operations:
    - method: DELETE
      path: /os-volumes/{volume_id}
  scope_types:
    - project
# os-volumes snapshots: proxy calls to the Volume service under /os-snapshots,
# marked deprecated in their own descriptions. Reads (list, detail, show)
# default to rule:project_reader_or_admin; writes (create, delete) default to
# rule:project_member_or_admin.
# NOTE(review): all five entries share the deprecated_rule rule:admin_or_owner
# under the old name os_compute_api:os-volumes. An operator override written
# for that old name may still influence these rules; audit policy overrides
# for it when migrating, and verify [oslo_policy] enforce_new_defaults.
- check_str: rule:project_reader_or_admin
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: '
      Nova API policies are introducing new default roles with scope_type
      capabilities. Old policies are deprecated and silently going to be ignored
      in nova 23.0.0 release.
      '
    deprecated_since: '22.0.0'
    name: os_compute_api:os-volumes
  description: 'List snapshots.
    This API is a proxy call to the Volume service. It is deprecated.'
  name: os_compute_api:os-volumes:snapshots:list
  operations:
    - method: GET
      path: /os-snapshots
  scope_types:
    - project
# Write operation: the new default requires the member rule.
- check_str: rule:project_member_or_admin
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: '
      Nova API policies are introducing new default roles with scope_type
      capabilities. Old policies are deprecated and silently going to be ignored
      in nova 23.0.0 release.
      '
    deprecated_since: '22.0.0'
    name: os_compute_api:os-volumes
  description: 'Create snapshots.
    This API is a proxy call to the Volume service. It is deprecated.'
  name: os_compute_api:os-volumes:snapshots:create
  operations:
    - method: POST
      path: /os-snapshots
  scope_types:
    - project
- check_str: rule:project_reader_or_admin
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: '
      Nova API policies are introducing new default roles with scope_type
      capabilities. Old policies are deprecated and silently going to be ignored
      in nova 23.0.0 release.
      '
    deprecated_since: '22.0.0'
    name: os_compute_api:os-volumes
  description: 'List snapshots details.
    This API is a proxy call to the Volume service. It is deprecated.'
  name: os_compute_api:os-volumes:snapshots:detail
  operations:
    - method: GET
      path: /os-snapshots/detail
  scope_types:
    - project
- check_str: rule:project_reader_or_admin
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: '
      Nova API policies are introducing new default roles with scope_type
      capabilities. Old policies are deprecated and silently going to be ignored
      in nova 23.0.0 release.
      '
    deprecated_since: '22.0.0'
    name: os_compute_api:os-volumes
  description: 'Show snapshot.
    This API is a proxy call to the Volume service. It is deprecated.'
  name: os_compute_api:os-volumes:snapshots:show
  operations:
    - method: GET
      path: /os-snapshots/{snapshot_id}
  scope_types:
    - project
# Write operation: the new default requires the member rule.
- check_str: rule:project_member_or_admin
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: '
      Nova API policies are introducing new default roles with scope_type
      capabilities. Old policies are deprecated and silently going to be ignored
      in nova 23.0.0 release.
      '
    deprecated_since: '22.0.0'
    name: os_compute_api:os-volumes
  description: 'Delete snapshot.
    This API is a proxy call to the Volume service. It is deprecated.'
  name: os_compute_api:os-volumes:snapshots:delete
  operations:
    - method: DELETE
      path: /os-snapshots/{snapshot_id}
  scope_types:
    - project
# os-volumes-attachments: volume attachments of a server. None of these
# entries has a deprecated_rule. Reads (index, show) default to
# rule:project_reader_or_admin; create, update and delete default to
# rule:project_member_or_admin; swap is admin-only.
- check_str: rule:project_reader_or_admin
  description: List volume attachments for an instance
  name: os_compute_api:os-volumes-attachments:index
  operations:
    - method: GET
      path: /servers/{server_id}/os-volume_attachments
  scope_types:
    - project
- check_str: rule:project_member_or_admin
  description: Attach a volume to an instance
  name: os_compute_api:os-volumes-attachments:create
  operations:
    - method: POST
      path: /servers/{server_id}/os-volume_attachments
  scope_types:
    - project
- check_str: rule:project_reader_or_admin
  description: Show details of a volume attachment
  name: os_compute_api:os-volumes-attachments:show
  operations:
    - method: GET
      path: /servers/{server_id}/os-volume_attachments/{volume_id}
  scope_types:
    - project
# update and swap (next entry) share the same method and path.
# NOTE(review): per the description below, a combined "swap + update" request
# is authorized by the swap rule alone. When overriding either rule, keep swap
# at least as restrictive as update, or the combined request bypasses the
# update check.
- check_str: rule:project_member_or_admin
  description: 'Update a volume attachment.
    New ''update'' policy about ''swap + update'' request (which is possible
    only >2.85) only <swap policy> is checked. We expect <swap policy> to be
    always superset of this policy permission.
    '
  name: os_compute_api:os-volumes-attachments:update
  operations:
    - method: PUT
      path: /servers/{server_id}/os-volume_attachments/{volume_id}
  scope_types:
    - project
# Replacing the attached volume with a different volumeId is admin-only by
# default.
- check_str: rule:context_is_admin
  description: Update a volume attachment with a different volumeId
  name: os_compute_api:os-volumes-attachments:swap
  operations:
    - method: PUT
      path: /servers/{server_id}/os-volume_attachments/{volume_id}
  scope_types:
    - project
- check_str: rule:project_member_or_admin
  description: Detach a volume from an instance
  name: os_compute_api:os-volumes-attachments:delete
  operations:
    - method: DELETE
      path: /servers/{server_id}/os-volume_attachments/{volume_id}
  scope_types:
    - project