yatinkarel
e3bf69f015
[1] moved these attributes to deprecated_rule in wallaby release. Updated the tool and pulled default conf of services. [1] https://review.opendev.org/c/openstack/oslo.policy/+/766628 Related-Bug: #2092657 Change-Id: Ib0f4ede94f51e0d6ba48c2a77c0303e702f2ca2f
# Legacy owner rule. It passes for an admin context, for role:admin in the admin
# project, or for any token whose project_id matches the target's project_id.
# The last clause tests project ownership only; it does not test a role.
- check_str: is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s
  description: 'DEPRECATED: This rule will be removed in the Yoga release. Default
    rule for most non-Admin APIs.'
  name: admin_or_owner
  operations: []
  scope_types: null
# Every clause requires role:admin; the clauses differ only in what the token must
# match (system scope, the target's domain_id, or the target's project_id).
- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s)
    or (role:admin and project_id:%(project_id)s)
  description: 'DEPRECATED: This rule will be removed in the Yoga release. Default
    rule for admins of cloud, domain or a project.'
  name: system_or_domain_or_project_admin
  operations: []
  scope_types: null
# Only role:admin is tested here: the check string has no project, domain or scope
# condition, so holding the admin role on any project satisfies 'is_admin:True'.
- check_str: role:admin
  description: Decides what is required for the 'is_admin:True' check to succeed.
  name: context_is_admin
  operations: []
  scope_types: null
# Gate referenced by the admin-only policies in this file. The is_admin:True clause
# is decided by the context_is_admin rule (see that rule's description).
- check_str: is_admin:True or (role:admin and is_admin_project:True)
  description: Default rule for most Admin APIs.
  name: admin_api
  operations: []
  scope_types: null
# The (role:admin) clause carries no project_id test; the project match applies only
# to the role:reader clause.
- check_str: (role:admin) or (role:reader and project_id:%(project_id)s)
  description: 'NOTE: this purely role-based rule recognizes only project scope'
  name: xena_system_admin_or_project_reader
  operations: []
  scope_types: null
# The (role:admin) clause carries no project_id test; the project match applies only
# to the role:member clause.
- check_str: (role:admin) or (role:member and project_id:%(project_id)s)
  description: 'NOTE: this purely role-based rule recognizes only project scope'
  name: xena_system_admin_or_project_member
  operations: []
  scope_types: null
# The deprecated check_str below is empty, which oslo.policy evaluates as always-allow.
# Unless [oslo_policy] enforce_new_defaults is enabled, that alternative is still
# accepted, so the role:member requirement does not restrict this operation by itself.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: ''
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: volume:attachment_create
  description: Create attachment.
  name: volume:attachment_create
  operations:
  - method: POST
    path: /attachments
  scope_types: null
# Updating an attachment needs role:member on the owning project (or role:admin).
# Unless [oslo_policy] enforce_new_defaults is enabled, oslo.policy also accepts the
# deprecated admin_or_owner check, which tests project ownership but no role.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: volume:attachment_update
  description: Update attachment.
  name: volume:attachment_update
  operations:
  - method: PUT
    path: /attachments/{attachment_id}
  scope_types: null
# Deleting an attachment needs role:member on the owning project (or role:admin).
# Unless [oslo_policy] enforce_new_defaults is enabled, oslo.policy also accepts the
# deprecated admin_or_owner check, which tests project ownership but no role.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: volume:attachment_delete
  description: Delete attachment.
  name: volume:attachment_delete
  operations:
  - method: DELETE
    path: /attachments/{attachment_id}
  scope_types: null
# Marking an attachment complete needs role:member on the owning project (or role:admin).
# Unless [oslo_policy] enforce_new_defaults is enabled, oslo.policy also accepts the
# deprecated admin_or_owner check, which tests project ownership but no role.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: volume:attachment_complete
  description: Mark a volume attachment process as completed (in-use)
  name: volume:attachment_complete
  operations:
  - method: POST
    path: /attachments/{attachment_id}/action (os-complete)
  scope_types: null
# Listed against the same POST /attachments operation as volume:attachment_create.
# New default: role:member on the owning project (or role:admin). The deprecated
# admin_or_owner alternative (accepted unless [oslo_policy] enforce_new_defaults is
# enabled) tests project ownership but no role.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: volume:multiattach_bootable_volume
  description: Allow multiattach of bootable volumes.
  name: volume:multiattach_bootable_volume
  operations:
  - method: POST
    path: /attachments
  scope_types: null
# Read access: role:reader on the owning project, or role:admin.
# The deprecated admin_or_owner alternative (accepted unless [oslo_policy]
# enforce_new_defaults is enabled) matches on project ownership without testing a role.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: message:get_all
  description: List messages.
  name: message:get_all
  operations:
  - method: GET
    path: /messages
  scope_types: null
# Read access: role:reader on the owning project, or role:admin.
# The deprecated admin_or_owner alternative (accepted unless [oslo_policy]
# enforce_new_defaults is enabled) matches on project ownership without testing a role.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: message:get
  description: Show message.
  name: message:get
  operations:
  - method: GET
    path: /messages/{message_id}
  scope_types: null
# Deleting a message needs role:member on the owning project (or role:admin).
# Unless [oslo_policy] enforce_new_defaults is enabled, oslo.policy also accepts the
# deprecated admin_or_owner check, which tests project ownership but no role.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: message:delete
  description: Delete message.
  name: message:delete
  operations:
  - method: DELETE
    path: /messages/{message_id}
  scope_types: null
# Admin-only via rule:admin_api; no deprecated_rule alternative is declared.
- check_str: rule:admin_api
  description: List clusters.
  name: clusters:get_all
  operations:
  - method: GET
    path: /clusters
  - method: GET
    path: /clusters/detail
  scope_types: null
# Admin-only via rule:admin_api; no deprecated_rule alternative is declared.
- check_str: rule:admin_api
  description: Show cluster.
  name: clusters:get
  operations:
  - method: GET
    path: /clusters/{cluster_id}
  scope_types: null
# Admin-only via rule:admin_api; no deprecated_rule alternative is declared.
- check_str: rule:admin_api
  description: Update cluster.
  name: clusters:update
  operations:
  - method: PUT
    path: /clusters/{cluster_id}
  scope_types: null
# Admin-only via rule:admin_api; no deprecated_rule alternative is declared.
- check_str: rule:admin_api
  description: Clean up workers.
  name: workers:cleanup
  operations:
  - method: POST
    path: /workers/cleanup
  scope_types: null
# Read access: role:reader on the owning project, or role:admin.
# The deprecated admin_or_owner alternative (accepted unless [oslo_policy]
# enforce_new_defaults is enabled) matches on project ownership without testing a role.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: volume:get_snapshot_metadata
  description: Show snapshot's metadata or one specified metadata with a given key.
  name: volume:get_snapshot_metadata
  operations:
  - method: GET
    path: /snapshots/{snapshot_id}/metadata
  - method: GET
    path: /snapshots/{snapshot_id}/metadata/{key}
  scope_types: null
# Changing snapshot metadata needs role:member on the owning project (or role:admin).
# Unless [oslo_policy] enforce_new_defaults is enabled, oslo.policy also accepts the
# deprecated admin_or_owner check, which tests project ownership but no role.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: volume:update_snapshot_metadata
  description: Update snapshot's metadata or one specified metadata with a given key.
  name: volume:update_snapshot_metadata
  operations:
  - method: POST
    path: /snapshots/{snapshot_id}/metadata
  - method: PUT
    path: /snapshots/{snapshot_id}/metadata/{key}
  scope_types: null
# Deleting snapshot metadata needs role:member on the owning project (or role:admin).
# Unless [oslo_policy] enforce_new_defaults is enabled, oslo.policy also accepts the
# deprecated admin_or_owner check, which tests project ownership but no role.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: volume:delete_snapshot_metadata
  description: Delete snapshot's specified metadata with a given key.
  name: volume:delete_snapshot_metadata
  operations:
  - method: DELETE
    path: /snapshots/{snapshot_id}/metadata/{key}
  scope_types: null
# Read access: role:reader on the owning project, or role:admin.
# The deprecated admin_or_owner alternative (accepted unless [oslo_policy]
# enforce_new_defaults is enabled) matches on project ownership without testing a role.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: volume:get_all_snapshots
  description: List snapshots.
  name: volume:get_all_snapshots
  operations:
  - method: GET
    path: /snapshots
  - method: GET
    path: /snapshots/detail
  scope_types: null
# Controls the extended attributes on snapshot show/detail responses.
# New default: role:reader on the owning project, or role:admin. The deprecated
# admin_or_owner alternative (accepted unless [oslo_policy] enforce_new_defaults is
# enabled) matches on project ownership without testing a role.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: volume_extension:extended_snapshot_attributes
  description: List or show snapshots with extended attributes.
  name: volume_extension:extended_snapshot_attributes
  operations:
  - method: GET
    path: /snapshots/{snapshot_id}
  - method: GET
    path: /snapshots/detail
  scope_types: null
# Creating a snapshot needs role:member on the owning project (or role:admin).
# Unless [oslo_policy] enforce_new_defaults is enabled, oslo.policy also accepts the
# deprecated admin_or_owner check, which tests project ownership but no role.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: volume:create_snapshot
  description: Create snapshot.
  name: volume:create_snapshot
  operations:
  - method: POST
    path: /snapshots
  scope_types: null
# Read access: role:reader on the owning project, or role:admin.
# The deprecated admin_or_owner alternative (accepted unless [oslo_policy]
# enforce_new_defaults is enabled) matches on project ownership without testing a role.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: volume:get_snapshot
  description: Show snapshot.
  name: volume:get_snapshot
  operations:
  - method: GET
    path: /snapshots/{snapshot_id}
  scope_types: null
# Updating a snapshot needs role:member on the owning project (or role:admin).
# Unless [oslo_policy] enforce_new_defaults is enabled, oslo.policy also accepts the
# deprecated admin_or_owner check, which tests project ownership but no role.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: volume:update_snapshot
  description: Update snapshot.
  name: volume:update_snapshot
  operations:
  - method: PUT
    path: /snapshots/{snapshot_id}
  scope_types: null
# Deleting a snapshot needs role:member on the owning project (or role:admin).
# Unless [oslo_policy] enforce_new_defaults is enabled, oslo.policy also accepts the
# deprecated admin_or_owner check, which tests project ownership but no role.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: volume:delete_snapshot
  description: Delete snapshot.
  name: volume:delete_snapshot
  operations:
  - method: DELETE
    path: /snapshots/{snapshot_id}
  scope_types: null
# Admin-only via rule:admin_api; no deprecated_rule alternative is declared.
- check_str: rule:admin_api
  description: Reset status of a snapshot.
  name: volume_extension:snapshot_admin_actions:reset_status
  operations:
  - method: POST
    path: /snapshots/{snapshot_id}/action (os-reset_status)
  scope_types: null
# This policy guards a write to snapshot database fields, yet its deprecated check_str
# is empty, which oslo.policy evaluates as always-allow. Unless [oslo_policy]
# enforce_new_defaults is enabled, that alternative is still accepted, so the
# role:member requirement does not restrict this operation by itself.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: ''
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: snapshot_extension:snapshot_actions:update_snapshot_status
  description: Update database fields of snapshot.
  name: snapshot_extension:snapshot_actions:update_snapshot_status
  operations:
  - method: POST
    path: /snapshots/{snapshot_id}/action (update_snapshot_status)
  scope_types: null
# Admin-only via rule:admin_api; no deprecated_rule alternative is declared.
- check_str: rule:admin_api
  description: Force delete a snapshot.
  name: volume_extension:snapshot_admin_actions:force_delete
  operations:
  - method: POST
    path: /snapshots/{snapshot_id}/action (os-force_delete)
  scope_types: null
# Admin-only via rule:admin_api; no deprecated_rule alternative is declared.
- check_str: rule:admin_api
  description: List (in detail) of snapshots which are available to manage.
  name: snapshot_extension:list_manageable
  operations:
  - method: GET
    path: /manageable_snapshots
  - method: GET
    path: /manageable_snapshots/detail
  scope_types: null
# Admin-only via rule:admin_api; no deprecated_rule alternative is declared.
- check_str: rule:admin_api
  description: Manage an existing snapshot.
  name: snapshot_extension:snapshot_manage
  operations:
  - method: POST
    path: /manageable_snapshots
  scope_types: null
# Admin-only via rule:admin_api; no deprecated_rule alternative is declared.
- check_str: rule:admin_api
  description: Stop managing a snapshot.
  name: snapshot_extension:snapshot_unmanage
  operations:
  - method: POST
    path: /snapshots/{snapshot_id}/action (os-unmanage)
  scope_types: null
# Read access: role:reader on the owning project, or role:admin.
# The deprecated admin_or_owner alternative (accepted unless [oslo_policy]
# enforce_new_defaults is enabled) matches on project ownership without testing a role.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: backup:get_all
  description: List backups.
  name: backup:get_all
  operations:
  - method: GET
    path: /backups
  - method: GET
    path: /backups/detail
  scope_types: null
# Admin-only via rule:admin_api: governs the project attributes on backup show/detail
# responses. No deprecated_rule alternative is declared.
- check_str: rule:admin_api
  description: List backups or show backup with project attributes.
  name: backup:backup_project_attribute
  operations:
  - method: GET
    path: /backups/{backup_id}
  - method: GET
    path: /backups/detail
  scope_types: null
# The deprecated check_str below is empty, which oslo.policy evaluates as always-allow.
# Unless [oslo_policy] enforce_new_defaults is enabled, that alternative is still
# accepted, so the role:member requirement does not restrict this operation by itself.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: ''
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: backup:create
  description: Create backup.
  name: backup:create
  operations:
  - method: POST
    path: /backups
  scope_types: null
# Read access: role:reader on the owning project, or role:admin.
# The deprecated admin_or_owner alternative (accepted unless [oslo_policy]
# enforce_new_defaults is enabled) matches on project ownership without testing a role.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: backup:get
  description: Show backup.
  name: backup:get
  operations:
  - method: GET
    path: /backups/{backup_id}
  scope_types: null
# Updating a backup needs role:member on the owning project (or role:admin).
# Unless [oslo_policy] enforce_new_defaults is enabled, oslo.policy also accepts the
# deprecated admin_or_owner check, which tests project ownership but no role.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: backup:update
  description: Update backup.
  name: backup:update
  operations:
  - method: PUT
    path: /backups/{backup_id}
  scope_types: null
# Deleting a backup needs role:member on the owning project (or role:admin).
# Unless [oslo_policy] enforce_new_defaults is enabled, oslo.policy also accepts the
# deprecated admin_or_owner check, which tests project ownership but no role.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: backup:delete
  description: Delete backup.
  name: backup:delete
  operations:
  - method: DELETE
    path: /backups/{backup_id}
  scope_types: null
# Restoring a backup needs role:member on the owning project (or role:admin).
# Unless [oslo_policy] enforce_new_defaults is enabled, oslo.policy also accepts the
# deprecated admin_or_owner check, which tests project ownership but no role.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: backup:restore
  description: Restore backup.
  name: backup:restore
  operations:
  - method: POST
    path: /backups/{backup_id}/restore
  scope_types: null
# Admin-only via rule:admin_api; no deprecated_rule alternative is declared.
- check_str: rule:admin_api
  description: Import backup.
  name: backup:backup-import
  operations:
  - method: POST
    path: /backups/{backup_id}/import_record
  scope_types: null
# Admin-only via rule:admin_api; no deprecated_rule alternative is declared.
# The policy name says "export-import" while the description and path cover export only.
- check_str: rule:admin_api
  description: Export backup.
  name: backup:export-import
  operations:
  - method: POST
    path: /backups/{backup_id}/export_record
  scope_types: null
# Admin-only via rule:admin_api; no deprecated_rule alternative is declared.
- check_str: rule:admin_api
  description: Reset status of a backup.
  name: volume_extension:backup_admin_actions:reset_status
  operations:
  - method: POST
    path: /backups/{backup_id}/action (os-reset_status)
  scope_types: null
# Admin-only via rule:admin_api; no deprecated_rule alternative is declared.
- check_str: rule:admin_api
  description: Force delete a backup.
  name: volume_extension:backup_admin_actions:force_delete
  operations:
  - method: POST
    path: /backups/{backup_id}/action (os-force_delete)
  scope_types: null
# Read access: role:reader on the owning project, or role:admin.
# The deprecated admin_or_owner alternative (accepted unless [oslo_policy]
# enforce_new_defaults is enabled) matches on project ownership without testing a role.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: group:get_all
  description: List groups.
  name: group:get_all
  operations:
  - method: GET
    path: /groups
  - method: GET
    path: /groups/detail
  scope_types: null
# The deprecated check_str below is empty, which oslo.policy evaluates as always-allow.
# Unless [oslo_policy] enforce_new_defaults is enabled, that alternative is still
# accepted, so the role:member requirement does not restrict this operation by itself.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: ''
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: group:create
  description: Create group.
  name: group:create
  operations:
  - method: POST
    path: /groups
  scope_types: null
# Read access: role:reader on the owning project, or role:admin.
# The deprecated admin_or_owner alternative (accepted unless [oslo_policy]
# enforce_new_defaults is enabled) matches on project ownership without testing a role.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: group:get
  description: Show group.
  name: group:get
  operations:
  - method: GET
    path: /groups/{group_id}
  scope_types: null
# Updating a group needs role:member on the owning project (or role:admin).
# Unless [oslo_policy] enforce_new_defaults is enabled, oslo.policy also accepts the
# deprecated admin_or_owner check, which tests project ownership but no role.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: group:update
  description: Update group.
  name: group:update
  operations:
  - method: PUT
    path: /groups/{group_id}
  scope_types: null
# Admin-only via rule:admin_api: governs the project attributes on group show/detail
# responses. No deprecated_rule alternative is declared.
- check_str: rule:admin_api
  description: List groups or show group with project attributes.
  name: group:group_project_attribute
  operations:
  - method: GET
    path: /groups/{group_id}
  - method: GET
    path: /groups/detail
  scope_types: null
# Rename only: the deprecated group:group_types_manage policy and this one share the
# same check string (rule:admin_api).
# NOTE(review): an operator override still keyed on the old name may continue to
# apply to this policy; confirm against the deployed policy file.
- check_str: rule:admin_api
  deprecated_rule:
    check_str: rule:admin_api
    deprecated_reason: group:group_types_manage has been replaced by more granular
      policies that separately govern POST, PUT, and DELETE operations.
    deprecated_since: X
    name: group:group_types_manage
  description: Create a group type.
  name: group:group_types:create
  operations:
  - method: POST
    path: /group_types/
  scope_types: null
# Rename only: the deprecated group:group_types_manage policy and this one share the
# same check string (rule:admin_api).
# NOTE(review): an operator override still keyed on the old name may continue to
# apply to this policy; confirm against the deployed policy file.
- check_str: rule:admin_api
  deprecated_rule:
    check_str: rule:admin_api
    deprecated_reason: group:group_types_manage has been replaced by more granular
      policies that separately govern POST, PUT, and DELETE operations.
    deprecated_since: X
    name: group:group_types_manage
  description: Update a group type.
  name: group:group_types:update
  operations:
  - method: PUT
    path: /group_types/{group_type_id}
  scope_types: null
# Rename only: the deprecated group:group_types_manage policy and this one share the
# same check string (rule:admin_api).
# NOTE(review): an operator override still keyed on the old name may continue to
# apply to this policy; confirm against the deployed policy file.
- check_str: rule:admin_api
  deprecated_rule:
    check_str: rule:admin_api
    deprecated_reason: group:group_types_manage has been replaced by more granular
      policies that separately govern POST, PUT, and DELETE operations.
    deprecated_since: X
    name: group:group_types_manage
  description: Delete a group type.
  name: group:group_types:delete
  operations:
  - method: DELETE
    path: /group_types/{group_type_id}
  scope_types: null
# Admin-only via rule:admin_api: governs the type-specs attributes on the group type
# show response. No deprecated_rule alternative is declared.
- check_str: rule:admin_api
  description: Show group type with type specs attributes.
  name: group:access_group_types_specs
  operations:
  - method: GET
    path: /group_types/{group_type_id}
  scope_types: null
# Rename only: the deprecated group:group_types_specs policy and this one share the
# same check string (rule:admin_api).
# NOTE(review): an operator override still keyed on the old name may continue to
# apply to this policy; confirm against the deployed policy file.
- check_str: rule:admin_api
  deprecated_rule:
    check_str: rule:admin_api
    deprecated_reason: group:group_types_specs has been replaced by more granular
      policies that separately govern GET, POST, PUT, and DELETE operations.
    deprecated_since: X
    name: group:group_types_specs
  description: Show a group type spec.
  name: group:group_types_specs:get
  operations:
  - method: GET
    path: /group_types/{group_type_id}/group_specs/{g_spec_id}
  scope_types: null
# Rename only: the deprecated group:group_types_specs policy and this one share the
# same check string (rule:admin_api).
# NOTE(review): an operator override still keyed on the old name may continue to
# apply to this policy; confirm against the deployed policy file.
- check_str: rule:admin_api
  deprecated_rule:
    check_str: rule:admin_api
    deprecated_reason: group:group_types_specs has been replaced by more granular
      policies that separately govern GET, POST, PUT, and DELETE operations.
    deprecated_since: X
    name: group:group_types_specs
  description: List group type specs.
  name: group:group_types_specs:get_all
  operations:
  - method: GET
    path: /group_types/{group_type_id}/group_specs
  scope_types: null
# Rename only: the deprecated group:group_types_specs policy and this one share the
# same check string (rule:admin_api).
# NOTE(review): an operator override still keyed on the old name may continue to
# apply to this policy; confirm against the deployed policy file.
- check_str: rule:admin_api
  deprecated_rule:
    check_str: rule:admin_api
    deprecated_reason: group:group_types_specs has been replaced by more granular
      policies that separately govern GET, POST, PUT, and DELETE operations.
    deprecated_since: X
    name: group:group_types_specs
  description: Create a group type spec.
  name: group:group_types_specs:create
  operations:
  - method: POST
    path: /group_types/{group_type_id}/group_specs
  scope_types: null
# Rename only: the deprecated group:group_types_specs policy and this one share the
# same check string (rule:admin_api).
# NOTE(review): an operator override still keyed on the old name may continue to
# apply to this policy; confirm against the deployed policy file.
- check_str: rule:admin_api
  deprecated_rule:
    check_str: rule:admin_api
    deprecated_reason: group:group_types_specs has been replaced by more granular
      policies that separately govern GET, POST, PUT, and DELETE operations.
    deprecated_since: X
    name: group:group_types_specs
  description: Update a group type spec.
  name: group:group_types_specs:update
  operations:
  - method: PUT
    path: /group_types/{group_type_id}/group_specs/{g_spec_id}
  scope_types: null
# Rename only: the deprecated group:group_types_specs policy and this one share the
# same check string (rule:admin_api).
# NOTE(review): an operator override still keyed on the old name may continue to
# apply to this policy; confirm against the deployed policy file.
- check_str: rule:admin_api
  deprecated_rule:
    check_str: rule:admin_api
    deprecated_reason: group:group_types_specs has been replaced by more granular
      policies that separately govern GET, POST, PUT, and DELETE operations.
    deprecated_since: X
    name: group:group_types_specs
  description: Delete a group type spec.
  name: group:group_types_specs:delete
  operations:
  - method: DELETE
    path: /group_types/{group_type_id}/group_specs/{g_spec_id}
  scope_types: null
# Read access: role:reader on the owning project, or role:admin.
# The deprecated admin_or_owner alternative (accepted unless [oslo_policy]
# enforce_new_defaults is enabled) matches on project ownership without testing a role.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: group:get_all_group_snapshots
  description: List group snapshots.
  name: group:get_all_group_snapshots
  operations:
  - method: GET
    path: /group_snapshots
  - method: GET
    path: /group_snapshots/detail
  scope_types: null
# The deprecated check_str below is empty, which oslo.policy evaluates as always-allow.
# Unless [oslo_policy] enforce_new_defaults is enabled, that alternative is still
# accepted, so the role:member requirement does not restrict this operation by itself.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: ''
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: group:create_group_snapshot
  description: Create group snapshot.
  name: group:create_group_snapshot
  operations:
  - method: POST
    path: /group_snapshots
  scope_types: null
# Read access: role:reader on the owning project, or role:admin.
# The deprecated admin_or_owner alternative (accepted unless [oslo_policy]
# enforce_new_defaults is enabled) matches on project ownership without testing a role.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: group:get_group_snapshot
  description: Show group snapshot.
  name: group:get_group_snapshot
  operations:
  - method: GET
    path: /group_snapshots/{group_snapshot_id}
  scope_types: null
# Deleting a group snapshot needs role:member on the owning project (or role:admin).
# Unless [oslo_policy] enforce_new_defaults is enabled, oslo.policy also accepts the
# deprecated admin_or_owner check, which tests project ownership but no role.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: group:delete_group_snapshot
  description: Delete group snapshot.
  name: group:delete_group_snapshot
  operations:
  - method: DELETE
    path: /group_snapshots/{group_snapshot_id}
  scope_types: null
# Updating a group snapshot needs role:member on the owning project (or role:admin).
# Unless [oslo_policy] enforce_new_defaults is enabled, oslo.policy also accepts the
# deprecated admin_or_owner check, which tests project ownership but no role.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: group:update_group_snapshot
  description: Update group snapshot.
  name: group:update_group_snapshot
  operations:
  - method: PUT
    path: /group_snapshots/{group_snapshot_id}
  scope_types: null
# Admin-only via rule:admin_api: governs the project attributes on group snapshot
# show/detail responses. No deprecated_rule alternative is declared.
- check_str: rule:admin_api
  description: List group snapshots or show group snapshot with project attributes.
  name: group:group_snapshot_project_attribute
  operations:
  - method: GET
    path: /group_snapshots/{group_snapshot_id}
  - method: GET
    path: /group_snapshots/detail
  scope_types: null
# Admin-only via rule:admin_api; no deprecated_rule alternative is declared.
- check_str: rule:admin_api
  description: Reset status of group snapshot.
  name: group:reset_group_snapshot_status
  operations:
  - method: POST
    path: /group_snapshots/{g_snapshot_id}/action (reset_status)
  scope_types: null
# Deleting a group needs role:member on the owning project (or role:admin).
# Unless [oslo_policy] enforce_new_defaults is enabled, oslo.policy also accepts the
# deprecated admin_or_owner check, which tests project ownership but no role.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: group:delete
  description: Delete group.
  name: group:delete
  operations:
  - method: POST
    path: /groups/{group_id}/action (delete)
  scope_types: null
# Admin-only via rule:admin_api; no deprecated_rule alternative is declared.
- check_str: rule:admin_api
  description: Reset status of group.
  name: group:reset_status
  operations:
  - method: POST
    path: /groups/{group_id}/action (reset_status)
  scope_types: null
# Enabling replication needs role:member on the owning project (or role:admin).
# Unless [oslo_policy] enforce_new_defaults is enabled, oslo.policy also accepts the
# deprecated admin_or_owner check, which tests project ownership but no role.
- check_str: rule:xena_system_admin_or_project_member
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: group:enable_replication
  description: Enable replication.
  name: group:enable_replication
  operations:
  - method: POST
    path: /groups/{group_id}/action (enable_replication)
  scope_types: null
- check_str: rule:xena_system_admin_or_project_member
|
|
deprecated_rule:
|
|
check_str: rule:admin_or_owner
|
|
deprecated_reason: Default policies now support the three Keystone default roles,
|
|
namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
|
|
"Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
|
|
(Xena release) for details.
|
|
deprecated_since: X
|
|
name: group:disable_replication
|
|
description: Disable replication.
|
|
name: group:disable_replication
|
|
operations:
|
|
- method: POST
|
|
path: /groups/{group_id}/action (disable_replication)
|
|
scope_types: null
|
|
- check_str: rule:xena_system_admin_or_project_member
|
|
deprecated_rule:
|
|
check_str: rule:admin_or_owner
|
|
deprecated_reason: Default policies now support the three Keystone default roles,
|
|
namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
|
|
"Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
|
|
(Xena release) for details.
|
|
deprecated_since: X
|
|
name: group:failover_replication
|
|
description: Fail over replication.
|
|
name: group:failover_replication
|
|
operations:
|
|
- method: POST
|
|
path: /groups/{group_id}/action (failover_replication)
|
|
scope_types: null
|
|
- check_str: rule:xena_system_admin_or_project_member
|
|
deprecated_rule:
|
|
check_str: rule:admin_or_owner
|
|
deprecated_reason: Default policies now support the three Keystone default roles,
|
|
namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
|
|
"Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
|
|
(Xena release) for details.
|
|
deprecated_since: X
|
|
name: group:list_replication_targets
|
|
description: List failover replication.
|
|
name: group:list_replication_targets
|
|
operations:
|
|
- method: POST
|
|
path: /groups/{group_id}/action (list_replication_targets)
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: List qos specs or list all associations.
|
|
name: volume_extension:qos_specs_manage:get_all
|
|
operations:
|
|
- method: GET
|
|
path: /qos-specs
|
|
- method: GET
|
|
path: /qos-specs/{qos_id}/associations
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: Show qos specs.
|
|
name: volume_extension:qos_specs_manage:get
|
|
operations:
|
|
- method: GET
|
|
path: /qos-specs/{qos_id}
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: Create qos specs.
|
|
name: volume_extension:qos_specs_manage:create
|
|
operations:
|
|
- method: POST
|
|
path: /qos-specs
|
|
scope_types: null
|
|
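# NOTE(review): three of the operations below change QoS associations but
# are listed under GET, although the policy itself is described as "Update".
# Proxy filters or audit rules that treat GET as read-only will not classify
# these as changes -- match on the path as well as the method.
- check_str: rule:admin_api
  description: Update qos specs (including updating association).
  name: volume_extension:qos_specs_manage:update
  operations:
  - method: PUT
    path: /qos-specs/{qos_id}
  - method: GET
    path: /qos-specs/{qos_id}/disassociate_all
  - method: GET
    path: /qos-specs/{qos_id}/associate
  - method: GET
    path: /qos-specs/{qos_id}/disassociate
  scope_types: null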
- check_str: rule:admin_api
|
|
description: Delete qos specs or unset one specified qos key.
|
|
name: volume_extension:qos_specs_manage:delete
|
|
operations:
|
|
- method: DELETE
|
|
path: /qos-specs/{qos_id}
|
|
- method: PUT
|
|
path: /qos-specs/{qos_id}/delete_keys
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
deprecated_rule:
|
|
check_str: rule:admin_api
|
|
deprecated_reason: volume_extension:quota_classes has been replaced by more granular
|
|
policies that separately govern GET and PUT operations.
|
|
deprecated_since: X
|
|
name: volume_extension:quota_classes
|
|
description: Show project quota class.
|
|
name: volume_extension:quota_classes:get
|
|
operations:
|
|
- method: GET
|
|
path: /os-quota-class-sets/{project_id}
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
deprecated_rule:
|
|
check_str: rule:admin_api
|
|
deprecated_reason: volume_extension:quota_classes has been replaced by more granular
|
|
policies that separately govern GET and PUT operations.
|
|
deprecated_since: X
|
|
name: volume_extension:quota_classes
|
|
description: Update project quota class.
|
|
name: volume_extension:quota_classes:update
|
|
operations:
|
|
- method: PUT
|
|
path: /os-quota-class-sets/{project_id}
|
|
scope_types: null
|
|
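# NOTE(review): deprecated_reason and deprecated_since are null here, while
# the other deprecated rules in this file carry a reason and "X".
# The old rule (admin_or_owner) matched on project_id alone; the new one also
# requires role:reader, so project users lacking that role lose access once
# only the new defaults are enforced.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: null
    deprecated_since: null
    name: volume_extension:quotas:show
  description: Show project quota (including usage and default).
  name: volume_extension:quotas:show
  operations:
  - method: GET
    path: /os-quota-sets/{project_id}
  - method: GET
    path: /os-quota-sets/{project_id}/default
  - method: GET
    path: /os-quota-sets/{project_id}?usage=True
  scope_types: null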
- check_str: rule:admin_api
|
|
description: Update project quota.
|
|
name: volume_extension:quotas:update
|
|
operations:
|
|
- method: PUT
|
|
path: /os-quota-sets/{project_id}
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: Delete project quota.
|
|
name: volume_extension:quotas:delete
|
|
operations:
|
|
- method: DELETE
|
|
path: /os-quota-sets/{project_id}
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: Show backend capabilities.
|
|
name: volume_extension:capabilities
|
|
operations:
|
|
- method: GET
|
|
path: /capabilities/{host_name}
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: List all services.
|
|
name: volume_extension:services:index
|
|
operations:
|
|
- method: GET
|
|
path: /os-services
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: Update service, including failover_host, thaw, freeze, disable, enable,
|
|
set-log and get-log actions.
|
|
name: volume_extension:services:update
|
|
operations:
|
|
- method: PUT
|
|
path: /os-services/{action}
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: Freeze a backend host.
|
|
name: volume:freeze_host
|
|
operations:
|
|
- method: PUT
|
|
path: /os-services/freeze
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: Thaw a backend host.
|
|
name: volume:thaw_host
|
|
operations:
|
|
- method: PUT
|
|
path: /os-services/thaw
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: Failover a backend host.
|
|
name: volume:failover_host
|
|
operations:
|
|
- method: PUT
|
|
path: /os-services/failover_host
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: List all backend pools.
|
|
name: scheduler_extension:scheduler_stats:get_pools
|
|
operations:
|
|
- method: GET
|
|
path: /scheduler-stats/get_pools
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: List, update or show hosts for a project.
|
|
name: volume_extension:hosts
|
|
operations:
|
|
- method: GET
|
|
path: /os-hosts
|
|
- method: PUT
|
|
path: /os-hosts/{host_name}
|
|
- method: GET
|
|
path: /os-hosts/{host_id}
|
|
scope_types: null
|
|
- check_str: rule:xena_system_admin_or_project_reader
|
|
deprecated_rule:
|
|
check_str: rule:admin_or_owner
|
|
deprecated_reason: Default policies now support the three Keystone default roles,
|
|
namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
|
|
"Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
|
|
(Xena release) for details.
|
|
deprecated_since: X
|
|
name: limits_extension:used_limits
|
|
description: Show limits with used limit attributes.
|
|
name: limits_extension:used_limits
|
|
operations:
|
|
- method: GET
|
|
path: /limits
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: List (in detail) of volumes which are available to manage.
|
|
name: volume_extension:list_manageable
|
|
operations:
|
|
- method: GET
|
|
path: /manageable_volumes
|
|
- method: GET
|
|
path: /manageable_volumes/detail
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: Manage existing volumes.
|
|
name: volume_extension:volume_manage
|
|
operations:
|
|
- method: POST
|
|
path: /manageable_volumes
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: Stop managing a volume.
|
|
name: volume_extension:volume_unmanage
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (os-unmanage)
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
deprecated_rule:
|
|
check_str: rule:admin_api
|
|
deprecated_reason: volume_extension:types_manage has been replaced by more granular
|
|
policies that separately govern POST, PUT, and DELETE operations.
|
|
deprecated_since: X
|
|
name: volume_extension:types_manage
|
|
description: Create volume type.
|
|
name: volume_extension:type_create
|
|
operations:
|
|
- method: POST
|
|
path: /types
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
deprecated_rule:
|
|
check_str: rule:admin_api
|
|
deprecated_reason: volume_extension:types_manage has been replaced by more granular
|
|
policies that separately govern POST, PUT, and DELETE operations.
|
|
deprecated_since: X
|
|
name: volume_extension:types_manage
|
|
description: Update volume type.
|
|
name: volume_extension:type_update
|
|
operations:
|
|
- method: PUT
|
|
path: /types
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
deprecated_rule:
|
|
check_str: rule:admin_api
|
|
deprecated_reason: volume_extension:types_manage has been replaced by more granular
|
|
policies that separately govern POST, PUT, and DELETE operations.
|
|
deprecated_since: X
|
|
name: volume_extension:types_manage
|
|
description: Delete volume type.
|
|
name: volume_extension:type_delete
|
|
operations:
|
|
- method: DELETE
|
|
path: /types
|
|
scope_types: null
|
|
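# NOTE(review): the deprecated check_str below is the empty string, which
# oslo.policy treats as "always allow". While deprecated defaults are still
# honoured (that is, unless [oslo_policy] enforce_new_defaults is enabled),
# the effective check is this rule OR the deprecated one, so the project
# reader requirement is not yet what gates GET /types/{type_id}.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: ''
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: volume_extension:type_get
  description: Get one specific volume type.
  name: volume_extension:type_get
  operations:
  - method: GET
    path: /types/{type_id}
  scope_types: null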
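# NOTE(review): the deprecated check_str below is the empty string, which
# oslo.policy treats as "always allow". While deprecated defaults are still
# honoured (that is, unless [oslo_policy] enforce_new_defaults is enabled),
# the effective check is this rule OR the deprecated one, so listing volume
# types is not yet limited to admins and project readers.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: ''
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: volume_extension:type_get_all
  description: List volume types.
  name: volume_extension:type_get_all
  operations:
  - method: GET
    path: /types/
  scope_types: null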
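# NOTE(review): unlike most entries in this file, the new default here is
# broader than the deprecated one: rule:admin_api becomes "admin, or reader
# on the project". The extra_specs attribute therefore shows up in volume
# type list/show responses for project readers; review what the deployment
# stores in extra specs before relying on this default.
- check_str: rule:xena_system_admin_or_project_reader
  deprecated_rule:
    check_str: rule:admin_api
    deprecated_reason: Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
      "Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
      (Xena release) for details.
    deprecated_since: X
    name: volume_extension:access_types_extra_specs
  description: Include the volume type's extra_specs attribute in the volume type
    list or show requests. The ability to make these calls is governed by other policies.
  name: volume_extension:access_types_extra_specs
  operations:
  - method: GET
    path: /types/{type_id}
  - method: GET
    path: /types
  scope_types: null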
- check_str: rule:admin_api
|
|
description: Include the volume type's QoS specifications ID attribute in the volume
|
|
type list or show requests. The ability to make these calls is governed by other
|
|
policies.
|
|
name: volume_extension:access_types_qos_specs_id
|
|
operations:
|
|
- method: GET
|
|
path: /types/{type_id}
|
|
- method: GET
|
|
path: /types
|
|
scope_types: null
|
|
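# NOTE(review): no API operation uses this rule directly (operations: []);
# it survives only as the deprecated_rule of the four
# volume_extension:volume_type_encryption:{create,get,update,delete}
# policies in this file. An operator override of this name presumably still
# feeds into all four while deprecated defaults are honoured -- check the
# deployed policy file for a leftover override.
- check_str: rule:admin_api
  description: 'DEPRECATED: This rule will be removed in the Yoga release.'
  name: volume_extension:volume_type_encryption
  operations: []
  scope_types: null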
- check_str: rule:admin_api
|
|
deprecated_rule:
|
|
check_str: rule:volume_extension:volume_type_encryption
|
|
deprecated_reason: 'Reason: ''volume_extension:volume_type_encryption'' was a
|
|
convenience policy that allowed you to set all volume encryption type policies
|
|
to the same value. We are deprecating this rule to prepare for a future release
|
|
in which the default values for policies that read, create/update, and delete
|
|
encryption types will be different from each other.'
|
|
deprecated_since: X
|
|
name: volume_extension:volume_type_encryption:create
|
|
description: Create volume type encryption.
|
|
name: volume_extension:volume_type_encryption:create
|
|
operations:
|
|
- method: POST
|
|
path: /types/{type_id}/encryption
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
deprecated_rule:
|
|
check_str: rule:volume_extension:volume_type_encryption
|
|
deprecated_reason: 'Reason: ''volume_extension:volume_type_encryption'' was a
|
|
convenience policy that allowed you to set all volume encryption type policies
|
|
to the same value. We are deprecating this rule to prepare for a future release
|
|
in which the default values for policies that read, create/update, and delete
|
|
encryption types will be different from each other.'
|
|
deprecated_since: X
|
|
name: volume_extension:volume_type_encryption:get
|
|
description: Show a volume type's encryption type, show an encryption specs item.
|
|
name: volume_extension:volume_type_encryption:get
|
|
operations:
|
|
- method: GET
|
|
path: /types/{type_id}/encryption
|
|
- method: GET
|
|
path: /types/{type_id}/encryption/{key}
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
deprecated_rule:
|
|
check_str: rule:volume_extension:volume_type_encryption
|
|
deprecated_reason: 'Reason: ''volume_extension:volume_type_encryption'' was a
|
|
convenience policy that allowed you to set all volume encryption type policies
|
|
to the same value. We are deprecating this rule to prepare for a future release
|
|
in which the default values for policies that read, create/update, and delete
|
|
encryption types will be different from each other.'
|
|
deprecated_since: X
|
|
name: volume_extension:volume_type_encryption:update
|
|
description: Update volume type encryption.
|
|
name: volume_extension:volume_type_encryption:update
|
|
operations:
|
|
- method: PUT
|
|
path: /types/{type_id}/encryption/{encryption_id}
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
deprecated_rule:
|
|
check_str: rule:volume_extension:volume_type_encryption
|
|
deprecated_reason: 'Reason: ''volume_extension:volume_type_encryption'' was a
|
|
convenience policy that allowed you to set all volume encryption type policies
|
|
to the same value. We are deprecating this rule to prepare for a future release
|
|
in which the default values for policies that read, create/update, and delete
|
|
encryption types will be different from each other.'
|
|
deprecated_since: X
|
|
name: volume_extension:volume_type_encryption:delete
|
|
description: Delete volume type encryption.
|
|
name: volume_extension:volume_type_encryption:delete
|
|
operations:
|
|
- method: DELETE
|
|
path: /types/{type_id}/encryption/{encryption_id}
|
|
scope_types: null
|
|
- check_str: rule:xena_system_admin_or_project_member
|
|
deprecated_rule:
|
|
check_str: rule:admin_or_owner
|
|
deprecated_reason: Default policies now support the three Keystone default roles,
|
|
namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
|
|
"Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
|
|
(Xena release) for details.
|
|
deprecated_since: X
|
|
name: volume_extension:volume_type_access
|
|
description: Adds the boolean field 'os-volume-type-access:is_public' to the responses
|
|
for these API calls. The ability to make these calls is governed by other policies.
|
|
name: volume_extension:volume_type_access
|
|
operations:
|
|
- method: GET
|
|
path: /types
|
|
- method: GET
|
|
path: /types/{type_id}
|
|
- method: POST
|
|
path: /types
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: Add volume type access for project.
|
|
name: volume_extension:volume_type_access:addProjectAccess
|
|
operations:
|
|
- method: POST
|
|
path: /types/{type_id}/action (addProjectAccess)
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: Remove volume type access for project.
|
|
name: volume_extension:volume_type_access:removeProjectAccess
|
|
operations:
|
|
- method: POST
|
|
path: /types/{type_id}/action (removeProjectAccess)
|
|
scope_types: null
|
|
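# NOTE(review): the deprecated check_str has no "rule:" prefix, unlike the
# other deprecated rules in this file (e.g. rule:admin_or_owner). As written
# it names a check of kind "volume_extension", not a reference to the
# volume_extension:volume_type_access policy -- presumably an upstream
# omission; confirm how the deployed oslo.policy evaluates it before assuming
# the old behaviour carries over during the deprecation window.
- check_str: rule:admin_api
  deprecated_rule:
    check_str: volume_extension:volume_type_access
    deprecated_reason: 'Reason: ''volume_extension:volume_type_access:get_all_for_type''
      is a new policy that protects an API call formerly governed by ''volume_extension:volume_type_access'',
      but which has been separated for finer-grained policy control.'
    deprecated_since: X
    name: volume_extension:volume_type_access:get_all_for_type
  description: List private volume type access detail, that is, list the projects
    that have access to this volume type.
  name: volume_extension:volume_type_access:get_all_for_type
  operations:
  - method: GET
    path: /types/{type_id}/os-volume-type-access
  scope_types: null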
- check_str: rule:xena_system_admin_or_project_member
|
|
deprecated_rule:
|
|
check_str: rule:admin_or_owner
|
|
deprecated_reason: Default policies now support the three Keystone default roles,
|
|
namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
|
|
"Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
|
|
(Xena release) for details.
|
|
deprecated_since: X
|
|
name: volume:extend
|
|
description: Extend a volume.
|
|
name: volume:extend
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (os-extend)
|
|
scope_types: null
|
|
- check_str: rule:xena_system_admin_or_project_member
|
|
deprecated_rule:
|
|
check_str: rule:admin_or_owner
|
|
deprecated_reason: Default policies now support the three Keystone default roles,
|
|
namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
|
|
"Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
|
|
(Xena release) for details.
|
|
deprecated_since: X
|
|
name: volume:extend_attached_volume
|
|
description: Extend an attached volume.
|
|
name: volume:extend_attached_volume
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (os-extend)
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: Complete a volume extend operation.
|
|
name: volume_extension:volume_admin_actions:extend_volume_completion
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (os-extend_volume_completion)
|
|
scope_types: null
|
|
- check_str: rule:xena_system_admin_or_project_member
|
|
deprecated_rule:
|
|
check_str: rule:admin_or_owner
|
|
deprecated_reason: Default policies now support the three Keystone default roles,
|
|
namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
|
|
"Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
|
|
(Xena release) for details.
|
|
deprecated_since: X
|
|
name: volume:revert_to_snapshot
|
|
description: Revert a volume to a snapshot.
|
|
name: volume:revert_to_snapshot
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (revert)
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: Reset status of a volume.
|
|
name: volume_extension:volume_admin_actions:reset_status
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (os-reset_status)
|
|
scope_types: null
|
|
- check_str: rule:xena_system_admin_or_project_member
|
|
deprecated_rule:
|
|
check_str: rule:admin_or_owner
|
|
deprecated_reason: Default policies now support the three Keystone default roles,
|
|
namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
|
|
"Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
|
|
(Xena release) for details.
|
|
deprecated_since: X
|
|
name: volume:retype
|
|
description: Retype a volume.
|
|
name: volume:retype
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (os-retype)
|
|
scope_types: null
|
|
- check_str: rule:xena_system_admin_or_project_member
|
|
deprecated_rule:
|
|
check_str: rule:admin_or_owner
|
|
deprecated_reason: Default policies now support the three Keystone default roles,
|
|
namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
|
|
"Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
|
|
(Xena release) for details.
|
|
deprecated_since: X
|
|
name: volume:update_readonly_flag
|
|
description: Update a volume's readonly flag.
|
|
name: volume:update_readonly_flag
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (os-update_readonly_flag)
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: Force delete a volume.
|
|
name: volume_extension:volume_admin_actions:force_delete
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (os-force_delete)
|
|
scope_types: null
|
|
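# NOTE(review): same endpoint as volume_extension:volume_actions:upload_image;
# per its description this rule covers uploads that request public
# visibility. It is admin-only by default -- relaxing it in an override would
# let non-admin callers publish volume contents as public images.
- check_str: rule:admin_api
  description: Upload a volume to image with public visibility.
  name: volume_extension:volume_actions:upload_public
  operations:
  - method: POST
    path: /volumes/{volume_id}/action (os-volume_upload_image)
  scope_types: null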
- check_str: rule:xena_system_admin_or_project_member
|
|
deprecated_rule:
|
|
check_str: rule:admin_or_owner
|
|
deprecated_reason: Default policies now support the three Keystone default roles,
|
|
namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
|
|
"Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
|
|
(Xena release) for details.
|
|
deprecated_since: X
|
|
name: volume_extension:volume_actions:upload_image
|
|
description: Upload a volume to image.
|
|
name: volume_extension:volume_actions:upload_image
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (os-volume_upload_image)
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: Force detach a volume.
|
|
name: volume_extension:volume_admin_actions:force_detach
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (os-force_detach)
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: Migrate a volume to a specified host.
|
|
name: volume_extension:volume_admin_actions:migrate_volume
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (os-migrate_volume)
|
|
scope_types: null
|
|
- check_str: rule:admin_api
|
|
description: Complete a volume migration.
|
|
name: volume_extension:volume_admin_actions:migrate_volume_completion
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (os-migrate_volume_completion)
|
|
scope_types: null
|
|
- check_str: rule:xena_system_admin_or_project_member
|
|
deprecated_rule:
|
|
check_str: rule:admin_or_owner
|
|
deprecated_reason: Default policies now support the three Keystone default roles,
|
|
namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
|
|
"Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
|
|
(Xena release) for details.
|
|
deprecated_since: X
|
|
name: volume_extension:volume_actions:initialize_connection
|
|
description: Initialize volume attachment.
|
|
name: volume_extension:volume_actions:initialize_connection
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (os-initialize_connection)
|
|
scope_types: null
|
|
- check_str: rule:xena_system_admin_or_project_member
|
|
deprecated_rule:
|
|
check_str: rule:admin_or_owner
|
|
deprecated_reason: Default policies now support the three Keystone default roles,
|
|
namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
|
|
"Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
|
|
(Xena release) for details.
|
|
deprecated_since: X
|
|
name: volume_extension:volume_actions:terminate_connection
|
|
description: Terminate volume attachment.
|
|
name: volume_extension:volume_actions:terminate_connection
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (os-terminate_connection)
|
|
scope_types: null
|
|
- check_str: rule:xena_system_admin_or_project_member
|
|
deprecated_rule:
|
|
check_str: rule:admin_or_owner
|
|
deprecated_reason: Default policies now support the three Keystone default roles,
|
|
namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
|
|
"Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
|
|
(Xena release) for details.
|
|
deprecated_since: X
|
|
name: volume_extension:volume_actions:roll_detaching
|
|
description: Roll back volume status to 'in-use'.
|
|
name: volume_extension:volume_actions:roll_detaching
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (os-roll_detaching)
|
|
scope_types: null
|
|
- check_str: rule:xena_system_admin_or_project_member
|
|
deprecated_rule:
|
|
check_str: rule:admin_or_owner
|
|
deprecated_reason: Default policies now support the three Keystone default roles,
|
|
namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
|
|
"Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
|
|
(Xena release) for details.
|
|
deprecated_since: X
|
|
name: volume_extension:volume_actions:reserve
|
|
description: Mark volume as reserved.
|
|
name: volume_extension:volume_actions:reserve
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (os-reserve)
|
|
scope_types: null
|
|
- check_str: rule:xena_system_admin_or_project_member
|
|
deprecated_rule:
|
|
check_str: rule:admin_or_owner
|
|
deprecated_reason: Default policies now support the three Keystone default roles,
|
|
namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
|
|
"Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
|
|
(Xena release) for details.
|
|
deprecated_since: X
|
|
name: volume_extension:volume_actions:unreserve
|
|
description: Unmark volume as reserved.
|
|
name: volume_extension:volume_actions:unreserve
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (os-unreserve)
|
|
scope_types: null
|
|
- check_str: rule:xena_system_admin_or_project_member
|
|
deprecated_rule:
|
|
check_str: rule:admin_or_owner
|
|
deprecated_reason: Default policies now support the three Keystone default roles,
|
|
namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
|
|
"Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
|
|
(Xena release) for details.
|
|
deprecated_since: X
|
|
name: volume_extension:volume_actions:begin_detaching
|
|
description: Begin detaching volumes.
|
|
name: volume_extension:volume_actions:begin_detaching
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (os-begin_detaching)
|
|
scope_types: null
|
|
- check_str: rule:xena_system_admin_or_project_member
|
|
deprecated_rule:
|
|
check_str: rule:admin_or_owner
|
|
deprecated_reason: Default policies now support the three Keystone default roles,
|
|
namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
|
|
"Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
|
|
(Xena release) for details.
|
|
deprecated_since: X
|
|
name: volume_extension:volume_actions:attach
|
|
description: Add attachment metadata.
|
|
name: volume_extension:volume_actions:attach
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (os-attach)
|
|
scope_types: null
|
|
- check_str: rule:xena_system_admin_or_project_member
|
|
deprecated_rule:
|
|
check_str: rule:admin_or_owner
|
|
deprecated_reason: Default policies now support the three Keystone default roles,
|
|
namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
|
|
"Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
|
|
(Xena release) for details.
|
|
deprecated_since: X
|
|
name: volume_extension:volume_actions:detach
|
|
description: Clear attachment metadata.
|
|
name: volume_extension:volume_actions:detach
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (os-detach)
|
|
scope_types: null
|
|
- check_str: rule:xena_system_admin_or_project_member
|
|
description: Reimage a volume in 'available' or 'error' status.
|
|
name: volume:reimage
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (os-reimage)
|
|
scope_types: null
|
|
- check_str: rule:xena_system_admin_or_project_member
|
|
description: Reimage a volume in 'reserved' status.
|
|
name: volume:reimage_reserved
|
|
operations:
|
|
- method: POST
|
|
path: /volumes/{volume_id}/action (os-reimage)
|
|
scope_types: null
|
|
- check_str: rule:xena_system_admin_or_project_reader
|
|
deprecated_rule:
|
|
check_str: rule:admin_or_owner
|
|
deprecated_reason: Default policies now support the three Keystone default roles,
|
|
namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
|
|
"Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
|
|
(Xena release) for details.
|
|
deprecated_since: X
|
|
name: volume:get_all_transfers
|
|
description: List volume transfers.
|
|
name: volume:get_all_transfers
|
|
operations:
|
|
- method: GET
|
|
path: /os-volume-transfer
|
|
- method: GET
|
|
path: /os-volume-transfer/detail
|
|
- method: GET
|
|
path: /volume_transfers
|
|
- method: GET
|
|
path: /volume-transfers/detail
|
|
scope_types: null
|
|
- check_str: rule:xena_system_admin_or_project_member
|
|
deprecated_rule:
|
|
check_str: rule:admin_or_owner
|
|
deprecated_reason: Default policies now support the three Keystone default roles,
|
|
namely 'admin', 'member', and 'reader' to implement three Cinder "personas". See
|
|
"Policy Personas and Permissions" in the "Cinder Service Configuration" documentation
|
|
(Xena release) for details.
|
|
deprecated_since: X
|
|
name: volume:create_transfer
|
|
description: Create a volume transfer.
|
|
name: volume:create_transfer
|
|
operations:
|
|
- method: POST
|
|
path: /os-volume-transfer
|
|
- method: POST
|
|
path: /volume_transfers
|
|
scope_types: null
|
|
# Reader-level read of a single transfer. The deprecated admin_or_owner check
# stays in effect alongside the new default until enforce_new_defaults is on.
- check_str: 'rule:xena_system_admin_or_project_reader'
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    deprecated_reason: >-
      Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder
      "personas". See "Policy Personas and Permissions" in the "Cinder
      Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: 'volume:get_transfer'
  description: Show one specified volume transfer.
  name: 'volume:get_transfer'
  operations:
  - method: GET
    path: /os-volume-transfer/{transfer_id}
  - method: GET
    path: /volume-transfers/{transfer_id}
  scope_types: null
|
|
# The deprecated default here is the empty check string, which oslo.policy
# treats as always-true. While deprecated defaults are still merged
# (enforce_new_defaults off, no override), the member/project test in
# check_str adds no restriction to this call.
- check_str: 'rule:xena_system_admin_or_project_member'
  deprecated_rule:
    check_str: ""
    deprecated_reason: >-
      Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder
      "personas". See "Policy Personas and Permissions" in the "Cinder
      Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: 'volume:accept_transfer'
  description: Accept a volume transfer.
  name: 'volume:accept_transfer'
  operations:
  - method: POST
    path: /os-volume-transfer/{transfer_id}/accept
  - method: POST
    path: /volume-transfers/{transfer_id}/accept
  scope_types: null
|
|
# Member-level delete. Until enforce_new_defaults is on, the deprecated
# admin_or_owner check (project match, no role test) is accepted as well, so
# the reader persona is not yet kept out of this destructive call.
- check_str: 'rule:xena_system_admin_or_project_member'
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    deprecated_reason: >-
      Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder
      "personas". See "Policy Personas and Permissions" in the "Cinder
      Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: 'volume:delete_transfer'
  description: Delete volume transfer.
  name: 'volume:delete_transfer'
  operations:
  - method: DELETE
    path: /os-volume-transfer/{transfer_id}
  - method: DELETE
    path: /volume-transfers/{transfer_id}
  scope_types: null
|
|
# Reader-level read of volume metadata. Note that one of the governed
# operations is a POST action (os-show_image_metadata): method-based audit or
# filtering rules should not assume every POST under /action is a write.
- check_str: 'rule:xena_system_admin_or_project_reader'
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    deprecated_reason: >-
      Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder
      "personas". See "Policy Personas and Permissions" in the "Cinder
      Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: 'volume:get_volume_metadata'
  description: Show volume's metadata or one specified metadata with a given key.
  name: 'volume:get_volume_metadata'
  operations:
  - method: GET
    path: /volumes/{volume_id}/metadata
  - method: GET
    path: /volumes/{volume_id}/metadata/{key}
  - method: POST
    path: /volumes/{volume_id}/action (os-show_image_metadata)
  scope_types: null
|
|
# Member-level write. The deprecated admin_or_owner check has no role test and
# is still accepted while enforce_new_defaults is off, so project readers are
# not yet excluded by default.
- check_str: 'rule:xena_system_admin_or_project_member'
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    deprecated_reason: >-
      Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder
      "personas". See "Policy Personas and Permissions" in the "Cinder
      Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: 'volume:create_volume_metadata'
  description: Create volume metadata.
  name: 'volume:create_volume_metadata'
  operations:
  - method: POST
    path: /volumes/{volume_id}/metadata
  scope_types: null
|
|
# Member-level write covering both whole-dictionary replacement and single-key
# update. The deprecated admin_or_owner check remains accepted until
# enforce_new_defaults is on.
- check_str: 'rule:xena_system_admin_or_project_member'
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    deprecated_reason: >-
      Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder
      "personas". See "Policy Personas and Permissions" in the "Cinder
      Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: 'volume:update_volume_metadata'
  description: >-
    Replace a volume's metadata dictionary or update a single metadatum
    with a given key.
  name: 'volume:update_volume_metadata'
  operations:
  - method: PUT
    path: /volumes/{volume_id}/metadata
  - method: PUT
    path: /volumes/{volume_id}/metadata/{key}
  scope_types: null
|
|
# Member-level delete of one metadata key. Deprecated admin_or_owner (project
# match only) is still accepted while enforce_new_defaults is off.
- check_str: 'rule:xena_system_admin_or_project_member'
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    deprecated_reason: >-
      Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder
      "personas". See "Policy Personas and Permissions" in the "Cinder
      Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: 'volume:delete_volume_metadata'
  description: Delete a volume's metadatum with the given key.
  name: 'volume:delete_volume_metadata'
  operations:
  - method: DELETE
    path: /volumes/{volume_id}/metadata/{key}
  scope_types: null
|
|
# Controls whether image metadata is included in volume responses, not whether
# the GET itself is allowed. The deprecated rule carries the older, coarser
# policy name (volume_extension:volume_image_metadata); an operator override
# written under that old name should be re-checked against the split policies.
- check_str: 'rule:xena_system_admin_or_project_reader'
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    deprecated_reason: >-
      volume_extension:volume_image_metadata has been replaced by more
      granular policies that separately govern show, set, and remove
      operations.
    deprecated_since: X
    name: 'volume_extension:volume_image_metadata'
  description: >-
    Include a volume's image metadata in volume detail responses. The
    ability to make these calls is governed by other policies.
  name: 'volume_extension:volume_image_metadata:show'
  operations:
  - method: GET
    path: /volumes/detail
  - method: GET
    path: /volumes/{volume_id}
  scope_types: null
|
|
# Member-level write split out of the older volume_image_metadata policy.
# While deprecated defaults are merged, admin_or_owner (no role test) is
# accepted too, so project readers are not excluded by default.
- check_str: 'rule:xena_system_admin_or_project_member'
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    deprecated_reason: >-
      volume_extension:volume_image_metadata has been replaced by more
      granular policies that separately govern show, set, and remove
      operations.
    deprecated_since: X
    name: 'volume_extension:volume_image_metadata'
  description: Set image metadata for a volume
  name: 'volume_extension:volume_image_metadata:set'
  operations:
  - method: POST
    path: /volumes/{volume_id}/action (os-set_image_metadata)
  scope_types: null
|
|
# Member-level removal split out of the older volume_image_metadata policy.
# Deprecated admin_or_owner is still accepted until enforce_new_defaults is on.
- check_str: 'rule:xena_system_admin_or_project_member'
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    deprecated_reason: >-
      volume_extension:volume_image_metadata has been replaced by more
      granular policies that separately govern show, set, and remove
      operations.
    deprecated_since: X
    name: 'volume_extension:volume_image_metadata'
  description: Remove specific image metadata from a volume
  name: 'volume_extension:volume_image_metadata:remove'
  operations:
  - method: POST
    path: /volumes/{volume_id}/action (os-unset_image_metadata)
  scope_types: null
|
|
# Admin-only, with no deprecated fallback. Per the description this is a
# second gate inside os-update_readonly_flag and os-attach: passing the
# endpoint's own policy is not enough to change admin metadata.
- check_str: 'rule:admin_api'
  description: >-
    Update volume admin metadata. This permission is required to complete
    these API calls, though the ability to make these calls is governed by
    other policies.
  name: 'volume:update_volume_admin_metadata'
  operations:
  - method: POST
    path: /volumes/{volume_id}/action (os-update_readonly_flag)
  - method: POST
    path: /volumes/{volume_id}/action (os-attach)
  scope_types: null
|
|
# Deprecated default is the empty (always-true) check string. Until
# enforce_new_defaults is on, the reader/project test in check_str does not
# narrow who may list extra specs.
- check_str: 'rule:xena_system_admin_or_project_reader'
  deprecated_rule:
    check_str: ""
    deprecated_reason: >-
      Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder
      "personas". See "Policy Personas and Permissions" in the "Cinder
      Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: 'volume_extension:types_extra_specs:index'
  description: List type extra specs.
  name: 'volume_extension:types_extra_specs:index'
  operations:
  - method: GET
    path: /types/{type_id}/extra_specs
  scope_types: null
|
|
# Admin-only write; no deprecated rule, so the check below is the whole
# default.
- check_str: 'rule:admin_api'
  description: Create type extra specs.
  name: 'volume_extension:types_extra_specs:create'
  operations:
  - method: POST
    path: /types/{type_id}/extra_specs
  scope_types: null
|
|
# Deprecated default is the empty (always-true) check string, so the
# reader/project test only takes effect once enforce_new_defaults is on or
# the policy is overridden.
- check_str: 'rule:xena_system_admin_or_project_reader'
  deprecated_rule:
    check_str: ""
    deprecated_reason: >-
      Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder
      "personas". See "Policy Personas and Permissions" in the "Cinder
      Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: 'volume_extension:types_extra_specs:show'
  description: Show one specified type extra specs.
  name: 'volume_extension:types_extra_specs:show'
  operations:
  - method: GET
    path: /types/{type_id}/extra_specs/{extra_spec_key}
  scope_types: null
|
|
# Admin-only response filter: it decides whether sensitive extra_specs fields
# appear in the GET responses listed below. Relaxing it exposes deployment
# details to end users, as the description warns.
- check_str: 'rule:admin_api'
  description: >-
    Include extra_specs fields that may reveal sensitive information about
    the deployment that should not be exposed to end users in various
    volume-type responses that show extra_specs. The ability to make these
    calls is governed by other policies.
  name: 'volume_extension:types_extra_specs:read_sensitive'
  operations:
  - method: GET
    path: /types
  - method: GET
    path: /types/{type_id}
  - method: GET
    path: /types/{type_id}/extra_specs
  - method: GET
    path: /types/{type_id}/extra_specs/{extra_spec_key}
  scope_types: null
|
|
# Admin-only write; no deprecated rule is attached.
- check_str: 'rule:admin_api'
  description: Update type extra specs.
  name: 'volume_extension:types_extra_specs:update'
  operations:
  - method: PUT
    path: /types/{type_id}/extra_specs/{extra_spec_key}
  scope_types: null
|
|
# Admin-only delete; no deprecated rule is attached.
- check_str: 'rule:admin_api'
  description: Delete type extra specs.
  name: 'volume_extension:types_extra_specs:delete'
  operations:
  - method: DELETE
    path: /types/{type_id}/extra_specs/{extra_spec_key}
  scope_types: null
|
|
# Deprecated default is the empty (always-true) check string. While deprecated
# defaults are merged, the member requirement in check_str is not effective,
# so a reader-only token can still create volumes by default.
- check_str: 'rule:xena_system_admin_or_project_member'
  deprecated_rule:
    check_str: ""
    deprecated_reason: >-
      Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder
      "personas". See "Policy Personas and Permissions" in the "Cinder
      Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: 'volume:create'
  description: Create volume.
  name: 'volume:create'
  operations:
  - method: POST
    path: /volumes
  scope_types: null
|
|
# Same endpoint as volume:create (POST /volumes). The deprecated default is
# the empty, always-true check string, so the member requirement only applies
# once enforce_new_defaults is on or the policy is overridden.
- check_str: 'rule:xena_system_admin_or_project_member'
  deprecated_rule:
    check_str: ""
    deprecated_reason: >-
      Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder
      "personas". See "Policy Personas and Permissions" in the "Cinder
      Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: 'volume:create_from_image'
  description: Create volume from image.
  name: 'volume:create_from_image'
  operations:
  - method: POST
    path: /volumes
  scope_types: null
|
|
# Reader-level read. The deprecated admin_or_owner check is accepted as well
# until enforce_new_defaults is on.
- check_str: 'rule:xena_system_admin_or_project_reader'
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    deprecated_reason: >-
      Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder
      "personas". See "Policy Personas and Permissions" in the "Cinder
      Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: 'volume:get'
  description: Show volume.
  name: 'volume:get'
  operations:
  - method: GET
    path: /volumes/{volume_id}
  scope_types: null
|
|
# Reader-level listing and summary. The deprecated admin_or_owner check is
# accepted as well until enforce_new_defaults is on.
- check_str: 'rule:xena_system_admin_or_project_reader'
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    deprecated_reason: >-
      Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder
      "personas". See "Policy Personas and Permissions" in the "Cinder
      Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: 'volume:get_all'
  description: List volumes or get summary of volumes.
  name: 'volume:get_all'
  operations:
  - method: GET
    path: /volumes
  - method: GET
    path: /volumes/detail
  - method: GET
    path: /volumes/summary
  scope_types: null
|
|
# Member-level write, also covering the os-set_bootable action. Deprecated
# admin_or_owner (no role test) is still accepted while enforce_new_defaults
# is off.
# NOTE(review): the PUT path has no {volume_id} segment, unlike volume:get and
# volume:delete; operations are descriptive only, confirm against the API docs.
- check_str: 'rule:xena_system_admin_or_project_member'
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    deprecated_reason: >-
      Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder
      "personas". See "Policy Personas and Permissions" in the "Cinder
      Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: 'volume:update'
  description: Update volume or update a volume's bootable status.
  name: 'volume:update'
  operations:
  - method: PUT
    path: /volumes
  - method: POST
    path: /volumes/{volume_id}/action (os-set_bootable)
  scope_types: null
|
|
# Member-level delete. While deprecated defaults are merged, admin_or_owner
# (project match, no role test) also passes, so a reader-only user in the
# owning project can still delete volumes by default.
- check_str: 'rule:xena_system_admin_or_project_member'
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    deprecated_reason: >-
      Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder
      "personas". See "Policy Personas and Permissions" in the "Cinder
      Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: 'volume:delete'
  description: Delete volume.
  name: 'volume:delete'
  operations:
  - method: DELETE
    path: /volumes/{volume_id}
  scope_types: null
|
|
# Admin-only. The listed operation is the same method and path as
# volume:delete; what distinguishes a forced delete is not shown in this
# entry, so both policies need to be reviewed together.
- check_str: 'rule:admin_api'
  description: Force Delete a volume.
  name: 'volume:force_delete'
  operations:
  - method: DELETE
    path: /volumes/{volume_id}
  scope_types: null
|
|
# Admin-only response filter for the host attribute on volume reads.
# NOTE(review): presumably this reveals backend placement; confirm before
# relaxing it for non-admin users.
- check_str: 'rule:admin_api'
  description: List or show volume with host attribute.
  name: 'volume_extension:volume_host_attribute'
  operations:
  - method: GET
    path: /volumes/{volume_id}
  - method: GET
    path: /volumes/detail
  scope_types: null
|
|
# Reader-level response filter for the tenant attribute on volume reads. The
# deprecated admin_or_owner check is accepted as well until
# enforce_new_defaults is on.
- check_str: 'rule:xena_system_admin_or_project_reader'
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    deprecated_reason: >-
      Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder
      "personas". See "Policy Personas and Permissions" in the "Cinder
      Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: 'volume_extension:volume_tenant_attribute'
  description: List or show volume with tenant attribute.
  name: 'volume_extension:volume_tenant_attribute'
  operations:
  - method: GET
    path: /volumes/{volume_id}
  - method: GET
    path: /volumes/detail
  scope_types: null
|
|
# Admin-only response filter for the migration status attribute; no
# deprecated rule is attached.
- check_str: 'rule:admin_api'
  description: List or show volume with migration status attribute.
  name: 'volume_extension:volume_mig_status_attribute'
  operations:
  - method: GET
    path: /volumes/{volume_id}
  - method: GET
    path: /volumes/detail
  scope_types: null
|
|
# Reader-level access to a volume's encryption metadata, so it follows the
# widest project persona. The deprecated admin_or_owner check is accepted as
# well until enforce_new_defaults is on.
# NOTE(review): confirm which fields these endpoints return before treating
# reader access as harmless in a given deployment.
- check_str: 'rule:xena_system_admin_or_project_reader'
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    deprecated_reason: >-
      Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder
      "personas". See "Policy Personas and Permissions" in the "Cinder
      Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: 'volume_extension:volume_encryption_metadata'
  description: Show volume's encryption metadata.
  name: 'volume_extension:volume_encryption_metadata'
  operations:
  - method: GET
    path: /volumes/{volume_id}/encryption
  - method: GET
    path: /volumes/{volume_id}/encryption/{encryption_key}
  scope_types: null
|
|
# Member-level gate on creating multiattach-capable volumes (same endpoint as
# volume:create). Deprecated admin_or_owner is still accepted while
# enforce_new_defaults is off.
- check_str: 'rule:xena_system_admin_or_project_member'
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    deprecated_reason: >-
      Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder
      "personas". See "Policy Personas and Permissions" in the "Cinder
      Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: 'volume:multiattach'
  description: Create multiattach capable volume.
  name: 'volume:multiattach'
  operations:
  - method: POST
    path: /volumes
  scope_types: null
|
|
# Admin-only write. The deprecated rule (system_or_domain_or_project_admin)
# also accepts role:admin scoped to a matching domain or project; it stays
# accepted alongside admin_api until enforce_new_defaults is on.
- check_str: 'rule:admin_api'
  deprecated_rule:
    check_str: 'rule:system_or_domain_or_project_admin'
    deprecated_reason: >-
      Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder
      "personas". See "Policy Personas and Permissions" in the "Cinder
      Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: 'volume_extension:default_set_or_update'
  description: Set or update default volume type.
  name: 'volume_extension:default_set_or_update'
  operations:
  - method: PUT
    path: /default-types
  scope_types: null
|
|
# Admin-only read of one project's default type. The deprecated
# system_or_domain_or_project_admin rule stays accepted alongside admin_api
# until enforce_new_defaults is on.
- check_str: 'rule:admin_api'
  deprecated_rule:
    check_str: 'rule:system_or_domain_or_project_admin'
    deprecated_reason: >-
      Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder
      "personas". See "Policy Personas and Permissions" in the "Cinder
      Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: 'volume_extension:default_get'
  description: Get default types.
  name: 'volume_extension:default_get'
  operations:
  - method: GET
    path: /default-types/{project-id}
  scope_types: null
|
|
# Admin-only listing across projects; the description itself warns against
# loosening it. The deprecated check required role:admin with
# system_scope:all and stays accepted alongside admin_api until
# enforce_new_defaults is on.
- check_str: 'rule:admin_api'
  deprecated_rule:
    check_str: 'role:admin and system_scope:all'
    deprecated_reason: >-
      Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder
      "personas". See "Policy Personas and Permissions" in the "Cinder
      Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: 'volume_extension:default_get_all'
  description: >-
    Get all default types. WARNING: Changing this might open up too much
    information regarding cloud deployment.
  name: 'volume_extension:default_get_all'
  operations:
  - method: GET
    path: /default-types/
  scope_types: null
|
|
# Admin-only delete of a project's default type. The deprecated
# system_or_domain_or_project_admin rule stays accepted alongside admin_api
# until enforce_new_defaults is on.
- check_str: 'rule:admin_api'
  deprecated_rule:
    check_str: 'rule:system_or_domain_or_project_admin'
    deprecated_reason: >-
      Default policies now support the three Keystone default roles,
      namely 'admin', 'member', and 'reader' to implement three Cinder
      "personas". See "Policy Personas and Permissions" in the "Cinder
      Service Configuration" documentation (Xena release) for details.
    deprecated_since: X
    name: 'volume_extension:default_unset'
  description: Unset default type.
  name: 'volume_extension:default_unset'
  operations:
  - method: DELETE
    path: /default-types/{project-id}
  scope_types: null
|