policy.yaml
Warning
The JSON-formatted policy file has been deprecated since Aodh 12.0.0 (Wallaby). The oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.
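Use the policy.yaml file to define additional access controls that will be
applied to Aodh. In the sample below every rule is commented out and shows
the built-in default; uncomment and edit a line only when you need to
override that default: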
#"context_is_admin": "role:admin"
#"segregation": "rule:context_is_admin"
#"admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s"
#"default": "rule:context_is_admin or project_id:%(project_id)s"
# Default rule for Project level read only APIs.
#"project_reader": "role:reader and project_id:%(project_id)s"
# Default rule for Project level non admin APIs.
#"project_member": "role:member and project_id:%(project_id)s"
# Default rule for Project member or admin APIs.
#"project_member_or_admin": "rule:project_member or rule:context_is_admin"
# Default rule for Project reader or admin APIs.
#"project_reader_or_admin": "rule:project_reader or rule:context_is_admin"
# Get an alarm.
# GET /v2/alarms/{alarm_id}
# Intended scope(s): project
#"telemetry:get_alarm": "rule:project_reader_or_admin"
# DEPRECATED
# "telemetry:get_alarm":"rule:context_is_admin or
# project_id:%(project_id)s" has been deprecated since W in favor of
# "telemetry:get_alarm":"rule:project_reader_or_admin".
# The alarm and quota APIs now support system-scope and default roles.
# Get all alarms, based on the query provided.
# GET /v2/alarms
# Intended scope(s): project
#"telemetry:get_alarms": "rule:project_reader_or_admin"
# DEPRECATED
# "telemetry:get_alarms":"rule:context_is_admin or
# project_id:%(project_id)s" has been deprecated since W in favor of
# "telemetry:get_alarms":"rule:project_reader_or_admin".
# The alarm and quota APIs now support system-scope and default roles.
# Get alarms of all projects.
# GET /v2/alarms
# Intended scope(s): project
#"telemetry:get_alarms:all_projects": "rule:context_is_admin"
# DEPRECATED
# "telemetry:get_alarms:all_projects":"rule:context_is_admin" has been
# deprecated since W in favor of
# "telemetry:get_alarms:all_projects":"rule:context_is_admin".
# The alarm and quota APIs now support system-scope and default roles.
# Get all alarms, based on the query provided.
# POST /v2/query/alarms
# Intended scope(s): project
#"telemetry:query_alarm": "rule:project_reader_or_admin"
# DEPRECATED
# "telemetry:query_alarm":"rule:context_is_admin or
# project_id:%(project_id)s" has been deprecated since W in favor of
# "telemetry:query_alarm":"rule:project_reader_or_admin".
# The alarm and quota APIs now support system-scope and default roles.
# Create a new alarm.
# POST /v2/alarms
# Intended scope(s): project
#"telemetry:create_alarm": "rule:project_member_or_admin"
# DEPRECATED
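# "telemetry:create_alarm":"" has been deprecated since W in favor of
# "telemetry:create_alarm":"rule:project_member_or_admin".
# The alarm and quota APIs now support system-scope and default roles.
# NOTE: the deprecated default "" is an empty check string, which
# oslo.policy treats as always allowed. While deprecated defaults are
# still honored they are OR'ed with the new default, so the stricter
# rule only takes effect once [oslo_policy] enforce_new_defaults is
# enabled (verify the default for your oslo.policy release) or this
# rule is set explicitly in this file.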
# Modify this alarm.
# PUT /v2/alarms/{alarm_id}
# Intended scope(s): project
#"telemetry:change_alarm": "rule:project_member_or_admin"
# DEPRECATED
# "telemetry:change_alarm":"rule:context_is_admin or
# project_id:%(project_id)s" has been deprecated since W in favor of
# "telemetry:change_alarm":"rule:project_member_or_admin".
# The alarm and quota APIs now support system-scope and default roles.
# Delete this alarm.
# DELETE /v2/alarms/{alarm_id}
# Intended scope(s): project
#"telemetry:delete_alarm": "rule:project_member_or_admin"
# DEPRECATED
# "telemetry:delete_alarm":"rule:context_is_admin or
# project_id:%(project_id)s" has been deprecated since W in favor of
# "telemetry:delete_alarm":"rule:project_member_or_admin".
# The alarm and quota APIs now support system-scope and default roles.
# Get the state of this alarm.
# GET /v2/alarms/{alarm_id}/state
# Intended scope(s): project
#"telemetry:get_alarm_state": "rule:project_reader_or_admin"
# DEPRECATED
# "telemetry:get_alarm_state":"rule:context_is_admin or
# project_id:%(project_id)s" has been deprecated since W in favor of
# "telemetry:get_alarm_state":"rule:project_reader_or_admin".
# The alarm and quota APIs now support system-scope and default roles.
# Set the state of this alarm.
# PUT /v2/alarms/{alarm_id}/state
# Intended scope(s): project
#"telemetry:change_alarm_state": "rule:project_member_or_admin"
# DEPRECATED
# "telemetry:change_alarm_state":"rule:context_is_admin or
# project_id:%(project_id)s" has been deprecated since W in favor of
# "telemetry:change_alarm_state":"rule:project_member_or_admin".
# The alarm and quota APIs now support system-scope and default roles.
# Assembles the alarm history requested.
# GET /v2/alarms/{alarm_id}/history
# Intended scope(s): project
#"telemetry:alarm_history": "rule:project_reader_or_admin"
# DEPRECATED
# "telemetry:alarm_history":"rule:context_is_admin or
# project_id:%(project_id)s" has been deprecated since W in favor of
# "telemetry:alarm_history":"rule:project_reader_or_admin".
# The alarm and quota APIs now support system-scope and default roles.
# Define query for retrieving AlarmChange data.
# POST /v2/query/alarms/history
# Intended scope(s): project
#"telemetry:query_alarm_history": "rule:project_reader_or_admin"
# DEPRECATED
# "telemetry:query_alarm_history":"rule:context_is_admin or
# project_id:%(project_id)s" has been deprecated since W in favor of
# "telemetry:query_alarm_history":"rule:project_reader_or_admin".
# The alarm and quota APIs now support system-scope and default roles.
# Get resources quotas for project.
# GET /v2/quotas
# GET /v2/quotas/{project_id}
# Intended scope(s): project
#"telemetry:get_quotas": "rule:project_reader_or_admin"
# DEPRECATED
# "telemetry:get_quotas":"rule:context_is_admin or
# project_id:%(project_id)s" has been deprecated since Epoxy in favor
# of "telemetry:get_quotas":"rule:project_reader_or_admin".
# The alarm and quota APIs now support system-scope and default roles.
# Update resources quotas for project.
# POST /v2/quotas
# Intended scope(s): project
#"telemetry:update_quotas": "rule:context_is_admin"
# DEPRECATED
# "telemetry:update_quotas":"rule:context_is_admin" has been
# deprecated since W in favor of
# "telemetry:update_quotas":"rule:context_is_admin".
# The alarm and quota APIs now support system-scope and default roles.
# Delete resources quotas for project.
# DELETE /v2/quotas/{project_id}
# Intended scope(s): project
#"telemetry:delete_quotas": "rule:context_is_admin"
# DEPRECATED
# "telemetry:delete_quotas":"rule:context_is_admin" has been
# deprecated since W in favor of
# "telemetry:delete_quotas":"rule:context_is_admin".
# The alarm and quota APIs now support system-scope and default roles.
# Get all metrics.
# GET /v2/metrics
# Intended scope(s): project
#"telemetry:get_metrics": "rule:project_reader_or_admin"
# Get all metrics from all projects.
# GET /v2/metrics
# Intended scope(s): project
#"telemetry:get_metrics:all_projects": "rule:context_is_admin"