Sample Policy File
Warning
Using a JSON-formatted policy file has been deprecated since Blazar 7.0.0 (Wallaby). The oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.
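The following is a sample blazar policy file for adaptation and use. Every rule in it is commented out and shows the built-in default, so uncomment and edit only the rules you intend to override.
The sample policy can also be viewed in file form.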
Important
The sample policy file is auto-generated from blazar when this documentation is built. You must ensure your version of blazar matches the version of this documentation.
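# Default rule for most Admin APIs.
# Note: this check has no project_id condition, so it matches the admin
# role held on any project.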
#"admin": "is_admin:True or role:admin"
# DEPRECATED
# "admin_or_owner" has been deprecated since 15.0.0.
# Blazar API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in a future release.
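# Default rule for most non-Admin APIs.
# Note: the project_id check carries no role condition, so it matches any
# role held on the project, including read-only ones.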
#"admin_or_owner": "rule:admin or project_id:%(project_id)s"
# Default rule for Project Member (non-Admin) APIs.
#"project_member_api": "role:member and project_id:%(project_id)s"
# DEPRECATED
# "rule:admin_or_owner":"rule:admin or project_id:%(project_id)s" has
# been deprecated since 15.0.0 in favor of
# "project_member_api":"role:member and project_id:%(project_id)s".
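# Blazar API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in a future release.
# Note: until then, oslo.policy by default still accepts the deprecated
# check alongside the new default; set [oslo_policy] enforce_new_defaults
# to evaluate only the new, role-based rule.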
# WARNING: A rule name change has been identified.
# This may be an artifact of new rules being
# included which require legacy fallback
# rules to ensure proper policy behavior.
# Alternatively, this may just be an alias.
# Please evaluate on a case by case basis
# keeping in mind the format for aliased
# rules is:
# "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:project_member_api"
# Default rule for Project Reader (read-only) APIs.
#"project_reader_api": "role:reader and project_id:%(project_id)s"
# DEPRECATED
# "rule:admin_or_owner":"rule:admin or project_id:%(project_id)s" has
# been deprecated since 15.0.0 in favor of
# "project_reader_api":"role:reader and project_id:%(project_id)s".
# Blazar API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in a future release.
# WARNING: A rule name change has been identified.
# This may be an artifact of new rules being
# included which require legacy fallback
# rules to ensure proper policy behavior.
# Alternatively, this may just be an alias.
# Please evaluate on a case by case basis
# keeping in mind the format for aliased
# rules is:
# "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:project_reader_api"
# Default rule for Project Member or Admin APIs.
#"project_member_or_admin": "rule:project_member_api or rule:admin"
# DEPRECATED
# "rule:admin_or_owner":"rule:admin or project_id:%(project_id)s" has
# been deprecated since 15.0.0 in favor of
# "project_member_or_admin":"rule:project_member_api or rule:admin".
# Blazar API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in a future release.
# WARNING: A rule name change has been identified.
# This may be an artifact of new rules being
# included which require legacy fallback
# rules to ensure proper policy behavior.
# Alternatively, this may just be an alias.
# Please evaluate on a case by case basis
# keeping in mind the format for aliased
# rules is:
# "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:project_member_or_admin"
# Default rule for Project Reader or Admin APIs.
#"project_reader_or_admin": "rule:project_reader_api or rule:admin"
# DEPRECATED
# "rule:admin_or_owner":"rule:admin or project_id:%(project_id)s" has
# been deprecated since 15.0.0 in favor of
# "project_reader_or_admin":"rule:project_reader_api or rule:admin".
# Blazar API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in a future release.
# WARNING: A rule name change has been identified.
# This may be an artifact of new rules being
# included which require legacy fallback
# rules to ensure proper policy behavior.
# Alternatively, this may just be an alias.
# Please evaluate on a case by case basis
# keeping in mind the format for aliased
# rules is:
# "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:project_reader_or_admin"
# Policy rule for List/Show Lease(s) API.
# GET /{api_version}/leases
# GET /{api_version}/leases/{lease_id}
# Intended scope(s): project
#"blazar:leases:get": "rule:project_reader_or_admin"
# Policy rule for Create Lease API.
# POST /{api_version}/leases
# Intended scope(s): project
#"blazar:leases:post": "rule:project_member_or_admin"
# Policy rule for Update Lease API.
# PUT /{api_version}/leases/{lease_id}
# Intended scope(s): project
#"blazar:leases:put": "rule:project_member_or_admin"
# Policy rule for Delete Lease API.
# DELETE /{api_version}/leases/{lease_id}
# Intended scope(s): project
#"blazar:leases:delete": "rule:project_member_or_admin"
# Policy rule for List/Show Host(s) API.
# GET /{api_version}/os-hosts
# GET /{api_version}/os-hosts/{host_id}
# Intended scope(s): project
#"blazar:oshosts:get": "rule:admin"
# Policy rule for Create Host API.
# POST /{api_version}/os-hosts
# Intended scope(s): project
#"blazar:oshosts:post": "rule:admin"
# Policy rule for Update Host API.
# PUT /{api_version}/os-hosts/{host_id}
# Intended scope(s): project
#"blazar:oshosts:put": "rule:admin"
# Policy rule for Delete Host API.
# DELETE /{api_version}/os-hosts/{host_id}
# Intended scope(s): project
#"blazar:oshosts:delete": "rule:admin"
# Policy rule for List/Get Host(s) Allocations API.
# GET /{api_version}/os-hosts/allocations
# GET /{api_version}/os-hosts/{host_id}/allocation
# Intended scope(s): project
#"blazar:oshosts:get_allocations": "rule:admin"
# Policy rule for Resource Properties API.
# GET /{api_version}/os-hosts/resource_properties
# Intended scope(s): project
#"blazar:oshosts:get_resource_properties": "rule:admin"
# Policy rule for Resource Properties API.
# PATCH /{api_version}/os-hosts/resource_properties/{property_name}
# Intended scope(s): project
#"blazar:oshosts:update_resource_properties": "rule:admin"
# Policy rule for List/Show FloatingIP(s) API.
# GET /{api_version}/floatingips
# GET /{api_version}/floatingips/{floatingip_id}
# Intended scope(s): project
#"blazar:floatingips:get": "rule:project_reader_or_admin"
# Policy rule for Create Floating IP API.
# POST /{api_version}/floatingips
# Intended scope(s): project
#"blazar:floatingips:post": "rule:admin"
# Policy rule for Delete Floating IP API.
# DELETE /{api_version}/floatingips/{floatingip_id}
# Intended scope(s): project
#"blazar:floatingips:delete": "rule:admin"