Sample Policy File

Warning

Using a JSON-formatted policy file has been deprecated since Blazar 7.0.0 (Wallaby). The oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

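The following is a sample blazar policy file for adaptation and use. Every rule in it is commented out and shows the generated default, so uncomment only the rules you intend to override.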

The sample policy can also be viewed in file form.

Important

The sample policy file is auto-generated from blazar when this documentation is built. You must ensure your version of blazar matches the version of this documentation.

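# Default rule for most Admin APIs.
# NOTE: the role:admin check below carries no project_id condition,
# so it is satisfied by the admin role on any project. Grant that
# role only to operators who should manage hosts and every project's
# reservations.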
#"admin": "is_admin:True or role:admin"

# DEPRECATED
# "admin_or_owner" has been deprecated since 15.0.0.
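# Blazar API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in a future release.
# Default rule for most non-Admin APIs.
# NOTE: the project_id check below has no role condition, so any role
# held in the project satisfies it, including reader.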
#"admin_or_owner": "rule:admin or project_id:%(project_id)s"

# Default rule for Project Member (non-Admin) APIs.
#"project_member_api": "role:member and project_id:%(project_id)s"

# DEPRECATED
# "rule:admin_or_owner":"rule:admin or project_id:%(project_id)s" has
# been deprecated since 15.0.0 in favor of
# "project_member_api":"role:member and project_id:%(project_id)s".
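# Blazar API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in a future release.
# NOTE: oslo.policy normally accepts a deprecated check string as an
# alternative to the new default until enforce_new_defaults is
# enabled in [oslo_policy]; until then a project_id match alone may
# still satisfy this rule. Confirm against your deployed release.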
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:project_member_api"

# Default rule for Project Reader (read-only) APIs.
#"project_reader_api": "role:reader and project_id:%(project_id)s"

# DEPRECATED
# "rule:admin_or_owner":"rule:admin or project_id:%(project_id)s" has
# been deprecated since 15.0.0 in favor of
# "project_reader_api":"role:reader and project_id:%(project_id)s".
# Blazar API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in a future release.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:project_reader_api"

# Default rule for Project Member or Admin APIs.
#"project_member_or_admin": "rule:project_member_api or rule:admin"

# DEPRECATED
# "rule:admin_or_owner":"rule:admin or project_id:%(project_id)s" has
# been deprecated since 15.0.0 in favor of
# "project_member_or_admin":"rule:project_member_api or rule:admin".
# Blazar API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in a future release.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:project_member_or_admin"

# Default rule for Project Reader or Admin APIs.
#"project_reader_or_admin": "rule:project_reader_api or rule:admin"

# DEPRECATED
# "rule:admin_or_owner":"rule:admin or project_id:%(project_id)s" has
# been deprecated since 15.0.0 in favor of
# "project_reader_or_admin":"rule:project_reader_api or rule:admin".
# Blazar API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in a future release.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:project_reader_or_admin"

# Policy rule for List/Show Lease(s) API.
# GET  /{api_version}/leases
# GET  /{api_version}/leases/{lease_id}
# Intended scope(s): project
#"blazar:leases:get": "rule:project_reader_or_admin"

# Policy rule for Create Lease API.
# POST  /{api_version}/leases
# Intended scope(s): project
#"blazar:leases:post": "rule:project_member_or_admin"

# Policy rule for Update Lease API.
# PUT  /{api_version}/leases/{lease_id}
# Intended scope(s): project
#"blazar:leases:put": "rule:project_member_or_admin"

# Policy rule for Delete Lease API.
# DELETE  /{api_version}/leases/{lease_id}
# Intended scope(s): project
#"blazar:leases:delete": "rule:project_member_or_admin"

# Policy rule for List/Show Host(s) API.
# GET  /{api_version}/os-hosts
# GET  /{api_version}/os-hosts/{host_id}
# Intended scope(s): project
#"blazar:oshosts:get": "rule:admin"

# Policy rule for Create Host API.
# POST  /{api_version}/os-hosts
# Intended scope(s): project
#"blazar:oshosts:post": "rule:admin"

# Policy rule for Update Host API.
# PUT  /{api_version}/os-hosts/{host_id}
# Intended scope(s): project
#"blazar:oshosts:put": "rule:admin"

# Policy rule for Delete Host API.
# DELETE  /{api_version}/os-hosts/{host_id}
# Intended scope(s): project
#"blazar:oshosts:delete": "rule:admin"

# Policy rule for List/Get Host(s) Allocations API.
# GET  /{api_version}/os-hosts/allocations
# GET  /{api_version}/os-hosts/{host_id}/allocation
# Intended scope(s): project
#"blazar:oshosts:get_allocations": "rule:admin"

# Policy rule for List Resource Properties API.
# GET  /{api_version}/os-hosts/resource_properties
# Intended scope(s): project
#"blazar:oshosts:get_resource_properties": "rule:admin"

# Policy rule for Update Resource Properties API.
# PATCH  /{api_version}/os-hosts/resource_properties/{property_name}
# Intended scope(s): project
#"blazar:oshosts:update_resource_properties": "rule:admin"

# Policy rule for List/Show FloatingIP(s) API.
# GET  /{api_version}/floatingips
# GET  /{api_version}/floatingips/{floatingip_id}
# Intended scope(s): project
#"blazar:floatingips:get": "rule:project_reader_or_admin"

# Policy rule for Create Floating IP API.
# POST  /{api_version}/floatingips
# Intended scope(s): project
#"blazar:floatingips:post": "rule:admin"

# Policy rule for Delete Floating IP API.
# DELETE  /{api_version}/floatingips/{floatingip_id}
# Intended scope(s): project
#"blazar:floatingips:delete": "rule:admin"