Policy configuration

Configuration

The following is an overview of all available policies in Cinder.

cinder

context_is_admin
Default

role:admin

Decides what is required for the ‘is_admin:True’ check to succeed.

admin_or_owner
Default

is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s

Default rule for most non-Admin APIs.

admin_api
Default

is_admin:True or (role:admin and is_admin_project:True)

Default rule for most Admin APIs.

volume:attachment_create
Default

<empty string>

Operations
  • POST /attachments

Create attachment.

volume:attachment_update
Default

rule:admin_or_owner

Operations
  • PUT /attachments/{attachment_id}

Update attachment.

volume:attachment_delete
Default

rule:admin_or_owner

Operations
  • DELETE /attachments/{attachment_id}

Delete attachment.

volume:attachment_complete
Default

rule:admin_or_owner

Operations
  • POST /attachments/{attachment_id}/action (os-complete)

Mark a volume attachment process as completed (in-use).

volume:multiattach_bootable_volume
Default

rule:admin_or_owner

Operations
  • POST /attachments

Allow multiattach of bootable volumes.

message:get_all
Default

rule:admin_or_owner

Operations
  • GET /messages

List messages.

message:get
Default

rule:admin_or_owner

Operations
  • GET /messages/{message_id}

Show message.

message:delete
Default

rule:admin_or_owner

Operations
  • DELETE /messages/{message_id}

Delete message.

clusters:get_all
Default

rule:admin_api

Operations
  • GET /clusters

  • GET /clusters/detail

List clusters.

clusters:get
Default

rule:admin_api

Operations
  • GET /clusters/{cluster_id}

Show cluster.

clusters:update
Default

rule:admin_api

Operations
  • PUT /clusters/{cluster_id}

Update cluster.

workers:cleanup
Default

rule:admin_api

Operations
  • POST /workers/cleanup

Clean up workers.

volume:get_snapshot_metadata
Default

rule:admin_or_owner

Operations
  • GET /snapshots/{snapshot_id}/metadata

  • GET /snapshots/{snapshot_id}/metadata/{key}

Show snapshot’s metadata or one specified metadata with a given key.

volume:update_snapshot_metadata
Default

rule:admin_or_owner

Operations
  • PUT /snapshots/{snapshot_id}/metadata

  • PUT /snapshots/{snapshot_id}/metadata/{key}

Update snapshot’s metadata or one specified metadata with a given key.

volume:delete_snapshot_metadata
Default

rule:admin_or_owner

Operations
  • DELETE /snapshots/{snapshot_id}/metadata/{key}

Delete snapshot’s specified metadata with a given key.

volume:get_all_snapshots
Default

rule:admin_or_owner

Operations
  • GET /snapshots

  • GET /snapshots/detail

List snapshots.

volume_extension:extended_snapshot_attributes
Default

rule:admin_or_owner

Operations
  • GET /snapshots/{snapshot_id}

  • GET /snapshots/detail

List or show snapshots with extended attributes.

volume:create_snapshot
Default

rule:admin_or_owner

Operations
  • POST /snapshots

Create snapshot.

volume:get_snapshot
Default

rule:admin_or_owner

Operations
  • GET /snapshots/{snapshot_id}

Show snapshot.

volume:update_snapshot
Default

rule:admin_or_owner

Operations
  • PUT /snapshots/{snapshot_id}

Update snapshot.

volume:delete_snapshot
Default

rule:admin_or_owner

Operations
  • DELETE /snapshots/{snapshot_id}

Delete snapshot.

volume_extension:snapshot_admin_actions:reset_status
Default

rule:admin_api

Operations
  • POST /snapshots/{snapshot_id}/action (os-reset_status)

Reset status of a snapshot.

snapshot_extension:snapshot_actions:update_snapshot_status
Default

<empty string>

Operations
  • POST /snapshots/{snapshot_id}/action (update_snapshot_status)

Update database fields of snapshot.

volume_extension:snapshot_admin_actions:force_delete
Default

rule:admin_api

Operations
  • POST /snapshots/{snapshot_id}/action (os-force_delete)

Force delete a snapshot.

snapshot_extension:list_manageable
Default

rule:admin_api

Operations
  • GET /manageable_snapshots

  • GET /manageable_snapshots/detail

List (in detail) snapshots which are available to manage.

snapshot_extension:snapshot_manage
Default

rule:admin_api

Operations
  • POST /manageable_snapshots

Manage an existing snapshot.

snapshot_extension:snapshot_unmanage
Default

rule:admin_api

Operations
  • POST /snapshots/{snapshot_id}/action (os-unmanage)

Stop managing a snapshot.

backup:get_all
Default

rule:admin_or_owner

Operations
  • GET /backups

  • GET /backups/detail

List backups.

backup:backup_project_attribute
Default

rule:admin_api

Operations
  • GET /backups/{backup_id}

  • GET /backups/detail

List backups or show backup with project attributes.

backup:create
Default

<empty string>

Operations
  • POST /backups

Create backup.

backup:get
Default

rule:admin_or_owner

Operations
  • GET /backups/{backup_id}

Show backup.

backup:update
Default

rule:admin_or_owner

Operations
  • PUT /backups/{backup_id}

Update backup.

backup:delete
Default

rule:admin_or_owner

Operations
  • DELETE /backups/{backup_id}

Delete backup.

backup:restore
Default

rule:admin_or_owner

Operations
  • POST /backups/{backup_id}/restore

Restore backup.

backup:backup-import
Default

rule:admin_api

Operations
  • POST /backups/{backup_id}/import_record

Import backup.

backup:export-import
Default

rule:admin_api

Operations
  • POST /backups/{backup_id}/export_record

Export backup.

volume_extension:backup_admin_actions:reset_status
Default

rule:admin_api

Operations
  • POST /backups/{backup_id}/action (os-reset_status)

Reset status of a backup.

volume_extension:backup_admin_actions:force_delete
Default

rule:admin_api

Operations
  • POST /backups/{backup_id}/action (os-force_delete)

Force delete a backup.

group:get_all
Default

rule:admin_or_owner

Operations
  • GET /groups

  • GET /groups/detail

List groups.

group:create
Default

<empty string>

Operations
  • POST /groups

Create group.

group:get
Default

rule:admin_or_owner

Operations
  • GET /groups/{group_id}

Show group.

group:update
Default

rule:admin_or_owner

Operations
  • PUT /groups/{group_id}

Update group.

group:group_project_attribute
Default

rule:admin_api

Operations
  • GET /groups/{group_id}

  • GET /groups/detail

List groups or show group with project attributes.

group:group_types_manage
Default

rule:admin_api

Operations
  • POST /group_types/

  • PUT /group_types/{group_type_id}

  • DELETE /group_types/{group_type_id}

Create, update or delete a group type.

group:access_group_types_specs
Default

rule:admin_api

Operations
  • GET /group_types/{group_type_id}

Show group type with type specs attributes.

group:group_types_specs
Default

rule:admin_api

Operations
  • GET /group_types/{group_type_id}/group_specs/{g_spec_id}

  • GET /group_types/{group_type_id}/group_specs

  • POST /group_types/{group_type_id}/group_specs

  • PUT /group_types/{group_type_id}/group_specs/{g_spec_id}

  • DELETE /group_types/{group_type_id}/group_specs/{g_spec_id}

Create, show, update and delete group type spec.

group:get_all_group_snapshots
Default

rule:admin_or_owner

Operations
  • GET /group_snapshots

  • GET /group_snapshots/detail

List group snapshots.

group:create_group_snapshot
Default

<empty string>

Operations
  • POST /group_snapshots

Create group snapshot.

group:get_group_snapshot
Default

rule:admin_or_owner

Operations
  • GET /group_snapshots/{group_snapshot_id}

Show group snapshot.

group:delete_group_snapshot
Default

rule:admin_or_owner

Operations
  • DELETE /group_snapshots/{group_snapshot_id}

Delete group snapshot.

group:update_group_snapshot
Default

rule:admin_or_owner

Operations
  • PUT /group_snapshots/{group_snapshot_id}

Update group snapshot.

group:group_snapshot_project_attribute
Default

rule:admin_api

Operations
  • GET /group_snapshots/{group_snapshot_id}

  • GET /group_snapshots/detail

List group snapshots or show group snapshot with project attributes.

group:reset_group_snapshot_status
Default

rule:admin_api

Operations
  • POST /group_snapshots/{g_snapshot_id}/action (reset_status)

Reset status of group snapshot.

group:delete
Default

rule:admin_or_owner

Operations
  • POST /groups/{group_id}/action (delete)

Delete group.

group:reset_status
Default

rule:admin_api

Operations
  • POST /groups/{group_id}/action (reset_status)

Reset status of group.

group:enable_replication
Default

rule:admin_or_owner

Operations
  • POST /groups/{group_id}/action (enable_replication)

Enable replication.

group:disable_replication
Default

rule:admin_or_owner

Operations
  • POST /groups/{group_id}/action (disable_replication)

Disable replication.

group:failover_replication
Default

rule:admin_or_owner

Operations
  • POST /groups/{group_id}/action (failover_replication)

Fail over replication.

group:list_replication_targets
Default

rule:admin_or_owner

Operations
  • POST /groups/{group_id}/action (list_replication_targets)

List failover replication.

volume_extension:qos_specs_manage:get_all
Default

rule:admin_api

Operations
  • GET /qos-specs

  • GET /qos-specs/{qos_id}/associations

List qos specs or list all associations.

volume_extension:qos_specs_manage:get
Default

rule:admin_api

Operations
  • GET /qos-specs/{qos_id}

Show qos specs.

volume_extension:qos_specs_manage:create
Default

rule:admin_api

Operations
  • POST /qos-specs

Create qos specs.

volume_extension:qos_specs_manage:update
Default

rule:admin_api

Operations
  • PUT /qos-specs/{qos_id}

  • GET /qos-specs/{qos_id}/disassociate_all

  • GET /qos-specs/{qos_id}/associate

  • GET /qos-specs/{qos_id}/disassociate

Update qos specs (including updating association).

volume_extension:qos_specs_manage:delete
Default

rule:admin_api

Operations
  • DELETE /qos-specs/{qos_id}

  • PUT /qos-specs/{qos_id}/delete_keys

Delete qos specs or unset one specified qos key.

volume_extension:quota_classes
Default

rule:admin_api

Operations
  • GET /os-quota-class-sets/{project_id}

  • PUT /os-quota-class-sets/{project_id}

Show or update project quota class.

volume_extension:quotas:show
Default

rule:admin_or_owner

Operations
  • GET /os-quota-sets/{project_id}

  • GET /os-quota-sets/{project_id}/default

  • GET /os-quota-sets/{project_id}?usage=True

Show project quota (including usage and default).

volume_extension:quotas:update
Default

rule:admin_api

Operations
  • PUT /os-quota-sets/{project_id}

Update project quota.

volume_extension:quotas:delete
Default

rule:admin_api

Operations
  • DELETE /os-quota-sets/{project_id}

Delete project quota.

volume_extension:quota_classes:validate_setup_for_nested_quota_use
Default

rule:admin_api

Operations
  • GET /os-quota-sets/validate_setup_for_nested_quota_use

Validate setup for nested quota.

volume_extension:capabilities
Default

rule:admin_api

Operations
  • GET /capabilities/{host_name}

Show backend capabilities.

volume_extension:services:index
Default

rule:admin_api

Operations
  • GET /os-services

List all services.

volume_extension:services:update
Default

rule:admin_api

Operations
  • PUT /os-services/{action}

Update service, including failover_host, thaw, freeze, disable, enable, set-log and get-log actions.

volume:freeze_host
Default

rule:admin_api

Operations
  • PUT /os-services/freeze

Freeze a backend host.

volume:thaw_host
Default

rule:admin_api

Operations
  • PUT /os-services/thaw

Thaw a backend host.

volume:failover_host
Default

rule:admin_api

Operations
  • PUT /os-services/failover_host

Fail over a backend host.

scheduler_extension:scheduler_stats:get_pools
Default

rule:admin_api

Operations
  • GET /scheduler-stats/get_pools

List all backend pools.

volume_extension:hosts
Default

rule:admin_api

Operations
  • GET /os-hosts

  • PUT /os-hosts/{host_name}

  • GET /os-hosts/{host_id}

List, update or show hosts for a project.

limits_extension:used_limits
Default

rule:admin_or_owner

Operations
  • GET /limits

Show limits with used limit attributes.

volume_extension:list_manageable
Default

rule:admin_api

Operations
  • GET /manageable_volumes

  • GET /manageable_volumes/detail

List (in detail) volumes which are available to manage.

volume_extension:volume_manage
Default

rule:admin_api

Operations
  • POST /manageable_volumes

Manage existing volumes.

volume_extension:volume_unmanage
Default

rule:admin_api

Operations
  • POST /volumes/{volume_id}/action (os-unmanage)

Stop managing a volume.

volume_extension:types_manage
Default

rule:admin_api

Operations
  • POST /types

  • PUT /types

  • DELETE /types

Create, update and delete volume type.

volume_extension:type_get
Default

<empty string>

Operations
  • GET /types/{type_id}

Get one specific volume type.

volume_extension:type_get_all
Default

<empty string>

Operations
  • GET /types/

List volume types.

volume_extension:volume_type_encryption
Default

rule:admin_api

Operations
  • POST /types/{type_id}/encryption

  • PUT /types/{type_id}/encryption/{encryption_id}

  • GET /types/{type_id}/encryption

  • GET /types/{type_id}/encryption/{encryption_id}

  • DELETE /types/{type_id}/encryption/{encryption_id}

List, show, create, update and delete volume type encryption. This is deprecated in the Stein release and will be removed in the future.

volume_extension:volume_type_encryption:create
Default

rule:volume_extension:volume_type_encryption

Operations
  • POST /types/{type_id}/encryption

Create volume type encryption.

volume_extension:volume_type_encryption:get
Default

rule:volume_extension:volume_type_encryption

Operations
  • GET /types/{type_id}/encryption/{encryption_id}

  • GET /types/{type_id}/encryption

Show or list volume type encryption.

volume_extension:volume_type_encryption:update
Default

rule:volume_extension:volume_type_encryption

Operations
  • PUT /types/{type_id}/encryption/{encryption_id}

Update volume type encryption.

volume_extension:volume_type_encryption:delete
Default

rule:volume_extension:volume_type_encryption

Operations
  • DELETE /types/{type_id}/encryption/{encryption_id}

Delete volume type encryption.

volume_extension:access_types_extra_specs
Default

rule:admin_api

Operations
  • GET /types/{type_id}

  • GET /types

List or show volume type with access type extra specs attribute.

volume_extension:access_types_qos_specs_id
Default

rule:admin_api

Operations
  • GET /types/{type_id}

  • GET /types

List or show volume type with access type qos specs id attribute.

volume_extension:volume_type_access
Default

rule:admin_or_owner

Operations
  • GET /types

  • GET /types/detail

  • GET /types/{type_id}

  • POST /types

Volume type access related APIs.

volume_extension:volume_type_access:addProjectAccess
Default

rule:admin_api

Operations
  • POST /types/{type_id}/action (addProjectAccess)

Add volume type access for project.

volume_extension:volume_type_access:removeProjectAccess
Default

rule:admin_api

Operations
  • POST /types/{type_id}/action (removeProjectAccess)

Remove volume type access for project.

volume:extend
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-extend)

Extend a volume.

volume:extend_attached_volume
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-extend)

Extend an attached volume.

volume:revert_to_snapshot
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (revert)

Revert a volume to a snapshot.

volume_extension:volume_admin_actions:reset_status
Default

rule:admin_api

Operations
  • POST /volumes/{volume_id}/action (os-reset_status)

Reset status of a volume.

volume:retype
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-retype)

Retype a volume.

volume:update_readonly_flag
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-update_readonly_flag)

Update a volume’s readonly flag.

volume_extension:volume_admin_actions:force_delete
Default

rule:admin_api

Operations
  • POST /volumes/{volume_id}/action (os-force_delete)

Force delete a volume.

volume_extension:volume_actions:upload_public
Default

rule:admin_api

Operations
  • POST /volumes/{volume_id}/action (os-volume_upload_image)

Upload a volume to image with public visibility.

volume_extension:volume_actions:upload_image
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-volume_upload_image)

Upload a volume to image.

volume_extension:volume_admin_actions:force_detach
Default

rule:admin_api

Operations
  • POST /volumes/{volume_id}/action (os-force_detach)

Force detach a volume.

volume_extension:volume_admin_actions:migrate_volume
Default

rule:admin_api

Operations
  • POST /volumes/{volume_id}/action (os-migrate_volume)

Migrate a volume to a specified host.

volume_extension:volume_admin_actions:migrate_volume_completion
Default

rule:admin_api

Operations
  • POST /volumes/{volume_id}/action (os-migrate_volume_completion)

Complete a volume migration.

volume_extension:volume_actions:initialize_connection
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-initialize_connection)

Initialize volume attachment.

volume_extension:volume_actions:terminate_connection
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-terminate_connection)

Terminate volume attachment.

volume_extension:volume_actions:roll_detaching
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-roll_detaching)

Roll back volume status to ‘in-use’.

volume_extension:volume_actions:reserve
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-reserve)

Mark volume as reserved.

volume_extension:volume_actions:unreserve
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-unreserve)

Unmark volume as reserved.

volume_extension:volume_actions:begin_detaching
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-begin_detaching)

Begin detaching volumes.

volume_extension:volume_actions:attach
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-attach)

Add attachment metadata.

volume_extension:volume_actions:detach
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-detach)

Clear attachment metadata.

volume:get_all_transfers
Default

rule:admin_or_owner

Operations
  • GET /os-volume-transfer

  • GET /os-volume-transfer/detail

  • GET /volume_transfers

  • GET /volume-transfers/detail

List volume transfer.

volume:create_transfer
Default

rule:admin_or_owner

Operations
  • POST /os-volume-transfer

  • POST /volume_transfers

Create a volume transfer.

volume:get_transfer
Default

rule:admin_or_owner

Operations
  • GET /os-volume-transfer/{transfer_id}

  • GET /volume-transfers/{transfer_id}

Show one specified volume transfer.

volume:accept_transfer
Default

<empty string>

Operations
  • POST /os-volume-transfer/{transfer_id}/accept

  • POST /volume-transfers/{transfer_id}/accept

Accept a volume transfer.

volume:delete_transfer
Default

rule:admin_or_owner

Operations
  • DELETE /os-volume-transfer/{transfer_id}

  • DELETE /volume-transfers/{transfer_id}

Delete volume transfer.

volume:get_volume_metadata
Default

rule:admin_or_owner

Operations
  • GET /volumes/{volume_id}/metadata

  • GET /volumes/{volume_id}/metadata/{key}

Show volume’s metadata or one specified metadata with a given key.

volume:create_volume_metadata
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/metadata

Create volume metadata.

volume:update_volume_metadata
Default

rule:admin_or_owner

Operations
  • PUT /volumes/{volume_id}/metadata

  • PUT /volumes/{volume_id}/metadata/{key}

Update volume’s metadata or one specified metadata with a given key.

volume:delete_volume_metadata
Default

rule:admin_or_owner

Operations
  • DELETE /volumes/{volume_id}/metadata/{key}

Delete volume’s specified metadata with a given key.

volume_extension:volume_image_metadata
Default

rule:admin_or_owner

Operations
  • GET /volumes/detail

  • GET /volumes/{volume_id}

  • POST /volumes/{volume_id}/action (os-set_image_metadata)

  • POST /volumes/{volume_id}/action (os-unset_image_metadata)

Volume image metadata operations: create, delete, show and list.

volume:update_volume_admin_metadata
Default

rule:admin_api

Operations
  • POST /volumes/{volume_id}/action (os-update_readonly_flag)

  • POST /volumes/{volume_id}/action (os-attach)

Update volume admin metadata. It’s used in the attach and os-update_readonly_flag APIs.

volume_extension:types_extra_specs:index
Default

rule:admin_api

Operations
  • GET /types/{type_id}/extra_specs

List type extra specs.

volume_extension:types_extra_specs:create
Default

rule:admin_api

Operations
  • POST /types/{type_id}/extra_specs

Create type extra specs.

volume_extension:types_extra_specs:show
Default

rule:admin_api

Operations
  • GET /types/{type_id}/extra_specs/{extra_spec_key}

Show one specified type extra specs.

volume_extension:types_extra_specs:update
Default

rule:admin_api

Operations
  • PUT /types/{type_id}/extra_specs/{extra_spec_key}

Update type extra specs.

volume_extension:types_extra_specs:delete
Default

rule:admin_api

Operations
  • DELETE /types/{type_id}/extra_specs/{extra_spec_key}

Delete type extra specs.

volume:create
Default

<empty string>

Operations
  • POST /volumes

Create volume.

volume:create_from_image
Default

<empty string>

Operations
  • POST /volumes

Create volume from image.

volume:get
Default

rule:admin_or_owner

Operations
  • GET /volumes/{volume_id}

Show volume.

volume:get_all
Default

rule:admin_or_owner

Operations
  • GET /volumes

  • GET /volumes/detail

  • GET /volumes/summary

List volumes or get summary of volumes.

volume:update
Default

rule:admin_or_owner

Operations
  • PUT /volumes

  • POST /volumes/{volume_id}/action (os-set_bootable)

Update volume or update a volume’s bootable status.

volume:delete
Default

rule:admin_or_owner

Operations
  • DELETE /volumes/{volume_id}

Delete volume.

volume:force_delete
Default

rule:admin_api

Operations
  • DELETE /volumes/{volume_id}

Force delete a volume.

volume_extension:volume_host_attribute
Default

rule:admin_api

Operations
  • GET /volumes/{volume_id}

  • GET /volumes/detail

List or show volume with host attribute.

volume_extension:volume_tenant_attribute
Default

rule:admin_or_owner

Operations
  • GET /volumes/{volume_id}

  • GET /volumes/detail

List or show volume with tenant attribute.

volume_extension:volume_mig_status_attribute
Default

rule:admin_api

Operations
  • GET /volumes/{volume_id}

  • GET /volumes/detail

List or show volume with migration status attribute.

volume_extension:volume_encryption_metadata
Default

rule:admin_or_owner

Operations
  • GET /volumes/{volume_id}/encryption

  • GET /volumes/{volume_id}/encryption/{encryption_key}

Show volume’s encryption metadata.

volume:multiattach
Default

rule:admin_or_owner

Operations
  • POST /volumes

Create multiattach capable volume.