policy.yaml

The policy.yaml file defines additional access controls that apply to the Block Storage service.

Prior to Cinder 12.0.0 (the Queens release), a JSON policy file was required to run Cinder. From the Queens release onward, the following hold:

  • It is possible to run Cinder safely without a policy file, as sensible default values are defined in the code.

  • If you wish to run Cinder with policies different from the default, you may write a policy file in either JSON or YAML.

    • Given that JSON does not allow comments, we recommend using YAML to write a custom policy file.

  • If you supply a custom policy file, you only need to supply entries for the policies you wish to change from their default values. For instance, if you want to change the default value of “volume:create”, you only need to keep this single rule in your policy config file.

  • The default policy file location is /etc/cinder/policy.yaml. You may override this by specifying a different file location as the value of the policy_file configuration option in the [oslo_policy] section of the the Cinder configuration file.

The following provides a listing of the default policies. It is not recommended to copy this file into /etc/cinder unless you are planning on providing a different policy for an operation that is not the default.

The sample policy file can also be viewed in file form.

# Decides what is required for the 'is_admin:True' check to succeed.
#"context_is_admin": "role:admin"

# Default rule for most non-Admin APIs.
#"admin_or_owner": "is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s"

# Default rule for most Admin APIs.
#"admin_api": "is_admin:True or (role:admin and is_admin_project:True)"

# Default rule for admins of cloud, domain or a project.
#"system_or_domain_or_project_admin": "(role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s) or (role:admin and project_id:%(project_id)s)"

# Create attachment.
# POST  /attachments
#"volume:attachment_create": ""

# Update attachment.
# PUT  /attachments/{attachment_id}
#"volume:attachment_update": "rule:admin_or_owner"

# Delete attachment.
# DELETE  /attachments/{attachment_id}
#"volume:attachment_delete": "rule:admin_or_owner"

# Mark a volume attachment process as completed (in-use)
# POST  /attachments/{attachment_id}/action (os-complete)
#"volume:attachment_complete": "rule:admin_or_owner"

# Allow multiattach of bootable volumes.
# POST  /attachments
#"volume:multiattach_bootable_volume": "rule:admin_or_owner"

# List messages.
# GET  /messages
#"message:get_all": "rule:admin_or_owner"

# Show message.
# GET  /messages/{message_id}
#"message:get": "rule:admin_or_owner"

# Delete message.
# DELETE  /messages/{message_id}
#"message:delete": "rule:admin_or_owner"

# List clusters.
# GET  /clusters
# GET  /clusters/detail
#"clusters:get_all": "rule:admin_api"

# Show cluster.
# GET  /clusters/{cluster_id}
#"clusters:get": "rule:admin_api"

# Update cluster.
# PUT  /clusters/{cluster_id}
#"clusters:update": "rule:admin_api"

# Clean up workers.
# POST  /workers/cleanup
#"workers:cleanup": "rule:admin_api"

# Show snapshot's metadata or one specified metadata with a given key.
# GET  /snapshots/{snapshot_id}/metadata
# GET  /snapshots/{snapshot_id}/metadata/{key}
#"volume:get_snapshot_metadata": "rule:admin_or_owner"

# Update snapshot's metadata or one specified metadata with a given
# key.
# PUT  /snapshots/{snapshot_id}/metadata
# PUT  /snapshots/{snapshot_id}/metadata/{key}
#"volume:update_snapshot_metadata": "rule:admin_or_owner"

# Delete snapshot's specified metadata with a given key.
# DELETE  /snapshots/{snapshot_id}/metadata/{key}
#"volume:delete_snapshot_metadata": "rule:admin_or_owner"

# List snapshots.
# GET  /snapshots
# GET  /snapshots/detail
#"volume:get_all_snapshots": "rule:admin_or_owner"

# List or show snapshots with extended attributes.
# GET  /snapshots/{snapshot_id}
# GET  /snapshots/detail
#"volume_extension:extended_snapshot_attributes": "rule:admin_or_owner"

# Create snapshot.
# POST  /snapshots
#"volume:create_snapshot": "rule:admin_or_owner"

# Show snapshot.
# GET  /snapshots/{snapshot_id}
#"volume:get_snapshot": "rule:admin_or_owner"

# Update snapshot.
# PUT  /snapshots/{snapshot_id}
#"volume:update_snapshot": "rule:admin_or_owner"

# Delete snapshot.
# DELETE  /snapshots/{snapshot_id}
#"volume:delete_snapshot": "rule:admin_or_owner"

# Reset status of a snapshot.
# POST  /snapshots/{snapshot_id}/action (os-reset_status)
#"volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api"

# Update database fields of snapshot.
# POST  /snapshots/{snapshot_id}/action (update_snapshot_status)
#"snapshot_extension:snapshot_actions:update_snapshot_status": ""

# Force delete a snapshot.
# POST  /snapshots/{snapshot_id}/action (os-force_delete)
#"volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api"

# List (in detail) of snapshots which are available to manage.
# GET  /manageable_snapshots
# GET  /manageable_snapshots/detail
#"snapshot_extension:list_manageable": "rule:admin_api"

# Manage an existing snapshot.
# POST  /manageable_snapshots
#"snapshot_extension:snapshot_manage": "rule:admin_api"

# Stop managing a snapshot.
# POST  /snapshots/{snapshot_id}/action (os-unmanage)
#"snapshot_extension:snapshot_unmanage": "rule:admin_api"

# List backups.
# GET  /backups
# GET  /backups/detail
#"backup:get_all": "rule:admin_or_owner"

# List backups or show backup with project attributes.
# GET  /backups/{backup_id}
# GET  /backups/detail
#"backup:backup_project_attribute": "rule:admin_api"

# Create backup.
# POST  /backups
#"backup:create": ""

# Show backup.
# GET  /backups/{backup_id}
#"backup:get": "rule:admin_or_owner"

# Update backup.
# PUT  /backups/{backup_id}
#"backup:update": "rule:admin_or_owner"

# Delete backup.
# DELETE  /backups/{backup_id}
#"backup:delete": "rule:admin_or_owner"

# Restore backup.
# POST  /backups/{backup_id}/restore
#"backup:restore": "rule:admin_or_owner"

# Import backup.
# POST  /backups/{backup_id}/import_record
#"backup:backup-import": "rule:admin_api"

# Export backup.
# POST  /backups/{backup_id}/export_record
#"backup:export-import": "rule:admin_api"

# Reset status of a backup.
# POST  /backups/{backup_id}/action (os-reset_status)
#"volume_extension:backup_admin_actions:reset_status": "rule:admin_api"

# Force delete a backup.
# POST  /backups/{backup_id}/action (os-force_delete)
#"volume_extension:backup_admin_actions:force_delete": "rule:admin_api"

# List groups.
# GET  /groups
# GET  /groups/detail
#"group:get_all": "rule:admin_or_owner"

# Create group.
# POST  /groups
#"group:create": ""

# Show group.
# GET  /groups/{group_id}
#"group:get": "rule:admin_or_owner"

# Update group.
# PUT  /groups/{group_id}
#"group:update": "rule:admin_or_owner"

# List groups or show group with project attributes.
# GET  /groups/{group_id}
# GET  /groups/detail
#"group:group_project_attribute": "rule:admin_api"

# Create, update or delete a group type.
# POST  /group_types/
# PUT  /group_types/{group_type_id}
# DELETE  /group_types/{group_type_id}
#"group:group_types_manage": "rule:admin_api"

# Show group type with type specs attributes.
# GET  /group_types/{group_type_id}
#"group:access_group_types_specs": "rule:admin_api"

# Create, show, update and delete group type spec.
# GET  /group_types/{group_type_id}/group_specs/{g_spec_id}
# GET  /group_types/{group_type_id}/group_specs
# POST  /group_types/{group_type_id}/group_specs
# PUT  /group_types/{group_type_id}/group_specs/{g_spec_id}
# DELETE  /group_types/{group_type_id}/group_specs/{g_spec_id}
#"group:group_types_specs": "rule:admin_api"

# List group snapshots.
# GET  /group_snapshots
# GET  /group_snapshots/detail
#"group:get_all_group_snapshots": "rule:admin_or_owner"

# Create group snapshot.
# POST  /group_snapshots
#"group:create_group_snapshot": ""

# Show group snapshot.
# GET  /group_snapshots/{group_snapshot_id}
#"group:get_group_snapshot": "rule:admin_or_owner"

# Delete group snapshot.
# DELETE  /group_snapshots/{group_snapshot_id}
#"group:delete_group_snapshot": "rule:admin_or_owner"

# Update group snapshot.
# PUT  /group_snapshots/{group_snapshot_id}
#"group:update_group_snapshot": "rule:admin_or_owner"

# List group snapshots or show group snapshot with project attributes.
# GET  /group_snapshots/{group_snapshot_id}
# GET  /group_snapshots/detail
#"group:group_snapshot_project_attribute": "rule:admin_api"

# Reset status of group snapshot.
# POST  /group_snapshots/{g_snapshot_id}/action (reset_status)
#"group:reset_group_snapshot_status": "rule:admin_api"

# Delete group.
# POST  /groups/{group_id}/action (delete)
#"group:delete": "rule:admin_or_owner"

# Reset status of group.
# POST  /groups/{group_id}/action (reset_status)
#"group:reset_status": "rule:admin_api"

# Enable replication.
# POST  /groups/{group_id}/action (enable_replication)
#"group:enable_replication": "rule:admin_or_owner"

# Disable replication.
# POST  /groups/{group_id}/action (disable_replication)
#"group:disable_replication": "rule:admin_or_owner"

# Fail over replication.
# POST  /groups/{group_id}/action (failover_replication)
#"group:failover_replication": "rule:admin_or_owner"

# List failover replication.
# POST  /groups/{group_id}/action (list_replication_targets)
#"group:list_replication_targets": "rule:admin_or_owner"

# List qos specs or list all associations.
# GET  /qos-specs
# GET  /qos-specs/{qos_id}/associations
#"volume_extension:qos_specs_manage:get_all": "rule:admin_api"

# Show qos specs.
# GET  /qos-specs/{qos_id}
#"volume_extension:qos_specs_manage:get": "rule:admin_api"

# Create qos specs.
# POST  /qos-specs
#"volume_extension:qos_specs_manage:create": "rule:admin_api"

# Update qos specs (including updating association).
# PUT  /qos-specs/{qos_id}
# GET  /qos-specs/{qos_id}/disassociate_all
# GET  /qos-specs/{qos_id}/associate
# GET  /qos-specs/{qos_id}/disassociate
#"volume_extension:qos_specs_manage:update": "rule:admin_api"

# delete qos specs or unset one specified qos key.
# DELETE  /qos-specs/{qos_id}
# PUT  /qos-specs/{qos_id}/delete_keys
#"volume_extension:qos_specs_manage:delete": "rule:admin_api"

# Show or update project quota class.
# GET  /os-quota-class-sets/{project_id}
# PUT  /os-quota-class-sets/{project_id}
#"volume_extension:quota_classes": "rule:admin_api"

# Show project quota (including usage and default).
# GET  /os-quota-sets/{project_id}
# GET  /os-quota-sets/{project_id}/default
# GET  /os-quota-sets/{project_id}?usage=True
#"volume_extension:quotas:show": "rule:admin_or_owner"

# Update project quota.
# PUT  /os-quota-sets/{project_id}
#"volume_extension:quotas:update": "rule:admin_api"

# Delete project quota.
# DELETE  /os-quota-sets/{project_id}
#"volume_extension:quotas:delete": "rule:admin_api"

# Validate setup for nested quota.
# GET  /os-quota-sets/validate_setup_for_nested_quota_use
#"volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api"

# Show backend capabilities.
# GET  /capabilities/{host_name}
#"volume_extension:capabilities": "rule:admin_api"

# List all services.
# GET  /os-services
#"volume_extension:services:index": "rule:admin_api"

# Update service, including failover_host, thaw, freeze, disable,
# enable, set-log and get-log actions.
# PUT  /os-services/{action}
#"volume_extension:services:update": "rule:admin_api"

# Freeze a backend host.
# PUT  /os-services/freeze
#"volume:freeze_host": "rule:admin_api"

# Thaw a backend host.
# PUT  /os-services/thaw
#"volume:thaw_host": "rule:admin_api"

# Failover a backend host.
# PUT  /os-services/failover_host
#"volume:failover_host": "rule:admin_api"

# List all backend pools.
# GET  /scheduler-stats/get_pools
#"scheduler_extension:scheduler_stats:get_pools": "rule:admin_api"

# List, update or show hosts for a project.
# GET  /os-hosts
# PUT  /os-hosts/{host_name}
# GET  /os-hosts/{host_id}
#"volume_extension:hosts": "rule:admin_api"

# Show limits with used limit attributes.
# GET  /limits
#"limits_extension:used_limits": "rule:admin_or_owner"

# List (in detail) of volumes which are available to manage.
# GET  /manageable_volumes
# GET  /manageable_volumes/detail
#"volume_extension:list_manageable": "rule:admin_api"

# Manage existing volumes.
# POST  /manageable_volumes
#"volume_extension:volume_manage": "rule:admin_api"

# Stop managing a volume.
# POST  /volumes/{volume_id}/action (os-unmanage)
#"volume_extension:volume_unmanage": "rule:admin_api"

# Create, update and delete volume type.
# POST  /types
# PUT  /types
# DELETE  /types
#"volume_extension:types_manage": "rule:admin_api"

# Get one specific volume type.
# GET  /types/{type_id}
#"volume_extension:type_get": ""

# List volume types.
# GET  /types/
#"volume_extension:type_get_all": ""

# Base policy for all volume type encryption type operations.  This
# can be used to set the policies for a volume type's encryption type
# create, show, update, and delete actions in one place, or any of
# those may be set individually using the following policy targets for
# finer grained control.
# POST  /types/{type_id}/encryption
# PUT  /types/{type_id}/encryption/{encryption_id}
# GET  /types/{type_id}/encryption
# GET  /types/{type_id}/encryption/{key}
# DELETE  /types/{type_id}/encryption/{encryption_id}
#"volume_extension:volume_type_encryption": "rule:admin_api"

# Create volume type encryption.
# POST  /types/{type_id}/encryption
#"volume_extension:volume_type_encryption:create": "rule:volume_extension:volume_type_encryption"

# Show a volume type's encryption type, show an encryption specs item.
# GET  /types/{type_id}/encryption
# GET  /types/{type_id}/encryption/{key}
#"volume_extension:volume_type_encryption:get": "rule:volume_extension:volume_type_encryption"

# Update volume type encryption.
# PUT  /types/{type_id}/encryption/{encryption_id}
#"volume_extension:volume_type_encryption:update": "rule:volume_extension:volume_type_encryption"

# Delete volume type encryption.
# DELETE  /types/{type_id}/encryption/{encryption_id}
#"volume_extension:volume_type_encryption:delete": "rule:volume_extension:volume_type_encryption"

# List or show volume type with access type extra specs attribute.
# GET  /types/{type_id}
# GET  /types
#"volume_extension:access_types_extra_specs": "rule:admin_api"

# List or show volume type with access type qos specs id attribute.
# GET  /types/{type_id}
# GET  /types
#"volume_extension:access_types_qos_specs_id": "rule:admin_api"

# Volume type access related APIs.
# GET  /types
# GET  /types/detail
# GET  /types/{type_id}
# POST  /types
#"volume_extension:volume_type_access": "rule:admin_or_owner"

# Add volume type access for project.
# POST  /types/{type_id}/action (addProjectAccess)
#"volume_extension:volume_type_access:addProjectAccess": "rule:admin_api"

# Remove volume type access for project.
# POST  /types/{type_id}/action (removeProjectAccess)
#"volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api"

# Extend a volume.
# POST  /volumes/{volume_id}/action (os-extend)
#"volume:extend": "rule:admin_or_owner"

# Extend a attached volume.
# POST  /volumes/{volume_id}/action (os-extend)
#"volume:extend_attached_volume": "rule:admin_or_owner"

# Revert a volume to a snapshot.
# POST  /volumes/{volume_id}/action (revert)
#"volume:revert_to_snapshot": "rule:admin_or_owner"

# Reset status of a volume.
# POST  /volumes/{volume_id}/action (os-reset_status)
#"volume_extension:volume_admin_actions:reset_status": "rule:admin_api"

# Retype a volume.
# POST  /volumes/{volume_id}/action (os-retype)
#"volume:retype": "rule:admin_or_owner"

# Update a volume's readonly flag.
# POST  /volumes/{volume_id}/action (os-update_readonly_flag)
#"volume:update_readonly_flag": "rule:admin_or_owner"

# Force delete a volume.
# POST  /volumes/{volume_id}/action (os-force_delete)
#"volume_extension:volume_admin_actions:force_delete": "rule:admin_api"

# Upload a volume to image with public visibility.
# POST  /volumes/{volume_id}/action (os-volume_upload_image)
#"volume_extension:volume_actions:upload_public": "rule:admin_api"

# Upload a volume to image.
# POST  /volumes/{volume_id}/action (os-volume_upload_image)
#"volume_extension:volume_actions:upload_image": "rule:admin_or_owner"

# Force detach a volume.
# POST  /volumes/{volume_id}/action (os-force_detach)
#"volume_extension:volume_admin_actions:force_detach": "rule:admin_api"

# migrate a volume to a specified host.
# POST  /volumes/{volume_id}/action (os-migrate_volume)
#"volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api"

# Complete a volume migration.
# POST  /volumes/{volume_id}/action (os-migrate_volume_completion)
#"volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api"

# Initialize volume attachment.
# POST  /volumes/{volume_id}/action (os-initialize_connection)
#"volume_extension:volume_actions:initialize_connection": "rule:admin_or_owner"

# Terminate volume attachment.
# POST  /volumes/{volume_id}/action (os-terminate_connection)
#"volume_extension:volume_actions:terminate_connection": "rule:admin_or_owner"

# Roll back volume status to 'in-use'.
# POST  /volumes/{volume_id}/action (os-roll_detaching)
#"volume_extension:volume_actions:roll_detaching": "rule:admin_or_owner"

# Mark volume as reserved.
# POST  /volumes/{volume_id}/action (os-reserve)
#"volume_extension:volume_actions:reserve": "rule:admin_or_owner"

# Unmark volume as reserved.
# POST  /volumes/{volume_id}/action (os-unreserve)
#"volume_extension:volume_actions:unreserve": "rule:admin_or_owner"

# Begin detach volumes.
# POST  /volumes/{volume_id}/action (os-begin_detaching)
#"volume_extension:volume_actions:begin_detaching": "rule:admin_or_owner"

# Add attachment metadata.
# POST  /volumes/{volume_id}/action (os-attach)
#"volume_extension:volume_actions:attach": "rule:admin_or_owner"

# Clear attachment metadata.
# POST  /volumes/{volume_id}/action (os-detach)
#"volume_extension:volume_actions:detach": "rule:admin_or_owner"

# List volume transfer.
# GET  /os-volume-transfer
# GET  /os-volume-transfer/detail
# GET  /volume_transfers
# GET  /volume-transfers/detail
#"volume:get_all_transfers": "rule:admin_or_owner"

# Create a volume transfer.
# POST  /os-volume-transfer
# POST  /volume_transfers
#"volume:create_transfer": "rule:admin_or_owner"

# Show one specified volume transfer.
# GET  /os-volume-transfer/{transfer_id}
# GET  /volume-transfers/{transfer_id}
#"volume:get_transfer": "rule:admin_or_owner"

# Accept a volume transfer.
# POST  /os-volume-transfer/{transfer_id}/accept
# POST  /volume-transfers/{transfer_id}/accept
#"volume:accept_transfer": ""

# Delete volume transfer.
# DELETE  /os-volume-transfer/{transfer_id}
# DELETE  /volume-transfers/{transfer_id}
#"volume:delete_transfer": "rule:admin_or_owner"

# Show volume's metadata or one specified metadata with a given key.
# GET  /volumes/{volume_id}/metadata
# GET  /volumes/{volume_id}/metadata/{key}
#"volume:get_volume_metadata": "rule:admin_or_owner"

# Create volume metadata.
# POST  /volumes/{volume_id}/metadata
#"volume:create_volume_metadata": "rule:admin_or_owner"

# Update volume's metadata or one specified metadata with a given key.
# PUT  /volumes/{volume_id}/metadata
# PUT  /volumes/{volume_id}/metadata/{key}
#"volume:update_volume_metadata": "rule:admin_or_owner"

# Delete volume's specified metadata with a given key.
# DELETE  /volumes/{volume_id}/metadata/{key}
#"volume:delete_volume_metadata": "rule:admin_or_owner"

# Volume's image metadata related operation, create, delete, show and
# list.
# GET  /volumes/detail
# GET  /volumes/{volume_id}
# POST  /volumes/{volume_id}/action (os-set_image_metadata)
# POST  /volumes/{volume_id}/action (os-unset_image_metadata)
#"volume_extension:volume_image_metadata": "rule:admin_or_owner"

# Update volume admin metadata. It's used in `attach` and `os-
# update_readonly_flag` APIs
# POST  /volumes/{volume_id}/action (os-update_readonly_flag)
# POST  /volumes/{volume_id}/action (os-attach)
#"volume:update_volume_admin_metadata": "rule:admin_api"

# List type extra specs.
# GET  /types/{type_id}/extra_specs
#"volume_extension:types_extra_specs:index": "rule:admin_api"

# Create type extra specs.
# POST  /types/{type_id}/extra_specs
#"volume_extension:types_extra_specs:create": "rule:admin_api"

# Show one specified type extra specs.
# GET  /types/{type_id}/extra_specs/{extra_spec_key}
#"volume_extension:types_extra_specs:show": "rule:admin_api"

# Update type extra specs.
# PUT  /types/{type_id}/extra_specs/{extra_spec_key}
#"volume_extension:types_extra_specs:update": "rule:admin_api"

# Delete type extra specs.
# DELETE  /types/{type_id}/extra_specs/{extra_spec_key}
#"volume_extension:types_extra_specs:delete": "rule:admin_api"

# Create volume.
# POST  /volumes
#"volume:create": ""

# Create volume from image.
# POST  /volumes
#"volume:create_from_image": ""

# Show volume.
# GET  /volumes/{volume_id}
#"volume:get": "rule:admin_or_owner"

# List volumes or get summary of volumes.
# GET  /volumes
# GET  /volumes/detail
# GET  /volumes/summary
#"volume:get_all": "rule:admin_or_owner"

# Update volume or update a volume's bootable status.
# PUT  /volumes
# POST  /volumes/{volume_id}/action (os-set_bootable)
#"volume:update": "rule:admin_or_owner"

# Delete volume.
# DELETE  /volumes/{volume_id}
#"volume:delete": "rule:admin_or_owner"

# Force Delete a volume.
# DELETE  /volumes/{volume_id}
#"volume:force_delete": "rule:admin_api"

# List or show volume with host attribute.
# GET  /volumes/{volume_id}
# GET  /volumes/detail
#"volume_extension:volume_host_attribute": "rule:admin_api"

# List or show volume with tenant attribute.
# GET  /volumes/{volume_id}
# GET  /volumes/detail
#"volume_extension:volume_tenant_attribute": "rule:admin_or_owner"

# List or show volume with migration status attribute.
# GET  /volumes/{volume_id}
# GET  /volumes/detail
#"volume_extension:volume_mig_status_attribute": "rule:admin_api"

# Show volume's encryption metadata.
# GET  /volumes/{volume_id}/encryption
# GET  /volumes/{volume_id}/encryption/{encryption_key}
#"volume_extension:volume_encryption_metadata": "rule:admin_or_owner"

# Create multiattach capable volume.
# POST  /volumes
#"volume:multiattach": "rule:admin_or_owner"

# Set or update default volume type.
# PUT  /default-types
# Intended scope(s): system
#"volume_extension:default_set_or_update": "rule:system_or_domain_or_project_admin"

# Get default types.
# GET  /default-types/{project-id}
# Intended scope(s): system
#"volume_extension:default_get": "rule:system_or_domain_or_project_admin"

# Get all default types. WARNING: Changing this might open up too much
# information regarding cloud deployment.
# GET  /default-types/
# Intended scope(s): system
#"volume_extension:default_get_all": "role:admin and system_scope:all"

# Unset default type.
# DELETE  /default-types/{project-id}
# Intended scope(s): system
#"volume_extension:default_unset": "rule:system_or_domain_or_project_admin"