Policy configuration

Configuration

The following is an overview of all available policies in Cinder. For information on how to write a custom policy file to modify these policies, see policy.yaml in the Cinder configuration documentation.

cinder

context_is_admin
Default

role:admin

Decides what is required for the ‘is_admin:True’ check to succeed.

admin_or_owner
Default

is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s

Default rule for most non-Admin APIs.

admin_api
Default

is_admin:True or (role:admin and is_admin_project:True)

Default rule for most Admin APIs.

system_or_domain_or_project_admin
Default

(role:admin and system_scope:all) or (role:admin and domain_id:%(domain_id)s) or (role:admin and project_id:%(project_id)s)

Default rule for admins of the cloud, a domain or a project.

volume:attachment_create
Default

<empty string>

Operations
  • POST /attachments

Create attachment.

volume:attachment_update
Default

rule:admin_or_owner

Operations
  • PUT /attachments/{attachment_id}

Update attachment.

volume:attachment_delete
Default

rule:admin_or_owner

Operations
  • DELETE /attachments/{attachment_id}

Delete attachment.

volume:attachment_complete
Default

rule:admin_or_owner

Operations
  • POST /attachments/{attachment_id}/action (os-complete)

Mark a volume attachment process as completed (in-use).

volume:multiattach_bootable_volume
Default

rule:admin_or_owner

Operations
  • POST /attachments

Allow multiattach of bootable volumes.

message:get_all
Default

rule:admin_or_owner

Operations
  • GET /messages

List messages.

message:get
Default

rule:admin_or_owner

Operations
  • GET /messages/{message_id}

Show message.

message:delete
Default

rule:admin_or_owner

Operations
  • DELETE /messages/{message_id}

Delete message.

clusters:get_all
Default

rule:admin_api

Operations
  • GET /clusters

  • GET /clusters/detail

List clusters.

clusters:get
Default

rule:admin_api

Operations
  • GET /clusters/{cluster_id}

Show cluster.

clusters:update
Default

rule:admin_api

Operations
  • PUT /clusters/{cluster_id}

Update cluster.

workers:cleanup
Default

rule:admin_api

Operations
  • POST /workers/cleanup

Clean up workers.

volume:get_snapshot_metadata
Default

rule:admin_or_owner

Operations
  • GET /snapshots/{snapshot_id}/metadata

  • GET /snapshots/{snapshot_id}/metadata/{key}

Show a snapshot's metadata, or the one metadata item specified by key.

volume:update_snapshot_metadata
Default

rule:admin_or_owner

Operations
  • PUT /snapshots/{snapshot_id}/metadata

  • PUT /snapshots/{snapshot_id}/metadata/{key}

Update a snapshot's metadata, or the one metadata item specified by key.

volume:delete_snapshot_metadata
Default

rule:admin_or_owner

Operations
  • DELETE /snapshots/{snapshot_id}/metadata/{key}

Delete the snapshot metadata item specified by key.

volume:get_all_snapshots
Default

rule:admin_or_owner

Operations
  • GET /snapshots

  • GET /snapshots/detail

List snapshots.

volume_extension:extended_snapshot_attributes
Default

rule:admin_or_owner

Operations
  • GET /snapshots/{snapshot_id}

  • GET /snapshots/detail

List or show snapshots with extended attributes.

volume:create_snapshot
Default

rule:admin_or_owner

Operations
  • POST /snapshots

Create snapshot.

volume:get_snapshot
Default

rule:admin_or_owner

Operations
  • GET /snapshots/{snapshot_id}

Show snapshot.

volume:update_snapshot
Default

rule:admin_or_owner

Operations
  • PUT /snapshots/{snapshot_id}

Update snapshot.

volume:delete_snapshot
Default

rule:admin_or_owner

Operations
  • DELETE /snapshots/{snapshot_id}

Delete snapshot.

volume_extension:snapshot_admin_actions:reset_status
Default

rule:admin_api

Operations
  • POST /snapshots/{snapshot_id}/action (os-reset_status)

Reset status of a snapshot.

snapshot_extension:snapshot_actions:update_snapshot_status
Default

<empty string>

Operations
  • POST /snapshots/{snapshot_id}/action (update_snapshot_status)

Update database fields of snapshot.

volume_extension:snapshot_admin_actions:force_delete
Default

rule:admin_api

Operations
  • POST /snapshots/{snapshot_id}/action (os-force_delete)

Force delete a snapshot.

snapshot_extension:list_manageable
Default

rule:admin_api

Operations
  • GET /manageable_snapshots

  • GET /manageable_snapshots/detail

List (optionally in detail) the snapshots that are available to manage.

snapshot_extension:snapshot_manage
Default

rule:admin_api

Operations
  • POST /manageable_snapshots

Manage an existing snapshot.

snapshot_extension:snapshot_unmanage
Default

rule:admin_api

Operations
  • POST /snapshots/{snapshot_id}/action (os-unmanage)

Stop managing a snapshot.

backup:get_all
Default

rule:admin_or_owner

Operations
  • GET /backups

  • GET /backups/detail

List backups.

backup:backup_project_attribute
Default

rule:admin_api

Operations
  • GET /backups/{backup_id}

  • GET /backups/detail

List backups or show backup with project attributes.

backup:create
Default

<empty string>

Operations
  • POST /backups

Create backup.

backup:get
Default

rule:admin_or_owner

Operations
  • GET /backups/{backup_id}

Show backup.

backup:update
Default

rule:admin_or_owner

Operations
  • PUT /backups/{backup_id}

Update backup.

backup:delete
Default

rule:admin_or_owner

Operations
  • DELETE /backups/{backup_id}

Delete backup.

backup:restore
Default

rule:admin_or_owner

Operations
  • POST /backups/{backup_id}/restore

Restore backup.

backup:backup-import
Default

rule:admin_api

Operations
  • POST /backups/{backup_id}/import_record

Import backup.

backup:export-import
Default

rule:admin_api

Operations
  • POST /backups/{backup_id}/export_record

Export backup.

volume_extension:backup_admin_actions:reset_status
Default

rule:admin_api

Operations
  • POST /backups/{backup_id}/action (os-reset_status)

Reset status of a backup.

volume_extension:backup_admin_actions:force_delete
Default

rule:admin_api

Operations
  • POST /backups/{backup_id}/action (os-force_delete)

Force delete a backup.

group:get_all
Default

rule:admin_or_owner

Operations
  • GET /groups

  • GET /groups/detail

List groups.

group:create
Default

<empty string>

Operations
  • POST /groups

Create group.

group:get
Default

rule:admin_or_owner

Operations
  • GET /groups/{group_id}

Show group.

group:update
Default

rule:admin_or_owner

Operations
  • PUT /groups/{group_id}

Update group.

group:group_project_attribute
Default

rule:admin_api

Operations
  • GET /groups/{group_id}

  • GET /groups/detail

List groups or show group with project attributes.

group:group_types_manage
Default

rule:admin_api

Operations
  • POST /group_types/

  • PUT /group_types/{group_type_id}

  • DELETE /group_types/{group_type_id}

Create, update or delete a group type.

group:access_group_types_specs
Default

rule:admin_api

Operations
  • GET /group_types/{group_type_id}

Show group type with type specs attributes.

group:group_types_specs
Default

rule:admin_api

Operations
  • GET /group_types/{group_type_id}/group_specs/{g_spec_id}

  • GET /group_types/{group_type_id}/group_specs

  • POST /group_types/{group_type_id}/group_specs

  • PUT /group_types/{group_type_id}/group_specs/{g_spec_id}

  • DELETE /group_types/{group_type_id}/group_specs/{g_spec_id}

Create, show, update and delete group type spec.

group:get_all_group_snapshots
Default

rule:admin_or_owner

Operations
  • GET /group_snapshots

  • GET /group_snapshots/detail

List group snapshots.

group:create_group_snapshot
Default

<empty string>

Operations
  • POST /group_snapshots

Create group snapshot.

group:get_group_snapshot
Default

rule:admin_or_owner

Operations
  • GET /group_snapshots/{group_snapshot_id}

Show group snapshot.

group:delete_group_snapshot
Default

rule:admin_or_owner

Operations
  • DELETE /group_snapshots/{group_snapshot_id}

Delete group snapshot.

group:update_group_snapshot
Default

rule:admin_or_owner

Operations
  • PUT /group_snapshots/{group_snapshot_id}

Update group snapshot.

group:group_snapshot_project_attribute
Default

rule:admin_api

Operations
  • GET /group_snapshots/{group_snapshot_id}

  • GET /group_snapshots/detail

List group snapshots or show group snapshot with project attributes.

group:reset_group_snapshot_status
Default

rule:admin_api

Operations
  • POST /group_snapshots/{g_snapshot_id}/action (reset_status)

Reset status of group snapshot.

group:delete
Default

rule:admin_or_owner

Operations
  • POST /groups/{group_id}/action (delete)

Delete group.

group:reset_status
Default

rule:admin_api

Operations
  • POST /groups/{group_id}/action (reset_status)

Reset status of group.

group:enable_replication
Default

rule:admin_or_owner

Operations
  • POST /groups/{group_id}/action (enable_replication)

Enable replication.

group:disable_replication
Default

rule:admin_or_owner

Operations
  • POST /groups/{group_id}/action (disable_replication)

Disable replication.

group:failover_replication
Default

rule:admin_or_owner

Operations
  • POST /groups/{group_id}/action (failover_replication)

Fail over replication.

group:list_replication_targets
Default

rule:admin_or_owner

Operations
  • POST /groups/{group_id}/action (list_replication_targets)

List replication failover targets.

volume_extension:qos_specs_manage:get_all
Default

rule:admin_api

Operations
  • GET /qos-specs

  • GET /qos-specs/{qos_id}/associations

List QoS specs or list all associations.

volume_extension:qos_specs_manage:get
Default

rule:admin_api

Operations
  • GET /qos-specs/{qos_id}

Show QoS specs.

volume_extension:qos_specs_manage:create
Default

rule:admin_api

Operations
  • POST /qos-specs

Create QoS specs.

volume_extension:qos_specs_manage:update
Default

rule:admin_api

Operations
  • PUT /qos-specs/{qos_id}

  • GET /qos-specs/{qos_id}/disassociate_all

  • GET /qos-specs/{qos_id}/associate

  • GET /qos-specs/{qos_id}/disassociate

Update QoS specs (including updating associations).

volume_extension:qos_specs_manage:delete
Default

rule:admin_api

Operations
  • DELETE /qos-specs/{qos_id}

  • PUT /qos-specs/{qos_id}/delete_keys

Delete QoS specs or unset one specified QoS key.

volume_extension:quota_classes
Default

rule:admin_api

Operations
  • GET /os-quota-class-sets/{project_id}

  • PUT /os-quota-class-sets/{project_id}

Show or update project quota class.

volume_extension:quotas:show
Default

rule:admin_or_owner

Operations
  • GET /os-quota-sets/{project_id}

  • GET /os-quota-sets/{project_id}/default

  • GET /os-quota-sets/{project_id}?usage=True

Show project quota (including usage and default).

volume_extension:quotas:update
Default

rule:admin_api

Operations
  • PUT /os-quota-sets/{project_id}

Update project quota.

volume_extension:quotas:delete
Default

rule:admin_api

Operations
  • DELETE /os-quota-sets/{project_id}

Delete project quota.

volume_extension:capabilities
Default

rule:admin_api

Operations
  • GET /capabilities/{host_name}

Show backend capabilities.

volume_extension:services:index
Default

rule:admin_api

Operations
  • GET /os-services

List all services.

volume_extension:services:update
Default

rule:admin_api

Operations
  • PUT /os-services/{action}

Update service, including failover_host, thaw, freeze, disable, enable, set-log and get-log actions.

volume:freeze_host
Default

rule:admin_api

Operations
  • PUT /os-services/freeze

Freeze a backend host.

volume:thaw_host
Default

rule:admin_api

Operations
  • PUT /os-services/thaw

Thaw a backend host.

volume:failover_host
Default

rule:admin_api

Operations
  • PUT /os-services/failover_host

Fail over a backend host.

scheduler_extension:scheduler_stats:get_pools
Default

rule:admin_api

Operations
  • GET /scheduler-stats/get_pools

List all backend pools.

volume_extension:hosts
Default

rule:admin_api

Operations
  • GET /os-hosts

  • PUT /os-hosts/{host_name}

  • GET /os-hosts/{host_id}

List, update or show hosts for a project.

limits_extension:used_limits
Default

rule:admin_or_owner

Operations
  • GET /limits

Show limits with used limit attributes.

volume_extension:list_manageable
Default

rule:admin_api

Operations
  • GET /manageable_volumes

  • GET /manageable_volumes/detail

List (optionally in detail) the volumes that are available to manage.

volume_extension:volume_manage
Default

rule:admin_api

Operations
  • POST /manageable_volumes

Manage existing volumes.

volume_extension:volume_unmanage
Default

rule:admin_api

Operations
  • POST /volumes/{volume_id}/action (os-unmanage)

Stop managing a volume.

volume_extension:types_manage
Default

rule:admin_api

Operations
  • POST /types

  • PUT /types

  • DELETE /types

Create, update and delete volume type.

volume_extension:type_get
Default

<empty string>

Operations
  • GET /types/{type_id}

Get one specific volume type.

volume_extension:type_get_all
Default

<empty string>

Operations
  • GET /types/

List volume types.

volume_extension:volume_type_encryption
Default

rule:admin_api

Operations
  • POST /types/{type_id}/encryption

  • PUT /types/{type_id}/encryption/{encryption_id}

  • GET /types/{type_id}/encryption

  • GET /types/{type_id}/encryption/{key}

  • DELETE /types/{type_id}/encryption/{encryption_id}

Base policy for all volume type encryption type operations. This can be used to set the policies for a volume type’s encryption type create, show, update, and delete actions in one place, or any of those may be set individually using the following policy targets for finer grained control.

volume_extension:volume_type_encryption:create
Default

rule:volume_extension:volume_type_encryption

Operations
  • POST /types/{type_id}/encryption

Create volume type encryption.

volume_extension:volume_type_encryption:get
Default

rule:volume_extension:volume_type_encryption

Operations
  • GET /types/{type_id}/encryption

  • GET /types/{type_id}/encryption/{key}

Show a volume type's encryption type, or show one encryption specs item.

volume_extension:volume_type_encryption:update
Default

rule:volume_extension:volume_type_encryption

Operations
  • PUT /types/{type_id}/encryption/{encryption_id}

Update volume type encryption.

volume_extension:volume_type_encryption:delete
Default

rule:volume_extension:volume_type_encryption

Operations
  • DELETE /types/{type_id}/encryption/{encryption_id}

Delete volume type encryption.

volume_extension:access_types_extra_specs
Default

rule:admin_api

Operations
  • GET /types/{type_id}

  • GET /types

List or show volume type with access type extra specs attribute.

volume_extension:access_types_qos_specs_id
Default

rule:admin_api

Operations
  • GET /types/{type_id}

  • GET /types

List or show volume type with access type qos specs id attribute.

volume_extension:volume_type_access
Default

rule:admin_or_owner

Operations
  • GET /types

  • GET /types/detail

  • GET /types/{type_id}

  • POST /types

Volume type access related APIs.

volume_extension:volume_type_access:addProjectAccess
Default

rule:admin_api

Operations
  • POST /types/{type_id}/action (addProjectAccess)

Add volume type access for project.

volume_extension:volume_type_access:removeProjectAccess
Default

rule:admin_api

Operations
  • POST /types/{type_id}/action (removeProjectAccess)

Remove volume type access for project.

volume:extend
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-extend)

Extend a volume.

volume:extend_attached_volume
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-extend)

Extend an attached volume.

volume:revert_to_snapshot
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (revert)

Revert a volume to a snapshot.

volume_extension:volume_admin_actions:reset_status
Default

rule:admin_api

Operations
  • POST /volumes/{volume_id}/action (os-reset_status)

Reset status of a volume.

volume:retype
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-retype)

Retype a volume.

volume:update_readonly_flag
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-update_readonly_flag)

Update a volume’s readonly flag.

volume_extension:volume_admin_actions:force_delete
Default

rule:admin_api

Operations
  • POST /volumes/{volume_id}/action (os-force_delete)

Force delete a volume.

volume_extension:volume_actions:upload_public
Default

rule:admin_api

Operations
  • POST /volumes/{volume_id}/action (os-volume_upload_image)

Upload a volume to image with public visibility.

volume_extension:volume_actions:upload_image
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-volume_upload_image)

Upload a volume to image.

volume_extension:volume_admin_actions:force_detach
Default

rule:admin_api

Operations
  • POST /volumes/{volume_id}/action (os-force_detach)

Force detach a volume.

volume_extension:volume_admin_actions:migrate_volume
Default

rule:admin_api

Operations
  • POST /volumes/{volume_id}/action (os-migrate_volume)

Migrate a volume to a specified host.

volume_extension:volume_admin_actions:migrate_volume_completion
Default

rule:admin_api

Operations
  • POST /volumes/{volume_id}/action (os-migrate_volume_completion)

Complete a volume migration.

volume_extension:volume_actions:initialize_connection
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-initialize_connection)

Initialize volume attachment.

volume_extension:volume_actions:terminate_connection
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-terminate_connection)

Terminate volume attachment.

volume_extension:volume_actions:roll_detaching
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-roll_detaching)

Roll back volume status to ‘in-use’.

volume_extension:volume_actions:reserve
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-reserve)

Mark volume as reserved.

volume_extension:volume_actions:unreserve
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-unreserve)

Unmark volume as reserved.

volume_extension:volume_actions:begin_detaching
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-begin_detaching)

Begin detaching a volume.

volume_extension:volume_actions:attach
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-attach)

Add attachment metadata.

volume_extension:volume_actions:detach
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/action (os-detach)

Clear attachment metadata.

volume:get_all_transfers
Default

rule:admin_or_owner

Operations
  • GET /os-volume-transfer

  • GET /os-volume-transfer/detail

  • GET /volume_transfers

  • GET /volume-transfers/detail

List volume transfers.

volume:create_transfer
Default

rule:admin_or_owner

Operations
  • POST /os-volume-transfer

  • POST /volume_transfers

Create a volume transfer.

volume:get_transfer
Default

rule:admin_or_owner

Operations
  • GET /os-volume-transfer/{transfer_id}

  • GET /volume-transfers/{transfer_id}

Show one specified volume transfer.

volume:accept_transfer
Default

<empty string>

Operations
  • POST /os-volume-transfer/{transfer_id}/accept

  • POST /volume-transfers/{transfer_id}/accept

Accept a volume transfer.

volume:delete_transfer
Default

rule:admin_or_owner

Operations
  • DELETE /os-volume-transfer/{transfer_id}

  • DELETE /volume-transfers/{transfer_id}

Delete volume transfer.

volume:get_volume_metadata
Default

rule:admin_or_owner

Operations
  • GET /volumes/{volume_id}/metadata

  • GET /volumes/{volume_id}/metadata/{key}

Show a volume's metadata, or the one metadata item specified by key.

volume:create_volume_metadata
Default

rule:admin_or_owner

Operations
  • POST /volumes/{volume_id}/metadata

Create volume metadata.

volume:update_volume_metadata
Default

rule:admin_or_owner

Operations
  • PUT /volumes/{volume_id}/metadata

  • PUT /volumes/{volume_id}/metadata/{key}

Update a volume's metadata, or the one metadata item specified by key.

volume:delete_volume_metadata
Default

rule:admin_or_owner

Operations
  • DELETE /volumes/{volume_id}/metadata/{key}

Delete the volume metadata item specified by key.

volume_extension:volume_image_metadata
Default

rule:admin_or_owner

Operations
  • GET /volumes/detail

  • GET /volumes/{volume_id}

  • POST /volumes/{volume_id}/action (os-set_image_metadata)

  • POST /volumes/{volume_id}/action (os-unset_image_metadata)

Volume image metadata related operations: create, delete, show and list.

volume:update_volume_admin_metadata
Default

rule:admin_api

Operations
  • POST /volumes/{volume_id}/action (os-update_readonly_flag)

  • POST /volumes/{volume_id}/action (os-attach)

Update volume admin metadata. It is used by the os-attach and os-update_readonly_flag APIs.

volume_extension:types_extra_specs:index
Default

rule:admin_api

Operations
  • GET /types/{type_id}/extra_specs

List type extra specs.

volume_extension:types_extra_specs:create
Default

rule:admin_api

Operations
  • POST /types/{type_id}/extra_specs

Create type extra specs.

volume_extension:types_extra_specs:show
Default

rule:admin_api

Operations
  • GET /types/{type_id}/extra_specs/{extra_spec_key}

Show one specified type extra spec.

volume_extension:types_extra_specs:update
Default

rule:admin_api

Operations
  • PUT /types/{type_id}/extra_specs/{extra_spec_key}

Update type extra specs.

volume_extension:types_extra_specs:delete
Default

rule:admin_api

Operations
  • DELETE /types/{type_id}/extra_specs/{extra_spec_key}

Delete type extra specs.

volume:create
Default

<empty string>

Operations
  • POST /volumes

Create volume.

volume:create_from_image
Default

<empty string>

Operations
  • POST /volumes

Create volume from image.

volume:get
Default

rule:admin_or_owner

Operations
  • GET /volumes/{volume_id}

Show volume.

volume:get_all
Default

rule:admin_or_owner

Operations
  • GET /volumes

  • GET /volumes/detail

  • GET /volumes/summary

List volumes or get summary of volumes.

volume:update
Default

rule:admin_or_owner

Operations
  • PUT /volumes

  • POST /volumes/{volume_id}/action (os-set_bootable)

Update volume or update a volume’s bootable status.

volume:delete
Default

rule:admin_or_owner

Operations
  • DELETE /volumes/{volume_id}

Delete volume.

volume:force_delete
Default

rule:admin_api

Operations
  • DELETE /volumes/{volume_id}

Force delete a volume.

volume_extension:volume_host_attribute
Default

rule:admin_api

Operations
  • GET /volumes/{volume_id}

  • GET /volumes/detail

List or show volume with host attribute.

volume_extension:volume_tenant_attribute
Default

rule:admin_or_owner

Operations
  • GET /volumes/{volume_id}

  • GET /volumes/detail

List or show volume with tenant attribute.

volume_extension:volume_mig_status_attribute
Default

rule:admin_api

Operations
  • GET /volumes/{volume_id}

  • GET /volumes/detail

List or show volume with migration status attribute.

volume_extension:volume_encryption_metadata
Default

rule:admin_or_owner

Operations
  • GET /volumes/{volume_id}/encryption

  • GET /volumes/{volume_id}/encryption/{encryption_key}

Show volume’s encryption metadata.

volume:multiattach
Default

rule:admin_or_owner

Operations
  • POST /volumes

Create multiattach capable volume.

volume_extension:default_set_or_update
Default

rule:system_or_domain_or_project_admin

Operations
  • PUT /default-types

Scope Types
  • system

Set or update default volume type.

volume_extension:default_get
Default

rule:system_or_domain_or_project_admin

Operations
  • GET /default-types/{project-id}

Scope Types
  • system

Get default types.

volume_extension:default_get_all
Default

role:admin and system_scope:all

Operations
  • GET /default-types/

Scope Types
  • system

Get all default types. WARNING: Relaxing this policy may expose too much information about the cloud deployment.

volume_extension:default_unset
Default

rule:system_or_domain_or_project_admin

Operations
  • DELETE /default-types/{project-id}

Scope Types
  • system

Unset default type.