Cyborg Policies

The following is an overview of all available policies in Cyborg.

Warning

The JSON-formatted policy file has been deprecated since Cyborg (Victoria). Use a YAML-formatted file instead. The oslopolicy-convert-json-to-yaml tool converts an existing JSON policy file to YAML in a backward-compatible way.

For a sample configuration file, refer to Cyborg Sample Policy.

cyborg.api

system_admin_api
Default:

role:admin and system_scope:all

Default rule for System Admin APIs.

system_reader_api
Default:

role:reader and system_scope:all

Default rule for System level read only APIs.

project_admin_api
Default:

role:admin and project_id:%(project_id)s

Default rule for Project level admin APIs.

project_member_api
Default:

role:member and project_id:%(project_id)s

Default rule for Project level non admin APIs.

project_reader_api
Default:

role:reader and project_id:%(project_id)s

Default rule for Project level read only APIs.

system_admin_or_owner
Default:

rule:system_admin_api or rule:project_member_api

Default rule for system_admin+owner APIs.

system_or_project_reader
Default:

rule:system_reader_api or rule:project_reader_api

Default rule for System+Project read only APIs.

public_api
Default:

is_public_api:True

Legacy rule: internal flag for public API routes

allow
Default:

@

Legacy rule: any access will be passed

deny
Default:

!

Legacy rule: all access will be forbidden

default
Default:

rule:admin_or_owner

Legacy rule for default rule

admin_api
Default:

role:admin or role:administrator

Legacy rule for cloud admin access

is_admin
Default:

rule:admin_api

Full read/write API access

admin_or_owner
Default:

is_admin:True or project_id:%(project_id)s

Admin or owner API access

admin_or_user
Default:

is_admin:True or user_id:%(user_id)s

Admin or user API access

cyborg:device_profile:get_all
Default:

rule:system_or_project_reader

Operations:
  • GET /v2/device_profiles

Scope Types:
  • system
  • project

Retrieve all device_profiles

cyborg:device_profile:get_one
Default:

rule:system_or_project_reader

Operations:
  • GET /v2/device_profiles/{device_profiles_uuid}

Scope Types:
  • system
  • project

Retrieve a specific device_profile

cyborg:device_profile:create
Default:

rule:system_admin_api

Operations:
  • POST /v2/device_profiles

Scope Types:
  • system

Create a device_profile

cyborg:device_profile:delete
Default:

rule:system_admin_api

Operations:
  • DELETE /v2/device_profiles/{device_profiles_uuid}
  • DELETE /v2/device_profiles?value={device_profile_name1}

Scope Types:
  • system

Delete device_profile(s)

cyborg:device:get_one
Default:

rule:allow

Show device detail

cyborg:device:get_all
Default:

rule:allow

Retrieve all device records

cyborg:device:disable
Default:

rule:admin_api

Disable a device

cyborg:device:enable
Default:

rule:admin_api

Enable a device

cyborg:deployable:get_one
Default:

rule:allow

Show deployable detail

cyborg:deployable:get_all
Default:

rule:allow

Retrieve all deployable records

cyborg:deployable:program
Default:

rule:allow

FPGA programming.

cyborg:attribute:get_one
Default:

rule:allow

Show attribute detail

cyborg:attribute:get_all
Default:

rule:allow

Retrieve all attribute records

cyborg:attribute:create
Default:

rule:allow

Create an attribute record

cyborg:attribute:delete
Default:

rule:allow

Delete attribute records.

cyborg:arq:get_all
Default:

rule:default

Retrieve accelerator request records.

cyborg:arq:get_one
Default:

rule:default

Get an accelerator request record.

cyborg:arq:create
Default:

rule:allow

Create accelerator request records.

cyborg:arq:delete
Default:

rule:default

Delete accelerator request records.

cyborg:arq:update
Default:

rule:default

Update accelerator request records.

cyborg:fpga:get_one
Default:

rule:allow

Show fpga detail

cyborg:fpga:get_all
Default:

rule:allow

Retrieve all fpga records

cyborg:fpga:update
Default:

rule:allow

Update fpga records
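
Added example (not part of the Cyborg documentation or code): the script below copies a subset of the defaults listed on this page and resolves their rule: references to report which API policies reduce to the always-pass check @. It handles only the and/or forms these defaults use; classify, open_policies and DEFAULTS are names chosen for this example.

```python
# Added example: classify policy defaults copied from this page.
# Supports "and"/"or" of simple checks only (no "not", no parentheses).
DEFAULTS = {  # subset of the defaults listed above, copied verbatim
    "allow": "@",
    "deny": "!",
    "admin_api": "role:admin or role:administrator",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
    "system_admin_api": "role:admin and system_scope:all",
    "cyborg:device_profile:create": "rule:system_admin_api",
    "cyborg:device:disable": "rule:admin_api",
    "cyborg:deployable:program": "rule:allow",
    "cyborg:attribute:create": "rule:allow",
    "cyborg:attribute:delete": "rule:allow",
    "cyborg:arq:create": "rule:allow",
    "cyborg:arq:delete": "rule:default",
    "cyborg:fpga:update": "rule:allow",
}
ALWAYS, NEVER, CONDITIONAL = "always", "never", "conditional"

def classify(expr, rules, seen=()):
    """Return ALWAYS, NEVER or CONDITIONAL for a check string."""
    def atom(check):
        if check == "@":
            return ALWAYS
        if check == "!":
            return NEVER
        if not check.startswith("rule:"):
            return CONDITIONAL  # role:, project_id:, ... depend on the caller
        name = check[len("rule:"):]
        if name in seen:
            raise ValueError(f"cyclic rule reference: {name}")
        if name not in rules:
            return NEVER  # undefined rule: treated as deny in this example
        return classify(rules[name], rules, seen + (name,))

    def combine(parts, absorbing, identity):
        if absorbing in parts:
            return absorbing
        return identity if all(p == identity for p in parts) else CONDITIONAL

    # "and" binds tighter than "or": fold each and-group, then the or-list.
    terms = [combine([atom(c.strip()) for c in term.split(" and ")], NEVER, ALWAYS)
             for term in expr.split(" or ")]
    return combine(terms, ALWAYS, NEVER)

def open_policies(rules):
    """Names of cyborg:* policies whose check passes for every caller."""
    return sorted(n for n, e in rules.items()
                  if n.startswith("cyborg:") and classify(e, rules) == ALWAYS)
```

Loading a deployment's own policy file into the same mapping shows whether local overrides have narrowed these defaults.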