Nova PolicyΒΆ

The following is a sample nova policy file, autogenerated from nova when this documentation is built. To prevent conflicts, ensure your version of nova aligns with the version of this documentation.

The sample policy can also be viewed in file form.

# Reset the state of a given server
# POST /servers/{server_id}/action (os-resetState)
#"os_compute_api:os-admin-actions:reset_state": "rule:admin_api"

# Inject network information into the server
# POST /servers/{server_id}/action (injectNetworkInfo)
#"os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api"

# Reset networking on a server
# POST /servers/{server_id}/action (resetNetwork)
#"os_compute_api:os-admin-actions:reset_network": "rule:admin_api"

# Change the administrative password for a server
# POST /servers/{server_id}/action (changePassword)
#"os_compute_api:os-admin-password": "rule:admin_or_owner"

# Create, list, update, and delete guest agent builds
#
# This is XenAPI driver specific. It is used to force the upgrade of
# the
# XenAPI guest agent on instance boot.
#
# GET /os-agents
# POST /os-agents
# PUT /os-agents/{agent_build_id}
# DELETE /os-agents/{agent_build_id}
#"os_compute_api:os-agents": "rule:admin_api"

# Create or replace metadata for an aggregate
# POST /os-aggregates/{aggregate_id}/action (set_metadata)
#"os_compute_api:os-aggregates:set_metadata": "rule:admin_api"

# Add a host to an aggregate.
# POST /os-aggregates/{aggregate_id}/action (add_host)
#"os_compute_api:os-aggregates:add_host": "rule:admin_api"

# Create an aggregate
# POST /os-aggregates
#"os_compute_api:os-aggregates:create": "rule:admin_api"

# Remove a host from an aggregate
# POST /os-aggregates/{aggregate_id}/action (remove_host)
#"os_compute_api:os-aggregates:remove_host": "rule:admin_api"

# Update name and/or availability zone for an aggregate
# PUT /os-aggregates/{aggregate_id}
#"os_compute_api:os-aggregates:update": "rule:admin_api"

# List all aggregates
# GET /os-aggregates
#"os_compute_api:os-aggregates:index": "rule:admin_api"

# Delete an aggregate
# DELETE /os-aggregates/{aggregate_id}
#"os_compute_api:os-aggregates:delete": "rule:admin_api"

# Show details for an aggregate.
# GET /os-aggregates/{aggregate_id}
#"os_compute_api:os-aggregates:show": "rule:admin_api"

# Create an assisted volume snapshot
# POST /os-assisted-volume-snapshots
#"os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api"

# Delete an assisted volume snapshot
# DELETE /os-assisted-volume-snapshots/{snapshot_id}
#"os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api"

# List port interfaces or show details of a port interface attached to
# a server
# GET /servers/{server_id}/os-interface
# GET /servers/{server_id}/os-interface/{port_id}
#"os_compute_api:os-attach-interfaces": "rule:admin_or_owner"

# Attach an interface to a server
# POST /servers/{server_id}/os-interface
#"os_compute_api:os-attach-interfaces:create": "rule:admin_or_owner"

# Detach an interface from a server
# DELETE /servers/{server_id}/os-interface/{port_id}
#"os_compute_api:os-attach-interfaces:delete": "rule:admin_or_owner"

# Lists availability zone information without host information
# GET os-availability-zone
#"os_compute_api:os-availability-zone:list": "rule:admin_or_owner"

# Lists detailed availability zone information with host information
# GET /os-availability-zone/detail
#"os_compute_api:os-availability-zone:detail": "rule:admin_api"

# List and show details of bare metal nodes.
#
# These APIs are proxy calls to the Ironic service and are deprecated.
#
# GET /os-baremetal-nodes
# GET /os-baremetal-nodes/{node_id}
#"os_compute_api:os-baremetal-nodes": "rule:admin_api"

#
#"context_is_admin": "role:admin"

#
#"admin_or_owner": "is_admin:True or project_id:%(project_id)s"

#
#"admin_api": "is_admin:True"

#
#"network:attach_external_network": "is_admin:True"

# Update an existing cell
# PUT /os-cells/{cell_id}
#"os_compute_api:os-cells:update": "rule:admin_api"

# Create a new cell
# POST /os-cells
#"os_compute_api:os-cells:create": "rule:admin_api"

# List and get detailed info of a given cell or all cells
# GET /os-cells
# GET /os-cells/detail
# GET /os-cells/info
# GET /os-cells/capacities
# GET /os-cells/{cell_id}
#"os_compute_api:os-cells": "rule:admin_api"

# Sync instances info in all cells
# POST /os-cells/sync_instances
#"os_compute_api:os-cells:sync_instances": "rule:admin_api"

# Remove a cell
# DELETE /os-cells/{cell_id}
#"os_compute_api:os-cells:delete": "rule:admin_api"

# Different cell filter to route a build away from a particular cell
#
# This policy is read by nova-scheduler process.
#
#"cells_scheduler_filter:DifferentCellFilter": "is_admin:True"

# Target cell filter to route a build to a particular cell
#
# This policy is read by nova-scheduler process.
#
#"cells_scheduler_filter:TargetCellFilter": "is_admin:True"

# Add 'config_drive' attribute in the server response.
# GET /servers/{id}
# GET /servers/detail
#"os_compute_api:os-config-drive": "rule:admin_or_owner"

# Show console connection information for a given console
# authentication token
# GET /os-console-auth-tokens/{console_token}
#"os_compute_api:os-console-auth-tokens": "rule:admin_api"

# Show console output for a server
# POST /servers/{server_id}/action (os-getConsoleOutput)
#"os_compute_api:os-console-output": "rule:admin_or_owner"

# Create a console for a server instance
# POST /servers/{server_id}/consoles
#"os_compute_api:os-consoles:create": "rule:admin_or_owner"

# Show console details for a server instance
# GET /servers/{server_id}/consoles/{console_id}
#"os_compute_api:os-consoles:show": "rule:admin_or_owner"

# Delete a console for a server instance
# DELETE /servers/{server_id}/consoles/{console_id}
#"os_compute_api:os-consoles:delete": "rule:admin_or_owner"

# List all consoles for a server instance
# GET /servers/{server_id}/consoles
#"os_compute_api:os-consoles:index": "rule:admin_or_owner"

# Create a back up of a server
# POST /servers/{server_id}/action (createBackup)
#"os_compute_api:os-create-backup": "rule:admin_or_owner"

# Restore a soft deleted server or force delete a server before
# deferred cleanup
# POST /servers/{server_id}/action (restore)
# POST /servers/{server_id}/action (forceDelete)
#"os_compute_api:os-deferred-delete": "rule:admin_or_owner"

# Evacuate a server from a failed host to a new host
# POST /servers/{server_id}/action (evacuate)
#"os_compute_api:os-evacuate": "rule:admin_api"

# Add `OS-EXT-AZ:availability_zone` into the server response.
# GET /servers/{id}
# GET /servers/detail
#"os_compute_api:os-extended-availability-zone": "rule:admin_or_owner"

# Return extended attributes for server.
#
# This rule will control the visibility for a set of servers
# attributes:
#     OS-EXT-SRV-ATTR:host
#     OS-EXT-SRV-ATTR:instance_name
#     OS-EXT-SRV-ATTR:reservation_id (since microversion 2.3)
#     OS-EXT-SRV-ATTR:launch_index (since microversion 2.3)
#     OS-EXT-SRV-ATTR:hostname (since microversion 2.3)
#     OS-EXT-SRV-ATTR:kernel_id (since microversion 2.3)
#     OS-EXT-SRV-ATTR:ramdisk_id (since microversion 2.3)
#     OS-EXT-SRV-ATTR:root_device_name (since microversion 2.3)
#     OS-EXT-SRV-ATTR:user_data (since microversion 2.3)
# GET /servers/{id}
# GET /servers/detail
#"os_compute_api:os-extended-server-attributes": "rule:admin_api"

# Return extended status in the response of server.
#
# This policy will control the visibility for a set of attributes:
#     OS-EXT-STS:task_state
#     OS-EXT-STS:vm_state
#     OS-EXT-STS:power_state
#
# GET /servers/{id}
# GET /servers/detail
#"os_compute_api:os-extended-status": "rule:admin_or_owner"

# Return 'os-extended-volumes:volumes_attached' in the response of
# server.
# GET /servers/{id}
# GET /servers/detail
#"os_compute_api:os-extended-volumes": "rule:admin_or_owner"

# Lists available extensions and shows information for an extension by
# alias.
# GET /extensions
# GET /extensions/{alias}
#"os_compute_api:extensions": "rule:admin_or_owner"

#
#"os_compute_api:os-fixed-ips": "rule:admin_api"

# Add flavor access to a tenant
# POST /flavors/{flavor_id}/action (addTenantAccess)
#"os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api"

# Remove flavor access from a tenant
# POST /flavors/{flavor_id}/action (removeTenantAccess)
#"os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api"

# Allow the listing of flavor access information
#
# Adds the os-flavor-access:is_public key into several flavor APIs.
#
# It also allows access to the full list of tenants that have access
# to a flavor via an os-flavor-access API.
#
# GET /flavors/{flavor_id}/os-flavor-access
# GET /flavors/detail
# GET /flavors/{flavor_id}
# POST /flavors
#"os_compute_api:os-flavor-access": "rule:admin_or_owner"

# Show an extra spec for a flavor
# GET /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
#"os_compute_api:os-flavor-extra-specs:show": "rule:admin_or_owner"

# Create extra specs for a flavor
# POST /flavors/{flavor_id}/os-extra_specs/
#"os_compute_api:os-flavor-extra-specs:create": "rule:admin_api"

# Update an extra spec for a flavor
# PUT /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
#"os_compute_api:os-flavor-extra-specs:update": "rule:admin_api"

# Delete an extra spec for a flavor
# DELETE /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
#"os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api"

# List extra specs for a flavor
# GET /flavors/{flavor_id}/os-extra_specs/
#"os_compute_api:os-flavor-extra-specs:index": "rule:admin_or_owner"

# Create and delete Flavors
# POST /flavors
# DELETE /flavors/{flavor_id}
#"os_compute_api:os-flavor-manage": "rule:admin_api"

# Adds the rxtx_factor key into some Flavor APIs
# GET /flavors/detail
# GET /flavors/{flavor_id}
# POST /flavors
#"os_compute_api:os-flavor-rxtx": "rule:admin_or_owner"

#
#"os_compute_api:flavors": "rule:admin_or_owner"

# List registered DNS domains, and CRUD actions on domain names.
#
# Note this only works with nova-network and this API is deprecated.
# GET /os-floating-ip-dns
# GET /os-floating-ip-dns/{domain}/entries/{ip}
# GET /os-floating-ip-dns/{domain}/entries/{name}
# PUT /os-floating-ip-dns/{domain}/entries/{name}
# DELETE /os-floating-ip-dns/{domain}/entries/{name}
#"os_compute_api:os-floating-ip-dns": "rule:admin_or_owner"

# Create or update a DNS domain.
# PUT /os-floating-ip-dns/{domain}
#"os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api"

# Delete a DNS domain.
# DELETE /os-floating-ip-dns/{domain}
#"os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api"

# List floating IP pools. This API is deprecated.
# GET /os-floating-ip-pools
#"os_compute_api:os-floating-ip-pools": "rule:admin_or_owner"

# Manage a project's floating IPs. These APIs are all deprecated.
# POST /servers/{server_id}/action (addFloatingIp)
# POST /servers/{server_id}/action (removeFloatingIp)
# GET /os-floating-ips
# POST /os-floating-ips
# GET /os-floating-ips/{floating_ip_id}
# DELETE /os-floating-ips/{floating_ip_id}
#"os_compute_api:os-floating-ips": "rule:admin_or_owner"

# Bulk-create, delete, and list floating IPs. API is deprecated.
# GET /os-floating-ips-bulk
# POST /os-floating-ips-bulk
# PUT /os-floating-ips-bulk/delete
# GET /os-floating-ips-bulk/{host_name}
#"os_compute_api:os-floating-ips-bulk": "rule:admin_api"

# Pings instances for all projects and reports which instances
# are alive.
#
# os-fping API is deprecated as this works only with nova-network
# which itself is deprecated.
# GET /os-fping?all_tenants=true
#"os_compute_api:os-fping:all_tenants": "rule:admin_api"

# Pings instances, particular instance and reports which instances
# are alive.
#
# os-fping API is deprecated as this works only with nova-network
# which itself is deprecated.
# GET /os-fping
# GET /os-fping/{instance_id}
#"os_compute_api:os-fping": "rule:admin_or_owner"

#
#"os_compute_api:os-hide-server-addresses": "is_admin:False"

#
#"os_compute_api:os-hosts": "rule:admin_api"

# Policy rule for hypervisor related APIs.
#
# This rule will be checked for the following APIs:
#
# List all hypervisors, list all hypervisors with details, show
# summary statistics for all hypervisors over all compute nodes,
# show details for a hypervisor, show the uptime of a hypervisor,
# search hypervisor by hypervisor_hostname pattern and list all
# servers on hypervisors that can match the provided
# hypervisor_hostname
# pattern.
# GET /os-hypervisors
# GET /os-hypervisors/details
# GET /os-hypervisors/statistics
# GET /os-hypervisors/{hypervisor_id}
# GET /os-hypervisors/{hypervisor_id}/uptime
# GET /os-hypervisors/{hypervisor_hostname_pattern}/search
# GET /os-hypervisors/{hypervisor_hostname_pattern}/servers
#"os_compute_api:os-hypervisors": "rule:admin_api"

# Add 'OS-EXT-IMG-SIZE:size' attribute in the image response.
# GET /images/{id}
# GET /images/detail
#"os_compute_api:image-size": "rule:admin_or_owner"

# Add events details in action details for a server.
#
# This check is performed only after the check
# os_compute_api:os-instance-actions passes
# GET /servers/{server_id}/os-instance-actions/{request_id}
#"os_compute_api:os-instance-actions:events": "rule:admin_api"

# List actions and show action details for a server.
# GET /servers/{server_id}/os-instance-actions
# GET /servers/{server_id}/os-instance-actions/{request_id}
#"os_compute_api:os-instance-actions": "rule:admin_or_owner"

# Lists all usage audits and that occurred before a specified time
# for all servers on all compute hosts where usage auditing is
# configured.
# GET /os-instance_usage_audit_log
# GET /os-instance_usage_audit_log/{before_timestamp}
#"os_compute_api:os-instance-usage-audit-log": "rule:admin_api"

# Shows IP addresses details for a network label of a server.
# GET /servers/{server_id}/ips/{network_label}
#"os_compute_api:ips:show": "rule:admin_or_owner"

# Lists IP addresses that are assigned to a server.
# GET /servers/{server_id}/ips
#"os_compute_api:ips:index": "rule:admin_or_owner"

# List all keypairs
# GET /os-keypairs
#"os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s"

# Create a keypair
# POST /os-keypairs
#"os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s"

# Delete a keypair
# DELETE /os-keypairs/{keypair_name}
#"os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s"

# Show details of a keypair
# GET /os-keypairs/{keypair_name}
#"os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s"

# Return 'key_name' in the response of server.
# GET /servers/{id}
# GET /servers/detail
#"os_compute_api:os-keypairs": "rule:admin_or_owner"

#
#"os_compute_api:limits": "rule:admin_or_owner"

# Lock a server
# POST /servers/{server_id}/action (lock)
#"os_compute_api:os-lock-server:lock": "rule:admin_or_owner"

# Unlock a server
# POST /servers/{server_id}/action (unlock)
#"os_compute_api:os-lock-server:unlock": "rule:admin_or_owner"

# Unlock a server, regardless who locked the server.
#
#         This check is performed only after the check
#         os_compute_api:os-lock-server:unlock passes
# POST /servers/{server_id}/action (unlock)
#"os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api"

# Cold migrate a server to a host
# POST /servers/{server_id}/action (migrate)
#"os_compute_api:os-migrate-server:migrate": "rule:admin_api"

# Live migrate a server to a new host without a reboot
# POST /servers/{server_id}/action (os-migrateLive)
#"os_compute_api:os-migrate-server:migrate_live": "rule:admin_api"

# List migrations
# GET /os-migrations
#"os_compute_api:os-migrations:index": "rule:admin_api"

#
#"os_compute_api:os-multinic": "rule:admin_or_owner"

#
#"os_compute_api:os-networks": "rule:admin_api"

#
#"os_compute_api:os-networks:view": "rule:admin_or_owner"

#
#"os_compute_api:os-networks-associate": "rule:admin_api"

# Pause a server.
# POST /servers/{server_id}/action (pause)
#"os_compute_api:os-pause-server:pause": "rule:admin_or_owner"

# Unpause a paused server.
# POST /servers/{server_id}/action (unpause)
#"os_compute_api:os-pause-server:unpause": "rule:admin_or_owner"

# List quotas for specific quota classs
# GET /os-quota-class-sets/{quota_class}
#"os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s"

# Update quotas for specific quota class
# PUT /os-quota-class-sets/{quota_class}
#"os_compute_api:os-quota-class-sets:update": "rule:admin_api"

# Update the quotas
# PUT /os-quota-sets/{tenant_id}
#"os_compute_api:os-quota-sets:update": "rule:admin_api"

# List default quotas
# GET /os-quota-sets/{tenant_id}/defaults
#"os_compute_api:os-quota-sets:defaults": "@"

# Show a quota
# GET /os-quota-sets/{tenant_id}
#"os_compute_api:os-quota-sets:show": "rule:admin_or_owner"

# Revert quotas to defaults
# DELETE /os-quota-sets/{tenant_id}
#"os_compute_api:os-quota-sets:delete": "rule:admin_api"

# Show the detail of quota
# GET /os-quota-sets/{tenant_id}/detail
#"os_compute_api:os-quota-sets:detail": "rule:admin_api"

# Generates a URL to access remove server console
# POST /servers/{server_id}/action (os-getRDPConsole)
# POST /servers/{server_id}/action (os-getSerialConsole)
# POST /servers/{server_id}/action (os-getSPICEConsole)
# POST /servers/{server_id}/action (os-getVNCConsole)
# POST /servers/{server_id}/remote-consoles
#"os_compute_api:os-remote-consoles": "rule:admin_or_owner"

# Rescue/unrescue a server
# POST /servers/{server_id}/action (rescue)
# POST /servers/{server_id}/action (unrescue)
#"os_compute_api:os-rescue": "rule:admin_or_owner"

# Lists, shows information for, creates and deletes default security
# group rules.
#
# These API's are only available with nova-network which is now
# deprecated.
# GET /os-security-group-default-rules
# GET /os-security-group-default-
# rules/{security_group_default_rule_id}
# POST /os-security-group-default-rules
# DELETE /os-security-group-default-
# rules/{security_group_default_rule_id}
#"os_compute_api:os-security-group-default-rules": "rule:admin_api"

# This policy checks permission on security groups related APIs.
#
# APIs which are directly related to security groups resource are
# deprecated:
# Lists, shows information for, creates, updates and deletes
# security groups. Creates and deletes security group rules. All these
# API's are deprecated.
#
# APIs which are related to server resource are not deprecated:
# Lists Security Groups for a server. Add Security Group to a server
# and remove security group from a server. Expand security_groups in
# server representation
# GET /os-security-groups
# GET /os-security-groups/{security_group_id}
# POST /os-security-groups
# PUT /os-security-groups/{security_group_id}
# DELETE /os-security-groups/{security_group_id}
# GET /servers/{server_id}/os-security-groups
# POST /servers/{server_id}/action (addSecurityGroup)
# POST /servers/{server_id}/action (removeSecurityGroup)
# POST /servers
# GET /servers/{server_id}
# GET /servers/detail
#"os_compute_api:os-security-groups": "rule:admin_or_owner"

# Shows the usage data for a server
# GET /servers/{server_id}/diagnostics
#"os_compute_api:os-server-diagnostics": "rule:admin_api"

# Creates one or more external events
# POST /os-server-external-events
#"os_compute_api:os-server-external-events:create": "rule:admin_api"

#
#"os_compute_api:os-server-groups": "rule:admin_or_owner"

# Create a new server group
# POST /os-server-groups
#"os_compute_api:os-server-groups:create": "rule:os_compute_api:os-server-groups"

# Delete a server group
# DELETE /os-server-groups/{server_group_id}
#"os_compute_api:os-server-groups:delete": "rule:os_compute_api:os-server-groups"

# List all server groups
# GET /os-server-groups
#"os_compute_api:os-server-groups:index": "rule:os_compute_api:os-server-groups"

# Show details of a server group
# GET /os-server-groups/{server_group_id}
#"os_compute_api:os-server-groups:show": "rule:os_compute_api:os-server-groups"

# List all metadata of a server
# GET /servers/server_id/metadata
#"os_compute_api:server-metadata:index": "rule:admin_or_owner"

# Show metadata for a server
# GET /servers/server_id/metadata/{key}
#"os_compute_api:server-metadata:show": "rule:admin_or_owner"

# Create metadata for a server
# POST /servers/server_id/metadata
#"os_compute_api:server-metadata:create": "rule:admin_or_owner"

# Replace metadata for a server
# PUT /servers/server_id/metadata
#"os_compute_api:server-metadata:update_all": "rule:admin_or_owner"

# Update metadata from a server
# PUT /servers/server_id/metadata/{key}
#"os_compute_api:server-metadata:update": "rule:admin_or_owner"

# Delete metadata from a server
# DELETE /servers/server_id/metadata/{key}
#"os_compute_api:server-metadata:delete": "rule:admin_or_owner"

# Show and clear the encrypted administrative password of a server
# GET /servers/{server_id}/os-server-password
# DELETE /servers/{server_id}/os-server-password
#"os_compute_api:os-server-password": "rule:admin_or_owner"

# Delete all the server tags
# DELETE /servers/{server_id}/tags
#"os_compute_api:os-server-tags:delete_all": "rule:admin_or_owner"

# List all tags for given server
# GET /servers/{server_id}/tags
#"os_compute_api:os-server-tags:index": "rule:admin_or_owner"

# Replace all tags on specified server with the new set of tags.
# PUT /servers/{server_id}/tags
#"os_compute_api:os-server-tags:update_all": "rule:admin_or_owner"

# Delete a single tag from the specified server
# DELETE /servers/{server_id}/tags/{tag}
#"os_compute_api:os-server-tags:delete": "rule:admin_or_owner"

# Add a single tag to the server if server has no specified tag
# PUT /servers/{server_id}/tags/{tag}
#"os_compute_api:os-server-tags:update": "rule:admin_or_owner"

# Check tag existence on the server.
# GET /servers/{server_id}/tags/{tag}
#"os_compute_api:os-server-tags:show": "rule:admin_or_owner"

#
#"os_compute_api:os-server-usage": "rule:admin_or_owner"

# List all servers
# GET /servers
#"os_compute_api:servers:index": "rule:admin_or_owner"

# List all servers with detailed information
# GET /servers/detail
#"os_compute_api:servers:detail": "rule:admin_or_owner"

# List all servers for all projects
# GET /servers
#"os_compute_api:servers:index:get_all_tenants": "rule:admin_api"

# List all servers with detailed information for all projects
# GET /servers/detail
#"os_compute_api:servers:detail:get_all_tenants": "rule:admin_api"

# Show a server
# GET /servers/{server_id}
#"os_compute_api:servers:show": "rule:admin_or_owner"

# Show a server with additional host status information
# GET /servers/{server_id}
# GET /servers/detail
#"os_compute_api:servers:show:host_status": "rule:admin_api"

# Create a server
# POST /servers
#"os_compute_api:servers:create": "rule:admin_or_owner"

# Create a server on the specified host
# POST /servers
#"os_compute_api:servers:create:forced_host": "rule:admin_api"

# Create a server with the requested volume attached to it
# POST /servers
#"os_compute_api:servers:create:attach_volume": "rule:admin_or_owner"

# Create a server with the requested network attached to it
# POST /servers
#"os_compute_api:servers:create:attach_network": "rule:admin_or_owner"

# Delete a server
# DELETE /servers/{server_id}
#"os_compute_api:servers:delete": "rule:admin_or_owner"

# Update a server
# PUT /servers/{server_id}
#"os_compute_api:servers:update": "rule:admin_or_owner"

# Confirm a server resize
# POST /servers/{server_id}/action (confirmResize)
#"os_compute_api:servers:confirm_resize": "rule:admin_or_owner"

# Revert a server resize
# POST /servers/{server_id}/action (revertResize)
#"os_compute_api:servers:revert_resize": "rule:admin_or_owner"

# Reboot a server
# POST /servers/{server_id}/action (reboot)
#"os_compute_api:servers:reboot": "rule:admin_or_owner"

# Resize a server
# POST /servers/{server_id}/action (resize)
#"os_compute_api:servers:resize": "rule:admin_or_owner"

# Rebuild a server
# POST /servers/{server_id}/action (rebuild)
#"os_compute_api:servers:rebuild": "rule:admin_or_owner"

# Create an image from a server
# POST /servers/{server_id}/action (createImage)
#"os_compute_api:servers:create_image": "rule:admin_or_owner"

# Create an image from a volume backed server
# POST /servers/{server_id}/action (createImage)
#"os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_or_owner"

# Start a server
# POST /servers/{server_id}/action (os-start)
#"os_compute_api:servers:start": "rule:admin_or_owner"

# Stop a server
# POST /servers/{server_id}/action (os-stop)
#"os_compute_api:servers:stop": "rule:admin_or_owner"

# Trigger crash dump in a server
# POST /servers/{server_id}/action (trigger_crash_dump)
#"os_compute_api:servers:trigger_crash_dump": "rule:admin_or_owner"

# Show details for an in-progress live migration for a given server
# GET /servers/{server_id}/migrations/{migration_id}
#"os_compute_api:servers:migrations:show": "rule:admin_api"

# Force an in-progress live migration for a given server to complete
# POST /servers/{server_id}/migrations/{migration_id}/action
# (force_complete)
#"os_compute_api:servers:migrations:force_complete": "rule:admin_api"

# Delete(Abort) an in-progress live migration
# DELETE /servers/{server_id}/migrations/{migration_id}
#"os_compute_api:servers:migrations:delete": "rule:admin_api"

# Lists in-progress live migrations for a given server
# GET /servers/{server_id}/migrations
#"os_compute_api:servers:migrations:index": "rule:admin_api"

# Lists all running Compute services in a region, enables or disables
# scheduling for a Compute service, logs disabled Compute service
# information, set or unset forced_down flag for the compute service
# and deletes a Compute service.
# GET /os-services
# PUT /os-services/enable
# PUT /os-services/disable
# PUT /os-services/disable-log-reason
# PUT /os-services/force-down
# DELETE /os-services/{service_id}
#"os_compute_api:os-services": "rule:admin_api"

# Shelve Server
# POST /servers/{server_id}/action (shelve)
#"os_compute_api:os-shelve:shelve": "rule:admin_or_owner"

# Unshelve (Restore) Shelved Server
# POST /servers/{server_id}/action (unshelve)
#"os_compute_api:os-shelve:unshelve": "rule:admin_or_owner"

# Shelf-Offload (Remove) Server
# POST /servers/{server_id}/action (shelveOffload)
#"os_compute_api:os-shelve:shelve_offload": "rule:admin_api"

# Show usage statistics for a specific tenant.
# GET /os-simple-tenant-usage/{tenant_id}
#"os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner"

# List per tenant usage statistics for all tenants.
# GET /os-simple-tenant-usage
#"os_compute_api:os-simple-tenant-usage:list": "rule:admin_api"

# Resume suspended server
# POST /servers/{server_id}/action (resume)
#"os_compute_api:os-suspend-server:resume": "rule:admin_or_owner"

# Suspend server
# POST /servers/{server_id}/action (suspend)
#"os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner"

# Creates, lists, shows information for, and deletes
# project networks.
#
# These APIs are proxy calls to the Network service. These are all
# deprecated.
# GET /os-tenant-networks
# POST /os-tenant-networks
# GET /os-tenant-networks/{network_id}
# DELETE /os-tenant-networks/{network_id}
#"os_compute_api:os-tenant-networks": "rule:admin_or_owner"

# Shows rate and absolute limits for the project.
#
# This policy only checks if the user has access to the requested
# project limits. And this check is performed only after the check
# os_compute_api:limits passes
# GET /limits
#"os_compute_api:os-used-limits": "rule:admin_api"

# List Virtual Interfaces.
#
# This works only with the nova-network service, which is now
# deprecated
# GET /servers/{server_id}/os-virtual-interfaces
#"os_compute_api:os-virtual-interfaces": "rule:admin_or_owner"

# Manages volumes for use with the Compute API.
#
# Lists, shows details, creates, and deletes volumes. These APIs are
# proxy calls
# to the Volume service. These are all deprecated.
# GET /os-volumes
# POST /os-volumes
# GET /os-volumes/detail
# GET /os-volumes/{volume_id}
# DELETE /os-volumes/{volume_id}
#"os_compute_api:os-volumes": "rule:admin_or_owner"

# List volume attachments for an instance
# GET /servers/{server_id}/os-volume_attachments
#"os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner"

# Attach a volume to an instance
# POST /servers/{server_id}/os-volume_attachments
#"os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner"

# Show details of a volume attachment
# GET /servers/{server_id}/os-volume_attachments/{attachment_id}
#"os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner"

# Update a volume attachment
# PUT /servers/{server_id}/os-volume_attachments/{attachment_id}
#"os_compute_api:os-volumes-attachments:update": "rule:admin_api"

# Detach a volume from an instance
# DELETE /servers/{server_id}/os-volume_attachments/{attachment_id}
#"os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner"