Nova PolicyΒΆ

The following is a sample nova policy file, autogenerated from nova when this documentation is built. To prevent conflicts, ensure your version of nova aligns with the version of this documentation.

The sample policy can also be viewed in file form.

#
#"os_compute_api:os-admin-actions:discoverable": "@"

# Reset the state of a given server
# POST /servers/{server_id}/action (os-resetState)
#"os_compute_api:os-admin-actions:reset_state": "rule:admin_api"

# Inject network information into the server
# POST /servers/{server_id}/action (injectNetworkInfo)
#"os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api"

# Reset networking on a server
# POST /servers/{server_id}/action (resetNetwork)
#"os_compute_api:os-admin-actions:reset_network": "rule:admin_api"

#
#"os_compute_api:os-admin-password:discoverable": "@"

#
#"os_compute_api:os-admin-password": "rule:admin_or_owner"

# Create, list, update, and delete guest agent builds
#
# This is XenAPI driver specific. It is used to force the upgrade of
# the
# XenAPI guest agent on instance boot.
#
# GET /os-agents
# POST /os-agents
# PUT /os-agents/{agent_build_id}
# DELETE /os-agents/{agent_build_id}
#"os_compute_api:os-agents": "rule:admin_api"

#
#"os_compute_api:os-agents:discoverable": "@"

# Create or replace metadata for an aggregate
# POST /os-aggregates/{aggregate_id}/action (set_metadata)
#"os_compute_api:os-aggregates:set_metadata": "rule:admin_api"

# Add a host to an aggregate.
# POST /os-aggregates/{aggregate_id}/action (add_host)
#"os_compute_api:os-aggregates:add_host": "rule:admin_api"

#
#"os_compute_api:os-aggregates:discoverable": "@"

# Create an aggregate
# POST /os-aggregates
#"os_compute_api:os-aggregates:create": "rule:admin_api"

# Remove a host from an aggregate
# POST /os-aggregates/{aggregate_id}/action (remove_host)
#"os_compute_api:os-aggregates:remove_host": "rule:admin_api"

# Update name and/or availability zone for an aggregate
# PUT /os-aggregates/{aggregate_id}
#"os_compute_api:os-aggregates:update": "rule:admin_api"

# List all aggregates
# GET /os-aggregates
#"os_compute_api:os-aggregates:index": "rule:admin_api"

# Delete an aggregate
# DELETE /os-aggregates/{aggregate_id}
#"os_compute_api:os-aggregates:delete": "rule:admin_api"

# Show details for an aggregate.
# GET /os-aggregates/{aggregate_id}
#"os_compute_api:os-aggregates:show": "rule:admin_api"

# Create an assisted volume snapshot
# POST /os-assisted-volume-snapshots
#"os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api"

# Delete an assisted volume snapshot
# DELETE /os-assisted-volume-snapshots/{snapshot_id}
#"os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api"

#
#"os_compute_api:os-assisted-volume-snapshots:discoverable": "@"

# List port interfaces or show details of a port interface attached to
# a server
# GET /servers/{server_id}/os-interface
# GET /servers/{server_id}/os-interface/{port_id}
#"os_compute_api:os-attach-interfaces": "rule:admin_or_owner"

#
#"os_compute_api:os-attach-interfaces:discoverable": "@"

# Attach an interface to a server
# POST /servers/{server_id}/os-interface
#"os_compute_api:os-attach-interfaces:create": "rule:admin_or_owner"

# Detach an interface from a server
# DELETE /servers/{server_id}/os-interface/{port_id}
#"os_compute_api:os-attach-interfaces:delete": "rule:admin_or_owner"

# Lists availability zone information without host information
# GET os-availability-zone
#"os_compute_api:os-availability-zone:list": "rule:admin_or_owner"

#
#"os_compute_api:os-availability-zone:discoverable": "@"

# Lists detailed availability zone information with host information
# GET /os-availability-zone/detail
#"os_compute_api:os-availability-zone:detail": "rule:admin_api"

#
#"os_compute_api:os-baremetal-nodes:discoverable": "@"

# List and show details of bare metal nodes.
#
# These APIs are proxy calls to the Ironic service and are deprecated.
#
# GET /os-baremetal-nodes
# GET /os-baremetal-nodes/{node_id}
#"os_compute_api:os-baremetal-nodes": "rule:admin_api"

#
#"context_is_admin": "role:admin"

#
#"admin_or_owner": "is_admin:True or project_id:%(project_id)s"

#
#"admin_api": "is_admin:True"

#
#"network:attach_external_network": "is_admin:True"

#
#"os_compute_api:os-block-device-mapping:discoverable": "@"

#
#"os_compute_api:os-block-device-mapping-v1:discoverable": "@"

#
#"os_compute_api:os-cells:discoverable": "@"

# Update an existing cell
# PUT /os-cells/{cell_id}
#"os_compute_api:os-cells:update": "rule:admin_api"

# Create a new cell
# POST /os-cells
#"os_compute_api:os-cells:create": "rule:admin_api"

# List and get detailed info of a given cell or all cells
# GET /os-cells
# GET /os-cells/detail
# GET /os-cells/info
# GET /os-cells/capacities
# GET /os-cells/{cell_id}
#"os_compute_api:os-cells": "rule:admin_api"

# Sync instances info in all cells
# POST /os-cells/sync_instances
#"os_compute_api:os-cells:sync_instances": "rule:admin_api"

# Remove a cell
# DELETE /os-cells/{cell_id}
#"os_compute_api:os-cells:delete": "rule:admin_api"

# Different cell filter to route a build away from a particular cell
#
# This policy is read by nova-scheduler process.
#
#"cells_scheduler_filter:DifferentCellFilter": "is_admin:True"

# Target cell filter to route a build to a particular cell
#
# This policy is read by nova-scheduler process.
#
#"cells_scheduler_filter:TargetCellFilter": "is_admin:True"

#
#"os_compute_api:os-certificates:discoverable": "@"

# Create a root certificate. This API is deprecated.
# POST /os-certificates
#"os_compute_api:os-certificates:create": "rule:admin_or_owner"

# Show details for a root certificate.  This API is deprecated.
# GET /os-certificates/root
#"os_compute_api:os-certificates:show": "rule:admin_or_owner"

#
#"os_compute_api:os-cloudpipe": "rule:admin_api"

#
#"os_compute_api:os-cloudpipe:discoverable": "@"

#
#"os_compute_api:os-config-drive:discoverable": "@"

#
#"os_compute_api:os-config-drive": "rule:admin_or_owner"

#
#"os_compute_api:os-console-auth-tokens:discoverable": "@"

# Show console connection information for a given console
# authentication token
# GET /os-console-auth-tokens/{console_token}
#"os_compute_api:os-console-auth-tokens": "rule:admin_api"

#
#"os_compute_api:os-console-output:discoverable": "@"

# Show console output for a server
# POST /servers/{server_id}/action (os-getConsoleOutput)
#"os_compute_api:os-console-output": "rule:admin_or_owner"

# Create a console for a server instance
# POST /servers/{server_id}/consoles
#"os_compute_api:os-consoles:create": "rule:admin_or_owner"

# Show console details for a server instance
# GET /servers/{server_id}/consoles/{console_id}
#"os_compute_api:os-consoles:show": "rule:admin_or_owner"

# Delete a console for a server instance
# DELETE /servers/{server_id}/consoles/{console_id}
#"os_compute_api:os-consoles:delete": "rule:admin_or_owner"

#
#"os_compute_api:os-consoles:discoverable": "@"

# List all consoles for a server instance
# GET /servers/{server_id}/consoles
#"os_compute_api:os-consoles:index": "rule:admin_or_owner"

#
#"os_compute_api:os-create-backup:discoverable": "@"

# Create a back up of a server
# POST /servers/{server_id}/action (createBackup)
#"os_compute_api:os-create-backup": "rule:admin_or_owner"

#
#"os_compute_api:os-deferred-delete:discoverable": "@"

# Restore a soft deleted server or force delete a server before
# deferred cleanup
# POST /servers/{server_id}/action (restore)
# POST /servers/{server_id}/action (forceDelete)
#"os_compute_api:os-deferred-delete": "rule:admin_or_owner"

#
#"os_compute_api:os-evacuate:discoverable": "@"

# Evacuate a server from a failed host to a new host
# POST /servers/{server_id}/action (evacuate)
#"os_compute_api:os-evacuate": "rule:admin_api"

#
#"os_compute_api:os-extended-availability-zone": "rule:admin_or_owner"

#
#"os_compute_api:os-extended-availability-zone:discoverable": "@"

#
#"os_compute_api:os-extended-server-attributes": "rule:admin_api"

#
#"os_compute_api:os-extended-server-attributes:discoverable": "@"

#
#"os_compute_api:os-extended-status:discoverable": "@"

#
#"os_compute_api:os-extended-status": "rule:admin_or_owner"

#
#"os_compute_api:os-extended-volumes": "rule:admin_or_owner"

#
#"os_compute_api:os-extended-volumes:discoverable": "@"

#
#"os_compute_api:extension_info:discoverable": "@"

#
#"os_compute_api:extensions": "rule:admin_or_owner"

#
#"os_compute_api:extensions:discoverable": "@"

#
#"os_compute_api:os-fixed-ips:discoverable": "@"

#
#"os_compute_api:os-fixed-ips": "rule:admin_api"

#
#"os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api"

#
#"os_compute_api:os-flavor-access:discoverable": "@"

#
#"os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api"

#
#"os_compute_api:os-flavor-access": "rule:admin_or_owner"

# Show an extra spec for a flavor
# GET /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
#"os_compute_api:os-flavor-extra-specs:show": "rule:admin_or_owner"

# Create extra specs for a flavor
# POST /flavors/{flavor_id}/os-extra_specs/
#"os_compute_api:os-flavor-extra-specs:create": "rule:admin_api"

#
#"os_compute_api:os-flavor-extra-specs:discoverable": "@"

# Update an extra spec for a flavor
# PUT /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
#"os_compute_api:os-flavor-extra-specs:update": "rule:admin_api"

# Delete an extra spec for a flavor
# DELETE /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
#"os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api"

# List extra specs for a flavor
# GET /flavors/{flavor_id}/os-extra_specs/
#"os_compute_api:os-flavor-extra-specs:index": "rule:admin_or_owner"

#
#"os_compute_api:os-flavor-manage": "rule:admin_api"

#
#"os_compute_api:os-flavor-manage:discoverable": "@"

#
#"os_compute_api:os-flavor-rxtx": "rule:admin_or_owner"

#
#"os_compute_api:os-flavor-rxtx:discoverable": "@"

#
#"os_compute_api:flavors:discoverable": "@"

#
#"os_compute_api:flavors": "rule:admin_or_owner"

#
#"os_compute_api:os-floating-ip-dns": "rule:admin_or_owner"

#
#"os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api"

#
#"os_compute_api:os-floating-ip-dns:discoverable": "@"

#
#"os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api"

#
#"os_compute_api:os-floating-ip-pools:discoverable": "@"

#
#"os_compute_api:os-floating-ip-pools": "rule:admin_or_owner"

#
#"os_compute_api:os-floating-ips": "rule:admin_or_owner"

#
#"os_compute_api:os-floating-ips:discoverable": "@"

#
#"os_compute_api:os-floating-ips-bulk:discoverable": "@"

#
#"os_compute_api:os-floating-ips-bulk": "rule:admin_api"

#
#"os_compute_api:os-fping:all_tenants": "rule:admin_api"

#
#"os_compute_api:os-fping:discoverable": "@"

#
#"os_compute_api:os-fping": "rule:admin_or_owner"

#
#"os_compute_api:os-hide-server-addresses:discoverable": "@"

#
#"os_compute_api:os-hide-server-addresses": "is_admin:False"

#
#"os_compute_api:os-hosts:discoverable": "@"

#
#"os_compute_api:os-hosts": "rule:admin_api"

#
#"os_compute_api:os-hypervisors:discoverable": "@"

#
#"os_compute_api:os-hypervisors": "rule:admin_api"

#
#"os_compute_api:image-metadata:discoverable": "@"

#
#"os_compute_api:image-size:discoverable": "@"

#
#"os_compute_api:image-size": "rule:admin_or_owner"

#
#"os_compute_api:images:discoverable": "@"

#
#"os_compute_api:os-instance-actions:events": "rule:admin_api"

#
#"os_compute_api:os-instance-actions": "rule:admin_or_owner"

#
#"os_compute_api:os-instance-actions:discoverable": "@"

#
#"os_compute_api:os-instance-usage-audit-log": "rule:admin_api"

#
#"os_compute_api:os-instance-usage-audit-log:discoverable": "@"

#
#"os_compute_api:ips:discoverable": "@"

#
#"os_compute_api:ips:show": "rule:admin_or_owner"

#
#"os_compute_api:ips:index": "rule:admin_or_owner"

#
#"os_compute_api:os-keypairs:discoverable": "@"

# List all keypairs
# GET /os-keypairs
#"os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s"

# Create a keypair
# POST /os-keypairs
#"os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s"

# Delete a keypair
# DELETE /os-keypairs/{keypair_name}
#"os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s"

# Show details of a keypair
# GET /os-keypairs/{keypair_name}
#"os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s"

#
#"os_compute_api:os-keypairs": "rule:admin_or_owner"

#
#"os_compute_api:limits:discoverable": "@"

#
#"os_compute_api:limits": "rule:admin_or_owner"

#
#"os_compute_api:os-lock-server:discoverable": "@"

# Lock a server
# POST /servers/{server_id}/action (lock)
#"os_compute_api:os-lock-server:lock": "rule:admin_or_owner"

# Unlock a server
# POST /servers/{server_id}/action (unlock)
#"os_compute_api:os-lock-server:unlock": "rule:admin_or_owner"

# Unlock a server, regardless who locked the server.
#
#         This check is performed only after the check
#         os_compute_api:os-lock-server:unlock passes
# POST /servers/{server_id}/action (unlock)
#"os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api"

#
#"os_compute_api:os-migrate-server:migrate": "rule:admin_api"

#
#"os_compute_api:os-migrate-server:discoverable": "@"

#
#"os_compute_api:os-migrate-server:migrate_live": "rule:admin_api"

#
#"os_compute_api:os-migrations:index": "rule:admin_api"

#
#"os_compute_api:os-migrations:discoverable": "@"

#
#"os_compute_api:os-multinic": "rule:admin_or_owner"

#
#"os_compute_api:os-multinic:discoverable": "@"

#
#"os_compute_api:os-multiple-create:discoverable": "@"

#
#"os_compute_api:os-networks:discoverable": "@"

#
#"os_compute_api:os-networks": "rule:admin_api"

#
#"os_compute_api:os-networks:view": "rule:admin_or_owner"

#
#"os_compute_api:os-networks-associate": "rule:admin_api"

#
#"os_compute_api:os-networks-associate:discoverable": "@"

#
#"os_compute_api:os-pause-server:discoverable": "@"

# Pause a server.
# POST /servers/{server_id}/action (pause)
#"os_compute_api:os-pause-server:pause": "rule:admin_or_owner"

# Unpause a paused server.
# POST /servers/{server_id}/action (unpause)
#"os_compute_api:os-pause-server:unpause": "rule:admin_or_owner"

#
#"os_compute_api:os-pci:index": "rule:admin_api"

#
#"os_compute_api:os-pci:detail": "rule:admin_api"

#
#"os_compute_api:os-pci:pci_servers": "rule:admin_or_owner"

#
#"os_compute_api:os-pci:show": "rule:admin_api"

#
#"os_compute_api:os-pci:discoverable": "@"

#
#"os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s"

#
#"os_compute_api:os-quota-class-sets:discoverable": "@"

#
#"os_compute_api:os-quota-class-sets:update": "rule:admin_api"

#
#"os_compute_api:os-quota-sets:update": "rule:admin_api"

#
#"os_compute_api:os-quota-sets:defaults": "@"

#
#"os_compute_api:os-quota-sets:show": "rule:admin_or_owner"

#
#"os_compute_api:os-quota-sets:delete": "rule:admin_api"

#
#"os_compute_api:os-quota-sets:discoverable": "@"

#
#"os_compute_api:os-quota-sets:detail": "rule:admin_api"

#
#"os_compute_api:os-remote-consoles": "rule:admin_or_owner"

#
#"os_compute_api:os-remote-consoles:discoverable": "@"

#
#"os_compute_api:os-rescue:discoverable": "@"

# Rescue/unrescue a server
# POST /servers/{server_id}/action (rescue)
# POST /servers/{server_id}/action (unrescue)
#"os_compute_api:os-rescue": "rule:admin_or_owner"

#
#"os_compute_api:os-scheduler-hints:discoverable": "@"

#
#"os_compute_api:os-security-group-default-rules:discoverable": "@"

#
#"os_compute_api:os-security-group-default-rules": "rule:admin_api"

#
#"os_compute_api:os-security-groups": "rule:admin_or_owner"

#
#"os_compute_api:os-security-groups:discoverable": "@"

#
#"os_compute_api:os-server-diagnostics": "rule:admin_api"

#
#"os_compute_api:os-server-diagnostics:discoverable": "@"

#
#"os_compute_api:os-server-external-events:create": "rule:admin_api"

#
#"os_compute_api:os-server-external-events:discoverable": "@"

#
#"os_compute_api:os-server-groups:discoverable": "@"

#
#"os_compute_api:os-server-groups": "rule:admin_or_owner"

# Create a new server group
# POST /os-server-groups
#"os_compute_api:os-server-groups:create": "rule:os_compute_api:os-server-groups"

# Delete a server group
# DELETE /os-server-groups/{server_group_id}
#"os_compute_api:os-server-groups:delete": "rule:os_compute_api:os-server-groups"

# List all server groups
# GET /os-server-groups
#"os_compute_api:os-server-groups:index": "rule:os_compute_api:os-server-groups"

# Show details of a server group
# GET /os-server-groups/{server_group_id}
#"os_compute_api:os-server-groups:show": "rule:os_compute_api:os-server-groups"

#
#"os_compute_api:server-metadata:discoverable": "@"

# List all metadata of a server
# GET /servers/server_id/metadata
#"os_compute_api:server-metadata:index": "rule:admin_or_owner"

# Show metadata for a server
# GET /servers/server_id/metadata/{key}
#"os_compute_api:server-metadata:show": "rule:admin_or_owner"

# Create metadata for a server
# POST /servers/server_id/metadata
#"os_compute_api:server-metadata:create": "rule:admin_or_owner"

# Replace metadata for a server
# PUT /servers/server_id/metadata
#"os_compute_api:server-metadata:update_all": "rule:admin_or_owner"

# Update metadata from a server
# PUT /servers/server_id/metadata/{key}
#"os_compute_api:server-metadata:update": "rule:admin_or_owner"

# Delete metadata from a server
# DELETE /servers/server_id/metadata/{key}
#"os_compute_api:server-metadata:delete": "rule:admin_or_owner"

#
#"os_compute_api:os-server-password": "rule:admin_or_owner"

#
#"os_compute_api:os-server-password:discoverable": "@"

# Delete all the server tags
# DELETE /servers/{server_id}/tags
#"os_compute_api:os-server-tags:delete_all": "rule:admin_or_owner"

# List all tags for given server
# GET /servers/{server_id}/tags
#"os_compute_api:os-server-tags:index": "rule:admin_or_owner"

# Replace all tags on specified server with the new set of tags.
# PUT /servers/{server_id}/tags
#"os_compute_api:os-server-tags:update_all": "rule:admin_or_owner"

# Delete a single tag from the specified server
# DELETE /servers/{server_id}/tags/{tag}
#"os_compute_api:os-server-tags:delete": "rule:admin_or_owner"

# Add a single tag to the server if server has no specified tag
# PUT /servers/{server_id}/tags/{tag}
#"os_compute_api:os-server-tags:update": "rule:admin_or_owner"

# Check tag existence on the server.
# GET /servers/{server_id}/tags/{tag}
#"os_compute_api:os-server-tags:show": "rule:admin_or_owner"

#
#"os_compute_api:os-server-tags:discoverable": "@"

#
#"os_compute_api:os-server-usage": "rule:admin_or_owner"

#
#"os_compute_api:os-server-usage:discoverable": "@"

#
#"os_compute_api:servers:index": "rule:admin_or_owner"

#
#"os_compute_api:servers:detail": "rule:admin_or_owner"

#
#"os_compute_api:servers:detail:get_all_tenants": "rule:admin_api"

#
#"os_compute_api:servers:index:get_all_tenants": "rule:admin_api"

#
#"os_compute_api:servers:show": "rule:admin_or_owner"

#
#"os_compute_api:servers:show:host_status": "rule:admin_api"

#
#"os_compute_api:servers:create": "rule:admin_or_owner"

#
#"os_compute_api:servers:create:forced_host": "rule:admin_api"

#
#"os_compute_api:servers:create:attach_volume": "rule:admin_or_owner"

#
#"os_compute_api:servers:create:attach_network": "rule:admin_or_owner"

#
#"os_compute_api:servers:delete": "rule:admin_or_owner"

#
#"os_compute_api:servers:update": "rule:admin_or_owner"

#
#"os_compute_api:servers:confirm_resize": "rule:admin_or_owner"

#
#"os_compute_api:servers:revert_resize": "rule:admin_or_owner"

#
#"os_compute_api:servers:reboot": "rule:admin_or_owner"

#
#"os_compute_api:servers:resize": "rule:admin_or_owner"

#
#"os_compute_api:servers:rebuild": "rule:admin_or_owner"

#
#"os_compute_api:servers:create_image": "rule:admin_or_owner"

#
#"os_compute_api:servers:create_image:allow_volume_backed": "rule:admin_or_owner"

#
#"os_compute_api:servers:start": "rule:admin_or_owner"

#
#"os_compute_api:servers:stop": "rule:admin_or_owner"

#
#"os_compute_api:servers:trigger_crash_dump": "rule:admin_or_owner"

#
#"os_compute_api:servers:discoverable": "@"

#
#"os_compute_api:servers:migrations:show": "rule:admin_api"

#
#"os_compute_api:servers:migrations:force_complete": "rule:admin_api"

#
#"os_compute_api:servers:migrations:delete": "rule:admin_api"

#
#"os_compute_api:servers:migrations:index": "rule:admin_api"

#
#"os_compute_api:server-migrations:discoverable": "@"

#
#"os_compute_api:os-services": "rule:admin_api"

#
#"os_compute_api:os-services:discoverable": "@"

# Shelve Server
# POST /servers/{server_id}/action (shelve)
#"os_compute_api:os-shelve:shelve": "rule:admin_or_owner"

# Unshelve (Restore) Shelved Server
# POST /servers/{server_id}/action (unshelve)
#"os_compute_api:os-shelve:unshelve": "rule:admin_or_owner"

# Shelf-Offload (Remove) Server
# POST /servers/{server_id}/action (shelveOffload)
#"os_compute_api:os-shelve:shelve_offload": "rule:admin_api"

#
#"os_compute_api:os-shelve:discoverable": "@"

# Show usage statistics for a specific tenant.
# GET /os-simple-tenant-usage/{tenant_id}
#"os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner"

# List per tenant usage statistics for all tenants.
# GET /os-simple-tenant-usage
#"os_compute_api:os-simple-tenant-usage:list": "rule:admin_api"

#
#"os_compute_api:os-simple-tenant-usage:discoverable": "@"

# Resume suspended server
# POST /servers/{server_id}/action (resume)
#"os_compute_api:os-suspend-server:resume": "rule:admin_or_owner"

# Suspend server
# POST /servers/{server_id}/action (suspend)
#"os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner"

#
#"os_compute_api:os-suspend-server:discoverable": "@"

# Creates, lists, shows information for, and deletes
# project networks.
#
# These APIs are proxy calls to the Network service. These are all
# deprecated.
# GET /os-tenant-networks
# POST /os-tenant-networks
# GET /os-tenant-networks/{network_id}
# DELETE /os-tenant-networks/{network_id}
#"os_compute_api:os-tenant-networks": "rule:admin_or_owner"

#
#"os_compute_api:os-tenant-networks:discoverable": "@"

#
#"os_compute_api:os-used-limits:discoverable": "@"

# Shows rate and absolute limits for the project.
#
# This policy only checks if the user has access to the requested
# project limits. And this check is performed only after the check
# os_compute_api:limits passes
# GET /limits
#"os_compute_api:os-used-limits": "rule:admin_api"

#
#"os_compute_api:os-user-data:discoverable": "@"

#
#"os_compute_api:versions:discoverable": "@"

#
#"os_compute_api:os-virtual-interfaces:discoverable": "@"

# List Virtual Interfaces.
#
# This works only with the nova-network service, which is now
# deprecated
# GET /servers/{server_id}/os-virtual-interfaces
#"os_compute_api:os-virtual-interfaces": "rule:admin_or_owner"

#
#"os_compute_api:os-volumes:discoverable": "@"

# Manages volumes for use with the Compute API.
#
# Lists, shows details, creates, and deletes volumes. These APIs are
# proxy calls
# to the Volume service. These are all deprecated.
# GET /os-volumes
# POST /os-volumes
# GET /os-volumes/detail
# GET /os-volumes/{volume_id}
# DELETE /os-volumes/{volume_id}
#"os_compute_api:os-volumes": "rule:admin_or_owner"

# List volume attachments for an instance
# GET /servers/{server_id}/os-volume_attachments
#"os_compute_api:os-volumes-attachments:index": "rule:admin_or_owner"

# Attach a volume to an instance
# POST /servers/{server_id}/os-volume_attachments
#"os_compute_api:os-volumes-attachments:create": "rule:admin_or_owner"

# Show details of a volume attachment
# GET /servers/{server_id}/os-volume_attachments/{attachment_id}
#"os_compute_api:os-volumes-attachments:show": "rule:admin_or_owner"

#
#"os_compute_api:os-volumes-attachments:discoverable": "@"

# Update a volume attachment
# PUT /servers/{server_id}/os-volume_attachments/{attachment_id}
#"os_compute_api:os-volumes-attachments:update": "rule:admin_api"

# Detach a volume from an instance
# DELETE /servers/{server_id}/os-volume_attachments/{attachment_id}
#"os_compute_api:os-volumes-attachments:delete": "rule:admin_or_owner"