Heat Sample Policy

Warning

JSON formatted policy file is deprecated since Heat 17.0.0 (Xena). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

The following is a sample heat policy file that has been auto-generated from default policy values in code. If you’re using the default policies, then the maintenance of this file is not necessary, and it should not be copied into a deployment. Doing so will result in duplicate policy definitions. It is here to help explain which policy operations protect specific heat APIs, but it is not suggested to copy and paste into a deployment unless you’re planning on providing a different policy for an operation that is not the default.

If you wish build a policy file, you can also use tox -e genpolicy to generate it.

The sample policy file can also be downloaded in file form.

# Decides what is required for the 'is_admin:True' check to succeed.
#"context_is_admin": "(role:admin and is_admin_project:True) OR (role:admin and system_scope:all)"

# Default rule for project admin.
#"project_admin": "role:admin"

# Default rule for deny stack user.
#"deny_stack_user": "not role:heat_stack_user"

# Default rule for deny everybody.
#"deny_everybody": "!"

# Default rule for allow everybody.
#"allow_everybody": ""

# Performs non-lifecycle operations on the stack (Snapshot, Resume,
# Cancel update, or check stack resources). This is the default for
# all actions but can be overridden by more specific policies for
# individual actions.
# POST  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions
#"actions:action": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "actions:action":"rule:deny_stack_user" has been deprecated since W
# in favor of "actions:action":"(role:admin and system_scope:all) or
# (role:member and project_id:%(project_id)s)".
# The actions API now supports system scope and default roles.

# Create stack snapshot
# POST  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions
# Intended scope(s): system, project
#"actions:snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "actions:snapshot":"rule:deny_stack_user" has been deprecated since
# W in favor of "actions:snapshot":"(role:admin and system_scope:all)
# or (role:member and project_id:%(project_id)s)".
# The actions API now supports system scope and default roles.

# Suspend a stack.
# POST  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions
# Intended scope(s): system, project
#"actions:suspend": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "actions:suspend":"rule:deny_stack_user" has been deprecated since W
# in favor of "actions:suspend":"(role:admin and system_scope:all) or
# (role:member and project_id:%(project_id)s)".
# The actions API now supports system scope and default roles.

# Resume a suspended stack.
# POST  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions
# Intended scope(s): system, project
#"actions:resume": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "actions:resume":"rule:deny_stack_user" has been deprecated since W
# in favor of "actions:resume":"(role:admin and system_scope:all) or
# (role:member and project_id:%(project_id)s)".
# The actions API now supports system scope and default roles.

# Check stack resources.
# POST  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions
# Intended scope(s): system, project
#"actions:check": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "actions:check":"rule:deny_stack_user" has been deprecated since W
# in favor of "actions:check":"(role:reader and system_scope:all) or
# (role:reader and project_id:%(project_id)s)".
# The actions API now supports system scope and default roles.

# Cancel stack operation and roll back.
# POST  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions
# Intended scope(s): system, project
#"actions:cancel_update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "actions:cancel_update":"rule:deny_stack_user" has been deprecated
# since W in favor of "actions:cancel_update":"(role:admin and
# system_scope:all) or (role:member and project_id:%(project_id)s)".
# The actions API now supports system scope and default roles.

# Cancel stack operation without rolling back.
# POST  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions
# Intended scope(s): system, project
#"actions:cancel_without_rollback": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "actions:cancel_without_rollback":"rule:deny_stack_user" has been
# deprecated since W in favor of
# "actions:cancel_without_rollback":"(role:admin and system_scope:all)
# or (role:member and project_id:%(project_id)s)".
# The actions API now supports system scope and default roles.

# Show build information.
# GET  /v1/{tenant_id}/build_info
# Intended scope(s): system, project
#"build_info:build_info": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "build_info:build_info":"rule:deny_stack_user" has been deprecated
# since W in favor of "build_info:build_info":"(role:reader and
# system_scope:all) or (role:reader and project_id:%(project_id)s)".
# The build API now supports system scope and default roles.

# Intended scope(s): system, project
#"cloudformation:ListStacks": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "cloudformation:ListStacks":"rule:deny_stack_user" has been
# deprecated since W in favor of
# "cloudformation:ListStacks":"(role:reader and system_scope:all) or
# (role:reader and project_id:%(project_id)s)".
# The cloud formation API now supports system scope and default roles.

# Intended scope(s): system, project
#"cloudformation:CreateStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "cloudformation:CreateStack":"rule:deny_stack_user" has been
# deprecated since W in favor of
# "cloudformation:CreateStack":"(role:admin and system_scope:all) or
# (role:member and project_id:%(project_id)s)".
# The cloud formation API now supports system scope and default roles.

# Intended scope(s): system, project
#"cloudformation:DescribeStacks": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "cloudformation:DescribeStacks":"rule:deny_stack_user" has been
# deprecated since W in favor of
# "cloudformation:DescribeStacks":"(role:reader and system_scope:all)
# or (role:reader and project_id:%(project_id)s)".
# The cloud formation API now supports system scope and default roles.

# Intended scope(s): system, project
#"cloudformation:DeleteStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "cloudformation:DeleteStack":"rule:deny_stack_user" has been
# deprecated since W in favor of
# "cloudformation:DeleteStack":"(role:admin and system_scope:all) or
# (role:member and project_id:%(project_id)s)".
# The cloud formation API now supports system scope and default roles.

# Intended scope(s): system, project
#"cloudformation:UpdateStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "cloudformation:UpdateStack":"rule:deny_stack_user" has been
# deprecated since W in favor of
# "cloudformation:UpdateStack":"(role:admin and system_scope:all) or
# (role:member and project_id:%(project_id)s)".
# The cloud formation API now supports system scope and default roles.

# Intended scope(s): system, project
#"cloudformation:CancelUpdateStack": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "cloudformation:CancelUpdateStack":"rule:deny_stack_user" has been
# deprecated since W in favor of
# "cloudformation:CancelUpdateStack":"(role:admin and
# system_scope:all) or (role:member and project_id:%(project_id)s)".
# The cloud formation API now supports system scope and default roles.

# Intended scope(s): system, project
#"cloudformation:DescribeStackEvents": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "cloudformation:DescribeStackEvents":"rule:deny_stack_user" has been
# deprecated since W in favor of
# "cloudformation:DescribeStackEvents":"(role:reader and
# system_scope:all) or (role:reader and project_id:%(project_id)s)".
# The cloud formation API now supports system scope and default roles.

# Intended scope(s): system, project
#"cloudformation:ValidateTemplate": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "cloudformation:ValidateTemplate":"rule:deny_stack_user" has been
# deprecated since W in favor of
# "cloudformation:ValidateTemplate":"(role:reader and
# system_scope:all) or (role:reader and project_id:%(project_id)s)".
# The cloud formation API now supports system scope and default roles.

# Intended scope(s): system, project
#"cloudformation:GetTemplate": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "cloudformation:GetTemplate":"rule:deny_stack_user" has been
# deprecated since W in favor of
# "cloudformation:GetTemplate":"(role:reader and system_scope:all) or
# (role:reader and project_id:%(project_id)s)".
# The cloud formation API now supports system scope and default roles.

# Intended scope(s): system, project
#"cloudformation:EstimateTemplateCost": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "cloudformation:EstimateTemplateCost":"rule:deny_stack_user" has
# been deprecated since W in favor of
# "cloudformation:EstimateTemplateCost":"(role:reader and
# system_scope:all) or (role:reader and project_id:%(project_id)s)".
# The cloud formation API now supports system scope and default roles.

# Intended scope(s): system, project
#"cloudformation:DescribeStackResource": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"

# DEPRECATED
# "cloudformation:DescribeStackResource":"rule:allow_everybody" has
# been deprecated since W in favor of
# "cloudformation:DescribeStackResource":"(role:reader and
# system_scope:all) or (role:reader and project_id:%(project_id)s) or
# (role:heat_stack_user and project_id:%(project_id)s)".
# The cloud formation API now supports system scope and default roles.

# Intended scope(s): system, project
#"cloudformation:DescribeStackResources": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "cloudformation:DescribeStackResources":"rule:deny_stack_user" has
# been deprecated since W in favor of
# "cloudformation:DescribeStackResources":"(role:reader and
# system_scope:all) or (role:reader and project_id:%(project_id)s)".
# The cloud formation API now supports system scope and default roles.

# Intended scope(s): system, project
#"cloudformation:ListStackResources": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "cloudformation:ListStackResources":"rule:deny_stack_user" has been
# deprecated since W in favor of
# "cloudformation:ListStackResources":"(role:reader and
# system_scope:all) or (role:reader and project_id:%(project_id)s)".
# The cloud formation API now supports system scope and default roles.

# List events.
# GET  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/events
# Intended scope(s): system, project
#"events:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "events:index":"rule:deny_stack_user" has been deprecated since W in
# favor of "events:index":"(role:reader and system_scope:all) or
# (role:reader and project_id:%(project_id)s)".
# The events API now supports system scope and default roles.

# Show event.
# GET  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/events/{event_id}
# Intended scope(s): system, project
#"events:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "events:show":"rule:deny_stack_user" has been deprecated since W in
# favor of "events:show":"(role:reader and system_scope:all) or
# (role:reader and project_id:%(project_id)s)".
# The events API now supports system scope and default roles.

# List resources.
# GET  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources
# Intended scope(s): system, project
#"resource:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "resource:index":"rule:deny_stack_user" has been deprecated since W
# in favor of "resource:index":"(role:reader and system_scope:all) or
# (role:reader and project_id:%(project_id)s)".
# The resources API now supports system scope and default roles.

# Show resource metadata.
# GET  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/metadata
# Intended scope(s): system, project
#"resource:metadata": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"

# DEPRECATED
# "resource:metadata":"rule:allow_everybody" has been deprecated since
# W in favor of "resource:metadata":"(role:reader and
# system_scope:all) or (role:reader and project_id:%(project_id)s) or
# (role:heat_stack_user and project_id:%(project_id)s)".
# The resources API now supports system scope and default roles.

# Signal resource.
# POST  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/signal
# Intended scope(s): system, project
#"resource:signal": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"

# DEPRECATED
# "resource:signal":"rule:allow_everybody" has been deprecated since W
# in favor of "resource:signal":"(role:reader and system_scope:all) or
# (role:reader and project_id:%(project_id)s) or (role:heat_stack_user
# and project_id:%(project_id)s)".
# The resources API now supports system scope and default roles.

# Mark resource as unhealthy.
# PATCH  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name_or_physical_id}
# Intended scope(s): system, project
#"resource:mark_unhealthy": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "resource:mark_unhealthy":"rule:deny_stack_user" has been deprecated
# since W in favor of "resource:mark_unhealthy":"(role:admin and
# system_scope:all) or (role:member and project_id:%(project_id)s)".
# The resources API now supports system scope and default roles.

# Show resource.
# GET  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}
# Intended scope(s): system, project
#"resource:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "resource:show":"rule:deny_stack_user" has been deprecated since W
# in favor of "resource:show":"(role:reader and system_scope:all) or
# (role:reader and project_id:%(project_id)s)".
# The resources API now supports system scope and default roles.

#"resource_types:OS::Nova::Flavor": "rule:project_admin"

#"resource_types:OS::Cinder::EncryptedVolumeType": "rule:project_admin"

#"resource_types:OS::Cinder::VolumeType": "rule:project_admin"

#"resource_types:OS::Cinder::Quota": "rule:project_admin"

#"resource_types:OS::Neutron::Quota": "rule:project_admin"

#"resource_types:OS::Nova::Quota": "rule:project_admin"

#"resource_types:OS::Octavia::Quota": "rule:project_admin"

#"resource_types:OS::Manila::ShareType": "rule:project_admin"

#"resource_types:OS::Neutron::ProviderNet": "rule:project_admin"

#"resource_types:OS::Neutron::QoSPolicy": "rule:project_admin"

#"resource_types:OS::Neutron::QoSBandwidthLimitRule": "rule:project_admin"

#"resource_types:OS::Neutron::QoSDscpMarkingRule": "rule:project_admin"

#"resource_types:OS::Neutron::QoSMinimumBandwidthRule": "rule:project_admin"

#"resource_types:OS::Neutron::Segment": "rule:project_admin"

#"resource_types:OS::Nova::HostAggregate": "rule:project_admin"

#"resource_types:OS::Cinder::QoSSpecs": "rule:project_admin"

#"resource_types:OS::Cinder::QoSAssociation": "rule:project_admin"

#"resource_types:OS::Keystone::*": "rule:project_admin"

#"resource_types:OS::Blazar::Host": "rule:project_admin"

#"resource_types:OS::Octavia::Flavor": "rule:project_admin"

#"resource_types:OS::Octavia::FlavorProfile": "rule:project_admin"

#"service:index": "role:reader and system_scope:all"

# DEPRECATED
# "service:index":"rule:context_is_admin" has been deprecated since W
# in favor of "service:index":"role:reader and system_scope:all".
# The service API now supports system scope and default roles.

# List configs globally.
# GET  /v1/{tenant_id}/software_configs
# Intended scope(s): system, project
#"software_configs:global_index": "role:reader and system_scope:all"

# DEPRECATED
# "software_configs:global_index":"rule:deny_everybody" has been
# deprecated since W in favor of
# "software_configs:global_index":"role:reader and system_scope:all".
# The software configuration API now support system scope and default
# roles.

# List configs.
# GET  /v1/{tenant_id}/software_configs
# Intended scope(s): system, project
#"software_configs:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "software_configs:index":"rule:deny_stack_user" has been deprecated
# since W in favor of "software_configs:index":"(role:reader and
# system_scope:all) or (role:reader and project_id:%(project_id)s)".
# The software configuration API now support system scope and default
# roles.

# Create config.
# POST  /v1/{tenant_id}/software_configs
# Intended scope(s): system, project
#"software_configs:create": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "software_configs:create":"rule:deny_stack_user" has been deprecated
# since W in favor of "software_configs:create":"(role:reader and
# system_scope:all) or (role:reader and project_id:%(project_id)s)".
# The software configuration API now support system scope and default
# roles.

# Show config details.
# GET  /v1/{tenant_id}/software_configs/{config_id}
# Intended scope(s): system, project
#"software_configs:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "software_configs:show":"rule:deny_stack_user" has been deprecated
# since W in favor of "software_configs:show":"(role:reader and
# system_scope:all) or (role:reader and project_id:%(project_id)s)".
# The software configuration API now support system scope and default
# roles.

# Delete config.
# DELETE  /v1/{tenant_id}/software_configs/{config_id}
# Intended scope(s): system, project
#"software_configs:delete": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "software_configs:delete":"rule:deny_stack_user" has been deprecated
# since W in favor of "software_configs:delete":"(role:admin and
# system_scope:all) or (role:member and project_id:%(project_id)s)".
# The software configuration API now support system scope and default
# roles.

# List deployments.
# GET  /v1/{tenant_id}/software_deployments
# Intended scope(s): system, project
#"software_deployments:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "software_deployments:index":"rule:deny_stack_user" has been
# deprecated since W in favor of
# "software_deployments:index":"(role:reader and system_scope:all) or
# (role:reader and project_id:%(project_id)s)".
# The software deployment API now supports system scope and default
# roles.

# Create deployment.
# POST  /v1/{tenant_id}/software_deployments
# Intended scope(s): system, project
#"software_deployments:create": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "software_deployments:create":"rule:deny_stack_user" has been
# deprecated since W in favor of
# "software_deployments:create":"(role:admin and system_scope:all) or
# (role:member and project_id:%(project_id)s)".
# The software deployment API now supports system scope and default
# roles.

# Show deployment details.
# GET  /v1/{tenant_id}/software_deployments/{deployment_id}
# Intended scope(s): system, project
#"software_deployments:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "software_deployments:show":"rule:deny_stack_user" has been
# deprecated since W in favor of
# "software_deployments:show":"(role:reader and system_scope:all) or
# (role:reader and project_id:%(project_id)s)".
# The software deployment API now supports system scope and default
# roles.

# Update deployment.
# PUT  /v1/{tenant_id}/software_deployments/{deployment_id}
# Intended scope(s): system, project
#"software_deployments:update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "software_deployments:update":"rule:deny_stack_user" has been
# deprecated since W in favor of
# "software_deployments:update":"(role:admin and system_scope:all) or
# (role:member and project_id:%(project_id)s)".
# The software deployment API now supports system scope and default
# roles.

# Delete deployment.
# DELETE  /v1/{tenant_id}/software_deployments/{deployment_id}
# Intended scope(s): system, project
#"software_deployments:delete": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "software_deployments:delete":"rule:deny_stack_user" has been
# deprecated since W in favor of
# "software_deployments:delete":"(role:admin and system_scope:all) or
# (role:member and project_id:%(project_id)s)".
# The software deployment API now supports system scope and default
# roles.

# Show server configuration metadata.
# GET  /v1/{tenant_id}/software_deployments/metadata/{server_id}
# Intended scope(s): system, project
#"software_deployments:metadata": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"

# Abandon stack.
# DELETE  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/abandon
# Intended scope(s): system, project
#"stacks:abandon": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:abandon":"rule:deny_stack_user" has been deprecated since W
# in favor of "stacks:abandon":"(role:admin and system_scope:all) or
# (role:member and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# Create stack.
# POST  /v1/{tenant_id}/stacks
# Intended scope(s): system, project
#"stacks:create": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:create":"rule:deny_stack_user" has been deprecated since W
# in favor of "stacks:create":"(role:admin and system_scope:all) or
# (role:member and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# Delete stack.
# DELETE  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}
# Intended scope(s): system, project
#"stacks:delete": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:delete":"rule:deny_stack_user" has been deprecated since W
# in favor of "stacks:delete":"(role:admin and system_scope:all) or
# (role:member and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# List stacks in detail.
# GET  /v1/{tenant_id}/stacks
# Intended scope(s): system, project
#"stacks:detail": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:detail":"rule:deny_stack_user" has been deprecated since W
# in favor of "stacks:detail":"(role:reader and system_scope:all) or
# (role:reader and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# Export stack.
# GET  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/export
# Intended scope(s): system, project
#"stacks:export": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:export":"rule:deny_stack_user" has been deprecated since W
# in favor of "stacks:export":"(role:admin and system_scope:all) or
# (role:member and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# Generate stack template.
# GET  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template
# Intended scope(s): system, project
#"stacks:generate_template": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:generate_template":"rule:deny_stack_user" has been
# deprecated since W in favor of
# "stacks:generate_template":"(role:admin and system_scope:all) or
# (role:member and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# List stacks globally.
# GET  /v1/{tenant_id}/stacks
# Intended scope(s): system, project
#"stacks:global_index": "role:reader and system_scope:all"

# DEPRECATED
# "stacks:global_index":"rule:deny_everybody" has been deprecated
# since W in favor of "stacks:global_index":"role:reader and
# system_scope:all".
# The stack API now supports system scope and default roles.

# List stacks.
# GET  /v1/{tenant_id}/stacks
# Intended scope(s): system, project
#"stacks:index": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:index":"rule:deny_stack_user" has been deprecated since W in
# favor of "stacks:index":"(role:reader and system_scope:all) or
# (role:reader and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# List resource types.
# GET  /v1/{tenant_id}/resource_types
# Intended scope(s): system, project
#"stacks:list_resource_types": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:list_resource_types":"rule:deny_stack_user" has been
# deprecated since W in favor of
# "stacks:list_resource_types":"(role:reader and system_scope:all) or
# (role:reader and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# List template versions.
# GET  /v1/{tenant_id}/template_versions
# Intended scope(s): system, project
#"stacks:list_template_versions": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:list_template_versions":"rule:deny_stack_user" has been
# deprecated since W in favor of
# "stacks:list_template_versions":"(role:reader and system_scope:all)
# or (role:reader and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# List template functions.
# GET  /v1/{tenant_id}/template_versions/{template_version}/functions
# Intended scope(s): system, project
#"stacks:list_template_functions": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:list_template_functions":"rule:deny_stack_user" has been
# deprecated since W in favor of
# "stacks:list_template_functions":"(role:reader and system_scope:all)
# or (role:reader and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# Find stack.
# GET  /v1/{tenant_id}/stacks/{stack_identity}
# Intended scope(s): system, project
#"stacks:lookup": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or (role:heat_stack_user and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:lookup":"rule:allow_everybody" has been deprecated since W
# in favor of "stacks:lookup":"(role:reader and system_scope:all) or
# (role:reader and project_id:%(project_id)s) or (role:heat_stack_user
# and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# Preview stack.
# POST  /v1/{tenant_id}/stacks/preview
# Intended scope(s): system, project
#"stacks:preview": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:preview":"rule:deny_stack_user" has been deprecated since W
# in favor of "stacks:preview":"(role:reader and system_scope:all) or
# (role:reader and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# Show resource type schema.
# GET  /v1/{tenant_id}/resource_types/{type_name}
# Intended scope(s): system, project
#"stacks:resource_schema": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:resource_schema":"rule:deny_stack_user" has been deprecated
# since W in favor of "stacks:resource_schema":"(role:reader and
# system_scope:all) or (role:reader and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# Show stack.
# GET  /v1/{tenant_id}/stacks/{stack_identity}
# Intended scope(s): system, project
#"stacks:show": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:show":"rule:deny_stack_user" has been deprecated since W in
# favor of "stacks:show":"(role:reader and system_scope:all) or
# (role:reader and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# Get stack template.
# GET  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template
# Intended scope(s): system, project
#"stacks:template": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:template":"rule:deny_stack_user" has been deprecated since W
# in favor of "stacks:template":"(role:reader and system_scope:all) or
# (role:reader and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# Get stack environment.
# GET  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/environment
# Intended scope(s): system, project
#"stacks:environment": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:environment":"rule:deny_stack_user" has been deprecated
# since W in favor of "stacks:environment":"(role:reader and
# system_scope:all) or (role:reader and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# Get stack files.
# GET  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/files
# Intended scope(s): system, project
#"stacks:files": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:files":"rule:deny_stack_user" has been deprecated since W in
# favor of "stacks:files":"(role:reader and system_scope:all) or
# (role:reader and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# Update stack.
# PUT  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}
# Intended scope(s): system, project
#"stacks:update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:update":"rule:deny_stack_user" has been deprecated since W
# in favor of "stacks:update":"(role:admin and system_scope:all) or
# (role:member and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# Update stack (PATCH).
# PATCH  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}
# Intended scope(s): system, project
#"stacks:update_patch": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:update_patch":"rule:deny_stack_user" has been deprecated
# since W in favor of "stacks:update_patch":"(role:admin and
# system_scope:all) or (role:member and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# Update stack (PATCH) with no changes.
# PATCH  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}
# Intended scope(s): system, project
#"stacks:update_no_change": "rule:stacks:update_patch"

# Preview update stack.
# PUT  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview
# Intended scope(s): system, project
#"stacks:preview_update": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:preview_update":"rule:deny_stack_user" has been deprecated
# since W in favor of "stacks:preview_update":"(role:admin and
# system_scope:all) or (role:member and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# Preview update stack (PATCH).
# PATCH  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview
# Intended scope(s): system, project
#"stacks:preview_update_patch": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:preview_update_patch":"rule:deny_stack_user" has been
# deprecated since W in favor of
# "stacks:preview_update_patch":"(role:admin and system_scope:all) or
# (role:member and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# Validate template.
# POST  /v1/{tenant_id}/validate
# Intended scope(s): system, project
#"stacks:validate_template": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:validate_template":"rule:deny_stack_user" has been
# deprecated since W in favor of
# "stacks:validate_template":"(role:admin and system_scope:all) or
# (role:member and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# Snapshot Stack.
# POST  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots
# Intended scope(s): system, project
#"stacks:snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:snapshot":"rule:deny_stack_user" has been deprecated since W
# in favor of "stacks:snapshot":"(role:admin and system_scope:all) or
# (role:member and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# Show snapshot.
# GET  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}
# Intended scope(s): system, project
#"stacks:show_snapshot": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:show_snapshot":"rule:deny_stack_user" has been deprecated
# since W in favor of "stacks:show_snapshot":"(role:reader and
# system_scope:all) or (role:reader and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# Delete snapshot.
# DELETE  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}
# Intended scope(s): system, project
#"stacks:delete_snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:delete_snapshot":"rule:deny_stack_user" has been deprecated
# since W in favor of "stacks:delete_snapshot":"(role:admin and
# system_scope:all) or (role:member and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# List snapshots.
# GET  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots
# Intended scope(s): system, project
#"stacks:list_snapshots": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:list_snapshots":"rule:deny_stack_user" has been deprecated
# since W in favor of "stacks:list_snapshots":"(role:reader and
# system_scope:all) or (role:reader and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# Restore snapshot.
# POST  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}/restore
# Intended scope(s): system, project
#"stacks:restore_snapshot": "(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:restore_snapshot":"rule:deny_stack_user" has been deprecated
# since W in favor of "stacks:restore_snapshot":"(role:admin and
# system_scope:all) or (role:member and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# List outputs.
# GET  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs
# Intended scope(s): system, project
#"stacks:list_outputs": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:list_outputs":"rule:deny_stack_user" has been deprecated
# since W in favor of "stacks:list_outputs":"(role:reader and
# system_scope:all) or (role:reader and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.

# Show outputs.
# GET  /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs/{output_key}
# Intended scope(s): system, project
#"stacks:show_output": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "stacks:show_output":"rule:deny_stack_user" has been deprecated
# since W in favor of "stacks:show_output":"(role:reader and
# system_scope:all) or (role:reader and project_id:%(project_id)s)".
# The stack API now supports system scope and default roles.