Policies¶
Warning
JSON formatted policy files were deprecated in the Wallaby development
cycle due to the Victoria deprecation by the olso.policy
library.
Use the oslopolicy-convert-json-to-yaml tool
to convert the existing JSON to YAML formatted policy file in backward
compatible way.
The following is an overview of all available policies in Ironic. For a sample configuration file, refer to Ironic Policy.
ironic.api¶
admin_api
- Default:
role:admin or role:administrator
Legacy rule for cloud admin access
public_api
- Default:
is_public_api:True
Internal flag for public API routes
show_password
- Default:
!
Show or mask secrets within node driver information in API responses. This setting should be used with the utmost care as its use can present a security risk.
show_instance_secrets
- Default:
!
Show or mask secrets within instance information in API responses. This setting should be used with the utmost care as its use can present a security risk.
service_role
- Default:
role:service and project_name:%(config.service_project_name)s
Rule to match service role usage with a service project, delineated as a separate rule to enable customization.
is_member
- Default:
(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)
May be used to restrict access to specific projects
is_observer
- Default:
rule:is_member and (role:observer or role:baremetal_observer)
Read-only API access
is_admin
- Default:
rule:admin_api or (rule:is_member and role:baremetal_admin)
Full read/write API access
is_node_owner
- Default:
project_id:%(node.owner)s
Owner of node
is_node_lessee
- Default:
project_id:%(node.lessee)s
Lessee of node
is_allocation_owner
- Default:
project_id:%(allocation.owner)s
Owner of allocation
baremetal:node:create
- Default:
(role:admin and system_scope:all) or (role:service and system_scope:all)
- Operations:
POST
/nodes
- Scope Types:
system
project
Create Node records
baremetal:node:create:self_owned_node
- Default:
(role:admin) or (role:service)
- Operations:
POST
/nodes
- Scope Types:
system
project
Create node records which will be tracked as owned by the associated user project.
baremetal:node:list
- Default:
(role:reader) or (role:service)
- Operations:
GET
/nodes
GET
/nodes/detail
- Scope Types:
system
project
Retrieve multiple Node records, filtered by an explicit owner or the client project_id
baremetal:node:list_all
- Default:
(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role
- Operations:
GET
/nodes
GET
/nodes/detail
- Scope Types:
system
project
Retrieve multiple Node records
baremetal:node:get
- Default:
((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and project_id:%(node.owner)s)
- Operations:
GET
/nodes/{node_ident}
- Scope Types:
system
project
Retrieve a single Node record
baremetal:node:get:filter_threshold
- Default:
(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role
- Operations:
GET
/nodes/{node_ident}
- Scope Types:
system
project
Filter to allow operators to govern the threshold where information should be filtered. Non-authorized users will be subjected to additional API policy checks for API content response bodies.
baremetal:node:get:last_error
- Default:
((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:reader and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
GET
/nodes/{node_ident}
- Scope Types:
system
project
Governs if the node last_error field is masked from API clients with insufficient privileges.
baremetal:node:get:reservation
- Default:
((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:reader and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
GET
/nodes/{node_ident}
- Scope Types:
system
project
Governs if the node reservation field is masked from API clients with insufficient privileges.
baremetal:node:get:driver_internal_info
- Default:
((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:reader and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
GET
/nodes/{node_ident}
- Scope Types:
system
project
Governs if the node driver_internal_info field is masked from API clients with insufficient privileges.
baremetal:node:get:driver_info
- Default:
((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:reader and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
GET
/nodes/{node_ident}
- Scope Types:
system
project
Governs if the driver_info field is masked from API clients with insufficient privileges.
baremetal:node:update:driver_info
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
PATCH
/nodes/{node_ident}
- Scope Types:
system
project
Governs if node driver_info field can be updated via the API clients.
baremetal:node:update:properties
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
PATCH
/nodes/{node_ident}
- Scope Types:
system
project
Governs if node properties field can be updated via the API clients.
baremetal:node:update:chassis_uuid
- Default:
role:admin and system_scope:all
- Operations:
PATCH
/nodes/{node_ident}
- Scope Types:
system
project
Governs if node chassis_uuid field can be updated via the API clients.
baremetal:node:update:instance_uuid
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
PATCH
/nodes/{node_ident}
- Scope Types:
system
project
Governs if node instance_uuid field can be updated via the API clients.
baremetal:node:update:lessee
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
PATCH
/nodes/{node_ident}
- Scope Types:
system
project
Governs if node lessee field can be updated via the API clients.
baremetal:node:update:owner
- Default:
(role:member and system_scope:all) or rule:service_role
- Operations:
PATCH
/nodes/{node_ident}
- Scope Types:
system
project
Governs if node owner field can be updated via the API clients.
baremetal:node:update:driver_interfaces
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
PATCH
/nodes/{node_ident}
- Scope Types:
system
project
Governs if node driver and driver interfaces field can be updated via the API clients.
baremetal:node:update:network_data
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
PATCH
/nodes/{node_ident}
- Scope Types:
system
project
Governs if node driver_info field can be updated via the API clients.
baremetal:node:update:conductor_group
- Default:
(role:member and system_scope:all) or rule:service_role
- Operations:
PATCH
/nodes/{node_ident}
- Scope Types:
system
project
Governs if node conductor_group field can be updated via the API clients.
baremetal:node:update:name
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
PATCH
/nodes/{node_ident}
- Scope Types:
system
project
Governs if node name field can be updated via the API clients.
baremetal:node:update:retired
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
PATCH
/nodes/{node_ident}
- Scope Types:
system
project
Governs if node retired and retired reason can be updated by API clients.
baremetal:node:update
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and system_scope:all)
- Operations:
PATCH
/nodes/{node_ident}
- Scope Types:
system
project
Generalized update of node records
baremetal:node:update_extra
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and system_scope:all)
- Operations:
PATCH
/nodes/{node_ident}
- Scope Types:
system
project
Update Node extra field
baremetal:node:update_instance_info
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)
- Operations:
PATCH
/nodes/{node_ident}
- Scope Types:
system
project
Update Node instance_info field
baremetal:node:update_owner_provisioned
- Default:
role:admin and system_scope:all
- Operations:
PATCH
/nodes/{node_ident}
- Scope Types:
system
Update Node owner even when Node is provisioned
baremetal:node:delete
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/nodes/{node_ident}
- Scope Types:
system
project
Delete Node records
baremetal:node:delete:self_owned_node
- Default:
role:admin and project_id:%(node.owner)s
- Operations:
DELETE
/nodes/{node_ident}
- Scope Types:
system
project
Delete node records which are associated with the requesting project.
baremetal:node:validate
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)
- Operations:
GET
/nodes/{node_ident}/validate
- Scope Types:
system
project
Request active validation of Nodes
baremetal:node:set_maintenance
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)
- Operations:
PUT
/nodes/{node_ident}/maintenance
- Scope Types:
system
project
Set maintenance flag, taking a Node out of service
baremetal:node:clear_maintenance
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)
- Operations:
DELETE
/nodes/{node_ident}/maintenance
- Scope Types:
system
project
Clear maintenance flag, placing the Node into service again
baremetal:node:get_boot_device
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
GET
/nodes/{node_ident}/management/boot_device
GET
/nodes/{node_ident}/management/boot_device/supported
- Scope Types:
system
project
Retrieve Node boot device metadata
baremetal:node:set_boot_device
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
PUT
/nodes/{node_ident}/management/boot_device
- Scope Types:
system
project
Change Node boot device
baremetal:node:get_indicator_state
- Default:
((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and project_id:%(node.owner)s)
- Operations:
GET
/nodes/{node_ident}/management/indicators/{component}/{indicator}
GET
/nodes/{node_ident}/management/indicators
- Scope Types:
system
project
Retrieve Node indicators and their states
baremetal:node:set_indicator_state
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
PUT
/nodes/{node_ident}/management/indicators/{component}/{indicator}
- Scope Types:
system
project
Change Node indicator state
baremetal:node:inject_nmi
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
PUT
/nodes/{node_ident}/management/inject_nmi
- Scope Types:
system
project
Inject NMI for a node
baremetal:node:get_states
- Default:
((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and project_id:%(node.owner)s)
- Operations:
GET
/nodes/{node_ident}/states
- Scope Types:
system
project
View Node power and provision state
baremetal:node:set_power_state
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and system_scope:all)
- Operations:
PUT
/nodes/{node_ident}/states/power
- Scope Types:
system
project
Change Node power status
baremetal:node:set_boot_mode
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and system_scope:all)
- Operations:
PUT
/nodes/{node_ident}/states/boot_mode
- Scope Types:
system
project
Change Node boot mode
baremetal:node:set_secure_boot
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and system_scope:all)
- Operations:
PUT
/nodes/{node_ident}/states/secure_boot
- Scope Types:
system
project
Change Node secure boot state
baremetal:node:set_provision_state
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)
- Operations:
PUT
/nodes/{node_ident}/states/provision
- Scope Types:
system
project
Change Node provision status
baremetal:node:set_provision_state:clean_steps
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)
- Operations:
PUT
/nodes/{node_ident}/states/provision
- Scope Types:
system
project
Allow execution of arbitrary steps on a node
baremetal:node:set_provision_state:service_steps
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)
- Operations:
PUT
/nodes/{node_ident}/states/provision
- Scope Types:
system
project
Allow execution of arbitrary steps on a node
baremetal:node:set_raid_state
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
PUT
/nodes/{node_ident}/states/raid
- Scope Types:
system
project
Change Node RAID status
baremetal:node:get_console
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
GET
/nodes/{node_ident}/states/console
- Scope Types:
system
project
Get Node console connection information
baremetal:node:set_console_state
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
PUT
/nodes/{node_ident}/states/console
- Scope Types:
system
project
Change Node console status
baremetal:node:vif:list
- Default:
((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and project_id:%(node.owner)s)
- Operations:
GET
/nodes/{node_ident}/vifs
- Scope Types:
system
project
List VIFs attached to node
baremetal:node:vif:attach
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)
- Operations:
POST
/nodes/{node_ident}/vifs
- Scope Types:
system
project
Attach a VIF to a node
baremetal:node:vif:detach
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)
- Operations:
DELETE
/nodes/{node_ident}/vifs/{node_vif_ident}
- Scope Types:
system
project
Detach a VIF from a node
baremetal:node:traits:list
- Default:
((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and project_id:%(node.owner)s)
- Operations:
GET
/nodes/{node_ident}/traits
- Scope Types:
system
project
List node traits
baremetal:node:traits:set
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
PUT
/nodes/{node_ident}/traits
PUT
/nodes/{node_ident}/traits/{trait}
- Scope Types:
system
project
Add a trait to, or replace all traits of, a node
baremetal:node:traits:delete
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
DELETE
/nodes/{node_ident}/traits
DELETE
/nodes/{node_ident}/traits/{trait}
- Scope Types:
system
project
Remove one or all traits from a node
baremetal:node:bios:get
- Default:
((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and project_id:%(node.owner)s)
- Operations:
GET
/nodes/{node_ident}/bios
GET
/nodes/{node_ident}/bios/{setting}
- Scope Types:
system
project
Retrieve Node BIOS information
baremetal:node:disable_cleaning
- Default:
role:admin and system_scope:all
- Operations:
PATCH
/nodes/{node_ident}
- Scope Types:
system
Disable Node disk cleaning
baremetal:node:history:get
- Default:
((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:reader and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
GET
/nodes/{node_ident}/history
GET
/nodes/{node_ident}/history/{event_ident}
- Scope Types:
system
project
Filter to allow operators to retrieve history records for a node.
baremetal:node:inventory:get
- Default:
((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:reader and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
GET
/nodes/{node_ident}/inventory
- Scope Types:
system
project
Retrieve introspection data for a node.
baremetal:node:update:shard
- Default:
role:admin and system_scope:all
- Operations:
PATCH
/nodes/{node_ident}
- Scope Types:
system
project
Governs if node shard field can be updated via the API clients.
baremetal:shards:get
- Default:
(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role
- Operations:
GET
/shards
- Scope Types:
system
project
Governs if shards can be read via the API clients.
baremetal:node:update:parent_node
- Default:
(role:member and system_scope:all) or rule:service_role
- Operations:
PATCH
/nodes/{node_ident}
- Scope Types:
system
project
Governs if node parent_node field can be updated via the API clients.
baremetal:node:firmware:get
- Default:
((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and project_id:%(node.owner)s)
- Operations:
GET
/nodes/{node_ident}/firmware
- Scope Types:
system
project
Retrieve Node Firmware components information
baremetal:node:vmedia:attach
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and system_scope:all)
- Operations:
POST
/nodes/{node_ident}/vmedia
- Scope Types:
system
project
Attach a virtual media device to a node
baremetal:node:vmedia:detach
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:member and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and system_scope:all)
- Operations:
DELETE
/nodes/{node_ident}/vmedia
- Scope Types:
system
project
Detach a virtual media device from a node
baremetal:node:vmedia:get
- Default:
((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and project_id:%(node.owner)s)
- Operations:
GET
/nodes/{node_ident}/vmedia
- Scope Types:
system
project
Get virtual media device details from a node
baremetal:port:get
- Default:
((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and project_id:%(node.owner)s)
- Operations:
GET
/ports/{port_id}
GET
/nodes/{node_ident}/ports
GET
/nodes/{node_ident}/ports/detail
GET
/portgroups/{portgroup_ident}/ports
GET
/portgroups/{portgroup_ident}/ports/detail
- Scope Types:
system
project
Retrieve Port records
baremetal:port:list
- Default:
(role:reader) or (role:service)
- Operations:
GET
/ports
GET
/ports/detail
- Scope Types:
system
project
Retrieve multiple Port records, filtered by owner
baremetal:port:list_all
- Default:
(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role
- Operations:
GET
/ports
GET
/ports/detail
- Scope Types:
system
project
Retrieve multiple Port records
baremetal:port:create
- Default:
(role:admin and system_scope:all) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
POST
/ports
- Scope Types:
system
project
Create Port records
baremetal:port:delete
- Default:
(role:admin and system_scope:all) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
DELETE
/ports/{port_id}
- Scope Types:
system
project
Delete Port records
baremetal:port:update
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
PATCH
/ports/{port_id}
- Scope Types:
system
project
Update Port records
baremetal:portgroup:get
- Default:
((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and project_id:%(node.owner)s)
- Operations:
GET
/portgroups
GET
/portgroups/detail
GET
/portgroups/{portgroup_ident}
GET
/nodes/{node_ident}/portgroups
GET
/nodes/{node_ident}/portgroups/detail
- Scope Types:
system
project
Retrieve Portgroup records
baremetal:portgroup:create
- Default:
(role:admin and system_scope:all) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
POST
/portgroups
- Scope Types:
system
project
Create Portgroup records
baremetal:portgroup:delete
- Default:
(role:admin and system_scope:all) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
DELETE
/portgroups/{portgroup_ident}
- Scope Types:
system
project
Delete Portgroup records
baremetal:portgroup:update
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:service and project_id:%(node.owner)s)
- Operations:
PATCH
/portgroups/{portgroup_ident}
- Scope Types:
system
project
Update Portgroup records
baremetal:portgroup:list
- Default:
(role:reader) or (role:service)
- Operations:
GET
/portgroups
GET
/portgroups/detail
- Scope Types:
system
project
Retrieve multiple Port records, filtered by owner
baremetal:portgroup:list_all
- Default:
(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role
- Operations:
GET
/portgroups
GET
/portgroups/detail
- Scope Types:
system
project
Retrieve multiple Port records
baremetal:chassis:get
- Default:
(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role
- Operations:
GET
/chassis
GET
/chassis/detail
GET
/chassis/{chassis_id}
- Scope Types:
system
Retrieve Chassis records
baremetal:chassis:create
- Default:
role:admin and system_scope:all
- Operations:
POST
/chassis
- Scope Types:
system
Create Chassis records
baremetal:chassis:delete
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/chassis/{chassis_id}
- Scope Types:
system
Delete Chassis records
baremetal:chassis:update
- Default:
(role:member and system_scope:all) or rule:service_role
- Operations:
PATCH
/chassis/{chassis_id}
- Scope Types:
system
Update Chassis records
baremetal:driver:get
- Default:
(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role
- Operations:
GET
/drivers
GET
/drivers/{driver_name}
- Scope Types:
system
View list of available drivers
baremetal:driver:get_properties
- Default:
(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role
- Operations:
GET
/drivers/{driver_name}/properties
- Scope Types:
system
View driver-specific properties
baremetal:driver:get_raid_logical_disk_properties
- Default:
(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role
- Operations:
GET
/drivers/{driver_name}/raid/logical_disk_properties
- Scope Types:
system
View driver-specific RAID metadata
baremetal:node:vendor_passthru
- Default:
role:admin and system_scope:all
- Operations:
GET
nodes/{node_ident}/vendor_passthru/methods
GET
nodes/{node_ident}/vendor_passthru?method={method_name}
PUT
nodes/{node_ident}/vendor_passthru?method={method_name}
POST
nodes/{node_ident}/vendor_passthru?method={method_name}
PATCH
nodes/{node_ident}/vendor_passthru?method={method_name}
DELETE
nodes/{node_ident}/vendor_passthru?method={method_name}
- Scope Types:
system
project
Access vendor-specific Node functions
baremetal:driver:vendor_passthru
- Default:
role:admin and system_scope:all
- Operations:
GET
drivers/{driver_name}/vendor_passthru/methods
GET
drivers/{driver_name}/vendor_passthru?method={method_name}
PUT
drivers/{driver_name}/vendor_passthru?method={method_name}
POST
drivers/{driver_name}/vendor_passthru?method={method_name}
PATCH
drivers/{driver_name}/vendor_passthru?method={method_name}
DELETE
drivers/{driver_name}/vendor_passthru?method={method_name}
- Scope Types:
system
Access vendor-specific Driver functions
baremetal:node:ipa_heartbeat
- Default:
<empty string>
- Operations:
POST
/heartbeat/{node_ident}
Receive heartbeats from IPA ramdisk
baremetal:driver:ipa_lookup
- Default:
<empty string>
- Operations:
GET
/lookup
Access IPA ramdisk functions
baremetal:driver:ipa_continue_inspection
- Default:
<empty string>
- Operations:
POST
/continue_inspection
Receive inspection data from the ramdisk
baremetal:volume:list_all
- Default:
(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role
- Operations:
GET
/volume/connectors
GET
/volume/targets
GET
/nodes/{node_ident}/volume/connectors
GET
/nodes/{node_ident}/volume/targets
- Scope Types:
system
project
Retrieve a list of all Volume connector and target records
baremetal:volume:list
- Default:
(role:reader) or (role:service)
- Operations:
GET
/volume/connectors
GET
/volume/targets
GET
/nodes/{node_ident}/volume/connectors
GET
/nodes/{node_ident}/volume/targets
- Scope Types:
system
project
Retrieve a list of Volume connector and target records
baremetal:volume:get
- Default:
((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and (project_id:%(node.owner)s or project_id:%(node.lessee)s)) or (role:service and project_id:%(node.owner)s)
- Operations:
GET
/volume
GET
/volume/connectors
GET
/volume/connectors/{volume_connector_id}
GET
/volume/targets
GET
/volume/targets/{volume_target_id}
GET
/nodes/{node_ident}/volume
GET
/nodes/{node_ident}/volume/connectors
GET
/nodes/{node_ident}/volume/targets
- Scope Types:
system
project
Retrieve Volume connector and target records
baremetal:volume:create
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)
- Operations:
POST
/volume/connectors
POST
/volume/targets
- Scope Types:
system
project
Create Volume connector and target records
baremetal:volume:delete
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:admin and project_id:%(node.owner)s) or (role:manager and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)
- Operations:
DELETE
/volume/connectors/{volume_connector_id}
DELETE
/volume/targets/{volume_target_id}
- Scope Types:
system
project
Delete Volume connector and target records
baremetal:volume:update
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:service and system_scope:all) or (role:member and project_id:%(node.owner)s) or (role:admin and project_id:%(node.lessee)s) or (role:manager and project_id:%(node.lessee)s) or (role:service and project_id:%(node.owner)s)
- Operations:
PATCH
/volume/connectors/{volume_connector_id}
PATCH
/volume/targets/{volume_target_id}
- Scope Types:
system
project
Update Volume connector and target records
baremetal:volume:view_target_properties
- Default:
((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:admin)
- Operations:
GET
/volume/connectors/{volume_connector_id}
GET
/volume/targets/{volume_target_id}
- Scope Types:
system
project
Ability to view volume target properties
baremetal:conductor:get
- Default:
(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role
- Operations:
GET
/conductors
GET
/conductors/{hostname}
- Scope Types:
system
project
Retrieve Conductor records
baremetal:allocation:get
- Default:
((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and project_id:%(allocation.owner)s)
- Operations:
GET
/allocations/{allocation_id}
GET
/nodes/{node_ident}/allocation
- Scope Types:
system
project
Retrieve Allocation records
baremetal:allocation:list
- Default:
(role:reader) or (role:service)
- Operations:
GET
/allocations
- Scope Types:
system
project
Retrieve multiple Allocation records, filtered by owner
baremetal:allocation:list_all
- Default:
(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role
- Operations:
GET
/allocations
- Scope Types:
system
project
Retrieve multiple Allocation records
baremetal:allocation:create
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:member)
- Operations:
POST
/allocations
- Scope Types:
system
project
Create Allocation records
baremetal:allocation:create_restricted
- Default:
(role:member and system_scope:all) or rule:service_role
- Operations:
POST
/allocations
- Scope Types:
system
project
Create Allocation records with a specific owner.
baremetal:allocation:delete
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:member and project_id:%(allocation.owner)s)
- Operations:
DELETE
/allocations/{allocation_id}
DELETE
/nodes/{node_ident}/allocation
- Scope Types:
system
project
Delete Allocation records
baremetal:allocation:update
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:member and project_id:%(allocation.owner)s)
- Operations:
PATCH
/allocations/{allocation_id}
- Scope Types:
system
project
Change name and extra fields of an allocation
baremetal:allocation:create_pre_rbac
- Default:
(rule:is_member and role:baremetal_admin) or (is_admin_project:True and role:admin)
- Operations:
PATCH
/allocations/{allocation_id}
- Scope Types:
project
Logical restrictor to prevent legacy allocation rule missuse - Requires blank allocations to originate from the legacy baremetal_admin.
baremetal:events:post
- Default:
role:admin and system_scope:all
- Operations:
POST
/events
- Scope Types:
system
Post events
baremetal:deploy_template:get
- Default:
(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role
- Operations:
GET
/deploy_templates
GET
/deploy_templates/{deploy_template_ident}
- Scope Types:
system
project
Retrieve Deploy Template records
baremetal:deploy_template:create
- Default:
role:admin and system_scope:all
- Operations:
POST
/deploy_templates
- Scope Types:
system
project
Create Deploy Template records
baremetal:deploy_template:delete
- Default:
role:admin and system_scope:all
- Operations:
DELETE
/deploy_templates/{deploy_template_ident}
- Scope Types:
system
project
Delete Deploy Template records
baremetal:deploy_template:update
- Default:
role:admin and system_scope:all
- Operations:
PATCH
/deploy_templates/{deploy_template_ident}
- Scope Types:
system
project
Update Deploy Template records
baremetal:runbook:get
- Default:
((role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role) or (role:reader and project_id:%(runbook.owner)s) or role:service
- Operations:
GET
/runbooks/{runbook_ident}
- Scope Types:
system
project
Retrieve a single runbook record
baremetal:runbook:list
- Default:
(role:reader) or (role:service)
- Operations:
GET
/runbooks
- Scope Types:
system
project
Retrieve multiple runbook records, filtered by an explicit owner or the client project_id
baremetal:runbook:list_all
- Default:
(role:reader and system_scope:all) or (role:service and system_scope:all) or rule:service_role
- Operations:
GET
/runbooks
- Scope Types:
system
project
Retrieve all runbook records
baremetal:runbook:create
- Default:
((role:member and system_scope:all) or rule:service_role) or role:manager or role:service
- Operations:
POST
/runbooks
- Scope Types:
system
project
Create Runbook records
baremetal:runbook:delete
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:manager and project_id:%(runbook.owner)s) or role:service
- Operations:
DELETE
/runbooks/{runbook_ident}
- Scope Types:
system
project
Delete a runbook record
baremetal:runbook:update
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:manager and project_id:%(runbook.owner)s) or role:service
- Operations:
PATCH
/runbooks/{runbook_ident}
- Scope Types:
system
project
Update a runbook record
baremetal:runbook:update:public
- Default:
(role:member and system_scope:all) or rule:service_role
- Operations:
PATCH
/runbooks/{runbook_ident}/public
- Scope Types:
system
project
Set and unset a runbook as public
baremetal:runbook:update:owner
- Default:
(role:member and system_scope:all) or rule:service_role
- Operations:
PATCH
/runbooks/{runbook_ident}/owner
- Scope Types:
system
project
Set and unset the owner of a runbook
baremetal:runbook:use
- Default:
((role:member and system_scope:all) or rule:service_role) or (role:manager and project_id:%(runbook.owner)s) or role:service
- Operations:
PUT
/nodes/{node_ident}/states/provision
- Scope Types:
system
project
Allowed to use a runbook for node operations