Policies

Policies

The following is an overview of all available policies in Ironic. For a sample configuration file, refer to Ironic Policy.

ironic.api

admin_api
Default:role:admin or role:administrator

Legacy rule for cloud admin access

public_api
Default:is_public_api:True

Internal flag for public API routes

show_password
Default:!

Show or mask secrets within node driver information in API responses

show_instance_secrets
Default:!

Show or mask secrets within instance information in API responses

is_member
Default:(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)

May be used to restrict access to specific projects

is_observer
Default:rule:is_member and (role:observer or role:baremetal_observer)

Read-only API access

is_admin
Default:rule:admin_api or (rule:is_member and role:baremetal_admin)

Full read/write API access

baremetal:node:create
Default:

rule:is_admin

Operations:
  • POST /nodes

Create Node records

baremetal:node:get
Default:

rule:is_admin or rule:is_observer

Operations:
  • GET /nodes
  • GET /nodes/detail
  • GET /nodes/{node_ident}

Retrieve Node records

baremetal:node:update
Default:

rule:is_admin

Operations:
  • PATCH /nodes/{node_ident}

Update Node records

baremetal:node:delete
Default:

rule:is_admin

Operations:
  • DELETE /nodes/{node_ident}

Delete Node records

baremetal:node:validate
Default:

rule:is_admin

Operations:
  • GET /nodes/{node_ident}/validate

Request active validation of Nodes

baremetal:node:set_maintenance
Default:

rule:is_admin

Operations:
  • PUT /nodes/{node_ident}/maintenance

Set maintenance flag, taking a Node out of service

baremetal:node:clear_maintenance
Default:

rule:is_admin

Operations:
  • DELETE /nodes/{node_ident}/maintenance

Clear maintenance flag, placing the Node into service again

baremetal:node:get_boot_device
Default:

rule:is_admin or rule:is_observer

Operations:
  • GET /nodes/{node_ident}/management/boot_device
  • GET /nodes/{node_ident}/management/boot_device/supported

Retrieve Node boot device metadata

baremetal:node:set_boot_device
Default:

rule:is_admin

Operations:
  • PUT /nodes/{node_ident}/management/boot_device

Change Node boot device

baremetal:node:inject_nmi
Default:

rule:is_admin

Operations:
  • PUT /nodes/{node_ident}/management/inject_nmi

Inject NMI for a node

baremetal:node:get_states
Default:

rule:is_admin or rule:is_observer

Operations:
  • GET /nodes/{node_ident}/states

View Node power and provision state

baremetal:node:set_power_state
Default:

rule:is_admin

Operations:
  • PUT /nodes/{node_ident}/states/power

Change Node power status

baremetal:node:set_provision_state
Default:

rule:is_admin

Operations:
  • PUT /nodes/{node_ident}/states/provision

Change Node provision status

baremetal:node:set_raid_state
Default:

rule:is_admin

Operations:
  • PUT /nodes/{node_ident}/states/raid

Change Node RAID status

baremetal:node:get_console
Default:

rule:is_admin

Operations:
  • GET /nodes/{node_ident}/states/console

Get Node console connection information

baremetal:node:set_console_state
Default:

rule:is_admin

Operations:
  • PUT /nodes/{node_ident}/states/console

Change Node console status

baremetal:node:vif:list
Default:

rule:is_admin

Operations:
  • GET /nodes/{node_ident}/vifs

List VIFs attached to node

baremetal:node:vif:attach
Default:

rule:is_admin

Operations:
  • POST /nodes/{node_ident}/vifs

Attach a VIF to a node

baremetal:node:vif:detach
Default:

rule:is_admin

Operations:
  • DELETE /nodes/{node_ident}/vifs/{node_vif_ident}

Detach a VIF from a node

baremetal:port:get
Default:

rule:is_admin or rule:is_observer

Operations:
  • GET /ports
  • GET /ports/detail
  • GET /ports/{port_id}
  • GET /nodes/{node_ident}/ports
  • GET /nodes/{node_ident}/ports/detail
  • GET /portgroups/{portgroup_ident}/ports
  • GET /portgroups/{portgroup_ident}/ports/detail

Retrieve Port records

baremetal:port:create
Default:

rule:is_admin

Operations:
  • POST /ports

Create Port records

baremetal:port:delete
Default:

rule:is_admin

Operations:
  • DELETE /ports/{port_id}

Delete Port records

baremetal:port:update
Default:

rule:is_admin

Operations:
  • PATCH /ports/{port_id}

Update Port records

baremetal:portgroup:get
Default:

rule:is_admin or rule:is_observer

Operations:
  • GET /portgroups
  • GET /portgroups/detail
  • GET /portgroups/{portgroup_ident}
  • GET /nodes/{node_ident}/portgroups
  • GET /nodes/{node_ident}/portgroups/detail

Retrieve Portgroup records

baremetal:portgroup:create
Default:

rule:is_admin

Operations:
  • POST /portgroups

Create Portgroup records

baremetal:portgroup:delete
Default:

rule:is_admin

Operations:
  • DELETE /portgroups/{portgroup_ident}

Delete Portgroup records

baremetal:portgroup:update
Default:

rule:is_admin

Operations:
  • PATCH /portgroups/{portgroup_ident}

Update Portgroup records

baremetal:chassis:get
Default:

rule:is_admin or rule:is_observer

Operations:
  • GET /chassis
  • GET /chassis/detail
  • GET /chassis/{chassis_id}

Retrieve Chassis records

baremetal:chassis:create
Default:

rule:is_admin

Operations:
  • POST /chassis

Create Chassis records

baremetal:chassis:delete
Default:

rule:is_admin

Operations:
  • DELETE /chassis/{chassis_id}

Delete Chassis records

baremetal:chassis:update
Default:

rule:is_admin

Operations:
  • PATCH /chassis/{chassis_id}

Update Chassis records

baremetal:driver:get
Default:

rule:is_admin or rule:is_observer

Operations:
  • GET /drivers
  • GET /drivers/{driver_name}

View list of available drivers

baremetal:driver:get_properties
Default:

rule:is_admin or rule:is_observer

Operations:
  • GET /drivers/{driver_name}/properties

View driver-specific properties

baremetal:driver:get_raid_logical_disk_properties
Default:

rule:is_admin or rule:is_observer

Operations:
  • GET /drivers/{driver_name}/raid/logical_disk_properties

View driver-specific RAID metadata

baremetal:node:vendor_passthru
Default:

rule:is_admin

Operations:
  • GET nodes/{node_ident}/vendor_passthru/methods
  • GET nodes/{node_ident}/vendor_passthru?method={method_name}
  • PUT nodes/{node_ident}/vendor_passthru?method={method_name}
  • POST nodes/{node_ident}/vendor_passthru?method={method_name}
  • PATCH nodes/{node_ident}/vendor_passthru?method={method_name}
  • DELETE nodes/{node_ident}/vendor_passthru?method={method_name}

Access vendor-specific Node functions

baremetal:driver:vendor_passthru
Default:

rule:is_admin

Operations:
  • GET drivers/{driver_name}/vendor_passthru/methods
  • GET drivers/{driver_name}/vendor_passthru?method={method_name}
  • PUT drivers/{driver_name}/vendor_passthru?method={method_name}
  • POST drivers/{driver_name}/vendor_passthru?method={method_name}
  • PATCH drivers/{driver_name}/vendor_passthru?method={method_name}
  • DELETE drivers/{driver_name}/vendor_passthru?method={method_name}

Access vendor-specific Driver functions

baremetal:node:ipa_heartbeat
Default:

rule:public_api

Operations:
  • POST /heartbeat/{node_ident}

Send heartbeats from IPA ramdisk

baremetal:driver:ipa_lookup
Default:

rule:public_api

Operations:
  • GET /lookup

Access IPA ramdisk functions

baremetal:volume:get
Default:

rule:is_admin or rule:is_observer

Operations:
  • GET /volume
  • GET /volume/connectors
  • GET /volume/connectors/{volume_connector_id}
  • GET /volume/targets
  • GET /volume/targets/{volume_target_id}
  • GET /nodes/{node_ident}/volume
  • GET /nodes/{node_ident}/volume/connectors
  • GET /nodes/{node_ident}/volume/targets

Retrieve Volume connector and target records

baremetal:volume:create
Default:

rule:is_admin

Operations:
  • POST /volume/connectors
  • POST /volume/targets

Create Volume connector and target records

baremetal:volume:delete
Default:

rule:is_admin

Operations:
  • DELETE /volume/connectors/{volume_connector_id}
  • DELETE /volume/targets/{volume_target_id}

Delete Volume connector and target records

baremetal:volume:update
Default:

rule:is_admin

Operations:
  • PATCH /volume/connectors/{volume_connector_id}
  • PATCH /volume/targets/{volume_target_id}

Update Volume connector and target records

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.