Policy configuration¶

Configuration¶

Warning

JSON formatted policy file is deprecated since Magnum 12.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

The following is an overview of all available policies in Magnum. For a sample configuration file, refer to policy.yaml.

magnum¶

context_is_admin

Default:: role:admin

(no description provided)

admin_or_owner

Default:: is_admin:True or project_id:%(project_id)s

(no description provided)

admin_or_user

Default:: is_admin:True or user_id:%(user_id)s

(no description provided)

is_user

Default:: user_id:%(user_id)s

(no description provided)

cluster_user

Default:: user_id:%(trustee_user_id)s

(no description provided)

deny_cluster_user

Default:: not domain_id:%(trustee_domain_id)s

(no description provided)

project_member

Default:: role:member and project_id:%(project_id)s

(no description provided)

project_reader

Default:: role:reader and project_id:%(project_id)s

(no description provided)

admin_or_project_reader

Default:: (rule:context_is_admin) or (rule:project_reader)

(no description provided)

admin_or_project_member

Default:: (rule:context_is_admin) or (rule:project_member)

(no description provided)

admin_or_project_member_user

Default:: (rule:context_is_admin) or ((rule:project_member) and (rule:is_user))

(no description provided)

user_or_cluster_user

Default:: ((rule:is_user) or (rule:cluster_user))

(no description provided)

admin_or_user_or_cluster_user

Default:: ((rule:context_is_admin) or (rule:user_or_cluster_user))

(no description provided)

admin_or_project_member_cluster_user

Default:: (rule:context_is_admin) or ((rule:project_member) and (rule:cluster_user))

(no description provided)

admin_or_project_member_user_or_cluster_user

Default:: (rule:context_is_admin) or ((rule:project_member) and (rule:user_or_cluster_user))

(no description provided)

project_member_deny_cluster_user

Default:: ((rule:project_member) and (rule:deny_cluster_user))

(no description provided)

admin_or_project_member_deny_cluster_user

Default:: (rule:context_is_admin) or (rule:project_member_deny_cluster_user)

(no description provided)

project_reader_deny_cluster_user

Default:: ((rule:project_reader) and (rule:deny_cluster_user))

(no description provided)

admin_or_project_reader_deny_cluster_user

Default:: (rule:context_is_admin) or (rule:project_reader_deny_cluster_user)

(no description provided)

admin_or_project_reader_user

Default:: (rule:context_is_admin) or ((rule:project_reader) and (rule:is_user))

(no description provided)

certificate:create

Default:

rule:admin_or_project_member_user

Operations:

POST /v1/certificates

Scope Types:

project

Sign a new certificate by the CA.

certificate:get

Default:

rule:admin_or_project_reader_user

Operations:

GET /v1/certificates/{cluster_uuid}

Scope Types:

project

Retrieve CA information about the given cluster.

certificate:rotate_ca

Default:

rule:admin_or_project_member

Operations:

PATCH /v1/certificates/{cluster_uuid}

Scope Types:

project

Rotate the CA certificate on the given cluster.

cluster:create

Default:

rule:admin_or_project_member_deny_cluster_user

Operations:

POST /v1/clusters

Scope Types:

project

Create a new cluster.

cluster:delete

Default:

rule:admin_or_project_member_deny_cluster_user

Operations:

DELETE /v1/clusters/{cluster_ident}

Scope Types:

project

Delete a cluster.

cluster:delete_all_projects

Default:

rule:context_is_admin

Operations:

DELETE /v1/clusters/{cluster_ident}

Delete a cluster from any project.

cluster:detail

Default:

rule:admin_or_project_reader_deny_cluster_user

Operations:

GET /v1/clusters

Scope Types:

project

Retrieve a list of clusters with detail.

cluster:detail_all_projects

Default:

rule:context_is_admin

Operations:

GET /v1/clusters

Retrieve a list of clusters with detail across projects.

cluster:get

Default:

rule:admin_or_project_reader_deny_cluster_user

Operations:

GET /v1/clusters/{cluster_ident}

Scope Types:

project

Retrieve information about the given cluster.

cluster:get_one_all_projects

Default:

rule:context_is_admin

Operations:

GET /v1/clusters/{cluster_ident}

Retrieve information about the given cluster across projects.

cluster:get_all

Default:

rule:admin_or_project_reader_deny_cluster_user

Operations:

GET /v1/clusters/

Scope Types:

project

Retrieve a list of clusters.

cluster:get_all_all_projects

Default:

rule:context_is_admin

Operations:

GET /v1/clusters/

Retrieve a list of all clusters across projects.

cluster:update

Default:

rule:admin_or_project_member_deny_cluster_user

Operations:

PATCH /v1/clusters/{cluster_ident}

Scope Types:

project

Update an existing cluster.

cluster:update_health_status

Default:

rule:admin_or_project_member_user_or_cluster_user

Operations:

PATCH /v1/clusters/{cluster_ident}

Scope Types:

project

Update the health status of an existing cluster.

cluster:update_all_projects

Default:

rule:context_is_admin

Operations:

PATCH /v1/clusters/{cluster_ident}

Update an existing cluster.

cluster:resize

Default:

rule:admin_or_project_member_deny_cluster_user

Operations:

POST /v1/clusters/{cluster_ident}/actions/resize

Scope Types:

project

Resize an existing cluster.

cluster:upgrade

Default:

rule:admin_or_project_member_deny_cluster_user

Operations:

POST /v1/clusters/{cluster_ident}/actions/upgrade

Scope Types:

project

Upgrade an existing cluster.

cluster:upgrade_all_projects

Default:

rule:context_is_admin

Operations:

POST /v1/clusters/{cluster_ident}/actions/upgrade

Upgrade an existing cluster across all projects.

clustertemplate:create

Default:

rule:admin_or_project_member_deny_cluster_user

Operations:

POST /v1/clustertemplates

Scope Types:

project

Create a new cluster template.

clustertemplate:delete

Default:

rule:admin_or_project_member

Operations:

DELETE /v1/clustertemplate/{clustertemplate_ident}

Scope Types:

project

Delete a cluster template.

clustertemplate:delete_all_projects

Default:

rule:context_is_admin

Operations:

DELETE /v1/clustertemplate/{clustertemplate_ident}

Delete a cluster template from any project.

clustertemplate:detail_all_projects

Default:

rule:context_is_admin

Operations:

GET /v1/clustertemplates

Retrieve a list of cluster templates with detail across projects.

clustertemplate:detail

Default:

rule:admin_or_project_reader_deny_cluster_user

Operations:

GET /v1/clustertemplates

Scope Types:

project

Retrieve a list of cluster templates with detail.

clustertemplate:get

Default:

rule:admin_or_project_reader_deny_cluster_user

Operations:

GET /v1/clustertemplate/{clustertemplate_ident}

Scope Types:

project

Retrieve information about the given cluster template.

clustertemplate:get_one_all_projects

Default:

rule:context_is_admin

Operations:

GET /v1/clustertemplate/{clustertemplate_ident}

Retrieve information about the given cluster template across project.

clustertemplate:get_all

Default:

rule:admin_or_project_reader_deny_cluster_user

Operations:

GET /v1/clustertemplates

Scope Types:

project

Retrieve a list of cluster templates.

clustertemplate:get_all_all_projects

Default:

rule:context_is_admin

Operations:

GET /v1/clustertemplates

Retrieve a list of cluster templates across projects.

clustertemplate:update

Default:

rule:admin_or_project_member

Operations:

PATCH /v1/clustertemplate/{clustertemplate_ident}

Scope Types:

project

Update an existing cluster template.

clustertemplate:update_all_projects

Default:

rule:context_is_admin

Operations:

PATCH /v1/clustertemplate/{clustertemplate_ident}

Update an existing cluster template.

clustertemplate:publish

Default:

rule:context_is_admin

Operations:

POST /v1/clustertemplates
PATCH /v1/clustertemplates

Publish an existing cluster template.

credential:rotate

Default:

rule:project_member_deny_cluster_user

Operations:

PATCH /v1/credentials/{cluster_uuid}

Scope Types:

project

Rotate the credential of a cluster.

federation:create

Default:

rule:admin_or_project_member_deny_cluster_user

Operations:

POST /v1/federations

Scope Types:

project

Create a new federation.

federation:delete

Default:

rule:admin_or_project_member_deny_cluster_user

Operations:

DELETE /v1/federations/{federation_ident}

Scope Types:

project

Delete a federation.

federation:detail

Default:

rule:admin_or_project_reader_deny_cluster_user

Operations:

GET /v1/federations

Scope Types:

project

Retrieve a list of federations with detail.

federation:get

Default:

rule:admin_or_project_reader_deny_cluster_user

Operations:

GET /v1/federations/{federation_ident}

Scope Types:

project

Retrieve information about the given federation.

federation:get_all

Default:

rule:admin_or_project_reader_deny_cluster_user

Operations:

GET /v1/federations/

Scope Types:

project

Retrieve a list of federations.

federation:update

Default:

rule:admin_or_project_member_deny_cluster_user

Operations:

PATCH /v1/federations/{federation_ident}

Scope Types:

project

Update an existing federation.

magnum-service:get_all

Default:

rule:context_is_admin

Operations:

GET /v1/mservices

Retrieve a list of magnum-services.

quota:create

Default:

rule:context_is_admin

Operations:

POST /v1/quotas

Create quota.

quota:delete

Default:

rule:context_is_admin

Operations:

DELETE /v1/quotas/{project_id}/{resource}

Delete quota for a given project_id and resource.

quota:get

Default:

rule:admin_or_project_reader

Operations:

GET /v1/quotas/{project_id}/{resource}

Scope Types:

project

Retrieve Quota information for the given project_id.

quota:get_all

Default:

rule:context_is_admin

Operations:

GET /v1/quotas

Retrieve a list of quotas.

quota:update

Default:

rule:context_is_admin

Operations:

PATCH /v1/quotas/{project_id}/{resource}

Update quota for a given project_id.

stats:get_all

Default:

rule:admin_or_project_reader

Operations:

GET /v1/stats

Scope Types:

project

Retrieve magnum stats.

nodegroup:get

Default:

rule:admin_or_project_reader

Operations:

GET /v1/clusters/{cluster_id}/nodegroup/{nodegroup}

Scope Types:

project

Retrieve information about the given nodegroup.

nodegroup:get_all

Default:

rule:admin_or_project_reader

Operations:

GET /v1/clusters/{cluster_id}/nodegroups/

Scope Types:

project

Retrieve a list of nodegroups that belong to a cluster.

nodegroup:get_all_all_projects

Default:

rule:context_is_admin

Operations:

GET /v1/clusters/{cluster_id}/nodegroups/

Retrieve a list of nodegroups across projects.

nodegroup:get_one_all_projects

Default:

rule:context_is_admin

Operations:

GET /v1/clusters/{cluster_id}/nodegroups/{nodegroup}

Retrieve infornation for a given nodegroup.

nodegroup:create

Default:

rule:admin_or_project_member

Operations:

POST /v1/clusters/{cluster_id}/nodegroups/

Scope Types:

project

Create a new nodegroup.

nodegroup:delete

Default:

rule:admin_or_project_member

Operations:

DELETE /v1/clusters/{cluster_id}/nodegroups/{nodegroup}

Scope Types:

project

Delete a nodegroup.

nodegroup:update

Default:

rule:admin_or_project_member

Operations:

PATCH /v1/clusters/{cluster_id}/nodegroups/{nodegroup}

Scope Types:

project

Update an existing nodegroup.

Policy configuration

Policy configuration¶

Configuration¶

magnum¶

magnum 21.0.1.dev3

Page Contents