Policy configuration

Configuration

Warning

JSON formatted policy file is deprecated since Magnum 12.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

The following is an overview of all available policies in Magnum. For a sample configuration file, refer to policy.yaml.

magnum

context_is_admin
Default

role:admin

(no description provided)

admin_or_owner
Default

is_admin:True or project_id:%(project_id)s

(no description provided)

admin_api
Default

rule:context_is_admin

(no description provided)

admin_or_user
Default

is_admin:True or user_id:%(user_id)s

(no description provided)

cluster_user
Default

user_id:%(trustee_user_id)s

(no description provided)

deny_cluster_user
Default

not domain_id:%(trustee_domain_id)s

(no description provided)

bay:create
Default

rule:deny_cluster_user

Operations
  • POST /v1/bays

Create a new bay.

bay:delete
Default

rule:deny_cluster_user

Operations
  • DELETE /v1/bays/{bay_ident}

Delete a bay.

bay:detail
Default

rule:deny_cluster_user

Operations
  • GET /v1/bays

Retrieve a list of bays with detail.

bay:get
Default

rule:deny_cluster_user

Operations
  • GET /v1/bays/{bay_ident}

Retrieve information about the given bay.

bay:get_all
Default

rule:deny_cluster_user

Operations
  • GET /v1/bays/

Retrieve a list of bays.

bay:update
Default

rule:deny_cluster_user

Operations
  • PATCH /v1/bays/{bay_ident}

Update an existing bay.

baymodel:create
Default

rule:deny_cluster_user

Operations
  • POST /v1/baymodels

Create a new baymodel.

baymodel:delete
Default

rule:deny_cluster_user

Operations
  • DELETE /v1/baymodels/{baymodel_ident}

Delete a baymodel.

baymodel:detail
Default

rule:deny_cluster_user

Operations
  • GET /v1/baymodels

Retrieve a list of baymodel with detail.

baymodel:get
Default

rule:deny_cluster_user

Operations
  • GET /v1/baymodels/{baymodel_ident}

Retrieve information about the given baymodel.

baymodel:get_all
Default

rule:deny_cluster_user

Operations
  • GET /v1/baymodels

Retrieve a list of baymodel.

baymodel:update
Default

rule:deny_cluster_user

Operations
  • PATCH /v1/baymodels/{baymodel_ident}

Update an existing baymodel.

baymodel:publish
Default

rule:admin_api

Operations
  • POST /v1/baymodels

  • PATCH /v1/baymodels

Publish an existing baymodel.

certificate:create
Default

rule:admin_or_user or rule:cluster_user

Operations
  • POST /v1/certificates

Sign a new certificate by the CA.

certificate:get
Default

rule:admin_or_user or rule:cluster_user

Operations
  • GET /v1/certificates/{bay_uuid/cluster_uuid}

Retrieve CA information about the given bay/cluster.

certificate:rotate_ca
Default

rule:admin_or_owner

Operations
  • PATCH /v1/certificates/{bay_uuid/cluster_uuid}

Rotate the CA certificate on the given bay/cluster.

cluster:create
Default

rule:deny_cluster_user

Operations
  • POST /v1/clusters

Create a new cluster.

cluster:delete
Default

rule:deny_cluster_user

Operations
  • DELETE /v1/clusters/{cluster_ident}

Delete a cluster.

cluster:delete_all_projects
Default

rule:admin_api

Operations
  • DELETE /v1/clusters/{cluster_ident}

Delete a cluster from any project.

cluster:detail
Default

rule:deny_cluster_user

Operations
  • GET /v1/clusters

Retrieve a list of clusters with detail.

cluster:detail_all_projects
Default

rule:admin_api

Operations
  • GET /v1/clusters

Retrieve a list of clusters with detail across projects.

cluster:get
Default

rule:deny_cluster_user

Operations
  • GET /v1/clusters/{cluster_ident}

Retrieve information about the given cluster.

cluster:get_one_all_projects
Default

rule:admin_api

Operations
  • GET /v1/clusters/{cluster_ident}

Retrieve information about the given cluster across projects.

cluster:get_all
Default

rule:deny_cluster_user

Operations
  • GET /v1/clusters/

Retrieve a list of clusters.

cluster:get_all_all_projects
Default

rule:admin_api

Operations
  • GET /v1/clusters/

Retrieve a list of all clusters across projects.

cluster:update
Default

rule:deny_cluster_user

Operations
  • PATCH /v1/clusters/{cluster_ident}

Update an existing cluster.

cluster:update_health_status
Default

rule:admin_or_user or rule:cluster_user

Operations
  • PATCH /v1/clusters/{cluster_ident}

Update the health status of an existing cluster.

cluster:update_all_projects
Default

rule:admin_api

Operations
  • PATCH /v1/clusters/{cluster_ident}

Update an existing cluster.

cluster:resize
Default

rule:deny_cluster_user

Operations
  • POST /v1/clusters/{cluster_ident}/actions/resize

Resize an existing cluster.

cluster:upgrade
Default

rule:deny_cluster_user

Operations
  • POST /v1/clusters/{cluster_ident}/actions/upgrade

Upgrade an existing cluster.

cluster:upgrade_all_projects
Default

rule:admin_api

Operations
  • POST /v1/clusters/{cluster_ident}/actions/upgrade

Upgrade an existing cluster across all projects.

clustertemplate:create
Default

rule:deny_cluster_user

Operations
  • POST /v1/clustertemplates

Create a new cluster template.

clustertemplate:delete
Default

rule:deny_cluster_user

Operations
  • DELETE /v1/clustertemplate/{clustertemplate_ident}

Delete a cluster template.

clustertemplate:delete_all_projects
Default

rule:admin_api

Operations
  • DELETE /v1/clustertemplate/{clustertemplate_ident}

Delete a cluster template from any project.

clustertemplate:detail_all_projects
Default

rule:admin_api

Operations
  • GET /v1/clustertemplates

Retrieve a list of cluster templates with detail across projects.

clustertemplate:detail
Default

rule:deny_cluster_user

Operations
  • GET /v1/clustertemplates

Retrieve a list of cluster templates with detail.

clustertemplate:get
Default

rule:deny_cluster_user

Operations
  • GET /v1/clustertemplate/{clustertemplate_ident}

Retrieve information about the given cluster template.

clustertemplate:get_one_all_projects
Default

rule:admin_api

Operations
  • GET /v1/clustertemplate/{clustertemplate_ident}

Retrieve information about the given cluster template across project.

clustertemplate:get_all
Default

rule:deny_cluster_user

Operations
  • GET /v1/clustertemplates

Retrieve a list of cluster templates.

clustertemplate:get_all_all_projects
Default

rule:admin_api

Operations
  • GET /v1/clustertemplates

Retrieve a list of cluster templates across projects.

clustertemplate:update
Default

rule:deny_cluster_user

Operations
  • PATCH /v1/clustertemplate/{clustertemplate_ident}

Update an existing cluster template.

clustertemplate:update_all_projects
Default

rule:admin_api

Operations
  • PATCH /v1/clustertemplate/{clustertemplate_ident}

Update an existing cluster template.

clustertemplate:publish
Default

rule:admin_api

Operations
  • POST /v1/clustertemplates

  • PATCH /v1/clustertemplates

Publish an existing cluster template.

federation:create
Default

rule:deny_cluster_user

Operations
  • POST /v1/federations

Create a new federation.

federation:delete
Default

rule:deny_cluster_user

Operations
  • DELETE /v1/federations/{federation_ident}

Delete a federation.

federation:detail
Default

rule:deny_cluster_user

Operations
  • GET /v1/federations

Retrieve a list of federations with detail.

federation:get
Default

rule:deny_cluster_user

Operations
  • GET /v1/federations/{federation_ident}

Retrieve information about the given federation.

federation:get_all
Default

rule:deny_cluster_user

Operations
  • GET /v1/federations/

Retrieve a list of federations.

federation:update
Default

rule:deny_cluster_user

Operations
  • PATCH /v1/federations/{federation_ident}

Update an existing federation.

magnum-service:get_all
Default

rule:admin_api

Operations
  • GET /v1/mservices

Retrieve a list of magnum-services.

quota:create
Default

rule:admin_api

Operations
  • POST /v1/quotas

Create quota.

quota:delete
Default

rule:admin_api

Operations
  • DELETE /v1/quotas/{project_id}/{resource}

Delete quota for a given project_id and resource.

quota:get
Default

rule:admin_or_owner

Operations
  • GET /v1/quotas/{project_id}/{resource}

Retrieve Quota information for the given project_id.

quota:get_all
Default

rule:admin_api

Operations
  • GET /v1/quotas

Retrieve a list of quotas.

quota:update
Default

rule:admin_api

Operations
  • PATCH /v1/quotas/{project_id}/{resource}

Update quota for a given project_id.

stats:get_all
Default

rule:admin_or_owner

Operations
  • GET /v1/stats

Retrieve magnum stats.

nodegroup:get
Default

rule:admin_or_owner

Operations
  • GET /v1/clusters/{cluster_id}/nodegroup/{nodegroup}

Retrieve information about the given nodegroup.

nodegroup:get_all
Default

rule:admin_or_owner

Operations
  • GET /v1/clusters/{cluster_id}/nodegroups/

Retrieve a list of nodegroups that belong to a cluster.

nodegroup:get_all_all_projects
Default

rule:admin_api

Operations
  • GET /v1/clusters/{cluster_id}/nodegroups/

Retrieve a list of nodegroups across projects.

nodegroup:get_one_all_projects
Default

rule:admin_api

Operations
  • GET /v1/clusters/{cluster_id}/nodegroups/{nodegroup}

Retrieve infornation for a given nodegroup.

nodegroup:create
Default

rule:admin_or_owner

Operations
  • POST /v1/clusters/{cluster_id}/nodegroups/

Create a new nodegroup.

nodegroup:delete
Default

rule:admin_or_owner

Operations
  • DELETE /v1/clusters/{cluster_id}/nodegroups/{nodegroup}

Delete a nodegroup.

nodegroup:update
Default

rule:admin_or_owner

Operations
  • PATCH /v1/clusters/{cluster_id}/nodegroups/{nodegroup}

Update an existing nodegroup.