policy.yaml

Warning

JSON formatted policy file is deprecated since Magnum 12.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

Use the policy.yaml file to define additional access controls that apply to the Container Infrastructure Management service:

"context_is_admin": "role:admin"
"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
"admin_api": "rule:context_is_admin"
"admin_or_user": "is_admin:True or user_id:%(user_id)s"
"cluster_user": "user_id:%(trustee_user_id)s"
"deny_cluster_user": "not domain_id:%(trustee_domain_id)s"
"bay:create": "rule:deny_cluster_user"
"bay:delete": "rule:deny_cluster_user"
"bay:detail": "rule:deny_cluster_user"
"bay:get": "rule:deny_cluster_user"
"bay:get_all": "rule:deny_cluster_user"
"bay:update": "rule:deny_cluster_user"
"baymodel:create": "rule:deny_cluster_user"
"baymodel:delete": "rule:deny_cluster_user"
"baymodel:detail": "rule:deny_cluster_user"
"baymodel:get": "rule:deny_cluster_user"
"baymodel:get_all": "rule:deny_cluster_user"
"baymodel:update": "rule:deny_cluster_user"
"baymodel:publish": "rule:admin_api"
"certificate:create": "rule:admin_or_user or rule:cluster_user"
"certificate:get": "rule:admin_or_user or rule:cluster_user"
"certificate:rotate_ca": "rule:admin_or_owner"
"cluster:create": "rule:deny_cluster_user"
"cluster:delete": "rule:deny_cluster_user"
"cluster:delete_all_projects": "rule:admin_api"
"cluster:detail": "rule:deny_cluster_user"
"cluster:detail_all_projects": "rule:admin_api"
"cluster:get": "rule:deny_cluster_user"
"cluster:get_one_all_projects": "rule:admin_api"
"cluster:get_all": "rule:deny_cluster_user"
"cluster:get_all_all_projects": "rule:admin_api"
"cluster:update": "rule:deny_cluster_user"
"cluster:update_health_status": "rule:admin_or_user or rule:cluster_user"
"cluster:update_all_projects": "rule:admin_api"
"cluster:resize": "rule:deny_cluster_user"
"cluster:upgrade": "rule:deny_cluster_user"
"cluster:upgrade_all_projects": "rule:admin_api"
"clustertemplate:create": "rule:deny_cluster_user"
"clustertemplate:delete": "rule:admin_or_owner"
"clustertemplate:delete_all_projects": "rule:admin_api"
"clustertemplate:detail_all_projects": "rule:admin_api"
"clustertemplate:detail": "rule:deny_cluster_user"
"clustertemplate:get": "rule:deny_cluster_user"
"clustertemplate:get_one_all_projects": "rule:admin_api"
"clustertemplate:get_all": "rule:deny_cluster_user"
"clustertemplate:get_all_all_projects": "rule:admin_api"
"clustertemplate:update": "rule:admin_or_owner"
"clustertemplate:update_all_projects": "rule:admin_api"
"clustertemplate:publish": "rule:admin_api"
"federation:create": "rule:deny_cluster_user"
"federation:delete": "rule:deny_cluster_user"
"federation:detail": "rule:deny_cluster_user"
"federation:get": "rule:deny_cluster_user"
"federation:get_all": "rule:deny_cluster_user"
"federation:update": "rule:deny_cluster_user"
"magnum-service:get_all": "rule:admin_api"
"quota:create": "rule:admin_api"
"quota:delete": "rule:admin_api"
"quota:get": "rule:admin_or_owner"
"quota:get_all": "rule:admin_api"
"quota:update": "rule:admin_api"
"stats:get_all": "rule:admin_or_owner"
"nodegroup:get": "rule:admin_or_owner"
"nodegroup:get_all": "rule:admin_or_owner"
"nodegroup:get_all_all_projects": "rule:admin_api"
"nodegroup:get_one_all_projects": "rule:admin_api"
"nodegroup:create": "rule:admin_or_owner"
"nodegroup:delete": "rule:admin_or_owner"
"nodegroup:update": "rule:admin_or_owner"