Manila Sample Policy

The following is a sample Manila policy file that has been auto-generated from default policy values in code. If you’re using the default policies, then the maintenance of this file is not necessary. It is here to help explain which policy operations protect specific Manila API, but it is not suggested to copy and paste into a deployment unless you’re planning on providing a different policy for an operation that is not the default. For instance, if you want to change the default value of “share:create”, you only need to keep this single rule in your policy config file (/etc/manila/policy.json).

#
#"context_is_admin": "role:admin"

#
#"admin_or_owner": "is_admin:True or project_id:%(project_id)s"

#
#"default": "rule:admin_or_owner"

#
#"admin_api": "is_admin:True"

# Get all storage availability zones.
# GET  /os-availability-zone
# GET  /availability-zone
#"availability_zone:index": "rule:default"

# Get information regarding backends (and storage pools) known to the
# scheduler.
# GET  /scheduler-stats/pools
# GET  /scheduler-stats/pools?{query}
#"scheduler_stats:pools:index": "rule:admin_api"

# Get detailed information regarding backends (and storage pools)
# known to the scheduler.
# GET  /scheduler-stats/pools/detail?{query}
# GET  /scheduler-stats/pools/detail
#"scheduler_stats:pools:detail": "rule:admin_api"

# Create share.
# POST  /shares
#"share:create": ""

# Create shares visible across all projects in the cloud. This option
# will default to rule:admin_api in the 9.0.0 (Train) release of the
# OpenStack Shared File Systems (manila) service.
# POST  /shares
#"share:create_public_share": "rule:admin_api"

# DEPRECATED "share:create_public_share":"rule:default" has been
# deprecated since S in favor of
# "share:create_public_share":"rule:admin_api". Public shares must be
# accessible across the cloud, irrespective of project namespaces. To
# avoid unintended consequences, rule:admin_api serves as a better
# default for this policy.
# Get share.
# GET  /shares/{share_id}
#"share:get": "rule:default"

# List shares.
# GET  /shares
# GET  /shares/detail
#"share:get_all": "rule:default"

# Update share.
# PUT  /shares
#"share:update": "rule:default"

# Update shares to be visible across all projects in the cloud. This
# option will default to rule:admin_api in the 9.0.0 (Train) release
# of the OpenStack Shared File Systems (manila) service.
# PUT  /shares
#"share:set_public_share": "rule:admin_api"

# DEPRECATED "share:set_public_share":"rule:default" has been
# deprecated since S in favor of
# "share:set_public_share":"rule:admin_api". Public shares must be
# accessible across the cloud, irrespective of project namespaces. To
# avoid unintended consequences, rule:admin_api serves as a better
# default for this policy.
# Delete share.
# DELETE  /shares/{share_id}
#"share:delete": "rule:default"

# Force Delete a share.
# DELETE  /shares/{share_id}
#"share:force_delete": "rule:admin_api"

# Manage share.
# POST  /shares/manage
#"share:manage": "rule:admin_api"

# Unmanage share.
# POST  /shares/unmanage
#"share:unmanage": "rule:admin_api"

# Create share snapshot.
# POST  /snapshots
#"share:create_snapshot": "rule:default"

# List share by host.
# GET  /shares
# GET  /shares/detail
#"share:list_by_host": "rule:admin_api"

# List share by server id.
# GET  /shares
# GET  /shares/detail
#"share:list_by_share_server_id": "rule:admin_api"

# Get share access rule, it under deny access operation.
# POST  /shares/{share_id}/action
#"share:access_get": "rule:default"

# List share access rules.
# GET  /shares/{share_id}/action
#"share:access_get_all": "rule:default"

# Extend share.
# POST  /shares/{share_id}/action
#"share:extend": "rule:default"

# Shrink share.
# POST  /shares/{share_id}/action
#"share:shrink": "rule:default"

# Migrate a share to the specified host.
# POST  /shares/{share_id}/action
#"share:migration_start": "rule:admin_api"

# Invokes 2nd phase of share migration.
# POST  /shares/{share_id}/action
#"share:migration_complete": "rule:admin_api"

# Attempts to cancel share migration.
# POST  /shares/{share_id}/action
#"share:migration_cancel": "rule:admin_api"

# Retrieve share migration progress for a given share.
# POST  /shares/{share_id}/action
#"share:migration_get_progress": "rule:admin_api"

# Reset task state.
# POST  /shares/{share_id}/action
#"share:reset_task_state": "rule:admin_api"

# Reset status.
# POST  /shares/{share_id}/action
#"share:reset_status": "rule:admin_api"

# Revert a share to a snapshot.
# POST  /shares/{share_id}/action
#"share:revert_to_snapshot": "rule:default"

# Add share access rule.
# POST  /shares/{share_id}/action
#"share:allow_access": "rule:default"

# Remove share access rule.
# POST  /shares/{share_id}/action
#"share:deny_access": "rule:default"

# Delete share snapshot.
# DELETE  /snapshots/{snapshot_id}
#"share:delete_snapshot": "rule:default"

# Update share snapshot.
# PUT  /snapshots/{snapshot_id}/action
#"share:snapshot_update": "rule:default"

# Update share metadata.
# PUT  /shares/{share_id}/metadata
#"share:update_share_metadata": "rule:default"

# Delete share metadata.
# DELETE  /shares/{share_id}/metadata/{key}
#"share:delete_share_metadata": "rule:default"

# Get share metadata.
# GET  /shares/{share_id}/metadata
#"share:get_share_metadata": "rule:default"

# Return data about the requested export location.
# POST  /share_instances/{share_instance_id}/export_locations
#"share_instance_export_location:index": "rule:admin_api"

# Return data about the requested export location.
# GET  /share_instances/{share_instance_id}/export_locations/{export_location_id}
#"share_instance_export_location:show": "rule:admin_api"

# Create share type.
# POST  /types
#"share_type:create": "rule:admin_api"

# Update share type.
# PUT  /types/{share_type_id}
#"share_type:update": "rule:admin_api"

# Get share type.
# GET  /types/{share_type_id}
#"share_type:show": "rule:default"

# List share types.
# GET  /types
# GET  /types?is_public=all
#"share_type:index": "rule:default"

# Get default share type.
# GET  /types/default
#"share_type:default": "rule:default"

# Delete share type.
# DELETE  /types/{share_type_id}
#"share_type:delete": "rule:admin_api"

# List share type project access.
# GET  /types/{share_type_id}
#"share_type:list_project_access": "rule:admin_api"

# Add share type to project.
# POST  /types/{share_type_id}/action
#"share_type:add_project_access": "rule:admin_api"

# Remove share type from project.
# POST  /types/{share_type_id}/action
#"share_type:remove_project_access": "rule:admin_api"

# Create share type extra spec.
# POST  /types/{share_type_id}/extra_specs
#"share_types_extra_spec:create": "rule:admin_api"

# Get share type extra specs of a given share type.
# GET  /types/{share_type_id}/extra_specs
#"share_types_extra_spec:show": "rule:admin_api"

# Get details of a share type extra spec.
# GET  /types/{share_type_id}/extra_specs/{extra_spec_id}
#"share_types_extra_spec:index": "rule:admin_api"

# Update share type extra spec.
# PUT  /types/{share_type_id}/extra_specs
#"share_types_extra_spec:update": "rule:admin_api"

# Delete share type extra spec.
# DELETE  /types/{share_type_id}/extra_specs/{key}
#"share_types_extra_spec:delete": "rule:admin_api"

# Get share snapshot.
# GET  /snapshots/{snapshot_id}
#"share_snapshot:get_snapshot": "rule:default"

# Get all share snapshots.
# GET  /snapshots
# GET  /snapshots/detail
# GET  /snapshots?{query}
# GET  /snapshots/detail?{query}
#"share_snapshot:get_all_snapshots": "rule:default"

# Force Delete a share snapshot.
# DELETE  /snapshots/{snapshot_id}
#"share_snapshot:force_delete": "rule:admin_api"

# Manage share snapshot.
# POST  /snapshots/manage
#"share_snapshot:manage_snapshot": "rule:admin_api"

# Unmanage share snapshot.
# POST  /snapshots/{snapshot_id}/action
#"share_snapshot:unmanage_snapshot": "rule:admin_api"

# Reset status.
# POST  /snapshots/{snapshot_id}/action
#"share_snapshot:reset_status": "rule:admin_api"

# List access rules of a share snapshot.
# GET  /snapshots/{snapshot_id}/access-list
#"share_snapshot:access_list": "rule:default"

# Allow access to a share snapshot.
# POST  /snapshots/{snapshot_id}/action
#"share_snapshot:allow_access": "rule:default"

# Deny access to a share snapshot.
# POST  /snapshots/{snapshot_id}/action
#"share_snapshot:deny_access": "rule:default"

# List export locations of a share snapshot.
# GET  /snapshots/{snapshot_id}/export-locations/
#"share_snapshot_export_location:index": "rule:default"

# Get details of a specified export location of a share snapshot.
# GET  /snapshots/{snapshot_id}/export-locations/{export_location_id}
#"share_snapshot_export_location:show": "rule:default"

# Get share snapshot instance.
# GET  /snapshot-instances/{snapshot_instance_id}
#"share_snapshot_instance:show": "rule:admin_api"

# Get all share snapshot instances.
# GET  /snapshot-instances
# GET  /snapshot-instances?{query}
#"share_snapshot_instance:index": "rule:admin_api"

# Get details of share snapshot instances.
# GET  /snapshot-instances/detail
# GET  /snapshot-instances/detail?{query}
#"share_snapshot_instance:detail": "rule:admin_api"

# Reset share snapshot instance's status.
# POST  /snapshot-instances/{snapshot_instance_id}/action
#"share_snapshot_instance:reset_status": "rule:admin_api"

# List export locations of a share snapshot instance.
# GET  /snapshot-instances/{snapshot_instance_id}/export-locations
#"share_snapshot_instance_export_location:index": "rule:admin_api"

# Show details of a specified export location of a share snapshot
# instance.
# GET  /snapshot-instances/{snapshot_instance_id}/export-locations/{export_location_id}
#"share_snapshot_instance_export_location:show": "rule:admin_api"

# Get share servers.
# GET  /share-servers
# GET  /share-servers?{query}
#"share_server:index": "rule:admin_api"

# Show share server.
# GET  /share-servers/{server_id}
#"share_server:show": "rule:admin_api"

# Get share server details.
# GET  /share-servers/{server_id}/details
#"share_server:details": "rule:admin_api"

# Delete share server.
# DELETE  /share-servers/{server_id}
#"share_server:delete": "rule:admin_api"

# Manage share server.
# POST  /share-servers/manage
#"share_server:manage_share_server": "rule:admin_api"

# Unmanage share server.
# POST  /share-servers/{share_server_id}/action
#"share_server:unmanage_share_server": "rule:admin_api"

# Reset the status of a share server.
# POST  /share-servers/{share_server_id}/action
#"share_server:reset_status": "rule:admin_api"

# Return a list of all running services.
# GET  /os-services
# GET  /os-services?{query}
# GET  /services
# GET  /services?{query}
#"service:index": "rule:admin_api"

# Enable/Disable scheduling for a service.
# PUT  /os-services/disable
# PUT  /os-services/enable
# PUT  /services/disable
# PUT  /services/enable
#"service:update": "rule:admin_api"

# Update the quotas for a project/user and/or share type.
# PUT  /quota-sets/{tenant_id}
# PUT  /quota-sets/{tenant_id}?user_id={user_id}
# PUT  /quota-sets/{tenant_id}?share_type={share_type_id}
# PUT  /os-quota-sets/{tenant_id}
# PUT  /os-quota-sets/{tenant_id}?user_id={user_id}
#"quota_set:update": "rule:admin_api"

# List the quotas for a tenant/user.
# GET  /quota-sets/{tenant_id}/defaults
# GET  /os-quota-sets/{tenant_id}/defaults
#"quota_set:show": "rule:default"

# Delete quota for a tenant/user or tenant/share-type. The quota will
# revert back to default (Admin only).
# DELETE  /quota-sets/{tenant_id}
# DELETE  /quota-sets/{tenant_id}?user_id={user_id}
# DELETE  /quota-sets/{tenant_id}?share_type={share_type_id}
# DELETE  /os-quota-sets/{tenant_id}
# DELETE  /os-quota-sets/{tenant_id}?user_id={user_id}
#"quota_set:delete": "rule:admin_api"

# Update quota class.
# PUT  /quota-class-sets/{class_name}
# PUT  /os-quota-class-sets/{class_name}
#"quota_class_set:update": "rule:admin_api"

# Get quota class.
# GET  /quota-class-sets/{class_name}
# GET  /os-quota-class-sets/{class_name}
#"quota_class_set:show": "rule:default"

# Create share group type specs.
# POST  /share-group-types/{share_group_type_id}/group-specs
#"share_group_types_spec:create": "rule:admin_api"

# Get share group type specs.
# GET  /share-group-types/{share_group_type_id}/group-specs
#"share_group_types_spec:index": "rule:admin_api"

# Get details of a share group type spec.
# GET  /share-group-types/{share_group_type_id}/group-specs/{key}
#"share_group_types_spec:show": "rule:admin_api"

# Update a share group type spec.
# PUT  /share-group-types/{share_group_type_id}/group-specs/{key}
#"share_group_types_spec:update": "rule:admin_api"

# Delete a share group type spec.
# DELETE  /share-group-types/{share_group_type_id}/group-specs/{key}
#"share_group_types_spec:delete": "rule:admin_api"

# Create a new share group type.
# POST  /share-group-types
#"share_group_type:create": "rule:admin_api"

# Get the list of share group types.
# GET  /share-group-types
# GET  /share-group-types?is_public=all
#"share_group_type:index": "rule:default"

# Get details regarding the specified share group type.
# GET  /share-group-types/{share_group_type_id}
#"share_group_type:show": "rule:default"

# Get the default share group type.
# GET  /share-group-types/default
#"share_group_type:default": "rule:default"

# Delete an existing group type.
# DELETE  /share-group-types/{share_group_type_id}
#"share_group_type:delete": "rule:admin_api"

# Get project access by share group type.
# POST  /share-group-types/{share_group_type_id}/access
#"share_group_type:list_project_access": "rule:admin_api"

# Allow project to use the share group type.
# POST  /share-group-types/{share_group_type_id}/action
#"share_group_type:add_project_access": "rule:admin_api"

# Deny project access to use the share group type.
# POST  /share-group-types/{share_group_type_id}/action
#"share_group_type:remove_project_access": "rule:admin_api"

# Create a new share group snapshot.
# POST  /share-group-snapshots
#"share_group_snapshot:create": "rule:default"

# Get details of a share group snapshot.
# GET  /share-group-snapshots/{share_group_snapshot_id}
#"share_group_snapshot:get": "rule:default"

# Get all share group snapshots.
# GET  /share-group-snapshots
# GET  /share-group-snapshots/detail
# GET  /share-group-snapshots/{query}
# GET  /share-group-snapshots/detail?{query}
#"share_group_snapshot:get_all": "rule:default"

# Update a share group snapshot.
# PUT  /share-group-snapshots/{share_group_snapshot_id}
#"share_group_snapshot:update": "rule:default"

# Delete a share group snapshot.
# DELETE  /share-group-snapshots/{share_group_snapshot_id}
#"share_group_snapshot:delete": "rule:default"

# Force delete a share group snapshot.
# POST  /share-group-snapshots/{share_group_snapshot_id}/action
#"share_group_snapshot:force_delete": "rule:admin_api"

# Reset a share group snapshot's status.
# POST  /share-group-snapshots/{share_group_snapshot_id}/action
#"share_group_snapshot:reset_status": "rule:admin_api"

# Create share group.
# POST  /share-groups
#"share_group:create": "rule:default"

# Get details of a share group.
# GET  /share-groups/{share_group_id}
#"share_group:get": "rule:default"

# Get all share groups.
# GET  /share-groups
# GET  /share-groups/detail
# GET  /share-groups?{query}
# GET  /share-groups/detail?{query}
#"share_group:get_all": "rule:default"

# Update share group.
# PUT  /share-groups/{share_group_id}
#"share_group:update": "rule:default"

# Delete share group.
# DELETE  /share-groups/{share_group_id}
#"share_group:delete": "rule:default"

# Force delete a share group.
# POST  /share-groups/{share_group_id}/action
#"share_group:force_delete": "rule:admin_api"

# Reset share group's status.
# POST  /share-groups/{share_group_id}/action
#"share_group:reset_status": "rule:admin_api"

# Create share replica.
# POST  /share-replicas
#"share_replica:create": "rule:default"

# Get all share replicas.
# GET  /share-replicas
# GET  /share-replicas/detail
# GET  /share-replicas/detail?share_id={share_id}
#"share_replica:get_all": "rule:default"

# Get details of a share replica.
# GET  /share-replicas/{share_replica_id}
#"share_replica:show": "rule:default"

# Delete a share replica.
# DELETE  /share-replicas/{share_replica_id}
#"share_replica:delete": "rule:default"

# Force delete a share replica.
# POST  /share-replicas/{share_replica_id}/action
#"share_replica:force_delete": "rule:admin_api"

# Promote a non-active share replica to active.
# POST  /share-replicas/{share_replica_id}/action
#"share_replica:promote": "rule:default"

# Resync a share replica that is out of sync.
# POST  /share-replicas/{share_replica_id}/action
#"share_replica:resync": "rule:admin_api"

# Reset share replica's replica_state attribute.
# POST  /share-replicas/{share_replica_id}/action
#"share_replica:reset_replica_state": "rule:admin_api"

# Reset share replica's status.
# POST  /share-replicas/{share_replica_id}/action
#"share_replica:reset_status": "rule:admin_api"

# Get all export locations of a given share replica.
# GET  /share-replicas/{share_replica_id}/export-locations
#"share_replica_export_location:index": "rule:default"

# Get details about the requested share replica export location.
# GET  /share-replicas/{share_replica_id}/export-locations/{export_location_id}
#"share_replica_export_location:show": "rule:default"

# Create share network.
# POST  /share-networks
#"share_network:create": "rule:default"

# Get details of a share network.
# GET  /share-networks/{share_network_id}
#"share_network:show": "rule:default"

# Get all share networks.
# GET  /share-networks
# GET  /share-networks?{query}
#"share_network:index": "rule:default"

# Get details of share networks .
# GET  /share-networks/detail?{query}
# GET  /share-networks/detail
#"share_network:detail": "rule:default"

# Update a share network.
# PUT  /share-networks/{share_network_id}
#"share_network:update": "rule:default"

# Delete a share network.
# DELETE  /share-networks/{share_network_id}
#"share_network:delete": "rule:default"

# Add security service to share network.
# POST  /share-networks/{share_network_id}/action
#"share_network:add_security_service": "rule:default"

# Remove security service from share network.
# POST  /share-networks/{share_network_id}/action
#"share_network:remove_security_service": "rule:default"

# Get share networks belonging to all projects.
# GET  /share-networks?all_tenants=1
# GET  /share-networks/detail?all_tenants=1
#"share_network:get_all_share_networks": "rule:admin_api"

# Create a new share network subnet.
# POST  /share-networks/{share_network_id}/subnets
#"share_network_subnet:create": "rule:default"

# Delete a share network subnet.
# DELETE  /share-networks/{share_network_id}/subnets/{share_network_subnet_id}
#"share_network_subnet:delete": "rule:default"

# Shows a share network subnet.
# GET  /share-networks/{share_network_id}/subnets/{share_network_subnet_id}
#"share_network_subnet:show": "rule:default"

# Get all share network subnets.
# GET  /share-networks/{share_network_id}/subnets
#"share_network_subnet:index": "rule:default"

# Create security service.
# POST  /security-services
#"security_service:create": "rule:default"

# Get details of a security service.
# GET  /security-services/{security_service_id}
#"security_service:show": "rule:default"

# Get details of all security services.
# GET  /security-services/detail?{query}
# GET  /security-services/detail
#"security_service:detail": "rule:default"

# Get all security services.
# GET  /security-services
# GET  /security-services?{query}
#"security_service:index": "rule:default"

# Update a security service.
# PUT  /security-services/{security_service_id}
#"security_service:update": "rule:default"

# Delete a security service.
# DELETE  /security-services/{security_service_id}
#"security_service:delete": "rule:default"

# Get security services of all projects.
# GET  /security-services?all_tenants=1
# GET  /security-services/detail?all_tenants=1
#"security_service:get_all_security_services": "rule:admin_api"

# Get all export locations of a given share.
# GET  /shares/{share_id}/export_locations
#"share_export_location:index": "rule:default"

# Get details about the requested export location.
# GET  /shares/{share_id}/export_locations/{export_location_id}
#"share_export_location:show": "rule:default"

# Get all share instances.
# GET  /share_instances
# GET  /share_instances?{query}
#"share_instance:index": "rule:admin_api"

# Get details of a share instance.
# GET  /share_instances/{share_instance_id}
#"share_instance:show": "rule:admin_api"

# Force delete a share instance.
# POST  /share_instances/{share_instance_id}/action
#"share_instance:force_delete": "rule:admin_api"

# Reset share instance's status.
# POST  /share_instances/{share_instance_id}/action
#"share_instance:reset_status": "rule:admin_api"

# Get details of a given message.
# GET  /messages/{message_id}
#"message:get": "rule:default"

# Get all messages.
# GET  /messages
# GET  /messages?{query}
#"message:get_all": "rule:default"

# Delete a message.
# DELETE  /messages/{message_id}
#"message:delete": "rule:default"

# Get details of a share access rule.
# GET  /share-access-rules/{share_access_id}
#"share_access_rule:get": "rule:default"

# List access rules of a given share.
# GET  /share-access-rules?share_id={share_id}&key1=value1&key2=value2
#"share_access_rule:index": "rule:default"

# Set metadata for a share access rule.
# PUT  /share-access-rules/{share_access_id}/metadata
#"share_access_metadata:update": "rule:default"

# Delete metadata for a share access rule.
# DELETE  /share-access-rules/{share_access_id}/metadata/{key}
#"share_access_metadata:delete": "rule:default"