Policy Reference
Warning
The JSON-formatted policy file is deprecated since Neutron 18.0.0 (Wallaby). The oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.
Neutron, like most OpenStack projects, uses a policy language to restrict permissions on REST API actions.
The following is an overview of all available policies in neutron.
For a sample policy file, refer to Sample Policy File.
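The rule strings listed below only become meaningful once you work out who they finally admit, and the operator precedence matters: in this syntax `not` binds tightest, then `and`, then `or`, so a rule such as rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared_address_scopes grants access to admins, to readers of the owning project, or to anyone when the scope is shared. The following is an added example, not Neutron's or oslo.policy's own code: a small evaluator for the rule syntax used on this page (rule:, role:, field: with =~ for a regex match, generic key:%(attr)s checks, @ and !, and not/and/or with the precedence above) that lets an operator check a rule's effective permissions offline. It assumes credentials and targets are plain dicts shaped like the ones constructed in the test below, converts only True/False field values (Neutron's real field check converts via the attribute map), and does not model scope types, which the real enforcer takes from the token rather than from the rule string.

```python
# Added example, not Neutron's or oslo.policy's own code: a small evaluator for
# rule strings in the syntax this page uses, to check offline who a rule admits.
import re

# Rule strings copied from this page, keyed by rule name.
RULES = {
    "context_is_admin": "role:admin",
    "service_api": "role:service",
    "admin_only": "rule:context_is_admin",
    "regular_user": "",
    "network_owner": "tenant_id:%(network:tenant_id)s",
    "shared_address_scopes": "field:address_scopes:shared=True",
    "network_device": "field:port:device_owner=~^network:",
    "get_address_scope": ("rule:admin_only or role:reader and "
                          "project_id:%(project_id)s or rule:shared_address_scopes"),
    "create_port:device_owner": (
        "not rule:network_device or (rule:admin_only) or (rule:service_api) or "
        "role:manager and project_id:%(project_id)s or role:member and rule:network_owner"),
}

def tokenize(rule):
    """Split on whitespace; parentheses glued to a check become their own tokens."""
    tokens = []
    for tok in rule.split():
        while tok.startswith("("):
            tokens.append("(")
            tok = tok[1:]
        stripped = tok.rstrip(")")
        if stripped:
            tokens.append(stripped)
        tokens.extend([")"] * (len(tok) - len(stripped)))
    return tokens

def parse(tokens):
    """Recursive descent; precedence is not > and > or, as in oslo.policy."""
    toks = tokens[::-1]  # reversed so pop() yields the next token
    def primary():
        tok = toks.pop() if toks else None
        if tok == "not":
            return ("not", primary())
        if tok == "(":
            node = disjunction()
            if not toks or toks.pop() != ")":
                raise ValueError("unbalanced parentheses")
            return node
        if tok is None or tok in ("and", "or", ")"):
            raise ValueError("unexpected token %r" % (tok,))
        return ("check", tok)
    def conjunction():
        node = primary()
        while toks and toks[-1] == "and":
            toks.pop()
            node = ("and", node, primary())
        return node
    def disjunction():
        node = conjunction()
        while toks and toks[-1] == "or":
            toks.pop()
            node = ("or", node, conjunction())
        return node
    if not tokens:
        return ("true",)  # an empty rule string always passes
    node = disjunction()
    if toks:
        raise ValueError("trailing tokens")
    return node

def check(token, creds, target, rules):
    """Evaluate one atomic check against the caller's credentials and the target."""
    if token in ("@", "!"):
        return token == "@"
    kind, _, value = token.partition(":")
    if kind == "rule":
        return evaluate(parse(tokenize(rules[value])), creds, target, rules)
    if kind == "role":
        return value.lower() in [r.lower() for r in creds.get("roles", [])]
    if kind == "field":
        # field:<resource>:<attr>=<value>; "=~" means a regex match on the attribute
        _resource, _, rest = value.partition(":")
        if "=~" in rest:
            attr, _, pattern = rest.partition("=~")
            return attr in target and re.match(pattern, str(target[attr])) is not None
        attr, _, expected = rest.partition("=")
        expected = {"True": True, "False": False}.get(expected, expected)  # simplification
        return target.get(attr) == expected
    # Generic check: creds[kind] must equal a target attribute (%(name)s) or a literal
    m = re.fullmatch(r"%\(([\w:]+)\)s", value)
    expected = target.get(m.group(1), object()) if m else value  # absent key never matches
    return kind in creds and creds[kind] == expected

def evaluate(node, creds, target, rules):
    op = node[0]
    if op == "true":
        return True
    if op == "check":
        return check(node[1], creds, target, rules)
    sub = [evaluate(n, creds, target, rules) for n in node[1:]]
    return (not sub[0]) if op == "not" else all(sub) if op == "and" else any(sub)

def enforce(rule_name, creds, target, rules=RULES):
    return evaluate(parse(tokenize(rules[rule_name])), creds, target, rules)
```

Calling enforce("get_address_scope", creds, target) with a reader of the owning project returns True, with a reader of another project returns False unless the scope is shared, and with a member (no reader role) of the owning project returns False, which is the consequence of `and` binding tighter than `or`. The same evaluator shows that create_port:device_owner lets any project member set a device_owner that does not start with "network:", while a "network:" prefix needs admin, service, manager, or network-owner rights.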
neutron
context_is_admin
- Default:
role:admin
Rule for cloud admin access
service_api
- Default:
role:service
Default rule for the service-to-service APIs.
owner
- Default:
tenant_id:%(tenant_id)s
Rule for resource owner access
admin_or_owner
- Default:
rule:context_is_admin or rule:owner
Rule for admin or owner access
context_is_advsvc
- Default:
role:advsvc
Rule for advsvc role access
admin_or_network_owner
- Default:
rule:context_is_admin or tenant_id:%(network:tenant_id)s
Rule for admin or network owner access
admin_owner_or_network_owner
- Default:
rule:owner or rule:admin_or_network_owner
Rule for resource owner, admin or network owner access
network_owner
- Default:
tenant_id:%(network:tenant_id)s
Rule for network owner access
admin_only
- Default:
rule:context_is_admin
Rule for admin-only access
regular_user
- Default:
<empty string>
Rule for regular user access
shared
- Default:
field:networks:shared=True
Rule of shared network
default
- Default:
rule:admin_or_owner
Default access rule
admin_or_ext_parent_owner
- Default:
rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s
Rule for common parent owner check
ext_parent_owner
- Default:
tenant_id:%(ext_parent:tenant_id)s
Rule for common parent owner check
sg_owner
- Default:
tenant_id:%(security_group:tenant_id)s
Rule for security group owner access
shared_address_groups
- Default:
field:address_groups:shared=True
Definition of a shared address group
get_address_group
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups
- Operations:
GET
/address-groups
GET
/address-groups/{id}
- Scope Types:
project
Get an address group
shared_address_scopes
- Default:
field:address_scopes:shared=True
Definition of a shared address scope
create_address_scope
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/address-scopes
- Scope Types:
project
Create an address scope
create_address_scope:shared
- Default:
rule:admin_only
- Operations:
POST
/address-scopes
- Scope Types:
project
Create a shared address scope
get_address_scope
- Default:
rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared_address_scopes
- Operations:
GET
/address-scopes
GET
/address-scopes/{id}
- Scope Types:
project
Get an address scope
update_address_scope
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/address-scopes/{id}
- Scope Types:
project
Update an address scope
update_address_scope:shared
- Default:
rule:admin_only
- Operations:
PUT
/address-scopes/{id}
- Scope Types:
project
Update shared attribute of an address scope
delete_address_scope
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/address-scopes/{id}
- Scope Types:
project
Delete an address scope
create_agent
- Default:
rule:admin_only
- Operations:
POST
/agents/{id}
- Scope Types:
project
Create an agent
get_agent
- Default:
rule:admin_only
- Operations:
GET
/agents
GET
/agents/{id}
- Scope Types:
project
Get an agent
update_agent
- Default:
rule:admin_only
- Operations:
PUT
/agents/{id}
- Scope Types:
project
Update an agent
delete_agent
- Default:
rule:admin_only
- Operations:
DELETE
/agents/{id}
- Scope Types:
project
Delete an agent
create_dhcp-network
- Default:
rule:admin_only
- Operations:
POST
/agents/{agent_id}/dhcp-networks
- Scope Types:
project
Add a network to a DHCP agent
get_dhcp-networks
- Default:
rule:admin_only
- Operations:
GET
/agents/{agent_id}/dhcp-networks
- Scope Types:
project
List networks on a DHCP agent
delete_dhcp-network
- Default:
rule:admin_only
- Operations:
DELETE
/agents/{agent_id}/dhcp-networks/{network_id}
- Scope Types:
project
Remove a network from a DHCP agent
create_l3-router
- Default:
rule:admin_only
- Operations:
POST
/agents/{agent_id}/l3-routers
- Scope Types:
project
Add a router to an L3 agent
get_l3-routers
- Default:
rule:admin_only
- Operations:
GET
/agents/{agent_id}/l3-routers
- Scope Types:
project
List routers on an L3 agent
delete_l3-router
- Default:
rule:admin_only
- Operations:
DELETE
/agents/{agent_id}/l3-routers/{router_id}
- Scope Types:
project
Remove a router from an L3 agent
get_dhcp-agents
- Default:
rule:admin_only
- Operations:
GET
/networks/{network_id}/dhcp-agents
- Scope Types:
project
List DHCP agents hosting a network
get_l3-agents
- Default:
rule:admin_only
- Operations:
GET
/routers/{router_id}/l3-agents
- Scope Types:
project
List L3 agents hosting a router
get_auto_allocated_topology
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/auto-allocated-topology/{project_id}
- Scope Types:
project
Get a project’s auto-allocated topology
delete_auto_allocated_topology
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/auto-allocated-topology/{project_id}
- Scope Types:
project
Delete a project’s auto-allocated topology
get_availability_zone
- Default:
role:reader
- Operations:
GET
/availability_zones
- Scope Types:
project
List availability zones
create_default_security_group_rule
- Default:
rule:admin_only
- Operations:
POST
/default-security-group-rules
- Scope Types:
project
Create a template of the security group rule
get_default_security_group_rule
- Default:
role:reader
- Operations:
GET
/default-security-group-rules
GET
/default-security-group-rules/{id}
- Scope Types:
project
Get a template of the security group rule
delete_default_security_group_rule
- Default:
rule:admin_only
- Operations:
DELETE
/default-security-group-rules/{id}
- Scope Types:
project
Delete a template of the security group rule
create_flavor
- Default:
rule:admin_only
- Operations:
POST
/flavors
- Scope Types:
project
Create a flavor
get_flavor
- Default:
role:reader
- Operations:
GET
/flavors
GET
/flavors/{id}
- Scope Types:
project
Get a flavor
update_flavor
- Default:
rule:admin_only
- Operations:
PUT
/flavors/{id}
- Scope Types:
project
Update a flavor
delete_flavor
- Default:
rule:admin_only
- Operations:
DELETE
/flavors/{id}
- Scope Types:
project
Delete a flavor
create_service_profile
- Default:
rule:admin_only
- Operations:
POST
/service_profiles
- Scope Types:
project
Create a service profile
get_service_profile
- Default:
rule:admin_only
- Operations:
GET
/service_profiles
GET
/service_profiles/{id}
- Scope Types:
project
Get a service profile
update_service_profile
- Default:
rule:admin_only
- Operations:
PUT
/service_profiles/{id}
- Scope Types:
project
Update a service profile
delete_service_profile
- Default:
rule:admin_only
- Operations:
DELETE
/service_profiles/{id}
- Scope Types:
project
Delete a service profile
get_flavor_service_profile
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Scope Types:
project
Get a flavor associated with a given service profile. There is no corresponding GET operation in the API currently; this rule is currently referenced only in the DELETE of flavor_service_profile.
create_flavor_service_profile
- Default:
rule:admin_only
- Operations:
POST
/flavors/{flavor_id}/service_profiles
- Scope Types:
project
Associate a flavor with a service profile
delete_flavor_service_profile
- Default:
rule:admin_only
- Operations:
DELETE
/flavors/{flavor_id}/service_profiles/{profile_id}
- Scope Types:
project
Disassociate a flavor from a service profile
create_floatingip
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/floatingips
- Scope Types:
project
Create a floating IP
create_floatingip:floating_ip_address
- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
POST
/floatingips
- Scope Types:
project
Create a floating IP with a specific IP address
create_floatingips_tags
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/floatingips/{id}/tags
- Scope Types:
project
Create the floating IP tags
get_floatingip
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/floatingips
GET
/floatingips/{id}
- Scope Types:
project
Get a floating IP
get_floatingips_tags
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/floatingips/{id}/tags
GET
/floatingips/{id}/tags/{tag_id}
- Scope Types:
project
Get the floating IP tags
update_floatingip
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/floatingips/{id}
- Scope Types:
project
Update a floating IP
update_floatingips_tags
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/floatingips/{id}/tags
PUT
/floatingips/{id}/tags/{tag_id}
- Scope Types:
project
Update the floating IP tags
delete_floatingip
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/floatingips/{id}
- Scope Types:
project
Delete a floating IP
delete_floatingips_tags
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/floatingips/{id}/tags
DELETE
/floatingips/{id}/tags/{tag_id}
- Scope Types:
project
Delete the floating IP tags
get_floatingip_pool
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/floatingip_pools
- Scope Types:
project
Get floating IP pools
create_floatingip_port_forwarding
- Default:
(rule:admin_only) or (role:member and rule:ext_parent_owner)
- Operations:
POST
/floatingips/{floatingip_id}/port_forwardings
- Scope Types:
project
Create a floating IP port forwarding
get_floatingip_port_forwarding
- Default:
(rule:admin_only) or (role:reader and rule:ext_parent_owner)
- Operations:
GET
/floatingips/{floatingip_id}/port_forwardings
GET
/floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
- Scope Types:
project
Get a floating IP port forwarding
update_floatingip_port_forwarding
- Default:
(rule:admin_only) or (role:member and rule:ext_parent_owner)
- Operations:
PUT
/floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
- Scope Types:
project
Update a floating IP port forwarding
delete_floatingip_port_forwarding
- Default:
(rule:admin_only) or (role:member and rule:ext_parent_owner)
- Operations:
DELETE
/floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
- Scope Types:
project
Delete a floating IP port forwarding
create_router_conntrack_helper
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner
- Operations:
POST
/routers/{router_id}/conntrack_helpers
- Scope Types:
project
Create a router conntrack helper
get_router_conntrack_helper
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner
- Operations:
GET
/routers/{router_id}/conntrack_helpers
GET
/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
- Scope Types:
project
Get a router conntrack helper
update_router_conntrack_helper
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner
- Operations:
PUT
/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
- Scope Types:
project
Update a router conntrack helper
delete_router_conntrack_helper
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner
- Operations:
DELETE
/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
- Scope Types:
project
Delete a router conntrack helper
create_local_ip
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/local-ips
- Scope Types:
project
Create a Local IP
get_local_ip
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/local-ips
GET
/local-ips/{id}
- Scope Types:
project
Get a Local IP
update_local_ip
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/local-ips/{id}
- Scope Types:
project
Update a Local IP
delete_local_ip
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/local-ips/{id}
- Scope Types:
project
Delete a Local IP
create_local_ip_port_association
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner
- Operations:
POST
/local_ips/{local_ip_id}/port_associations
- Scope Types:
project
Create a Local IP port association
get_local_ip_port_association
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner
- Operations:
GET
/local_ips/{local_ip_id}/port_associations
GET
/local_ips/{local_ip_id}/port_associations/{fixed_port_id}
- Scope Types:
project
Get a Local IP port association
delete_local_ip_port_association
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner
- Operations:
DELETE
/local_ips/{local_ip_id}/port_associations/{fixed_port_id}
- Scope Types:
project
Delete a Local IP port association
get_loggable_resource
- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
GET
/log/loggable-resources
- Scope Types:
project
Get loggable resources
create_log
- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
POST
/log/logs
- Scope Types:
project
Create a network log
get_log
- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
GET
/log/logs
GET
/log/logs/{id}
- Scope Types:
project
Get a network log
update_log
- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
PUT
/log/logs/{id}
- Scope Types:
project
Update a network log
delete_log
- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
DELETE
/log/logs/{id}
- Scope Types:
project
Delete a network log
create_metering_label
- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
POST
/metering/metering-labels
- Scope Types:
project
Create a metering label
get_metering_label
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/metering/metering-labels
GET
/metering/metering-labels/{id}
- Scope Types:
project
Get a metering label
delete_metering_label
- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
DELETE
/metering/metering-labels/{id}
- Scope Types:
project
Delete a metering label
create_metering_label_rule
- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
POST
/metering/metering-label-rules
- Scope Types:
project
Create a metering label rule
get_metering_label_rule
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/metering/metering-label-rules
GET
/metering/metering-label-rules/{id}
- Scope Types:
project
Get a metering label rule
delete_metering_label_rule
- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
DELETE
/metering/metering-label-rules/{id}
- Scope Types:
project
Delete a metering label rule
create_ndp_proxy
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/ndp_proxies
- Scope Types:
project
Create an NDP proxy
get_ndp_proxy
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/ndp_proxies
GET
/ndp_proxies/{id}
- Scope Types:
project
Get an NDP proxy
update_ndp_proxy
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/ndp_proxies/{id}
- Scope Types:
project
Update an NDP proxy
delete_ndp_proxy
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/ndp_proxies/{id}
- Scope Types:
project
Delete an NDP proxy
external
- Default:
field:networks:router:external=True
Definition of an external network
create_network
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/networks
- Scope Types:
project
Create a network
create_network:shared
- Default:
rule:admin_only
- Operations:
POST
/networks
- Scope Types:
project
Create a shared network
create_network:router:external
- Default:
rule:admin_only
- Operations:
POST
/networks
- Scope Types:
project
Create an external network
create_network:is_default
- Default:
rule:admin_only
- Operations:
POST
/networks
- Scope Types:
project
Specify is_default attribute when creating a network
create_network:port_security_enabled
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/networks
- Scope Types:
project
Specify port_security_enabled attribute when creating a network
create_network:segments
- Default:
rule:admin_only
- Operations:
POST
/networks
- Scope Types:
project
Specify segments attribute when creating a network
create_network:provider:network_type
- Default:
rule:admin_only
- Operations:
POST
/networks
- Scope Types:
project
Specify provider:network_type when creating a network
create_network:provider:physical_network
- Default:
rule:admin_only
- Operations:
POST
/networks
- Scope Types:
project
Specify provider:physical_network when creating a network
create_network:provider:segmentation_id
- Default:
rule:admin_only
- Operations:
POST
/networks
- Scope Types:
project
Specify provider:segmentation_id when creating a network
create_networks_tags
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/networks/{id}/tags
- Scope Types:
project
Create the network tags
get_network
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:service_api or rule:shared or rule:external or rule:context_is_advsvc
- Operations:
GET
/networks
GET
/networks/{id}
- Scope Types:
project
Get a network
get_network:segments
- Default:
rule:admin_only
- Operations:
GET
/networks
GET
/networks/{id}
- Scope Types:
project
Get segments attribute of a network
get_network:provider:network_type
- Default:
rule:admin_only
- Operations:
GET
/networks
GET
/networks/{id}
- Scope Types:
project
Get provider:network_type attribute of a network
get_network:provider:physical_network
- Default:
rule:admin_only
- Operations:
GET
/networks
GET
/networks/{id}
- Scope Types:
project
Get provider:physical_network attribute of a network
get_network:provider:segmentation_id
- Default:
rule:admin_only
- Operations:
GET
/networks
GET
/networks/{id}
- Scope Types:
project
Get provider:segmentation_id attribute of a network
get_networks_tags
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc
- Operations:
GET
/networks/{id}/tags
GET
/networks/{id}/tags/{tag_id}
- Scope Types:
project
Get the network tags
update_network
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/networks/{id}
- Scope Types:
project
Update a network
update_network:segments
- Default:
rule:admin_only
- Operations:
PUT
/networks/{id}
- Scope Types:
project
Update segments attribute of a network
update_network:shared
- Default:
rule:admin_only
- Operations:
PUT
/networks/{id}
- Scope Types:
project
Update shared attribute of a network
update_network:provider:network_type
- Default:
rule:admin_only
- Operations:
PUT
/networks/{id}
- Scope Types:
project
Update provider:network_type attribute of a network
update_network:provider:physical_network
- Default:
rule:admin_only
- Operations:
PUT
/networks/{id}
- Scope Types:
project
Update provider:physical_network attribute of a network
update_network:provider:segmentation_id
- Default:
rule:admin_only
- Operations:
PUT
/networks/{id}
- Scope Types:
project
Update provider:segmentation_id attribute of a network
update_network:router:external
- Default:
rule:admin_only
- Operations:
PUT
/networks/{id}
- Scope Types:
project
Update router:external attribute of a network
update_network:is_default
- Default:
rule:admin_only
- Operations:
PUT
/networks/{id}
- Scope Types:
project
Update is_default attribute of a network
update_network:port_security_enabled
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/networks/{id}
- Scope Types:
project
Update port_security_enabled attribute of a network
update_networks_tags
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/networks/{id}/tags
PUT
/networks/{id}/tags/{tag_id}
- Scope Types:
project
Update the network tags
delete_network
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/networks/{id}
- Scope Types:
project
Delete a network
delete_networks_tags
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/networks/{id}/tags
DELETE
/networks/{id}/tags/{tag_id}
- Scope Types:
project
Delete the network tags
get_network_ip_availability
- Default:
rule:admin_only
- Operations:
GET
/network-ip-availabilities
GET
/network-ip-availabilities/{network_id}
- Scope Types:
project
Get network IP availability
create_network_segment_range
- Default:
rule:admin_only
- Operations:
POST
/network_segment_ranges
- Scope Types:
project
Create a network segment range
create_network_segment_ranges_tags
- Default:
rule:admin_only
- Operations:
POST
/network_segment_ranges/{id}/tags
- Scope Types:
project
Create the network segment range tags
get_network_segment_range
- Default:
rule:admin_only
- Operations:
GET
/network_segment_ranges
GET
/network_segment_ranges/{id}
- Scope Types:
project
Get a network segment range
get_network_segment_ranges_tags
- Default:
rule:admin_only
- Operations:
GET
/network_segment_ranges/{id}/tags
GET
/network_segment_ranges/{id}/tags/{tag_id}
- Scope Types:
project
Get the network segment range tags
update_network_segment_range
- Default:
rule:admin_only
- Operations:
PUT
/network_segment_ranges/{id}
- Scope Types:
project
Update a network segment range
update_network_segment_ranges_tags
- Default:
rule:admin_only
- Operations:
PUT
/network_segment_ranges/{id}/tags
PUT
/network_segment_ranges/{id}/tags/{tag_id}
- Scope Types:
project
Update the network segment range tags
delete_network_segment_range
- Default:
rule:admin_only
- Operations:
DELETE
/network_segment_ranges/{id}
- Scope Types:
project
Delete a network segment range
delete_network_segment_ranges_tags
- Default:
rule:admin_only
- Operations:
DELETE
/network_segment_ranges/{id}/tags
DELETE
/network_segment_ranges/{id}/tags/{tag_id}
- Scope Types:
project
Delete the network segment range tags
get_port_binding
- Default:
(rule:admin_only) or (rule:service_api)
- Operations:
GET
/ports/{port_id}/bindings/
- Scope Types:
project
Get port binding information
create_port_binding
- Default:
rule:service_api
- Operations:
POST
/ports/{port_id}/bindings/
- Scope Types:
project
Create port binding on the host
delete_port_binding
- Default:
rule:service_api
- Operations:
DELETE
/ports/{port_id}/bindings/
- Scope Types:
project
Delete port binding on the host
activate
- Default:
rule:service_api
- Operations:
PUT
/ports/{port_id}/bindings/{host}
- Scope Types:
project
Activate port binding on the host
network_device
- Default:
field:port:device_owner=~^network:
Definition of port with network device_owner
admin_or_data_plane_int
- Default:
rule:context_is_admin or role:data_plane_integrator
Rule for data plane integration
create_port
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api
- Operations:
POST
/ports
- Scope Types:
project
Create a port
create_port:device_owner
- Default:
not rule:network_device or (rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner
- Operations:
POST
/ports
- Scope Types:
project
Specify device_owner attribute when creating a port
create_port:mac_address
- Default:
(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner
- Operations:
POST
/ports
- Scope Types:
project
Specify mac_address attribute when creating a port
create_port:fixed_ips
- Default:
(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or rule:shared
- Operations:
POST
/ports
- Scope Types:
project
Specify fixed_ips information when creating a port
create_port:fixed_ips:ip_address
- Default:
(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner
- Operations:
POST
/ports
- Scope Types:
project
Specify IP address in fixed_ips when creating a port
create_port:fixed_ips:subnet_id
- Default:
(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or rule:shared
- Operations:
POST
/ports
- Scope Types:
project
Specify subnet ID in fixed_ips when creating a port
create_port:port_security_enabled
- Default:
(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner
- Operations:
POST
/ports
- Scope Types:
project
Specify port_security_enabled attribute when creating a port
create_port:binding:host_id
- Default:
(rule:admin_only) or (rule:service_api)
- Operations:
POST
/ports
- Scope Types:
project
Specify binding:host_id attribute when creating a port
create_port:binding:profile
- Default:
rule:service_api
- Operations:
POST
/ports
- Scope Types:
project
Specify binding:profile attribute when creating a port
create_port:binding:vnic_type
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api
- Operations:
POST
/ports
- Scope Types:
project
Specify binding:vnic_type attribute when creating a port
create_port:allowed_address_pairs
- Default:
(rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s
- Operations:
POST
/ports
- Scope Types:
project
Specify allowed_address_pairs attribute when creating a port
create_port:allowed_address_pairs:mac_address
- Default:
(rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s
- Operations:
POST
/ports
- Scope Types:
project
Specify mac_address of allowed_address_pairs attribute when creating a port
create_port:allowed_address_pairs:ip_address
- Default:
(rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s
- Operations:
POST
/ports
- Scope Types:
project
Specify ip_address of allowed_address_pairs attribute when creating a port
create_port:hints
- Default:
rule:admin_only
- Operations:
POST
/ports
- Scope Types:
project
Specify hints attribute when creating a port
create_port:trusted
- Default:
rule:admin_only
- Operations:
POST
/ports
- Scope Types:
project
Specify trusted attribute when creating a port
create_ports_tags
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc
- Operations:
POST
/ports/{id}/tags
- Scope Types:
project
Create the port tags
get_port
- Default:
(rule:admin_only) or (rule:service_api) or role:reader and rule:network_owner or role:reader and project_id:%(project_id)s
- Operations:
GET
/ports
GET
/ports/{id}
- Scope Types:
project
Get a port
get_port:binding:vif_type
- Default:
(rule:admin_only) or (rule:service_api)
- Operations:
GET
/ports
GET
/ports/{id}
- Scope Types:
project
Get binding:vif_type attribute of a port
get_port:binding:vif_details
- Default:
(rule:admin_only) or (rule:service_api)
- Operations:
GET
/ports
GET
/ports/{id}
- Scope Types:
project
Get binding:vif_details attribute of a port
get_port:binding:host_id
- Default:
(rule:admin_only) or (rule:service_api)
- Operations:
GET
/ports
GET
/ports/{id}
- Scope Types:
project
Get binding:host_id attribute of a port
get_port:binding:profile
- Default:
(rule:admin_only) or (rule:service_api)
- Operations:
GET
/ports
GET
/ports/{id}
- Scope Types:
project
Get binding:profile attribute of a port
get_port:resource_request
- Default:
rule:admin_only
- Operations:
GET
/ports
GET
/ports/{id}
- Scope Types:
project
Get resource_request attribute of a port
get_port:hints
- Default:
rule:admin_only
- Operations:
GET
/ports
GET
/ports/{id}
- Scope Types:
project
Get hints attribute of a port
get_port:trusted
- Default:
rule:admin_only
- Operations:
GET
/ports
GET
/ports/{id}
- Scope Types:
project
Get trusted attribute of a port
get_ports_tags
- Default:
rule:context_is_advsvc or (rule:admin_only) or (role:reader and rule:network_owner) or role:reader and project_id:%(project_id)s
- Operations:
GET
/ports/{id}/tags
GET
/ports/{id}/tags/{tag_id}
- Scope Types:
project
Get the port tags
update_port
- Default:
(rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s
- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update a port
update_port:device_owner
- Default:
not rule:network_device or (rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner
- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update device_owner attribute of a port
update_port:mac_address
- Default:
(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s
- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update mac_address attribute of a port
update_port:fixed_ips
- Default:
(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner
- Operations:
PUT
/ports/{id}
- Scope Types:
project
Specify fixed_ips information when updating a port
update_port:fixed_ips:ip_address
- Default:
(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner
- Operations:
PUT
/ports/{id}
- Scope Types:
project
Specify IP address in fixed_ips information when updating a port
update_port:fixed_ips:subnet_id
- Default:
(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or rule:shared
- Operations:
PUT
/ports/{id}
- Scope Types:
project
Specify subnet ID in fixed_ips information when updating a port
update_port:port_security_enabled
- Default:
(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner
- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update port_security_enabled attribute of a port
update_port:binding:host_id
- Default:
(rule:admin_only) or (rule:service_api)
- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update binding:host_id attribute of a port
update_port:binding:profile
- Default:
rule:service_api
- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update binding:profile attribute of a port
update_port:binding:vnic_type
- Default:
(rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s
- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update binding:vnic_type attribute of a port
update_port:allowed_address_pairs
- Default:
(rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s
- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update allowed_address_pairs attribute of a port
update_port:allowed_address_pairs:mac_address
- Default:
(rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s
- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update mac_address of allowed_address_pairs attribute of a port
update_port:allowed_address_pairs:ip_address
- Default:
(rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s
- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update ip_address of allowed_address_pairs attribute of a port
update_port:data_plane_status
- Default:
rule:admin_only or role:data_plane_integrator
- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update data_plane_status attribute of a port
update_port:hints
- Default:
rule:admin_only
- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update hints attribute of a port
update_port:trusted
- Default:
rule:admin_only
- Operations:
PUT
/ports/{id}
- Scope Types:
project
Update trusted attribute of a port
update_ports_tags
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc
- Operations:
PUT
/ports/{id}/tags
PUT
/ports/{id}/tags/{tag_id}
- Scope Types:
project
Update the port tags
delete_port
- Default:
(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or role:member and project_id:%(project_id)s
- Operations:
DELETE
/ports/{id}
- Scope Types:
project
Delete a port
delete_ports_tags
- Default:
rule:context_is_advsvc or role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)
- Operations:
DELETE
/ports/{id}/tags
DELETE
/ports/{id}/tags/{tag_id}
- Scope Types:
project
Delete the port tags
shared_qos_policy
- Default:
field:policies:shared=True
Rule of shared qos policy
get_policy
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_qos_policy
- Operations:
GET
/qos/policies
GET
/qos/policies/{id}
- Scope Types:
project
Get QoS policies
get_policies_tags
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_qos_policy
- Operations:
GET
/qos/policies/{id}/tags
GET
/qos/policies/{id}/tags/{tag_id}
- Scope Types:
project
Get QoS policy tags
create_policy
- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
POST
/qos/policies
- Scope Types:
project
Create a QoS policy
create_policies_tags
- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
POST
/qos/policies/{id}/tags
- Scope Types:
project
Create the QoS policy tags
update_policy
- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
PUT
/qos/policies/{id}
- Scope Types:
project
Update a QoS policy
update_policies_tags
- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
PUT
/qos/policies/{id}/tags
PUT
/qos/policies/{id}/tags/{tag_id}
- Scope Types:
project
Update the QoS policy tags
delete_policy
- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
DELETE
/qos/policies/{id}
- Scope Types:
project
Delete a QoS policy
delete_policies_tags
- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
DELETE
/qos/policies/{id}/tags
DELETE
/qos/policies/{id}/tags/{tag_id}
- Scope Types:
project
Delete the QoS policy tags
get_rule_type
- Default:
role:reader
- Operations:
GET
/qos/rule-types
GET
/qos/rule-types/{rule_type}
- Scope Types:
project
Get available QoS rule types
get_policy_bandwidth_limit_rule
- Default:
(rule:admin_only) or (role:reader and rule:ext_parent_owner)
- Operations:
GET
/qos/policies/{policy_id}/bandwidth_limit_rules
GET
/qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
- Scope Types:
project
Get a QoS bandwidth limit rule
create_policy_bandwidth_limit_rule
- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
POST
/qos/policies/{policy_id}/bandwidth_limit_rules
- Scope Types:
project
Create a QoS bandwidth limit rule
update_policy_bandwidth_limit_rule
- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
PUT
/qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
- Scope Types:
project
Update a QoS bandwidth limit rule
delete_policy_bandwidth_limit_rule
- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
DELETE
/qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
- Scope Types:
project
Delete a QoS bandwidth limit rule
get_policy_packet_rate_limit_rule
- Default:
(rule:admin_only) or (role:reader and rule:ext_parent_owner)
- Operations:
GET
/qos/policies/{policy_id}/packet_rate_limit_rules
GET
/qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}
- Scope Types:
project
Get a QoS packet rate limit rule
create_policy_packet_rate_limit_rule
- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
POST
/qos/policies/{policy_id}/packet_rate_limit_rules
- Scope Types:
project
Create a QoS packet rate limit rule
update_policy_packet_rate_limit_rule
- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
PUT
/qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}
- Scope Types:
project
Update a QoS packet rate limit rule
delete_policy_packet_rate_limit_rule
- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
DELETE
/qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}
- Scope Types:
project
Delete a QoS packet rate limit rule
get_policy_dscp_marking_rule
- Default:
(rule:admin_only) or (role:reader and rule:ext_parent_owner)
- Operations:
GET
/qos/policies/{policy_id}/dscp_marking_rules
GET
/qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
- Scope Types:
project
Get a QoS DSCP marking rule
create_policy_dscp_marking_rule
- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
POST
/qos/policies/{policy_id}/dscp_marking_rules
- Scope Types:
project
Create a QoS DSCP marking rule
update_policy_dscp_marking_rule
- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
PUT
/qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
- Scope Types:
project
Update a QoS DSCP marking rule
delete_policy_dscp_marking_rule
- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
DELETE
/qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
- Scope Types:
project
Delete a QoS DSCP marking rule
get_policy_minimum_bandwidth_rule
- Default:
(rule:admin_only) or (role:reader and rule:ext_parent_owner)
- Operations:
GET
/qos/policies/{policy_id}/minimum_bandwidth_rules
GET
/qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
- Scope Types:
project
Get a QoS minimum bandwidth rule
create_policy_minimum_bandwidth_rule
- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
POST
/qos/policies/{policy_id}/minimum_bandwidth_rules
- Scope Types:
project
Create a QoS minimum bandwidth rule
update_policy_minimum_bandwidth_rule
- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
PUT
/qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
- Scope Types:
project
Update a QoS minimum bandwidth rule
delete_policy_minimum_bandwidth_rule
- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
DELETE
/qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
- Scope Types:
project
Delete a QoS minimum bandwidth rule
get_policy_minimum_packet_rate_rule
- Default:
(rule:admin_only) or (role:reader and rule:ext_parent_owner)
- Operations:
GET
/qos/policies/{policy_id}/minimum_packet_rate_rules
GET
/qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
- Scope Types:
project
Get a QoS minimum packet rate rule
create_policy_minimum_packet_rate_rule
- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
POST
/qos/policies/{policy_id}/minimum_packet_rate_rules
- Scope Types:
project
Create a QoS minimum packet rate rule
update_policy_minimum_packet_rate_rule
- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
PUT
/qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
- Scope Types:
project
Update a QoS minimum packet rate rule
delete_policy_minimum_packet_rate_rule
- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
DELETE
/qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
- Scope Types:
project
Delete a QoS minimum packet rate rule
get_alias_bandwidth_limit_rule
- Default:
(rule:admin_only) or (role:reader and rule:ext_parent_owner)
- Operations:
GET
/qos/alias_bandwidth_limit_rules/{rule_id}/
- Scope Types:
project
Get a QoS bandwidth limit rule through alias
update_alias_bandwidth_limit_rule
- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
PUT
/qos/alias_bandwidth_limit_rules/{rule_id}/
- Scope Types:
project
Update a QoS bandwidth limit rule through alias
delete_alias_bandwidth_limit_rule
- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
DELETE
/qos/alias_bandwidth_limit_rules/{rule_id}/
- Scope Types:
project
Delete a QoS bandwidth limit rule through alias
get_alias_dscp_marking_rule
- Default:
(rule:admin_only) or (role:reader and rule:ext_parent_owner)
- Operations:
GET
/qos/alias_dscp_marking_rules/{rule_id}/
- Scope Types:
project
Get a QoS DSCP marking rule through alias
update_alias_dscp_marking_rule
- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
PUT
/qos/alias_dscp_marking_rules/{rule_id}/
- Scope Types:
project
Update a QoS DSCP marking rule through alias
delete_alias_dscp_marking_rule
- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
DELETE
/qos/alias_dscp_marking_rules/{rule_id}/
- Scope Types:
project
Delete a QoS DSCP marking rule through alias
get_alias_minimum_bandwidth_rule
- Default:
(rule:admin_only) or (role:reader and rule:ext_parent_owner)
- Operations:
GET
/qos/alias_minimum_bandwidth_rules/{rule_id}/
- Scope Types:
project
Get a QoS minimum bandwidth rule through alias
update_alias_minimum_bandwidth_rule
- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
PUT
/qos/alias_minimum_bandwidth_rules/{rule_id}/
- Scope Types:
project
Update a QoS minimum bandwidth rule through alias
delete_alias_minimum_bandwidth_rule
- Default:
(rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
DELETE
/qos/alias_minimum_bandwidth_rules/{rule_id}/
- Scope Types:
project
Delete a QoS minimum bandwidth rule through alias
get_alias_minimum_packet_rate_rule
- Default:
rule:get_policy_minimum_packet_rate_rule
- Operations:
GET
/qos/alias_minimum_packet_rate_rules/{rule_id}/
- Scope Types:
project
Get a QoS minimum packet rate rule through alias
update_alias_minimum_packet_rate_rule
- Default:
rule:update_policy_minimum_packet_rate_rule
- Operations:
PUT
/qos/alias_minimum_packet_rate_rules/{rule_id}/
- Scope Types:
project
Update a QoS minimum packet rate rule through alias
delete_alias_minimum_packet_rate_rule
- Default:
rule:delete_policy_minimum_packet_rate_rule
- Operations:
DELETE
/qos/alias_minimum_packet_rate_rules/{rule_id}/
- Scope Types:
project
Delete a QoS minimum packet rate rule through alias
get_quota
- Default:
(rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
GET
/quota
GET
/quota/{id}
- Scope Types:
project
Get a resource quota
update_quota
- Default:
rule:admin_only
- Operations:
PUT
/quota/{id}
- Scope Types:
project
Update a resource quota
delete_quota
- Default:
rule:admin_only
- Operations:
DELETE
/quota/{id}
- Scope Types:
project
Delete a resource quota
restrict_wildcard
- Default:
(not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*) or rule:admin_only
Definition of a wildcard target_project
create_rbac_policy
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/rbac-policies
- Scope Types:
project
Create an RBAC policy
create_rbac_policy:target_tenant
- Default:
rule:admin_only or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)
- Operations:
POST
/rbac-policies
- Scope Types:
project
Specify target_tenant when creating an RBAC policy
create_rbac_policy:target_project
- Default:
rule:admin_only or not field:rbac_policy:target_project=*
- Operations:
POST
/rbac-policies
- Scope Types:
project
Specify target_project when creating an RBAC policy
update_rbac_policy
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/rbac-policies/{id}
- Scope Types:
project
Update an RBAC policy
update_rbac_policy:target_tenant
- Default:
rule:admin_only or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)
- Operations:
PUT
/rbac-policies/{id}
- Scope Types:
project
Update target_tenant attribute of an RBAC policy
update_rbac_policy:target_project
- Default:
rule:admin_only or not field:rbac_policy:target_project=*
- Operations:
PUT
/rbac-policies/{id}
- Scope Types:
project
Update target_project attribute of an RBAC policy
get_rbac_policy
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/rbac-policies
GET
/rbac-policies/{id}
- Scope Types:
project
Get an RBAC policy
delete_rbac_policy
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/rbac-policies/{id}
- Scope Types:
project
Delete an RBAC policy
create_router
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/routers
- Scope Types:
project
Create a router
create_router:distributed
- Default:
rule:admin_only
- Operations:
POST
/routers
- Scope Types:
project
Specify distributed attribute when creating a router
create_router:ha
- Default:
rule:admin_only
- Operations:
POST
/routers
- Scope Types:
project
Specify ha attribute when creating a router
create_router:external_gateway_info
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/routers
- Scope Types:
project
Specify external_gateway_info information when creating a router
create_router:external_gateway_info:network_id
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/routers
- Scope Types:
project
Specify network_id in external_gateway_info information when creating a router
create_router:external_gateway_info:enable_snat
- Default:
rule:admin_only
- Operations:
POST
/routers
- Scope Types:
project
Specify enable_snat in external_gateway_info information when creating a router
create_router:external_gateway_info:external_fixed_ips
- Default:
rule:admin_only
- Operations:
POST
/routers
- Scope Types:
project
Specify external_fixed_ips in external_gateway_info information when creating a router
create_router:enable_default_route_bfd
- Default:
rule:admin_only
- Operations:
POST
/routers
- Scope Types:
project
Specify enable_default_route_bfd attribute when creating a router
create_router:enable_default_route_ecmp
- Default:
rule:admin_only
- Operations:
POST
/routers
- Scope Types:
project
Specify enable_default_route_ecmp attribute when creating a router
create_routers_tags
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/routers/{id}/tags
- Scope Types:
project
Create the router tags
get_router
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/routers
GET
/routers/{id}
- Scope Types:
project
Get a router
get_router:distributed
- Default:
rule:admin_only
- Operations:
GET
/routers
GET
/routers/{id}
- Scope Types:
project
Get distributed attribute of a router
get_router:ha
- Default:
rule:admin_only
- Operations:
GET
/routers
GET
/routers/{id}
- Scope Types:
project
Get ha attribute of a router
get_routers_tags
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/routers/{id}/tags
GET
/routers/{id}/tags/{tag_id}
- Scope Types:
project
Get the router tags
update_router
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/routers/{id}
- Scope Types:
project
Update a router
update_router:distributed
- Default:
rule:admin_only
- Operations:
PUT
/routers/{id}
- Scope Types:
project
Update distributed attribute of a router
update_router:ha
- Default:
rule:admin_only
- Operations:
PUT
/routers/{id}
- Scope Types:
project
Update ha attribute of a router
update_router:external_gateway_info
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/routers/{id}
- Scope Types:
project
Update external_gateway_info information of a router
update_router:external_gateway_info:network_id
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/routers/{id}
- Scope Types:
project
Update network_id attribute of external_gateway_info information of a router
update_router:external_gateway_info:enable_snat
- Default:
rule:admin_only
- Operations:
PUT
/routers/{id}
- Scope Types:
project
Update enable_snat attribute of external_gateway_info information of a router
update_router:external_gateway_info:external_fixed_ips
- Default:
rule:admin_only
- Operations:
PUT
/routers/{id}
- Scope Types:
project
Update external_fixed_ips attribute of external_gateway_info information of a router
update_router:enable_default_route_bfd
- Default:
rule:admin_only
- Operations:
POST
/routers
- Scope Types:
project
Specify enable_default_route_bfd attribute when updating a router
update_router:enable_default_route_ecmp
- Default:
rule:admin_only
- Operations:
POST
/routers
- Scope Types:
project
Specify enable_default_route_ecmp attribute when updating a router
update_routers_tags
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/routers/{id}/tags
PUT
/routers/{id}/tags/{tag_id}
- Scope Types:
project
Update the router tags
delete_router
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/routers/{id}
- Scope Types:
project
Delete a router
delete_routers_tags
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/routers/{id}/tags
DELETE
/routers/{id}/tags/{tag_id}
- Scope Types:
project
Delete the router tags
add_router_interface
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/routers/{id}/add_router_interface
- Scope Types:
project
Add an interface to a router
remove_router_interface
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/routers/{id}/remove_router_interface
- Scope Types:
project
Remove an interface from a router
add_extraroutes
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/routers/{id}/add_extraroutes
- Scope Types:
project
Add extra route to a router
remove_extraroutes
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/routers/{id}/remove_extraroutes
- Scope Types:
project
Remove extra route from a router
admin_or_sg_owner
- Default:
rule:context_is_admin or tenant_id:%(security_group:tenant_id)s
Rule for admin or security group owner access
admin_owner_or_sg_owner
- Default:
rule:owner or rule:admin_or_sg_owner
Rule for resource owner, admin or security group owner access
shared_security_group
- Default:
field:security_groups:shared=True
Definition of a shared security group
rule_default_sg
- Default:
field:security_group_rules:belongs_to_default_sg=True
Definition of a security group rule that belongs to the project default security group
create_security_group
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/security-groups
- Scope Types:
project
Create a security group
create_security_groups_tags
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/security-groups/{id}/tags
- Scope Types:
project
Create the security group tags
get_security_group
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_security_group
- Operations:
GET
/security-groups
GET
/security-groups/{id}
- Scope Types:
project
Get a security group
get_security_groups_tags
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_security_group
- Operations:
GET
/security-groups/{id}/tags
GET
/security-groups/{id}/tags/{tag_id}
- Scope Types:
project
Get the security group tags
update_security_group
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/security-groups/{id}
- Scope Types:
project
Update a security group
update_security_groups_tags
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/security-groups/{id}/tags
PUT
/security-groups/{id}/tags/{tag_id}
- Scope Types:
project
Update the security group tags
delete_security_group
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/security-groups/{id}
- Scope Types:
project
Delete a security group
delete_security_groups_tags
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/security-groups/{id}/tags
DELETE
/security-groups/{id}/tags/{tag_id}
- Scope Types:
project
Delete the security group tags
create_security_group_rule
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/security-group-rules
- Scope Types:
project
Create a security group rule
get_security_group_rule
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:sg_owner
- Operations:
GET
/security-group-rules
GET
/security-group-rules/{id}
- Scope Types:
project
Get a security group rule
delete_security_group_rule
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/security-group-rules/{id}
- Scope Types:
project
Delete a security group rule
create_segment
- Default:
rule:admin_only
- Operations:
POST
/segments
- Scope Types:
project
Create a segment
create_segments_tags
- Default:
rule:admin_only
- Operations:
POST
/segments/{id}/tags
- Scope Types:
project
Create the segment tags
get_segment
- Default:
rule:admin_only
- Operations:
GET
/segments
GET
/segments/{id}
- Scope Types:
project
Get a segment
get_segments_tags
- Default:
rule:admin_only
- Operations:
GET
/segments/{id}/tags
GET
/segments/{id}/tags/{tag_id}
- Scope Types:
project
Get the segment tags
update_segment
- Default:
rule:admin_only
- Operations:
PUT
/segments/{id}
- Scope Types:
project
Update a segment
update_segments_tags
- Default:
rule:admin_only
- Operations:
PUT
/segments/{id}/tags
PUT
/segments/{id}/tags/{tag_id}
- Scope Types:
project
Update the segment tags
delete_segment
- Default:
rule:admin_only
- Operations:
DELETE
/segments/{id}
- Scope Types:
project
Delete a segment
delete_segments_tags
- Default:
rule:admin_only
- Operations:
DELETE
/segments/{id}/tags
DELETE
/segments/{id}/tags/{tag_id}
- Scope Types:
project
Delete the segment tags
get_service_provider
- Default:
role:reader
- Operations:
GET
/service-providers
- Scope Types:
project
Get service providers
external_network
- Default:
field:subnets:router:external=True
Definition of a subnet that belongs to an external network
create_subnet
- Default:
(rule:admin_only) or (role:member and rule:network_owner)
- Operations:
POST
/subnets
- Scope Types:
project
Create a subnet
create_subnet:segment_id
- Default:
rule:admin_only
- Operations:
POST
/subnets
- Scope Types:
project
Specify segment_id attribute when creating a subnet
create_subnet:service_types
- Default:
rule:admin_only
- Operations:
POST
/subnets
- Scope Types:
project
Specify service_types attribute when creating a subnet
create_subnets_tags
- Default:
role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)
- Operations:
POST
/subnets/{id}/tags
- Scope Types:
project
Create the subnet tags
get_subnet
- Default:
role:reader and project_id:%(project_id)s or rule:shared or rule:external_network or (rule:admin_only) or (role:member and rule:network_owner)
- Operations:
GET
/subnets
GET
/subnets/{id}
- Scope Types:
project
Get a subnet
get_subnet:segment_id
- Default:
rule:admin_only
- Operations:
GET
/subnets
GET
/subnets/{id}
- Scope Types:
project
Get segment_id attribute of a subnet
get_subnets_tags
- Default:
role:reader and project_id:%(project_id)s or rule:shared or rule:external_network or (rule:admin_only) or (role:member and rule:network_owner)
- Operations:
GET
/subnets/{id}/tags
GET
/subnets/{id}/tags/{tag_id}
- Scope Types:
project
Get the subnet tags
update_subnet
- Default:
role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)
- Operations:
PUT
/subnets/{id}
- Scope Types:
project
Update a subnet
update_subnet:segment_id
- Default:
rule:admin_only
- Operations:
PUT
/subnets/{id}
- Scope Types:
project
Update segment_id attribute of a subnet
update_subnet:service_types
- Default:
rule:admin_only
- Operations:
PUT
/subnets/{id}
- Scope Types:
project
Update service_types attribute of a subnet
update_subnets_tags
- Default:
role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)
- Operations:
PUT
/subnets/{id}/tags
PUT
/subnets/{id}/tags/{tag_id}
- Scope Types:
project
Update the subnet tags
delete_subnet
- Default:
role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)
- Operations:
DELETE
/subnets/{id}
- Scope Types:
project
Delete a subnet
delete_subnets_tags
- Default:
role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)
- Operations:
DELETE
/subnets/{id}/tags
DELETE
/subnets/{id}/tags/{tag_id}
- Scope Types:
project
Delete the subnet tags
shared_subnetpools
- Default:
field:subnetpools:shared=True
Definition of a shared subnetpool
create_subnetpool
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/subnetpools
- Scope Types:
project
Create a subnetpool
create_subnetpool:shared
- Default:
rule:admin_only
- Operations:
POST
/subnetpools
- Scope Types:
project
Create a shared subnetpool
create_subnetpool:is_default
- Default:
rule:admin_only
- Operations:
POST
/subnetpools
- Scope Types:
project
Specify is_default attribute when creating a subnetpool
create_subnetpools_tags
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/subnetpools/{id}/tags
- Scope Types:
project
Create the subnetpool tags
get_subnetpool
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools
- Operations:
GET
/subnetpools
GET
/subnetpools/{id}
- Scope Types:
project
Get a subnetpool
get_subnetpools_tags
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools
- Operations:
GET
/subnetpools/{id}/tags
GET
/subnetpools/{id}/tags/{tag_id}
- Scope Types:
project
Get the subnetpool tags
update_subnetpool
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/subnetpools/{id}
- Scope Types:
project
Update a subnetpool
update_subnetpool:is_default
- Default:
rule:admin_only
- Operations:
PUT
/subnetpools/{id}
- Scope Types:
project
Update is_default attribute of a subnetpool
update_subnetpools_tags
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/subnetpools/{id}/tags
PUT
/subnetpools/{id}/tags/{tag_id}
- Scope Types:
project
Update the subnetpool tags
delete_subnetpool
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/subnetpools/{id}
- Scope Types:
project
Delete a subnetpool
delete_subnetpools_tags
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/subnetpools/{id}/tags
DELETE
/subnetpools/{id}/tags/{tag_id}
- Scope Types:
project
Delete the subnetpool tags
onboard_network_subnets
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/subnetpools/{id}/onboard_network_subnets
- Scope Types:
project
Onboard existing subnet into a subnetpool
add_prefixes
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/subnetpools/{id}/add_prefixes
- Scope Types:
project
Add prefixes to a subnetpool
remove_prefixes
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/subnetpools/{id}/remove_prefixes
- Scope Types:
project
Remove unallocated prefixes from a subnetpool
create_trunk
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/trunks
- Scope Types:
project
Create a trunk
create_trunks_tags
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
POST
/trunks/{id}/tags
- Scope Types:
project
Create the trunk tags
get_trunk
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/trunks
GET
/trunks/{id}
- Scope Types:
project
Get a trunk
get_trunks_tags
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/trunks/{id}/tags
GET
/trunks/{id}/tags/{tag_id}
- Scope Types:
project
Get the trunk tags
update_trunk
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/trunks/{id}
- Scope Types:
project
Update a trunk
update_trunks_tags
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/trunks/{id}/tags
PUT
/trunks/{id}/tags/{tag_id}
- Scope Types:
project
Update the trunk tags
delete_trunk
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/trunks/{id}
- Scope Types:
project
Delete a trunk
delete_trunks_tags
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
DELETE
/trunks/{id}/tags
DELETE
/trunks/{id}/tags/{tag_id}
- Scope Types:
project
Delete a trunk
get_subports
- Default:
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
GET
/trunks/{id}/get_subports
- Scope Types:
project
List subports attached to a trunk
add_subports
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/trunks/{id}/add_subports
- Scope Types:
project
Add subports to a trunk
remove_subports
- Default:
(rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
PUT
/trunks/{id}/remove_subports
- Scope Types:
project
Delete subports from a trunk