Policy Reference

Neutron, like most OpenStack projects, uses a policy language to restrict permissions on REST API actions.

The following is an overview of all available policies in neutron.

For a sample policy file, refer to Sample Policy File.

neutron

context_is_admin
Default

role:admin

Rule for cloud admin access

owner
Default

tenant_id:%(tenant_id)s

Rule for resource owner access

admin_or_owner
Default

rule:context_is_admin or rule:owner

Rule for admin or owner access

context_is_advsvc
Default

role:advsvc

Rule for advsvc role access

admin_or_network_owner
Default

rule:context_is_admin or tenant_id:%(network:tenant_id)s

Rule for admin or network owner access

admin_owner_or_network_owner
Default

rule:owner or rule:admin_or_network_owner

Rule for resource owner, admin or network owner access

admin_only
Default

rule:context_is_admin

Rule for admin-only access

regular_user
Default

<empty string>

Rule for regular user access

shared
Default

field:networks:shared=True

Rule of shared network

default
Default

rule:admin_or_owner

Default access rule

admin_or_ext_parent_owner
Default

rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s

Rule for common parent owner check

shared_address_scopes
Default

field:address_scopes:shared=True

Definition of a shared address scope

create_address_scope
Default

rule:regular_user

Operations
  • POST /address-scopes

Create an address scope

create_address_scope:shared
Default

rule:admin_only

Operations
  • POST /address-scopes

Create a shared address scope

get_address_scope
Default

rule:admin_or_owner or rule:shared_address_scopes

Operations
  • GET /address-scopes

  • GET /address-scopes/{id}

Get an address scope

update_address_scope
Default

rule:admin_or_owner

Operations
  • PUT /address-scopes/{id}

Update an address scope

update_address_scope:shared
Default

rule:admin_only

Operations
  • PUT /address-scopes/{id}

Update shared attribute of an address scope

delete_address_scope
Default

rule:admin_or_owner

Operations
  • DELETE /address-scopes/{id}

Delete an address scope

get_agent
Default

rule:admin_only

Operations
  • GET /agents

  • GET /agents/{id}

Get an agent

update_agent
Default

rule:admin_only

Operations
  • PUT /agents/{id}

Update an agent

delete_agent
Default

rule:admin_only

Operations
  • DELETE /agents/{id}

Delete an agent

create_dhcp-network
Default

rule:admin_only

Operations
  • POST /agents/{agent_id}/dhcp-networks

Add a network to a DHCP agent

get_dhcp-networks
Default

rule:admin_only

Operations
  • GET /agents/{agent_id}/dhcp-networks

List networks on a DHCP agent

delete_dhcp-network
Default

rule:admin_only

Operations
  • DELETE /agents/{agent_id}/dhcp-networks/{network_id}

Remove a network from a DHCP agent

create_l3-router
Default

rule:admin_only

Operations
  • POST /agents/{agent_id}/l3-routers

Add a router to an L3 agent

get_l3-routers
Default

rule:admin_only

Operations
  • GET /agents/{agent_id}/l3-routers

List routers on an L3 agent

delete_l3-router
Default

rule:admin_only

Operations
  • DELETE /agents/{agent_id}/l3-routers/{router_id}

Remove a router from an L3 agent

get_dhcp-agents
Default

rule:admin_only

Operations
  • GET /networks/{network_id}/dhcp-agents

List DHCP agents hosting a network

get_l3-agents
Default

rule:admin_only

Operations
  • GET /routers/{router_id}/l3-agents

List L3 agents hosting a router

get_auto_allocated_topology
Default

rule:admin_or_owner

Operations
  • GET /auto-allocated-topology/{project_id}

Get a project’s auto-allocated topology

delete_auto_allocated_topology
Default

rule:admin_or_owner

Operations
  • DELETE /auto-allocated-topology/{project_id}

Delete a project’s auto-allocated topology

get_availability_zone
Default

rule:regular_user

Operations
  • GET /availability_zones

List availability zones

create_flavor
Default

rule:admin_only

Operations
  • POST /flavors

Create a flavor

get_flavor
Default

rule:regular_user

Operations
  • GET /flavors

  • GET /flavors/{id}

Get a flavor

update_flavor
Default

rule:admin_only

Operations
  • PUT /flavors/{id}

Update a flavor

delete_flavor
Default

rule:admin_only

Operations
  • DELETE /flavors/{id}

Delete a flavor

create_service_profile
Default

rule:admin_only

Operations
  • POST /service_profiles

Create a service profile

get_service_profile
Default

rule:admin_only

Operations
  • GET /service_profiles

  • GET /service_profiles/{id}

Get a service profile

update_service_profile
Default

rule:admin_only

Operations
  • PUT /service_profiles/{id}

Update a service profile

delete_service_profile
Default

rule:admin_only

Operations
  • DELETE /service_profiles/{id}

Delete a service profile

get_flavor_service_profile
Default

rule:regular_user

Get a flavor associated with a given service profiles. There is no corresponding GET operations in API currently. This rule is currently referred only in the DELETE of flavor_service_profile.

create_flavor_service_profile
Default

rule:admin_only

Operations
  • POST /flavors/{flavor_id}/service_profiles

Associate a flavor with a service profile

delete_flavor_service_profile
Default

rule:admin_only

Operations
  • DELETE /flavors/{flavor_id}/service_profiles/{profile_id}

Disassociate a flavor with a service profile

create_floatingip
Default

rule:regular_user

Operations
  • POST /floatingips

Create a floating IP

create_floatingip:floating_ip_address
Default

rule:admin_only

Operations
  • POST /floatingips

Create a floating IP with a specific IP address

get_floatingip
Default

rule:admin_or_owner

Operations
  • GET /floatingips

  • GET /floatingips/{id}

Get a floating IP

update_floatingip
Default

rule:admin_or_owner

Operations
  • PUT /floatingips/{id}

Update a floating IP

delete_floatingip
Default

rule:admin_or_owner

Operations
  • DELETE /floatingips/{id}

Delete a floating IP

get_floatingip_pool
Default

rule:regular_user

Operations
  • GET /floatingip_pools

Get floating IP pools

create_floatingip_port_forwarding
Default

rule:admin_or_ext_parent_owner

Operations
  • POST /floatingips/{floatingip_id}/port_forwardings

Create a floating IP port forwarding

get_floatingip_port_forwarding
Default

rule:admin_or_ext_parent_owner

Operations
  • GET /floatingips/{floatingip_id}/port_forwardings

  • GET /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}

Get a floating IP port forwarding

update_floatingip_port_forwarding
Default

rule:admin_or_ext_parent_owner

Operations
  • PUT /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}

Update a floating IP port forwarding

delete_floatingip_port_forwarding
Default

rule:admin_or_ext_parent_owner

Operations
  • DELETE /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}

Delete a floating IP port forwarding

create_router_conntrack_helper
Default

rule:admin_or_ext_parent_owner

Operations
  • POST /routers/{router_id}/conntrack_helpers

Create a router conntrack helper

get_router_conntrack_helper
Default

rule:admin_or_ext_parent_owner

Operations
  • GET /routers/{router_id}/conntrack_helpers

  • GET /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}

Get a router conntrack helper

update_router_conntrack_helper
Default

rule:admin_or_ext_parent_owner

Operations
  • PUT /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}

Update a router conntrack helper

delete_router_conntrack_helper
Default

rule:admin_or_ext_parent_owner

Operations
  • DELETE /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}

Delete a router conntrack helper

get_loggable_resource
Default

rule:admin_only

Operations
  • GET /log/loggable-resources

Get loggable resources

create_log
Default

rule:admin_only

Operations
  • POST /log/logs

Create a network log

get_log
Default

rule:admin_only

Operations
  • GET /log/logs

  • GET /log/logs/{id}

Get a network log

update_log
Default

rule:admin_only

Operations
  • PUT /log/logs/{id}

Update a network log

delete_log
Default

rule:admin_only

Operations
  • DELETE /log/logs/{id}

Delete a network log

create_metering_label
Default

rule:admin_only

Operations
  • POST /metering/metering-labels

Create a metering label

get_metering_label
Default

rule:admin_only

Operations
  • GET /metering/metering-labels

  • GET /metering/metering-labels/{id}

Get a metering label

delete_metering_label
Default

rule:admin_only

Operations
  • DELETE /metering/metering-labels/{id}

Delete a metering label

create_metering_label_rule
Default

rule:admin_only

Operations
  • POST /metering/metering-label-rules

Create a metering label rule

get_metering_label_rule
Default

rule:admin_only

Operations
  • GET /metering/metering-label-rules

  • GET /metering/metering-label-rules/{id}

Get a metering label rule

delete_metering_label_rule
Default

rule:admin_only

Operations
  • DELETE /metering/metering-label-rules/{id}

Delete a metering label rule

external
Default

field:networks:router:external=True

Definition of an external network

create_network
Default

rule:regular_user

Operations
  • POST /networks

Create a network

create_network:shared
Default

rule:admin_only

Operations
  • POST /networks

Create a shared network

create_network:router:external
Default

rule:admin_only

Operations
  • POST /networks

Create an external network

create_network:is_default
Default

rule:admin_only

Operations
  • POST /networks

Specify is_default attribute when creating a network

create_network:port_security_enabled
Default

rule:regular_user

Operations
  • POST /networks

Specify port_security_enabled attribute when creating a network

create_network:segments
Default

rule:admin_only

Operations
  • POST /networks

Specify segments attribute when creating a network

create_network:provider:network_type
Default

rule:admin_only

Operations
  • POST /networks

Specify provider:network_type when creating a network

create_network:provider:physical_network
Default

rule:admin_only

Operations
  • POST /networks

Specify provider:physical_network when creating a network

create_network:provider:segmentation_id
Default

rule:admin_only

Operations
  • POST /networks

Specify provider:segmentation_id when creating a network

get_network
Default

rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc

Operations
  • GET /networks

  • GET /networks/{id}

Get a network

get_network:router:external
Default

rule:regular_user

Operations
  • GET /networks

  • GET /networks/{id}

Get router:external attribute of a network

get_network:segments
Default

rule:admin_only

Operations
  • GET /networks

  • GET /networks/{id}

Get segments attribute of a network

get_network:provider:network_type
Default

rule:admin_only

Operations
  • GET /networks

  • GET /networks/{id}

Get provider:network_type attribute of a network

get_network:provider:physical_network
Default

rule:admin_only

Operations
  • GET /networks

  • GET /networks/{id}

Get provider:physical_network attribute of a network

get_network:provider:segmentation_id
Default

rule:admin_only

Operations
  • GET /networks

  • GET /networks/{id}

Get provider:segmentation_id attribute of a network

update_network
Default

rule:admin_or_owner

Operations
  • PUT /networks/{id}

Update a network

update_network:segments
Default

rule:admin_only

Operations
  • PUT /networks/{id}

Update segments attribute of a network

update_network:shared
Default

rule:admin_only

Operations
  • PUT /networks/{id}

Update shared attribute of a network

update_network:provider:network_type
Default

rule:admin_only

Operations
  • PUT /networks/{id}

Update provider:network_type attribute of a network

update_network:provider:physical_network
Default

rule:admin_only

Operations
  • PUT /networks/{id}

Update provider:physical_network attribute of a network

update_network:provider:segmentation_id
Default

rule:admin_only

Operations
  • PUT /networks/{id}

Update provider:segmentation_id attribute of a network

update_network:router:external
Default

rule:admin_only

Operations
  • PUT /networks/{id}

Update router:external attribute of a network

update_network:is_default
Default

rule:admin_only

Operations
  • PUT /networks/{id}

Update is_default attribute of a network

update_network:port_security_enabled
Default

rule:admin_or_owner

Operations
  • PUT /networks/{id}

Update port_security_enabled attribute of a network

delete_network
Default

rule:admin_or_owner

Operations
  • DELETE /networks/{id}

Delete a network

get_network_ip_availability
Default

rule:admin_only

Operations
  • GET /network-ip-availabilities

  • GET /network-ip-availabilities/{network_id}

Get network IP availability

create_network_segment_range
Default

rule:admin_only

Operations
  • POST /network_segment_ranges

Create a network segment range

get_network_segment_range
Default

rule:admin_only

Operations
  • GET /network_segment_ranges

  • GET /network_segment_ranges/{id}

Get a network segment range

update_network_segment_range
Default

rule:admin_only

Operations
  • PUT /network_segment_ranges/{id}

Update a network segment range

delete_network_segment_range
Default

rule:admin_only

Operations
  • DELETE /network_segment_ranges/{id}

Delete a network segment range

network_device
Default

field:port:device_owner=~^network:

Definition of port with network device_owner

admin_or_data_plane_int
Default

rule:context_is_admin or role:data_plane_integrator

Rule for data plane integration

create_port
Default

rule:regular_user

Operations
  • POST /ports

Create a port

create_port:device_owner
Default

not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner

Operations
  • POST /ports

Specify device_owner attribute when creting a port

create_port:mac_address
Default

rule:context_is_advsvc or rule:admin_or_network_owner

Operations
  • POST /ports

Specify mac_address attribute when creating a port

create_port:fixed_ips
Default

rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared

Operations
  • POST /ports

Specify fixed_ips information when creating a port

create_port:fixed_ips:ip_address
Default

rule:context_is_advsvc or rule:admin_or_network_owner

Operations
  • POST /ports

Specify IP address in fixed_ips when creating a port

create_port:fixed_ips:subnet_id
Default

rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared

Operations
  • POST /ports

Specify subnet ID in fixed_ips when creating a port

create_port:port_security_enabled
Default

rule:context_is_advsvc or rule:admin_or_network_owner

Operations
  • POST /ports

Specify port_security_enabled attribute when creating a port

create_port:binding:host_id
Default

rule:admin_only

Operations
  • POST /ports

Specify binding:host_id attribute when creating a port

create_port:binding:profile
Default

rule:admin_only

Operations
  • POST /ports

Specify binding:profile attribute when creating a port

create_port:binding:vnic_type
Default

rule:regular_user

Operations
  • POST /ports

Specify binding:vnic_type attribute when creating a port

create_port:allowed_address_pairs
Default

rule:admin_or_network_owner

Operations
  • POST /ports

Specify allowed_address_pairs attribute when creating a port

create_port:allowed_address_pairs:mac_address
Default

rule:admin_or_network_owner

Operations
  • POST /ports

Specify mac_address` of `allowed_address_pairs attribute when creating a port

create_port:allowed_address_pairs:ip_address
Default

rule:admin_or_network_owner

Operations
  • POST /ports

Specify ip_address of allowed_address_pairs attribute when creating a port

get_port
Default

rule:context_is_advsvc or rule:admin_owner_or_network_owner

Operations
  • GET /ports

  • GET /ports/{id}

Get a port

get_port:binding:vif_type
Default

rule:admin_only

Operations
  • GET /ports

  • GET /ports/{id}

Get binding:vif_type attribute of a port

get_port:binding:vif_details
Default

rule:admin_only

Operations
  • GET /ports

  • GET /ports/{id}

Get binding:vif_details attribute of a port

get_port:binding:host_id
Default

rule:admin_only

Operations
  • GET /ports

  • GET /ports/{id}

Get binding:host_id attribute of a port

get_port:binding:profile
Default

rule:admin_only

Operations
  • GET /ports

  • GET /ports/{id}

Get binding:profile attribute of a port

get_port:resource_request
Default

rule:admin_only

Operations
  • GET /ports

  • GET /ports/{id}

Get resource_request attribute of a port

update_port
Default

rule:admin_or_owner or rule:context_is_advsvc

Operations
  • PUT /ports/{id}

Update a port

update_port:device_owner
Default

not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner

Operations
  • PUT /ports/{id}

Update device_owner attribute of a port

update_port:mac_address
Default

rule:admin_only or rule:context_is_advsvc

Operations
  • PUT /ports/{id}

Update mac_address attribute of a port

update_port:fixed_ips
Default

rule:context_is_advsvc or rule:admin_or_network_owner

Operations
  • PUT /ports/{id}

Specify fixed_ips information when updating a port

update_port:fixed_ips:ip_address
Default

rule:context_is_advsvc or rule:admin_or_network_owner

Operations
  • PUT /ports/{id}

Specify IP address in fixed_ips information when updating a port

update_port:fixed_ips:subnet_id
Default

rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared

Operations
  • PUT /ports/{id}

Specify subnet ID in fixed_ips information when updating a port

update_port:port_security_enabled
Default

rule:context_is_advsvc or rule:admin_or_network_owner

Operations
  • PUT /ports/{id}

Update port_security_enabled attribute of a port

update_port:binding:host_id
Default

rule:admin_only

Operations
  • PUT /ports/{id}

Update binding:host_id attribute of a port

update_port:binding:profile
Default

rule:admin_only

Operations
  • PUT /ports/{id}

Update binding:profile attribute of a port

update_port:binding:vnic_type
Default

rule:admin_or_owner or rule:context_is_advsvc

Operations
  • PUT /ports/{id}

Update binding:vnic_type attribute of a port

update_port:allowed_address_pairs
Default

rule:admin_or_network_owner

Operations
  • PUT /ports/{id}

Update allowed_address_pairs attribute of a port

update_port:allowed_address_pairs:mac_address
Default

rule:admin_or_network_owner

Operations
  • PUT /ports/{id}

Update mac_address of allowed_address_pairs attribute of a port

update_port:allowed_address_pairs:ip_address
Default

rule:admin_or_network_owner

Operations
  • PUT /ports/{id}

Update ip_address of allowed_address_pairs attribute of a port

update_port:data_plane_status
Default

rule:admin_or_data_plane_int

Operations
  • PUT /ports/{id}

Update data_plane_status attribute of a port

delete_port
Default

rule:context_is_advsvc or rule:admin_owner_or_network_owner

Operations
  • DELETE /ports/{id}

Delete a port

get_policy
Default

rule:regular_user

Operations
  • GET /qos/policies

  • GET /qos/policies/{id}

Get QoS policies

create_policy
Default

rule:admin_only

Operations
  • POST /qos/policies

Create a QoS policy

update_policy
Default

rule:admin_only

Operations
  • PUT /qos/policies/{id}

Update a QoS policy

delete_policy
Default

rule:admin_only

Operations
  • DELETE /qos/policies/{id}

Delete a QoS policy

get_rule_type
Default

rule:regular_user

Operations
  • GET /qos/rule-types

  • GET /qos/rule-types/{rule_type}

Get available QoS rule types

get_policy_bandwidth_limit_rule
Default

rule:regular_user

Operations
  • GET /qos/policies/{policy_id}/bandwidth_limit_rules

  • GET /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}

Get a QoS bandwidth limit rule

create_policy_bandwidth_limit_rule
Default

rule:admin_only

Operations
  • POST /qos/policies/{policy_id}/bandwidth_limit_rules

Create a QoS bandwidth limit rule

update_policy_bandwidth_limit_rule
Default

rule:admin_only

Operations
  • PUT /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}

Update a QoS bandwidth limit rule

delete_policy_bandwidth_limit_rule
Default

rule:admin_only

Operations
  • DELETE /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}

Delete a QoS bandwidth limit rule

get_policy_dscp_marking_rule
Default

rule:regular_user

Operations
  • GET /qos/policies/{policy_id}/dscp_marking_rules

  • GET /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}

Get a QoS DSCP marking rule

create_policy_dscp_marking_rule
Default

rule:admin_only

Operations
  • POST /qos/policies/{policy_id}/dscp_marking_rules

Create a QoS DSCP marking rule

update_policy_dscp_marking_rule
Default

rule:admin_only

Operations
  • PUT /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}

Update a QoS DSCP marking rule

delete_policy_dscp_marking_rule
Default

rule:admin_only

Operations
  • DELETE /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}

Delete a QoS DSCP marking rule

get_policy_minimum_bandwidth_rule
Default

rule:regular_user

Operations
  • GET /qos/policies/{policy_id}/minimum_bandwidth_rules

  • GET /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}

Get a QoS minimum bandwidth rule

create_policy_minimum_bandwidth_rule
Default

rule:admin_only

Operations
  • POST /qos/policies/{policy_id}/minimum_bandwidth_rules

Create a QoS minimum bandwidth rule

update_policy_minimum_bandwidth_rule
Default

rule:admin_only

Operations
  • PUT /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}

Update a QoS minimum bandwidth rule

delete_policy_minimum_bandwidth_rule
Default

rule:admin_only

Operations
  • DELETE /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}

Delete a QoS minimum bandwidth rule

get_alias_bandwidth_limit_rule
Default

rule:get_policy_bandwidth_limit_rule

Operations
  • GET /qos/alias_bandwidth_limit_rules/{rule_id}/

Get a QoS bandwidth limit rule through alias

update_alias_bandwidth_limit_rule
Default

rule:update_policy_bandwidth_limit_rule

Operations
  • PUT /qos/alias_bandwidth_limit_rules/{rule_id}/

Update a QoS bandwidth limit rule through alias

delete_alias_bandwidth_limit_rule
Default

rule:delete_policy_bandwidth_limit_rule

Operations
  • DELETE /qos/alias_bandwidth_limit_rules/{rule_id}/

Delete a QoS bandwidth limit rule through alias

get_alias_dscp_marking_rule
Default

rule:get_policy_dscp_marking_rule

Operations
  • GET /qos/alias_dscp_marking_rules/{rule_id}/

Get a QoS DSCP marking rule through alias

update_alias_dscp_marking_rule
Default

rule:update_policy_dscp_marking_rule

Operations
  • PUT /qos/alias_dscp_marking_rules/{rule_id}/

Update a QoS DSCP marking rule through alias

delete_alias_dscp_marking_rule
Default

rule:delete_policy_dscp_marking_rule

Operations
  • DELETE /qos/alias_dscp_marking_rules/{rule_id}/

Delete a QoS DSCP marking rule through alias

get_alias_minimum_bandwidth_rule
Default

rule:get_policy_minimum_bandwidth_rule

Operations
  • GET /qos/alias_minimum_bandwidth_rules/{rule_id}/

Get a QoS minimum bandwidth rule through alias

update_alias_minimum_bandwidth_rule
Default

rule:update_policy_minimum_bandwidth_rule

Operations
  • PUT /qos/alias_minimum_bandwidth_rules/{rule_id}/

Update a QoS minimum bandwidth rule through alias

delete_alias_minimum_bandwidth_rule
Default

rule:delete_policy_minimum_bandwidth_rule

Operations
  • DELETE /qos/alias_minimum_bandwidth_rules/{rule_id}/

Delete a QoS minimum bandwidth rule through alias

restrict_wildcard
Default

(not field:rbac_policy:target_tenant=*) or rule:admin_only

Definition of a wildcard target_tenant

create_rbac_policy
Default

rule:regular_user

Operations
  • POST /rbac-policies

Create an RBAC policy

create_rbac_policy:target_tenant
Default

rule:restrict_wildcard

Operations
  • POST /rbac-policies

Specify target_tenant when creating an RBAC policy

update_rbac_policy
Default

rule:admin_or_owner

Operations
  • PUT /rbac-policies/{id}

Update an RBAC policy

update_rbac_policy:target_tenant
Default

rule:restrict_wildcard and rule:admin_or_owner

Operations
  • PUT /rbac-policies/{id}

Update target_tenant attribute of an RBAC policy

get_rbac_policy
Default

rule:admin_or_owner

Operations
  • GET /rbac-policies

  • GET /rbac-policies/{id}

Get an RBAC policy

delete_rbac_policy
Default

rule:admin_or_owner

Operations
  • DELETE /rbac-policies/{id}

Delete an RBAC policy

create_router
Default

rule:regular_user

Operations
  • POST /routers

Create a router

create_router:distributed
Default

rule:admin_only

Operations
  • POST /routers

Specify distributed attribute when creating a router

create_router:ha
Default

rule:admin_only

Operations
  • POST /routers

Specify ha attribute when creating a router

create_router:external_gateway_info
Default

rule:admin_or_owner

Operations
  • POST /routers

Specify external_gateway_info information when creating a router

create_router:external_gateway_info:network_id
Default

rule:admin_or_owner

Operations
  • POST /routers

Specify network_id in external_gateway_info information when creating a router

create_router:external_gateway_info:enable_snat
Default

rule:admin_only

Operations
  • POST /routers

Specify enable_snat in external_gateway_info information when creating a router

create_router:external_gateway_info:external_fixed_ips
Default

rule:admin_only

Operations
  • POST /routers

Specify external_fixed_ips in external_gateway_info information when creating a router

get_router
Default

rule:admin_or_owner

Operations
  • GET /routers

  • GET /routers/{id}

Get a router

get_router:distributed
Default

rule:admin_only

Operations
  • GET /routers

  • GET /routers/{id}

Get distributed attribute of a router

get_router:ha
Default

rule:admin_only

Operations
  • GET /routers

  • GET /routers/{id}

Get ha attribute of a router

update_router
Default

rule:admin_or_owner

Operations
  • PUT /routers/{id}

Update a router

update_router:distributed
Default

rule:admin_only

Operations
  • PUT /routers/{id}

Update distributed attribute of a router

update_router:ha
Default

rule:admin_only

Operations
  • PUT /routers/{id}

Update ha attribute of a router

update_router:external_gateway_info
Default

rule:admin_or_owner

Operations
  • PUT /routers/{id}

Update external_gateway_info information of a router

update_router:external_gateway_info:network_id
Default

rule:admin_or_owner

Operations
  • PUT /routers/{id}

Update network_id attribute of external_gateway_info information of a router

update_router:external_gateway_info:enable_snat
Default

rule:admin_only

Operations
  • PUT /routers/{id}

Update enable_snat attribute of external_gateway_info information of a router

update_router:external_gateway_info:external_fixed_ips
Default

rule:admin_only

Operations
  • PUT /routers/{id}

Update external_fixed_ips attribute of external_gateway_info information of a router

delete_router
Default

rule:admin_or_owner

Operations
  • DELETE /routers/{id}

Delete a router

add_router_interface
Default

rule:admin_or_owner

Operations
  • PUT /routers/{id}/add_router_interface

Add an interface to a router

remove_router_interface
Default

rule:admin_or_owner

Operations
  • PUT /routers/{id}/remove_router_interface

Remove an interface from a router

create_security_group
Default

rule:admin_or_owner

Operations
  • POST /security-groups

Create a security group

get_security_group
Default

rule:regular_user

Operations
  • GET /security-groups

  • GET /security-groups/{id}

Get a security group

update_security_group
Default

rule:admin_or_owner

Operations
  • PUT /security-groups/{id}

Update a security group

delete_security_group
Default

rule:admin_or_owner

Operations
  • DELETE /security-groups/{id}

Delete a security group

create_security_group_rule
Default

rule:admin_or_owner

Operations
  • POST /security-group-rules

Create a security group rule

get_security_group_rule
Default

rule:admin_or_owner

Operations
  • GET /security-group-rules

  • GET /security-group-rules/{id}

Get a security group rule

delete_security_group_rule
Default

rule:admin_or_owner

Operations
  • DELETE /security-group-rules/{id}

Delete a security group rule

create_segment
Default

rule:admin_only

Operations
  • POST /segments

Create a segment

get_segment
Default

rule:admin_only

Operations
  • GET /segments

  • GET /segments/{id}

Get a segment

update_segment
Default

rule:admin_only

Operations
  • PUT /segments/{id}

Update a segment

delete_segment
Default

rule:admin_only

Operations
  • DELETE /segments/{id}

Delete a segment

get_service_provider
Default

rule:regular_user

Operations
  • GET /service-providers

Get service providers

create_subnet
Default

rule:admin_or_network_owner

Operations
  • POST /subnets

Create a subnet

create_subnet:segment_id
Default

rule:admin_only

Operations
  • POST /subnets

Specify segment_id attribute when creating a subnet

create_subnet:service_types
Default

rule:admin_only

Operations
  • POST /subnets

Specify service_types attribute when creating a subnet

get_subnet
Default

rule:admin_or_owner or rule:shared

Operations
  • GET /subnets

  • GET /subnets/{id}

Get a subnet

get_subnet:segment_id
Default

rule:admin_only

Operations
  • GET /subnets

  • GET /subnets/{id}

Get segment_id attribute of a subnet

update_subnet
Default

rule:admin_or_network_owner

Operations
  • PUT /subnets/{id}

Update a subnet

update_subnet:segment_id
Default

rule:admin_only

Operations
  • PUT /subnets/{id}

Update segment_id attribute of a subnet

update_subnet:service_types
Default

rule:admin_only

Operations
  • PUT /subnets/{id}

Update service_types attribute of a subnet

delete_subnet
Default

rule:admin_or_network_owner

Operations
  • DELETE /subnets/{id}

Delete a subnet

shared_subnetpools
Default

field:subnetpools:shared=True

Definition of a shared subnetpool

create_subnetpool
Default

rule:regular_user

Operations
  • POST /subnetpools

Create a subnetpool

create_subnetpool:shared
Default

rule:admin_only

Operations
  • POST /subnetpools

Create a shared subnetpool

create_subnetpool:is_default
Default

rule:admin_only

Operations
  • POST /subnetpools

Specify is_default attribute when creating a subnetpool

get_subnetpool
Default

rule:admin_or_owner or rule:shared_subnetpools

Operations
  • GET /subnetpools

  • GET /subnetpools/{id}

Get a subnetpool

update_subnetpool
Default

rule:admin_or_owner

Operations
  • PUT /subnetpools/{id}

Update a subnetpool

update_subnetpool:is_default
Default

rule:admin_only

Operations
  • PUT /subnetpools/{id}

Update is_default attribute of a subnetpool

delete_subnetpool
Default

rule:admin_or_owner

Operations
  • DELETE /subnetpools/{id}

Delete a subnetpool

onboard_network_subnets
Default

rule:admin_or_owner

Operations
  • Put /subnetpools/{id}/onboard_network_subnets

Onboard existing subnet into a subnetpool

add_prefixes
Default

rule:admin_or_owner

Operations
  • Put /subnetpools/{id}/add_prefixes

Add prefixes to a subnetpool

remove_prefixes
Default

rule:admin_or_owner

Operations
  • Put /subnetpools/{id}/remove_prefixes

Remove unallocated prefixes from a subnetpool

create_trunk
Default

rule:regular_user

Operations
  • POST /trunks

Create a trunk

get_trunk
Default

rule:admin_or_owner

Operations
  • GET /trunks

  • GET /trunks/{id}

Get a trunk

update_trunk
Default

rule:admin_or_owner

Operations
  • PUT /trunks/{id}

Update a trunk

delete_trunk
Default

rule:admin_or_owner

Operations
  • DELETE /trunks/{id}

Delete a trunk

get_subports
Default

rule:regular_user

Operations
  • GET /trunks/{id}/get_subports

List subports attached to a trunk

add_subports
Default

rule:admin_or_owner

Operations
  • PUT /trunks/{id}/add_subports

Add subports to a trunk

remove_subports
Default

rule:admin_or_owner

Operations
  • PUT /trunks/{id}/remove_subports

Delete subports from a trunk