Policy Reference

Warning

JSON formatted policy file is deprecated since Neutron 18.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

Neutron, like most OpenStack projects, uses a policy language to restrict permissions on REST API actions.

The following is an overview of all available policies in neutron.

For a sample policy file, refer to Sample Policy File.

neutron

context_is_admin
Default:

role:admin

Rule for cloud admin access

service_api
Default:

role:service

Default rule for the service-to-service APIs.

owner
Default:

tenant_id:%(tenant_id)s

Rule for resource owner access

admin_or_owner
Default:

rule:context_is_admin or rule:owner

Rule for admin or owner access

context_is_advsvc
Default:

role:advsvc

Rule for advsvc role access

admin_or_network_owner
Default:

rule:context_is_admin or tenant_id:%(network:tenant_id)s

Rule for admin or network owner access

admin_owner_or_network_owner
Default:

rule:owner or rule:admin_or_network_owner

Rule for resource owner, admin or network owner access

network_owner
Default:

tenant_id:%(network:tenant_id)s

Rule for network owner access

admin_only
Default:

rule:context_is_admin

Rule for admin-only access

regular_user
Default:

<empty string>

Rule for regular user access

shared
Default:

field:networks:shared=True

Rule of shared network

default
Default:

rule:admin_or_owner

Default access rule

admin_or_ext_parent_owner
Default:

rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s

Rule for common parent owner check

ext_parent_owner
Default:

tenant_id:%(ext_parent:tenant_id)s

Rule for common parent owner check

sg_owner
Default:

tenant_id:%(security_group:tenant_id)s

Rule for security group owner access

shared_address_groups
Default:

field:address_groups:shared=True

Definition of a shared address group

get_address_group
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups

Operations:
  • GET /address-groups

  • GET /address-groups/{id}

Scope Types:
  • project

Get an address group

shared_address_scopes
Default:

field:address_scopes:shared=True

Definition of a shared address scope

create_address_scope
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /address-scopes

Scope Types:
  • project

Create an address scope

create_address_scope:shared
Default:

rule:admin_only

Operations:
  • POST /address-scopes

Scope Types:
  • project

Create a shared address scope

get_address_scope
Default:

rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared_address_scopes

Operations:
  • GET /address-scopes

  • GET /address-scopes/{id}

Scope Types:
  • project

Get an address scope

update_address_scope
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /address-scopes/{id}

Scope Types:
  • project

Update an address scope

update_address_scope:shared
Default:

rule:admin_only

Operations:
  • PUT /address-scopes/{id}

Scope Types:
  • project

Update shared attribute of an address scope

delete_address_scope
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /address-scopes/{id}

Scope Types:
  • project

Delete an address scope

create_agent
Default:

rule:admin_only

Operations:
  • POST /agents/{id}

Scope Types:
  • project

Create an agent

get_agent
Default:

rule:admin_only

Operations:
  • GET /agents

  • GET /agents/{id}

Scope Types:
  • project

Get an agent

update_agent
Default:

rule:admin_only

Operations:
  • PUT /agents/{id}

Scope Types:
  • project

Update an agent

delete_agent
Default:

rule:admin_only

Operations:
  • DELETE /agents/{id}

Scope Types:
  • project

Delete an agent

create_dhcp-network
Default:

rule:admin_only

Operations:
  • POST /agents/{agent_id}/dhcp-networks

Scope Types:
  • project

Add a network to a DHCP agent

get_dhcp-networks
Default:

rule:admin_only

Operations:
  • GET /agents/{agent_id}/dhcp-networks

Scope Types:
  • project

List networks on a DHCP agent

delete_dhcp-network
Default:

rule:admin_only

Operations:
  • DELETE /agents/{agent_id}/dhcp-networks/{network_id}

Scope Types:
  • project

Remove a network from a DHCP agent

create_l3-router
Default:

rule:admin_only

Operations:
  • POST /agents/{agent_id}/l3-routers

Scope Types:
  • project

Add a router to an L3 agent

get_l3-routers
Default:

rule:admin_only

Operations:
  • GET /agents/{agent_id}/l3-routers

Scope Types:
  • project

List routers on an L3 agent

delete_l3-router
Default:

rule:admin_only

Operations:
  • DELETE /agents/{agent_id}/l3-routers/{router_id}

Scope Types:
  • project

Remove a router from an L3 agent

get_dhcp-agents
Default:

rule:admin_only

Operations:
  • GET /networks/{network_id}/dhcp-agents

Scope Types:
  • project

List DHCP agents hosting a network

get_l3-agents
Default:

rule:admin_only

Operations:
  • GET /routers/{router_id}/l3-agents

Scope Types:
  • project

List L3 agents hosting a router

get_auto_allocated_topology
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /auto-allocated-topology/{project_id}

Scope Types:
  • project

Get a project’s auto-allocated topology

delete_auto_allocated_topology
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /auto-allocated-topology/{project_id}

Scope Types:
  • project

Delete a project’s auto-allocated topology

get_availability_zone
Default:

role:reader

Operations:
  • GET /availability_zones

Scope Types:
  • project

List availability zones

create_default_security_group_rule
Default:

rule:admin_only

Operations:
  • POST /default-security-group-rules

Scope Types:
  • project

Create a templated of the security group rule

get_default_security_group_rule
Default:

role:reader

Operations:
  • GET /default-security-group-rules

  • GET /default-security-group-rules/{id}

Scope Types:
  • project

Get a templated of the security group rule

delete_default_security_group_rule
Default:

rule:admin_only

Operations:
  • DELETE /default-security-group-rules/{id}

Scope Types:
  • project

Delete a templated of the security group rule

create_flavor
Default:

rule:admin_only

Operations:
  • POST /flavors

Scope Types:
  • project

Create a flavor

get_flavor
Default:

role:reader

Operations:
  • GET /flavors

  • GET /flavors/{id}

Scope Types:
  • project

Get a flavor

update_flavor
Default:

rule:admin_only

Operations:
  • PUT /flavors/{id}

Scope Types:
  • project

Update a flavor

delete_flavor
Default:

rule:admin_only

Operations:
  • DELETE /flavors/{id}

Scope Types:
  • project

Delete a flavor

create_service_profile
Default:

rule:admin_only

Operations:
  • POST /service_profiles

Scope Types:
  • project

Create a service profile

get_service_profile
Default:

rule:admin_only

Operations:
  • GET /service_profiles

  • GET /service_profiles/{id}

Scope Types:
  • project

Get a service profile

update_service_profile
Default:

rule:admin_only

Operations:
  • PUT /service_profiles/{id}

Scope Types:
  • project

Update a service profile

delete_service_profile
Default:

rule:admin_only

Operations:
  • DELETE /service_profiles/{id}

Scope Types:
  • project

Delete a service profile

get_flavor_service_profile
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Scope Types:
  • project

Get a flavor associated with a given service profiles. There is no corresponding GET operations in API currently. This rule is currently referred only in the DELETE of flavor_service_profile.

create_flavor_service_profile
Default:

rule:admin_only

Operations:
  • POST /flavors/{flavor_id}/service_profiles

Scope Types:
  • project

Associate a flavor with a service profile

delete_flavor_service_profile
Default:

rule:admin_only

Operations:
  • DELETE /flavors/{flavor_id}/service_profiles/{profile_id}

Scope Types:
  • project

Disassociate a flavor with a service profile

create_floatingip
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /floatingips

Scope Types:
  • project

Create a floating IP

create_floatingip:floating_ip_address
Default:

(rule:admin_only) or (role:manager and project_id:%(project_id)s)

Operations:
  • POST /floatingips

Scope Types:
  • project

Create a floating IP with a specific IP address

create_floatingips_tags
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /floatingips/{id}/tags

Scope Types:
  • project

Create the floating IP tags

get_floatingip
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /floatingips

  • GET /floatingips/{id}

Scope Types:
  • project

Get a floating IP

get_floatingips_tags
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /floatingips/{id}/tags

  • GET /floatingips/{id}/tags/{tag_id}

Scope Types:
  • project

Get the floating IP tags

update_floatingip
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /floatingips/{id}

Scope Types:
  • project

Update a floating IP

update_floatingips_tags
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /floatingips/{id}/tags

  • PUT /floatingips/{id}/tags/{tag_id}

Scope Types:
  • project

Update the floating IP tags

delete_floatingip
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /floatingips/{id}

Scope Types:
  • project

Delete a floating IP

delete_floatingips_tags
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /floatingips/{id}/tags

  • DELETE /floatingips/{id}/tags/{tag_id}

Scope Types:
  • project

Delete the floating IP tags

get_floatingip_pool
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /floatingip_pools

Scope Types:
  • project

Get floating IP pools

create_floatingip_port_forwarding
Default:

(rule:admin_only) or (role:member and rule:ext_parent_owner)

Operations:
  • POST /floatingips/{floatingip_id}/port_forwardings

Scope Types:
  • project

Create a floating IP port forwarding

get_floatingip_port_forwarding
Default:

(rule:admin_only) or (role:reader and rule:ext_parent_owner)

Operations:
  • GET /floatingips/{floatingip_id}/port_forwardings

  • GET /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}

Scope Types:
  • project

Get a floating IP port forwarding

update_floatingip_port_forwarding
Default:

(rule:admin_only) or (role:member and rule:ext_parent_owner)

Operations:
  • PUT /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}

Scope Types:
  • project

Update a floating IP port forwarding

delete_floatingip_port_forwarding
Default:

(rule:admin_only) or (role:member and rule:ext_parent_owner)

Operations:
  • DELETE /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}

Scope Types:
  • project

Delete a floating IP port forwarding

create_router_conntrack_helper
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner

Operations:
  • POST /routers/{router_id}/conntrack_helpers

Scope Types:
  • project

Create a router conntrack helper

get_router_conntrack_helper
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner

Operations:
  • GET /routers/{router_id}/conntrack_helpers

  • GET /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}

Scope Types:
  • project

Get a router conntrack helper

update_router_conntrack_helper
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner

Operations:
  • PUT /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}

Scope Types:
  • project

Update a router conntrack helper

delete_router_conntrack_helper
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner

Operations:
  • DELETE /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}

Scope Types:
  • project

Delete a router conntrack helper

create_local_ip
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /local-ips

Scope Types:
  • project

Create a Local IP

get_local_ip
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /local-ips

  • GET /local-ips/{id}

Scope Types:
  • project

Get a Local IP

update_local_ip
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /local-ips/{id}

Scope Types:
  • project

Update a Local IP

delete_local_ip
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /local-ips/{id}

Scope Types:
  • project

Delete a Local IP

create_local_ip_port_association
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner

Operations:
  • POST /local_ips/{local_ip_id}/port_associations

Scope Types:
  • project

Create a Local IP port association

get_local_ip_port_association
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner

Operations:
  • GET /local_ips/{local_ip_id}/port_associations

  • GET /local_ips/{local_ip_id}/port_associations/{fixed_port_id}

Scope Types:
  • project

Get a Local IP port association

delete_local_ip_port_association
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner

Operations:
  • DELETE /local_ips/{local_ip_id}/port_associations/{fixed_port_id}

Scope Types:
  • project

Delete a Local IP port association

get_loggable_resource
Default:

(rule:admin_only) or (role:manager and project_id:%(project_id)s)

Operations:
  • GET /log/loggable-resources

Scope Types:
  • project

Get loggable resources

create_log
Default:

(rule:admin_only) or (role:manager and project_id:%(project_id)s)

Operations:
  • POST /log/logs

Scope Types:
  • project

Create a network log

get_log
Default:

(rule:admin_only) or (role:manager and project_id:%(project_id)s)

Operations:
  • GET /log/logs

  • GET /log/logs/{id}

Scope Types:
  • project

Get a network log

update_log
Default:

(rule:admin_only) or (role:manager and project_id:%(project_id)s)

Operations:
  • PUT /log/logs/{id}

Scope Types:
  • project

Update a network log

delete_log
Default:

(rule:admin_only) or (role:manager and project_id:%(project_id)s)

Operations:
  • DELETE /log/logs/{id}

Scope Types:
  • project

Delete a network log

create_metering_label
Default:

(rule:admin_only) or (role:manager and project_id:%(project_id)s)

Operations:
  • POST /metering/metering-labels

Scope Types:
  • project

Create a metering label

get_metering_label
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /metering/metering-labels

  • GET /metering/metering-labels/{id}

Scope Types:
  • project

Get a metering label

delete_metering_label
Default:

(rule:admin_only) or (role:manager and project_id:%(project_id)s)

Operations:
  • DELETE /metering/metering-labels/{id}

Scope Types:
  • project

Delete a metering label

create_metering_label_rule
Default:

(rule:admin_only) or (role:manager and project_id:%(project_id)s)

Operations:
  • POST /metering/metering-label-rules

Scope Types:
  • project

Create a metering label rule

get_metering_label_rule
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /metering/metering-label-rules

  • GET /metering/metering-label-rules/{id}

Scope Types:
  • project

Get a metering label rule

delete_metering_label_rule
Default:

(rule:admin_only) or (role:manager and project_id:%(project_id)s)

Operations:
  • DELETE /metering/metering-label-rules/{id}

Scope Types:
  • project

Delete a metering label rule

create_ndp_proxy
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /ndp_proxies

Scope Types:
  • project

Create a ndp proxy

get_ndp_proxy
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /ndp_proxies

  • GET /ndp_proxies/{id}

Scope Types:
  • project

Get a ndp proxy

update_ndp_proxy
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /ndp_proxies/{id}

Scope Types:
  • project

Update a ndp proxy

delete_ndp_proxy
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /ndp_proxies/{id}

Scope Types:
  • project

Delete a ndp proxy

external
Default:

field:networks:router:external=True

Definition of an external network

create_network
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /networks

Scope Types:
  • project

Create a network

create_network:shared
Default:

rule:admin_only

Operations:
  • POST /networks

Scope Types:
  • project

Create a shared network

create_network:router:external
Default:

rule:admin_only

Operations:
  • POST /networks

Scope Types:
  • project

Create an external network

create_network:is_default
Default:

rule:admin_only

Operations:
  • POST /networks

Scope Types:
  • project

Specify is_default attribute when creating a network

create_network:port_security_enabled
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /networks

Scope Types:
  • project

Specify port_security_enabled attribute when creating a network

create_network:segments
Default:

rule:admin_only

Operations:
  • POST /networks

Scope Types:
  • project

Specify segments attribute when creating a network

create_network:provider:network_type
Default:

rule:admin_only

Operations:
  • POST /networks

Scope Types:
  • project

Specify provider:network_type when creating a network

create_network:provider:physical_network
Default:

rule:admin_only

Operations:
  • POST /networks

Scope Types:
  • project

Specify provider:physical_network when creating a network

create_network:provider:segmentation_id
Default:

rule:admin_only

Operations:
  • POST /networks

Scope Types:
  • project

Specify provider:segmentation_id when creating a network

create_networks_tags
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /networks/{id}/tags

Scope Types:
  • project

Create the network tags

get_network
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:service_api or rule:shared or rule:external or rule:context_is_advsvc

Operations:
  • GET /networks

  • GET /networks/{id}

Scope Types:
  • project

Get a network

get_network:segments
Default:

rule:admin_only

Operations:
  • GET /networks

  • GET /networks/{id}

Scope Types:
  • project

Get segments attribute of a network

get_network:provider:network_type
Default:

rule:admin_only

Operations:
  • GET /networks

  • GET /networks/{id}

Scope Types:
  • project

Get provider:network_type attribute of a network

get_network:provider:physical_network
Default:

rule:admin_only

Operations:
  • GET /networks

  • GET /networks/{id}

Scope Types:
  • project

Get provider:physical_network attribute of a network

get_network:provider:segmentation_id
Default:

rule:admin_only

Operations:
  • GET /networks

  • GET /networks/{id}

Scope Types:
  • project

Get provider:segmentation_id attribute of a network

get_networks_tags
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc

Operations:
  • GET /networks/{id}/tags

  • GET /networks/{id}/tags/{tag_id}

Scope Types:
  • project

Get the network tags

update_network
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /networks/{id}

Scope Types:
  • project

Update a network

update_network:segments
Default:

rule:admin_only

Operations:
  • PUT /networks/{id}

Scope Types:
  • project

Update segments attribute of a network

update_network:shared
Default:

rule:admin_only

Operations:
  • PUT /networks/{id}

Scope Types:
  • project

Update shared attribute of a network

update_network:provider:network_type
Default:

rule:admin_only

Operations:
  • PUT /networks/{id}

Scope Types:
  • project

Update provider:network_type attribute of a network

update_network:provider:physical_network
Default:

rule:admin_only

Operations:
  • PUT /networks/{id}

Scope Types:
  • project

Update provider:physical_network attribute of a network

update_network:provider:segmentation_id
Default:

rule:admin_only

Operations:
  • PUT /networks/{id}

Scope Types:
  • project

Update provider:segmentation_id attribute of a network

update_network:router:external
Default:

rule:admin_only

Operations:
  • PUT /networks/{id}

Scope Types:
  • project

Update router:external attribute of a network

update_network:is_default
Default:

rule:admin_only

Operations:
  • PUT /networks/{id}

Scope Types:
  • project

Update is_default attribute of a network

update_network:port_security_enabled
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /networks/{id}

Scope Types:
  • project

Update port_security_enabled attribute of a network

update_networks_tags
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /networks/{id}/tags

  • PUT /networks/{id}/tags/{tag_id}

Scope Types:
  • project

Update the network tags

delete_network
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /networks/{id}

Scope Types:
  • project

Delete a network

delete_networks_tags
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /networks/{id}/tags

  • DELETE /networks/{id}/tags/{tag_id}

Scope Types:
  • project

Delete the network tags

get_network_ip_availability
Default:

rule:admin_only

Operations:
  • GET /network-ip-availabilities

  • GET /network-ip-availabilities/{network_id}

Scope Types:
  • project

Get network IP availability

create_network_segment_range
Default:

rule:admin_only

Operations:
  • POST /network_segment_ranges

Scope Types:
  • project

Create a network segment range

create_network_segment_ranges_tags
Default:

rule:admin_only

Operations:
  • POST /network_segment_ranges/{id}/tags

Scope Types:
  • project

Create the network segment range tags

get_network_segment_range
Default:

rule:admin_only

Operations:
  • GET /network_segment_ranges

  • GET /network_segment_ranges/{id}

Scope Types:
  • project

Get a network segment range

get_network_segment_ranges_tags
Default:

rule:admin_only

Operations:
  • GET /network_segment_ranges/{id}/tags

  • GET /network_segment_ranges/{id}/tags/{tag_id}

Scope Types:
  • project

Get the network segment range tags

update_network_segment_range
Default:

rule:admin_only

Operations:
  • PUT /network_segment_ranges/{id}

Scope Types:
  • project

Update a network segment range

update_network_segment_ranges_tags
Default:

rule:admin_only

Operations:
  • PUT /network_segment_ranges/{id}/tags

  • PUT /network_segment_ranges/{id}/tags/{tag_id}

Scope Types:
  • project

Update the network segment range tags

delete_network_segment_range
Default:

rule:admin_only

Operations:
  • DELETE /network_segment_ranges/{id}

Scope Types:
  • project

Delete a network segment range

delete_network_segment_ranges_tags
Default:

rule:admin_only

Operations:
  • DELETE /network_segment_ranges/{id}/tags

  • DELETE /network_segment_ranges/{id}/tags/{tag_id}

Scope Types:
  • project

Delete the network segment range tags

get_port_binding
Default:

(rule:admin_only) or (rule:service_api)

Operations:
  • GET /ports/{port_id}/bindings/

Scope Types:
  • project

Get port binding information

create_port_binding
Default:

rule:service_api

Operations:
  • POST /ports/{port_id}/bindings/

Scope Types:
  • project

Create port binding on the host

delete_port_binding
Default:

rule:service_api

Operations:
  • DELETE /ports/{port_id}/bindings/

Scope Types:
  • project

Delete port binding on the host

activate
Default:

rule:service_api

Operations:
  • PUT /ports/{port_id}/bindings/{host}

Scope Types:
  • project

Activate port binding on the host

network_device
Default:

field:port:device_owner=~^network:

Definition of port with network device_owner

admin_or_data_plane_int
Default:

rule:context_is_admin or role:data_plane_integrator

Rule for data plane integration

create_port
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api

Operations:
  • POST /ports

Scope Types:
  • project

Create a port

create_port:device_owner
Default:

not rule:network_device or (rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner

Operations:
  • POST /ports

Scope Types:
  • project

Specify device_owner attribute when creating a port

create_port:mac_address
Default:

(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner

Operations:
  • POST /ports

Scope Types:
  • project

Specify mac_address attribute when creating a port

create_port:fixed_ips
Default:

(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or rule:shared

Operations:
  • POST /ports

Scope Types:
  • project

Specify fixed_ips information when creating a port

create_port:fixed_ips:ip_address
Default:

(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner

Operations:
  • POST /ports

Scope Types:
  • project

Specify IP address in fixed_ips when creating a port

create_port:fixed_ips:subnet_id
Default:

(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or rule:shared

Operations:
  • POST /ports

Scope Types:
  • project

Specify subnet ID in fixed_ips when creating a port

create_port:port_security_enabled
Default:

(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner

Operations:
  • POST /ports

Scope Types:
  • project

Specify port_security_enabled attribute when creating a port

create_port:binding:host_id
Default:

(rule:admin_only) or (rule:service_api)

Operations:
  • POST /ports

Scope Types:
  • project

Specify binding:host_id attribute when creating a port

create_port:binding:profile
Default:

rule:service_api

Operations:
  • POST /ports

Scope Types:
  • project

Specify binding:profile attribute when creating a port

create_port:binding:vnic_type
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api

Operations:
  • POST /ports

Scope Types:
  • project

Specify binding:vnic_type attribute when creating a port

create_port:allowed_address_pairs
Default:

(rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s

Operations:
  • POST /ports

Scope Types:
  • project

Specify allowed_address_pairs attribute when creating a port

create_port:allowed_address_pairs:mac_address
Default:

(rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s

Operations:
  • POST /ports

Scope Types:
  • project

Specify mac_address` of `allowed_address_pairs attribute when creating a port

create_port:allowed_address_pairs:ip_address
Default:

(rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s

Operations:
  • POST /ports

Scope Types:
  • project

Specify ip_address of allowed_address_pairs attribute when creating a port

create_port:hints
Default:

rule:admin_only

Operations:
  • POST /ports

Scope Types:
  • project

Specify hints attribute when creating a port

create_port:trusted
Default:

rule:admin_only

Operations:
  • POST /ports

Scope Types:
  • project

Specify trusted attribute when creating a port

create_ports_tags
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc

Operations:
  • POST /ports/{id}/tags

Scope Types:
  • project

Create the port tags

get_port
Default:

(rule:admin_only) or (rule:service_api) or role:reader and rule:network_owner or role:reader and project_id:%(project_id)s

Operations:
  • GET /ports

  • GET /ports/{id}

Scope Types:
  • project

Get a port

get_port:binding:vif_type
Default:

(rule:admin_only) or (rule:service_api)

Operations:
  • GET /ports

  • GET /ports/{id}

Scope Types:
  • project

Get binding:vif_type attribute of a port

get_port:binding:vif_details
Default:

(rule:admin_only) or (rule:service_api)

Operations:
  • GET /ports

  • GET /ports/{id}

Scope Types:
  • project

Get binding:vif_details attribute of a port

get_port:binding:host_id
Default:

(rule:admin_only) or (rule:service_api)

Operations:
  • GET /ports

  • GET /ports/{id}

Scope Types:
  • project

Get binding:host_id attribute of a port

get_port:binding:profile
Default:

(rule:admin_only) or (rule:service_api)

Operations:
  • GET /ports

  • GET /ports/{id}

Scope Types:
  • project

Get binding:profile attribute of a port

get_port:resource_request
Default:

rule:admin_only

Operations:
  • GET /ports

  • GET /ports/{id}

Scope Types:
  • project

Get resource_request attribute of a port

get_port:hints
Default:

rule:admin_only

Operations:
  • GET /ports

  • GET /ports/{id}

Scope Types:
  • project

Get hints attribute of a port

get_port:trusted
Default:

rule:admin_only

Operations:
  • GET /ports

  • GET /ports/{id}

Scope Types:
  • project

Get trusted attribute of a port

get_ports_tags
Default:

rule:context_is_advsvc or (rule:admin_only) or (role:reader and rule:network_owner) or role:reader and project_id:%(project_id)s

Operations:
  • GET /ports/{id}/tags

  • GET /ports/{id}/tags/{tag_id}

Scope Types:
  • project

Get the port tags

update_port
Default:

(rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s

Operations:
  • PUT /ports/{id}

Scope Types:
  • project

Update a port

update_port:device_owner
Default:

not rule:network_device or (rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner

Operations:
  • PUT /ports/{id}

Scope Types:
  • project

Update device_owner attribute of a port

update_port:mac_address
Default:

(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s

Operations:
  • PUT /ports/{id}

Scope Types:
  • project

Update mac_address attribute of a port

update_port:fixed_ips
Default:

(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner

Operations:
  • PUT /ports/{id}

Scope Types:
  • project

Specify fixed_ips information when updating a port

update_port:fixed_ips:ip_address
Default:

(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner

Operations:
  • PUT /ports/{id}

Scope Types:
  • project

Specify IP address in fixed_ips information when updating a port

update_port:fixed_ips:subnet_id
Default:

(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or rule:shared

Operations:
  • PUT /ports/{id}

Scope Types:
  • project

Specify subnet ID in fixed_ips information when updating a port

update_port:port_security_enabled
Default:

(rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner

Operations:
  • PUT /ports/{id}

Scope Types:
  • project

Update port_security_enabled attribute of a port

update_port:binding:host_id
Default:

(rule:admin_only) or (rule:service_api)

Operations:
  • PUT /ports/{id}

Scope Types:
  • project

Update binding:host_id attribute of a port

update_port:binding:profile
Default:

rule:service_api

Operations:
  • PUT /ports/{id}

Scope Types:
  • project

Update binding:profile attribute of a port

update_port:binding:vnic_type
Default:

(rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s

Operations:
  • PUT /ports/{id}

Scope Types:
  • project

Update binding:vnic_type attribute of a port

update_port:allowed_address_pairs
Default:

(rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s

Operations:
  • PUT /ports/{id}

Scope Types:
  • project

Update allowed_address_pairs attribute of a port

update_port:allowed_address_pairs:mac_address
Default:

(rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s

Operations:
  • PUT /ports/{id}

Scope Types:
  • project

Update mac_address of allowed_address_pairs attribute of a port

update_port:allowed_address_pairs:ip_address
Default:

(rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s

Operations:
  • PUT /ports/{id}

Scope Types:
  • project

Update ip_address of allowed_address_pairs attribute of a port

update_port:data_plane_status
Default:

rule:admin_only or role:data_plane_integrator

Operations:
  • PUT /ports/{id}

Scope Types:
  • project

Update data_plane_status attribute of a port

update_port:hints
Default:

rule:admin_only

Operations:
  • PUT /ports/{id}

Scope Types:
  • project

Update hints attribute of a port

update_port:trusted
Default:

rule:admin_only

Operations:
  • PUT /ports/{id}

Scope Types:
  • project

Update trusted attribute of a port

update_ports_tags
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc

Operations:
  • PUT /ports/{id}/tags

  • PUT /ports/{id}/tags/{tag_id}

Scope Types:
  • project

Update the port tags

delete_port
Default:

(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or role:member and project_id:%(project_id)s

Operations:
  • DELETE /ports/{id}

Scope Types:
  • project

Delete a port

delete_ports_tags
Default:

rule:context_is_advsvc or role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)

Operations:
  • DELETE /ports/{id}/tags

  • DELETE /ports/{id}/tags/{tag_id}

Scope Types:
  • project

Delete the port tags

shared_qos_policy
Default:

field:policies:shared=True

Rule of shared qos policy

get_policy
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_qos_policy

Operations:
  • GET /qos/policies

  • GET /qos/policies/{id}

Scope Types:
  • project

Get QoS policies

get_policies_tags
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_qos_policy

Operations:
  • GET /qos/policies/{id}/tags

  • GET /qos/policies/{id}/tags/{tag_id}

Scope Types:
  • project

Get QoS policy tags

create_policy
Default:

(rule:admin_only) or (role:manager and project_id:%(project_id)s)

Operations:
  • POST /qos/policies

Scope Types:
  • project

Create a QoS policy

create_policies_tags
Default:

(rule:admin_only) or (role:manager and project_id:%(project_id)s)

Operations:
  • POST /qos/policies/{id}/tags

Scope Types:
  • project

Create the QoS policy tags

update_policy
Default:

(rule:admin_only) or (role:manager and project_id:%(project_id)s)

Operations:
  • PUT /qos/policies/{id}

Scope Types:
  • project

Update a QoS policy

update_policies_tags
Default:

(rule:admin_only) or (role:manager and project_id:%(project_id)s)

Operations:
  • PUT /qos/policies/{id}/tags

  • PUT /qos/policies/{id}/tags/{tag_id}

Scope Types:
  • project

Update the QoS policy tags

delete_policy
Default:

(rule:admin_only) or (role:manager and project_id:%(project_id)s)

Operations:
  • DELETE /qos/policies/{id}

Scope Types:
  • project

Delete a QoS policy

delete_policies_tags
Default:

(rule:admin_only) or (role:manager and project_id:%(project_id)s)

Operations:
  • DELETE /qos/policies/{id}/tags

  • DELETE /qos/policies/{id}/tags/{tag_id}

Scope Types:
  • project

Delete the QoS policy tags

get_rule_type
Default:

role:reader

Operations:
  • GET /qos/rule-types

  • GET /qos/rule-types/{rule_type}

Scope Types:
  • project

Get available QoS rule types

get_policy_bandwidth_limit_rule
Default:

(rule:admin_only) or (role:reader and rule:ext_parent_owner)

Operations:
  • GET /qos/policies/{policy_id}/bandwidth_limit_rules

  • GET /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}

Scope Types:
  • project

Get a QoS bandwidth limit rule

create_policy_bandwidth_limit_rule
Default:

(rule:admin_only) or (role:manager and rule:ext_parent_owner)

Operations:
  • POST /qos/policies/{policy_id}/bandwidth_limit_rules

Scope Types:
  • project

Create a QoS bandwidth limit rule

update_policy_bandwidth_limit_rule
Default:

(rule:admin_only) or (role:manager and rule:ext_parent_owner)

Operations:
  • PUT /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}

Scope Types:
  • project

Update a QoS bandwidth limit rule

delete_policy_bandwidth_limit_rule
Default:

(rule:admin_only) or (role:manager and rule:ext_parent_owner)

Operations:
  • DELETE /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}

Scope Types:
  • project

Delete a QoS bandwidth limit rule

get_policy_packet_rate_limit_rule
Default:

(rule:admin_only) or (role:reader and rule:ext_parent_owner)

Operations:
  • GET /qos/policies/{policy_id}/packet_rate_limit_rules

  • GET /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}

Scope Types:
  • project

Get a QoS packet rate limit rule

create_policy_packet_rate_limit_rule
Default:

(rule:admin_only) or (role:manager and rule:ext_parent_owner)

Operations:
  • POST /qos/policies/{policy_id}/packet_rate_limit_rules

Scope Types:
  • project

Create a QoS packet rate limit rule

update_policy_packet_rate_limit_rule
Default:

(rule:admin_only) or (role:manager and rule:ext_parent_owner)

Operations:
  • PUT /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}

Scope Types:
  • project

Update a QoS packet rate limit rule

delete_policy_packet_rate_limit_rule
Default:

(rule:admin_only) or (role:manager and rule:ext_parent_owner)

Operations:
  • DELETE /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}

Scope Types:
  • project

Delete a QoS packet rate limit rule

get_policy_dscp_marking_rule
Default:

(rule:admin_only) or (role:reader and rule:ext_parent_owner)

Operations:
  • GET /qos/policies/{policy_id}/dscp_marking_rules

  • GET /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}

Scope Types:
  • project

Get a QoS DSCP marking rule

create_policy_dscp_marking_rule
Default:

(rule:admin_only) or (role:manager and rule:ext_parent_owner)

Operations:
  • POST /qos/policies/{policy_id}/dscp_marking_rules

Scope Types:
  • project

Create a QoS DSCP marking rule

update_policy_dscp_marking_rule
Default:

(rule:admin_only) or (role:manager and rule:ext_parent_owner)

Operations:
  • PUT /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}

Scope Types:
  • project

Update a QoS DSCP marking rule

delete_policy_dscp_marking_rule
Default:

(rule:admin_only) or (role:manager and rule:ext_parent_owner)

Operations:
  • DELETE /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}

Scope Types:
  • project

Delete a QoS DSCP marking rule

get_policy_minimum_bandwidth_rule
Default:

(rule:admin_only) or (role:reader and rule:ext_parent_owner)

Operations:
  • GET /qos/policies/{policy_id}/minimum_bandwidth_rules

  • GET /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}

Scope Types:
  • project

Get a QoS minimum bandwidth rule

create_policy_minimum_bandwidth_rule
Default:

(rule:admin_only) or (role:manager and rule:ext_parent_owner)

Operations:
  • POST /qos/policies/{policy_id}/minimum_bandwidth_rules

Scope Types:
  • project

Create a QoS minimum bandwidth rule

update_policy_minimum_bandwidth_rule
Default:

(rule:admin_only) or (role:manager and rule:ext_parent_owner)

Operations:
  • PUT /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}

Scope Types:
  • project

Update a QoS minimum bandwidth rule

delete_policy_minimum_bandwidth_rule
Default:

(rule:admin_only) or (role:manager and rule:ext_parent_owner)

Operations:
  • DELETE /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}

Scope Types:
  • project

Delete a QoS minimum bandwidth rule

get_policy_minimum_packet_rate_rule
Default:

(rule:admin_only) or (role:reader and rule:ext_parent_owner)

Operations:
  • GET /qos/policies/{policy_id}/minimum_packet_rate_rules

  • GET /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}

Scope Types:
  • project

Get a QoS minimum packet rate rule

create_policy_minimum_packet_rate_rule
Default:

(rule:admin_only) or (role:manager and rule:ext_parent_owner)

Operations:
  • POST /qos/policies/{policy_id}/minimum_packet_rate_rules

Scope Types:
  • project

Create a QoS minimum packet rate rule

update_policy_minimum_packet_rate_rule
Default:

(rule:admin_only) or (role:manager and rule:ext_parent_owner)

Operations:
  • PUT /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}

Scope Types:
  • project

Update a QoS minimum packet rate rule

delete_policy_minimum_packet_rate_rule
Default:

(rule:admin_only) or (role:manager and rule:ext_parent_owner)

Operations:
  • DELETE /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}

Scope Types:
  • project

Delete a QoS minimum packet rate rule

get_alias_bandwidth_limit_rule
Default:

(rule:admin_only) or (role:reader and rule:ext_parent_owner)

Operations:
  • GET /qos/alias_bandwidth_limit_rules/{rule_id}/

Scope Types:
  • project

Get a QoS bandwidth limit rule through alias

update_alias_bandwidth_limit_rule
Default:

(rule:admin_only) or (role:manager and rule:ext_parent_owner)

Operations:
  • PUT /qos/alias_bandwidth_limit_rules/{rule_id}/

Scope Types:
  • project

Update a QoS bandwidth limit rule through alias

delete_alias_bandwidth_limit_rule
Default:

(rule:admin_only) or (role:manager and rule:ext_parent_owner)

Operations:
  • DELETE /qos/alias_bandwidth_limit_rules/{rule_id}/

Scope Types:
  • project

Delete a QoS bandwidth limit rule through alias

get_alias_dscp_marking_rule
Default:

(rule:admin_only) or (role:reader and rule:ext_parent_owner)

Operations:
  • GET /qos/alias_dscp_marking_rules/{rule_id}/

Scope Types:
  • project

Get a QoS DSCP marking rule through alias

update_alias_dscp_marking_rule
Default:

(rule:admin_only) or (role:manager and rule:ext_parent_owner)

Operations:
  • PUT /qos/alias_dscp_marking_rules/{rule_id}/

Scope Types:
  • project

Update a QoS DSCP marking rule through alias

delete_alias_dscp_marking_rule
Default:

(rule:admin_only) or (role:manager and rule:ext_parent_owner)

Operations:
  • DELETE /qos/alias_dscp_marking_rules/{rule_id}/

Scope Types:
  • project

Delete a QoS DSCP marking rule through alias

get_alias_minimum_bandwidth_rule
Default:

(rule:admin_only) or (role:reader and rule:ext_parent_owner)

Operations:
  • GET /qos/alias_minimum_bandwidth_rules/{rule_id}/

Scope Types:
  • project

Get a QoS minimum bandwidth rule through alias

update_alias_minimum_bandwidth_rule
Default:

(rule:admin_only) or (role:manager and rule:ext_parent_owner)

Operations:
  • PUT /qos/alias_minimum_bandwidth_rules/{rule_id}/

Scope Types:
  • project

Update a QoS minimum bandwidth rule through alias

delete_alias_minimum_bandwidth_rule
Default:

(rule:admin_only) or (role:manager and rule:ext_parent_owner)

Operations:
  • DELETE /qos/alias_minimum_bandwidth_rules/{rule_id}/

Scope Types:
  • project

Delete a QoS minimum bandwidth rule through alias

get_alias_minimum_packet_rate_rule
Default:

rule:get_policy_minimum_packet_rate_rule

Operations:
  • GET /qos/alias_minimum_packet_rate_rules/{rule_id}/

Scope Types:
  • project

Get a QoS minimum packet rate rule through alias

update_alias_minimum_packet_rate_rule
Default:

rule:update_policy_minimum_packet_rate_rule

Operations:
  • PUT /qos/alias_minimum_packet_rate_rules/{rule_id}/

Scope Types:
  • project

Update a QoS minimum packet rate rule through alias

delete_alias_minimum_packet_rate_rule
Default:

rule:delete_policy_minimum_packet_rate_rule

Operations:
  • DELETE /qos/alias_minimum_packet_rate_rules/{rule_id}/

Scope Types:
  • project

Delete a QoS minimum packet rate rule through alias

get_quota
Default:

(rule:admin_only) or (role:manager and project_id:%(project_id)s)

Operations:
  • GET /quota

  • GET /quota/{id}

Scope Types:
  • project

Get a resource quota

update_quota
Default:

rule:admin_only

Operations:
  • PUT /quota/{id}

Scope Types:
  • project

Update a resource quota

delete_quota
Default:

rule:admin_only

Operations:
  • DELETE /quota/{id}

Scope Types:
  • project

Delete a resource quota

restrict_wildcard
Default:

(not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*) or rule:admin_only

Definition of a wildcard target_project

create_rbac_policy
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /rbac-policies

Scope Types:
  • project

Create an RBAC policy

create_rbac_policy:target_tenant
Default:

rule:admin_only or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)

Operations:
  • POST /rbac-policies

Scope Types:
  • project

Specify target_tenant when creating an RBAC policy

create_rbac_policy:target_project
Default:

rule:admin_only or not field:rbac_policy:target_project=*

Operations:
  • POST /rbac-policies

Scope Types:
  • project

Specify target_project when creating an RBAC policy

update_rbac_policy
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /rbac-policies/{id}

Scope Types:
  • project

Update an RBAC policy

update_rbac_policy:target_tenant
Default:

rule:admin_only or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)

Operations:
  • PUT /rbac-policies/{id}

Scope Types:
  • project

Update target_tenant attribute of an RBAC policy

update_rbac_policy:target_project
Default:

rule:admin_only or not field:rbac_policy:target_project=*

Operations:
  • PUT /rbac-policies/{id}

Scope Types:
  • project

Update target_project attribute of an RBAC policy

get_rbac_policy
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /rbac-policies

  • GET /rbac-policies/{id}

Scope Types:
  • project

Get an RBAC policy

delete_rbac_policy
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /rbac-policies/{id}

Scope Types:
  • project

Delete an RBAC policy

create_router
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /routers

Scope Types:
  • project

Create a router

create_router:distributed
Default:

rule:admin_only

Operations:
  • POST /routers

Scope Types:
  • project

Specify distributed attribute when creating a router

create_router:ha
Default:

rule:admin_only

Operations:
  • POST /routers

Scope Types:
  • project

Specify ha attribute when creating a router

create_router:external_gateway_info
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /routers

Scope Types:
  • project

Specify external_gateway_info information when creating a router

create_router:external_gateway_info:network_id
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /routers

Scope Types:
  • project

Specify network_id in external_gateway_info information when creating a router

create_router:external_gateway_info:enable_snat
Default:

rule:admin_only

Operations:
  • POST /routers

Scope Types:
  • project

Specify enable_snat in external_gateway_info information when creating a router

create_router:external_gateway_info:external_fixed_ips
Default:

rule:admin_only

Operations:
  • POST /routers

Scope Types:
  • project

Specify external_fixed_ips in external_gateway_info information when creating a router

create_router:enable_default_route_bfd
Default:

rule:admin_only

Operations:
  • POST /routers

Scope Types:
  • project

Specify enable_default_route_bfd attribute when creating a router

create_router:enable_default_route_ecmp
Default:

rule:admin_only

Operations:
  • POST /routers

Scope Types:
  • project

Specify enable_default_route_ecmp attribute when creating a router

create_routers_tags
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /routers/{id}/tags

Scope Types:
  • project

Create the router tags

get_router
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /routers

  • GET /routers/{id}

Scope Types:
  • project

Get a router

get_router:distributed
Default:

rule:admin_only

Operations:
  • GET /routers

  • GET /routers/{id}

Scope Types:
  • project

Get distributed attribute of a router

get_router:ha
Default:

rule:admin_only

Operations:
  • GET /routers

  • GET /routers/{id}

Scope Types:
  • project

Get ha attribute of a router

get_routers_tags
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /routers/{id}/tags

  • GET /routers/{id}/tags/{tag_id}

Scope Types:
  • project

Get the router tags

update_router
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /routers/{id}

Scope Types:
  • project

Update a router

update_router:distributed
Default:

rule:admin_only

Operations:
  • PUT /routers/{id}

Scope Types:
  • project

Update distributed attribute of a router

update_router:ha
Default:

rule:admin_only

Operations:
  • PUT /routers/{id}

Scope Types:
  • project

Update ha attribute of a router

update_router:external_gateway_info
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /routers/{id}

Scope Types:
  • project

Update external_gateway_info information of a router

update_router:external_gateway_info:network_id
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /routers/{id}

Scope Types:
  • project

Update network_id attribute of external_gateway_info information of a router

update_router:external_gateway_info:enable_snat
Default:

rule:admin_only

Operations:
  • PUT /routers/{id}

Scope Types:
  • project

Update enable_snat attribute of external_gateway_info information of a router

update_router:external_gateway_info:external_fixed_ips
Default:

rule:admin_only

Operations:
  • PUT /routers/{id}

Scope Types:
  • project

Update external_fixed_ips attribute of external_gateway_info information of a router

update_router:enable_default_route_bfd
Default:

rule:admin_only

Operations:
  • POST /routers

Scope Types:
  • project

Specify enable_default_route_bfd attribute when updating a router

update_router:enable_default_route_ecmp
Default:

rule:admin_only

Operations:
  • POST /routers

Scope Types:
  • project

Specify enable_default_route_ecmp attribute when updating a router

update_routers_tags
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /routers/{id}/tags

  • PUT /routers/{id}/tags/{tag_id}

Scope Types:
  • project

Update the router tags

delete_router
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /routers/{id}

Scope Types:
  • project

Delete a router

delete_routers_tags
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /routers/{id}/tags

  • DELETE /routers/{id}/tags/{tag_id}

Scope Types:
  • project

Delete the router tags

add_router_interface
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /routers/{id}/add_router_interface

Scope Types:
  • project

Add an interface to a router

remove_router_interface
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /routers/{id}/remove_router_interface

Scope Types:
  • project

Remove an interface from a router

add_extraroutes
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /routers/{id}/add_extraroutes

Scope Types:
  • project

Add extra route to a router

remove_extraroutes
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /routers/{id}/remove_extraroutes

Scope Types:
  • project

Remove extra route from a router

admin_or_sg_owner
Default:

rule:context_is_admin or tenant_id:%(security_group:tenant_id)s

Rule for admin or security group owner access

admin_owner_or_sg_owner
Default:

rule:owner or rule:admin_or_sg_owner

Rule for resource owner, admin or security group owner access

shared_security_group
Default:

field:security_groups:shared=True

Definition of a shared security group

rule_default_sg
Default:

field:security_group_rules:belongs_to_default_sg=True

Definition of a security group rule that belongs to the project default security group

create_security_group
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /security-groups

Scope Types:
  • project

Create a security group

create_security_groups_tags
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /security-groups/{id}/tags

Scope Types:
  • project

Create the security group tags

get_security_group
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_security_group

Operations:
  • GET /security-groups

  • GET /security-groups/{id}

Scope Types:
  • project

Get a security group

get_security_groups_tags
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_security_group

Operations:
  • GET /security-groups/{id}/tags

  • GET /security-groups/{id}/tags/{tag_id}

Scope Types:
  • project

Get the security group tags

update_security_group
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /security-groups/{id}

Scope Types:
  • project

Update a security group

update_security_groups_tags
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /security-groups/{id}/tags

  • PUT /security-groups/{id}/tags/{tag_id}

Scope Types:
  • project

Update the security group tags

delete_security_group
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /security-groups/{id}

Scope Types:
  • project

Delete a security group

delete_security_groups_tags
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /security-groups/{id}/tags

  • DELETE /security-groups/{id}/tags/{tag_id}

Scope Types:
  • project

Delete the security group tags

create_security_group_rule
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /security-group-rules

Scope Types:
  • project

Create a security group rule

get_security_group_rule
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:sg_owner

Operations:
  • GET /security-group-rules

  • GET /security-group-rules/{id}

Scope Types:
  • project

Get a security group rule

delete_security_group_rule
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /security-group-rules/{id}

Scope Types:
  • project

Delete a security group rule

create_segment
Default:

rule:admin_only

Operations:
  • POST /segments

Scope Types:
  • project

Create a segment

create_segments_tags
Default:

rule:admin_only

Operations:
  • POST /segments/{id}/tags

Scope Types:
  • project

Create the segment tags

get_segment
Default:

rule:admin_only

Operations:
  • GET /segments

  • GET /segments/{id}

Scope Types:
  • project

Get a segment

get_segments_tags
Default:

rule:admin_only

Operations:
  • GET /segments/{id}/tags

  • GET /segments/{id}/tags/{tag_id}

Scope Types:
  • project

Get the segment tags

update_segment
Default:

rule:admin_only

Operations:
  • PUT /segments/{id}

Scope Types:
  • project

Update a segment

update_segments_tags
Default:

rule:admin_only

Operations:
  • PUT /segments/{id}/tags

  • PUT /segments/{id}/tags/{tag_id}

Scope Types:
  • project

Update the segment tags

delete_segment
Default:

rule:admin_only

Operations:
  • DELETE /segments/{id}

Scope Types:
  • project

Delete a segment

delete_segments_tags
Default:

rule:admin_only

Operations:
  • DELETE /segments/{id}/tags

  • DELETE /segments/{id}/tags/{tag_id}

Scope Types:
  • project

Delete the segment tags

get_service_provider
Default:

role:reader

Operations:
  • GET /service-providers

Scope Types:
  • project

Get service providers

external_network
Default:

field:subnets:router:external=True

Definition of a subnet that belongs to an external network

create_subnet
Default:

(rule:admin_only) or (role:member and rule:network_owner)

Operations:
  • POST /subnets

Scope Types:
  • project

Create a subnet

create_subnet:segment_id
Default:

rule:admin_only

Operations:
  • POST /subnets

Scope Types:
  • project

Specify segment_id attribute when creating a subnet

create_subnet:service_types
Default:

rule:admin_only

Operations:
  • POST /subnets

Scope Types:
  • project

Specify service_types attribute when creating a subnet

create_subnets_tags
Default:

role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)

Operations:
  • POST /subnets/{id}/tags

Scope Types:
  • project

Create the subnet tags

get_subnet
Default:

role:reader and project_id:%(project_id)s or rule:shared or rule:external_network or (rule:admin_only) or (role:member and rule:network_owner)

Operations:
  • GET /subnets

  • GET /subnets/{id}

Scope Types:
  • project

Get a subnet

get_subnet:segment_id
Default:

rule:admin_only

Operations:
  • GET /subnets

  • GET /subnets/{id}

Scope Types:
  • project

Get segment_id attribute of a subnet

get_subnets_tags
Default:

role:reader and project_id:%(project_id)s or rule:shared or rule:external_network or (rule:admin_only) or (role:member and rule:network_owner)

Operations:
  • GET /subnets/{id}/tags

  • GET /subnets/{id}/tags/{tag_id}

Scope Types:
  • project

Get the subnet tags

update_subnet
Default:

role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)

Operations:
  • PUT /subnets/{id}

Scope Types:
  • project

Update a subnet

update_subnet:segment_id
Default:

rule:admin_only

Operations:
  • PUT /subnets/{id}

Scope Types:
  • project

Update segment_id attribute of a subnet

update_subnet:service_types
Default:

rule:admin_only

Operations:
  • PUT /subnets/{id}

Scope Types:
  • project

Update service_types attribute of a subnet

update_subnets_tags
Default:

role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)

Operations:
  • PUT /subnets/{id}/tags

  • PUT /subnets/{id}/tags/{tag_id}

Scope Types:
  • project

Update the subnet tags

delete_subnet
Default:

role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)

Operations:
  • DELETE /subnets/{id}

Scope Types:
  • project

Delete a subnet

delete_subnets_tags
Default:

role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)

Operations:
  • DELETE /subnets/{id}/tags

  • DELETE /subnets/{id}/tags/{tag_id}

Scope Types:
  • project

Delete the subnet tags

shared_subnetpools
Default:

field:subnetpools:shared=True

Definition of a shared subnetpool

create_subnetpool
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /subnetpools

Scope Types:
  • project

Create a subnetpool

create_subnetpool:shared
Default:

rule:admin_only

Operations:
  • POST /subnetpools

Scope Types:
  • project

Create a shared subnetpool

create_subnetpool:is_default
Default:

rule:admin_only

Operations:
  • POST /subnetpools

Scope Types:
  • project

Specify is_default attribute when creating a subnetpool

create_subnetpools_tags
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /subnetpools/{id}/tags

Scope Types:
  • project

Create the subnetpool tags

get_subnetpool
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools

Operations:
  • GET /subnetpools

  • GET /subnetpools/{id}

Scope Types:
  • project

Get a subnetpool

get_subnetpools_tags
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools

Operations:
  • GET /subnetpools/{id}/tags

  • GET /subnetpools/{id}/tags/{tag_id}

Scope Types:
  • project

Get the subnetpool tags

update_subnetpool
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /subnetpools/{id}

Scope Types:
  • project

Update a subnetpool

update_subnetpool:is_default
Default:

rule:admin_only

Operations:
  • PUT /subnetpools/{id}

Scope Types:
  • project

Update is_default attribute of a subnetpool

update_subnetpools_tags
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /subnetpools/{id}/tags

  • PUT /subnetpools/{id}/tags/{tag_id}

Scope Types:
  • project

Update the subnetpool tags

delete_subnetpool
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /subnetpools/{id}

Scope Types:
  • project

Delete a subnetpool

delete_subnetpools_tags
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /subnetpools/{id}/tags

  • DELETE /subnetpools/{id}/tags/{tag_id}

Scope Types:
  • project

Delete the subnetpool tags

onboard_network_subnets
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /subnetpools/{id}/onboard_network_subnets

Scope Types:
  • project

Onboard existing subnet into a subnetpool

add_prefixes
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /subnetpools/{id}/add_prefixes

Scope Types:
  • project

Add prefixes to a subnetpool

remove_prefixes
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /subnetpools/{id}/remove_prefixes

Scope Types:
  • project

Remove unallocated prefixes from a subnetpool

create_trunk
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /trunks

Scope Types:
  • project

Create a trunk

create_trunks_tags
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • POST /trunks/{id}/tags

Scope Types:
  • project

Create the trunk tags

get_trunk
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /trunks

  • GET /trunks/{id}

Scope Types:
  • project

Get a trunk

get_trunks_tags
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /trunks/{id}/tags

  • GET /trunks/{id}/tags/{tag_id}

Scope Types:
  • project

Get the trunk tags

update_trunk
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /trunks/{id}

Scope Types:
  • project

Update a trunk

update_trunks_tags
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /trunks/{id}/tags

  • PUT /trunks/{id}/tags/{tag_id}

Scope Types:
  • project

Update the trunk tags

delete_trunk
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /trunks/{id}

Scope Types:
  • project

Delete a trunk

delete_trunks_tags
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • DELETE /trunks/{id}/tags

  • DELETE /trunks/{id}/tags/{tag_id}

Scope Types:
  • project

Delete a trunk

get_subports
Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:
  • GET /trunks/{id}/get_subports

Scope Types:
  • project

List subports attached to a trunk

add_subports
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /trunks/{id}/add_subports

Scope Types:
  • project

Add subports to a trunk

remove_subports
Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:
  • PUT /trunks/{id}/remove_subports

Scope Types:
  • project

Delete subports from a trunk