Policy Reference
Neutron, like most OpenStack projects, uses a policy language to restrict permissions on REST API actions.
The following is an overview of all available policies in neutron.
For a sample policy file, refer to Sample Policy File.
neutron
context_is_admin- Default
role:admin
Rule for cloud admin access
owner- Default
tenant_id:%(tenant_id)s
Rule for resource owner access
admin_or_owner- Default
rule:context_is_admin or rule:owner
Rule for admin or owner access
context_is_advsvc- Default
role:advsvc
Rule for advsvc role access
admin_or_network_owner- Default
rule:context_is_admin or tenant_id:%(network:tenant_id)s
Rule for admin or network owner access
admin_owner_or_network_owner- Default
rule:owner or rule:admin_or_network_owner
Rule for resource owner, admin or network owner access
admin_only- Default
rule:context_is_admin
Rule for admin-only access
regular_user- Default
<empty string>
Rule for regular user access
shared- Default
field:networks:shared=True
Rule of shared network
default- Default
rule:admin_or_owner
Default access rule
admin_or_ext_parent_owner- Default
rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s
Rule for common parent owner check
shared_address_scopes- Default
field:address_scopes:shared=True
Definition of a shared address scope
create_address_scope- Default
rule:regular_user- Operations
POST
/address-scopes
Create an address scope
create_address_scope:shared- Default
rule:admin_only- Operations
POST
/address-scopes
Create a shared address scope
get_address_scope- Default
rule:admin_or_owner or rule:shared_address_scopes- Operations
GET
/address-scopes
GET
/address-scopes/{id}
Get an address scope
update_address_scope- Default
rule:admin_or_owner- Operations
PUT
/address-scopes/{id}
Update an address scope
update_address_scope:shared- Default
rule:admin_only- Operations
PUT
/address-scopes/{id}
Update shared attribute of an address scope
delete_address_scope- Default
rule:admin_or_owner- Operations
DELETE
/address-scopes/{id}
Delete an address scope
get_agent- Default
rule:admin_only- Operations
GET
/agents
GET
/agents/{id}
Get an agent
update_agent- Default
rule:admin_only- Operations
PUT
/agents/{id}
Update an agent
delete_agent- Default
rule:admin_only- Operations
DELETE
/agents/{id}
Delete an agent
create_dhcp-network- Default
rule:admin_only- Operations
POST
/agents/{agent_id}/dhcp-networks
Add a network to a DHCP agent
get_dhcp-networks- Default
rule:admin_only- Operations
GET
/agents/{agent_id}/dhcp-networks
List networks on a DHCP agent
delete_dhcp-network- Default
rule:admin_only- Operations
DELETE
/agents/{agent_id}/dhcp-networks/{network_id}
Remove a network from a DHCP agent
create_l3-router- Default
rule:admin_only- Operations
POST
/agents/{agent_id}/l3-routers
Add a router to an L3 agent
get_l3-routers- Default
rule:admin_only- Operations
GET
/agents/{agent_id}/l3-routers
List routers on an L3 agent
delete_l3-router- Default
rule:admin_only- Operations
DELETE
/agents/{agent_id}/l3-routers/{router_id}
Remove a router from an L3 agent
get_dhcp-agents- Default
rule:admin_only- Operations
GET
/networks/{network_id}/dhcp-agents
List DHCP agents hosting a network
get_l3-agents- Default
rule:admin_only- Operations
GET
/routers/{router_id}/l3-agents
List L3 agents hosting a router
get_auto_allocated_topology- Default
rule:admin_or_owner- Operations
GET
/auto-allocated-topology/{project_id}
Get a project’s auto-allocated topology
delete_auto_allocated_topology- Default
rule:admin_or_owner- Operations
DELETE
/auto-allocated-topology/{project_id}
Delete a project’s auto-allocated topology
get_availability_zone- Default
rule:regular_user- Operations
GET
/availability_zones
List availability zones
create_flavor- Default
rule:admin_only- Operations
POST
/flavors
Create a flavor
get_flavor- Default
rule:regular_user- Operations
GET
/flavors
GET
/flavors/{id}
Get a flavor
update_flavor- Default
rule:admin_only- Operations
PUT
/flavors/{id}
Update a flavor
delete_flavor- Default
rule:admin_only- Operations
DELETE
/flavors/{id}
Delete a flavor
create_service_profile- Default
rule:admin_only- Operations
POST
/service_profiles
Create a service profile
get_service_profile- Default
rule:admin_only- Operations
GET
/service_profiles
GET
/service_profiles/{id}
Get a service profile
update_service_profile- Default
rule:admin_only- Operations
PUT
/service_profiles/{id}
Update a service profile
delete_service_profile- Default
rule:admin_only- Operations
DELETE
/service_profiles/{id}
Delete a service profile
get_flavor_service_profile- Default
rule:regular_user
Get a flavor associated with a given service profile. There is currently no corresponding GET operation in the API. This rule is currently referenced only in the DELETE of flavor_service_profile.
create_flavor_service_profile- Default
rule:admin_only- Operations
POST
/flavors/{flavor_id}/service_profiles
Associate a flavor with a service profile
delete_flavor_service_profile- Default
rule:admin_only- Operations
DELETE
/flavors/{flavor_id}/service_profiles/{profile_id}
Disassociate a flavor from a service profile
create_floatingip- Default
rule:regular_user- Operations
POST
/floatingips
Create a floating IP
create_floatingip:floating_ip_address- Default
rule:admin_only- Operations
POST
/floatingips
Create a floating IP with a specific IP address
get_floatingip- Default
rule:admin_or_owner- Operations
GET
/floatingips
GET
/floatingips/{id}
Get a floating IP
update_floatingip- Default
rule:admin_or_owner- Operations
PUT
/floatingips/{id}
Update a floating IP
delete_floatingip- Default
rule:admin_or_owner- Operations
DELETE
/floatingips/{id}
Delete a floating IP
get_floatingip_pool- Default
rule:regular_user- Operations
GET
/floatingip_pools
Get floating IP pools
create_floatingip_port_forwarding- Default
rule:admin_or_ext_parent_owner- Operations
POST
/floatingips/{floatingip_id}/port_forwardings
Create a floating IP port forwarding
get_floatingip_port_forwarding- Default
rule:admin_or_ext_parent_owner- Operations
GET
/floatingips/{floatingip_id}/port_forwardings
GET
/floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
Get a floating IP port forwarding
update_floatingip_port_forwarding- Default
rule:admin_or_ext_parent_owner- Operations
PUT
/floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
Update a floating IP port forwarding
delete_floatingip_port_forwarding- Default
rule:admin_or_ext_parent_owner- Operations
DELETE
/floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
Delete a floating IP port forwarding
create_router_conntrack_helper- Default
rule:admin_or_ext_parent_owner- Operations
POST
/routers/{router_id}/conntrack_helpers
Create a router conntrack helper
get_router_conntrack_helper- Default
rule:admin_or_ext_parent_owner- Operations
GET
/routers/{router_id}/conntrack_helpers
GET
/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
Get a router conntrack helper
update_router_conntrack_helper- Default
rule:admin_or_ext_parent_owner- Operations
PUT
/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
Update a router conntrack helper
delete_router_conntrack_helper- Default
rule:admin_or_ext_parent_owner- Operations
DELETE
/routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
Delete a router conntrack helper
get_loggable_resource- Default
rule:admin_only- Operations
GET
/log/loggable-resources
Get loggable resources
create_log- Default
rule:admin_only- Operations
POST
/log/logs
Create a network log
get_log- Default
rule:admin_only- Operations
GET
/log/logs
GET
/log/logs/{id}
Get a network log
update_log- Default
rule:admin_only- Operations
PUT
/log/logs/{id}
Update a network log
delete_log- Default
rule:admin_only- Operations
DELETE
/log/logs/{id}
Delete a network log
create_metering_label- Default
rule:admin_only- Operations
POST
/metering/metering-labels
Create a metering label
get_metering_label- Default
rule:admin_only- Operations
GET
/metering/metering-labels
GET
/metering/metering-labels/{id}
Get a metering label
delete_metering_label- Default
rule:admin_only- Operations
DELETE
/metering/metering-labels/{id}
Delete a metering label
create_metering_label_rule- Default
rule:admin_only- Operations
POST
/metering/metering-label-rules
Create a metering label rule
get_metering_label_rule- Default
rule:admin_only- Operations
GET
/metering/metering-label-rules
GET
/metering/metering-label-rules/{id}
Get a metering label rule
delete_metering_label_rule- Default
rule:admin_only- Operations
DELETE
/metering/metering-label-rules/{id}
Delete a metering label rule
external- Default
field:networks:router:external=True
Definition of an external network
create_network- Default
rule:regular_user- Operations
POST
/networks
Create a network
create_network:shared- Default
rule:admin_only- Operations
POST
/networks
Create a shared network
create_network:router:external- Default
rule:admin_only- Operations
POST
/networks
Create an external network
create_network:is_default- Default
rule:admin_only- Operations
POST
/networks
Specify is_default attribute when creating a network
create_network:port_security_enabled- Default
rule:regular_user- Operations
POST
/networks
Specify port_security_enabled attribute when creating a network
create_network:segments- Default
rule:admin_only- Operations
POST
/networks
Specify segments attribute when creating a network
create_network:provider:network_type- Default
rule:admin_only- Operations
POST
/networks
Specify provider:network_type when creating a network
create_network:provider:physical_network- Default
rule:admin_only- Operations
POST
/networks
Specify provider:physical_network when creating a network
create_network:provider:segmentation_id- Default
rule:admin_only- Operations
POST
/networks
Specify provider:segmentation_id when creating a network
get_network- Default
rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc- Operations
GET
/networks
GET
/networks/{id}
Get a network
get_network:router:external- Default
rule:regular_user- Operations
GET
/networks
GET
/networks/{id}
Get router:external attribute of a network
get_network:segments- Default
rule:admin_only- Operations
GET
/networks
GET
/networks/{id}
Get segments attribute of a network
get_network:provider:network_type- Default
rule:admin_only- Operations
GET
/networks
GET
/networks/{id}
Get provider:network_type attribute of a network
get_network:provider:physical_network- Default
rule:admin_only- Operations
GET
/networks
GET
/networks/{id}
Get provider:physical_network attribute of a network
get_network:provider:segmentation_id- Default
rule:admin_only- Operations
GET
/networks
GET
/networks/{id}
Get provider:segmentation_id attribute of a network
update_network- Default
rule:admin_or_owner- Operations
PUT
/networks/{id}
Update a network
update_network:segments- Default
rule:admin_only- Operations
PUT
/networks/{id}
Update segments attribute of a network
update_network:shared- Default
rule:admin_only- Operations
PUT
/networks/{id}
Update shared attribute of a network
update_network:provider:network_type- Default
rule:admin_only- Operations
PUT
/networks/{id}
Update provider:network_type attribute of a network
update_network:provider:physical_network- Default
rule:admin_only- Operations
PUT
/networks/{id}
Update provider:physical_network attribute of a network
update_network:provider:segmentation_id- Default
rule:admin_only- Operations
PUT
/networks/{id}
Update provider:segmentation_id attribute of a network
update_network:router:external- Default
rule:admin_only- Operations
PUT
/networks/{id}
Update router:external attribute of a network
update_network:is_default- Default
rule:admin_only- Operations
PUT
/networks/{id}
Update is_default attribute of a network
update_network:port_security_enabled- Default
rule:admin_or_owner- Operations
PUT
/networks/{id}
Update port_security_enabled attribute of a network
delete_network- Default
rule:admin_or_owner- Operations
DELETE
/networks/{id}
Delete a network
get_network_ip_availability- Default
rule:admin_only- Operations
GET
/network-ip-availabilities
GET
/network-ip-availabilities/{network_id}
Get network IP availability
create_network_segment_range- Default
rule:admin_only- Operations
POST
/network_segment_ranges
Create a network segment range
get_network_segment_range- Default
rule:admin_only- Operations
GET
/network_segment_ranges
GET
/network_segment_ranges/{id}
Get a network segment range
update_network_segment_range- Default
rule:admin_only- Operations
PUT
/network_segment_ranges/{id}
Update a network segment range
delete_network_segment_range- Default
rule:admin_only- Operations
DELETE
/network_segment_ranges/{id}
Delete a network segment range
network_device- Default
field:port:device_owner=~^network:
Definition of port with network device_owner
admin_or_data_plane_int- Default
rule:context_is_admin or role:data_plane_integrator
Rule for data plane integration
create_port- Default
rule:regular_user- Operations
POST
/ports
Create a port
create_port:device_owner- Default
not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner- Operations
POST
/ports
Specify device_owner attribute when creating a port
create_port:mac_address- Default
rule:context_is_advsvc or rule:admin_or_network_owner- Operations
POST
/ports
Specify mac_address attribute when creating a port
create_port:fixed_ips- Default
rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared- Operations
POST
/ports
Specify fixed_ips information when creating a port
create_port:fixed_ips:ip_address- Default
rule:context_is_advsvc or rule:admin_or_network_owner- Operations
POST
/ports
Specify IP address in fixed_ips when creating a port
create_port:fixed_ips:subnet_id- Default
rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared- Operations
POST
/ports
Specify subnet ID in fixed_ips when creating a port
create_port:port_security_enabled- Default
rule:context_is_advsvc or rule:admin_or_network_owner- Operations
POST
/ports
Specify port_security_enabled attribute when creating a port
create_port:binding:host_id- Default
rule:admin_only- Operations
POST
/ports
Specify binding:host_id attribute when creating a port
create_port:binding:profile- Default
rule:admin_only- Operations
POST
/ports
Specify binding:profile attribute when creating a port
create_port:binding:vnic_type- Default
rule:regular_user- Operations
POST
/ports
Specify binding:vnic_type attribute when creating a port
create_port:allowed_address_pairs- Default
rule:admin_or_network_owner- Operations
POST
/ports
Specify allowed_address_pairs attribute when creating a port
create_port:allowed_address_pairs:mac_address- Default
rule:admin_or_network_owner- Operations
POST
/ports
Specify mac_address of allowed_address_pairs attribute when creating a port
create_port:allowed_address_pairs:ip_address- Default
rule:admin_or_network_owner- Operations
POST
/ports
Specify ip_address of allowed_address_pairs attribute when creating a port
get_port- Default
rule:context_is_advsvc or rule:admin_owner_or_network_owner- Operations
GET
/ports
GET
/ports/{id}
Get a port
get_port:binding:vif_type- Default
rule:admin_only- Operations
GET
/ports
GET
/ports/{id}
Get binding:vif_type attribute of a port
get_port:binding:vif_details- Default
rule:admin_only- Operations
GET
/ports
GET
/ports/{id}
Get binding:vif_details attribute of a port
get_port:binding:host_id- Default
rule:admin_only- Operations
GET
/ports
GET
/ports/{id}
Get binding:host_id attribute of a port
get_port:binding:profile- Default
rule:admin_only- Operations
GET
/ports
GET
/ports/{id}
Get binding:profile attribute of a port
get_port:resource_request- Default
rule:admin_only- Operations
GET
/ports
GET
/ports/{id}
Get resource_request attribute of a port
update_port- Default
rule:admin_or_owner or rule:context_is_advsvc- Operations
PUT
/ports/{id}
Update a port
update_port:device_owner- Default
not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner- Operations
PUT
/ports/{id}
Update device_owner attribute of a port
update_port:mac_address- Default
rule:admin_only or rule:context_is_advsvc- Operations
PUT
/ports/{id}
Update mac_address attribute of a port
update_port:fixed_ips- Default
rule:context_is_advsvc or rule:admin_or_network_owner- Operations
PUT
/ports/{id}
Specify fixed_ips information when updating a port
update_port:fixed_ips:ip_address- Default
rule:context_is_advsvc or rule:admin_or_network_owner- Operations
PUT
/ports/{id}
Specify IP address in fixed_ips information when updating a port
update_port:fixed_ips:subnet_id- Default
rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared- Operations
PUT
/ports/{id}
Specify subnet ID in fixed_ips information when updating a port
update_port:port_security_enabled- Default
rule:context_is_advsvc or rule:admin_or_network_owner- Operations
PUT
/ports/{id}
Update port_security_enabled attribute of a port
update_port:binding:host_id- Default
rule:admin_only- Operations
PUT
/ports/{id}
Update binding:host_id attribute of a port
update_port:binding:profile- Default
rule:admin_only- Operations
PUT
/ports/{id}
Update binding:profile attribute of a port
update_port:binding:vnic_type- Default
rule:admin_or_owner or rule:context_is_advsvc- Operations
PUT
/ports/{id}
Update binding:vnic_type attribute of a port
update_port:allowed_address_pairs- Default
rule:admin_or_network_owner- Operations
PUT
/ports/{id}
Update allowed_address_pairs attribute of a port
update_port:allowed_address_pairs:mac_address- Default
rule:admin_or_network_owner- Operations
PUT
/ports/{id}
Update mac_address of allowed_address_pairs attribute of a port
update_port:allowed_address_pairs:ip_address- Default
rule:admin_or_network_owner- Operations
PUT
/ports/{id}
Update ip_address of allowed_address_pairs attribute of a port
update_port:data_plane_status- Default
rule:admin_or_data_plane_int- Operations
PUT
/ports/{id}
Update data_plane_status attribute of a port
delete_port- Default
rule:context_is_advsvc or rule:admin_owner_or_network_owner- Operations
DELETE
/ports/{id}
Delete a port
get_policy- Default
rule:regular_user- Operations
GET
/qos/policies
GET
/qos/policies/{id}
Get QoS policies
create_policy- Default
rule:admin_only- Operations
POST
/qos/policies
Create a QoS policy
update_policy- Default
rule:admin_only- Operations
PUT
/qos/policies/{id}
Update a QoS policy
delete_policy- Default
rule:admin_only- Operations
DELETE
/qos/policies/{id}
Delete a QoS policy
get_rule_type- Default
rule:regular_user- Operations
GET
/qos/rule-types
GET
/qos/rule-types/{rule_type}
Get available QoS rule types
get_policy_bandwidth_limit_rule- Default
rule:regular_user- Operations
GET
/qos/policies/{policy_id}/bandwidth_limit_rules
GET
/qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
Get a QoS bandwidth limit rule
create_policy_bandwidth_limit_rule- Default
rule:admin_only- Operations
POST
/qos/policies/{policy_id}/bandwidth_limit_rules
Create a QoS bandwidth limit rule
update_policy_bandwidth_limit_rule- Default
rule:admin_only- Operations
PUT
/qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
Update a QoS bandwidth limit rule
delete_policy_bandwidth_limit_rule- Default
rule:admin_only- Operations
DELETE
/qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
Delete a QoS bandwidth limit rule
get_policy_dscp_marking_rule- Default
rule:regular_user- Operations
GET
/qos/policies/{policy_id}/dscp_marking_rules
GET
/qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
Get a QoS DSCP marking rule
create_policy_dscp_marking_rule- Default
rule:admin_only- Operations
POST
/qos/policies/{policy_id}/dscp_marking_rules
Create a QoS DSCP marking rule
update_policy_dscp_marking_rule- Default
rule:admin_only- Operations
PUT
/qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
Update a QoS DSCP marking rule
delete_policy_dscp_marking_rule- Default
rule:admin_only- Operations
DELETE
/qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
Delete a QoS DSCP marking rule
get_policy_minimum_bandwidth_rule- Default
rule:regular_user- Operations
GET
/qos/policies/{policy_id}/minimum_bandwidth_rules
GET
/qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
Get a QoS minimum bandwidth rule
create_policy_minimum_bandwidth_rule- Default
rule:admin_only- Operations
POST
/qos/policies/{policy_id}/minimum_bandwidth_rules
Create a QoS minimum bandwidth rule
update_policy_minimum_bandwidth_rule- Default
rule:admin_only- Operations
PUT
/qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
Update a QoS minimum bandwidth rule
delete_policy_minimum_bandwidth_rule- Default
rule:admin_only- Operations
DELETE
/qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
Delete a QoS minimum bandwidth rule
get_alias_bandwidth_limit_rule- Default
rule:get_policy_bandwidth_limit_rule- Operations
GET
/qos/alias_bandwidth_limit_rules/{rule_id}/
Get a QoS bandwidth limit rule through alias
update_alias_bandwidth_limit_rule- Default
rule:update_policy_bandwidth_limit_rule- Operations
PUT
/qos/alias_bandwidth_limit_rules/{rule_id}/
Update a QoS bandwidth limit rule through alias
delete_alias_bandwidth_limit_rule- Default
rule:delete_policy_bandwidth_limit_rule- Operations
DELETE
/qos/alias_bandwidth_limit_rules/{rule_id}/
Delete a QoS bandwidth limit rule through alias
get_alias_dscp_marking_rule- Default
rule:get_policy_dscp_marking_rule- Operations
GET
/qos/alias_dscp_marking_rules/{rule_id}/
Get a QoS DSCP marking rule through alias
update_alias_dscp_marking_rule- Default
rule:update_policy_dscp_marking_rule- Operations
PUT
/qos/alias_dscp_marking_rules/{rule_id}/
Update a QoS DSCP marking rule through alias
delete_alias_dscp_marking_rule- Default
rule:delete_policy_dscp_marking_rule- Operations
DELETE
/qos/alias_dscp_marking_rules/{rule_id}/
Delete a QoS DSCP marking rule through alias
get_alias_minimum_bandwidth_rule- Default
rule:get_policy_minimum_bandwidth_rule- Operations
GET
/qos/alias_minimum_bandwidth_rules/{rule_id}/
Get a QoS minimum bandwidth rule through alias
update_alias_minimum_bandwidth_rule- Default
rule:update_policy_minimum_bandwidth_rule- Operations
PUT
/qos/alias_minimum_bandwidth_rules/{rule_id}/
Update a QoS minimum bandwidth rule through alias
delete_alias_minimum_bandwidth_rule- Default
rule:delete_policy_minimum_bandwidth_rule- Operations
DELETE
/qos/alias_minimum_bandwidth_rules/{rule_id}/
Delete a QoS minimum bandwidth rule through alias
get_quota- Default
rule:admin_only- Operations
GET
/quota
GET
/quota/{id}
Get a resource quota
update_quota- Default
rule:admin_only- Operations
PUT
/quota/{id}
Update a resource quota
delete_quota- Default
rule:admin_only- Operations
DELETE
/quota/{id}
Delete a resource quota
restrict_wildcard- Default
(not field:rbac_policy:target_tenant=*) or rule:admin_only
Definition of a wildcard target_tenant
create_rbac_policy- Default
rule:regular_user- Operations
POST
/rbac-policies
Create an RBAC policy
create_rbac_policy:target_tenant- Default
rule:restrict_wildcard- Operations
POST
/rbac-policies
Specify target_tenant when creating an RBAC policy
update_rbac_policy- Default
rule:admin_or_owner- Operations
PUT
/rbac-policies/{id}
Update an RBAC policy
update_rbac_policy:target_tenant- Default
rule:restrict_wildcard and rule:admin_or_owner- Operations
PUT
/rbac-policies/{id}
Update target_tenant attribute of an RBAC policy
get_rbac_policy- Default
rule:admin_or_owner- Operations
GET
/rbac-policies
GET
/rbac-policies/{id}
Get an RBAC policy
delete_rbac_policy- Default
rule:admin_or_owner- Operations
DELETE
/rbac-policies/{id}
Delete an RBAC policy
create_router- Default
rule:regular_user- Operations
POST
/routers
Create a router
create_router:distributed- Default
rule:admin_only- Operations
POST
/routers
Specify distributed attribute when creating a router
create_router:ha- Default
rule:admin_only- Operations
POST
/routers
Specify ha attribute when creating a router
create_router:external_gateway_info- Default
rule:admin_or_owner- Operations
POST
/routers
Specify external_gateway_info information when creating a router
create_router:external_gateway_info:network_id- Default
rule:admin_or_owner- Operations
POST
/routers
Specify network_id in external_gateway_info information when creating a router
create_router:external_gateway_info:enable_snat- Default
rule:admin_only- Operations
POST
/routers
Specify enable_snat in external_gateway_info information when creating a router
create_router:external_gateway_info:external_fixed_ips- Default
rule:admin_only- Operations
POST
/routers
Specify external_fixed_ips in external_gateway_info information when creating a router
get_router- Default
rule:admin_or_owner- Operations
GET
/routers
GET
/routers/{id}
Get a router
get_router:distributed- Default
rule:admin_only- Operations
GET
/routers
GET
/routers/{id}
Get distributed attribute of a router
get_router:ha- Default
rule:admin_only- Operations
GET
/routers
GET
/routers/{id}
Get ha attribute of a router
update_router- Default
rule:admin_or_owner- Operations
PUT
/routers/{id}
Update a router
update_router:distributed- Default
rule:admin_only- Operations
PUT
/routers/{id}
Update distributed attribute of a router
update_router:ha- Default
rule:admin_only- Operations
PUT
/routers/{id}
Update ha attribute of a router
update_router:external_gateway_info- Default
rule:admin_or_owner- Operations
PUT
/routers/{id}
Update external_gateway_info information of a router
update_router:external_gateway_info:network_id- Default
rule:admin_or_owner- Operations
PUT
/routers/{id}
Update network_id attribute of external_gateway_info information of a router
update_router:external_gateway_info:enable_snat- Default
rule:admin_only- Operations
PUT
/routers/{id}
Update enable_snat attribute of external_gateway_info information of a router
update_router:external_gateway_info:external_fixed_ips- Default
rule:admin_only- Operations
PUT
/routers/{id}
Update external_fixed_ips attribute of external_gateway_info information of a router
delete_router- Default
rule:admin_or_owner- Operations
DELETE
/routers/{id}
Delete a router
add_router_interface- Default
rule:admin_or_owner- Operations
PUT
/routers/{id}/add_router_interface
Add an interface to a router
remove_router_interface- Default
rule:admin_or_owner- Operations
PUT
/routers/{id}/remove_router_interface
Remove an interface from a router
admin_or_sg_owner- Default
rule:context_is_admin or tenant_id:%(security_group:tenant_id)s
Rule for admin or security group owner access
admin_owner_or_sg_owner- Default
rule:owner or rule:admin_or_sg_owner
Rule for resource owner, admin or security group owner access
create_security_group- Default
rule:admin_or_owner- Operations
POST
/security-groups
Create a security group
get_security_group- Default
rule:regular_user- Operations
GET
/security-groups
GET
/security-groups/{id}
Get a security group
update_security_group- Default
rule:admin_or_owner- Operations
PUT
/security-groups/{id}
Update a security group
delete_security_group- Default
rule:admin_or_owner- Operations
DELETE
/security-groups/{id}
Delete a security group
create_security_group_rule- Default
rule:admin_or_owner- Operations
POST
/security-group-rules
Create a security group rule
get_security_group_rule- Default
rule:admin_owner_or_sg_owner- Operations
GET
/security-group-rules
GET
/security-group-rules/{id}
Get a security group rule
delete_security_group_rule- Default
rule:admin_or_owner- Operations
DELETE
/security-group-rules/{id}
Delete a security group rule
create_segment- Default
rule:admin_only- Operations
POST
/segments
Create a segment
get_segment- Default
rule:admin_only- Operations
GET
/segments
GET
/segments/{id}
Get a segment
update_segment- Default
rule:admin_only- Operations
PUT
/segments/{id}
Update a segment
delete_segment- Default
rule:admin_only- Operations
DELETE
/segments/{id}
Delete a segment
get_service_provider- Default
rule:regular_user- Operations
GET
/service-providers
Get service providers
create_subnet- Default
rule:admin_or_network_owner- Operations
POST
/subnets
Create a subnet
create_subnet:segment_id- Default
rule:admin_only- Operations
POST
/subnets
Specify segment_id attribute when creating a subnet
create_subnet:service_types- Default
rule:admin_only- Operations
POST
/subnets
Specify service_types attribute when creating a subnet
get_subnet- Default
rule:admin_or_owner or rule:shared- Operations
GET
/subnets
GET
/subnets/{id}
Get a subnet
get_subnet:segment_id- Default
rule:admin_only- Operations
GET
/subnets
GET
/subnets/{id}
Get segment_id attribute of a subnet
update_subnet- Default
rule:admin_or_network_owner- Operations
PUT
/subnets/{id}
Update a subnet
update_subnet:segment_id- Default
rule:admin_only- Operations
PUT
/subnets/{id}
Update segment_id attribute of a subnet
update_subnet:service_types- Default
rule:admin_only- Operations
PUT
/subnets/{id}
Update service_types attribute of a subnet
delete_subnet- Default
rule:admin_or_network_owner- Operations
DELETE
/subnets/{id}
Delete a subnet
shared_subnetpools- Default
field:subnetpools:shared=True
Definition of a shared subnetpool
create_subnetpool- Default
rule:regular_user- Operations
POST
/subnetpools
Create a subnetpool
create_subnetpool:shared- Default
rule:admin_only- Operations
POST
/subnetpools
Create a shared subnetpool
create_subnetpool:is_default- Default
rule:admin_only- Operations
POST
/subnetpools
Specify is_default attribute when creating a subnetpool
get_subnetpool- Default
rule:admin_or_owner or rule:shared_subnetpools- Operations
GET
/subnetpools
GET
/subnetpools/{id}
Get a subnetpool
update_subnetpool- Default
rule:admin_or_owner- Operations
PUT
/subnetpools/{id}
Update a subnetpool
update_subnetpool:is_default- Default
rule:admin_only- Operations
PUT
/subnetpools/{id}
Update is_default attribute of a subnetpool
delete_subnetpool- Default
rule:admin_or_owner- Operations
DELETE
/subnetpools/{id}
Delete a subnetpool
onboard_network_subnets- Default
rule:admin_or_owner- Operations
PUT
/subnetpools/{id}/onboard_network_subnets
Onboard existing subnet into a subnetpool
add_prefixes- Default
rule:admin_or_owner- Operations
PUT
/subnetpools/{id}/add_prefixes
Add prefixes to a subnetpool
remove_prefixes- Default
rule:admin_or_owner- Operations
PUT
/subnetpools/{id}/remove_prefixes
Remove unallocated prefixes from a subnetpool
create_trunk- Default
rule:regular_user- Operations
POST
/trunks
Create a trunk
get_trunk- Default
rule:admin_or_owner- Operations
GET
/trunks
GET
/trunks/{id}
Get a trunk
update_trunk- Default
rule:admin_or_owner- Operations
PUT
/trunks/{id}
Update a trunk
delete_trunk- Default
rule:admin_or_owner- Operations
DELETE
/trunks/{id}
Delete a trunk
get_subports- Default
rule:regular_user- Operations
GET
/trunks/{id}/get_subports
List subports attached to a trunk
add_subports- Default
rule:admin_or_owner- Operations
PUT
/trunks/{id}/add_subports
Add subports to a trunk
remove_subports- Default
rule:admin_or_owner- Operations
PUT
/trunks/{id}/remove_subports
Delete subports from a trunk