Nova Policies
The following is an overview of all available policies in Nova.
Warning
The JSON formatted policy file is deprecated since Nova 22.0.0 (Victoria). Use a YAML formatted file. Use the oslopolicy-convert-json-to-yaml tool to convert an existing JSON policy file to a YAML formatted policy file in a backward compatible way.
For a sample configuration file, refer to Sample Nova Policy File.
nova
context_is_admin
- Default:
role:admin
Decides what is required for the ‘is_admin:True’ check to succeed.
admin_or_owner
- Default:
is_admin:True or project_id:%(project_id)s
Default rule for most non-Admin APIs.
admin_api
- Default:
is_admin:True
Default rule for most Admin APIs.
project_member_api
- Default:
role:member and project_id:%(project_id)s
Default rule for Project level non admin APIs.
project_reader_api
- Default:
role:reader and project_id:%(project_id)s
Default rule for Project level read only APIs.
project_member_or_admin
- Default:
rule:project_member_api or rule:context_is_admin
Default rule for Project Member or admin APIs.
project_reader_or_admin
- Default:
rule:project_reader_api or rule:context_is_admin
Default rule for Project reader or admin APIs.
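To make the composition of these rule strings concrete, the following is an added example, not Nova's or oslo.policy's own code: a small re-implementation of the grammar used on this page, in which a `rule:` check recurses into another named rule, `role:` tests membership, a generic `key:value` check fills `%(project_id)s`-style placeholders from the request target and compares against the caller's credentials, `@` always allows, and `and` binds tighter than `or`. It also models the two-stage host_status / unknown-only check described further down this page, using the configuration the page suggests there; the rule names and default strings are copied from the page, while credential and target dicts used with it are constructed samples.

```python
# Added example (not Nova's or oslo.policy's code): a small re-implementation of
# the rule grammar used on this page (rule:, role:, is_admin:True,
# project_id:%(project_id)s, user_id:%(user_id)s, "@", and/or, parentheses).
import re

# Default rules copied from this page.
DEFAULT_RULES = {
    "context_is_admin": "role:admin",
    "project_member_api": "role:member and project_id:%(project_id)s",
    "project_reader_api": "role:reader and project_id:%(project_id)s",
    "project_member_or_admin": "rule:project_member_api or rule:context_is_admin",
    "project_reader_or_admin": "rule:project_reader_api or rule:context_is_admin",
    "os_compute_api:os-keypairs:show": "(rule:context_is_admin) or user_id:%(user_id)s",
    "os_compute_api:servers:show:host_status": "rule:context_is_admin",
    "os_compute_api:servers:show:host_status:unknown-only": "rule:context_is_admin",
}
# The configuration the page suggests: full host_status stays admin-only while
# the UNKNOWN-only view is opened to everyone ("@" always allows).
PAGE_EXAMPLE_OVERRIDES = {"os_compute_api:servers:show:host_status:unknown-only": "@"}
# A token is a lone parenthesis or a run of non-space characters in which a
# "%(key)s" substitution counts as one unit: "(rule:x)" splits, "%(project_id)s" stays whole.
_TOKEN = re.compile(r"[()]|(?:%\([^)]*\)s|[^\s()])+")


def check(rules, tok, target, creds):
    """Evaluate one atomic check such as role:admin or project_id:%(project_id)s."""
    if tok == "@":                        # "always allow", as used on this page
        return True
    kind, sep, match = (tok or "").partition(":")
    if not sep:
        raise ValueError("malformed check %r" % (tok,))
    if kind == "rule":                    # reference to another named rule
        return enforce(rules, match, target, creds)
    if kind == "role":                    # case-insensitive role membership
        return match.lower() in (r.lower() for r in creds.get("roles", ()))
    # Generic check: fill %(key)s from the target, then compare the credential
    # as a string, so is_admin:True matches a boolean True in creds.
    try:
        expected = match % target
    except KeyError:
        return False
    return kind in creds and str(creds[kind]) == expected


def evaluate(rules, text, target, creds):
    """Parse and evaluate one rule string; 'and' binds tighter than 'or'."""
    tokens, pos = _TOKEN.findall(text), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def expr():                           # term ('or' term)*
        nonlocal pos
        result = term()
        while (peek() or "").lower() == "or":
            pos += 1
            result = term() or result     # the right side is always parsed
        return result

    def term():                           # factor ('and' factor)*
        nonlocal pos
        result = factor()
        while (peek() or "").lower() == "and":
            pos += 1
            result = factor() and result
        return result

    def factor():                         # '(' expr ')' | check
        nonlocal pos
        tok = peek()
        pos += 1
        if tok != "(":
            return check(rules, tok, target, creds)
        result = expr()
        if peek() != ")":
            raise ValueError("unbalanced parentheses in %r" % text)
        pos += 1
        return result

    if not tokens:
        return True                       # an empty rule string always allows
    result = expr()
    if peek() is not None:
        raise ValueError("trailing tokens in %r" % text)
    return result


def enforce(rules, rule_name, target, creds):
    """True if the named rule passes for the caller's creds against the target."""
    return rule_name in rules and evaluate(rules, rules[rule_name], target, creds)


def visible_host_status(rules, target, creds, actual_status):
    """The page's two-stage check: try the full host_status rule first; only if it
    fails consult unknown-only, which reveals the value only when it is UNKNOWN."""
    if enforce(rules, "os_compute_api:servers:show:host_status", target, creds):
        return actual_status
    if enforce(rules, "os_compute_api:servers:show:host_status:unknown-only", target, creds):
        return actual_status if actual_status == "UNKNOWN" else None
    return None
```

Merging `PAGE_EXAMPLE_OVERRIDES` over `DEFAULT_RULES` and calling `visible_host_status` for a plain project member shows the effect of the suggested configuration: a host status of UP or DOWN stays hidden while UNKNOWN becomes visible.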
os_compute_api:os-admin-actions:reset_state
- Default:
rule:context_is_admin
- Operations:
POST
/servers/{server_id}/action (os-resetState)
- Scope Types:
project
Reset the state of a given server
os_compute_api:os-admin-actions:inject_network_info
- Default:
rule:context_is_admin
- Operations:
POST
/servers/{server_id}/action (injectNetworkInfo)
- Scope Types:
project
Inject network information into the server
os_compute_api:os-admin-password
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (changePassword)
- Scope Types:
project
Change the administrative password for a server
os_compute_api:os-aggregates:set_metadata
- Default:
rule:context_is_admin
- Operations:
POST
/os-aggregates/{aggregate_id}/action (set_metadata)
- Scope Types:
project
Create or replace metadata for an aggregate
os_compute_api:os-aggregates:add_host
- Default:
rule:context_is_admin
- Operations:
POST
/os-aggregates/{aggregate_id}/action (add_host)
- Scope Types:
project
Add a host to an aggregate
os_compute_api:os-aggregates:create
- Default:
rule:context_is_admin
- Operations:
POST
/os-aggregates
- Scope Types:
project
Create an aggregate
os_compute_api:os-aggregates:remove_host
- Default:
rule:context_is_admin
- Operations:
POST
/os-aggregates/{aggregate_id}/action (remove_host)
- Scope Types:
project
Remove a host from an aggregate
os_compute_api:os-aggregates:update
- Default:
rule:context_is_admin
- Operations:
PUT
/os-aggregates/{aggregate_id}
- Scope Types:
project
Update name and/or availability zone for an aggregate
os_compute_api:os-aggregates:index
- Default:
rule:context_is_admin
- Operations:
GET
/os-aggregates
- Scope Types:
project
List all aggregates
os_compute_api:os-aggregates:delete
- Default:
rule:context_is_admin
- Operations:
DELETE
/os-aggregates/{aggregate_id}
- Scope Types:
project
Delete an aggregate
os_compute_api:os-aggregates:show
- Default:
rule:context_is_admin
- Operations:
GET
/os-aggregates/{aggregate_id}
- Scope Types:
project
Show details for an aggregate
compute:aggregates:images
- Default:
rule:context_is_admin
- Operations:
POST
/os-aggregates/{aggregate_id}/images
- Scope Types:
project
Request image caching for an aggregate
os_compute_api:os-assisted-volume-snapshots:create
- Default:
rule:context_is_admin
- Operations:
POST
/os-assisted-volume-snapshots
- Scope Types:
project
Create an assisted volume snapshot
os_compute_api:os-assisted-volume-snapshots:delete
- Default:
rule:context_is_admin
- Operations:
DELETE
/os-assisted-volume-snapshots/{snapshot_id}
- Scope Types:
project
Delete an assisted volume snapshot
os_compute_api:os-attach-interfaces:list
- Default:
rule:project_reader_or_admin
- Operations:
GET
/servers/{server_id}/os-interface
- Scope Types:
project
List port interfaces attached to a server
os_compute_api:os-attach-interfaces:show
- Default:
rule:project_reader_or_admin
- Operations:
GET
/servers/{server_id}/os-interface/{port_id}
- Scope Types:
project
Show details of a port interface attached to a server
os_compute_api:os-attach-interfaces:create
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/os-interface
- Scope Types:
project
Attach an interface to a server
os_compute_api:os-attach-interfaces:delete
- Default:
rule:project_member_or_admin
- Operations:
DELETE
/servers/{server_id}/os-interface/{port_id}
- Scope Types:
project
Detach an interface from a server
os_compute_api:os-availability-zone:list
- Default:
@
- Operations:
GET
/os-availability-zone
- Scope Types:
project
List availability zone information without host information
os_compute_api:os-availability-zone:detail
- Default:
rule:context_is_admin
- Operations:
GET
/os-availability-zone/detail
- Scope Types:
project
List detailed availability zone information with host information
os_compute_api:os-baremetal-nodes:list
- Default:
rule:context_is_admin
- Operations:
GET
/os-baremetal-nodes
- Scope Types:
project
List and show details of bare metal nodes.
These APIs are proxy calls to the Ironic service and are deprecated.
os_compute_api:os-baremetal-nodes:show
- Default:
rule:context_is_admin
- Operations:
GET
/os-baremetal-nodes/{node_id}
- Scope Types:
project
Show action details for a server.
os_compute_api:os-console-auth-tokens
- Default:
rule:context_is_admin
- Operations:
GET
/os-console-auth-tokens/{console_token}
- Scope Types:
project
Show console connection information for a given console authentication token
os_compute_api:os-console-output
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (os-getConsoleOutput)
- Scope Types:
project
Show console output for a server
os_compute_api:os-create-backup
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (createBackup)
- Scope Types:
project
Create a back up of a server
os_compute_api:os-deferred-delete:restore
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (restore)
- Scope Types:
project
Restore a soft deleted server
os_compute_api:os-deferred-delete:force
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (forceDelete)
- Scope Types:
project
Force delete a server before deferred cleanup
os_compute_api:os-evacuate
- Default:
rule:context_is_admin
- Operations:
POST
/servers/{server_id}/action (evacuate)
- Scope Types:
project
Evacuate a server from a failed host to a new host
os_compute_api:os-extended-server-attributes
- Default:
rule:context_is_admin
- Operations:
GET
/servers/{id}
GET
/servers/detail
PUT
/servers/{server_id}
POST
/servers/{server_id}/action (rebuild)
- Scope Types:
project
Return extended attributes for server.
This rule will control the visibility for a set of server attributes:
OS-EXT-SRV-ATTR:host
OS-EXT-SRV-ATTR:instance_name
OS-EXT-SRV-ATTR:reservation_id (since microversion 2.3)
OS-EXT-SRV-ATTR:launch_index (since microversion 2.3)
OS-EXT-SRV-ATTR:hostname (since microversion 2.3)
OS-EXT-SRV-ATTR:kernel_id (since microversion 2.3)
OS-EXT-SRV-ATTR:ramdisk_id (since microversion 2.3)
OS-EXT-SRV-ATTR:root_device_name (since microversion 2.3)
OS-EXT-SRV-ATTR:user_data (since microversion 2.3)
Microversion 2.75 added the above attributes in the PUT /servers/{server_id} and POST /servers/{server_id}/action (rebuild) API responses, which are also controlled by this policy rule, like the GET /servers* APIs. Microversion 2.90 made the OS-EXT-SRV-ATTR:hostname attribute available to all users, so this policy has no effect on that field for microversions 2.90 and greater. Controlling the visibility of this attribute for all microversions is therefore deprecated and will be removed in a future release.
os_compute_api:extensions
- Default:
@
- Operations:
GET
/extensions
GET
/extensions/{alias}
- Scope Types:
project
List available extensions and show information for an extension by alias
os_compute_api:os-flavor-access:add_tenant_access
- Default:
rule:context_is_admin
- Operations:
POST
/flavors/{flavor_id}/action (addTenantAccess)
- Scope Types:
project
Add flavor access to a tenant
os_compute_api:os-flavor-access:remove_tenant_access
- Default:
rule:context_is_admin
- Operations:
POST
/flavors/{flavor_id}/action (removeTenantAccess)
- Scope Types:
project
Remove flavor access from a tenant
os_compute_api:os-flavor-access
- Default:
rule:context_is_admin
- Operations:
GET
/flavors/{flavor_id}/os-flavor-access
- Scope Types:
project
List flavor access information
Allows access to the full list of tenants that have access to a flavor via an os-flavor-access API.
os_compute_api:os-flavor-extra-specs:show
- Default:
rule:project_reader_or_admin
- Operations:
GET
/flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
- Scope Types:
project
Show an extra spec for a flavor
os_compute_api:os-flavor-extra-specs:create
- Default:
rule:context_is_admin
- Operations:
POST
/flavors/{flavor_id}/os-extra_specs/
- Scope Types:
project
Create extra specs for a flavor
os_compute_api:os-flavor-extra-specs:update
- Default:
rule:context_is_admin
- Operations:
PUT
/flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
- Scope Types:
project
Update an extra spec for a flavor
os_compute_api:os-flavor-extra-specs:delete
- Default:
rule:context_is_admin
- Operations:
DELETE
/flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
- Scope Types:
project
Delete an extra spec for a flavor
os_compute_api:os-flavor-extra-specs:index
- Default:
rule:project_reader_or_admin
- Operations:
GET
/flavors/{flavor_id}/os-extra_specs/
POST
/flavors
GET
/flavors/detail
GET
/flavors/{flavor_id}
PUT
/flavors/{flavor_id}
- Scope Types:
project
List extra specs for a flavor. Starting with microversion 2.61, extra specs may be returned in responses for the flavor resource.
os_compute_api:os-flavor-manage:create
- Default:
rule:context_is_admin
- Operations:
POST
/flavors
- Scope Types:
project
Create a flavor
os_compute_api:os-flavor-manage:update
- Default:
rule:context_is_admin
- Operations:
PUT
/flavors/{flavor_id}
- Scope Types:
project
Update a flavor
os_compute_api:os-flavor-manage:delete
- Default:
rule:context_is_admin
- Operations:
DELETE
/flavors/{flavor_id}
- Scope Types:
project
Delete a flavor
os_compute_api:os-floating-ip-pools
- Default:
@
- Operations:
GET
/os-floating-ip-pools
- Scope Types:
project
List floating IP pools. This API is deprecated.
os_compute_api:os-floating-ips:add
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (addFloatingIp)
- Scope Types:
project
Associate floating IPs with a server. This API is deprecated.
os_compute_api:os-floating-ips:remove
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (removeFloatingIp)
- Scope Types:
project
Disassociate floating IPs from a server. This API is deprecated.
os_compute_api:os-floating-ips:list
- Default:
rule:project_reader_or_admin
- Operations:
GET
/os-floating-ips
- Scope Types:
project
List floating IPs. This API is deprecated.
os_compute_api:os-floating-ips:create
- Default:
rule:project_member_or_admin
- Operations:
POST
/os-floating-ips
- Scope Types:
project
Create floating IPs. This API is deprecated.
os_compute_api:os-floating-ips:show
- Default:
rule:project_reader_or_admin
- Operations:
GET
/os-floating-ips/{floating_ip_id}
- Scope Types:
project
Show floating IPs. This API is deprecated.
os_compute_api:os-floating-ips:delete
- Default:
rule:project_member_or_admin
- Operations:
DELETE
/os-floating-ips/{floating_ip_id}
- Scope Types:
project
Delete floating IPs. This API is deprecated.
os_compute_api:os-hosts:list
- Default:
rule:context_is_admin
- Operations:
GET
/os-hosts
- Scope Types:
project
List physical hosts.
This API is deprecated in favor of os-hypervisors and os-services.
os_compute_api:os-hosts:show
- Default:
rule:context_is_admin
- Operations:
GET
/os-hosts/{host_name}
- Scope Types:
project
Show physical host.
This API is deprecated in favor of os-hypervisors and os-services.
os_compute_api:os-hosts:update
- Default:
rule:context_is_admin
- Operations:
PUT
/os-hosts/{host_name}
- Scope Types:
project
Update physical host.
This API is deprecated in favor of os-hypervisors and os-services.
os_compute_api:os-hosts:reboot
- Default:
rule:context_is_admin
- Operations:
GET
/os-hosts/{host_name}/reboot
- Scope Types:
project
Reboot physical host.
This API is deprecated in favor of os-hypervisors and os-services.
os_compute_api:os-hosts:shutdown
- Default:
rule:context_is_admin
- Operations:
GET
/os-hosts/{host_name}/shutdown
- Scope Types:
project
Shutdown physical host.
This API is deprecated in favor of os-hypervisors and os-services.
os_compute_api:os-hosts:start
- Default:
rule:context_is_admin
- Operations:
GET
/os-hosts/{host_name}/startup
- Scope Types:
project
Start physical host.
This API is deprecated in favor of os-hypervisors and os-services.
os_compute_api:os-hypervisors:list
- Default:
rule:context_is_admin
- Operations:
GET
/os-hypervisors
- Scope Types:
project
List all hypervisors.
os_compute_api:os-hypervisors:list-detail
- Default:
rule:context_is_admin
- Operations:
GET
/os-hypervisors/details
- Scope Types:
project
List all hypervisors with details
os_compute_api:os-hypervisors:statistics
- Default:
rule:context_is_admin
- Operations:
GET
/os-hypervisors/statistics
- Scope Types:
project
Show summary statistics for all hypervisors over all compute nodes.
os_compute_api:os-hypervisors:show
- Default:
rule:context_is_admin
- Operations:
GET
/os-hypervisors/{hypervisor_id}
- Scope Types:
project
Show details for a hypervisor.
os_compute_api:os-hypervisors:uptime
- Default:
rule:context_is_admin
- Operations:
GET
/os-hypervisors/{hypervisor_id}/uptime
- Scope Types:
project
Show the uptime of a hypervisor.
os_compute_api:os-hypervisors:search
- Default:
rule:context_is_admin
- Operations:
GET
/os-hypervisors/{hypervisor_hostname_pattern}/search
- Scope Types:
project
Search hypervisor by hypervisor_hostname pattern.
os_compute_api:os-hypervisors:servers
- Default:
rule:context_is_admin
- Operations:
GET
/os-hypervisors/{hypervisor_hostname_pattern}/servers
- Scope Types:
project
List all servers on hypervisors that can match the provided hypervisor_hostname pattern.
os_compute_api:os-instance-actions:events:details
- Default:
rule:context_is_admin
- Operations:
GET
/servers/{server_id}/os-instance-actions/{request_id}
- Scope Types:
project
Add “details” key in action events for a server.
This check is performed only after the check os_compute_api:os-instance-actions:show passes. Beginning with Microversion 2.84, a new field ‘details’ is exposed via the API which can have more details about an event failure. That field is controlled by this policy, which is system reader by default. Making the ‘details’ field visible to the non-admin user helps to understand the nature of the problem (i.e. whether the action can be retried), but on the other hand it might leak information about the deployment (e.g. the type of the hypervisor).
os_compute_api:os-instance-actions:events
- Default:
rule:context_is_admin
- Operations:
GET
/servers/{server_id}/os-instance-actions/{request_id}
- Scope Types:
project
Add events details in action details for a server. This check is performed only after the check os_compute_api:os-instance-actions:show passes. Beginning with Microversion 2.51, events details are always included; traceback information is provided per event if policy enforcement passes. Beginning with Microversion 2.62, each event includes a hashed host identifier and, if policy enforcement passes, the name of the host.
os_compute_api:os-instance-actions:list
- Default:
rule:project_reader_or_admin
- Operations:
GET
/servers/{server_id}/os-instance-actions
- Scope Types:
project
List actions for a server.
os_compute_api:os-instance-actions:show
- Default:
rule:project_reader_or_admin
- Operations:
GET
/servers/{server_id}/os-instance-actions/{request_id}
- Scope Types:
project
Show action details for a server.
os_compute_api:os-instance-usage-audit-log:list
- Default:
rule:context_is_admin
- Operations:
GET
/os-instance_usage_audit_log
- Scope Types:
project
List all usage audits.
os_compute_api:os-instance-usage-audit-log:show
- Default:
rule:context_is_admin
- Operations:
GET
/os-instance_usage_audit_log/{before_timestamp}
- Scope Types:
project
List all usage audits that occurred before a specified time for all servers on all compute hosts where usage auditing is configured
os_compute_api:ips:show
- Default:
rule:project_reader_or_admin
- Operations:
GET
/servers/{server_id}/ips/{network_label}
- Scope Types:
project
Show IP addresses details for a network label of a server
os_compute_api:ips:index
- Default:
rule:project_reader_or_admin
- Operations:
GET
/servers/{server_id}/ips
- Scope Types:
project
List IP addresses that are assigned to a server
os_compute_api:os-keypairs:index
- Default:
(rule:context_is_admin) or user_id:%(user_id)s
- Operations:
GET
/os-keypairs
- Scope Types:
project
List all keypairs
os_compute_api:os-keypairs:create
- Default:
(rule:context_is_admin) or user_id:%(user_id)s
- Operations:
POST
/os-keypairs
- Scope Types:
project
Create a keypair
os_compute_api:os-keypairs:delete
- Default:
(rule:context_is_admin) or user_id:%(user_id)s
- Operations:
DELETE
/os-keypairs/{keypair_name}
- Scope Types:
project
Delete a keypair
os_compute_api:os-keypairs:show
- Default:
(rule:context_is_admin) or user_id:%(user_id)s
- Operations:
GET
/os-keypairs/{keypair_name}
- Scope Types:
project
Show details of a keypair
os_compute_api:limits
- Default:
@
- Operations:
GET
/limits
- Scope Types:
project
Show rate and absolute limits for the current user project
os_compute_api:limits:other_project
- Default:
rule:context_is_admin
- Operations:
GET
/limits
- Scope Types:
project
Show rate and absolute limits of other project.
This policy only checks if the user has access to the requested project limits. This check is performed only after the check os_compute_api:limits passes.
os_compute_api:os-lock-server:lock
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (lock)
- Scope Types:
project
Lock a server
os_compute_api:os-lock-server:unlock
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (unlock)
- Scope Types:
project
Unlock a server
os_compute_api:os-lock-server:unlock:unlock_override
- Default:
rule:context_is_admin
- Operations:
POST
/servers/{server_id}/action (unlock)
- Scope Types:
project
Unlock a server, regardless of who locked the server.
This check is performed only after the check os_compute_api:os-lock-server:unlock passes
os_compute_api:os-migrate-server:migrate
- Default:
rule:context_is_admin
- Operations:
POST
/servers/{server_id}/action (migrate)
- Scope Types:
project
Cold migrate a server without specifying a host
os_compute_api:os-migrate-server:migrate:host
- Default:
rule:context_is_admin
- Operations:
POST
/servers/{server_id}/action (migrate)
- Scope Types:
project
Cold migrate a server to a specified host
os_compute_api:os-migrate-server:migrate_live
- Default:
rule:context_is_admin
- Operations:
POST
/servers/{server_id}/action (os-migrateLive)
- Scope Types:
project
Live migrate a server to a new host without a reboot
os_compute_api:os-migrations:index
- Default:
rule:context_is_admin
- Operations:
GET
/os-migrations
- Scope Types:
project
List migrations
os_compute_api:os-multinic:add
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (addFixedIp)
- Scope Types:
project
Add a fixed IP address to a server.
This API is a proxy call to the Network service and is deprecated.
os_compute_api:os-multinic:remove
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (removeFixedIp)
- Scope Types:
project
Remove a fixed IP address from a server.
This API is a proxy call to the Network service and is deprecated.
os_compute_api:os-networks:list
- Default:
rule:project_reader_or_admin
- Operations:
GET
/os-networks
- Scope Types:
project
List networks for the project.
This API is a proxy call to the Network service and is deprecated.
os_compute_api:os-networks:show
- Default:
rule:project_reader_or_admin
- Operations:
GET
/os-networks/{network_id}
- Scope Types:
project
Show network details.
This API is a proxy call to the Network service and is deprecated.
os_compute_api:os-pause-server:pause
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (pause)
- Scope Types:
project
Pause a server
os_compute_api:os-pause-server:unpause
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (unpause)
- Scope Types:
project
Unpause a paused server
os_compute_api:os-quota-class-sets:show
- Default:
rule:context_is_admin
- Operations:
GET
/os-quota-class-sets/{quota_class}
- Scope Types:
project
List quotas for a specific quota class
os_compute_api:os-quota-class-sets:update
- Default:
rule:context_is_admin
- Operations:
PUT
/os-quota-class-sets/{quota_class}
- Scope Types:
project
Update quotas for a specific quota class
os_compute_api:os-quota-sets:update
- Default:
rule:context_is_admin
- Operations:
PUT
/os-quota-sets/{tenant_id}
- Scope Types:
project
Update the quotas
os_compute_api:os-quota-sets:defaults
- Default:
@
- Operations:
GET
/os-quota-sets/{tenant_id}/defaults
- Scope Types:
project
List default quotas
os_compute_api:os-quota-sets:show
- Default:
rule:project_reader_or_admin
- Operations:
GET
/os-quota-sets/{tenant_id}
- Scope Types:
project
Show a quota
os_compute_api:os-quota-sets:delete
- Default:
rule:context_is_admin
- Operations:
DELETE
/os-quota-sets/{tenant_id}
- Scope Types:
project
Revert quotas to defaults
os_compute_api:os-quota-sets:detail
- Default:
rule:project_reader_or_admin
- Operations:
GET
/os-quota-sets/{tenant_id}/detail
- Scope Types:
project
Show the detail of quota
os_compute_api:os-remote-consoles
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (os-getRDPConsole)
POST
/servers/{server_id}/action (os-getSerialConsole)
POST
/servers/{server_id}/action (os-getSPICEConsole)
POST
/servers/{server_id}/action (os-getVNCConsole)
POST
/servers/{server_id}/remote-consoles
- Scope Types:
project
Generate a URL to access a remote server console.
This policy is for the POST /remote-consoles API; the following server action APIs are deprecated:
os-getRDPConsole
os-getSerialConsole
os-getSPICEConsole
os-getVNCConsole
os_compute_api:os-rescue
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (rescue)
- Scope Types:
project
Rescue a server
os_compute_api:os-unrescue
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (unrescue)
- Scope Types:
project
Unrescue a server
os_compute_api:os-security-groups:get
- Default:
rule:project_reader_or_admin
- Operations:
GET
/os-security-groups
- Scope Types:
project
List security groups. This API is deprecated.
os_compute_api:os-security-groups:show
- Default:
rule:project_reader_or_admin
- Operations:
GET
/os-security-groups/{security_group_id}
- Scope Types:
project
Show security group. This API is deprecated.
os_compute_api:os-security-groups:create
- Default:
rule:project_member_or_admin
- Operations:
POST
/os-security-groups
- Scope Types:
project
Create security group. This API is deprecated.
os_compute_api:os-security-groups:update
- Default:
rule:project_member_or_admin
- Operations:
PUT
/os-security-groups/{security_group_id}
- Scope Types:
project
Update security group. This API is deprecated.
os_compute_api:os-security-groups:delete
- Default:
rule:project_member_or_admin
- Operations:
DELETE
/os-security-groups/{security_group_id}
- Scope Types:
project
Delete security group. This API is deprecated.
os_compute_api:os-security-groups:rule:create
- Default:
rule:project_member_or_admin
- Operations:
POST
/os-security-group-rules
- Scope Types:
project
Create security group Rule. This API is deprecated.
os_compute_api:os-security-groups:rule:delete
- Default:
rule:project_member_or_admin
- Operations:
DELETE
/os-security-group-rules/{security_group_id}
- Scope Types:
project
Delete security group Rule. This API is deprecated.
os_compute_api:os-security-groups:list
- Default:
rule:project_reader_or_admin
- Operations:
GET
/servers/{server_id}/os-security-groups
- Scope Types:
project
List security groups of server.
os_compute_api:os-security-groups:add
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (addSecurityGroup)
- Scope Types:
project
Add security groups to server.
os_compute_api:os-security-groups:remove
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (removeSecurityGroup)
- Scope Types:
project
Remove security groups from server.
os_compute_api:os-server-diagnostics
- Default:
rule:context_is_admin
- Operations:
GET
/servers/{server_id}/diagnostics
- Scope Types:
project
Show the usage data for a server
os_compute_api:os-server-external-events:create
- Default:
rule:context_is_admin
- Operations:
POST
/os-server-external-events
- Scope Types:
project
Create one or more external events
os_compute_api:os-server-groups:create
- Default:
rule:project_member_or_admin
- Operations:
POST
/os-server-groups
- Scope Types:
project
Create a new server group
os_compute_api:os-server-groups:delete
- Default:
rule:project_member_or_admin
- Operations:
DELETE
/os-server-groups/{server_group_id}
- Scope Types:
project
Delete a server group
os_compute_api:os-server-groups:index
- Default:
rule:project_reader_or_admin
- Operations:
GET
/os-server-groups
- Scope Types:
project
List all server groups
os_compute_api:os-server-groups:index:all_projects
- Default:
rule:context_is_admin
- Operations:
GET
/os-server-groups
- Scope Types:
project
List all server groups for all projects
os_compute_api:os-server-groups:show
- Default:
rule:project_reader_or_admin
- Operations:
GET
/os-server-groups/{server_group_id}
- Scope Types:
project
Show details of a server group
os_compute_api:server-metadata:index
- Default:
rule:project_reader_or_admin
- Operations:
GET
/servers/{server_id}/metadata
- Scope Types:
project
List all metadata of a server
os_compute_api:server-metadata:show
- Default:
rule:project_reader_or_admin
- Operations:
GET
/servers/{server_id}/metadata/{key}
- Scope Types:
project
Show metadata for a server
os_compute_api:server-metadata:create
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/metadata
- Scope Types:
project
Create metadata for a server
os_compute_api:server-metadata:update_all
- Default:
rule:project_member_or_admin
- Operations:
PUT
/servers/{server_id}/metadata
- Scope Types:
project
Replace metadata for a server
os_compute_api:server-metadata:update
- Default:
rule:project_member_or_admin
- Operations:
PUT
/servers/{server_id}/metadata/{key}
- Scope Types:
project
Update metadata of a server
os_compute_api:server-metadata:delete
- Default:
rule:project_member_or_admin
- Operations:
DELETE
/servers/{server_id}/metadata/{key}
- Scope Types:
project
Delete metadata from a server
os_compute_api:os-server-password:show
- Default:
rule:project_reader_or_admin
- Operations:
GET
/servers/{server_id}/os-server-password
- Scope Types:
project
Show the encrypted administrative password of a server
os_compute_api:os-server-password:clear
- Default:
rule:project_member_or_admin
- Operations:
DELETE
/servers/{server_id}/os-server-password
- Scope Types:
project
Clear the encrypted administrative password of a server
os_compute_api:os-server-tags:delete_all
- Default:
rule:project_member_or_admin
- Operations:
DELETE
/servers/{server_id}/tags
- Scope Types:
project
Delete all the server tags
os_compute_api:os-server-tags:index
- Default:
rule:project_reader_or_admin
- Operations:
GET
/servers/{server_id}/tags
- Scope Types:
project
List all tags for given server
os_compute_api:os-server-tags:update_all
- Default:
rule:project_member_or_admin
- Operations:
PUT
/servers/{server_id}/tags
- Scope Types:
project
Replace all tags on specified server with the new set of tags.
os_compute_api:os-server-tags:delete
- Default:
rule:project_member_or_admin
- Operations:
DELETE
/servers/{server_id}/tags/{tag}
- Scope Types:
project
Delete a single tag from the specified server
os_compute_api:os-server-tags:update
- Default:
rule:project_member_or_admin
- Operations:
PUT
/servers/{server_id}/tags/{tag}
- Scope Types:
project
Add a single tag to the server if the server does not already have the specified tag
os_compute_api:os-server-tags:show
- Default:
rule:project_reader_or_admin
- Operations:
GET
/servers/{server_id}/tags/{tag}
- Scope Types:
project
Check tag existence on the server.
compute:server:topology:index
- Default:
rule:project_reader_or_admin
- Operations:
GET
/servers/{server_id}/topology
- Scope Types:
project
Show the NUMA topology data for a server
compute:server:topology:host:index
- Default:
rule:context_is_admin
- Operations:
GET
/servers/{server_id}/topology
- Scope Types:
project
Show the NUMA topology data for a server with host NUMA ID and CPU pinning information
os_compute_api:servers:index
- Default:
rule:project_reader_or_admin
- Operations:
GET
/servers
- Scope Types:
project
List all servers
os_compute_api:servers:detail
- Default:
rule:project_reader_or_admin
- Operations:
GET
/servers/detail
- Scope Types:
project
List all servers with detailed information
os_compute_api:servers:index:get_all_tenants
- Default:
rule:context_is_admin
- Operations:
GET
/servers
- Scope Types:
project
List all servers for all projects
os_compute_api:servers:detail:get_all_tenants
- Default:
rule:context_is_admin
- Operations:
GET
/servers/detail
- Scope Types:
project
List all servers with detailed information for all projects
os_compute_api:servers:allow_all_filters
- Default:
rule:context_is_admin
- Operations:
GET
/servers
GET
/servers/detail
- Scope Types:
project
Allow all filters when listing servers
os_compute_api:servers:show
- Default:
rule:project_reader_or_admin
- Operations:
GET
/servers/{server_id}
- Scope Types:
project
Show a server
os_compute_api:servers:show:flavor-extra-specs
- Default:
rule:project_reader_or_admin
- Operations:
GET
/servers/detail
GET
/servers/{server_id}
PUT
/servers/{server_id}
POST
/servers/{server_id}/action (rebuild)
- Scope Types:
project
Starting with microversion 2.47, the flavor and its extra specs used for a server are also returned in the response when showing server details, updating a server or rebuilding a server.
os_compute_api:servers:show:host_status
- Default:
rule:context_is_admin
- Operations:
GET
/servers/{server_id}
GET
/servers/detail
PUT
/servers/{server_id}
POST
/servers/{server_id}/action (rebuild)
- Scope Types:
project
Show a server with additional host status information.
This means host_status will be shown irrespective of the status value. If showing only host_status UNKNOWN is desired, use the os_compute_api:servers:show:host_status:unknown-only policy rule. Microversion 2.75 added the host_status attribute in the PUT /servers/{server_id} and POST /servers/{server_id}/action (rebuild) API responses, which are also controlled by this policy rule, like the GET /servers* APIs.
os_compute_api:servers:show:host_status:unknown-only
- Default:
rule:context_is_admin
- Operations:
GET
/servers/{server_id}
GET
/servers/detail
PUT
/servers/{server_id}
POST
/servers/{server_id}/action (rebuild)
- Scope Types:
project
Show a server with additional host status information, only if host status is UNKNOWN.
This policy rule will only be enforced when the os_compute_api:servers:show:host_status policy rule does not pass for the request. An example policy configuration could be where the os_compute_api:servers:show:host_status rule is set to allow admin-only and the os_compute_api:servers:show:host_status:unknown-only rule is set to allow everyone.
os_compute_api:servers:create
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers
- Scope Types:
project
Create a server
os_compute_api:servers:create:forced_host
- Default:
rule:context_is_admin
- Operations:
POST
/servers
- Scope Types:
project
Create a server on the specified host and/or node.
In this case, the server is forced to launch on the specified host and/or node by bypassing the scheduler filters, unlike the compute:servers:create:requested_destination rule.
compute:servers:create:requested_destination
- Default:
rule:context_is_admin
- Operations:
POST
/servers
- Scope Types:
project
Create a server on the requested compute service host and/or hypervisor_hostname.
In this case, the requested host and/or hypervisor_hostname is validated by the scheduler filters, unlike the os_compute_api:servers:create:forced_host rule.
os_compute_api:servers:create:attach_volume
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers
- Scope Types:
project
Create a server with the requested volume attached to it
os_compute_api:servers:create:attach_network
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers
- Scope Types:
project
Create a server with the requested network attached to it
os_compute_api:servers:create:trusted_certs
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers
- Scope Types:
project
Create a server with trusted image certificate IDs
os_compute_api:servers:create:zero_disk_flavor
- Default:
rule:context_is_admin
- Operations:
POST
/servers
- Scope Types:
project
This rule controls the compute API validation behavior of creating a server with a flavor that has 0 disk, indicating the server should be volume-backed.
For a flavor with disk=0, the root disk will be set to exactly the size of the image used to deploy the instance. However, in this case the filter_scheduler cannot select the compute host based on the virtual image size. Therefore, 0 should only be used for volume booted instances or for testing purposes.
WARNING: It is a potential security exposure to enable this policy rule if users can upload their own images since repeated attempts to create a disk=0 flavor instance with a large image can exhaust the local disk of the compute (or shared storage cluster). See bug https://bugs.launchpad.net/nova/+bug/1739646 for details.
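As an added illustration (not part of the Nova documentation or the sample policy file), the following policy.yaml fragment shows the configuration described for os_compute_api:servers:show:host_status and its unknown-only companion, together with the zero-disk flavor rule from the warning just above, in the YAML format recommended at the top of this page. The rule names and the rule:... aliases are those listed on this page; "@" is the oslo.policy always-allow token, the counterpart of the "!" always-deny token used elsewhere on this page.

```yaml
# Added example policy.yaml overrides (not Nova's own file). Rule names and
# rule:... aliases come from this policy reference; "@" means "allow everyone"
# in oslo.policy syntax and "!" means "allow nobody".

# Full host_status visibility (any status value) stays admin-only.
"os_compute_api:servers:show:host_status": "rule:context_is_admin"

# Consulted only when the rule above does not pass: non-admin callers still
# see host_status when, and only when, it is UNKNOWN.
# Use "rule:project_reader_or_admin" instead of "@" to keep project scoping.
"os_compute_api:servers:show:host_status:unknown-only": "@"

# Keep disk=0 flavor boots admin-only wherever tenants can upload their own
# images (see bug 1739646 above). The commented line is the setting to avoid.
# "os_compute_api:servers:create:zero_disk_flavor": "rule:project_member_or_admin"
"os_compute_api:servers:create:zero_disk_flavor": "rule:context_is_admin"
```

Point nova.conf at the file through the policy_file option of the [oslo_policy] section, and verify the outcome for a given token and rule name with the oslopolicy-checker tool that ships with oslo.policy before rolling the file out.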
network:attach_external_network
- Default:
rule:context_is_admin
- Operations:
POST
/servers
POST
/servers/{server_id}/os-interface
- Scope Types:
project
Attach an unshared external network to a server
os_compute_api:servers:delete
- Default:
rule:project_member_or_admin
- Operations:
DELETE
/servers/{server_id}
- Scope Types:
project
Delete a server
os_compute_api:servers:update
- Default:
rule:project_member_or_admin
- Operations:
PUT
/servers/{server_id}
- Scope Types:
project
Update a server
os_compute_api:servers:confirm_resize
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (confirmResize)
- Scope Types:
project
Confirm a server resize
os_compute_api:servers:revert_resize
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (revertResize)
- Scope Types:
project
Revert a server resize
os_compute_api:servers:reboot
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (reboot)
- Scope Types:
project
Reboot a server
os_compute_api:servers:resize
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (resize)
- Scope Types:
project
Resize a server
compute:servers:resize:cross_cell
- Default:
!
- Operations:
POST
/servers/{server_id}/action (resize)
- Scope Types:
project
Resize a server across cells. By default, this is disabled for all users and recommended to be tested in a deployment for admin users before opening it up to non-admin users. Resizing within a cell is the default preferred behavior even if this is enabled.
os_compute_api:servers:rebuild
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (rebuild)
- Scope Types:
project
Rebuild a server
os_compute_api:servers:rebuild:trusted_certs
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (rebuild)
- Scope Types:
project
Rebuild a server with trusted image certificate IDs
os_compute_api:servers:create_image
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (createImage)
- Scope Types:
project
Create an image from a server
os_compute_api:servers:create_image:allow_volume_backed
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (createImage)
- Scope Types:
project
Create an image from a volume backed server
os_compute_api:servers:start
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (os-start)
- Scope Types:
project
Start a server
os_compute_api:servers:stop
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (os-stop)
- Scope Types:
project
Stop a server
os_compute_api:servers:trigger_crash_dump
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (trigger_crash_dump)
- Scope Types:
project
Trigger crash dump in a server
os_compute_api:servers:migrations:show
- Default:
rule:context_is_admin
- Operations:
GET
/servers/{server_id}/migrations/{migration_id}
- Scope Types:
project
Show details for an in-progress live migration for a given server
os_compute_api:servers:migrations:force_complete
- Default:
rule:context_is_admin
- Operations:
POST
/servers/{server_id}/migrations/{migration_id}/action (force_complete)
- Scope Types:
project
Force an in-progress live migration for a given server to complete
os_compute_api:servers:migrations:delete
- Default:
rule:context_is_admin
- Operations:
DELETE
/servers/{server_id}/migrations/{migration_id}
- Scope Types:
project
Delete (abort) an in-progress live migration
os_compute_api:servers:migrations:index
- Default:
rule:context_is_admin
- Operations:
GET
/servers/{server_id}/migrations
- Scope Types:
project
Lists in-progress live migrations for a given server
os_compute_api:os-services:list
- Default:
rule:context_is_admin
- Operations:
GET
/os-services
- Scope Types:
project
List all running Compute services in a region.
os_compute_api:os-services:update
- Default:
rule:context_is_admin
- Operations:
PUT
/os-services/{service_id}
- Scope Types:
project
Update a Compute service.
os_compute_api:os-services:delete
- Default:
rule:context_is_admin
- Operations:
DELETE
/os-services/{service_id}
- Scope Types:
project
Delete a Compute service.
os_compute_api:os-shelve:shelve
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (shelve)
- Scope Types:
project
Shelve server
os_compute_api:os-shelve:unshelve
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (unshelve)
- Scope Types:
project
Unshelve (restore) shelved server
os_compute_api:os-shelve:unshelve_to_host
- Default:
rule:context_is_admin
- Operations:
POST
/servers/{server_id}/action (unshelve)
- Scope Types:
project
Unshelve (restore) shelve offloaded server to a specific host
os_compute_api:os-shelve:shelve_offload
- Default:
rule:context_is_admin
- Operations:
POST
/servers/{server_id}/action (shelveOffload)
- Scope Types:
project
Shelve-offload (remove) server
os_compute_api:os-simple-tenant-usage:show
- Default:
rule:project_reader_or_admin
- Operations:
GET
/os-simple-tenant-usage/{tenant_id}
- Scope Types:
project
Show usage statistics for a specific tenant
os_compute_api:os-simple-tenant-usage:list
- Default:
rule:context_is_admin
- Operations:
GET
/os-simple-tenant-usage
- Scope Types:
project
List per tenant usage statistics for all tenants
os_compute_api:os-suspend-server:resume
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (resume)
- Scope Types:
project
Resume suspended server
os_compute_api:os-suspend-server:suspend
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/action (suspend)
- Scope Types:
project
Suspend server
os_compute_api:os-tenant-networks:list
- Default:
rule:project_reader_or_admin
- Operations:
GET
/os-tenant-networks
- Scope Types:
project
List project networks.
This API is a proxy call to the Network service. It is deprecated.
os_compute_api:os-tenant-networks:show
- Default:
rule:project_reader_or_admin
- Operations:
GET
/os-tenant-networks/{network_id}
- Scope Types:
project
Show project network details.
This API is a proxy call to the Network service. It is deprecated.
os_compute_api:os-volumes:list
- Default:
rule:project_reader_or_admin
- Operations:
GET
/os-volumes
- Scope Types:
project
List volumes.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:create
- Default:
rule:project_member_or_admin
- Operations:
POST
/os-volumes
- Scope Types:
project
Create volume.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:detail
- Default:
rule:project_reader_or_admin
- Operations:
GET
/os-volumes/detail
- Scope Types:
project
List volumes detail.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:show
- Default:
rule:project_reader_or_admin
- Operations:
GET
/os-volumes/{volume_id}
- Scope Types:
project
Show volume.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:delete
- Default:
rule:project_member_or_admin
- Operations:
DELETE
/os-volumes/{volume_id}
- Scope Types:
project
Delete volume.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:snapshots:list
- Default:
rule:project_reader_or_admin
- Operations:
GET
/os-snapshots
- Scope Types:
project
List snapshots.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:snapshots:create
- Default:
rule:project_member_or_admin
- Operations:
POST
/os-snapshots
- Scope Types:
project
Create snapshots.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:snapshots:detail
- Default:
rule:project_reader_or_admin
- Operations:
GET
/os-snapshots/detail
- Scope Types:
project
List snapshots details.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:snapshots:show
- Default:
rule:project_reader_or_admin
- Operations:
GET
/os-snapshots/{snapshot_id}
- Scope Types:
project
Show snapshot.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:snapshots:delete
- Default:
rule:project_member_or_admin
- Operations:
DELETE
/os-snapshots/{snapshot_id}
- Scope Types:
project
Delete snapshot.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes-attachments:index
- Default:
rule:project_reader_or_admin
- Operations:
GET
/servers/{server_id}/os-volume_attachments
- Scope Types:
project
List volume attachments for an instance
os_compute_api:os-volumes-attachments:create
- Default:
rule:project_member_or_admin
- Operations:
POST
/servers/{server_id}/os-volume_attachments
- Scope Types:
project
Attach a volume to an instance
os_compute_api:os-volumes-attachments:show
- Default:
rule:project_reader_or_admin
- Operations:
GET
/servers/{server_id}/os-volume_attachments/{volume_id}
- Scope Types:
project
Show details of a volume attachment
os_compute_api:os-volumes-attachments:update
- Default:
rule:project_member_or_admin
- Operations:
PUT
/servers/{server_id}/os-volume_attachments/{volume_id}
- Scope Types:
project
Update a volume attachment. For a combined ‘swap + update’ request (possible only with a microversion greater than 2.85), only the swap policy (os_compute_api:os-volumes-attachments:swap) is checked; that swap policy is expected to always be a superset of the permissions granted by this policy.
os_compute_api:os-volumes-attachments:swap
- Default:
rule:context_is_admin
- Operations:
PUT
/servers/{server_id}/os-volume_attachments/{volume_id}
- Scope Types:
project
Update a volume attachment with a different volumeId
os_compute_api:os-volumes-attachments:delete
- Default:
rule:project_member_or_admin
- Operations:
DELETE
/servers/{server_id}/os-volume_attachments/{volume_id}
- Scope Types:
project
Detach a volume from an instance