Sample Nova Policy File

The following is a sample nova policy file for adaptation and use.

The sample policy can also be viewed in file form.

Important

The sample policy file is auto-generated from nova when this documentation is built. You must ensure your version of nova matches the version of this documentation.

# Decides what is required for the 'is_admin:True' check to succeed.
#"context_is_admin": "role:admin"

# DEPRECATED
# "admin_or_owner" has been deprecated since 21.0.0.
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
# Default rule for most non-Admin APIs.
#"admin_or_owner": "is_admin:True or project_id:%(project_id)s"

# DEPRECATED
# "admin_api" has been deprecated since 21.0.0.
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
# Default rule for most Admin APIs.
#"admin_api": "is_admin:True"

# Default rule for System Admin APIs.
#"system_admin_api": "role:admin and system_scope:all"

# DEPRECATED "rule:admin_api":"is_admin:True" has been deprecated
# since 21.0.0 in favor of "system_admin_api":"role:admin and
# system_scope:all".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"rule:admin_api": "rule:system_admin_api"
# Default rule for System level read only APIs.
#"system_reader_api": "role:reader and system_scope:all"

# DEPRECATED "rule:admin_api":"is_admin:True" has been deprecated
# since 21.0.0 in favor of "system_reader_api":"role:reader and
# system_scope:all".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"rule:admin_api": "rule:system_reader_api"
# Default rule for Project level admin APIs.
#"project_admin_api": "role:admin and project_id:%(project_id)s"

# DEPRECATED "rule:admin_api":"is_admin:True" has been deprecated
# since 21.0.0 in favor of "project_admin_api":"role:admin and
# project_id:%(project_id)s".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"rule:admin_api": "rule:project_admin_api"
# Default rule for Project level non admin APIs.
#"project_member_api": "role:member and project_id:%(project_id)s"

# DEPRECATED "rule:admin_or_owner":"is_admin:True or
# project_id:%(project_id)s" has been deprecated since 21.0.0 in favor
# of "project_member_api":"role:member and project_id:%(project_id)s".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"rule:admin_or_owner": "rule:project_member_api"
# Default rule for Project level read only APIs.
#"project_reader_api": "role:reader and project_id:%(project_id)s"

# Default rule for System admin+owner APIs.
#"system_admin_or_owner": "rule:system_admin_api or rule:project_member_api"

# DEPRECATED "rule:admin_or_owner":"is_admin:True or
# project_id:%(project_id)s" has been deprecated since 21.0.0 in favor
# of "system_admin_or_owner":"rule:system_admin_api or
# rule:project_member_api".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"rule:admin_or_owner": "rule:system_admin_or_owner"
# Default rule for System+Project read only APIs.
#"system_or_project_reader": "rule:system_reader_api or rule:project_reader_api"

# DEPRECATED "rule:admin_or_owner":"is_admin:True or
# project_id:%(project_id)s" has been deprecated since 21.0.0 in favor
# of "system_or_project_reader":"rule:system_reader_api or
# rule:project_reader_api".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"rule:admin_or_owner": "rule:system_or_project_reader"
# Reset the state of a given server
# POST  /servers/{server_id}/action (os-resetState)
# Intended scope(s): system, project
#"os_compute_api:os-admin-actions:reset_state": "rule:system_admin_api"

# Inject network information into the server
# POST  /servers/{server_id}/action (injectNetworkInfo)
# Intended scope(s): system, project
#"os_compute_api:os-admin-actions:inject_network_info": "rule:system_admin_api"

# Reset networking on a server
# POST  /servers/{server_id}/action (resetNetwork)
# Intended scope(s): system, project
#"os_compute_api:os-admin-actions:reset_network": "rule:system_admin_api"

# Change the administrative password for a server
# POST  /servers/{server_id}/action (changePassword)
# Intended scope(s): system, project
#"os_compute_api:os-admin-password": "rule:system_admin_or_owner"

# List guest agent builds This is XenAPI driver specific. It is used
# to force the upgrade of the XenAPI guest agent on instance boot.
# GET  /os-agents
# Intended scope(s): system
#"os_compute_api:os-agents:list": "rule:system_reader_api"

# DEPRECATED "os_compute_api:os-agents":"rule:admin_api" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-
# agents:list":"rule:system_reader_api".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-agents": "rule:os_compute_api:os-agents:list"
# Create guest agent builds This is XenAPI driver specific. It is used
# to force the upgrade of the XenAPI guest agent on instance boot.
# POST  /os-agents
# Intended scope(s): system
#"os_compute_api:os-agents:create": "rule:system_admin_api"

# DEPRECATED "os_compute_api:os-agents":"rule:admin_api" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-
# agents:create":"rule:system_admin_api".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-agents": "rule:os_compute_api:os-agents:create"
# Update guest agent builds This is XenAPI driver specific. It is used
# to force the upgrade of the XenAPI guest agent on instance boot.
# PUT  /os-agents/{agent_build_id}
# Intended scope(s): system
#"os_compute_api:os-agents:update": "rule:system_admin_api"

# DEPRECATED "os_compute_api:os-agents":"rule:admin_api" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-
# agents:update":"rule:system_admin_api".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-agents": "rule:os_compute_api:os-agents:update"
# Delete guest agent builds This is XenAPI driver specific. It is used
# to force the upgrade of the XenAPI guest agent on instance boot.
# DELETE  /os-agents/{agent_build_id}
# Intended scope(s): system
#"os_compute_api:os-agents:delete": "rule:system_admin_api"

# DEPRECATED "os_compute_api:os-agents":"rule:admin_api" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-
# agents:delete":"rule:system_admin_api".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-agents": "rule:os_compute_api:os-agents:delete"
# Create or replace metadata for an aggregate
# POST  /os-aggregates/{aggregate_id}/action (set_metadata)
# Intended scope(s): system
#"os_compute_api:os-aggregates:set_metadata": "rule:system_admin_api"

# Add a host to an aggregate
# POST  /os-aggregates/{aggregate_id}/action (add_host)
# Intended scope(s): system
#"os_compute_api:os-aggregates:add_host": "rule:system_admin_api"

# Create an aggregate
# POST  /os-aggregates
# Intended scope(s): system
#"os_compute_api:os-aggregates:create": "rule:system_admin_api"

# Remove a host from an aggregate
# POST  /os-aggregates/{aggregate_id}/action (remove_host)
# Intended scope(s): system
#"os_compute_api:os-aggregates:remove_host": "rule:system_admin_api"

# Update name and/or availability zone for an aggregate
# PUT  /os-aggregates/{aggregate_id}
# Intended scope(s): system
#"os_compute_api:os-aggregates:update": "rule:system_admin_api"

# List all aggregates
# GET  /os-aggregates
# Intended scope(s): system
#"os_compute_api:os-aggregates:index": "rule:system_reader_api"

# Delete an aggregate
# DELETE  /os-aggregates/{aggregate_id}
# Intended scope(s): system
#"os_compute_api:os-aggregates:delete": "rule:system_admin_api"

# Show details for an aggregate
# GET  /os-aggregates/{aggregate_id}
# Intended scope(s): system
#"os_compute_api:os-aggregates:show": "rule:system_reader_api"

# Request image caching for an aggregate
# POST  /os-aggregates/{aggregate_id}/images
# Intended scope(s): system
#"compute:aggregates:images": "rule:system_admin_api"

# Create an assisted volume snapshot
# POST  /os-assisted-volume-snapshots
# Intended scope(s): system
#"os_compute_api:os-assisted-volume-snapshots:create": "rule:system_admin_api"

# Delete an assisted volume snapshot
# DELETE  /os-assisted-volume-snapshots/{snapshot_id}
# Intended scope(s): system
#"os_compute_api:os-assisted-volume-snapshots:delete": "rule:system_admin_api"

# List port interfaces attached to a server
# GET  /servers/{server_id}/os-interface
# Intended scope(s): system, project
#"os_compute_api:os-attach-interfaces:list": "rule:system_or_project_reader"

# DEPRECATED "os_compute_api:os-attach-
# interfaces":"rule:admin_or_owner" has been deprecated since 21.0.0
# in favor of "os_compute_api:os-attach-
# interfaces:list":"rule:system_or_project_reader".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:list"
# Show details of a port interface attached to a server
# GET  /servers/{server_id}/os-interface/{port_id}
# Intended scope(s): system, project
#"os_compute_api:os-attach-interfaces:show": "rule:system_or_project_reader"

# DEPRECATED "os_compute_api:os-attach-
# interfaces":"rule:admin_or_owner" has been deprecated since 21.0.0
# in favor of "os_compute_api:os-attach-
# interfaces:show":"rule:system_or_project_reader".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:show"
# Attach an interface to a server
# POST  /servers/{server_id}/os-interface
# Intended scope(s): system, project
#"os_compute_api:os-attach-interfaces:create": "rule:system_admin_or_owner"

# DEPRECATED "os_compute_api:os-attach-
# interfaces":"rule:admin_or_owner" has been deprecated since 21.0.0
# in favor of "os_compute_api:os-attach-
# interfaces:create":"rule:system_admin_or_owner".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:create"
# Detach an interface from a server
# DELETE  /servers/{server_id}/os-interface/{port_id}
# Intended scope(s): system, project
#"os_compute_api:os-attach-interfaces:delete": "rule:system_admin_or_owner"

# DEPRECATED "os_compute_api:os-attach-
# interfaces":"rule:admin_or_owner" has been deprecated since 21.0.0
# in favor of "os_compute_api:os-attach-
# interfaces:delete":"rule:system_admin_or_owner".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-attach-interfaces": "rule:os_compute_api:os-attach-interfaces:delete"
# List availability zone information without host information
# GET  /os-availability-zone
# Intended scope(s): system, project
#"os_compute_api:os-availability-zone:list": "@"

# List detailed availability zone information with host information
# GET  /os-availability-zone/detail
# Intended scope(s): system
#"os_compute_api:os-availability-zone:detail": "rule:system_reader_api"

# List and show details of bare metal nodes.
#
# These APIs are proxy calls to the Ironic service and are deprecated.
# GET  /os-baremetal-nodes
# GET  /os-baremetal-nodes/{node_id}
#"os_compute_api:os-baremetal-nodes": "rule:admin_api"

# Show console connection information for a given console
# authentication token
# GET  /os-console-auth-tokens/{console_token}
# Intended scope(s): system
#"os_compute_api:os-console-auth-tokens": "rule:system_reader_api"

# Show console output for a server
# POST  /servers/{server_id}/action (os-getConsoleOutput)
# Intended scope(s): system, project
#"os_compute_api:os-console-output": "rule:system_admin_or_owner"

# Create a back up of a server
# POST  /servers/{server_id}/action (createBackup)
# Intended scope(s): system, project
#"os_compute_api:os-create-backup": "rule:system_admin_or_owner"

# Restore a soft deleted server
# POST  /servers/{server_id}/action (restore)
# Intended scope(s): system, project
#"os_compute_api:os-deferred-delete:restore": "rule:system_admin_or_owner"

# DEPRECATED "os_compute_api:os-deferred-delete":"rule:admin_or_owner"
# has been deprecated since 21.0.0 in favor of "os_compute_api:os-
# deferred-delete:restore":"rule:system_admin_or_owner".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-deferred-delete": "rule:os_compute_api:os-deferred-delete:restore"
# Force delete a server before deferred cleanup
# POST  /servers/{server_id}/action (forceDelete)
# Intended scope(s): system, project
#"os_compute_api:os-deferred-delete:force": "rule:system_admin_or_owner"

# DEPRECATED "os_compute_api:os-deferred-delete":"rule:admin_or_owner"
# has been deprecated since 21.0.0 in favor of "os_compute_api:os-
# deferred-delete:force":"rule:system_admin_or_owner".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-deferred-delete": "rule:os_compute_api:os-deferred-delete:force"
# Evacuate a server from a failed host to a new host
# POST  /servers/{server_id}/action (evacuate)
# Intended scope(s): system, project
#"os_compute_api:os-evacuate": "rule:system_admin_api"

# Return extended attributes for server.
#
# This rule will control the visibility for a set of servers
# attributes:
#
# - ``OS-EXT-SRV-ATTR:host`` - ``OS-EXT-SRV-ATTR:instance_name`` -
# ``OS-EXT-SRV-ATTR:reservation_id`` (since microversion 2.3) - ``OS-
# EXT-SRV-ATTR:launch_index`` (since microversion 2.3) - ``OS-EXT-SRV-
# ATTR:hostname`` (since microversion 2.3) - ``OS-EXT-SRV-
# ATTR:kernel_id`` (since microversion 2.3) - ``OS-EXT-SRV-
# ATTR:ramdisk_id`` (since microversion 2.3) - ``OS-EXT-SRV-
# ATTR:root_device_name`` (since microversion 2.3) - ``OS-EXT-SRV-
# ATTR:user_data`` (since microversion 2.3)
#
# Microvision 2.75 added the above attributes in the ``PUT
# /servers/{server_id}`` and ``POST /servers/{server_id}/action
# (rebuild)`` API responses which are also controlled by this policy
# rule, like the ``GET /servers*`` APIs.
# GET  /servers/{id}
# GET  /servers/detail
# PUT  /servers/{server_id}
# POST  /servers/{server_id}/action (rebuild)
# Intended scope(s): system, project
#"os_compute_api:os-extended-server-attributes": "rule:system_admin_api"

# List available extensions and show information for an extension by
# alias
# GET  /extensions
# GET  /extensions/{alias}
#"os_compute_api:extensions": "rule:admin_or_owner"

# Add flavor access to a tenant
# POST  /flavors/{flavor_id}/action (addTenantAccess)
# Intended scope(s): system
#"os_compute_api:os-flavor-access:add_tenant_access": "rule:system_admin_api"

# Remove flavor access from a tenant
# POST  /flavors/{flavor_id}/action (removeTenantAccess)
# Intended scope(s): system
#"os_compute_api:os-flavor-access:remove_tenant_access": "rule:system_admin_api"

# List flavor access information
#
# Allows access to the full list of tenants that have access to a
# flavor via an os-flavor-access API.
# GET  /flavors/{flavor_id}/os-flavor-access
# Intended scope(s): system
#"os_compute_api:os-flavor-access": "rule:system_reader_api"

# DEPRECATED "os_compute_api:os-flavor-access":"rule:admin_or_owner"
# has been deprecated since 21.0.0 in favor of "os_compute_api:os-
# flavor-access":"rule:system_reader_api".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
# Show an extra spec for a flavor
# GET  /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
# Intended scope(s): system, project
#"os_compute_api:os-flavor-extra-specs:show": "rule:system_or_project_reader"

# Create extra specs for a flavor
# POST  /flavors/{flavor_id}/os-extra_specs/
# Intended scope(s): system
#"os_compute_api:os-flavor-extra-specs:create": "rule:system_admin_api"

# Update an extra spec for a flavor
# PUT  /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
# Intended scope(s): system
#"os_compute_api:os-flavor-extra-specs:update": "rule:system_admin_api"

# Delete an extra spec for a flavor
# DELETE  /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
# Intended scope(s): system
#"os_compute_api:os-flavor-extra-specs:delete": "rule:system_admin_api"

# List extra specs for a flavor. Starting with microversion 2.47, the
# flavor used for a server is also returned in the response when
# showing server details, updating a server or rebuilding a server.
# Starting with microversion 2.61, extra specs may be returned in
# responses for the flavor resource.
# GET  /flavors/{flavor_id}/os-extra_specs/
# GET  /servers/detail
# GET  /servers/{server_id}
# PUT  /servers/{server_id}
# POST  /servers/{server_id}/action (rebuild)
# POST  /flavors
# GET  /flavors/detail
# GET  /flavors/{flavor_id}
# PUT  /flavors/{flavor_id}
# Intended scope(s): system, project
#"os_compute_api:os-flavor-extra-specs:index": "rule:system_or_project_reader"

# Create a flavor
# POST  /flavors
# Intended scope(s): system
#"os_compute_api:os-flavor-manage:create": "rule:system_admin_api"

# Update a flavor
# PUT  /flavors/{flavor_id}
# Intended scope(s): system
#"os_compute_api:os-flavor-manage:update": "rule:system_admin_api"

# Delete a flavor
# DELETE  /flavors/{flavor_id}
# Intended scope(s): system
#"os_compute_api:os-flavor-manage:delete": "rule:system_admin_api"

# List floating IP pools. This API is deprecated.
# GET  /os-floating-ip-pools
#"os_compute_api:os-floating-ip-pools": "rule:admin_or_owner"

# Manage a project's floating IPs. These APIs are all deprecated.
# POST  /servers/{server_id}/action (addFloatingIp)
# POST  /servers/{server_id}/action (removeFloatingIp)
# GET  /os-floating-ips
# POST  /os-floating-ips
# GET  /os-floating-ips/{floating_ip_id}
# DELETE  /os-floating-ips/{floating_ip_id}
#"os_compute_api:os-floating-ips": "rule:admin_or_owner"

# List, show and manage physical hosts.
#
# These APIs are all deprecated in favor of os-hypervisors and os-
# services.
# GET  /os-hosts
# GET  /os-hosts/{host_name}
# PUT  /os-hosts/{host_name}
# GET  /os-hosts/{host_name}/reboot
# GET  /os-hosts/{host_name}/shutdown
# GET  /os-hosts/{host_name}/startup
#"os_compute_api:os-hosts": "rule:admin_api"

# List all hypervisors.
# GET  /os-hypervisors
# Intended scope(s): system
#"os_compute_api:os-hypervisors:list": "rule:system_reader_api"

# DEPRECATED "os_compute_api:os-hypervisors":"rule:admin_api" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-
# hypervisors:list":"rule:system_reader_api".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:list"
# List all hypervisors with details
# GET  /os-hypervisors/details
# Intended scope(s): system
#"os_compute_api:os-hypervisors:list-detail": "rule:system_reader_api"

# DEPRECATED "os_compute_api:os-hypervisors":"rule:admin_api" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-
# hypervisors:list-detail":"rule:system_reader_api".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:list-detail"
# Show summary statistics for all hypervisors over all compute nodes.
# GET  /os-hypervisors/statistics
# Intended scope(s): system
#"os_compute_api:os-hypervisors:statistics": "rule:system_reader_api"

# DEPRECATED "os_compute_api:os-hypervisors":"rule:admin_api" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-
# hypervisors:statistics":"rule:system_reader_api".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:statistics"
# Show details for a hypervisor.
# GET  /os-hypervisors/{hypervisor_id}
# Intended scope(s): system
#"os_compute_api:os-hypervisors:show": "rule:system_reader_api"

# DEPRECATED "os_compute_api:os-hypervisors":"rule:admin_api" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-
# hypervisors:show":"rule:system_reader_api".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:show"
# Show the uptime of a hypervisor.
# GET  /os-hypervisors/{hypervisor_id}/uptime
# Intended scope(s): system
#"os_compute_api:os-hypervisors:uptime": "rule:system_reader_api"

# DEPRECATED "os_compute_api:os-hypervisors":"rule:admin_api" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-
# hypervisors:uptime":"rule:system_reader_api".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:uptime"
# Search hypervisor by hypervisor_hostname pattern.
# GET  /os-hypervisors/{hypervisor_hostname_pattern}/search
# Intended scope(s): system
#"os_compute_api:os-hypervisors:search": "rule:system_reader_api"

# DEPRECATED "os_compute_api:os-hypervisors":"rule:admin_api" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-
# hypervisors:search":"rule:system_reader_api".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:search"
# List all servers on hypervisors that can match the provided
# hypervisor_hostname pattern.
# GET  /os-hypervisors/{hypervisor_hostname_pattern}/servers
# Intended scope(s): system
#"os_compute_api:os-hypervisors:servers": "rule:system_reader_api"

# DEPRECATED "os_compute_api:os-hypervisors":"rule:admin_api" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-
# hypervisors:servers":"rule:system_reader_api".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-hypervisors": "rule:os_compute_api:os-hypervisors:servers"
# Add "details" key in action events for a server.
#
# This check is performed only after the check os_compute_api:os-
# instance-actions:show passes. Beginning with Microversion 2.84, new
# field 'details' is exposed via API which can have more details about
# event failure. That field is controlled by this policy which is
# system reader by default. Making the 'details' field visible to the
# non-admin user helps to understand the nature of the problem (i.e.
# if the action can be retried), but in the other hand it might leak
# information about the deployment (e.g. the type of the hypervisor).
# GET  /servers/{server_id}/os-instance-actions/{request_id}
# Intended scope(s): system, project
#"os_compute_api:os-instance-actions:events:details": "rule:system_reader_api"

# Add events details in action details for a server. This check is
# performed only after the check os_compute_api:os-instance-
# actions:show passes. Beginning with Microversion 2.51, events
# details are always included; traceback information is provided per
# event if policy enforcement passes. Beginning with Microversion
# 2.62, each event includes a hashed host identifier and, if policy
# enforcement passes, the name of the host.
# GET  /servers/{server_id}/os-instance-actions/{request_id}
# Intended scope(s): system, project
#"os_compute_api:os-instance-actions:events": "rule:system_reader_api"

# List actions for a server.
# GET  /servers/{server_id}/os-instance-actions
# Intended scope(s): system, project
#"os_compute_api:os-instance-actions:list": "rule:system_or_project_reader"

# DEPRECATED "os_compute_api:os-instance-
# actions":"rule:admin_or_owner" has been deprecated since 21.0.0 in
# favor of "os_compute_api:os-instance-
# actions:list":"rule:system_or_project_reader".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-instance-actions": "rule:os_compute_api:os-instance-actions:list"
# Show action details for a server.
# GET  /servers/{server_id}/os-instance-actions/{request_id}
# Intended scope(s): system, project
#"os_compute_api:os-instance-actions:show": "rule:system_or_project_reader"

# DEPRECATED "os_compute_api:os-instance-
# actions":"rule:admin_or_owner" has been deprecated since 21.0.0 in
# favor of "os_compute_api:os-instance-
# actions:show":"rule:system_or_project_reader".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-instance-actions": "rule:os_compute_api:os-instance-actions:show"
# List all usage audits.
# GET  /os-instance_usage_audit_log
# Intended scope(s): system
#"os_compute_api:os-instance-usage-audit-log:list": "rule:system_reader_api"

# DEPRECATED "os_compute_api:os-instance-usage-audit-
# log":"rule:admin_api" has been deprecated since 21.0.0 in favor of
# "os_compute_api:os-instance-usage-audit-
# log:list":"rule:system_reader_api".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-instance-usage-audit-log": "rule:os_compute_api:os-instance-usage-audit-log:list"
# List all usage audits occurred before a specified time for all
# servers on all compute hosts where usage auditing is configured
# GET  /os-instance_usage_audit_log/{before_timestamp}
# Intended scope(s): system
#"os_compute_api:os-instance-usage-audit-log:show": "rule:system_reader_api"

# DEPRECATED "os_compute_api:os-instance-usage-audit-
# log":"rule:admin_api" has been deprecated since 21.0.0 in favor of
# "os_compute_api:os-instance-usage-audit-
# log:show":"rule:system_reader_api".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-instance-usage-audit-log": "rule:os_compute_api:os-instance-usage-audit-log:show"
# Show IP addresses details for a network label of a  server
# GET  /servers/{server_id}/ips/{network_label}
# Intended scope(s): system, project
#"os_compute_api:ips:show": "rule:system_or_project_reader"

# List IP addresses that are assigned to a server
# GET  /servers/{server_id}/ips
# Intended scope(s): system, project
#"os_compute_api:ips:index": "rule:system_or_project_reader"

# List all keypairs
# GET  /os-keypairs
# Intended scope(s): system, project
#"os_compute_api:os-keypairs:index": "(rule:system_reader_api) or user_id:%(user_id)s"

# Create a keypair
# POST  /os-keypairs
# Intended scope(s): system, project
#"os_compute_api:os-keypairs:create": "(rule:system_admin_api) or user_id:%(user_id)s"

# Delete a keypair
# DELETE  /os-keypairs/{keypair_name}
# Intended scope(s): system, project
#"os_compute_api:os-keypairs:delete": "(rule:system_admin_api) or user_id:%(user_id)s"

# Show details of a keypair
# GET  /os-keypairs/{keypair_name}
# Intended scope(s): system, project
#"os_compute_api:os-keypairs:show": "(rule:system_reader_api) or user_id:%(user_id)s"

# Show rate and absolute limits for the current user project
# GET  /limits
# Intended scope(s): system, project
#"os_compute_api:limits": "@"

# Show rate and absolute limits of other project.
#
# This policy only checks if the user has access to the requested
# project limits. And this check is performed only after the check
# os_compute_api:limits passes
# GET  /limits
# Intended scope(s): system
#"os_compute_api:limits:other_project": "rule:system_reader_api"

# DEPRECATED "os_compute_api:os-used-limits":"rule:admin_api" has been
# deprecated since 21.0.0 in favor of
# "os_compute_api:limits:other_project":"rule:system_reader_api".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-used-limits": "rule:os_compute_api:limits:other_project"
# Lock a server
# POST  /servers/{server_id}/action (lock)
# Intended scope(s): system, project
#"os_compute_api:os-lock-server:lock": "rule:system_admin_or_owner"

# Unlock a server
# POST  /servers/{server_id}/action (unlock)
# Intended scope(s): system, project
#"os_compute_api:os-lock-server:unlock": "rule:system_admin_or_owner"

# Unlock a server, regardless who locked the server.
#
# This check is performed only after the check os_compute_api:os-lock-
# server:unlock passes
# POST  /servers/{server_id}/action (unlock)
# Intended scope(s): system, project
#"os_compute_api:os-lock-server:unlock:unlock_override": "rule:system_admin_api"

# Cold migrate a server to a host
# POST  /servers/{server_id}/action (migrate)
# Intended scope(s): system, project
#"os_compute_api:os-migrate-server:migrate": "rule:system_admin_api"

# Live migrate a server to a new host without a reboot
# POST  /servers/{server_id}/action (os-migrateLive)
# Intended scope(s): system, project
#"os_compute_api:os-migrate-server:migrate_live": "rule:system_admin_api"

# List migrations
# GET  /os-migrations
# Intended scope(s): system
#"os_compute_api:os-migrations:index": "rule:system_reader_api"

# Add or remove a fixed IP address from a server.
#
# These APIs are proxy calls to the Network service. These are all
# deprecated.
# POST  /servers/{server_id}/action (addFixedIp)
# POST  /servers/{server_id}/action (removeFixedIp)
#"os_compute_api:os-multinic": "rule:admin_or_owner"

# List networks for the project and show details for a network.
#
# These APIs are proxy calls to the Network service. These are all
# deprecated.
# GET  /os-networks
# GET  /os-networks/{network_id}
#"os_compute_api:os-networks:view": "rule:admin_or_owner"

# Pause a server
# POST  /servers/{server_id}/action (pause)
# Intended scope(s): system, project
#"os_compute_api:os-pause-server:pause": "rule:system_admin_or_owner"

# Unpause a paused server
# POST  /servers/{server_id}/action (unpause)
# Intended scope(s): system, project
#"os_compute_api:os-pause-server:unpause": "rule:system_admin_or_owner"

# List quotas for specific quota classs
# GET  /os-quota-class-sets/{quota_class}
# Intended scope(s): system
#"os_compute_api:os-quota-class-sets:show": "rule:system_reader_api"

# Update quotas for specific quota class
# PUT  /os-quota-class-sets/{quota_class}
# Intended scope(s): system
#"os_compute_api:os-quota-class-sets:update": "rule:system_admin_api"

# Update the quotas
# PUT  /os-quota-sets/{tenant_id}
# Intended scope(s): system
#"os_compute_api:os-quota-sets:update": "rule:system_admin_api"

# List default quotas
# GET  /os-quota-sets/{tenant_id}/defaults
# Intended scope(s): system, project
#"os_compute_api:os-quota-sets:defaults": "@"

# Show a quota
# GET  /os-quota-sets/{tenant_id}
# Intended scope(s): system, project
#"os_compute_api:os-quota-sets:show": "rule:system_or_project_reader"

# Revert quotas to defaults
# DELETE  /os-quota-sets/{tenant_id}
# Intended scope(s): system
#"os_compute_api:os-quota-sets:delete": "rule:system_admin_api"

# Show the detail of quota
# GET  /os-quota-sets/{tenant_id}/detail
# Intended scope(s): system, project
#"os_compute_api:os-quota-sets:detail": "rule:system_or_project_reader"

# Generate a URL to access remove server console.
#
# This policy is for ``POST /remote-consoles`` API and below Server
# actions APIs are deprecated:
#
# - ``os-getRDPConsole`` - ``os-getSerialConsole`` - ``os-
# getSPICEConsole`` - ``os-getVNCConsole``.
# POST  /servers/{server_id}/action (os-getRDPConsole)
# POST  /servers/{server_id}/action (os-getSerialConsole)
# POST  /servers/{server_id}/action (os-getSPICEConsole)
# POST  /servers/{server_id}/action (os-getVNCConsole)
# POST  /servers/{server_id}/remote-consoles
# Intended scope(s): system, project
#"os_compute_api:os-remote-consoles": "rule:system_admin_or_owner"

# Rescue a server
# POST  /servers/{server_id}/action (rescue)
# Intended scope(s): system, project
#"os_compute_api:os-rescue": "rule:system_admin_or_owner"

# Unrescue a server
# POST  /servers/{server_id}/action (unrescue)
# Intended scope(s): system, project
#"os_compute_api:os-unrescue": "rule:system_admin_or_owner"

# DEPRECATED "os_compute_api:os-rescue":"rule:admin_or_owner" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-
# unrescue":"rule:system_admin_or_owner".
#
# Rescue/Unrescue API policies are made granular with new policy for
# unrescue and keeping old policy for rescue.
"os_compute_api:os-rescue": "rule:os_compute_api:os-unrescue"
# List, show, add, or remove security groups.
#
# APIs which are directly related to security groups resource are
# deprecated: Lists, shows information for, creates, updates and
# deletes security groups. Creates and deletes security group rules.
# All these APIs are deprecated.
# GET  /os-security-groups
# GET  /os-security-groups/{security_group_id}
# POST  /os-security-groups
# PUT  /os-security-groups/{security_group_id}
# DELETE  /os-security-groups/{security_group_id}
#"os_compute_api:os-security-groups": "rule:admin_or_owner"

# List security groups of server.
# GET  /servers/{server_id}/os-security-groups
# Intended scope(s): system, project
#"os_compute_api:os-security-groups:list": "rule:system_or_project_reader"

# DEPRECATED "os_compute_api:os-security-groups":"rule:admin_or_owner"
# has been deprecated since 21.0.0 in favor of "os_compute_api:os-
# security-groups:list":"rule:system_or_project_reader".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:list"
# Add security groups to server.
# POST  /servers/{server_id}/action (addSecurityGroup)
# Intended scope(s): system, project
#"os_compute_api:os-security-groups:add": "rule:system_admin_or_owner"

# DEPRECATED "os_compute_api:os-security-groups":"rule:admin_or_owner"
# has been deprecated since 21.0.0 in favor of "os_compute_api:os-
# security-groups:add":"rule:system_admin_or_owner".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:add"
# Remove security groups from server.
# POST  /servers/{server_id}/action (removeSecurityGroup)
# Intended scope(s): system, project
#"os_compute_api:os-security-groups:remove": "rule:system_admin_or_owner"

# DEPRECATED "os_compute_api:os-security-groups":"rule:admin_or_owner"
# has been deprecated since 21.0.0 in favor of "os_compute_api:os-
# security-groups:remove":"rule:system_admin_or_owner".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-security-groups": "rule:os_compute_api:os-security-groups:remove"
# Show the usage data for a server
# GET  /servers/{server_id}/diagnostics
# Intended scope(s): system, project
#"os_compute_api:os-server-diagnostics": "rule:system_admin_api"

# Create one or more external events
# POST  /os-server-external-events
# Intended scope(s): system
#"os_compute_api:os-server-external-events:create": "rule:system_admin_api"

# Create a new server group
# POST  /os-server-groups
# Intended scope(s): project
#"os_compute_api:os-server-groups:create": "rule:project_member_api"

# Delete a server group
# DELETE  /os-server-groups/{server_group_id}
# Intended scope(s): system, project
#"os_compute_api:os-server-groups:delete": "rule:system_admin_or_owner"

# List all server groups
# GET  /os-server-groups
# Intended scope(s): system, project
#"os_compute_api:os-server-groups:index": "rule:system_or_project_reader"

# List all server groups for all projects
# GET  /os-server-groups
# Intended scope(s): system
#"os_compute_api:os-server-groups:index:all_projects": "rule:system_reader_api"

# Show details of a server group
# GET  /os-server-groups/{server_group_id}
# Intended scope(s): system, project
#"os_compute_api:os-server-groups:show": "rule:system_or_project_reader"

# List all metadata of a server
# GET  /servers/{server_id}/metadata
# Intended scope(s): system, project
#"os_compute_api:server-metadata:index": "rule:system_or_project_reader"

# Show metadata for a server
# GET  /servers/{server_id}/metadata/{key}
# Intended scope(s): system, project
#"os_compute_api:server-metadata:show": "rule:system_or_project_reader"

# Create metadata for a server
# POST  /servers/{server_id}/metadata
# Intended scope(s): system, project
#"os_compute_api:server-metadata:create": "rule:system_admin_or_owner"

# Replace metadata for a server
# PUT  /servers/{server_id}/metadata
# Intended scope(s): system, project
#"os_compute_api:server-metadata:update_all": "rule:system_admin_or_owner"

# Update metadata from a server
# PUT  /servers/{server_id}/metadata/{key}
# Intended scope(s): system, project
#"os_compute_api:server-metadata:update": "rule:system_admin_or_owner"

# Delete metadata from a server
# DELETE  /servers/{server_id}/metadata/{key}
# Intended scope(s): system, project
#"os_compute_api:server-metadata:delete": "rule:system_admin_or_owner"

# Show the encrypted administrative password of a server
# GET  /servers/{server_id}/os-server-password
# Intended scope(s): system, project
#"os_compute_api:os-server-password:show": "rule:system_or_project_reader"

# DEPRECATED "os_compute_api:os-server-password":"rule:admin_or_owner"
# has been deprecated since 21.0.0 in favor of "os_compute_api:os-
# server-password:show":"rule:system_or_project_reader".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-server-password": "rule:os_compute_api:os-server-password:show"
# Clear the encrypted administrative password of a server
# DELETE  /servers/{server_id}/os-server-password
# Intended scope(s): system, project
#"os_compute_api:os-server-password:clear": "rule:system_admin_or_owner"

# DEPRECATED "os_compute_api:os-server-password":"rule:admin_or_owner"
# has been deprecated since 21.0.0 in favor of "os_compute_api:os-
# server-password:clear":"rule:system_admin_or_owner".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-server-password": "rule:os_compute_api:os-server-password:clear"
# Delete all the server tags
# DELETE  /servers/{server_id}/tags
# Intended scope(s): system, project
#"os_compute_api:os-server-tags:delete_all": "rule:system_admin_or_owner"

# List all tags for given server
# GET  /servers/{server_id}/tags
# Intended scope(s): system, project
#"os_compute_api:os-server-tags:index": "rule:system_or_project_reader"

# Replace all tags on specified server with the new set of tags.
# PUT  /servers/{server_id}/tags
# Intended scope(s): system, project
#"os_compute_api:os-server-tags:update_all": "rule:system_admin_or_owner"

# Delete a single tag from the specified server
# DELETE  /servers/{server_id}/tags/{tag}
# Intended scope(s): system, project
#"os_compute_api:os-server-tags:delete": "rule:system_admin_or_owner"

# Add a single tag to the server if server has no specified tag
# PUT  /servers/{server_id}/tags/{tag}
# Intended scope(s): system, project
#"os_compute_api:os-server-tags:update": "rule:system_admin_or_owner"

# Check tag existence on the server.
# GET  /servers/{server_id}/tags/{tag}
# Intended scope(s): system, project
#"os_compute_api:os-server-tags:show": "rule:system_or_project_reader"

# Show the NUMA topology data for a server
# GET  /servers/{server_id}/topology
# Intended scope(s): system, project
#"compute:server:topology:index": "rule:system_or_project_reader"

# Show the NUMA topology data for a server with host NUMA ID and CPU
# pinning information
# GET  /servers/{server_id}/topology
# Intended scope(s): system
#"compute:server:topology:host:index": "rule:system_reader_api"

# List all servers
# GET  /servers
# Intended scope(s): system, project
#"os_compute_api:servers:index": "rule:system_or_project_reader"

# List all servers with detailed information
# GET  /servers/detail
# Intended scope(s): system, project
#"os_compute_api:servers:detail": "rule:system_or_project_reader"

# List all servers for all projects
# GET  /servers
# Intended scope(s): system
#"os_compute_api:servers:index:get_all_tenants": "rule:system_reader_api"

# List all servers with detailed information for  all projects
# GET  /servers/detail
# Intended scope(s): system
#"os_compute_api:servers:detail:get_all_tenants": "rule:system_reader_api"

# Allow all filters when listing servers
# GET  /servers
# GET  /servers/detail
# Intended scope(s): system
#"os_compute_api:servers:allow_all_filters": "rule:system_reader_api"

# Show a server
# GET  /servers/{server_id}
# Intended scope(s): system, project
#"os_compute_api:servers:show": "rule:system_or_project_reader"

# Show a server with additional host status information.
#
# This means host_status will be shown irrespective of status value.
# If showing only host_status UNKNOWN is desired, use the
# ``os_compute_api:servers:show:host_status:unknown-only`` policy
# rule.
#
# Microvision 2.75 added the ``host_status`` attribute in the ``PUT
# /servers/{server_id}`` and ``POST /servers/{server_id}/action
# (rebuild)`` API responses which are also controlled by this policy
# rule, like the ``GET /servers*`` APIs.
# GET  /servers/{server_id}
# GET  /servers/detail
# PUT  /servers/{server_id}
# POST  /servers/{server_id}/action (rebuild)
# Intended scope(s): system, project
#"os_compute_api:servers:show:host_status": "rule:system_admin_api"

# Show a server with additional host status information, only if host
# status is UNKNOWN.
#
# This policy rule will only be enforced when the
# ``os_compute_api:servers:show:host_status`` policy rule does not
# pass for the request. An example policy configuration could be where
# the ``os_compute_api:servers:show:host_status`` rule is set to allow
# admin-only and the
# ``os_compute_api:servers:show:host_status:unknown-only`` rule is set
# to allow everyone.
# GET  /servers/{server_id}
# GET  /servers/detail
# PUT  /servers/{server_id}
# POST  /servers/{server_id}/action (rebuild)
# Intended scope(s): system, project
#"os_compute_api:servers:show:host_status:unknown-only": "rule:system_admin_api"

# Create a server
# POST  /servers
# Intended scope(s): project
#"os_compute_api:servers:create": "rule:project_member_api"

# Create a server on the specified host and/or node.
#
# In this case, the server is forced to launch on the specified host
# and/or node by bypassing the scheduler filters unlike the
# ``compute:servers:create:requested_destination`` rule.
# POST  /servers
# Intended scope(s): system, project
#"os_compute_api:servers:create:forced_host": "rule:project_admin_api"

# Create a server on the requested compute service host and/or
# hypervisor_hostname.
#
# In this case, the requested host and/or hypervisor_hostname is
# validated by the scheduler filters unlike the
# ``os_compute_api:servers:create:forced_host`` rule.
# POST  /servers
# Intended scope(s): system, project
#"compute:servers:create:requested_destination": "rule:admin_api"

# Create a server with the requested volume attached to it
# POST  /servers
# Intended scope(s): project
#"os_compute_api:servers:create:attach_volume": "rule:project_member_api"

# Create a server with the requested network attached  to it
# POST  /servers
# Intended scope(s): project
#"os_compute_api:servers:create:attach_network": "rule:project_member_api"

# Create a server with trusted image certificate IDs
# POST  /servers
# Intended scope(s): project
#"os_compute_api:servers:create:trusted_certs": "rule:project_member_api"

# This rule controls the compute API validation behavior of creating a
# server with a flavor that has 0 disk, indicating the server should
# be volume-backed.
#
# For a flavor with disk=0, the root disk will be set to exactly the
# size of the image used to deploy the instance. However, in this case
# the filter_scheduler cannot select the compute host based on the
# virtual image size. Therefore, 0 should only be used for volume
# booted instances or for testing purposes.
#
# WARNING: It is a potential security exposure to enable this policy
# rule if users can upload their own images since repeated attempts to
# create a disk=0 flavor instance with a large image can exhaust the
# local disk of the compute (or shared storage cluster). See bug
# https://bugs.launchpad.net/nova/+bug/1739646 for details.
# POST  /servers
# Intended scope(s): system, project
#"os_compute_api:servers:create:zero_disk_flavor": "rule:project_admin_api"

# Attach an unshared external network to a server
# POST  /servers
# POST  /servers/{server_id}/os-interface
# Intended scope(s): system, project
#"network:attach_external_network": "rule:project_admin_api"

# Delete a server
# DELETE  /servers/{server_id}
# Intended scope(s): system, project
#"os_compute_api:servers:delete": "rule:system_admin_or_owner"

# Update a server
# PUT  /servers/{server_id}
# Intended scope(s): system, project
#"os_compute_api:servers:update": "rule:system_admin_or_owner"

# Confirm a server resize
# POST  /servers/{server_id}/action (confirmResize)
# Intended scope(s): system, project
#"os_compute_api:servers:confirm_resize": "rule:system_admin_or_owner"

# Revert a server resize
# POST  /servers/{server_id}/action (revertResize)
# Intended scope(s): system, project
#"os_compute_api:servers:revert_resize": "rule:system_admin_or_owner"

# Reboot a server
# POST  /servers/{server_id}/action (reboot)
# Intended scope(s): system, project
#"os_compute_api:servers:reboot": "rule:system_admin_or_owner"

# Resize a server
# POST  /servers/{server_id}/action (resize)
# Intended scope(s): system, project
#"os_compute_api:servers:resize": "rule:system_admin_or_owner"

# Resize a server across cells. By default, this is disabled for all
# users and recommended to be tested in a deployment for admin users
# before opening it up to non-admin users. Resizing within a cell is
# the default preferred behavior even if this is enabled.
# POST  /servers/{server_id}/action (resize)
# Intended scope(s): system, project
#"compute:servers:resize:cross_cell": "!"

# Rebuild a server
# POST  /servers/{server_id}/action (rebuild)
# Intended scope(s): system, project
#"os_compute_api:servers:rebuild": "rule:system_admin_or_owner"

# Rebuild a server with trusted image certificate IDs
# POST  /servers/{server_id}/action (rebuild)
# Intended scope(s): system, project
#"os_compute_api:servers:rebuild:trusted_certs": "rule:system_admin_or_owner"

# Create an image from a server
# POST  /servers/{server_id}/action (createImage)
# Intended scope(s): system, project
#"os_compute_api:servers:create_image": "rule:system_admin_or_owner"

# Create an image from a volume backed server
# POST  /servers/{server_id}/action (createImage)
# Intended scope(s): system, project
#"os_compute_api:servers:create_image:allow_volume_backed": "rule:system_admin_or_owner"

# Start a server
# POST  /servers/{server_id}/action (os-start)
# Intended scope(s): system, project
#"os_compute_api:servers:start": "rule:system_admin_or_owner"

# Stop a server
# POST  /servers/{server_id}/action (os-stop)
# Intended scope(s): system, project
#"os_compute_api:servers:stop": "rule:system_admin_or_owner"

# Trigger crash dump in a server
# POST  /servers/{server_id}/action (trigger_crash_dump)
# Intended scope(s): system, project
#"os_compute_api:servers:trigger_crash_dump": "rule:system_admin_or_owner"

# Show details for an in-progress live migration for a given server
# GET  /servers/{server_id}/migrations/{migration_id}
# Intended scope(s): system, project
#"os_compute_api:servers:migrations:show": "rule:system_reader_api"

# Force an in-progress live migration for a given server to complete
# POST  /servers/{server_id}/migrations/{migration_id}/action (force_complete)
# Intended scope(s): system, project
#"os_compute_api:servers:migrations:force_complete": "rule:system_admin_api"

# Delete(Abort) an in-progress live migration
# DELETE  /servers/{server_id}/migrations/{migration_id}
# Intended scope(s): system, project
#"os_compute_api:servers:migrations:delete": "rule:system_admin_api"

# Lists in-progress live migrations for a given server
# GET  /servers/{server_id}/migrations
# Intended scope(s): system, project
#"os_compute_api:servers:migrations:index": "rule:system_reader_api"

# List all running Compute services in a region.
# GET  /os-services
# Intended scope(s): system
#"os_compute_api:os-services:list": "rule:system_reader_api"

# DEPRECATED "os_compute_api:os-services":"rule:admin_api" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-
# services:list":"rule:system_reader_api".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-services": "rule:os_compute_api:os-services:list"
# Update a Compute service.
# PUT  /os-services/{service_id}
# Intended scope(s): system
#"os_compute_api:os-services:update": "rule:system_admin_api"

# DEPRECATED "os_compute_api:os-services":"rule:admin_api" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-
# services:update":"rule:system_admin_api".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-services": "rule:os_compute_api:os-services:update"
# Delete a Compute service.
# DELETE  /os-services/{service_id}
# Intended scope(s): system
#"os_compute_api:os-services:delete": "rule:system_admin_api"

# DEPRECATED "os_compute_api:os-services":"rule:admin_api" has been
# deprecated since 21.0.0 in favor of "os_compute_api:os-
# services:delete":"rule:system_admin_api".
#
# Nova API policies are introducing new default roles with scope_type
# capabilities. Old policies are deprecated and silently going to be
# ignored in nova 23.0.0 release.
"os_compute_api:os-services": "rule:os_compute_api:os-services:delete"
# Shelve server
# POST  /servers/{server_id}/action (shelve)
# Intended scope(s): system, project
#"os_compute_api:os-shelve:shelve": "rule:system_admin_or_owner"

# Unshelve (restore) shelved server
# POST  /servers/{server_id}/action (unshelve)
# Intended scope(s): system, project
#"os_compute_api:os-shelve:unshelve": "rule:system_admin_or_owner"

# Shelf-offload (remove) server
# POST  /servers/{server_id}/action (shelveOffload)
# Intended scope(s): system, project
#"os_compute_api:os-shelve:shelve_offload": "rule:system_admin_api"

# Show usage statistics for a specific tenant
# GET  /os-simple-tenant-usage/{tenant_id}
# Intended scope(s): system, project
#"os_compute_api:os-simple-tenant-usage:show": "rule:system_or_project_reader"

# List per tenant usage statistics for all tenants
# GET  /os-simple-tenant-usage
# Intended scope(s): system
#"os_compute_api:os-simple-tenant-usage:list": "rule:system_reader_api"

# Resume suspended server
# POST  /servers/{server_id}/action (resume)
# Intended scope(s): system, project
#"os_compute_api:os-suspend-server:resume": "rule:system_admin_or_owner"

# Suspend server
# POST  /servers/{server_id}/action (suspend)
# Intended scope(s): system, project
#"os_compute_api:os-suspend-server:suspend": "rule:system_admin_or_owner"

# Create, list, show information for, and delete project networks.
#
# These APIs are proxy calls to the Network service. These are all
# deprecated.
# GET  /os-tenant-networks
# GET  /os-tenant-networks/{network_id}
#"os_compute_api:os-tenant-networks": "rule:admin_or_owner"

# Manage volumes for use with the Compute API.
#
# Lists, shows details, creates, and deletes volumes and snapshots.
# These APIs are proxy calls to the Volume service. These are all
# deprecated.
# GET  /os-volumes
# POST  /os-volumes
# GET  /os-volumes/detail
# GET  /os-volumes/{volume_id}
# DELETE  /os-volumes/{volume_id}
# GET  /os-snapshots
# POST  /os-snapshots
# GET  /os-snapshots/detail
# GET  /os-snapshots/{snapshot_id}
# DELETE  /os-snapshots/{snapshot_id}
#"os_compute_api:os-volumes": "rule:admin_or_owner"

# List volume attachments for an instance
# GET  /servers/{server_id}/os-volume_attachments
# Intended scope(s): system, project
#"os_compute_api:os-volumes-attachments:index": "rule:system_or_project_reader"

# Attach a volume to an instance
# POST  /servers/{server_id}/os-volume_attachments
# Intended scope(s): system, project
#"os_compute_api:os-volumes-attachments:create": "rule:system_admin_or_owner"

# Show details of a volume attachment
# GET  /servers/{server_id}/os-volume_attachments/{volume_id}
# Intended scope(s): system, project
#"os_compute_api:os-volumes-attachments:show": "rule:system_or_project_reader"

# Update a volume attachment. New 'update' policy about 'swap +
# update' request (which is possible only >2.85) only <swap policy> is
# checked. We expect <swap policy> to be always superset of this
# policy permission.
# PUT  /servers/{server_id}/os-volume_attachments/{volume_id}
# Intended scope(s): system, project
#"os_compute_api:os-volumes-attachments:update": "rule:system_admin_or_owner"

# Update a volume attachment with a different volumeId
# PUT  /servers/{server_id}/os-volume_attachments/{volume_id}
# Intended scope(s): system
#"os_compute_api:os-volumes-attachments:swap": "rule:system_admin_api"

# Detach a volume from an instance
# DELETE  /servers/{server_id}/os-volume_attachments/{volume_id}
# Intended scope(s): system, project
#"os_compute_api:os-volumes-attachments:delete": "rule:system_admin_or_owner"