Nova Policies

The following is an overview of all available policies in Nova. For a sample configuration file, refer to Sample Nova Policy File.

nova

context_is_admin
Default:

role:admin

Decides what is required for the ‘is_admin:True’ check to succeed.

admin_or_owner
Default:

is_admin:True or project_id:%(project_id)s

Default rule for most non-Admin APIs.

admin_api
Default:

is_admin:True

Default rule for most Admin APIs.

os_compute_api:os-admin-actions:reset_state
Default:

rule:admin_api

Operations:
  • POST /servers/{server_id}/action (os-resetState)

Reset the state of a given server

os_compute_api:os-admin-actions:inject_network_info
Default:

rule:admin_api

Operations:
  • POST /servers/{server_id}/action (injectNetworkInfo)

Inject network information into the server

os_compute_api:os-admin-actions:reset_network
Default:

rule:admin_api

Operations:
  • POST /servers/{server_id}/action (resetNetwork)

Reset networking on a server

os_compute_api:os-admin-password
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (changePassword)

Change the administrative password for a server

os_compute_api:os-agents
Default:

rule:admin_api

Operations:
  • GET /os-agents
  • POST /os-agents
  • PUT /os-agents/{agent_build_id}
  • DELETE /os-agents/{agent_build_id}

Create, list, update, and delete guest agent builds

This is XenAPI driver specific. It is used to force the upgrade of the XenAPI guest agent on instance boot.

os_compute_api:os-aggregates:set_metadata
Default:

rule:admin_api

Operations:
  • POST /os-aggregates/{aggregate_id}/action (set_metadata)

Create or replace metadata for an aggregate

os_compute_api:os-aggregates:add_host
Default:

rule:admin_api

Operations:
  • POST /os-aggregates/{aggregate_id}/action (add_host)

Add a host to an aggregate

os_compute_api:os-aggregates:create
Default:

rule:admin_api

Operations:
  • POST /os-aggregates

Create an aggregate

os_compute_api:os-aggregates:remove_host
Default:

rule:admin_api

Operations:
  • POST /os-aggregates/{aggregate_id}/action (remove_host)

Remove a host from an aggregate

os_compute_api:os-aggregates:update
Default:

rule:admin_api

Operations:
  • PUT /os-aggregates/{aggregate_id}

Update name and/or availability zone for an aggregate

os_compute_api:os-aggregates:index
Default:

rule:admin_api

Operations:
  • GET /os-aggregates

List all aggregates

os_compute_api:os-aggregates:delete
Default:

rule:admin_api

Operations:
  • DELETE /os-aggregates/{aggregate_id}

Delete an aggregate

os_compute_api:os-aggregates:show
Default:

rule:admin_api

Operations:
  • GET /os-aggregates/{aggregate_id}

Show details for an aggregate

os_compute_api:os-assisted-volume-snapshots:create
Default:

rule:admin_api

Operations:
  • POST /os-assisted-volume-snapshots

Create an assisted volume snapshot

os_compute_api:os-assisted-volume-snapshots:delete
Default:

rule:admin_api

Operations:
  • DELETE /os-assisted-volume-snapshots/{snapshot_id}

Delete an assisted volume snapshot

os_compute_api:os-attach-interfaces
Default:

rule:admin_or_owner

Operations:
  • GET /servers/{server_id}/os-interface
  • GET /servers/{server_id}/os-interface/{port_id}

List port interfaces or show details of a port interface attached to a server

os_compute_api:os-attach-interfaces:create
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/os-interface

Attach an interface to a server

os_compute_api:os-attach-interfaces:delete
Default:

rule:admin_or_owner

Operations:
  • DELETE /servers/{server_id}/os-interface/{port_id}

Detach an interface from a server

os_compute_api:os-availability-zone:list
Default:

rule:admin_or_owner

Operations:
  • GET /os-availability-zone

List availability zone information without host information

os_compute_api:os-availability-zone:detail
Default:

rule:admin_api

Operations:
  • GET /os-availability-zone/detail

List detailed availability zone information with host information

os_compute_api:os-baremetal-nodes
Default:

rule:admin_api

Operations:
  • GET /os-baremetal-nodes
  • GET /os-baremetal-nodes/{node_id}

List and show details of bare metal nodes.

These APIs are proxy calls to the Ironic service and are deprecated.

os_compute_api:os-cells:update
Default:

rule:admin_api

Operations:
  • PUT /os-cells/{cell_id}

Update an existing cell

os_compute_api:os-cells:create
Default:

rule:admin_api

Operations:
  • POST /os-cells

Create a new cell

os_compute_api:os-cells
Default:

rule:admin_api

Operations:
  • GET /os-cells
  • GET /os-cells/detail
  • GET /os-cells/info
  • GET /os-cells/capacities
  • GET /os-cells/{cell_id}

List and show detailed info for a given cell or all cells

os_compute_api:os-cells:sync_instances
Default:

rule:admin_api

Operations:
  • POST /os-cells/sync_instances

Sync instances info in all cells

os_compute_api:os-cells:delete
Default:

rule:admin_api

Operations:
  • DELETE /os-cells/{cell_id}

Remove a cell

cells_scheduler_filter:DifferentCellFilter
Default:

is_admin:True

Different cell filter to route a build away from a particular cell

This policy is read by nova-scheduler process.

cells_scheduler_filter:TargetCellFilter
Default:

is_admin:True

Target cell filter to route a build to a particular cell

This policy is read by nova-scheduler process.

os_compute_api:os-console-auth-tokens
Default:

rule:admin_api

Operations:
  • GET /os-console-auth-tokens/{console_token}

Show console connection information for a given console authentication token

os_compute_api:os-console-output
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (os-getConsoleOutput)

Show console output for a server

os_compute_api:os-consoles:create
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/consoles

Create a console for a server instance

os_compute_api:os-consoles:show
Default:

rule:admin_or_owner

Operations:
  • GET /servers/{server_id}/consoles/{console_id}

Show console details for a server instance

os_compute_api:os-consoles:delete
Default:

rule:admin_or_owner

Operations:
  • DELETE /servers/{server_id}/consoles/{console_id}

Delete a console for a server instance

os_compute_api:os-consoles:index
Default:

rule:admin_or_owner

Operations:
  • GET /servers/{server_id}/consoles

List all consoles for a server instance

os_compute_api:os-create-backup
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (createBackup)

Create a back up of a server

os_compute_api:os-deferred-delete
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (restore)
  • POST /servers/{server_id}/action (forceDelete)

Restore a soft deleted server or force delete a server before deferred cleanup

os_compute_api:os-evacuate
Default:

rule:admin_api

Operations:
  • POST /servers/{server_id}/action (evacuate)

Evacuate a server from a failed host to a new host

os_compute_api:os-extended-server-attributes
Default:

rule:admin_api

Operations:
  • GET /servers/{id}
  • GET /servers/detail

Return extended attributes for server.

This rule will control the visibility for a set of servers attributes:

  • OS-EXT-SRV-ATTR:host
  • OS-EXT-SRV-ATTR:instance_name
  • OS-EXT-SRV-ATTR:reservation_id (since microversion 2.3)
  • OS-EXT-SRV-ATTR:launch_index (since microversion 2.3)
  • OS-EXT-SRV-ATTR:hostname (since microversion 2.3)
  • OS-EXT-SRV-ATTR:kernel_id (since microversion 2.3)
  • OS-EXT-SRV-ATTR:ramdisk_id (since microversion 2.3)
  • OS-EXT-SRV-ATTR:root_device_name (since microversion 2.3)
  • OS-EXT-SRV-ATTR:user_data (since microversion 2.3)

os_compute_api:extensions
Default:

rule:admin_or_owner

Operations:
  • GET /extensions
  • GET /extensions/{alias}

List available extensions and show information for an extension by alias

os_compute_api:os-flavor-access:add_tenant_access
Default:

rule:admin_api

Operations:
  • POST /flavors/{flavor_id}/action (addTenantAccess)

Add flavor access to a tenant

os_compute_api:os-flavor-access:remove_tenant_access
Default:

rule:admin_api

Operations:
  • POST /flavors/{flavor_id}/action (removeTenantAccess)

Remove flavor access from a tenant

os_compute_api:os-flavor-access
Default:

rule:admin_or_owner

Operations:
  • GET /flavors/{flavor_id}/os-flavor-access

List flavor access information

Allows access to the full list of tenants that have access to a flavor via an os-flavor-access API.

os_compute_api:os-flavor-extra-specs:show
Default:

rule:admin_or_owner

Operations:
  • GET /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}

Show an extra spec for a flavor

os_compute_api:os-flavor-extra-specs:create
Default:

rule:admin_api

Operations:
  • POST /flavors/{flavor_id}/os-extra_specs/

Create extra specs for a flavor

os_compute_api:os-flavor-extra-specs:update
Default:

rule:admin_api

Operations:
  • PUT /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}

Update an extra spec for a flavor

os_compute_api:os-flavor-extra-specs:delete
Default:

rule:admin_api

Operations:
  • DELETE /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}

Delete an extra spec for a flavor

os_compute_api:os-flavor-extra-specs:index
Default:

rule:admin_or_owner

Operations:
  • GET /flavors/{flavor_id}/os-extra_specs/
  • GET /servers/detail
  • GET /servers/{server_id}
  • PUT /servers/{server_id}
  • POST /servers/{server_id}/action (rebuild)
  • POST /flavors
  • GET /flavors/detail
  • GET /flavors/{flavor_id}
  • PUT /flavors/{flavor_id}

List extra specs for a flavor. Starting with microversion 2.47, the flavor used for a server is also returned in the response when showing server details, updating a server or rebuilding a server. Starting with microversion 2.61, extra specs may be returned in responses for the flavor resource.

os_compute_api:os-flavor-manage:create
Default:

rule:admin_api

Operations:
  • POST /flavors

Create a flavor

os_compute_api:os-flavor-manage:update
Default:

rule:admin_api

Operations:
  • PUT /flavors/{flavor_id}

Update a flavor

os_compute_api:os-flavor-manage:delete
Default:

rule:admin_api

Operations:
  • DELETE /flavors/{flavor_id}

Delete a flavor

os_compute_api:os-floating-ip-pools
Default:

rule:admin_or_owner

Operations:
  • GET /os-floating-ip-pools

List floating IP pools. This API is deprecated.

os_compute_api:os-floating-ips
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (addFloatingIp)
  • POST /servers/{server_id}/action (removeFloatingIp)
  • GET /os-floating-ips
  • POST /os-floating-ips
  • GET /os-floating-ips/{floating_ip_id}
  • DELETE /os-floating-ips/{floating_ip_id}

Manage a project’s floating IPs. These APIs are all deprecated.

os_compute_api:os-hosts
Default:

rule:admin_api

Operations:
  • GET /os-hosts
  • GET /os-hosts/{host_name}
  • PUT /os-hosts/{host_name}
  • GET /os-hosts/{host_name}/reboot
  • GET /os-hosts/{host_name}/shutdown
  • GET /os-hosts/{host_name}/startup

List, show and manage physical hosts.

These APIs are all deprecated in favor of os-hypervisors and os-services.

os_compute_api:os-hypervisors
Default:

rule:admin_api

Operations:
  • GET /os-hypervisors
  • GET /os-hypervisors/details
  • GET /os-hypervisors/statistics
  • GET /os-hypervisors/{hypervisor_id}
  • GET /os-hypervisors/{hypervisor_id}/uptime
  • GET /os-hypervisors/{hypervisor_hostname_pattern}/search
  • GET /os-hypervisors/{hypervisor_hostname_pattern}/servers

Policy rule for hypervisor related APIs.

This rule will be checked for the following APIs:

List all hypervisors, list all hypervisors with details, show summary statistics for all hypervisors over all compute nodes, show details for a hypervisor, show the uptime of a hypervisor, search hypervisor by hypervisor_hostname pattern and list all servers on hypervisors that can match the provided hypervisor_hostname pattern.

os_compute_api:os-instance-actions:events
Default:

rule:admin_api

Operations:
  • GET /servers/{server_id}/os-instance-actions/{request_id}

Add events details in action details for a server.

This check is performed only after the check os_compute_api:os-instance-actions passes. Beginning with Microversion 2.51, events details are always included; traceback information is provided per event if policy enforcement passes. Beginning with Microversion 2.62, each event includes a hashed host identifier and, if policy enforcement passes, the name of the host.

os_compute_api:os-instance-actions
Default:

rule:admin_or_owner

Operations:
  • GET /servers/{server_id}/os-instance-actions
  • GET /servers/{server_id}/os-instance-actions/{request_id}

List actions and show action details for a server.

os_compute_api:os-instance-usage-audit-log
Default:

rule:admin_api

Operations:
  • GET /os-instance_usage_audit_log
  • GET /os-instance_usage_audit_log/{before_timestamp}

List all usage audits, or those that occurred before a specified time, for all servers on all compute hosts where usage auditing is configured

os_compute_api:ips:show
Default:

rule:admin_or_owner

Operations:
  • GET /servers/{server_id}/ips/{network_label}

Show IP addresses details for a network label of a server

os_compute_api:ips:index
Default:

rule:admin_or_owner

Operations:
  • GET /servers/{server_id}/ips

List IP addresses that are assigned to a server

os_compute_api:os-keypairs:index
Default:

rule:admin_api or user_id:%(user_id)s

Operations:
  • GET /os-keypairs

List all keypairs

os_compute_api:os-keypairs:create
Default:

rule:admin_api or user_id:%(user_id)s

Operations:
  • POST /os-keypairs

Create a keypair

os_compute_api:os-keypairs:delete
Default:

rule:admin_api or user_id:%(user_id)s

Operations:
  • DELETE /os-keypairs/{keypair_name}

Delete a keypair

os_compute_api:os-keypairs:show
Default:

rule:admin_api or user_id:%(user_id)s

Operations:
  • GET /os-keypairs/{keypair_name}

Show details of a keypair

os_compute_api:limits
Default:

rule:admin_or_owner

Operations:
  • GET /limits

Show rate and absolute limits for the project

os_compute_api:os-lock-server:lock
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (lock)

Lock a server

os_compute_api:os-lock-server:unlock
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (unlock)

Unlock a server

os_compute_api:os-lock-server:unlock:unlock_override
Default:

rule:admin_api

Operations:
  • POST /servers/{server_id}/action (unlock)

Unlock a server, regardless of who locked it.

This check is performed only after the check os_compute_api:os-lock-server:unlock passes.

os_compute_api:os-migrate-server:migrate
Default:

rule:admin_api

Operations:
  • POST /servers/{server_id}/action (migrate)

Cold migrate a server to a host

os_compute_api:os-migrate-server:migrate_live
Default:

rule:admin_api

Operations:
  • POST /servers/{server_id}/action (os-migrateLive)

Live migrate a server to a new host without a reboot

os_compute_api:os-migrations:index
Default:

rule:admin_api

Operations:
  • GET /os-migrations

List migrations

os_compute_api:os-multinic
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (addFixedIp)
  • POST /servers/{server_id}/action (removeFixedIp)

Add or remove a fixed IP address from a server.

These APIs are proxy calls to the Network service. These are all deprecated.

os_compute_api:os-networks
Default:

rule:admin_api

Operations:
  • POST /os-networks
  • POST /os-networks/add
  • DELETE /os-networks/{network_id}
  • POST /os-networks/{network_id}/action (disassociate)

Create and delete a network, add and disassociate a network from a project.

These APIs are only available with nova-network which is deprecated.

os_compute_api:os-networks:view
Default:

rule:admin_or_owner

Operations:
  • GET /os-networks
  • GET /os-networks/{network_id}

List networks for the project and show details for a network.

These APIs are proxy calls to the Network service. These are all deprecated.

os_compute_api:os-networks-associate
Default:

rule:admin_api

Operations:
  • POST /os-networks/{network_id}/action (disassociate_host)
  • POST /os-networks/{network_id}/action (disassociate_project)
  • POST /os-networks/{network_id}/action (associate_host)

Associate or disassociate a network from a host or project.

These APIs are only available with nova-network which is deprecated.

os_compute_api:os-pause-server:pause
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (pause)

Pause a server

os_compute_api:os-pause-server:unpause
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (unpause)

Unpause a paused server

os_compute_api:os-quota-class-sets:show
Default:

is_admin:True or quota_class:%(quota_class)s

Operations:
  • GET /os-quota-class-sets/{quota_class}

List quotas for a specific quota class

os_compute_api:os-quota-class-sets:update
Default:

rule:admin_api

Operations:
  • PUT /os-quota-class-sets/{quota_class}

Update quotas for specific quota class

os_compute_api:os-quota-sets:update
Default:

rule:admin_api

Operations:
  • PUT /os-quota-sets/{tenant_id}

Update the quotas

os_compute_api:os-quota-sets:defaults
Default:

@

Operations:
  • GET /os-quota-sets/{tenant_id}/defaults

List default quotas

os_compute_api:os-quota-sets:show
Default:

rule:admin_or_owner

Operations:
  • GET /os-quota-sets/{tenant_id}

Show a quota

os_compute_api:os-quota-sets:delete
Default:

rule:admin_api

Operations:
  • DELETE /os-quota-sets/{tenant_id}

Revert quotas to defaults

os_compute_api:os-quota-sets:detail
Default:

rule:admin_or_owner

Operations:
  • GET /os-quota-sets/{tenant_id}/detail

Show the detail of quota

os_compute_api:os-remote-consoles
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (os-getRDPConsole)
  • POST /servers/{server_id}/action (os-getSerialConsole)
  • POST /servers/{server_id}/action (os-getSPICEConsole)
  • POST /servers/{server_id}/action (os-getVNCConsole)
  • POST /servers/{server_id}/remote-consoles

Generate a URL to access a remote server console

os_compute_api:os-rescue
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (rescue)
  • POST /servers/{server_id}/action (unrescue)

Rescue/unrescue a server

os_compute_api:os-security-group-default-rules
Default:

rule:admin_api

Operations:
  • GET /os-security-group-default-rules
  • GET /os-security-group-default-rules/{security_group_default_rule_id}
  • POST /os-security-group-default-rules
  • DELETE /os-security-group-default-rules/{security_group_default_rule_id}

List, show information for, create, or delete default security group rules.

These APIs are only available with nova-network which is now deprecated.

os_compute_api:os-security-groups
Default:

rule:admin_or_owner

Operations:
  • GET /os-security-groups
  • GET /os-security-groups/{security_group_id}
  • POST /os-security-groups
  • PUT /os-security-groups/{security_group_id}
  • DELETE /os-security-groups/{security_group_id}
  • GET /servers/{server_id}/os-security-groups
  • POST /servers/{server_id}/action (addSecurityGroup)
  • POST /servers/{server_id}/action (removeSecurityGroup)

List, show, add, or remove security groups.

The APIs that operate directly on the security group resource are deprecated: listing, showing, creating, updating and deleting security groups, and creating and deleting security group rules.

The APIs related to the server resource are not deprecated: listing the security groups of a server, and adding a security group to or removing one from a server.

os_compute_api:os-server-diagnostics
Default:

rule:admin_api

Operations:
  • GET /servers/{server_id}/diagnostics

Show the usage data for a server

os_compute_api:os-server-external-events:create
Default:

rule:admin_api

Operations:
  • POST /os-server-external-events

Create one or more external events

os_compute_api:os-server-groups:create
Default:

rule:admin_or_owner

Operations:
  • POST /os-server-groups

Create a new server group

os_compute_api:os-server-groups:delete
Default:

rule:admin_or_owner

Operations:
  • DELETE /os-server-groups/{server_group_id}

Delete a server group

os_compute_api:os-server-groups:index
Default:

rule:admin_or_owner

Operations:
  • GET /os-server-groups

List all server groups

os_compute_api:os-server-groups:show
Default:

rule:admin_or_owner

Operations:
  • GET /os-server-groups/{server_group_id}

Show details of a server group

os_compute_api:server-metadata:index
Default:

rule:admin_or_owner

Operations:
  • GET /servers/{server_id}/metadata

List all metadata of a server

os_compute_api:server-metadata:show
Default:

rule:admin_or_owner

Operations:
  • GET /servers/{server_id}/metadata/{key}

Show metadata for a server

os_compute_api:server-metadata:create
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/metadata

Create metadata for a server

os_compute_api:server-metadata:update_all
Default:

rule:admin_or_owner

Operations:
  • PUT /servers/{server_id}/metadata

Replace metadata for a server

os_compute_api:server-metadata:update
Default:

rule:admin_or_owner

Operations:
  • PUT /servers/{server_id}/metadata/{key}

Update a metadata item on a server

os_compute_api:server-metadata:delete
Default:

rule:admin_or_owner

Operations:
  • DELETE /servers/{server_id}/metadata/{key}

Delete metadata from a server

os_compute_api:os-server-password
Default:

rule:admin_or_owner

Operations:
  • GET /servers/{server_id}/os-server-password
  • DELETE /servers/{server_id}/os-server-password

Show and clear the encrypted administrative password of a server

os_compute_api:os-server-tags:delete_all
Default:

rule:admin_or_owner

Operations:
  • DELETE /servers/{server_id}/tags

Delete all the server tags

os_compute_api:os-server-tags:index
Default:

rule:admin_or_owner

Operations:
  • GET /servers/{server_id}/tags

List all tags for a given server

os_compute_api:os-server-tags:update_all
Default:

rule:admin_or_owner

Operations:
  • PUT /servers/{server_id}/tags

Replace all tags on the specified server with the new set of tags.

os_compute_api:os-server-tags:delete
Default:

rule:admin_or_owner

Operations:
  • DELETE /servers/{server_id}/tags/{tag}

Delete a single tag from the specified server

os_compute_api:os-server-tags:update
Default:

rule:admin_or_owner

Operations:
  • PUT /servers/{server_id}/tags/{tag}

Add a single tag to the server if the server does not already have it

os_compute_api:os-server-tags:show
Default:

rule:admin_or_owner

Operations:
  • GET /servers/{server_id}/tags/{tag}

Check tag existence on the server.

os_compute_api:servers:index
Default:

rule:admin_or_owner

Operations:
  • GET /servers

List all servers

os_compute_api:servers:detail
Default:

rule:admin_or_owner

Operations:
  • GET /servers/detail

List all servers with detailed information

os_compute_api:servers:index:get_all_tenants
Default:

rule:admin_api

Operations:
  • GET /servers

List all servers for all projects

os_compute_api:servers:detail:get_all_tenants
Default:

rule:admin_api

Operations:
  • GET /servers/detail

List all servers with detailed information for all projects

os_compute_api:servers:allow_all_filters
Default:

rule:admin_api

Operations:
  • GET /servers
  • GET /servers/detail

Allow all filters when listing servers

os_compute_api:servers:show
Default:

rule:admin_or_owner

Operations:
  • GET /servers/{server_id}

Show a server

os_compute_api:servers:show:host_status
Default:

rule:admin_api

Operations:
  • GET /servers/{server_id}
  • GET /servers/detail

Show a server with additional host status information

os_compute_api:servers:create
Default:

rule:admin_or_owner

Operations:
  • POST /servers

Create a server

os_compute_api:servers:create:forced_host
Default:

rule:admin_api

Operations:
  • POST /servers

Create a server on the specified host

os_compute_api:servers:create:attach_volume
Default:

rule:admin_or_owner

Operations:
  • POST /servers

Create a server with the requested volume attached to it

os_compute_api:servers:create:attach_network
Default:

rule:admin_or_owner

Operations:
  • POST /servers

Create a server with the requested network attached to it

os_compute_api:servers:create:trusted_certs
Default:

rule:admin_or_owner

Operations:
  • POST /servers

Create a server with trusted image certificate IDs

os_compute_api:servers:create:zero_disk_flavor
Default:

rule:admin_api

Operations:
  • POST /servers

This rule controls the compute API validation behavior of creating a server with a flavor that has 0 disk, indicating the server should be volume-backed.

For a flavor with disk=0, the root disk will be set to exactly the size of the image used to deploy the instance. However, in this case the filter_scheduler cannot select the compute host based on the virtual image size. Therefore, 0 should only be used for volume booted instances or for testing purposes.

WARNING: It is a potential security exposure to enable this policy rule if users can upload their own images since repeated attempts to create a disk=0 flavor instance with a large image can exhaust the local disk of the compute (or shared storage cluster). See bug https://bugs.launchpad.net/nova/+bug/1739646 for details.
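
The base rules at the top of this page (context_is_admin, admin_or_owner and admin_api), the user-scoped keypair rule (rule:admin_api or user_id:%(user_id)s), the always-allowed @ rule on os_compute_api:os-quota-sets:defaults and the warning above all come down to how oslo.policy composes rule expressions: rule: references, is_admin:True, and %(key)s values substituted from the target. The following is an added example and not code from this reference or from oslo.policy: a small Python stand-in for the rule engine that supports only the subset of the language the defaults on this page use, loaded with rules copied from this page and evaluated against constructed credentials. It derives is_admin from context_is_admin, as Nova's request context does; the shape of the credential and target dictionaries and the fail-closed handling of unknown rules are assumptions of the example.

```python
"""Added example, not oslo.policy itself: a small stand-in for its rule engine
that supports only the subset of the language used by the defaults on this
page ('@', 'rule:<name>', 'role:<name>', generic '<attr>:<value>' checks with
%(key)s filled from the target, and and/or/not with parentheses).  The rules
are copied from this page; credentials and targets are constructed."""
import re

DEFAULT_POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "admin_api": "is_admin:True",
    "os_compute_api:servers:show": "rule:admin_or_owner",
    "os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s",
    "os_compute_api:os-quota-sets:defaults": "@",
    "os_compute_api:servers:create:zero_disk_flavor": "rule:admin_api",
}

# Tokens are '(', ')' or an atom; a '%(key)s' substitution stays in its atom.
_TOKEN_RE = re.compile(r"\(|\)|(?:%\([^)]*\)|[^\s()])+")
_MAX_DEPTH = 10  # bounds 'rule:' recursion; a cycle fails closed


class PolicyEvaluator:
    """Evaluates rule expressions the way oslo.policy's checks do."""

    def __init__(self, rules):
        self.rules = dict(rules)

    def enforce(self, rule_name, target, creds, _depth=0):
        """Return True if creds may perform rule_name against target."""
        expr = self.rules.get(rule_name)
        if expr is None or _depth > _MAX_DEPTH:
            # oslo.policy would fall back to its 'default' rule; this stand-in
            # fails closed instead (an assumption of the example).
            return False
        tokens = _TOKEN_RE.findall(expr)
        pos = 0

        def peek():
            return tokens[pos] if pos < len(tokens) else None

        def take():
            nonlocal pos
            if pos >= len(tokens):
                raise ValueError("truncated expression %r" % expr)
            pos += 1
            return tokens[pos - 1]

        # Precedence, lowest to highest: or, and, not.  Both operands are
        # always evaluated so the whole token stream is consumed.
        def parse_or():
            value = parse_and()
            while peek() == "or":
                take()
                rhs = parse_and()
                value = value or rhs
            return value

        def parse_and():
            value = parse_not()
            while peek() == "and":
                take()
                rhs = parse_not()
                value = value and rhs
            return value

        def parse_not():
            tok = take()
            if tok == "not":
                return not parse_not()
            if tok == "(":
                value = parse_or()
                if take() != ")":
                    raise ValueError("unbalanced parentheses in %r" % expr)
                return value
            return self._check(tok, target, creds, _depth)

        result = parse_or()
        if peek() is not None:
            raise ValueError("unexpected token in %r" % expr)
        return result

    def _check(self, token, target, creds, depth):
        if token == "@":
            return True
        kind, _, match = token.partition(":")
        if kind == "rule":
            return self.enforce(match, target, creds, depth + 1)
        if kind == "role":
            return match.lower() in [r.lower() for r in creds.get("roles", [])]
        # Generic check: fill %(key)s from the target, then compare the result
        # as a string with the credential attribute of the same name.
        try:
            match = match % target
        except KeyError:
            return False
        return kind in creds and match == str(creds[kind])


def make_context(policy, user_id, project_id, roles):
    """Build request credentials.  is_admin is derived from context_is_admin,
    which is why every 'is_admin:True' check ultimately depends on that rule."""
    creds = {"user_id": user_id, "project_id": project_id, "roles": list(roles)}
    creds["is_admin"] = policy.enforce("context_is_admin", {}, creds)
    return creds
```

Evaluating os_compute_api:servers:create:zero_disk_flavor with a member's credentials returns False under the defaults and True once the rule is overridden to rule:admin_or_owner, which is the change the warning above cautions against; a policy file carries the same "name": "expression" pairs as DEFAULT_POLICY. Before changing a rule in a real deployment, put the same question to the deployed policy file with oslopolicy-checker from oslo.policy rather than to this stand-in.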

network:attach_external_network
Default:

is_admin:True

Operations:
  • POST /servers
  • POST /servers/{server_id}/os-interface

Attach an unshared external network to a server

os_compute_api:servers:delete
Default:

rule:admin_or_owner

Operations:
  • DELETE /servers/{server_id}

Delete a server

os_compute_api:servers:update
Default:

rule:admin_or_owner

Operations:
  • PUT /servers/{server_id}

Update a server

os_compute_api:servers:confirm_resize
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (confirmResize)

Confirm a server resize

os_compute_api:servers:revert_resize
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (revertResize)

Revert a server resize

os_compute_api:servers:reboot
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (reboot)

Reboot a server

os_compute_api:servers:resize
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (resize)

Resize a server

os_compute_api:servers:rebuild
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (rebuild)

Rebuild a server

os_compute_api:servers:rebuild:trusted_certs
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (rebuild)

Rebuild a server with trusted image certificate IDs

os_compute_api:servers:create_image
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (createImage)

Create an image from a server

os_compute_api:servers:create_image:allow_volume_backed
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (createImage)

Create an image from a volume backed server

os_compute_api:servers:start
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (os-start)

Start a server

os_compute_api:servers:stop
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (os-stop)

Stop a server

os_compute_api:servers:trigger_crash_dump
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (trigger_crash_dump)

Trigger crash dump in a server

os_compute_api:servers:migrations:show
Default:

rule:admin_api

Operations:
  • GET /servers/{server_id}/migrations/{migration_id}

Show details for an in-progress live migration for a given server

os_compute_api:servers:migrations:force_complete
Default:

rule:admin_api

Operations:
  • POST /servers/{server_id}/migrations/{migration_id}/action (force_complete)

Force an in-progress live migration for a given server to complete

os_compute_api:servers:migrations:delete
Default:

rule:admin_api

Operations:
  • DELETE /servers/{server_id}/migrations/{migration_id}

Delete (abort) an in-progress live migration

os_compute_api:servers:migrations:index
Default:

rule:admin_api

Operations:
  • GET /servers/{server_id}/migrations

List in-progress live migrations for a given server

os_compute_api:os-services
Default:

rule:admin_api

Operations:
  • GET /os-services
  • PUT /os-services/enable
  • PUT /os-services/disable
  • PUT /os-services/disable-log-reason
  • PUT /os-services/force-down
  • PUT /os-services/{service_id}
  • DELETE /os-services/{service_id}

List all running Compute services in a region, enable or disable scheduling for a Compute service, log the reason a Compute service was disabled, set or unset the forced_down flag for a Compute service, and delete a Compute service

os_compute_api:os-shelve:shelve
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (shelve)

Shelve server

os_compute_api:os-shelve:unshelve
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (unshelve)

Unshelve (restore) a shelved server

os_compute_api:os-shelve:shelve_offload
Default:

rule:admin_api

Operations:
  • POST /servers/{server_id}/action (shelveOffload)

Shelve-offload (remove) a shelved server

os_compute_api:os-simple-tenant-usage:show
Default:

rule:admin_or_owner

Operations:
  • GET /os-simple-tenant-usage/{tenant_id}

Show usage statistics for a specific tenant

os_compute_api:os-simple-tenant-usage:list
Default:

rule:admin_api

Operations:
  • GET /os-simple-tenant-usage

List per tenant usage statistics for all tenants

os_compute_api:os-suspend-server:resume
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (resume)

Resume suspended server

os_compute_api:os-suspend-server:suspend
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/action (suspend)

Suspend server

os_compute_api:os-tenant-networks
Default:

rule:admin_or_owner

Operations:
  • GET /os-tenant-networks
  • POST /os-tenant-networks
  • GET /os-tenant-networks/{network_id}
  • DELETE /os-tenant-networks/{network_id}

Create, list, show information for, and delete project networks.

These APIs are proxy calls to the Network service. These are all deprecated.

os_compute_api:os-used-limits
Default:

rule:admin_api

Operations:
  • GET /limits

Show rate and absolute limits for the project.

This policy only checks whether the user has access to the requested project's limits, and the check is performed only after the check os_compute_api:limits passes.

os_compute_api:os-volumes
Default:

rule:admin_or_owner

Operations:
  • GET /os-volumes
  • POST /os-volumes
  • GET /os-volumes/detail
  • GET /os-volumes/{volume_id}
  • DELETE /os-volumes/{volume_id}
  • GET /os-snapshots
  • POST /os-snapshots
  • GET /os-snapshots/detail
  • GET /os-snapshots/{snapshot_id}
  • DELETE /os-snapshots/{snapshot_id}

Manage volumes for use with the Compute API.

Lists, shows details, creates, and deletes volumes and snapshots. These APIs are proxy calls to the Volume service. These are all deprecated.

os_compute_api:os-volumes-attachments:index
Default:

rule:admin_or_owner

Operations:
  • GET /servers/{server_id}/os-volume_attachments

List volume attachments for an instance

os_compute_api:os-volumes-attachments:create
Default:

rule:admin_or_owner

Operations:
  • POST /servers/{server_id}/os-volume_attachments

Attach a volume to an instance

os_compute_api:os-volumes-attachments:show
Default:

rule:admin_or_owner

Operations:
  • GET /servers/{server_id}/os-volume_attachments/{volume_id}

Show details of a volume attachment

os_compute_api:os-volumes-attachments:update
Default:

rule:admin_api

Operations:
  • PUT /servers/{server_id}/os-volume_attachments/{volume_id}

Update a volume attachment

os_compute_api:os-volumes-attachments:delete
Default:

rule:admin_or_owner

Operations:
  • DELETE /servers/{server_id}/os-volume_attachments/{volume_id}

Detach a volume from an instance

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.