Nova Policies

The following is an overview of all available policies in Nova.

For a sample configuration file, refer to Sample Nova Policy File.

nova

context_is_admin
Default

role:admin

Decides what is required for the ‘is_admin:True’ check to succeed.

admin_or_owner
Default

is_admin:True or project_id:%(project_id)s

Default rule for most non-Admin APIs.

admin_api
Default

is_admin:True

Default rule for most Admin APIs.

system_admin_api
Default

role:admin and system_scope:all

Default rule for System Admin APIs.

system_reader_api
Default

role:reader and system_scope:all

Default rule for System level read only APIs.

project_admin_api
Default

role:admin and project_id:%(project_id)s

Default rule for Project level admin APIs.

project_member_api
Default

role:member and project_id:%(project_id)s

Default rule for Project level non admin APIs.

project_reader_api
Default

role:reader and project_id:%(project_id)s

Default rule for Project level read only APIs.

system_admin_or_owner
Default

rule:system_admin_api or rule:project_member_api

Default rule for System admin+owner APIs.

system_or_project_reader
Default

rule:system_reader_api or rule:project_reader_api

Default rule for System+Project read only APIs.

os_compute_api:os-admin-actions:reset_state
Default

rule:system_admin_api

Operations
  • POST /servers/{server_id}/action (os-resetState)

Scope Types
  • system

  • project

Reset the state of a given server

os_compute_api:os-admin-actions:inject_network_info
Default

rule:system_admin_api

Operations
  • POST /servers/{server_id}/action (injectNetworkInfo)

Scope Types
  • system

  • project

Inject network information into the server

os_compute_api:os-admin-actions:reset_network
Default

rule:system_admin_api

Operations
  • POST /servers/{server_id}/action (resetNetwork)

Scope Types
  • system

  • project

Reset networking on a server

os_compute_api:os-admin-password
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (changePassword)

Scope Types
  • system

  • project

Change the administrative password for a server

os_compute_api:os-agents:list
Default

rule:system_reader_api

Operations
  • GET /os-agents

Scope Types
  • system

List guest agent builds This is XenAPI driver specific. It is used to force the upgrade of the XenAPI guest agent on instance boot.

os_compute_api:os-agents:create
Default

rule:system_admin_api

Operations
  • POST /os-agents

Scope Types
  • system

Create guest agent builds This is XenAPI driver specific. It is used to force the upgrade of the XenAPI guest agent on instance boot.

os_compute_api:os-agents:update
Default

rule:system_admin_api

Operations
  • PUT /os-agents/{agent_build_id}

Scope Types
  • system

Update guest agent builds This is XenAPI driver specific. It is used to force the upgrade of the XenAPI guest agent on instance boot.

os_compute_api:os-agents:delete
Default

rule:system_admin_api

Operations
  • DELETE /os-agents/{agent_build_id}

Scope Types
  • system

Delete guest agent builds This is XenAPI driver specific. It is used to force the upgrade of the XenAPI guest agent on instance boot.

os_compute_api:os-aggregates:set_metadata
Default

rule:system_admin_api

Operations
  • POST /os-aggregates/{aggregate_id}/action (set_metadata)

Scope Types
  • system

Create or replace metadata for an aggregate

os_compute_api:os-aggregates:add_host
Default

rule:system_admin_api

Operations
  • POST /os-aggregates/{aggregate_id}/action (add_host)

Scope Types
  • system

Add a host to an aggregate

os_compute_api:os-aggregates:create
Default

rule:system_admin_api

Operations
  • POST /os-aggregates

Scope Types
  • system

Create an aggregate

os_compute_api:os-aggregates:remove_host
Default

rule:system_admin_api

Operations
  • POST /os-aggregates/{aggregate_id}/action (remove_host)

Scope Types
  • system

Remove a host from an aggregate

os_compute_api:os-aggregates:update
Default

rule:system_admin_api

Operations
  • PUT /os-aggregates/{aggregate_id}

Scope Types
  • system

Update name and/or availability zone for an aggregate

os_compute_api:os-aggregates:index
Default

rule:system_reader_api

Operations
  • GET /os-aggregates

Scope Types
  • system

List all aggregates

os_compute_api:os-aggregates:delete
Default

rule:system_admin_api

Operations
  • DELETE /os-aggregates/{aggregate_id}

Scope Types
  • system

Delete an aggregate

os_compute_api:os-aggregates:show
Default

rule:system_reader_api

Operations
  • GET /os-aggregates/{aggregate_id}

Scope Types
  • system

Show details for an aggregate

compute:aggregates:images
Default

rule:system_admin_api

Operations
  • POST /os-aggregates/{aggregate_id}/images

Scope Types
  • system

Request image caching for an aggregate

os_compute_api:os-assisted-volume-snapshots:create
Default

rule:system_admin_api

Operations
  • POST /os-assisted-volume-snapshots

Scope Types
  • system

Create an assisted volume snapshot

os_compute_api:os-assisted-volume-snapshots:delete
Default

rule:system_admin_api

Operations
  • DELETE /os-assisted-volume-snapshots/{snapshot_id}

Scope Types
  • system

Delete an assisted volume snapshot

os_compute_api:os-attach-interfaces:list
Default

rule:system_or_project_reader

Operations
  • GET /servers/{server_id}/os-interface

Scope Types
  • system

  • project

List port interfaces attached to a server

os_compute_api:os-attach-interfaces:show
Default

rule:system_or_project_reader

Operations
  • GET /servers/{server_id}/os-interface/{port_id}

Scope Types
  • system

  • project

Show details of a port interface attached to a server

os_compute_api:os-attach-interfaces:create
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/os-interface

Scope Types
  • system

  • project

Attach an interface to a server

os_compute_api:os-attach-interfaces:delete
Default

rule:system_admin_or_owner

Operations
  • DELETE /servers/{server_id}/os-interface/{port_id}

Scope Types
  • system

  • project

Detach an interface from a server

os_compute_api:os-availability-zone:list
Default

@

Operations
  • GET /os-availability-zone

Scope Types
  • system

  • project

List availability zone information without host information

os_compute_api:os-availability-zone:detail
Default

rule:system_reader_api

Operations
  • GET /os-availability-zone/detail

Scope Types
  • system

List detailed availability zone information with host information

os_compute_api:os-baremetal-nodes
Default

rule:admin_api

Operations
  • GET /os-baremetal-nodes

  • GET /os-baremetal-nodes/{node_id}

List and show details of bare metal nodes.

These APIs are proxy calls to the Ironic service and are deprecated.

os_compute_api:os-console-auth-tokens
Default

rule:system_reader_api

Operations
  • GET /os-console-auth-tokens/{console_token}

Scope Types
  • system

Show console connection information for a given console authentication token

os_compute_api:os-console-output
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (os-getConsoleOutput)

Scope Types
  • system

  • project

Show console output for a server

os_compute_api:os-create-backup
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (createBackup)

Scope Types
  • system

  • project

Create a back up of a server

os_compute_api:os-deferred-delete:restore
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (restore)

Scope Types
  • system

  • project

Restore a soft deleted server

os_compute_api:os-deferred-delete:force
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (forceDelete)

Scope Types
  • system

  • project

Force delete a server before deferred cleanup

os_compute_api:os-evacuate
Default

rule:system_admin_api

Operations
  • POST /servers/{server_id}/action (evacuate)

Scope Types
  • system

  • project

Evacuate a server from a failed host to a new host

os_compute_api:os-extended-server-attributes
Default

rule:system_admin_api

Operations
  • GET /servers/{id}

  • GET /servers/detail

  • PUT /servers/{server_id}

  • POST /servers/{server_id}/action (rebuild)

Scope Types
  • system

  • project

Return extended attributes for server.

This rule will control the visibility for a set of servers attributes:

  • OS-EXT-SRV-ATTR:host

  • OS-EXT-SRV-ATTR:instance_name

  • OS-EXT-SRV-ATTR:reservation_id (since microversion 2.3)

  • OS-EXT-SRV-ATTR:launch_index (since microversion 2.3)

  • OS-EXT-SRV-ATTR:hostname (since microversion 2.3)

  • OS-EXT-SRV-ATTR:kernel_id (since microversion 2.3)

  • OS-EXT-SRV-ATTR:ramdisk_id (since microversion 2.3)

  • OS-EXT-SRV-ATTR:root_device_name (since microversion 2.3)

  • OS-EXT-SRV-ATTR:user_data (since microversion 2.3)

Microvision 2.75 added the above attributes in the PUT /servers/{server_id} and POST /servers/{server_id}/action (rebuild) API responses which are also controlled by this policy rule, like the GET /servers* APIs.

os_compute_api:extensions
Default

rule:admin_or_owner

Operations
  • GET /extensions

  • GET /extensions/{alias}

List available extensions and show information for an extension by alias

os_compute_api:os-flavor-access:add_tenant_access
Default

rule:system_admin_api

Operations
  • POST /flavors/{flavor_id}/action (addTenantAccess)

Scope Types
  • system

Add flavor access to a tenant

os_compute_api:os-flavor-access:remove_tenant_access
Default

rule:system_admin_api

Operations
  • POST /flavors/{flavor_id}/action (removeTenantAccess)

Scope Types
  • system

Remove flavor access from a tenant

os_compute_api:os-flavor-access
Default

rule:system_reader_api

Operations
  • GET /flavors/{flavor_id}/os-flavor-access

Scope Types
  • system

List flavor access information

Allows access to the full list of tenants that have access to a flavor via an os-flavor-access API.

os_compute_api:os-flavor-extra-specs:show
Default

rule:system_or_project_reader

Operations
  • GET /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}

Scope Types
  • system

  • project

Show an extra spec for a flavor

os_compute_api:os-flavor-extra-specs:create
Default

rule:system_admin_api

Operations
  • POST /flavors/{flavor_id}/os-extra_specs/

Scope Types
  • system

Create extra specs for a flavor

os_compute_api:os-flavor-extra-specs:update
Default

rule:system_admin_api

Operations
  • PUT /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}

Scope Types
  • system

Update an extra spec for a flavor

os_compute_api:os-flavor-extra-specs:delete
Default

rule:system_admin_api

Operations
  • DELETE /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}

Scope Types
  • system

Delete an extra spec for a flavor

os_compute_api:os-flavor-extra-specs:index
Default

rule:system_or_project_reader

Operations
  • GET /flavors/{flavor_id}/os-extra_specs/

  • GET /servers/detail

  • GET /servers/{server_id}

  • PUT /servers/{server_id}

  • POST /servers/{server_id}/action (rebuild)

  • POST /flavors

  • GET /flavors/detail

  • GET /flavors/{flavor_id}

  • PUT /flavors/{flavor_id}

Scope Types
  • system

  • project

List extra specs for a flavor. Starting with microversion 2.47, the flavor used for a server is also returned in the response when showing server details, updating a server or rebuilding a server. Starting with microversion 2.61, extra specs may be returned in responses for the flavor resource.

os_compute_api:os-flavor-manage:create
Default

rule:system_admin_api

Operations
  • POST /flavors

Scope Types
  • system

Create a flavor

os_compute_api:os-flavor-manage:update
Default

rule:system_admin_api

Operations
  • PUT /flavors/{flavor_id}

Scope Types
  • system

Update a flavor

os_compute_api:os-flavor-manage:delete
Default

rule:system_admin_api

Operations
  • DELETE /flavors/{flavor_id}

Scope Types
  • system

Delete a flavor

os_compute_api:os-floating-ip-pools
Default

rule:admin_or_owner

Operations
  • GET /os-floating-ip-pools

List floating IP pools. This API is deprecated.

os_compute_api:os-floating-ips
Default

rule:admin_or_owner

Operations
  • POST /servers/{server_id}/action (addFloatingIp)

  • POST /servers/{server_id}/action (removeFloatingIp)

  • GET /os-floating-ips

  • POST /os-floating-ips

  • GET /os-floating-ips/{floating_ip_id}

  • DELETE /os-floating-ips/{floating_ip_id}

Manage a project’s floating IPs. These APIs are all deprecated.

os_compute_api:os-hosts
Default

rule:admin_api

Operations
  • GET /os-hosts

  • GET /os-hosts/{host_name}

  • PUT /os-hosts/{host_name}

  • GET /os-hosts/{host_name}/reboot

  • GET /os-hosts/{host_name}/shutdown

  • GET /os-hosts/{host_name}/startup

List, show and manage physical hosts.

These APIs are all deprecated in favor of os-hypervisors and os-services.

os_compute_api:os-hypervisors:list
Default

rule:system_reader_api

Operations
  • GET /os-hypervisors

Scope Types
  • system

List all hypervisors.

os_compute_api:os-hypervisors:list-detail
Default

rule:system_reader_api

Operations
  • GET /os-hypervisors/details

Scope Types
  • system

List all hypervisors with details

os_compute_api:os-hypervisors:statistics
Default

rule:system_reader_api

Operations
  • GET /os-hypervisors/statistics

Scope Types
  • system

Show summary statistics for all hypervisors over all compute nodes.

os_compute_api:os-hypervisors:show
Default

rule:system_reader_api

Operations
  • GET /os-hypervisors/{hypervisor_id}

Scope Types
  • system

Show details for a hypervisor.

os_compute_api:os-hypervisors:uptime
Default

rule:system_reader_api

Operations
  • GET /os-hypervisors/{hypervisor_id}/uptime

Scope Types
  • system

Show the uptime of a hypervisor.

os_compute_api:os-hypervisors:search
Default

rule:system_reader_api

Operations
  • GET /os-hypervisors/{hypervisor_hostname_pattern}/search

Scope Types
  • system

Search hypervisor by hypervisor_hostname pattern.

os_compute_api:os-hypervisors:servers
Default

rule:system_reader_api

Operations
  • GET /os-hypervisors/{hypervisor_hostname_pattern}/servers

Scope Types
  • system

List all servers on hypervisors that can match the provided hypervisor_hostname pattern.

os_compute_api:os-instance-actions:events:details
Default

rule:system_reader_api

Operations
  • GET /servers/{server_id}/os-instance-actions/{request_id}

Scope Types
  • system

  • project

Add “details” key in action events for a server.

This check is performed only after the check os_compute_api:os-instance-actions:show passes. Beginning with Microversion 2.84, new field ‘details’ is exposed via API which can have more details about event failure. That field is controlled by this policy which is system reader by default. Making the ‘details’ field visible to the non-admin user helps to understand the nature of the problem (i.e. if the action can be retried), but in the other hand it might leak information about the deployment (e.g. the type of the hypervisor).

os_compute_api:os-instance-actions:events
Default

rule:system_reader_api

Operations
  • GET /servers/{server_id}/os-instance-actions/{request_id}

Scope Types
  • system

  • project

Add events details in action details for a server. This check is performed only after the check os_compute_api:os-instance-actions:show passes. Beginning with Microversion 2.51, events details are always included; traceback information is provided per event if policy enforcement passes. Beginning with Microversion 2.62, each event includes a hashed host identifier and, if policy enforcement passes, the name of the host.

os_compute_api:os-instance-actions:list
Default

rule:system_or_project_reader

Operations
  • GET /servers/{server_id}/os-instance-actions

Scope Types
  • system

  • project

List actions for a server.

os_compute_api:os-instance-actions:show
Default

rule:system_or_project_reader

Operations
  • GET /servers/{server_id}/os-instance-actions/{request_id}

Scope Types
  • system

  • project

Show action details for a server.

os_compute_api:os-instance-usage-audit-log:list
Default

rule:system_reader_api

Operations
  • GET /os-instance_usage_audit_log

Scope Types
  • system

List all usage audits.

os_compute_api:os-instance-usage-audit-log:show
Default

rule:system_reader_api

Operations
  • GET /os-instance_usage_audit_log/{before_timestamp}

Scope Types
  • system

List all usage audits occurred before a specified time for all servers on all compute hosts where usage auditing is configured

os_compute_api:ips:show
Default

rule:system_or_project_reader

Operations
  • GET /servers/{server_id}/ips/{network_label}

Scope Types
  • system

  • project

Show IP addresses details for a network label of a server

os_compute_api:ips:index
Default

rule:system_or_project_reader

Operations
  • GET /servers/{server_id}/ips

Scope Types
  • system

  • project

List IP addresses that are assigned to a server

os_compute_api:os-keypairs:index
Default

(rule:system_reader_api) or user_id:%(user_id)s

Operations
  • GET /os-keypairs

Scope Types
  • system

  • project

List all keypairs

os_compute_api:os-keypairs:create
Default

(rule:system_admin_api) or user_id:%(user_id)s

Operations
  • POST /os-keypairs

Scope Types
  • system

  • project

Create a keypair

os_compute_api:os-keypairs:delete
Default

(rule:system_admin_api) or user_id:%(user_id)s

Operations
  • DELETE /os-keypairs/{keypair_name}

Scope Types
  • system

  • project

Delete a keypair

os_compute_api:os-keypairs:show
Default

(rule:system_reader_api) or user_id:%(user_id)s

Operations
  • GET /os-keypairs/{keypair_name}

Scope Types
  • system

  • project

Show details of a keypair

os_compute_api:limits
Default

@

Operations
  • GET /limits

Scope Types
  • system

  • project

Show rate and absolute limits for the current user project

os_compute_api:limits:other_project
Default

rule:system_reader_api

Operations
  • GET /limits

Scope Types
  • system

Show rate and absolute limits of other project.

This policy only checks if the user has access to the requested project limits. And this check is performed only after the check os_compute_api:limits passes

os_compute_api:os-lock-server:lock
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (lock)

Scope Types
  • system

  • project

Lock a server

os_compute_api:os-lock-server:unlock
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (unlock)

Scope Types
  • system

  • project

Unlock a server

os_compute_api:os-lock-server:unlock:unlock_override
Default

rule:system_admin_api

Operations
  • POST /servers/{server_id}/action (unlock)

Scope Types
  • system

  • project

Unlock a server, regardless who locked the server.

This check is performed only after the check os_compute_api:os-lock-server:unlock passes

os_compute_api:os-migrate-server:migrate
Default

rule:system_admin_api

Operations
  • POST /servers/{server_id}/action (migrate)

Scope Types
  • system

  • project

Cold migrate a server to a host

os_compute_api:os-migrate-server:migrate_live
Default

rule:system_admin_api

Operations
  • POST /servers/{server_id}/action (os-migrateLive)

Scope Types
  • system

  • project

Live migrate a server to a new host without a reboot

os_compute_api:os-migrations:index
Default

rule:system_reader_api

Operations
  • GET /os-migrations

Scope Types
  • system

List migrations

os_compute_api:os-multinic
Default

rule:admin_or_owner

Operations
  • POST /servers/{server_id}/action (addFixedIp)

  • POST /servers/{server_id}/action (removeFixedIp)

Add or remove a fixed IP address from a server.

These APIs are proxy calls to the Network service. These are all deprecated.

os_compute_api:os-networks:view
Default

rule:admin_or_owner

Operations
  • GET /os-networks

  • GET /os-networks/{network_id}

List networks for the project and show details for a network.

These APIs are proxy calls to the Network service. These are all deprecated.

os_compute_api:os-pause-server:pause
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (pause)

Scope Types
  • system

  • project

Pause a server

os_compute_api:os-pause-server:unpause
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (unpause)

Scope Types
  • system

  • project

Unpause a paused server

os_compute_api:os-quota-class-sets:show
Default

rule:system_reader_api

Operations
  • GET /os-quota-class-sets/{quota_class}

Scope Types
  • system

List quotas for specific quota classs

os_compute_api:os-quota-class-sets:update
Default

rule:system_admin_api

Operations
  • PUT /os-quota-class-sets/{quota_class}

Scope Types
  • system

Update quotas for specific quota class

os_compute_api:os-quota-sets:update
Default

rule:system_admin_api

Operations
  • PUT /os-quota-sets/{tenant_id}

Scope Types
  • system

Update the quotas

os_compute_api:os-quota-sets:defaults
Default

@

Operations
  • GET /os-quota-sets/{tenant_id}/defaults

Scope Types
  • system

  • project

List default quotas

os_compute_api:os-quota-sets:show
Default

rule:system_or_project_reader

Operations
  • GET /os-quota-sets/{tenant_id}

Scope Types
  • system

  • project

Show a quota

os_compute_api:os-quota-sets:delete
Default

rule:system_admin_api

Operations
  • DELETE /os-quota-sets/{tenant_id}

Scope Types
  • system

Revert quotas to defaults

os_compute_api:os-quota-sets:detail
Default

rule:system_or_project_reader

Operations
  • GET /os-quota-sets/{tenant_id}/detail

Scope Types
  • system

  • project

Show the detail of quota

os_compute_api:os-remote-consoles
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (os-getRDPConsole)

  • POST /servers/{server_id}/action (os-getSerialConsole)

  • POST /servers/{server_id}/action (os-getSPICEConsole)

  • POST /servers/{server_id}/action (os-getVNCConsole)

  • POST /servers/{server_id}/remote-consoles

Scope Types
  • system

  • project

Generate a URL to access remove server console.

This policy is for POST /remote-consoles API and below Server actions APIs are deprecated:

  • os-getRDPConsole

  • os-getSerialConsole

  • os-getSPICEConsole

  • os-getVNCConsole.

os_compute_api:os-rescue
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (rescue)

Scope Types
  • system

  • project

Rescue a server

os_compute_api:os-unrescue
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (unrescue)

Scope Types
  • system

  • project

Unrescue a server

os_compute_api:os-security-groups
Default

rule:admin_or_owner

Operations
  • GET /os-security-groups

  • GET /os-security-groups/{security_group_id}

  • POST /os-security-groups

  • PUT /os-security-groups/{security_group_id}

  • DELETE /os-security-groups/{security_group_id}

List, show, add, or remove security groups.

APIs which are directly related to security groups resource are deprecated: Lists, shows information for, creates, updates and deletes security groups. Creates and deletes security group rules. All these APIs are deprecated.

os_compute_api:os-security-groups:list
Default

rule:system_or_project_reader

Operations
  • GET /servers/{server_id}/os-security-groups

Scope Types
  • system

  • project

List security groups of server.

os_compute_api:os-security-groups:add
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (addSecurityGroup)

Scope Types
  • system

  • project

Add security groups to server.

os_compute_api:os-security-groups:remove
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (removeSecurityGroup)

Scope Types
  • system

  • project

Remove security groups from server.

os_compute_api:os-server-diagnostics
Default

rule:system_admin_api

Operations
  • GET /servers/{server_id}/diagnostics

Scope Types
  • system

  • project

Show the usage data for a server

os_compute_api:os-server-external-events:create
Default

rule:system_admin_api

Operations
  • POST /os-server-external-events

Scope Types
  • system

Create one or more external events

os_compute_api:os-server-groups:create
Default

rule:project_member_api

Operations
  • POST /os-server-groups

Scope Types
  • project

Create a new server group

os_compute_api:os-server-groups:delete
Default

rule:system_admin_or_owner

Operations
  • DELETE /os-server-groups/{server_group_id}

Scope Types
  • system

  • project

Delete a server group

os_compute_api:os-server-groups:index
Default

rule:system_or_project_reader

Operations
  • GET /os-server-groups

Scope Types
  • system

  • project

List all server groups

os_compute_api:os-server-groups:index:all_projects
Default

rule:system_reader_api

Operations
  • GET /os-server-groups

Scope Types
  • system

List all server groups for all projects

os_compute_api:os-server-groups:show
Default

rule:system_or_project_reader

Operations
  • GET /os-server-groups/{server_group_id}

Scope Types
  • system

  • project

Show details of a server group

os_compute_api:server-metadata:index
Default

rule:system_or_project_reader

Operations
  • GET /servers/{server_id}/metadata

Scope Types
  • system

  • project

List all metadata of a server

os_compute_api:server-metadata:show
Default

rule:system_or_project_reader

Operations
  • GET /servers/{server_id}/metadata/{key}

Scope Types
  • system

  • project

Show metadata for a server

os_compute_api:server-metadata:create
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/metadata

Scope Types
  • system

  • project

Create metadata for a server

os_compute_api:server-metadata:update_all
Default

rule:system_admin_or_owner

Operations
  • PUT /servers/{server_id}/metadata

Scope Types
  • system

  • project

Replace metadata for a server

os_compute_api:server-metadata:update
Default

rule:system_admin_or_owner

Operations
  • PUT /servers/{server_id}/metadata/{key}

Scope Types
  • system

  • project

Update metadata from a server

os_compute_api:server-metadata:delete
Default

rule:system_admin_or_owner

Operations
  • DELETE /servers/{server_id}/metadata/{key}

Scope Types
  • system

  • project

Delete metadata from a server

os_compute_api:os-server-password:show
Default

rule:system_or_project_reader

Operations
  • GET /servers/{server_id}/os-server-password

Scope Types
  • system

  • project

Show the encrypted administrative password of a server

os_compute_api:os-server-password:clear
Default

rule:system_admin_or_owner

Operations
  • DELETE /servers/{server_id}/os-server-password

Scope Types
  • system

  • project

Clear the encrypted administrative password of a server

os_compute_api:os-server-tags:delete_all
Default

rule:system_admin_or_owner

Operations
  • DELETE /servers/{server_id}/tags

Scope Types
  • system

  • project

Delete all the server tags

os_compute_api:os-server-tags:index
Default

rule:system_or_project_reader

Operations
  • GET /servers/{server_id}/tags

Scope Types
  • system

  • project

List all tags for given server

os_compute_api:os-server-tags:update_all
Default

rule:system_admin_or_owner

Operations
  • PUT /servers/{server_id}/tags

Scope Types
  • system

  • project

Replace all tags on specified server with the new set of tags.

os_compute_api:os-server-tags:delete
Default

rule:system_admin_or_owner

Operations
  • DELETE /servers/{server_id}/tags/{tag}

Scope Types
  • system

  • project

Delete a single tag from the specified server

os_compute_api:os-server-tags:update
Default

rule:system_admin_or_owner

Operations
  • PUT /servers/{server_id}/tags/{tag}

Scope Types
  • system

  • project

Add a single tag to the server if server has no specified tag

os_compute_api:os-server-tags:show
Default

rule:system_or_project_reader

Operations
  • GET /servers/{server_id}/tags/{tag}

Scope Types
  • system

  • project

Check tag existence on the server.

compute:server:topology:index
Default

rule:system_or_project_reader

Operations
  • GET /servers/{server_id}/topology

Scope Types
  • system

  • project

Show the NUMA topology data for a server

compute:server:topology:host:index
Default

rule:system_reader_api

Operations
  • GET /servers/{server_id}/topology

Scope Types
  • system

Show the NUMA topology data for a server with hostNUMA ID and CPU pinning information

os_compute_api:servers:index
Default

rule:system_or_project_reader

Operations
  • GET /servers

Scope Types
  • system

  • project

List all servers

os_compute_api:servers:detail
Default

rule:system_or_project_reader

Operations
  • GET /servers/detail

Scope Types
  • system

  • project

List all servers with detailed information

os_compute_api:servers:index:get_all_tenants
Default

rule:system_reader_api

Operations
  • GET /servers

Scope Types
  • system

List all servers for all projects

os_compute_api:servers:detail:get_all_tenants
Default

rule:system_reader_api

Operations
  • GET /servers/detail

Scope Types
  • system

List all servers with detailed information for all projects

os_compute_api:servers:allow_all_filters
Default

rule:system_reader_api

Operations
  • GET /servers

  • GET /servers/detail

Scope Types
  • system

Allow all filters when listing servers

os_compute_api:servers:show
Default

rule:system_or_project_reader

Operations
  • GET /servers/{server_id}

Scope Types
  • system

  • project

Show a server

os_compute_api:servers:show:host_status
Default

rule:system_admin_api

Operations
  • GET /servers/{server_id}

  • GET /servers/detail

  • PUT /servers/{server_id}

  • POST /servers/{server_id}/action (rebuild)

Scope Types
  • system

  • project

Show a server with additional host status information.

This means host_status will be shown irrespective of status value. If showing only host_status UNKNOWN is desired, use the os_compute_api:servers:show:host_status:unknown-only policy rule.

Microvision 2.75 added the host_status attribute in the PUT /servers/{server_id} and POST /servers/{server_id}/action (rebuild) API responses which are also controlled by this policy rule, like the GET /servers* APIs.

os_compute_api:servers:show:host_status:unknown-only
Default

rule:system_admin_api

Operations
  • GET /servers/{server_id}

  • GET /servers/detail

  • PUT /servers/{server_id}

  • POST /servers/{server_id}/action (rebuild)

Scope Types
  • system

  • project

Show a server with additional host status information, only if host status is UNKNOWN.

This policy rule will only be enforced when the os_compute_api:servers:show:host_status policy rule does not pass for the request. An example policy configuration could be where the os_compute_api:servers:show:host_status rule is set to allow admin-only and the os_compute_api:servers:show:host_status:unknown-only rule is set to allow everyone.

os_compute_api:servers:create
Default

rule:project_member_api

Operations
  • POST /servers

Scope Types
  • project

Create a server

os_compute_api:servers:create:forced_host
Default

rule:project_admin_api

Operations
  • POST /servers

Scope Types
  • system

  • project

Create a server on the specified host and/or node.

In this case, the server is forced to launch on the specified host and/or node by bypassing the scheduler filters unlike the compute:servers:create:requested_destination rule.

compute:servers:create:requested_destination
Default

rule:admin_api

Operations
  • POST /servers

Scope Types
  • system

  • project

Create a server on the requested compute service host and/or hypervisor_hostname.

In this case, the requested host and/or hypervisor_hostname is validated by the scheduler filters unlike the os_compute_api:servers:create:forced_host rule.

os_compute_api:servers:create:attach_volume
Default

rule:project_member_api

Operations
  • POST /servers

Scope Types
  • project

Create a server with the requested volume attached to it

os_compute_api:servers:create:attach_network
Default

rule:project_member_api

Operations
  • POST /servers

Scope Types
  • project

Create a server with the requested network attached to it

os_compute_api:servers:create:trusted_certs
Default

rule:project_member_api

Operations
  • POST /servers

Scope Types
  • project

Create a server with trusted image certificate IDs

os_compute_api:servers:create:zero_disk_flavor
Default

rule:project_admin_api

Operations
  • POST /servers

Scope Types
  • system

  • project

This rule controls the compute API validation behavior of creating a server with a flavor that has 0 disk, indicating the server should be volume-backed.

For a flavor with disk=0, the root disk will be set to exactly the size of the image used to deploy the instance. However, in this case the filter_scheduler cannot select the compute host based on the virtual image size. Therefore, 0 should only be used for volume booted instances or for testing purposes.

WARNING: It is a potential security exposure to enable this policy rule if users can upload their own images since repeated attempts to create a disk=0 flavor instance with a large image can exhaust the local disk of the compute (or shared storage cluster). See bug https://bugs.launchpad.net/nova/+bug/1739646 for details.

network:attach_external_network
Default

rule:project_admin_api

Operations
  • POST /servers

  • POST /servers/{server_id}/os-interface

Scope Types
  • system

  • project

Attach an unshared external network to a server

os_compute_api:servers:delete
Default

rule:system_admin_or_owner

Operations
  • DELETE /servers/{server_id}

Scope Types
  • system

  • project

Delete a server

os_compute_api:servers:update
Default

rule:system_admin_or_owner

Operations
  • PUT /servers/{server_id}

Scope Types
  • system

  • project

Update a server

os_compute_api:servers:confirm_resize
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (confirmResize)

Scope Types
  • system

  • project

Confirm a server resize

os_compute_api:servers:revert_resize
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (revertResize)

Scope Types
  • system

  • project

Revert a server resize

os_compute_api:servers:reboot
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (reboot)

Scope Types
  • system

  • project

Reboot a server

os_compute_api:servers:resize
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (resize)

Scope Types
  • system

  • project

Resize a server

compute:servers:resize:cross_cell
Default

!

Operations
  • POST /servers/{server_id}/action (resize)

Scope Types
  • system

  • project

Resize a server across cells. By default, this is disabled for all users and recommended to be tested in a deployment for admin users before opening it up to non-admin users. Resizing within a cell is the default preferred behavior even if this is enabled.

os_compute_api:servers:rebuild
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (rebuild)

Scope Types
  • system

  • project

Rebuild a server

os_compute_api:servers:rebuild:trusted_certs
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (rebuild)

Scope Types
  • system

  • project

Rebuild a server with trusted image certificate IDs

os_compute_api:servers:create_image
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (createImage)

Scope Types
  • system

  • project

Create an image from a server

os_compute_api:servers:create_image:allow_volume_backed
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (createImage)

Scope Types
  • system

  • project

Create an image from a volume backed server

os_compute_api:servers:start
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (os-start)

Scope Types
  • system

  • project

Start a server

os_compute_api:servers:stop
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (os-stop)

Scope Types
  • system

  • project

Stop a server

os_compute_api:servers:trigger_crash_dump
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (trigger_crash_dump)

Scope Types
  • system

  • project

Trigger crash dump in a server

os_compute_api:servers:migrations:show
Default

rule:system_reader_api

Operations
  • GET /servers/{server_id}/migrations/{migration_id}

Scope Types
  • system

  • project

Show details for an in-progress live migration for a given server

os_compute_api:servers:migrations:force_complete
Default

rule:system_admin_api

Operations
  • POST /servers/{server_id}/migrations/{migration_id}/action (force_complete)

Scope Types
  • system

  • project

Force an in-progress live migration for a given server to complete

os_compute_api:servers:migrations:delete
Default

rule:system_admin_api

Operations
  • DELETE /servers/{server_id}/migrations/{migration_id}

Scope Types
  • system

  • project

Delete(Abort) an in-progress live migration

os_compute_api:servers:migrations:index
Default

rule:system_reader_api

Operations
  • GET /servers/{server_id}/migrations

Scope Types
  • system

  • project

Lists in-progress live migrations for a given server

os_compute_api:os-services:list
Default

rule:system_reader_api

Operations
  • GET /os-services

Scope Types
  • system

List all running Compute services in a region.

os_compute_api:os-services:update
Default

rule:system_admin_api

Operations
  • PUT /os-services/{service_id}

Scope Types
  • system

Update a Compute service.

os_compute_api:os-services:delete
Default

rule:system_admin_api

Operations
  • DELETE /os-services/{service_id}

Scope Types
  • system

Delete a Compute service.

os_compute_api:os-shelve:shelve
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (shelve)

Scope Types
  • system

  • project

Shelve server

os_compute_api:os-shelve:unshelve
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (unshelve)

Scope Types
  • system

  • project

Unshelve (restore) shelved server

os_compute_api:os-shelve:shelve_offload
Default

rule:system_admin_api

Operations
  • POST /servers/{server_id}/action (shelveOffload)

Scope Types
  • system

  • project

Shelf-offload (remove) server

os_compute_api:os-simple-tenant-usage:show
Default

rule:system_or_project_reader

Operations
  • GET /os-simple-tenant-usage/{tenant_id}

Scope Types
  • system

  • project

Show usage statistics for a specific tenant

os_compute_api:os-simple-tenant-usage:list
Default

rule:system_reader_api

Operations
  • GET /os-simple-tenant-usage

Scope Types
  • system

List per tenant usage statistics for all tenants

os_compute_api:os-suspend-server:resume
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (resume)

Scope Types
  • system

  • project

Resume suspended server

os_compute_api:os-suspend-server:suspend
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/action (suspend)

Scope Types
  • system

  • project

Suspend server

os_compute_api:os-tenant-networks
Default

rule:admin_or_owner

Operations
  • GET /os-tenant-networks

  • GET /os-tenant-networks/{network_id}

Create, list, show information for, and delete project networks.

These APIs are proxy calls to the Network service. These are all deprecated.

os_compute_api:os-volumes
Default

rule:admin_or_owner

Operations
  • GET /os-volumes

  • POST /os-volumes

  • GET /os-volumes/detail

  • GET /os-volumes/{volume_id}

  • DELETE /os-volumes/{volume_id}

  • GET /os-snapshots

  • POST /os-snapshots

  • GET /os-snapshots/detail

  • GET /os-snapshots/{snapshot_id}

  • DELETE /os-snapshots/{snapshot_id}

Manage volumes for use with the Compute API.

Lists, shows details, creates, and deletes volumes and snapshots. These APIs are proxy calls to the Volume service. These are all deprecated.

os_compute_api:os-volumes-attachments:index
Default

rule:system_or_project_reader

Operations
  • GET /servers/{server_id}/os-volume_attachments

Scope Types
  • system

  • project

List volume attachments for an instance

os_compute_api:os-volumes-attachments:create
Default

rule:system_admin_or_owner

Operations
  • POST /servers/{server_id}/os-volume_attachments

Scope Types
  • system

  • project

Attach a volume to an instance

os_compute_api:os-volumes-attachments:show
Default

rule:system_or_project_reader

Operations
  • GET /servers/{server_id}/os-volume_attachments/{volume_id}

Scope Types
  • system

  • project

Show details of a volume attachment

os_compute_api:os-volumes-attachments:update
Default

rule:system_admin_or_owner

Operations
  • PUT /servers/{server_id}/os-volume_attachments/{volume_id}

Scope Types
  • system

  • project

Update a volume attachment. New ‘update’ policy about ‘swap + update’ request (which is possible only >2.85) only <swap policy> is checked. We expect <swap policy> to be always superset of this policy permission.

os_compute_api:os-volumes-attachments:swap
Default

rule:system_admin_api

Operations
  • PUT /servers/{server_id}/os-volume_attachments/{volume_id}

Scope Types
  • system

Update a volume attachment with a different volumeId

os_compute_api:os-volumes-attachments:delete
Default

rule:system_admin_or_owner

Operations
  • DELETE /servers/{server_id}/os-volume_attachments/{volume_id}

Scope Types
  • system

  • project

Detach a volume from an instance