Nova Policies

The following is an overview of all available policies in Nova.

Warning

JSON-formatted policy files have been deprecated since Nova 22.0.0 (Victoria). Use a YAML-formatted file instead; the oslopolicy-convert-json-to-yaml tool converts an existing JSON policy file to YAML in a backward-compatible way.

For a sample configuration file, refer to Sample Nova Policy File.
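
Once a deployment carries its own policy.yaml, the question a reviewer asks is which of the defaults documented below have been relaxed. The following is an added example, not part of this page or of Nova: a script that reads a policy.yaml override file in the flat form oslopolicy-convert-json-to-yaml emits and reports every rule that has been made more permissive than its documented default, together with overrides it cannot classify and rule names it does not recognise (a misspelt name silently leaves the default in force). The DEFAULTS table holds a subset of this page's entries and is meant to be extended; the sample file is constructed for the demonstration, and the parser assumes the one-entry-per-line form with no YAML anchors, multi-line strings or nested mappings.

```python
import re

# Privilege level implied by a check string; higher means more restrictive.
# Only the forms that appear in the defaults on this page (and the
# role/is_admin spellings operators commonly use in overrides) are known.
LEVELS = {
    "@": 0, "": 0,
    "rule:project_reader_api": 1, "rule:project_reader_or_admin": 1,
    "role:reader and project_id:%(project_id)s": 1,
    "rule:project_member_api": 2, "rule:project_member_or_admin": 2,
    "role:member and project_id:%(project_id)s": 2,
    "rule:context_is_admin": 3, "rule:admin_api": 3, "role:admin": 3, "is_admin:True": 3,
    "!": 4,
}
NAMES = {0: "anyone", 1: "project reader", 2: "project member", 3: "admin", 4: "nobody"}

# Defaults copied from this page. A subset: extend it with the full list
# before using this against a real deployment.
DEFAULTS = {
    "os_compute_api:os-admin-actions:reset_state": "rule:context_is_admin",
    "os_compute_api:os-evacuate": "rule:context_is_admin",
    "os_compute_api:os-console-auth-tokens": "rule:context_is_admin",
    "os_compute_api:os-instance-actions:events:details": "rule:context_is_admin",
    "os_compute_api:servers:show:host_status": "rule:context_is_admin",
    "os_compute_api:servers:show:host_status:unknown-only": "rule:context_is_admin",
    "os_compute_api:os-console-output": "rule:project_member_or_admin",
    "os_compute_api:servers:show": "rule:project_reader_or_admin",
}

# One entry per line, as oslopolicy-convert-json-to-yaml writes them:
#   "rule_name": "check string"   (the value may be single-quoted, bare or empty)
ENTRY = re.compile(r'^\s*"([^"]+)"\s*:\s*(?:"([^"]*)"|\'([^\']*)\'|([^#\s][^#]*?))?\s*(?:#.*)?$')


def parse_policy_yaml(text):
    """Parse the flat key/value subset of policy.yaml into {rule: check}.
    Blank lines and comments (the converter emits the defaults commented
    out) are skipped; anything else is rejected rather than guessed at."""
    overrides = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = ENTRY.match(raw)
        if not m:
            raise ValueError("unsupported policy.yaml line: %r" % raw)
        overrides[m.group(1)] = next((g for g in m.groups()[1:] if g is not None), "")
    return overrides


def level(check):
    """Privilege level of a check string, or None if it is not recognised."""
    return LEVELS.get(" ".join(check.split()))


def audit(overrides, defaults=DEFAULTS):
    """Return (rule, default, override) findings for overrides that are laxer
    than the documented default, that cannot be classified, or that name
    no known policy (a misspelt name silently leaves the default in force)."""
    findings = []
    for rule, check in overrides.items():
        if rule not in defaults:
            findings.append((rule, "n/a", "unknown policy name (typo, or missing from DEFAULTS)"))
            continue
        want, have = level(defaults[rule]), level(check)
        if have is None:
            findings.append((rule, NAMES[want], "unrecognised check string: %s" % check))
        elif have < want:
            findings.append((rule, NAMES[want], NAMES[have]))
    return findings


# Constructed sample override file for the demonstration.
SAMPLE_POLICY_YAML = '''\
#"os_compute_api:os-admin-actions:reset_state": "rule:context_is_admin"
"os_compute_api:servers:show:host_status:unknown-only": "@"
"os_compute_api:os-evacuate": "rule:project_member_or_admin"
"os_compute_api:os-instance-actions:events:details": "rule:project_reader_or_admin"
"os_compute_api:os-console-output": "rule:context_is_admin"   # tightened, not reported
"os_compute_api:os-console-auth-tokens": "role:support"
'''

if __name__ == "__main__":
    for rule, default, now in audit(parse_policy_yaml(SAMPLE_POLICY_YAML)):
        print("%s\n    default: %s\n    now:     %s" % (rule, default, now))
```

Run against the sample, the script reports the three relaxed rules and the one it cannot classify, and stays silent about os-console-output, which was tightened. An unrecognised check string is reported rather than scored so that a custom role never passes the audit by accident.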

nova

context_is_admin
Default

role:admin

Decides what is required for the ‘is_admin:True’ check to succeed.

admin_or_owner
Default

is_admin:True or project_id:%(project_id)s

Default rule for most non-Admin APIs.

admin_api
Default

is_admin:True

Default rule for most Admin APIs.

project_member_api
Default

role:member and project_id:%(project_id)s

Default rule for Project level non admin APIs.

project_reader_api
Default

role:reader and project_id:%(project_id)s

Default rule for Project level read only APIs.

project_member_or_admin
Default

rule:project_member_api or rule:context_is_admin

Default rule for Project Member or admin APIs.

project_reader_or_admin
Default

rule:project_reader_api or rule:context_is_admin

Default rule for Project reader or admin APIs.
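
The base rules above compose by reference: an API policy whose default is rule:project_member_or_admin passes if either project_member_api or context_is_admin passes for the caller's credentials against the target resource. The following is an added example, not code from Nova or oslo.policy: a small evaluator for the subset of the check-string grammar used in these defaults, run against a few constructed callers. The function names, the sample credentials and the targets are illustrative; in a deployment oslo.policy's Enforcer is what evaluates these strings.

```python
import re

# Tokens are "(", ")" or an atom; an atom may embed a %(key)s substitution.
TOKEN = re.compile(r"\(|\)|(?:%\(\w+\)s|[^\s()])+")
SUBST = re.compile(r"%\((\w+)\)s")

# Base rules copied from the defaults above, plus a few API policies from
# this page to exercise them.
BASE_RULES = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "admin_api": "is_admin:True",
    "project_member_api": "role:member and project_id:%(project_id)s",
    "project_reader_api": "role:reader and project_id:%(project_id)s",
    "project_member_or_admin": "rule:project_member_api or rule:context_is_admin",
    "project_reader_or_admin": "rule:project_reader_api or rule:context_is_admin",
}
API_RULES = {
    "os_compute_api:os-admin-actions:reset_state": "rule:context_is_admin",
    "os_compute_api:os-console-output": "rule:project_member_or_admin",
    "os_compute_api:servers:show": "rule:project_reader_or_admin",
    "os_compute_api:os-keypairs:show": "(rule:context_is_admin) or user_id:%(user_id)s",
    "os_compute_api:os-availability-zone:list": "@",
}
RULES = {**BASE_RULES, **API_RULES}


def check(name, creds, target, rules=RULES, _depth=0):
    """Evaluate rules[name] against (creds, target) as oslo.policy would:
    'and' binds tighter than 'or', parentheses group, rule: recurses."""
    if _depth > 32:  # a rule: reference cycle would otherwise recurse forever
        raise RecursionError("rule reference cycle involving %r" % name)
    tokens = TOKEN.findall(rules[name])
    pos = 0

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            value = parse_and() or value
        return value

    def parse_and():
        nonlocal pos
        value = parse_atom()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            value = parse_atom() and value
        return value

    def parse_atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok != "(":
            return atom(tok, creds, target, rules, _depth)
        value = parse_or()
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("unbalanced parenthesis in %r" % name)
        pos += 1
        return value

    value = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % name)
    return value


def atom(tok, creds, target, rules, depth):
    # One check: '@', rule:<name>, role:<name>, or generic <key>:<value>.
    if tok == "@":
        return True
    kind, sep, value = tok.partition(":")
    if not sep:
        raise ValueError("unsupported check %r" % tok)
    if kind == "rule":
        return check(value, creds, target, rules, depth + 1)
    if kind == "role":
        return value in creds.get("roles", ())
    m = SUBST.fullmatch(value)
    if m:  # e.g. project_id:%(project_id)s -> creds["project_id"] == target["project_id"]
        if kind not in creds or m.group(1) not in target:
            return False
        return str(creds[kind]) == str(target[m.group(1)])
    return kind in creds and str(creds[kind]) == value  # literal, e.g. is_admin:True


def allowed(policy, creds, target=None):
    return check(policy, creds, target or {})


# Constructed sample callers and targets; not real identities.
ADMIN = {"roles": ["admin", "member", "reader"], "is_admin": True,
         "project_id": "ops", "user_id": "u-admin"}
MEMBER_A = {"roles": ["member", "reader"], "project_id": "proj-a", "user_id": "u-alice"}
READER_A = {"roles": ["reader"], "project_id": "proj-a", "user_id": "u-bob"}
SERVER_A, SERVER_B = {"project_id": "proj-a"}, {"project_id": "proj-b"}
KEYPAIR_ALICE = {"project_id": "proj-a", "user_id": "u-alice"}

if __name__ == "__main__":
    for policy in API_RULES:  # [admin, member of proj-a, reader of proj-a] against a proj-a server
        print(policy, [allowed(policy, c, SERVER_A) for c in (ADMIN, MEMBER_A, READER_A)])
```

Two points the evaluator makes concrete: project_id:%(project_id)s compares the caller's project with the target's, so a member of one project is refused on another project's server even though the role matches; and the keypair rules use user_id:%(user_id)s, so a keypair is private to the user who created it, not to the project.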

os_compute_api:os-admin-actions:reset_state
Default

rule:context_is_admin

Operations
  • POST /servers/{server_id}/action (os-resetState)

Scope Types
  • project

Reset the state of a given server

os_compute_api:os-admin-actions:inject_network_info
Default

rule:context_is_admin

Operations
  • POST /servers/{server_id}/action (injectNetworkInfo)

Scope Types
  • project

Inject network information into the server

os_compute_api:os-admin-password
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (changePassword)

Scope Types
  • project

Change the administrative password for a server

os_compute_api:os-aggregates:set_metadata
Default

rule:context_is_admin

Operations
  • POST /os-aggregates/{aggregate_id}/action (set_metadata)

Scope Types
  • project

Create or replace metadata for an aggregate

os_compute_api:os-aggregates:add_host
Default

rule:context_is_admin

Operations
  • POST /os-aggregates/{aggregate_id}/action (add_host)

Scope Types
  • project

Add a host to an aggregate

os_compute_api:os-aggregates:create
Default

rule:context_is_admin

Operations
  • POST /os-aggregates

Scope Types
  • project

Create an aggregate

os_compute_api:os-aggregates:remove_host
Default

rule:context_is_admin

Operations
  • POST /os-aggregates/{aggregate_id}/action (remove_host)

Scope Types
  • project

Remove a host from an aggregate

os_compute_api:os-aggregates:update
Default

rule:context_is_admin

Operations
  • PUT /os-aggregates/{aggregate_id}

Scope Types
  • project

Update name and/or availability zone for an aggregate

os_compute_api:os-aggregates:index
Default

rule:context_is_admin

Operations
  • GET /os-aggregates

Scope Types
  • project

List all aggregates

os_compute_api:os-aggregates:delete
Default

rule:context_is_admin

Operations
  • DELETE /os-aggregates/{aggregate_id}

Scope Types
  • project

Delete an aggregate

os_compute_api:os-aggregates:show
Default

rule:context_is_admin

Operations
  • GET /os-aggregates/{aggregate_id}

Scope Types
  • project

Show details for an aggregate

compute:aggregates:images
Default

rule:context_is_admin

Operations
  • POST /os-aggregates/{aggregate_id}/images

Scope Types
  • project

Request image caching for an aggregate

os_compute_api:os-assisted-volume-snapshots:create
Default

rule:context_is_admin

Operations
  • POST /os-assisted-volume-snapshots

Scope Types
  • project

Create an assisted volume snapshot

os_compute_api:os-assisted-volume-snapshots:delete
Default

rule:context_is_admin

Operations
  • DELETE /os-assisted-volume-snapshots/{snapshot_id}

Scope Types
  • project

Delete an assisted volume snapshot

os_compute_api:os-attach-interfaces:list
Default

rule:project_reader_or_admin

Operations
  • GET /servers/{server_id}/os-interface

Scope Types
  • project

List port interfaces attached to a server

os_compute_api:os-attach-interfaces:show
Default

rule:project_reader_or_admin

Operations
  • GET /servers/{server_id}/os-interface/{port_id}

Scope Types
  • project

Show details of a port interface attached to a server

os_compute_api:os-attach-interfaces:create
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/os-interface

Scope Types
  • project

Attach an interface to a server

os_compute_api:os-attach-interfaces:delete
Default

rule:project_member_or_admin

Operations
  • DELETE /servers/{server_id}/os-interface/{port_id}

Scope Types
  • project

Detach an interface from a server

os_compute_api:os-availability-zone:list
Default

@

Operations
  • GET /os-availability-zone

Scope Types
  • project

List availability zone information without host information

os_compute_api:os-availability-zone:detail
Default

rule:context_is_admin

Operations
  • GET /os-availability-zone/detail

Scope Types
  • project

List detailed availability zone information with host information

os_compute_api:os-baremetal-nodes:list
Default

rule:context_is_admin

Operations
  • GET /os-baremetal-nodes

Scope Types
  • project

List bare metal nodes.

This API is a proxy call to the Ironic service and is deprecated.

os_compute_api:os-baremetal-nodes:show
Default

rule:context_is_admin

Operations
  • GET /os-baremetal-nodes/{node_id}

Scope Types
  • project

Show details of a bare metal node.

This API is a proxy call to the Ironic service and is deprecated.

os_compute_api:os-console-auth-tokens
Default

rule:context_is_admin

Operations
  • GET /os-console-auth-tokens/{console_token}

Scope Types
  • project

Show console connection information for a given console authentication token

os_compute_api:os-console-output
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (os-getConsoleOutput)

Scope Types
  • project

Show console output for a server

os_compute_api:os-create-backup
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (createBackup)

Scope Types
  • project

Create a back up of a server

os_compute_api:os-deferred-delete:restore
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (restore)

Scope Types
  • project

Restore a soft deleted server

os_compute_api:os-deferred-delete:force
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (forceDelete)

Scope Types
  • project

Force delete a server before deferred cleanup

os_compute_api:os-evacuate
Default

rule:context_is_admin

Operations
  • POST /servers/{server_id}/action (evacuate)

Scope Types
  • project

Evacuate a server from a failed host to a new host

os_compute_api:os-extended-server-attributes
Default

rule:context_is_admin

Operations
  • GET /servers/{id}

  • GET /servers/detail

  • PUT /servers/{server_id}

  • POST /servers/{server_id}/action (rebuild)

Scope Types
  • project

Return extended attributes for server.

This rule will control the visibility for a set of servers attributes:

  • OS-EXT-SRV-ATTR:host

  • OS-EXT-SRV-ATTR:instance_name

  • OS-EXT-SRV-ATTR:reservation_id (since microversion 2.3)

  • OS-EXT-SRV-ATTR:launch_index (since microversion 2.3)

  • OS-EXT-SRV-ATTR:hostname (since microversion 2.3)

  • OS-EXT-SRV-ATTR:kernel_id (since microversion 2.3)

  • OS-EXT-SRV-ATTR:ramdisk_id (since microversion 2.3)

  • OS-EXT-SRV-ATTR:root_device_name (since microversion 2.3)

  • OS-EXT-SRV-ATTR:user_data (since microversion 2.3)

Microversion 2.75 added the above attributes to the PUT /servers/{server_id} and POST /servers/{server_id}/action (rebuild) responses; those are controlled by this policy rule in the same way as the GET /servers* APIs.

Microversion 2.90 made the OS-EXT-SRV-ATTR:hostname attribute available to all users, so this policy has no effect on that field for microversions 2.90 and greater. Controlling the visibility of this attribute for all microversions is therefore deprecated and will be removed in a future release.

os_compute_api:extensions
Default

@

Operations
  • GET /extensions

  • GET /extensions/{alias}

Scope Types
  • project

List available extensions and show information for an extension by alias

os_compute_api:os-flavor-access:add_tenant_access
Default

rule:context_is_admin

Operations
  • POST /flavors/{flavor_id}/action (addTenantAccess)

Scope Types
  • project

Add flavor access to a tenant

os_compute_api:os-flavor-access:remove_tenant_access
Default

rule:context_is_admin

Operations
  • POST /flavors/{flavor_id}/action (removeTenantAccess)

Scope Types
  • project

Remove flavor access from a tenant

os_compute_api:os-flavor-access
Default

rule:context_is_admin

Operations
  • GET /flavors/{flavor_id}/os-flavor-access

Scope Types
  • project

List flavor access information

Allows access to the full list of tenants that have access to a flavor via an os-flavor-access API.

os_compute_api:os-flavor-extra-specs:show
Default

rule:project_reader_or_admin

Operations
  • GET /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}

Scope Types
  • project

Show an extra spec for a flavor

os_compute_api:os-flavor-extra-specs:create
Default

rule:context_is_admin

Operations
  • POST /flavors/{flavor_id}/os-extra_specs/

Scope Types
  • project

Create extra specs for a flavor

os_compute_api:os-flavor-extra-specs:update
Default

rule:context_is_admin

Operations
  • PUT /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}

Scope Types
  • project

Update an extra spec for a flavor

os_compute_api:os-flavor-extra-specs:delete
Default

rule:context_is_admin

Operations
  • DELETE /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}

Scope Types
  • project

Delete an extra spec for a flavor

os_compute_api:os-flavor-extra-specs:index
Default

rule:project_reader_or_admin

Operations
  • GET /flavors/{flavor_id}/os-extra_specs/

  • POST /flavors

  • GET /flavors/detail

  • GET /flavors/{flavor_id}

  • PUT /flavors/{flavor_id}

Scope Types
  • project

List extra specs for a flavor. Starting with microversion 2.61, extra specs may be returned in responses for the flavor resource.

os_compute_api:os-flavor-manage:create
Default

rule:context_is_admin

Operations
  • POST /flavors

Scope Types
  • project

Create a flavor

os_compute_api:os-flavor-manage:update
Default

rule:context_is_admin

Operations
  • PUT /flavors/{flavor_id}

Scope Types
  • project

Update a flavor

os_compute_api:os-flavor-manage:delete
Default

rule:context_is_admin

Operations
  • DELETE /flavors/{flavor_id}

Scope Types
  • project

Delete a flavor

os_compute_api:os-floating-ip-pools
Default

@

Operations
  • GET /os-floating-ip-pools

Scope Types
  • project

List floating IP pools. This API is deprecated.

os_compute_api:os-floating-ips:add
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (addFloatingIp)

Scope Types
  • project

Associate floating IPs to server. This API is deprecated.

os_compute_api:os-floating-ips:remove
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (removeFloatingIp)

Scope Types
  • project

Disassociate floating IPs from a server. This API is deprecated.

os_compute_api:os-floating-ips:list
Default

rule:project_reader_or_admin

Operations
  • GET /os-floating-ips

Scope Types
  • project

List floating IPs. This API is deprecated.

os_compute_api:os-floating-ips:create
Default

rule:project_member_or_admin

Operations
  • POST /os-floating-ips

Scope Types
  • project

Create floating IPs. This API is deprecated.

os_compute_api:os-floating-ips:show
Default

rule:project_reader_or_admin

Operations
  • GET /os-floating-ips/{floating_ip_id}

Scope Types
  • project

Show floating IPs. This API is deprecated.

os_compute_api:os-floating-ips:delete
Default

rule:project_member_or_admin

Operations
  • DELETE /os-floating-ips/{floating_ip_id}

Scope Types
  • project

Delete floating IPs. This API is deprecated.

os_compute_api:os-hosts:list
Default

rule:context_is_admin

Operations
  • GET /os-hosts

Scope Types
  • project

List physical hosts.

This API is deprecated in favor of os-hypervisors and os-services.

os_compute_api:os-hosts:show
Default

rule:context_is_admin

Operations
  • GET /os-hosts/{host_name}

Scope Types
  • project

Show physical host.

This API is deprecated in favor of os-hypervisors and os-services.

os_compute_api:os-hosts:update
Default

rule:context_is_admin

Operations
  • PUT /os-hosts/{host_name}

Scope Types
  • project

Update physical host.

This API is deprecated in favor of os-hypervisors and os-services.

os_compute_api:os-hosts:reboot
Default

rule:context_is_admin

Operations
  • GET /os-hosts/{host_name}/reboot

Scope Types
  • project

Reboot physical host.

This API is deprecated in favor of os-hypervisors and os-services.

os_compute_api:os-hosts:shutdown
Default

rule:context_is_admin

Operations
  • GET /os-hosts/{host_name}/shutdown

Scope Types
  • project

Shutdown physical host.

This API is deprecated in favor of os-hypervisors and os-services.

os_compute_api:os-hosts:start
Default

rule:context_is_admin

Operations
  • GET /os-hosts/{host_name}/startup

Scope Types
  • project

Start physical host.

This API is deprecated in favor of os-hypervisors and os-services.

os_compute_api:os-hypervisors:list
Default

rule:context_is_admin

Operations
  • GET /os-hypervisors

Scope Types
  • project

List all hypervisors.

os_compute_api:os-hypervisors:list-detail
Default

rule:context_is_admin

Operations
  • GET /os-hypervisors/details

Scope Types
  • project

List all hypervisors with details

os_compute_api:os-hypervisors:statistics
Default

rule:context_is_admin

Operations
  • GET /os-hypervisors/statistics

Scope Types
  • project

Show summary statistics for all hypervisors over all compute nodes.

os_compute_api:os-hypervisors:show
Default

rule:context_is_admin

Operations
  • GET /os-hypervisors/{hypervisor_id}

Scope Types
  • project

Show details for a hypervisor.

os_compute_api:os-hypervisors:uptime
Default

rule:context_is_admin

Operations
  • GET /os-hypervisors/{hypervisor_id}/uptime

Scope Types
  • project

Show the uptime of a hypervisor.

os_compute_api:os-hypervisors:search
Default

rule:context_is_admin

Operations
  • GET /os-hypervisors/{hypervisor_hostname_pattern}/search

Scope Types
  • project

Search hypervisor by hypervisor_hostname pattern.

os_compute_api:os-hypervisors:servers
Default

rule:context_is_admin

Operations
  • GET /os-hypervisors/{hypervisor_hostname_pattern}/servers

Scope Types
  • project

List all servers on hypervisors whose hypervisor_hostname matches the provided pattern.

os_compute_api:os-instance-actions:events:details
Default

rule:context_is_admin

Operations
  • GET /servers/{server_id}/os-instance-actions/{request_id}

Scope Types
  • project

Add the "details" key to action events for a server.

This check is performed only after the check os_compute_api:os-instance-actions:show passes. Beginning with microversion 2.84, a new "details" field is exposed which can carry more detail about an event failure. That field is controlled by this policy, which is admin-only by default. Making "details" visible to non-admin users helps them understand the nature of the problem (for example, whether the action can be retried), but on the other hand it may leak information about the deployment (for example, the hypervisor type).

os_compute_api:os-instance-actions:events
Default

rule:context_is_admin

Operations
  • GET /servers/{server_id}/os-instance-actions/{request_id}

Scope Types
  • project

Add event details to the action details for a server. This check is performed only after the check os_compute_api:os-instance-actions:show passes. Beginning with microversion 2.51, event details are always included; traceback information is provided per event if policy enforcement passes. Beginning with microversion 2.62, each event includes a hashed host identifier and, if policy enforcement passes, the name of the host.

os_compute_api:os-instance-actions:list
Default

rule:project_reader_or_admin

Operations
  • GET /servers/{server_id}/os-instance-actions

Scope Types
  • project

List actions for a server.

os_compute_api:os-instance-actions:show
Default

rule:project_reader_or_admin

Operations
  • GET /servers/{server_id}/os-instance-actions/{request_id}

Scope Types
  • project

Show action details for a server.

os_compute_api:os-instance-usage-audit-log:list
Default

rule:context_is_admin

Operations
  • GET /os-instance_usage_audit_log

Scope Types
  • project

List all usage audits.

os_compute_api:os-instance-usage-audit-log:show
Default

rule:context_is_admin

Operations
  • GET /os-instance_usage_audit_log/{before_timestamp}

Scope Types
  • project

List all usage audits that occurred before a specified time for all servers on all compute hosts where usage auditing is configured

os_compute_api:ips:show
Default

rule:project_reader_or_admin

Operations
  • GET /servers/{server_id}/ips/{network_label}

Scope Types
  • project

Show IP addresses details for a network label of a server

os_compute_api:ips:index
Default

rule:project_reader_or_admin

Operations
  • GET /servers/{server_id}/ips

Scope Types
  • project

List IP addresses that are assigned to a server

os_compute_api:os-keypairs:index
Default

(rule:context_is_admin) or user_id:%(user_id)s

Operations
  • GET /os-keypairs

Scope Types
  • project

List all keypairs

os_compute_api:os-keypairs:create
Default

(rule:context_is_admin) or user_id:%(user_id)s

Operations
  • POST /os-keypairs

Scope Types
  • project

Create a keypair

os_compute_api:os-keypairs:delete
Default

(rule:context_is_admin) or user_id:%(user_id)s

Operations
  • DELETE /os-keypairs/{keypair_name}

Scope Types
  • project

Delete a keypair

os_compute_api:os-keypairs:show
Default

(rule:context_is_admin) or user_id:%(user_id)s

Operations
  • GET /os-keypairs/{keypair_name}

Scope Types
  • project

Show details of a keypair

os_compute_api:limits
Default

@

Operations
  • GET /limits

Scope Types
  • project

Show rate and absolute limits for the current user's project

os_compute_api:limits:other_project
Default

rule:context_is_admin

Operations
  • GET /limits

Scope Types
  • project

Show rate and absolute limits of another project.

This policy only checks whether the user may see the requested project's limits; it is evaluated only after the check os_compute_api:limits passes.

os_compute_api:os-lock-server:lock
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (lock)

Scope Types
  • project

Lock a server

os_compute_api:os-lock-server:unlock
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (unlock)

Scope Types
  • project

Unlock a server

os_compute_api:os-lock-server:unlock:unlock_override
Default

rule:context_is_admin

Operations
  • POST /servers/{server_id}/action (unlock)

Scope Types
  • project

Unlock a server regardless of who locked it.

This check is performed only after the check os_compute_api:os-lock-server:unlock passes.

os_compute_api:os-migrate-server:migrate
Default

rule:context_is_admin

Operations
  • POST /servers/{server_id}/action (migrate)

Scope Types
  • project

Cold migrate a server to a host

os_compute_api:os-migrate-server:migrate_live
Default

rule:context_is_admin

Operations
  • POST /servers/{server_id}/action (os-migrateLive)

Scope Types
  • project

Live migrate a server to a new host without a reboot

os_compute_api:os-migrations:index
Default

rule:context_is_admin

Operations
  • GET /os-migrations

Scope Types
  • project

List migrations

os_compute_api:os-multinic:add
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (addFixedIp)

Scope Types
  • project

Add a fixed IP address to a server.

This API proxies calls to the Network service and is deprecated.

os_compute_api:os-multinic:remove
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (removeFixedIp)

Scope Types
  • project

Remove a fixed IP address from a server.

This API proxies calls to the Network service and is deprecated.

os_compute_api:os-networks:list
Default

rule:project_reader_or_admin

Operations
  • GET /os-networks

Scope Types
  • project

List networks for the project.

This API proxies calls to the Network service and is deprecated.

os_compute_api:os-networks:show
Default

rule:project_reader_or_admin

Operations
  • GET /os-networks/{network_id}

Scope Types
  • project

Show network details.

This API proxies calls to the Network service and is deprecated.

os_compute_api:os-pause-server:pause
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (pause)

Scope Types
  • project

Pause a server

os_compute_api:os-pause-server:unpause
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (unpause)

Scope Types
  • project

Unpause a paused server

os_compute_api:os-quota-class-sets:show
Default

rule:context_is_admin

Operations
  • GET /os-quota-class-sets/{quota_class}

Scope Types
  • project

List quotas for a specific quota class

os_compute_api:os-quota-class-sets:update
Default

rule:context_is_admin

Operations
  • PUT /os-quota-class-sets/{quota_class}

Scope Types
  • project

Update quotas for specific quota class

os_compute_api:os-quota-sets:update
Default

rule:context_is_admin

Operations
  • PUT /os-quota-sets/{tenant_id}

Scope Types
  • project

Update the quotas

os_compute_api:os-quota-sets:defaults
Default

@

Operations
  • GET /os-quota-sets/{tenant_id}/defaults

Scope Types
  • project

List default quotas

os_compute_api:os-quota-sets:show
Default

rule:project_reader_or_admin

Operations
  • GET /os-quota-sets/{tenant_id}

Scope Types
  • project

Show a quota

os_compute_api:os-quota-sets:delete
Default

rule:context_is_admin

Operations
  • DELETE /os-quota-sets/{tenant_id}

Scope Types
  • project

Revert quotas to defaults

os_compute_api:os-quota-sets:detail
Default

rule:project_reader_or_admin

Operations
  • GET /os-quota-sets/{tenant_id}/detail

Scope Types
  • project

Show the detail of quota

os_compute_api:os-remote-consoles
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (os-getRDPConsole)

  • POST /servers/{server_id}/action (os-getSerialConsole)

  • POST /servers/{server_id}/action (os-getSPICEConsole)

  • POST /servers/{server_id}/action (os-getVNCConsole)

  • POST /servers/{server_id}/remote-consoles

Scope Types
  • project

Generate a URL to access a remote server console.

This policy covers the POST /servers/{server_id}/remote-consoles API; the following server action APIs are deprecated:

  • os-getRDPConsole

  • os-getSerialConsole

  • os-getSPICEConsole

  • os-getVNCConsole

os_compute_api:os-rescue
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (rescue)

Scope Types
  • project

Rescue a server

os_compute_api:os-unrescue
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (unrescue)

Scope Types
  • project

Unrescue a server

os_compute_api:os-security-groups:get
Default

rule:project_reader_or_admin

Operations
  • GET /os-security-groups

Scope Types
  • project

List security groups. This API is deprecated.

os_compute_api:os-security-groups:show
Default

rule:project_reader_or_admin

Operations
  • GET /os-security-groups/{security_group_id}

Scope Types
  • project

Show security group. This API is deprecated.

os_compute_api:os-security-groups:create
Default

rule:project_member_or_admin

Operations
  • POST /os-security-groups

Scope Types
  • project

Create security group. This API is deprecated.

os_compute_api:os-security-groups:update
Default

rule:project_member_or_admin

Operations
  • PUT /os-security-groups/{security_group_id}

Scope Types
  • project

Update security group. This API is deprecated.

os_compute_api:os-security-groups:delete
Default

rule:project_member_or_admin

Operations
  • DELETE /os-security-groups/{security_group_id}

Scope Types
  • project

Delete security group. This API is deprecated.

os_compute_api:os-security-groups:rule:create
Default

rule:project_member_or_admin

Operations
  • POST /os-security-group-rules

Scope Types
  • project

Create security group Rule. This API is deprecated.

os_compute_api:os-security-groups:rule:delete
Default

rule:project_member_or_admin

Operations
  • DELETE /os-security-group-rules/{security_group_rule_id}

Scope Types
  • project

Delete security group Rule. This API is deprecated.

os_compute_api:os-security-groups:list
Default

rule:project_reader_or_admin

Operations
  • GET /servers/{server_id}/os-security-groups

Scope Types
  • project

List security groups of server.

os_compute_api:os-security-groups:add
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (addSecurityGroup)

Scope Types
  • project

Add security groups to server.

os_compute_api:os-security-groups:remove
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (removeSecurityGroup)

Scope Types
  • project

Remove security groups from server.

os_compute_api:os-server-diagnostics
Default

rule:context_is_admin

Operations
  • GET /servers/{server_id}/diagnostics

Scope Types
  • project

Show the usage data for a server

os_compute_api:os-server-external-events:create
Default

rule:context_is_admin

Operations
  • POST /os-server-external-events

Scope Types
  • project

Create one or more external events

os_compute_api:os-server-groups:create
Default

rule:project_member_or_admin

Operations
  • POST /os-server-groups

Scope Types
  • project

Create a new server group

os_compute_api:os-server-groups:delete
Default

rule:project_member_or_admin

Operations
  • DELETE /os-server-groups/{server_group_id}

Scope Types
  • project

Delete a server group

os_compute_api:os-server-groups:index
Default

rule:project_reader_or_admin

Operations
  • GET /os-server-groups

Scope Types
  • project

List all server groups

os_compute_api:os-server-groups:index:all_projects
Default

rule:context_is_admin

Operations
  • GET /os-server-groups

Scope Types
  • project

List all server groups for all projects

os_compute_api:os-server-groups:show
Default

rule:project_reader_or_admin

Operations
  • GET /os-server-groups/{server_group_id}

Scope Types
  • project

Show details of a server group

os_compute_api:server-metadata:index
Default

rule:project_reader_or_admin

Operations
  • GET /servers/{server_id}/metadata

Scope Types
  • project

List all metadata of a server

os_compute_api:server-metadata:show
Default

rule:project_reader_or_admin

Operations
  • GET /servers/{server_id}/metadata/{key}

Scope Types
  • project

Show metadata for a server

os_compute_api:server-metadata:create
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/metadata

Scope Types
  • project

Create metadata for a server

os_compute_api:server-metadata:update_all
Default

rule:project_member_or_admin

Operations
  • PUT /servers/{server_id}/metadata

Scope Types
  • project

Replace metadata for a server

os_compute_api:server-metadata:update
Default

rule:project_member_or_admin

Operations
  • PUT /servers/{server_id}/metadata/{key}

Scope Types
  • project

Update a metadata item on a server

os_compute_api:server-metadata:delete
Default

rule:project_member_or_admin

Operations
  • DELETE /servers/{server_id}/metadata/{key}

Scope Types
  • project

Delete metadata from a server

os_compute_api:os-server-password:show
Default

rule:project_reader_or_admin

Operations
  • GET /servers/{server_id}/os-server-password

Scope Types
  • project

Show the encrypted administrative password of a server

os_compute_api:os-server-password:clear
Default

rule:project_member_or_admin

Operations
  • DELETE /servers/{server_id}/os-server-password

Scope Types
  • project

Clear the encrypted administrative password of a server

os_compute_api:os-server-tags:delete_all
Default

rule:project_member_or_admin

Operations
  • DELETE /servers/{server_id}/tags

Scope Types
  • project

Delete all the server tags

os_compute_api:os-server-tags:index
Default

rule:project_reader_or_admin

Operations
  • GET /servers/{server_id}/tags

Scope Types
  • project

List all tags for given server

os_compute_api:os-server-tags:update_all
Default

rule:project_member_or_admin

Operations
  • PUT /servers/{server_id}/tags

Scope Types
  • project

Replace all tags on specified server with the new set of tags.

os_compute_api:os-server-tags:delete
Default

rule:project_member_or_admin

Operations
  • DELETE /servers/{server_id}/tags/{tag}

Scope Types
  • project

Delete a single tag from the specified server

os_compute_api:os-server-tags:update
Default

rule:project_member_or_admin

Operations
  • PUT /servers/{server_id}/tags/{tag}

Scope Types
  • project

Add a single tag to the server if the server does not already have that tag

os_compute_api:os-server-tags:show
Default

rule:project_reader_or_admin

Operations
  • GET /servers/{server_id}/tags/{tag}

Scope Types
  • project

Check tag existence on the server.

compute:server:topology:index
Default

rule:project_reader_or_admin

Operations
  • GET /servers/{server_id}/topology

Scope Types
  • project

Show the NUMA topology data for a server

compute:server:topology:host:index
Default

rule:context_is_admin

Operations
  • GET /servers/{server_id}/topology

Scope Types
  • project

Show the NUMA topology data for a server with host NUMA ID and CPU pinning information

os_compute_api:servers:index
Default

rule:project_reader_or_admin

Operations
  • GET /servers

Scope Types
  • project

List all servers

os_compute_api:servers:detail
Default

rule:project_reader_or_admin

Operations
  • GET /servers/detail

Scope Types
  • project

List all servers with detailed information

os_compute_api:servers:index:get_all_tenants
Default

rule:context_is_admin

Operations
  • GET /servers

Scope Types
  • project

List all servers for all projects

os_compute_api:servers:detail:get_all_tenants
Default

rule:context_is_admin

Operations
  • GET /servers/detail

Scope Types
  • project

List all servers with detailed information for all projects

os_compute_api:servers:allow_all_filters
Default

rule:context_is_admin

Operations
  • GET /servers

  • GET /servers/detail

Scope Types
  • project

Allow all filters when listing servers

os_compute_api:servers:show
Default

rule:project_reader_or_admin

Operations
  • GET /servers/{server_id}

Scope Types
  • project

Show a server

os_compute_api:servers:show:flavor-extra-specs
Default

rule:project_reader_or_admin

Operations
  • GET /servers/detail

  • GET /servers/{server_id}

  • PUT /servers/{server_id}

  • POST /servers/{server_id}/action (rebuild)

Scope Types
  • project

Starting with microversion 2.47, the flavor and its extra specs used for a server is also returned in the response when showing server details, updating a server or rebuilding a server.

os_compute_api:servers:show:host_status
Default

rule:context_is_admin

Operations
  • GET /servers/{server_id}

  • GET /servers/detail

  • PUT /servers/{server_id}

  • POST /servers/{server_id}/action (rebuild)

Scope Types
  • project

Show a server with additional host status information.

This means host_status is shown irrespective of its value. If host_status should be shown only when it is UNKNOWN, use the os_compute_api:servers:show:host_status:unknown-only policy rule instead.

Microversion 2.75 added the host_status attribute to the PUT /servers/{server_id} and POST /servers/{server_id}/action (rebuild) responses; those are controlled by this policy rule in the same way as the GET /servers* APIs.

os_compute_api:servers:show:host_status:unknown-only
Default

rule:context_is_admin

Operations
  • GET /servers/{server_id}

  • GET /servers/detail

  • PUT /servers/{server_id}

  • POST /servers/{server_id}/action (rebuild)

Scope Types
  • project

Show a server with additional host status information, only if host status is UNKNOWN.

This policy rule will only be enforced when the os_compute_api:servers:show:host_status policy rule does not pass for the request. An example policy configuration could be where the os_compute_api:servers:show:host_status rule is set to allow admin-only and the os_compute_api:servers:show:host_status:unknown-only rule is set to allow everyone.
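The configuration described above, written as a policy.yaml fragment (the page recommends YAML over the deprecated JSON format). This is an added example, not a file from the Nova project; the two policy names are the ones documented above, and "@" is oslo.policy's always-allow rule (the counterpart of the "!" always-deny rule used elsewhere on this page). Because the unknown-only rule is only evaluated when the host_status rule fails, admins keep the full host_status view, while project users only learn that a host is UNKNOWN and never see HEALTHY or UP/DOWN details for it.

```yaml
# Constructed policy.yaml fragment (added example, not Nova's sample file).
# Keys contain colons, so they must be quoted in YAML.

# Full host_status visibility stays admin-only (this is the documented default).
"os_compute_api:servers:show:host_status": "rule:context_is_admin"

# Fallback rule: checked only when the rule above fails for the request.
# "@" is oslo.policy's always-allow rule, so any project user can see
# host_status, but only when its value is UNKNOWN.
"os_compute_api:servers:show:host_status:unknown-only": "@"
```

To keep host status hidden from non-admins entirely, leave the unknown-only rule at its default of rule:context_is_admin rather than "@".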

os_compute_api:servers:create
Default

rule:project_member_or_admin

Operations
  • POST /servers

Scope Types
  • project

Create a server

os_compute_api:servers:create:forced_host
Default

rule:context_is_admin

Operations
  • POST /servers

Scope Types
  • project

Create a server on the specified host and/or node.

In this case, the server is forced to launch on the specified host and/or node by bypassing the scheduler filters unlike the compute:servers:create:requested_destination rule.

compute:servers:create:requested_destination
Default

rule:context_is_admin

Operations
  • POST /servers

Scope Types
  • project

Create a server on the requested compute service host and/or hypervisor_hostname.

In this case, the requested host and/or hypervisor_hostname is validated by the scheduler filters unlike the os_compute_api:servers:create:forced_host rule.

os_compute_api:servers:create:attach_volume
Default

rule:project_member_or_admin

Operations
  • POST /servers

Scope Types
  • project

Create a server with the requested volume attached to it

os_compute_api:servers:create:attach_network
Default

rule:project_member_or_admin

Operations
  • POST /servers

Scope Types
  • project

Create a server with the requested network attached to it

os_compute_api:servers:create:trusted_certs
Default

rule:project_member_or_admin

Operations
  • POST /servers

Scope Types
  • project

Create a server with trusted image certificate IDs

os_compute_api:servers:create:zero_disk_flavor
Default

rule:context_is_admin

Operations
  • POST /servers

Scope Types
  • project

This rule controls the compute API validation behavior of creating a server with a flavor that has 0 disk, indicating the server should be volume-backed.

For a flavor with disk=0, the root disk will be set to exactly the size of the image used to deploy the instance. However, in this case the filter_scheduler cannot select the compute host based on the virtual image size. Therefore, 0 should only be used for volume booted instances or for testing purposes.

WARNING: It is a potential security exposure to enable this policy rule if users can upload their own images since repeated attempts to create a disk=0 flavor instance with a large image can exhaust the local disk of the compute (or shared storage cluster). See bug https://bugs.launchpad.net/nova/+bug/1739646 for details.

network:attach_external_network
Default

rule:context_is_admin

Operations
  • POST /servers

  • POST /servers/{server_id}/os-interface

Scope Types
  • project

Attach an unshared external network to a server

os_compute_api:servers:delete
Default

rule:project_member_or_admin

Operations
  • DELETE /servers/{server_id}

Scope Types
  • project

Delete a server

os_compute_api:servers:update
Default

rule:project_member_or_admin

Operations
  • PUT /servers/{server_id}

Scope Types
  • project

Update a server

os_compute_api:servers:confirm_resize
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (confirmResize)

Scope Types
  • project

Confirm a server resize

os_compute_api:servers:revert_resize
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (revertResize)

Scope Types
  • project

Revert a server resize

os_compute_api:servers:reboot
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (reboot)

Scope Types
  • project

Reboot a server

os_compute_api:servers:resize
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (resize)

Scope Types
  • project

Resize a server

compute:servers:resize:cross_cell
Default

!

Operations
  • POST /servers/{server_id}/action (resize)

Scope Types
  • project

Resize a server across cells. By default, this is disabled for all users; it is recommended that admin users test it in a deployment before it is opened up to non-admin users. Resizing within a cell remains the preferred behavior even when this is enabled.

os_compute_api:servers:rebuild
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (rebuild)

Scope Types
  • project

Rebuild a server

os_compute_api:servers:rebuild:trusted_certs
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (rebuild)

Scope Types
  • project

Rebuild a server with trusted image certificate IDs

os_compute_api:servers:create_image
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (createImage)

Scope Types
  • project

Create an image from a server

os_compute_api:servers:create_image:allow_volume_backed
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (createImage)

Scope Types
  • project

Create an image from a volume backed server

os_compute_api:servers:start
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (os-start)

Scope Types
  • project

Start a server

os_compute_api:servers:stop
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (os-stop)

Scope Types
  • project

Stop a server

os_compute_api:servers:trigger_crash_dump
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (trigger_crash_dump)

Scope Types
  • project

Trigger crash dump in a server

os_compute_api:servers:migrations:show
Default

rule:context_is_admin

Operations
  • GET /servers/{server_id}/migrations/{migration_id}

Scope Types
  • project

Show details for an in-progress live migration for a given server

os_compute_api:servers:migrations:force_complete
Default

rule:context_is_admin

Operations
  • POST /servers/{server_id}/migrations/{migration_id}/action (force_complete)

Scope Types
  • project

Force an in-progress live migration for a given server to complete

os_compute_api:servers:migrations:delete
Default

rule:context_is_admin

Operations
  • DELETE /servers/{server_id}/migrations/{migration_id}

Scope Types
  • project

Delete (abort) an in-progress live migration

os_compute_api:servers:migrations:index
Default

rule:context_is_admin

Operations
  • GET /servers/{server_id}/migrations

Scope Types
  • project

List in-progress live migrations for a given server

os_compute_api:os-services:list
Default

rule:context_is_admin

Operations
  • GET /os-services

Scope Types
  • project

List all running Compute services in a region.

os_compute_api:os-services:update
Default

rule:context_is_admin

Operations
  • PUT /os-services/{service_id}

Scope Types
  • project

Update a Compute service.

os_compute_api:os-services:delete
Default

rule:context_is_admin

Operations
  • DELETE /os-services/{service_id}

Scope Types
  • project

Delete a Compute service.

os_compute_api:os-shelve:shelve
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (shelve)

Scope Types
  • project

Shelve server

os_compute_api:os-shelve:unshelve
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (unshelve)

Scope Types
  • project

Unshelve (restore) shelved server

os_compute_api:os-shelve:unshelve_to_host
Default

rule:context_is_admin

Operations
  • POST /servers/{server_id}/action (unshelve)

Scope Types
  • project

Unshelve (restore) shelve offloaded server to a specific host

os_compute_api:os-shelve:shelve_offload
Default

rule:context_is_admin

Operations
  • POST /servers/{server_id}/action (shelveOffload)

Scope Types
  • project

Shelve-offload (remove) server

os_compute_api:os-simple-tenant-usage:show
Default

rule:project_reader_or_admin

Operations
  • GET /os-simple-tenant-usage/{tenant_id}

Scope Types
  • project

Show usage statistics for a specific tenant

os_compute_api:os-simple-tenant-usage:list
Default

rule:context_is_admin

Operations
  • GET /os-simple-tenant-usage

Scope Types
  • project

List per tenant usage statistics for all tenants

os_compute_api:os-suspend-server:resume
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (resume)

Scope Types
  • project

Resume suspended server

os_compute_api:os-suspend-server:suspend
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/action (suspend)

Scope Types
  • project

Suspend server

os_compute_api:os-tenant-networks:list
Default

rule:project_reader_api

Operations
  • GET /os-tenant-networks

Scope Types
  • project

List project networks.

This API is a proxy call to the Network service. It is deprecated.

os_compute_api:os-tenant-networks:show
Default

rule:project_reader_api

Operations
  • GET /os-tenant-networks/{network_id}

Scope Types
  • project

Show project network details.

This API is a proxy call to the Network service. It is deprecated.

os_compute_api:os-volumes:list
Default

rule:project_reader_or_admin

Operations
  • GET /os-volumes

Scope Types
  • project

List volumes.

This API is a proxy call to the Volume service. It is deprecated.

os_compute_api:os-volumes:create
Default

rule:project_member_or_admin

Operations
  • POST /os-volumes

Scope Types
  • project

Create volume.

This API is a proxy call to the Volume service. It is deprecated.

os_compute_api:os-volumes:detail
Default

rule:project_reader_or_admin

Operations
  • GET /os-volumes/detail

Scope Types
  • project

List volume details.

This API is a proxy call to the Volume service. It is deprecated.

os_compute_api:os-volumes:show
Default

rule:project_reader_or_admin

Operations
  • GET /os-volumes/{volume_id}

Scope Types
  • project

Show volume.

This API is a proxy call to the Volume service. It is deprecated.

os_compute_api:os-volumes:delete
Default

rule:project_member_or_admin

Operations
  • DELETE /os-volumes/{volume_id}

Scope Types
  • project

Delete volume.

This API is a proxy call to the Volume service. It is deprecated.

os_compute_api:os-volumes:snapshots:list
Default

rule:project_reader_or_admin

Operations
  • GET /os-snapshots

Scope Types
  • project

List snapshots.

This API is a proxy call to the Volume service. It is deprecated.

os_compute_api:os-volumes:snapshots:create
Default

rule:project_member_or_admin

Operations
  • POST /os-snapshots

Scope Types
  • project

Create snapshots.

This API is a proxy call to the Volume service. It is deprecated.

os_compute_api:os-volumes:snapshots:detail
Default

rule:project_reader_or_admin

Operations
  • GET /os-snapshots/detail

Scope Types
  • project

List snapshot details.

This API is a proxy call to the Volume service. It is deprecated.

os_compute_api:os-volumes:snapshots:show
Default

rule:project_reader_or_admin

Operations
  • GET /os-snapshots/{snapshot_id}

Scope Types
  • project

Show snapshot.

This API is a proxy call to the Volume service. It is deprecated.

os_compute_api:os-volumes:snapshots:delete
Default

rule:project_member_or_admin

Operations
  • DELETE /os-snapshots/{snapshot_id}

Scope Types
  • project

Delete snapshot.

This API is a proxy call to the Volume service. It is deprecated.

os_compute_api:os-volumes-attachments:index
Default

rule:project_reader_or_admin

Operations
  • GET /servers/{server_id}/os-volume_attachments

Scope Types
  • project

List volume attachments for an instance

os_compute_api:os-volumes-attachments:create
Default

rule:project_member_or_admin

Operations
  • POST /servers/{server_id}/os-volume_attachments

Scope Types
  • project

Attach a volume to an instance

os_compute_api:os-volumes-attachments:show
Default

rule:project_reader_or_admin

Operations
  • GET /servers/{server_id}/os-volume_attachments/{volume_id}

Scope Types
  • project

Show details of a volume attachment

os_compute_api:os-volumes-attachments:update
Default

rule:project_member_or_admin

Operations
  • PUT /servers/{server_id}/os-volume_attachments/{volume_id}

Scope Types
  • project

Update a volume attachment. For a ‘swap + update’ request (possible only with microversion > 2.85), only the os_compute_api:os-volumes-attachments:swap policy is checked, not this one; the swap policy is therefore expected to always be a superset of this policy's permission.
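A policy.yaml fragment illustrating the caveat above, added here as an example and not taken from the Nova project. Since a ‘swap + update’ request is checked only against the swap policy, an operator who loosens swap below update would let a swap request carry an update past the update policy; keeping swap at least as restrictive as update (the documented defaults do this) avoids that. The relaxed setting is shown commented out beside the consistent one.

```yaml
# Constructed policy.yaml fragment (added example, not Nova's sample file).

# Consistent with the page: members may update an attachment, only admins
# may swap the underlying volume. Anyone passing "swap" also passes
# "update", so a swap + update request cannot bypass the update rule.
"os_compute_api:os-volumes-attachments:update": "rule:project_member_or_admin"
"os_compute_api:os-volumes-attachments:swap": "rule:context_is_admin"

# Inconsistent (do not deploy): swap looser than update. A project member
# could send a swap + update request, which is checked only against "swap",
# and so change attachment fields that "update" reserves for admins.
# "os_compute_api:os-volumes-attachments:update": "rule:context_is_admin"
# "os_compute_api:os-volumes-attachments:swap": "rule:project_member_or_admin"
```

When reviewing a custom policy file, compare these two rules side by side: whatever principals the swap rule admits must also be admitted by the update rule.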

os_compute_api:os-volumes-attachments:swap
Default

rule:context_is_admin

Operations
  • PUT /servers/{server_id}/os-volume_attachments/{volume_id}

Scope Types
  • project

Update a volume attachment with a different volumeId

os_compute_api:os-volumes-attachments:delete
Default

rule:project_member_or_admin

Operations
  • DELETE /servers/{server_id}/os-volume_attachments/{volume_id}

Scope Types
  • project

Detach a volume from an instance