Sample Placement Policy File

Warning

JSON-formatted policy files have been deprecated since Placement 5.0.0 (Wallaby). The oslopolicy-convert-json-to-yaml tool migrates an existing JSON-formatted policy file to YAML in a backward-compatible way.

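The following is a sample placement policy file for adaptation and use. Every rule in it is commented out and shows the default that placement applies; uncomment and edit only the rules you intend to override.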

The sample policy can also be viewed in file form.

Important

The sample policy file is auto-generated from placement when this documentation is built. You must ensure your version of placement matches the version of this documentation.

# DEPRECATED
# "admin_api" has been deprecated since W.
# Placement API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in the placement 6.0.0 (Xena) release.
# Default rule for most placement APIs.
# Intended scope(s): system
#"admin_api": "role:admin"

# List resource providers.
# GET  /resource_providers
# Intended scope(s): system
#"placement:resource_providers:list": "role:reader and system_scope:all"

# DEPRECATED
# "placement:resource_providers:list":"rule:admin_api" has been
# deprecated since W in favor of
# "placement:resource_providers:list":"role:reader and
# system_scope:all".
# The resource provider API now supports a read-only role by default.

# Create resource provider.
# POST  /resource_providers
# Intended scope(s): system
#"placement:resource_providers:create": "role:admin and system_scope:all"

# DEPRECATED
# "placement:resource_providers:create":"rule:admin_api" has been
# deprecated since W in favor of
# "placement:resource_providers:create":"role:admin and
# system_scope:all".
# The resource provider API now supports a read-only role by default.

# Show resource provider.
# GET  /resource_providers/{uuid}
# Intended scope(s): system
#"placement:resource_providers:show": "role:reader and system_scope:all"

# DEPRECATED
# "placement:resource_providers:show":"rule:admin_api" has been
# deprecated since W in favor of
# "placement:resource_providers:show":"role:reader and
# system_scope:all".
# The resource provider API now supports a read-only role by default.

# Update resource provider.
# PUT  /resource_providers/{uuid}
# Intended scope(s): system
#"placement:resource_providers:update": "role:admin and system_scope:all"

# DEPRECATED
# "placement:resource_providers:update":"rule:admin_api" has been
# deprecated since W in favor of
# "placement:resource_providers:update":"role:admin and
# system_scope:all".
# The resource provider API now supports a read-only role by default.

# Delete resource provider.
# DELETE  /resource_providers/{uuid}
# Intended scope(s): system
#"placement:resource_providers:delete": "role:admin and system_scope:all"

# DEPRECATED
# "placement:resource_providers:delete":"rule:admin_api" has been
# deprecated since W in favor of
# "placement:resource_providers:delete":"role:admin and
# system_scope:all".
# The resource provider API now supports a read-only role by default.

# List resource classes.
# GET  /resource_classes
# Intended scope(s): system
#"placement:resource_classes:list": "role:reader and system_scope:all"

# DEPRECATED
# "placement:resource_classes:list":"rule:admin_api" has been
# deprecated since W in favor of
# "placement:resource_classes:list":"role:reader and
# system_scope:all".
# The resource classes API now supports a read-only role by default.

# Create resource class.
# POST  /resource_classes
# Intended scope(s): system
#"placement:resource_classes:create": "role:admin and system_scope:all"

# DEPRECATED
# "placement:resource_classes:create":"rule:admin_api" has been
# deprecated since W in favor of
# "placement:resource_classes:create":"role:admin and
# system_scope:all".
# The resource classes API now supports a read-only role by default.

# Show resource class.
# GET  /resource_classes/{name}
# Intended scope(s): system
#"placement:resource_classes:show": "role:reader and system_scope:all"

# DEPRECATED
# "placement:resource_classes:show":"rule:admin_api" has been
# deprecated since W in favor of
# "placement:resource_classes:show":"role:reader and
# system_scope:all".
# The resource classes API now supports a read-only role by default.

# Update resource class.
# PUT  /resource_classes/{name}
# Intended scope(s): system
#"placement:resource_classes:update": "role:admin and system_scope:all"

# DEPRECATED
# "placement:resource_classes:update":"rule:admin_api" has been
# deprecated since W in favor of
# "placement:resource_classes:update":"role:admin and
# system_scope:all".
# The resource classes API now supports a read-only role by default.

# Delete resource class.
# DELETE  /resource_classes/{name}
# Intended scope(s): system
#"placement:resource_classes:delete": "role:admin and system_scope:all"

# DEPRECATED
# "placement:resource_classes:delete":"rule:admin_api" has been
# deprecated since W in favor of
# "placement:resource_classes:delete":"role:admin and
# system_scope:all".
# The resource classes API now supports a read-only role by default.

# List resource provider inventories.
# GET  /resource_providers/{uuid}/inventories
# Intended scope(s): system
#"placement:resource_providers:inventories:list": "role:reader and system_scope:all"

# DEPRECATED
# "placement:resource_providers:inventories:list":"rule:admin_api" has
# been deprecated since W in favor of
# "placement:resource_providers:inventories:list":"role:reader and
# system_scope:all".
# The inventory API now supports a read-only role by default.

# Create one resource provider inventory.
# POST  /resource_providers/{uuid}/inventories
# Intended scope(s): system
#"placement:resource_providers:inventories:create": "role:admin and system_scope:all"

# DEPRECATED
# "placement:resource_providers:inventories:create":"rule:admin_api"
# has been deprecated since W in favor of
# "placement:resource_providers:inventories:create":"role:admin and
# system_scope:all".
# The inventory API now supports a read-only role by default.

# Show resource provider inventory.
# GET  /resource_providers/{uuid}/inventories/{resource_class}
# Intended scope(s): system
#"placement:resource_providers:inventories:show": "role:reader and system_scope:all"

# DEPRECATED
# "placement:resource_providers:inventories:show":"rule:admin_api" has
# been deprecated since W in favor of
# "placement:resource_providers:inventories:show":"role:reader and
# system_scope:all".
# The inventory API now supports a read-only role by default.

# Update resource provider inventory.
# PUT  /resource_providers/{uuid}/inventories
# PUT  /resource_providers/{uuid}/inventories/{resource_class}
# Intended scope(s): system
#"placement:resource_providers:inventories:update": "role:admin and system_scope:all"

# DEPRECATED
# "placement:resource_providers:inventories:update":"rule:admin_api"
# has been deprecated since W in favor of
# "placement:resource_providers:inventories:update":"role:admin and
# system_scope:all".
# The inventory API now supports a read-only role by default.

# Delete resource provider inventory.
# DELETE  /resource_providers/{uuid}/inventories
# DELETE  /resource_providers/{uuid}/inventories/{resource_class}
# Intended scope(s): system
#"placement:resource_providers:inventories:delete": "role:admin and system_scope:all"

# DEPRECATED
# "placement:resource_providers:inventories:delete":"rule:admin_api"
# has been deprecated since W in favor of
# "placement:resource_providers:inventories:delete":"role:admin and
# system_scope:all".
# The inventory API now supports a read-only role by default.

# List resource provider aggregates.
# GET  /resource_providers/{uuid}/aggregates
# Intended scope(s): system
#"placement:resource_providers:aggregates:list": "role:reader and system_scope:all"

# DEPRECATED
# "placement:resource_providers:aggregates:list":"rule:admin_api" has
# been deprecated since W in favor of
# "placement:resource_providers:aggregates:list":"role:reader and
# system_scope:all".
# The aggregates API now supports a read-only role by default.

# Update resource provider aggregates.
# PUT  /resource_providers/{uuid}/aggregates
# Intended scope(s): system
#"placement:resource_providers:aggregates:update": "role:admin and system_scope:all"

# DEPRECATED
# "placement:resource_providers:aggregates:update":"rule:admin_api"
# has been deprecated since W in favor of
# "placement:resource_providers:aggregates:update":"role:admin and
# system_scope:all".
# The aggregates API now supports a read-only role by default.

# List resource provider usages.
# GET  /resource_providers/{uuid}/usages
# Intended scope(s): system
#"placement:resource_providers:usages": "role:reader and system_scope:all"

# DEPRECATED
# "placement:resource_providers:usages":"rule:admin_api" has been
# deprecated since W in favor of
# "placement:resource_providers:usages":"role:reader and
# system_scope:all".
# The usage API now supports a read-only role by default.

# List total resource usages for a given project.
# GET  /usages
# Intended scope(s): system, project
#"placement:usages": "(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)"

# DEPRECATED
# "placement:usages":"rule:admin_api" has been deprecated since W in
# favor of "placement:usages":"(role:reader and system_scope:all) or
# (role:reader and project_id:%(project_id)s)".
# The usage API now supports a read-only role by default.

# List traits.
# GET  /traits
# Intended scope(s): system
#"placement:traits:list": "role:reader and system_scope:all"

# DEPRECATED
# "placement:traits:list":"rule:admin_api" has been deprecated since W
# in favor of "placement:traits:list":"role:reader and
# system_scope:all".
# The traits API now supports a read-only role by default.

# Show trait.
# GET  /traits/{name}
# Intended scope(s): system
#"placement:traits:show": "role:reader and system_scope:all"

# DEPRECATED
# "placement:traits:show":"rule:admin_api" has been deprecated since W
# in favor of "placement:traits:show":"role:reader and
# system_scope:all".
# The traits API now supports a read-only role by default.

# Update trait.
# PUT  /traits/{name}
# Intended scope(s): system
#"placement:traits:update": "role:admin and system_scope:all"

# DEPRECATED
# "placement:traits:update":"rule:admin_api" has been deprecated since
# W in favor of "placement:traits:update":"role:admin and
# system_scope:all".
# The traits API now supports a read-only role by default.

# Delete trait.
# DELETE  /traits/{name}
# Intended scope(s): system
#"placement:traits:delete": "role:admin and system_scope:all"

# DEPRECATED
# "placement:traits:delete":"rule:admin_api" has been deprecated since
# W in favor of "placement:traits:delete":"role:admin and
# system_scope:all".
# The traits API now supports a read-only role by default.

# List resource provider traits.
# GET  /resource_providers/{uuid}/traits
# Intended scope(s): system
#"placement:resource_providers:traits:list": "role:reader and system_scope:all"

# DEPRECATED
# "placement:resource_providers:traits:list":"rule:admin_api" has been
# deprecated since W in favor of
# "placement:resource_providers:traits:list":"role:reader and
# system_scope:all".
# The traits API now supports a read-only role by default.

# Update resource provider traits.
# PUT  /resource_providers/{uuid}/traits
# Intended scope(s): system
#"placement:resource_providers:traits:update": "role:admin and system_scope:all"

# DEPRECATED
# "placement:resource_providers:traits:update":"rule:admin_api" has
# been deprecated since W in favor of
# "placement:resource_providers:traits:update":"role:admin and
# system_scope:all".
# The traits API now supports a read-only role by default.

# Delete resource provider traits.
# DELETE  /resource_providers/{uuid}/traits
# Intended scope(s): system
#"placement:resource_providers:traits:delete": "role:admin and system_scope:all"

# DEPRECATED
# "placement:resource_providers:traits:delete":"rule:admin_api" has
# been deprecated since W in favor of
# "placement:resource_providers:traits:delete":"role:admin and
# system_scope:all".
# The traits API now supports a read-only role by default.

# Manage allocations.
# POST  /allocations
# Intended scope(s): system
#"placement:allocations:manage": "role:admin and system_scope:all"

# DEPRECATED
# "placement:allocations:manage":"rule:admin_api" has been deprecated
# since W in favor of "placement:allocations:manage":"role:admin and
# system_scope:all".
# The allocation API now supports read-only roles by default.

# List allocations.
# GET  /allocations/{consumer_uuid}
# Intended scope(s): system
#"placement:allocations:list": "role:reader and system_scope:all"

# DEPRECATED
# "placement:allocations:list":"rule:admin_api" has been deprecated
# since W in favor of "placement:allocations:list":"role:reader and
# system_scope:all".
# The allocation API now supports read-only roles by default.

# Update allocations.
# PUT  /allocations/{consumer_uuid}
# Intended scope(s): system
#"placement:allocations:update": "role:admin and system_scope:all"

# DEPRECATED
# "placement:allocations:update":"rule:admin_api" has been deprecated
# since W in favor of "placement:allocations:update":"role:admin and
# system_scope:all".
# The allocation API now supports read-only roles by default.

# Delete allocations.
# DELETE  /allocations/{consumer_uuid}
# Intended scope(s): system
#"placement:allocations:delete": "role:admin and system_scope:all"

# DEPRECATED
# "placement:allocations:delete":"rule:admin_api" has been deprecated
# since W in favor of "placement:allocations:delete":"role:admin and
# system_scope:all".
# The allocation API now supports read-only roles by default.

# List resource provider allocations.
# GET  /resource_providers/{uuid}/allocations
# Intended scope(s): system
#"placement:resource_providers:allocations:list": "role:reader and system_scope:all"

# DEPRECATED
# "placement:resource_providers:allocations:list":"rule:admin_api" has
# been deprecated since W in favor of
# "placement:resource_providers:allocations:list":"role:reader and
# system_scope:all".
# The allocation API now supports read-only roles by default.

# List allocation candidates.
# GET  /allocation_candidates
# Intended scope(s): system
#"placement:allocation_candidates:list": "role:reader and system_scope:all"

# DEPRECATED
# "placement:allocation_candidates:list":"rule:admin_api" has been
# deprecated since W in favor of
# "placement:allocation_candidates:list":"role:reader and
# system_scope:all".
# The allocation candidate API now supports read-only roles by
# default.

# Reshape Inventory and Allocations.
# POST  /reshaper
# Intended scope(s): system
#"placement:reshaper:reshape": "role:admin and system_scope:all"

# DEPRECATED
# "placement:reshaper:reshape":"rule:admin_api" has been deprecated
# since W in favor of "placement:reshaper:reshape":"role:admin and
# system_scope:all".
# The reshape API now supports scoped rules by default.