policy.yaml

Use the policy.yaml file to define additional access controls that will be applied to Searchlight:

#
#"context_is_admin": "role:admin and is_admin_project:True"

#
#"admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s"

# Query with Glance Image resource.
# POST  /v1/search
# GET  /v1/search
# GET  /v1/search/plugins
# GET  /v1/search/facets
#"resource:OS::Glance::Image": "rule:context_is_admin or project_id:%(project_id)s"

# Query with Glance Metadef resource.
# POST  /v1/search
# GET  /v1/search
# GET  /v1/search/plugins
# GET  /v1/search/facets
#"resource:OS::Glance::Metadef": "rule:context_is_admin or project_id:%(project_id)s"

# Query with Nova Server resource.
# POST  /v1/search
# GET  /v1/search
# GET  /v1/search/plugins
# GET  /v1/search/facets
#"resource:OS::Nova::Server": "rule:context_is_admin or project_id:%(project_id)s"

# Query with Nova Hypervisor resource.
# POST  /v1/search
# GET  /v1/search
# GET  /v1/search/plugins
# GET  /v1/search/facets
#"resource:OS::Nova::Hypervisor": "rule:context_is_admin"

# Query with Nova ServerGroup resource.
# POST  /v1/search
# GET  /v1/search
# GET  /v1/search/plugins
# GET  /v1/search/facets
#"resource:OS::Nova::ServerGroup": "rule:context_is_admin or project_id:%(project_id)s"

# Query with Nova Flavor resource.
# POST  /v1/search
# GET  /v1/search
# GET  /v1/search/plugins
# GET  /v1/search/facets
#"resource:OS::Nova::Flavor": "rule:context_is_admin or project_id:%(project_id)s"

# Query with Cinder Volume resource.
# POST  /v1/search
# GET  /v1/search
# GET  /v1/search/plugins
# GET  /v1/search/facets
#"resource:OS::Cinder::Volume": "rule:context_is_admin or project_id:%(project_id)s"

# Query with Cinder Snapshot resource.
# POST  /v1/search
# GET  /v1/search
# GET  /v1/search/plugins
# GET  /v1/search/facets
#"resource:OS::Cinder::Snapshot": "rule:context_is_admin or project_id:%(project_id)s"

# Query with Designate Zone resource.
# POST  /v1/search
# GET  /v1/search
# GET  /v1/search/plugins
# GET  /v1/search/facets
#"resource:OS::Designate::Zone": "rule:context_is_admin or project_id:%(project_id)s"

# Query with Designate RecordSet resource.
# POST  /v1/search
# GET  /v1/search
# GET  /v1/search/plugins
# GET  /v1/search/facets
#"resource:OS::Designate::RecordSet": "rule:context_is_admin or project_id:%(project_id)s"

# Query with Neutron Net resource.
# POST  /v1/search
# GET  /v1/search
# GET  /v1/search/plugins
# GET  /v1/search/facets
#"resource:OS::Neutron::Net": "rule:context_is_admin or project_id:%(project_id)s"

# Query with Neutron Port resource.
# POST  /v1/search
# GET  /v1/search
# GET  /v1/search/plugins
# GET  /v1/search/facets
#"resource:OS::Neutron::Port": "rule:context_is_admin or project_id:%(project_id)s"

# Query with Neutron Subnet resource.
# POST  /v1/search
# GET  /v1/search
# GET  /v1/search/plugins
# GET  /v1/search/facets
#"resource:OS::Neutron::Subnet": "rule:context_is_admin or project_id:%(project_id)s"

# Query with Neutron Router resource.
# POST  /v1/search
# GET  /v1/search
# GET  /v1/search/plugins
# GET  /v1/search/facets
#"resource:OS::Neutron::Router": "rule:context_is_admin or project_id:%(project_id)s"

# Query with Neutron SecurityGroup resource.
# POST  /v1/search
# GET  /v1/search
# GET  /v1/search/plugins
# GET  /v1/search/facets
#"resource:OS::Neutron::SecurityGroup": "rule:context_is_admin or project_id:%(project_id)s"

# Query with Ironic Chassis resource.
# POST  /v1/search
# GET  /v1/search
# GET  /v1/search/plugins
# GET  /v1/search/facets
#"resource:OS::Ironic::Chassis": "rule:context_is_admin or project_id:%(project_id)s"

# Query with Ironic Node resource.
# POST  /v1/search
# GET  /v1/search
# GET  /v1/search/plugins
# GET  /v1/search/facets
#"resource:OS::Ironic::Node": "rule:context_is_admin or project_id:%(project_id)s"

# Query with Ironic Port resource.
# POST  /v1/search
# GET  /v1/search
# GET  /v1/search/plugins
# GET  /v1/search/facets
#"resource:OS::Ironic::Port": "rule:context_is_admin or project_id:%(project_id)s"

# Query a search.
# POST  /v1/search
# GET  /v1/search
#"search:query": "rule:context_is_admin or project_id:%(project_id)s"

# Query a search with aggregation request.
# POST  /v1/search
# GET  /v1/search
#"search:query:aggregations": "rule:context_is_admin or project_id:%(project_id)s"

# Retrieve a list of installed plugins.
# GET  /v1/search/plugins
#"search:plugins_info": "rule:context_is_admin or project_id:%(project_id)s"

# List supported facets.
# GET  /v1/search/facets
#"search:facets": "rule:context_is_admin or project_id:%(project_id)s"