Sample Tacker Policy File

Warning

The JSON-formatted policy file has been deprecated since Tacker 5.0.0 (Wallaby). The oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

The following is a sample tacker policy file for adaptation and use.

The sample policy can also be viewed in file form.

Important

The sample policy file is auto-generated from tacker when this documentation is built. You must ensure your version of tacker matches the version of this documentation.

# Decides what is required for the 'is_admin:True' check to succeed.
#"context_is_admin": "role:admin"

# DEPRECATED
# "rule:admin_only":"is_admin:True" has been deprecated since 11.0.0
# in favor of "context_is_admin":"role:admin".
# Tacker API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in the future.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "rule:admin_only": "rule:context_is_admin"

# DEPRECATED
# "admin_or_owner" has been deprecated since 11.0.0.
# Tacker API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in the future.
# Default rule for most non-Admin APIs.
#"admin_or_owner": "is_admin:True or project_id:%(project_id)s"

# DEPRECATED
# "admin_only" has been deprecated since 11.0.0.
# Tacker API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in the future.
# Default rule for most Admin APIs.
#"admin_only": "is_admin:True"

# Default rule for sharing vims.
#"shared": "field:vims:shared=True"

# Default rule for Project level non admin APIs.
#"project_member": "role:member and project_id:%(project_id)s"

# DEPRECATED
# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s"
# has been deprecated since 11.0.0 in favor of
# "project_member":"role:member and project_id:%(project_id)s".
# Tacker API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in the future.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:project_member"

# Default rule for Project Member or admin APIs.
#"project_member_or_admin": "rule:project_member or rule:context_is_admin"

# DEPRECATED
# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s"
# has been deprecated since 11.0.0 in favor of
# "project_member_or_admin":"rule:project_member or
# rule:context_is_admin".
# Tacker API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in the future.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:project_member_or_admin"

# Default rule for Project level read only APIs.
#"project_reader": "role:reader and project_id:%(project_id)s"

# DEPRECATED
# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s"
# has been deprecated since 11.0.0 in favor of
# "project_reader":"role:reader and project_id:%(project_id)s".
# Tacker API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in the future.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:project_reader"

# Default rule for Project reader or admin APIs.
#"project_reader_or_admin": "rule:project_reader or rule:context_is_admin"

# DEPRECATED
# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s"
# has been deprecated since 11.0.0 in favor of
# "project_reader_or_admin":"rule:project_reader or
# rule:context_is_admin".
# Tacker API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in the future.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:project_reader_or_admin"

# Default rule for most non-Admin APIs.
#"default": "rule:project_member_or_admin"

# DEPRECATED
# "rule:admin_or_owner":"is_admin:True or project_id:%(project_id)s"
# has been deprecated since 11.0.0 in favor of
# "default":"rule:project_member_or_admin".
# Tacker API policies are introducing new default roles with
# scope_type capabilities. Old policies are deprecated and will be
# silently ignored in the future.
# WARNING: A rule name change has been identified.
#          This may be an artifact of new rules being
#          included which require legacy fallback
#          rules to ensure proper policy behavior.
#          Alternatively, this may just be an alias.
#          Please evaluate on a case by case basis
#          keeping in mind the format for aliased
#          rules is:
#          "old_rule_name": "new_rule_name".
# "rule:admin_or_owner": "rule:default"

# Creates a vnf package.
# POST  /vnf_packages
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_packages:create": "rule:project_member_or_admin"

# Show a vnf package.
# GET  /vnf_packages/{vnf_package_id}
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_packages:show": "rule:project_reader_or_admin"

# List all vnf packages.
# GET  /vnf_packages/
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_packages:index": "rule:project_reader_or_admin"

# Delete a vnf package.
# DELETE  /vnf_packages/{vnf_package_id}
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_packages:delete": "rule:project_member_or_admin"

# fetch the contents of an on-boarded VNF Package
# GET  /vnf_packages/{vnf_package_id}/package_content
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_packages:fetch_package_content": "rule:project_reader_or_admin"

# upload a vnf package content.
# PUT  /vnf_packages/{vnf_package_id}/package_content
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_packages:upload_package_content": "rule:project_member_or_admin"

# upload a vnf package content from uri.
# POST  /vnf_packages/{vnf_package_id}/package_content/upload_from_uri
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_packages:upload_from_uri": "rule:project_member_or_admin"

# update information of vnf package.
# PATCH  /vnf_packages/{vnf_package_id}
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_packages:patch": "rule:project_member_or_admin"

# reads the content of the VNFD within a VNF package.
# GET  /vnf_packages/{vnf_package_id}/vnfd
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_packages:get_vnf_package_vnfd": "rule:project_reader_or_admin"

# reads the content of the artifact within a VNF package.
# GET  /vnf_packages/{vnfPkgId}/artifacts/{artifactPath}
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_packages:fetch_artifact": "rule:project_reader_or_admin"

# Get API Versions.
# GET  /vnflcm/v1/api_versions
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:api_versions": "@"

# Creates vnf instance.
# POST  /vnflcm/v1/vnf_instances
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:create": "rule:project_member_or_admin"

# Instantiate vnf instance.
# POST  /vnflcm/v1/vnf_instances/{vnfInstanceId}/instantiate
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:instantiate": "rule:project_member_or_admin"

# Query an Individual VNF instance.
# GET  /vnflcm/v1/vnf_instances/{vnfInstanceId}
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:show": "rule:project_reader_or_admin"

# Terminate a VNF instance.
# POST  /vnflcm/v1/vnf_instances/{vnfInstanceId}/terminate
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:terminate": "rule:project_member_or_admin"

# Heal a VNF instance.
# POST  /vnflcm/v1/vnf_instances/{vnfInstanceId}/heal
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:heal": "rule:project_member_or_admin"

# Scale a VNF instance.
# POST  /vnflcm/v1/vnf_instances/{vnfInstanceId}/scale
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:scale": "rule:project_member_or_admin"

# Query an Individual VNF LCM operation occurrence
# GET  /vnflcm/v1/vnf_lcm_op_occs/{vnfLcmOpOccId}
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:show_lcm_op_occs": "rule:project_reader_or_admin"

# Query VNF LCM operation occurrence
# GET  /vnflcm/v1/vnf_lcm_op_occs
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:list_lcm_op_occs": "rule:project_reader_or_admin"

# Query VNF instances.
# GET  /vnflcm/v1/vnf_instances
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:index": "rule:project_reader_or_admin"

# Delete an Individual VNF instance.
# DELETE  /vnflcm/v1/vnf_instances/{vnfInstanceId}
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:delete": "rule:project_member_or_admin"

# Update an Individual VNF instance.
# PATCH  /vnflcm/v1/vnf_instances/{vnfInstanceId}
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:update_vnf": "rule:project_member_or_admin"

# Roll back a VNF LCM operation occurrence.
# POST  /vnflcm/v1/vnf_lcm_op_occs/{vnfLcmOpOccId}/rollback
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:rollback": "rule:project_member_or_admin"

# Cancel a VNF LCM operation occurrence.
# POST  /vnflcm/v1/vnf_lcm_op_occs/{vnfLcmOpOccId}/cancel
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:cancel": "rule:project_member_or_admin"

# Fail a VNF LCM operation occurrence.
# POST  /vnflcm/v1/vnf_lcm_op_occs/{vnfLcmOpOccId}/fail
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:fail": "rule:project_member_or_admin"

# Retry a VNF LCM operation occurrence.
# POST  /vnflcm/v1/vnf_lcm_op_occs/{vnfLcmOpOccId}/retry
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:retry": "rule:project_member_or_admin"

# Change external VNF connectivity.
# POST  /vnflcm/v1/vnf_instances/{vnfInstanceId}/change_ext_conn
# Intended scope(s): project
#"os_nfv_orchestration_api:vnf_instances:change_ext_conn": "rule:project_member_or_admin"

# Get API Versions.
# GET  /vnflcm/v2/api_versions
#"os_nfv_orchestration_api_v2:vnf_instances:api_versions": "@"

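# Creates vnf instance.
# POST  /vnflcm/v2/vnf_instances
# NOTE: the default "@" is the oslo.policy check that always passes, so
# by default the policy layer applies no role or project restriction to
# this rule or to the other rules in this file that default to "@".
# Override them in your policy file if your deployment needs a
# restriction.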
#"os_nfv_orchestration_api_v2:vnf_instances:create": "@"

# Query VNF instances.
# GET  /vnflcm/v2/vnf_instances
#"os_nfv_orchestration_api_v2:vnf_instances:index": "@"

# Query an Individual VNF instance.
# GET  /vnflcm/v2/vnf_instances/{vnfInstanceId}
#"os_nfv_orchestration_api_v2:vnf_instances:show": "@"

# Delete an Individual VNF instance.
# DELETE  /vnflcm/v2/vnf_instances/{vnfInstanceId}
#"os_nfv_orchestration_api_v2:vnf_instances:delete": "@"

# Modify vnf instance information.
# PATCH  /vnflcm/v2/vnf_instances/{vnfInstanceId}
#"os_nfv_orchestration_api_v2:vnf_instances:update": "@"

# Instantiate vnf instance.
# POST  /vnflcm/v2/vnf_instances/{vnfInstanceId}/instantiate
#"os_nfv_orchestration_api_v2:vnf_instances:instantiate": "@"

# Terminate vnf instance.
# POST  /vnflcm/v2/vnf_instances/{vnfInstanceId}/terminate
#"os_nfv_orchestration_api_v2:vnf_instances:terminate": "@"

# Scale vnf instance.
# POST  /vnflcm/v2/vnf_instances/{vnfInstanceId}/scale
#"os_nfv_orchestration_api_v2:vnf_instances:scale": "@"

# Heal vnf instance.
# POST  /vnflcm/v2/vnf_instances/{vnfInstanceId}/heal
#"os_nfv_orchestration_api_v2:vnf_instances:heal": "@"

# Change external vnf connectivity.
# POST  /vnflcm/v2/vnf_instances/{vnfInstanceId}/change_ext_conn
#"os_nfv_orchestration_api_v2:vnf_instances:change_ext_conn": "@"

# Change vnf package.
# POST  /vnflcm/v2/vnf_instances/{vnfInstanceId}/change_vnfpkg
#"os_nfv_orchestration_api_v2:vnf_instances:change_vnfpkg": "@"

# Create subscription.
# POST  /vnflcm/v2/subscriptions
#"os_nfv_orchestration_api_v2:vnf_instances:subscription_create": "@"

# List subscription.
# GET  /vnflcm/v2/subscriptions
#"os_nfv_orchestration_api_v2:vnf_instances:subscription_list": "@"

# Show subscription.
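# GET  /vnflcm/v2/vnf_instances/{subscriptionId}
# NOTE(review): the path above is probably meant to be
# /vnflcm/v2/subscriptions/{subscriptionId}, matching the /vnffm/v1
# subscription rules in this file; confirm against the API reference.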
#"os_nfv_orchestration_api_v2:vnf_instances:subscription_show": "@"

# Delete subscription.
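# DELETE  /vnflcm/v2/vnf_instances/{subscriptionId}
# NOTE(review): the path above is probably meant to be
# /vnflcm/v2/subscriptions/{subscriptionId}, matching the /vnffm/v1
# subscription rules in this file; confirm against the API reference.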
#"os_nfv_orchestration_api_v2:vnf_instances:subscription_delete": "@"

# List VnfLcmOpOcc.
# GET  /vnflcm/v2/vnf_lcm_op_occs
#"os_nfv_orchestration_api_v2:vnf_instances:lcm_op_occ_list": "@"

# Show VnfLcmOpOcc.
# GET  /vnflcm/v2/vnf_lcm_op_occs/{vnfLcmOpOccId}
#"os_nfv_orchestration_api_v2:vnf_instances:lcm_op_occ_show": "@"

# Retry VnfLcmOpOcc.
# POST  /vnflcm/v2/vnf_lcm_op_occs/{vnfLcmOpOccId}/retry
#"os_nfv_orchestration_api_v2:vnf_instances:lcm_op_occ_retry": "@"

# Rollback VnfLcmOpOcc.
# POST  /vnflcm/v2/vnf_lcm_op_occs/{vnfLcmOpOccId}/rollback
#"os_nfv_orchestration_api_v2:vnf_instances:lcm_op_occ_rollback": "@"

# Fail VnfLcmOpOcc.
# POST  /vnflcm/v2/vnf_lcm_op_occs/{vnfLcmOpOccId}/fail
#"os_nfv_orchestration_api_v2:vnf_instances:lcm_op_occ_fail": "@"

# Delete VnfLcmOpOcc.
# DELETE  /vnflcm/v2/vnf_lcm_op_occs/{vnfLcmOpOccId}
#"os_nfv_orchestration_api_v2:vnf_instances:lcm_op_occ_delete": "@"

# notify
# POST  /server_notification
#"tacker_server_notification_api:server_notification:notify": "@"

# Query FM alarms.
# GET  /vnffm/v1/alarms
#"os_nfv_orchestration_api_v2:vnf_fault_monitor:index": "@"

# Query an Individual FM alarm.
# GET  /vnffm/v1/alarms/{alarmId}
#"os_nfv_orchestration_api_v2:vnf_fault_monitor:show": "@"

# Modify FM alarm information.
# PATCH  /vnffm/v1/alarms/{alarmId}
#"os_nfv_orchestration_api_v2:vnf_fault_monitor:update": "@"

# Create subscription.
# POST  /vnffm/v1/subscriptions
#"os_nfv_orchestration_api_v2:vnf_fault_monitor:subscription_create": "@"

# List subscription.
# GET  /vnffm/v1/subscriptions
#"os_nfv_orchestration_api_v2:vnf_fault_monitor:subscription_list": "@"

# Show subscription.
# GET  /vnffm/v1/subscriptions/{subscriptionId}
#"os_nfv_orchestration_api_v2:vnf_fault_monitor:subscription_show": "@"

# Delete subscription.
# DELETE  /vnffm/v1/subscriptions/{subscriptionId}
#"os_nfv_orchestration_api_v2:vnf_fault_monitor:subscription_delete": "@"

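# Receive the alert sent from the External Monitoring Tool.
# POST  /alert
# NOTE: with the default "@" the policy layer does not restrict who may
# call this endpoint. The same holds for the other receiver rules in
# this file (/server_notification, /pm_event, /pm_threshold,
# /alert/auto_healing, /alert/auto_scaling). Confirm how callers of
# these endpoints are authenticated in your deployment.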
#"tacker_PROM_PLUGIN_api:PROM_PLUGIN:alert": "@"

# Create a PM job.
# POST  /vnfpm/v2/pm_jobs
#"os_nfv_orchestration_api_v2:vnf_performance_management:create": "@"

# Query PM jobs.
# GET  /vnfpm/v2/pm_jobs
#"os_nfv_orchestration_api_v2:vnf_performance_management:index": "@"

# Update a PM job.
# PATCH  /vnfpm/v2/pm_jobs/{pmJobId}
#"os_nfv_orchestration_api_v2:vnf_performance_management:update": "@"

# Get an individual PM job.
# GET  /vnfpm/v2/pm_jobs/{pmJobId}
#"os_nfv_orchestration_api_v2:vnf_performance_management:show": "@"

# Delete a PM job.
# DELETE  /vnfpm/v2/pm_jobs/{pmJobId}
#"os_nfv_orchestration_api_v2:vnf_performance_management:delete": "@"

# Get an individual performance report.
# GET  /vnfpm/v2/pm_jobs/{id}/reports/{report_id}
#"os_nfv_orchestration_api_v2:vnf_performance_management:report_get": "@"

# Receive the PM event sent from External Monitoring Tool
# POST  /pm_event
#"tacker_PROM_PLUGIN_api:PROM_PLUGIN:pm_event": "@"

# auto_healing
# POST  /alert/auto_healing
#"tacker_PROM_PLUGIN_api:PROM_PLUGIN:auto_healing": "@"

# auto_scaling
# POST  /alert/auto_scaling
#"tacker_PROM_PLUGIN_api:PROM_PLUGIN:auto_scaling": "@"

# Create a PM threshold.
# POST  /vnfpm/v2/thresholds
#"os_nfv_orchestration_api_v2:vnf_performance_management:create_threshold": "@"

# Query PM thresholds.
# GET  /vnfpm/v2/thresholds
#"os_nfv_orchestration_api_v2:vnf_performance_management:index_threshold": "@"

# Get an individual PM threshold.
# GET  /vnfpm/v2/thresholds/{thresholdId}
#"os_nfv_orchestration_api_v2:vnf_performance_management:show_threshold": "@"

# Update a PM threshold callback.
# PATCH  /vnfpm/v2/thresholds/{thresholdId}
#"os_nfv_orchestration_api_v2:vnf_performance_management:update_threshold": "@"

# Delete a PM threshold.
# DELETE  /vnfpm/v2/thresholds/{thresholdId}
#"os_nfv_orchestration_api_v2:vnf_performance_management:delete_threshold": "@"

# Receive the PM threshold sent from External Monitoring Tool.
# POST  /pm_threshold
#"tacker_PROM_PLUGIN_api:PROM_PLUGIN:pm_threshold": "@"