Policy configuration¶
Configuration¶
Warning
JSON formatted policy file is deprecated since Zun 7.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.
The following is an overview of all available policies in Zun. For a sample configuration file.
zun¶
context_is_admin- Default
role:admin
(no description provided)
admin_or_owner- Default
is_admin:True or project_id:%(project_id)s
(no description provided)
admin_api- Default
rule:context_is_admin
(no description provided)
deny_everybody- Default
!
Default rule for deny everybody.
container:create- Default
is_admin:True or project_id:%(project_id)s- Operations
POST
/v1/containers
Create a new container.
container:create:runtime- Default
rule:context_is_admin- Operations
POST
/v1/containers
Create a new container with specified runtime.
container:create:privileged- Default
rule:deny_everybody- Operations
POST
/v1/containers
Create a new privileged container.Warning: the privileged container has a big security risk so be caution if you want to enable this feature
container:create:requested_destination- Default
rule:context_is_admin- Operations
POST
/v1/containers
Create a container on the requested compute host.
container:create:image_pull_policy- Default
rule:context_is_admin- Operations
POST
/v1/containers
Create a new container with specified image pull policy.
container:delete- Default
is_admin:True or project_id:%(project_id)s- Operations
DELETE
/v1/containers/{container_ident}
Delete a container.
container:delete_all_projects- Default
rule:context_is_admin- Operations
DELETE
/v1/containers/{container_ident}
Delete a container from all projects.
container:delete_force- Default
rule:context_is_admin- Operations
DELETE
/v1/containers/{container_ident}
Forcibly delete a container.
container:get_one- Default
is_admin:True or project_id:%(project_id)s- Operations
GET
/v1/containers/{container_ident}
Retrieve the details of a specific container.
container:get_one:host- Default
rule:context_is_admin- Operations
GET
/v1/containers/{container_ident}GET
/v1/containersPOST
/v1/containersPATCH
/v1/containers/{container_ident}
Retrieve the host field of containers.
container:get_one:image_pull_policy- Default
rule:context_is_admin- Operations
GET
/v1/containers/{container_ident}GET
/v1/containersPOST
/v1/containersPATCH
/v1/containers/{container_ident}
Retrieve the image_pull_policy field of containers.
container:get_one:privileged- Default
rule:context_is_admin- Operations
GET
/v1/containers/{container_ident}GET
/v1/containersPOST
/v1/containersPATCH
/v1/containers/{container_ident}
Retrieve the privileged field of containers.
container:get_one:runtime- Default
rule:context_is_admin- Operations
GET
/v1/containers/{container_ident}GET
/v1/containersPOST
/v1/containersPATCH
/v1/containers/{container_ident}
Retrieve the runtime field of containers.
container:get_one_all_projects- Default
rule:context_is_admin- Operations
GET
/v1/containers/{container_ident}
Retrieve the details of a specific container from all projects.
container:get_all- Default
is_admin:True or project_id:%(project_id)s- Operations
GET
/v1/containers
Retrieve the details of all containers.
container:get_all_all_projects- Default
rule:context_is_admin- Operations
GET
/v1/containers
Retrieve the details of all containers across projects.
container:update- Default
is_admin:True or project_id:%(project_id)s- Operations
PATCH
/v1/containers/{container_ident}
Update a container.
container:start- Default
is_admin:True or project_id:%(project_id)s- Operations
POST
/v1/containers/{container_ident}/start
Start a container.
container:stop- Default
is_admin:True or project_id:%(project_id)s- Operations
POST
/v1/containers/{container_ident}/stop
Stop a container.
container:reboot- Default
is_admin:True or project_id:%(project_id)s- Operations
POST
/v1/containers/{container_ident}/reboot
Reboot a container.
container:pause- Default
is_admin:True or project_id:%(project_id)s- Operations
POST
/v1/containers/{container_ident}/pause
Pause a container.
container:unpause- Default
is_admin:True or project_id:%(project_id)s- Operations
POST
/v1/containers/{container_ident}/unpause
Unpause a container.
container:logs- Default
is_admin:True or project_id:%(project_id)s- Operations
GET
/v1/containers/{container_ident}/logs
Get the log of a container
container:execute- Default
is_admin:True or project_id:%(project_id)s- Operations
POST
/v1/containers/{container_ident}/execute
Execute command in a running container
container:execute_resize- Default
is_admin:True or project_id:%(project_id)s- Operations
POST
/v1/containers/{container_ident}/execute_resize
Resize the TTY used by an execute command.
container:kill- Default
is_admin:True or project_id:%(project_id)s- Operations
POST
/v1/containers/{container_ident}/kill
Kill a running container
container:rename- Default
is_admin:True or project_id:%(project_id)s- Operations
POST
/v1/containers/{container_ident}/rename
Rename a container.
container:attach- Default
is_admin:True or project_id:%(project_id)s- Operations
GET
/v1/containers/{container_ident}/attach
Attach to a running container
container:resize- Default
is_admin:True or project_id:%(project_id)s- Operations
POST
/v1/containers/{container_ident}/resize
Resize a container.
container:top- Default
is_admin:True or project_id:%(project_id)s- Operations
GET
/v1/containers/{container_ident}/top
Display the running processes inside the container.
container:get_archive- Default
is_admin:True or project_id:%(project_id)s- Operations
GET
/v1/containers/{container_ident}/get_archive
Get a tar archive of a path of container.
container:put_archive- Default
is_admin:True or project_id:%(project_id)s- Operations
PUT
/v1/containers/{container_ident}/put_archive
Put a tar archive to be extracted to a path of container
container:stats- Default
is_admin:True or project_id:%(project_id)s- Operations
GET
/v1/containers/{container_ident}/stats
Display the statistics of a container
container:commit- Default
is_admin:True or project_id:%(project_id)s- Operations
POST
/v1/containers/{container_ident}/commit
Commit a container
container:add_security_group- Default
is_admin:True or project_id:%(project_id)s- Operations
POST
/v1/containers/{container_ident}/add_security_group
Add a security group to a specific container.
container:network_detach- Default
is_admin:True or project_id:%(project_id)s- Operations
POST
/v1/containers/{container_ident}/network_detach
Detach a network from a container.
container:network_attach- Default
is_admin:True or project_id:%(project_id)s- Operations
POST
/v1/containers/{container_ident}/network_attach
Attach a network from a container.
container:remove_security_group- Default
is_admin:True or project_id:%(project_id)s- Operations
POST
/v1/containers/{container_ident}/remove_security_group
Remove security group from a specific container.
container:rebuild- Default
is_admin:True or project_id:%(project_id)s- Operations
POST
/v1/containers/{container_ident}/rebuild
Rebuild a container.
container:resize_container- Default
is_admin:True or project_id:%(project_id)s- Operations
POST
/v1/containers/{container_ident}/resize_container
Resize an existing container.
image:pull- Default
rule:context_is_admin- Operations
POST
/v1/images
Pull an image.
image:get_all- Default
rule:context_is_admin- Operations
GET
/v1/images
Print a list of available images.
image:get_one- Default
rule:context_is_admin- Operations
GET
/v1/images/{image_id}
Retrieve the details of a specific image.
image:search- Default
is_admin:True or project_id:%(project_id)s- Operations
GET
/v1/images/{image_ident}/search
Search an image.
image:delete- Default
rule:context_is_admin- Operations
DELETE
/v1/images/{image_ident}
Delete an image.
zun-service:delete- Default
rule:context_is_admin- Operations
DELETE
/v1/services
Delete a service.
zun-service:disable- Default
rule:context_is_admin- Operations
PUT
/v1/services/disable
Disable a service.
zun-service:enable- Default
rule:context_is_admin- Operations
PUT
/v1/services/enable
Enable a service.
zun-service:force_down- Default
rule:context_is_admin- Operations
PUT
/v1/services/force_down
Forcibly shutdown a service.
zun-service:get_all- Default
rule:context_is_admin- Operations
GET
/v1/services
Show the status of a service.
host:get_all- Default
rule:context_is_admin- Operations
GET
/v1/hosts
List all compute hosts.
host:get- Default
rule:context_is_admin- Operations
GET
/v1/hosts/{host_ident}
Show the details of a specific compute host.
capsule:create- Default
is_admin:True or project_id:%(project_id)s- Operations
POST
/v1/capsules/
Create a capsule
capsule:delete- Default
is_admin:True or project_id:%(project_id)s- Operations
DELETE
/v1/capsules/{capsule_ident}
Delete a capsule
capsule:delete_all_projects- Default
rule:context_is_admin- Operations
DELETE
/v1/capsules/{capsule_ident}
Delete a container in any project.
capsule:get- Default
is_admin:True or project_id:%(project_id)s- Operations
GET
/v1/capsules/{capsule_ident}
Retrieve the details of a capsule.
capsule:get:host- Default
rule:context_is_admin- Operations
GET
/v1/capsules/{capsule_ident}GET
/v1/capsulesPOST
/v1/capsules
Retrieve the host field of a capsule.
capsule:get_one_all_projects- Default
rule:context_is_admin- Operations
GET
/v1/capsules/{capsule_ident}
Retrieve the details of a capsule in any project.
capsule:get_all- Default
is_admin:True or project_id:%(project_id)s- Operations
GET
/v1/capsules/
List all capsules.
capsule:get_all_all_projects- Default
rule:context_is_admin- Operations
GET
/v1/capsules/
List all capsules across projects.
network:attach_external_network- Default
role:admin- Operations
POST
/v1/containers
Attach an unshared external network to a container
network:create- Default
role:admin- Operations
POST
/v1/networks
Create a network
network:delete- Default
role:admin- Operations
DELETE
/v1/networks
Delete a network
container:actions- Default
is_admin:True or project_id:%(project_id)s- Operations
GET
/v1/containers/{container_ident}/container_actions/GET
/v1/containers/{container_ident}/container_actions/{request_id}
List actions and show action details for a container
container:action:events- Default
rule:context_is_admin- Operations
GET
/v1/containers/{container_ident}/container_actions/{request_id}
Add events details in action details for a container.
availability_zones:get_all- Default
is_admin:True or project_id:%(project_id)s- Operations
GET
/v1/availability_zones
List availability zone
quota:update- Default
rule:context_is_admin- Operations
PUT
/v1/quotas/{project_id}
Update quotas for a project
quota:delete- Default
rule:context_is_admin- Operations
DELETE
/v1/quotas/{project_id}
Delete quotas for a project
quota:get- Default
is_admin:True or project_id:%(project_id)s- Operations
GET
/v1/quotas/{project_id}
Get quotas for a project
quota:get_default- Default
is_admin:True or project_id:%(project_id)s- Operations
GET
/v1/quotas/defaults
Get default quotas for a project
quota_class:update- Default
rule:context_is_admin- Operations
PUT
/v1/quota_classes/{quota_class_name}
Update quotas for specific quota class
quota_class:get- Default
rule:context_is_admin- Operations
GET
/v1/quota_classes/{quota_class_name}
List quotas for specific quota class
registry:create- Default
is_admin:True or project_id:%(project_id)s- Operations
POST
/v1/registries
Create a new registry.
registry:delete- Default
is_admin:True or project_id:%(project_id)s- Operations
DELETE
/v1/registries/{registry_ident}
Delete a registry.
registry:get_one- Default
is_admin:True or project_id:%(project_id)s- Operations
GET
/v1/registries/{registry_ident}
Retrieve the details of a specific registry.
registry:get_all- Default
is_admin:True or project_id:%(project_id)s- Operations
GET
/v1/registries
Retrieve the details of all registries.
registry:get_all_all_projects- Default
rule:context_is_admin- Operations
GET
/v1/registries
Retrieve the details of all registries across projects.
registry:update- Default
is_admin:True or project_id:%(project_id)s- Operations
PATCH
/v1/registries/{registry_ident}
Update a registry.
