Policy configuration

Policy configuration

Configuration

The following is an overview of all available policies in Cinder.

cinder

context_is_admin
Default:role:admin

Decides what is required for the ‘is_admin:True’ check to succeed.

admin_or_owner
Default:is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s

Default rule for most non-Admin APIs.

admin_api
Default:is_admin:True or (role:admin and is_admin_project:True)

Default rule for most Admin APIs.

volume:attachment_create
Default:

<empty string>

Operations:
  • POST /attachments

Create attachment.

volume:attachment_update
Default:

rule:admin_or_owner

Operations:
  • PUT /attachments/{attachment_id}

Update attachment.

volume:attachment_delete
Default:

rule:admin_or_owner

Operations:
  • DELETE /attachments/{attachment_id}

Delete attachment.

volume:attachment_complete
Default:

rule:admin_or_owner

Operations:
  • POST /attachments/{attachment_id}/action (os-complete)

Mark a volume attachment process as completed (in-use)

volume:multiattach_bootable_volume
Default:

rule:admin_or_owner

Operations:
  • POST /attachments

Allow multiattach of bootable volumes.

message:get_all
Default:

rule:admin_or_owner

Operations:
  • GET /messages

List messages.

message:get
Default:

rule:admin_or_owner

Operations:
  • GET /messages/{message_id}

Show message.

message:delete
Default:

rule:admin_or_owner

Operations:
  • DELETE /messages/{message_id}

Delete message.

clusters:get_all
Default:

rule:admin_api

Operations:
  • GET /clusters
  • GET /clusters/detail

List clusters.

clusters:get
Default:

rule:admin_api

Operations:
  • GET /clusters/{cluster_id}

Show cluster.

clusters:update
Default:

rule:admin_api

Operations:
  • PUT /clusters/{cluster_id}

Update cluster.

workers:cleanup
Default:

rule:admin_api

Operations:
  • POST /workers/cleanup

Clean up workers.

volume:get_snapshot_metadata
Default:

rule:admin_or_owner

Operations:
  • GET /snapshots/{snapshot_id}/metadata
  • GET /snapshots/{snapshot_id}/metadata/{key}

Show snapshot’s metadata or one specified metadata with a given key.

volume:update_snapshot_metadata
Default:

rule:admin_or_owner

Operations:
  • PUT /snapshots/{snapshot_id}/metadata
  • PUT /snapshots/{snapshot_id}/metadata/{key}

Update snapshot’s metadata or one specified metadata with a given key.

volume:delete_snapshot_metadata
Default:

rule:admin_or_owner

Operations:
  • DELETE /snapshots/{snapshot_id}/metadata/{key}

Delete snapshot’s specified metadata with a given key.

volume:get_all_snapshots
Default:

rule:admin_or_owner

Operations:
  • GET /snapshots
  • GET /snapshots/detail

List snapshots.

volume_extension:extended_snapshot_attributes
Default:

rule:admin_or_owner

Operations:
  • GET /snapshots
  • GET /snapshots/detail

List snapshots with extended attributes.

volume:create_snapshot
Default:

rule:admin_or_owner

Operations:
  • POST /snapshots

Create snapshot.

volume:get_snapshot
Default:

rule:admin_or_owner

Operations:
  • GET /snapshots/{snapshot_id}

Show snapshot.

volume:update_snapshot
Default:

rule:admin_or_owner

Operations:
  • PUT /snapshots/{snapshot_id}

Update snapshot.

volume:delete_snapshot
Default:

rule:admin_or_owner

Operations:
  • DELETE /snapshots/{snapshot_id}

Delete snapshot.

volume_extension:snapshot_admin_actions:reset_status
Default:

rule:admin_api

Operations:
  • POST /snapshots/{snapshot_id}/action (os-reset_status)

Reset status of a snapshot.

snapshot_extension:snapshot_actions:update_snapshot_status
Default:

<empty string>

Operations:
  • POST /snapshots/{snapshot_id}/action (update_snapshot_status)

Update database fields of snapshot.

volume_extension:snapshot_admin_actions:force_delete
Default:

rule:admin_api

Operations:
  • POST /snapshots/{snapshot_id}/action (os-force_delete)

Force delete a snapshot.

snapshot_extension:list_manageable
Default:

rule:admin_api

Operations:
  • GET /manageable_snapshots
  • GET /manageable_snapshots/detail

List (in detail) of snapshots which are available to manage.

snapshot_extension:snapshot_manage
Default:

rule:admin_api

Operations:
  • POST /manageable_snapshots

Manage an existing snapshot.

snapshot_extension:snapshot_unmanage
Default:

rule:admin_api

Operations:
  • POST /snapshots/{snapshot_id}/action (os-unmanage)

Stop managing a snapshot.

backup:get_all
Default:

rule:admin_or_owner

Operations:
  • GET /backups
  • GET /backups/detail

List backups.

backup:backup_project_attribute
Default:

rule:admin_api

Operations:
  • GET /backups/{backup_id}
  • GET /backups/detail

List backups or show backup with project attributes.

backup:create
Default:

<empty string>

Operations:
  • POST /backups

Create backup.

backup:get
Default:

rule:admin_or_owner

Operations:
  • GET /backups/{backup_id}

Show backup.

backup:update
Default:

rule:admin_or_owner

Operations:
  • PUT /backups/{backup_id}

Update backup.

backup:delete
Default:

rule:admin_or_owner

Operations:
  • DELETE /backups/{backup_id}

Delete backup.

backup:restore
Default:

rule:admin_or_owner

Operations:
  • POST /backups/{backup_id}/restore

Restore backup.

backup:backup-import
Default:

rule:admin_api

Operations:
  • POST /backups/{backup_id}/import_record

Import backup.

backup:export-import
Default:

rule:admin_api

Operations:
  • POST /backups/{backup_id}/export_record

Export backup.

volume_extension:backup_admin_actions:reset_status
Default:

rule:admin_api

Operations:
  • POST /backups/{backup_id}/action (os-reset_status)

Reset status of a backup.

volume_extension:backup_admin_actions:force_delete
Default:

rule:admin_api

Operations:
  • POST /backups/{backup_id}/action (os-force_delete)

Force delete a backup.

group:get_all
Default:

rule:admin_or_owner

Operations:
  • GET /groups
  • GET /groups/detail

List groups.

group:create
Default:

<empty string>

Operations:
  • POST /groups

Create group.

group:get
Default:

rule:admin_or_owner

Operations:
  • GET /groups/{group_id}

Show group.

group:update
Default:

rule:admin_or_owner

Operations:
  • PUT /groups/{group_id}

Update group.

group:group_types_manage
Default:

rule:admin_api

Operations:
  • POST /group_types/
  • PUT /group_types/{group_type_id}
  • DELETE /group_types/{group_type_id}

Create, update or delete a group type.

group:access_group_types_specs
Default:

rule:admin_api

Operations:
  • GET /group_types/{group_type_id}

Show group type with type specs attributes.

group:group_types_specs
Default:

rule:admin_api

Operations:
  • GET /group_types/{group_type_id}/group_specs/{g_spec_id}
  • GET /group_types/{group_type_id}/group_specs
  • POST /group_types/{group_type_id}/group_specs
  • PUT /group_types/{group_type_id}/group_specs/{g_spec_id}
  • DELETE /group_types/{group_type_id}/group_specs/{g_spec_id}

Create, show, update and delete group type spec.

group:get_all_group_snapshots
Default:

rule:admin_or_owner

Operations:
  • GET /group_snapshots
  • GET /group_snapshots/detail

List group snapshots.

group:create_group_snapshot
Default:

<empty string>

Operations:
  • POST /group_snapshots

Create group snapshot.

group:get_group_snapshot
Default:

rule:admin_or_owner

Operations:
  • GET /group_snapshots/{group_snapshot_id}

Show group snapshot.

group:delete_group_snapshot
Default:

rule:admin_or_owner

Operations:
  • DELETE /group_snapshots/{group_snapshot_id}

Delete group snapshot.

group:update_group_snapshot
Default:

rule:admin_or_owner

Operations:
  • PUT /group_snapshots/{group_snapshot_id}

Update group snapshot.

group:reset_group_snapshot_status
Default:

rule:admin_api

Operations:
  • POST /group_snapshots/{g_snapshot_id}/action (reset_status)

Reset status of group snapshot.

group:delete
Default:

rule:admin_or_owner

Operations:
  • POST /groups/{group_id}/action (delete)

Delete group.

group:reset_status
Default:

rule:admin_api

Operations:
  • POST /groups/{group_id}/action (reset_status)

Reset status of group.

group:enable_replication
Default:

rule:admin_or_owner

Operations:
  • POST /groups/{group_id}/action (enable_replication)

Enable replication.

group:disable_replication
Default:

rule:admin_or_owner

Operations:
  • POST /groups/{group_id}/action (disable_replication)

Disable replication.

group:failover_replication
Default:

rule:admin_or_owner

Operations:
  • POST /groups/{group_id}/action (failover_replication)

Fail over replication.

group:list_replication_targets
Default:

rule:admin_or_owner

Operations:
  • POST /groups/{group_id}/action (list_replication_targets)

List failover replication.

volume_extension:qos_specs_manage:get_all
Default:

rule:admin_api

Operations:
  • GET /qos-specs
  • GET /qos-specs/{qos_id}/associations

List qos specs or list all associations.

volume_extension:qos_specs_manage:get
Default:

rule:admin_api

Operations:
  • GET /qos-specs/{qos_id}

Show qos specs.

volume_extension:qos_specs_manage:create
Default:

rule:admin_api

Operations:
  • POST /qos-specs

Create qos specs.

volume_extension:qos_specs_manage:update
Default:

rule:admin_api

Operations:
  • PUT /qos-specs/{qos_id}
  • GET /qos-specs/{qos_id}/disassociate_all
  • GET /qos-specs/{qos_id}/associate
  • GET /qos-specs/{qos_id}/disassociate

Update qos specs (including updating association).

volume_extension:qos_specs_manage:delete
Default:

rule:admin_api

Operations:
  • DELETE /qos-specs/{qos_id}
  • PUT /qos-specs/{qos_id}/delete_keys

delete qos specs or unset one specified qos key.

volume_extension:quota_classes
Default:

rule:admin_api

Operations:
  • GET /os-quota-class-sets/{project_id}
  • PUT /os-quota-class-sets/{project_id}

Show or update project quota class.

volume_extension:quotas:show
Default:

rule:admin_or_owner

Operations:
  • GET /os-quota-sets/{project_id}
  • GET /os-quota-sets/{project_id}/default
  • GET /os-quota-sets/{project_id}?usage=True

Show project quota (including usage and default).

volume_extension:quotas:update
Default:

rule:admin_api

Operations:
  • PUT /os-quota-sets/{project_id}

Update project quota.

volume_extension:quotas:delete
Default:

rule:admin_api

Operations:
  • DELETE /os-quota-sets/{project_id}

Delete project quota.

volume_extension:quota_classes:validate_setup_for_nested_quota_use
Default:

rule:admin_api

Operations:
  • GET /os-quota-sets/validate_setup_for_nested_quota_use

Validate setup for nested quota.

volume_extension:capabilities
Default:

rule:admin_api

Operations:
  • GET /capabilities/{host_name}

Show backend capabilities.

volume_extension:services:index
Default:

rule:admin_api

Operations:
  • GET /os-services

List all services.

volume_extension:services:update
Default:

rule:admin_api

Operations:
  • PUT /os-services/{action}

Update service, including failover_host, thaw, freeze, disable, enable, set-log and get-log actions.

volume:freeze_host
Default:

rule:admin_api

Operations:
  • PUT /os-services/freeze

Freeze a backend host.

volume:thaw_host
Default:

rule:admin_api

Operations:
  • PUT /os-services/thaw

Thaw a backend host.

volume:failover_host
Default:

rule:admin_api

Operations:
  • PUT /os-services/failover_host

Failover a backend host.

scheduler_extension:scheduler_stats:get_pools
Default:

rule:admin_api

Operations:
  • GET /scheduler-stats/get_pools

List all backend pools.

volume_extension:hosts
Default:

rule:admin_api

Operations:
  • GET /os-hosts
  • PUT /os-hosts/{host_name}
  • GET /os-hosts/{host_id}

List, update or show hosts for a project.

limits_extension:used_limits
Default:

rule:admin_or_owner

Operations:
  • GET /limits

Show limits with used limit attributes.

volume_extension:list_manageable
Default:

rule:admin_api

Operations:
  • GET /manageable_volumes
  • GET /manageable_volumes/detail

List (in detail) of volumes which are available to manage.

volume_extension:volume_manage
Default:

rule:admin_api

Operations:
  • POST /manageable_volumes

Manage existing volumes.

volume_extension:volume_unmanage
Default:

rule:admin_api

Operations:
  • POST /volumes/{volume_id}/action (os-unmanage)

Stop managing a volume.

volume_extension:types_manage
Default:

rule:admin_api

Operations:
  • POST /types
  • PUT /types
  • DELETE /types

Create, update and delete volume type.

volume_extension:volume_type_encryption
Default:

rule:admin_api

Operations:
  • POST /types/{type_id}/encryption
  • PUT /types/{type_id}/encryption/{encryption_id}
  • GET /types/{type_id}/encryption
  • GET /types/{type_id}/encryption/{encryption_id}
  • DELETE /types/{type_id}/encryption/{encryption_id}

List, show, create, update and delete volume type encryption.

volume_extension:access_types_extra_specs
Default:

rule:admin_api

Operations:
  • GET /types/{type_id}
  • GET /types

List or show volume type with access type extra specs attribute.

volume_extension:access_types_qos_specs_id
Default:

rule:admin_api

Operations:
  • GET /types/{type_id}
  • GET /types

List or show volume type with access type qos specs id attribute.

volume_extension:volume_type_access
Default:

rule:admin_or_owner

Operations:
  • GET /types
  • GET /types/detail
  • GET /types/{type_id}
  • POST /types

Volume type access related APIs.

volume_extension:volume_type_access:addProjectAccess
Default:

rule:admin_api

Operations:
  • POST /types/{type_id}/action (addProjectAccess)

Add volume type access for project.

volume_extension:volume_type_access:removeProjectAccess
Default:

rule:admin_api

Operations:
  • POST /types/{type_id}/action (removeProjectAccess)

Remove volume type access for project.

volume:extend
Default:

rule:admin_or_owner

Operations:
  • POST /volumes/{volume_id}/action (os-extend)

Extend a volume.

volume:extend_attached_volume
Default:

rule:admin_or_owner

Operations:
  • POST /volumes/{volume_id}/action (os-extend)

Extend a attached volume.

volume:revert_to_snapshot
Default:

rule:admin_or_owner

Operations:
  • POST /volumes/{volume_id}/action (revert)

Revert a volume to a snapshot.

volume_extension:volume_admin_actions:reset_status
Default:

rule:admin_api

Operations:
  • POST /volumes/{volume_id}/action (os-reset_status)

Reset status of a volume.

volume:retype
Default:

rule:admin_or_owner

Operations:
  • POST /volumes/{volume_id}/action (os-retype)

Retype a volume.

volume:update_readonly_flag
Default:

rule:admin_or_owner

Operations:
  • POST /volumes/{volume_id}/action (os-update_readonly_flag)

Update a volume’s readonly flag.

volume_extension:volume_admin_actions:force_delete
Default:

rule:admin_api

Operations:
  • POST /volumes/{volume_id}/action (os-force_delete)

Force delete a volume.

volume_extension:volume_actions:upload_public
Default:

rule:admin_api

Operations:
  • POST /volumes/{volume_id}/action (os-volume_upload_image)

Upload a volume to image with public visibility.

volume_extension:volume_actions:upload_image
Default:

rule:admin_or_owner

Operations:
  • POST /volumes/{volume_id}/action (os-volume_upload_image)

Upload a volume to image.

volume_extension:volume_admin_actions:force_detach
Default:

rule:admin_api

Operations:
  • POST /volumes/{volume_id}/action (os-force_detach)

Force detach a volume.

volume_extension:volume_admin_actions:migrate_volume
Default:

rule:admin_api

Operations:
  • POST /volumes/{volume_id}/action (os-migrate_volume)

migrate a volume to a specified host.

volume_extension:volume_admin_actions:migrate_volume_completion
Default:

rule:admin_api

Operations:
  • POST /volumes/{volume_id}/action (os-migrate_volume_completion)

Complete a volume migration.

volume_extension:volume_actions:initialize_connection
Default:

rule:admin_or_owner

Operations:
  • POST /volumes/{volume_id}/action (os-initialize_connection)

Initialize volume attachment.

volume_extension:volume_actions:terminate_connection
Default:

rule:admin_or_owner

Operations:
  • POST /volumes/{volume_id}/action (os-terminate_connection)

Terminate volume attachment.

volume_extension:volume_actions:roll_detaching
Default:

rule:admin_or_owner

Operations:
  • POST /volumes/{volume_id}/action (os-roll_detaching)

Roll back volume status to ‘in-use’.

volume_extension:volume_actions:reserve
Default:

rule:admin_or_owner

Operations:
  • POST /volumes/{volume_id}/action (os-reserve)

Mark volume as reserved.

volume_extension:volume_actions:unreserve
Default:

rule:admin_or_owner

Operations:
  • POST /volumes/{volume_id}/action (os-unreserve)

Unmark volume as reserved.

volume_extension:volume_actions:begin_detaching
Default:

rule:admin_or_owner

Operations:
  • POST /volumes/{volume_id}/action (os-begin_detaching)

Begin detach volumes.

volume_extension:volume_actions:attach
Default:

rule:admin_or_owner

Operations:
  • POST /volumes/{volume_id}/action (os-attach)

Add attachment metadata.

volume_extension:volume_actions:detach
Default:

rule:admin_or_owner

Operations:
  • POST /volumes/{volume_id}/action (os-detach)

Clear attachment metadata.

volume:get_all_transfers
Default:

rule:admin_or_owner

Operations:
  • GET /os-volume-transfer
  • GET /os-volume-transfer/detail

List volume transfer.

volume:create_transfer
Default:

rule:admin_or_owner

Operations:
  • POST /os-volume-transfer

Create a volume transfer.

volume:get_transfer
Default:

rule:admin_or_owner

Operations:
  • GET /os-volume-transfer/{transfer_id}

Show one specified volume transfer.

volume:accept_transfer
Default:

<empty string>

Operations:
  • POST /os-volume-transfer/{transfer_id}/accept

Accept a volume transfer.

volume:delete_transfer
Default:

rule:admin_or_owner

Operations:
  • DELETE /os-volume-transfer/{transfer_id}

Delete volume transfer.

volume:get_volume_metadata
Default:

rule:admin_or_owner

Operations:
  • GET /volumes/{volume_id}/metadata
  • GET /volumes/{volume_id}/metadata/{key}

Show volume’s metadata or one specified metadata with a given key.

volume:create_volume_metadata
Default:

rule:admin_or_owner

Operations:
  • POST /volumes/{volume_id}/metadata

Create volume metadata.

volume:update_volume_metadata
Default:

rule:admin_or_owner

Operations:
  • PUT /volumes/{volume_id}/metadata
  • PUT /volumes/{volume_id}/metadata/{key}

Update volume’s metadata or one specified metadata with a given key.

volume:delete_volume_metadata
Default:

rule:admin_or_owner

Operations:
  • DELETE /volumes/{volume_id}/metadata/{key}

Delete volume’s specified metadata with a given key.

volume_extension:volume_image_metadata
Default:

rule:admin_or_owner

Operations:
  • GET /volumes/detail
  • GET /volumes/{volume_id}
  • POST /volumes/{volume_id}/action (os-set_image_metadata)
  • POST /volumes/{volume_id}/action (os-unset_image_metadata)

Volume’s image metadata related operation, create, delete, show and list.

volume:update_volume_admin_metadata
Default:

rule:admin_api

Operations:
  • POST /volumes/{volume_id}/action (os-update_readonly_flag)
  • POST /volumes/{volume_id}/action (os-attach)

Update volume admin metadata. It’s used in attach and os-update_readonly_flag APIs

volume_extension:types_extra_specs:index
Default:

rule:admin_api

Operations:
  • GET /types/{type_id}/extra_specs

List type extra specs.

volume_extension:types_extra_specs:create
Default:

rule:admin_api

Operations:
  • POST /types/{type_id}/extra_specs

Create type extra specs.

volume_extension:types_extra_specs:show
Default:

rule:admin_api

Operations:
  • GET /types/{type_id}/extra_specs/{extra_spec_key}

Show one specified type extra specs.

volume_extension:types_extra_specs:update
Default:

rule:admin_api

Operations:
  • PUT /types/{type_id}/extra_specs/{extra_spec_key}

Update type extra specs.

volume_extension:types_extra_specs:delete
Default:

rule:admin_api

Operations:
  • DELETE /types/{type_id}/extra_specs/{extra_spec_key}

Delete type extra specs.

volume:create
Default:

<empty string>

Operations:
  • POST /volumes

Create volume.

volume:create_from_image
Default:

<empty string>

Operations:
  • POST /volumes

Create volume from image.

volume:get
Default:

rule:admin_or_owner

Operations:
  • GET /volumes/{volume_id}

Show volume.

volume:get_all
Default:

rule:admin_or_owner

Operations:
  • GET /volumes
  • GET /volumes/detail

List volumes.

volume:update
Default:

rule:admin_or_owner

Operations:
  • PUT /volumes

Update volume.

volume:delete
Default:

rule:admin_or_owner

Operations:
  • DELETE /volumes/{volume_id}

Delete volume.

volume:force_delete
Default:

rule:admin_api

Operations:
  • DELETE /volumes/{volume_id}

Force Delete a volume.

volume_extension:volume_host_attribute
Default:

rule:admin_api

Operations:
  • GET /volumes/{volume_id}
  • GET /volumes/detail

List or show volume with host attribute.

volume_extension:volume_tenant_attribute
Default:

rule:admin_or_owner

Operations:
  • GET /volumes/{volume_id}
  • GET /volumes/detail

List or show volume with tenant attribute.

volume_extension:volume_mig_status_attribute
Default:

rule:admin_api

Operations:
  • GET /volumes/{volume_id}
  • GET /volumes/detail

List or show volume with migration status attribute.

volume_extension:volume_encryption_metadata
Default:

rule:admin_or_owner

Operations:
  • GET /volumes/{volume_id}/encryption
  • GET /volumes/{volume_id}/encryption/{encryption_key}

Show volume’s encryption metadata.

volume:multiattach
Default:

rule:admin_or_owner

Operations:
  • POST /volumes

Create multiattach capable volume.

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.