The following is a sample cyborg policy file that has been auto-generated from the default policy values in code. If you’re using the default policies, you do not need to maintain this file, and it should not be copied into a deployment; doing so will result in duplicate policy definitions. It is here to help explain which policy operations protect specific cyborg APIs. Copy entries into a deployment only for operations where you intend to provide a policy that differs from the default.
If you wish to build a policy file, you can also use tox -e genpolicy to generate it.
The sample policy file can also be downloaded in file form.
# Every entry below is commented out: it shows the in-code default and has no
# effect unless it is uncommented and changed in a deployed policy file.

# Legacy rule for cloud admin access
# Matches on role name only (admin or administrator); the check string
# carries no project or domain scope.
#"admin_api": "role:admin or role:administrator"
# Internal flag for public API routes
#"public_api": "is_public_api:True"
# any access will be passed
# "@" is the oslo.policy check that always succeeds, so every operation
# mapped to rule:allow performs no role, project or user check.
#"allow": "@"
# all access will be forbidden
# "!" is the oslo.policy check that always fails.
#"deny": "!"
# Full read/write API access
#"is_admin": "rule:admin_api"
# Admin or owner API access
# %(project_id)s is substituted from the target of the request and compared
# with the caller's project_id.
# NOTE(review): "is_admin:True" is a credential-attribute check, not a
# reference to the "is_admin" rule above (that would be "rule:is_admin");
# confirm how cyborg sets is_admin on the request context.
#"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
# Admin or user API access
#"admin_or_user": "is_admin:True or user_id:%(user_id)s"
# Default API access rule
#"default": "rule:admin_or_owner"

# Accelerator operations
# Retrieve accelerator records
#"cyborg:accelerator:get": "rule:default"
# Create accelerator records
# NOTE(review): the default is rule:allow, so creation is not limited by role
# or ownership at the policy layer, unlike get/delete/update, which use
# rule:default (admin or owner). Override this entry if only specific roles
# should be able to create accelerator records.
#"cyborg:accelerator:create": "rule:allow"
# Delete accelerator records
#"cyborg:accelerator:delete": "rule:default"
# Update accelerator records
#"cyborg:accelerator:update": "rule:default"

# Deployable operations
# Show deployable detail
# NOTE(review): get_one and get_all default to rule:allow, so deployable
# records are readable by any request that reaches the policy check,
# with no project filter at this layer.
#"cyborg:deployable:get_one": "rule:allow"
# Retrieve all deployable records
#"cyborg:deployable:get_all": "rule:allow"
# Create deployable records
#"cyborg:deployable:create": "rule:admin_api"
# Delete deployable records
#"cyborg:deployable:delete": "rule:admin_api"
# Update deployable records
#"cyborg:deployable:update": "rule:admin_api"
# Program deployable(FPGA) records
# NOTE(review): programming is a state-changing operation, yet it defaults to
# rule:allow while create/delete/update on the same resource require
# rule:admin_api. Review whether this default fits the deployment and
# override it (for example with rule:admin_api or rule:default) if not.
#"cyborg:deployable:program": "rule:allow"

# FPGA operations
# Show fpga detail
#"cyborg:fpga:get_one": "rule:allow"
# Retrieve all fpga records
#"cyborg:fpga:get_all": "rule:allow"
# Update fpga records
# NOTE(review): a write operation that defaults to rule:allow; no role or
# ownership check is applied by policy unless this entry is overridden.
#"cyborg:fpga:update": "rule:allow"