Policies

Warning

JSON formatted policy files were deprecated in the Wallaby development cycle due to the Victoria deprecation by the olso.policy library. Use the oslopolicy-convert-json-to-yaml tool to convert the existing JSON to YAML formatted policy file in backward compatible way.

The following is an overview of all available policies in Ironic. For a sample configuration file, refer to Ironic Policy.

ironic.api

admin_api

Default

role:admin or role:administrator

Legacy rule for cloud admin access

public_api

Default

is_public_api:True

Internal flag for public API routes

show_password

Default

!

Show or mask secrets within node driver information in API responses

show_instance_secrets

Default

!

Show or mask secrets within instance information in API responses

is_member

Default

(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)

May be used to restrict access to specific projects

is_observer

Default

rule:is_member and (role:observer or role:baremetal_observer)

Read-only API access

is_admin

Default

rule:admin_api or (rule:is_member and role:baremetal_admin)

Full read/write API access

is_node_owner

Default

project_id:%(node.owner)s

Owner of node

is_node_lessee

Default

project_id:%(node.lessee)s

Lessee of node

is_allocation_owner

Default

project_id:%(allocation.owner)s

Owner of allocation

baremetal:node:create

Default

rule:is_admin

Operations

• POST /nodes

Create Node records

baremetal:node:get

Default

rule:is_admin or rule:is_observer

Operations

• GET /nodes/{node_ident}

Retrieve a single Node record

baremetal:node:list

Default

rule:baremetal:node:get

Operations

• GET /nodes

• GET /nodes/detail

Retrieve multiple Node records, filtered by owner

baremetal:node:list_all

Default

rule:baremetal:node:get

Operations

• GET /nodes

• GET /nodes/detail

Retrieve multiple Node records

baremetal:node:update

Default

rule:is_admin

Operations

• PATCH /nodes/{node_ident}

Update Node records

baremetal:node:update_extra

Default

rule:baremetal:node:update

Operations

• PATCH /nodes/{node_ident}

Update Node extra field

baremetal:node:update_instance_info

Default

rule:baremetal:node:update

Operations

• PATCH /nodes/{node_ident}

Update Node instance_info field

baremetal:node:update_owner_provisioned

Default

rule:is_admin

Operations

• PATCH /nodes/{node_ident}

Update Node owner even when Node is provisioned

baremetal:node:delete

Default

rule:is_admin

Operations

• DELETE /nodes/{node_ident}

Delete Node records

baremetal:node:validate

Default

rule:is_admin

Operations

• GET /nodes/{node_ident}/validate

Request active validation of Nodes

baremetal:node:set_maintenance

Default

rule:is_admin

Operations

• PUT /nodes/{node_ident}/maintenance

Set maintenance flag, taking a Node out of service

baremetal:node:clear_maintenance

Default

rule:is_admin

Operations

• DELETE /nodes/{node_ident}/maintenance

Clear maintenance flag, placing the Node into service again

baremetal:node:get_boot_device

Default

rule:is_admin or rule:is_observer

Operations

• GET /nodes/{node_ident}/management/boot_device

• GET /nodes/{node_ident}/management/boot_device/supported

Retrieve Node boot device metadata

baremetal:node:set_boot_device

Default

rule:is_admin

Operations

• PUT /nodes/{node_ident}/management/boot_device

Change Node boot device

baremetal:node:get_indicator_state

Default

rule:is_admin or rule:is_observer

Operations

• GET /nodes/{node_ident}/management/indicators/{component}/{indicator}

• GET /nodes/{node_ident}/management/indicators

Retrieve Node indicators and their states

baremetal:node:set_indicator_state

Default

rule:is_admin

Operations

• PUT /nodes/{node_ident}/management/indicators/{component}/{indicator}

Change Node indicator state

baremetal:node:inject_nmi

Default

rule:is_admin

Operations

• PUT /nodes/{node_ident}/management/inject_nmi

Inject NMI for a node

baremetal:node:get_states

Default

rule:is_admin or rule:is_observer

Operations

• GET /nodes/{node_ident}/states

View Node power and provision state

baremetal:node:set_power_state

Default

rule:is_admin

Operations

• PUT /nodes/{node_ident}/states/power

Change Node power status

baremetal:node:set_provision_state

Default

rule:is_admin

Operations

• PUT /nodes/{node_ident}/states/provision

Change Node provision status

baremetal:node:set_raid_state

Default

rule:is_admin

Operations

• PUT /nodes/{node_ident}/states/raid

Change Node RAID status

baremetal:node:get_console

Default

rule:is_admin

Operations

• GET /nodes/{node_ident}/states/console

Get Node console connection information

baremetal:node:set_console_state

Default

rule:is_admin

Operations

• PUT /nodes/{node_ident}/states/console

Change Node console status

baremetal:node:vif:list

Default

rule:is_admin

Operations

• GET /nodes/{node_ident}/vifs

List VIFs attached to node

baremetal:node:vif:attach

Default

rule:is_admin

Operations

• POST /nodes/{node_ident}/vifs

Attach a VIF to a node

baremetal:node:vif:detach

Default

rule:is_admin

Operations

• DELETE /nodes/{node_ident}/vifs/{node_vif_ident}

Detach a VIF from a node

baremetal:node:traits:list

Default

rule:is_admin or rule:is_observer

Operations

• GET /nodes/{node_ident}/traits

List node traits

baremetal:node:traits:set

Default

rule:is_admin

Operations

• PUT /nodes/{node_ident}/traits

• PUT /nodes/{node_ident}/traits/{trait}

Add a trait to, or replace all traits of, a node

baremetal:node:traits:delete

Default

rule:is_admin

Operations

• DELETE /nodes/{node_ident}/traits

• DELETE /nodes/{node_ident}/traits/{trait}

Remove one or all traits from a node

baremetal:node:bios:get

Default

rule:is_admin or rule:is_observer

Operations

• GET /nodes/{node_ident}/bios

• GET /nodes/{node_ident}/bios/{setting}

Retrieve Node BIOS information

baremetal:node:disable_cleaning

Default

rule:baremetal:node:update

Operations

• PATCH /nodes/{node_ident}

Disable Node disk cleaning

baremetal:port:get

Default

rule:is_admin or rule:is_observer

Operations

• GET /ports/{port_id}

• GET /nodes/{node_ident}/ports

• GET /nodes/{node_ident}/ports/detail

• GET /portgroups/{portgroup_ident}/ports

• GET /portgroups/{portgroup_ident}/ports/detail

Retrieve Port records

baremetal:port:list

Default

rule:baremetal:port:get

Operations

• GET /ports

• GET /ports/detail

Retrieve multiple Port records, filtered by owner

baremetal:port:list_all

Default

rule:baremetal:port:get

Operations

• GET /ports

• GET /ports/detail

Retrieve multiple Port records

baremetal:port:create

Default

rule:is_admin

Operations

• POST /ports

Create Port records

baremetal:port:delete

Default

rule:is_admin

Operations

• DELETE /ports/{port_id}

Delete Port records

baremetal:port:update

Default

rule:is_admin

Operations

• PATCH /ports/{port_id}

Update Port records

baremetal:portgroup:get

Default

rule:is_admin or rule:is_observer

Operations

• GET /portgroups

• GET /portgroups/detail

• GET /portgroups/{portgroup_ident}

• GET /nodes/{node_ident}/portgroups

• GET /nodes/{node_ident}/portgroups/detail

Retrieve Portgroup records

baremetal:portgroup:create

Default

rule:is_admin

Operations

• POST /portgroups

Create Portgroup records

baremetal:portgroup:delete

Default

rule:is_admin

Operations

• DELETE /portgroups/{portgroup_ident}

Delete Portgroup records

baremetal:portgroup:update

Default

rule:is_admin

Operations

• PATCH /portgroups/{portgroup_ident}

Update Portgroup records

baremetal:chassis:get

Default

rule:is_admin or rule:is_observer

Operations

• GET /chassis

• GET /chassis/detail

• GET /chassis/{chassis_id}

Retrieve Chassis records

baremetal:chassis:create

Default

rule:is_admin

Operations

• POST /chassis

Create Chassis records

baremetal:chassis:delete

Default

rule:is_admin

Operations

• DELETE /chassis/{chassis_id}

Delete Chassis records

baremetal:chassis:update

Default

rule:is_admin

Operations

• PATCH /chassis/{chassis_id}

Update Chassis records

baremetal:driver:get

Default

rule:is_admin or rule:is_observer

Operations

• GET /drivers

• GET /drivers/{driver_name}

View list of available drivers

baremetal:driver:get_properties

Default

rule:is_admin or rule:is_observer

Operations

• GET /drivers/{driver_name}/properties

View driver-specific properties

baremetal:driver:get_raid_logical_disk_properties

Default

rule:is_admin or rule:is_observer

Operations

• GET /drivers/{driver_name}/raid/logical_disk_properties

View driver-specific RAID metadata

baremetal:node:vendor_passthru

Default

rule:is_admin

Operations

• GET nodes/{node_ident}/vendor_passthru/methods

• GET nodes/{node_ident}/vendor_passthru?method={method_name}

• PUT nodes/{node_ident}/vendor_passthru?method={method_name}

• POST nodes/{node_ident}/vendor_passthru?method={method_name}

• PATCH nodes/{node_ident}/vendor_passthru?method={method_name}

• DELETE nodes/{node_ident}/vendor_passthru?method={method_name}

Access vendor-specific Node functions

baremetal:driver:vendor_passthru

Default

rule:is_admin

Operations

• GET drivers/{driver_name}/vendor_passthru/methods

• GET drivers/{driver_name}/vendor_passthru?method={method_name}

• PUT drivers/{driver_name}/vendor_passthru?method={method_name}

• POST drivers/{driver_name}/vendor_passthru?method={method_name}

• PATCH drivers/{driver_name}/vendor_passthru?method={method_name}

• DELETE drivers/{driver_name}/vendor_passthru?method={method_name}

Access vendor-specific Driver functions

baremetal:node:ipa_heartbeat

Default

rule:public_api

Operations

• POST /heartbeat/{node_ident}

Send heartbeats from IPA ramdisk

baremetal:driver:ipa_lookup

Default

rule:public_api

Operations

• GET /lookup

Access IPA ramdisk functions

baremetal:volume:get

Default

rule:is_admin or rule:is_observer

Operations

• GET /volume

• GET /volume/connectors

• GET /volume/connectors/{volume_connector_id}

• GET /volume/targets

• GET /volume/targets/{volume_target_id}

• GET /nodes/{node_ident}/volume

• GET /nodes/{node_ident}/volume/connectors

• GET /nodes/{node_ident}/volume/targets

Retrieve Volume connector and target records

baremetal:volume:create

Default

rule:is_admin

Operations

• POST /volume/connectors

• POST /volume/targets

Create Volume connector and target records

baremetal:volume:delete

Default

rule:is_admin

Operations

• DELETE /volume/connectors/{volume_connector_id}

• DELETE /volume/targets/{volume_target_id}

Delete Volume connector and target records

baremetal:volume:update

Default

rule:is_admin

Operations

• PATCH /volume/connectors/{volume_connector_id}

• PATCH /volume/targets/{volume_target_id}

Update Volume connector and target records

baremetal:conductor:get

Default

rule:is_admin or rule:is_observer

Operations

• GET /conductors

• GET /conductors/{hostname}

Retrieve Conductor records

baremetal:allocation:get

Default

rule:is_admin or rule:is_observer

Operations

• GET /allocations/{allocation_id}

• GET /nodes/{node_ident}/allocation

Retrieve Allocation records

baremetal:allocation:list

Default

rule:baremetal:allocation:get

Operations

• GET /allocations

Retrieve multiple Allocation records, filtered by owner

baremetal:allocation:list_all

Default

rule:baremetal:allocation:get

Operations

• GET /allocations

Retrieve multiple Allocation records

baremetal:allocation:create

Default

rule:is_admin

Operations

• POST /allocations

Create Allocation records

baremetal:allocation:create_restricted

Default

rule:baremetal:allocation:create

Operations

• POST /allocations

Create Allocation records that are restricted to an owner

baremetal:allocation:delete

Default

rule:is_admin

Operations

• DELETE /allocations/{allocation_id}

• DELETE /nodes/{node_ident}/allocation

Delete Allocation records

baremetal:allocation:update

Default

rule:is_admin

Operations

• PATCH /allocations/{allocation_id}

Change name and extra fields of an allocation

baremetal:events:post

Default

rule:is_admin

Operations

• POST /events

Post events

baremetal:deploy_template:get

Default

rule:is_admin or rule:is_observer

Operations

• GET /deploy_templates

• GET /deploy_templates/{deploy_template_ident}

Retrieve Deploy Template records

baremetal:deploy_template:create

Default

rule:is_admin

Operations

• POST /deploy_templates

Create Deploy Template records

baremetal:deploy_template:delete

Default

rule:is_admin

Operations

• DELETE /deploy_templates/{deploy_template_ident}

Delete Deploy Template records

baremetal:deploy_template:update

Default

rule:is_admin

Operations

• PATCH /deploy_templates/{deploy_template_ident}

Update Deploy Template records