Policies¶
Warning
JSON formatted policy files were deprecated in the Wallaby development
cycle due to the Victoria deprecation by the olso.policy
library.
Use the oslopolicy-convert-json-to-yaml tool
to convert the existing JSON to YAML formatted policy file in backward
compatible way.
The following is an overview of all available policies in Ironic. For a sample configuration file, refer to Ironic Policy.
ironic.api¶
admin_api
- Default
role:admin or role:administrator
Legacy rule for cloud admin access
public_api
- Default
is_public_api:True
Internal flag for public API routes
show_password
- Default
!
Show or mask secrets within node driver information in API responses
show_instance_secrets
- Default
!
Show or mask secrets within instance information in API responses
is_member
- Default
(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)
May be used to restrict access to specific projects
is_observer
- Default
rule:is_member and (role:observer or role:baremetal_observer)
Read-only API access
is_admin
- Default
rule:admin_api or (rule:is_member and role:baremetal_admin)
Full read/write API access
is_node_owner
- Default
project_id:%(node.owner)s
Owner of node
is_node_lessee
- Default
project_id:%(node.lessee)s
Lessee of node
is_allocation_owner
- Default
project_id:%(allocation.owner)s
Owner of allocation
baremetal:node:create
- Default
rule:is_admin
- Operations
POST
/nodes
Create Node records
baremetal:node:get
- Default
rule:is_admin or rule:is_observer
- Operations
GET
/nodes/{node_ident}
Retrieve a single Node record
baremetal:node:list
- Default
rule:baremetal:node:get
- Operations
GET
/nodes
GET
/nodes/detail
Retrieve multiple Node records, filtered by owner
baremetal:node:list_all
- Default
rule:baremetal:node:get
- Operations
GET
/nodes
GET
/nodes/detail
Retrieve multiple Node records
baremetal:node:update
- Default
rule:is_admin
- Operations
PATCH
/nodes/{node_ident}
Update Node records
baremetal:node:update_extra
- Default
rule:baremetal:node:update
- Operations
PATCH
/nodes/{node_ident}
Update Node extra field
baremetal:node:update_instance_info
- Default
rule:baremetal:node:update
- Operations
PATCH
/nodes/{node_ident}
Update Node instance_info field
baremetal:node:update_owner_provisioned
- Default
rule:is_admin
- Operations
PATCH
/nodes/{node_ident}
Update Node owner even when Node is provisioned
baremetal:node:delete
- Default
rule:is_admin
- Operations
DELETE
/nodes/{node_ident}
Delete Node records
baremetal:node:validate
- Default
rule:is_admin
- Operations
GET
/nodes/{node_ident}/validate
Request active validation of Nodes
baremetal:node:set_maintenance
- Default
rule:is_admin
- Operations
PUT
/nodes/{node_ident}/maintenance
Set maintenance flag, taking a Node out of service
baremetal:node:clear_maintenance
- Default
rule:is_admin
- Operations
DELETE
/nodes/{node_ident}/maintenance
Clear maintenance flag, placing the Node into service again
baremetal:node:get_boot_device
- Default
rule:is_admin or rule:is_observer
- Operations
GET
/nodes/{node_ident}/management/boot_device
GET
/nodes/{node_ident}/management/boot_device/supported
Retrieve Node boot device metadata
baremetal:node:set_boot_device
- Default
rule:is_admin
- Operations
PUT
/nodes/{node_ident}/management/boot_device
Change Node boot device
baremetal:node:get_indicator_state
- Default
rule:is_admin or rule:is_observer
- Operations
GET
/nodes/{node_ident}/management/indicators/{component}/{indicator}
GET
/nodes/{node_ident}/management/indicators
Retrieve Node indicators and their states
baremetal:node:set_indicator_state
- Default
rule:is_admin
- Operations
PUT
/nodes/{node_ident}/management/indicators/{component}/{indicator}
Change Node indicator state
baremetal:node:inject_nmi
- Default
rule:is_admin
- Operations
PUT
/nodes/{node_ident}/management/inject_nmi
Inject NMI for a node
baremetal:node:get_states
- Default
rule:is_admin or rule:is_observer
- Operations
GET
/nodes/{node_ident}/states
View Node power and provision state
baremetal:node:set_power_state
- Default
rule:is_admin
- Operations
PUT
/nodes/{node_ident}/states/power
Change Node power status
baremetal:node:set_provision_state
- Default
rule:is_admin
- Operations
PUT
/nodes/{node_ident}/states/provision
Change Node provision status
baremetal:node:set_raid_state
- Default
rule:is_admin
- Operations
PUT
/nodes/{node_ident}/states/raid
Change Node RAID status
baremetal:node:get_console
- Default
rule:is_admin
- Operations
GET
/nodes/{node_ident}/states/console
Get Node console connection information
baremetal:node:set_console_state
- Default
rule:is_admin
- Operations
PUT
/nodes/{node_ident}/states/console
Change Node console status
baremetal:node:vif:list
- Default
rule:is_admin
- Operations
GET
/nodes/{node_ident}/vifs
List VIFs attached to node
baremetal:node:vif:attach
- Default
rule:is_admin
- Operations
POST
/nodes/{node_ident}/vifs
Attach a VIF to a node
baremetal:node:vif:detach
- Default
rule:is_admin
- Operations
DELETE
/nodes/{node_ident}/vifs/{node_vif_ident}
Detach a VIF from a node
baremetal:node:traits:list
- Default
rule:is_admin or rule:is_observer
- Operations
GET
/nodes/{node_ident}/traits
List node traits
baremetal:node:traits:set
- Default
rule:is_admin
- Operations
PUT
/nodes/{node_ident}/traits
PUT
/nodes/{node_ident}/traits/{trait}
Add a trait to, or replace all traits of, a node
baremetal:node:traits:delete
- Default
rule:is_admin
- Operations
DELETE
/nodes/{node_ident}/traits
DELETE
/nodes/{node_ident}/traits/{trait}
Remove one or all traits from a node
baremetal:node:bios:get
- Default
rule:is_admin or rule:is_observer
- Operations
GET
/nodes/{node_ident}/bios
GET
/nodes/{node_ident}/bios/{setting}
Retrieve Node BIOS information
baremetal:node:disable_cleaning
- Default
rule:baremetal:node:update
- Operations
PATCH
/nodes/{node_ident}
Disable Node disk cleaning
baremetal:port:get
- Default
rule:is_admin or rule:is_observer
- Operations
GET
/ports/{port_id}
GET
/nodes/{node_ident}/ports
GET
/nodes/{node_ident}/ports/detail
GET
/portgroups/{portgroup_ident}/ports
GET
/portgroups/{portgroup_ident}/ports/detail
Retrieve Port records
baremetal:port:list
- Default
rule:baremetal:port:get
- Operations
GET
/ports
GET
/ports/detail
Retrieve multiple Port records, filtered by owner
baremetal:port:list_all
- Default
rule:baremetal:port:get
- Operations
GET
/ports
GET
/ports/detail
Retrieve multiple Port records
baremetal:port:create
- Default
rule:is_admin
- Operations
POST
/ports
Create Port records
baremetal:port:delete
- Default
rule:is_admin
- Operations
DELETE
/ports/{port_id}
Delete Port records
baremetal:port:update
- Default
rule:is_admin
- Operations
PATCH
/ports/{port_id}
Update Port records
baremetal:portgroup:get
- Default
rule:is_admin or rule:is_observer
- Operations
GET
/portgroups
GET
/portgroups/detail
GET
/portgroups/{portgroup_ident}
GET
/nodes/{node_ident}/portgroups
GET
/nodes/{node_ident}/portgroups/detail
Retrieve Portgroup records
baremetal:portgroup:create
- Default
rule:is_admin
- Operations
POST
/portgroups
Create Portgroup records
baremetal:portgroup:delete
- Default
rule:is_admin
- Operations
DELETE
/portgroups/{portgroup_ident}
Delete Portgroup records
baremetal:portgroup:update
- Default
rule:is_admin
- Operations
PATCH
/portgroups/{portgroup_ident}
Update Portgroup records
baremetal:chassis:get
- Default
rule:is_admin or rule:is_observer
- Operations
GET
/chassis
GET
/chassis/detail
GET
/chassis/{chassis_id}
Retrieve Chassis records
baremetal:chassis:create
- Default
rule:is_admin
- Operations
POST
/chassis
Create Chassis records
baremetal:chassis:delete
- Default
rule:is_admin
- Operations
DELETE
/chassis/{chassis_id}
Delete Chassis records
baremetal:chassis:update
- Default
rule:is_admin
- Operations
PATCH
/chassis/{chassis_id}
Update Chassis records
baremetal:driver:get
- Default
rule:is_admin or rule:is_observer
- Operations
GET
/drivers
GET
/drivers/{driver_name}
View list of available drivers
baremetal:driver:get_properties
- Default
rule:is_admin or rule:is_observer
- Operations
GET
/drivers/{driver_name}/properties
View driver-specific properties
baremetal:driver:get_raid_logical_disk_properties
- Default
rule:is_admin or rule:is_observer
- Operations
GET
/drivers/{driver_name}/raid/logical_disk_properties
View driver-specific RAID metadata
baremetal:node:vendor_passthru
- Default
rule:is_admin
- Operations
GET
nodes/{node_ident}/vendor_passthru/methods
GET
nodes/{node_ident}/vendor_passthru?method={method_name}
PUT
nodes/{node_ident}/vendor_passthru?method={method_name}
POST
nodes/{node_ident}/vendor_passthru?method={method_name}
PATCH
nodes/{node_ident}/vendor_passthru?method={method_name}
DELETE
nodes/{node_ident}/vendor_passthru?method={method_name}
Access vendor-specific Node functions
baremetal:driver:vendor_passthru
- Default
rule:is_admin
- Operations
GET
drivers/{driver_name}/vendor_passthru/methods
GET
drivers/{driver_name}/vendor_passthru?method={method_name}
PUT
drivers/{driver_name}/vendor_passthru?method={method_name}
POST
drivers/{driver_name}/vendor_passthru?method={method_name}
PATCH
drivers/{driver_name}/vendor_passthru?method={method_name}
DELETE
drivers/{driver_name}/vendor_passthru?method={method_name}
Access vendor-specific Driver functions
baremetal:node:ipa_heartbeat
- Default
rule:public_api
- Operations
POST
/heartbeat/{node_ident}
Send heartbeats from IPA ramdisk
baremetal:driver:ipa_lookup
- Default
rule:public_api
- Operations
GET
/lookup
Access IPA ramdisk functions
baremetal:volume:get
- Default
rule:is_admin or rule:is_observer
- Operations
GET
/volume
GET
/volume/connectors
GET
/volume/connectors/{volume_connector_id}
GET
/volume/targets
GET
/volume/targets/{volume_target_id}
GET
/nodes/{node_ident}/volume
GET
/nodes/{node_ident}/volume/connectors
GET
/nodes/{node_ident}/volume/targets
Retrieve Volume connector and target records
baremetal:volume:create
- Default
rule:is_admin
- Operations
POST
/volume/connectors
POST
/volume/targets
Create Volume connector and target records
baremetal:volume:delete
- Default
rule:is_admin
- Operations
DELETE
/volume/connectors/{volume_connector_id}
DELETE
/volume/targets/{volume_target_id}
Delete Volume connector and target records
baremetal:volume:update
- Default
rule:is_admin
- Operations
PATCH
/volume/connectors/{volume_connector_id}
PATCH
/volume/targets/{volume_target_id}
Update Volume connector and target records
baremetal:conductor:get
- Default
rule:is_admin or rule:is_observer
- Operations
GET
/conductors
GET
/conductors/{hostname}
Retrieve Conductor records
baremetal:allocation:get
- Default
rule:is_admin or rule:is_observer
- Operations
GET
/allocations/{allocation_id}
GET
/nodes/{node_ident}/allocation
Retrieve Allocation records
baremetal:allocation:list
- Default
rule:baremetal:allocation:get
- Operations
GET
/allocations
Retrieve multiple Allocation records, filtered by owner
baremetal:allocation:list_all
- Default
rule:baremetal:allocation:get
- Operations
GET
/allocations
Retrieve multiple Allocation records
baremetal:allocation:create
- Default
rule:is_admin
- Operations
POST
/allocations
Create Allocation records
baremetal:allocation:create_restricted
- Default
rule:baremetal:allocation:create
- Operations
POST
/allocations
Create Allocation records that are restricted to an owner
baremetal:allocation:delete
- Default
rule:is_admin
- Operations
DELETE
/allocations/{allocation_id}
DELETE
/nodes/{node_ident}/allocation
Delete Allocation records
baremetal:allocation:update
- Default
rule:is_admin
- Operations
PATCH
/allocations/{allocation_id}
Change name and extra fields of an allocation
baremetal:events:post
- Default
rule:is_admin
- Operations
POST
/events
Post events
baremetal:deploy_template:get
- Default
rule:is_admin or rule:is_observer
- Operations
GET
/deploy_templates
GET
/deploy_templates/{deploy_template_ident}
Retrieve Deploy Template records
baremetal:deploy_template:create
- Default
rule:is_admin
- Operations
POST
/deploy_templates
Create Deploy Template records
baremetal:deploy_template:delete
- Default
rule:is_admin
- Operations
DELETE
/deploy_templates/{deploy_template_ident}
Delete Deploy Template records
baremetal:deploy_template:update
- Default
rule:is_admin
- Operations
PATCH
/deploy_templates/{deploy_template_ident}
Update Deploy Template records