Ironic Policy¶
The following is a sample Ironic policy file, autogenerated from Ironic when this documentation is built. To prevent conflicts, ensure your version of Ironic aligns with the version of this documentation.
The sample policy can also be downloaded as a file
.
# Legacy rule for cloud admin access
#"admin_api": "role:admin or role:administrator"
# Internal flag for public API routes
#"public_api": "is_public_api:True"
# Show or mask secrets within node driver information in API responses
#"show_password": "!"
# Show or mask secrets within instance information in API responses
#"show_instance_secrets": "!"
# May be used to restrict access to specific projects
#"is_member": "(project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)"
# Read-only API access
#"is_observer": "rule:is_member and (role:observer or role:baremetal_observer)"
# Full read/write API access
#"is_admin": "rule:admin_api or (rule:is_member and role:baremetal_admin)"
# Owner of node
#"is_node_owner": "project_id:%(node.owner)s"
# Lessee of node
#"is_node_lessee": "project_id:%(node.lessee)s"
# Owner of allocation
#"is_allocation_owner": "project_id:%(allocation.owner)s"
# Create Node records
# POST /nodes
#"baremetal:node:create": "rule:is_admin"
# Retrieve a single Node record
# GET /nodes/{node_ident}
#"baremetal:node:get": "rule:is_admin or rule:is_observer"
# Retrieve multiple Node records, filtered by owner
# GET /nodes
# GET /nodes/detail
#"baremetal:node:list": "rule:baremetal:node:get"
# Retrieve multiple Node records
# GET /nodes
# GET /nodes/detail
#"baremetal:node:list_all": "rule:baremetal:node:get"
# Update Node records
# PATCH /nodes/{node_ident}
#"baremetal:node:update": "rule:is_admin"
# Update Node extra field
# PATCH /nodes/{node_ident}
#"baremetal:node:update_extra": "rule:baremetal:node:update"
# Update Node instance_info field
# PATCH /nodes/{node_ident}
#"baremetal:node:update_instance_info": "rule:baremetal:node:update"
# Update Node owner even when Node is provisioned
# PATCH /nodes/{node_ident}
#"baremetal:node:update_owner_provisioned": "rule:is_admin"
# Delete Node records
# DELETE /nodes/{node_ident}
#"baremetal:node:delete": "rule:is_admin"
# Request active validation of Nodes
# GET /nodes/{node_ident}/validate
#"baremetal:node:validate": "rule:is_admin"
# Set maintenance flag, taking a Node out of service
# PUT /nodes/{node_ident}/maintenance
#"baremetal:node:set_maintenance": "rule:is_admin"
# Clear maintenance flag, placing the Node into service again
# DELETE /nodes/{node_ident}/maintenance
#"baremetal:node:clear_maintenance": "rule:is_admin"
# Retrieve Node boot device metadata
# GET /nodes/{node_ident}/management/boot_device
# GET /nodes/{node_ident}/management/boot_device/supported
#"baremetal:node:get_boot_device": "rule:is_admin or rule:is_observer"
# Change Node boot device
# PUT /nodes/{node_ident}/management/boot_device
#"baremetal:node:set_boot_device": "rule:is_admin"
# Retrieve Node indicators and their states
# GET /nodes/{node_ident}/management/indicators/{component}/{indicator}
# GET /nodes/{node_ident}/management/indicators
#"baremetal:node:get_indicator_state": "rule:is_admin or rule:is_observer"
# Change Node indicator state
# PUT /nodes/{node_ident}/management/indicators/{component}/{indicator}
#"baremetal:node:set_indicator_state": "rule:is_admin"
# Inject NMI for a node
# PUT /nodes/{node_ident}/management/inject_nmi
#"baremetal:node:inject_nmi": "rule:is_admin"
# View Node power and provision state
# GET /nodes/{node_ident}/states
#"baremetal:node:get_states": "rule:is_admin or rule:is_observer"
# Change Node power status
# PUT /nodes/{node_ident}/states/power
#"baremetal:node:set_power_state": "rule:is_admin"
# Change Node provision status
# PUT /nodes/{node_ident}/states/provision
#"baremetal:node:set_provision_state": "rule:is_admin"
# Change Node RAID status
# PUT /nodes/{node_ident}/states/raid
#"baremetal:node:set_raid_state": "rule:is_admin"
# Get Node console connection information
# GET /nodes/{node_ident}/states/console
#"baremetal:node:get_console": "rule:is_admin"
# Change Node console status
# PUT /nodes/{node_ident}/states/console
#"baremetal:node:set_console_state": "rule:is_admin"
# List VIFs attached to node
# GET /nodes/{node_ident}/vifs
#"baremetal:node:vif:list": "rule:is_admin"
# Attach a VIF to a node
# POST /nodes/{node_ident}/vifs
#"baremetal:node:vif:attach": "rule:is_admin"
# Detach a VIF from a node
# DELETE /nodes/{node_ident}/vifs/{node_vif_ident}
#"baremetal:node:vif:detach": "rule:is_admin"
# List node traits
# GET /nodes/{node_ident}/traits
#"baremetal:node:traits:list": "rule:is_admin or rule:is_observer"
# Add a trait to, or replace all traits of, a node
# PUT /nodes/{node_ident}/traits
# PUT /nodes/{node_ident}/traits/{trait}
#"baremetal:node:traits:set": "rule:is_admin"
# Remove one or all traits from a node
# DELETE /nodes/{node_ident}/traits
# DELETE /nodes/{node_ident}/traits/{trait}
#"baremetal:node:traits:delete": "rule:is_admin"
# Retrieve Node BIOS information
# GET /nodes/{node_ident}/bios
# GET /nodes/{node_ident}/bios/{setting}
#"baremetal:node:bios:get": "rule:is_admin or rule:is_observer"
# Disable Node disk cleaning
# PATCH /nodes/{node_ident}
#"baremetal:node:disable_cleaning": "rule:baremetal:node:update"
# Retrieve Port records
# GET /ports/{port_id}
# GET /nodes/{node_ident}/ports
# GET /nodes/{node_ident}/ports/detail
# GET /portgroups/{portgroup_ident}/ports
# GET /portgroups/{portgroup_ident}/ports/detail
#"baremetal:port:get": "rule:is_admin or rule:is_observer"
# Retrieve multiple Port records, filtered by owner
# GET /ports
# GET /ports/detail
#"baremetal:port:list": "rule:baremetal:port:get"
# Retrieve multiple Port records
# GET /ports
# GET /ports/detail
#"baremetal:port:list_all": "rule:baremetal:port:get"
# Create Port records
# POST /ports
#"baremetal:port:create": "rule:is_admin"
# Delete Port records
# DELETE /ports/{port_id}
#"baremetal:port:delete": "rule:is_admin"
# Update Port records
# PATCH /ports/{port_id}
#"baremetal:port:update": "rule:is_admin"
# Retrieve Portgroup records
# GET /portgroups
# GET /portgroups/detail
# GET /portgroups/{portgroup_ident}
# GET /nodes/{node_ident}/portgroups
# GET /nodes/{node_ident}/portgroups/detail
#"baremetal:portgroup:get": "rule:is_admin or rule:is_observer"
# Create Portgroup records
# POST /portgroups
#"baremetal:portgroup:create": "rule:is_admin"
# Delete Portgroup records
# DELETE /portgroups/{portgroup_ident}
#"baremetal:portgroup:delete": "rule:is_admin"
# Update Portgroup records
# PATCH /portgroups/{portgroup_ident}
#"baremetal:portgroup:update": "rule:is_admin"
# Retrieve Chassis records
# GET /chassis
# GET /chassis/detail
# GET /chassis/{chassis_id}
#"baremetal:chassis:get": "rule:is_admin or rule:is_observer"
# Create Chassis records
# POST /chassis
#"baremetal:chassis:create": "rule:is_admin"
# Delete Chassis records
# DELETE /chassis/{chassis_id}
#"baremetal:chassis:delete": "rule:is_admin"
# Update Chassis records
# PATCH /chassis/{chassis_id}
#"baremetal:chassis:update": "rule:is_admin"
# View list of available drivers
# GET /drivers
# GET /drivers/{driver_name}
#"baremetal:driver:get": "rule:is_admin or rule:is_observer"
# View driver-specific properties
# GET /drivers/{driver_name}/properties
#"baremetal:driver:get_properties": "rule:is_admin or rule:is_observer"
# View driver-specific RAID metadata
# GET /drivers/{driver_name}/raid/logical_disk_properties
#"baremetal:driver:get_raid_logical_disk_properties": "rule:is_admin or rule:is_observer"
# Access vendor-specific Node functions
# GET nodes/{node_ident}/vendor_passthru/methods
# GET nodes/{node_ident}/vendor_passthru?method={method_name}
# PUT nodes/{node_ident}/vendor_passthru?method={method_name}
# POST nodes/{node_ident}/vendor_passthru?method={method_name}
# PATCH nodes/{node_ident}/vendor_passthru?method={method_name}
# DELETE nodes/{node_ident}/vendor_passthru?method={method_name}
#"baremetal:node:vendor_passthru": "rule:is_admin"
# Access vendor-specific Driver functions
# GET drivers/{driver_name}/vendor_passthru/methods
# GET drivers/{driver_name}/vendor_passthru?method={method_name}
# PUT drivers/{driver_name}/vendor_passthru?method={method_name}
# POST drivers/{driver_name}/vendor_passthru?method={method_name}
# PATCH drivers/{driver_name}/vendor_passthru?method={method_name}
# DELETE drivers/{driver_name}/vendor_passthru?method={method_name}
#"baremetal:driver:vendor_passthru": "rule:is_admin"
# Send heartbeats from IPA ramdisk
# POST /heartbeat/{node_ident}
#"baremetal:node:ipa_heartbeat": "rule:public_api"
# Access IPA ramdisk functions
# GET /lookup
#"baremetal:driver:ipa_lookup": "rule:public_api"
# Retrieve Volume connector and target records
# GET /volume
# GET /volume/connectors
# GET /volume/connectors/{volume_connector_id}
# GET /volume/targets
# GET /volume/targets/{volume_target_id}
# GET /nodes/{node_ident}/volume
# GET /nodes/{node_ident}/volume/connectors
# GET /nodes/{node_ident}/volume/targets
#"baremetal:volume:get": "rule:is_admin or rule:is_observer"
# Create Volume connector and target records
# POST /volume/connectors
# POST /volume/targets
#"baremetal:volume:create": "rule:is_admin"
# Delete Volume connector and target records
# DELETE /volume/connectors/{volume_connector_id}
# DELETE /volume/targets/{volume_target_id}
#"baremetal:volume:delete": "rule:is_admin"
# Update Volume connector and target records
# PATCH /volume/connectors/{volume_connector_id}
# PATCH /volume/targets/{volume_target_id}
#"baremetal:volume:update": "rule:is_admin"
# Retrieve Conductor records
# GET /conductors
# GET /conductors/{hostname}
#"baremetal:conductor:get": "rule:is_admin or rule:is_observer"
# Retrieve Allocation records
# GET /allocations/{allocation_id}
# GET /nodes/{node_ident}/allocation
#"baremetal:allocation:get": "rule:is_admin or rule:is_observer"
# Retrieve multiple Allocation records, filtered by owner
# GET /allocations
#"baremetal:allocation:list": "rule:baremetal:allocation:get"
# Retrieve multiple Allocation records
# GET /allocations
#"baremetal:allocation:list_all": "rule:baremetal:allocation:get"
# Create Allocation records
# POST /allocations
#"baremetal:allocation:create": "rule:is_admin"
# Create Allocation records that are restricted to an owner
# POST /allocations
#"baremetal:allocation:create_restricted": "rule:baremetal:allocation:create"
# Delete Allocation records
# DELETE /allocations/{allocation_id}
# DELETE /nodes/{node_ident}/allocation
#"baremetal:allocation:delete": "rule:is_admin"
# Change name and extra fields of an allocation
# PATCH /allocations/{allocation_id}
#"baremetal:allocation:update": "rule:is_admin"
# Post events
# POST /events
#"baremetal:events:post": "rule:is_admin"
# Retrieve Deploy Template records
# GET /deploy_templates
# GET /deploy_templates/{deploy_template_ident}
#"baremetal:deploy_template:get": "rule:is_admin or rule:is_observer"
# Create Deploy Template records
# POST /deploy_templates
#"baremetal:deploy_template:create": "rule:is_admin"
# Delete Deploy Template records
# DELETE /deploy_templates/{deploy_template_ident}
#"baremetal:deploy_template:delete": "rule:is_admin"
# Update Deploy Template records
# PATCH /deploy_templates/{deploy_template_ident}
#"baremetal:deploy_template:update": "rule:is_admin"