Nova Policies¶
The following is an overview of all available policies in Nova.
For a sample configuration file, refer to Sample Nova Policy File.
nova¶
context_is_admin- Default
role:admin
Decides what is required for the ‘is_admin:True’ check to succeed.
admin_or_owner- Default
is_admin:True or project_id:%(project_id)s
Default rule for most non-Admin APIs.
admin_api- Default
is_admin:True
Default rule for most Admin APIs.
os_compute_api:os-admin-actions:reset_state- Default
rule:admin_api- Operations
POST
/servers/{server_id}/action (os-resetState)
Reset the state of a given server
os_compute_api:os-admin-actions:inject_network_info- Default
rule:admin_api- Operations
POST
/servers/{server_id}/action (injectNetworkInfo)
Inject network information into the server
os_compute_api:os-admin-actions:reset_network- Default
rule:admin_api- Operations
POST
/servers/{server_id}/action (resetNetwork)
Reset networking on a server
os_compute_api:os-admin-password- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (changePassword)
Change the administrative password for a server
os_compute_api:os-agents- Default
rule:admin_api- Operations
GET
/os-agentsPOST
/os-agentsPUT
/os-agents/{agent_build_id}DELETE
/os-agents/{agent_build_id}
Create, list, update, and delete guest agent builds
This is XenAPI driver specific. It is used to force the upgrade of the XenAPI guest agent on instance boot.
os_compute_api:os-aggregates:set_metadata- Default
rule:admin_api- Operations
POST
/os-aggregates/{aggregate_id}/action (set_metadata)
Create or replace metadata for an aggregate
os_compute_api:os-aggregates:add_host- Default
rule:admin_api- Operations
POST
/os-aggregates/{aggregate_id}/action (add_host)
Add a host to an aggregate
os_compute_api:os-aggregates:create- Default
rule:admin_api- Operations
POST
/os-aggregates
Create an aggregate
os_compute_api:os-aggregates:remove_host- Default
rule:admin_api- Operations
POST
/os-aggregates/{aggregate_id}/action (remove_host)
Remove a host from an aggregate
os_compute_api:os-aggregates:update- Default
rule:admin_api- Operations
PUT
/os-aggregates/{aggregate_id}
Update name and/or availability zone for an aggregate
os_compute_api:os-aggregates:index- Default
rule:admin_api- Operations
GET
/os-aggregates
List all aggregates
os_compute_api:os-aggregates:delete- Default
rule:admin_api- Operations
DELETE
/os-aggregates/{aggregate_id}
Delete an aggregate
os_compute_api:os-aggregates:show- Default
rule:admin_api- Operations
GET
/os-aggregates/{aggregate_id}
Show details for an aggregate
os_compute_api:os-assisted-volume-snapshots:create- Default
rule:admin_api- Operations
POST
/os-assisted-volume-snapshots
Create an assisted volume snapshot
os_compute_api:os-assisted-volume-snapshots:delete- Default
rule:admin_api- Operations
DELETE
/os-assisted-volume-snapshots/{snapshot_id}
Delete an assisted volume snapshot
os_compute_api:os-attach-interfaces- Default
rule:admin_or_owner- Operations
GET
/servers/{server_id}/os-interfaceGET
/servers/{server_id}/os-interface/{port_id}
List port interfaces or show details of a port interface attached to a server
os_compute_api:os-attach-interfaces:create- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/os-interface
Attach an interface to a server
os_compute_api:os-attach-interfaces:delete- Default
rule:admin_or_owner- Operations
DELETE
/servers/{server_id}/os-interface/{port_id}
Detach an interface from a server
os_compute_api:os-availability-zone:list- Default
rule:admin_or_owner- Operations
GET
/os-availability-zone
List availability zone information without host information
os_compute_api:os-availability-zone:detail- Default
rule:admin_api- Operations
GET
/os-availability-zone/detail
List detailed availability zone information with host information
os_compute_api:os-baremetal-nodes- Default
rule:admin_api- Operations
GET
/os-baremetal-nodesGET
/os-baremetal-nodes/{node_id}
List and show details of bare metal nodes.
These APIs are proxy calls to the Ironic service and are deprecated.
os_compute_api:os-console-auth-tokens- Default
rule:admin_api- Operations
GET
/os-console-auth-tokens/{console_token}
Show console connection information for a given console authentication token
os_compute_api:os-console-output- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (os-getConsoleOutput)
Show console output for a server
os_compute_api:os-consoles:create- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/consoles
Create a console for a server instance
os_compute_api:os-consoles:show- Default
rule:admin_or_owner- Operations
GET
/servers/{server_id}/consoles/{console_id}
Show console details for a server instance
os_compute_api:os-consoles:delete- Default
rule:admin_or_owner- Operations
DELETE
/servers/{server_id}/consoles/{console_id}
Delete a console for a server instance
os_compute_api:os-consoles:index- Default
rule:admin_or_owner- Operations
GET
/servers/{server_id}/consoles
List all consoles for a server instance
os_compute_api:os-create-backup- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (createBackup)
Create a back up of a server
os_compute_api:os-deferred-delete- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (restore)POST
/servers/{server_id}/action (forceDelete)
Restore a soft deleted server or force delete a server before deferred cleanup
os_compute_api:os-evacuate- Default
rule:admin_api- Operations
POST
/servers/{server_id}/action (evacuate)
Evacuate a server from a failed host to a new host
os_compute_api:os-extended-server-attributes- Default
rule:admin_api- Operations
GET
/servers/{id}GET
/servers/detail
Return extended attributes for server.
This rule will control the visibility for a set of servers attributes:
OS-EXT-SRV-ATTR:hostOS-EXT-SRV-ATTR:instance_nameOS-EXT-SRV-ATTR:reservation_id(since microversion 2.3)OS-EXT-SRV-ATTR:launch_index(since microversion 2.3)OS-EXT-SRV-ATTR:hostname(since microversion 2.3)OS-EXT-SRV-ATTR:kernel_id(since microversion 2.3)OS-EXT-SRV-ATTR:ramdisk_id(since microversion 2.3)OS-EXT-SRV-ATTR:root_device_name(since microversion 2.3)OS-EXT-SRV-ATTR:user_data(since microversion 2.3)
os_compute_api:extensions- Default
rule:admin_or_owner- Operations
GET
/extensionsGET
/extensions/{alias}
List available extensions and show information for an extension by alias
os_compute_api:os-flavor-access:add_tenant_access- Default
rule:admin_api- Operations
POST
/flavors/{flavor_id}/action (addTenantAccess)
Add flavor access to a tenant
os_compute_api:os-flavor-access:remove_tenant_access- Default
rule:admin_api- Operations
POST
/flavors/{flavor_id}/action (removeTenantAccess)
Remove flavor access from a tenant
os_compute_api:os-flavor-access- Default
rule:admin_or_owner- Operations
GET
/flavors/{flavor_id}/os-flavor-access
List flavor access information
Allows access to the full list of tenants that have access to a flavor via an os-flavor-access API.
os_compute_api:os-flavor-extra-specs:show- Default
rule:admin_or_owner- Operations
GET
/flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
Show an extra spec for a flavor
os_compute_api:os-flavor-extra-specs:create- Default
rule:admin_api- Operations
POST
/flavors/{flavor_id}/os-extra_specs/
Create extra specs for a flavor
os_compute_api:os-flavor-extra-specs:update- Default
rule:admin_api- Operations
PUT
/flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
Update an extra spec for a flavor
os_compute_api:os-flavor-extra-specs:delete- Default
rule:admin_api- Operations
DELETE
/flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
Delete an extra spec for a flavor
os_compute_api:os-flavor-extra-specs:index- Default
rule:admin_or_owner- Operations
GET
/flavors/{flavor_id}/os-extra_specs/GET
/servers/detailGET
/servers/{server_id}PUT
/servers/{server_id}POST
/servers/{server_id}/action (rebuild)POST
/flavorsGET
/flavors/detailGET
/flavors/{flavor_id}PUT
/flavors/{flavor_id}
List extra specs for a flavor. Starting with microversion 2.47, the flavor used for a server is also returned in the response when showing server details, updating a server or rebuilding a server. Starting with microversion 2.61, extra specs may be returned in responses for the flavor resource.
os_compute_api:os-flavor-manage:create- Default
rule:admin_api- Operations
POST
/flavors
Create a flavor
os_compute_api:os-flavor-manage:update- Default
rule:admin_api- Operations
PUT
/flavors/{flavor_id}
Update a flavor
os_compute_api:os-flavor-manage:delete- Default
rule:admin_api- Operations
DELETE
/flavors/{flavor_id}
Delete a flavor
os_compute_api:os-floating-ip-pools- Default
rule:admin_or_owner- Operations
GET
/os-floating-ip-pools
List floating IP pools. This API is deprecated.
os_compute_api:os-floating-ips- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (addFloatingIp)POST
/servers/{server_id}/action (removeFloatingIp)GET
/os-floating-ipsPOST
/os-floating-ipsGET
/os-floating-ips/{floating_ip_id}DELETE
/os-floating-ips/{floating_ip_id}
Manage a project’s floating IPs. These APIs are all deprecated.
os_compute_api:os-hosts- Default
rule:admin_api- Operations
GET
/os-hostsGET
/os-hosts/{host_name}PUT
/os-hosts/{host_name}GET
/os-hosts/{host_name}/rebootGET
/os-hosts/{host_name}/shutdownGET
/os-hosts/{host_name}/startup
List, show and manage physical hosts.
These APIs are all deprecated in favor of os-hypervisors and os-services.
os_compute_api:os-hypervisors- Default
rule:admin_api- Operations
GET
/os-hypervisorsGET
/os-hypervisors/detailsGET
/os-hypervisors/statisticsGET
/os-hypervisors/{hypervisor_id}GET
/os-hypervisors/{hypervisor_id}/uptimeGET
/os-hypervisors/{hypervisor_hostname_pattern}/searchGET
/os-hypervisors/{hypervisor_hostname_pattern}/servers
Policy rule for hypervisor related APIs.
This rule will be checked for the following APIs:
List all hypervisors, list all hypervisors with details, show summary statistics for all hypervisors over all compute nodes, show details for a hypervisor, show the uptime of a hypervisor, search hypervisor by hypervisor_hostname pattern and list all servers on hypervisors that can match the provided hypervisor_hostname pattern.
os_compute_api:os-instance-actions:events- Default
rule:admin_api- Operations
GET
/servers/{server_id}/os-instance-actions/{request_id}
Add events details in action details for a server.
This check is performed only after the check os_compute_api:os-instance-actions passes. Beginning with Microversion 2.51, events details are always included; traceback information is provided per event if policy enforcement passes. Beginning with Microversion 2.62, each event includes a hashed host identifier and, if policy enforcement passes, the name of the host.
os_compute_api:os-instance-actions- Default
rule:admin_or_owner- Operations
GET
/servers/{server_id}/os-instance-actionsGET
/servers/{server_id}/os-instance-actions/{request_id}
List actions and show action details for a server.
os_compute_api:os-instance-usage-audit-log- Default
rule:admin_api- Operations
GET
/os-instance_usage_audit_logGET
/os-instance_usage_audit_log/{before_timestamp}
List all usage audits and that occurred before a specified time for all servers on all compute hosts where usage auditing is configured
os_compute_api:ips:show- Default
rule:admin_or_owner- Operations
GET
/servers/{server_id}/ips/{network_label}
Show IP addresses details for a network label of a server
os_compute_api:ips:index- Default
rule:admin_or_owner- Operations
GET
/servers/{server_id}/ips
List IP addresses that are assigned to a server
os_compute_api:os-keypairs:index- Default
rule:admin_api or user_id:%(user_id)s- Operations
GET
/os-keypairs
List all keypairs
os_compute_api:os-keypairs:create- Default
rule:admin_api or user_id:%(user_id)s- Operations
POST
/os-keypairs
Create a keypair
os_compute_api:os-keypairs:delete- Default
rule:admin_api or user_id:%(user_id)s- Operations
DELETE
/os-keypairs/{keypair_name}
Delete a keypair
os_compute_api:os-keypairs:show- Default
rule:admin_api or user_id:%(user_id)s- Operations
GET
/os-keypairs/{keypair_name}
Show details of a keypair
os_compute_api:limits- Default
rule:admin_or_owner- Operations
GET
/limits
Show rate and absolute limits for the project
os_compute_api:os-lock-server:lock- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (lock)
Lock a server
os_compute_api:os-lock-server:unlock- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (unlock)
Unlock a server
os_compute_api:os-lock-server:unlock:unlock_override- Default
rule:admin_api- Operations
POST
/servers/{server_id}/action (unlock)
Unlock a server, regardless who locked the server.
This check is performed only after the check os_compute_api:os-lock-server:unlock passes
os_compute_api:os-migrate-server:migrate- Default
rule:admin_api- Operations
POST
/servers/{server_id}/action (migrate)
Cold migrate a server to a host
os_compute_api:os-migrate-server:migrate_live- Default
rule:admin_api- Operations
POST
/servers/{server_id}/action (os-migrateLive)
Live migrate a server to a new host without a reboot
os_compute_api:os-migrations:index- Default
rule:admin_api- Operations
GET
/os-migrations
List migrations
os_compute_api:os-multinic- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (addFixedIp)POST
/servers/{server_id}/action (removeFixedIp)
Add or remove a fixed IP address from a server.
These APIs are proxy calls to the Network service. These are all deprecated.
os_compute_api:os-networks- Default
rule:admin_api- Operations
POST
/os-networksPOST
/os-networks/addDELETE
/os-networks/{network_id}POST
/os-networks/{network_id}/action (disassociate)
Create and delete a network, add and disassociate a network from a project.
These APIs are only available with nova-network which is deprecated.
os_compute_api:os-networks:view- Default
rule:admin_or_owner- Operations
GET
/os-networksGET
/os-networks/{network_id}
List networks for the project and show details for a network.
These APIs are proxy calls to the Network service. These are all deprecated.
os_compute_api:os-networks-associate- Default
rule:admin_api- Operations
POST
/os-networks/{network_id}/action (disassociate_host)POST
/os-networks/{network_id}/action (disassociate_project)POST
/os-networks/{network_id}/action (associate_host)
Associate or disassociate a network from a host or project.
These APIs are only available with nova-network which is deprecated.
os_compute_api:os-pause-server:pause- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (pause)
Pause a server
os_compute_api:os-pause-server:unpause- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (unpause)
Unpause a paused server
os_compute_api:os-quota-class-sets:show- Default
is_admin:True or quota_class:%(quota_class)s- Operations
GET
/os-quota-class-sets/{quota_class}
List quotas for specific quota classs
os_compute_api:os-quota-class-sets:update- Default
rule:admin_api- Operations
PUT
/os-quota-class-sets/{quota_class}
Update quotas for specific quota class
os_compute_api:os-quota-sets:update- Default
rule:admin_api- Operations
PUT
/os-quota-sets/{tenant_id}
Update the quotas
os_compute_api:os-quota-sets:defaults- Default
@- Operations
GET
/os-quota-sets/{tenant_id}/defaults
List default quotas
os_compute_api:os-quota-sets:show- Default
rule:admin_or_owner- Operations
GET
/os-quota-sets/{tenant_id}
Show a quota
os_compute_api:os-quota-sets:delete- Default
rule:admin_api- Operations
DELETE
/os-quota-sets/{tenant_id}
Revert quotas to defaults
os_compute_api:os-quota-sets:detail- Default
rule:admin_or_owner- Operations
GET
/os-quota-sets/{tenant_id}/detail
Show the detail of quota
os_compute_api:os-remote-consoles- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (os-getRDPConsole)POST
/servers/{server_id}/action (os-getSerialConsole)POST
/servers/{server_id}/action (os-getSPICEConsole)POST
/servers/{server_id}/action (os-getVNCConsole)POST
/servers/{server_id}/remote-consoles
Generate a URL to access remove server console
os_compute_api:os-rescue- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (rescue)POST
/servers/{server_id}/action (unrescue)
Rescue/unrescue a server
os_compute_api:os-security-group-default-rules- Default
rule:admin_api- Operations
GET
/os-security-group-default-rulesGET
/os-security-group-default-rules/{security_group_default_rule_id}POST
/os-security-group-default-rulesDELETE
/os-security-group-default-rules/{security_group_default_rule_id}
List, show information for, create, or delete default security group rules.
These APIs are only available with nova-network which is now deprecated.
os_compute_api:os-security-groups- Default
rule:admin_or_owner- Operations
GET
/os-security-groupsGET
/os-security-groups/{security_group_id}POST
/os-security-groupsPUT
/os-security-groups/{security_group_id}DELETE
/os-security-groups/{security_group_id}GET
/servers/{server_id}/os-security-groupsPOST
/servers/{server_id}/action (addSecurityGroup)POST
/servers/{server_id}/action (removeSecurityGroup)
List, show, add, or remove security groups.
APIs which are directly related to security groups resource are deprecated: Lists, shows information for, creates, updates and deletes security groups. Creates and deletes security group rules. All these APIs are deprecated.
APIs which are related to server resource are not deprecated: Lists Security Groups for a server. Add Security Group to a server and remove security group from a server.
os_compute_api:os-server-diagnostics- Default
rule:admin_api- Operations
GET
/servers/{server_id}/diagnostics
Show the usage data for a server
os_compute_api:os-server-external-events:create- Default
rule:admin_api- Operations
POST
/os-server-external-events
Create one or more external events
os_compute_api:os-server-groups:create- Default
rule:admin_or_owner- Operations
POST
/os-server-groups
Create a new server group
os_compute_api:os-server-groups:delete- Default
rule:admin_or_owner- Operations
DELETE
/os-server-groups/{server_group_id}
Delete a server group
os_compute_api:os-server-groups:index- Default
rule:admin_or_owner- Operations
GET
/os-server-groups
List all server groups
os_compute_api:os-server-groups:show- Default
rule:admin_or_owner- Operations
GET
/os-server-groups/{server_group_id}
Show details of a server group
os_compute_api:server-metadata:index- Default
rule:admin_or_owner- Operations
GET
/servers/{server_id}/metadata
List all metadata of a server
os_compute_api:server-metadata:show- Default
rule:admin_or_owner- Operations
GET
/servers/{server_id}/metadata/{key}
Show metadata for a server
os_compute_api:server-metadata:create- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/metadata
Create metadata for a server
os_compute_api:server-metadata:update_all- Default
rule:admin_or_owner- Operations
PUT
/servers/{server_id}/metadata
Replace metadata for a server
os_compute_api:server-metadata:update- Default
rule:admin_or_owner- Operations
PUT
/servers/{server_id}/metadata/{key}
Update metadata from a server
os_compute_api:server-metadata:delete- Default
rule:admin_or_owner- Operations
DELETE
/servers/{server_id}/metadata/{key}
Delete metadata from a server
os_compute_api:os-server-password- Default
rule:admin_or_owner- Operations
GET
/servers/{server_id}/os-server-passwordDELETE
/servers/{server_id}/os-server-password
Show and clear the encrypted administrative password of a server
os_compute_api:os-server-tags:delete_all- Default
rule:admin_or_owner- Operations
DELETE
/servers/{server_id}/tags
Delete all the server tags
os_compute_api:os-server-tags:index- Default
rule:admin_or_owner- Operations
GET
/servers/{server_id}/tags
List all tags for given server
os_compute_api:os-server-tags:update_all- Default
rule:admin_or_owner- Operations
PUT
/servers/{server_id}/tags
Replace all tags on specified server with the new set of tags.
os_compute_api:os-server-tags:delete- Default
rule:admin_or_owner- Operations
DELETE
/servers/{server_id}/tags/{tag}
Delete a single tag from the specified server
os_compute_api:os-server-tags:update- Default
rule:admin_or_owner- Operations
PUT
/servers/{server_id}/tags/{tag}
Add a single tag to the server if server has no specified tag
os_compute_api:os-server-tags:show- Default
rule:admin_or_owner- Operations
GET
/servers/{server_id}/tags/{tag}
Check tag existence on the server.
compute:server:topology:index- Default
rule:admin_or_owner- Operations
GET
/servers/{server_id}/topology
Show the NUMA topology data for a server
compute:server:topology:host:index- Default
rule:admin_api- Operations
GET
/servers/{server_id}/topology
Show the NUMA topology data for a server with host NUMA ID and CPU pinning information
os_compute_api:servers:index- Default
rule:admin_or_owner- Operations
GET
/servers
List all servers
os_compute_api:servers:detail- Default
rule:admin_or_owner- Operations
GET
/servers/detail
List all servers with detailed information
os_compute_api:servers:index:get_all_tenants- Default
rule:admin_api- Operations
GET
/servers
List all servers for all projects
os_compute_api:servers:detail:get_all_tenants- Default
rule:admin_api- Operations
GET
/servers/detail
List all servers with detailed information for all projects
os_compute_api:servers:allow_all_filters- Default
rule:admin_api- Operations
GET
/serversGET
/servers/detail
Allow all filters when listing servers
os_compute_api:servers:show- Default
rule:admin_or_owner- Operations
GET
/servers/{server_id}
Show a server
os_compute_api:servers:show:host_status- Default
rule:admin_api- Operations
GET
/servers/{server_id}GET
/servers/detail
Show a server with additional host status information
os_compute_api:servers:create- Default
rule:admin_or_owner- Operations
POST
/servers
Create a server
os_compute_api:servers:create:forced_host- Default
rule:admin_api- Operations
POST
/servers
Create a server on the specified host and/or node.
In this case, the server is forced to launch on the specified host and/or node by bypassing the scheduler filters unlike the
compute:servers:create:requested_destinationrule.compute:servers:create:requested_destination- Default
rule:admin_api- Operations
POST
/servers
Create a server on the requested compute service host and/or hypervisor_hostname.
In this case, the requested host and/or hypervisor_hostname is validated by the scheduler filters unlike the
os_compute_api:servers:create:forced_hostrule.os_compute_api:servers:create:attach_volume- Default
rule:admin_or_owner- Operations
POST
/servers
Create a server with the requested volume attached to it
os_compute_api:servers:create:attach_network- Default
rule:admin_or_owner- Operations
POST
/servers
Create a server with the requested network attached to it
os_compute_api:servers:create:trusted_certs- Default
rule:admin_or_owner- Operations
POST
/servers
Create a server with trusted image certificate IDs
os_compute_api:servers:create:zero_disk_flavor- Default
rule:admin_api- Operations
POST
/servers
This rule controls the compute API validation behavior of creating a server with a flavor that has 0 disk, indicating the server should be volume-backed.
For a flavor with disk=0, the root disk will be set to exactly the size of the image used to deploy the instance. However, in this case the filter_scheduler cannot select the compute host based on the virtual image size. Therefore, 0 should only be used for volume booted instances or for testing purposes.
WARNING: It is a potential security exposure to enable this policy rule if users can upload their own images since repeated attempts to create a disk=0 flavor instance with a large image can exhaust the local disk of the compute (or shared storage cluster). See bug https://bugs.launchpad.net/nova/+bug/1739646 for details.
network:attach_external_network- Default
is_admin:True- Operations
POST
/serversPOST
/servers/{server_id}/os-interface
Attach an unshared external network to a server
os_compute_api:servers:delete- Default
rule:admin_or_owner- Operations
DELETE
/servers/{server_id}
Delete a server
os_compute_api:servers:update- Default
rule:admin_or_owner- Operations
PUT
/servers/{server_id}
Update a server
os_compute_api:servers:confirm_resize- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (confirmResize)
Confirm a server resize
os_compute_api:servers:revert_resize- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (revertResize)
Revert a server resize
os_compute_api:servers:reboot- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (reboot)
Reboot a server
os_compute_api:servers:resize- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (resize)
Resize a server
os_compute_api:servers:rebuild- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (rebuild)
Rebuild a server
os_compute_api:servers:rebuild:trusted_certs- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (rebuild)
Rebuild a server with trusted image certificate IDs
os_compute_api:servers:create_image- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (createImage)
Create an image from a server
os_compute_api:servers:create_image:allow_volume_backed- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (createImage)
Create an image from a volume backed server
os_compute_api:servers:start- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (os-start)
Start a server
os_compute_api:servers:stop- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (os-stop)
Stop a server
os_compute_api:servers:trigger_crash_dump- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (trigger_crash_dump)
Trigger crash dump in a server
os_compute_api:servers:migrations:show- Default
rule:admin_api- Operations
GET
/servers/{server_id}/migrations/{migration_id}
Show details for an in-progress live migration for a given server
os_compute_api:servers:migrations:force_complete- Default
rule:admin_api- Operations
POST
/servers/{server_id}/migrations/{migration_id}/action (force_complete)
Force an in-progress live migration for a given server to complete
os_compute_api:servers:migrations:delete- Default
rule:admin_api- Operations
DELETE
/servers/{server_id}/migrations/{migration_id}
Delete(Abort) an in-progress live migration
os_compute_api:servers:migrations:index- Default
rule:admin_api- Operations
GET
/servers/{server_id}/migrations
Lists in-progress live migrations for a given server
os_compute_api:os-services- Default
rule:admin_api- Operations
GET
/os-servicesPUT
/os-services/enablePUT
/os-services/disablePUT
/os-services/disable-log-reasonPUT
/os-services/force-downPUT
/os-services/{service_id}DELETE
/os-services/{service_id}
List all running Compute services in a region, enables or disable scheduling for a Compute service, logs disabled Compute service information, set or unset forced_down flag for the compute service and delete a Compute service
os_compute_api:os-shelve:shelve- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (shelve)
Shelve server
os_compute_api:os-shelve:unshelve- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (unshelve)
Unshelve (restore) shelved server
os_compute_api:os-shelve:shelve_offload- Default
rule:admin_api- Operations
POST
/servers/{server_id}/action (shelveOffload)
Shelf-offload (remove) server
os_compute_api:os-simple-tenant-usage:show- Default
rule:admin_or_owner- Operations
GET
/os-simple-tenant-usage/{tenant_id}
Show usage statistics for a specific tenant
os_compute_api:os-simple-tenant-usage:list- Default
rule:admin_api- Operations
GET
/os-simple-tenant-usage
List per tenant usage statistics for all tenants
os_compute_api:os-suspend-server:resume- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (resume)
Resume suspended server
os_compute_api:os-suspend-server:suspend- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/action (suspend)
Suspend server
os_compute_api:os-tenant-networks- Default
rule:admin_or_owner- Operations
GET
/os-tenant-networksPOST
/os-tenant-networksGET
/os-tenant-networks/{network_id}DELETE
/os-tenant-networks/{network_id}
Create, list, show information for, and delete project networks.
These APIs are proxy calls to the Network service. These are all deprecated.
os_compute_api:os-used-limits- Default
rule:admin_api- Operations
GET
/limits
Show rate and absolute limits for the project.
This policy only checks if the user has access to the requested project limits. And this check is performed only after the check os_compute_api:limits passes
os_compute_api:os-volumes- Default
rule:admin_or_owner- Operations
GET
/os-volumesPOST
/os-volumesGET
/os-volumes/detailGET
/os-volumes/{volume_id}DELETE
/os-volumes/{volume_id}GET
/os-snapshotsPOST
/os-snapshotsGET
/os-snapshots/detailGET
/os-snapshots/{snapshot_id}DELETE
/os-snapshots/{snapshot_id}
Manage volumes for use with the Compute API.
Lists, shows details, creates, and deletes volumes and snapshots. These APIs are proxy calls to the Volume service. These are all deprecated.
os_compute_api:os-volumes-attachments:index- Default
rule:admin_or_owner- Operations
GET
/servers/{server_id}/os-volume_attachments
List volume attachments for an instance
os_compute_api:os-volumes-attachments:create- Default
rule:admin_or_owner- Operations
POST
/servers/{server_id}/os-volume_attachments
Attach a volume to an instance
os_compute_api:os-volumes-attachments:show- Default
rule:admin_or_owner- Operations
GET
/servers/{server_id}/os-volume_attachments/{volume_id}
Show details of a volume attachment
os_compute_api:os-volumes-attachments:update- Default
rule:admin_api- Operations
PUT
/servers/{server_id}/os-volume_attachments/{volume_id}
Update a volume attachment
os_compute_api:os-volumes-attachments:delete- Default
rule:admin_or_owner- Operations
DELETE
/servers/{server_id}/os-volume_attachments/{volume_id}
Detach a volume from an instance
