Policy configuration¶
Configuration¶
The following is an overview of all available policies in Cinder.
cinder¶
context_is_admin- Default
role:admin
Decides what is required for the ‘is_admin:True’ check to succeed.
admin_or_owner- Default
is_admin:True or (role:admin and is_admin_project:True) or project_id:%(project_id)s
Default rule for most non-Admin APIs.
admin_api- Default
is_admin:True or (role:admin and is_admin_project:True)
Default rule for most Admin APIs.
volume:attachment_create- Default
<empty string>
- Operations
POST
/attachments
Create attachment.
volume:attachment_update- Default
rule:admin_or_owner- Operations
PUT
/attachments/{attachment_id}
Update attachment.
volume:attachment_delete- Default
rule:admin_or_owner- Operations
DELETE
/attachments/{attachment_id}
Delete attachment.
volume:attachment_complete- Default
rule:admin_or_owner- Operations
POST
/attachments/{attachment_id}/action (os-complete)
Mark a volume attachment process as completed (in-use)
volume:multiattach_bootable_volume- Default
rule:admin_or_owner- Operations
POST
/attachments
Allow multiattach of bootable volumes.
message:get_all- Default
rule:admin_or_owner- Operations
GET
/messages
List messages.
message:get- Default
rule:admin_or_owner- Operations
GET
/messages/{message_id}
Show message.
message:delete- Default
rule:admin_or_owner- Operations
DELETE
/messages/{message_id}
Delete message.
clusters:get_all- Default
rule:admin_api- Operations
GET
/clustersGET
/clusters/detail
List clusters.
clusters:get- Default
rule:admin_api- Operations
GET
/clusters/{cluster_id}
Show cluster.
clusters:update- Default
rule:admin_api- Operations
PUT
/clusters/{cluster_id}
Update cluster.
workers:cleanup- Default
rule:admin_api- Operations
POST
/workers/cleanup
Clean up workers.
volume:get_snapshot_metadata- Default
rule:admin_or_owner- Operations
GET
/snapshots/{snapshot_id}/metadataGET
/snapshots/{snapshot_id}/metadata/{key}
Show snapshot’s metadata or one specified metadata with a given key.
volume:update_snapshot_metadata- Default
rule:admin_or_owner- Operations
PUT
/snapshots/{snapshot_id}/metadataPUT
/snapshots/{snapshot_id}/metadata/{key}
Update snapshot’s metadata or one specified metadata with a given key.
volume:delete_snapshot_metadata- Default
rule:admin_or_owner- Operations
DELETE
/snapshots/{snapshot_id}/metadata/{key}
Delete snapshot’s specified metadata with a given key.
volume:get_all_snapshots- Default
rule:admin_or_owner- Operations
GET
/snapshotsGET
/snapshots/detail
List snapshots.
volume_extension:extended_snapshot_attributes- Default
rule:admin_or_owner- Operations
GET
/snapshots/{snapshot_id}GET
/snapshots/detail
List or show snapshots with extended attributes.
volume:create_snapshot- Default
rule:admin_or_owner- Operations
POST
/snapshots
Create snapshot.
volume:get_snapshot- Default
rule:admin_or_owner- Operations
GET
/snapshots/{snapshot_id}
Show snapshot.
volume:update_snapshot- Default
rule:admin_or_owner- Operations
PUT
/snapshots/{snapshot_id}
Update snapshot.
volume:delete_snapshot- Default
rule:admin_or_owner- Operations
DELETE
/snapshots/{snapshot_id}
Delete snapshot.
volume_extension:snapshot_admin_actions:reset_status- Default
rule:admin_api- Operations
POST
/snapshots/{snapshot_id}/action (os-reset_status)
Reset status of a snapshot.
snapshot_extension:snapshot_actions:update_snapshot_status- Default
<empty string>
- Operations
POST
/snapshots/{snapshot_id}/action (update_snapshot_status)
Update database fields of snapshot.
volume_extension:snapshot_admin_actions:force_delete- Default
rule:admin_api- Operations
POST
/snapshots/{snapshot_id}/action (os-force_delete)
Force delete a snapshot.
snapshot_extension:list_manageable- Default
rule:admin_api- Operations
GET
/manageable_snapshotsGET
/manageable_snapshots/detail
List (in detail) of snapshots which are available to manage.
snapshot_extension:snapshot_manage- Default
rule:admin_api- Operations
POST
/manageable_snapshots
Manage an existing snapshot.
snapshot_extension:snapshot_unmanage- Default
rule:admin_api- Operations
POST
/snapshots/{snapshot_id}/action (os-unmanage)
Stop managing a snapshot.
backup:get_all- Default
rule:admin_or_owner- Operations
GET
/backupsGET
/backups/detail
List backups.
backup:backup_project_attribute- Default
rule:admin_api- Operations
GET
/backups/{backup_id}GET
/backups/detail
List backups or show backup with project attributes.
backup:create- Default
<empty string>
- Operations
POST
/backups
Create backup.
backup:get- Default
rule:admin_or_owner- Operations
GET
/backups/{backup_id}
Show backup.
backup:update- Default
rule:admin_or_owner- Operations
PUT
/backups/{backup_id}
Update backup.
backup:delete- Default
rule:admin_or_owner- Operations
DELETE
/backups/{backup_id}
Delete backup.
backup:restore- Default
rule:admin_or_owner- Operations
POST
/backups/{backup_id}/restore
Restore backup.
backup:backup-import- Default
rule:admin_api- Operations
POST
/backups/{backup_id}/import_record
Import backup.
backup:export-import- Default
rule:admin_api- Operations
POST
/backups/{backup_id}/export_record
Export backup.
volume_extension:backup_admin_actions:reset_status- Default
rule:admin_api- Operations
POST
/backups/{backup_id}/action (os-reset_status)
Reset status of a backup.
volume_extension:backup_admin_actions:force_delete- Default
rule:admin_api- Operations
POST
/backups/{backup_id}/action (os-force_delete)
Force delete a backup.
group:get_all- Default
rule:admin_or_owner- Operations
GET
/groupsGET
/groups/detail
List groups.
group:create- Default
<empty string>
- Operations
POST
/groups
Create group.
group:get- Default
rule:admin_or_owner- Operations
GET
/groups/{group_id}
Show group.
group:update- Default
rule:admin_or_owner- Operations
PUT
/groups/{group_id}
Update group.
group:group_project_attribute- Default
rule:admin_api- Operations
GET
/groups/{group_id}GET
/groups/detail
List groups or show group with project attributes.
group:group_types_manage- Default
rule:admin_api- Operations
POST
/group_types/PUT
/group_types/{group_type_id}DELETE
/group_types/{group_type_id}
Create, update or delete a group type.
group:access_group_types_specs- Default
rule:admin_api- Operations
GET
/group_types/{group_type_id}
Show group type with type specs attributes.
group:group_types_specs- Default
rule:admin_api- Operations
GET
/group_types/{group_type_id}/group_specs/{g_spec_id}GET
/group_types/{group_type_id}/group_specsPOST
/group_types/{group_type_id}/group_specsPUT
/group_types/{group_type_id}/group_specs/{g_spec_id}DELETE
/group_types/{group_type_id}/group_specs/{g_spec_id}
Create, show, update and delete group type spec.
group:get_all_group_snapshots- Default
rule:admin_or_owner- Operations
GET
/group_snapshotsGET
/group_snapshots/detail
List group snapshots.
group:create_group_snapshot- Default
<empty string>
- Operations
POST
/group_snapshots
Create group snapshot.
group:get_group_snapshot- Default
rule:admin_or_owner- Operations
GET
/group_snapshots/{group_snapshot_id}
Show group snapshot.
group:delete_group_snapshot- Default
rule:admin_or_owner- Operations
DELETE
/group_snapshots/{group_snapshot_id}
Delete group snapshot.
group:update_group_snapshot- Default
rule:admin_or_owner- Operations
PUT
/group_snapshots/{group_snapshot_id}
Update group snapshot.
group:group_snapshot_project_attribute- Default
rule:admin_api- Operations
GET
/group_snapshots/{group_snapshot_id}GET
/group_snapshots/detail
List group snapshots or show group snapshot with project attributes.
group:reset_group_snapshot_status- Default
rule:admin_or_owner- Operations
POST
/group_snapshots/{g_snapshot_id}/action (reset_status)
Reset status of group snapshot.
group:delete- Default
rule:admin_or_owner- Operations
POST
/groups/{group_id}/action (delete)
Delete group.
group:reset_status- Default
rule:admin_api- Operations
POST
/groups/{group_id}/action (reset_status)
Reset status of group.
group:enable_replication- Default
rule:admin_or_owner- Operations
POST
/groups/{group_id}/action (enable_replication)
Enable replication.
group:disable_replication- Default
rule:admin_or_owner- Operations
POST
/groups/{group_id}/action (disable_replication)
Disable replication.
group:failover_replication- Default
rule:admin_or_owner- Operations
POST
/groups/{group_id}/action (failover_replication)
Fail over replication.
group:list_replication_targets- Default
rule:admin_or_owner- Operations
POST
/groups/{group_id}/action (list_replication_targets)
List failover replication.
volume_extension:qos_specs_manage:get_all- Default
rule:admin_api- Operations
GET
/qos-specsGET
/qos-specs/{qos_id}/associations
List qos specs or list all associations.
volume_extension:qos_specs_manage:get- Default
rule:admin_api- Operations
GET
/qos-specs/{qos_id}
Show qos specs.
volume_extension:qos_specs_manage:create- Default
rule:admin_api- Operations
POST
/qos-specs
Create qos specs.
volume_extension:qos_specs_manage:update- Default
rule:admin_api- Operations
PUT
/qos-specs/{qos_id}GET
/qos-specs/{qos_id}/disassociate_allGET
/qos-specs/{qos_id}/associateGET
/qos-specs/{qos_id}/disassociate
Update qos specs (including updating association).
volume_extension:qos_specs_manage:delete- Default
rule:admin_api- Operations
DELETE
/qos-specs/{qos_id}PUT
/qos-specs/{qos_id}/delete_keys
delete qos specs or unset one specified qos key.
volume_extension:quota_classes- Default
rule:admin_api- Operations
GET
/os-quota-class-sets/{project_id}PUT
/os-quota-class-sets/{project_id}
Show or update project quota class.
volume_extension:quotas:show- Default
rule:admin_or_owner- Operations
GET
/os-quota-sets/{project_id}GET
/os-quota-sets/{project_id}/defaultGET
/os-quota-sets/{project_id}?usage=True
Show project quota (including usage and default).
volume_extension:quotas:update- Default
rule:admin_api- Operations
PUT
/os-quota-sets/{project_id}
Update project quota.
volume_extension:quotas:delete- Default
rule:admin_api- Operations
DELETE
/os-quota-sets/{project_id}
Delete project quota.
volume_extension:quota_classes:validate_setup_for_nested_quota_use- Default
rule:admin_api- Operations
GET
/os-quota-sets/validate_setup_for_nested_quota_use
Validate setup for nested quota.
volume_extension:capabilities- Default
rule:admin_api- Operations
GET
/capabilities/{host_name}
Show backend capabilities.
volume_extension:services:index- Default
rule:admin_api- Operations
GET
/os-services
List all services.
volume_extension:services:update- Default
rule:admin_api- Operations
PUT
/os-services/{action}
Update service, including failover_host, thaw, freeze, disable, enable, set-log and get-log actions.
volume:freeze_host- Default
rule:admin_api- Operations
PUT
/os-services/freeze
Freeze a backend host.
volume:thaw_host- Default
rule:admin_api- Operations
PUT
/os-services/thaw
Thaw a backend host.
volume:failover_host- Default
rule:admin_api- Operations
PUT
/os-services/failover_host
Failover a backend host.
scheduler_extension:scheduler_stats:get_pools- Default
rule:admin_api- Operations
GET
/scheduler-stats/get_pools
List all backend pools.
volume_extension:hosts- Default
rule:admin_api- Operations
GET
/os-hostsPUT
/os-hosts/{host_name}GET
/os-hosts/{host_id}
List, update or show hosts for a project.
limits_extension:used_limits- Default
rule:admin_or_owner- Operations
GET
/limits
Show limits with used limit attributes.
volume_extension:list_manageable- Default
rule:admin_api- Operations
GET
/manageable_volumesGET
/manageable_volumes/detail
List (in detail) of volumes which are available to manage.
volume_extension:volume_manage- Default
rule:admin_api- Operations
POST
/manageable_volumes
Manage existing volumes.
volume_extension:volume_unmanage- Default
rule:admin_api- Operations
POST
/volumes/{volume_id}/action (os-unmanage)
Stop managing a volume.
volume_extension:types_manage- Default
rule:admin_api- Operations
POST
/typesPUT
/typesDELETE
/types
Create, update and delete volume type.
volume_extension:type_get- Default
<empty string>
- Operations
GET
/types/{type_id}
Get one specific volume type.
volume_extension:type_get_all- Default
<empty string>
- Operations
GET
/types/
List volume types.
volume_extension:volume_type_encryption- Default
rule:admin_api- Operations
POST
/types/{type_id}/encryptionPUT
/types/{type_id}/encryption/{encryption_id}GET
/types/{type_id}/encryptionGET
/types/{type_id}/encryption/{encryption_id}DELETE
/types/{type_id}/encryption/{encryption_id}
List, show, create, update and delete volume type encryption. This is deprecated in the Stein release and will be removed in the future.
volume_extension:volume_type_encryption:create- Default
rule:volume_extension:volume_type_encryption- Operations
POST
/types/{type_id}/encryption
Create volume type encryption.
volume_extension:volume_type_encryption:get- Default
rule:volume_extension:volume_type_encryption- Operations
GET
/types/{type_id}/encryption/{encryption_id}GET
/types/{type_id}/encryption
Show, list volume type encryption.
volume_extension:volume_type_encryption:update- Default
rule:volume_extension:volume_type_encryption- Operations
PUT
/types/{type_id}/encryption/{encryption_id}
Update volume type encryption.
volume_extension:volume_type_encryption:delete- Default
rule:volume_extension:volume_type_encryption- Operations
DELETE
/types/{type_id}/encryption/{encryption_id}
Delete volume type encryption.
volume_extension:access_types_extra_specs- Default
rule:admin_api- Operations
GET
/types/{type_id}GET
/types
List or show volume type with access type extra specs attribute.
volume_extension:access_types_qos_specs_id- Default
rule:admin_api- Operations
GET
/types/{type_id}GET
/types
List or show volume type with access type qos specs id attribute.
volume_extension:volume_type_access- Default
rule:admin_or_owner- Operations
GET
/typesGET
/types/detailGET
/types/{type_id}POST
/types
Volume type access related APIs.
volume_extension:volume_type_access:addProjectAccess- Default
rule:admin_api- Operations
POST
/types/{type_id}/action (addProjectAccess)
Add volume type access for project.
volume_extension:volume_type_access:removeProjectAccess- Default
rule:admin_api- Operations
POST
/types/{type_id}/action (removeProjectAccess)
Remove volume type access for project.
volume:extend- Default
rule:admin_or_owner- Operations
POST
/volumes/{volume_id}/action (os-extend)
Extend a volume.
volume:extend_attached_volume- Default
rule:admin_or_owner- Operations
POST
/volumes/{volume_id}/action (os-extend)
Extend a attached volume.
volume:revert_to_snapshot- Default
rule:admin_or_owner- Operations
POST
/volumes/{volume_id}/action (revert)
Revert a volume to a snapshot.
volume_extension:volume_admin_actions:reset_status- Default
rule:admin_api- Operations
POST
/volumes/{volume_id}/action (os-reset_status)
Reset status of a volume.
volume:retype- Default
rule:admin_or_owner- Operations
POST
/volumes/{volume_id}/action (os-retype)
Retype a volume.
volume:update_readonly_flag- Default
rule:admin_or_owner- Operations
POST
/volumes/{volume_id}/action (os-update_readonly_flag)
Update a volume’s readonly flag.
volume_extension:volume_admin_actions:force_delete- Default
rule:admin_api- Operations
POST
/volumes/{volume_id}/action (os-force_delete)
Force delete a volume.
volume_extension:volume_actions:upload_public- Default
rule:admin_api- Operations
POST
/volumes/{volume_id}/action (os-volume_upload_image)
Upload a volume to image with public visibility.
volume_extension:volume_actions:upload_image- Default
rule:admin_or_owner- Operations
POST
/volumes/{volume_id}/action (os-volume_upload_image)
Upload a volume to image.
volume_extension:volume_admin_actions:force_detach- Default
rule:admin_api- Operations
POST
/volumes/{volume_id}/action (os-force_detach)
Force detach a volume.
volume_extension:volume_admin_actions:migrate_volume- Default
rule:admin_api- Operations
POST
/volumes/{volume_id}/action (os-migrate_volume)
migrate a volume to a specified host.
volume_extension:volume_admin_actions:migrate_volume_completion- Default
rule:admin_api- Operations
POST
/volumes/{volume_id}/action (os-migrate_volume_completion)
Complete a volume migration.
volume_extension:volume_actions:initialize_connection- Default
rule:admin_or_owner- Operations
POST
/volumes/{volume_id}/action (os-initialize_connection)
Initialize volume attachment.
volume_extension:volume_actions:terminate_connection- Default
rule:admin_or_owner- Operations
POST
/volumes/{volume_id}/action (os-terminate_connection)
Terminate volume attachment.
volume_extension:volume_actions:roll_detaching- Default
rule:admin_or_owner- Operations
POST
/volumes/{volume_id}/action (os-roll_detaching)
Roll back volume status to ‘in-use’.
volume_extension:volume_actions:reserve- Default
rule:admin_or_owner- Operations
POST
/volumes/{volume_id}/action (os-reserve)
Mark volume as reserved.
volume_extension:volume_actions:unreserve- Default
rule:admin_or_owner- Operations
POST
/volumes/{volume_id}/action (os-unreserve)
Unmark volume as reserved.
volume_extension:volume_actions:begin_detaching- Default
rule:admin_or_owner- Operations
POST
/volumes/{volume_id}/action (os-begin_detaching)
Begin detach volumes.
volume_extension:volume_actions:attach- Default
rule:admin_or_owner- Operations
POST
/volumes/{volume_id}/action (os-attach)
Add attachment metadata.
volume_extension:volume_actions:detach- Default
rule:admin_or_owner- Operations
POST
/volumes/{volume_id}/action (os-detach)
Clear attachment metadata.
volume:get_all_transfers- Default
rule:admin_or_owner- Operations
GET
/os-volume-transferGET
/os-volume-transfer/detailGET
/volume_transfersGET
/volume-transfers/detail
List volume transfer.
volume:create_transfer- Default
rule:admin_or_owner- Operations
POST
/os-volume-transferPOST
/volume_transfers
Create a volume transfer.
volume:get_transfer- Default
rule:admin_or_owner- Operations
GET
/os-volume-transfer/{transfer_id}GET
/volume-transfers/{transfer_id}
Show one specified volume transfer.
volume:accept_transfer- Default
<empty string>
- Operations
POST
/os-volume-transfer/{transfer_id}/acceptPOST
/volume-transfers/{transfer_id}/accept
Accept a volume transfer.
volume:delete_transfer- Default
rule:admin_or_owner- Operations
DELETE
/os-volume-transfer/{transfer_id}DELETE
/volume-transfers/{transfer_id}
Delete volume transfer.
volume:get_volume_metadata- Default
rule:admin_or_owner- Operations
GET
/volumes/{volume_id}/metadataGET
/volumes/{volume_id}/metadata/{key}
Show volume’s metadata or one specified metadata with a given key.
volume:create_volume_metadata- Default
rule:admin_or_owner- Operations
POST
/volumes/{volume_id}/metadata
Create volume metadata.
volume:update_volume_metadata- Default
rule:admin_or_owner- Operations
PUT
/volumes/{volume_id}/metadataPUT
/volumes/{volume_id}/metadata/{key}
Update volume’s metadata or one specified metadata with a given key.
volume:delete_volume_metadata- Default
rule:admin_or_owner- Operations
DELETE
/volumes/{volume_id}/metadata/{key}
Delete volume’s specified metadata with a given key.
volume_extension:volume_image_metadata- Default
rule:admin_or_owner- Operations
GET
/volumes/detailGET
/volumes/{volume_id}POST
/volumes/{volume_id}/action (os-set_image_metadata)POST
/volumes/{volume_id}/action (os-unset_image_metadata)
Volume’s image metadata related operation, create, delete, show and list.
volume:update_volume_admin_metadata- Default
rule:admin_api- Operations
POST
/volumes/{volume_id}/action (os-update_readonly_flag)POST
/volumes/{volume_id}/action (os-attach)
Update volume admin metadata. It’s used in attach and os-update_readonly_flag APIs
volume_extension:types_extra_specs:index- Default
rule:admin_api- Operations
GET
/types/{type_id}/extra_specs
List type extra specs.
volume_extension:types_extra_specs:create- Default
rule:admin_api- Operations
POST
/types/{type_id}/extra_specs
Create type extra specs.
volume_extension:types_extra_specs:show- Default
rule:admin_api- Operations
GET
/types/{type_id}/extra_specs/{extra_spec_key}
Show one specified type extra specs.
volume_extension:types_extra_specs:update- Default
rule:admin_api- Operations
PUT
/types/{type_id}/extra_specs/{extra_spec_key}
Update type extra specs.
volume_extension:types_extra_specs:delete- Default
rule:admin_api- Operations
DELETE
/types/{type_id}/extra_specs/{extra_spec_key}
Delete type extra specs.
volume:create- Default
<empty string>
- Operations
POST
/volumes
Create volume.
volume:create_from_image- Default
<empty string>
- Operations
POST
/volumes
Create volume from image.
volume:get- Default
rule:admin_or_owner- Operations
GET
/volumes/{volume_id}
Show volume.
volume:get_all- Default
rule:admin_or_owner- Operations
GET
/volumesGET
/volumes/detailGET
/volumes/summary
List volumes or get summary of volumes.
volume:update- Default
rule:admin_or_owner- Operations
PUT
/volumesPOST
/volumes/{volume_id}/action (os-set_bootable)
Update volume or update a volume’s bootable status.
volume:delete- Default
rule:admin_or_owner- Operations
DELETE
/volumes/{volume_id}
Delete volume.
volume:force_delete- Default
rule:admin_api- Operations
DELETE
/volumes/{volume_id}
Force Delete a volume.
volume_extension:volume_host_attribute- Default
rule:admin_api- Operations
GET
/volumes/{volume_id}GET
/volumes/detail
List or show volume with host attribute.
volume_extension:volume_tenant_attribute- Default
rule:admin_or_owner- Operations
GET
/volumes/{volume_id}GET
/volumes/detail
List or show volume with tenant attribute.
volume_extension:volume_mig_status_attribute- Default
rule:admin_api- Operations
GET
/volumes/{volume_id}GET
/volumes/detail
List or show volume with migration status attribute.
volume_extension:volume_encryption_metadata- Default
rule:admin_or_owner- Operations
GET
/volumes/{volume_id}/encryptionGET
/volumes/{volume_id}/encryption/{encryption_key}
Show volume’s encryption metadata.
volume:multiattach- Default
rule:admin_or_owner- Operations
POST
/volumes
Create multiattach capable volume.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.