Policy Reference

updated: 2021-10-06 12:27

Policy Reference¶

Warning

JSON formatted policy file is deprecated since Neutron 18.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

Neutron, like most OpenStack projects, uses a policy language to restrict permissions on REST API actions.

The following is an overview of all available policies in neutron.

For a sample policy file, refer to Sample Policy File.

neutron¶

context_is_admin

Default: role:admin

Rule for cloud admin access

owner

Default: tenant_id:%(tenant_id)s

Rule for resource owner access

admin_or_owner

Default: rule:context_is_admin or rule:owner

Rule for admin or owner access

context_is_advsvc

Default: role:advsvc

Rule for advsvc role access

admin_or_network_owner

Default: rule:context_is_admin or tenant_id:%(network:tenant_id)s

Rule for admin or network owner access

admin_owner_or_network_owner

Default: rule:owner or rule:admin_or_network_owner

Rule for resource owner, admin or network owner access

network_owner

Default: tenant_id:%(network:tenant_id)s

Rule for network owner access

admin_only

Default: rule:context_is_admin

Rule for admin-only access

regular_user

Default: <empty string>

Rule for regular user access

shared

Default: field:networks:shared=True

Rule of shared network

default

Default: rule:admin_or_owner

Default access rule

admin_or_ext_parent_owner

Default: rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s

Rule for common parent owner check

ext_parent_owner

Default: tenant_id:%(ext_parent:tenant_id)s

Rule for common parent owner check

sg_owner

Default: tenant_id:%(security_group:tenant_id)s

Rule for security group owner access

shared_address_groups

Default: field:address_groups:shared=True

Definition of a shared address group

get_address_group

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups

Operations

GET /address-groups
GET /address-groups/{id}

Scope Types

system
project

Get an address group

shared_address_scopes

Default: field:address_scopes:shared=True

Definition of a shared address scope

create_address_scope

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

POST /address-scopes

Scope Types

system
project

Create an address scope

create_address_scope:shared

Default

role:admin and system_scope:all

Operations

POST /address-scopes

Scope Types

system
project

Create a shared address scope

get_address_scope

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_address_scopes

Operations

GET /address-scopes
GET /address-scopes/{id}

Scope Types

system
project

Get an address scope

update_address_scope

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

PUT /address-scopes/{id}

Scope Types

system
project

Update an address scope

update_address_scope:shared

Default

role:admin and system_scope:all

Operations

PUT /address-scopes/{id}

Scope Types

system
project

Update shared attribute of an address scope

delete_address_scope

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

DELETE /address-scopes/{id}

Scope Types

system
project

Delete an address scope

get_agent

Default

role:reader and system_scope:all

Operations

GET /agents
GET /agents/{id}

Scope Types

system

Get an agent

update_agent

Default

role:admin and system_scope:all

Operations

PUT /agents/{id}

Scope Types

system

Update an agent

delete_agent

Default

role:admin and system_scope:all

Operations

DELETE /agents/{id}

Scope Types

system

Delete an agent

create_dhcp-network

Default

role:admin and system_scope:all

Operations

POST /agents/{agent_id}/dhcp-networks

Scope Types

system

Add a network to a DHCP agent

get_dhcp-networks

Default

role:reader and system_scope:all

Operations

GET /agents/{agent_id}/dhcp-networks

Scope Types

system

List networks on a DHCP agent

delete_dhcp-network

Default

role:admin and system_scope:all

Operations

DELETE /agents/{agent_id}/dhcp-networks/{network_id}

Scope Types

system

Remove a network from a DHCP agent

create_l3-router

Default

role:admin and system_scope:all

Operations

POST /agents/{agent_id}/l3-routers

Scope Types

system

Add a router to an L3 agent

get_l3-routers

Default

role:reader and system_scope:all

Operations

GET /agents/{agent_id}/l3-routers

Scope Types

system

List routers on an L3 agent

delete_l3-router

Default

role:admin and system_scope:all

Operations

DELETE /agents/{agent_id}/l3-routers/{router_id}

Scope Types

system

Remove a router from an L3 agent

get_dhcp-agents

Default

role:reader and system_scope:all

Operations

GET /networks/{network_id}/dhcp-agents

Scope Types

system

List DHCP agents hosting a network

get_l3-agents

Default

role:reader and system_scope:all

Operations

GET /routers/{router_id}/l3-agents

Scope Types

system

List L3 agents hosting a router

get_auto_allocated_topology

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations

GET /auto-allocated-topology/{project_id}

Scope Types

system
project

Get a project’s auto-allocated topology

delete_auto_allocated_topology

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

DELETE /auto-allocated-topology/{project_id}

Scope Types

system
project

Delete a project’s auto-allocated topology

get_availability_zone

Default

role:reader and system_scope:all

Operations

GET /availability_zones

Scope Types

system

List availability zones

create_flavor

Default

role:admin and system_scope:all

Operations

POST /flavors

Scope Types

system

Create a flavor

get_flavor

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations

GET /flavors
GET /flavors/{id}

Scope Types

system
project

Get a flavor

update_flavor

Default

role:admin and system_scope:all

Operations

PUT /flavors/{id}

Scope Types

system

Update a flavor

delete_flavor

Default

role:admin and system_scope:all

Operations

DELETE /flavors/{id}

Scope Types

system

Delete a flavor

create_service_profile

Default

role:admin and system_scope:all

Operations

POST /service_profiles

Scope Types

system

Create a service profile

get_service_profile

Default

role:reader and system_scope:all

Operations

GET /service_profiles
GET /service_profiles/{id}

Scope Types

system

Get a service profile

update_service_profile

Default

role:admin and system_scope:all

Operations

PUT /service_profiles/{id}

Scope Types

system

Update a service profile

delete_service_profile

Default

role:admin and system_scope:all

Operations

DELETE /service_profiles/{id}

Scope Types

system

Delete a service profile

get_flavor_service_profile

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Scope Types

system
project

Get a flavor associated with a given service profiles. There is no corresponding GET operations in API currently. This rule is currently referred only in the DELETE of flavor_service_profile.

create_flavor_service_profile

Default

role:admin and system_scope:all

Operations

POST /flavors/{flavor_id}/service_profiles

Scope Types

system

Associate a flavor with a service profile

delete_flavor_service_profile

Default

role:admin and system_scope:all

Operations

DELETE /flavors/{flavor_id}/service_profiles/{profile_id}

Scope Types

system

Disassociate a flavor with a service profile

create_floatingip

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

POST /floatingips

Scope Types

system
project

Create a floating IP

create_floatingip:floating_ip_address

Default

role:admin and system_scope:all

Operations

POST /floatingips

Scope Types

system
project

Create a floating IP with a specific IP address

get_floatingip

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations

GET /floatingips
GET /floatingips/{id}

Scope Types

system
project

Get a floating IP

update_floatingip

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

PUT /floatingips/{id}

Scope Types

system
project

Update a floating IP

delete_floatingip

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

DELETE /floatingips/{id}

Scope Types

system
project

Delete a floating IP

get_floatingip_pool

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations

GET /floatingip_pools

Scope Types

system
project

Get floating IP pools

create_floatingip_port_forwarding

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner

Operations

POST /floatingips/{floatingip_id}/port_forwardings

Scope Types

system
project

Create a floating IP port forwarding

get_floatingip_port_forwarding

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner

Operations

GET /floatingips/{floatingip_id}/port_forwardings
GET /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}

Scope Types

system
project

Get a floating IP port forwarding

update_floatingip_port_forwarding

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner

Operations

PUT /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}

Scope Types

system
project

Update a floating IP port forwarding

delete_floatingip_port_forwarding

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner

Operations

DELETE /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}

Scope Types

system
project

Delete a floating IP port forwarding

create_router_conntrack_helper

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner

Operations

POST /routers/{router_id}/conntrack_helpers

Scope Types

system
project

Create a router conntrack helper

get_router_conntrack_helper

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner

Operations

GET /routers/{router_id}/conntrack_helpers
GET /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}

Scope Types

system
project

Get a router conntrack helper

update_router_conntrack_helper

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner

Operations

PUT /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}

Scope Types

system
project

Update a router conntrack helper

delete_router_conntrack_helper

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner

Operations

DELETE /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}

Scope Types

system
project

Delete a router conntrack helper

get_loggable_resource

Default

role:reader and system_scope:all

Operations

GET /log/loggable-resources

Scope Types

system

Get loggable resources

create_log

Default

role:admin and system_scope:all

Operations

POST /log/logs

Scope Types

system

Create a network log

get_log

Default

role:reader and system_scope:all

Operations

GET /log/logs
GET /log/logs/{id}

Scope Types

system

Get a network log

update_log

Default

role:admin and system_scope:all

Operations

PUT /log/logs/{id}

Scope Types

system

Update a network log

delete_log

Default

role:admin and system_scope:all

Operations

DELETE /log/logs/{id}

Scope Types

system

Delete a network log

create_metering_label

Default

role:admin and system_scope:all

Operations

POST /metering/metering-labels

Scope Types

system
project

Create a metering label

get_metering_label

Default

role:reader and system_scope:all

Operations

GET /metering/metering-labels
GET /metering/metering-labels/{id}

Scope Types

system
project

Get a metering label

delete_metering_label

Default

role:admin and system_scope:all

Operations

DELETE /metering/metering-labels/{id}

Scope Types

system
project

Delete a metering label

create_metering_label_rule

Default

role:admin and system_scope:all

Operations

POST /metering/metering-label-rules

Scope Types

system
project

Create a metering label rule

get_metering_label_rule

Default

role:reader and system_scope:all

Operations

GET /metering/metering-label-rules
GET /metering/metering-label-rules/{id}

Scope Types

system
project

Get a metering label rule

delete_metering_label_rule

Default

role:admin and system_scope:all

Operations

DELETE /metering/metering-label-rules/{id}

Scope Types

system
project

Delete a metering label rule

external

Default: field:networks:router:external=True

Definition of an external network

create_network

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

POST /networks

Scope Types

system
project

Create a network

create_network:shared

Default

role:admin and system_scope:all

Operations

POST /networks

Scope Types

system

Create a shared network

create_network:router:external

Default

role:admin and system_scope:all

Operations

POST /networks

Scope Types

system

Create an external network

create_network:is_default

Default

role:admin and system_scope:all

Operations

POST /networks

Scope Types

system

Specify is_default attribute when creating a network

create_network:port_security_enabled

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

POST /networks

Scope Types

system
project

Specify port_security_enabled attribute when creating a network

create_network:segments

Default

role:admin and system_scope:all

Operations

POST /networks

Scope Types

system

Specify segments attribute when creating a network

create_network:provider:network_type

Default

role:admin and system_scope:all

Operations

POST /networks

Scope Types

system

Specify provider:network_type when creating a network

create_network:provider:physical_network

Default

role:admin and system_scope:all

Operations

POST /networks

Scope Types

system

Specify provider:physical_network when creating a network

create_network:provider:segmentation_id

Default

role:admin and system_scope:all

Operations

POST /networks

Scope Types

system

Specify provider:segmentation_id when creating a network

get_network

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc

Operations

GET /networks
GET /networks/{id}

Scope Types

system
project

Get a network

get_network:router:external

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations

GET /networks
GET /networks/{id}

Scope Types

system
project

Get router:external attribute of a network

get_network:segments

Default

role:reader and system_scope:all

Operations

GET /networks
GET /networks/{id}

Scope Types

system

Get segments attribute of a network

get_network:provider:network_type

Default

role:reader and system_scope:all

Operations

GET /networks
GET /networks/{id}

Scope Types

system

Get provider:network_type attribute of a network

get_network:provider:physical_network

Default

role:reader and system_scope:all

Operations

GET /networks
GET /networks/{id}

Scope Types

system

Get provider:physical_network attribute of a network

get_network:provider:segmentation_id

Default

role:reader and system_scope:all

Operations

GET /networks
GET /networks/{id}

Scope Types

system

Get provider:segmentation_id attribute of a network

update_network

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

PUT /networks/{id}

Scope Types

system
project

Update a network

update_network:segments

Default

role:admin and system_scope:all

Operations

PUT /networks/{id}

Scope Types

system

Update segments attribute of a network

update_network:shared

Default

role:admin and system_scope:all

Operations

PUT /networks/{id}

Scope Types

system

Update shared attribute of a network

update_network:provider:network_type

Default

role:admin and system_scope:all

Operations

PUT /networks/{id}

Scope Types

system

Update provider:network_type attribute of a network

update_network:provider:physical_network

Default

role:admin and system_scope:all

Operations

PUT /networks/{id}

Scope Types

system

Update provider:physical_network attribute of a network

update_network:provider:segmentation_id

Default

role:admin and system_scope:all

Operations

PUT /networks/{id}

Scope Types

system

Update provider:segmentation_id attribute of a network

update_network:router:external

Default

role:admin and system_scope:all

Operations

PUT /networks/{id}

Scope Types

system

Update router:external attribute of a network

update_network:is_default

Default

role:admin and system_scope:all

Operations

PUT /networks/{id}

Scope Types

system

Update is_default attribute of a network

update_network:port_security_enabled

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

PUT /networks/{id}

Scope Types

system
project

Update port_security_enabled attribute of a network

delete_network

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

DELETE /networks/{id}

Scope Types

system
project

Delete a network

get_network_ip_availability

Default

role:reader and system_scope:all

Operations

GET /network-ip-availabilities
GET /network-ip-availabilities/{network_id}

Scope Types

system

Get network IP availability

create_network_segment_range

Default

role:admin and system_scope:all

Operations

POST /network_segment_ranges

Scope Types

system

Create a network segment range

get_network_segment_range

Default

role:reader and system_scope:all

Operations

GET /network_segment_ranges
GET /network_segment_ranges/{id}

Scope Types

system

Get a network segment range

update_network_segment_range

Default

role:admin and system_scope:all

Operations

PUT /network_segment_ranges/{id}

Scope Types

system

Update a network segment range

delete_network_segment_range

Default

role:admin and system_scope:all

Operations

DELETE /network_segment_ranges/{id}

Scope Types

system

Delete a network segment range

network_device

Default: field:port:device_owner=~^network:

Definition of port with network device_owner

admin_or_data_plane_int

Default: rule:context_is_admin or role:data_plane_integrator

Rule for data plane integration

create_port

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

POST /ports

Scope Types

system
project

Create a port

create_port:device_owner

Default

not rule:network_device or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:context_is_advsvc or rule:network_owner

Operations

POST /ports

Scope Types

system
project

Specify device_owner attribute when creting a port

create_port:mac_address

Default

rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s

Operations

POST /ports

Scope Types

system
project

Specify mac_address attribute when creating a port

create_port:fixed_ips

Default

rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared

Operations

POST /ports

Scope Types

system
project

Specify fixed_ips information when creating a port

create_port:fixed_ips:ip_address

Default

rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s

Operations

POST /ports

Scope Types

system
project

Specify IP address in fixed_ips when creating a port

create_port:fixed_ips:subnet_id

Default

rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared

Operations

POST /ports

Scope Types

system
project

Specify subnet ID in fixed_ips when creating a port

create_port:port_security_enabled

Default

rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s

Operations

POST /ports

Scope Types

system
project

Specify port_security_enabled attribute when creating a port

create_port:binding:host_id

Default

role:admin and system_scope:all

Operations

POST /ports

Scope Types

system

Specify binding:host_id attribute when creating a port

create_port:binding:profile

Default

role:admin and system_scope:all

Operations

POST /ports

Scope Types

system

Specify binding:profile attribute when creating a port

create_port:binding:vnic_type

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

POST /ports

Scope Types

system
project

Specify binding:vnic_type attribute when creating a port

create_port:allowed_address_pairs

Default

role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner

Operations

POST /ports

Scope Types

project
system

Specify allowed_address_pairs attribute when creating a port

create_port:allowed_address_pairs:mac_address

Default

role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner

Operations

POST /ports

Scope Types

project
system

Specify mac_address` of `allowed_address_pairs attribute when creating a port

create_port:allowed_address_pairs:ip_address

Default

role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner

Operations

POST /ports

Scope Types

project
system

Specify ip_address of allowed_address_pairs attribute when creating a port

get_port

Default

rule:context_is_advsvc or (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations

GET /ports
GET /ports/{id}

Scope Types

project
system

Get a port

get_port:binding:vif_type

Default

role:reader and system_scope:all

Operations

GET /ports
GET /ports/{id}

Scope Types

system

Get binding:vif_type attribute of a port

get_port:binding:vif_details

Default

role:reader and system_scope:all

Operations

GET /ports
GET /ports/{id}

Scope Types

system

Get binding:vif_details attribute of a port

get_port:binding:host_id

Default

role:reader and system_scope:all

Operations

GET /ports
GET /ports/{id}

Scope Types

system

Get binding:host_id attribute of a port

get_port:binding:profile

Default

role:reader and system_scope:all

Operations

GET /ports
GET /ports/{id}

Scope Types

system

Get binding:profile attribute of a port

get_port:resource_request

Default

role:reader and system_scope:all

Operations

GET /ports
GET /ports/{id}

Scope Types

system

Get resource_request attribute of a port

update_port

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc

Operations

PUT /ports/{id}

Scope Types

system
project

Update a port

update_port:device_owner

Default

not rule:network_device or rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s

Operations

PUT /ports/{id}

Scope Types

system
project

Update device_owner attribute of a port

update_port:mac_address

Default

role:admin and system_scope:all or rule:context_is_advsvc

Operations

PUT /ports/{id}

Scope Types

system
project

Update mac_address attribute of a port

update_port:fixed_ips

Default

rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s

Operations

PUT /ports/{id}

Scope Types

system
project

Specify fixed_ips information when updating a port

update_port:fixed_ips:ip_address

Default

rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s

Operations

PUT /ports/{id}

Scope Types

system
project

Specify IP address in fixed_ips information when updating a port

update_port:fixed_ips:subnet_id

Default

rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:shared

Operations

PUT /ports/{id}

Scope Types

system
project

Specify subnet ID in fixed_ips information when updating a port

update_port:port_security_enabled

Default

rule:context_is_advsvc or rule:network_owner or role:admin and system_scope:all or role:admin and project_id:%(project_id)s

Operations

PUT /ports/{id}

Scope Types

system
project

Update port_security_enabled attribute of a port

update_port:binding:host_id

Default

role:admin and system_scope:all

Operations

PUT /ports/{id}

Scope Types

system

Update binding:host_id attribute of a port

update_port:binding:profile

Default

role:admin and system_scope:all

Operations

PUT /ports/{id}

Scope Types

system

Update binding:profile attribute of a port

update_port:binding:vnic_type

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc

Operations

PUT /ports/{id}

Scope Types

system
project

Update binding:vnic_type attribute of a port

update_port:allowed_address_pairs

Default

role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner

Operations

PUT /ports/{id}

Scope Types

system
project

Update allowed_address_pairs attribute of a port

update_port:allowed_address_pairs:mac_address

Default

role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner

Operations

PUT /ports/{id}

Scope Types

system
project

Update mac_address of allowed_address_pairs attribute of a port

update_port:allowed_address_pairs:ip_address

Default

role:admin and system_scope:all or role:admin and project_id:%(project_id)s or rule:network_owner

Operations

PUT /ports/{id}

Scope Types

system
project

Update ip_address of allowed_address_pairs attribute of a port

update_port:data_plane_status

Default

role:admin and system_scope:all or role:data_plane_integrator

Operations

PUT /ports/{id}

Scope Types

system
project

Update data_plane_status attribute of a port

delete_port

Default

rule:context_is_advsvc or (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

DELETE /ports/{id}

Scope Types

system
project

Delete a port

get_policy

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations

GET /qos/policies
GET /qos/policies/{id}

Scope Types

system
project

Get QoS policies

create_policy

Default

role:admin and system_scope:all

Operations

POST /qos/policies

Scope Types

system

Create a QoS policy

update_policy

Default

role:admin and system_scope:all

Operations

PUT /qos/policies/{id}

Scope Types

system

Update a QoS policy

delete_policy

Default

role:admin and system_scope:all

Operations

DELETE /qos/policies/{id}

Scope Types

system

Delete a QoS policy

get_rule_type

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations

GET /qos/rule-types
GET /qos/rule-types/{rule_type}

Scope Types

system
project

Get available QoS rule types

get_policy_bandwidth_limit_rule

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations

GET /qos/policies/{policy_id}/bandwidth_limit_rules
GET /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}

Scope Types

system
project

Get a QoS bandwidth limit rule

create_policy_bandwidth_limit_rule

Default

role:admin and system_scope:all

Operations

POST /qos/policies/{policy_id}/bandwidth_limit_rules

Scope Types

system

Create a QoS bandwidth limit rule

update_policy_bandwidth_limit_rule

Default

role:admin and system_scope:all

Operations

PUT /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}

Scope Types

system

Update a QoS bandwidth limit rule

delete_policy_bandwidth_limit_rule

Default

role:admin and system_scope:all

Operations

DELETE /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}

Scope Types

system

Delete a QoS bandwidth limit rule

get_policy_dscp_marking_rule

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations

GET /qos/policies/{policy_id}/dscp_marking_rules
GET /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}

Scope Types

system
project

Get a QoS DSCP marking rule

create_policy_dscp_marking_rule

Default

role:admin and system_scope:all

Operations

POST /qos/policies/{policy_id}/dscp_marking_rules

Scope Types

system

Create a QoS DSCP marking rule

update_policy_dscp_marking_rule

Default

role:admin and system_scope:all

Operations

PUT /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}

Scope Types

system

Update a QoS DSCP marking rule

delete_policy_dscp_marking_rule

Default

role:admin and system_scope:all

Operations

DELETE /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}

Scope Types

system

Delete a QoS DSCP marking rule

get_policy_minimum_bandwidth_rule

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations

GET /qos/policies/{policy_id}/minimum_bandwidth_rules
GET /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}

Scope Types

system
project

Get a QoS minimum bandwidth rule

create_policy_minimum_bandwidth_rule

Default

role:admin and system_scope:all

Operations

POST /qos/policies/{policy_id}/minimum_bandwidth_rules

Scope Types

system

Create a QoS minimum bandwidth rule

update_policy_minimum_bandwidth_rule

Default

role:admin and system_scope:all

Operations

PUT /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}

Scope Types

system

Update a QoS minimum bandwidth rule

delete_policy_minimum_bandwidth_rule

Default

role:admin and system_scope:all

Operations

DELETE /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}

Scope Types

system

Delete a QoS minimum bandwidth rule

get_alias_bandwidth_limit_rule

Default

rule:get_policy_bandwidth_limit_rule

Operations

GET /qos/alias_bandwidth_limit_rules/{rule_id}/

Get a QoS bandwidth limit rule through alias

update_alias_bandwidth_limit_rule

Default

rule:update_policy_bandwidth_limit_rule

Operations

PUT /qos/alias_bandwidth_limit_rules/{rule_id}/

Update a QoS bandwidth limit rule through alias

delete_alias_bandwidth_limit_rule

Default

rule:delete_policy_bandwidth_limit_rule

Operations

DELETE /qos/alias_bandwidth_limit_rules/{rule_id}/

Delete a QoS bandwidth limit rule through alias

get_alias_dscp_marking_rule

Default

rule:get_policy_dscp_marking_rule

Operations

GET /qos/alias_dscp_marking_rules/{rule_id}/

Get a QoS DSCP marking rule through alias

update_alias_dscp_marking_rule

Default

rule:update_policy_dscp_marking_rule

Operations

PUT /qos/alias_dscp_marking_rules/{rule_id}/

Update a QoS DSCP marking rule through alias

delete_alias_dscp_marking_rule

Default

rule:delete_policy_dscp_marking_rule

Operations

DELETE /qos/alias_dscp_marking_rules/{rule_id}/

Delete a QoS DSCP marking rule through alias

get_alias_minimum_bandwidth_rule

Default

rule:get_policy_minimum_bandwidth_rule

Operations

GET /qos/alias_minimum_bandwidth_rules/{rule_id}/

Get a QoS minimum bandwidth rule through alias

update_alias_minimum_bandwidth_rule

Default

rule:update_policy_minimum_bandwidth_rule

Operations

PUT /qos/alias_minimum_bandwidth_rules/{rule_id}/

Update a QoS minimum bandwidth rule through alias

delete_alias_minimum_bandwidth_rule

Default

rule:delete_policy_minimum_bandwidth_rule

Operations

DELETE /qos/alias_minimum_bandwidth_rules/{rule_id}/

Delete a QoS minimum bandwidth rule through alias

get_quota

Default

role:reader and system_scope:all

Operations

GET /quota
GET /quota/{id}

Scope Types

system

Get a resource quota

update_quota

Default

role:admin and system_scope:all

Operations

PUT /quota/{id}

Scope Types

system

Update a resource quota

delete_quota

Default

role:admin and system_scope:all

Operations

DELETE /quota/{id}

Scope Types

system

Delete a resource quota

restrict_wildcard

Default: (not field:rbac_policy:target_tenant=*) or rule:admin_only

Definition of a wildcard target_tenant

create_rbac_policy

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

POST /rbac-policies

Scope Types

system
project

Create an RBAC policy

create_rbac_policy:target_tenant

Default

role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)

Operations

POST /rbac-policies

Scope Types

system
project

Specify target_tenant when creating an RBAC policy

update_rbac_policy

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

PUT /rbac-policies/{id}

Scope Types

project
system

Update an RBAC policy

update_rbac_policy:target_tenant

Default

role:admin and system_scope:all or (not field:rbac_policy:target_tenant=*)

Operations

PUT /rbac-policies/{id}

Scope Types

system
project

Update target_tenant attribute of an RBAC policy

get_rbac_policy

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations

GET /rbac-policies
GET /rbac-policies/{id}

Scope Types

project
system

Get an RBAC policy

delete_rbac_policy

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

DELETE /rbac-policies/{id}

Scope Types

project
system

Delete an RBAC policy

create_router

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

POST /routers

Scope Types

system
project

Create a router

create_router:distributed

Default

role:admin and system_scope:all

Operations

POST /routers

Scope Types

system

Specify distributed attribute when creating a router

create_router:ha

Default

role:admin and system_scope:all

Operations

POST /routers

Scope Types

system

Specify ha attribute when creating a router

create_router:external_gateway_info

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

POST /routers

Scope Types

system
project

Specify external_gateway_info information when creating a router

create_router:external_gateway_info:network_id

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

POST /routers

Scope Types

system
project

Specify network_id in external_gateway_info information when creating a router

create_router:external_gateway_info:enable_snat

Default

role:admin and system_scope:all

Operations

POST /routers

Scope Types

system

Specify enable_snat in external_gateway_info information when creating a router

create_router:external_gateway_info:external_fixed_ips

Default

role:admin and system_scope:all

Operations

POST /routers

Scope Types

system

Specify external_fixed_ips in external_gateway_info information when creating a router

get_router

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations

GET /routers
GET /routers/{id}

Scope Types

system
project

Get a router

get_router:distributed

Default

role:reader and system_scope:all

Operations

GET /routers
GET /routers/{id}

Scope Types

system

Get distributed attribute of a router

get_router:ha

Default

role:reader and system_scope:all

Operations

GET /routers
GET /routers/{id}

Scope Types

system

Get ha attribute of a router

update_router

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

PUT /routers/{id}

Scope Types

system
project

Update a router

update_router:distributed

Default

role:admin and system_scope:all

Operations

PUT /routers/{id}

Scope Types

system

Update distributed attribute of a router

update_router:ha

Default

role:admin and system_scope:all

Operations

PUT /routers/{id}

Scope Types

system

Update ha attribute of a router

update_router:external_gateway_info

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

PUT /routers/{id}

Scope Types

system
project

Update external_gateway_info information of a router

update_router:external_gateway_info:network_id

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

PUT /routers/{id}

Scope Types

system
project

Update network_id attribute of external_gateway_info information of a router

update_router:external_gateway_info:enable_snat

Default

role:admin and system_scope:all

Operations

PUT /routers/{id}

Scope Types

system

Update enable_snat attribute of external_gateway_info information of a router

update_router:external_gateway_info:external_fixed_ips

Default

role:admin and system_scope:all

Operations

PUT /routers/{id}

Scope Types

system

Update external_fixed_ips attribute of external_gateway_info information of a router

delete_router

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

DELETE /routers/{id}

Scope Types

system
project

Delete a router

add_router_interface

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

PUT /routers/{id}/add_router_interface

Scope Types

system
project

Add an interface to a router

remove_router_interface

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

PUT /routers/{id}/remove_router_interface

Scope Types

system
project

Remove an interface from a router

add_extraroutes

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

PUT /routers/{id}/add_extraroutes

Scope Types

system
project

Add extra route to a router

remove_extraroutes

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

PUT /routers/{id}/remove_extraroutes

Scope Types

system
project

Remove extra route from a router

admin_or_sg_owner

Default: rule:context_is_admin or tenant_id:%(security_group:tenant_id)s

Rule for admin or security group owner access

admin_owner_or_sg_owner

Default: rule:owner or rule:admin_or_sg_owner

Rule for resource owner, admin or security group owner access

create_security_group

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

POST /security-groups

Scope Types

system
project

Create a security group

get_security_group

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations

GET /security-groups
GET /security-groups/{id}

Scope Types

system
project

Get a security group

update_security_group

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

PUT /security-groups/{id}

Scope Types

system
project

Update a security group

delete_security_group

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

DELETE /security-groups/{id}

Scope Types

system
project

Delete a security group

create_security_group_rule

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

POST /security-group-rules

Scope Types

system
project

Create a security group rule

get_security_group_rule

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:sg_owner

Operations

GET /security-group-rules
GET /security-group-rules/{id}

Scope Types

system
project

Get a security group rule

delete_security_group_rule

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

DELETE /security-group-rules/{id}

Scope Types

system
project

Delete a security group rule

create_segment

Default

role:admin and system_scope:all

Operations

POST /segments

Scope Types

system

Create a segment

get_segment

Default

role:reader and system_scope:all

Operations

GET /segments
GET /segments/{id}

Scope Types

system

Get a segment

update_segment

Default

role:admin and system_scope:all

Operations

PUT /segments/{id}

Scope Types

system

Update a segment

delete_segment

Default

role:admin and system_scope:all

Operations

DELETE /segments/{id}

Scope Types

system

Delete a segment

get_service_provider

Default

role:reader

Operations

GET /service-providers

Scope Types

system
project

Get service providers

create_subnet

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner

Operations

POST /subnets

Scope Types

system
project

Create a subnet

create_subnet:segment_id

Default

role:admin and system_scope:all

Operations

POST /subnets

Scope Types

system

Specify segment_id attribute when creating a subnet

create_subnet:service_types

Default

role:admin and system_scope:all

Operations

POST /subnets

Scope Types

system

Specify service_types attribute when creating a subnet

get_subnet

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared

Operations

GET /subnets
GET /subnets/{id}

Scope Types

system
project

Get a subnet

get_subnet:segment_id

Default

role:reader and system_scope:all

Operations

GET /subnets
GET /subnets/{id}

Scope Types

system

Get segment_id attribute of a subnet

update_subnet

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner

Operations

PUT /subnets/{id}

Scope Types

system
project

Update a subnet

update_subnet:segment_id

Default

role:admin and system_scope:all

Operations

PUT /subnets/{id}

Scope Types

system

Update segment_id attribute of a subnet

update_subnet:service_types

Default

role:admin and system_scope:all

Operations

PUT /subnets/{id}

Scope Types

system

Update service_types attribute of a subnet

delete_subnet

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s) or rule:network_owner

Operations

DELETE /subnets/{id}

Scope Types

system
project

Delete a subnet

shared_subnetpools

Default: field:subnetpools:shared=True

Definition of a shared subnetpool

create_subnetpool

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

POST /subnetpools

Scope Types

project
system

Create a subnetpool

create_subnetpool:shared

Default

role:admin and system_scope:all

Operations

POST /subnetpools

Scope Types

system

Create a shared subnetpool

create_subnetpool:is_default

Default

role:admin and system_scope:all

Operations

POST /subnetpools

Scope Types

system

Specify is_default attribute when creating a subnetpool

get_subnetpool

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools

Operations

GET /subnetpools
GET /subnetpools/{id}

Scope Types

system
project

Get a subnetpool

update_subnetpool

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

PUT /subnetpools/{id}

Scope Types

system
project

Update a subnetpool

update_subnetpool:is_default

Default

role:admin and system_scope:all

Operations

PUT /subnetpools/{id}

Scope Types

system

Update is_default attribute of a subnetpool

delete_subnetpool

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

DELETE /subnetpools/{id}

Scope Types

system
project

Delete a subnetpool

onboard_network_subnets

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

PUT /subnetpools/{id}/onboard_network_subnets

Scope Types

system
project

Onboard existing subnet into a subnetpool

add_prefixes

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

PUT /subnetpools/{id}/add_prefixes

Scope Types

system
project

Add prefixes to a subnetpool

remove_prefixes

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

PUT /subnetpools/{id}/remove_prefixes

Scope Types

system
project

Remove unallocated prefixes from a subnetpool

create_trunk

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

POST /trunks

Scope Types

project
system

Create a trunk

get_trunk

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations

GET /trunks
GET /trunks/{id}

Scope Types

project
system

Get a trunk

update_trunk

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

PUT /trunks/{id}

Scope Types

project
system

Update a trunk

delete_trunk

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

DELETE /trunks/{id}

Scope Types

project
system

Delete a trunk

get_subports

Default

(role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)

Operations

GET /trunks/{id}/get_subports

Scope Types

project
system

List subports attached to a trunk

add_subports

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

PUT /trunks/{id}/add_subports

Scope Types

project
system

Add subports to a trunk

remove_subports

Default

(role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)

Operations

PUT /trunks/{id}/remove_subports

Scope Types

project
system

Delete subports from a trunk

updated: 2021-10-06 12:27

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.