Nova Policies
The following is an overview of all available policies in Nova.
For a sample configuration file, refer to Sample Nova Policy File.
nova

context_is_admin
Default: role:admin
Decides what is required for the ‘is_admin:True’ check to succeed.

admin_or_owner
Default: is_admin:True or project_id:%(project_id)s
Default rule for most non-Admin APIs.

admin_api
Default: is_admin:True
Default rule for most Admin APIs.

os_compute_api:os-admin-actions:reset_state
Default: rule:admin_api
Operations:
- POST /servers/{server_id}/action (os-resetState)
Reset the state of a given server

os_compute_api:os-admin-actions:inject_network_info
Default: rule:admin_api
Operations:
- POST /servers/{server_id}/action (injectNetworkInfo)
Inject network information into the server

os_compute_api:os-admin-actions:reset_network
Default: rule:admin_api
Operations:
- POST /servers/{server_id}/action (resetNetwork)
Reset networking on a server

os_compute_api:os-admin-password
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (changePassword)
Change the administrative password for a server

os_compute_api:os-agents
Default: rule:admin_api
Operations:
- GET /os-agents
- POST /os-agents
- PUT /os-agents/{agent_build_id}
- DELETE /os-agents/{agent_build_id}
Create, list, update, and delete guest agent builds
This is XenAPI driver specific. It is used to force the upgrade of the XenAPI guest agent on instance boot.

os_compute_api:os-aggregates:set_metadata
Default: rule:admin_api
Operations:
- POST /os-aggregates/{aggregate_id}/action (set_metadata)
Create or replace metadata for an aggregate

os_compute_api:os-aggregates:add_host
Default: rule:admin_api
Operations:
- POST /os-aggregates/{aggregate_id}/action (add_host)
Add a host to an aggregate

os_compute_api:os-aggregates:create
Default: rule:admin_api
Operations:
- POST /os-aggregates
Create an aggregate

os_compute_api:os-aggregates:remove_host
Default: rule:admin_api
Operations:
- POST /os-aggregates/{aggregate_id}/action (remove_host)
Remove a host from an aggregate

os_compute_api:os-aggregates:update
Default: rule:admin_api
Operations:
- PUT /os-aggregates/{aggregate_id}
Update name and/or availability zone for an aggregate

os_compute_api:os-aggregates:index
Default: rule:admin_api
Operations:
- GET /os-aggregates
List all aggregates

os_compute_api:os-aggregates:delete
Default: rule:admin_api
Operations:
- DELETE /os-aggregates/{aggregate_id}
Delete an aggregate

os_compute_api:os-aggregates:show
Default: rule:admin_api
Operations:
- GET /os-aggregates/{aggregate_id}
Show details for an aggregate

os_compute_api:os-assisted-volume-snapshots:create
Default: rule:admin_api
Operations:
- POST /os-assisted-volume-snapshots
Create an assisted volume snapshot

os_compute_api:os-assisted-volume-snapshots:delete
Default: rule:admin_api
Operations:
- DELETE /os-assisted-volume-snapshots/{snapshot_id}
Delete an assisted volume snapshot

os_compute_api:os-attach-interfaces
Default: rule:admin_or_owner
Operations:
- GET /servers/{server_id}/os-interface
- GET /servers/{server_id}/os-interface/{port_id}
List port interfaces or show details of a port interface attached to a server

os_compute_api:os-attach-interfaces:create
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/os-interface
Attach an interface to a server

os_compute_api:os-attach-interfaces:delete
Default: rule:admin_or_owner
Operations:
- DELETE /servers/{server_id}/os-interface/{port_id}
Detach an interface from a server

os_compute_api:os-availability-zone:list
Default: rule:admin_or_owner
Operations:
- GET /os-availability-zone
List availability zone information without host information

os_compute_api:os-availability-zone:detail
Default: rule:admin_api
Operations:
- GET /os-availability-zone/detail
List detailed availability zone information with host information

os_compute_api:os-baremetal-nodes
Default: rule:admin_api
Operations:
- GET /os-baremetal-nodes
- GET /os-baremetal-nodes/{node_id}
List and show details of bare metal nodes.
These APIs are proxy calls to the Ironic service and are deprecated.

os_compute_api:os-console-auth-tokens
Default: rule:admin_api
Operations:
- GET /os-console-auth-tokens/{console_token}
Show console connection information for a given console authentication token

os_compute_api:os-console-output
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (os-getConsoleOutput)
Show console output for a server

os_compute_api:os-consoles:create
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/consoles
Create a console for a server instance

os_compute_api:os-consoles:show
Default: rule:admin_or_owner
Operations:
- GET /servers/{server_id}/consoles/{console_id}
Show console details for a server instance

os_compute_api:os-consoles:delete
Default: rule:admin_or_owner
Operations:
- DELETE /servers/{server_id}/consoles/{console_id}
Delete a console for a server instance

os_compute_api:os-consoles:index
Default: rule:admin_or_owner
Operations:
- GET /servers/{server_id}/consoles
List all consoles for a server instance

os_compute_api:os-create-backup
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (createBackup)
Create a backup of a server

os_compute_api:os-deferred-delete
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (restore)
- POST /servers/{server_id}/action (forceDelete)
Restore a soft deleted server or force delete a server before deferred cleanup

os_compute_api:os-evacuate
Default: rule:admin_api
Operations:
- POST /servers/{server_id}/action (evacuate)
Evacuate a server from a failed host to a new host

os_compute_api:os-extended-server-attributes
Default: rule:admin_api
Operations:
- GET /servers/{id}
- GET /servers/detail
Return extended attributes for server.
This rule will control the visibility for a set of server attributes:
- OS-EXT-SRV-ATTR:host
- OS-EXT-SRV-ATTR:instance_name
- OS-EXT-SRV-ATTR:reservation_id (since microversion 2.3)
- OS-EXT-SRV-ATTR:launch_index (since microversion 2.3)
- OS-EXT-SRV-ATTR:hostname (since microversion 2.3)
- OS-EXT-SRV-ATTR:kernel_id (since microversion 2.3)
- OS-EXT-SRV-ATTR:ramdisk_id (since microversion 2.3)
- OS-EXT-SRV-ATTR:root_device_name (since microversion 2.3)
- OS-EXT-SRV-ATTR:user_data (since microversion 2.3)

os_compute_api:extensions
Default: rule:admin_or_owner
Operations:
- GET /extensions
- GET /extensions/{alias}
List available extensions and show information for an extension by alias

os_compute_api:os-flavor-access:add_tenant_access
Default: rule:admin_api
Operations:
- POST /flavors/{flavor_id}/action (addTenantAccess)
Add flavor access to a tenant

os_compute_api:os-flavor-access:remove_tenant_access
Default: rule:admin_api
Operations:
- POST /flavors/{flavor_id}/action (removeTenantAccess)
Remove flavor access from a tenant

os_compute_api:os-flavor-access
Default: rule:admin_or_owner
Operations:
- GET /flavors/{flavor_id}/os-flavor-access
List flavor access information
Allows access to the full list of tenants that have access to a flavor via an os-flavor-access API.

os_compute_api:os-flavor-extra-specs:show
Default: rule:admin_or_owner
Operations:
- GET /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
Show an extra spec for a flavor

os_compute_api:os-flavor-extra-specs:create
Default: rule:admin_api
Operations:
- POST /flavors/{flavor_id}/os-extra_specs/
Create extra specs for a flavor

os_compute_api:os-flavor-extra-specs:update
Default: rule:admin_api
Operations:
- PUT /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
Update an extra spec for a flavor

os_compute_api:os-flavor-extra-specs:delete
Default: rule:admin_api
Operations:
- DELETE /flavors/{flavor_id}/os-extra_specs/{flavor_extra_spec_key}
Delete an extra spec for a flavor

os_compute_api:os-flavor-extra-specs:index
Default: rule:admin_or_owner
Operations:
- GET /flavors/{flavor_id}/os-extra_specs/
- GET /servers/detail
- GET /servers/{server_id}
- PUT /servers/{server_id}
- POST /servers/{server_id}/action (rebuild)
- POST /flavors
- GET /flavors/detail
- GET /flavors/{flavor_id}
- PUT /flavors/{flavor_id}
List extra specs for a flavor. Starting with microversion 2.47, the flavor used for a server is also returned in the response when showing server details, updating a server or rebuilding a server. Starting with microversion 2.61, extra specs may be returned in responses for the flavor resource.

os_compute_api:os-flavor-manage:create
Default: rule:admin_api
Operations:
- POST /flavors
Create a flavor

os_compute_api:os-flavor-manage:update
Default: rule:admin_api
Operations:
- PUT /flavors/{flavor_id}
Update a flavor

os_compute_api:os-flavor-manage:delete
Default: rule:admin_api
Operations:
- DELETE /flavors/{flavor_id}
Delete a flavor

os_compute_api:os-floating-ip-pools
Default: rule:admin_or_owner
Operations:
- GET /os-floating-ip-pools
List floating IP pools. This API is deprecated.

os_compute_api:os-floating-ips
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (addFloatingIp)
- POST /servers/{server_id}/action (removeFloatingIp)
- GET /os-floating-ips
- POST /os-floating-ips
- GET /os-floating-ips/{floating_ip_id}
- DELETE /os-floating-ips/{floating_ip_id}
Manage a project’s floating IPs. These APIs are all deprecated.

os_compute_api:os-hosts
Default: rule:admin_api
Operations:
- GET /os-hosts
- GET /os-hosts/{host_name}
- PUT /os-hosts/{host_name}
- GET /os-hosts/{host_name}/reboot
- GET /os-hosts/{host_name}/shutdown
- GET /os-hosts/{host_name}/startup
List, show and manage physical hosts.
These APIs are all deprecated in favor of os-hypervisors and os-services.

os_compute_api:os-hypervisors
Default: rule:admin_api
Operations:
- GET /os-hypervisors
- GET /os-hypervisors/details
- GET /os-hypervisors/statistics
- GET /os-hypervisors/{hypervisor_id}
- GET /os-hypervisors/{hypervisor_id}/uptime
- GET /os-hypervisors/{hypervisor_hostname_pattern}/search
- GET /os-hypervisors/{hypervisor_hostname_pattern}/servers
Policy rule for hypervisor related APIs.
This rule will be checked for the following APIs:
List all hypervisors, list all hypervisors with details, show summary statistics for all hypervisors over all compute nodes, show details for a hypervisor, show the uptime of a hypervisor, search hypervisor by hypervisor_hostname pattern and list all servers on hypervisors that can match the provided hypervisor_hostname pattern.

os_compute_api:os-instance-actions:events
Default: rule:admin_api
Operations:
- GET /servers/{server_id}/os-instance-actions/{request_id}
Add events details in action details for a server.
This check is performed only after the check os_compute_api:os-instance-actions passes. Beginning with Microversion 2.51, events details are always included; traceback information is provided per event if policy enforcement passes. Beginning with Microversion 2.62, each event includes a hashed host identifier and, if policy enforcement passes, the name of the host.

os_compute_api:os-instance-actions
Default: rule:admin_or_owner
Operations:
- GET /servers/{server_id}/os-instance-actions
- GET /servers/{server_id}/os-instance-actions/{request_id}
List actions and show action details for a server.

os_compute_api:os-instance-usage-audit-log
Default: rule:admin_api
Operations:
- GET /os-instance_usage_audit_log
- GET /os-instance_usage_audit_log/{before_timestamp}
List all usage audits, or those that occurred before a specified time, for all servers on all compute hosts where usage auditing is configured

os_compute_api:ips:show
Default: rule:admin_or_owner
Operations:
- GET /servers/{server_id}/ips/{network_label}
Show IP addresses details for a network label of a server

os_compute_api:ips:index
Default: rule:admin_or_owner
Operations:
- GET /servers/{server_id}/ips
List IP addresses that are assigned to a server

os_compute_api:os-keypairs:index
Default: rule:admin_api or user_id:%(user_id)s
Operations:
- GET /os-keypairs
List all keypairs

os_compute_api:os-keypairs:create
Default: rule:admin_api or user_id:%(user_id)s
Operations:
- POST /os-keypairs
Create a keypair

os_compute_api:os-keypairs:delete
Default: rule:admin_api or user_id:%(user_id)s
Operations:
- DELETE /os-keypairs/{keypair_name}
Delete a keypair

os_compute_api:os-keypairs:show
Default: rule:admin_api or user_id:%(user_id)s
Operations:
- GET /os-keypairs/{keypair_name}
Show details of a keypair

os_compute_api:limits
Default: rule:admin_or_owner
Operations:
- GET /limits
Show rate and absolute limits for the project

os_compute_api:os-lock-server:lock
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (lock)
Lock a server

os_compute_api:os-lock-server:unlock
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (unlock)
Unlock a server

os_compute_api:os-lock-server:unlock:unlock_override
Default: rule:admin_api
Operations:
- POST /servers/{server_id}/action (unlock)
Unlock a server, regardless of who locked the server.
This check is performed only after the check os_compute_api:os-lock-server:unlock passes.

os_compute_api:os-migrate-server:migrate
Default: rule:admin_api
Operations:
- POST /servers/{server_id}/action (migrate)
Cold migrate a server to a host

os_compute_api:os-migrate-server:migrate_live
Default: rule:admin_api
Operations:
- POST /servers/{server_id}/action (os-migrateLive)
Live migrate a server to a new host without a reboot

os_compute_api:os-migrations:index
Default: rule:admin_api
Operations:
- GET /os-migrations
List migrations

os_compute_api:os-multinic
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (addFixedIp)
- POST /servers/{server_id}/action (removeFixedIp)
Add or remove a fixed IP address from a server.
These APIs are proxy calls to the Network service. These are all deprecated.

os_compute_api:os-networks
Default: rule:admin_api
Operations:
- POST /os-networks
- POST /os-networks/add
- DELETE /os-networks/{network_id}
- POST /os-networks/{network_id}/action (disassociate)
Create and delete a network, add and disassociate a network from a project.
These APIs are only available with nova-network which is deprecated.

os_compute_api:os-networks:view
Default: rule:admin_or_owner
Operations:
- GET /os-networks
- GET /os-networks/{network_id}
List networks for the project and show details for a network.
These APIs are proxy calls to the Network service. These are all deprecated.

os_compute_api:os-networks-associate
Default: rule:admin_api
Operations:
- POST /os-networks/{network_id}/action (disassociate_host)
- POST /os-networks/{network_id}/action (disassociate_project)
- POST /os-networks/{network_id}/action (associate_host)
Associate or disassociate a network from a host or project.
These APIs are only available with nova-network which is deprecated.

os_compute_api:os-pause-server:pause
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (pause)
Pause a server

os_compute_api:os-pause-server:unpause
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (unpause)
Unpause a paused server

os_compute_api:os-quota-class-sets:show
Default: is_admin:True or quota_class:%(quota_class)s
Operations:
- GET /os-quota-class-sets/{quota_class}
List quotas for a specific quota class

os_compute_api:os-quota-class-sets:update
Default: rule:admin_api
Operations:
- PUT /os-quota-class-sets/{quota_class}
Update quotas for a specific quota class

os_compute_api:os-quota-sets:update
Default: rule:admin_api
Operations:
- PUT /os-quota-sets/{tenant_id}
Update the quotas

os_compute_api:os-quota-sets:defaults
Default: @
Operations:
- GET /os-quota-sets/{tenant_id}/defaults
List default quotas

os_compute_api:os-quota-sets:show
Default: rule:admin_or_owner
Operations:
- GET /os-quota-sets/{tenant_id}
Show a quota

os_compute_api:os-quota-sets:delete
Default: rule:admin_api
Operations:
- DELETE /os-quota-sets/{tenant_id}
Revert quotas to defaults

os_compute_api:os-quota-sets:detail
Default: rule:admin_or_owner
Operations:
- GET /os-quota-sets/{tenant_id}/detail
Show the detail of quota

os_compute_api:os-remote-consoles
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (os-getRDPConsole)
- POST /servers/{server_id}/action (os-getSerialConsole)
- POST /servers/{server_id}/action (os-getSPICEConsole)
- POST /servers/{server_id}/action (os-getVNCConsole)
- POST /servers/{server_id}/remote-consoles
Generate a URL to access a remote server console

os_compute_api:os-rescue
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (rescue)
- POST /servers/{server_id}/action (unrescue)
Rescue/unrescue a server

os_compute_api:os-security-group-default-rules
Default: rule:admin_api
Operations:
- GET /os-security-group-default-rules
- GET /os-security-group-default-rules/{security_group_default_rule_id}
- POST /os-security-group-default-rules
- DELETE /os-security-group-default-rules/{security_group_default_rule_id}
List, show information for, create, or delete default security group rules.
These APIs are only available with nova-network which is now deprecated.

os_compute_api:os-security-groups
Default: rule:admin_or_owner
Operations:
- GET /os-security-groups
- GET /os-security-groups/{security_group_id}
- POST /os-security-groups
- PUT /os-security-groups/{security_group_id}
- DELETE /os-security-groups/{security_group_id}
- GET /servers/{server_id}/os-security-groups
- POST /servers/{server_id}/action (addSecurityGroup)
- POST /servers/{server_id}/action (removeSecurityGroup)
List, show, add, or remove security groups.
APIs which are directly related to security groups resource are deprecated: Lists, shows information for, creates, updates and deletes security groups. Creates and deletes security group rules. All these APIs are deprecated.
APIs which are related to server resource are not deprecated: Lists Security Groups for a server. Add Security Group to a server and remove security group from a server.

os_compute_api:os-server-diagnostics
Default: rule:admin_api
Operations:
- GET /servers/{server_id}/diagnostics
Show the usage data for a server

os_compute_api:os-server-external-events:create
Default: rule:admin_api
Operations:
- POST /os-server-external-events
Create one or more external events

os_compute_api:os-server-groups:create
Default: rule:admin_or_owner
Operations:
- POST /os-server-groups
Create a new server group

os_compute_api:os-server-groups:delete
Default: rule:admin_or_owner
Operations:
- DELETE /os-server-groups/{server_group_id}
Delete a server group

os_compute_api:os-server-groups:index
Default: rule:admin_or_owner
Operations:
- GET /os-server-groups
List all server groups

os_compute_api:os-server-groups:show
Default: rule:admin_or_owner
Operations:
- GET /os-server-groups/{server_group_id}
Show details of a server group

os_compute_api:server-metadata:index
Default: rule:admin_or_owner
Operations:
- GET /servers/{server_id}/metadata
List all metadata of a server

os_compute_api:server-metadata:show
Default: rule:admin_or_owner
Operations:
- GET /servers/{server_id}/metadata/{key}
Show metadata for a server

os_compute_api:server-metadata:create
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/metadata
Create metadata for a server

os_compute_api:server-metadata:update_all
Default: rule:admin_or_owner
Operations:
- PUT /servers/{server_id}/metadata
Replace metadata for a server

os_compute_api:server-metadata:update
Default: rule:admin_or_owner
Operations:
- PUT /servers/{server_id}/metadata/{key}
Update metadata from a server

os_compute_api:server-metadata:delete
Default: rule:admin_or_owner
Operations:
- DELETE /servers/{server_id}/metadata/{key}
Delete metadata from a server

os_compute_api:os-server-password
Default: rule:admin_or_owner
Operations:
- GET /servers/{server_id}/os-server-password
- DELETE /servers/{server_id}/os-server-password
Show and clear the encrypted administrative password of a server

os_compute_api:os-server-tags:delete_all
Default: rule:admin_or_owner
Operations:
- DELETE /servers/{server_id}/tags
Delete all the server tags

os_compute_api:os-server-tags:index
Default: rule:admin_or_owner
Operations:
- GET /servers/{server_id}/tags
List all tags for given server

os_compute_api:os-server-tags:update_all
Default: rule:admin_or_owner
Operations:
- PUT /servers/{server_id}/tags
Replace all tags on specified server with the new set of tags.

os_compute_api:os-server-tags:delete
Default: rule:admin_or_owner
Operations:
- DELETE /servers/{server_id}/tags/{tag}
Delete a single tag from the specified server

os_compute_api:os-server-tags:update
Default: rule:admin_or_owner
Operations:
- PUT /servers/{server_id}/tags/{tag}
Add a single tag to the server if server has no specified tag

os_compute_api:os-server-tags:show
Default: rule:admin_or_owner
Operations:
- GET /servers/{server_id}/tags/{tag}
Check tag existence on the server.

compute:server:topology:index
Default: rule:admin_or_owner
Operations:
- GET /servers/{server_id}/topology
Show the NUMA topology data for a server

compute:server:topology:host:index
Default: rule:admin_api
Operations:
- GET /servers/{server_id}/topology
Show the NUMA topology data for a server with host NUMA ID and CPU pinning information

os_compute_api:servers:index
Default: rule:admin_or_owner
Operations:
- GET /servers
List all servers

os_compute_api:servers:detail
Default: rule:admin_or_owner
Operations:
- GET /servers/detail
List all servers with detailed information

os_compute_api:servers:index:get_all_tenants
Default: rule:admin_api
Operations:
- GET /servers
List all servers for all projects

os_compute_api:servers:detail:get_all_tenants
Default: rule:admin_api
Operations:
- GET /servers/detail
List all servers with detailed information for all projects

os_compute_api:servers:allow_all_filters
Default: rule:admin_api
Operations:
- GET /servers
- GET /servers/detail
Allow all filters when listing servers

os_compute_api:servers:show
Default: rule:admin_or_owner
Operations:
- GET /servers/{server_id}
Show a server

os_compute_api:servers:show:host_status
Default: rule:admin_api
Operations:
- GET /servers/{server_id}
- GET /servers/detail
Show a server with additional host status information

os_compute_api:servers:create
Default: rule:admin_or_owner
Operations:
- POST /servers
Create a server

os_compute_api:servers:create:forced_host
Default: rule:admin_api
Operations:
- POST /servers
Create a server on the specified host and/or node.
In this case, the server is forced to launch on the specified host and/or node by bypassing the scheduler filters unlike the compute:servers:create:requested_destination rule.

compute:servers:create:requested_destination
Default: rule:admin_api
Operations:
- POST /servers
Create a server on the requested compute service host and/or hypervisor_hostname.
In this case, the requested host and/or hypervisor_hostname is validated by the scheduler filters unlike the os_compute_api:servers:create:forced_host rule.

os_compute_api:servers:create:attach_volume
Default: rule:admin_or_owner
Operations:
- POST /servers
Create a server with the requested volume attached to it

os_compute_api:servers:create:attach_network
Default: rule:admin_or_owner
Operations:
- POST /servers
Create a server with the requested network attached to it

os_compute_api:servers:create:trusted_certs
Default: rule:admin_or_owner
Operations:
- POST /servers
Create a server with trusted image certificate IDs

os_compute_api:servers:create:zero_disk_flavor
Default: rule:admin_api
Operations:
- POST /servers
This rule controls the compute API validation behavior of creating a server with a flavor that has 0 disk, indicating the server should be volume-backed.
For a flavor with disk=0, the root disk will be set to exactly the size of the image used to deploy the instance. However, in this case the filter_scheduler cannot select the compute host based on the virtual image size. Therefore, 0 should only be used for volume booted instances or for testing purposes.
WARNING: It is a potential security exposure to enable this policy rule if users can upload their own images since repeated attempts to create a disk=0 flavor instance with a large image can exhaust the local disk of the compute (or shared storage cluster). See bug https://bugs.launchpad.net/nova/+bug/1739646 for details.

network:attach_external_network
Default: is_admin:True
Operations:
- POST /servers
- POST /servers/{server_id}/os-interface
Attach an unshared external network to a server

os_compute_api:servers:delete
Default: rule:admin_or_owner
Operations:
- DELETE /servers/{server_id}
Delete a server

os_compute_api:servers:update
Default: rule:admin_or_owner
Operations:
- PUT /servers/{server_id}
Update a server

os_compute_api:servers:confirm_resize
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (confirmResize)
Confirm a server resize

os_compute_api:servers:revert_resize
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (revertResize)
Revert a server resize

os_compute_api:servers:reboot
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (reboot)
Reboot a server

os_compute_api:servers:resize
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (resize)
Resize a server

os_compute_api:servers:rebuild
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (rebuild)
Rebuild a server

os_compute_api:servers:rebuild:trusted_certs
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (rebuild)
Rebuild a server with trusted image certificate IDs

os_compute_api:servers:create_image
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (createImage)
Create an image from a server

os_compute_api:servers:create_image:allow_volume_backed
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (createImage)
Create an image from a volume backed server

os_compute_api:servers:start
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (os-start)
Start a server

os_compute_api:servers:stop
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (os-stop)
Stop a server

os_compute_api:servers:trigger_crash_dump
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (trigger_crash_dump)
Trigger crash dump in a server

os_compute_api:servers:migrations:show
Default: rule:admin_api
Operations:
- GET /servers/{server_id}/migrations/{migration_id}
Show details for an in-progress live migration for a given server

os_compute_api:servers:migrations:force_complete
Default: rule:admin_api
Operations:
- POST /servers/{server_id}/migrations/{migration_id}/action (force_complete)
Force an in-progress live migration for a given server to complete

os_compute_api:servers:migrations:delete
Default: rule:admin_api
Operations:
- DELETE /servers/{server_id}/migrations/{migration_id}
Delete (abort) an in-progress live migration

os_compute_api:servers:migrations:index
Default: rule:admin_api
Operations:
- GET /servers/{server_id}/migrations
Lists in-progress live migrations for a given server

os_compute_api:os-services
Default: rule:admin_api
Operations:
- GET /os-services
- PUT /os-services/enable
- PUT /os-services/disable
- PUT /os-services/disable-log-reason
- PUT /os-services/force-down
- PUT /os-services/{service_id}
- DELETE /os-services/{service_id}
List all running Compute services in a region, enable or disable scheduling for a Compute service, log disabled Compute service information, set or unset the forced_down flag for a Compute service, and delete a Compute service

os_compute_api:os-shelve:shelve
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (shelve)
Shelve server

os_compute_api:os-shelve:unshelve
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (unshelve)
Unshelve (restore) shelved server

os_compute_api:os-shelve:shelve_offload
Default: rule:admin_api
Operations:
- POST /servers/{server_id}/action (shelveOffload)
Shelve-offload (remove) server

os_compute_api:os-simple-tenant-usage:show
Default: rule:admin_or_owner
Operations:
- GET /os-simple-tenant-usage/{tenant_id}
Show usage statistics for a specific tenant

os_compute_api:os-simple-tenant-usage:list
Default: rule:admin_api
Operations:
- GET /os-simple-tenant-usage
List per tenant usage statistics for all tenants

os_compute_api:os-suspend-server:resume
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (resume)
Resume suspended server

os_compute_api:os-suspend-server:suspend
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/action (suspend)
Suspend server

os_compute_api:os-tenant-networks
Default: rule:admin_or_owner
Operations:
- GET /os-tenant-networks
- POST /os-tenant-networks
- GET /os-tenant-networks/{network_id}
- DELETE /os-tenant-networks/{network_id}
Create, list, show information for, and delete project networks.
These APIs are proxy calls to the Network service. These are all deprecated.

os_compute_api:os-used-limits
Default: rule:admin_api
Operations:
- GET /limits
Show rate and absolute limits for the project.
This policy only checks if the user has access to the requested project limits. This check is performed only after the check os_compute_api:limits passes.

os_compute_api:os-volumes
Default: rule:admin_or_owner
Operations:
- GET /os-volumes
- POST /os-volumes
- GET /os-volumes/detail
- GET /os-volumes/{volume_id}
- DELETE /os-volumes/{volume_id}
- GET /os-snapshots
- POST /os-snapshots
- GET /os-snapshots/detail
- GET /os-snapshots/{snapshot_id}
- DELETE /os-snapshots/{snapshot_id}
Manage volumes for use with the Compute API.
Lists, shows details, creates, and deletes volumes and snapshots. These APIs are proxy calls to the Volume service. These are all deprecated.

os_compute_api:os-volumes-attachments:index
Default: rule:admin_or_owner
Operations:
- GET /servers/{server_id}/os-volume_attachments
List volume attachments for an instance

os_compute_api:os-volumes-attachments:create
Default: rule:admin_or_owner
Operations:
- POST /servers/{server_id}/os-volume_attachments
Attach a volume to an instance

os_compute_api:os-volumes-attachments:show
Default: rule:admin_or_owner
Operations:
- GET /servers/{server_id}/os-volume_attachments/{volume_id}
Show details of a volume attachment

os_compute_api:os-volumes-attachments:update
Default: rule:admin_api
Operations:
- PUT /servers/{server_id}/os-volume_attachments/{volume_id}
Update a volume attachment

os_compute_api:os-volumes-attachments:delete
Default: rule:admin_or_owner
Operations:
- DELETE /servers/{server_id}/os-volume_attachments/{volume_id}
Detach a volume from an instance
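
An added example (not part of the Nova documentation or code): a simplified Python check that classifies the check strings listed on this page by the least-privileged caller able to pass them, then flags operator overrides that weaken a default, directly or through a base rule such as context_is_admin. It handles only `or`/`and`, `rule:` references, `@` and `!`; treating every non-admin role as owner-level and the `SAMPLE_OVERRIDES` values are assumptions made here.

```python
import re

# Least-privileged caller class able to satisfy a check string.
ANYONE, OWNER, ADMIN, NOBODY = range(4)
NAMES = ("anyone", "owner", "admin", "nobody")

# Defaults copied from this page (a subset; extend with the full list).
DEFAULTS = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "admin_api": "is_admin:True",
    "os_compute_api:servers:create": "rule:admin_or_owner",
    "os_compute_api:servers:create:forced_host": "rule:admin_api",
    "os_compute_api:servers:create:zero_disk_flavor": "rule:admin_api",
    "os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s",
    "os_compute_api:os-quota-sets:defaults": "@",
}

# Constructed operator overrides, as they might appear in a policy file.
SAMPLE_OVERRIDES = {
    "os_compute_api:servers:create:zero_disk_flavor": "rule:admin_or_owner",
    "os_compute_api:servers:create:forced_host": "role:admin",
    "os_compute_api:os-keypairs:index": "rule:admin_api",
    "os_compute_api:servers:create": "role:member and project_id:%(project_id)s",
}


def level(check, rules, seen=frozenset()):
    """Classify a check string; raise ValueError if it needs manual review."""
    check = check.strip()
    if check in ("", "@"):          # empty and "@" always allow
        return ANYONE
    if check == "!":                # "!" always denies
        return NOBODY
    # Parentheses and 'not' are outside this simplified classifier.
    bare = re.sub(r"%\(\w+\)s", "", check)
    if "(" in bare or ")" in bare or re.search(r"\bnot\b", bare):
        raise ValueError(f"unsupported expression: {check}")
    if " or " in check:             # any branch may pass: weakest branch wins
        return min(level(p, rules, seen) for p in check.split(" or "))
    if " and " in check:            # every branch must pass: strictest wins
        return max(level(p, rules, seen) for p in check.split(" and "))
    kind, _, match = check.partition(":")
    if kind == "rule":
        if match in seen:
            raise ValueError(f"rule cycle through {match}")
        if match not in rules:
            raise ValueError(f"undefined rule {match}")
        return level(rules[match], rules, seen | {match})
    if check == "is_admin:True":
        # Per this page, context_is_admin decides when is_admin:True succeeds.
        return level("rule:context_is_admin", rules, seen)
    if check == "role:admin":
        return ADMIN
    if kind == "role" or "%(" in match:
        # Assumption: any other role, or a match against the target
        # (project_id, user_id, quota_class), is reachable by a non-admin.
        return OWNER
    raise ValueError(f"unrecognised check: {check}")


def audit(defaults, overrides):
    """Return (rule, status, detail) for each rule the overrides weaken."""
    effective = {**defaults, **overrides}
    findings = []
    for name in sorted(effective):
        if name not in defaults:
            findings.append((name, "unknown-rule", "not in the defaults table"))
            continue
        try:
            before = level(defaults[name], defaults)
            after = level(effective[name], effective)
        except ValueError as exc:
            findings.append((name, "manual-review", str(exc)))
            continue
        if after < before:
            detail = f"{NAMES[before]} -> {NAMES[after]}"
            findings.append((name, "loosened", detail))
    return findings


if __name__ == "__main__":
    for finding in audit(DEFAULTS, SAMPLE_OVERRIDES):
        print(*finding, sep="\t")
```

Because every rule is re-evaluated against the merged rule set, a single override of context_is_admin or admin_api is reported once for each policy that inherits from it.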