Warning
The JSON-formatted policy file has been deprecated since Neutron 18.0.0 (Wallaby). The oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.
Neutron, like most OpenStack projects, uses a policy language to restrict permissions on REST API actions.
The following is an overview of all available policies in Neutron.
For a sample policy file, refer to Sample Policy File.
context_is_admin
role:admin
Rule for cloud admin access
owner
tenant_id:%(tenant_id)s
Rule for resource owner access
admin_or_owner
rule:context_is_admin or rule:owner
Rule for admin or owner access
context_is_advsvc
role:advsvc
Rule for advsvc role access
admin_or_network_owner
rule:context_is_admin or tenant_id:%(network:tenant_id)s
Rule for admin or network owner access
admin_owner_or_network_owner
rule:owner or rule:admin_or_network_owner
Rule for resource owner, admin or network owner access
network_owner
tenant_id:%(network:tenant_id)s
Rule for network owner access
admin_only
rule:context_is_admin
Rule for admin-only access
regular_user
<empty string>
Rule for regular user access
shared
field:networks:shared=True
Rule of shared network
default
rule:admin_or_owner
Default access rule
admin_or_ext_parent_owner
rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s
Rule for common parent owner check
ext_parent_owner
tenant_id:%(ext_parent:tenant_id)s
Rule for common parent owner check
sg_owner
tenant_id:%(security_group:tenant_id)s
Rule for security group owner access
shared_address_groups
field:address_groups:shared=True
Definition of a shared address group
get_address_group
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups
GET /address-groups
GET /address-groups/{id}
project
Get an address group
shared_address_scopes
field:address_scopes:shared=True
Definition of a shared address scope
create_address_scope
(rule:admin_only) or (role:member and project_id:%(project_id)s)
POST /address-scopes
project
Create an address scope
create_address_scope:shared
rule:admin_only
POST /address-scopes
project
Create a shared address scope
get_address_scope
rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared_address_scopes
GET /address-scopes
GET /address-scopes/{id}
project
Get an address scope
update_address_scope
(rule:admin_only) or (role:member and project_id:%(project_id)s)
PUT /address-scopes/{id}
project
Update an address scope
update_address_scope:shared
rule:admin_only
PUT /address-scopes/{id}
project
Update shared attribute of an address scope
delete_address_scope
(rule:admin_only) or (role:member and project_id:%(project_id)s)
DELETE /address-scopes/{id}
project
Delete an address scope
get_agent
rule:admin_only
GET /agents
GET /agents/{id}
project
Get an agent
update_agent
rule:admin_only
PUT /agents/{id}
project
Update an agent
delete_agent
rule:admin_only
DELETE /agents/{id}
project
Delete an agent
create_dhcp-network
rule:admin_only
POST /agents/{agent_id}/dhcp-networks
project
Add a network to a DHCP agent
get_dhcp-networks
rule:admin_only
GET /agents/{agent_id}/dhcp-networks
project
List networks on a DHCP agent
delete_dhcp-network
rule:admin_only
DELETE /agents/{agent_id}/dhcp-networks/{network_id}
project
Remove a network from a DHCP agent
create_l3-router
rule:admin_only
POST /agents/{agent_id}/l3-routers
project
Add a router to an L3 agent
get_l3-routers
rule:admin_only
GET /agents/{agent_id}/l3-routers
project
List routers on an L3 agent
delete_l3-router
rule:admin_only
DELETE /agents/{agent_id}/l3-routers/{router_id}
project
Remove a router from an L3 agent
get_dhcp-agents
rule:admin_only
GET /networks/{network_id}/dhcp-agents
project
List DHCP agents hosting a network
get_l3-agents
rule:admin_only
GET /routers/{router_id}/l3-agents
project
List L3 agents hosting a router
get_auto_allocated_topology
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
GET /auto-allocated-topology/{project_id}
project
Get a project’s auto-allocated topology
delete_auto_allocated_topology
(rule:admin_only) or (role:member and project_id:%(project_id)s)
DELETE /auto-allocated-topology/{project_id}
project
Delete a project’s auto-allocated topology
get_availability_zone
role:reader
GET /availability_zones
project
List availability zones
create_flavor
rule:admin_only
POST /flavors
project
Create a flavor
get_flavor
role:reader
GET /flavors
GET /flavors/{id}
project
Get a flavor
update_flavor
rule:admin_only
PUT /flavors/{id}
project
Update a flavor
delete_flavor
rule:admin_only
DELETE /flavors/{id}
project
Delete a flavor
create_service_profile
rule:admin_only
POST /service_profiles
project
Create a service profile
get_service_profile
rule:admin_only
GET /service_profiles
GET /service_profiles/{id}
project
Get a service profile
update_service_profile
rule:admin_only
PUT /service_profiles/{id}
project
Update a service profile
delete_service_profile
rule:admin_only
DELETE /service_profiles/{id}
project
Delete a service profile
get_flavor_service_profile
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
project
Get a flavor associated with a given service profile. There is currently no corresponding GET operation in the API. This rule is currently referenced only in the DELETE of flavor_service_profile.
create_flavor_service_profile
rule:admin_only
POST /flavors/{flavor_id}/service_profiles
project
Associate a flavor with a service profile
delete_flavor_service_profile
rule:admin_only
DELETE /flavors/{flavor_id}/service_profiles/{profile_id}
project
Disassociate a flavor from a service profile
create_floatingip
(rule:admin_only) or (role:member and project_id:%(project_id)s)
POST /floatingips
project
Create a floating IP
create_floatingip:floating_ip_address
rule:admin_only
POST /floatingips
project
Create a floating IP with a specific IP address
get_floatingip
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
GET /floatingips
GET /floatingips/{id}
project
Get a floating IP
update_floatingip
(rule:admin_only) or (role:member and project_id:%(project_id)s)
PUT /floatingips/{id}
project
Update a floating IP
delete_floatingip
(rule:admin_only) or (role:member and project_id:%(project_id)s)
DELETE /floatingips/{id}
project
Delete a floating IP
get_floatingip_pool
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
GET /floatingip_pools
project
Get floating IP pools
create_floatingip_port_forwarding
(rule:admin_only) or (role:member and rule:ext_parent_owner)
POST /floatingips/{floatingip_id}/port_forwardings
project
Create a floating IP port forwarding
get_floatingip_port_forwarding
(rule:admin_only) or (role:reader and rule:ext_parent_owner)
GET /floatingips/{floatingip_id}/port_forwardings
GET /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
project
Get a floating IP port forwarding
update_floatingip_port_forwarding
(rule:admin_only) or (role:member and rule:ext_parent_owner)
PUT /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
project
Update a floating IP port forwarding
delete_floatingip_port_forwarding
(rule:admin_only) or (role:member and rule:ext_parent_owner)
DELETE /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
project
Delete a floating IP port forwarding
create_router_conntrack_helper
(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner
POST /routers/{router_id}/conntrack_helpers
project
Create a router conntrack helper
get_router_conntrack_helper
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner
GET /routers/{router_id}/conntrack_helpers
GET /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
project
Get a router conntrack helper
update_router_conntrack_helper
(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner
PUT /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
project
Update a router conntrack helper
delete_router_conntrack_helper
(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner
DELETE /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
project
Delete a router conntrack helper
create_local_ip
(rule:admin_only) or (role:member and project_id:%(project_id)s)
POST /local-ips
project
Create a Local IP
get_local_ip
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
GET /local-ips
GET /local-ips/{id}
project
Get a Local IP
update_local_ip
(rule:admin_only) or (role:member and project_id:%(project_id)s)
PUT /local-ips/{id}
project
Update a Local IP
delete_local_ip
(rule:admin_only) or (role:member and project_id:%(project_id)s)
DELETE /local-ips/{id}
project
Delete a Local IP
create_local_ip_port_association
(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner
POST /local_ips/{local_ip_id}/port_associations
project
Create a Local IP port association
get_local_ip_port_association
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner
GET /local_ips/{local_ip_id}/port_associations
GET /local_ips/{local_ip_id}/port_associations/{fixed_port_id}
project
Get a Local IP port association
delete_local_ip_port_association
(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner
DELETE /local_ips/{local_ip_id}/port_associations/{fixed_port_id}
project
Delete a Local IP port association
get_loggable_resource
rule:admin_only
GET /log/loggable-resources
project
Get loggable resources
create_log
rule:admin_only
POST /log/logs
project
Create a network log
get_log
rule:admin_only
GET /log/logs
GET /log/logs/{id}
project
Get a network log
update_log
rule:admin_only
PUT /log/logs/{id}
project
Update a network log
delete_log
rule:admin_only
DELETE /log/logs/{id}
project
Delete a network log
create_metering_label
rule:admin_only
POST /metering/metering-labels
project
Create a metering label
get_metering_label
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
GET /metering/metering-labels
GET /metering/metering-labels/{id}
project
Get a metering label
delete_metering_label
rule:admin_only
DELETE /metering/metering-labels/{id}
project
Delete a metering label
create_metering_label_rule
rule:admin_only
POST /metering/metering-label-rules
project
Create a metering label rule
get_metering_label_rule
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
GET /metering/metering-label-rules
GET /metering/metering-label-rules/{id}
project
Get a metering label rule
delete_metering_label_rule
rule:admin_only
DELETE /metering/metering-label-rules/{id}
project
Delete a metering label rule
create_ndp_proxy
(rule:admin_only) or (role:member and project_id:%(project_id)s)
POST /ndp_proxies
project
Create an NDP proxy
get_ndp_proxy
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
GET /ndp_proxies
GET /ndp_proxies/{id}
project
Get an NDP proxy
update_ndp_proxy
(rule:admin_only) or (role:member and project_id:%(project_id)s)
PUT /ndp_proxies/{id}
project
Update an NDP proxy
delete_ndp_proxy
(rule:admin_only) or (role:member and project_id:%(project_id)s)
DELETE /ndp_proxies/{id}
project
Delete an NDP proxy
external
field:networks:router:external=True
Definition of an external network
create_network
(rule:admin_only) or (role:member and project_id:%(project_id)s)
POST /networks
project
Create a network
create_network:shared
rule:admin_only
POST /networks
project
Create a shared network
create_network:router:external
rule:admin_only
POST /networks
project
Create an external network
create_network:is_default
rule:admin_only
POST /networks
project
Specify is_default attribute when creating a network
create_network:port_security_enabled
(rule:admin_only) or (role:member and project_id:%(project_id)s)
POST /networks
project
Specify port_security_enabled attribute when creating a network
create_network:segments
rule:admin_only
POST /networks
project
Specify segments attribute when creating a network
create_network:provider:network_type
rule:admin_only
POST /networks
project
Specify provider:network_type when creating a network
create_network:provider:physical_network
rule:admin_only
POST /networks
project
Specify provider:physical_network when creating a network
create_network:provider:segmentation_id
rule:admin_only
POST /networks
project
Specify provider:segmentation_id when creating a network
get_network
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc
GET /networks
GET /networks/{id}
project
Get a network
get_network:segments
rule:admin_only
GET /networks
GET /networks/{id}
project
Get segments attribute of a network
get_network:provider:network_type
rule:admin_only
GET /networks
GET /networks/{id}
project
Get provider:network_type attribute of a network
get_network:provider:physical_network
rule:admin_only
GET /networks
GET /networks/{id}
project
Get provider:physical_network attribute of a network
get_network:provider:segmentation_id
rule:admin_only
GET /networks
GET /networks/{id}
project
Get provider:segmentation_id attribute of a network
update_network
(rule:admin_only) or (role:member and project_id:%(project_id)s)
PUT /networks/{id}
project
Update a network
update_network:segments
rule:admin_only
PUT /networks/{id}
project
Update segments attribute of a network
update_network:shared
rule:admin_only
PUT /networks/{id}
project
Update shared attribute of a network
update_network:provider:network_type
rule:admin_only
PUT /networks/{id}
project
Update provider:network_type attribute of a network
update_network:provider:physical_network
rule:admin_only
PUT /networks/{id}
project
Update provider:physical_network attribute of a network
update_network:provider:segmentation_id
rule:admin_only
PUT /networks/{id}
project
Update provider:segmentation_id attribute of a network
update_network:router:external
rule:admin_only
PUT /networks/{id}
project
Update router:external attribute of a network
update_network:is_default
rule:admin_only
PUT /networks/{id}
project
Update is_default attribute of a network
update_network:port_security_enabled
(rule:admin_only) or (role:member and project_id:%(project_id)s)
PUT /networks/{id}
project
Update port_security_enabled attribute of a network
delete_network
(rule:admin_only) or (role:member and project_id:%(project_id)s)
DELETE /networks/{id}
project
Delete a network
get_network_ip_availability
rule:admin_only
GET /network-ip-availabilities
GET /network-ip-availabilities/{network_id}
project
Get network IP availability
create_network_segment_range
rule:admin_only
POST /network_segment_ranges
project
Create a network segment range
get_network_segment_range
rule:admin_only
GET /network_segment_ranges
GET /network_segment_ranges/{id}
project
Get a network segment range
update_network_segment_range
rule:admin_only
PUT /network_segment_ranges/{id}
project
Update a network segment range
delete_network_segment_range
rule:admin_only
DELETE /network_segment_ranges/{id}
project
Delete a network segment range
network_device
field:port:device_owner=~^network:
Definition of port with network device_owner
admin_or_data_plane_int
rule:context_is_admin or role:data_plane_integrator
Rule for data plane integration
create_port
(rule:admin_only) or (role:member and project_id:%(project_id)s)
POST /ports
project
Create a port
create_port:device_owner
not rule:network_device or rule:admin_only or rule:context_is_advsvc or rule:network_owner
POST /ports
project
Specify device_owner attribute when creating a port
create_port:mac_address
rule:context_is_advsvc or rule:network_owner or rule:admin_only
POST /ports
project
Specify mac_address attribute when creating a port
create_port:fixed_ips
rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared
POST /ports
project
Specify fixed_ips information when creating a port
create_port:fixed_ips:ip_address
rule:context_is_advsvc or rule:network_owner or rule:admin_only
POST /ports
project
Specify IP address in fixed_ips when creating a port
create_port:fixed_ips:subnet_id
rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared
POST /ports
project
Specify subnet ID in fixed_ips when creating a port
create_port:port_security_enabled
rule:context_is_advsvc or rule:network_owner or rule:admin_only
POST /ports
project
Specify port_security_enabled attribute when creating a port
create_port:binding:host_id
rule:admin_only
POST /ports
project
Specify binding:host_id attribute when creating a port
create_port:binding:profile
rule:admin_only
POST /ports
project
Specify binding:profile attribute when creating a port
create_port:binding:vnic_type
(rule:admin_only) or (role:member and project_id:%(project_id)s)
POST /ports
project
Specify binding:vnic_type attribute when creating a port
create_port:allowed_address_pairs
rule:admin_only or rule:network_owner
POST /ports
project
Specify allowed_address_pairs attribute when creating a port
create_port:allowed_address_pairs:mac_address
rule:admin_only or rule:network_owner
POST /ports
project
Specify mac_address of allowed_address_pairs attribute when creating a port
create_port:allowed_address_pairs:ip_address
rule:admin_only or rule:network_owner
POST /ports
project
Specify ip_address of allowed_address_pairs attribute when creating a port
get_port
rule:admin_only or rule:context_is_advsvc or rule:network_owner or role:reader and project_id:%(project_id)s
GET /ports
GET /ports/{id}
project
Get a port
get_port:binding:vif_type
rule:admin_only
GET /ports
GET /ports/{id}
project
Get binding:vif_type attribute of a port
get_port:binding:vif_details
rule:admin_only
GET /ports
GET /ports/{id}
project
Get binding:vif_details attribute of a port
get_port:binding:host_id
rule:admin_only
GET /ports
GET /ports/{id}
project
Get binding:host_id attribute of a port
get_port:binding:profile
rule:admin_only
GET /ports
GET /ports/{id}
project
Get binding:profile attribute of a port
get_port:resource_request
rule:admin_only
GET /ports
GET /ports/{id}
project
Get resource_request attribute of a port
update_port
rule:admin_only or role:member and project_id:%(project_id)s or rule:context_is_advsvc
PUT /ports/{id}
project
Update a port
update_port:device_owner
not rule:network_device or rule:context_is_advsvc or rule:network_owner or rule:admin_only
PUT /ports/{id}
project
Update device_owner attribute of a port
update_port:mac_address
rule:admin_only or rule:context_is_advsvc
PUT /ports/{id}
project
Update mac_address attribute of a port
update_port:fixed_ips
rule:context_is_advsvc or rule:network_owner or rule:admin_only
PUT /ports/{id}
project
Specify fixed_ips information when updating a port
update_port:fixed_ips:ip_address
rule:context_is_advsvc or rule:network_owner or rule:admin_only
PUT /ports/{id}
project
Specify IP address in fixed_ips information when updating a port
update_port:fixed_ips:subnet_id
rule:context_is_advsvc or rule:network_owner or rule:admin_only or rule:shared
PUT /ports/{id}
project
Specify subnet ID in fixed_ips information when updating a port
update_port:port_security_enabled
rule:context_is_advsvc or rule:network_owner or rule:admin_only
PUT /ports/{id}
project
Update port_security_enabled attribute of a port
update_port:binding:host_id
rule:admin_only
PUT /ports/{id}
project
Update binding:host_id attribute of a port
update_port:binding:profile
rule:admin_only
PUT /ports/{id}
project
Update binding:profile attribute of a port
update_port:binding:vnic_type
rule:admin_only or role:member and project_id:%(project_id)s or rule:context_is_advsvc
PUT /ports/{id}
project
Update binding:vnic_type attribute of a port
update_port:allowed_address_pairs
rule:admin_only or rule:network_owner
PUT /ports/{id}
project
Update allowed_address_pairs attribute of a port
update_port:allowed_address_pairs:mac_address
rule:admin_only or rule:network_owner
PUT /ports/{id}
project
Update mac_address of allowed_address_pairs attribute of a port
update_port:allowed_address_pairs:ip_address
rule:admin_only or rule:network_owner
PUT /ports/{id}
project
Update ip_address of allowed_address_pairs attribute of a port
update_port:data_plane_status
rule:admin_only or role:data_plane_integrator
PUT /ports/{id}
project
Update data_plane_status attribute of a port
delete_port
rule:admin_only or rule:context_is_advsvc or role:member and project_id:%(project_id)s or rule:network_owner
DELETE /ports/{id}
project
Delete a port
shared_qos_policy
field:policies:shared=True
Rule of shared QoS policy
get_policy
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_qos_policy
GET /qos/policies
GET /qos/policies/{id}
project
Get QoS policies
create_policy
rule:admin_only
POST /qos/policies
project
Create a QoS policy
update_policy
rule:admin_only
PUT /qos/policies/{id}
project
Update a QoS policy
delete_policy
rule:admin_only
DELETE /qos/policies/{id}
project
Delete a QoS policy
get_rule_type
role:reader
GET /qos/rule-types
GET /qos/rule-types/{rule_type}
project
Get available QoS rule types
get_policy_bandwidth_limit_rule
(rule:admin_only) or (role:reader and rule:ext_parent_owner)
GET /qos/policies/{policy_id}/bandwidth_limit_rules
GET /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
project
Get a QoS bandwidth limit rule
create_policy_bandwidth_limit_rule
rule:admin_only
POST /qos/policies/{policy_id}/bandwidth_limit_rules
project
Create a QoS bandwidth limit rule
update_policy_bandwidth_limit_rule
rule:admin_only
PUT /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
project
Update a QoS bandwidth limit rule
delete_policy_bandwidth_limit_rule
rule:admin_only
DELETE /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
project
Delete a QoS bandwidth limit rule
get_policy_packet_rate_limit_rule
(rule:admin_only) or (role:reader and rule:ext_parent_owner)
GET /qos/policies/{policy_id}/packet_rate_limit_rules
GET /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}
project
Get a QoS packet rate limit rule
create_policy_packet_rate_limit_rule
rule:admin_only
POST /qos/policies/{policy_id}/packet_rate_limit_rules
project
Create a QoS packet rate limit rule
update_policy_packet_rate_limit_rule
rule:admin_only
PUT /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}
project
Update a QoS packet rate limit rule
delete_policy_packet_rate_limit_rule
rule:admin_only
DELETE /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}
project
Delete a QoS packet rate limit rule
get_policy_dscp_marking_rule
(rule:admin_only) or (role:reader and rule:ext_parent_owner)
GET /qos/policies/{policy_id}/dscp_marking_rules
GET /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
project
Get a QoS DSCP marking rule
create_policy_dscp_marking_rule
rule:admin_only
POST /qos/policies/{policy_id}/dscp_marking_rules
project
Create a QoS DSCP marking rule
update_policy_dscp_marking_rule
rule:admin_only
PUT /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
project
Update a QoS DSCP marking rule
delete_policy_dscp_marking_rule
rule:admin_only
DELETE /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
project
Delete a QoS DSCP marking rule
get_policy_minimum_bandwidth_rule
(rule:admin_only) or (role:reader and rule:ext_parent_owner)
GET /qos/policies/{policy_id}/minimum_bandwidth_rules
GET /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
project
Get a QoS minimum bandwidth rule
create_policy_minimum_bandwidth_rule
rule:admin_only
POST /qos/policies/{policy_id}/minimum_bandwidth_rules
project
Create a QoS minimum bandwidth rule
update_policy_minimum_bandwidth_rule
rule:admin_only
PUT /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
project
Update a QoS minimum bandwidth rule
delete_policy_minimum_bandwidth_rule
rule:admin_only
DELETE /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
project
Delete a QoS minimum bandwidth rule
get_policy_minimum_packet_rate_rule
(rule:admin_only) or (role:reader and rule:ext_parent_owner)
GET /qos/policies/{policy_id}/minimum_packet_rate_rules
GET /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
project
Get a QoS minimum packet rate rule
create_policy_minimum_packet_rate_rule
rule:admin_only
POST /qos/policies/{policy_id}/minimum_packet_rate_rules
project
Create a QoS minimum packet rate rule
update_policy_minimum_packet_rate_rule
rule:admin_only
PUT /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
project
Update a QoS minimum packet rate rule
delete_policy_minimum_packet_rate_rule
rule:admin_only
DELETE /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
project
Delete a QoS minimum packet rate rule
get_alias_bandwidth_limit_rule
(rule:admin_only) or (role:reader and rule:ext_parent_owner)
GET /qos/alias_bandwidth_limit_rules/{rule_id}/
project
Get a QoS bandwidth limit rule through alias
update_alias_bandwidth_limit_rule
rule:admin_only
PUT /qos/alias_bandwidth_limit_rules/{rule_id}/
project
Update a QoS bandwidth limit rule through alias
delete_alias_bandwidth_limit_rule
rule:admin_only
DELETE /qos/alias_bandwidth_limit_rules/{rule_id}/
project
Delete a QoS bandwidth limit rule through alias
get_alias_dscp_marking_rule
(rule:admin_only) or (role:reader and rule:ext_parent_owner)
GET /qos/alias_dscp_marking_rules/{rule_id}/
project
Get a QoS DSCP marking rule through alias
update_alias_dscp_marking_rule
rule:admin_only
PUT /qos/alias_dscp_marking_rules/{rule_id}/
project
Update a QoS DSCP marking rule through alias
delete_alias_dscp_marking_rule
rule:admin_only
DELETE /qos/alias_dscp_marking_rules/{rule_id}/
project
Delete a QoS DSCP marking rule through alias
get_alias_minimum_bandwidth_rule
(rule:admin_only) or (role:reader and rule:ext_parent_owner)
GET /qos/alias_minimum_bandwidth_rules/{rule_id}/
project
Get a QoS minimum bandwidth rule through alias
update_alias_minimum_bandwidth_rule
rule:admin_only
PUT /qos/alias_minimum_bandwidth_rules/{rule_id}/
project
Update a QoS minimum bandwidth rule through alias
delete_alias_minimum_bandwidth_rule
rule:admin_only
DELETE /qos/alias_minimum_bandwidth_rules/{rule_id}/
project
Delete a QoS minimum bandwidth rule through alias
get_alias_minimum_packet_rate_rule
rule:get_policy_minimum_packet_rate_rule
GET /qos/alias_minimum_packet_rate_rules/{rule_id}/
project
Get a QoS minimum packet rate rule through alias
update_alias_minimum_packet_rate_rule
rule:update_policy_minimum_packet_rate_rule
PUT /qos/alias_minimum_packet_rate_rules/{rule_id}/
project
Update a QoS minimum packet rate rule through alias
delete_alias_minimum_packet_rate_rule
rule:delete_policy_minimum_packet_rate_rule
DELETE /qos/alias_minimum_packet_rate_rules/{rule_id}/
project
Delete a QoS minimum packet rate rule through alias
get_quota
rule:admin_only
GET /quota
GET /quota/{id}
project
Get a resource quota
update_quota
rule:admin_only
PUT /quota/{id}
project
Update a resource quota
delete_quota
rule:admin_only
DELETE /quota/{id}
project
Delete a resource quota
restrict_wildcard
(not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*) or rule:admin_only
Definition of a wildcard target_project
create_rbac_policy
(rule:admin_only) or (role:member and project_id:%(project_id)s)
POST /rbac-policies
project
Create an RBAC policy
create_rbac_policy:target_tenant
rule:admin_only or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)
POST /rbac-policies
project
Specify target_tenant when creating an RBAC policy
update_rbac_policy
(rule:admin_only) or (role:member and project_id:%(project_id)s)
PUT /rbac-policies/{id}
project
Update an RBAC policy
update_rbac_policy:target_tenant
rule:admin_only or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)
PUT /rbac-policies/{id}
project
Update target_tenant attribute of an RBAC policy
get_rbac_policy
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
GET /rbac-policies
GET /rbac-policies/{id}
project
Get an RBAC policy
delete_rbac_policy
(rule:admin_only) or (role:member and project_id:%(project_id)s)
DELETE /rbac-policies/{id}
project
Delete an RBAC policy
create_router
(rule:admin_only) or (role:member and project_id:%(project_id)s)
POST /routers
project
Create a router
create_router:distributed
rule:admin_only
POST /routers
project
Specify distributed attribute when creating a router
create_router:ha
rule:admin_only
POST /routers
project
Specify ha attribute when creating a router
create_router:external_gateway_info
(rule:admin_only) or (role:member and project_id:%(project_id)s)
POST /routers
project
Specify external_gateway_info information when creating a router
create_router:external_gateway_info:network_id
(rule:admin_only) or (role:member and project_id:%(project_id)s)
POST /routers
project
Specify network_id in external_gateway_info information when creating a router
create_router:external_gateway_info:enable_snat
rule:admin_only
POST /routers
project
Specify enable_snat in external_gateway_info information when creating a router
create_router:external_gateway_info:external_fixed_ips
rule:admin_only
POST /routers
project
Specify external_fixed_ips in external_gateway_info information when creating a router
get_router
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
GET /routers
GET /routers/{id}
project
Get a router
get_router:distributed
rule:admin_only
GET /routers
GET /routers/{id}
project
Get distributed attribute of a router
get_router:ha
rule:admin_only
GET /routers
GET /routers/{id}
project
Get ha attribute of a router
update_router
(rule:admin_only) or (role:member and project_id:%(project_id)s)
PUT /routers/{id}
project
Update a router
update_router:distributed
rule:admin_only
PUT /routers/{id}
project
Update distributed attribute of a router
update_router:ha
rule:admin_only
PUT /routers/{id}
project
Update ha attribute of a router
update_router:external_gateway_info
(rule:admin_only) or (role:member and project_id:%(project_id)s)
PUT /routers/{id}
project
Update external_gateway_info information of a router
update_router:external_gateway_info:network_id
(rule:admin_only) or (role:member and project_id:%(project_id)s)
PUT /routers/{id}
project
Update network_id attribute of external_gateway_info information of a router
update_router:external_gateway_info:enable_snat
rule:admin_only
PUT /routers/{id}
project
Update enable_snat attribute of external_gateway_info information of a router
update_router:external_gateway_info:external_fixed_ips
rule:admin_only
PUT /routers/{id}
project
Update external_fixed_ips attribute of external_gateway_info information of a router
delete_router
(rule:admin_only) or (role:member and project_id:%(project_id)s)
DELETE /routers/{id}
project
Delete a router
add_router_interface
(rule:admin_only) or (role:member and project_id:%(project_id)s)
PUT /routers/{id}/add_router_interface
project
Add an interface to a router
remove_router_interface
(rule:admin_only) or (role:member and project_id:%(project_id)s)
PUT /routers/{id}/remove_router_interface
project
Remove an interface from a router
add_extraroutes
(rule:admin_only) or (role:member and project_id:%(project_id)s)
PUT /routers/{id}/add_extraroutes
project
Add extra route to a router
remove_extraroutes
(rule:admin_only) or (role:member and project_id:%(project_id)s)
PUT /routers/{id}/remove_extraroutes
project
Remove extra route from a router
admin_or_sg_owner
rule:context_is_admin or tenant_id:%(security_group:tenant_id)s
Rule for admin or security group owner access
admin_owner_or_sg_owner
rule:owner or rule:admin_or_sg_owner
Rule for resource owner, admin or security group owner access
shared_security_group
field:security_groups:shared=True
Definition of a shared security group
create_security_group
(rule:admin_only) or (role:member and project_id:%(project_id)s)
POST /security-groups
project
Create a security group
get_security_group
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_security_group
GET /security-groups
GET /security-groups/{id}
project
Get a security group
update_security_group
(rule:admin_only) or (role:member and project_id:%(project_id)s)
PUT /security-groups/{id}
project
Update a security group
delete_security_group
(rule:admin_only) or (role:member and project_id:%(project_id)s)
DELETE /security-groups/{id}
project
Delete a security group
create_security_group_rule
(rule:admin_only) or (role:member and project_id:%(project_id)s)
POST /security-group-rules
project
Create a security group rule
get_security_group_rule
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:sg_owner
GET /security-group-rules
GET /security-group-rules/{id}
project
Get a security group rule
delete_security_group_rule
(rule:admin_only) or (role:member and project_id:%(project_id)s)
DELETE /security-group-rules/{id}
project
Delete a security group rule
create_segment
rule:admin_only
POST /segments
project
Create a segment
get_segment
rule:admin_only
GET /segments
GET /segments/{id}
project
Get a segment
update_segment
rule:admin_only
PUT /segments/{id}
project
Update a segment
delete_segment
rule:admin_only
DELETE /segments/{id}
project
Delete a segment
get_service_provider
role:reader
GET /service-providers
project
Get service providers
create_subnet
rule:admin_only or role:member and rule:network_owner
POST /subnets
project
Create a subnet
create_subnet:segment_id
rule:admin_only
POST /subnets
project
Specify segment_id attribute when creating a subnet
create_subnet:service_types
rule:admin_only
POST /subnets
project
Specify service_types attribute when creating a subnet
get_subnet
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared
GET /subnets
GET /subnets/{id}
project
Get a subnet
get_subnet:segment_id
rule:admin_only
GET /subnets
GET /subnets/{id}
project
Get segment_id attribute of a subnet
update_subnet
(rule:admin_only) or (role:member and project_id:%(project_id)s) or role:member and rule:network_owner
PUT /subnets/{id}
project
Update a subnet
update_subnet:segment_id
rule:admin_only
PUT /subnets/{id}
project
Update segment_id attribute of a subnet
update_subnet:service_types
rule:admin_only
PUT /subnets/{id}
project
Update service_types attribute of a subnet
delete_subnet
(rule:admin_only) or (role:member and project_id:%(project_id)s) or role:member and rule:network_owner
DELETE /subnets/{id}
project
Delete a subnet
shared_subnetpools
field:subnetpools:shared=True
Definition of a shared subnetpool
create_subnetpool
(rule:admin_only) or (role:member and project_id:%(project_id)s)
POST /subnetpools
project
Create a subnetpool
create_subnetpool:shared
rule:admin_only
POST /subnetpools
project
Create a shared subnetpool
create_subnetpool:is_default
rule:admin_only
POST /subnetpools
project
Specify is_default attribute when creating a subnetpool
get_subnetpool
(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools
GET /subnetpools
GET /subnetpools/{id}
project
Get a subnetpool
update_subnetpool
(rule:admin_only) or (role:member and project_id:%(project_id)s)
PUT /subnetpools/{id}
project
Update a subnetpool
update_subnetpool:is_default
rule:admin_only
PUT /subnetpools/{id}
project
Update is_default attribute of a subnetpool
delete_subnetpool
(rule:admin_only) or (role:member and project_id:%(project_id)s)
DELETE /subnetpools/{id}
project
Delete a subnetpool
onboard_network_subnets
(rule:admin_only) or (role:member and project_id:%(project_id)s)
PUT /subnetpools/{id}/onboard_network_subnets
project
Onboard existing subnet into a subnetpool
add_prefixes
(rule:admin_only) or (role:member and project_id:%(project_id)s)
PUT /subnetpools/{id}/add_prefixes
project
Add prefixes to a subnetpool
remove_prefixes
(rule:admin_only) or (role:member and project_id:%(project_id)s)
PUT /subnetpools/{id}/remove_prefixes
project
Remove unallocated prefixes from a subnetpool
create_trunk
(rule:admin_only) or (role:member and project_id:%(project_id)s)
POST /trunks
project
Create a trunk
get_trunk
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
GET /trunks
GET /trunks/{id}
project
Get a trunk
update_trunk
(rule:admin_only) or (role:member and project_id:%(project_id)s)
PUT /trunks/{id}
project
Update a trunk
delete_trunk
(rule:admin_only) or (role:member and project_id:%(project_id)s)
DELETE /trunks/{id}
project
Delete a trunk
get_subports
(rule:admin_only) or (role:reader and project_id:%(project_id)s)
GET /trunks/{id}/get_subports
project
List subports attached to a trunk
add_subports
(rule:admin_only) or (role:member and project_id:%(project_id)s)
PUT /trunks/{id}/add_subports
project
Add subports to a trunk
remove_subports
(rule:admin_only) or (role:member and project_id:%(project_id)s)
PUT /trunks/{id}/remove_subports
project
Delete subports from a trunk
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License.