The following is an overview of all available policies in Nova.
Warning
The JSON-formatted policy file is deprecated since Nova 22.0.0 (Victoria). Use a YAML-formatted file instead. Use the oslopolicy-convert-json-to-yaml tool to convert an existing JSON policy file to a YAML-formatted policy file in a backward-compatible way.
For a sample configuration file, refer to Sample Nova Policy File.
context_is_admin
Default: role:admin
Decides what is required for the ‘is_admin:True’ check to succeed.
admin_or_owner
Default: is_admin:True or project_id:%(project_id)s
Default rule for most non-Admin APIs.
admin_api
Default: is_admin:True
Default rule for most Admin APIs.
system_admin_api
Default: role:admin and system_scope:all
Default rule for System Admin APIs.
system_reader_api
Default: role:reader and system_scope:all
Default rule for System level read only APIs.
project_admin_api
Default: role:admin and project_id:%(project_id)s
Default rule for Project level admin APIs.
project_member_api
Default: role:member and project_id:%(project_id)s
Default rule for Project level non admin APIs.
project_reader_api
Default: role:reader and project_id:%(project_id)s
Default rule for Project level read only APIs.
system_admin_or_owner
Default: rule:system_admin_api or rule:project_member_api
Default rule for System admin+owner APIs.
system_or_project_reader
Default: rule:system_reader_api or rule:project_reader_api
Default rule for System+Project read only APIs.
os_compute_api:os-admin-actions:reset_state
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Reset the state of a given server
os_compute_api:os-admin-actions:inject_network_info
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Inject network information into the server
os_compute_api:os-admin-actions:reset_network
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Reset networking on a server
os_compute_api:os-admin-password
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Change the administrative password for a server
os_compute_api:os-agents:list
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List guest agent builds.
This is XenAPI driver specific. It is used to force the upgrade of the XenAPI guest agent on instance boot.
os_compute_api:os-agents:create
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create guest agent builds.
This is XenAPI driver specific. It is used to force the upgrade of the XenAPI guest agent on instance boot.
os_compute_api:os-agents:update
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Update guest agent builds.
This is XenAPI driver specific. It is used to force the upgrade of the XenAPI guest agent on instance boot.
os_compute_api:os-agents:delete
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Delete guest agent builds.
This is XenAPI driver specific. It is used to force the upgrade of the XenAPI guest agent on instance boot.
os_compute_api:os-aggregates:set_metadata
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create or replace metadata for an aggregate
os_compute_api:os-aggregates:add_host
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Add a host to an aggregate
os_compute_api:os-aggregates:create
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create an aggregate
os_compute_api:os-aggregates:remove_host
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Remove a host from an aggregate
os_compute_api:os-aggregates:update
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Update name and/or availability zone for an aggregate
os_compute_api:os-aggregates:index
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List all aggregates
os_compute_api:os-aggregates:delete
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Delete an aggregate
os_compute_api:os-aggregates:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show details for an aggregate
compute:aggregates:images
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Request image caching for an aggregate
os_compute_api:os-assisted-volume-snapshots:create
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create an assisted volume snapshot
os_compute_api:os-assisted-volume-snapshots:delete
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Delete an assisted volume snapshot
os_compute_api:os-attach-interfaces:list
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List port interfaces attached to a server
os_compute_api:os-attach-interfaces:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show details of a port interface attached to a server
os_compute_api:os-attach-interfaces:create
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Attach an interface to a server
os_compute_api:os-attach-interfaces:delete
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Detach an interface from a server
os_compute_api:os-availability-zone:list
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List availability zone information without host information
os_compute_api:os-availability-zone:detail
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List detailed availability zone information with host information
os_compute_api:os-baremetal-nodes:list
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List and show details of bare metal nodes.
These APIs are proxy calls to the Ironic service and are deprecated.
os_compute_api:os-baremetal-nodes:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show action details for a server.
os_compute_api:os-console-auth-tokens
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show console connection information for a given console authentication token
os_compute_api:os-console-output
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show console output for a server
os_compute_api:os-create-backup
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create a backup of a server
os_compute_api:os-deferred-delete:restore
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Restore a soft deleted server
os_compute_api:os-deferred-delete:force
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Force delete a server before deferred cleanup
os_compute_api:os-evacuate
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Evacuate a server from a failed host to a new host
os_compute_api:os-extended-server-attributes
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Return extended attributes for server.
This rule controls the visibility of a set of server attributes:
OS-EXT-SRV-ATTR:host
OS-EXT-SRV-ATTR:instance_name
OS-EXT-SRV-ATTR:reservation_id (since microversion 2.3)
OS-EXT-SRV-ATTR:launch_index (since microversion 2.3)
OS-EXT-SRV-ATTR:hostname (since microversion 2.3)
OS-EXT-SRV-ATTR:kernel_id (since microversion 2.3)
OS-EXT-SRV-ATTR:ramdisk_id (since microversion 2.3)
OS-EXT-SRV-ATTR:root_device_name (since microversion 2.3)
OS-EXT-SRV-ATTR:user_data (since microversion 2.3)
Microversion 2.75 added the above attributes in the PUT /servers/{server_id} and POST /servers/{server_id}/action (rebuild) API responses which are also controlled by this policy rule, like the GET /servers* APIs.
os_compute_api:extensions
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List available extensions and show information for an extension by alias
os_compute_api:os-flavor-access:add_tenant_access
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Add flavor access to a tenant
os_compute_api:os-flavor-access:remove_tenant_access
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Remove flavor access from a tenant
os_compute_api:os-flavor-access
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List flavor access information
Allows access to the full list of tenants that have access to a flavor via an os-flavor-access API.
os_compute_api:os-flavor-extra-specs:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show an extra spec for a flavor
os_compute_api:os-flavor-extra-specs:create
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create extra specs for a flavor
os_compute_api:os-flavor-extra-specs:update
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Update an extra spec for a flavor
os_compute_api:os-flavor-extra-specs:delete
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Delete an extra spec for a flavor
os_compute_api:os-flavor-extra-specs:index
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List extra specs for a flavor. Starting with microversion 2.47, the flavor used for a server is also returned in the response when showing server details, updating a server or rebuilding a server. Starting with microversion 2.61, extra specs may be returned in responses for the flavor resource.
os_compute_api:os-flavor-manage:create
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create a flavor
os_compute_api:os-flavor-manage:update
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Update a flavor
os_compute_api:os-flavor-manage:delete
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Delete a flavor
os_compute_api:os-floating-ip-pools
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List floating IP pools. This API is deprecated.
os_compute_api:os-floating-ips:add
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Associate floating IPs to server. This API is deprecated.
os_compute_api:os-floating-ips:remove
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Disassociate floating IPs from server. This API is deprecated.
os_compute_api:os-floating-ips:list
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List floating IPs. This API is deprecated.
os_compute_api:os-floating-ips:create
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create floating IPs. This API is deprecated.
os_compute_api:os-floating-ips:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show floating IPs. This API is deprecated.
os_compute_api:os-floating-ips:delete
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Delete floating IPs. This API is deprecated.
os_compute_api:os-hosts:list
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List physical hosts.
This API is deprecated in favor of os-hypervisors and os-services.
os_compute_api:os-hosts:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show physical host.
This API is deprecated in favor of os-hypervisors and os-services.
os_compute_api:os-hosts:update
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Update physical host.
This API is deprecated in favor of os-hypervisors and os-services.
os_compute_api:os-hosts:reboot
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Reboot physical host.
This API is deprecated in favor of os-hypervisors and os-services.
os_compute_api:os-hosts:shutdown
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Shutdown physical host.
This API is deprecated in favor of os-hypervisors and os-services.
os_compute_api:os-hosts:start
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Start physical host.
This API is deprecated in favor of os-hypervisors and os-services.
os_compute_api:os-hypervisors:list
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List all hypervisors.
os_compute_api:os-hypervisors:list-detail
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List all hypervisors with details
os_compute_api:os-hypervisors:statistics
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show summary statistics for all hypervisors over all compute nodes.
os_compute_api:os-hypervisors:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show details for a hypervisor.
os_compute_api:os-hypervisors:uptime
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show the uptime of a hypervisor.
os_compute_api:os-hypervisors:search
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Search hypervisor by hypervisor_hostname pattern.
os_compute_api:os-hypervisors:servers
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List all servers on hypervisors that can match the provided hypervisor_hostname pattern.
os_compute_api:os-instance-actions:events:details
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Add “details” key in action events for a server.
This check is performed only after the check os_compute_api:os-instance-actions:show passes. Beginning with Microversion 2.84, a new field ‘details’ is exposed via the API, which can have more details about event failure. That field is controlled by this policy, which is system reader by default. Making the ‘details’ field visible to the non-admin user helps to understand the nature of the problem (i.e. if the action can be retried), but on the other hand it might leak information about the deployment (e.g. the type of the hypervisor).
os_compute_api:os-instance-actions:events
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Add events details in action details for a server. This check is performed only after the check os_compute_api:os-instance-actions:show passes. Beginning with Microversion 2.51, events details are always included; traceback information is provided per event if policy enforcement passes. Beginning with Microversion 2.62, each event includes a hashed host identifier and, if policy enforcement passes, the name of the host.
os_compute_api:os-instance-actions:list
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List actions for a server.
os_compute_api:os-instance-actions:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show action details for a server.
os_compute_api:os-instance-usage-audit-log:list
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List all usage audits.
os_compute_api:os-instance-usage-audit-log:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List all usage audits that occurred before a specified time for all servers on all compute hosts where usage auditing is configured
os_compute_api:ips:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show IP addresses details for a network label of a server
os_compute_api:ips:index
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List IP addresses that are assigned to a server
os_compute_api:os-keypairs:index
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List all keypairs
os_compute_api:os-keypairs:create
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create a keypair
os_compute_api:os-keypairs:delete
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Delete a keypair
os_compute_api:os-keypairs:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show details of a keypair
os_compute_api:limits
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show rate and absolute limits for the current user project
os_compute_api:limits:other_project
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show rate and absolute limits of other project.
This policy only checks if the user has access to the requested project limits. This check is performed only after the check os_compute_api:limits passes.
os_compute_api:os-lock-server:lock
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Lock a server
os_compute_api:os-lock-server:unlock
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Unlock a server
os_compute_api:os-lock-server:unlock:unlock_override
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Unlock a server, regardless of who locked the server.
This check is performed only after the check os_compute_api:os-lock-server:unlock passes.
os_compute_api:os-migrate-server:migrate
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Cold migrate a server to a host
os_compute_api:os-migrate-server:migrate_live
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Live migrate a server to a new host without a reboot
os_compute_api:os-migrations:index
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List migrations
os_compute_api:os-multinic:add
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Add a fixed IP address to a server.
This API is a proxy call to the Network service. It is deprecated.
os_compute_api:os-multinic:remove
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Remove a fixed IP address from a server.
This API is a proxy call to the Network service. It is deprecated.
os_compute_api:os-networks:list
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List networks for the project.
This API is a proxy call to the Network service. It is deprecated.
os_compute_api:os-networks:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show network details.
This API is a proxy call to the Network service. It is deprecated.
os_compute_api:os-pause-server:pause
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Pause a server
os_compute_api:os-pause-server:unpause
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Unpause a paused server
os_compute_api:os-quota-class-sets:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List quotas for specific quota class
os_compute_api:os-quota-class-sets:update
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Update quotas for specific quota class
os_compute_api:os-quota-sets:update
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Update the quotas
os_compute_api:os-quota-sets:defaults
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List default quotas
os_compute_api:os-quota-sets:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show a quota
os_compute_api:os-quota-sets:delete
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Revert quotas to defaults
os_compute_api:os-quota-sets:detail
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show the detail of quota
os_compute_api:os-remote-consoles
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Generate a URL to access remote server console.
This policy is for the POST /remote-consoles API and the Server actions APIs below, which are deprecated:
os-getRDPConsole
os-getSerialConsole
os-getSPICEConsole
os-getVNCConsole
os_compute_api:os-rescue
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Rescue a server
os_compute_api:os-unrescue
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Unrescue a server
os_compute_api:os-security-groups:get
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List security groups. This API is deprecated.
os_compute_api:os-security-groups:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show security group. This API is deprecated.
os_compute_api:os-security-groups:create
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create security group. This API is deprecated.
os_compute_api:os-security-groups:update
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Update security group. This API is deprecated.
os_compute_api:os-security-groups:delete
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Delete security group. This API is deprecated.
os_compute_api:os-security-groups:rule:create
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create security group Rule. This API is deprecated.
os_compute_api:os-security-groups:rule:delete
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Delete security group Rule. This API is deprecated.
os_compute_api:os-security-groups:list
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List security groups of server.
os_compute_api:os-security-groups:add
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Add security groups to server.
os_compute_api:os-security-groups:remove
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Remove security groups from server.
os_compute_api:os-server-diagnostics
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show the usage data for a server
os_compute_api:os-server-external-events:create
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create one or more external events
os_compute_api:os-server-groups:create
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create a new server group
os_compute_api:os-server-groups:delete
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Delete a server group
os_compute_api:os-server-groups:index
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List all server groups
os_compute_api:os-server-groups:index:all_projects
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List all server groups for all projects
os_compute_api:os-server-groups:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show details of a server group
os_compute_api:server-metadata:index
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List all metadata of a server
os_compute_api:server-metadata:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show metadata for a server
os_compute_api:server-metadata:create
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create metadata for a server
os_compute_api:server-metadata:update_all
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Replace metadata for a server
os_compute_api:server-metadata:update
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Update metadata from a server
os_compute_api:server-metadata:delete
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Delete metadata from a server
os_compute_api:os-server-password:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show the encrypted administrative password of a server
os_compute_api:os-server-password:clear
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Clear the encrypted administrative password of a server
os_compute_api:os-server-tags:delete_all
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Delete all the server tags
os_compute_api:os-server-tags:index
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List all tags for given server
os_compute_api:os-server-tags:update_all
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Replace all tags on specified server with the new set of tags.
os_compute_api:os-server-tags:delete
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Delete a single tag from the specified server
os_compute_api:os-server-tags:update
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Add a single tag to the server if server has no specified tag
os_compute_api:os-server-tags:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Check tag existence on the server.
compute:server:topology:index
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show the NUMA topology data for a server
compute:server:topology:host:index
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show the NUMA topology data for a server with host NUMA ID and CPU pinning information
os_compute_api:servers:index
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List all servers
os_compute_api:servers:detail
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List all servers with detailed information
os_compute_api:servers:index:get_all_tenants
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List all servers for all projects
os_compute_api:servers:detail:get_all_tenants
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List all servers with detailed information for all projects
os_compute_api:servers:allow_all_filters
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Allow all filters when listing servers
os_compute_api:servers:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show a server
os_compute_api:servers:show:host_status
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show a server with additional host status information.
This means host_status will be shown irrespective of status value. If showing only host_status UNKNOWN is desired, use the os_compute_api:servers:show:host_status:unknown-only policy rule.
Microversion 2.75 added the host_status attribute in the PUT /servers/{server_id} and POST /servers/{server_id}/action (rebuild) API responses which are also controlled by this policy rule, like the GET /servers* APIs.
os_compute_api:servers:show:host_status:unknown-only
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show a server with additional host status information, only if host status is UNKNOWN.
This policy rule will only be enforced when the os_compute_api:servers:show:host_status policy rule does not pass for the request. An example policy configuration could be where the os_compute_api:servers:show:host_status rule is set to allow admin-only and the os_compute_api:servers:show:host_status:unknown-only rule is set to allow everyone.
os_compute_api:servers:create
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create a server
os_compute_api:servers:create:forced_host
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create a server on the specified host and/or node.
In this case, the server is forced to launch on the specified host and/or node by bypassing the scheduler filters, unlike the compute:servers:create:requested_destination rule.
compute:servers:create:requested_destination
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create a server on the requested compute service host and/or hypervisor_hostname.
In this case, the requested host and/or hypervisor_hostname is validated by the scheduler filters, unlike the os_compute_api:servers:create:forced_host rule.
os_compute_api:servers:create:attach_volume
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create a server with the requested volume attached to it
os_compute_api:servers:create:attach_network
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create a server with the requested network attached to it
os_compute_api:servers:create:trusted_certs
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create a server with trusted image certificate IDs
os_compute_api:servers:create:zero_disk_flavor
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
This rule controls the compute API validation behavior of creating a server with a flavor that has 0 disk, indicating the server should be volume-backed.
For a flavor with disk=0, the root disk will be set to exactly the size of the image used to deploy the instance. However, in this case the filter_scheduler cannot select the compute host based on the virtual image size. Therefore, 0 should only be used for volume booted instances or for testing purposes.
WARNING: It is a potential security exposure to enable this policy rule if users can upload their own images since repeated attempts to create a disk=0 flavor instance with a large image can exhaust the local disk of the compute (or shared storage cluster). See bug https://bugs.launchpad.net/nova/+bug/1739646 for details.
network:attach_external_network
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Attach an unshared external network to a server
os_compute_api:servers:delete
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Delete a server
os_compute_api:servers:update
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Update a server
os_compute_api:servers:confirm_resize
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Confirm a server resize
os_compute_api:servers:revert_resize
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Revert a server resize
os_compute_api:servers:reboot
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Reboot a server
os_compute_api:servers:resize
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Resize a server
compute:servers:resize:cross_cell
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Resize a server across cells. By default, this is disabled for all users and recommended to be tested in a deployment for admin users before opening it up to non-admin users. Resizing within a cell is the default preferred behavior even if this is enabled.
os_compute_api:servers:rebuild
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Rebuild a server
os_compute_api:servers:rebuild:trusted_certs
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Rebuild a server with trusted image certificate IDs
os_compute_api:servers:create_image
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create an image from a server
os_compute_api:servers:create_image:allow_volume_backed
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create an image from a volume backed server
os_compute_api:servers:start
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Start a server
os_compute_api:servers:stop
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Stop a server
os_compute_api:servers:trigger_crash_dump
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Trigger crash dump in a server
os_compute_api:servers:migrations:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show details for an in-progress live migration for a given server
os_compute_api:servers:migrations:force_complete
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Force an in-progress live migration for a given server to complete
os_compute_api:servers:migrations:delete
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Delete (Abort) an in-progress live migration
os_compute_api:servers:migrations:index
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Lists in-progress live migrations for a given server
os_compute_api:os-services:list
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List all running Compute services in a region.
os_compute_api:os-services:update
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Update a Compute service.
os_compute_api:os-services:delete
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Delete a Compute service.
os_compute_api:os-shelve:shelve
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Shelve server
os_compute_api:os-shelve:unshelve
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Unshelve (restore) shelved server
os_compute_api:os-shelve:shelve_offload
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Shelf-offload (remove) server
os_compute_api:os-simple-tenant-usage:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show usage statistics for a specific tenant
os_compute_api:os-simple-tenant-usage:list
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List per tenant usage statistics for all tenants
os_compute_api:os-suspend-server:resume
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Resume suspended server
os_compute_api:os-suspend-server:suspend
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Suspend server
os_compute_api:os-tenant-networks:list
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List project networks.
This API is a proxy call to the Network service. It is deprecated.
os_compute_api:os-tenant-networks:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show project network details.
This API is a proxy call to the Network service. It is deprecated.
os_compute_api:os-volumes:list
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List volumes.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:create
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create volume.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:detail
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List volumes detail.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show volume.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:delete
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Delete volume.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:snapshots:list
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List snapshots.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:snapshots:create
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Create snapshots.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:snapshots:detail
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List snapshots details.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:snapshots:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show snapshot.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes:snapshots:delete
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Delete snapshot.
This API is a proxy call to the Volume service. It is deprecated.
os_compute_api:os-volumes-attachments:index
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
List volume attachments for an instance
os_compute_api:os-volumes-attachments:create
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Attach a volume to an instance
os_compute_api:os-volumes-attachments:show
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Show details of a volume attachment
os_compute_api:os-volumes-attachments:update
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Update a volume attachment. For a ‘swap + update’ request (which is possible only >2.85), only <swap policy> is checked. We expect <swap policy> to always be a superset of this policy's permission.
os_compute_api:os-volumes-attachments:swap
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Update a volume attachment with a different volumeId
os_compute_api:os-volumes-attachments:delete
Default: |
|
---|---|
Operations: |
|
Scope Types: |
|
Detach a volume from an instance
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.