policy.yaml

updated: 2024-06-21 08:38

The following policies are shipped by default. Glance will assume a policy’s default value if it’s not explicitly overridden in the policy file.

policy.yaml¶

glance¶

default

Default:: <empty string>

Defines the default rule used for policies that historically had an empty policy in the supplied policy.json file.

context_is_admin

Default:: role:admin

Defines the rule for the is_admin:True check.

add_image

Default:

role:admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)

Operations:

POST /v2/images

Scope Types:

project

Create new image

delete_image

Default:

role:admin or (role:member and project_id:%(project_id)s)

Operations:

DELETE /v2/images/{image_id}

Scope Types:

project

Deletes the image

get_image

Default:

role:admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))

Operations:

GET /v2/images/{image_id}

Scope Types:

project

Get specified image

get_images

Default:

role:admin or (role:reader and project_id:%(project_id)s)

Operations:

GET /v2/images

Scope Types:

project

Get all available images

modify_image

Default:

role:admin or (role:member and project_id:%(project_id)s)

Operations:

PATCH /v2/images/{image_id}

Scope Types:

project

Updates given image

publicize_image

Default:

role:admin

Operations:

PATCH /v2/images/{image_id}

Scope Types:

project

Publicize given image

communitize_image

Default:

role:admin or (role:member and project_id:%(project_id)s)

Operations:

PATCH /v2/images/{image_id}

Scope Types:

project

Communitize given image

download_image

Default:

role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))

Operations:

GET /v2/images/{image_id}/file

Scope Types:

project

Downloads given image

upload_image

Default:

role:admin or (role:member and project_id:%(project_id)s)

Operations:

PUT /v2/images/{image_id}/file

Scope Types:

project

Uploads data to specified image

delete_image_location

Default:

role:admin

Operations:

PATCH /v2/images/{image_id}

Scope Types:

project

Deletes the location of given image

get_image_location

Default:

role:admin or (role:reader and project_id:%(project_id)s)

Operations:

GET /v2/images/{image_id}

Scope Types:

project

Reads the location of the image

set_image_location

Default:

role:admin or (role:member and project_id:%(project_id)s)

Operations:

PATCH /v2/images/{image_id}

Scope Types:

project

Sets location URI to given image

add_member

Default:

role:admin or (role:member and project_id:%(project_id)s)

Operations:

POST /v2/images/{image_id}/members

Scope Types:

project

Create image member

delete_member

Default:

role:admin or (role:member and project_id:%(project_id)s)

Operations:

DELETE /v2/images/{image_id}/members/{member_id}

Scope Types:

project

Delete image member

get_member

Default:

role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)

Operations:

GET /v2/images/{image_id}/members/{member_id}

Scope Types:

project

Show image member details

get_members

Default:

role:admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)

Operations:

GET /v2/images/{image_id}/members

Scope Types:

project

List image members

modify_member

Default:

role:admin or (role:member and project_id:%(member_id)s)

Operations:

PUT /v2/images/{image_id}/members/{member_id}

Scope Types:

project

Update image member

manage_image_cache

Default:

role:admin

Scope Types:

project

Manage image cache

deactivate

Default:

role:admin or (role:member and project_id:%(project_id)s)

Operations:

POST /v2/images/{image_id}/actions/deactivate

Scope Types:

project

Deactivate image

reactivate

Default:

role:admin or (role:member and project_id:%(project_id)s)

Operations:

POST /v2/images/{image_id}/actions/reactivate

Scope Types:

project

Reactivate image

copy_image

Default:

role:admin

Operations:

POST /v2/images/{image_id}/import

Scope Types:

project

Copy existing image to other stores

get_task

Default:

rule:default

Operations:

GET /v2/tasks/{task_id}

Scope Types:

project

Get an image task.

This granular policy controls access to tasks, both from the tasks API as well as internal locations in Glance that use tasks (like import). Practically this cannot be more restrictive than the policy that controls import or things will break, and changing it from the default is almost certainly not what you want. Access to the external tasks API should be restricted as desired by the tasks_api_access policy. This may change in the future.

get_tasks

Default:

rule:default

Operations:

GET /v2/tasks

Scope Types:

project

List tasks for all images.

add_task

Default:

rule:default

Operations:

POST /v2/tasks

Scope Types:

project

List tasks for all images.

modify_task

Default:

rule:default

Operations:

DELETE /v2/tasks/{task_id}

Scope Types:

project

This policy is not used.

tasks_api_access

Default:

role:admin

Operations:

GET /v2/tasks/{task_id}
GET /v2/tasks
POST /v2/tasks
DELETE /v2/tasks/{task_id}

Scope Types:

project

This is a generic blanket policy for protecting all task APIs. It is not granular and will not allow you to separate writable and readable task operations into different roles.

metadef_default

Default:: <empty string>

(no description provided)

metadef_admin

Default:: role:admin

(no description provided)

get_metadef_namespace

Default:

role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))

Operations:

GET /v2/metadefs/namespaces/{namespace_name}

Scope Types:

project

Get a specific namespace.

get_metadef_namespaces

Default:

role:admin or (role:reader and project_id:%(project_id)s)

Operations:

GET /v2/metadefs/namespaces

Scope Types:

project

List namespace.

modify_metadef_namespace

Default:

rule:metadef_admin

Operations:

PUT /v2/metadefs/namespaces/{namespace_name}

Scope Types:

project

Modify an existing namespace.

add_metadef_namespace

Default:

rule:metadef_admin

Operations:

POST /v2/metadefs/namespaces

Scope Types:

project

Create a namespace.

delete_metadef_namespace

Default:

rule:metadef_admin

Operations:

DELETE /v2/metadefs/namespaces/{namespace_name}

Scope Types:

project

Delete a namespace.

get_metadef_object

Default:

role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))

Operations:

GET /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}

Scope Types:

project

Get a specific object from a namespace.

get_metadef_objects

Default:

role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))

Operations:

GET /v2/metadefs/namespaces/{namespace_name}/objects

Scope Types:

project

Get objects from a namespace.

modify_metadef_object

Default:

rule:metadef_admin

Operations:

PUT /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}

Scope Types:

project

Update an object within a namespace.

add_metadef_object

Default:

rule:metadef_admin

Operations:

POST /v2/metadefs/namespaces/{namespace_name}/objects

Scope Types:

project

Create an object within a namespace.

delete_metadef_object

Default:

rule:metadef_admin

Operations:

DELETE /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}

Scope Types:

project

Delete an object within a namespace.

list_metadef_resource_types

Default:

role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))

Operations:

GET /v2/metadefs/resource_types

Scope Types:

project

List meta definition resource types.

get_metadef_resource_type

Default:

role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))

Operations:

GET /v2/metadefs/namespaces/{namespace_name}/resource_types

Scope Types:

project

Get meta definition resource types associations.

add_metadef_resource_type_association

Default:

rule:metadef_admin

Operations:

POST /v2/metadefs/namespaces/{namespace_name}/resource_types

Scope Types:

project

Create meta definition resource types association.

remove_metadef_resource_type_association

Default:

rule:metadef_admin

Operations:

POST /v2/metadefs/namespaces/{namespace_name}/resource_types/{name}

Scope Types:

project

Delete meta definition resource types association.

get_metadef_property

Default:

role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))

Operations:

GET /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}

Scope Types:

project

Get a specific meta definition property.

get_metadef_properties

Default:

role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))

Operations:

GET /v2/metadefs/namespaces/{namespace_name}/properties

Scope Types:

project

List meta definition properties.

modify_metadef_property

Default:

rule:metadef_admin

Operations:

GET /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}

Scope Types:

project

Update meta definition property.

add_metadef_property

Default:

rule:metadef_admin

Operations:

POST /v2/metadefs/namespaces/{namespace_name}/properties

Scope Types:

project

Create meta definition property.

remove_metadef_property

Default:

rule:metadef_admin

Operations:

DELETE /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}

Scope Types:

project

Delete meta definition property.

get_metadef_tag

Default:

role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))

Operations:

GET /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}

Scope Types:

project

Get tag definition.

get_metadef_tags

Default:

role:admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))

Operations:

GET /v2/metadefs/namespaces/{namespace_name}/tags

Scope Types:

project

List tag definitions.

modify_metadef_tag

Default:

rule:metadef_admin

Operations:

PUT /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}

Scope Types:

project

Update tag definition.

add_metadef_tag

Default:

rule:metadef_admin

Operations:

POST /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}

Scope Types:

project

Add tag definition.

add_metadef_tags

Default:

rule:metadef_admin

Operations:

POST /v2/metadefs/namespaces/{namespace_name}/tags

Scope Types:

project

Create tag definitions.

delete_metadef_tag

Default:

rule:metadef_admin

Operations:

DELETE /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}

Scope Types:

project

Delete tag definition.

delete_metadef_tags

Default:

rule:metadef_admin

Operations:

DELETE /v2/metadefs/namespaces/{namespace_name}/tags

Scope Types:

project

Delete tag definitions.

cache_image

Default:

role:admin

Operations:

PUT /v2/cache/{image_id}

Scope Types:

project

Queue image for caching

cache_list

Default:

role:admin

Operations:

GET /v2/cache

Scope Types:

project

List cache status

cache_delete

Default:

role:admin

Operations:

DELETE /v2/cache
DELETE /v2/cache/{image_id}

Scope Types:

project

Delete image(s) from cache and/or queue

stores_info_detail

Default:

role:admin

Operations:

GET /v2/info/stores/detail

Scope Types:

project

Expose store specific information

updated: 2024-06-21 08:38

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.

policy.yaml

policy.yaml¶

glance¶

glance

Page Contents