The following policies are shipped by default. Glance will assume a policy’s default value if it’s not explicitly overridden in the policy file.

policy.yaml

glance

default
Default:

<empty string>

Defines the default rule used for policies that historically had an empty policy in the supplied policy.json file.

context_is_admin
Default:

role:admin

Defines the rule for the is_admin:True check.

service_api
Default:

role:service

Default rule for the service-to-service API.

add_image
Default:

rule:context_is_admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)

Operations:

  • POST /v2/images

Scope Types:

  • project

Create new image

delete_image
Default:

rule:context_is_admin or (role:member and project_id:%(project_id)s)

Operations:

  • DELETE /v2/images/{image_id}

Scope Types:

  • project

Deletes the image

get_image
Default:

rule:context_is_admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))

Operations:

  • GET /v2/images/{image_id}

Scope Types:

  • project

Get specified image

get_images
Default:

rule:context_is_admin or (role:reader and project_id:%(project_id)s)

Operations:

  • GET /v2/images

Scope Types:

  • project

Get all available images

modify_image
Default:

rule:context_is_admin or (role:member and project_id:%(project_id)s)

Operations:

  • PATCH /v2/images/{image_id}

Scope Types:

  • project

Updates given image

publicize_image
Default:

rule:context_is_admin

Operations:

  • PATCH /v2/images/{image_id}

Scope Types:

  • project

Publicize given image

communitize_image
Default:

rule:context_is_admin or (role:member and project_id:%(project_id)s)

Operations:

  • PATCH /v2/images/{image_id}

Scope Types:

  • project

Communitize given image

download_image
Default:

rule:context_is_admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))

Operations:

  • GET /v2/images/{image_id}/file

Scope Types:

  • project

Downloads given image

upload_image
Default:

rule:context_is_admin or (role:member and project_id:%(project_id)s)

Operations:

  • PUT /v2/images/{image_id}/file

Scope Types:

  • project

Uploads data to specified image

delete_image_location
Default:

rule:context_is_admin

Operations:

  • PATCH /v2/images/{image_id}

Scope Types:

  • project

Deletes the location of given image

get_image_location
Default:

rule:context_is_admin or (role:reader and project_id:%(project_id)s)

Operations:

  • GET /v2/images/{image_id}

Scope Types:

  • project

Reads the location of the image

set_image_location
Default:

rule:context_is_admin or (role:member and project_id:%(project_id)s)

Operations:

  • PATCH /v2/images/{image_id}

Scope Types:

  • project

Sets location URI to given image

add_image_location
Default:

rule:service_api or (role:member and project_id:%(project_id)s and project_id:%(owner)s)

Operations:

  • POST /v2/images/{image_id}/locations

Scope Types:

  • project

Add location URI to given image

fetch_image_location
Default:

rule:service_api

Operations:

  • GET /v2/images/{image_id}/locations

Scope Types:

  • project

Show all locations associated to given image

add_member
Default:

rule:context_is_admin or (role:member and project_id:%(project_id)s)

Operations:

  • POST /v2/images/{image_id}/members

Scope Types:

  • project

Create image member

delete_member
Default:

rule:context_is_admin or (role:member and project_id:%(project_id)s)

Operations:

  • DELETE /v2/images/{image_id}/members/{member_id}

Scope Types:

  • project

Delete image member

get_member
Default:

rule:context_is_admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)

Operations:

  • GET /v2/images/{image_id}/members/{member_id}

Scope Types:

  • project

Show image member details

get_members
Default:

rule:context_is_admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)

Operations:

  • GET /v2/images/{image_id}/members

Scope Types:

  • project

List image members

modify_member
Default:

rule:context_is_admin or (role:member and project_id:%(member_id)s)

Operations:

  • PUT /v2/images/{image_id}/members/{member_id}

Scope Types:

  • project

Update image member

manage_image_cache
Default:

rule:context_is_admin

Scope Types:

  • project

Manage image cache

deactivate
Default:

rule:context_is_admin or (role:member and project_id:%(project_id)s)

Operations:

  • POST /v2/images/{image_id}/actions/deactivate

Scope Types:

  • project

Deactivate image

reactivate
Default:

rule:context_is_admin or (role:member and project_id:%(project_id)s)

Operations:

  • POST /v2/images/{image_id}/actions/reactivate

Scope Types:

  • project

Reactivate image

copy_image
Default:

rule:context_is_admin

Operations:

  • POST /v2/images/{image_id}/import

Scope Types:

  • project

Copy existing image to other stores

get_task
Default:

rule:default

Operations:

  • GET /v2/tasks/{task_id}

Scope Types:

  • project

Get an image task.

This granular policy controls access to tasks, both from the tasks API as well as internal locations in Glance that use tasks (like import). Practically this cannot be more restrictive than the policy that controls import or things will break, and changing it from the default is almost certainly not what you want. Access to the external tasks API should be restricted as desired by the tasks_api_access policy. This may change in the future.

get_tasks
Default:

rule:default

Operations:

  • GET /v2/tasks

Scope Types:

  • project

List tasks for all images.

This granular policy controls access to tasks, both from the tasks API as well as internal locations in Glance that use tasks (like import). Practically this cannot be more restrictive than the policy that controls import or things will break, and changing it from the default is almost certainly not what you want. Access to the external tasks API should be restricted as desired by the tasks_api_access policy. This may change in the future.

add_task
Default:

rule:default

Operations:

  • POST /v2/tasks

Scope Types:

  • project

List tasks for all images.

This granular policy controls access to tasks, both from the tasks API as well as internal locations in Glance that use tasks (like import). Practically this cannot be more restrictive than the policy that controls import or things will break, and changing it from the default is almost certainly not what you want. Access to the external tasks API should be restricted as desired by the tasks_api_access policy. This may change in the future.

modify_task
Default:

rule:default

Operations:

  • DELETE /v2/tasks/{task_id}

Scope Types:

  • project

This policy is not used.

tasks_api_access
Default:

rule:context_is_admin

Operations:

  • GET /v2/tasks/{task_id}

  • GET /v2/tasks

  • POST /v2/tasks

  • DELETE /v2/tasks/{task_id}

Scope Types:

  • project

This is a generic blanket policy for protecting all task APIs. It is not granular and will not allow you to separate writable and readable task operations into different roles.

metadef_default
Default:

<empty string>

(no description provided)

metadef_admin
Default:

rule:context_is_admin

(no description provided)

get_metadef_namespace
Default:

rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))

Operations:

  • GET /v2/metadefs/namespaces/{namespace_name}

Scope Types:

  • project

Get a specific namespace.

get_metadef_namespaces
Default:

rule:context_is_admin or (role:reader and project_id:%(project_id)s)

Operations:

  • GET /v2/metadefs/namespaces

Scope Types:

  • project

List namespace.

modify_metadef_namespace
Default:

rule:metadef_admin

Operations:

  • PUT /v2/metadefs/namespaces/{namespace_name}

Scope Types:

  • project

Modify an existing namespace.

add_metadef_namespace
Default:

rule:metadef_admin

Operations:

  • POST /v2/metadefs/namespaces

Scope Types:

  • project

Create a namespace.

delete_metadef_namespace
Default:

rule:metadef_admin

Operations:

  • DELETE /v2/metadefs/namespaces/{namespace_name}

Scope Types:

  • project

Delete a namespace.

get_metadef_object
Default:

rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))

Operations:

  • GET /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}

Scope Types:

  • project

Get a specific object from a namespace.

get_metadef_objects
Default:

rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))

Operations:

  • GET /v2/metadefs/namespaces/{namespace_name}/objects

Scope Types:

  • project

Get objects from a namespace.

modify_metadef_object
Default:

rule:metadef_admin

Operations:

  • PUT /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}

Scope Types:

  • project

Update an object within a namespace.

add_metadef_object
Default:

rule:metadef_admin

Operations:

  • POST /v2/metadefs/namespaces/{namespace_name}/objects

Scope Types:

  • project

Create an object within a namespace.

delete_metadef_object
Default:

rule:metadef_admin

Operations:

  • DELETE /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}

Scope Types:

  • project

Delete an object within a namespace.

list_metadef_resource_types
Default:

rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))

Operations:

  • GET /v2/metadefs/resource_types

Scope Types:

  • project

List meta definition resource types.

get_metadef_resource_type
Default:

rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))

Operations:

  • GET /v2/metadefs/namespaces/{namespace_name}/resource_types

Scope Types:

  • project

Get meta definition resource types associations.

add_metadef_resource_type_association
Default:

rule:metadef_admin

Operations:

  • POST /v2/metadefs/namespaces/{namespace_name}/resource_types

Scope Types:

  • project

Create meta definition resource types association.

remove_metadef_resource_type_association
Default:

rule:metadef_admin

Operations:

  • POST /v2/metadefs/namespaces/{namespace_name}/resource_types/{name}

Scope Types:

  • project

Delete meta definition resource types association.

get_metadef_property
Default:

rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))

Operations:

  • GET /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}

Scope Types:

  • project

Get a specific meta definition property.

get_metadef_properties
Default:

rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))

Operations:

  • GET /v2/metadefs/namespaces/{namespace_name}/properties

Scope Types:

  • project

List meta definition properties.

modify_metadef_property
Default:

rule:metadef_admin

Operations:

  • GET /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}

Scope Types:

  • project

Update meta definition property.

add_metadef_property
Default:

rule:metadef_admin

Operations:

  • POST /v2/metadefs/namespaces/{namespace_name}/properties

Scope Types:

  • project

Create meta definition property.

remove_metadef_property
Default:

rule:metadef_admin

Operations:

  • DELETE /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}

Scope Types:

  • project

Delete meta definition property.

get_metadef_tag
Default:

rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))

Operations:

  • GET /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}

Scope Types:

  • project

Get tag definition.

get_metadef_tags
Default:

rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))

Operations:

  • GET /v2/metadefs/namespaces/{namespace_name}/tags

Scope Types:

  • project

List tag definitions.

modify_metadef_tag
Default:

rule:metadef_admin

Operations:

  • PUT /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}

Scope Types:

  • project

Update tag definition.

add_metadef_tag
Default:

rule:metadef_admin

Operations:

  • POST /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}

Scope Types:

  • project

Add tag definition.

add_metadef_tags
Default:

rule:metadef_admin

Operations:

  • POST /v2/metadefs/namespaces/{namespace_name}/tags

Scope Types:

  • project

Create tag definitions.

delete_metadef_tag
Default:

rule:metadef_admin

Operations:

  • DELETE /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}

Scope Types:

  • project

Delete tag definition.

delete_metadef_tags
Default:

rule:metadef_admin

Operations:

  • DELETE /v2/metadefs/namespaces/{namespace_name}/tags

Scope Types:

  • project

Delete tag definitions.

cache_image
Default:

rule:context_is_admin

Operations:

  • PUT /v2/cache/{image_id}

Scope Types:

  • project

Queue image for caching

cache_list
Default:

rule:context_is_admin

Operations:

  • GET /v2/cache

Scope Types:

  • project

List cache status

cache_delete
Default:

rule:context_is_admin

Operations:

  • DELETE /v2/cache

  • DELETE /v2/cache/{image_id}

Scope Types:

  • project

Delete image(s) from cache and/or queue

stores_info_detail
Default:

rule:context_is_admin

Operations:

  • GET /v2/info/stores/detail

Scope Types:

  • project

Expose store specific information