Policies¶
The following is an overview of all available policies in Ironic. For a sample configuration file, refer to Ironic Policy.
ironic.api¶
admin_apiDefault: role:admin or role:administratorLegacy rule for cloud admin access
public_apiDefault: is_public_api:TrueInternal flag for public API routes
show_passwordDefault: !Show or mask secrets within node driver information in API responses
show_instance_secretsDefault: !Show or mask secrets within instance information in API responses
is_memberDefault: (project_domain_id:default or project_domain_id:None) and (project_name:demo or project_name:baremetal)May be used to restrict access to specific projects
is_observerDefault: rule:is_member and (role:observer or role:baremetal_observer)Read-only API access
is_adminDefault: rule:admin_api or (rule:is_member and role:baremetal_admin)Full read/write API access
baremetal:node:getDefault: rule:is_admin or rule:is_observerRetrieve Node records
baremetal:node:get_boot_deviceDefault: rule:is_admin or rule:is_observerRetrieve Node boot device metadata
baremetal:node:get_statesDefault: rule:is_admin or rule:is_observerView Node power and provision state
baremetal:node:createDefault: rule:is_adminCreate Node records
baremetal:node:deleteDefault: rule:is_adminDelete Node records
baremetal:node:updateDefault: rule:is_adminUpdate Node records
baremetal:node:validateDefault: rule:is_adminRequest active validation of Nodes
baremetal:node:set_maintenanceDefault: rule:is_adminSet maintenance flag, taking a Node out of service
baremetal:node:clear_maintenanceDefault: rule:is_adminClear maintenance flag, placing the Node into service again
baremetal:node:set_boot_deviceDefault: rule:is_adminChange Node boot device
baremetal:node:set_power_stateDefault: rule:is_adminChange Node power status
baremetal:node:set_provision_stateDefault: rule:is_adminChange Node provision status
baremetal:node:set_raid_stateDefault: rule:is_adminChange Node RAID status
baremetal:node:get_consoleDefault: rule:is_adminGet Node console connection information
baremetal:node:set_console_stateDefault: rule:is_adminChange Node console status
baremetal:node:vif:listDefault: rule:is_adminList VIFs attached to node
baremetal:node:vif:attachDefault: rule:is_adminAttach a VIF to a node
baremetal:node:vif:detachDefault: rule:is_adminDetach a VIF from a node
baremetal:node:inject_nmiDefault: rule:is_adminInject NMI for a node
baremetal:port:getDefault: rule:is_admin or rule:is_observerRetrieve Port records
baremetal:port:createDefault: rule:is_adminCreate Port records
baremetal:port:deleteDefault: rule:is_adminDelete Port records
baremetal:port:updateDefault: rule:is_adminUpdate Port records
baremetal:portgroup:getDefault: rule:is_admin or rule:is_observerRetrieve Portgroup records
baremetal:portgroup:createDefault: rule:is_adminCreate Portgroup records
baremetal:portgroup:deleteDefault: rule:is_adminDelete Portgroup records
baremetal:portgroup:updateDefault: rule:is_adminUpdate Portgroup records
baremetal:chassis:getDefault: rule:is_admin or rule:is_observerRetrieve Chassis records
baremetal:chassis:createDefault: rule:is_adminCreate Chassis records
baremetal:chassis:deleteDefault: rule:is_adminDelete Chassis records
baremetal:chassis:updateDefault: rule:is_adminUpdate Chassis records
baremetal:driver:getDefault: rule:is_admin or rule:is_observerView list of available drivers
baremetal:driver:get_propertiesDefault: rule:is_admin or rule:is_observerView driver-specific properties
baremetal:driver:get_raid_logical_disk_propertiesDefault: rule:is_admin or rule:is_observerView driver-specific RAID metadata
baremetal:node:vendor_passthruDefault: rule:is_adminAccess vendor-specific Node functions
baremetal:driver:vendor_passthruDefault: rule:is_adminAccess vendor-specific Driver functions
baremetal:node:ipa_heartbeatDefault: rule:public_apiSend heartbeats from IPA ramdisk
baremetal:driver:ipa_lookupDefault: rule:public_apiAccess IPA ramdisk functions
baremetal:volume:getDefault: rule:is_admin or rule:is_observerRetrieve Volume connector and target records
baremetal:volume:createDefault: rule:is_adminCreate Volume connector and target records
baremetal:volume:deleteDefault: rule:is_adminDelete Volume connetor and target records
baremetal:volume:updateDefault: rule:is_adminUpdate Volume connector and target records
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.