Policy Reference¶

Warning

JSON formatted policy file is deprecated since Neutron 18.0.0 (Wallaby). This oslopolicy-convert-json-to-yaml tool will migrate your existing JSON-formatted policy file to YAML in a backward-compatible way.

Neutron, like most OpenStack projects, uses a policy language to restrict permissions on REST API actions.

The following is an overview of all available policies in neutron.

For a sample policy file, refer to Sample Policy File.

neutron¶

context_is_admin

Default:: role:admin

Rule for cloud admin access

service_api

Default:: role:service

Default rule for the service-to-service APIs.

owner

Default:: tenant_id:%(tenant_id)s

Rule for resource owner access

admin_or_owner

Default:: rule:context_is_admin or rule:owner

Rule for admin or owner access

context_is_advsvc

Default:: role:advsvc

Rule for advsvc role access

admin_or_network_owner

Default:: rule:context_is_admin or tenant_id:%(network:tenant_id)s

Rule for admin or network owner access

admin_owner_or_network_owner

Default:: rule:owner or rule:admin_or_network_owner

Rule for resource owner, admin or network owner access

network_owner

Default:: tenant_id:%(network:tenant_id)s

Rule for network owner access

admin_only

Default:: rule:context_is_admin

Rule for admin-only access

regular_user

Default:: <empty string>

Rule for regular user access

shared

Default:: field:networks:shared=True

Rule of shared network

default

Default:: rule:admin_or_owner

Default access rule

admin_or_ext_parent_owner

Default:: rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s

Rule for common parent owner check

ext_parent_owner

Default:: tenant_id:%(ext_parent:tenant_id)s

Rule for common parent owner check

sg_owner

Default:: tenant_id:%(security_group:tenant_id)s

Rule for security group owner access

shared_address_groups

Default:: field:address_groups:shared=True

Definition of a shared address group

get_address_group

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups

Operations:

GET /address-groups
GET /address-groups/{id}

Scope Types:

project

Get an address group

shared_address_scopes

Default:: field:address_scopes:shared=True

Definition of a shared address scope

create_address_scope

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

POST /address-scopes

Scope Types:

project

Create an address scope

create_address_scope:shared

Default:

rule:admin_only

Operations:

POST /address-scopes

Scope Types:

project

Create a shared address scope

get_address_scope

Default:

rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared_address_scopes

Operations:

GET /address-scopes
GET /address-scopes/{id}

Scope Types:

project

Get an address scope

update_address_scope

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /address-scopes/{id}

Scope Types:

project

Update an address scope

update_address_scope:shared

Default:

rule:admin_only

Operations:

PUT /address-scopes/{id}

Scope Types:

project

Update shared attribute of an address scope

delete_address_scope

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /address-scopes/{id}

Scope Types:

project

Delete an address scope

get_agent

Default:

rule:admin_only

Operations:

GET /agents
GET /agents/{id}

Scope Types:

project

Get an agent

update_agent

Default:

rule:admin_only

Operations:

PUT /agents/{id}

Scope Types:

project

Update an agent

delete_agent

Default:

rule:admin_only

Operations:

DELETE /agents/{id}

Scope Types:

project

Delete an agent

create_dhcp-network

Default:

rule:admin_only

Operations:

POST /agents/{agent_id}/dhcp-networks

Scope Types:

project

Add a network to a DHCP agent

get_dhcp-networks

Default:

rule:admin_only

Operations:

GET /agents/{agent_id}/dhcp-networks

Scope Types:

project

List networks on a DHCP agent

delete_dhcp-network

Default:

rule:admin_only

Operations:

DELETE /agents/{agent_id}/dhcp-networks/{network_id}

Scope Types:

project

Remove a network from a DHCP agent

create_l3-router

Default:

rule:admin_only

Operations:

POST /agents/{agent_id}/l3-routers

Scope Types:

project

Add a router to an L3 agent

get_l3-routers

Default:

rule:admin_only

Operations:

GET /agents/{agent_id}/l3-routers

Scope Types:

project

List routers on an L3 agent

delete_l3-router

Default:

rule:admin_only

Operations:

DELETE /agents/{agent_id}/l3-routers/{router_id}

Scope Types:

project

Remove a router from an L3 agent

get_dhcp-agents

Default:

rule:admin_only

Operations:

GET /networks/{network_id}/dhcp-agents

Scope Types:

project

List DHCP agents hosting a network

get_l3-agents

Default:

rule:admin_only

Operations:

GET /routers/{router_id}/l3-agents

Scope Types:

project

List L3 agents hosting a router

get_auto_allocated_topology

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:

GET /auto-allocated-topology/{project_id}

Scope Types:

project

Get a project’s auto-allocated topology

delete_auto_allocated_topology

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /auto-allocated-topology/{project_id}

Scope Types:

project

Delete a project’s auto-allocated topology

get_availability_zone

Default:

role:reader

Operations:

GET /availability_zones

Scope Types:

project

List availability zones

create_default_security_group_rule

Default:

rule:admin_only

Operations:

POST /default-security-group-rules

Scope Types:

project

Create a templated of the security group rule

get_default_security_group_rule

Default:

role:reader

Operations:

GET /default-security-group-rules
GET /default-security-group-rules/{id}

Scope Types:

project

Get a templated of the security group rule

delete_default_security_group_rule

Default:

rule:admin_only

Operations:

DELETE /default-security-group-rules/{id}

Scope Types:

project

Delete a templated of the security group rule

create_flavor

Default:

rule:admin_only

Operations:

POST /flavors

Scope Types:

project

Create a flavor

get_flavor

Default:

role:reader

Operations:

GET /flavors
GET /flavors/{id}

Scope Types:

project

Get a flavor

update_flavor

Default:

rule:admin_only

Operations:

PUT /flavors/{id}

Scope Types:

project

Update a flavor

delete_flavor

Default:

rule:admin_only

Operations:

DELETE /flavors/{id}

Scope Types:

project

Delete a flavor

create_service_profile

Default:

rule:admin_only

Operations:

POST /service_profiles

Scope Types:

project

Create a service profile

get_service_profile

Default:

rule:admin_only

Operations:

GET /service_profiles
GET /service_profiles/{id}

Scope Types:

project

Get a service profile

update_service_profile

Default:

rule:admin_only

Operations:

PUT /service_profiles/{id}

Scope Types:

project

Update a service profile

delete_service_profile

Default:

rule:admin_only

Operations:

DELETE /service_profiles/{id}

Scope Types:

project

Delete a service profile

get_flavor_service_profile

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Scope Types:

project

Get a flavor associated with a given service profiles. There is no corresponding GET operations in API currently. This rule is currently referred only in the DELETE of flavor_service_profile.

create_flavor_service_profile

Default:

rule:admin_only

Operations:

POST /flavors/{flavor_id}/service_profiles

Scope Types:

project

Associate a flavor with a service profile

delete_flavor_service_profile

Default:

rule:admin_only

Operations:

DELETE /flavors/{flavor_id}/service_profiles/{profile_id}

Scope Types:

project

Disassociate a flavor with a service profile

create_floatingip

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

POST /floatingips

Scope Types:

project

Create a floating IP

create_floatingip:floating_ip_address

Default:

rule:admin_only

Operations:

POST /floatingips

Scope Types:

project

Create a floating IP with a specific IP address

get_floatingip

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:

GET /floatingips
GET /floatingips/{id}

Scope Types:

project

Get a floating IP

get_floatingips_tags

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:

GET /floatingips/{id}/tags
GET /floatingips/{id}/tags/{tag_id}

Scope Types:

project

Get the floating IP tags

update_floatingip

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /floatingips/{id}

Scope Types:

project

Update a floating IP

update_floatingips_tags

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /floatingips/{id}/tags
PUT /floatingips/{id}/tags/{tag_id}

Scope Types:

project

Update the floating IP tags

delete_floatingip

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /floatingips/{id}

Scope Types:

project

Delete a floating IP

delete_floatingips_tags

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /floatingips/{id}/tags
DELETE /floatingips/{id}/tags/{tag_id}

Scope Types:

project

Delete the floating IP tags

get_floatingip_pool

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:

GET /floatingip_pools

Scope Types:

project

Get floating IP pools

create_floatingip_port_forwarding

Default:

(rule:admin_only) or (role:member and rule:ext_parent_owner)

Operations:

POST /floatingips/{floatingip_id}/port_forwardings

Scope Types:

project

Create a floating IP port forwarding

get_floatingip_port_forwarding

Default:

(rule:admin_only) or (role:reader and rule:ext_parent_owner)

Operations:

GET /floatingips/{floatingip_id}/port_forwardings
GET /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}

Scope Types:

project

Get a floating IP port forwarding

update_floatingip_port_forwarding

Default:

(rule:admin_only) or (role:member and rule:ext_parent_owner)

Operations:

PUT /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}

Scope Types:

project

Update a floating IP port forwarding

delete_floatingip_port_forwarding

Default:

(rule:admin_only) or (role:member and rule:ext_parent_owner)

Operations:

DELETE /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}

Scope Types:

project

Delete a floating IP port forwarding

create_router_conntrack_helper

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner

Operations:

POST /routers/{router_id}/conntrack_helpers

Scope Types:

project

Create a router conntrack helper

get_router_conntrack_helper

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner

Operations:

GET /routers/{router_id}/conntrack_helpers
GET /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}

Scope Types:

project

Get a router conntrack helper

update_router_conntrack_helper

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner

Operations:

PUT /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}

Scope Types:

project

Update a router conntrack helper

delete_router_conntrack_helper

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner

Operations:

DELETE /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}

Scope Types:

project

Delete a router conntrack helper

create_local_ip

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

POST /local-ips

Scope Types:

project

Create a Local IP

get_local_ip

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:

GET /local-ips
GET /local-ips/{id}

Scope Types:

project

Get a Local IP

update_local_ip

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /local-ips/{id}

Scope Types:

project

Update a Local IP

delete_local_ip

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /local-ips/{id}

Scope Types:

project

Delete a Local IP

create_local_ip_port_association

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner

Operations:

POST /local_ips/{local_ip_id}/port_associations

Scope Types:

project

Create a Local IP port association

get_local_ip_port_association

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:ext_parent_owner

Operations:

GET /local_ips/{local_ip_id}/port_associations
GET /local_ips/{local_ip_id}/port_associations/{fixed_port_id}

Scope Types:

project

Get a Local IP port association

delete_local_ip_port_association

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:ext_parent_owner

Operations:

DELETE /local_ips/{local_ip_id}/port_associations/{fixed_port_id}

Scope Types:

project

Delete a Local IP port association

get_loggable_resource

Default:

rule:admin_only

Operations:

GET /log/loggable-resources

Scope Types:

project

Get loggable resources

create_log

Default:

rule:admin_only

Operations:

POST /log/logs

Scope Types:

project

Create a network log

get_log

Default:

rule:admin_only

Operations:

GET /log/logs
GET /log/logs/{id}

Scope Types:

project

Get a network log

update_log

Default:

rule:admin_only

Operations:

PUT /log/logs/{id}

Scope Types:

project

Update a network log

delete_log

Default:

rule:admin_only

Operations:

DELETE /log/logs/{id}

Scope Types:

project

Delete a network log

create_metering_label

Default:

rule:admin_only

Operations:

POST /metering/metering-labels

Scope Types:

project

Create a metering label

get_metering_label

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:

GET /metering/metering-labels
GET /metering/metering-labels/{id}

Scope Types:

project

Get a metering label

delete_metering_label

Default:

rule:admin_only

Operations:

DELETE /metering/metering-labels/{id}

Scope Types:

project

Delete a metering label

create_metering_label_rule

Default:

rule:admin_only

Operations:

POST /metering/metering-label-rules

Scope Types:

project

Create a metering label rule

get_metering_label_rule

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:

GET /metering/metering-label-rules
GET /metering/metering-label-rules/{id}

Scope Types:

project

Get a metering label rule

delete_metering_label_rule

Default:

rule:admin_only

Operations:

DELETE /metering/metering-label-rules/{id}

Scope Types:

project

Delete a metering label rule

create_ndp_proxy

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

POST /ndp_proxies

Scope Types:

project

Create a ndp proxy

get_ndp_proxy

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:

GET /ndp_proxies
GET /ndp_proxies/{id}

Scope Types:

project

Get a ndp proxy

update_ndp_proxy

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /ndp_proxies/{id}

Scope Types:

project

Update a ndp proxy

delete_ndp_proxy

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /ndp_proxies/{id}

Scope Types:

project

Delete a ndp proxy

external

Default:: field:networks:router:external=True

Definition of an external network

create_network

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

POST /networks

Scope Types:

project

Create a network

create_network:shared

Default:

rule:admin_only

Operations:

POST /networks

Scope Types:

project

Create a shared network

create_network:router:external

Default:

rule:admin_only

Operations:

POST /networks

Scope Types:

project

Create an external network

create_network:is_default

Default:

rule:admin_only

Operations:

POST /networks

Scope Types:

project

Specify is_default attribute when creating a network

create_network:port_security_enabled

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

POST /networks

Scope Types:

project

Specify port_security_enabled attribute when creating a network

create_network:segments

Default:

rule:admin_only

Operations:

POST /networks

Scope Types:

project

Specify segments attribute when creating a network

create_network:provider:network_type

Default:

rule:admin_only

Operations:

POST /networks

Scope Types:

project

Specify provider:network_type when creating a network

create_network:provider:physical_network

Default:

rule:admin_only

Operations:

POST /networks

Scope Types:

project

Specify provider:physical_network when creating a network

create_network:provider:segmentation_id

Default:

rule:admin_only

Operations:

POST /networks

Scope Types:

project

Specify provider:segmentation_id when creating a network

get_network

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:service_api or rule:shared or rule:external or rule:context_is_advsvc

Operations:

GET /networks
GET /networks/{id}

Scope Types:

project

Get a network

get_network:segments

Default:

rule:admin_only

Operations:

GET /networks
GET /networks/{id}

Scope Types:

project

Get segments attribute of a network

get_network:provider:network_type

Default:

rule:admin_only

Operations:

GET /networks
GET /networks/{id}

Scope Types:

project

Get provider:network_type attribute of a network

get_network:provider:physical_network

Default:

rule:admin_only

Operations:

GET /networks
GET /networks/{id}

Scope Types:

project

Get provider:physical_network attribute of a network

get_network:provider:segmentation_id

Default:

rule:admin_only

Operations:

GET /networks
GET /networks/{id}

Scope Types:

project

Get provider:segmentation_id attribute of a network

get_networks_tags

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc

Operations:

GET /networks/{id}/tags
GET /networks/{id}/tags/{tag_id}

Scope Types:

project

Get the network tags

update_network

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /networks/{id}

Scope Types:

project

Update a network

update_network:segments

Default:

rule:admin_only

Operations:

PUT /networks/{id}

Scope Types:

project

Update segments attribute of a network

update_network:shared

Default:

rule:admin_only

Operations:

PUT /networks/{id}

Scope Types:

project

Update shared attribute of a network

update_network:provider:network_type

Default:

rule:admin_only

Operations:

PUT /networks/{id}

Scope Types:

project

Update provider:network_type attribute of a network

update_network:provider:physical_network

Default:

rule:admin_only

Operations:

PUT /networks/{id}

Scope Types:

project

Update provider:physical_network attribute of a network

update_network:provider:segmentation_id

Default:

rule:admin_only

Operations:

PUT /networks/{id}

Scope Types:

project

Update provider:segmentation_id attribute of a network

update_network:router:external

Default:

rule:admin_only

Operations:

PUT /networks/{id}

Scope Types:

project

Update router:external attribute of a network

update_network:is_default

Default:

rule:admin_only

Operations:

PUT /networks/{id}

Scope Types:

project

Update is_default attribute of a network

update_network:port_security_enabled

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /networks/{id}

Scope Types:

project

Update port_security_enabled attribute of a network

update_networks_tags

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /networks/{id}/tags
PUT /networks/{id}/tags/{tag_id}

Scope Types:

project

Update the network tags

delete_network

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /networks/{id}

Scope Types:

project

Delete a network

delete_networks_tags

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /networks/{id}/tags
DELETE /networks/{id}/tags/{tag_id}

Scope Types:

project

Delete the network tags

get_network_ip_availability

Default:

rule:admin_only

Operations:

GET /network-ip-availabilities
GET /network-ip-availabilities/{network_id}

Scope Types:

project

Get network IP availability

create_network_segment_range

Default:

rule:admin_only

Operations:

POST /network_segment_ranges

Scope Types:

project

Create a network segment range

get_network_segment_range

Default:

rule:admin_only

Operations:

GET /network_segment_ranges
GET /network_segment_ranges/{id}

Scope Types:

project

Get a network segment range

get_network_segment_ranges_tags

Default:

rule:admin_only

Operations:

GET /network_segment_ranges/{id}/tags
GET /network_segment_ranges/{id}/tags/{tag_id}

Scope Types:

project

Get the network segment range tags

update_network_segment_range

Default:

rule:admin_only

Operations:

PUT /network_segment_ranges/{id}

Scope Types:

project

Update a network segment range

update_network_segment_ranges_tags

Default:

rule:admin_only

Operations:

PUT /network_segment_ranges/{id}/tags
PUT /network_segment_ranges/{id}/tags/{tag_id}

Scope Types:

project

Update the network segment range tags

delete_network_segment_range

Default:

rule:admin_only

Operations:

DELETE /network_segment_ranges/{id}

Scope Types:

project

Delete a network segment range

delete_network_segment_ranges_tags

Default:

rule:admin_only

Operations:

DELETE /network_segment_ranges/{id}/tags
DELETE /network_segment_ranges/{id}/tags/{tag_id}

Scope Types:

project

Delete the network segment range tags

get_port_binding

Default:

(rule:admin_only) or (rule:service_api)

Operations:

GET /ports/{port_id}/bindings/

Scope Types:

project

Get port binding information

create_port_binding

Default:

rule:service_api

Operations:

POST /ports/{port_id}/bindings/

Scope Types:

project

Create port binding on the host

delete_port_binding

Default:

rule:service_api

Operations:

DELETE /ports/{port_id}/bindings/

Scope Types:

project

Delete port binding on the host

activate

Default:

rule:service_api

Operations:

PUT /ports/{port_id}/bindings/{host}

Scope Types:

project

Activate port binding on the host

network_device

Default:: field:port:device_owner=~^network:

Definition of port with network device_owner

admin_or_data_plane_int

Default:: rule:context_is_admin or role:data_plane_integrator

Rule for data plane integration

create_port

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api

Operations:

POST /ports

Scope Types:

project

Create a port

create_port:device_owner

Default:

not rule:network_device or (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner

Operations:

POST /ports

Scope Types:

project

Specify device_owner attribute when creating a port

create_port:mac_address

Default:

(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner

Operations:

POST /ports

Scope Types:

project

Specify mac_address attribute when creating a port

create_port:fixed_ips

Default:

(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or rule:shared

Operations:

POST /ports

Scope Types:

project

Specify fixed_ips information when creating a port

create_port:fixed_ips:ip_address

Default:

(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner

Operations:

POST /ports

Scope Types:

project

Specify IP address in fixed_ips when creating a port

create_port:fixed_ips:subnet_id

Default:

(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or rule:shared

Operations:

POST /ports

Scope Types:

project

Specify subnet ID in fixed_ips when creating a port

create_port:port_security_enabled

Default:

(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner

Operations:

POST /ports

Scope Types:

project

Specify port_security_enabled attribute when creating a port

create_port:binding:host_id

Default:

(rule:admin_only) or (rule:service_api)

Operations:

POST /ports

Scope Types:

project

Specify binding:host_id attribute when creating a port

create_port:binding:profile

Default:

rule:service_api

Operations:

POST /ports

Scope Types:

project

Specify binding:profile attribute when creating a port

create_port:binding:vnic_type

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api

Operations:

POST /ports

Scope Types:

project

Specify binding:vnic_type attribute when creating a port

create_port:allowed_address_pairs

Default:

(rule:admin_only) or (role:member and rule:network_owner)

Operations:

POST /ports

Scope Types:

project

Specify allowed_address_pairs attribute when creating a port

create_port:allowed_address_pairs:mac_address

Default:

(rule:admin_only) or (role:member and rule:network_owner)

Operations:

POST /ports

Scope Types:

project

Specify mac_address` of `allowed_address_pairs attribute when creating a port

create_port:allowed_address_pairs:ip_address

Default:

(rule:admin_only) or (role:member and rule:network_owner)

Operations:

POST /ports

Scope Types:

project

Specify ip_address of allowed_address_pairs attribute when creating a port

create_port:hints

Default:

rule:admin_only

Operations:

POST /ports

Scope Types:

project

Specify hints attribute when creating a port

get_port

Default:

(rule:admin_only) or (rule:service_api) or role:reader and rule:network_owner or role:reader and project_id:%(project_id)s

Operations:

GET /ports
GET /ports/{id}

Scope Types:

project

Get a port

get_port:binding:vif_type

Default:

(rule:admin_only) or (rule:service_api)

Operations:

GET /ports
GET /ports/{id}

Scope Types:

project

Get binding:vif_type attribute of a port

get_port:binding:vif_details

Default:

(rule:admin_only) or (rule:service_api)

Operations:

GET /ports
GET /ports/{id}

Scope Types:

project

Get binding:vif_details attribute of a port

get_port:binding:host_id

Default:

(rule:admin_only) or (rule:service_api)

Operations:

GET /ports
GET /ports/{id}

Scope Types:

project

Get binding:host_id attribute of a port

get_port:binding:profile

Default:

(rule:admin_only) or (rule:service_api)

Operations:

GET /ports
GET /ports/{id}

Scope Types:

project

Get binding:profile attribute of a port

get_port:resource_request

Default:

rule:admin_only

Operations:

GET /ports
GET /ports/{id}

Scope Types:

project

Get resource_request attribute of a port

get_port:hints

Default:

rule:admin_only

Operations:

GET /ports
GET /ports/{id}

Scope Types:

project

Get hints attribute of a port

get_ports_tags

Default:

rule:context_is_advsvc or (rule:admin_only) or (role:reader and rule:network_owner) or role:reader and project_id:%(project_id)s

Operations:

GET /ports/{id}/tags
GET /ports/{id}/tags/{tag_id}

Scope Types:

project

Get the port tags

update_port

Default:

(rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s

Operations:

PUT /ports/{id}

Scope Types:

project

Update a port

update_port:device_owner

Default:

not rule:network_device or (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner

Operations:

PUT /ports/{id}

Scope Types:

project

Update device_owner attribute of a port

update_port:mac_address

Default:

(rule:admin_only) or (rule:service_api)

Operations:

PUT /ports/{id}

Scope Types:

project

Update mac_address attribute of a port

update_port:fixed_ips

Default:

(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner

Operations:

PUT /ports/{id}

Scope Types:

project

Specify fixed_ips information when updating a port

update_port:fixed_ips:ip_address

Default:

(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner

Operations:

PUT /ports/{id}

Scope Types:

project

Specify IP address in fixed_ips information when updating a port

update_port:fixed_ips:subnet_id

Default:

(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or rule:shared

Operations:

PUT /ports/{id}

Scope Types:

project

Specify subnet ID in fixed_ips information when updating a port

update_port:port_security_enabled

Default:

(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner

Operations:

PUT /ports/{id}

Scope Types:

project

Update port_security_enabled attribute of a port

update_port:binding:host_id

Default:

(rule:admin_only) or (rule:service_api)

Operations:

PUT /ports/{id}

Scope Types:

project

Update binding:host_id attribute of a port

update_port:binding:profile

Default:

rule:service_api

Operations:

PUT /ports/{id}

Scope Types:

project

Update binding:profile attribute of a port

update_port:binding:vnic_type

Default:

(rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s

Operations:

PUT /ports/{id}

Scope Types:

project

Update binding:vnic_type attribute of a port

update_port:allowed_address_pairs

Default:

(rule:admin_only) or (role:member and rule:network_owner)

Operations:

PUT /ports/{id}

Scope Types:

project

Update allowed_address_pairs attribute of a port

update_port:allowed_address_pairs:mac_address

Default:

(rule:admin_only) or (role:member and rule:network_owner)

Operations:

PUT /ports/{id}

Scope Types:

project

Update mac_address of allowed_address_pairs attribute of a port

update_port:allowed_address_pairs:ip_address

Default:

(rule:admin_only) or (role:member and rule:network_owner)

Operations:

PUT /ports/{id}

Scope Types:

project

Update ip_address of allowed_address_pairs attribute of a port

update_port:data_plane_status

Default:

rule:admin_only or role:data_plane_integrator

Operations:

PUT /ports/{id}

Scope Types:

project

Update data_plane_status attribute of a port

update_port:hints

Default:

rule:admin_only

Operations:

PUT /ports/{id}

Scope Types:

project

Update hints attribute of a port

update_ports_tags

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc

Operations:

PUT /ports/{id}/tags
PUT /ports/{id}/tags/{tag_id}

Scope Types:

project

Update the port tags

delete_port

Default:

(rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or role:member and project_id:%(project_id)s

Operations:

DELETE /ports/{id}

Scope Types:

project

Delete a port

delete_ports_tags

Default:

rule:context_is_advsvc or role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)

Operations:

DELETE /ports/{id}/tags
DELETE /ports/{id}/tags/{tag_id}

Scope Types:

project

Delete the port tags

shared_qos_policy

Default:: field:policies:shared=True

Rule of shared qos policy

get_policy

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_qos_policy

Operations:

GET /qos/policies
GET /qos/policies/{id}

Scope Types:

project

Get QoS policies

create_policy

Default:

rule:admin_only

Operations:

POST /qos/policies

Scope Types:

project

Create a QoS policy

update_policy

Default:

rule:admin_only

Operations:

PUT /qos/policies/{id}

Scope Types:

project

Update a QoS policy

delete_policy

Default:

rule:admin_only

Operations:

DELETE /qos/policies/{id}

Scope Types:

project

Delete a QoS policy

get_rule_type

Default:

role:reader

Operations:

GET /qos/rule-types
GET /qos/rule-types/{rule_type}

Scope Types:

project

Get available QoS rule types

get_policy_bandwidth_limit_rule

Default:

(rule:admin_only) or (role:reader and rule:ext_parent_owner)

Operations:

GET /qos/policies/{policy_id}/bandwidth_limit_rules
GET /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}

Scope Types:

project

Get a QoS bandwidth limit rule

create_policy_bandwidth_limit_rule

Default:

rule:admin_only

Operations:

POST /qos/policies/{policy_id}/bandwidth_limit_rules

Scope Types:

project

Create a QoS bandwidth limit rule

update_policy_bandwidth_limit_rule

Default:

rule:admin_only

Operations:

PUT /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}

Scope Types:

project

Update a QoS bandwidth limit rule

delete_policy_bandwidth_limit_rule

Default:

rule:admin_only

Operations:

DELETE /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}

Scope Types:

project

Delete a QoS bandwidth limit rule

get_policy_packet_rate_limit_rule

Default:

(rule:admin_only) or (role:reader and rule:ext_parent_owner)

Operations:

GET /qos/policies/{policy_id}/packet_rate_limit_rules
GET /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}

Scope Types:

project

Get a QoS packet rate limit rule

create_policy_packet_rate_limit_rule

Default:

rule:admin_only

Operations:

POST /qos/policies/{policy_id}/packet_rate_limit_rules

Scope Types:

project

Create a QoS packet rate limit rule

update_policy_packet_rate_limit_rule

Default:

rule:admin_only

Operations:

PUT /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}

Scope Types:

project

Update a QoS packet rate limit rule

delete_policy_packet_rate_limit_rule

Default:

rule:admin_only

Operations:

DELETE /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}

Scope Types:

project

Delete a QoS packet rate limit rule

get_policy_dscp_marking_rule

Default:

(rule:admin_only) or (role:reader and rule:ext_parent_owner)

Operations:

GET /qos/policies/{policy_id}/dscp_marking_rules
GET /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}

Scope Types:

project

Get a QoS DSCP marking rule

create_policy_dscp_marking_rule

Default:

rule:admin_only

Operations:

POST /qos/policies/{policy_id}/dscp_marking_rules

Scope Types:

project

Create a QoS DSCP marking rule

update_policy_dscp_marking_rule

Default:

rule:admin_only

Operations:

PUT /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}

Scope Types:

project

Update a QoS DSCP marking rule

delete_policy_dscp_marking_rule

Default:

rule:admin_only

Operations:

DELETE /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}

Scope Types:

project

Delete a QoS DSCP marking rule

get_policy_minimum_bandwidth_rule

Default:

(rule:admin_only) or (role:reader and rule:ext_parent_owner)

Operations:

GET /qos/policies/{policy_id}/minimum_bandwidth_rules
GET /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}

Scope Types:

project

Get a QoS minimum bandwidth rule

create_policy_minimum_bandwidth_rule

Default:

rule:admin_only

Operations:

POST /qos/policies/{policy_id}/minimum_bandwidth_rules

Scope Types:

project

Create a QoS minimum bandwidth rule

update_policy_minimum_bandwidth_rule

Default:

rule:admin_only

Operations:

PUT /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}

Scope Types:

project

Update a QoS minimum bandwidth rule

delete_policy_minimum_bandwidth_rule

Default:

rule:admin_only

Operations:

DELETE /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}

Scope Types:

project

Delete a QoS minimum bandwidth rule

get_policy_minimum_packet_rate_rule

Default:

(rule:admin_only) or (role:reader and rule:ext_parent_owner)

Operations:

GET /qos/policies/{policy_id}/minimum_packet_rate_rules
GET /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}

Scope Types:

project

Get a QoS minimum packet rate rule

create_policy_minimum_packet_rate_rule

Default:

rule:admin_only

Operations:

POST /qos/policies/{policy_id}/minimum_packet_rate_rules

Scope Types:

project

Create a QoS minimum packet rate rule

update_policy_minimum_packet_rate_rule

Default:

rule:admin_only

Operations:

PUT /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}

Scope Types:

project

Update a QoS minimum packet rate rule

delete_policy_minimum_packet_rate_rule

Default:

rule:admin_only

Operations:

DELETE /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}

Scope Types:

project

Delete a QoS minimum packet rate rule

get_alias_bandwidth_limit_rule

Default:

(rule:admin_only) or (role:reader and rule:ext_parent_owner)

Operations:

GET /qos/alias_bandwidth_limit_rules/{rule_id}/

Scope Types:

project

Get a QoS bandwidth limit rule through alias

update_alias_bandwidth_limit_rule

Default:

rule:admin_only

Operations:

PUT /qos/alias_bandwidth_limit_rules/{rule_id}/

Scope Types:

project

Update a QoS bandwidth limit rule through alias

delete_alias_bandwidth_limit_rule

Default:

rule:admin_only

Operations:

DELETE /qos/alias_bandwidth_limit_rules/{rule_id}/

Scope Types:

project

Delete a QoS bandwidth limit rule through alias

get_alias_dscp_marking_rule

Default:

(rule:admin_only) or (role:reader and rule:ext_parent_owner)

Operations:

GET /qos/alias_dscp_marking_rules/{rule_id}/

Scope Types:

project

Get a QoS DSCP marking rule through alias

update_alias_dscp_marking_rule

Default:

rule:admin_only

Operations:

PUT /qos/alias_dscp_marking_rules/{rule_id}/

Scope Types:

project

Update a QoS DSCP marking rule through alias

delete_alias_dscp_marking_rule

Default:

rule:admin_only

Operations:

DELETE /qos/alias_dscp_marking_rules/{rule_id}/

Scope Types:

project

Delete a QoS DSCP marking rule through alias

get_alias_minimum_bandwidth_rule

Default:

(rule:admin_only) or (role:reader and rule:ext_parent_owner)

Operations:

GET /qos/alias_minimum_bandwidth_rules/{rule_id}/

Scope Types:

project

Get a QoS minimum bandwidth rule through alias

update_alias_minimum_bandwidth_rule

Default:

rule:admin_only

Operations:

PUT /qos/alias_minimum_bandwidth_rules/{rule_id}/

Scope Types:

project

Update a QoS minimum bandwidth rule through alias

delete_alias_minimum_bandwidth_rule

Default:

rule:admin_only

Operations:

DELETE /qos/alias_minimum_bandwidth_rules/{rule_id}/

Scope Types:

project

Delete a QoS minimum bandwidth rule through alias

get_alias_minimum_packet_rate_rule

Default:

rule:get_policy_minimum_packet_rate_rule

Operations:

GET /qos/alias_minimum_packet_rate_rules/{rule_id}/

Scope Types:

project

Get a QoS minimum packet rate rule through alias

update_alias_minimum_packet_rate_rule

Default:

rule:update_policy_minimum_packet_rate_rule

Operations:

PUT /qos/alias_minimum_packet_rate_rules/{rule_id}/

Scope Types:

project

Update a QoS minimum packet rate rule through alias

delete_alias_minimum_packet_rate_rule

Default:

rule:delete_policy_minimum_packet_rate_rule

Operations:

DELETE /qos/alias_minimum_packet_rate_rules/{rule_id}/

Scope Types:

project

Delete a QoS minimum packet rate rule through alias

get_quota

Default:

rule:admin_only

Operations:

GET /quota
GET /quota/{id}

Scope Types:

project

Get a resource quota

update_quota

Default:

rule:admin_only

Operations:

PUT /quota/{id}

Scope Types:

project

Update a resource quota

delete_quota

Default:

rule:admin_only

Operations:

DELETE /quota/{id}

Scope Types:

project

Delete a resource quota

restrict_wildcard

Default:: (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*) or rule:admin_only

Definition of a wildcard target_project

create_rbac_policy

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

POST /rbac-policies

Scope Types:

project

Create an RBAC policy

create_rbac_policy:target_tenant

Default:

rule:admin_only or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)

Operations:

POST /rbac-policies

Scope Types:

project

Specify target_tenant when creating an RBAC policy

update_rbac_policy

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /rbac-policies/{id}

Scope Types:

project

Update an RBAC policy

update_rbac_policy:target_tenant

Default:

rule:admin_only or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)

Operations:

PUT /rbac-policies/{id}

Scope Types:

project

Update target_tenant attribute of an RBAC policy

get_rbac_policy

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:

GET /rbac-policies
GET /rbac-policies/{id}

Scope Types:

project

Get an RBAC policy

delete_rbac_policy

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /rbac-policies/{id}

Scope Types:

project

Delete an RBAC policy

create_router

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

POST /routers

Scope Types:

project

Create a router

create_router:distributed

Default:

rule:admin_only

Operations:

POST /routers

Scope Types:

project

Specify distributed attribute when creating a router

create_router:ha

Default:

rule:admin_only

Operations:

POST /routers

Scope Types:

project

Specify ha attribute when creating a router

create_router:external_gateway_info

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

POST /routers

Scope Types:

project

Specify external_gateway_info information when creating a router

create_router:external_gateway_info:network_id

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

POST /routers

Scope Types:

project

Specify network_id in external_gateway_info information when creating a router

create_router:external_gateway_info:enable_snat

Default:

rule:admin_only

Operations:

POST /routers

Scope Types:

project

Specify enable_snat in external_gateway_info information when creating a router

create_router:external_gateway_info:external_fixed_ips

Default:

rule:admin_only

Operations:

POST /routers

Scope Types:

project

Specify external_fixed_ips in external_gateway_info information when creating a router

create_router:enable_default_route_bfd

Default:

rule:admin_only

Operations:

POST /routers

Scope Types:

project

Specify enable_default_route_bfd attribute when creating a router

create_router:enable_default_route_ecmp

Default:

rule:admin_only

Operations:

POST /routers

Scope Types:

project

Specify enable_default_route_ecmp attribute when creating a router

get_router

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:

GET /routers
GET /routers/{id}

Scope Types:

project

Get a router

get_router:distributed

Default:

rule:admin_only

Operations:

GET /routers
GET /routers/{id}

Scope Types:

project

Get distributed attribute of a router

get_router:ha

Default:

rule:admin_only

Operations:

GET /routers
GET /routers/{id}

Scope Types:

project

Get ha attribute of a router

get_routers_tags

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:

GET /routers/{id}/tags
GET /routers/{id}/tags/{tag_id}

Scope Types:

project

Get the router tags

update_router

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /routers/{id}

Scope Types:

project

Update a router

update_router:distributed

Default:

rule:admin_only

Operations:

PUT /routers/{id}

Scope Types:

project

Update distributed attribute of a router

update_router:ha

Default:

rule:admin_only

Operations:

PUT /routers/{id}

Scope Types:

project

Update ha attribute of a router

update_router:external_gateway_info

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /routers/{id}

Scope Types:

project

Update external_gateway_info information of a router

update_router:external_gateway_info:network_id

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /routers/{id}

Scope Types:

project

Update network_id attribute of external_gateway_info information of a router

update_router:external_gateway_info:enable_snat

Default:

rule:admin_only

Operations:

PUT /routers/{id}

Scope Types:

project

Update enable_snat attribute of external_gateway_info information of a router

update_router:external_gateway_info:external_fixed_ips

Default:

rule:admin_only

Operations:

PUT /routers/{id}

Scope Types:

project

Update external_fixed_ips attribute of external_gateway_info information of a router

update_router:enable_default_route_bfd

Default:

rule:admin_only

Operations:

POST /routers

Scope Types:

project

Specify enable_default_route_bfd attribute when updating a router

update_router:enable_default_route_ecmp

Default:

rule:admin_only

Operations:

POST /routers

Scope Types:

project

Specify enable_default_route_ecmp attribute when updating a router

update_routers_tags

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /routers/{id}/tags
PUT /routers/{id}/tags/{tag_id}

Scope Types:

project

Update the router tags

delete_router

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /routers/{id}

Scope Types:

project

Delete a router

delete_routers_tags

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /routers/{id}/tags
DELETE /routers/{id}/tags/{tag_id}

Scope Types:

project

Delete the router tags

add_router_interface

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /routers/{id}/add_router_interface

Scope Types:

project

Add an interface to a router

remove_router_interface

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /routers/{id}/remove_router_interface

Scope Types:

project

Remove an interface from a router

add_extraroutes

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /routers/{id}/add_extraroutes

Scope Types:

project

Add extra route to a router

remove_extraroutes

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /routers/{id}/remove_extraroutes

Scope Types:

project

Remove extra route from a router

admin_or_sg_owner

Default:: rule:context_is_admin or tenant_id:%(security_group:tenant_id)s

Rule for admin or security group owner access

admin_owner_or_sg_owner

Default:: rule:owner or rule:admin_or_sg_owner

Rule for resource owner, admin or security group owner access

shared_security_group

Default:: field:security_groups:shared=True

Definition of a shared security group

rule_default_sg

Default:: field:security_group_rules:belongs_to_default_sg=True

Definition of a security group rule that belongs to the project default security group

create_security_group

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

POST /security-groups

Scope Types:

project

Create a security group

get_security_group

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_security_group

Operations:

GET /security-groups
GET /security-groups/{id}

Scope Types:

project

Get a security group

get_security_groups_tags

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_security_group

Operations:

GET /security-groups/{id}/tags
GET /security-groups/{id}/tags/{tag_id}

Scope Types:

project

Get the security group tags

update_security_group

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /security-groups/{id}

Scope Types:

project

Update a security group

update_security_groups_tags

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /security-groups/{id}/tags
PUT /security-groups/{id}/tags/{tag_id}

Scope Types:

project

Update the security group tags

delete_security_group

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /security-groups/{id}

Scope Types:

project

Delete a security group

delete_security_groups_tags

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /security-groups/{id}/tags
DELETE /security-groups/{id}/tags/{tag_id}

Scope Types:

project

Delete the security group tags

create_security_group_rule

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

POST /security-group-rules

Scope Types:

project

Create a security group rule

get_security_group_rule

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:sg_owner

Operations:

GET /security-group-rules
GET /security-group-rules/{id}

Scope Types:

project

Get a security group rule

delete_security_group_rule

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /security-group-rules/{id}

Scope Types:

project

Delete a security group rule

create_segment

Default:

rule:admin_only

Operations:

POST /segments

Scope Types:

project

Create a segment

get_segment

Default:

rule:admin_only

Operations:

GET /segments
GET /segments/{id}

Scope Types:

project

Get a segment

get_segments_tags

Default:

rule:admin_only

Operations:

GET /segments/{id}/tags
GET /segments/{id}/tags/{tag_id}

Scope Types:

project

Get the segment tags

update_segment

Default:

rule:admin_only

Operations:

PUT /segments/{id}

Scope Types:

project

Update a segment

update_segments_tags

Default:

rule:admin_only

Operations:

PUT /segments/{id}/tags
PUT /segments/{id}/tags/{tag_id}

Scope Types:

project

Update the segment tags

delete_segment

Default:

rule:admin_only

Operations:

DELETE /segments/{id}

Scope Types:

project

Delete a segment

delete_segments_tags

Default:

rule:admin_only

Operations:

DELETE /segments/{id}/tags
DELETE /segments/{id}/tags/{tag_id}

Scope Types:

project

Delete the segment tags

get_service_provider

Default:

role:reader

Operations:

GET /service-providers

Scope Types:

project

Get service providers

create_subnet

Default:

(rule:admin_only) or (role:member and rule:network_owner)

Operations:

POST /subnets

Scope Types:

project

Create a subnet

create_subnet:segment_id

Default:

rule:admin_only

Operations:

POST /subnets

Scope Types:

project

Specify segment_id attribute when creating a subnet

create_subnet:service_types

Default:

rule:admin_only

Operations:

POST /subnets

Scope Types:

project

Specify service_types attribute when creating a subnet

get_subnet

Default:

(rule:admin_only) or (role:member and rule:network_owner) or role:reader and project_id:%(project_id)s or rule:shared

Operations:

GET /subnets
GET /subnets/{id}

Scope Types:

project

Get a subnet

get_subnet:segment_id

Default:

rule:admin_only

Operations:

GET /subnets
GET /subnets/{id}

Scope Types:

project

Get segment_id attribute of a subnet

get_subnets_tags

Default:

(rule:admin_only) or (role:member and rule:network_owner) or role:reader and project_id:%(project_id)s or rule:shared

Operations:

GET /subnets/{id}/tags
GET /subnets/{id}/tags/{tag_id}

Scope Types:

project

Get the subnet tags

update_subnet

Default:

(rule:admin_only) or (role:member and rule:network_owner) or role:member and project_id:%(project_id)s

Operations:

PUT /subnets/{id}

Scope Types:

project

Update a subnet

update_subnet:segment_id

Default:

rule:admin_only

Operations:

PUT /subnets/{id}

Scope Types:

project

Update segment_id attribute of a subnet

update_subnet:service_types

Default:

rule:admin_only

Operations:

PUT /subnets/{id}

Scope Types:

project

Update service_types attribute of a subnet

update_subnets_tags

Default:

(rule:admin_only) or (role:member and rule:network_owner) or role:member and project_id:%(project_id)s

Operations:

PUT /subnets/{id}/tags
PUT /subnets/{id}/tags/{tag_id}

Scope Types:

project

Update the subnet tags

delete_subnet

Default:

(rule:admin_only) or (role:member and rule:network_owner) or role:member and project_id:%(project_id)s

Operations:

DELETE /subnets/{id}

Scope Types:

project

Delete a subnet

delete_subnets_tags

Default:

(rule:admin_only) or (role:member and rule:network_owner) or role:member and project_id:%(project_id)s

Operations:

DELETE /subnets/{id}/tags
DELETE /subnets/{id}/tags/{tag_id}

Scope Types:

project

Delete the subnet tags

shared_subnetpools

Default:: field:subnetpools:shared=True

Definition of a shared subnetpool

create_subnetpool

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

POST /subnetpools

Scope Types:

project

Create a subnetpool

create_subnetpool:shared

Default:

rule:admin_only

Operations:

POST /subnetpools

Scope Types:

project

Create a shared subnetpool

create_subnetpool:is_default

Default:

rule:admin_only

Operations:

POST /subnetpools

Scope Types:

project

Specify is_default attribute when creating a subnetpool

get_subnetpool

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools

Operations:

GET /subnetpools
GET /subnetpools/{id}

Scope Types:

project

Get a subnetpool

get_subnetpools_tags

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools

Operations:

GET /subnetpools/{id}/tags
GET /subnetpools/{id}/tags/{tag_id}

Scope Types:

project

Get the subnetpool tags

update_subnetpool

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /subnetpools/{id}

Scope Types:

project

Update a subnetpool

update_subnetpool:is_default

Default:

rule:admin_only

Operations:

PUT /subnetpools/{id}

Scope Types:

project

Update is_default attribute of a subnetpool

update_subnetpools_tags

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /subnetpools/{id}/tags
PUT /subnetpools/{id}/tags/{tag_id}

Scope Types:

project

Update the subnetpool tags

delete_subnetpool

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /subnetpools/{id}

Scope Types:

project

Delete a subnetpool

delete_subnetpools_tags

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /subnetpools/{id}/tags
DELETE /subnetpools/{id}/tags/{tag_id}

Scope Types:

project

Delete the subnetpool tags

onboard_network_subnets

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /subnetpools/{id}/onboard_network_subnets

Scope Types:

project

Onboard existing subnet into a subnetpool

add_prefixes

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /subnetpools/{id}/add_prefixes

Scope Types:

project

Add prefixes to a subnetpool

remove_prefixes

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /subnetpools/{id}/remove_prefixes

Scope Types:

project

Remove unallocated prefixes from a subnetpool

create_trunk

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

POST /trunks

Scope Types:

project

Create a trunk

get_trunk

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:

GET /trunks
GET /trunks/{id}

Scope Types:

project

Get a trunk

get_trunks_tags

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:

GET /trunks/{id}/tags
GET /trunks/{id}/tags/{tag_id}

Scope Types:

project

Get the trunk tags

update_trunk

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /trunks/{id}

Scope Types:

project

Update a trunk

update_trunks_tags

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /trunks/{id}/tags
PUT /trunks/{id}/tags/{tag_id}

Scope Types:

project

Update the trunk tags

delete_trunk

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /trunks/{id}

Scope Types:

project

Delete a trunk

delete_trunks_tags

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

DELETE /trunks/{id}/tags
DELETE /trunks/{id}/tags/{tag_id}

Scope Types:

project

Delete a trunk

get_subports

Default:

(rule:admin_only) or (role:reader and project_id:%(project_id)s)

Operations:

GET /trunks/{id}/get_subports

Scope Types:

project

List subports attached to a trunk

add_subports

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /trunks/{id}/add_subports

Scope Types:

project

Add subports to a trunk

remove_subports

Default:

(rule:admin_only) or (role:member and project_id:%(project_id)s)

Operations:

PUT /trunks/{id}/remove_subports

Scope Types:

project

Delete subports from a trunk

Policy Reference

Policy Reference¶

neutron¶

Neutron 24.1.0.dev48

Page Contents