Octavia Policies¶
The default policy is to not allow access unless the auth_strategy is ‘noauth’.
Users must be a member of one of the following roles to have access to the load-balancer API:
- role:load-balancer_observer
User has access to load-balancer read-only APIs.
- role:load-balancer_global_observer
User has access to load-balancer read-only APIs including resources owned by others.
- role:load-balancer_member
User has access to load-balancer read and write APIs.
- role:load-balancer_quota_admin
User is considered an admin for quota APIs only.
- role:load-balancer_admin
User is considered an admin for all load-balnacer APIs including resources owned by others.
- role:admin
User is admin to all APIs.
Note
‘is_admin:True’ is a policy rule that takes into account the auth_strategy == noauth configuration setting. It is equivalent to ‘rule:context_is_admin or {auth_strategy == noauth}’ if that would be valid syntax.
An alternate policy file has been provided in octavia/etc/policy called admin_or_owner-policy.json that removes the load-balancer RBAC role requirement. Please see the README.rst in that directory for more information.
Sample File Generation¶
To generate a sample policy.json file from the Octavia defaults, run the oslo policy generation script:
oslopolicy-sample-generator
--config-file etc/policy/octavia-policy-generator.conf
--output-file policy.json.sample
Merged File Generation¶
This will output a policy file which includes all registered policy defaults and all policies configured with a policy file. This file shows the effective policy in use by the project:
oslopolicy-policy-generator
--config-file etc/policy/octavia-policy-generator.conf
This tool uses the output_file path from the config-file.
List Redundant Configurations¶
This will output a list of matches for policy rules that are defined in a configuration file where the rule does not differ from a registered default rule. These are rules that can be removed from the policy file with no change in effective policy:
oslopolicy-list-redundant
--config-file etc/policy/octavia-policy-generator.conf
Default Octavia Policies¶
{
"context_is_admin": "role:admin or role:load-balancer_admin",
"load-balancer:owner": "project_id:%(project_id)s",
"load-balancer:admin": "is_admin:True or role:admin or role:load-balancer_admin",
"load-balancer:observer_and_owner": "role:load-balancer_observer and rule:load-balancer:owner",
"load-balancer:global_observer": "role:load-balancer_global_observer",
"load-balancer:member_and_owner": "role:load-balancer_member and rule:load-balancer:owner",
"load-balancer:read": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin",
"load-balancer:read-global": "rule:load-balancer:global_observer or rule:load-balancer:admin",
"load-balancer:write": "rule:load-balancer:member_and_owner or rule:load-balancer:admin",
"load-balancer:read-quota": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or role:load-balancer_quota_admin or rule:load-balancer:admin",
"load-balancer:read-quota-global": "rule:load-balancer:global_observer or role:load-balancer_quota_admin or rule:load-balancer:admin",
"load-balancer:write-quota": "role:load-balancer_quota_admin or rule:load-balancer:admin",
"os_load-balancer_api:flavor:get_all": "rule:load-balancer:read",
"os_load-balancer_api:flavor:post": "rule:load-balancer:admin",
"os_load-balancer_api:flavor:put": "rule:load-balancer:admin",
"os_load-balancer_api:flavor:get_one": "rule:load-balancer:read",
"os_load-balancer_api:flavor:delete": "rule:load-balancer:admin",
"os_load-balancer_api:flavor-profile:get_all": "rule:load-balancer:admin",
"os_load-balancer_api:flavor-profile:post": "rule:load-balancer:admin",
"os_load-balancer_api:flavor-profile:put": "rule:load-balancer:admin",
"os_load-balancer_api:flavor-profile:get_one": "rule:load-balancer:admin",
"os_load-balancer_api:flavor-profile:delete": "rule:load-balancer:admin",
"os_load-balancer_api:availability-zone:get_all": "rule:load-balancer:read",
"os_load-balancer_api:availability-zone:post": "rule:load-balancer:admin",
"os_load-balancer_api:availability-zone:put": "rule:load-balancer:admin",
"os_load-balancer_api:availability-zone:get_one": "rule:load-balancer:read",
"os_load-balancer_api:availability-zone:delete": "rule:load-balancer:admin",
"os_load-balancer_api:availability-zone-profile:get_all": "rule:load-balancer:admin",
"os_load-balancer_api:availability-zone-profile:post": "rule:load-balancer:admin",
"os_load-balancer_api:availability-zone-profile:put": "rule:load-balancer:admin",
"os_load-balancer_api:availability-zone-profile:get_one": "rule:load-balancer:admin",
"os_load-balancer_api:availability-zone-profile:delete": "rule:load-balancer:admin",
"os_load-balancer_api:healthmonitor:get_all": "rule:load-balancer:read",
"os_load-balancer_api:healthmonitor:get_all-global": "rule:load-balancer:read-global",
"os_load-balancer_api:healthmonitor:post": "rule:load-balancer:write",
"os_load-balancer_api:healthmonitor:get_one": "rule:load-balancer:read",
"os_load-balancer_api:healthmonitor:put": "rule:load-balancer:write",
"os_load-balancer_api:healthmonitor:delete": "rule:load-balancer:write",
"os_load-balancer_api:l7policy:get_all": "rule:load-balancer:read",
"os_load-balancer_api:l7policy:get_all-global": "rule:load-balancer:read-global",
"os_load-balancer_api:l7policy:post": "rule:load-balancer:write",
"os_load-balancer_api:l7policy:get_one": "rule:load-balancer:read",
"os_load-balancer_api:l7policy:put": "rule:load-balancer:write",
"os_load-balancer_api:l7policy:delete": "rule:load-balancer:write",
"os_load-balancer_api:l7rule:get_all": "rule:load-balancer:read",
"os_load-balancer_api:l7rule:post": "rule:load-balancer:write",
"os_load-balancer_api:l7rule:get_one": "rule:load-balancer:read",
"os_load-balancer_api:l7rule:put": "rule:load-balancer:write",
"os_load-balancer_api:l7rule:delete": "rule:load-balancer:write",
"os_load-balancer_api:listener:get_all": "rule:load-balancer:read",
"os_load-balancer_api:listener:get_all-global": "rule:load-balancer:read-global",
"os_load-balancer_api:listener:post": "rule:load-balancer:write",
"os_load-balancer_api:listener:get_one": "rule:load-balancer:read",
"os_load-balancer_api:listener:put": "rule:load-balancer:write",
"os_load-balancer_api:listener:delete": "rule:load-balancer:write",
"os_load-balancer_api:listener:get_stats": "rule:load-balancer:read",
"os_load-balancer_api:loadbalancer:get_all": "rule:load-balancer:read",
"os_load-balancer_api:loadbalancer:get_all-global": "rule:load-balancer:read-global",
"os_load-balancer_api:loadbalancer:post": "rule:load-balancer:write",
"os_load-balancer_api:loadbalancer:get_one": "rule:load-balancer:read",
"os_load-balancer_api:loadbalancer:put": "rule:load-balancer:write",
"os_load-balancer_api:loadbalancer:delete": "rule:load-balancer:write",
"os_load-balancer_api:loadbalancer:get_stats": "rule:load-balancer:read",
"os_load-balancer_api:loadbalancer:get_status": "rule:load-balancer:read",
"os_load-balancer_api:loadbalancer:put_failover": "rule:load-balancer:admin",
"os_load-balancer_api:member:get_all": "rule:load-balancer:read",
"os_load-balancer_api:member:post": "rule:load-balancer:write",
"os_load-balancer_api:member:get_one": "rule:load-balancer:read",
"os_load-balancer_api:member:put": "rule:load-balancer:write",
"os_load-balancer_api:member:delete": "rule:load-balancer:write",
"os_load-balancer_api:pool:get_all": "rule:load-balancer:read",
"os_load-balancer_api:pool:get_all-global": "rule:load-balancer:read-global",
"os_load-balancer_api:pool:post": "rule:load-balancer:write",
"os_load-balancer_api:pool:get_one": "rule:load-balancer:read",
"os_load-balancer_api:pool:put": "rule:load-balancer:write",
"os_load-balancer_api:pool:delete": "rule:load-balancer:write",
"os_load-balancer_api:provider:get_all": "rule:load-balancer:read",
"os_load-balancer_api:quota:get_all": "rule:load-balancer:read-quota",
"os_load-balancer_api:quota:get_all-global": "rule:load-balancer:read-quota-global",
"os_load-balancer_api:quota:get_one": "rule:load-balancer:read-quota",
"os_load-balancer_api:quota:put": "rule:load-balancer:write-quota",
"os_load-balancer_api:quota:delete": "rule:load-balancer:write-quota",
"os_load-balancer_api:quota:get_defaults": "rule:load-balancer:read-quota",
"os_load-balancer_api:amphora:get_all": "rule:load-balancer:admin",
"os_load-balancer_api:amphora:get_one": "rule:load-balancer:admin",
"os_load-balancer_api:amphora:put_config": "rule:load-balancer:admin",
"os_load-balancer_api:amphora:put_failover": "rule:load-balancer:admin",
"os_load-balancer_api:amphora:get_stats": "rule:load-balancer:admin",
"os_load-balancer_api:provider-flavor:get_all": "rule:load-balancer:admin",
"os_load-balancer_api:provider-availability-zone:get_all": "rule:load-balancer:admin"
}