The following policies are shipped by default. Glance will assume a policy’s default value if it’s not explicitly overridden in the policy file.
default
    Default: <empty string>
    Defines the default rule used for policies that historically had an empty policy in the supplied policy.json file.

context_is_admin
    Default: role:admin
    Defines the rule for the is_admin:True check.

add_image
    Default: rule:context_is_admin or (role:member and project_id:%(project_id)s and project_id:%(owner)s)
    Operations: POST /v2/images
    Scope Types: project
    Create new image

delete_image
    Default: rule:context_is_admin or (role:member and project_id:%(project_id)s)
    Operations: DELETE /v2/images/{image_id}
    Scope Types: project
    Deletes the image

get_image
    Default: rule:context_is_admin or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))
    Operations: GET /v2/images/{image_id}
    Scope Types: project
    Get specified image

get_images
    Default: rule:context_is_admin or (role:reader and project_id:%(project_id)s)
    Operations: GET /v2/images
    Scope Types: project
    Get all available images

modify_image
    Default: rule:context_is_admin or (role:member and project_id:%(project_id)s)
    Operations: PATCH /v2/images/{image_id}
    Scope Types: project
    Updates given image

publicize_image
    Default: rule:context_is_admin
    Operations: PATCH /v2/images/{image_id}
    Scope Types: project
    Publicize given image

communitize_image
    Default: rule:context_is_admin or (role:member and project_id:%(project_id)s)
    Operations: PATCH /v2/images/{image_id}
    Scope Types: project
    Communitize given image

download_image
    Default: rule:context_is_admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))
    Operations: GET /v2/images/{image_id}/file
    Scope Types: project
    Downloads given image

upload_image
    Default: rule:context_is_admin or (role:member and project_id:%(project_id)s)
    Operations: PUT /v2/images/{image_id}/file
    Scope Types: project
    Uploads data to specified image

delete_image_location
    Default: rule:context_is_admin
    Operations: PATCH /v2/images/{image_id}
    Scope Types: project
    Deletes the location of given image

get_image_location
    Default: rule:context_is_admin or (role:reader and project_id:%(project_id)s)
    Operations: GET /v2/images/{image_id}
    Scope Types: project
    Reads the location of the image

set_image_location
    Default: rule:context_is_admin or (role:member and project_id:%(project_id)s)
    Operations: PATCH /v2/images/{image_id}
    Scope Types: project
    Sets location URI to given image

add_member
    Default: rule:context_is_admin or (role:member and project_id:%(project_id)s)
    Operations: POST /v2/images/{image_id}/members
    Scope Types: project
    Create image member

delete_member
    Default: rule:context_is_admin or (role:member and project_id:%(project_id)s)
    Operations: DELETE /v2/images/{image_id}/members/{member_id}
    Scope Types: project
    Delete image member

get_member
    Default: rule:context_is_admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)
    Operations: GET /v2/images/{image_id}/members/{member_id}
    Scope Types: project
    Show image member details

get_members
    Default: rule:context_is_admin or role:reader and (project_id:%(project_id)s or project_id:%(member_id)s)
    Operations: GET /v2/images/{image_id}/members
    Scope Types: project
    List image members

modify_member
    Default: rule:context_is_admin or (role:member and project_id:%(member_id)s)
    Operations: PUT /v2/images/{image_id}/members/{member_id}
    Scope Types: project
    Update image member

manage_image_cache
    Default: rule:context_is_admin
    Scope Types: project
    Manage image cache

deactivate
    Default: rule:context_is_admin or (role:member and project_id:%(project_id)s)
    Operations: POST /v2/images/{image_id}/actions/deactivate
    Scope Types: project
    Deactivate image

reactivate
    Default: rule:context_is_admin or (role:member and project_id:%(project_id)s)
    Operations: POST /v2/images/{image_id}/actions/reactivate
    Scope Types: project
    Reactivate image

copy_image
    Default: rule:context_is_admin
    Operations: POST /v2/images/{image_id}/import
    Scope Types: project
    Copy existing image to other stores

get_task
    Default: rule:default
    Operations: GET /v2/tasks/{task_id}
    Scope Types: project
    Get an image task.
    This granular policy controls access to tasks, both from the tasks API as well as internal locations in Glance that use tasks (like import). Practically this cannot be more restrictive than the policy that controls import or things will break, and changing it from the default is almost certainly not what you want. Access to the external tasks API should be restricted as desired by the tasks_api_access policy. This may change in the future.

get_tasks
    Default: rule:default
    Operations: GET /v2/tasks
    Scope Types: project
    List tasks for all images.
    This granular policy controls access to tasks, both from the tasks API as well as internal locations in Glance that use tasks (like import). Practically this cannot be more restrictive than the policy that controls import or things will break, and changing it from the default is almost certainly not what you want. Access to the external tasks API should be restricted as desired by the tasks_api_access policy. This may change in the future.

add_task
    Default: rule:default
    Operations: POST /v2/tasks
    Scope Types: project
    List tasks for all images.
    This granular policy controls access to tasks, both from the tasks API as well as internal locations in Glance that use tasks (like import). Practically this cannot be more restrictive than the policy that controls import or things will break, and changing it from the default is almost certainly not what you want. Access to the external tasks API should be restricted as desired by the tasks_api_access policy. This may change in the future.

modify_task
    Default: rule:default
    Operations: DELETE /v2/tasks/{task_id}
    Scope Types: project
    This policy is not used.

tasks_api_access
    Default: rule:context_is_admin
    Operations: GET /v2/tasks/{task_id}
                GET /v2/tasks
                POST /v2/tasks
                DELETE /v2/tasks/{task_id}
    Scope Types: project
    This is a generic blanket policy for protecting all task APIs. It is not granular and will not allow you to separate writable and readable task operations into different roles.

metadef_default
    Default: <empty string>
    (no description provided)

metadef_admin
    Default: rule:context_is_admin
    (no description provided)

get_metadef_namespace
    Default: rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
    Operations: GET /v2/metadefs/namespaces/{namespace_name}
    Scope Types: project
    Get a specific namespace.

get_metadef_namespaces
    Default: rule:context_is_admin or (role:reader and project_id:%(project_id)s)
    Operations: GET /v2/metadefs/namespaces
    Scope Types: project
    List namespace.

modify_metadef_namespace
    Default: rule:metadef_admin
    Operations: PUT /v2/metadefs/namespaces/{namespace_name}
    Scope Types: project
    Modify an existing namespace.

add_metadef_namespace
    Default: rule:metadef_admin
    Operations: POST /v2/metadefs/namespaces
    Scope Types: project
    Create a namespace.

delete_metadef_namespace
    Default: rule:metadef_admin
    Operations: DELETE /v2/metadefs/namespaces/{namespace_name}
    Scope Types: project
    Delete a namespace.

get_metadef_object
    Default: rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
    Operations: GET /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
    Scope Types: project
    Get a specific object from a namespace.

get_metadef_objects
    Default: rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
    Operations: GET /v2/metadefs/namespaces/{namespace_name}/objects
    Scope Types: project
    Get objects from a namespace.

modify_metadef_object
    Default: rule:metadef_admin
    Operations: PUT /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
    Scope Types: project
    Update an object within a namespace.

add_metadef_object
    Default: rule:metadef_admin
    Operations: POST /v2/metadefs/namespaces/{namespace_name}/objects
    Scope Types: project
    Create an object within a namespace.

delete_metadef_object
    Default: rule:metadef_admin
    Operations: DELETE /v2/metadefs/namespaces/{namespace_name}/objects/{object_name}
    Scope Types: project
    Delete an object within a namespace.

list_metadef_resource_types
    Default: rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
    Operations: GET /v2/metadefs/resource_types
    Scope Types: project
    List meta definition resource types.

get_metadef_resource_type
    Default: rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
    Operations: GET /v2/metadefs/namespaces/{namespace_name}/resource_types
    Scope Types: project
    Get meta definition resource types associations.

add_metadef_resource_type_association
    Default: rule:metadef_admin
    Operations: POST /v2/metadefs/namespaces/{namespace_name}/resource_types
    Scope Types: project
    Create meta definition resource types association.

remove_metadef_resource_type_association
    Default: rule:metadef_admin
    Operations: POST /v2/metadefs/namespaces/{namespace_name}/resource_types/{name}
    Scope Types: project
    Delete meta definition resource types association.

get_metadef_property
    Default: rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
    Operations: GET /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
    Scope Types: project
    Get a specific meta definition property.

get_metadef_properties
    Default: rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
    Operations: GET /v2/metadefs/namespaces/{namespace_name}/properties
    Scope Types: project
    List meta definition properties.

modify_metadef_property
    Default: rule:metadef_admin
    Operations: GET /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
    Scope Types: project
    Update meta definition property.

add_metadef_property
    Default: rule:metadef_admin
    Operations: POST /v2/metadefs/namespaces/{namespace_name}/properties
    Scope Types: project
    Create meta definition property.

remove_metadef_property
    Default: rule:metadef_admin
    Operations: DELETE /v2/metadefs/namespaces/{namespace_name}/properties/{property_name}
    Scope Types: project
    Delete meta definition property.

get_metadef_tag
    Default: rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
    Operations: GET /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
    Scope Types: project
    Get tag definition.

get_metadef_tags
    Default: rule:context_is_admin or (role:reader and (project_id:%(project_id)s or 'public':%(visibility)s))
    Operations: GET /v2/metadefs/namespaces/{namespace_name}/tags
    Scope Types: project
    List tag definitions.

modify_metadef_tag
    Default: rule:metadef_admin
    Operations: PUT /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
    Scope Types: project
    Update tag definition.

add_metadef_tag
    Default: rule:metadef_admin
    Operations: POST /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
    Scope Types: project
    Add tag definition.

add_metadef_tags
    Default: rule:metadef_admin
    Operations: POST /v2/metadefs/namespaces/{namespace_name}/tags
    Scope Types: project
    Create tag definitions.

delete_metadef_tag
    Default: rule:metadef_admin
    Operations: DELETE /v2/metadefs/namespaces/{namespace_name}/tags/{tag_name}
    Scope Types: project
    Delete tag definition.

delete_metadef_tags
    Default: rule:metadef_admin
    Operations: DELETE /v2/metadefs/namespaces/{namespace_name}/tags
    Scope Types: project
    Delete tag definitions.

cache_image
    Default: rule:context_is_admin
    Operations: PUT /v2/cache/{image_id}
    Scope Types: project
    Queue image for caching

cache_list
    Default: rule:context_is_admin
    Operations: GET /v2/cache
    Scope Types: project
    List cache status

cache_delete
    Default: rule:context_is_admin
    Operations: DELETE /v2/cache
                DELETE /v2/cache/{image_id}
    Scope Types: project
    Delete image(s) from cache and/or queue

stores_info_detail
    Default: rule:context_is_admin
    Operations: GET /v2/info/stores/detail
    Scope Types: project
    Expose store specific information
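
The rule strings above are written in the oslo.policy language that Glance uses: rule:name references another policy, role:name tests the caller's roles, and key:%(attr)s compares the caller's key with the target's attr (a quoted literal such as 'public' is compared against the target attribute instead). The evaluator below is an added example, not Glance or oslo.policy code; it implements only that subset, loads a few of the defaults from the table, and reproduces two behaviours worth knowing before writing overrides: "and" binds tighter than "or", so the unparenthesized get_member default still grants admins unconditional access, and an empty rule such as default always passes.

```python
import re
RULES = {  # a few of the defaults from the table above, keyed by policy name (constructed subset)
    "default": "", "context_is_admin": "role:admin",   # 'default' is <empty string> in the table
    "get_image": ("rule:context_is_admin or (role:reader and (project_id:%(project_id)s "
                  "or project_id:%(member_id)s or 'community':%(visibility)s "
                  "or 'public':%(visibility)s or 'shared':%(visibility)s))"),
    "get_member": ("rule:context_is_admin or role:reader and "
                   "(project_id:%(project_id)s or project_id:%(member_id)s)"),
}
TOKEN = re.compile(r"\(|\)|(?:%\([^)]*\)|[^\s()])+")  # '(' , ')' or one check; '%(key)s' never splits a check

def parse(toks, i=0, level=0):  # recursive descent: level 0 = 'or', 1 = 'and', 2 = atom
    if level == 2:
        if toks[i] == "(":
            node, i = parse(toks, i + 1)
            assert toks[i] == ")", "unbalanced parentheses"
            return node, i + 1
        return ("check", toks[i]), i + 1
    op = ("or", "and")[level]  # 'and' is parsed at the deeper level, so it binds tighter than 'or' (as in oslo.policy)
    node, i = parse(toks, i, level + 1)
    while i < len(toks) and toks[i] == op:
        rhs, i = parse(toks, i + 1, level + 1)
        node = (op, node, rhs)
    return node, i

def check(tok, creds, target):
    """One 'kind:match' check: rule:, role:, or a generic creds-vs-target comparison."""
    kind, _, match = tok.partition(":")
    if kind == "rule":
        return enforce(match, creds, target)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", ())]
    if match.startswith("%("):  # '%(key)s' is read from the target; a missing key fails the check
        match = str(target[match[2:-2]]) if match[2:-2] in target else None
    left = kind[1:-1] if kind.startswith("'") else creds.get(kind)  # quoted literal or a creds key
    return left is not None and match is not None and str(left) == match

def evaluate(node, creds, target):
    if node[0] == "check":
        return check(node[1], creds, target)
    lhs = evaluate(node[1], creds, target)  # short-circuit: 'and' continues on True, 'or' on False
    return evaluate(node[2], creds, target) if lhs == (node[0] == "and") else lhs

def enforce(name, creds, target):
    """True if RULES[name] allows creds on target; an empty rule always passes (oslo.policy TrueCheck)."""
    toks = TOKEN.findall(RULES[name])
    if not toks:
        return True
    tree, _ = parse(toks)
    return evaluate(tree, creds, target)
```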
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.