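Policy Reference
Warning
The JSON-formatted policy file has been deprecated since Neutron 18.0.0 (Wallaby). The oslopolicy-convert-json-to-yaml tool migrates an existing JSON-formatted policy file to YAML in a backward-compatible way.
Neutron, like most OpenStack projects, uses a policy language to restrict permissions on REST API actions.
The following is an overview of all available policies in neutron.
For a sample policy file, see Sample Policy File.
neutron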

context_is_admin
- Default: role:admin
Rule for cloud admin access

context_with_global_access
- Default: !
Rule for context with global access to resources

service_api
- Default: role:service
Default rule for the service-to-service APIs.

owner
- Default: tenant_id:%(tenant_id)s
Rule for resource owner access

admin_or_owner
- Default: rule:context_is_admin or rule:owner
Rule for admin or owner access

context_is_advsvc
- Default: role:advsvc
Rule for advsvc role access

admin_or_network_owner
- Default: rule:context_is_admin or tenant_id:%(network:tenant_id)s
Rule for admin or network owner access

admin_owner_or_network_owner
- Default: rule:owner or rule:admin_or_network_owner
Rule for resource owner, admin or network owner access

network_owner
- Default: tenant_id:%(network:tenant_id)s
Rule for network owner access

admin_only
- Default: rule:context_is_admin
Rule for admin-only access

regular_user
- Default: <empty string>
Rule for regular user access

shared
- Default: field:networks:shared=True
Rule of shared network

default
- Default: rule:admin_or_owner
Default access rule

admin_or_ext_parent_owner
- Default: rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s
Rule for common parent owner check

ext_parent_owner
- Default: tenant_id:%(ext_parent:tenant_id)s
Rule for common parent owner check

sg_owner
- Default: tenant_id:%(security_group:tenant_id)s
Rule for security group owner access

shared_address_groups
- Default: field:address_groups:shared=True
Definition of a shared address group

get_address_group
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_address_groups
- Operations:
  GET /address-groups
  GET /address-groups/{id}
- Scope Types: project
Get an address group

shared_address_scopes
- Default: field:address_scopes:shared=True
Definition of a shared address scope

create_address_scope
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /address-scopes
- Scope Types: project
Create an address scope

create_address_scope:shared
- Default: rule:admin_only
- Operations:
  POST /address-scopes
- Scope Types: project
Create a shared address scope

get_address_scope
- Default: rule:admin_only or role:reader and project_id:%(project_id)s or rule:shared_address_scopes
- Operations:
  GET /address-scopes
  GET /address-scopes/{id}
- Scope Types: project
Get an address scope

update_address_scope
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /address-scopes/{id}
- Scope Types: project
Update an address scope

update_address_scope:shared
- Default: rule:admin_only
- Operations:
  PUT /address-scopes/{id}
- Scope Types: project
Update the shared attribute of an address scope

delete_address_scope
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  DELETE /address-scopes/{id}
- Scope Types: project
Delete an address scope

create_agent
- Default: rule:admin_only
- Operations:
  POST /agents/{id}
- Scope Types: project
Create an agent

get_agent
- Default: rule:admin_only
- Operations:
  GET /agents
  GET /agents/{id}
- Scope Types: project
Get an agent

update_agent
- Default: rule:admin_only
- Operations:
  PUT /agents/{id}
- Scope Types: project
Update an agent

delete_agent
- Default: rule:admin_only
- Operations:
  DELETE /agents/{id}
- Scope Types: project
Delete an agent

create_dhcp-network
- Default: rule:admin_only
- Operations:
  POST /agents/{agent_id}/dhcp-networks
- Scope Types: project
Add a network to a DHCP agent

get_dhcp-networks
- Default: rule:admin_only
- Operations:
  GET /agents/{agent_id}/dhcp-networks
- Scope Types: project
List networks on a DHCP agent

delete_dhcp-network
- Default: rule:admin_only
- Operations:
  DELETE /agents/{agent_id}/dhcp-networks/{network_id}
- Scope Types: project
Remove a network from a DHCP agent

create_l3-router
- Default: rule:admin_only
- Operations:
  POST /agents/{agent_id}/l3-routers
- Scope Types: project
Add a router to an L3 agent

get_l3-routers
- Default: rule:admin_only
- Operations:
  GET /agents/{agent_id}/l3-routers
- Scope Types: project
List routers on an L3 agent

delete_l3-router
- Default: rule:admin_only
- Operations:
  DELETE /agents/{agent_id}/l3-routers/{router_id}
- Scope Types: project
Remove a router from an L3 agent

get_dhcp-agents
- Default: rule:admin_only
- Operations:
  GET /networks/{network_id}/dhcp-agents
- Scope Types: project
List DHCP agents hosting a network

get_l3-agents
- Default: rule:admin_only
- Operations:
  GET /routers/{router_id}/l3-agents
- Scope Types: project
List L3 agents hosting a router

get_auto_allocated_topology
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
  GET /auto-allocated-topology/{project_id}
- Scope Types: project
Get a project's auto-allocated topology

delete_auto_allocated_topology
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  DELETE /auto-allocated-topology/{project_id}
- Scope Types: project
Delete a project's auto-allocated topology

get_availability_zone
- Default: role:reader
- Operations:
  GET /availability_zones
- Scope Types: project
List availability zones

create_default_security_group_rule
- Default: rule:admin_only
- Operations:
  POST /default-security-group-rules
- Scope Types: project
Create a template of the security group rule

get_default_security_group_rule
- Default: role:reader
- Operations:
  GET /default-security-group-rules
  GET /default-security-group-rules/{id}
- Scope Types: project
Get a template of the security group rule

delete_default_security_group_rule
- Default: rule:admin_only
- Operations:
  DELETE /default-security-group-rules/{id}
- Scope Types: project
Delete a template of the security group rule

create_flavor
- Default: rule:admin_only
- Operations:
  POST /flavors
- Scope Types: project
Create a flavor

get_flavor
- Default: role:reader
- Operations:
  GET /flavors
  GET /flavors/{id}
- Scope Types: project
Get a flavor

update_flavor
- Default: rule:admin_only
- Operations:
  PUT /flavors/{id}
- Scope Types: project
Update a flavor

delete_flavor
- Default: rule:admin_only
- Operations:
  DELETE /flavors/{id}
- Scope Types: project
Delete a flavor

create_service_profile
- Default: rule:admin_only
- Operations:
  POST /service_profiles
- Scope Types: project
Create a service profile

get_service_profile
- Default: rule:admin_only
- Operations:
  GET /service_profiles
  GET /service_profiles/{id}
- Scope Types: project
Get a service profile

update_service_profile
- Default: rule:admin_only
- Operations:
  PUT /service_profiles/{id}
- Scope Types: project
Update a service profile

delete_service_profile
- Default: rule:admin_only
- Operations:
  DELETE /service_profiles/{id}
- Scope Types: project
Delete a service profile

get_flavor_service_profile
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Scope Types: project
Get a flavor associated with a given service profile. There is currently no corresponding GET operation in the API. This rule is currently referenced only in the DELETE of flavor_service_profile.

create_flavor_service_profile
- Default: rule:admin_only
- Operations:
  POST /flavors/{flavor_id}/service_profiles
- Scope Types: project
Associate a flavor with a service profile

delete_flavor_service_profile
- Default: rule:admin_only
- Operations:
  DELETE /flavors/{flavor_id}/service_profiles/{profile_id}
- Scope Types: project
Disassociate a flavor from a service profile

create_floatingip
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /floatingips
- Scope Types: project
Create a floating IP

create_floatingip:floating_ip_address
- Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
  POST /floatingips
- Scope Types: project
Create a floating IP with a specific IP address

create_floatingip:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /floatingips/{id}/tags
- Scope Types: project
Create the floating IP tags

get_floatingip
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
  GET /floatingips
  GET /floatingips/{id}
- Scope Types: project
Get a floating IP

get_floatingip:tags
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
  GET /floatingips/{id}/tags
  GET /floatingips/{id}/tags/{tag_id}
- Scope Types: project
Get the floating IP tags

update_floatingip
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /floatingips/{id}
- Scope Types: project
Update a floating IP

update_floatingip:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /floatingips/{id}/tags
  PUT /floatingips/{id}/tags/{tag_id}
- Scope Types: project
Update the floating IP tags

delete_floatingip
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  DELETE /floatingips/{id}
- Scope Types: project
Delete a floating IP

delete_floatingips:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  DELETE /floatingips/{id}/tags
  DELETE /floatingips/{id}/tags/{tag_id}
- Scope Types: project
Delete the floating IP tags

get_floatingip_pool
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
  GET /floatingip_pools
- Scope Types: project
Get floating IP pools

create_floatingip_port_forwarding
- Default: (rule:admin_only) or (role:member and rule:ext_parent_owner)
- Operations:
  POST /floatingips/{floatingip_id}/port_forwardings
- Scope Types: project
Create a floating IP port forwarding

get_floatingip_port_forwarding
- Default: (rule:admin_only) or (role:reader and rule:ext_parent_owner)
- Operations:
  GET /floatingips/{floatingip_id}/port_forwardings
  GET /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
- Scope Types: project
Get a floating IP port forwarding

update_floatingip_port_forwarding
- Default: (rule:admin_only) or (role:member and rule:ext_parent_owner)
- Operations:
  PUT /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
- Scope Types: project
Update a floating IP port forwarding

delete_floatingip_port_forwarding
- Default: (rule:admin_only) or (role:member and rule:ext_parent_owner)
- Operations:
  DELETE /floatingips/{floatingip_id}/port_forwardings/{port_forwarding_id}
- Scope Types: project
Delete a floating IP port forwarding

create_router_conntrack_helper
- Default: (rule:admin_only) or (role:member and rule:ext_parent_owner)
- Operations:
  POST /routers/{router_id}/conntrack_helpers
- Scope Types: project
Create a router conntrack helper

get_router_conntrack_helper
- Default: (rule:admin_only) or (role:reader and rule:ext_parent_owner)
- Operations:
  GET /routers/{router_id}/conntrack_helpers
  GET /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
- Scope Types: project
Get a router conntrack helper

update_router_conntrack_helper
- Default: (rule:admin_only) or (role:member and rule:ext_parent_owner)
- Operations:
  PUT /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
- Scope Types: project
Update a router conntrack helper

delete_router_conntrack_helper
- Default: (rule:admin_only) or (role:member and rule:ext_parent_owner)
- Operations:
  DELETE /routers/{router_id}/conntrack_helpers/{conntrack_helper_id}
- Scope Types: project
Delete a router conntrack helper

create_local_ip
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /local-ips
- Scope Types: project
Create a Local IP

get_local_ip
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
  GET /local-ips
  GET /local-ips/{id}
- Scope Types: project
Get a Local IP

update_local_ip
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /local-ips/{id}
- Scope Types: project
Update a Local IP

delete_local_ip
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  DELETE /local-ips/{id}
- Scope Types: project
Delete a Local IP

create_local_ip_port_association
- Default: (rule:admin_only) or (role:member and rule:ext_parent_owner)
- Operations:
  POST /local_ips/{local_ip_id}/port_associations
- Scope Types: project
Create a Local IP port association

get_local_ip_port_association
- Default: (rule:admin_only) or (role:reader and rule:ext_parent_owner)
- Operations:
  GET /local_ips/{local_ip_id}/port_associations
  GET /local_ips/{local_ip_id}/port_associations/{fixed_port_id}
- Scope Types: project
Get a Local IP port association

delete_local_ip_port_association
- Default: (rule:admin_only) or (role:member and rule:ext_parent_owner)
- Operations:
  DELETE /local_ips/{local_ip_id}/port_associations/{fixed_port_id}
- Scope Types: project
Delete a Local IP port association

get_loggable_resource
- Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
  GET /log/loggable-resources
- Scope Types: project
Get loggable resources

create_log
- Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
  POST /log/logs
- Scope Types: project
Create a network log

get_log
- Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
  GET /log/logs
  GET /log/logs/{id}
- Scope Types: project
Get a network log

update_log
- Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
  PUT /log/logs/{id}
- Scope Types: project
Update a network log

delete_log
- Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
  DELETE /log/logs/{id}
- Scope Types: project
Delete a network log

create_metering_label
- Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
  POST /metering/metering-labels
- Scope Types: project
Create a metering label

get_metering_label
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
  GET /metering/metering-labels
  GET /metering/metering-labels/{id}
- Scope Types: project
Get a metering label

delete_metering_label
- Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
  DELETE /metering/metering-labels/{id}
- Scope Types: project
Delete a metering label

create_metering_label_rule
- Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
  POST /metering/metering-label-rules
- Scope Types: project
Create a metering label rule

get_metering_label_rule
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
  GET /metering/metering-label-rules
  GET /metering/metering-label-rules/{id}
- Scope Types: project
Get a metering label rule

delete_metering_label_rule
- Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
  DELETE /metering/metering-label-rules/{id}
- Scope Types: project
Delete a metering label rule

create_ndp_proxy
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /ndp_proxies
- Scope Types: project
Create an NDP proxy

get_ndp_proxy
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
  GET /ndp_proxies
  GET /ndp_proxies/{id}
- Scope Types: project
Get an NDP proxy

update_ndp_proxy
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /ndp_proxies/{id}
- Scope Types: project
Update an NDP proxy

delete_ndp_proxy
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  DELETE /ndp_proxies/{id}
- Scope Types: project
Delete an NDP proxy

external
- Default: field:networks:router:external=True
Definition of an external network

create_network
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /networks
- Scope Types: project
Create a network

create_network:shared
- Default: rule:admin_only
- Operations:
  POST /networks
- Scope Types: project
Create a shared network

create_network:router:external
- Default: rule:admin_only
- Operations:
  POST /networks
- Scope Types: project
Create an external network

create_network:is_default
- Default: rule:admin_only
- Operations:
  POST /networks
- Scope Types: project
Specify the is_default attribute when creating a network

create_network:port_security_enabled
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /networks
- Scope Types: project
Specify the port_security_enabled attribute when creating a network

create_network:segments
- Default: rule:admin_only
- Operations:
  POST /networks
- Scope Types: project
Specify the segments attribute when creating a network

create_network:provider:network_type
- Default: rule:admin_only
- Operations:
  POST /networks
- Scope Types: project
Specify provider:network_type when creating a network

create_network:provider:physical_network
- Default: rule:admin_only
- Operations:
  POST /networks
- Scope Types: project
Specify provider:physical_network when creating a network

create_network:provider:segmentation_id
- Default: rule:admin_only
- Operations:
  POST /networks
- Scope Types: project
Specify provider:segmentation_id when creating a network

create_network:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /networks/{id}/tags
- Scope Types: project
Create the network tags

get_network
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:service_api or rule:shared or rule:external or rule:context_is_advsvc
- Operations:
  GET /networks
  GET /networks/{id}
- Scope Types: project
Get a network

get_network:segments
- Default: rule:admin_only
- Operations:
  GET /networks
  GET /networks/{id}
- Scope Types: project
Get the segments attribute of a network

get_network:provider:network_type
- Default: rule:admin_only
- Operations:
  GET /networks
  GET /networks/{id}
- Scope Types: project
Get the provider:network_type attribute of a network

get_network:provider:physical_network
- Default: rule:admin_only
- Operations:
  GET /networks
  GET /networks/{id}
- Scope Types: project
Get the provider:physical_network attribute of a network

get_network:provider:segmentation_id
- Default: rule:admin_only
- Operations:
  GET /networks
  GET /networks/{id}
- Scope Types: project
Get the provider:segmentation_id attribute of a network

get_network:tags
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc
- Operations:
  GET /networks/{id}/tags
  GET /networks/{id}/tags/{tag_id}
- Scope Types: project
Get the network tags

update_network
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /networks/{id}
- Scope Types: project
Update a network

update_network:segments
- Default: rule:admin_only
- Operations:
  PUT /networks/{id}
- Scope Types: project
Update the segments attribute of a network

update_network:shared
- Default: rule:admin_only
- Operations:
  PUT /networks/{id}
- Scope Types: project
Update the shared attribute of a network

update_network:provider:network_type
- Default: rule:admin_only
- Operations:
  PUT /networks/{id}
- Scope Types: project
Update the provider:network_type attribute of a network

update_network:provider:physical_network
- Default: rule:admin_only
- Operations:
  PUT /networks/{id}
- Scope Types: project
Update the provider:physical_network attribute of a network

update_network:provider:segmentation_id
- Default: rule:admin_only
- Operations:
  PUT /networks/{id}
- Scope Types: project
Update the provider:segmentation_id attribute of a network

update_network:router:external
- Default: rule:admin_only
- Operations:
  PUT /networks/{id}
- Scope Types: project
Update the router:external attribute of a network

update_network:is_default
- Default: rule:admin_only
- Operations:
  PUT /networks/{id}
- Scope Types: project
Update the is_default attribute of a network

update_network:port_security_enabled
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /networks/{id}
- Scope Types: project
Update the port_security_enabled attribute of a network

update_network:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /networks/{id}/tags
  PUT /networks/{id}/tags/{tag_id}
- Scope Types: project
Update the network tags

delete_network
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  DELETE /networks/{id}
- Scope Types: project
Delete a network

delete_network:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  DELETE /networks/{id}/tags
  DELETE /networks/{id}/tags/{tag_id}
- Scope Types: project
Delete the network tags

get_network_ip_availability
- Default: (rule:admin_only) or (rule:service_api)
- Operations:
  GET /network-ip-availabilities
  GET /network-ip-availabilities/{network_id}
- Scope Types: project
Get network IP availability

create_network_segment_range
- Default: rule:admin_only
- Operations:
  POST /network_segment_ranges
- Scope Types: project
Create a network segment range

create_network_segment_range:tags
- Default: rule:admin_only
- Operations:
  POST /network_segment_ranges/{id}/tags
- Scope Types: project
Create the network segment range tags

get_network_segment_range
- Default: rule:admin_only
- Operations:
  GET /network_segment_ranges
  GET /network_segment_ranges/{id}
- Scope Types: project
Get a network segment range

get_network_segment_range:tags
- Default: rule:admin_only
- Operations:
  GET /network_segment_ranges/{id}/tags
  GET /network_segment_ranges/{id}/tags/{tag_id}
- Scope Types: project
Get the network segment range tags

update_network_segment_range
- Default: rule:admin_only
- Operations:
  PUT /network_segment_ranges/{id}
- Scope Types: project
Update a network segment range

update_network_segment_range:tags
- Default: rule:admin_only
- Operations:
  PUT /network_segment_ranges/{id}/tags
  PUT /network_segment_ranges/{id}/tags/{tag_id}
- Scope Types: project
Update the network segment range tags

delete_network_segment_range
- Default: rule:admin_only
- Operations:
  DELETE /network_segment_ranges/{id}
- Scope Types: project
Delete a network segment range

delete_network_segment_range:tags
- Default: rule:admin_only
- Operations:
  DELETE /network_segment_ranges/{id}/tags
  DELETE /network_segment_ranges/{id}/tags/{tag_id}
- Scope Types: project
Delete the network segment range tags

get_port_binding
- Default: (rule:admin_only) or (rule:service_api)
- Operations:
  GET /ports/{port_id}/bindings/
- Scope Types: project
Get port binding information

create_port_binding
- Default: rule:service_api
- Operations:
  POST /ports/{port_id}/bindings/
- Scope Types: project
Create a port binding on the host

delete_port_binding
- Default: rule:service_api
- Operations:
  DELETE /ports/{port_id}/bindings/
- Scope Types: project
Delete a port binding on the host

activate
- Default: rule:service_api
- Operations:
  PUT /ports/{port_id}/bindings/{host}
- Scope Types: project
Activate a port binding on the host

network_device
- Default: field:port:device_owner=~^network
Definition of a port with a network device_owner

admin_or_data_plane_int
- Default: rule:context_is_admin or role:data_plane_integrator
Rule for data plane integration

create_port
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api
- Operations:
  POST /ports
- Scope Types: project
Create a port

create_port:device_id
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api
- Operations:
  POST /ports
- Scope Types: project
Specify the device_id attribute when creating a port

create_port:device_owner
- Default: not rule:network_device or (rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner
- Operations:
  POST /ports
- Scope Types: project
Specify the device_owner attribute when creating a port

create_port:mac_address
- Default: (rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner
- Operations:
  POST /ports
- Scope Types: project
Specify the mac_address attribute when creating a port

create_port:fixed_ips
- Default: (rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or rule:shared
- Operations:
  POST /ports
- Scope Types: project
Specify fixed_ips information when creating a port

create_port:fixed_ips:ip_address
- Default: (rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner
- Operations:
  POST /ports
- Scope Types: project
Specify the IP address in fixed_ips when creating a port

create_port:fixed_ips:subnet_id
- Default: (rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or rule:shared
- Operations:
  POST /ports
- Scope Types: project
Specify the subnet ID in fixed_ips when creating a port

create_port:port_security_enabled
- Default: (rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner
- Operations:
  POST /ports
- Scope Types: project
Specify the port_security_enabled attribute when creating a port

create_port:binding:host_id
- Default: (rule:admin_only) or (rule:service_api)
- Operations:
  POST /ports
- Scope Types: project
Specify the binding:host_id attribute when creating a port

create_port:binding:profile
- Default: rule:service_api
- Operations:
  POST /ports
- Scope Types: project
Specify the binding:profile attribute when creating a port

create_port:binding:vnic_type
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api
- Operations:
  POST /ports
- Scope Types: project
Specify the binding:vnic_type attribute when creating a port

create_port:allowed_address_pairs
- Default: (rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s or rule:service_api
- Operations:
  POST /ports
- Scope Types: project
Specify the allowed_address_pairs attribute when creating a port

create_port:allowed_address_pairs:mac_address
- Default: (rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s or rule:service_api
- Operations:
  POST /ports
- Scope Types: project
Specify the mac_address of the allowed_address_pairs attribute when creating a port

create_port:allowed_address_pairs:ip_address
- Default: (rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s or rule:service_api
- Operations:
  POST /ports
- Scope Types: project
Specify the ip_address of the allowed_address_pairs attribute when creating a port

create_port:hints
- Default: rule:admin_only
- Operations:
  POST /ports
- Scope Types: project
Specify the hints attribute when creating a port

create_port:trusted
- Default: rule:admin_only
- Operations:
  POST /ports
- Scope Types: project
Specify the trusted attribute when creating a port

create_port:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc
- Operations:
  POST /ports/{id}/tags
- Scope Types: project
Create the port tags

get_port
- Default: (rule:admin_only) or (rule:service_api) or role:reader and rule:network_owner or role:reader and project_id:%(project_id)s
- Operations:
  GET /ports
  GET /ports/{id}
- Scope Types: project
Get a port

get_port:binding:vif_type
- Default: (rule:admin_only) or (rule:service_api)
- Operations:
  GET /ports
  GET /ports/{id}
- Scope Types: project
Get the binding:vif_type attribute of a port

get_port:binding:vif_details
- Default: (rule:admin_only) or (rule:service_api)
- Operations:
  GET /ports
  GET /ports/{id}
- Scope Types: project
Get the binding:vif_details attribute of a port

get_port:binding:host_id
- Default: (rule:admin_only) or (rule:service_api)
- Operations:
  GET /ports
  GET /ports/{id}
- Scope Types: project
Get the binding:host_id attribute of a port

get_port:binding:profile
- Default: (rule:admin_only) or (rule:service_api)
- Operations:
  GET /ports
  GET /ports/{id}
- Scope Types: project
Get the binding:profile attribute of a port

get_port:resource_request
- Default: rule:admin_only
- Operations:
  GET /ports
  GET /ports/{id}
- Scope Types: project
Get the resource_request attribute of a port

get_port:hints
- Default: rule:admin_only
- Operations:
  GET /ports
  GET /ports/{id}
- Scope Types: project
Get the hints attribute of a port

get_port:trusted
- Default: rule:admin_only
- Operations:
  GET /ports
  GET /ports/{id}
- Scope Types: project
Get the trusted attribute of a port

get_port:tags
- Default: rule:context_is_advsvc or (rule:admin_only) or (role:reader and rule:network_owner) or role:reader and project_id:%(project_id)s
- Operations:
  GET /ports/{id}/tags
  GET /ports/{id}/tags/{tag_id}
- Scope Types: project
Get the port tags

update_port
- Default: (rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s
- Operations:
  PUT /ports/{id}
- Scope Types: project
Update a port

update_port:device_id
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:service_api
- Operations:
  PUT /ports/{id}
- Scope Types: project
Update the device_id attribute of a port

update_port:device_owner
- Default: not rule:network_device or (rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner
- Operations:
  PUT /ports/{id}
- Scope Types: project
Update the device_owner attribute of a port

update_port:mac_address
- Default: (rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s
- Operations:
  PUT /ports/{id}
- Scope Types: project
Update the mac_address attribute of a port

update_port:fixed_ips
- Default: (rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner
- Operations:
  PUT /ports/{id}
- Scope Types: project
Specify fixed_ips information when updating a port

update_port:fixed_ips:ip_address
- Default: (rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner
- Operations:
  PUT /ports/{id}
- Scope Types: project
Specify the IP address in fixed_ips information when updating a port

update_port:fixed_ips:subnet_id
- Default: (rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner or rule:shared
- Operations:
  PUT /ports/{id}
- Scope Types: project
Specify the subnet ID in fixed_ips information when updating a port

update_port:port_security_enabled
- Default: (rule:admin_only) or (rule:service_api) or role:manager and project_id:%(project_id)s or role:member and rule:network_owner
- Operations:
  PUT /ports/{id}
- Scope Types: project
Update the port_security_enabled attribute of a port

update_port:binding:host_id
- Default: (rule:admin_only) or (rule:service_api)
- Operations:
  PUT /ports/{id}
- Scope Types: project
Update the binding:host_id attribute of a port

update_port:binding:profile
- Default: rule:service_api
- Operations:
  PUT /ports/{id}
- Scope Types: project
Update the binding:profile attribute of a port

update_port:binding:vnic_type
- Default: (rule:admin_only) or (rule:service_api) or role:member and project_id:%(project_id)s
- Operations:
  PUT /ports/{id}
- Scope Types: project
Update the binding:vnic_type attribute of a port

update_port:allowed_address_pairs
- Default: (rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s or rule:service_api
- Operations:
  PUT /ports/{id}
- Scope Types: project
Update the allowed_address_pairs attribute of a port

update_port:allowed_address_pairs:mac_address
- Default: (rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s or rule:service_api
- Operations:
  PUT /ports/{id}
- Scope Types: project
Update the mac_address in the allowed_address_pairs attribute of a port

update_port:allowed_address_pairs:ip_address
- Default: (rule:admin_only) or (role:member and rule:network_owner) or role:manager and project_id:%(project_id)s or rule:service_api
- Operations:
  PUT /ports/{id}
- Scope Types: project
Update the ip_address in the allowed_address_pairs attribute of a port

update_port:data_plane_status
- Default: rule:admin_only or role:data_plane_integrator
- Operations:
  PUT /ports/{id}
- Scope Types: project
Update the data_plane_status attribute of a port

update_port:hints
- Default: rule:admin_only
- Operations:
  PUT /ports/{id}
- Scope Types: project
Update the hints attribute of a port

update_port:trusted
- Default: rule:admin_only
- Operations:
  PUT /ports/{id}
- Scope Types: project
Update the trusted attribute of a port

update_port:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s) or rule:context_is_advsvc
- Operations:
  PUT /ports/{id}/tags
  PUT /ports/{id}/tags/{tag_id}
- Scope Types: project
Update the port tags

delete_port
- Default: (rule:admin_only) or (rule:service_api) or role:member and rule:network_owner or role:member and project_id:%(project_id)s
- Operations:
  DELETE /ports/{id}
- Scope Types: project
Delete a port

delete_port:tags
- Default: rule:context_is_advsvc or role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)
- Operations:
  DELETE /ports/{id}/tags
  DELETE /ports/{id}/tags/{tag_id}
- Scope Types: project
Delete the port tags

shared_qos_policy
- Default: field:policies:shared=True
Rule of shared QoS policy

get_policy
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_qos_policy
- Operations:
  GET /qos/policies
  GET /qos/policies/{id}
- Scope Types: project
Get QoS policies

get_policy:tags
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_qos_policy
- Operations:
  GET /qos/policies/{id}/tags
  GET /qos/policies/{id}/tags/{tag_id}
- Scope Types: project
Get the QoS policy tags

create_policy
- Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
  POST /qos/policies
- Scope Types: project
Create a QoS policy

create_policy:tags
- Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
  POST /qos/policies/{id}/tags
- Scope Types: project
Create the QoS policy tags

update_policy
- Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
  PUT /qos/policies/{id}
- Scope Types: project
Update a QoS policy

update_policy:tags
- Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
  PUT /qos/policies/{id}/tags
  PUT /qos/policies/{id}/tags/{tag_id}
- Scope Types: project
Update the QoS policy tags

delete_policy
- Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
  DELETE /qos/policies/{id}
- Scope Types: project
Delete a QoS policy

delete_policy:tags
- Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
  DELETE /qos/policies/{id}/tags
  DELETE /qos/policies/{id}/tags/{tag_id}
- Scope Types: project
Delete the QoS policy tags

get_rule_type
- Default: role:reader
- Operations:
  GET /qos/rule-types
  GET /qos/rule-types/{rule_type}
- Scope Types: project
Get available QoS rule types

get_policy_bandwidth_limit_rule
- Default: (rule:admin_only) or (role:reader and rule:ext_parent_owner)
- Operations:
  GET /qos/policies/{policy_id}/bandwidth_limit_rules
  GET /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
- Scope Types: project
Get a QoS bandwidth limit rule

create_policy_bandwidth_limit_rule
- Default: (rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
  POST /qos/policies/{policy_id}/bandwidth_limit_rules
- Scope Types: project
Create a QoS bandwidth limit rule

update_policy_bandwidth_limit_rule
- Default: (rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
  PUT /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
- Scope Types: project
Update a QoS bandwidth limit rule

delete_policy_bandwidth_limit_rule
- Default: (rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
  DELETE /qos/policies/{policy_id}/bandwidth_limit_rules/{rule_id}
- Scope Types: project
Delete a QoS bandwidth limit rule

get_policy_packet_rate_limit_rule
- Default: (rule:admin_only) or (role:reader and rule:ext_parent_owner)
- Operations:
  GET /qos/policies/{policy_id}/packet_rate_limit_rules
  GET /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}
- Scope Types: project
Get a QoS packet rate limit rule

create_policy_packet_rate_limit_rule
- Default: (rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
  POST /qos/policies/{policy_id}/packet_rate_limit_rules
- Scope Types: project
Create a QoS packet rate limit rule

update_policy_packet_rate_limit_rule
- Default: (rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
  PUT /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}
- Scope Types: project
Update a QoS packet rate limit rule

delete_policy_packet_rate_limit_rule
- Default: (rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
  DELETE /qos/policies/{policy_id}/packet_rate_limit_rules/{rule_id}
- Scope Types: project
Delete a QoS packet rate limit rule

get_policy_dscp_marking_rule
- Default: (rule:admin_only) or (role:reader and rule:ext_parent_owner)
- Operations:
  GET /qos/policies/{policy_id}/dscp_marking_rules
  GET /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
- Scope Types: project
Get a QoS DSCP marking rule

create_policy_dscp_marking_rule
- Default: (rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
  POST /qos/policies/{policy_id}/dscp_marking_rules
- Scope Types: project
Create a QoS DSCP marking rule

update_policy_dscp_marking_rule
- Default: (rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
  PUT /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
- Scope Types: project
Update a QoS DSCP marking rule

delete_policy_dscp_marking_rule
- Default: (rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
  DELETE /qos/policies/{policy_id}/dscp_marking_rules/{rule_id}
- Scope Types: project
Delete a QoS DSCP marking rule

get_policy_minimum_bandwidth_rule
- Default: (rule:admin_only) or (role:reader and rule:ext_parent_owner)
- Operations:
  GET /qos/policies/{policy_id}/minimum_bandwidth_rules
  GET /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
- Scope Types: project
Get a QoS minimum bandwidth rule

create_policy_minimum_bandwidth_rule
- Default: (rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
  POST /qos/policies/{policy_id}/minimum_bandwidth_rules
- Scope Types: project
Create a QoS minimum bandwidth rule

update_policy_minimum_bandwidth_rule
- Default: (rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
  PUT /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
- Scope Types: project
Update a QoS minimum bandwidth rule

delete_policy_minimum_bandwidth_rule
- Default: (rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
  DELETE /qos/policies/{policy_id}/minimum_bandwidth_rules/{rule_id}
- Scope Types: project
Delete a QoS minimum bandwidth rule

get_policy_minimum_packet_rate_rule
- Default: (rule:admin_only) or (role:reader and rule:ext_parent_owner)
- Operations:
  GET /qos/policies/{policy_id}/minimum_packet_rate_rules
  GET /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
- Scope Types: project
Get a QoS minimum packet rate rule

create_policy_minimum_packet_rate_rule
- Default: (rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
  POST /qos/policies/{policy_id}/minimum_packet_rate_rules
- Scope Types: project
Create a QoS minimum packet rate rule

update_policy_minimum_packet_rate_rule
- Default: (rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
  PUT /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
- Scope Types: project
Update a QoS minimum packet rate rule

delete_policy_minimum_packet_rate_rule
- Default: (rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
  DELETE /qos/policies/{policy_id}/minimum_packet_rate_rules/{rule_id}
- Scope Types: project
Delete a QoS minimum packet rate rule
get_alias_bandwidth_limit_rule
- Default: (rule:admin_only) or (role:reader and rule:ext_parent_owner)
- Operations:
  GET /qos/alias_bandwidth_limit_rules/{rule_id}/
- Scope Types: project
Get a QoS bandwidth limit rule through alias
update_alias_bandwidth_limit_rule
- Default: (rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
  PUT /qos/alias_bandwidth_limit_rules/{rule_id}/
- Scope Types: project
Update a QoS bandwidth limit rule through alias
delete_alias_bandwidth_limit_rule
- Default: (rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
  DELETE /qos/alias_bandwidth_limit_rules/{rule_id}/
- Scope Types: project
Delete a QoS bandwidth limit rule through alias
get_alias_dscp_marking_rule
- Default: (rule:admin_only) or (role:reader and rule:ext_parent_owner)
- Operations:
  GET /qos/alias_dscp_marking_rules/{rule_id}/
- Scope Types: project
Get a QoS DSCP marking rule through alias
update_alias_dscp_marking_rule
- Default: (rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
  PUT /qos/alias_dscp_marking_rules/{rule_id}/
- Scope Types: project
Update a QoS DSCP marking rule through alias
delete_alias_dscp_marking_rule
- Default: (rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
  DELETE /qos/alias_dscp_marking_rules/{rule_id}/
- Scope Types: project
Delete a QoS DSCP marking rule through alias
get_alias_minimum_bandwidth_rule
- Default: (rule:admin_only) or (role:reader and rule:ext_parent_owner)
- Operations:
  GET /qos/alias_minimum_bandwidth_rules/{rule_id}/
- Scope Types: project
Get a QoS minimum bandwidth rule through alias
update_alias_minimum_bandwidth_rule
- Default: (rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
  PUT /qos/alias_minimum_bandwidth_rules/{rule_id}/
- Scope Types: project
Update a QoS minimum bandwidth rule through alias
delete_alias_minimum_bandwidth_rule
- Default: (rule:admin_only) or (role:manager and rule:ext_parent_owner)
- Operations:
  DELETE /qos/alias_minimum_bandwidth_rules/{rule_id}/
- Scope Types: project
Delete a QoS minimum bandwidth rule through alias
get_alias_minimum_packet_rate_rule
- Default: rule:get_policy_minimum_packet_rate_rule
- Operations:
  GET /qos/alias_minimum_packet_rate_rules/{rule_id}/
- Scope Types: project
Get a QoS minimum packet rate rule through alias
update_alias_minimum_packet_rate_rule
- Default: rule:update_policy_minimum_packet_rate_rule
- Operations:
  PUT /qos/alias_minimum_packet_rate_rules/{rule_id}/
- Scope Types: project
Update a QoS minimum packet rate rule through alias
delete_alias_minimum_packet_rate_rule
- Default: rule:delete_policy_minimum_packet_rate_rule
- Operations:
  DELETE /qos/alias_minimum_packet_rate_rules/{rule_id}/
- Scope Types: project
Delete a QoS minimum packet rate rule through alias
get_quota
- Default: (rule:admin_only) or (role:manager and project_id:%(project_id)s)
- Operations:
  GET /quota
  GET /quota/{id}
- Scope Types: project
Get a resource quota
update_quota
- Default: rule:admin_only
- Operations:
  PUT /quota/{id}
- Scope Types: project
Update a resource quota
delete_quota
- Default: rule:admin_only
- Operations:
  DELETE /quota/{id}
- Scope Types: project
Delete a resource quota
restrict_wildcard
- Default: (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*) or rule:admin_only
Definition of a wildcard target_project
create_rbac_policy
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /rbac-policies
- Scope Types: project
Create an RBAC policy
create_rbac_policy:target_tenant
- Default: rule:admin_only or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)
- Operations:
  POST /rbac-policies
- Scope Types: project
Specify target_tenant when creating an RBAC policy
create_rbac_policy:target_project
- Default: rule:admin_only or not field:rbac_policy:target_project=*
- Operations:
  POST /rbac-policies
- Scope Types: project
Specify target_project when creating an RBAC policy
update_rbac_policy
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /rbac-policies/{id}
- Scope Types: project
Update an RBAC policy
update_rbac_policy:target_tenant
- Default: rule:admin_only or (not field:rbac_policy:target_tenant=* and not field:rbac_policy:target_project=*)
- Operations:
  PUT /rbac-policies/{id}
- Scope Types: project
Update the target_tenant attribute of an RBAC policy
update_rbac_policy:target_project
- Default: rule:admin_only or not field:rbac_policy:target_project=*
- Operations:
  PUT /rbac-policies/{id}
- Scope Types: project
Update the target_project attribute of an RBAC policy
get_rbac_policy
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
  GET /rbac-policies
  GET /rbac-policies/{id}
- Scope Types: project
Get an RBAC policy
delete_rbac_policy
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  DELETE /rbac-policies/{id}
- Scope Types: project
Delete an RBAC policy
create_router
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /routers
- Scope Types: project
Create a router
create_router:distributed
- Default: rule:admin_only
- Operations:
  POST /routers
- Scope Types: project
Specify the distributed attribute when creating a router
create_router:ha
- Default: rule:admin_only
- Operations:
  POST /routers
- Scope Types: project
Specify the ha attribute when creating a router
create_router:external_gateway_info
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /routers
- Scope Types: project
Specify external_gateway_info information when creating a router
create_router:external_gateway_info:network_id
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /routers
- Scope Types: project
Specify network_id in external_gateway_info information when creating a router
create_router:external_gateway_info:enable_snat
- Default: rule:admin_only
- Operations:
  POST /routers
- Scope Types: project
Specify enable_snat in external_gateway_info information when creating a router
create_router:external_gateway_info:external_fixed_ips
- Default: rule:admin_only
- Operations:
  POST /routers
- Scope Types: project
Specify external_fixed_ips in external_gateway_info information when creating a router
create_router:enable_default_route_bfd
- Default: rule:admin_only
- Operations:
  POST /routers
- Scope Types: project
Specify the enable_default_route_bfd attribute when creating a router
create_router:enable_default_route_ecmp
- Default: rule:admin_only
- Operations:
  POST /routers
- Scope Types: project
Specify the enable_default_route_ecmp attribute when creating a router
create_router:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /routers/{id}/tags
- Scope Types: project
Create the router tags
get_router
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
  GET /routers
  GET /routers/{id}
- Scope Types: project
Get a router
get_router:distributed
- Default: rule:admin_only
- Operations:
  GET /routers
  GET /routers/{id}
- Scope Types: project
Get the distributed attribute of a router
get_router:ha
- Default: rule:admin_only
- Operations:
  GET /routers
  GET /routers/{id}
- Scope Types: project
Get the ha attribute of a router
get_router:tags
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
  GET /routers/{id}/tags
  GET /routers/{id}/tags/{tag_id}
- Scope Types: project
Get the router tags
update_router
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /routers/{id}
- Scope Types: project
Update a router
update_router:distributed
- Default: rule:admin_only
- Operations:
  PUT /routers/{id}
- Scope Types: project
Update the distributed attribute of a router
update_router:ha
- Default: rule:admin_only
- Operations:
  PUT /routers/{id}
- Scope Types: project
Update the ha attribute of a router
update_router:external_gateway_info
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /routers/{id}
- Scope Types: project
Update the external_gateway_info information of a router
update_router:external_gateway_info:network_id
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /routers/{id}
- Scope Types: project
Update the network_id attribute in the external_gateway_info information of a router
update_router:external_gateway_info:enable_snat
- Default: rule:admin_only
- Operations:
  PUT /routers/{id}
- Scope Types: project
Update the enable_snat attribute in the external_gateway_info information of a router
update_router:external_gateway_info:external_fixed_ips
- Default: rule:admin_only
- Operations:
  PUT /routers/{id}
- Scope Types: project
Update the external_fixed_ips attribute in the external_gateway_info information of a router
update_router:enable_default_route_bfd
- Default: rule:admin_only
- Operations:
  POST /routers
- Scope Types: project
Specify the enable_default_route_bfd attribute when updating a router
update_router:enable_default_route_ecmp
- Default: rule:admin_only
- Operations:
  POST /routers
- Scope Types: project
Specify the enable_default_route_ecmp attribute when updating a router
update_router:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /routers/{id}/tags
  PUT /routers/{id}/tags/{tag_id}
- Scope Types: project
Update the router tags
delete_router
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  DELETE /routers/{id}
- Scope Types: project
Delete a router
delete_router:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  DELETE /routers/{id}/tags
  DELETE /routers/{id}/tags/{tag_id}
- Scope Types: project
Delete the router tags
add_router_interface
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /routers/{id}/add_router_interface
- Scope Types: project
Add an interface to a router
remove_router_interface
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /routers/{id}/remove_router_interface
- Scope Types: project
Remove an interface from a router
add_extraroutes
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /routers/{id}/add_extraroutes
- Scope Types: project
Add extra routes to a router
remove_extraroutes
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /routers/{id}/remove_extraroutes
- Scope Types: project
Remove extra routes from a router
add_external_gateways
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /routers/{id}
- Scope Types: project
Add router external gateways
add_external_gateways:external_gateways
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /routers/{id}
- Scope Types: project
Add router external gateways
add_external_gateways:external_gateways:network_id
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /routers/{id}
- Scope Types: project
Add a router external gateway with a specified network ID
add_external_gateways:external_gateways:enable_snat
- Default: rule:admin_only
- Operations:
  PUT /routers/{id}
- Scope Types: project
Add a router external gateway with a specified SNAT flag
add_external_gateways:external_gateways:external_fixed_ips
- Default: rule:admin_only
- Operations:
  PUT /routers/{id}
- Scope Types: project
Add a router external gateway with specified fixed IPs
update_external_gateways
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /routers/{id}
- Scope Types: project
Update router external gateways
update_external_gateways:external_gateways
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /routers/{id}
- Scope Types: project
Update router external gateways
update_external_gateways:external_gateways:network_id
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /routers/{id}
- Scope Types: project
Update the network ID of a router external gateway
update_external_gateways:external_gateways:enable_snat
- Default: rule:admin_only
- Operations:
  PUT /routers/{id}
- Scope Types: project
Update the SNAT flag of a router external gateway
update_external_gateways:external_gateways:external_fixed_ips
- Default: rule:admin_only
- Operations:
  PUT /routers/{id}
- Scope Types: project
Update the fixed IPs of a router external gateway
remove_external_gateways
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /routers/{id}
- Scope Types: project
Remove router external gateways
remove_external_gateways:external_gateways
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /routers/{id}
- Scope Types: project
Remove router external gateways
admin_or_sg_owner
- Default: rule:context_is_admin or tenant_id:%(security_group:tenant_id)s
Rule for admin or security group owner access
admin_owner_or_sg_owner
- Default: rule:owner or rule:admin_or_sg_owner
Rule for resource owner, admin or security group owner access
shared_security_group
- Default: field:security_groups:shared=True
Definition of a shared security group
rule_default_sg
- Default: field:security_group_rules:belongs_to_default_sg=True
Definition of a security group rule that belongs to the project's default security group
create_security_group
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /security-groups
- Scope Types: project
Create a security group
create_security_group:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /security-groups/{id}/tags
- Scope Types: project
Create the security group tags
get_security_group
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_security_group
- Operations:
  GET /security-groups
  GET /security-groups/{id}
- Scope Types: project
Get a security group
get_security_group:tags
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_security_group
- Operations:
  GET /security-groups/{id}/tags
  GET /security-groups/{id}/tags/{tag_id}
- Scope Types: project
Get the security group tags
update_security_group
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /security-groups/{id}
- Scope Types: project
Update a security group
update_security_group:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /security-groups/{id}/tags
  PUT /security-groups/{id}/tags/{tag_id}
- Scope Types: project
Update the security group tags
delete_security_group
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  DELETE /security-groups/{id}
- Scope Types: project
Delete a security group
delete_security_group:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  DELETE /security-groups/{id}/tags
  DELETE /security-groups/{id}/tags/{tag_id}
- Scope Types: project
Delete the security group tags
create_security_group_rule
- Default: (rule:admin_only) or (role:member and rule:sg_owner)
- Operations:
  POST /security-group-rules
- Scope Types: project
Create a security group rule
get_security_group_rule
- Default: (rule:admin_only) or (role:reader and rule:sg_owner)
- Operations:
  GET /security-group-rules
  GET /security-group-rules/{id}
- Scope Types: project
Get a security group rule
delete_security_group_rule
- Default: (rule:admin_only) or (role:member and rule:sg_owner)
- Operations:
  DELETE /security-group-rules/{id}
- Scope Types: project
Delete a security group rule
create_segment
- Default: rule:admin_only
- Operations:
  POST /segments
- Scope Types: project
Create a segment
create_segments_tags
- Default: rule:admin_only
- Operations:
  POST /segments/{id}/tags
- Scope Types: project
Create the segment tags
get_segment
- Default: rule:admin_only
- Operations:
  GET /segments
  GET /segments/{id}
- Scope Types: project
Get a segment
get_segments_tags
- Default: rule:admin_only
- Operations:
  GET /segments/{id}/tags
  GET /segments/{id}/tags/{tag_id}
- Scope Types: project
Get the segment tags
update_segment
- Default: rule:admin_only
- Operations:
  PUT /segments/{id}
- Scope Types: project
Update a segment
update_segments_tags
- Default: rule:admin_only
- Operations:
  PUT /segments/{id}/tags
  PUT /segments/{id}/tags/{tag_id}
- Scope Types: project
Update the segment tags
delete_segment
- Default: rule:admin_only
- Operations:
  DELETE /segments/{id}
- Scope Types: project
Delete a segment
delete_segments_tags
- Default: rule:admin_only
- Operations:
  DELETE /segments/{id}/tags
  DELETE /segments/{id}/tags/{tag_id}
- Scope Types: project
Delete the segment tags
get_service_provider
- Default: role:reader
- Operations:
  GET /service-providers
- Scope Types: project
Get service providers
external_network
- Default: field:subnets:router:external=True
Definition of a subnet that belongs to an external network
create_subnet
- Default: (rule:admin_only) or (role:member and rule:network_owner)
- Operations:
  POST /subnets
- Scope Types: project
Create a subnet
create_subnet:segment_id
- Default: rule:admin_only
- Operations:
  POST /subnets
- Scope Types: project
Specify the segment_id attribute when creating a subnet
create_subnet:service_types
- Default: rule:admin_only
- Operations:
  POST /subnets
- Scope Types: project
Specify the service_types attribute when creating a subnet
create_subnet:tags
- Default: role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)
- Operations:
  POST /subnets/{id}/tags
- Scope Types: project
Create the subnet tags
get_subnet
- Default: role:reader and project_id:%(project_id)s or rule:shared or rule:external_network or (rule:admin_only) or (role:reader and rule:network_owner) or rule:service_api
- Operations:
  GET /subnets
  GET /subnets/{id}
- Scope Types: project
Get a subnet
get_subnet:segment_id
- Default: rule:admin_only
- Operations:
  GET /subnets
  GET /subnets/{id}
- Scope Types: project
Get the segment_id attribute of a subnet
get_subnet:tags
- Default: role:reader and project_id:%(project_id)s or rule:shared or rule:external_network or (rule:admin_only) or (role:reader and rule:network_owner)
- Operations:
  GET /subnets/{id}/tags
  GET /subnets/{id}/tags/{tag_id}
- Scope Types: project
Get the subnet tags
update_subnet
- Default: role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)
- Operations:
  PUT /subnets/{id}
- Scope Types: project
Update a subnet
update_subnet:segment_id
- Default: rule:admin_only
- Operations:
  PUT /subnets/{id}
- Scope Types: project
Update the segment_id attribute of a subnet
update_subnet:service_types
- Default: rule:admin_only
- Operations:
  PUT /subnets/{id}
- Scope Types: project
Update the service_types attribute of a subnet
update_subnet:tags
- Default: role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)
- Operations:
  PUT /subnets/{id}/tags
  PUT /subnets/{id}/tags/{tag_id}
- Scope Types: project
Update the subnet tags
delete_subnet
- Default: role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)
- Operations:
  DELETE /subnets/{id}
- Scope Types: project
Delete a subnet
delete_subnet:tags
- Default: role:member and project_id:%(project_id)s or (rule:admin_only) or (role:member and rule:network_owner)
- Operations:
  DELETE /subnets/{id}/tags
  DELETE /subnets/{id}/tags/{tag_id}
- Scope Types: project
Delete the subnet tags
shared_subnetpools
- Default: field:subnetpools:shared=True
Definition of a shared subnet pool
create_subnetpool
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /subnetpools
- Scope Types: project
Create a subnet pool
create_subnetpool:shared
- Default: rule:admin_only
- Operations:
  POST /subnetpools
- Scope Types: project
Create a shared subnet pool
create_subnetpool:is_default
- Default: rule:admin_only
- Operations:
  POST /subnetpools
- Scope Types: project
Specify the is_default attribute when creating a subnet pool
create_subnetpool:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /subnetpools/{id}/tags
- Scope Types: project
Create the subnet pool tags
get_subnetpool
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools
- Operations:
  GET /subnetpools
  GET /subnetpools/{id}
- Scope Types: project
Get a subnet pool
get_subnetpool:tags
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared_subnetpools
- Operations:
  GET /subnetpools/{id}/tags
  GET /subnetpools/{id}/tags/{tag_id}
- Scope Types: project
Get the subnet pool tags
update_subnetpool
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /subnetpools/{id}
- Scope Types: project
Update a subnet pool
update_subnetpool:is_default
- Default: rule:admin_only
- Operations:
  PUT /subnetpools/{id}
- Scope Types: project
Update the is_default attribute of a subnet pool
update_subnetpool:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /subnetpools/{id}/tags
  PUT /subnetpools/{id}/tags/{tag_id}
- Scope Types: project
Update the subnet pool tags
delete_subnetpool
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  DELETE /subnetpools/{id}
- Scope Types: project
Delete a subnet pool
delete_subnetpool:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  DELETE /subnetpools/{id}/tags
  DELETE /subnetpools/{id}/tags/{tag_id}
- Scope Types: project
Delete the subnet pool tags
onboard_network_subnets
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /subnetpools/{id}/onboard_network_subnets
- Scope Types: project
Onboard existing subnets into a subnet pool
add_prefixes
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /subnetpools/{id}/add_prefixes
- Scope Types: project
Add prefixes to a subnet pool
remove_prefixes
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /subnetpools/{id}/remove_prefixes
- Scope Types: project
Remove unallocated prefixes from a subnet pool
create_trunk
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /trunks
- Scope Types: project
Create a trunk
create_trunk:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  POST /trunks/{id}/tags
- Scope Types: project
Create the trunk tags
get_trunk
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
  GET /trunks
  GET /trunks/{id}
- Scope Types: project
Get a trunk
get_trunk:tags
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
  GET /trunks/{id}/tags
  GET /trunks/{id}/tags/{tag_id}
- Scope Types: project
Get the trunk tags
update_trunk
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /trunks/{id}
- Scope Types: project
Update a trunk
update_trunk:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /trunks/{id}/tags
  PUT /trunks/{id}/tags/{tag_id}
- Scope Types: project
Update the trunk tags
delete_trunk
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  DELETE /trunks/{id}
- Scope Types: project
Delete a trunk
delete_trunk:tags
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  DELETE /trunks/{id}/tags
  DELETE /trunks/{id}/tags/{tag_id}
- Scope Types: project
Delete a trunk
get_subports
- Default: (rule:admin_only) or (role:reader and project_id:%(project_id)s)
- Operations:
  GET /trunks/{id}/get_subports
- Scope Types: project
List subports attached to a trunk
add_subports
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /trunks/{id}/add_subports
- Scope Types: project
Add subports to a trunk
remove_subports
- Default: (rule:admin_only) or (role:member and project_id:%(project_id)s)
- Operations:
  PUT /trunks/{id}/remove_subports
- Scope Types: project
Delete subports from a trunk