Octavia Policies

Warning

JSON-formatted policy files have been deprecated since Octavia 8.0.0 (Wallaby). The oslopolicy-convert-json-to-yaml tool migrates an existing JSON-formatted policy file to YAML in a backward-compatible way.

Octavia Advanced Role Based Access Control (RBAC)

Octavia adopted the "Advanced Role Based Access Control (RBAC)" default policies in the Pike release of OpenStack. This provides a fine-grained default access control policy for the Octavia service.

Octavia Advanced RBAC goes beyond the OpenStack legacy RBAC policy of allowing "owners and admins" full access to all services. It also provides a more fine-grained RBAC policy than the newer Keystone default roles.

The default policy is to deny access unless the auth_strategy is 'noauth'.

Users must hold one of the following roles to access the load-balancer API:

role:load-balancer_observer

User has access to the load-balancer read-only APIs.

role:load-balancer_global_observer

User has access to the load-balancer read-only APIs, including resources owned by other users.

role:load-balancer_member

User has access to the load-balancer read and write APIs.

role:load-balancer_quota_admin

User is considered an admin for the quota APIs only.

role:load-balancer_admin

User is considered an admin for all load-balancer APIs, including resources owned by other users.

role:admin and system_scope:all

User is an admin for all service APIs, including Octavia.

Note

'is_admin:True' is a policy rule that takes the auth_strategy == noauth configuration setting into account. It is equivalent to 'rule:context_is_admin or {auth_strategy == noauth}', if that were valid syntax. In practice this means that with auth_strategy = noauth every request satisfies the admin rules, so that setting is only appropriate for isolated test deployments.

These roles are in addition to the Keystone default roles:

  • role:reader

  • role:member

In addition, the Octavia API supports Keystone scoped tokens. When enabled in Oslo Policy, users must present a token scoped to either "system" or a specific "project". See the Upgrade Considerations section for more information.

See the Managing Octavia User Roles section for examples and advice on how to apply these RBAC policies in production.

Legacy Admin or Owner Policy Override File

An alternate policy file, admin_or_owner-policy.yaml, is provided in the Octavia octavia/etc/policy directory. It removes the load-balancer RBAC role requirement. See the README.rst file in that directory for more information.

This removes the role requirement, allowing every user who has the "admin" role, or who is a member of the project that created a resource, to access that resource. All users can access the Octavia API to create and manage load balancers under their own project.

OpenStack Default Roles Policy Override File

An alternate policy file, keystone_default_roles-policy.yaml, is provided in the Octavia octavia/etc/policy directory. It removes the load-balancer RBAC role requirement. See the README.rst file in that directory for more information.

This policy honors the following Keystone default roles in the Octavia API:

  • Admin

  • Project scoped - Reader

  • Project scoped - Member

In addition, an alternate policy file that enables system scoped token checking, keystone_default_roles_scoped-policy.yaml, honors:

  • System scoped - Admin

  • System scoped - Reader

  • Project scoped - Reader

  • Project scoped - Member

Managing Octavia User Roles

User and group roles are managed through the Keystone (identity) project.

A role can be added to a user with the following command:

openstack role add --project <project name or id> --user <user name or id> <role>

An example in which the user "jane" is given the "load-balancer_member" role in the "engineering" project:

openstack role add --project engineering --user jane load-balancer_member

Keystone Group Roles

Roles can also be assigned to Keystone groups. This can greatly simplify user role management.

For example, your cloud may have a "users" group defined in Keystone whose members are all of the regular users of your cloud. If you want all of those users to have access to the load balancing service Octavia, add the "load-balancer_member" role to the "users" group:

openstack role add --domain default --group users load-balancer_member

Upgrade Considerations

Starting with the Wallaby release of Octavia, Keystone token scopes and default roles can be enforced. In the Wallaby release, Oslo Policy does not enforce these new roles and scopes by default. At some point in the future, however, they may become the default. You can enable them now to be ready for that later transition. This section describes those settings.

The Oslo Policy project defines two configuration settings (among others) that can be set in the Octavia configuration file to influence how policies are handled in the Octavia API. Those two settings are enforce_scope and enforce_new_defaults.

[oslo_policy] enforce_scope

Keystone introduced the concept of token scopes. Currently, Oslo Policy does not enforce scope validation of tokens by default, for backward-compatibility reasons.

The Octavia API supports enforcing Keystone token scopes as of the Wallaby release. If you are ready to start enforcing Keystone token scope in the Octavia API, add the following setting to your Octavia API configuration file:

[oslo_policy]
enforce_scope = True

Currently the primary effect of this setting is to allow a system scoped admin token to be used for administrative API calls to the Octavia API. It also allows system scoped reader tokens to have the equivalent of the load-balancer_global_observer role.

The Octavia API already enforces the project scope of Keystone tokens.

[oslo_policy] enforce_new_defaults

The Octavia Wallaby release added support for the Keystone default roles in the Octavia default policies. The previous Octavia Advanced RBAC policies are now deprecated in favor of new policies that require the Keystone default roles listed below. Currently, Oslo Policy uses the deprecated policies by default, which do not require the new Keystone default roles, for backward compatibility.

The Octavia API supports requiring these new Keystone default roles as of the Wallaby release. If you are ready to start requiring these roles, enable the new policies by adding the following setting to your Octavia API configuration file:

[oslo_policy]
enforce_new_defaults = True

When the new default policies are enabled in the Octavia API, users with the load-balancer_observer role also require the Keystone default role "role:reader", and users with the load-balancer_member role also require the Keystone default role "role:member". Verify that every existing load-balancer_observer and load-balancer_member assignment is paired with the corresponding Keystone default role before enabling this setting, or those users will be denied access.

Sample File Generation

To generate a sample policy.yaml file from the Octavia defaults, run the oslo policy generation script:

oslopolicy-sample-generator \
--config-file etc/policy/octavia-policy-generator.conf \
--output-file policy.yaml.sample

Merged File Generation

This outputs a policy file that includes all registered policy defaults together with all policies configured in a policy file. The result shows the effective policy in use by the project:

oslopolicy-policy-generator \
--config-file etc/policy/octavia-policy-generator.conf

This tool uses the output_file path from the config file.

List Redundant Configurations

This outputs a list of policy rules that are defined in a configuration file but do not differ from the registered default rule. Such rules can be removed from the policy file without changing the effective policy:

oslopolicy-list-redundant \
--config-file etc/policy/octavia-policy-generator.conf

Default Octavia Policies - API Effective Rules

This section lists the RBAC rules the Octavia API uses, followed by the roles that are allowed access under each rule.

Without enforce_scope and enforce_new_defaults:

  • load-balancer:read

    • load-balancer_admin

    • load-balancer_global_observer

    • load-balancer_member and <project member>

    • load-balancer_observer and <project member>

    • role:admin

  • load-balancer:read-global

    • load-balancer_admin

    • load-balancer_global_observer

    • role:admin

  • load-balancer:write

    • load-balancer_admin

    • load-balancer_member and <project member>

    • role:admin

  • load-balancer:read-quota

    • load-balancer_admin

    • load-balancer_global_observer

    • load-balancer_member and <project member>

    • load-balancer_observer and <project member>

    • load-balancer_quota_admin

    • role:admin

  • load-balancer:read-quota-global

    • load-balancer_admin

    • load-balancer_global_observer

    • load-balancer_quota_admin

    • role:admin

  • load-balancer:write-quota

    • load-balancer_admin

    • load-balancer_quota_admin

    • role:admin

With enforce_scope and enforce_new_defaults enabled:

  • load-balancer:read

    • load-balancer_admin

    • load-balancer_global_observer

    • load-balancer_member and <project member> and role:member

    • load-balancer_observer and <project member> and role:reader

    • role:admin and system_scope:all

    • role:reader and system_scope:all

  • load-balancer:read-global

    • load-balancer_admin

    • load-balancer_global_observer

    • role:admin and system_scope:all

    • role:reader and system_scope:all

  • load-balancer:write

    • load-balancer_admin

    • load-balancer_member and <project member> and role:member

    • role:admin and system_scope:all

  • load-balancer:read-quota

    • load-balancer_admin

    • load-balancer_global_observer

    • load-balancer_member and <project member> and role:member

    • load-balancer_observer and <project member> and role:reader

    • load-balancer_quota_admin

    • role:admin and system_scope:all

    • role:reader and system_scope:all

  • load-balancer:read-quota-global

    • load-balancer_admin

    • load-balancer_global_observer

    • load-balancer_quota_admin

    • role:admin and system_scope:all

    • role:reader and system_scope:all

  • load-balancer:write-quota

    • load-balancer_admin

    • load-balancer_quota_admin

    • role:admin and system_scope:all
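The role descriptions above, the enforce_new_defaults discussion under Upgrade Considerations and the two effective-rule tables all describe how oslo.policy resolves these rule strings against a request. The following Python is an added example written for this page, not Octavia or oslo.policy code: a small evaluator for the subset of the oslo.policy rule language the Octavia defaults use, loaded with the rule strings from the generated policy file at the end of this page (the current forms plus the DEPRECATED forms it lists). With enforce_new_defaults off, oslo.policy accepts either form of a deprecated rule; with it on, only the new form counts, so a user holding only the legacy load-balancer_member role is denied until she also holds the Keystone member role. Scope-type enforcement (enforce_scope) is not modelled, and the credential and load balancer dictionaries are constructed sample data.

```python
"""Trace how Octavia's default policy rules resolve for sample credentials.
Added illustration, not Octavia or oslo.policy code: it supports only the rule
syntax the defaults on this page use ('or', 'and', parentheses, 'rule:', 'role:',
'is_admin:True', 'project_id:%(project_id)s'); scope checking is not modelled."""

# Current defaults, copied from the generated policy file on this page.
NEW_DEFAULTS = {
    "load-balancer:read": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin",
    "load-balancer:write": "rule:load-balancer:member_and_owner or rule:load-balancer:admin",
    "project-member": "role:member and project_id:%(project_id)s",
    "project-reader": "role:reader and project_id:%(project_id)s",
    "load-balancer:admin": "is_admin:True or role:admin",
    "load-balancer:global_observer": "role:admin",
    "load-balancer:member_and_owner": "rule:project-member",
    "load-balancer:observer_and_owner": "rule:project-reader",
    "load-balancer:owner": "project_id:%(project_id)s",
    "os_load-balancer_api:loadbalancer:get_one": "rule:load-balancer:read",
    "os_load-balancer_api:loadbalancer:post": "rule:load-balancer:write",
}
# Pre-Wallaby "advanced RBAC" forms, from the DEPRECATED notes in that file.
DEPRECATED = {
    "load-balancer:admin": "is_admin:True or role:admin or role:load-balancer_admin",
    "load-balancer:global_observer": "role:load-balancer_global_observer",
    "load-balancer:member_and_owner": "role:load-balancer_member and rule:load-balancer:owner",
    "load-balancer:observer_and_owner": "role:load-balancer_observer and rule:load-balancer:owner",
}

def rule_set(enforce_new_defaults):
    # With enforce_new_defaults = False oslo.policy accepts a rule's new OR its
    # deprecated form, which is why the legacy load-balancer_* roles keep working.
    rules = dict(NEW_DEFAULTS)
    if not enforce_new_defaults:
        for name, old in DEPRECATED.items():
            rules[name] = "(%s) or (%s)" % (NEW_DEFAULTS[name], old)
    return rules

def _tokenize(rule):
    # Whitespace split, peeling '(' / ')' off each word's ends so that the
    # token 'project_id:%(project_id)s' stays whole.
    for word in rule.split():
        body, inner = word.lstrip("("), word.strip("()")
        yield from "(" * (len(word) - len(body))
        if inner:
            yield inner
        yield from ")" * (len(body) - len(inner))

def _parse(toks):
    # Recursive descent over the token list; 'and' binds tighter than 'or'.
    def atom():
        tok = toks.pop(0)
        if tok != "(":
            return ("check", tok)
        node = binary("or")
        if toks.pop(0) != ")":
            raise ValueError("unbalanced parentheses in rule")
        return node

    def binary(op):  # binary('or') -> binary('and') -> atom
        sub = (lambda: binary("and")) if op == "or" else atom
        node = sub()
        while toks and toks[0] == op:
            toks.pop(0)
            node = (op, node, sub())
        return node

    return binary("or")

def _check(tok, target, creds, rules):
    # One atomic check, mirroring oslo.policy's built-in check types.
    kind, _, value = tok.partition(":")
    if kind == "rule":      # reference to another named rule; unknown -> deny
        return value in rules and evaluate(rules[value], target, creds, rules)
    if kind == "role":      # case-insensitive role membership
        return value.lower() in {r.lower() for r in creds.get("roles", ())}
    if "%(" in value:       # generic check against the target, e.g. ownership
        try:
            return value % target == str(creds.get(kind))
        except KeyError:    # target lacks the attribute -> deny
            return False
    literal = {"True": True, "False": False}.get(value, value)  # e.g. is_admin:True
    return creds.get(kind) == literal

def evaluate(rule, target, creds, rules):
    def walk(node):  # short-circuits like oslo.policy's OrCheck / AndCheck
        if node[0] == "check":
            return _check(node[1], target, creds, rules)
        left = walk(node[1])
        return (left or walk(node[2])) if node[0] == "or" else (left and walk(node[2]))
    return bool(walk(_parse(list(_tokenize(rule)))))

def enforce(action, target, creds, enforce_new_defaults=True):
    """True if creds may perform the API action on target under the chosen mode."""
    rules = rule_set(enforce_new_defaults)
    return evaluate(rules[action], target, creds, rules)

if __name__ == "__main__":  # constructed sample: jane holds only the legacy role
    lb = {"project_id": "engineering"}
    jane = {"project_id": "engineering", "roles": ["load-balancer_member"]}
    for new in (False, True):
        allowed = enforce("os_load-balancer_api:loadbalancer:post", lb, jane, new)
        print("enforce_new_defaults=%-5s POST allowed: %s" % (new, allowed))
```

Run it directly to watch jane's POST flip from allowed to denied as enforce_new_defaults changes. The ownership check is what keeps a reader or member in another project from seeing the load balancer, and the is_admin:True literal is the path an auth_strategy = noauth context takes. In a deployment the equivalent check is oslo.policy's Enforcer, and the file produced by oslopolicy-policy-generator shows the merged rules it will actually use.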

Default Octavia Policies - Generated From the Octavia Code

# Intended scope(s): project
#"load-balancer:read": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:admin"

# Intended scope(s): project
#"load-balancer:read-global": "rule:load-balancer:global_observer or rule:load-balancer:admin"

# Intended scope(s): project
#"load-balancer:write": "rule:load-balancer:member_and_owner or rule:load-balancer:admin"

# Intended scope(s): project
#"load-balancer:read-quota": "rule:load-balancer:observer_and_owner or rule:load-balancer:global_observer or rule:load-balancer:member_and_owner or rule:load-balancer:quota-admin or rule:load-balancer:admin"

# Intended scope(s): project
#"load-balancer:read-quota-global": "rule:load-balancer:global_observer or rule:load-balancer:quota-admin or rule:load-balancer:admin"

# Intended scope(s): project
#"load-balancer:write-quota": "rule:load-balancer:quota-admin or rule:load-balancer:admin"

# Intended scope(s): project
#"project-member": "role:member and project_id:%(project_id)s"

# Intended scope(s): project
#"project-reader": "role:reader and project_id:%(project_id)s"

# Intended scope(s): project
#"context_is_admin": "role:admin"

# DEPRECATED
# "context_is_admin":"role:admin or role:load-balancer_admin" has been
# deprecated since W in favor of "context_is_admin":"role:admin".
# The Octavia API now requires the OpenStack default roles and scoped
# tokens. See
# https://docs.openstack.org/octavia/2025.2/configuration/policy.html
# and https://docs.openstack.org/keystone/2025.2/contributor/services.
# html#reusable-default-roles for more information.

# Intended scope(s): project
#"load-balancer:admin": "is_admin:True or role:admin"

# DEPRECATED
# "load-balancer:admin":"is_admin:True or role:admin or role:load-
# balancer_admin" has been deprecated since W in favor of "load-
# balancer:admin":"is_admin:True or role:admin".
# The Octavia API now requires the OpenStack default roles and scoped
# tokens. See
# https://docs.openstack.org/octavia/2025.2/configuration/policy.html
# and https://docs.openstack.org/keystone/2025.2/contributor/services.
# html#reusable-default-roles for more information.

# Intended scope(s): project
#"service": "role:service"

# Intended scope(s): project
#"load-balancer:global_observer": "role:admin"

# DEPRECATED
# "load-balancer:global_observer":"role:load-balancer_global_observer"
# has been deprecated since W in favor of "load-
# balancer:global_observer":"role:admin".
# The Octavia API now requires the OpenStack default roles and scoped
# tokens. See
# https://docs.openstack.org/octavia/2025.2/configuration/policy.html
# and https://docs.openstack.org/keystone/2025.2/contributor/services.
# html#reusable-default-roles for more information.

# Intended scope(s): project
#"load-balancer:member_and_owner": "rule:project-member"

# DEPRECATED
# "load-balancer:member_and_owner":"role:load-balancer_member and
# rule:load-balancer:owner" has been deprecated since W in favor of
# "load-balancer:member_and_owner":"rule:project-member".
# The Octavia API now requires the OpenStack default roles and scoped
# tokens. See
# https://docs.openstack.org/octavia/2025.2/configuration/policy.html
# and https://docs.openstack.org/keystone/2025.2/contributor/services.
# html#reusable-default-roles for more information.

# Intended scope(s): project
#"load-balancer:observer_and_owner": "rule:project-reader"

# DEPRECATED
# "load-balancer:observer_and_owner":"role:load-balancer_observer and
# rule:load-balancer:owner" has been deprecated since W in favor of
# "load-balancer:observer_and_owner":"rule:project-reader".
# The Octavia API now requires the OpenStack default roles and scoped
# tokens. See
# https://docs.openstack.org/octavia/2025.2/configuration/policy.html
# and https://docs.openstack.org/keystone/2025.2/contributor/services.
# html#reusable-default-roles for more information.

# Intended scope(s): project
#"load-balancer:quota-admin": "role:admin"

# DEPRECATED
# "load-balancer:quota-admin":"role:load-balancer_quota_admin" has
# been deprecated since W in favor of "load-balancer:quota-
# admin":"role:admin".
# The Octavia API now requires the OpenStack default roles and scoped
# tokens. See
# https://docs.openstack.org/octavia/2025.2/configuration/policy.html
# and https://docs.openstack.org/keystone/2025.2/contributor/services.
# html#reusable-default-roles for more information.

# Intended scope(s): project
#"load-balancer:owner": "project_id:%(project_id)s"

# List Flavors
# GET  /v2.0/lbaas/flavors
#"os_load-balancer_api:flavor:get_all": "rule:load-balancer:read"

# Create a Flavor
# POST  /v2.0/lbaas/flavors
#"os_load-balancer_api:flavor:post": "rule:load-balancer:admin"

# Update a Flavor
# PUT  /v2.0/lbaas/flavors/{flavor_id}
#"os_load-balancer_api:flavor:put": "rule:load-balancer:admin"

# Show Flavor details
# GET  /v2.0/lbaas/flavors/{flavor_id}
#"os_load-balancer_api:flavor:get_one": "rule:load-balancer:read"

# Remove a Flavor
# DELETE  /v2.0/lbaas/flavors/{flavor_id}
#"os_load-balancer_api:flavor:delete": "rule:load-balancer:admin"

# List Flavor Profiles
# GET  /v2.0/lbaas/flavorprofiles
#"os_load-balancer_api:flavor-profile:get_all": "rule:load-balancer:admin"

# Create a Flavor Profile
# POST  /v2.0/lbaas/flavorprofiles
#"os_load-balancer_api:flavor-profile:post": "rule:load-balancer:admin"

# Update a Flavor Profile
# PUT  /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
#"os_load-balancer_api:flavor-profile:put": "rule:load-balancer:admin"

# Show Flavor Profile details
# GET  /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
#"os_load-balancer_api:flavor-profile:get_one": "rule:load-balancer:admin"

# Remove a Flavor Profile
# DELETE  /v2.0/lbaas/flavorprofiles/{flavor_profile_id}
#"os_load-balancer_api:flavor-profile:delete": "rule:load-balancer:admin"

# List Availability Zones
# GET  /v2.0/lbaas/availabilityzones
#"os_load-balancer_api:availability-zone:get_all": "rule:load-balancer:read"

# Create an Availability Zone
# POST  /v2.0/lbaas/availabilityzones
#"os_load-balancer_api:availability-zone:post": "rule:load-balancer:admin"

# Update an Availability Zone
# PUT  /v2.0/lbaas/availabilityzones/{availability_zone_id}
#"os_load-balancer_api:availability-zone:put": "rule:load-balancer:admin"

# Show Availability Zone details
# GET  /v2.0/lbaas/availabilityzones/{availability_zone_id}
#"os_load-balancer_api:availability-zone:get_one": "rule:load-balancer:read"

# Remove an Availability Zone
# DELETE  /v2.0/lbaas/availabilityzones/{availability_zone_id}
#"os_load-balancer_api:availability-zone:delete": "rule:load-balancer:admin"

# List Availability Zone Profiles
# GET  /v2.0/lbaas/availabilityzoneprofiles
#"os_load-balancer_api:availability-zone-profile:get_all": "rule:load-balancer:admin"

# Create an Availability Zone Profile
# POST  /v2.0/lbaas/availabilityzoneprofiles
#"os_load-balancer_api:availability-zone-profile:post": "rule:load-balancer:admin"

# Update an Availability Zone Profile
# PUT  /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
#"os_load-balancer_api:availability-zone-profile:put": "rule:load-balancer:admin"

# Show Availability Zone Profile details
# GET  /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
#"os_load-balancer_api:availability-zone-profile:get_one": "rule:load-balancer:admin"

# Remove an Availability Zone Profile
# DELETE  /v2.0/lbaas/availabilityzoneprofiles/{availability_zone_profile_id}
#"os_load-balancer_api:availability-zone-profile:delete": "rule:load-balancer:admin"

# List Health Monitors of a Pool
# GET  /v2/lbaas/healthmonitors
#"os_load-balancer_api:healthmonitor:get_all": "rule:load-balancer:read"

# List Health Monitors including resources owned by others
# GET  /v2/lbaas/healthmonitors
#"os_load-balancer_api:healthmonitor:get_all-global": "rule:load-balancer:read-global"

# Create a Health Monitor
# POST  /v2/lbaas/healthmonitors
#"os_load-balancer_api:healthmonitor:post": "rule:load-balancer:write"

# Show Health Monitor details
# GET  /v2/lbaas/healthmonitors/{healthmonitor_id}
#"os_load-balancer_api:healthmonitor:get_one": "rule:load-balancer:read"

# Update a Health Monitor
# PUT  /v2/lbaas/healthmonitors/{healthmonitor_id}
#"os_load-balancer_api:healthmonitor:put": "rule:load-balancer:write"

# Remove a Health Monitor
# DELETE  /v2/lbaas/healthmonitors/{healthmonitor_id}
#"os_load-balancer_api:healthmonitor:delete": "rule:load-balancer:write"

# List L7 Policies
# GET  /v2/lbaas/l7policies
#"os_load-balancer_api:l7policy:get_all": "rule:load-balancer:read"

# List L7 Policies including resources owned by others
# GET  /v2/lbaas/l7policies
#"os_load-balancer_api:l7policy:get_all-global": "rule:load-balancer:read-global"

# Create a L7 Policy
# POST  /v2/lbaas/l7policies
#"os_load-balancer_api:l7policy:post": "rule:load-balancer:write"

# Show L7 Policy details
# GET  /v2/lbaas/l7policies/{l7policy_id}
#"os_load-balancer_api:l7policy:get_one": "rule:load-balancer:read"

# Update a L7 Policy
# PUT  /v2/lbaas/l7policies/{l7policy_id}
#"os_load-balancer_api:l7policy:put": "rule:load-balancer:write"

# Remove a L7 Policy
# DELETE  /v2/lbaas/l7policies/{l7policy_id}
#"os_load-balancer_api:l7policy:delete": "rule:load-balancer:write"

# List L7 Rules
# GET  /v2/lbaas/l7policies/{l7policy_id}/rules
#"os_load-balancer_api:l7rule:get_all": "rule:load-balancer:read"

# Create a L7 Rule
# POST  /v2/lbaas/l7policies/{l7policy_id}/rules
#"os_load-balancer_api:l7rule:post": "rule:load-balancer:write"

# Show L7 Rule details
# GET  /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
#"os_load-balancer_api:l7rule:get_one": "rule:load-balancer:read"

# Update a L7 Rule
# PUT  /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
#"os_load-balancer_api:l7rule:put": "rule:load-balancer:write"

# Remove a L7 Rule
# DELETE  /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id}
#"os_load-balancer_api:l7rule:delete": "rule:load-balancer:write"

# List Listeners
# GET  /v2/lbaas/listeners
#"os_load-balancer_api:listener:get_all": "rule:load-balancer:read"

# List Listeners including resources owned by others
# GET  /v2/lbaas/listeners
#"os_load-balancer_api:listener:get_all-global": "rule:load-balancer:read-global"

# Create a Listener
# POST  /v2/lbaas/listeners
#"os_load-balancer_api:listener:post": "rule:load-balancer:write"

# Show Listener details
# GET  /v2/lbaas/listeners/{listener_id}
#"os_load-balancer_api:listener:get_one": "rule:load-balancer:read"

# Update a Listener
# PUT  /v2/lbaas/listeners/{listener_id}
#"os_load-balancer_api:listener:put": "rule:load-balancer:write"

# Remove a Listener
# DELETE  /v2/lbaas/listeners/{listener_id}
#"os_load-balancer_api:listener:delete": "rule:load-balancer:write"

# Show Listener statistics
# GET  /v2/lbaas/listeners/{listener_id}/stats
#"os_load-balancer_api:listener:get_stats": "rule:load-balancer:read"

# List Load Balancers
# GET  /v2/lbaas/loadbalancers
#"os_load-balancer_api:loadbalancer:get_all": "rule:load-balancer:read"

# List Load Balancers including resources owned by others
# GET  /v2/lbaas/loadbalancers
#"os_load-balancer_api:loadbalancer:get_all-global": "rule:load-balancer:read-global"

# Create a Load Balancer
# POST  /v2/lbaas/loadbalancers
#"os_load-balancer_api:loadbalancer:post": "rule:load-balancer:write"

# Create a Load Balancer with VIP Security Groups
# POST  /v2/lbaas/loadbalancers
#"os_load-balancer_api:loadbalancer:post:vip_sg_ids": "rule:load-balancer:write"

# Show Load Balancer details
# GET  /v2/lbaas/loadbalancers/{loadbalancer_id}
#"os_load-balancer_api:loadbalancer:get_one": "rule:load-balancer:read"

# Update a Load Balancer
# PUT  /v2/lbaas/loadbalancers/{loadbalancer_id}
#"os_load-balancer_api:loadbalancer:put": "rule:load-balancer:write"

# Update the VIP Security Groups of a Load Balancer
# PUT  /v2/lbaas/loadbalancers/{loadbalancer_id}
#"os_load-balancer_api:loadbalancer:put:vip_sg_ids": "rule:load-balancer:write"

# Remove a Load Balancer
# DELETE  /v2/lbaas/loadbalancers/{loadbalancer_id}
#"os_load-balancer_api:loadbalancer:delete": "rule:load-balancer:write"

# Show Load Balancer statistics
# GET  /v2/lbaas/loadbalancers/{loadbalancer_id}/stats
#"os_load-balancer_api:loadbalancer:get_stats": "rule:load-balancer:read"

# Show Load Balancer status
# GET  /v2/lbaas/loadbalancers/{loadbalancer_id}/status
#"os_load-balancer_api:loadbalancer:get_status": "rule:load-balancer:read"

# Failover a Load Balancer
# PUT  /v2/lbaas/loadbalancers/{loadbalancer_id}/failover
#"os_load-balancer_api:loadbalancer:put_failover": "rule:load-balancer:admin"

# List Members of a Pool
# GET  /v2/lbaas/pools/{pool_id}/members
#"os_load-balancer_api:member:get_all": "rule:load-balancer:read or rule:service"

# Create a Member
# POST  /v2/lbaas/pools/{pool_id}/members
#"os_load-balancer_api:member:post": "rule:load-balancer:write"

# Show Member details
# GET  /v2/lbaas/pools/{pool_id}/members/{member_id}
#"os_load-balancer_api:member:get_one": "rule:load-balancer:read"

# Update a Member
# PUT  /v2/lbaas/pools/{pool_id}/members/{member_id}
#"os_load-balancer_api:member:put": "rule:load-balancer:write"

# Remove a Member
# DELETE  /v2/lbaas/pools/{pool_id}/members/{member_id}
#"os_load-balancer_api:member:delete": "rule:load-balancer:write"

# List Pools
# GET  /v2/lbaas/pools
#"os_load-balancer_api:pool:get_all": "rule:load-balancer:read"

# List Pools including resources owned by others
# GET  /v2/lbaas/pools
#"os_load-balancer_api:pool:get_all-global": "rule:load-balancer:read-global"

# Create a Pool
# POST  /v2/lbaas/pools
#"os_load-balancer_api:pool:post": "rule:load-balancer:write"

# Show Pool details
# GET  /v2/lbaas/pools/{pool_id}
#"os_load-balancer_api:pool:get_one": "rule:load-balancer:read"

# Update a Pool
# PUT  /v2/lbaas/pools/{pool_id}
#"os_load-balancer_api:pool:put": "rule:load-balancer:write"

# Remove a Pool
# DELETE  /v2/lbaas/pools/{pool_id}
#"os_load-balancer_api:pool:delete": "rule:load-balancer:write"

# List enabled providers
# GET  /v2/lbaas/providers
#"os_load-balancer_api:provider:get_all": "rule:load-balancer:read"

# List Quotas
# GET  /v2/lbaas/quotas
#"os_load-balancer_api:quota:get_all": "rule:load-balancer:read-quota"

# List Quotas including resources owned by others
# GET  /v2/lbaas/quotas
#"os_load-balancer_api:quota:get_all-global": "rule:load-balancer:read-quota-global"

# Show Quota details
# GET  /v2/lbaas/quotas/{project_id}
#"os_load-balancer_api:quota:get_one": "rule:load-balancer:read-quota"

# Update a Quota
# PUT  /v2/lbaas/quotas/{project_id}
#"os_load-balancer_api:quota:put": "rule:load-balancer:write-quota"

# Reset a Quota
# DELETE  /v2/lbaas/quotas/{project_id}
#"os_load-balancer_api:quota:delete": "rule:load-balancer:write-quota"

# Show Default Quota for a Project
# GET  /v2/lbaas/quotas/{project_id}/default
#"os_load-balancer_api:quota:get_defaults": "rule:load-balancer:read-quota"

# List Amphorae
# GET  /v2/octavia/amphorae
#"os_load-balancer_api:amphora:get_all": "rule:load-balancer:admin"

# Show Amphora details
# GET  /v2/octavia/amphorae/{amphora_id}
#"os_load-balancer_api:amphora:get_one": "rule:load-balancer:admin"

# Delete an Amphora
# DELETE  /v2/octavia/amphorae/{amphora_id}
#"os_load-balancer_api:amphora:delete": "rule:load-balancer:admin"

# Update Amphora Agent Configuration
# PUT  /v2/octavia/amphorae/{amphora_id}/config
#"os_load-balancer_api:amphora:put_config": "rule:load-balancer:admin"

# Failover Amphora
# PUT  /v2/octavia/amphorae/{amphora_id}/failover
#"os_load-balancer_api:amphora:put_failover": "rule:load-balancer:admin"

# Show Amphora statistics
# GET  /v2/octavia/amphorae/{amphora_id}/stats
#"os_load-balancer_api:amphora:get_stats": "rule:load-balancer:admin"

# List the provider flavor capabilities.
# GET  /v2/lbaas/providers/{provider}/flavor_capabilities
#"os_load-balancer_api:provider-flavor:get_all": "rule:load-balancer:admin"

# List the provider availability zone capabilities.
# GET  /v2/lbaas/providers/{provider}/availability_zone_capabilities
#"os_load-balancer_api:provider-availability-zone:get_all": "rule:load-balancer:admin"