Cyborg Policies
The following is an overview of all available policies in Cyborg.
Warning
The JSON-formatted policy file has been deprecated since Cyborg (Victoria). Use a YAML-formatted file instead. Use the oslopolicy-convert-json-to-yaml tool to convert an existing JSON policy file to a YAML policy file in a backward-compatible way.
For a sample configuration file, refer to Cyborg Sample Policy.
cyborg.api
system_admin_api
- Default:
role:admin and system_scope:all
Default rule for System Admin APIs.
system_reader_api
- Default:
role:reader and system_scope:all
Default rule for System level read only APIs.
project_admin_api
- Default:
role:admin and project_id:%(project_id)s
Default rule for Project level admin APIs.
project_member_api
- Default:
role:member and project_id:%(project_id)s
Default rule for Project level non admin APIs.
project_reader_api
- Default:
role:reader and project_id:%(project_id)s
Default rule for Project level read only APIs.
system_admin_or_owner
- Default:
rule:system_admin_api or rule:project_member_api
Default rule for system_admin+owner APIs.
system_or_project_reader
- Default:
rule:system_reader_api or rule:project_reader_api
Default rule for System+Project read only APIs.
public_api
- Default:
is_public_api:True
Legacy rule: internal flag for public API routes
allow
- Default:
@
Legacy rule: any access is allowed
deny
- Default:
!
Legacy rule: all access is forbidden
default
- Default:
rule:admin_or_owner
Legacy rule for default rule
admin_api
- Default:
role:admin or role:administrator
Legacy rule for cloud admin access
is_admin
- Default:
rule:admin_api
Full read/write API access
admin_or_owner
- Default:
is_admin:True or project_id:%(project_id)s
Admin or owner API access
admin_or_user
- Default:
is_admin:True or user_id:%(user_id)s
Admin or user API access
cyborg:device_profile:get_all
- Default:
rule:system_or_project_reader
- Operations:
GET
/v2/device_profiles
- Scope Types:
system
project
Retrieve all device_profiles
cyborg:device_profile:get_one
- Default:
rule:system_or_project_reader
- Operations:
GET
/v2/device_profiles/{device_profiles_uuid}
- Scope Types:
system
project
Retrieve a specific device_profile
cyborg:device_profile:create
- Default:
rule:system_admin_api
- Operations:
POST
/v2/device_profiles
- Scope Types:
system
Create a device_profile
cyborg:device_profile:delete
- Default:
rule:system_admin_api
- Operations:
DELETE
/v2/device_profiles/{device_profiles_uuid}
DELETE
/v2/device_profiles?value={device_profile_name1}
- Scope Types:
system
Delete device_profile(s)
cyborg:device:get_one
- Default:
rule:allow
Show device detail
cyborg:device:get_all
- Default:
rule:allow
Retrieve all device records
cyborg:device:disable
- Default:
rule:admin_api
Disable a device
cyborg:device:enable
- Default:
rule:admin_api
Enable a device
cyborg:deployable:get_one
- Default:
rule:allow
Show deployable detail
cyborg:deployable:get_all
- Default:
rule:allow
Retrieve all deployable records
cyborg:deployable:program
- Default:
rule:allow
FPGA programming.
cyborg:attribute:get_one
- Default:
rule:allow
Show attribute detail
cyborg:attribute:get_all
- Default:
rule:allow
Retrieve all attribute records
cyborg:attribute:create
- Default:
rule:allow
Create an attribute record
cyborg:attribute:delete
- Default:
rule:allow
Delete attribute records.
cyborg:arq:get_all
- Default:
rule:default
Retrieve accelerator request records.
cyborg:arq:get_one
- Default:
rule:default
Get an accelerator request record.
cyborg:arq:create
- Default:
rule:allow
Create accelerator request records.
cyborg:arq:delete
- Default:
rule:default
Delete accelerator request records.
cyborg:arq:update
- Default:
rule:default
Update accelerator request records.
cyborg:fpga:get_one
- Default:
rule:allow
Show fpga detail
cyborg:fpga:get_all
- Default:
rule:allow
Retrieve all fpga records
cyborg:fpga:update
- Default:
rule:allow
Update fpga records
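Several defaults above point at rule:allow, which is `@` and passes the policy check for every caller. The following audit sketch is an added example, not Cyborg or oslo.policy code: it follows rule: references through a subset of the defaults listed on this page and reports the API policies that reduce to `@`. The function names are hypothetical, and the resolver is a simplified stand-in for oslo.policy's parser.

```python
# Added audit example; not part of Cyborg or oslo.policy.
# DEFAULTS is a subset of the defaults listed on this page, copied verbatim.
DEFAULTS = {
    "allow": "@",
    "admin_api": "role:admin or role:administrator",
    "is_admin": "rule:admin_api",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
    "system_admin_api": "role:admin and system_scope:all",
    "system_reader_api": "role:reader and system_scope:all",
    "project_reader_api": "role:reader and project_id:%(project_id)s",
    "system_or_project_reader": "rule:system_reader_api or rule:project_reader_api",
    "cyborg:device_profile:get_all": "rule:system_or_project_reader",
    "cyborg:device_profile:create": "rule:system_admin_api",
    "cyborg:device:disable": "rule:admin_api",
    "cyborg:deployable:program": "rule:allow",
    "cyborg:attribute:delete": "rule:allow",
    "cyborg:arq:create": "rule:allow",
    "cyborg:arq:delete": "rule:default",
    "cyborg:fpga:update": "rule:allow",
}


def always_passes(name, rules, seen=()):
    """True if rule `name` reduces to '@', i.e. no credential is checked."""
    # Assumption: only paren-free 'and'/'or' expressions, as used on this page.
    if name in seen or name not in rules:  # cycle or undefined rule: not provably open
        return False
    def term_open(term):
        term = term.strip()
        if term == "@":
            return True
        if term.startswith("rule:"):
            return always_passes(term[5:], rules, seen + (name,))
        return False  # role:, project_id:, system_scope:, '!' all restrict access
    return any(all(term_open(t) for t in branch.split(" and "))
               for branch in rules[name].split(" or "))


def unrestricted_policies(rules):
    """API policies (cyborg:*) whose default passes the check for any caller."""
    return sorted(n for n in rules if n.startswith("cyborg:") and always_passes(n, rules))


if __name__ == "__main__":
    for policy in unrestricted_policies(DEFAULTS):
        print("open by default:", policy)
```

To audit a deployment, load the effective rules (defaults merged with the operator's YAML policy file) into the same dictionary shape before calling unrestricted_policies.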