
Found some typos after the change was merged; fix them. TrivialFix Change-Id: I3eb0a6f65a8dd544034bb268e8f7f2ec0d9c46d8
Neutron API policies and supported roles
As part of the Consistent and Secure Default RBAC community goal [1], Neutron implemented support for various scopes and personas in all of the API policies defined in the Neutron code.
Roles supported by the default Neutron API policies
Roles supported by the default Neutron API policies are:
- PROJECT_READER - this role is intended to have read-only access to project-owned resources.
- PROJECT_MEMBER - this role inherits all of the privileges of the PROJECT_READER role and can additionally create, update and delete project-owned resources.
- PROJECT_MANAGER - this role inherits all of the privileges of the PROJECT_MEMBER role and is additionally allowed to perform more operations on project-owned resources.
- ADMIN - this role is the same as in the "old" default policies. A user granted the ADMIN role is allowed to perform almost every possible modification on all resources, including those that belong to other projects.
- SERVICE - this is a special role designed for service-to-service communication only, for example between Nova and Neutron. It does not inherit any privileges from the roles listed above.
Default API policies defined in Neutron
By default, all of the existing API policies can be used with project-scoped tokens only. Tokens with any other scope, such as system scope, are not supported by any of the policies defined in the Neutron code. Note that the SERVICE role listed above is a role, not a token scope: a service user is still expected to present a project-scoped token.
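The following is an added illustration, written for this page and not taken from Neutron or oslo.policy, of how the role hierarchy in the list above and the project-scope-only rule compose when a request is checked. The check strings follow the oslo.policy syntax that Neutron's policies use ("role:member and project_id:%(project_id)s"), but every rule and action name in the table (admin_only, project_reader, get_port, ...) is an assumption chosen for the example rather than Neutron's real policy names, and the evaluator handles only the subset of the syntax it needs.

```python
"""Toy model of Neutron-style default RBAC checks.

Written as an illustration for this page; not Neutron or oslo.policy code.
Rule names below are assumptions for the example, not Neutron's policy names.
"""
from dataclasses import dataclass
from typing import Optional

# Hierarchy from the roles list: member implies reader, manager implies
# member. ADMIN and SERVICE stand alone (SERVICE inherits nothing).
IMPLIED_ROLES = {
    "member": {"reader"},
    "manager": {"member", "reader"},
}

# oslo.policy-style check strings (assumed names). The term
# "project_id:%(project_id)s" compares the token's project with the
# project_id of the target resource.
ASSUMED_RULES = {
    "admin_only": "role:admin",
    "service_api": "role:service",
    "project_reader": "role:reader and project_id:%(project_id)s",
    "project_member": "role:member and project_id:%(project_id)s",
    "project_manager": "role:manager and project_id:%(project_id)s",
    # Example API actions, names assumed for illustration.
    "get_port": "rule:admin_only or rule:project_reader",
    "create_port": "rule:admin_only or rule:project_member",
    "update_port:binding:host_id": "rule:admin_only or rule:service_api",
}


@dataclass
class Token:
    roles: set
    # None models a token that is not project-scoped (e.g. system scope).
    project_id: Optional[str] = None

    def effective_roles(self):
        eff = set(self.roles)
        for role in self.roles:
            eff |= IMPLIED_ROLES.get(role, set())
        return eff


def _check_term(term, token, target):
    kind, _, value = term.partition(":")
    if kind == "rule":
        return _evaluate(ASSUMED_RULES[value], token, target)
    if kind == "role":
        return value in token.effective_roles()
    if kind == "project_id":
        # Project-scoped tokens only: a token without a project never matches,
        # and a target without a project_id cannot be owned by the caller.
        if token.project_id is None:
            return False
        try:
            return token.project_id == value % target
        except KeyError:
            return False
    raise ValueError(f"unsupported check: {term}")


def _evaluate(check, token, target):
    # 'or' binds looser than 'and', as in oslo.policy.
    return any(
        all(_check_term(t.strip(), token, target) for t in clause.split(" and "))
        for clause in check.split(" or ")
    )


def enforce(action, token, target):
    """Return True if the token may perform action on the target resource."""
    return _evaluate(ASSUMED_RULES[action], token, target)


if __name__ == "__main__":
    port = {"project_id": "p1"}  # constructed sample target
    member = Token({"member"}, "p1")
    svc = Token({"service"}, "services")
    print(enforce("get_port", member, port), enforce("create_port", svc, port))
```

The two security-relevant behaviours to notice are the `project_id` term, which makes every project rule fail for a token that carries no project (so only project-scoped tokens ever pass), and the fact that `service` sits outside `IMPLIED_ROLES`, so a service token that is allowed an operator-only action like the host binding update still cannot create a project's ports.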
Default API policies
Default API policies defined in the Neutron code can be found in the Policy Reference document.