Policy Documentation

The following is an overview of all available policies in Designate. For a sample configuration file, refer to policy.yaml.
designate

admin
    Default: role:admin or is_admin:True
    (no description provided)

primary_zone
    Default: target.zone_type:SECONDARY
    (no description provided)

owner
    Default: tenant:%(tenant_id)s
    (no description provided)

admin_or_owner
    Default: rule:admin or rule:owner
    (no description provided)

default
    Default: rule:admin_or_owner
    (no description provided)
    Note: oslo.policy falls back to this rule for any policy name that has no entry of its own, so an unregistered name is evaluated as admin_or_owner rather than denied.

target
    Default: tenant:%(target_tenant_id)s
    (no description provided)

owner_or_target
    Default: rule:target or rule:owner
    (no description provided)

admin_or_owner_or_target
    Default: rule:owner_or_target or rule:admin
    (no description provided)

admin_or_target
    Default: rule:admin or rule:target
    (no description provided)

zone_primary_or_admin
    Default: ('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)
    (no description provided)
    Note: the zone owner passes this rule only for PRIMARY zones. For SECONDARY zones the check is is_admin:True on the caller's credentials, not role:admin.
create_blacklist
    Default: rule:admin
    Operations: POST /v2/blacklists
    Create blacklist.

find_blacklist
    Default: rule:admin
    Operations: GET /v2/blacklists
    Find blacklist.

find_blacklists
    Default: rule:admin
    Operations: GET /v2/blacklists
    Find blacklists.

get_blacklist
    Default: rule:admin
    Operations: GET /v2/blacklists/{blacklist_id}
    Get blacklist.

update_blacklist
    Default: rule:admin
    Operations: PATCH /v2/blacklists/{blacklist_id}
    Update blacklist.

delete_blacklist
    Default: rule:admin
    Operations: DELETE /v2/blacklists/{blacklist_id}
    Delete blacklist.

use_blacklisted_zone
    Default: rule:admin
    Operations: POST /v2/zones
    Allows bypassing the blacklist when creating a zone.
all_tenants
    Default: rule:admin
    Action on all tenants.

edit_managed_records
    Default: rule:admin
    Edit managed records.

use_low_ttl
    Default: rule:admin
    Use low TTL.

use_sudo
    Default: rule:admin
    Accept sudo from user to tenant.

diagnostics_ping
    Default: rule:admin
    Diagnose ping.

diagnostics_sync_zones
    Default: rule:admin
    Diagnose sync zones.

diagnostics_sync_zone
    Default: rule:admin
    Diagnose sync zone.

diagnostics_sync_record
    Default: rule:admin
    Diagnose sync record.
create_pool
    Default: rule:admin
    Create pool.

find_pools
    Default: rule:admin
    Operations: GET /v2/pools
    Find pools.

find_pool
    Default: rule:admin
    Operations: GET /v2/pools
    Find pool.

get_pool
    Default: rule:admin
    Operations: GET /v2/pools/{pool_id}
    Get pool.

update_pool
    Default: rule:admin
    Update pool.

delete_pool
    Default: rule:admin
    Delete pool.

zone_create_forced_pool
    Default: rule:admin
    Operations: POST /v2/zones
    Load and set the pool to the one provided in the zone attributes.
get_quotas
    Default: rule:admin_or_owner
    Operations: GET /v2/quotas
    View the current project's quotas.

get_quota
    Default: rule:admin_or_owner
    (no description provided)

set_quota
    Default: rule:admin
    Operations: PATCH /v2/quotas/{project_id}
    Set quotas.

reset_quotas
    Default: rule:admin
    Operations: DELETE /v2/quotas/{project_id}
    Reset quotas.
find_records
    Default: rule:admin_or_owner
    Operations:
        GET /v2/reverse/floatingips/{region}:{floatingip_id}
        GET /v2/reverse/floatingips
    Find records.

count_records
    Default: rule:admin_or_owner
    (no description provided)

create_recordset
    Default: ('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)
    Operations:
        POST /v2/zones/{zone_id}/recordsets
        PATCH /v2/reverse/floatingips/{region}:{floatingip_id}
    Create recordset.

get_recordsets
    Default: rule:admin_or_owner
    (no description provided)

get_recordset
    Default: rule:admin_or_owner
    Operations:
        GET /v2/zones/{zone_id}/recordsets/{recordset_id}
        DELETE /v2/zones/{zone_id}/recordsets/{recordset_id}
        PUT /v2/zones/{zone_id}/recordsets/{recordset_id}
    Get recordset.

update_recordset
    Default: ('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)
    Operations:
        PUT /v2/zones/{zone_id}/recordsets/{recordset_id}
        PATCH /v2/reverse/floatingips/{region}:{floatingip_id}
    Update recordset.

delete_recordset
    Default: ('PRIMARY':%(zone_type)s and rule:admin_or_owner) OR ('SECONDARY':%(zone_type)s AND is_admin:True)
    Operations: DELETE /v2/zones/{zone_id}/recordsets/{recordset_id}
    Delete recordset.

count_recordset
    Default: rule:admin_or_owner
    Count recordsets.
find_service_status
    Default: rule:admin
    Operations: GET /v2/service_status/{service_id}
    Find a single service status.

find_service_statuses
    Default: rule:admin
    Operations: GET /v2/service_status
    List service statuses.

update_service_status
    Default: rule:admin
    (no description provided)

find_tenants
    Default: rule:admin
    Find all tenants.

get_tenant
    Default: rule:admin
    Get a tenant.

count_tenants
    Default: rule:admin
    Count tenants.
create_tld
    Default: rule:admin
    Operations: POST /v2/tlds
    Create TLD.

find_tlds
    Default: rule:admin
    Operations: GET /v2/tlds
    List TLDs.

get_tld
    Default: rule:admin
    Operations: GET /v2/tlds/{tld_id}
    Show TLD.

update_tld
    Default: rule:admin
    Operations: PATCH /v2/tlds/{tld_id}
    Update TLD.

delete_tld
    Default: rule:admin
    Operations: DELETE /v2/tlds/{tld_id}
    Delete TLD.
create_tsigkey
    Default: rule:admin
    Operations: POST /v2/tsigkeys
    Create TSIG key.

find_tsigkeys
    Default: rule:admin
    Operations: GET /v2/tsigkeys
    List TSIG keys.

get_tsigkey
    Default: rule:admin
    Operations:
        PATCH /v2/tsigkeys/{tsigkey_id}
        GET /v2/tsigkeys/{tsigkey_id}
    Show a TSIG key.

update_tsigkey
    Default: rule:admin
    Operations: PATCH /v2/tsigkeys/{tsigkey_id}
    Update TSIG key.

delete_tsigkey
    Default: rule:admin
    Operations: DELETE /v2/tsigkeys/{tsigkey_id}
    Delete a TSIG key.

Note: TSIG keys are shared secrets used to authenticate zone transfers and dynamic updates between name servers, which is why every tsigkey operation, including read access, defaults to rule:admin. Opening any of them to non-admin roles in policy.yaml exposes the secret material.
create_zone
    Default: rule:admin_or_owner
    Operations: POST /v2/zones
    Create zone.

get_zones
    Default: rule:admin_or_owner
    (no description provided)

get_zone
    Default: rule:admin_or_owner
    Operations:
        GET /v2/zones/{zone_id}
        PATCH /v2/zones/{zone_id}
        PUT /v2/zones/{zone_id}/recordsets/{recordset_id}
    Get zone.

get_zone_servers
    Default: rule:admin_or_owner
    (no description provided)

find_zones
    Default: rule:admin_or_owner
    Operations: GET /v2/zones
    List existing zones.

update_zone
    Default: rule:admin_or_owner
    Operations: PATCH /v2/zones/{zone_id}
    Update zone.

delete_zone
    Default: rule:admin_or_owner
    Operations: DELETE /v2/zones/{zone_id}
    Delete zone.

xfr_zone
    Default: rule:admin_or_owner
    Operations: POST /v2/zones/{zone_id}/tasks/xfr
    Manually trigger an update of a secondary zone.

abandon_zone
    Default: rule:admin
    Operations: POST /v2/zones/{zone_id}/tasks/abandon
    Abandon zone.

count_zones
    Default: rule:admin_or_owner
    (no description provided)

count_zones_pending_notify
    Default: rule:admin_or_owner
    (no description provided)

purge_zones
    Default: rule:admin
    (no description provided)

touch_zone
    Default: rule:admin_or_owner
    (no description provided)
zone_export
    Default: rule:admin_or_owner
    Operations: GET /v2/zones/tasks/exports/{zone_export_id}/export
    Retrieve a zone export from the Designate datastore.

create_zone_export
    Default: rule:admin_or_owner
    Operations: POST /v2/zones/{zone_id}/tasks/export
    Create zone export.

find_zone_exports
    Default: rule:admin_or_owner
    Operations: GET /v2/zones/tasks/exports
    List zone exports.

get_zone_export
    Default: rule:admin_or_owner
    Operations:
        GET /v2/zones/tasks/exports/{zone_export_id}
        GET /v2/zones/tasks/exports/{zone_export_id}/export
    Get zone export.

update_zone_export
    Default: rule:admin_or_owner
    Operations: POST /v2/zones/{zone_id}/tasks/export
    Update zone export.

create_zone_import
    Default: rule:admin_or_owner
    Operations: POST /v2/zones/tasks/imports
    Create zone import.

find_zone_imports
    Default: rule:admin_or_owner
    Operations: GET /v2/zones/tasks/imports
    List all zone imports.

get_zone_import
    Default: rule:admin_or_owner
    Operations: GET /v2/zones/tasks/imports/{zone_import_id}
    Get zone import.

update_zone_import
    Default: rule:admin_or_owner
    Operations: POST /v2/zones/tasks/imports
    Update zone import.

delete_zone_import
    Default: rule:admin_or_owner
    Operations: DELETE /v2/zones/tasks/imports/{zone_import_id}
    Delete a zone import.
create_zone_transfer_accept
    Default: rule:admin_or_owner OR tenant:%(target_tenant_id)s OR None:%(target_tenant_id)s
    Operations: POST /v2/zones/tasks/transfer_accepts
    Create zone transfer accept.
    Note: the None:%(target_tenant_id)s clause passes when the transfer request was created without a target project, so in that case any project that holds the transfer key may accept the zone. Set a target project on the request if the zone must only move to one specific project.

get_zone_transfer_accept
    Default: rule:admin_or_owner
    Operations: GET /v2/zones/tasks/transfer_accepts/{zone_transfer_accept_id}
    Get zone transfer accept.

find_zone_transfer_accepts
    Default: rule:admin
    Operations: GET /v2/zones/tasks/transfer_accepts
    List zone transfer accepts.

find_zone_transfer_accept
    Default: rule:admin
    (no description provided)

update_zone_transfer_accept
    Default: rule:admin
    Operations: POST /v2/zones/tasks/transfer_accepts
    Update a zone transfer accept.

delete_zone_transfer_accept
    Default: rule:admin
    (no description provided)

create_zone_transfer_request
    Default: rule:admin_or_owner
    Operations: POST /v2/zones/{zone_id}/tasks/transfer_requests
    Create zone transfer request.

get_zone_transfer_request
    Default: rule:admin_or_owner OR tenant:%(target_tenant_id)s OR None:%(target_tenant_id)s
    Operations:
        GET /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}
        PATCH /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}
    Show a zone transfer request.

get_zone_transfer_request_detailed
    Default: rule:admin_or_owner
    (no description provided)

find_zone_transfer_requests
    Default: @
    Operations: GET /v2/zones/tasks/transfer_requests
    List zone transfer requests.
    Note: @ is the oslo.policy check that always passes, so the policy layer itself does not restrict this call to any role or project.

find_zone_transfer_request
    Default: @
    (no description provided)

update_zone_transfer_request
    Default: rule:admin_or_owner
    Operations: PATCH /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}
    Update a zone transfer request.

delete_zone_transfer_request
    Default: rule:admin_or_owner
    Operations: DELETE /v2/zones/tasks/transfer_requests/{zone_transfer_request_id}
    Delete a zone transfer request.