Ask Your Question

Uunderstand the user/admin API and policies

asked 2017-08-16 05:12:59 -0500

liaodalin19903 gravatar image

updated 2017-08-16 07:22:50 -0500

When I read the docs:

I find this line:

The Compute API includes all end user and administrator API calls.

and this line:

The Compute API uses these roles, along with oslo.policy, to decide what the user is authorized to do.

I don't understand.

1) What is the difference between end user and administrator API ?

2) What is the oslo.policy ? what function did it has?

edit retag flag offensive close merge delete

2 answers

Sort by ยป oldest newest most voted

answered 2017-08-16 07:20:18 -0500

Hi Liaodalin,

And end user only need to create VMs/instances, attach volumes, security groups, etc. And administrator also need manage hypervisor, set quotas, see all tenants VMs, statistics, etc.

That's the reason of roles who in policy files (oslo.policy) set who can do each action and who doesn't.

Small example of cinder's policy.json

    "volume:create": "",
    "volume:create_from_image": "",
    "volume:delete": "rule:admin_or_owner",
    "volume:force_delete": "rule:admin_api",
    "volume:get": "rule:admin_or_owner",
    "volume:get_all": "rule:admin_or_owner",
    "volume:get_volume_metadata": "rule:admin_or_owner",
    "volume_extension:quotas:show": "",
    "volume_extension:quotas:update": "rule:admin_api",
    "volume_extension:quotas:delete": "rule:admin_api",
    "volume_extension:quota_classes": "rule:admin_api",

In this example you can see some rules with empty values: volume:create and volume_extension:quotas:show This means everybody can execute those actions, create volumes and see their quotas.

Also can see volume:delete: rule:admin_or_owner which means that for delete a volume need to be the owner (creator of the volume) or an administrator user.

Other value we can see volume_extension:quotas:update: rule:admin_api means only administrators can change/update quotas.


edit flag offensive delete link more

answered 2017-08-16 17:48:29 -0500

Some API calls and components are reserved to the administrator. For example, the hypervisor API (I think), and the OS-EXT-SRV-ATTR fields returned by server show.

oslo is the nickname for a project that provides shared and/or low-level functionality for all OpenStack projects, in the form of Python libraries. Policy checks are part of that. oslo.policyis documented at

In my experience, Google is very handy for finding developer documentation. For example, I found the oslo.policy site by googling for oslo.policy. You can also try to just add the project name after, for example

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2017-08-16 05:12:59 -0500

Seen: 125 times

Last updated: Aug 16 '17