Cinder Policies

Introduction

This document presents the permissions available for reader and member roles on the Cinder service (block storage management) of Infomaniak Public Cloud, based on OpenStack default policies.

Context

Application Credentials must be created with the appropriate role according to functional needs. This matrix helps you choose the right role for block storage operations.

Legend

| Symbol | Meaning |
|---|---|
| ✅ | Allowed - The policy explicitly permits this action |
| ❌ | Forbidden - The policy explicitly denies this action |
| 🔍 | Conditional - Allowed based on ownership or project membership |

Volume Management

Basic Volume Operations

| Action | API Endpoint | Reader | Member | Notes |
|---|---|---|---|---|
| List volumes | GET /volumes | ✅ | ✅ | Can list project volumes |
| List volumes (detailed) | GET /volumes/detail | ✅ | ✅ | Includes detailed information |
| Get volume summary | GET /volumes/summary | ✅ | ✅ | Summary statistics |
| Show volume | GET /volumes/{volume_id} | 🔍 | 🔍 | Only project volumes |
| Create volume | POST /volumes | ❌ | ✅ | |
| Create volume from image | POST /volumes | ❌ | ✅ | With source image |
| Update volume | PUT /volumes/{volume_id} | ❌ | 🔍 | Only project volumes |
| Delete volume | DELETE /volumes/{volume_id} | ❌ | 🔍 | Only project volumes |

Volume Advanced Operations

| Action | API Endpoint | Reader | Member | Notes |
|---|---|---|---|---|
| Extend volume | POST /volumes/{volume_id}/action (os-extend) | ❌ | 🔍 | Resize volume |
| Extend attached volume | POST /volumes/{volume_id}/action (os-extend) | ❌ | 🔍 | Resize while attached |
| Revert to snapshot | POST /volumes/{volume_id}/action (revert) | ❌ | 🔍 | Restore from snapshot |
| Retype volume | POST /volumes/{volume_id}/action (os-retype) | ❌ | 🔍 | Change volume type |
| Update readonly flag | POST /volumes/{volume_id}/action (os-update_readonly_flag) | ❌ | 🔍 | Set read-only mode |
| Set bootable flag | POST /volumes/{volume_id}/action (os-set_bootable) | ❌ | 🔍 | Mark as bootable |
| Reimage volume | POST /volumes/{volume_id}/action (os-reimage) | ❌ | 🔍 | Replace volume content |

Volume Attachments

| Action | API Endpoint | Reader | Member | Notes |
|---|---|---|---|---|
| Create attachment | POST /attachments | ❌ | ✅ | Attach to instance |
| Update attachment | PUT /attachments/{attachment_id} | ❌ | ✅ | Modify attachment |
| Delete attachment | DELETE /attachments/{attachment_id} | ❌ | ✅ | Detach from instance |
| Complete attachment | POST /attachments/{attachment_id}/action (os-complete) | ❌ | ✅ | Finalize attachment |
| Initialize connection | POST /volumes/{volume_id}/action (os-initialize_connection) | ❌ | 🔍 | Set up connection |
| Terminate connection | POST /volumes/{volume_id}/action (os-terminate_connection) | ❌ | 🔍 | Close connection |

Volume States Management

| Action | API Endpoint | Reader | Member | Notes |
|---|---|---|---|---|
| Reserve volume | POST /volumes/{volume_id}/action (os-reserve) | ❌ | 🔍 | Mark as reserved |
| Unreserve volume | POST /volumes/{volume_id}/action (os-unreserve) | ❌ | 🔍 | Unmark reserved |
| Begin detaching | POST /volumes/{volume_id}/action (os-begin_detaching) | ❌ | 🔍 | Start detach process |
| Roll back detaching | POST /volumes/{volume_id}/action (os-roll_detaching) | ❌ | 🔍 | Cancel detach |
| Attach metadata | POST /volumes/{volume_id}/action (os-attach) | ❌ | 🔍 | Add attachment info |
| Detach metadata | POST /volumes/{volume_id}/action (os-detach) | ❌ | 🔍 | Remove attachment info |

Snapshot Management

| Action | API Endpoint | Reader | Member | Notes |
|---|---|---|---|---|
| List snapshots | GET /snapshots | ✅ | ✅ | Project snapshots |
| List snapshots (detailed) | GET /snapshots/detail | ✅ | ✅ | With details |
| Show snapshot | GET /snapshots/{snapshot_id} | 🔍 | 🔍 | Only project snapshots |
| Create snapshot | POST /snapshots | ❌ | 🔍 | From project volume |
| Update snapshot | PUT /snapshots/{snapshot_id} | ❌ | 🔍 | Only project snapshots |
| Delete snapshot | DELETE /snapshots/{snapshot_id} | ❌ | 🔍 | Only project snapshots |
| Update snapshot status | POST /snapshots/{snapshot_id}/action (update_snapshot_status) | ❌ | ✅ | Administrative action |

Backup Management

| Action | API Endpoint | Reader | Member | Notes |
|---|---|---|---|---|
| List backups | GET /backups | ✅ | ✅ | Project backups |
| List backups (detailed) | GET /backups/detail | ✅ | ✅ | With details |
| Show backup | GET /backups/{backup_id} | 🔍 | 🔍 | Only project backups |
| Create backup | POST /backups | ❌ | ✅ | From project volume |
| Update backup | PUT /backups/{backup_id} | ❌ | 🔍 | Only project backups |
| Delete backup | DELETE /backups/{backup_id} | ❌ | 🔍 | Only project backups |
| Restore backup | POST /backups/{backup_id}/restore | ❌ | 🔍 | Create volume from backup |

Volume Types

| Action | API Endpoint | Reader | Member | Notes |
|---|---|---|---|---|
| List volume types | GET /types/ | ✅ | ✅ | Available types |
| Show volume type | GET /types/{type_id} | ✅ | ✅ | Type details |
| List type extra specs | GET /types/{type_id}/extra_specs | ✅ | ✅ | Type specifications |
| Show type extra spec | GET /types/{type_id}/extra_specs/{extra_spec_key} | ✅ | ✅ | Specific spec value |

Volume Type Access

| Action | API Endpoint | Reader | Member | Notes |
|---|---|---|---|---|
| View type access | GET /types/{type_id} | ❌ | ✅ | See access information |
| View type access | POST /types | ❌ | ✅ | In create response |

Metadata Management

Volume Metadata

| Action | API Endpoint | Reader | Member | Notes |
|---|---|---|---|---|
| Show volume metadata | GET /volumes/{volume_id}/metadata | 🔍 | 🔍 | Only project volumes |
| Show volume metadata key | GET /volumes/{volume_id}/metadata/{key} | 🔍 | 🔍 | Specific key |
| Create volume metadata | POST /volumes/{volume_id}/metadata | ❌ | 🔍 | Add metadata |
| Update volume metadata | PUT /volumes/{volume_id}/metadata | ❌ | 🔍 | Replace all metadata |
| Update volume metadata key | PUT /volumes/{volume_id}/metadata/{key} | ❌ | 🔍 | Update specific key |
| Delete volume metadata key | DELETE /volumes/{volume_id}/metadata/{key} | ❌ | 🔍 | Remove specific key |

Snapshot Metadata

| Action | API Endpoint | Reader | Member | Notes |
|---|---|---|---|---|
| Show snapshot metadata | GET /snapshots/{snapshot_id}/metadata | 🔍 | 🔍 | Only project snapshots |
| Show snapshot metadata key | GET /snapshots/{snapshot_id}/metadata/{key} | 🔍 | 🔍 | Specific key |
| Update snapshot metadata | POST /snapshots/{snapshot_id}/metadata | ❌ | 🔍 | Add metadata |
| Update snapshot metadata key | PUT /snapshots/{snapshot_id}/metadata/{key} | ❌ | 🔍 | Update specific key |
| Delete snapshot metadata key | DELETE /snapshots/{snapshot_id}/metadata/{key} | ❌ | 🔍 | Remove specific key |

Image Metadata

| Action | API Endpoint | Reader | Member | Notes |
|---|---|---|---|---|
| Show image metadata | POST /volumes/{volume_id}/action (os-show_image_metadata) | 🔍 | 🔍 | View image metadata |
| Show image metadata | GET /volumes/{volume_id} | 🔍 | 🔍 | In volume details |
| Set image metadata | POST /volumes/{volume_id}/action (os-set_image_metadata) | ❌ | 🔍 | Add image metadata |
| Remove image metadata | POST /volumes/{volume_id}/action (os-unset_image_metadata) | ❌ | 🔍 | Remove image metadata |

Volume Transfers

| Action | API Endpoint | Reader | Member | Notes |
|---|---|---|---|---|
| List transfers | GET /volume-transfers | ✅ | ✅ | Project transfers |
| List transfers (detailed) | GET /volume-transfers/detail | ✅ | ✅ | With details |
| Show transfer | GET /volume-transfers/{transfer_id} | 🔍 | 🔍 | Only project transfers |
| Create transfer | POST /volume-transfers | ❌ | 🔍 | Transfer project volume |
| Accept transfer | POST /volume-transfers/{transfer_id}/accept | ❌ | ✅ | Accept incoming transfer |
| Delete transfer | DELETE /volume-transfers/{transfer_id} | ❌ | 🔍 | Cancel transfer |

Group Management

| Action | API Endpoint | Reader | Member | Notes |
|---|---|---|---|---|
| List groups | GET /groups | ✅ | ✅ | Project groups |
| List groups (detailed) | GET /groups/detail | ✅ | ✅ | With details |
| Show group | GET /groups/{group_id} | 🔍 | 🔍 | Only project groups |
| Create group | POST /groups | ❌ | ✅ | Volume group |
| Update group | PUT /groups/{group_id} | ❌ | 🔍 | Only project groups |
| Delete group | POST /groups/{group_id}/action (delete) | ❌ | 🔍 | Only project groups |

Group Snapshots

| Action | API Endpoint | Reader | Member | Notes |
|---|---|---|---|---|
| List group snapshots | GET /group_snapshots | ✅ | ✅ | Project group snapshots |
| List group snapshots (detailed) | GET /group_snapshots/detail | ✅ | ✅ | With details |
| Show group snapshot | GET /group_snapshots/{group_snapshot_id} | 🔍 | 🔍 | Only project snapshots |
| Create group snapshot | POST /group_snapshots | ❌ | ✅ | From project group |
| Update group snapshot | PUT /group_snapshots/{group_snapshot_id} | ❌ | 🔍 | Only project snapshots |
| Delete group snapshot | DELETE /group_snapshots/{group_snapshot_id} | ❌ | 🔍 | Only project snapshots |

Group Replication

| Action | API Endpoint | Reader | Member | Notes |
|---|---|---|---|---|
| Enable replication | POST /groups/{group_id}/action (enable_replication) | ❌ | 🔍 | Enable for project group |
| Disable replication | POST /groups/{group_id}/action (disable_replication) | ❌ | 🔍 | Disable for project group |
| Failover replication | POST /groups/{group_id}/action (failover_replication) | ❌ | 🔍 | Fail over project group |
| List replication targets | POST /groups/{group_id}/action (list_replication_targets) | ❌ | 🔍 | View targets |

Volume Encryption

| Action | API Endpoint | Reader | Member | Notes |
|---|---|---|---|---|
| Show encryption metadata | GET /volumes/{volume_id}/encryption | 🔍 | 🔍 | Only project volumes |
| Show encryption key | GET /volumes/{volume_id}/encryption/{encryption_key} | 🔍 | 🔍 | Specific encryption key |

Volume Actions

| Action | API Endpoint | Reader | Member | Notes |
|---|---|---|---|---|
| Upload to image | POST /volumes/{volume_id}/action (os-volume_upload_image) | ❌ | 🔍 | Create image from volume |

System Information

| Action | API Endpoint | Reader | Member | Notes |
|---|---|---|---|---|
| Show limits | GET /limits | ✅ | ✅ | Project limits and usage |
| List messages | GET /messages | ✅ | ✅ | System messages |
| Show message | GET /messages/{message_id} | 🔍 | 🔍 | Specific message |
| Delete message | DELETE /messages/{message_id} | ❌ | ✅ | Remove message |

Quotas

| Action | API Endpoint | Reader | Member | Notes |
|---|---|---|---|---|
| Show quota | GET /os-quota-sets/{project_id} | ✅ | ✅ | Project quotas |
| Show quota (usage) | GET /os-quota-sets/{project_id}?usage=True | ✅ | ✅ | With usage information |
| Show quota (default) | GET /os-quota-sets/{project_id}/default | ✅ | ✅ | Default quotas |

Capabilities Summary by Role

Reader Role

Permissions:

  • ✅ Read Access: List and view all project resources (volumes, snapshots, backups, groups)
  • ✅ Metadata Reading: Access metadata for project resources
  • ✅ Type Information: View volume types and specifications
  • ✅ System Information: Check quotas, limits, and messages
  • ✅ Encryption: View encryption metadata for project volumes

Limitations:

  • ❌ No Creation: Cannot create any resources
  • ❌ No Modification: Cannot update or delete resources
  • ❌ No Operations: Cannot perform volume operations (extend, attach, etc.)

Member Role

Permissions:

  • ✅ Full Management: Create, update, delete project resources
  • ✅ Volume Operations: Extend, attach, retype, revert volumes
  • ✅ Backup & Restore: Create backups and restore from them
  • ✅ Transfers: Create and accept volume transfers
  • ✅ Groups: Manage volume groups and group snapshots
  • ✅ Metadata: Full metadata management
  • ✅ Multiattach: Create volumes with multiattach capability

Scope:

  • 🔍 Project Ownership: Can only manage resources within their project
  • 🔍 Resource Ownership: Some operations require owning the specific resource

Usage Examples

Volume Monitoring Application

Use case: Infrastructure monitoring or read-only dashboard

Recommended role: reader

# Application Credential
role: reader

# Possible actions
- openstack volume list
- openstack volume show <volume-id>
- openstack volume snapshot list
- openstack quota show
- openstack volume type list

Volume Management Application

Use case: CI/CD, automated backup, infrastructure automation

Recommended role: member

# Application Credential
role: member

# Possible actions
- openstack volume create --size 10 --type standard my-volume
- openstack volume snapshot create --volume <volume-id> my-snapshot
- openstack volume set --size 20 <volume-id>
- openstack volume backup create --name my-backup <volume-id>
- openstack volume transfer request create <volume-id>

Backup Management Application

Use case: Automated backup and disaster recovery

Recommended role: member

# Application Credential
role: member

# Backup operations
- openstack volume backup create --name daily-backup-$(date +%Y%m%d) <volume-id>
- openstack volume backup restore <backup-id> --name restored-volume
- openstack volume snapshot create --volume <volume-id> snapshot-$(date +%Y%m%d)

Context Variables

Policies use the following variables to determine authorizations:

| Variable | Description |
|---|---|
| %(project_id)s | Current user's project ID |
| %(volume_id)s | Target volume ID |
| %(snapshot_id)s | Target snapshot ID |
| %(backup_id)s | Target backup ID |
| %(group_id)s | Target group ID |

Important Notes

Best Practices

  1. Principle of least privilege: Use the reader role if you only need to view volumes and related resources
  2. Project isolation: Members can only manage resources within their project
  3. Resource ownership: Some operations require being the owner of the specific resource
  4. Application Credentials management: Create specific credentials per use case
  5. Multiattach considerations: Special care needed for bootable volumes with multiattach capability