
Neutron Policies

Introduction

This document presents the permissions available for reader and member roles on the Neutron service (networking management) of Infomaniak Public Cloud, based on OpenStack default policies.

Context

Application Credentials must be created with the appropriate role according to functional needs. This matrix helps you choose the right role.

Symbol Meaning
✅ Allowed - The policy explicitly permits this action
❌ Forbidden - The policy explicitly denies this action
🔍 Conditional - Allowed based on ownership, sharing or network visibility
⚠ Restricted - Denied to both roles; requires the BYOIP role activated by Infomaniak support (see the BYOIP section below)

Network Management

Operation Endpoint Policy Reader Member Conditions
List networks GET /v2.0/networks get_network 🔍 🔍 Project, shared or external*
Show network GET /v2.0/networks/{id} get_network 🔍 🔍 Project, shared or external*
Create network POST /v2.0/networks create_network ❌ ✅ Project member
Update network PUT /v2.0/networks/{id} update_network ❌ ✅ Project member
Delete network DELETE /v2.0/networks/{id} delete_network ❌ ✅ Project member

*Visibility rules: project member, shared network, external network, or advanced service context


Network Tags Management

Operation Endpoint Policy Reader Member Conditions
Get network tags GET /v2.0/networks/{id}/tags get_networks_tags 🔍 🔍 Project, shared or external*
Update network tags PUT /v2.0/networks/{id}/tags update_networks_tags ❌ ✅ Project member
Update single tag PUT /v2.0/networks/{id}/tags/{tag} update_networks_tags ❌ ✅ Project member
Delete network tags DELETE /v2.0/networks/{id}/tags delete_networks_tags ❌ ✅ Project member
Delete single tag DELETE /v2.0/networks/{id}/tags/{tag} delete_networks_tags ❌ ✅ Project member

*Visibility rules: project member, shared network, external network, or advanced service context


Subnet Management

Operation Endpoint Policy Reader Member Conditions
List subnets GET /v2.0/subnets get_subnet 🔍 🔍 Network owner or shared*
Show subnet GET /v2.0/subnets/{id} get_subnet 🔍 🔍 Network owner or shared*
Create subnet POST /v2.0/subnets create_subnet ❌ 🔍 Network owner
Update subnet PUT /v2.0/subnets/{id} update_subnet ❌ 🔍 Network owner or project member
Delete subnet DELETE /v2.0/subnets/{id} delete_subnet ❌ 🔍 Network owner or project member

*Ownership rules: network owner or project member, or shared network


Subnet Tags Management

Operation Endpoint Policy Reader Member Conditions
Get subnet tags GET /v2.0/subnets/{id}/tags get_subnets_tags 🔍 🔍 Network owner or shared*
Update subnet tags PUT /v2.0/subnets/{id}/tags update_subnets_tags ❌ 🔍 Network owner or project member
Update single tag PUT /v2.0/subnets/{id}/tags/{tag} update_subnets_tags ❌ 🔍 Network owner or project member
Delete subnet tags DELETE /v2.0/subnets/{id}/tags delete_subnets_tags ❌ 🔍 Network owner or project member
Delete single tag DELETE /v2.0/subnets/{id}/tags/{tag} delete_subnets_tags ❌ 🔍 Network owner or project member

*Ownership rules: network owner or project member, or shared network


Port Management

Operation Endpoint Policy Reader Member Conditions
List ports GET /v2.0/ports get_port 🔍 🔍 Network owner or project member*
Show port GET /v2.0/ports/{id} get_port 🔍 🔍 Network owner or project member*
Create port POST /v2.0/ports create_port ❌ ✅ Project member
Create port with specific IP POST /v2.0/ports create_port:fixed_ips:ip_address ❌ ❌ ⚠ BYOIP role required
Create port with security disabled POST /v2.0/ports create_port:port_security_enabled ❌ ❌ ⚠ BYOIP role required
Update port PUT /v2.0/ports/{id} update_port ❌ ✅ Project member
Update port security PUT /v2.0/ports/{id} update_port:port_security_enabled ❌ ❌ ⚠ BYOIP role required
Update allowed address pairs PUT /v2.0/ports/{id} update_port:allowed_address_pairs ❌ ❌ ⚠ BYOIP role required
Delete port DELETE /v2.0/ports/{id} delete_port ❌ 🔍 Network owner or project member

*Access rules: network owner, project member, or advanced service context


Port Tags Management

Operation Endpoint Policy Reader Member Conditions
Get port tags GET /v2.0/ports/{id}/tags get_ports_tags 🔍 🔍 Network owner or project member*
Update port tags PUT /v2.0/ports/{id}/tags update_ports_tags ❌ ✅ Project member
Update single tag PUT /v2.0/ports/{id}/tags/{tag} update_ports_tags ❌ ✅ Project member
Delete port tags DELETE /v2.0/ports/{id}/tags delete_ports_tags ❌ 🔍 Network owner or project member
Delete single tag DELETE /v2.0/ports/{id}/tags/{tag} delete_ports_tags ❌ 🔍 Network owner or project member

*Access rules: advanced service context, network owner, or project member


Router Management

Operation Endpoint Policy Reader Member Conditions
List routers GET /v2.0/routers get_router ✅ ✅ Project member
Show router GET /v2.0/routers/{id} get_router ✅ ✅ Project member
Create router POST /v2.0/routers create_router ❌ ✅ Project member
Update router PUT /v2.0/routers/{id} update_router ❌ ✅ Project member
Delete router DELETE /v2.0/routers/{id} delete_router ❌ ✅ Project member

Router Interface Management

Operation Endpoint Policy Reader Member Conditions
Add router interface PUT /v2.0/routers/{id}/add_router_interface add_router_interface ❌ ✅ Project member
Remove router interface PUT /v2.0/routers/{id}/remove_router_interface remove_router_interface ❌ ✅ Project member

Router Tags Management

Operation Endpoint Policy Reader Member Conditions
Get router tags GET /v2.0/routers/{id}/tags get_routers_tags ✅ ✅ Project member
Update router tags PUT /v2.0/routers/{id}/tags update_routers_tags ❌ ✅ Project member
Update single tag PUT /v2.0/routers/{id}/tags/{tag} update_routers_tags ❌ ✅ Project member
Delete router tags DELETE /v2.0/routers/{id}/tags delete_routers_tags ❌ ✅ Project member
Delete single tag DELETE /v2.0/routers/{id}/tags/{tag} delete_routers_tags ❌ ✅ Project member

Security Group Management

Operation Endpoint Policy Reader Member Conditions
List security groups GET /v2.0/security-groups get_security_group 🔍 🔍 Project or shared*
Show security group GET /v2.0/security-groups/{id} get_security_group 🔍 🔍 Project or shared*
Create security group POST /v2.0/security-groups create_security_group ❌ ✅ Project member
Update security group PUT /v2.0/security-groups/{id} update_security_group ❌ ✅ Project member
Delete security group DELETE /v2.0/security-groups/{id} delete_security_group ❌ ✅ Project member

*Visibility rules: project member or shared security group


Security Group Tags Management

Operation Endpoint Policy Reader Member Conditions
Get security group tags GET /v2.0/security-groups/{id}/tags get_security_groups_tags 🔍 🔍 Project or shared*
Update security group tags PUT /v2.0/security-groups/{id}/tags update_security_groups_tags ❌ ✅ Project member
Update single tag PUT /v2.0/security-groups/{id}/tags/{tag} update_security_groups_tags ❌ ✅ Project member
Delete security group tags DELETE /v2.0/security-groups/{id}/tags delete_security_groups_tags ❌ ✅ Project member
Delete single tag DELETE /v2.0/security-groups/{id}/tags/{tag} delete_security_groups_tags ❌ ✅ Project member

*Visibility rules: project member or shared security group


Security Group Rules Management

Operation Endpoint Policy Reader Member Conditions
List security group rules GET /v2.0/security-group-rules get_security_group_rule 🔍 🔍 Project or security group owner*
Show security group rule GET /v2.0/security-group-rules/{id} get_security_group_rule 🔍 🔍 Project or security group owner*
Create security group rule POST /v2.0/security-group-rules create_security_group_rule ❌ ✅ Project member
Delete security group rule DELETE /v2.0/security-group-rules/{id} delete_security_group_rule ❌ ✅ Project member

*Access rules: project member or security group owner


Floating IP Management

Operation Endpoint Policy Reader Member Conditions
List floating IPs GET /v2.0/floatingips get_floatingip ✅ ✅ Project member
Show floating IP GET /v2.0/floatingips/{id} get_floatingip ✅ ✅ Project member
Create floating IP POST /v2.0/floatingips create_floatingip ❌ ✅ Project member
Create floating IP with specific IP POST /v2.0/floatingips create_floatingip:floating_ip_address ❌ ❌ ⚠ BYOIP role required
Update floating IP PUT /v2.0/floatingips/{id} update_floatingip ❌ ✅ Project member
Delete floating IP DELETE /v2.0/floatingips/{id} delete_floatingip ❌ ✅ Project member

Floating IP Tags Management

Operation Endpoint Policy Reader Member Conditions
Get floating IP tags GET /v2.0/floatingips/{id}/tags get_floatingips_tags ✅ ✅ Project member
Update floating IP tags PUT /v2.0/floatingips/{id}/tags update_floatingips_tags ❌ ✅ Project member
Update single tag PUT /v2.0/floatingips/{id}/tags/{tag} update_floatingips_tags ❌ ✅ Project member
Delete floating IP tags DELETE /v2.0/floatingips/{id}/tags delete_floatingips_tags ❌ ✅ Project member
Delete single tag DELETE /v2.0/floatingips/{id}/tags/{tag} delete_floatingips_tags ❌ ✅ Project member

Floating IP Pool Management

Operation Endpoint Policy Reader Member Conditions
Get floating IP pools GET /v2.0/floatingip_pools get_floatingip_pool ✅ ✅ Project member

Port Forwarding Management

Operation Endpoint Policy Reader Member Conditions
List port forwardings GET /v2.0/floatingips/{id}/port_forwardings get_floatingip_port_forwarding 🔍 🔍 Floating IP owner*
Show port forwarding GET /v2.0/floatingips/{id}/port_forwardings/{pf_id} get_floatingip_port_forwarding 🔍 🔍 Floating IP owner*
Create port forwarding POST /v2.0/floatingips/{id}/port_forwardings create_floatingip_port_forwarding ❌ 🔍 Floating IP owner
Update port forwarding PUT /v2.0/floatingips/{id}/port_forwardings/{pf_id} update_floatingip_port_forwarding ❌ 🔍 Floating IP owner
Delete port forwarding DELETE /v2.0/floatingips/{id}/port_forwardings/{pf_id} delete_floatingip_port_forwarding ❌ 🔍 Floating IP owner

*Access rules: floating IP parent owner


Subnetpool Management

Operation Endpoint Policy Reader Member Conditions
List subnetpools GET /v2.0/subnetpools get_subnetpool 🔍 🔍 Project or shared*
Show subnetpool GET /v2.0/subnetpools/{id} get_subnetpool 🔍 🔍 Project or shared*
Create subnetpool POST /v2.0/subnetpools create_subnetpool ❌ ✅ Project member
Update subnetpool PUT /v2.0/subnetpools/{id} update_subnetpool ❌ ✅ Project member
Delete subnetpool DELETE /v2.0/subnetpools/{id} delete_subnetpool ❌ ✅ Project member

*Visibility rules: project member or shared subnetpool


Subnetpool Tags Management

Operation Endpoint Policy Reader Member Conditions
Get subnetpool tags GET /v2.0/subnetpools/{id}/tags get_subnetpools_tags 🔍 🔍 Project or shared*
Update subnetpool tags PUT /v2.0/subnetpools/{id}/tags update_subnetpools_tags ❌ ✅ Project member
Update single tag PUT /v2.0/subnetpools/{id}/tags/{tag} update_subnetpools_tags ❌ ✅ Project member
Delete subnetpool tags DELETE /v2.0/subnetpools/{id}/tags delete_subnetpools_tags ❌ ✅ Project member
Delete single tag DELETE /v2.0/subnetpools/{id}/tags/{tag} delete_subnetpools_tags ❌ ✅ Project member

*Visibility rules: project member or shared subnetpool


Address Scope Management

Operation Endpoint Policy Reader Member Conditions
List address scopes GET /v2.0/address-scopes get_address_scope 🔍 🔍 Project or shared*
Show address scope GET /v2.0/address-scopes/{id} get_address_scope 🔍 🔍 Project or shared*
Create address scope POST /v2.0/address-scopes create_address_scope ❌ ✅ Project member
Update address scope PUT /v2.0/address-scopes/{id} update_address_scope ❌ ✅ Project member
Delete address scope DELETE /v2.0/address-scopes/{id} delete_address_scope ❌ ✅ Project member

*Visibility rules: project member or shared address scope


Trunk Management

Operation Endpoint Policy Reader Member Conditions
List trunks GET /v2.0/trunks get_trunk ✅ ✅ Project member
Show trunk GET /v2.0/trunks/{id} get_trunk ✅ ✅ Project member
Create trunk POST /v2.0/trunks create_trunk ❌ ✅ Project member
Update trunk PUT /v2.0/trunks/{id} update_trunk ❌ ✅ Project member
Delete trunk DELETE /v2.0/trunks/{id} delete_trunk ❌ ✅ Project member

Trunk Tags Management

Operation Endpoint Policy Reader Member Conditions
Get trunk tags GET /v2.0/trunks/{id}/tags get_trunks_tags ✅ ✅ Project member
Update trunk tags PUT /v2.0/trunks/{id}/tags update_trunks_tags ❌ ✅ Project member
Update single tag PUT /v2.0/trunks/{id}/tags/{tag} update_trunks_tags ❌ ✅ Project member
Delete trunk tags DELETE /v2.0/trunks/{id}/tags delete_trunks_tags ❌ ✅ Project member
Delete single tag DELETE /v2.0/trunks/{id}/tags/{tag} delete_trunks_tags ❌ ✅ Project member

Trunk Subports Management

Operation Endpoint Policy Reader Member Conditions
List subports GET /v2.0/trunks/{id}/get_subports get_subports ✅ ✅ Project member
Add subports PUT /v2.0/trunks/{id}/add_subports add_subports ❌ ✅ Project member
Remove subports PUT /v2.0/trunks/{id}/remove_subports remove_subports ❌ ✅ Project member

RBAC Policies Management

Operation Endpoint Policy Reader Member Conditions
List RBAC policies GET /v2.0/rbac-policies get_rbac_policy ✅ ✅ Project member
Show RBAC policy GET /v2.0/rbac-policies/{id} get_rbac_policy ✅ ✅ Project member
Create RBAC policy POST /v2.0/rbac-policies create_rbac_policy ❌ ✅ Project member
Update RBAC policy PUT /v2.0/rbac-policies/{id} update_rbac_policy ❌ ✅ Project member
Delete RBAC policy DELETE /v2.0/rbac-policies/{id} delete_rbac_policy ❌ ✅ Project member

QoS Policies Management

Operation Endpoint Policy Reader Member Conditions
List QoS policies GET /v2.0/qos/policies get_policy 🔍 🔍 Project or shared*
Show QoS policy GET /v2.0/qos/policies/{id} get_policy 🔍 🔍 Project or shared*

*Visibility rules: project member or shared QoS policy


QoS Policy Tags Management

Operation Endpoint Policy Reader Member Conditions
Get QoS policy tags GET /v2.0/qos/policies/{id}/tags get_policies_tags 🔍 🔍 Project or shared*

*Visibility rules: project member or shared QoS policy


QoS Rule Types Management

Operation Endpoint Policy Reader Member Conditions
List rule types GET /v2.0/qos/rule-types get_rule_type ✅ ✅ Global information
Show rule type GET /v2.0/qos/rule-types/{type} get_rule_type ✅ ✅ Global information

Service Providers Management

Operation Endpoint Policy Reader Member Conditions
Get service providers GET /v2.0/service-providers get_service_provider ✅ ✅ Global information

Availability Zones Management

Operation Endpoint Policy Reader Member Conditions
List availability zones GET /v2.0/availability_zones get_availability_zone ✅ ✅ Global information

BYOIP (Bring Your Own IP) Features

Support Activation Required

The following features require a dedicated BYOIP role that must be activated by Infomaniak support before use. Without it, the corresponding attribute-level policies are denied to both the reader and the member role, even though the base operation (for example create_port) is allowed to members.

Operation Endpoint Policy Reader Member BYOIP Description
Create floating IP with specific IP POST /v2.0/floatingips create_floatingip:floating_ip_address ❌ ❌ ✅ Use your own IP addresses
Create port with specific IP POST /v2.0/ports create_port:fixed_ips:ip_address ❌ ❌ ✅ Assign specific IP to port
Disable port security POST/PUT /v2.0/ports create_port:port_security_enabled / update_port:port_security_enabled ❌ ❌ ✅ Disable security groups on a port
Configure allowed address pairs PUT /v2.0/ports/{id} update_port:allowed_address_pairs ❌ ❌ ✅ Allow additional MAC/IP pairs on a port (anti-spoofing exception)
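Neutron enforces the base policy (create_port, update_port, create_floatingip) and, in addition, one attribute-level policy named action:attribute[:sub-attribute] for each gated attribute present in the request body, which is why a member credential can create a port but is refused as soon as the body carries fixed_ips.ip_address or port_security_enabled. The pre-flight check below, an added example that is not Infomaniak's or Neutron's own code, maps a request body to the policies this page's Port Management, Floating IP Management and BYOIP tables list and reports which of them the credential's roles lack. The role name byoip is an assumption (the page only speaks of a special role), and the request bodies are constructed sample data.

```python
"""Pre-flight check: which Neutron policies does a request trigger, and does the role allow them?

Added example, not Infomaniak's or Neutron's own code. Policy names and role
columns come from this page's Port / Floating IP / BYOIP tables; the 'byoip'
role name is an assumption. Request bodies are constructed sample data.
"""

# Attribute paths that have their own policy row on this page.
ATTRIBUTE_POLICIES = {
    ("create_port", "fixed_ips", "ip_address"),
    ("create_port", "port_security_enabled"),
    ("update_port", "port_security_enabled"),
    ("update_port", "allowed_address_pairs"),
    ("create_floatingip", "floating_ip_address"),
}

# Roles that may invoke each policy, taken from the Reader / Member / BYOIP columns.
ALLOWED_ROLES = {
    "create_port": {"member"},
    "update_port": {"member"},
    "create_floatingip": {"member"},
    "update_floatingip": {"member"},
    "create_port:fixed_ips:ip_address": {"byoip"},
    "create_port:port_security_enabled": {"byoip"},
    "update_port:port_security_enabled": {"byoip"},
    "update_port:allowed_address_pairs": {"byoip"},
    "create_floatingip:floating_ip_address": {"byoip"},
}


def required_policies(action, body):
    """Return the policy names Neutron checks for `action` with this request body.

    The base action is always checked. An attribute policy is added when the
    attribute (or a sub-attribute inside a list of dicts, as with fixed_ips)
    is present in the body. Simplification: Neutron skips the attribute check
    on create when the supplied value equals the attribute default; here any
    explicitly supplied gated attribute counts.
    """
    required = [action]
    for attr, value in body.items():
        if (action, attr) in ATTRIBUTE_POLICIES:
            required.append("%s:%s" % (action, attr))
        if isinstance(value, list):
            sub_attrs = {k for item in value if isinstance(item, dict) for k in item}
            for sub in sorted(sub_attrs):
                if (action, attr, sub) in ATTRIBUTE_POLICIES:
                    required.append("%s:%s:%s" % (action, attr, sub))
    return required


def preflight(action, body, roles):
    """Return (required, denied): policies the request triggers, and those the roles lack."""
    roles = {r.lower() for r in roles}
    required = required_policies(action, body)
    denied = [p for p in required if not (ALLOWED_ROLES.get(p, set()) & roles)]
    return required, denied


# Constructed request bodies (the outer 'port' / 'floatingip' JSON wrapper removed)
PLAIN_PORT = {"network_id": "net-1", "name": "web-0"}
BYOIP_PORT = {
    "network_id": "net-1",
    "fixed_ips": [{"subnet_id": "subnet-1", "ip_address": "10.0.0.5"}],
    "port_security_enabled": False,
}
ADDRESS_PAIRS = {"allowed_address_pairs": [{"ip_address": "10.0.0.0/24"}]}
PINNED_FIP = {"floating_network_id": "ext-net", "floating_ip_address": "203.0.113.10"}

if __name__ == "__main__":
    for action, body, roles in [
        ("create_port", PLAIN_PORT, {"member"}),
        ("create_port", BYOIP_PORT, {"member"}),
        ("create_port", BYOIP_PORT, {"member", "byoip"}),
        ("update_port", ADDRESS_PAIRS, {"member"}),
        ("create_floatingip", PINNED_FIP, {"reader"}),
    ]:
        required, denied = preflight(action, body, roles)
        print(action, sorted(roles), "needs", required, "denied", denied)
```

Run this against the bodies your automation is about to send: an empty denied list for the member role means the request needs no support ticket, while any entry ending in ip_address, port_security_enabled, allowed_address_pairs or floating_ip_address means the BYOIP role must be activated first.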

BYOIP Role Activation

To activate BYOIP features:

  1. Contact Infomaniak support
  2. Provide use case and IP range details
  3. Wait for approval and activation

Capabilities Summary by Role

Reader Role

Granted permissions:

  • ✅ View all project networking resources
  • ✅ View shared and external networks
  • ✅ View routers and floating IPs
  • ✅ View security groups and rules
  • ✅ View ports and subnets
  • ✅ View trunks and subports
  • ✅ View QoS policies and rule types
  • ✅ View RBAC policies
  • ✅ View global service information

Limitations:

  • ❌ No creation or modification actions
  • ❌ No network topology changes
  • ❌ No security policy management
  • ❌ No resource sharing configuration

Member Role

Granted permissions:

  • ✅ All Reader capabilities
  • ✅ Create and manage networks
  • ✅ Create and manage subnets
  • ✅ Create and manage ports
  • ✅ Create and manage routers
  • ✅ Manage router interfaces
  • ✅ Create and manage security groups
  • ✅ Manage security group rules
  • ✅ Create and manage floating IPs
  • ✅ Configure port forwarding
  • ✅ Manage trunks and subports
  • ✅ Configure RBAC policies
  • ✅ Manage all resource tags

Limitations:

  • ❌ Limited to project-scoped operations
  • ❌ Cannot create shared or external networks
  • ❌ Cannot create or modify QoS policies
  • ❌ Cannot set the BYOIP-gated attributes (specific fixed or floating IP addresses, port security, allowed address pairs) without the BYOIP role

Usage Examples

Network Monitoring Application

Use case: Network monitoring dashboard

Recommended role: reader

# Application Credential
role: reader

# Possible actions
- openstack network list
- openstack router list
- openstack floating ip list
- openstack security group list
- openstack port list

Infrastructure Management Application

Use case: Automated network provisioning, CI/CD

Recommended role: member

# Application Credential
role: member

# Possible actions
- openstack network create private-net
- openstack subnet create --network private-net --subnet-range 10.0.0.0/24 private-subnet
- openstack router create my-router
- openstack router add subnet my-router private-subnet
- openstack floating ip create external-net
- openstack security group create web-servers

Context Variables

Policies use the following variables to determine authorizations:

Variable Description
%(project_id)s Current user's project ID
%(tenant_id)s Current user's tenant ID (legacy)
%(network:tenant_id)s Network owner's tenant ID
%(security_group:tenant_id)s Security group owner's tenant ID
%(ext_parent:tenant_id)s Parent resource owner's tenant ID
%(target_tenant)s Target tenant for RBAC operations
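The variables above are substituted into oslo.policy rule strings at enforcement time: a generic check such as tenant_id:%(network:tenant_id)s compares the caller's tenant_id with the owner of the parent network in the target, while Neutron's field:networks:shared=True form tests an attribute of the target itself. The evaluator below is an added example, not Infomaniak's or Neutron's code: it implements the oslo.policy expression syntax (role:, rule:, generic and field: checks combined with and/or/not and parentheses) and ships a RULES table simplified to reproduce the reader/member behaviour of this matrix rather than the full Neutron policy.yaml. The byoip role name is an assumption, and the credentials and targets are constructed sample data.

```python
"""Minimal oslo.policy-style evaluator for the Neutron rule syntax behind this matrix.

Added example, not Infomaniak's or Neutron's own code. RULES is simplified to
match this page's reader/member rows; 'byoip' is an assumed role name.
Credentials and targets are constructed sample data.
"""
import re

# Rule syntax: role:<name> | rule:<name> | <cred_key>:%(target_key)s | field:<res>:<attr>=<val>
RULES = {
    "context_is_admin": "role:admin",
    "reader_or_member": "role:reader or role:member",
    "owner": "tenant_id:%(tenant_id)s",
    "admin_or_owner": "rule:context_is_admin or rule:owner",
    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
    "shared": "field:networks:shared=True",
    "external": "field:networks:router:external=True",
    # Network Management: readers and members see project, shared or external networks
    "get_network": "rule:context_is_admin or (rule:reader_or_member and (rule:owner or rule:shared or rule:external))",
    # Writes need the member role inside the owning project
    "create_network": "rule:context_is_admin or (role:member and rule:owner)",
    # Subnet Management: creating a subnet also requires owning the parent network
    "create_subnet": "rule:context_is_admin or (role:member and rule:admin_or_network_owner)",
    # BYOIP table: attribute-level policy denied to reader and member alike
    "create_port:port_security_enabled": "rule:context_is_admin or role:byoip",
}

_SUBST = re.compile(r"^%\((.+)\)s$")


def _tokenize(rule):
    """Split a rule into atoms, parentheses and keywords (same approach as oslo.policy)."""
    tokens = []
    for word in rule.split():
        stripped = word.lstrip("(")
        tokens.extend(["("] * (len(word) - len(stripped)))
        word = stripped
        stripped = word.rstrip(")")           # '%(tenant_id)s' ends in 's', so it survives
        if stripped:
            tokens.append(stripped.lower() if stripped.lower() in ("and", "or", "not") else stripped)
        tokens.extend([")"] * (len(word) - len(stripped)))
    return tokens


def _check(atom, creds, target, depth):
    """Evaluate one atom such as 'role:member' or 'tenant_id:%(network:tenant_id)s'."""
    kind, _, match = atom.partition(":")
    if kind == "rule":                        # undefined rule reference fails, as in oslo.policy
        return match in RULES and evaluate(RULES[match], creds, target, depth + 1)
    if kind == "role":
        return match.lower() in {r.lower() for r in creds.get("roles", [])}
    if kind == "field":                       # field:<resource>:<attr>=<value> tests the target
        _resource, _, attr_value = match.partition(":")
        attr, _, wanted = attr_value.partition("=")
        return attr in target and str(target[attr]) == wanted
    sub = _SUBST.match(match)                 # generic check: creds[kind] == substituted value
    if sub:
        if sub.group(1) not in target:        # missing target key denies
            return False
        match = str(target[sub.group(1)])
    return kind in creds and str(creds[kind]) == match


def evaluate(rule, creds, target, depth=0):
    """Evaluate a rule expression with 'and' / 'or' / 'not' and parentheses."""
    if depth > 32:
        raise RecursionError("rule reference cycle in %r" % rule)
    tokens = _tokenize(rule)
    if not tokens:
        return True                           # an empty rule is always allowed
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def expr():                               # expr := term ('or' term)*
        nonlocal pos
        result = term()
        while peek() == "or":
            pos += 1
            rhs = term()                      # always consume the right-hand side
            result = result or rhs
        return result

    def term():                               # term := factor ('and' factor)*
        nonlocal pos
        result = factor()
        while peek() == "and":
            pos += 1
            rhs = factor()
            result = result and rhs
        return result

    def factor():                             # factor := 'not' factor | '(' expr ')' | atom
        nonlocal pos
        tok = peek()
        if tok == "not":
            pos += 1
            return not factor()
        if tok == "(":
            pos += 1
            value = expr()
            if peek() != ")":
                raise ValueError("unbalanced parentheses in rule %r" % rule)
            pos += 1
            return value
        if tok is None or tok in ("and", "or", ")"):
            raise ValueError("malformed rule %r" % rule)
        pos += 1
        return _check(tok, creds, target, depth)

    result = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in rule %r" % rule)
    return result


def enforce(policy, creds, target):
    """Return True if the named policy permits `creds` to act on `target`."""
    return evaluate(RULES[policy], creds, target)


# Constructed credentials and targets; keys mirror the Context Variables table
READER = {"roles": ["reader"], "tenant_id": "proj-a"}
MEMBER = {"roles": ["member"], "tenant_id": "proj-a"}
OWN_NET = {"tenant_id": "proj-a", "shared": False, "router:external": False}
EXT_NET = {"tenant_id": "cloud-admin", "shared": False, "router:external": True}
OTHER_NET = {"tenant_id": "proj-b", "shared": False, "router:external": False}

if __name__ == "__main__":
    for policy, creds, target in [
        ("get_network", READER, OWN_NET),
        ("get_network", READER, EXT_NET),
        ("get_network", READER, OTHER_NET),
        ("create_network", READER, OWN_NET),
        ("create_subnet", MEMBER, {"tenant_id": "proj-a", "network:tenant_id": EXT_NET["tenant_id"]}),
    ]:
        print(policy, creds["roles"], "->", enforce(policy, creds, target))
```

The create_subnet case is the one that catches people: the member credential owns the subnet it is creating, but admin_or_network_owner resolves %(network:tenant_id)s to the external network's owner, so the request is denied exactly as the "Network owner" condition in the Subnet Management table says.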

Important Notes

Best Practices

  1. Principle of least privilege: Use the reader role for monitoring applications, and issue member credentials only to automation that must create or change resources
  2. Project isolation: Most operations are scoped to the user's project
  3. Shared resources: Shared and external networks are visible to non-owners, but their subnets can only be created or modified by the network owner
  4. Security groups: Default security groups cannot be deleted
  5. RBAC policies: Use carefully to avoid unintended resource sharing; a member credential can share project resources with other projects through them

Neutron Service Overview

Neutron provides network connectivity as a service for OpenStack. Key features include:

  • Virtual networks and subnets
  • Router and gateway management
  • Security groups and firewall rules
  • Floating IP and port forwarding
  • Load balancing and VPN services
  • QoS and traffic shaping

Infomaniak Specificities

  • External networks are managed by Infomaniak administrators
  • Some advanced networking features may be restricted
  • QoS policy creation requires admin privileges
  • Network sharing via RBAC should be used carefully
  • BYOIP features: Special role required (contact support for activation)