Nova Policies
Introduction
This document presents the permissions available for reader and member roles on the Nova service (compute management) of Infomaniak Public Cloud, based on OpenStack default policies.
Context
Application Credentials must be created with the appropriate role according to functional needs. This matrix helps you choose the right role.
Legend
| Symbol | Meaning |
|---|---|
 |
Allowed - The policy explicitly permits this action |
 |
Forbidden - The policy explicitly denies this action |
 |
Conditional - Allowed based on ownership or project membership |
Server Management
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List servers | GET /servers |
os_compute_api:servers:index |
|
|
Project only |
| List servers (detailed) | GET /servers/detail |
os_compute_api:servers:detail |
|
|
Project only |
| Show server | GET /servers/{id} |
os_compute_api:servers:show |
|
|
Project only |
| Create server | POST /servers |
os_compute_api:servers:create |
|
|
Project member |
| Update server | PUT /servers/{id} |
os_compute_api:servers:update |
|
|
Project member |
| Delete server | DELETE /servers/{id} |
os_compute_api:servers:delete |
|
|
Project member |
Server Actions
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| Start server | POST /servers/{id}/action (os-start) |
os_compute_api:servers:start |
|
|
Project member |
| Stop server | POST /servers/{id}/action (os-stop) |
os_compute_api:servers:stop |
|
|
Project member |
| Reboot server | POST /servers/{id}/action (reboot) |
os_compute_api:servers:reboot |
|
|
Project member |
| Pause server | POST /servers/{id}/action (pause) |
os_compute_api:os-pause-server:pause |
|
|
Project member |
| Unpause server | POST /servers/{id}/action (unpause) |
os_compute_api:os-pause-server:unpause |
|
|
Project member |
| Suspend server | POST /servers/{id}/action (suspend) |
os_compute_api:os-suspend-server:suspend |
|
|
Project member |
| Resume server | POST /servers/{id}/action (resume) |
os_compute_api:os-suspend-server:resume |
|
|
Project member |
| Lock server | POST /servers/{id}/action (lock) |
os_compute_api:os-lock-server:lock |
|
|
Project member |
| Unlock server | POST /servers/{id}/action (unlock) |
os_compute_api:os-lock-server:unlock |
|
|
Project member |
Server Lifecycle
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| Resize server | POST /servers/{id}/action (resize) |
os_compute_api:servers:resize |
|
|
Project member |
| Confirm resize | POST /servers/{id}/action (confirmResize) |
os_compute_api:servers:confirm_resize |
|
|
Project member |
| Revert resize | POST /servers/{id}/action (revertResize) |
os_compute_api:servers:revert_resize |
|
|
Project member |
| Rebuild server | POST /servers/{id}/action (rebuild) |
os_compute_api:servers:rebuild |
|
|
Project member |
| Rescue server | POST /servers/{id}/action (rescue) |
os_compute_api:os-rescue |
|
|
Project member |
| Unrescue server | POST /servers/{id}/action (unrescue) |
os_compute_api:os-unrescue |
|
|
Project member |
| Shelve server | POST /servers/{id}/action (shelve) |
os_compute_api:os-shelve:shelve |
|
|
Project member |
| Unshelve server | POST /servers/{id}/action (unshelve) |
os_compute_api:os-shelve:unshelve |
|
|
Project member |
| Migrate server | POST /servers/{id}/action (migrate) |
os_compute_api:os-migrate-server:migrate |
|
|
Project member |
Server Images & Backups
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| Create image | POST /servers/{id}/action (createImage) |
os_compute_api:servers:create_image |
|
|
Project member |
| Create backup | POST /servers/{id}/action (createBackup) |
os_compute_api:os-create-backup |
|
|
Project member |
Server Information
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List actions | GET /servers/{id}/os-instance-actions |
os_compute_api:os-instance-actions:list |
|
|
Project only |
| Show action | GET /servers/{id}/os-instance-actions/{req_id} |
os_compute_api:os-instance-actions:show |
|
|
Project only |
| Get console output | POST /servers/{id}/action (os-getConsoleOutput) |
os_compute_api:os-console-output |
|
|
Project member |
| Get remote console | POST /servers/{id}/remote-consoles |
os_compute_api:os-remote-consoles |
|
|
Project member |
| Show topology | GET /servers/{id}/topology |
compute:server:topology:index |
|
|
Project only |
Server Metadata
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List metadata | GET /servers/{id}/metadata |
os_compute_api:server-metadata:index |
|
|
Project only |
| Show metadata | GET /servers/{id}/metadata/{key} |
os_compute_api:server-metadata:show |
|
|
Project only |
| Create metadata | POST /servers/{id}/metadata |
os_compute_api:server-metadata:create |
|
|
Project member |
| Update metadata | PUT /servers/{id}/metadata/{key} |
os_compute_api:server-metadata:update |
|
|
Project member |
| Replace metadata | PUT /servers/{id}/metadata |
os_compute_api:server-metadata:update_all |
|
|
Project member |
| Delete metadata | DELETE /servers/{id}/metadata/{key} |
os_compute_api:server-metadata:delete |
|
|
Project member |
Server Tags
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List tags | GET /servers/{id}/tags |
os_compute_api:os-server-tags:index |
|
|
Project only |
| Show tag | GET /servers/{id}/tags/{tag} |
os_compute_api:os-server-tags:show |
|
|
Project only |
| Add tag | PUT /servers/{id}/tags/{tag} |
os_compute_api:os-server-tags:update |
|
|
Project member |
| Replace tags | PUT /servers/{id}/tags |
os_compute_api:os-server-tags:update_all |
|
|
Project member |
| Delete tag | DELETE /servers/{id}/tags/{tag} |
os_compute_api:os-server-tags:delete |
|
|
Project member |
| Delete all tags | DELETE /servers/{id}/tags |
os_compute_api:os-server-tags:delete_all |
|
|
Project member |
Networking
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List interfaces | GET /servers/{id}/os-interface |
os_compute_api:os-attach-interfaces:list |
|
|
Project only |
| Show interface | GET /servers/{id}/os-interface/{port_id} |
os_compute_api:os-attach-interfaces:show |
|
|
Project only |
| Attach interface | POST /servers/{id}/os-interface |
os_compute_api:os-attach-interfaces:create |
|
|
Project member |
| Detach interface | DELETE /servers/{id}/os-interface/{port_id} |
os_compute_api:os-attach-interfaces:delete |
|
|
Project member |
| List server IPs | GET /servers/{id}/ips |
os_compute_api:ips:index |
|
|
Project only |
| Show network IPs | GET /servers/{id}/ips/{network} |
os_compute_api:ips:show |
|
|
Project only |
Volume Attachments
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List attachments | GET /servers/{id}/os-volume_attachments |
os_compute_api:os-volumes-attachments:index |
|
|
Project only |
| Show attachment | GET /servers/{id}/os-volume_attachments/{vol_id} |
os_compute_api:os-volumes-attachments:show |
|
|
Project only |
| Attach volume | POST /servers/{id}/os-volume_attachments |
os_compute_api:os-volumes-attachments:create |
|
|
Project member |
| Update attachment | PUT /servers/{id}/os-volume_attachments/{vol_id} |
os_compute_api:os-volumes-attachments:update |
|
|
Project member |
| Detach volume | DELETE /servers/{id}/os-volume_attachments/{vol_id} |
os_compute_api:os-volumes-attachments:delete |
|
|
Project member |
SSH Key Management
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List keypairs | GET /os-keypairs |
os_compute_api:os-keypairs:index |
|
|
Own keypairs |
| Show keypair | GET /os-keypairs/{name} |
os_compute_api:os-keypairs:show |
|
|
Own keypairs |
| Create keypair | POST /os-keypairs |
os_compute_api:os-keypairs:create |
|
|
Own keypairs |
| Delete keypair | DELETE /os-keypairs/{name} |
os_compute_api:os-keypairs:delete |
|
|
Own keypairs |
Keypair Access
Keypair operations are restricted to the user who owns them (user_id:%(user_id)s), regardless of role.
Server Groups
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List server groups | GET /os-server-groups |
os_compute_api:os-server-groups:index |
|
|
Project only |
| Show server group | GET /os-server-groups/{id} |
os_compute_api:os-server-groups:show |
|
|
Project only |
| Create server group | POST /os-server-groups |
os_compute_api:os-server-groups:create |
|
|
Project member |
| Delete server group | DELETE /os-server-groups/{id} |
os_compute_api:os-server-groups:delete |
|
|
Project member |
Flavors
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| Show extra spec | GET /flavors/{id}/os-extra_specs/{key} |
os_compute_api:os-flavor-extra-specs:show |
|
|
Project only |
| List extra specs | GET /flavors/{id}/os-extra_specs/ |
os_compute_api:os-flavor-extra-specs:index |
|
|
Project only |
System Information
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| Show limits | GET /limits |
os_compute_api:limits |
|
|
All users |
| Show quotas | GET /os-quota-sets/{tenant_id} |
os_compute_api:os-quota-sets:show |
|
|
Project only |
| Show quota details | GET /os-quota-sets/{tenant_id}/detail |
os_compute_api:os-quota-sets:detail |
|
|
Project only |
| Show default quotas | GET /os-quota-sets/{tenant_id}/defaults |
os_compute_api:os-quota-sets:defaults |
|
|
All users |
| List extensions | GET /extensions |
os_compute_api:extensions |
|
|
All users |
| Show extension | GET /extensions/{alias} |
os_compute_api:extensions |
|
|
All users |
| List availability zones | GET /os-availability-zone |
os_compute_api:os-availability-zone:list |
|
|
All users |
Capabilities Summary by Role
Granted permissions:
- View all project servers and details
- Access server metadata, tags, and configuration
- View network interfaces and IP addresses
- Access server actions history and topology
- View volume attachments and server groups
- View quotas, limits, and system information
- Manage own SSH keypairs
Limitations:
- No server creation, modification, or deletion
- No server actions (start, stop, reboot, etc.)
- No metadata, tags, or attachment management
- Limited to read-only operations
Granted permissions:
- All Reader capabilities
- Create, update, and delete servers
- Perform all server actions and lifecycle operations
- Manage server metadata and tags
- Create and manage server images and backups
- Attach/detach volumes and network interfaces
- Manage server groups
- Access console and remote console
Limitations:
- No administrative functions
- Limited to project-scoped operations
- Cannot access other projects' resources
Usage Examples
Server Monitoring Application
Use case: Monitoring dashboard, alerting system
Recommended role: reader
# Application Credential
role: reader
# Possible actions
- openstack server list
- openstack server show <server-id>
- openstack server action list <server-id>
- openstack quota show
Server Management Application
Use case: CI/CD, infrastructure automation, deployment tools
Recommended role: member
# Application Credential
role: member
# Possible actions
- openstack server create --flavor m1.small --image ubuntu my-server
- openstack server start <server-id>
- openstack server set --property environment=production <server-id>
- openstack server image create <server-id> my-backup
- openstack volume attach <volume-id> <server-id>
Context Variables
Policies use the following variables to determine authorizations:
| Variable | Description |
|---|---|
%(project_id)s |
Current user's project ID |
%(user_id)s |
Current user ID (for keypairs) |
%(server_id)s |
Target server ID |
Important Notes
Best Practices
- Principle of least privilege: Use the
readerrole for monitoring and read-only operations - Project isolation: Members can only manage servers within their project
- Keypair management: SSH keypairs are user-scoped, not project-scoped
- Application Credentials: Create specific credentials per use case and rotate regularly