Octavia Policies

Introduction

This document presents the permissions available for reader and member roles on the Octavia service (load balancer management) of Infomaniak Public Cloud, based on OpenStack default policies.

Context

Application Credentials must be created with the appropriate role according to functional needs. This matrix helps you choose the right role for load balancing operations.

Legend

| Symbol | Meaning |
|---|---|
| ✅ | Allowed - The policy explicitly permits this action |
| ❌ | Forbidden - The policy explicitly denies this action |
| 🔍 | Conditional - Allowed based on project membership |

Load Balancer Management

Basic Load Balancer Operations

| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List load balancers | GET /v2/lbaas/loadbalancers | os_load-balancer_api:loadbalancer:get_all | ✅ | ✅ | Project resources |
| Show load balancer | GET /v2/lbaas/loadbalancers/{loadbalancer_id} | os_load-balancer_api:loadbalancer:get_one | 🔍 | 🔍 | Project ownership |
| Create load balancer | POST /v2/lbaas/loadbalancers | os_load-balancer_api:loadbalancer:post | ❌ | ✅ | |
| Update load balancer | PUT /v2/lbaas/loadbalancers/{loadbalancer_id} | os_load-balancer_api:loadbalancer:put | ❌ | 🔍 | Project ownership |
| Delete load balancer | DELETE /v2/lbaas/loadbalancers/{loadbalancer_id} | os_load-balancer_api:loadbalancer:delete | ❌ | 🔍 | Project ownership |

Load Balancer Monitoring

| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| Show statistics | GET /v2/lbaas/loadbalancers/{loadbalancer_id}/stats | os_load-balancer_api:loadbalancer:get_stats | 🔍 | 🔍 | Project ownership |
| Show status | GET /v2/lbaas/loadbalancers/{loadbalancer_id}/status | os_load-balancer_api:loadbalancer:get_status | 🔍 | 🔍 | Project ownership |

Listener Management

Basic Listener Operations

| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List listeners | GET /v2/lbaas/listeners | os_load-balancer_api:listener:get_all | ✅ | ✅ | Project resources |
| Show listener | GET /v2/lbaas/listeners/{listener_id} | os_load-balancer_api:listener:get_one | 🔍 | 🔍 | Project ownership |
| Create listener | POST /v2/lbaas/listeners | os_load-balancer_api:listener:post | ❌ | ✅ | |
| Update listener | PUT /v2/lbaas/listeners/{listener_id} | os_load-balancer_api:listener:put | ❌ | 🔍 | Project ownership |
| Delete listener | DELETE /v2/lbaas/listeners/{listener_id} | os_load-balancer_api:listener:delete | ❌ | 🔍 | Project ownership |

Listener Monitoring

| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| Show statistics | GET /v2/lbaas/listeners/{listener_id}/stats | os_load-balancer_api:listener:get_stats | 🔍 | 🔍 | Project ownership |

Pool Management

Basic Pool Operations

| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List pools | GET /v2/lbaas/pools | os_load-balancer_api:pool:get_all | ✅ | ✅ | Project resources |
| Show pool | GET /v2/lbaas/pools/{pool_id} | os_load-balancer_api:pool:get_one | 🔍 | 🔍 | Project ownership |
| Create pool | POST /v2/lbaas/pools | os_load-balancer_api:pool:post | ❌ | ✅ | |
| Update pool | PUT /v2/lbaas/pools/{pool_id} | os_load-balancer_api:pool:put | ❌ | 🔍 | Project ownership |
| Delete pool | DELETE /v2/lbaas/pools/{pool_id} | os_load-balancer_api:pool:delete | ❌ | 🔍 | Project ownership |

Member Management

Pool Member Operations

| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List members | GET /v2/lbaas/pools/{pool_id}/members | os_load-balancer_api:member:get_all | 🔍 | 🔍 | Project pool ownership |
| Show member | GET /v2/lbaas/pools/{pool_id}/members/{member_id} | os_load-balancer_api:member:get_one | 🔍 | 🔍 | Project ownership |
| Create member | POST /v2/lbaas/pools/{pool_id}/members | os_load-balancer_api:member:post | ❌ | 🔍 | Project pool ownership |
| Update member | PUT /v2/lbaas/pools/{pool_id}/members/{member_id} | os_load-balancer_api:member:put | ❌ | 🔍 | Project ownership |
| Delete member | DELETE /v2/lbaas/pools/{pool_id}/members/{member_id} | os_load-balancer_api:member:delete | ❌ | 🔍 | Project ownership |

Health Monitor Management

| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List health monitors | GET /v2/lbaas/healthmonitors | os_load-balancer_api:healthmonitor:get_all | ✅ | ✅ | Project resources |
| Show health monitor | GET /v2/lbaas/healthmonitors/{healthmonitor_id} | os_load-balancer_api:healthmonitor:get_one | 🔍 | 🔍 | Project ownership |
| Create health monitor | POST /v2/lbaas/healthmonitors | os_load-balancer_api:healthmonitor:post | ❌ | ✅ | |
| Update health monitor | PUT /v2/lbaas/healthmonitors/{healthmonitor_id} | os_load-balancer_api:healthmonitor:put | ❌ | 🔍 | Project ownership |
| Delete health monitor | DELETE /v2/lbaas/healthmonitors/{healthmonitor_id} | os_load-balancer_api:healthmonitor:delete | ❌ | 🔍 | Project ownership |

L7 Policy Management

L7 Policy Operations

| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List L7 policies | GET /v2/lbaas/l7policies | os_load-balancer_api:l7policy:get_all | ✅ | ✅ | Project resources |
| Show L7 policy | GET /v2/lbaas/l7policies/{l7policy_id} | os_load-balancer_api:l7policy:get_one | 🔍 | 🔍 | Project ownership |
| Create L7 policy | POST /v2/lbaas/l7policies | os_load-balancer_api:l7policy:post | ❌ | ✅ | |
| Update L7 policy | PUT /v2/lbaas/l7policies/{l7policy_id} | os_load-balancer_api:l7policy:put | ❌ | 🔍 | Project ownership |
| Delete L7 policy | DELETE /v2/lbaas/l7policies/{l7policy_id} | os_load-balancer_api:l7policy:delete | ❌ | 🔍 | Project ownership |

L7 Rule Operations

| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List L7 rules | GET /v2/lbaas/l7policies/{l7policy_id}/rules | os_load-balancer_api:l7rule:get_all | 🔍 | 🔍 | Project L7 policy ownership |
| Show L7 rule | GET /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id} | os_load-balancer_api:l7rule:get_one | 🔍 | 🔍 | Project ownership |
| Create L7 rule | POST /v2/lbaas/l7policies/{l7policy_id}/rules | os_load-balancer_api:l7rule:post | ❌ | 🔍 | Project L7 policy ownership |
| Update L7 rule | PUT /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id} | os_load-balancer_api:l7rule:put | ❌ | 🔍 | Project ownership |
| Delete L7 rule | DELETE /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id} | os_load-balancer_api:l7rule:delete | ❌ | 🔍 | Project ownership |

Flavor Management

| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List flavors | GET /v2.0/lbaas/flavors | os_load-balancer_api:flavor:get_all | ✅ | ✅ | Available flavors |
| Show flavor | GET /v2.0/lbaas/flavors/{flavor_id} | os_load-balancer_api:flavor:get_one | ✅ | ✅ | Flavor details |

Availability Zone Management

| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List availability zones | GET /v2.0/lbaas/availabilityzones | os_load-balancer_api:availability-zone:get_all | ✅ | ✅ | Available zones |
| Show availability zone | GET /v2.0/lbaas/availabilityzones/{availability_zone_id} | os_load-balancer_api:availability-zone:get_one | ✅ | ✅ | Zone details |

Provider Management

| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List providers | GET /v2/lbaas/providers | os_load-balancer_api:provider:get_all | ✅ | ✅ | Available providers |

Quota Management

| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List quotas | GET /v2/lbaas/quotas | os_load-balancer_api:quota:get_all | ✅ | ✅ | Project quotas |
| Show quota | GET /v2/lbaas/quotas/{project_id} | os_load-balancer_api:quota:get_one | ✅ | ✅ | Project quotas |
| Show default quota | GET /v2/lbaas/quotas/{project_id}/default | os_load-balancer_api:quota:get_defaults | ✅ | ✅ | Default quotas |

Capabilities Summary by Role

Reader role

Granted permissions:

  • ✅ View all project load balancers and components
  • ✅ View load balancer statistics and status
  • ✅ View listener statistics
  • ✅ Access flavors and availability zones
  • ✅ View providers and quotas
  • ✅ Monitor health monitors and L7 policies

Limitations:

  • ❌ No creation or modification actions
  • ❌ No configuration changes
  • ❌ No operational management

Member role

Granted permissions:

  • ✅ All Reader capabilities
  • ✅ Create and manage load balancers
  • ✅ Configure listeners and pools
  • ✅ Manage pool members
  • ✅ Set up health monitoring
  • ✅ Configure L7 policies and rules
  • ✅ Full operational management

Limitations:

  • ❌ No administrative operations (failover, amphora management)
  • ❌ Limited to project-scoped operations

Usage Examples

Load Balancer Monitoring Application

Use case: Infrastructure monitoring, health dashboard

Recommended role: reader

```yaml
# Application Credential
role: reader

# Possible actions
- openstack loadbalancer list
- openstack loadbalancer show <lb-id>
- openstack loadbalancer stats show <lb-id>
- openstack loadbalancer status show <lb-id>
- openstack loadbalancer listener list
```

Load Balancer Management Application

Use case: Infrastructure automation, CI/CD deployment

Recommended role: member

```yaml
# Application Credential
role: member

# Possible actions
- openstack loadbalancer create --name my-lb --vip-subnet-id <subnet-id>
- openstack loadbalancer listener create --name http-listener --protocol HTTP --protocol-port 80 <lb-id>
- openstack loadbalancer pool create --name web-pool --lb-algorithm ROUND_ROBIN --listener <listener-id> --protocol HTTP
- openstack loadbalancer member create --subnet-id <subnet-id> --address 192.168.1.10 --protocol-port 80 <pool-id>
```

Auto-scaling Integration Application

Use case: Dynamic member management, auto-scaling

Recommended role: member

```yaml
# Application Credential
role: member

# Auto-scaling operations
- openstack loadbalancer member create --subnet-id <subnet-id> --address <new-server-ip> --protocol-port 80 <pool-id>
- openstack loadbalancer member set --weight 1 <pool-id> <member-id>
- openstack loadbalancer member delete <pool-id> <member-id>
# the pool is a positional argument of "healthmonitor create", not a --pool option
- openstack loadbalancer healthmonitor create --delay 5 --max-retries 3 --timeout 10 --type HTTP <pool-id>
```

Context Variables

Policies use the following variables to determine authorizations:

| Variable | Description |
|---|---|
| %(project_id)s | Current user's project ID |
| %(loadbalancer_id)s | Target load balancer ID |
| %(listener_id)s | Target listener ID |
| %(pool_id)s | Target pool ID |
| %(member_id)s | Target member ID |
| %(healthmonitor_id)s | Target health monitor ID |
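As an added example (not Infomaniak's or Octavia's own code), the following Python models how the 🔍 condition from the legend is evaluated: each rule is an oslo.policy-style string, and `%(project_id)s` is expanded from the target resource as the context variables table describes. The rule strings are an illustrative reconstruction of the matrix rather than the provider's real policy file, and `action_for` assumes the CLI resource word (`listener`, `pool`, ...) equals the policy resource name; `least_privileged_role` then applies the matrix to the command lists from the usage examples to pick the lowest role for an Application Credential.

```python
"""Mini oslo.policy-style evaluator for the matrix above. Added example, not
Infomaniak's or Octavia's code: the rule strings illustratively reconstruct the
tables (not the provider's policy file) and the CLI-to-policy mapping assumes
that the CLI resource word equals the policy resource name."""
OWNER = "project_id:%(project_id)s"  # the 🔍 condition, expanded from the target

def _owned(*roles):  # "and" binds tighter than "or", as in oslo.policy
    return " or ".join(f"role:{r} and {OWNER}" for r in roles)

POLICIES = {}
for res in ("loadbalancer", "listener", "pool", "member", "healthmonitor"):
    p = f"os_load-balancer_api:{res}:"
    POLICIES[p + "get_all"] = "role:reader or role:member"          # ✅ ✅
    POLICIES[p + "get_one"] = _owned("reader", "member")             # 🔍 🔍
    POLICIES[p + "post"] = _owned("member") if res == "member" else "role:member"
    POLICIES[p + "put"] = POLICIES[p + "delete"] = _owned("member")  # ❌ 🔍
for stat in ("stats", "status"):
    POLICIES[f"os_load-balancer_api:loadbalancer:get_{stat}"] = _owned("reader", "member")

VERBS = {"list": "get_all", "show": "get_one", "create": "post",
         "set": "put", "unset": "put", "delete": "delete"}

def action_for(command):
    """Policy name for an 'openstack loadbalancer ...' CLI line."""
    words = command.split()[2:]  # drop 'openstack loadbalancer'
    if words[0] in ("stats", "status"):  # e.g. 'stats show <lb-id>'
        return f"os_load-balancer_api:loadbalancer:get_{words[0]}"
    res = "loadbalancer" if words[0] in VERBS else words.pop(0)
    return f"os_load-balancer_api:{res}:{VERBS.get(words[0], words[0])}"

def _check(atom, creds, target):
    # One 'kind:value' atom; %(name)s is filled from the target as oslo.policy does
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds["roles"]
    return str(creds.get(kind)) == value % target

def enforce(action, creds, target):
    """True if creds may perform action on target; unknown actions are denied."""
    rule = POLICIES.get(action, "")  # unknown action: empty rule, always denied
    return bool(rule) and any(all(_check(a, creds, target) for a in c.split(" and "))
                              for c in rule.split(" or "))

def least_privileged_role(commands, project_id="proj-a"):
    """Lowest role able to run every command on its own project, else None."""
    target = {"project_id": project_id}  # constructed target resource
    for role in ("reader", "member"):
        creds = {"roles": [role], "project_id": project_id}
        if all(enforce(action_for(c), creds, target) for c in commands):
            return role
    return None
```

Admin-only operations such as amphora management are absent from the rule set, so `least_privileged_role` returns `None` for them: neither role of an Application Credential can be granted that right.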

Important Notes

Best Practices

  1. Principle of least privilege: Use the reader role for monitoring and read-only operations
  2. Project isolation: Members can only manage load balancers within their project
  3. Resource dependencies: Ensure proper order when creating load balancer components (LB → Listener → Pool → Members)
  4. Health monitoring: Set up health monitors for production workloads
  5. Application Credentials management: Create specific credentials per use case and operational needs