
Octavia Policies

Introduction

This document presents the permissions available for the load-balancer_member role on the Octavia service (load balancer management) of Infomaniak Public Cloud, based on OpenStack default policies.

Context

Application Credentials for Octavia must be created with the load-balancer_member role. The generic reader and member roles are not functional for load balancer management operations: Octavia's default policies check for its own load-balancer_* roles rather than the Keystone-wide ones, so a credential carrying only reader or member is denied even read-only calls such as listing load balancers.

Legend

Symbol Meaning
✅ Allowed - The policy explicitly permits this action
❌ Forbidden - The policy explicitly denies this action
🔍 Conditional - Allowed only when the target resource belongs to the credential's project (Octavia compares the token's project_id with the resource's project_id)

Load Balancer Management

Basic Load Balancer Operations

Operation Endpoint Policy LB Member Conditions
List load balancers GET /v2/lbaas/loadbalancers os_load-balancer_api:loadbalancer:get_all ✅ Project resources
Show load balancer GET /v2/lbaas/loadbalancers/{loadbalancer_id} os_load-balancer_api:loadbalancer:get_one 🔍 Project ownership
Create load balancer POST /v2/lbaas/loadbalancers os_load-balancer_api:loadbalancer:post ✅
Update load balancer PUT /v2/lbaas/loadbalancers/{loadbalancer_id} os_load-balancer_api:loadbalancer:put 🔍 Project ownership
Delete load balancer DELETE /v2/lbaas/loadbalancers/{loadbalancer_id} os_load-balancer_api:loadbalancer:delete 🔍 Project ownership

Load Balancer Monitoring

Operation Endpoint Policy LB Member Conditions
Show statistics GET /v2/lbaas/loadbalancers/{loadbalancer_id}/stats os_load-balancer_api:loadbalancer:get_stats 🔍 Project ownership
Show status GET /v2/lbaas/loadbalancers/{loadbalancer_id}/status os_load-balancer_api:loadbalancer:get_status 🔍 Project ownership

Listener Management

Basic Listener Operations

Operation Endpoint Policy LB Member Conditions
List listeners GET /v2/lbaas/listeners os_load-balancer_api:listener:get_all ✅ Project resources
Show listener GET /v2/lbaas/listeners/{listener_id} os_load-balancer_api:listener:get_one 🔍 Project ownership
Create listener POST /v2/lbaas/listeners os_load-balancer_api:listener:post ✅
Update listener PUT /v2/lbaas/listeners/{listener_id} os_load-balancer_api:listener:put 🔍 Project ownership
Delete listener DELETE /v2/lbaas/listeners/{listener_id} os_load-balancer_api:listener:delete 🔍 Project ownership

Listener Monitoring

Operation Endpoint Policy LB Member Conditions
Show statistics GET /v2/lbaas/listeners/{listener_id}/stats os_load-balancer_api:listener:get_stats 🔍 Project ownership

Pool Management

Basic Pool Operations

Operation Endpoint Policy LB Member Conditions
List pools GET /v2/lbaas/pools os_load-balancer_api:pool:get_all ✅ Project resources
Show pool GET /v2/lbaas/pools/{pool_id} os_load-balancer_api:pool:get_one 🔍 Project ownership
Create pool POST /v2/lbaas/pools os_load-balancer_api:pool:post ✅
Update pool PUT /v2/lbaas/pools/{pool_id} os_load-balancer_api:pool:put 🔍 Project ownership
Delete pool DELETE /v2/lbaas/pools/{pool_id} os_load-balancer_api:pool:delete 🔍 Project ownership

Member Management

Pool Member Operations

Operation Endpoint Policy LB Member Conditions
List members GET /v2/lbaas/pools/{pool_id}/members os_load-balancer_api:member:get_all 🔍 Project pool ownership
Show member GET /v2/lbaas/pools/{pool_id}/members/{member_id} os_load-balancer_api:member:get_one 🔍 Project ownership
Create member POST /v2/lbaas/pools/{pool_id}/members os_load-balancer_api:member:post 🔍 Project pool ownership
Update member PUT /v2/lbaas/pools/{pool_id}/members/{member_id} os_load-balancer_api:member:put 🔍 Project ownership
Delete member DELETE /v2/lbaas/pools/{pool_id}/members/{member_id} os_load-balancer_api:member:delete 🔍 Project ownership

Health Monitor Management

Operation Endpoint Policy LB Member Conditions
List health monitors GET /v2/lbaas/healthmonitors os_load-balancer_api:healthmonitor:get_all ✅ Project resources
Show health monitor GET /v2/lbaas/healthmonitors/{healthmonitor_id} os_load-balancer_api:healthmonitor:get_one 🔍 Project ownership
Create health monitor POST /v2/lbaas/healthmonitors os_load-balancer_api:healthmonitor:post ✅
Update health monitor PUT /v2/lbaas/healthmonitors/{healthmonitor_id} os_load-balancer_api:healthmonitor:put 🔍 Project ownership
Delete health monitor DELETE /v2/lbaas/healthmonitors/{healthmonitor_id} os_load-balancer_api:healthmonitor:delete 🔍 Project ownership

L7 Policy Management

L7 Policy Operations

Operation Endpoint Policy LB Member Conditions
List L7 policies GET /v2/lbaas/l7policies os_load-balancer_api:l7policy:get_all ✅ Project resources
Show L7 policy GET /v2/lbaas/l7policies/{l7policy_id} os_load-balancer_api:l7policy:get_one 🔍 Project ownership
Create L7 policy POST /v2/lbaas/l7policies os_load-balancer_api:l7policy:post ✅
Update L7 policy PUT /v2/lbaas/l7policies/{l7policy_id} os_load-balancer_api:l7policy:put 🔍 Project ownership
Delete L7 policy DELETE /v2/lbaas/l7policies/{l7policy_id} os_load-balancer_api:l7policy:delete 🔍 Project ownership

L7 Rule Operations

Operation Endpoint Policy LB Member Conditions
List L7 rules GET /v2/lbaas/l7policies/{l7policy_id}/rules os_load-balancer_api:l7rule:get_all 🔍 Project L7 policy ownership
Show L7 rule GET /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id} os_load-balancer_api:l7rule:get_one 🔍 Project ownership
Create L7 rule POST /v2/lbaas/l7policies/{l7policy_id}/rules os_load-balancer_api:l7rule:post 🔍 Project L7 policy ownership
Update L7 rule PUT /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id} os_load-balancer_api:l7rule:put 🔍 Project ownership
Delete L7 rule DELETE /v2/lbaas/l7policies/{l7policy_id}/rules/{l7rule_id} os_load-balancer_api:l7rule:delete 🔍 Project ownership

Flavor Management

Operation Endpoint Policy LB Member Conditions
List flavors GET /v2/lbaas/flavors os_load-balancer_api:flavor:get_all ✅ Available flavors
Show flavor GET /v2/lbaas/flavors/{flavor_id} os_load-balancer_api:flavor:get_one ✅ Flavor details

Availability Zone Management

Operation Endpoint Policy LB Member Conditions
List availability zones GET /v2/lbaas/availabilityzones os_load-balancer_api:availability-zone:get_all ✅ Available zones
Show availability zone GET /v2/lbaas/availabilityzones/{availability_zone_id} os_load-balancer_api:availability-zone:get_one ✅ Zone details

Provider Management

Operation Endpoint Policy LB Member Conditions
List providers GET /v2/lbaas/providers os_load-balancer_api:provider:get_all ✅ Available providers

Quota Management

Operation Endpoint Policy LB Member Conditions
List quotas GET /v2/lbaas/quotas os_load-balancer_api:quota:get_all ✅ Project quotas
Show quota GET /v2/lbaas/quotas/{project_id} os_load-balancer_api:quota:get_one ✅ Project quotas (own project_id only)
Show default quota GET /v2/lbaas/quotas/{project_id}/default os_load-balancer_api:quota:get_defaults ✅ Default quotas

Capabilities Summary

The load-balancer_member role provides the following capabilities for the Octavia service:

  • ✅ View all project load balancers and components
  • ✅ View load balancer statistics and status
  • ✅ View listener statistics
  • ✅ Access flavors and availability zones
  • ✅ View providers and quotas
  • ✅ Monitor health monitors and L7 policies
  • ✅ Create and manage load balancers
  • ✅ Configure listeners and pools
  • ✅ Manage pool members
  • ✅ Set up health monitoring
  • ✅ Configure L7 policies and rules
  • ✅ Full operational management of the project's own load balancer resources

Limitations:

  • ❌ No administrative operations (load balancer failover, amphora management, quota changes, flavor and availability zone definitions)
  • ❌ Limited to project-scoped operations
  • ❌ Resource modification restricted to owned resources

Usage Examples

Load Balancer Monitoring Application

Use case: Infrastructure monitoring, health dashboard

Required role: load-balancer_member

# Application Credential
role: load-balancer_member

# Possible actions
- openstack loadbalancer list
- openstack loadbalancer show <lb-id>
- openstack loadbalancer stats show <lb-id>
- openstack loadbalancer status show <lb-id>
- openstack loadbalancer listener list

Load Balancer Management Application

Use case: Infrastructure automation, CI/CD deployment

Required role: load-balancer_member

# Application Credential
role: load-balancer_member

# Possible actions
- openstack loadbalancer create --name my-lb --vip-subnet-id <subnet-id>
- openstack loadbalancer listener create --name http-listener --protocol HTTP --protocol-port 80 <lb-id>
- openstack loadbalancer pool create --name web-pool --lb-algorithm ROUND_ROBIN --listener <listener-id> --protocol HTTP
- openstack loadbalancer member create --subnet-id <subnet-id> --address 192.168.1.10 --protocol-port 80 <pool-id>

Auto-scaling Integration Application

Use case: Dynamic member management, auto-scaling

Required role: load-balancer_member

# Application Credential
role: load-balancer_member

# Auto-scaling operations
- openstack loadbalancer member create --subnet-id <subnet-id> --address <new-server-ip> --protocol-port 80 <pool-id>
- openstack loadbalancer member set --weight 1 <pool-id> <member-id>
- openstack loadbalancer member delete <pool-id> <member-id>
# The pool is a positional argument, and Octavia requires timeout to be less than delay
- openstack loadbalancer healthmonitor create --delay 10 --max-retries 3 --timeout 5 --type HTTP <pool-id>

Context Variables

Policies use the following variables to determine authorizations:

Variable Description
%(project_id)s Project ID of the target resource, compared with the project ID of the caller's token
%(loadbalancer_id)s Target load balancer ID
%(listener_id)s Target listener ID
%(pool_id)s Target pool ID
%(member_id)s Target member ID
%(healthmonitor_id)s Target health monitor ID

Important Notes

Best Practices

  1. Use the load-balancer_member role: This is the only functional role for Octavia load balancer operations
  2. Project isolation: Load balancer members can only manage load balancers within their project
  3. Resource dependencies: Create load balancer components in order (LB → Listener → Pool → Members) and wait for the parent load balancer to return to provisioning_status ACTIVE before creating the next component (the CLI's --wait flag does this); a create against a parent that is still PENDING_CREATE or PENDING_UPDATE is rejected with 409 Conflict
  4. Health monitoring: Set up health monitors for production workloads
  5. Application Credentials management: Create a separate credential per use case, give each an expiration date (--expiration) and rotate it; the roles of an Application Credential are fixed at creation, so one created without load-balancer_member cannot be corrected afterwards and must be recreated