Customize RBAC policies to control which roles can perform each API operation across Polystack services. Create custom roles and map them to service-level.
Polystack services enforce role-based access control through policy files. Each service has a policy.yaml (or policy.json) file that maps API operations to role requirements. The default policies follow the principle of least privilege — admin gets full access, member gets project-scoped CRUD, and reader gets read-only access. This guide covers viewing default policies, creating custom roles, writing per-service overrides, and applying changes safely.
Administrator Access Required — This operation requires the admin role. Contact your
Polystack administrator if you do not have sufficient permissions.
The admin role implies member, which implies reader — so each role inherits the permissions of those below it.
Policy files use oslo.policy syntax. Rules can reference roles, project context, object ownership, and system scope. You only need to define overrides — unspecified rules use the service’s compiled-in defaults.
Each Polystack service reads its policy file from inside its container. Overrides are placed in /etc/ironcore/<service>/ on the host and deployed by the deployment console:
Service
Policy Override Path
Container Path
Compute (Nova)
/etc/ironcore/nova/policy.yaml
/etc/nova/policy.yaml
Block Storage (Cinder)
/etc/ironcore/cinder/policy.yaml
/etc/cinder/policy.yaml
Networking (Neutron)
/etc/ironcore/neutron/policy.yaml
/etc/neutron/policy.yaml
Image (Glance)
/etc/ironcore/glance/policy.yaml
/etc/glance/policy.yaml
Identity (Keystone)
/etc/ironcore/keystone/policy.yaml
/etc/keystone/policy.yaml
Orchestration (Heat)
/etc/ironcore/heat/policy.yaml
/etc/heat/policy.yaml
Object Storage (Swift)
/etc/ironcore/swift/policy.yaml
/etc/swift/policy.yaml
DNS (Designate)
/etc/ironcore/designate/policy.yaml
/etc/designate/policy.yaml
Key Manager (Barbican)
/etc/ironcore/barbican/policy.yaml
/etc/barbican/policy.yaml
Load Balancer (Octavia)
/etc/ironcore/octavia/policy.yaml
/etc/octavia/policy.yaml
Start with an empty override file and add only the rules you need to change. All other rules fall back to the service’s built-in defaults.
Custom roles are names you create in Keystone. They have no permissions by default — you must explicitly grant them permissions in each service’s policy file.
Create /etc/ironcore/<service>/policy.yaml with only the rules you want to change:
/etc/ironcore/nova/policy.yaml — allow network-operator to list servers
"os_compute_api:servers:index": "role:network-operator or role:member""os_compute_api:servers:detail": "role:network-operator or role:member"
/etc/ironcore/neutron/policy.yaml — allow network-operator to manage ports
"create_port": "role:network-operator or role:admin""update_port": "role:network-operator or role:admin""delete_port": "role:network-operator or role:admin""get_port": "role:network-operator or role:member"
Apply the policy changes via the deployment console
# Allow only admin role"rule_name": "role:admin"# Allow a custom role or admin"rule_name": "role:network-operator or role:admin"# Allow member and admin roles"rule_name": "role:member or role:admin"# Allow any authenticated user"rule_name": "@"# Deny everyone (disable an operation)"rule_name": "!"
Project-scoped rules
Project ownership rules
# Allow only the resource owner or admin"rule_name": "project_id:%(project_id)s or role:admin"# Allow only within the same project"rule_name": "project_id:%(target.project.id)s"
System-scope rules
System admin rules
# Require system-scope admin (cross-project operations)"rule_name": "role:admin and system_scope:all"
Combining rules with aliases
Define reusable aliases at the top of the policy file to avoid repetition:
Policy with reusable aliases
# Define aliases"is_admin": "role:admin""is_operator": "role:network-operator or role:admin""is_member": "role:member or role:admin"# Use aliases in rules"get_network": "rule:is_member""create_network": "rule:is_operator""delete_network": "rule:is_admin"
# Restrict flavor creation and deletion to admins only"os_compute_api:os-flavor-manage:create": "role:admin""os_compute_api:os-flavor-manage:delete": "role:admin"# Allow a custom 'compute-operator' role to resize instances"os_compute_api:servers:resize": "role:compute-operator or role:admin"# Restrict live migration to admins"os_compute_api:os-migrate-server:migrate_live": "role:admin"# Allow readers to list hypervisors (normally admin-only)"os_compute_api:os-hypervisors:list": "role:reader or role:admin"
/etc/ironcore/neutron/policy.yaml
# Allow a 'network-operator' role to manage routers"create_router": "role:network-operator or role:admin""update_router": "role:network-operator or role:admin""delete_router": "role:network-operator or role:admin"# Allow QoS policy creation for network admins"create_policy": "role:network-operator or role:admin""update_policy": "role:network-operator or role:admin"# Restrict floating IP allocation to members and above"create_floatingip": "role:member or role:admin"
/etc/ironcore/cinder/policy.yaml
# Restrict volume type creation to admins"volume_extension:types_manage": "role:admin"# Allow a 'storage-operator' to manage volume backups"backup:create": "role:storage-operator or role:member""backup:delete": "role:storage-operator or role:admin"# Allow members to set volume metadata"volume:update_volume_metadata": "role:member or role:admin"
/etc/ironcore/glance/policy.yaml
# Restrict image deletion to image owner or admin"delete_image": "rule:image_owner or role:admin"# Allow a custom 'image-publisher' role to publicize images"publicize_image": "role:image-publisher or role:admin"# Restrict community image creation to members+"communitize_image": "role:member or role:admin"
/etc/ironcore/keystone/policy.yaml
# Allow a 'domain-admin' role to manage users within a domain"identity:list_users": "rule:cloud_admin or rule:domain_admin""identity:create_user": "rule:cloud_admin or rule:domain_admin""identity:update_user": "rule:cloud_admin or rule:domain_admin"# Restrict role assignment to cloud admins only"identity:create_grant": "role:admin and system_scope:all"
Overly permissive policies are a leading cause of privilege escalation incidents. Test policy changes in a staging environment before applying to production. Always restrict — never relax — default policies without documented justification.
Maintain a change log for all policy modifications. Document the business justification, date of change, and approver for each policy override. This record is essential for compliance audits.
