- check_str: (role:admin and is_admin_project:True) OR (role:admin and system_scope:all)
  description: Decides what is required for the 'is_admin:True' check to succeed.
  name: context_is_admin
  operations: []
  scope_types: null
- check_str: role:admin
  description: Default rule for project admin.
  name: project_admin
  operations: []
  scope_types: null
- check_str: not role:heat_stack_user
  description: Default rule for deny stack user.
  name: deny_stack_user
  operations: []
  scope_types: null
- check_str: '!'
  description: Default rule for deny everybody.
  name: deny_everybody
  operations: []
  scope_types: null
- check_str: ''
  description: Default rule for allow everybody.
  name: allow_everybody
  operations: []
  scope_types: null
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The actions API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: actions:action
  deprecated_since: W
  description: Performs non-lifecycle operations on the stack (Snapshot, Resume, Cancel
    update, or check stack resources). This is the default for all actions but can
    be overridden by more specific policies for individual actions.
  name: actions:action
  operations:
  - method: POST
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions
  scope_types: null
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The actions API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: actions:snapshot
  deprecated_since: W
  description: Create stack snapshot
  name: actions:snapshot
  operations:
  - method: POST
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The actions API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: actions:suspend
  deprecated_since: W
  description: Suspend a stack.
  name: actions:suspend
  operations:
  - method: POST
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The actions API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: actions:resume
  deprecated_since: W
  description: Resume a suspended stack.
  name: actions:resume
  operations:
  - method: POST
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The actions API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: actions:check
  deprecated_since: W
  description: Check stack resources.
  name: actions:check
  operations:
  - method: POST
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The actions API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: actions:cancel_update
  deprecated_since: W
  description: Cancel stack operation and roll back.
  name: actions:cancel_update
  operations:
  - method: POST
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The actions API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: actions:cancel_without_rollback
  deprecated_since: W
  description: Cancel stack operation without rolling back.
  name: actions:cancel_without_rollback
  operations:
  - method: POST
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/actions
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The build API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: build_info:build_info
  deprecated_since: W
  description: Show build information.
  name: build_info:build_info
  operations:
  - method: GET
    path: /v1/{tenant_id}/build_info
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The cloud formation API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: cloudformation:ListStacks
  deprecated_since: W
  description: null
  name: cloudformation:ListStacks
  operations: []
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The cloud formation API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: cloudformation:CreateStack
  deprecated_since: W
  description: null
  name: cloudformation:CreateStack
  operations: []
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The cloud formation API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: cloudformation:DescribeStacks
  deprecated_since: W
  description: null
  name: cloudformation:DescribeStacks
  operations: []
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The cloud formation API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: cloudformation:DeleteStack
  deprecated_since: W
  description: null
  name: cloudformation:DeleteStack
  operations: []
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The cloud formation API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: cloudformation:UpdateStack
  deprecated_since: W
  description: null
  name: cloudformation:UpdateStack
  operations: []
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The cloud formation API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: cloudformation:CancelUpdateStack
  deprecated_since: W
  description: null
  name: cloudformation:CancelUpdateStack
  operations: []
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The cloud formation API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: cloudformation:DescribeStackEvents
  deprecated_since: W
  description: null
  name: cloudformation:DescribeStackEvents
  operations: []
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The cloud formation API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: cloudformation:ValidateTemplate
  deprecated_since: W
  description: null
  name: cloudformation:ValidateTemplate
  operations: []
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The cloud formation API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: cloudformation:GetTemplate
  deprecated_since: W
  description: null
  name: cloudformation:GetTemplate
  operations: []
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The cloud formation API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: cloudformation:EstimateTemplateCost
  deprecated_since: W
  description: null
  name: cloudformation:EstimateTemplateCost
  operations: []
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
    or (role:heat_stack_user and project_id:%(project_id)s)
  deprecated_reason: '

    The cloud formation API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:allow_everybody
    name: cloudformation:DescribeStackResource
  deprecated_since: W
  description: null
  name: cloudformation:DescribeStackResource
  operations: []
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The cloud formation API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: cloudformation:DescribeStackResources
  deprecated_since: W
  description: null
  name: cloudformation:DescribeStackResources
  operations: []
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The cloud formation API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: cloudformation:ListStackResources
  deprecated_since: W
  description: null
  name: cloudformation:ListStackResources
  operations: []
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The events API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: events:index
  deprecated_since: W
  description: List events.
  name: events:index
  operations:
  - method: GET
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/events
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The events API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: events:show
  deprecated_since: W
  description: Show event.
  name: events:show
  operations:
  - method: GET
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/events/{event_id}
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The resources API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: resource:index
  deprecated_since: W
  description: List resources.
  name: resource:index
  operations:
  - method: GET
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
    or (role:heat_stack_user and project_id:%(project_id)s)
  deprecated_reason: '

    The resources API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:allow_everybody
    name: resource:metadata
  deprecated_since: W
  description: Show resource metadata.
  name: resource:metadata
  operations:
  - method: GET
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/metadata
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
    or (role:heat_stack_user and project_id:%(project_id)s)
  deprecated_reason: '

    The resources API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:allow_everybody
    name: resource:signal
  deprecated_since: W
  description: Signal resource.
  name: resource:signal
  operations:
  - method: POST
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}/signal
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The resources API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: resource:mark_unhealthy
  deprecated_since: W
  description: Mark resource as unhealthy.
  name: resource:mark_unhealthy
  operations:
  - method: PATCH
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name_or_physical_id}
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The resources API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: resource:show
  deprecated_since: W
  description: Show resource.
  name: resource:show
  operations:
  - method: GET
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/resources/{resource_name}
  scope_types:
  - system
  - project
- check_str: rule:project_admin
  description: null
  name: resource_types:OS::Nova::Flavor
  operations: []
  scope_types: null
- check_str: rule:project_admin
  description: null
  name: resource_types:OS::Cinder::EncryptedVolumeType
  operations: []
  scope_types: null
- check_str: rule:project_admin
  description: null
  name: resource_types:OS::Cinder::VolumeType
  operations: []
  scope_types: null
- check_str: rule:project_admin
  description: null
  name: resource_types:OS::Cinder::Quota
  operations: []
  scope_types: null
- check_str: rule:project_admin
  description: null
  name: resource_types:OS::Neutron::Quota
  operations: []
  scope_types: null
- check_str: rule:project_admin
  description: null
  name: resource_types:OS::Nova::Quota
  operations: []
  scope_types: null
- check_str: rule:project_admin
  description: null
  name: resource_types:OS::Octavia::Quota
  operations: []
  scope_types: null
- check_str: rule:project_admin
  description: null
  name: resource_types:OS::Manila::ShareType
  operations: []
  scope_types: null
- check_str: rule:project_admin
  description: null
  name: resource_types:OS::Neutron::ProviderNet
  operations: []
  scope_types: null
- check_str: rule:project_admin
  description: null
  name: resource_types:OS::Neutron::QoSPolicy
  operations: []
  scope_types: null
- check_str: rule:project_admin
  description: null
  name: resource_types:OS::Neutron::QoSBandwidthLimitRule
  operations: []
  scope_types: null
- check_str: rule:project_admin
  description: null
  name: resource_types:OS::Neutron::QoSDscpMarkingRule
  operations: []
  scope_types: null
- check_str: rule:project_admin
  description: null
  name: resource_types:OS::Neutron::QoSMinimumBandwidthRule
  operations: []
  scope_types: null
- check_str: rule:project_admin
  description: null
  name: resource_types:OS::Neutron::Segment
  operations: []
  scope_types: null
- check_str: rule:project_admin
  description: null
  name: resource_types:OS::Nova::HostAggregate
  operations: []
  scope_types: null
- check_str: rule:project_admin
  description: null
  name: resource_types:OS::Cinder::QoSSpecs
  operations: []
  scope_types: null
- check_str: rule:project_admin
  description: null
  name: resource_types:OS::Cinder::QoSAssociation
  operations: []
  scope_types: null
- check_str: rule:project_admin
  description: null
  name: resource_types:OS::Keystone::*
  operations: []
  scope_types: null
- check_str: rule:project_admin
  description: null
  name: resource_types:OS::Blazar::Host
  operations: []
  scope_types: null
- check_str: rule:project_admin
  description: null
  name: resource_types:OS::Octavia::Flavor
  operations: []
  scope_types: null
- check_str: rule:project_admin
  description: null
  name: resource_types:OS::Octavia::FlavorProfile
  operations: []
  scope_types: null
- check_str: role:reader and system_scope:all
  deprecated_reason: '

    The service API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:context_is_admin
    name: service:index
  deprecated_since: W
  description: null
  name: service:index
  operations: []
  scope_types: null
- check_str: role:reader and system_scope:all
  deprecated_reason: '

    The software configuration API now support system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_everybody
    name: software_configs:global_index
  deprecated_since: W
  description: List configs globally.
  name: software_configs:global_index
  operations:
  - method: GET
    path: /v1/{tenant_id}/software_configs
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The software configuration API now support system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: software_configs:index
  deprecated_since: W
  description: List configs.
  name: software_configs:index
  operations:
  - method: GET
    path: /v1/{tenant_id}/software_configs
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The software configuration API now support system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: software_configs:create
  deprecated_since: W
  description: Create config.
  name: software_configs:create
  operations:
  - method: POST
    path: /v1/{tenant_id}/software_configs
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The software configuration API now support system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: software_configs:show
  deprecated_since: W
  description: Show config details.
  name: software_configs:show
  operations:
  - method: GET
    path: /v1/{tenant_id}/software_configs/{config_id}
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The software configuration API now support system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: software_configs:delete
  deprecated_since: W
  description: Delete config.
  name: software_configs:delete
  operations:
  - method: DELETE
    path: /v1/{tenant_id}/software_configs/{config_id}
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The software deployment API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: software_deployments:index
  deprecated_since: W
  description: List deployments.
  name: software_deployments:index
  operations:
  - method: GET
    path: /v1/{tenant_id}/software_deployments
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The software deployment API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: software_deployments:create
  deprecated_since: W
  description: Create deployment.
  name: software_deployments:create
  operations:
  - method: POST
    path: /v1/{tenant_id}/software_deployments
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The software deployment API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: software_deployments:show
  deprecated_since: W
  description: Show deployment details.
  name: software_deployments:show
  operations:
  - method: GET
    path: /v1/{tenant_id}/software_deployments/{deployment_id}
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The software deployment API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: software_deployments:update
  deprecated_since: W
  description: Update deployment.
  name: software_deployments:update
  operations:
  - method: PUT
    path: /v1/{tenant_id}/software_deployments/{deployment_id}
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The software deployment API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: software_deployments:delete
  deprecated_since: W
  description: Delete deployment.
  name: software_deployments:delete
  operations:
  - method: DELETE
    path: /v1/{tenant_id}/software_deployments/{deployment_id}
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
    or (role:heat_stack_user and project_id:%(project_id)s)
  description: Show server configuration metadata.
  name: software_deployments:metadata
  operations:
  - method: GET
    path: /v1/{tenant_id}/software_deployments/metadata/{server_id}
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:abandon
  deprecated_since: W
  description: Abandon stack.
  name: stacks:abandon
  operations:
  - method: DELETE
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/abandon
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:create
  deprecated_since: W
  description: Create stack.
  name: stacks:create
  operations:
  - method: POST
    path: /v1/{tenant_id}/stacks
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:delete
  deprecated_since: W
  description: Delete stack.
  name: stacks:delete
  operations:
  - method: DELETE
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:detail
  deprecated_since: W
  description: List stacks in detail.
  name: stacks:detail
  operations:
  - method: GET
    path: /v1/{tenant_id}/stacks
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:export
  deprecated_since: W
  description: Export stack.
  name: stacks:export
  operations:
  - method: GET
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/export
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:generate_template
  deprecated_since: W
  description: Generate stack template.
  name: stacks:generate_template
  operations:
  - method: GET
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template
  scope_types:
  - system
  - project
- check_str: role:reader and system_scope:all
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_everybody
    name: stacks:global_index
  deprecated_since: W
  description: List stacks globally.
  name: stacks:global_index
  operations:
  - method: GET
    path: /v1/{tenant_id}/stacks
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:index
  deprecated_since: W
  description: List stacks.
  name: stacks:index
  operations:
  - method: GET
    path: /v1/{tenant_id}/stacks
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:list_resource_types
  deprecated_since: W
  description: List resource types.
  name: stacks:list_resource_types
  operations:
  - method: GET
    path: /v1/{tenant_id}/resource_types
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:list_template_versions
  deprecated_since: W
  description: List template versions.
  name: stacks:list_template_versions
  operations:
  - method: GET
    path: /v1/{tenant_id}/template_versions
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:list_template_functions
  deprecated_since: W
  description: List template functions.
  name: stacks:list_template_functions
  operations:
  - method: GET
    path: /v1/{tenant_id}/template_versions/{template_version}/functions
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
    or (role:heat_stack_user and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:allow_everybody
    name: stacks:lookup
  deprecated_since: W
  description: Find stack.
  name: stacks:lookup
  operations:
  - method: GET
    path: /v1/{tenant_id}/stacks/{stack_identity}
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:preview
  deprecated_since: W
  description: Preview stack.
  name: stacks:preview
  operations:
  - method: POST
    path: /v1/{tenant_id}/stacks/preview
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:resource_schema
  deprecated_since: W
  description: Show resource type schema.
  name: stacks:resource_schema
  operations:
  - method: GET
    path: /v1/{tenant_id}/resource_types/{type_name}
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:show
  deprecated_since: W
  description: Show stack.
  name: stacks:show
  operations:
  - method: GET
    path: /v1/{tenant_id}/stacks/{stack_identity}
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:template
  deprecated_since: W
  description: Get stack template.
  name: stacks:template
  operations:
  - method: GET
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/template
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:environment
  deprecated_since: W
  description: Get stack environment.
  name: stacks:environment
  operations:
  - method: GET
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/environment
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:files
  deprecated_since: W
  description: Get stack files.
  name: stacks:files
  operations:
  - method: GET
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/files
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:update
  deprecated_since: W
  description: Update stack.
  name: stacks:update
  operations:
  - method: PUT
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:update_patch
  deprecated_since: W
  description: Update stack (PATCH).
  name: stacks:update_patch
  operations:
  - method: PATCH
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:preview_update
  deprecated_since: W
  description: Preview update stack.
  name: stacks:preview_update
  operations:
  - method: PUT
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:preview_update_patch
  deprecated_since: W
  description: Preview update stack (PATCH).
  name: stacks:preview_update_patch
  operations:
  - method: PATCH
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/preview
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:validate_template
  deprecated_since: W
  description: Validate template.
  name: stacks:validate_template
  operations:
  - method: POST
    path: /v1/{tenant_id}/validate
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:snapshot
  deprecated_since: W
  description: Snapshot Stack.
  name: stacks:snapshot
  operations:
  - method: POST
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:show_snapshot
  deprecated_since: W
  description: Show snapshot.
  name: stacks:show_snapshot
  operations:
  - method: GET
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:delete_snapshot
  deprecated_since: W
  description: Delete snapshot.
  name: stacks:delete_snapshot
  operations:
  - method: DELETE
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:list_snapshots
  deprecated_since: W
  description: List snapshots.
  name: stacks:list_snapshots
  operations:
  - method: GET
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots
  scope_types:
  - system
  - project
- check_str: (role:admin and system_scope:all) or (role:member and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:restore_snapshot
  deprecated_since: W
  description: Restore snapshot.
  name: stacks:restore_snapshot
  operations:
  - method: POST
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/snapshots/{snapshot_id}/restore
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:list_outputs
  deprecated_since: W
  description: List outputs.
  name: stacks:list_outputs
  operations:
  - method: GET
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs
  scope_types:
  - system
  - project
- check_str: (role:reader and system_scope:all) or (role:reader and project_id:%(project_id)s)
  deprecated_reason: '

    The stack API now supports system scope and default roles.

    '
  deprecated_rule:
    check_str: rule:deny_stack_user
    name: stacks:show_output
  deprecated_since: W
  description: Show outputs.
  name: stacks:show_output
  operations:
  - method: GET
    path: /v1/{tenant_id}/stacks/{stack_name}/{stack_id}/outputs/{output_key}
  scope_types:
  - system
  - project
