{"msg":"Running step start_crdb","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:51.125633517Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"init_with_steps"} {"msg":"Starting CRDB","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:51.126282864Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131} {"msg":"cockroach temporary directory: /var/tmp/omicron_tmp/.tmpNTZZPg","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:51.187294179Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131} {"msg":"cockroach: copying from seed tarball (/var/tmp/omicron_tmp/crdb-base-build/25f7937f9ad789fdb3d5fe26603ea7bfc6d229e3bf5587ce4ec009504e11060b.tar) to storage directory (/var/tmp/omicron_tmp/.tmpNTZZPg/data)","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:51.18744166Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131} {"msg":"cockroach command line: cockroach start-single-node --insecure --http-addr=:0 --store=path=/var/tmp/omicron_tmp/.tmpNTZZPg/data,ballast-size=0 --listen-addr [::1]:0 --listening-url-file /var/tmp/omicron_tmp/.tmpNTZZPg/listen-url","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:51.22896956Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131} {"msg":"cockroach environment: BUILDOMAT_JOB_ID=01KEYW6ZBWM4QEBSCMRX4P2GHN BUILDOMAT_TASK_ID=4 CARGO=/home/build/.rustup/toolchains/1.91.1-x86_64-unknown-illumos/bin/cargo CARGO_HOME=/home/build/.cargo CARGO_INCREMENTAL=0 CARGO_MANIFEST_DIR=/work/oxidecomputer/omicron/nexus CARGO_PKG_AUTHORS= CARGO_PKG_DESCRIPTION= CARGO_PKG_HOMEPAGE= CARGO_PKG_LICENSE=MPL-2.0 CARGO_PKG_LICENSE_FILE= CARGO_PKG_NAME=omicron-nexus CARGO_PKG_REPOSITORY= CARGO_PKG_RUST_VERSION= CARGO_PKG_VERSION=0.1.0 CARGO_PKG_VERSION_MAJOR=0 CARGO_PKG_VERSION_MINOR=1 CARGO_PKG_VERSION_PATCH=0 CARGO_PKG_VERSION_PRE= CARGO_TERM_COLOR=always CI=true CRDB_SEED_TAR=/var/tmp/omicron_tmp/crdb-base-build/25f7937f9ad789fdb3d5fe26603ea7bfc6d229e3bf5587ce4ec009504e11060b.tar GITHUB_BRANCH=iliana/cockroach-in-switch-zone GITHUB_REF=refs/heads/iliana/cockroach-in-switch-zone GITHUB_REPOSITORY=oxidecomputer/omicron GITHUB_SHA=cdd1d4ed932c03acff05ce286f9dcc941c035089 GOTRACEBACK=crash HOME=/home/build LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LD_LIBRARY_PATH=/work/oxidecomputer/omicron/target/debug/build/aws-lc-sys-e269a799996cc73d/out/build/artifacts:/work/oxidecomputer/omicron/target/debug/build/blake3-f08b403ebfa90352/out:/work/oxidecomputer/omicron/target/debug/build/bzip2-sys-8dc5be0faba5452c/out/lib:/work/oxidecomputer/omicron/target/debug/build/libgit2-sys-4ac38c1702e3f2b5/out/build:/work/oxidecomputer/omicron/target/debug/build/ring-b9d704b8d20089f7/out:/work/oxidecomputer/omicron/target/debug/build/tofino-6a545a93d51cd40e/out:/work/oxidecomputer/omicron/target/debug/build/zstd-sys-0b430c6eb1c88682/out:/work/oxidecomputer/omicron/target/debug/deps:/work/oxidecomputer/omicron/target/debug:/home/build/.rustup/toolchains/1.91.1-x86_64-unknown-illumos/lib/rustlib/x86_64-unknown-illumos/lib:/home/build/.rustup/toolchains/1.91.1-x86_64-unknown-illumos/lib LOGNAME=build NEXTEST=1 NEXTEST_BIN_EXE_nexus=/work/oxidecomputer/omicron/target/debug/nexus NEXTEST_BIN_EXE_schema-updater=/work/oxidecomputer/omicron/target/debug/schema-updater NEXTEST_EXECUTION_MODE=process-per-test NEXTEST_LD_LIBRARY_PATH=/work/oxidecomputer/omicron/target/debug/build/aws-lc-sys-e269a799996cc73d/out/build/artifacts:/work/oxidecomputer/omicron/target/debug/build/blake3-f08b403ebfa90352/out:/work/oxidecomputer/omicron/target/debug/build/bzip2-sys-8dc5be0faba5452c/out/lib:/work/oxidecomputer/omicron/target/debug/build/libgit2-sys-4ac38c1702e3f2b5/out/build:/work/oxidecomputer/omicron/target/debug/build/ring-b9d704b8d20089f7/out:/work/oxidecomputer/omicron/target/debug/build/tofino-6a545a93d51cd40e/out:/work/oxidecomputer/omicron/target/debug/build/zstd-sys-0b430c6eb1c88682/out:/work/oxidecomputer/omicron/target/debug/deps:/work/oxidecomputer/omicron/target/debug:/home/build/.rustup/toolchains/1.91.1-x86_64-unknown-illumos/lib/rustlib/x86_64-unknown-illumos/lib:/home/build/.rustup/toolchains/1.91.1-x86_64-unknown-illumos/lib NEXTEST_PROFILE=ci NEXTEST_RUN_ID=44093501-f026-4d9b-8fd1-a071d6ae713f NEXTEST_TEST_GLOBAL_SLOT=2 NEXTEST_TEST_GROUP=@global NEXTEST_TEST_GROUP_SLOT=none NEXTEST_TEST_PHASE=run OUT_DIR=/work/oxidecomputer/omicron/target/debug/build/omicron-nexus-0f0e157a700d2316/out PATH=/work/oxidecomputer/omicron/out/mgd/root/opt/oxide/mgd/bin:/work/oxidecomputer/omicron/out/dendrite-stub/bin:/work/oxidecomputer/omicron/out/clickhouse:/work/oxidecomputer/omicron/out/cockroachdb/bin:/home/build/.cargo/bin:/usr/bin:/bin:/usr/sbin:/sbin:/opt/ooce/bin:/opt/ooce/sbin PWD=/work/oxidecomputer/omicron RUSTC_BOOTSTRAP=1 RUSTDOCFLAGS=--document-private-items -D warnings RUSTFLAGS=--cfg tokio_unstable -D warnings -C link-arg=-R/usr/platform/oxide/lib/amd64 RUSTUP_HOME=/home/build/.rustup RUSTUP_TOOLCHAIN=1.91.1-x86_64-unknown-illumos RUST_BACKTRACE=1 RUST_RECURSION_COUNT=1 SHLVL=1 SSL_CERT_DIR=/usr/ssl/certs SSL_CERT_FILE=/etc/ssl/cacert.pem TMPDIR=/var/tmp/omicron_tmp TZ=UTC USER=build _=/usr/bin/ptime __NEXTEST_ATTEMPT=1","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:51.236944431Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131} {"msg":"cockroach pid: 5135","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.02316094Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131} {"msg":"cockroach listen URL: postgresql://root@[::1]:60999/omicron?sslmode=disable","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.023287519Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131} {"msg":"Running step start_clickhouse","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:53.107597537Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"init_with_steps"} {"msg":"Starting Clickhouse","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:53.107770216Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131} {"msg":"Running step start_internal_dns","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:53.638983957Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"init_with_steps"} {"msg":"opening sled database","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.639381188Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"store","component":"internal_dns_server","path":"/var/tmp/omicron_tmp/.tmpr9vf7z"} {"msg":"pruning trees for generations newer than 0","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.763692091Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"store","component":"internal_dns_server"} {"msg":"pruning trees for generations older than 0","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.76375769Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"store","component":"internal_dns_server","keep":3} {"msg":"DNS server bound to address","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.764117869Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"dns","kind":"dns","component":"internal_dns_server","local_address":"[::1]:44688"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:53.765067437Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"[::1]:46878","component":"http","kind":"dns","component":"internal_dns_server","versions":"from 1.0.0 to 2.0.0","path":"/config","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:53.765171953Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"[::1]:46878","component":"http","kind":"dns","component":"internal_dns_server","versions":"all starting from 2.0.0","path":"/config","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:53.76522118Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"[::1]:46878","component":"http","kind":"dns","component":"internal_dns_server","versions":"from 1.0.0 to 2.0.0","path":"/config","method":"PUT"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:53.765259335Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"[::1]:46878","component":"http","kind":"dns","component":"internal_dns_server","versions":"all starting from 2.0.0","path":"/config","method":"PUT"} {"msg":"listening","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.765300316Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"[::1]:46878","component":"http","kind":"dns","component":"internal_dns_server"} {"msg":"successfully registered DTrace USDT probes","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:53.766668367Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"[::1]:46878","component":"http","kind":"dns","component":"internal_dns_server"} {"msg":"Running step start_external_dns","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:53.766853391Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"init_with_steps"} {"msg":"opening sled database","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.767046732Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"store","component":"external_dns_server","path":"/var/tmp/omicron_tmp/.tmpH5ntOU"} {"msg":"pruning trees for generations newer than 0","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.77827302Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"store","component":"external_dns_server"} {"msg":"pruning trees for generations older than 0","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.778388086Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"store","component":"external_dns_server","keep":3} {"msg":"DNS server bound to address","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.77844054Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"dns","kind":"dns","component":"external_dns_server","local_address":"[::1]:51230"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:53.778549183Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"[::1]:55696","component":"http","kind":"dns","component":"external_dns_server","versions":"from 1.0.0 to 2.0.0","path":"/config","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:53.778620664Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"[::1]:55696","component":"http","kind":"dns","component":"external_dns_server","versions":"all starting from 2.0.0","path":"/config","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:53.778667246Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"[::1]:55696","component":"http","kind":"dns","component":"external_dns_server","versions":"from 1.0.0 to 2.0.0","path":"/config","method":"PUT"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:53.778707715Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"[::1]:55696","component":"http","kind":"dns","component":"external_dns_server","versions":"all starting from 2.0.0","path":"/config","method":"PUT"} {"msg":"listening","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.778750449Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"[::1]:55696","component":"http","kind":"dns","component":"external_dns_server"} {"msg":"successfully registered DTrace USDT probes","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:53.780053523Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"[::1]:55696","component":"http","kind":"dns","component":"external_dns_server"} {"msg":"Running step start_nexus_internal","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:53.780441256Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"init_with_steps"} {"msg":"Starting Nexus (internal API)","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:53.780498669Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131} {"msg":"setting up nexus server","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.781257633Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"name":"913233fe-92a8-4635-9572-183f495429c4"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.783957645Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"Action"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.784039656Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"AuditLog"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.784086829Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"AnyActor"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.784139292Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"AuthenticatedActor"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.784183099Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"BlueprintConfig"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.78421955Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"Database"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.784260822Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"DnsConfig"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.78431099Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"Fleet"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.7843516Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"Inventory"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.78438683Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"IpPoolList"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.784455344Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"VpcList"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.784491856Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"ConsoleSessionList"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.784533648Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"DeviceAuthRequestList"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.784569289Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"QuiesceState"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.784610079Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"SiloCertificateList"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.784648134Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"SiloGroupList"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.784682762Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"SiloIdentityProviderList"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.784721809Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"SiloUserList"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.784755535Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"SiloUserSessionList"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.784794231Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"SiloUserTokenList"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.784828078Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"UpdateTrustRootList"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.784865461Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"TargetReleaseConfig"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.784899809Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"AlertClassList"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.784938475Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"ScimClientBearerTokenList"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.784977071Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"MulticastGroupList"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.785113169Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"Project"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.785172135Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"Disk"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.785206332Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"Snapshot"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.785244998Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"ProjectImage"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.785278504Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"AffinityGroup"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.785315507Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"AntiAffinityGroup"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.786378007Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"Instance"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.786447224Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"IpPool"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.786485769Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"InstanceNetworkInterface"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.786543463Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"Vpc"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.786582099Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"VpcRouter"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.786619242Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"InternetGateway"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.786660193Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"InternetGatewayIpPool"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.7866947Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"InternetGatewayIpAddress"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.786736102Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"RouterRoute"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.78677048Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"VpcSubnet"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.786829275Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"FloatingIp"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.786865647Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"Image"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.786905946Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"SiloImage"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.786940945Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"AddressLot"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.786982727Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"Blueprint"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787018407Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"LoopbackAddress"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.78706052Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"Certificate"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787101761Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"ConsoleSession"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787138123Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"DeviceAuthRequest"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787178082Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"DeviceAccessToken"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787213812Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"PhysicalDisk"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.78725353Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"Rack"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787288769Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"SshKey"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787327886Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"Silo"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787361613Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"SiloUser"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787402884Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"SiloGroup"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787437562Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"SupportBundle"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787480286Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"IdentityProvider"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787519103Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"SamlIdentityProvider"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.78755335Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"Sled"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787591084Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"TufRepo"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787624901Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"TufArtifact"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787664128Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"TufTrustRoot"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787730068Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"Alert"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787769866Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"AlertReceiver"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787803612Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"WebhookSecret"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787840836Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"Zpool"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787873901Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"Service"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787913669Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"UserBuiltin"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787947335Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"ScimClientBearerToken"} {"msg":"registering Oso class","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.787989228Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","class":"MulticastGroup"} {"msg":"full Oso configuration","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.788032132Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","config":"#\n# Oso configuration for Omicron\n# This file is augmented by generated snippets.\n#\n\n#\n# ACTOR TYPES AND BASIC RULES\n#\n\n# `AnyActor` includes both authenticated and unauthenticated users.\nactor AnyActor {}\n\n# An `AuthenticatedActor` has an identity in the system. All of our operations\n# today require that an actor be authenticated.\nactor AuthenticatedActor {}\n\n# For any resource, `actor` can perform action `action` on it if they're\n# authenticated and their role(s) give them the corresponding permission on that\n# resource.\nallow(actor: AnyActor, action: Action, resource) if\n actor.authenticated and\n has_permission(actor.authn_actor.unwrap(), action.to_perm(), resource);\n\n# Define role relationships\nhas_role(actor: AuthenticatedActor, role: String, resource: Resource)\n\tif resource.has_role(actor, role);\n\n#\n# ROLES AND PERMISSIONS IN THE FLEET/SILO/PROJECT HIERARCHY\n#\n# We define the following permissions for most resources in the system:\n#\n# - \"create_child\": required to create child resources (of any type)\n#\n# - \"list_children\": required to list child resources (of all types) of a\n# resource\n#\n# - \"modify\": required to modify or delete a resource\n#\n# - \"read\": required to read a resource\n#\n# We define the following predefined roles for only a few high-level resources:\n# the Fleet (see below), Silo, Organization, and Project. The specific roles\n# are oriented around intended use-cases:\n#\n# - \"admin\": has all permissions on the resource\n#\n# - \"collaborator\": has \"read\", \"list_children\", and \"create_child\", plus\n# the \"admin\" role for child resources. The idea is that if you're an\n# Organization Collaborator, you have full control over the Projects within\n# the Organization, but you cannot modify or delete the Organization itself.\n#\n# - \"viewer\": has \"read\" and \"list_children\" on a resource\n#\n# Below the Project level, permissions are granted via roles at the Project\n# level. For example, for someone to be able to create, modify, or delete any\n# Instances, they must be granted project.collaborator, which means they can\n# create, modify, or delete _all_ resources in the Project.\n#\n# The complete set of predefined roles:\n#\n# - fleet.admin (superuser for the whole system)\n# - fleet.collaborator (can manage Silos)\n# - fleet.viewer (can read most non-siloed resources in the system)\n# - silo.admin (superuser for the silo)\n# - silo.collaborator (can create and own Organizations; grants project.admin on all projects)\n# - silo.limited-collaborator (grants project.limited-collaborator on all projects)\n# - silo.viewer (can read most resources within the Silo; grants project.viewer)\n# - organization.admin (complete control over an organization)\n# - organization.collaborator (can manage Projects)\n# - organization.viewer (can read most resources within the Organization)\n# - project.admin (complete control over a Project)\n# - project.collaborator (can manage all resources within the Project, including networking)\n# - project.limited-collaborator (can manage compute resources, but not networking resources)\n# - project.viewer (can read most resources within the Project)\n#\n# Outside the Silo/Organization/Project hierarchy, we (currently) treat most\n# resources as nested under Fleet or else a synthetic resource (see below). We\n# do not yet support role assignments on anything other than Fleet, Silo,\n# Organization, or Project.\n#\n\n# \"Fleet\" is a global singleton representing the whole system. The name comes\n# from the idea described in RFD 24, but it's not quite right. This probably\n# should be more like \"Region\" or \"AvailabilityZone\". The precise boundaries\n# have not yet been figured out.\nresource Fleet {\n\tpermissions = [\n\t \"list_children\",\n\t \"modify\",\n\t \"read\",\n\t \"create_child\",\n\t];\n\n\troles = [\n\t # Roles that can be attached by users\n\t \"admin\",\n\t \"collaborator\",\n\t \"viewer\",\n\n\t # Internal-only roles\n\t \"external-authenticator\"\n\t];\n\n\t# Roles implied by other roles on this resource\n\t\"viewer\" if \"collaborator\";\n\t\"collaborator\" if \"admin\";\n\n\t# Permissions granted directly by roles on this resource\n\t\"list_children\" if \"viewer\";\n\t\"read\" if \"viewer\";\n\t\"create_child\" if \"collaborator\";\n\t\"modify\" if \"admin\";\n}\n\n# For fleets specifically, roles can be conferred by roles on the user's Silo.\n# Note that certain Actors may not ever have any roles assigned to them, like\n# SCIM Actors.\nhas_role(actor: AuthenticatedActor, role: String, _: Fleet) if\n\tsilo_role in actor.confers_fleet_role(role) and\n\thas_role(actor, silo_role, actor.silo.unwrap());\n\nresource Silo {\n\tpermissions = [\n\t \"list_children\",\n\t \"modify\",\n\t \"read\",\n\t \"create_child\",\n\t];\n\troles = [ \"admin\", \"collaborator\", \"limited-collaborator\", \"viewer\" ];\n\n\t# Roles implied by other roles on this resource\n\t\"viewer\" if \"limited-collaborator\";\n\t\"limited-collaborator\" if \"collaborator\";\n\t\"collaborator\" if \"admin\";\n\n\t# Permissions granted directly by roles on this resource\n\t\"list_children\" if \"viewer\";\n\t\"read\" if \"viewer\";\n\n\t\"create_child\" if \"collaborator\";\n\t\"modify\" if \"admin\";\n\n\t# Permissions implied by roles on this resource's parent (Fleet). Fleet\n\t# privileges allow a user to see and potentially administer the Silo,\n\t# but they do not give anyone permission to look at anything inside the\n\t# Silo. To achieve this, we use permission rules here. (If we granted\n\t# Fleet administrators _roles_ on the Silo, then those would cascade\n\t# into the Silo as well.)\n\trelations = { parent_fleet: Fleet };\n\t\"read\" if \"viewer\" on \"parent_fleet\";\n\t\"modify\" if \"collaborator\" on \"parent_fleet\";\n\n\t# external authenticator has to create silo users\n\t\"list_children\" if \"external-authenticator\" on \"parent_fleet\";\n\t\"create_child\" if \"external-authenticator\" on \"parent_fleet\";\n}\n\nhas_relation(fleet: Fleet, \"parent_fleet\", silo: Silo)\n\tif silo.fleet = fleet;\n\n# As a special case, all authenticated users can read their own Silo. That's\n# not quite the same as having the \"viewer\" role. For example, they cannot list\n# Organizations in the Silo.\n#\n# One reason this is necessary is because if an unprivileged user tries to\n# create an Organization using \"POST /organizations\", they should get back a 403\n# (which implies they're able to see /organizations, which is essentially seeing\n# the Silo itself) rather than a 404. This behavior isn't a hard constraint\n# (i.e., you could reasonably get a 404 for an API you're not allowed to call).\n# Nor is the implementation (i.e., we could special-case this endpoint somehow).\n# But granting this permission is the simplest way to keep this endpoint's\n# behavior consistent with the rest of the API.\n#\n# This rule is also used to determine if a user can list the identity providers\n# in the Silo (which they should be able to), since that's predicated on being\n# able to read the Silo.\n#\n# It's unclear what else would break if users couldn't see their own Silo.\nhas_permission(actor: AuthenticatedActor, \"read\", silo: Silo)\n\tif actor.is_user and silo in actor.silo;\n\nresource Project {\n\tpermissions = [\n\t \"list_children\",\n\t \"modify\",\n\t \"read\",\n\t \"create_child\",\n\t];\n\troles = [ \"admin\", \"collaborator\", \"limited-collaborator\", \"viewer\" ];\n\n\t# Roles implied by other roles on this resource\n\t# Role hierarchy: admin > collaborator > limited-collaborator > viewer\n\t#\n\t# The \"limited-collaborator\" role can create/modify non-networking\n\t# resources (instances, disks, etc.) but cannot create/modify networking\n\t# infrastructure (VPCs, subnets, routers, internet gateways).\n\t# See nexus/authz-macros for InProjectLimited vs InProjectFull.\n\t\"viewer\" if \"limited-collaborator\";\n\t\"limited-collaborator\" if \"collaborator\";\n\t\"collaborator\" if \"admin\";\n\n\t# Permissions granted directly by roles on this resource\n\t\"list_children\" if \"viewer\";\n\t\"read\" if \"viewer\";\n\t\"create_child\" if \"limited-collaborator\";\n\t\"modify\" if \"admin\";\n\n\t# Roles implied by roles on this resource's parent (Silo)\n\trelations = { parent_silo: Silo };\n\t\"admin\" if \"collaborator\" on \"parent_silo\";\n\t\"limited-collaborator\" if \"limited-collaborator\" on \"parent_silo\";\n\t\"viewer\" if \"viewer\" on \"parent_silo\";\n}\nhas_relation(silo: Silo, \"parent_silo\", project: Project)\n\tif project.silo = silo;\n\n#\n# GENERAL RESOURCES OUTSIDE THE SILO/PROJECT HIERARCHY\n#\n# Many resources use snippets of Polar generated by the `authz_resource!` Rust\n# macro. Some resources require custom Polar code. Those appear here.\n#\n\nresource Certificate {\n\tpermissions = [ \"read\", \"modify\" ];\n\trelations = { parent_silo: Silo, parent_fleet: Fleet };\n\n\t# Fleet-level and silo-level roles both grant privileges on certificates.\n\t\"read\" if \"admin\" on \"parent_silo\";\n\t\"modify\" if \"admin\" on \"parent_silo\";\n\t\"read\" if \"admin\" on \"parent_fleet\";\n\t\"modify\" if \"admin\" on \"parent_fleet\";\n}\nhas_relation(silo: Silo, \"parent_silo\", certificate: Certificate)\n\tif certificate.silo = silo;\nhas_relation(fleet: Fleet, \"parent_fleet\", certificate: Certificate)\n\tif certificate.silo.fleet = fleet;\n\nresource SiloUser {\n\tpermissions = [\n\t \"list_children\",\n\t \"modify\",\n\t \"read\",\n\t \"create_child\",\n\t];\n\n\t# Fleet and Silo administrators can manage a Silo's users. This is one\n\t# of the only areas of Silo configuration that Fleet Administrators have\n\t# permissions on.\n\trelations = { parent_silo: Silo, parent_fleet: Fleet };\n\t\"list_children\" if \"read\" on \"parent_silo\";\n\t\"read\" if \"read\" on \"parent_silo\";\n\t\"modify\" if \"admin\" on \"parent_silo\";\n\t\"create_child\" if \"admin\" on \"parent_silo\";\n\t\"list_children\" if \"read\" on \"parent_fleet\";\n\t\"read\" if \"read\" on \"parent_fleet\";\n\t\"modify\" if \"admin\" on \"parent_fleet\";\n\t\"create_child\" if \"admin\" on \"parent_fleet\";\n}\nhas_relation(silo: Silo, \"parent_silo\", user: SiloUser)\n\tif user.silo = silo;\nhas_relation(fleet: Fleet, \"parent_fleet\", user: SiloUser)\n\tif user.silo.fleet = fleet;\n\n# authenticated actors have all permissions on themselves\nhas_permission(actor: AuthenticatedActor, _perm: String, silo_user: SiloUser)\n if actor.equals_silo_user(silo_user);\n\nhas_permission(actor: AuthenticatedActor, \"read\", silo_user: SiloUser)\n if actor.is_user and silo_user.silo in actor.silo;\n\nresource SiloGroup {\n\tpermissions = [\n\t \"list_children\",\n\t \"modify\",\n\t \"read\",\n\t \"create_child\",\n\t];\n\n\trelations = { parent_silo: Silo };\n\t\"list_children\" if \"read\" on \"parent_silo\";\n\t\"read\" if \"read\" on \"parent_silo\";\n\t\"modify\" if \"admin\" on \"parent_silo\";\n\t\"create_child\" if \"admin\" on \"parent_silo\";\n}\nhas_relation(silo: Silo, \"parent_silo\", group: SiloGroup)\n\tif group.silo = silo;\n\nresource SshKey {\n\tpermissions = [ \"read\", \"modify\" ];\n\trelations = { silo_user: SiloUser };\n\n\t\"read\" if \"read\" on \"silo_user\";\n}\n# We want to allow the user to modify the ssh key but disallow a SCIM IdP token\n# from doing the same.\nhas_permission(actor: AuthenticatedActor, \"modify\", ssh_key: SshKey)\n\tif actor.is_user and has_permission(actor, \"modify\", ssh_key.silo_user);\nhas_relation(user: SiloUser, \"silo_user\", ssh_key: SshKey)\n\tif ssh_key.silo_user = user;\n\nresource IdentityProvider {\n\tpermissions = [\n\t \"read\",\n\t \"modify\",\n\t \"create_child\",\n\t \"list_children\",\n\t];\n\trelations = { parent_silo: Silo, parent_fleet: Fleet };\n\n\t# Silo-level roles grant privileges on identity providers.\n\t\"read\" if \"viewer\" on \"parent_silo\";\n\t\"list_children\" if \"viewer\" on \"parent_silo\";\n\t\"modify\" if \"admin\" on \"parent_silo\";\n\t\"create_child\" if \"admin\" on \"parent_silo\";\n\n\t# Fleet-level roles also grant privileges on identity providers.\n\t\"read\" if \"viewer\" on \"parent_fleet\";\n\t\"list_children\" if \"viewer\" on \"parent_fleet\";\n\t\"modify\" if \"admin\" on \"parent_fleet\";\n\t\"create_child\" if \"admin\" on \"parent_fleet\";\n}\nhas_relation(silo: Silo, \"parent_silo\", identity_provider: IdentityProvider)\n\tif identity_provider.silo = silo;\nhas_relation(fleet: Fleet, \"parent_fleet\", collection: IdentityProvider)\n\tif collection.silo.fleet = fleet;\n\nresource SamlIdentityProvider {\n\tpermissions = [\n\t \"read\",\n\t \"modify\",\n\t \"create_child\",\n\t \"list_children\",\n\t];\n\trelations = { parent_silo: Silo, parent_fleet: Fleet };\n\n\t# Silo-level roles grant privileges on identity providers.\n\t\"read\" if \"viewer\" on \"parent_silo\";\n\t\"list_children\" if \"viewer\" on \"parent_silo\";\n\t\"modify\" if \"admin\" on \"parent_silo\";\n\t\"create_child\" if \"admin\" on \"parent_silo\";\n\n\t# Fleet-level roles also grant privileges on identity providers.\n\t\"read\" if \"viewer\" on \"parent_fleet\";\n\t\"list_children\" if \"viewer\" on \"parent_fleet\";\n\t\"modify\" if \"admin\" on \"parent_fleet\";\n\t\"create_child\" if \"admin\" on \"parent_fleet\";\n}\nhas_relation(silo: Silo, \"parent_silo\", saml_identity_provider: SamlIdentityProvider)\n\tif saml_identity_provider.silo = silo;\nhas_relation(fleet: Fleet, \"parent_fleet\", collection: SamlIdentityProvider)\n\tif collection.silo.fleet = fleet;\n\nresource ScimClientBearerToken {\n\tpermissions = [ \"read\", \"modify\" ];\n\trelations = { parent_silo: Silo, parent_fleet: Fleet };\n\n # necessary to authenticate SCIM actors\n\t\"read\" if \"external-authenticator\" on \"parent_fleet\";\n\n\t# Silo-level roles grant privileges for SCIM client tokens.\n\t\"read\" if \"admin\" on \"parent_silo\";\n\t\"modify\" if \"admin\" on \"parent_silo\";\n\n\t# Fleet-level roles also grant privileges for SCIM client tokens.\n\t\"read\" if \"admin\" on \"parent_fleet\";\n\t\"modify\" if \"admin\" on \"parent_fleet\";\n}\nhas_relation(silo: Silo, \"parent_silo\", scim_client_bearer_token: ScimClientBearerToken)\n\tif scim_client_bearer_token.silo = silo;\nhas_relation(fleet: Fleet, \"parent_fleet\", collection: ScimClientBearerToken)\n\tif collection.silo.fleet = fleet;\n\n\n#\n# SYNTHETIC RESOURCES OUTSIDE THE SILO HIERARCHY\n#\n# The resources here do not correspond to anything that appears explicitly in\n# the API or is stored in the database. These are used either at the top level\n# of the API path (e.g., \"/v1/system/ip-pools\") or as an implementation detail of the system\n# (in the case of console sessions and \"Database\"). The policies are\n# either statically-defined in this file or driven by role assignments on the\n# Fleet. None of these resources defines their own roles.\n#\n\n# Describes the quiesce state of a particular Nexus instance.\n#\n# These authz checks must not require the database. We grant this directly to\n# callers of the internal API.\nresource QuiesceState {\n\tpermissions = [ \"read\", \"modify\" ];\n}\nhas_permission(USER_INTERNAL_API: AuthenticatedActor, \"read\", _q: QuiesceState);\nhas_permission(\n USER_INTERNAL_API: AuthenticatedActor,\n \"modify\",\n _q: QuiesceState\n);\n\n# Describes the policy for reading and modifying DNS configuration\n# (both internal and external)\nresource DnsConfig {\n\tpermissions = [ \"read\", \"modify\" ];\n\trelations = { parent_fleet: Fleet };\n\t# \"external-authenticator\" requires these permissions because that's the\n\t# context that Nexus uses when creating and deleting Silos. These\n\t# operations necessarily need to read and modify DNS configuration.\n\t\"read\" if \"external-authenticator\" on \"parent_fleet\";\n\t\"modify\" if \"external-authenticator\" on \"parent_fleet\";\n\t# \"admin\" on the parent fleet also gets these permissions, primarily for\n\t# the test suite.\n\t\"read\" if \"admin\" on \"parent_fleet\";\n\t\"modify\" if \"admin\" on \"parent_fleet\";\n}\nhas_relation(fleet: Fleet, \"parent_fleet\", dns_config: DnsConfig)\n\tif dns_config.fleet = fleet;\n\n# Describes the policy for accessing blueprints\nresource BlueprintConfig {\n\tpermissions = [\n\t \"list_children\", # list blueprints\n\t \"create_child\", # create blueprint\n\t \"read\", # read the current target\n\t \"modify\", # change the current target\n\t];\n\n\trelations = { parent_fleet: Fleet };\n\t\"create_child\" if \"admin\" on \"parent_fleet\";\n\t\"modify\" if \"admin\" on \"parent_fleet\";\n\t\"list_children\" if \"viewer\" on \"parent_fleet\";\n\t\"read\" if \"viewer\" on \"parent_fleet\";\n}\nhas_relation(fleet: Fleet, \"parent_fleet\", list: BlueprintConfig)\n\tif list.fleet = fleet;\n\n# Describes the policy for accessing \"/v1/system/update/trust-roots\" in the API\nresource UpdateTrustRootList {\n\tpermissions = [ \"list_children\", \"create_child\" ];\n\trelations = { parent_fleet: Fleet };\n\t\"list_children\" if \"viewer\" on \"parent_fleet\";\n\t\"create_child\" if \"admin\" on \"parent_fleet\";\n}\nhas_relation(fleet: Fleet, \"parent_fleet\", collection: UpdateTrustRootList)\n\tif collection.fleet = fleet;\n\n# Describes the policy for accessing blueprints\nresource TargetReleaseConfig {\n\tpermissions = [\n\t \"read\", # read the current target release\n\t \"modify\", # change the current target release\n\t];\n\n\trelations = { parent_fleet: Fleet };\n\t\"read\" if \"viewer\" on \"parent_fleet\";\n\t\"modify\" if \"admin\" on \"parent_fleet\";\n}\nhas_relation(fleet: Fleet, \"parent_fleet\", resource: TargetReleaseConfig)\n\tif resource.fleet = fleet;\n\n# Describes the policy for reading and modifying low-level inventory\nresource Inventory {\n\tpermissions = [ \"read\", \"modify\" ];\n\trelations = { parent_fleet: Fleet };\n\t\"read\" if \"viewer\" on \"parent_fleet\";\n\t\"modify\" if \"admin\" on \"parent_fleet\";\n}\nhas_relation(fleet: Fleet, \"parent_fleet\", inventory: Inventory)\n\tif inventory.fleet = fleet;\n\n# Describes the policy for accessing \"/v1/system/ip-pools\" in the API\nresource IpPoolList {\n\tpermissions = [\n\t \"list_children\",\n\t \"modify\",\n\t \"create_child\",\n\t];\n\n\t# Fleet Administrators can create or modify the IP Pools list.\n\trelations = { parent_fleet: Fleet };\n\t\"modify\" if \"admin\" on \"parent_fleet\";\n\t\"create_child\" if \"admin\" on \"parent_fleet\";\n\n\t# Fleet Viewers can list IP Pools\n\t\"list_children\" if \"viewer\" on \"parent_fleet\";\n}\nhas_relation(fleet: Fleet, \"parent_fleet\", ip_pool_list: IpPoolList)\n\tif ip_pool_list.fleet = fleet;\n\n# Any authenticated user can create a child of a provided IP Pool.\n# This is necessary to use the pools when provisioning instances.\nhas_permission(actor: AuthenticatedActor, \"create_child\", ip_pool: IpPool)\n\tif actor.is_user and silo in actor.silo and silo.fleet = ip_pool.fleet;\n\n# Describes the policy for accessing \"/v1/multicast-groups\" in the API\nresource MulticastGroupList {\n\tpermissions = [\n\t \"list_children\",\n\t \"create_child\",\n\t];\n\n\trelations = { parent_fleet: Fleet };\n\t# Fleet Administrators can create multicast groups\n\t\"create_child\" if \"admin\" on \"parent_fleet\";\n\n\t# Fleet Viewers can list multicast groups\n\t\"list_children\" if \"viewer\" on \"parent_fleet\";\n}\nhas_relation(fleet: Fleet, \"parent_fleet\", multicast_group_list: MulticastGroupList)\n\tif multicast_group_list.fleet = fleet;\n\n# Any authenticated user can create multicast groups in their fleet.\n# This is necessary to allow silo users to create multicast groups for\n# cross-project and cross-silo communication without requiring Fleet::Admin.\nhas_permission(actor: AuthenticatedActor, \"create_child\", multicast_group_list: MulticastGroupList)\n\tif silo in actor.silo and silo.fleet = multicast_group_list.fleet;\n\n# Any authenticated user can list multicast groups in their fleet.\n# This is necessary because multicast groups are fleet-scoped resources that\n# silo users need to discover and attach their instances to, without requiring\n# Fleet::Viewer role.\nhas_permission(actor: AuthenticatedActor, \"list_children\", multicast_group_list: MulticastGroupList)\n\tif silo in actor.silo and silo.fleet = multicast_group_list.fleet;\n\n# Any authenticated user can read and modify individual multicast groups in their fleet.\n# Users can create, modify, and consume (attach instances to) multicast groups.\n# This enables cross-project and cross-silo multicast while maintaining\n# appropriate security boundaries via API authorization and underlay group\n# membership validation.\nhas_permission(actor: AuthenticatedActor, \"read\", multicast_group: MulticastGroup)\n\tif silo in actor.silo and silo.fleet = multicast_group.fleet;\n\nhas_permission(actor: AuthenticatedActor, \"modify\", multicast_group: MulticastGroup)\n\tif silo in actor.silo and silo.fleet = multicast_group.fleet;\n\n# Describes the policy for reading and writing the audit log\nresource AuditLog {\n\tpermissions = [\n\t \"list_children\", # retrieve audit log\n\t \"create_child\", # create audit log entry\n\t];\n\n\trelations = { parent_fleet: Fleet };\n\n\t# Fleet viewers can read the audit log\n\t\"list_children\" if \"viewer\" on \"parent_fleet\";\n}\n\n# Any actor should be able to write to the audit log because we need to be able\n# to write to the log from any request, authenticated or not. Audit log writes\n# are always a byproduct of other operations: there are no endpoints that allow\n# the user to write to the log deliberately. Note we use AuthenticatedActor\n# because we don't really mean unauthenticated -- in the case of login\n# operations, we use the external authenticator actor that creates the session\n# to authorize the audit log write.\nhas_permission(_actor: AuthenticatedActor, \"create_child\", _audit_log: AuditLog);\n\nhas_relation(fleet: Fleet, \"parent_fleet\", audit_log: AuditLog)\n\tif audit_log.fleet = fleet;\n\n# Describes the policy for creating and managing web console sessions.\nresource ConsoleSessionList {\n\tpermissions = [ \"create_child\" ];\n\trelations = { parent_fleet: Fleet };\n\t\"create_child\" if \"external-authenticator\" on \"parent_fleet\";\n}\nhas_relation(fleet: Fleet, \"parent_fleet\", collection: ConsoleSessionList)\n\tif collection.fleet = fleet;\n\n# Allow silo admins to delete and list user sessions\nresource SiloUserSessionList {\n permissions = [ \"modify\", \"list_children\" ];\n relations = { parent_silo: Silo };\n\n # A silo admin can modify (e.g., delete) a user's sessions.\n \"modify\" if \"admin\" on \"parent_silo\";\n\n # A silo admin can list a user's sessions.\n \"list_children\" if \"admin\" on \"parent_silo\";\n}\nhas_relation(silo: Silo, \"parent_silo\", authn_list: SiloUserSessionList)\n if authn_list.silo_user.silo = silo;\n\n# give users 'modify' and 'list_children' on their own sessions\nhas_permission(actor: AuthenticatedActor, \"modify\", authn_list: SiloUserSessionList)\n if actor.equals_silo_user(authn_list.silo_user);\nhas_permission(actor: AuthenticatedActor, \"list_children\", authn_list: SiloUserSessionList)\n if actor.equals_silo_user(authn_list.silo_user);\n\n# Allow silo admins to delete and list user access tokens\nresource SiloUserTokenList {\n permissions = [ \"modify\", \"list_children\" ];\n relations = { parent_silo: Silo };\n\n # A silo admin can modify (e.g., delete) a user's tokens.\n \"modify\" if \"admin\" on \"parent_silo\";\n\n # A silo admin can list a user's tokens.\n \"list_children\" if \"admin\" on \"parent_silo\";\n}\nhas_relation(silo: Silo, \"parent_silo\", authn_list: SiloUserTokenList)\n if authn_list.silo_user.silo = silo;\n\n# give users 'modify' and 'list_children' on their own tokens\nhas_permission(actor: AuthenticatedActor, \"modify\", authn_list: SiloUserTokenList)\n if actor.equals_silo_user(authn_list.silo_user);\nhas_permission(actor: AuthenticatedActor, \"list_children\", authn_list: SiloUserTokenList)\n if actor.equals_silo_user(authn_list.silo_user);\n\n# Describes the policy for creating and managing device authorization requests.\nresource DeviceAuthRequestList {\n\tpermissions = [ \"create_child\" ];\n\trelations = { parent_fleet: Fleet };\n\t\"create_child\" if \"external-authenticator\" on \"parent_fleet\";\n}\nhas_relation(fleet: Fleet, \"parent_fleet\", collection: DeviceAuthRequestList)\n\tif collection.fleet = fleet;\n\n# Describes the policy for creating and managing Silo certificates\nresource SiloCertificateList {\n\tpermissions = [ \"list_children\", \"create_child\" ];\n\n\trelations = { parent_silo: Silo, parent_fleet: Fleet };\n\n\t# Both Fleet and Silo administrators can see and modify the Silo's\n\t# certificates.\n\t\"list_children\" if \"admin\" on \"parent_silo\";\n\t\"list_children\" if \"admin\" on \"parent_fleet\";\n\t\"create_child\" if \"admin\" on \"parent_silo\";\n\t\"create_child\" if \"admin\" on \"parent_fleet\";\n}\nhas_relation(silo: Silo, \"parent_silo\", collection: SiloCertificateList)\n\tif collection.silo = silo;\nhas_relation(fleet: Fleet, \"parent_fleet\", collection: SiloCertificateList)\n\tif collection.silo.fleet = fleet;\n\n# Describes the policy for creating and managing Silo identity providers\nresource SiloIdentityProviderList {\n\tpermissions = [ \"list_children\", \"create_child\" ];\n\n\trelations = { parent_silo: Silo, parent_fleet: Fleet };\n\n\t# Everyone who can read the Silo (which includes all the users in the\n\t# Silo) can see the identity providers in it.\n\t\"list_children\" if \"read\" on \"parent_silo\";\n\n\t# Fleet and Silo administrators can manage the Silo's identity provider\n\t# configuration. This is one of the only areas of Silo configuration\n\t# that Fleet Administrators have permissions on. This is also one of\n\t# the only cases where we need to look two levels up the hierarchy to\n\t# see if somebody has the right permission. For most other things,\n\t# permissions cascade down the hierarchy so we only need to look at the\n\t# parent.\n\t\"create_child\" if \"admin\" on \"parent_silo\";\n\t\"create_child\" if \"admin\" on \"parent_fleet\";\n}\nhas_relation(silo: Silo, \"parent_silo\", collection: SiloIdentityProviderList)\n\tif collection.silo = silo;\nhas_relation(fleet: Fleet, \"parent_fleet\", collection: SiloIdentityProviderList)\n\tif collection.silo.fleet = fleet;\n\n# Describes the policy for creating and managing Silo users (mostly intended for\n# API-managed users)\nresource SiloUserList {\n\tpermissions = [ \"list_children\", \"create_child\" ];\n\n\trelations = { parent_silo: Silo, parent_fleet: Fleet };\n\n\t# Everyone who can read the Silo (which includes all the users in the\n\t# Silo) can see the users in it.\n\t\"list_children\" if \"read\" on \"parent_silo\";\n\n\t# Fleet and Silo administrators can manage the Silo's users. This is\n\t# one of the only areas of Silo configuration that Fleet Administrators\n\t# have permissions on. This is also one of the few cases (so far) where\n\t# we need to look two levels up the hierarchy to see if somebody has the\n\t# right permission. For most other things, permissions cascade down the\n\t# hierarchy so we only need to look at the parent.\n\t\"create_child\" if \"admin\" on \"parent_silo\";\n\t\"list_children\" if \"admin\" on \"parent_fleet\";\n\t\"create_child\" if \"admin\" on \"parent_fleet\";\n}\nhas_relation(silo: Silo, \"parent_silo\", collection: SiloUserList)\n\tif collection.silo = silo;\nhas_relation(fleet: Fleet, \"parent_fleet\", collection: SiloUserList)\n\tif collection.silo.fleet = fleet;\n\n# Grant SCIM IdP actors the permissions they need on users.\nhas_permission(actor: AuthenticatedActor, \"read\", silo_user: SiloUser)\n if actor.is_scim_idp and silo_user.silo in actor.silo;\nhas_permission(actor: AuthenticatedActor, \"create_child\", silo_user_list: SiloUserList)\n\tif actor.is_scim_idp and silo_user_list.silo in actor.silo;\nhas_permission(actor: AuthenticatedActor, \"modify\", silo_user: SiloUser)\n\tif actor.is_scim_idp and silo_user.silo in actor.silo;\nhas_permission(actor: AuthenticatedActor, \"list_children\", silo_user_list: SiloUserList)\n if actor.is_scim_idp and silo_user_list.silo in actor.silo;\n\n# Describes the policy for creating and managing Silo groups (mostly intended\n# for API-managed groups)\nresource SiloGroupList {\n\tpermissions = [ \"list_children\", \"create_child\" ];\n\n\trelations = { parent_silo: Silo, parent_fleet: Fleet };\n\n\t# Everyone who can read the Silo (which includes all the groups in the\n\t# Silo) can see the groups in it.\n\t\"list_children\" if \"read\" on \"parent_silo\";\n\n\t# Fleet and Silo administrators can manage the Silo's groups. This is\n\t# one of the only areas of Silo configuration that Fleet Administrators\n\t# have permissions on. This is also one of the few cases (so far) where\n\t# we need to look two levels up the hierarchy to see if somebody has the\n\t# right permission. For most other things, permissions cascade down the\n\t# hierarchy so we only need to look at the parent.\n\t\"create_child\" if \"admin\" on \"parent_silo\";\n\t\"list_children\" if \"admin\" on \"parent_fleet\";\n\t\"create_child\" if \"admin\" on \"parent_fleet\";\n}\nhas_relation(silo: Silo, \"parent_silo\", collection: SiloGroupList)\n\tif collection.silo = silo;\nhas_relation(fleet: Fleet, \"parent_fleet\", collection: SiloGroupList)\n\tif collection.silo.fleet = fleet;\n\n# Grant SCIM IdP actors the permissions they need on groups.\nhas_permission(actor: AuthenticatedActor, \"read\", silo_group: SiloGroup)\n if actor.is_scim_idp and silo_group.silo in actor.silo;\nhas_permission(actor: AuthenticatedActor, \"create_child\", silo_group_list: SiloGroupList)\n\tif actor.is_scim_idp and silo_group_list.silo in actor.silo;\nhas_permission(actor: AuthenticatedActor, \"modify\", silo_group: SiloGroup)\n\tif actor.is_scim_idp and silo_group.silo in actor.silo;\nhas_permission(actor: AuthenticatedActor, \"list_children\", silo_group_list: SiloGroupList)\n if actor.is_scim_idp and silo_group_list.silo in actor.silo;\n\n# These rules grants the external authenticator role the permissions it needs to\n# read silo users and modify their sessions. This is necessary for login to\n# work.\nhas_permission(actor: AuthenticatedActor, \"read\", silo: Silo)\n\tif has_role(actor, \"external-authenticator\", silo.fleet);\nhas_permission(actor: AuthenticatedActor, \"read\", user: SiloUser)\n\tif has_role(actor, \"external-authenticator\", user.silo.fleet);\nhas_permission(actor: AuthenticatedActor, \"modify\", user: SiloUser)\n\tif has_role(actor, \"external-authenticator\", user.silo.fleet);\nhas_permission(actor: AuthenticatedActor, \"read\", group: SiloGroup)\n\tif has_role(actor, \"external-authenticator\", group.silo.fleet);\nhas_permission(actor: AuthenticatedActor, \"modify\", group: SiloGroup)\n\tif has_role(actor, \"external-authenticator\", group.silo.fleet);\n\nhas_permission(actor: AuthenticatedActor, \"read\", session: ConsoleSession)\n\tif has_role(actor, \"external-authenticator\", session.fleet);\nhas_permission(actor: AuthenticatedActor, \"modify\", session: ConsoleSession)\n\tif has_role(actor, \"external-authenticator\", session.fleet);\n\n# All authenticated users can read and delete device authn requests because\n# by necessity these operations happen before we've figured out what user (or\n# even Silo) the device auth is associated with. Any user can claim a device\n# auth request with the right user code (that's how it works) -- it's the user\n# code and associated logic that prevents unauthorized access here.\nhas_permission(actor: AuthenticatedActor, \"read\", _device_auth: DeviceAuthRequest)\n if actor.is_user;\nhas_permission(actor: AuthenticatedActor, \"modify\", _device_auth: DeviceAuthRequest)\n if actor.is_user;\n\nhas_permission(actor: AuthenticatedActor, \"read\", device_token: DeviceAccessToken)\n\tif has_role(actor, \"external-authenticator\", device_token.fleet);\n\nhas_permission(actor: AuthenticatedActor, \"read\", identity_provider: IdentityProvider)\n\tif has_role(actor, \"external-authenticator\", identity_provider.silo.fleet);\n\nhas_permission(actor: AuthenticatedActor, \"read\", saml_identity_provider: SamlIdentityProvider)\n\tif has_role(actor, \"external-authenticator\", saml_identity_provider.silo.fleet);\n\n# Describes the policy for who can access the internal database.\nresource Database {\n\tpermissions = [\n\t # \"query\" is required to perform any query against the database,\n\t # whether a read or write query. This is checked when an operation\n\t # checks out a database connection from the connection pool.\n\t #\n\t # Any authenticated user gets this permission. There's generally\n\t # some other authz check involved in the database query. For\n\t # example, if you're querying the database to \"read\" a \"Project\", we\n\t # should also be checking that. So why do we do this at all? It's\n\t # a belt-and-suspenders measure so that if we somehow introduced an\n\t # unauthenticated code path that hits the database, it cannot be\n\t # used to DoS the database because we won't allow the operation to\n\t # make the query. (As long as the code path _is_ authenticated, we\n\t # can use throttling mechanisms to prevent DoS.)\n\t \"query\",\n\n\t # \"modify\" is required to populate database data that's delivered\n\t # with the system. It should also be required for schema changes,\n\t # when we support those. This is separate from \"query\" so that we\n\t # cannot accidentally invoke these code paths from API calls and\n\t # other general functions.\n\t \"modify\"\n\t];\n}\n\n# All authenticated users have the \"query\" permission on the database.\nhas_permission(_actor: AuthenticatedActor, \"query\", _resource: Database);\n\n# The \"db-init\" user is the only one with the \"modify\" permission.\nhas_permission(USER_DB_INIT: AuthenticatedActor, \"modify\", _resource: Database);\nhas_permission(USER_DB_INIT: AuthenticatedActor, \"create_child\", _resource: IpPoolList);\n# It also has \"admin\" on the internal silo to populate it with built-in resources.\n# TODO-completeness: actually limit to just internal silo and not all silos\nhas_role(USER_DB_INIT: AuthenticatedActor, \"admin\", _silo: Silo);\n\n# Allow the internal API admin permissions on all silos.\nhas_role(USER_INTERNAL_API: AuthenticatedActor, \"admin\", _silo: Silo);\n\nresource WebhookSecret {\n\tpermissions = [ \"read\", \"modify\" ];\n\trelations = { parent_alert_receiver: AlertReceiver };\n\n\t\"read\" if \"read\" on \"parent_alert_receiver\";\n\t\"modify\" if \"modify\" on \"parent_alert_receiver\";\n}\n\nhas_relation(rx: AlertReceiver, \"parent_alert_receiver\", secret: WebhookSecret)\n\tif secret.alert_receiver = rx;\n\nresource AlertClassList {\n\tpermissions = [ \"list_children\" ];\n\trelations = { parent_fleet: Fleet };\n\n\t\"list_children\" if \"viewer\" on \"parent_fleet\";\n}\n\nhas_relation(fleet: Fleet, \"parent_fleet\", collection: AlertClassList)\n\tif collection.fleet = fleet;\n\nresource ScimClientBearerTokenList {\n\tpermissions = [ \"create_child\", \"list_children\" ];\n\trelations = { parent_silo: Silo, parent_fleet: Fleet };\n\n\t# Silo-level roles grant privileges for SCIM client tokens.\n # These are all admin because being able to create these tokens would allow\n # a user to grant themselves admin by modifying group membership through SCIM calls\n\t\"create_child\" if \"admin\" on \"parent_silo\";\n\t\"list_children\" if \"admin\" on \"parent_silo\";\n\n # Fleet-level roles also grant privileges for SCIM client tokens, for\n # configuration before silo admins are present.\n\t\"create_child\" if \"admin\" on \"parent_fleet\";\n\t\"list_children\" if \"admin\" on \"parent_fleet\";\n}\nhas_relation(silo: Silo, \"parent_silo\", scim_client_bearer_token_list: ScimClientBearerTokenList)\n\tif scim_client_bearer_token_list.silo = silo;\nhas_relation(fleet: Fleet, \"parent_fleet\", collection: ScimClientBearerTokenList)\n\tif collection.silo.fleet = fleet;\n\n# VpcList is a synthetic resource for controlling VPC creation.\n# Unlike other project resources, VPC creation requires the full \"collaborator\"\n# role rather than \"limited-collaborator\", enforcing the networking restriction.\n# This allows organizations to restrict who can reconfigure the network topology\n# while still allowing users with limited-collaborator to work with compute\n# resources (instances, disks, etc.) within the existing network.\nresource VpcList {\n\tpermissions = [ \"list_children\", \"create_child\" ];\n\n\trelations = { containing_project: Project };\n\n\t\"list_children\" if \"read\" on \"containing_project\";\n\t\"create_child\" if \"collaborator\" on \"containing_project\";\n}\nhas_relation(project: Project, \"containing_project\", collection: VpcList)\n\tif collection.project = project;\n\n\n\n resource Disk {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n\n relations = { containing_project: Project };\n \"list_children\" if \"viewer\" on \"containing_project\";\n \"read\" if \"viewer\" on \"containing_project\";\n \"modify\" if \"limited-collaborator\" on \"containing_project\";\n \"create_child\" if \"limited-collaborator\" on \"containing_project\";\n }\n\n has_relation(parent: Project, \"containing_project\", child: Disk)\n if child.project = parent;\n \n\n resource Snapshot {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n\n relations = { containing_project: Project };\n \"list_children\" if \"viewer\" on \"containing_project\";\n \"read\" if \"viewer\" on \"containing_project\";\n \"modify\" if \"limited-collaborator\" on \"containing_project\";\n \"create_child\" if \"limited-collaborator\" on \"containing_project\";\n }\n\n has_relation(parent: Project, \"containing_project\", child: Snapshot)\n if child.project = parent;\n \n\n resource ProjectImage {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n\n relations = { containing_project: Project };\n \"list_children\" if \"viewer\" on \"containing_project\";\n \"read\" if \"viewer\" on \"containing_project\";\n \"modify\" if \"limited-collaborator\" on \"containing_project\";\n \"create_child\" if \"limited-collaborator\" on \"containing_project\";\n }\n\n has_relation(parent: Project, \"containing_project\", child: ProjectImage)\n if child.project = parent;\n \n\n resource AffinityGroup {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n\n relations = { containing_project: Project };\n \"list_children\" if \"viewer\" on \"containing_project\";\n \"read\" if \"viewer\" on \"containing_project\";\n \"modify\" if \"limited-collaborator\" on \"containing_project\";\n \"create_child\" if \"limited-collaborator\" on \"containing_project\";\n }\n\n has_relation(parent: Project, \"containing_project\", child: AffinityGroup)\n if child.project = parent;\n \n\n resource AntiAffinityGroup {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n\n relations = { containing_project: Project };\n \"list_children\" if \"viewer\" on \"containing_project\";\n \"read\" if \"viewer\" on \"containing_project\";\n \"modify\" if \"limited-collaborator\" on \"containing_project\";\n \"create_child\" if \"limited-collaborator\" on \"containing_project\";\n }\n\n has_relation(parent: Project, \"containing_project\", child: AntiAffinityGroup)\n if child.project = parent;\n \n\n resource Instance {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n\n relations = { containing_project: Project };\n \"list_children\" if \"viewer\" on \"containing_project\";\n \"read\" if \"viewer\" on \"containing_project\";\n \"modify\" if \"limited-collaborator\" on \"containing_project\";\n \"create_child\" if \"limited-collaborator\" on \"containing_project\";\n }\n\n has_relation(parent: Project, \"containing_project\", child: Instance)\n if child.project = parent;\n \n\n resource IpPool {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n \n relations = { parent_fleet: Fleet };\n \"list_children\" if \"viewer\" on \"parent_fleet\";\n \"read\" if \"viewer\" on \"parent_fleet\";\n \"modify\" if \"admin\" on \"parent_fleet\";\n \"create_child\" if \"admin\" on \"parent_fleet\";\n }\n has_relation(fleet: Fleet, \"parent_fleet\", child: IpPool)\n if child.fleet = fleet;\n \n\n resource InstanceNetworkInterface {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n\n relations = {\n containing_project: Project,\n parent: Instance\n };\n \"list_children\" if \"viewer\" on \"containing_project\";\n \"read\" if \"viewer\" on \"containing_project\";\n \"modify\" if \"limited-collaborator\" on \"containing_project\";\n \"create_child\" if \"limited-collaborator\" on \"containing_project\";\n }\n\n has_relation(project: Project, \"containing_project\", child: InstanceNetworkInterface)\n if has_relation(project, \"containing_project\", child.instance);\n\n has_relation(parent: Instance, \"parent\", child: InstanceNetworkInterface)\n if child.instance = parent;\n \n\n resource Vpc {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n\n relations = { containing_project: Project };\n \"list_children\" if \"viewer\" on \"containing_project\";\n \"read\" if \"viewer\" on \"containing_project\";\n \"modify\" if \"collaborator\" on \"containing_project\";\n \"create_child\" if \"collaborator\" on \"containing_project\";\n }\n\n has_relation(parent: Project, \"containing_project\", child: Vpc)\n if child.project = parent;\n \n\n resource VpcRouter {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n\n relations = {\n containing_project: Project,\n parent: Vpc\n };\n\n \"list_children\" if \"viewer\" on \"containing_project\";\n \"read\" if \"viewer\" on \"containing_project\";\n \"modify\" if \"collaborator\" on \"containing_project\";\n \"create_child\" if \"collaborator\" on \"containing_project\";\n }\n\n has_relation(project: Project, \"containing_project\", child: VpcRouter)\n if has_relation(project, \"containing_project\", child.vpc);\n\n has_relation(parent: Vpc, \"parent\", child: VpcRouter)\n if child.vpc = parent;\n \n\n resource InternetGateway {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n\n relations = {\n containing_project: Project,\n parent: Vpc\n };\n\n \"list_children\" if \"viewer\" on \"containing_project\";\n \"read\" if \"viewer\" on \"containing_project\";\n \"modify\" if \"collaborator\" on \"containing_project\";\n \"create_child\" if \"collaborator\" on \"containing_project\";\n }\n\n has_relation(project: Project, \"containing_project\", child: InternetGateway)\n if has_relation(project, \"containing_project\", child.vpc);\n\n has_relation(parent: Vpc, \"parent\", child: InternetGateway)\n if child.vpc = parent;\n \n\n resource InternetGatewayIpPool {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n\n relations = {\n containing_project: Project,\n parent: InternetGateway\n };\n\n \"list_children\" if \"viewer\" on \"containing_project\";\n \"read\" if \"viewer\" on \"containing_project\";\n \"modify\" if \"collaborator\" on \"containing_project\";\n \"create_child\" if \"collaborator\" on \"containing_project\";\n }\n\n has_relation(project: Project, \"containing_project\", child: InternetGatewayIpPool)\n if has_relation(project, \"containing_project\", child.internet_gateway);\n\n has_relation(parent: InternetGateway, \"parent\", child: InternetGatewayIpPool)\n if child.internet_gateway = parent;\n \n\n resource InternetGatewayIpAddress {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n\n relations = {\n containing_project: Project,\n parent: InternetGateway\n };\n\n \"list_children\" if \"viewer\" on \"containing_project\";\n \"read\" if \"viewer\" on \"containing_project\";\n \"modify\" if \"collaborator\" on \"containing_project\";\n \"create_child\" if \"collaborator\" on \"containing_project\";\n }\n\n has_relation(project: Project, \"containing_project\", child: InternetGatewayIpAddress)\n if has_relation(project, \"containing_project\", child.internet_gateway);\n\n has_relation(parent: InternetGateway, \"parent\", child: InternetGatewayIpAddress)\n if child.internet_gateway = parent;\n \n\n resource RouterRoute {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n\n relations = {\n containing_project: Project,\n parent: VpcRouter\n };\n\n \"list_children\" if \"viewer\" on \"containing_project\";\n \"read\" if \"viewer\" on \"containing_project\";\n \"modify\" if \"collaborator\" on \"containing_project\";\n \"create_child\" if \"collaborator\" on \"containing_project\";\n }\n\n has_relation(project: Project, \"containing_project\", child: RouterRoute)\n if has_relation(project, \"containing_project\", child.vpc_router);\n\n has_relation(parent: VpcRouter, \"parent\", child: RouterRoute)\n if child.vpc_router = parent;\n \n\n resource VpcSubnet {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n\n relations = {\n containing_project: Project,\n parent: Vpc\n };\n\n \"list_children\" if \"viewer\" on \"containing_project\";\n \"read\" if \"viewer\" on \"containing_project\";\n \"modify\" if \"collaborator\" on \"containing_project\";\n \"create_child\" if \"collaborator\" on \"containing_project\";\n }\n\n has_relation(project: Project, \"containing_project\", child: VpcSubnet)\n if has_relation(project, \"containing_project\", child.vpc);\n\n has_relation(parent: Vpc, \"parent\", child: VpcSubnet)\n if child.vpc = parent;\n \n\n resource FloatingIp {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n\n relations = { containing_project: Project };\n \"list_children\" if \"viewer\" on \"containing_project\";\n \"read\" if \"viewer\" on \"containing_project\";\n \"modify\" if \"limited-collaborator\" on \"containing_project\";\n \"create_child\" if \"limited-collaborator\" on \"containing_project\";\n }\n\n has_relation(parent: Project, \"containing_project\", child: FloatingIp)\n if child.project = parent;\n \n\n resource Image {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n\n relations = { containing_silo: Silo };\n \"list_children\" if \"viewer\" on \"containing_silo\";\n \"read\" if \"viewer\" on \"containing_silo\";\n \"modify\" if \"collaborator\" on \"containing_silo\";\n \"create_child\" if \"collaborator\" on \"containing_silo\";\n }\n\n has_relation(parent: Silo, \"containing_silo\", child: Image)\n if child.silo = parent;\n \n\n resource SiloImage {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n\n relations = { containing_silo: Silo };\n \"list_children\" if \"viewer\" on \"containing_silo\";\n \"read\" if \"viewer\" on \"containing_silo\";\n \"modify\" if \"collaborator\" on \"containing_silo\";\n \"create_child\" if \"collaborator\" on \"containing_silo\";\n }\n\n has_relation(parent: Silo, \"containing_silo\", child: SiloImage)\n if child.silo = parent;\n \n\n resource AddressLot {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n \n relations = { parent_fleet: Fleet };\n \"list_children\" if \"viewer\" on \"parent_fleet\";\n \"read\" if \"viewer\" on \"parent_fleet\";\n \"modify\" if \"admin\" on \"parent_fleet\";\n \"create_child\" if \"admin\" on \"parent_fleet\";\n }\n has_relation(fleet: Fleet, \"parent_fleet\", child: AddressLot)\n if child.fleet = fleet;\n \n\n resource Blueprint {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n \n relations = { parent_fleet: Fleet };\n \"list_children\" if \"viewer\" on \"parent_fleet\";\n \"read\" if \"viewer\" on \"parent_fleet\";\n \"modify\" if \"admin\" on \"parent_fleet\";\n \"create_child\" if \"admin\" on \"parent_fleet\";\n }\n has_relation(fleet: Fleet, \"parent_fleet\", child: Blueprint)\n if child.fleet = fleet;\n \n\n resource LoopbackAddress {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n \n relations = { parent_fleet: Fleet };\n \"list_children\" if \"viewer\" on \"parent_fleet\";\n \"read\" if \"viewer\" on \"parent_fleet\";\n \"modify\" if \"admin\" on \"parent_fleet\";\n \"create_child\" if \"admin\" on \"parent_fleet\";\n }\n has_relation(fleet: Fleet, \"parent_fleet\", child: LoopbackAddress)\n if child.fleet = fleet;\n \n\n\n resource ConsoleSession {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n \n relations = { parent_fleet: Fleet };\n \"list_children\" if \"viewer\" on \"parent_fleet\";\n \"read\" if \"viewer\" on \"parent_fleet\";\n \"modify\" if \"admin\" on \"parent_fleet\";\n \"create_child\" if \"admin\" on \"parent_fleet\";\n }\n has_relation(fleet: Fleet, \"parent_fleet\", child: ConsoleSession)\n if child.fleet = fleet;\n \n\n resource DeviceAuthRequest {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n \n relations = { parent_fleet: Fleet };\n \"list_children\" if \"viewer\" on \"parent_fleet\";\n \"read\" if \"viewer\" on \"parent_fleet\";\n \"modify\" if \"admin\" on \"parent_fleet\";\n \"create_child\" if \"admin\" on \"parent_fleet\";\n }\n has_relation(fleet: Fleet, \"parent_fleet\", child: DeviceAuthRequest)\n if child.fleet = fleet;\n \n\n resource DeviceAccessToken {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n \n relations = { parent_fleet: Fleet };\n \"list_children\" if \"viewer\" on \"parent_fleet\";\n \"read\" if \"viewer\" on \"parent_fleet\";\n \"modify\" if \"admin\" on \"parent_fleet\";\n \"create_child\" if \"admin\" on \"parent_fleet\";\n }\n has_relation(fleet: Fleet, \"parent_fleet\", child: DeviceAccessToken)\n if child.fleet = fleet;\n \n\n resource PhysicalDisk {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n \n relations = { parent_fleet: Fleet };\n \"list_children\" if \"viewer\" on \"parent_fleet\";\n \"read\" if \"viewer\" on \"parent_fleet\";\n \"modify\" if \"admin\" on \"parent_fleet\";\n \"create_child\" if \"admin\" on \"parent_fleet\";\n }\n has_relation(fleet: Fleet, \"parent_fleet\", child: PhysicalDisk)\n if child.fleet = fleet;\n \n\n resource Rack {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n \n relations = { parent_fleet: Fleet };\n \"list_children\" if \"viewer\" on \"parent_fleet\";\n \"read\" if \"viewer\" on \"parent_fleet\";\n \"modify\" if \"admin\" on \"parent_fleet\";\n \"create_child\" if \"admin\" on \"parent_fleet\";\n }\n has_relation(fleet: Fleet, \"parent_fleet\", child: Rack)\n if child.fleet = fleet;\n \n\n\n\n\n\n resource SupportBundle {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n \n relations = { parent_fleet: Fleet };\n \"list_children\" if \"viewer\" on \"parent_fleet\";\n \"read\" if \"viewer\" on \"parent_fleet\";\n \"modify\" if \"admin\" on \"parent_fleet\";\n \"create_child\" if \"admin\" on \"parent_fleet\";\n }\n has_relation(fleet: Fleet, \"parent_fleet\", child: SupportBundle)\n if child.fleet = fleet;\n \n\n\n\n resource Sled {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n \n relations = { parent_fleet: Fleet };\n \"list_children\" if \"viewer\" on \"parent_fleet\";\n \"read\" if \"viewer\" on \"parent_fleet\";\n \"modify\" if \"admin\" on \"parent_fleet\";\n \"create_child\" if \"admin\" on \"parent_fleet\";\n }\n has_relation(fleet: Fleet, \"parent_fleet\", child: Sled)\n if child.fleet = fleet;\n \n\n resource TufRepo {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n \n relations = { parent_fleet: Fleet };\n \"list_children\" if \"viewer\" on \"parent_fleet\";\n \"read\" if \"viewer\" on \"parent_fleet\";\n \"modify\" if \"admin\" on \"parent_fleet\";\n \"create_child\" if \"admin\" on \"parent_fleet\";\n }\n has_relation(fleet: Fleet, \"parent_fleet\", child: TufRepo)\n if child.fleet = fleet;\n \n\n resource TufArtifact {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n \n relations = { parent_fleet: Fleet };\n \"list_children\" if \"viewer\" on \"parent_fleet\";\n \"read\" if \"viewer\" on \"parent_fleet\";\n \"modify\" if \"admin\" on \"parent_fleet\";\n \"create_child\" if \"admin\" on \"parent_fleet\";\n }\n has_relation(fleet: Fleet, \"parent_fleet\", child: TufArtifact)\n if child.fleet = fleet;\n \n\n resource TufTrustRoot {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n \n relations = { parent_fleet: Fleet };\n \"list_children\" if \"viewer\" on \"parent_fleet\";\n \"read\" if \"viewer\" on \"parent_fleet\";\n \"modify\" if \"admin\" on \"parent_fleet\";\n \"create_child\" if \"admin\" on \"parent_fleet\";\n }\n has_relation(fleet: Fleet, \"parent_fleet\", child: TufTrustRoot)\n if child.fleet = fleet;\n \n\n resource Alert {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n \n relations = { parent_fleet: Fleet };\n \"list_children\" if \"viewer\" on \"parent_fleet\";\n \"read\" if \"viewer\" on \"parent_fleet\";\n \"modify\" if \"admin\" on \"parent_fleet\";\n \"create_child\" if \"admin\" on \"parent_fleet\";\n }\n has_relation(fleet: Fleet, \"parent_fleet\", child: Alert)\n if child.fleet = fleet;\n \n\n resource AlertReceiver {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n \n relations = { parent_fleet: Fleet };\n \"list_children\" if \"viewer\" on \"parent_fleet\";\n \"read\" if \"viewer\" on \"parent_fleet\";\n \"modify\" if \"admin\" on \"parent_fleet\";\n \"create_child\" if \"admin\" on \"parent_fleet\";\n }\n has_relation(fleet: Fleet, \"parent_fleet\", child: AlertReceiver)\n if child.fleet = fleet;\n \n\n\n resource Zpool {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n \n relations = { parent_fleet: Fleet };\n \"list_children\" if \"viewer\" on \"parent_fleet\";\n \"read\" if \"viewer\" on \"parent_fleet\";\n \"modify\" if \"admin\" on \"parent_fleet\";\n \"create_child\" if \"admin\" on \"parent_fleet\";\n }\n has_relation(fleet: Fleet, \"parent_fleet\", child: Zpool)\n if child.fleet = fleet;\n \n\n resource Service {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n \n relations = { parent_fleet: Fleet };\n \"list_children\" if \"viewer\" on \"parent_fleet\";\n \"read\" if \"viewer\" on \"parent_fleet\";\n \"modify\" if \"admin\" on \"parent_fleet\";\n \"create_child\" if \"admin\" on \"parent_fleet\";\n }\n has_relation(fleet: Fleet, \"parent_fleet\", child: Service)\n if child.fleet = fleet;\n \n\n resource UserBuiltin {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n \n relations = { parent_fleet: Fleet };\n \"list_children\" if \"viewer\" on \"parent_fleet\";\n \"read\" if \"viewer\" on \"parent_fleet\";\n \"modify\" if \"admin\" on \"parent_fleet\";\n \"create_child\" if \"admin\" on \"parent_fleet\";\n }\n has_relation(fleet: Fleet, \"parent_fleet\", child: UserBuiltin)\n if child.fleet = fleet;\n \n\n\n resource MulticastGroup {\n permissions = [\n \"list_children\",\n \"modify\",\n \"read\",\n \"create_child\",\n ];\n \n relations = { parent_fleet: Fleet };\n \"list_children\" if \"viewer\" on \"parent_fleet\";\n \"read\" if \"viewer\" on \"parent_fleet\";\n \"modify\" if \"admin\" on \"parent_fleet\";\n \"create_child\" if \"admin\" on \"parent_fleet\";\n }\n has_relation(fleet: Fleet, \"parent_fleet\", child: MulticastGroup)\n if child.fleet = fleet;\n "} {"msg":"Setting up resolver using DNS address: [::1]:44688","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.823771132Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4"} {"msg":"new DNS resolver","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.824137322Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"DnsResolver","component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","addresses":"[[::1]:44688]"} {"msg":"Setting up qorb database pool from a single host","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:53.825276063Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","url":"PostgresConfigWithUrl {\n url_raw: \"postgresql://root@[::1]:60999/omicron?sslmode=disable\",\n config: Config {\n user: Some(\n \"root\",\n ),\n password: None,\n dbname: Some(\n \"omicron\",\n ),\n options: None,\n application_name: None,\n ssl_mode: Disable,\n host: [\n Tcp(\n \"::1\",\n ),\n ],\n hostaddr: [],\n port: [\n 60999,\n ],\n connect_timeout: None,\n tcp_user_timeout: None,\n keepalives: true,\n keepalives_idle: 7200s,\n keepalives_interval: None,\n keepalives_retries: None,\n target_session_attrs: Any,\n channel_binding: Prefer,\n load_balance_hosts: Disable,\n },\n}"} {"msg":"registered USDT probes","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:53.82817136Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4"} {"msg":"Database schema version is up to date","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:55.545215407Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"desired_version":"215.0.0","found_version":"215.0.0","component":"datastore","component":"nexus","component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4"} {"msg":"No db_metadata_nexus records exist - skipping access check","v":0,"name":"test_vpc_routers_crud_operations","level":40,"time":"2026-01-14T21:22:55.565149158Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"datastore","component":"nexus","component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","explanation":"This is expected during initial deployment or before migration","nexus_id":"913233fe-92a8-4635-9572-183f495429c4 (omicron_zone)"} {"msg":"Datastore is ready for usage","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:55.565409791Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"nexus","component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4"} {"msg":"registered USDT probes","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.680189009Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"id":"a65a442c-8cda-4957-877c-7a9220e08305","component":"clickhouse-client","component":"nexus","component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.786356192Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:47680","component":"dropshot_internal","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/crucible/0/upstairs/{upstairs_id}/downstairs/{downstairs_id}/stop-request","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.786543852Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:47680","component":"dropshot_internal","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/crucible/0/upstairs/{upstairs_id}/downstairs/{downstairs_id}/stopped","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.786606715Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:47680","component":"dropshot_internal","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/crucible/0/upstairs/{upstairs_id}/repair/{repair_id}/progress","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.786663086Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:47680","component":"dropshot_internal","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/crucible/0/upstairs/{upstairs_id}/repair-finish","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.786717343Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:47680","component":"dropshot_internal","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/crucible/0/upstairs/{upstairs_id}/repair-start","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.786759255Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:47680","component":"dropshot_internal","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/disk/{disk_id}/remove-read-only-parent","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.786809705Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:47680","component":"dropshot_internal","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/disks/{disk_id}","method":"PUT"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.786859212Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:47680","component":"dropshot_internal","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/metrics/collectors","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.786897247Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:47680","component":"dropshot_internal","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/metrics/collectors/{collector_id}/producers","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.786945502Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:47680","component":"dropshot_internal","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/metrics/producers","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.786995009Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:47680","component":"dropshot_internal","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/nat/ipv4/changeset/{from_gen}","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.787034768Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:47680","component":"dropshot_internal","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/probes/{sled}","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.787115346Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:47680","component":"dropshot_internal","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/refresh-vpc-routes","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.787169833Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:47680","component":"dropshot_internal","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/sled-agents/{sled_id}","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.787221104Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:47680","component":"dropshot_internal","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/sled-agents/{sled_id}","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.787262185Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:47680","component":"dropshot_internal","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/switch/{switch_id}","method":"PUT"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.787313837Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:47680","component":"dropshot_internal","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/v1/ping","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.787363214Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:47680","component":"dropshot_internal","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/vmms/{propolis_id}","method":"PUT"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.787401199Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:47680","component":"dropshot_internal","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/volume/{volume_id}/remove-read-only-parent","method":"POST"} {"msg":"listening","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:55.787449554Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:47680","component":"dropshot_internal","name":"913233fe-92a8-4635-9572-183f495429c4"} {"msg":"successfully registered DTrace USDT probes","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.787785575Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:47680","component":"dropshot_internal","name":"913233fe-92a8-4635-9572-183f495429c4"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.791907054Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/bgtasks","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.792008794Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/bgtasks/activate","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.792067079Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/bgtasks/view/{bgtask_name}","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.792120805Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/clickhouse/policy","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.792176825Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/clickhouse/policy","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.792235521Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/debug/fetch-omdb-binary","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.792276581Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/demo-saga","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.792324215Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/demo-saga/{demo_saga_id}/complete","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.792375786Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/deployment/blueprints/all","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.792414483Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/deployment/blueprints/all/{blueprint_id}","method":"DELETE"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.79246411Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/deployment/blueprints/all/{blueprint_id}","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.792514289Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/deployment/blueprints/import","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.792552795Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/deployment/blueprints/regenerate","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.792634576Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/deployment/blueprints/target","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.792687951Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/deployment/blueprints/target","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.792737829Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/deployment/blueprints/target/enabled","method":"PUT"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.792776796Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/deployment/reconfigurator-config","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.792825812Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/deployment/reconfigurator-config","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.792903825Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/deployment/reconfigurator-config/{version}","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.792947562Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/deployment/update-status","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.793000466Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/experimental/v1/system/support-bundles","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.793051736Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/experimental/v1/system/support-bundles","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.793101905Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/experimental/v1/system/support-bundles/{bundle_id}","method":"DELETE"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.793142886Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/experimental/v1/system/support-bundles/{bundle_id}","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.793193145Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/experimental/v1/system/support-bundles/{bundle_id}","method":"PUT"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.793243093Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/experimental/v1/system/support-bundles/{bundle_id}/download","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.793295436Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/experimental/v1/system/support-bundles/{bundle_id}/download","method":"HEAD"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.793335825Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/experimental/v1/system/support-bundles/{bundle_id}/download/{file}","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.793390904Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/experimental/v1/system/support-bundles/{bundle_id}/download/{file}","method":"HEAD"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.793487574Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/experimental/v1/system/support-bundles/{bundle_id}/index","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.793546069Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/instances/{instance_id}/migrate","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.793586128Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/mgs-updates","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.793636507Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/oximeter/read-policy","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.793685554Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/oximeter/read-policy","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.793723448Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/physical-disk/expunge","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.793774168Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/quiesce","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.793822774Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/quiesce","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.793859977Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/racks/{rack_id}/initialization-complete","method":"PUT"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.793909464Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/sagas","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.793960925Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/sagas/{saga_id}","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.793999111Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/sleds/add","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.794050011Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/sleds/expunge","method":"POST"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.794100761Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/sleds/uninitialized","method":"GET"} {"msg":"registered endpoint","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.794139246Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4","versions":"all","path":"/v1/ping","method":"GET"} {"msg":"listening","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:55.794187361Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4"} {"msg":"successfully registered DTrace USDT probes","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.794452954Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"local_addr":"127.0.0.1:38729","component":"dropshot_lockstep","name":"913233fe-92a8-4635-9572-183f495429c4"} {"msg":"SEC running","v":0,"name":"test_vpc_routers_crud_operations","level":30,"time":"2026-01-14T21:22:55.794930774Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"sec_id":"913233fe-92a8-4635-9572-183f495429c4","component":"SEC","component":"nexus","component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4"} {"msg":"authorize begin","v":0,"name":"test_vpc_routers_crud_operations","level":10,"time":"2026-01-14T21:22:55.796064074Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"DataLoader","component":"nexus","component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","resource":"Database","action":"Modify","actor":"Some(Actor::UserBuiltin { user_builtin_id: 001de000-05e4-4000-8000-000000000001 (built_in_user), .. })"} {"msg":"roles","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.796190833Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"DataLoader","component":"nexus","component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","roles":"RoleSet { roles: {} }"} {"msg":"authorize result","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.799761048Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"DataLoader","component":"nexus","component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","result":"Ok(())","resource":"Database","action":"Modify","actor":"Some(Actor::UserBuiltin { user_builtin_id: 001de000-05e4-4000-8000-000000000001 (built_in_user), .. })"} {"msg":"attempting to create built-in users","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.799976211Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"DataLoader","component":"nexus","component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4"} {"msg":"authorize begin","v":0,"name":"test_vpc_routers_crud_operations","level":10,"time":"2026-01-14T21:22:55.801065735Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"DataLoader","component":"nexus","component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","resource":"Database","action":"Query","actor":"Some(Actor::UserBuiltin { user_builtin_id: 001de000-05e4-4000-8000-000000000001 (built_in_user), .. })"} {"msg":"roles","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.801140622Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"DataLoader","component":"nexus","component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","roles":"RoleSet { roles: {} }"} {"msg":"authorize result","v":0,"name":"test_vpc_routers_crud_operations","level":20,"time":"2026-01-14T21:22:55.801686957Z","hostname":"bmat-EVT22200007-0000d42a","pid":5131,"component":"DataLoader","component":"nexus","component":"ServerContext","name":"913233fe-92a8-4635-9572-183f495429c4","result":"Ok(())","resource":"Database","action":"Query","actor":"Some(Actor::UserBuiltin { user_builtin_id: 001de000-05e4-4000-8000-000000000001 (built_in_user), .. })"}