
This commit allows horizon to handle deprecated policy rules. The approach is explained in the document updated by this change. oslo.policy requirement is updated. oslo.policy 3.2.0 is chosen just because it is the first release in Victoria cycle. requirements.txt and lower-constraints.txt are updated accordingly including oslo.policy dependencies. Change-Id: If5059d03f6bd7e94796065aa1b51c0c23ac85f5e
# Shared base rules. Other check strings refer to them as "rule:<name>";
# none of them is tied to an API operation (operations is empty) and none
# declares scope_types.

# Admin role, or credentials carrying is_admin=1.
- check_str: 'role:admin or is_admin:1'
  description: null
  name: admin_required
  operations: []
  scope_types: null
# Service role.
- check_str: 'role:service'
  description: null
  name: service_role
  operations: []
  scope_types: null
- check_str: 'rule:admin_required or rule:service_role'
  description: null
  name: service_or_admin
  operations: []
  scope_types: null
# Caller's user_id must equal the user_id of the target.
- check_str: 'user_id:%(user_id)s'
  description: null
  name: owner
  operations: []
  scope_types: null
- check_str: 'rule:admin_required or rule:owner'
  description: null
  name: admin_or_owner
  operations: []
  scope_types: null
# Caller's user_id must equal the user_id recorded on the target token.
- check_str: 'user_id:%(target.token.user_id)s'
  description: null
  name: token_subject
  operations: []
  scope_types: null
- check_str: 'rule:admin_required or rule:token_subject'
  description: null
  name: admin_or_token_subject
  operations: []
  scope_types: null
- check_str: 'rule:service_or_admin or rule:token_subject'
  description: null
  name: service_admin_or_token_subject
  operations: []
  scope_types: null
# Access rule API. Reads need a system-scoped reader and delete needs a
# system-scoped admin; in every rule the caller whose user_id matches
# target.user.id is also allowed.
- check_str: '(role:reader and system_scope:all) or user_id:%(target.user.id)s'
  description: Show access rule details.
  name: identity:get_access_rule
  operations:
  - method: GET
    path: /v3/users/{user_id}/access_rules/{access_rule_id}
  - method: HEAD
    path: /v3/users/{user_id}/access_rules/{access_rule_id}
  scope_types:
  - system
  - project
- check_str: '(role:reader and system_scope:all) or user_id:%(target.user.id)s'
  description: List access rules for a user.
  name: identity:list_access_rules
  operations:
  - method: GET
    path: /v3/users/{user_id}/access_rules
  - method: HEAD
    path: /v3/users/{user_id}/access_rules
  scope_types:
  - system
  - project
- check_str: '(role:admin and system_scope:all) or user_id:%(target.user.id)s'
  description: Delete an access_rule.
  name: identity:delete_access_rule
  operations:
  - method: DELETE
    path: /v3/users/{user_id}/access_rules/{access_rule_id}
  scope_types:
  - system
  - project
# OAUTH1 request/access token API. Every rule here is rule:admin_required
# and lists project as its only scope type; none carries a deprecated_rule.
- check_str: 'rule:admin_required'
  description: Authorize OAUTH1 request token.
  name: identity:authorize_request_token
  operations:
  - method: PUT
    path: /v3/OS-OAUTH1/authorize/{request_token_id}
  scope_types:
  - project
- check_str: 'rule:admin_required'
  description: Get OAUTH1 access token for user by access token ID.
  name: identity:get_access_token
  operations:
  - method: GET
    path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
  scope_types:
  - project
- check_str: 'rule:admin_required'
  description: Get role for user OAUTH1 access token.
  name: identity:get_access_token_role
  operations:
  - method: GET
    path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
  scope_types:
  - project
- check_str: 'rule:admin_required'
  description: List OAUTH1 access tokens for user.
  name: identity:list_access_tokens
  operations:
  - method: GET
    path: /v3/users/{user_id}/OS-OAUTH1/access_tokens
  scope_types:
  - project
- check_str: 'rule:admin_required'
  description: List OAUTH1 access token roles.
  name: identity:list_access_token_roles
  operations:
  - method: GET
    path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
  scope_types:
  - project
- check_str: 'rule:admin_required'
  description: Delete OAUTH1 access token.
  name: identity:delete_access_token
  operations:
  - method: DELETE
    path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
  scope_types:
  - project
# Application credential API.
# get/list/delete still carry a deprecated_rule (rule:admin_or_owner). While
# a deprecated rule is attached, oslo.policy accepts a request that passes
# either the new check_str or the deprecated one, unless the deployment sets
# enforce_new_defaults; review the effective default as the union of both.
# NOTE(review): the deprecated names for get and delete are plural
# (identity:get_application_credentials, identity:delete_application_credentials)
# while the current names are singular - presumably a rename; confirm how
# operator overrides written under the old names are treated.
- check_str: '(role:reader and system_scope:all) or rule:owner'
  deprecated_reason: >-
    The application credential API is now aware of system scope and
    default roles.
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    name: identity:get_application_credentials
  deprecated_since: 'T'
  description: Show application credential details.
  name: identity:get_application_credential
  operations:
  - method: GET
    path: /v3/users/{user_id}/application_credentials/{application_credential_id}
  - method: HEAD
    path: /v3/users/{user_id}/application_credentials/{application_credential_id}
  scope_types:
  - system
  - project
- check_str: '(role:reader and system_scope:all) or rule:owner'
  deprecated_reason: >-
    The application credential API is now aware of system scope and
    default roles.
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    name: identity:list_application_credentials
  deprecated_since: 'T'
  description: List application credentials for a user.
  name: identity:list_application_credentials
  operations:
  - method: GET
    path: /v3/users/{user_id}/application_credentials
  - method: HEAD
    path: /v3/users/{user_id}/application_credentials
  scope_types:
  - system
  - project
# Creation has no admin branch: only a caller whose user_id matches the
# target user_id passes, and project is the only scope type.
- check_str: 'user_id:%(user_id)s'
  description: Create an application credential.
  name: identity:create_application_credential
  operations:
  - method: POST
    path: /v3/users/{user_id}/application_credentials
  scope_types:
  - project
- check_str: '(role:admin and system_scope:all) or rule:owner'
  deprecated_reason: >-
    The application credential API is now aware of system scope and
    default roles.
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    name: identity:delete_application_credentials
  deprecated_since: 'T'
  description: Delete an application credential.
  name: identity:delete_application_credential
  operations:
  - method: DELETE
    path: /v3/users/{user_id}/application_credentials/{application_credential_id}
  scope_types:
  - system
  - project
# Discovery endpoints under /v3/auth. check_str is empty, which oslo.policy
# evaluates as always true: these rules demand no role or scope of their own,
# so access rests on whatever authentication runs before policy enforcement.
# scope_types is null, i.e. no scope restriction is declared either.
- check_str: ''
  description: Get service catalog.
  name: identity:get_auth_catalog
  operations:
  - method: GET
    path: /v3/auth/catalog
  - method: HEAD
    path: /v3/auth/catalog
  scope_types: null
- check_str: ''
  description: List all projects a user has access to via role assignments.
  name: identity:get_auth_projects
  operations:
  - method: GET
    path: /v3/auth/projects
  - method: HEAD
    path: /v3/auth/projects
  scope_types: null
- check_str: ''
  description: List all domains a user has access to via role assignments.
  name: identity:get_auth_domains
  operations:
  - method: GET
    path: /v3/auth/domains
  - method: HEAD
    path: /v3/auth/domains
  scope_types: null
- check_str: ''
  description: List systems a user has access to via role assignments.
  name: identity:get_auth_system
  operations:
  - method: GET
    path: /v3/auth/system
  - method: HEAD
    path: /v3/auth/system
  scope_types: null
# OAUTH1 consumer API. New defaults are system scope only: reader for
# get/list, admin for create/update/delete.
# Each rule still carries the deprecated default rule:admin_required. While
# it is attached, oslo.policy accepts a request that passes either check,
# unless the deployment sets enforce_new_defaults.
- check_str: 'role:reader and system_scope:all'
  deprecated_reason: >-
    The OAUTH1 consumer API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:get_consumer
  deprecated_since: 'T'
  description: Show OAUTH1 consumer details.
  name: identity:get_consumer
  operations:
  - method: GET
    path: /v3/OS-OAUTH1/consumers/{consumer_id}
  scope_types:
  - system
- check_str: 'role:reader and system_scope:all'
  deprecated_reason: >-
    The OAUTH1 consumer API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:list_consumers
  deprecated_since: 'T'
  description: List OAUTH1 consumers.
  name: identity:list_consumers
  operations:
  - method: GET
    path: /v3/OS-OAUTH1/consumers
  scope_types:
  - system
- check_str: 'role:admin and system_scope:all'
  deprecated_reason: >-
    The OAUTH1 consumer API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:create_consumer
  deprecated_since: 'T'
  description: Create OAUTH1 consumer.
  name: identity:create_consumer
  operations:
  - method: POST
    path: /v3/OS-OAUTH1/consumers
  scope_types:
  - system
- check_str: 'role:admin and system_scope:all'
  deprecated_reason: >-
    The OAUTH1 consumer API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:update_consumer
  deprecated_since: 'T'
  description: Update OAUTH1 consumer.
  name: identity:update_consumer
  operations:
  - method: PATCH
    path: /v3/OS-OAUTH1/consumers/{consumer_id}
  scope_types:
  - system
- check_str: 'role:admin and system_scope:all'
  deprecated_reason: >-
    The OAUTH1 consumer API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:delete_consumer
  deprecated_since: 'T'
  description: Delete OAUTH1 consumer.
  name: identity:delete_consumer
  operations:
  - method: DELETE
    path: /v3/OS-OAUTH1/consumers/{consumer_id}
  scope_types:
  - system
# Credential API. The new defaults add a self-service branch: a caller whose
# user_id matches target.credential.user_id passes, next to the system-scoped
# reader (get/list) or admin (create/update/delete).
# Each rule still carries the deprecated default rule:admin_required. While
# it is attached, oslo.policy accepts a request that passes either check,
# unless the deployment sets enforce_new_defaults.
- check_str: '(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s'
  deprecated_reason: The credential API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:get_credential
  deprecated_since: 'S'
  description: Show credentials details.
  name: identity:get_credential
  operations:
  - method: GET
    path: /v3/credentials/{credential_id}
  scope_types:
  - system
  - project
- check_str: '(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s'
  deprecated_reason: The credential API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:list_credentials
  deprecated_since: 'S'
  description: List credentials.
  name: identity:list_credentials
  operations:
  - method: GET
    path: /v3/credentials
  scope_types:
  - system
  - project
- check_str: '(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s'
  deprecated_reason: The credential API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:create_credential
  deprecated_since: 'S'
  description: Create credential.
  name: identity:create_credential
  operations:
  - method: POST
    path: /v3/credentials
  scope_types:
  - system
  - project
- check_str: '(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s'
  deprecated_reason: The credential API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:update_credential
  deprecated_since: 'S'
  description: Update credential.
  name: identity:update_credential
  operations:
  - method: PATCH
    path: /v3/credentials/{credential_id}
  scope_types:
  - system
  - project
- check_str: '(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s'
  deprecated_reason: The credential API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:delete_credential
  deprecated_since: 'S'
  description: Delete credential.
  name: identity:delete_credential
  operations:
  - method: DELETE
    path: /v3/credentials/{credential_id}
  scope_types:
  - system
  - project
# Domain API. list/create/update/delete are system scope only. get_domain
# additionally passes when the token's own domain, or the domain of the
# token's project, equals the target domain.
# Each rule still carries a deprecated default. While it is attached,
# oslo.policy accepts a request that passes either check, unless the
# deployment sets enforce_new_defaults.
- check_str: >-
    (role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s
    or token.project.domain.id:%(target.domain.id)s
  deprecated_reason: The domain API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: 'rule:admin_required or token.project.domain.id:%(target.domain.id)s'
    name: identity:get_domain
  deprecated_since: 'S'
  description: Show domain details.
  name: identity:get_domain
  operations:
  - method: GET
    path: /v3/domains/{domain_id}
  scope_types:
  - system
  - domain
  - project
- check_str: 'role:reader and system_scope:all'
  deprecated_reason: The domain API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:list_domains
  deprecated_since: 'S'
  description: List domains.
  name: identity:list_domains
  operations:
  - method: GET
    path: /v3/domains
  scope_types:
  - system
- check_str: 'role:admin and system_scope:all'
  deprecated_reason: The domain API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:create_domain
  deprecated_since: 'S'
  description: Create domain.
  name: identity:create_domain
  operations:
  - method: POST
    path: /v3/domains
  scope_types:
  - system
- check_str: 'role:admin and system_scope:all'
  deprecated_reason: The domain API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:update_domain
  deprecated_since: 'S'
  description: Update domain.
  name: identity:update_domain
  operations:
  - method: PATCH
    path: /v3/domains/{domain_id}
  scope_types:
  - system
- check_str: 'role:admin and system_scope:all'
  deprecated_reason: The domain API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:delete_domain
  deprecated_since: 'S'
  description: Delete domain.
  name: identity:delete_domain
  operations:
  - method: DELETE
    path: /v3/domains/{domain_id}
  scope_types:
  - system
# Domain configuration API. All rules are system scope only (reader for
# reads, admin for writes) except get_security_compliance_domain_config.
# The rules with a deprecated_rule still fall back to rule:admin_required:
# while it is attached, oslo.policy accepts a request that passes either
# check, unless the deployment sets enforce_new_defaults.
- check_str: 'role:admin and system_scope:all'
  deprecated_reason: >-
    The domain config API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:create_domain_config
  deprecated_since: 'T'
  description: Create domain configuration.
  name: identity:create_domain_config
  operations:
  - method: PUT
    path: /v3/domains/{domain_id}/config
  scope_types:
  - system
- check_str: 'role:reader and system_scope:all'
  deprecated_reason: >-
    The domain config API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:get_domain_config
  deprecated_since: 'T'
  description: >-
    Get the entire domain configuration for a domain, an option group within
    a domain, or a specific configuration option within a group for a domain.
  name: identity:get_domain_config
  operations:
  - method: GET
    path: /v3/domains/{domain_id}/config
  - method: HEAD
    path: /v3/domains/{domain_id}/config
  - method: GET
    path: /v3/domains/{domain_id}/config/{group}
  - method: HEAD
    path: /v3/domains/{domain_id}/config/{group}
  - method: GET
    path: /v3/domains/{domain_id}/config/{group}/{option}
  - method: HEAD
    path: /v3/domains/{domain_id}/config/{group}/{option}
  scope_types:
  - system
# Empty check_str: oslo.policy evaluates it as always true, so this rule
# demands no role of its own, and all three scope types are accepted.
# NOTE(review): the two {option} paths below lack the leading "/" that the
# sibling paths have; kept exactly as generated.
- check_str: ''
  description: >-
    Get security compliance domain configuration for either a domain or
    a specific option in a domain.
  name: identity:get_security_compliance_domain_config
  operations:
  - method: GET
    path: /v3/domains/{domain_id}/config/security_compliance
  - method: HEAD
    path: /v3/domains/{domain_id}/config/security_compliance
  - method: GET
    path: v3/domains/{domain_id}/config/security_compliance/{option}
  - method: HEAD
    path: v3/domains/{domain_id}/config/security_compliance/{option}
  scope_types:
  - system
  - domain
  - project
- check_str: 'role:admin and system_scope:all'
  deprecated_reason: >-
    The domain config API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:update_domain_config
  deprecated_since: 'T'
  description: >-
    Update domain configuration for either a domain, specific group or
    a specific option in a group.
  name: identity:update_domain_config
  operations:
  - method: PATCH
    path: /v3/domains/{domain_id}/config
  - method: PATCH
    path: /v3/domains/{domain_id}/config/{group}
  - method: PATCH
    path: /v3/domains/{domain_id}/config/{group}/{option}
  scope_types:
  - system
- check_str: 'role:admin and system_scope:all'
  deprecated_reason: >-
    The domain config API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:delete_domain_config
  deprecated_since: 'T'
  description: >-
    Delete domain configuration for either a domain, specific group or
    a specific option in a group.
  name: identity:delete_domain_config
  operations:
  - method: DELETE
    path: /v3/domains/{domain_id}/config
  - method: DELETE
    path: /v3/domains/{domain_id}/config/{group}
  - method: DELETE
    path: /v3/domains/{domain_id}/config/{group}/{option}
  scope_types:
  - system
- check_str: 'role:reader and system_scope:all'
  deprecated_reason: >-
    The domain config API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:get_domain_config_default
  deprecated_since: 'T'
  description: >-
    Get domain configuration default for either a domain, specific group
    or a specific option in a group.
  name: identity:get_domain_config_default
  operations:
  - method: GET
    path: /v3/domains/config/default
  - method: HEAD
    path: /v3/domains/config/default
  - method: GET
    path: /v3/domains/config/{group}/default
  - method: HEAD
    path: /v3/domains/config/{group}/default
  - method: GET
    path: /v3/domains/config/{group}/{option}/default
  - method: HEAD
    path: /v3/domains/config/{group}/{option}/default
  scope_types:
  - system
# EC2 credential API. Each rule pairs a system-scoped reader/admin branch
# with a self-service branch (rule:owner, or a match on
# target.credential.user_id).
# Each rule still carries a deprecated default. While it is attached,
# oslo.policy accepts a request that passes either check, unless the
# deployment sets enforce_new_defaults.
# NOTE(review): the deprecated names for create and delete are plural
# (identity:ec2_create_credentials, identity:ec2_delete_credentials) while
# the current names are singular - presumably a rename; confirm how operator
# overrides written under the old names are treated.
- check_str: '(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s'
  deprecated_reason: >-
    The EC2 credential API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)'
    name: identity:ec2_get_credential
  deprecated_since: 'T'
  description: Show ec2 credential details.
  name: identity:ec2_get_credential
  operations:
  - method: GET
    path: /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
  scope_types:
  - system
  - project
- check_str: '(role:reader and system_scope:all) or rule:owner'
  deprecated_reason: >-
    The EC2 credential API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    name: identity:ec2_list_credentials
  deprecated_since: 'T'
  description: List ec2 credentials.
  name: identity:ec2_list_credentials
  operations:
  - method: GET
    path: /v3/users/{user_id}/credentials/OS-EC2
  scope_types:
  - system
  - project
- check_str: '(role:admin and system_scope:all) or rule:owner'
  deprecated_reason: >-
    The EC2 credential API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    name: identity:ec2_create_credentials
  deprecated_since: 'T'
  description: Create ec2 credential.
  name: identity:ec2_create_credential
  operations:
  - method: POST
    path: /v3/users/{user_id}/credentials/OS-EC2
  scope_types:
  - system
  - project
- check_str: '(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s'
  deprecated_reason: >-
    The EC2 credential API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)'
    name: identity:ec2_delete_credentials
  deprecated_since: 'T'
  description: Delete ec2 credential.
  name: identity:ec2_delete_credential
  operations:
  - method: DELETE
    path: /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
  scope_types:
  - system
  - project
# Endpoint API. New defaults are system scope only: reader for get/list,
# admin for create/update/delete.
# Each rule still carries the deprecated default rule:admin_required. While
# it is attached, oslo.policy accepts a request that passes either check,
# unless the deployment sets enforce_new_defaults.
- check_str: 'role:reader and system_scope:all'
  deprecated_reason: The endpoint API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:get_endpoint
  deprecated_since: 'S'
  description: Show endpoint details.
  name: identity:get_endpoint
  operations:
  - method: GET
    path: /v3/endpoints/{endpoint_id}
  scope_types:
  - system
- check_str: 'role:reader and system_scope:all'
  deprecated_reason: The endpoint API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:list_endpoints
  deprecated_since: 'S'
  description: List endpoints.
  name: identity:list_endpoints
  operations:
  - method: GET
    path: /v3/endpoints
  scope_types:
  - system
- check_str: 'role:admin and system_scope:all'
  deprecated_reason: The endpoint API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:create_endpoint
  deprecated_since: 'S'
  description: Create endpoint.
  name: identity:create_endpoint
  operations:
  - method: POST
    path: /v3/endpoints
  scope_types:
  - system
- check_str: 'role:admin and system_scope:all'
  deprecated_reason: The endpoint API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:update_endpoint
  deprecated_since: 'S'
  description: Update endpoint.
  name: identity:update_endpoint
  operations:
  - method: PATCH
    path: /v3/endpoints/{endpoint_id}
  scope_types:
  - system
- check_str: 'role:admin and system_scope:all'
  deprecated_reason: The endpoint API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:delete_endpoint
  deprecated_since: 'S'
  description: Delete endpoint.
  name: identity:delete_endpoint
  operations:
  - method: DELETE
    path: /v3/endpoints/{endpoint_id}
  scope_types:
  - system
# Endpoint group API (OS-EP-FILTER), create/list/get/update/delete. New
# defaults are system scope only: reader for reads, admin for writes.
# Each rule still carries the deprecated default rule:admin_required. While
# it is attached, oslo.policy accepts a request that passes either check,
# unless the deployment sets enforce_new_defaults.
- check_str: 'role:admin and system_scope:all'
  deprecated_reason: >-
    The endpoint groups API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:create_endpoint_group
  deprecated_since: 'T'
  description: Create endpoint group.
  name: identity:create_endpoint_group
  operations:
  - method: POST
    path: /v3/OS-EP-FILTER/endpoint_groups
  scope_types:
  - system
- check_str: 'role:reader and system_scope:all'
  deprecated_reason: >-
    The endpoint groups API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:list_endpoint_groups
  deprecated_since: 'T'
  description: List endpoint groups.
  name: identity:list_endpoint_groups
  operations:
  - method: GET
    path: /v3/OS-EP-FILTER/endpoint_groups
  scope_types:
  - system
- check_str: 'role:reader and system_scope:all'
  deprecated_reason: >-
    The endpoint groups API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:get_endpoint_group
  deprecated_since: 'T'
  description: Get endpoint group.
  name: identity:get_endpoint_group
  operations:
  - method: GET
    path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
  - method: HEAD
    path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
  scope_types:
  - system
- check_str: 'role:admin and system_scope:all'
  deprecated_reason: >-
    The endpoint groups API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:update_endpoint_group
  deprecated_since: 'T'
  description: Update endpoint group.
  name: identity:update_endpoint_group
  operations:
  - method: PATCH
    path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
  scope_types:
  - system
- check_str: 'role:admin and system_scope:all'
  deprecated_reason: >-
    The endpoint groups API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:delete_endpoint_group
  deprecated_since: 'T'
  description: Delete endpoint group.
  name: identity:delete_endpoint_group
  operations:
  - method: DELETE
    path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
  scope_types:
  - system
# Endpoint group <-> project associations (OS-EP-FILTER). New defaults are
# system scope only: reader for the list/check rules, admin for add/remove.
# Each rule still carries the deprecated default rule:admin_required. While
# it is attached, oslo.policy accepts a request that passes either check,
# unless the deployment sets enforce_new_defaults.
- check_str: 'role:reader and system_scope:all'
  deprecated_reason: >-
    The endpoint groups API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:list_projects_associated_with_endpoint_group
  deprecated_since: 'T'
  description: List all projects associated with a specific endpoint group.
  name: identity:list_projects_associated_with_endpoint_group
  operations:
  - method: GET
    path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
  scope_types:
  - system
- check_str: 'role:reader and system_scope:all'
  deprecated_reason: >-
    The endpoint groups API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:list_endpoints_associated_with_endpoint_group
  deprecated_since: 'T'
  description: List all endpoints associated with an endpoint group.
  name: identity:list_endpoints_associated_with_endpoint_group
  operations:
  - method: GET
    path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
  scope_types:
  - system
- check_str: 'role:reader and system_scope:all'
  deprecated_reason: >-
    The endpoint groups API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:get_endpoint_group_in_project
  deprecated_since: 'T'
  description: Check if an endpoint group is associated with a project.
  name: identity:get_endpoint_group_in_project
  operations:
  - method: GET
    path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
  - method: HEAD
    path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
  scope_types:
  - system
- check_str: 'role:reader and system_scope:all'
  deprecated_reason: >-
    The endpoint groups API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:list_endpoint_groups_for_project
  deprecated_since: 'T'
  description: List endpoint groups associated with a specific project.
  name: identity:list_endpoint_groups_for_project
  operations:
  - method: GET
    path: /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups
  scope_types:
  - system
- check_str: 'role:admin and system_scope:all'
  deprecated_reason: >-
    The endpoint groups API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:add_endpoint_group_to_project
  deprecated_since: 'T'
  description: Allow a project to access an endpoint group.
  name: identity:add_endpoint_group_to_project
  operations:
  - method: PUT
    path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
  scope_types:
  - system
- check_str: 'role:admin and system_scope:all'
  deprecated_reason: >-
    The endpoint groups API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:remove_endpoint_group_from_project
  deprecated_since: 'T'
  description: Remove endpoint group from project.
  name: identity:remove_endpoint_group_from_project
  operations:
  - method: DELETE
    path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
  scope_types:
  - system
# Role grant check. Passes for a system-scoped reader, or for a reader whose
# domain_id matches the domain of both the actor (user or group) and the
# target (project's domain or the domain itself), provided the role's
# domain_id also matches the caller's domain_id or the final
# "None:%(target.role.domain_id)s" clause holds.
# NOTE(review): that last clause presumably admits roles with no domain
# (global roles) - confirm against keystone.
# The deprecated default rule:admin_required is still attached. While it is,
# oslo.policy accepts a request that passes either check, unless the
# deployment sets enforce_new_defaults.
- check_str: >-
    (role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s
    and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s
    and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s
    and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s
    and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s
    or None:%(target.role.domain_id)s)
  deprecated_reason: The assignment API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:check_grant
  deprecated_since: 'S'
  description: >-
    Check a role grant between a target and an actor. A target can be either
    a domain or a project. An actor can be either a user or a group. These terms also
    apply to the OS-INHERIT APIs, where grants on the target are inherited to all
    projects in the subtree, if applicable.
  name: identity:check_grant
  operations:
  - method: HEAD
    path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
  - method: GET
    path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
  - method: HEAD
    path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
  - method: GET
    path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
  - method: HEAD
    path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
  - method: GET
    path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
  - method: HEAD
    path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
  - method: GET
    path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
  - method: HEAD
    path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  - method: GET
    path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  - method: HEAD
    path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
  - method: GET
    path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
  - method: HEAD
    path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  - method: GET
    path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  - method: HEAD
    path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
  - method: GET
    path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
  scope_types:
  - system
  - domain
# Role grant listing. Passes for a system-scoped reader, or for a reader
# whose domain_id matches the domain of both the actor (user or group) and
# the target (project's domain or the domain itself). Unlike the check_grant
# rule, this check_str has no clause on target.role.domain_id.
# The deprecated default rule:admin_required is still attached. While it is,
# oslo.policy accepts a request that passes either check, unless the
# deployment sets enforce_new_defaults.
- check_str: >-
    (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s
    and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s
    and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s
    and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s
    and domain_id:%(target.domain.id)s)
  deprecated_reason: The assignment API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: identity:list_grants
  deprecated_since: 'S'
  description: >-
    List roles granted to an actor on a target. A target can be either
    a domain or a project. An actor can be either a user or a group. For the OS-INHERIT
    APIs, it is possible to list inherited role grants for actors on domains, where
    grants are inherited to all projects in the specified domain.
  name: identity:list_grants
  operations:
  - method: GET
    path: /v3/projects/{project_id}/users/{user_id}/roles
  - method: HEAD
    path: /v3/projects/{project_id}/users/{user_id}/roles
  - method: GET
    path: /v3/projects/{project_id}/groups/{group_id}/roles
  - method: HEAD
    path: /v3/projects/{project_id}/groups/{group_id}/roles
  - method: GET
    path: /v3/domains/{domain_id}/users/{user_id}/roles
  - method: HEAD
    path: /v3/domains/{domain_id}/users/{user_id}/roles
  - method: GET
    path: /v3/domains/{domain_id}/groups/{group_id}/roles
  - method: HEAD
    path: /v3/domains/{domain_id}/groups/{group_id}/roles
  - method: GET
    path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
  - method: GET
    path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
  scope_types:
  - system
  - domain
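# identity:create_grant - privilege-granting operation.
# New default: system-scoped admin, or a domain admin whose domain matches the
# actor and the target AND who is granting a role from the same domain. The
# `None:%(target.role.domain_id)s` term presumably matches roles that have no
# owning domain (global roles) - confirm against the enforcer.
# The deprecated default rule:admin_required has none of these domain
# constraints; audit whether it is still OR'd in before relying on them.
- check_str: (role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s
    and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s
    and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s
    and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s
    and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s
    or None:%(target.role.domain_id)s)
  deprecated_reason: The assignment API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:create_grant
  deprecated_since: S
  description: Create a role grant between a target and an actor. A target can be
    either a domain or a project. An actor can be either a user or a group. These
    terms also apply to the OS-INHERIT APIs, where grants on the target are inherited
    to all projects in the subtree, if applicable.
  name: identity:create_grant
  operations:
  - method: PUT
    path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
  - method: PUT
    path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
  - method: PUT
    path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
  - method: PUT
    path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
  - method: PUT
    path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  - method: PUT
    path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
  - method: PUT
    path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  - method: PUT
    path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
  scope_types:
  - system
  - domain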
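# identity:revoke_grant - removes a role grant; same check as create_grant.
# New default: system-scoped admin, or a domain admin whose domain matches the
# actor, the target and the role's domain (`None:` presumably covers roles
# without an owning domain - confirm).
# The deprecated default rule:admin_required is not domain-aware; treat the
# domain separation as effective only where the old default is not honoured.
- check_str: (role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s
    and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s
    and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s
    and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s
    and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s
    or None:%(target.role.domain_id)s)
  deprecated_reason: The assignment API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:revoke_grant
  deprecated_since: S
  description: Revoke a role grant between a target and an actor. A target can be
    either a domain or a project. An actor can be either a user or a group. These
    terms also apply to the OS-INHERIT APIs, where grants on the target are inherited
    to all projects in the subtree, if applicable. In that case, revoking the role
    grant in the target would remove the logical effect of inheriting it to the target's
    projects subtree.
  name: identity:revoke_grant
  operations:
  - method: DELETE
    path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
  - method: DELETE
    path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
  - method: DELETE
    path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
  - method: DELETE
    path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
  - method: DELETE
    path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  - method: DELETE
    path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
  - method: DELETE
    path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  - method: DELETE
    path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
  scope_types:
  - system
  - domain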
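# identity:list_system_grants_for_user - read a user's system role assignments.
# New default: role:reader on a system-scoped token; scope_types is system only.
# The deprecated default rule:admin_required has no system_scope term.
# NOTE: `method` is a list here, unlike the one-method-per-entry form used by
# most rules in this file; consumers of `operations` must accept both shapes.
- check_str: role:reader and system_scope:all
  deprecated_reason: The assignment API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:list_system_grants_for_user
  deprecated_since: S
  description: List all grants a specific user has on the system.
  name: identity:list_system_grants_for_user
  operations:
  - method:
    - HEAD
    - GET
    path: /v3/system/users/{user_id}/roles
  scope_types:
  - system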
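# identity:check_system_grant_for_user - test whether a user holds a system role.
# New default: role:reader with system scope. The deprecated default
# rule:admin_required is scope-unaware; check whether it is still honoured.
# NOTE: `method` is a list (HEAD, GET) in this entry rather than a string.
- check_str: role:reader and system_scope:all
  deprecated_reason: The assignment API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:check_system_grant_for_user
  deprecated_since: S
  description: Check if a user has a role on the system.
  name: identity:check_system_grant_for_user
  operations:
  - method:
    - HEAD
    - GET
    path: /v3/system/users/{user_id}/roles/{role_id}
  scope_types:
  - system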
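# identity:create_system_grant_for_user - grants a system-level role, the
# highest-impact assignment in this file. New default: role:admin with system
# scope. The deprecated default rule:admin_required (role:admin or is_admin:1)
# has no system_scope term, so while deprecation handling still ORs it in, the
# system-scope requirement is not the effective gate - verify in deployment.
# NOTE: `method` is a single-element list here rather than a string.
- check_str: role:admin and system_scope:all
  deprecated_reason: The assignment API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:create_system_grant_for_user
  deprecated_since: S
  description: Grant a user a role on the system.
  name: identity:create_system_grant_for_user
  operations:
  - method:
    - PUT
    path: /v3/system/users/{user_id}/roles/{role_id}
  scope_types:
  - system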
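# identity:revoke_system_grant_for_user - removes a user's system role.
# New default: role:admin with system scope; deprecated default is the
# scope-unaware rule:admin_required.
# NOTE: `method` is a single-element list here rather than a string.
- check_str: role:admin and system_scope:all
  deprecated_reason: The assignment API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:revoke_system_grant_for_user
  deprecated_since: S
  description: Remove a role from a user on the system.
  name: identity:revoke_system_grant_for_user
  operations:
  - method:
    - DELETE
    path: /v3/system/users/{user_id}/roles/{role_id}
  scope_types:
  - system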
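# identity:list_system_grants_for_group - read a group's system role assignments.
# New default: role:reader with system scope; deprecated default is the
# scope-unaware rule:admin_required.
# NOTE: `method` is a list (HEAD, GET) in this entry rather than a string.
- check_str: role:reader and system_scope:all
  deprecated_reason: The assignment API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:list_system_grants_for_group
  deprecated_since: S
  description: List all grants a specific group has on the system.
  name: identity:list_system_grants_for_group
  operations:
  - method:
    - HEAD
    - GET
    path: /v3/system/groups/{group_id}/roles
  scope_types:
  - system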
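# identity:check_system_grant_for_group - test whether a group holds a system role.
# New default: role:reader with system scope; deprecated default is the
# scope-unaware rule:admin_required.
# NOTE: `method` is a list (HEAD, GET) in this entry rather than a string.
- check_str: role:reader and system_scope:all
  deprecated_reason: The assignment API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:check_system_grant_for_group
  deprecated_since: S
  description: Check if a group has a role on the system.
  name: identity:check_system_grant_for_group
  operations:
  - method:
    - HEAD
    - GET
    path: /v3/system/groups/{group_id}/roles/{role_id}
  scope_types:
  - system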
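# identity:create_system_grant_for_group - grants a system role to every member
# of a group. New default: role:admin with system scope. The deprecated default
# rule:admin_required has no system_scope term; confirm it is no longer
# honoured before treating this as restricted to system administrators.
# NOTE: `method` is a single-element list here rather than a string.
- check_str: role:admin and system_scope:all
  deprecated_reason: The assignment API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:create_system_grant_for_group
  deprecated_since: S
  description: Grant a group a role on the system.
  name: identity:create_system_grant_for_group
  operations:
  - method:
    - PUT
    path: /v3/system/groups/{group_id}/roles/{role_id}
  scope_types:
  - system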
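# identity:revoke_system_grant_for_group - removes a group's system role.
# New default: role:admin with system scope; deprecated default is the
# scope-unaware rule:admin_required.
# NOTE: `method` is a single-element list here rather than a string.
- check_str: role:admin and system_scope:all
  deprecated_reason: The assignment API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:revoke_system_grant_for_group
  deprecated_since: S
  description: Remove a role from a group on the system.
  name: identity:revoke_system_grant_for_group
  operations:
  - method:
    - DELETE
    path: /v3/system/groups/{group_id}/roles/{role_id}
  scope_types:
  - system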
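# identity:get_group - read one group.
# New default: system-scoped reader, or a reader whose domain equals the
# group's domain. Deprecated default rule:admin_required is not domain-aware.
- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)
  deprecated_reason: The group API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:get_group
  deprecated_since: S
  description: Show group details.
  name: identity:get_group
  operations:
  - method: GET
    path: /v3/groups/{group_id}
  - method: HEAD
    path: /v3/groups/{group_id}
  scope_types:
  - system
  - domain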
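# identity:list_groups - list groups.
# New default: system-scoped reader, or a reader whose domain equals
# target.group.domain_id. How that target value is populated for a collection
# request is not visible in this file - confirm in the API code.
- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)
  deprecated_reason: The group API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:list_groups
  deprecated_since: S
  description: List groups.
  name: identity:list_groups
  operations:
  - method: GET
    path: /v3/groups
  - method: HEAD
    path: /v3/groups
  scope_types:
  - system
  - domain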
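# identity:list_groups_for_user - list the groups a user belongs to.
# New default: system-scoped reader, a reader in the user's domain, or the
# user themselves (the trailing user_id term carries no role requirement).
# This is the only group rule that also lists the project scope type.
# Deprecated default is rule:admin_or_owner rather than rule:admin_required.
- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s)
    or user_id:%(user_id)s
  deprecated_reason: The group API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: identity:list_groups_for_user
  deprecated_since: S
  description: List groups to which a user belongs.
  name: identity:list_groups_for_user
  operations:
  - method: GET
    path: /v3/users/{user_id}/groups
  - method: HEAD
    path: /v3/users/{user_id}/groups
  scope_types:
  - system
  - domain
  - project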
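# identity:create_group - create a group.
# New default: system-scoped admin, or an admin whose domain equals the domain
# of the group being created. Deprecated default rule:admin_required is not
# domain-aware, so cross-domain separation depends on it no longer applying.
- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)
  deprecated_reason: The group API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:create_group
  deprecated_since: S
  description: Create group.
  name: identity:create_group
  operations:
  - method: POST
    path: /v3/groups
  scope_types:
  - system
  - domain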
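# identity:update_group - modify a group.
# New default: system-scoped admin, or an admin in the group's own domain.
# Deprecated default rule:admin_required is not domain-aware.
- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)
  deprecated_reason: The group API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:update_group
  deprecated_since: S
  description: Update group.
  name: identity:update_group
  operations:
  - method: PATCH
    path: /v3/groups/{group_id}
  scope_types:
  - system
  - domain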
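# identity:delete_group - delete a group.
# New default: system-scoped admin, or an admin in the group's own domain.
# Deprecated default rule:admin_required is not domain-aware.
- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)
  deprecated_reason: The group API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:delete_group
  deprecated_since: S
  description: Delete group.
  name: identity:delete_group
  operations:
  - method: DELETE
    path: /v3/groups/{group_id}
  scope_types:
  - system
  - domain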
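# identity:list_users_in_group - enumerate a group's members.
# New default: system-scoped reader, or a reader in the group's domain. Only
# the group's domain is checked here; members from other domains, if any,
# are not constrained by this rule.
- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)
  deprecated_reason: The group API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:list_users_in_group
  deprecated_since: S
  description: List members of a specific group.
  name: identity:list_users_in_group
  operations:
  - method: GET
    path: /v3/groups/{group_id}/users
  - method: HEAD
    path: /v3/groups/{group_id}/users
  scope_types:
  - system
  - domain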
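# identity:remove_user_from_group - membership change.
# New default: system-scoped admin, or a domain admin whose domain matches
# BOTH the group's and the user's domain. Deprecated default
# rule:admin_required checks neither.
- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s
    and domain_id:%(target.user.domain_id)s)
  deprecated_reason: The group API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:remove_user_from_group
  deprecated_since: S
  description: Remove user from group.
  name: identity:remove_user_from_group
  operations:
  - method: DELETE
    path: /v3/groups/{group_id}/users/{user_id}
  scope_types:
  - system
  - domain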
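# identity:check_user_in_group - membership test.
# New default: system-scoped reader, or a reader whose domain matches both the
# group's and the user's domain. Deprecated default is rule:admin_required.
- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s
    and domain_id:%(target.user.domain_id)s)
  deprecated_reason: The group API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:check_user_in_group
  deprecated_since: S
  description: Check whether a user is a member of a group.
  name: identity:check_user_in_group
  operations:
  - method: HEAD
    path: /v3/groups/{group_id}/users/{user_id}
  - method: GET
    path: /v3/groups/{group_id}/users/{user_id}
  scope_types:
  - system
  - domain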
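# identity:add_user_to_group - membership change; a member inherits whatever
# roles the group holds, so this is effectively a grant operation.
# New default: system-scoped admin, or a domain admin whose domain matches
# both the group's and the user's domain. Deprecated default
# rule:admin_required checks neither domain.
- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s
    and domain_id:%(target.user.domain_id)s)
  deprecated_reason: The group API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:add_user_to_group
  deprecated_since: S
  description: Add user to group.
  name: identity:add_user_to_group
  operations:
  - method: PUT
    path: /v3/groups/{group_id}/users/{user_id}
  scope_types:
  - system
  - domain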
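# identity:create_identity_provider - registers a federation trust anchor.
# New default: role:admin with system scope.
# The deprecated rule name is plural (identity:create_identity_providers)
# while the current name is singular; when auditing override files, look for
# both spellings. Deprecated default rule:admin_required is scope-unaware.
- check_str: role:admin and system_scope:all
  deprecated_reason: The identity provider API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:create_identity_providers
  deprecated_since: S
  description: Create identity provider.
  name: identity:create_identity_provider
  operations:
  - method: PUT
    path: /v3/OS-FEDERATION/identity_providers/{idp_id}
  scope_types:
  - system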
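# identity:list_identity_providers - read-only listing.
# New default: role:reader with system scope. Unlike the other identity
# provider rules, the deprecated name is identical to the current one.
- check_str: role:reader and system_scope:all
  deprecated_reason: The identity provider API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:list_identity_providers
  deprecated_since: S
  description: List identity providers.
  name: identity:list_identity_providers
  operations:
  - method: GET
    path: /v3/OS-FEDERATION/identity_providers
  - method: HEAD
    path: /v3/OS-FEDERATION/identity_providers
  scope_types:
  - system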
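# identity:get_identity_provider - read one identity provider.
# New default: role:reader with system scope.
# Deprecated rule name is plural (identity:get_identity_providers); the
# current name is singular - check override files for both.
- check_str: role:reader and system_scope:all
  deprecated_reason: The identity provider API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:get_identity_providers
  deprecated_since: S
  description: Get identity provider.
  name: identity:get_identity_provider
  operations:
  - method: GET
    path: /v3/OS-FEDERATION/identity_providers/{idp_id}
  - method: HEAD
    path: /v3/OS-FEDERATION/identity_providers/{idp_id}
  scope_types:
  - system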
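# identity:update_identity_provider - changes an existing federation trust
# relationship. New default: role:admin with system scope.
# Deprecated rule name is plural (identity:update_identity_providers);
# deprecated default rule:admin_required is scope-unaware.
- check_str: role:admin and system_scope:all
  deprecated_reason: The identity provider API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:update_identity_providers
  deprecated_since: S
  description: Update identity provider.
  name: identity:update_identity_provider
  operations:
  - method: PATCH
    path: /v3/OS-FEDERATION/identity_providers/{idp_id}
  scope_types:
  - system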
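# identity:delete_identity_provider - removes an identity provider.
# New default: role:admin with system scope.
# Deprecated rule name is plural (identity:delete_identity_providers);
# deprecated default rule:admin_required is scope-unaware.
- check_str: role:admin and system_scope:all
  deprecated_reason: The identity provider API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:delete_identity_providers
  deprecated_since: S
  description: Delete identity provider.
  name: identity:delete_identity_provider
  operations:
  - method: DELETE
    path: /v3/OS-FEDERATION/identity_providers/{idp_id}
  scope_types:
  - system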
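# identity:get_implied_role - read one prior-role -> implied-role association.
# New default: role:reader with system scope (deprecated since T, not S).
# Deprecated default rule:admin_required is scope-unaware.
- check_str: role:reader and system_scope:all
  deprecated_reason: The implied role API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:get_implied_role
  deprecated_since: T
  description: Get information about an association between two roles. When a relationship
    exists between a prior role and an implied role and the prior role is assigned
    to a user, the user also assumes the implied role.
  name: identity:get_implied_role
  operations:
  - method: GET
    path: /v3/roles/{prior_role_id}/implies/{implied_role_id}
  scope_types:
  - system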
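# identity:list_implied_roles - list the roles implied by a given prior role.
# New default: role:reader with system scope; deprecated default is the
# scope-unaware rule:admin_required.
- check_str: role:reader and system_scope:all
  deprecated_reason: The implied role API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:list_implied_roles
  deprecated_since: T
  description: List associations between two roles. When a relationship exists between
    a prior role and an implied role and the prior role is assigned to a user, the
    user also assumes the implied role. This will return all the implied roles that
    would be assumed by the user who gets the specified prior role.
  name: identity:list_implied_roles
  operations:
  - method: GET
    path: /v3/roles/{prior_role_id}/implies
  - method: HEAD
    path: /v3/roles/{prior_role_id}/implies
  scope_types:
  - system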
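# identity:create_implied_role - makes holders of the prior role also assume
# the implied role, so it widens privileges for every existing assignment of
# the prior role. New default: role:admin with system scope. The deprecated
# default rule:admin_required has no system_scope term - confirm it is no
# longer honoured before treating this as system-admin only.
- check_str: role:admin and system_scope:all
  deprecated_reason: The implied role API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:create_implied_role
  deprecated_since: T
  description: Create an association between two roles. When a relationship exists
    between a prior role and an implied role and the prior role is assigned to a user,
    the user also assumes the implied role.
  name: identity:create_implied_role
  operations:
  - method: PUT
    path: /v3/roles/{prior_role_id}/implies/{implied_role_id}
  scope_types:
  - system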
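# identity:delete_implied_role - removes a role implication.
# New default: role:admin with system scope; deprecated default is the
# scope-unaware rule:admin_required.
- check_str: role:admin and system_scope:all
  deprecated_reason: The implied role API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:delete_implied_role
  deprecated_since: T
  description: Delete the association between two roles. When a relationship exists
    between a prior role and an implied role and the prior role is assigned to a user,
    the user also assumes the implied role. Removing the association will cause that
    effect to be eliminated.
  name: identity:delete_implied_role
  operations:
  - method: DELETE
    path: /v3/roles/{prior_role_id}/implies/{implied_role_id}
  scope_types:
  - system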
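# identity:list_role_inference_rules - list every role implication in the
# deployment. New default: role:reader with system scope; deprecated default
# is the scope-unaware rule:admin_required.
- check_str: role:reader and system_scope:all
  deprecated_reason: The implied role API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:list_role_inference_rules
  deprecated_since: T
  description: List all associations between two roles in the system. When a relationship
    exists between a prior role and an implied role and the prior role is assigned
    to a user, the user also assumes the implied role.
  name: identity:list_role_inference_rules
  operations:
  - method: GET
    path: /v3/role_inferences
  - method: HEAD
    path: /v3/role_inferences
  scope_types:
  - system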
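# identity:check_implied_role - HEAD-only existence test for one implication
# (the GET on the same path is governed by identity:get_implied_role).
# New default: role:reader with system scope; deprecated default is the
# scope-unaware rule:admin_required.
- check_str: role:reader and system_scope:all
  deprecated_reason: The implied role API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:check_implied_role
  deprecated_since: T
  description: Check an association between two roles. When a relationship exists
    between a prior role and an implied role and the prior role is assigned to a user,
    the user also assumes the implied role.
  name: identity:check_implied_role
  operations:
  - method: HEAD
    path: /v3/roles/{prior_role_id}/implies/{implied_role_id}
  scope_types:
  - system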
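# identity:get_limit_model - read the limit enforcement model.
# check_str is empty: oslo.policy evaluates an empty check as always true, so
# no role is required and any token in the listed scopes passes. Keep the empty
# string quoted; a bare `check_str:` would load as null instead.
- check_str: ''
  description: Get limit enforcement model.
  name: identity:get_limit_model
  operations:
  - method: GET
    path: /v3/limits/model
  - method: HEAD
    path: /v3/limits/model
  scope_types:
  - system
  - domain
  - project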
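# identity:get_limit - read one limit.
# Only the system branch requires role:reader. The domain branch and the
# project branch carry no role term, so any role on the matching domain or
# project satisfies them. The `not None:` guard presumably keeps the project
# branch from matching limits that have no project_id - confirm.
# No deprecated_rule is attached to this entry.
- check_str: (role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s
    or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s
    and not None:%(target.limit.project_id)s)
  description: Show limit details.
  name: identity:get_limit
  operations:
  - method: GET
    path: /v3/limits/{limit_id}
  - method: HEAD
    path: /v3/limits/{limit_id}
  scope_types:
  - system
  - domain
  - project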
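# identity:list_limits - list limits.
# check_str is empty, which oslo.policy evaluates as always true: the policy
# layer places no restriction on who may call this. Any per-domain or
# per-project filtering of the result has to happen in the API code, which is
# not visible from this file - verify before assuming tenant isolation.
- check_str: ''
  description: List limits.
  name: identity:list_limits
  operations:
  - method: GET
    path: /v3/limits
  - method: HEAD
    path: /v3/limits
  scope_types:
  - system
  - domain
  - project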
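# identity:create_limits - create limits.
# role:admin with system scope; no deprecated_rule is attached, so no legacy
# default is listed for this entry.
- check_str: role:admin and system_scope:all
  description: Create limits.
  name: identity:create_limits
  operations:
  - method: POST
    path: /v3/limits
  scope_types:
  - system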
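# identity:update_limit - change an existing limit.
# role:admin with system scope; no deprecated_rule is attached.
- check_str: role:admin and system_scope:all
  description: Update limit.
  name: identity:update_limit
  operations:
  - method: PATCH
    path: /v3/limits/{limit_id}
  scope_types:
  - system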
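# identity:delete_limit - remove a limit.
# role:admin with system scope; no deprecated_rule is attached.
- check_str: role:admin and system_scope:all
  description: Delete limit.
  name: identity:delete_limit
  operations:
  - method: DELETE
    path: /v3/limits/{limit_id}
  scope_types:
  - system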
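# identity:create_mapping - creates a federated attribute mapping; the rules
# in a mapping decide which local users/groups a federated identity lands in,
# so this is a privilege-defining operation.
# New default: role:admin with system scope. Deprecated default
# rule:admin_required has no system_scope term - confirm it is not honoured.
- check_str: role:admin and system_scope:all
  deprecated_reason: The federated mapping API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:create_mapping
  deprecated_since: S
  description: Create a new federated mapping containing one or more sets of rules.
  name: identity:create_mapping
  operations:
  - method: PUT
    path: /v3/OS-FEDERATION/mappings/{mapping_id}
  scope_types:
  - system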
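# identity:get_mapping - read one federated mapping.
# New default: role:reader with system scope; deprecated default is the
# scope-unaware rule:admin_required.
- check_str: role:reader and system_scope:all
  deprecated_reason: The federated mapping API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:get_mapping
  deprecated_since: S
  description: Get a federated mapping.
  name: identity:get_mapping
  operations:
  - method: GET
    path: /v3/OS-FEDERATION/mappings/{mapping_id}
  - method: HEAD
    path: /v3/OS-FEDERATION/mappings/{mapping_id}
  scope_types:
  - system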
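# identity:list_mappings - list federated mappings.
# New default: role:reader with system scope; deprecated default is the
# scope-unaware rule:admin_required.
- check_str: role:reader and system_scope:all
  deprecated_reason: The federated mapping API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:list_mappings
  deprecated_since: S
  description: List federated mappings.
  name: identity:list_mappings
  operations:
  - method: GET
    path: /v3/OS-FEDERATION/mappings
  - method: HEAD
    path: /v3/OS-FEDERATION/mappings
  scope_types:
  - system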
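# identity:delete_mapping - remove a federated mapping.
# New default: role:admin with system scope; deprecated default is the
# scope-unaware rule:admin_required.
- check_str: role:admin and system_scope:all
  deprecated_reason: The federated mapping API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:delete_mapping
  deprecated_since: S
  description: Delete a federated mapping.
  name: identity:delete_mapping
  operations:
  - method: DELETE
    path: /v3/OS-FEDERATION/mappings/{mapping_id}
  scope_types:
  - system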
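# identity:update_mapping - rewrite the rules of an existing federated
# mapping; as sensitive as creating one.
# New default: role:admin with system scope; deprecated default is the
# scope-unaware rule:admin_required.
- check_str: role:admin and system_scope:all
  deprecated_reason: The federated mapping API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:update_mapping
  deprecated_since: S
  description: Update a federated mapping.
  name: identity:update_mapping
  operations:
  - method: PATCH
    path: /v3/OS-FEDERATION/mappings/{mapping_id}
  scope_types:
  - system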
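# identity:get_policy - read one stored policy document.
# New default: role:reader with system scope (deprecated since T).
# Only GET is listed; no HEAD operation appears for this rule.
- check_str: role:reader and system_scope:all
  deprecated_reason: The policy API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:get_policy
  deprecated_since: T
  description: Show policy details.
  name: identity:get_policy
  operations:
  - method: GET
    path: /v3/policies/{policy_id}
  scope_types:
  - system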
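# identity:list_policies - list stored policy documents.
# New default: role:reader with system scope; deprecated default is the
# scope-unaware rule:admin_required. Only GET is listed.
- check_str: role:reader and system_scope:all
  deprecated_reason: The policy API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:list_policies
  deprecated_since: T
  description: List policies.
  name: identity:list_policies
  operations:
  - method: GET
    path: /v3/policies
  scope_types:
  - system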
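# identity:create_policy - store a new policy document.
# New default: role:admin with system scope; deprecated default is the
# scope-unaware rule:admin_required.
- check_str: role:admin and system_scope:all
  deprecated_reason: The policy API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:create_policy
  deprecated_since: T
  description: Create policy.
  name: identity:create_policy
  operations:
  - method: POST
    path: /v3/policies
  scope_types:
  - system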
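# identity:update_policy - modify a stored policy document.
# New default: role:admin with system scope; deprecated default is the
# scope-unaware rule:admin_required.
- check_str: role:admin and system_scope:all
  deprecated_reason: The policy API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:update_policy
  deprecated_since: T
  description: Update policy.
  name: identity:update_policy
  operations:
  - method: PATCH
    path: /v3/policies/{policy_id}
  scope_types:
  - system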
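# identity:delete_policy - remove a stored policy document.
# New default: role:admin with system scope; deprecated default is the
# scope-unaware rule:admin_required.
- check_str: role:admin and system_scope:all
  deprecated_reason: The policy API is now aware of system scope and default roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:delete_policy
  deprecated_since: T
  description: Delete policy.
  name: identity:delete_policy
  operations:
  - method: DELETE
    path: /v3/policies/{policy_id}
  scope_types:
  - system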
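# identity:create_policy_association_for_endpoint - bind a policy to an endpoint.
# New default: role:admin with system scope; deprecated default is the
# scope-unaware rule:admin_required.
- check_str: role:admin and system_scope:all
  deprecated_reason: The policy association API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:create_policy_association_for_endpoint
  deprecated_since: T
  description: Associate a policy to a specific endpoint.
  name: identity:create_policy_association_for_endpoint
  operations:
  - method: PUT
    path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
  scope_types:
  - system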
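# identity:check_policy_association_for_endpoint - read-only existence check.
# New default: role:reader with system scope; deprecated default is the
# scope-unaware rule:admin_required.
- check_str: role:reader and system_scope:all
  deprecated_reason: The policy association API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:check_policy_association_for_endpoint
  deprecated_since: T
  description: Check policy association for endpoint.
  name: identity:check_policy_association_for_endpoint
  operations:
  - method: GET
    path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
  - method: HEAD
    path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
  scope_types:
  - system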
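# identity:delete_policy_association_for_endpoint - unbind a policy from an
# endpoint. New default: role:admin with system scope; deprecated default is
# the scope-unaware rule:admin_required.
- check_str: role:admin and system_scope:all
  deprecated_reason: The policy association API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:delete_policy_association_for_endpoint
  deprecated_since: T
  description: Delete policy association for endpoint.
  name: identity:delete_policy_association_for_endpoint
  operations:
  - method: DELETE
    path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
  scope_types:
  - system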
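# identity:create_policy_association_for_service - bind a policy to a service.
# New default: role:admin with system scope; deprecated default is the
# scope-unaware rule:admin_required.
- check_str: role:admin and system_scope:all
  deprecated_reason: The policy association API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:create_policy_association_for_service
  deprecated_since: T
  description: Associate a policy to a specific service.
  name: identity:create_policy_association_for_service
  operations:
  - method: PUT
    path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
  scope_types:
  - system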
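# identity:check_policy_association_for_service - read-only existence check.
# New default: role:reader with system scope; deprecated default is the
# scope-unaware rule:admin_required.
- check_str: role:reader and system_scope:all
  deprecated_reason: The policy association API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:check_policy_association_for_service
  deprecated_since: T
  description: Check policy association for service.
  name: identity:check_policy_association_for_service
  operations:
  - method: GET
    path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
  - method: HEAD
    path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
  scope_types:
  - system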
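# identity:delete_policy_association_for_service - unbind a policy from a
# service. New default: role:admin with system scope; deprecated default is
# the scope-unaware rule:admin_required.
- check_str: role:admin and system_scope:all
  deprecated_reason: The policy association API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:delete_policy_association_for_service
  deprecated_since: T
  description: Delete policy association for service.
  name: identity:delete_policy_association_for_service
  operations:
  - method: DELETE
    path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
  scope_types:
  - system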
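# identity:create_policy_association_for_region_and_service - bind a policy to
# a (service, region) pair. New default: role:admin with system scope;
# deprecated default is the scope-unaware rule:admin_required.
- check_str: role:admin and system_scope:all
  deprecated_reason: The policy association API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:create_policy_association_for_region_and_service
  deprecated_since: T
  description: Associate a policy to a specific region and service combination.
  name: identity:create_policy_association_for_region_and_service
  operations:
  - method: PUT
    path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
  scope_types:
  - system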
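# identity:check_policy_association_for_region_and_service - read-only check.
# New default: role:reader with system scope; deprecated default is the
# scope-unaware rule:admin_required.
- check_str: role:reader and system_scope:all
  deprecated_reason: The policy association API is now aware of system scope and default
    roles.
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:check_policy_association_for_region_and_service
  deprecated_since: T
  description: Check policy association for region and service.
  name: identity:check_policy_association_for_region_and_service
  operations:
  - method: GET
    path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
  - method: HEAD
    path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
  scope_types:
  - system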
- check_str: role:admin and system_scope:all
|
|
deprecated_reason: The policy association API is now aware of system scope and default
|
|
roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:delete_policy_association_for_region_and_service
|
|
deprecated_since: T
|
|
description: Delete policy association for region and service.
|
|
name: identity:delete_policy_association_for_region_and_service
|
|
operations:
|
|
- method: DELETE
|
|
path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: role:reader and system_scope:all
|
|
deprecated_reason: The policy association API is now aware of system scope and default
|
|
roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:get_policy_for_endpoint
|
|
deprecated_since: T
|
|
description: Get policy for endpoint.
|
|
name: identity:get_policy_for_endpoint
|
|
operations:
|
|
- method: GET
|
|
path: /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
|
|
- method: HEAD
|
|
path: /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
|
|
scope_types:
|
|
- system
|
|
- check_str: role:reader and system_scope:all
|
|
deprecated_reason: The policy association API is now aware of system scope and default
|
|
roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:list_endpoints_for_policy
|
|
deprecated_since: T
|
|
description: List endpoints for policy.
|
|
name: identity:list_endpoints_for_policy
|
|
operations:
|
|
- method: GET
|
|
path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
|
|
scope_types:
|
|
- system
|
|
- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s)
|
|
or project_id:%(target.project.id)s
|
|
deprecated_reason: The project API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required or project_id:%(target.project.id)s
|
|
name: identity:get_project
|
|
deprecated_since: S
|
|
description: Show project details.
|
|
name: identity:get_project
|
|
operations:
|
|
- method: GET
|
|
path: /v3/projects/{project_id}
|
|
scope_types:
|
|
- system
|
|
- domain
|
|
- project
|
|
- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)
|
|
deprecated_reason: The project API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:list_projects
|
|
deprecated_since: S
|
|
description: List projects.
|
|
name: identity:list_projects
|
|
operations:
|
|
- method: GET
|
|
path: /v3/projects
|
|
scope_types:
|
|
- system
|
|
- domain
|
|
- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s)
|
|
or user_id:%(target.user.id)s
|
|
deprecated_reason: The project API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_or_owner
|
|
name: identity:list_user_projects
|
|
deprecated_since: S
|
|
description: List projects for user.
|
|
name: identity:list_user_projects
|
|
operations:
|
|
- method: GET
|
|
path: /v3/users/{user_id}/projects
|
|
scope_types:
|
|
- system
|
|
- domain
|
|
- project
|
|
- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)
|
|
deprecated_reason: The project API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:create_project
|
|
deprecated_since: S
|
|
description: Create project.
|
|
name: identity:create_project
|
|
operations:
|
|
- method: POST
|
|
path: /v3/projects
|
|
scope_types:
|
|
- system
|
|
- domain
|
|
- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)
|
|
deprecated_reason: The project API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:update_project
|
|
deprecated_since: S
|
|
description: Update project.
|
|
name: identity:update_project
|
|
operations:
|
|
- method: PATCH
|
|
path: /v3/projects/{project_id}
|
|
scope_types:
|
|
- system
|
|
- domain
|
|
- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)
|
|
deprecated_reason: The project API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:delete_project
|
|
deprecated_since: S
|
|
description: Delete project.
|
|
name: identity:delete_project
|
|
operations:
|
|
- method: DELETE
|
|
path: /v3/projects/{project_id}
|
|
scope_types:
|
|
- system
|
|
- domain
|
|
- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s)
|
|
or project_id:%(target.project.id)s
|
|
deprecated_reason: '
|
|
|
|
As of the Train release, the project tags API understands how to handle
|
|
|
|
system-scoped tokens in addition to project and domain tokens, making the API
|
|
|
|
more accessible to users without compromising security or manageability for
|
|
|
|
administrators. The new default policies for this API account for these changes
|
|
|
|
automatically.
|
|
|
|
'
|
|
deprecated_rule:
|
|
check_str: rule:admin_required or project_id:%(target.project.id)s
|
|
name: identity:list_project_tags
|
|
deprecated_since: T
|
|
description: List tags for a project.
|
|
name: identity:list_project_tags
|
|
operations:
|
|
- method: GET
|
|
path: /v3/projects/{project_id}/tags
|
|
- method: HEAD
|
|
path: /v3/projects/{project_id}/tags
|
|
scope_types:
|
|
- system
|
|
- domain
|
|
- project
|
|
- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s)
|
|
or project_id:%(target.project.id)s
|
|
deprecated_reason: '
|
|
|
|
As of the Train release, the project tags API understands how to handle
|
|
|
|
system-scoped tokens in addition to project and domain tokens, making the API
|
|
|
|
more accessible to users without compromising security or manageability for
|
|
|
|
administrators. The new default policies for this API account for these changes
|
|
|
|
automatically.
|
|
|
|
'
|
|
deprecated_rule:
|
|
check_str: rule:admin_required or project_id:%(target.project.id)s
|
|
name: identity:get_project_tag
|
|
deprecated_since: T
|
|
description: Check if project contains a tag.
|
|
name: identity:get_project_tag
|
|
operations:
|
|
- method: GET
|
|
path: /v3/projects/{project_id}/tags/{value}
|
|
- method: HEAD
|
|
path: /v3/projects/{project_id}/tags/{value}
|
|
scope_types:
|
|
- system
|
|
- domain
|
|
- project
|
|
- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)
|
|
or (role:admin and project_id:%(target.project.id)s)
|
|
deprecated_reason: '
|
|
|
|
As of the Train release, the project tags API understands how to handle
|
|
|
|
system-scoped tokens in addition to project and domain tokens, making the API
|
|
|
|
more accessible to users without compromising security or manageability for
|
|
|
|
administrators. The new default policies for this API account for these changes
|
|
|
|
automatically.
|
|
|
|
'
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:update_project_tags
|
|
deprecated_since: T
|
|
description: Replace all tags on a project with the new set of tags.
|
|
name: identity:update_project_tags
|
|
operations:
|
|
- method: PUT
|
|
path: /v3/projects/{project_id}/tags
|
|
scope_types:
|
|
- system
|
|
- domain
|
|
- project
|
|
- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)
|
|
or (role:admin and project_id:%(target.project.id)s)
|
|
deprecated_reason: '
|
|
|
|
As of the Train release, the project tags API understands how to handle
|
|
|
|
system-scoped tokens in addition to project and domain tokens, making the API
|
|
|
|
more accessible to users without compromising security or manageability for
|
|
|
|
administrators. The new default policies for this API account for these changes
|
|
|
|
automatically.
|
|
|
|
'
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:create_project_tag
|
|
deprecated_since: T
|
|
description: Add a single tag to a project.
|
|
name: identity:create_project_tag
|
|
operations:
|
|
- method: PUT
|
|
path: /v3/projects/{project_id}/tags/{value}
|
|
scope_types:
|
|
- system
|
|
- domain
|
|
- project
|
|
- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)
|
|
or (role:admin and project_id:%(target.project.id)s)
|
|
deprecated_reason: '
|
|
|
|
As of the Train release, the project tags API understands how to handle
|
|
|
|
system-scoped tokens in addition to project and domain tokens, making the API
|
|
|
|
more accessible to users without compromising security or manageability for
|
|
|
|
administrators. The new default policies for this API account for these changes
|
|
|
|
automatically.
|
|
|
|
'
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:delete_project_tags
|
|
deprecated_since: T
|
|
description: Remove all tags from a project.
|
|
name: identity:delete_project_tags
|
|
operations:
|
|
- method: DELETE
|
|
path: /v3/projects/{project_id}/tags
|
|
scope_types:
|
|
- system
|
|
- domain
|
|
- project
|
|
- check_str: (role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)
|
|
or (role:admin and project_id:%(target.project.id)s)
|
|
deprecated_reason: '
|
|
|
|
As of the Train release, the project tags API understands how to handle
|
|
|
|
system-scoped tokens in addition to project and domain tokens, making the API
|
|
|
|
more accessible to users without compromising security or manageability for
|
|
|
|
administrators. The new default policies for this API account for these changes
|
|
|
|
automatically.
|
|
|
|
'
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:delete_project_tag
|
|
deprecated_since: T
|
|
description: Delete a specified tag from project.
|
|
name: identity:delete_project_tag
|
|
operations:
|
|
- method: DELETE
|
|
path: /v3/projects/{project_id}/tags/{value}
|
|
scope_types:
|
|
- system
|
|
- domain
|
|
- project
|
|
- check_str: role:reader and system_scope:all
|
|
deprecated_reason: '
|
|
|
|
As of the Train release, the project endpoint API now understands default
|
|
|
|
roles and system-scoped tokens, making the API more granular by default without
|
|
|
|
compromising security. The new policy defaults account for these changes
|
|
|
|
automatically. Be sure to take these new defaults into consideration if you are
|
|
|
|
relying on overrides in your deployment for the project endpoint API.
|
|
|
|
'
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:list_projects_for_endpoint
|
|
deprecated_since: T
|
|
description: List projects allowed to access an endpoint.
|
|
name: identity:list_projects_for_endpoint
|
|
operations:
|
|
- method: GET
|
|
path: /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
|
|
scope_types:
|
|
- system
|
|
- check_str: role:admin and system_scope:all
|
|
deprecated_reason: '
|
|
|
|
As of the Train release, the project endpoint API now understands default
|
|
|
|
roles and system-scoped tokens, making the API more granular by default without
|
|
|
|
compromising security. The new policy defaults account for these changes
|
|
|
|
automatically. Be sure to take these new defaults into consideration if you are
|
|
|
|
relying on overrides in your deployment for the project endpoint API.
|
|
|
|
'
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:add_endpoint_to_project
|
|
deprecated_since: T
|
|
description: Allow project to access an endpoint.
|
|
name: identity:add_endpoint_to_project
|
|
operations:
|
|
- method: PUT
|
|
path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: role:reader and system_scope:all
|
|
deprecated_reason: '
|
|
|
|
As of the Train release, the project endpoint API now understands default
|
|
|
|
roles and system-scoped tokens, making the API more granular by default without
|
|
|
|
compromising security. The new policy defaults account for these changes
|
|
|
|
automatically. Be sure to take these new defaults into consideration if you are
|
|
|
|
relying on overrides in your deployment for the project endpoint API.
|
|
|
|
'
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:check_endpoint_in_project
|
|
deprecated_since: T
|
|
description: Check if a project is allowed to access an endpoint.
|
|
name: identity:check_endpoint_in_project
|
|
operations:
|
|
- method: GET
|
|
path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
|
|
- method: HEAD
|
|
path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: role:reader and system_scope:all
|
|
deprecated_reason: '
|
|
|
|
As of the Train release, the project endpoint API now understands default
|
|
|
|
roles and system-scoped tokens, making the API more granular by default without
|
|
|
|
compromising security. The new policy defaults account for these changes
|
|
|
|
automatically. Be sure to take these new defaults into consideration if you are
|
|
|
|
relying on overrides in your deployment for the project endpoint API.
|
|
|
|
'
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:list_endpoints_for_project
|
|
deprecated_since: T
|
|
description: List the endpoints a project is allowed to access.
|
|
name: identity:list_endpoints_for_project
|
|
operations:
|
|
- method: GET
|
|
path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints
|
|
scope_types:
|
|
- system
|
|
- check_str: role:admin and system_scope:all
|
|
deprecated_reason: '
|
|
|
|
As of the Train release, the project endpoint API now understands default
|
|
|
|
roles and system-scoped tokens, making the API more granular by default without
|
|
|
|
compromising security. The new policy defaults account for these changes
|
|
|
|
automatically. Be sure to take these new defaults into consideration if you are
|
|
|
|
relying on overrides in your deployment for the project endpoint API.
|
|
|
|
'
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:remove_endpoint_from_project
|
|
deprecated_since: T
|
|
description: Remove access to an endpoint from a project that has previously been
|
|
given explicit access.
|
|
name: identity:remove_endpoint_from_project
|
|
operations:
|
|
- method: DELETE
|
|
path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: role:admin and system_scope:all
|
|
deprecated_reason: The federated protocol API is now aware of system scope and default
|
|
roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:create_protocol
|
|
deprecated_since: S
|
|
description: Create federated protocol.
|
|
name: identity:create_protocol
|
|
operations:
|
|
- method: PUT
|
|
path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: role:admin and system_scope:all
|
|
deprecated_reason: The federated protocol API is now aware of system scope and default
|
|
roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:update_protocol
|
|
deprecated_since: S
|
|
description: Update federated protocol.
|
|
name: identity:update_protocol
|
|
operations:
|
|
- method: PATCH
|
|
path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: role:reader and system_scope:all
|
|
deprecated_reason: The federated protocol API is now aware of system scope and default
|
|
roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:get_protocol
|
|
deprecated_since: S
|
|
description: Get federated protocol.
|
|
name: identity:get_protocol
|
|
operations:
|
|
- method: GET
|
|
path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: role:reader and system_scope:all
|
|
deprecated_reason: The federated protocol API is now aware of system scope and default
|
|
roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:list_protocols
|
|
deprecated_since: S
|
|
description: List federated protocols.
|
|
name: identity:list_protocols
|
|
operations:
|
|
- method: GET
|
|
path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
|
|
scope_types:
|
|
- system
|
|
- check_str: role:admin and system_scope:all
|
|
deprecated_reason: The federated protocol API is now aware of system scope and default
|
|
roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:delete_protocol
|
|
deprecated_since: S
|
|
description: Delete federated protocol.
|
|
name: identity:delete_protocol
|
|
operations:
|
|
- method: DELETE
|
|
path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
|
|
scope_types:
|
|
- system
|
|
# NOTE(review): the empty check_str puts no role, scope or ownership condition
# on this rule; oslo.policy treats an empty check string as always passing.
# Any caller whose token is accepted can read region details. Confirm that is
# intended before copying this default into an override file.
- check_str: ''
|
|
description: Show region details.
|
|
name: identity:get_region
|
|
operations:
|
|
- method: GET
|
|
path: /v3/regions/{region_id}
|
|
- method: HEAD
|
|
path: /v3/regions/{region_id}
|
|
scope_types:
|
|
- system
|
|
- domain
|
|
- project
|
|
# NOTE(review): empty check_str, so the rule itself never denies; oslo.policy
# evaluates an empty check string as always true. Listing regions is therefore
# open to every authenticated caller in the scope types listed below.
- check_str: ''
|
|
description: List regions.
|
|
name: identity:list_regions
|
|
operations:
|
|
- method: GET
|
|
path: /v3/regions
|
|
- method: HEAD
|
|
path: /v3/regions
|
|
scope_types:
|
|
- system
|
|
- domain
|
|
- project
|
|
# NOTE(review): the new default (role:admin and system_scope:all) is narrower
# than the attached deprecated rule (rule:admin_required). By default
# oslo.policy ORs a deprecated rule's check_str with the new one during the
# deprecation period, so a caller matching rule:admin_required still passes
# until the old rule is dropped or [oslo_policy] enforce_new_defaults is set.
# How the consumer of this file combines the two is not visible here; verify.
- check_str: role:admin and system_scope:all
|
|
deprecated_reason: The region API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:create_region
|
|
deprecated_since: S
|
|
description: Create region.
|
|
name: identity:create_region
|
|
operations:
|
|
- method: POST
|
|
path: /v3/regions
|
|
- method: PUT
|
|
path: /v3/regions/{region_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: role:admin and system_scope:all
|
|
deprecated_reason: The region API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:update_region
|
|
deprecated_since: S
|
|
description: Update region.
|
|
name: identity:update_region
|
|
operations:
|
|
- method: PATCH
|
|
path: /v3/regions/{region_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: role:admin and system_scope:all
|
|
deprecated_reason: The region API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:delete_region
|
|
deprecated_since: S
|
|
description: Delete region.
|
|
name: identity:delete_region
|
|
operations:
|
|
- method: DELETE
|
|
path: /v3/regions/{region_id}
|
|
scope_types:
|
|
- system
|
|
# NOTE(review): empty check_str means no role or ownership condition; an empty
# check string always passes in oslo.policy. Registered limit details are
# readable by any authenticated caller, whereas the create, update and delete
# rules for registered limits in this file require role:admin with system scope.
- check_str: ''
|
|
description: Show registered limit details.
|
|
name: identity:get_registered_limit
|
|
operations:
|
|
- method: GET
|
|
path: /v3/registered_limits/{registered_limit_id}
|
|
- method: HEAD
|
|
path: /v3/registered_limits/{registered_limit_id}
|
|
scope_types:
|
|
- system
|
|
- domain
|
|
- project
|
|
# NOTE(review): empty check_str, which oslo.policy evaluates as always true.
# The list of registered limits is open to every authenticated caller in the
# scope types listed below; no role is required by this rule.
- check_str: ''
|
|
description: List registered limits.
|
|
name: identity:list_registered_limits
|
|
operations:
|
|
- method: GET
|
|
path: /v3/registered_limits
|
|
- method: HEAD
|
|
path: /v3/registered_limits
|
|
scope_types:
|
|
- system
|
|
|
|
- check_str: role:admin and system_scope:all
|
|
description: Create registered limits.
|
|
name: identity:create_registered_limits
|
|
operations:
|
|
- method: POST
|
|
path: /v3/registered_limits
|
|
scope_types:
|
|
- system
|
|
- check_str: role:admin and system_scope:all
|
|
description: Update registered limit.
|
|
name: identity:update_registered_limit
|
|
operations:
|
|
- method: PATCH
|
|
path: /v3/registered_limits/{registered_limit_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: role:admin and system_scope:all
|
|
description: Delete registered limit.
|
|
name: identity:delete_registered_limit
|
|
operations:
|
|
- method: DELETE
|
|
path: /v3/registered_limits/{registered_limit_id}
|
|
scope_types:
|
|
- system
|
|
# NOTE(review): this rule still uses the legacy alias rule:service_or_admin
# (rule:admin_required or rule:service_role, defined at the top of the file).
# The check string carries no system_scope condition. Limiting revocation
# events to system-scoped callers therefore depends on scope_types being
# enforced by the consumer (enforce_scope in oslo.policy); confirm it is.
- check_str: rule:service_or_admin
|
|
description: List revocation events.
|
|
name: identity:list_revoke_events
|
|
operations:
|
|
- method: GET
|
|
path: /v3/OS-REVOKE/events
|
|
scope_types:
|
|
- system
|
|
- check_str: role:reader and system_scope:all
|
|
deprecated_reason: The role API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:get_role
|
|
deprecated_since: S
|
|
description: Show role details.
|
|
name: identity:get_role
|
|
operations:
|
|
- method: GET
|
|
path: /v3/roles/{role_id}
|
|
- method: HEAD
|
|
path: /v3/roles/{role_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: role:reader and system_scope:all
|
|
deprecated_reason: The role API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:list_roles
|
|
deprecated_since: S
|
|
description: List roles.
|
|
name: identity:list_roles
|
|
operations:
|
|
- method: GET
|
|
path: /v3/roles
|
|
- method: HEAD
|
|
path: /v3/roles
|
|
scope_types:
|
|
- system
|
|
- check_str: role:admin and system_scope:all
|
|
deprecated_reason: The role API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:create_role
|
|
deprecated_since: S
|
|
description: Create role.
|
|
name: identity:create_role
|
|
operations:
|
|
- method: POST
|
|
path: /v3/roles
|
|
scope_types:
|
|
- system
|
|
- check_str: role:admin and system_scope:all
|
|
deprecated_reason: The role API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:update_role
|
|
deprecated_since: S
|
|
description: Update role.
|
|
name: identity:update_role
|
|
operations:
|
|
- method: PATCH
|
|
path: /v3/roles/{role_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: role:admin and system_scope:all
|
|
deprecated_reason: The role API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:delete_role
|
|
deprecated_since: S
|
|
description: Delete role.
|
|
name: identity:delete_role
|
|
operations:
|
|
- method: DELETE
|
|
path: /v3/roles/{role_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: role:reader and system_scope:all
|
|
deprecated_reason: The role API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:get_domain_role
|
|
deprecated_since: T
|
|
description: Show domain role.
|
|
name: identity:get_domain_role
|
|
operations:
|
|
- method: GET
|
|
path: /v3/roles/{role_id}
|
|
- method: HEAD
|
|
path: /v3/roles/{role_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: role:reader and system_scope:all
|
|
deprecated_reason: The role API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:list_domain_roles
|
|
deprecated_since: T
|
|
description: List domain roles.
|
|
name: identity:list_domain_roles
|
|
operations:
|
|
- method: GET
|
|
path: /v3/roles?domain_id={domain_id}
|
|
- method: HEAD
|
|
path: /v3/roles?domain_id={domain_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: role:admin and system_scope:all
|
|
deprecated_reason: The role API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:create_domain_role
|
|
deprecated_since: T
|
|
description: Create domain role.
|
|
name: identity:create_domain_role
|
|
operations:
|
|
- method: POST
|
|
path: /v3/roles
|
|
scope_types:
|
|
- system
|
|
- check_str: role:admin and system_scope:all
|
|
deprecated_reason: The role API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:update_domain_role
|
|
deprecated_since: T
|
|
description: Update domain role.
|
|
name: identity:update_domain_role
|
|
operations:
|
|
- method: PATCH
|
|
path: /v3/roles/{role_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: role:admin and system_scope:all
|
|
deprecated_reason: The role API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:delete_domain_role
|
|
deprecated_since: T
|
|
description: Delete domain role.
|
|
name: identity:delete_domain_role
|
|
operations:
|
|
- method: DELETE
|
|
path: /v3/roles/{role_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)
|
|
deprecated_reason: The assignment API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:list_role_assignments
|
|
deprecated_since: S
|
|
description: List role assignments.
|
|
name: identity:list_role_assignments
|
|
operations:
|
|
- method: GET
|
|
path: /v3/role_assignments
|
|
- method: HEAD
|
|
path: /v3/role_assignments
|
|
scope_types:
|
|
- system
|
|
- domain
|
|
- check_str: (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s)
|
|
or (role:admin and project_id:%(target.project.id)s)
|
|
deprecated_reason: The assignment API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:list_role_assignments_for_tree
|
|
deprecated_since: T
|
|
description: List all role assignments for a given tree of hierarchical projects.
|
|
name: identity:list_role_assignments_for_tree
|
|
operations:
|
|
- method: GET
|
|
path: /v3/role_assignments?include_subtree
|
|
- method: HEAD
|
|
path: /v3/role_assignments?include_subtree
|
|
scope_types:
|
|
- system
|
|
- domain
|
|
- project
|
|
- check_str: role:reader and system_scope:all
|
|
deprecated_reason: The service API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:get_service
|
|
deprecated_since: S
|
|
description: Show service details.
|
|
name: identity:get_service
|
|
operations:
|
|
- method: GET
|
|
path: /v3/services/{service_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: role:reader and system_scope:all
|
|
deprecated_reason: The service API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:list_services
|
|
deprecated_since: S
|
|
description: List services.
|
|
name: identity:list_services
|
|
operations:
|
|
- method: GET
|
|
path: /v3/services
|
|
scope_types:
|
|
- system
|
|
- check_str: role:admin and system_scope:all
|
|
deprecated_reason: The service API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:create_service
|
|
deprecated_since: S
|
|
description: Create service.
|
|
name: identity:create_service
|
|
operations:
|
|
- method: POST
|
|
path: /v3/services
|
|
scope_types:
|
|
- system
|
|
- check_str: role:admin and system_scope:all
|
|
deprecated_reason: The service API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:update_service
|
|
deprecated_since: S
|
|
description: Update service.
|
|
name: identity:update_service
|
|
operations:
|
|
- method: PATCH
|
|
path: /v3/services/{service_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: role:admin and system_scope:all
|
|
deprecated_reason: The service API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:delete_service
|
|
deprecated_since: S
|
|
description: Delete service.
|
|
name: identity:delete_service
|
|
operations:
|
|
- method: DELETE
|
|
path: /v3/services/{service_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: role:admin and system_scope:all
|
|
deprecated_reason: The service provider API is now aware of system scope and default
|
|
roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:create_service_provider
|
|
deprecated_since: S
|
|
description: Create federated service provider.
|
|
name: identity:create_service_provider
|
|
operations:
|
|
- method: PUT
|
|
path: /v3/OS-FEDERATION/service_providers/{service_provider_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: role:reader and system_scope:all
|
|
deprecated_reason: The service provider API is now aware of system scope and default
|
|
roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:list_service_providers
|
|
deprecated_since: S
|
|
description: List federated service providers.
|
|
name: identity:list_service_providers
|
|
operations:
|
|
- method: GET
|
|
path: /v3/OS-FEDERATION/service_providers
|
|
- method: HEAD
|
|
path: /v3/OS-FEDERATION/service_providers
|
|
scope_types:
|
|
- system
|
|
- check_str: role:reader and system_scope:all
|
|
deprecated_reason: The service provider API is now aware of system scope and default
|
|
roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:get_service_provider
|
|
deprecated_since: S
|
|
description: Get federated service provider.
|
|
name: identity:get_service_provider
|
|
operations:
|
|
- method: GET
|
|
path: /v3/OS-FEDERATION/service_providers/{service_provider_id}
|
|
- method: HEAD
|
|
path: /v3/OS-FEDERATION/service_providers/{service_provider_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: role:admin and system_scope:all
|
|
deprecated_reason: The service provider API is now aware of system scope and default
|
|
roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:update_service_provider
|
|
deprecated_since: S
|
|
description: Update federated service provider.
|
|
name: identity:update_service_provider
|
|
operations:
|
|
- method: PATCH
|
|
path: /v3/OS-FEDERATION/service_providers/{service_provider_id}
|
|
scope_types:
|
|
- system
|
|
- check_str: role:admin and system_scope:all
|
|
deprecated_reason: The service provider API is now aware of system scope and default
|
|
roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:delete_service_provider
|
|
deprecated_since: S
|
|
description: Delete federated service provider.
|
|
name: identity:delete_service_provider
|
|
operations:
|
|
- method: DELETE
|
|
path: /v3/OS-FEDERATION/service_providers/{service_provider_id}
|
|
scope_types:
|
|
- system
|
|
# NOTE(review): marked deprecated_for_removal. Per the reason text below, this
# rule no longer protects any keystone API and the endpoint only answers 410
# or 403, so an entry for it in an override file has no effect on access and
# can be dropped during policy-file cleanup.
- check_str: rule:service_or_admin
|
|
deprecated_for_removal: true
|
|
deprecated_reason: '
|
|
|
|
The identity:revocation_list policy isn''t used to protect any APIs in keystone
|
|
|
|
now that the revocation list API has been deprecated and only returns a 410 or
|
|
|
|
403 depending on how keystone is configured. This policy can be safely removed
|
|
|
|
from policy files.
|
|
|
|
'
|
|
deprecated_since: T
|
|
description: List revoked PKI tokens.
|
|
name: identity:revocation_list
|
|
operations:
|
|
- method: GET
|
|
path: /v3/auth/tokens/OS-PKI/revoked
|
|
scope_types:
|
|
- system
|
|
- project
|
|
# Token check: a system-scoped reader, or the subject of the token being
# checked (rule:token_subject).
- check_str: '(role:reader and system_scope:all) or rule:token_subject'
  deprecated_reason: >-
    The token API is now aware of system scope and default roles.
  # Previous default: rule:admin_required or rule:token_subject.
  # NOTE(review): unless enforce_new_defaults is set, oslo.policy accepts
  # either this check or check_str; confirm how the consumer evaluates it.
  deprecated_rule:
    check_str: 'rule:admin_or_token_subject'
    name: 'identity:check_token'
  deprecated_since: 'T'
  description: Check a token.
  name: 'identity:check_token'
  operations:
  - method: HEAD
    path: '/v3/auth/tokens'
  scope_types:
  - system
  - domain
  - project
|
|
# Token validation: a system-scoped reader, any holder of the service role
# (rule:service_role, no scope condition), or the token's own subject.
- check_str: '(role:reader and system_scope:all) or rule:service_role or rule:token_subject'
  deprecated_reason: >-
    The token API is now aware of system scope and default roles.
  # Previous default: service role, admin, or token subject.
  # NOTE(review): unless enforce_new_defaults is set, oslo.policy accepts
  # either this check or check_str; confirm how the consumer evaluates it.
  deprecated_rule:
    check_str: 'rule:service_admin_or_token_subject'
    name: 'identity:validate_token'
  deprecated_since: 'T'
  description: Validate a token.
  name: 'identity:validate_token'
  operations:
  - method: GET
    path: '/v3/auth/tokens'
  scope_types:
  - system
  - domain
  - project
|
|
# Token revocation: a system-scoped admin, or the subject of the token
# being revoked (rule:token_subject).
- check_str: '(role:admin and system_scope:all) or rule:token_subject'
  deprecated_reason: >-
    The token API is now aware of system scope and default roles.
  # Previous default: rule:admin_required or rule:token_subject.
  # NOTE(review): unless enforce_new_defaults is set, oslo.policy accepts
  # either this check or check_str, so an admin role without system scope
  # may still pass; confirm how the consumer evaluates it.
  deprecated_rule:
    check_str: 'rule:admin_or_token_subject'
    name: 'identity:revoke_token'
  deprecated_since: 'T'
  description: Revoke a token.
  name: 'identity:revoke_token'
  operations:
  - method: DELETE
    path: '/v3/auth/tokens'
  scope_types:
  - system
  - domain
  - project
|
|
# Trust creation: the caller's user_id must equal the trustor_user_id named
# in the trust. There is no admin alternative in this rule and only project
# scope is listed.
- check_str: 'user_id:%(trust.trustor_user_id)s'
  description: Create trust.
  name: 'identity:create_trust'
  operations:
  - method: POST
    path: '/v3/OS-TRUST/trusts'
  scope_types:
  - project
|
|
# Unfiltered trust listing: reader role on a system-scoped token.
- check_str: 'role:reader and system_scope:all'
  deprecated_reason: >-
    The trust API is now aware of system scope and default roles.
  # Previous default (rule:admin_required carries no scope condition).
  # NOTE(review): unless enforce_new_defaults is set, oslo.policy accepts
  # either this check or check_str; confirm how the consumer evaluates it.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: 'identity:list_trusts'
  deprecated_since: 'T'
  description: List trusts.
  name: 'identity:list_trusts'
  operations:
  - method: GET
    path: '/v3/OS-TRUST/trusts'
  - method: HEAD
    path: '/v3/OS-TRUST/trusts'
  scope_types:
  - system
|
|
# The rule has no parentheses; it groups as
# (role:reader and system_scope:all) or user_id:<trustor>, i.e. a system
# reader or the trustor named in the query. Other rules in this file
# parenthesize the same shape explicitly.
- check_str: 'role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s'
  description: List trusts for trustor.
  name: 'identity:list_trusts_for_trustor'
  operations:
  - method: GET
    path: '/v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}'
  - method: HEAD
    path: '/v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}'
  scope_types:
  - system
  - project
|
|
# The rule has no parentheses; it groups as
# (role:reader and system_scope:all) or user_id:<trustee>, i.e. a system
# reader or the trustee named in the query. Other rules in this file
# parenthesize the same shape explicitly.
- check_str: 'role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s'
  description: List trusts for trustee.
  name: 'identity:list_trusts_for_trustee'
  operations:
  - method: GET
    path: '/v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}'
  - method: HEAD
    path: '/v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}'
  scope_types:
  - system
  - project
|
|
# Unparenthesized rule; it groups as
# (role:reader and system_scope:all) or user_id:<trustor> or user_id:<trustee>.
# The folded scalar below joins its two lines with a single space.
- check_str: >-
    role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s
    or user_id:%(target.trust.trustee_user_id)s
  deprecated_reason: >-
    The trust API is now aware of system scope and default roles.
  # Previous default: trustor or trustee only, a subset of check_str, so
  # accepting it alongside check_str does not widen access here.
  deprecated_rule:
    check_str: 'user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s'
    name: 'identity:list_roles_for_trust'
  deprecated_since: 'T'
  description: List roles delegated by a trust.
  name: 'identity:list_roles_for_trust'
  operations:
  - method: GET
    path: '/v3/OS-TRUST/trusts/{trust_id}/roles'
  - method: HEAD
    path: '/v3/OS-TRUST/trusts/{trust_id}/roles'
  scope_types:
  - system
  - project
|
|
# Unparenthesized rule; it groups as
# (role:reader and system_scope:all) or user_id:<trustor> or user_id:<trustee>.
# The folded scalar below joins its two lines with a single space.
- check_str: >-
    role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s
    or user_id:%(target.trust.trustee_user_id)s
  deprecated_reason: >-
    The trust API is now aware of system scope and default roles.
  # Previous default: trustor or trustee only, a subset of check_str, so
  # accepting it alongside check_str does not widen access here.
  deprecated_rule:
    check_str: 'user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s'
    name: 'identity:get_role_for_trust'
  deprecated_since: 'T'
  description: Check if trust delegates a particular role.
  name: 'identity:get_role_for_trust'
  operations:
  - method: GET
    path: '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}'
  - method: HEAD
    path: '/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}'
  scope_types:
  - system
  - project
|
|
# Trust revocation. Unparenthesized rule; it groups as
# (role:admin and system_scope:all) or user_id:<trustor>. The trustee is
# not listed, so by this rule a trustee cannot revoke the trust.
- check_str: 'role:admin and system_scope:all or user_id:%(target.trust.trustor_user_id)s'
  deprecated_reason: >-
    The trust API is now aware of system scope and default roles.
  # Previous default: trustor only, a subset of check_str.
  deprecated_rule:
    check_str: 'user_id:%(target.trust.trustor_user_id)s'
    name: 'identity:delete_trust'
  deprecated_since: 'T'
  description: Revoke trust.
  name: 'identity:delete_trust'
  operations:
  - method: DELETE
    path: '/v3/OS-TRUST/trusts/{trust_id}'
  scope_types:
  - system
  - project
|
|
# Unparenthesized rule; it groups as
# (role:reader and system_scope:all) or user_id:<trustor> or user_id:<trustee>.
# The folded scalar below joins its two lines with a single space.
- check_str: >-
    role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s
    or user_id:%(target.trust.trustee_user_id)s
  deprecated_reason: >-
    The trust API is now aware of system scope and default roles.
  # Previous default: trustor or trustee only, a subset of check_str, so
  # accepting it alongside check_str does not widen access here.
  deprecated_rule:
    check_str: 'user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s'
    name: 'identity:get_trust'
  deprecated_since: 'T'
  description: Get trust.
  name: 'identity:get_trust'
  operations:
  - method: GET
    path: '/v3/OS-TRUST/trusts/{trust_id}'
  - method: HEAD
    path: '/v3/OS-TRUST/trusts/{trust_id}'
  scope_types:
  - system
  - project
|
|
# Three alternatives: a system-scoped reader, a reader whose token domain
# matches the target user's domain, or the target user themselves.
# The folded scalar below joins its two lines with a single space.
- check_str: >-
    (role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s)
    or user_id:%(target.user.id)s
  deprecated_reason: >-
    The user API is now aware of system scope and default roles.
  # Previous default: rule:admin_required or rule:owner.
  # NOTE(review): unless enforce_new_defaults is set, oslo.policy accepts
  # either this check or check_str, so rule:admin_required (no domain
  # condition) may still pass; confirm how the consumer evaluates it.
  deprecated_rule:
    check_str: 'rule:admin_or_owner'
    name: 'identity:get_user'
  deprecated_since: 'S'
  description: Show user details.
  name: 'identity:get_user'
  operations:
  - method: GET
    path: '/v3/users/{user_id}'
  - method: HEAD
    path: '/v3/users/{user_id}'
  scope_types:
  - system
  - domain
  - project
|
|
# User listing: a system-scoped reader, or a reader whose domain_id matches
# the target domain_id.
- check_str: '(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)'
  deprecated_reason: >-
    The user API is now aware of system scope and default roles.
  # Previous default (rule:admin_required carries no domain condition).
  # NOTE(review): unless enforce_new_defaults is set, oslo.policy accepts
  # either this check or check_str; confirm how the consumer evaluates it.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: 'identity:list_users'
  deprecated_since: 'S'
  description: List users.
  name: 'identity:list_users'
  operations:
  - method: GET
    path: '/v3/users'
  - method: HEAD
    path: '/v3/users'
  scope_types:
  - system
  - domain
|
|
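# Empty check_str: oslo.policy treats an empty rule as always passing, so
# this entry places no role or ownership condition on the caller, and
# scope_types null adds no scope restriction either.
- check_str: ''
  description: List all projects a user has access to via role assignments.
  name: 'identity:list_projects_for_user'
  operations:
  - method: GET
    # The documented path previously carried a stray leading space
    # (' /v3/auth/projects'); removed so it matches the sibling
    # /v3/auth/domains entry and compares cleanly against request paths.
    path: '/v3/auth/projects'
  scope_types: null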
|
|
# Empty check_str: oslo.policy treats an empty rule as always passing, so
# this entry places no role or ownership condition on the caller, and
# scope_types null adds no scope restriction either.
- check_str: ''
  description: List all domains a user has access to via role assignments.
  name: 'identity:list_domains_for_user'
  operations:
  - method: GET
    path: '/v3/auth/domains'
  scope_types: null
|
|
# User creation: a system-scoped admin, or an admin whose token domain
# matches the domain of the user being created.
- check_str: '(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)'
  deprecated_reason: >-
    The user API is now aware of system scope and default roles.
  # Previous default (rule:admin_required carries no domain condition).
  # NOTE(review): unless enforce_new_defaults is set, oslo.policy accepts
  # either this check or check_str, which would bypass the domain match
  # above; confirm in deployments that rely on domain isolation.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: 'identity:create_user'
  deprecated_since: 'S'
  description: Create a user.
  name: 'identity:create_user'
  operations:
  - method: POST
    path: '/v3/users'
  scope_types:
  - system
  - domain
|
|
# User update (per the description this covers administrative password
# resets): a system-scoped admin, or an admin whose token domain matches
# the target user's domain.
- check_str: '(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)'
  deprecated_reason: >-
    The user API is now aware of system scope and default roles.
  # Previous default (rule:admin_required carries no domain condition).
  # NOTE(review): unless enforce_new_defaults is set, oslo.policy accepts
  # either this check or check_str, which would bypass the domain match
  # above; confirm in deployments that rely on domain isolation.
  deprecated_rule:
    check_str: 'rule:admin_required'
    name: 'identity:update_user'
  deprecated_since: 'S'
  description: Update a user, including administrative password resets.
  name: 'identity:update_user'
  operations:
  - method: PATCH
    path: '/v3/users/{user_id}'
  scope_types:
  - system
  - domain
|
|
- check_str: (role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)
|
|
deprecated_reason: The user API is now aware of system scope and default roles.
|
|
deprecated_rule:
|
|
check_str: rule:admin_required
|
|
name: identity:delete_user
|
|
deprecated_since: S
|
|
description: Delete a user.
|
|
name: identity:delete_user
|
|
operations:
|
|
- method: DELETE
|
|
path: /v3/users/{user_id}
|
|
scope_types:
|
|
- system
|
|
- domain
|