openstack-attic
/
identity-api
Code Issues Proposed changes

JSON Home support 

Identity API V3.3 will support JSON Home.

bp json-home

Change-Id: I636391bfd800fb616c85d0e93070ac4b169bd8f0
This commit is contained in:
Brant Knudson 2014-07-27 14:57:13 -05:00
parent 555a1bde75
commit 277adf9c7d
8 changed files with 350 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
v3/src/markdown/identity-api-v3-os-ep-filter-ext.md
View File

@ -43,6 +43,8 @@ does not have the right authorization a HTTP 401 Unauthorized is returned.
#### Create Association: `PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint`
Modifies the endpoint resource adding an association between the project and
the endpoint.
@ -52,6 +54,8 @@ Response:
#### Check Association: `HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint`
Verifies the existence of an association between a project and an endpoint.
Response:
@ -60,6 +64,8 @@ Response:
#### List Associations for Project: `GET /OS-EP-FILTER/projects/{project_id}/endpoints`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoints`
Returns all the endpoints that are currently associated with a specific project.
Response:
@ -97,6 +103,8 @@ Response:
#### Delete Association: `DELETE /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint`
Eliminates a previously created association between a project and an endpoint.
Response:
@ -105,6 +113,8 @@ Response:
#### Get projects associated with endpoint: `GET /OS-EP-FILTER/endpoints/{endpoint_id}/projects`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_projects`
Returns a list of projects that are currently associated with the given endpoint.
Response:
@ -145,6 +155,8 @@ Response:
#### Create Endpoint Group Filter: `POST /OS-EP-FILTER/endpoint_groups`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_groups`
Request:
{
@ -179,6 +191,8 @@ Response:
#### Get Endpoint Group: `GET /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group`
Response:
Status: 200 OK
@ -200,12 +214,16 @@ Response:
#### Check Endpoint Group: `HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group`
Response:
Status: 200 OK
#### Update Endpoint Group: `PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group`
The request block is the same as the one for create endpoint group, except
that only the attributes that are being updated need to be included.
@ -243,12 +261,16 @@ Response:
#### Remove Endpoint Group: `DELETE /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group`
Response:
Status: 204 No Content
#### List All Endpoint Groups: `GET /OS-EP-FILTER/endpoint_groups`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_groups`
Response:
Status: 200 OK
@ -292,6 +314,8 @@ Response:
#### List Endpoint Groups Associated with Project: `GET /OS-EP-FILTER/endpoint_groups/projects/{project_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint_groups`
Response:
Status: 200 OK
@ -324,12 +348,16 @@ Response:
#### Create Endpoint Group to Project Association: `PUT /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_project`
Response:
Status: 204 No Content
#### Get Endpoint Group to Project Association: `GET /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_project`
Response:
Status: 200 OK
@ -349,18 +377,24 @@ Response:
#### Check Endpoint Group to Project Association: `HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_project`
Response:
Status: 200 OK
#### Delete Endpoint Group to Project Association: `DELETE /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_project`
Response:
Status: 204 No Content
#### List Projects Associated with Endpoint Group: `GET /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_projects`
Response:
Status: 200 OK
@ -397,6 +431,8 @@ Response:
#### List Service Endpoints Associated with Endpoint Group: `GET /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_endpoints`
Response:
Status: 200 OK

38
v3/src/markdown/identity-api-v3-os-federation-ext.md
View File

@ -143,6 +143,8 @@ Identity Provider API
### Register an Identity Provider: `PUT /OS-FEDERATION/identity_providers/{idp_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider`
Request:
{
@ -170,6 +172,8 @@ Response:
### List identity providers: `GET /OS-FEDERATION/identity_providers`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_providers`
Response:
Status: 200 OK
@ -204,6 +208,8 @@ Response:
### Get Identity provider: `GET /OS-FEDERATION/identity_providers/{idp_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider`
Response:
Status: 200 OK
@ -222,6 +228,8 @@ Response:
### Delete identity provider: `DELETE /OS-FEDERATION/identity_providers/{idp_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider`
When an identity provider is deleted, any tokens generated by that identity
provider will be revoked.
@ -231,6 +239,8 @@ Response:
### Update identity provider: `PATCH /OS-FEDERATION/identity_providers/{idp_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider`
Request:
{
@ -260,6 +270,8 @@ provider will be revoked.
### Add a supported protocol and attribute mapping combination to an identity provider: `PUT /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocol`
Request:
{
@ -285,6 +297,8 @@ Response:
### List all supported protocol and attribute mapping combinations of an identity provider: `GET /OS-FEDERATION/identity_providers/{idp_id}/protocols`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocols`
Response:
Status: 200 OK
@ -309,6 +323,8 @@ Response:
### Get a supported protocol and attribute mapping combination for an identity provider: `GET /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocol`
Response:
Status: 200 OK
@ -326,6 +342,8 @@ Response:
### Update the attribute mapping for an identity provider and protocol combination: `PATCH /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocol`
Request:
{
@ -351,6 +369,8 @@ Response:
### Delete a supported protocol and attribute mapping combination from an identity provider: `DELETE /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocol`
Response:
Status: 204 No Content
@ -360,6 +380,8 @@ Mapping API
### Create a mapping: `PUT /OS-FEDERATION/mappings/{mapping_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/mapping`
Request:
{
@ -438,6 +460,8 @@ Response:
### Get a mapping: `GET /OS-FEDERATION/mappings/{mapping_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/mapping`
Response:
Status: 200 OK
@ -481,6 +505,8 @@ Response:
### Update a mapping: `PATCH /OS-FEDERATION/mappings/{mapping_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/mapping`
Request:
{
@ -559,6 +585,8 @@ Response:
### List all mappings: `GET /OS-FEDERATION/mappings`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/mappings`
Response:
Status 200 OK
@ -609,6 +637,8 @@ Response:
### Delete a mapping: `DELETE /OS-FEDERATION/mappings/{mapping_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/mapping`
Response:
Status: 204 No Content
@ -618,6 +648,8 @@ Listing projects and domains
### List projects a federated user can access: `GET /OS-FEDERATION/projects`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/projects`
Returns a collection of projects to which the federated user has authorization
to access. To access this resource, an unscoped token is used, the user can
then select a project and request a scoped token. Note that only enabled
@ -657,6 +689,8 @@ Response:
### List domains a federated user can access: `GET /OS-FEDERATION/domains`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/domains`
Returns a collection of domains to which the federated user has authorization
to access. To access this resource, an unscoped token is used, the user can
then select a domain and request a scoped token. Note that only enabled
@ -794,6 +828,8 @@ Authenticating
### Request an unscoped OS-FEDERATION token: `GET/POST /OS-FEDERATION/identity_providers/{identity_provider}/protocols/{protocol}/auth`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocol_auth`
A federated user may request an unscoped token, which can be used to get
a scoped token.
@ -834,6 +870,8 @@ Example of an OS-FEDERATION token:
### Request a scoped OS-FEDERATION token: `POST /auth/tokens`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens`
A federated user may request a scoped token, by using the unscoped token.
A project or domain may be specified by either id or name. An id is sufficient to
uniquely identify a project or domain.

18
v3/src/markdown/identity-api-v3-os-inherit-ext.md
View File

@ -12,6 +12,8 @@ The following additional APIs are supported by this extension:
#### Assign role to user on projects owned by a domain:
`PUT /OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_role_inherited_to_projects`
The inherited role is only applied to the owned projects (both existing and future
projects), and will not appear as a role in a domain scoped token.
@ -22,6 +24,8 @@ Response:
#### Assign role to group on projects owned by a domain:
`PUT /OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects`
Relationship: `http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_group_role_inherited_to_projects`
The inherited role is only applied to the owned projects (both existing and future
projects), and will not appear as a role in a domain scoped token.
@ -32,6 +36,8 @@ Response:
#### List user's inherited project roles on a domain:
`GET /OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects`
Relationship: `http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_user_roles_inherited_to_projects`
The list only contains those role assignments to the domain that were specified
as being inherited to projects within that domain.
@ -67,6 +73,8 @@ Response:
#### List group's inherited project roles on domain:
`GET /OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects`
Relationship: `'http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_group_roles_inherited_to_projects`
The list only contains those role assignments to the domain that were specified
as being inherited to projects within that domain.
@ -102,6 +110,8 @@ Response:
#### Check if user has an inherited project role on domain:
`HEAD /OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_role_inherited_to_projects`
Response:
Status: 204 No Content
@ -109,6 +119,8 @@ Response:
#### Check if group has an inherited project role on domain:
`HEAD /OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects`
Relationship: `http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_group_role_inherited_to_projects`
Response:
Status: 204 No Content
@ -116,6 +128,8 @@ Response:
#### Revoke an inherited project role from user on domain:
`DELETE /OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_role_inherited_to_projects`
Response:
Status: 204 No Content
@ -123,6 +137,8 @@ Response:
#### Revoke an inherited project role from group on domain:
`DELETE /OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects`
Relationship: `http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_group_role_inherited_to_projects`
Response:
Status: 204 No Content
@ -134,6 +150,8 @@ The following APIs are modified by this extension.
#### List effective role assignments: `GET /role_assignments`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/role_assignments`
The scope section in the list response is extended to allow the representation of role
assignments that are inherited to projects.

28
v3/src/markdown/identity-api-v3-os-oauth1-ext.md
View File

@ -65,6 +65,8 @@ Consumers API
### Create Consumer: `POST /OS-OAUTH1/consumers`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumers`
Request:
{
@ -92,6 +94,8 @@ The `secret` is only returned once, during consumer creation.
### List Consumers: `GET /OS-OAUTH1/consumers`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumers`
Response:
Status: 200 OK
@ -121,6 +125,8 @@ Response:
### Get Consumer: `GET /OS-OAUTH1/consumers/{consumer_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumer`
Response:
Status: 200 OK
@ -137,6 +143,8 @@ Response:
### Delete Consumer: `DELETE /OS-OAUTH1/consumers/{consumer_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumer`
When a Consumer is deleted, any Request Tokens, Access Tokens, or Identity API
Tokens will also be deleted.
@ -146,6 +154,8 @@ Response:
### Update Consumer: `PATCH /OS-OAUTH1/consumers/{consumer_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumer`
Only a Consumer's `description` is mutable. Attempting to PATCH an immutable
attribute should result in a HTTP 400 Bad Request.
@ -176,6 +186,8 @@ Delegated Auth APIs
### Create Request Token: `POST /OS-OAUTH1/request_token`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/request_tokens`
A Consumer uses the Consumer Key and Secret to obtain a Request Token. The
Request Token is used to initiate User authorization. The Request Token, once
authorized, can be exchanged along with the OAuth Verifier for an Access
@ -214,6 +226,8 @@ Response Parameters:
### Authorize Request Token: `PUT /OS-OAUTH1/authorize/{request_token_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/authorize_request_token`
To authorize the Request Token, the authorizing user must have access
to the requested project. Upon successful authorization, an OAuth
Verifier code is returned. The Consumer receives the OAuth Verifier
@ -242,6 +256,8 @@ Response:
### Create Access Token: `POST /OS-OAUTH1/access_token`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/access_tokens`
After the User authorizes the Request Token, the Consumer exchanges the
authorized Request Token and OAuth Verifier for an Access Token. The Identity
service may include an `oauth_expires_at` parameter in the response. If no such
@ -267,6 +283,8 @@ Response Parameters:
### Request an Identity API Token: `POST /auth/tokens`
Relationship: `http://docs.openstack.org/identity/rel/v3/auth_tokens`
The Consumer can now request valid Identity API service tokens representing the
authorizing User's delegated authorization and identity (impersonation).
The generated token's roles and scope will match that which the Consumer
@ -313,6 +331,8 @@ User Access Token APIs
### List authorized access tokens: `GET /users/{user_id}/OS-OAUTH1/access_tokens`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_tokens`
Response:
{
@ -338,6 +358,8 @@ Response:
### Get authorized access token: `GET /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token`
Response:
{
@ -356,14 +378,20 @@ Response:
### List roles of an access token: `GET /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token_roles`
See `GET /v3/roles` for an [example](https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#list-roles-get-roles) of this response format.
### Get a role of an access token: `GET /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token_role`
See `GET /v3/roles/{role_id}` for an [example](https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#get-role-get-rolesrole_id) of this response format.
### Revoke access token: `DELETE /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token`
A User can revoke an Access Token, preventing the Consumer from requesting new
Identity API service tokens. This also revokes any Identity API tokens issued
to the Consumer using that Access Token.

2
v3/src/markdown/identity-api-v3-os-revoke-ext.md
View File

@ -81,6 +81,8 @@ API
#### List revocation events: `GET /OS-REVOKE/events`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-REVOKE/1.0/rel/events`
Optional query parameters:
- `since` (RFC 1123 format date time): limit the list of results to events that

4
v3/src/markdown/identity-api-v3-os-simple-certs-ext.md
View File

@ -30,6 +30,8 @@ API
#### Retrieve CA certificate chain: `GET /OS-SIMPLE-CERT/ca`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-SIMPLE-CERT/1.0/rel/ca_certificate`
Fetches the certificate chain used to authenticate signed tokens.
It is possible that a chain of certificates (more than one) is returned. In
@ -63,6 +65,8 @@ this case the chain should be used when validating a token.
#### Retrieve signing certificates: `GET /OS-SIMPLE-CERT/certificates`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-SIMPLE-CERT/1.0/rel/certificates`
Fetches the certificates containing the public key for the private key that has
been used to sign tokens.

14
v3/src/markdown/identity-api-v3-os-trust-ext.md
View File

@ -203,6 +203,8 @@ the trust, the `impersonation` flag, the `trustee_user_id` and the
#### Create trust: `POST /OS-TRUST/trusts`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trusts`
Request:
{
@ -255,6 +257,8 @@ Response:
#### List trusts: `GET /OS-TRUST/trusts`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trusts`
query_string: page (optional)
query_string: per_page (optional, default 30)
query filter for "trustee_user_id", "trustor_user_id" (optional)
@ -355,6 +359,8 @@ Response:
#### Get trust: `GET /OS-TRUST/trusts/{trust_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust`
Response:
Status: 200 OK
@ -389,12 +395,16 @@ Response:
#### Delete trust: `DELETE /OS-TRUST/trusts/{trust_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust`
Response:
Status: 204 No Content
#### List roles delegated by a trust: `GET /OS-TRUST/trusts/{trust_id}/roles`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust_roles`
Response:
Status: 200 OK
@ -420,12 +430,16 @@ Response:
#### Check if role is delegated by a trust: `HEAD /OS-TRUST/trusts/{trust_id}/roles/{role_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust_role`
Response:
Status: 204 No Content
#### Get role delegated by a trust: `GET /OS-TRUST/trusts/{trust_id}/roles/{role_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust_role`
Response:
Status: 200 OK

210
v3/src/markdown/identity-api-v3.md
View File

@ -17,6 +17,7 @@ These features are not yet considered stable (expected September 4th, 2014).
- Addition of `name` optional variable to be included from service definition
into the service catalog.
- Introduced a stand alone call to retrieve a service catalog.
- JSON Home support
What's New in Version 3.2
-------------------------
@ -1190,6 +1191,25 @@ Example entity:
}
}
JSON Home
---------
Identity API version 3.3 supports JSON Home for resource and extension
discovery. The identity server will return a JSON Home document on a `GET /v3`
request where the `Accept` header indicates that the response should be
`application/json-home`. The JSON Home document contains a mapping of
"relationships" to the relative path or path template to the actual resource.
The JSON Home document includes not only the core APIs that are supported for
that version of the identity API, but also the resources for the enabled
extensions. Disabled extensions won't have their relationships in the JSON Home
document. A client application can query the JSON Home document to see if an
extension is available.
Each of the resources in the Core API below specify the "relationship" for the
resource. A client application can look up the resource path or path template
for a resource by looking for that resource in the JSON Home document.
Core API
--------
@ -1223,6 +1243,32 @@ Response:
}
}
*New in 3.3*: `GET /v3/` will return a JSON Home response if the `Accept`
header indicates that the client wants an `application/json-home` response.
Note that the client must check the `Content-Type` in the response because
older servers will return a normal JSON response rather than the JSON Home
response. See http://tools.ietf.org/html/draft-nottingham-json-home-03 for a
description of the JSON Home document format.
The JSON Home document returned includes all the core components and also the
resources for the enabled extensions. Resources for disabled extensions aren't
included.
Request:
GET /v3
Accept: application/json-home
Response:
{
"resources": {
"http://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens": {
"href": "/auth/tokens"
},
... One for each resource ...
}
}
### Tokens
@ -1238,6 +1284,8 @@ Use cases:
#### Authenticate: `POST /auth/tokens`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens`
Each request to create a token contains an attribute with `identity`
information and, optionally, a `scope` describing the authorization scope being
requested. Example request structure:
@ -1497,6 +1545,8 @@ token will be issued without an explicit scope of authorization.
##### Catalog Opt-Out: `POST /v3/auth/tokens?nocatalog`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens`
*New in version 3.1* If the caller specifies a `nocatalog` query parameter in
the authentication request, then the authentication response will not contain
the service catalog. The service catalog will otherwise be included in the
@ -1769,6 +1819,8 @@ For example:
#### Validate token and get service catalog: `GET /auth/tokens`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens`
To validate a token using the Identity API, pass your own token in the
`X-Auth-Token` header, and the token to be validated in the `X-Subject-Token`
header. The Identity service returns a service catalog in the response.
@ -1785,6 +1837,8 @@ token was issued by `POST /auth/tokens`.
#### Validate token: `GET /auth/tokens?nocatalog`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens`
*New in version 3.2*
To validate a token using the Identity API without returning a service catalog
@ -1795,12 +1849,16 @@ token was issued by `POST /auth/tokens?nocatalog`.
#### Check token: `HEAD /auth/tokens`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens`
This call is identical to `GET /auth/tokens`, but no response body is provided,
even if an error occurs or the token is invalid. A 204 response indicates that
the `X-Subject-Token` is valid.
#### Revoke token: `DELETE /auth/tokens`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens`
This call is identical to `HEAD /auth/tokens` except that the `X-Subject-Token`
token is immediately invalidated, regardless of its `expires_at` attribute. An
additional `X-Auth-Token` is not required.
@ -1814,6 +1872,8 @@ The key use cases we need to cover:
#### Get service catalog: `GET /catalog`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/catalog`
*New in version 3.3*
This call returns a service catalog for the `X-Auth-Token` provided in the
@ -1864,6 +1924,8 @@ Response:
#### List regions: `GET /regions`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/regions`
Optional query parameters:
- `parent_region_id` (string)
@ -1894,6 +1956,8 @@ Response:
#### Get region: `GET /regions/{region_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/region`
Response:
Status: 200 OK
@ -1912,6 +1976,8 @@ Response:
#### Create region: `POST /regions`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/regions`
Request:
{
@ -1944,6 +2010,8 @@ Response:
#### Create region with specific ID: `PUT /regions/{user_defined_region_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/region`
Request:
{
@ -1980,6 +2048,8 @@ Response:
#### Update region: `PATCH /regions/{region_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/region`
Request:
{
@ -2010,6 +2080,8 @@ Response:
#### Delete region: `DELETE /regions/{region_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/region`
* Note: deleting a region with child regions should return a `409 Conflict`
Response:
@ -2018,6 +2090,8 @@ Response:
#### List services: `GET /services`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/services`
Optional query parameters:
- `name` (string) *New in version 3.3*
@ -2057,6 +2131,8 @@ Response:
#### Get service: `GET /services/{service_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/service`
Response:
Status: 200 OK
@ -2075,6 +2151,8 @@ Response:
#### Create service: `POST /services`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/services`
Request:
{
@ -2103,6 +2181,8 @@ Response:
#### Update service: `PATCH /services/{service_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/service`
The request block is the same as the one for create service, except that only
the attributes that are being updated need to be included.
@ -2124,6 +2204,8 @@ Response:
#### Delete service: `DELETE /services/{service_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/service`
* Note: deleting a service when endpoints exist should either 1) delete all
associated endpoints or 2) fail until endpoints are deleted
@ -2135,6 +2217,8 @@ Response:
#### List endpoints: `GET /endpoints`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/endpoints`
Optional query parameters:
- `interface` (string)
@ -2178,6 +2262,8 @@ Response:
#### Get endpoint: `GET /endpoints/{endpoint_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/endpoint`
Response:
Status: 200 OK
@ -2198,6 +2284,8 @@ Response:
#### Create endpoint: `POST /endpoints`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/endpoints`
Request:
{
@ -2229,6 +2317,8 @@ Response:
#### Update endpoint: `PATCH /endpoints/{endpoint_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/endpoint`
The request block is the same as the one for create endpoint, except that only
the attributes that are being updated need to be included.
@ -2253,6 +2343,8 @@ Response:
#### Delete endpoint: `DELETE /endpoints/{endpoint_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/endpoint`
Response:
Status: 204 No Content
@ -2261,6 +2353,8 @@ Response:
#### List domains: `GET /domains`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domains`
Optional query parameters:
- `enabled` (key-only, no value expected)
@ -2300,6 +2394,8 @@ Response:
#### Get domain: `GET /domains/{domain_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domain`
Response:
Status: 200 OK
@ -2318,6 +2414,8 @@ Response:
#### Create domain: `POST /domains`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domains`
Request:
{
@ -2346,6 +2444,8 @@ Response:
#### Update domain: `PATCH /domains/{domain_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domain`
The request block is the same as the one for create domain, except that only
the attributes that are being updated need to be included.
@ -2375,6 +2475,8 @@ Response:
#### Delete domain: `DELETE /domains/{domain_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domain`
Deleting a domain will delete all the entities owned by it (Users, Groups, and
Projects), as well as any credentials and role grants that relate to these
entities.
@ -2392,6 +2494,8 @@ Response:
#### List projects: `GET /projects`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/projects`
Optional query parameters:
- `domain_id` (string)
@ -2432,6 +2536,8 @@ Response:
#### Get project: `GET /projects/{project_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/project`
Response:
Status: 200 OK
@ -2450,6 +2556,8 @@ Response:
#### Create project: `POST /projects`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/projects`
Request:
{
@ -2480,6 +2588,8 @@ Response:
#### Update project: `PATCH /projects/{project_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/project`
The request block is the same as the one for create project, except that only
the attributes that are being updated need to be included.
@ -2511,12 +2621,16 @@ Response:
#### Delete project: `DELETE /projects/{project_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/project`
Status: 204 No Content
### Users
#### List users: `GET /users`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/users`
Optional query parameters:
- `domain_id` (string)
@ -2563,6 +2677,8 @@ Response:
#### Get user: `GET /users/{user_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/user`
Response:
Status: 200 OK
@ -2584,6 +2700,8 @@ Response:
#### List user projects: `GET /users/{user_id}/projects`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/user_projects`
Optional query parameters:
- `enabled` (key-only, no value expected)
@ -2623,6 +2741,8 @@ Response:
#### List groups of which a user is a member: `GET /users/{user_id}/groups`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/user_groups`
Optional query parameters:
- `name` (string)
@ -2661,6 +2781,8 @@ Response:
#### Create user: `POST /users`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/users`
Request:
{
@ -2696,6 +2818,8 @@ Response:
#### Update user: `PATCH /users/{user_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/user`
The request block is the same as the one for create user, except that only the
attributes that are being updated need to be included. Use this method attempt
to update user password or enable/disable the user. This may return a HTTP 501
@ -2722,12 +2846,16 @@ Response:
#### Delete user: `DELETE /users/{user_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/user`
Response:
Status: 204 No Content
#### Change user password: `POST /users/{user_id}/password`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/user_change_password`
Request:
{
@ -2745,6 +2873,8 @@ Response:
#### Create group: `POST /groups`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/groups`
Request:
{
@ -2772,6 +2902,8 @@ Response:
#### List groups: `GET /groups`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/groups`
Optional query parameters:
- `domain_id` (string)
@ -2820,6 +2952,8 @@ Response:
#### Get group: `GET /groups/{group_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/group`
Response:
Status: 200 OK
@ -2837,6 +2971,8 @@ Response:
#### List users who are members of a group: `GET /groups/{group_id}/users`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/group_users`
Optional query parameters:
- `enabled` (key-only, no value expected)
@ -2882,6 +3018,8 @@ Response:
#### Update group: `PATCH /groups/{group_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/group`
The request block is the same as the one for create group, except that only the
attributes that are being updated need to be included. This may return a HTTP
501 Not Implemented if the back-end driver doesn't allow for the functionality.
@ -2903,24 +3041,32 @@ Response:
#### Delete group: `DELETE /groups/{group_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/group`
Response:
Status: 204 No Content
#### Add user to group: `PUT /groups/{group_id}/users/{user_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/group_user`
Response:
Status: 204 No Content
#### Remove user from group: `DELETE /groups/{group_id}/users/{user_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/group_user`
Response:
Status: 204 No Content
#### Check if user is member of group: `HEAD /groups/{group_id}/users/{user_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/group_user`
Response:
Status: 204 No Content
@ -2933,6 +3079,8 @@ The key use cases we need to cover:
#### Create credential: `POST /credentials`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/credentials`
This example shows creating an EC2 style credential where the credentials are a
combination of access_key and secret. Other credentials (such as access_key)
may be supported by simply changing the content of the key data.
@ -2967,6 +3115,8 @@ Response:
#### List credentials: `GET /credentials`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/credentials`
Optional query parameters:
- `user_id` (string)
@ -3007,6 +3157,8 @@ Response:
#### Get credential: `GET /credentials/{credential_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/credential`
Response:
Status: 200 OK
@ -3026,6 +3178,8 @@ Response:
#### Update credential: `PATCH /credentials/{credential_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/credential`
The request block is the same as the one for create credential, except that
only the attributes that are being updated need to be included.
@ -3048,6 +3202,8 @@ Response:
#### Delete credential: `DELETE /credentials/{credential_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/credential`
Response:
Status: 204 No Content
@ -3061,6 +3217,8 @@ The key use cases we need to cover:
#### Create role: `POST /roles`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/roles`
Request:
{
@ -3085,6 +3243,8 @@ Response:
#### List roles: `GET /roles`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/roles`
Optional query parameters:
- `name` (string)
@ -3119,6 +3279,8 @@ Response:
#### Get role: `GET /roles/{role_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/role`
Response:
Status: 200 OK
@ -3135,6 +3297,8 @@ Response:
#### Update role: `PATCH /roles/{role_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/role`
The request block is the same as the one for create role, except that only the
attributes that are being updated need to be included.
@ -3154,24 +3318,32 @@ Response:
#### Delete role: `DELETE /roles/{role_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/role`
Response:
Status: 204 No Content
#### Grant role to user on domain: `PUT /domains/{domain_id}/users/{user_id}/roles/{role_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domain_user_role`
Response:
Status: 204 No Content
#### Grant role to group on domain: `PUT /domains/{domain_id}/groups/{group_id}/roles/{role_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domain_group_role`
Response:
Status: 204 No Content
#### List user's roles on domain: `GET /domains/{domain_id}/users/{user_id}/roles`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domain_user_roles`
Response:
Status: 200 OK
@ -3202,6 +3374,8 @@ Response:
#### List group's roles on domain: `GET /domains/{domain_id}/groups/{group_id}/roles`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domain_group_roles`
Response:
Status: 200 OK
@ -3232,42 +3406,56 @@ Response:
#### Check if user has role on domain: `HEAD /domains/{domain_id}/users/{user_id}/roles/{role_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domain_user_role`
Response:
Status: 204 No Content
#### Check if group has role on domain: `HEAD /domains/{domain_id}/groups/{group_id}/roles/{role_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domain_group_role`
Response:
Status: 204 No Content
#### Revoke role from user on domain: `DELETE /domains/{domain_id}/users/{user_id}/roles/{role_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domain_user_role`
Response:
Status: 204 No Content
#### Revoke role from group on domain: `DELETE /domains/{domain_id}/groups/{group_id}/roles/{role_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domain_group_role`
Response:
Status: 204 No Content
#### Grant role to user on project: `PUT /projects/{project_id}/users/{user_id}/roles/{role_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/project_user_role`
Response:
Status: 204 No Content
#### Grant role to group on project: `PUT /projects/{project_id}/groups/{group_id}/roles/{role_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/project_group_role`
Response:
Status: 204 No Content
#### List user's roles on project: `GET /projects/{project_id}/users/{user_id}/roles`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/project_user_role`
Response:
Status: 200 OK
@ -3298,6 +3486,8 @@ Response:
#### List group's roles on project: `GET /projects/{project_id}/groups/{group_id}/roles`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/project_group_roles`
Response:
Status: 200 OK
@ -3328,30 +3518,40 @@ Response:
#### Check if user has role on project: `HEAD /projects/{project_id}/users/{user_id}/roles/{role_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/project_user_role`
Response:
Status: 204 No Content
#### Check if group has role on project: `HEAD /projects/{project_id}/groups/{group_id}/roles/{role_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/project_group_role`
Response:
Status: 204 No Content
#### Revoke role from user on project: `DELETE /projects/{project_id}/users/{user_id}/roles/{role_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/project_user_role`
Response:
Status: 204 No Content
#### Revoke role from group on project: `DELETE /projects/{project_id}/groups/{group_id}/roles/{role_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/project_group_role`
Response:
Status: 204 No Content
#### List effective role assignments: `GET /role_assignments`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/role_assignments`
*New in version 3.1*
Optional query parameters:
@ -3506,6 +3706,8 @@ The key use cases we need to cover:
#### Create policy: `POST /policies`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/policies`
Request:
{
@ -3530,6 +3732,8 @@ Response:
#### List policies: `GET /policies`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/policies`
Optional query parameters:
- `type` (string)
@ -3566,6 +3770,8 @@ Response:
#### Get policy: `GET /policies/{policy_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/policy`
Response:
Status: 200 OK
@ -3583,6 +3789,8 @@ Response:
#### Update policy: `PATCH /policies/{policy_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/policy`
The request block is the same as the one for create policy, except that only
the attributes that are being updated need to be included.
@ -3603,6 +3811,8 @@ Response:
#### Delete policy: `DELETE /policies/{policy_id}`
Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/policy`
Response:
Status: 204 No Content