- check_str: role:admin or is_admin:1 description: null name: admin_required operations: [] scope_types: null - check_str: role:service description: null name: service_role operations: [] scope_types: null - check_str: rule:admin_required or rule:service_role description: null name: service_or_admin operations: [] scope_types: null - check_str: user_id:%(user_id)s description: null name: owner operations: [] scope_types: null - check_str: rule:admin_required or rule:owner description: null name: admin_or_owner operations: [] scope_types: null - check_str: user_id:%(target.token.user_id)s description: null name: token_subject operations: [] scope_types: null - check_str: rule:admin_required or rule:token_subject description: null name: admin_or_token_subject operations: [] scope_types: null - check_str: rule:service_or_admin or rule:token_subject description: null name: service_admin_or_token_subject operations: [] scope_types: null - check_str: (role:reader and system_scope:all) or user_id:%(target.user.id)s description: Show access rule details. name: identity:get_access_rule operations: - method: GET path: /v3/users/{user_id}/access_rules/{access_rule_id} - method: HEAD path: /v3/users/{user_id}/access_rules/{access_rule_id} scope_types: - system - project - check_str: (role:reader and system_scope:all) or user_id:%(target.user.id)s description: List access rules for a user. name: identity:list_access_rules operations: - method: GET path: /v3/users/{user_id}/access_rules - method: HEAD path: /v3/users/{user_id}/access_rules scope_types: - system - project - check_str: (role:admin and system_scope:all) or user_id:%(target.user.id)s description: Delete an access_rule. name: identity:delete_access_rule operations: - method: DELETE path: /v3/users/{user_id}/access_rules/{access_rule_id} scope_types: - system - project - check_str: rule:admin_required description: Authorize OAUTH1 request token. 
name: identity:authorize_request_token operations: - method: PUT path: /v3/OS-OAUTH1/authorize/{request_token_id} scope_types: - project - check_str: rule:admin_required description: Get OAUTH1 access token for user by access token ID. name: identity:get_access_token operations: - method: GET path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id} scope_types: - project - check_str: rule:admin_required description: Get role for user OAUTH1 access token. name: identity:get_access_token_role operations: - method: GET path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id} scope_types: - project - check_str: rule:admin_required description: List OAUTH1 access tokens for user. name: identity:list_access_tokens operations: - method: GET path: /v3/users/{user_id}/OS-OAUTH1/access_tokens scope_types: - project - check_str: rule:admin_required description: List OAUTH1 access token roles. name: identity:list_access_token_roles operations: - method: GET path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles scope_types: - project - check_str: rule:admin_required description: Delete OAUTH1 access token. name: identity:delete_access_token operations: - method: DELETE path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id} scope_types: - project - check_str: (role:reader and system_scope:all) or rule:owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: identity:get_application_credential deprecated_since: null description: Show application credential details. 
name: identity:get_application_credential operations: - method: GET path: /v3/users/{user_id}/application_credentials/{application_credential_id} - method: HEAD path: /v3/users/{user_id}/application_credentials/{application_credential_id} scope_types: - system - project - check_str: (role:reader and system_scope:all) or rule:owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: identity:list_application_credentials deprecated_since: null description: List application credentials for a user. name: identity:list_application_credentials operations: - method: GET path: /v3/users/{user_id}/application_credentials - method: HEAD path: /v3/users/{user_id}/application_credentials scope_types: - system - project - check_str: user_id:%(user_id)s description: Create an application credential. name: identity:create_application_credential operations: - method: POST path: /v3/users/{user_id}/application_credentials scope_types: - project - check_str: (role:admin and system_scope:all) or rule:owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: identity:delete_application_credential deprecated_since: null description: Delete an application credential. name: identity:delete_application_credential operations: - method: DELETE path: /v3/users/{user_id}/application_credentials/{application_credential_id} scope_types: - system - project - check_str: '' description: Get service catalog. name: identity:get_auth_catalog operations: - method: GET path: /v3/auth/catalog - method: HEAD path: /v3/auth/catalog scope_types: null - check_str: '' description: List all projects a user has access to via role assignments. name: identity:get_auth_projects operations: - method: GET path: /v3/auth/projects - method: HEAD path: /v3/auth/projects scope_types: null - check_str: '' description: List all domains a user has access to via role assignments. 
name: identity:get_auth_domains operations: - method: GET path: /v3/auth/domains - method: HEAD path: /v3/auth/domains scope_types: null - check_str: '' description: List systems a user has access to via role assignments. name: identity:get_auth_system operations: - method: GET path: /v3/auth/system - method: HEAD path: /v3/auth/system scope_types: null - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_consumer deprecated_since: null description: Show OAUTH1 consumer details. name: identity:get_consumer operations: - method: GET path: /v3/OS-OAUTH1/consumers/{consumer_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_consumers deprecated_since: null description: List OAUTH1 consumers. name: identity:list_consumers operations: - method: GET path: /v3/OS-OAUTH1/consumers scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_consumer deprecated_since: null description: Create OAUTH1 consumer. name: identity:create_consumer operations: - method: POST path: /v3/OS-OAUTH1/consumers scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_consumer deprecated_since: null description: Update OAUTH1 consumer. name: identity:update_consumer operations: - method: PATCH path: /v3/OS-OAUTH1/consumers/{consumer_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_consumer deprecated_since: null description: Delete OAUTH1 consumer. 
name: identity:delete_consumer operations: - method: DELETE path: /v3/OS-OAUTH1/consumers/{consumer_id} scope_types: - system - project - check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_credential deprecated_since: null description: Show credentials details. name: identity:get_credential operations: - method: GET path: /v3/credentials/{credential_id} scope_types: - system - project - check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_credentials deprecated_since: null description: List credentials. name: identity:list_credentials operations: - method: GET path: /v3/credentials scope_types: - system - project - check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_credential deprecated_since: null description: Create credential. name: identity:create_credential operations: - method: POST path: /v3/credentials scope_types: - system - project - check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_credential deprecated_since: null description: Update credential. name: identity:update_credential operations: - method: PATCH path: /v3/credentials/{credential_id} scope_types: - system - project - check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_credential deprecated_since: null description: Delete credential. 
name: identity:delete_credential operations: - method: DELETE path: /v3/credentials/{credential_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_required or token.project.domain.id:%(target.domain.id)s name: identity:get_domain deprecated_since: null description: Show domain details. name: identity:get_domain operations: - method: GET path: /v3/domains/{domain_id} scope_types: - system - domain - project - check_str: rule:admin_required or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain.id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_domains deprecated_since: null description: List domains. name: identity:list_domains operations: - method: GET path: /v3/domains scope_types: - system - domain - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_domain deprecated_since: null description: Create domain. name: identity:create_domain operations: - method: POST path: /v3/domains scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_domain deprecated_since: null description: Update domain. name: identity:update_domain operations: - method: PATCH path: /v3/domains/{domain_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_domain deprecated_since: null description: Delete domain. 
name: identity:delete_domain operations: - method: DELETE path: /v3/domains/{domain_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_domain_config deprecated_since: null description: Create domain configuration. name: identity:create_domain_config operations: - method: PUT path: /v3/domains/{domain_id}/config scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_domain_config deprecated_since: null description: Get the entire domain configuration for a domain, an option group within a domain, or a specific configuration option within a group for a domain. name: identity:get_domain_config operations: - method: GET path: /v3/domains/{domain_id}/config - method: HEAD path: /v3/domains/{domain_id}/config - method: GET path: /v3/domains/{domain_id}/config/{group} - method: HEAD path: /v3/domains/{domain_id}/config/{group} - method: GET path: /v3/domains/{domain_id}/config/{group}/{option} - method: HEAD path: /v3/domains/{domain_id}/config/{group}/{option} scope_types: - system - project - check_str: '' description: Get security compliance domain configuration for either a domain or a specific option in a domain. 
name: identity:get_security_compliance_domain_config operations: - method: GET path: /v3/domains/{domain_id}/config/security_compliance - method: HEAD path: /v3/domains/{domain_id}/config/security_compliance - method: GET path: /v3/domains/{domain_id}/config/security_compliance/{option} - method: HEAD path: /v3/domains/{domain_id}/config/security_compliance/{option} scope_types: - system - domain - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_domain_config deprecated_since: null description: Update domain configuration for either a domain, specific group or a specific option in a group. name: identity:update_domain_config operations: - method: PATCH path: /v3/domains/{domain_id}/config - method: PATCH path: /v3/domains/{domain_id}/config/{group} - method: PATCH path: /v3/domains/{domain_id}/config/{group}/{option} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_domain_config deprecated_since: null description: Delete domain configuration for either a domain, specific group or a specific option in a group. name: identity:delete_domain_config operations: - method: DELETE path: /v3/domains/{domain_id}/config - method: DELETE path: /v3/domains/{domain_id}/config/{group} - method: DELETE path: /v3/domains/{domain_id}/config/{group}/{option} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_domain_config_default deprecated_since: null description: Get domain configuration default for either a domain, specific group or a specific option in a group. 
name: identity:get_domain_config_default operations: - method: GET path: /v3/domains/config/default - method: HEAD path: /v3/domains/config/default - method: GET path: /v3/domains/config/{group}/default - method: HEAD path: /v3/domains/config/{group}/default - method: GET path: /v3/domains/config/{group}/{option}/default - method: HEAD path: /v3/domains/config/{group}/{option}/default scope_types: - system - project - check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s) name: identity:ec2_get_credential deprecated_since: null description: Show ec2 credential details. name: identity:ec2_get_credential operations: - method: GET path: /v3/users/{user_id}/credentials/OS-EC2/{credential_id} scope_types: - system - project - check_str: (role:reader and system_scope:all) or rule:owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: identity:ec2_list_credentials deprecated_since: null description: List ec2 credentials. name: identity:ec2_list_credentials operations: - method: GET path: /v3/users/{user_id}/credentials/OS-EC2 scope_types: - system - project - check_str: (role:admin and system_scope:all) or rule:owner deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: identity:ec2_create_credential deprecated_since: null description: Create ec2 credential. name: identity:ec2_create_credential operations: - method: POST path: /v3/users/{user_id}/credentials/OS-EC2 scope_types: - system - project - check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s) name: identity:ec2_delete_credential deprecated_since: null description: Delete ec2 credential. 
name: identity:ec2_delete_credential operations: - method: DELETE path: /v3/users/{user_id}/credentials/OS-EC2/{credential_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_endpoint deprecated_since: null description: Show endpoint details. name: identity:get_endpoint operations: - method: GET path: /v3/endpoints/{endpoint_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_endpoints deprecated_since: null description: List endpoints. name: identity:list_endpoints operations: - method: GET path: /v3/endpoints scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_endpoint deprecated_since: null description: Create endpoint. name: identity:create_endpoint operations: - method: POST path: /v3/endpoints scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_endpoint deprecated_since: null description: Update endpoint. name: identity:update_endpoint operations: - method: PATCH path: /v3/endpoints/{endpoint_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_endpoint deprecated_since: null description: Delete endpoint. name: identity:delete_endpoint operations: - method: DELETE path: /v3/endpoints/{endpoint_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_endpoint_group deprecated_since: null description: Create endpoint group. 
name: identity:create_endpoint_group operations: - method: POST path: /v3/OS-EP-FILTER/endpoint_groups scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_endpoint_groups deprecated_since: null description: List endpoint groups. name: identity:list_endpoint_groups operations: - method: GET path: /v3/OS-EP-FILTER/endpoint_groups scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_endpoint_group deprecated_since: null description: Get endpoint group. name: identity:get_endpoint_group operations: - method: GET path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} - method: HEAD path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_endpoint_group deprecated_since: null description: Update endpoint group. name: identity:update_endpoint_group operations: - method: PATCH path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_endpoint_group deprecated_since: null description: Delete endpoint group. name: identity:delete_endpoint_group operations: - method: DELETE path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_projects_associated_with_endpoint_group deprecated_since: null description: List all projects associated with a specific endpoint group. 
name: identity:list_projects_associated_with_endpoint_group operations: - method: GET path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_endpoints_associated_with_endpoint_group deprecated_since: null description: List all endpoints associated with an endpoint group. name: identity:list_endpoints_associated_with_endpoint_group operations: - method: GET path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_endpoint_group_in_project deprecated_since: null description: Check if an endpoint group is associated with a project. name: identity:get_endpoint_group_in_project operations: - method: GET path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} - method: HEAD path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_endpoint_groups_for_project deprecated_since: null description: List endpoint groups associated with a specific project. name: identity:list_endpoint_groups_for_project operations: - method: GET path: /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:add_endpoint_group_to_project deprecated_since: null description: Allow a project to access an endpoint group. 
name: identity:add_endpoint_group_to_project operations: - method: PUT path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:remove_endpoint_group_from_project deprecated_since: null description: Remove endpoint group from project. name: identity:remove_endpoint_group_from_project operations: - method: DELETE path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} scope_types: - system - project - check_str: (rule:admin_required) or ((role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:check_grant deprecated_since: null description: Check a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable. 
name: identity:check_grant operations: - method: HEAD path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id} - method: GET path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id} - method: HEAD path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} - method: GET path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} - method: HEAD path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} - method: GET path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} - method: HEAD path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} - method: GET path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} - method: HEAD path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - method: GET path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - method: HEAD path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects - method: GET path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects - method: HEAD path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - method: GET path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - method: HEAD path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects - method: GET path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects scope_types: - system - domain - project - check_str: (rule:admin_required) or ((role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and 
domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_grants deprecated_since: null description: List roles granted to an actor on a target. A target can be either a domain or a project. An actor can be either a user or a group. For the OS-INHERIT APIs, it is possible to list inherited role grants for actors on domains, where grants are inherited to all projects in the specified domain. name: identity:list_grants operations: - method: GET path: /v3/projects/{project_id}/users/{user_id}/roles - method: HEAD path: /v3/projects/{project_id}/users/{user_id}/roles - method: GET path: /v3/projects/{project_id}/groups/{group_id}/roles - method: HEAD path: /v3/projects/{project_id}/groups/{group_id}/roles - method: GET path: /v3/domains/{domain_id}/users/{user_id}/roles - method: HEAD path: /v3/domains/{domain_id}/users/{user_id}/roles - method: GET path: /v3/domains/{domain_id}/groups/{group_id}/roles - method: HEAD path: /v3/domains/{domain_id}/groups/{group_id}/roles - method: GET path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects - method: GET path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects scope_types: - system - domain - project - check_str: (rule:admin_required) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_grant deprecated_since: null description: Create a role grant between a target 
and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable. name: identity:create_grant operations: - method: PUT path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id} - method: PUT path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} - method: PUT path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} - method: PUT path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} - method: PUT path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - method: PUT path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects - method: PUT path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - method: PUT path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects scope_types: - system - domain - project - check_str: (rule:admin_required) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:revoke_grant deprecated_since: null description: Revoke a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable. 
In that case, revoking the role grant in the target would remove the logical effect of inheriting it to the target's projects subtree. name: identity:revoke_grant operations: - method: DELETE path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id} - method: DELETE path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} - method: DELETE path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} - method: DELETE path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} - method: DELETE path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - method: DELETE path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects - method: DELETE path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - method: DELETE path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects scope_types: - system - domain - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_system_grants_for_user deprecated_since: null description: List all grants a specific user has on the system. name: identity:list_system_grants_for_user operations: - method: - HEAD - GET path: /v3/system/users/{user_id}/roles scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:check_system_grant_for_user deprecated_since: null description: Check if a user has a role on the system. 
name: identity:check_system_grant_for_user operations: - method: - HEAD - GET path: /v3/system/users/{user_id}/roles/{role_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_system_grant_for_user deprecated_since: null description: Grant a user a role on the system. name: identity:create_system_grant_for_user operations: - method: - PUT path: /v3/system/users/{user_id}/roles/{role_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:revoke_system_grant_for_user deprecated_since: null description: Remove a role from a user on the system. name: identity:revoke_system_grant_for_user operations: - method: - DELETE path: /v3/system/users/{user_id}/roles/{role_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_system_grants_for_group deprecated_since: null description: List all grants a specific group has on the system. name: identity:list_system_grants_for_group operations: - method: - HEAD - GET path: /v3/system/groups/{group_id}/roles scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:check_system_grant_for_group deprecated_since: null description: Check if a group has a role on the system. name: identity:check_system_grant_for_group operations: - method: - HEAD - GET path: /v3/system/groups/{group_id}/roles/{role_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_system_grant_for_group deprecated_since: null description: Grant a group a role on the system. 
# Rest of identity:create_system_grant_for_group; its check_str and
# description end the previous line.
  name: identity:create_system_grant_for_group
  operations:
  - method:
    - PUT
    path: /v3/system/groups/{group_id}/roles/{role_id}
  scope_types:
  - system
  - project
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:revoke_system_grant_for_group
  deprecated_since: null
  description: Remove a role from a group on the system.
  name: identity:revoke_system_grant_for_group
  operations:
  - method:
    - DELETE
    path: /v3/system/groups/{group_id}/roles/{role_id}
  scope_types:
  - system
  - project
# Group reads add a third alternative: role:reader whose domain_id matches
# the target group's domain_id. scope_types gains domain accordingly.
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or
    (role:reader and domain_id:%(target.group.domain_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:get_group
  deprecated_since: null
  description: Show group details.
  name: identity:get_group
  operations:
  - method: GET
    path: /v3/groups/{group_id}
  - method: HEAD
    path: /v3/groups/{group_id}
  scope_types:
  - system
  - domain
  - project
# NOTE(review): the list rule also references target.group.domain_id although
# the path names no single group; how that target attribute is populated for
# a list call is not visible in this file.
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or
    (role:reader and domain_id:%(target.group.domain_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:list_groups
  deprecated_since: null
  description: List groups.
  name: identity:list_groups
  operations:
  - method: GET
    path: /v3/groups
  - method: HEAD
    path: /v3/groups
  scope_types:
  - system
  - domain
  - project
# The last clause, user_id:%(user_id)s, is the same expression as the "owner"
# rule at the top of this file, so a user can list their own groups.
# The deprecated default is rule:admin_or_owner (admin_required or owner).
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or
    (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: identity:list_groups_for_user
  deprecated_since: null
  description: List groups to which a user belongs.
# Rest of identity:list_groups_for_user; its check_str and description end
# the previous line.
  name: identity:list_groups_for_user
  operations:
  - method: GET
    path: /v3/users/{user_id}/groups
  - method: HEAD
    path: /v3/users/{user_id}/groups
  scope_types:
  - system
  - domain
  - project
# Group create/update/delete: rule:admin_required only, with system, domain
# and project all listed in scope_types. Unlike the reader clauses on group
# reads, these check strings contain no domain_id comparison.
# NOTE(review): confirm that domain isolation for group writes is intended to
# be absent from the policy or is enforced elsewhere.
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:create_group
  deprecated_since: null
  description: Create group.
  name: identity:create_group
  operations:
  - method: POST
    path: /v3/groups
  scope_types:
  - system
  - domain
  - project
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:update_group
  deprecated_since: null
  description: Update group.
  name: identity:update_group
  operations:
  - method: PATCH
    path: /v3/groups/{group_id}
  scope_types:
  - system
  - domain
  - project
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:delete_group
  deprecated_since: null
  description: Delete group.
  name: identity:delete_group
  operations:
  - method: DELETE
    path: /v3/groups/{group_id}
  scope_types:
  - system
  - domain
  - project
# Membership listing: admin, system-scoped reader, or reader in the group's
# own domain.
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or
    (role:reader and domain_id:%(target.group.domain_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:list_users_in_group
  deprecated_since: null
  description: List members of a specific group.
  name: identity:list_users_in_group
  operations:
  - method: GET
    path: /v3/groups/{group_id}/users
  - method: HEAD
    path: /v3/groups/{group_id}/users
  scope_types:
  - system
  - domain
  - project
# Membership removal: admin only (entry continues on the next line).
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:remove_user_from_group
  deprecated_since: null
  description: Remove user from group.
# Rest of identity:remove_user_from_group; its check_str and description end
# the previous line.
  name: identity:remove_user_from_group
  operations:
  - method: DELETE
    path: /v3/groups/{group_id}/users/{user_id}
  scope_types:
  - system
  - domain
  - project
# The domain-reader clause requires the caller's domain_id to match BOTH the
# target group's and the target user's domain_id, so a domain reader cannot
# probe membership across domains through this rule.
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or
    (role:reader and domain_id:%(target.group.domain_id)s and
    domain_id:%(target.user.domain_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:check_user_in_group
  deprecated_since: null
  description: Check whether a user is a member of a group.
  name: identity:check_user_in_group
  operations:
  - method: HEAD
    path: /v3/groups/{group_id}/users/{user_id}
  - method: GET
    path: /v3/groups/{group_id}/users/{user_id}
  scope_types:
  - system
  - domain
  - project
# Adding a member is admin only and carries no domain comparison.
# NOTE(review): group membership can confer whatever roles the group holds;
# confirm cross-domain additions are prevented elsewhere if that matters here.
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:add_user_to_group
  deprecated_since: null
  description: Add user to group.
  name: identity:add_user_to_group
  operations:
  - method: PUT
    path: /v3/groups/{group_id}/users/{user_id}
  scope_types:
  - system
  - project
  - domain
  - project
# Federation: identity provider writes are admin only; scope_types drops
# domain and lists system and project.
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:create_identity_provider
  deprecated_since: null
  description: Create identity provider.
  name: identity:create_identity_provider
  operations:
  - method: PUT
    path: /v3/OS-FEDERATION/identity_providers/{idp_id}
  scope_types:
  - system
  - project
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:list_identity_providers
  deprecated_since: null
  description: List identity providers.
name: identity:list_identity_providers operations: - method: GET path: /v3/OS-FEDERATION/identity_providers - method: HEAD path: /v3/OS-FEDERATION/identity_providers scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_identity_provider deprecated_since: null description: Get identity provider. name: identity:get_identity_provider operations: - method: GET path: /v3/OS-FEDERATION/identity_providers/{idp_id} - method: HEAD path: /v3/OS-FEDERATION/identity_providers/{idp_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_identity_provider deprecated_since: null description: Update identity provider. name: identity:update_identity_provider operations: - method: PATCH path: /v3/OS-FEDERATION/identity_providers/{idp_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_identity_provider deprecated_since: null description: Delete identity provider. name: identity:delete_identity_provider operations: - method: DELETE path: /v3/OS-FEDERATION/identity_providers/{idp_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_implied_role deprecated_since: null description: Get information about an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. 
name: identity:get_implied_role operations: - method: GET path: /v3/roles/{prior_role_id}/implies/{implied_role_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_implied_roles deprecated_since: null description: List associations between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. This will return all the implied roles that would be assumed by the user who gets the specified prior role. name: identity:list_implied_roles operations: - method: GET path: /v3/roles/{prior_role_id}/implies - method: HEAD path: /v3/roles/{prior_role_id}/implies scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_implied_role deprecated_since: null description: Create an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. name: identity:create_implied_role operations: - method: PUT path: /v3/roles/{prior_role_id}/implies/{implied_role_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_implied_role deprecated_since: null description: Delete the association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. Removing the association will cause that effect to be eliminated. 
name: identity:delete_implied_role operations: - method: DELETE path: /v3/roles/{prior_role_id}/implies/{implied_role_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_role_inference_rules deprecated_since: null description: List all associations between two roles in the system. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. name: identity:list_role_inference_rules operations: - method: GET path: /v3/role_inferences - method: HEAD path: /v3/role_inferences scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:check_implied_role deprecated_since: null description: Check an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. name: identity:check_implied_role operations: - method: HEAD path: /v3/roles/{prior_role_id}/implies/{implied_role_id} scope_types: - system - project - check_str: '' description: Get limit enforcement model. name: identity:get_limit_model operations: - method: GET path: /v3/limits/model - method: HEAD path: /v3/limits/model scope_types: - system - domain - project - check_str: rule:admin_required or (role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s) description: Show limit details. name: identity:get_limit operations: - method: GET path: /v3/limits/{limit_id} - method: HEAD path: /v3/limits/{limit_id} scope_types: - system - domain - project - check_str: '' description: List limits. 
name: identity:list_limits operations: - method: GET path: /v3/limits - method: HEAD path: /v3/limits scope_types: - system - domain - project - check_str: rule:admin_required description: Create limits. name: identity:create_limits operations: - method: POST path: /v3/limits scope_types: - system - project - check_str: rule:admin_required description: Update limit. name: identity:update_limit operations: - method: PATCH path: /v3/limits/{limit_id} scope_types: - system - project - check_str: rule:admin_required description: Delete limit. name: identity:delete_limit operations: - method: DELETE path: /v3/limits/{limit_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_mapping deprecated_since: null description: Create a new federated mapping containing one or more sets of rules. name: identity:create_mapping operations: - method: PUT path: /v3/OS-FEDERATION/mappings/{mapping_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_mapping deprecated_since: null description: Get a federated mapping. name: identity:get_mapping operations: - method: GET path: /v3/OS-FEDERATION/mappings/{mapping_id} - method: HEAD path: /v3/OS-FEDERATION/mappings/{mapping_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_mappings deprecated_since: null description: List federated mappings. 
name: identity:list_mappings operations: - method: GET path: /v3/OS-FEDERATION/mappings - method: HEAD path: /v3/OS-FEDERATION/mappings scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_mapping deprecated_since: null description: Delete a federated mapping. name: identity:delete_mapping operations: - method: DELETE path: /v3/OS-FEDERATION/mappings/{mapping_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_mapping deprecated_since: null description: Update a federated mapping. name: identity:update_mapping operations: - method: PATCH path: /v3/OS-FEDERATION/mappings/{mapping_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_policy deprecated_since: null description: Show policy details. name: identity:get_policy operations: - method: GET path: /v3/policies/{policy_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_policies deprecated_since: null description: List policies. name: identity:list_policies operations: - method: GET path: /v3/policies scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_policy deprecated_since: null description: Create policy. name: identity:create_policy operations: - method: POST path: /v3/policies scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_policy deprecated_since: null description: Update policy. 
name: identity:update_policy operations: - method: PATCH path: /v3/policies/{policy_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_policy deprecated_since: null description: Delete policy. name: identity:delete_policy operations: - method: DELETE path: /v3/policies/{policy_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_policy_association_for_endpoint deprecated_since: null description: Associate a policy to a specific endpoint. name: identity:create_policy_association_for_endpoint operations: - method: PUT path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:check_policy_association_for_endpoint deprecated_since: null description: Check policy association for endpoint. name: identity:check_policy_association_for_endpoint operations: - method: GET path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} - method: HEAD path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_policy_association_for_endpoint deprecated_since: null description: Delete policy association for endpoint. 
name: identity:delete_policy_association_for_endpoint operations: - method: DELETE path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_policy_association_for_service deprecated_since: null description: Associate a policy to a specific service. name: identity:create_policy_association_for_service operations: - method: PUT path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:check_policy_association_for_service deprecated_since: null description: Check policy association for service. name: identity:check_policy_association_for_service operations: - method: GET path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} - method: HEAD path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_policy_association_for_service deprecated_since: null description: Delete policy association for service. name: identity:delete_policy_association_for_service operations: - method: DELETE path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_policy_association_for_region_and_service deprecated_since: null description: Associate a policy to a specific region and service combination. 
name: identity:create_policy_association_for_region_and_service operations: - method: PUT path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:check_policy_association_for_region_and_service deprecated_since: null description: Check policy association for region and service. name: identity:check_policy_association_for_region_and_service operations: - method: GET path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} - method: HEAD path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_policy_association_for_region_and_service deprecated_since: null description: Delete policy association for region and service. name: identity:delete_policy_association_for_region_and_service operations: - method: DELETE path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_policy_for_endpoint deprecated_since: null description: Get policy for endpoint. 
name: identity:get_policy_for_endpoint operations: - method: GET path: /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy - method: HEAD path: /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_endpoints_for_policy deprecated_since: null description: List endpoints for policy. name: identity:list_endpoints_for_policy operations: - method: GET path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints scope_types: - system - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_required or project_id:%(target.project.id)s name: identity:get_project deprecated_since: null description: Show project details. name: identity:get_project operations: - method: GET path: /v3/projects/{project_id} scope_types: - system - domain - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_projects deprecated_since: null description: List projects. name: identity:list_projects operations: - method: GET path: /v3/projects scope_types: - system - domain - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_or_owner name: identity:list_user_projects deprecated_since: null description: List projects for user. 
name: identity:list_user_projects operations: - method: GET path: /v3/users/{user_id}/projects scope_types: - system - domain - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_project deprecated_since: null description: Create project. name: identity:create_project operations: - method: POST path: /v3/projects scope_types: - system - domain - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_project deprecated_since: null description: Update project. name: identity:update_project operations: - method: PATCH path: /v3/projects/{project_id} scope_types: - system - domain - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_project deprecated_since: null description: Delete project. name: identity:delete_project operations: - method: DELETE path: /v3/projects/{project_id} scope_types: - system - domain - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_required or project_id:%(target.project.id)s name: identity:list_project_tags deprecated_since: null description: List tags for a project. 
name: identity:list_project_tags operations: - method: GET path: /v3/projects/{project_id}/tags - method: HEAD path: /v3/projects/{project_id}/tags scope_types: - system - domain - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s deprecated_reason: null deprecated_rule: check_str: rule:admin_required or project_id:%(target.project.id)s name: identity:get_project_tag deprecated_since: null description: Check if project contains a tag. name: identity:get_project_tag operations: - method: GET path: /v3/projects/{project_id}/tags/{value} - method: HEAD path: /v3/projects/{project_id}/tags/{value} scope_types: - system - domain - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_project_tags deprecated_since: null description: Replace all tags on a project with the new set of tags. name: identity:update_project_tags operations: - method: PUT path: /v3/projects/{project_id}/tags scope_types: - system - domain - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_project_tag deprecated_since: null description: Add a single tag to a project. name: identity:create_project_tag operations: - method: PUT path: /v3/projects/{project_id}/tags/{value} scope_types: - system - domain - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_project_tags deprecated_since: null description: Remove all tags from a project. 
name: identity:delete_project_tags operations: - method: DELETE path: /v3/projects/{project_id}/tags scope_types: - system - domain - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_project_tag deprecated_since: null description: Delete a specified tag from project. name: identity:delete_project_tag operations: - method: DELETE path: /v3/projects/{project_id}/tags/{value} scope_types: - system - domain - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_projects_for_endpoint deprecated_since: null description: List projects allowed to access an endpoint. name: identity:list_projects_for_endpoint operations: - method: GET path: /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:add_endpoint_to_project deprecated_since: null description: Allow project to access an endpoint. name: identity:add_endpoint_to_project operations: - method: PUT path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:check_endpoint_in_project deprecated_since: null description: Check if a project is allowed to access an endpoint. 
name: identity:check_endpoint_in_project operations: - method: GET path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} - method: HEAD path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_endpoints_for_project deprecated_since: null description: List the endpoints a project is allowed to access. name: identity:list_endpoints_for_project operations: - method: GET path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:remove_endpoint_from_project deprecated_since: null description: Remove access to an endpoint from a project that has previously been given explicit access. name: identity:remove_endpoint_from_project operations: - method: DELETE path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_protocol deprecated_since: null description: Create federated protocol. name: identity:create_protocol operations: - method: PUT path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:update_protocol deprecated_since: null description: Update federated protocol. 
name: identity:update_protocol operations: - method: PATCH path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:get_protocol deprecated_since: null description: Get federated protocol. name: identity:get_protocol operations: - method: GET path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:list_protocols deprecated_since: null description: List federated protocols. name: identity:list_protocols operations: - method: GET path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols scope_types: - system - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:delete_protocol deprecated_since: null description: Delete federated protocol. name: identity:delete_protocol operations: - method: DELETE path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} scope_types: - system - project - check_str: '' description: Show region details. name: identity:get_region operations: - method: GET path: /v3/regions/{region_id} - method: HEAD path: /v3/regions/{region_id} scope_types: - system - domain - project - check_str: '' description: List regions. name: identity:list_regions operations: - method: GET path: /v3/regions - method: HEAD path: /v3/regions scope_types: - system - domain - project - check_str: rule:admin_required deprecated_reason: null deprecated_rule: check_str: rule:admin_required name: identity:create_region deprecated_since: null description: Create region. 
# Continuation of the identity:create_region entry that begins on the preceding
# line, followed by further policy-rule entries. Each entry gives the check
# string, optional deprecation data, a description, the rule name, the API
# operations the rule covers and the token scope types it lists.
  name: identity:create_region
  operations:
    - method: POST
      path: /v3/regions
    - method: PUT
      path: /v3/regions/{region_id}
  scope_types:
    - system
    - project
# rule:admin_required is defined earlier in this file as
# `role:admin or is_admin:1`; it tests no scope attribute, and scope_types here
# lists `project`, so an admin role on any project satisfies the check string.
# NOTE(review): whether scope_types is enforced depends on deployment
# configuration - confirm before relying on it as a boundary.
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:update_region
  deprecated_since: null
  description: Update region.
  name: identity:update_region
  operations:
    - method: PATCH
      path: /v3/regions/{region_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:delete_region
  deprecated_since: null
  description: Delete region.
  name: identity:delete_region
  operations:
    - method: DELETE
      path: /v3/regions/{region_id}
  scope_types:
    - system
    - project
# Empty check_str: no role, scope or ownership condition is evaluated for this
# rule, so the policy layer itself does not restrict who may read registered
# limits.
- check_str: ''
  description: Show registered limit details.
  name: identity:get_registered_limit
  operations:
    - method: GET
      path: /v3/registered_limits/{registered_limit_id}
    - method: HEAD
      path: /v3/registered_limits/{registered_limit_id}
  scope_types:
    - system
    - domain
    - project
# Empty check_str, as for identity:get_registered_limit.
- check_str: ''
  description: List registered limits.
  name: identity:list_registered_limits
  operations:
    - method: GET
      path: /v3/registered_limits
    - method: HEAD
      path: /v3/registered_limits
  scope_types:
    - system
    - domain
    - project
- check_str: rule:admin_required
  description: Create registered limits.
  name: identity:create_registered_limits
  operations:
    - method: POST
      path: /v3/registered_limits
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  description: Update registered limit.
  name: identity:update_registered_limit
  operations:
    - method: PATCH
      path: /v3/registered_limits/{registered_limit_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  description: Delete registered limit.
  name: identity:delete_registered_limit
  operations:
    - method: DELETE
      path: /v3/registered_limits/{registered_limit_id}
  scope_types:
    - system
    - project
# rule:service_or_admin is defined earlier in this file as
# `rule:admin_required or rule:service_role`.
- check_str: rule:service_or_admin
  description: List revocation events.
  name: identity:list_revoke_events
  operations:
    - method: GET
      path: /v3/OS-REVOKE/events
  scope_types:
    - system
    - project
# Read access: either rule:admin_required, or the reader role on a
# system-scoped token (system_scope:all).
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:get_role
  deprecated_since: null
  description: Show role details.
  name: identity:get_role
  operations:
    - method: GET
      path: /v3/roles/{role_id}
    - method: HEAD
      path: /v3/roles/{role_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:list_roles
  deprecated_since: null
  description: List roles.
  name: identity:list_roles
  operations:
    - method: GET
      path: /v3/roles
    - method: HEAD
      path: /v3/roles
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:create_role
  deprecated_since: null
  description: Create role.
  name: identity:create_role
  operations:
    - method: POST
      path: /v3/roles
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:update_role
  deprecated_since: null
  description: Update role.
  name: identity:update_role
  operations:
    - method: PATCH
      path: /v3/roles/{role_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:delete_role
  deprecated_since: null
  description: Delete role.
  name: identity:delete_role
  operations:
    - method: DELETE
      path: /v3/roles/{role_id}
  scope_types:
    - system
    - project
# The domain-role rules below list the same /v3/roles paths as the role rules
# above.
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:get_domain_role
  deprecated_since: null
  description: Show domain role.
  name: identity:get_domain_role
  operations:
    - method: GET
      path: /v3/roles/{role_id}
    - method: HEAD
      path: /v3/roles/{role_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:list_domain_roles
  deprecated_since: null
  description: List domain roles.
  name: identity:list_domain_roles
  operations:
    - method: GET
      path: /v3/roles?domain_id={domain_id}
    - method: HEAD
      path: /v3/roles?domain_id={domain_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:create_domain_role
  deprecated_since: null
  description: Create domain role.
  name: identity:create_domain_role
  operations:
    - method: POST
      path: /v3/roles
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:update_domain_role
  deprecated_since: null
  description: Update domain role.
  name: identity:update_domain_role
  operations:
    - method: PATCH
      path: /v3/roles/{role_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:delete_domain_role
  deprecated_since: null
  description: Delete domain role.
  name: identity:delete_domain_role
  operations:
    - method: DELETE
      path: /v3/roles/{role_id}
  scope_types:
    - system
    - project
# Three alternatives: rule:admin_required, reader on a system-scoped token, or
# reader whose domain_id equals the target's domain_id.
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:list_role_assignments
  deprecated_since: null
  description: List role assignments.
  name: identity:list_role_assignments
  operations:
    - method: GET
      path: /v3/role_assignments
    - method: HEAD
      path: /v3/role_assignments
  scope_types:
    - system
    - domain
    - project
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:list_role_assignments_for_tree
  deprecated_since: null
  description: List all role assignments for a given tree of hierarchical projects.
  name: identity:list_role_assignments_for_tree
  operations:
    - method: GET
      path: /v3/role_assignments?include_subtree
    - method: HEAD
      path: /v3/role_assignments?include_subtree
  scope_types:
    - system
    - domain
    - project
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:get_service
  deprecated_since: null
  description: Show service details.
  name: identity:get_service
  operations:
    - method: GET
      path: /v3/services/{service_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:list_services
  deprecated_since: null
  description: List services.
  name: identity:list_services
  operations:
    - method: GET
      path: /v3/services
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:create_service
  deprecated_since: null
  description: Create service.
  name: identity:create_service
  operations:
    - method: POST
      path: /v3/services
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:update_service
  deprecated_since: null
  description: Update service.
  name: identity:update_service
  operations:
    - method: PATCH
      path: /v3/services/{service_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:delete_service
  deprecated_since: null
  description: Delete service.
  name: identity:delete_service
  operations:
    - method: DELETE
      path: /v3/services/{service_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:create_service_provider
  deprecated_since: null
  description: Create federated service provider.
  name: identity:create_service_provider
  operations:
    - method: PUT
      path: /v3/OS-FEDERATION/service_providers/{service_provider_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:list_service_providers
  deprecated_since: null
  description: List federated service providers.
  name: identity:list_service_providers
  operations:
    - method: GET
      path: /v3/OS-FEDERATION/service_providers
    - method: HEAD
      path: /v3/OS-FEDERATION/service_providers
  scope_types:
    - system
    - project
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:get_service_provider
  deprecated_since: null
  description: Get federated service provider.
  name: identity:get_service_provider
  operations:
    - method: GET
      path: /v3/OS-FEDERATION/service_providers/{service_provider_id}
    - method: HEAD
      path: /v3/OS-FEDERATION/service_providers/{service_provider_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:update_service_provider
  deprecated_since: null
  description: Update federated service provider.
  name: identity:update_service_provider
  operations:
    - method: PATCH
      path: /v3/OS-FEDERATION/service_providers/{service_provider_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:delete_service_provider
  deprecated_since: null
  description: Delete federated service provider.
  name: identity:delete_service_provider
  operations:
    - method: DELETE
      path: /v3/OS-FEDERATION/service_providers/{service_provider_id}
  scope_types:
    - system
    - project
# Marked deprecated_for_removal; per the reason text below this rule no longer
# protects any API and can be dropped from policy files.
- check_str: rule:service_or_admin
  deprecated_for_removal: true
  deprecated_reason: ' The identity:revocation_list policy isn''t used to protect any APIs in keystone now that the revocation list API has been deprecated and only returns a 410 or 403 depending on how keystone is configured. This policy can be safely removed from policy files. '
  deprecated_since: T
  description: List revoked PKI tokens.
  name: identity:revocation_list
  operations:
    - method: GET
      path: /v3/auth/tokens/OS-PKI/revoked
  scope_types:
    - system
    - project
# rule:token_subject is defined earlier in this file as
# `user_id:%(target.token.user_id)s`, i.e. the caller is the token's own user.
# NOTE(review): the deprecated_rule here is broader than check_str -
# rule:admin_or_token_subject includes rule:admin_required with no scope test.
# oslo.policy is understood to OR a deprecated rule with the new one unless
# enforce_new_defaults is set; confirm for the deployed version.
- check_str: (role:reader and system_scope:all) or rule:token_subject
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_token_subject
    name: identity:check_token
  deprecated_since: null
  description: Check a token.
  name: identity:check_token
  operations:
    - method: HEAD
      path: /v3/auth/tokens
  scope_types:
    - system
    - domain
    - project
# rule:service_role (role:service, defined earlier in this file) may validate
# any token; the deprecated_rule additionally admits rule:admin_required.
- check_str: (role:reader and system_scope:all) or rule:service_role or rule:token_subject
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:service_admin_or_token_subject
    name: identity:validate_token
  deprecated_since: null
  description: Validate a token.
  name: identity:validate_token
  operations:
    - method: GET
      path: /v3/auth/tokens
  scope_types:
    - system
    - domain
    - project
# Revocation requires role:admin on a system-scoped token or being the token's
# subject; the deprecated_rule (rule:admin_or_token_subject) has no scope test.
- check_str: (role:admin and system_scope:all) or rule:token_subject
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_token_subject
    name: identity:revoke_token
  deprecated_since: null
  description: Revoke a token.
  name: identity:revoke_token
  operations:
    - method: DELETE
      path: /v3/auth/tokens
  scope_types:
    - system
    - domain
    - project
# Only the user named as trustor passes; there is no admin alternative and the
# only listed scope type is project. This rule reads `trust.trustor_user_id`,
# without the `target.` prefix the other trust rules use.
- check_str: user_id:%(trust.trustor_user_id)s
  description: Create trust.
  name: identity:create_trust
  operations:
    - method: POST
      path: /v3/OS-TRUST/trusts
  scope_types:
    - project
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:list_trusts
  deprecated_since: null
  description: List trusts.
  name: identity:list_trusts
  operations:
    - method: GET
      path: /v3/OS-TRUST/trusts
    - method: HEAD
      path: /v3/OS-TRUST/trusts
  scope_types:
    - system
    - project
# NOTE(review): inside the second parenthesised group `and` and `or` are mixed
# without inner parentheses. oslo.policy is understood to bind `and` tighter
# than `or`, giving (role:reader and system_scope:all) or user_id:..., so the
# trustor matches on user_id alone - confirm against the deployed parser. The
# same shape recurs in the trust rules that follow.
- check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s)
  description: List trusts for trustor.
  name: identity:list_trusts_for_trustor
  operations:
    - method: GET
      path: /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}
    - method: HEAD
      path: /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}
  scope_types:
    - system
    - project
- check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s)
  description: List trusts for trustee.
  name: identity:list_trusts_for_trustee
  operations:
    - method: GET
      path: /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}
    - method: HEAD
      path: /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}
  scope_types:
    - system
    - project
# The new check_str adds rule:admin_required and system reader to the
# trustor-or-trustee condition that the deprecated_rule carried alone.
- check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s
    name: identity:list_roles_for_trust
  deprecated_since: null
  description: List roles delegated by a trust.
  name: identity:list_roles_for_trust
  operations:
    - method: GET
      path: /v3/OS-TRUST/trusts/{trust_id}/roles
    - method: HEAD
      path: /v3/OS-TRUST/trusts/{trust_id}/roles
  scope_types:
    - system
    - project
- check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s
    name: identity:get_role_for_trust
  deprecated_since: null
  description: Check if trust delegates a particular role.
  name: identity:get_role_for_trust
  operations:
    - method: GET
      path: /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
    - method: HEAD
      path: /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
  scope_types:
    - system
    - project
# Deletion is limited to rule:admin_required or the trustor; the trustee is not
# listed.
- check_str: rule:admin_required or user_id:%(target.trust.trustor_user_id)s
  deprecated_reason: null
  deprecated_rule:
    check_str: user_id:%(target.trust.trustor_user_id)s
    name: identity:delete_trust
  deprecated_since: null
  description: Revoke trust.
  name: identity:delete_trust
  operations:
    - method: DELETE
      path: /v3/OS-TRUST/trusts/{trust_id}
  scope_types:
    - system
    - project
- check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s
    name: identity:get_trust
  deprecated_since: null
  description: Get trust.
  name: identity:get_trust
  operations:
    - method: GET
      path: /v3/OS-TRUST/trusts/{trust_id}
    - method: HEAD
      path: /v3/OS-TRUST/trusts/{trust_id}
  scope_types:
    - system
    - project
# Four alternatives: rule:admin_required, system reader, reader whose token
# domain equals the target user's domain, or the target user themselves. The
# deprecated_rule is rule:admin_or_owner (rule:admin_required or rule:owner,
# both defined earlier in this file).
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_or_owner
    name: identity:get_user
  deprecated_since: null
  description: Show user details.
  name: identity:get_user
  operations:
    - method: GET
      path: /v3/users/{user_id}
    - method: HEAD
      path: /v3/users/{user_id}
  scope_types:
    - system
    - domain
    - project
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:list_users
  deprecated_since: null
  description: List users.
  name: identity:list_users
  operations:
    - method: GET
      path: /v3/users
    - method: HEAD
      path: /v3/users
  scope_types:
    - system
    - domain
    - project
# Empty check_str and scope_types null: no policy condition and no scope list
# are attached to this rule.
- check_str: ''
  description: List all projects a user has access to via role assignments.
  name: identity:list_projects_for_user
  operations:
    - method: GET
      # The quoted path value carries a leading space in the source.
      path: ' /v3/auth/projects'
  scope_types: null
# Empty check_str and scope_types null, as for identity:list_projects_for_user.
- check_str: ''
  description: List all domains a user has access to via role assignments.
  name: identity:list_domains_for_user
  operations:
    - method: GET
      path: /v3/auth/domains
  scope_types: null
# The user write rules below rely on rule:admin_required alone (no scope or
# domain condition in check_str) and list system, domain and project scopes.
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:create_user
  deprecated_since: null
  description: Create a user.
  name: identity:create_user
  operations:
    - method: POST
      path: /v3/users
  scope_types:
    - system
    - domain
    - project
# Per the description this rule also covers administrative password resets.
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:update_user
  deprecated_since: null
  description: Update a user, including administrative password resets.
  name: identity:update_user
  operations:
    - method: PATCH
      path: /v3/users/{user_id}
  scope_types:
    - system
    - domain
    - project
- check_str: rule:admin_required
  deprecated_reason: null
  deprecated_rule:
    check_str: rule:admin_required
    name: identity:delete_user
  deprecated_since: null
  description: Delete a user.
  name: identity:delete_user
  operations:
    - method: DELETE
      path: /v3/users/{user_id}
  scope_types:
    - system
    - domain
    - project