horizon/openstack_dashboard/conf/default_policies/keystone.yaml
manchandavishal 712dbd26d1 Sync default policy rules
This patch updates default policy-in-code rules in horizon based on
nova/neutron/cinder/keystone RC deliverables. It doesn't update policy
rules for glance as I have found no changes in their policy rules.
Horizon needs to update default policy-in-code rules for all backend
services before releasing the horizon[1].

[1] https://docs.openstack.org/horizon/latest/contributor/policies/releasing.html#things-to-do-before-releasing

Change-Id: I7437b3a46377c18f026db103237b4d107dc787cb
2024-03-12 04:43:48 +00:00

2893 lines
85 KiB
YAML

- check_str: role:admin or is_admin:1
description: null
name: admin_required
operations: []
scope_types: null
- check_str: role:service
description: null
name: service_role
operations: []
scope_types: null
- check_str: rule:admin_required or rule:service_role
description: null
name: service_or_admin
operations: []
scope_types: null
- check_str: user_id:%(user_id)s
description: null
name: owner
operations: []
scope_types: null
- check_str: rule:admin_required or rule:owner
description: null
name: admin_or_owner
operations: []
scope_types: null
- check_str: user_id:%(target.token.user_id)s
description: null
name: token_subject
operations: []
scope_types: null
- check_str: rule:admin_required or rule:token_subject
description: null
name: admin_or_token_subject
operations: []
scope_types: null
- check_str: rule:service_or_admin or rule:token_subject
description: null
name: service_admin_or_token_subject
operations: []
scope_types: null
- check_str: (role:reader and system_scope:all) or user_id:%(target.user.id)s
description: Show access rule details.
name: identity:get_access_rule
operations:
- method: GET
path: /v3/users/{user_id}/access_rules/{access_rule_id}
- method: HEAD
path: /v3/users/{user_id}/access_rules/{access_rule_id}
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or user_id:%(target.user.id)s
description: List access rules for a user.
name: identity:list_access_rules
operations:
- method: GET
path: /v3/users/{user_id}/access_rules
- method: HEAD
path: /v3/users/{user_id}/access_rules
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or user_id:%(target.user.id)s
description: Delete an access_rule.
name: identity:delete_access_rule
operations:
- method: DELETE
path: /v3/users/{user_id}/access_rules/{access_rule_id}
scope_types:
- system
- project
- check_str: rule:admin_required
description: Authorize OAUTH1 request token.
name: identity:authorize_request_token
operations:
- method: PUT
path: /v3/OS-OAUTH1/authorize/{request_token_id}
scope_types:
- project
- check_str: rule:admin_required
description: Get OAUTH1 access token for user by access token ID.
name: identity:get_access_token
operations:
- method: GET
path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
scope_types:
- project
- check_str: rule:admin_required
description: Get role for user OAUTH1 access token.
name: identity:get_access_token_role
operations:
- method: GET
path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
scope_types:
- project
- check_str: rule:admin_required
description: List OAUTH1 access tokens for user.
name: identity:list_access_tokens
operations:
- method: GET
path: /v3/users/{user_id}/OS-OAUTH1/access_tokens
scope_types:
- project
- check_str: rule:admin_required
description: List OAUTH1 access token roles.
name: identity:list_access_token_roles
operations:
- method: GET
path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
scope_types:
- project
- check_str: rule:admin_required
description: Delete OAUTH1 access token.
name: identity:delete_access_token
operations:
- method: DELETE
path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
scope_types:
- project
- check_str: (role:reader and system_scope:all) or rule:owner
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: identity:get_application_credential
deprecated_since: null
description: Show application credential details.
name: identity:get_application_credential
operations:
- method: GET
path: /v3/users/{user_id}/application_credentials/{application_credential_id}
- method: HEAD
path: /v3/users/{user_id}/application_credentials/{application_credential_id}
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or rule:owner
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: identity:list_application_credentials
deprecated_since: null
description: List application credentials for a user.
name: identity:list_application_credentials
operations:
- method: GET
path: /v3/users/{user_id}/application_credentials
- method: HEAD
path: /v3/users/{user_id}/application_credentials
scope_types:
- system
- project
- check_str: user_id:%(user_id)s
description: Create an application credential.
name: identity:create_application_credential
operations:
- method: POST
path: /v3/users/{user_id}/application_credentials
scope_types:
- project
- check_str: (role:admin and system_scope:all) or rule:owner
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: identity:delete_application_credential
deprecated_since: null
description: Delete an application credential.
name: identity:delete_application_credential
operations:
- method: DELETE
path: /v3/users/{user_id}/application_credentials/{application_credential_id}
scope_types:
- system
- project
- check_str: ''
description: Get service catalog.
name: identity:get_auth_catalog
operations:
- method: GET
path: /v3/auth/catalog
- method: HEAD
path: /v3/auth/catalog
scope_types: null
- check_str: ''
description: List all projects a user has access to via role assignments.
name: identity:get_auth_projects
operations:
- method: GET
path: /v3/auth/projects
- method: HEAD
path: /v3/auth/projects
scope_types: null
- check_str: ''
description: List all domains a user has access to via role assignments.
name: identity:get_auth_domains
operations:
- method: GET
path: /v3/auth/domains
- method: HEAD
path: /v3/auth/domains
scope_types: null
- check_str: ''
description: List systems a user has access to via role assignments.
name: identity:get_auth_system
operations:
- method: GET
path: /v3/auth/system
- method: HEAD
path: /v3/auth/system
scope_types: null
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:get_consumer
deprecated_since: null
description: Show OAUTH1 consumer details.
name: identity:get_consumer
operations:
- method: GET
path: /v3/OS-OAUTH1/consumers/{consumer_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_consumers
deprecated_since: null
description: List OAUTH1 consumers.
name: identity:list_consumers
operations:
- method: GET
path: /v3/OS-OAUTH1/consumers
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_consumer
deprecated_since: null
description: Create OAUTH1 consumer.
name: identity:create_consumer
operations:
- method: POST
path: /v3/OS-OAUTH1/consumers
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:update_consumer
deprecated_since: null
description: Update OAUTH1 consumer.
name: identity:update_consumer
operations:
- method: PATCH
path: /v3/OS-OAUTH1/consumers/{consumer_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_consumer
deprecated_since: null
description: Delete OAUTH1 consumer.
name: identity:delete_consumer
operations:
- method: DELETE
path: /v3/OS-OAUTH1/consumers/{consumer_id}
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:get_credential
deprecated_since: null
description: Show credentials details.
name: identity:get_credential
operations:
- method: GET
path: /v3/credentials/{credential_id}
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_credentials
deprecated_since: null
description: List credentials.
name: identity:list_credentials
operations:
- method: GET
path: /v3/credentials
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_credential
deprecated_since: null
description: Create credential.
name: identity:create_credential
operations:
- method: POST
path: /v3/credentials
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:update_credential
deprecated_since: null
description: Update credential.
name: identity:update_credential
operations:
- method: PATCH
path: /v3/credentials/{credential_id}
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_credential
deprecated_since: null
description: Delete credential.
name: identity:delete_credential
operations:
- method: DELETE
path: /v3/credentials/{credential_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s
or token.project.domain.id:%(target.domain.id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required or token.project.domain.id:%(target.domain.id)s
name: identity:get_domain
deprecated_since: null
description: Show domain details.
name: identity:get_domain
operations:
- method: GET
path: /v3/domains/{domain_id}
scope_types:
- system
- domain
- project
- check_str: rule:admin_required or (role:reader and system_scope:all) or (role:reader
and domain_id:%(target.domain.id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_domains
deprecated_since: null
description: List domains.
name: identity:list_domains
operations:
- method: GET
path: /v3/domains
scope_types:
- system
- domain
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_domain
deprecated_since: null
description: Create domain.
name: identity:create_domain
operations:
- method: POST
path: /v3/domains
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:update_domain
deprecated_since: null
description: Update domain.
name: identity:update_domain
operations:
- method: PATCH
path: /v3/domains/{domain_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_domain
deprecated_since: null
description: Delete domain.
name: identity:delete_domain
operations:
- method: DELETE
path: /v3/domains/{domain_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_domain_config
deprecated_since: null
description: Create domain configuration.
name: identity:create_domain_config
operations:
- method: PUT
path: /v3/domains/{domain_id}/config
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:get_domain_config
deprecated_since: null
description: Get the entire domain configuration for a domain, an option group within
a domain, or a specific configuration option within a group for a domain.
name: identity:get_domain_config
operations:
- method: GET
path: /v3/domains/{domain_id}/config
- method: HEAD
path: /v3/domains/{domain_id}/config
- method: GET
path: /v3/domains/{domain_id}/config/{group}
- method: HEAD
path: /v3/domains/{domain_id}/config/{group}
- method: GET
path: /v3/domains/{domain_id}/config/{group}/{option}
- method: HEAD
path: /v3/domains/{domain_id}/config/{group}/{option}
scope_types:
- system
- project
- check_str: ''
description: Get security compliance domain configuration for either a domain or
a specific option in a domain.
name: identity:get_security_compliance_domain_config
operations:
- method: GET
path: /v3/domains/{domain_id}/config/security_compliance
- method: HEAD
path: /v3/domains/{domain_id}/config/security_compliance
- method: GET
path: /v3/domains/{domain_id}/config/security_compliance/{option}
- method: HEAD
path: /v3/domains/{domain_id}/config/security_compliance/{option}
scope_types:
- system
- domain
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:update_domain_config
deprecated_since: null
description: Update domain configuration for either a domain, specific group or
a specific option in a group.
name: identity:update_domain_config
operations:
- method: PATCH
path: /v3/domains/{domain_id}/config
- method: PATCH
path: /v3/domains/{domain_id}/config/{group}
- method: PATCH
path: /v3/domains/{domain_id}/config/{group}/{option}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_domain_config
deprecated_since: null
description: Delete domain configuration for either a domain, specific group or
a specific option in a group.
name: identity:delete_domain_config
operations:
- method: DELETE
path: /v3/domains/{domain_id}/config
- method: DELETE
path: /v3/domains/{domain_id}/config/{group}
- method: DELETE
path: /v3/domains/{domain_id}/config/{group}/{option}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:get_domain_config_default
deprecated_since: null
description: Get domain configuration default for either a domain, specific group
or a specific option in a group.
name: identity:get_domain_config_default
operations:
- method: GET
path: /v3/domains/config/default
- method: HEAD
path: /v3/domains/config/default
- method: GET
path: /v3/domains/config/{group}/default
- method: HEAD
path: /v3/domains/config/{group}/default
- method: GET
path: /v3/domains/config/{group}/{option}/default
- method: HEAD
path: /v3/domains/config/{group}/{option}/default
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
name: identity:ec2_get_credential
deprecated_since: null
description: Show ec2 credential details.
name: identity:ec2_get_credential
operations:
- method: GET
path: /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or rule:owner
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: identity:ec2_list_credentials
deprecated_since: null
description: List ec2 credentials.
name: identity:ec2_list_credentials
operations:
- method: GET
path: /v3/users/{user_id}/credentials/OS-EC2
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or rule:owner
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: identity:ec2_create_credential
deprecated_since: null
description: Create ec2 credential.
name: identity:ec2_create_credential
operations:
- method: POST
path: /v3/users/{user_id}/credentials/OS-EC2
scope_types:
- system
- project
- check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
name: identity:ec2_delete_credential
deprecated_since: null
description: Delete ec2 credential.
name: identity:ec2_delete_credential
operations:
- method: DELETE
path: /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:get_endpoint
deprecated_since: null
description: Show endpoint details.
name: identity:get_endpoint
operations:
- method: GET
path: /v3/endpoints/{endpoint_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_endpoints
deprecated_since: null
description: List endpoints.
name: identity:list_endpoints
operations:
- method: GET
path: /v3/endpoints
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_endpoint
deprecated_since: null
description: Create endpoint.
name: identity:create_endpoint
operations:
- method: POST
path: /v3/endpoints
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:update_endpoint
deprecated_since: null
description: Update endpoint.
name: identity:update_endpoint
operations:
- method: PATCH
path: /v3/endpoints/{endpoint_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_endpoint
deprecated_since: null
description: Delete endpoint.
name: identity:delete_endpoint
operations:
- method: DELETE
path: /v3/endpoints/{endpoint_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_endpoint_group
deprecated_since: null
description: Create endpoint group.
name: identity:create_endpoint_group
operations:
- method: POST
path: /v3/OS-EP-FILTER/endpoint_groups
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_endpoint_groups
deprecated_since: null
description: List endpoint groups.
name: identity:list_endpoint_groups
operations:
- method: GET
path: /v3/OS-EP-FILTER/endpoint_groups
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:get_endpoint_group
deprecated_since: null
description: Get endpoint group.
name: identity:get_endpoint_group
operations:
- method: GET
path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
- method: HEAD
path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:update_endpoint_group
deprecated_since: null
description: Update endpoint group.
name: identity:update_endpoint_group
operations:
- method: PATCH
path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_endpoint_group
deprecated_since: null
description: Delete endpoint group.
name: identity:delete_endpoint_group
operations:
- method: DELETE
path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_projects_associated_with_endpoint_group
deprecated_since: null
description: List all projects associated with a specific endpoint group.
name: identity:list_projects_associated_with_endpoint_group
operations:
- method: GET
path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_endpoints_associated_with_endpoint_group
deprecated_since: null
description: List all endpoints associated with an endpoint group.
name: identity:list_endpoints_associated_with_endpoint_group
operations:
- method: GET
path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:get_endpoint_group_in_project
deprecated_since: null
description: Check if an endpoint group is associated with a project.
name: identity:get_endpoint_group_in_project
operations:
- method: GET
path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
- method: HEAD
path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_endpoint_groups_for_project
deprecated_since: null
description: List endpoint groups associated with a specific project.
name: identity:list_endpoint_groups_for_project
operations:
- method: GET
path: /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:add_endpoint_group_to_project
deprecated_since: null
description: Allow a project to access an endpoint group.
name: identity:add_endpoint_group_to_project
operations:
- method: PUT
path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:remove_endpoint_group_from_project
deprecated_since: null
description: Remove endpoint group from project.
name: identity:remove_endpoint_group_from_project
operations:
- method: DELETE
path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
scope_types:
- system
- project
- check_str: (rule:admin_required) or ((role:reader and system_scope:all) or ((role:reader
and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s)
or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s)
or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s)
or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s))
and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:check_grant
deprecated_since: null
description: Check a role grant between a target and an actor. A target can be either
a domain or a project. An actor can be either a user or a group. These terms also
apply to the OS-INHERIT APIs, where grants on the target are inherited to all
projects in the subtree, if applicable.
name: identity:check_grant
operations:
- method: HEAD
path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
- method: GET
path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
- method: HEAD
path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
- method: GET
path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
- method: HEAD
path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
- method: GET
path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
- method: HEAD
path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
- method: GET
path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
- method: HEAD
path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
- method: GET
path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
- method: HEAD
path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
- method: GET
path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
- method: HEAD
path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
- method: GET
path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
- method: HEAD
path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
- method: GET
path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
scope_types:
- system
- domain
- project
- check_str: (rule:admin_required) or ((role:reader and system_scope:all) or (role:reader
and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s)
or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s)
or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s)
or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s))
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_grants
deprecated_since: null
description: List roles granted to an actor on a target. A target can be either
a domain or a project. An actor can be either a user or a group. For the OS-INHERIT
APIs, it is possible to list inherited role grants for actors on domains, where
grants are inherited to all projects in the specified domain.
name: identity:list_grants
operations:
- method: GET
path: /v3/projects/{project_id}/users/{user_id}/roles
- method: HEAD
path: /v3/projects/{project_id}/users/{user_id}/roles
- method: GET
path: /v3/projects/{project_id}/groups/{group_id}/roles
- method: HEAD
path: /v3/projects/{project_id}/groups/{group_id}/roles
- method: GET
path: /v3/domains/{domain_id}/users/{user_id}/roles
- method: HEAD
path: /v3/domains/{domain_id}/users/{user_id}/roles
- method: GET
path: /v3/domains/{domain_id}/groups/{group_id}/roles
- method: HEAD
path: /v3/domains/{domain_id}/groups/{group_id}/roles
- method: GET
path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
- method: GET
path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
scope_types:
- system
- domain
- project
- check_str: (rule:admin_required) or ((role:admin and domain_id:%(target.user.domain_id)s
and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s
and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s
and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s
and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s
or None:%(target.role.domain_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_grant
deprecated_since: null
description: Create a role grant between a target and an actor. A target can be
either a domain or a project. An actor can be either a user or a group. These
terms also apply to the OS-INHERIT APIs, where grants on the target are inherited
to all projects in the subtree, if applicable.
name: identity:create_grant
operations:
- method: PUT
path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
- method: PUT
path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
- method: PUT
path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
- method: PUT
path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
- method: PUT
path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
- method: PUT
path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
- method: PUT
path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
- method: PUT
path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
scope_types:
- system
- domain
- project
- check_str: (rule:admin_required) or ((role:admin and domain_id:%(target.user.domain_id)s
and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s
and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s
and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s
and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s
or None:%(target.role.domain_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:revoke_grant
deprecated_since: null
description: Revoke a role grant between a target and an actor. A target can be
either a domain or a project. An actor can be either a user or a group. These
terms also apply to the OS-INHERIT APIs, where grants on the target are inherited
to all projects in the subtree, if applicable. In that case, revoking the role
grant in the target would remove the logical effect of inheriting it to the target's
projects subtree.
name: identity:revoke_grant
operations:
- method: DELETE
path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
- method: DELETE
path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
- method: DELETE
path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
- method: DELETE
path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
- method: DELETE
path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
- method: DELETE
path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
- method: DELETE
path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
- method: DELETE
path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
scope_types:
- system
- domain
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_system_grants_for_user
deprecated_since: null
description: List all grants a specific user has on the system.
name: identity:list_system_grants_for_user
operations:
- method:
- HEAD
- GET
path: /v3/system/users/{user_id}/roles
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:check_system_grant_for_user
deprecated_since: null
description: Check if a user has a role on the system.
name: identity:check_system_grant_for_user
operations:
- method:
- HEAD
- GET
path: /v3/system/users/{user_id}/roles/{role_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_system_grant_for_user
deprecated_since: null
description: Grant a user a role on the system.
name: identity:create_system_grant_for_user
operations:
- method:
- PUT
path: /v3/system/users/{user_id}/roles/{role_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:revoke_system_grant_for_user
deprecated_since: null
description: Remove a role from a user on the system.
name: identity:revoke_system_grant_for_user
operations:
- method:
- DELETE
path: /v3/system/users/{user_id}/roles/{role_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_system_grants_for_group
deprecated_since: null
description: List all grants a specific group has on the system.
name: identity:list_system_grants_for_group
operations:
- method:
- HEAD
- GET
path: /v3/system/groups/{group_id}/roles
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:check_system_grant_for_group
deprecated_since: null
description: Check if a group has a role on the system.
name: identity:check_system_grant_for_group
operations:
- method:
- HEAD
- GET
path: /v3/system/groups/{group_id}/roles/{role_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_system_grant_for_group
deprecated_since: null
description: Grant a group a role on the system.
name: identity:create_system_grant_for_group
operations:
- method:
- PUT
path: /v3/system/groups/{group_id}/roles/{role_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:revoke_system_grant_for_group
deprecated_since: null
description: Remove a role from a group on the system.
name: identity:revoke_system_grant_for_group
operations:
- method:
- DELETE
path: /v3/system/groups/{group_id}/roles/{role_id}
scope_types:
- system
- project
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader
and domain_id:%(target.group.domain_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:get_group
deprecated_since: null
description: Show group details.
name: identity:get_group
operations:
- method: GET
path: /v3/groups/{group_id}
- method: HEAD
path: /v3/groups/{group_id}
scope_types:
- system
- domain
- project
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader
and domain_id:%(target.group.domain_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_groups
deprecated_since: null
description: List groups.
name: identity:list_groups
operations:
- method: GET
path: /v3/groups
- method: HEAD
path: /v3/groups
scope_types:
- system
- domain
- project
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader
and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: identity:list_groups_for_user
deprecated_since: null
description: List groups to which a user belongs.
name: identity:list_groups_for_user
operations:
- method: GET
path: /v3/users/{user_id}/groups
- method: HEAD
path: /v3/users/{user_id}/groups
scope_types:
- system
- domain
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_group
deprecated_since: null
description: Create group.
name: identity:create_group
operations:
- method: POST
path: /v3/groups
scope_types:
- system
- domain
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:update_group
deprecated_since: null
description: Update group.
name: identity:update_group
operations:
- method: PATCH
path: /v3/groups/{group_id}
scope_types:
- system
- domain
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_group
deprecated_since: null
description: Delete group.
name: identity:delete_group
operations:
- method: DELETE
path: /v3/groups/{group_id}
scope_types:
- system
- domain
- project
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader
and domain_id:%(target.group.domain_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_users_in_group
deprecated_since: null
description: List members of a specific group.
name: identity:list_users_in_group
operations:
- method: GET
path: /v3/groups/{group_id}/users
- method: HEAD
path: /v3/groups/{group_id}/users
scope_types:
- system
- domain
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:remove_user_from_group
deprecated_since: null
description: Remove user from group.
name: identity:remove_user_from_group
operations:
- method: DELETE
path: /v3/groups/{group_id}/users/{user_id}
scope_types:
- system
- domain
- project
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader
and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:check_user_in_group
deprecated_since: null
description: Check whether a user is a member of a group.
name: identity:check_user_in_group
operations:
- method: HEAD
path: /v3/groups/{group_id}/users/{user_id}
- method: GET
path: /v3/groups/{group_id}/users/{user_id}
scope_types:
- system
- domain
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:add_user_to_group
deprecated_since: null
description: Add user to group.
name: identity:add_user_to_group
operations:
- method: PUT
path: /v3/groups/{group_id}/users/{user_id}
scope_types:
- system
- domain
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_identity_provider
deprecated_since: null
description: Create identity provider.
name: identity:create_identity_provider
operations:
- method: PUT
path: /v3/OS-FEDERATION/identity_providers/{idp_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_identity_providers
deprecated_since: null
description: List identity providers.
name: identity:list_identity_providers
operations:
- method: GET
path: /v3/OS-FEDERATION/identity_providers
- method: HEAD
path: /v3/OS-FEDERATION/identity_providers
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:get_identity_provider
deprecated_since: null
description: Get identity provider.
name: identity:get_identity_provider
operations:
- method: GET
path: /v3/OS-FEDERATION/identity_providers/{idp_id}
- method: HEAD
path: /v3/OS-FEDERATION/identity_providers/{idp_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:update_identity_provider
deprecated_since: null
description: Update identity provider.
name: identity:update_identity_provider
operations:
- method: PATCH
path: /v3/OS-FEDERATION/identity_providers/{idp_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_identity_provider
deprecated_since: null
description: Delete identity provider.
name: identity:delete_identity_provider
operations:
- method: DELETE
path: /v3/OS-FEDERATION/identity_providers/{idp_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:get_implied_role
deprecated_since: null
description: Get information about an association between two roles. When a relationship
exists between a prior role and an implied role and the prior role is assigned
to a user, the user also assumes the implied role.
name: identity:get_implied_role
operations:
- method: GET
path: /v3/roles/{prior_role_id}/implies/{implied_role_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_implied_roles
deprecated_since: null
description: List associations between two roles. When a relationship exists between
a prior role and an implied role and the prior role is assigned to a user, the
user also assumes the implied role. This will return all the implied roles that
would be assumed by the user who gets the specified prior role.
name: identity:list_implied_roles
operations:
- method: GET
path: /v3/roles/{prior_role_id}/implies
- method: HEAD
path: /v3/roles/{prior_role_id}/implies
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_implied_role
deprecated_since: null
description: Create an association between two roles. When a relationship exists
between a prior role and an implied role and the prior role is assigned to a user,
the user also assumes the implied role.
name: identity:create_implied_role
operations:
- method: PUT
path: /v3/roles/{prior_role_id}/implies/{implied_role_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_implied_role
deprecated_since: null
description: Delete the association between two roles. When a relationship exists
between a prior role and an implied role and the prior role is assigned to a user,
the user also assumes the implied role. Removing the association will cause that
effect to be eliminated.
name: identity:delete_implied_role
operations:
- method: DELETE
path: /v3/roles/{prior_role_id}/implies/{implied_role_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_role_inference_rules
deprecated_since: null
description: List all associations between two roles in the system. When a relationship
exists between a prior role and an implied role and the prior role is assigned
to a user, the user also assumes the implied role.
name: identity:list_role_inference_rules
operations:
- method: GET
path: /v3/role_inferences
- method: HEAD
path: /v3/role_inferences
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:check_implied_role
deprecated_since: null
description: Check an association between two roles. When a relationship exists
between a prior role and an implied role and the prior role is assigned to a user,
the user also assumes the implied role.
name: identity:check_implied_role
operations:
- method: HEAD
path: /v3/roles/{prior_role_id}/implies/{implied_role_id}
scope_types:
- system
- project
- check_str: ''
description: Get limit enforcement model.
name: identity:get_limit_model
operations:
- method: GET
path: /v3/limits/model
- method: HEAD
path: /v3/limits/model
scope_types:
- system
- domain
- project
- check_str: rule:admin_required or (role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s
or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s
and not None:%(target.limit.project_id)s)
description: Show limit details.
name: identity:get_limit
operations:
- method: GET
path: /v3/limits/{limit_id}
- method: HEAD
path: /v3/limits/{limit_id}
scope_types:
- system
- domain
- project
- check_str: ''
description: List limits.
name: identity:list_limits
operations:
- method: GET
path: /v3/limits
- method: HEAD
path: /v3/limits
scope_types:
- system
- domain
- project
- check_str: rule:admin_required
description: Create limits.
name: identity:create_limits
operations:
- method: POST
path: /v3/limits
scope_types:
- system
- project
- check_str: rule:admin_required
description: Update limit.
name: identity:update_limit
operations:
- method: PATCH
path: /v3/limits/{limit_id}
scope_types:
- system
- project
- check_str: rule:admin_required
description: Delete limit.
name: identity:delete_limit
operations:
- method: DELETE
path: /v3/limits/{limit_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_mapping
deprecated_since: null
description: Create a new federated mapping containing one or more sets of rules.
name: identity:create_mapping
operations:
- method: PUT
path: /v3/OS-FEDERATION/mappings/{mapping_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:get_mapping
deprecated_since: null
description: Get a federated mapping.
name: identity:get_mapping
operations:
- method: GET
path: /v3/OS-FEDERATION/mappings/{mapping_id}
- method: HEAD
path: /v3/OS-FEDERATION/mappings/{mapping_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_mappings
deprecated_since: null
description: List federated mappings.
name: identity:list_mappings
operations:
- method: GET
path: /v3/OS-FEDERATION/mappings
- method: HEAD
path: /v3/OS-FEDERATION/mappings
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_mapping
deprecated_since: null
description: Delete a federated mapping.
name: identity:delete_mapping
operations:
- method: DELETE
path: /v3/OS-FEDERATION/mappings/{mapping_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:update_mapping
deprecated_since: null
description: Update a federated mapping.
name: identity:update_mapping
operations:
- method: PATCH
path: /v3/OS-FEDERATION/mappings/{mapping_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:get_policy
deprecated_since: null
description: Show policy details.
name: identity:get_policy
operations:
- method: GET
path: /v3/policies/{policy_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_policies
deprecated_since: null
description: List policies.
name: identity:list_policies
operations:
- method: GET
path: /v3/policies
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_policy
deprecated_since: null
description: Create policy.
name: identity:create_policy
operations:
- method: POST
path: /v3/policies
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:update_policy
deprecated_since: null
description: Update policy.
name: identity:update_policy
operations:
- method: PATCH
path: /v3/policies/{policy_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_policy
deprecated_since: null
description: Delete policy.
name: identity:delete_policy
operations:
- method: DELETE
path: /v3/policies/{policy_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_policy_association_for_endpoint
deprecated_since: null
description: Associate a policy to a specific endpoint.
name: identity:create_policy_association_for_endpoint
operations:
- method: PUT
path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:check_policy_association_for_endpoint
deprecated_since: null
description: Check policy association for endpoint.
name: identity:check_policy_association_for_endpoint
operations:
- method: GET
path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
- method: HEAD
path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_policy_association_for_endpoint
deprecated_since: null
description: Delete policy association for endpoint.
name: identity:delete_policy_association_for_endpoint
operations:
- method: DELETE
path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_policy_association_for_service
deprecated_since: null
description: Associate a policy to a specific service.
name: identity:create_policy_association_for_service
operations:
- method: PUT
path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:check_policy_association_for_service
deprecated_since: null
description: Check policy association for service.
name: identity:check_policy_association_for_service
operations:
- method: GET
path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
- method: HEAD
path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_policy_association_for_service
deprecated_since: null
description: Delete policy association for service.
name: identity:delete_policy_association_for_service
operations:
- method: DELETE
path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_policy_association_for_region_and_service
deprecated_since: null
description: Associate a policy to a specific region and service combination.
name: identity:create_policy_association_for_region_and_service
operations:
- method: PUT
path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:check_policy_association_for_region_and_service
deprecated_since: null
description: Check policy association for region and service.
name: identity:check_policy_association_for_region_and_service
operations:
- method: GET
path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
- method: HEAD
path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_policy_association_for_region_and_service
deprecated_since: null
description: Delete policy association for region and service.
name: identity:delete_policy_association_for_region_and_service
operations:
- method: DELETE
path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:get_policy_for_endpoint
deprecated_since: null
description: Get policy for endpoint.
name: identity:get_policy_for_endpoint
operations:
- method: GET
path: /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
- method: HEAD
path: /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_endpoints_for_policy
deprecated_since: null
description: List endpoints for policy.
name: identity:list_endpoints_for_policy
operations:
- method: GET
path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
scope_types:
- system
- project
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader
and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required or project_id:%(target.project.id)s
name: identity:get_project
deprecated_since: null
description: Show project details.
name: identity:get_project
operations:
- method: GET
path: /v3/projects/{project_id}
scope_types:
- system
- domain
- project
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader
and domain_id:%(target.domain_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_projects
deprecated_since: null
description: List projects.
name: identity:list_projects
operations:
- method: GET
path: /v3/projects
scope_types:
- system
- domain
- project
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader
and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: identity:list_user_projects
deprecated_since: null
description: List projects for user.
name: identity:list_user_projects
operations:
- method: GET
path: /v3/users/{user_id}/projects
scope_types:
- system
- domain
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_project
deprecated_since: null
description: Create project.
name: identity:create_project
operations:
- method: POST
path: /v3/projects
scope_types:
- system
- domain
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:update_project
deprecated_since: null
description: Update project.
name: identity:update_project
operations:
- method: PATCH
path: /v3/projects/{project_id}
scope_types:
- system
- domain
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_project
deprecated_since: null
description: Delete project.
name: identity:delete_project
operations:
- method: DELETE
path: /v3/projects/{project_id}
scope_types:
- system
- domain
- project
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader
and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required or project_id:%(target.project.id)s
name: identity:list_project_tags
deprecated_since: null
description: List tags for a project.
name: identity:list_project_tags
operations:
- method: GET
path: /v3/projects/{project_id}/tags
- method: HEAD
path: /v3/projects/{project_id}/tags
scope_types:
- system
- domain
- project
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader
and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required or project_id:%(target.project.id)s
name: identity:get_project_tag
deprecated_since: null
description: Check if project contains a tag.
name: identity:get_project_tag
operations:
- method: GET
path: /v3/projects/{project_id}/tags/{value}
- method: HEAD
path: /v3/projects/{project_id}/tags/{value}
scope_types:
- system
- domain
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:update_project_tags
deprecated_since: null
description: Replace all tags on a project with the new set of tags.
name: identity:update_project_tags
operations:
- method: PUT
path: /v3/projects/{project_id}/tags
scope_types:
- system
- domain
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_project_tag
deprecated_since: null
description: Add a single tag to a project.
name: identity:create_project_tag
operations:
- method: PUT
path: /v3/projects/{project_id}/tags/{value}
scope_types:
- system
- domain
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_project_tags
deprecated_since: null
description: Remove all tags from a project.
name: identity:delete_project_tags
operations:
- method: DELETE
path: /v3/projects/{project_id}/tags
scope_types:
- system
- domain
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_project_tag
deprecated_since: null
description: Delete a specified tag from project.
name: identity:delete_project_tag
operations:
- method: DELETE
path: /v3/projects/{project_id}/tags/{value}
scope_types:
- system
- domain
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_projects_for_endpoint
deprecated_since: null
description: List projects allowed to access an endpoint.
name: identity:list_projects_for_endpoint
operations:
- method: GET
path: /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:add_endpoint_to_project
deprecated_since: null
description: Allow project to access an endpoint.
name: identity:add_endpoint_to_project
operations:
- method: PUT
path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:check_endpoint_in_project
deprecated_since: null
description: Check if a project is allowed to access an endpoint.
name: identity:check_endpoint_in_project
operations:
- method: GET
path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
- method: HEAD
path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_endpoints_for_project
deprecated_since: null
description: List the endpoints a project is allowed to access.
name: identity:list_endpoints_for_project
operations:
- method: GET
path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:remove_endpoint_from_project
deprecated_since: null
description: Remove access to an endpoint from a project that has previously been
given explicit access.
name: identity:remove_endpoint_from_project
operations:
- method: DELETE
path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_protocol
deprecated_since: null
description: Create federated protocol.
name: identity:create_protocol
operations:
- method: PUT
path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:update_protocol
deprecated_since: null
description: Update federated protocol.
name: identity:update_protocol
operations:
- method: PATCH
path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:get_protocol
deprecated_since: null
description: Get federated protocol.
name: identity:get_protocol
operations:
- method: GET
path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_protocols
deprecated_since: null
description: List federated protocols.
name: identity:list_protocols
operations:
- method: GET
path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_protocol
deprecated_since: null
description: Delete federated protocol.
name: identity:delete_protocol
operations:
- method: DELETE
path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
scope_types:
- system
- project
- check_str: ''
description: Show region details.
name: identity:get_region
operations:
- method: GET
path: /v3/regions/{region_id}
- method: HEAD
path: /v3/regions/{region_id}
scope_types:
- system
- domain
- project
- check_str: ''
description: List regions.
name: identity:list_regions
operations:
- method: GET
path: /v3/regions
- method: HEAD
path: /v3/regions
scope_types:
- system
- domain
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_region
deprecated_since: null
description: Create region.
name: identity:create_region
operations:
- method: POST
path: /v3/regions
- method: PUT
path: /v3/regions/{region_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:update_region
deprecated_since: null
description: Update region.
name: identity:update_region
operations:
- method: PATCH
path: /v3/regions/{region_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_region
deprecated_since: null
description: Delete region.
name: identity:delete_region
operations:
- method: DELETE
path: /v3/regions/{region_id}
scope_types:
- system
- project
- check_str: ''
description: Show registered limit details.
name: identity:get_registered_limit
operations:
- method: GET
path: /v3/registered_limits/{registered_limit_id}
- method: HEAD
path: /v3/registered_limits/{registered_limit_id}
scope_types:
- system
- domain
- project
- check_str: ''
description: List registered limits.
name: identity:list_registered_limits
operations:
- method: GET
path: /v3/registered_limits
- method: HEAD
path: /v3/registered_limits
scope_types:
- system
- domain
- project
- check_str: rule:admin_required
description: Create registered limits.
name: identity:create_registered_limits
operations:
- method: POST
path: /v3/registered_limits
scope_types:
- system
- project
- check_str: rule:admin_required
description: Update registered limit.
name: identity:update_registered_limit
operations:
- method: PATCH
path: /v3/registered_limits/{registered_limit_id}
scope_types:
- system
- project
- check_str: rule:admin_required
description: Delete registered limit.
name: identity:delete_registered_limit
operations:
- method: DELETE
path: /v3/registered_limits/{registered_limit_id}
scope_types:
- system
- project
- check_str: rule:service_or_admin
description: List revocation events.
name: identity:list_revoke_events
operations:
- method: GET
path: /v3/OS-REVOKE/events
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:get_role
deprecated_since: null
description: Show role details.
name: identity:get_role
operations:
- method: GET
path: /v3/roles/{role_id}
- method: HEAD
path: /v3/roles/{role_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_roles
deprecated_since: null
description: List roles.
name: identity:list_roles
operations:
- method: GET
path: /v3/roles
- method: HEAD
path: /v3/roles
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_role
deprecated_since: null
description: Create role.
name: identity:create_role
operations:
- method: POST
path: /v3/roles
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:update_role
deprecated_since: null
description: Update role.
name: identity:update_role
operations:
- method: PATCH
path: /v3/roles/{role_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_role
deprecated_since: null
description: Delete role.
name: identity:delete_role
operations:
- method: DELETE
path: /v3/roles/{role_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:get_domain_role
deprecated_since: null
description: Show domain role.
name: identity:get_domain_role
operations:
- method: GET
path: /v3/roles/{role_id}
- method: HEAD
path: /v3/roles/{role_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_domain_roles
deprecated_since: null
description: List domain roles.
name: identity:list_domain_roles
operations:
- method: GET
path: /v3/roles?domain_id={domain_id}
- method: HEAD
path: /v3/roles?domain_id={domain_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_domain_role
deprecated_since: null
description: Create domain role.
name: identity:create_domain_role
operations:
- method: POST
path: /v3/roles
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:update_domain_role
deprecated_since: null
description: Update domain role.
name: identity:update_domain_role
operations:
- method: PATCH
path: /v3/roles/{role_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_domain_role
deprecated_since: null
description: Delete domain role.
name: identity:delete_domain_role
operations:
- method: DELETE
path: /v3/roles/{role_id}
scope_types:
- system
- project
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader
and domain_id:%(target.domain_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_role_assignments
deprecated_since: null
description: List role assignments.
name: identity:list_role_assignments
operations:
- method: GET
path: /v3/role_assignments
- method: HEAD
path: /v3/role_assignments
scope_types:
- system
- domain
- project
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader
and domain_id:%(target.domain_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_role_assignments_for_tree
deprecated_since: null
description: List all role assignments for a given tree of hierarchical projects.
name: identity:list_role_assignments_for_tree
operations:
- method: GET
path: /v3/role_assignments?include_subtree
- method: HEAD
path: /v3/role_assignments?include_subtree
scope_types:
- system
- domain
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:get_service
deprecated_since: null
description: Show service details.
name: identity:get_service
operations:
- method: GET
path: /v3/services/{service_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_services
deprecated_since: null
description: List services.
name: identity:list_services
operations:
- method: GET
path: /v3/services
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_service
deprecated_since: null
description: Create service.
name: identity:create_service
operations:
- method: POST
path: /v3/services
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:update_service
deprecated_since: null
description: Update service.
name: identity:update_service
operations:
- method: PATCH
path: /v3/services/{service_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_service
deprecated_since: null
description: Delete service.
name: identity:delete_service
operations:
- method: DELETE
path: /v3/services/{service_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_service_provider
deprecated_since: null
description: Create federated service provider.
name: identity:create_service_provider
operations:
- method: PUT
path: /v3/OS-FEDERATION/service_providers/{service_provider_id}
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_service_providers
deprecated_since: null
description: List federated service providers.
name: identity:list_service_providers
operations:
- method: GET
path: /v3/OS-FEDERATION/service_providers
- method: HEAD
path: /v3/OS-FEDERATION/service_providers
scope_types:
- system
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:get_service_provider
deprecated_since: null
description: Get federated service provider.
name: identity:get_service_provider
operations:
- method: GET
path: /v3/OS-FEDERATION/service_providers/{service_provider_id}
- method: HEAD
path: /v3/OS-FEDERATION/service_providers/{service_provider_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:update_service_provider
deprecated_since: null
description: Update federated service provider.
name: identity:update_service_provider
operations:
- method: PATCH
path: /v3/OS-FEDERATION/service_providers/{service_provider_id}
scope_types:
- system
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_service_provider
deprecated_since: null
description: Delete federated service provider.
name: identity:delete_service_provider
operations:
- method: DELETE
path: /v3/OS-FEDERATION/service_providers/{service_provider_id}
scope_types:
- system
- project
- check_str: rule:service_or_admin
deprecated_for_removal: true
deprecated_reason: '
The identity:revocation_list policy isn''t used to protect any APIs in keystone
now that the revocation list API has been deprecated and only returns a 410 or
403 depending on how keystone is configured. This policy can be safely removed
from policy files.
'
deprecated_since: T
description: List revoked PKI tokens.
name: identity:revocation_list
operations:
- method: GET
path: /v3/auth/tokens/OS-PKI/revoked
scope_types:
- system
- project
- check_str: (role:reader and system_scope:all) or rule:token_subject
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_token_subject
name: identity:check_token
deprecated_since: null
description: Check a token.
name: identity:check_token
operations:
- method: HEAD
path: /v3/auth/tokens
scope_types:
- system
- domain
- project
- check_str: (role:reader and system_scope:all) or rule:service_role or rule:token_subject
deprecated_reason: null
deprecated_rule:
check_str: rule:service_admin_or_token_subject
name: identity:validate_token
deprecated_since: null
description: Validate a token.
name: identity:validate_token
operations:
- method: GET
path: /v3/auth/tokens
scope_types:
- system
- domain
- project
- check_str: (role:admin and system_scope:all) or rule:token_subject
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_token_subject
name: identity:revoke_token
deprecated_since: null
description: Revoke a token.
name: identity:revoke_token
operations:
- method: DELETE
path: /v3/auth/tokens
scope_types:
- system
- domain
- project
- check_str: user_id:%(trust.trustor_user_id)s
description: Create trust.
name: identity:create_trust
operations:
- method: POST
path: /v3/OS-TRUST/trusts
scope_types:
- project
- check_str: rule:admin_required or (role:reader and system_scope:all)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_trusts
deprecated_since: null
description: List trusts.
name: identity:list_trusts
operations:
- method: GET
path: /v3/OS-TRUST/trusts
- method: HEAD
path: /v3/OS-TRUST/trusts
scope_types:
- system
- project
- check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s)
description: List trusts for trustor.
name: identity:list_trusts_for_trustor
operations:
- method: GET
path: /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}
- method: HEAD
path: /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}
scope_types:
- system
- project
- check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s)
description: List trusts for trustee.
name: identity:list_trusts_for_trustee
operations:
- method: GET
path: /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}
- method: HEAD
path: /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}
scope_types:
- system
- project
- check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s
or user_id:%(target.trust.trustee_user_id)s)
deprecated_reason: null
deprecated_rule:
check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s
name: identity:list_roles_for_trust
deprecated_since: null
description: List roles delegated by a trust.
name: identity:list_roles_for_trust
operations:
- method: GET
path: /v3/OS-TRUST/trusts/{trust_id}/roles
- method: HEAD
path: /v3/OS-TRUST/trusts/{trust_id}/roles
scope_types:
- system
- project
- check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s
or user_id:%(target.trust.trustee_user_id)s)
deprecated_reason: null
deprecated_rule:
check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s
name: identity:get_role_for_trust
deprecated_since: null
description: Check if trust delegates a particular role.
name: identity:get_role_for_trust
operations:
- method: GET
path: /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
- method: HEAD
path: /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
scope_types:
- system
- project
- check_str: rule:admin_required or user_id:%(target.trust.trustor_user_id)s
deprecated_reason: null
deprecated_rule:
check_str: user_id:%(target.trust.trustor_user_id)s
name: identity:delete_trust
deprecated_since: null
description: Revoke trust.
name: identity:delete_trust
operations:
- method: DELETE
path: /v3/OS-TRUST/trusts/{trust_id}
scope_types:
- system
- project
- check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s
or user_id:%(target.trust.trustee_user_id)s)
deprecated_reason: null
deprecated_rule:
check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s
name: identity:get_trust
deprecated_since: null
description: Get trust.
name: identity:get_trust
operations:
- method: GET
path: /v3/OS-TRUST/trusts/{trust_id}
- method: HEAD
path: /v3/OS-TRUST/trusts/{trust_id}
scope_types:
- system
- project
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader
and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_or_owner
name: identity:get_user
deprecated_since: null
description: Show user details.
name: identity:get_user
operations:
- method: GET
path: /v3/users/{user_id}
- method: HEAD
path: /v3/users/{user_id}
scope_types:
- system
- domain
- project
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader
and domain_id:%(target.domain_id)s)
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:list_users
deprecated_since: null
description: List users.
name: identity:list_users
operations:
- method: GET
path: /v3/users
- method: HEAD
path: /v3/users
scope_types:
- system
- domain
- project
- check_str: ''
description: List all projects a user has access to via role assignments.
name: identity:list_projects_for_user
operations:
- method: GET
path: ' /v3/auth/projects'
scope_types: null
- check_str: ''
description: List all domains a user has access to via role assignments.
name: identity:list_domains_for_user
operations:
- method: GET
path: /v3/auth/domains
scope_types: null
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:create_user
deprecated_since: null
description: Create a user.
name: identity:create_user
operations:
- method: POST
path: /v3/users
scope_types:
- system
- domain
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:update_user
deprecated_since: null
description: Update a user, including administrative password resets.
name: identity:update_user
operations:
- method: PATCH
path: /v3/users/{user_id}
scope_types:
- system
- domain
- project
- check_str: rule:admin_required
deprecated_reason: null
deprecated_rule:
check_str: rule:admin_required
name: identity:delete_user
deprecated_since: null
description: Delete a user.
name: identity:delete_user
operations:
- method: DELETE
path: /v3/users/{user_id}
scope_types:
- system
- domain
- project