712dbd26d1
This patch updates default policy-in-code rules in horizon based on nova/neutron/cinder/keystone RC deliverables. It doesn't update policy rules for glance as I have found no changes in their policy rules. Horizon needs to update default policy-in-code rules for all backend services before releasing horizon [1]. [1] https://docs.openstack.org/horizon/latest/contributor/policies/releasing.html#things-to-do-before-releasing Change-Id: I7437b3a46377c18f026db103237b4d107dc787cb
#"admin_required": "role:admin or is_admin:1"
|
|
|
|
#"service_role": "role:service"
|
|
|
|
#"service_or_admin": "rule:admin_required or rule:service_role"
|
|
|
|
#"owner": "user_id:%(user_id)s"
|
|
|
|
#"admin_or_owner": "rule:admin_required or rule:owner"
|
|
|
|
#"token_subject": "user_id:%(target.token.user_id)s"
|
|
|
|
#"admin_or_token_subject": "rule:admin_required or rule:token_subject"
|
|
|
|
#"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject"
|
|
|
|
# Show access rule details.
|
|
# GET /v3/users/{user_id}/access_rules/{access_rule_id}
|
|
# HEAD /v3/users/{user_id}/access_rules/{access_rule_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:get_access_rule": "(role:reader and system_scope:all) or user_id:%(target.user.id)s"
|
|
|
|
# List access rules for a user.
|
|
# GET /v3/users/{user_id}/access_rules
|
|
# HEAD /v3/users/{user_id}/access_rules
|
|
# Intended scope(s): system, project
|
|
#"identity:list_access_rules": "(role:reader and system_scope:all) or user_id:%(target.user.id)s"
|
|
|
|
# Delete an access_rule.
|
|
# DELETE /v3/users/{user_id}/access_rules/{access_rule_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:delete_access_rule": "(role:admin and system_scope:all) or user_id:%(target.user.id)s"
|
|
|
|
# Authorize OAUTH1 request token.
|
|
# PUT /v3/OS-OAUTH1/authorize/{request_token_id}
|
|
# Intended scope(s): project
|
|
#"identity:authorize_request_token": "rule:admin_required"
|
|
|
|
# Get OAUTH1 access token for user by access token ID.
|
|
# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
|
|
# Intended scope(s): project
|
|
#"identity:get_access_token": "rule:admin_required"
|
|
|
|
# Get role for user OAUTH1 access token.
|
|
# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
|
|
# Intended scope(s): project
|
|
#"identity:get_access_token_role": "rule:admin_required"
|
|
|
|
# List OAUTH1 access tokens for user.
|
|
# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens
|
|
# Intended scope(s): project
|
|
#"identity:list_access_tokens": "rule:admin_required"
|
|
|
|
# List OAUTH1 access token roles.
|
|
# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
|
|
# Intended scope(s): project
|
|
#"identity:list_access_token_roles": "rule:admin_required"
|
|
|
|
# Delete OAUTH1 access token.
|
|
# DELETE /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
|
|
# Intended scope(s): project
|
|
#"identity:delete_access_token": "rule:admin_required"
|
|
|
|
# Show application credential details.
|
|
# GET /v3/users/{user_id}/application_credentials/{application_credential_id}
|
|
# HEAD /v3/users/{user_id}/application_credentials/{application_credential_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:get_application_credential": "(role:reader and system_scope:all) or rule:owner"
|
|
|
|
# DEPRECATED
|
|
# "identity:get_application_credential":"rule:admin_or_owner" has been
|
|
# deprecated since T in favor of
|
|
# "identity:get_application_credential":"(role:reader and
|
|
# system_scope:all) or rule:owner".
|
|
# The application credential API is now aware of system scope and
|
|
# default roles.
|
|
|
|
# List application credentials for a user.
|
|
# GET /v3/users/{user_id}/application_credentials
|
|
# HEAD /v3/users/{user_id}/application_credentials
|
|
# Intended scope(s): system, project
|
|
#"identity:list_application_credentials": "(role:reader and system_scope:all) or rule:owner"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_application_credentials":"rule:admin_or_owner" has
|
|
# been deprecated since T in favor of
|
|
# "identity:list_application_credentials":"(role:reader and
|
|
# system_scope:all) or rule:owner".
|
|
# The application credential API is now aware of system scope and
|
|
# default roles.
|
|
|
|
# Create an application credential.
|
|
# POST /v3/users/{user_id}/application_credentials
|
|
# Intended scope(s): project
|
|
#"identity:create_application_credential": "user_id:%(user_id)s"
|
|
|
|
# Delete an application credential.
|
|
# DELETE /v3/users/{user_id}/application_credentials/{application_credential_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:delete_application_credential": "(role:admin and system_scope:all) or rule:owner"
|
|
|
|
# DEPRECATED
|
|
# "identity:delete_application_credential":"rule:admin_or_owner" has
|
|
# been deprecated since T in favor of
|
|
# "identity:delete_application_credential":"(role:admin and
|
|
# system_scope:all) or rule:owner".
|
|
# The application credential API is now aware of system scope and
|
|
# default roles.
|
|
|
|
# Get service catalog.
|
|
# GET /v3/auth/catalog
|
|
# HEAD /v3/auth/catalog
|
|
#"identity:get_auth_catalog": ""
|
|
|
|
# List all projects a user has access to via role assignments.
|
|
# GET /v3/auth/projects
|
|
# HEAD /v3/auth/projects
|
|
#"identity:get_auth_projects": ""
|
|
|
|
# List all domains a user has access to via role assignments.
|
|
# GET /v3/auth/domains
|
|
# HEAD /v3/auth/domains
|
|
#"identity:get_auth_domains": ""
|
|
|
|
# List systems a user has access to via role assignments.
|
|
# GET /v3/auth/system
|
|
# HEAD /v3/auth/system
|
|
#"identity:get_auth_system": ""
|
|
|
|
# Show OAUTH1 consumer details.
|
|
# GET /v3/OS-OAUTH1/consumers/{consumer_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:get_consumer": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:get_consumer":"rule:admin_required" has been deprecated
|
|
# since T in favor of "identity:get_consumer":"rule:admin_required or
|
|
# (role:reader and system_scope:all)".
|
|
# The OAUTH1 consumer API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# List OAUTH1 consumers.
|
|
# GET /v3/OS-OAUTH1/consumers
|
|
# Intended scope(s): system, project
|
|
#"identity:list_consumers": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_consumers":"rule:admin_required" has been deprecated
|
|
# since T in favor of "identity:list_consumers":"rule:admin_required
|
|
# or (role:reader and system_scope:all)".
|
|
# The OAUTH1 consumer API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Create OAUTH1 consumer.
|
|
# POST /v3/OS-OAUTH1/consumers
|
|
# Intended scope(s): system, project
|
|
#"identity:create_consumer": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:create_consumer":"rule:admin_required" has been deprecated
|
|
# since T in favor of
|
|
# "identity:create_consumer":"rule:admin_required".
|
|
# The OAUTH1 consumer API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Update OAUTH1 consumer.
|
|
# PATCH /v3/OS-OAUTH1/consumers/{consumer_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:update_consumer": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:update_consumer":"rule:admin_required" has been deprecated
|
|
# since T in favor of
|
|
# "identity:update_consumer":"rule:admin_required".
|
|
# The OAUTH1 consumer API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Delete OAUTH1 consumer.
|
|
# DELETE /v3/OS-OAUTH1/consumers/{consumer_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:delete_consumer": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:delete_consumer":"rule:admin_required" has been deprecated
|
|
# since T in favor of
|
|
# "identity:delete_consumer":"rule:admin_required".
|
|
# The OAUTH1 consumer API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Show credentials details.
|
|
# GET /v3/credentials/{credential_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:get_credential": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s"
|
|
|
|
# DEPRECATED
|
|
# "identity:get_credential":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:get_credential":"(role:reader and
|
|
# system_scope:all) or user_id:%(target.credential.user_id)s".
|
|
# The credential API is now aware of system scope and default roles.
|
|
|
|
# List credentials.
|
|
# GET /v3/credentials
|
|
# Intended scope(s): system, project
|
|
#"identity:list_credentials": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_credentials":"rule:admin_required" has been
|
|
# deprecated since S in favor of
|
|
# "identity:list_credentials":"(role:reader and system_scope:all) or
|
|
# user_id:%(target.credential.user_id)s".
|
|
# The credential API is now aware of system scope and default roles.
|
|
|
|
# Create credential.
|
|
# POST /v3/credentials
|
|
# Intended scope(s): system, project
|
|
#"identity:create_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s"
|
|
|
|
# DEPRECATED
|
|
# "identity:create_credential":"rule:admin_required" has been
|
|
# deprecated since S in favor of
|
|
# "identity:create_credential":"(role:admin and system_scope:all) or
|
|
# user_id:%(target.credential.user_id)s".
|
|
# The credential API is now aware of system scope and default roles.
|
|
|
|
# Update credential.
|
|
# PATCH /v3/credentials/{credential_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:update_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s"
|
|
|
|
# DEPRECATED
|
|
# "identity:update_credential":"rule:admin_required" has been
|
|
# deprecated since S in favor of
|
|
# "identity:update_credential":"(role:admin and system_scope:all) or
|
|
# user_id:%(target.credential.user_id)s".
|
|
# The credential API is now aware of system scope and default roles.
|
|
|
|
# Delete credential.
|
|
# DELETE /v3/credentials/{credential_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:delete_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s"
|
|
|
|
# DEPRECATED
|
|
# "identity:delete_credential":"rule:admin_required" has been
|
|
# deprecated since S in favor of
|
|
# "identity:delete_credential":"(role:admin and system_scope:all) or
|
|
# user_id:%(target.credential.user_id)s".
|
|
# The credential API is now aware of system scope and default roles.
|
|
|
|
# Show domain details.
|
|
# GET /v3/domains/{domain_id}
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:get_domain": "rule:admin_required or (role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s"
|
|
|
|
# DEPRECATED
|
|
# "identity:get_domain":"rule:admin_required or
|
|
# token.project.domain.id:%(target.domain.id)s" has been deprecated
|
|
# since S in favor of "identity:get_domain":"rule:admin_required or
|
|
# (role:reader and system_scope:all) or
|
|
# token.domain.id:%(target.domain.id)s or
|
|
# token.project.domain.id:%(target.domain.id)s".
|
|
# The domain API is now aware of system scope and default roles.
|
|
|
|
# List domains.
|
|
# GET /v3/domains
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:list_domains": "rule:admin_required or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain.id)s)"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_domains":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:list_domains":"rule:admin_required or
|
|
# (role:reader and system_scope:all) or (role:reader and
|
|
# domain_id:%(target.domain.id)s)".
|
|
# The domain API is now aware of system scope and default roles.
|
|
|
|
# Create domain.
|
|
# POST /v3/domains
|
|
# Intended scope(s): system, project
|
|
#"identity:create_domain": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:create_domain":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:create_domain":"rule:admin_required".
|
|
# The domain API is now aware of system scope and default roles.
|
|
|
|
# Update domain.
|
|
# PATCH /v3/domains/{domain_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:update_domain": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:update_domain":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:update_domain":"rule:admin_required".
|
|
# The domain API is now aware of system scope and default roles.
|
|
|
|
# Delete domain.
|
|
# DELETE /v3/domains/{domain_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:delete_domain": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:delete_domain":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:delete_domain":"rule:admin_required".
|
|
# The domain API is now aware of system scope and default roles.
|
|
|
|
# Create domain configuration.
|
|
# PUT /v3/domains/{domain_id}/config
|
|
# Intended scope(s): system, project
|
|
#"identity:create_domain_config": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:create_domain_config":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:create_domain_config":"rule:admin_required".
|
|
# The domain config API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Get the entire domain configuration for a domain, an option group
|
|
# within a domain, or a specific configuration option within a group
|
|
# for a domain.
|
|
# GET /v3/domains/{domain_id}/config
|
|
# HEAD /v3/domains/{domain_id}/config
|
|
# GET /v3/domains/{domain_id}/config/{group}
|
|
# HEAD /v3/domains/{domain_id}/config/{group}
|
|
# GET /v3/domains/{domain_id}/config/{group}/{option}
|
|
# HEAD /v3/domains/{domain_id}/config/{group}/{option}
|
|
# Intended scope(s): system, project
|
|
#"identity:get_domain_config": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:get_domain_config":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:get_domain_config":"rule:admin_required or (role:reader
|
|
# and system_scope:all)".
|
|
# The domain config API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Get security compliance domain configuration for either a domain or
|
|
# a specific option in a domain.
|
|
# GET /v3/domains/{domain_id}/config/security_compliance
|
|
# HEAD /v3/domains/{domain_id}/config/security_compliance
|
|
# GET /v3/domains/{domain_id}/config/security_compliance/{option}
|
|
# HEAD /v3/domains/{domain_id}/config/security_compliance/{option}
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:get_security_compliance_domain_config": ""
|
|
|
|
# Update domain configuration for either a domain, specific group or a
|
|
# specific option in a group.
|
|
# PATCH /v3/domains/{domain_id}/config
|
|
# PATCH /v3/domains/{domain_id}/config/{group}
|
|
# PATCH /v3/domains/{domain_id}/config/{group}/{option}
|
|
# Intended scope(s): system, project
|
|
#"identity:update_domain_config": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:update_domain_config":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:update_domain_config":"rule:admin_required".
|
|
# The domain config API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Delete domain configuration for either a domain, specific group or a
|
|
# specific option in a group.
|
|
# DELETE /v3/domains/{domain_id}/config
|
|
# DELETE /v3/domains/{domain_id}/config/{group}
|
|
# DELETE /v3/domains/{domain_id}/config/{group}/{option}
|
|
# Intended scope(s): system, project
|
|
#"identity:delete_domain_config": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:delete_domain_config":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:delete_domain_config":"rule:admin_required".
|
|
# The domain config API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Get domain configuration default for either a domain, specific group
|
|
# or a specific option in a group.
|
|
# GET /v3/domains/config/default
|
|
# HEAD /v3/domains/config/default
|
|
# GET /v3/domains/config/{group}/default
|
|
# HEAD /v3/domains/config/{group}/default
|
|
# GET /v3/domains/config/{group}/{option}/default
|
|
# HEAD /v3/domains/config/{group}/{option}/default
|
|
# Intended scope(s): system, project
|
|
#"identity:get_domain_config_default": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:get_domain_config_default":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:get_domain_config_default":"rule:admin_required or
|
|
# (role:reader and system_scope:all)".
|
|
# The domain config API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Show ec2 credential details.
|
|
# GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:ec2_get_credential": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s"
|
|
|
|
# DEPRECATED
|
|
# "identity:ec2_get_credential":"rule:admin_required or (rule:owner
|
|
# and user_id:%(target.credential.user_id)s)" has been deprecated
|
|
# since T in favor of "identity:ec2_get_credential":"(role:reader and
|
|
# system_scope:all) or user_id:%(target.credential.user_id)s".
|
|
# The EC2 credential API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# List ec2 credentials.
|
|
# GET /v3/users/{user_id}/credentials/OS-EC2
|
|
# Intended scope(s): system, project
|
|
#"identity:ec2_list_credentials": "(role:reader and system_scope:all) or rule:owner"
|
|
|
|
# DEPRECATED
|
|
# "identity:ec2_list_credentials":"rule:admin_or_owner" has been
|
|
# deprecated since T in favor of
|
|
# "identity:ec2_list_credentials":"(role:reader and system_scope:all)
|
|
# or rule:owner".
|
|
# The EC2 credential API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Create ec2 credential.
|
|
# POST /v3/users/{user_id}/credentials/OS-EC2
|
|
# Intended scope(s): system, project
|
|
#"identity:ec2_create_credential": "(role:admin and system_scope:all) or rule:owner"
|
|
|
|
# DEPRECATED
|
|
# "identity:ec2_create_credential":"rule:admin_or_owner" has been
|
|
# deprecated since T in favor of
|
|
# "identity:ec2_create_credential":"(role:admin and system_scope:all)
|
|
# or rule:owner".
|
|
# The EC2 credential API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Delete ec2 credential.
|
|
# DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:ec2_delete_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s"
|
|
|
|
# DEPRECATED
|
|
# "identity:ec2_delete_credential":"rule:admin_required or (rule:owner
|
|
# and user_id:%(target.credential.user_id)s)" has been deprecated
|
|
# since T in favor of "identity:ec2_delete_credential":"(role:admin
|
|
# and system_scope:all) or user_id:%(target.credential.user_id)s".
|
|
# The EC2 credential API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Show endpoint details.
|
|
# GET /v3/endpoints/{endpoint_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:get_endpoint": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:get_endpoint":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:get_endpoint":"rule:admin_required or
|
|
# (role:reader and system_scope:all)".
|
|
# The endpoint API is now aware of system scope and default roles.
|
|
|
|
# List endpoints.
|
|
# GET /v3/endpoints
|
|
# Intended scope(s): system, project
|
|
#"identity:list_endpoints": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_endpoints":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:list_endpoints":"rule:admin_required
|
|
# or (role:reader and system_scope:all)".
|
|
# The endpoint API is now aware of system scope and default roles.
|
|
|
|
# Create endpoint.
|
|
# POST /v3/endpoints
|
|
# Intended scope(s): system, project
|
|
#"identity:create_endpoint": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:create_endpoint":"rule:admin_required" has been deprecated
|
|
# since S in favor of
|
|
# "identity:create_endpoint":"rule:admin_required".
|
|
# The endpoint API is now aware of system scope and default roles.
|
|
|
|
# Update endpoint.
|
|
# PATCH /v3/endpoints/{endpoint_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:update_endpoint": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:update_endpoint":"rule:admin_required" has been deprecated
|
|
# since S in favor of
|
|
# "identity:update_endpoint":"rule:admin_required".
|
|
# The endpoint API is now aware of system scope and default roles.
|
|
|
|
# Delete endpoint.
|
|
# DELETE /v3/endpoints/{endpoint_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:delete_endpoint": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:delete_endpoint":"rule:admin_required" has been deprecated
|
|
# since S in favor of
|
|
# "identity:delete_endpoint":"rule:admin_required".
|
|
# The endpoint API is now aware of system scope and default roles.
|
|
|
|
# Create endpoint group.
|
|
# POST /v3/OS-EP-FILTER/endpoint_groups
|
|
# Intended scope(s): system, project
|
|
#"identity:create_endpoint_group": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:create_endpoint_group":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:create_endpoint_group":"rule:admin_required".
|
|
# The endpoint groups API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# List endpoint groups.
|
|
# GET /v3/OS-EP-FILTER/endpoint_groups
|
|
# Intended scope(s): system, project
|
|
#"identity:list_endpoint_groups": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_endpoint_groups":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:list_endpoint_groups":"rule:admin_required or (role:reader
|
|
# and system_scope:all)".
|
|
# The endpoint groups API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Get endpoint group.
|
|
# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
|
|
# HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:get_endpoint_group": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:get_endpoint_group":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:get_endpoint_group":"rule:admin_required or (role:reader
|
|
# and system_scope:all)".
|
|
# The endpoint groups API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Update endpoint group.
|
|
# PATCH /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:update_endpoint_group": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:update_endpoint_group":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:update_endpoint_group":"rule:admin_required".
|
|
# The endpoint groups API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Delete endpoint group.
|
|
# DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:delete_endpoint_group": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:delete_endpoint_group":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:delete_endpoint_group":"rule:admin_required".
|
|
# The endpoint groups API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# List all projects associated with a specific endpoint group.
|
|
# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
|
|
# Intended scope(s): system, project
|
|
#"identity:list_projects_associated_with_endpoint_group": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_projects_associated_with_endpoint_group":"rule:admin_
|
|
# required" has been deprecated since T in favor of "identity:list_pro
|
|
# jects_associated_with_endpoint_group":"rule:admin_required or
|
|
# (role:reader and system_scope:all)".
|
|
# The endpoint groups API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# List all endpoints associated with an endpoint group.
|
|
# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
|
|
# Intended scope(s): system, project
|
|
#"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_endpoints_associated_with_endpoint_group":"rule:admin
|
|
# _required" has been deprecated since T in favor of "identity:list_en
|
|
# dpoints_associated_with_endpoint_group":"rule:admin_required or
|
|
# (role:reader and system_scope:all)".
|
|
# The endpoint groups API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Check if an endpoint group is associated with a project.
|
|
# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
|
|
# HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:get_endpoint_group_in_project": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:get_endpoint_group_in_project":"rule:admin_required" has
|
|
# been deprecated since T in favor of
|
|
# "identity:get_endpoint_group_in_project":"rule:admin_required or
|
|
# (role:reader and system_scope:all)".
|
|
# The endpoint groups API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# List endpoint groups associated with a specific project.
|
|
# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups
|
|
# Intended scope(s): system, project
|
|
#"identity:list_endpoint_groups_for_project": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_endpoint_groups_for_project":"rule:admin_required"
|
|
# has been deprecated since T in favor of
|
|
# "identity:list_endpoint_groups_for_project":"rule:admin_required or
|
|
# (role:reader and system_scope:all)".
|
|
# The endpoint groups API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Allow a project to access an endpoint group.
|
|
# PUT /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:add_endpoint_group_to_project": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:add_endpoint_group_to_project":"rule:admin_required" has
|
|
# been deprecated since T in favor of
|
|
# "identity:add_endpoint_group_to_project":"rule:admin_required".
|
|
# The endpoint groups API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Remove endpoint group from project.
|
|
# DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:remove_endpoint_group_from_project": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:remove_endpoint_group_from_project":"rule:admin_required"
|
|
# has been deprecated since T in favor of
|
|
# "identity:remove_endpoint_group_from_project":"rule:admin_required".
|
|
# The endpoint groups API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Check a role grant between a target and an actor. A target can be
|
|
# either a domain or a project. An actor can be either a user or a
|
|
# group. These terms also apply to the OS-INHERIT APIs, where grants
|
|
# on the target are inherited to all projects in the subtree, if
|
|
# applicable.
|
|
# HEAD /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
|
|
# GET /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
|
|
# HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
|
|
# GET /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
|
|
# HEAD /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
|
|
# GET /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
|
|
# HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
|
|
# GET /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
|
|
# HEAD /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
|
|
# GET /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
|
|
# HEAD /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
|
|
# GET /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
|
|
# HEAD /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
|
|
# GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
|
|
# HEAD /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
|
|
# GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:check_grant": "(rule:admin_required) or ((role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s))"
|
|
|
|
# DEPRECATED
|
|
# "identity:check_grant":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:check_grant":"(rule:admin_required) or
|
|
# ((role:reader and system_scope:all) or ((role:reader and
|
|
# domain_id:%(target.user.domain_id)s and
|
|
# domain_id:%(target.project.domain_id)s) or (role:reader and
|
|
# domain_id:%(target.user.domain_id)s and
|
|
# domain_id:%(target.domain.id)s) or (role:reader and
|
|
# domain_id:%(target.group.domain_id)s and
|
|
# domain_id:%(target.project.domain_id)s) or (role:reader and
|
|
# domain_id:%(target.group.domain_id)s and
|
|
# domain_id:%(target.domain.id)s)) and
|
|
# (domain_id:%(target.role.domain_id)s or
|
|
# None:%(target.role.domain_id)s))".
|
|
# The assignment API is now aware of system scope and default roles.
|
|
|
|
# List roles granted to an actor on a target. A target can be either a
|
|
# domain or a project. An actor can be either a user or a group. For
|
|
# the OS-INHERIT APIs, it is possible to list inherited role grants
|
|
# for actors on domains, where grants are inherited to all projects in
|
|
# the specified domain.
|
|
# GET /v3/projects/{project_id}/users/{user_id}/roles
|
|
# HEAD /v3/projects/{project_id}/users/{user_id}/roles
|
|
# GET /v3/projects/{project_id}/groups/{group_id}/roles
|
|
# HEAD /v3/projects/{project_id}/groups/{group_id}/roles
|
|
# GET /v3/domains/{domain_id}/users/{user_id}/roles
|
|
# HEAD /v3/domains/{domain_id}/users/{user_id}/roles
|
|
# GET /v3/domains/{domain_id}/groups/{group_id}/roles
|
|
# HEAD /v3/domains/{domain_id}/groups/{group_id}/roles
|
|
# GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
# GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
# Intended scope(s): system, domain, project
#"identity:list_grants": "(rule:admin_required) or ((role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s))"
# DEPRECATED
# "identity:list_grants":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_grants":"(rule:admin_required) or
# ((role:reader and system_scope:all) or (role:reader and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:reader and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.domain.id)s) or (role:reader and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:reader and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.domain.id)s))".
# The assignment API is now aware of system scope and default roles.
# Create a role grant between a target and an actor. A target can be
# either a domain or a project. An actor can be either a user or a
# group. These terms also apply to the OS-INHERIT APIs, where grants
# on the target are inherited to all projects in the subtree, if
# applicable.
# PUT /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
# PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
# PUT /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
# PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
# PUT /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# PUT /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# PUT /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# Intended scope(s): system, domain, project
#"identity:create_grant": "(rule:admin_required) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
# DEPRECATED
# "identity:create_grant":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_grant":"(rule:admin_required)
# or ((role:admin and domain_id:%(target.user.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:admin and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.domain.id)s) or (role:admin and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:admin and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.domain.id)s)) and
# (domain_id:%(target.role.domain_id)s or
# None:%(target.role.domain_id)s)".
# The assignment API is now aware of system scope and default roles.
# Revoke a role grant between a target and an actor. A target can be
# either a domain or a project. An actor can be either a user or a
# group. These terms also apply to the OS-INHERIT APIs, where grants
# on the target are inherited to all projects in the subtree, if
# applicable. In that case, revoking the role grant in the target
# would remove the logical effect of inheriting it to the target's
# projects subtree.
# DELETE /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
# DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
# DELETE /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
# DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
# DELETE /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# DELETE /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# DELETE /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# DELETE /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# Intended scope(s): system, domain, project
#"identity:revoke_grant": "(rule:admin_required) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
# DEPRECATED
# "identity:revoke_grant":"rule:admin_required" has been deprecated
# since S in favor of "identity:revoke_grant":"(rule:admin_required)
# or ((role:admin and domain_id:%(target.user.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:admin and
# domain_id:%(target.user.domain_id)s and
# domain_id:%(target.domain.id)s) or (role:admin and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.project.domain_id)s) or (role:admin and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.domain.id)s)) and
# (domain_id:%(target.role.domain_id)s or
# None:%(target.role.domain_id)s)".
# The assignment API is now aware of system scope and default roles.
# List all grants a specific user has on the system.
# ['HEAD', 'GET'] /v3/system/users/{user_id}/roles
# Intended scope(s): system, project
#"identity:list_system_grants_for_user": "rule:admin_required or (role:reader and system_scope:all)"
# DEPRECATED
# "identity:list_system_grants_for_user":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:list_system_grants_for_user":"rule:admin_required or
# (role:reader and system_scope:all)".
# The assignment API is now aware of system scope and default roles.
# Check if a user has a role on the system.
# ['HEAD', 'GET'] /v3/system/users/{user_id}/roles/{role_id}
# Intended scope(s): system, project
#"identity:check_system_grant_for_user": "rule:admin_required or (role:reader and system_scope:all)"
# DEPRECATED
# "identity:check_system_grant_for_user":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:check_system_grant_for_user":"rule:admin_required or
# (role:reader and system_scope:all)".
# The assignment API is now aware of system scope and default roles.
# Grant a user a role on the system.
# ['PUT'] /v3/system/users/{user_id}/roles/{role_id}
# Intended scope(s): system, project
#"identity:create_system_grant_for_user": "rule:admin_required"
# DEPRECATED
# "identity:create_system_grant_for_user":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:create_system_grant_for_user":"rule:admin_required".
# The assignment API is now aware of system scope and default roles.
# Remove a role from a user on the system.
# ['DELETE'] /v3/system/users/{user_id}/roles/{role_id}
# Intended scope(s): system, project
#"identity:revoke_system_grant_for_user": "rule:admin_required"
# DEPRECATED
# "identity:revoke_system_grant_for_user":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:revoke_system_grant_for_user":"rule:admin_required".
# The assignment API is now aware of system scope and default roles.
# List all grants a specific group has on the system.
# ['HEAD', 'GET'] /v3/system/groups/{group_id}/roles
# Intended scope(s): system, project
#"identity:list_system_grants_for_group": "rule:admin_required or (role:reader and system_scope:all)"
# DEPRECATED
# "identity:list_system_grants_for_group":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:list_system_grants_for_group":"rule:admin_required or
# (role:reader and system_scope:all)".
# The assignment API is now aware of system scope and default roles.
# Check if a group has a role on the system.
# ['HEAD', 'GET'] /v3/system/groups/{group_id}/roles/{role_id}
# Intended scope(s): system, project
#"identity:check_system_grant_for_group": "rule:admin_required or (role:reader and system_scope:all)"
# DEPRECATED
# "identity:check_system_grant_for_group":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:check_system_grant_for_group":"rule:admin_required or
# (role:reader and system_scope:all)".
# The assignment API is now aware of system scope and default roles.
# Grant a group a role on the system.
# ['PUT'] /v3/system/groups/{group_id}/roles/{role_id}
# Intended scope(s): system, project
#"identity:create_system_grant_for_group": "rule:admin_required"
# DEPRECATED
# "identity:create_system_grant_for_group":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:create_system_grant_for_group":"rule:admin_required".
# The assignment API is now aware of system scope and default roles.
# Remove a role from a group on the system.
# ['DELETE'] /v3/system/groups/{group_id}/roles/{role_id}
# Intended scope(s): system, project
#"identity:revoke_system_grant_for_group": "rule:admin_required"
# DEPRECATED
# "identity:revoke_system_grant_for_group":"rule:admin_required" has
# been deprecated since S in favor of
# "identity:revoke_system_grant_for_group":"rule:admin_required".
# The assignment API is now aware of system scope and default roles.
# Show group details.
# GET /v3/groups/{group_id}
# HEAD /v3/groups/{group_id}
# Intended scope(s): system, domain, project
#"identity:get_group": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"
# DEPRECATED
# "identity:get_group":"rule:admin_required" has been deprecated since
# S in favor of "identity:get_group":"(rule:admin_required) or
# (role:reader and system_scope:all) or (role:reader and
# domain_id:%(target.group.domain_id)s)".
# The group API is now aware of system scope and default roles.
# List groups.
# GET /v3/groups
# HEAD /v3/groups
# Intended scope(s): system, domain, project
#"identity:list_groups": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"
# DEPRECATED
# "identity:list_groups":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_groups":"(rule:admin_required) or
# (role:reader and system_scope:all) or (role:reader and
# domain_id:%(target.group.domain_id)s)".
# The group API is now aware of system scope and default roles.
# List groups to which a user belongs.
# GET /v3/users/{user_id}/groups
# HEAD /v3/users/{user_id}/groups
# Intended scope(s): system, domain, project
#"identity:list_groups_for_user": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s"
# DEPRECATED
# "identity:list_groups_for_user":"rule:admin_or_owner" has been
# deprecated since S in favor of
# "identity:list_groups_for_user":"(rule:admin_required) or
# (role:reader and system_scope:all) or (role:reader and
# domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s".
# The group API is now aware of system scope and default roles.
# Create group.
# POST /v3/groups
# Intended scope(s): system, domain, project
#"identity:create_group": "rule:admin_required"
# DEPRECATED
# "identity:create_group":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_group":"rule:admin_required".
# The group API is now aware of system scope and default roles.
# Update group.
# PATCH /v3/groups/{group_id}
# Intended scope(s): system, domain, project
#"identity:update_group": "rule:admin_required"
# DEPRECATED
# "identity:update_group":"rule:admin_required" has been deprecated
# since S in favor of "identity:update_group":"rule:admin_required".
# The group API is now aware of system scope and default roles.
# Delete group.
# DELETE /v3/groups/{group_id}
# Intended scope(s): system, domain, project
#"identity:delete_group": "rule:admin_required"
# DEPRECATED
# "identity:delete_group":"rule:admin_required" has been deprecated
# since S in favor of "identity:delete_group":"rule:admin_required".
# The group API is now aware of system scope and default roles.
# List members of a specific group.
# GET /v3/groups/{group_id}/users
# HEAD /v3/groups/{group_id}/users
# Intended scope(s): system, domain, project
#"identity:list_users_in_group": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)"
# DEPRECATED
# "identity:list_users_in_group":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:list_users_in_group":"(rule:admin_required) or
# (role:reader and system_scope:all) or (role:reader and
# domain_id:%(target.group.domain_id)s)".
# The group API is now aware of system scope and default roles.
# Remove user from group.
# DELETE /v3/groups/{group_id}/users/{user_id}
# Intended scope(s): system, domain, project
#"identity:remove_user_from_group": "rule:admin_required"
# DEPRECATED
# "identity:remove_user_from_group":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:remove_user_from_group":"rule:admin_required".
# The group API is now aware of system scope and default roles.
# Check whether a user is a member of a group.
# HEAD /v3/groups/{group_id}/users/{user_id}
# GET /v3/groups/{group_id}/users/{user_id}
# Intended scope(s): system, domain, project
#"identity:check_user_in_group": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)"
# DEPRECATED
# "identity:check_user_in_group":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:check_user_in_group":"(rule:admin_required) or
# (role:reader and system_scope:all) or (role:reader and
# domain_id:%(target.group.domain_id)s and
# domain_id:%(target.user.domain_id)s)".
# The group API is now aware of system scope and default roles.
# Add user to group.
# PUT /v3/groups/{group_id}/users/{user_id}
# Intended scope(s): system, domain, project
#"identity:add_user_to_group": "rule:admin_required"
# DEPRECATED
# "identity:add_user_to_group":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:add_user_to_group":"rule:admin_required".
# The group API is now aware of system scope and default roles.
# Create identity provider.
# PUT /v3/OS-FEDERATION/identity_providers/{idp_id}
# Intended scope(s): system, project
#"identity:create_identity_provider": "rule:admin_required"
# DEPRECATED
# "identity:create_identity_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:create_identity_provider":"rule:admin_required".
# The identity provider API is now aware of system scope and default
# roles.
# List identity providers.
# GET /v3/OS-FEDERATION/identity_providers
# HEAD /v3/OS-FEDERATION/identity_providers
# Intended scope(s): system, project
#"identity:list_identity_providers": "rule:admin_required or (role:reader and system_scope:all)"
# DEPRECATED
# "identity:list_identity_providers":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:list_identity_providers":"rule:admin_required or
# (role:reader and system_scope:all)".
# The identity provider API is now aware of system scope and default
# roles.
# Get identity provider.
# GET /v3/OS-FEDERATION/identity_providers/{idp_id}
# HEAD /v3/OS-FEDERATION/identity_providers/{idp_id}
# Intended scope(s): system, project
#"identity:get_identity_provider": "rule:admin_required or (role:reader and system_scope:all)"
# DEPRECATED
# "identity:get_identity_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:get_identity_provider":"rule:admin_required or
# (role:reader and system_scope:all)".
# The identity provider API is now aware of system scope and default
# roles.
# Update identity provider.
# PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}
# Intended scope(s): system, project
#"identity:update_identity_provider": "rule:admin_required"
# DEPRECATED
# "identity:update_identity_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:update_identity_provider":"rule:admin_required".
# The identity provider API is now aware of system scope and default
# roles.
# Delete identity provider.
# DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}
# Intended scope(s): system, project
#"identity:delete_identity_provider": "rule:admin_required"
# DEPRECATED
# "identity:delete_identity_provider":"rule:admin_required" has been
# deprecated since S in favor of
# "identity:delete_identity_provider":"rule:admin_required".
# The identity provider API is now aware of system scope and default
# roles.
# Get information about an association between two roles. When a
# relationship exists between a prior role and an implied role and the
# prior role is assigned to a user, the user also assumes the implied
# role.
# GET /v3/roles/{prior_role_id}/implies/{implied_role_id}
# Intended scope(s): system, project
#"identity:get_implied_role": "rule:admin_required or (role:reader and system_scope:all)"
# DEPRECATED
# "identity:get_implied_role":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:get_implied_role":"rule:admin_required or (role:reader and
# system_scope:all)".
# The implied role API is now aware of system scope and default roles.
# List associations between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role. This
# will return all the implied roles that would be assumed by the user
# who gets the specified prior role.
# GET /v3/roles/{prior_role_id}/implies
# HEAD /v3/roles/{prior_role_id}/implies
# Intended scope(s): system, project
#"identity:list_implied_roles": "rule:admin_required or (role:reader and system_scope:all)"
# DEPRECATED
# "identity:list_implied_roles":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:list_implied_roles":"rule:admin_required or (role:reader
# and system_scope:all)".
# The implied role API is now aware of system scope and default roles.
# Create an association between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role.
# PUT /v3/roles/{prior_role_id}/implies/{implied_role_id}
# Intended scope(s): system, project
#"identity:create_implied_role": "rule:admin_required"
# DEPRECATED
# "identity:create_implied_role":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:create_implied_role":"rule:admin_required".
# The implied role API is now aware of system scope and default roles.
# Delete the association between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role. Removing
# the association will cause that effect to be eliminated.
# DELETE /v3/roles/{prior_role_id}/implies/{implied_role_id}
# Intended scope(s): system, project
#"identity:delete_implied_role": "rule:admin_required"
# DEPRECATED
# "identity:delete_implied_role":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:delete_implied_role":"rule:admin_required".
# The implied role API is now aware of system scope and default roles.
# List all associations between two roles in the system. When a
# relationship exists between a prior role and an implied role and the
# prior role is assigned to a user, the user also assumes the implied
# role.
# GET /v3/role_inferences
# HEAD /v3/role_inferences
# Intended scope(s): system, project
#"identity:list_role_inference_rules": "rule:admin_required or (role:reader and system_scope:all)"
# DEPRECATED
# "identity:list_role_inference_rules":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:list_role_inference_rules":"rule:admin_required or
# (role:reader and system_scope:all)".
# The implied role API is now aware of system scope and default roles.
# Check an association between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role.
# HEAD /v3/roles/{prior_role_id}/implies/{implied_role_id}
# Intended scope(s): system, project
#"identity:check_implied_role": "rule:admin_required or (role:reader and system_scope:all)"
# DEPRECATED
# "identity:check_implied_role":"rule:admin_required" has been
# deprecated since T in favor of
# "identity:check_implied_role":"rule:admin_required or (role:reader
# and system_scope:all)".
# The implied role API is now aware of system scope and default roles.
# Get limit enforcement model.
# GET /v3/limits/model
# HEAD /v3/limits/model
# Intended scope(s): system, domain, project
#"identity:get_limit_model": ""
# Show limit details.
# GET /v3/limits/{limit_id}
# HEAD /v3/limits/{limit_id}
# Intended scope(s): system, domain, project
#"identity:get_limit": "rule:admin_required or (role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)"
# List limits.
# GET /v3/limits
# HEAD /v3/limits
# Intended scope(s): system, domain, project
#"identity:list_limits": ""
# Create limits.
# POST /v3/limits
# Intended scope(s): system, project
#"identity:create_limits": "rule:admin_required"
# Update limit.
# PATCH /v3/limits/{limit_id}
# Intended scope(s): system, project
#"identity:update_limit": "rule:admin_required"
# Delete limit.
# DELETE /v3/limits/{limit_id}
# Intended scope(s): system, project
#"identity:delete_limit": "rule:admin_required"
# Create a new federated mapping containing one or more sets of rules.
# PUT /v3/OS-FEDERATION/mappings/{mapping_id}
# Intended scope(s): system, project
#"identity:create_mapping": "rule:admin_required"
# DEPRECATED
# "identity:create_mapping":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_mapping":"rule:admin_required".
# The federated mapping API is now aware of system scope and default
# roles.
# Get a federated mapping.
# GET /v3/OS-FEDERATION/mappings/{mapping_id}
# HEAD /v3/OS-FEDERATION/mappings/{mapping_id}
# Intended scope(s): system, project
#"identity:get_mapping": "rule:admin_required or (role:reader and system_scope:all)"
# DEPRECATED
# "identity:get_mapping":"rule:admin_required" has been deprecated
# since S in favor of "identity:get_mapping":"rule:admin_required or
# (role:reader and system_scope:all)".
# The federated mapping API is now aware of system scope and default
# roles.
# List federated mappings.
# GET /v3/OS-FEDERATION/mappings
# HEAD /v3/OS-FEDERATION/mappings
# Intended scope(s): system, project
#"identity:list_mappings": "rule:admin_required or (role:reader and system_scope:all)"
# DEPRECATED
# "identity:list_mappings":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_mappings":"rule:admin_required or
# (role:reader and system_scope:all)".
# The federated mapping API is now aware of system scope and default
# roles.
# Delete a federated mapping.
# DELETE /v3/OS-FEDERATION/mappings/{mapping_id}
# Intended scope(s): system, project
#"identity:delete_mapping": "rule:admin_required"
# DEPRECATED
# "identity:delete_mapping":"rule:admin_required" has been deprecated
# since S in favor of "identity:delete_mapping":"rule:admin_required".
# The federated mapping API is now aware of system scope and default
# roles.
# Update a federated mapping.
# PATCH /v3/OS-FEDERATION/mappings/{mapping_id}
# Intended scope(s): system, project
#"identity:update_mapping": "rule:admin_required"
# DEPRECATED
# "identity:update_mapping":"rule:admin_required" has been deprecated
# since S in favor of "identity:update_mapping":"rule:admin_required".
# The federated mapping API is now aware of system scope and default
# roles.
# Show policy details.
# GET /v3/policies/{policy_id}
# Intended scope(s): system, project
#"identity:get_policy": "rule:admin_required or (role:reader and system_scope:all)"
# DEPRECATED
# "identity:get_policy":"rule:admin_required" has been deprecated
# since T in favor of "identity:get_policy":"rule:admin_required or
# (role:reader and system_scope:all)".
# The policy API is now aware of system scope and default roles.
# List policies.
# GET /v3/policies
# Intended scope(s): system, project
#"identity:list_policies": "rule:admin_required or (role:reader and system_scope:all)"
# DEPRECATED
# "identity:list_policies":"rule:admin_required" has been deprecated
# since T in favor of "identity:list_policies":"rule:admin_required or
# (role:reader and system_scope:all)".
# The policy API is now aware of system scope and default roles.
# Create policy.
# POST /v3/policies
# Intended scope(s): system, project
#"identity:create_policy": "rule:admin_required"
# DEPRECATED
# "identity:create_policy":"rule:admin_required" has been deprecated
# since T in favor of "identity:create_policy":"rule:admin_required".
# The policy API is now aware of system scope and default roles.
# Update policy.
# PATCH /v3/policies/{policy_id}
# Intended scope(s): system, project
#"identity:update_policy": "rule:admin_required"
# DEPRECATED
# "identity:update_policy":"rule:admin_required" has been deprecated
# since T in favor of "identity:update_policy":"rule:admin_required".
# The policy API is now aware of system scope and default roles.
# Delete policy.
# DELETE /v3/policies/{policy_id}
# Intended scope(s): system, project
#"identity:delete_policy": "rule:admin_required"
# DEPRECATED
# "identity:delete_policy":"rule:admin_required" has been deprecated
# since T in favor of "identity:delete_policy":"rule:admin_required".
# The policy API is now aware of system scope and default roles.
# Associate a policy to a specific endpoint.
# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# Intended scope(s): system, project
#"identity:create_policy_association_for_endpoint": "rule:admin_required"
# DEPRECATED
# "identity:create_policy_association_for_endpoint":"rule:admin_requir
# ed" has been deprecated since T in favor of "identity:create_policy_
# association_for_endpoint":"rule:admin_required".
# The policy association API is now aware of system scope and default
# roles.
# Check policy association for endpoint.
# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# Intended scope(s): system, project
#"identity:check_policy_association_for_endpoint": "rule:admin_required or (role:reader and system_scope:all)"
# DEPRECATED
# "identity:check_policy_association_for_endpoint":"rule:admin_require
# d" has been deprecated since T in favor of "identity:check_policy_as
# sociation_for_endpoint":"rule:admin_required or (role:reader and
# system_scope:all)".
# The policy association API is now aware of system scope and default
# roles.
# Delete policy association for endpoint.
# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# Intended scope(s): system, project
#"identity:delete_policy_association_for_endpoint": "rule:admin_required"
# DEPRECATED
# "identity:delete_policy_association_for_endpoint":"rule:admin_requir
# ed" has been deprecated since T in favor of "identity:delete_policy_
# association_for_endpoint":"rule:admin_required".
# The policy association API is now aware of system scope and default
# roles.
# Associate a policy to a specific service.
# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# Intended scope(s): system, project
#"identity:create_policy_association_for_service": "rule:admin_required"
# DEPRECATED
# "identity:create_policy_association_for_service":"rule:admin_require
# d" has been deprecated since T in favor of "identity:create_policy_a
# ssociation_for_service":"rule:admin_required".
# The policy association API is now aware of system scope and default
# roles.
# Check policy association for service.
# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# Intended scope(s): system, project
#"identity:check_policy_association_for_service": "rule:admin_required or (role:reader and system_scope:all)"
# DEPRECATED
# "identity:check_policy_association_for_service":"rule:admin_required
# " has been deprecated since T in favor of
# "identity:check_policy_association_for_service":"rule:admin_required
# or (role:reader and system_scope:all)".
# The policy association API is now aware of system scope and default
# roles.
# Delete policy association for service.
# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# Intended scope(s): system, project
|
|
#"identity:delete_policy_association_for_service": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:delete_policy_association_for_service":"rule:admin_require
|
|
# d" has been deprecated since T in favor of "identity:delete_policy_a
|
|
# ssociation_for_service":"rule:admin_required".
|
|
# The policy association API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Associate a policy to a specific region and service combination.
|
|
# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:create_policy_association_for_region_and_service": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:create_policy_association_for_region_and_service":"rule:ad
|
|
# min_required" has been deprecated since T in favor of "identity:crea
|
|
# te_policy_association_for_region_and_service":"rule:admin_required".
|
|
# The policy association API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Check policy association for region and service.
|
|
# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
|
|
# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:check_policy_association_for_region_and_service": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:check_policy_association_for_region_and_service":"rule:adm
|
|
# in_required" has been deprecated since T in favor of "identity:check
|
|
# _policy_association_for_region_and_service":"rule:admin_required or
|
|
# (role:reader and system_scope:all)".
|
|
# The policy association API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Delete policy association for region and service.
|
|
# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:delete_policy_association_for_region_and_service": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:delete_policy_association_for_region_and_service":"rule:ad
|
|
# min_required" has been deprecated since T in favor of "identity:dele
|
|
# te_policy_association_for_region_and_service":"rule:admin_required".
|
|
# The policy association API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Get policy for endpoint.
|
|
# GET /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
|
|
# HEAD /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
|
|
# Intended scope(s): system, project
|
|
#"identity:get_policy_for_endpoint": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:get_policy_for_endpoint":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:get_policy_for_endpoint":"rule:admin_required or
|
|
# (role:reader and system_scope:all)".
|
|
# The policy association API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# List endpoints for policy.
|
|
# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
|
|
# Intended scope(s): system, project
|
|
#"identity:list_endpoints_for_policy": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_endpoints_for_policy":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:list_endpoints_for_policy":"rule:admin_required or
|
|
# (role:reader and system_scope:all)".
|
|
# The policy association API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Show project details.
|
|
# GET /v3/projects/{project_id}
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:get_project": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
|
|
|
|
# DEPRECATED
|
|
# "identity:get_project":"rule:admin_required or
|
|
# project_id:%(target.project.id)s" has been deprecated since S in
|
|
# favor of "identity:get_project":"(rule:admin_required) or
|
|
# (role:reader and system_scope:all) or (role:reader and
|
|
# domain_id:%(target.project.domain_id)s) or
|
|
# project_id:%(target.project.id)s".
|
|
# The project API is now aware of system scope and default roles.
|
|
|
|
# List projects.
|
|
# GET /v3/projects
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:list_projects": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_projects":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:list_projects":"(rule:admin_required)
|
|
# or (role:reader and system_scope:all) or (role:reader and
|
|
# domain_id:%(target.domain_id)s)".
|
|
# The project API is now aware of system scope and default roles.
|
|
|
|
# List projects for user.
|
|
# GET /v3/users/{user_id}/projects
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:list_user_projects": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_user_projects":"rule:admin_or_owner" has been
|
|
# deprecated since S in favor of
|
|
# "identity:list_user_projects":"(rule:admin_required) or (role:reader
|
|
# and system_scope:all) or (role:reader and
|
|
# domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s".
|
|
# The project API is now aware of system scope and default roles.
|
|
|
|
# Create project.
|
|
# POST /v3/projects
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:create_project": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:create_project":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:create_project":"rule:admin_required".
|
|
# The project API is now aware of system scope and default roles.
|
|
|
|
# Update project.
|
|
# PATCH /v3/projects/{project_id}
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:update_project": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:update_project":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:update_project":"rule:admin_required".
|
|
# The project API is now aware of system scope and default roles.
|
|
|
|
# Delete project.
|
|
# DELETE /v3/projects/{project_id}
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:delete_project": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:delete_project":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:delete_project":"rule:admin_required".
|
|
# The project API is now aware of system scope and default roles.
|
|
|
|
# List tags for a project.
|
|
# GET /v3/projects/{project_id}/tags
|
|
# HEAD /v3/projects/{project_id}/tags
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:list_project_tags": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_project_tags":"rule:admin_required or
|
|
# project_id:%(target.project.id)s" has been deprecated since T in
|
|
# favor of "identity:list_project_tags":"(rule:admin_required) or
|
|
# (role:reader and system_scope:all) or (role:reader and
|
|
# domain_id:%(target.project.domain_id)s) or
|
|
# project_id:%(target.project.id)s".
|
|
# The project API is now aware of system scope and default roles.
|
|
|
|
# Check if project contains a tag.
|
|
# GET /v3/projects/{project_id}/tags/{value}
|
|
# HEAD /v3/projects/{project_id}/tags/{value}
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:get_project_tag": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
|
|
|
|
# DEPRECATED
|
|
# "identity:get_project_tag":"rule:admin_required or
|
|
# project_id:%(target.project.id)s" has been deprecated since T in
|
|
# favor of "identity:get_project_tag":"(rule:admin_required) or
|
|
# (role:reader and system_scope:all) or (role:reader and
|
|
# domain_id:%(target.project.domain_id)s) or
|
|
# project_id:%(target.project.id)s".
|
|
# The project API is now aware of system scope and default roles.
|
|
|
|
# Replace all tags on a project with the new set of tags.
|
|
# PUT /v3/projects/{project_id}/tags
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:update_project_tags": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:update_project_tags":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:update_project_tags":"rule:admin_required".
|
|
# The project API is now aware of system scope and default roles.
|
|
|
|
# Add a single tag to a project.
|
|
# PUT /v3/projects/{project_id}/tags/{value}
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:create_project_tag": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:create_project_tag":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:create_project_tag":"rule:admin_required".
|
|
# The project API is now aware of system scope and default roles.
|
|
|
|
# Remove all tags from a project.
|
|
# DELETE /v3/projects/{project_id}/tags
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:delete_project_tags": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:delete_project_tags":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:delete_project_tags":"rule:admin_required".
|
|
# The project API is now aware of system scope and default roles.
|
|
|
|
# Delete a specified tag from project.
|
|
# DELETE /v3/projects/{project_id}/tags/{value}
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:delete_project_tag": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:delete_project_tag":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:delete_project_tag":"rule:admin_required".
|
|
# The project API is now aware of system scope and default roles.
|
|
|
|
# List projects allowed to access an endpoint.
|
|
# GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
|
|
# Intended scope(s): system, project
|
|
#"identity:list_projects_for_endpoint": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_projects_for_endpoint":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:list_projects_for_endpoint":"rule:admin_required or
|
|
# (role:reader and system_scope:all)".
|
|
# As of the Train release, the project endpoint API now understands
|
|
# default roles and system-scoped tokens, making the API more granular
|
|
# by default without compromising security. The new policy defaults
|
|
# account for these changes automatically. Be sure to take these new
|
|
# defaults into consideration if you are relying on overrides in your
|
|
# deployment for the project endpoint API.
|
|
|
|
# Allow project to access an endpoint.
|
|
# PUT /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:add_endpoint_to_project": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:add_endpoint_to_project":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:add_endpoint_to_project":"rule:admin_required".
|
|
# As of the Train release, the project endpoint API now understands
|
|
# default roles and system-scoped tokens, making the API more granular
|
|
# by default without compromising security. The new policy defaults
|
|
# account for these changes automatically. Be sure to take these new
|
|
# defaults into consideration if you are relying on overrides in your
|
|
# deployment for the project endpoint API.
|
|
|
|
# Check if a project is allowed to access an endpoint.
|
|
# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
|
|
# HEAD /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:check_endpoint_in_project": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:check_endpoint_in_project":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:check_endpoint_in_project":"rule:admin_required or
|
|
# (role:reader and system_scope:all)".
|
|
# As of the Train release, the project endpoint API now understands
|
|
# default roles and system-scoped tokens, making the API more granular
|
|
# by default without compromising security. The new policy defaults
|
|
# account for these changes automatically. Be sure to take these new
|
|
# defaults into consideration if you are relying on overrides in your
|
|
# deployment for the project endpoint API.
|
|
|
|
# List the endpoints a project is allowed to access.
|
|
# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints
|
|
# Intended scope(s): system, project
|
|
#"identity:list_endpoints_for_project": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_endpoints_for_project":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:list_endpoints_for_project":"rule:admin_required or
|
|
# (role:reader and system_scope:all)".
|
|
# As of the Train release, the project endpoint API now understands
|
|
# default roles and system-scoped tokens, making the API more granular
|
|
# by default without compromising security. The new policy defaults
|
|
# account for these changes automatically. Be sure to take these new
|
|
# defaults into consideration if you are relying on overrides in your
|
|
# deployment for the project endpoint API.
|
|
|
|
# Remove access to an endpoint from a project that has previously been
|
|
# given explicit access.
|
|
# DELETE /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:remove_endpoint_from_project": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:remove_endpoint_from_project":"rule:admin_required" has
|
|
# been deprecated since T in favor of
|
|
# "identity:remove_endpoint_from_project":"rule:admin_required".
|
|
# As of the Train release, the project endpoint API now understands
|
|
# default roles and system-scoped tokens, making the API more granular
|
|
# by default without compromising security. The new policy defaults
|
|
# account for these changes automatically. Be sure to take these new
|
|
# defaults into consideration if you are relying on overrides in your
|
|
# deployment for the project endpoint API.
|
|
|
|
# Create federated protocol.
|
|
# PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:create_protocol": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:create_protocol":"rule:admin_required" has been deprecated
|
|
# since S in favor of
|
|
# "identity:create_protocol":"rule:admin_required".
|
|
# The federated protocol API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Update federated protocol.
|
|
# PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:update_protocol": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:update_protocol":"rule:admin_required" has been deprecated
|
|
# since S in favor of
|
|
# "identity:update_protocol":"rule:admin_required".
|
|
# The federated protocol API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Get federated protocol.
|
|
# GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:get_protocol": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:get_protocol":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:get_protocol":"rule:admin_required or
|
|
# (role:reader and system_scope:all)".
|
|
# The federated protocol API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# List federated protocols.
|
|
# GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
|
|
# Intended scope(s): system, project
|
|
#"identity:list_protocols": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_protocols":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:list_protocols":"rule:admin_required
|
|
# or (role:reader and system_scope:all)".
|
|
# The federated protocol API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Delete federated protocol.
|
|
# DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:delete_protocol": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:delete_protocol":"rule:admin_required" has been deprecated
|
|
# since S in favor of
|
|
# "identity:delete_protocol":"rule:admin_required".
|
|
# The federated protocol API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Show region details.
|
|
# GET /v3/regions/{region_id}
|
|
# HEAD /v3/regions/{region_id}
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:get_region": ""
|
|
|
|
# List regions.
|
|
# GET /v3/regions
|
|
# HEAD /v3/regions
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:list_regions": ""
|
|
|
|
# Create region.
|
|
# POST /v3/regions
|
|
# PUT /v3/regions/{region_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:create_region": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:create_region":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:create_region":"rule:admin_required".
|
|
# The region API is now aware of system scope and default roles.
|
|
|
|
# Update region.
|
|
# PATCH /v3/regions/{region_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:update_region": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:update_region":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:update_region":"rule:admin_required".
|
|
# The region API is now aware of system scope and default roles.
|
|
|
|
# Delete region.
|
|
# DELETE /v3/regions/{region_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:delete_region": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:delete_region":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:delete_region":"rule:admin_required".
|
|
# The region API is now aware of system scope and default roles.
|
|
|
|
# Show registered limit details.
|
|
# GET /v3/registered_limits/{registered_limit_id}
|
|
# HEAD /v3/registered_limits/{registered_limit_id}
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:get_registered_limit": ""
|
|
|
|
# List registered limits.
|
|
# GET /v3/registered_limits
|
|
# HEAD /v3/registered_limits
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:list_registered_limits": ""
|
|
|
|
# Create registered limits.
|
|
# POST /v3/registered_limits
|
|
# Intended scope(s): system, project
|
|
#"identity:create_registered_limits": "rule:admin_required"
|
|
|
|
# Update registered limit.
|
|
# PATCH /v3/registered_limits/{registered_limit_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:update_registered_limit": "rule:admin_required"
|
|
|
|
# Delete registered limit.
|
|
# DELETE /v3/registered_limits/{registered_limit_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:delete_registered_limit": "rule:admin_required"
|
|
|
|
# List revocation events.
|
|
# GET /v3/OS-REVOKE/events
|
|
# Intended scope(s): system, project
|
|
#"identity:list_revoke_events": "rule:service_or_admin"
|
|
|
|
# Show role details.
|
|
# GET /v3/roles/{role_id}
|
|
# HEAD /v3/roles/{role_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:get_role": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:get_role":"rule:admin_required" has been deprecated since
|
|
# S in favor of "identity:get_role":"rule:admin_required or
|
|
# (role:reader and system_scope:all)".
|
|
# The role API is now aware of system scope and default roles.
|
|
|
|
# List roles.
|
|
# GET /v3/roles
|
|
# HEAD /v3/roles
|
|
# Intended scope(s): system, project
|
|
#"identity:list_roles": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_roles":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:list_roles":"rule:admin_required or
|
|
# (role:reader and system_scope:all)".
|
|
# The role API is now aware of system scope and default roles.
|
|
|
|
# Create role.
|
|
# POST /v3/roles
|
|
# Intended scope(s): system, project
|
|
#"identity:create_role": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:create_role":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:create_role":"rule:admin_required".
|
|
# The role API is now aware of system scope and default roles.
|
|
|
|
# Update role.
|
|
# PATCH /v3/roles/{role_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:update_role": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:update_role":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:update_role":"rule:admin_required".
|
|
# The role API is now aware of system scope and default roles.
|
|
|
|
# Delete role.
|
|
# DELETE /v3/roles/{role_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:delete_role": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:delete_role":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:delete_role":"rule:admin_required".
|
|
# The role API is now aware of system scope and default roles.
|
|
|
|
# Show domain role.
|
|
# GET /v3/roles/{role_id}
|
|
# HEAD /v3/roles/{role_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:get_domain_role": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:get_domain_role":"rule:admin_required" has been deprecated
|
|
# since T in favor of "identity:get_domain_role":"rule:admin_required
|
|
# or (role:reader and system_scope:all)".
|
|
# The role API is now aware of system scope and default roles.
|
|
|
|
# List domain roles.
|
|
# GET /v3/roles?domain_id={domain_id}
|
|
# HEAD /v3/roles?domain_id={domain_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:list_domain_roles": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_domain_roles":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:list_domain_roles":"rule:admin_required or (role:reader
|
|
# and system_scope:all)".
|
|
# The role API is now aware of system scope and default roles.
|
|
|
|
# Create domain role.
|
|
# POST /v3/roles
|
|
# Intended scope(s): system, project
|
|
#"identity:create_domain_role": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:create_domain_role":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:create_domain_role":"rule:admin_required".
|
|
# The role API is now aware of system scope and default roles.
|
|
|
|
# Update domain role.
|
|
# PATCH /v3/roles/{role_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:update_domain_role": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:update_domain_role":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:update_domain_role":"rule:admin_required".
|
|
# The role API is now aware of system scope and default roles.
|
|
|
|
# Delete domain role.
|
|
# DELETE /v3/roles/{role_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:delete_domain_role": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:delete_domain_role":"rule:admin_required" has been
|
|
# deprecated since T in favor of
|
|
# "identity:delete_domain_role":"rule:admin_required".
|
|
# The role API is now aware of system scope and default roles.
|
|
|
|
# List role assignments.
|
|
# GET /v3/role_assignments
|
|
# HEAD /v3/role_assignments
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:list_role_assignments": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_role_assignments":"rule:admin_required" has been
|
|
# deprecated since S in favor of
|
|
# "identity:list_role_assignments":"(rule:admin_required) or
|
|
# (role:reader and system_scope:all) or (role:reader and
|
|
# domain_id:%(target.domain_id)s)".
|
|
# The assignment API is now aware of system scope and default roles.
|
|
|
|
# List all role assignments for a given tree of hierarchical projects.
|
|
# GET /v3/role_assignments?include_subtree
|
|
# HEAD /v3/role_assignments?include_subtree
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:list_role_assignments_for_tree": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_role_assignments_for_tree":"rule:admin_required" has
|
|
# been deprecated since T in favor of
|
|
# "identity:list_role_assignments_for_tree":"(rule:admin_required) or
|
|
# (role:reader and system_scope:all) or (role:reader and
|
|
# domain_id:%(target.domain_id)s)".
|
|
# The assignment API is now aware of system scope and default roles.
|
|
|
|
# Show service details.
|
|
# GET /v3/services/{service_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:get_service": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:get_service":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:get_service":"rule:admin_required or
|
|
# (role:reader and system_scope:all)".
|
|
# The service API is now aware of system scope and default roles.
|
|
|
|
# List services.
|
|
# GET /v3/services
|
|
# Intended scope(s): system, project
|
|
#"identity:list_services": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_services":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:list_services":"rule:admin_required or
|
|
# (role:reader and system_scope:all)".
|
|
# The service API is now aware of system scope and default roles.
|
|
|
|
# Create service.
|
|
# POST /v3/services
|
|
# Intended scope(s): system, project
|
|
#"identity:create_service": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:create_service":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:create_service":"rule:admin_required".
|
|
# The service API is now aware of system scope and default roles.
|
|
|
|
# Update service.
|
|
# PATCH /v3/services/{service_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:update_service": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:update_service":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:update_service":"rule:admin_required".
|
|
# The service API is now aware of system scope and default roles.
|
|
|
|
# Delete service.
|
|
# DELETE /v3/services/{service_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:delete_service": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:delete_service":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:delete_service":"rule:admin_required".
|
|
# The service API is now aware of system scope and default roles.
|
|
|
|
# Create federated service provider.
|
|
# PUT /v3/OS-FEDERATION/service_providers/{service_provider_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:create_service_provider": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:create_service_provider":"rule:admin_required" has been
|
|
# deprecated since S in favor of
|
|
# "identity:create_service_provider":"rule:admin_required".
|
|
# The service provider API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# List federated service providers.
|
|
# GET /v3/OS-FEDERATION/service_providers
|
|
# HEAD /v3/OS-FEDERATION/service_providers
|
|
# Intended scope(s): system, project
|
|
#"identity:list_service_providers": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_service_providers":"rule:admin_required" has been
|
|
# deprecated since S in favor of
|
|
# "identity:list_service_providers":"rule:admin_required or
|
|
# (role:reader and system_scope:all)".
|
|
# The service provider API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Get federated service provider.
|
|
# GET /v3/OS-FEDERATION/service_providers/{service_provider_id}
|
|
# HEAD /v3/OS-FEDERATION/service_providers/{service_provider_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:get_service_provider": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:get_service_provider":"rule:admin_required" has been
|
|
# deprecated since S in favor of
|
|
# "identity:get_service_provider":"rule:admin_required or (role:reader
|
|
# and system_scope:all)".
|
|
# The service provider API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Update federated service provider.
|
|
# PATCH /v3/OS-FEDERATION/service_providers/{service_provider_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:update_service_provider": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:update_service_provider":"rule:admin_required" has been
|
|
# deprecated since S in favor of
|
|
# "identity:update_service_provider":"rule:admin_required".
|
|
# The service provider API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# Delete federated service provider.
|
|
# DELETE /v3/OS-FEDERATION/service_providers/{service_provider_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:delete_service_provider": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:delete_service_provider":"rule:admin_required" has been
|
|
# deprecated since S in favor of
|
|
# "identity:delete_service_provider":"rule:admin_required".
|
|
# The service provider API is now aware of system scope and default
|
|
# roles.
|
|
|
|
# DEPRECATED
|
|
# "identity:revocation_list" has been deprecated since T.
|
|
# The identity:revocation_list policy isn't used to protect any APIs
|
|
# in keystone now that the revocation list API has been deprecated and
|
|
# only returns a 410 or 403 depending on how keystone is configured.
|
|
# This policy can be safely removed from policy files.
|
|
# List revoked PKI tokens.
|
|
# GET /v3/auth/tokens/OS-PKI/revoked
|
|
# Intended scope(s): system, project
|
|
#"identity:revocation_list": "rule:service_or_admin"
|
|
|
|
# Check a token.
|
|
# HEAD /v3/auth/tokens
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:check_token": "(role:reader and system_scope:all) or rule:token_subject"
|
|
|
|
# DEPRECATED
|
|
# "identity:check_token":"rule:admin_or_token_subject" has been
|
|
# deprecated since T in favor of "identity:check_token":"(role:reader
|
|
# and system_scope:all) or rule:token_subject".
|
|
# The token API is now aware of system scope and default roles.
|
|
|
|
# Validate a token.
|
|
# GET /v3/auth/tokens
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:validate_token": "(role:reader and system_scope:all) or rule:service_role or rule:token_subject"
|
|
|
|
# DEPRECATED
|
|
# "identity:validate_token":"rule:service_admin_or_token_subject" has
|
|
# been deprecated since T in favor of
|
|
# "identity:validate_token":"(role:reader and system_scope:all) or
|
|
# rule:service_role or rule:token_subject".
|
|
# The token API is now aware of system scope and default roles.
|
|
|
|
# Revoke a token.
|
|
# DELETE /v3/auth/tokens
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:revoke_token": "(role:admin and system_scope:all) or rule:token_subject"
|
|
|
|
# DEPRECATED
|
|
# "identity:revoke_token":"rule:admin_or_token_subject" has been
|
|
# deprecated since T in favor of "identity:revoke_token":"(role:admin
|
|
# and system_scope:all) or rule:token_subject".
|
|
# The token API is now aware of system scope and default roles.
|
|
|
|
# Create trust. Only the user named as trustor in the request body may
# create it: the rule matches the caller's user_id against
# trust.trustor_user_id.
|
|
# POST /v3/OS-TRUST/trusts
|
|
# Intended scope(s): project
|
|
#"identity:create_trust": "user_id:%(trust.trustor_user_id)s"
|
|
|
|
# List trusts (unfiltered). Only an admin or a system-scoped reader may
# list every trust; non-admin users are served by the trustor- and
# trustee-filtered rules below.
|
|
# GET /v3/OS-TRUST/trusts
|
|
# HEAD /v3/OS-TRUST/trusts
|
|
# Intended scope(s): system, project
|
|
#"identity:list_trusts": "rule:admin_required or (role:reader and system_scope:all)"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_trusts":"rule:admin_required" has been deprecated
|
|
# since T in favor of "identity:list_trusts":"rule:admin_required or
|
|
# (role:reader and system_scope:all)".
|
|
# The trust API is now aware of system scope and default roles.
|
|
|
|
# List trusts for trustor.
|
|
# GET /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}
|
|
# HEAD /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:list_trusts_for_trustor": "(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s)"
|
|
|
|
# List trusts for trustee.
|
|
# GET /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}
|
|
# HEAD /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:list_trusts_for_trustee": "(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s)"
|
|
|
|
# List roles delegated by a trust.
|
|
# GET /v3/OS-TRUST/trusts/{trust_id}/roles
|
|
# HEAD /v3/OS-TRUST/trusts/{trust_id}/roles
|
|
# Intended scope(s): system, project
|
|
#"identity:list_roles_for_trust": "(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_roles_for_trust":"user_id:%(target.trust.trustor_user
|
|
# _id)s or user_id:%(target.trust.trustee_user_id)s" has been
|
|
# deprecated since T in favor of
|
|
# "identity:list_roles_for_trust":"(rule:admin_required) or
|
|
# (role:reader and system_scope:all or
|
|
# user_id:%(target.trust.trustor_user_id)s or
|
|
# user_id:%(target.trust.trustee_user_id)s)".
|
|
# The trust API is now aware of system scope and default roles.
|
|
|
|
# Check if trust delegates a particular role.
|
|
# GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
|
|
# HEAD /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:get_role_for_trust": "(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)"
|
|
|
|
# DEPRECATED
|
|
# "identity:get_role_for_trust":"user_id:%(target.trust.trustor_user_i
|
|
# d)s or user_id:%(target.trust.trustee_user_id)s" has been deprecated
|
|
# since T in favor of
|
|
# "identity:get_role_for_trust":"(rule:admin_required) or (role:reader
|
|
# and system_scope:all or user_id:%(target.trust.trustor_user_id)s or
|
|
# user_id:%(target.trust.trustee_user_id)s)".
|
|
# The trust API is now aware of system scope and default roles.
|
|
|
|
# Revoke trust. Only an admin or the trustor may revoke it; the trustee is
# not granted this by default.
|
|
# DELETE /v3/OS-TRUST/trusts/{trust_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:delete_trust": "rule:admin_required or user_id:%(target.trust.trustor_user_id)s"
|
|
|
|
# DEPRECATED
|
|
# "identity:delete_trust":"user_id:%(target.trust.trustor_user_id)s"
|
|
# has been deprecated since T in favor of
|
|
# "identity:delete_trust":"rule:admin_required or
|
|
# user_id:%(target.trust.trustor_user_id)s".
|
|
# The trust API is now aware of system scope and default roles.
|
|
|
|
# Get trust.
|
|
# GET /v3/OS-TRUST/trusts/{trust_id}
|
|
# HEAD /v3/OS-TRUST/trusts/{trust_id}
|
|
# Intended scope(s): system, project
|
|
#"identity:get_trust": "(rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)"
|
|
|
|
# DEPRECATED
|
|
# "identity:get_trust":"user_id:%(target.trust.trustor_user_id)s or
|
|
# user_id:%(target.trust.trustee_user_id)s" has been deprecated since
|
|
# T in favor of "identity:get_trust":"(rule:admin_required) or
|
|
# (role:reader and system_scope:all or
|
|
# user_id:%(target.trust.trustor_user_id)s or
|
|
# user_id:%(target.trust.trustee_user_id)s)".
|
|
# The trust API is now aware of system scope and default roles.
|
|
|
|
# Show user details.
|
|
# GET /v3/users/{user_id}
|
|
# HEAD /v3/users/{user_id}
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:get_user": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"
|
|
|
|
# DEPRECATED
|
|
# "identity:get_user":"rule:admin_or_owner" has been deprecated since
|
|
# S in favor of "identity:get_user":"(rule:admin_required) or
|
|
# (role:reader and system_scope:all) or (role:reader and
|
|
# token.domain.id:%(target.user.domain_id)s) or
|
|
# user_id:%(target.user.id)s".
|
|
# The user API is now aware of system scope and default roles.
|
|
|
|
# List users.
|
|
# GET /v3/users
|
|
# HEAD /v3/users
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:list_users": "(rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"
|
|
|
|
# DEPRECATED
|
|
# "identity:list_users":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:list_users":"(rule:admin_required) or
|
|
# (role:reader and system_scope:all) or (role:reader and
|
|
# domain_id:%(target.domain_id)s)".
|
|
# The user API is now aware of system scope and default roles.
|
|
|
|
# List all projects a user has access to via role assignments.
# (Empty check string: any valid token passes the policy check; the
# result is determined by the caller's own token, not by policy.)
|
|
# GET /v3/auth/projects
|
|
#"identity:list_projects_for_user": ""
|
|
|
|
# List all domains a user has access to via role assignments.
# (Empty check string: any valid token passes the policy check; the
# result is determined by the caller's own token, not by policy.)
|
|
# GET /v3/auth/domains
|
|
#"identity:list_domains_for_user": ""
|
|
|
|
# Create a user.
|
|
# POST /v3/users
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:create_user": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:create_user":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:create_user":"rule:admin_required".
|
|
# The user API is now aware of system scope and default roles. The check
# string is identical before and after; what changed is the intended
# scope(s) the rule is enforced under, not who it admits.
|
|
|
|
# Update a user, including administrative password resets.
|
|
# PATCH /v3/users/{user_id}
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:update_user": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:update_user":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:update_user":"rule:admin_required".
|
|
# The user API is now aware of system scope and default roles. The check
# string is identical before and after; what changed is the intended
# scope(s) the rule is enforced under, not who it admits.
|
|
|
|
# Delete a user.
|
|
# DELETE /v3/users/{user_id}
|
|
# Intended scope(s): system, domain, project
|
|
#"identity:delete_user": "rule:admin_required"
|
|
|
|
# DEPRECATED
|
|
# "identity:delete_user":"rule:admin_required" has been deprecated
|
|
# since S in favor of "identity:delete_user":"rule:admin_required".
|
|
# The user API is now aware of system scope and default roles. The check
# string is identical before and after; what changed is the intended
# scope(s) the rule is enforced under, not who it admits.
|
|
|