openstack/keystone-specs
Code Issues Proposed changes

Merge "add v3 API documentation"

Browse Source
This commit is contained in:
Jenkins 2014-10-22 02:33:38 +00:00 committed by Gerrit Code Review
commit 944af4d2cc
12 changed files with 9507 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

261
api/identity-api-v3-os-endpoint-policy.rst Normal file
View File

@ -0,0 +1,261 @@
OpenStack Identity API v3 OS-ENDPOINT-POLICY Extension
======================================================
This extension provides associations between service endpoints and
policies that are already stored in the Identity server and referenced
by policy ID. Such associations enable an endpoint to request the
appropriate policy for itself. Three types of association are supported:
- A policy associated to a specific endpoint
- A policy associated to any endpoint of a given service type in a
given region
- A policy associated to any endpoint of a given service type
When an endpoint requests the appropriate policy for itself, the
extension will look for an association *in the order given above* (which
is essentially in order from most specific to least specific) and select
the first one it finds. For region associations, any parent regions will
also be examined in ascending order. No combination of polices will
occur.
Policy-Endpoint Associations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Create association with endpoint
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
PUT /policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
Creates an association between the policy and the endpoint. If another
association already existed for the specified endpoint, this will
replace that association. Any body supplied with this API will be
ignored.
Response:
::
Status: 204 No Content
Check association with endpoint
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
GET /policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
Verifies the existence of an association between a policy and an
endpoint. A HEAD version of this API is also supported.
Response:
::
Status: 204 No Content
Delete association with endpoint
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
DELETE /policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
Deletes an association between the policy and the endpoint.
Response:
::
Status: 204 No Content
Create association with service
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
PUT /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
Creates an association between the policy and the service. If another
association already existed for the specified service, this will replace
that association. Any body supplied with this API will be ignored.
Response:
::
Status: 204 No Content
Check association with service
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
GET /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
Verifies the existence of an association between a policy and a service.
A HEAD version of this API is also supported.
Response:
::
Status: 204 No Content
Delete association with service
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
DELETE /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
Deletes an association between the policy and the service.
Response:
::
Status: 204 No Content
Create association with service in a region
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
PUT /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
Creates an association between the policy and the service in the given
region. If another association already existed for the specified service
and region, this will replace that association. Any body supplied with
this API will be ignored.
Response:
::
Status: 204 No Content
Check association with service in a region
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
GET /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
Verifies the existence of an association between a policy and a service
in the given region. A HEAD version of this API is also supported.
Response:
::
Status: 204 No Content
Delete association with service in a region
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
DELETE /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
Deletes an association between the policy and the service in the given
region.
Response:
::
Status: 204 No Content
List effective endpoint associations for policy
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
GET /policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
Returns all the endpoints that are currently associated with a specific
policy via any of the association methods.
Response:
::
Status: 200 OK
{
"endpoints": [
{
"id": "--endpoint-id--",
"interface": "public",
"links": {
"self": "http://identity:35357/v3/endpoints/--endpoint-id--"
},
"region": "north",
"service_id": "--service-id--",
"url": "http://identity:35357/"
},
{
"id": "--endpoint-id--",
"interface": "internal",
"links": {
"self": "http://identity:35357/v3/endpoints/--endpoint-id--"
},
"region": "south",
"service_id": "--service-id--",
"url": "http://identity:35357/"
}
],
"links": {
"next": null,
"previous": null,
"self": "http://identity:35357/v3/OS-ENDPOINT-POLICY/policies/{policy_id}/endpoints"
}
}
Get effective policy associated with endpoint
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
GET /endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
Returns the policy that is currently associated with the given endpoint,
by working through the ordered sequence of methods of association. The
first association that is found will be returned. If the region of the
endpoint has a parent, then region associations will be examined up the
region tree in ascending order.
Response:
::
Status: 200 OK
{
"policy": {
"blob": "--serialized-blob--",
"id": "--policy-id--",
"links": {
"self": "http://identity:35357/v3/policies/--policy-id--"
},
"type": "--serialization-mime-type--"
}
}
Check if a policy is associated with endpoint
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
HEAD /endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
Checks if a policy is currently associated with the given endpoint.
Response:
::
Status: 200 OK

680
api/identity-api-v3-os-ep-filter-ext.rst Normal file
View File

@ -0,0 +1,680 @@
OpenStack Identity API v3 OS-EP-FILTER Extension
================================================
This extension enables creation of ad-hoc catalogs for each
project-scoped token request. To do so, this extension uses either
static project-endpoint associations or dynamic custom endpoints groups
to associate service endpoints with projects.
What's New in Version 1.1
-------------------------
These features are not yet considered stable (expected September 4th,
2014).
- Introduced support for Endpoint Groups
API Resources
-------------
*New in version 1.1*
Endpoint Group
~~~~~~~~~~~~~~
Represents a dynamic collection of service endpoints having the same
characteristics, such as service\_id, interface, or region. Indeed, any
endpoint attribute could be used as part of a filter.
A classic use case is to filter endpoints based on region. For example,
suppose a user wants to filter service endpoints returned in the service
catalog by region, the following endpoint group may be used:
::
{
"endpoint_group": {
"description": "Example Endpoint Group",
"filters": {
"region_id": "e68c72"
},
"name": "EP-GROUP-1"
}
}
This implies an Endpoint Group with filtering criteria of the form:
::
region_id = "e68c72"
API
---
Project-Endpoint Associations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If a valid X-Auth-Token token in not present in the HTTP header and/or
the user does not have the right authorization a HTTP 401 Unauthorized
is returned.
Create Association
^^^^^^^^^^^^^^^^^^
::
PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint``
Modifies the endpoint resource adding an association between the project
and the endpoint.
Response:
::
Status: 204 No Content
Check Association
^^^^^^^^^^^^^^^^^
::
HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint``
Verifies the existence of an association between a project and an
endpoint.
Response:
::
Status: 204 No Content
List Associations for Project
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
GET /OS-EP-FILTER/projects/{project_id}/endpoints
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoints``
Returns all the endpoints that are currently associated with a specific
project.
Response:
::
Status: 200 OK
{
"endpoints": [
{
"id": "6fedc0",
"interface": "public",
"url": "http://identity:35357/",
"region": "north",
"links": {
"self": "http://identity:35357/v3/endpoints/6fedc0"
},
"service_id": "1b501a"
},
{
"id": "6fedc0",
"interface": "internal",
"region": "south",
"url": "http://identity:35357/",
"links": {
"self": "http://identity:35357/v3/endpoints/6fedc0"
},
"service_id": "1b501a"
}
],
"links": {
"self": "http://identity:35357/v3/OS-EP-FILTER/projects/{project_id}/endpoints",
"previous": null,
"next": null
}
}
Delete Association
^^^^^^^^^^^^^^^^^^
::
DELETE /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint``
Eliminates a previously created association between a project and an
endpoint.
Response:
::
Status: 204 No Content
Get projects associated with endpoint
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
GET /OS-EP-FILTER/endpoints/{endpoint_id}/projects
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_projects``
Returns a list of projects that are currently associated with the given
endpoint.
Response:
::
Status: 200 OK
{
"projects": [
{
"domain_id": "1789d1",
"enabled": true,
"id": "263fd9",
"links": {
"self": "http://identity:35357/v3/projects/263fd9"
},
"name": "a project name 1",
"description": "a project description 1"
},
{
"domain_id": "1789d1",
"enabled": true,
"id": "61a1b7",
"links": {
"self": "http://identity:35357/v3/projects/61a1b7"
},
"name": "a project name 2",
"description": "a project description 2"
}
],
"links": {
"self": "http://identity:35357/v3/OS-EP-FILTER/endpoints/6fedc0/projects",
"previous": null,
"next": null
}
}
Endpoint Groups
~~~~~~~~~~~~~~~
*New in version 1.1*
Required attributes:
- ``name`` (string)
User-facing name of the service.
- ``filters`` (object)
Describes the filtering performed by the endpoint group. The filter used
must be an ``endpoint`` property, such as ``interface``, ``service_id``,
``region_id`` and ``enabled``. Note that if using ``interface`` as a
filter, the only available values are ``public``, ``internal`` and
``admin``.
Optional attributes:
- ``description`` (string)
User-facing description of the service.
Create Endpoint Group Filter
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
POST /OS-EP-FILTER/endpoint_groups
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_groups``
Request:
::
{
"endpoint_group": {
"description": "endpoint group description",
"filters": {
"interface": "admin",
"service_id": "1b501a"
}
"name": "endpoint group name",
}
}
Response:
::
Status: 201 Created
{
"endpoint_group": {
"description": "endpoint group description",
"filters": {
"interface": "admin",
"service_id": "1b501a"
},
"id": "ac4861",
"links": {
"self": "http://localhost:35357/v3/OS-EP-FILTER/endpoint_groups/ac4861"
},
"name": "endpoint group name"
}
}
Get Endpoint Group
^^^^^^^^^^^^^^^^^^
::
GET /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group``
Response:
::
Status: 200 OK
{
"endpoint_group": {
"description": "endpoint group description",
"filters": {
"interface": "admin",
"service_id": "1b501a"
},
"id": "ac4861",
"links": {
"self": "http://localhost:35357/v3/OS-EP-FILTER/endpoint_groups/ac4861"
},
"name": "endpoint group name"
}
}
Check Endpoint Group
^^^^^^^^^^^^^^^^^^^^
::
HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group``
Response:
::
Status: 200 OK
Update Endpoint Group
^^^^^^^^^^^^^^^^^^^^^
::
PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group``
The request block is the same as the one for create endpoint group,
except that only the attributes that are being updated need to be
included.
Request:
::
{
"endpoint_group": {
"description": "endpoint group description",
"filters": {
"interface": "admin",
"service_id": "1b501a"
},
"name": "endpoint group name"
}
}
Response:
::
Status: 200 OK
{
"endpoint_group": {
"description": "endpoint group description",
"filters": {
"interface": "admin",
"service_id": "1b501a"
},
"id": "ac4861",
"links": {
"self": "http://localhost:35357/v3/OS-EP-FILTER/endpoint_groups/ac4861"
},
"name": "endpoint group name"
}
}
Remove Endpoint Group
^^^^^^^^^^^^^^^^^^^^^
::
DELETE /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group``
Response:
::
Status: 204 No Content
List All Endpoint Groups
^^^^^^^^^^^^^^^^^^^^^^^^
::
GET /OS-EP-FILTER/endpoint_groups
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_groups``
Response:
::
Status: 200 OK
{
"endpoint_groups": [
{
"endpoint_group": {
"description": "endpoint group description #1",
"filters": {
"interface": "admin",
"service_id": "1b501a"
},
"id": "ac4861",
"links": {
"self": "http://localhost:35357/v3/OS-EP-FILTER/endpoint_groups/ac4861"
},
"name": "endpoint group name #1"
}
},
{
"endpoint_group": {
"description": "endpoint group description #2",
"filters": {
"interface": "admin"
},
"id": "3de68c",
"links": {
"self": "http://localhost:35357/v3/OS-EP-FILTER/endpoint_groups/3de68c"
},
"name": "endpoint group name #2"
}
}
],
"links": {
"self": "https://identity:35357/v3/OS-EP-FILTER/endpoint_groups",
"previous": null,
"next": null
}
}
List Endpoint Groups Associated with Project
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
GET /OS-EP-FILTER/endpoint_groups/projects/{project_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint_groups``
Response:
::
Status: 200 OK
{
"endpoint_groups": [
{
"endpoint_group": {
"description": "endpoint group description #1",
"filters": {
"interface": "admin",
"service_id": "1b501a"
},
"id": "ac4861",
"links": {
"self": "http://localhost:35357/v3/OS-EP-FILTER/endpoint_groups/ac4861"
},
"name": "endpoint group name #1"
}
}
],
"links": {
"self": "https://identity:35357/v3/OS-EP-FILTER/endpoint_groups",
"previous": null,
"next": null
}
}
Project to Endpoint Group Relationship
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Create Endpoint Group to Project Association
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
PUT /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_project``
Response:
::
Status: 204 No Content
Get Endpoint Group to Project Association
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
GET /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_project``
Response:
::
Status: 200 OK
{
"project": {
"domain_id": "1789d1",
"enabled": true,
"id": "263fd9",
"links": {
"self": "http://identity:35357/v3/projects/263fd9"
},
"name": "project name #1",
"description": "project description #1"
}
}
Check Endpoint Group to Project Association
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_project``
Response:
::
Status: 200 OK
Delete Endpoint Group to Project Association
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
DELETE /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_project``
Response:
::
Status: 204 No Content
List Projects Associated with Endpoint Group
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
GET /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_projects``
Response:
::
Status: 200 OK
{
"projects": [
{
"domain_id": "1789d1",
"enabled": true,
"id": "263fd9",
"links": {
"self": "http://identity:35357/v3/projects/263fd9"
},
"name": "a project name 1",
"description": "a project description 1"
},
{
"domain_id": "1789d1",
"enabled": true,
"id": "61a1b7",
"links": {
"self": "http://identity:35357/v3/projects/61a1b7"
},
"name": "a project name 2",
"description": "a project description 2"
}
],
"links": {
"self": "http://identity:35357/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects",
"previous": null,
"next": null
}
}
List Service Endpoints Associated with Endpoint Group
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
GET /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_endpoints``
Response:
::
Status: 200 OK
{
"endpoints": [
{
"enabled": true,
"id": "6fedc0"
"interface": "admin",
"legacy_endpoint_id": "6fedc0",
"links": {
"self": "http://identity:35357/v3/endpoints/6fedc0"
},
"region": "RegionOne",
"service_id": "1b501a",
"url": "http://localhost:9292"
},
{
"enabled": true,
"id": "b501aa"
"interface": "internal",
"legacy_endpoint_id": "b501aa",
"links": {
"self": "http://identity:35357/v3/endpoints/b501aa"
},
"region": "RegionOne",
"service_id": "1b501a",
"url": "http://localhost:9292"
},
{
"enabled": true,
"id": "b7c573"
"interface": "public",
"legacy_endpoint_id": "b7c573",
"links": {
"self": "http://identity:35357/v3/endpoints/b7c573"
},
"region": "RegionOne",
"service_id": "1b501a",
"url": "http://localhost:9292"
}
],
"links": {
"self": "http://identity:35357/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints",
"previous": null,
"next": null
}
}

1400
api/identity-api-v3-os-federation-ext.rst Normal file
View File

File diff suppressed because it is too large Load Diff

344
api/identity-api-v3-os-inherit-ext.rst Normal file
View File

@ -0,0 +1,344 @@
OpenStack Identity API v3 OS-INHERIT Extension
==============================================
Provide an ability for projects to inherit roles from their owning
domain. This extension requires v3.1 of the Identity API.
API
---
The following additional APIs are supported by this extension:
Assign role to user on projects owned by a domain
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
PUT /OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_role_inherited_to_projects``
The inherited role is only applied to the owned projects (both existing
and future projects), and will not appear as a role in a domain scoped
token.
Response:
::
Status: 204 No Content
Assign role to group on projects owned by a domain
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
PUT /OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
Relationship:
``http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_group_role_inherited_to_projects``
The inherited role is only applied to the owned projects (both existing
and future projects), and will not appear as a role in a domain scoped
token.
Response:
::
Status: 204 No Content
List user's inherited project roles on a domain
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
GET /OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
Relationship:
``http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_user_roles_inherited_to_projects``
The list only contains those role assignments to the domain that were
specified as being inherited to projects within that domain.
Response:
::
Status: 200 OK
{
"roles": [
{
"id": "--role-id--",
"links": {
"self": "http://identity:35357/v3/roles/--role-id--"
},
"name": "--role-name--",
},
{
"id": "--role-id--",
"links": {
"self": "http://identity:35357/v3/roles/--role-id--"
},
"name": "--role-name--"
}
],
"links": {
"self": "http://identity:35357/v3/OS-INHERIT/domains/--domain_id--/
users/--user_id--/roles/inherited_to_projects",
"previous": null,
"next": null
}
}
List group's inherited project roles on domain
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
GET /OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
Relationship:
``'http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_group_roles_inherited_to_projects``
The list only contains those role assignments to the domain that were
specified as being inherited to projects within that domain.
Response:
::
Status: 200 OK
{
"roles": [
{
"id": "--role-id--",
"links": {
"self": "http://identity:35357/v3/roles/--role-id--"
},
"name": "--role-name--",
},
{
"id": "--role-id--",
"links": {
"self": "http://identity:35357/v3/roles/--role-id--"
},
"name": "--role-name--"
}
],
"links": {
"self": "http://identity:35357/v3/OS-INHERIT/domains/--domain_id--/
groups/--group_id--/roles/inherited_to_projects",
"previous": null,
"next": null
}
}
Check if user has an inherited project role on domain
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
HEAD /OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_role_inherited_to_projects``
Response:
::
Status: 204 No Content
Check if group has an inherited project role on domain
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
HEAD /OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
Relationship:
``http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_group_role_inherited_to_projects``
Response:
::
Status: 204 No Content
Revoke an inherited project role from user on domain
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
DELETE /OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_role_inherited_to_projects``
Response:
::
Status: 204 No Content
Revoke an inherited project role from group on domain
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
DELETE /OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
Relationship:
``http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_group_role_inherited_to_projects``
Response:
::
Status: 204 No Content
Modified APIs
-------------
The following APIs are modified by this extension.
List effective role assignments
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
GET /role_assignments
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/rel/role_assignments``
The scope section in the list response is extended to allow the
representation of role assignments that are inherited to projects.
Response:
::
Status: 200 OK
{
"role_assignments": [
{
"links": {
"assignment": "http://identity:35357/v3/OS-INHERIT/
domains/--domain-id--/users/--user-id--/
roles/--role-id--/inherited_to_projects"
},
"role": {
"id": "--role-id--"
},
"scope": {
"domain": {
"id": "--domain-id--"
},
"OS-INHERIT:inherited_to": ["projects"]
},
"user": {
"id": "--user-id--"
}
},
{
"group": {
"id": "--group-id--"
},
"links": {
"assignment": "http://identity:35357/v3/projects/--project-id--/
groups/--group-id--/roles/--role-id--"
},
"role": {
"id": "--role-id--"
},
"scope": {
"project": {
"id": "--project-id--"
}
}
}
],
"links": {
"self": "http://identity:35357/v3/role_assignments",
"previous": null,
"next": null
}
}
An additional query filter ``scope.OS-INHERIT:inherited_to`` is
supported to allow for filtering based on role assignments that are
inherited. The only value of ``scope.OS-INHERIT:inherited_to`` that is
currently supported is ``projects``, indicating that this role is
inherited to all projects of the owning domain.
If the query\_string ``effective`` is specified then the list of
effective assignments at the user, project and domain level allows for
the effects of both group membership as well as inheritance from the
parent domain (for role assignments that were made using OS-INHERIT
assignment APIs). Since, like group membership, the effects of
inheritance have already been allowed for, the role assignment entities
themselves that specify the inheritance will not be returned in the
collection.
An example response for an API call with the query\_string ``effective``
specified is given below:
Response:
::
Status: 200 OK
{
"role_assignments": [
{
"links": {
"assignment": "http://identity:35357/v3/OS-INHERIT/
domains/--domain-id--/users/--user-id--/
roles/--role-id--/inherited_to_projects"
},
"role": {
"id": "--role-id--"
},
"scope": {
"project": {
"id": "--project-id--"
}
},
"user": {
"id": "--user-id--"
}
},
{
"links": {
"assignment": "http://identity:35357/v3/projects/--project-id--/
groups/--group-id--/roles/--role-id--",
"membership": "http://identity:35357/v3/groups/--group-id--/
users/--user-id--"
},
"role": {
"id": "--role-id--"
},
"scope": {
"project": {
"id": "--project-id--"
}
},
"user": {
"id": "--user-id--"
}
}
],
"links": {
"self": "http://identity:35357/v3/role_assignments?effective",
"previous": null,
"next": null
}
}

524
api/identity-api-v3-os-kds-ext.rst Normal file
View File

@ -0,0 +1,524 @@
OpenStack Identity API v3 Key Distribution Service Extension
============================================================
Key Distribution Server (KDS) serves as a trusted third party that is
responsible for generation and secure distribution of signing and
encryption keys to communicating parties. These shared keys allow
messages to be exchanged between communicating parties with message
authentication, integrity and confidentiality. KDS is an integral part
of the implementation of RPC message security.
To establish a trusted relationship between a communicating party and
KDS, a long term shared key needs to be assigned to the party by a
properly authorized user, such as a cloud administrator. Assigning a key
to a party requires assigning an identity to that party in KDS. An
identity is comprised of a unique party name and the long term shared
key that it is associated with. This party name is used to identify a
party when it communicates with KDS or another party.
KDS is designed to enable secure messages to be exchanged between two
individual parties as well as between one individual party and a group
party. When a party wants to obtain keys to be used for communication
with another party, it makes an authenticated request to KDS for a
ticket. KDS returns a ticket to the requesting party that is encrypted
with the long term shared key that is associated with that party. This
encryption ensures that the ticket can only be decrypted by one who
possesses the long term key, which should only be the associated party
and KDS itself.
A ticket that has been issued by KDS contains a copy of the shared
encryption and signing keys. These keys are for the source party, which
is the party that requested the ticket. The ticket also contains a
payload that is intended for the destination party, which is the party
that the source party wants to communicate with. This payload contains
the information that is needed for the destination party to be able to
derive the shared encryption and signing keys. When the destination
party is an individual, the payload is encrypted with the long term
shared key that is associated with the destination party. When the
destination party is a group, the payload is encrypted with a shared
group key that KDS makes available to all members of the group. This
encryption allows the destination party to trust that the information in
the payload was supplied by KDS. When the source party is ready to
communicate with the destination party, it sends this encrypted payload
to the destination party along with whatever data it has protected with
the shared signing and encryption keys. The destination party can then
decrypt the payload and derive the shared encryption and signing keys
using the information in the payload. This results in both parties
having a copy of the shared signing and encryption keys that are trusted
as being issued by KDS. These shared keys can then be used by the
destination party to authenticate and decrypt the data sent by the
source party.
When a source party needs to send secure messages to multiple
recipients, an authorized user can define a group for those recipients
in KDS. Membership in a group is determined by comparing a party name
with the group name. If the name of a party matches ``<group name>.*``,
it is considered to be a member. For example, a party named
``scheduler.host.example.com`` would be considered a member of a group
named ``scheduler``. This matches up with the way that message queues
are named within OpenStack.
When a source party requests a ticket where the destination party is a
group, KDS generates a short-lived group key and assigns it to the
group. This group key is used to encrypt the payload in the ticket,
which contains the information that the destination party uses to derive
the shared signing and encryption keys. When an individual destination
party needs to decrypt the payload that it receives from the source
party as a part of a group message, it makes an authenticated request to
KDS to obtain the short-lived group key. If the requester is a member of
the target group, KDS provides the short-lived group key encrypted with
the long term shared key associated with the individual destination
party. The group key can then be decrypted by the individual destination
party, allowing it to decrypt the payload and derive the shared signing
and encryption keys that can be used to authenticate and decrypt the
data sent by the source party.
When keys are obtained to send a message to a group, it is important to
note that all members of the group and the sender share the signing and
encryption keys. This makes it impossible for an individual destination
party to determine if a message was truly sent by the source party or
another destination party who is a member of the group. The only
assurance that a destination party has is that a message was sent by a
party who has possession of the shared signing and encryption keys. This
requires that all parties within a group trust each other to not
impersonate the source party.
The signing and encryption keys that are shared between communicating
parties are short-lived. The lifetime of these keys is defined by an
validity period that is set by KDS when it issues the ticket. A
suggested reasonable default validity period is 15 minutes, though it is
left up to the implementation to determine the appropriate validity
period. Once the validity period for the keys expires, a party should
refuse to use those keys anymore to prevent using keys that may have
been compromised. This requires the source party to request a new ticket
from KDS to get a new set of keys. If desired, an implementation could
choose to implement a grace period to account for clock skew between
parties. This grace period would allow a destination party to accept
messages that use recently expired keys. If a grace period is used, it
is recommended that the duration be kept small, such as 5 minutes or
less.
The principal advantage of using a key server compared to a pure public
key based system is that the encryption and signing key exchange can be
regulated by the key server. Since the key server is actively involved
in distributing keys to the communicating parties, it has the ability to
apply access control and deny communication between arbitrary peers in
the system when keys are requested. This allows for centralized access
control, prevents unauthorized communication and avoids the need to
perform post-authentication access control and policy look-ups on the
receiving side.
API Considerations
------------------
The Key Distribution Server (KDS) requires that all ticket requests are
authenticated and data is encrypted where appropriate.
All timestamp values used in the API must be specified as a UTC ISO 8601
extended format date/time string that includes microseconds. An example
of a properly formatted timestamp is ``2012-03-26T10:01:01.720000``.
The default algorithms for message authentication and encryption are
respectively HMAC-SHA-256 and AES-128-CBC. Therefore the default block
size is 128bit.
The source party that obtains a ticket is responsible for sending the
encrypted payload ``esek`` to the destination party. The source and
destination strings used when requesting the ticket also need to be sent
to the destination party to allow it to derive the shared signing end
encryption keys. Transferring this data to the destination party is
handled outside of the API described in this document, as it's expected
to be performed by the messaging implementation.
The key derivation used to generate the shared signing and encryption
keys uses the Hashed Message Authentication Code (HMAC)-based key
derivation function (HKDF) standard as described in RFC 5869. The
destination party needs to use the HKDF ``expand`` function using the
information that it receives from the source party in order to complete
derivation of the shared signing and encryption keys. The inputs to the
HKDF ``expand`` function are as follows:
::
HKDF-Expand(esek.key, info, 256)
The ``info`` input for the HKDF ``expand`` function is a string that
concatenates the source, destination, and ``esek.timestamp`` strings
using a ``,`` separator between each element. An example of a valid
``info`` string where ``scheduler.host.example.com`` is the source,
``compute.host.example.com`` is the destination, and
``2012-03-26T10:01:01.720000`` is the ``esek.timestamp`` is as follows:
::
scheduler.host.example.com,compute.host.example.com,2012-03-26T10:01:01.720000
The output of the HKDF expand function is an array of bytes of 256 bit
length. The first half is used as the signing key, and the second half
is used as the encryption key.
The requests to create and delete long term keys should be restricted
such that only a properly authorized user, such as a cloud administrator
is allowed to successfully perform the operations. The authentication
and authorization for these requests is left up to the implementation,
though it expected that one would leverage the Identity API for these
purposes.
Resources and Operations
------------------------
Create Key
^^^^^^^^^^
::
PUT /v1/keys/{name}
Create a long term key in the KDS.
Request
'''''''
The request resource name is the party associated with the key, and the
body consists of just the key.
- ``key`` - A base64 encoded 128 bit long cryptographic random key.
{ "key": "TXkgcHJlY2lvdXNzcy4u..." }
Response
''''''''
The response contains a name and generation value. The generation value
will only be changed if a new key is set. If the request sets the key to
the same value that already exists, the existing generation value will
be returned in the response. This makes the request idempotent.
- ``name`` - The party name associated with the key.
- ``generation`` - A unique integer used to identify the key.
Status: 201 Created Location: /v1/keys/--key-name--
{ "name": "--key-name--", "generation": 2 }
Delete Key
^^^^^^^^^^
::
DELETE /v1/keys/{name}
Delete a key from KDS.
Request
'''''''
The request body is empty.
Response
''''''''
::
Status: 204 No Content
Generate Ticket
^^^^^^^^^^^^^^^
::
POST /v1/tickets
A ticket is generated to facilitate messaging between a ``source`` and a
``destination``.
Request
'''''''
A generate ticket request comprises metadata supplied as a base64
encoded JSON object and a signature.
::
{
"metadata": "Zhn8yhasf8hihkf...",
"signature": "c2lnbmF0dXJl..."
}
Metadata:
A base64 encoded JSON object containing the following key/value pairs:
- ``source`` - The identity requesting a ticket.
- ``destination`` - The target for which the ticket will be valid.
- ``timestamp`` - Current timestamp from the requester.
- ``nonce`` - Random single use data.
A timestamp and a nonce are necessary to avoid replay attacks.
::
{
"source": "scheduler.host.example.com",
"destination": "compute.host.example.com",
"timestamp": "2012-03-26T10:01:01.720000",
"nonce": 1234567890
}
Signature:
A base64 encoded HMAC Signature over the base64 encoded request metadata
object.
::
Base64encode(HMAC(SigningKey, RequestMetadata))
The key used for the signature is the requester's long term key. The KDS
should verify the signature upon receipt of the request. This requires
that the KDS access the ``source`` from the request metadata in order to
lookup the associated long term key that can be used to verify the
signature. The KDS should not access any other data contained in the
request metadata before verifying the signature. Failure to verify the
signature leaves the KDS open to issuing a ticket to a party that is
impersonating the source.
Response
''''''''
The response always returns a triplet of metadata, encrypted ticket and
signature.
::
Status: 200 OK
{
"metadata": "Zhn8yhasf8hihkf...",
"ticket": "ZW5jcnlwdGVkIHRpY2tldA==",
"signature": "c2lnbmF0dXJl..."
}
Metadata:
A base64 encoded JSON object containing the following key/value pairs:
- ``source`` - The identity of the requester.
- ``destination`` - The target for which the ticket is valid.
- ``expiration`` - Timestamp of when the ticket expires.
{ "source": "scheduler.host.example.com", "destination":
"compute.host.example.com", "expiration":
"2012-03-26T11:01:01.720000" }
Ticket:
The ticket is encrypted with the source's long term key and contains a
base64 encoded JSON object containing the following key/value pairs:
- ``skey`` - The newly generated base64 encoded message signing key.
- ``ekey`` - The newly generated base64 encoded message encryption key.
- ``esek`` - Encrypted signing and encryption key pair for the
receiver.
{ "skey": "ZjhkuYZH8y87rzhgi7..." "ekey": "Fk8yksa8z8zKtakc8s..."
"esek": "KBo8fajfo8ysad5hq2..." }
The ``esek`` is encrypted with the destination's long term key and
contains a base64 encoded JSON object containing the following key/value
pairs:
- ``key`` - The base64 encoded random key used to derive the signing
and encryption keys.
- ``timestamp`` - Timestamp of when the key was created.
- ``ttl`` - An integer containing the validity length of the key in
seconds.
{ "key": "Afa8sad2hgsd7asv7ad..." "timestamp":
"2012-03-26T10:01:01.720000" "ttl": 28800 }
The ``key`` and ``timestamp`` are used as inputs to the HKDF ``expand``
function to derive the signing and encryption keys as described in the
``API Considerations`` section of this document.
The ``timestamp`` plus ``ttl`` should be equivalent to the
``expiration`` timestamp contained in the response metadata.
Signature:
A base64 encoded HMAC signature over the concatenation of the base64
encoded response metadata object and base64 encoded ticket object.
::
Base64encode(HMAC(SigningKey, ResponseMetadata + Ticket))
The key used for the signature is the requester's long term key. The
requester should verify the signature upon receipt of the response
before accessing any data contained in the response metadata or the
ticket. Failure to verify the signature leaves the requester open to
using metadata that was not actually issued by the KDS.
Create Group
^^^^^^^^^^^^
::
PUT /v1/groups/{name}
Create a group in the KDS.
Membership in groups is based on the party name. For example, a group
named ``scheduler`` will implicitly include any party name starting with
``scheduler.`` as a member (e.g. scheduler.host.example.com).
Request
'''''''
The request body is empty.
Response
''''''''
The response returns the group name from the request.
::
Status: 201 Created
Location: /v1/groups/--group-name--
{
"name": "--group-name--"
}
Delete Group
^^^^^^^^^^^^
::
DELETE /v1/groups/{name}
Delete a group from the KDS.
Request
'''''''
The request body is empty.
Response
''''''''
::
Status: 204 No Content
Retrieve Group Key
^^^^^^^^^^^^^^^^^^
::
POST /v1/groups
When a ticket is requested where the destination is a group, a group key
is generated that is valid for a predetermined amount of time. Any
member of the group can retrieve the key as long as it is still valid.
Group keys are necessary to verify signatures and decrypt messages that
have a group name as the target.
Request
'''''''
A group key retrieval request is identical to a generate ticket request
except the destination is a group name instead of an individual party
name.
Response
''''''''
The response always returns a triplet of metadata, encrypted group key
and signature.
::
Status: 200 OK
{
"metadata": "Zhn8yhasf8hihkf...",
"group_key": "ZW5jcnlwdGVkIGdyb3VwIGtleQ==",
"signature": "c2lnbmF0dXJl"
}
Metadata:
A base64 encoded JSON object containing the following key/value pairs:
- ``source`` - The identity of the requester.
- ``destination`` - The target for which the ticket is valid.
- ``expiration`` - Timestamp of when the ticket expires.
{ "source": "api.host.example.com", "destination": "scheduler",
"expiration": "2012-03-26T11:01:01.720000" }
Group key:
The group key is encrypted with the requester's long term key.
Signature:
A base64 encoded HMAC signature over the concatenation of the base64
encoded response metadata object and the group key.
::
Base64encode(HMAC(SigningKey, ResponseMetadata + GroupKey))
The key used for the signature is the requester's long term key. The
requester should verify the signature upon receipt of the response
before accessing any data contained in the response metadata or the
group key. Failure to verify the signature leaves the requester open to
using data that was not actually issued by the KDS.
HTTP Status Codes
~~~~~~~~~~~~~~~~~
KDS uses the following HTTP status codes to communicate specific success
and failure conditions to the client.
200 OK
^^^^^^
This status code is returned in response to a successful ``POST``
request to generate a ticket or a retrieve a group key.
201 Created
^^^^^^^^^^^
This status code is returned in response to a successful ``PUT`` request
to create a group or long term key.
204 No Content
^^^^^^^^^^^^^^
This status code is returned in response to a successful ``DELETE``
request to delete a group or long term key. No content body is returned.
401 Unauthorized
^^^^^^^^^^^^^^^^
This status code is returned when either authentication has not been
performed, or authentication fails.
403 Forbidden
^^^^^^^^^^^^^
This status code is returned when the requester field does not match
either the sender or the receiver fields, or if the body of the request
does not result in the supplied signature.
404 Not Found
^^^^^^^^^^^^^
This status code is returned in response to a failed ``DELETE`` request
when a referenced entity cannot be found. It is also returned when a
``POST`` request is made where the destination party specified in the
request does not exist.

535
api/identity-api-v3-os-oauth1-ext.rst Normal file
View File

@ -0,0 +1,535 @@
OpenStack Identity API v3 OS-OAUTH1 Extension
=============================================
Provide the ability for identity users to delegate roles to third party
consumers via the `OAuth 1.0a
specification <http://oauth.net/core/1.0a/>`__. This extension requires
v3.0+ of the Identity API. An OAuth-derived token will provide a means
of acting on behalf of the authorizing user.
Definitions
-----------
- *User:* An Identity API service user, the entity whose role(s) will
be delegated, and the entity that authorizes Request Tokens.
- *Request Token:* A token used by the Consumer to obtain authorization
from the User, and exchanged with an OAuth Verifier for an Access
Token.
- *Access Token:* A token used by the Consumer to request new Identity
API tokens on behalf of the authorizing User, instead of using the
Users credentials.
- *Token Key:* A key used by the token to identify itself. Both Request
Tokens and Access Tokens have Token Keys. For OpenStack purposes, the
Token Key is the Token ID.
- *Token Secret:* A secret used by the Consumer to establish ownership
of a given Token. Both Request Tokens and Access Tokens have Token
Secrets.
- *OAuth Verifier:* A string that must be provided with the
corresponding Request Token in exchange for an Access Token.
Delegated Authentication Flow
-----------------------------
Delegated Authentication via OAuth is done in five steps:
1. An Identity API service User `creates a
Consumer <#create-consumer-post-os-oauth1consumers>`__.
2. The Consumer `obtains an unauthorized Request
Token <#create-request-token-post-os-oauth1request_token>`__.
3. The User `authorizes the Request
Token <#authorize-request-token-put-os-oauth1authorizerequest_token_id>`__.
4. The Consumer `exchanges the Request Token for an Access
Token <#create-access-token-post-os-oauth1access_token>`__.
5. The Consumer `uses the Access Token to request an Identity API
service Token <#request-an-identity-api-token-post-authtokens>`__.
API Resources
-------------
Consumers
~~~~~~~~~
::
/OS-OAUTH1/consumers
A Consumer is an application that uses OAuth to access a protected
resource.
Optional attributes:
- ``description`` (string)
Immutable attributes provided by the Identity service:
- ``secret`` (string)
A consumer's ``secret`` is only returned once, during consumer creation.
The Consumer is given its key and secret, out-of-band. For OpenStack,
the ID of the Consumer is the Key.
Consumers API
-------------
Create Consumer
~~~~~~~~~~~~~~~
::
POST /OS-OAUTH1/consumers
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumers``
Request:
::
{
"consumer": {
"description": "My consumer"
}
}
Response:
The ``secret`` is only returned once, during consumer creation.
::
Status: 201 Created
{
"consumer": {
"secret": "4c7832",
"description": "My consumer",
"id": "7fea2d",
"links": {
"self": "http://identity:35357/v3/OS-OAUTH1/consumers/7fea2d"
}
}
}
List Consumers
~~~~~~~~~~~~~~
::
GET /OS-OAUTH1/consumers
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumers``
Response:
::
Status: 200 OK
{
"consumers": [
{
"id": "0c2a74",
"links": {
"self": "http://identity:35357/v3/OS-OAUTH1/consumers/0c2a74"
}
},
{
"description": "My consumer",
"id": "7fea2d",
"links": {
"self": "http://identity:35357/v3/OS-OAUTH1/consumers/7fea2d"
}
}
],
"links": {
"next": null,
"previous": null,
"self": "http://identity:35357/v3/OS-OAUTH1/consumers"
}
}
Get Consumer
~~~~~~~~~~~~
::
GET /OS-OAUTH1/consumers/{consumer_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumer``
Response:
::
Status: 200 OK
{
"consumer": {
"id": "7fea2d",
"description": "My consumer",
"links": {
"self": "http://identity:35357/v3/OS-OAUTH1/consumers/7fea2d"
}
}
}
Delete Consumer
~~~~~~~~~~~~~~~
::
DELETE /OS-OAUTH1/consumers/{consumer_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumer``
When a Consumer is deleted, any Request Tokens, Access Tokens, or
Identity API Tokens will also be deleted.
Response:
::
Status: 204 No Content
Update Consumer
~~~~~~~~~~~~~~~
::
PATCH /OS-OAUTH1/consumers/{consumer_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumer``
Only a Consumer's ``description`` is mutable. Attempting to PATCH an
immutable attribute should result in a HTTP 400 Bad Request.
Request:
::
{
"consumer": {
"description": "My new consumer"
}
}
Response:
::
Status: 200 OK
{
"consumer": {
"description": "My new consumer",
"id": "7fea2d",
"links": {
"self": "http://identity:35357/v3/OS-OAUTH1/consumers/7fea2d"
}
}
}
Delegated Auth APIs
-------------------
Create Request Token
~~~~~~~~~~~~~~~~~~~~
::
POST /OS-OAUTH1/request_token
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/request_tokens``
A Consumer uses the Consumer Key and Secret to obtain a Request Token.
The Request Token is used to initiate User authorization. The Request
Token, once authorized, can be exchanged along with the OAuth Verifier
for an Access Token. Note that there is one extra parameter,
``requested_project_id``. ``requested_project_id`` contains the ID of
the project upon which the Consumer would like authorization. The
Identity service may include an ``oauth_expires_at`` attribute in the
response. If no such attribute is included, or is null, then the token
may last indefinitely.
The authorizing User receives the Request Token Key from the Consumer
out-of-band.
Supported signature methods: ``HMAC-SHA1``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Request Parameters:
- All required OAuth parameters must be provided.
See: http://oauth.net/core/1.0a/#auth_step1
Additional Request Parameters:
- ``requested_project_id``: IDs of requested project
- Example: ``requested_project_id=b9fca3``
Response:
``oauth_token=29971f&oauth_token_secret=238eb8&oauth_expires_at=2013-09-11T06:07:51.501805Z``
Response Parameters:
- ``oauth_token``: The Request Token key that the Identity API returns.
- ``oauth_token_secret``: The secret associated with the Request Token.
- ``oauth_expires_at`` (optional): The ISO 8601 date time at which a
Request Token will expire.
Authorize Request Token
~~~~~~~~~~~~~~~~~~~~~~~
::
PUT /OS-OAUTH1/authorize/{request_token_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/authorize_request_token``
To authorize the Request Token, the authorizing user must have access to
the requested project. Upon successful authorization, an OAuth Verifier
code is returned. The Consumer receives the OAuth Verifier from the User
out-of-band.
Request:
::
{
"roles": [
{
"id": "a3b29b"
},
{
"id": "49993e"
}
]
}
Response:
::
{
"token": {
"oauth_verifier": "8171"
}
}
Create Access Token
~~~~~~~~~~~~~~~~~~~
::
POST /OS-OAUTH1/access_token
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/access_tokens``
After the User authorizes the Request Token, the Consumer exchanges the
authorized Request Token and OAuth Verifier for an Access Token. The
Identity service may include an ``oauth_expires_at`` parameter in the
response. If no such parameter is included, then the token lasts
indefinitely.
Supported signature methods: ``HMAC-SHA1``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Request Parameters:
- All required OAuth parameters must be provided.
See: http://oauth.net/core/1.0a/#auth_step3
Response:
::
oauth_token=accd36&oauth_token_secret=aa47da&oauth_expires_at=2013-09-11T06:07:51.501805Z
Response Parameters:
- ``oauth_token``: The Access Token key that the Identity API returns.
- ``oauth_token_secret``: The secret associated with the Access Token.
- ``oauth_expires_at`` (optional): The ISO 8601 date time when an
Access Token expires.
Request an Identity API Token
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
::
POST /auth/tokens
Relationship: ``http://docs.openstack.org/identity/rel/v3/auth_tokens``
The Consumer can now request valid Identity API service tokens
representing the authorizing User's delegated authorization and identity
(impersonation). The generated token's roles and scope will match that
which the Consumer initially requested.
Supported signature methods: ``HMAC-SHA1``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Request Parameters:
- All required OAuth parameters must be provided.
See: http://oauth.net/core/1.0a/#anchor12
To authenticate with the OS-OAUTH1 extension, ``oauth1`` must be
specified as an authentication method. Example request:
::
{
"auth": {
"identity": {
"methods": [
"oauth1"
],
"oauth1": {}
}
}
}
The returned token is scoped to the requested project and with the
delegated roles. In addition to the standard token response, as seen in
the link below, the token has an OAuth-specific object.
Example OpenStack token response: `Various OpenStack token
responses <https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#authentication-responses>`__
Example OAuth-specific object in a token:
::
"OS-OAUTH1": {
"consumer_id": "7fea2d",
"access_token_id": "cce0b8be7"
}
User Access Token APIs
----------------------
List authorized access tokens
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
::
GET /users/{user_id}/OS-OAUTH1/access_tokens
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_tokens``
Response:
::
{
"access_tokens": [
{
"consumer_id": "7fea2d",
"id": "6be26a",
"expires_at": "2013-09-11T06:07:51.501805Z",
"links": {
"roles": "http://identity:35357/v3/users/ce9e07/OS-OAUTH1/access_tokens/6be26a/roles"
"self": "http://identity:35357/v3/users/ce9e07/OS-OAUTH1/access_tokens/6be26a"
},
"project_id": "b9fca3",
"authorizing_user_id": "ce9e07"
}
],
"links": {
"next": null,
"previous": null,
"self": "http://identity:35357/v3/users/ce9e07/OS-OAUTH1/access_tokens"
}
}
Get authorized access token
~~~~~~~~~~~~~~~~~~~~~~~~~~~
::
GET /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token``
Response:
::
{
"access_token": {
"consumer_id": "7fea2d",
"id": "6be26a",
"expires_at": "2013-09-11T06:07:51.501805Z",
"links": {
"roles": "http://identity:35357/v3/users/ce9e07/OS-OAUTH1/access_tokens/6be26a/roles"
"self": "http://identity:35357/v3/users/ce9e07/OS-OAUTH1/access_tokens/6be26a"
},
"project_id": "b9fca3",
"authorizing_user_id": "ce9e07"
}
}
List roles of an access token
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
::
GET /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token_roles``
See ``GET /v3/roles`` for an
`example <https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#list-roles-get-roles>`__
of this response format.
Get a role of an access token
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
::
GET /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token_role``
See ``GET /v3/roles/{role_id}`` for an
`example <https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#get-role-get-rolesrole_id>`__
of this response format.
Revoke access token
~~~~~~~~~~~~~~~~~~~
::
DELETE /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token``
A User can revoke an Access Token, preventing the Consumer from
requesting new Identity API service tokens. This also revokes any
Identity API tokens issued to the Consumer using that Access Token.
Response:
::
Status: 204 No Content

175
api/identity-api-v3-os-revoke-ext.rst Normal file
View File

@ -0,0 +1,175 @@
OpenStack Identity API v3 OS-REVOKE Extension
=============================================
This extension provides a list of token revocations. Each event
expresses a set of criteria which describes a set of tokens that are no
longer valid.
This extension requires v3.2+ of the Identity API.
What's New in v1.1
------------------
- Use of ``expires_at`` has been deprecated in favor of using
``audit_id`` and ``audit_chain_id``.
- Revocation events can use ``audit_id`` to revoke an individual token.
- Revocation events can use ``audit_chain_id`` to revoke all related
tokens. A related token is defined by the first (non-rescoped) token.
All tokens in the chain will have the same ``audit_chain_id``.
API Resources
-------------
Revocation Events
~~~~~~~~~~~~~~~~~
Revocation events are objects that contain criteria used to evaluate
token validity. Tokens that match all the criteria of a revocation event
are considered revoked, and should not be accepted as proof of
authorization for the user.
Revocation events do not have a unique identifier (``id``).
Required attributes:
- ``issued_before`` (string, ISO 8601 extended format date time with
microseconds)
Tokens issued before this time are considered revoked.
This attribute can be used to determine how long the expiration event is
valid. It can also be used in queries to filter events, so that only a
subset that have occurred since the last request are returned.
Optional attributes:
- ``domain_id`` (string)
Revoke tokens scoped to a particular domain.
- ``project_id`` (string)
Revoke tokens scoped to a particular project.
- ``user_id`` (string)
Revoke tokens expressing the identity of a particular user.
- ``role_id`` (string)
Revoke tokens issued with a specific role.
- ``OS-TRUST:trust_id`` (string)
Revoke tokens issued as the result of a particular trust, as part of the
OS-TRUST API extension.
- ``OS-OAUTH1:consumer_id`` (string)
Revoke tokens issued to a specific OAuth consumer, as part of the
OS-OAUTH1 API extension.
- ``expires_at`` (string, ISO 8601 extended format date time with
microseconds)
**Deprecated as of the Juno release in favor of ``audit_id`` and
``audit_chain_id``.** If ``expires_at`` exists in the revocation event,
it will be utilized to match tokens.
Specifies the exact expiration time of one or more tokens to be revoked.
This attribute is useful for revoking chains of tokens, such as those
produced when re-scoping an existing token. When a token is issued based
on initial authentication, it is given an ``expires_at`` value. When a
token is used to get another token, the new token will have the same
``expires_at`` value as the original.
- ``audit_id`` (string)
Specifies the unique identifier (UUID) assigned to the token itself.
This will revoke a single token only. This attribute mirrors the use of
the ``Token Revocation List`` (the mechanism used prior to revocation
events) but does not utilize data that could convey authorization (the
``token id``).
If an event is issued for ``audit_id`` then the event cannot contain an
``audit_chain_id``.
- ``audit_chain_id`` (string)
Specifies a group of tokens based upon the ``audit_id`` of the first
token in the chain. If a revocation event specifies the
``audit_chain_id`` any token that is part of the token chain (based upon
the original token at the start of the chain) will be revoked, including
the original token at the start of the chain.
If an event is issued for ``audit_chain_id`` then the event cannot
contain an ``audit_id``.
The properties are additive: Only a token that meets all of the
specified criteria is considered revoked.
Minimal example entity:
::
{
"issued_before": "2014-02-27T18:30:59.999999Z"
}
API
---
List revocation events
~~~~~~~~~~~~~~~~~~~~~~
::
GET /OS-REVOKE/events
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-REVOKE/1.0/rel/events``
Optional query parameters:
- ``since`` (RFC 1123 format date time): limit the list of results to
events that occurred on or after the specified time.
The HTTP Date header returned in the response reflects the timestamp of
the most recently issued revocation event. Clients can then use this
value in the ``since`` query parameter to limit the list of events in
subsequent requests.
Response:
::
Status: 200 OK
Date: Sun, 17 Feb 2013 18:30:59 GMT
{
"events": [
{
"issued_before": "2014-02-27T18:30:59.999999Z",
"user_id": "f287de"
},
{
"audit_id": "VcxU2JYqT8OzfUVvrjEITQ",
"issued_before": "2014-02-27T18:30:59.999999Z",
},
{
"audit_chain_id": "VcxU2JYqT8OzfUVvrjEITQ",
"issued_before": "2014-02-27T18:30:59.999999Z",
"project_id": "976bf9"
},
{
"domain_id": "be2c70",
"issued_before": "2014-02-2805:15:59.999999Z",
"user_id": "f287de"
}
]
}

197
api/identity-api-v3-os-simple-certs-ext.rst Normal file
View File

@ -0,0 +1,197 @@
OpenStack Identity API v3 OS-SIMPLE-CERT Extension
==================================================
When using Public Key Infrastructure (PKI) tokens with the identity
service, users must have access to the signing certificate and the
certificate authority's (CA) certificate for the token issuer in order
to validate tokens. This extension provides a simple means of retrieving
these certificates from an identity service.
API Resources
-------------
Certificates
------------
The identity server uses X.509 certificates to cryptographically sign
issued tokens. Certificates are a public resource and can be shared.
Typically when validating a certificate we would only require the
issuing certificate authority's certificate however PKI tokens are
distributed without including the original signing certificate in the
message so this must be retrievable as well.
Certificates are provided in the Private Enchanced Mail (PEM) file
format. Certificates in PEM files can be represented with or without the
certificate data (examples shown). The represented certificate is for
informative purposes and the only required information is presented
between the ``-----BEGIN CERTIFICATE-----`` and
``-----END CERTIFICATE-----`` tags.
API
---
Retrieve CA certificate chain
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
GET /OS-SIMPLE-CERT/ca
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-SIMPLE-CERT/1.0/rel/ca_certificate``
Fetches the certificate chain used to authenticate signed tokens.
It is possible that a chain of certificates (more than one) is returned.
In this case the chain should be used when validating a token.
::
Status: 200 OK
Content-Type: application/x-pem-file
-----BEGIN CERTIFICATE-----
MIIDgTCCAmmgAwIBAgIJAJpWjfJuWL+oMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNV
BAYTAlVTMQ4wDAYDVQQIDAVVbnNldDEOMAwGA1UEBwwFVW5zZXQxDjAMBgNVBAoM
BVVuc2V0MRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20wHhcNMTMxMjA5MDEzMDUw
WhcNMjMxMjA3MDEzMDUwWjBXMQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVW5zZXQx
DjAMBgNVBAcMBVVuc2V0MQ4wDAYDVQQKDAVVbnNldDEYMBYGA1UEAwwPd3d3LmV4
YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxzQwzCPN
3zMsUX6GwNcS9n/dJq4gzddClFB7ZgfVKOwdEVx/XX9w8wflFWq+JqqMA81ZtLFP
w0fKJFISMSVH7TXPRp096cC41Nv5dCt0kfVChyUUKUGiEzvUU8WagU7uWE4Rj+6d
CQvdbot0/5eDFJL90cj+Ck5dn/lqBxLSnHjTLLqHscpD+qOc6XL4JxCM1SOkS1LL
aRPLksqyKZwz8R86yR/9FnIREGO52VDje0hYUwLw0TzurSi1QHuBB/aZ2aC7A79G
YBBMo79amu8Oc4x+VzOxtY1hlrxYb1oV7SAcZgmPQKo8uwl47yqd5Ya85HC3AsVY
HSGYjsHrTS8QlQIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTkjsL2
BVqZImdt+VxEo+9b7fymQzAfBgNVHSMEGDAWgBTkjsL2BVqZImdt+VxEo+9b7fym
QzANBgkqhkiG9w0BAQUFAAOCAQEAC7y75ST8tOFp6VOhTTdjGxGU+FJhKNikYCfw
TL5bzjSpmzBXcy5ep+klxVtLyU0KJeuAwep9g6bPlYQP44vshsZEIH4EV5b9Ztzh
FnKfd0jeP0GLhQiQYDkvpNAu/uMbT4+/3jhM3mJoslDZDl7x7MF4FQU0N7fzRj/Y
/XNzA6DWllQs62Up5WcqQJes0NeTKXyLoDH9Mf1W7hLHWLxr5bY3xD2MdrdDTtp1
KxPZVcFaBpI+hVHfi5jhLXBK0I8jgHqQLxjhp8TfIy6U4m4KpdlOvET2R55Lttrs
SFP+fy+e3IO9wMXmQKQJdj3ArieW0hkmz9xTYIRm5vS494gi6Q==
-----END CERTIFICATE-----
Retrieve signing certificates
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
::
GET /OS-SIMPLE-CERT/certificates
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-SIMPLE-CERT/1.0/rel/certificates``
Fetches the certificates containing the public key for the private key
that has been used to sign tokens.
In an environment with multiple token signers this call will return all
valid certificates.
::
Status: 200 OK
Content-Type: application/x-pem-file
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Unset, L=Unset, O=Unset, CN=www.example.com
Validity
Not Before: Dec 9 01:30:50 2013 GMT
Not After : Dec 7 01:30:50 2023 GMT
Subject: C=US, ST=Unset, O=Unset, CN=www.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:da:a1:9a:00:3f:52:16:63:87:f7:7c:fb:27:ef:
04:7b:b3:f8:59:e3:d1:79:cc:22:af:f2:02:5c:d7:
0f:e8:53:bd:5c:db:a4:93:98:62:25:ad:c9:6e:60:
37:98:29:c6:e7:0b:3d:b6:64:f6:ad:58:96:e3:87:
af:2a:a4:17:ef:31:3c:60:ef:97:27:db:5e:83:95:
5b:4f:d6:4b:e8:34:c9:ff:d9:79:bc:f6:7c:db:dc:
d4:91:1b:3d:61:53:54:95:7e:1d:71:dd:9d:cb:39:
e3:ba:ed:39:f4:27:48:60:1b:8d:82:c8:65:e5:a1:
30:ff:83:bc:84:e8:35:3a:a5:c2:27:7c:84:15:1b:
91:27:34:44:9d:af:b1:cb:14:54:e0:52:d3:ce:b4:
03:b7:4c:63:f7:aa:3f:1d:aa:17:ac:2b:81:ec:ad:
e5:30:ac:fa:08:25:00:50:dc:0c:1c:bd:6c:38:eb:
30:55:5a:e0:ca:11:a8:57:a5:db:65:78:5b:58:76:
f4:01:52:87:4f:d5:a1:80:77:66:8a:2c:d8:77:92:
11:49:b6:00:fd:28:85:80:23:d7:87:8a:50:15:7d:
07:2a:6f:44:dc:83:cf:f1:67:5e:8a:9c:b7:2a:2e:
f3:e9:4d:9a:33:9d:e5:1d:7d:3a:9b:ce:80:f4:78:
d7:55
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
D5:50:6E:6A:AA:8E:21:36:44:28:D4:AB:E4:D3:01:09:D7:BC:CB:73
X509v3 Authority Key Identifier:
keyid:E4:8E:C2:F6:05:5A:99:22:67:6D:F9:5C:44:A3:EF:5B:ED:FC:A6:43
Signature Algorithm: sha1WithRSAEncryption
80:60:ef:84:25:e9:02:ea:1e:da:70:fe:0b:b6:15:69:27:15:
0a:8e:5e:69:7b:b3:af:91:0e:78:08:37:98:56:be:eb:60:af:
7e:6b:e3:62:eb:dc:86:9f:9b:20:81:32:75:05:32:c9:f7:7b:
2b:32:00:10:83:07:a0:e2:f4:81:63:5e:50:e7:5b:00:67:a6:
19:54:ea:31:9a:02:a8:f1:fa:92:5b:e1:13:23:a1:28:5c:8e:
64:03:22:16:02:d2:a5:52:aa:34:39:ab:70:0c:46:77:53:5b:
07:71:41:0a:0b:a8:76:2c:45:e6:38:3b:aa:ee:dc:ca:8b:2f:
85:18:57:0a:e3:cf:3d:cc:a8:46:5a:4b:42:14:e8:66:10:8a:
91:79:c1:2e:27:5f:b1:60:5a:d1:5e:d5:98:c7:11:fe:da:89:
ee:7b:24:e4:19:7a:5f:56:ba:63:70:31:01:87:8d:7a:90:88:
14:4f:a1:23:46:0e:3b:df:33:01:98:53:71:d6:f4:25:37:52:
ff:43:b8:60:03:65:29:98:45:a8:da:62:a3:be:66:bf:59:68:
2c:50:3d:de:36:e9:75:8a:d3:69:a2:74:3c:80:c1:fe:cf:53:
4f:46:28:fe:f9:b0:a9:6a:db:2a:30:9a:e7:b5:c0:cc:0b:d6:
39:b8:6b:ee
-----BEGIN CERTIFICATE-----
MIIDZjCCAk6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBXMQswCQYDVQQGEwJVUzEO
MAwGA1UECAwFVW5zZXQxDjAMBgNVBAcMBVVuc2V0MQ4wDAYDVQQKDAVVbnNldDEY
MBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMB4XDTEzMTIwOTAxMzA1MFoXDTIzMTIw
NzAxMzA1MFowRzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVVuc2V0MQ4wDAYDVQQK
DAVVbnNldDEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEA2qGaAD9SFmOH93z7J+8Ee7P4WePRecwir/ICXNcP
6FO9XNukk5hiJa3JbmA3mCnG5ws9tmT2rViW44evKqQX7zE8YO+XJ9teg5VbT9ZL
6DTJ/9l5vPZ829zUkRs9YVNUlX4dcd2dyznjuu059CdIYBuNgshl5aEw/4O8hOg1
OqXCJ3yEFRuRJzREna+xyxRU4FLTzrQDt0xj96o/HaoXrCuB7K3lMKz6CCUAUNwM
HL1sOOswVVrgyhGoV6XbZXhbWHb0AVKHT9WhgHdmiizYd5IRSbYA/SiFgCPXh4pQ
FX0HKm9E3IPP8Wdeipy3Ki7z6U2aM53lHX06m86A9HjXVQIDAQABo00wSzAJBgNV
HRMEAjAAMB0GA1UdDgQWBBTVUG5qqo4hNkQo1Kvk0wEJ17zLczAfBgNVHSMEGDAW
gBTkjsL2BVqZImdt+VxEo+9b7fymQzANBgkqhkiG9w0BAQUFAAOCAQEAgGDvhCXp
Auoe2nD+C7YVaScVCo5eaXuzr5EOeAg3mFa+62CvfmvjYuvchp+bIIEydQUyyfd7
KzIAEIMHoOL0gWNeUOdbAGemGVTqMZoCqPH6klvhEyOhKFyOZAMiFgLSpVKqNDmr
cAxGd1NbB3FBCguodixF5jg7qu7cyosvhRhXCuPPPcyoRlpLQhToZhCKkXnBLidf
sWBa0V7VmMcR/tqJ7nsk5Bl6X1a6Y3AxAYeNepCIFE+hI0YOO98zAZhTcdb0JTdS
/0O4YANlKZhFqNpio75mv1loLFA93jbpdYrTaaJ0PIDB/s9TT0Yo/vmwqWrbKjCa
57XAzAvWObhr7g==
-----END CERTIFICATE-----
HTTP Status Codes
~~~~~~~~~~~~~~~~~
The following codes are used to indicate success of failure conditions.
200 OK
^^^^^^
Certificates are successfully found and returned.
403 Forbidden
^^^^^^^^^^^^^
There are no certificates to be returned. This will typically indicate
that keystone is using UUID tokens and therefore there are no
certificates available.
500 Internal Server Error
^^^^^^^^^^^^^^^^^^^^^^^^^
An Error was produced on the server. A typical example is that the
server is configured to use PKI tokens but is misconfigured and the
certificates were unable to be found.

542
api/identity-api-v3-os-trust-ext.rst Normal file
View File

@ -0,0 +1,542 @@
OpenStack Identity API v3 OS-TRUST Extension
============================================
Trusts provide project-specific role delegation between users, with
optional impersonation.
API Resources
-------------
Trusts
~~~~~~
A trust represents a user's (the *trustor*) authorization to delegate
roles to another user (the *trustee*), and optionally allow the trustee
to impersonate the trustor. After the trustor has created a trust, the
trustee can specify the trust's ``id`` attribute as part of an
authentication request to then create a token representing the delegated
authority.
The trust contains constraints on the delegated attributes. A token
created based on a trust will convey a subset of the trustor's roles on
the specified project. Optionally, the trust may only be valid for a
specified time period, as defined by ``expires_at``. If no
``expires_at`` is specified, then the trust is valid until it is
explicitly revoked.
The ``impersonation`` flag allows the trustor to optionally delegate
impersonation abilities to the trustee. To services validating the
token, the trustee will appear as the trustor, although the token will
also contain the ``impersonation`` flag to indicate that this behavior
is in effect.
A ``project_id`` may not be specified without at least one role, and
vice versa. In other words, there is no way of implicitly delegating all
roles to a trustee, in order to prevent users accidentally creating
trust that are much more broad in scope than intended. A trust without a
``project_id`` or any delegated roles is unscoped, and therefore does
not represent authorization on a specific resource.
Trusts are immutable. If the trustee wishes to modify the attributes of
the trust, they should create a new trust and delete the old trust. If a
trust is deleted, any tokens generated based on the trust are
immediately revoked.
If the trustor loses access to any delegated attributes, the trust
becomes immediately invalid and any tokens generated based on the trust
are immediately revoked.
Additional required attributes:
- ``trustor_user_id`` (string)
Represents the user who created the trust, and who's authorization is
being delegated.
- ``trustee_user_id`` (string)
Represents the user who is capable of consuming the trust.
- ``impersonation``: (boolean)
If ``impersonation`` is set to ``true``, then the ``user`` attribute of
tokens token's generated based on the trust will represent that of the
trustor rather than the trustee, thus allowing the trustee to
impersonate the trustor. If ``impersonation`` is set to ``false``, then
the token's ``user`` attribute will represent that of the trustee.
Optional attributes:
- ``project_id`` (string)
Identifies the project upon which the trustor is delegating
authorization.
- ``roles``: (list of objects)
Specifies the subset of the trustor's roles on the ``project_id`` to be
granted to the trustee when the token in consumed. The trustor must
already be granted these roles in the project referenced by the
``project_id`` attribute.
Roles are only provided when the trust is created, and are subsequently
available as a separate read-only collection. Each role can be specified
by either ``id`` or ``name``.
- ``expires_at`` (string, ISO 8601 extended format date time with
microseconds)
Specifies the expiration time of the trust. A trust may be revoked ahead
of expiration. If the value represents a time in the past, the trust is
deactivated.
- ``remaining_uses`` (integer or null)
Specifies how many times the trust can be used to obtain a token. This
value is decreased each time a token is issued through the trust. Once
it reaches 0, no further tokens will be issued through the trust. The
default value is null, meaning there is no limit on the number of tokens
issued through the trust.
Example entity:
::
{
"trust": {
"id": "987fe7",
"impersonation": true,
"project_id": "0f1233",
"remaining_uses": null,
"links": {
"self": "http://identity:35357/v3/trusts/987fe7"
},
"trustee_user_id": "fea342",
"trustor_user_id": "56aed3"
}
}
Tokens
~~~~~~
Additional attributes:
- ``trust`` (object)
If present, indicates that the token was created based on a trust. This
attribute identifies both the trustor and trustee, and indicates whether
the token represents the trustee impersonating the trustor.
API
---
Consuming a trust
~~~~~~~~~~~~~~~~~
::
POST /auth/tokens
Consuming a trust effectively assumes the scope as delegated in the
trust. No other scope attributes may be specified.
The user specified by ``authentication`` must match the trust's
``trustee_user_id`` attribute.
If the trust has the ``impersonation`` attribute set to ``true``, then
the resulting token's ``user`` attribute will also represent the
trustor, rather than the authenticating user (the trustee).
::
{
"auth": {
"identity": {
"methods": [
"token"
],
"token": {
"id": "e80b74"
}
},
"scope": {
"OS-TRUST:trust": {
"id": "de0945a"
}
}
}
}
A token created from a trust will have a ``trust`` section containing
the ``id`` of the trust, the ``impersonation`` flag, the
``trustee_user_id`` and the ``trustor_user_id``. Example response:
::
Headers: X-Subject-Token
X-Subject-Token: e80b74
{
"token": {
"expires_at": "2013-02-27T18:30:59.999999Z",
"issued_at": "2013-02-27T16:30:59.999999Z",
"methods": [
"password"
],
"OS-TRUST:trust": {
"id": "fe0aef",
"impersonation": false,
"links": {
"self": "http://identity:35357/v3/trusts/fe0aef"
},
"trustee_user": {
"id": "0ca8f6",
"links": {
"self": "http://identity:35357/v3/users/0ca8f6"
}
},
"trustor_user": {
"id": "bd263c",
"links": {
"self": "http://identity:35357/v3/users/bd263c"
}
}
},
"user": {
"domain": {
"id": "1789d1",
"links": {
"self": "http://identity:35357/v3/domains/1789d1"
},
"name": "example.com"
},
"email": "joe@example.com",
"id": "0ca8f6",
"links": {
"self": "http://identity:35357/v3/users/0ca8f6"
},
"name": "Joe"
}
}
}
Create trust
~~~~~~~~~~~~
::
POST /OS-TRUST/trusts
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trusts``
Request:
::
{
"trust": {
"expires_at": "2013-02-27T18:30:59.999999Z",
"impersonation": true,
"project_id": "ddef321",
"roles": [
{
"name": "member"
}
],
"trustee_user_id": "86c0d5",
"trustor_user_id": "a0fdfd"
}
}
Response:
::
Status: 201 Created
{
"trust": {
"expires_at": "2013-02-27T18:30:59.999999Z",
"id": "1ff900",
"impersonation": true,
"links": {
"self": "http://identity:35357/v3/OS-TRUST/trusts/1ff900"
},
"project_id": "ddef321",
"remaining_uses": null,
"roles": [
{
"id": "ed7b78",
"links": {
"self": "http://identity:35357/v3/roles/ed7b78"
},
"name": "member"
}
],
"roles_links": {
"next": null,
"previous": null,
"self": "http://identity:35357/v3/OS-TRUST/trusts/1ff900/roles"
},
"trustee_user_id": "86c0d5",
"trustor_user_id": "a0fdfd"
}
}
List trusts
~~~~~~~~~~~
::
GET /OS-TRUST/trusts
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trusts``
query\_string: page (optional) query\_string: per\_page (optional,
default 30) query filter for "trustee\_user\_id", "trustor\_user\_id"
(optional)
Response:
::
Status: 200 OK
{
"trusts": [
{
"id": "1ff900",
"expires_at": "2013-02-27T18:30:59.999999Z",
"impersonation": true,
"links": {
"self": "http://identity:35357/v3/OS-TRUST/trusts/1ff900"
},
"project_id": "0f1233",
"trustee_user_id": "86c0d5",
"trustor_user_id": "a0fdfd"
},
{
"id": "f4513a",
"impersonation": true,
"links": {
"self": "http://identity:35357/v3/OS-TRUST/trusts/f4513a"
},
"project_id": "0f1233",
"trustee_user_id": "86c0d5",
"trustor_user_id": "3cd2ce"
}
]
}
In order to list trusts for a given trustor, filter the collection using
a query string (e.g., ``?trustor_user_id={user_id}``).
Request:
::
GET /OS-TRUST/trusts?trustor_user_id=a0fdfd
Response:
::
Status: 200 OK
{
"trusts": [
{
"id": "1ff900",
"expires_at": "2013-02-27T18:30:59.999999Z",
"impersonation": false,
"links": {
"self": "http://identity:35357/v3/OS-TRUST/trusts/1ff900"
},
"project_id": "0f1233",
"trustee_user_id": "86c0d5",
"trustor_user_id": "a0fdfd"
}
]
}
In order to list trusts for a given trustee, filter the collection using
a query string (e.g., ``?trustee_user_id={user_id}``).
Request:
::
GET /OS-TRUST/trusts?trustee_user_id=86c0d5
Response:
::
Status: 200 OK
{
"trusts": [
{
"id": "1ff900",
"expires_at": "2013-02-27T18:30:59.999999Z",
"impersonation": true,
"links": {
"self": "http://identity:35357/v3/OS-TRUST/trusts/1ff900"
},
"project_id": "0f1233",
"trustee_user_id": "86c0d5",
"trustor_user_id": "a0fdfd"
},
{
"id": "f4513a",
"impersonation": false,
"links": {
"self": "http://identity:35357/v3/OS-TRUST/trusts/f45513a"
},
"project_id": "0f1233",
"trustee_user_id": "86c0d5",
"trustor_user_id": "3cd2ce"
}
]
}
Get trust
~~~~~~~~~
::
GET /OS-TRUST/trusts/{trust_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust``
Response:
::
Status: 200 OK
{
"trust": {
"id": "987fe8",
"expires_at": "2013-02-27T18:30:59.999999Z",
"impersonation": true,
"links": {
"self": "http://identity:35357/v3/OS-TRUST/trusts/987fe8"
},
"roles": [
{
"id": "ed7b78",
"links": {
"self": "http://identity:35357/v3/roles/ed7b78"
},
"name": "member"
}
],
"roles_links": {
"next": null,
"previous": null,
"self": "http://identity:35357/v3/OS-TRUST/trusts/1ff900/roles"
},
"project_id": "0f1233",
"trustee_user_id": "be34d1",
"trustor_user_id": "56ae32"
}
}
Delete trust
~~~~~~~~~~~~
::
DELETE /OS-TRUST/trusts/{trust_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust``
Response:
::
Status: 204 No Content
List roles delegated by a trust
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
::
GET /OS-TRUST/trusts/{trust_id}/roles
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust_roles``
Response:
::
Status: 200 OK
{
"roles": [
{
"id": "c1648e",
"links": {
"self": "http://identity:35357/v3/roles/c1648e"
},
"name": "manager"
},
{
"id": "ed7b78",
"links": {
"self": "http://identity:35357/v3/roles/ed7b78"
},
"name": "member"
}
]
}
Check if role is delegated by a trust
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
::
HEAD /OS-TRUST/trusts/{trust_id}/roles/{role_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust_role``
Response:
::
Status: 200 OK
Get role delegated by a trust
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
::
GET /OS-TRUST/trusts/{trust_id}/roles/{role_id}
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust_role``
Response:
::
Status: 200 OK
{
"role": {
"id": "c1648e",
"links": {
"self": "http://identity:35357/v3/roles/c1648e"
},
"name": "manager"
}
}

4845
api/identity-api-v3.rst Normal file
View File

File diff suppressed because it is too large Load Diff

3
specs/template.rst
View File

@ -38,6 +38,9 @@ Some notes about using this template:
having to look at additional files which can not be viewed in gerrit. It
will also allow inline feedback on the diagram itself.
If your spec has an impact on the HTTP API, propose the corresponding changes
to the ``api/`` directory for review along with your spec.
Problem Description
===================

2
tox.ini
View File

@ -10,7 +10,7 @@ install_command = pip install -U {opts} {packages}
deps = -r{toxinidir}/requirements.txt
commands =
python setup.py testr --slowest --testr-args='{posargs}'
doc8 specs/
doc8 api/ specs/
[testenv:venv]
commands = {posargs}