Merge "add v3 API documentation"
This commit is contained in:
commit
944af4d2cc
261
api/identity-api-v3-os-endpoint-policy.rst
Normal file
261
api/identity-api-v3-os-endpoint-policy.rst
Normal file
@ -0,0 +1,261 @@
|
||||
OpenStack Identity API v3 OS-ENDPOINT-POLICY Extension
|
||||
======================================================
|
||||
|
||||
This extension provides associations between service endpoints and
|
||||
policies that are already stored in the Identity server and referenced
|
||||
by policy ID. Such associations enable an endpoint to request the
|
||||
appropriate policy for itself. Three types of association are supported:
|
||||
|
||||
- A policy associated to a specific endpoint
|
||||
- A policy associated to any endpoint of a given service type in a
|
||||
given region
|
||||
- A policy associated to any endpoint of a given service type
|
||||
|
||||
When an endpoint requests the appropriate policy for itself, the
|
||||
extension will look for an association *in the order given above* (which
|
||||
is essentially in order from most specific to least specific) and select
|
||||
the first one it finds. For region associations, any parent regions will
|
||||
also be examined in ascending order. No combination of polices will
|
||||
occur.
|
||||
|
||||
Policy-Endpoint Associations
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Create association with endpoint
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
PUT /policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
|
||||
|
||||
Creates an association between the policy and the endpoint. If another
|
||||
association already existed for the specified endpoint, this will
|
||||
replace that association. Any body supplied with this API will be
|
||||
ignored.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
Check association with endpoint
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
GET /policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
|
||||
|
||||
Verifies the existence of an association between a policy and an
|
||||
endpoint. A HEAD version of this API is also supported.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
Delete association with endpoint
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
DELETE /policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
|
||||
|
||||
Deletes an association between the policy and the endpoint.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
Create association with service
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
PUT /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
|
||||
|
||||
Creates an association between the policy and the service. If another
|
||||
association already existed for the specified service, this will replace
|
||||
that association. Any body supplied with this API will be ignored.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
Check association with service
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
GET /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
|
||||
|
||||
Verifies the existence of an association between a policy and a service.
|
||||
A HEAD version of this API is also supported.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
Delete association with service
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
DELETE /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
|
||||
|
||||
Deletes an association between the policy and the service.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
Create association with service in a region
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
PUT /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
|
||||
|
||||
Creates an association between the policy and the service in the given
|
||||
region. If another association already existed for the specified service
|
||||
and region, this will replace that association. Any body supplied with
|
||||
this API will be ignored.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
Check association with service in a region
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
GET /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
|
||||
|
||||
Verifies the existence of an association between a policy and a service
|
||||
in the given region. A HEAD version of this API is also supported.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
Delete association with service in a region
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
DELETE /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
|
||||
|
||||
Deletes an association between the policy and the service in the given
|
||||
region.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
List effective endpoint associations for policy
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
GET /policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
|
||||
|
||||
Returns all the endpoints that are currently associated with a specific
|
||||
policy via any of the association methods.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"endpoints": [
|
||||
{
|
||||
"id": "--endpoint-id--",
|
||||
"interface": "public",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/endpoints/--endpoint-id--"
|
||||
},
|
||||
"region": "north",
|
||||
"service_id": "--service-id--",
|
||||
"url": "http://identity:35357/"
|
||||
},
|
||||
{
|
||||
"id": "--endpoint-id--",
|
||||
"interface": "internal",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/endpoints/--endpoint-id--"
|
||||
},
|
||||
"region": "south",
|
||||
"service_id": "--service-id--",
|
||||
"url": "http://identity:35357/"
|
||||
}
|
||||
],
|
||||
"links": {
|
||||
"next": null,
|
||||
"previous": null,
|
||||
"self": "http://identity:35357/v3/OS-ENDPOINT-POLICY/policies/{policy_id}/endpoints"
|
||||
}
|
||||
}
|
||||
|
||||
Get effective policy associated with endpoint
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
GET /endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
|
||||
|
||||
Returns the policy that is currently associated with the given endpoint,
|
||||
by working through the ordered sequence of methods of association. The
|
||||
first association that is found will be returned. If the region of the
|
||||
endpoint has a parent, then region associations will be examined up the
|
||||
region tree in ascending order.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"policy": {
|
||||
"blob": "--serialized-blob--",
|
||||
"id": "--policy-id--",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/policies/--policy-id--"
|
||||
},
|
||||
"type": "--serialization-mime-type--"
|
||||
}
|
||||
}
|
||||
|
||||
Check if a policy is associated with endpoint
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
HEAD /endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
|
||||
|
||||
Checks if a policy is currently associated with the given endpoint.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
680
api/identity-api-v3-os-ep-filter-ext.rst
Normal file
680
api/identity-api-v3-os-ep-filter-ext.rst
Normal file
@ -0,0 +1,680 @@
|
||||
OpenStack Identity API v3 OS-EP-FILTER Extension
|
||||
================================================
|
||||
|
||||
This extension enables creation of ad-hoc catalogs for each
|
||||
project-scoped token request. To do so, this extension uses either
|
||||
static project-endpoint associations or dynamic custom endpoints groups
|
||||
to associate service endpoints with projects.
|
||||
|
||||
What's New in Version 1.1
|
||||
-------------------------
|
||||
|
||||
These features are not yet considered stable (expected September 4th,
|
||||
2014).
|
||||
|
||||
- Introduced support for Endpoint Groups
|
||||
|
||||
API Resources
|
||||
-------------
|
||||
|
||||
*New in version 1.1*
|
||||
|
||||
Endpoint Group
|
||||
~~~~~~~~~~~~~~
|
||||
|
||||
Represents a dynamic collection of service endpoints having the same
|
||||
characteristics, such as service\_id, interface, or region. Indeed, any
|
||||
endpoint attribute could be used as part of a filter.
|
||||
|
||||
A classic use case is to filter endpoints based on region. For example,
|
||||
suppose a user wants to filter service endpoints returned in the service
|
||||
catalog by region, the following endpoint group may be used:
|
||||
|
||||
::
|
||||
|
||||
{
|
||||
"endpoint_group": {
|
||||
"description": "Example Endpoint Group",
|
||||
"filters": {
|
||||
"region_id": "e68c72"
|
||||
},
|
||||
"name": "EP-GROUP-1"
|
||||
}
|
||||
}
|
||||
|
||||
This implies an Endpoint Group with filtering criteria of the form:
|
||||
|
||||
::
|
||||
|
||||
region_id = "e68c72"
|
||||
|
||||
API
|
||||
---
|
||||
|
||||
Project-Endpoint Associations
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
If a valid X-Auth-Token token in not present in the HTTP header and/or
|
||||
the user does not have the right authorization a HTTP 401 Unauthorized
|
||||
is returned.
|
||||
|
||||
Create Association
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint``
|
||||
|
||||
Modifies the endpoint resource adding an association between the project
|
||||
and the endpoint.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
Check Association
|
||||
^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint``
|
||||
|
||||
Verifies the existence of an association between a project and an
|
||||
endpoint.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
List Associations for Project
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
GET /OS-EP-FILTER/projects/{project_id}/endpoints
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoints``
|
||||
|
||||
Returns all the endpoints that are currently associated with a specific
|
||||
project.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
{
|
||||
"endpoints": [
|
||||
{
|
||||
"id": "6fedc0",
|
||||
"interface": "public",
|
||||
"url": "http://identity:35357/",
|
||||
"region": "north",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/endpoints/6fedc0"
|
||||
},
|
||||
"service_id": "1b501a"
|
||||
},
|
||||
{
|
||||
"id": "6fedc0",
|
||||
"interface": "internal",
|
||||
"region": "south",
|
||||
"url": "http://identity:35357/",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/endpoints/6fedc0"
|
||||
},
|
||||
"service_id": "1b501a"
|
||||
}
|
||||
],
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/OS-EP-FILTER/projects/{project_id}/endpoints",
|
||||
"previous": null,
|
||||
"next": null
|
||||
}
|
||||
}
|
||||
|
||||
Delete Association
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
DELETE /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint``
|
||||
|
||||
Eliminates a previously created association between a project and an
|
||||
endpoint.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
Get projects associated with endpoint
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
GET /OS-EP-FILTER/endpoints/{endpoint_id}/projects
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_projects``
|
||||
|
||||
Returns a list of projects that are currently associated with the given
|
||||
endpoint.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"projects": [
|
||||
{
|
||||
"domain_id": "1789d1",
|
||||
"enabled": true,
|
||||
"id": "263fd9",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/projects/263fd9"
|
||||
},
|
||||
"name": "a project name 1",
|
||||
"description": "a project description 1"
|
||||
},
|
||||
{
|
||||
"domain_id": "1789d1",
|
||||
"enabled": true,
|
||||
"id": "61a1b7",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/projects/61a1b7"
|
||||
},
|
||||
"name": "a project name 2",
|
||||
"description": "a project description 2"
|
||||
}
|
||||
],
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/OS-EP-FILTER/endpoints/6fedc0/projects",
|
||||
"previous": null,
|
||||
"next": null
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Endpoint Groups
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
*New in version 1.1*
|
||||
|
||||
Required attributes:
|
||||
|
||||
- ``name`` (string)
|
||||
|
||||
User-facing name of the service.
|
||||
|
||||
- ``filters`` (object)
|
||||
|
||||
Describes the filtering performed by the endpoint group. The filter used
|
||||
must be an ``endpoint`` property, such as ``interface``, ``service_id``,
|
||||
``region_id`` and ``enabled``. Note that if using ``interface`` as a
|
||||
filter, the only available values are ``public``, ``internal`` and
|
||||
``admin``.
|
||||
|
||||
Optional attributes:
|
||||
|
||||
- ``description`` (string)
|
||||
|
||||
User-facing description of the service.
|
||||
|
||||
Create Endpoint Group Filter
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
POST /OS-EP-FILTER/endpoint_groups
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_groups``
|
||||
|
||||
Request:
|
||||
|
||||
::
|
||||
|
||||
{
|
||||
"endpoint_group": {
|
||||
"description": "endpoint group description",
|
||||
"filters": {
|
||||
"interface": "admin",
|
||||
"service_id": "1b501a"
|
||||
}
|
||||
"name": "endpoint group name",
|
||||
}
|
||||
}
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 201 Created
|
||||
|
||||
{
|
||||
"endpoint_group": {
|
||||
"description": "endpoint group description",
|
||||
"filters": {
|
||||
"interface": "admin",
|
||||
"service_id": "1b501a"
|
||||
},
|
||||
"id": "ac4861",
|
||||
"links": {
|
||||
"self": "http://localhost:35357/v3/OS-EP-FILTER/endpoint_groups/ac4861"
|
||||
},
|
||||
"name": "endpoint group name"
|
||||
}
|
||||
}
|
||||
|
||||
Get Endpoint Group
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
GET /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"endpoint_group": {
|
||||
"description": "endpoint group description",
|
||||
"filters": {
|
||||
"interface": "admin",
|
||||
"service_id": "1b501a"
|
||||
},
|
||||
"id": "ac4861",
|
||||
"links": {
|
||||
"self": "http://localhost:35357/v3/OS-EP-FILTER/endpoint_groups/ac4861"
|
||||
},
|
||||
"name": "endpoint group name"
|
||||
}
|
||||
}
|
||||
|
||||
Check Endpoint Group
|
||||
^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
Update Endpoint Group
|
||||
^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group``
|
||||
|
||||
The request block is the same as the one for create endpoint group,
|
||||
except that only the attributes that are being updated need to be
|
||||
included.
|
||||
|
||||
Request:
|
||||
|
||||
::
|
||||
|
||||
{
|
||||
"endpoint_group": {
|
||||
"description": "endpoint group description",
|
||||
"filters": {
|
||||
"interface": "admin",
|
||||
"service_id": "1b501a"
|
||||
},
|
||||
"name": "endpoint group name"
|
||||
}
|
||||
}
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"endpoint_group": {
|
||||
"description": "endpoint group description",
|
||||
"filters": {
|
||||
"interface": "admin",
|
||||
"service_id": "1b501a"
|
||||
},
|
||||
"id": "ac4861",
|
||||
"links": {
|
||||
"self": "http://localhost:35357/v3/OS-EP-FILTER/endpoint_groups/ac4861"
|
||||
},
|
||||
"name": "endpoint group name"
|
||||
}
|
||||
}
|
||||
|
||||
Remove Endpoint Group
|
||||
^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
DELETE /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
List All Endpoint Groups
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
GET /OS-EP-FILTER/endpoint_groups
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_groups``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"endpoint_groups": [
|
||||
{
|
||||
"endpoint_group": {
|
||||
"description": "endpoint group description #1",
|
||||
"filters": {
|
||||
"interface": "admin",
|
||||
"service_id": "1b501a"
|
||||
},
|
||||
"id": "ac4861",
|
||||
"links": {
|
||||
"self": "http://localhost:35357/v3/OS-EP-FILTER/endpoint_groups/ac4861"
|
||||
},
|
||||
"name": "endpoint group name #1"
|
||||
}
|
||||
},
|
||||
{
|
||||
"endpoint_group": {
|
||||
"description": "endpoint group description #2",
|
||||
"filters": {
|
||||
"interface": "admin"
|
||||
},
|
||||
"id": "3de68c",
|
||||
"links": {
|
||||
"self": "http://localhost:35357/v3/OS-EP-FILTER/endpoint_groups/3de68c"
|
||||
},
|
||||
"name": "endpoint group name #2"
|
||||
}
|
||||
}
|
||||
],
|
||||
"links": {
|
||||
"self": "https://identity:35357/v3/OS-EP-FILTER/endpoint_groups",
|
||||
"previous": null,
|
||||
"next": null
|
||||
}
|
||||
}
|
||||
|
||||
List Endpoint Groups Associated with Project
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
GET /OS-EP-FILTER/endpoint_groups/projects/{project_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint_groups``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"endpoint_groups": [
|
||||
{
|
||||
"endpoint_group": {
|
||||
"description": "endpoint group description #1",
|
||||
"filters": {
|
||||
"interface": "admin",
|
||||
"service_id": "1b501a"
|
||||
},
|
||||
"id": "ac4861",
|
||||
"links": {
|
||||
"self": "http://localhost:35357/v3/OS-EP-FILTER/endpoint_groups/ac4861"
|
||||
},
|
||||
"name": "endpoint group name #1"
|
||||
}
|
||||
}
|
||||
],
|
||||
"links": {
|
||||
"self": "https://identity:35357/v3/OS-EP-FILTER/endpoint_groups",
|
||||
"previous": null,
|
||||
"next": null
|
||||
}
|
||||
}
|
||||
|
||||
Project to Endpoint Group Relationship
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Create Endpoint Group to Project Association
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
PUT /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_project``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
Get Endpoint Group to Project Association
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
GET /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_project``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"project": {
|
||||
"domain_id": "1789d1",
|
||||
"enabled": true,
|
||||
"id": "263fd9",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/projects/263fd9"
|
||||
},
|
||||
"name": "project name #1",
|
||||
"description": "project description #1"
|
||||
}
|
||||
}
|
||||
|
||||
Check Endpoint Group to Project Association
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_project``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
Delete Endpoint Group to Project Association
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
DELETE /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_project``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
List Projects Associated with Endpoint Group
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
GET /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_projects``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"projects": [
|
||||
{
|
||||
"domain_id": "1789d1",
|
||||
"enabled": true,
|
||||
"id": "263fd9",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/projects/263fd9"
|
||||
},
|
||||
"name": "a project name 1",
|
||||
"description": "a project description 1"
|
||||
},
|
||||
{
|
||||
"domain_id": "1789d1",
|
||||
"enabled": true,
|
||||
"id": "61a1b7",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/projects/61a1b7"
|
||||
},
|
||||
"name": "a project name 2",
|
||||
"description": "a project description 2"
|
||||
}
|
||||
],
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects",
|
||||
"previous": null,
|
||||
"next": null
|
||||
}
|
||||
}
|
||||
|
||||
List Service Endpoints Associated with Endpoint Group
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
GET /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_endpoints``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"endpoints": [
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "6fedc0"
|
||||
"interface": "admin",
|
||||
"legacy_endpoint_id": "6fedc0",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/endpoints/6fedc0"
|
||||
},
|
||||
"region": "RegionOne",
|
||||
"service_id": "1b501a",
|
||||
"url": "http://localhost:9292"
|
||||
},
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "b501aa"
|
||||
"interface": "internal",
|
||||
"legacy_endpoint_id": "b501aa",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/endpoints/b501aa"
|
||||
},
|
||||
"region": "RegionOne",
|
||||
"service_id": "1b501a",
|
||||
"url": "http://localhost:9292"
|
||||
},
|
||||
{
|
||||
"enabled": true,
|
||||
"id": "b7c573"
|
||||
"interface": "public",
|
||||
"legacy_endpoint_id": "b7c573",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/endpoints/b7c573"
|
||||
},
|
||||
"region": "RegionOne",
|
||||
"service_id": "1b501a",
|
||||
"url": "http://localhost:9292"
|
||||
}
|
||||
],
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints",
|
||||
"previous": null,
|
||||
"next": null
|
||||
}
|
||||
}
|
||||
|
1400
api/identity-api-v3-os-federation-ext.rst
Normal file
1400
api/identity-api-v3-os-federation-ext.rst
Normal file
File diff suppressed because it is too large
Load Diff
344
api/identity-api-v3-os-inherit-ext.rst
Normal file
344
api/identity-api-v3-os-inherit-ext.rst
Normal file
@ -0,0 +1,344 @@
|
||||
OpenStack Identity API v3 OS-INHERIT Extension
|
||||
==============================================
|
||||
|
||||
Provide an ability for projects to inherit roles from their owning
|
||||
domain. This extension requires v3.1 of the Identity API.
|
||||
|
||||
API
|
||||
---
|
||||
|
||||
The following additional APIs are supported by this extension:
|
||||
|
||||
Assign role to user on projects owned by a domain
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
PUT /OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_role_inherited_to_projects``
|
||||
|
||||
The inherited role is only applied to the owned projects (both existing
|
||||
and future projects), and will not appear as a role in a domain scoped
|
||||
token.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
Assign role to group on projects owned by a domain
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
PUT /OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_group_role_inherited_to_projects``
|
||||
|
||||
The inherited role is only applied to the owned projects (both existing
|
||||
and future projects), and will not appear as a role in a domain scoped
|
||||
token.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
List user's inherited project roles on a domain
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
GET /OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_user_roles_inherited_to_projects``
|
||||
|
||||
The list only contains those role assignments to the domain that were
|
||||
specified as being inherited to projects within that domain.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"roles": [
|
||||
{
|
||||
"id": "--role-id--",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/roles/--role-id--"
|
||||
},
|
||||
"name": "--role-name--",
|
||||
},
|
||||
{
|
||||
"id": "--role-id--",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/roles/--role-id--"
|
||||
},
|
||||
"name": "--role-name--"
|
||||
}
|
||||
],
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/OS-INHERIT/domains/--domain_id--/
|
||||
users/--user_id--/roles/inherited_to_projects",
|
||||
"previous": null,
|
||||
"next": null
|
||||
}
|
||||
}
|
||||
|
||||
List group's inherited project roles on domain
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
GET /OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
|
||||
|
||||
Relationship:
|
||||
``'http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_group_roles_inherited_to_projects``
|
||||
|
||||
The list only contains those role assignments to the domain that were
|
||||
specified as being inherited to projects within that domain.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"roles": [
|
||||
{
|
||||
"id": "--role-id--",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/roles/--role-id--"
|
||||
},
|
||||
"name": "--role-name--",
|
||||
},
|
||||
{
|
||||
"id": "--role-id--",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/roles/--role-id--"
|
||||
},
|
||||
"name": "--role-name--"
|
||||
}
|
||||
],
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/OS-INHERIT/domains/--domain_id--/
|
||||
groups/--group_id--/roles/inherited_to_projects",
|
||||
"previous": null,
|
||||
"next": null
|
||||
}
|
||||
}
|
||||
|
||||
Check if user has an inherited project role on domain
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
HEAD /OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_role_inherited_to_projects``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
Check if group has an inherited project role on domain
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
HEAD /OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_group_role_inherited_to_projects``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
Revoke an inherited project role from user on domain
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
DELETE /OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_role_inherited_to_projects``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
Revoke an inherited project role from group on domain
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
DELETE /OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_group_role_inherited_to_projects``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
Modified APIs
|
||||
-------------
|
||||
|
||||
The following APIs are modified by this extension.
|
||||
|
||||
List effective role assignments
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
GET /role_assignments
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/rel/role_assignments``
|
||||
|
||||
The scope section in the list response is extended to allow the
|
||||
representation of role assignments that are inherited to projects.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"role_assignments": [
|
||||
{
|
||||
"links": {
|
||||
"assignment": "http://identity:35357/v3/OS-INHERIT/
|
||||
domains/--domain-id--/users/--user-id--/
|
||||
roles/--role-id--/inherited_to_projects"
|
||||
},
|
||||
"role": {
|
||||
"id": "--role-id--"
|
||||
},
|
||||
"scope": {
|
||||
"domain": {
|
||||
"id": "--domain-id--"
|
||||
},
|
||||
"OS-INHERIT:inherited_to": ["projects"]
|
||||
},
|
||||
"user": {
|
||||
"id": "--user-id--"
|
||||
}
|
||||
},
|
||||
{
|
||||
"group": {
|
||||
"id": "--group-id--"
|
||||
},
|
||||
"links": {
|
||||
"assignment": "http://identity:35357/v3/projects/--project-id--/
|
||||
groups/--group-id--/roles/--role-id--"
|
||||
},
|
||||
"role": {
|
||||
"id": "--role-id--"
|
||||
},
|
||||
"scope": {
|
||||
"project": {
|
||||
"id": "--project-id--"
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/role_assignments",
|
||||
"previous": null,
|
||||
"next": null
|
||||
}
|
||||
}
|
||||
|
||||
An additional query filter ``scope.OS-INHERIT:inherited_to`` is
|
||||
supported to allow for filtering based on role assignments that are
|
||||
inherited. The only value of ``scope.OS-INHERIT:inherited_to`` that is
|
||||
currently supported is ``projects``, indicating that this role is
|
||||
inherited to all projects of the owning domain.
|
||||
|
||||
If the query\_string ``effective`` is specified then the list of
|
||||
effective assignments at the user, project and domain level allows for
|
||||
the effects of both group membership as well as inheritance from the
|
||||
parent domain (for role assignments that were made using OS-INHERIT
|
||||
assignment APIs). Since, like group membership, the effects of
|
||||
inheritance have already been allowed for, the role assignment entities
|
||||
themselves that specify the inheritance will not be returned in the
|
||||
collection.
|
||||
|
||||
An example response for an API call with the query\_string ``effective``
|
||||
specified is given below:
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"role_assignments": [
|
||||
{
|
||||
"links": {
|
||||
"assignment": "http://identity:35357/v3/OS-INHERIT/
|
||||
domains/--domain-id--/users/--user-id--/
|
||||
roles/--role-id--/inherited_to_projects"
|
||||
},
|
||||
"role": {
|
||||
"id": "--role-id--"
|
||||
},
|
||||
"scope": {
|
||||
"project": {
|
||||
"id": "--project-id--"
|
||||
}
|
||||
},
|
||||
"user": {
|
||||
"id": "--user-id--"
|
||||
}
|
||||
},
|
||||
{
|
||||
"links": {
|
||||
"assignment": "http://identity:35357/v3/projects/--project-id--/
|
||||
groups/--group-id--/roles/--role-id--",
|
||||
"membership": "http://identity:35357/v3/groups/--group-id--/
|
||||
users/--user-id--"
|
||||
},
|
||||
"role": {
|
||||
"id": "--role-id--"
|
||||
},
|
||||
"scope": {
|
||||
"project": {
|
||||
"id": "--project-id--"
|
||||
}
|
||||
},
|
||||
"user": {
|
||||
"id": "--user-id--"
|
||||
}
|
||||
}
|
||||
],
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/role_assignments?effective",
|
||||
"previous": null,
|
||||
"next": null
|
||||
}
|
||||
}
|
||||
|
524
api/identity-api-v3-os-kds-ext.rst
Normal file
524
api/identity-api-v3-os-kds-ext.rst
Normal file
@ -0,0 +1,524 @@
|
||||
OpenStack Identity API v3 Key Distribution Service Extension
|
||||
============================================================
|
||||
|
||||
Key Distribution Server (KDS) serves as a trusted third party that is
|
||||
responsible for generation and secure distribution of signing and
|
||||
encryption keys to communicating parties. These shared keys allow
|
||||
messages to be exchanged between communicating parties with message
|
||||
authentication, integrity and confidentiality. KDS is an integral part
|
||||
of the implementation of RPC message security.
|
||||
|
||||
To establish a trusted relationship between a communicating party and
|
||||
KDS, a long term shared key needs to be assigned to the party by a
|
||||
properly authorized user, such as a cloud administrator. Assigning a key
|
||||
to a party requires assigning an identity to that party in KDS. An
|
||||
identity is comprised of a unique party name and the long term shared
|
||||
key that it is associated with. This party name is used to identify a
|
||||
party when it communicates with KDS or another party.
|
||||
|
||||
KDS is designed to enable secure messages to be exchanged between two
|
||||
individual parties as well as between one individual party and a group
|
||||
party. When a party wants to obtain keys to be used for communication
|
||||
with another party, it makes an authenticated request to KDS for a
|
||||
ticket. KDS returns a ticket to the requesting party that is encrypted
|
||||
with the long term shared key that is associated with that party. This
|
||||
encryption ensures that the ticket can only be decrypted by one who
|
||||
possesses the long term key, which should only be the associated party
|
||||
and KDS itself.
|
||||
|
||||
A ticket that has been issued by KDS contains a copy of the shared
|
||||
encryption and signing keys. These keys are for the source party, which
|
||||
is the party that requested the ticket. The ticket also contains a
|
||||
payload that is intended for the destination party, which is the party
|
||||
that the source party wants to communicate with. This payload contains
|
||||
the information that is needed for the destination party to be able to
|
||||
derive the shared encryption and signing keys. When the destination
|
||||
party is an individual, the payload is encrypted with the long term
|
||||
shared key that is associated with the destination party. When the
|
||||
destination party is a group, the payload is encrypted with a shared
|
||||
group key that KDS makes available to all members of the group. This
|
||||
encryption allows the destination party to trust that the information in
|
||||
the payload was supplied by KDS. When the source party is ready to
|
||||
communicate with the destination party, it sends this encrypted payload
|
||||
to the destination party along with whatever data it has protected with
|
||||
the shared signing and encryption keys. The destination party can then
|
||||
decrypt the payload and derive the shared encryption and signing keys
|
||||
using the information in the payload. This results in both parties
|
||||
having a copy of the shared signing and encryption keys that are trusted
|
||||
as being issued by KDS. These shared keys can then be used by the
|
||||
destination party to authenticate and decrypt the data sent by the
|
||||
source party.
|
||||
|
||||
When a source party needs to send secure messages to multiple
|
||||
recipients, an authorized user can define a group for those recipients
|
||||
in KDS. Membership in a group is determined by comparing a party name
|
||||
with the group name. If the name of a party matches ``<group name>.*``,
|
||||
it is considered to be a member. For example, a party named
|
||||
``scheduler.host.example.com`` would be considered a member of a group
|
||||
named ``scheduler``. This matches up with the way that message queues
|
||||
are named within OpenStack.
|
||||
|
||||
When a source party requests a ticket where the destination party is a
|
||||
group, KDS generates a short-lived group key and assigns it to the
|
||||
group. This group key is used to encrypt the payload in the ticket,
|
||||
which contains the information that the destination party uses to derive
|
||||
the shared signing and encryption keys. When an individual destination
|
||||
party needs to decrypt the payload that it receives from the source
|
||||
party as a part of a group message, it makes an authenticated request to
|
||||
KDS to obtain the short-lived group key. If the requester is a member of
|
||||
the target group, KDS provides the short-lived group key encrypted with
|
||||
the long term shared key associated with the individual destination
|
||||
party. The group key can then be decrypted by the individual destination
|
||||
party, allowing it to decrypt the payload and derive the shared signing
|
||||
and encryption keys that can be used to authenticate and decrypt the
|
||||
data sent by the source party.
|
||||
|
||||
When keys are obtained to send a message to a group, it is important to
|
||||
note that all members of the group and the sender share the signing and
|
||||
encryption keys. This makes it impossible for an individual destination
|
||||
party to determine if a message was truly sent by the source party or
|
||||
another destination party who is a member of the group. The only
|
||||
assurance that a destination party has is that a message was sent by a
|
||||
party who has possession of the shared signing and encryption keys. This
|
||||
requires that all parties within a group trust each other to not
|
||||
impersonate the source party.
|
||||
|
||||
The signing and encryption keys that are shared between communicating
|
||||
parties are short-lived. The lifetime of these keys is defined by an
|
||||
validity period that is set by KDS when it issues the ticket. A
|
||||
suggested reasonable default validity period is 15 minutes, though it is
|
||||
left up to the implementation to determine the appropriate validity
|
||||
period. Once the validity period for the keys expires, a party should
|
||||
refuse to use those keys anymore to prevent using keys that may have
|
||||
been compromised. This requires the source party to request a new ticket
|
||||
from KDS to get a new set of keys. If desired, an implementation could
|
||||
choose to implement a grace period to account for clock skew between
|
||||
parties. This grace period would allow a destination party to accept
|
||||
messages that use recently expired keys. If a grace period is used, it
|
||||
is recommended that the duration be kept small, such as 5 minutes or
|
||||
less.
|
||||
|
||||
The principal advantage of using a key server compared to a pure public
|
||||
key based system is that the encryption and signing key exchange can be
|
||||
regulated by the key server. Since the key server is actively involved
|
||||
in distributing keys to the communicating parties, it has the ability to
|
||||
apply access control and deny communication between arbitrary peers in
|
||||
the system when keys are requested. This allows for centralized access
|
||||
control, prevents unauthorized communication and avoids the need to
|
||||
perform post-authentication access control and policy look-ups on the
|
||||
receiving side.
|
||||
|
||||
API Considerations
|
||||
------------------
|
||||
|
||||
The Key Distribution Server (KDS) requires that all ticket requests are
|
||||
authenticated and data is encrypted where appropriate.
|
||||
|
||||
All timestamp values used in the API must be specified as a UTC ISO 8601
|
||||
extended format date/time string that includes microseconds. An example
|
||||
of a properly formatted timestamp is ``2012-03-26T10:01:01.720000``.
|
||||
|
||||
The default algorithms for message authentication and encryption are
|
||||
respectively HMAC-SHA-256 and AES-128-CBC. Therefore the default block
|
||||
size is 128bit.
|
||||
|
||||
The source party that obtains a ticket is responsible for sending the
|
||||
encrypted payload ``esek`` to the destination party. The source and
|
||||
destination strings used when requesting the ticket also need to be sent
|
||||
to the destination party to allow it to derive the shared signing end
|
||||
encryption keys. Transferring this data to the destination party is
|
||||
handled outside of the API described in this document, as it's expected
|
||||
to be performed by the messaging implementation.
|
||||
|
||||
The key derivation used to generate the shared signing and encryption
|
||||
keys uses the Hashed Message Authentication Code (HMAC)-based key
|
||||
derivation function (HKDF) standard as described in RFC 5869. The
|
||||
destination party needs to use the HKDF ``expand`` function using the
|
||||
information that it receives from the source party in order to complete
|
||||
derivation of the shared signing and encryption keys. The inputs to the
|
||||
HKDF ``expand`` function are as follows:
|
||||
|
||||
::
|
||||
|
||||
HKDF-Expand(esek.key, info, 256)
|
||||
|
||||
The ``info`` input for the HKDF ``expand`` function is a string that
|
||||
concatenates the source, destination, and ``esek.timestamp`` strings
|
||||
using a ``,`` separator between each element. An example of a valid
|
||||
``info`` string where ``scheduler.host.example.com`` is the source,
|
||||
``compute.host.example.com`` is the destination, and
|
||||
``2012-03-26T10:01:01.720000`` is the ``esek.timestamp`` is as follows:
|
||||
|
||||
::
|
||||
|
||||
scheduler.host.example.com,compute.host.example.com,2012-03-26T10:01:01.720000
|
||||
|
||||
The output of the HKDF expand function is an array of bytes of 256 bit
|
||||
length. The first half is used as the signing key, and the second half
|
||||
is used as the encryption key.
|
||||
|
||||
The requests to create and delete long term keys should be restricted
|
||||
such that only a properly authorized user, such as a cloud administrator
|
||||
is allowed to successfully perform the operations. The authentication
|
||||
and authorization for these requests is left up to the implementation,
|
||||
though it expected that one would leverage the Identity API for these
|
||||
purposes.
|
||||
|
||||
Resources and Operations
|
||||
------------------------
|
||||
|
||||
Create Key
|
||||
^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
PUT /v1/keys/{name}
|
||||
|
||||
Create a long term key in the KDS.
|
||||
|
||||
Request
|
||||
'''''''
|
||||
|
||||
The request resource name is the party associated with the key, and the
|
||||
body consists of just the key.
|
||||
|
||||
- ``key`` - A base64 encoded 128 bit long cryptographic random key.
|
||||
|
||||
{ "key": "TXkgcHJlY2lvdXNzcy4u..." }
|
||||
|
||||
Response
|
||||
''''''''
|
||||
|
||||
The response contains a name and generation value. The generation value
|
||||
will only be changed if a new key is set. If the request sets the key to
|
||||
the same value that already exists, the existing generation value will
|
||||
be returned in the response. This makes the request idempotent.
|
||||
|
||||
- ``name`` - The party name associated with the key.
|
||||
- ``generation`` - A unique integer used to identify the key.
|
||||
|
||||
Status: 201 Created Location: /v1/keys/--key-name--
|
||||
|
||||
{ "name": "--key-name--", "generation": 2 }
|
||||
|
||||
Delete Key
|
||||
^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
DELETE /v1/keys/{name}
|
||||
|
||||
Delete a key from KDS.
|
||||
|
||||
Request
|
||||
'''''''
|
||||
|
||||
The request body is empty.
|
||||
|
||||
Response
|
||||
''''''''
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
Generate Ticket
|
||||
^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
POST /v1/tickets
|
||||
|
||||
A ticket is generated to facilitate messaging between a ``source`` and a
|
||||
``destination``.
|
||||
|
||||
Request
|
||||
'''''''
|
||||
|
||||
A generate ticket request comprises metadata supplied as a base64
|
||||
encoded JSON object and a signature.
|
||||
|
||||
::
|
||||
|
||||
{
|
||||
"metadata": "Zhn8yhasf8hihkf...",
|
||||
"signature": "c2lnbmF0dXJl..."
|
||||
}
|
||||
|
||||
Metadata:
|
||||
|
||||
A base64 encoded JSON object containing the following key/value pairs:
|
||||
|
||||
- ``source`` - The identity requesting a ticket.
|
||||
- ``destination`` - The target for which the ticket will be valid.
|
||||
- ``timestamp`` - Current timestamp from the requester.
|
||||
- ``nonce`` - Random single use data.
|
||||
|
||||
A timestamp and a nonce are necessary to avoid replay attacks.
|
||||
|
||||
::
|
||||
|
||||
{
|
||||
"source": "scheduler.host.example.com",
|
||||
"destination": "compute.host.example.com",
|
||||
"timestamp": "2012-03-26T10:01:01.720000",
|
||||
"nonce": 1234567890
|
||||
}
|
||||
|
||||
Signature:
|
||||
|
||||
A base64 encoded HMAC Signature over the base64 encoded request metadata
|
||||
object.
|
||||
|
||||
::
|
||||
|
||||
Base64encode(HMAC(SigningKey, RequestMetadata))
|
||||
|
||||
The key used for the signature is the requester's long term key. The KDS
|
||||
should verify the signature upon receipt of the request. This requires
|
||||
that the KDS access the ``source`` from the request metadata in order to
|
||||
lookup the associated long term key that can be used to verify the
|
||||
signature. The KDS should not access any other data contained in the
|
||||
request metadata before verifying the signature. Failure to verify the
|
||||
signature leaves the KDS open to issuing a ticket to a party that is
|
||||
impersonating the source.
|
||||
|
||||
Response
|
||||
''''''''
|
||||
|
||||
The response always returns a triplet of metadata, encrypted ticket and
|
||||
signature.
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"metadata": "Zhn8yhasf8hihkf...",
|
||||
"ticket": "ZW5jcnlwdGVkIHRpY2tldA==",
|
||||
"signature": "c2lnbmF0dXJl..."
|
||||
}
|
||||
|
||||
Metadata:
|
||||
|
||||
A base64 encoded JSON object containing the following key/value pairs:
|
||||
|
||||
- ``source`` - The identity of the requester.
|
||||
- ``destination`` - The target for which the ticket is valid.
|
||||
- ``expiration`` - Timestamp of when the ticket expires.
|
||||
|
||||
{ "source": "scheduler.host.example.com", "destination":
|
||||
"compute.host.example.com", "expiration":
|
||||
"2012-03-26T11:01:01.720000" }
|
||||
|
||||
Ticket:
|
||||
|
||||
The ticket is encrypted with the source's long term key and contains a
|
||||
base64 encoded JSON object containing the following key/value pairs:
|
||||
|
||||
- ``skey`` - The newly generated base64 encoded message signing key.
|
||||
- ``ekey`` - The newly generated base64 encoded message encryption key.
|
||||
- ``esek`` - Encrypted signing and encryption key pair for the
|
||||
receiver.
|
||||
|
||||
{ "skey": "ZjhkuYZH8y87rzhgi7..." "ekey": "Fk8yksa8z8zKtakc8s..."
|
||||
"esek": "KBo8fajfo8ysad5hq2..." }
|
||||
|
||||
The ``esek`` is encrypted with the destination's long term key and
|
||||
contains a base64 encoded JSON object containing the following key/value
|
||||
pairs:
|
||||
|
||||
- ``key`` - The base64 encoded random key used to derive the signing
|
||||
and encryption keys.
|
||||
- ``timestamp`` - Timestamp of when the key was created.
|
||||
- ``ttl`` - An integer containing the validity length of the key in
|
||||
seconds.
|
||||
|
||||
{ "key": "Afa8sad2hgsd7asv7ad..." "timestamp":
|
||||
"2012-03-26T10:01:01.720000" "ttl": 28800 }
|
||||
|
||||
The ``key`` and ``timestamp`` are used as inputs to the HKDF ``expand``
|
||||
function to derive the signing and encryption keys as described in the
|
||||
``API Considerations`` section of this document.
|
||||
|
||||
The ``timestamp`` plus ``ttl`` should be equivalent to the
|
||||
``expiration`` timestamp contained in the response metadata.
|
||||
|
||||
Signature:
|
||||
|
||||
A base64 encoded HMAC signature over the concatenation of the base64
|
||||
encoded response metadata object and base64 encoded ticket object.
|
||||
|
||||
::
|
||||
|
||||
Base64encode(HMAC(SigningKey, ResponseMetadata + Ticket))
|
||||
|
||||
The key used for the signature is the requester's long term key. The
|
||||
requester should verify the signature upon receipt of the response
|
||||
before accessing any data contained in the response metadata or the
|
||||
ticket. Failure to verify the signature leaves the requester open to
|
||||
using metadata that was not actually issued by the KDS.
|
||||
|
||||
Create Group
|
||||
^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
PUT /v1/groups/{name}
|
||||
|
||||
Create a group in the KDS.
|
||||
|
||||
Membership in groups is based on the party name. For example, a group
|
||||
named ``scheduler`` will implicitly include any party name starting with
|
||||
``scheduler.`` as a member (e.g. scheduler.host.example.com).
|
||||
|
||||
Request
|
||||
'''''''
|
||||
|
||||
The request body is empty.
|
||||
|
||||
Response
|
||||
''''''''
|
||||
|
||||
The response returns the group name from the request.
|
||||
|
||||
::
|
||||
|
||||
Status: 201 Created
|
||||
Location: /v1/groups/--group-name--
|
||||
|
||||
{
|
||||
"name": "--group-name--"
|
||||
}
|
||||
|
||||
Delete Group
|
||||
^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
DELETE /v1/groups/{name}
|
||||
|
||||
Delete a group from the KDS.
|
||||
|
||||
Request
|
||||
'''''''
|
||||
|
||||
The request body is empty.
|
||||
|
||||
Response
|
||||
''''''''
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
Retrieve Group Key
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
POST /v1/groups
|
||||
|
||||
When a ticket is requested where the destination is a group, a group key
|
||||
is generated that is valid for a predetermined amount of time. Any
|
||||
member of the group can retrieve the key as long as it is still valid.
|
||||
Group keys are necessary to verify signatures and decrypt messages that
|
||||
have a group name as the target.
|
||||
|
||||
Request
|
||||
'''''''
|
||||
|
||||
A group key retrieval request is identical to a generate ticket request
|
||||
except the destination is a group name instead of an individual party
|
||||
name.
|
||||
|
||||
Response
|
||||
''''''''
|
||||
|
||||
The response always returns a triplet of metadata, encrypted group key
|
||||
and signature.
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"metadata": "Zhn8yhasf8hihkf...",
|
||||
"group_key": "ZW5jcnlwdGVkIGdyb3VwIGtleQ==",
|
||||
"signature": "c2lnbmF0dXJl"
|
||||
}
|
||||
|
||||
Metadata:
|
||||
|
||||
A base64 encoded JSON object containing the following key/value pairs:
|
||||
|
||||
- ``source`` - The identity of the requester.
|
||||
- ``destination`` - The target for which the ticket is valid.
|
||||
- ``expiration`` - Timestamp of when the ticket expires.
|
||||
|
||||
{ "source": "api.host.example.com", "destination": "scheduler",
|
||||
"expiration": "2012-03-26T11:01:01.720000" }
|
||||
|
||||
Group key:
|
||||
|
||||
The group key is encrypted with the requester's long term key.
|
||||
|
||||
Signature:
|
||||
|
||||
A base64 encoded HMAC signature over the concatenation of the base64
|
||||
encoded response metadata object and the group key.
|
||||
|
||||
::
|
||||
|
||||
Base64encode(HMAC(SigningKey, ResponseMetadata + GroupKey))
|
||||
|
||||
The key used for the signature is the requester's long term key. The
|
||||
requester should verify the signature upon receipt of the response
|
||||
before accessing any data contained in the response metadata or the
|
||||
group key. Failure to verify the signature leaves the requester open to
|
||||
using data that was not actually issued by the KDS.
|
||||
|
||||
HTTP Status Codes
|
||||
~~~~~~~~~~~~~~~~~
|
||||
|
||||
KDS uses the following HTTP status codes to communicate specific success
|
||||
and failure conditions to the client.
|
||||
|
||||
200 OK
|
||||
^^^^^^
|
||||
|
||||
This status code is returned in response to a successful ``POST``
|
||||
request to generate a ticket or a retrieve a group key.
|
||||
|
||||
201 Created
|
||||
^^^^^^^^^^^
|
||||
|
||||
This status code is returned in response to a successful ``PUT`` request
|
||||
to create a group or long term key.
|
||||
|
||||
204 No Content
|
||||
^^^^^^^^^^^^^^
|
||||
|
||||
This status code is returned in response to a successful ``DELETE``
|
||||
request to delete a group or long term key. No content body is returned.
|
||||
|
||||
401 Unauthorized
|
||||
^^^^^^^^^^^^^^^^
|
||||
|
||||
This status code is returned when either authentication has not been
|
||||
performed, or authentication fails.
|
||||
|
||||
403 Forbidden
|
||||
^^^^^^^^^^^^^
|
||||
|
||||
This status code is returned when the requester field does not match
|
||||
either the sender or the receiver fields, or if the body of the request
|
||||
does not result in the supplied signature.
|
||||
|
||||
404 Not Found
|
||||
^^^^^^^^^^^^^
|
||||
|
||||
This status code is returned in response to a failed ``DELETE`` request
|
||||
when a referenced entity cannot be found. It is also returned when a
|
||||
``POST`` request is made where the destination party specified in the
|
||||
request does not exist.
|
535
api/identity-api-v3-os-oauth1-ext.rst
Normal file
535
api/identity-api-v3-os-oauth1-ext.rst
Normal file
@ -0,0 +1,535 @@
|
||||
OpenStack Identity API v3 OS-OAUTH1 Extension
|
||||
=============================================
|
||||
|
||||
Provide the ability for identity users to delegate roles to third party
|
||||
consumers via the `OAuth 1.0a
|
||||
specification <http://oauth.net/core/1.0a/>`__. This extension requires
|
||||
v3.0+ of the Identity API. An OAuth-derived token will provide a means
|
||||
of acting on behalf of the authorizing user.
|
||||
|
||||
Definitions
|
||||
-----------
|
||||
|
||||
- *User:* An Identity API service user, the entity whose role(s) will
|
||||
be delegated, and the entity that authorizes Request Tokens.
|
||||
- *Request Token:* A token used by the Consumer to obtain authorization
|
||||
from the User, and exchanged with an OAuth Verifier for an Access
|
||||
Token.
|
||||
- *Access Token:* A token used by the Consumer to request new Identity
|
||||
API tokens on behalf of the authorizing User, instead of using the
|
||||
User’s credentials.
|
||||
- *Token Key:* A key used by the token to identify itself. Both Request
|
||||
Tokens and Access Tokens have Token Keys. For OpenStack purposes, the
|
||||
Token Key is the Token ID.
|
||||
- *Token Secret:* A secret used by the Consumer to establish ownership
|
||||
of a given Token. Both Request Tokens and Access Tokens have Token
|
||||
Secrets.
|
||||
- *OAuth Verifier:* A string that must be provided with the
|
||||
corresponding Request Token in exchange for an Access Token.
|
||||
|
||||
Delegated Authentication Flow
|
||||
-----------------------------
|
||||
|
||||
Delegated Authentication via OAuth is done in five steps:
|
||||
|
||||
1. An Identity API service User `creates a
|
||||
Consumer <#create-consumer-post-os-oauth1consumers>`__.
|
||||
2. The Consumer `obtains an unauthorized Request
|
||||
Token <#create-request-token-post-os-oauth1request_token>`__.
|
||||
3. The User `authorizes the Request
|
||||
Token <#authorize-request-token-put-os-oauth1authorizerequest_token_id>`__.
|
||||
4. The Consumer `exchanges the Request Token for an Access
|
||||
Token <#create-access-token-post-os-oauth1access_token>`__.
|
||||
5. The Consumer `uses the Access Token to request an Identity API
|
||||
service Token <#request-an-identity-api-token-post-authtokens>`__.
|
||||
|
||||
API Resources
|
||||
-------------
|
||||
|
||||
Consumers
|
||||
~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
/OS-OAUTH1/consumers
|
||||
|
||||
A Consumer is an application that uses OAuth to access a protected
|
||||
resource.
|
||||
|
||||
Optional attributes:
|
||||
|
||||
- ``description`` (string)
|
||||
|
||||
Immutable attributes provided by the Identity service:
|
||||
|
||||
- ``secret`` (string)
|
||||
|
||||
A consumer's ``secret`` is only returned once, during consumer creation.
|
||||
|
||||
The Consumer is given its key and secret, out-of-band. For OpenStack,
|
||||
the ID of the Consumer is the Key.
|
||||
|
||||
Consumers API
|
||||
-------------
|
||||
|
||||
Create Consumer
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
POST /OS-OAUTH1/consumers
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumers``
|
||||
|
||||
Request:
|
||||
|
||||
::
|
||||
|
||||
{
|
||||
"consumer": {
|
||||
"description": "My consumer"
|
||||
}
|
||||
}
|
||||
|
||||
Response:
|
||||
|
||||
The ``secret`` is only returned once, during consumer creation.
|
||||
|
||||
::
|
||||
|
||||
Status: 201 Created
|
||||
|
||||
{
|
||||
"consumer": {
|
||||
"secret": "4c7832",
|
||||
"description": "My consumer",
|
||||
"id": "7fea2d",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/OS-OAUTH1/consumers/7fea2d"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
List Consumers
|
||||
~~~~~~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
GET /OS-OAUTH1/consumers
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumers``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"consumers": [
|
||||
{
|
||||
"id": "0c2a74",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/OS-OAUTH1/consumers/0c2a74"
|
||||
}
|
||||
},
|
||||
{
|
||||
"description": "My consumer",
|
||||
"id": "7fea2d",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/OS-OAUTH1/consumers/7fea2d"
|
||||
}
|
||||
}
|
||||
],
|
||||
"links": {
|
||||
"next": null,
|
||||
"previous": null,
|
||||
"self": "http://identity:35357/v3/OS-OAUTH1/consumers"
|
||||
}
|
||||
}
|
||||
|
||||
Get Consumer
|
||||
~~~~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
GET /OS-OAUTH1/consumers/{consumer_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumer``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"consumer": {
|
||||
"id": "7fea2d",
|
||||
"description": "My consumer",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/OS-OAUTH1/consumers/7fea2d"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Delete Consumer
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
DELETE /OS-OAUTH1/consumers/{consumer_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumer``
|
||||
|
||||
When a Consumer is deleted, any Request Tokens, Access Tokens, or
|
||||
Identity API Tokens will also be deleted.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
Update Consumer
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
PATCH /OS-OAUTH1/consumers/{consumer_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumer``
|
||||
|
||||
Only a Consumer's ``description`` is mutable. Attempting to PATCH an
|
||||
immutable attribute should result in a HTTP 400 Bad Request.
|
||||
|
||||
Request:
|
||||
|
||||
::
|
||||
|
||||
{
|
||||
"consumer": {
|
||||
"description": "My new consumer"
|
||||
}
|
||||
}
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"consumer": {
|
||||
"description": "My new consumer",
|
||||
"id": "7fea2d",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/OS-OAUTH1/consumers/7fea2d"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Delegated Auth APIs
|
||||
-------------------
|
||||
|
||||
Create Request Token
|
||||
~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
POST /OS-OAUTH1/request_token
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/request_tokens``
|
||||
|
||||
A Consumer uses the Consumer Key and Secret to obtain a Request Token.
|
||||
The Request Token is used to initiate User authorization. The Request
|
||||
Token, once authorized, can be exchanged along with the OAuth Verifier
|
||||
for an Access Token. Note that there is one extra parameter,
|
||||
``requested_project_id``. ``requested_project_id`` contains the ID of
|
||||
the project upon which the Consumer would like authorization. The
|
||||
Identity service may include an ``oauth_expires_at`` attribute in the
|
||||
response. If no such attribute is included, or is null, then the token
|
||||
may last indefinitely.
|
||||
|
||||
The authorizing User receives the Request Token Key from the Consumer
|
||||
out-of-band.
|
||||
|
||||
Supported signature methods: ``HMAC-SHA1``
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Request Parameters:
|
||||
|
||||
- All required OAuth parameters must be provided.
|
||||
|
||||
See: http://oauth.net/core/1.0a/#auth_step1
|
||||
|
||||
Additional Request Parameters:
|
||||
|
||||
- ``requested_project_id``: IDs of requested project
|
||||
|
||||
- Example: ``requested_project_id=b9fca3``
|
||||
|
||||
Response:
|
||||
|
||||
``oauth_token=29971f&oauth_token_secret=238eb8&oauth_expires_at=2013-09-11T06:07:51.501805Z``
|
||||
|
||||
Response Parameters:
|
||||
|
||||
- ``oauth_token``: The Request Token key that the Identity API returns.
|
||||
- ``oauth_token_secret``: The secret associated with the Request Token.
|
||||
- ``oauth_expires_at`` (optional): The ISO 8601 date time at which a
|
||||
Request Token will expire.
|
||||
|
||||
Authorize Request Token
|
||||
~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
PUT /OS-OAUTH1/authorize/{request_token_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/authorize_request_token``
|
||||
|
||||
To authorize the Request Token, the authorizing user must have access to
|
||||
the requested project. Upon successful authorization, an OAuth Verifier
|
||||
code is returned. The Consumer receives the OAuth Verifier from the User
|
||||
out-of-band.
|
||||
|
||||
Request:
|
||||
|
||||
::
|
||||
|
||||
{
|
||||
"roles": [
|
||||
{
|
||||
"id": "a3b29b"
|
||||
},
|
||||
{
|
||||
"id": "49993e"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
{
|
||||
"token": {
|
||||
"oauth_verifier": "8171"
|
||||
}
|
||||
}
|
||||
|
||||
Create Access Token
|
||||
~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
POST /OS-OAUTH1/access_token
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/access_tokens``
|
||||
|
||||
After the User authorizes the Request Token, the Consumer exchanges the
|
||||
authorized Request Token and OAuth Verifier for an Access Token. The
|
||||
Identity service may include an ``oauth_expires_at`` parameter in the
|
||||
response. If no such parameter is included, then the token lasts
|
||||
indefinitely.
|
||||
|
||||
Supported signature methods: ``HMAC-SHA1``
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Request Parameters:
|
||||
|
||||
- All required OAuth parameters must be provided.
|
||||
|
||||
See: http://oauth.net/core/1.0a/#auth_step3
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
oauth_token=accd36&oauth_token_secret=aa47da&oauth_expires_at=2013-09-11T06:07:51.501805Z
|
||||
|
||||
Response Parameters:
|
||||
|
||||
- ``oauth_token``: The Access Token key that the Identity API returns.
|
||||
- ``oauth_token_secret``: The secret associated with the Access Token.
|
||||
- ``oauth_expires_at`` (optional): The ISO 8601 date time when an
|
||||
Access Token expires.
|
||||
|
||||
Request an Identity API Token
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
POST /auth/tokens
|
||||
|
||||
Relationship: ``http://docs.openstack.org/identity/rel/v3/auth_tokens``
|
||||
|
||||
The Consumer can now request valid Identity API service tokens
|
||||
representing the authorizing User's delegated authorization and identity
|
||||
(impersonation). The generated token's roles and scope will match that
|
||||
which the Consumer initially requested.
|
||||
|
||||
Supported signature methods: ``HMAC-SHA1``
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Request Parameters:
|
||||
|
||||
- All required OAuth parameters must be provided.
|
||||
|
||||
See: http://oauth.net/core/1.0a/#anchor12
|
||||
|
||||
To authenticate with the OS-OAUTH1 extension, ``oauth1`` must be
|
||||
specified as an authentication method. Example request:
|
||||
|
||||
::
|
||||
|
||||
{
|
||||
"auth": {
|
||||
"identity": {
|
||||
"methods": [
|
||||
"oauth1"
|
||||
],
|
||||
"oauth1": {}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
The returned token is scoped to the requested project and with the
|
||||
delegated roles. In addition to the standard token response, as seen in
|
||||
the link below, the token has an OAuth-specific object.
|
||||
|
||||
Example OpenStack token response: `Various OpenStack token
|
||||
responses <https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#authentication-responses>`__
|
||||
|
||||
Example OAuth-specific object in a token:
|
||||
|
||||
::
|
||||
|
||||
"OS-OAUTH1": {
|
||||
"consumer_id": "7fea2d",
|
||||
"access_token_id": "cce0b8be7"
|
||||
}
|
||||
|
||||
User Access Token APIs
|
||||
----------------------
|
||||
|
||||
List authorized access tokens
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
GET /users/{user_id}/OS-OAUTH1/access_tokens
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_tokens``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
{
|
||||
"access_tokens": [
|
||||
{
|
||||
"consumer_id": "7fea2d",
|
||||
"id": "6be26a",
|
||||
"expires_at": "2013-09-11T06:07:51.501805Z",
|
||||
"links": {
|
||||
"roles": "http://identity:35357/v3/users/ce9e07/OS-OAUTH1/access_tokens/6be26a/roles"
|
||||
"self": "http://identity:35357/v3/users/ce9e07/OS-OAUTH1/access_tokens/6be26a"
|
||||
},
|
||||
"project_id": "b9fca3",
|
||||
"authorizing_user_id": "ce9e07"
|
||||
}
|
||||
],
|
||||
"links": {
|
||||
"next": null,
|
||||
"previous": null,
|
||||
"self": "http://identity:35357/v3/users/ce9e07/OS-OAUTH1/access_tokens"
|
||||
}
|
||||
}
|
||||
|
||||
Get authorized access token
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
GET /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
{
|
||||
"access_token": {
|
||||
"consumer_id": "7fea2d",
|
||||
"id": "6be26a",
|
||||
"expires_at": "2013-09-11T06:07:51.501805Z",
|
||||
"links": {
|
||||
"roles": "http://identity:35357/v3/users/ce9e07/OS-OAUTH1/access_tokens/6be26a/roles"
|
||||
"self": "http://identity:35357/v3/users/ce9e07/OS-OAUTH1/access_tokens/6be26a"
|
||||
},
|
||||
"project_id": "b9fca3",
|
||||
"authorizing_user_id": "ce9e07"
|
||||
}
|
||||
}
|
||||
|
||||
List roles of an access token
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
GET /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token_roles``
|
||||
|
||||
See ``GET /v3/roles`` for an
|
||||
`example <https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#list-roles-get-roles>`__
|
||||
of this response format.
|
||||
|
||||
Get a role of an access token
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
GET /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token_role``
|
||||
|
||||
See ``GET /v3/roles/{role_id}`` for an
|
||||
`example <https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#get-role-get-rolesrole_id>`__
|
||||
of this response format.
|
||||
|
||||
Revoke access token
|
||||
~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
DELETE /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token``
|
||||
|
||||
A User can revoke an Access Token, preventing the Consumer from
|
||||
requesting new Identity API service tokens. This also revokes any
|
||||
Identity API tokens issued to the Consumer using that Access Token.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
175
api/identity-api-v3-os-revoke-ext.rst
Normal file
175
api/identity-api-v3-os-revoke-ext.rst
Normal file
@ -0,0 +1,175 @@
|
||||
OpenStack Identity API v3 OS-REVOKE Extension
|
||||
=============================================
|
||||
|
||||
This extension provides a list of token revocations. Each event
|
||||
expresses a set of criteria which describes a set of tokens that are no
|
||||
longer valid.
|
||||
|
||||
This extension requires v3.2+ of the Identity API.
|
||||
|
||||
What's New in v1.1
|
||||
------------------
|
||||
|
||||
- Use of ``expires_at`` has been deprecated in favor of using
|
||||
``audit_id`` and ``audit_chain_id``.
|
||||
|
||||
- Revocation events can use ``audit_id`` to revoke an individual token.
|
||||
|
||||
- Revocation events can use ``audit_chain_id`` to revoke all related
|
||||
tokens. A related token is defined by the first (non-rescoped) token.
|
||||
All tokens in the chain will have the same ``audit_chain_id``.
|
||||
|
||||
API Resources
|
||||
-------------
|
||||
|
||||
Revocation Events
|
||||
~~~~~~~~~~~~~~~~~
|
||||
|
||||
Revocation events are objects that contain criteria used to evaluate
|
||||
token validity. Tokens that match all the criteria of a revocation event
|
||||
are considered revoked, and should not be accepted as proof of
|
||||
authorization for the user.
|
||||
|
||||
Revocation events do not have a unique identifier (``id``).
|
||||
|
||||
Required attributes:
|
||||
|
||||
- ``issued_before`` (string, ISO 8601 extended format date time with
|
||||
microseconds)
|
||||
|
||||
Tokens issued before this time are considered revoked.
|
||||
|
||||
This attribute can be used to determine how long the expiration event is
|
||||
valid. It can also be used in queries to filter events, so that only a
|
||||
subset that have occurred since the last request are returned.
|
||||
|
||||
Optional attributes:
|
||||
|
||||
- ``domain_id`` (string)
|
||||
|
||||
Revoke tokens scoped to a particular domain.
|
||||
|
||||
- ``project_id`` (string)
|
||||
|
||||
Revoke tokens scoped to a particular project.
|
||||
|
||||
- ``user_id`` (string)
|
||||
|
||||
Revoke tokens expressing the identity of a particular user.
|
||||
|
||||
- ``role_id`` (string)
|
||||
|
||||
Revoke tokens issued with a specific role.
|
||||
|
||||
- ``OS-TRUST:trust_id`` (string)
|
||||
|
||||
Revoke tokens issued as the result of a particular trust, as part of the
|
||||
OS-TRUST API extension.
|
||||
|
||||
- ``OS-OAUTH1:consumer_id`` (string)
|
||||
|
||||
Revoke tokens issued to a specific OAuth consumer, as part of the
|
||||
OS-OAUTH1 API extension.
|
||||
|
||||
- ``expires_at`` (string, ISO 8601 extended format date time with
|
||||
microseconds)
|
||||
|
||||
**Deprecated as of the Juno release in favor of ``audit_id`` and
|
||||
``audit_chain_id``.** If ``expires_at`` exists in the revocation event,
|
||||
it will be utilized to match tokens.
|
||||
|
||||
Specifies the exact expiration time of one or more tokens to be revoked.
|
||||
|
||||
This attribute is useful for revoking chains of tokens, such as those
|
||||
produced when re-scoping an existing token. When a token is issued based
|
||||
on initial authentication, it is given an ``expires_at`` value. When a
|
||||
token is used to get another token, the new token will have the same
|
||||
``expires_at`` value as the original.
|
||||
|
||||
- ``audit_id`` (string)
|
||||
|
||||
Specifies the unique identifier (UUID) assigned to the token itself.
|
||||
|
||||
This will revoke a single token only. This attribute mirrors the use of
|
||||
the ``Token Revocation List`` (the mechanism used prior to revocation
|
||||
events) but does not utilize data that could convey authorization (the
|
||||
``token id``).
|
||||
|
||||
If an event is issued for ``audit_id`` then the event cannot contain an
|
||||
``audit_chain_id``.
|
||||
|
||||
- ``audit_chain_id`` (string)
|
||||
|
||||
Specifies a group of tokens based upon the ``audit_id`` of the first
|
||||
token in the chain. If a revocation event specifies the
|
||||
``audit_chain_id`` any token that is part of the token chain (based upon
|
||||
the original token at the start of the chain) will be revoked, including
|
||||
the original token at the start of the chain.
|
||||
|
||||
If an event is issued for ``audit_chain_id`` then the event cannot
|
||||
contain an ``audit_id``.
|
||||
|
||||
The properties are additive: Only a token that meets all of the
|
||||
specified criteria is considered revoked.
|
||||
|
||||
Minimal example entity:
|
||||
|
||||
::
|
||||
|
||||
{
|
||||
"issued_before": "2014-02-27T18:30:59.999999Z"
|
||||
}
|
||||
|
||||
API
|
||||
---
|
||||
|
||||
List revocation events
|
||||
~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
GET /OS-REVOKE/events
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-REVOKE/1.0/rel/events``
|
||||
|
||||
Optional query parameters:
|
||||
|
||||
- ``since`` (RFC 1123 format date time): limit the list of results to
|
||||
events that occurred on or after the specified time.
|
||||
|
||||
The HTTP Date header returned in the response reflects the timestamp of
|
||||
the most recently issued revocation event. Clients can then use this
|
||||
value in the ``since`` query parameter to limit the list of events in
|
||||
subsequent requests.
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
Date: Sun, 17 Feb 2013 18:30:59 GMT
|
||||
|
||||
{
|
||||
"events": [
|
||||
{
|
||||
"issued_before": "2014-02-27T18:30:59.999999Z",
|
||||
"user_id": "f287de"
|
||||
},
|
||||
{
|
||||
"audit_id": "VcxU2JYqT8OzfUVvrjEITQ",
|
||||
"issued_before": "2014-02-27T18:30:59.999999Z",
|
||||
},
|
||||
{
|
||||
"audit_chain_id": "VcxU2JYqT8OzfUVvrjEITQ",
|
||||
"issued_before": "2014-02-27T18:30:59.999999Z",
|
||||
"project_id": "976bf9"
|
||||
},
|
||||
{
|
||||
"domain_id": "be2c70",
|
||||
"issued_before": "2014-02-2805:15:59.999999Z",
|
||||
"user_id": "f287de"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
197
api/identity-api-v3-os-simple-certs-ext.rst
Normal file
197
api/identity-api-v3-os-simple-certs-ext.rst
Normal file
@ -0,0 +1,197 @@
|
||||
OpenStack Identity API v3 OS-SIMPLE-CERT Extension
|
||||
==================================================
|
||||
|
||||
When using Public Key Infrastructure (PKI) tokens with the identity
|
||||
service, users must have access to the signing certificate and the
|
||||
certificate authority's (CA) certificate for the token issuer in order
|
||||
to validate tokens. This extension provides a simple means of retrieving
|
||||
these certificates from an identity service.
|
||||
|
||||
API Resources
|
||||
-------------
|
||||
|
||||
Certificates
|
||||
------------
|
||||
|
||||
The identity server uses X.509 certificates to cryptographically sign
|
||||
issued tokens. Certificates are a public resource and can be shared.
|
||||
Typically when validating a certificate we would only require the
|
||||
issuing certificate authority's certificate however PKI tokens are
|
||||
distributed without including the original signing certificate in the
|
||||
message so this must be retrievable as well.
|
||||
|
||||
Certificates are provided in the Private Enchanced Mail (PEM) file
|
||||
format. Certificates in PEM files can be represented with or without the
|
||||
certificate data (examples shown). The represented certificate is for
|
||||
informative purposes and the only required information is presented
|
||||
between the ``-----BEGIN CERTIFICATE-----`` and
|
||||
``-----END CERTIFICATE-----`` tags.
|
||||
|
||||
API
|
||||
---
|
||||
|
||||
Retrieve CA certificate chain
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
GET /OS-SIMPLE-CERT/ca
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-SIMPLE-CERT/1.0/rel/ca_certificate``
|
||||
|
||||
Fetches the certificate chain used to authenticate signed tokens.
|
||||
|
||||
It is possible that a chain of certificates (more than one) is returned.
|
||||
In this case the chain should be used when validating a token.
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
Content-Type: application/x-pem-file
|
||||
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDgTCCAmmgAwIBAgIJAJpWjfJuWL+oMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNV
|
||||
BAYTAlVTMQ4wDAYDVQQIDAVVbnNldDEOMAwGA1UEBwwFVW5zZXQxDjAMBgNVBAoM
|
||||
BVVuc2V0MRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20wHhcNMTMxMjA5MDEzMDUw
|
||||
WhcNMjMxMjA3MDEzMDUwWjBXMQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVW5zZXQx
|
||||
DjAMBgNVBAcMBVVuc2V0MQ4wDAYDVQQKDAVVbnNldDEYMBYGA1UEAwwPd3d3LmV4
|
||||
YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxzQwzCPN
|
||||
3zMsUX6GwNcS9n/dJq4gzddClFB7ZgfVKOwdEVx/XX9w8wflFWq+JqqMA81ZtLFP
|
||||
w0fKJFISMSVH7TXPRp096cC41Nv5dCt0kfVChyUUKUGiEzvUU8WagU7uWE4Rj+6d
|
||||
CQvdbot0/5eDFJL90cj+Ck5dn/lqBxLSnHjTLLqHscpD+qOc6XL4JxCM1SOkS1LL
|
||||
aRPLksqyKZwz8R86yR/9FnIREGO52VDje0hYUwLw0TzurSi1QHuBB/aZ2aC7A79G
|
||||
YBBMo79amu8Oc4x+VzOxtY1hlrxYb1oV7SAcZgmPQKo8uwl47yqd5Ya85HC3AsVY
|
||||
HSGYjsHrTS8QlQIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTkjsL2
|
||||
BVqZImdt+VxEo+9b7fymQzAfBgNVHSMEGDAWgBTkjsL2BVqZImdt+VxEo+9b7fym
|
||||
QzANBgkqhkiG9w0BAQUFAAOCAQEAC7y75ST8tOFp6VOhTTdjGxGU+FJhKNikYCfw
|
||||
TL5bzjSpmzBXcy5ep+klxVtLyU0KJeuAwep9g6bPlYQP44vshsZEIH4EV5b9Ztzh
|
||||
FnKfd0jeP0GLhQiQYDkvpNAu/uMbT4+/3jhM3mJoslDZDl7x7MF4FQU0N7fzRj/Y
|
||||
/XNzA6DWllQs62Up5WcqQJes0NeTKXyLoDH9Mf1W7hLHWLxr5bY3xD2MdrdDTtp1
|
||||
KxPZVcFaBpI+hVHfi5jhLXBK0I8jgHqQLxjhp8TfIy6U4m4KpdlOvET2R55Lttrs
|
||||
SFP+fy+e3IO9wMXmQKQJdj3ArieW0hkmz9xTYIRm5vS494gi6Q==
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
Retrieve signing certificates
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
::
|
||||
|
||||
GET /OS-SIMPLE-CERT/certificates
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-SIMPLE-CERT/1.0/rel/certificates``
|
||||
|
||||
Fetches the certificates containing the public key for the private key
|
||||
that has been used to sign tokens.
|
||||
|
||||
In an environment with multiple token signers this call will return all
|
||||
valid certificates.
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
Content-Type: application/x-pem-file
|
||||
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 1 (0x1)
|
||||
Signature Algorithm: sha1WithRSAEncryption
|
||||
Issuer: C=US, ST=Unset, L=Unset, O=Unset, CN=www.example.com
|
||||
Validity
|
||||
Not Before: Dec 9 01:30:50 2013 GMT
|
||||
Not After : Dec 7 01:30:50 2023 GMT
|
||||
Subject: C=US, ST=Unset, O=Unset, CN=www.example.com
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
Public-Key: (2048 bit)
|
||||
Modulus:
|
||||
00:da:a1:9a:00:3f:52:16:63:87:f7:7c:fb:27:ef:
|
||||
04:7b:b3:f8:59:e3:d1:79:cc:22:af:f2:02:5c:d7:
|
||||
0f:e8:53:bd:5c:db:a4:93:98:62:25:ad:c9:6e:60:
|
||||
37:98:29:c6:e7:0b:3d:b6:64:f6:ad:58:96:e3:87:
|
||||
af:2a:a4:17:ef:31:3c:60:ef:97:27:db:5e:83:95:
|
||||
5b:4f:d6:4b:e8:34:c9:ff:d9:79:bc:f6:7c:db:dc:
|
||||
d4:91:1b:3d:61:53:54:95:7e:1d:71:dd:9d:cb:39:
|
||||
e3:ba:ed:39:f4:27:48:60:1b:8d:82:c8:65:e5:a1:
|
||||
30:ff:83:bc:84:e8:35:3a:a5:c2:27:7c:84:15:1b:
|
||||
91:27:34:44:9d:af:b1:cb:14:54:e0:52:d3:ce:b4:
|
||||
03:b7:4c:63:f7:aa:3f:1d:aa:17:ac:2b:81:ec:ad:
|
||||
e5:30:ac:fa:08:25:00:50:dc:0c:1c:bd:6c:38:eb:
|
||||
30:55:5a:e0:ca:11:a8:57:a5:db:65:78:5b:58:76:
|
||||
f4:01:52:87:4f:d5:a1:80:77:66:8a:2c:d8:77:92:
|
||||
11:49:b6:00:fd:28:85:80:23:d7:87:8a:50:15:7d:
|
||||
07:2a:6f:44:dc:83:cf:f1:67:5e:8a:9c:b7:2a:2e:
|
||||
f3:e9:4d:9a:33:9d:e5:1d:7d:3a:9b:ce:80:f4:78:
|
||||
d7:55
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Basic Constraints:
|
||||
CA:FALSE
|
||||
X509v3 Subject Key Identifier:
|
||||
D5:50:6E:6A:AA:8E:21:36:44:28:D4:AB:E4:D3:01:09:D7:BC:CB:73
|
||||
X509v3 Authority Key Identifier:
|
||||
keyid:E4:8E:C2:F6:05:5A:99:22:67:6D:F9:5C:44:A3:EF:5B:ED:FC:A6:43
|
||||
|
||||
Signature Algorithm: sha1WithRSAEncryption
|
||||
80:60:ef:84:25:e9:02:ea:1e:da:70:fe:0b:b6:15:69:27:15:
|
||||
0a:8e:5e:69:7b:b3:af:91:0e:78:08:37:98:56:be:eb:60:af:
|
||||
7e:6b:e3:62:eb:dc:86:9f:9b:20:81:32:75:05:32:c9:f7:7b:
|
||||
2b:32:00:10:83:07:a0:e2:f4:81:63:5e:50:e7:5b:00:67:a6:
|
||||
19:54:ea:31:9a:02:a8:f1:fa:92:5b:e1:13:23:a1:28:5c:8e:
|
||||
64:03:22:16:02:d2:a5:52:aa:34:39:ab:70:0c:46:77:53:5b:
|
||||
07:71:41:0a:0b:a8:76:2c:45:e6:38:3b:aa:ee:dc:ca:8b:2f:
|
||||
85:18:57:0a:e3:cf:3d:cc:a8:46:5a:4b:42:14:e8:66:10:8a:
|
||||
91:79:c1:2e:27:5f:b1:60:5a:d1:5e:d5:98:c7:11:fe:da:89:
|
||||
ee:7b:24:e4:19:7a:5f:56:ba:63:70:31:01:87:8d:7a:90:88:
|
||||
14:4f:a1:23:46:0e:3b:df:33:01:98:53:71:d6:f4:25:37:52:
|
||||
ff:43:b8:60:03:65:29:98:45:a8:da:62:a3:be:66:bf:59:68:
|
||||
2c:50:3d:de:36:e9:75:8a:d3:69:a2:74:3c:80:c1:fe:cf:53:
|
||||
4f:46:28:fe:f9:b0:a9:6a:db:2a:30:9a:e7:b5:c0:cc:0b:d6:
|
||||
39:b8:6b:ee
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDZjCCAk6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBXMQswCQYDVQQGEwJVUzEO
|
||||
MAwGA1UECAwFVW5zZXQxDjAMBgNVBAcMBVVuc2V0MQ4wDAYDVQQKDAVVbnNldDEY
|
||||
MBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMB4XDTEzMTIwOTAxMzA1MFoXDTIzMTIw
|
||||
NzAxMzA1MFowRzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVVuc2V0MQ4wDAYDVQQK
|
||||
DAVVbnNldDEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B
|
||||
AQEFAAOCAQ8AMIIBCgKCAQEA2qGaAD9SFmOH93z7J+8Ee7P4WePRecwir/ICXNcP
|
||||
6FO9XNukk5hiJa3JbmA3mCnG5ws9tmT2rViW44evKqQX7zE8YO+XJ9teg5VbT9ZL
|
||||
6DTJ/9l5vPZ829zUkRs9YVNUlX4dcd2dyznjuu059CdIYBuNgshl5aEw/4O8hOg1
|
||||
OqXCJ3yEFRuRJzREna+xyxRU4FLTzrQDt0xj96o/HaoXrCuB7K3lMKz6CCUAUNwM
|
||||
HL1sOOswVVrgyhGoV6XbZXhbWHb0AVKHT9WhgHdmiizYd5IRSbYA/SiFgCPXh4pQ
|
||||
FX0HKm9E3IPP8Wdeipy3Ki7z6U2aM53lHX06m86A9HjXVQIDAQABo00wSzAJBgNV
|
||||
HRMEAjAAMB0GA1UdDgQWBBTVUG5qqo4hNkQo1Kvk0wEJ17zLczAfBgNVHSMEGDAW
|
||||
gBTkjsL2BVqZImdt+VxEo+9b7fymQzANBgkqhkiG9w0BAQUFAAOCAQEAgGDvhCXp
|
||||
Auoe2nD+C7YVaScVCo5eaXuzr5EOeAg3mFa+62CvfmvjYuvchp+bIIEydQUyyfd7
|
||||
KzIAEIMHoOL0gWNeUOdbAGemGVTqMZoCqPH6klvhEyOhKFyOZAMiFgLSpVKqNDmr
|
||||
cAxGd1NbB3FBCguodixF5jg7qu7cyosvhRhXCuPPPcyoRlpLQhToZhCKkXnBLidf
|
||||
sWBa0V7VmMcR/tqJ7nsk5Bl6X1a6Y3AxAYeNepCIFE+hI0YOO98zAZhTcdb0JTdS
|
||||
/0O4YANlKZhFqNpio75mv1loLFA93jbpdYrTaaJ0PIDB/s9TT0Yo/vmwqWrbKjCa
|
||||
57XAzAvWObhr7g==
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
HTTP Status Codes
|
||||
~~~~~~~~~~~~~~~~~
|
||||
|
||||
The following codes are used to indicate success of failure conditions.
|
||||
|
||||
200 OK
|
||||
^^^^^^
|
||||
|
||||
Certificates are successfully found and returned.
|
||||
|
||||
403 Forbidden
|
||||
^^^^^^^^^^^^^
|
||||
|
||||
There are no certificates to be returned. This will typically indicate
|
||||
that keystone is using UUID tokens and therefore there are no
|
||||
certificates available.
|
||||
|
||||
500 Internal Server Error
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
An Error was produced on the server. A typical example is that the
|
||||
server is configured to use PKI tokens but is misconfigured and the
|
||||
certificates were unable to be found.
|
542
api/identity-api-v3-os-trust-ext.rst
Normal file
542
api/identity-api-v3-os-trust-ext.rst
Normal file
@ -0,0 +1,542 @@
|
||||
OpenStack Identity API v3 OS-TRUST Extension
|
||||
============================================
|
||||
|
||||
Trusts provide project-specific role delegation between users, with
|
||||
optional impersonation.
|
||||
|
||||
API Resources
|
||||
-------------
|
||||
|
||||
Trusts
|
||||
~~~~~~
|
||||
|
||||
A trust represents a user's (the *trustor*) authorization to delegate
|
||||
roles to another user (the *trustee*), and optionally allow the trustee
|
||||
to impersonate the trustor. After the trustor has created a trust, the
|
||||
trustee can specify the trust's ``id`` attribute as part of an
|
||||
authentication request to then create a token representing the delegated
|
||||
authority.
|
||||
|
||||
The trust contains constraints on the delegated attributes. A token
|
||||
created based on a trust will convey a subset of the trustor's roles on
|
||||
the specified project. Optionally, the trust may only be valid for a
|
||||
specified time period, as defined by ``expires_at``. If no
|
||||
``expires_at`` is specified, then the trust is valid until it is
|
||||
explicitly revoked.
|
||||
|
||||
The ``impersonation`` flag allows the trustor to optionally delegate
|
||||
impersonation abilities to the trustee. To services validating the
|
||||
token, the trustee will appear as the trustor, although the token will
|
||||
also contain the ``impersonation`` flag to indicate that this behavior
|
||||
is in effect.
|
||||
|
||||
A ``project_id`` may not be specified without at least one role, and
|
||||
vice versa. In other words, there is no way of implicitly delegating all
|
||||
roles to a trustee, in order to prevent users accidentally creating
|
||||
trust that are much more broad in scope than intended. A trust without a
|
||||
``project_id`` or any delegated roles is unscoped, and therefore does
|
||||
not represent authorization on a specific resource.
|
||||
|
||||
Trusts are immutable. If the trustee wishes to modify the attributes of
|
||||
the trust, they should create a new trust and delete the old trust. If a
|
||||
trust is deleted, any tokens generated based on the trust are
|
||||
immediately revoked.
|
||||
|
||||
If the trustor loses access to any delegated attributes, the trust
|
||||
becomes immediately invalid and any tokens generated based on the trust
|
||||
are immediately revoked.
|
||||
|
||||
Additional required attributes:
|
||||
|
||||
- ``trustor_user_id`` (string)
|
||||
|
||||
Represents the user who created the trust, and who's authorization is
|
||||
being delegated.
|
||||
|
||||
- ``trustee_user_id`` (string)
|
||||
|
||||
Represents the user who is capable of consuming the trust.
|
||||
|
||||
- ``impersonation``: (boolean)
|
||||
|
||||
If ``impersonation`` is set to ``true``, then the ``user`` attribute of
|
||||
tokens token's generated based on the trust will represent that of the
|
||||
trustor rather than the trustee, thus allowing the trustee to
|
||||
impersonate the trustor. If ``impersonation`` is set to ``false``, then
|
||||
the token's ``user`` attribute will represent that of the trustee.
|
||||
|
||||
Optional attributes:
|
||||
|
||||
- ``project_id`` (string)
|
||||
|
||||
Identifies the project upon which the trustor is delegating
|
||||
authorization.
|
||||
|
||||
- ``roles``: (list of objects)
|
||||
|
||||
Specifies the subset of the trustor's roles on the ``project_id`` to be
|
||||
granted to the trustee when the token in consumed. The trustor must
|
||||
already be granted these roles in the project referenced by the
|
||||
``project_id`` attribute.
|
||||
|
||||
Roles are only provided when the trust is created, and are subsequently
|
||||
available as a separate read-only collection. Each role can be specified
|
||||
by either ``id`` or ``name``.
|
||||
|
||||
- ``expires_at`` (string, ISO 8601 extended format date time with
|
||||
microseconds)
|
||||
|
||||
Specifies the expiration time of the trust. A trust may be revoked ahead
|
||||
of expiration. If the value represents a time in the past, the trust is
|
||||
deactivated.
|
||||
|
||||
- ``remaining_uses`` (integer or null)
|
||||
|
||||
Specifies how many times the trust can be used to obtain a token. This
|
||||
value is decreased each time a token is issued through the trust. Once
|
||||
it reaches 0, no further tokens will be issued through the trust. The
|
||||
default value is null, meaning there is no limit on the number of tokens
|
||||
issued through the trust.
|
||||
|
||||
Example entity:
|
||||
|
||||
::
|
||||
|
||||
{
|
||||
"trust": {
|
||||
"id": "987fe7",
|
||||
"impersonation": true,
|
||||
"project_id": "0f1233",
|
||||
"remaining_uses": null,
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/trusts/987fe7"
|
||||
},
|
||||
"trustee_user_id": "fea342",
|
||||
"trustor_user_id": "56aed3"
|
||||
}
|
||||
}
|
||||
|
||||
Tokens
|
||||
~~~~~~
|
||||
|
||||
Additional attributes:
|
||||
|
||||
- ``trust`` (object)
|
||||
|
||||
If present, indicates that the token was created based on a trust. This
|
||||
attribute identifies both the trustor and trustee, and indicates whether
|
||||
the token represents the trustee impersonating the trustor.
|
||||
|
||||
API
|
||||
---
|
||||
|
||||
Consuming a trust
|
||||
~~~~~~~~~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
POST /auth/tokens
|
||||
|
||||
Consuming a trust effectively assumes the scope as delegated in the
|
||||
trust. No other scope attributes may be specified.
|
||||
|
||||
The user specified by ``authentication`` must match the trust's
|
||||
``trustee_user_id`` attribute.
|
||||
|
||||
If the trust has the ``impersonation`` attribute set to ``true``, then
|
||||
the resulting token's ``user`` attribute will also represent the
|
||||
trustor, rather than the authenticating user (the trustee).
|
||||
|
||||
::
|
||||
|
||||
{
|
||||
"auth": {
|
||||
"identity": {
|
||||
"methods": [
|
||||
"token"
|
||||
],
|
||||
"token": {
|
||||
"id": "e80b74"
|
||||
}
|
||||
},
|
||||
"scope": {
|
||||
"OS-TRUST:trust": {
|
||||
"id": "de0945a"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
A token created from a trust will have a ``trust`` section containing
|
||||
the ``id`` of the trust, the ``impersonation`` flag, the
|
||||
``trustee_user_id`` and the ``trustor_user_id``. Example response:
|
||||
|
||||
::
|
||||
|
||||
Headers: X-Subject-Token
|
||||
|
||||
X-Subject-Token: e80b74
|
||||
|
||||
{
|
||||
"token": {
|
||||
"expires_at": "2013-02-27T18:30:59.999999Z",
|
||||
"issued_at": "2013-02-27T16:30:59.999999Z",
|
||||
"methods": [
|
||||
"password"
|
||||
],
|
||||
"OS-TRUST:trust": {
|
||||
"id": "fe0aef",
|
||||
"impersonation": false,
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/trusts/fe0aef"
|
||||
},
|
||||
"trustee_user": {
|
||||
"id": "0ca8f6",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/users/0ca8f6"
|
||||
}
|
||||
},
|
||||
"trustor_user": {
|
||||
"id": "bd263c",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/users/bd263c"
|
||||
}
|
||||
}
|
||||
},
|
||||
"user": {
|
||||
"domain": {
|
||||
"id": "1789d1",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/domains/1789d1"
|
||||
},
|
||||
"name": "example.com"
|
||||
},
|
||||
"email": "joe@example.com",
|
||||
"id": "0ca8f6",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/users/0ca8f6"
|
||||
},
|
||||
"name": "Joe"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Create trust
|
||||
~~~~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
POST /OS-TRUST/trusts
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trusts``
|
||||
|
||||
Request:
|
||||
|
||||
::
|
||||
|
||||
{
|
||||
"trust": {
|
||||
"expires_at": "2013-02-27T18:30:59.999999Z",
|
||||
"impersonation": true,
|
||||
"project_id": "ddef321",
|
||||
"roles": [
|
||||
{
|
||||
"name": "member"
|
||||
}
|
||||
],
|
||||
"trustee_user_id": "86c0d5",
|
||||
"trustor_user_id": "a0fdfd"
|
||||
}
|
||||
}
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 201 Created
|
||||
|
||||
{
|
||||
"trust": {
|
||||
"expires_at": "2013-02-27T18:30:59.999999Z",
|
||||
"id": "1ff900",
|
||||
"impersonation": true,
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/OS-TRUST/trusts/1ff900"
|
||||
},
|
||||
"project_id": "ddef321",
|
||||
"remaining_uses": null,
|
||||
"roles": [
|
||||
{
|
||||
"id": "ed7b78",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/roles/ed7b78"
|
||||
},
|
||||
"name": "member"
|
||||
}
|
||||
],
|
||||
"roles_links": {
|
||||
"next": null,
|
||||
"previous": null,
|
||||
"self": "http://identity:35357/v3/OS-TRUST/trusts/1ff900/roles"
|
||||
},
|
||||
"trustee_user_id": "86c0d5",
|
||||
"trustor_user_id": "a0fdfd"
|
||||
}
|
||||
}
|
||||
|
||||
List trusts
|
||||
~~~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
GET /OS-TRUST/trusts
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trusts``
|
||||
|
||||
query\_string: page (optional) query\_string: per\_page (optional,
|
||||
default 30) query filter for "trustee\_user\_id", "trustor\_user\_id"
|
||||
(optional)
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"trusts": [
|
||||
{
|
||||
"id": "1ff900",
|
||||
"expires_at": "2013-02-27T18:30:59.999999Z",
|
||||
"impersonation": true,
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/OS-TRUST/trusts/1ff900"
|
||||
},
|
||||
"project_id": "0f1233",
|
||||
"trustee_user_id": "86c0d5",
|
||||
"trustor_user_id": "a0fdfd"
|
||||
},
|
||||
{
|
||||
"id": "f4513a",
|
||||
"impersonation": true,
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/OS-TRUST/trusts/f4513a"
|
||||
},
|
||||
"project_id": "0f1233",
|
||||
"trustee_user_id": "86c0d5",
|
||||
"trustor_user_id": "3cd2ce"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
In order to list trusts for a given trustor, filter the collection using
|
||||
a query string (e.g., ``?trustor_user_id={user_id}``).
|
||||
|
||||
Request:
|
||||
|
||||
::
|
||||
|
||||
GET /OS-TRUST/trusts?trustor_user_id=a0fdfd
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"trusts": [
|
||||
{
|
||||
"id": "1ff900",
|
||||
"expires_at": "2013-02-27T18:30:59.999999Z",
|
||||
"impersonation": false,
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/OS-TRUST/trusts/1ff900"
|
||||
},
|
||||
"project_id": "0f1233",
|
||||
"trustee_user_id": "86c0d5",
|
||||
"trustor_user_id": "a0fdfd"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
In order to list trusts for a given trustee, filter the collection using
|
||||
a query string (e.g., ``?trustee_user_id={user_id}``).
|
||||
|
||||
Request:
|
||||
|
||||
::
|
||||
|
||||
GET /OS-TRUST/trusts?trustee_user_id=86c0d5
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"trusts": [
|
||||
{
|
||||
"id": "1ff900",
|
||||
"expires_at": "2013-02-27T18:30:59.999999Z",
|
||||
"impersonation": true,
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/OS-TRUST/trusts/1ff900"
|
||||
},
|
||||
"project_id": "0f1233",
|
||||
"trustee_user_id": "86c0d5",
|
||||
"trustor_user_id": "a0fdfd"
|
||||
},
|
||||
{
|
||||
"id": "f4513a",
|
||||
"impersonation": false,
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/OS-TRUST/trusts/f45513a"
|
||||
},
|
||||
"project_id": "0f1233",
|
||||
"trustee_user_id": "86c0d5",
|
||||
"trustor_user_id": "3cd2ce"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
Get trust
|
||||
~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
GET /OS-TRUST/trusts/{trust_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"trust": {
|
||||
"id": "987fe8",
|
||||
"expires_at": "2013-02-27T18:30:59.999999Z",
|
||||
"impersonation": true,
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/OS-TRUST/trusts/987fe8"
|
||||
},
|
||||
"roles": [
|
||||
{
|
||||
"id": "ed7b78",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/roles/ed7b78"
|
||||
},
|
||||
"name": "member"
|
||||
}
|
||||
],
|
||||
"roles_links": {
|
||||
"next": null,
|
||||
"previous": null,
|
||||
"self": "http://identity:35357/v3/OS-TRUST/trusts/1ff900/roles"
|
||||
},
|
||||
"project_id": "0f1233",
|
||||
"trustee_user_id": "be34d1",
|
||||
"trustor_user_id": "56ae32"
|
||||
}
|
||||
}
|
||||
|
||||
Delete trust
|
||||
~~~~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
DELETE /OS-TRUST/trusts/{trust_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 204 No Content
|
||||
|
||||
List roles delegated by a trust
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
GET /OS-TRUST/trusts/{trust_id}/roles
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust_roles``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"roles": [
|
||||
{
|
||||
"id": "c1648e",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/roles/c1648e"
|
||||
},
|
||||
"name": "manager"
|
||||
},
|
||||
{
|
||||
"id": "ed7b78",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/roles/ed7b78"
|
||||
},
|
||||
"name": "member"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
Check if role is delegated by a trust
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
HEAD /OS-TRUST/trusts/{trust_id}/roles/{role_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust_role``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
Get role delegated by a trust
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
::
|
||||
|
||||
GET /OS-TRUST/trusts/{trust_id}/roles/{role_id}
|
||||
|
||||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust_role``
|
||||
|
||||
Response:
|
||||
|
||||
::
|
||||
|
||||
Status: 200 OK
|
||||
|
||||
{
|
||||
"role": {
|
||||
"id": "c1648e",
|
||||
"links": {
|
||||
"self": "http://identity:35357/v3/roles/c1648e"
|
||||
},
|
||||
"name": "manager"
|
||||
}
|
||||
}
|
||||
|
4845
api/identity-api-v3.rst
Normal file
4845
api/identity-api-v3.rst
Normal file
File diff suppressed because it is too large
Load Diff
@ -38,6 +38,9 @@ Some notes about using this template:
|
||||
having to look at additional files which can not be viewed in gerrit. It
|
||||
will also allow inline feedback on the diagram itself.
|
||||
|
||||
If your spec has an impact on the HTTP API, propose the corresponding changes
|
||||
to the ``api/`` directory for review along with your spec.
|
||||
|
||||
Problem Description
|
||||
===================
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user