[api] set `is_admin_project` on tokens for admin project

This patch update api_doc to include 'is_admin_project' Change-Id: I7d8345ea75659f6397098979531edf286df69485 Closes-Bug:#1523012
2016-12-12 16:58:27 +08:00 · 2016-12-12 16:58:27 +08:00 · 1a004987a4
parent d11c2ca775
commit 1a004987a4
1 changed files with 9 additions and 0 deletions
--- a/api-ref/source/v3/authenticate-v3.inc
+++ b/api-ref/source/v3/authenticate-v3.inc
@ -39,6 +39,15 @@ After you obtain an authentication token, you can:

 - List revoked public key infrastructure (PKI) tokens.

+In v3.7 of the Identity API service, two new configuration options
+were added: ``[resource] admin_project_name`` and
+``[resource] admin_project_domain_name``. The options represent the
+project that only the cloud administrator should be able to access.
+When an authentication request for a token scoped to the admin project
+is processed, it will have an additional field in the token
+``{is_admin_project: True}``. The additional field can be used when
+writing policy rules that evaluate access control to APIs.
+
 The Identity API treats expired tokens as no longer valid tokens.
 The deployment determines how long expired tokens are stored.