From 9e845eaae0c20d56d437b48c0dea93ce45833ee0 Mon Sep 17 00:00:00 2001
From: Brant Knudson
Date: Fri, 13 Feb 2015 17:34:45 -0600
Subject: [PATCH] Document mapping of policy action to operation

There was no documentation that showed the mapping between the actions in the policy file to the REST operation. The mapping is now shown in the sample policy.json files.
DocImpact This info also needs to be in an admin guide.
Closes-Bug: 1424496
Change-Id: I7c973068ec1a62d39287f926b71ba61de0566f58
---
 etc/policy.json | 171 ++++++++++++++++++++++++++++++++-
 etc/policy.v3cloudsample.json | 175 ++++++++++++++++++++++++++++++++++
 2 files changed, 345 insertions(+), 1 deletion(-)
diff --git a/etc/policy.json b/etc/policy.json
index e7db5ea33c..aa965492bd 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -9,175 +9,344 @@ "default": "rule:admin_required", + "#": "GET /v3/regions/{region_id}", "identity:get_region": "", + "#": "GET /v3/regions", "identity:list_regions": "", + "#": "POST /v3/regions", "identity:create_region": "rule:admin_required", + "#": "PATCH /v3/regions/{region_id}", "identity:update_region": "rule:admin_required", + "#": "DELETE /v3/regions/{region_id}", "identity:delete_region": "rule:admin_required", + "#": "GET /v3/services/{service_id}", "identity:get_service": "rule:admin_required", + "#": "GET /v3/services", "identity:list_services": "rule:admin_required", + "#": "POST /v3/services", "identity:create_service": "rule:admin_required", + "#": "PATCH /v3/services/{service__id}", "identity:update_service": "rule:admin_required", + "#": "DELETE /v3/services/{service__id}", "identity:delete_service": "rule:admin_required", + "#": "GET /v3/endpoints/{endpoint_id}", "identity:get_endpoint": "rule:admin_required", + "#": "GET /v3/endpoints", "identity:list_endpoints": "rule:admin_required", + "#": "POST /v3/endpoints", "identity:create_endpoint": "rule:admin_required", + "#": "PATCH /v3/endpoints/{endpoint_id}", "identity:update_endpoint": "rule:admin_required", + "#": "DELETE /v3/endpoints/{endpoint_id}", "identity:delete_endpoint": "rule:admin_required", + "#": "GET /v3/domains/{domain_id}", "identity:get_domain": "rule:admin_required", + "#": "GET /v3/domains", "identity:list_domains": "rule:admin_required", + "#": "POST /v3/domains/{domain_id}", "identity:create_domain": "rule:admin_required", + "#": "PATCH /v3/domains/{domain_id}", "identity:update_domain": "rule:admin_required", + "#": "DELETE /v3/domains/{domain_id}", "identity:delete_domain": "rule:admin_required", + "#": "GET /v3/projects/{project_id}", "identity:get_project": "rule:admin_required", + "#": "GET /v3/projects", "identity:list_projects": "rule:admin_required", + "#": "GET /v3/users/{user_id}/projects", "identity:list_user_projects": "rule:admin_or_owner", + "#": "POST 
/v3/projects", "identity:create_project": "rule:admin_required", + "#": "PATCH /v3/projects/{project_id}", "identity:update_project": "rule:admin_required", + "#": "DELETE /v3/projects/{project_id}", "identity:delete_project": "rule:admin_required", + "#": "GET /v3/users/{user_id}", "identity:get_user": "rule:admin_required", + "#": "GET /v3/users", "identity:list_users": "rule:admin_required", + "#": "POST /v3/users", "identity:create_user": "rule:admin_required", + "#": "PATCH /v3/users/{user_id}", "identity:update_user": "rule:admin_required", + "#": "DELETE /v3/users/{user_id}", "identity:delete_user": "rule:admin_required", + "#": "POST /v3/users/{user_id}/password", "identity:change_password": "rule:admin_or_owner", + "#": "GET /v3/groups/{group_id}", "identity:get_group": "rule:admin_required", + "#": "GET /v3/groups", "identity:list_groups": "rule:admin_required", + "#": "GET /v3/users/{user_id}/groups", "identity:list_groups_for_user": "rule:admin_or_owner", + "#": "POST /v3/groups", "identity:create_group": "rule:admin_required", + "#": "PATCH /v3/groups/{group_id}", "identity:update_group": "rule:admin_required", + "#": "DELETE /v3/groups/{group_id}", "identity:delete_group": "rule:admin_required", + "#": "GET /v3/groups/{group_id}/users", "identity:list_users_in_group": "rule:admin_required", + "#": "DELETE /v3/groups/{group_id}/users/{user_id}", "identity:remove_user_from_group": "rule:admin_required", + "#": "GET /v3/groups/{group_id}/users/{user_id}", "identity:check_user_in_group": "rule:admin_required", + "#": "PUT /v3/groups/{group_id}/users/{user_id}", "identity:add_user_to_group": "rule:admin_required", + "#": "GET /v3/credentials/{credential_id}", "identity:get_credential": "rule:admin_required", + "#": "GET /v3/credentials", "identity:list_credentials": "rule:admin_required", + "#": "POST /v3/credentials", "identity:create_credential": "rule:admin_required", + "#": "PATCH /v3/credentials/{credential_id}", "identity:update_credential": 
"rule:admin_required", + "#": "DELETE /v3/credentials/{credential_id}", "identity:delete_credential": "rule:admin_required", + "#": "GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id}", "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", + "#": "GET /v3/users/{user_id}/credentials/OS-EC2", "identity:ec2_list_credentials": "rule:admin_or_owner", + "#": "POST /v3/users/{user_id}/credentials/OS-EC2", "identity:ec2_create_credential": "rule:admin_or_owner", + "#": "DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id}", "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)", + "#": "GET /v3/roles/{role_id}", "identity:get_role": "rule:admin_required", + "#": "GET /v3/roles", "identity:list_roles": "rule:admin_required", + "#": "POST /v3/roles", "identity:create_role": "rule:admin_required", + "#": "PATCH /v3/roles/{role_id}", "identity:update_role": "rule:admin_required", + "#": "DELETE /v3/roles/{role_id}", "identity:delete_role": "rule:admin_required", + "#": "grant_resources are:", + "#": " /v3/projects/{project_id}/users/{user_id}/roles/{role_id}", + "#": " /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}", + "#": " /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}", + "#": " /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}", + "#": " /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects", + "#": " /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects", + "#": " /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects", + "#": " /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects", + + "#": "grant_collections are:", + "#": " /v3/projects/{project_id}/users/{user_id}/roles", + "#": " /v3/projects/{project_id}/groups/{group_id}/roles", + "#": " 
/v3/domains/{domain_id}/users/{user_id}/roles", + "#": " /v3/domains/{domain_id}/groups/{group_id}/role", + "#": " /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects", + "#": " /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects", + + "#": "GET ", "identity:check_grant": "rule:admin_required", + "#": "GET ", "identity:list_grants": "rule:admin_required", + "#": "PUT ", "identity:create_grant": "rule:admin_required", + "#": "DELETE ", "identity:revoke_grant": "rule:admin_required", + "#": "GET /v3/role_assignments", "identity:list_role_assignments": "rule:admin_required", + "#": "GET /v3/policy/{policy_id}", "identity:get_policy": "rule:admin_required", + "#": "GET /v3/policy", "identity:list_policies": "rule:admin_required", + "#": "POST /v3/policy", "identity:create_policy": "rule:admin_required", + "#": "PATCH /v3/policy/{policy_id}", "identity:update_policy": "rule:admin_required", + "#": "DELETE /v3/policy/{policy_id}", "identity:delete_policy": "rule:admin_required", + "#": "HEAD /v3/auth/tokens", "identity:check_token": "rule:admin_required", + "#": "GET /v2.0/tokens/{token_id}", + "#": "GET /v3/auth/tokens", "identity:validate_token": "rule:service_or_admin", + "#": "HEAD /v2.0/tokens/{token_id}", "identity:validate_token_head": "rule:service_or_admin", + "#": "GET /v2.0/tokens/revoked", + "#": "GET /v3/auth/tokens/OS-PKI/revoked", "identity:revocation_list": "rule:service_or_admin", + "#": "DELETE /v3/auth/tokens", "identity:revoke_token": "rule:admin_or_token_subject", - + "#": "POST /v3/OS-TRUST/trusts", "identity:create_trust": "user_id:%(trust.trustor_user_id)s", + "#": "GET /v3/OS-TRUST/trusts/{trust_id}", "identity:get_trust": "rule:admin_or_owner", + "#": "GET /v3/OS-TRUST/trusts", "identity:list_trusts": "", + "#": "GET /v3/OS-TRUST/trusts/{trust_id}/roles", "identity:list_roles_for_trust": "", + "#": "GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}", "identity:get_role_for_trust": "", + 
"#": "DELETE /v3/OS-TRUST/trusts/{trust_id}", "identity:delete_trust": "", + "#": "POST /v3/OS-OAUTH1/consumers", "identity:create_consumer": "rule:admin_required", + "#": "GET /v3/OS-OAUTH1/consumers/{consumer_id}", "identity:get_consumer": "rule:admin_required", + "#": "GET /v3/OS-OAUTH1/consumers", "identity:list_consumers": "rule:admin_required", + "#": "DELETE /v3/OS-OAUTH1/consumers/{consumer_id}", "identity:delete_consumer": "rule:admin_required", + "#": "PATCH /v3/OS-OAUTH1/consumers/{consumer_id}", "identity:update_consumer": "rule:admin_required", + "#": "PUT /v3/OS-OAUTH1/authorize/{request_token_id}", "identity:authorize_request_token": "rule:admin_required", + "#": "GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles", "identity:list_access_token_roles": "rule:admin_required", + "#": "GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}", "identity:get_access_token_role": "rule:admin_required", + "#": "GET /v3/users/{user_id}/OS-OAUTH1/access_tokens", "identity:list_access_tokens": "rule:admin_required", + "#": "GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}", "identity:get_access_token": "rule:admin_required", + "#": "DELETE /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}", "identity:delete_access_token": "rule:admin_required", + "#": "GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects", "identity:list_projects_for_endpoint": "rule:admin_required", + "#": "PUT /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}", "identity:add_endpoint_to_project": "rule:admin_required", + "#": "GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}", "identity:check_endpoint_in_project": "rule:admin_required", + "#": "GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints", "identity:list_endpoints_for_project": "rule:admin_required", + "#": "DELETE /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}", "identity:remove_endpoint_from_project": 
"rule:admin_required", + "#": "POST /v3/OS-EP-FILTER/endpoint_groups", "identity:create_endpoint_group": "rule:admin_required", + "#": "GET /v3/OS-EP-FILTER/endpoint_groups", "identity:list_endpoint_groups": "rule:admin_required", + "#": "GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}", "identity:get_endpoint_group": "rule:admin_required", + "#": "PATCH /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}", "identity:update_endpoint_group": "rule:admin_required", + "#": "DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}", "identity:delete_endpoint_group": "rule:admin_required", + "#": "GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects", "identity:list_projects_associated_with_endpoint_group": "rule:admin_required", + "#": "GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints", "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required", + "#": "GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}", "identity:get_endpoint_group_in_project": "rule:admin_required", + "#": "PUT /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}", "identity:add_endpoint_group_to_project": "rule:admin_required", + "#": "DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}", "identity:remove_endpoint_group_from_project": "rule:admin_required", + "#": "PUT /v3/OS-FEDERATION/identity_providers/{idp_id}", "identity:create_identity_provider": "rule:admin_required", + "#": "GET /v3/OS-FEDERATION/identity_providers", "identity:list_identity_providers": "rule:admin_required", + "#": "GET /v3/OS-FEDERATION/identity_providers/{idp_id}", "identity:get_identity_providers": "rule:admin_required", + "#": "PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}", "identity:update_identity_provider": "rule:admin_required", + "#": "DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}", "identity:delete_identity_provider": "rule:admin_required", + "#": "PUT 
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}", "identity:create_protocol": "rule:admin_required", + "#": "PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}", "identity:update_protocol": "rule:admin_required", + "#": "GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}", "identity:get_protocol": "rule:admin_required", + "#": "GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols", "identity:list_protocols": "rule:admin_required", + "#": "DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}", "identity:delete_protocol": "rule:admin_required", + "#": "PUT /v3/OS-FEDERATION/mappings/{mapping_id}", "identity:create_mapping": "rule:admin_required", + "#": "GET /v3/OS-FEDERATION/mappings/{mapping_id}", "identity:get_mapping": "rule:admin_required", + "#": "GET /v3/OS-FEDERATION/mappings", "identity:list_mappings": "rule:admin_required", + "#": "DELETE /v3/OS-FEDERATION/mappings/{mapping_id}", "identity:delete_mapping": "rule:admin_required", + "#": "PATCH /v3/OS-FEDERATION/mappings/{mapping_id}", "identity:update_mapping": "rule:admin_required", + "#": "PUT /v3/OS-FEDERATION/service_providers/{sp_id}", "identity:create_service_provider": "rule:admin_required", + "#": "GET /v3/OS-FEDERATION/service_providers", "identity:list_service_providers": "rule:admin_required", + "#": "GET /v3/OS-FEDERATION/service_providers/{sp_id}", "identity:get_service_provider": "rule:admin_required", + "#": "PATCH /v3/OS-FEDERATION/service_providers/{sp_id}", "identity:update_service_provider": "rule:admin_required", + "#": "DELETE /v3/OS-FEDERATION/service_providers/{sp_id}", "identity:delete_service_provider": "rule:admin_required", + "#": "GET /v3/auth/catalog", "identity:get_auth_catalog": "", + "#": "GET /v3/auth/projects", "identity:get_auth_projects": "", + "#": "GET /v3/auth/domains", "identity:get_auth_domains": "", + "#": "GET /v3/OS-FEDERATION/projects", 
"identity:list_projects_for_groups": "", + "#": "GET /v3/OS-FEDERATION/domains", "identity:list_domains_for_groups": "", + "#": "GET /v3/OS-REVOKE/events", "identity:list_revoke_events": "", + "#": "PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}", "identity:create_policy_association_for_endpoint": "rule:admin_required", + "#": "GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}", "identity:check_policy_association_for_endpoint": "rule:admin_required", + "#": "DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}", "identity:delete_policy_association_for_endpoint": "rule:admin_required", + "#": "PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}", "identity:create_policy_association_for_service": "rule:admin_required", + "#": "GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}", "identity:check_policy_association_for_service": "rule:admin_required", + "#": "DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}", "identity:delete_policy_association_for_service": "rule:admin_required", + "#": "PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}", "identity:create_policy_association_for_region_and_service": "rule:admin_required", + "#": "GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}", "identity:check_policy_association_for_region_and_service": "rule:admin_required", + "#": "DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}", "identity:delete_policy_association_for_region_and_service": "rule:admin_required", + "#": "GET /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy", "identity:get_policy_for_endpoint": "rule:admin_required", + "#": "GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints", "identity:list_endpoints_for_policy": "rule:admin_required", + "#": "PUT /v3/domains/{domain_id}/config", 
"identity:create_domain_config": "rule:admin_required",
+ "#": "GET /v3/domains/{domain_id}/config",
+ "#": "GET /v3/domains/{domain_id}/config/{group}",
+ "#": "GET /v3/domains/{domain_id}/config/{group}/{option}",
 "identity:get_domain_config": "rule:admin_required",
+ "#": "PATCH /v3/domains/{domain_id}/config",
+ "#": "PATCH /v3/domains/{domain_id}/config/{group}",
+ "#": "PATCH /v3/domains/{domain_id}/config/{group}/{option}",
 "identity:update_domain_config": "rule:admin_required",
+ "#": "DELETE /v3/domains/{domain_id}/config",
+ "#": "DELETE /v3/domains/{domain_id}/config/{group}",
+ "#": "DELETE /v3/domains/{domain_id}/config/{group}/{option}",
 "identity:delete_domain_config": "rule:admin_required"
 }
diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json
index a15b33f239..489084e21e 100644
--- a/etc/policy.v3cloudsample.json
+++ b/etc/policy.v3cloudsample.json
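Review bot: The `"#"` pseudo-comments are the same key repeated well over a hundred times in a strict-JSON file, so the approach depends on the loader silently keeping the last duplicate; any validator that enforces unique names (I-JSON) or a stricter loader will reject policy.json outright, and the one surviving `#` entry (here `DELETE /v3/domains/{domain_id}/config/{group}/{option}`) is presumably handed to the policy rule parser as a rule literally named `#`, which cannot parse as a check — confirm this only logs and does not abort policy loading. Because operators will read these lines to decide which rule guards which request, the paths need to be exact: `"#": "POST /v3/domains/{domain_id}"` before `identity:create_domain` should read `"#": "POST /v3/domains"`, `{service__id}` on the update/delete service entries carries a stray underscore, and the four grant rules are annotated only as `"GET "`, `"PUT "` and `"DELETE "` with no indication of whether a grant_resources or grant_collections path applies. A one-line header such as `"#": "Lines keyed '#' are documentation only; the enforcer never consults them"` at the top of the object would make the convention explicit for anyone editing the file.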
@@ -10,185 +10,360 @@ "default": "rule:admin_required", + "#": "GET /v3/regions/{region_id}", "identity:get_region": "", + "#": "GET /v3/regions", "identity:list_regions": "", + "#": "POST /v3/regions", "identity:create_region": "rule:cloud_admin", + "#": "PATCH /v3/regions/{region_id}", "identity:update_region": "rule:cloud_admin", + "#": "DELETE /v3/regions/{region_id}", "identity:delete_region": "rule:cloud_admin", + "#": "GET /v3/services/{service_id}", "identity:get_service": "rule:admin_or_cloud_admin", + "#": "GET /v3/services", "identity:list_services": "rule:admin_or_cloud_admin", + "#": "POST /v3/services", "identity:create_service": "rule:cloud_admin", + "#": "PATCH /v3/services/{service__id}", "identity:update_service": "rule:cloud_admin", + "#": "DELETE /v3/services/{service__id}", "identity:delete_service": "rule:cloud_admin", + "#": "GET /v3/endpoints/{endpoint_id}", "identity:get_endpoint": "rule:admin_or_cloud_admin", + "#": "GET /v3/endpoints", "identity:list_endpoints": "rule:admin_or_cloud_admin", + "#": "POST /v3/endpoints", "identity:create_endpoint": "rule:cloud_admin", + "#": "PATCH /v3/endpoints/{endpoint_id}", "identity:update_endpoint": "rule:cloud_admin", + "#": "DELETE /v3/endpoints/{endpoint_id}", "identity:delete_endpoint": "rule:cloud_admin", + "#": "GET /v3/domains/{domain_id}", "identity:get_domain": "rule:cloud_admin", + "#": "GET /v3/domains", "identity:list_domains": "rule:cloud_admin", + "#": "POST /v3/domains/{domain_id}", "identity:create_domain": "rule:cloud_admin", + "#": "PATCH /v3/domains/{domain_id}", "identity:update_domain": "rule:cloud_admin", + "#": "DELETE /v3/domains/{domain_id}", "identity:delete_domain": "rule:cloud_admin", "admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s", "admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s", + + "#": "GET /v3/projects/{project_id}", "identity:get_project": 
"rule:cloud_admin or rule:admin_and_matching_target_project_domain_id", + "#": "GET /v3/projects", "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id", + "#": "GET /v3/users/{user_id}/projects", "identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id", + "#": "POST /v3/projects", "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id", + "#": "PATCH /v3/projects/{project_id}", "identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id", + "#": "DELETE /v3/projects/{project_id}", "identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id", "admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s", "admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s", + + "#": "GET /v3/users/{user_id}", "identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id", + "#": "GET /v3/users", "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id", + "#": "POST /v3/users", "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id", + "#": "PATCH /v3/users/{user_id}", "identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id", + "#": "DELETE /v3/users/{user_id}", "identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id", "admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s", "admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s", + + "#": "GET /v3/groups/{group_id}", "identity:get_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", + "#": "GET /v3/groups", "identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id", + "#": "GET /v3/users/{user_id}/groups", 
"identity:list_groups_for_user": "rule:owner or rule:admin_and_matching_domain_id", + "#": "POST /v3/groups", "identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id", + "#": "PATCH /v3/groups/{group_id}", "identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", + "#": "DELETE /v3/groups/{group_id}", "identity:delete_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", + "#": "GET /v3/groups/{group_id}/users", "identity:list_users_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", + "#": "DELETE /v3/groups/{group_id}/users/{user_id}", "identity:remove_user_from_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", + "#": "GET /v3/groups/{group_id}/users/{user_id}", "identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", + "#": "PUT /v3/groups/{group_id}/users/{user_id}", "identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id", + "#": "GET /v3/credentials/{credential_id}", "identity:get_credential": "rule:admin_required", + "#": "GET /v3/credentials", "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s", + "#": "POST /v3/credentials", "identity:create_credential": "rule:admin_required", + "#": "PATCH /v3/credentials/{credential_id}", "identity:update_credential": "rule:admin_required", + "#": "DELETE /v3/credentials/{credential_id}", "identity:delete_credential": "rule:admin_required", + "#": "GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id}", "identity:ec2_get_credential": "rule:admin_or_cloud_admin or (rule:owner and user_id:%(target.credential.user_id)s)", + "#": "GET /v3/users/{user_id}/credentials/OS-EC2", "identity:ec2_list_credentials": "rule:admin_or_cloud_admin or rule:owner", + "#": "POST /v3/users/{user_id}/credentials/OS-EC2", "identity:ec2_create_credential": "rule:admin_or_cloud_admin or 
rule:owner", + "#": "DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id}", "identity:ec2_delete_credential": "rule:admin_or_cloud_admin or (rule:owner and user_id:%(target.credential.user_id)s)", + "#": "GET /v3/roles/{role_id}", "identity:get_role": "rule:admin_or_cloud_admin", + "#": "GET /v3/roles", "identity:list_roles": "rule:admin_or_cloud_admin", + "#": "POST /v3/roles", "identity:create_role": "rule:cloud_admin", + "#": "PATCH /v3/roles/{role_id}", "identity:update_role": "rule:cloud_admin", + "#": "DELETE /v3/roles/{role_id}", "identity:delete_role": "rule:cloud_admin", + "#": "grant_resources are:", + "#": " /v3/projects/{project_id}/users/{user_id}/roles/{role_id}", + "#": " /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}", + "#": " /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}", + "#": " /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}", + "#": " /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects", + "#": " /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects", + "#": " /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects", + "#": " /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects", + + "#": "grant_collections are:", + "#": " /v3/projects/{project_id}/users/{user_id}/roles", + "#": " /v3/projects/{project_id}/groups/{group_id}/roles", + "#": " /v3/domains/{domain_id}/users/{user_id}/roles", + "#": " /v3/domains/{domain_id}/groups/{group_id}/role", + "#": " /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects", + "#": " /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects", + "domain_admin_for_grants": "rule:admin_required and (domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s)", "project_admin_for_grants": "rule:admin_required and project_id:%(project_id)s", + + "#": "GET ", 
"identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants", + "#": "GET ", "identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants", + "#": "PUT ", "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants", + "#": "DELETE ", "identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants", "admin_on_domain_filter" : "rule:cloud_admin or (rule:admin_required and domain_id:%(scope.domain.id)s)", "admin_on_project_filter" : "rule:cloud_admin or (rule:admin_required and project_id:%(scope.project.id)s)", + + "#": "GET /v3/role_assignments", "identity:list_role_assignments": "rule:admin_on_domain_filter or rule:admin_on_project_filter", + "#": "GET /v3/policy/{policy_id}", "identity:get_policy": "rule:cloud_admin", + "#": "GET /v3/policy", "identity:list_policies": "rule:cloud_admin", + "#": "POST /v3/policy", "identity:create_policy": "rule:cloud_admin", + "#": "PATCH /v3/policy/{policy_id}", "identity:update_policy": "rule:cloud_admin", + "#": "DELETE /v3/policy/{policy_id}", "identity:delete_policy": "rule:cloud_admin", + "#": "POST /v3/users/{user_id}/password", "identity:change_password": "rule:owner", + "#": "HEAD /v3/auth/tokens", "identity:check_token": "rule:admin_or_owner", + "#": "GET /v2.0/tokens/{token_id}", + "#": "GET /v3/auth/tokens", "identity:validate_token": "rule:service_or_admin", + "#": "HEAD /v2.0/tokens/{token_id}", "identity:validate_token_head": "rule:service_or_admin", + "#": "GET /v2.0/tokens/revoked", + "#": "GET /v3/auth/tokens/OS-PKI/revoked", "identity:revocation_list": "rule:service_or_admin", + "#": "DELETE /v3/auth/tokens", "identity:revoke_token": "rule:admin_or_owner", + "#": "POST /v3/OS-TRUST/trusts", "identity:create_trust": "user_id:%(trust.trustor_user_id)s", + "#": "GET /v3/OS-TRUST/trusts/{trust_id}", "identity:get_trust": 
"rule:admin_or_owner", + "#": "GET /v3/OS-TRUST/trusts", "identity:list_trusts": "", + "#": "GET /v3/OS-TRUST/trusts/{trust_id}/roles", "identity:list_roles_for_trust": "", + "#": "GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}", "identity:get_role_for_trust": "", + "#": "DELETE /v3/OS-TRUST/trusts/{trust_id}", "identity:delete_trust": "", + "#": "POST /v3/OS-OAUTH1/consumers", "identity:create_consumer": "rule:admin_required", + "#": "GET /v3/OS-OAUTH1/consumers/{consumer_id}", "identity:get_consumer": "rule:admin_required", + "#": "GET /v3/OS-OAUTH1/consumers", "identity:list_consumers": "rule:admin_required", + "#": "DELETE /v3/OS-OAUTH1/consumers/{consumer_id}", "identity:delete_consumer": "rule:admin_required", + "#": "PATCH /v3/OS-OAUTH1/consumers/{consumer_id}", "identity:update_consumer": "rule:admin_required", + "#": "PUT /v3/OS-OAUTH1/authorize/{request_token_id}", "identity:authorize_request_token": "rule:admin_required", + "#": "GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles", "identity:list_access_token_roles": "rule:admin_required", + "#": "GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}", "identity:get_access_token_role": "rule:admin_required", + "#": "GET /v3/users/{user_id}/OS-OAUTH1/access_tokens", "identity:list_access_tokens": "rule:admin_required", + "#": "GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}", "identity:get_access_token": "rule:admin_required", + "#": "DELETE /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}", "identity:delete_access_token": "rule:admin_required", + "#": "GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects", "identity:list_projects_for_endpoint": "rule:admin_required", + "#": "PUT /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}", "identity:add_endpoint_to_project": "rule:admin_required", + "#": "GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}", "identity:check_endpoint_in_project": 
"rule:admin_required", + "#": "GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints", "identity:list_endpoints_for_project": "rule:admin_required", + "#": "DELETE /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}", "identity:remove_endpoint_from_project": "rule:admin_required", + "#": "POST /v3/OS-EP-FILTER/endpoint_groups", "identity:create_endpoint_group": "rule:admin_required", + "#": "GET /v3/OS-EP-FILTER/endpoint_groups", "identity:list_endpoint_groups": "rule:admin_required", + "#": "GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}", "identity:get_endpoint_group": "rule:admin_required", + "#": "PATCH /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}", "identity:update_endpoint_group": "rule:admin_required", + "#": "DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}", "identity:delete_endpoint_group": "rule:admin_required", + "#": "GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects", "identity:list_projects_associated_with_endpoint_group": "rule:admin_required", + "#": "GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints", "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required", + "#": "GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}", "identity:get_endpoint_group_in_project": "rule:admin_required", + "#": "PUT /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}", "identity:add_endpoint_group_to_project": "rule:admin_required", + "#": "DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}", "identity:remove_endpoint_group_from_project": "rule:admin_required", + "#": "PUT /v3/OS-FEDERATION/identity_providers/{idp_id}", "identity:create_identity_provider": "rule:cloud_admin", + "#": "GET /v3/OS-FEDERATION/identity_providers", "identity:list_identity_providers": "rule:cloud_admin", + "#": "GET /v3/OS-FEDERATION/identity_providers/{idp_id}", "identity:get_identity_providers": "rule:cloud_admin", + 
"#": "PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}", "identity:update_identity_provider": "rule:cloud_admin", + "#": "DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}", "identity:delete_identity_provider": "rule:cloud_admin", + "#": "PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}", "identity:create_protocol": "rule:cloud_admin", + "#": "PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}", "identity:update_protocol": "rule:cloud_admin", + "#": "GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}", "identity:get_protocol": "rule:cloud_admin", + "#": "GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols", "identity:list_protocols": "rule:cloud_admin", + "#": "DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}", "identity:delete_protocol": "rule:cloud_admin", + "#": "PUT /v3/OS-FEDERATION/mappings/{mapping_id}", "identity:create_mapping": "rule:cloud_admin", + "#": "GET /v3/OS-FEDERATION/mappings/{mapping_id}", "identity:get_mapping": "rule:cloud_admin", + "#": "GET /v3/OS-FEDERATION/mappings", "identity:list_mappings": "rule:cloud_admin", + "#": "DELETE /v3/OS-FEDERATION/mappings/{mapping_id}", "identity:delete_mapping": "rule:cloud_admin", + "#": "PATCH /v3/OS-FEDERATION/mappings/{mapping_id}", "identity:update_mapping": "rule:cloud_admin", + "#": "PUT /v3/OS-FEDERATION/service_providers/{sp_id}", "identity:create_service_provider": "rule:cloud_admin", + "#": "GET /v3/OS-FEDERATION/service_providers", "identity:list_service_providers": "rule:cloud_admin", + "#": "GET /v3/OS-FEDERATION/service_providers/{sp_id}", "identity:get_service_provider": "rule:cloud_admin", + "#": "PATCH /v3/OS-FEDERATION/service_providers/{sp_id}", "identity:update_service_provider": "rule:cloud_admin", + "#": "DELETE /v3/OS-FEDERATION/service_providers/{sp_id}", "identity:delete_service_provider": "rule:cloud_admin", + "#": "GET /v3/auth/catalog", "identity:get_auth_catalog": 
"",
+ "#": "GET /v3/auth/projects",
 "identity:get_auth_projects": "",
+ "#": "GET /v3/auth/domains",
 "identity:get_auth_domains": "",
+ "#": "GET /v3/OS-FEDERATION/projects",
 "identity:list_projects_for_groups": "",
+ "#": "GET /v3/OS-FEDERATION/domains",
 "identity:list_domains_for_groups": "",
+ "#": "GET /v3/OS-REVOKE/events",
 "identity:list_revoke_events": "",
+ "#": "PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}",
 "identity:create_policy_association_for_endpoint": "rule:cloud_admin",
+ "#": "GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}",
 "identity:check_policy_association_for_endpoint": "rule:cloud_admin",
+ "#": "DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}",
 "identity:delete_policy_association_for_endpoint": "rule:cloud_admin",
+ "#": "PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}",
 "identity:create_policy_association_for_service": "rule:cloud_admin",
+ "#": "GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}",
 "identity:check_policy_association_for_service": "rule:cloud_admin",
+ "#": "DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}",
 "identity:delete_policy_association_for_service": "rule:cloud_admin",
+ "#": "PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}",
 "identity:create_policy_association_for_region_and_service": "rule:cloud_admin",
+ "#": "GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}",
 "identity:check_policy_association_for_region_and_service": "rule:cloud_admin",
+ "#": "DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}",
 "identity:delete_policy_association_for_region_and_service": "rule:cloud_admin",
+ "#": "GET /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy",
 "identity:get_policy_for_endpoint": "rule:cloud_admin",
+ "#": "GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints",
 "identity:list_endpoints_for_policy": "rule:cloud_admin",
+ "#": "PUT /v3/domains/{domain_id}/config",
 "identity:create_domain_config": "rule:cloud_admin",
+ "#": "GET /v3/domains/{domain_id}/config",
+ "#": "GET /v3/domains/{domain_id}/config/{group}",
+ "#": "GET /v3/domains/{domain_id}/config/{group}/{option}",
 "identity:get_domain_config": "rule:cloud_admin",
+ "#": "PATCH /v3/domains/{domain_id}/config",
+ "#": "PATCH /v3/domains/{domain_id}/config/{group}",
+ "#": "PATCH /v3/domains/{domain_id}/config/{group}/{option}",
 "identity:update_domain_config": "rule:cloud_admin",
+ "#": "DELETE /v3/domains/{domain_id}/config",
+ "#": "DELETE /v3/domains/{domain_id}/config/{group}",
+ "#": "DELETE /v3/domains/{domain_id}/config/{group}/{option}",
 "identity:delete_domain_config": "rule:cloud_admin"
 }
