Update documentation to reflect system-scope
This patch takes a first pass at including system-scope token in the authentication/authorization documentation. bp system-scope Change-Id: I3f334bfe8286d3863610582e4c3d5942b755987d
This commit is contained in:
parent
c2b93dcb36
commit
f5322a850e
api-ref/source/v3
doc/source
@ -4,25 +4,20 @@
|
|||||||
Authentication and token management
|
Authentication and token management
|
||||||
=====================================
|
=====================================
|
||||||
|
|
||||||
In exchange for a set of authentication credentials, the Identity
|
The Identity service generates tokens in exchange for authentication
|
||||||
service generates tokens. A token represents the authenticated
|
credentials. A token represents the authenticated identity of a user and,
|
||||||
identity of a user and, optionally, grants authorization on a
|
optionally, grants authorization on a specific project, domain, or the
|
||||||
specific project or domain.
|
deployment system.
|
||||||
|
|
||||||
The body of an authentication request must include a payload that
|
The body of an authentication request must include a payload that
|
||||||
specifies the authentication method, which is ``password`` or
|
specifies the authentication method, which is ``password`` or
|
||||||
``token``, the credentials, and, optionally, the authorization
|
``token``, the credentials, and, optionally, the authorization
|
||||||
scope. You can scope a token to a project or domain, or the token
|
scope. You can scope a token to a project, domain, the deployment system, or
|
||||||
can be unscoped. You cannot scope a token to both a project and
|
the token can be unscoped. You cannot scope a token to multiple scope targets.
|
||||||
domain.
|
|
||||||
|
|
||||||
Tokens have IDs, which the Identity API returns in the
|
Tokens have IDs, which the Identity API returns in the
|
||||||
``X-Subject-Token`` response header.
|
``X-Subject-Token`` response header.
|
||||||
|
|
||||||
Also, validates an authentication token and lists the domains,
|
|
||||||
projects, roles, and endpoints to which the token gives access.
|
|
||||||
Forces the immediate revocation of a token.
|
|
||||||
|
|
||||||
After you obtain an authentication token, you can:
|
After you obtain an authentication token, you can:
|
||||||
|
|
||||||
- Make REST API requests to other OpenStack services. You supply the
|
- Make REST API requests to other OpenStack services. You supply the
|
||||||
@ -48,8 +43,12 @@ is processed, it will have an additional field in the token
|
|||||||
``{is_admin_project: True}``. The additional field can be used when
|
``{is_admin_project: True}``. The additional field can be used when
|
||||||
writing policy rules that evaluate access control to APIs.
|
writing policy rules that evaluate access control to APIs.
|
||||||
|
|
||||||
The Identity API treats expired tokens as no longer valid tokens.
|
Alternatively, in v3.10 the Identity API service introduced the concept of
|
||||||
The deployment determines how long expired tokens are stored.
|
system role assignments and system-scoped tokens. APIs that affect the
|
||||||
|
deployment system require system-scoped tokens.
|
||||||
|
|
||||||
|
The Identity API considers expired tokens as invalid, which is determined by
|
||||||
|
the deployment's configuration.
|
||||||
|
|
||||||
These authentication errors can occur:
|
These authentication errors can occur:
|
||||||
|
|
||||||
@ -231,6 +230,7 @@ Parameters
|
|||||||
- token: token
|
- token: token
|
||||||
- expires_at: expires_at
|
- expires_at: expires_at
|
||||||
- project: project
|
- project: project
|
||||||
|
- system: system
|
||||||
- issued_at: issued_at
|
- issued_at: issued_at
|
||||||
- catalog: catalog
|
- catalog: catalog
|
||||||
- user: user
|
- user: user
|
||||||
|
@ -1469,9 +1469,9 @@ roles:
|
|||||||
type: array
|
type: array
|
||||||
scope_string:
|
scope_string:
|
||||||
description: |
|
description: |
|
||||||
The authorization scope, including either a project or
|
The authorization scope, including the system (Since v3.10), a
|
||||||
a domain (Since v3.4). If both a domain and a project are
|
project, or a domain (Since v3.4). If both a domain and a project
|
||||||
specified, an HTTP 400 Bad Request will be returned, as a
|
are specified, an HTTP ``400 Bad Request`` will be returned, as a
|
||||||
token cannot be simultaneously scoped to both a project
|
token cannot be simultaneously scoped to both a project
|
||||||
and a domain. An ID is sufficient to uniquely identify
|
and a domain. An ID is sufficient to uniquely identify
|
||||||
a project but if a project is specified by name, then
|
a project but if a project is specified by name, then
|
||||||
@ -1572,6 +1572,12 @@ signed:
|
|||||||
in: body
|
in: body
|
||||||
required: true
|
required: true
|
||||||
type: string
|
type: string
|
||||||
|
system:
|
||||||
|
description: |
|
||||||
|
A ``system`` object.
|
||||||
|
in: body
|
||||||
|
required: false
|
||||||
|
type: object
|
||||||
system_roles_response_body:
|
system_roles_response_body:
|
||||||
description: |
|
description: |
|
||||||
A list of ``role`` objects containing ``domain_id``, ``id``, ``links``,
|
A list of ``role`` objects containing ``domain_id``, ``id``, ``links``,
|
||||||
@ -1579,6 +1585,14 @@ system_roles_response_body:
|
|||||||
in: body
|
in: body
|
||||||
required: true
|
required: true
|
||||||
type: array
|
type: array
|
||||||
|
system_scope_string:
|
||||||
|
description: |
|
||||||
|
Authorization scope specific to the deployment system (Since v3.10).
|
||||||
|
Specifying a project or domain scope in addition to system scope results
|
||||||
|
in an HTTP ``400 Bad Request``.
|
||||||
|
in: body
|
||||||
|
required: false
|
||||||
|
type: string
|
||||||
token:
|
token:
|
||||||
description: |
|
description: |
|
||||||
A ``token`` object.
|
A ``token`` object.
|
||||||
|
@ -0,0 +1,23 @@
|
|||||||
|
{
|
||||||
|
"auth": {
|
||||||
|
"identity": {
|
||||||
|
"methods": [
|
||||||
|
"password"
|
||||||
|
],
|
||||||
|
"password": {
|
||||||
|
"user": {
|
||||||
|
"name": "admin",
|
||||||
|
"domain": {
|
||||||
|
"name": "Default"
|
||||||
|
},
|
||||||
|
"password": "devstacker"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"scope": {
|
||||||
|
"system": {
|
||||||
|
"all": true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
@ -11,10 +11,12 @@ deployment characteristics.
|
|||||||
Authorization scopes
|
Authorization scopes
|
||||||
--------------------
|
--------------------
|
||||||
|
|
||||||
Tokens can express your authorization in different scopes. You likely have
|
Tokens are used to relay information about your user's role assignments. It's
|
||||||
different sets of roles, in different projects, and in different domains.
|
not uncommon for a user to have multiple role assignments, sometimes spanning
|
||||||
While tokens always express your identity, they may only ever express one set
|
projects, domains, or the entire system. These are referred to as authorization
|
||||||
of roles in one authorization scope at a time.
|
scopes, where a token has a single scope of operation. For example, a token
|
||||||
|
scoped to a project can't be reused to do something else in a different
|
||||||
|
project.
|
||||||
|
|
||||||
Each level of authorization scope is useful for certain types of operations in
|
Each level of authorization scope is useful for certain types of operations in
|
||||||
certain OpenStack services, and are not interchangeable.
|
certain OpenStack services, and are not interchangeable.
|
||||||
@ -39,9 +41,9 @@ The following conditions must be met to receive an unscoped token:
|
|||||||
Project-scoped tokens
|
Project-scoped tokens
|
||||||
~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
Project-scoped tokens are the bread and butter of OpenStack. They express your
|
Project-scoped tokens express your authorization to operate in a specific
|
||||||
authorization to operate in a specific tenancy of the cloud and are useful to
|
tenancy of the cloud and are useful to authenticate yourself when working with
|
||||||
authenticate yourself when working with most other services.
|
most other services.
|
||||||
|
|
||||||
They contain a service catalog, a set of roles, and details of the project upon
|
They contain a service catalog, a set of roles, and details of the project upon
|
||||||
which you have authorization.
|
which you have authorization.
|
||||||
@ -49,11 +51,11 @@ which you have authorization.
|
|||||||
Domain-scoped tokens
|
Domain-scoped tokens
|
||||||
~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
Domain-scoped tokens also have limited use cases in OpenStack. They express
|
Domain-scoped tokens have limited use cases in OpenStack. They express your
|
||||||
your authorization to operate a domain-level, above that of the user and
|
authorization to operate a domain-level, above that of the user and projects
|
||||||
projects contained therein (typically as a domain-level administrator).
|
contained therein (typically as a domain-level administrator). Depending on
|
||||||
Depending on Keystone's configuration, they are useful for working with a
|
Keystone's configuration, they are useful for working with a single domain in
|
||||||
single domain in Keystone.
|
Keystone.
|
||||||
|
|
||||||
They contain a limited service catalog (only those services which do not
|
They contain a limited service catalog (only those services which do not
|
||||||
explicitly require per-project endpoints), a set of roles, and details of the
|
explicitly require per-project endpoints), a set of roles, and details of the
|
||||||
@ -63,6 +65,16 @@ They can also be used to work with domain-level concerns in other services,
|
|||||||
such as to configure domain-wide quotas that apply to all users or projects in
|
such as to configure domain-wide quotas that apply to all users or projects in
|
||||||
a specific domain.
|
a specific domain.
|
||||||
|
|
||||||
|
System-scoped tokens
|
||||||
|
~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
There are APIs across OpenStack that fit nicely within the concept of a project
|
||||||
|
or domain, but there are also APIs that affect the entire deployment system
|
||||||
|
(e.g. modifying endpoints, service management, or listing information about
|
||||||
|
hypervisors). These operations require the use of a system-scoped token, which
|
||||||
|
represents the role assignments a user has to operate on the deployment as a
|
||||||
|
whole.
|
||||||
|
|
||||||
Token providers
|
Token providers
|
||||||
---------------
|
---------------
|
||||||
|
|
||||||
|
@ -68,6 +68,15 @@ cli=openstack --os-username=<username> --os-user-domain-name=<domain>
|
|||||||
driver-impl-uuid=complete
|
driver-impl-uuid=complete
|
||||||
driver-impl-fernet=complete
|
driver-impl-fernet=complete
|
||||||
|
|
||||||
|
[operation.create_system_token]
|
||||||
|
title=Create system-scoped token
|
||||||
|
status=mandatory
|
||||||
|
notes=All token providers must be capable of issuing system-scoped tokens.
|
||||||
|
cli=openstack --os-username=<username> --os-user-domain-name=<domain>
|
||||||
|
--os-system token issue
|
||||||
|
driver-impl-uuid=complete
|
||||||
|
driver-impl-fernet=complete
|
||||||
|
|
||||||
[operation.create_project_scoped_token]
|
[operation.create_project_scoped_token]
|
||||||
title=Create project-scoped token
|
title=Create project-scoped token
|
||||||
status=mandatory
|
status=mandatory
|
||||||
|
@ -481,14 +481,15 @@ What is Scope?
|
|||||||
|
|
||||||
Scope is an overloaded term.
|
Scope is an overloaded term.
|
||||||
|
|
||||||
In reference to authenticating, as seen above, scope refers to the portion
|
In reference to authenticating, as seen above, scope refers to the portion of
|
||||||
of the POST data that dictates what ``Resource`` (project or domain) the user
|
the POST data that dictates what ``Resource`` (project, domain, or system) the
|
||||||
wants to access.
|
user wants to access.
|
||||||
|
|
||||||
In reference to tokens, scope refers to the effectiveness of a token,
|
In reference to tokens, scope refers to the effectiveness of a token,
|
||||||
i.e.: a `project-scoped` token is only useful on the project it was initially
|
i.e.: a `project-scoped` token is only useful on the project it was initially
|
||||||
granted for. A `domain-scoped` token may be used to perform domain-related
|
granted for. A `domain-scoped` token may be used to perform domain-related
|
||||||
function.
|
function. A `system-scoped` token is only useful for interacting with APIs that
|
||||||
|
affect the entire deployment.
|
||||||
|
|
||||||
In reference to users, groups, and projects, scope often refers to the domain
|
In reference to users, groups, and projects, scope often refers to the domain
|
||||||
that the entity is owned by. i.e.: a user in domain X is scoped to domain X.
|
that the entity is owned by. i.e.: a user in domain X is scoped to domain X.
|
||||||
|
Loading…
Reference in New Issue
Block a user