Only x-auth-token is required for these api calls, but the
api-ref mentions x-subject-token as required also.
This fixes that by removing x-subject-token from the call docs.
Change-Id: I26342250c74918c21fce951bf0706d50141aa58c
Closes-Bug: 1673301

Currently the api ref states the return code for
GET /v3/auth/catalog returns 204 no content. However
after testing the return code is 200 ok. This commit
updates api-ref to correct return code.
Change-Id: I5f1049b565b1e11fb6e748b43ae9dfe1e16250a6
Closes-Bug: 1670380

Only x-auth-token is required for these api calls, but the
api-ref mentions x-subject-token as required also.
This fixes that by removing x-subject-token from the call docs.
Change-Id: Ib30a71b81939b11363aced4aecd545049c210380
Closes-Bug: 1667194

This patch removes any unused parameters in the v2 and v3 APIs.
In order to find which parameters were unused, I wrote a script
that found all the parameters used in the `parameters.yaml` files,
then it searched the same api directory (ex: v3/, v3-ext/, etc.)
for any reference to these parameters. Anything unreferenced was
flagged and then removed.
Script: http://cdn.pasteraw.com/8cdh0e76aqhtliuh874veautr7as8k7
Change-Id: I1558ac94e1041f9fbb1d6713b394c4f97f997ada

Some parameters of similar name would follow the convention
such as `region_id` and `region_id_1` which gave no good
information as to the differences.
This patch changes these names to help give such information.
Change-Id: I2dec61ed06042990ff54e86c02dc3fca9d566366

As per the bug, 'name' and 'nme' are not part of the 'endpoint'
table and were being assigned to the 'extras' column. This is
why they are not being validated.
The endpoint docs also show that `region_id` is not optional, even
though it is. This updates the docs to reflect optional `region_id`.
Closes-Bug: #1579014
Change-Id: I085b75c59767eb96b3bdfe3b887e5e2639122a34

The openstack.org pages now support https and our references to
the site should by default be one signed by the organization.
Change-Id: I30a462e03d1fd7852511e22cac34c6bc0e8917f4

There were a couple comments about making minor changes in the patch
set for changing change_password to not require a token. These comments
mentioned fixing the wording on the change_user api-ref note and
adding an additional assertion for one of the added unit tests.
https://review.openstack.org/#/c/404022/
This change corrects the wording in the api-ref note for
change_password about not needing an authentication token and
adds an additional assertion for changing an expired password to
verify that once an expired password is successfully changed, the
user is able to authenticate and create a token.
Change-Id: I8e557d344ee77e0c9c28391d3ef09913bd87fef6

This patch adds filters to list_user that enable the user to query for
unique_id, idp_id, protocol_id, or a mix of these to get back the
corresponding users of the federated attributes.
Partially-Implements: bp support-federated-attr
Change-Id: Iea5681791e521e9b8d96137fe30c388c10a02b30

Currently, if a user's password expires, they must contact an
administrator in order to have their password reset for them.
This change allows a user to perform the change_password call
without a token, which will allow a user with an expired password
to change it if they are using PCI-DSS related features. This
removes the issue of needing an administrator to reset any
user's password that has expired.
Also updated the api-ref with the related changes.
Change-Id: I4d3421c56642cfdbb25cb33b3aaaacbac4c64dd1
Closes-Bug: #1641645

The token issue response has timestamps like this:
"issued_at": "2017-01-03T22:42:55.000000Z"
"expires_at": "2017-01-03T23:42:55.000000Z"
Which didn't match the format documented in the API spec (the
response has subsecond precision and Z rather than ±HHMM).
Change-Id: I1deeac1776a7716ee66d187d1c1c7c1f5b02235f
Closes-Bug: 1634568

The v3 API spec for tokens documents the format of timestamps.
It says the format is like "CCYY-MM-DDThh:mm:ss±hh:mm".
By this, the timestamps returned by keystone like this:
2016-12-13T15:33:12+0000
Change-Id: I616865c1b12457487c4aeb5b8e907ca01cb79ef9
Closes-Bug: #1634568

New proposal on how we document the password_expires_at query.
bp pci-dss-query-password-expired-users
Co-Authored-By: Samuel Pilla <sp516w@att.com>
Change-Id: I81facd0a84f5c05f72294eb1a143c7632b2406e1

The api documentation for the following queries:
/v3/users?password_expires_at={operator}:{timestamp}
/v3/groups/{group_id}/users?password_expires_at={operator}:{timestamp}
The acceptable operators are lt, lte, gt, gte, eq, and neq.
They allow for querying for a range of timestamps rather than
an exact time for password expiration.
Examples:
- GET /v3/users?password_expires_at=lt:2016-11-06T15:32:17Z
- GET /v3/groups/079c578fd99b428ab61fcd4c9bd88ecd/users?password_expires_at=gt:2016-12-08T22:02:00Z
Partially-Implements: bp pci-dss-query-password-expired-users
Parent-Id: If0b9cc3c8af92b2ea5d41a0e8afeb78e12b7689c
Change-Id: I737dd6b703cc5af16b3d748ebaeebe0fbada039e

Updates the api-ref to reflect that list_role_assignment now also
returns the domain id and name for roles.
Related-Bug: #1607114
Change-Id: Ie887907b9410e84b5f3ff958b05b2fd98efbe5aa

GET /role_assignments does not list the effective role_assignments,
this is done via the "effective" query param as described in the
doc.
For listing role assignments, we also have a similar explanation in
the "roles.inc" doc. After giving some thought, I guess the best option
is to leave both entries. This can sound redundant, but both entries give
pertinent explanation to the doc they are part of. For example, in the
"inherit.inc" doc, we have an introduction to the GET /role_assignments
API and explanations about the "effective", "include_subtree" and
"inherit_to" query parameters, which are essentially part of the
inherited roles feature.
Closes-Bug: 1645554
Change-Id: I38fa771295a1e1f482b10013f922a0bd0e432f8d

A service user from auth_token middleware should be able to fetch a
token that has expired within a certain window so that long running
operations can finish.
Implements bp: allow-expired
Change-Id: I784f719be88481048f5aa7a79d34a54907438cf3

Changed the new password value in the JSON request for
V3 "Change User Password" example to be more clear about which field
the "new" password should be in and that the user's password will be
that "new" password.
Change-Id: I6790422956ed99f90fd41b6774bd266fd57d7130

The v3 endpoint documentation /v3/auth/tokens/OS-PKI/revoked is missing
in /api-ref. This patch set adds the documentation for v3.
A separate patch set will be submitted for v2.
Change-Id: I3db3356d24cc8885012756016a90a0996fcf14f5
Partial-Bug: #1626778

The current API doc for v3 roles is very difficult to navigate. This
patch reorders the APIs in the following order:
- roles
- group roles on domain
- user roles on domain
- group roles on project
- user roles on project
- implied (inference) roles
- others
Inside each group, APIs are reordered as follows:
- list
- create (assign)
- get/retrieve
- verify/confirm (if applicable)
- update (if applicable)
- delete
Change-Id: I465cd493958a3e8384a7ae750b528d5fc08326de

This patch reorders the APIs documented for v3 groups. After the
revision the order becomes:
- list group
- create group
- show group
- update group
- delete group
- list users in group
- add user to group
- check whether user belongs to a group
- remove user from group
This reordering is for consistency among all APIs and for ease of
browsing (List followed by CRUD in that order).
Change-Id: I7d829e993ae9bffac95c04d1f40613bcf65eed49

The sample is not used anywhere and it is duplicated with
'auth-password-unscoped-request-with-domain.json'.
Change-Id: Ia47b05dfbd588b0d4886027d9e770864fff964ba

When authenticating, it is more common for a user to supply a name
for a resource rather than an ID.
Further, since the bootstrapping command was introduced the "id" of the
default domain is no longer "default" but rather a UUID.
Change-Id: Ib75fac089924ab9c513861027f1875058232408e
Closes-Bug: #1633285

- The doc incorrectly defined the relationship by a link to
the doc.
- Remove a couple of APIs that have not been implemented yet; this patch
references the BP, so that they can be added back if those APIs
are implemented one day.
Change-Id: I32155733b848fafa809114182a164db777e33e93
Implements: blueprint hierarchical-multitenancy

The new user attribute, password_expires_at, is not being returned
during auth; this patch adds it.
bp password-expires-validation
Change-Id: I1f17a849d9da4067d6be7d612c5a561bcb247ebb

Mention that project names are limited to domain, 64 characters,
and utf8 support depends on the given backend.
Change-Id: Idc266d693c9e81d2bc9b51f20ad5f1282bda5721
Closes-Bug: 1631517

This patch changes the representation of response codes using tables.
Some error codes that are never returned from keystone are removed.
For example, 503 service unavailable is never returned from keystone.
Change-Id: I5e1e0ea1dab7dcb229bce44199f57a9a3bd45ae8

This patch reorders the APIs listed in the api-ref doc for v3 users so
that we have APIs documented in the following order:
- list users
- create user
- show user
- update user
- delete user
- list user groups
- list user projects
- change passwd
The rationale behind the change is that we want the order of API docs
for all resources to be consistent and easy to navigate. This patch
reorders the users APIs so that:
- Plural form of resources always comes before singular form because
it has a unique URI;
- APIs about a specific resource (usually with an ID) are documented
in the order of CRUD (create, retrieve, update and delete);
- All other helper APIs are documented at the end and they are grouped
based on resource URIs when appropriate.
Change-Id: Ie594a45a51064a5f9089e2663bd970f10707ffaa

This patch reorders the sections about services and endpoints which were
previously interleaved randomly. After the reordering, all services APIs
appear before all endpoint APIs so browsing through the APIs would be
much easier. This patch also changes the representations of status codes
using the new stanza in os-api-ref.
Change-Id: I89aabd3d9a336f5f6f65aaca51353f2d23b4cb2a

The support of updating project or deleting project cascadely has
not yet been implemented in the controller [1] and no route is defined
yet for this feature.
So, remove them from the public doc; they can be added back when this
feature is fully implemented, in order not to mislead readers.
[1] https://review.openstack.org/#/c/243585/
bp project-tree-deletion
Change-Id: I22b2cb41d44975bca6bc96ba2e3daa61d5029cce

This patch adds the status code table into the api-ref doc for projects.
It brings in a 'status.yaml' file that could be shared by other *.inc
files.
Change-Id: Ic536a4dd686cf9bde70b91f5575e8f3053fd1295