# variables in header Openstack-Auth-Receipt: description: | The auth receipt. A partially successful authentication response returns the auth receipt ID in this header rather than in the response body. in: header required: true type: string X-Auth-Token: description: | A valid authentication token for an administrative user. in: header required: true type: string X-Subject-Token: description: | The authentication token. An authentication response returns the token ID in this header rather than in the response body. in: header required: true type: string # variables in path credential_id_path: description: | The UUID for the credential. in: path required: true type: string domain_id_path: description: | The domain ID. in: path required: true type: string endpoint_id_path: description: | The endpoint ID. in: path required: true type: string group_id: description: | The group ID. in: path required: true type: string group_id_path: description: | The group ID. in: path required: true type: string implies_role_id: description: | Role ID for an implied role. in: path required: true type: string limit_id_path: description: | The limit ID. in: path required: true type: string option: description: | The option name. For the ``ldap`` group, a valid value is ``url`` or ``user_tree_dn``. For the ``identity`` group, a valid value is ``driver``. in: path required: true type: string policy_id_path: description: | The policy ID. in: path required: true type: string prior_role_id: description: | Role ID for a prior role. in: path required: true type: string project_id_path: description: | The project ID. in: path required: true type: string project_tag_path: description: | A simple string associated with a project. Can be used for assigning values to projects and filtering based on those values. in: path required: true type: string region_id_path: description: | The region ID. in: path required: true type: string registered_limit_id_path: description: | The registered limit ID. in: path required: true type: string request_access_rule_id_path_required: description: | The ID of the access rule. in: path required: true type: string request_access_rule_user_id_path_required: description: | The ID of the user who owns the access rule. in: path required: true type: string request_application_credential_id_path_required: description: | The ID of the application credential. in: path required: true type: string request_application_credential_user_id_path_required: description: | The ID of the user who owns the application credential. in: path required: true type: string role_id: description: | The role ID. in: path required: true type: string role_id_path: description: | The role ID. in: path required: true type: string service_id_path: description: | The service ID. in: path required: true type: string user_id_path: description: | The user ID. in: path required: true type: string # variables in query allow_expired: description: | (Since v3.8) Allow fetching a token that has expired. By default expired tokens return a 404 exception. in: query required: false type: bool domain_enabled_query: description: | If set to true, then only domains that are enabled will be returned, if set to false only that are disabled will be returned. Any value other than ``0``, including no value, will be interpreted as true. in: query required: false type: string domain_id_query: description: | Filters the response by a domain ID. in: query required: false type: string domain_name_query: description: | Filters the response by a domain name. in: query required: false type: string effective_query: description: | Returns the effective assignments, including any assignments gained by virtue of group membership. in: query required: false type: key-only (no value required) enabled_user_query: description: | Filters the response by either enabled (``true``) or disabled (``false``) users. in: query required: false type: string group_id_query: description: | Filters the response by a group ID. in: query required: false type: string group_name_query: description: | Filters the response by a group name. in: query required: false type: string idp_id_query: description: | Filters the response by an identity provider ID. in: query required: false type: string include_limits: description: | It should be used together with `parents_as_list` or `subtree_as_list` filter to add the related project's limits into the response body. in: query required: false type: key-only, no value expected include_names_query: description: | If set to true, then the names of any entities returned will be include as well as their IDs. Any value other than ``0`` (including no value) will be interpreted as true. in: query required: false type: boolean min_version: 3.6 include_subtree_query: description: | If set to true, then relevant assignments in the project hierarchy below the project specified in the ``scope.project_id`` query parameter are also included in the response. Any value other than ``0`` (including no value) for ``include_subtree`` will be interpreted as true. in: query required: false type: boolean min_version: 3.6 interface_query: description: | Filters the response by an interface. in: query required: false type: string is_domain_query: description: | If this is specified as true, then only projects acting as a domain are included. Otherwise, only projects that are not acting as a domain are included. in: query required: false type: boolean min_version: 3.6 name_user_query: description: | Filters the response by a user name. in: query required: false type: string nocatalog: description: | (Since v3.1) The authentication response excludes the service catalog. By default, the response includes the service catalog. in: query required: false type: string parent_id_query: description: | Filters the response by a parent ID. in: query required: false type: string min_version: 3.4 parent_region_id_query_not_required: description: | Filters the response by a parent region, by ID. in: query required: false type: string parents_as_ids: description: | The entire parent hierarchy will be included as nested dictionaries in the response. It will contain all projects ids found by traversing up the hierarchy to the top-level project. in: query required: false type: key-only, no value expected min_version: 3.4 parents_as_list: description: | The parent hierarchy will be included as a list in the response. This list will contain the projects found by traversing up the hierarchy to the top-level project. The returned list will be filtered against the projects the user has an effective role assignment on. in: query required: false type: key-only, no value expected min_version: 3.4 password_expires_at_query: description: | Filter results based on which user passwords have expired. The query should include an ``operator`` and a ``timestamp`` with a colon (``:``) separating the two, for example:: password_expires_at={operator}:{timestamp} - Valid operators are: ``lt``, ``lte``, ``gt``, ``gte``, ``eq``, and ``neq`` - lt: expiration time lower than the timestamp - lte: expiration time lower than or equal to the timestamp - gt: expiration time higher than the timestamp - gte: expiration time higher than or equal to the timestamp - eq: expiration time equal to the timestamp - neq: expiration time not equal to the timestamp - Valid timestamps are of the form: ``YYYY-MM-DDTHH:mm:ssZ``. For example:: /v3/users?password_expires_at=lt:2016-12-08T22:02:00Z The example would return a list of users whose password expired before the timestamp (``2016-12-08T22:02:00Z``). in: query required: false type: string policy_type_query: description: | Filters the response by a MIME media type for the serialized policy blob. For example, ``application/json``. in: query required: false type: string project_enabled_query: description: | If set to true, then only enabled projects will be returned. Any value other than ``0`` (including no value) will be interpreted as true. in: query required: false type: boolean project_name_query: description: | Filters the response by a project name. in: query required: false type: string protocol_id_query: description: | Filters the response by a protocol ID. in: query required: false type: string region_id_query: description: | Filters the response by a region ID. in: query required: false type: string request_application_credential_name_query_not_required: description: | The name of the application credential. Must be unique to a user. in: query required: false type: string request_nocatalog_unscoped_path_not_required: description: | (Since v3.1) nocatalog only works for scoped token. For unscoped token, the authentication response always excludes the service catalog. in: query required: false type: string resource_name_query: description: | Filters the response by a specified resource name. in: query required: false type: string role_id_query: description: | Filters the response by a role ID. in: query required: false type: string role_name_query: description: | Filters the response by a role name. in: query required: false type: string scope_domain_id_query: description: | Filters the response by a domain ID. in: query required: false type: string scope_os_inherit_inherited_to: description: | Filters based on role assignments that are inherited. The only value of ``inherited_to`` that is currently supported is ``projects``. in: query required: false type: string scope_project_id_query: description: | Filters the response by a project ID. in: query required: false type: string scope_system_query: description: | Filters the response by system assignments. in: query required: false type: string service_id_query: description: | Filters the response by a service ID. in: query required: false type: string service_type_query: description: | Filters the response by a service type. A valid value is ``compute``, ``ec2``, ``identity``, ``image``, ``network``, or ``volume``. in: query required: false type: string subtree_as_ids: description: | The entire child hierarchy will be included as nested dictionaries in the response. It will contain all the projects ids found by traversing down the hierarchy. in: query required: false type: key-only, no value expected min_version: 3.4 subtree_as_list: description: | The child hierarchy will be included as a list in the response. This list will contain the projects found by traversing down the hierarchy. The returned list will be filtered against the projects the user has an effective role assignment on. in: query required: false type: key-only, no value expected min_version: 3.4 unique_id_query: description: | Filters the response by a unique ID. in: query required: false type: string user_id_query: description: | Filters the response by a user ID. in: query required: false type: string # variables in body audit_ids: description: | A list of one or two audit IDs. An audit ID is a unique, randomly generated, URL-safe string that you can use to track a token. The first audit ID is the current audit ID for the token. The second audit ID is present for only re-scoped tokens and is the audit ID from the token before it was re-scoped. A re- scoped token is one that was exchanged for another token of the same or different scope. You can use these audit IDs to track the use of a token or chain of tokens across multiple requests and endpoints without exposing the token ID to non-privileged users. in: body required: true type: array auth: description: | An ``auth`` object. in: body required: true type: object auth_application_credential_restricted_body: description: | Whether the application credential is permitted to be used for creating and deleting additional application credentials and trusts. in: body required: true type: object auth_domain: description: | Specify either ``id`` or ``name`` to uniquely identify the domain. in: body required: false type: object auth_methods: description: | The authentication methods, which are commonly ``password``, ``token``, or other methods. Indicates the accumulated set of authentication methods that were used to obtain the token. For example, if the token was obtained by password authentication, it contains ``password``. Later, if the token is exchanged by using the token authentication method one or more times, the subsequently created tokens contain both ``password`` and ``token`` in their ``methods`` attribute. Unlike multi-factor authentication, the ``methods`` attribute merely indicates the methods that were used to authenticate the user in exchange for a token. The client is responsible for determining the total number of authentication factors. in: body required: true type: array auth_methods_application_credential: description: | The authentication method. To authenticate with an application credential, specify ``application_credential``. in: body required: true type: array auth_methods_passwd: description: | The authentication method. For password authentication, specify ``password``. in: body required: true type: array auth_methods_receipt: description: | The authentication methods, which are commonly ``password``, ``totp``, or other methods. Indicates the accumulated set of authentication methods that were used to obtain the receipt. For example, if the receipt was obtained by password authentication, it contains ``password``. Later, if the receipt is exchanged by using another authentication method one or more times, the subsequently created receipts could contain both ``password`` and ``totp`` in their ``methods`` attribute. in: body required: true type: array auth_methods_token: description: | The authentication method. For token authentication, specify ``token``. in: body required: true type: array auth_methods_totp: description: | The authentication method. For totp authentication, specify ``totp``. in: body required: true type: array auth_token: description: | A ``token`` object. The token authentication method is used. This method is typically used in combination with a request to change authorization scope. in: body required: true type: object auth_token_id: description: | A token ID. in: body required: true type: string catalog: description: | A ``catalog`` object. in: body required: true type: array catalog_response_body_optional: description: | A ``catalog`` object. in: body required: false type: array credential: description: | A ``credential`` object. in: body required: true type: object credential_blob: description: | The credential itself, as a serialized blob. in: body required: true type: string credential_blob_not_required: description: | The credential itself, as a serialized blob. in: body required: false type: string credential_id: description: | The UUID for the credential. in: body required: true type: string credential_links: description: | The links for the ``credential`` resource. in: body required: true type: object credential_type: description: | The credential type, such as ``ec2`` or ``cert``. The implementation determines the list of supported types. in: body required: true type: string credential_type_not_required: description: | The credential type, such as ``ec2`` or ``cert``. The implementation determines the list of supported types. in: body required: false type: string credential_user_id: description: | The ID of the user who owns the credential. in: body required: true type: string credential_user_id_not_required: description: | The ID of the user who owns the credential. in: body required: false type: string credentials: description: | A list of ``credential`` objects. in: body required: true type: array credentials_links: description: | The links for the ``credentials`` resource. in: body required: true type: object default_limit: description: | The default limit for the registered limit. in: body required: true type: integer default_project_id_request_body: description: | The ID of the default project for the user. A user's default project must not be a domain. Setting this attribute does not grant any actual authorization on the project, and is merely provided for convenience. Therefore, the referenced project does not need to exist within the user domain. (Since v3.1) If the user does not have authorization to their default project, the default project is ignored at token creation. (Since v3.1) Additionally, if your default project is not valid, a token is issued without an explicit scope of authorization. in: body required: false type: string default_project_id_response_body: description: | The ID of the default project for the user. in: body required: false type: string default_project_id_update_body: description: | The new ID of the default project for the user. in: body required: false type: string description_limit_request_body: description: | The limit description. in: body required: false type: string description_limit_response_body: description: | The limit description. in: body required: true type: string description_region_request_body: description: | The region description. in: body required: false type: string description_region_response_body: description: | The region description. in: body required: true type: string description_registered_limit_request_body: description: | The registered limit description. in: body required: false type: string description_registered_limit_response_body: description: | The registered limit description. in: body required: true type: string domain: description: | A ``domain`` object in: body required: true type: object domain_config: description: | A ``config`` object. in: body required: true type: object domain_description_request_body: description: | The description of the domain. in: body required: false type: string domain_description_response_body: description: | The description of the domain. in: body required: true type: string domain_description_update_request_body: description: | The new description of the domain. in: body required: false type: string domain_driver: description: | The Identity backend driver. in: body required: true type: string domain_enabled_request_body: description: | If set to ``true``, domain is created enabled. If set to ``false``, domain is created disabled. The default is ``true``. Users can only authorize against an enabled domain (and any of its projects). In addition, users can only authenticate if the domain that owns them is also enabled. Disabling a domain prevents both of these things. in: body required: false type: string domain_enabled_response_body: description: | If set to ``true``, domain is enabled. If set to ``false``, domain is disabled. in: body required: true type: string domain_enabled_update_request_body: description: | If set to ``true``, domain is enabled. If set to ``false``, domain is disabled. The default is ``true``. Users can only authorize against an enabled domain (and any of its projects). In addition, users can only authenticate if the domain that owns them is also enabled. Disabling a domain prevents both of these things. When you disable a domain, all tokens that are authorized for that domain become invalid. However, if you reenable the domain, these tokens become valid again, providing that they haven't expired. in: body required: false type: string domain_id_response_body: description: | The ID of the domain. in: body required: true type: string domain_ldap: description: | An ``ldap`` object. Required to set the LDAP group configuration options. in: body required: true type: object domain_link_response_body: description: | The links to the ``domain`` resource. in: body required: true type: object domain_name_request_body: description: | The name of the domain. in: body required: true type: string domain_name_response_body: description: | The name of the domain. in: body required: true type: string domain_name_update_request_body: description: | The new name of the domain. in: body required: false type: string domain_scope_response_body_optional: description: | A ``domain`` object including the ``id`` and ``name`` representing the domain the token is scoped to. This is only included in tokens that are scoped to a domain. in: body required: false type: object domain_url: description: | The LDAP URL. in: body required: true type: string domain_user_tree_dn: description: | The base distinguished name (DN) of LDAP, from where all users can be reached. For example, ``ou=Users,dc=root,dc=org``. in: body required: true type: string domains: description: | A list of ``domain`` objects in: body required: true type: array email: description: | The email address for the user. in: body required: true type: string enabled_user_request_body: description: | If the user is enabled, this value is ``true``. If the user is disabled, this value is ``false``. in: body required: false type: boolean enabled_user_response_body: description: | If the user is enabled, this value is ``true``. If the user is disabled, this value is ``false``. in: body required: true type: boolean enabled_user_update_body: description: | Enables or disables the user. An enabled user can authenticate and receive authorization. A disabled user cannot authenticate or receive authorization. Additionally, all tokens that the user holds become no longer valid. If you reenable this user, pre-existing tokens do not become valid. To enable the user, set to ``true``. To disable the user, set to ``false``. Default is ``true``. in: body required: false type: boolean endpoint: description: | An ``endpoint`` object. in: body required: true type: object endpoint_enabled: description: | Indicates whether the endpoint appears in the service catalog: - ``false``. The endpoint does not appear in the service catalog. - ``true``. The endpoint appears in the service catalog. in: body required: true type: boolean endpoint_enabled_not_required: description: | Defines whether the endpoint appears in the service catalog: - ``false``. The endpoint does not appear in the service catalog. - ``true``. The endpoint appears in the service catalog. Default is ``true``. in: body required: false type: boolean endpoint_id: description: | The endpoint ID. in: body required: true type: string endpoint_interface: description: | The interface type, which describes the visibility of the endpoint. Value is: - ``public``. Visible by end users on a publicly available network interface. - ``internal``. Visible by end users on an unmetered internal network interface. - ``admin``. Visible by administrative users on a secure network interface. in: body required: true type: string endpoint_links: description: | The links for the ``endpoint`` resource. in: body required: true type: object endpoint_name: description: | The endpoint name. in: body required: true type: string endpoint_region: description: | (Deprecated in v3.2) The geographic location of the service endpoint. in: body required: true type: string endpoint_type: description: | The endpoint type. in: body required: true type: string endpoint_url: description: | The endpoint URL. in: body required: true type: string endpoints: description: | A list of ``endpoint`` objects. in: body required: true type: array endpoints_links: description: | The links for the ``endpoints`` resource. in: body required: true type: object expires_at: description: | The date and time when the token expires. The date and time stamp format is `ISO 8601 `_: :: CCYY-MM-DDThh:mm:ss.sssZ For example, ``2015-08-27T09:49:58.000000Z``. A ``null`` value indicates that the token never expires. in: body required: true type: string explicit_unscoped_string: description: | The authorization scope (Since v3.4). Specify ``unscoped`` to make an explicit unscoped token request, which returns an unscoped response without any authorization. This request behaves the same as a token request with no scope where the user has no default project defined. If an explicit, ``unscoped`` token request is not made and the user has authorization to their default project, then the response will return a project-scoped token. If a default project is not defined, a token is issued without an explicit scope of authorization, which is the same as asking for an explicit unscoped token. in: body required: false type: string extra_request_body: description: | The extra attributes of a resource. The actual name ``extra`` is not the key name in the request body, but rather a collection of any attributes that a resource may contain that are not part of the resource's default attributes. Generally these are custom fields that are added to a resource in keystone by operators for their own specific uses, such as ``email`` and ``description`` for users. in: body required: false type: string federated_in_request_body: description: | List of federated objects associated with a user. Each object in the list contains the ``idp_id`` and ``protocols``. ``protocols`` is a list of objects, each of which contains ``protocol_id`` and ``unique_id`` of the protocol and user respectively. For example:: "federated": [ { "idp_id": "efbab5a6acad4d108fec6c63d9609d83", "protocols": [ {"protocol_id": mapped, "unique_id": "test@example.com"} ] } ] in: body required: false type: list federated_in_response_body: description: | List of federated objects associated with a user. Each object in the list contains the ``idp_id`` and ``protocols``. ``protocols`` is a list of objects, each of which contains ``protocol_id`` and ``unique_id`` of the protocol and user respectively. For example:: "federated": [ { "idp_id": "efbab5a6acad4d108fec6c63d9609d83", "protocols": [ {"protocol_id": "mapped", "unique_id": "test@example.com"} ] } ] in: body required: false type: list group: description: | A ``group`` object in: body required: true type: object group_description_request_body: description: | The description of the group. in: body required: false type: string group_description_response_body: description: | The description of the group. in: body required: true type: string group_description_update_request_body: description: | The new description of the group. in: body required: false type: string group_domain_id: description: | The ID of the domain that owns the group. If you omit the domain ID, defaults to the domain to which the client token is scoped. in: body required: false type: string group_domain_id_request_body: description: | The ID of the domain of the group. If the domain ID is not provided in the request, the Identity service will attempt to pull the domain ID from the token used in the request. Note that this requires the use of a domain-scoped token. in: body required: false type: string group_domain_id_response_body: description: | The ID of the domain of the group. in: body required: true type: string group_domain_id_update_request_body: description: | The ID of the new domain for the group. The ability to change the domain of a group is now deprecated, and will be removed in subsequent release. It is already disabled by default in most Identity service implementations. in: body required: false type: string group_id_response_body: description: | The ID of the group. in: body required: true type: string group_name_request_body: description: | The name of the group. in: body required: true type: string group_name_response_body: description: | The name of the group. in: body required: true type: string group_name_update_request_body: description: | The new name of the group. in: body required: false type: string groups: description: | A list of ``group`` objects in: body required: true type: array id_region_response_body: description: | The ID for the region. in: body required: true type: string id_region_resquest_body: description: | The ID for the region. in: body required: false type: string id_user_body: description: | The user ID. in: body required: true type: string identity: description: | An ``identity`` object. in: body required: true type: object implies_role_array_body: description: | An array of implied role objects. in: body required: true type: array implies_role_object_body: description: | An implied role object. in: body required: true type: object is_domain_request_body: description: | Indicates whether the project also acts as a domain. If set to ``true``, this project acts as both a project and domain. As a domain, the project provides a name space in which you can create users, groups, and other projects. If set to ``false``, this project behaves as a regular project that contains only resources. Default is ``false``. You cannot update this parameter after you create the project. in: body required: false type: boolean min_version: 3.6 is_domain_response_body: description: | Indicates whether the project also acts as a domain. If set to ``true``, this project acts as both a project and domain. As a domain, the project provides a name space in which you can create users, groups, and other projects. If set to ``false``, this project behaves as a regular project that contains only resources. in: body required: true type: boolean min_version: 3.6 issued_at: description: | The date and time when the token was issued. The date and time stamp format is `ISO 8601 `_: :: CCYY-MM-DDThh:mm:ss.sssZ For example, ``2015-08-27T09:49:58.000000Z``. in: body required: true type: string limit: description: | A ``limit`` object in: body required: true type: array limit_id: description: | The limit ID. in: body required: true type: string limit_model_description_required_response_body: description: A short description of the enforcement model used in: body required: true type: string limit_model_name_required_response_body: description: The name of the enforcement model in: body required: true type: string limit_model_required_response_body: description: A model object describing the configured enforcement model used by the deployment. in: body required: true type: object limits: description: | A list of ``limits`` objects in: body required: true type: array link_collection: description: | The link to the collection of resources. in: body required: true type: object link_response_body: description: | The link to the resources in question. in: body required: true type: object links_project: description: | The links for the ``project`` resource. in: body required: true type: object links_region: description: | The links for the ``region`` resource. in: body required: true type: object links_user: description: | The links for the ``user`` resource. in: body required: true type: object membership_expires_at_response_body: description: | The date and time when the group membership expires. A ``null`` value indicates that the membership never expires. in: body required: true type: string min_version: 3.14 original_password: description: | The original password for the user. in: body required: true type: string parent_region_id_request_body: description: | To make this region a child of another region, set this parameter to the ID of the parent region. in: body required: false type: string parent_region_id_response_body: description: | To make this region a child of another region, set this parameter to the ID of the parent region. in: body required: true type: string password: description: | The ``password`` object, contains the authentication information. in: body required: true type: object password_expires_at: description: | The date and time when the password expires. The time zone is UTC. This is a response object attribute; not valid for requests. A ``null`` value indicates that the password never expires. in: body required: true type: string min_version: 3.7 password_request_body: description: | The password for the user. in: body required: false type: string policies: description: | A ``policies`` object. in: body required: true type: array policy: description: | A ``policy`` object. in: body required: true type: object policy_blob_obj: description: | The policy rule itself, as a serialized blob. in: body required: true type: object policy_blob_str: description: | The policy rule set itself, as a serialized blob. in: body required: true type: string policy_id: description: | The policy ID. in: body required: true type: string policy_links: description: | The links for the ``policy`` resource. in: body required: true type: object policy_type: description: | The MIME media type of the serialized policy blob. in: body required: true type: string prior_role_body: description: | A prior role object. in: body required: true type: object project: description: | A ``project`` object in: body required: true type: object project_description_request_body: description: | The description of the project. in: body required: false type: string project_description_response_body: description: | The description of the project. in: body required: true type: string project_domain_id: description: | The ID of the domain for the project. If you omit the domain ID, default is the domain to which your token is scoped. in: body required: false type: string project_domain_id_request_body: description: | The ID of the domain for the project. For projects acting as a domain, the ``domain_id`` must not be specified, it will be generated by the Identity service implementation. For regular projects (i.e. those not acing as a domain), if ``domain_id`` is not specified, but ``parent_id`` is specified, then the domain ID of the parent will be used. If neither ``domain_id`` or ``parent_id`` is specified, the Identity service implementation will default to the domain to which the client's token is scoped. If both ``domain_id`` and ``parent_id`` are specified, and they do not indicate the same domain, an ``Bad Request (400)`` will be returned. in: body required: false type: string project_domain_id_response_body: description: | The ID of the domain for the project. in: body required: true type: string project_domain_id_update_request_body: description: | The ID of the new domain for the project. The ability to change the domain of a project is now deprecated, and will be removed in subequent release. It is already disabled by default in most Identity service implementations. in: body required: false type: string project_enabled_request_body: description: | If set to ``true``, project is enabled. If set to ``false``, project is disabled. The default is ``true``. in: body required: false type: boolean project_enabled_response_body: description: | If set to ``true``, project is enabled. If set to ``false``, project is disabled. in: body required: true type: boolean project_enabled_update_request_body: description: | If set to ``true``, project is enabled. If set to ``false``, project is disabled. in: body required: false type: boolean project_id: description: | The ID for the project. in: body required: true type: string project_name_request_body: description: | The name of the project, which must be unique within the owning domain. A project can have the same name as its domain. in: body required: true type: string project_name_response_body: description: | The name of the project. in: body required: true type: string project_name_update_request_body: description: | The name of the project, which must be unique within the owning domain. A project can have the same name as its domain. in: body required: false type: string project_parent_id_request_body: description: | The ID of the parent of the project. If specified on project creation, this places the project within a hierarchy and implicitly defines the owning domain, which will be the same domain as the parent specified. If ``parent_id`` is not specified and ``is_domain`` is ``false``, then the project will use its owning domain as its parent. If ``is_domain`` is ``true`` (i.e. the project is acting as a domain), then ``parent_id`` must not specified (or if it is, it must be ``null``) since domains have no parents. ``parent_id`` is immutable, and can't be updated after the project is created - hence a project cannot be moved within the hierarchy. in: body required: false type: string min_version: 3.4 project_parent_id_response_body: description: | The ID of the parent for the project. in: body required: true type: string min_version: 3.4 project_scope_response_body_optional: description: | A ``project`` object including the ``id``, ``name`` and ``domain`` object representing the project the token is scoped to. This is only included in tokens that are scoped to a project. in: body required: false type: object project_tags_request_body: description: | A list of simple strings assigned to a project. Tags can be used to classify projects into groups. in: body required: false type: array projects: description: | A list of ``project`` objects in: body required: true type: array receipt_expires_at: description: | The date and time when the receipt expires. The date and time stamp format is `ISO 8601 `_: :: CCYY-MM-DDThh:mm:ss.sssZ For example, ``2015-08-27T09:49:58.000000Z``. A ``null`` value indicates that the receipt never expires. in: body required: true type: string receipt_issued_at: description: | The date and time when the receipt was issued. The date and time stamp format is `ISO 8601 `_: :: CCYY-MM-DDThh:mm:ss.sssZ For example, ``2015-08-27T09:49:58.000000Z``. in: body required: true type: string region_id_not_required: description: | (Since v3.2) The ID of the region that contains the service endpoint. in: body required: false type: string region_id_request_body: description: | The ID of the region that contains the service endpoint. in: body required: false type: string region_id_required: description: | (Since v3.2) The ID of the region that contains the service endpoint. in: body required: true type: string region_id_response_body: description: | The ID of the region that contains the service endpoint. The value can be None. in: body required: true type: string region_object: description: | A ``region`` object in: body required: true type: object regions_object: description: | A list of ``region`` object in: body required: true type: array registered_limit: description: | A ``registered_limit`` objects in: body required: true type: array registered_limit_id: description: | The registered limit ID. in: body required: true type: string registered_limits: description: | A list of ``registered_limits`` objects in: body required: true type: array request_application_credential_access_rules_body_not_required: description: | A list of ``access_rules`` objects in: body required: false type: list request_application_credential_auth_id_body_not_required: description: | The ID of the application credential used for authentication. If not provided, the application credential must be identified by its name and its owning user. in: body required: false type: string request_application_credential_auth_name_body_not_required: description: | The name of the application credential used for authentication. If provided, must be accompanied by a user object. in: body required: false type: string request_application_credential_auth_secret_body_required: description: | The secret for authenticating the application credential. in: body required: true type: string request_application_credential_body_required: description: | An application credential object. in: body required: true type: object request_application_credential_description_body_not_required: description: | A description of the application credential's purpose. in: body required: false type: string request_application_credential_expires_at_body_not_required: description: | An optional expiry time for the application credential. If unset, the application credential does not expire. in: body required: false type: string request_application_credential_name_body_required: description: | The name of the application credential. Must be unique to a user. in: body required: true type: string request_application_credential_roles_body_not_required: description: | An optional list of role objects, identified by ID or name. The list may only contain roles that the user has assigned on the project. If not provided, the roles assigned to the application credential will be the same as the roles in the current token. in: body required: false type: array request_application_credential_secret_body_not_required: description: | The secret that the application credential will be created with. If not provided, one will be generated. in: body required: false type: string request_application_credential_unrestricted_body_not_required: description: | An optional flag to restrict whether the application credential may be used for the creation or destruction of other application credentials or trusts. Defaults to false. in: body required: false type: boolean request_application_credential_user_body_not_required: description: | A ``user`` object, required if an application credential is identified by name and not ID. in: body required: false type: object request_default_limit_body_not_required: description: | The default limit for the registered limit. in: body required: false type: integer request_domain_options_body_not_required: description: | The resource options for the domain. Available resource options are ``immutable``. in: body required: false type: object request_limit_domain_id_not_required: description: | The name of the domain. in: body required: false type: string request_limit_project_id_not_required: description: | The ID for the project. in: body required: false type: string request_project_options_body_not_required: description: | The resource options for the project. Available resource options are ``immutable``. in: body required: false type: object request_region_id_registered_limit_body_not_required: description: | The ID of the region that contains the service endpoint. Either service_id, resource_name, or region_id must be different than existing value otherwise it will raise 409. in: body required: false type: string request_resource_limit_body_not_required: description: | The override limit. in: body required: false type: integer request_resource_name_body_not_required: description: | The resource name. Either service_id, resource_name or region_id must be different than existing value otherwise it will raise 409. in: body required: false type: string request_role_options_body_not_required: description: | The resource options for the role. Available resource options are ``immutable``. in: body required: false type: object request_service_id_registered_limit_body_not_required: description: | The UUID of the service to update to which the registered limit belongs. Either service_id, resource_name, or region_id must be different than existing value otherwise it will raise 409. in: body required: false type: string required_auth_methods: description: | A list of authentication rules that may be used with the auth receipt to complete the authentication process. in: body required: true type: list of lists resource_limit: description: | The override limit. in: body required: true type: integer resource_name: description: | The resource name. in: body required: true type: string response_access_rules_body: description: | A list of ``access_rules`` objects in: body type: list required: true response_access_rules_id_body: description: | The ID of the access rule in: body type: string required: true response_access_rules_method_body: description: | The request method that the application credential is permitted to use for a given API endpoint. in: body type: string required: true response_access_rules_path_body: description: | The API path that the application credential is permitted to access. May use named wildcards such as ``{tag}`` or the unnamed wildcard ``*`` to match against any string in the path up to a ``/``, or the recursive wildcard ``**`` to include ``/`` in the matched path. in: body type: string required: true response_access_rules_service_body: description: | The service type identifier for the service that the application credential is permitted to access. Must be a service type that is listed in the service catalog and not a code name for a service. in: body type: string required: true response_application_credential_access_rules_body: description: | A list of ``access_rules`` objects in: body type: list required: true response_application_credential_body: description: | The application credential object. in: body type: object required: true response_application_credential_description_body: description: | A description of the application credential's purpose. in: body type: string required: true response_application_credential_expires_at_body: description: | The expiration time of the application credential, if one was specified. in: body type: string required: true response_application_credential_id_body: description: | The ID of the application credential. in: body type: string required: true response_application_credential_name_body: description: | The name of the application credential. in: body type: string required: true response_application_credential_project_id_body: description: | The ID of the project the application credential was created for and that authentication requests using this application credential will be scoped to. in: body type: string required: true response_application_credential_roles_body: description: | A list of one or more roles that this application credential has associated with its project. A token using this application credential will have these same roles. in: body type: array required: true response_application_credential_secret_body: description: | The secret for the application credential, either generated by the server or provided by the user. This is only ever shown once in the response to a create request. It is not stored nor ever shown again. If the secret is lost, a new application credential must be created. in: body type: string required: true response_application_credential_unrestricted_body: description: | A flag indicating whether the application credential may be used for creation or destruction of other application credentials or trusts. in: body type: boolean required: true response_body_project_tags_required: description: | A list of simple strings assigned to a project. in: body required: true type: array response_body_system_required: description: | A list of systems to access based on role assignments. in: body required: true type: array response_domain_options_body_required: description: | The resource options for the domain. Available resource options are ``immutable``. in: body required: true type: object response_limit_domain_id_body: description: | The ID of the domain. in: body required: true type: string response_project_options_body_required: description: | The resource options for the project. Available resource options are ``immutable``. in: body required: true type: object response_role_options_body_required: description: | The resource options for the role. Available resource options are ``immutable``. in: body required: true type: object response_user_options_body_required: description: | The resource options for the user. Available resource options are ``ignore_change_password_upon_first_use``, ``ignore_password_expiry``, ``ignore_lockout_failure_attempts``, ``lock_password``, ``multi_factor_auth_enabled``, and ``multi_factor_auth_rules``. in: body required: true type: object role: description: | A ``role`` object in: body required: true type: object role_assignments: description: | A list of ``role_assignment`` objects. in: body required: true type: array role_description_create_body: description: | Add description about the role. in: body required: false type: string role_description_response_body_required: description: | The role description. in: body required: true type: string role_description_update_body: description: | The new role description. in: body required: false type: string role_domain_id_request_body: description: | The ID of the domain of the role. in: body required: false type: string role_id_response_body: description: | The role ID. in: body required: true type: string role_inference_array_body: description: | An array of ``role_inference`` object. in: body required: true type: array role_inference_body: description: | Role inference object that contains ``prior_role`` object and ``implies`` object. in: body required: true type: object role_name_create_body: description: | The role name. in: body required: true type: string role_name_response_body: description: | The role name. in: body required: true type: string role_name_update_body: description: | The new role name. in: body required: false type: string roles: description: | A list of ``role`` objects in: body required: true type: array scope_string: description: | The authorization scope, including the system (Since v3.10), a project, or a domain (Since v3.4). If multiple scopes are specified in the same request (e.g. ``project`` and ``domain`` or ``domain`` and ``system``) an HTTP ``400 Bad Request`` will be returned, as a token cannot be simultaneously scoped to multiple authorization targets. An ID is sufficient to uniquely identify a project but if a project is specified by name, then the domain of the project must also be specified in order to uniquely identify the project by name. A domain scope may be specified by either the domain's ID or name with equivalent results. in: body required: false type: string service: description: | A ``service`` object. in: body required: true type: object service_description: description: | The service description. in: body required: false type: string service_description_not_required: description: | The service description. in: body required: false type: string service_enabled: description: | Defines whether the service and its endpoints appear in the service catalog: - ``false``. The service and its endpoints do not appear in the service catalog. - ``true``. The service and its endpoints appear in the service catalog. in: body required: false type: boolean service_enabled_not_required: description: | Defines whether the service and its endpoints appear in the service catalog: - ``false``. The service and its endpoints do not appear in the service catalog. - ``true``. The service and its endpoints appear in the service catalog. Default is ``true``. in: body required: false type: boolean service_id: description: | The UUID of the service to which the endpoint belongs. in: body required: true type: string service_id_limit: description: | The UUID of the service to which the limit belongs. in: body required: true type: string service_id_registered_limit: description: | The UUID of the service to which the registered limit belongs. in: body required: true type: string service_links: description: | The links for the ``service`` resource. in: body required: true type: object service_name: description: | The service name. in: body required: true type: string service_type: description: | The service type, which describes the API implemented by the service. Value is ``compute``, ``ec2``, ``identity``, ``image``, ``network``, or ``volume``. in: body required: true type: string services: description: | A list of ``service`` object. in: body required: true type: array system: description: | A ``system`` object. in: body required: false type: object system_roles_response_body: description: | A list of ``role`` objects containing ``domain_id``, ``id``, ``links``, and ``name`` attributes. in: body required: true type: array system_scope_response_body_optional: description: | A ``system`` object containing information about which parts of the system the token is scoped to. If the token is scoped to the entire deployment system, the ``system`` object will consist of ``{"all": true}``. This is only included in tokens that are scoped to the system. in: body required: false type: object system_scope_string: description: | Authorization scope specific to the deployment system (Since v3.10). Specifying a project or domain scope in addition to system scope results in an HTTP ``400 Bad Request``. in: body required: false type: string token: description: | A ``token`` object. in: body required: true type: object totp: description: | The ``totp`` object, contains the authentication information. in: body required: true type: object user: description: | A ``user`` object. in: body required: true type: object user_domain_id: description: | The ID of the domain for the user. in: body required: false type: string user_domain_id_request_body: description: | The ID of the domain of the user. If the domain ID is not provided in the request, the Identity service will attempt to pull the domain ID from the token used in the request. Note that this requires the use of a domain-scoped token. in: body required: false type: string user_domain_id_update_body: description: | The ID of the new domain for the user. The ability to change the domain of a user is now deprecated, and will be removed in subequent release. It is already disabled by default in most Identity service implementations. in: body required: false type: string user_id: description: | The ID of the user. Required if you do not specify the user name. in: body required: false type: string user_name: description: | The user name. Required if you do not specify the ID of the user. If you specify the user name, you must also specify the domain, by ID or name. in: body required: false type: string user_name_create_request_body: description: | The user name. Must be unique within the owning domain. in: body required: true type: string user_name_response_body: description: | The user name. Must be unique within the owning domain. in: body required: true type: string user_name_update_body: description: | The new name for the user. Must be unique within the owning domain. in: body required: false type: string user_object: description: | A ``user`` object in: body required: true type: object user_options_request_body: description: | The resource options for the user. Available resource options are ``ignore_change_password_upon_first_use``, ``ignore_password_expiry``, ``ignore_lockout_failure_attempts``, ``lock_password``, ``multi_factor_auth_enabled``, and ``multi_factor_auth_rules``. in: body required: false type: object user_password_update_body: description: | The new password for the user. in: body required: true type: string user_update_password_body: description: | The new password for the user. in: body required: false type: string users: description: | A ``users`` object. in: body required: true type: array users_object: description: | A list of ``user`` objects in: body required: true type: array