# variables in header
X-Auth-Token:
  description: |
    A valid authentication token for an
    administrative user.
  in: header
  required: true
  type: string
X-Subject-Token:
  description: |
    The authentication token.  An authentication
    response returns the token ID in this header rather than in the
    response body.
  in: header
  required: true
  type: string

# variables in path
credential_id_path:
  description: |
    The UUID for the credential.
  in: path
  required: true
  type: string
domain_id_path:
  description: |
    The domain ID.
  in: path
  required: true
  type: string
endpoint_id_path:
  description: |
    The endpoint ID.
  in: path
  required: true
  type: string
group_id:
  description: |
    The group ID.
  in: path
  required: true
  type: string
group_id_path:
  description: |
    The group ID.
  in: path
  required: true
  type: string
implies_role_id:
  description: |
    Role ID for an implied role.
  in: path
  required: true
  type: string
option:
  description: |
    The option name. For the ``ldap`` group, a valid
    value is ``url`` or ``user_tree_dn``. For the ``identity`` group,
    a valid value is ``driver``.
  in: path
  required: true
  type: string
policy_id_path:
  description: |
    The policy ID.
  in: path
  required: true
  type: string
prior_role_id:
  description: |
    Role ID for a prior role.
  in: path
  required: true
  type: string
project_id_path:
  description: |
    The project ID.
  in: path
  required: true
  type: string
region_id_path:
  description: |
    The region ID.
  in: path
  required: true
  type: string
role_id:
  description: |
    The role ID.
  in: path
  required: true
  type: string
role_id_path:
  description: |
    The role ID.
  in: path
  required: true
  type: string
service_id_path:
  description: |
    The service ID.
  in: path
  required: true
  type: string
user_id_path:
  description: |
    The user ID.
  in: path
  required: true
  type: string

# variables in query
allow_expired:
  description: |
    (Since v3.8) Allow fetching a token that has expired. By default expired
    tokens return a 404 exception.
  in: query
  required: false
  type: bool
domain_enabled_query:
  description: |
    If set to true, then only domains that are enabled will be returned, if set
    to false only that are disabled will be returned. Any value other than
    ``0``, including no value, will be interpreted as true.
  in: query
  required: false
  type: string
domain_id_query:
  description: |
    Filters the response by a domain ID.
  in: query
  required: false
  type: string
domain_name_query:
  description: |
    Filters the response by a domain name.
  in: query
  required: false
  type: string
effective_query:
  description: |
    Returns the effective assignments, including any assignments gained by
    virtue of group membership.
  in: query
  required: false
  type: key-only (no value required)
enabled_user_query:
  description: |
    Filters the response by either enabled (``true``)
    or disabled (``false``) users.
  in: query
  required: false
  type: string
group_id_query:
  description: |
    Filters the response by a group ID.
  in: query
  required: false
  type: string
group_name_query:
  description: |
    Filters the response by a group name.
  in: query
  required: false
  type: string
idp_id_query:
  description: |
    Filters the response by an identity provider ID.
  in: query
  required: false
  type: string
include_names_query:
  description: |
    If set to true, then the names of any entities returned will be include as
    well as their IDs. Any value other than ``0`` (including no value) will be
    interpreted as true.
  in: query
  required: false
  type: boolean
  min_version: 3.6
include_subtree_query:
  description: |
    If set to true, then relevant assignments in the project hierarchy below
    the project specified in the ``scope.project_id`` query parameter are also
    included in the response. Any value other than ``0`` (including no value)
    for ``include_subtree`` will be interpreted as true.
  in: query
  required: false
  type: boolean
  min_version: 3.6
interface_query:
  description: |
    Filters the response by an interface.
  in: query
  required: false
  type: string
is_domain_query:
  description: |
    If this is specified as true, then only projects acting as a domain are
    included. Otherwise, only projects that are not acting as a domain are
    included.
  in: query
  required: false
  type: boolean
  min_version: 3.6
name_user_query:
  description: |
    Filters the response by a user name.
  in: query
  required: false
  type: string
nocatalog:
  description: |
    (Since v3.1) The authentication response excludes
    the service catalog. By default, the response includes the service
    catalog.
  in: query
  required: false
  type: string
parent_id_query:
  description: |
    Filters the response by a parent ID.
  in: query
  required: false
  type: string
  min_version: 3.4
parent_region_id_query_not_required:
  description: |
    Filters the response by a parent region, by ID.
  in: query
  required: false
  type: string
parents_as_ids:
  description: |
    The entire parent hierarchy will be included as
    nested dictionaries in the response. It will contain
    all projects ids found by traversing up the hierarchy
    to the top-level project.
  in: query
  required: false
  type: key-only, no value expected
  min_version: 3.4
parents_as_list:
  description: |
    The parent hierarchy will be included as a list in the response.
    This list will contain the projects found by traversing up the
    hierarchy to the top-level project.
  in: query
  required: false
  type: key-only, no value expected
  min_version: 3.4
password_expires_at_query:
  description: |
    Filter results based on which user passwords have expired. The query should
    include an ``operator`` and a ``timestamp`` with a colon (``:``) separating
    the two, for example::

      password_expires_at={operator}:{timestamp}

    - Valid operators are: ``lt``, ``lte``, ``gt``, ``gte``, ``eq``, and ``neq``

      - lt: expiration time lower than the timestamp
      - lte: expiration time lower than or equal to the timestamp
      - gt: expiration time higher than the timestamp
      - gte: expiration time higher than or equal to the timestamp
      - eq: expiration time equal to the timestamp
      - neq: expiration time not equal to the timestamp

    - Valid timestamps are of the form: ``YYYY-MM-DDTHH:mm:ssZ``.

    For example::

      /v3/users?password_expires_at=lt:2016-12-08T22:02:00Z

    The example would return a list of users whose password expired before the
    timestamp (``2016-12-08T22:02:00Z``).

  in: query
  required: false
  type: string
policy_type_query:
  description: |
    Filters the response by a MIME media type for the
    serialized policy blob. For example, ``application/json``.
  in: query
  required: false
  type: string
project_enabled_query:
  description: |
    If set to true, then only enabled projects will be returned. Any value
    other than ``0`` (including no value) will be interpreted as true.
  in: query
  required: false
  type: boolean
project_name_query:
  description: |
    Filters the response by a project name.
  in: query
  required: false
  type: string
protocol_id_query:
  description: |
    Filters the response by a protocol ID.
  in: query
  required: false
  type: string
role_id_query:
  description: |
    Filters the response by a role ID.
  in: query
  required: false
  type: string
role_name_query:
  description: |
    Filters the response by a role name.
  in: query
  required: false
  type: string
scope_domain_id_query:
  description: |
    Filters the response by a domain ID.
  in: query
  required: false
  type: string
scope_os_inherit_inherited_to:
  description: |
    Filters based on role assignments that are inherited.
    The only value of ``inherited_to`` that is currently
    supported is ``projects``.
  in: query
  required: false
  type: string
scope_project_id_query:
  description: |
    Filters the response by a project ID.
  in: query
  required: false
  type: string
service_id_query:
  description: |
    Filters the response by a service ID.
  in: query
  required: false
  type: string
service_type_query:
  description: |
    Filters the response by a service type. A valid
    value is ``compute``, ``ec2``, ``identity``, ``image``,
    ``network``, or ``volume``.
  in: query
  required: false
  type: string
subtree_as_ids:
  description: |
    The entire child hierarchy will be included as nested dictionaries
    in the response. It will contain all the projects ids found by
    traversing down the hierarchy.
  in: query
  required: false
  type: key-only, no value expected
  min_version: 3.4
subtree_as_list:
  description: |
    The child hierarchy will be included as a list in the response.
    This list will contain the projects found by traversing down
    the hierarchy.
  in: query
  required: false
  type: key-only, no value expected
  min_version: 3.4
unique_id_query:
  description: |
    Filters the response by a unique ID.
  in: query
  required: false
  type: string
user_id_query:
  description: |
    Filters the response by a user ID.
  in: query
  required: false
  type: string

# variables in body
audit_ids:
  description: |
    A list of one or two audit IDs. An audit ID is a
    unique, randomly generated, URL-safe string that you can use to
    track a token.  The first audit ID is the current audit ID for the
    token.  The second audit ID is present for only re-scoped tokens
    and is the audit ID from the token before it was re-scoped. A re-
    scoped token is one that was exchanged for another token of the
    same or different scope.  You can use these audit IDs to track the
    use of a token or chain of tokens across multiple requests and
    endpoints without exposing the token ID to non-privileged users.
  in: body
  required: true
  type: array
auth:
  description: |
    An ``auth`` object.
  in: body
  required: true
  type: object
auth_domain:
  description: |
    Specify either ``id`` or ``name`` to uniquely
    identify the domain.
  in: body
  required: false
  type: object
auth_methods:
  description: |
    The authentication method, which is ``password``,
    ``token``, or both methods.  Indicates the accumulated set of
    authentication methods that were used to obtain the token. For
    example, if the token was obtained by password authentication, it
    contains ``password``. Later, if the token is exchanged by using
    the token authentication method one or more times, the
    subsequently created tokens contain both ``password`` and
    ``token`` in their ``methods`` attribute.  Unlike multi-factor
    authentication, the ``methods`` attribute merely indicates the
    methods that were used to authenticate the user in exchange for a
    token. The client is responsible for determining the total number
    of authentication factors.
  in: body
  required: true
  type: array
auth_methods_passwd:
  description: |
    The authentication method. For password
    authentication, specify ``password``.
  in: body
  required: true
  type: array
auth_methods_token:
  description: |
    The authentication method. For token
    authentication, specify ``token``.
  in: body
  required: true
  type: array
auth_token:
  description: |
    A ``token`` object. The token authentication
    method is used. This method is typically used in combination with
    a request to change authorization scope.
  in: body
  required: true
  type: object
auth_token_id:
  description: |
    A token ID.
  in: body
  required: true
  type: string
catalog:
  description: |
    A ``catalog`` object.
  in: body
  required: true
  type: array
credential:
  description: |
    A ``credential`` object.
  in: body
  required: true
  type: object
credential_blob:
  description: |
    The credential itself, as a serialized blob.
  in: body
  required: true
  type: string
credential_blob_not_required:
  description: |
    The credential itself, as a serialized blob.
  in: body
  required: false
  type: string
credential_id:
  description: |
    The UUID for the credential.
  in: body
  required: true
  type: string
credential_links:
  description: |
    The links for the ``credential`` resource.
  in: body
  required: true
  type: object
credential_type:
  description: |
    The credential type, such as ``ec2`` or ``cert``.
    The implementation determines the list of supported types.
  in: body
  required: true
  type: string
credential_type_not_required:
  description: |
    The credential type, such as ``ec2`` or ``cert``.
    The implementation determines the list of supported types.
  in: body
  required: false
  type: string
credential_user_id:
  description: |
    The ID of the user who owns the credential.
  in: body
  required: true
  type: string
credential_user_id_not_required:
  description: |
    The ID of the user who owns the credential.
  in: body
  required: false
  type: string
credentials:
  description: |
    A list of ``credential`` objects.
  in: body
  required: true
  type: array
credentials_links:
  description: |
    The links for the ``credentials`` resource.
  in: body
  required: true
  type: object
default_project_id_request_body:
  description: |
    The ID of the default project for the user.
    Setting this attribute does not grant any actual authorization on
    the project, and is merely provided for convenience. Therefore,
    the referenced project does not need to exist within the user
    domain.  (Since v3.1) If the user does not have authorization to
    their default project, the default project is ignored at token
    creation.  (Since v3.1) Additionally, if your default project is
    not valid, a token is issued without an explicit scope of
    authorization.
  in: body
  required: false
  type: string
default_project_id_response_body:
  description: |
    The ID of the default project for the user.
  in: body
  required: false
  type: string
default_project_id_update_body:
  description: |
    The new ID of the default project for the user.
  in: body
  required: false
  type: string
description_region_request_body:
  description: |
    The region description.
  in: body
  required: false
  type: string
description_region_response_body:
  description: |
    The region description.
  in: body
  required: true
  type: string
domain:
  description: |
    A ``domain`` object, containing:
  in: body
  required: true
  type: object
domain_config:
  description: |
    A ``config`` object.
  in: body
  required: true
  type: object
domain_description_request_body:
  description: |
    The description of the domain.
  in: body
  required: false
  type: string
domain_description_response_body:
  description: |
    The description of the domain.
  in: body
  required: true
  type: string
domain_description_update_request_body:
  description: |
    The new description of the domain.
  in: body
  required: false
  type: string
domain_driver:
  description: |
    The Identity backend driver.
  in: body
  required: true
  type: string
domain_enabled_request_body:
  description: |
    If set to ``true``, domain is created enabled. If set to
    ``false``, domain is created disabled. The default is ``true``.

    Users can only authorize against an enabled domain (and any of its
    projects). In addition, users can only authenticate if the domain that owns
    them is also enabled. Disabling a domain prevents both of these things.
  in: body
  required: false
  type: string
domain_enabled_response_body:
  description: |
    If set to ``true``, domain is enabled. If set to
    ``false``, domain is disabled.
  in: body
  required: true
  type: string
domain_enabled_update_request_body:
  description: |
    If set to ``true``, domain is enabled. If set to
    ``false``, domain is disabled. The default is ``true``.

    Users can only authorize against an enabled domain (and any of its
    projects). In addition, users can only authenticate if the domain that owns
    them is also enabled. Disabling a domain prevents both of these things.
    When you disable a domain, all tokens that are authorized for that domain
    become no longer valid. If you reenable the domain, these tokens
    are not re-enabled.
  in: body
  required: false
  type: string
domain_id_response_body:
  description: |
    The ID of the domain.
  in: body
  required: true
  type: string
domain_ldap:
  description: |
    An ``ldap`` object. Required to set the LDAP
    group configuration options.
  in: body
  required: true
  type: object
domain_link_response_body:
  description: |
    The links to the ``domain`` resource.
  in: body
  required: true
  type: object
domain_name_request_body:
  description: |
    The name of the domain.
  in: body
  required: true
  type: string
domain_name_response_body:
  description: |
    The name of the domain.
  in: body
  required: true
  type: string
domain_name_update_request_body:
  description: |
    The new name of the domain.
  in: body
  required: false
  type: string
domain_url:
  description: |
    The LDAP URL.
  in: body
  required: true
  type: string
domain_user_tree_dn:
  description: |
    The base distinguished name (DN) of LDAP, from
    where all users can be reached. For example,
    ``ou=Users,dc=root,dc=org``.
  in: body
  required: true
  type: string
domains:
  description: |
    A list of ``domain`` objects, each containing:
  in: body
  required: true
  type: array
email:
  description: |
    The email address for the user.
  in: body
  required: true
  type: string
enabled_user_request_body:
  description: |
    If the user is enabled, this value is ``true``.
    If the user is disabled, this value is ``false``.
  in: body
  required: false
  type: boolean
enabled_user_response_body:
  description: |
    If the user is enabled, this value is ``true``.
    If the user is disabled, this value is ``false``.
  in: body
  required: true
  type: boolean
enabled_user_update_body:
  description: |
    Enables or disables the user.  An enabled user
    can authenticate and receive authorization.  A disabled user
    cannot authenticate or receive authorization. Additionally, all
    tokens that the user holds become no longer valid. If you reenable
    this user, pre-existing tokens do not become valid.  To enable the
    user, set to ``true``. To disable the user, set to ``false``.
    Default is ``true``.
  in: body
  required: false
  type: boolean
endpoint:
  description: |
    An ``endpoint`` object.
  in: body
  required: true
  type: object
endpoint_enabled:
  description: |
    Indicates whether the endpoint appears in the
    service catalog:  - ``false``. The endpoint does not appear in the
    service catalog.  - ``true``. The endpoint appears in the service
    catalog.
  in: body
  required: true
  type: boolean
endpoint_enabled_not_required:
  description: |
    Defines whether the endpoint appears in the
    service catalog:  - ``false``. The endpoint does not appear in the
    service catalog.  - ``true``. The endpoint appears in the service
    catalog.  Default is ``true``.
  in: body
  required: false
  type: boolean
endpoint_id:
  description: |
    The endpoint ID.
  in: body
  required: true
  type: string
endpoint_interface:
  description: |
    The interface type, which describes the
    visibility of the endpoint.  Value is:  - ``public``. Visible by
    end users on a publicly available network   interface.  -
    ``internal``. Visible by end users on an unmetered internal
    network interface.  - ``admin``. Visible by administrative users
    on a secure network   interface.
  in: body
  required: true
  type: string
endpoint_links:
  description: |
    The links for the ``endpoint`` resource.
  in: body
  required: true
  type: object
endpoint_name:
  description: |
    The endpoint name.
  in: body
  required: true
  type: string
endpoint_region:
  description: |
    (Deprecated in v3.2) The geographic location of
    the service endpoint.
  in: body
  required: true
  type: string
endpoint_type:
  description: |
    The endpoint type.
  in: body
  required: true
  type: string
endpoint_url:
  description: |
    The endpoint URL.
  in: body
  required: true
  type: string
endpoints:
  description: |
    A list of ``endpoint`` objects.
  in: body
  required: true
  type: array
endpoints_links:
  description: |
    The links for the ``endpoints`` resource.
  in: body
  required: true
  type: object
expires_at:
  description: |
    The date and time when the token expires.

    The date and time stamp format is `ISO 8601
    <https://en.wikipedia.org/wiki/ISO_8601>`_:

    ::

       CCYY-MM-DDThh:mm:ss.sssZ

    For example, ``2015-08-27T09:49:58.000000Z``.

    A ``null`` value indicates that the token never expires.
  in: body
  required: true
  type: string
extras:
  description: |
    A set of metadata key and value pairs, if any.
  in: body
  required: true
  type: object
group:
  description: |
    A ``group`` object, containing:
  in: body
  required: true
  type: object
group_description_request_body:
  description: |
    The description of the group.
  in: body
  required: true
  type: string
group_description_response_body:
  description: |
    The description of the group.
  in: body
  required: true
  type: string
group_description_update_request_body:
  description: |
    The new description of the group.
  in: body
  required: false
  type: string
group_domain_id:
  description: |
    The ID of the domain that owns the group.  If you
    omit the domain ID, defaults to the domain to which the client
    token is scoped.
  in: body
  required: false
  type: string
group_domain_id_request_body:
  description: |
    The ID of the domain of the group.
  in: body
  required: true
  type: string
group_domain_id_response_body:
  description: |
    The ID of the domain of the group.
  in: body
  required: true
  type: string
group_domain_id_update_request_body:
  description: |
    The ID of the new domain for the group. The ability to change the domain
    of a group is now deprecated, and will be removed in subsequent release.
    It is already disabled by default in most Identity service implementations.
  in: body
  required: false
  type: string
group_id_response_body:
  description: |
    The ID of the group.
  in: body
  required: true
  type: string
group_name_request_body:
  description: |
    The name of the group.
  in: body
  required: true
  type: string
group_name_response_body:
  description: |
    The name of the group.
  in: body
  required: true
  type: string
group_name_update_request_body:
  description: |
    The new name of the group.
  in: body
  required: false
  type: string
groups:
  description: |
    A list of ``group`` objects, each containing:
  in: body
  required: true
  type: array
id_region_response_body:
  description: |
    The ID for the region.
  in: body
  required: true
  type: string
id_region_resquest_body:
  description: |
    The ID for the region.
  in: body
  required: false
  type: string
id_user_body:
  description: |
    The user ID.
  in: body
  required: true
  type: string
identity:
  description: |
    An ``identity`` object.
  in: body
  required: true
  type: object
implies_role_array_body:
  description: |
    An array of implied role objects.
  in: body
  required: true
  type: array
implies_role_object_body:
  description: |
    An implied role object.
  in: body
  required: true
  type: object
is_domain_request_body:
  description: |
    Indicates whether the project also acts as a domain. If set to ``true``,
    this project acts as both a project and domain. As a domain, the project
    provides a name space in which you can create users, groups, and other
    projects. If set to ``false``, this project behaves as a regular project
    that contains only resources. Default is ``false``. You cannot update
    this parameter after you create the project.
  in: body
  required: false
  type: boolean
  min_version: 3.6
is_domain_response_body:
  description: |
    Indicates whether the project also acts as a domain. If set to ``true``,
    this project acts as both a project and domain. As a domain, the project
    provides a name space in which you can create users, groups, and other
    projects. If set to ``false``, this project behaves as a regular project
    that contains only resources.
  in: body
  required: true
  type: boolean
  min_version: 3.6
issued_at:
  description: |
    The date and time when the token was issued.

    The date and time stamp format is `ISO 8601
    <https://en.wikipedia.org/wiki/ISO_8601>`_:

    ::

       CCYY-MM-DDThh:mm:ss.sssZ

    For example, ``2015-08-27T09:49:58.000000Z``.
  in: body
  required: true
  type: string
link_collection:
  description: |
    The link to the collection of resources.
  in: body
  required: true
  type: object
link_response_body:
  description: |
    The link to the resources in question.
  in: body
  required: true
  type: object
links_project:
  description: |
    The links for the ``project`` resource.
  in: body
  required: true
  type: object
links_region:
  description: |
    The links for the ``region`` resource.
  in: body
  required: true
  type: object
links_user:
  description: |
    The links for the ``user`` resource.
  in: body
  required: true
  type: object
original_password:
  description: |
    The original password for the user.
  in: body
  required: true
  type: string
parent_region_id_request_body:
  description: |
    To make this region a child of another region,
    set this parameter to the ID of the parent region.
  in: body
  required: false
  type: string
parent_region_id_response_body:
  description: |
    To make this region a child of another region,
    set this parameter to the ID of the parent region.
  in: body
  required: true
  type: string
password:
  description: |
    The ``password`` object, contains the authentication information.
  in: body
  required: true
  type: object
password_expires_at:
  description: |
    The date and time when the password expires. The time zone
    is UTC.

    This is a response object attribute; not valid for requests.
    A ``null`` value indicates that the password never expires.
  in: body
  required: true
  type: string
  min_version: 3.7
password_request_body:
  description: |
    The password for the user.
  in: body
  required: false
  type: string
policies:
  description: |
    A ``policies`` object.
  in: body
  required: true
  type: array
policy:
  description: |
    A ``policy`` object.
  in: body
  required: true
  type: object
policy_blob_obj:
  description: |
    The policy rule itself, as a serialized blob.
  in: body
  required: true
  type: object
policy_blob_str:
  description: |
    The policy rule set itself, as a serialized blob.
  in: body
  required: true
  type: string
policy_id:
  description: |
    The policy ID.
  in: body
  required: true
  type: string
policy_links:
  description: |
    The links for the ``policy`` resource.
  in: body
  required: true
  type: object
policy_type:
  description: |
    The MIME media type of the serialized policy
    blob.
  in: body
  required: true
  type: string
prior_role_body:
  description: |
    A prior role object.
  in: body
  required: true
  type: object
project:
  description: |
    A ``project`` object, containing:
  in: body
  required: true
  type: object
project_description_request_body:
  description: |
    The description of the project.
  in: body
  required: false
  type: string
project_description_response_body:
  description: |
    The description of the project.
  in: body
  required: true
  type: string
project_domain_id:
  description: |
    The ID of the domain for the project.  If you
    omit the domain ID, default is the domain to which your token is
    scoped.
  in: body
  required: false
  type: string
project_domain_id_request_body:
  description: |
    The ID of the domain for the project.

    For projects acting as a domain, the ``domain_id`` must not be specified,
    it will be generated by the Identity service implementation.

    For regular projects (i.e. those not acing as a domain), if ``domain_id``
    is not specified, but ``parent_id`` is specified, then the domain ID of the
    parent will be used. If neither ``domain_id`` or ``parent_id`` is
    specified, the Identity service implementation will default to the domain
    to which the client's token is scoped. If both ``domain_id`` and
    ``parent_id`` are specified, and they do not indicate the same domain, an
    ``Bad Request (400)`` will be returned.
  in: body
  required: false
  type: string
project_domain_id_response_body:
  description: |
    The ID of the domain for the project.
  in: body
  required: true
  type: string
project_domain_id_update_request_body:
  description: |
    The ID of the new domain for the project. The ability to change the domain
    of a project is now deprecated, and will be removed in subequent release.
    It is already disabled by default in most Identity service implementations.
  in: body
  required: false
  type: string
project_enabled_request_body:
  description: |
    If set to ``true``, project is enabled. If set to
    ``false``, project is disabled. The default is ``true``.
  in: body
  required: false
  type: boolean
project_enabled_response_body:
  description: |
    If set to ``true``, project is enabled. If set to
    ``false``, project is disabled.
  in: body
  required: true
  type: boolean
project_enabled_update_request_body:
  description: |
    If set to ``true``, project is enabled. If set to
    ``false``, project is disabled.
  in: body
  required: false
  type: boolean
project_id:
  description: |
    The ID for the project.
  in: body
  required: true
  type: string
project_name_request_body:
  description: |
    The name of the project, which must be unique within the
    owning domain. A project can have the same name as its domain.
  in: body
  required: true
  type: string
project_name_response_body:
  description: |
    The name of the project.
  in: body
  required: true
  type: string
project_name_update_request_body:
  description: |
    The name of the project, which must be unique within the
    owning domain. A project can have the same name as its domain.
  in: body
  required: false
  type: string
project_parent_id_request_body:
  description: |
    The ID of the parent of the project.

    If specified on project creation, this places the project within a
    hierarchy and implicitly defines the owning domain, which will be the
    same domain as the parent specified. If ``parent_id`` is
    not specified and ``is_domain`` is ``false``, then the project will use its
    owning domain as its parent. If ``is_domain`` is ``true`` (i.e. the project
    is acting as a domain), then ``parent_id`` must not specified (or if it is,
    it must be ``null``) since domains have no parents.

    ``parent_id`` is immutable, and can't be updated after the project is
    created - hence a project cannot be moved within the hierarchy.
  in: body
  required: false
  type: string
  min_version: 3.4
project_parent_id_response_body:
  description: |
    The ID of the parent for the project.
  in: body
  required: true
  type: string
  min_version: 3.4
projects:
  description: |
    A list of ``project`` objects, each containing:
  in: body
  required: true
  type: array
region_id_not_required:
  description: |
    (Since v3.2) The ID of the region that contains
    the service endpoint.
  in: body
  required: false
  type: string
region_id_required:
  description: |
    (Since v3.2) The ID of the region that contains
    the service endpoint.
  in: body
  required: true
  type: string
region_object:
  description: |
    A ``region`` object, containing the following:
  in: body
  required: true
  type: object
regions_object:
  description: |
    A list of ``region`` object, each containing the following:
  in: body
  required: true
  type: array
role:
  description: |
    A ``role`` object, containing:
  in: body
  required: true
  type: object
role_assignments:
  description: |
    A list of ``role_assignment`` objects.
  in: body
  required: true
  type: array
role_id_response_body:
  description: |
    The role ID.
  in: body
  required: true
  type: string
role_inference_array_body:
  description: |
    An array of ``role_inference`` object.
  in: body
  required: true
  type: array
role_inference_body:
  description: |
    Role inference object that contains ``prior_role`` object
    and ``implies`` object.
  in: body
  required: true
  type: object
role_name_create_body:
  description: |
    The role name.
  in: body
  required: true
  type: string
role_name_response_body:
  description: |
    The role name.
  in: body
  required: true
  type: string
role_name_update_body:
  description: |
    The new role name.
  in: body
  required: false
  type: string
roles:
  description: |
    A list of ``role`` objects, each containing:
  in: body
  required: true
  type: array
scope_string:
  description: |
    The authorization scope.  (Since v3.4) Specify
    ``unscoped`` to make an explicit unscoped token request, which
    returns an unscoped response without any authorization. This
    request behaves the same as a token request with no scope where
    the user has no default project defined.  If you do not make an
    explicit ``unscoped`` token request and your role has a default
    project, the response might return a project- scoped token. If a
    default project is not defined, a token is issued without an
    explicit scope of authorization, which is the same as asking for
    an explicit unscoped token.
  in: body
  required: false
  type: string
service:
  description: |
    A ``service`` object.
  in: body
  required: true
  type: object
service_description:
  description: |
    The service description.
  in: body
  required: true
  type: string
service_description_not_required:
  description: |
    The service description.
  in: body
  required: false
  type: string
service_enabled:
  description: |
    Defines whether the service and its endpoints
    appear in the service catalog:  - ``false``. The service and its
    endpoints do not appear in the   service catalog.  - ``true``. The
    service and its endpoints appear in the service   catalog.
  in: body
  required: true
  type: boolean
service_enabled_not_required:
  description: |
    Defines whether the service and its endpoints
    appear in the service catalog:  - ``false``. The service and its
    endpoints do not appear in the   service catalog.  - ``true``. The
    service and its endpoints appear in the service   catalog.
    Default is ``true``.
  in: body
  required: false
  type: boolean
service_id:
  description: |
    The UUID of the service to which the endpoint
    belongs.
  in: body
  required: true
  type: string
service_links:
  description: |
    The links for the ``service`` resource.
  in: body
  required: true
  type: object
service_name:
  description: |
    The service name.
  in: body
  required: true
  type: string
service_type:
  description: |
    The service type, which describes the API
    implemented by the service. Value is ``compute``, ``ec2``,
    ``identity``, ``image``, ``network``, or ``volume``.
  in: body
  required: true
  type: string
services:
  description: |
    A list of ``service`` object.
  in: body
  required: true
  type: array
signed:
  description: |
    List of expired PKI tokens, signed by the
    cryptographic message syntax (CMS).
  in: body
  required: true
  type: string
token:
  description: |
    A ``token`` object.
  in: body
  required: true
  type: object
user:
  description: |
    A ``user`` object.
  in: body
  required: true
  type: object
user_domain_id:
  description: |
    The ID of the domain for the user.
  in: body
  required: false
  type: string
user_domain_id_request_body:
  description: |
    The ID of the domain for the user.
  in: body
  required: false
  type: string
user_domain_id_update_body:
  description: |
    The ID of the new domain for the user. The ability to change the domain
    of a user is now deprecated, and will be removed in subequent release.
    It is already disabled by default in most Identity service implementations.
  in: body
  required: false
  type: string
user_id:
  description: |
    The ID of the user.  Required if you do not
    specify the user name.
  in: body
  required: false
  type: string
user_name:
  description: |
    The user name.  Required if you do not specify
    the ID of the user.  If you specify the user name, you must also
    specify the domain, by ID or name.
  in: body
  required: false
  type: string
user_name_create_request_body:
  description: |
    The user name. Must be unique within the owning domain.
  in: body
  required: true
  type: string
user_name_response_body:
  description: |
    The user name. Must be unique within the owning domain.
  in: body
  required: true
  type: string
user_name_update_body:
  description: |
    The new name for the user. Must be unique within the owning domain.
  in: body
  required: false
  type: string
user_object:
  description: |
    A ``user`` object, containing:
  in: body
  required: true
  type: object
user_password_update_body:
  description: |
    The new password for the user.
  in: body
  required: true
  type: string
user_update_password_body:
  description: |
    The new password for the user.
  in: body
  required: false
  type: string
users:
  description: |
    A ``users`` object.
  in: body
  required: true
  type: array
users_object:
  description: |
    A list of ``user`` object, each containing:
  in: body
  required: true
  type: array