# variables in header # variables in path access_token_id_path: description: | The UUID of the access token. in: path required: true type: string consumer_id_path: description: | The UUID of the consumer. in: path required: true type: string domain_id: description: | The UUID of the domain. in: path required: true type: string endpoint_group_id_path: description: | The UUID of the endpoint group. in: path required: false type: string endpoint_id_path: description: | The endpoint ID. in: path required: true type: string group_id: description: | The UUID of the group. in: path required: true type: string name: description: | The name of the group. in: path required: true type: string policy_id_path: description: | The policy ID. in: path required: true type: string project_id_path: description: | The UUID of the project. in: path required: true type: string region_id_path: description: | The region ID. in: path required: true type: string role_id_path: description: | The UUID of the role. in: path required: true type: string service_id_path: description: | The service ID. in: path required: true type: string trust_id_path: description: | The trust ID. in: path required: true type: string user_id_path: description: | The UUID of the user. in: path required: true type: string # variables in query since_query: description: | A timestamp used to limit the list of results to events that occurred on or after the specified time. (RFC 1123 format date time) in: query required: false type: string # variables in body allow_redelegation: description: | If set to `true` then a trust between a ``trustor`` and any third-party user may be issued by the ``trustee`` just like a regular trust. If set to `false`, stops further redelegation. `false` by default. in: body required: false type: boolean consumer_description: description: | The consumer description. in: body required: false type: string consumer_id: description: | The ID of the consumer. in: body required: true type: string eg_description: description: | The endpoint group description. in: body required: false type: string eg_filters: description: | Describes the filtering performed by the endpoint group. The filter used must be an ``endpoint`` property, such as ``interface``, ``service_id``, ``region_id`` and ``enabled``. Note that if using ``interface`` as a filter, the only available values are ``public``, ``internal`` and ``admin``. in: body required: true type: object eg_name: description: | User-facing name of the service. in: body required: true type: string endpoint_id: description: | The endpoint UUID. in: body required: true type: string endpoints: description: | An ``endpoints`` object. in: body required: true type: array endpoints_links: description: | The links for the ``endpoints`` resource. in: body required: true type: object id: description: | [WIP] in: body required: true type: string impersonation: description: | If set to `true`, then the user attribute of tokens generated based on the trust will represent that of the ``trustor`` rather than the ``trustee``, thus allowing the ``trustee`` to impersonate the ``trustor``. If impersonation is set to `false`, then the token’s user attribute will represent that of the ``trustee``. in: body required: true type: boolean interface: description: | The interface type, which describes the visibility of the endpoint. Value is: - ``public``. Visible by end users on a publicly available network interface. - ``internal``. Visible by end users on an unmetered internal network interface. - ``admin``. Visible by administrative users on a secure network interface. in: body required: true type: string links: description: | A links object. in: body required: true type: object name_1: description: | The role name. in: body required: true type: string name_2: description: | The name of the group. in: body required: true type: string next: description: | The ``next`` relative link for the ``endpoints`` resource. in: body required: true type: string oauth_expires_at: description: | The date and time when an oauth token expires. The date and time stamp format is `ISO 8601 `_: :: CCYY-MM-DDThh:mm:ss±hh:mm The ``±hh:mm`` value, if included, is the time zone as an offset from UTC. For example, ``2015-08-27T09:49:58-05:00``. If the Identity API does not include this attribute or its value is ``null``, the token never expires. in: body required: false type: string oauth_token: description: | The key value for the oauth token that the Identity API returns. in: body required: true type: string oauth_token_secret: description: | The secret value associated with the oauth Token. in: body required: true type: string policy: description: | A ``policy`` object. in: body required: true type: object policy_blob: description: | The policy rule itself, as a serialized blob. in: body required: true type: object policy_id: description: | The ID of the policy. in: body required: true type: string policy_links: description: | The links for the ``policy`` resource. in: body required: true type: object policy_type: description: | The MIME media type of the serialized policy blob. From the perspective of the Identity API, a policy blob can be based on any technology. In OpenStack, the ``policy.json`` blob (``type="application/json"``) is the conventional solution. However, you might want to use an alternative policy engine that uses a different policy language type. For example, ``type="application/xacml+xml"``. in: body required: true type: string previous: description: | The ``previous`` relative link for the ``endpoints`` resource. in: body required: true type: string project_id: description: | The ID of the project. in: body required: true type: string redelegated_trust_id: description: | Returned with redelegated trust provides information about the predecessor in the trust chain. in: body required: false type: string redelegation_count: description: | Specifies the maximum remaining depth of the redelegated trust chain. Each subsequent trust has this field decremented by `1` automatically. The initial ``trustor`` issuing new trust that can be redelegated, must set ``allow_redelegation`` to `true` and may set ``redelegation_count`` to an integer value less than or equal to ``max_redelegation_count`` configuration parameter in order to limit the possible length of derivated trust chains. The trust issued by the trustor using a project-scoped token (not redelegating), in which ``allow_redelegation`` is set to `true` (the new trust is redelegatable), will be populated with the value specified in the ``max_redelegation_count`` configuration parameter if ``redelegation_count`` is not set or set to `null`. If ``allow_redelegation`` is set to `false` then ``redelegation_count`` will be set to `0` in the trust. If the trust is being issued by the ``trustee`` of a redelegatable trust-scoped token (redelegation case) then ``redelegation_count`` should not be set, as it will automatically be set to the value in the redelegatable trust-scoped token decremented by `1`. Note, if the resulting value is `0`, this means that the new trust will not be redelegatable, regardless of the value of ``allow_redelegation``. in: body required: false type: integer region: description: | (Deprecated in v3.2) The geographic location of the service endpoint. in: body required: true type: string remaining_uses: description: | Specifies how many times the trust can be used to obtain a token. This value is decreased each time a token is issued through the trust. Once it reaches `0`, no further tokens will be issued through the trust. The default value is `null`, meaning there is no limit on the number of tokens issued through the trust. If redelegation is enabled it must not be set. in: body required: false type: boolean requested_project_id: description: | The ID of the requested project. in: body required: true type: string revoke_audit_chain_id: description: | Specifies a group of tokens based upon the ``audit_id`` of the first token in the chain. If a revocation event specifies the ``audit_chain_id`` any token that is part of the token chain (based upon the original token at the start of the chain) will be revoked, including the original token at the start of the chain. If an event is issued for ``audit_chain_id`` then the event cannot contain an ``audit_id``. in: body required: true type: string revoke_audit_id: description: | Specifies the unique identifier (UUID) assigned to the token itself. This will revoke a single token only. This attribute mirrors the use of the Token Revocation List (the mechanism used prior to revocation events) but does not utilize data that could convey authorization (the token id). If an event is issued for ``audit_id`` then the event cannot contain an ``audit_chain_id``. in: body required: true type: string revoke_consumer_id: description: | Revoke tokens issued to a specific OAuth consumer, as part of the OS-OAUTH1 API extension. in: body required: true type: string revoke_domain_id: description: | Revoke tokens scoped to a particular domain. in: body required: true type: string revoke_events: description: | List of recovation events. in: body required: true type: string revoke_expires_at: description: | Specifies the exact expiration time of one or more tokens to be revoked. This attribute is useful for revoking chains of tokens, such as those produced when re-scoping an existing token. When a token is issued based on initial authentication, it is given an expires_at value. When a token is used to get another token, the new token will have the same expires_at value as the original. in: body required: true type: string revoke_issued_before: description: | (string, ISO 8601 extended format date time with microseconds). Tokens issued before this time are considered revoked. This attribute can be used to determine how long the expiration event is valid. It can also be used in queries to filter events, so that only a subset that have occurred since the last request are returned. in: body required: true type: string revoke_project_id: description: | Revoke tokens scoped to a particular project. in: body required: true type: string revoke_role_id: description: | Revoke tokens issued with a specific role. in: body required: true type: string revoke_trust_id: description: | Revoke tokens issued as the result of a particular trust, as part of the OS-TRUST API extension. in: body required: true type: string revoke_user_id: description: | Revoke tokens expressing the identity of a particular user. in: body required: true type: string roles: description: | A roles object. in: body required: true type: array roles_links: description: | A roles links object. Includes ``next``, ``previous``, and ``self`` links for roles. in: body required: true type: object self: description: | The ``self`` relative link for the ``endpoints`` resource. in: body required: true type: string service_id: description: | The UUID of the service to which the endpoint belongs. in: body required: true type: string trust: description: | A trust object. in: body required: true type: object trust_expires_at: description: | Specifies the expiration time of the trust. A trust may be revoked ahead of expiration. If the value represents a time in the past, the trust is deactivated. In the redelegation case it must not exceed the value of the corresponding ``expires_at`` field of the redelegated trust or it may be omitted, then the ``expires_at`` value is copied from the redelegated trust. in: body required: false type: string trust_id: description: | The ID of the trust. in: body required: true type: string trust_links: description: | A trust links object. Includes ``next``, ``previous``, and ``self`` links for trusts. in: body required: true type: object trust_project_id: description: | Identifies the project upon which the trustor is delegating authorization. in: body required: false type: string trust_roles: description: | Specifies the subset of the trustor’s roles on the ``project_id`` to be granted to the ``trustee`` when the token is consumed. The ``trustor`` must already be granted these roles in the project referenced by the ``project_id`` attribute. If redelegation is used (when trust-scoped token is used and consumed trust has ``allow_redelegation`` set to `true`) this parameter should contain redelegated trust’s roles only. Roles are only provided when the trust is created, and are subsequently available as a separate read-only collection. Each role can be specified by either ``id`` or ``name``. in: body required: false type: list trustee_user_id: description: | Represents the user who is capable of consuming the trust. in: body required: true type: string trustor_user_id: description: | Represents the user who created the trust, and who’s authorization is being delegated. in: body required: true type: string trusts: description: | An array of trust objects. in: body required: true type: array url: description: | The endpoint URL. in: body required: true type: string