b43b402ca9
Now use domain_id_response_body in the request parameters of creating role, but its required is true. When we create a role, the domain id is optional. This patch add role_domain_id_request_body in request parameters. Change-Id: Ib384f2b074e86691223fbc3d480fbb82a903e209
1538 lines
38 KiB
YAML
1538 lines
38 KiB
YAML
# variables in header
|
|
X-Auth-Token:
|
|
description: |
|
|
A valid authentication token for an
|
|
administrative user.
|
|
in: header
|
|
required: true
|
|
type: string
|
|
X-Subject-Token:
|
|
description: |
|
|
The authentication token. An authentication
|
|
response returns the token ID in this header rather than in the
|
|
response body.
|
|
in: header
|
|
required: true
|
|
type: string
|
|
|
|
# variables in path
|
|
credential_id_path:
|
|
description: |
|
|
The UUID for the credential.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
domain_id_path:
|
|
description: |
|
|
The domain ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
endpoint_id_path:
|
|
description: |
|
|
The endpoint ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
group_id:
|
|
description: |
|
|
The group ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
group_id_path:
|
|
description: |
|
|
The group ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
implies_role_id:
|
|
description: |
|
|
Role ID for an implied role.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
option:
|
|
description: |
|
|
The option name. For the ``ldap`` group, a valid
|
|
value is ``url`` or ``user_tree_dn``. For the ``identity`` group,
|
|
a valid value is ``driver``.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
policy_id_path:
|
|
description: |
|
|
The policy ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
prior_role_id:
|
|
description: |
|
|
Role ID for a prior role.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
project_id_path:
|
|
description: |
|
|
The project ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
region_id_path:
|
|
description: |
|
|
The region ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
role_id:
|
|
description: |
|
|
The role ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
role_id_path:
|
|
description: |
|
|
The role ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
service_id_path:
|
|
description: |
|
|
The service ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
user_id_path:
|
|
description: |
|
|
The user ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
|
|
# variables in query
|
|
allow_expired:
|
|
description: |
|
|
(Since v3.8) Allow fetching a token that has expired. By default expired
|
|
tokens return a 404 exception.
|
|
in: query
|
|
required: false
|
|
type: bool
|
|
domain_enabled_query:
|
|
description: |
|
|
If set to true, then only domains that are enabled will be returned, if set
|
|
to false only that are disabled will be returned. Any value other than
|
|
``0``, including no value, will be interpreted as true.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
domain_id_query:
|
|
description: |
|
|
Filters the response by a domain ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
domain_name_query:
|
|
description: |
|
|
Filters the response by a domain name.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
effective_query:
|
|
description: |
|
|
Returns the effective assignments, including any assignments gained by
|
|
virtue of group membership.
|
|
in: query
|
|
required: false
|
|
type: key-only (no value required)
|
|
enabled_user_query:
|
|
description: |
|
|
Filters the response by either enabled (``true``)
|
|
or disabled (``false``) users.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
group_id_query:
|
|
description: |
|
|
Filters the response by a group ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
group_name_query:
|
|
description: |
|
|
Filters the response by a group name.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
idp_id_query:
|
|
description: |
|
|
Filters the response by an identity provider ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
include_names_query:
|
|
description: |
|
|
If set to true, then the names of any entities returned will be include as
|
|
well as their IDs. Any value other than ``0`` (including no value) will be
|
|
interpreted as true.
|
|
in: query
|
|
required: false
|
|
type: boolean
|
|
min_version: 3.6
|
|
include_subtree_query:
|
|
description: |
|
|
If set to true, then relevant assignments in the project hierarchy below
|
|
the project specified in the ``scope.project_id`` query parameter are also
|
|
included in the response. Any value other than ``0`` (including no value)
|
|
for ``include_subtree`` will be interpreted as true.
|
|
in: query
|
|
required: false
|
|
type: boolean
|
|
min_version: 3.6
|
|
interface_query:
|
|
description: |
|
|
Filters the response by an interface.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
is_domain_query:
|
|
description: |
|
|
If this is specified as true, then only projects acting as a domain are
|
|
included. Otherwise, only projects that are not acting as a domain are
|
|
included.
|
|
in: query
|
|
required: false
|
|
type: boolean
|
|
min_version: 3.6
|
|
name_user_query:
|
|
description: |
|
|
Filters the response by a user name.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
nocatalog:
|
|
description: |
|
|
(Since v3.1) The authentication response excludes
|
|
the service catalog. By default, the response includes the service
|
|
catalog.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
parent_id_query:
|
|
description: |
|
|
Filters the response by a parent ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
min_version: 3.4
|
|
parent_region_id_query_not_required:
|
|
description: |
|
|
Filters the response by a parent region, by ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
parents_as_ids:
|
|
description: |
|
|
The entire parent hierarchy will be included as
|
|
nested dictionaries in the response. It will contain
|
|
all projects ids found by traversing up the hierarchy
|
|
to the top-level project.
|
|
in: query
|
|
required: false
|
|
type: key-only, no value expected
|
|
min_version: 3.4
|
|
parents_as_list:
|
|
description: |
|
|
The parent hierarchy will be included as a list in the response.
|
|
This list will contain the projects found by traversing up the
|
|
hierarchy to the top-level project. The returned list will be
|
|
filtered against the projects the user has an effective role
|
|
assignment on.
|
|
in: query
|
|
required: false
|
|
type: key-only, no value expected
|
|
min_version: 3.4
|
|
password_expires_at_query:
|
|
description: |
|
|
Filter results based on which user passwords have expired. The query should
|
|
include an ``operator`` and a ``timestamp`` with a colon (``:``) separating
|
|
the two, for example::
|
|
|
|
password_expires_at={operator}:{timestamp}
|
|
|
|
- Valid operators are: ``lt``, ``lte``, ``gt``, ``gte``, ``eq``, and ``neq``
|
|
|
|
- lt: expiration time lower than the timestamp
|
|
- lte: expiration time lower than or equal to the timestamp
|
|
- gt: expiration time higher than the timestamp
|
|
- gte: expiration time higher than or equal to the timestamp
|
|
- eq: expiration time equal to the timestamp
|
|
- neq: expiration time not equal to the timestamp
|
|
|
|
- Valid timestamps are of the form: ``YYYY-MM-DDTHH:mm:ssZ``.
|
|
|
|
For example::
|
|
|
|
/v3/users?password_expires_at=lt:2016-12-08T22:02:00Z
|
|
|
|
The example would return a list of users whose password expired before the
|
|
timestamp (``2016-12-08T22:02:00Z``).
|
|
|
|
in: query
|
|
required: false
|
|
type: string
|
|
policy_type_query:
|
|
description: |
|
|
Filters the response by a MIME media type for the
|
|
serialized policy blob. For example, ``application/json``.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
project_enabled_query:
|
|
description: |
|
|
If set to true, then only enabled projects will be returned. Any value
|
|
other than ``0`` (including no value) will be interpreted as true.
|
|
in: query
|
|
required: false
|
|
type: boolean
|
|
project_name_query:
|
|
description: |
|
|
Filters the response by a project name.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
protocol_id_query:
|
|
description: |
|
|
Filters the response by a protocol ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
role_id_query:
|
|
description: |
|
|
Filters the response by a role ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
role_name_query:
|
|
description: |
|
|
Filters the response by a role name.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
scope_domain_id_query:
|
|
description: |
|
|
Filters the response by a domain ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
scope_os_inherit_inherited_to:
|
|
description: |
|
|
Filters based on role assignments that are inherited.
|
|
The only value of ``inherited_to`` that is currently
|
|
supported is ``projects``.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
scope_project_id_query:
|
|
description: |
|
|
Filters the response by a project ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
service_id_query:
|
|
description: |
|
|
Filters the response by a service ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
service_type_query:
|
|
description: |
|
|
Filters the response by a service type. A valid
|
|
value is ``compute``, ``ec2``, ``identity``, ``image``,
|
|
``network``, or ``volume``.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
subtree_as_ids:
|
|
description: |
|
|
The entire child hierarchy will be included as nested dictionaries
|
|
in the response. It will contain all the projects ids found by
|
|
traversing down the hierarchy.
|
|
in: query
|
|
required: false
|
|
type: key-only, no value expected
|
|
min_version: 3.4
|
|
subtree_as_list:
|
|
description: |
|
|
The child hierarchy will be included as a list in the response.
|
|
This list will contain the projects found by traversing down
|
|
the hierarchy. The returned list will be filtered against the
|
|
projects the user has an effective role assignment on.
|
|
in: query
|
|
required: false
|
|
type: key-only, no value expected
|
|
min_version: 3.4
|
|
unique_id_query:
|
|
description: |
|
|
Filters the response by a unique ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
user_id_query:
|
|
description: |
|
|
Filters the response by a user ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
|
|
# variables in body
|
|
audit_ids:
|
|
description: |
|
|
A list of one or two audit IDs. An audit ID is a
|
|
unique, randomly generated, URL-safe string that you can use to
|
|
track a token. The first audit ID is the current audit ID for the
|
|
token. The second audit ID is present for only re-scoped tokens
|
|
and is the audit ID from the token before it was re-scoped. A re-
|
|
scoped token is one that was exchanged for another token of the
|
|
same or different scope. You can use these audit IDs to track the
|
|
use of a token or chain of tokens across multiple requests and
|
|
endpoints without exposing the token ID to non-privileged users.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
auth:
|
|
description: |
|
|
An ``auth`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
auth_domain:
|
|
description: |
|
|
Specify either ``id`` or ``name`` to uniquely
|
|
identify the domain.
|
|
in: body
|
|
required: false
|
|
type: object
|
|
auth_methods:
|
|
description: |
|
|
The authentication method, which is ``password``,
|
|
``token``, or both methods. Indicates the accumulated set of
|
|
authentication methods that were used to obtain the token. For
|
|
example, if the token was obtained by password authentication, it
|
|
contains ``password``. Later, if the token is exchanged by using
|
|
the token authentication method one or more times, the
|
|
subsequently created tokens contain both ``password`` and
|
|
``token`` in their ``methods`` attribute. Unlike multi-factor
|
|
authentication, the ``methods`` attribute merely indicates the
|
|
methods that were used to authenticate the user in exchange for a
|
|
token. The client is responsible for determining the total number
|
|
of authentication factors.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
auth_methods_passwd:
|
|
description: |
|
|
The authentication method. For password
|
|
authentication, specify ``password``.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
auth_methods_token:
|
|
description: |
|
|
The authentication method. For token
|
|
authentication, specify ``token``.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
auth_token:
|
|
description: |
|
|
A ``token`` object. The token authentication
|
|
method is used. This method is typically used in combination with
|
|
a request to change authorization scope.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
auth_token_id:
|
|
description: |
|
|
A token ID.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
catalog:
|
|
description: |
|
|
A ``catalog`` object.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
credential:
|
|
description: |
|
|
A ``credential`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
credential_blob:
|
|
description: |
|
|
The credential itself, as a serialized blob.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
credential_blob_not_required:
|
|
description: |
|
|
The credential itself, as a serialized blob.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
credential_id:
|
|
description: |
|
|
The UUID for the credential.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
credential_links:
|
|
description: |
|
|
The links for the ``credential`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
credential_type:
|
|
description: |
|
|
The credential type, such as ``ec2`` or ``cert``.
|
|
The implementation determines the list of supported types.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
credential_type_not_required:
|
|
description: |
|
|
The credential type, such as ``ec2`` or ``cert``.
|
|
The implementation determines the list of supported types.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
credential_user_id:
|
|
description: |
|
|
The ID of the user who owns the credential.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
credential_user_id_not_required:
|
|
description: |
|
|
The ID of the user who owns the credential.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
credentials:
|
|
description: |
|
|
A list of ``credential`` objects.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
credentials_links:
|
|
description: |
|
|
The links for the ``credentials`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
default_project_id_request_body:
|
|
description: |
|
|
The ID of the default project for the user.
|
|
Setting this attribute does not grant any actual authorization on
|
|
the project, and is merely provided for convenience. Therefore,
|
|
the referenced project does not need to exist within the user
|
|
domain. (Since v3.1) If the user does not have authorization to
|
|
their default project, the default project is ignored at token
|
|
creation. (Since v3.1) Additionally, if your default project is
|
|
not valid, a token is issued without an explicit scope of
|
|
authorization.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
default_project_id_response_body:
|
|
description: |
|
|
The ID of the default project for the user.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
default_project_id_update_body:
|
|
description: |
|
|
The new ID of the default project for the user.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
description_region_request_body:
|
|
description: |
|
|
The region description.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
description_region_response_body:
|
|
description: |
|
|
The region description.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain:
|
|
description: |
|
|
A ``domain`` object, containing:
|
|
in: body
|
|
required: true
|
|
type: object
|
|
domain_config:
|
|
description: |
|
|
A ``config`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
domain_description_request_body:
|
|
description: |
|
|
The description of the domain.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
domain_description_response_body:
|
|
description: |
|
|
The description of the domain.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain_description_update_request_body:
|
|
description: |
|
|
The new description of the domain.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
domain_driver:
|
|
description: |
|
|
The Identity backend driver.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain_enabled_request_body:
|
|
description: |
|
|
If set to ``true``, domain is created enabled. If set to
|
|
``false``, domain is created disabled. The default is ``true``.
|
|
|
|
Users can only authorize against an enabled domain (and any of its
|
|
projects). In addition, users can only authenticate if the domain that owns
|
|
them is also enabled. Disabling a domain prevents both of these things.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
domain_enabled_response_body:
|
|
description: |
|
|
If set to ``true``, domain is enabled. If set to
|
|
``false``, domain is disabled.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain_enabled_update_request_body:
|
|
description: |
|
|
If set to ``true``, domain is enabled. If set to
|
|
``false``, domain is disabled. The default is ``true``.
|
|
|
|
Users can only authorize against an enabled domain (and any of its
|
|
projects). In addition, users can only authenticate if the domain that owns
|
|
them is also enabled. Disabling a domain prevents both of these things.
|
|
When you disable a domain, all tokens that are authorized for that domain
|
|
become no longer valid. If you reenable the domain, these tokens
|
|
are not re-enabled.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
domain_id_response_body:
|
|
description: |
|
|
The ID of the domain.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain_ldap:
|
|
description: |
|
|
An ``ldap`` object. Required to set the LDAP
|
|
group configuration options.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
domain_link_response_body:
|
|
description: |
|
|
The links to the ``domain`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
domain_name_request_body:
|
|
description: |
|
|
The name of the domain.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain_name_response_body:
|
|
description: |
|
|
The name of the domain.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain_name_update_request_body:
|
|
description: |
|
|
The new name of the domain.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
domain_url:
|
|
description: |
|
|
The LDAP URL.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain_user_tree_dn:
|
|
description: |
|
|
The base distinguished name (DN) of LDAP, from
|
|
where all users can be reached. For example,
|
|
``ou=Users,dc=root,dc=org``.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domains:
|
|
description: |
|
|
A list of ``domain`` objects, each containing:
|
|
in: body
|
|
required: true
|
|
type: array
|
|
email:
|
|
description: |
|
|
The email address for the user.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
enabled_user_request_body:
|
|
description: |
|
|
If the user is enabled, this value is ``true``.
|
|
If the user is disabled, this value is ``false``.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
enabled_user_response_body:
|
|
description: |
|
|
If the user is enabled, this value is ``true``.
|
|
If the user is disabled, this value is ``false``.
|
|
in: body
|
|
required: true
|
|
type: boolean
|
|
enabled_user_update_body:
|
|
description: |
|
|
Enables or disables the user. An enabled user
|
|
can authenticate and receive authorization. A disabled user
|
|
cannot authenticate or receive authorization. Additionally, all
|
|
tokens that the user holds become no longer valid. If you reenable
|
|
this user, pre-existing tokens do not become valid. To enable the
|
|
user, set to ``true``. To disable the user, set to ``false``.
|
|
Default is ``true``.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
endpoint:
|
|
description: |
|
|
An ``endpoint`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
endpoint_enabled:
|
|
description: |
|
|
Indicates whether the endpoint appears in the
|
|
service catalog: - ``false``. The endpoint does not appear in the
|
|
service catalog. - ``true``. The endpoint appears in the service
|
|
catalog.
|
|
in: body
|
|
required: true
|
|
type: boolean
|
|
endpoint_enabled_not_required:
|
|
description: |
|
|
Defines whether the endpoint appears in the
|
|
service catalog: - ``false``. The endpoint does not appear in the
|
|
service catalog. - ``true``. The endpoint appears in the service
|
|
catalog. Default is ``true``.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
endpoint_id:
|
|
description: |
|
|
The endpoint ID.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
endpoint_interface:
|
|
description: |
|
|
The interface type, which describes the
|
|
visibility of the endpoint. Value is: - ``public``. Visible by
|
|
end users on a publicly available network interface. -
|
|
``internal``. Visible by end users on an unmetered internal
|
|
network interface. - ``admin``. Visible by administrative users
|
|
on a secure network interface.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
endpoint_links:
|
|
description: |
|
|
The links for the ``endpoint`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
endpoint_name:
|
|
description: |
|
|
The endpoint name.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
endpoint_region:
|
|
description: |
|
|
(Deprecated in v3.2) The geographic location of
|
|
the service endpoint.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
endpoint_type:
|
|
description: |
|
|
The endpoint type.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
endpoint_url:
|
|
description: |
|
|
The endpoint URL.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
endpoints:
|
|
description: |
|
|
A list of ``endpoint`` objects.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
endpoints_links:
|
|
description: |
|
|
The links for the ``endpoints`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
expires_at:
|
|
description: |
|
|
The date and time when the token expires.
|
|
|
|
The date and time stamp format is `ISO 8601
|
|
<https://en.wikipedia.org/wiki/ISO_8601>`_:
|
|
|
|
::
|
|
|
|
CCYY-MM-DDThh:mm:ss.sssZ
|
|
|
|
For example, ``2015-08-27T09:49:58.000000Z``.
|
|
|
|
A ``null`` value indicates that the token never expires.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
explicit_unscoped_string:
|
|
description: |
|
|
The authorization scope (Since v3.4). Specify
|
|
``unscoped`` to make an explicit unscoped token request, which
|
|
returns an unscoped response without any authorization. This
|
|
request behaves the same as a token request with no scope where
|
|
the user has no default project defined. If an explicit,
|
|
``unscoped`` token request is not made and the user has
|
|
authorization to their default project, then the response will
|
|
return a project-scoped token. If a default project is not defined,
|
|
a token is issued without an explicit scope of authorization,
|
|
which is the same as asking for an explicit unscoped token.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
extras:
|
|
description: |
|
|
A set of metadata key and value pairs, if any.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
group:
|
|
description: |
|
|
A ``group`` object, containing:
|
|
in: body
|
|
required: true
|
|
type: object
|
|
group_description_request_body:
|
|
description: |
|
|
The description of the group.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
group_description_response_body:
|
|
description: |
|
|
The description of the group.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
group_description_update_request_body:
|
|
description: |
|
|
The new description of the group.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
group_domain_id:
|
|
description: |
|
|
The ID of the domain that owns the group. If you
|
|
omit the domain ID, defaults to the domain to which the client
|
|
token is scoped.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
group_domain_id_request_body:
|
|
description: |
|
|
The ID of the domain of the group.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
group_domain_id_response_body:
|
|
description: |
|
|
The ID of the domain of the group.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
group_domain_id_update_request_body:
|
|
description: |
|
|
The ID of the new domain for the group. The ability to change the domain
|
|
of a group is now deprecated, and will be removed in subsequent release.
|
|
It is already disabled by default in most Identity service implementations.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
group_id_response_body:
|
|
description: |
|
|
The ID of the group.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
group_name_request_body:
|
|
description: |
|
|
The name of the group.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
group_name_response_body:
|
|
description: |
|
|
The name of the group.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
group_name_update_request_body:
|
|
description: |
|
|
The new name of the group.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
groups:
|
|
description: |
|
|
A list of ``group`` objects, each containing:
|
|
in: body
|
|
required: true
|
|
type: array
|
|
id_region_response_body:
|
|
description: |
|
|
The ID for the region.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
id_region_resquest_body:
|
|
description: |
|
|
The ID for the region.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
id_user_body:
|
|
description: |
|
|
The user ID.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
identity:
|
|
description: |
|
|
An ``identity`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
implies_role_array_body:
|
|
description: |
|
|
An array of implied role objects.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
implies_role_object_body:
|
|
description: |
|
|
An implied role object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
is_domain_request_body:
|
|
description: |
|
|
Indicates whether the project also acts as a domain. If set to ``true``,
|
|
this project acts as both a project and domain. As a domain, the project
|
|
provides a name space in which you can create users, groups, and other
|
|
projects. If set to ``false``, this project behaves as a regular project
|
|
that contains only resources. Default is ``false``. You cannot update
|
|
this parameter after you create the project.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
min_version: 3.6
|
|
is_domain_response_body:
|
|
description: |
|
|
Indicates whether the project also acts as a domain. If set to ``true``,
|
|
this project acts as both a project and domain. As a domain, the project
|
|
provides a name space in which you can create users, groups, and other
|
|
projects. If set to ``false``, this project behaves as a regular project
|
|
that contains only resources.
|
|
in: body
|
|
required: true
|
|
type: boolean
|
|
min_version: 3.6
|
|
issued_at:
|
|
description: |
|
|
The date and time when the token was issued.
|
|
|
|
The date and time stamp format is `ISO 8601
|
|
<https://en.wikipedia.org/wiki/ISO_8601>`_:
|
|
|
|
::
|
|
|
|
CCYY-MM-DDThh:mm:ss.sssZ
|
|
|
|
For example, ``2015-08-27T09:49:58.000000Z``.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
link_collection:
|
|
description: |
|
|
The link to the collection of resources.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
link_response_body:
|
|
description: |
|
|
The link to the resources in question.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
links_project:
|
|
description: |
|
|
The links for the ``project`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
links_region:
|
|
description: |
|
|
The links for the ``region`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
links_user:
|
|
description: |
|
|
The links for the ``user`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
original_password:
|
|
description: |
|
|
The original password for the user.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
parent_region_id_request_body:
|
|
description: |
|
|
To make this region a child of another region,
|
|
set this parameter to the ID of the parent region.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
parent_region_id_response_body:
|
|
description: |
|
|
To make this region a child of another region,
|
|
set this parameter to the ID of the parent region.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
password:
|
|
description: |
|
|
The ``password`` object, contains the authentication information.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
password_expires_at:
|
|
description: |
|
|
The date and time when the password expires. The time zone
|
|
is UTC.
|
|
|
|
This is a response object attribute; not valid for requests.
|
|
A ``null`` value indicates that the password never expires.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
min_version: 3.7
|
|
password_request_body:
|
|
description: |
|
|
The password for the user.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
policies:
|
|
description: |
|
|
A ``policies`` object.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
policy:
|
|
description: |
|
|
A ``policy`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
policy_blob_obj:
|
|
description: |
|
|
The policy rule itself, as a serialized blob.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
policy_blob_str:
|
|
description: |
|
|
The policy rule set itself, as a serialized blob.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
policy_id:
|
|
description: |
|
|
The policy ID.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
policy_links:
|
|
description: |
|
|
The links for the ``policy`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
policy_type:
|
|
description: |
|
|
The MIME media type of the serialized policy
|
|
blob.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
prior_role_body:
|
|
description: |
|
|
A prior role object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
project:
|
|
description: |
|
|
A ``project`` object, containing:
|
|
in: body
|
|
required: true
|
|
type: object
|
|
project_description_request_body:
|
|
description: |
|
|
The description of the project.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
project_description_response_body:
|
|
description: |
|
|
The description of the project.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
project_domain_id:
|
|
description: |
|
|
The ID of the domain for the project. If you
|
|
omit the domain ID, default is the domain to which your token is
|
|
scoped.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
project_domain_id_request_body:
|
|
description: |
|
|
The ID of the domain for the project.
|
|
|
|
For projects acting as a domain, the ``domain_id`` must not be specified,
|
|
it will be generated by the Identity service implementation.
|
|
|
|
For regular projects (i.e. those not acing as a domain), if ``domain_id``
|
|
is not specified, but ``parent_id`` is specified, then the domain ID of the
|
|
parent will be used. If neither ``domain_id`` or ``parent_id`` is
|
|
specified, the Identity service implementation will default to the domain
|
|
to which the client's token is scoped. If both ``domain_id`` and
|
|
``parent_id`` are specified, and they do not indicate the same domain, an
|
|
``Bad Request (400)`` will be returned.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
project_domain_id_response_body:
|
|
description: |
|
|
The ID of the domain for the project.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
project_domain_id_update_request_body:
|
|
description: |
|
|
The ID of the new domain for the project. The ability to change the domain
|
|
of a project is now deprecated, and will be removed in subequent release.
|
|
It is already disabled by default in most Identity service implementations.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
project_enabled_request_body:
|
|
description: |
|
|
If set to ``true``, project is enabled. If set to
|
|
``false``, project is disabled. The default is ``true``.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
project_enabled_response_body:
|
|
description: |
|
|
If set to ``true``, project is enabled. If set to
|
|
``false``, project is disabled.
|
|
in: body
|
|
required: true
|
|
type: boolean
|
|
project_enabled_update_request_body:
|
|
description: |
|
|
If set to ``true``, project is enabled. If set to
|
|
``false``, project is disabled.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
project_id:
|
|
description: |
|
|
The ID for the project.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
project_name_request_body:
|
|
description: |
|
|
The name of the project, which must be unique within the
|
|
owning domain. A project can have the same name as its domain.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
project_name_response_body:
|
|
description: |
|
|
The name of the project.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
project_name_update_request_body:
|
|
description: |
|
|
The name of the project, which must be unique within the
|
|
owning domain. A project can have the same name as its domain.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
project_parent_id_request_body:
|
|
description: |
|
|
The ID of the parent of the project.
|
|
|
|
If specified on project creation, this places the project within a
|
|
hierarchy and implicitly defines the owning domain, which will be the
|
|
same domain as the parent specified. If ``parent_id`` is
|
|
not specified and ``is_domain`` is ``false``, then the project will use its
|
|
owning domain as its parent. If ``is_domain`` is ``true`` (i.e. the project
|
|
is acting as a domain), then ``parent_id`` must not specified (or if it is,
|
|
it must be ``null``) since domains have no parents.
|
|
|
|
``parent_id`` is immutable, and can't be updated after the project is
|
|
created - hence a project cannot be moved within the hierarchy.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
min_version: 3.4
|
|
project_parent_id_response_body:
|
|
description: |
|
|
The ID of the parent for the project.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
min_version: 3.4
|
|
projects:
|
|
description: |
|
|
A list of ``project`` objects, each containing:
|
|
in: body
|
|
required: true
|
|
type: array
|
|
region_id_not_required:
|
|
description: |
|
|
(Since v3.2) The ID of the region that contains
|
|
the service endpoint.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
region_id_required:
|
|
description: |
|
|
(Since v3.2) The ID of the region that contains
|
|
the service endpoint.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
region_object:
|
|
description: |
|
|
A ``region`` object, containing the following:
|
|
in: body
|
|
required: true
|
|
type: object
|
|
regions_object:
|
|
description: |
|
|
A list of ``region`` object, each containing the following:
|
|
in: body
|
|
required: true
|
|
type: array
|
|
role:
|
|
description: |
|
|
A ``role`` object, containing:
|
|
in: body
|
|
required: true
|
|
type: object
|
|
role_assignments:
|
|
description: |
|
|
A list of ``role_assignment`` objects.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
role_domain_id_request_body:
|
|
description: |
|
|
The ID of the domain of the role.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
role_id_response_body:
|
|
description: |
|
|
The role ID.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
role_inference_array_body:
|
|
description: |
|
|
An array of ``role_inference`` object.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
role_inference_body:
|
|
description: |
|
|
Role inference object that contains ``prior_role`` object
|
|
and ``implies`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
role_name_create_body:
|
|
description: |
|
|
The role name.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
role_name_response_body:
|
|
description: |
|
|
The role name.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
role_name_update_body:
|
|
description: |
|
|
The new role name.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
roles:
|
|
description: |
|
|
A list of ``role`` objects, each containing:
|
|
in: body
|
|
required: true
|
|
type: array
|
|
scope_string:
|
|
description: |
|
|
The authorization scope, including either a project or
|
|
a domain (Since v3.4). If both a domain and a project are
|
|
specified, an HTTP 400 Bad Request will be returned, as a
|
|
token cannot be simultaneously scoped to both a project
|
|
and a domain. An ID is sufficient to uniquely identify
|
|
a project but if a project is specified by name, then
|
|
the domain of the project must also be specified in order
|
|
to uniquely identify the project by name. A domain scope may be
|
|
specified by either the domain's ID or name with
|
|
equivalent results.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
service:
|
|
description: |
|
|
A ``service`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
service_description:
|
|
description: |
|
|
The service description.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
service_description_not_required:
|
|
description: |
|
|
The service description.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
service_enabled:
|
|
description: |
|
|
Defines whether the service and its endpoints
|
|
appear in the service catalog: - ``false``. The service and its
|
|
endpoints do not appear in the service catalog. - ``true``. The
|
|
service and its endpoints appear in the service catalog.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
service_enabled_not_required:
|
|
description: |
|
|
Defines whether the service and its endpoints
|
|
appear in the service catalog: - ``false``. The service and its
|
|
endpoints do not appear in the service catalog. - ``true``. The
|
|
service and its endpoints appear in the service catalog.
|
|
Default is ``true``.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
service_id:
|
|
description: |
|
|
The UUID of the service to which the endpoint
|
|
belongs.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
service_links:
|
|
description: |
|
|
The links for the ``service`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
service_name:
|
|
description: |
|
|
The service name.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
service_type:
|
|
description: |
|
|
The service type, which describes the API
|
|
implemented by the service. Value is ``compute``, ``ec2``,
|
|
``identity``, ``image``, ``network``, or ``volume``.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
services:
|
|
description: |
|
|
A list of ``service`` object.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
signed:
|
|
description: |
|
|
List of expired PKI tokens, signed by the
|
|
cryptographic message syntax (CMS).
|
|
in: body
|
|
required: true
|
|
type: string
|
|
token:
|
|
description: |
|
|
A ``token`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
user:
|
|
description: |
|
|
A ``user`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
user_domain_id:
|
|
description: |
|
|
The ID of the domain for the user.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
user_domain_id_request_body:
|
|
description: |
|
|
The ID of the domain for the user.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
user_domain_id_update_body:
|
|
description: |
|
|
The ID of the new domain for the user. The ability to change the domain
|
|
of a user is now deprecated, and will be removed in subequent release.
|
|
It is already disabled by default in most Identity service implementations.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
user_id:
|
|
description: |
|
|
The ID of the user. Required if you do not
|
|
specify the user name.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
user_name:
|
|
description: |
|
|
The user name. Required if you do not specify
|
|
the ID of the user. If you specify the user name, you must also
|
|
specify the domain, by ID or name.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
user_name_create_request_body:
|
|
description: |
|
|
The user name. Must be unique within the owning domain.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
user_name_response_body:
|
|
description: |
|
|
The user name. Must be unique within the owning domain.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
user_name_update_body:
|
|
description: |
|
|
The new name for the user. Must be unique within the owning domain.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
user_object:
|
|
description: |
|
|
A ``user`` object, containing:
|
|
in: body
|
|
required: true
|
|
type: object
|
|
user_password_update_body:
|
|
description: |
|
|
The new password for the user.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
user_update_password_body:
|
|
description: |
|
|
The new password for the user.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
users:
|
|
description: |
|
|
A ``users`` object.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
users_object:
|
|
description: |
|
|
A list of ``user`` object, each containing:
|
|
in: body
|
|
required: true
|
|
type: array
|