openstack/keystone
Code Issues Proposed changes
28bce595bb
keystone/doc/source/getting-started/policy_mapping.rst
Colleen Murphy 67682dcd07 Expose access rules as its own API 
This change creates a /v3/users/{user_id}/access_rules endpoint to allow
users to view and delete their own access rules. Access rules are not
automatically deleted when an application credential is deleted, so they
can be re-used for other application credentials or explicitly deleted
by the user. Access rules are automatically deleted when the user is
deleted, the same way that application credentials are. Access rules
that are in use by an application credential may not be deleted.

bp whitelist-extension-for-app-creds

Change-Id: I37d243d802cd538189ccfffee6ebf0624b7785d3
2019-09-14 03:14:20 -07:00

274 lines
22 KiB
ReStructuredText
Raw Blame History

===============================
Mapping of policy target to API
===============================
The following table shows the target in the policy.json file for each API.
========================================================= ===
Target API
========================================================= ===
identity:get_region GET /v3/regions/{region_id}
identity:list_regions GET /v3/regions
identity:create_region POST /v3/regions
identity:update_region PATCH /v3/regions/{region_id}
identity:delete_region DELETE /v3/regions/{region_id}
identity:get_service GET /v3/services/{service_id}
identity:list_services GET /v3/services
identity:create_service POST /v3/services
identity:update_service PATCH /v3/services/{service__id}
identity:delete_service DELETE /v3/services/{service__id}
identity:get_endpoint GET /v3/endpoints/{endpoint_id}
identity:list_endpoints GET /v3/endpoints
identity:create_endpoint POST /v3/endpoints
identity:update_endpoint PATCH /v3/endpoints/{endpoint_id}
identity:delete_endpoint DELETE /v3/endpoints/{endpoint_id}
identity:get_registered_limit GET /v3/registered_limits/{registered_limit_id}
identity:list_registered_limits GET /v3/registered_limits
identity:create_registered_limits POST /v3/registered_limits
identity:update_registered_limit PATCH /v3/registered_limits/{registered_limit_id}
identity:delete_registered_limit DELETE /v3/registered_limits/{registered_limit_id}
identity:get_limit GET /v3/limits/{limit_id}
identity:list_limits GET /v3/limits
identity:create_limits POST /v3/limits
identity:update_limit PATCH /v3/limits/{limit_id}
identity:delete_limit DELETE /v3/limits/{limit_id}
identity:get_limit_model GET /v3/limits/model
HEAD /v3/limits/model
identity:get_domain GET /v3/domains/{domain_id}
identity:list_domains GET /v3/domains
identity:create_domain POST /v3/domains
identity:update_domain PATCH /v3/domains/{domain_id}
identity:delete_domain DELETE /v3/domains/{domain_id}
identity:get_project GET /v3/projects/{project_id}
identity:list_projects GET /v3/projects
identity:list_user_projects GET /v3/users/{user_id}/projects
identity:create_project POST /v3/projects
identity:update_project PATCH /v3/projects/{project_id}
identity:delete_project DELETE /v3/projects/{project_id}
identity:get_project_tag GET /v3/projects/{project_id}/tags/{tag_name}
HEAD /v3/projects/{project_id}/tags/{tag_name}
identity:list_project_tags GET /v3/projects/{project_id}/tags
HEAD /v3/projects/{project_id}/tags
identity:create_project_tag PUT /v3/projects/{project_id}/tags/{tag_name}
identity:update_project_tags PUT /v3/projects/{project_id}/tags
identity:delete_project_tag DELETE /v3/projects/{project_id}/tags/{tag_name}
identity:delete_project_tags DELETE /v3/projects/{project_id}/tags
identity:get_user GET /v3/users/{user_id}
identity:list_users GET /v3/users
identity:create_user POST /v3/users
identity:update_user PATCH /v3/users/{user_id}
identity:delete_user DELETE /v3/users/{user_id}
identity:get_group GET /v3/groups/{group_id}
identity:list_groups GET /v3/groups
identity:list_groups_for_user GET /v3/users/{user_id}/groups
identity:create_group POST /v3/groups
identity:update_group PATCH /v3/groups/{group_id}
identity:delete_group DELETE /v3/groups/{group_id}
identity:list_users_in_group GET /v3/groups/{group_id}/users
identity:remove_user_from_group DELETE /v3/groups/{group_id}/users/{user_id}
identity:check_user_in_group GET /v3/groups/{group_id}/users/{user_id}
identity:add_user_to_group PUT /v3/groups/{group_id}/users/{user_id}
identity:get_credential GET /v3/credentials/{credential_id}
identity:list_credentials GET /v3/credentials
identity:create_credential POST /v3/credentials
identity:update_credential PATCH /v3/credentials/{credential_id}
identity:delete_credential DELETE /v3/credentials/{credential_id}
identity:ec2_get_credential GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
identity:ec2_list_credentials GET /v3/users/{user_id}/credentials/OS-EC2
identity:ec2_create_credential POST /v3/users/{user_id}/credentials/OS-EC2
identity:ec2_delete_credential DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
identity:get_role GET /v3/roles/{role_id}
identity:list_roles GET /v3/roles
identity:create_role POST /v3/roles
identity:update_role PATCH /v3/roles/{role_id}
identity:delete_role DELETE /v3/roles/{role_id}
identity:get_domain_role GET /v3/roles/{role_id} where role.domain_id is not null
identity:list_domain_roles GET /v3/roles?domain_id where role.domain_id is not null
identity:create_domain_role POST /v3/roles where role.domain_id is not null
identity:update_domain_role PATCH /v3/roles/{role_id} where role.domain_id is not null
identity:delete_domain_role DELETE /v3/roles/{role_id} where role.domain_id is not null
identity:get_implied_role GET /v3/roles/{prior_role_id}/implies/{implied_role_id}
identity:list_implied_roles GET /v3/roles/{prior_role_id}/implies
identity:create_implied_role PUT /v3/roles/{prior_role_id}/implies/{implied_role_id}
identity:delete_implied_role DELETE /v3/roles/{prior_role_id}/implies/{implied_role_id}
identity:list_role_inference_rules GET /v3/role_inferences
identity:check_implied_role HEAD /v3/roles/{prior_role_id}/implies/{implied_role_id}
identity:check_grant GET `grant_resources`_
identity:list_grants GET `grant_collections`_
identity:create_grant PUT `grant_resources`_
identity:revoke_grant DELETE `grant_resources`_
identity:list_system_grants_for_user GET /v3/system/users/{user_id}/roles
identity:check_system_grant_for_user GET /v3/system/users/{user_id}/roles/{role_id}
identity:create_system_grant_for_user PUT /v3/system/users/{user_id}/roles/{role_id}
identity:revoke_system_grant_for_user DELETE /v3/system/users/{user_id}/roles/{role_id}
identity:list_system_grants_for_group GET /v3/system/groups/{group_id}/roles
identity:check_system_grant_for_group GET /v3/system/groups/{group_id}/roles/{role_id}
identity:create_system_grant_for_group PUT /v3/system/groups/{group_id}/roles/{role_id}
identity:revoke_system_grant_for_group DELETE /v3/system/groups/{group_id}/roles/{role_id}
identity:list_role_assignments GET /v3/role_assignments
identity:list_role_assignments_for_tree GET /v3/role_assignments?include_subtree
identity:get_policy GET /v3/policy/{policy_id}
identity:list_policies GET /v3/policy
identity:create_policy POST /v3/policy
identity:update_policy PATCH /v3/policy/{policy_id}
identity:delete_policy DELETE /v3/policy/{policy_id}
identity:check_token HEAD /v3/auth/tokens
identity:validate_token GET /v3/auth/tokens
identity:revocation_list GET /v3/auth/tokens/OS-PKI/revoked
identity:revoke_token DELETE /v3/auth/tokens
identity:create_trust POST /v3/OS-TRUST/trusts
identity:list_trusts GET /v3/OS-TRUST/trusts
identity:list_trusts_for_trustor GET /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}
identity:list_trusts_for_trustee GET /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}
identity:list_roles_for_trust GET /v3/OS-TRUST/trusts/{trust_id}/roles
identity:get_role_for_trust GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
identity:delete_trust DELETE /v3/OS-TRUST/trusts/{trust_id}
identity:get_trust GET /v3/OS-TRUST/trusts/{trust_id}
identity:create_consumer POST /v3/OS-OAUTH1/consumers
identity:get_consumer GET /v3/OS-OAUTH1/consumers/{consumer_id}
identity:list_consumers GET /v3/OS-OAUTH1/consumers
identity:delete_consumer DELETE /v3/OS-OAUTH1/consumers/{consumer_id}
identity:update_consumer PATCH /v3/OS-OAUTH1/consumers/{consumer_id}
identity:authorize_request_token PUT /v3/OS-OAUTH1/authorize/{request_token_id}
identity:list_access_token_roles GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
identity:get_access_token_role GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
identity:list_access_tokens GET /v3/users/{user_id}/OS-OAUTH1/access_tokens
identity:get_access_token GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
identity:delete_access_token DELETE /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
identity:list_projects_for_endpoint GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
identity:add_endpoint_to_project PUT /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
identity:check_endpoint_in_project GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
identity:list_endpoints_for_project GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints
identity:remove_endpoint_from_project DELETE /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
identity:create_endpoint_group POST /v3/OS-EP-FILTER/endpoint_groups
identity:list_endpoint_groups GET /v3/OS-EP-FILTER/endpoint_groups
identity:get_endpoint_group GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
identity:update_endpoint_group PATCH /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
identity:delete_endpoint_group DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
identity:list_projects_associated_with_endpoint_group GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
identity:list_endpoints_associated_with_endpoint_group GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
identity:get_endpoint_group_in_project GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
identity:list_endpoint_groups_for_project GET /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups
identity:add_endpoint_group_to_project PUT /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
identity:remove_endpoint_group_from_project DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
identity:create_identity_provider PUT /v3/OS-FEDERATION/identity_providers/{idp_id}
identity:list_identity_providers GET /v3/OS-FEDERATION/identity_providers
identity:get_identity_provider GET /v3/OS-FEDERATION/identity_providers/{idp_id}
identity:update_identity_provider PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}
identity:delete_identity_provider DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}
identity:create_protocol PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
identity:update_protocol PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
identity:get_protocol GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
identity:list_protocols GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
identity:delete_protocol DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
identity:create_mapping PUT /v3/OS-FEDERATION/mappings/{mapping_id}
identity:get_mapping GET /v3/OS-FEDERATION/mappings/{mapping_id}
identity:list_mappings GET /v3/OS-FEDERATION/mappings
identity:delete_mapping DELETE /v3/OS-FEDERATION/mappings/{mapping_id}
identity:update_mapping PATCH /v3/OS-FEDERATION/mappings/{mapping_id}
identity:create_service_provider PUT /v3/OS-FEDERATION/service_providers/{sp_id}
identity:list_service_providers GET /v3/OS-FEDERATION/service_providers
identity:get_service_provider GET /v3/OS-FEDERATION/service_providers/{sp_id}
identity:update_service_provider PATCH /v3/OS-FEDERATION/service_providers/{sp_id}
identity:delete_service_provider DELETE /v3/OS-FEDERATION/service_providers/{sp_id}
identity:get_auth_catalog GET /v3/auth/catalog
identity:get_auth_projects GET /v3/auth/projects
identity:get_auth_domains GET /v3/auth/domains
identity:get_auth_system GET /v3/auth/system
identity:list_projects_for_user GET /v3/OS-FEDERATION/projects
identity:list_domains_for_user GET /v3/OS-FEDERATION/domains
identity:list_revoke_events GET /v3/OS-REVOKE/events
identity:create_policy_association_for_endpoint PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
identity:check_policy_association_for_endpoint GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
identity:delete_policy_association_for_endpoint DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
identity:create_policy_association_for_service PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
identity:check_policy_association_for_service GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
identity:delete_policy_association_for_service DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
identity:create_policy_association_for_region_and_service PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
identity:check_policy_association_for_region_and_service GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
identity:delete_policy_association_for_region_and_service DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
identity:get_policy_for_endpoint GET /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
identity:list_endpoints_for_policy GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
identity:create_domain_config PUT /v3/domains/{domain_id}/config
identity:get_domain_config GET /v3/domains/{domain_id}/config
GET /v3/domains/{domain_id}/config/{group}
GET /v3/domains/{domain_id}/config/{group}/{option}
identity:get_security_compliance_domain_config GET /v3/domains/{domain_id}/config/security_compliance
GET /v3/domains/{domain_id}/config/security_compliance/{option}
identity:update_domain_config PATCH /v3/domains/{domain_id}/config
PATCH /v3/domains/{domain_id}/config/{group}
PATCH /v3/domains/{domain_id}/config/{group}/{option}
identity:delete_domain_config DELETE /v3/domains/{domain_id}/config
DELETE /v3/domains/{domain_id}/config/{group}
DELETE /v3/domains/{domain_id}/config/{group}/{option}
identity:get_domain_config_default GET /v3/domains/config/default
GET /v3/domains/config/{group}/default
GET /v3/domains/config/{group}/{option}/default
identity:get_application_credential GET /v3/users/{user_id}/application_credentials/{application_credential_id}
identity:list_application_credentials GET /v3/users/{user_id}/application_credentials
identity:create_application_credential POST /v3/users/{user_id}/application_credential
identity:delete_application_credential DELETE /v3/users/{user_id}/application_credential/{application_credential_id}
identity:get_access_rule GET /v3/users/{user_id}/access_rules/{access_rule_id}
identity:list_access_rules GET /v3/users/{user_id}/access_rules
identity:delete_access_rule DELETE /v3/users/{user_id}/access_rules/{access_rule_id}
========================================================= ===
.. _grant_resources:
*grant_resources* are:
- /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
- /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
- /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
- /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
- /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
- /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
- /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
- /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
.. _grant_collections:
*grant_collections* are:
- /v3/projects/{project_id}/users/{user_id}/roles
- /v3/projects/{project_id}/groups/{group_id}/roles
- /v3/domains/{domain_id}/users/{user_id}/roles
- /v3/domains/{domain_id}/groups/{group_id}/roles
- /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
- /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
View Git Blame Copy Permalink