325d9eea33
This commit formally adds resources options for users to the identity API reference. Descriptions of the behavior provided by each option is left to the administrator guide, but the examples here at least show how to access and use the options implemented for users. Co-Authored-By: Lance Bragstad <lbragstad@gmail.com> Closes-Bug: #1792026 Change-Id: I5af3761e42dfe544431ae0bd4b2c032391023bcc
2023 lines
52 KiB
YAML
2023 lines
52 KiB
YAML
# variables in header
|
|
X-Auth-Token:
|
|
description: |
|
|
A valid authentication token for an
|
|
administrative user.
|
|
in: header
|
|
required: true
|
|
type: string
|
|
X-Subject-Token:
|
|
description: |
|
|
The authentication token. An authentication
|
|
response returns the token ID in this header rather than in the
|
|
response body.
|
|
in: header
|
|
required: true
|
|
type: string
|
|
|
|
# variables in path
|
|
credential_id_path:
|
|
description: |
|
|
The UUID for the credential.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
domain_id_path:
|
|
description: |
|
|
The domain ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
endpoint_id_path:
|
|
description: |
|
|
The endpoint ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
group_id:
|
|
description: |
|
|
The group ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
group_id_path:
|
|
description: |
|
|
The group ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
implies_role_id:
|
|
description: |
|
|
Role ID for an implied role.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
limit_id_path:
|
|
description: |
|
|
The limit ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
option:
|
|
description: |
|
|
The option name. For the ``ldap`` group, a valid
|
|
value is ``url`` or ``user_tree_dn``. For the ``identity`` group,
|
|
a valid value is ``driver``.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
policy_id_path:
|
|
description: |
|
|
The policy ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
prior_role_id:
|
|
description: |
|
|
Role ID for a prior role.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
project_id_path:
|
|
description: |
|
|
The project ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
project_tag_path:
|
|
description: |
|
|
A simple string associated with a project. Can be used for assigning
|
|
values to projects and filtering based on those values.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
region_id_path:
|
|
description: |
|
|
The region ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
registered_limit_id_path:
|
|
description: |
|
|
The registered limit ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
request_application_credential_id_path_required:
|
|
description: |
|
|
The ID of the application credential.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
request_application_credential_user_id_path_required:
|
|
description: |
|
|
The ID of the user who owns the application credential.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
role_id:
|
|
description: |
|
|
The role ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
role_id_path:
|
|
description: |
|
|
The role ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
service_id_path:
|
|
description: |
|
|
The service ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
user_id_path:
|
|
description: |
|
|
The user ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
|
|
# variables in query
|
|
allow_expired:
|
|
description: |
|
|
(Since v3.8) Allow fetching a token that has expired. By default expired
|
|
tokens return a 404 exception.
|
|
in: query
|
|
required: false
|
|
type: bool
|
|
domain_enabled_query:
|
|
description: |
|
|
If set to true, then only domains that are enabled will be returned, if set
|
|
to false only that are disabled will be returned. Any value other than
|
|
``0``, including no value, will be interpreted as true.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
domain_id_query:
|
|
description: |
|
|
Filters the response by a domain ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
domain_name_query:
|
|
description: |
|
|
Filters the response by a domain name.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
effective_query:
|
|
description: |
|
|
Returns the effective assignments, including any assignments gained by
|
|
virtue of group membership.
|
|
in: query
|
|
required: false
|
|
type: key-only (no value required)
|
|
enabled_user_query:
|
|
description: |
|
|
Filters the response by either enabled (``true``)
|
|
or disabled (``false``) users.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
group_id_query:
|
|
description: |
|
|
Filters the response by a group ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
group_name_query:
|
|
description: |
|
|
Filters the response by a group name.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
idp_id_query:
|
|
description: |
|
|
Filters the response by an identity provider ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
include_limits:
|
|
description: |
|
|
It should be used together with `parents_as_list` or `subtree_as_list`
|
|
filter to add the related project's limits into the response body.
|
|
in: query
|
|
required: false
|
|
type: key-only, no value expected
|
|
include_names_query:
|
|
description: |
|
|
If set to true, then the names of any entities returned will be include as
|
|
well as their IDs. Any value other than ``0`` (including no value) will be
|
|
interpreted as true.
|
|
in: query
|
|
required: false
|
|
type: boolean
|
|
min_version: 3.6
|
|
include_subtree_query:
|
|
description: |
|
|
If set to true, then relevant assignments in the project hierarchy below
|
|
the project specified in the ``scope.project_id`` query parameter are also
|
|
included in the response. Any value other than ``0`` (including no value)
|
|
for ``include_subtree`` will be interpreted as true.
|
|
in: query
|
|
required: false
|
|
type: boolean
|
|
min_version: 3.6
|
|
interface_query:
|
|
description: |
|
|
Filters the response by an interface.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
is_domain_query:
|
|
description: |
|
|
If this is specified as true, then only projects acting as a domain are
|
|
included. Otherwise, only projects that are not acting as a domain are
|
|
included.
|
|
in: query
|
|
required: false
|
|
type: boolean
|
|
min_version: 3.6
|
|
name_user_query:
|
|
description: |
|
|
Filters the response by a user name.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
nocatalog:
|
|
description: |
|
|
(Since v3.1) The authentication response excludes
|
|
the service catalog. By default, the response includes the service
|
|
catalog.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
parent_id_query:
|
|
description: |
|
|
Filters the response by a parent ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
min_version: 3.4
|
|
parent_region_id_query_not_required:
|
|
description: |
|
|
Filters the response by a parent region, by ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
parents_as_ids:
|
|
description: |
|
|
The entire parent hierarchy will be included as
|
|
nested dictionaries in the response. It will contain
|
|
all projects ids found by traversing up the hierarchy
|
|
to the top-level project.
|
|
in: query
|
|
required: false
|
|
type: key-only, no value expected
|
|
min_version: 3.4
|
|
parents_as_list:
|
|
description: |
|
|
The parent hierarchy will be included as a list in the response.
|
|
This list will contain the projects found by traversing up the
|
|
hierarchy to the top-level project. The returned list will be
|
|
filtered against the projects the user has an effective role
|
|
assignment on.
|
|
in: query
|
|
required: false
|
|
type: key-only, no value expected
|
|
min_version: 3.4
|
|
password_expires_at_query:
|
|
description: |
|
|
Filter results based on which user passwords have expired. The query should
|
|
include an ``operator`` and a ``timestamp`` with a colon (``:``) separating
|
|
the two, for example::
|
|
|
|
password_expires_at={operator}:{timestamp}
|
|
|
|
- Valid operators are: ``lt``, ``lte``, ``gt``, ``gte``, ``eq``, and ``neq``
|
|
|
|
- lt: expiration time lower than the timestamp
|
|
- lte: expiration time lower than or equal to the timestamp
|
|
- gt: expiration time higher than the timestamp
|
|
- gte: expiration time higher than or equal to the timestamp
|
|
- eq: expiration time equal to the timestamp
|
|
- neq: expiration time not equal to the timestamp
|
|
|
|
- Valid timestamps are of the form: ``YYYY-MM-DDTHH:mm:ssZ``.
|
|
|
|
For example::
|
|
|
|
/v3/users?password_expires_at=lt:2016-12-08T22:02:00Z
|
|
|
|
The example would return a list of users whose password expired before the
|
|
timestamp (``2016-12-08T22:02:00Z``).
|
|
|
|
in: query
|
|
required: false
|
|
type: string
|
|
policy_type_query:
|
|
description: |
|
|
Filters the response by a MIME media type for the
|
|
serialized policy blob. For example, ``application/json``.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
project_enabled_query:
|
|
description: |
|
|
If set to true, then only enabled projects will be returned. Any value
|
|
other than ``0`` (including no value) will be interpreted as true.
|
|
in: query
|
|
required: false
|
|
type: boolean
|
|
project_name_query:
|
|
description: |
|
|
Filters the response by a project name.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
protocol_id_query:
|
|
description: |
|
|
Filters the response by a protocol ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
region_id_query:
|
|
description: |
|
|
Filters the response by a region ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
resource_name_query:
|
|
description: |
|
|
Filters the response by a specified resource name.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
role_id_query:
|
|
description: |
|
|
Filters the response by a role ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
role_name_query:
|
|
description: |
|
|
Filters the response by a role name.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
scope_domain_id_query:
|
|
description: |
|
|
Filters the response by a domain ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
scope_os_inherit_inherited_to:
|
|
description: |
|
|
Filters based on role assignments that are inherited.
|
|
The only value of ``inherited_to`` that is currently
|
|
supported is ``projects``.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
scope_project_id_query:
|
|
description: |
|
|
Filters the response by a project ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
scope_system_query:
|
|
description: |
|
|
Filters the response by system assignments.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
service_id_query:
|
|
description: |
|
|
Filters the response by a service ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
service_type_query:
|
|
description: |
|
|
Filters the response by a service type. A valid
|
|
value is ``compute``, ``ec2``, ``identity``, ``image``,
|
|
``network``, or ``volume``.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
subtree_as_ids:
|
|
description: |
|
|
The entire child hierarchy will be included as nested dictionaries
|
|
in the response. It will contain all the projects ids found by
|
|
traversing down the hierarchy.
|
|
in: query
|
|
required: false
|
|
type: key-only, no value expected
|
|
min_version: 3.4
|
|
subtree_as_list:
|
|
description: |
|
|
The child hierarchy will be included as a list in the response.
|
|
This list will contain the projects found by traversing down
|
|
the hierarchy. The returned list will be filtered against the
|
|
projects the user has an effective role assignment on.
|
|
in: query
|
|
required: false
|
|
type: key-only, no value expected
|
|
min_version: 3.4
|
|
unique_id_query:
|
|
description: |
|
|
Filters the response by a unique ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
user_id_query:
|
|
description: |
|
|
Filters the response by a user ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
|
|
# variables in body
|
|
audit_ids:
|
|
description: |
|
|
A list of one or two audit IDs. An audit ID is a
|
|
unique, randomly generated, URL-safe string that you can use to
|
|
track a token. The first audit ID is the current audit ID for the
|
|
token. The second audit ID is present for only re-scoped tokens
|
|
and is the audit ID from the token before it was re-scoped. A re-
|
|
scoped token is one that was exchanged for another token of the
|
|
same or different scope. You can use these audit IDs to track the
|
|
use of a token or chain of tokens across multiple requests and
|
|
endpoints without exposing the token ID to non-privileged users.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
auth:
|
|
description: |
|
|
An ``auth`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
auth_application_credential_restricted_body:
|
|
description: |
|
|
Whether the application credential is permitted to be used for creating and
|
|
deleting additional application credentials and trusts.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
auth_domain:
|
|
description: |
|
|
Specify either ``id`` or ``name`` to uniquely
|
|
identify the domain.
|
|
in: body
|
|
required: false
|
|
type: object
|
|
auth_methods:
|
|
description: |
|
|
The authentication method, which is ``password``,
|
|
``token``, or both methods. Indicates the accumulated set of
|
|
authentication methods that were used to obtain the token. For
|
|
example, if the token was obtained by password authentication, it
|
|
contains ``password``. Later, if the token is exchanged by using
|
|
the token authentication method one or more times, the
|
|
subsequently created tokens contain both ``password`` and
|
|
``token`` in their ``methods`` attribute. Unlike multi-factor
|
|
authentication, the ``methods`` attribute merely indicates the
|
|
methods that were used to authenticate the user in exchange for a
|
|
token. The client is responsible for determining the total number
|
|
of authentication factors.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
auth_methods_application_credential:
|
|
description: |
|
|
The authentication method. To authenticate with an application credential,
|
|
specify ``application_credential``.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
auth_methods_passwd:
|
|
description: |
|
|
The authentication method. For password
|
|
authentication, specify ``password``.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
auth_methods_token:
|
|
description: |
|
|
The authentication method. For token
|
|
authentication, specify ``token``.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
auth_token:
|
|
description: |
|
|
A ``token`` object. The token authentication
|
|
method is used. This method is typically used in combination with
|
|
a request to change authorization scope.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
auth_token_id:
|
|
description: |
|
|
A token ID.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
catalog:
|
|
description: |
|
|
A ``catalog`` object.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
catalog_response_body_optional:
|
|
description: |
|
|
A ``catalog`` object.
|
|
in: body
|
|
required: false
|
|
type: array
|
|
credential:
|
|
description: |
|
|
A ``credential`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
credential_blob:
|
|
description: |
|
|
The credential itself, as a serialized blob.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
credential_blob_not_required:
|
|
description: |
|
|
The credential itself, as a serialized blob.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
credential_id:
|
|
description: |
|
|
The UUID for the credential.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
credential_links:
|
|
description: |
|
|
The links for the ``credential`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
credential_type:
|
|
description: |
|
|
The credential type, such as ``ec2`` or ``cert``.
|
|
The implementation determines the list of supported types.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
credential_type_not_required:
|
|
description: |
|
|
The credential type, such as ``ec2`` or ``cert``.
|
|
The implementation determines the list of supported types.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
credential_user_id:
|
|
description: |
|
|
The ID of the user who owns the credential.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
credential_user_id_not_required:
|
|
description: |
|
|
The ID of the user who owns the credential.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
credentials:
|
|
description: |
|
|
A list of ``credential`` objects.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
credentials_links:
|
|
description: |
|
|
The links for the ``credentials`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
default_limit:
|
|
description: |
|
|
The default limit for the registered limit.
|
|
in: body
|
|
required: true
|
|
type: integer
|
|
default_project_id_request_body:
|
|
description: |
|
|
The ID of the default project for the user.
|
|
A user's default project must not be a domain. Setting this
|
|
attribute does not grant any actual authorization on the project,
|
|
and is merely provided for convenience. Therefore, the referenced
|
|
project does not need to exist within the user domain. (Since v3.1)
|
|
If the user does not have authorization to their default project,
|
|
the default project is ignored at token creation. (Since v3.1)
|
|
Additionally, if your default project is not valid, a token is
|
|
issued without an explicit scope of authorization.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
default_project_id_response_body:
|
|
description: |
|
|
The ID of the default project for the user.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
default_project_id_update_body:
|
|
description: |
|
|
The new ID of the default project for the user.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
description_limit_request_body:
|
|
description: |
|
|
The limit description.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
description_limit_response_body:
|
|
description: |
|
|
The limit description.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
description_region_request_body:
|
|
description: |
|
|
The region description.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
description_region_response_body:
|
|
description: |
|
|
The region description.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
description_registered_limit_request_body:
|
|
description: |
|
|
The registered limit description.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
description_registered_limit_response_body:
|
|
description: |
|
|
The registered limit description.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain:
|
|
description: |
|
|
A ``domain`` object
|
|
in: body
|
|
required: true
|
|
type: object
|
|
domain_config:
|
|
description: |
|
|
A ``config`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
domain_description_request_body:
|
|
description: |
|
|
The description of the domain.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
domain_description_response_body:
|
|
description: |
|
|
The description of the domain.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain_description_update_request_body:
|
|
description: |
|
|
The new description of the domain.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
domain_driver:
|
|
description: |
|
|
The Identity backend driver.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain_enabled_request_body:
|
|
description: |
|
|
If set to ``true``, domain is created enabled. If set to
|
|
``false``, domain is created disabled. The default is ``true``.
|
|
|
|
Users can only authorize against an enabled domain (and any of its
|
|
projects). In addition, users can only authenticate if the domain that owns
|
|
them is also enabled. Disabling a domain prevents both of these things.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
domain_enabled_response_body:
|
|
description: |
|
|
If set to ``true``, domain is enabled. If set to
|
|
``false``, domain is disabled.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain_enabled_update_request_body:
|
|
description: |
|
|
If set to ``true``, domain is enabled. If set to
|
|
``false``, domain is disabled. The default is ``true``.
|
|
|
|
Users can only authorize against an enabled domain (and any of its
|
|
projects). In addition, users can only authenticate if the domain that owns
|
|
them is also enabled. Disabling a domain prevents both of these things.
|
|
When you disable a domain, all tokens that are authorized for that domain
|
|
become no longer valid. If you reenable the domain, these tokens
|
|
are not re-enabled.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
domain_id_response_body:
|
|
description: |
|
|
The ID of the domain.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain_ldap:
|
|
description: |
|
|
An ``ldap`` object. Required to set the LDAP
|
|
group configuration options.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
domain_link_response_body:
|
|
description: |
|
|
The links to the ``domain`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
domain_name_request_body:
|
|
description: |
|
|
The name of the domain.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain_name_response_body:
|
|
description: |
|
|
The name of the domain.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain_name_update_request_body:
|
|
description: |
|
|
The new name of the domain.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
domain_scope_response_body_optional:
|
|
description: |
|
|
A ``domain`` object including the ``id`` and ``name`` representing the
|
|
domain the token is scoped to. This is only included in tokens that are
|
|
scoped to a domain.
|
|
in: body
|
|
required: false
|
|
type: object
|
|
domain_url:
|
|
description: |
|
|
The LDAP URL.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain_user_tree_dn:
|
|
description: |
|
|
The base distinguished name (DN) of LDAP, from
|
|
where all users can be reached. For example,
|
|
``ou=Users,dc=root,dc=org``.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domains:
|
|
description: |
|
|
A list of ``domain`` objects
|
|
in: body
|
|
required: true
|
|
type: array
|
|
email:
|
|
description: |
|
|
The email address for the user.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
enabled_user_request_body:
|
|
description: |
|
|
If the user is enabled, this value is ``true``.
|
|
If the user is disabled, this value is ``false``.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
enabled_user_response_body:
|
|
description: |
|
|
If the user is enabled, this value is ``true``.
|
|
If the user is disabled, this value is ``false``.
|
|
in: body
|
|
required: true
|
|
type: boolean
|
|
enabled_user_update_body:
|
|
description: |
|
|
Enables or disables the user. An enabled user
|
|
can authenticate and receive authorization. A disabled user
|
|
cannot authenticate or receive authorization. Additionally, all
|
|
tokens that the user holds become no longer valid. If you reenable
|
|
this user, pre-existing tokens do not become valid. To enable the
|
|
user, set to ``true``. To disable the user, set to ``false``.
|
|
Default is ``true``.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
endpoint:
|
|
description: |
|
|
An ``endpoint`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
endpoint_enabled:
|
|
description: |
|
|
Indicates whether the endpoint appears in the
|
|
service catalog: - ``false``. The endpoint does not appear in the
|
|
service catalog. - ``true``. The endpoint appears in the service
|
|
catalog.
|
|
in: body
|
|
required: true
|
|
type: boolean
|
|
endpoint_enabled_not_required:
|
|
description: |
|
|
Defines whether the endpoint appears in the
|
|
service catalog: - ``false``. The endpoint does not appear in the
|
|
service catalog. - ``true``. The endpoint appears in the service
|
|
catalog. Default is ``true``.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
endpoint_id:
|
|
description: |
|
|
The endpoint ID.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
endpoint_interface:
|
|
description: |
|
|
The interface type, which describes the
|
|
visibility of the endpoint. Value is: - ``public``. Visible by
|
|
end users on a publicly available network interface. -
|
|
``internal``. Visible by end users on an unmetered internal
|
|
network interface. - ``admin``. Visible by administrative users
|
|
on a secure network interface.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
endpoint_links:
|
|
description: |
|
|
The links for the ``endpoint`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
endpoint_name:
|
|
description: |
|
|
The endpoint name.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
endpoint_region:
|
|
description: |
|
|
(Deprecated in v3.2) The geographic location of
|
|
the service endpoint.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
endpoint_type:
|
|
description: |
|
|
The endpoint type.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
endpoint_url:
|
|
description: |
|
|
The endpoint URL.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
endpoints:
|
|
description: |
|
|
A list of ``endpoint`` objects.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
endpoints_links:
|
|
description: |
|
|
The links for the ``endpoints`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
expires_at:
|
|
description: |
|
|
The date and time when the token expires.
|
|
|
|
The date and time stamp format is `ISO 8601
|
|
<https://en.wikipedia.org/wiki/ISO_8601>`_:
|
|
|
|
::
|
|
|
|
CCYY-MM-DDThh:mm:ss.sssZ
|
|
|
|
For example, ``2015-08-27T09:49:58.000000Z``.
|
|
|
|
A ``null`` value indicates that the token never expires.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
explicit_unscoped_string:
|
|
description: |
|
|
The authorization scope (Since v3.4). Specify
|
|
``unscoped`` to make an explicit unscoped token request, which
|
|
returns an unscoped response without any authorization. This
|
|
request behaves the same as a token request with no scope where
|
|
the user has no default project defined. If an explicit,
|
|
``unscoped`` token request is not made and the user has
|
|
authorization to their default project, then the response will
|
|
return a project-scoped token. If a default project is not defined,
|
|
a token is issued without an explicit scope of authorization,
|
|
which is the same as asking for an explicit unscoped token.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
extra_request_body:
|
|
description: |
|
|
The extra attributes of a resource.
|
|
The actual name ``extra`` is not the key name in the request body,
|
|
but rather a collection of any attributes that a resource may contain
|
|
that are not part of the resource's default attributes.
|
|
Generally these are custom fields that are added to a resource in keystone
|
|
by operators for their own specific uses,
|
|
such as ``email`` and ``description`` for users.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
group:
|
|
description: |
|
|
A ``group`` object
|
|
in: body
|
|
required: true
|
|
type: object
|
|
group_description_request_body:
|
|
description: |
|
|
The description of the group.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
group_description_response_body:
|
|
description: |
|
|
The description of the group.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
group_description_update_request_body:
|
|
description: |
|
|
The new description of the group.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
group_domain_id:
|
|
description: |
|
|
The ID of the domain that owns the group. If you
|
|
omit the domain ID, defaults to the domain to which the client
|
|
token is scoped.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
group_domain_id_request_body:
|
|
description: |
|
|
The ID of the domain of the group. If the domain ID is not
|
|
provided in the request, the Identity service will attempt to
|
|
pull the domain ID from the token used in the request. Note that
|
|
this requires the use of a domain-scoped token.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
group_domain_id_response_body:
|
|
description: |
|
|
The ID of the domain of the group.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
group_domain_id_update_request_body:
|
|
description: |
|
|
The ID of the new domain for the group. The ability to change the domain
|
|
of a group is now deprecated, and will be removed in subsequent release.
|
|
It is already disabled by default in most Identity service implementations.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
group_id_response_body:
|
|
description: |
|
|
The ID of the group.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
group_name_request_body:
|
|
description: |
|
|
The name of the group.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
group_name_response_body:
|
|
description: |
|
|
The name of the group.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
group_name_update_request_body:
|
|
description: |
|
|
The new name of the group.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
groups:
|
|
description: |
|
|
A list of ``group`` objects
|
|
in: body
|
|
required: true
|
|
type: array
|
|
id_region_response_body:
|
|
description: |
|
|
The ID for the region.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
id_region_resquest_body:
|
|
description: |
|
|
The ID for the region.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
id_user_body:
|
|
description: |
|
|
The user ID.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
identity:
|
|
description: |
|
|
An ``identity`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
implies_role_array_body:
|
|
description: |
|
|
An array of implied role objects.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
implies_role_object_body:
|
|
description: |
|
|
An implied role object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
is_domain_request_body:
|
|
description: |
|
|
Indicates whether the project also acts as a domain. If set to ``true``,
|
|
this project acts as both a project and domain. As a domain, the project
|
|
provides a name space in which you can create users, groups, and other
|
|
projects. If set to ``false``, this project behaves as a regular project
|
|
that contains only resources. Default is ``false``. You cannot update
|
|
this parameter after you create the project.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
min_version: 3.6
|
|
is_domain_response_body:
|
|
description: |
|
|
Indicates whether the project also acts as a domain. If set to ``true``,
|
|
this project acts as both a project and domain. As a domain, the project
|
|
provides a name space in which you can create users, groups, and other
|
|
projects. If set to ``false``, this project behaves as a regular project
|
|
that contains only resources.
|
|
in: body
|
|
required: true
|
|
type: boolean
|
|
min_version: 3.6
|
|
issued_at:
|
|
description: |
|
|
The date and time when the token was issued.
|
|
|
|
The date and time stamp format is `ISO 8601
|
|
<https://en.wikipedia.org/wiki/ISO_8601>`_:
|
|
|
|
::
|
|
|
|
CCYY-MM-DDThh:mm:ss.sssZ
|
|
|
|
For example, ``2015-08-27T09:49:58.000000Z``.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
limit:
|
|
description: |
|
|
A ``limit`` object
|
|
in: body
|
|
required: true
|
|
type: array
|
|
limit_id:
|
|
description: |
|
|
The limit ID.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
limit_model_description_required_response_body:
|
|
description: A short description of the enforcement model used
|
|
in: body
|
|
required: true
|
|
type: string
|
|
limit_model_name_required_response_body:
|
|
description: The name of the enforcement model
|
|
in: body
|
|
required: true
|
|
type: string
|
|
limit_model_required_response_body:
|
|
description: A model object describing the configured enforcement model used
|
|
by the deployment.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
limits:
|
|
description: |
|
|
A list of ``limits`` objects
|
|
in: body
|
|
required: true
|
|
type: array
|
|
link_collection:
|
|
description: |
|
|
The link to the collection of resources.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
link_response_body:
|
|
description: |
|
|
The link to the resources in question.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
links_project:
|
|
description: |
|
|
The links for the ``project`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
links_region:
|
|
description: |
|
|
The links for the ``region`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
links_user:
|
|
description: |
|
|
The links for the ``user`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
original_password:
|
|
description: |
|
|
The original password for the user.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
parent_region_id_request_body:
|
|
description: |
|
|
To make this region a child of another region,
|
|
set this parameter to the ID of the parent region.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
parent_region_id_response_body:
|
|
description: |
|
|
To make this region a child of another region,
|
|
set this parameter to the ID of the parent region.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
password:
|
|
description: |
|
|
The ``password`` object, contains the authentication information.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
password_expires_at:
|
|
description: |
|
|
The date and time when the password expires. The time zone
|
|
is UTC.
|
|
|
|
This is a response object attribute; not valid for requests.
|
|
A ``null`` value indicates that the password never expires.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
min_version: 3.7
|
|
password_request_body:
|
|
description: |
|
|
The password for the user.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
policies:
|
|
description: |
|
|
A ``policies`` object.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
policy:
|
|
description: |
|
|
A ``policy`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
policy_blob_obj:
|
|
description: |
|
|
The policy rule itself, as a serialized blob.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
policy_blob_str:
|
|
description: |
|
|
The policy rule set itself, as a serialized blob.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
policy_id:
|
|
description: |
|
|
The policy ID.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
policy_links:
|
|
description: |
|
|
The links for the ``policy`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
policy_type:
|
|
description: |
|
|
The MIME media type of the serialized policy
|
|
blob.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
prior_role_body:
|
|
description: |
|
|
A prior role object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
project:
|
|
description: |
|
|
A ``project`` object
|
|
in: body
|
|
required: true
|
|
type: object
|
|
project_description_request_body:
|
|
description: |
|
|
The description of the project.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
project_description_response_body:
|
|
description: |
|
|
The description of the project.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
project_domain_id:
|
|
description: |
|
|
The ID of the domain for the project. If you
|
|
omit the domain ID, default is the domain to which your token is
|
|
scoped.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
project_domain_id_request_body:
|
|
description: |
|
|
The ID of the domain for the project.
|
|
|
|
For projects acting as a domain, the ``domain_id`` must not be specified,
|
|
it will be generated by the Identity service implementation.
|
|
|
|
For regular projects (i.e. those not acing as a domain), if ``domain_id``
|
|
is not specified, but ``parent_id`` is specified, then the domain ID of the
|
|
parent will be used. If neither ``domain_id`` or ``parent_id`` is
|
|
specified, the Identity service implementation will default to the domain
|
|
to which the client's token is scoped. If both ``domain_id`` and
|
|
``parent_id`` are specified, and they do not indicate the same domain, an
|
|
``Bad Request (400)`` will be returned.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
project_domain_id_response_body:
|
|
description: |
|
|
The ID of the domain for the project.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
project_domain_id_update_request_body:
|
|
description: |
|
|
The ID of the new domain for the project. The ability to change the domain
|
|
of a project is now deprecated, and will be removed in subequent release.
|
|
It is already disabled by default in most Identity service implementations.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
project_enabled_request_body:
|
|
description: |
|
|
If set to ``true``, project is enabled. If set to
|
|
``false``, project is disabled. The default is ``true``.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
project_enabled_response_body:
|
|
description: |
|
|
If set to ``true``, project is enabled. If set to
|
|
``false``, project is disabled.
|
|
in: body
|
|
required: true
|
|
type: boolean
|
|
project_enabled_update_request_body:
|
|
description: |
|
|
If set to ``true``, project is enabled. If set to
|
|
``false``, project is disabled.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
project_id:
|
|
description: |
|
|
The ID for the project.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
project_name_request_body:
|
|
description: |
|
|
The name of the project, which must be unique within the
|
|
owning domain. A project can have the same name as its domain.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
project_name_response_body:
|
|
description: |
|
|
The name of the project.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
project_name_update_request_body:
|
|
description: |
|
|
The name of the project, which must be unique within the
|
|
owning domain. A project can have the same name as its domain.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
project_parent_id_request_body:
|
|
description: |
|
|
The ID of the parent of the project.
|
|
|
|
If specified on project creation, this places the project within a
|
|
hierarchy and implicitly defines the owning domain, which will be the
|
|
same domain as the parent specified. If ``parent_id`` is
|
|
not specified and ``is_domain`` is ``false``, then the project will use its
|
|
owning domain as its parent. If ``is_domain`` is ``true`` (i.e. the project
|
|
is acting as a domain), then ``parent_id`` must not specified (or if it is,
|
|
it must be ``null``) since domains have no parents.
|
|
|
|
``parent_id`` is immutable, and can't be updated after the project is
|
|
created - hence a project cannot be moved within the hierarchy.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
min_version: 3.4
|
|
project_parent_id_response_body:
|
|
description: |
|
|
The ID of the parent for the project.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
min_version: 3.4
|
|
project_scope_response_body_optional:
|
|
description: |
|
|
A ``project`` object including the ``id``, ``name`` and ``domain`` object
|
|
representing the project the token is scoped to. This is only included in
|
|
tokens that are scoped to a project.
|
|
in: body
|
|
required: false
|
|
type: object
|
|
project_tags_request_body:
|
|
description: |
|
|
A list of simple strings assigned to a project.
|
|
Tags can be used to classify projects into groups.
|
|
in: body
|
|
required: false
|
|
type: array
|
|
projects:
|
|
description: |
|
|
A list of ``project`` objects
|
|
in: body
|
|
required: true
|
|
type: array
|
|
region_id_not_required:
|
|
description: |
|
|
(Since v3.2) The ID of the region that contains
|
|
the service endpoint.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
region_id_request_body:
|
|
description: |
|
|
The ID of the region that contains the service endpoint.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
region_id_required:
|
|
description: |
|
|
(Since v3.2) The ID of the region that contains
|
|
the service endpoint.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
region_id_response_body:
|
|
description: |
|
|
The ID of the region that contains the service endpoint.
|
|
The value can be None.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
region_object:
|
|
description: |
|
|
A ``region`` object
|
|
in: body
|
|
required: true
|
|
type: object
|
|
regions_object:
|
|
description: |
|
|
A list of ``region`` object
|
|
in: body
|
|
required: true
|
|
type: array
|
|
registered_limit:
|
|
description: |
|
|
A ``registered_limit`` objects
|
|
in: body
|
|
required: true
|
|
type: array
|
|
registered_limit_id:
|
|
description: |
|
|
The registered limit ID.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
registered_limits:
|
|
description: |
|
|
A list of ``registered_limits`` objects
|
|
in: body
|
|
required: true
|
|
type: array
|
|
request_application_credential_auth_id_body_not_required:
|
|
description: |
|
|
The ID of the application credential used for authentication. If not
|
|
provided, the application credential must be identified by its name and
|
|
its owning user.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
request_application_credential_auth_name_body_not_required:
|
|
description: |
|
|
The name of the application credential used for authentication. If
|
|
provided, must be accompanied by a user object.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
request_application_credential_auth_secret_body_required:
|
|
description: |
|
|
The secret for authenticating the application credential.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
request_application_credential_body_required:
|
|
description: |
|
|
An application credential object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
request_application_credential_description_body_not_required:
|
|
description: |
|
|
A description of the application credential's purpose.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
request_application_credential_expires_at_body_not_required:
|
|
description: |
|
|
An optional expiry time for the application credential. If unset, the
|
|
application credential does not expire.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
request_application_credential_name_body_required:
|
|
description: |
|
|
The name of the application credential. Must be unique to a user.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
request_application_credential_roles_body_not_required:
|
|
description: |
|
|
An optional list of role objects, identified by ID or name. The list
|
|
may only contain roles that the user has assigned on the project.
|
|
If not provided, the roles assigned to the application credential will
|
|
be the same as the roles in the current token.
|
|
in: body
|
|
required: false
|
|
type: array
|
|
request_application_credential_secret_body_not_required:
|
|
description: |
|
|
The secret that the application credential will be created with. If not
|
|
provided, one will be generated.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
request_application_credential_unrestricted_body_not_required:
|
|
description: |
|
|
An optional flag to restrict whether the application credential may be
|
|
used for the creation or destruction of other application credentials or
|
|
trusts. Defaults to false.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
request_application_credential_user_body_not_required:
|
|
description: |
|
|
A ``user`` object, required if an application credential is identified by
|
|
name and not ID.
|
|
in: body
|
|
required: false
|
|
type: object
|
|
request_default_limit_body_not_required:
|
|
description: |
|
|
The default limit for the registered limit.
|
|
in: body
|
|
required: false
|
|
type: integer
|
|
request_region_id_registered_limit_body_not_required:
|
|
description: |
|
|
The ID of the region that contains the service endpoint.
|
|
Either service_id, resource_name, or region_id must be
|
|
different than existing value otherwise it will raise 409.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
request_resource_limit_body_not_required:
|
|
description: |
|
|
The override limit.
|
|
in: body
|
|
required: false
|
|
type: integer
|
|
request_resource_name_body_not_required:
|
|
description: |
|
|
The resource name. Either service_id, resource_name or
|
|
region_id must be different than existing value otherwise
|
|
it will raise 409.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
request_service_id_registered_limit_body_not_required:
|
|
description: |
|
|
The UUID of the service to update to which the registered
|
|
limit belongs. Either service_id, resource_name, or region_id
|
|
must be different than existing value otherwise it will
|
|
raise 409.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
resource_limit:
|
|
description: |
|
|
The override limit.
|
|
in: body
|
|
required: true
|
|
type: integer
|
|
resource_name:
|
|
description: |
|
|
The resource name.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
response_application_credential_body:
|
|
description: |
|
|
The application credential object.
|
|
in: body
|
|
type: object
|
|
required: true
|
|
response_application_credential_description_body:
|
|
description: |
|
|
A description of the application credential's purpose.
|
|
in: body
|
|
type: string
|
|
required: true
|
|
response_application_credential_expires_at_body:
|
|
description: |
|
|
The expiration time of the application credential, if one was specified.
|
|
in: body
|
|
type: string
|
|
required: true
|
|
response_application_credential_id_body:
|
|
description: |
|
|
The ID of the application credential.
|
|
in: body
|
|
type: string
|
|
required: true
|
|
response_application_credential_name_body:
|
|
description: |
|
|
The name of the application credential.
|
|
in: body
|
|
type: string
|
|
required: true
|
|
response_application_credential_project_id_body:
|
|
description: |
|
|
The ID of the project the application credential was created for and that
|
|
authentication requests using this application credential will be scoped
|
|
to.
|
|
in: body
|
|
type: string
|
|
required: true
|
|
response_application_credential_roles_body:
|
|
description: |
|
|
A list of one or more roles that this application credential has
|
|
associated with its project. A token using this application credential
|
|
will have these same roles.
|
|
in: body
|
|
type: array
|
|
required: true
|
|
response_application_credential_secret_body:
|
|
description: |
|
|
The secret for the application credential, either generated by the server
|
|
or provided by the user. This is only ever shown once in the response to a
|
|
create request. It is not stored nor ever shown again. If the secret is
|
|
lost, a new application credential must be created.
|
|
in: body
|
|
type: string
|
|
required: true
|
|
response_application_credential_unrestricted_body:
|
|
description: |
|
|
A flag indicating whether the application credential may be used for
|
|
creation or destruction of other application credentials or trusts.
|
|
in: body
|
|
type: boolean
|
|
required: true
|
|
response_body_project_tags_required:
|
|
description: |
|
|
A list of simple strings assigned to a project.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
response_body_system_required:
|
|
description: |
|
|
A list of systems to access based on role assignments.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
role:
|
|
description: |
|
|
A ``role`` object
|
|
in: body
|
|
required: true
|
|
type: object
|
|
role_assignments:
|
|
description: |
|
|
A list of ``role_assignment`` objects.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
role_description_create_body:
|
|
description: |
|
|
Add description about the role.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
role_description_response_body:
|
|
description: |
|
|
The role description.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
role_description_update_body:
|
|
description: |
|
|
The new role description.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
role_domain_id_request_body:
|
|
description: |
|
|
The ID of the domain of the role.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
role_id_response_body:
|
|
description: |
|
|
The role ID.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
role_inference_array_body:
|
|
description: |
|
|
An array of ``role_inference`` object.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
role_inference_body:
|
|
description: |
|
|
Role inference object that contains ``prior_role`` object
|
|
and ``implies`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
role_name_create_body:
|
|
description: |
|
|
The role name.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
role_name_response_body:
|
|
description: |
|
|
The role name.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
role_name_update_body:
|
|
description: |
|
|
The new role name.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
roles:
|
|
description: |
|
|
A list of ``role`` objects
|
|
in: body
|
|
required: true
|
|
type: array
|
|
scope_string:
|
|
description: |
|
|
The authorization scope, including the system (Since v3.10), a project, or
|
|
a domain (Since v3.4). If multiple scopes are specified in the same request
|
|
(e.g. ``project`` and ``domain`` or ``domain`` and ``system``) an HTTP
|
|
``400 Bad Request`` will be returned, as a token cannot be simultaneously
|
|
scoped to multiple authorization targets. An ID is sufficient to uniquely
|
|
identify a project but if a project is specified by name, then the domain
|
|
of the project must also be specified in order to uniquely identify the
|
|
project by name. A domain scope may be specified by either the domain's ID
|
|
or name with equivalent results.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
service:
|
|
description: |
|
|
A ``service`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
service_description:
|
|
description: |
|
|
The service description.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
service_description_not_required:
|
|
description: |
|
|
The service description.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
service_enabled:
|
|
description: |
|
|
Defines whether the service and its endpoints
|
|
appear in the service catalog: - ``false``. The service and its
|
|
endpoints do not appear in the service catalog. - ``true``. The
|
|
service and its endpoints appear in the service catalog.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
service_enabled_not_required:
|
|
description: |
|
|
Defines whether the service and its endpoints
|
|
appear in the service catalog: - ``false``. The service and its
|
|
endpoints do not appear in the service catalog. - ``true``. The
|
|
service and its endpoints appear in the service catalog.
|
|
Default is ``true``.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
service_id:
|
|
description: |
|
|
The UUID of the service to which the endpoint
|
|
belongs.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
service_id_limit:
|
|
description: |
|
|
The UUID of the service to which the limit belongs.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
service_id_registered_limit:
|
|
description: |
|
|
The UUID of the service to which the registered limit
|
|
belongs.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
service_links:
|
|
description: |
|
|
The links for the ``service`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
service_name:
|
|
description: |
|
|
The service name.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
service_type:
|
|
description: |
|
|
The service type, which describes the API
|
|
implemented by the service. Value is ``compute``, ``ec2``,
|
|
``identity``, ``image``, ``network``, or ``volume``.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
services:
|
|
description: |
|
|
A list of ``service`` object.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
signed:
|
|
description: |
|
|
List of expired PKI tokens, signed by the
|
|
cryptographic message syntax (CMS).
|
|
in: body
|
|
required: true
|
|
type: string
|
|
system:
|
|
description: |
|
|
A ``system`` object.
|
|
in: body
|
|
required: false
|
|
type: object
|
|
system_roles_response_body:
|
|
description: |
|
|
A list of ``role`` objects containing ``domain_id``, ``id``, ``links``,
|
|
and ``name`` attributes.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
system_scope_response_body_optional:
|
|
description: |
|
|
A ``system`` object containing information about which parts of the system
|
|
the token is scoped to. If the token is scoped to the entire deployment
|
|
system, the ``system`` object will consist of ``{"all": true}``. This is
|
|
only included in tokens that are scoped to the system.
|
|
in: body
|
|
required: false
|
|
type: object
|
|
system_scope_string:
|
|
description: |
|
|
Authorization scope specific to the deployment system (Since v3.10).
|
|
Specifying a project or domain scope in addition to system scope results
|
|
in an HTTP ``400 Bad Request``.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
token:
|
|
description: |
|
|
A ``token`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
user:
|
|
description: |
|
|
A ``user`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
user_domain_id:
|
|
description: |
|
|
The ID of the domain for the user.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
user_domain_id_request_body:
|
|
description: |
|
|
The ID of the domain of the user. If the domain ID is not
|
|
provided in the request, the Identity service will attempt to
|
|
pull the domain ID from the token used in the request. Note that
|
|
this requires the use of a domain-scoped token.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
user_domain_id_update_body:
|
|
description: |
|
|
The ID of the new domain for the user. The ability to change the domain
|
|
of a user is now deprecated, and will be removed in subequent release.
|
|
It is already disabled by default in most Identity service implementations.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
user_id:
|
|
description: |
|
|
The ID of the user. Required if you do not
|
|
specify the user name.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
user_name:
|
|
description: |
|
|
The user name. Required if you do not specify
|
|
the ID of the user. If you specify the user name, you must also
|
|
specify the domain, by ID or name.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
user_name_create_request_body:
|
|
description: |
|
|
The user name. Must be unique within the owning domain.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
user_name_response_body:
|
|
description: |
|
|
The user name. Must be unique within the owning domain.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
user_name_update_body:
|
|
description: |
|
|
The new name for the user. Must be unique within the owning domain.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
user_object:
|
|
description: |
|
|
A ``user`` object
|
|
in: body
|
|
required: true
|
|
type: object
|
|
user_options_request_body:
|
|
description: |
|
|
The resource options for the user. Available resource options are
|
|
``ignore_change_password_upon_first_use``, ``ignore_password_expiry``,
|
|
``ignore_lockout_failure_attempts``, ``lock_password``,
|
|
``multi_factor_auth_enabled``, and ``multi_factor_auth_rules``.
|
|
in: body
|
|
required: false
|
|
type: object
|
|
user_options_response_body:
|
|
description: |
|
|
The resource options for the user. Only present in the response if set on
|
|
the user entity. Available resource options are
|
|
``ignore_change_password_upon_first_use``, ``ignore_password_expiry``,
|
|
``ignore_lockout_failure_attempts``, ``lock_password``,
|
|
``multi_factor_auth_enabled``, and ``multi_factor_auth_rules``.
|
|
in: body
|
|
required: false
|
|
type: object
|
|
user_password_update_body:
|
|
description: |
|
|
The new password for the user.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
user_update_password_body:
|
|
description: |
|
|
The new password for the user.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
users:
|
|
description: |
|
|
A ``users`` object.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
users_object:
|
|
description: |
|
|
A list of ``user`` objects
|
|
in: body
|
|
required: true
|
|
type: array
|