c8ffdf0bf6
Currently, the oauth documentation for the `create_request_token` endpoint is incorrect. The parameter "requested_project_id" [0] is actually spelled "Request-Project-Id" and is located in the header, not the body, of the request object [1].

[0] https://developer.openstack.org/api-ref/identity/v3-ext/?expanded=create-request-token-detail
[1] https://github.com/openstack/keystone/blob/master/keystone/oauth1/controllers.py#L220

Change-Id: Ib249efffc1e7a14635ab5d767cb70caa8b8baf0f
Closes-Bug: #1685634
533 lines
14 KiB
YAML
# variables in header
requested_project_id:
  description: |
    The ID of the requested project.
  in: header
  required: true
  type: string

# variables in path
access_token_id_path:
  description: |
    The UUID of the access token.
  in: path
  required: true
  type: string
consumer_id_path:
  description: |
    The UUID of the consumer.
  in: path
  required: true
  type: string
domain_id:
  description: |
    The UUID of the domain.
  in: path
  required: true
  type: string
endpoint_group_id_path:
  description: |
    The UUID of the endpoint group.
  in: path
  required: true
  type: string
endpoint_id_path:
  description: |
    The endpoint ID.
  in: path
  required: true
  type: string
group_id:
  description: |
    The UUID of the group.
  in: path
  required: true
  type: string
name:
  description: |
    The name of the group.
  in: path
  required: true
  type: string
policy_id_path:
  description: |
    The policy ID.
  in: path
  required: true
  type: string
project_id_path:
  description: |
    The UUID of the project.
  in: path
  required: true
  type: string
region_id_path:
  description: |
    The region ID.
  in: path
  required: true
  type: string
role_id_path:
  description: |
    The UUID of the role.
  in: path
  required: true
  type: string
service_id_path:
  description: |
    The service ID.
  in: path
  required: true
  type: string
trust_id_path:
  description: |
    The trust ID.
  in: path
  required: true
  type: string
user_id_path:
  description: |
    The UUID of the user.
  in: path
  required: true
  type: string

# variables in query

since_query:
  description: |
    A timestamp used to limit the list of results to events
    that occurred on or after the specified time.
    (RFC 1123 format date time)
  in: query
  required: false
  type: string

# variables in body
allow_redelegation:
  description: |
    If set to `true` then a trust between a ``trustor`` and any third-party
    user may be issued by the ``trustee`` just like a regular trust.
    If set to `false`, stops further redelegation. `false` by default.
  in: body
  required: false
  type: boolean
consumer_description:
  description: |
    The consumer description.
  in: body
  required: false
  type: string
consumer_id:
  description: |
    The ID of the consumer.
  in: body
  required: true
  type: string
eg_description:
  description: |
    The endpoint group description.
  in: body
  required: false
  type: string
eg_filters:
  description: |
    Describes the filtering performed by the endpoint group. The filter used must
    be an ``endpoint`` property, such as ``interface``, ``service_id``,
    ``region_id`` and ``enabled``. Note that if using ``interface`` as a filter,
    the only available values are ``public``, ``internal`` and ``admin``.
  in: body
  required: true
  type: object
eg_name:
  description: |
    The name of the endpoint group.
  in: body
  required: true
  type: string
endpoint_id:
  description: |
    The endpoint UUID.
  in: body
  required: true
  type: string
endpoints:
  description: |
    An ``endpoints`` object.
  in: body
  required: true
  type: array
id:
  description: |
    [WIP]
  in: body
  required: true
  type: string
impersonation:
  description: |
    If set to `true`, then the user attribute of tokens generated based on the
    trust will represent that of the ``trustor`` rather than the ``trustee``,
    thus allowing the ``trustee`` to impersonate the ``trustor``. If impersonation
    is set to `false`, then the token’s user attribute will represent that of the
    ``trustee``.
  in: body
  required: true
  type: boolean
interface:
  description: |
    The interface type, which describes the
    visibility of the endpoint. Value is: - ``public``. Visible by
    end users on a publicly available network interface. -
    ``internal``. Visible by end users on an unmetered internal
    network interface. - ``admin``. Visible by administrative users
    on a secure network interface.
  in: body
  required: true
  type: string
links:
  description: |
    A links object.
  in: body
  required: true
  type: object
next:
  description: |
    The ``next`` relative link for the ``endpoints``
    resource.
  in: body
  required: true
  type: string
oauth_expires_at:
  description: |
    The date and time when an oauth token expires.

    The date and time stamp format is `ISO 8601
    <https://en.wikipedia.org/wiki/ISO_8601>`_:

    ::

       CCYY-MM-DDThh:mm:ss±hh:mm

    The ``±hh:mm`` value, if included, is the time zone as an offset
    from UTC.

    For example, ``2015-08-27T09:49:58-05:00``.

    If the Identity API does not include this attribute or its value is
    ``null``, the token never expires.
  in: body
  required: false
  type: string
oauth_token:
  description: |
    The key value for the oauth token that the Identity API returns.
  in: body
  required: true
  type: string
oauth_token_secret:
  description: |
    The secret value associated with the oauth Token.
  in: body
  required: true
  type: string
policy:
  description: |
    A ``policy`` object.
  in: body
  required: true
  type: object
policy_blob:
  description: |
    The policy rule itself, as a serialized blob.
  in: body
  required: true
  type: object
policy_id:
  description: |
    The ID of the policy.
  in: body
  required: true
  type: string
policy_links:
  description: |
    The links for the ``policy`` resource.
  in: body
  required: true
  type: object
policy_type:
  description: |
    The MIME media type of the serialized policy
    blob. From the perspective of the Identity API, a policy blob can
    be based on any technology. In OpenStack, the ``policy.json`` blob
    (``type="application/json"``) is the conventional solution.
    However, you might want to use an alternative policy engine that
    uses a different policy language type. For example,
    ``type="application/xacml+xml"``.
  in: body
  required: true
  type: string
previous:
  description: |
    The ``previous`` relative link for the
    ``endpoints`` resource.
  in: body
  required: true
  type: string
project_id:
  description: |
    The ID of the project.
  in: body
  required: true
  type: string
redelegated_trust_id:
  description: |
    Returned with a redelegated trust; provides information about the predecessor
    in the trust chain.
  in: body
  required: false
  type: string
redelegation_count:
  description: |
    Specifies the maximum remaining depth of the redelegated trust chain.
    Each subsequent trust has this field decremented by `1` automatically.
    The initial ``trustor`` issuing a new trust that can be redelegated must
    set ``allow_redelegation`` to `true` and may set ``redelegation_count``
    to an integer value less than or equal to the ``max_redelegation_count``
    configuration parameter in order to limit the possible length of derived
    trust chains. The trust issued by the trustor using a project-scoped token
    (not redelegating), in which ``allow_redelegation`` is set to `true` (the new
    trust is redelegatable), will be populated with the value specified in the
    ``max_redelegation_count`` configuration parameter if ``redelegation_count``
    is not set or set to `null`. If ``allow_redelegation`` is set to `false`
    then ``redelegation_count`` will be set to `0` in the trust.

    If the trust is being issued by the ``trustee`` of a redelegatable trust-scoped
    token (redelegation case) then ``redelegation_count`` should not be set, as it
    will automatically be set to the value in the redelegatable trust-scoped token
    decremented by `1`. Note, if the resulting value is `0`, this means that the new
    trust will not be redelegatable, regardless of the value of ``allow_redelegation``.
  in: body
  required: false
  type: integer
region:
  description: |
    (Deprecated in v3.2) The geographic location of
    the service endpoint.
  in: body
  required: true
  type: string
remaining_uses:
  description: |
    Specifies how many times the trust can be used to obtain a token. This value
    is decreased each time a token is issued through the trust. Once it reaches
    `0`, no further tokens will be issued through the trust. The default value is
    `null`, meaning there is no limit on the number of tokens issued through the
    trust. If redelegation is enabled it must not be set.
  in: body
  required: false
  type: integer
revoke_audit_chain_id:
  description: |
    Specifies a group of tokens based upon the ``audit_id`` of the
    first token in the chain.

    If a revocation event specifies the ``audit_chain_id`` any
    token that is part of the token chain (based upon the original
    token at the start of the chain) will be revoked, including
    the original token at the start of the chain.

    If an event is issued for ``audit_chain_id`` then the event cannot
    contain an ``audit_id``.
  in: body
  required: true
  type: string
revoke_audit_id:
  description: |
    Specifies the unique identifier (UUID) assigned to the token
    itself.

    This will revoke a single token only. This attribute mirrors
    the use of the Token Revocation List (the mechanism used
    prior to revocation events) but does not utilize data that
    could convey authorization (the token id).

    If an event is issued for ``audit_id`` then the event cannot
    contain an ``audit_chain_id``.
  in: body
  required: true
  type: string
revoke_consumer_id:
  description: |
    Revoke tokens issued to a specific OAuth consumer, as part
    of the OS-OAUTH1 API extension.
  in: body
  required: true
  type: string
revoke_domain_id:
  description: |
    Revoke tokens scoped to a particular domain.
  in: body
  required: true
  type: string
revoke_events:
  description: |
    List of revocation events.
  in: body
  required: true
  type: string
revoke_expires_at:
  description: |
    Specifies the exact expiration time of one or more tokens to
    be revoked.

    This attribute is useful for revoking chains of tokens, such
    as those produced when re-scoping an existing token. When a
    token is issued based on initial authentication, it is given
    an expires_at value. When a token is used to get another
    token, the new token will have the same expires_at value as
    the original.
  in: body
  required: true
  type: string
revoke_issued_before:
  description: |
    (string, ISO 8601 extended format date time with
    microseconds).

    Tokens issued before this time are considered revoked.

    This attribute can be used to determine how long the
    expiration event is valid. It can also be used in
    queries to filter events, so that only a subset that
    have occurred since the last request are returned.
  in: body
  required: true
  type: string
revoke_project_id:
  description: |
    Revoke tokens scoped to a particular project.
  in: body
  required: true
  type: string
revoke_role_id:
  description: |
    Revoke tokens issued with a specific role.
  in: body
  required: true
  type: string
revoke_trust_id:
  description: |
    Revoke tokens issued as the result of a particular
    trust, as part of the OS-TRUST API extension.
  in: body
  required: true
  type: string
revoke_user_id:
  description: |
    Revoke tokens expressing the identity of a particular user.
  in: body
  required: true
  type: string
roles:
  description: |
    A roles object.
  in: body
  required: true
  type: array
roles_links:
  description: |
    A roles links object. Includes ``next``,
    ``previous``, and ``self`` links for roles.
  in: body
  required: true
  type: object
self:
  description: |
    The ``self`` relative link for the ``endpoints``
    resource.
  in: body
  required: true
  type: string
service_id:
  description: |
    The UUID of the service to which the endpoint
    belongs.
  in: body
  required: true
  type: string
trust:
  description: |
    A trust object.
  in: body
  required: true
  type: object
trust_expires_at:
  description: |
    Specifies the expiration time of the trust. A trust may be revoked ahead of
    expiration. If the value represents a time in the past, the trust is deactivated.
    In the redelegation case it must not exceed the value of the corresponding
    ``expires_at`` field of the redelegated trust, or it may be omitted, in which
    case the ``expires_at`` value is copied from the redelegated trust.
  in: body
  required: false
  type: string
trust_id:
  description: |
    The ID of the trust.
  in: body
  required: true
  type: string
trust_links:
  description: |
    A trust links object. Includes ``next``, ``previous``, and ``self`` links for trusts.
  in: body
  required: true
  type: object
trust_project_id:
  description: |
    Identifies the project upon which the trustor is delegating authorization.
  in: body
  required: false
  type: string
trust_roles:
  description: |
    Specifies the subset of the trustor’s roles on the ``project_id`` to be granted
    to the ``trustee`` when the token is consumed. The ``trustor`` must already be
    granted these roles in the project referenced by the ``project_id`` attribute.
    If redelegation is used (when a trust-scoped token is used and the consumed trust
    has ``allow_redelegation`` set to `true`) this parameter should contain the
    redelegated trust’s roles only.

    Roles are only provided when the trust is created, and are subsequently available
    as a separate read-only collection. Each role can be specified by either ``id`` or
    ``name``.
  in: body
  required: false
  type: array
trustee_user_id:
  description: |
    Represents the user who is capable of consuming the trust.
  in: body
  required: true
  type: string
trustor_user_id:
  description: |
    Represents the user who created the trust, and whose authorization is being delegated.
  in: body
  required: true
  type: string
trusts:
  description: |
    An array of trust objects.
  in: body
  required: true
  type: array
url:
  description: |
    The endpoint URL.
  in: body
  required: true
  type: string