OpenStack Identity (Keystone)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 

1655 lines
42 KiB

# variables in header
X-Auth-Token:
description: |
A valid authentication token for an
administrative user.
in: header
required: true
type: string
X-Subject-Token:
description: |
The authentication token. An authentication
response returns the token ID in this header rather than in the
response body.
in: header
required: true
type: string
X-Subject-Token_1:
description: |
The authentication token for which you want to
perform the operation.
in: header
required: true
type: string
# variables in path
access_token_id:
description: |
The ID of the access token.
in: path
required: true
type: string
credential_id_path:
description: |
The UUID for the credential.
in: path
required: true
type: string
domain_group_template:
description: |
The group name, which is ``ldap`` or
``identity``.
in: path
required: false
type: string
domain_id_path:
description: |
The domain ID.
in: path
required: true
type: string
endpoint_id_path:
description: |
The endpoint ID.
in: path
required: true
type: string
group_id:
description: |
The group ID.
in: path
required: true
type: string
group_id_path:
description: |
The group ID.
in: path
required: true
type: string
option:
description: |
The option name. For the ``ldap`` group, a valid
value is ``url`` or ``user_tree_dn``. For the ``identity`` group,
a valid value is ``driver``.
in: path
required: true
type: string
policy_id_path:
description: |
The policy ID.
in: path
required: true
type: string
project_id_path:
description: |
The project ID.
in: path
required: true
type: string
region_id_path:
description: |
The region ID.
in: path
required: true
type: string
role_id:
description: |
The role ID.
in: path
required: true
type: string
role_id_path:
description: |
The role ID.
in: path
required: true
type: string
service_id_path:
description: |
The service ID.
in: path
required: false
type: string
user_id_path:
description: |
The user ID.
in: path
required: true
type: string
# variables in query
domain_enabled_query:
description: |
If set to true, then only domains that are enabled will be returned, if set
to false only that are disabled will be returned. Any value other than
``0``, including no value, will be interpreted as true.
in: query
required: false
type: string
domain_id_query:
description: |
Filters the response by a domain ID.
in: query
required: false
type: string
domain_name_query:
description: |
Filters the response by a domain name.
in: query
required: false
type: string
effective_query:
description: |
Returns the effective assignments, including any assignments gained by
virtue of group membership.
in: query
required: false
type: key-only (no value required)
enabled_6:
description: |
Filters the response by either enabled (``true``)
or disabled (``false``) domains. Users can authorize against an
enabled domain and any of its projects. Users that are owned by an
enabled domain can authenticate and receive additional
authorization. Users cannot authorize against a disabled domain
or any of its projects. Users that are owned by a disabled domain
cannot authenticate or receive additional authorization. All
tokens that are authorized for a disabled domain or its projects
become no longer valid. If you reenable the domain, these tokens
are not re- enabled.
in: query
required: false
type: string
enabled_9:
description: |
Filters the response by either enabled (``true``)
or disabled (``false``) projects.
in: query
required: false
type: string
enabled_user_query:
description: |
Filters the response by either enabled (``true``)
or disabled (``false``) users.
in: query
required: false
type: string
group_id_query:
description: |
Filters the response by a group ID.
in: query
required: false
type: string
group_name_query:
description: |
Filters the response by a group name.
in: query
required: false
type: string
include_names_query:
description: |
If set to true, then the names of any entities returned will be include as
well as their IDs. Any value other than ``0`` (including no value) will be
interpreted as true.
in: query
required: false
type: boolean
min_version: 3.6
include_subtree_query:
description: |
If set to true, then relevant assignments in the project hierarchy below
the project specified in the ``scope.project_id`` query parameter are also
included in the response. Any value other than ``0`` (including no value)
for ``include_subtree`` will be interpreted as true.
in: query
required: false
type: boolean
min_version: 3.6
interface_query:
description: |
Filters the response by an interface.
in: query
required: false
type: string
is_domain_query:
description: |
If this is specified as true, then only projects acting as a domain are
included. Otherwise, only projects that are not acting as a domain are
included.
in: query
required: false
type: boolen
min_version: 3.6
name_user_query:
description: |
Filters the response by a user name.
in: query
required: false
type: string
nocatalog:
description: |
(Since v3.1) The authentication response excludes
the service catalog. By default, the response includes the service
catalog.
in: query
required: false
type: string
parent_id_query:
description: |
Filters the response by a parent ID.
in: query
required: false
type: string
min_version: 3.4
parent_region_id_query:
description: |
Filters the response by a parent region, by ID.
in: query
required: false
type: string
parents_as_ids:
description: |
The entire parent hierarchy will be included as
nested dictionaries in the response. It will contain
all projects ids found by traversing up the hierarchy
to the top-level project.
in: query
required: false
type: key-only, no value expected
min_version: 3.4
parents_as_list:
description: |
The parent hierarchy will be included as a list in the response.
This list will contain the projects found by traversing up the
hierarchy to the top-level project.
in: query
required: false
type: key-only, no value expected
min_version: 3.4
policy_type_query:
description: |
Filters the response by a MIME media type for the
serialized policy blob. For example, ``application/json``.
in: query
required: false
type: string
project_enabled_query:
description: |
If set to true, then only enabled projects will be returned. Any value
other than ``0`` (including no value) will be interpreted as true.
in: query
required: false
type: boolen
project_name_query:
description: |
Filters the response by a project name.
in: query
required: false
type: string
role_id_query:
description: |
Filters the response by a role ID.
in: query
required: false
type: string
role_name_query:
description: |
Filters the response by a role name.
in: query
required: false
type: string
scope_domain_id_query:
description: |
Filters the response by a domain ID.
in: query
required: false
type: string
scope_os_inherit_inherited_to:
description: |
Filters based on role assignments that are inherited.
The only value of ``inherited_to`` that is currently
supported is ``projects``.
in: query
required: false
type: string
scope_project_id_query:
description: |
Filters the response by a project ID.
in: query
required: false
type: string
service_id_query:
description: |
Filters the response by a service ID.
in: query
required: false
type: string
service_type_query:
description: |
Filters the response by a service type. A valid
value is ``compute``, ``ec2``, ``identity``, ``image``,
``network``, or ``volume``.
in: query
required: false
type: string
subtree_as_ids:
description: |
The entire child hierarchy will be included as nested dictionaries
in the response. It will contain all the projects ids found by
traversing down the hierarchy.
in: query
required: false
type: key-only, no value expected
min_version: 3.4
subtree_as_list:
description: |
The child hierarchy will be included as a list in the response.
This list will contain the projects found by traversing down
the hierarchy.
in: query
required: false
type: key-only, no value expected
min_version: 3.4
user_id_query:
description: |
Filters the response by a user ID.
in: query
required: false
type: string
# variables in body
audit_ids:
description: |
A list of one or two audit IDs. An audit ID is a
unique, randomly generated, URL-safe string that you can use to
track a token. The first audit ID is the current audit ID for the
token. The second audit ID is present for only re-scoped tokens
and is the audit ID from the token before it was re-scoped. A re-
scoped token is one that was exchanged for another token of the
same or different scope. You can use these audit IDs to track the
use of a token or chain of tokens across multiple requests and
endpoints without exposing the token ID to non-privileged users.
in: body
required: true
type: array
auth:
description: |
An ``auth`` object.
in: body
required: true
type: object
auth_domain:
description: |
Specify either ``id`` or ``name`` to uniquely
identify the domain.
in: body
required: false
type: object
auth_domain_id:
description: |
The ID of the domain. If you specify a user
name, you must specify either a domain ID or domain name.
in: body
required: false
type: string
auth_methods:
description: |
The authentication method, which is ``password``,
``token``, or both methods. Indicates the accumulated set of
authentication methods that were used to obtain the token. For
example, if the token was obtained by password authentication, it
contains ``password``. Later, if the token is exchanged by using
the token authentication method one or more times, the
subsequently created tokens contain both ``password`` and
``token`` in their ``methods`` attribute. Unlike multi-factor
authentication, the ``methods`` attribute merely indicates the
methods that were used to authenticate the user in exchange for a
token. The client is responsible for determining the total number
of authentication factors.
in: body
required: true
type: array
auth_methods_passwd:
description: |
The authentication method. For password
authentication, specify ``password``.
in: body
required: true
type: array
auth_methods_token:
description: |
The authentication method. For token
authentication, specify ``token``.
in: body
required: true
type: array
auth_token:
description: |
A ``token`` object. The token authentication
method is used. This method is typically used in combination with
a request to change authorization scope.
in: body
required: true
type: object
auth_token_id:
description: |
A token ID.
in: body
required: true
type: string
catalog:
description: |
A ``catalog`` object.
in: body
required: true
type: array
credential:
description: |
A ``credential`` object.
in: body
required: true
type: object
credential_blob:
description: |
The credential itself, as a serialized blob.
in: body
required: true
type: string
credential_blob_notRequired:
description: |
The credential itself, as a serialized blob.
in: body
required: false
type: string
credential_id:
description: |
The UUID for the credential.
in: body
required: true
type: string
credential_links:
description: |
The links for the ``credential`` resource.
in: body
required: true
type: object
credential_type:
description: |
The credential type, such as ``ec2`` or ``cert``.
The implementation determines the list of supported types.
in: body
required: true
type: string
credential_type_notRequired:
description: |
The credential type, such as ``ec2`` or ``cert``.
The implementation determines the list of supported types.
in: body
required: false
type: string
credential_user_id:
description: |
The ID of the user who owns the credential.
in: body
required: true
type: string
credential_user_id_notRequired:
description: |
The ID of the user who owns the credential.
in: body
required: false
type: string
credentials:
description: |
A list of ``credential`` objects.
in: body
required: true
type: array
credentials_links:
description: |
The links for the ``credentials`` resource.
in: body
required: true
type: object
default_project_id_request_body:
description: |
The ID of the default project for the user.
Setting this attribute does not grant any actual authorization on
the project, and is merely provided for convenience. Therefore,
the referenced project does not need to exist within the user
domain. (Since v3.1) If the user does not have authorization to
their default project, the default project is ignored at token
creation. (Since v3.1) Additionally, if your default project is
not valid, a token is issued without an explicit scope of
authorization.
in: body
required: false
type: string
default_project_id_response_body:
description: |
The ID of the default project for the user.
in: body
required: false
type: string
default_project_id_update_body:
description: |
The new ID of the default project for the user.
in: body
required: false
type: string
description_region_request_body:
description: |
The region description.
in: body
required: false
type: string
description_region_response_body:
description: |
The region description.
in: body
required: true
type: string
domain:
description: |
A ``domain`` object, containing:
in: body
required: true
type: object
domain_config:
description: |
A ``config`` object.
in: body
required: true
type: object
domain_description_request_body:
description: |
The description of the domain.
in: body
required: false
type: string
domain_description_response_body:
description: |
The description of the domain.
in: body
required: true
type: string
domain_description_update_request_body:
description: |
The new description of the domain.
in: body
required: false
type: string
domain_driver:
description: |
The Identity backend driver.
in: body
required: true
type: string
domain_driver_notRequired:
description: |
The Identity backend driver.
in: body
required: false
type: string
domain_enabled_request_body:
description: |
If set to ``true``, domain is created enabled. If set to
``false``, domain is created disabled. The default is ``true``.
Users can only authorize against an enabled domain (and any of its
projects). In addition, users can only authenticate if the domain that owns
them is also enabled. Disabling a domain prevents both of these things.
in: body
required: false
type: string
domain_enabled_response_body:
description: |
If set to ``true``, domain is enabled. If set to
``false``, domain is disabled.
in: body
required: true
type: string
domain_enabled_update_request_body:
description: |
If set to ``true``, domain is enabled. If set to
``false``, domain is disabled. The default is ``true``.
Users can only authorize against an enabled domain (and any of its
projects). In addition, users can only authenticate if the domain that owns
them is also enabled. Disabling a domain prevents both of these things.
When you disable a domain, all tokens that are authorized for that domain
become no longer valid. If you reenable the domain, these tokens
are not re-enabled.
in: body
required: false
type: string
domain_group_identity:
description: |
An ``identity`` object. Required to set the
identity group configuration options.
in: body
required: true
type: object
domain_id_response_body:
description: |
The ID of the domain for the user.
in: body
required: true
type: string
domain_id_response_body:
description: |
The ID of the domain.
in: body
required: true
type: string
domain_ldap:
description: |
An ``ldap`` object. Required to set the LDAP
group configuration options.
in: body
required: true
type: object
domain_link_response_body:
description: |
The links to the ``domain`` resource.
in: body
required: true
type: object
domain_name_request_body:
description: |
The name of the domain.
in: body
required: true
type: string
domain_name_response_body:
description: |
The name of the domain.
in: body
required: true
type: string
domain_name_update_request_body:
description: |
The new name of the domain.
in: body
required: false
type: string
domain_url:
description: |
The LDAP URL.
in: body
required: true
type: string
domain_url_notRequired:
description: |
The LDAP URL.
in: body
required: false
type: string
domain_user_tree_dn:
description: |
The base distinguished name (DN) of LDAP, from
where all users can be reached. For example,
``ou=Users,dc=root,dc=org``.
in: body
required: true
type: string
domain_user_tree_dn_notRequired:
description: |
The base distinguished name (DN) of LDAP, from
where all users can be reached. For example,
``ou=Users,dc=root,dc=org``.
in: body
required: false
type: string
domains:
description: |
A list of ``domain`` objects, each containing:
in: body
required: true
type: array
domains_links:
description: |
The links for the ``domains`` resource.
in: body
required: true
type: object
email:
description: |
The email address for the user.
in: body
required: true
type: string
email_notRequired:
description: |
The email address for the user.
in: body
required: false
type: string
enabled:
description: |
Enables or disables the domain. Users can
authorize against an enabled domain and any of its projects. Users
that are owned by an enabled domain can authenticate and receive
additional authorization. Users cannot authorize against a
disabled domain or any of its projects. Users that are owned by a
disabled domain cannot authenticate or receive additional
authorization. All tokens that are authorized for a disabled
domain or its projects become no longer valid. If you reenable the
domain, these tokens are not re- enabled. To enable the domain,
set to ``true``. To disable the domain, set to ``false``. Default
is ``true``.
in: body
required: false
type: boolean
enabled_2:
description: |
Enables or disables the project. Users can
authorize against an enabled project. Users cannot authorize
against a disabled project. All tokens that are authorized for a
disabled project become no longer valid. If you reenable the
project, these tokens are not re-enabled. To enable the project,
set to ``true``. To disable the project, set to ``false``. Default
is ``true``.
in: body
required: false
type: boolean
enabled_user_request_body:
description: |
If the user is enabled, this value is ``true``.
If the user is disabled, this value is ``false``.
in: body
required: false
type: boolean
enabled_user_response_body:
description: |
If the user is enabled, this value is ``true``.
If the user is disabled, this value is ``false``.
in: body
required: true
type: boolean
enabled_user_update_body:
description: |
Enables or disables the user. An enabled user
can authenticate and receive authorization. A disabled user
cannot authenticate or receive authorization. Additionally, all
tokens that the user holds become no longer valid. If you reenable
this user, pre-existing tokens do not become valid. To enable the
user, set to ``true``. To disable the user, set to ``false``.
Default is ``true``.
in: body
required: false
type: boolean
endpoint:
description: |
An ``endpoint`` object.
in: body
required: true
type: object
endpoint_enabled:
description: |
Indicates whether the endpoint appears in the
service catalog: - ``false``. The endpoint does not appear in the
service catalog. - ``true``. The endpoint appears in the service
catalog.
in: body
required: true
type: boolean
endpoint_enabled_notRequired:
description: |
Defines whether the endpoint appears in the
service catalog: - ``false``. The endpoint does not appear in the
service catalog. - ``true``. The endpoint appears in the service
catalog. Default is ``true``.
in: body
required: false
type: boolean
endpoint_id:
description: |
The endpoint ID.
in: body
required: true
type: string
endpoint_interface:
description: |
The interface type, which describes the
visibility of the endpoint. Value is: - ``public``. Visible by
end users on a publicly available network interface. -
``internal``. Visible by end users on an unmetered internal
network interface. - ``admin``. Visible by administrative users
on a secure network interface.
in: body
required: true
type: string
endpoint_links:
description: |
The links for the ``endpoint`` resource.
in: body
required: true
type: object
endpoint_name:
description: |
The endpoint name.
in: body
required: true
type: string
endpoint_region:
description: |
(Deprecated in v3.2) The geographic location of
the service endpoint.
in: body
required: true
type: string
endpoint_region_notRequired:
description: |
(Deprecated in v3.2) The geographic location of
the service endpoint. Use the ``region_id`` parameter instead.
in: body
required: false
type: string
endpoint_type:
description: |
The endpoint type.
in: body
required: true
type: string
endpoint_url:
description: |
The endpoint URL.
in: body
required: true
type: string
endpoints:
description: |
A list of ``endpoint`` objects.
in: body
required: true
type: array
endpoints_links:
description: |
The links for the ``endpoints`` resource.
in: body
required: true
type: object
expires_at:
description: |
The date and time when the token expires.
The date and time stamp format is `ISO 8601
<https://en.wikipedia.org/wiki/ISO_8601>`_:
::
CCYY-MM-DDThh:mm:ss±hh:mm
For example, ``2015-08-27T09:49:58-05:00``.
The ``±hh:mm`` value, if included, is the time zone as an offset
from UTC. In the previous example, the offset value is ``-05:00``.
A ``null`` value indicates that the token never expires.
in: body
required: true
type: string
extras:
description: |
A set of metadata key and value pairs, if any.
in: body
required: true
type: object
group:
description: |
A ``group`` object, containing:
in: body
required: true
type: object
group_description_request_body:
description: |
The description of the group.
in: body
required: true
type: string
group_description_response_body:
description: |
The description of the group.
in: body
required: true
type: string
group_description_update_request_body:
description: |
The new description of the group.
in: body
required: false
type: string
group_domain_id:
description: |
The ID of the domain that owns the group. If you
omit the domain ID, defaults to the domain to which the client
token is scoped.
in: body
required: false
type: string
group_domain_id_request_body:
description: |
The ID of the domain of the group.
in: body
required: true
type: string
group_domain_id_response_body:
description: |
The ID of the domain of the group.
in: body
required: true
type: string
group_domain_id_update_request_body:
description: |
The ID of the new domain for the group. The ability to change the domain
of a group is now deprecated, and will be removed in subsequent release.
It is already disabled by default in most Identity service implementations.
in: body
required: false
type: string
group_id_response_body:
description: |
The ID of the group.
in: body
required: true
type: string
group_links:
description: |
The links for the ``group`` resource.
in: body
required: true
type: object
group_name_request_body:
description: |
The name of the group.
in: body
required: true
type: string
group_name_response_body:
description: |
The name of the group.
in: body
required: true
type: string
group_name_update_request_body:
description: |
The new name of the group.
in: body
required: false
type: string
groups:
description: |
A list of ``group`` objects, each containing:
in: body
required: true
type: array
id_region_response_body:
description: |
The ID for the region.
in: body
required: true
type: string
id_region_resquest_body:
description: |
The ID for the region.
in: body
required: false
type: string
id_user_body:
description: |
The user ID.
in: body
required: true
type: string
identity:
description: |
An ``identity`` object.
in: body
required: true
type: object
is_domain_request_body:
description: |
Indicates whether the project also acts as a domain. If set to ``true``,
this project acts as both a project and domain. As a domain, the project
provides a name space in which you can create users, groups, and other
projects. If set to ``false``, this project behaves as a regular project
that contains only resources. Default is ``false``. You cannot update
this parameter after you create the project.
in: body
required: false
type: boolean
min_version: 3.6
is_domain_response_body:
description: |
Indicates whether the project also acts as a domain. If set to ``true``,
this project acts as both a project and domain. As a domain, the project
provides a name space in which you can create users, groups, and other
projects. If set to ``false``, this project behaves as a regular project
that contains only resources.
in: body
required: true
type: boolean
min_version: 3.6
issued_at:
description: |
The date and time when the token was issued.
The date and time stamp format is `ISO 8601
<https://en.wikipedia.org/wiki/ISO_8601>`_:
::
CCYY-MM-DDThh:mm:ss±hh:mm
For example, ``2015-08-27T09:49:58-05:00``.
The ``±hh:mm`` value, if included, is the time zone as an offset
from UTC. In the previous example, the offset value is ``-05:00``.
in: body
required: true
type: string
link_collection:
description: |
The link to the collection of resources.
in: body
required: true
type: string
link_response_body:
description: |
The link to the resources in question.
in: body
required: true
type: string
links_project:
description: |
The links for the ``project`` resource.
in: body
required: true
type: object
links_region:
description: |
The links for the ``region`` resource.
in: body
required: true
type: object
links_user:
description: |
The links for the ``user`` resource.
in: body
required: true
type: object
original_password:
description: |
The original password for the user.
in: body
required: true
type: string
parent_id:
description: |
(Since v3.4) The ID of the parent project. If
you omit the parent project ID, the project is a top-level
project.
in: body
required: false
type: string
parent_id_1:
description: |
(Since v3.4) The ID of the parent project. If
``null``, the project is a top-level project.
in: body
required: true
type: string
parent_region_id_2:
description: |
If the region is a child of another region, the
ID for the parent region. Otherwise, this value is ``null``.
in: body
required: true
type: string
parent_region_id_request_body:
description: |
To make this region a child of another region,
set this parameter to the ID of the parent region.
in: body
required: false
type: string
parent_region_id_response_body:
description: |
To make this region a child of another region,
set this parameter to the ID of the parent region.
in: body
required: true
type: string
password:
description: |
The ``password`` object, contains the authentication information.
in: body
required: true
type: object
password_auth_domain:
description: |
A ``domain`` object. Required if you specify a
user name.
in: body
required: false
type: object
password_auth_domain_name:
description: |
The name of the domain. If you specify a user
name, you must specify either a domain ID or domain name.
in: body
required: false
type: string
password_expires_at:
description: |
The date and time when the password expires. The time zone
is UTC.
This is a response object attribute; not valid for requests.
A ``null`` value indicates that the password never expires.
in: body
required: true
type: string
min_version: 3.7
password_request_body:
description: |
The password for the user.
in: body
required: false
type: string
policies:
description: |
A ``policies`` object.
in: body
required: true
type: array
policy:
description: |
A ``policy`` object.
in: body
required: true
type: object
policy_blob_obj:
description: |
The policy rule itself, as a serialized blob.
in: body
required: true
type: object
policy_blob_str:
description: |
The policy rule set itself, as a serialized blob.
in: body
required: true
type: string
policy_id:
description: |
The policy ID.
in: body
required: true
type: string
policy_links:
description: |
The links for the ``policy`` resource.
in: body
required: true
type: object
policy_type:
description: |
The MIME media type of the serialized policy
blob.
in: body
required: true
type: string
policy_user_id:
description: |
The ID of the user who owns the policy.
in: body
required: true
type: string
policy_user_id_notRequired:
description: |
The ID of the user who owns the policy.
in: body
required: false
type: string
project:
description: |
A ``project`` object, containing:
in: body
required: true
type: object
project_description_request_body:
description: |
The description of the project.
in: body
required: false
type: string
project_description_response_body:
description: |
The description of the project.
in: body
required: true
type: string
project_domain_id:
description: |
The ID of the domain for the project. If you
omit the domain ID, default is the domain to which your token is
scoped.
in: body
required: false
type: string
project_domain_id_request_body:
description: |
The ID of the domain for the project.
For projects acting as a domain, the ``domain_id`` must not be specified,
it will be generated by the Identity service implementation.
For regular projects (i.e. those not acing as a domain), if ``domain_id``
is not specified, but ``parent_id`` is specified, then the domain ID of the
parent will be used. If neither ``domain_id`` or ``parent_id`` is
specified, the Identity service implementation will default to the domain
to which the client's token is scoped. If both ``domain_id`` and
``parent_id`` are specified, and they do not indicate the same domain, an
``Bad Request (400)`` will be returned.
in: body
required: false
type: string
project_domain_id_response_body:
description: |
The ID of the domain for the project.
in: body
required: true
type: string
project_domain_id_update_request_body:
description: |
The ID of the new domain for the project. The ability to change the domain
of a project is now deprecated, and will be removed in subequent release.
It is already disabled by default in most Identity service implementations.
in: body
required: false
type: string
project_enabled_cascade_request_body:
description: |
Enables or disables the project and its subtree.
Users can authorize against an enabled project, but not against a disabled
project. All tokens that are authorized for all projects in the affected
hierarchy become no longer valid. If you reenable the projects, these tokens
are not re-enabled. To enable the project and its subtree, set to ``true``.
To disable the project and its subtree, set to ``false``.
in: body
required: true
type: boolean
project_enabled_request_body:
description: |
If set to ``true``, project is enabled. If set to
``false``, project is disabled. The default is ``true``.
in: body
required: false
type: boolean
project_enabled_response_body:
description: |
If set to ``true``, project is enabled. If set to
``false``, project is disabled.
in: body
required: true
type: boolean
project_enabled_update_request_body:
description: |
If set to ``true``, project is enabled. If set to
``false``, project is disabled.
in: body
required: false
type: boolean
project_id:
description: |
The ID for the project.
in: body
required: true
type: string
project_name_request_body:
description: |
The name of the project, which must be unique within the
owning domain. A project can have the same name as its domain.
in: body
required: true
type: string
project_name_response_body:
description: |
The name of the project.
in: body
required: true
type: string
project_name_update_request_body:
description: |
The name of the project, which must be unique within the
owning domain. A project can have the same name as its domain.
in: body
required: false
type: string
project_parent_id_request_body:
description: |
The ID of the parent of the project.
If specified on project creation, this places the project within a
hierarchy and implicitly defines the owning domain, which will be the
same domain as the parent specified. If ``parent_id`` is
not specified and ``is_domain`` is ``false``, then the project will use its
owning domain as its parent. If ``is_domain`` is ``true`` (i.e. the project
is acting as a domain), then ``parent_id`` must not specified (or if it is,
it must be ``null``) since domains have no parents.
``parent_id`` is immutable, and can't be updated after the project is
created - hence a project cannot be moved within the hierarchy.
in: body
required: false
type: string
min_version: 3.4
project_parent_id_response_body:
description: |
The ID of the parent for the project.
in: body
required: true
type: string
min_version: 3.4
projects:
description: |
A list of ``project`` objects, each containing:
in: body
required: true
type: array
region_id:
description: |
(Since v3.2) The ID of the region that contains
the service endpoint.
in: body
required: true
type: string
region_id_1:
description: |
(Since v3.2) The ID of the region that contains
the service endpoint.
in: body
required: false
type: string
region_id_notRequired:
description: |
A user-defined region ID. If you include
characters in the region ID that are not allowed in a URI, you
must URL-encode the ID. If you omit an ID, the API assigns an ID
to the region.
in: body
required: false
type: string
region_object:
description: |
A ``region`` object, containing the following:
in: body
required: true
type: object
regions_object:
description: |
A list of ``region`` object, each containing the following:
in: body
required: true
type: array
role:
description: |
A ``role`` object, containing:
in: body
required: true
type: object
role_assignments:
description: |
A list of ``role_assignment`` objects.
in: body
required: true
type: array
role_id_response_body:
description: |
The role ID.
in: body
required: true
type: string
role_links:
description: |
The links for the ``role`` resource.
in: body
required: true
type: object
role_name_create_body:
description: |
The role name.
in: body
required: true
type: string
role_name_response_body:
description: |
The role name.
in: body
required: true
type: string
role_name_update_body:
description: |
The new role name.
in: body
required: false
type: string
roles:
description: |
A list of ``role`` objects, each containing:
in: body
required: true
type: array
roles_links:
description: |
The links for the ``roles`` resource.
in: body
required: true
type: object
scope:
description: |
The authorization scope. (Since v3.4) Specify
``unscoped`` to make an explicit unscoped token request, which
returns an unscoped response without any authorization. This
request behaves the same as a token request with no scope where
the user has no default project defined. If you do not make an
explicit ``unscoped`` token request and your role has a default
project, the response might return a project- scoped token. If a
default project is not defined, a token is issued without an
explicit scope of authorization, which is the same as asking for
an explicit unscoped token.
in: body
required: false
type: string
scope_1:
description: |
The authorization scope. - Specify ``project``
to scope to a project, by ID or name. If you specify the project
by name, you must also specify the project domain to uniquely
identify the project. Because a project can have the same name
as its owning domain, the scope is determined, as follows: -
If the project name is truly unique, the token is scoped to the
project. - If a name clash exists between a project acting as a
domain and a regular project within that domain, the token is
scoped to the regular project. - In a name-clash situation,
if the user wants the token scoped to the project acting as
the domain, you must either specify use the project ID to
specify the scope or rename either the project acting as a
domain or the regular project. Alternatively, you can use a
domain name to uniquely identify the project. - Specify
``domain`` to scope to a domain, by ID or name with equivalent
results to project scoping. The catalog returned from a domain-
scoped request contains all endpoints of a project- scoped
catalog, excluding ones that require a project ID as part of
their URL. You cannot simultaneously scope a token to a project
and domain.
in: body
required: false
type: object
service:
description: |
A ``service`` object.
in: body
required: true
type: object
service_description:
description: |
The service description.
in: body
required: true
type: string
service_enabled:
description: |
Defines whether the service and its endpoints
appear in the service catalog: - ``false``. The service and its
endpoints do not appear in the service catalog. - ``true``. The
service and its endpoints appear in the service catalog.
in: body
required: true
type: boolean
service_enabled_notRequired:
description: |
Defines whether the service and its endpoints
appear in the service catalog: - ``false``. The service and its
endpoints do not appear in the service catalog. - ``true``. The
service and its endpoints appear in the service catalog.
Default is ``true``.
in: body
required: false
type: boolean
service_id:
description: |
The UUID of the service to which the endpoint
belongs.
in: body
required: true
type: string
service_links:
description: |
The links for the ``service`` resource.
in: body
required: true
type: object
service_name:
description: |
The service name.
in: body
required: false
type: string
service_type:
description: |
The service type, which describes the API
implemented by the service. Value is ``compute``, ``ec2``,
``identity``, ``image``, ``network``, or ``volume``.
in: body
required: true
type: string
services:
description: |
A list of ``service`` object.
in: body
required: true
type: array
token:
description: |
A ``token`` object.
in: body
required: true
type: object
user:
description: |
A ``user`` object.
in: body
required: true
type: object
user_description:
description: |
The user description.
in: body
required: true
type: string
user_domain_id:
description: |
The ID of the domain for the user.
in: body
required: false
type: string
user_domain_id_request_body:
description: |
The ID of the domain for the user.
in: body
required: false
type: string
user_domain_id_update_body:
description: |
The ID of the new domain for the user. The ability to change the domain
of a user is now deprecated, and will be removed in subequent release.
It is already disabled by default in most Identity service implementations.
in: body
required: false
type: string
user_id:
description: |
The ID of the user. Required if you do not
specify the user name.
in: body
required: false
type: string
user_name:
description: |
The user name. Required if you do not specify
the ID of the user. If you specify the user name, you must also
specify the domain, by ID or name.
in: body
required: false
type: string
user_name_create_request_body:
description: |
The user name. Must be unique within the owning domain.
in: body
required: true
type: string
user_name_response_body:
description: |
The user name. Must be unique within the owning domain.
in: body
required: true
type: string
user_name_update_body:
description: |
The new name for the user. Must be unique within the owning domain.
in: body
required: false
type: string
user_object:
description: |
A ``user`` object, containing:
in: body
required: true
type: object
user_password_update_body:
description: |
The new password for the user.
in: body
required: true
type: string
user_update_password_body:
description: |
The new password for the user.
in: body
required: false
type: string
users:
description: |
A ``users`` object.
in: body
required: true
type: array
users_object:
description: |
A list of ``user`` object, each containing:
in: body
required: true
type: array