OpenStack Identity (Keystone)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 

417 lines
7.2 KiB

.. -*- rst -*-
=======================
System Role Assignments
=======================
A system role assignment ultimately controls access to system-level API calls.
System role assignments are similar to project or domain role assignments, but
are meant for a different target. Instead of giving a user or group a role on a
project, they can be given a system role.
Good examples of system-level APIs include management of the service catalog
and compute hypervisors.
List system role assignments for a user
=======================================
.. rest_method:: GET /v3/system/users/{user_id}/roles
Lists all system role assignment a user has.
Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/system_user_roles``
Request
-------
Parameters
~~~~~~~~~~
.. rest_parameters:: parameters.yaml
- user_id: user_id_path
Response
--------
Parameters
~~~~~~~~~~
.. rest_parameters:: parameters.yaml
- links: link_response_body
- roles: system_roles_response_body
Status Codes
~~~~~~~~~~~~
.. rest_status_code:: success status.yaml
- 200
.. rest_status_code:: error status.yaml
- 400
- 401
- 403
Example
~~~~~~~
.. literalinclude:: ./samples/admin/list-system-roles-for-user-response.json
:language: javascript
The functionality of this request can also be achieved using the generalized
list assignments API::
GET /role_assignments?user.id={user_id}&scope.system
Assign a system role to a user
==============================
.. rest_method:: PUT /v3/system/users/{user_id}/roles/{role_id}
Grant a user a role on the system.
Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/system_user_role``
Request
-------
Parameters
~~~~~~~~~~
.. rest_parameters:: parameters.yaml
- user_id: user_id_path
- role_id: role_id_path
Response
--------
Status Codes
~~~~~~~~~~~~
.. rest_status_code:: success status.yaml
- 204
.. rest_status_code:: error status.yaml
- 401
- 403
- 404
Check user for a system role assignment
=======================================
.. rest_method:: HEAD /v3/system/users/{user_id}/roles/{role_id}
Check if a specific user has a role assignment on the system.
Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/system_user_role``
Request
-------
Parameters
~~~~~~~~~~
.. rest_parameters:: parameters.yaml
- user_id: user_id_path
- role_id: role_id_path
Response
--------
Status Codes
~~~~~~~~~~~~
.. rest_status_code:: success status.yaml
- 204
.. rest_status_code:: error status.yaml
- 401
- 403
- 404
Get system role assignment for a user
=====================================
.. rest_method:: GET /v3/system/users/{user_id}/roles/{role_id}
Get a specific system role assignment for a user. This is the same API as
``HEAD /v3/system/users/{user_id}/roles/{role_id}``.
Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/system_user_role``
Request
-------
Parameters
~~~~~~~~~~
.. rest_parameters:: parameters.yaml
- user_id: user_id_path
- role_id: role_id_path
Response
--------
Status Codes
~~~~~~~~~~~~
.. rest_status_code:: success status.yaml
- 204
.. rest_status_code:: error status.yaml
- 400
- 401
- 403
- 404
Delete a system role assignment from a user
===========================================
.. rest_method:: DELETE /v3/system/users/{user_id}/roles/{role_id}
Remove a system role assignment from a user.
Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/system_user_role``
Request
-------
Parameters
~~~~~~~~~~
.. rest_parameters:: parameters.yaml
- user_id: user_id_path
- role_id: role_id_path
Response
--------
Status Codes
~~~~~~~~~~~~
.. rest_status_code:: success status.yaml
- 204
.. rest_status_code:: error status.yaml
- 400
- 401
- 403
- 404
List system role assignments for a group
========================================
.. rest_method:: GET /v3/system/groups/{group_id}/roles
Lists all system role assignment a group has.
Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/system_group_roles``
Request
-------
Parameters
~~~~~~~~~~
.. rest_parameters:: parameters.yaml
- group_id: group_id_path
Response
--------
Parameters
~~~~~~~~~~
.. rest_parameters:: parameters.yaml
- links: link_response_body
- roles: system_roles_response_body
Status Codes
~~~~~~~~~~~~
.. rest_status_code:: success status.yaml
- 200
.. rest_status_code:: error status.yaml
- 400
- 401
- 403
Example
~~~~~~~
.. literalinclude:: ./samples/admin/list-system-roles-for-group-response.json
:language: javascript
The functionality of this request can also be achieved using the generalized
list assignments API::
GET /role_assignments?group.id={group_id}&scope.system
Assign a system role to a group
===============================
.. rest_method:: PUT /v3/system/groups/{group_id}/roles/{role_id}
Grant a group a role on the system.
Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/system_group_role``
Request
-------
Parameters
~~~~~~~~~~
.. rest_parameters:: parameters.yaml
- group_id: group_id_path
- role_id: role_id_path
Response
--------
Status Codes
~~~~~~~~~~~~
.. rest_status_code:: success status.yaml
- 204
.. rest_status_code:: error status.yaml
- 400
- 401
- 403
- 404
Check group for a system role assignment
========================================
.. rest_method:: HEAD /v3/system/groups/{group_id}/roles/{role_id}
Check if a specific group has a role assignment on the system.
Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/system_group_role``
Request
-------
Parameters
~~~~~~~~~~
.. rest_parameters:: parameters.yaml
- group_id: group_id_path
- role_id: role_id_path
Response
--------
Status Codes
~~~~~~~~~~~~
.. rest_status_code:: success status.yaml
- 204
.. rest_status_code:: error status.yaml
- 400
- 401
- 403
- 404
Get system role assignment for a group
======================================
.. rest_method:: GET /v3/system/groups/{group_id}/roles/{role_id}
Get a specific system role assignment for a group. This is the same API as
``HEAD /v3/system/groups/{group_id}/roles/{role_id}``.
Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/system_group_role``
Request
-------
Parameters
~~~~~~~~~~
.. rest_parameters:: parameters.yaml
- group_id: group_id_path
- role_id: role_id_path
Response
--------
Status Codes
~~~~~~~~~~~~
.. rest_status_code:: success status.yaml
- 204
.. rest_status_code:: error status.yaml
- 400
- 401
- 403
- 404
Delete a system role assignment from a group
============================================
.. rest_method:: DELETE /v3/system/groups/{group_id}/roles/{role_id}
Remove a system role assignment from a group.
Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/system_group_role``
Request
-------
Parameters
~~~~~~~~~~
.. rest_parameters:: parameters.yaml
- group_id: group_id_path
- role_id: role_id_path
Response
--------
Status Codes
~~~~~~~~~~~~
.. rest_status_code:: success status.yaml
- 204
.. rest_status_code:: error status.yaml
- 400
- 401
- 403
- 404