keystone/doc/source/getting-started/policy_mapping.rst
Colleen Murphy 67682dcd07 Expose access rules as its own API
This change creates a /v3/users/{user_id}/access_rules endpoint to allow
users to view and delete their own access rules. Access rules are not
automatically deleted when an application credential is deleted, so they
can be re-used for other application credentials or explicitly deleted
by the user. Access rules are automatically deleted when the user is
deleted, the same way that application credentials are. Access rules
that are in use by an application credential may not be deleted.

bp whitelist-extension-for-app-creds

Change-Id: I37d243d802cd538189ccfffee6ebf0624b7785d3
2019-09-14 03:14:20 -07:00


Mapping of policy target to API

The following table shows, for each API, the policy target — the rule name in the policy.json file that is enforced when that API is called.

Target API
identity:get_region GET /v3/regions/{region_id}
identity:list_regions GET /v3/regions
identity:create_region POST /v3/regions
identity:update_region PATCH /v3/regions/{region_id}

identity:delete_region

DELETE /v3/regions/{region_id}

identity:get_service GET /v3/services/{service_id}
identity:list_services GET /v3/services
identity:create_service POST /v3/services
identity:update_service PATCH /v3/services/{service_id}

identity:delete_service

DELETE /v3/services/{service_id}

identity:get_endpoint GET /v3/endpoints/{endpoint_id}
identity:list_endpoints GET /v3/endpoints
identity:create_endpoint POST /v3/endpoints
identity:update_endpoint PATCH /v3/endpoints/{endpoint_id}

identity:delete_endpoint

DELETE /v3/endpoints/{endpoint_id}

identity:get_registered_limit GET /v3/registered_limits/{registered_limit_id}
identity:list_registered_limits GET /v3/registered_limits
identity:create_registered_limits POST /v3/registered_limits
identity:update_registered_limit PATCH /v3/registered_limits/{registered_limit_id}

identity:delete_registered_limit

DELETE /v3/registered_limits/{registered_limit_id}

identity:get_limit GET /v3/limits/{limit_id}
identity:list_limits GET /v3/limits
identity:create_limits POST /v3/limits
identity:update_limit PATCH /v3/limits/{limit_id}
identity:delete_limit DELETE /v3/limits/{limit_id}

identity:get_limit_model

GET /v3/limits/model
HEAD /v3/limits/model

identity:get_domain GET /v3/domains/{domain_id}
identity:list_domains GET /v3/domains
identity:create_domain POST /v3/domains
identity:update_domain PATCH /v3/domains/{domain_id}

identity:delete_domain

DELETE /v3/domains/{domain_id}

identity:get_project GET /v3/projects/{project_id}
identity:list_projects GET /v3/projects
identity:list_user_projects GET /v3/users/{user_id}/projects
identity:create_project POST /v3/projects
identity:update_project PATCH /v3/projects/{project_id}

identity:delete_project

DELETE /v3/projects/{project_id}

identity:get_project_tag

GET /v3/projects/{project_id}/tags/{tag_name}
HEAD /v3/projects/{project_id}/tags/{tag_name}

identity:list_project_tags

GET /v3/projects/{project_id}/tags
HEAD /v3/projects/{project_id}/tags

identity:create_project_tag PUT /v3/projects/{project_id}/tags/{tag_name}
identity:update_project_tags PUT /v3/projects/{project_id}/tags
identity:delete_project_tag DELETE /v3/projects/{project_id}/tags/{tag_name}

identity:delete_project_tags

DELETE /v3/projects/{project_id}/tags

identity:get_user GET /v3/users/{user_id}
identity:list_users GET /v3/users
identity:create_user POST /v3/users
identity:update_user PATCH /v3/users/{user_id}

identity:delete_user

DELETE /v3/users/{user_id}

identity:get_group GET /v3/groups/{group_id}
identity:list_groups GET /v3/groups
identity:list_groups_for_user GET /v3/users/{user_id}/groups
identity:create_group POST /v3/groups
identity:update_group PATCH /v3/groups/{group_id}
identity:delete_group DELETE /v3/groups/{group_id}
identity:list_users_in_group GET /v3/groups/{group_id}/users
identity:remove_user_from_group DELETE /v3/groups/{group_id}/users/{user_id}
identity:check_user_in_group GET /v3/groups/{group_id}/users/{user_id}

identity:add_user_to_group

PUT /v3/groups/{group_id}/users/{user_id}

identity:get_credential GET /v3/credentials/{credential_id}
identity:list_credentials GET /v3/credentials
identity:create_credential POST /v3/credentials
identity:update_credential PATCH /v3/credentials/{credential_id}

identity:delete_credential

DELETE /v3/credentials/{credential_id}

identity:ec2_get_credential GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
identity:ec2_list_credentials GET /v3/users/{user_id}/credentials/OS-EC2
identity:ec2_create_credential POST /v3/users/{user_id}/credentials/OS-EC2

identity:ec2_delete_credential

DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id}

identity:get_role GET /v3/roles/{role_id}
identity:list_roles GET /v3/roles
identity:create_role POST /v3/roles
identity:update_role PATCH /v3/roles/{role_id}

identity:delete_role

DELETE /v3/roles/{role_id}

identity:get_domain_role GET /v3/roles/{role_id} where role.domain_id is not null
identity:list_domain_roles GET /v3/roles?domain_id where role.domain_id is not null
identity:create_domain_role POST /v3/roles where role.domain_id is not null
identity:update_domain_role PATCH /v3/roles/{role_id} where role.domain_id is not null

identity:delete_domain_role

DELETE /v3/roles/{role_id} where role.domain_id is not null

identity:get_implied_role GET /v3/roles/{prior_role_id}/implies/{implied_role_id}
identity:list_implied_roles GET /v3/roles/{prior_role_id}/implies
identity:create_implied_role PUT /v3/roles/{prior_role_id}/implies/{implied_role_id}
identity:delete_implied_role DELETE /v3/roles/{prior_role_id}/implies/{implied_role_id}
identity:list_role_inference_rules GET /v3/role_inferences

identity:check_implied_role

HEAD /v3/roles/{prior_role_id}/implies/{implied_role_id}

identity:check_grant GET grant_resources
identity:list_grants GET grant_collections
identity:create_grant PUT grant_resources

identity:revoke_grant

DELETE grant_resources

identity:list_system_grants_for_user GET /v3/system/users/{user_id}/roles
identity:check_system_grant_for_user GET /v3/system/users/{user_id}/roles/{role_id}
identity:create_system_grant_for_user PUT /v3/system/users/{user_id}/roles/{role_id}

identity:revoke_system_grant_for_user

DELETE /v3/system/users/{user_id}/roles/{role_id}

identity:list_system_grants_for_group GET /v3/system/groups/{group_id}/roles
identity:check_system_grant_for_group GET /v3/system/groups/{group_id}/roles/{role_id}
identity:create_system_grant_for_group PUT /v3/system/groups/{group_id}/roles/{role_id}

identity:revoke_system_grant_for_group

DELETE /v3/system/groups/{group_id}/roles/{role_id}

identity:list_role_assignments GET /v3/role_assignments

identity:list_role_assignments_for_tree

GET /v3/role_assignments?include_subtree

identity:get_policy GET /v3/policy/{policy_id}
identity:list_policies GET /v3/policy
identity:create_policy POST /v3/policy
identity:update_policy PATCH /v3/policy/{policy_id}

identity:delete_policy

DELETE /v3/policy/{policy_id}

identity:check_token HEAD /v3/auth/tokens
identity:validate_token GET /v3/auth/tokens
identity:revocation_list GET /v3/auth/tokens/OS-PKI/revoked
identity:revoke_token DELETE /v3/auth/tokens
identity:create_trust POST /v3/OS-TRUST/trusts
identity:list_trusts GET /v3/OS-TRUST/trusts
identity:list_trusts_for_trustor GET /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}
identity:list_trusts_for_trustee GET /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}
identity:list_roles_for_trust GET /v3/OS-TRUST/trusts/{trust_id}/roles
identity:get_role_for_trust GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
identity:delete_trust DELETE /v3/OS-TRUST/trusts/{trust_id}

identity:get_trust

GET /v3/OS-TRUST/trusts/{trust_id}

identity:create_consumer POST /v3/OS-OAUTH1/consumers
identity:get_consumer GET /v3/OS-OAUTH1/consumers/{consumer_id}
identity:list_consumers GET /v3/OS-OAUTH1/consumers
identity:delete_consumer DELETE /v3/OS-OAUTH1/consumers/{consumer_id}

identity:update_consumer

PATCH /v3/OS-OAUTH1/consumers/{consumer_id}

identity:authorize_request_token PUT /v3/OS-OAUTH1/authorize/{request_token_id}
identity:list_access_token_roles GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
identity:get_access_token_role GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
identity:list_access_tokens GET /v3/users/{user_id}/OS-OAUTH1/access_tokens
identity:get_access_token GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}

identity:delete_access_token

DELETE /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}

identity:list_projects_for_endpoint GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
identity:add_endpoint_to_project PUT /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
identity:check_endpoint_in_project GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
identity:list_endpoints_for_project GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints

identity:remove_endpoint_from_project

DELETE /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

identity:create_endpoint_group POST /v3/OS-EP-FILTER/endpoint_groups
identity:list_endpoint_groups GET /v3/OS-EP-FILTER/endpoint_groups
identity:get_endpoint_group GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
identity:update_endpoint_group PATCH /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
identity:delete_endpoint_group DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
identity:list_projects_associated_with_endpoint_group GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
identity:list_endpoints_associated_with_endpoint_group GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
identity:get_endpoint_group_in_project GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
identity:list_endpoint_groups_for_project GET /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups
identity:add_endpoint_group_to_project PUT /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}

identity:remove_endpoint_group_from_project

DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}

identity:create_identity_provider PUT /v3/OS-FEDERATION/identity_providers/{idp_id}
identity:list_identity_providers GET /v3/OS-FEDERATION/identity_providers
identity:get_identity_provider GET /v3/OS-FEDERATION/identity_providers/{idp_id}
identity:update_identity_provider PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}

identity:delete_identity_provider

DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}

identity:create_protocol PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
identity:update_protocol PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
identity:get_protocol GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
identity:list_protocols GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols

identity:delete_protocol

DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

identity:create_mapping PUT /v3/OS-FEDERATION/mappings/{mapping_id}
identity:get_mapping GET /v3/OS-FEDERATION/mappings/{mapping_id}
identity:list_mappings GET /v3/OS-FEDERATION/mappings
identity:delete_mapping DELETE /v3/OS-FEDERATION/mappings/{mapping_id}

identity:update_mapping

PATCH /v3/OS-FEDERATION/mappings/{mapping_id}

identity:create_service_provider PUT /v3/OS-FEDERATION/service_providers/{sp_id}
identity:list_service_providers GET /v3/OS-FEDERATION/service_providers
identity:get_service_provider GET /v3/OS-FEDERATION/service_providers/{sp_id}
identity:update_service_provider PATCH /v3/OS-FEDERATION/service_providers/{sp_id}

identity:delete_service_provider

DELETE /v3/OS-FEDERATION/service_providers/{sp_id}

identity:get_auth_catalog GET /v3/auth/catalog
identity:get_auth_projects GET /v3/auth/projects
identity:get_auth_domains GET /v3/auth/domains

identity:get_auth_system

GET /v3/auth/system

identity:list_projects_for_user GET /v3/OS-FEDERATION/projects

identity:list_domains_for_user

GET /v3/OS-FEDERATION/domains

identity:list_revoke_events

GET /v3/OS-REVOKE/events

identity:create_policy_association_for_endpoint PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
identity:check_policy_association_for_endpoint GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
identity:delete_policy_association_for_endpoint DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
identity:create_policy_association_for_service PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
identity:check_policy_association_for_service GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
identity:delete_policy_association_for_service DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
identity:create_policy_association_for_region_and_service PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
identity:check_policy_association_for_region_and_service GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
identity:delete_policy_association_for_region_and_service DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
identity:get_policy_for_endpoint GET /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy

identity:list_endpoints_for_policy

GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints

identity:create_domain_config PUT /v3/domains/{domain_id}/config

identity:get_domain_config

GET /v3/domains/{domain_id}/config
GET /v3/domains/{domain_id}/config/{group}
GET /v3/domains/{domain_id}/config/{group}/{option}

identity:get_security_compliance_domain_config

GET /v3/domains/{domain_id}/config/security_compliance
GET /v3/domains/{domain_id}/config/security_compliance/{option}

identity:update_domain_config

PATCH /v3/domains/{domain_id}/config
PATCH /v3/domains/{domain_id}/config/{group}
PATCH /v3/domains/{domain_id}/config/{group}/{option}

identity:delete_domain_config

DELETE /v3/domains/{domain_id}/config
DELETE /v3/domains/{domain_id}/config/{group}
DELETE /v3/domains/{domain_id}/config/{group}/{option}

identity:get_domain_config_default

GET /v3/domains/config/default
GET /v3/domains/config/{group}/default
GET /v3/domains/config/{group}/{option}/default

identity:get_application_credential GET /v3/users/{user_id}/application_credentials/{application_credential_id}
identity:list_application_credentials GET /v3/users/{user_id}/application_credentials
identity:create_application_credential POST /v3/users/{user_id}/application_credentials

identity:delete_application_credential

DELETE /v3/users/{user_id}/application_credentials/{application_credential_id}

identity:get_access_rule GET /v3/users/{user_id}/access_rules/{access_rule_id}
identity:list_access_rules GET /v3/users/{user_id}/access_rules

identity:delete_access_rule

DELETE /v3/users/{user_id}/access_rules/{access_rule_id}

grant_resources are:

  • /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
  • /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
  • /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
  • /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
  • /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  • /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
  • /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  • /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

grant_collections are:

  • /v3/projects/{project_id}/users/{user_id}/roles
  • /v3/projects/{project_id}/groups/{group_id}/roles
  • /v3/domains/{domain_id}/users/{user_id}/roles
  • /v3/domains/{domain_id}/groups/{group_id}/roles
  • /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
  • /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects