OpenStack Identity (Keystone)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 

2179 lines
56 KiB

# variables in header
Openstack-Auth-Receipt:
description: |
The auth receipt. A partially successful authentication
response returns the auth receipt ID in this header rather than in the
response body.
in: header
required: true
type: string
X-Auth-Token:
description: |
A valid authentication token for an
administrative user.
in: header
required: true
type: string
X-Subject-Token:
description: |
The authentication token. An authentication
response returns the token ID in this header rather than in the
response body.
in: header
required: true
type: string
# variables in path
credential_id_path:
description: |
The UUID for the credential.
in: path
required: true
type: string
domain_id_path:
description: |
The domain ID.
in: path
required: true
type: string
endpoint_id_path:
description: |
The endpoint ID.
in: path
required: true
type: string
group_id:
description: |
The group ID.
in: path
required: true
type: string
group_id_path:
description: |
The group ID.
in: path
required: true
type: string
implies_role_id:
description: |
Role ID for an implied role.
in: path
required: true
type: string
limit_id_path:
description: |
The limit ID.
in: path
required: true
type: string
option:
description: |
The option name. For the ``ldap`` group, a valid
value is ``url`` or ``user_tree_dn``. For the ``identity`` group,
a valid value is ``driver``.
in: path
required: true
type: string
policy_id_path:
description: |
The policy ID.
in: path
required: true
type: string
prior_role_id:
description: |
Role ID for a prior role.
in: path
required: true
type: string
project_id_path:
description: |
The project ID.
in: path
required: true
type: string
project_tag_path:
description: |
A simple string associated with a project. Can be used for assigning
values to projects and filtering based on those values.
in: path
required: true
type: string
region_id_path:
description: |
The region ID.
in: path
required: true
type: string
registered_limit_id_path:
description: |
The registered limit ID.
in: path
required: true
type: string
request_access_rule_id_path_required:
description: |
The ID of the access rule.
in: path
required: true
type: string
request_access_rule_user_id_path_required:
description: |
The ID of the user who owns the access rule.
in: path
required: true
type: string
request_application_credential_id_path_required:
description: |
The ID of the application credential.
in: path
required: true
type: string
request_application_credential_user_id_path_required:
description: |
The ID of the user who owns the application credential.
in: path
required: true
type: string
role_id:
description: |
The role ID.
in: path
required: true
type: string
role_id_path:
description: |
The role ID.
in: path
required: true
type: string
service_id_path:
description: |
The service ID.
in: path
required: true
type: string
user_id_path:
description: |
The user ID.
in: path
required: true
type: string
# variables in query
allow_expired:
description: |
(Since v3.8) Allow fetching a token that has expired. By default expired
tokens return a 404 exception.
in: query
required: false
type: bool
domain_enabled_query:
description: |
If set to true, then only domains that are enabled will be returned, if set
to false only that are disabled will be returned. Any value other than
``0``, including no value, will be interpreted as true.
in: query
required: false
type: string
domain_id_query:
description: |
Filters the response by a domain ID.
in: query
required: false
type: string
domain_name_query:
description: |
Filters the response by a domain name.
in: query
required: false
type: string
effective_query:
description: |
Returns the effective assignments, including any assignments gained by
virtue of group membership.
in: query
required: false
type: key-only (no value required)
enabled_user_query:
description: |
Filters the response by either enabled (``true``)
or disabled (``false``) users.
in: query
required: false
type: string
group_id_query:
description: |
Filters the response by a group ID.
in: query
required: false
type: string
group_name_query:
description: |
Filters the response by a group name.
in: query
required: false
type: string
idp_id_query:
description: |
Filters the response by an identity provider ID.
in: query
required: false
type: string
include_limits:
description: |
It should be used together with `parents_as_list` or `subtree_as_list`
filter to add the related project's limits into the response body.
in: query
required: false
type: key-only, no value expected
include_names_query:
description: |
If set to true, then the names of any entities returned will be include as
well as their IDs. Any value other than ``0`` (including no value) will be
interpreted as true.
in: query
required: false
type: boolean
min_version: 3.6
include_subtree_query:
description: |
If set to true, then relevant assignments in the project hierarchy below
the project specified in the ``scope.project_id`` query parameter are also
included in the response. Any value other than ``0`` (including no value)
for ``include_subtree`` will be interpreted as true.
in: query
required: false
type: boolean
min_version: 3.6
interface_query:
description: |
Filters the response by an interface.
in: query
required: false
type: string
is_domain_query:
description: |
If this is specified as true, then only projects acting as a domain are
included. Otherwise, only projects that are not acting as a domain are
included.
in: query
required: false
type: boolean
min_version: 3.6
name_user_query:
description: |
Filters the response by a user name.
in: query
required: false
type: string
nocatalog:
description: |
(Since v3.1) The authentication response excludes
the service catalog. By default, the response includes the service
catalog.
in: query
required: false
type: string
parent_id_query:
description: |
Filters the response by a parent ID.
in: query
required: false
type: string
min_version: 3.4
parent_region_id_query_not_required:
description: |
Filters the response by a parent region, by ID.
in: query
required: false
type: string
parents_as_ids:
description: |
The entire parent hierarchy will be included as
nested dictionaries in the response. It will contain
all projects ids found by traversing up the hierarchy
to the top-level project.
in: query
required: false
type: key-only, no value expected
min_version: 3.4
parents_as_list:
description: |
The parent hierarchy will be included as a list in the response.
This list will contain the projects found by traversing up the
hierarchy to the top-level project. The returned list will be
filtered against the projects the user has an effective role
assignment on.
in: query
required: false
type: key-only, no value expected
min_version: 3.4
password_expires_at_query:
description: |
Filter results based on which user passwords have expired. The query should
include an ``operator`` and a ``timestamp`` with a colon (``:``) separating
the two, for example::
password_expires_at={operator}:{timestamp}
- Valid operators are: ``lt``, ``lte``, ``gt``, ``gte``, ``eq``, and ``neq``
- lt: expiration time lower than the timestamp
- lte: expiration time lower than or equal to the timestamp
- gt: expiration time higher than the timestamp
- gte: expiration time higher than or equal to the timestamp
- eq: expiration time equal to the timestamp
- neq: expiration time not equal to the timestamp
- Valid timestamps are of the form: ``YYYY-MM-DDTHH:mm:ssZ``.
For example::
/v3/users?password_expires_at=lt:2016-12-08T22:02:00Z
The example would return a list of users whose password expired before the
timestamp (``2016-12-08T22:02:00Z``).
in: query
required: false
type: string
policy_type_query:
description: |
Filters the response by a MIME media type for the
serialized policy blob. For example, ``application/json``.
in: query
required: false
type: string
project_enabled_query:
description: |
If set to true, then only enabled projects will be returned. Any value
other than ``0`` (including no value) will be interpreted as true.
in: query
required: false
type: boolean
project_name_query:
description: |
Filters the response by a project name.
in: query
required: false
type: string
protocol_id_query:
description: |
Filters the response by a protocol ID.
in: query
required: false
type: string
region_id_query:
description: |
Filters the response by a region ID.
in: query
required: false
type: string
request_application_credential_name_query_not_required:
description: |
The name of the application credential. Must be unique to a user.
in: query
required: false
type: string
request_nocatalog_unscoped_path_not_required:
description: |
(Since v3.1) nocatalog only works for scoped token. For unscoped token, the
authentication response always excludes the service catalog.
in: query
required: false
type: string
resource_name_query:
description: |
Filters the response by a specified resource name.
in: query
required: false
type: string
role_id_query:
description: |
Filters the response by a role ID.
in: query
required: false
type: string
role_name_query:
description: |
Filters the response by a role name.
in: query
required: false
type: string
scope_domain_id_query:
description: |
Filters the response by a domain ID.
in: query
required: false
type: string
scope_os_inherit_inherited_to:
description: |
Filters based on role assignments that are inherited.
The only value of ``inherited_to`` that is currently
supported is ``projects``.
in: query
required: false
type: string
scope_project_id_query:
description: |
Filters the response by a project ID.
in: query
required: false
type: string
scope_system_query:
description: |
Filters the response by system assignments.
in: query
required: false
type: string
service_id_query:
description: |
Filters the response by a service ID.
in: query
required: false
type: string
service_type_query:
description: |
Filters the response by a service type. A valid
value is ``compute``, ``ec2``, ``identity``, ``image``,
``network``, or ``volume``.
in: query
required: false
type: string
subtree_as_ids:
description: |
The entire child hierarchy will be included as nested dictionaries
in the response. It will contain all the projects ids found by
traversing down the hierarchy.
in: query
required: false
type: key-only, no value expected
min_version: 3.4
subtree_as_list:
description: |
The child hierarchy will be included as a list in the response.
This list will contain the projects found by traversing down
the hierarchy. The returned list will be filtered against the
projects the user has an effective role assignment on.
in: query
required: false
type: key-only, no value expected
min_version: 3.4
unique_id_query:
description: |
Filters the response by a unique ID.
in: query
required: false
type: string
user_id_query:
description: |
Filters the response by a user ID.
in: query
required: false
type: string
# variables in body
audit_ids:
description: |
A list of one or two audit IDs. An audit ID is a
unique, randomly generated, URL-safe string that you can use to
track a token. The first audit ID is the current audit ID for the
token. The second audit ID is present for only re-scoped tokens
and is the audit ID from the token before it was re-scoped. A re-
scoped token is one that was exchanged for another token of the
same or different scope. You can use these audit IDs to track the
use of a token or chain of tokens across multiple requests and
endpoints without exposing the token ID to non-privileged users.
in: body
required: true
type: array
auth:
description: |
An ``auth`` object.
in: body
required: true
type: object
auth_application_credential_restricted_body:
description: |
Whether the application credential is permitted to be used for creating and
deleting additional application credentials and trusts.
in: body
required: true
type: object
auth_domain:
description: |
Specify either ``id`` or ``name`` to uniquely
identify the domain.
in: body
required: false
type: object
auth_methods:
description: |
The authentication methods, which are commonly ``password``,
``token``, or other methods. Indicates the accumulated set of
authentication methods that were used to obtain the token. For
example, if the token was obtained by password authentication, it
contains ``password``. Later, if the token is exchanged by using
the token authentication method one or more times, the
subsequently created tokens contain both ``password`` and
``token`` in their ``methods`` attribute. Unlike multi-factor
authentication, the ``methods`` attribute merely indicates the
methods that were used to authenticate the user in exchange for a
token. The client is responsible for determining the total number
of authentication factors.
in: body
required: true
type: array
auth_methods_application_credential:
description: |
The authentication method. To authenticate with an application credential,
specify ``application_credential``.
in: body
required: true
type: array
auth_methods_passwd:
description: |
The authentication method. For password
authentication, specify ``password``.
in: body
required: true
type: array
auth_methods_receipt:
description: |
The authentication methods, which are commonly ``password``,
``totp``, or other methods. Indicates the accumulated set of
authentication methods that were used to obtain the receipt. For
example, if the receipt was obtained by password authentication, it
contains ``password``. Later, if the receipt is exchanged by using
another authentication method one or more times, the
subsequently created receipts could contain both ``password`` and
``totp`` in their ``methods`` attribute.
in: body
required: true
type: array
auth_methods_token:
description: |
The authentication method. For token
authentication, specify ``token``.
in: body
required: true
type: array
auth_methods_totp:
description: |
The authentication method. For totp
authentication, specify ``totp``.
in: body
required: true
type: array
auth_token:
description: |
A ``token`` object. The token authentication
method is used. This method is typically used in combination with
a request to change authorization scope.
in: body
required: true
type: object
auth_token_id:
description: |
A token ID.
in: body
required: true
type: string
catalog:
description: |
A ``catalog`` object.
in: body
required: true
type: array
catalog_response_body_optional:
description: |
A ``catalog`` object.
in: body
required: false
type: array
credential:
description: |
A ``credential`` object.
in: body
required: true
type: object
credential_blob:
description: |
The credential itself, as a serialized blob.
in: body
required: true
type: string
credential_blob_not_required:
description: |
The credential itself, as a serialized blob.
in: body
required: false
type: string
credential_id:
description: |
The UUID for the credential.
in: body
required: true
type: string
credential_links:
description: |
The links for the ``credential`` resource.
in: body
required: true
type: object
credential_type:
description: |
The credential type, such as ``ec2`` or ``cert``.
The implementation determines the list of supported types.
in: body
required: true
type: string
credential_type_not_required:
description: |
The credential type, such as ``ec2`` or ``cert``.
The implementation determines the list of supported types.
in: body
required: false
type: string
credential_user_id:
description: |
The ID of the user who owns the credential.
in: body
required: true
type: string
credential_user_id_not_required:
description: |
The ID of the user who owns the credential.
in: body
required: false
type: string
credentials:
description: |
A list of ``credential`` objects.
in: body
required: true
type: array
credentials_links:
description: |
The links for the ``credentials`` resource.
in: body
required: true
type: object
default_limit:
description: |
The default limit for the registered limit.
in: body
required: true
type: integer
default_project_id_request_body:
description: |
The ID of the default project for the user.
A user's default project must not be a domain. Setting this
attribute does not grant any actual authorization on the project,
and is merely provided for convenience. Therefore, the referenced
project does not need to exist within the user domain. (Since v3.1)
If the user does not have authorization to their default project,
the default project is ignored at token creation. (Since v3.1)
Additionally, if your default project is not valid, a token is
issued without an explicit scope of authorization.
in: body
required: false
type: string
default_project_id_response_body:
description: |
The ID of the default project for the user.
in: body
required: false
type: string
default_project_id_update_body:
description: |
The new ID of the default project for the user.
in: body
required: false
type: string
description_limit_request_body:
description: |
The limit description.
in: body
required: false
type: string
description_limit_response_body:
description: |
The limit description.
in: body
required: true
type: string
description_region_request_body:
description: |
The region description.
in: body
required: false
type: string
description_region_response_body:
description: |
The region description.
in: body
required: true
type: string
description_registered_limit_request_body:
description: |
The registered limit description.
in: body
required: false
type: string
description_registered_limit_response_body:
description: |
The registered limit description.
in: body
required: true
type: string
domain:
description: |
A ``domain`` object
in: body
required: true
type: object
domain_config:
description: |
A ``config`` object.
in: body
required: true
type: object
domain_description_request_body:
description: |
The description of the domain.
in: body
required: false
type: string
domain_description_response_body:
description: |
The description of the domain.
in: body
required: true
type: string
domain_description_update_request_body:
description: |
The new description of the domain.
in: body
required: false
type: string
domain_driver:
description: |
The Identity backend driver.
in: body
required: true
type: string
domain_enabled_request_body:
description: |
If set to ``true``, domain is created enabled. If set to
``false``, domain is created disabled. The default is ``true``.
Users can only authorize against an enabled domain (and any of its
projects). In addition, users can only authenticate if the domain that owns
them is also enabled. Disabling a domain prevents both of these things.
in: body
required: false
type: string
domain_enabled_response_body:
description: |
If set to ``true``, domain is enabled. If set to
``false``, domain is disabled.
in: body
required: true
type: string
domain_enabled_update_request_body:
description: |
If set to ``true``, domain is enabled. If set to
``false``, domain is disabled. The default is ``true``.
Users can only authorize against an enabled domain (and any of its
projects). In addition, users can only authenticate if the domain that owns
them is also enabled. Disabling a domain prevents both of these things.
When you disable a domain, all tokens that are authorized for that domain
become invalid. However, if you reenable the domain, these tokens become
valid again, providing that they haven't expired.
in: body
required: false
type: string
domain_id_response_body:
description: |
The ID of the domain.
in: body
required: true
type: string
domain_ldap:
description: |
An ``ldap`` object. Required to set the LDAP
group configuration options.
in: body
required: true
type: object
domain_link_response_body:
description: |
The links to the ``domain`` resource.
in: body
required: true
type: object
domain_name_request_body:
description: |
The name of the domain.
in: body
required: true
type: string
domain_name_response_body:
description: |
The name of the domain.
in: body
required: true
type: string
domain_name_update_request_body:
description: |
The new name of the domain.
in: body
required: false
type: string
domain_scope_response_body_optional:
description: |
A ``domain`` object including the ``id`` and ``name`` representing the
domain the token is scoped to. This is only included in tokens that are
scoped to a domain.
in: body
required: false
type: object
domain_url:
description: |
The LDAP URL.
in: body
required: true
type: string
domain_user_tree_dn:
description: |
The base distinguished name (DN) of LDAP, from
where all users can be reached. For example,
``ou=Users,dc=root,dc=org``.
in: body
required: true
type: string
domains:
description: |
A list of ``domain`` objects
in: body
required: true
type: array
email:
description: |
The email address for the user.
in: body
required: true
type: string
enabled_user_request_body:
description: |
If the user is enabled, this value is ``true``.
If the user is disabled, this value is ``false``.
in: body
required: false
type: boolean
enabled_user_response_body:
description: |
If the user is enabled, this value is ``true``.
If the user is disabled, this value is ``false``.
in: body
required: true
type: boolean
enabled_user_update_body:
description: |
Enables or disables the user. An enabled user
can authenticate and receive authorization. A disabled user
cannot authenticate or receive authorization. Additionally, all
tokens that the user holds become no longer valid. If you reenable
this user, pre-existing tokens do not become valid. To enable the
user, set to ``true``. To disable the user, set to ``false``.
Default is ``true``.
in: body
required: false
type: boolean
endpoint:
description: |
An ``endpoint`` object.
in: body
required: true
type: object
endpoint_enabled:
description: |
Indicates whether the endpoint appears in the
service catalog: - ``false``. The endpoint does not appear in the
service catalog. - ``true``. The endpoint appears in the service
catalog.
in: body
required: true
type: boolean
endpoint_enabled_not_required:
description: |
Defines whether the endpoint appears in the
service catalog: - ``false``. The endpoint does not appear in the
service catalog. - ``true``. The endpoint appears in the service
catalog. Default is ``true``.
in: body
required: false
type: boolean
endpoint_id:
description: |
The endpoint ID.
in: body
required: true
type: string
endpoint_interface:
description: |
The interface type, which describes the
visibility of the endpoint. Value is: - ``public``. Visible by
end users on a publicly available network interface. -
``internal``. Visible by end users on an unmetered internal
network interface. - ``admin``. Visible by administrative users
on a secure network interface.
in: body
required: true
type: string
endpoint_links:
description: |
The links for the ``endpoint`` resource.
in: body
required: true
type: object
endpoint_name:
description: |
The endpoint name.
in: body
required: true
type: string
endpoint_region:
description: |
(Deprecated in v3.2) The geographic location of
the service endpoint.
in: body
required: true
type: string
endpoint_type:
description: |
The endpoint type.
in: body
required: true
type: string
endpoint_url:
description: |
The endpoint URL.
in: body
required: true
type: string
endpoints:
description: |
A list of ``endpoint`` objects.
in: body
required: true
type: array
endpoints_links:
description: |
The links for the ``endpoints`` resource.
in: body
required: true
type: object
expires_at:
description: |
The date and time when the token expires.
The date and time stamp format is `ISO 8601
<https://en.wikipedia.org/wiki/ISO_8601>`_:
::
CCYY-MM-DDThh:mm:ss.sssZ
For example, ``2015-08-27T09:49:58.000000Z``.
A ``null`` value indicates that the token never expires.
in: body
required: true
type: string
explicit_unscoped_string:
description: |
The authorization scope (Since v3.4). Specify
``unscoped`` to make an explicit unscoped token request, which
returns an unscoped response without any authorization. This
request behaves the same as a token request with no scope where
the user has no default project defined. If an explicit,
``unscoped`` token request is not made and the user has
authorization to their default project, then the response will
return a project-scoped token. If a default project is not defined,
a token is issued without an explicit scope of authorization,
which is the same as asking for an explicit unscoped token.
in: body
required: false
type: string
extra_request_body:
description: |
The extra attributes of a resource.
The actual name ``extra`` is not the key name in the request body,
but rather a collection of any attributes that a resource may contain
that are not part of the resource's default attributes.
Generally these are custom fields that are added to a resource in keystone
by operators for their own specific uses,
such as ``email`` and ``description`` for users.
in: body
required: false
type: string
group:
description: |
A ``group`` object
in: body
required: true
type: object
group_description_request_body:
description: |
The description of the group.
in: body
required: false
type: string
group_description_response_body:
description: |
The description of the group.
in: body
required: true
type: string
group_description_update_request_body:
description: |
The new description of the group.
in: body
required: false
type: string
group_domain_id:
description: |
The ID of the domain that owns the group. If you
omit the domain ID, defaults to the domain to which the client
token is scoped.
in: body
required: false
type: string
group_domain_id_request_body:
description: |
The ID of the domain of the group. If the domain ID is not
provided in the request, the Identity service will attempt to
pull the domain ID from the token used in the request. Note that
this requires the use of a domain-scoped token.
in: body
required: false
type: string
group_domain_id_response_body:
description: |
The ID of the domain of the group.
in: body
required: true
type: string
group_domain_id_update_request_body:
description: |
The ID of the new domain for the group. The ability to change the domain
of a group is now deprecated, and will be removed in subsequent release.
It is already disabled by default in most Identity service implementations.
in: body
required: false
type: string
group_id_response_body:
description: |
The ID of the group.
in: body
required: true
type: string
group_name_request_body:
description: |
The name of the group.
in: body
required: true
type: string
group_name_response_body:
description: |
The name of the group.
in: body
required: true
type: string
group_name_update_request_body:
description: |
The new name of the group.
in: body
required: false
type: string
groups:
description: |
A list of ``group`` objects
in: body
required: true
type: array
id_region_response_body:
description: |
The ID for the region.
in: body
required: true
type: string
id_region_resquest_body:
description: |
The ID for the region.
in: body
required: false
type: string
id_user_body:
description: |
The user ID.
in: body
required: true
type: string
identity:
description: |
An ``identity`` object.
in: body
required: true
type: object
implies_role_array_body:
description: |
An array of implied role objects.
in: body
required: true
type: array
implies_role_object_body:
description: |
An implied role object.
in: body
required: true
type: object
is_domain_request_body:
description: |
Indicates whether the project also acts as a domain. If set to ``true``,
this project acts as both a project and domain. As a domain, the project
provides a name space in which you can create users, groups, and other
projects. If set to ``false``, this project behaves as a regular project
that contains only resources. Default is ``false``. You cannot update
this parameter after you create the project.
in: body
required: false
type: boolean
min_version: 3.6
is_domain_response_body:
description: |
Indicates whether the project also acts as a domain. If set to ``true``,
this project acts as both a project and domain. As a domain, the project
provides a name space in which you can create users, groups, and other
projects. If set to ``false``, this project behaves as a regular project
that contains only resources.
in: body
required: true
type: boolean
min_version: 3.6
issued_at:
description: |
The date and time when the token was issued.
The date and time stamp format is `ISO 8601
<https://en.wikipedia.org/wiki/ISO_8601>`_:
::
CCYY-MM-DDThh:mm:ss.sssZ
For example, ``2015-08-27T09:49:58.000000Z``.
in: body
required: true
type: string
limit:
description: |
A ``limit`` object
in: body
required: true
type: array
limit_id:
description: |
The limit ID.
in: body
required: true
type: string
limit_model_description_required_response_body:
description: A short description of the enforcement model used
in: body
required: true
type: string
limit_model_name_required_response_body:
description: The name of the enforcement model
in: body
required: true
type: string
limit_model_required_response_body:
description: A model object describing the configured enforcement model used
by the deployment.
in: body
required: true
type: object
limits:
description: |
A list of ``limits`` objects
in: body
required: true
type: array
link_collection:
description: |
The link to the collection of resources.
in: body
required: true
type: object
link_response_body:
description: |
The link to the resources in question.
in: body
required: true
type: object
links_project:
description: |
The links for the ``project`` resource.
in: body
required: true
type: object
links_region:
description: |
The links for the ``region`` resource.
in: body
required: true
type: object
links_user:
description: |
The links for the ``user`` resource.
in: body
required: true
type: object
original_password:
description: |
The original password for the user.
in: body
required: true
type: string
parent_region_id_request_body:
description: |
To make this region a child of another region,
set this parameter to the ID of the parent region.
in: body
required: false
type: string
parent_region_id_response_body:
description: |
To make this region a child of another region,
set this parameter to the ID of the parent region.
in: body
required: true
type: string
password:
description: |
The ``password`` object, contains the authentication information.
in: body
required: true
type: object
password_expires_at:
description: |
The date and time when the password expires. The time zone
is UTC.
This is a response object attribute; not valid for requests.
A ``null`` value indicates that the password never expires.
in: body
required: true
type: string
min_version: 3.7
password_request_body:
description: |
The password for the user.
in: body
required: false
type: string
policies:
description: |
A ``policies`` object.
in: body
required: true
type: array
policy:
description: |
A ``policy`` object.
in: body
required: true
type: object
policy_blob_obj:
description: |
The policy rule itself, as a serialized blob.
in: body
required: true
type: object
policy_blob_str:
description: |
The policy rule set itself, as a serialized blob.
in: body
required: true
type: string
policy_id:
description: |
The policy ID.
in: body
required: true
type: string
policy_links:
description: |
The links for the ``policy`` resource.
in: body
required: true
type: object
policy_type:
description: |
The MIME media type of the serialized policy
blob.
in: body
required: true
type: string
prior_role_body:
description: |
A prior role object.
in: body
required: true
type: object
project:
description: |
A ``project`` object
in: body
required: true
type: object
project_description_request_body:
description: |
The description of the project.
in: body
required: false
type: string
project_description_response_body:
description: |
The description of the project.
in: body
required: true
type: string
project_domain_id:
description: |
The ID of the domain for the project. If you
omit the domain ID, default is the domain to which your token is
scoped.
in: body
required: false
type: string
project_domain_id_request_body:
description: |
The ID of the domain for the project.
For projects acting as a domain, the ``domain_id`` must not be specified,
it will be generated by the Identity service implementation.
For regular projects (i.e. those not acing as a domain), if ``domain_id``
is not specified, but ``parent_id`` is specified, then the domain ID of the
parent will be used. If neither ``domain_id`` or ``parent_id`` is
specified, the Identity service implementation will default to the domain
to which the client's token is scoped. If both ``domain_id`` and
``parent_id`` are specified, and they do not indicate the same domain, an
``Bad Request (400)`` will be returned.
in: body
required: false
type: string
project_domain_id_response_body:
description: |
The ID of the domain for the project.
in: body
required: true
type: string
project_domain_id_update_request_body:
description: |
The ID of the new domain for the project. The ability to change the domain
of a project is now deprecated, and will be removed in subequent release.
It is already disabled by default in most Identity service implementations.
in: body
required: false
type: string
project_enabled_request_body:
description: |
If set to ``true``, project is enabled. If set to
``false``, project is disabled. The default is ``true``.
in: body
required: false
type: boolean
project_enabled_response_body:
description: |
If set to ``true``, project is enabled. If set to
``false``, project is disabled.
in: body
required: true
type: boolean
project_enabled_update_request_body:
description: |
If set to ``true``, project is enabled. If set to
``false``, project is disabled.
in: body
required: false
type: boolean
project_id:
description: |
The ID for the project.
in: body
required: true
type: string
project_name_request_body:
description: |
The name of the project, which must be unique within the
owning domain. A project can have the same name as its domain.
in: body
required: true
type: string
project_name_response_body:
description: |
The name of the project.
in: body
required: true
type: string
project_name_update_request_body:
description: |
The name of the project, which must be unique within the
owning domain. A project can have the same name as its domain.
in: body
required: false
type: string
project_parent_id_request_body:
description: |
The ID of the parent of the project.
If specified on project creation, this places the project within a
hierarchy and implicitly defines the owning domain, which will be the
same domain as the parent specified. If ``parent_id`` is
not specified and ``is_domain`` is ``false``, then the project will use its
owning domain as its parent. If ``is_domain`` is ``true`` (i.e. the project
is acting as a domain), then ``parent_id`` must not specified (or if it is,
it must be ``null``) since domains have no parents.
``parent_id`` is immutable, and can't be updated after the project is
created - hence a project cannot be moved within the hierarchy.
in: body
required: false
type: string
min_version: 3.4
project_parent_id_response_body:
description: |
The ID of the parent for the project.
in: body
required: true
type: string
min_version: 3.4
project_scope_response_body_optional:
description: |
A ``project`` object including the ``id``, ``name`` and ``domain`` object
representing the project the token is scoped to. This is only included in
tokens that are scoped to a project.
in: body
required: false
type: object
project_tags_request_body:
description: |
A list of simple strings assigned to a project.
Tags can be used to classify projects into groups.
in: body
required: false
type: array
projects:
description: |
A list of ``project`` objects
in: body
required: true
type: array
receipt_expires_at:
description: |
The date and time when the receipt expires.
The date and time stamp format is `ISO 8601
<https://en.wikipedia.org/wiki/ISO_8601>`_:
::
CCYY-MM-DDThh:mm:ss.sssZ
For example, ``2015-08-27T09:49:58.000000Z``.
A ``null`` value indicates that the receipt never expires.
in: body
required: true
type: string
receipt_issued_at:
description: |
The date and time when the receipt was issued.
The date and time stamp format is `ISO 8601
<https://en.wikipedia.org/wiki/ISO_8601>`_:
::
CCYY-MM-DDThh:mm:ss.sssZ
For example, ``2015-08-27T09:49:58.000000Z``.
in: body
required: true
type: string
region_id_not_required:
description: |
(Since v3.2) The ID of the region that contains
the service endpoint.
in: body
required: false
type: string
region_id_request_body:
description: |
The ID of the region that contains the service endpoint.
in: body
required: false
type: string
region_id_required:
description: |
(Since v3.2) The ID of the region that contains
the service endpoint.
in: body
required: true
type: string
region_id_response_body:
description: |
The ID of the region that contains the service endpoint.
The value can be None.
in: body
required: true
type: string
region_object:
description: |
A ``region`` object
in: body
required: true
type: object
regions_object:
description: |
A list of ``region`` object
in: body
required: true
type: array
registered_limit:
description: |
A ``registered_limit`` objects
in: body
required: true
type: array
registered_limit_id:
description: |
The registered limit ID.
in: body
required: true
type: string
registered_limits:
description: |
A list of ``registered_limits`` objects
in: body
required: true
type: array
request_application_credential_access_rules_body_not_required:
description: |
A list of ``access_rules`` objects
in: body
required: false
type: list
request_application_credential_auth_id_body_not_required:
description: |
The ID of the application credential used for authentication. If not
provided, the application credential must be identified by its name and
its owning user.
in: body
required: false
type: string
request_application_credential_auth_name_body_not_required:
description: |
The name of the application credential used for authentication. If
provided, must be accompanied by a user object.
in: body
required: false
type: string
request_application_credential_auth_secret_body_required:
description: |
The secret for authenticating the application credential.
in: body
required: true
type: string
request_application_credential_body_required:
description: |
An application credential object.
in: body
required: true
type: object
request_application_credential_description_body_not_required:
description: |
A description of the application credential's purpose.
in: body
required: false
type: string
request_application_credential_expires_at_body_not_required:
description: |
An optional expiry time for the application credential. If unset, the
application credential does not expire.
in: body
required: false
type: string
request_application_credential_name_body_required:
description: |
The name of the application credential. Must be unique to a user.
in: body
required: true
type: string
request_application_credential_roles_body_not_required:
description: |
An optional list of role objects, identified by ID or name. The list
may only contain roles that the user has assigned on the project.
If not provided, the roles assigned to the application credential will
be the same as the roles in the current token.
in: body
required: false
type: array
request_application_credential_secret_body_not_required:
description: |
The secret that the application credential will be created with. If not
provided, one will be generated.
in: body
required: false
type: string
request_application_credential_unrestricted_body_not_required:
description: |
An optional flag to restrict whether the application credential may be
used for the creation or destruction of other application credentials or
trusts. Defaults to false.
in: body
required: false
type: boolean
request_application_credential_user_body_not_required:
description: |
A ``user`` object, required if an application credential is identified by
name and not ID.
in: body
required: false
type: object
request_default_limit_body_not_required:
description: |
The default limit for the registered limit.
in: body
required: false
type: integer
request_limit_domain_id_not_required:
description: |
The name of the domain.
in: body
required: false
type: string
request_limit_project_id_not_required:
description: |
The ID for the project.
in: body
required: false
type: string
request_region_id_registered_limit_body_not_required:
description: |
The ID of the region that contains the service endpoint.
Either service_id, resource_name, or region_id must be
different than existing value otherwise it will raise 409.
in: body
required: false
type: string
request_resource_limit_body_not_required:
description: |
The override limit.
in: body
required: false
type: integer
request_resource_name_body_not_required:
description: |
The resource name. Either service_id, resource_name or
region_id must be different than existing value otherwise
it will raise 409.
in: body
required: false
type: string
request_service_id_registered_limit_body_not_required:
description: |
The UUID of the service to update to which the registered
limit belongs. Either service_id, resource_name, or region_id
must be different than existing value otherwise it will
raise 409.
in: body
required: false
type: string
required_auth_methods:
description: |
A list of authentication rules that may be used with the auth receipt
to complete the authentication process.
in: body
required: true
type: list of lists
resource_limit:
description: |
The override limit.
in: body
required: true
type: integer
resource_name:
description: |
The resource name.
in: body
required: true
type: string
response_access_rules_body:
description: |
A list of ``access_rules`` objects
in: body
type: list
required: true
response_access_rules_id_body:
description: |
The ID of the access rule
in: body
type: string
required: true
response_access_rules_method_body:
description: |
The request method that the application credential is permitted to use for
a given API endpoint.
in: body
type: string
required: true
response_access_rules_path_body:
description: |
The API path that the application credential is permitted to access. May
use named wildcards such as ``{tag}`` or the unnamed wildcard ``*`` to
match against any string in the path up to a ``/``, or the recursive
wildcard ``**`` to include ``/`` in the matched path.
in: body
type: string
required: true
response_access_rules_service_body:
description: |
The service type identifier for the service that the application credential
is permitted to access. Must be a service type that is listed in the
service catalog and not a code name for a service.
in: body
type: string
required: true
response_application_credential_access_rules_body:
description: |
A list of ``access_rules`` objects
in: body
type: list
required: true
response_application_credential_body:
description: |
The application credential object.
in: body
type: object
required: true
response_application_credential_description_body:
description: |
A description of the application credential's purpose.
in: body
type: string
required: true
response_application_credential_expires_at_body:
description: |
The expiration time of the application credential, if one was specified.
in: body
type: string
required: true
response_application_credential_id_body:
description: |
The ID of the application credential.
in: body
type: string
required: true
response_application_credential_name_body:
description: |
The name of the application credential.
in: body
type: string
required: true
response_application_credential_project_id_body:
description: |
The ID of the project the application credential was created for and that
authentication requests using this application credential will be scoped
to.
in: body
type: string
required: true
response_application_credential_roles_body:
description: |
A list of one or more roles that this application credential has
associated with its project. A token using this application credential
will have these same roles.
in: body
type: array
required: true
response_application_credential_secret_body:
description: |
The secret for the application credential, either generated by the server
or provided by the user. This is only ever shown once in the response to a
create request. It is not stored nor ever shown again. If the secret is
lost, a new application credential must be created.
in: body
type: string
required: true
response_application_credential_unrestricted_body:
description: |
A flag indicating whether the application credential may be used for
creation or destruction of other application credentials or trusts.
in: body
type: boolean
required: true
response_body_project_tags_required:
description: |
A list of simple strings assigned to a project.
in: body
required: true
type: array
response_body_system_required:
description: |
A list of systems to access based on role assignments.
in: body
required: true
type: array
response_limit_domain_id_body:
description: |
The ID of the domain.
in: body
required: true
type: string
role:
description: |
A ``role`` object
in: body
required: true
type: object
role_assignments:
description: |
A list of ``role_assignment`` objects.
in: body
required: true
type: array
role_description_create_body:
description: |
Add description about the role.
in: body
required: false
type: string
role_description_response_body_required:
description: |
The role description.
in: body
required: true
type: string
role_description_update_body:
description: |
The new role description.
in: body
required: false
type: string
role_domain_id_request_body:
description: |
The ID of the domain of the role.
in: body
required: false
type: string
role_id_response_body:
description: |
The role ID.
in: body
required: true
type: string
role_inference_array_body:
description: |
An array of ``role_inference`` object.
in: body
required: true
type: array
role_inference_body:
description: |
Role inference object that contains ``prior_role`` object
and ``implies`` object.
in: body
required: true
type: object
role_name_create_body:
description: |
The role name.
in: body
required: true
type: string
role_name_response_body:
description: |
The role name.
in: body
required: true
type: string
role_name_update_body:
description: |
The new role name.
in: body
required: false
type: string
roles:
description: |
A list of ``role`` objects
in: body
required: true
type: array
scope_string:
description: |
The authorization scope, including the system (Since v3.10), a project, or
a domain (Since v3.4). If multiple scopes are specified in the same request
(e.g. ``project`` and ``domain`` or ``domain`` and ``system``) an HTTP
``400 Bad Request`` will be returned, as a token cannot be simultaneously
scoped to multiple authorization targets. An ID is sufficient to uniquely
identify a project but if a project is specified by name, then the domain
of the project must also be specified in order to uniquely identify the
project by name. A domain scope may be specified by either the domain's ID
or name with equivalent results.
in: body
required: false
type: string
service:
description: |
A ``service`` object.
in: body
required: true
type: object
service_description:
description: |
The service description.
in: body
required: false
type: string
service_description_not_required:
description: |
The service description.
in: body
required: false
type: string
service_enabled:
description: |
Defines whether the service and its endpoints
appear in the service catalog: - ``false``. The service and its
endpoints do not appear in the service catalog. - ``true``. The
service and its endpoints appear in the service catalog.
in: body
required: false
type: boolean
service_enabled_not_required:
description: |
Defines whether the service and its endpoints
appear in the service catalog: - ``false``. The service and its
endpoints do not appear in the service catalog. - ``true``. The
service and its endpoints appear in the service catalog.
Default is ``true``.
in: body
required: false
type: boolean
service_id:
description: |
The UUID of the service to which the endpoint
belongs.
in: body
required: true
type: string
service_id_limit:
description: |
The UUID of the service to which the limit belongs.
in: body
required: true
type: string
service_id_registered_limit:
description: |
The UUID of the service to which the registered limit
belongs.
in: body
required: true
type: string
service_links:
description: |
The links for the ``service`` resource.
in: body
required: true
type: object
service_name:
description: |
The service name.
in: body
required: true
type: string
service_type:
description: |
The service type, which describes the API
implemented by the service. Value is ``compute``, ``ec2``,
``identity``, ``image``, ``network``, or ``volume``.
in: body
required: true
type: string
services:
description: |
A list of ``service`` object.
in: body
required: true
type: array
system:
description: |
A ``system`` object.
in: body
required: false
type: object
system_roles_response_body:
description: |
A list of ``role`` objects containing ``domain_id``, ``id``, ``links``,
and ``name`` attributes.
in: body
required: true
type: array
system_scope_response_body_optional:
description: |
A ``system`` object containing information about which parts of the system
the token is scoped to. If the token is scoped to the entire deployment
system, the ``system`` object will consist of ``{"all": true}``. This is
only included in tokens that are scoped to the system.
in: body
required: false
type: object
system_scope_string:
description: |
Authorization scope specific to the deployment system (Since v3.10).
Specifying a project or domain scope in addition to system scope results
in an HTTP ``400 Bad Request``.
in: body
required: false
type: string
token:
description: |
A ``token`` object.
in: body
required: true
type: object
totp:
description: |
The ``totp`` object, contains the authentication information.
in: body
required: true
type: object
user:
description: |
A ``user`` object.
in: body
required: true
type: object
user_domain_id:
description: |
The ID of the domain for the user.
in: body
required: false
type: string
user_domain_id_request_body:
description: |
The ID of the domain of the user. If the domain ID is not
provided in the request, the Identity service will attempt to
pull the domain ID from the token used in the request. Note that
this requires the use of a domain-scoped token.
in: body
required: false
type: string
user_domain_id_update_body:
description: |
The ID of the new domain for the user. The ability to change the domain
of a user is now deprecated, and will be removed in subequent release.
It is already disabled by default in most Identity service implementations.
in: body
required: false
type: string
user_id:
description: |
The ID of the user. Required if you do not
specify the user name.
in: body
required: false
type: string
user_name:
description: |
The user name. Required if you do not specify
the ID of the user. If you specify the user name, you must also
specify the domain, by ID or name.
in: body
required: false
type: string
user_name_create_request_body:
description: |
The user name. Must be unique within the owning domain.
in: body
required: true
type: string
user_name_response_body:
description: |
The user name. Must be unique within the owning domain.
in: body
required: true
type: string
user_name_update_body:
description: |
The new name for the user. Must be unique within the owning domain.
in: body
required: false
type: string
user_object:
description: |
A ``user`` object
in: body
required: true
type: object
user_options_request_body:
description: |
The resource options for the user. Available resource options are
``ignore_change_password_upon_first_use``, ``ignore_password_expiry``,
``ignore_lockout_failure_attempts``, ``lock_password``,
``multi_factor_auth_enabled``, and ``multi_factor_auth_rules``.
in: body
required: false
type: object
user_options_response_body:
description: |
The resource options for the user. Only present in the response if set on
the user entity. Available resource options are
``ignore_change_password_upon_first_use``, ``ignore_password_expiry``,
``ignore_lockout_failure_attempts``, ``lock_password``,
``multi_factor_auth_enabled``, and ``multi_factor_auth_rules``.
in: body
required: false
type: object
user_password_update_body:
description: |
The new password for the user.
in: body
required: true
type: string
user_update_password_body:
description: |
The new password for the user.
in: body
required: false
type: string
users:
description: |
A ``users`` object.
in: body
required: true
type: array
users_object:
description: |
A list of ``user`` objects
in: body
required: true
type: array