6564b40641
Adds API ref examples for TOTP and Auth receipts. Adds docs for MFA and changes some of the user options docs. Change-Id: Id5497064e580093e4a2c7d904670a58095833b3b
2096 lines
54 KiB
YAML
2096 lines
54 KiB
YAML
# variables in header
|
|
Openstack-Auth-Receipt:
|
|
description: |
|
|
The auth receipt. A partially successful authentication
|
|
response returns the auth receipt ID in this header rather than in the
|
|
response body.
|
|
in: header
|
|
required: true
|
|
type: string
|
|
X-Auth-Token:
|
|
description: |
|
|
A valid authentication token for an
|
|
administrative user.
|
|
in: header
|
|
required: true
|
|
type: string
|
|
X-Subject-Token:
|
|
description: |
|
|
The authentication token. An authentication
|
|
response returns the token ID in this header rather than in the
|
|
response body.
|
|
in: header
|
|
required: true
|
|
type: string
|
|
|
|
# variables in path
|
|
credential_id_path:
|
|
description: |
|
|
The UUID for the credential.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
domain_id_path:
|
|
description: |
|
|
The domain ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
endpoint_id_path:
|
|
description: |
|
|
The endpoint ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
group_id:
|
|
description: |
|
|
The group ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
group_id_path:
|
|
description: |
|
|
The group ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
implies_role_id:
|
|
description: |
|
|
Role ID for an implied role.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
limit_id_path:
|
|
description: |
|
|
The limit ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
option:
|
|
description: |
|
|
The option name. For the ``ldap`` group, a valid
|
|
value is ``url`` or ``user_tree_dn``. For the ``identity`` group,
|
|
a valid value is ``driver``.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
policy_id_path:
|
|
description: |
|
|
The policy ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
prior_role_id:
|
|
description: |
|
|
Role ID for a prior role.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
project_id_path:
|
|
description: |
|
|
The project ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
project_tag_path:
|
|
description: |
|
|
A simple string associated with a project. Can be used for assigning
|
|
values to projects and filtering based on those values.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
region_id_path:
|
|
description: |
|
|
The region ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
registered_limit_id_path:
|
|
description: |
|
|
The registered limit ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
request_application_credential_id_path_required:
|
|
description: |
|
|
The ID of the application credential.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
request_application_credential_user_id_path_required:
|
|
description: |
|
|
The ID of the user who owns the application credential.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
role_id:
|
|
description: |
|
|
The role ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
role_id_path:
|
|
description: |
|
|
The role ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
service_id_path:
|
|
description: |
|
|
The service ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
user_id_path:
|
|
description: |
|
|
The user ID.
|
|
in: path
|
|
required: true
|
|
type: string
|
|
|
|
# variables in query
|
|
allow_expired:
|
|
description: |
|
|
(Since v3.8) Allow fetching a token that has expired. By default expired
|
|
tokens return a 404 exception.
|
|
in: query
|
|
required: false
|
|
type: bool
|
|
domain_enabled_query:
|
|
description: |
|
|
If set to true, then only domains that are enabled will be returned, if set
|
|
to false only that are disabled will be returned. Any value other than
|
|
``0``, including no value, will be interpreted as true.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
domain_id_query:
|
|
description: |
|
|
Filters the response by a domain ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
domain_name_query:
|
|
description: |
|
|
Filters the response by a domain name.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
effective_query:
|
|
description: |
|
|
Returns the effective assignments, including any assignments gained by
|
|
virtue of group membership.
|
|
in: query
|
|
required: false
|
|
type: key-only (no value required)
|
|
enabled_user_query:
|
|
description: |
|
|
Filters the response by either enabled (``true``)
|
|
or disabled (``false``) users.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
group_id_query:
|
|
description: |
|
|
Filters the response by a group ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
group_name_query:
|
|
description: |
|
|
Filters the response by a group name.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
idp_id_query:
|
|
description: |
|
|
Filters the response by an identity provider ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
include_limits:
|
|
description: |
|
|
It should be used together with `parents_as_list` or `subtree_as_list`
|
|
filter to add the related project's limits into the response body.
|
|
in: query
|
|
required: false
|
|
type: key-only, no value expected
|
|
include_names_query:
|
|
description: |
|
|
If set to true, then the names of any entities returned will be include as
|
|
well as their IDs. Any value other than ``0`` (including no value) will be
|
|
interpreted as true.
|
|
in: query
|
|
required: false
|
|
type: boolean
|
|
min_version: 3.6
|
|
include_subtree_query:
|
|
description: |
|
|
If set to true, then relevant assignments in the project hierarchy below
|
|
the project specified in the ``scope.project_id`` query parameter are also
|
|
included in the response. Any value other than ``0`` (including no value)
|
|
for ``include_subtree`` will be interpreted as true.
|
|
in: query
|
|
required: false
|
|
type: boolean
|
|
min_version: 3.6
|
|
interface_query:
|
|
description: |
|
|
Filters the response by an interface.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
is_domain_query:
|
|
description: |
|
|
If this is specified as true, then only projects acting as a domain are
|
|
included. Otherwise, only projects that are not acting as a domain are
|
|
included.
|
|
in: query
|
|
required: false
|
|
type: boolean
|
|
min_version: 3.6
|
|
name_user_query:
|
|
description: |
|
|
Filters the response by a user name.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
nocatalog:
|
|
description: |
|
|
(Since v3.1) The authentication response excludes
|
|
the service catalog. By default, the response includes the service
|
|
catalog.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
parent_id_query:
|
|
description: |
|
|
Filters the response by a parent ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
min_version: 3.4
|
|
parent_region_id_query_not_required:
|
|
description: |
|
|
Filters the response by a parent region, by ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
parents_as_ids:
|
|
description: |
|
|
The entire parent hierarchy will be included as
|
|
nested dictionaries in the response. It will contain
|
|
all projects ids found by traversing up the hierarchy
|
|
to the top-level project.
|
|
in: query
|
|
required: false
|
|
type: key-only, no value expected
|
|
min_version: 3.4
|
|
parents_as_list:
|
|
description: |
|
|
The parent hierarchy will be included as a list in the response.
|
|
This list will contain the projects found by traversing up the
|
|
hierarchy to the top-level project. The returned list will be
|
|
filtered against the projects the user has an effective role
|
|
assignment on.
|
|
in: query
|
|
required: false
|
|
type: key-only, no value expected
|
|
min_version: 3.4
|
|
password_expires_at_query:
|
|
description: |
|
|
Filter results based on which user passwords have expired. The query should
|
|
include an ``operator`` and a ``timestamp`` with a colon (``:``) separating
|
|
the two, for example::
|
|
|
|
password_expires_at={operator}:{timestamp}
|
|
|
|
- Valid operators are: ``lt``, ``lte``, ``gt``, ``gte``, ``eq``, and ``neq``
|
|
|
|
- lt: expiration time lower than the timestamp
|
|
- lte: expiration time lower than or equal to the timestamp
|
|
- gt: expiration time higher than the timestamp
|
|
- gte: expiration time higher than or equal to the timestamp
|
|
- eq: expiration time equal to the timestamp
|
|
- neq: expiration time not equal to the timestamp
|
|
|
|
- Valid timestamps are of the form: ``YYYY-MM-DDTHH:mm:ssZ``.
|
|
|
|
For example::
|
|
|
|
/v3/users?password_expires_at=lt:2016-12-08T22:02:00Z
|
|
|
|
The example would return a list of users whose password expired before the
|
|
timestamp (``2016-12-08T22:02:00Z``).
|
|
|
|
in: query
|
|
required: false
|
|
type: string
|
|
policy_type_query:
|
|
description: |
|
|
Filters the response by a MIME media type for the
|
|
serialized policy blob. For example, ``application/json``.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
project_enabled_query:
|
|
description: |
|
|
If set to true, then only enabled projects will be returned. Any value
|
|
other than ``0`` (including no value) will be interpreted as true.
|
|
in: query
|
|
required: false
|
|
type: boolean
|
|
project_name_query:
|
|
description: |
|
|
Filters the response by a project name.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
protocol_id_query:
|
|
description: |
|
|
Filters the response by a protocol ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
region_id_query:
|
|
description: |
|
|
Filters the response by a region ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
resource_name_query:
|
|
description: |
|
|
Filters the response by a specified resource name.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
role_id_query:
|
|
description: |
|
|
Filters the response by a role ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
role_name_query:
|
|
description: |
|
|
Filters the response by a role name.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
scope_domain_id_query:
|
|
description: |
|
|
Filters the response by a domain ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
scope_os_inherit_inherited_to:
|
|
description: |
|
|
Filters based on role assignments that are inherited.
|
|
The only value of ``inherited_to`` that is currently
|
|
supported is ``projects``.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
scope_project_id_query:
|
|
description: |
|
|
Filters the response by a project ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
scope_system_query:
|
|
description: |
|
|
Filters the response by system assignments.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
service_id_query:
|
|
description: |
|
|
Filters the response by a service ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
service_type_query:
|
|
description: |
|
|
Filters the response by a service type. A valid
|
|
value is ``compute``, ``ec2``, ``identity``, ``image``,
|
|
``network``, or ``volume``.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
subtree_as_ids:
|
|
description: |
|
|
The entire child hierarchy will be included as nested dictionaries
|
|
in the response. It will contain all the projects ids found by
|
|
traversing down the hierarchy.
|
|
in: query
|
|
required: false
|
|
type: key-only, no value expected
|
|
min_version: 3.4
|
|
subtree_as_list:
|
|
description: |
|
|
The child hierarchy will be included as a list in the response.
|
|
This list will contain the projects found by traversing down
|
|
the hierarchy. The returned list will be filtered against the
|
|
projects the user has an effective role assignment on.
|
|
in: query
|
|
required: false
|
|
type: key-only, no value expected
|
|
min_version: 3.4
|
|
unique_id_query:
|
|
description: |
|
|
Filters the response by a unique ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
user_id_query:
|
|
description: |
|
|
Filters the response by a user ID.
|
|
in: query
|
|
required: false
|
|
type: string
|
|
|
|
# variables in body
|
|
audit_ids:
|
|
description: |
|
|
A list of one or two audit IDs. An audit ID is a
|
|
unique, randomly generated, URL-safe string that you can use to
|
|
track a token. The first audit ID is the current audit ID for the
|
|
token. The second audit ID is present for only re-scoped tokens
|
|
and is the audit ID from the token before it was re-scoped. A re-
|
|
scoped token is one that was exchanged for another token of the
|
|
same or different scope. You can use these audit IDs to track the
|
|
use of a token or chain of tokens across multiple requests and
|
|
endpoints without exposing the token ID to non-privileged users.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
auth:
|
|
description: |
|
|
An ``auth`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
auth_application_credential_restricted_body:
|
|
description: |
|
|
Whether the application credential is permitted to be used for creating and
|
|
deleting additional application credentials and trusts.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
auth_domain:
|
|
description: |
|
|
Specify either ``id`` or ``name`` to uniquely
|
|
identify the domain.
|
|
in: body
|
|
required: false
|
|
type: object
|
|
auth_methods:
|
|
description: |
|
|
The authentication methods, which are commonly ``password``,
|
|
``token``, or other methods. Indicates the accumulated set of
|
|
authentication methods that were used to obtain the token. For
|
|
example, if the token was obtained by password authentication, it
|
|
contains ``password``. Later, if the token is exchanged by using
|
|
the token authentication method one or more times, the
|
|
subsequently created tokens contain both ``password`` and
|
|
``token`` in their ``methods`` attribute. Unlike multi-factor
|
|
authentication, the ``methods`` attribute merely indicates the
|
|
methods that were used to authenticate the user in exchange for a
|
|
token. The client is responsible for determining the total number
|
|
of authentication factors.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
auth_methods_application_credential:
|
|
description: |
|
|
The authentication method. To authenticate with an application credential,
|
|
specify ``application_credential``.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
auth_methods_passwd:
|
|
description: |
|
|
The authentication method. For password
|
|
authentication, specify ``password``.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
auth_methods_receipt:
|
|
description: |
|
|
The authentication methods, which are commonly ``password``,
|
|
``totp``, or other methods. Indicates the accumulated set of
|
|
authentication methods that were used to obtain the receipt. For
|
|
example, if the receipt was obtained by password authentication, it
|
|
contains ``password``. Later, if the receipt is exchanged by using
|
|
another authentication method one or more times, the
|
|
subsequently created receipts could contain both ``password`` and
|
|
``totp`` in their ``methods`` attribute.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
auth_methods_token:
|
|
description: |
|
|
The authentication method. For token
|
|
authentication, specify ``token``.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
auth_methods_totp:
|
|
description: |
|
|
The authentication method. For totp
|
|
authentication, specify ``totp``.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
auth_token:
|
|
description: |
|
|
A ``token`` object. The token authentication
|
|
method is used. This method is typically used in combination with
|
|
a request to change authorization scope.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
auth_token_id:
|
|
description: |
|
|
A token ID.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
catalog:
|
|
description: |
|
|
A ``catalog`` object.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
catalog_response_body_optional:
|
|
description: |
|
|
A ``catalog`` object.
|
|
in: body
|
|
required: false
|
|
type: array
|
|
credential:
|
|
description: |
|
|
A ``credential`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
credential_blob:
|
|
description: |
|
|
The credential itself, as a serialized blob.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
credential_blob_not_required:
|
|
description: |
|
|
The credential itself, as a serialized blob.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
credential_id:
|
|
description: |
|
|
The UUID for the credential.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
credential_links:
|
|
description: |
|
|
The links for the ``credential`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
credential_type:
|
|
description: |
|
|
The credential type, such as ``ec2`` or ``cert``.
|
|
The implementation determines the list of supported types.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
credential_type_not_required:
|
|
description: |
|
|
The credential type, such as ``ec2`` or ``cert``.
|
|
The implementation determines the list of supported types.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
credential_user_id:
|
|
description: |
|
|
The ID of the user who owns the credential.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
credential_user_id_not_required:
|
|
description: |
|
|
The ID of the user who owns the credential.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
credentials:
|
|
description: |
|
|
A list of ``credential`` objects.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
credentials_links:
|
|
description: |
|
|
The links for the ``credentials`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
default_limit:
|
|
description: |
|
|
The default limit for the registered limit.
|
|
in: body
|
|
required: true
|
|
type: integer
|
|
default_project_id_request_body:
|
|
description: |
|
|
The ID of the default project for the user.
|
|
A user's default project must not be a domain. Setting this
|
|
attribute does not grant any actual authorization on the project,
|
|
and is merely provided for convenience. Therefore, the referenced
|
|
project does not need to exist within the user domain. (Since v3.1)
|
|
If the user does not have authorization to their default project,
|
|
the default project is ignored at token creation. (Since v3.1)
|
|
Additionally, if your default project is not valid, a token is
|
|
issued without an explicit scope of authorization.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
default_project_id_response_body:
|
|
description: |
|
|
The ID of the default project for the user.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
default_project_id_update_body:
|
|
description: |
|
|
The new ID of the default project for the user.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
description_limit_request_body:
|
|
description: |
|
|
The limit description.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
description_limit_response_body:
|
|
description: |
|
|
The limit description.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
description_region_request_body:
|
|
description: |
|
|
The region description.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
description_region_response_body:
|
|
description: |
|
|
The region description.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
description_registered_limit_request_body:
|
|
description: |
|
|
The registered limit description.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
description_registered_limit_response_body:
|
|
description: |
|
|
The registered limit description.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain:
|
|
description: |
|
|
A ``domain`` object
|
|
in: body
|
|
required: true
|
|
type: object
|
|
domain_config:
|
|
description: |
|
|
A ``config`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
domain_description_request_body:
|
|
description: |
|
|
The description of the domain.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
domain_description_response_body:
|
|
description: |
|
|
The description of the domain.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain_description_update_request_body:
|
|
description: |
|
|
The new description of the domain.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
domain_driver:
|
|
description: |
|
|
The Identity backend driver.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain_enabled_request_body:
|
|
description: |
|
|
If set to ``true``, domain is created enabled. If set to
|
|
``false``, domain is created disabled. The default is ``true``.
|
|
|
|
Users can only authorize against an enabled domain (and any of its
|
|
projects). In addition, users can only authenticate if the domain that owns
|
|
them is also enabled. Disabling a domain prevents both of these things.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
domain_enabled_response_body:
|
|
description: |
|
|
If set to ``true``, domain is enabled. If set to
|
|
``false``, domain is disabled.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain_enabled_update_request_body:
|
|
description: |
|
|
If set to ``true``, domain is enabled. If set to
|
|
``false``, domain is disabled. The default is ``true``.
|
|
|
|
Users can only authorize against an enabled domain (and any of its
|
|
projects). In addition, users can only authenticate if the domain that owns
|
|
them is also enabled. Disabling a domain prevents both of these things.
|
|
When you disable a domain, all tokens that are authorized for that domain
|
|
become invalid. However, if you reenable the domain, these tokens become
|
|
valid again, providing that they haven't expired.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
domain_id_response_body:
|
|
description: |
|
|
The ID of the domain.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain_ldap:
|
|
description: |
|
|
An ``ldap`` object. Required to set the LDAP
|
|
group configuration options.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
domain_link_response_body:
|
|
description: |
|
|
The links to the ``domain`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
domain_name_request_body:
|
|
description: |
|
|
The name of the domain.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain_name_response_body:
|
|
description: |
|
|
The name of the domain.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain_name_update_request_body:
|
|
description: |
|
|
The new name of the domain.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
domain_scope_response_body_optional:
|
|
description: |
|
|
A ``domain`` object including the ``id`` and ``name`` representing the
|
|
domain the token is scoped to. This is only included in tokens that are
|
|
scoped to a domain.
|
|
in: body
|
|
required: false
|
|
type: object
|
|
domain_url:
|
|
description: |
|
|
The LDAP URL.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domain_user_tree_dn:
|
|
description: |
|
|
The base distinguished name (DN) of LDAP, from
|
|
where all users can be reached. For example,
|
|
``ou=Users,dc=root,dc=org``.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
domains:
|
|
description: |
|
|
A list of ``domain`` objects
|
|
in: body
|
|
required: true
|
|
type: array
|
|
email:
|
|
description: |
|
|
The email address for the user.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
enabled_user_request_body:
|
|
description: |
|
|
If the user is enabled, this value is ``true``.
|
|
If the user is disabled, this value is ``false``.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
enabled_user_response_body:
|
|
description: |
|
|
If the user is enabled, this value is ``true``.
|
|
If the user is disabled, this value is ``false``.
|
|
in: body
|
|
required: true
|
|
type: boolean
|
|
enabled_user_update_body:
|
|
description: |
|
|
Enables or disables the user. An enabled user
|
|
can authenticate and receive authorization. A disabled user
|
|
cannot authenticate or receive authorization. Additionally, all
|
|
tokens that the user holds become no longer valid. If you reenable
|
|
this user, pre-existing tokens do not become valid. To enable the
|
|
user, set to ``true``. To disable the user, set to ``false``.
|
|
Default is ``true``.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
endpoint:
|
|
description: |
|
|
An ``endpoint`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
endpoint_enabled:
|
|
description: |
|
|
Indicates whether the endpoint appears in the
|
|
service catalog: - ``false``. The endpoint does not appear in the
|
|
service catalog. - ``true``. The endpoint appears in the service
|
|
catalog.
|
|
in: body
|
|
required: true
|
|
type: boolean
|
|
endpoint_enabled_not_required:
|
|
description: |
|
|
Defines whether the endpoint appears in the
|
|
service catalog: - ``false``. The endpoint does not appear in the
|
|
service catalog. - ``true``. The endpoint appears in the service
|
|
catalog. Default is ``true``.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
endpoint_id:
|
|
description: |
|
|
The endpoint ID.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
endpoint_interface:
|
|
description: |
|
|
The interface type, which describes the
|
|
visibility of the endpoint. Value is: - ``public``. Visible by
|
|
end users on a publicly available network interface. -
|
|
``internal``. Visible by end users on an unmetered internal
|
|
network interface. - ``admin``. Visible by administrative users
|
|
on a secure network interface.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
endpoint_links:
|
|
description: |
|
|
The links for the ``endpoint`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
endpoint_name:
|
|
description: |
|
|
The endpoint name.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
endpoint_region:
|
|
description: |
|
|
(Deprecated in v3.2) The geographic location of
|
|
the service endpoint.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
endpoint_type:
|
|
description: |
|
|
The endpoint type.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
endpoint_url:
|
|
description: |
|
|
The endpoint URL.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
endpoints:
|
|
description: |
|
|
A list of ``endpoint`` objects.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
endpoints_links:
|
|
description: |
|
|
The links for the ``endpoints`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
expires_at:
|
|
description: |
|
|
The date and time when the token expires.
|
|
|
|
The date and time stamp format is `ISO 8601
|
|
<https://en.wikipedia.org/wiki/ISO_8601>`_:
|
|
|
|
::
|
|
|
|
CCYY-MM-DDThh:mm:ss.sssZ
|
|
|
|
For example, ``2015-08-27T09:49:58.000000Z``.
|
|
|
|
A ``null`` value indicates that the token never expires.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
explicit_unscoped_string:
|
|
description: |
|
|
The authorization scope (Since v3.4). Specify
|
|
``unscoped`` to make an explicit unscoped token request, which
|
|
returns an unscoped response without any authorization. This
|
|
request behaves the same as a token request with no scope where
|
|
the user has no default project defined. If an explicit,
|
|
``unscoped`` token request is not made and the user has
|
|
authorization to their default project, then the response will
|
|
return a project-scoped token. If a default project is not defined,
|
|
a token is issued without an explicit scope of authorization,
|
|
which is the same as asking for an explicit unscoped token.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
extra_request_body:
|
|
description: |
|
|
The extra attributes of a resource.
|
|
The actual name ``extra`` is not the key name in the request body,
|
|
but rather a collection of any attributes that a resource may contain
|
|
that are not part of the resource's default attributes.
|
|
Generally these are custom fields that are added to a resource in keystone
|
|
by operators for their own specific uses,
|
|
such as ``email`` and ``description`` for users.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
group:
|
|
description: |
|
|
A ``group`` object
|
|
in: body
|
|
required: true
|
|
type: object
|
|
group_description_request_body:
|
|
description: |
|
|
The description of the group.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
group_description_response_body:
|
|
description: |
|
|
The description of the group.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
group_description_update_request_body:
|
|
description: |
|
|
The new description of the group.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
group_domain_id:
|
|
description: |
|
|
The ID of the domain that owns the group. If you
|
|
omit the domain ID, defaults to the domain to which the client
|
|
token is scoped.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
group_domain_id_request_body:
|
|
description: |
|
|
The ID of the domain of the group. If the domain ID is not
|
|
provided in the request, the Identity service will attempt to
|
|
pull the domain ID from the token used in the request. Note that
|
|
this requires the use of a domain-scoped token.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
group_domain_id_response_body:
|
|
description: |
|
|
The ID of the domain of the group.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
group_domain_id_update_request_body:
|
|
description: |
|
|
The ID of the new domain for the group. The ability to change the domain
|
|
of a group is now deprecated, and will be removed in subsequent release.
|
|
It is already disabled by default in most Identity service implementations.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
group_id_response_body:
|
|
description: |
|
|
The ID of the group.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
group_name_request_body:
|
|
description: |
|
|
The name of the group.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
group_name_response_body:
|
|
description: |
|
|
The name of the group.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
group_name_update_request_body:
|
|
description: |
|
|
The new name of the group.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
groups:
|
|
description: |
|
|
A list of ``group`` objects
|
|
in: body
|
|
required: true
|
|
type: array
|
|
id_region_response_body:
|
|
description: |
|
|
The ID for the region.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
id_region_resquest_body:
|
|
description: |
|
|
The ID for the region.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
id_user_body:
|
|
description: |
|
|
The user ID.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
identity:
|
|
description: |
|
|
An ``identity`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
implies_role_array_body:
|
|
description: |
|
|
An array of implied role objects.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
implies_role_object_body:
|
|
description: |
|
|
An implied role object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
is_domain_request_body:
|
|
description: |
|
|
Indicates whether the project also acts as a domain. If set to ``true``,
|
|
this project acts as both a project and domain. As a domain, the project
|
|
provides a name space in which you can create users, groups, and other
|
|
projects. If set to ``false``, this project behaves as a regular project
|
|
that contains only resources. Default is ``false``. You cannot update
|
|
this parameter after you create the project.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
min_version: 3.6
|
|
is_domain_response_body:
|
|
description: |
|
|
Indicates whether the project also acts as a domain. If set to ``true``,
|
|
this project acts as both a project and domain. As a domain, the project
|
|
provides a name space in which you can create users, groups, and other
|
|
projects. If set to ``false``, this project behaves as a regular project
|
|
that contains only resources.
|
|
in: body
|
|
required: true
|
|
type: boolean
|
|
min_version: 3.6
|
|
issued_at:
|
|
description: |
|
|
The date and time when the token was issued.
|
|
|
|
The date and time stamp format is `ISO 8601
|
|
<https://en.wikipedia.org/wiki/ISO_8601>`_:
|
|
|
|
::
|
|
|
|
CCYY-MM-DDThh:mm:ss.sssZ
|
|
|
|
For example, ``2015-08-27T09:49:58.000000Z``.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
limit:
|
|
description: |
|
|
A ``limit`` object
|
|
in: body
|
|
required: true
|
|
type: array
|
|
limit_id:
|
|
description: |
|
|
The limit ID.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
limit_model_description_required_response_body:
|
|
description: A short description of the enforcement model used
|
|
in: body
|
|
required: true
|
|
type: string
|
|
limit_model_name_required_response_body:
|
|
description: The name of the enforcement model
|
|
in: body
|
|
required: true
|
|
type: string
|
|
limit_model_required_response_body:
|
|
description: A model object describing the configured enforcement model used
|
|
by the deployment.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
limits:
|
|
description: |
|
|
A list of ``limits`` objects
|
|
in: body
|
|
required: true
|
|
type: array
|
|
link_collection:
|
|
description: |
|
|
The link to the collection of resources.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
link_response_body:
|
|
description: |
|
|
The link to the resources in question.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
links_project:
|
|
description: |
|
|
The links for the ``project`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
links_region:
|
|
description: |
|
|
The links for the ``region`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
links_user:
|
|
description: |
|
|
The links for the ``user`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
original_password:
|
|
description: |
|
|
The original password for the user.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
parent_region_id_request_body:
|
|
description: |
|
|
To make this region a child of another region,
|
|
set this parameter to the ID of the parent region.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
parent_region_id_response_body:
|
|
description: |
|
|
To make this region a child of another region,
|
|
set this parameter to the ID of the parent region.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
password:
|
|
description: |
|
|
The ``password`` object, contains the authentication information.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
password_expires_at:
|
|
description: |
|
|
The date and time when the password expires. The time zone
|
|
is UTC.
|
|
|
|
This is a response object attribute; not valid for requests.
|
|
A ``null`` value indicates that the password never expires.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
min_version: 3.7
|
|
password_request_body:
|
|
description: |
|
|
The password for the user.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
policies:
|
|
description: |
|
|
A ``policies`` object.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
policy:
|
|
description: |
|
|
A ``policy`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
policy_blob_obj:
|
|
description: |
|
|
The policy rule itself, as a serialized blob.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
policy_blob_str:
|
|
description: |
|
|
The policy rule set itself, as a serialized blob.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
policy_id:
|
|
description: |
|
|
The policy ID.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
policy_links:
|
|
description: |
|
|
The links for the ``policy`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
policy_type:
|
|
description: |
|
|
The MIME media type of the serialized policy
|
|
blob.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
prior_role_body:
|
|
description: |
|
|
A prior role object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
project:
|
|
description: |
|
|
A ``project`` object
|
|
in: body
|
|
required: true
|
|
type: object
|
|
project_description_request_body:
|
|
description: |
|
|
The description of the project.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
project_description_response_body:
|
|
description: |
|
|
The description of the project.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
project_domain_id:
|
|
description: |
|
|
The ID of the domain for the project. If you
|
|
omit the domain ID, default is the domain to which your token is
|
|
scoped.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
project_domain_id_request_body:
|
|
description: |
|
|
The ID of the domain for the project.
|
|
|
|
For projects acting as a domain, the ``domain_id`` must not be specified,
|
|
it will be generated by the Identity service implementation.
|
|
|
|
For regular projects (i.e. those not acing as a domain), if ``domain_id``
|
|
is not specified, but ``parent_id`` is specified, then the domain ID of the
|
|
parent will be used. If neither ``domain_id`` or ``parent_id`` is
|
|
specified, the Identity service implementation will default to the domain
|
|
to which the client's token is scoped. If both ``domain_id`` and
|
|
``parent_id`` are specified, and they do not indicate the same domain, an
|
|
``Bad Request (400)`` will be returned.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
project_domain_id_response_body:
|
|
description: |
|
|
The ID of the domain for the project.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
project_domain_id_update_request_body:
|
|
description: |
|
|
The ID of the new domain for the project. The ability to change the domain
|
|
of a project is now deprecated, and will be removed in subequent release.
|
|
It is already disabled by default in most Identity service implementations.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
project_enabled_request_body:
|
|
description: |
|
|
If set to ``true``, project is enabled. If set to
|
|
``false``, project is disabled. The default is ``true``.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
project_enabled_response_body:
|
|
description: |
|
|
If set to ``true``, project is enabled. If set to
|
|
``false``, project is disabled.
|
|
in: body
|
|
required: true
|
|
type: boolean
|
|
project_enabled_update_request_body:
|
|
description: |
|
|
If set to ``true``, project is enabled. If set to
|
|
``false``, project is disabled.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
project_id:
|
|
description: |
|
|
The ID for the project.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
project_name_request_body:
|
|
description: |
|
|
The name of the project, which must be unique within the
|
|
owning domain. A project can have the same name as its domain.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
project_name_response_body:
|
|
description: |
|
|
The name of the project.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
project_name_update_request_body:
|
|
description: |
|
|
The name of the project, which must be unique within the
|
|
owning domain. A project can have the same name as its domain.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
project_parent_id_request_body:
|
|
description: |
|
|
The ID of the parent of the project.
|
|
|
|
If specified on project creation, this places the project within a
|
|
hierarchy and implicitly defines the owning domain, which will be the
|
|
same domain as the parent specified. If ``parent_id`` is
|
|
not specified and ``is_domain`` is ``false``, then the project will use its
|
|
owning domain as its parent. If ``is_domain`` is ``true`` (i.e. the project
|
|
is acting as a domain), then ``parent_id`` must not specified (or if it is,
|
|
it must be ``null``) since domains have no parents.
|
|
|
|
``parent_id`` is immutable, and can't be updated after the project is
|
|
created - hence a project cannot be moved within the hierarchy.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
min_version: 3.4
|
|
project_parent_id_response_body:
|
|
description: |
|
|
The ID of the parent for the project.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
min_version: 3.4
|
|
project_scope_response_body_optional:
|
|
description: |
|
|
A ``project`` object including the ``id``, ``name`` and ``domain`` object
|
|
representing the project the token is scoped to. This is only included in
|
|
tokens that are scoped to a project.
|
|
in: body
|
|
required: false
|
|
type: object
|
|
project_tags_request_body:
|
|
description: |
|
|
A list of simple strings assigned to a project.
|
|
Tags can be used to classify projects into groups.
|
|
in: body
|
|
required: false
|
|
type: array
|
|
projects:
|
|
description: |
|
|
A list of ``project`` objects
|
|
in: body
|
|
required: true
|
|
type: array
|
|
receipt_expires_at:
|
|
description: |
|
|
The date and time when the receipt expires.
|
|
|
|
The date and time stamp format is `ISO 8601
|
|
<https://en.wikipedia.org/wiki/ISO_8601>`_:
|
|
|
|
::
|
|
|
|
CCYY-MM-DDThh:mm:ss.sssZ
|
|
|
|
For example, ``2015-08-27T09:49:58.000000Z``.
|
|
|
|
A ``null`` value indicates that the receipt never expires.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
receipt_issued_at:
|
|
description: |
|
|
The date and time when the receipt was issued.
|
|
|
|
The date and time stamp format is `ISO 8601
|
|
<https://en.wikipedia.org/wiki/ISO_8601>`_:
|
|
|
|
::
|
|
|
|
CCYY-MM-DDThh:mm:ss.sssZ
|
|
|
|
For example, ``2015-08-27T09:49:58.000000Z``.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
region_id_not_required:
|
|
description: |
|
|
(Since v3.2) The ID of the region that contains
|
|
the service endpoint.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
region_id_request_body:
|
|
description: |
|
|
The ID of the region that contains the service endpoint.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
region_id_required:
|
|
description: |
|
|
(Since v3.2) The ID of the region that contains
|
|
the service endpoint.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
region_id_response_body:
|
|
description: |
|
|
The ID of the region that contains the service endpoint.
|
|
The value can be None.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
region_object:
|
|
description: |
|
|
A ``region`` object
|
|
in: body
|
|
required: true
|
|
type: object
|
|
regions_object:
|
|
description: |
|
|
A list of ``region`` object
|
|
in: body
|
|
required: true
|
|
type: array
|
|
registered_limit:
|
|
description: |
|
|
A ``registered_limit`` objects
|
|
in: body
|
|
required: true
|
|
type: array
|
|
registered_limit_id:
|
|
description: |
|
|
The registered limit ID.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
registered_limits:
|
|
description: |
|
|
A list of ``registered_limits`` objects
|
|
in: body
|
|
required: true
|
|
type: array
|
|
request_application_credential_auth_id_body_not_required:
|
|
description: |
|
|
The ID of the application credential used for authentication. If not
|
|
provided, the application credential must be identified by its name and
|
|
its owning user.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
request_application_credential_auth_name_body_not_required:
|
|
description: |
|
|
The name of the application credential used for authentication. If
|
|
provided, must be accompanied by a user object.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
request_application_credential_auth_secret_body_required:
|
|
description: |
|
|
The secret for authenticating the application credential.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
request_application_credential_body_required:
|
|
description: |
|
|
An application credential object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
request_application_credential_description_body_not_required:
|
|
description: |
|
|
A description of the application credential's purpose.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
request_application_credential_expires_at_body_not_required:
|
|
description: |
|
|
An optional expiry time for the application credential. If unset, the
|
|
application credential does not expire.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
request_application_credential_name_body_required:
|
|
description: |
|
|
The name of the application credential. Must be unique to a user.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
request_application_credential_roles_body_not_required:
|
|
description: |
|
|
An optional list of role objects, identified by ID or name. The list
|
|
may only contain roles that the user has assigned on the project.
|
|
If not provided, the roles assigned to the application credential will
|
|
be the same as the roles in the current token.
|
|
in: body
|
|
required: false
|
|
type: array
|
|
request_application_credential_secret_body_not_required:
|
|
description: |
|
|
The secret that the application credential will be created with. If not
|
|
provided, one will be generated.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
request_application_credential_unrestricted_body_not_required:
|
|
description: |
|
|
An optional flag to restrict whether the application credential may be
|
|
used for the creation or destruction of other application credentials or
|
|
trusts. Defaults to false.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
request_application_credential_user_body_not_required:
|
|
description: |
|
|
A ``user`` object, required if an application credential is identified by
|
|
name and not ID.
|
|
in: body
|
|
required: false
|
|
type: object
|
|
request_default_limit_body_not_required:
|
|
description: |
|
|
The default limit for the registered limit.
|
|
in: body
|
|
required: false
|
|
type: integer
|
|
request_region_id_registered_limit_body_not_required:
|
|
description: |
|
|
The ID of the region that contains the service endpoint.
|
|
Either service_id, resource_name, or region_id must be
|
|
different than existing value otherwise it will raise 409.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
request_resource_limit_body_not_required:
|
|
description: |
|
|
The override limit.
|
|
in: body
|
|
required: false
|
|
type: integer
|
|
request_resource_name_body_not_required:
|
|
description: |
|
|
The resource name. Either service_id, resource_name or
|
|
region_id must be different than existing value otherwise
|
|
it will raise 409.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
request_service_id_registered_limit_body_not_required:
|
|
description: |
|
|
The UUID of the service to update to which the registered
|
|
limit belongs. Either service_id, resource_name, or region_id
|
|
must be different than existing value otherwise it will
|
|
raise 409.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
required_auth_methods:
|
|
description: |
|
|
A list of authentication rules that may be used with the auth receipt
|
|
to complete the authentication process.
|
|
in: body
|
|
required: true
|
|
type: list of lists
|
|
resource_limit:
|
|
description: |
|
|
The override limit.
|
|
in: body
|
|
required: true
|
|
type: integer
|
|
resource_name:
|
|
description: |
|
|
The resource name.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
response_application_credential_body:
|
|
description: |
|
|
The application credential object.
|
|
in: body
|
|
type: object
|
|
required: true
|
|
response_application_credential_description_body:
|
|
description: |
|
|
A description of the application credential's purpose.
|
|
in: body
|
|
type: string
|
|
required: true
|
|
response_application_credential_expires_at_body:
|
|
description: |
|
|
The expiration time of the application credential, if one was specified.
|
|
in: body
|
|
type: string
|
|
required: true
|
|
response_application_credential_id_body:
|
|
description: |
|
|
The ID of the application credential.
|
|
in: body
|
|
type: string
|
|
required: true
|
|
response_application_credential_name_body:
|
|
description: |
|
|
The name of the application credential.
|
|
in: body
|
|
type: string
|
|
required: true
|
|
response_application_credential_project_id_body:
|
|
description: |
|
|
The ID of the project the application credential was created for and that
|
|
authentication requests using this application credential will be scoped
|
|
to.
|
|
in: body
|
|
type: string
|
|
required: true
|
|
response_application_credential_roles_body:
|
|
description: |
|
|
A list of one or more roles that this application credential has
|
|
associated with its project. A token using this application credential
|
|
will have these same roles.
|
|
in: body
|
|
type: array
|
|
required: true
|
|
response_application_credential_secret_body:
|
|
description: |
|
|
The secret for the application credential, either generated by the server
|
|
or provided by the user. This is only ever shown once in the response to a
|
|
create request. It is not stored nor ever shown again. If the secret is
|
|
lost, a new application credential must be created.
|
|
in: body
|
|
type: string
|
|
required: true
|
|
response_application_credential_unrestricted_body:
|
|
description: |
|
|
A flag indicating whether the application credential may be used for
|
|
creation or destruction of other application credentials or trusts.
|
|
in: body
|
|
type: boolean
|
|
required: true
|
|
response_body_project_tags_required:
|
|
description: |
|
|
A list of simple strings assigned to a project.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
response_body_system_required:
|
|
description: |
|
|
A list of systems to access based on role assignments.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
role:
|
|
description: |
|
|
A ``role`` object
|
|
in: body
|
|
required: true
|
|
type: object
|
|
role_assignments:
|
|
description: |
|
|
A list of ``role_assignment`` objects.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
role_description_create_body:
|
|
description: |
|
|
Add description about the role.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
role_description_response_body:
|
|
description: |
|
|
The role description.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
role_description_update_body:
|
|
description: |
|
|
The new role description.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
role_domain_id_request_body:
|
|
description: |
|
|
The ID of the domain of the role.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
role_id_response_body:
|
|
description: |
|
|
The role ID.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
role_inference_array_body:
|
|
description: |
|
|
An array of ``role_inference`` object.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
role_inference_body:
|
|
description: |
|
|
Role inference object that contains ``prior_role`` object
|
|
and ``implies`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
role_name_create_body:
|
|
description: |
|
|
The role name.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
role_name_response_body:
|
|
description: |
|
|
The role name.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
role_name_update_body:
|
|
description: |
|
|
The new role name.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
roles:
|
|
description: |
|
|
A list of ``role`` objects
|
|
in: body
|
|
required: true
|
|
type: array
|
|
scope_string:
|
|
description: |
|
|
The authorization scope, including the system (Since v3.10), a project, or
|
|
a domain (Since v3.4). If multiple scopes are specified in the same request
|
|
(e.g. ``project`` and ``domain`` or ``domain`` and ``system``) an HTTP
|
|
``400 Bad Request`` will be returned, as a token cannot be simultaneously
|
|
scoped to multiple authorization targets. An ID is sufficient to uniquely
|
|
identify a project but if a project is specified by name, then the domain
|
|
of the project must also be specified in order to uniquely identify the
|
|
project by name. A domain scope may be specified by either the domain's ID
|
|
or name with equivalent results.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
service:
|
|
description: |
|
|
A ``service`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
service_description:
|
|
description: |
|
|
The service description.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
service_description_not_required:
|
|
description: |
|
|
The service description.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
service_enabled:
|
|
description: |
|
|
Defines whether the service and its endpoints
|
|
appear in the service catalog: - ``false``. The service and its
|
|
endpoints do not appear in the service catalog. - ``true``. The
|
|
service and its endpoints appear in the service catalog.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
service_enabled_not_required:
|
|
description: |
|
|
Defines whether the service and its endpoints
|
|
appear in the service catalog: - ``false``. The service and its
|
|
endpoints do not appear in the service catalog. - ``true``. The
|
|
service and its endpoints appear in the service catalog.
|
|
Default is ``true``.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
service_id:
|
|
description: |
|
|
The UUID of the service to which the endpoint
|
|
belongs.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
service_id_limit:
|
|
description: |
|
|
The UUID of the service to which the limit belongs.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
service_id_registered_limit:
|
|
description: |
|
|
The UUID of the service to which the registered limit
|
|
belongs.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
service_links:
|
|
description: |
|
|
The links for the ``service`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
service_name:
|
|
description: |
|
|
The service name.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
service_type:
|
|
description: |
|
|
The service type, which describes the API
|
|
implemented by the service. Value is ``compute``, ``ec2``,
|
|
``identity``, ``image``, ``network``, or ``volume``.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
services:
|
|
description: |
|
|
A list of ``service`` object.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
signed:
|
|
description: |
|
|
List of expired PKI tokens, signed by the
|
|
cryptographic message syntax (CMS).
|
|
in: body
|
|
required: true
|
|
type: string
|
|
system:
|
|
description: |
|
|
A ``system`` object.
|
|
in: body
|
|
required: false
|
|
type: object
|
|
system_roles_response_body:
|
|
description: |
|
|
A list of ``role`` objects containing ``domain_id``, ``id``, ``links``,
|
|
and ``name`` attributes.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
system_scope_response_body_optional:
|
|
description: |
|
|
A ``system`` object containing information about which parts of the system
|
|
the token is scoped to. If the token is scoped to the entire deployment
|
|
system, the ``system`` object will consist of ``{"all": true}``. This is
|
|
only included in tokens that are scoped to the system.
|
|
in: body
|
|
required: false
|
|
type: object
|
|
system_scope_string:
|
|
description: |
|
|
Authorization scope specific to the deployment system (Since v3.10).
|
|
Specifying a project or domain scope in addition to system scope results
|
|
in an HTTP ``400 Bad Request``.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
token:
|
|
description: |
|
|
A ``token`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
totp:
|
|
description: |
|
|
The ``totp`` object, contains the authentication information.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
user:
|
|
description: |
|
|
A ``user`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
user_domain_id:
|
|
description: |
|
|
The ID of the domain for the user.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
user_domain_id_request_body:
|
|
description: |
|
|
The ID of the domain of the user. If the domain ID is not
|
|
provided in the request, the Identity service will attempt to
|
|
pull the domain ID from the token used in the request. Note that
|
|
this requires the use of a domain-scoped token.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
user_domain_id_update_body:
|
|
description: |
|
|
The ID of the new domain for the user. The ability to change the domain
|
|
of a user is now deprecated, and will be removed in subequent release.
|
|
It is already disabled by default in most Identity service implementations.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
user_id:
|
|
description: |
|
|
The ID of the user. Required if you do not
|
|
specify the user name.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
user_name:
|
|
description: |
|
|
The user name. Required if you do not specify
|
|
the ID of the user. If you specify the user name, you must also
|
|
specify the domain, by ID or name.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
user_name_create_request_body:
|
|
description: |
|
|
The user name. Must be unique within the owning domain.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
user_name_response_body:
|
|
description: |
|
|
The user name. Must be unique within the owning domain.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
user_name_update_body:
|
|
description: |
|
|
The new name for the user. Must be unique within the owning domain.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
user_object:
|
|
description: |
|
|
A ``user`` object
|
|
in: body
|
|
required: true
|
|
type: object
|
|
user_options_request_body:
|
|
description: |
|
|
The resource options for the user. Available resource options are
|
|
``ignore_change_password_upon_first_use``, ``ignore_password_expiry``,
|
|
``ignore_lockout_failure_attempts``, ``lock_password``,
|
|
``multi_factor_auth_enabled``, and ``multi_factor_auth_rules``.
|
|
in: body
|
|
required: false
|
|
type: object
|
|
user_options_response_body:
|
|
description: |
|
|
The resource options for the user. Only present in the response if set on
|
|
the user entity. Available resource options are
|
|
``ignore_change_password_upon_first_use``, ``ignore_password_expiry``,
|
|
``ignore_lockout_failure_attempts``, ``lock_password``,
|
|
``multi_factor_auth_enabled``, and ``multi_factor_auth_rules``.
|
|
in: body
|
|
required: false
|
|
type: object
|
|
user_password_update_body:
|
|
description: |
|
|
The new password for the user.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
user_update_password_body:
|
|
description: |
|
|
The new password for the user.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
users:
|
|
description: |
|
|
A ``users`` object.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
users_object:
|
|
description: |
|
|
A list of ``user`` objects
|
|
in: body
|
|
required: true
|
|
type: array
|