Policy configuration¶
Configuration¶
The following is an overview of all available policies in Keystone. For a sample configuration file, refer to policy.yaml.
keystone¶
admin_requiredDefault: role:admin or is_admin:1(no description provided)
service_roleDefault: role:service(no description provided)
service_or_adminDefault: rule:admin_required or rule:service_role(no description provided)
ownerDefault: user_id:%(user_id)s(no description provided)
admin_or_ownerDefault: rule:admin_required or rule:owner(no description provided)
token_subjectDefault: user_id:%(target.token.user_id)s(no description provided)
admin_or_token_subjectDefault: rule:admin_required or rule:token_subject(no description provided)
service_admin_or_token_subjectDefault: rule:service_or_admin or rule:token_subject(no description provided)
identity:authorize_request_tokenDefault: rule:admin_requiredOperations: - PUT
/v3/OS-OAUTH1/authorize/{request_token_id}
Authorize OAUTH1 request token.
- PUT
identity:get_access_tokenDefault: rule:admin_requiredOperations: - GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
Get OAUTH1 access token for user by access token ID.
- GET
identity:get_access_token_roleDefault: rule:admin_requiredOperations: - GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
Get role for user OAUTH1 access token.
- GET
identity:list_access_tokensDefault: rule:admin_requiredOperations: - GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens
List OAUTH1 access tokens for user.
- GET
identity:list_access_token_rolesDefault: rule:admin_requiredOperations: - GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
List OAUTH1 access token roles.
- GET
identity:delete_access_tokenDefault: rule:admin_requiredOperations: - DELETE
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
Delete OAUTH1 access token.
- DELETE
identity:get_auth_catalogDefault: <empty string>
Operations: - GET
/v3/auth/catalog - HEAD
/v3/auth/catalog
Get service catalog.
- GET
identity:get_auth_projectsDefault: <empty string>
Operations: - GET
/v3/auth/projects - HEAD
/v3/auth/projects
List all projects a user has access to via role assignments.
- GET
identity:get_auth_domainsDefault: <empty string>
Operations: - GET
/v3/auth/domains - HEAD
/v3/auth/domains
List all domains a user has access to via role assignments.
- GET
identity:get_consumerDefault: rule:admin_requiredOperations: - GET
/v3/OS-OAUTH1/consumers/{consumer_id}
Show OAUTH1 consumer details.
- GET
identity:list_consumersDefault: rule:admin_requiredOperations: - GET
/v3/OS-OAUTH1/consumers
List OAUTH1 consumers.
- GET
identity:create_consumerDefault: rule:admin_requiredOperations: - POST
/v3/OS-OAUTH1/consumers
Create OAUTH1 consumer.
- POST
identity:update_consumerDefault: rule:admin_requiredOperations: - PATCH
/v3/OS-OAUTH1/consumers/{consumer_id}
Update OAUTH1 consumer.
- PATCH
identity:delete_consumerDefault: rule:admin_requiredOperations: - DELETE
/v3/OS-OAUTH1/consumers/{consumer_id}
Delete OAUTH1 consumer.
- DELETE
identity:get_credentialDefault: rule:admin_requiredOperations: - GET
/v3/credentials/{credential_id}
Show credentials details.
- GET
identity:list_credentialsDefault: rule:admin_requiredOperations: - GET
/v3/credentials
List credentials.
- GET
identity:create_credentialDefault: rule:admin_requiredOperations: - POST
/v3/credentials
Create credential.
- POST
identity:update_credentialDefault: rule:admin_requiredOperations: - PATCH
/v3/credentials/{credential_id}
Update credential.
- PATCH
identity:delete_credentialDefault: rule:admin_requiredOperations: - DELETE
/v3/credentials/{credential_id}
Delete credential.
- DELETE
identity:get_domainDefault: rule:admin_required or token.project.domain.id:%(target.domain.id)sOperations: - GET
/v3/domains/{domain_id}
Show domain details.
- GET
identity:list_domainsDefault: rule:admin_requiredOperations: - GET
/v3/domains
List domains.
- GET
identity:create_domainDefault: rule:admin_requiredOperations: - POST
/v3/domains
Create domain.
- POST
identity:update_domainDefault: rule:admin_requiredOperations: - PATCH
/v3/domains/{domain_id}
Update domain.
- PATCH
identity:delete_domainDefault: rule:admin_requiredOperations: - DELETE
/v3/domains/{domain_id}
Delete domain.
- DELETE
identity:create_domain_configDefault: rule:admin_requiredOperations: - PUT
/v3/domains/{domain_id}/config
Create domain configuration.
- PUT
identity:get_domain_configDefault: rule:admin_requiredOperations: - GET
/v3/domains/{domain_id}/config - HEAD
/v3/domains/{domain_id}/config - GET
/v3/domains/{domain_id}/config/{group} - HEAD
/v3/domains/{domain_id}/config/{group} - GET
/v3/domains/{domain_id}/config/{group}/{option} - HEAD
/v3/domains/{domain_id}/config/{group}/{option}
Get the entire domain configuration for a domain, an option group within a domain, or a specific configuration option within a group for a domain.
- GET
identity:get_security_compliance_domain_configDefault: <empty string>
Operations: - GET
/v3/domains/{domain_id}/config/security_compliance - HEAD
/v3/domains/{domain_id}/config/security_compliance - GET
v3/domains/{domain_id}/config/security_compliance/{option} - HEAD
v3/domains/{domain_id}/config/security_compliance/{option}
Get security compliance domain configuration for either a domain or a specific option in a domain.
- GET
identity:update_domain_configDefault: rule:admin_requiredOperations: - PATCH
/v3/domains/{domain_id}/config - PATCH
/v3/domains/{domain_id}/config/{group} - PATCH
/v3/domains/{domain_id}/config/{group}/{option}
Update domain configuration for either a domain, specific group or a specific option in a group.
- PATCH
identity:delete_domain_configDefault: rule:admin_requiredOperations: - DELETE
/v3/domains/{domain_id}/config - DELETE
/v3/domains/{domain_id}/config/{group} - DELETE
/v3/domains/{domain_id}/config/{group}/{option}
Delete domain configuration for either a domain, specific group or a specific option in a group.
- DELETE
identity:get_domain_config_defaultDefault: rule:admin_requiredOperations: - GET
/v3/domains/config/default - HEAD
/v3/domains/config/default - GET
/v3/domains/config/{group}/default - HEAD
/v3/domains/config/{group}/default - GET
/v3/domains/config/{group}/{option}/default - HEAD
/v3/domains/config/{group}/{option}/default
Get domain configuration default for either a domain, specific group or a specific option in a group.
- GET
identity:ec2_get_credentialDefault: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)Operations: - GET
/v3/users/{user_id}/credentials/OS-EC2/{credential_id}
Show ec2 credential details.
- GET
identity:ec2_list_credentialsDefault: rule:admin_or_ownerOperations: - GET
/v3/users/{user_id}/credentials/OS-EC2
List ec2 credentials.
- GET
identity:ec2_create_credentialDefault: rule:admin_or_ownerOperations: - POST
/v3/users/{user_id}/credentials/OS-EC2
Create ec2 credential.
- POST
identity:ec2_delete_credentialDefault: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)Operations: - DELETE
/v3/users/{user_id}/credentials/OS-EC2/{credential_id}
Delete ec2 credential.
- DELETE
identity:get_endpointDefault: rule:admin_requiredOperations: - GET
/v3/endpoints/{endpoint_id}
Show endpoint details.
- GET
identity:list_endpointsDefault: rule:admin_requiredOperations: - GET
/v3/endpoints
List endpoints.
- GET
identity:create_endpointDefault: rule:admin_requiredOperations: - POST
/v3/endpoints
Create endpoint.
- POST
identity:update_endpointDefault: rule:admin_requiredOperations: - PATCH
/v3/endpoints/{endpoint_id}
Update endpoint.
- PATCH
identity:delete_endpointDefault: rule:admin_requiredOperations: - DELETE
/v3/endpoints/{endpoint_id}
Delete endpoint.
- DELETE
identity:create_endpoint_groupDefault: rule:admin_requiredOperations: - POST
/v3/OS-EP-FILTER/endpoint_groups
Create endpoint group.
- POST
identity:list_endpoint_groupsDefault: rule:admin_requiredOperations: - GET
/v3/OS-EP-FILTER/endpoint_groups
List endpoint groups.
- GET
identity:get_endpoint_groupDefault: rule:admin_requiredOperations: - GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} - HEAD
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
Get endpoint group.
- GET
identity:update_endpoint_groupDefault: rule:admin_requiredOperations: - PATCH
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
Update endpoint group.
- PATCH
identity:delete_endpoint_groupDefault: rule:admin_requiredOperations: - DELETE
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
Delete endpoint group.
- DELETE
identity:list_projects_associated_with_endpoint_groupDefault: rule:admin_requiredOperations: - GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
List all projects associated with a specific endpoint group.
- GET
identity:list_endpoints_associated_with_endpoint_groupDefault: rule:admin_requiredOperations: - GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
List all endpoints associated with an endpoint group.
- GET
identity:get_endpoint_group_in_projectDefault: rule:admin_requiredOperations: - GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} - HEAD
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
Check if an endpoint group is associated with a project.
- GET
identity:list_endpoint_groups_for_projectDefault: rule:admin_requiredOperations: - GET
/v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups
List endpoint groups associated with a specific project.
- GET
identity:add_endpoint_group_to_projectDefault: rule:admin_requiredOperations: - PUT
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
Allow a project to access an endpoint group.
- PUT
identity:remove_endpoint_group_from_projectDefault: rule:admin_requiredOperations: - DELETE
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
Remove endpoint group from project.
- DELETE
identity:check_grantDefault: rule:admin_requiredOperations: - HEAD
/v3/projects/{project_id}/users/{user_id}/roles/{role_id} - GET
/v3/projects/{project_id}/users/{user_id}/roles/{role_id} - HEAD
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id} - GET
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id} - HEAD
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id} - GET
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id} - HEAD
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} - GET
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} - HEAD
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - GET
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - HEAD
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects - GET
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects - HEAD
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - GET
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - HEAD
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects - GET
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
Check a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.
- HEAD
identity:list_grantsDefault: rule:admin_requiredOperations: - GET
/v3/projects/{project_id}/users/{user_id}/roles - HEAD
/v3/projects/{project_id}/users/{user_id}/roles - GET
/v3/projects/{project_id}/groups/{group_id}/roles - HEAD
/v3/projects/{project_id}/groups/{group_id}/roles - GET
/v3/domains/{domain_id}/users/{user_id}/roles - HEAD
/v3/domains/{domain_id}/users/{user_id}/roles - GET
/v3/domains/{domain_id}/groups/{group_id}/roles - HEAD
/v3/domains/{domain_id}/groups/{group_id}/roles - GET
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects - GET
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
List roles granted to an actor on a target. A target can be either a domain or a project. An actor can be either a user or a group. For the OS-INHERIT APIs, it is possible to list inherited role grants for actors on domains, where grants are inherited to all projects in the specified domain.
- GET
identity:create_grantDefault: rule:admin_requiredOperations: - PUT
/v3/projects/{project_id}/users/{user_id}/roles/{role_id} - PUT
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id} - PUT
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id} - PUT
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} - PUT
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - PUT
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects - PUT
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - PUT
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
Create a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.
- PUT
identity:revoke_grantDefault: rule:admin_requiredOperations: - DELETE
/v3/projects/{project_id}/users/{user_id}/roles/{role_id} - DELETE
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id} - DELETE
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id} - DELETE
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} - DELETE
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - DELETE
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects - DELETE
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - DELETE
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
Revoke a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable. In that case, revoking the role grant in the target would remove the logical effect of inheriting it to the target’s projects subtree.
- DELETE
identity:get_groupDefault: rule:admin_requiredOperations: - GET
/v3/groups/{group_id} - HEAD
/v3/groups/{group_id}
Show group details.
- GET
identity:list_groupsDefault: rule:admin_requiredOperations: - GET
/v3/groups - HEAD
/v3/groups
List groups.
- GET
identity:list_groups_for_userDefault: rule:admin_or_ownerOperations: - GET
/v3/users/{user_id}/groups - HEAD
/v3/users/{user_id}/groups
List groups to which a user belongs.
- GET
identity:create_groupDefault: rule:admin_requiredOperations: - POST
/v3/groups
Create group.
- POST
identity:update_groupDefault: rule:admin_requiredOperations: - PATCH
/v3/groups/{group_id}
Update group.
- PATCH
identity:delete_groupDefault: rule:admin_requiredOperations: - DELETE
/v3/groups/{group_id}
Delete group.
- DELETE
identity:list_users_in_groupDefault: rule:admin_requiredOperations: - GET
/v3/groups/{group_id}/users - HEAD
/v3/groups/{group_id}/users
List members of a specific group.
- GET
identity:remove_user_from_groupDefault: rule:admin_requiredOperations: - DELETE
/v3/groups/{group_id}/users/{user_id}
Remove user from group.
- DELETE
identity:check_user_in_groupDefault: rule:admin_requiredOperations: - HEAD
/v3/groups/{group_id}/users/{user_id} - GET
/v3/groups/{group_id}/users/{user_id}
Check whether a user is a member of a group.
- HEAD
identity:add_user_to_groupDefault: rule:admin_requiredOperations: - PUT
/v3/groups/{group_id}/users/{user_id}
Add user to group.
- PUT
identity:create_identity_providerDefault: rule:admin_requiredOperations: - PUT
/v3/OS-FEDERATION/identity_providers/{idp_id}
Create identity provider.
- PUT
identity:list_identity_providersDefault: rule:admin_requiredOperations: - GET
/v3/OS-FEDERATION/identity_providers - HEAD
/v3/OS-FEDERATION/identity_providers
List identity providers.
- GET
identity:get_identity_providerDefault: rule:admin_requiredOperations: - GET
/v3/OS-FEDERATION/identity_providers/{idp_id} - HEAD
/v3/OS-FEDERATION/identity_providers/{idp_id}
Get identity provider.
- GET
identity:update_identity_providerDefault: rule:admin_requiredOperations: - PATCH
/v3/OS-FEDERATION/identity_providers/{idp_id}
Update identity provider.
- PATCH
identity:delete_identity_providerDefault: rule:admin_requiredOperations: - DELETE
/v3/OS-FEDERATION/identity_providers/{idp_id}
Delete identity provider.
- DELETE
identity:get_implied_roleDefault: rule:admin_requiredOperations: - GET
/v3/roles/{prior_role_id}/implies/{implied_role_id}
Get information about an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
- GET
identity:list_implied_rolesDefault: rule:admin_requiredOperations: - GET
/v3/roles/{prior_role_id}/implies - HEAD
/v3/roles/{prior_role_id}/implies
List associations between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. This will return all the implied roles that would be assumed by the user who gets the specified prior role.
- GET
identity:create_implied_roleDefault: rule:admin_requiredOperations: - PUT
/v3/roles/{prior_role_id}/implies/{implied_role_id}
Create an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
- PUT
identity:delete_implied_roleDefault: rule:admin_requiredOperations: - DELETE
/v3/roles/{prior_role_id}/implies/{implied_role_id}
Delete the association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. Removing the association will cause that effect to be eliminated.
- DELETE
identity:list_role_inference_rulesDefault: rule:admin_requiredOperations: - GET
/v3/role_inferences - HEAD
/v3/role_inferences
List all associations between two roles in the system. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
- GET
identity:check_implied_roleDefault: rule:admin_requiredOperations: - HEAD
/v3/roles/{prior_role_id}/implies/{implied_role_id}
Check an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
- HEAD
identity:create_mappingDefault: rule:admin_requiredOperations: - PUT
/v3/OS-FEDERATION/mappings/{mapping_id}
Create a new federated mapping containing one or more sets of rules.
- PUT
identity:get_mappingDefault: rule:admin_requiredOperations: - GET
/v3/OS-FEDERATION/mappings/{mapping_id} - HEAD
/v3/OS-FEDERATION/mappings/{mapping_id}
Get a federated mapping.
- GET
identity:list_mappingsDefault: rule:admin_requiredOperations: - GET
/v3/OS-FEDERATION/mappings - HEAD
/v3/OS-FEDERATION/mappings
List federated mappings.
- GET
identity:delete_mappingDefault: rule:admin_requiredOperations: - DELETE
/v3/OS-FEDERATION/mappings/{mapping_id}
Delete a federated mapping.
- DELETE
identity:update_mappingDefault: rule:admin_requiredOperations: - PATCH
/v3/OS-FEDERATION/mappings/{mapping_id}
Update a federated mapping.
- PATCH
identity:get_policyDefault: rule:admin_requiredOperations: - GET
/v3/policy/{policy_id}
Show policy details.
- GET
identity:list_policiesDefault: rule:admin_requiredOperations: - GET
/v3/policies
List policies.
- GET
identity:create_policyDefault: rule:admin_requiredOperations: - POST
/v3/policies
Create policy.
- POST
identity:update_policyDefault: rule:admin_requiredOperations: - PATCH
/v3/policies/{policy_id}
Update policy.
- PATCH
identity:delete_policyDefault: rule:admin_requiredOperations: - DELETE
/v3/policies/{policy_id}
Delete policy.
- DELETE
identity:create_policy_association_for_endpointDefault: rule:admin_requiredOperations: - PUT
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
Associate a policy to a specific endpoint.
- PUT
identity:check_policy_association_for_endpointDefault: rule:admin_requiredOperations: - GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} - HEAD
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
Check policy association for endpoint.
- GET
identity:delete_policy_association_for_endpointDefault: rule:admin_requiredOperations: - DELETE
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
Delete policy association for endpoint.
- DELETE
identity:create_policy_association_for_serviceDefault: rule:admin_requiredOperations: - PUT
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
Associate a policy to a specific service.
- PUT
identity:check_policy_association_for_serviceDefault: rule:admin_requiredOperations: - GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} - HEAD
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
Check policy association for service.
- GET
identity:delete_policy_association_for_serviceDefault: rule:admin_requiredOperations: - DELETE
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
Delete policy association for service.
- DELETE
identity:create_policy_association_for_region_and_serviceDefault: rule:admin_requiredOperations: - PUT
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
Associate a policy to a specific region and service combination.
- PUT
identity:check_policy_association_for_region_and_serviceDefault: rule:admin_requiredOperations: - GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} - HEAD
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
Check policy association for region and service.
- GET
identity:delete_policy_association_for_region_and_serviceDefault: rule:admin_requiredOperations: - DELETE
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
Delete policy association for region and service.
- DELETE
identity:get_policy_for_endpointDefault: rule:admin_requiredOperations: - GET
/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy - HEAD
/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
Get policy for endpoint.
- GET
identity:list_endpoints_for_policyDefault: rule:admin_requiredOperations: - GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
List endpoints for policy.
- GET
identity:get_projectDefault: rule:admin_required or project_id:%(target.project.id)sOperations: - GET
/v3/projects/{project_id}
Show project details.
- GET
identity:list_projectsDefault: rule:admin_requiredOperations: - GET
/v3/projects
List projects.
- GET
identity:list_user_projectsDefault: rule:admin_or_ownerOperations: - GET
/v3/users/{user_id}/projects
List projects for user.
- GET
identity:create_projectDefault: rule:admin_requiredOperations: - POST
/v3/projects
Create project.
- POST
identity:update_projectDefault: rule:admin_requiredOperations: - PATCH
/v3/projects/{project_id}
Update project.
- PATCH
identity:delete_projectDefault: rule:admin_requiredOperations: - DELETE
/v3/projects/{project_id}
Delete project.
- DELETE
identity:list_projects_for_endpointDefault: rule:admin_requiredOperations: - GET
/v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
List projects allowed to access an endpoint.
- GET
identity:add_endpoint_to_projectDefault: rule:admin_requiredOperations: - PUT
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
Allow project to access an endpoint.
- PUT
identity:check_endpoint_in_projectDefault: rule:admin_requiredOperations: - GET
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} - HEAD
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
Check if a project is allowed to access an endpoint.
- GET
identity:list_endpoints_for_projectDefault: rule:admin_requiredOperations: - GET
/v3/OS-EP-FILTER/projects/{project_id}/endpoints
List the endpoints a project is allowed to access.
- GET
identity:remove_endpoint_from_projectDefault: rule:admin_requiredOperations: - DELETE
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
Remove access to an endpoint from a project that has previously been given explicit access.
- DELETE
identity:create_protocolDefault: rule:admin_requiredOperations: - PUT
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
Create federated protocol.
- PUT
identity:update_protocolDefault: rule:admin_requiredOperations: - PATCH
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
Update federated protocol.
- PATCH
identity:get_protocolDefault: rule:admin_requiredOperations: - GET
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
Get federated protocol.
- GET
identity:list_protocolsDefault: rule:admin_requiredOperations: - GET
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
List federated protocols.
- GET
identity:delete_protocolDefault: rule:admin_requiredOperations: - DELETE
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
Delete federated protocol.
- DELETE
identity:get_regionDefault: <empty string>
Operations: - GET
/v3/regions/{region_id} - HEAD
/v3/regions/{region_id}
Show region details.
- GET
identity:list_regionsDefault: <empty string>
Operations: - GET
/v3/regions - HEAD
/v3/regions
List regions.
- GET
identity:create_regionDefault: rule:admin_requiredOperations: - POST
/v3/regions - PUT
/v3/regions/{region_id}
Create region.
- POST
identity:update_regionDefault: rule:admin_requiredOperations: - PATCH
/v3/regions/{region_id}
Update region.
- PATCH
identity:delete_regionDefault: rule:admin_requiredOperations: - DELETE
/v3/regions/{region_id}
Delete region.
- DELETE
identity:list_revoke_eventsDefault: rule:service_or_adminOperations: - GET
/v3/OS-REVOKE/events
List revocation events.
- GET
identity:get_roleDefault: rule:admin_requiredOperations: - GET
/v3/roles/{role_id} - HEAD
/v3/roles/{role_id}
Show role details.
- GET
identity:list_rolesDefault: rule:admin_requiredOperations: - GET
/v3/roles - HEAD
/v3/roles
List roles.
- GET
identity:create_roleDefault: rule:admin_requiredOperations: - POST
/v3/roles
Create role.
- POST
identity:update_roleDefault: rule:admin_requiredOperations: - PATCH
/v3/roles/{role_id}
Update role.
- PATCH
identity:delete_roleDefault: rule:admin_requiredOperations: - DELETE
/v3/roles/{role_id}
Delete role.
- DELETE
identity:get_domain_roleDefault: rule:admin_requiredOperations: - GET
/v3/roles/{role_id} - HEAD
/v3/roles/{role_id}
Show domain role.
- GET
identity:list_domain_rolesDefault: rule:admin_requiredOperations: - GET
/v3/roles?domain_id={domain_id} - HEAD
/v3/roles?domain_id={domain_id}
List domain roles.
- GET
identity:create_domain_roleDefault: rule:admin_requiredOperations: - POST
/v3/roles
Create domain role.
- POST
identity:update_domain_roleDefault: rule:admin_requiredOperations: - PATCH
/v3/roles/{role_id}
Update domain role.
- PATCH
identity:delete_domain_roleDefault: rule:admin_requiredOperations: - DELETE
/v3/roles/{role_id}
Delete domain role.
- DELETE
identity:list_role_assignmentsDefault: rule:admin_requiredOperations: - GET
/v3/role_assignments - HEAD
/v3/role_assignments
List role assignments.
- GET
identity:list_role_assignments_for_treeDefault: rule:admin_requiredOperations: - GET
/v3/role_assignments?include_subtree - HEAD
/v3/role_assignments?include_subtree
List all role assignments for a given tree of hierarchical projects.
- GET
identity:get_serviceDefault: rule:admin_requiredOperations: - GET
/v3/services/{service_id}
Show service details.
- GET
identity:list_servicesDefault: rule:admin_requiredOperations: - GET
/v3/services
List services.
- GET
identity:create_serviceDefault: rule:admin_requiredOperations: - POST
/v3/services
Create service.
- POST
identity:update_serviceDefault: rule:admin_requiredOperations: - PATCH
/v3/services/{service_id}
Update service.
- PATCH
identity:delete_serviceDefault: rule:admin_requiredOperations: - DELETE
/v3/services/{service_id}
Delete service.
- DELETE
identity:create_service_providerDefault: rule:admin_requiredOperations: - PUT
/v3/OS-FEDERATION/service_providers/{service_provider_id}
Create federated service provider.
- PUT
identity:list_service_providersDefault: rule:admin_requiredOperations: - GET
/v3/OS-FEDERATION/service_providers - HEAD
/v3/OS-FEDERATION/service_providers
List federated service providers.
- GET
identity:get_service_providerDefault: rule:admin_requiredOperations: - GET
/v3/OS-FEDERATION/service_providers/{service_provider_id} - HEAD
/v3/OS-FEDERATION/service_providers/{service_provider_id}
Get federated service provider.
- GET
identity:update_service_providerDefault: rule:admin_requiredOperations: - PATCH
/v3/OS-FEDERATION/service_providers/{service_provider_id}
Update federated service provider.
- PATCH
identity:delete_service_providerDefault: rule:admin_requiredOperations: - DELETE
/v3/OS-FEDERATION/service_providers/{service_provider_id}
Delete federated service provider.
- DELETE
identity:revocation_listDefault: rule:service_or_adminOperations: - GET
/v3/auth/tokens/OS-PKI/revoked
List revoked PKI tokens.
- GET
identity:check_tokenDefault: rule:admin_or_token_subjectOperations: - HEAD
/v3/auth/tokens
Check a token.
- HEAD
identity:validate_tokenDefault: rule:service_admin_or_token_subjectOperations: - GET
/v3/auth/tokens - GET
/v2.0/tokens/{token_id}
Validate a token.
- GET
identity:validate_token_headDefault: rule:service_or_adminOperations: - HEAD
/v2.0/tokens/{token_id}
Validate a token.
- HEAD
identity:revoke_tokenDefault: rule:admin_or_token_subjectOperations: - DELETE
/v3/auth/tokens
Revoke a token.
- DELETE
identity:create_trustDefault: user_id:%(trust.trustor_user_id)sOperations: - POST
/v3/OS-TRUST/trusts
Create trust.
- POST
identity:list_trustsDefault: <empty string>
Operations: - GET
/v3/OS-TRUST/trusts - HEAD
/v3/OS-TRUST/trusts
List trusts.
- GET
identity:list_roles_for_trustDefault: <empty string>
Operations: - GET
/v3/OS-TRUST/trusts/{trust_id}/roles - HEAD
/v3/OS-TRUST/trusts/{trust_id}/roles
List roles delegated by a trust.
- GET
identity:get_role_for_trustDefault: <empty string>
Operations: - GET
/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id} - HEAD
/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
Check if trust delegates a particular role.
- GET
identity:delete_trustDefault: <empty string>
Operations: - DELETE
/v3/OS-TRUST/trusts/{trust_id}
Revoke trust.
- DELETE
identity:get_trustDefault: <empty string>
Operations: - GET
/v3/OS-TRUST/trusts/{trust_id} - HEAD
/v3/OS-TRUST/trusts/{trust_id}
Get trust.
- GET
identity:get_userDefault: rule:admin_or_ownerOperations: - GET
/v3/users/{user_id} - HEAD
/v3/users/{user_id}
Show user details.
- GET
identity:list_usersDefault: rule:admin_requiredOperations: - GET
/v3/users - HEAD
/v3/users
List users.
- GET
identity:list_projects_for_userDefault: <empty string>
Operations: - GET `` /v3/auth/projects``
List all projects a user has access to via role assignments.
identity:list_domains_for_userDefault: <empty string>
Operations: - GET
/v3/auth/domains
List all domains a user has access to via role assignments.
- GET
identity:create_userDefault: rule:admin_requiredOperations: - POST
/v3/users
Create a user.
- POST
identity:update_userDefault: rule:admin_requiredOperations: - PATCH
/v3/users/{user_id}
Update a user, including administrative password resets.
- PATCH
identity:delete_userDefault: rule:admin_requiredOperations: - DELETE
/v3/users/{user_id}
Delete a user.
- DELETE
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.