Policy configuration¶
Configuration¶
The following is an overview of all available policies in Keystone. For a sample configuration file, refer to policy.yaml.
keystone¶
admin_requiredDefault: role:admin or is_admin:1(no description provided)
service_roleDefault: role:service(no description provided)
service_or_adminDefault: rule:admin_required or rule:service_role(no description provided)
ownerDefault: user_id:%(user_id)s(no description provided)
admin_or_ownerDefault: rule:admin_required or rule:owner(no description provided)
token_subjectDefault: user_id:%(target.token.user_id)s(no description provided)
admin_or_token_subjectDefault: rule:admin_required or rule:token_subject(no description provided)
service_admin_or_token_subjectDefault: rule:service_or_admin or rule:token_subject(no description provided)
identity:get_application_credentialDefault: rule:admin_or_ownerOperations: - GET
/v3/users/{user_id}/application_credentials/{application_credential_id} - HEAD
/v3/users/{user_id}/application_credentials/{application_credential_id}
Show application credential details.
- GET
identity:list_application_credentialsDefault: rule:admin_or_ownerOperations: - GET
/v3/users/{user_id}/application_credentials - HEAD
/v3/users/{user_id}/application_credentials
List application credentials for a user.
- GET
identity:create_application_credentialDefault: rule:admin_or_ownerOperations: - POST
/v3/users/{user_id}/application_credentials
Create an application credential.
- POST
identity:delete_application_credentialDefault: rule:admin_or_ownerOperations: - DELETE
/v3/users/{user_id}/application_credentials/{application_credential_id}
Delete an application credential.
- DELETE
identity:authorize_request_tokenDefault: rule:admin_requiredOperations: - PUT
/v3/OS-OAUTH1/authorize/{request_token_id}
Scope Types: - project
Authorize OAUTH1 request token.
- PUT
identity:get_access_tokenDefault: rule:admin_requiredOperations: - GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
Scope Types: - project
Get OAUTH1 access token for user by access token ID.
- GET
identity:get_access_token_roleDefault: rule:admin_requiredOperations: - GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
Scope Types: - project
Get role for user OAUTH1 access token.
- GET
identity:list_access_tokensDefault: rule:admin_requiredOperations: - GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens
Scope Types: - project
List OAUTH1 access tokens for user.
- GET
identity:list_access_token_rolesDefault: rule:admin_requiredOperations: - GET
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
Scope Types: - project
List OAUTH1 access token roles.
- GET
identity:delete_access_tokenDefault: rule:admin_requiredOperations: - DELETE
/v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
Scope Types: - project
Delete OAUTH1 access token.
- DELETE
identity:get_auth_catalogDefault: <empty string>
Operations: - GET
/v3/auth/catalog - HEAD
/v3/auth/catalog
Get service catalog.
- GET
identity:get_auth_projectsDefault: <empty string>
Operations: - GET
/v3/auth/projects - HEAD
/v3/auth/projects
List all projects a user has access to via role assignments.
- GET
identity:get_auth_domainsDefault: <empty string>
Operations: - GET
/v3/auth/domains - HEAD
/v3/auth/domains
List all domains a user has access to via role assignments.
- GET
identity:get_auth_systemDefault: <empty string>
Operations: - GET
/v3/auth/system - HEAD
/v3/auth/system
List systems a user has access to via role assignments.
- GET
identity:get_consumerDefault: rule:admin_requiredOperations: - GET
/v3/OS-OAUTH1/consumers/{consumer_id}
Scope Types: - system
Show OAUTH1 consumer details.
- GET
identity:list_consumersDefault: rule:admin_requiredOperations: - GET
/v3/OS-OAUTH1/consumers
Scope Types: - system
List OAUTH1 consumers.
- GET
identity:create_consumerDefault: rule:admin_requiredOperations: - POST
/v3/OS-OAUTH1/consumers
Scope Types: - system
Create OAUTH1 consumer.
- POST
identity:update_consumerDefault: rule:admin_requiredOperations: - PATCH
/v3/OS-OAUTH1/consumers/{consumer_id}
Scope Types: - system
Update OAUTH1 consumer.
- PATCH
identity:delete_consumerDefault: rule:admin_requiredOperations: - DELETE
/v3/OS-OAUTH1/consumers/{consumer_id}
Scope Types: - system
Delete OAUTH1 consumer.
- DELETE
identity:get_credentialDefault: rule:admin_requiredOperations: - GET
/v3/credentials/{credential_id}
Show credentials details.
- GET
identity:list_credentialsDefault: rule:admin_requiredOperations: - GET
/v3/credentials
List credentials.
- GET
identity:create_credentialDefault: rule:admin_requiredOperations: - POST
/v3/credentials
Create credential.
- POST
identity:update_credentialDefault: rule:admin_requiredOperations: - PATCH
/v3/credentials/{credential_id}
Update credential.
- PATCH
identity:delete_credentialDefault: rule:admin_requiredOperations: - DELETE
/v3/credentials/{credential_id}
Delete credential.
- DELETE
identity:get_domainDefault: rule:admin_required or project_domain_id:%(target.domain.id)sOperations: - GET
/v3/domains/{domain_id}
Scope Types: - system
Show domain details.
- GET
identity:list_domainsDefault: rule:admin_requiredOperations: - GET
/v3/domains
Scope Types: - system
List domains.
- GET
identity:create_domainDefault: rule:admin_requiredOperations: - POST
/v3/domains
Scope Types: - system
Create domain.
- POST
identity:update_domainDefault: rule:admin_requiredOperations: - PATCH
/v3/domains/{domain_id}
Scope Types: - system
Update domain.
- PATCH
identity:delete_domainDefault: rule:admin_requiredOperations: - DELETE
/v3/domains/{domain_id}
Scope Types: - system
Delete domain.
- DELETE
identity:create_domain_configDefault: rule:admin_requiredOperations: - PUT
/v3/domains/{domain_id}/config
Scope Types: - system
Create domain configuration.
- PUT
identity:get_domain_configDefault: rule:admin_requiredOperations: - GET
/v3/domains/{domain_id}/config - HEAD
/v3/domains/{domain_id}/config - GET
/v3/domains/{domain_id}/config/{group} - HEAD
/v3/domains/{domain_id}/config/{group} - GET
/v3/domains/{domain_id}/config/{group}/{option} - HEAD
/v3/domains/{domain_id}/config/{group}/{option}
Scope Types: - system
Get the entire domain configuration for a domain, an option group within a domain, or a specific configuration option within a group for a domain.
- GET
identity:get_security_compliance_domain_configDefault: <empty string>
Operations: - GET
/v3/domains/{domain_id}/config/security_compliance - HEAD
/v3/domains/{domain_id}/config/security_compliance - GET
v3/domains/{domain_id}/config/security_compliance/{option} - HEAD
v3/domains/{domain_id}/config/security_compliance/{option}
Scope Types: - system
- project
Get security compliance domain configuration for either a domain or a specific option in a domain.
- GET
identity:update_domain_configDefault: rule:admin_requiredOperations: - PATCH
/v3/domains/{domain_id}/config - PATCH
/v3/domains/{domain_id}/config/{group} - PATCH
/v3/domains/{domain_id}/config/{group}/{option}
Scope Types: - system
Update domain configuration for either a domain, specific group or a specific option in a group.
- PATCH
identity:delete_domain_configDefault: rule:admin_requiredOperations: - DELETE
/v3/domains/{domain_id}/config - DELETE
/v3/domains/{domain_id}/config/{group} - DELETE
/v3/domains/{domain_id}/config/{group}/{option}
Scope Types: - system
Delete domain configuration for either a domain, specific group or a specific option in a group.
- DELETE
identity:get_domain_config_defaultDefault: rule:admin_requiredOperations: - GET
/v3/domains/config/default - HEAD
/v3/domains/config/default - GET
/v3/domains/config/{group}/default - HEAD
/v3/domains/config/{group}/default - GET
/v3/domains/config/{group}/{option}/default - HEAD
/v3/domains/config/{group}/{option}/default
Scope Types: - system
Get domain configuration default for either a domain, specific group or a specific option in a group.
- GET
identity:ec2_get_credentialDefault: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)Operations: - GET
/v3/users/{user_id}/credentials/OS-EC2/{credential_id}
Show ec2 credential details.
- GET
identity:ec2_list_credentialsDefault: rule:admin_or_ownerOperations: - GET
/v3/users/{user_id}/credentials/OS-EC2
List ec2 credentials.
- GET
identity:ec2_create_credentialDefault: rule:admin_or_ownerOperations: - POST
/v3/users/{user_id}/credentials/OS-EC2
Create ec2 credential.
- POST
identity:ec2_delete_credentialDefault: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)Operations: - DELETE
/v3/users/{user_id}/credentials/OS-EC2/{credential_id}
Delete ec2 credential.
- DELETE
identity:get_endpointDefault: rule:admin_requiredOperations: - GET
/v3/endpoints/{endpoint_id}
Scope Types: - system
Show endpoint details.
- GET
identity:list_endpointsDefault: rule:admin_requiredOperations: - GET
/v3/endpoints
Scope Types: - system
List endpoints.
- GET
identity:create_endpointDefault: rule:admin_requiredOperations: - POST
/v3/endpoints
Scope Types: - system
Create endpoint.
- POST
identity:update_endpointDefault: rule:admin_requiredOperations: - PATCH
/v3/endpoints/{endpoint_id}
Scope Types: - system
Update endpoint.
- PATCH
identity:delete_endpointDefault: rule:admin_requiredOperations: - DELETE
/v3/endpoints/{endpoint_id}
Scope Types: - system
Delete endpoint.
- DELETE
identity:create_endpoint_groupDefault: rule:admin_requiredOperations: - POST
/v3/OS-EP-FILTER/endpoint_groups
Scope Types: - system
Create endpoint group.
- POST
identity:list_endpoint_groupsDefault: rule:admin_requiredOperations: - GET
/v3/OS-EP-FILTER/endpoint_groups
Scope Types: - system
List endpoint groups.
- GET
identity:get_endpoint_groupDefault: rule:admin_requiredOperations: - GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} - HEAD
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
Scope Types: - system
Get endpoint group.
- GET
identity:update_endpoint_groupDefault: rule:admin_requiredOperations: - PATCH
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
Scope Types: - system
Update endpoint group.
- PATCH
identity:delete_endpoint_groupDefault: rule:admin_requiredOperations: - DELETE
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
Scope Types: - system
Delete endpoint group.
- DELETE
identity:list_projects_associated_with_endpoint_groupDefault: rule:admin_requiredOperations: - GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
Scope Types: - system
List all projects associated with a specific endpoint group.
- GET
identity:list_endpoints_associated_with_endpoint_groupDefault: rule:admin_requiredOperations: - GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
Scope Types: - system
List all endpoints associated with an endpoint group.
- GET
identity:get_endpoint_group_in_projectDefault: rule:admin_requiredOperations: - GET
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} - HEAD
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
Scope Types: - system
Check if an endpoint group is associated with a project.
- GET
identity:list_endpoint_groups_for_projectDefault: rule:admin_requiredOperations: - GET
/v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups
Scope Types: - system
List endpoint groups associated with a specific project.
- GET
identity:add_endpoint_group_to_projectDefault: rule:admin_requiredOperations: - PUT
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
Scope Types: - system
Allow a project to access an endpoint group.
- PUT
identity:remove_endpoint_group_from_projectDefault: rule:admin_requiredOperations: - DELETE
/v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
Scope Types: - system
Remove endpoint group from project.
- DELETE
identity:check_grantDefault: rule:admin_requiredOperations: - HEAD
/v3/projects/{project_id}/users/{user_id}/roles/{role_id} - GET
/v3/projects/{project_id}/users/{user_id}/roles/{role_id} - HEAD
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id} - GET
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id} - HEAD
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id} - GET
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id} - HEAD
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} - GET
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} - HEAD
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - GET
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - HEAD
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects - GET
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects - HEAD
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - GET
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - HEAD
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects - GET
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
Scope Types: - system
Check a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.
- HEAD
identity:list_grantsDefault: rule:admin_requiredOperations: - GET
/v3/projects/{project_id}/users/{user_id}/roles - HEAD
/v3/projects/{project_id}/users/{user_id}/roles - GET
/v3/projects/{project_id}/groups/{group_id}/roles - HEAD
/v3/projects/{project_id}/groups/{group_id}/roles - GET
/v3/domains/{domain_id}/users/{user_id}/roles - HEAD
/v3/domains/{domain_id}/users/{user_id}/roles - GET
/v3/domains/{domain_id}/groups/{group_id}/roles - HEAD
/v3/domains/{domain_id}/groups/{group_id}/roles - GET
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects - GET
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
Scope Types: - system
List roles granted to an actor on a target. A target can be either a domain or a project. An actor can be either a user or a group. For the OS-INHERIT APIs, it is possible to list inherited role grants for actors on domains, where grants are inherited to all projects in the specified domain.
- GET
identity:create_grantDefault: rule:admin_requiredOperations: - PUT
/v3/projects/{project_id}/users/{user_id}/roles/{role_id} - PUT
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id} - PUT
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id} - PUT
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} - PUT
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - PUT
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects - PUT
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - PUT
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
Scope Types: - system
Create a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.
- PUT
identity:revoke_grantDefault: rule:admin_requiredOperations: - DELETE
/v3/projects/{project_id}/users/{user_id}/roles/{role_id} - DELETE
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id} - DELETE
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id} - DELETE
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} - DELETE
/v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - DELETE
/v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects - DELETE
/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects - DELETE
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
Scope Types: - system
Revoke a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable. In that case, revoking the role grant in the target would remove the logical effect of inheriting it to the target’s projects subtree.
- DELETE
identity:list_system_grants_for_userDefault: rule:admin_requiredOperations: - [‘HEAD’, ‘GET’]
/v3/system/users/{user_id}/roles
Scope Types: - system
List all grants a specific user has on the system.
- [‘HEAD’, ‘GET’]
identity:check_system_grant_for_userDefault: rule:admin_requiredOperations: - [‘HEAD’, ‘GET’]
/v3/system/users/{user_id}/roles/{role_id}
Scope Types: - system
Check if a user has a role on the system.
- [‘HEAD’, ‘GET’]
identity:create_system_grant_for_userDefault: rule:admin_requiredOperations: - [‘PUT’]
/v3/system/users/{user_id}/roles/{role_id}
Scope Types: - system
Grant a user a role on the system.
- [‘PUT’]
identity:revoke_system_grant_for_userDefault: rule:admin_requiredOperations: - [‘DELETE’]
/v3/system/users/{user_id}/roles/{role_id}
Scope Types: - system
Remove a role from a user on the system.
- [‘DELETE’]
identity:list_system_grants_for_groupDefault: rule:admin_requiredOperations: - [‘HEAD’, ‘GET’]
/v3/system/groups/{group_id}/roles
Scope Types: - system
List all grants a specific group has on the system.
- [‘HEAD’, ‘GET’]
identity:check_system_grant_for_groupDefault: rule:admin_requiredOperations: - [‘HEAD’, ‘GET’]
/v3/system/groups/{group_id}/roles/{role_id}
Scope Types: - system
Check if a group has a role on the system.
- [‘HEAD’, ‘GET’]
identity:create_system_grant_for_groupDefault: rule:admin_requiredOperations: - [‘PUT’]
/v3/system/groups/{group_id}/roles/{role_id}
Scope Types: - system
Grant a group a role on the system.
- [‘PUT’]
identity:revoke_system_grant_for_groupDefault: rule:admin_requiredOperations: - [‘DELETE’]
/v3/system/groups/{group_id}/roles/{role_id}
Scope Types: - system
Remove a role from a group on the system.
- [‘DELETE’]
identity:get_groupDefault: rule:admin_requiredOperations: - GET
/v3/groups/{group_id} - HEAD
/v3/groups/{group_id}
Scope Types: - system
Show group details.
- GET
identity:list_groupsDefault: rule:admin_requiredOperations: - GET
/v3/groups - HEAD
/v3/groups
Scope Types: - system
List groups.
- GET
identity:list_groups_for_userDefault: rule:admin_or_ownerOperations: - GET
/v3/users/{user_id}/groups - HEAD
/v3/users/{user_id}/groups
Scope Types: - system
List groups to which a user belongs.
- GET
identity:create_groupDefault: rule:admin_requiredOperations: - POST
/v3/groups
Scope Types: - system
Create group.
- POST
identity:update_groupDefault: rule:admin_requiredOperations: - PATCH
/v3/groups/{group_id}
Scope Types: - system
Update group.
- PATCH
identity:delete_groupDefault: rule:admin_requiredOperations: - DELETE
/v3/groups/{group_id}
Scope Types: - system
Delete group.
- DELETE
identity:list_users_in_groupDefault: rule:admin_requiredOperations: - GET
/v3/groups/{group_id}/users - HEAD
/v3/groups/{group_id}/users
Scope Types: - system
List members of a specific group.
- GET
identity:remove_user_from_groupDefault: rule:admin_requiredOperations: - DELETE
/v3/groups/{group_id}/users/{user_id}
Scope Types: - system
Remove user from group.
- DELETE
identity:check_user_in_groupDefault: rule:admin_requiredOperations: - HEAD
/v3/groups/{group_id}/users/{user_id} - GET
/v3/groups/{group_id}/users/{user_id}
Scope Types: - system
Check whether a user is a member of a group.
- HEAD
identity:add_user_to_groupDefault: rule:admin_requiredOperations: - PUT
/v3/groups/{group_id}/users/{user_id}
Scope Types: - system
Add user to group.
- PUT
identity:create_identity_providerDefault: rule:admin_requiredOperations: - PUT
/v3/OS-FEDERATION/identity_providers/{idp_id}
Scope Types: - system
Create identity provider.
- PUT
identity:list_identity_providersDefault: rule:admin_requiredOperations: - GET
/v3/OS-FEDERATION/identity_providers - HEAD
/v3/OS-FEDERATION/identity_providers
Scope Types: - system
List identity providers.
- GET
identity:get_identity_providerDefault: rule:admin_requiredOperations: - GET
/v3/OS-FEDERATION/identity_providers/{idp_id} - HEAD
/v3/OS-FEDERATION/identity_providers/{idp_id}
Scope Types: - system
Get identity provider.
- GET
identity:update_identity_providerDefault: rule:admin_requiredOperations: - PATCH
/v3/OS-FEDERATION/identity_providers/{idp_id}
Scope Types: - system
Update identity provider.
- PATCH
identity:delete_identity_providerDefault: rule:admin_requiredOperations: - DELETE
/v3/OS-FEDERATION/identity_providers/{idp_id}
Scope Types: - system
Delete identity provider.
- DELETE
identity:get_implied_roleDefault: rule:admin_requiredOperations: - GET
/v3/roles/{prior_role_id}/implies/{implied_role_id}
Scope Types: - system
Get information about an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
- GET
identity:list_implied_rolesDefault: rule:admin_requiredOperations: - GET
/v3/roles/{prior_role_id}/implies - HEAD
/v3/roles/{prior_role_id}/implies
Scope Types: - system
List associations between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. This will return all the implied roles that would be assumed by the user who gets the specified prior role.
- GET
identity:create_implied_roleDefault: rule:admin_requiredOperations: - PUT
/v3/roles/{prior_role_id}/implies/{implied_role_id}
Scope Types: - system
Create an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
- PUT
identity:delete_implied_roleDefault: rule:admin_requiredOperations: - DELETE
/v3/roles/{prior_role_id}/implies/{implied_role_id}
Scope Types: - system
Delete the association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. Removing the association will cause that effect to be eliminated.
- DELETE
identity:list_role_inference_rulesDefault: rule:admin_requiredOperations: - GET
/v3/role_inferences - HEAD
/v3/role_inferences
Scope Types: - system
List all associations between two roles in the system. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
- GET
identity:check_implied_roleDefault: rule:admin_requiredOperations: - HEAD
/v3/roles/{prior_role_id}/implies/{implied_role_id}
Scope Types: - system
Check an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
- HEAD
identity:get_limit_modelDefault: <empty string>
Operations: - GET
/v3/limits/model - HEAD
/v3/limits/model
Scope Types: - system
- project
Get limit enforcement model.
- GET
identity:get_limitDefault: <empty string>
Operations: - GET
/v3/limits/{limit_id} - HEAD
/v3/limits/{limit_id}
Scope Types: - system
- project
Show limit details.
- GET
identity:list_limitsDefault: <empty string>
Operations: - GET
/v3/limits - HEAD
/v3/limits
Scope Types: - system
- project
List limits.
- GET
identity:create_limitsDefault: rule:admin_requiredOperations: - POST
/v3/limits
Scope Types: - system
Create limits.
- POST
identity:update_limitDefault: rule:admin_requiredOperations: - PATCH
/v3/limits/{limit_id}
Scope Types: - system
Update limit.
- PATCH
identity:delete_limitDefault: rule:admin_requiredOperations: - DELETE
/v3/limits/{limit_id}
Scope Types: - system
Delete limit.
- DELETE
identity:create_mappingDefault: rule:admin_requiredOperations: - PUT
/v3/OS-FEDERATION/mappings/{mapping_id}
Scope Types: - system
Create a new federated mapping containing one or more sets of rules.
- PUT
identity:get_mappingDefault: rule:admin_requiredOperations: - GET
/v3/OS-FEDERATION/mappings/{mapping_id} - HEAD
/v3/OS-FEDERATION/mappings/{mapping_id}
Scope Types: - system
Get a federated mapping.
- GET
identity:list_mappingsDefault: rule:admin_requiredOperations: - GET
/v3/OS-FEDERATION/mappings - HEAD
/v3/OS-FEDERATION/mappings
Scope Types: - system
List federated mappings.
- GET
identity:delete_mappingDefault: rule:admin_requiredOperations: - DELETE
/v3/OS-FEDERATION/mappings/{mapping_id}
Scope Types: - system
Delete a federated mapping.
- DELETE
identity:update_mappingDefault: rule:admin_requiredOperations: - PATCH
/v3/OS-FEDERATION/mappings/{mapping_id}
Scope Types: - system
Update a federated mapping.
- PATCH
identity:get_policyDefault: rule:admin_requiredOperations: - GET
/v3/policy/{policy_id}
Scope Types: - system
Show policy details.
- GET
identity:list_policiesDefault: rule:admin_requiredOperations: - GET
/v3/policies
Scope Types: - system
List policies.
- GET
identity:create_policyDefault: rule:admin_requiredOperations: - POST
/v3/policies
Scope Types: - system
Create policy.
- POST
identity:update_policyDefault: rule:admin_requiredOperations: - PATCH
/v3/policies/{policy_id}
Scope Types: - system
Update policy.
- PATCH
identity:delete_policyDefault: rule:admin_requiredOperations: - DELETE
/v3/policies/{policy_id}
Scope Types: - system
Delete policy.
- DELETE
identity:create_policy_association_for_endpointDefault: rule:admin_requiredOperations: - PUT
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
Scope Types: - system
Associate a policy to a specific endpoint.
- PUT
identity:check_policy_association_for_endpointDefault: rule:admin_requiredOperations: - GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} - HEAD
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
Scope Types: - system
Check policy association for endpoint.
- GET
identity:delete_policy_association_for_endpointDefault: rule:admin_requiredOperations: - DELETE
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
Scope Types: - system
Delete policy association for endpoint.
- DELETE
identity:create_policy_association_for_serviceDefault: rule:admin_requiredOperations: - PUT
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
Scope Types: - system
Associate a policy to a specific service.
- PUT
identity:check_policy_association_for_serviceDefault: rule:admin_requiredOperations: - GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} - HEAD
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
Scope Types: - system
Check policy association for service.
- GET
identity:delete_policy_association_for_serviceDefault: rule:admin_requiredOperations: - DELETE
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
Scope Types: - system
Delete policy association for service.
- DELETE
identity:create_policy_association_for_region_and_serviceDefault: rule:admin_requiredOperations: - PUT
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
Scope Types: - system
Associate a policy to a specific region and service combination.
- PUT
identity:check_policy_association_for_region_and_serviceDefault: rule:admin_requiredOperations: - GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} - HEAD
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
Scope Types: - system
Check policy association for region and service.
- GET
identity:delete_policy_association_for_region_and_serviceDefault: rule:admin_requiredOperations: - DELETE
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
Scope Types: - system
Delete policy association for region and service.
- DELETE
identity:get_policy_for_endpointDefault: rule:admin_requiredOperations: - GET
/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy - HEAD
/v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
Scope Types: - system
Get policy for endpoint.
- GET
identity:list_endpoints_for_policyDefault: rule:admin_requiredOperations: - GET
/v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
Scope Types: - system
List endpoints for policy.
- GET
identity:get_projectDefault: rule:admin_required or project_id:%(target.project.id)sOperations: - GET
/v3/projects/{project_id}
Show project details.
- GET
identity:list_projectsDefault: rule:admin_requiredOperations: - GET
/v3/projects
Scope Types: - system
List projects.
- GET
identity:list_user_projectsDefault: rule:admin_or_ownerOperations: - GET
/v3/users/{user_id}/projects
List projects for user.
- GET
identity:create_projectDefault: rule:admin_requiredOperations: - POST
/v3/projects
Scope Types: - system
Create project.
- POST
identity:update_projectDefault: rule:admin_requiredOperations: - PATCH
/v3/projects/{project_id}
Scope Types: - system
Update project.
- PATCH
identity:delete_projectDefault: rule:admin_requiredOperations: - DELETE
/v3/projects/{project_id}
Scope Types: - system
Delete project.
- DELETE
identity:list_project_tagsDefault: rule:admin_required or project_id:%(target.project.id)sOperations: - GET
/v3/projects/{project_id}/tags - HEAD
/v3/projects/{project_id}/tags
List tags for a project.
- GET
identity:get_project_tagDefault: rule:admin_required or project_id:%(target.project.id)sOperations: - GET
/v3/projects/{project_id}/tags/{value} - HEAD
/v3/projects/{project_id}/tags/{value}
Check if project contains a tag.
- GET
identity:update_project_tagsDefault: rule:admin_requiredOperations: - PUT
/v3/projects/{project_id}/tags
Scope Types: - system
Replace all tags on a project with the new set of tags.
- PUT
identity:create_project_tagDefault: rule:admin_requiredOperations: - PUT
/v3/projects/{project_id}/tags/{value}
Scope Types: - system
Add a single tag to a project.
- PUT
identity:delete_project_tagsDefault: rule:admin_requiredOperations: - DELETE
/v3/projects/{project_id}/tags
Scope Types: - system
Remove all tags from a project.
- DELETE
identity:delete_project_tagDefault: rule:admin_requiredOperations: - DELETE
/v3/projects/{project_id}/tags/{value}
Scope Types: - system
Delete a specified tag from project.
- DELETE
identity:list_projects_for_endpointDefault: rule:admin_requiredOperations: - GET
/v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
Scope Types: - system
List projects allowed to access an endpoint.
- GET
identity:add_endpoint_to_projectDefault: rule:admin_requiredOperations: - PUT
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
Scope Types: - system
Allow project to access an endpoint.
- PUT
identity:check_endpoint_in_projectDefault: rule:admin_requiredOperations: - GET
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} - HEAD
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
Scope Types: - system
Check if a project is allowed to access an endpoint.
- GET
identity:list_endpoints_for_projectDefault: rule:admin_requiredOperations: - GET
/v3/OS-EP-FILTER/projects/{project_id}/endpoints
Scope Types: - system
List the endpoints a project is allowed to access.
- GET
identity:remove_endpoint_from_projectDefault: rule:admin_requiredOperations: - DELETE
/v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
Scope Types: - system
Remove access to an endpoint from a project that has previously been given explicit access.
- DELETE
identity:create_protocolDefault: rule:admin_requiredOperations: - PUT
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
Scope Types: - system
Create federated protocol.
- PUT
identity:update_protocolDefault: rule:admin_requiredOperations: - PATCH
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
Scope Types: - system
Update federated protocol.
- PATCH
identity:get_protocolDefault: rule:admin_requiredOperations: - GET
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
Scope Types: - system
Get federated protocol.
- GET
identity:list_protocolsDefault: rule:admin_requiredOperations: - GET
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
Scope Types: - system
List federated protocols.
- GET
identity:delete_protocolDefault: rule:admin_requiredOperations: - DELETE
/v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
Scope Types: - system
Delete federated protocol.
- DELETE
identity:get_regionDefault: <empty string>
Operations: - GET
/v3/regions/{region_id} - HEAD
/v3/regions/{region_id}
Scope Types: - system
- project
Show region details.
- GET
identity:list_regionsDefault: <empty string>
Operations: - GET
/v3/regions - HEAD
/v3/regions
Scope Types: - system
- project
List regions.
- GET
identity:create_regionDefault: rule:admin_requiredOperations: - POST
/v3/regions - PUT
/v3/regions/{region_id}
Scope Types: - system
Create region.
- POST
identity:update_regionDefault: rule:admin_requiredOperations: - PATCH
/v3/regions/{region_id}
Scope Types: - system
Update region.
- PATCH
identity:delete_regionDefault: rule:admin_requiredOperations: - DELETE
/v3/regions/{region_id}
Scope Types: - system
Delete region.
- DELETE
identity:get_registered_limitDefault: <empty string>
Operations: - GET
/v3/registered_limits/{registered_limit_id} - HEAD
/v3/registered_limits/{registered_limit_id}
Scope Types: - system
- project
Show registered limit details.
- GET
identity:list_registered_limitsDefault: <empty string>
Operations: - GET
/v3/registered_limits - HEAD
/v3/registered_limits
Scope Types: - system
- project
List registered limits.
- GET
identity:create_registered_limitsDefault: rule:admin_requiredOperations: - POST
/v3/registered_limits
Scope Types: - system
Create registered limits.
- POST
identity:update_registered_limitDefault: rule:admin_requiredOperations: - PATCH
/v3/registered_limits/{registered_limit_id}
Scope Types: - system
Update registered limit.
- PATCH
identity:delete_registered_limitDefault: rule:admin_requiredOperations: - DELETE
/v3/registered_limits/{registered_limit_id}
Scope Types: - system
Delete registered limit.
- DELETE
identity:list_revoke_eventsDefault: rule:service_or_adminOperations: - GET
/v3/OS-REVOKE/events
Scope Types: - system
List revocation events.
- GET
identity:get_roleDefault: rule:admin_requiredOperations: - GET
/v3/roles/{role_id} - HEAD
/v3/roles/{role_id}
Scope Types: - system
Show role details.
- GET
identity:list_rolesDefault: rule:admin_requiredOperations: - GET
/v3/roles - HEAD
/v3/roles
Scope Types: - system
List roles.
- GET
identity:create_roleDefault: rule:admin_requiredOperations: - POST
/v3/roles
Scope Types: - system
Create role.
- POST
identity:update_roleDefault: rule:admin_requiredOperations: - PATCH
/v3/roles/{role_id}
Scope Types: - system
Update role.
- PATCH
identity:delete_roleDefault: rule:admin_requiredOperations: - DELETE
/v3/roles/{role_id}
Scope Types: - system
Delete role.
- DELETE
identity:get_domain_roleDefault: rule:admin_requiredOperations: - GET
/v3/roles/{role_id} - HEAD
/v3/roles/{role_id}
Scope Types: - system
Show domain role.
- GET
identity:list_domain_rolesDefault: rule:admin_requiredOperations: - GET
/v3/roles?domain_id={domain_id} - HEAD
/v3/roles?domain_id={domain_id}
Scope Types: - system
List domain roles.
- GET
identity:create_domain_roleDefault: rule:admin_requiredOperations: - POST
/v3/roles
Scope Types: - system
Create domain role.
- POST
identity:update_domain_roleDefault: rule:admin_requiredOperations: - PATCH
/v3/roles/{role_id}
Scope Types: - system
Update domain role.
- PATCH
identity:delete_domain_roleDefault: rule:admin_requiredOperations: - DELETE
/v3/roles/{role_id}
Scope Types: - system
Delete domain role.
- DELETE
identity:list_role_assignmentsDefault: rule:admin_requiredOperations: - GET
/v3/role_assignments - HEAD
/v3/role_assignments
Scope Types: - system
List role assignments.
- GET
identity:list_role_assignments_for_treeDefault: rule:admin_requiredOperations: - GET
/v3/role_assignments?include_subtree - HEAD
/v3/role_assignments?include_subtree
Scope Types: - project
List all role assignments for a given tree of hierarchical projects.
- GET
identity:get_serviceDefault: rule:admin_requiredOperations: - GET
/v3/services/{service_id}
Scope Types: - system
Show service details.
- GET
identity:list_servicesDefault: rule:admin_requiredOperations: - GET
/v3/services
Scope Types: - system
List services.
- GET
identity:create_serviceDefault: rule:admin_requiredOperations: - POST
/v3/services
Scope Types: - system
Create service.
- POST
identity:update_serviceDefault: rule:admin_requiredOperations: - PATCH
/v3/services/{service_id}
Scope Types: - system
Update service.
- PATCH
identity:delete_serviceDefault: rule:admin_requiredOperations: - DELETE
/v3/services/{service_id}
Scope Types: - system
Delete service.
- DELETE
identity:create_service_providerDefault: rule:admin_requiredOperations: - PUT
/v3/OS-FEDERATION/service_providers/{service_provider_id}
Scope Types: - system
Create federated service provider.
- PUT
identity:list_service_providersDefault: rule:admin_requiredOperations: - GET
/v3/OS-FEDERATION/service_providers - HEAD
/v3/OS-FEDERATION/service_providers
Scope Types: - system
List federated service providers.
- GET
identity:get_service_providerDefault: rule:admin_requiredOperations: - GET
/v3/OS-FEDERATION/service_providers/{service_provider_id} - HEAD
/v3/OS-FEDERATION/service_providers/{service_provider_id}
Scope Types: - system
Get federated service provider.
- GET
identity:update_service_providerDefault: rule:admin_requiredOperations: - PATCH
/v3/OS-FEDERATION/service_providers/{service_provider_id}
Scope Types: - system
Update federated service provider.
- PATCH
identity:delete_service_providerDefault: rule:admin_requiredOperations: - DELETE
/v3/OS-FEDERATION/service_providers/{service_provider_id}
Scope Types: - system
Delete federated service provider.
- DELETE
identity:revocation_listDefault: rule:service_or_adminOperations: - GET
/v3/auth/tokens/OS-PKI/revoked
Scope Types: - system
- project
List revoked PKI tokens.
- GET
identity:check_tokenDefault: rule:admin_or_token_subjectOperations: - HEAD
/v3/auth/tokens
Check a token.
- HEAD
identity:validate_tokenDefault: rule:service_admin_or_token_subjectOperations: - GET
/v3/auth/tokens
Validate a token.
- GET
identity:revoke_tokenDefault: rule:admin_or_token_subjectOperations: - DELETE
/v3/auth/tokens
Revoke a token.
- DELETE
identity:create_trustDefault: user_id:%(trust.trustor_user_id)sOperations: - POST
/v3/OS-TRUST/trusts
Scope Types: - project
Create trust.
- POST
identity:list_trustsDefault: <empty string>
Operations: - GET
/v3/OS-TRUST/trusts - HEAD
/v3/OS-TRUST/trusts
Scope Types: - project
List trusts.
- GET
identity:list_roles_for_trustDefault: <empty string>
Operations: - GET
/v3/OS-TRUST/trusts/{trust_id}/roles - HEAD
/v3/OS-TRUST/trusts/{trust_id}/roles
Scope Types: - project
List roles delegated by a trust.
- GET
identity:get_role_for_trustDefault: <empty string>
Operations: - GET
/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id} - HEAD
/v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
Scope Types: - project
Check if trust delegates a particular role.
- GET
identity:delete_trustDefault: <empty string>
Operations: - DELETE
/v3/OS-TRUST/trusts/{trust_id}
Scope Types: - project
Revoke trust.
- DELETE
identity:get_trustDefault: <empty string>
Operations: - GET
/v3/OS-TRUST/trusts/{trust_id} - HEAD
/v3/OS-TRUST/trusts/{trust_id}
Scope Types: - project
Get trust.
- GET
identity:get_userDefault: rule:admin_or_ownerOperations: - GET
/v3/users/{user_id} - HEAD
/v3/users/{user_id}
Show user details.
- GET
identity:list_usersDefault: rule:admin_requiredOperations: - GET
/v3/users - HEAD
/v3/users
Scope Types: - system
List users.
- GET
identity:list_projects_for_userDefault: <empty string>
Operations: - GET `` /v3/auth/projects``
List all projects a user has access to via role assignments.
identity:list_domains_for_userDefault: <empty string>
Operations: - GET
/v3/auth/domains
List all domains a user has access to via role assignments.
- GET
identity:create_userDefault: rule:admin_requiredOperations: - POST
/v3/users
Scope Types: - system
Create a user.
- POST
identity:update_userDefault: rule:admin_requiredOperations: - PATCH
/v3/users/{user_id}
Scope Types: - system
Update a user, including administrative password resets.
- PATCH
identity:delete_userDefault: rule:admin_requiredOperations: - DELETE
/v3/users/{user_id}
Scope Types: - system
Delete a user.
- DELETE
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.