Identity v3 Commands¶
access rule¶
Access rules are fine-grained permissions for application credentials. An access rule comprises a service type, a request path, and a request method. Access rules may only be created as attributes of application credentials, but they may be viewed and deleted independently.
access rule delete¶
Delete access rule(s)
openstack access rule delete <access-rule> [<access-rule> ...]
- access-rule¶
Access rule ID(s) to delete
access rule list¶
List access rules
openstack access rule list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
[--user <user>]
[--user-domain <user-domain>]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
- --user <user>¶
User whose access rules to list (name or ID)
- --user-domain <user-domain>¶
Domain the user belongs to (name or ID). This can be used in case collisions between user names exist.
access rule show¶
Display access rule details
openstack access rule show <access-rule>
- access-rule¶
Access rule ID to display
access token¶
An access token is used by the Identity service’s OS-OAUTH1 extension. It is used by the consumer to request new Identity API tokens on behalf of the authorizing user.
access token create¶
Create an access token
openstack access token create
--consumer-key <consumer-key>
--consumer-secret <consumer-secret>
--request-key <request-key>
--request-secret <request-secret>
--verifier <verifier>
- --consumer-key <consumer-key>¶
Consumer key (required)
- --consumer-secret <consumer-secret>¶
Consumer secret (required)
- --request-key <request-key>¶
Request token to exchange for access token (required)
- --request-secret <request-secret>¶
Secret associated with <request-key> (required)
- --verifier <verifier>¶
Verifier associated with <request-key> (required)
application credential¶
With application credentials, a user can grant their applications limited
access to their cloud resources. Once created, users can authenticate with an
application credential by using the v3applicationcredential auth type.
application credential create¶
Create new application credential
openstack application credential create
[--secret <secret>]
[--role <role>]
[--expiration <expiration>]
[--description <description>]
[--unrestricted]
[--restricted]
[--access-rules <access-rules>]
<name>
- --secret <secret>¶
Secret to use for authentication (if not provided, one will be generated)
- --role <role>¶
Roles to authorize (name or ID) (repeat option to set multiple values)
- --expiration <expiration>¶
Sets an expiration date for the application credential, format of YYYY-mm-ddTHH:MM:SS (if not provided, the application credential will not expire)
- --description <description>¶
Application credential description
- --unrestricted¶
Enable application credential to create and delete other application credentials and trusts (this is potentially dangerous behavior and is disabled by default)
- --restricted¶
Prohibit application credential from creating and deleting other application credentials and trusts (this is the default behavior)
- --access-rules <access-rules>¶
Either a string or file path containing a JSON-formatted list of access rules, each containing a request method, path, and service, for example '[{"method": "GET", "path": "/v2.1/servers", "service": "compute"}]'
- name¶
Name of the application credential
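The following pre-flight check is an added example, not part of python-openstackclient: it validates an `--access-rules` value and an `--expiration` value, then assembles the `application credential create` argument list with `--restricted` set explicitly. The accepted method set, the decision to flag `*` in a path for review, and the sample role and credential names are assumptions of this example.

```python
import json
from datetime import datetime

# Assumption: HTTP methods accepted in an access rule; adjust to your deployment.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE"}
REQUIRED_KEYS = ("method", "path", "service")
EXPIRATION_FORMAT = "%Y-%m-%dT%H:%M:%S"  # YYYY-mm-ddTHH:MM:SS, per --expiration


def check_access_rules(raw):
    """Parse a JSON-formatted list of access rules; return (rules, findings)."""
    try:
        rules = json.loads(raw)
    except json.JSONDecodeError as exc:
        # Typical cause: typographic quotes pasted from a rendered page.
        return [], [f"error: access rules are not valid JSON: {exc.msg}"]
    if not isinstance(rules, list) or not rules:
        return [], ["error: expected a non-empty JSON list of access rules"]
    findings, seen = [], set()
    for i, rule in enumerate(rules):
        if not isinstance(rule, dict):
            findings.append(f"error: rule {i} is not a JSON object")
            continue
        missing = [k for k in REQUIRED_KEYS
                   if not isinstance(rule.get(k), str) or not rule[k]]
        if missing:
            findings.append(f"error: rule {i} lacks {', '.join(missing)}")
            continue
        if rule["method"] not in ALLOWED_METHODS:
            findings.append(
                f"error: rule {i} method {rule['method']!r} not recognised")
        if not rule["path"].startswith("/"):
            findings.append(f"error: rule {i} path must start with '/'")
        if "*" in rule["path"]:
            # Local review policy (assumption): wildcards widen the grant.
            findings.append(
                f"warn: rule {i} path {rule['path']!r} uses a wildcard")
        key = (rule["service"], rule["method"], rule["path"])
        if key in seen:
            findings.append(f"warn: rule {i} duplicates an earlier rule")
        seen.add(key)
    return rules, findings


def check_expiration(expiration, now):
    """Check the --expiration value against `now` (both naive, same timezone)."""
    if expiration is None:
        return ["warn: no --expiration, the application credential will not expire"]
    try:
        when = datetime.strptime(expiration, EXPIRATION_FORMAT)
    except ValueError:
        return [f"error: expiration {expiration!r} is not YYYY-mm-ddTHH:MM:SS"]
    if when <= now:
        return [f"error: expiration {expiration} is not in the future"]
    return []


def build_create_command(name, roles, access_rules_json, expiration, now):
    """Return (argv, warnings); raise ValueError if any check reports an error."""
    rules, findings = check_access_rules(access_rules_json)
    findings += check_expiration(expiration, now)
    errors = [f for f in findings if f.startswith("error")]
    if errors:
        raise ValueError("; ".join(errors))
    # --restricted is the default; passing it records the intent in the command.
    argv = ["openstack", "application", "credential", "create", "--restricted"]
    for role in roles:
        argv += ["--role", role]
    if expiration:
        argv += ["--expiration", expiration]
    # Re-serialise so the CLI receives straight-quoted JSON as a single argument.
    argv += ["--access-rules", json.dumps(rules), name]
    return argv, findings


if __name__ == "__main__":
    # Constructed sample input: one read-only rule, sample role and name.
    sample = '[{"method": "GET", "path": "/v2.1/servers", "service": "compute"}]'
    argv, warnings = build_create_command(
        "monitoring", ["reader"], sample, "2030-01-01T00:00:00",
        now=datetime(2025, 1, 1))
    print(argv)
    print(warnings)
```

Passing the returned list to `subprocess.run` without a shell keeps the JSON value intact as one argument, so no shell quoting of the rules is needed.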
application credential delete¶
Delete application credential(s)
openstack application credential delete
<application-credential>
[<application-credential> ...]
- application-credential¶
Application credential(s) to delete (name or ID)
application credential list¶
List application credentials
openstack application credential list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
[--user <user>]
[--user-domain <user-domain>]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
- --user <user>¶
User whose application credentials to list (name or ID)
- --user-domain <user-domain>¶
Domain the user belongs to (name or ID). This can be used in case collisions between user names exist.
application credential show¶
Display application credential details
openstack application credential show <application-credential>
- application-credential¶
Application credential to display (name or ID)
catalog¶
A catalog lists OpenStack services that are available on the cloud.
catalog list¶
List services in the service catalog
openstack catalog list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
catalog show¶
Display service catalog details
openstack catalog show <service>
- service¶
Service to display (type or name)
consumer¶
A consumer is used by the Identity service’s OS-OAUTH1 extension. It is used to create a request token and access token.
consumer create¶
Create new consumer
openstack consumer create [--description <description>]
- --description <description>¶
New consumer description
consumer delete¶
Delete consumer(s)
openstack consumer delete <consumer> [<consumer> ...]
- consumer¶
Consumer(s) to delete
consumer list¶
List consumers
openstack consumer list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
consumer set¶
Set consumer properties
openstack consumer set [--description <description>] <consumer>
- --description <description>¶
New consumer description
- consumer¶
Consumer to modify
consumer show¶
Display consumer details
openstack consumer show <consumer>
- consumer¶
Consumer to display
credential¶
credential create¶
Create new credential
openstack credential create
[--type <type>]
[--project <project>]
<user>
<data>
- --type <type>¶
New credential type: cert, ec2, totp and so on
- --project <project>¶
Project which limits the scope of the credential (name or ID)
- user¶
User that owns the credential (name or ID)
- data¶
New credential data
credential delete¶
Delete credential(s)
openstack credential delete <credential-id> [<credential-id> ...]
- credential-id¶
ID of credential(s) to delete
credential list¶
List credentials
openstack credential list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
[--user <user>]
[--user-domain <user-domain>]
[--type <type>]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
- --user <user>¶
Filter credentials by <user> (name or ID)
- --user-domain <user-domain>¶
Domain the user belongs to (name or ID). This can be used in case collisions between user names exist.
- --type <type>¶
Filter credentials by type: cert, ec2, totp and so on
credential set¶
Set credential properties
openstack credential set
--user <user>
--type <type>
--data <data>
[--project <project>]
<credential-id>
- --user <user>¶
User that owns the credential (name or ID)
- --type <type>¶
New credential type: cert, ec2, totp and so on
- --data <data>¶
New credential data
- --project <project>¶
Project which limits the scope of the credential (name or ID)
- credential-id¶
ID of credential to change
credential show¶
Display credential details
openstack credential show <credential-id>
- credential-id¶
ID of credential to display
domain¶
A domain is a collection of users, groups, and projects. Each group and project is owned by exactly one domain.
domain create¶
Create new domain
openstack domain create
[--description <description>]
[--enable | --disable]
[--or-show]
[--immutable | --no-immutable]
<domain-name>
- --description <description>¶
New domain description
- --enable¶
Enable domain (default)
- --disable¶
Disable domain
- --or-show¶
Return existing domain
- --immutable¶
Make resource immutable. An immutable project may not be deleted or modified except to remove the immutable flag
- --no-immutable¶
Make resource mutable (default)
- domain-name¶
New domain name
domain delete¶
Delete domain(s)
openstack domain delete <domain> [<domain> ...]
- domain¶
Domain(s) to delete (name or ID)
domain list¶
List domains
openstack domain list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
[--name <name>]
[--enabled]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
- --name <name>¶
The domain name
- --enabled¶
The domains that are enabled will be returned
domain set¶
Set domain properties
openstack domain set
[--name <name>]
[--description <description>]
[--enable | --disable]
[--immutable | --no-immutable]
<domain>
- --name <name>¶
New domain name
- --description <description>¶
New domain description
- --enable¶
Enable domain
- --disable¶
Disable domain
- --immutable¶
Make resource immutable. An immutable project may not be deleted or modified except to remove the immutable flag
- --no-immutable¶
Make resource mutable (default)
- domain¶
Domain to modify (name or ID)
domain show¶
Display domain details
openstack domain show <domain>
- domain¶
Domain to display (name or ID)
ec2 credentials (Identity v3)¶
ec2 credentials create¶
Create EC2 credentials
openstack ec2 credentials create
[--project <project>]
[--user <user>]
[--user-domain <user-domain>]
[--project-domain <project-domain>]
- --project <project>¶
Create credentials in project (name or ID; default: current authenticated project)
- --user <user>¶
Create credentials for user (name or ID; default: current authenticated user)
- --user-domain <user-domain>¶
Domain the user belongs to (name or ID). This can be used in case collisions between user names exist.
- --project-domain <project-domain>¶
Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.
ec2 credentials delete¶
Delete EC2 credentials
openstack ec2 credentials delete
[--user <user>]
[--user-domain <user-domain>]
<access-key>
[<access-key> ...]
- --user <user>¶
Delete credentials for user (name or ID)
- --user-domain <user-domain>¶
Domain the user belongs to (name or ID). This can be used in case collisions between user names exist.
- access-key¶
Credentials access key(s)
ec2 credentials list¶
List EC2 credentials
openstack ec2 credentials list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
[--user <user>]
[--user-domain <user-domain>]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
- --user <user>¶
Filter list by user (name or ID)
- --user-domain <user-domain>¶
Domain the user belongs to (name or ID). This can be used in case collisions between user names exist.
ec2 credentials show¶
Display EC2 credentials details
openstack ec2 credentials show
[--user <user>]
[--user-domain <user-domain>]
<access-key>
- --user <user>¶
Show credentials for user (name or ID)
- --user-domain <user-domain>¶
Domain the user belongs to (name or ID). This can be used in case collisions between user names exist.
- access-key¶
Credentials access key
endpoint group¶
An endpoint group is used to create groups of endpoints that can then be used to filter the endpoints that are available to a project.
endpoint group add project¶
Add a project to an endpoint group
openstack endpoint group add project
[--project-domain <project-domain>]
<endpoint-group>
<project>
- --project-domain <project-domain>¶
Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.
- endpoint-group¶
Endpoint group (name or ID)
- project¶
Project to associate (name or ID)
endpoint group create¶
Create new endpoint group
openstack endpoint group create
[--description DESCRIPTION]
<name>
<filename>
- --description <DESCRIPTION>¶
Description of the endpoint group
- name¶
Name of the endpoint group
- filename¶
Filename that contains a new set of filters
endpoint group delete¶
Delete endpoint group(s)
openstack endpoint group delete <endpoint-group> [<endpoint-group> ...]
- endpoint-group¶
Endpoint group(s) to delete (name or ID)
endpoint group list¶
List endpoint groups
openstack endpoint group list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
[--endpointgroup <endpoint-group> | --project <project>]
[--domain <domain>]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
- --endpointgroup <endpoint-group>¶
Endpoint Group (name or ID)
- --project <project>¶
Project (name or ID)
- --domain <domain>¶
Domain owning <project> (name or ID)
endpoint group remove project¶
Remove project from endpoint group
openstack endpoint group remove project
[--project-domain <project-domain>]
<endpoint-group>
<project>
- --project-domain <project-domain>¶
Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.
- endpoint-group¶
Endpoint group (name or ID)
- project¶
Project to remove (name or ID)
endpoint group set¶
Set endpoint group properties
openstack endpoint group set
[--name <name>]
[--filters <filename>]
[--description <description>]
<endpoint-group>
- --name <name>¶
New endpoint group name
- --filters <filename>¶
Filename that contains a new set of filters
- --description <description>¶
New endpoint group description
- endpoint-group¶
Endpoint Group to modify (name or ID)
endpoint group show¶
Display endpoint group details
openstack endpoint group show <endpointgroup>
- endpointgroup¶
Endpoint group (name or ID)
endpoint (Identity v3)¶
endpoint add project¶
Associate a project to an endpoint
openstack endpoint add project
[--project-domain <project-domain>]
<endpoint>
<project>
- --project-domain <project-domain>¶
Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.
- endpoint¶
Endpoint to associate with specified project (name or ID)
- project¶
Project to associate with specified endpoint (name or ID)
endpoint create¶
Create new endpoint
openstack endpoint create
[--region <region-id>]
[--enable | --disable]
<service>
<interface>
<url>
- --region <region-id>¶
New endpoint region ID
- --enable¶
Enable endpoint (default)
- --disable¶
Disable endpoint
- service¶
Service to be associated with new endpoint (name or ID)
- interface¶
New endpoint interface type (admin, public or internal)
- url¶
New endpoint URL
endpoint delete¶
Delete endpoint(s)
openstack endpoint delete <endpoint-id> [<endpoint-id> ...]
- endpoint-id¶
Endpoint(s) to delete (ID only)
endpoint list¶
List endpoints
openstack endpoint list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
[--service <service>]
[--interface <interface>]
[--region <region-id>]
[--endpoint <endpoint-group> | --project <project>]
[--project-domain <project-domain>]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
- --service <service>¶
Filter by service (type, name or ID)
- --interface <interface>¶
Filter by interface type (admin, public or internal)
- --region <region-id>¶
Filter by region ID
- --endpoint <endpoint-group>¶
Endpoint to list filters
- --project <project>¶
Project to list filters (name or ID)
- --project-domain <project-domain>¶
Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.
endpoint remove project¶
Dissociate a project from an endpoint
openstack endpoint remove project
[--project-domain <project-domain>]
<endpoint>
<project>
- --project-domain <project-domain>¶
Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.
- endpoint¶
Endpoint to dissociate from specified project (name or ID)
- project¶
Project to dissociate from specified endpoint (name or ID)
endpoint set¶
Set endpoint properties
openstack endpoint set
[--region <region-id>]
[--interface <interface>]
[--url <url>]
[--service <service>]
[--enable | --disable]
<endpoint-id>
- --region <region-id>¶
New endpoint region ID
- --interface <interface>¶
New endpoint interface type (admin, public or internal)
- --url <url>¶
New endpoint URL
- --service <service>¶
New endpoint service (name or ID)
- --enable¶
Enable endpoint
- --disable¶
Disable endpoint
- endpoint-id¶
Endpoint to modify (ID only)
endpoint show¶
Display endpoint details
openstack endpoint show <endpoint>
- endpoint¶
Endpoint to display (endpoint ID, service ID, service name, service type)
federation domain/project¶
federation domain list¶
List accessible domains
openstack federation domain list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
federation project list¶
List accessible projects
openstack federation project list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
federation protocol¶
A federation protocol is used by the Identity service’s OS-FEDERATION extension. It is used by identity providers and mappings.
federation protocol create¶
Create new federation protocol
openstack federation protocol create
--identity-provider <identity-provider>
--mapping <mapping>
<name>
- --identity-provider <identity-provider>¶
Identity provider that will support the new federation protocol (name or ID) (required)
- --mapping <mapping>¶
Mapping that is to be used (name or ID) (required)
- name¶
New federation protocol name (must be unique per identity provider)
federation protocol delete¶
Delete federation protocol(s)
openstack federation protocol delete
--identity-provider <identity-provider>
<federation-protocol>
[<federation-protocol> ...]
- --identity-provider <identity-provider>¶
Identity provider that supports <federation-protocol> (name or ID) (required)
- federation-protocol¶
Federation protocol(s) to delete (name or ID)
federation protocol list¶
List federation protocols
openstack federation protocol list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
--identity-provider <identity-provider>
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
- --identity-provider <identity-provider>¶
Identity provider to list (name or ID) (required)
federation protocol set¶
Set federation protocol properties
openstack federation protocol set
--identity-provider <identity-provider>
[--mapping <mapping>]
<name>
- --identity-provider <identity-provider>¶
Identity provider that supports <federation-protocol> (name or ID) (required)
- --mapping <mapping>¶
Mapping that is to be used (name or ID)
- name¶
Federation protocol to modify (name or ID)
federation protocol show¶
Display federation protocol details
openstack federation protocol show
--identity-provider <identity-provider>
<federation-protocol>
- --identity-provider <identity-provider>¶
Identity provider that supports <federation-protocol> (name or ID) (required)
- federation-protocol¶
Federation protocol to display (name or ID)
group¶
group add user¶
Add user to group
openstack group add user
[--group-domain <group-domain>]
[--user-domain <user-domain>]
<group>
<user>
[<user> ...]
- --group-domain <group-domain>¶
Domain the group belongs to (name or ID). This can be used in case collisions between group names exist.
- --user-domain <user-domain>¶
Domain the user belongs to (name or ID). This can be used in case collisions between user names exist.
- group¶
Group to contain <user> (name or ID)
- user¶
User(s) to add to <group> (name or ID) (repeat option to add multiple users)
group contains user¶
Check user membership in group
openstack group contains user
[--group-domain <group-domain>]
[--user-domain <user-domain>]
<group>
<user>
- --group-domain <group-domain>¶
Domain the group belongs to (name or ID). This can be used in case collisions between group names exist.
- --user-domain <user-domain>¶
Domain the user belongs to (name or ID). This can be used in case collisions between user names exist.
- group¶
Group to check (name or ID)
- user¶
User to check (name or ID)
group create¶
Create new group
openstack group create
[--domain <domain>]
[--description <description>]
[--or-show]
<group-name>
- --domain <domain>¶
Domain to contain new group (name or ID)
- --description <description>¶
New group description
- --or-show¶
Return existing group
- group-name¶
New group name
group delete¶
Delete group(s)
openstack group delete [--domain <domain>] <group> [<group> ...]
- --domain <domain>¶
Domain containing group(s) (name or ID)
- group¶
Group(s) to delete (name or ID)
group list¶
List groups
openstack group list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
[--domain <domain>]
[--user <user>]
[--user-domain <user-domain>]
[--long]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
- --domain <domain>¶
Filter group list by <domain> (name or ID)
- --user <user>¶
Filter group list by <user> (name or ID)
- --user-domain <user-domain>¶
Domain the user belongs to (name or ID). This can be used in case collisions between user names exist.
- --long¶
List additional fields in output
group remove user¶
Remove user from group
openstack group remove user
[--group-domain <group-domain>]
[--user-domain <user-domain>]
<group>
<user>
[<user> ...]
- --group-domain <group-domain>¶
Domain the group belongs to (name or ID). This can be used in case collisions between group names exist.
- --user-domain <user-domain>¶
Domain the user belongs to (name or ID). This can be used in case collisions between user names exist.
- group¶
Group containing <user> (name or ID)
- user¶
User(s) to remove from <group> (name or ID) (repeat option to remove multiple users)
group set¶
Set group properties
openstack group set
[--domain <domain>]
[--name <name>]
[--description <description>]
<group>
- --domain <domain>¶
Domain containing <group> (name or ID)
- --name <name>¶
New group name
- --description <description>¶
New group description
- group¶
Group to modify (name or ID)
group show¶
Display group details
openstack group show [--domain <domain>] <group>
- --domain <domain>¶
Domain containing <group> (name or ID)
- group¶
Group to display (name or ID)
identity provider¶
An identity provider is used by the Identity service’s OS-FEDERATION extension. It is used by federation protocols and mappings.
identity provider create¶
Create new identity provider
openstack identity provider create
[--remote-id <remote-id> | --remote-id-file <file-name>]
[--description <description>]
[--domain <domain>]
[--authorization-ttl <authorization-ttl>]
[--enable | --disable]
<name>
- --remote-id <remote-id>¶
Remote IDs to associate with the Identity Provider (repeat option to provide multiple values)
- --remote-id-file <file-name>¶
Name of a file that contains many remote IDs to associate with the identity provider, one per line
- --description <description>¶
New identity provider description
- --domain <domain>¶
Domain to associate with the identity provider. If not specified, a domain will be created automatically. (Name or ID)
- --authorization-ttl <authorization-ttl>¶
Time to keep the role assignments for users authenticating via this identity provider. When not provided, global default configured in the Identity service will be used. Available since Identity API version 3.14 (Ussuri).
- --enable¶
Enable identity provider (default)
- --disable¶
Disable the identity provider
- name¶
New identity provider name (must be unique)
identity provider delete¶
Delete identity provider(s)
openstack identity provider delete
<identity-provider>
[<identity-provider> ...]
- identity-provider¶
Identity provider(s) to delete
identity provider list¶
List identity providers
openstack identity provider list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
[--id <id>]
[--enabled]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
- --id <id>¶
Filter identity providers by ID
- --enabled¶
List only enabled identity providers
identity provider set¶
Set identity provider properties
openstack identity provider set
[--description <description>]
[--remote-id <remote-id> | --remote-id-file <file-name>]
[--authorization-ttl <authorization-ttl>]
[--enable | --disable]
<identity-provider>
- --description <description>¶
Set identity provider description
- --remote-id <remote-id>¶
Remote IDs to associate with the Identity Provider (repeat option to provide multiple values)
- --remote-id-file <file-name>¶
Name of a file that contains many remote IDs to associate with the identity provider, one per line
- --authorization-ttl <authorization-ttl>¶
Time to keep the role assignments for users authenticating via this identity provider. Available since Identity API version 3.14 (Ussuri).
- --enable¶
Enable the identity provider
- --disable¶
Disable the identity provider
- identity-provider¶
Identity provider to modify
identity provider show¶
Display identity provider details
openstack identity provider show <identity-provider>
- identity-provider¶
Identity provider to display
implied role¶
implied role create¶
Creates an association between prior and implied roles
openstack implied role create --implied-role <role> <role>
- --implied-role <role>¶
<role> (name or ID) implied by another role
- role¶
Role (name or ID) that implies another role
implied role delete¶
Deletes an association between prior and implied roles
openstack implied role delete --implied-role <role> <role>
- --implied-role <role>¶
<role> (name or ID) implied by another role
- role¶
Role (name or ID) that implies another role
implied role list¶
List implied roles
openstack implied role list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
limit¶
Limits are used to specify project-specific limit thresholds of resources.
limit create¶
Create a limit
openstack limit create
[--description <description>]
[--region <region>]
--project <project>
[--project-domain <project-domain>]
--service <service>
--resource-limit <resource-limit>
<resource-name>
- --description <description>¶
Description of the limit
- --region <region>¶
Region for the limit to affect.
- --project <project>¶
Project to associate the resource limit to
- --project-domain <project-domain>¶
Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.
- --service <service>¶
Service responsible for the resource to limit
- --resource-limit <resource-limit>¶
The resource limit for the project to assume
- resource-name¶
The name of the resource to limit
limit delete¶
Delete a limit
openstack limit delete <limit-id> [<limit-id> ...]
- limit-id¶
Limit to delete (ID) (repeat option to remove multiple limits)
limit list¶
List limits
openstack limit list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
[--service <service>]
[--resource-name <resource-name>]
[--region <region>]
[--project <project>]
[--project-domain <project-domain>]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
- --service <service>¶
Service responsible for the resource to limit
- --resource-name <resource-name>¶
The name of the resource to limit
- --region <region>¶
Region for the registered limit to affect.
- --project <project>¶
List resource limits associated with project
- --project-domain <project-domain>¶
Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.
limit set¶
Update information about a limit
openstack limit set
[--description <description>]
[--resource-limit <resource-limit>]
<limit-id>
- --description <description>¶
Description of the limit
- --resource-limit <resource-limit>¶
The resource limit for the project to assume
- limit-id¶
Limit to update (ID)
limit show¶
Display limit details
openstack limit show <limit-id>
- limit-id¶
Limit to display (ID)
mapping¶
A mapping is used by the Identity service’s OS-FEDERATION extension. It is used by federation protocols and identity providers.
mapping create¶
Create new mapping
openstack mapping create
--rules <filename>
[--schema-version <schema_version>]
<name>
- --rules <filename>¶
Filename that contains a set of mapping rules (required)
- --schema-version <schema_version>¶
The federated attribute mapping schema version. The default value on the client side is ‘None’; however, that will lead the backend to set the default according to ‘attribute_mapping_default_schema_version’ option.
- name¶
New mapping name (must be unique)
mapping delete¶
Delete mapping(s)
openstack mapping delete <mapping> [<mapping> ...]
- mapping¶
Mapping(s) to delete
mapping list¶
List mappings
openstack mapping list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
mapping set¶
Set mapping properties
openstack mapping set
[--rules <filename>]
[--schema-version <schema_version>]
<name>
- --rules <filename>¶
Filename that contains a new set of mapping rules
- --schema-version <schema_version>¶
The federated attribute mapping schema version. The default value on the client side is ‘None’; however, that will lead the backend to set the default according to ‘attribute_mapping_default_schema_version’ option.
- name¶
Mapping to modify
mapping show¶
Display mapping details
openstack mapping show <mapping>
- mapping¶
Mapping to display
policy¶
A policy is an arbitrarily serialized policy engine rule set to be consumed by a remote service.
policy create¶
Create new policy
openstack policy create [--type <type>] <filename>
- --type <type>¶
New MIME type of the policy rules file (defaults to application/json)
- filename¶
New serialized policy rules file
policy delete¶
Delete policy(s)
openstack policy delete <policy> [<policy> ...]
- policy¶
Policy(s) to delete
policy list¶
List policies
openstack policy list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
[--long]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
- --long¶
List additional fields in output
policy set¶
Set policy properties
openstack policy set [--type <type>] [--rules <filename>] <policy>
- --type <type>¶
New MIME type of the policy rules file
- --rules <filename>¶
New serialized policy rules file
- policy¶
Policy to modify
policy show¶
Display policy details
openstack policy show <policy>
- policy¶
Policy to display
project (Identity v3)¶
project create¶
Create new project
openstack project create
[--domain <domain>]
[--parent <project>]
[--description <description>]
[--enable | --disable]
[--property <key=value>]
[--or-show]
[--immutable | --no-immutable]
[--tag <tag>]
<project-name>
- --domain <domain>¶
Domain owning the project (name or ID)
- --parent <project>¶
Parent of the project (name or ID)
- --description <description>¶
Project description
- --enable¶
Enable project
- --disable¶
Disable project
- --property <key=value>¶
Add a property to <name> (repeat option to set multiple properties)
- --or-show¶
Return existing project
- --immutable¶
Make resource immutable. An immutable project may not be deleted or modified except to remove the immutable flag
- --no-immutable¶
Make resource mutable (default)
- --tag <tag>¶
Tag to be added to the project (repeat option to set multiple tags)
- project-name¶
New project name
project delete¶
Delete project(s). This command will remove specified existing project(s) if an active user is authorized to do this. If there are resources managed by other services (for example, Nova, Neutron, Cinder) associated with specified project(s), delete operation will proceed regardless.
openstack project delete [--domain <domain>] <project> [<project> ...]
- --domain <domain>¶
Domain owning <project> (name or ID)
- project¶
Project(s) to delete (name or ID)
project list¶
List projects
openstack project list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
[--domain <domain>]
[--parent <parent>]
[--user <user>]
[--my-projects]
[--long]
[--sort <key>[:<direction>]]
[--enabled]
[--disabled]
[--tags <tag>[,<tag>,...]]
[--tags-any <tag>[,<tag>,...]]
[--not-tags <tag>[,<tag>,...]]
[--not-tags-any <tag>[,<tag>,...]]
[--limit <limit>]
[--marker <marker>]
[--max-items <max-items>]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
- --domain <domain>¶
Filter projects by <domain> (name or ID)
- --parent <parent>¶
Filter projects whose parent is <parent> (name or ID)
- --user <user>¶
Filter projects by <user> (name or ID)
- --my-projects¶
List projects for the authenticated user. Supersedes other filters.
- --long¶
List additional fields in output
- --sort <key>[:<direction>]¶
Sort output by selected keys and directions (asc or desc) (default: asc), repeat this option to specify multiple keys and directions.
- --enabled¶
List only enabled projects
- --disabled¶
List only disabled projects
- --tags <tag>[,<tag>,...]¶
List projects which have all given tag(s) (Comma-separated list of tags)
- --tags-any <tag>[,<tag>,...]¶
List projects which have any given tag(s) (Comma-separated list of tags)
- --not-tags <tag>[,<tag>,...]¶
Exclude projects which have all given tag(s) (Comma-separated list of tags)
- --not-tags-any <tag>[,<tag>,...]¶
Exclude projects which have any given tag(s) (Comma-separated list of tags)
- --limit <limit>¶
The maximum number of entries to return per page. If the value exceeds the server-defined maximum, then the server-defined value will be used. Note that this controls the page size, not the total number of entries returned. Use --max-items to limit the total number of entries returned.
- --marker <marker>¶
The first position in the collection to return results from. This should be a value that was returned in a previous request.
- --max-items <max-items>¶
The maximum number of entries to return in total, paging through multiple requests if needed. Use --limit to control the page size.
project set¶
Set project properties
openstack project set
[--name <name>]
[--domain <domain>]
[--description <description>]
[--enable | --disable]
[--property <key=value>]
[--immutable | --no-immutable]
[--tag <tag>]
[--clear-tags]
[--remove-tag <tag>]
<project>
- --name <name>¶
Set project name
- --domain <domain>¶
Domain owning <project> (name or ID)
- --description <description>¶
Set project description
- --enable¶
Enable project
- --disable¶
Disable project
- --property <key=value>¶
Set a property on <project> (repeat option to set multiple properties)
- --immutable¶
Make resource immutable. An immutable project may not be deleted or modified except to remove the immutable flag
- --no-immutable¶
Make resource mutable (default)
- --tag <tag>¶
Tag to be added to the project (repeat option to set multiple tags)
- --clear-tags¶
Clear tags associated with the project. Specify both --tag and --clear-tags to overwrite current tags
- --remove-tag <tag>¶
Tag to be deleted from the project (repeat option to delete multiple tags)
- project¶
Project to modify (name or ID)
project show¶
Display project details
openstack project show
[--domain <domain>]
[--parents]
[--children]
<project>
- --domain <domain>¶
Domain owning <project> (name or ID)
- --parents¶
Show the project’s parents as a list
- --children¶
Show project’s subtree (children) as a list
- project¶
Project to display (name or ID)
region¶
A region is a general division of an OpenStack deployment. You can associate zero or more sub-regions with a region to create a tree-like structured hierarchy.
region create¶
Create new region
openstack region create
[--parent-region <region-id>]
[--description <description>]
<region-id>
- --parent-region <region-id>¶
Parent region ID
- --description <description>¶
New region description
- region-id¶
New region ID
region delete¶
Delete region(s)
openstack region delete <region-id> [<region-id> ...]
- region-id¶
Region ID(s) to delete
region list¶
List regions
openstack region list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
[--parent-region <region-id>]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
- --parent-region <region-id>¶
Filter by parent region ID
region set¶
Set region properties
openstack region set
[--parent-region <region-id>]
[--description <description>]
<region-id>
- --parent-region <region-id>¶
New parent region ID
- --description <description>¶
New region description
- region-id¶
Region to modify
region show¶
Display region details
openstack region show <region-id>
- region-id¶
Region to display
registered limit¶
Registered limits are used to define default limits for resources within a deployment.
registered limit create¶
Create a registered limit
openstack registered limit create
[--description <description>]
[--region <region>]
--service <service>
--default-limit <default-limit>
<resource-name>
- --description <description>¶
Description of the registered limit
- --region <region>¶
Region for the registered limit to affect
- --service <service>¶
Service responsible for the resource to limit (required) (name or ID)
- --default-limit <default-limit>¶
The default limit for the resources to assume (required)
- resource-name¶
The name of the resource to limit
registered limit delete¶
Delete a registered limit
openstack registered limit delete
<registered-limits>
[<registered-limits> ...]
- registered-limits¶
Registered limit(s) to delete (ID) (repeat option to remove multiple registered limits)
registered limit list¶
List registered limits
openstack registered limit list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
[--service <service>]
[--resource-name <resource-name>]
[--region <region>]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
- --service <service>¶
Service responsible for the resource to limit (name or ID)
- --resource-name <resource-name>¶
The name of the resource to limit
- --region <region>¶
Region for the limit to affect.
registered limit set¶
Update information about a registered limit
openstack registered limit set
[--service <service>]
[--resource-name <resource-name>]
[--default-limit <default-limit>]
[--description <description>]
[--region <region>]
<registered-limit-id>
- --service <service>¶
Service to be updated responsible for the resource to limit (name or ID). Either --service, --resource-name or --region must be different from the existing value, otherwise it will be a duplicate entry
- --resource-name <resource-name>¶
Resource to be updated responsible for the resource to limit. Either --service, --resource-name or --region must be different from the existing value, otherwise it will be a duplicate entry
- --default-limit <default-limit>¶
The default limit for the resources to assume
- --description <description>¶
Description to update of the registered limit
- --region <region>¶
Region for the registered limit to affect. Either --service, --resource-name or --region must be different from the existing value, otherwise it will be a duplicate entry
- registered-limit-id¶
Registered limit to update (ID)
registered limit show¶
Display registered limit details
openstack registered limit show <registered-limit-id>
- registered-limit-id¶
Registered limit to display (ID)
request token¶
A request token is used by the Identity service’s OS-OAUTH1 extension. It is used by the consumer to request access tokens.
request token create¶
Create a request token
openstack request token create
--consumer-key <consumer-key>
--consumer-secret <consumer-secret>
--project <project>
[--domain <domain>]
- --consumer-key <consumer-key>¶
Consumer key (required)
- --consumer-secret <consumer-secret>¶
Consumer secret (required)
- --project <project>¶
Project that consumer wants to access (name or ID) (required)
- --domain <domain>¶
Domain owning <project> (name or ID)
role assignment¶
role assignment list¶
List role assignments
openstack role assignment list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
[--effective]
[--role <role>]
[--role-domain <role-domain>]
[--names]
[--user <user>]
[--user-domain <user-domain>]
[--group <group>]
[--group-domain <group-domain>]
[--domain <domain> | --project <project> | --system <system>]
[--project-domain <project-domain>]
[--inherited]
[--auth-user]
[--auth-project]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
- --effective¶
Returns only effective role assignments
- --role <role>¶
Role to filter (name or ID)
- --role-domain <role-domain>¶
Domain the role belongs to (name or ID). This must be specified when the name of a domain specific role is used.
- --names¶
Display names instead of IDs
- --user <user>¶
User to filter (name or ID)
- --user-domain <user-domain>¶
Domain the user belongs to (name or ID). This can be used in case collisions between user names exist.
- --group <group>¶
Group to filter (name or ID)
- --group-domain <group-domain>¶
Domain the group belongs to (name or ID). This can be used in case collisions between group names exist.
- --domain <domain>¶
Domain to filter (name or ID)
- --project <project>¶
Project to filter (name or ID)
- --system <system>¶
Filter based on system role assignments
- --project-domain <project-domain>¶
Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.
- --inherited¶
Specifies if the role grant is inheritable to the sub projects
- --auth-user¶
Only list assignments for the authenticated user
- --auth-project¶
Only list assignments for the project to which the authenticated user’s token is scoped
role (Identity v3)¶
role add¶
Adds a role assignment to a user or group on the system, a domain, or a project
openstack role add
[--system <system> | --domain <domain> | --project <project>]
[--user <user> | --group <group>]
[--group-domain <group-domain>]
[--project-domain <project-domain>]
[--user-domain <user-domain>]
[--inherited]
[--role-domain <role-domain>]
<role>
- --system <system>¶
Include <system> (all)
- --domain <domain>¶
Include <domain> (name or ID)
- --project <project>¶
Include <project> (name or ID)
- --user <user>¶
Include <user> (name or ID)
- --group <group>¶
Include <group> (name or ID)
- --group-domain <group-domain>¶
Domain the group belongs to (name or ID). This can be used in case collisions between group names exist.
- --project-domain <project-domain>¶
Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.
- --user-domain <user-domain>¶
Domain the user belongs to (name or ID). This can be used in case collisions between user names exist.
- --inherited¶
Specifies if the role grant is inheritable to the sub projects
- --role-domain <role-domain>¶
Domain the role belongs to (name or ID). This must be specified when the name of a domain specific role is used.
- role¶
Role to add to <user> (name or ID)
role create¶
Create new role
openstack role create
[--description <description>]
[--domain <domain>]
[--or-show]
[--immutable | --no-immutable]
<role-name>
- --description <description>¶
Add description about the role
- --domain <domain>¶
Domain the role belongs to (name or ID)
- --or-show¶
Return existing role
- --immutable¶
Make resource immutable. An immutable role may not be deleted or modified except to remove the immutable flag
- --no-immutable¶
Make resource mutable (default)
- role-name¶
New role name
role delete¶
Delete role(s)
openstack role delete [--domain <domain>] <role> [<role> ...]
- --domain <domain>¶
Domain the role belongs to (name or ID)
- role¶
Role(s) to delete (name or ID)
role list¶
List roles
openstack role list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
[--domain <domain>]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
- --domain <domain>¶
Include <domain> (name or ID)
role remove¶
Removes a role assignment from system/domain/project : user/group
openstack role remove
[--system <system> | --domain <domain> | --project <project>]
[--user <user> | --group <group>]
[--group-domain <group-domain>]
[--project-domain <project-domain>]
[--user-domain <user-domain>]
[--inherited]
[--role-domain <role-domain>]
<role>
- --system <system>¶
Include <system> (all)
- --domain <domain>¶
Include <domain> (name or ID)
- --project <project>¶
Include <project> (name or ID)
- --user <user>¶
Include <user> (name or ID)
- --group <group>¶
Include <group> (name or ID)
- --group-domain <group-domain>¶
Domain the group belongs to (name or ID). This can be used in case collisions between group names exist.
- --project-domain <project-domain>¶
Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.
- --user-domain <user-domain>¶
Domain the user belongs to (name or ID). This can be used in case collisions between user names exist.
- --inherited¶
Specifies if the role grant is inheritable to the sub projects
- --role-domain <role-domain>¶
Domain the role belongs to (name or ID). This must be specified when the name of a domain specific role is used.
- role¶
Role to remove (name or ID)
role set¶
Set role properties
openstack role set
[--description <description>]
[--domain <domain>]
[--name <name>]
[--immutable | --no-immutable]
<role>
- --description <description>¶
Add description about the role
- --domain <domain>¶
Domain the role belongs to (name or ID)
- --name <name>¶
Set role name
- --immutable¶
Make resource immutable. An immutable role may not be deleted or modified except to remove the immutable flag
- --no-immutable¶
Make resource mutable (default)
- role¶
Role to modify (name or ID)
role show¶
Display role details
openstack role show [--domain <domain>] <role>
- --domain <domain>¶
Domain the role belongs to (name or ID)
- role¶
Role to display (name or ID)
service provider¶
A service provider is used by the Identity service’s OS-FEDERATION extension. It is used to register another OpenStack Identity service.
service provider create¶
Create new service provider
openstack service provider create
--auth-url <auth-url>
[--description <description>]
--service-provider-url <sp-url>
[--enable | --disable]
<name>
- --auth-url <auth-url>¶
Authentication URL of remote federated service provider (required)
- --description <description>¶
New service provider description
- --service-provider-url <sp-url>¶
A service URL where SAML assertions are being sent (required)
- --enable¶
Enable the service provider (default)
- --disable¶
Disable the service provider
- name¶
New service provider name (must be unique)
service provider delete¶
Delete service provider(s)
openstack service provider delete
<service-provider>
[<service-provider> ...]
- service-provider¶
Service provider(s) to delete
service provider list¶
List service providers
openstack service provider list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
service provider set¶
Set service provider properties
openstack service provider set
[--auth-url <auth-url>]
[--description <description>]
[--service-provider-url <sp-url>]
[--enable | --disable]
<service-provider>
- --auth-url <auth-url>¶
New Authentication URL of remote federated service provider
- --description <description>¶
New service provider description
- --service-provider-url <sp-url>¶
New service provider URL, where SAML assertions are sent
- --enable¶
Enable the service provider
- --disable¶
Disable the service provider
- service-provider¶
Service provider to modify
service provider show¶
Display service provider details
openstack service provider show <service-provider>
- service-provider¶
Service provider to display
service (Identity v3)¶
service create¶
Create new service
openstack service create
[--name <name>]
[--description <description>]
[--enable | --disable]
<type>
- --name <name>¶
New service name
- --description <description>¶
New service description
- --enable¶
Enable service (default)
- --disable¶
Disable service
- type¶
New service type (compute, image, identity, volume, etc)
service delete¶
Delete service(s)
openstack service delete <service> [<service> ...]
- service¶
Service(s) to delete (type, name or ID)
service list¶
List services
openstack service list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
[--long]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
- --long¶
List additional fields in output
service show¶
Display service details
openstack service show <service>
- service¶
Service to display (type, name or ID)
service set¶
Set service properties
openstack service set
[--type <type>]
[--name <service-name>]
[--description <description>]
[--enable | --disable]
<service>
- --type <type>¶
New service type (compute, image, identity, volume, etc)
- --name <service-name>¶
New service name
- --description <description>¶
New service description
- --enable¶
Enable service
- --disable¶
Disable service
- service¶
Service to modify (type, name or ID)
token (Identity v3)¶
token issue¶
Issue new token
openstack token issue
token revoke¶
Revoke existing token
openstack token revoke <token>
- token¶
Token to be deleted
trust¶
A trust provides project-specific role delegation between users, with optional impersonation. Requires the OS-TRUST extension.
trust create¶
Create new trust
openstack trust create
--project <project>
--role <role>
[--impersonate]
[--expiration <expiration>]
[--project-domain <project-domain>]
[--trustor-domain <trustor-domain>]
[--trustee-domain <trustee-domain>]
<trustor-user>
<trustee-user>
- --project <project>¶
Project being delegated (name or ID) (required)
- --role <role>¶
Roles to authorize (name or ID) (repeat option to set multiple values, required)
- --impersonate¶
Tokens generated from the trust will represent <trustor> (defaults to False)
- --expiration <expiration>¶
Sets an expiration date for the trust (format of YYYY-mm-ddTHH:MM:SS)
- --project-domain <project-domain>¶
Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.
- --trustor-domain <trustor-domain>¶
Domain that contains <trustor> (name or ID)
- --trustee-domain <trustee-domain>¶
Domain that contains <trustee> (name or ID)
- trustor-user¶
User that is delegating authorization (name or ID)
- trustee-user¶
User that is assuming authorization (name or ID)
trust delete¶
Delete trust(s)
openstack trust delete <trust> [<trust> ...]
- trust¶
Trust(s) to delete
trust list¶
List trusts
openstack trust list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
[--trustor <trustor-user>]
[--trustee <trustee-user>]
[--trustor-domain <trustor-domain>]
[--trustee-domain <trustee-domain>]
[--auth-user]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
- --trustor <trustor-user>¶
Trustor user to filter (name or ID)
- --trustee <trustee-user>¶
Trustee user to filter (name or ID)
- --trustor-domain <trustor-domain>¶
Domain that contains <trustor> (name or ID)
- --trustee-domain <trustee-domain>¶
Domain that contains <trustee> (name or ID)
- --auth-user¶
Only list trusts related to the authenticated user
trust show¶
Display trust details
openstack trust show <trust>
- trust¶
Trust to display
user (Identity v3)¶
user create¶
Create new user
openstack user create
[--domain <domain>]
[--project <project>]
[--project-domain <project-domain>]
[--password <password>]
[--password-prompt]
[--email <email-address>]
[--description <description>]
[--ignore-lockout-failure-attempts]
[--no-ignore-lockout-failure-attempts]
[--ignore-password-expiry]
[--no-ignore-password-expiry]
[--ignore-change-password-upon-first-use]
[--no-ignore-change-password-upon-first-use]
[--enable-lock-password]
[--disable-lock-password]
[--enable-multi-factor-auth]
[--disable-multi-factor-auth]
[--multi-factor-auth-rule <rule>]
[--enable | --disable]
[--or-show]
<name>
- --domain <domain>¶
Default domain (name or ID)
- --project <project>¶
Default project (name or ID)
- --project-domain <project-domain>¶
Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.
- --password <password>¶
Set user password
- --password-prompt¶
Prompt interactively for password
- --email <email-address>¶
Set user email address
- --description <description>¶
User description
- --ignore-lockout-failure-attempts¶
Opt into ignoring the number of times a user has authenticated and locking out the user as a result
- --no-ignore-lockout-failure-attempts¶
Opt out of ignoring the number of times a user has authenticated and locking out the user as a result
- --ignore-password-expiry¶
Opt into allowing user to continue using passwords that may be expired
- --no-ignore-password-expiry¶
Opt out of allowing user to continue using passwords that may be expired
- --ignore-change-password-upon-first-use¶
Control if a user should be forced to change their password immediately after they log into keystone for the first time. Opt into ignoring the requirement for the user to change their password on first login to keystone
- --no-ignore-change-password-upon-first-use¶
Control if a user should be forced to change their password immediately after they log into keystone for the first time. Opt out of ignoring the requirement for the user to change their password on first login to keystone
- --enable-lock-password¶
Disables the ability for a user to change its password through self-service APIs
- --disable-lock-password¶
Enables the ability for a user to change its password through self-service APIs
- --enable-multi-factor-auth¶
Enables the MFA (Multi Factor Auth)
- --disable-multi-factor-auth¶
Disables the MFA (Multi Factor Auth)
- --multi-factor-auth-rule <rule>¶
Set multi-factor auth rules. For example, to set a rule requiring the “password” and “totp” auth methods to be provided, use: “--multi-factor-auth-rule password,totp”. May be provided multiple times to set different rule combinations.
- --enable¶
Enable user (default)
- --disable¶
Disable user
- --or-show¶
Return existing user
- name¶
New user name
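The effect of repeating --multi-factor-auth-rule, as an added example that is not part of the original reference or of the OpenStack code base: it parses the comma-separated rule values and checks which sets of presented auth methods would be accepted. It assumes the server accepts a login when any one rule is fully covered by the presented methods, and that an account with MFA disabled or with no rules is not restricted; the function names are hypothetical.

```python
"""Model of how repeated --multi-factor-auth-rule values gate a login (added example)."""


def parse_cli_rules(cli_values):
    """Turn repeated '--multi-factor-auth-rule a,b' values into a list of rules.

    Each CLI value is one rule: a comma-separated list of auth method names.
    Empty values and empty items are dropped.
    """
    rules = []
    for value in cli_values:
        methods = [m.strip() for m in value.split(",") if m.strip()]
        if methods:
            rules.append(methods)
    return rules


def login_allowed(rules, mfa_enabled, presented_methods):
    """Return True if the presented auth methods satisfy the rule set.

    Assumption (not stated on the page): rules are alternatives, so a login
    passes when every method of at least one rule was presented. With MFA
    disabled or no rules set, nothing extra is required.
    """
    if not mfa_enabled or not rules:
        return True
    presented = set(presented_methods)
    return any(set(rule) <= presented for rule in rules)


def single_factor_rules(rules):
    """Return rules that one auth method alone satisfies.

    Because rules are alternatives, any such rule lets a login through with a
    single factor even when other rules require two.
    """
    return [rule for rule in rules if len(set(rule)) < 2]


if __name__ == "__main__":
    # Constructed sample: the rule from the option description above.
    strict = parse_cli_rules(["password,totp"])
    print(login_allowed(strict, True, ["password"]))
    print(login_allowed(strict, True, ["password", "totp"]))

    # Constructed sample: a second, single-method rule added by repetition.
    loose = parse_cli_rules(["password,totp", "password"])
    print(login_allowed(loose, True, ["password"]))
    print(single_factor_rules(loose))
```

When reviewing accounts, any rule reported by `single_factor_rules` is worth checking against the intent of enabling MFA for that user.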
user delete¶
Delete user(s)
openstack user delete [--domain <domain>] <user> [<user> ...]
- --domain <domain>¶
Domain owning <user> (name or ID)
- user¶
User(s) to delete (name or ID)
user list¶
List users
openstack user list
[--sort-column SORT_COLUMN]
[--sort-ascending | --sort-descending]
[--domain <domain>]
[--group <group> | --project <project>]
[--long]
[--enabled]
[--disabled]
[--limit <limit>]
[--marker <marker>]
[--max-items <max-items>]
- --sort-column SORT_COLUMN¶
specify the column(s) to sort the data (columns specified first have a priority, non-existing columns are ignored), can be repeated
- --sort-ascending¶
sort the column(s) in ascending order
- --sort-descending¶
sort the column(s) in descending order
- --domain <domain>¶
Filter users by <domain> (name or ID)
- --group <group>¶
Filter users by <group> membership (name or ID)
- --project <project>¶
Filter users by <project> (name or ID)
- --long¶
List additional fields in output
- --enabled¶
List only enabled users, does nothing with --project and --group
- --disabled¶
List only disabled users, does nothing with --project and --group
- --limit <limit>¶
The maximum number of entries to return per page. If the value exceeds the server-defined maximum, then the server-defined value will be used. Note that this controls the page size, not the total number of entries returned. Use --max-items to limit the total number of entries returned.
- --marker <marker>¶
The first position in the collection to return results from. This should be a value that was returned in a previous request.
- --max-items <max-items>¶
The maximum number of entries to return in total, paging through multiple requests if needed. Use --limit to control the page size.
user password set¶
Change current user password
openstack user password set
[--password <new-password>]
[--original-password <original-password>]
- --password <new-password>¶
New user password
- --original-password <original-password>¶
Original user password
user set¶
Set user properties
openstack user set
[--name <name>]
[--domain <domain>]
[--project <project>]
[--project-domain <project-domain>]
[--password <password>]
[--password-prompt]
[--email <email-address>]
[--description <description>]
[--ignore-lockout-failure-attempts]
[--no-ignore-lockout-failure-attempts]
[--ignore-password-expiry]
[--no-ignore-password-expiry]
[--ignore-change-password-upon-first-use]
[--no-ignore-change-password-upon-first-use]
[--enable-lock-password]
[--disable-lock-password]
[--enable-multi-factor-auth]
[--disable-multi-factor-auth]
[--multi-factor-auth-rule <rule>]
[--enable | --disable]
<user>
- --name <name>¶
Set user name
- --domain <domain>¶
Domain the user belongs to (name or ID). This can be used in case collisions between user names exist.
- --project <project>¶
Set default project (name or ID)
- --project-domain <project-domain>¶
Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.
- --password <password>¶
Set user password
- --password-prompt¶
Prompt interactively for password
- --email <email-address>¶
Set user email address
- --description <description>¶
Set user description
- --ignore-lockout-failure-attempts¶
Opt into ignoring the number of failed authentication attempts for this user, so that the user is not locked out as a result
- --no-ignore-lockout-failure-attempts¶
Opt out of ignoring the number of failed authentication attempts for this user, so that the user can be locked out as a result
- --ignore-password-expiry¶
Opt into allowing user to continue using passwords that may be expired
- --no-ignore-password-expiry¶
Opt out of allowing user to continue using passwords that may be expired
- --ignore-change-password-upon-first-use¶
Controls whether a user is forced to change their password immediately after logging into keystone for the first time. Opt into exempting the user from the forced password change at first login
- --no-ignore-change-password-upon-first-use¶
Controls whether a user is forced to change their password immediately after logging into keystone for the first time. Opt out of exempting the user from the forced password change at first login
- --enable-lock-password¶
Disables the ability for a user to change its password through self-service APIs
- --disable-lock-password¶
Enables the ability for a user to change its password through self-service APIs
- --enable-multi-factor-auth¶
Enables the MFA (Multi Factor Auth)
- --disable-multi-factor-auth¶
Disables the MFA (Multi Factor Auth)
- --multi-factor-auth-rule <rule>¶
Set multi-factor auth rules. For example, to set a rule requiring the "password" and "totp" auth methods to be provided, use: "--multi-factor-auth-rule password,totp". May be provided multiple times to set different rule combinations.
- --enable¶
Enable user (default)
- --disable¶
Disable user
- user¶
User to modify (name or ID)
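The following audit sketch is an added example, not part of the OpenStack documentation or code: it flags user records whose options relax password or MFA policy and names the `openstack user set` flag to review. It assumes the keystone user `options` keys shown map to the flags above and that a login satisfies MFA when the methods used cover every method of at least one rule; the sample users are constructed.

```python
# Added example, not OpenStack code. Option keys are the keystone user
# "options" names assumed to back the `openstack user set` flags.
RISKY = {  # option key -> (value that relaxes policy, flag that restores it)
    "ignore_lockout_failure_attempts": (True, "--no-ignore-lockout-failure-attempts"),
    "ignore_password_expiry": (True, "--no-ignore-password-expiry"),
    "ignore_change_password_upon_first_use":
        (True, "--no-ignore-change-password-upon-first-use"),
    "multi_factor_auth_enabled": (False, "--enable-multi-factor-auth"),
}


def parse_rule(arg):
    """Split one --multi-factor-auth-rule value ('password,totp') into methods."""
    return frozenset(m.strip() for m in arg.split(",") if m.strip())


def mfa_satisfied(options, methods_used):
    """Assumed model: pass if MFA is off, no rules exist, or one rule is fully met."""
    rules = [frozenset(r) for r in options.get("multi_factor_auth_rules") or [] if r]
    if not options.get("multi_factor_auth_enabled") or not rules:
        return True
    return any(rule <= set(methods_used) for rule in rules)


def audit_user(user):
    """Return sorted (option, flag to review) pairs for one user record."""
    opts = user.get("options") or {}
    findings = [(key, fix) for key, (risky, fix) in RISKY.items()
                if bool(opts.get(key, False)) == risky]
    rules = [r for r in opts.get("multi_factor_auth_rules") or [] if r]
    if opts.get("multi_factor_auth_enabled"):
        if not rules:
            findings.append(("multi_factor_auth_rules:none",
                             "--multi-factor-auth-rule <rule>"))
        elif any(len(set(r)) < 2 for r in rules):
            # A one-method rule lets a single factor satisfy "MFA".
            findings.append(("multi_factor_auth_rules:single-factor",
                             "--multi-factor-auth-rule <rule>"))
    return sorted(findings)


# Constructed sample records, shaped like keystone user objects.
SAMPLE_USERS = [
    {"name": "svc-backup", "options": {"ignore_password_expiry": True}},
    {"name": "alice", "options": {
        "multi_factor_auth_enabled": True,
        "multi_factor_auth_rules": [sorted(parse_rule("password,totp"))]}},
    {"name": "bob", "options": {
        "multi_factor_auth_enabled": True,
        "multi_factor_auth_rules": [["password"], ["password", "totp"]]}},
]
```

The "bob" record shows why each rule combination matters: because one of its rules lists only "password", a password alone passes even though MFA is enabled.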
user show¶
Display user details
openstack user show [--domain <domain>] <user>
- --domain <domain>¶
Domain owning <user> (name or ID)
- user¶
User to display (name or ID)