Identity¶
Identity API provided by Keystone service
version¶
v3¶
auth¶
Get available project scopes¶
New in version 3.3
This call returns the list of projects that are available to be scoped to based on the X-Auth-Token provided in the request.
The structure of the response is exactly the same as listing projects for a user.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/auth_projects
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"projects": {
"type": "array",
"items": {
"type": "object",
"properties": {
"domain_id": {
"type": "string",
"format": "uuid",
"description": "The ID of the domain for the project."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The ID for the project."
},
"name": {
"type": "string",
"description": "The name of the project."
},
"enabled": {
"type": "boolean",
"description": "If set to `true`, project is enabled. If set to\n`false`, project is disabled."
},
"links": {
"type": "array",
"description": "The links for the `project` resource.",
"items": {
"type": "object",
"description": "Links to the resources in question. See [API Guide / Links and References](https://docs.openstack.org/api-guide/compute/links_and_references.html) for more info.",
"properties": {
"href": {
"type": "string",
"format": "uri"
},
"rel": {
"type": "string"
}
}
}
}
}
},
"description": "The list of projects the authenticated user may scope to"
},
"links": {
"type": "array",
"description": "Links to the resources in question. See [API Guide / Links and References](https://docs.openstack.org/api-guide/compute/links_and_references.html) for more info.",
"items": {
"type": "object",
"description": "Links to the resources in question. See [API Guide / Links and References](https://docs.openstack.org/api-guide/compute/links_and_references.html) for more info.",
"properties": {
"href": {
"type": "string",
"format": "uri"
},
"rel": {
"type": "string"
}
}
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
projects | body | array | The list of projects the authenticated user may scope to |
projects[].domain_id | body | string | The ID of the domain for the project. |
projects[].id | body | string | The ID for the project. |
projects[].name | body | string | The name of the project. |
projects[].enabled | body | boolean | If set to `true`, project is enabled. If set to `false`, project is disabled. |
projects[].links | body | array | The links for the `project` resource. |
projects[].links[].href | body | string | |
projects[].links[].rel | body | string | |
links | body | array | Links to the resources in question. See API Guide / Links and References for more info. |
links[].href | body | string | |
links[].rel | body | string | |
403¶
Error
404¶
Error
Get available domain scopes¶
New in version 3.3
This call returns the list of domains that are available to be scoped to based on the X-Auth-Token provided in the request.
The structure is the same as listing domains.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/auth_domains
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"domains": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The ID of the domain."
},
"name": {
"type": "string",
"description": "The name of the domain."
},
"description": {
"type": "string",
"description": "The description of the domain."
},
"enabled": {
"type": "boolean",
"description": "If set to `true`, domain is enabled. If set to\n`false`, domain is disabled."
},
"links": {
"type": "array",
"description": "The links to the `domain` resource.",
"items": {
"type": "object",
"description": "Links to the resources in question. See [API Guide / Links and References](https://docs.openstack.org/api-guide/compute/links_and_references.html) for more info.",
"properties": {
"href": {
"type": "string",
"format": "uri"
},
"rel": {
"type": "string"
}
}
}
}
}
},
"description": "The list of domains the authenticated user may scope to"
},
"links": {
"type": "array",
"description": "Links to the resources in question. See [API Guide / Links and References](https://docs.openstack.org/api-guide/compute/links_and_references.html) for more info.",
"items": {
"type": "object",
"description": "Links to the resources in question. See [API Guide / Links and References](https://docs.openstack.org/api-guide/compute/links_and_references.html) for more info.",
"properties": {
"href": {
"type": "string",
"format": "uri"
},
"rel": {
"type": "string"
}
}
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
domains | body | array | The list of domains the authenticated user may scope to |
domains[].id | body | string | The ID of the domain. |
domains[].name | body | string | The name of the domain. |
domains[].description | body | string | The description of the domain. |
domains[].enabled | body | boolean | If set to `true`, domain is enabled. If set to `false`, domain is disabled. |
domains[].links | body | array | The links to the `domain` resource. |
domains[].links[].href | body | string | |
domains[].links[].rel | body | string | |
links | body | array | Links to the resources in question. See API Guide / Links and References for more info. |
links[].href | body | string | |
links[].rel | body | string | |
403¶
Error
404¶
Error
Get available system scopes¶
New in version 3.10
This call returns the list of systems that are available to be scoped to based on the X-Auth-Token provided in the request.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/auth_system
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"system": {
"type": "array",
"description": "A list of systems to access based on role assignments.",
"items": {
"type": "object",
"additionalProperties": {
"type": "boolean"
}
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
system | body | array | A list of systems to access based on role assignments. |
403¶
Error
404¶
Error
Get service catalog¶
New in version 3.3
This call returns a service catalog for the X-Auth-Token provided in the request, even if the token does not contain a catalog itself (for example, if it was generated using ?nocatalog).
The structure of the catalog object is identical to that contained in a token.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/auth_catalog
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"catalog": {
"type": "array",
"items": {
"type": "object",
"properties": {
"endpoints": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint\nbelongs."
},
"interface": {
"type": "string",
"enum": [
"public",
"internal",
"admin"
]
},
"region": {
"type": "string",
"description": "Region name of the endpoint"
},
"url": {
"type": "string",
"format": "uri",
"description": "The endpoint url"
}
}
},
"description": "A list of `endpoint` objects."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint belongs."
},
"type": {
"type": "string",
"description": "The service type, which describes the API\nimplemented by the service. Value is `compute`, `ec2`,\n`identity`, `image`, `network`, or `volume`."
},
"name": {
"type": "string",
"description": "The service name."
}
}
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
catalog | body | array | |
catalog[].endpoints | body | array | A list of `endpoint` objects. |
catalog[].endpoints[].id | body | string | The UUID of the service to which the endpoint belongs. |
catalog[].endpoints[].interface | body | string | |
catalog[].endpoints[].region | body | string | Region name of the endpoint |
catalog[].endpoints[].url | body | string | The endpoint url |
catalog[].id | body | string | The UUID of the service to which the endpoint belongs. |
catalog[].type | body | string | The service type, which describes the API implemented by the service. Value is `compute`, `ec2`, `identity`, `image`, `network`, or `volume`. |
catalog[].name | body | string | The service name. |
403¶
Error
404¶
Error
List revoked tokens¶
Check token¶
Validates a token.
This call is similar to GET /auth/tokens but no response body is provided even in the X-Subject-Token header.
The Identity API returns the same response as when the subject token was issued by POST /auth/tokens even if an error occurs because the token is not valid. An HTTP 204 response code indicates that the X-Subject-Token is valid.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens
Responses¶
200¶
Ok
403¶
Error
404¶
Error
Validate and show information for token¶
Validates and shows information for a token, including its expiration date and authorization scope.
Pass your own token in the X-Auth-Token request header.
Pass the token that you want to validate in the X-Subject-Token request header.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"token": {
"type": "object",
"properties": {
"audit_ids": {
"type": "array",
"description": "A list of one or two audit IDs. An audit ID is a\nunique, randomly generated, URL\\-safe string that you can use to\ntrack a token. The first audit ID is the current audit ID for the\ntoken. The second audit ID is present for only re\\-scoped tokens\nand is the audit ID from the token before it was re\\-scoped. A re\\-\nscoped token is one that was exchanged for another token of the\nsame or different scope. You can use these audit IDs to track the\nuse of a token or chain of tokens across multiple requests and\nendpoints without exposing the token ID to non\\-privileged users.",
"items": {
"type": "string"
}
},
"catalog": {
"description": "A `catalog` object.",
"type": "array",
"items": {
"type": "object",
"properties": {
"endpoints": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The ID of the user. Required if you do not\nspecify the user name."
},
"interface": {
"type": "string",
"enum": [
"public",
"internal",
"admin"
]
},
"region": {
"type": "string",
"description": "Region name of the endpoint"
},
"url": {
"type": "string",
"format": "uri",
"description": "The endpoint url"
}
}
}
},
"id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint belongs."
},
"type": {
"type": "string",
"description": "The service type, which describes the API implemented by the service"
},
"name": {
"type": "string",
"description": "The user name. Required if you do not specify\nthe ID of the user. If you specify the user name, you must also\nspecify the domain, by ID or name."
}
}
}
},
"expires_at": {
"type": "string",
"format": "date-time",
"description": "The date and time when the token expires.\n\n\nThe date and time stamp format is [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601):\n\n\n\n```\nCCYY-MM-DDThh:mm:ss.sssZ\n\n```\n\n\nFor example, `2015-08-27T09:49:58.000000Z`.\n\n\nA `null` value indicates that the token never expires."
},
"issues_at": {
"type": "string",
"format": "date-time",
"description": "The date and time when the token was issued."
},
"methods": {
"type": "array",
"description": "The authentication methods, which are commonly `password`,\n`token`, or other methods. Indicates the accumulated set of\nauthentication methods that were used to obtain the token. For\nexample, if the token was obtained by password authentication, it\ncontains `password`. Later, if the token is exchanged by using\nthe token authentication method one or more times, the\nsubsequently created tokens contain both `password` and\n`token` in their `methods` attribute. Unlike multi\\-factor\nauthentication, the `methods` attribute merely indicates the\nmethods that were used to authenticate the user in exchange for a\ntoken. The client is responsible for determining the total number\nof authentication factors.",
"items": {
"type": "string"
}
},
"user": {
"type": "object",
"description": "A `user` object.",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user UUID"
},
"name": {
"type": "string",
"description": "A user name"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user domain UUID"
},
"name": {
"type": "string",
"description": "A user domain name"
}
},
"description": "A `domain` object including the `id` and `name` representing the\ndomain the token is scoped to. This is only included in tokens that are\nscoped to a domain."
},
"password_expires_at": {
"type": "string",
"format": "date-time",
"description": "DateTime of the user password expiration"
},
"OS-FEDERATION": {
"type": "object"
}
}
},
"is_domain": {
"type": "boolean"
},
"domain": {
"type": "object",
"description": "A domain object including the id and name representing the domain the token is scoped to. This is only included in tokens that are scoped to a domain.",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A domain UUID"
},
"name": {
"type": "string",
"description": "A domain name"
}
}
},
"project": {
"type": "object",
"description": "A `project` object including the `id`, `name` and `domain` object\nrepresenting the project the token is scoped to. This is only included in\ntokens that are scoped to a project.",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user domain UUID"
},
"name": {
"type": "string",
"description": "A user domain name"
}
}
},
"roles": {
"type": "array",
"description": "A list of `role` objects",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A role UUID"
},
"name": {
"type": "string",
"description": "A role name"
}
}
}
},
"system": {
"type": "object",
"description": "A `system` object containing information about which parts of the system\nthe token is scoped to. If the token is scoped to the entire deployment\nsystem, the `system` object will consist of `{\"all\": true}`. This is\nonly included in tokens that are scoped to the system.",
"additionalProperties": {
"type": "boolean"
}
}
},
"description": "A `token` object."
}
}
}
Name | Location | Type | Description |
---|---|---|---|
token | body | object | A `token` object. |
token.audit_ids | body | array | A list of one or two audit IDs. An audit ID is a unique, randomly generated, URL-safe string that you can use to track a token. The first audit ID is the current audit ID for the token. The second audit ID is present for only re-scoped tokens and is the audit ID from the token before it was re-scoped. A re-scoped token is one that was exchanged for another token of the same or different scope. You can use these audit IDs to track the use of a token or chain of tokens across multiple requests and endpoints without exposing the token ID to non-privileged users. |
token.catalog | body | array | A `catalog` object. |
token.catalog[].endpoints | body | array | |
token.catalog[].endpoints[].id | body | string | The ID of the user. Required if you do not specify the user name. |
token.catalog[].endpoints[].interface | body | string | |
token.catalog[].endpoints[].region | body | string | Region name of the endpoint |
token.catalog[].endpoints[].url | body | string | The endpoint url |
token.catalog[].id | body | string | The UUID of the service to which the endpoint belongs. |
token.catalog[].type | body | string | The service type, which describes the API implemented by the service |
token.catalog[].name | body | string | The user name. Required if you do not specify the ID of the user. If you specify the user name, you must also specify the domain, by ID or name. |
token.expires_at | body | string | The date and time when the token expires. The date and time stamp format is ISO 8601: `CCYY-MM-DDThh:mm:ss.sssZ`. For example, `2015-08-27T09:49:58.000000Z`. A `null` value indicates that the token never expires. |
token.issues_at | body | string | The date and time when the token was issued. |
token.methods | body | array | The authentication methods, which are commonly `password`, `token`, or other methods. Indicates the accumulated set of authentication methods that were used to obtain the token. For example, if the token was obtained by password authentication, it contains `password`. Later, if the token is exchanged by using the token authentication method one or more times, the subsequently created tokens contain both `password` and `token` in their `methods` attribute. Unlike multi-factor authentication, the `methods` attribute merely indicates the methods that were used to authenticate the user in exchange for a token. The client is responsible for determining the total number of authentication factors. |
token.user | body | object | A `user` object. |
token.user.id | body | string | A user UUID |
token.user.name | body | string | A user name |
token.user.domain | body | object | A `domain` object including the `id` and `name` representing the domain the token is scoped to. This is only included in tokens that are scoped to a domain. |
token.user.domain.id | body | string | A user domain UUID |
token.user.domain.name | body | string | A user domain name |
token.user.password_expires_at | body | string | DateTime of the user password expiration |
token.user.OS-FEDERATION | body | object | |
token.is_domain | body | boolean | |
token.domain | body | object | A domain object including the id and name representing the domain the token is scoped to. This is only included in tokens that are scoped to a domain. |
token.domain.id | body | string | A domain UUID |
token.domain.name | body | string | A domain name |
token.project | body | object | A `project` object including the `id`, `name` and `domain` object representing the project the token is scoped to. This is only included in tokens that are scoped to a project. |
token.project.id | body | string | A user domain UUID |
token.project.name | body | string | A user domain name |
token.roles | body | array | A list of `role` objects |
token.roles[].id | body | string | A role UUID |
token.roles[].name | body | string | A role name |
token.system | body | object | A `system` object containing information about which parts of the system the token is scoped to. If the token is scoped to the entire deployment system, the `system` object will consist of `{"all": true}`. This is only included in tokens that are scoped to the system. |
403¶
Error
404¶
Error
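The following added example (not part of the Keystone documentation or code base) shows how a service or audit job might interpret the `token` object described above: it derives the single authorization scope, handles a `null` `expires_at`, uses the second audit ID to spot a re-scoped token, and compares `methods` against a local policy. The function names, the `required_methods` parameter and the sample body are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

SCOPE_KEYS = ("project", "domain", "system")


def parse_keystone_time(value):
    """Parse CCYY-MM-DDThh:mm:ss.sssZ; a null expires_at means no expiry."""
    if value is None:
        return None
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)


def token_scope(token):
    """Return (kind, target) for the one authorization target of a token."""
    present = [key for key in SCOPE_KEYS if token.get(key)]
    if len(present) > 1:
        # A token cannot be scoped to several targets at once; treat as invalid.
        raise ValueError("token claims more than one scope: %s" % present)
    if not present:
        return ("unscoped", None)
    kind = present[0]
    if kind == "system":
        # The system object maps names to booleans, e.g. {"all": true}.
        return ("system", sorted(k for k, v in token["system"].items() if v))
    return (kind, token[kind].get("id"))


def review_token(body, now=None, required_methods=frozenset()):
    """Summarize a validated token body for an authorization or audit decision."""
    token = body["token"]
    now = now or datetime.now(timezone.utc)
    expires = parse_keystone_time(token.get("expires_at"))
    audit_ids = token.get("audit_ids", [])
    methods = set(token.get("methods", []))
    findings = []
    if expires is None:
        findings.append("token never expires")
    expired = expires is not None and expires <= now
    if expired:
        findings.append("token is expired")
    if len(audit_ids) == 2:
        findings.append("re-scoped token, parent audit id %s" % audit_ids[1])
    # methods is the accumulated set of methods, not proof of multiple factors;
    # the caller decides which methods its own policy requires.
    missing = sorted(set(required_methods) - methods)
    if missing:
        findings.append("methods missing for local policy: %s" % ", ".join(missing))
    return {
        "scope": token_scope(token),
        "expired": expired,
        "audit_id": audit_ids[0] if audit_ids else None,
        "parent_audit_id": audit_ids[1] if len(audit_ids) == 2 else None,
        "roles": sorted(r.get("name", "") for r in token.get("roles", [])),
        "missing_methods": missing,
        "findings": findings,
    }


# Constructed sample response body; every identifier is a placeholder.
SAMPLE_BODY = {
    "token": {
        "audit_ids": ["AUDIT-CURRENT-EXAMPLE", "AUDIT-PARENT-EXAMPLE"],
        "expires_at": "2015-08-27T09:49:58.000000Z",
        "methods": ["password", "token"],
        "user": {"id": "USER-ID-EXAMPLE", "name": "alice"},
        "project": {"id": "PROJECT-ID-EXAMPLE", "name": "demo"},
        "roles": [{"id": "ROLE-ID-EXAMPLE", "name": "member"}],
    }
}

if __name__ == "__main__":
    fixed_now = datetime(2015, 8, 27, 9, 0, 0, tzinfo=timezone.utc)
    for line in review_token(SAMPLE_BODY, fixed_now, {"password", "totp"})["findings"]:
        print(line)
```

Logging `audit_id` and `parent_audit_id` rather than the token value lets a request be correlated across services without exposing the token ID.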
Password authentication with unscoped authorization¶
Authenticates an identity and generates a token. Uses the password authentication method. Authorization is unscoped.
The request body must include a payload that specifies the authentication method, which is password, and the user, by ID or name, and password credentials.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens
Request¶
Name | Location | Type | Description |
---|---|---|---|
auth | body | object | An `auth` object. |
auth.identity | body | object | An `identity` object. |
auth.identity.methods | body | array | The authentication method. For password authentication, specify `password`. |
auth.identity.password | body | object | The `password` object, contains the authentication information. |
auth.identity.password.user | body | object | A `user` object. |
auth.identity.password.user.id | body | string | The ID of the user. Required if you do not specify the user name. |
auth.identity.password.user.name | body | string | The user name. Required if you do not specify the ID of the user. If you specify the user name, you must also specify the domain, by ID or name. |
auth.identity.password.user.password | body | string | User Password |
auth.identity.password.user.domain | body | object | A `domain` object |
auth.identity.password.user.domain.id | body | string | User Domain ID |
auth.identity.password.user.domain.name | body | string | User Domain Name |
auth.identity.token | body | object | A `token` object |
auth.identity.token.id | body | string | Authorization Token value |
auth.identity.totp | body | object | Multi Factor Authentication information |
auth.identity.totp.user | body | object | |
auth.identity.totp.user.id | body | string | The user ID |
auth.identity.totp.user.name | body | string | The user name |
auth.identity.totp.user.domain | body | object | A `domain` object |
auth.identity.totp.user.domain.id | body | string | User Domain ID |
auth.identity.totp.user.domain.name | body | string | User Domain Name |
auth.identity.totp.user.passcode | body | string | MFA passcode |
auth.identity.application_credential | body | object | An application credential object. |
auth.identity.application_credential.id | body | string | |
auth.identity.application_credential.name | body | string | |
auth.identity.application_credential.secret | body | string | The secret for authenticating the application credential. |
auth.identity.application_credential.user | body | object | A user object, required if an application credential is identified by name and not ID. |
auth.identity.application_credential.user.id | body | string | The user ID |
auth.identity.application_credential.user.name | body | string | The user name |
auth.identity.application_credential.user.domain | body | object | A `domain` object |
auth.identity.application_credential.user.domain.id | body | string | User Domain ID |
auth.identity.application_credential.user.domain.name | body | string | User Domain Name |
auth.scope | body | object | The authorization scope, including the system (Since v3.10), a project, or a domain (Since v3.4). If multiple scopes are specified in the same request (e.g. project and domain or domain and system) an HTTP 400 Bad Request will be returned, as a token cannot be simultaneously scoped to multiple authorization targets. An ID is sufficient to uniquely identify a project but if a project is specified by name, then the domain of the project must also be specified in order to uniquely identify the project by name. A domain scope may be specified by either the domain’s ID or name with equivalent results. |
auth.scope.project | body | object | |
auth.scope.project.name | body | string | Project Name |
auth.scope.project.id | body | string | Project Id |
auth.scope.project.domain | body | object | |
auth.scope.project.domain.id | body | string | Project domain Id |
auth.scope.project.domain.name | body | string | Project domain Name |
auth.scope.domain | body | object | |
auth.scope.domain.id | body | string | Domain id |
auth.scope.domain.name | body | string | Domain name |
auth.scope.OS-TRUST:trust | body | object | |
auth.scope.OS-TRUST:trust.id | body | string | |
auth.scope.system | body | object | |
auth.scope.system.all | body | boolean | |
{
"type": "object",
"properties": {
"auth": {
"type": "object",
"description": "An `auth` object.",
"properties": {
"identity": {
"type": "object",
"description": "An `identity` object.",
"properties": {
"methods": {
"type": "array",
"description": "The authentication method. For password\nauthentication, specify `password`.",
"items": {
"type": "string",
"enum": [
"password",
"token",
"totp",
"application_credential"
]
}
},
"password": {
"type": "object",
"description": "The `password` object, contains the authentication information.",
"properties": {
"user": {
"type": "object",
"description": "A `user` object.",
"properties": {
"id": {
"type": "string",
"description": "The ID of the user. Required if you do not\nspecify the user name."
},
"name": {
"type": "string",
"description": "The user name. Required if you do not specify\nthe ID of the user. If you specify the user name, you must also\nspecify the domain, by ID or name."
},
"password": {
"type": "string",
"format": "password",
"description": "User Password"
},
"domain": {
"type": "object",
"description": "A `domain` object",
"properties": {
"id": {
"type": "string",
"description": "User Domain ID"
},
"name": {
"type": "string",
"description": "User Domain Name"
}
}
}
}
}
}
},
"token": {
"type": "object",
"description": "A `token` object",
"properties": {
"id": {
"type": "string",
"format": "password",
"description": "Authorization Token value"
}
},
"required": [
"id"
]
},
"totp": {
"type": "object",
"description": "Multi Factor Authentication information",
"properties": {
"user": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "The user ID"
},
"name": {
"type": "string",
"description": "The user name"
},
"domain": {
"type": "object",
"description": "A `domain` object",
"properties": {
"id": {
"type": "string",
"description": "User Domain ID"
},
"name": {
"type": "string",
"description": "User Domain Name"
}
}
},
"passcode": {
"type": "string",
"format": "password",
"description": "MFA passcode"
}
},
"required": [
"passcode"
]
}
},
"required": [
"user"
]
},
"application_credential": {
"type": "object",
"description": "An application credential object.",
"properties": {
"id": {
"type": "string",
"description": "The ID of the application credential used for authentication. If not provided, the application credential must be identified by its name and its owning user."
},
"name": {
"type": "string",
"description": "The name of the application credential used for authentication. If provided, must be accompanied by a user object."
},
"secret": {
"type": "string",
"format": "password",
"description": "The secret for authenticating the application credential."
},
"user": {
"type": "object",
"description": "A user object, required if an application credential is identified by name and not ID.",
"properties": {
"id": {
"type": "string",
"description": "The user ID"
},
"name": {
"type": "string",
"description": "The user name"
},
"domain": {
"type": "object",
"description": "A `domain` object",
"properties": {
"id": {
"type": "string",
"description": "User Domain ID"
},
"name": {
"type": "string",
"description": "User Domain Name"
}
}
}
}
}
},
"required": [
"secret"
]
}
},
"required": [
"methods"
]
},
"scope": {
"type": "object",
"description": "The authorization scope, including the system (Since v3.10), a project, or a domain (Since v3.4). If multiple scopes are specified in the same request (e.g. project and domain or domain and system) an HTTP 400 Bad Request will be returned, as a token cannot be simultaneously scoped to multiple authorization targets. An ID is sufficient to uniquely identify a project but if a project is specified by name, then the domain of the project must also be specified in order to uniquely identify the project by name. A domain scope may be specified by either the domain\u2019s ID or name with equivalent results.",
"properties": {
"project": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Project Name"
},
"id": {
"type": "string",
"description": "Project Id"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Project domain Id"
},
"name": {
"type": "string",
"description": "Project domain Name"
}
}
}
}
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Domain id"
},
"name": {
"type": "string",
"description": "Domain name"
}
}
},
"OS-TRUST:trust": {
"type": "object",
"properties": {
"id": {
"type": "string"
}
}
},
"system": {
"type": "object",
"properties": {
"all": {
"type": "boolean"
}
}
}
}
}
},
"required": [
"identity"
]
}
},
"definitions": {
"user_domain": {
"type": "object",
"description": "A `domain` object",
"properties": {
"id": {
"type": "string",
"description": "User Domain ID"
},
"name": {
"type": "string",
"description": "User Domain Name"
}
}
}
}
}
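As an added example (not taken from the Keystone documentation or code base), the sketch below builds the request body defined by the schema above and enforces its rules on the client side: a user or project given by name must carry its domain, and at most one scope may be requested, since the server rejects multiple scopes with HTTP 400. It also masks the fields the schema marks with `"format": "password"` before a body is logged. All function names, the mask string and the sample values are assumptions made for illustration.

```python
from copy import deepcopy

MASK = "***REDACTED***"


def user_ref(user_id=None, name=None, domain=None):
    """A user is identified by ID, or by name plus its domain (ID or name)."""
    if user_id:
        return {"id": user_id}
    if not name:
        raise ValueError("user needs an id or a name")
    if not domain or not (domain.get("id") or domain.get("name")):
        raise ValueError("a user given by name also needs a domain id or name")
    return {"name": name, "domain": domain}


def build_scope(project=None, domain=None, system_all=False):
    """Return the auth.scope object, or None for an unscoped request."""
    chosen = [n for n, v in (("project", project), ("domain", domain),
                             ("system", system_all)) if v]
    if len(chosen) > 1:
        # The server would answer HTTP 400 Bad Request; fail before sending.
        raise ValueError("multiple scopes requested: %s" % ", ".join(chosen))
    if project:
        if not project.get("id"):
            dom = project.get("domain") or {}
            if not (project.get("name") and (dom.get("id") or dom.get("name"))):
                raise ValueError("a project given by name also needs its domain")
        return {"project": project}
    if domain:
        if not (domain.get("id") or domain.get("name")):
            raise ValueError("domain scope needs an id or a name")
        return {"domain": domain}
    if system_all:
        return {"system": {"all": True}}
    return None


def password_auth_request(password, user_id=None, user_name=None,
                          user_domain=None, project=None, domain=None,
                          system_all=False):
    """Build the body for password authentication, scoped or unscoped."""
    user = user_ref(user_id, user_name, user_domain)
    user["password"] = password
    auth = {"identity": {"methods": ["password"], "password": {"user": user}}}
    scope = build_scope(project, domain, system_all)
    if scope is not None:
        auth["scope"] = scope
    return {"auth": auth}


def redact_for_log(body):
    """Copy a request body with every format=password field masked."""
    safe = deepcopy(body)
    identity = safe.get("auth", {}).get("identity", {})
    pw_user = identity.get("password", {}).get("user", {})
    if "password" in pw_user:
        pw_user["password"] = MASK
    if "id" in identity.get("token", {}):
        identity["token"]["id"] = MASK
    totp_user = identity.get("totp", {}).get("user", {})
    if "passcode" in totp_user:
        totp_user["passcode"] = MASK
    if "secret" in identity.get("application_credential", {}):
        identity["application_credential"]["secret"] = MASK
    return safe


if __name__ == "__main__":
    # Constructed sample values; none of them refer to a real deployment.
    request = password_auth_request(
        "example-password", user_name="alice", user_domain={"name": "Default"},
        project={"id": "PROJECT-ID-EXAMPLE"})
    print(redact_for_log(request))
```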
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"token": {
"type": "object",
"properties": {
"audit_ids": {
"type": "array",
"description": "A list of one or two audit IDs. An audit ID is a\nunique, randomly generated, URL\\-safe string that you can use to\ntrack a token. The first audit ID is the current audit ID for the\ntoken. The second audit ID is present for only re\\-scoped tokens\nand is the audit ID from the token before it was re\\-scoped. A re\\-\nscoped token is one that was exchanged for another token of the\nsame or different scope. You can use these audit IDs to track the\nuse of a token or chain of tokens across multiple requests and\nendpoints without exposing the token ID to non\\-privileged users.",
"items": {
"type": "string"
}
},
"catalog": {
"description": "A `catalog` object.",
"type": "array",
"items": {
"type": "object",
"properties": {
"endpoints": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The ID of the user. Required if you do not\nspecify the user name."
},
"interface": {
"type": "string",
"enum": [
"public",
"internal",
"admin"
]
},
"region": {
"type": "string",
"description": "Region name of the endpoint"
},
"url": {
"type": "string",
"format": "uri",
"description": "The endpoint url"
}
}
}
},
"id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint belongs."
},
"type": {
"type": "string",
"description": "The service type, which describes the API implemented by the service"
},
"name": {
"type": "string",
"description": "The user name. Required if you do not specify\nthe ID of the user. If you specify the user name, you must also\nspecify the domain, by ID or name."
}
}
}
},
"expires_at": {
"type": "string",
"format": "date-time",
"description": "The date and time when the token expires.\n\n\nThe date and time stamp format is [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601):\n\n\n\n```\nCCYY-MM-DDThh:mm:ss.sssZ\n\n```\n\n\nFor example, `2015-08-27T09:49:58.000000Z`.\n\n\nA `null` value indicates that the token never expires."
},
"issues_at": {
"type": "string",
"format": "date-time",
"description": "The date and time when the token was issued."
},
"methods": {
"type": "array",
"description": "The authentication method. For password\nauthentication, specify `password`.",
"items": {
"type": "string"
}
},
"user": {
"type": "object",
"description": "A `user` object.",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user UUID"
},
"name": {
"type": "string",
"description": "A user name"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user domain UUID"
},
"name": {
"type": "string",
"description": "A user domain name"
}
},
"description": "A `domain` object"
},
"password_expires_at": {
"type": "string",
"format": "date-time",
"description": "DateTime of the user password expiration"
},
"OS-FEDERATION": {
"type": "object"
}
}
},
"is_domain": {
"type": "boolean"
},
"domain": {
"type": "object",
"description": "A domain object including the id and name representing the domain the token is scoped to. This is only included in tokens that are scoped to a domain.",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A domain UUID"
},
"name": {
"type": "string",
"description": "A domain name"
}
}
},
"project": {
"type": "object",
"description": "A `project` object including the `id`, `name` and `domain` object\nrepresenting the project the token is scoped to. This is only included in\ntokens that are scoped to a project.",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user domain UUID"
},
"name": {
"type": "string",
"description": "A user domain name"
}
}
},
"roles": {
"type": "array",
"description": "A list of `role` objects",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A role UUID"
},
"name": {
"type": "string",
"description": "A role name"
}
}
}
},
"system": {
"type": "object",
"description": "A `system` object containing information about which parts of the system\nthe token is scoped to. If the token is scoped to the entire deployment\nsystem, the `system` object will consist of `{\"all\": true}`. This is\nonly included in tokens that are scoped to the system.",
"additionalProperties": {
"type": "boolean"
}
}
},
"description": "A `token` object."
}
}
}
Name | Location | Type | Description |
---|---|---|---|
token | body | object | A `token` object. |
token.audit_ids | body | array | A list of one or two audit IDs. An audit ID is a unique, randomly generated, URL-safe string that you can use to track a token. The first audit ID is the current audit ID for the token. The second audit ID is present for only re-scoped tokens and is the audit ID from the token before it was re-scoped. A re-scoped token is one that was exchanged for another token of the same or different scope. You can use these audit IDs to track the use of a token or chain of tokens across multiple requests and endpoints without exposing the token ID to non-privileged users. |
token.catalog | body | array | A `catalog` object. |
token.catalog[].endpoints | body | array | |
token.catalog[].endpoints[].id | body | string | The ID of the user. Required if you do not specify the user name. |
token.catalog[].endpoints[].interface | body | string | |
token.catalog[].endpoints[].region | body | string | Region name of the endpoint |
token.catalog[].endpoints[].url | body | string | The endpoint url |
token.catalog[].id | body | string | The UUID of the service to which the endpoint belongs. |
token.catalog[].type | body | string | The service type, which describes the API implemented by the service |
token.catalog[].name | body | string | The user name. Required if you do not specify the ID of the user. If you specify the user name, you must also specify the domain, by ID or name. |
token.expires_at | body | string | The date and time when the token expires. The date and time stamp format is ISO 8601: `CCYY-MM-DDThh:mm:ss.sssZ`. For example, `2015-08-27T09:49:58.000000Z`. A `null` value indicates that the token never expires. |
token.issues_at | body | string | The date and time when the token was issued. |
token.methods | body | array | The authentication method. For password authentication, specify `password`. |
token.user | body | object | A `user` object. |
token.user.id | body | string | A user UUID |
token.user.name | body | string | A user name |
token.user.domain | body | object | A `domain` object |
token.user.domain.id | body | string | A user domain UUID |
token.user.domain.name | body | string | A user domain name |
token.user.password_expires_at | body | string | DateTime of the user password expiration |
token.user.OS-FEDERATION | body | object | |
token.is_domain | body | boolean | |
token.domain | body | object | A domain object including the id and name representing the domain the token is scoped to. This is only included in tokens that are scoped to a domain. |
token.domain.id | body | string | A domain UUID |
token.domain.name | body | string | A domain name |
token.project | body | object | A `project` object including the `id`, `name` and `domain` object representing the project the token is scoped to. This is only included in tokens that are scoped to a project. |
token.project.id | body | string | A user domain UUID |
token.project.name | body | string | A user domain name |
token.roles | body | array | A list of `role` objects |
token.roles[].id | body | string | A role UUID |
token.roles[].name | body | string | A role name |
token.system | body | object | A `system` object containing information about which parts of the system the token is scoped to. If the token is scoped to the entire deployment system, the `system` object will consist of `{"all": true}`. This is only included in tokens that are scoped to the system. |
401¶
Unauthorized
{
"type": "object",
"properties": {
"receipt": {
"type": "object",
"properties": {
"expires_at": {
"type": "string",
"format": "date-time",
"description": "The date and time when the token expires."
},
"issues_at": {
"type": "string",
"format": "date-time",
"description": "The date and time when the token was issued."
},
"methods": {
"type": "array",
"description": "The authentication methods, which are commonly password, token, or other methods. Indicates the accumulated set of authentication methods that were used to obtain the token. For example, if the token was obtained by password authentication, it contains password. Later, if the token is exchanged by using the token authentication method one or more times, the subsequently created tokens contain both password and token in their methods attribute. Unlike multi-factor authentication, the methods attribute merely indicates the methods that were used to authenticate the user in exchange for a token. The client is responsible for determining the total number of authentication factors.",
"items": {
"type": "string"
}
},
"user": {
"type": "object",
"description": "A user object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user UUID"
},
"name": {
"type": "string",
"description": "A user name"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user domain UUID"
},
"name": {
"type": "string",
"description": "A user domain name"
}
}
},
"password_expires_at": {
"type": "string",
"format": "date-time",
"description": "DateTime of the user password expiration"
},
"OS-FEDERATION": {
"type": "object"
}
}
}
}
},
"required_auth_methods": {
"type": "array",
"items": {
"type": "string"
},
"description": "A list of authentication rules that may be used with the auth receipt to complete the authentication process."
}
}
}
Name | Location | Type | Description |
---|---|---|---|
receipt | body | object | |
receipt.expires_at | body | string | The date and time when the token expires. |
receipt.issues_at | body | string | The date and time when the token was issued. |
receipt.methods | body | array | The authentication methods, which are commonly password, token, or other methods. Indicates the accumulated set of authentication methods that were used to obtain the token. For example, if the token was obtained by password authentication, it contains password. Later, if the token is exchanged by using the token authentication method one or more times, the subsequently created tokens contain both password and token in their methods attribute. Unlike multi-factor authentication, the methods attribute merely indicates the methods that were used to authenticate the user in exchange for a token. The client is responsible for determining the total number of authentication factors. |
receipt.user | body | object | A user object |
receipt.user.id | body | string | A user UUID |
receipt.user.name | body | string | A user name |
receipt.user.domain | body | object | |
receipt.user.domain.id | body | string | A user domain UUID |
receipt.user.domain.name | body | string | A user domain name |
receipt.user.password_expires_at | body | string | DateTime of the user password expiration |
receipt.user.OS-FEDERATION | body | object | |
required_auth_methods | body | array | A list of authentication rules that may be used with the auth receipt to complete the authentication process. |
403¶
Error
404¶
Error
Revoke token¶
Revokes a token.
This call is similar to the `HEAD /auth/tokens` call except that the `X-Subject-Token` token is immediately not valid, regardless of the `expires_at` attribute value. An additional `X-Auth-Token` is not required.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens
Responses¶
204¶
Ok
403¶
Error
404¶
Error
Generate a SAML assertion¶
A user may generate a SAML assertion document based on the scoped token that is used in the request.
Request Parameters:
To generate a SAML assertion, a user must provide a scoped token ID and Service Provider ID in the request body.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/saml2
Request¶
Name | Location | Type | Description |
---|---|---|---|
auth | body | object | Auth data with user’s identity and Service Provider scope information |
auth.identity | body | object | An `identity` object. |
auth.identity.methods | body | array | The authentication method. For password authentication, specify `password`. |
auth.identity.password | body | object | The `password` object, contains the authentication information. |
auth.identity.password.user | body | object | A `user` object. |
auth.identity.password.user.id | body | string | The ID of the user. Required if you do not specify the user name. |
auth.identity.password.user.name | body | string | The user name. Required if you do not specify the ID of the user. If you specify the user name, you must also specify the domain, by ID or name. |
auth.identity.password.user.password | body | string | User Password |
auth.identity.password.user.domain | body | object | A `domain` object |
auth.identity.password.user.domain.id | body | string | User Domain ID |
auth.identity.password.user.domain.name | body | string | User Domain Name |
auth.identity.token | body | object | A `token` object |
auth.identity.token.id | body | string | Authorization Token value |
auth.identity.totp | body | object | Multi Factor Authentication information |
auth.identity.totp.user | body | object | |
auth.identity.totp.user.id | body | string | The user ID |
auth.identity.totp.user.name | body | string | The user name |
auth.identity.totp.user.domain | body | object | A `domain` object |
auth.identity.totp.user.domain.id | body | string | User Domain ID |
auth.identity.totp.user.domain.name | body | string | User Domain Name |
auth.identity.totp.user.passcode | body | string | MFA passcode |
auth.identity.application_credential | body | object | An application credential object. |
auth.identity.application_credential.id | body | string | The ID of the application credential used for authentication. If not provided, the application credential must be identified by its name and its owning user. |
auth.identity.application_credential.name | body | string | The name of the application credential used for authentication. If provided, must be accompanied by a user object. |
auth.identity.application_credential.secret | body | string | The secret for authenticating the application credential. |
auth.identity.application_credential.user | body | object | A user object, required if an application credential is identified by name and not ID. |
auth.identity.application_credential.user.id | body | string | The user ID |
auth.identity.application_credential.user.name | body | string | The user name |
auth.identity.application_credential.user.domain | body | object | A `domain` object |
auth.identity.application_credential.user.domain.id | body | string | User Domain ID |
auth.identity.application_credential.user.domain.name | body | string | User Domain Name |
auth.scope | body | object | The authorization scope, including the system (Since v3.10), a project, or a domain (Since v3.4). If multiple scopes are specified in the same request (e.g. project and domain or domain and system) an HTTP 400 Bad Request will be returned, as a token cannot be simultaneously scoped to multiple authorization targets. An ID is sufficient to uniquely identify a project but if a project is specified by name, then the domain of the project must also be specified in order to uniquely identify the project by name. A domain scope may be specified by either the domain’s ID or name with equivalent results. |
auth.scope.project | body | object | |
auth.scope.project.name | body | string | Project Name |
auth.scope.project.id | body | string | Project Id |
auth.scope.project.domain | body | object | |
auth.scope.project.domain.id | body | string | Project domain Id |
auth.scope.project.domain.name | body | string | Project domain Name |
auth.scope.domain | body | object | |
auth.scope.domain.id | body | string | Domain id |
auth.scope.domain.name | body | string | Domain name |
auth.scope.OS-TRUST:trust | body | object | |
auth.scope.OS-TRUST:trust.id | body | string | |
auth.scope.system | body | object | |
auth.scope.system.all | body | boolean | |
{
"type": "object",
"properties": {
"auth": {
"type": "object",
"description": "Auth data with user\u2019s identity and Service Provider scope information",
"properties": {
"identity": {
"type": "object",
"description": "An `identity` object.",
"properties": {
"methods": {
"type": "array",
"description": "The authentication method. For password\nauthentication, specify `password`.",
"items": {
"type": "string",
"enum": [
"password",
"token",
"totp",
"application_credential"
]
}
},
"password": {
"type": "object",
"description": "The `password` object, contains the authentication information.",
"properties": {
"user": {
"type": "object",
"description": "A `user` object.",
"properties": {
"id": {
"type": "string",
"description": "The ID of the user. Required if you do not\n specify the user name."
},
"name": {
"type": "string",
"description": "The user name. Required if you do not specify\n the ID of the user. If you specify the user name, you must also\nspecify the domain, by ID or name."
},
"password": {
"type": "string",
"format": "password",
"description": "User Password"
},
"domain": {
"type": "object",
"description": "A `domain` object",
"properties": {
"id": {
"type": "string",
"description": "User Domain ID"
},
"name": {
"type": "string",
"description": "User Domain Name"
}
}
}
}
}
}
},
"token": {
"type": "object",
"description": "A `token` object",
"properties": {
"id": {
"type": "string",
"format": "password",
"description": "Authorization Token value"
}
},
"required": [
"id"
]
},
"totp": {
"type": "object",
"description": "Multi Factor Authentication information",
"properties": {
"user": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "The user ID"
},
"name": {
"type": "string",
"description": "The user name"
},
"domain": {
"type": "object",
"description": "A `domain` object",
"properties": {
"id": {
"type": "string",
"description": "User Domain ID"
},
"name": {
"type": "string",
"description": "User Domain Name"
}
}
},
"passcode": {
"type": "string",
"format": "password",
"description": "MFA passcode"
}
},
"required": [
"passcode"
]
}
},
"required": [
"user"
]
},
"application_credential": {
"type": "object",
"description": "An application credential object.",
"properties": {
"id": {
"type": "string",
"description": "The ID of the application credential used for authentication. If not provided, the application credential must be identified by its name and its owning user."
},
"name": {
"type": "string",
"description": "The name of the application credential used for authentication. If provided, must be accompanied by a user object."
},
"secret": {
"type": "string",
"format": "password",
"description": "The secret for authenticating the application credential."
},
"user": {
"type": "object",
"description": "A user object, required if an application credential is identified by name and not ID.",
"properties": {
"id": {
"type": "string",
"description": "The user ID"
},
"name": {
"type": "string",
"description": "The user name"
},
"domain": {
"type": "object",
"description": "A `domain` object",
"properties": {
"id": {
"type": "string",
"description": "User Domain ID"
},
"name": {
"type": "string",
"description": "User Domain Name"
}
}
}
}
}
},
"required": [
"secret"
]
}
},
"required": [
"methods"
]
},
"scope": {
"type": "object",
"description": "The authorization scope, including the system (Since v3.10), a project, or a domain (Since v3.4). If multiple scopes are specified in the same request (e.g. project and domain or domain and system) an HTTP 400 Bad Request will be returned, as a token cannot be simultaneously scoped to multiple authorization targets. An ID is sufficient to uniquely identify a project but if a project is specified by name, then the domain of the project must also be specified in order to uniquely identify the project by name. A domain scope may be specified by either the domain\u2019s ID or name with equivalent results.",
"properties": {
"project": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Project Name"
},
"id": {
"type": "string",
"description": "Project Id"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Project domain Id"
},
"name": {
"type": "string",
"description": "Project domain Name"
}
}
}
}
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Domain id"
},
"name": {
"type": "string",
"description": "Domain name"
}
}
},
"OS-TRUST:trust": {
"type": "object",
"properties": {
"id": {
"type": "string"
}
}
},
"system": {
"type": "object",
"properties": {
"all": {
"type": "boolean"
}
}
}
}
}
},
"required": [
"identity"
]
}
},
"definitions": {
"user_domain": {
"type": "object",
"description": "A `domain` object",
"properties": {
"id": {
"type": "string",
"description": "User Domain ID"
},
"name": {
"type": "string",
"description": "User Domain Name"
}
}
}
}
}
Responses¶
200¶
Ok
403¶
Error
404¶
Error
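The request schema above carries several rules that are easy to miss in a flat field list: only one of the project, domain and system scopes may be given, a project named by name needs its domain, and an application credential named by name needs its owning user. The following is an added example, not part of the Keystone documentation or code base, that checks a request body against those rules before it is sent; the function names and all sample values are constructed for illustration.

```python
"""Pre-flight check of a Keystone v3 `auth` request body against the rules
stated in the request schema on this page. Added example, not Keystone code."""

ALLOWED_METHODS = {"password", "token", "totp", "application_credential"}
# Scopes the schema description says cannot be combined (HTTP 400 otherwise).
EXCLUSIVE_SCOPES = ("project", "domain", "system")


def _has_domain(obj):
    """True if obj carries a domain identified by ID or by name."""
    domain = obj.get("domain")
    return isinstance(domain, dict) and bool(domain.get("id") or domain.get("name"))


def validate_auth_body(body):
    """Return a list of problems; an empty list means the body passes."""
    auth = body.get("auth") if isinstance(body, dict) else None
    if not isinstance(auth, dict):
        return ["auth: object is missing"]
    identity = auth.get("identity")
    if not isinstance(identity, dict):
        return ["auth.identity: required object is missing"]

    errors = []
    methods = identity.get("methods")
    if not isinstance(methods, list):
        errors.append("identity.methods: required array is missing")
    else:
        for method in methods:
            if method not in ALLOWED_METHODS:
                errors.append(f"identity.methods: {method!r} is not an allowed value")

    # password.user: an ID, or a name together with its domain.
    password = identity.get("password")
    if isinstance(password, dict):
        user = password.get("user") or {}
        if not user.get("id"):
            if not user.get("name"):
                errors.append("password.user: id or name is required")
            elif not _has_domain(user):
                errors.append("password.user: name also needs a domain")

    token = identity.get("token")
    if isinstance(token, dict) and not token.get("id"):
        errors.append("token: id is required")

    totp = identity.get("totp")
    if isinstance(totp, dict):
        totp_user = totp.get("user")
        if not isinstance(totp_user, dict):
            errors.append("totp: user is required")
        elif not totp_user.get("passcode"):
            errors.append("totp.user: passcode is required")

    app_cred = identity.get("application_credential")
    if isinstance(app_cred, dict):
        if not app_cred.get("secret"):
            errors.append("application_credential: secret is required")
        if not app_cred.get("id"):
            # Without an ID the credential is identified by name plus owner.
            if not app_cred.get("name"):
                errors.append("application_credential: id or name is required")
            elif not isinstance(app_cred.get("user"), dict):
                errors.append("application_credential: name also needs a user")

    scope = auth.get("scope")
    if isinstance(scope, dict):
        chosen = [name for name in EXCLUSIVE_SCOPES if name in scope]
        if len(chosen) > 1:
            errors.append("scope: " + " and ".join(chosen) + " cannot be combined")
        project = scope.get("project")
        if isinstance(project, dict) and not project.get("id"):
            if project.get("name") and not _has_domain(project):
                errors.append("scope.project: name also needs a domain")
    return errors


# Constructed sample bodies; every value is a placeholder.
GOOD = {"auth": {
    "identity": {"methods": ["token"], "token": {"id": "CONSTRUCTED-TOKEN-ID"}},
    "scope": {"project": {"name": "demo", "domain": {"id": "default"}}}}}
BAD_SCOPE = {"auth": {
    "identity": {"methods": ["password"], "password": {"user": {
        "name": "alice", "domain": {"name": "Default"}, "password": "CONSTRUCTED"}}},
    "scope": {"project": {"name": "demo"}, "domain": {"id": "default"}}}}
BAD_APP_CRED = {"auth": {"identity": {
    "methods": ["application_credential"],
    "application_credential": {"name": "ci-deploy", "secret": "CONSTRUCTED"}}}}

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("bad scope", BAD_SCOPE),
                        ("bad app cred", BAD_APP_CRED)):
        print(label, validate_auth_body(body))
```

The `OS-TRUST:trust` scope is left out of the exclusivity check because the schema description names only project, domain and system.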
Generate an ECP wrapped SAML assertion¶
A user may generate a SAML assertion document to work with the Enhanced Client or Proxy (ECP) profile based on the scoped token that is used in the request.
Request Parameters:
To generate an ECP wrapped SAML assertion, a user must provide a scoped token ID and Service Provider ID in the request body.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/saml2/ecp
Request¶
Name | Location | Type | Description |
---|---|---|---|
auth | body | object | Auth data with user’s identity and Service Provider scope information |
auth.identity | body | object | An `identity` object. |
auth.identity.methods | body | array | The authentication method. For password authentication, specify `password`. |
auth.identity.password | body | object | The `password` object, contains the authentication information. |
auth.identity.password.user | body | object | A `user` object. |
auth.identity.password.user.id | body | string | The ID of the user. Required if you do not specify the user name. |
auth.identity.password.user.name | body | string | The user name. Required if you do not specify the ID of the user. If you specify the user name, you must also specify the domain, by ID or name. |
auth.identity.password.user.password | body | string | User Password |
auth.identity.password.user.domain | body | object | A `domain` object |
auth.identity.password.user.domain.id | body | string | User Domain ID |
auth.identity.password.user.domain.name | body | string | User Domain Name |
auth.identity.token | body | object | A `token` object |
auth.identity.token.id | body | string | Authorization Token value |
auth.identity.totp | body | object | Multi Factor Authentication information |
auth.identity.totp.user | body | object | |
auth.identity.totp.user.id | body | string | The user ID |
auth.identity.totp.user.name | body | string | The user name |
auth.identity.totp.user.domain | body | object | A `domain` object |
auth.identity.totp.user.domain.id | body | string | User Domain ID |
auth.identity.totp.user.domain.name | body | string | User Domain Name |
auth.identity.totp.user.passcode | body | string | MFA passcode |
auth.identity.application_credential | body | object | An application credential object. |
auth.identity.application_credential.id | body | string | The ID of the application credential used for authentication. If not provided, the application credential must be identified by its name and its owning user. |
auth.identity.application_credential.name | body | string | The name of the application credential used for authentication. If provided, must be accompanied by a user object. |
auth.identity.application_credential.secret | body | string | The secret for authenticating the application credential. |
auth.identity.application_credential.user | body | object | A user object, required if an application credential is identified by name and not ID. |
auth.identity.application_credential.user.id | body | string | The user ID |
auth.identity.application_credential.user.name | body | string | The user name |
auth.identity.application_credential.user.domain | body | object | A `domain` object |
auth.identity.application_credential.user.domain.id | body | string | User Domain ID |
auth.identity.application_credential.user.domain.name | body | string | User Domain Name |
auth.scope | body | object | The authorization scope, including the system (Since v3.10), a project, or a domain (Since v3.4). If multiple scopes are specified in the same request (e.g. project and domain or domain and system) an HTTP 400 Bad Request will be returned, as a token cannot be simultaneously scoped to multiple authorization targets. An ID is sufficient to uniquely identify a project but if a project is specified by name, then the domain of the project must also be specified in order to uniquely identify the project by name. A domain scope may be specified by either the domain’s ID or name with equivalent results. |
auth.scope.project | body | object | |
auth.scope.project.name | body | string | Project Name |
auth.scope.project.id | body | string | Project Id |
auth.scope.project.domain | body | object | |
auth.scope.project.domain.id | body | string | Project domain Id |
auth.scope.project.domain.name | body | string | Project domain Name |
auth.scope.domain | body | object | |
auth.scope.domain.id | body | string | Domain id |
auth.scope.domain.name | body | string | Domain name |
auth.scope.OS-TRUST:trust | body | object | |
auth.scope.OS-TRUST:trust.id | body | string | |
auth.scope.system | body | object | |
auth.scope.system.all | body | boolean | |
{
"type": "object",
"properties": {
"auth": {
"type": "object",
"description": "Auth data with user\u2019s identity and Service Provider scope information",
"properties": {
"identity": {
"type": "object",
"description": "An `identity` object.",
"properties": {
"methods": {
"type": "array",
"description": "The authentication method. For password\nauthentication, specify `password`.",
"items": {
"type": "string",
"enum": [
"password",
"token",
"totp",
"application_credential"
]
}
},
"password": {
"type": "object",
"description": "The `password` object, contains the authentication information.",
"properties": {
"user": {
"type": "object",
"description": "A `user` object.",
"properties": {
"id": {
"type": "string",
"description": "The ID of the user. Required if you do not\n specify the user name."
},
"name": {
"type": "string",
"description": "The user name. Required if you do not specify\n the ID of the user. If you specify the user name, you must also\nspecify the domain, by ID or name."
},
"password": {
"type": "string",
"format": "password",
"description": "User Password"
},
"domain": {
"type": "object",
"description": "A `domain` object",
"properties": {
"id": {
"type": "string",
"description": "User Domain ID"
},
"name": {
"type": "string",
"description": "User Domain Name"
}
}
}
}
}
}
},
"token": {
"type": "object",
"description": "A `token` object",
"properties": {
"id": {
"type": "string",
"format": "password",
"description": "Authorization Token value"
}
},
"required": [
"id"
]
},
"totp": {
"type": "object",
"description": "Multi Factor Authentication information",
"properties": {
"user": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "The user ID"
},
"name": {
"type": "string",
"description": "The user name"
},
"domain": {
"type": "object",
"description": "A `domain` object",
"properties": {
"id": {
"type": "string",
"description": "User Domain ID"
},
"name": {
"type": "string",
"description": "User Domain Name"
}
}
},
"passcode": {
"type": "string",
"format": "password",
"description": "MFA passcode"
}
},
"required": [
"passcode"
]
}
},
"required": [
"user"
]
},
"application_credential": {
"type": "object",
"description": "An application credential object.",
"properties": {
"id": {
"type": "string",
"description": "The ID of the application credential used for authentication. If not provided, the application credential must be identified by its name and its owning user."
},
"name": {
"type": "string",
"description": "The name of the application credential used for authentication. If provided, must be accompanied by a user object."
},
"secret": {
"type": "string",
"format": "password",
"description": "The secret for authenticating the application credential."
},
"user": {
"type": "object",
"description": "A user object, required if an application credential is identified by name and not ID.",
"properties": {
"id": {
"type": "string",
"description": "The user ID"
},
"name": {
"type": "string",
"description": "The user name"
},
"domain": {
"type": "object",
"description": "A `domain` object",
"properties": {
"id": {
"type": "string",
"description": "User Domain ID"
},
"name": {
"type": "string",
"description": "User Domain Name"
}
}
}
}
}
},
"required": [
"secret"
]
}
},
"required": [
"methods"
]
},
"scope": {
"type": "object",
"description": "The authorization scope, including the system (Since v3.10), a project, or a domain (Since v3.4). If multiple scopes are specified in the same request (e.g. project and domain or domain and system) an HTTP 400 Bad Request will be returned, as a token cannot be simultaneously scoped to multiple authorization targets. An ID is sufficient to uniquely identify a project but if a project is specified by name, then the domain of the project must also be specified in order to uniquely identify the project by name. A domain scope may be specified by either the domain\u2019s ID or name with equivalent results.",
"properties": {
"project": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Project Name"
},
"id": {
"type": "string",
"description": "Project Id"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Project domain Id"
},
"name": {
"type": "string",
"description": "Project domain Name"
}
}
}
}
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Domain id"
},
"name": {
"type": "string",
"description": "Domain name"
}
}
},
"OS-TRUST:trust": {
"type": "object",
"properties": {
"id": {
"type": "string"
}
}
},
"system": {
"type": "object",
"properties": {
"all": {
"type": "boolean"
}
}
}
}
}
},
"required": [
"identity"
]
}
},
"definitions": {
"user_domain": {
"type": "object",
"description": "A `domain` object",
"properties": {
"id": {
"type": "string",
"description": "User Domain ID"
},
"name": {
"type": "string",
"description": "User Domain Name"
}
}
}
}
}
Responses¶
200¶
Ok
403¶
Error
404¶
Error
GET operation on /v3/auth/OS-FEDERATION/websso/{protocol_id}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"token": {
"type": "object",
"properties": {
"audit_ids": {
"type": "array",
"description": "A list of one or two audit IDs. An audit ID is a unique, randomly generated, URL-safe string that you can use to track a token. The first audit ID is the current audit ID for the token. The second audit ID is present for only re-scoped tokens and is the audit ID from the token before it was re-scoped. A re-scoped token is one that was exchanged for another token of the same or different scope. You can use these audit IDs to track the use of a token or chain of tokens across multiple requests and endpoints without exposing the token ID to non-privileged users.",
"items": {
"type": "string"
}
},
"catalog": {
"description": "A catalog object.",
"type": "array",
"items": {
"type": "object",
"properties": {
"endpoints": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint\nbelongs."
},
"interface": {
"type": "string",
"enum": [
"public",
"internal",
"admin"
]
},
"region": {
"type": "string",
"description": "Region name of the endpoint"
},
"url": {
"type": "string",
"format": "uri",
"description": "The endpoint url"
}
}
},
"description": "A list of `endpoint` objects."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint belongs."
},
"type": {
"type": "string",
"description": "The service type, which describes the API\nimplemented by the service. Value is `compute`, `ec2`,\n`identity`, `image`, `network`, or `volume`."
},
"name": {
"type": "string",
"description": "The service name."
}
}
}
},
"expires_at": {
"type": "string",
"format": "date-time",
"description": "The date and time when the token expires."
},
"issues_at": {
"type": "string",
"format": "date-time",
"description": "The date and time when the token was issued."
},
"methods": {
"type": "array",
"description": "The authentication methods, which are commonly password, token, or other methods. Indicates the accumulated set of authentication methods that were used to obtain the token. For example, if the token was obtained by password authentication, it contains password. Later, if the token is exchanged by using the token authentication method one or more times, the subsequently created tokens contain both password and token in their methods attribute. Unlike multi-factor authentication, the methods attribute merely indicates the methods that were used to authenticate the user in exchange for a token. The client is responsible for determining the total number of authentication factors.",
"items": {
"type": "string"
}
},
"user": {
"type": "object",
"description": "A user object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user UUID"
},
"name": {
"type": "string",
"description": "A user name"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user domain UUID"
},
"name": {
"type": "string",
"description": "A user domain name"
}
}
},
"password_expires_at": {
"type": "string",
"format": "date-time",
"description": "DateTime of the user password expiration"
},
"OS-FEDERATION": {
"type": "object"
}
}
}
},
"description": "Federation unscoped token containing methods and user information"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
token | body | object | Federation unscoped token containing methods and user information |
token.audit_ids | body | array | A list of one or two audit IDs. An audit ID is a unique, randomly generated, URL-safe string that you can use to track a token. The first audit ID is the current audit ID for the token. The second audit ID is present for only re-scoped tokens and is the audit ID from the token before it was re-scoped. A re-scoped token is one that was exchanged for another token of the same or different scope. You can use these audit IDs to track the use of a token or chain of tokens across multiple requests and endpoints without exposing the token ID to non-privileged users. |
token.catalog | body | array | A catalog object. |
token.catalog[].endpoints | body | array | A list of `endpoint` objects. |
token.catalog[].endpoints[].id | body | string | The UUID of the service to which the endpoint belongs. |
token.catalog[].endpoints[].interface | body | string | |
token.catalog[].endpoints[].region | body | string | Region name of the endpoint |
token.catalog[].endpoints[].url | body | string | The endpoint url |
token.catalog[].id | body | string | The UUID of the service to which the endpoint belongs. |
token.catalog[].type | body | string | The service type, which describes the API implemented by the service. Value is `compute`, `ec2`, `identity`, `image`, `network`, or `volume`. |
token.catalog[].name | body | string | The service name. |
token.expires_at | body | string | The date and time when the token expires. |
token.issues_at | body | string | The date and time when the token was issued. |
token.methods | body | array | The authentication methods, which are commonly password, token, or other methods. Indicates the accumulated set of authentication methods that were used to obtain the token. For example, if the token was obtained by password authentication, it contains password. Later, if the token is exchanged by using the token authentication method one or more times, the subsequently created tokens contain both password and token in their methods attribute. Unlike multi-factor authentication, the methods attribute merely indicates the methods that were used to authenticate the user in exchange for a token. The client is responsible for determining the total number of authentication factors. |
token.user | body | object | A user object |
token.user.id | body | string | A user UUID |
token.user.name | body | string | A user name |
token.user.domain | body | object | |
token.user.domain.id | body | string | A user domain UUID |
token.user.domain.name | body | string | A user domain name |
token.user.password_expires_at | body | string | DateTime of the user password expiration |
token.user.OS-FEDERATION | body | object | |
403¶
Error
404¶
Error
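The `token.audit_ids` description above says the IDs let you follow a token, or a chain of re-scoped tokens, across requests without handling the token ID itself. The following is an added example, not part of the Keystone documentation or code base, that groups records into such chains by following the second audit ID back to the earliest known one; the record fields `service` and `scope` and all audit ID values are constructed for illustration.

```python
"""Group token records into re-scoping chains using audit IDs only.
Added example; the record layout is an assumption, not a Keystone log format."""
from collections import defaultdict


def chain_root(audit_id, parent_of):
    """Follow 'token before re-scoping' links back to the earliest known ID."""
    seen = set()
    while audit_id in parent_of and audit_id not in seen:
        seen.add(audit_id)  # guards against a malformed, cyclic input
        audit_id = parent_of[audit_id]
    return audit_id


def group_token_chains(records):
    """Return (chains, rejected).

    chains maps a root audit ID to the records of every token in that chain,
    in input order. rejected holds records whose audit_ids is not a list of
    one or two non-empty strings, which the field description does not allow.
    """
    parent_of, usable, rejected = {}, [], []
    for record in records:
        ids = record.get("audit_ids")
        if (not isinstance(ids, list) or len(ids) not in (1, 2)
                or not all(isinstance(i, str) and i for i in ids)):
            rejected.append(record)
            continue
        if len(ids) == 2 and ids[0] != ids[1]:
            # ids[0] is the current token, ids[1] the token it came from.
            parent_of[ids[0]] = ids[1]
        usable.append(record)

    chains = defaultdict(list)
    for record in usable:
        chains[chain_root(record["audit_ids"][0], parent_of)].append(record)
    return dict(chains), rejected


# Constructed records, as a collector might extract them from service logs.
SAMPLE_RECORDS = [
    {"audit_ids": ["AUDIT-A"], "service": "identity", "scope": "unscoped"},
    {"audit_ids": ["AUDIT-B", "AUDIT-A"], "service": "compute", "scope": "project"},
    {"audit_ids": ["AUDIT-B", "AUDIT-A"], "service": "image", "scope": "project"},
    {"audit_ids": ["AUDIT-C", "AUDIT-B"], "service": "network", "scope": "domain"},
    {"audit_ids": ["AUDIT-D"], "service": "volume", "scope": "project"},
    # Re-scoped token whose original was never observed by the collector.
    {"audit_ids": ["AUDIT-E", "AUDIT-Z"], "service": "compute", "scope": "project"},
    {"audit_ids": [], "service": "compute", "scope": "project"},
]

if __name__ == "__main__":
    chains, rejected = group_token_chains(SAMPLE_RECORDS)
    for root, members in chains.items():
        print(root, [(m["audit_ids"][0], m["service"]) for m in members])
    print("rejected:", len(rejected))
```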
POST operation on /v3/auth/OS-FEDERATION/websso/{protocol_id}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"token": {
"type": "object",
"properties": {
"audit_ids": {
"type": "array",
"description": "A list of one or two audit IDs. An audit ID is a unique, randomly generated, URL-safe string that you can use to track a token. The first audit ID is the current audit ID for the token. The second audit ID is present for only re-scoped tokens and is the audit ID from the token before it was re-scoped. A re-scoped token is one that was exchanged for another token of the same or different scope. You can use these audit IDs to track the use of a token or chain of tokens across multiple requests and endpoints without exposing the token ID to non-privileged users.",
"items": {
"type": "string"
}
},
"catalog": {
"description": "A catalog object.",
"type": "array",
"items": {
"type": "object",
"properties": {
"endpoints": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint\nbelongs."
},
"interface": {
"type": "string",
"enum": [
"public",
"internal",
"admin"
]
},
"region": {
"type": "string",
"description": "Region name of the endpoint"
},
"url": {
"type": "string",
"format": "uri",
"description": "The endpoint url"
}
}
},
"description": "A list of `endpoint` objects."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint belongs."
},
"type": {
"type": "string",
"description": "The service type, which describes the API\nimplemented by the service. Value is `compute`, `ec2`,\n`identity`, `image`, `network`, or `volume`."
},
"name": {
"type": "string",
"description": "The service name."
}
}
}
},
"expires_at": {
"type": "string",
"format": "date-time",
"description": "The date and time when the token expires."
},
"issues_at": {
"type": "string",
"format": "date-time",
"description": "The date and time when the token was issued."
},
"methods": {
"type": "array",
"description": "The authentication methods, which are commonly password, token, or other methods. Indicates the accumulated set of authentication methods that were used to obtain the token. For example, if the token was obtained by password authentication, it contains password. Later, if the token is exchanged by using the token authentication method one or more times, the subsequently created tokens contain both password and token in their methods attribute. Unlike multi-factor authentication, the methods attribute merely indicates the methods that were used to authenticate the user in exchange for a token. The client is responsible for determining the total number of authentication factors.",
"items": {
"type": "string"
}
},
"user": {
"type": "object",
"description": "A user object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user UUID"
},
"name": {
"type": "string",
"description": "A user name"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user domain UUID"
},
"name": {
"type": "string",
"description": "A user domain name"
}
}
},
"password_expires_at": {
"type": "string",
"format": "date-time",
"description": "DateTime of the user password expiration"
},
"OS-FEDERATION": {
"type": "object"
}
}
}
},
"description": "Federation unscoped token containing methods and user information"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
token | body | object | Federation unscoped token containing methods and user information |
token.audit_ids | body | array | A list of one or two audit IDs. An audit ID is a unique, randomly generated, URL-safe string that you can use to track a token. The first audit ID is the current audit ID for the token. The second audit ID is present for only re-scoped tokens and is the audit ID from the token before it was re-scoped. A re-scoped token is one that was exchanged for another token of the same or different scope. You can use these audit IDs to track the use of a token or chain of tokens across multiple requests and endpoints without exposing the token ID to non-privileged users. |
token.catalog | body | array | A catalog object. |
token.catalog[].endpoints | body | array | A list of `endpoint` objects. |
token.catalog[].endpoints[].id | body | string | The UUID of the service to which the endpoint belongs. |
token.catalog[].endpoints[].interface | body | string | |
token.catalog[].endpoints[].region | body | string | Region name of the endpoint |
token.catalog[].endpoints[].url | body | string | The endpoint url |
token.catalog[].id | body | string | The UUID of the service to which the endpoint belongs. |
token.catalog[].type | body | string | The service type, which describes the API implemented by the service. Value is `compute`, `ec2`, `identity`, `image`, `network`, or `volume`. |
token.catalog[].name | body | string | The service name. |
token.expires_at | body | string | The date and time when the token expires. |
token.issues_at | body | string | The date and time when the token was issued. |
token.methods | body | array | The authentication methods, which are commonly password, token, or other methods. Indicates the accumulated set of authentication methods that were used to obtain the token. For example, if the token was obtained by password authentication, it contains password. Later, if the token is exchanged by using the token authentication method one or more times, the subsequently created tokens contain both password and token in their methods attribute. Unlike multi-factor authentication, the methods attribute merely indicates the methods that were used to authenticate the user in exchange for a token. The client is responsible for determining the total number of authentication factors. |
token.user | body | object | A user object |
token.user.id | body | string | A user UUID |
token.user.name | body | string | A user name |
token.user.domain | body | object | |
token.user.domain.id | body | string | A user domain UUID |
token.user.domain.name | body | string | A user domain name |
token.user.password_expires_at | body | string | DateTime of the user password expiration |
token.user.OS-FEDERATION | body | object | |
403¶
Error
404¶
Error
GET operation on /v3/auth/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/websso
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"token": {
"type": "object",
"properties": {
"audit_ids": {
"type": "array",
"description": "A list of one or two audit IDs. An audit ID is a unique, randomly generated, URL-safe string that you can use to track a token. The first audit ID is the current audit ID for the token. The second audit ID is present for only re-scoped tokens and is the audit ID from the token before it was re-scoped. A re- scoped token is one that was exchanged for another token of the same or different scope. You can use these audit IDs to track the use of a token or chain of tokens across multiple requests and endpoints without exposing the token ID to non-privileged users.",
"items": {
"type": "string"
}
},
"catalog": {
"description": "A catalog object.",
"type": "array",
"items": {
"type": "object",
"properties": {
"endpoints": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint\nbelongs."
},
"interface": {
"type": "string",
"enum": [
"public",
"internal",
"admin"
]
},
"region": {
"type": "string",
"description": "Region name of the endpoint"
},
"url": {
"type": "string",
"format": "uri",
"description": "The endpoint url"
}
}
},
"description": "A list of `endpoint` objects."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint belongs."
},
"type": {
"type": "string",
"description": "The service type, which describes the API\nimplemented by the service. Value is `compute`, `ec2`,\n`identity`, `image`, `network`, or `volume`."
},
"name": {
"type": "string",
"description": "The service name."
}
}
}
},
"expires_at": {
"type": "string",
"format": "date-time",
"description": "The date and time when the token expires."
},
"issues_at": {
"type": "string",
"format": "date-time",
"description": "The date and time when the token was issued."
},
"methods": {
"type": "array",
"description": "The authentication methods, which are commonly password, token, or other methods. Indicates the accumulated set of authentication methods that were used to obtain the token. For example, if the token was obtained by password authentication, it contains password. Later, if the token is exchanged by using the token authentication method one or more times, the subsequently created tokens contain both password and token in their methods attribute. Unlike multi-factor authentication, the methods attribute merely indicates the methods that were used to authenticate the user in exchange for a token. The client is responsible for determining the total number of authentication factors.",
"items": {
"type": "string"
}
},
"user": {
"type": "object",
"description": "A user object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user UUID"
},
"name": {
"type": "string",
"description": "A user name"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user domain UUID"
},
"name": {
"type": "string",
"description": "A user domain name"
}
}
},
"password_expires_at": {
"type": "string",
"format": "date-time",
"description": "DateTime of the user password expiration"
},
"OS-FEDERATION": {
"type": "object"
}
}
}
},
"description": "Federation unscoped token containing methods and user information"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
token | body | object | Federation unscoped token containing methods and user information |
token.audit_ids | body | array | A list of one or two audit IDs. An audit ID is a unique, randomly generated, URL-safe string that you can use to track a token. The first audit ID is the current audit ID for the token. The second audit ID is present for only re-scoped tokens and is the audit ID from the token before it was re-scoped. A re-scoped token is one that was exchanged for another token of the same or different scope. You can use these audit IDs to track the use of a token or chain of tokens across multiple requests and endpoints without exposing the token ID to non-privileged users. |
token.catalog | body | array | A catalog object. |
token.catalog[].endpoints | body | array | A list of `endpoint` objects. |
token.catalog[].endpoints[].id | body | string | The UUID of the service to which the endpoint belongs. |
token.catalog[].endpoints[].interface | body | string | |
token.catalog[].endpoints[].region | body | string | Region name of the endpoint |
token.catalog[].endpoints[].url | body | string | The endpoint url |
token.catalog[].id | body | string | The UUID of the service to which the endpoint belongs. |
token.catalog[].type | body | string | The service type, which describes the API implemented by the service. Value is `compute`, `ec2`, `identity`, `image`, `network`, or `volume`. |
token.catalog[].name | body | string | The service name. |
token.expires_at | body | string | The date and time when the token expires. |
token.issues_at | body | string | The date and time when the token was issued. |
token.methods | body | array | The authentication methods, which are commonly password, token, or other methods. Indicates the accumulated set of authentication methods that were used to obtain the token. For example, if the token was obtained by password authentication, it contains password. Later, if the token is exchanged by using the token authentication method one or more times, the subsequently created tokens contain both password and token in their methods attribute. Unlike multi-factor authentication, the methods attribute merely indicates the methods that were used to authenticate the user in exchange for a token. The client is responsible for determining the total number of authentication factors. |
token.user | body | object | A user object |
token.user.id | body | string | A user UUID |
token.user.name | body | string | A user name |
token.user.domain | body | object | |
token.user.domain.id | body | string | A user domain UUID |
token.user.domain.name | body | string | A user domain name |
token.user.password_expires_at | body | string | DateTime of the user password expiration |
token.user.OS-FEDERATION | body | object | |
403¶
Error
404¶
Error
POST operation on /v3/auth/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/websso
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"token": {
"type": "object",
"properties": {
"audit_ids": {
"type": "array",
"description": "A list of one or two audit IDs. An audit ID is a unique, randomly generated, URL-safe string that you can use to track a token. The first audit ID is the current audit ID for the token. The second audit ID is present for only re-scoped tokens and is the audit ID from the token before it was re-scoped. A re- scoped token is one that was exchanged for another token of the same or different scope. You can use these audit IDs to track the use of a token or chain of tokens across multiple requests and endpoints without exposing the token ID to non-privileged users.",
"items": {
"type": "string"
}
},
"catalog": {
"description": "A catalog object.",
"type": "array",
"items": {
"type": "object",
"properties": {
"endpoints": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint\nbelongs."
},
"interface": {
"type": "string",
"enum": [
"public",
"internal",
"admin"
]
},
"region": {
"type": "string",
"description": "Region name of the endpoint"
},
"url": {
"type": "string",
"format": "uri",
"description": "The endpoint url"
}
}
},
"description": "A list of `endpoint` objects."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint belongs."
},
"type": {
"type": "string",
"description": "The service type, which describes the API\nimplemented by the service. Value is `compute`, `ec2`,\n`identity`, `image`, `network`, or `volume`."
},
"name": {
"type": "string",
"description": "The service name."
}
}
}
},
"expires_at": {
"type": "string",
"format": "date-time",
"description": "The date and time when the token expires."
},
"issues_at": {
"type": "string",
"format": "date-time",
"description": "The date and time when the token was issued."
},
"methods": {
"type": "array",
"description": "The authentication methods, which are commonly password, token, or other methods. Indicates the accumulated set of authentication methods that were used to obtain the token. For example, if the token was obtained by password authentication, it contains password. Later, if the token is exchanged by using the token authentication method one or more times, the subsequently created tokens contain both password and token in their methods attribute. Unlike multi-factor authentication, the methods attribute merely indicates the methods that were used to authenticate the user in exchange for a token. The client is responsible for determining the total number of authentication factors.",
"items": {
"type": "string"
}
},
"user": {
"type": "object",
"description": "A user object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user UUID"
},
"name": {
"type": "string",
"description": "A user name"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user domain UUID"
},
"name": {
"type": "string",
"description": "A user domain name"
}
}
},
"password_expires_at": {
"type": "string",
"format": "date-time",
"description": "DateTime of the user password expiration"
},
"OS-FEDERATION": {
"type": "object"
}
}
}
},
"description": "Federation unscoped token containing methods and user information"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
token | body | object | Federation unscoped token containing methods and user information |
token.audit_ids | body | array | A list of one or two audit IDs. An audit ID is a unique, randomly generated, URL-safe string that you can use to track a token. The first audit ID is the current audit ID for the token. The second audit ID is present for only re-scoped tokens and is the audit ID from the token before it was re-scoped. A re-scoped token is one that was exchanged for another token of the same or different scope. You can use these audit IDs to track the use of a token or chain of tokens across multiple requests and endpoints without exposing the token ID to non-privileged users. |
token.catalog | body | array | A catalog object. |
token.catalog[].endpoints | body | array | A list of `endpoint` objects. |
token.catalog[].endpoints[].id | body | string | The UUID of the service to which the endpoint belongs. |
token.catalog[].endpoints[].interface | body | string | |
token.catalog[].endpoints[].region | body | string | Region name of the endpoint |
token.catalog[].endpoints[].url | body | string | The endpoint url |
token.catalog[].id | body | string | The UUID of the service to which the endpoint belongs. |
token.catalog[].type | body | string | The service type, which describes the API implemented by the service. Value is `compute`, `ec2`, `identity`, `image`, `network`, or `volume`. |
token.catalog[].name | body | string | The service name. |
token.expires_at | body | string | The date and time when the token expires. |
token.issues_at | body | string | The date and time when the token was issued. |
token.methods | body | array | The authentication methods, which are commonly password, token, or other methods. Indicates the accumulated set of authentication methods that were used to obtain the token. For example, if the token was obtained by password authentication, it contains password. Later, if the token is exchanged by using the token authentication method one or more times, the subsequently created tokens contain both password and token in their methods attribute. Unlike multi-factor authentication, the methods attribute merely indicates the methods that were used to authenticate the user in exchange for a token. The client is responsible for determining the total number of authentication factors. |
token.user | body | object | A user object |
token.user.id | body | string | A user UUID |
token.user.name | body | string | A user name |
token.user.domain | body | object | |
token.user.domain.id | body | string | A user domain UUID |
token.user.domain.name | body | string | A user domain name |
token.user.password_expires_at | body | string | DateTime of the user password expiration |
token.user.OS-FEDERATION | body | object | |
403¶
Error
404¶
Error
OS-FEDERATION¶
List projects a federated user can access¶
Deprecated in v1.1. Use core GET /auth/projects. This call has the same response format.
Returns the collection of projects that the federated user is authorized to access. This resource is accessed with an unscoped token; the user can then select a project and request a scoped token. Only enabled projects are returned.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/projects
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"projects": {
"type": "array",
"items": {
"type": "object",
"properties": {
"domain_id": {
"type": "string",
"format": "uuid",
"description": "The ID of the domain for the project."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The ID for the project."
},
"name": {
"type": "string",
"description": "The name of the project."
},
"enabled": {
"type": "boolean",
"description": "If set to `true`, project is enabled. If set to\n`false`, project is disabled."
},
"links": {
"type": "array",
"description": "Link to the URI where the project collection is located",
"items": {
"type": "object",
"description": "Links to the resources in question. See [API Guide / Links and References](https://docs.openstack.org/api-guide/compute/links_and_references.html) for more info.",
"properties": {
"href": {
"type": "string",
"format": "uri"
},
"rel": {
"type": "string"
}
}
}
}
}
},
"description": "The list of projects the authenticated user may scope to"
},
"links": {
"type": "array",
"description": "Links to the resources in question. See [API Guide / Links and References](https://docs.openstack.org/api-guide/compute/links_and_references.html) for more info.",
"items": {
"type": "object",
"description": "Links to the resources in question. See [API Guide / Links and References](https://docs.openstack.org/api-guide/compute/links_and_references.html) for more info.",
"properties": {
"href": {
"type": "string",
"format": "uri"
},
"rel": {
"type": "string"
}
}
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
projects | body | array | The list of projects the authenticated user may scope to |
projects[].domain_id | body | string | The ID of the domain for the project. |
projects[].id | body | string | The ID for the project. |
projects[].name | body | string | The name of the project. |
projects[].enabled | body | boolean | If set to `true`, project is enabled. If set to `false`, project is disabled. |
projects[].links | body | array | Link to the URI where the project collection is located |
projects[].links[].href | body | string | |
projects[].links[].rel | body | string | |
links | body | array | Links to the resources in question. See API Guide / Links and References for more info. |
links[].href | body | string | |
links[].rel | body | string | |
403¶
Error
404¶
Error
List domains a federated user can access¶
Deprecated in v1.1. Use core GET /auth/domains. This call has the same response format.
Returns the collection of domains that the federated user is authorized to access. This resource is accessed with an unscoped token; the user can then select a domain and request a scoped token. Only enabled domains are returned.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/domains
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"domains": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The ID of the domain."
},
"name": {
"type": "string",
"description": "The name of the domain."
},
"description": {
"type": "string",
"description": "The description of the domain."
},
"enabled": {
"type": "boolean",
"description": "If set to `true`, domain is enabled. If set to\n`false`, domain is disabled."
},
"links": {
"type": "array",
"description": "Link to the URI where the domain collection is located",
"items": {
"type": "object",
"description": "Links to the resources in question. See [API Guide / Links and References](https://docs.openstack.org/api-guide/compute/links_and_references.html) for more info.",
"properties": {
"href": {
"type": "string",
"format": "uri"
},
"rel": {
"type": "string"
}
}
}
}
}
},
"description": "The list of domains the authenticated user may scope to"
},
"links": {
"type": "array",
"description": "Links to the resources in question. See [API Guide / Links and References](https://docs.openstack.org/api-guide/compute/links_and_references.html) for more info.",
"items": {
"type": "object",
"description": "Links to the resources in question. See [API Guide / Links and References](https://docs.openstack.org/api-guide/compute/links_and_references.html) for more info.",
"properties": {
"href": {
"type": "string",
"format": "uri"
},
"rel": {
"type": "string"
}
}
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
domains | body | array | The list of domains the authenticated user may scope to |
domains[].id | body | string | The ID of the domain. |
domains[].name | body | string | The name of the domain. |
domains[].description | body | string | The description of the domain. |
domains[].enabled | body | boolean | If set to `true`, domain is enabled. If set to `false`, domain is disabled. |
domains[].links | body | array | Link to the URI where the domain collection is located |
domains[].links[].href | body | string | |
domains[].links[].rel | body | string | |
links | body | array | Links to the resources in question. See API Guide / Links and References for more info. |
links[].href | body | string | |
links[].rel | body | string | |
403¶
Error
404¶
Error
Retrieve Metadata properties¶
A user may retrieve Metadata about an Identity Service acting as an Identity Provider.
The response will be a full document with Metadata properties. Note that for readability, this example certificate has been truncated.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/metadata
Responses¶
200¶
Ok
403¶
Error
404¶
Error
Request an unscoped OS-FEDERATION token¶
A federated ephemeral user may request an unscoped token, which can be used to get a scoped token.
If the user is mapped directly (mapped to an existing user), a standard, unscoped token will be issued.
Because this part of authentication is tied to the SAML2 authentication workflow, a client should not send any data: the content may be lost when the client is redirected between the Service Provider and the Identity Provider. Both HTTP methods, GET and POST, should be allowed, because the Web Single Sign-On (WebSSO) and Enhanced Client Proxy (ECP) mechanisms have different authentication workflows and use different HTTP methods when accessing protected endpoints.
The returned token will contain information about the groups to which the federated user belongs.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocol_auth
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"token": {
"type": "object",
"properties": {
"audit_ids": {
"type": "array",
"description": "A list of one or two audit IDs. An audit ID is a unique, randomly generated, URL-safe string that you can use to track a token. The first audit ID is the current audit ID for the token. The second audit ID is present for only re-scoped tokens and is the audit ID from the token before it was re-scoped. A re- scoped token is one that was exchanged for another token of the same or different scope. You can use these audit IDs to track the use of a token or chain of tokens across multiple requests and endpoints without exposing the token ID to non-privileged users.",
"items": {
"type": "string"
}
},
"catalog": {
"description": "A catalog object.",
"type": "array",
"items": {
"type": "object",
"properties": {
"endpoints": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint\nbelongs."
},
"interface": {
"type": "string",
"enum": [
"public",
"internal",
"admin"
]
},
"region": {
"type": "string",
"description": "Region name of the endpoint"
},
"url": {
"type": "string",
"format": "uri",
"description": "The endpoint url"
}
}
},
"description": "A list of `endpoint` objects."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint belongs."
},
"type": {
"type": "string",
"description": "The service type, which describes the API\nimplemented by the service. Value is `compute`, `ec2`,\n`identity`, `image`, `network`, or `volume`."
},
"name": {
"type": "string",
"description": "The service name."
}
}
}
},
"expires_at": {
"type": "string",
"format": "date-time",
"description": "The date and time when the token expires."
},
"issues_at": {
"type": "string",
"format": "date-time",
"description": "The date and time when the token was issued."
},
"methods": {
"type": "array",
"description": "The authentication methods, which are commonly password, token, or other methods. Indicates the accumulated set of authentication methods that were used to obtain the token. For example, if the token was obtained by password authentication, it contains password. Later, if the token is exchanged by using the token authentication method one or more times, the subsequently created tokens contain both password and token in their methods attribute. Unlike multi-factor authentication, the methods attribute merely indicates the methods that were used to authenticate the user in exchange for a token. The client is responsible for determining the total number of authentication factors.",
"items": {
"type": "string"
}
},
"user": {
"type": "object",
"description": "A user object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user UUID"
},
"name": {
"type": "string",
"description": "A user name"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user domain UUID"
},
"name": {
"type": "string",
"description": "A user domain name"
}
}
},
"password_expires_at": {
"type": "string",
"format": "date-time",
"description": "DateTime of the user password expiration"
},
"OS-FEDERATION": {
"type": "object"
}
}
}
},
"description": "Federation unscoped token containing methods and user information"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
token | body | object | Federation unscoped token containing methods and user information |
token.audit_ids | body | array | A list of one or two audit IDs. An audit ID is a unique, randomly generated, URL-safe string that you can use to track a token. The first audit ID is the current audit ID for the token. The second audit ID is present for only re-scoped tokens and is the audit ID from the token before it was re-scoped. A re-scoped token is one that was exchanged for another token of the same or different scope. You can use these audit IDs to track the use of a token or chain of tokens across multiple requests and endpoints without exposing the token ID to non-privileged users. |
token.catalog | body | array | A catalog object. |
token.catalog[].endpoints | body | array | A list of `endpoint` objects. |
token.catalog[].endpoints[].id | body | string | The UUID of the service to which the endpoint belongs. |
token.catalog[].endpoints[].interface | body | string | |
token.catalog[].endpoints[].region | body | string | Region name of the endpoint |
token.catalog[].endpoints[].url | body | string | The endpoint url |
token.catalog[].id | body | string | The UUID of the service to which the endpoint belongs. |
token.catalog[].type | body | string | The service type, which describes the API implemented by the service. Value is `compute`, `ec2`, `identity`, `image`, `network`, or `volume`. |
token.catalog[].name | body | string | The service name. |
token.expires_at | body | string | The date and time when the token expires. |
token.issues_at | body | string | The date and time when the token was issued. |
token.methods | body | array | The authentication methods, which are commonly password, token, or other methods. Indicates the accumulated set of authentication methods that were used to obtain the token. For example, if the token was obtained by password authentication, it contains password. Later, if the token is exchanged by using the token authentication method one or more times, the subsequently created tokens contain both password and token in their methods attribute. Unlike multi-factor authentication, the methods attribute merely indicates the methods that were used to authenticate the user in exchange for a token. The client is responsible for determining the total number of authentication factors. |
token.user | body | object | A user object |
token.user.id | body | string | A user UUID |
token.user.name | body | string | A user name |
token.user.domain | body | object | |
token.user.domain.id | body | string | A user domain UUID |
token.user.domain.name | body | string | A user domain name |
token.user.password_expires_at | body | string | DateTime of the user password expiration |
token.user.OS-FEDERATION | body | object | |
403¶
Error
404¶
Error
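The `audit_ids` and `methods` semantics described for the token above lend themselves to lineage checks in audit tooling. The following is an added example, not part of the Keystone documentation or code: it rebuilds token chains from audit IDs alone and flags chains that contradict the documented behaviour. It reads `audit_ids[1]` as the audit ID of the token the current one was exchanged from, as the field description states; the token bodies, audit IDs and helper names are constructed for illustration.

```python
"""Token lineage from audit IDs (added example, constructed data)."""


def index_tokens(bodies):
    """Map each token's current audit ID (audit_ids[0]) to its token object."""
    index = {}
    for body in bodies:
        token = body["token"]
        ids = token.get("audit_ids") or []
        # The schema allows exactly one or two audit IDs.
        if not 1 <= len(ids) <= 2:
            raise ValueError(f"audit_ids must hold one or two entries: {ids!r}")
        index[ids[0]] = token
    return index


def lineage(index, audit_id):
    """Walk back from a token through the tokens it was exchanged from.

    Returns the audit IDs newest first. The walk stops at a token with a
    single audit ID (not re-scoped), at a parent that was never observed,
    or on a loop.
    """
    chain, seen = [], set()
    while audit_id is not None and audit_id not in seen:
        seen.add(audit_id)
        chain.append(audit_id)
        token = index.get(audit_id)
        if token is None:  # parent referenced but not in the record set
            break
        ids = token["audit_ids"]
        audit_id = ids[1] if len(ids) == 2 else None
    return chain


def findings(index):
    """Flag re-scoped tokens whose chain contradicts the documented fields."""
    out = []
    for audit_id, token in index.items():
        ids = token["audit_ids"]
        if len(ids) == 1:
            continue  # not re-scoped, nothing to compare against
        parent = index.get(ids[1])
        if parent is None:
            out.append((audit_id, "parent-not-observed"))
            continue
        if token["user"]["id"] != parent["user"]["id"]:
            out.append((audit_id, "user-changed"))
        # methods accumulate along a chain, so a child must keep its parent's.
        if not set(parent["methods"]) <= set(token["methods"]):
            out.append((audit_id, "methods-not-accumulated"))
    return out


def _tok(audit_ids, methods, user_id):
    """Build a constructed token body with only the fields the checks use."""
    return {"token": {"audit_ids": audit_ids, "methods": methods,
                      "user": {"id": user_id}}}


# Constructed sample records; none of these values come from a real cloud.
SAMPLE_BODIES = [
    _tok(["aud-unscoped-1"], ["password"], "user-1"),
    _tok(["aud-scoped-2", "aud-unscoped-1"], ["password", "token"], "user-1"),
    _tok(["aud-scoped-3", "aud-scoped-2"], ["token"], "user-1"),
    _tok(["aud-scoped-4", "aud-missing-9"], ["password", "token"], "user-2"),
    _tok(["aud-scoped-5", "aud-unscoped-1"], ["password", "token"], "user-2"),
]
INDEX = index_tokens(SAMPLE_BODIES)

if __name__ == "__main__":
    print(lineage(INDEX, "aud-scoped-3"))
    for audit_id, reason in findings(INDEX):
        print(audit_id, reason)
```

Because only audit IDs are compared, the same checks can run over log records that never contain the token ID itself.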
Authenticate from dedicated URI endpoint.
POST /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth
Request¶
Name | Location | Type | Description |
---|---|---|---|
idp_id | path | string | idp_id parameter for /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth API |
protocol_id | path | string | protocol_id parameter for /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth API |
{
"type": "object",
"description": "Request of the OS-FEDERATION/identity_providers/idp_id/protocols/protocol_id/auth:post operation",
"x-openstack": {
"action-name": "POST"
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"token": {
"type": "object",
"properties": {
"audit_ids": {
"type": "array",
"description": "A list of one or two audit IDs. An audit ID is a unique, randomly generated, URL-safe string that you can use to track a token. The first audit ID is the current audit ID for the token. The second audit ID is present for only re-scoped tokens and is the audit ID from the token before it was re-scoped. A re- scoped token is one that was exchanged for another token of the same or different scope. You can use these audit IDs to track the use of a token or chain of tokens across multiple requests and endpoints without exposing the token ID to non-privileged users.",
"items": {
"type": "string"
}
},
"catalog": {
"description": "A catalog object.",
"type": "array",
"items": {
"type": "object",
"properties": {
"endpoints": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint\nbelongs."
},
"interface": {
"type": "string",
"enum": [
"public",
"internal",
"admin"
]
},
"region": {
"type": "string",
"description": "Region name of the endpoint"
},
"url": {
"type": "string",
"format": "uri",
"description": "The endpoint url"
}
}
},
"description": "A list of `endpoint` objects."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint belongs."
},
"type": {
"type": "string",
"description": "The service type, which describes the API\nimplemented by the service. Value is `compute`, `ec2`,\n`identity`, `image`, `network`, or `volume`."
},
"name": {
"type": "string",
"description": "The service name."
}
}
}
},
"expires_at": {
"type": "string",
"format": "date-time",
"description": "The date and time when the token expires."
},
"issues_at": {
"type": "string",
"format": "date-time",
"description": "The date and time when the token was issued."
},
"methods": {
"type": "array",
"description": "The authentication methods, which are commonly password, token, or other methods. Indicates the accumulated set of authentication methods that were used to obtain the token. For example, if the token was obtained by password authentication, it contains password. Later, if the token is exchanged by using the token authentication method one or more times, the subsequently created tokens contain both password and token in their methods attribute. Unlike multi-factor authentication, the methods attribute merely indicates the methods that were used to authenticate the user in exchange for a token. The client is responsible for determining the total number of authentication factors.",
"items": {
"type": "string"
}
},
"user": {
"type": "object",
"description": "A user object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user UUID"
},
"name": {
"type": "string",
"description": "A user name"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user domain UUID"
},
"name": {
"type": "string",
"description": "A user domain name"
}
}
},
"password_expires_at": {
"type": "string",
"format": "date-time",
"description": "DateTime of the user password expiration"
},
"OS-FEDERATION": {
"type": "object"
}
}
}
},
"description": "Federation unscoped token containing methods and user information"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
token | body | object | Federation unscoped token containing methods and user information |
token.audit_ids | body | array | A list of one or two audit IDs. An audit ID is a unique, randomly generated, URL-safe string that you can use to track a token. The first audit ID is the current audit ID for the token. The second audit ID is present for only re-scoped tokens and is the audit ID from the token before it was re-scoped. A re-scoped token is one that was exchanged for another token of the same or different scope. You can use these audit IDs to track the use of a token or chain of tokens across multiple requests and endpoints without exposing the token ID to non-privileged users. |
token.catalog | body | array | A catalog object. |
token.catalog[].endpoints | body | array | A list of `endpoint` objects. |
token.catalog[].endpoints[].id | body | string | The UUID of the service to which the endpoint belongs. |
token.catalog[].endpoints[].interface | body | string | |
token.catalog[].endpoints[].region | body | string | Region name of the endpoint |
token.catalog[].endpoints[].url | body | string | The endpoint url |
token.catalog[].id | body | string | The UUID of the service to which the endpoint belongs. |
token.catalog[].type | body | string | The service type, which describes the API implemented by the service. Value is `compute`, `ec2`, `identity`, `image`, `network`, or `volume`. |
token.catalog[].name | body | string | The service name. |
token.expires_at | body | string | The date and time when the token expires. |
token.issues_at | body | string | The date and time when the token was issued. |
token.methods | body | array | The authentication methods, which are commonly password, token, or other methods. Indicates the accumulated set of authentication methods that were used to obtain the token. For example, if the token was obtained by password authentication, it contains password. Later, if the token is exchanged by using the token authentication method one or more times, the subsequently created tokens contain both password and token in their methods attribute. Unlike multi-factor authentication, the methods attribute merely indicates the methods that were used to authenticate the user in exchange for a token. The client is responsible for determining the total number of authentication factors. |
token.user | body | object | A user object |
token.user.id | body | string | A user UUID |
token.user.name | body | string | A user name |
token.user.domain | body | object | |
token.user.domain.id | body | string | A user domain UUID |
token.user.domain.name | body | string | A user domain name |
token.user.password_expires_at | body | string | DateTime of the user password expiration |
token.user.OS-FEDERATION | body | object | |
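The `token.audit_ids` description above says the IDs let you follow a chain of re-scoped tokens without handling token IDs. The following is an added example, not part of the Keystone documentation or code, that groups audit events into such chains; the event shape (`ts`, `action`) and all sample values are constructed for illustration.

```python
"""Group audit events into token chains by audit_ids (added example)."""
from collections import defaultdict

# Constructed events; "ts" and "action" are hypothetical log fields.
EVENTS = [
    {"ts": "10:00:01", "action": "authenticate", "audit_ids": ["id-A"]},
    {"ts": "10:00:05", "action": "rescope", "audit_ids": ["id-B", "id-A"]},
    {"ts": "10:00:09", "action": "list servers", "audit_ids": ["id-B", "id-A"]},
    {"ts": "10:02:30", "action": "rescope", "audit_ids": ["id-C", "id-B"]},
    {"ts": "10:03:00", "action": "authenticate", "audit_ids": ["id-Z"]},
    {"ts": "10:04:00", "action": "list images", "audit_ids": []},  # malformed
]


def chain_root(audit_id, previous):
    """Follow 'token before re-scoping' links back to the first token."""
    seen = set()
    while audit_id in previous and audit_id not in seen:
        seen.add(audit_id)  # guard against a looped record
        audit_id = previous[audit_id]
    return audit_id


def build_chains(events):
    """Return ({root audit ID: [events]}, [events with unusable audit_ids])."""
    previous, usable, rejected = {}, [], []
    for event in events:
        ids = event.get("audit_ids")
        # The field holds one or two strings; anything else is set aside.
        if (not isinstance(ids, list) or not 1 <= len(ids) <= 2
                or not all(isinstance(i, str) and i for i in ids)):
            rejected.append(event)
            continue
        # First ID is the current token, second the token it was re-scoped from.
        if len(ids) == 2 and ids[0] != ids[1]:
            previous[ids[0]] = ids[1]
        usable.append(event)
    chains = defaultdict(list)
    for event in usable:
        chains[chain_root(event["audit_ids"][0], previous)].append(event)
    return dict(chains), rejected


if __name__ == "__main__":
    found, bad = build_chains(EVENTS)
    for root, items in found.items():
        print(root, [e["action"] for e in items])
    print("rejected:", len(bad))
```

Events whose `audit_ids` list is empty or longer than two entries are returned separately so they can be reviewed instead of silently dropped.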
403¶
Error
404¶
Error
Get identity provider¶
Get registered identity providers.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"identity_provider": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "The Identity Provider unique ID"
},
"description": {
"type": "string",
"description": "The Identity Provider description"
},
"domain_id": {
"type": "string",
"format": "uuid",
"description": "The ID of a domain that is associated with the Identity Provider. Federated\nusers that authenticate with the Identity Provider will be created under\nthe domain specified."
},
"authorization_ttl": {
"type": "integer",
"description": "The length of validity in minutes for group memberships carried over\nthrough mapping and persisted in the database. If left unset, the\ndefault value configured in keystone will be used, if enabled."
},
"enabled": {
"type": "boolean",
"description": "Whether the Identity Provider is enabled or not"
},
"remote_ids": {
"type": "array",
"description": "List of the unique Identity Provider\u2019s remote IDs",
"items": {
"type": "string"
}
}
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
identity_provider | body | object | |
identity_provider.id | body | string | The Identity Provider unique ID |
identity_provider.description | body | string | The Identity Provider description |
identity_provider.domain_id | body | string | The ID of a domain that is associated with the Identity Provider. Federated users that authenticate with the Identity Provider will be created under the domain specified. |
identity_provider.authorization_ttl | body | integer | The length of validity in minutes for group memberships carried over through mapping and persisted in the database. If left unset, the default value configured in keystone will be used, if enabled. |
identity_provider.enabled | body | boolean | Whether the Identity Provider is enabled or not |
identity_provider.remote_ids | body | array | List of the unique Identity Provider’s remote IDs |
403¶
Error
404¶
Error
Register an identity provider¶
Register an identity provider to be used to authenticate federated users.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider
Request¶
Name | Location | Type | Description |
---|---|---|---|
idp_id | path | string | idp_id parameter for /v3/OS-FEDERATION/identity_providers/{idp_id} API |
identity_provider | body | object | |
identity_provider.enabled | body | boolean | Whether the Identity Provider is enabled or not |
identity_provider.description | body | [‘string’, ‘null’] | The Identity Provider description |
identity_provider.domain_id | body | [‘string’, ‘null’] | The ID of a domain that is associated with the Identity Provider. Federated users that authenticate with the Identity Provider will be created under the domain specified. |
identity_provider.authorization_ttl | body | [‘integer’, ‘null’] | The length of validity in minutes for group memberships carried over through mapping and persisted in the database. If left unset, the default value configured in keystone will be used, if enabled. |
identity_provider.remote_ids | body | [‘array’, ‘null’] | List of the unique Identity Provider’s remote IDs |
{
"type": "object",
"properties": {
"identity_provider": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "Whether the Identity Provider is enabled or not"
},
"description": {
"type": [
"string",
"null"
],
"description": "The Identity Provider description"
},
"domain_id": {
"type": [
"string",
"null"
],
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of a domain that is associated with the Identity Provider. Federated\nusers that authenticate with the Identity Provider will be created under\nthe domain specified."
},
"authorization_ttl": {
"type": [
"integer",
"null"
],
"minimum": 0,
"description": "The length of validity in minutes for group memberships carried over\nthrough mapping and persisted in the database. If left unset, the\ndefault value configured in keystone will be used, if enabled."
},
"remote_ids": {
"type": [
"array",
"null"
],
"items": {
"type": "string"
},
"uniqueItems": true,
"description": "List of the unique Identity Provider\u2019s remote IDs"
}
},
"additionalProperties": false
}
}
}
Responses¶
201¶
Ok
{
"type": "object",
"properties": {
"identity_provider": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "The Identity Provider unique ID"
},
"description": {
"type": "string",
"description": "The Identity Provider description"
},
"domain_id": {
"type": "string",
"format": "uuid",
"description": "The ID of a domain that is associated with the Identity Provider. Federated\nusers that authenticate with the Identity Provider will be created under\nthe domain specified."
},
"authorization_ttl": {
"type": "integer",
"description": "The length of validity in minutes for group memberships carried over\nthrough mapping and persisted in the database. If left unset, the\ndefault value configured in keystone will be used, if enabled."
},
"enabled": {
"type": "boolean",
"description": "Whether the Identity Provider is enabled or not"
},
"remote_ids": {
"type": "array",
"description": "List of the unique Identity Provider\u2019s remote IDs",
"items": {
"type": "string"
}
}
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
identity_provider | body | object | |
identity_provider.id | body | string | The Identity Provider unique ID |
identity_provider.description | body | string | The Identity Provider description |
identity_provider.domain_id | body | string | The ID of a domain that is associated with the Identity Provider. Federated users that authenticate with the Identity Provider will be created under the domain specified. |
identity_provider.authorization_ttl | body | integer | The length of validity in minutes for group memberships carried over through mapping and persisted in the database. If left unset, the default value configured in keystone will be used, if enabled. |
identity_provider.enabled | body | boolean | Whether the Identity Provider is enabled or not |
identity_provider.remote_ids | body | array | List of the unique Identity Provider’s remote IDs |
403¶
Error
404¶
Error
Update identity provider¶
When an identity provider is disabled, any tokens generated by that identity provider will be revoked.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider
Request¶
Name | Location | Type | Description |
---|---|---|---|
idp_id | path | string | idp_id parameter for /v3/OS-FEDERATION/identity_providers/{idp_id} API |
identity_provider | body | object | |
identity_provider.enabled | body | boolean | Whether the Service Provider is enabled or not |
identity_provider.description | body | [‘string’, ‘null’] | |
identity_provider.authorization_ttl | body | [‘integer’, ‘null’] | |
identity_provider.remote_ids | body | [‘array’, ‘null’] | |
{
"type": "object",
"properties": {
"identity_provider": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "Whether the Service Provider is enabled or not"
},
"description": {
"type": [
"string",
"null"
]
},
"authorization_ttl": {
"type": [
"integer",
"null"
],
"minimum": 0
},
"remote_ids": {
"type": [
"array",
"null"
],
"items": {
"type": "string"
},
"uniqueItems": true
}
},
"minProperties": 1,
"additionalProperties": false
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"identity_provider": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "The Identity Provider unique ID"
},
"description": {
"type": "string",
"description": "The Identity Provider description"
},
"domain_id": {
"type": "string",
"format": "uuid",
"description": "The ID of a domain that is associated with the Identity Provider. Federated\nusers that authenticate with the Identity Provider will be created under\nthe domain specified."
},
"authorization_ttl": {
"type": "integer",
"description": "The length of validity in minutes for group memberships carried over\nthrough mapping and persisted in the database. If left unset, the\ndefault value configured in keystone will be used, if enabled."
},
"enabled": {
"type": "boolean",
"description": "Whether the Identity Provider is enabled or not"
},
"remote_ids": {
"type": "array",
"description": "List of the unique Identity Provider\u2019s remote IDs",
"items": {
"type": "string"
}
}
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
identity_provider | body | object | |
identity_provider.id | body | string | The Identity Provider unique ID |
identity_provider.description | body | string | The Identity Provider description |
identity_provider.domain_id | body | string | The ID of a domain that is associated with the Identity Provider. Federated users that authenticate with the Identity Provider will be created under the domain specified. |
identity_provider.authorization_ttl | body | integer | The length of validity in minutes for group memberships carried over through mapping and persisted in the database. If left unset, the default value configured in keystone will be used, if enabled. |
identity_provider.enabled | body | boolean | Whether the Identity Provider is enabled or not |
identity_provider.remote_ids | body | array | List of the unique Identity Provider’s remote IDs |
403¶
Error
404¶
Error
Delete identity provider¶
List identity providers¶
List registered identity providers.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_providers
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"identity_providers": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "The Identity Provider unique ID"
},
"description": {
"type": "string",
"description": "The Identity Provider description"
},
"domain_id": {
"type": "string",
"format": "uuid",
"description": "The ID of a domain that is associated with the Identity Provider. Federated\nusers that authenticate with the Identity Provider will be created under\nthe domain specified."
},
"authorization_ttl": {
"type": "integer",
"description": "The length of validity in minutes for group memberships carried over\nthrough mapping and persisted in the database. If left unset, the\ndefault value configured in keystone will be used, if enabled."
},
"enabled": {
"type": "boolean",
"description": "Whether the Identity Provider is enabled or not"
},
"remote_ids": {
"type": "array",
"description": "List of the unique Identity Provider\u2019s remote IDs",
"items": {
"type": "string"
}
}
}
},
"description": "List of Identity Providers"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
identity_providers | body | array | List of Identity Providers |
identity_providers[].id | body | string | The Identity Provider unique ID |
identity_providers[].description | body | string | The Identity Provider description |
identity_providers[].domain_id | body | string | The ID of a domain that is associated with the Identity Provider. Federated users that authenticate with the Identity Provider will be created under the domain specified. |
identity_providers[].authorization_ttl | body | integer | The length of validity in minutes for group memberships carried over through mapping and persisted in the database. If left unset, the default value configured in keystone will be used, if enabled. |
identity_providers[].enabled | body | boolean | Whether the Identity Provider is enabled or not |
identity_providers[].remote_ids | body | array | List of the unique Identity Provider’s remote IDs |
403¶
Error
404¶
Error
Get protocol for identity provider¶
Get a protocol and attribute mapping for an identity provider.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocol
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"protocol": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The federation protocol ID"
},
"mapping_id": {
"type": "string"
},
"remote_id_attribute": {
"type": "string",
"maxLength": 64
}
},
"description": "The Federation Protocol object"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
protocol | body | object | The Federation Protocol object |
protocol.id | body | string | The federation protocol ID |
protocol.mapping_id | body | string | |
protocol.remote_id_attribute | body | string | |
403¶
Error
404¶
Error
Add protocol to identity provider¶
Add a protocol and attribute mapping to an identity provider.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocol
Request¶
Name | Location | Type | Description |
---|---|---|---|
idp_id | path | string | idp_id parameter for /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols API |
protocol_id | path | string | protocol_id parameter for /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} API |
protocol | body | object | The Federation Protocol object |
protocol.mapping_id | body | string | |
protocol.remote_id_attribute | body | string | |
{
"type": "object",
"properties": {
"protocol": {
"type": "object",
"properties": {
"mapping_id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-_]+$"
},
"remote_id_attribute": {
"type": "string",
"maxLength": 64
}
},
"required": [
"mapping_id"
],
"additionalProperties": false,
"description": "The Federation Protocol object"
}
}
}
Responses¶
201¶
Ok
{
"type": "object",
"properties": {
"protocol": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The federation protocol ID"
},
"mapping_id": {
"type": "string"
},
"remote_id_attribute": {
"type": "string",
"maxLength": 64
}
},
"description": "The Federation Protocol object"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
protocol | body | object | The Federation Protocol object |
protocol.id | body | string | The federation protocol ID |
protocol.mapping_id | body | string | |
protocol.remote_id_attribute | body | string | |
403¶
Error
404¶
Error
Update attribute mapping for identity provider¶
Update the attribute mapping for an identity provider and protocol.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocol
Request¶
Name | Location | Type | Description |
---|---|---|---|
idp_id | path | string | idp_id parameter for /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols API |
protocol_id | path | string | protocol_id parameter for /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} API |
protocol | body | object | The Federation Protocol object |
protocol.mapping_id | body | string | |
protocol.remote_id_attribute | body | string | |
{
"type": "object",
"properties": {
"protocol": {
"type": "object",
"properties": {
"mapping_id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-_]+$"
},
"remote_id_attribute": {
"type": "string",
"maxLength": 64
}
},
"minProperties": 1,
"additionalProperties": false,
"description": "The Federation Protocol object"
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"protocol": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The federation protocol ID"
},
"mapping_id": {
"type": "string"
},
"remote_id_attribute": {
"type": "string",
"maxLength": 64
}
},
"description": "The Federation Protocol object"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
protocol | body | object | The Federation Protocol object |
protocol.id | body | string | The federation protocol ID |
protocol.mapping_id | body | string | |
protocol.remote_id_attribute | body | string | |
403¶
Error
404¶
Error
Delete a protocol from identity provider¶
List protocols of identity provider¶
List all protocol and attribute mappings of an identity provider.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocols
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"protocols": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The federation protocol ID"
},
"mapping_id": {
"type": "string"
},
"remote_id_attribute": {
"type": "string",
"maxLength": 64
}
},
"description": "The Federation Protocol object"
},
"description": "List of Federation Protocols"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
protocols | body | array | List of Federation Protocols |
protocols[].id | body | string | The federation protocol ID |
protocols[].mapping_id | body | string | |
protocols[].remote_id_attribute | body | string | |
403¶
Error
404¶
Error
Get a mapping¶
Get a specific federated mapping.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/mapping
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"mapping": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "The Federation Mapping unique ID"
},
"rules": {
"minItems": 1,
"type": "array",
"items": {
"type": "object",
"required": [
"local",
"remote"
],
"additionalProperties": false,
"properties": {
"local": {
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"user": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"email": {
"type": "string"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
},
"type": {
"type": "string",
"enum": [
"ephemeral",
"local"
]
}
},
"additionalProperties": false
},
"projects": {
"type": "array",
"items": {
"type": "object",
"required": [
"name",
"roles"
],
"additionalProperties": false,
"properties": {
"name": {
"type": "string"
},
"roles": {
"type": "array",
"items": {
"type": "object",
"required": [
"name"
],
"properties": {
"name": {
"type": "string"
}
},
"additionalProperties": false
}
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
}
}
}
},
"group": {
"type": "object",
"oneOf": [
{
"type": "object",
"properties": {
"id": {
"type": "string"
}
},
"additionalProperties": false,
"required": [
"id"
]
},
{
"type": "object",
"properties": {
"name": {
"type": "string"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
}
},
"additionalProperties": false,
"required": [
"name",
"domain"
]
}
]
},
"groups": {
"type": "string"
},
"group_ids": {
"type": "string"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
}
}
}
},
"remote": {
"minItems": 1,
"type": "array",
"items": {
"type": "object",
"oneOf": [
{
"type": "object",
"required": [
"type"
],
"properties": {
"type": {
"type": "string"
}
},
"additionalProperties": false
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"any_one_of"
],
"properties": {
"type": {
"type": "string"
},
"any_one_of": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"not_any_of"
],
"properties": {
"type": {
"type": "string"
},
"not_any_of": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"blacklist"
],
"properties": {
"type": {
"type": "string"
},
"blacklist": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"whitelist"
],
"properties": {
"type": {
"type": "string"
},
"whitelist": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
}
]
}
}
}
},
"description": "The list of rules used to map remote users into local users"
},
"schema_version": {
"type": "string",
"description": "Mapping schema version"
}
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
mapping | body | object | |
mapping.id | body | string | The Federation Mapping unique ID |
mapping.rules | body | array | The list of rules used to map remote users into local users |
mapping.rules[].local | body | array | |
mapping.rules[].local[].user | body | object | |
mapping.rules[].local[].user.id | body | string | |
mapping.rules[].local[].user.name | body | string | |
mapping.rules[].local[].user.email | body | string | |
mapping.rules[].local[].user.domain | body | object | |
mapping.rules[].local[].user.domain.id | body | string | |
mapping.rules[].local[].user.domain.name | body | string | |
mapping.rules[].local[].user.type | body | string | |
mapping.rules[].local[].projects | body | array | |
mapping.rules[].local[].projects[].name | body | string | |
mapping.rules[].local[].projects[].roles | body | array | |
mapping.rules[].local[].projects[].roles[].name | body | string | |
mapping.rules[].local[].projects[].domain | body | object | |
mapping.rules[].local[].projects[].domain.id | body | string | |
mapping.rules[].local[].projects[].domain.name | body | string | |
mapping.rules[].local[].group | body | object | |
mapping.rules[].local[].groups | body | string | |
mapping.rules[].local[].group_ids | body | string | |
mapping.rules[].local[].domain | body | object | |
mapping.rules[].local[].domain.id | body | string | |
mapping.rules[].local[].domain.name | body | string | |
mapping.rules[].remote | body | array | |
mapping.schema_version | body | string | Mapping schema version |
403¶
Error
404¶
Error
Create a mapping¶
Create a federated mapping.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/mapping
Request¶
Name | Location | Type | Description |
---|---|---|---|
mapping_id | path | string | mapping_id parameter for /v3/OS-FEDERATION/mappings/{mapping_id} API |
mapping | body | object | |
mapping.rules | body | array | The list of rules used to map remote users into local users |
mapping.rules[].local | body | array | |
mapping.rules[].local[].user | body | object | |
mapping.rules[].local[].user.id | body | string | |
mapping.rules[].local[].user.name | body | string | |
mapping.rules[].local[].user.email | body | string | |
mapping.rules[].local[].user.domain | body | object | |
mapping.rules[].local[].user.domain.id | body | string | |
mapping.rules[].local[].user.domain.name | body | string | |
mapping.rules[].local[].user.type | body | string | |
mapping.rules[].local[].projects | body | array | |
mapping.rules[].local[].projects[].name | body | string | |
mapping.rules[].local[].projects[].roles | body | array | |
mapping.rules[].local[].projects[].roles[].name | body | string | |
mapping.rules[].local[].projects[].domain | body | object | |
mapping.rules[].local[].projects[].domain.id | body | string | |
mapping.rules[].local[].projects[].domain.name | body | string | |
mapping.rules[].local[].group | body | object | |
mapping.rules[].local[].groups | body | string | |
mapping.rules[].local[].group_ids | body | string | |
mapping.rules[].local[].domain | body | object | |
mapping.rules[].local[].domain.id | body | string | |
mapping.rules[].local[].domain.name | body | string | |
mapping.rules[].remote | body | array | |
mapping.schema_version | body | string | Mapping schema version |
{
"type": "object",
"properties": {
"mapping": {
"type": "object",
"required": [
"rules"
],
"properties": {
"rules": {
"minItems": 1,
"type": "array",
"items": {
"type": "object",
"required": [
"local",
"remote"
],
"additionalProperties": false,
"properties": {
"local": {
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"user": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"email": {
"type": "string"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
},
"type": {
"type": "string",
"enum": [
"ephemeral",
"local"
]
}
},
"additionalProperties": false
},
"projects": {
"type": "array",
"items": {
"type": "object",
"required": [
"name",
"roles"
],
"additionalProperties": false,
"properties": {
"name": {
"type": "string"
},
"roles": {
"type": "array",
"items": {
"type": "object",
"required": [
"name"
],
"properties": {
"name": {
"type": "string"
}
},
"additionalProperties": false
}
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
}
}
}
},
"group": {
"type": "object",
"oneOf": [
{
"type": "object",
"properties": {
"id": {
"type": "string"
}
},
"additionalProperties": false,
"required": [
"id"
]
},
{
"type": "object",
"properties": {
"name": {
"type": "string"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
}
},
"additionalProperties": false,
"required": [
"name",
"domain"
]
}
]
},
"groups": {
"type": "string"
},
"group_ids": {
"type": "string"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
}
}
}
},
"remote": {
"minItems": 1,
"type": "array",
"items": {
"type": "object",
"oneOf": [
{
"type": "object",
"required": [
"type"
],
"properties": {
"type": {
"type": "string"
}
},
"additionalProperties": false
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"any_one_of"
],
"properties": {
"type": {
"type": "string"
},
"any_one_of": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"not_any_of"
],
"properties": {
"type": {
"type": "string"
},
"not_any_of": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"blacklist"
],
"properties": {
"type": {
"type": "string"
},
"blacklist": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"whitelist"
],
"properties": {
"type": {
"type": "string"
},
"whitelist": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
}
]
}
}
}
},
"description": "The list of rules used to map remote users into local users"
},
"schema_version": {
"type": "string",
"description": "Mapping schema version"
}
}
}
}
}
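The request schema above can be turned into an offline pre-flight check for mapping bodies before they are sent to `/v3/OS-FEDERATION/mappings/{mapping_id}`. The following is an added example, not Keystone's own validation code: a small interpreter for only the JSON Schema keywords this schema uses, with the schema re-typed compactly. The names `check`, `closed`, `condition` and `validate_mapping_body` and the two sample bodies are constructed for illustration.

```python
"""Pre-flight check of a "Create a mapping" request body (added example)."""

TYPES = {"object": dict, "array": list, "string": str, "boolean": bool}


def check(value, schema, path="body"):
    """Return findings for value against the keyword subset used on this page."""
    kind = schema.get("type")
    if kind and not isinstance(value, TYPES[kind]):
        return [f"{path}: expected {kind}"]
    errors = []
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: must be one of {schema['enum']}")
    if "oneOf" in schema:
        hits = sum(not check(value, branch, path) for branch in schema["oneOf"])
        if hits != 1:
            errors.append(f"{path}: matches {hits} oneOf branches, exactly 1 required")
    if isinstance(value, dict):
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}: missing required '{key}'")
        if schema.get("additionalProperties") is False:
            for key in sorted(set(value) - set(props)):
                errors.append(f"{path}: unexpected property '{key}'")
        for key, sub in props.items():
            if key in value:
                errors += check(value[key], sub, f"{path}.{key}")
    if isinstance(value, list):
        if len(value) < schema.get("minItems", 0):
            errors.append(f"{path}: needs at least {schema['minItems']} item(s)")
        for i, item in enumerate(value):
            errors += check(item, schema.get("items", {}), f"{path}[{i}]")
    return errors


STR = {"type": "string"}


def closed(props, required=()):
    """Object schema with "additionalProperties": false, as in the schema above."""
    return {"type": "object", "properties": props,
            "required": list(required), "additionalProperties": False}


def condition(keyword):
    """Remote branch carrying one match keyword plus the optional regex flag."""
    return closed({"type": STR, keyword: {"type": "array"},
                   "regex": {"type": "boolean"}}, ["type", keyword])


DOMAIN = closed({"id": STR, "name": STR})
USER = closed({"id": STR, "name": STR, "email": STR, "domain": DOMAIN,
               "type": {"type": "string", "enum": ["ephemeral", "local"]}})
ROLE = closed({"name": STR}, ["name"])
PROJECT = closed({"name": STR, "roles": {"type": "array", "items": ROLE},
                  "domain": DOMAIN}, ["name", "roles"])
GROUP = {"type": "object", "oneOf": [
    closed({"id": STR}, ["id"]),
    closed({"name": STR, "domain": DOMAIN}, ["name", "domain"])]}
LOCAL = closed({"user": USER, "projects": {"type": "array", "items": PROJECT},
                "group": GROUP, "groups": STR, "group_ids": STR,
                "domain": DOMAIN})
REMOTE = {"type": "object", "oneOf": [closed({"type": STR}, ["type"])] + [
    condition(k) for k in ("any_one_of", "not_any_of", "blacklist", "whitelist")]}
RULE = closed({"local": {"type": "array", "items": LOCAL},
               "remote": {"type": "array", "minItems": 1, "items": REMOTE}},
              ["local", "remote"])
MAPPING_REQUEST = {"type": "object", "properties": {"mapping": {
    "type": "object", "required": ["rules"], "properties": {
        "rules": {"type": "array", "minItems": 1, "items": RULE},
        "schema_version": STR}}}}

# Constructed sample bodies (not from the page).
GOOD = {"mapping": {"rules": [{
    "local": [{"user": {"name": "fed-user", "type": "ephemeral"},
               "group": {"name": "federated", "domain": {"name": "Default"}}}],
    "remote": [{"type": "REMOTE_USER"},
               {"type": "groups", "any_one_of": ["staff"], "regex": False}]}]}}
BAD = {"mapping": {"rules": [{
    "local": [{"user": {"name": "fed-user", "type": "admin"},
               "group": {"id": "abc", "name": "federated"}}],
    "remote": [{"type": "groups", "whitelist": ["a"], "blacklist": ["b"]},
               {"type": "REMOTE_USER", "regex": True}]}]}}


def validate_mapping_body(body):
    """Return a list of findings; an empty list means the body fits the schema."""
    return check(body, MAPPING_REQUEST)


if __name__ == "__main__":
    for finding in validate_mapping_body(BAD):
        print(finding)
```

The `BAD` body shows the cases that are easy to miss when reading the schema: a `remote` entry may carry only one match keyword, `regex` is rejected on an entry that has no match keyword, and a `group` must be either `{id}` or `{name, domain}`.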
Responses¶
201¶
Ok
{
"type": "object",
"properties": {
"mapping": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "The Federation Mapping unique ID"
},
"rules": {
"minItems": 1,
"type": "array",
"items": {
"type": "object",
"required": [
"local",
"remote"
],
"additionalProperties": false,
"properties": {
"local": {
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"user": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"email": {
"type": "string"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
},
"type": {
"type": "string",
"enum": [
"ephemeral",
"local"
]
}
},
"additionalProperties": false
},
"projects": {
"type": "array",
"items": {
"type": "object",
"required": [
"name",
"roles"
],
"additionalProperties": false,
"properties": {
"name": {
"type": "string"
},
"roles": {
"type": "array",
"items": {
"type": "object",
"required": [
"name"
],
"properties": {
"name": {
"type": "string"
}
},
"additionalProperties": false
}
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
}
}
}
},
"group": {
"type": "object",
"oneOf": [
{
"type": "object",
"properties": {
"id": {
"type": "string"
}
},
"additionalProperties": false,
"required": [
"id"
]
},
{
"type": "object",
"properties": {
"name": {
"type": "string"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
}
},
"additionalProperties": false,
"required": [
"name",
"domain"
]
}
]
},
"groups": {
"type": "string"
},
"group_ids": {
"type": "string"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
}
}
}
},
"remote": {
"minItems": 1,
"type": "array",
"items": {
"type": "object",
"oneOf": [
{
"type": "object",
"required": [
"type"
],
"properties": {
"type": {
"type": "string"
}
},
"additionalProperties": false
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"any_one_of"
],
"properties": {
"type": {
"type": "string"
},
"any_one_of": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"not_any_of"
],
"properties": {
"type": {
"type": "string"
},
"not_any_of": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"blacklist"
],
"properties": {
"type": {
"type": "string"
},
"blacklist": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"whitelist"
],
"properties": {
"type": {
"type": "string"
},
"whitelist": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
}
]
}
}
}
},
"description": "The list of rules used to map remote users into local users"
},
"schema_version": {
"type": "string",
"description": "Mapping schema version"
}
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
mapping | body | object | |
mapping.id | body | string | The Federation Mapping unique ID |
mapping.rules | body | array | The list of rules used to map remote users into local users |
mapping.rules[].local | body | array | |
mapping.rules[].local[].user | body | object | |
mapping.rules[].local[].user.id | body | string | |
mapping.rules[].local[].user.name | body | string | |
mapping.rules[].local[].user.email | body | string | |
mapping.rules[].local[].user.domain | body | object | |
mapping.rules[].local[].user.domain.id | body | string | |
mapping.rules[].local[].user.domain.name | body | string | |
mapping.rules[].local[].user.type | body | string | |
mapping.rules[].local[].projects | body | array | |
mapping.rules[].local[].projects[].name | body | string | |
mapping.rules[].local[].projects[].roles | body | array | |
mapping.rules[].local[].projects[].roles[].name | body | string | |
mapping.rules[].local[].projects[].domain | body | object | |
mapping.rules[].local[].projects[].domain.id | body | string | |
mapping.rules[].local[].projects[].domain.name | body | string | |
mapping.rules[].local[].group | body | object | |
mapping.rules[].local[].groups | body | string | |
mapping.rules[].local[].group_ids | body | string | |
mapping.rules[].local[].domain | body | object | |
mapping.rules[].local[].domain.id | body | string | |
mapping.rules[].local[].domain.name | body | string | |
mapping.rules[].remote | body | array | |
mapping.schema_version | body | string | Mapping schema version |
403¶
Error
404¶
Error
Update a mapping¶
Update a federated mapping.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/mapping
Request¶
Name | Location | Type | Description |
---|---|---|---|
mapping_id | path | string | mapping_id parameter for /v3/OS-FEDERATION/mappings/{mapping_id} API |
mapping | body | object | |
mapping.rules | body | array | The list of rules used to map remote users into local users |
mapping.rules[].local | body | array | |
mapping.rules[].local[].user | body | object | |
mapping.rules[].local[].user.id | body | string | |
mapping.rules[].local[].user.name | body | string | |
mapping.rules[].local[].user.email | body | string | |
mapping.rules[].local[].user.domain | body | object | |
mapping.rules[].local[].user.domain.id | body | string | |
mapping.rules[].local[].user.domain.name | body | string | |
mapping.rules[].local[].user.type | body | string | |
mapping.rules[].local[].projects | body | array | |
mapping.rules[].local[].projects[].name | body | string | |
mapping.rules[].local[].projects[].roles | body | array | |
mapping.rules[].local[].projects[].roles[].name | body | string | |
mapping.rules[].local[].projects[].domain | body | object | |
mapping.rules[].local[].projects[].domain.id | body | string | |
mapping.rules[].local[].projects[].domain.name | body | string | |
mapping.rules[].local[].group | body | object | |
mapping.rules[].local[].groups | body | string | |
mapping.rules[].local[].group_ids | body | string | |
mapping.rules[].local[].domain | body | object | |
mapping.rules[].local[].domain.id | body | string | |
mapping.rules[].local[].domain.name | body | string | |
mapping.rules[].remote | body | array | |
mapping.schema_version | body | string | Mapping schema version |
{
"type": "object",
"properties": {
"mapping": {
"type": "object",
"required": [
"rules"
],
"properties": {
"rules": {
"minItems": 1,
"type": "array",
"items": {
"type": "object",
"required": [
"local",
"remote"
],
"additionalProperties": false,
"properties": {
"local": {
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"user": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"email": {
"type": "string"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
},
"type": {
"type": "string",
"enum": [
"ephemeral",
"local"
]
}
},
"additionalProperties": false
},
"projects": {
"type": "array",
"items": {
"type": "object",
"required": [
"name",
"roles"
],
"additionalProperties": false,
"properties": {
"name": {
"type": "string"
},
"roles": {
"type": "array",
"items": {
"type": "object",
"required": [
"name"
],
"properties": {
"name": {
"type": "string"
}
},
"additionalProperties": false
}
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
}
}
}
},
"group": {
"type": "object",
"oneOf": [
{
"type": "object",
"properties": {
"id": {
"type": "string"
}
},
"additionalProperties": false,
"required": [
"id"
]
},
{
"type": "object",
"properties": {
"name": {
"type": "string"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
}
},
"additionalProperties": false,
"required": [
"name",
"domain"
]
}
]
},
"groups": {
"type": "string"
},
"group_ids": {
"type": "string"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
}
}
}
},
"remote": {
"minItems": 1,
"type": "array",
"items": {
"type": "object",
"oneOf": [
{
"type": "object",
"required": [
"type"
],
"properties": {
"type": {
"type": "string"
}
},
"additionalProperties": false
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"any_one_of"
],
"properties": {
"type": {
"type": "string"
},
"any_one_of": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"not_any_of"
],
"properties": {
"type": {
"type": "string"
},
"not_any_of": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"blacklist"
],
"properties": {
"type": {
"type": "string"
},
"blacklist": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"whitelist"
],
"properties": {
"type": {
"type": "string"
},
"whitelist": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
}
]
}
}
}
},
"description": "The list of rules used to map remote users into local users"
},
"schema_version": {
"type": "string",
"description": "Mapping schema version"
}
}
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"mapping": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "The Federation Mapping unique ID"
},
"rules": {
"minItems": 1,
"type": "array",
"items": {
"type": "object",
"required": [
"local",
"remote"
],
"additionalProperties": false,
"properties": {
"local": {
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"user": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"email": {
"type": "string"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
},
"type": {
"type": "string",
"enum": [
"ephemeral",
"local"
]
}
},
"additionalProperties": false
},
"projects": {
"type": "array",
"items": {
"type": "object",
"required": [
"name",
"roles"
],
"additionalProperties": false,
"properties": {
"name": {
"type": "string"
},
"roles": {
"type": "array",
"items": {
"type": "object",
"required": [
"name"
],
"properties": {
"name": {
"type": "string"
}
},
"additionalProperties": false
}
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
}
}
}
},
"group": {
"type": "object",
"oneOf": [
{
"type": "object",
"properties": {
"id": {
"type": "string"
}
},
"additionalProperties": false,
"required": [
"id"
]
},
{
"type": "object",
"properties": {
"name": {
"type": "string"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
}
},
"additionalProperties": false,
"required": [
"name",
"domain"
]
}
]
},
"groups": {
"type": "string"
},
"group_ids": {
"type": "string"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
}
}
}
},
"remote": {
"minItems": 1,
"type": "array",
"items": {
"type": "object",
"oneOf": [
{
"type": "object",
"required": [
"type"
],
"properties": {
"type": {
"type": "string"
}
},
"additionalProperties": false
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"any_one_of"
],
"properties": {
"type": {
"type": "string"
},
"any_one_of": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"not_any_of"
],
"properties": {
"type": {
"type": "string"
},
"not_any_of": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"blacklist"
],
"properties": {
"type": {
"type": "string"
},
"blacklist": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"whitelist"
],
"properties": {
"type": {
"type": "string"
},
"whitelist": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
}
]
}
}
}
},
"description": "The list of rules used to map remote users into local users"
},
"schema_version": {
"type": "string",
"description": "Mapping schema version"
}
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
mapping | body | object | |
mapping.id | body | string | The Federation Mapping unique ID |
mapping.rules | body | array | The list of rules used to map remote users into local users |
mapping.rules[].local | body | array | |
mapping.rules[].local[].user | body | object | |
mapping.rules[].local[].user.id | body | string | |
mapping.rules[].local[].user.name | body | string | |
mapping.rules[].local[].user.email | body | string | |
mapping.rules[].local[].user.domain | body | object | |
mapping.rules[].local[].user.domain.id | body | string | |
mapping.rules[].local[].user.domain.name | body | string | |
mapping.rules[].local[].user.type | body | string | |
mapping.rules[].local[].projects | body | array | |
mapping.rules[].local[].projects[].name | body | string | |
mapping.rules[].local[].projects[].roles | body | array | |
mapping.rules[].local[].projects[].roles[].name | body | string | |
mapping.rules[].local[].projects[].domain | body | object | |
mapping.rules[].local[].projects[].domain.id | body | string | |
mapping.rules[].local[].projects[].domain.name | body | string | |
mapping.rules[].local[].group | body | object | |
mapping.rules[].local[].groups | body | string | |
mapping.rules[].local[].group_ids | body | string | |
mapping.rules[].local[].domain | body | object | |
mapping.rules[].local[].domain.id | body | string | |
mapping.rules[].local[].domain.name | body | string | |
mapping.rules[].remote | body | array | |
mapping.schema_version | body | string | Mapping schema version |
403¶
Error
404¶
Error
Delete a mapping¶
List mappings¶
List all federated mappings.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/mappings
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"mappings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "The Federation Mapping unique ID"
},
"rules": {
"minItems": 1,
"type": "array",
"items": {
"type": "object",
"required": [
"local",
"remote"
],
"additionalProperties": false,
"properties": {
"local": {
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"user": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"email": {
"type": "string"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
},
"type": {
"type": "string",
"enum": [
"ephemeral",
"local"
]
}
},
"additionalProperties": false
},
"projects": {
"type": "array",
"items": {
"type": "object",
"required": [
"name",
"roles"
],
"additionalProperties": false,
"properties": {
"name": {
"type": "string"
},
"roles": {
"type": "array",
"items": {
"type": "object",
"required": [
"name"
],
"properties": {
"name": {
"type": "string"
}
},
"additionalProperties": false
}
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
}
}
}
},
"group": {
"type": "object",
"oneOf": [
{
"type": "object",
"properties": {
"id": {
"type": "string"
}
},
"additionalProperties": false,
"required": [
"id"
]
},
{
"type": "object",
"properties": {
"name": {
"type": "string"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
}
},
"additionalProperties": false,
"required": [
"name",
"domain"
]
}
]
},
"groups": {
"type": "string"
},
"group_ids": {
"type": "string"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
}
},
"additionalProperties": false
}
}
}
},
"remote": {
"minItems": 1,
"type": "array",
"items": {
"type": "object",
"oneOf": [
{
"type": "object",
"required": [
"type"
],
"properties": {
"type": {
"type": "string"
}
},
"additionalProperties": false
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"any_one_of"
],
"properties": {
"type": {
"type": "string"
},
"any_one_of": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"not_any_of"
],
"properties": {
"type": {
"type": "string"
},
"not_any_of": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"blacklist"
],
"properties": {
"type": {
"type": "string"
},
"blacklist": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
},
{
"type": "object",
"additionalProperties": false,
"required": [
"type",
"whitelist"
],
"properties": {
"type": {
"type": "string"
},
"whitelist": {
"type": "array"
},
"regex": {
"type": "boolean"
}
}
}
]
}
}
}
},
"description": "The list of rules used to map remote users into local users"
},
"schema_version": {
"type": "string",
"description": "Mapping schema version"
}
}
},
"description": "The collection of Federation Mappings"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
mappings | body | array | The collection of Federation Mappings |
mappings[].id | body | string | The Federation Mapping unique ID |
mappings[].rules | body | array | The list of rules used to map remote users into local users |
mappings[].rules[].local | body | array | |
mappings[].rules[].local[].user | body | object | |
mappings[].rules[].local[].user.id | body | string | |
mappings[].rules[].local[].user.name | body | string | |
mappings[].rules[].local[].user.email | body | string | |
mappings[].rules[].local[].user.domain | body | object | |
mappings[].rules[].local[].user.domain.id | body | string | |
mappings[].rules[].local[].user.domain.name | body | string | |
mappings[].rules[].local[].user.type | body | string | |
mappings[].rules[].local[].projects | body | array | |
mappings[].rules[].local[].projects[].name | body | string | |
mappings[].rules[].local[].projects[].roles | body | array | |
mappings[].rules[].local[].projects[].roles[].name | body | string | |
mappings[].rules[].local[].projects[].domain | body | object | |
mappings[].rules[].local[].projects[].domain.id | body | string | |
mappings[].rules[].local[].projects[].domain.name | body | string | |
mappings[].rules[].local[].group | body | object | |
mappings[].rules[].local[].groups | body | string | |
mappings[].rules[].local[].group_ids | body | string | |
mappings[].rules[].local[].domain | body | object | |
mappings[].rules[].local[].domain.id | body | string | |
mappings[].rules[].local[].domain.name | body | string | |
mappings[].rules[].remote | body | array | |
mappings[].schema_version | body | string | Mapping schema version |
403¶
Error
404¶
Error
Get service provider¶
Get a specific service provider reference.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/service_provider
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"service_provider": {
"type": "object",
"properties": {
"auth_url": {
"type": "string",
"description": "The URL to authenticate against"
},
"description": {
"type": [
"string",
"null"
],
"description": "The description of the Service Provider"
},
"id": {
"type": "string",
"description": "The Service Provider unique ID"
},
"enabled": {
"type": "boolean",
"description": "Whether the Service Provider is enabled or not"
},
"relay_state_prefix": {
"type": [
"string",
"null"
],
"description": "The prefix of the RelayState SAML attribute"
},
"sp_url": {
"type": "string",
"description": "The Service Provider\u2019s URL"
}
},
"required": [
"auth_url",
"sp_url"
]
}
}
}
Name | Location | Type | Description |
---|---|---|---|
service_provider | body | object | |
service_provider.auth_url | body | string | The URL to authenticate against |
service_provider.description | body | [‘string’, ‘null’] | The description of the Service Provider |
service_provider.id | body | string | The Service Provider unique ID |
service_provider.enabled | body | boolean | Whether the Service Provider is enabled or not |
service_provider.relay_state_prefix | body | [‘string’, ‘null’] | The prefix of the RelayState SAML attribute |
service_provider.sp_url | body | string | The Service Provider’s URL |
403¶
Error
404¶
Error
Register a service provider¶
Create a service provider entity.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/service_provider
Request¶
Name | Location | Type | Description |
---|---|---|---|
sp_id | path | string | sp_id parameter for /v3/OS-FEDERATION/service_providers/{sp_id} API |
service_provider | body | object | |
service_provider.auth_url | body | string | The URL to authenticate against |
service_provider.sp_url | body | string | The Service Provider’s URL |
service_provider.description | body | [‘string’, ‘null’] | The description of the Service Provider |
service_provider.enabled | body | boolean | Whether the Service Provider is enabled or not |
service_provider.relay_state_prefix | body | [‘string’, ‘null’] | |
{
"type": "object",
"properties": {
"service_provider": {
"type": "object",
"properties": {
"auth_url": {
"type": "string",
"minLength": 0,
"maxLength": 225,
"pattern": "^[a-zA-Z0-9+.-]+:.+",
"description": "The URL to authenticate against"
},
"sp_url": {
"type": "string",
"minLength": 0,
"maxLength": 225,
"pattern": "^[a-zA-Z0-9+.-]+:.+",
"description": "The Service Provider\u2019s URL"
},
"description": {
"type": [
"string",
"null"
],
"description": "The description of the Service Provider"
},
"enabled": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "Whether the Service Provider is enabled or not"
},
"relay_state_prefix": {
"type": [
"string",
"null"
]
}
},
"required": [
"auth_url",
"sp_url"
],
"additionalProperties": false
}
}
}
Responses¶
201¶
Ok
{
"type": "object",
"properties": {
"service_provider": {
"type": "object",
"properties": {
"auth_url": {
"type": "string",
"description": "The URL to authenticate against"
},
"description": {
"type": [
"string",
"null"
],
"description": "The description of the Service Provider"
},
"id": {
"type": "string",
"description": "The Service Provider unique ID"
},
"enabled": {
"type": "boolean",
"description": "Whether the Service Provider is enabled or not"
},
"relay_state_prefix": {
"type": [
"string",
"null"
],
"description": "The prefix of the RelayState SAML attribute"
},
"sp_url": {
"type": "string",
"description": "The Service Provider\u2019s URL"
}
},
"required": [
"auth_url",
"sp_url"
]
}
}
}
Name | Location | Type | Description |
---|---|---|---|
service_provider | body | object | |
service_provider.auth_url | body | string | The URL to authenticate against |
service_provider.description | body | [‘string’, ‘null’] | The description of the Service Provider |
service_provider.id | body | string | The Service Provider unique ID |
service_provider.enabled | body | boolean | Whether the Service Provider is enabled or not |
service_provider.relay_state_prefix | body | [‘string’, ‘null’] | The prefix of the RelayState SAML attribute |
service_provider.sp_url | body | string | The Service Provider’s URL |
403¶
Error
404¶
Error
Update service provider¶
Update a service provider’s attributes.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/service_provider
Request¶
Name | Location | Type | Description |
---|---|---|---|
sp_id | path | string | sp_id parameter for /v3/OS-FEDERATION/service_providers/{sp_id} API |
service_provider | body | object | |
service_provider.auth_url | body | string | The URL to authenticate against |
service_provider.sp_url | body | string | The Service Provider’s URL |
service_provider.description | body | [‘string’, ‘null’] | The description of the Service Provider |
service_provider.enabled | body | boolean | Whether the Service Provider is enabled or not |
service_provider.relay_state_prefix | body | [‘string’, ‘null’] | |
{
"type": "object",
"properties": {
"service_provider": {
"type": "object",
"properties": {
"auth_url": {
"type": "string",
"minLength": 0,
"maxLength": 225,
"pattern": "^[a-zA-Z0-9+.-]+:.+",
"description": "The URL to authenticate against"
},
"sp_url": {
"type": "string",
"minLength": 0,
"maxLength": 225,
"pattern": "^[a-zA-Z0-9+.-]+:.+",
"description": "The Service Provider\u2019s URL"
},
"description": {
"type": [
"string",
"null"
],
"description": "The description of the Service Provider"
},
"enabled": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "Whether the Service Provider is enabled or not"
},
"relay_state_prefix": {
"type": [
"string",
"null"
]
}
},
"minProperties": 1,
"additionalProperties": false
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"service_provider": {
"type": "object",
"properties": {
"auth_url": {
"type": "string",
"description": "The URL to authenticate against"
},
"description": {
"type": [
"string",
"null"
],
"description": "The description of the Service Provider"
},
"id": {
"type": "string",
"description": "The Service Provider unique ID"
},
"enabled": {
"type": "boolean",
"description": "Whether the Service Provider is enabled or not"
},
"relay_state_prefix": {
"type": [
"string",
"null"
],
"description": "The prefix of the RelayState SAML attribute"
},
"sp_url": {
"type": "string",
"description": "The Service Provider\u2019s URL"
}
},
"required": [
"auth_url",
"sp_url"
]
}
}
}
Name | Location | Type | Description |
---|---|---|---|
service_provider | body | object | |
service_provider.auth_url | body | string | The URL to authenticate against |
service_provider.description | body | [‘string’, ‘null’] | The description of the Service Provider |
service_provider.id | body | string | The Service Provider unique ID |
service_provider.enabled | body | boolean | Whether the Service Provider is enabled or not |
service_provider.relay_state_prefix | body | [‘string’, ‘null’] | The prefix of the RelayState SAML attribute |
service_provider.sp_url | body | string | The Service Provider’s URL |
403¶
Error
404¶
Error
Delete service provider¶
List service providers¶
List all service providers.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/service_providers
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"service_providers": {
"type": "array",
"items": {
"type": "object",
"properties": {
"auth_url": {
"type": "string",
"description": "The URL to authenticate against"
},
"description": {
"type": [
"string",
"null"
],
"description": "The description of the Service Provider"
},
"id": {
"type": "string",
"description": "The Service Provider unique ID"
},
"enabled": {
"type": "boolean",
"description": "Whether the Service Provider is enabled or not"
},
"relay_state_prefix": {
"type": [
"string",
"null"
],
"description": "The prefix of the RelayState SAML attribute"
},
"sp_url": {
"type": "string",
"description": "The Service Provider\u2019s URL"
}
},
"required": [
"auth_url",
"sp_url"
]
},
"description": "The list of Service Providers"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
service_providers | body | array | The list of Service Providers |
service_providers[].auth_url | body | string | The URL to authenticate against |
service_providers[].description | body | [‘string’, ‘null’] | The description of the Service Provider |
service_providers[].id | body | string | The Service Provider unique ID |
service_providers[].enabled | body | boolean | Whether the Service Provider is enabled or not |
service_providers[].relay_state_prefix | body | [‘string’, ‘null’] | The prefix of the RelayState SAML attribute |
service_providers[].sp_url | body | string | The Service Provider’s URL |
403¶
Error
404¶
Error
credentials¶
Show credential details¶
Update credential¶
Updates a credential.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/credential
Request¶
Name | Location | Type | Description |
---|---|---|---|
credential_id | path | string | credential_id parameter for /v3/credentials/{credential_id} API |
{
"type": "object",
"description": "Request of the credentials/credential_id:patch operation",
"x-openstack": {
"action-name": "PATCH"
}
}
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the credentials/credential_id:patch operation"
}
403¶
Error
404¶
Error
Delete credential¶
List credentials¶
Lists all credentials.
Optionally, you can include the `user_id` or `type` query parameter in the URI to filter the response by a user or credential type.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/credentials
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the credentials:get operation"
}
403¶
Error
404¶
Error
Create credential¶
Creates a credential.
The following example shows how to create an EC2-style credential. The credential blob is a string that contains a JSON-serialized dictionary with the `access` and `secret` keys. This format is required when you specify the `ec2` type. To specify other credentials, such as `access_key`, change the type and contents of the data blob.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/credentials
Request¶
{
"type": "object",
"description": "Request of the credentials:post operation",
"x-openstack": {
"action-name": "POST"
}
}
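The request schema above is only a stub, so the following added example (not code from the Keystone project or from this page) builds and checks an `ec2` request body with the blob serialized as a string. The body field names `credential`, `blob`, `type`, `user_id` and `project_id` are taken from the Keystone v3 credentials API rather than from this page; the helper names and the sample IDs are hypothetical.

```python
import copy
import json
import secrets

EC2_BLOB_KEYS = ("access", "secret")


class CredentialBlobError(ValueError):
    """Raised when a credential blob does not have the documented shape."""


def make_ec2_blob(access=None, secret=None):
    """Return the blob as a string: a JSON-serialized dict with access/secret.

    Values are generated with the secrets module when not supplied.
    """
    blob = {
        "access": access if access is not None else secrets.token_hex(16),
        "secret": secret if secret is not None else secrets.token_hex(32),
    }
    return json.dumps(blob)


def check_ec2_blob(blob):
    """Validate an ec2 blob and return the parsed dictionary."""
    if not isinstance(blob, str):
        # Frequent mistake: nesting the dictionary instead of serializing it.
        raise CredentialBlobError(
            "blob must be a JSON string, not %s" % type(blob).__name__)
    try:
        parsed = json.loads(blob)
    except json.JSONDecodeError as exc:
        raise CredentialBlobError("blob is not valid JSON") from exc
    if not isinstance(parsed, dict):
        raise CredentialBlobError("blob must serialize a dictionary")
    for key in EC2_BLOB_KEYS:
        value = parsed.get(key)
        if not isinstance(value, str) or not value:
            raise CredentialBlobError("blob needs a non-empty %r key" % key)
    return parsed


def build_credential_request(user_id, project_id, blob, cred_type="ec2"):
    """Build the POST body; the blob shape is enforced only for type ec2."""
    if cred_type == "ec2":
        check_ec2_blob(blob)
    return {
        "credential": {
            "type": cred_type,
            "blob": blob,
            "user_id": user_id,
            "project_id": project_id,
        }
    }


def redact_for_logging(body):
    """Return a copy of the request body that is safe to write to a log."""
    safe = copy.deepcopy(body)
    cred = safe["credential"]
    try:
        parsed = json.loads(cred["blob"])
    except (TypeError, ValueError):
        cred["blob"] = "<redacted>"
        return safe
    if isinstance(parsed, dict) and "secret" in parsed:
        parsed["secret"] = "<redacted>"
        cred["blob"] = json.dumps(parsed)
    else:
        cred["blob"] = "<redacted>"
    return safe


if __name__ == "__main__":
    # Constructed sample IDs, not real Keystone identifiers.
    body = build_credential_request(
        "constructed-user-id", "constructed-project-id", make_ec2_blob())
    print(json.dumps(redact_for_logging(body), indent=2))
```

Log or audit only the output of `redact_for_logging`; the unredacted body carries the secret key in clear text.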
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the credentials:post operation"
}
403¶
Error
404¶
Error
domains¶
Show domain details¶
Shows details for a domain.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domains
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"domain": {
"type": "object",
"description": "A `domain` object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"readOnly": true,
"description": "The ID of the domain."
},
"name": {
"type": "string",
"description": "The name of the domain.",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+"
},
"description": {
"type": "string",
"description": "The description of the domain."
},
"enabled": {
"type": "boolean",
"description": "If set to `true`, domain is enabled. If set to\n`false`, domain is disabled."
},
"tags": {
"type": "array",
"items": {
"type": "string",
"pattern": "^[^,/]*$",
"minLength": 1,
"maxLength": 255
}
},
"options": {
"type": "object",
"description": "The resource options for the role. Available resource options are\n`immutable`."
}
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
domain | body | object | A `domain` object |
domain.id | body | string | The ID of the domain. |
domain.name | body | string | The name of the domain. |
domain.description | body | string | The description of the domain. |
domain.enabled | body | boolean | If set to `true`, domain is enabled. If set to `false`, domain is disabled. |
domain.tags | body | array | |
domain.options | body | object | The resource options for the role. Available resource options are `immutable`. |
403¶
Error
404¶
Error
Update domain¶
Updates a domain.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain
Request¶
Name | Location | Type | Description |
---|---|---|---|
domain_id | path | string | domain_id parameter for /v3/domains/{domain_id} API |
domain | body | object | A `domain` object |
domain.id | body | string | The ID of the domain. |
domain.name | body | string | The name of the domain. |
domain.description | body | string | The description of the domain. |
domain.enabled | body | boolean | If set to `true`, domain is enabled. If set to `false`, domain is disabled. |
domain.tags | body | array | |
domain.options | body | object | The resource options for the role. Available resource options are `immutable`. |
{
"type": "object",
"properties": {
"domain": {
"type": "object",
"description": "A `domain` object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"readOnly": true,
"description": "The ID of the domain."
},
"name": {
"type": "string",
"description": "The name of the domain.",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+"
},
"description": {
"type": "string",
"description": "The description of the domain."
},
"enabled": {
"type": "boolean",
"description": "If set to `true`, domain is enabled. If set to\n`false`, domain is disabled."
},
"tags": {
"type": "array",
"items": {
"type": "string",
"pattern": "^[^,/]*$",
"minLength": 1,
"maxLength": 255
}
},
"options": {
"type": "object",
"description": "The resource options for the role. Available resource options are\n`immutable`."
}
}
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"domain": {
"type": "object",
"description": "A `domain` object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"readOnly": true,
"description": "The ID of the domain."
},
"name": {
"type": "string",
"description": "The name of the domain.",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+"
},
"description": {
"type": "string",
"description": "The description of the domain."
},
"enabled": {
"type": "boolean",
"description": "If set to `true`, domain is enabled. If set to\n`false`, domain is disabled."
},
"tags": {
"type": "array",
"items": {
"type": "string",
"pattern": "^[^,/]*$",
"minLength": 1,
"maxLength": 255
}
},
"options": {
"type": "object",
"description": "The resource options for the role. Available resource options are\n`immutable`."
}
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
domain | body | object | A `domain` object |
domain.id | body | string | The ID of the domain. |
domain.name | body | string | The name of the domain. |
domain.description | body | string | The description of the domain. |
domain.enabled | body | boolean | If set to `true`, domain is enabled. If set to `false`, domain is disabled. |
domain.tags | body | array | |
domain.options | body | object | The resource options for the role. Available resource options are `immutable`. |
403¶
Error
404¶
Error
Delete domain¶
Deletes a domain. To minimize the risk of accidentally deleting a domain, you must first disable the domain by using the update domain method.
When you delete a domain, this call also deletes all entities owned by it, such as users, groups, and projects, and any credentials and granted roles that relate to those entities.
If you try to delete an enabled domain, this call returns the `Forbidden (403)` response code.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain
Responses¶
204¶
Ok
403¶
Error
404¶
Error
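The disable-then-delete sequence described under Delete domain, as an added example that is not part of the Keystone documentation. `FakeKeystone`, `delete_domain` and the name check are assumptions made for illustration; the in-memory server is constructed, and `PATCH` is the verb Keystone v3 uses for the update domain method.

```python
class FakeKeystone:
    """Constructed in-memory stand-in for /v3/domains/{domain_id} (not real Keystone)."""

    def __init__(self, domains):
        self.domains = {d["id"]: dict(d) for d in domains}

    def request(self, method, path, body=None):
        """Return (status, json_body), mirroring the status codes listed on this page."""
        domain = self.domains.get(path.rsplit("/", 1)[-1])
        if domain is None:
            return 404, None
        if method == "GET":
            return 200, {"domain": dict(domain)}
        if method == "PATCH":
            domain.update(body["domain"])
            return 200, {"domain": dict(domain)}
        if method == "DELETE":
            if domain["enabled"]:
                return 403, None  # an enabled domain cannot be deleted
            del self.domains[domain["id"]]
            return 204, None
        return 405, None


class DomainDeleteError(Exception):
    """Raised when the sequence stops before the domain is removed."""


def delete_domain(transport, domain_id, expected_name):
    """Disable, then delete, one domain. Returns the calls made as 'METHOD status'."""
    path = f"/v3/domains/{domain_id}"
    steps = []

    def call(method, body=None, want=200):
        status, payload = transport.request(method, path, body)
        steps.append(f"{method} {status}")
        if status != want:
            raise DomainDeleteError(f"{method} {path} returned {status}, wanted {want}")
        return payload

    domain = call("GET")["domain"]
    # Added guard (an assumption of this example, not an API requirement):
    # deletion cascades to users, groups, projects, credentials and role
    # grants, so confirm the ID resolves to the domain the operator named.
    if domain["name"] != expected_name:
        raise DomainDeleteError(
            f"{domain_id} is named {domain['name']!r}, not {expected_name!r}"
        )
    if domain["enabled"]:
        call("PATCH", {"domain": {"enabled": False}})
    call("DELETE", want=204)
    return steps


if __name__ == "__main__":
    keystone = FakeKeystone([{"id": "d1", "name": "engineering", "enabled": True}])
    print(keystone.request("DELETE", "/v3/domains/d1"))  # direct delete is refused
    print(delete_domain(keystone, "d1", "engineering"))
```
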
List domains¶
Lists all domains.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domains
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"domains": {
"type": "array",
"items": {
"type": "object",
"description": "A `domain` object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"readOnly": true,
"description": "The ID of the domain."
},
"name": {
"type": "string",
"description": "The name of the domain.",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+"
},
"description": {
"type": "string",
"description": "The description of the domain."
},
"enabled": {
"type": "boolean",
"description": "If set to `true`, domain is enabled. If set to\n`false`, domain is disabled."
},
"tags": {
"type": "array",
"items": {
"type": "string",
"pattern": "^[^,/]*$",
"minLength": 1,
"maxLength": 255
}
},
"options": {
"type": "object",
"description": "The resource options for the role. Available resource options are\n`immutable`."
}
}
},
"description": "A list of `domain` objects"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
domains | body | array | A list of `domain` objects |
domains[].id | body | string | The ID of the domain. |
domains[].name | body | string | The name of the domain. |
domains[].description | body | string | The description of the domain. |
domains[].enabled | body | boolean | If set to `true`, domain is enabled. If set to `false`, domain is disabled. |
domains[].tags | body | array | |
domains[].options | body | object | The resource options for the role. Available resource options are `immutable`. |
403¶
Error
404¶
Error
Create domain¶
Creates a domain.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domains
Request¶
Name | Location | Type | Description |
---|---|---|---|
domain | body | object | A `domain` object |
domain.id | body | string | The ID of the domain. |
domain.name | body | string | The name of the domain. |
domain.description | body | string | The description of the domain. |
domain.enabled | body | boolean | If set to `true`, domain is enabled. If set to `false`, domain is disabled. |
domain.tags | body | array | |
domain.options | body | object | The resource options for the role. Available resource options are `immutable`. |
{
"type": "object",
"properties": {
"domain": {
"type": "object",
"description": "A `domain` object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"readOnly": true,
"description": "The ID of the domain."
},
"name": {
"type": "string",
"description": "The name of the domain.",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+"
},
"description": {
"type": "string",
"description": "The description of the domain."
},
"enabled": {
"type": "boolean",
"description": "If set to `true`, domain is enabled. If set to\n`false`, domain is disabled."
},
"tags": {
"type": "array",
"items": {
"type": "string",
"pattern": "^[^,/]*$",
"minLength": 1,
"maxLength": 255
}
},
"options": {
"type": "object",
"description": "The resource options for the role. Available resource options are\n`immutable`."
}
}
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"domain": {
"type": "object",
"description": "A `domain` object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"readOnly": true,
"description": "The ID of the domain."
},
"name": {
"type": "string",
"description": "The name of the domain.",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+"
},
"description": {
"type": "string",
"description": "The description of the domain."
},
"enabled": {
"type": "boolean",
"description": "If set to `true`, domain is enabled. If set to\n`false`, domain is disabled."
},
"tags": {
"type": "array",
"items": {
"type": "string",
"pattern": "^[^,/]*$",
"minLength": 1,
"maxLength": 255
}
},
"options": {
"type": "object",
"description": "The resource options for the role. Available resource options are\n`immutable`."
}
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
domain | body | object | A `domain` object |
domain.id | body | string | The ID of the domain. |
domain.name | body | string | The name of the domain. |
domain.description | body | string | The description of the domain. |
domain.enabled | body | boolean | If set to `true`, domain is enabled. If set to `false`, domain is disabled. |
domain.tags | body | array | |
domain.options | body | object | The resource options for the role. Available resource options are `immutable`. |
403¶
Error
404¶
Error
domain-configuration¶
Show domain configuration¶
Shows details for a domain configuration.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_config
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"config": {
"type": "object",
"description": "A `config` object.",
"additionalProperties": {
"type": "object",
"additionalProperties": true
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
config | body | object | A `config` object. |
403¶
Error
404¶
Error
Create domain configuration¶
Creates a domain configuration.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_config
Request¶
Name | Location | Type | Description |
---|---|---|---|
domain_id | path | string | domain_id parameter for /v3/domains/{domain_id}/config/{group}/{option} API |
config | body | object | A `config` object. |
{
"type": "object",
"properties": {
"config": {
"type": "object",
"description": "A `config` object.",
"additionalProperties": {
"type": "object",
"additionalProperties": true
}
}
}
}
Responses¶
201¶
Ok
{
"type": "object",
"properties": {
"config": {
"type": "object",
"description": "A `config` object.",
"additionalProperties": {
"type": "object",
"additionalProperties": true
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
config | body | object | A `config` object. |
403¶
Error
404¶
Error
Update domain configuration¶
Updates a domain configuration.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_config
Request¶
Name | Location | Type | Description |
---|---|---|---|
domain_id | path | string | domain_id parameter for /v3/domains/{domain_id}/config/{group}/{option} API |
config | body | object | A `config` object. |
{
"type": "object",
"properties": {
"config": {
"type": "object",
"description": "A `config` object.",
"additionalProperties": {
"type": "object",
"additionalProperties": true
}
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"config": {
"type": "object",
"description": "A `config` object.",
"additionalProperties": {
"type": "object",
"additionalProperties": true
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
config | body | object | A `config` object. |
403¶
Error
404¶
Error
Delete domain configuration¶
Show domain group configuration¶
Shows details for a domain group configuration.
The API supports only the `identity` and `ldap` groups.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_config_default
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"config": {
"type": "object",
"description": "A `config` object.",
"additionalProperties": {
"type": "object",
"additionalProperties": true
},
"maxProperties": 1
}
}
}
Name | Location | Type | Description |
---|---|---|---|
config | body | object | A `config` object. |
403¶
Error
404¶
Error
Update domain group configuration¶
Updates a domain group configuration.
The API supports only the `identity` and `ldap` groups. If you try to set configuration options for other groups, this call fails with the `Forbidden (403)` response code.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_config_default
Request¶
Name | Location | Type | Description |
---|---|---|---|
domain_id | path | string | domain_id parameter for /v3/domains/{domain_id}/config/{group}/{option} API |
group | path | string | group parameter for /v3/domains/{domain_id}/config/{group}/{option} API |
config | body | object | A `config` object. |
{
"type": "object",
"properties": {
"config": {
"type": "object",
"description": "A `config` object.",
"additionalProperties": {
"type": "object",
"additionalProperties": true
},
"maxProperties": 1
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"config": {
"type": "object",
"description": "A `config` object.",
"additionalProperties": {
"type": "object",
"additionalProperties": true
},
"maxProperties": 1
}
}
}
Name | Location | Type | Description |
---|---|---|---|
config | body | object | A `config` object. |
403¶
Error
404¶
Error
Delete domain group configuration¶
Show domain group option configuration¶
Shows details for a domain group option configuration.
The API supports only the `identity` and `ldap` groups. For the `ldap` group, a valid value is `url` or `user_tree_dn`. For the `identity` group, a valid value is `driver`.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_config_default
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"config": {
"type": "object",
"additionalProperties": true,
"maxProperties": 1,
"description": "A `config` object."
}
}
}
Name | Location | Type | Description |
---|---|---|---|
config | body | object | A `config` object. |
403¶
Error
404¶
Error
Update domain group option configuration¶
Updates a domain group option configuration.
The API supports only the `identity` and `ldap` groups. For the `ldap` group, a valid value is `url` or `user_tree_dn`. For the `identity` group, a valid value is `driver`.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_config_default
Request¶
Name | Location | Type | Description |
---|---|---|---|
domain_id | path | string | domain_id parameter for /v3/domains/{domain_id}/config/{group}/{option} API |
group | path | string | group parameter for /v3/domains/{domain_id}/config/{group}/{option} API |
option | path | string | option parameter for /v3/domains/{domain_id}/config/{group}/{option} API |
config | body | object | A `config` object. |
{
"type": "object",
"properties": {
"config": {
"type": "object",
"additionalProperties": true,
"maxProperties": 1,
"description": "A `config` object."
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"config": {
"type": "object",
"additionalProperties": true,
"maxProperties": 1,
"description": "A `config` object."
}
}
}
Name | Location | Type | Description |
---|---|---|---|
config | body | object | A `config` object. |
403¶
Error
404¶
Error
Delete domain group option configuration¶
Deletes a domain group option configuration.
The API supports only the `identity` and `ldap` groups. For the `ldap` group, a valid value is `url` or `user_tree_dn`. For the `identity` group, a valid value is `driver`.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_config_default
Responses¶
204¶
Ok
403¶
Error
404¶
Error
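A pre-flight check for the three domain configuration request shapes described above (whole config, one group, one option), as an added example that is not Keystone's own code. `check_domain_config` and its messages are hypothetical; the rule that the body key must match the group or option in the path is an assumption drawn from the `maxProperties: 1` schemas, and the sample LDAP URL is constructed.

```python
ALLOWED_GROUPS = ("identity", "ldap")
# Option names this page lists for the {option} path segment.
PAGE_LISTED_OPTIONS = {"identity": ("driver",), "ldap": ("url", "user_tree_dn")}


def check_domain_config(body, group=None, option=None):
    """Return a list of problems for a /v3/domains/{domain_id}/config request.

    group/option are the optional path segments; an empty list means the
    body matches what this page documents for that endpoint.
    """
    if option is not None and group is None:
        return ["an option cannot be addressed without its group"]
    config = body.get("config") if isinstance(body, dict) else None
    if not isinstance(config, dict):
        return ["body must be an object holding a 'config' object"]

    problems = []
    if group is not None and group not in ALLOWED_GROUPS:
        problems.append(f"group {group!r} is not supported; expect Forbidden (403)")

    if group is None:
        # Whole-config endpoint: {"config": {<group>: {<option>: value, ...}}}
        for name, options in config.items():
            if name not in ALLOWED_GROUPS:
                problems.append(f"group {name!r} is not supported; expect Forbidden (403)")
            if not isinstance(options, dict):
                problems.append(f"group {name!r} must map to an object of options")
    elif option is None:
        # Group endpoint: same shape, but the schema sets maxProperties to 1.
        if len(config) > 1:
            problems.append("group-level config allows at most one property")
        for name, options in config.items():
            if name != group:  # assumption: body key mirrors the path segment
                problems.append(f"body group {name!r} does not match path group {group!r}")
            if not isinstance(options, dict):
                problems.append(f"group {name!r} must map to an object of options")
    else:
        # Option endpoint: {"config": {<option>: value}}, maxProperties 1.
        listed = PAGE_LISTED_OPTIONS.get(group, ())
        if group in PAGE_LISTED_OPTIONS and option not in listed:
            problems.append(f"option {option!r} is not listed for group {group!r}")
        if len(config) > 1:
            problems.append("option-level config allows at most one property")
        for name in config:
            if name != option:  # assumption: body key mirrors the path segment
                problems.append(f"body option {name!r} does not match path option {option!r}")
    return problems


if __name__ == "__main__":
    sample = {"config": {"ldap": {"url": "ldaps://ldap.example.test"},
                         "token": {"expiration": 3600}}}  # constructed input
    for line in check_domain_config(sample):
        print(line)
```
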
Show default configuration settings¶
Retrieves the default configuration settings for the options that can be overridden.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_config_default
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"config": {
"type": "object",
"description": "A `config` object.",
"additionalProperties": {
"type": "object",
"additionalProperties": true
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
config | body | object | A `config` object. |
403¶
Error
404¶
Error
Show default configuration for a group¶
Reads the default configuration settings for a specific group.
The API supports only the `identity` and `ldap` groups.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_config_default
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"config": {
"type": "object",
"description": "A `config` object.",
"additionalProperties": {
"type": "object",
"additionalProperties": true
},
"maxProperties": 1
}
}
}
Name | Location | Type | Description |
---|---|---|---|
config | body | object | A `config` object. |
403¶
Error
404¶
Error
Show default option for a group¶
Reads the default configuration setting for an option within a group.
The API supports only the `identity` and `ldap` groups. For the `ldap` group, a valid value is `url` or `user_tree_dn`. For the `identity` group, a valid value is `driver`.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_config_default
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"config": {
"type": "object",
"additionalProperties": true,
"maxProperties": 1,
"description": "A `config` object."
}
}
}
Name | Location | Type | Description |
---|---|---|---|
config | body | object | A `config` object. |
403¶
Error
404¶
Error
roles¶
List role assignments for user on domain¶
Lists role assignments for a user on a domain.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_user_roles
Responses¶
200¶
Ok
{
"type": "object",
"description": "List of roles assigned to the resource",
"properties": {
"roles": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The role ID."
},
"name": {
"type": "string",
"description": "The role name."
},
"description": {
"type": "string",
"description": "The role description."
},
"links": {
"type": "object",
"properties": {
"self": {
"type": "string",
"format": "uri",
"description": "The link to the resource in question."
}
},
"description": "The link to the resources in question."
}
},
"description": "A prior role object."
},
"description": "A list of `role` objects"
},
"links": {
"type": "object",
"additionalProperties": {
"type": [
"string",
"null"
],
"format": "uri"
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
roles | body | array | A list of `role` objects |
roles[].id | body | string | The role ID. |
roles[].name | body | string | The role name. |
roles[].description | body | string | The role description. |
roles[].links | body | object | The link to the resources in question. |
roles[].links.self | body | string | The link to the resource in question. |
links | body | object | |
403¶
Error
404¶
Error
Check whether user has role assignment on domain¶
Assign role to user on domain¶
Unassign role from user on domain¶
List role assignments for group on domain¶
Lists role assignments for a group on a domain.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/domain_group_roles
Responses¶
200¶
Ok
{
"type": "object",
"description": "List of roles assigned to the resource",
"properties": {
"roles": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The role ID."
},
"name": {
"type": "string",
"description": "The role name."
},
"description": {
"type": "string",
"description": "The role description."
},
"links": {
"type": "object",
"properties": {
"self": {
"type": "string",
"format": "uri",
"description": "The link to the resource in question."
}
},
"description": "The link to the resources in question."
}
},
"description": "A prior role object."
},
"description": "A list of `role` objects"
},
"links": {
"type": "object",
"additionalProperties": {
"type": [
"string",
"null"
],
"format": "uri"
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
roles | body | array | A list of `role` objects |
roles[].id | body | string | The role ID. |
roles[].name | body | string | The role name. |
roles[].description | body | string | The role description. |
roles[].links | body | object | The link to the resources in question. |
roles[].links.self | body | string | The link to the resource in question. |
links | body | object | |
403¶
Error
404¶
Error
Check whether group has role assignment on domain¶
Assign role to group on domain¶
Unassign role from group on domain¶
Show role details¶
Shows details for a role.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/role
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"role": {
"type": "object",
"description": "A `role` object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The role ID.",
"readOnly": true
},
"links": {
"type": "object",
"additionalProperties": {
"type": [
"string",
"null"
],
"format": "uri"
},
"readOnly": true,
"description": "The link to the resources in question."
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+",
"description": "The role name."
},
"description": {
"type": "string",
"description": "The role description."
},
"options": {
"type": "object",
"properties": {
"immutable": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
}
},
"additionalProperties": false,
"description": "The resource options for the role. Available resource options are\n`immutable`."
}
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
role | body | object | A `role` object |
role.id | body | string | The role ID. |
role.links | body | object | The link to the resources in question. |
role.name | body | string | The role name. |
role.description | body | string | The role description. |
role.options | body | object | The resource options for the role. Available resource options are `immutable`. |
role.options.immutable | body | ['boolean', 'null'] | |
403¶
Error
404¶
Error
Update role¶
Updates a role.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/role
Request¶
Name | Location | Type | Description |
---|---|---|---|
role_id | path | string | role_id parameter for /v3/roles/{role_id} API |
role | body | object | A `role` object |
role.id | body | string | The role ID. |
role.links | body | object | The link to the resources in question. |
role.name | body | string | The role name. |
role.description | body | string | The role description. |
role.options | body | object | The resource options for the role. Available resource options are `immutable`. |
role.options.immutable | body | ['boolean', 'null'] | |
{
"type": "object",
"properties": {
"role": {
"type": "object",
"description": "A `role` object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The role ID.",
"readOnly": true
},
"links": {
"type": "object",
"additionalProperties": {
"type": [
"string",
"null"
],
"format": "uri"
},
"readOnly": true,
"description": "The link to the resources in question."
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+",
"description": "The role name."
},
"description": {
"type": "string",
"description": "The role description."
},
"options": {
"type": "object",
"properties": {
"immutable": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
}
},
"additionalProperties": false,
"description": "The resource options for the role. Available resource options are\n`immutable`."
}
}
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"role": {
"type": "object",
"description": "A `role` object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The role ID.",
"readOnly": true
},
"links": {
"type": "object",
"additionalProperties": {
"type": [
"string",
"null"
],
"format": "uri"
},
"readOnly": true,
"description": "The link to the resources in question."
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+",
"description": "The role name."
},
"description": {
"type": "string",
"description": "The role description."
},
"options": {
"type": "object",
"properties": {
"immutable": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
}
},
"additionalProperties": false,
"description": "The resource options for the role. Available resource options are\n`immutable`."
}
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
role | body | object | A `role` object |
role.id | body | string | The role ID. |
role.links | body | object | The link to the resources in question. |
role.name | body | string | The role name. |
role.description | body | string | The role description. |
role.options | body | object | The resource options for the role. Available resource options are `immutable`. |
role.options.immutable | body | ['boolean', 'null'] | |
403¶
Error
404¶
Error
Delete role¶
List roles¶
Lists roles.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/roles
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"roles": {
"type": "array",
"items": {
"type": "object",
"description": "A `role` object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The role ID.",
"readOnly": true
},
"links": {
"type": "object",
"additionalProperties": {
"type": [
"string",
"null"
],
"format": "uri"
},
"readOnly": true,
"description": "The link to the resources in question."
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+",
"description": "The role name."
},
"description": {
"type": "string",
"description": "The role description."
},
"options": {
"type": "object",
"properties": {
"immutable": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
}
},
"additionalProperties": false,
"description": "The resource options for the role. Available resource options are\n`immutable`."
}
}
},
"description": "A list of `role` objects"
},
"links": {
"type": "object",
"additionalProperties": {
"type": [
"string",
"null"
],
"format": "uri"
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
roles | body | array | A list of `role` objects |
roles[].id | body | string | The role ID. |
roles[].links | body | object | The link to the resources in question. |
roles[].name | body | string | The role name. |
roles[].description | body | string | The role description. |
roles[].options | body | object | The resource options for the role. Available resource options are `immutable`. |
roles[].options.immutable | body | ['boolean', 'null'] | |
links | body | object | |
403¶
Error
404¶
Error
Create role¶
Creates a role.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/roles
Request¶
Name | Location | Type | Description |
---|---|---|---|
role | body | object | A `role` object |
role.id | body | string | The role ID. |
role.links | body | object | The link to the resources in question. |
role.name | body | string | The role name. |
role.description | body | string | The role description. |
role.options | body | object | The resource options for the role. Available resource options are `immutable`. |
role.options.immutable | body | ['boolean', 'null'] | |
{
"type": "object",
"properties": {
"role": {
"type": "object",
"description": "A `role` object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The role ID.",
"readOnly": true
},
"links": {
"type": "object",
"additionalProperties": {
"type": [
"string",
"null"
],
"format": "uri"
},
"readOnly": true,
"description": "The link to the resources in question."
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+",
"description": "The role name."
},
"description": {
"type": "string",
"description": "The role description."
},
"options": {
"type": "object",
"properties": {
"immutable": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
}
},
"additionalProperties": false,
"description": "The resource options for the role. Available resource options are\n`immutable`."
}
}
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"role": {
"type": "object",
"description": "A `role` object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The role ID.",
"readOnly": true
},
"links": {
"type": "object",
"additionalProperties": {
"type": [
"string",
"null"
],
"format": "uri"
},
"readOnly": true,
"description": "The link to the resources in question."
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+",
"description": "The role name."
},
"description": {
"type": "string",
"description": "The role description."
},
"options": {
"type": "object",
"properties": {
"immutable": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
}
},
"additionalProperties": false,
"description": "The resource options for the role. Available resource options are\n`immutable`."
}
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
role | body | object | A `role` object |
role.id | body | string | The role ID. |
role.links | body | object | The link to the resources in question. |
role.name | body | string | The role name. |
role.description | body | string | The role description. |
role.options | body | object | The resource options for the role. Available resource options are `immutable`. |
role.options.immutable | body | ['boolean', 'null'] | |
403¶
Error
404¶
Error
List implied (inference) roles for role¶
Lists implied (inference) roles for a role.
Relationship: https://developer.openstack.org/api-ref/identity/v3/#list-implied-roles-for-role
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"role_inference": {
"type": "object",
"properties": {
"prior_role": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The role ID."
},
"name": {
"type": "string",
"description": "The role name."
},
"description": {
"type": "string",
"description": "The role description."
},
"links": {
"type": "object",
"properties": {
"self": {
"type": "string",
"format": "uri",
"description": "The link to the resource in question."
}
},
"description": "The link to the resources in question."
}
},
"description": "A prior role object."
},
"implies": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The role ID."
},
"name": {
"type": "string",
"description": "The role name."
},
"description": {
"type": "string",
"description": "The role description."
},
"links": {
"type": "object",
"properties": {
"self": {
"type": "string",
"format": "uri",
"description": "The link to the resource in question."
}
},
"description": "The link to the resources in question."
}
},
"description": "A prior role object."
},
"description": "An array of implied role objects."
}
},
"description": "Role inference object that contains `prior_role` object\nand `implies` object."
}
}
}
Name | Location | Type | Description |
---|---|---|---|
role_inference | body | object | Role inference object that contains `prior_role` object and `implies` object. |
role_inference.prior_role | body | object | A prior role object. |
role_inference.prior_role.id | body | string | The role ID. |
role_inference.prior_role.name | body | string | The role name. |
role_inference.prior_role.description | body | string | The role description. |
role_inference.prior_role.links | body | object | The link to the resources in question. |
role_inference.prior_role.links.self | body | string | The link to the resource in question. |
role_inference.implies | body | array | An array of implied role objects. |
role_inference.implies[].id | body | string | The role ID. |
role_inference.implies[].name | body | string | The role name. |
role_inference.implies[].description | body | string | The role description. |
role_inference.implies[].links | body | object | The link to the resources in question. |
role_inference.implies[].links.self | body | string | The link to the resource in question. |
403¶
Error
404¶
Error
Confirm role inference rule¶
Get role inference rule¶
Gets a role inference rule.
Relationship: https://developer.openstack.org/api-ref/identity/v3/#get-role-inference-rule
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"role_inference": {
"type": "object",
"properties": {
"prior_role": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The role ID."
},
"name": {
"type": "string",
"description": "The role name."
},
"description": {
"type": "string",
"description": "The role description."
},
"links": {
"type": "object",
"properties": {
"self": {
"type": "string",
"format": "uri",
"description": "The link to the resource in question."
}
},
"description": "The link to the resources in question."
}
},
"description": "A prior role object."
},
"implies": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The role ID."
},
"name": {
"type": "string",
"description": "The role name."
},
"description": {
"type": "string",
"description": "The role description."
},
"links": {
"type": "object",
"properties": {
"self": {
"type": "string",
"format": "uri",
"description": "The link to the resource in question."
}
},
"description": "The link to the resources in question."
}
},
"description": "An implied role object."
}
},
"description": "Role inference object that contains `prior_role` object\nand `implies` object."
}
}
}
Name | Location | Type | Description |
---|---|---|---|
role_inference | body | object | Role inference object that contains `prior_role` object and `implies` object. |
role_inference.prior_role | body | object | A prior role object. |
role_inference.prior_role.id | body | string | The role ID. |
role_inference.prior_role.name | body | string | The role name. |
role_inference.prior_role.description | body | string | The role description. |
role_inference.prior_role.links | body | object | The link to the resources in question. |
role_inference.prior_role.links.self | body | string | The link to the resource in question. |
role_inference.implies | body | object | An implied role object. |
role_inference.implies.id | body | string | The role ID. |
role_inference.implies.name | body | string | The role name. |
role_inference.implies.description | body | string | The role description. |
role_inference.implies.links | body | object | The link to the resources in question. |
role_inference.implies.links.self | body | string | The link to the resource in question. |
403¶
Error
404¶
Error
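An audit helper over the `role_inference` responses documented above, as an added example that is not part of the Keystone documentation. It accepts both shapes on this page (`implies` as an array from the list call, or as a single object from the get call) and assumes inference rules chain transitively; the role IDs, role names and function names are constructed for illustration.

```python
from collections import deque

# Constructed sample: one `role_inference` response per prior role.
SAMPLE_INFERENCES = [
    {"role_inference": {"prior_role": {"id": "r-admin", "name": "admin"},
                        "implies": [{"id": "r-member", "name": "member"}]}},
    {"role_inference": {"prior_role": {"id": "r-member", "name": "member"},
                        "implies": [{"id": "r-reader", "name": "reader"}]}},
    # Single-rule shape: `implies` is one object, not an array.
    {"role_inference": {"prior_role": {"id": "r-helpdesk", "name": "helpdesk"},
                        "implies": {"id": "r-admin", "name": "admin"}}},
    {"role_inference": {"prior_role": {"id": "r-reader", "name": "reader"},
                        "implies": []}},
]


def build_graph(responses):
    """Return (edges, names): prior role ID -> implied role IDs, and ID -> name."""
    edges, names = {}, {}
    for response in responses:
        inference = response["role_inference"]
        prior = inference["prior_role"]
        names[prior["id"]] = prior.get("name", prior["id"])
        implied = inference.get("implies", [])
        if isinstance(implied, dict):  # get-rule shape
            implied = [implied]
        targets = edges.setdefault(prior["id"], [])
        for role in implied:
            names[role["id"]] = role.get("name", role["id"])
            if role["id"] not in targets:
                targets.append(role["id"])
    return edges, names


def effective_roles(assigned_ids, edges):
    """Expand directly assigned roles with everything they imply (cycle-safe)."""
    seen = set(assigned_ids)
    queue = deque(assigned_ids)
    while queue:
        for implied in edges.get(queue.popleft(), []):
            if implied not in seen:
                seen.add(implied)
                queue.append(implied)
    return seen


def paths_to(target_id, edges):
    """Map each prior role that reaches target_id to its shortest implication chain."""
    chains = {}
    for start in edges:
        if start == target_id:
            continue
        parent = {start: None}
        queue = deque([start])
        while queue and target_id not in parent:
            current = queue.popleft()
            for implied in edges.get(current, []):
                if implied not in parent:
                    parent[implied] = current
                    queue.append(implied)
        if target_id in parent:
            chain, node = [], target_id
            while node is not None:
                chain.append(node)
                node = parent[node]
            chains[start] = chain[::-1]
    return chains


if __name__ == "__main__":
    edges, names = build_graph(SAMPLE_INFERENCES)
    print(sorted(names[r] for r in effective_roles(["r-helpdesk"], edges)))
    print(paths_to("r-admin", edges))
```

Reviewing `paths_to` for a privileged role shows which lower-sounding roles grant it indirectly, which a plain role-assignment listing does not reveal.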
Create role inference rule¶
Creates a role inference rule.
Relationship: https://developer.openstack.org/api-ref/identity/v3/#create-role-inference-rule
Request¶
Name | Location | Type | Description |
---|---|---|---|
prior_role_id | path | string | prior_role_id parameter for /v3/roles/{prior_role_id}/implies/{implied_role_id} API |
implied_role_id | path | string | implied_role_id parameter for /v3/roles/{prior_role_id}/implies/{implied_role_id} API |
{
"type": "object",
"description": "Request of the roles/prior_role_id/implies/implied_role_id:put operation",
"x-openstack": {
"action-name": "PUT"
}
}
Responses¶
201¶
Ok
{
"type": "object",
"properties": {
"role_inference": {
"type": "object",
"properties": {
"prior_role": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The role ID."
},
"name": {
"type": "string",
"description": "The role name."
},
"description": {
"type": "string",
"description": "The role description."
},
"links": {
"type": "object",
"properties": {
"self": {
"type": "string",
"format": "uri",
"description": "The link to the resource in question."
}
},
"description": "The link to the resources in question."
}
},
"description": "A prior role object."
},
"implies": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The role ID."
},
"name": {
"type": "string",
"description": "The role name."
},
"description": {
"type": "string",
"description": "The role description."
},
"links": {
"type": "object",
"properties": {
"self": {
"type": "string",
"format": "uri",
"description": "The link to the resource in question."
}
},
"description": "The link to the resources in question."
}
},
"description": "An implied role object."
}
},
"description": "Role inference object that contains `prior_role` object\nand `implies` object."
}
}
}
Name | Location | Type | Description |
---|---|---|---|
role_inference | body | object | Role inference object that contains `prior_role` object and `implies` object. |
role_inference.prior_role | body | object | A prior role object. |
role_inference.prior_role.id | body | string | The role ID. |
role_inference.prior_role.name | body | string | The role name. |
role_inference.prior_role.description | body | string | The role description. |
role_inference.prior_role.links | body | object | The link to the resources in question. |
role_inference.prior_role.links.self | body | string | The link to the resource in question. |
role_inference.implies | body | object | An implied role object. |
role_inference.implies.id | body | string | The role ID. |
role_inference.implies.name | body | string | The role name. |
role_inference.implies.description | body | string | The role description. |
role_inference.implies.links | body | object | The link to the resources in question. |
role_inference.implies.links.self | body | string | The link to the resource in question. |
403¶
Error
404¶
Error
Delete role inference rule¶
ec2tokens¶
endpoints¶
Show endpoint details¶
Shows details for an endpoint.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/endpoints
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"endpoint": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"description": "Indicates whether the endpoint appears in the\nservice catalog: \\- `false`. The endpoint does not appear in the\nservice catalog. \\- `true`. The endpoint appears in the service\ncatalog."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The endpoint ID.",
"readOnly": true
},
"interface": {
"type": "string",
"enum": [
"internal",
"admin",
"public"
],
"description": "The interface type, which describes the\nvisibility of the endpoint. Value is: \\- `public`. Visible by\nend users on a publicly available network interface. \\-\n`internal`. Visible by end users on an unmetered internal\nnetwork interface. \\- `admin`. Visible by administrative users\non a secure network interface."
},
"region": {
"type": "string",
"description": "(Deprecated in v3\\.2\\) The geographic location of\nthe service endpoint.",
"x-openstack": {
"max-ver": "3.2"
}
},
"region_id": {
"type": "string",
"format": "uuid",
"description": "(Since v3\\.2\\) The ID of the region that contains\nthe service endpoint.",
"x-openstack": {
"min-ver": "3.2"
}
},
"service_id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint\nbelongs."
},
"url": {
"type": "string",
"format": "uri",
"description": "The endpoint URL."
}
},
"description": "An `endpoint` object."
}
}
}
Name | Location | Type | Description |
---|---|---|---|
endpoint | body | object | An `endpoint` object. |
endpoint.enabled | body | boolean | Indicates whether the endpoint appears in the service catalog: `false`, the endpoint does not appear in the service catalog; `true`, the endpoint appears in the service catalog. |
endpoint.id | body | string | The endpoint ID. |
endpoint.interface | body | string | The interface type, which describes the visibility of the endpoint. Value is: `public`, visible by end users on a publicly available network interface; `internal`, visible by end users on an unmetered internal network interface; `admin`, visible by administrative users on a secure network interface. |
endpoint.region | body | string | (Deprecated in v3.2) The geographic location of the service endpoint. |
endpoint.region_id | body | string | (Since v3.2) The ID of the region that contains the service endpoint. |
endpoint.service_id | body | string | The UUID of the service to which the endpoint belongs. |
endpoint.url | body | string | The endpoint URL. |
403¶
Error
404¶
Error
Update endpoint¶
Updates an endpoint.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/endpoint
Request¶
Name | Location | Type | Description |
---|---|---|---|
endpoint_id | path | string | endpoint_id parameter for /v3/endpoints/{endpoint_id} API |
{
"type": "object",
"description": "Request of the endpoints/endpoint_id:patch operation",
"x-openstack": {
"action-name": "PATCH"
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"endpoint": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"description": "Indicates whether the endpoint appears in the\nservice catalog: \\- `false`. The endpoint does not appear in the\nservice catalog. \\- `true`. The endpoint appears in the service\ncatalog."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The endpoint ID.",
"readOnly": true
},
"interface": {
"type": "string",
"enum": [
"internal",
"admin",
"public"
],
"description": "The interface type, which describes the\nvisibility of the endpoint. Value is: \\- `public`. Visible by\nend users on a publicly available network interface. \\-\n`internal`. Visible by end users on an unmetered internal\nnetwork interface. \\- `admin`. Visible by administrative users\non a secure network interface."
},
"region": {
"type": "string",
"description": "(Deprecated in v3\\.2\\) The geographic location of\nthe service endpoint.",
"x-openstack": {
"max-ver": "3.2"
}
},
"region_id": {
"type": "string",
"format": "uuid",
"description": "(Since v3\\.2\\) The ID of the region that contains\nthe service endpoint.",
"x-openstack": {
"min-ver": "3.2"
}
},
"service_id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint\nbelongs."
},
"url": {
"type": "string",
"format": "uri",
"description": "The endpoint URL."
}
},
"description": "An `endpoint` object."
}
}
}
Name | Location | Type | Description |
---|---|---|---|
endpoint | body | object | An `endpoint` object. |
endpoint.enabled | body | boolean | Indicates whether the endpoint appears in the service catalog: `false`, the endpoint does not appear in the service catalog; `true`, the endpoint appears in the service catalog. |
endpoint.id | body | string | The endpoint ID. |
endpoint.interface | body | string | The interface type, which describes the visibility of the endpoint. Value is: `public`, visible by end users on a publicly available network interface; `internal`, visible by end users on an unmetered internal network interface; `admin`, visible by administrative users on a secure network interface. |
endpoint.region | body | string | (Deprecated in v3.2) The geographic location of the service endpoint. |
endpoint.region_id | body | string | (Since v3.2) The ID of the region that contains the service endpoint. |
endpoint.service_id | body | string | The UUID of the service to which the endpoint belongs. |
endpoint.url | body | string | The endpoint URL. |
403¶
Error
404¶
Error
Delete endpoint¶
List endpoints¶
Lists all available endpoints.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/endpoints
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"endpoints": {
"type": "array",
"items": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"description": "Indicates whether the endpoint appears in the\nservice catalog: \\- `false`. The endpoint does not appear in the\nservice catalog. \\- `true`. The endpoint appears in the service\ncatalog."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The endpoint ID.",
"readOnly": true
},
"interface": {
"type": "string",
"enum": [
"internal",
"admin",
"public"
],
"description": "The interface type, which describes the\nvisibility of the endpoint. Value is: \\- `public`. Visible by\nend users on a publicly available network interface. \\-\n`internal`. Visible by end users on an unmetered internal\nnetwork interface. \\- `admin`. Visible by administrative users\non a secure network interface."
},
"region": {
"type": "string",
"description": "(Deprecated in v3\\.2\\) The geographic location of\nthe service endpoint.",
"x-openstack": {
"max-ver": "3.2"
}
},
"region_id": {
"type": "string",
"format": "uuid",
"description": "(Since v3\\.2\\) The ID of the region that contains\nthe service endpoint.",
"x-openstack": {
"min-ver": "3.2"
}
},
"service_id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint\nbelongs."
},
"url": {
"type": "string",
"format": "uri",
"description": "The endpoint URL."
}
},
"description": "An `endpoint` object."
},
"description": "A list of `endpoint` objects."
}
}
}
Name | Location | Type | Description |
---|---|---|---|
endpoints | body | array | A list of `endpoint` objects. |
endpoints[].enabled | body | boolean | Indicates whether the endpoint appears in the service catalog: `false`, the endpoint does not appear in the service catalog; `true`, the endpoint appears in the service catalog. |
endpoints[].id | body | string | The endpoint ID. |
endpoints[].interface | body | string | The interface type, which describes the visibility of the endpoint. Value is: `public`, visible by end users on a publicly available network interface; `internal`, visible by end users on an unmetered internal network interface; `admin`, visible by administrative users on a secure network interface. |
endpoints[].region | body | string | (Deprecated in v3.2) The geographic location of the service endpoint. |
endpoints[].region_id | body | string | (Since v3.2) The ID of the region that contains the service endpoint. |
endpoints[].service_id | body | string | The UUID of the service to which the endpoint belongs. |
endpoints[].url | body | string | The endpoint URL. |
403¶
Error
404¶
Error
Create endpoint¶
Creates an endpoint.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/endpoints
Request¶
Name | Location | Type | Description |
---|---|---|---|
endpoint | body | object | An `endpoint` object. |
endpoint.enabled | body | boolean | Indicates whether the endpoint appears in the service catalog: `false`, the endpoint does not appear in the service catalog; `true`, the endpoint appears in the service catalog. |
endpoint.id | body | string | The endpoint ID. |
endpoint.interface | body | string | The interface type, which describes the visibility of the endpoint. Value is: `public`, visible by end users on a publicly available network interface; `internal`, visible by end users on an unmetered internal network interface; `admin`, visible by administrative users on a secure network interface. |
endpoint.region | body | string | (Deprecated in v3.2) The geographic location of the service endpoint. |
endpoint.region_id | body | string | (Since v3.2) The ID of the region that contains the service endpoint. |
endpoint.service_id | body | string | The UUID of the service to which the endpoint belongs. |
endpoint.url | body | string | The endpoint URL. |
{
"type": "object",
"properties": {
"endpoint": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"description": "Indicates whether the endpoint appears in the\nservice catalog: \\- `false`. The endpoint does not appear in the\nservice catalog. \\- `true`. The endpoint appears in the service\ncatalog."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The endpoint ID.",
"readOnly": true
},
"interface": {
"type": "string",
"enum": [
"internal",
"admin",
"public"
],
"description": "The interface type, which describes the\nvisibility of the endpoint. Value is: \\- `public`. Visible by\nend users on a publicly available network interface. \\-\n`internal`. Visible by end users on an unmetered internal\nnetwork interface. \\- `admin`. Visible by administrative users\non a secure network interface."
},
"region": {
"type": "string",
"description": "(Deprecated in v3\\.2\\) The geographic location of\nthe service endpoint.",
"x-openstack": {
"max-ver": "3.2"
}
},
"region_id": {
"type": "string",
"format": "uuid",
"description": "(Since v3\\.2\\) The ID of the region that contains\nthe service endpoint.",
"x-openstack": {
"min-ver": "3.2"
}
},
"service_id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint\nbelongs."
},
"url": {
"type": "string",
"format": "uri",
"description": "The endpoint URL."
}
},
"description": "An `endpoint` object."
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"endpoint": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"description": "Indicates whether the endpoint appears in the\nservice catalog: \\- `false`. The endpoint does not appear in the\nservice catalog. \\- `true`. The endpoint appears in the service\ncatalog."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The endpoint ID.",
"readOnly": true
},
"interface": {
"type": "string",
"enum": [
"internal",
"admin",
"public"
],
"description": "The interface type, which describes the\nvisibility of the endpoint. Value is: \\- `public`. Visible by\nend users on a publicly available network interface. \\-\n`internal`. Visible by end users on an unmetered internal\nnetwork interface. \\- `admin`. Visible by administrative users\non a secure network interface."
},
"region": {
"type": "string",
"description": "(Deprecated in v3\\.2\\) The geographic location of\nthe service endpoint.",
"x-openstack": {
"max-ver": "3.2"
}
},
"region_id": {
"type": "string",
"format": "uuid",
"description": "(Since v3\\.2\\) The ID of the region that contains\nthe service endpoint.",
"x-openstack": {
"min-ver": "3.2"
}
},
"service_id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint\nbelongs."
},
"url": {
"type": "string",
"format": "uri",
"description": "The endpoint URL."
}
},
"description": "An `endpoint` object."
}
}
}
Name | Location | Type | Description |
---|---|---|---|
endpoint | body | object | An `endpoint` object. |
endpoint.enabled | body | boolean | Indicates whether the endpoint appears in the service catalog: `false`, the endpoint does not appear in the service catalog; `true`, the endpoint appears in the service catalog. |
endpoint.id | body | string | The endpoint ID. |
endpoint.interface | body | string | The interface type, which describes the visibility of the endpoint. Value is: `public`, visible by end users on a publicly available network interface; `internal`, visible by end users on an unmetered internal network interface; `admin`, visible by administrative users on a secure network interface. |
endpoint.region | body | string | (Deprecated in v3.2) The geographic location of the service endpoint. |
endpoint.region_id | body | string | (Since v3.2) The ID of the region that contains the service endpoint. |
endpoint.service_id | body | string | The UUID of the service to which the endpoint belongs. |
endpoint.url | body | string | The endpoint URL. |
403¶
Error
404¶
Error
Show the effective policy associated with an endpoint¶
Returns the policy that is currently associated with the given endpoint, by working through the ordered sequence of methods of association. The first association that is found will be returned. If the region of the endpoint has a parent, then region associations will be examined up the region tree in ascending order.
A HEAD version of this API is also supported.
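The resolution described above, as an added example (not Keystone's code): an audit that reads only direct associations misses the policy an endpoint actually inherits. It assumes the order is endpoint, then service plus region walked up the region tree, then service alone, and uses constructed IDs and in-memory maps in place of Keystone's storage.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class PolicyAssociations:
    """In-memory stand-in for the three kinds of policy association (assumed model)."""
    by_endpoint: Dict[str, str] = field(default_factory=dict)
    by_service_region: Dict[Tuple[str, str], str] = field(default_factory=dict)
    by_service: Dict[str, str] = field(default_factory=dict)


class RegionCycleError(ValueError):
    """The region parent chain loops back on itself."""


def effective_policy(endpoint: dict,
                     region_parent: Dict[str, Optional[str]],
                     assoc: PolicyAssociations) -> Optional[Tuple[str, str]]:
    """Return (policy_id, matched_by) for the first association found, else None.

    `endpoint` uses the id / service_id / region_id fields of the endpoint object.
    """
    # 1. An association made directly with this endpoint wins outright.
    policy = assoc.by_endpoint.get(endpoint["id"])
    if policy is not None:
        return policy, "endpoint"

    # 2. Service + region, starting at the endpoint's own region and climbing
    #    to each parent in turn. Visited regions are tracked so a malformed
    #    region tree cannot loop forever.
    service_id = endpoint["service_id"]
    region_id = endpoint.get("region_id")
    visited = set()
    while region_id is not None:
        if region_id in visited:
            raise RegionCycleError(f"region tree loops at {region_id!r}")
        visited.add(region_id)
        policy = assoc.by_service_region.get((service_id, region_id))
        if policy is not None:
            return policy, f"service+region:{region_id}"
        region_id = region_parent.get(region_id)

    # 3. Fall back to an association with the service as a whole.
    policy = assoc.by_service.get(service_id)
    if policy is not None:
        return policy, "service"
    return None


# Constructed sample data: region tree (child -> parent), associations, endpoints.
REGION_PARENT = {"emea": None, "emea-west": "emea", "emea-west-1": "emea-west"}
ASSOC = PolicyAssociations(
    by_endpoint={"ep-direct": "policy-strict"},
    by_service_region={("svc-compute", "emea"): "policy-emea"},
    by_service={"svc-compute": "policy-default"},
)
ENDPOINTS = [
    {"id": "ep-direct", "service_id": "svc-compute", "region_id": "emea-west-1"},
    {"id": "ep-regional", "service_id": "svc-compute", "region_id": "emea-west-1"},
    {"id": "ep-global", "service_id": "svc-compute", "region_id": "apac"},
    {"id": "ep-orphan", "service_id": "svc-image", "region_id": "emea"},
]


def audit(endpoints, region_parent, assoc):
    """Map each endpoint ID to its resolved policy; None means no association."""
    return {ep["id"]: effective_policy(ep, region_parent, assoc) for ep in endpoints}


if __name__ == "__main__":
    for ep_id, result in audit(ENDPOINTS, REGION_PARENT, ASSOC).items():
        print(ep_id, "->", result if result else "NO POLICY ASSOCIATED")
```

Endpoints that resolve to `None` have no policy association of any kind and are the ones to review first.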
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the endpoints/endpoint_id/OS-ENDPOINT-POLICY/policy:get operation"
}
403¶
Error
404¶
Error
groups¶
Show group details¶
Shows details for a group.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/group
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"group": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"readOnly": true,
"description": "The ID of the group."
},
"description": {
"type": [
"string",
"null"
],
"description": "The description of the group."
},
"domain_id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the domain of the group."
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+",
"description": "The name of the group."
}
},
"description": "A `group` object"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
group | body | object | A `group` object |
group.id | body | string | The ID of the group. |
group.description | body | [‘string’, ‘null’] | The description of the group. |
group.domain_id | body | string | The ID of the domain of the group. |
group.name | body | string | The name of the group. |
403¶
Error
404¶
Error
Update group¶
Updates a group.
If the back-end driver does not support this functionality, the call returns the Not Implemented (501) response code.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/group
Request¶
Name | Location | Type | Description |
---|---|---|---|
group_id | path | string | group_id parameter for /v3/groups/{group_id} API |
group | body | object | A `group` object |
group.id | body | string | The ID of the group. |
group.description | body | [‘string’, ‘null’] | The description of the group. |
group.domain_id | body | string | The ID of the domain of the group. |
group.name | body | string | The name of the group. |
{
"type": "object",
"properties": {
"group": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"readOnly": true,
"description": "The ID of the group."
},
"description": {
"type": [
"string",
"null"
],
"description": "The description of the group."
},
"domain_id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the domain of the group."
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+",
"description": "The name of the group."
}
},
"description": "A `group` object"
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"group": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"readOnly": true,
"description": "The ID of the group."
},
"description": {
"type": [
"string",
"null"
],
"description": "The description of the group."
},
"domain_id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the domain of the group."
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+",
"description": "The name of the group."
}
},
"description": "A `group` object"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
group | body | object | A `group` object |
group.id | body | string | The ID of the group. |
group.description | body | [‘string’, ‘null’] | The description of the group. |
group.domain_id | body | string | The ID of the domain of the group. |
group.name | body | string | The name of the group. |
403¶
Error
404¶
Error
Delete group¶
List groups¶
Lists groups.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/groups
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"groups": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"readOnly": true,
"description": "The ID of the group."
},
"description": {
"type": [
"string",
"null"
],
"description": "The description of the group."
},
"domain_id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the domain of the group."
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+",
"description": "The name of the group."
}
},
"description": "A `group` object"
},
"description": "A list of `group` objects"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
groups | body | array | A list of `group` objects |
groups[].id | body | string | The ID of the group. |
groups[].description | body | [‘string’, ‘null’] | The description of the group. |
groups[].domain_id | body | string | The ID of the domain of the group. |
groups[].name | body | string | The name of the group. |
403¶
Error
404¶
Error
Create group¶
Creates a group.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/groups
Request¶
Name | Location | Type | Description |
---|---|---|---|
group | body | object | A `group` object |
group.id | body | string | The ID of the group. |
group.description | body | [‘string’, ‘null’] | The description of the group. |
group.domain_id | body | string | The ID of the domain of the group. |
group.name | body | string | The name of the group. |
{
"type": "object",
"properties": {
"group": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"readOnly": true,
"description": "The ID of the group."
},
"description": {
"type": [
"string",
"null"
],
"description": "The description of the group."
},
"domain_id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the domain of the group."
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+",
"description": "The name of the group."
}
},
"description": "A `group` object"
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"group": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"readOnly": true,
"description": "The ID of the group."
},
"description": {
"type": [
"string",
"null"
],
"description": "The description of the group."
},
"domain_id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the domain of the group."
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+",
"description": "The name of the group."
}
},
"description": "A `group` object"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
group | body | object | A `group` object |
group.id | body | string | The ID of the group. |
group.description | body | [‘string’, ‘null’] | The description of the group. |
group.domain_id | body | string | The ID of the domain of the group. |
group.name | body | string | The name of the group. |
403¶
Error
404¶
Error
List users in group¶
Lists the users that belong to a group.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/group_users
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"users": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"readOnly": true,
"description": "The user ID."
},
"default_project_id": {
"type": [
"string",
"null"
],
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the default project for the user."
},
"description": {
"type": [
"string",
"null"
]
},
"domain_id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the domain."
},
"enabled": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "Whether the Service Provider is enabled or not"
},
"federated": {
"type": "array",
"items": {
"type": "object",
"properties": {
"idp_id": {
"type": "string"
},
"protocols": {
"type": "array",
"items": {
"type": "object",
"properties": {
"protocol_id": {
"type": "string"
},
"unique_id": {
"type": "string"
}
},
"required": [
"protocol_id",
"unique_id"
]
},
"minItems": 1
}
},
"required": [
"idp_id",
"protocols"
]
},
"description": "List of federated objects associated with a user. Each object in the list\ncontains the `idp_id` and `protocols`. `protocols` is a list of\nobjects, each of which contains `protocol_id` and `unique_id` of\nthe protocol and user respectively. For example:\n\n\n\n```\n\"federated\": [\n {\n \"idp_id\": \"efbab5a6acad4d108fec6c63d9609d83\",\n \"protocols\": [\n {\"protocol_id\": \"mapped\", \"unique_id\": \"test@example.com\"}\n ]\n }\n]\n\n```"
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+",
"description": "The user name. Must be unique within the owning domain."
},
"password": {
"type": [
"string",
"null"
],
"description": "The new password for the user."
},
"options": {
"type": "object",
"properties": {
"ignore_change_password_upon_first_use": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"ignore_password_expiry": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"ignore_lockout_failure_attempts": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"lock_password": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"ignore_user_inactivity": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"multi_factor_auth_rules": {
"type": [
"array",
"null"
],
"items": {
"type": "array",
"items": {
"type": "string"
},
"minItems": 1,
"uniqueItems": true
},
"uniqueItems": true
},
"multi_factor_auth_enabled": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
}
},
"additionalProperties": false,
"description": "The resource options for the user. Available resource options are\n`ignore_change_password_upon_first_use`, `ignore_password_expiry`,\n `ignore_lockout_failure_attempts`, `lock_password`,\n`multi_factor_auth_enabled`, and `multi_factor_auth_rules`\n`ignore_user_inactivity`."
}
},
"description": "A `user` object"
},
"description": "A list of `user` objects"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
users | body | array | A list of `user` objects |
users[].id | body | string | The user ID. |
users[].default_project_id | body | [‘string’, ‘null’] | The ID of the default project for the user. |
users[].description | body | [‘string’, ‘null’] | |
users[].domain_id | body | string | The ID of the domain. |
users[].enabled | body | boolean | Whether the Service Provider is enabled or not |
users[].federated | body | array | List of federated objects associated with a user. Each object in the list contains the `idp_id` and `protocols`. `protocols` is a list of objects, each of which contains `protocol_id` and `unique_id` of the protocol and user respectively. For example: `"federated": [{"idp_id": "efbab5a6acad4d108fec6c63d9609d83", "protocols": [{"protocol_id": "mapped", "unique_id": "test@example.com"}]}]` |
users[].federated[].idp_id | body | string | |
users[].federated[].protocols | body | array | |
users[].federated[].protocols[].protocol_id | body | string | |
users[].federated[].protocols[].unique_id | body | string | |
users[].name | body | string | The user name. Must be unique within the owning domain. |
users[].password | body | [‘string’, ‘null’] | The new password for the user. |
users[].options | body | object | The resource options for the user. Available resource options are `ignore_change_password_upon_first_use`, `ignore_password_expiry`, `ignore_lockout_failure_attempts`, `lock_password`, `multi_factor_auth_enabled`, `multi_factor_auth_rules`, and `ignore_user_inactivity`. |
users[].options.ignore_change_password_upon_first_use | body | [‘boolean’, ‘null’] | |
users[].options.ignore_password_expiry | body | [‘boolean’, ‘null’] | |
users[].options.ignore_lockout_failure_attempts | body | [‘boolean’, ‘null’] | |
users[].options.lock_password | body | [‘boolean’, ‘null’] | |
users[].options.ignore_user_inactivity | body | [‘boolean’, ‘null’] | |
users[].options.multi_factor_auth_rules | body | [‘array’, ‘null’] | |
users[].options.multi_factor_auth_enabled | body | [‘boolean’, ‘null’] | |
403¶
Error
404¶
Error
Check whether user belongs to group¶
Add user to group¶
Remove user from group¶
limits¶
Show Limit Details¶
Update Limit¶
Updates the specified limit. Only `resource_limit` or `description` can be updated for the limit.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/limit
Request¶
Name | Location | Type | Description |
---|---|---|---|
limit_id | path | string | limit_id parameter for /v3/limits/{limit_id} API |
{
"type": "object",
"description": "Request of the limits/limit_id:patch operation",
"x-openstack": {
"action-name": "PATCH"
}
}
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the limits/limit_id:patch operation"
}
403¶
Error
404¶
Error
Delete Limit¶
List Limits¶
Create Limits¶
Creates limits. More than one limit can be created in one request.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/limits
Request¶
{
"type": "object",
"description": "Request of the limits:post operation",
"x-openstack": {
"action-name": "POST"
}
}
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the limits:post operation"
}
403¶
Error
404¶
Error
Get Enforcement Model¶
OS-EP-FILTER¶
Check Endpoint Group¶
Get Endpoint Group¶
Update Endpoint Group¶
Modify attributes of an endpoint group.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group
Request¶
Name | Location | Type | Description |
---|---|---|---|
endpoint_group_id | path | string | endpoint_group_id parameter for /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} API |
{
"type": "object",
"description": "Request of the OS-EP-FILTER/endpoint_groups/endpoint_group_id:patch operation",
"x-openstack": {
"action-name": "PATCH"
}
}
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the OS-EP-FILTER/endpoint_groups/endpoint_group_id:patch operation"
}
403¶
Error
404¶
Error
Delete Endpoint Group¶
List Endpoint Groups¶
Create Endpoint Group¶
Creates a new endpoint group filter that represents a dynamic collection of service endpoints having the same characteristics.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_groups
Request¶
{
"type": "object",
"description": "Request of the OS-EP-FILTER/endpoint_groups:post operation",
"x-openstack": {
"action-name": "POST"
}
}
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the OS-EP-FILTER/endpoint_groups:post operation"
}
403¶
Error
404¶
Error
List Associations by Endpoint¶
Returns all projects that are currently associated with `endpoint_id`.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_projects
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the OS-EP-FILTER/endpoints/endpoint_id/projects:get operation"
}
403¶
Error
404¶
Error
Check Association¶
Create Association¶
Creates a direct association between `project_id` and `endpoint_id`.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint
Request¶
Name | Location | Type | Description |
---|---|---|---|
project_id | path | string | project_id parameter for /v3/OS-EP-FILTER/projects/{project_id}/endpoints API |
endpoint_id | path | string | endpoint_id parameter for /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} API |
{
"type": "object",
"description": "Request of the OS-EP-FILTER/projects/project_id/endpoints/endpoint_id:put operation",
"x-openstack": {
"action-name": "PUT"
}
}
Responses¶
201¶
Ok
{
"type": "object",
"description": "Response of the OS-EP-FILTER/projects/project_id/endpoints/endpoint_id:put operation"
}
403¶
Error
404¶
Error
Delete Association¶
List Associations by Project¶
Returns all endpoints that are currently associated with `project_id`.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoints
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the OS-EP-FILTER/projects/project_id/endpoints:get operation"
}
403¶
Error
404¶
Error
List Endpoint Groups Associated with Project¶
Returns all the endpoint groups that are currently associated with `project_id`.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint_groups
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the OS-EP-FILTER/projects/project_id/endpoint_groups:get operation"
}
403¶
Error
404¶
Error
List Endpoints Associated with Endpoint Group¶
Returns all the endpoints that are currently associated with `endpoint_group_id`.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_endpoints
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the OS-EP-FILTER/endpoint_groups/endpoint_group_id/endpoints:get operation"
}
403¶
Error
404¶
Error
List Projects Associated with Endpoint Group¶
Returns all projects that are currently associated with `endpoint_group_id`.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_projects
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the OS-EP-FILTER/endpoint_groups/endpoint_group_id/projects:get operation"
}
403¶
Error
404¶
Error
Check Endpoint Group to Project Association¶
Get Endpoint Group to Project Association¶
Verifies the existence of an association between `project_id` and `endpoint_group_id`.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_project
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the OS-EP-FILTER/endpoint_groups/endpoint_group_id/projects/project_id:get operation"
}
403¶
Error
404¶
Error
Create Endpoint Group to Project Association¶
Creates an association between `endpoint_group_id` and `project_id`.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_project
Request¶
Name | Location | Type | Description |
---|---|---|---|
endpoint_group_id | path | string | endpoint_group_id parameter for /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} API |
project_id | path | string | project_id parameter for /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} API |
{
"type": "object",
"description": "Request of the OS-EP-FILTER/endpoint_groups/endpoint_group_id/projects/project_id:put operation",
"x-openstack": {
"action-name": "PUT"
}
}
Responses¶
201¶
Ok
{
"type": "object",
"description": "Response of the OS-EP-FILTER/endpoint_groups/endpoint_group_id/projects/project_id:put operation"
}
403¶
Error
404¶
Error
Delete Endpoint Group to Project Association¶
OS-INHERIT¶
Check if group has an inherited project role on domain¶
Check for an inherited grant for a group on a domain.
GET/HEAD /OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the OS-INHERIT/domains/domain_id/groups/group_id/roles/role_id/inherited_to_projects:get operation"
}
403¶
Error
404¶
Error
Assign role to group on projects owned by a domain¶
The inherited role is only applied to the owned projects (both existing and future projects), and will not appear as a role in a domain scoped token.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_group_role_inherited_to_projects
Request¶
Name | Location | Type | Description |
---|---|---|---|
domain_id | path | string | domain_id parameter for /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects API |
group_id | path | string | group_id parameter for /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects API |
role_id | path | string | role_id parameter for /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects API |
{
"type": "object",
"description": "Request of the OS-INHERIT/domains/domain_id/groups/group_id/roles/role_id/inherited_to_projects:put operation",
"x-openstack": {
"action-name": "PUT"
}
}
Responses¶
201¶
Ok
{
"type": "object",
"description": "Response of the OS-INHERIT/domains/domain_id/groups/group_id/roles/role_id/inherited_to_projects:put operation"
}
403¶
Error
404¶
Error
Revoke an inherited project role from group on domain¶
List group’s inherited project roles on domain¶
The list only contains those role assignments to the domain that were specified as being inherited to projects within that domain.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_group_roles_inherited_to_projects
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the OS-INHERIT/domains/domain_id/groups/group_id/roles/role_id/inherited_to_projects:get operation"
}
403¶
Error
404¶
Error
Check if user has an inherited project role on domain¶
Check for an inherited grant for a user on a domain.
GET/HEAD /OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the OS-INHERIT/domains/domain_id/users/user_id/roles/role_id/inherited_to_projects:get operation"
}
403¶
Error
404¶
Error
Assign role to user on projects owned by domain¶
Assigns a role to a user in projects owned by a domain.
The inherited role is only applied to the owned projects (both existing and future projects), and will not appear as a role in a domain scoped token.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_role_inherited_to_projects
Request¶
Name | Location | Type | Description |
---|---|---|---|
domain_id | path | string | domain_id parameter for /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects API |
user_id | path | string | user_id parameter for /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects API |
role_id | path | string | role_id parameter for /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects API |
{
"type": "object",
"description": "Request of the OS-INHERIT/domains/domain_id/users/user_id/roles/role_id/inherited_to_projects:put operation",
"x-openstack": {
"action-name": "PUT"
}
}
Responses¶
201¶
Ok
{
"type": "object",
"description": "Response of the OS-INHERIT/domains/domain_id/users/user_id/roles/role_id/inherited_to_projects:put operation"
}
403¶
Error
404¶
Error
Revoke an inherited project role from user on domain¶
List user’s inherited project roles on a domain¶
The list only contains those role assignments to the domain that were specified as being inherited to projects within that domain.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_roles_inherited_to_projects
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the OS-INHERIT/domains/domain_id/users/user_id/roles/role_id/inherited_to_projects:get operation"
}
403¶
Error
404¶
Error
Check if user has an inherited project role on project¶
Check for an inherited grant for a user on a project.
GET/HEAD /OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the OS-INHERIT/projects/project_id/users/user_id/roles/role_id/inherited_to_projects:get operation"
}
403¶
Error
404¶
Error
Assign role to user on projects in a subtree¶
The inherited role assignment is anchored to a project and applied to its subtree in the projects hierarchy (both existing and future projects).
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/project_user_role_inherited_to_projects
Request¶
Name | Location | Type | Description |
---|---|---|---|
project_id | path | string | project_id parameter for /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects API |
user_id | path | string | user_id parameter for /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects API |
role_id | path | string | role_id parameter for /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects API |
{
"type": "object",
"description": "Request of the OS-INHERIT/projects/project_id/users/user_id/roles/role_id/inherited_to_projects:put operation",
"x-openstack": {
"action-name": "PUT"
}
}
Responses¶
201¶
Ok
{
"type": "object",
"description": "Response of the OS-INHERIT/projects/project_id/users/user_id/roles/role_id/inherited_to_projects:put operation"
}
403¶
Error
404¶
Error
Revoke an inherited project role from user on project¶
Check if group has an inherited project role on project¶
Check for an inherited grant for a group on a project.
GET/HEAD /OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the OS-INHERIT/projects/project_id/groups/group_id/roles/role_id/inherited_to_projects:get operation"
}
403¶
Error
404¶
Error
Assign role to group on projects in a subtree¶
The inherited role assignment is anchored to a project and applied to its subtree in the projects hierarchy (both existing and future projects).
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/project_group_role_inherited_to_projects
Request¶
Name | Location | Type | Description |
---|---|---|---|
project_id | path | string | project_id parameter for /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects API |
group_id | path | string | group_id parameter for /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects API |
role_id | path | string | role_id parameter for /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects API |
{
"type": "object",
"description": "Request of the OS-INHERIT/projects/project_id/groups/group_id/roles/role_id/inherited_to_projects:put operation",
"x-openstack": {
"action-name": "PUT"
}
}
Responses¶
201¶
Ok
{
"type": "object",
"description": "Response of the OS-INHERIT/projects/project_id/groups/group_id/roles/role_id/inherited_to_projects:put operation"
}
403¶
Error
404¶
Error
Revoke an inherited project role from group on project¶
OS-OAUTH1¶
Show consumer details¶
Update consumer¶
Updates the description for a consumer.
If you try to update any attribute other than description, an HTTP 400 Bad Request error is returned.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumer
Request¶
Name | Location | Type | Description |
---|---|---|---|
consumer_id | path | string | consumer_id parameter for /v3/OS-OAUTH1/consumers/{consumer_id} API |
{
"type": "object",
"description": "Request of the OS-OAUTH1/consumers/consumer_id:patch operation",
"x-openstack": {
"action-name": "PATCH"
}
}
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the OS-OAUTH1/consumers/consumer_id:patch operation"
}
403¶
Error
404¶
Error
Delete consumer¶
List consumers¶
Create consumer¶
Enables a user to create a consumer.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumers
Request¶
{
"type": "object",
"description": "Request of the OS-OAUTH1/consumers:post operation",
"x-openstack": {
"action-name": "POST"
}
}
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the OS-OAUTH1/consumers:post operation"
}
403¶
Error
404¶
Error
Create request token¶
Enables a consumer to get an unauthorized request token.
Supported signature methods: HMAC-SHA1
The consumer must provide all required OAuth parameters in the request. See Consumer Obtains a Request Token.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/request_tokens
Request¶
{
"type": "object",
"description": "Request of the OS-OAUTH1/request_token:post operation",
"x-openstack": {
"action-name": "POST"
}
}
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the OS-OAUTH1/request_token:post operation"
}
403¶
Error
404¶
Error
Create access token¶
Enables a consumer to obtain an access token by exchanging a request token.
After a user authorizes the request token, the consumer exchanges the authorized request token and OAuth verifier for an access token.
Supported signature methods: HMAC-SHA1
The consumer must provide all required OAuth parameters in the request. See Consumer Requests an Access Token.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/access_tokens
Request¶
{
"type": "object",
"description": "Request of the OS-OAUTH1/access_token:post operation",
"x-openstack": {
"action-name": "POST"
}
}
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the OS-OAUTH1/access_token:post operation"
}
403¶
Error
404¶
Error
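The HMAC-SHA1 signing that the request-token and access-token calls above require, as an added example that is not Keystone's own code: it follows RFC 5849 (signature base string, then HMAC-SHA1 keyed with consumer secret and token secret) and checks signatures in constant time. The host name, credentials, nonces, timestamps and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample values: placeholder host and credentials.
REQUEST_TOKEN_URL = "https://keystone.example.test/v3/OS-OAUTH1/request_token"
ACCESS_TOKEN_URL = "https://keystone.example.test/v3/OS-OAUTH1/access_token"
CONSUMER_KEY = "consumer-key-placeholder"
CONSUMER_SECRET = "consumer-secret-placeholder"


def pct(value):
    """RFC 5849 3.6 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Signature base string (RFC 5849 3.4.1): METHOD & base URI & parameters."""
    parts = urlsplit(url)
    # Query-string parameters are signed together with the OAuth parameters.
    pairs = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    pairs = [(k, v) for k, v in pairs if k not in ("oauth_signature", "realm")]
    normalized = "&".join(
        f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs)
    )
    # Base URI: lowercase scheme and host, default port dropped, no query.
    host = parts.hostname or ""
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    if parts.port and parts.port != default_port:
        host = f"{host}:{parts.port}"
    base_uri = f"{parts.scheme}://{host}{parts.path or '/'}"
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; the key is consumer&token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    message = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, message, hashlib.sha1).digest()).decode()


def verify(method, url, params, consumer_secret, token_secret=""):
    """Recompute the signature and compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


def request_token_params():
    """Step 1: no token exists yet, so the token-secret half of the key is empty."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1700000000",   # fixed here; must be current in use
        "oauth_nonce": "nonce-0001",       # fixed here; must be unique in use
        "oauth_version": "1.0",
        "oauth_callback": "oob",           # verifier is delivered out-of-band
    }
    params["oauth_signature"] = sign("POST", REQUEST_TOKEN_URL, params, CONSUMER_SECRET)
    return params


def access_token_params(request_token, request_secret, verifier):
    """Step 2: the authorized request token and verifier are both signed."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": request_token,
        "oauth_verifier": verifier,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1700000060",
        "oauth_nonce": "nonce-0002",
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign(
        "POST", ACCESS_TOKEN_URL, params, CONSUMER_SECRET, request_secret
    )
    return params


if __name__ == "__main__":
    print(request_token_params()["oauth_signature"])
    print(access_token_params("req-token", "req-secret", "verifier-1234")["oauth_signature"])
```

Because the verifier and the request token are inside the signed parameter set, changing either one after signing invalidates the signature.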
Authorize request token¶
To authorize the Request Token, the authorizing user must have access to the requested project. Upon successful authorization, an OAuth Verifier code is returned. The Consumer receives the OAuth Verifier from the User out-of-band.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/authorize_request_token
OS-OAUTH2¶
Get an OAuth2.0 Access Token.
POST /v3/OS-OAUTH2/token
Request¶
{
"type": "object",
"description": "Request of the OS-OAUTH2/token:post operation",
"x-openstack": {
"action-name": "POST"
}
}
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the OS-OAUTH2/token:post operation"
}
403¶
Error
404¶
Error
OS-REVOKE¶
List revocation events¶
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-REVOKE/1.0/rel/events
List revocation events.
The HTTP Date header returned in the response reflects the timestamp of the most recently issued revocation event. Clients can then use this value in the since query parameter to limit the list of events in subsequent requests.
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the OS-REVOKE/events:get operation"
}
403¶
Error
404¶
Error
OS-SIMPLE-CERT¶
Show CA Certificate¶
Show Signing Certificate¶
policies¶
Show policy details¶
Update policy¶
Updates a policy.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/policy
Request¶
Name | Location | Type | Description |
---|---|---|---|
policy_id | path | string | policy_id parameter for /v3/policies/{policy_id} API |
{
"type": "object",
"description": "Request of the policies/policy_id:patch operation",
"x-openstack": {
"action-name": "PATCH"
}
}
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the policies/policy_id:patch operation"
}
403¶
Error
404¶
Error
Delete policy¶
List policies¶
Create policy¶
Creates a policy.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/policies
Request¶
{
"type": "object",
"description": "Request of the policies:post operation",
"x-openstack": {
"action-name": "POST"
}
}
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the policies:post operation"
}
403¶
Error
404¶
Error
List policy and service endpoint associations¶
Verify a policy and endpoint association¶
Associate policy and endpoint¶
Associates a policy and an endpoint.
If an association already exists between the endpoint and another policy, this call replaces that association.
Request¶
Name | Location | Type | Description |
---|---|---|---|
policy_id | path | string | policy_id parameter for /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} API |
endpoint_id | path | string | endpoint_id parameter for /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} API |
{
"type": "object",
"description": "Request of the policies/policy_id/OS-ENDPOINT-POLICY/endpoints/endpoint_id:put operation",
"x-openstack": {
"action-name": "PUT"
}
}
Responses¶
201¶
Ok
{
"type": "object",
"description": "Response of the policies/policy_id/OS-ENDPOINT-POLICY/endpoints/endpoint_id:put operation"
}
403¶
Error
404¶
Error
Delete a policy and endpoint association¶
Verify a policy and service-type endpoint association¶
Associate policy and service-type endpoint¶
Associates a policy and any endpoint of a service type.
If an association already exists between the endpoint of a service type and another policy, this call replaces that association.
Request¶
Name | Location | Type | Description |
---|---|---|---|
policy_id | path | string | policy_id parameter for /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} API |
service_id | path | string | service_id parameter for /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} API |
{
"type": "object",
"description": "Request of the policies/policy_id/OS-ENDPOINT-POLICY/services/service_id:put operation",
"x-openstack": {
"action-name": "PUT"
}
}
Responses¶
201¶
Ok
{
"type": "object",
"description": "Response of the policies/policy_id/OS-ENDPOINT-POLICY/services/service_id:put operation"
}
403¶
Error
404¶
Error
Delete a policy and service-type endpoint association¶
Verify a policy and service-type endpoint in a region association¶
Verifies an association between a policy and service-type endpoint in a region.
A HEAD version of this API is also supported.
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the policies/policy_id/OS-ENDPOINT-POLICY/services/service_id/regions/region_id:get operation"
}
403¶
Error
404¶
Error
Associate policy and service-type endpoint in a region¶
Associates a policy and an endpoint of a service type in a region.
If an association already exists between the service in a region and another policy, this call replaces that association.
Request¶
Name | Location | Type | Description |
---|---|---|---|
policy_id | path | string | policy_id parameter for /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} API |
service_id | path | string | service_id parameter for /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} API |
region_id | path | string | region_id parameter for /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} API |
{
"type": "object",
"description": "Request of the policies/policy_id/OS-ENDPOINT-POLICY/services/service_id/regions/region_id:put operation",
"x-openstack": {
"action-name": "PUT"
}
}
Responses¶
201¶
Ok
{
"type": "object",
"description": "Response of the policies/policy_id/OS-ENDPOINT-POLICY/services/service_id/regions/region_id:put operation"
}
403¶
Error
404¶
Error
Delete a policy and service-type endpoint in a region association¶
projects¶
Show project details¶
Shows details for a project.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/project
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"project": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"readOnly": true,
"description": "The ID for the project."
},
"description": {
"type": [
"string",
"null"
],
"description": "The description of the project."
},
"domain_id": {
"type": [
"string",
"null"
],
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the domain for the project."
},
"enabled": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "If set to `true`, project is enabled. If set to\n`false`, project is disabled."
},
"is_domain": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "Indicates whether the project also acts as a domain. If set to `true`,\nthis project acts as both a project and domain. As a domain, the project\nprovides a name space in which you can create users, groups, and other\nprojects. If set to `false`, this project behaves as a regular project\nthat contains only resources.\n\n\n**New in version 3\\.6**"
},
"parent_id": {
"type": [
"string",
"null"
],
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the parent for the project.\n\n\n**New in version 3\\.4**"
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "[\\S]+",
"description": "The name of the project."
},
"tags": {
"type": "array",
"items": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "^[^,/]*$"
},
"required": [],
"maxItems": 80,
"uniqueItems": true,
"description": "A list of simple strings assigned to a project.\nTags can be used to classify projects into groups."
},
"options": {
"type": "object",
"properties": {
"immutable": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
}
},
"additionalProperties": false,
"description": "The resource options for the project. Available resource options are\n`immutable`."
}
},
"additionalProperties": true,
"description": "A `project` object"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
project | body | object | A `project` object |
project.id | body | string | The ID for the project. |
project.description | body | [‘string’, ‘null’] | The description of the project. |
project.domain_id | body | [‘string’, ‘null’] | The ID of the domain for the project. |
project.enabled | body | boolean | If set to `true`, project is enabled. If set to `false`, project is disabled. |
project.is_domain | body | boolean | Indicates whether the project also acts as a domain. If set to `true`, this project acts as both a project and domain. As a domain, the project provides a name space in which you can create users, groups, and other projects. If set to `false`, this project behaves as a regular project that contains only resources. New in version 3.6 |
project.parent_id | body | [‘string’, ‘null’] | The ID of the parent for the project. New in version 3.4 |
project.name | body | string | The name of the project. |
project.tags | body | array | A list of simple strings assigned to a project. Tags can be used to classify projects into groups. |
project.options | body | object | The resource options for the project. Available resource options are `immutable`. |
project.options.immutable | body | [‘boolean’, ‘null’] | |
403¶
Error
404¶
Error
Update project¶
Updates a project.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/project
Request¶
Name | Location | Type | Description |
---|---|---|---|
project_id | path | string | project_id parameter for /v3/projects/{project_id} API |
project | body | object | A `project` object |
project.id | body | string | The ID for the project. |
project.description | body | [‘string’, ‘null’] | The description of the project. |
project.domain_id | body | [‘string’, ‘null’] | The ID of the domain for the project. |
project.enabled | body | boolean | If set to `true`, project is enabled. If set to `false`, project is disabled. |
project.is_domain | body | boolean | Indicates whether the project also acts as a domain. If set to `true`, this project acts as both a project and domain. As a domain, the project provides a name space in which you can create users, groups, and other projects. If set to `false`, this project behaves as a regular project that contains only resources. New in version 3.6 |
project.parent_id | body | [‘string’, ‘null’] | The ID of the parent for the project. New in version 3.4 |
project.name | body | string | The name of the project. |
project.tags | body | array | A list of simple strings assigned to a project. Tags can be used to classify projects into groups. |
project.options | body | object | The resource options for the project. Available resource options are `immutable`. |
project.options.immutable | body | [‘boolean’, ‘null’] | |
{
"type": "object",
"properties": {
"project": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"readOnly": true,
"description": "The ID for the project."
},
"description": {
"type": [
"string",
"null"
],
"description": "The description of the project."
},
"domain_id": {
"type": [
"string",
"null"
],
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the domain for the project."
},
"enabled": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "If set to `true`, project is enabled. If set to\n`false`, project is disabled."
},
"is_domain": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "Indicates whether the project also acts as a domain. If set to `true`,\nthis project acts as both a project and domain. As a domain, the project\nprovides a name space in which you can create users, groups, and other\nprojects. If set to `false`, this project behaves as a regular project\nthat contains only resources.\n\n\n**New in version 3\\.6**"
},
"parent_id": {
"type": [
"string",
"null"
],
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the parent for the project.\n\n\n**New in version 3\\.4**"
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "[\\S]+",
"description": "The name of the project."
},
"tags": {
"type": "array",
"items": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "^[^,/]*$"
},
"required": [],
"maxItems": 80,
"uniqueItems": true,
"description": "A list of simple strings assigned to a project.\nTags can be used to classify projects into groups."
},
"options": {
"type": "object",
"properties": {
"immutable": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
}
},
"additionalProperties": false,
"description": "The resource options for the project. Available resource options are\n`immutable`."
}
},
"additionalProperties": true,
"description": "A `project` object"
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"project": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"readOnly": true,
"description": "The ID for the project."
},
"description": {
"type": [
"string",
"null"
],
"description": "The description of the project."
},
"domain_id": {
"type": [
"string",
"null"
],
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the domain for the project."
},
"enabled": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "If set to `true`, project is enabled. If set to\n`false`, project is disabled."
},
"is_domain": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "Indicates whether the project also acts as a domain. If set to `true`,\nthis project acts as both a project and domain. As a domain, the project\nprovides a name space in which you can create users, groups, and other\nprojects. If set to `false`, this project behaves as a regular project\nthat contains only resources.\n\n\n**New in version 3\\.6**"
},
"parent_id": {
"type": [
"string",
"null"
],
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the parent for the project.\n\n\n**New in version 3\\.4**"
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "[\\S]+",
"description": "The name of the project."
},
"tags": {
"type": "array",
"items": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "^[^,/]*$"
},
"required": [],
"maxItems": 80,
"uniqueItems": true,
"description": "A list of simple strings assigned to a project.\nTags can be used to classify projects into groups."
},
"options": {
"type": "object",
"properties": {
"immutable": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
}
},
"additionalProperties": false,
"description": "The resource options for the project. Available resource options are\n`immutable`."
}
},
"additionalProperties": true,
"description": "A `project` object"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
project | body | object | A `project` object |
project.id | body | string | The ID for the project. |
project.description | body | [‘string’, ‘null’] | The description of the project. |
project.domain_id | body | [‘string’, ‘null’] | The ID of the domain for the project. |
project.enabled | body | boolean | If set to `true`, project is enabled. If set to `false`, project is disabled. |
project.is_domain | body | boolean | Indicates whether the project also acts as a domain. If set to `true`, this project acts as both a project and domain. As a domain, the project provides a name space in which you can create users, groups, and other projects. If set to `false`, this project behaves as a regular project that contains only resources. New in version 3.6 |
project.parent_id | body | [‘string’, ‘null’] | The ID of the parent for the project. New in version 3.4 |
project.name | body | string | The name of the project. |
project.tags | body | array | A list of simple strings assigned to a project. Tags can be used to classify projects into groups. |
project.options | body | object | The resource options for the project. Available resource options are `immutable`. |
project.options.immutable | body | [‘boolean’, ‘null’] | |
403¶
Error
404¶
Error
Delete project¶
List projects¶
Lists projects.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/projects
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"projects": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"readOnly": true,
"description": "The ID for the project."
},
"description": {
"type": [
"string",
"null"
],
"description": "The description of the project."
},
"domain_id": {
"type": [
"string",
"null"
],
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the domain for the project."
},
"enabled": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "If set to `true`, project is enabled. If set to\n`false`, project is disabled."
},
"is_domain": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "Indicates whether the project also acts as a domain. If set to `true`,\nthis project acts as both a project and domain. As a domain, the project\nprovides a name space in which you can create users, groups, and other\nprojects. If set to `false`, this project behaves as a regular project\nthat contains only resources.\n\n\n**New in version 3\\.6**"
},
"parent_id": {
"type": [
"string",
"null"
],
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the parent for the project.\n\n\n**New in version 3\\.4**"
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "[\\S]+",
"description": "The name of the project."
},
"tags": {
"type": "array",
"items": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "^[^,/]*$"
},
"required": [],
"maxItems": 80,
"uniqueItems": true,
"description": "A list of simple strings assigned to a project."
},
"options": {
"type": "object",
"properties": {
"immutable": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
}
},
"additionalProperties": false,
"description": "The resource options for the project. Available resource options are\n`immutable`."
}
},
"additionalProperties": true
},
"description": "A list of `project` objects"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
projects | body | array | A list of `project` objects |
projects[].id | body | string | The ID for the project. |
projects[].description | body | [‘string’, ‘null’] | The description of the project. |
projects[].domain_id | body | [‘string’, ‘null’] | The ID of the domain for the project. |
projects[].enabled | body | boolean | If set to `true`, project is enabled. If set to `false`, project is disabled. |
projects[].is_domain | body | boolean | Indicates whether the project also acts as a domain. If set to `true`, this project acts as both a project and domain. As a domain, the project provides a name space in which you can create users, groups, and other projects. If set to `false`, this project behaves as a regular project that contains only resources. New in version 3.6 |
projects[].parent_id | body | [‘string’, ‘null’] | The ID of the parent for the project. New in version 3.4 |
projects[].name | body | string | The name of the project. |
projects[].tags | body | array | A list of simple strings assigned to a project. |
projects[].options | body | object | The resource options for the project. Available resource options are `immutable`. |
projects[].options.immutable | body | [‘boolean’, ‘null’] | |
403¶
Error
404¶
Error
Create project¶
Creates a project, where the project may act as a domain.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/projects
Request¶
Name | Location | Type | Description |
---|---|---|---|
project | body | object | A `project` object |
project.id | body | string | The ID for the project. |
project.description | body | [‘string’, ‘null’] | The description of the project. |
project.domain_id | body | [‘string’, ‘null’] | The ID of the domain for the project. |
project.enabled | body | boolean | If set to `true`, project is enabled. If set to `false`, project is disabled. |
project.is_domain | body | boolean | Indicates whether the project also acts as a domain. If set to `true`, this project acts as both a project and domain. As a domain, the project provides a name space in which you can create users, groups, and other projects. If set to `false`, this project behaves as a regular project that contains only resources. New in version 3.6 |
project.parent_id | body | [‘string’, ‘null’] | The ID of the parent for the project. New in version 3.4 |
project.name | body | string | The name of the project. |
project.tags | body | array | A list of simple strings assigned to a project. Tags can be used to classify projects into groups. |
project.options | body | object | The resource options for the project. Available resource options are `immutable`. |
project.options.immutable | body | [‘boolean’, ‘null’] | |
{
"type": "object",
"properties": {
"project": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"readOnly": true,
"description": "The ID for the project."
},
"description": {
"type": [
"string",
"null"
],
"description": "The description of the project."
},
"domain_id": {
"type": [
"string",
"null"
],
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the domain for the project."
},
"enabled": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "If set to `true`, project is enabled. If set to\n`false`, project is disabled."
},
"is_domain": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "Indicates whether the project also acts as a domain. If set to `true`,\nthis project acts as both a project and domain. As a domain, the project\nprovides a name space in which you can create users, groups, and other\nprojects. If set to `false`, this project behaves as a regular project\nthat contains only resources.\n\n\n**New in version 3\\.6**"
},
"parent_id": {
"type": [
"string",
"null"
],
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the parent for the project.\n\n\n**New in version 3\\.4**"
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "[\\S]+",
"description": "The name of the project."
},
"tags": {
"type": "array",
"items": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "^[^,/]*$"
},
"required": [],
"maxItems": 80,
"uniqueItems": true,
"description": "A list of simple strings assigned to a project.\nTags can be used to classify projects into groups."
},
"options": {
"type": "object",
"properties": {
"immutable": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
}
},
"additionalProperties": false,
"description": "The resource options for the project. Available resource options are\n`immutable`."
}
},
"additionalProperties": true,
"description": "A `project` object"
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"project": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"readOnly": true,
"description": "The ID for the project."
},
"description": {
"type": [
"string",
"null"
],
"description": "The description of the project."
},
"domain_id": {
"type": [
"string",
"null"
],
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the domain for the project."
},
"enabled": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "If set to `true`, project is enabled. If set to\n`false`, project is disabled."
},
"is_domain": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "Indicates whether the project also acts as a domain. If set to `true`,\nthis project acts as both a project and domain. As a domain, the project\nprovides a name space in which you can create users, groups, and other\nprojects. If set to `false`, this project behaves as a regular project\nthat contains only resources.\n\n\n**New in version 3\\.6**"
},
"parent_id": {
"type": [
"string",
"null"
],
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the parent for the project.\n\n\n**New in version 3\\.4**"
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "[\\S]+",
"description": "The name of the project."
},
"tags": {
"type": "array",
"items": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "^[^,/]*$"
},
"required": [],
"maxItems": 80,
"uniqueItems": true,
"description": "A list of simple strings assigned to a project.\nTags can be used to classify projects into groups."
},
"options": {
"type": "object",
"properties": {
"immutable": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
}
},
"additionalProperties": false,
"description": "The resource options for the project. Available resource options are\n`immutable`."
}
},
"additionalProperties": true,
"description": "A `project` object"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
project | body | object | A `project` object |
project.id | body | string | The ID for the project. |
project.description | body | ['string', 'null'] | The description of the project. |
project.domain_id | body | ['string', 'null'] | The ID of the domain for the project. |
project.enabled | body | boolean | If set to `true`, project is enabled. If set to `false`, project is disabled. |
project.is_domain | body | boolean | Indicates whether the project also acts as a domain. If set to `true`, this project acts as both a project and domain. As a domain, the project provides a name space in which you can create users, groups, and other projects. If set to `false`, this project behaves as a regular project that contains only resources. New in version 3.6 |
project.parent_id | body | ['string', 'null'] | The ID of the parent for the project. New in version 3.4 |
project.name | body | string | The name of the project. |
project.tags | body | array | A list of simple strings assigned to a project. Tags can be used to classify projects into groups. |
project.options | body | object | The resource options for the project. Available resource options are `immutable`. |
project.options.immutable | body | ['boolean', 'null'] | |
403¶
Error
404¶
Error
List tags associated with a given project.
GET /v3/projects/{project_id}/tags
List tags for a project¶
Lists all tags within a project.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/projects
Modify tag list for a project¶
Modifies the tags for a project. Any existing tags not specified will be deleted.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/projects
Remove all tags from a project¶
Remove all tags from a given project.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/projects
Get information for a single tag associated with a given project.
GET /v3/projects/{project_id}/tags/{value}
Check if project contains tag¶
Checks if a project contains the specified tag.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/projects
Add single tag to a project¶
Creates the specified tag and adds it to the list of tags in the project.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/projects
Delete single tag from project¶
Remove a single tag from a project.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/projects
Check whether user has role assignment on project¶
Assign role to user on project¶
Unassign role from user on project¶
List role assignments for user on project¶
Lists role assignments for a user on a project.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/project_user_role
Responses¶
200¶
Ok
{
"type": "object",
"description": "List of roles assigned to the resource",
"properties": {
"roles": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The role ID."
},
"name": {
"type": "string",
"description": "The role name."
},
"description": {
"type": "string",
"description": "The role description."
},
"links": {
"type": "object",
"properties": {
"self": {
"type": "string",
"format": "uri",
"description": "The link to the resource in question."
}
},
"description": "The link to the resources in question."
}
},
"description": "A prior role object."
},
"description": "A list of `role` objects"
},
"links": {
"type": "object",
"additionalProperties": {
"type": [
"string",
"null"
],
"format": "uri"
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
roles | body | array | A list of `role` objects |
roles[].id | body | string | The role ID. |
roles[].name | body | string | The role name. |
roles[].description | body | string | The role description. |
roles[].links | body | object | The link to the resources in question. |
roles[].links.self | body | string | The link to the resource in question. |
links | body | object | |
403¶
Error
404¶
Error
Check whether group has role assignment on project¶
Assign role to group on project¶
Unassign role from group on project¶
List role assignments for group on project¶
Lists role assignments for a group on a project.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/project_user_role
Responses¶
200¶
Ok
{
"type": "object",
"description": "List of roles assigned to the resource",
"properties": {
"roles": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The role ID."
},
"name": {
"type": "string",
"description": "The role name."
},
"description": {
"type": "string",
"description": "The role description."
},
"links": {
"type": "object",
"properties": {
"self": {
"type": "string",
"format": "uri",
"description": "The link to the resource in question."
}
},
"description": "The link to the resources in question."
}
},
"description": "A prior role object."
},
"description": "A list of `role` objects"
},
"links": {
"type": "object",
"additionalProperties": {
"type": [
"string",
"null"
],
"format": "uri"
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
roles | body | array | A list of `role` objects |
roles[].id | body | string | The role ID. |
roles[].name | body | string | The role name. |
roles[].description | body | string | The role description. |
roles[].links | body | object | The link to the resources in question. |
roles[].links.self | body | string | The link to the resource in question. |
links | body | object | |
403¶
Error
404¶
Error
regions¶
Show region details¶
Shows details for a region, by ID.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/regions
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"region": {
"type": "object",
"properties": {
"description": {
"type": "string",
"description": "The region description."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The ID for the region.",
"readOnly": true
},
"parent_id": {
"type": "string",
"format": "uuid",
"description": "To make this region a child of another region, set this parameter to the ID of the parent region."
}
},
"description": "A `region` object"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
region | body | object | A `region` object |
region.description | body | string | The region description. |
region.id | body | string | The ID for the region. |
region.parent_id | body | string | To make this region a child of another region, set this parameter to the ID of the parent region. |
403¶
Error
404¶
Error
PUT operation on /v3/regions/{region_id}
Request¶
Name | Location | Type | Description |
---|---|---|---|
region_id | path | string | region_id parameter for /v3/regions/{region_id} API |
{
"type": "object",
"description": "Request of the regions/region_id:put operation",
"x-openstack": {
"action-name": "PUT"
}
}
Responses¶
201¶
Ok
{
"type": "object",
"description": "Response of the regions/region_id:put operation"
}
403¶
Error
404¶
Error
Update region¶
Updates a region.
You can update the description or parent region ID for a region. You cannot update the region ID.
The following error might occur:
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/region
Request¶
Name | Location | Type | Description |
---|---|---|---|
region_id | path | string | region_id parameter for /v3/regions/{region_id} API |
region | body | object | A `region` object |
region.description | body | string | The region description. |
region.id | body | string | The ID for the region. |
region.parent_id | body | string | To make this region a child of another region, set this parameter to the ID of the parent region. |
{
"type": "object",
"properties": {
"region": {
"type": "object",
"properties": {
"description": {
"type": "string",
"description": "The region description."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The ID for the region.",
"readOnly": true
},
"parent_id": {
"type": "string",
"format": "uuid",
"description": "To make this region a child of another region, set this parameter to the ID of the parent region."
}
},
"description": "A `region` object"
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"region": {
"type": "object",
"properties": {
"description": {
"type": "string",
"description": "The region description."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The ID for the region.",
"readOnly": true
},
"parent_id": {
"type": "string",
"format": "uuid",
"description": "To make this region a child of another region, set this parameter to the ID of the parent region."
}
},
"description": "A `region` object"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
region | body | object | A `region` object |
region.description | body | string | The region description. |
region.id | body | string | The ID for the region. |
region.parent_id | body | string | To make this region a child of another region, set this parameter to the ID of the parent region. |
403¶
Error
404¶
Error
Delete region¶
List regions¶
Lists regions.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/regions
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"regions": {
"type": "array",
"items": {
"type": "object",
"properties": {
"description": {
"type": "string",
"description": "The region description."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The ID for the region.",
"readOnly": true
},
"parent_id": {
"type": "string",
"format": "uuid",
"description": "To make this region a child of another region, set this parameter to the ID of the parent region."
}
},
"description": "A `region` object"
},
"description": "A list of `region` object"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
regions | body | array | A list of `region` object |
regions[].description | body | string | The region description. |
regions[].id | body | string | The ID for the region. |
regions[].parent_id | body | string | To make this region a child of another region, set this parameter to the ID of the parent region. |
403¶
Error
404¶
Error
Create region¶
Creates a region.
When you create the region, you can optionally specify a region ID. If you include characters in the region ID that are not allowed in a URI, you must URL-encode the ID. If you omit an ID, the API assigns an ID to the region.
The following errors might occur:
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/regions
Request¶
Name | Location | Type | Description |
---|---|---|---|
region | body | object | A `region` object |
region.description | body | string | The region description. |
region.id | body | string | The ID for the region. |
region.parent_id | body | string | To make this region a child of another region, set this parameter to the ID of the parent region. |
{
"type": "object",
"properties": {
"region": {
"type": "object",
"properties": {
"description": {
"type": "string",
"description": "The region description."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The ID for the region.",
"readOnly": true
},
"parent_id": {
"type": "string",
"format": "uuid",
"description": "To make this region a child of another region, set this parameter to the ID of the parent region."
}
},
"description": "A `region` object"
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"region": {
"type": "object",
"properties": {
"description": {
"type": "string",
"description": "The region description."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The ID for the region.",
"readOnly": true
},
"parent_id": {
"type": "string",
"format": "uuid",
"description": "To make this region a child of another region, set this parameter to the ID of the parent region."
}
},
"description": "A `region` object"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
region | body | object | A `region` object |
region.description | body | string | The region description. |
region.id | body | string | The ID for the region. |
region.parent_id | body | string | To make this region a child of another region, set this parameter to the ID of the parent region. |
403¶
Error
404¶
Error
registered_limits¶
Show Registered Limit Details¶
Update Registered Limit¶
Updates the specified registered limit.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/registered_limit
Request¶
Name | Location | Type | Description |
---|---|---|---|
registered_limit_id | path | string | registered_limit_id parameter for /v3/registered_limits/{registered_limit_id} API |
{
"type": "object",
"description": "Request of the registered_limits/registered_limit_id:patch operation",
"x-openstack": {
"action-name": "PATCH"
}
}
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the registered_limits/registered_limit_id:patch operation"
}
403¶
Error
404¶
Error
Delete Registered Limit¶
List Registered Limits¶
Create Registered Limits¶
Creates registered limits. More than one registered limit can be created in a single request.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/registered_limits
Request¶
{
"type": "object",
"description": "Request of the registered_limits:post operation",
"x-openstack": {
"action-name": "POST"
}
}
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the registered_limits:post operation"
}
403¶
Error
404¶
Error
role_assignments¶
List role assignments¶
Get a list of role assignments.
If no query parameters are specified, then this API will return a list of all role assignments.
Since this list is likely to be very long, this API would typically always be used with one or more of the filter queries. Some typical examples are:
`GET /v3/role_assignments?user.id={user_id}` would list all role assignments involving the specified user.
`GET /v3/role_assignments?scope.project.id={project_id}` would list all role assignments involving the specified project.
It is also possible to list all role assignments within a tree of projects: `GET /v3/role_assignments?scope.project.id={project_id}&include_subtree=true` would list all role assignments involving the specified project and all sub-projects. `include_subtree=true` can only be specified in conjunction with `scope.project.id`; specifying it without this will result in an HTTP 400 Bad Request being returned.
Each role assignment entity in the collection contains a link to the assignment that gave rise to this entity.
The scope section in the list response is extended to allow the representation of role assignments that are inherited to projects.
The query filter `scope.OS-INHERIT:inherited_to` can be used to filter based on role assignments that are inherited. The only value of `scope.OS-INHERIT:inherited_to` that is currently supported is `projects`, indicating that this role is inherited to all projects of the owning domain or parent project.
If the query parameter `effective` is specified, rather than simply returning a list of role assignments that have been made, the API returns a list of effective assignments at the user, project and domain level, having allowed for the effects of group membership, role inference rules as well as inheritance from the parent domain or project. Since the effects of group membership have already been allowed for, the group role assignment entities themselves will not be returned in the collection. Likewise, since the effects of inheritance have already been allowed for, the role assignment entities themselves that specify the inheritance will also not be returned in the collection. This represents the effective role assignments that would be included in a scoped token. The same set of query parameters can also be used in combination with the `effective` parameter.
For example:
`GET /v3/role_assignments?user.id={user_id}&effective` would, in other words, answer the question “what can this user actually do?”.
`GET /v3/role_assignments?user.id={user_id}&scope.project.id={project_id}&effective` would return the equivalent set of role assignments that would be included in the token response of a project scoped token.
An example response for an API call with the query parameter `effective` specified is given below:
The entity `links` section of a response using the `effective` query parameter also contains, for entities that are included by virtue of group membership, a URL that can be used to access the membership of the group.
If the query parameter `include_names` is specified, rather than simply returning the entity IDs in the role assignments, the collection will additionally include the names of the entities. For example:
`GET /v3/role_assignments?user.id={user_id}&effective&include_names=true` would return:
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/role_assignments
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"role_assignments": {
"type": "array",
"items": {
"type": "object",
"properties": {
"role": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The role ID."
},
"name": {
"type": "string",
"description": "The role name."
},
"description": {
"type": "string",
"description": "The role description."
},
"links": {
"type": "object",
"properties": {
"self": {
"type": "string",
"format": "uri",
"description": "The link to the resource in question."
}
},
"description": "The link to the resources in question."
}
},
"description": "A prior role object."
},
"scope": {
"type": "object",
"description": "The authorization scope, including the system (Since v3.10), a project, or a domain (Since v3.4). If multiple scopes are specified in the same request (e.g. project and domain or domain and system) an HTTP 400 Bad Request will be returned, as a token cannot be simultaneously scoped to multiple authorization targets. An ID is sufficient to uniquely identify a project but if a project is specified by name, then the domain of the project must also be specified in order to uniquely identify the project by name. A domain scope may be specified by either the domain\u2019s ID or name with equivalent results.",
"properties": {
"project": {
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Project Name"
},
"id": {
"type": "string",
"description": "Project Id"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Project domain Id"
},
"name": {
"type": "string",
"description": "Project domain Name"
}
}
}
}
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Domain id"
},
"name": {
"type": "string",
"description": "Domain name"
}
}
},
"OS-TRUST:trust": {
"type": "object",
"properties": {
"id": {
"type": "string"
}
}
},
"system": {
"type": "object",
"properties": {
"all": {
"type": "boolean"
}
}
}
}
},
"user": {
"type": "object",
"description": "A user object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user UUID"
},
"name": {
"type": "string",
"description": "A user name"
},
"domain": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user domain UUID"
},
"name": {
"type": "string",
"description": "A user domain name"
}
}
}
}
},
"group": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "A user ID"
},
"name": {
"type": "string",
"description": "A user name"
}
}
},
"links": {
"type": "object",
"properties": {
"assignment": {
"type": "string",
"format": "uri",
"description": "a link to the assignment that gave rise to this entity"
},
"membership": {
"type": "string",
"format": "uri"
}
}
}
}
}
}
}
}
Name | Location | Type | Description |
---|---|---|---|
role_assignments | body | array | |
role_assignments[].role | body | object | A prior role object. |
role_assignments[].role.id | body | string | The role ID. |
role_assignments[].role.name | body | string | The role name. |
role_assignments[].role.description | body | string | The role description. |
role_assignments[].role.links | body | object | The link to the resources in question. |
role_assignments[].role.links.self | body | string | The link to the resource in question. |
role_assignments[].scope | body | object | The authorization scope, including the system (Since v3.10), a project, or a domain (Since v3.4). If multiple scopes are specified in the same request (e.g. project and domain or domain and system) an HTTP 400 Bad Request will be returned, as a token cannot be simultaneously scoped to multiple authorization targets. An ID is sufficient to uniquely identify a project but if a project is specified by name, then the domain of the project must also be specified in order to uniquely identify the project by name. A domain scope may be specified by either the domain’s ID or name with equivalent results. |
role_assignments[].scope.project | body | object | |
role_assignments[].scope.project.name | body | string | Project Name |
role_assignments[].scope.project.id | body | string | Project Id |
role_assignments[].scope.project.domain | body | object | |
role_assignments[].scope.project.domain.id | body | string | Project domain Id |
role_assignments[].scope.project.domain.name | body | string | Project domain Name |
role_assignments[].scope.domain | body | object | |
role_assignments[].scope.domain.id | body | string | Domain id |
role_assignments[].scope.domain.name | body | string | Domain name |
role_assignments[].scope.OS-TRUST:trust | body | object | |
role_assignments[].scope.OS-TRUST:trust.id | body | string | |
role_assignments[].scope.system | body | object | |
role_assignments[].scope.system.all | body | boolean | |
role_assignments[].user | body | object | A user object |
role_assignments[].user.id | body | string | A user UUID |
role_assignments[].user.name | body | string | A user name |
role_assignments[].user.domain | body | object | |
role_assignments[].user.domain.id | body | string | A user domain UUID |
role_assignments[].user.domain.name | body | string | A user domain name |
role_assignments[].group | body | object | |
role_assignments[].group.id | body | string | A user ID |
role_assignments[].group.name | body | string | A user name |
role_assignments[].links | body | object | |
role_assignments[].links.assignment | body | string | a link to the assignment that gave rise to this entity |
role_assignments[].links.membership | body | string | |
403¶
Error
404¶
Error
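The filter rules and the `effective` listing described for `GET /v3/role_assignments` above, as an added Python example (not part of the Keystone documentation or code): it builds the query path and reports sensitive roles a user holds only through a group or through inheritance. The response body is constructed sample data; the helper names, the role names, and the check that an `/OS-INHERIT/` path in `links.assignment` marks an inherited grant are assumptions of this example.

```python
from collections import defaultdict
from urllib.parse import quote


def build_query(filters, effective=False, include_names=False,
                include_subtree=False):
    """Build the GET path; refuse include_subtree without scope.project.id,
    the combination the API answers with HTTP 400."""
    if include_subtree and "scope.project.id" not in filters:
        raise ValueError("include_subtree=true requires scope.project.id")
    parts = [f"{quote(k, safe='.:')}={quote(str(v), safe='')}"
             for k, v in sorted(filters.items())]
    if include_subtree:
        parts.append("include_subtree=true")
    if effective:
        parts.append("effective")  # bare flag, written as on the page
    if include_names:
        parts.append("include_names=true")
    return "/v3/role_assignments" + ("?" + "&".join(parts) if parts else "")


def scope_key(scope):
    """Collapse the scope object into a (kind, id) tuple."""
    if "project" in scope:
        return ("project", scope["project"]["id"])
    if "domain" in scope:
        return ("domain", scope["domain"]["id"])
    if scope.get("system", {}).get("all"):
        return ("system", "all")
    return ("unknown", "")


def provenance(entry):
    """Say how an effective entry arose, judged from its links section."""
    links = entry.get("links", {})
    tags = []
    if "membership" in links:          # present for group-derived entries
        tags.append("group")
    # Assumption: inherited grants link to an /OS-INHERIT/ assignment URL.
    if "/OS-INHERIT/" in links.get("assignment", ""):
        tags.append("inherited")
    # "direct" means neither of the above; role inference is not separated.
    return "+".join(tags) or "direct"


def summarize_effective(body):
    """Map user id -> scope -> list of (role name, provenance)."""
    out = defaultdict(lambda: defaultdict(list))
    for entry in body.get("role_assignments", []):
        user = entry.get("user")
        if user is None:
            # An effective listing never returns group entities themselves.
            raise ValueError("entry without user: not an effective listing")
        role = entry["role"]
        out[user["id"]][scope_key(entry["scope"])].append(
            (role.get("name", role["id"]), provenance(entry)))
    return out


def flag_indirect(summary, sensitive=frozenset({"admin"})):
    """Rows for sensitive roles that were not granted directly to the user."""
    rows = []
    for user, scopes in summary.items():
        for (kind, scope_id), grants in scopes.items():
            for role, source in grants:
                if role in sensitive and source != "direct":
                    rows.append((user, kind, scope_id, role, source))
    return sorted(rows)


BASE = "https://keystone.example.test/v3"  # constructed host
# Constructed response to ...?effective&include_names=true (not real data).
SAMPLE = {"role_assignments": [
    {"role": {"id": "r-admin", "name": "admin"},
     "scope": {"project": {"id": "p-prod", "name": "prod"}},
     "user": {"id": "u-alice", "name": "alice"},
     "links": {"assignment": BASE + "/projects/p-prod/groups/g-ops/roles/r-admin",
               "membership": BASE + "/groups/g-ops/users/u-alice"}},
    {"role": {"id": "r-member", "name": "member"},
     "scope": {"project": {"id": "p-dev", "name": "dev"}},
     "user": {"id": "u-alice", "name": "alice"},
     "links": {"assignment": BASE + "/projects/p-dev/users/u-alice/roles/r-member"}},
    {"role": {"id": "r-admin", "name": "admin"},
     "scope": {"project": {"id": "p-prod", "name": "prod"}},
     "user": {"id": "u-bob", "name": "bob"},
     "links": {"assignment": BASE + "/OS-INHERIT/domains/d-corp/users/u-bob"
                                    "/roles/r-admin/inherited_to_projects"}},
    {"role": {"id": "r-admin", "name": "admin"},
     "scope": {"domain": {"id": "d-lab", "name": "lab"}},
     "user": {"id": "u-bob", "name": "bob"},
     "links": {"assignment": BASE + "/domains/d-lab/users/u-bob/roles/r-admin"}},
]}

if __name__ == "__main__":
    print(build_query({"user.id": "u-alice"}, effective=True, include_names=True))
    for row in flag_indirect(summarize_effective(SAMPLE)):
        print(row)
```

Grants reported as `group` or `inherited` do not appear when reviewing only the assignments made directly to a user on a project, which is why the `effective` listing is the one to audit.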
role_inferences¶
List all role inference rules¶
Lists all role inference rules.
Relationship: https://developer.openstack.org/api-ref/identity/v3/#list-all-role-inference-rules
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"role_inferences": {
"type": "array",
"items": {
"type": "object",
"properties": {
"prior_role": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The role ID."
},
"name": {
"type": "string",
"description": "The role name."
},
"description": {
"type": "string",
"description": "The role description."
},
"links": {
"type": "object",
"properties": {
"self": {
"type": "string",
"format": "uri",
"description": "The link to the resource in question."
}
},
"description": "The link to the resources in question."
}
},
"description": "A prior role object."
},
"implies": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The role ID."
},
"name": {
"type": "string",
"description": "The role name."
},
"description": {
"type": "string",
"description": "The role description."
},
"links": {
"type": "object",
"properties": {
"self": {
"type": "string",
"format": "uri",
"description": "The link to the resource in question."
}
},
"description": "The link to the resources in question."
}
},
"description": "A prior role object."
},
"description": "An implied role object."
}
}
},
"description": "An array of `role_inference` object."
}
}
}
Name | Location | Type | Description |
---|---|---|---|
role_inferences | body | array | An array of `role_inference` object. |
role_inferences[].prior_role | body | object | A prior role object. |
role_inferences[].prior_role.id | body | string | The role ID. |
role_inferences[].prior_role.name | body | string | The role name. |
role_inferences[].prior_role.description | body | string | The role description. |
role_inferences[].prior_role.links | body | object | The link to the resources in question. |
role_inferences[].prior_role.links.self | body | string | The link to the resource in question. |
role_inferences[].implies | body | array | An implied role object. |
role_inferences[].implies[].id | body | string | The role ID. |
role_inferences[].implies[].name | body | string | The role name. |
role_inferences[].implies[].description | body | string | The role description. |
role_inferences[].implies[].links | body | object | The link to the resources in question. |
role_inferences[].implies[].links.self | body | string | The link to the resource in question. |
403¶
Error
404¶
Error
s3tokens¶
services¶
Show service details¶
Shows details for a service.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/service
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"service": {
"type": "object",
"properties": {
"description": {
"type": "string",
"description": "The service description."
},
"enabled": {
"type": "boolean",
"description": "Defines whether the service and its endpoints\nappear in the service catalog: \\- `false`. The service and its\nendpoints do not appear in the service catalog. \\- `true`. The\nservice and its endpoints appear in the service catalog.\nDefault is `true`."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint\nbelongs.",
"readOnly": true
},
"name": {
"type": "string",
"description": "The service name."
},
"type": {
"type": "string",
"description": "The service type, which describes the API\nimplemented by the service. Value is `compute`, `ec2`,\n`identity`, `image`, `network`, or `volume`."
}
},
"description": "A `service` object."
}
}
}
Name | Location | Type | Description |
---|---|---|---|
service | body | object | A `service` object. |
service.description | body | string | The service description. |
service.enabled | body | boolean | Defines whether the service and its endpoints appear in the service catalog: - `false`. The service and its endpoints do not appear in the service catalog. - `true`. The service and its endpoints appear in the service catalog. Default is `true`. |
service.id | body | string | The UUID of the service to which the endpoint belongs. |
service.name | body | string | The service name. |
service.type | body | string | The service type, which describes the API implemented by the service. Value is `compute`, `ec2`, `identity`, `image`, `network`, or `volume`. |
403¶
Error
404¶
Error
Update service¶
Updates a service.
The request body is the same as the create service request body, except that you include only those attributes that you want to update.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/services
Request¶
Name | Location | Type | Description |
---|---|---|---|
service_id | path | string | service_id parameter for /v3/services/{service_id} API |
service | body | object | A `service` object. |
service.description | body | string | The service description. |
service.enabled | body | boolean | Defines whether the service and its endpoints appear in the service catalog: - `false`. The service and its endpoints do not appear in the service catalog. - `true`. The service and its endpoints appear in the service catalog. Default is `true`. |
service.id | body | string | The UUID of the service to which the endpoint belongs. |
service.name | body | string | The service name. |
service.type | body | string | The service type, which describes the API implemented by the service. Value is `compute`, `ec2`, `identity`, `image`, `network`, or `volume`. |
{
"type": "object",
"properties": {
"service": {
"type": "object",
"properties": {
"description": {
"type": "string",
"description": "The service description."
},
"enabled": {
"type": "boolean",
"description": "Defines whether the service and its endpoints\nappear in the service catalog: \\- `false`. The service and its\nendpoints do not appear in the service catalog. \\- `true`. The\nservice and its endpoints appear in the service catalog.\nDefault is `true`."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint\nbelongs.",
"readOnly": true
},
"name": {
"type": "string",
"description": "The service name."
},
"type": {
"type": "string",
"description": "The service type, which describes the API\nimplemented by the service. Value is `compute`, `ec2`,\n`identity`, `image`, `network`, or `volume`."
}
},
"description": "A `service` object."
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"service": {
"type": "object",
"properties": {
"description": {
"type": "string",
"description": "The service description."
},
"enabled": {
"type": "boolean",
"description": "Defines whether the service and its endpoints\nappear in the service catalog: \\- `false`. The service and its\nendpoints do not appear in the service catalog. \\- `true`. The\nservice and its endpoints appear in the service catalog.\nDefault is `true`."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint\nbelongs.",
"readOnly": true
},
"name": {
"type": "string",
"description": "The service name."
},
"type": {
"type": "string",
"description": "The service type, which describes the API\nimplemented by the service. Value is `compute`, `ec2`,\n`identity`, `image`, `network`, or `volume`."
}
},
"description": "A `service` object."
}
}
}
Name | Location | Type | Description |
---|---|---|---|
service | body | object | A `service` object. |
service.description | body | string | The service description. |
service.enabled | body | boolean | Defines whether the service and its endpoints appear in the service catalog: - `false`. The service and its endpoints do not appear in the service catalog. - `true`. The service and its endpoints appear in the service catalog. Default is `true`. |
service.id | body | string | The UUID of the service to which the endpoint belongs. |
service.name | body | string | The service name. |
service.type | body | string | The service type, which describes the API implemented by the service. Value is `compute`, `ec2`, `identity`, `image`, `network`, or `volume`. |
403¶
Error
404¶
Error
Delete service¶
List services¶
Lists all services.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/services
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"services": {
"type": "array",
"items": {
"type": "object",
"properties": {
"description": {
"type": "string",
"description": "The service description."
},
"enabled": {
"type": "boolean",
"description": "Defines whether the service and its endpoints\nappear in the service catalog: \\- `false`. The service and its\nendpoints do not appear in the service catalog. \\- `true`. The\nservice and its endpoints appear in the service catalog."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint\nbelongs.",
"readOnly": true
},
"name": {
"type": "string",
"description": "The service name."
},
"type": {
"type": "string",
"description": "The service type, which describes the API\nimplemented by the service. Value is `compute`, `ec2`,\n`identity`, `image`, `network`, or `volume`."
}
},
"description": "A `service` object."
},
"description": "A list of `service` object."
}
}
}
Name | Location | Type | Description |
---|---|---|---|
services | body | array | A list of `service` object. |
services[].description | body | string | The service description. |
services[].enabled | body | boolean | Defines whether the service and its endpoints appear in the service catalog: - `false`. The service and its endpoints do not appear in the service catalog. - `true`. The service and its endpoints appear in the service catalog. |
services[].id | body | string | The UUID of the service to which the endpoint belongs. |
services[].name | body | string | The service name. |
services[].type | body | string | The service type, which describes the API implemented by the service. Value is `compute`, `ec2`, `identity`, `image`, `network`, or `volume`. |
403¶
Error
404¶
Error
Create service¶
Creates a service.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/services
Request¶
Name | Location | Type | Description |
---|---|---|---|
service | body | object | A `service` object. |
service.description | body | string | The service description. |
service.enabled | body | boolean | Defines whether the service and its endpoints appear in the service catalog: `false`, the service and its endpoints do not appear in the service catalog; `true`, the service and its endpoints appear in the service catalog. Default is `true`. |
service.id | body | string | The UUID of the service to which the endpoint belongs. |
service.name | body | string | The service name. |
service.type | body | string | The service type, which describes the API implemented by the service. Value is `compute`, `ec2`, `identity`, `image`, `network`, or `volume`. |
{
"type": "object",
"properties": {
"service": {
"type": "object",
"properties": {
"description": {
"type": "string",
"description": "The service description."
},
"enabled": {
"type": "boolean",
"description": "Defines whether the service and its endpoints\nappear in the service catalog: \\- `false`. The service and its\nendpoints do not appear in the service catalog. \\- `true`. The\nservice and its endpoints appear in the service catalog.\nDefault is `true`."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint\nbelongs.",
"readOnly": true
},
"name": {
"type": "string",
"description": "The service name."
},
"type": {
"type": "string",
"description": "The service type, which describes the API\nimplemented by the service. Value is `compute`, `ec2`,\n`identity`, `image`, `network`, or `volume`."
}
},
"description": "A `service` object."
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"service": {
"type": "object",
"properties": {
"description": {
"type": "string",
"description": "The service description."
},
"enabled": {
"type": "boolean",
"description": "Defines whether the service and its endpoints\nappear in the service catalog: \\- `false`. The service and its\nendpoints do not appear in the service catalog. \\- `true`. The\nservice and its endpoints appear in the service catalog.\nDefault is `true`."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The UUID of the service to which the endpoint\nbelongs.",
"readOnly": true
},
"name": {
"type": "string",
"description": "The service name."
},
"type": {
"type": "string",
"description": "The service type, which describes the API\nimplemented by the service. Value is `compute`, `ec2`,\n`identity`, `image`, `network`, or `volume`."
}
},
"description": "A `service` object."
}
}
}
Name | Location | Type | Description |
---|---|---|---|
service | body | object | A `service` object. |
service.description | body | string | The service description. |
service.enabled | body | boolean | Defines whether the service and its endpoints appear in the service catalog: `false`, the service and its endpoints do not appear in the service catalog; `true`, the service and its endpoints appear in the service catalog. Default is `true`. |
service.id | body | string | The UUID of the service to which the endpoint belongs. |
service.name | body | string | The service name. |
service.type | body | string | The service type, which describes the API implemented by the service. Value is `compute`, `ec2`, `identity`, `image`, `network`, or `volume`. |
403¶
Error
404¶
Error
system¶
List system role assignments for a user¶
Check user for a system role assignment¶
Get system role assignment for a user¶
Get a specific system role assignment for a user. This is the same API as HEAD /v3/system/users/{user_id}/roles/{role_id}.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/system_user_role
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the system/users/user_id/roles/role_id:get operation"
}
403¶
Error
404¶
Error
Assign a system role to a user¶
Grant a user a role on the system.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/system_user_role
Request¶
Name | Location | Type | Description |
---|---|---|---|
user_id | path | string | user_id parameter for /v3/system/users/{user_id}/roles/{role_id} API |
role_id | path | string | role_id parameter for /v3/system/users/{user_id}/roles/{role_id} API |
{
"type": "object",
"description": "Request of the system/users/user_id/roles/role_id:put operation",
"x-openstack": {
"action-name": "PUT"
}
}
Responses¶
201¶
Ok
{
"type": "object",
"description": "Response of the system/users/user_id/roles/role_id:put operation"
}
403¶
Error
404¶
Error
Delete a system role assignment from a user¶
List system role assignments for a group¶
Check group for a system role assignment¶
Get system role assignment for a group¶
Get a specific system role assignment for a group. This is the same API as HEAD /v3/system/groups/{group_id}/roles/{role_id}.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/system_group_role
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the system/groups/group_id/roles/role_id:get operation"
}
403¶
Error
404¶
Error
Assign a system role to a group¶
Grant a group a role on the system.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/system_group_role
Request¶
Name | Location | Type | Description |
---|---|---|---|
group_id | path | string | group_id parameter for /v3/system/groups/{group_id}/roles/{role_id} API |
role_id | path | string | role_id parameter for /v3/system/groups/{group_id}/roles/{role_id} API |
{
"type": "object",
"description": "Request of the system/groups/group_id/roles/role_id:put operation",
"x-openstack": {
"action-name": "PUT"
}
}
Responses¶
201¶
Ok
{
"type": "object",
"description": "Response of the system/groups/group_id/roles/role_id:put operation"
}
403¶
Error
404¶
Error
Delete a system role assignment from a group¶
OS-TRUST¶
Get trust¶
Delete trust¶
List trusts¶
Create trust¶
Creates a trust.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trusts
Request¶
{
"type": "object",
"description": "Request of the OS-TRUST/trusts:post operation",
"x-openstack": {
"action-name": "POST"
}
}
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the OS-TRUST/trusts:post operation"
}
403¶
Error
404¶
Error
List roles delegated by a trust¶
Check if a role is delegated by a trust¶
Get role delegated by a trust¶
users¶
Show user details¶
Shows details for a user.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/user
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"user": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"readOnly": true,
"description": "The user ID."
},
"default_project_id": {
"type": [
"string",
"null"
],
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the default project for the user."
},
"description": {
"type": [
"string",
"null"
]
},
"domain_id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the domain."
},
"enabled": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "If the user is enabled, this value is `true`.\nIf the user is disabled, this value is `false`."
},
"federated": {
"type": "array",
"items": {
"type": "object",
"properties": {
"idp_id": {
"type": "string"
},
"protocols": {
"type": "array",
"items": {
"type": "object",
"properties": {
"protocol_id": {
"type": "string"
},
"unique_id": {
"type": "string"
}
},
"required": [
"protocol_id",
"unique_id"
]
},
"minItems": 1
}
},
"required": [
"idp_id",
"protocols"
]
},
"description": "List of federated objects associated with a user. Each object in the list\ncontains the `idp_id` and `protocols`. `protocols` is a list of\nobjects, each of which contains `protocol_id` and `unique_id` of\nthe protocol and user respectively. For example:\n\n\n\n```\n\"federated\": [\n {\n \"idp_id\": \"efbab5a6acad4d108fec6c63d9609d83\",\n \"protocols\": [\n {\"protocol_id\": \"mapped\", \"unique_id\": \"test@example.com\"}\n ]\n }\n]\n\n```"
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+",
"description": "The user name. Must be unique within the owning domain."
},
"password": {
"type": [
"string",
"null"
],
"description": "The new password for the user."
},
"options": {
"type": "object",
"properties": {
"ignore_change_password_upon_first_use": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"ignore_password_expiry": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"ignore_lockout_failure_attempts": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"lock_password": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"ignore_user_inactivity": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"multi_factor_auth_rules": {
"type": [
"array",
"null"
],
"items": {
"type": "array",
"items": {
"type": "string"
},
"minItems": 1,
"uniqueItems": true
},
"uniqueItems": true
},
"multi_factor_auth_enabled": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
}
},
"additionalProperties": false,
"description": "The resource options for the user. Available resource options are\n`ignore_change_password_upon_first_use`, `ignore_password_expiry`,\n`ignore_lockout_failure_attempts`, `lock_password`,\n`ignore_user_inactivity`, `multi_factor_auth_enabled`, and\n`multi_factor_auth_rules`."
}
},
"description": "A `user` object"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
user | body | object | A `user` object |
user.id | body | string | The user ID. |
user.default_project_id | body | ['string', 'null'] | The ID of the default project for the user. |
user.description | body | ['string', 'null'] | |
user.domain_id | body | string | The ID of the domain. |
user.enabled | body | boolean | If the user is enabled, this value is `true`. If the user is disabled, this value is `false`. |
user.federated | body | array | List of federated objects associated with a user. Each object in the list contains the `idp_id` and `protocols`. `protocols` is a list of objects, each of which contains `protocol_id` and `unique_id` of the protocol and user respectively. For example: `"federated": [{"idp_id": "efbab5a6acad4d108fec6c63d9609d83", "protocols": [{"protocol_id": "mapped", "unique_id": "test@example.com"}]}]` |
user.federated[].idp_id | body | string | |
user.federated[].protocols | body | array | |
user.federated[].protocols[].protocol_id | body | string | |
user.federated[].protocols[].unique_id | body | string | |
user.name | body | string | The user name. Must be unique within the owning domain. |
user.password | body | ['string', 'null'] | The new password for the user. |
user.options | body | object | The resource options for the user. Available resource options are `ignore_change_password_upon_first_use`, `ignore_password_expiry`, `ignore_lockout_failure_attempts`, `lock_password`, `ignore_user_inactivity`, `multi_factor_auth_enabled`, and `multi_factor_auth_rules`. |
user.options.ignore_change_password_upon_first_use | body | ['boolean', 'null'] | |
user.options.ignore_password_expiry | body | ['boolean', 'null'] | |
user.options.ignore_lockout_failure_attempts | body | ['boolean', 'null'] | |
user.options.lock_password | body | ['boolean', 'null'] | |
user.options.ignore_user_inactivity | body | ['boolean', 'null'] | |
user.options.multi_factor_auth_rules | body | ['array', 'null'] | |
user.options.multi_factor_auth_enabled | body | ['boolean', 'null'] | |
403¶
Error
404¶
Error
Update user¶
Updates a user.
If the back-end driver does not support this functionality, this
call might return the HTTP Not Implemented (501)
response code.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/user
Request¶
Name | Location | Type | Description |
---|---|---|---|
user_id | path | string | user_id parameter for /v3/users/{user_id} API |
user | body | object | A `user` object |
user.default_project_id | body | ['string', 'null'] | The new ID of the default project for the user. |
user.description | body | ['string', 'null'] | |
user.domain_id | body | string | The ID of the new domain for the user. The ability to change the domain of a user is now deprecated, and will be removed in a subsequent release. It is already disabled by default in most Identity service implementations. |
user.enabled | body | boolean | Enables or disables the user. An enabled user can authenticate and receive authorization. A disabled user cannot authenticate or receive authorization. Additionally, all tokens that the user holds become no longer valid. If you reenable this user, pre-existing tokens do not become valid. To enable the user, set to `true`. To disable the user, set to `false`. Default is `true`. |
user.federated | body | array | List of federated objects associated with a user. Each object in the list contains the `idp_id` and `protocols`. `protocols` is a list of objects, each of which contains `protocol_id` and `unique_id` of the protocol and user respectively. For example: `"federated": [{"idp_id": "efbab5a6acad4d108fec6c63d9609d83", "protocols": [{"protocol_id": "mapped", "unique_id": "test@example.com"}]}]` |
user.federated[].idp_id | body | string | |
user.federated[].protocols | body | array | |
user.federated[].protocols[].protocol_id | body | string | |
user.federated[].protocols[].unique_id | body | string | |
user.name | body | string | The new name for the user. Must be unique within the owning domain. |
user.password | body | ['string', 'null'] | The new password for the user. |
user.options | body | object | The resource options for the user. Available resource options are `ignore_change_password_upon_first_use`, `ignore_password_expiry`, `ignore_lockout_failure_attempts`, `lock_password`, `ignore_user_inactivity`, `multi_factor_auth_enabled`, and `multi_factor_auth_rules`. |
user.options.ignore_change_password_upon_first_use | body | ['boolean', 'null'] | |
user.options.ignore_password_expiry | body | ['boolean', 'null'] | |
user.options.ignore_lockout_failure_attempts | body | ['boolean', 'null'] | |
user.options.lock_password | body | ['boolean', 'null'] | |
user.options.ignore_user_inactivity | body | ['boolean', 'null'] | |
user.options.multi_factor_auth_rules | body | ['array', 'null'] | |
user.options.multi_factor_auth_enabled | body | ['boolean', 'null'] | |
{
"type": "object",
"properties": {
"user": {
"type": "object",
"properties": {
"default_project_id": {
"type": [
"string",
"null"
],
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The new ID of the default project for the user."
},
"description": {
"type": [
"string",
"null"
]
},
"domain_id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the new domain for the user. The ability to change the domain\nof a user is now deprecated, and will be removed in a subsequent release.\nIt is already disabled by default in most Identity service implementations."
},
"enabled": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "Enables or disables the user. An enabled user\ncan authenticate and receive authorization. A disabled user\ncannot authenticate or receive authorization. Additionally, all\ntokens that the user holds become no longer valid. If you reenable\nthis user, pre\\-existing tokens do not become valid. To enable the\nuser, set to `true`. To disable the user, set to `false`.\nDefault is `true`."
},
"federated": {
"type": "array",
"items": {
"type": "object",
"properties": {
"idp_id": {
"type": "string"
},
"protocols": {
"type": "array",
"items": {
"type": "object",
"properties": {
"protocol_id": {
"type": "string"
},
"unique_id": {
"type": "string"
}
},
"required": [
"protocol_id",
"unique_id"
]
},
"minItems": 1
}
},
"required": [
"idp_id",
"protocols"
]
},
"description": "List of federated objects associated with a user. Each object in the list\ncontains the `idp_id` and `protocols`. `protocols` is a list of\nobjects, each of which contains `protocol_id` and `unique_id` of\nthe protocol and user respectively. For example:\n\n\n\n```\n\"federated\": [\n {\n \"idp_id\": \"efbab5a6acad4d108fec6c63d9609d83\",\n \"protocols\": [\n {\"protocol_id\": \"mapped\", \"unique_id\": \"test@example.com\"}\n ]\n }\n]\n\n```"
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+",
"description": "The new name for the user. Must be unique within the owning domain."
},
"password": {
"type": [
"string",
"null"
],
"description": "The new password for the user."
},
"options": {
"type": "object",
"properties": {
"ignore_change_password_upon_first_use": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"ignore_password_expiry": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"ignore_lockout_failure_attempts": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"lock_password": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"ignore_user_inactivity": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"multi_factor_auth_rules": {
"type": [
"array",
"null"
],
"items": {
"type": "array",
"items": {
"type": "string"
},
"minItems": 1,
"uniqueItems": true
},
"uniqueItems": true
},
"multi_factor_auth_enabled": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
}
},
"additionalProperties": false,
"description": "The resource options for the user. Available resource options are\n`ignore_change_password_upon_first_use`, `ignore_password_expiry`,\n`ignore_lockout_failure_attempts`, `lock_password`,\n`ignore_user_inactivity`, `multi_factor_auth_enabled`, and\n`multi_factor_auth_rules`."
}
},
"minProperties": 1,
"options": {
"type": "object"
},
"additionalProperties": true,
"description": "A `user` object"
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"user": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"readOnly": true,
"description": "The user ID."
},
"default_project_id": {
"type": [
"string",
"null"
],
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the default project for the user."
},
"description": {
"type": [
"string",
"null"
]
},
"domain_id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the domain."
},
"enabled": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "If the user is enabled, this value is `true`.\nIf the user is disabled, this value is `false`."
},
"federated": {
"type": "array",
"items": {
"type": "object",
"properties": {
"idp_id": {
"type": "string"
},
"protocols": {
"type": "array",
"items": {
"type": "object",
"properties": {
"protocol_id": {
"type": "string"
},
"unique_id": {
"type": "string"
}
},
"required": [
"protocol_id",
"unique_id"
]
},
"minItems": 1
}
},
"required": [
"idp_id",
"protocols"
]
},
"description": "List of federated objects associated with a user. Each object in the list\ncontains the `idp_id` and `protocols`. `protocols` is a list of\nobjects, each of which contains `protocol_id` and `unique_id` of\nthe protocol and user respectively. For example:\n\n\n\n```\n\"federated\": [\n {\n \"idp_id\": \"efbab5a6acad4d108fec6c63d9609d83\",\n \"protocols\": [\n {\"protocol_id\": \"mapped\", \"unique_id\": \"test@example.com\"}\n ]\n }\n]\n\n```"
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+",
"description": "The user name. Must be unique within the owning domain."
},
"password": {
"type": [
"string",
"null"
],
"description": "The new password for the user."
},
"options": {
"type": "object",
"properties": {
"ignore_change_password_upon_first_use": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"ignore_password_expiry": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"ignore_lockout_failure_attempts": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"lock_password": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"ignore_user_inactivity": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"multi_factor_auth_rules": {
"type": [
"array",
"null"
],
"items": {
"type": "array",
"items": {
"type": "string"
},
"minItems": 1,
"uniqueItems": true
},
"uniqueItems": true
},
"multi_factor_auth_enabled": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
}
},
"additionalProperties": false,
"description": "The resource options for the user. Available resource options are\n`ignore_change_password_upon_first_use`, `ignore_password_expiry`,\n`ignore_lockout_failure_attempts`, `lock_password`,\n`ignore_user_inactivity`, `multi_factor_auth_enabled`, and\n`multi_factor_auth_rules`."
}
},
"description": "A `user` object"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
user | body | object | A `user` object |
user.id | body | string | The user ID. |
user.default_project_id | body | ['string', 'null'] | The ID of the default project for the user. |
user.description | body | ['string', 'null'] | |
user.domain_id | body | string | The ID of the domain. |
user.enabled | body | boolean | If the user is enabled, this value is `true`. If the user is disabled, this value is `false`. |
user.federated | body | array | List of federated objects associated with a user. Each object in the list contains the `idp_id` and `protocols`. `protocols` is a list of objects, each of which contains `protocol_id` and `unique_id` of the protocol and user respectively. For example: `"federated": [{"idp_id": "efbab5a6acad4d108fec6c63d9609d83", "protocols": [{"protocol_id": "mapped", "unique_id": "test@example.com"}]}]` |
user.federated[].idp_id | body | string | |
user.federated[].protocols | body | array | |
user.federated[].protocols[].protocol_id | body | string | |
user.federated[].protocols[].unique_id | body | string | |
user.name | body | string | The user name. Must be unique within the owning domain. |
user.password | body | ['string', 'null'] | The new password for the user. |
user.options | body | object | The resource options for the user. Available resource options are `ignore_change_password_upon_first_use`, `ignore_password_expiry`, `ignore_lockout_failure_attempts`, `lock_password`, `ignore_user_inactivity`, `multi_factor_auth_enabled`, and `multi_factor_auth_rules`. |
user.options.ignore_change_password_upon_first_use | body | ['boolean', 'null'] | |
user.options.ignore_password_expiry | body | ['boolean', 'null'] | |
user.options.ignore_lockout_failure_attempts | body | ['boolean', 'null'] | |
user.options.lock_password | body | ['boolean', 'null'] | |
user.options.ignore_user_inactivity | body | ['boolean', 'null'] | |
user.options.multi_factor_auth_rules | body | ['array', 'null'] | |
user.options.multi_factor_auth_enabled | body | ['boolean', 'null'] | |
403¶
Error
404¶
Error
Delete user¶
List users¶
Lists users.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/users
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"users": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"readOnly": true,
"description": "The user ID."
},
"default_project_id": {
"type": [
"string",
"null"
],
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the default project for the user."
},
"description": {
"type": [
"string",
"null"
]
},
"domain_id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the domain."
},
"enabled": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "If the user is enabled, this value is `true`.\nIf the user is disabled, this value is `false`."
},
"federated": {
"type": "array",
"items": {
"type": "object",
"properties": {
"idp_id": {
"type": "string"
},
"protocols": {
"type": "array",
"items": {
"type": "object",
"properties": {
"protocol_id": {
"type": "string"
},
"unique_id": {
"type": "string"
}
},
"required": [
"protocol_id",
"unique_id"
]
},
"minItems": 1
}
},
"required": [
"idp_id",
"protocols"
]
},
"description": "List of federated objects associated with a user. Each object in the list\ncontains the `idp_id` and `protocols`. `protocols` is a list of\nobjects, each of which contains `protocol_id` and `unique_id` of\nthe protocol and user respectively. For example:\n\n\n\n```\n\"federated\": [\n {\n \"idp_id\": \"efbab5a6acad4d108fec6c63d9609d83\",\n \"protocols\": [\n {\"protocol_id\": \"mapped\", \"unique_id\": \"test@example.com\"}\n ]\n }\n]\n\n```"
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+",
"description": "The user name. Must be unique within the owning domain."
},
"password": {
"type": [
"string",
"null"
],
"description": "The new password for the user."
},
"options": {
"type": "object",
"properties": {
"ignore_change_password_upon_first_use": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"ignore_password_expiry": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"ignore_lockout_failure_attempts": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"lock_password": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"ignore_user_inactivity": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"multi_factor_auth_rules": {
"type": [
"array",
"null"
],
"items": {
"type": "array",
"items": {
"type": "string"
},
"minItems": 1,
"uniqueItems": true
},
"uniqueItems": true
},
"multi_factor_auth_enabled": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
}
},
"additionalProperties": false,
"description": "The resource options for the user. Available resource options are\n`ignore_change_password_upon_first_use`, `ignore_password_expiry`,\n`ignore_lockout_failure_attempts`, `lock_password`,\n`ignore_user_inactivity`, `multi_factor_auth_enabled`, and\n`multi_factor_auth_rules`."
}
},
"description": "A `user` object"
},
"description": "A list of `user` objects"
}
}
}
Name | Location | Type | Description |
---|---|---|---|
users | body | array | A list of `user` objects |
users[].id | body | string | The user ID. |
users[].default_project_id | body | ['string', 'null'] | The ID of the default project for the user. |
users[].description | body | ['string', 'null'] | |
users[].domain_id | body | string | The ID of the domain. |
users[].enabled | body | boolean | If the user is enabled, this value is `true`. If the user is disabled, this value is `false`. |
users[].federated | body | array | List of federated objects associated with a user. Each object in the list contains the `idp_id` and `protocols`. `protocols` is a list of objects, each of which contains `protocol_id` and `unique_id` of the protocol and user respectively. For example: `"federated": [{"idp_id": "efbab5a6acad4d108fec6c63d9609d83", "protocols": [{"protocol_id": "mapped", "unique_id": "test@example.com"}]}]` |
users[].federated[].idp_id | body | string | |
users[].federated[].protocols | body | array | |
users[].federated[].protocols[].protocol_id | body | string | |
users[].federated[].protocols[].unique_id | body | string | |
users[].name | body | string | The user name. Must be unique within the owning domain. |
users[].password | body | ['string', 'null'] | The new password for the user. |
users[].options | body | object | The resource options for the user. Available resource options are `ignore_change_password_upon_first_use`, `ignore_password_expiry`, `ignore_lockout_failure_attempts`, `lock_password`, `ignore_user_inactivity`, `multi_factor_auth_enabled`, and `multi_factor_auth_rules`. |
users[].options.ignore_change_password_upon_first_use | body | ['boolean', 'null'] | |
users[].options.ignore_password_expiry | body | ['boolean', 'null'] | |
users[].options.ignore_lockout_failure_attempts | body | ['boolean', 'null'] | |
users[].options.lock_password | body | ['boolean', 'null'] | |
users[].options.ignore_user_inactivity | body | ['boolean', 'null'] | |
users[].options.multi_factor_auth_rules | body | ['array', 'null'] | |
users[].options.multi_factor_auth_enabled | body | ['boolean', 'null'] | |
403¶
Error
404¶
Error
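An added example, not part of the Keystone reference: an audit over a List users response body that flags non-disabled accounts whose `options` exempt them from a password-policy control or whose MFA settings are inconsistent. The reading of each option (exemption from expiry, lockout, first-use change and inactivity handling) follows Keystone's resource-option semantics rather than anything spelled out on this page; the function names, finding texts and sample users are constructed for illustration.

```python
# Per-user options that, when true, exempt the account from a password-policy control.
EXEMPTIONS = {
    "ignore_password_expiry": "exempt from password expiry",
    "ignore_lockout_failure_attempts": "exempt from failed-login lockout",
    "ignore_change_password_upon_first_use": "exempt from first-use password change",
    "ignore_user_inactivity": "exempt from inactivity disablement",
}


def mfa_findings(options):
    """Cross-check multi_factor_auth_enabled against multi_factor_auth_rules."""
    enabled = options.get("multi_factor_auth_enabled") is True
    rules = options.get("multi_factor_auth_rules") or []  # null means unset
    findings = []
    if enabled and not rules:
        findings.append("MFA enabled but no rules defined")
    if rules and not enabled:
        findings.append("MFA rules defined but MFA not enabled")
    if enabled and any(len(set(rule)) < 2 for rule in rules):
        findings.append("an MFA rule lists a single method")
    return findings


def audit_users(response):
    """Map user ID to findings for every non-disabled user with at least one finding."""
    report = {}
    for user in response.get("users", []):
        if user.get("enabled") is False:
            continue  # a disabled user cannot authenticate
        options = user.get("options") or {}
        findings = [text for key, text in EXEMPTIONS.items() if options.get(key) is True]
        findings += mfa_findings(options)
        if findings:
            report[user["id"]] = findings
    return report


# Constructed List users response body; IDs and names are placeholders.
SAMPLE_RESPONSE = {"users": [
    {"id": "id-alice", "name": "alice", "domain_id": "default", "enabled": True,
     "options": {"multi_factor_auth_enabled": True,
                 "multi_factor_auth_rules": [["password", "totp"]]}},
    {"id": "id-svc-backup", "name": "svc-backup", "domain_id": "default", "enabled": True,
     "options": {"ignore_password_expiry": True,
                 "ignore_lockout_failure_attempts": True}},
    {"id": "id-bob", "name": "bob", "domain_id": "default", "enabled": True,
     "options": {"multi_factor_auth_enabled": True,
                 "multi_factor_auth_rules": [["password"]]}},
    {"id": "id-carol", "name": "carol", "domain_id": "default", "enabled": True,
     "options": {"multi_factor_auth_enabled": None,
                 "multi_factor_auth_rules": [["password", "totp"]]}},
    {"id": "id-dave", "name": "dave", "domain_id": "default", "enabled": False,
     "options": {"ignore_password_expiry": True}},
    {"id": "id-erin", "name": "erin", "domain_id": "default", "enabled": True,
     "options": {}},
]}

if __name__ == "__main__":
    for user_id, findings in audit_users(SAMPLE_RESPONSE).items():
        print(user_id, "->", "; ".join(findings))
```
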
Create user¶
Creates a user.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/users
Request¶
Name | Location | Type | Description |
---|---|---|---|
user | body | object | A `user` object |
user.default_project_id | body | ['string', 'null'] | The ID of the default project for the user. A user's default project must not be a domain. Setting this attribute does not grant any actual authorization on the project, and is merely provided for convenience. Therefore, the referenced project does not need to exist within the user domain. (Since v3.1) If the user does not have authorization to their default project, the default project is ignored at token creation. (Since v3.1) Additionally, if your default project is not valid, a token is issued without an explicit scope of authorization. |
user.description | body | ['string', 'null'] | |
user.domain_id | body | string | The ID of the domain of the user. If the domain ID is not provided in the request, the Identity service will attempt to pull the domain ID from the token used in the request. Note that this requires the use of a domain-scoped token. |
user.enabled | body | boolean | If the user is enabled, this value is `true`. If the user is disabled, this value is `false`. |
user.federated | body | array | List of federated objects associated with a user. Each object in the list contains the `idp_id` and `protocols`. `protocols` is a list of objects, each of which contains `protocol_id` and `unique_id` of the protocol and user respectively. For example: `"federated": [{"idp_id": "efbab5a6acad4d108fec6c63d9609d83", "protocols": [{"protocol_id": "mapped", "unique_id": "test@example.com"}]}]` |
user.federated[].idp_id | body | string | |
user.federated[].protocols | body | array | |
user.federated[].protocols[].protocol_id | body | string | |
user.federated[].protocols[].unique_id | body | string | |
user.name | body | string | The user name. Must be unique within the owning domain. |
user.password | body | ['string', 'null'] | The password for the user. |
user.options | body | object | The resource options for the user. Available resource options are `ignore_change_password_upon_first_use`, `ignore_password_expiry`, `ignore_lockout_failure_attempts`, `lock_password`, `ignore_user_inactivity`, `multi_factor_auth_enabled`, and `multi_factor_auth_rules`. |
user.options.ignore_change_password_upon_first_use | body | ['boolean', 'null'] | |
user.options.ignore_password_expiry | body | ['boolean', 'null'] | |
user.options.ignore_lockout_failure_attempts | body | ['boolean', 'null'] | |
user.options.lock_password | body | ['boolean', 'null'] | |
user.options.ignore_user_inactivity | body | ['boolean', 'null'] | |
user.options.multi_factor_auth_rules | body | ['array', 'null'] | |
user.options.multi_factor_auth_enabled | body | ['boolean', 'null'] | |
{
"type": "object",
"properties": {
"user": {
"type": "object",
"properties": {
"default_project_id": {
"type": [
"string",
"null"
],
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the default project for the user.\nA user\u2019s default project must not be a domain. Setting this\nattribute does not grant any actual authorization on the project,\nand is merely provided for convenience. Therefore, the referenced\nproject does not need to exist within the user domain. (Since v3\\.1\\)\nIf the user does not have authorization to their default project,\nthe default project is ignored at token creation. (Since v3\\.1\\)\nAdditionally, if your default project is not valid, a token is\nissued without an explicit scope of authorization."
},
"description": {
"type": [
"string",
"null"
]
},
"domain_id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$",
"description": "The ID of the domain of the user. If the domain ID is not\nprovided in the request, the Identity service will attempt to\npull the domain ID from the token used in the request. Note that\nthis requires the use of a domain\\-scoped token."
},
"enabled": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "If the user is enabled, this value is `true`.\nIf the user is disabled, this value is `false`."
},
"federated": {
"type": "array",
"items": {
"type": "object",
"properties": {
"idp_id": {
"type": "string"
},
"protocols": {
"type": "array",
"items": {
"type": "object",
"properties": {
"protocol_id": {
"type": "string"
},
"unique_id": {
"type": "string"
}
},
"required": [
"protocol_id",
"unique_id"
]
},
"minItems": 1
}
},
"required": [
"idp_id",
"protocols"
]
},
"description": "List of federated objects associated with a user. Each object in the list\ncontains the `idp_id` and `protocols`. `protocols` is a list of\nobjects, each of which contains `protocol_id` and `unique_id` of\nthe protocol and user respectively. For example:\n\n\n\n```\n\"federated\": [\n {\n \"idp_id\": \"efbab5a6acad4d108fec6c63d9609d83\",\n \"protocols\": [\n {\"protocol_id\": \"mapped\", \"unique_id\": \"test@example.com\"}\n ]\n }\n]\n\n```"
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+",
"description": "The user name. Must be unique within the owning domain."
},
"password": {
"type": [
"string",
"null"
],
"description": "The password for the user."
},
"options": {
"type": "object",
"properties": {
"ignore_change_password_upon_first_use": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"ignore_password_expiry": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"ignore_lockout_failure_attempts": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"lock_password": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"ignore_user_inactivity": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
},
"multi_factor_auth_rules": {
"type": [
"array",
"null"
],
"items": {
"type": "array",
"items": {
"type": "string"
},
"minItems": 1,
"uniqueItems": true
},
"uniqueItems": true
},
"multi_factor_auth_enabled": {
"type": [
"boolean",
"null"
],
"enum": [
true,
false,
null
]
}
},
"additionalProperties": false,
"description": "The resource options for the user. Available resource options are\n`ignore_change_password_upon_first_use`, `ignore_password_expiry`,\n`ignore_lockout_failure_attempts`, `lock_password`,\n`ignore_user_inactivity`, `multi_factor_auth_enabled`, and\n`multi_factor_auth_rules`."
}
},
"required": [
"name"
],
"options": {
"type": "object"
},
"additionalProperties": true,
"description": "A `user` object"
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the users:post operation"
}
403¶
Error
404¶
Error
Change password for user¶
Changes the password for a user.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/user_change_password
Request¶
| Name | Location | Type | Description |
|---|---|---|---|
| user_id | path | string | user_id parameter for /v3/users/{user_id}/password API |
| user | body | object | A `user` object |
| user.original_password | body | string | The original password for the user. |
| user.password | body | string | The new password for the user. |
{
"type": "object",
"properties": {
"user": {
"type": "object",
"properties": {
"original_password": {
"type": "string",
"format": "password",
"description": "The original password for the user."
},
"password": {
"type": "string",
"format": "password",
"description": "The new password for the user."
}
},
"required": [
"original_password",
"password"
],
"additionalProperties": false,
"description": "A `user` object"
}
}
}
Responses¶
204¶
Ok
403¶
Error
404¶
Error
List groups to which a user belongs¶
Lists groups to which a user belongs.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/user_groups
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"groups": {
"type": "array",
"description": "A list of `group` objects",
"items": {
"type": "object",
"properties": {
"description": {
"type": "string",
"description": "The description of the group."
},
"domain_id": {
"type": "string",
"format": "uuid",
"description": "The ID of the domain of the group."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The ID of the group."
},
"name": {
"type": "string",
"description": "The name of the group."
},
"membership_expires_at": {
"type": "string",
"format": "date-time",
"description": "The date and time when the group membership expires.\nA `null` value indicates that the membership never expires.\n\n\n**New in version 3.14**",
"x-openstack": {
"min-ver": "3.14"
}
}
}
}
}
}
}
| Name | Location | Type | Description |
|---|---|---|---|
| groups | body | array | A list of `group` objects |
| groups[].description | body | string | The description of the group. |
| groups[].domain_id | body | string | The ID of the domain of the group. |
| groups[].id | body | string | The ID of the group. |
| groups[].name | body | string | The name of the group. |
| groups[].membership_expires_at | body | string | The date and time when the group membership expires. A `null` value indicates that the membership never expires. New in version 3.14 |
403¶
Error
404¶
Error
List projects for user¶
Lists the projects that the user is authorized to access.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/user_projects
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"projects": {
"type": "array",
"description": "A list of project objects",
"items": {
"type": "object",
"properties": {
"description": {
"type": "string",
"description": "The description of the project."
},
"domain_id": {
"type": "string",
"format": "uuid",
"description": "The ID of the domain of the project."
},
"id": {
"type": "string",
"format": "uuid",
"description": "The ID of the project."
},
"parent_id": {
"type": "string",
"format": "uuid",
"description": "The parent id of the project."
},
"name": {
"type": "string",
"description": "The name of the project."
}
}
}
}
}
}
| Name | Location | Type | Description |
|---|---|---|---|
| projects | body | array | A list of project objects |
| projects[].description | body | string | The description of the project. |
| projects[].domain_id | body | string | The ID of the domain of the project. |
| projects[].id | body | string | The ID of the project. |
| projects[].parent_id | body | string | The parent id of the project. |
| projects[].name | body | string | The name of the project. |
403¶
Error
404¶
Error
Create EC2 Credential for user.
POST /v3/users/{user_id}/credentials/OS-EC2
Request¶
| Name | Location | Type | Description |
|---|---|---|---|
| user_id | path | string | user_id parameter for /v3/users/{user_id}/credentials/OS-EC2/{credential_id} API |
{
"type": "object",
"description": "Request of the users/user_id/credentials/OS-EC2:post operation",
"x-openstack": {
"action-name": "POST"
}
}
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the users/user_id/credentials/OS-EC2:post operation"
}
403¶
Error
404¶
Error
List access tokens¶
Get access token¶
Revoke access token¶
Enables a user to revoke an access token, which prevents the consumer from requesting new Identity Service API tokens. Also, revokes any Identity Service API tokens that were issued to the consumer through that access token.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token
Responses¶
204¶
Ok
403¶
Error
404¶
Error
List roles for an access token¶
Lists associated roles for an access token.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token_roles
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the users/user_id/OS-OAUTH1/access_tokens/access_token_id/roles:get operation"
}
403¶
Error
404¶
Error
Show role details for an access token¶
Shows details for a role for an access token.
Relationship: https://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token_role
Responses¶
200¶
Ok
{
"type": "object",
"description": "Response of the users/user_id/OS-OAUTH1/access_tokens/access_token_id/roles/role_id:get operation"
}
403¶
Error
404¶
Error
List application credentials¶
List all application credentials for a user.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/application_credentials
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"application_credentials": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The ID of the application credential."
},
"project_id": {
"type": "string",
"format": "uuid",
"description": "The ID of the project the application credential was created for and that authentication requests using this application credential will be scoped to."
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+"
},
"description": {
"type": [
"string",
"null"
]
},
"expires_at": {
"type": [
"null",
"string"
]
},
"roles": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$"
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+"
}
},
"minProperties": 1,
"maxProperties": 1,
"additionalProperties": false
}
},
"unrestricted": {
"type": "boolean",
"enum": [
true,
false,
null
]
},
"access_rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"path": {
"type": "string",
"minLength": 0,
"maxLength": 225,
"pattern": "^\\/.*"
},
"method": {
"type": "string",
"pattern": "^(POST|GET|HEAD|PATCH|PUT|DELETE)$"
},
"service": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$"
},
"id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$"
}
},
"additionalProperties": false
}
}
}
}
}
}
}
| Name | Location | Type | Description |
|---|---|---|---|
| application_credentials | body | array | |
| application_credentials[].id | body | string | The ID of the application credential. |
| application_credentials[].project_id | body | string | The ID of the project the application credential was created for and that authentication requests using this application credential will be scoped to. |
| application_credentials[].name | body | string | |
| application_credentials[].description | body | [‘string’, ‘null’] | |
| application_credentials[].expires_at | body | [‘null’, ‘string’] | |
| application_credentials[].roles | body | array | |
| application_credentials[].roles[].id | body | string | |
| application_credentials[].roles[].name | body | string | |
| application_credentials[].unrestricted | body | boolean | |
| application_credentials[].access_rules | body | array | |
| application_credentials[].access_rules[].path | body | string | |
| application_credentials[].access_rules[].method | body | string | |
| application_credentials[].access_rules[].service | body | string | |
| application_credentials[].access_rules[].id | body | string | |
403¶
Error
404¶
Error
Create application credential¶
Creates an application credential for a user on the project to which the current token is scoped.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/application_credentials
Request¶
| Name | Location | Type | Description |
|---|---|---|---|
| user_id | path | string | user_id parameter for /v3/users/{user_id}/application_credentials/{application_credential_id} API |
| application_credential | body | object | An application credential object. |
| application_credential.name | body | string | The name of the application credential. Must be unique to a user. |
| application_credential.description | body | [‘string’, ‘null’] | A description of the application credential’s purpose. |
| application_credential.secret | body | [‘null’, ‘string’] | The secret that the application credential will be created with. If not provided, one will be generated. |
| application_credential.expires_at | body | [‘null’, ‘string’] | An optional expiry time for the application credential. If unset, the application credential does not expire. |
| application_credential.roles | body | array | An optional list of role objects, identified by ID or name. The list may only contain roles that the user has assigned on the project. If not provided, the roles assigned to the application credential will be the same as the roles in the current token. |
| application_credential.roles[].id | body | string | |
| application_credential.roles[].name | body | string | The name of the application credential. Must be unique to a user. |
| application_credential.unrestricted | body | boolean | An optional flag to restrict whether the application credential may be used for the creation or destruction of other application credentials or trusts. Defaults to false. |
| application_credential.access_rules | body | array | A list of `access_rules` objects |
| application_credential.access_rules[].path | body | string | |
| application_credential.access_rules[].method | body | string | |
| application_credential.access_rules[].service | body | string | |
| application_credential.access_rules[].id | body | string | |
{
"type": "object",
"properties": {
"application_credential": {
"type": "object",
"properties": {
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+",
"description": "The name of the application credential. Must be unique to a user."
},
"description": {
"type": [
"string",
"null"
],
"description": "A description of the application credential\u2019s purpose."
},
"secret": {
"type": [
"null",
"string"
],
"description": "The secret that the application credential will be created with. If not\nprovided, one will be generated."
},
"expires_at": {
"type": [
"null",
"string"
],
"description": "An optional expiry time for the application credential. If unset, the\napplication credential does not expire."
},
"roles": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$"
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+",
"description": "The name of the application credential. Must be unique to a user."
}
},
"minProperties": 1,
"maxProperties": 1,
"additionalProperties": false
},
"description": "An optional list of role objects, identified by ID or name. The list\nmay only contain roles that the user has assigned on the project.\nIf not provided, the roles assigned to the application credential will\nbe the same as the roles in the current token."
},
"unrestricted": {
"type": "boolean",
"enum": [
true,
false,
null
],
"description": "An optional flag to restrict whether the application credential may be\nused for the creation or destruction of other application credentials or\ntrusts. Defaults to false."
},
"access_rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"path": {
"type": "string",
"minLength": 0,
"maxLength": 225,
"pattern": "^\\/.*"
},
"method": {
"type": "string",
"pattern": "^(POST|GET|HEAD|PATCH|PUT|DELETE)$"
},
"service": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$"
},
"id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$"
}
},
"additionalProperties": false
},
"description": "A list of `access_rules` objects"
}
},
"required": [
"name"
],
"additionalProperties": true,
"description": "An application credential object."
}
}
}
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"application_credential": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The ID of the application credential."
},
"project_id": {
"type": "string",
"format": "uuid",
"description": "The ID of the project the application credential was created for and that authentication requests using this application credential will be scoped to."
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+"
},
"description": {
"type": [
"string",
"null"
]
},
"expires_at": {
"type": [
"null",
"string"
]
},
"roles": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$"
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+"
}
},
"minProperties": 1,
"maxProperties": 1,
"additionalProperties": false
}
},
"unrestricted": {
"type": "boolean",
"enum": [
true,
false,
null
]
},
"access_rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"path": {
"type": "string",
"minLength": 0,
"maxLength": 225,
"pattern": "^\\/.*"
},
"method": {
"type": "string",
"pattern": "^(POST|GET|HEAD|PATCH|PUT|DELETE)$"
},
"service": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$"
},
"id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$"
}
},
"additionalProperties": false
}
},
"secret": {
"type": "string",
"description": "The secret for the application credential, either generated by the server or provided by the user. This is only ever shown once in the response to a create request. It is not stored nor ever shown again. If the secret is lost, a new application credential must be created."
}
}
}
}
}
| Name | Location | Type | Description |
|---|---|---|---|
| application_credential | body | object | |
| application_credential.id | body | string | The ID of the application credential. |
| application_credential.project_id | body | string | The ID of the project the application credential was created for and that authentication requests using this application credential will be scoped to. |
| application_credential.name | body | string | |
| application_credential.description | body | [‘string’, ‘null’] | |
| application_credential.expires_at | body | [‘null’, ‘string’] | |
| application_credential.roles | body | array | |
| application_credential.roles[].id | body | string | |
| application_credential.roles[].name | body | string | |
| application_credential.unrestricted | body | boolean | |
| application_credential.access_rules | body | array | |
| application_credential.access_rules[].path | body | string | |
| application_credential.access_rules[].method | body | string | |
| application_credential.access_rules[].service | body | string | |
| application_credential.access_rules[].id | body | string | |
| application_credential.secret | body | string | The secret for the application credential, either generated by the server or provided by the user. This is only ever shown once in the response to a create request. It is not stored nor ever shown again. If the secret is lost, a new application credential must be created. |
403¶
Error
404¶
Error
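The request schema above constrains each field, and the field descriptions state what an omitted `roles` list, an unset `expires_at` and `unrestricted` set to true mean. The following Python check is an added example, not code from Keystone or its documentation: it applies those constraints to a request body before it is sent and flags the broad settings for review. `check_request`, the warning policy and the sample bodies are assumptions of this example.

```python
import re

# Constraints are copied from the request schema on this page; the warnings are this example's own review policy.
ID_RE = re.compile(r"[a-zA-Z0-9-]+")  # schema pattern ^[a-zA-Z0-9-]+$, applied with fullmatch
METHOD_RE = re.compile(r"POST|GET|HEAD|PATCH|PUT|DELETE")
RULE_KEYS = {"path", "method", "service", "id"}

def _name_ok(v):
    # 1-255 chars; the pattern [\S]+ is unanchored, so one non-space character satisfies it.
    return isinstance(v, str) and 1 <= len(v) <= 255 and re.search(r"\S", v) is not None

def _id_ok(v):
    return isinstance(v, str) and len(v) <= 64 and ID_RE.fullmatch(v) is not None

def check_request(body):
    """Return (errors, warnings) for a create-application-credential body."""
    errors, warnings = [], []
    cred = body.get("application_credential")
    if not isinstance(cred, dict):
        return ["application_credential: object is missing"], warnings
    if not _name_ok(cred.get("name")):
        errors.append("name: required, 1-255 chars, not only whitespace")
    roles = cred.get("roles")
    if roles is None:
        warnings.append("roles omitted: credential gets the roles in the current token")
    for i, role in enumerate(roles or []):
        # Schema: minProperties 1, maxProperties 1, additionalProperties false.
        if not isinstance(role, dict) or len(role) != 1 or not set(role) <= {"id", "name"}:
            errors.append(f"roles[{i}]: exactly one of id or name")
        elif "id" in role and not _id_ok(role["id"]):
            errors.append(f"roles[{i}].id: 1-64 chars of [a-zA-Z0-9-]")
        elif "name" in role and not _name_ok(role["name"]):
            errors.append(f"roles[{i}].name: 1-255 chars, not only whitespace")
    rules = cred.get("access_rules")
    if not rules:
        warnings.append("access_rules omitted: no service/method/path restriction")
    for i, rule in enumerate(rules or []):
        if not isinstance(rule, dict) or not set(rule) <= RULE_KEYS:
            errors.append(f"access_rules[{i}]: only path, method, service, id allowed")
            continue
        path, method = rule.get("path"), rule.get("method")
        if path is not None and not (isinstance(path, str) and path.startswith("/") and len(path) <= 225):
            errors.append(f"access_rules[{i}].path: must start with / and be <= 225 chars")
        if method is not None and not (isinstance(method, str) and METHOD_RE.fullmatch(method)):
            errors.append(f"access_rules[{i}].method: POST, GET, HEAD, PATCH, PUT or DELETE")
        for key in ("service", "id"):
            if key in rule and not _id_ok(rule[key]):
                errors.append(f"access_rules[{i}].{key}: 1-64 chars of [a-zA-Z0-9-]")
    unrestricted = cred.get("unrestricted")
    if unrestricted is not None and not isinstance(unrestricted, bool):
        errors.append("unrestricted: must be a boolean")
    elif unrestricted is True:
        warnings.append("unrestricted=true: may create or delete application credentials and trusts")
    if cred.get("expires_at") is None:
        warnings.append("expires_at unset: credential does not expire")
    return errors, warnings

# Constructed sample bodies (not taken from the Keystone documentation).
SCOPED = {"application_credential": {
    "name": "backup-job", "expires_at": "2030-01-01T00:00:00Z",
    "roles": [{"name": "reader"}],
    "access_rules": [{"service": "compute", "method": "GET", "path": "/v2.1/servers"}]}}
BROAD = {"application_credential": {
    "name": "ci", "unrestricted": True,
    "roles": [{"id": "abc", "name": "admin"}],
    "access_rules": [{"service": "compute", "method": "get", "path": "v2.1/servers"}]}}

if __name__ == "__main__":
    print(check_request(SCOPED), check_request(BROAD), sep="\n")
```

The format of `expires_at` is not checked because the schema on this page only declares it as a string.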
Show application credential details¶
Show details of an application credential.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/application_credentials
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"application_credential": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "uuid",
"description": "The ID of the application credential."
},
"project_id": {
"type": "string",
"format": "uuid",
"description": "The ID of the project the application credential was created for and that authentication requests using this application credential will be scoped to."
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+"
},
"description": {
"type": [
"string",
"null"
]
},
"expires_at": {
"type": [
"null",
"string"
]
},
"roles": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$"
},
"name": {
"type": "string",
"minLength": 1,
"maxLength": 255,
"pattern": "[\\S]+"
}
},
"minProperties": 1,
"maxProperties": 1,
"additionalProperties": false
}
},
"unrestricted": {
"type": "boolean",
"enum": [
true,
false,
null
]
},
"access_rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"path": {
"type": "string",
"minLength": 0,
"maxLength": 225,
"pattern": "^\\/.*"
},
"method": {
"type": "string",
"pattern": "^(POST|GET|HEAD|PATCH|PUT|DELETE)$"
},
"service": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$"
},
"id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$"
}
},
"additionalProperties": false
}
}
}
}
}
}
| Name | Location | Type | Description |
|---|---|---|---|
| application_credential | body | object | |
| application_credential.id | body | string | The ID of the application credential. |
| application_credential.project_id | body | string | The ID of the project the application credential was created for and that authentication requests using this application credential will be scoped to. |
| application_credential.name | body | string | |
| application_credential.description | body | [‘string’, ‘null’] | |
| application_credential.expires_at | body | [‘null’, ‘string’] | |
| application_credential.roles | body | array | |
| application_credential.roles[].id | body | string | |
| application_credential.roles[].name | body | string | |
| application_credential.unrestricted | body | boolean | |
| application_credential.access_rules | body | array | |
| application_credential.access_rules[].path | body | string | |
| application_credential.access_rules[].method | body | string | |
| application_credential.access_rules[].service | body | string | |
| application_credential.access_rules[].id | body | string | |
403¶
Error
404¶
Error
Delete application credential¶
List access rules¶
List all access rules for a user.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/access_rules
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"access_rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"path": {
"type": "string",
"minLength": 0,
"maxLength": 225,
"pattern": "^\\/.*"
},
"method": {
"type": "string",
"pattern": "^(POST|GET|HEAD|PATCH|PUT|DELETE)$"
},
"service": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$"
},
"id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$"
}
},
"additionalProperties": false
}
},
"links": {
"type": "array",
"description": "Links to the resources in question. See [API Guide / Links and References](https://docs.openstack.org/api-guide/compute/links_and_references.html) for more info.",
"items": {
"type": "object",
"description": "Links to the resources in question. See [API Guide / Links and References](https://docs.openstack.org/api-guide/compute/links_and_references.html) for more info.",
"properties": {
"href": {
"type": "string",
"format": "uri"
},
"rel": {
"type": "string"
}
}
}
}
}
}
| Name | Location | Type | Description |
|---|---|---|---|
| access_rules | body | array | |
| access_rules[].path | body | string | |
| access_rules[].method | body | string | |
| access_rules[].service | body | string | |
| access_rules[].id | body | string | |
| links | body | array | Links to the resources in question. See API Guide / Links and References for more info. |
| links[].href | body | string | |
| links[].rel | body | string | |
403¶
Error
404¶
Error
Show access rule details¶
Show details of an access rule.
Relationship: https://docs.openstack.org/api/openstack-identity/3/rel/access_rules
Responses¶
200¶
Ok
{
"type": "object",
"properties": {
"access_rule": {
"type": "object",
"properties": {
"path": {
"type": "string",
"minLength": 0,
"maxLength": 225,
"pattern": "^\\/.*"
},
"method": {
"type": "string",
"pattern": "^(POST|GET|HEAD|PATCH|PUT|DELETE)$"
},
"service": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$"
},
"id": {
"type": "string",
"minLength": 1,
"maxLength": 64,
"pattern": "^[a-zA-Z0-9-]+$"
}
},
"additionalProperties": false
}
}
}
| Name | Location | Type | Description |
|---|---|---|---|
| access_rule | body | object | |
| access_rule.path | body | string | |
| access_rule.method | body | string | |
| access_rule.service | body | string | |
| access_rule.id | body | string | |
403¶
Error
404¶
Error