1#"admin_required": "role:admin or is_admin:1" 2 3#"service_role": "role:service" 4 5#"service_or_admin": "rule:admin_required or rule:service_role" 6 7#"owner": "user_id:%(user_id)s" 8 9#"admin_or_owner": "rule:admin_required or rule:owner" 10 11#"token_subject": "user_id:%(target.token.user_id)s" 12 13#"admin_or_token_subject": "rule:admin_required or rule:token_subject" 14 15#"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject" 16 17# Show access rule details. 18# GET /v3/users/{user_id}/access_rules/{access_rule_id} 19# HEAD /v3/users/{user_id}/access_rules/{access_rule_id} 20# Intended scope(s): system, project 21#"identity:get_access_rule": "(role:reader and system_scope:all) or user_id:%(target.user.id)s" 22 23# List access rules for a user. 24# GET /v3/users/{user_id}/access_rules 25# HEAD /v3/users/{user_id}/access_rules 26# Intended scope(s): system, project 27#"identity:list_access_rules": "(role:reader and system_scope:all) or user_id:%(target.user.id)s" 28 29# Delete an access_rule. 30# DELETE /v3/users/{user_id}/access_rules/{access_rule_id} 31# Intended scope(s): system, project 32#"identity:delete_access_rule": "(role:admin and system_scope:all) or user_id:%(target.user.id)s" 33 34# Authorize OAUTH1 request token. 35# PUT /v3/OS-OAUTH1/authorize/{request_token_id} 36# Intended scope(s): project 37#"identity:authorize_request_token": "rule:admin_required" 38 39# Get OAUTH1 access token for user by access token ID. 40# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id} 41# Intended scope(s): project 42#"identity:get_access_token": "rule:admin_required" 43 44# Get role for user OAUTH1 access token. 45# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id} 46# Intended scope(s): project 47#"identity:get_access_token_role": "rule:admin_required" 48 49# List OAUTH1 access tokens for user. 
50# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens 51# Intended scope(s): project 52#"identity:list_access_tokens": "rule:admin_required" 53 54# List OAUTH1 access token roles. 55# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles 56# Intended scope(s): project 57#"identity:list_access_token_roles": "rule:admin_required" 58 59# Delete OAUTH1 access token. 60# DELETE /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id} 61# Intended scope(s): project 62#"identity:delete_access_token": "rule:admin_required" 63 64# Show application credential details. 65# GET /v3/users/{user_id}/application_credentials/{application_credential_id} 66# HEAD /v3/users/{user_id}/application_credentials/{application_credential_id} 67# Intended scope(s): system, project 68#"identity:get_application_credential": "(role:reader and system_scope:all) or rule:owner" 69 70# DEPRECATED 71# "identity:get_application_credentials":"rule:admin_or_owner" has 72# been deprecated since T in favor of 73# "identity:get_application_credential":"(role:reader and 74# system_scope:all) or rule:owner". 75# The application credential API is now aware of system scope and 76# default roles. 77#"identity:get_application_credentials": "rule:identity:get_application_credential" 78 79# List application credentials for a user. 80# GET /v3/users/{user_id}/application_credentials 81# HEAD /v3/users/{user_id}/application_credentials 82# Intended scope(s): system, project 83#"identity:list_application_credentials": "(role:reader and system_scope:all) or rule:owner" 84 85# DEPRECATED 86# "identity:list_application_credentials":"rule:admin_or_owner" has 87# been deprecated since T in favor of 88# "identity:list_application_credentials":"(role:reader and 89# system_scope:all) or rule:owner". 90# The application credential API is now aware of system scope and 91# default roles. 92 93# Create an application credential. 
94# POST /v3/users/{user_id}/application_credentials 95# Intended scope(s): project 96#"identity:create_application_credential": "user_id:%(user_id)s" 97 98# Delete an application credential. 99# DELETE /v3/users/{user_id}/application_credentials/{application_credential_id} 100# Intended scope(s): system, project 101#"identity:delete_application_credential": "(role:admin and system_scope:all) or rule:owner" 102 103# DEPRECATED 104# "identity:delete_application_credentials":"rule:admin_or_owner" has 105# been deprecated since T in favor of 106# "identity:delete_application_credential":"(role:admin and 107# system_scope:all) or rule:owner". 108# The application credential API is now aware of system scope and 109# default roles. 110#"identity:delete_application_credentials": "rule:identity:delete_application_credential" 111 112# Get service catalog. 113# GET /v3/auth/catalog 114# HEAD /v3/auth/catalog 115#"identity:get_auth_catalog": "" 116 117# List all projects a user has access to via role assignments. 118# GET /v3/auth/projects 119# HEAD /v3/auth/projects 120#"identity:get_auth_projects": "" 121 122# List all domains a user has access to via role assignments. 123# GET /v3/auth/domains 124# HEAD /v3/auth/domains 125#"identity:get_auth_domains": "" 126 127# List systems a user has access to via role assignments. 128# GET /v3/auth/system 129# HEAD /v3/auth/system 130#"identity:get_auth_system": "" 131 132# Show OAUTH1 consumer details. 133# GET /v3/OS-OAUTH1/consumers/{consumer_id} 134# Intended scope(s): system 135#"identity:get_consumer": "role:reader and system_scope:all" 136 137# DEPRECATED 138# "identity:get_consumer":"rule:admin_required" has been deprecated 139# since T in favor of "identity:get_consumer":"role:reader and 140# system_scope:all". 141# The OAUTH1 consumer API is now aware of system scope and default 142# roles. 143 144# List OAUTH1 consumers. 
145# GET /v3/OS-OAUTH1/consumers 146# Intended scope(s): system 147#"identity:list_consumers": "role:reader and system_scope:all" 148 149# DEPRECATED 150# "identity:list_consumers":"rule:admin_required" has been deprecated 151# since T in favor of "identity:list_consumers":"role:reader and 152# system_scope:all". 153# The OAUTH1 consumer API is now aware of system scope and default 154# roles. 155 156# Create OAUTH1 consumer. 157# POST /v3/OS-OAUTH1/consumers 158# Intended scope(s): system 159#"identity:create_consumer": "role:admin and system_scope:all" 160 161# DEPRECATED 162# "identity:create_consumer":"rule:admin_required" has been deprecated 163# since T in favor of "identity:create_consumer":"role:admin and 164# system_scope:all". 165# The OAUTH1 consumer API is now aware of system scope and default 166# roles. 167 168# Update OAUTH1 consumer. 169# PATCH /v3/OS-OAUTH1/consumers/{consumer_id} 170# Intended scope(s): system 171#"identity:update_consumer": "role:admin and system_scope:all" 172 173# DEPRECATED 174# "identity:update_consumer":"rule:admin_required" has been deprecated 175# since T in favor of "identity:update_consumer":"role:admin and 176# system_scope:all". 177# The OAUTH1 consumer API is now aware of system scope and default 178# roles. 179 180# Delete OAUTH1 consumer. 181# DELETE /v3/OS-OAUTH1/consumers/{consumer_id} 182# Intended scope(s): system 183#"identity:delete_consumer": "role:admin and system_scope:all" 184 185# DEPRECATED 186# "identity:delete_consumer":"rule:admin_required" has been deprecated 187# since T in favor of "identity:delete_consumer":"role:admin and 188# system_scope:all". 189# The OAUTH1 consumer API is now aware of system scope and default 190# roles. 191 192# Show credentials details. 
193# GET /v3/credentials/{credential_id} 194# Intended scope(s): system, project 195#"identity:get_credential": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" 196 197# DEPRECATED 198# "identity:get_credential":"rule:admin_required" has been deprecated 199# since S in favor of "identity:get_credential":"(role:reader and 200# system_scope:all) or user_id:%(target.credential.user_id)s". 201# The credential API is now aware of system scope and default roles. 202 203# List credentials. 204# GET /v3/credentials 205# Intended scope(s): system, project 206#"identity:list_credentials": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" 207 208# DEPRECATED 209# "identity:list_credentials":"rule:admin_required" has been 210# deprecated since S in favor of 211# "identity:list_credentials":"(role:reader and system_scope:all) or 212# user_id:%(target.credential.user_id)s". 213# The credential API is now aware of system scope and default roles. 214 215# Create credential. 216# POST /v3/credentials 217# Intended scope(s): system, project 218#"identity:create_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" 219 220# DEPRECATED 221# "identity:create_credential":"rule:admin_required" has been 222# deprecated since S in favor of 223# "identity:create_credential":"(role:admin and system_scope:all) or 224# user_id:%(target.credential.user_id)s". 225# The credential API is now aware of system scope and default roles. 226 227# Update credential. 228# PATCH /v3/credentials/{credential_id} 229# Intended scope(s): system, project 230#"identity:update_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" 231 232# DEPRECATED 233# "identity:update_credential":"rule:admin_required" has been 234# deprecated since S in favor of 235# "identity:update_credential":"(role:admin and system_scope:all) or 236# user_id:%(target.credential.user_id)s". 
237# The credential API is now aware of system scope and default roles. 238 239# Delete credential. 240# DELETE /v3/credentials/{credential_id} 241# Intended scope(s): system, project 242#"identity:delete_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" 243 244# DEPRECATED 245# "identity:delete_credential":"rule:admin_required" has been 246# deprecated since S in favor of 247# "identity:delete_credential":"(role:admin and system_scope:all) or 248# user_id:%(target.credential.user_id)s". 249# The credential API is now aware of system scope and default roles. 250 251# Show domain details. 252# GET /v3/domains/{domain_id} 253# Intended scope(s): system, domain, project 254#"identity:get_domain": "(role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s" 255 256# DEPRECATED 257# "identity:get_domain":"rule:admin_required or 258# token.project.domain.id:%(target.domain.id)s" has been deprecated 259# since S in favor of "identity:get_domain":"(role:reader and 260# system_scope:all) or token.domain.id:%(target.domain.id)s or 261# token.project.domain.id:%(target.domain.id)s". 262# The domain API is now aware of system scope and default roles. 263 264# List domains. 265# GET /v3/domains 266# Intended scope(s): system 267#"identity:list_domains": "role:reader and system_scope:all" 268 269# DEPRECATED 270# "identity:list_domains":"rule:admin_required" has been deprecated 271# since S in favor of "identity:list_domains":"role:reader and 272# system_scope:all". 273# The domain API is now aware of system scope and default roles. 274 275# Create domain. 276# POST /v3/domains 277# Intended scope(s): system 278#"identity:create_domain": "role:admin and system_scope:all" 279 280# DEPRECATED 281# "identity:create_domain":"rule:admin_required" has been deprecated 282# since S in favor of "identity:create_domain":"role:admin and 283# system_scope:all". 
284# The domain API is now aware of system scope and default roles. 285 286# Update domain. 287# PATCH /v3/domains/{domain_id} 288# Intended scope(s): system 289#"identity:update_domain": "role:admin and system_scope:all" 290 291# DEPRECATED 292# "identity:update_domain":"rule:admin_required" has been deprecated 293# since S in favor of "identity:update_domain":"role:admin and 294# system_scope:all". 295# The domain API is now aware of system scope and default roles. 296 297# Delete domain. 298# DELETE /v3/domains/{domain_id} 299# Intended scope(s): system 300#"identity:delete_domain": "role:admin and system_scope:all" 301 302# DEPRECATED 303# "identity:delete_domain":"rule:admin_required" has been deprecated 304# since S in favor of "identity:delete_domain":"role:admin and 305# system_scope:all". 306# The domain API is now aware of system scope and default roles. 307 308# Create domain configuration. 309# PUT /v3/domains/{domain_id}/config 310# Intended scope(s): system 311#"identity:create_domain_config": "role:admin and system_scope:all" 312 313# DEPRECATED 314# "identity:create_domain_config":"rule:admin_required" has been 315# deprecated since T in favor of 316# "identity:create_domain_config":"role:admin and system_scope:all". 317# The domain config API is now aware of system scope and default 318# roles. 319 320# Get the entire domain configuration for a domain, an option group 321# within a domain, or a specific configuration option within a group 322# for a domain. 
323# GET /v3/domains/{domain_id}/config 324# HEAD /v3/domains/{domain_id}/config 325# GET /v3/domains/{domain_id}/config/{group} 326# HEAD /v3/domains/{domain_id}/config/{group} 327# GET /v3/domains/{domain_id}/config/{group}/{option} 328# HEAD /v3/domains/{domain_id}/config/{group}/{option} 329# Intended scope(s): system 330#"identity:get_domain_config": "role:reader and system_scope:all" 331 332# DEPRECATED 333# "identity:get_domain_config":"rule:admin_required" has been 334# deprecated since T in favor of 335# "identity:get_domain_config":"role:reader and system_scope:all". 336# The domain config API is now aware of system scope and default 337# roles. 338 339# Get security compliance domain configuration for either a domain or 340# a specific option in a domain. The empty check string on this rule always passes in oslo.policy, so the rule itself places no role or scope restriction on the caller; tighten it in an override if these settings should not be readable by every token holder. 341# GET /v3/domains/{domain_id}/config/security_compliance 342# HEAD /v3/domains/{domain_id}/config/security_compliance 343# GET /v3/domains/{domain_id}/config/security_compliance/{option} 344# HEAD /v3/domains/{domain_id}/config/security_compliance/{option} 345# Intended scope(s): system, domain, project 346#"identity:get_security_compliance_domain_config": "" 347 348# Update domain configuration for either a domain, specific group or a 349# specific option in a group. 350# PATCH /v3/domains/{domain_id}/config 351# PATCH /v3/domains/{domain_id}/config/{group} 352# PATCH /v3/domains/{domain_id}/config/{group}/{option} 353# Intended scope(s): system 354#"identity:update_domain_config": "role:admin and system_scope:all" 355 356# DEPRECATED 357# "identity:update_domain_config":"rule:admin_required" has been 358# deprecated since T in favor of 359# "identity:update_domain_config":"role:admin and system_scope:all". 360# The domain config API is now aware of system scope and default 361# roles. 362 363# Delete domain configuration for either a domain, specific group or a 364# specific option in a group.
365# DELETE /v3/domains/{domain_id}/config 366# DELETE /v3/domains/{domain_id}/config/{group} 367# DELETE /v3/domains/{domain_id}/config/{group}/{option} 368# Intended scope(s): system 369#"identity:delete_domain_config": "role:admin and system_scope:all" 370 371# DEPRECATED 372# "identity:delete_domain_config":"rule:admin_required" has been 373# deprecated since T in favor of 374# "identity:delete_domain_config":"role:admin and system_scope:all". 375# The domain config API is now aware of system scope and default 376# roles. 377 378# Get domain configuration default for either a domain, specific group 379# or a specific option in a group. 380# GET /v3/domains/config/default 381# HEAD /v3/domains/config/default 382# GET /v3/domains/config/{group}/default 383# HEAD /v3/domains/config/{group}/default 384# GET /v3/domains/config/{group}/{option}/default 385# HEAD /v3/domains/config/{group}/{option}/default 386# Intended scope(s): system 387#"identity:get_domain_config_default": "role:reader and system_scope:all" 388 389# DEPRECATED 390# "identity:get_domain_config_default":"rule:admin_required" has been 391# deprecated since T in favor of 392# "identity:get_domain_config_default":"role:reader and 393# system_scope:all". 394# The domain config API is now aware of system scope and default 395# roles. 396 397# Show ec2 credential details. 398# GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id} 399# Intended scope(s): system, project 400#"identity:ec2_get_credential": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" 401 402# DEPRECATED 403# "identity:ec2_get_credential":"rule:admin_required or (rule:owner 404# and user_id:%(target.credential.user_id)s)" has been deprecated 405# since T in favor of "identity:ec2_get_credential":"(role:reader and 406# system_scope:all) or user_id:%(target.credential.user_id)s". 407# The EC2 credential API is now aware of system scope and default 408# roles. 409 410# List ec2 credentials. 
411# GET /v3/users/{user_id}/credentials/OS-EC2 412# Intended scope(s): system, project 413#"identity:ec2_list_credentials": "(role:reader and system_scope:all) or rule:owner" 414 415# DEPRECATED 416# "identity:ec2_list_credentials":"rule:admin_or_owner" has been 417# deprecated since T in favor of 418# "identity:ec2_list_credentials":"(role:reader and system_scope:all) 419# or rule:owner". 420# The EC2 credential API is now aware of system scope and default 421# roles. 422 423# Create ec2 credential. 424# POST /v3/users/{user_id}/credentials/OS-EC2 425# Intended scope(s): system, project 426#"identity:ec2_create_credential": "(role:admin and system_scope:all) or rule:owner" 427 428# DEPRECATED 429# "identity:ec2_create_credentials":"rule:admin_or_owner" has been 430# deprecated since T in favor of 431# "identity:ec2_create_credential":"(role:admin and system_scope:all) 432# or rule:owner". 433# The EC2 credential API is now aware of system scope and default 434# roles. 435#"identity:ec2_create_credentials": "rule:identity:ec2_create_credential" 436 437# Delete ec2 credential. 438# DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id} 439# Intended scope(s): system, project 440#"identity:ec2_delete_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" 441 442# DEPRECATED 443# "identity:ec2_delete_credentials":"rule:admin_required or 444# (rule:owner and user_id:%(target.credential.user_id)s)" has been 445# deprecated since T in favor of 446# "identity:ec2_delete_credential":"(role:admin and system_scope:all) 447# or user_id:%(target.credential.user_id)s". 448# The EC2 credential API is now aware of system scope and default 449# roles. 450#"identity:ec2_delete_credentials": "rule:identity:ec2_delete_credential" 451 452# Show endpoint details. 
453# GET /v3/endpoints/{endpoint_id} 454# Intended scope(s): system 455#"identity:get_endpoint": "role:reader and system_scope:all" 456 457# DEPRECATED 458# "identity:get_endpoint":"rule:admin_required" has been deprecated 459# since S in favor of "identity:get_endpoint":"role:reader and 460# system_scope:all". 461# The endpoint API is now aware of system scope and default roles. 462 463# List endpoints. 464# GET /v3/endpoints 465# Intended scope(s): system 466#"identity:list_endpoints": "role:reader and system_scope:all" 467 468# DEPRECATED 469# "identity:list_endpoints":"rule:admin_required" has been deprecated 470# since S in favor of "identity:list_endpoints":"role:reader and 471# system_scope:all". 472# The endpoint API is now aware of system scope and default roles. 473 474# Create endpoint. 475# POST /v3/endpoints 476# Intended scope(s): system 477#"identity:create_endpoint": "role:admin and system_scope:all" 478 479# DEPRECATED 480# "identity:create_endpoint":"rule:admin_required" has been deprecated 481# since S in favor of "identity:create_endpoint":"role:admin and 482# system_scope:all". 483# The endpoint API is now aware of system scope and default roles. 484 485# Update endpoint. 486# PATCH /v3/endpoints/{endpoint_id} 487# Intended scope(s): system 488#"identity:update_endpoint": "role:admin and system_scope:all" 489 490# DEPRECATED 491# "identity:update_endpoint":"rule:admin_required" has been deprecated 492# since S in favor of "identity:update_endpoint":"role:admin and 493# system_scope:all". 494# The endpoint API is now aware of system scope and default roles. 495 496# Delete endpoint. 497# DELETE /v3/endpoints/{endpoint_id} 498# Intended scope(s): system 499#"identity:delete_endpoint": "role:admin and system_scope:all" 500 501# DEPRECATED 502# "identity:delete_endpoint":"rule:admin_required" has been deprecated 503# since S in favor of "identity:delete_endpoint":"role:admin and 504# system_scope:all". 
505# The endpoint API is now aware of system scope and default roles. 506 507# Create endpoint group. 508# POST /v3/OS-EP-FILTER/endpoint_groups 509# Intended scope(s): system 510#"identity:create_endpoint_group": "role:admin and system_scope:all" 511 512# DEPRECATED 513# "identity:create_endpoint_group":"rule:admin_required" has been 514# deprecated since T in favor of 515# "identity:create_endpoint_group":"role:admin and system_scope:all". 516# The endpoint groups API is now aware of system scope and default 517# roles. 518 519# List endpoint groups. 520# GET /v3/OS-EP-FILTER/endpoint_groups 521# Intended scope(s): system 522#"identity:list_endpoint_groups": "role:reader and system_scope:all" 523 524# DEPRECATED 525# "identity:list_endpoint_groups":"rule:admin_required" has been 526# deprecated since T in favor of 527# "identity:list_endpoint_groups":"role:reader and system_scope:all". 528# The endpoint groups API is now aware of system scope and default 529# roles. 530 531# Get endpoint group. 532# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} 533# HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} 534# Intended scope(s): system 535#"identity:get_endpoint_group": "role:reader and system_scope:all" 536 537# DEPRECATED 538# "identity:get_endpoint_group":"rule:admin_required" has been 539# deprecated since T in favor of 540# "identity:get_endpoint_group":"role:reader and system_scope:all". 541# The endpoint groups API is now aware of system scope and default 542# roles. 543 544# Update endpoint group. 545# PATCH /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} 546# Intended scope(s): system 547#"identity:update_endpoint_group": "role:admin and system_scope:all" 548 549# DEPRECATED 550# "identity:update_endpoint_group":"rule:admin_required" has been 551# deprecated since T in favor of 552# "identity:update_endpoint_group":"role:admin and system_scope:all". 553# The endpoint groups API is now aware of system scope and default 554# roles. 
555 556# Delete endpoint group. 557# DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} 558# Intended scope(s): system 559#"identity:delete_endpoint_group": "role:admin and system_scope:all" 560 561# DEPRECATED 562# "identity:delete_endpoint_group":"rule:admin_required" has been 563# deprecated since T in favor of 564# "identity:delete_endpoint_group":"role:admin and system_scope:all". 565# The endpoint groups API is now aware of system scope and default 566# roles. 567 568# List all projects associated with a specific endpoint group. 569# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects 570# Intended scope(s): system 571#"identity:list_projects_associated_with_endpoint_group": "role:reader and system_scope:all" 572 573# DEPRECATED 574# "identity:list_projects_associated_with_endpoint_group":"rule:admin_ 575# required" has been deprecated since T in favor of 576# "identity:list_projects_associated_with_endpoint_group":"role:reader 577# and system_scope:all". 578# The endpoint groups API is now aware of system scope and default 579# roles. 580 581# List all endpoints associated with an endpoint group. 582# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints 583# Intended scope(s): system 584#"identity:list_endpoints_associated_with_endpoint_group": "role:reader and system_scope:all" 585 586# DEPRECATED 587# "identity:list_endpoints_associated_with_endpoint_group":"rule:admin 588# _required" has been deprecated since T in favor of "identity:list_en 589# dpoints_associated_with_endpoint_group":"role:reader and 590# system_scope:all". 591# The endpoint groups API is now aware of system scope and default 592# roles. 593 594# Check if an endpoint group is associated with a project. 
595# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} 596# HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} 597# Intended scope(s): system 598#"identity:get_endpoint_group_in_project": "role:reader and system_scope:all" 599 600# DEPRECATED 601# "identity:get_endpoint_group_in_project":"rule:admin_required" has 602# been deprecated since T in favor of 603# "identity:get_endpoint_group_in_project":"role:reader and 604# system_scope:all". 605# The endpoint groups API is now aware of system scope and default 606# roles. 607 608# List endpoint groups associated with a specific project. 609# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups 610# Intended scope(s): system 611#"identity:list_endpoint_groups_for_project": "role:reader and system_scope:all" 612 613# DEPRECATED 614# "identity:list_endpoint_groups_for_project":"rule:admin_required" 615# has been deprecated since T in favor of 616# "identity:list_endpoint_groups_for_project":"role:reader and 617# system_scope:all". 618# The endpoint groups API is now aware of system scope and default 619# roles. 620 621# Allow a project to access an endpoint group. 622# PUT /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} 623# Intended scope(s): system 624#"identity:add_endpoint_group_to_project": "role:admin and system_scope:all" 625 626# DEPRECATED 627# "identity:add_endpoint_group_to_project":"rule:admin_required" has 628# been deprecated since T in favor of 629# "identity:add_endpoint_group_to_project":"role:admin and 630# system_scope:all". 631# The endpoint groups API is now aware of system scope and default 632# roles. 633 634# Remove endpoint group from project. 
635# DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} 636# Intended scope(s): system 637#"identity:remove_endpoint_group_from_project": "role:admin and system_scope:all" 638 639# DEPRECATED 640# "identity:remove_endpoint_group_from_project":"rule:admin_required" 641# has been deprecated since T in favor of 642# "identity:remove_endpoint_group_from_project":"role:admin and 643# system_scope:all". 644# The endpoint groups API is now aware of system scope and default 645# roles. 646 647# Check a role grant between a target and an actor. A target can be 648# either a domain or a project. An actor can be either a user or a 649# group. These terms also apply to the OS-INHERIT APIs, where grants 650# on the target are inherited to all projects in the subtree, if 651# applicable. 652# HEAD /v3/projects/{project_id}/users/{user_id}/roles/{role_id} 653# GET /v3/projects/{project_id}/users/{user_id}/roles/{role_id} 654# HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} 655# GET /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} 656# HEAD /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} 657# GET /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} 658# HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} 659# GET /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} 660# HEAD /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects 661# GET /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects 662# HEAD /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects 663# GET /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects 664# HEAD /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects 665# GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects 666# HEAD 
/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects 667# GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects 668# Intended scope(s): system, domain 669#"identity:check_grant": "(role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)" 670 671# DEPRECATED 672# "identity:check_grant":"rule:admin_required" has been deprecated 673# since S in favor of "identity:check_grant":"(role:reader and 674# system_scope:all) or ((role:reader and 675# domain_id:%(target.user.domain_id)s and 676# domain_id:%(target.project.domain_id)s) or (role:reader and 677# domain_id:%(target.user.domain_id)s and 678# domain_id:%(target.domain.id)s) or (role:reader and 679# domain_id:%(target.group.domain_id)s and 680# domain_id:%(target.project.domain_id)s) or (role:reader and 681# domain_id:%(target.group.domain_id)s and 682# domain_id:%(target.domain.id)s)) and 683# (domain_id:%(target.role.domain_id)s or 684# None:%(target.role.domain_id)s)". 685# The assignment API is now aware of system scope and default roles. 686 687# List roles granted to an actor on a target. A target can be either a 688# domain or a project. An actor can be either a user or a group. For 689# the OS-INHERIT APIs, it is possible to list inherited role grants 690# for actors on domains, where grants are inherited to all projects in 691# the specified domain. 
692# GET /v3/projects/{project_id}/users/{user_id}/roles 693# HEAD /v3/projects/{project_id}/users/{user_id}/roles 694# GET /v3/projects/{project_id}/groups/{group_id}/roles 695# HEAD /v3/projects/{project_id}/groups/{group_id}/roles 696# GET /v3/domains/{domain_id}/users/{user_id}/roles 697# HEAD /v3/domains/{domain_id}/users/{user_id}/roles 698# GET /v3/domains/{domain_id}/groups/{group_id}/roles 699# HEAD /v3/domains/{domain_id}/groups/{group_id}/roles 700# GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects 701# GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects 702# Intended scope(s): system, domain 703#"identity:list_grants": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)" 704 705# DEPRECATED 706# "identity:list_grants":"rule:admin_required" has been deprecated 707# since S in favor of "identity:list_grants":"(role:reader and 708# system_scope:all) or (role:reader and 709# domain_id:%(target.user.domain_id)s and 710# domain_id:%(target.project.domain_id)s) or (role:reader and 711# domain_id:%(target.user.domain_id)s and 712# domain_id:%(target.domain.id)s) or (role:reader and 713# domain_id:%(target.group.domain_id)s and 714# domain_id:%(target.project.domain_id)s) or (role:reader and 715# domain_id:%(target.group.domain_id)s and 716# domain_id:%(target.domain.id)s)". 717# The assignment API is now aware of system scope and default roles. 718 719# Create a role grant between a target and an actor. A target can be 720# either a domain or a project. An actor can be either a user or a 721# group. 
These terms also apply to the OS-INHERIT APIs, where grants 722# on the target are inherited to all projects in the subtree, if 723# applicable. 724# PUT /v3/projects/{project_id}/users/{user_id}/roles/{role_id} 725# PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} 726# PUT /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} 727# PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} 728# PUT /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects 729# PUT /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects 730# PUT /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects 731# PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects 732# Intended scope(s): system, domain 733#"identity:create_grant": "(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)" 734 735# DEPRECATED 736# "identity:create_grant":"rule:admin_required" has been deprecated 737# since S in favor of "identity:create_grant":"(role:admin and 738# system_scope:all) or ((role:admin and 739# domain_id:%(target.user.domain_id)s and 740# domain_id:%(target.project.domain_id)s) or (role:admin and 741# domain_id:%(target.user.domain_id)s and 742# domain_id:%(target.domain.id)s) or (role:admin and 743# domain_id:%(target.group.domain_id)s and 744# domain_id:%(target.project.domain_id)s) or (role:admin and 745# domain_id:%(target.group.domain_id)s and 746# domain_id:%(target.domain.id)s)) and 747# 
(domain_id:%(target.role.domain_id)s or 748# None:%(target.role.domain_id)s)". 749# The assignment API is now aware of system scope and default roles. 750 751# Revoke a role grant between a target and an actor. A target can be 752# either a domain or a project. An actor can be either a user or a 753# group. These terms also apply to the OS-INHERIT APIs, where grants 754# on the target are inherited to all projects in the subtree, if 755# applicable. In that case, revoking the role grant in the target 756# would remove the logical effect of inheriting it to the target's 757# projects subtree. 758# DELETE /v3/projects/{project_id}/users/{user_id}/roles/{role_id} 759# DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} 760# DELETE /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} 761# DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} 762# DELETE /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects 763# DELETE /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects 764# DELETE /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects 765# DELETE /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects 766# Intended scope(s): system, domain 767#"identity:revoke_grant": "(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)" 768 769# DEPRECATED 770# "identity:revoke_grant":"rule:admin_required" has been deprecated 771# since S in favor of 
"identity:revoke_grant":"(role:admin and 772# system_scope:all) or ((role:admin and 773# domain_id:%(target.user.domain_id)s and 774# domain_id:%(target.project.domain_id)s) or (role:admin and 775# domain_id:%(target.user.domain_id)s and 776# domain_id:%(target.domain.id)s) or (role:admin and 777# domain_id:%(target.group.domain_id)s and 778# domain_id:%(target.project.domain_id)s) or (role:admin and 779# domain_id:%(target.group.domain_id)s and 780# domain_id:%(target.domain.id)s)) and 781# (domain_id:%(target.role.domain_id)s or 782# None:%(target.role.domain_id)s)". 783# The assignment API is now aware of system scope and default roles. 784 785# List all grants a specific user has on the system. 786# ['HEAD', 'GET'] /v3/system/users/{user_id}/roles 787# Intended scope(s): system 788#"identity:list_system_grants_for_user": "role:reader and system_scope:all" 789 790# DEPRECATED 791# "identity:list_system_grants_for_user":"rule:admin_required" has 792# been deprecated since S in favor of 793# "identity:list_system_grants_for_user":"role:reader and 794# system_scope:all". 795# The assignment API is now aware of system scope and default roles. 796 797# Check if a user has a role on the system. 798# ['HEAD', 'GET'] /v3/system/users/{user_id}/roles/{role_id} 799# Intended scope(s): system 800#"identity:check_system_grant_for_user": "role:reader and system_scope:all" 801 802# DEPRECATED 803# "identity:check_system_grant_for_user":"rule:admin_required" has 804# been deprecated since S in favor of 805# "identity:check_system_grant_for_user":"role:reader and 806# system_scope:all". 807# The assignment API is now aware of system scope and default roles. 808 809# Grant a user a role on the system. 
810# ['PUT'] /v3/system/users/{user_id}/roles/{role_id} 811# Intended scope(s): system 812#"identity:create_system_grant_for_user": "role:admin and system_scope:all" 813 814# DEPRECATED 815# "identity:create_system_grant_for_user":"rule:admin_required" has 816# been deprecated since S in favor of 817# "identity:create_system_grant_for_user":"role:admin and 818# system_scope:all". 819# The assignment API is now aware of system scope and default roles. 820 821# Remove a role from a user on the system. 822# ['DELETE'] /v3/system/users/{user_id}/roles/{role_id} 823# Intended scope(s): system 824#"identity:revoke_system_grant_for_user": "role:admin and system_scope:all" 825 826# DEPRECATED 827# "identity:revoke_system_grant_for_user":"rule:admin_required" has 828# been deprecated since S in favor of 829# "identity:revoke_system_grant_for_user":"role:admin and 830# system_scope:all". 831# The assignment API is now aware of system scope and default roles. 832 833# List all grants a specific group has on the system. 834# ['HEAD', 'GET'] /v3/system/groups/{group_id}/roles 835# Intended scope(s): system 836#"identity:list_system_grants_for_group": "role:reader and system_scope:all" 837 838# DEPRECATED 839# "identity:list_system_grants_for_group":"rule:admin_required" has 840# been deprecated since S in favor of 841# "identity:list_system_grants_for_group":"role:reader and 842# system_scope:all". 843# The assignment API is now aware of system scope and default roles. 844 845# Check if a group has a role on the system. 846# ['HEAD', 'GET'] /v3/system/groups/{group_id}/roles/{role_id} 847# Intended scope(s): system 848#"identity:check_system_grant_for_group": "role:reader and system_scope:all" 849 850# DEPRECATED 851# "identity:check_system_grant_for_group":"rule:admin_required" has 852# been deprecated since S in favor of 853# "identity:check_system_grant_for_group":"role:reader and 854# system_scope:all". 855# The assignment API is now aware of system scope and default roles. 
856 857# Grant a group a role on the system. 858# ['PUT'] /v3/system/groups/{group_id}/roles/{role_id} 859# Intended scope(s): system 860#"identity:create_system_grant_for_group": "role:admin and system_scope:all" 861 862# DEPRECATED 863# "identity:create_system_grant_for_group":"rule:admin_required" has 864# been deprecated since S in favor of 865# "identity:create_system_grant_for_group":"role:admin and 866# system_scope:all". 867# The assignment API is now aware of system scope and default roles. 868 869# Remove a role from a group on the system. 870# ['DELETE'] /v3/system/groups/{group_id}/roles/{role_id} 871# Intended scope(s): system 872#"identity:revoke_system_grant_for_group": "role:admin and system_scope:all" 873 874# DEPRECATED 875# "identity:revoke_system_grant_for_group":"rule:admin_required" has 876# been deprecated since S in favor of 877# "identity:revoke_system_grant_for_group":"role:admin and 878# system_scope:all". 879# The assignment API is now aware of system scope and default roles. 880 881# Show group details. 882# GET /v3/groups/{group_id} 883# HEAD /v3/groups/{group_id} 884# Intended scope(s): system, domain 885#"identity:get_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)" 886 887# DEPRECATED 888# "identity:get_group":"rule:admin_required" has been deprecated since 889# S in favor of "identity:get_group":"(role:reader and 890# system_scope:all) or (role:reader and 891# domain_id:%(target.group.domain_id)s)". 892# The group API is now aware of system scope and default roles. 893 894# List groups. 
895# GET /v3/groups 896# HEAD /v3/groups 897# Intended scope(s): system, domain 898#"identity:list_groups": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)" 899 900# DEPRECATED 901# "identity:list_groups":"rule:admin_required" has been deprecated 902# since S in favor of "identity:list_groups":"(role:reader and 903# system_scope:all) or (role:reader and 904# domain_id:%(target.group.domain_id)s)". 905# The group API is now aware of system scope and default roles. 906 907# List groups to which a user belongs. 908# GET /v3/users/{user_id}/groups 909# HEAD /v3/users/{user_id}/groups 910# Intended scope(s): system, domain, project 911#"identity:list_groups_for_user": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s" 912 913# DEPRECATED 914# "identity:list_groups_for_user":"rule:admin_or_owner" has been 915# deprecated since S in favor of 916# "identity:list_groups_for_user":"(role:reader and system_scope:all) 917# or (role:reader and domain_id:%(target.user.domain_id)s) or 918# user_id:%(user_id)s". 919# The group API is now aware of system scope and default roles. 920 921# Create group. 922# POST /v3/groups 923# Intended scope(s): system, domain 924#"identity:create_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)" 925 926# DEPRECATED 927# "identity:create_group":"rule:admin_required" has been deprecated 928# since S in favor of "identity:create_group":"(role:admin and 929# system_scope:all) or (role:admin and 930# domain_id:%(target.group.domain_id)s)". 931# The group API is now aware of system scope and default roles. 932 933# Update group. 
934# PATCH /v3/groups/{group_id} 935# Intended scope(s): system, domain 936#"identity:update_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)" 937 938# DEPRECATED 939# "identity:update_group":"rule:admin_required" has been deprecated 940# since S in favor of "identity:update_group":"(role:admin and 941# system_scope:all) or (role:admin and 942# domain_id:%(target.group.domain_id)s)". 943# The group API is now aware of system scope and default roles. 944 945# Delete group. 946# DELETE /v3/groups/{group_id} 947# Intended scope(s): system, domain 948#"identity:delete_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)" 949 950# DEPRECATED 951# "identity:delete_group":"rule:admin_required" has been deprecated 952# since S in favor of "identity:delete_group":"(role:admin and 953# system_scope:all) or (role:admin and 954# domain_id:%(target.group.domain_id)s)". 955# The group API is now aware of system scope and default roles. 956 957# List members of a specific group. 958# GET /v3/groups/{group_id}/users 959# HEAD /v3/groups/{group_id}/users 960# Intended scope(s): system, domain 961#"identity:list_users_in_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)" 962 963# DEPRECATED 964# "identity:list_users_in_group":"rule:admin_required" has been 965# deprecated since S in favor of 966# "identity:list_users_in_group":"(role:reader and system_scope:all) 967# or (role:reader and domain_id:%(target.group.domain_id)s)". 968# The group API is now aware of system scope and default roles. 969 970# Remove user from group. 
971# DELETE /v3/groups/{group_id}/users/{user_id} 972# Intended scope(s): system, domain 973#"identity:remove_user_from_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)" 974 975# DEPRECATED 976# "identity:remove_user_from_group":"rule:admin_required" has been 977# deprecated since S in favor of 978# "identity:remove_user_from_group":"(role:admin and system_scope:all) 979# or (role:admin and domain_id:%(target.group.domain_id)s and 980# domain_id:%(target.user.domain_id)s)". 981# The group API is now aware of system scope and default roles. 982 983# Check whether a user is a member of a group. 984# HEAD /v3/groups/{group_id}/users/{user_id} 985# GET /v3/groups/{group_id}/users/{user_id} 986# Intended scope(s): system, domain 987#"identity:check_user_in_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)" 988 989# DEPRECATED 990# "identity:check_user_in_group":"rule:admin_required" has been 991# deprecated since S in favor of 992# "identity:check_user_in_group":"(role:reader and system_scope:all) 993# or (role:reader and domain_id:%(target.group.domain_id)s and 994# domain_id:%(target.user.domain_id)s)". 995# The group API is now aware of system scope and default roles. 996 997# Add user to group. 998# PUT /v3/groups/{group_id}/users/{user_id} 999# Intended scope(s): system, domain 1000#"identity:add_user_to_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)" 1001 1002# DEPRECATED 1003# "identity:add_user_to_group":"rule:admin_required" has been 1004# deprecated since S in favor of 1005# "identity:add_user_to_group":"(role:admin and system_scope:all) or 1006# (role:admin and domain_id:%(target.group.domain_id)s and 1007# domain_id:%(target.user.domain_id)s)". 
1008# The group API is now aware of system scope and default roles. 1009 1010# Create identity provider. 1011# PUT /v3/OS-FEDERATION/identity_providers/{idp_id} 1012# Intended scope(s): system 1013#"identity:create_identity_provider": "role:admin and system_scope:all" 1014 1015# DEPRECATED 1016# "identity:create_identity_providers":"rule:admin_required" has been 1017# deprecated since S in favor of 1018# "identity:create_identity_provider":"role:admin and 1019# system_scope:all". 1020# The identity provider API is now aware of system scope and default 1021# roles. 1022#"identity:create_identity_providers": "rule:identity:create_identity_provider" 1023 1024# List identity providers. 1025# GET /v3/OS-FEDERATION/identity_providers 1026# HEAD /v3/OS-FEDERATION/identity_providers 1027# Intended scope(s): system 1028#"identity:list_identity_providers": "role:reader and system_scope:all" 1029 1030# DEPRECATED 1031# "identity:list_identity_providers":"rule:admin_required" has been 1032# deprecated since S in favor of 1033# "identity:list_identity_providers":"role:reader and 1034# system_scope:all". 1035# The identity provider API is now aware of system scope and default 1036# roles. 1037 1038# Get identity provider. 1039# GET /v3/OS-FEDERATION/identity_providers/{idp_id} 1040# HEAD /v3/OS-FEDERATION/identity_providers/{idp_id} 1041# Intended scope(s): system 1042#"identity:get_identity_provider": "role:reader and system_scope:all" 1043 1044# DEPRECATED 1045# "identity:get_identity_providers":"rule:admin_required" has been 1046# deprecated since S in favor of 1047# "identity:get_identity_provider":"role:reader and system_scope:all". 1048# The identity provider API is now aware of system scope and default 1049# roles. 1050#"identity:get_identity_providers": "rule:identity:get_identity_provider" 1051 1052# Update identity provider. 
1053# PATCH /v3/OS-FEDERATION/identity_providers/{idp_id} 1054# Intended scope(s): system 1055#"identity:update_identity_provider": "role:admin and system_scope:all" 1056 1057# DEPRECATED 1058# "identity:update_identity_providers":"rule:admin_required" has been 1059# deprecated since S in favor of 1060# "identity:update_identity_provider":"role:admin and 1061# system_scope:all". 1062# The identity provider API is now aware of system scope and default 1063# roles. 1064#"identity:update_identity_providers": "rule:identity:update_identity_provider" 1065 1066# Delete identity provider. 1067# DELETE /v3/OS-FEDERATION/identity_providers/{idp_id} 1068# Intended scope(s): system 1069#"identity:delete_identity_provider": "role:admin and system_scope:all" 1070 1071# DEPRECATED 1072# "identity:delete_identity_providers":"rule:admin_required" has been 1073# deprecated since S in favor of 1074# "identity:delete_identity_provider":"role:admin and 1075# system_scope:all". 1076# The identity provider API is now aware of system scope and default 1077# roles. 1078#"identity:delete_identity_providers": "rule:identity:delete_identity_provider" 1079 1080# Get information about an association between two roles. When a 1081# relationship exists between a prior role and an implied role and the 1082# prior role is assigned to a user, the user also assumes the implied 1083# role. 1084# GET /v3/roles/{prior_role_id}/implies/{implied_role_id} 1085# Intended scope(s): system 1086#"identity:get_implied_role": "role:reader and system_scope:all" 1087 1088# DEPRECATED 1089# "identity:get_implied_role":"rule:admin_required" has been 1090# deprecated since T in favor of 1091# "identity:get_implied_role":"role:reader and system_scope:all". 1092# The implied role API is now aware of system scope and default roles. 1093 1094# List associations between two roles. 
When a relationship exists 1095# between a prior role and an implied role and the prior role is 1096# assigned to a user, the user also assumes the implied role. This 1097# will return all the implied roles that would be assumed by the user 1098# who gets the specified prior role. 1099# GET /v3/roles/{prior_role_id}/implies 1100# HEAD /v3/roles/{prior_role_id}/implies 1101# Intended scope(s): system 1102#"identity:list_implied_roles": "role:reader and system_scope:all" 1103 1104# DEPRECATED 1105# "identity:list_implied_roles":"rule:admin_required" has been 1106# deprecated since T in favor of 1107# "identity:list_implied_roles":"role:reader and system_scope:all". 1108# The implied role API is now aware of system scope and default roles. 1109 1110# Create an association between two roles. When a relationship exists 1111# between a prior role and an implied role and the prior role is 1112# assigned to a user, the user also assumes the implied role. 1113# PUT /v3/roles/{prior_role_id}/implies/{implied_role_id} 1114# Intended scope(s): system 1115#"identity:create_implied_role": "role:admin and system_scope:all" 1116 1117# DEPRECATED 1118# "identity:create_implied_role":"rule:admin_required" has been 1119# deprecated since T in favor of 1120# "identity:create_implied_role":"role:admin and system_scope:all". 1121# The implied role API is now aware of system scope and default roles. 1122 1123# Delete the association between two roles. When a relationship exists 1124# between a prior role and an implied role and the prior role is 1125# assigned to a user, the user also assumes the implied role. Removing 1126# the association will cause that effect to be eliminated. 
1127# DELETE /v3/roles/{prior_role_id}/implies/{implied_role_id} 1128# Intended scope(s): system 1129#"identity:delete_implied_role": "role:admin and system_scope:all" 1130 1131# DEPRECATED 1132# "identity:delete_implied_role":"rule:admin_required" has been 1133# deprecated since T in favor of 1134# "identity:delete_implied_role":"role:admin and system_scope:all". 1135# The implied role API is now aware of system scope and default roles. 1136 1137# List all associations between two roles in the system. When a 1138# relationship exists between a prior role and an implied role and the 1139# prior role is assigned to a user, the user also assumes the implied 1140# role. 1141# GET /v3/role_inferences 1142# HEAD /v3/role_inferences 1143# Intended scope(s): system 1144#"identity:list_role_inference_rules": "role:reader and system_scope:all" 1145 1146# DEPRECATED 1147# "identity:list_role_inference_rules":"rule:admin_required" has been 1148# deprecated since T in favor of 1149# "identity:list_role_inference_rules":"role:reader and 1150# system_scope:all". 1151# The implied role API is now aware of system scope and default roles. 1152 1153# Check an association between two roles. When a relationship exists 1154# between a prior role and an implied role and the prior role is 1155# assigned to a user, the user also assumes the implied role. 1156# HEAD /v3/roles/{prior_role_id}/implies/{implied_role_id} 1157# Intended scope(s): system 1158#"identity:check_implied_role": "role:reader and system_scope:all" 1159 1160# DEPRECATED 1161# "identity:check_implied_role":"rule:admin_required" has been 1162# deprecated since T in favor of 1163# "identity:check_implied_role":"role:reader and system_scope:all". 1164# The implied role API is now aware of system scope and default roles. 1165 1166# Get limit enforcement model. 
# GET /v3/limits/model
# HEAD /v3/limits/model
# Intended scope(s): system, domain, project
# NOTE: an empty check string always passes, so this default allows any
# caller that reaches policy enforcement, whatever its role or scope.
#"identity:get_limit_model": ""

# Show limit details.
# GET /v3/limits/{limit_id}
# HEAD /v3/limits/{limit_id}
# Intended scope(s): system, domain, project
# NOTE: only the system-scope branch requires a role; the domain and
# project branches match on the token's domain_id or project_id alone.
#"identity:get_limit": "(role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)"

# List limits.
# GET /v3/limits
# HEAD /v3/limits
# Intended scope(s): system, domain, project
# NOTE: an empty check string always passes, so the policy layer does
# not restrict who may list limits. Any narrowing of the results by
# scope would have to happen in the API code (not shown here; confirm
# before relying on it), or override this rule if listing must be
# limited to specific roles.
#"identity:list_limits": ""

# Create limits.
# POST /v3/limits
# Intended scope(s): system
#"identity:create_limits": "role:admin and system_scope:all"

# Update limit.
# PATCH /v3/limits/{limit_id}
# Intended scope(s): system
#"identity:update_limit": "role:admin and system_scope:all"

# Delete limit.
# DELETE /v3/limits/{limit_id}
# Intended scope(s): system
#"identity:delete_limit": "role:admin and system_scope:all"

# Create a new federated mapping containing one or more sets of rules.
# PUT /v3/OS-FEDERATION/mappings/{mapping_id}
# Intended scope(s): system
#"identity:create_mapping": "role:admin and system_scope:all"

# DEPRECATED
# "identity:create_mapping":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_mapping":"role:admin and
# system_scope:all".
# The federated mapping API is now aware of system scope and default
# roles.

# Get a federated mapping.
1212# GET /v3/OS-FEDERATION/mappings/{mapping_id} 1213# HEAD /v3/OS-FEDERATION/mappings/{mapping_id} 1214# Intended scope(s): system 1215#"identity:get_mapping": "role:reader and system_scope:all" 1216 1217# DEPRECATED 1218# "identity:get_mapping":"rule:admin_required" has been deprecated 1219# since S in favor of "identity:get_mapping":"role:reader and 1220# system_scope:all". 1221# The federated mapping API is now aware of system scope and default 1222# roles. 1223 1224# List federated mappings. 1225# GET /v3/OS-FEDERATION/mappings 1226# HEAD /v3/OS-FEDERATION/mappings 1227# Intended scope(s): system 1228#"identity:list_mappings": "role:reader and system_scope:all" 1229 1230# DEPRECATED 1231# "identity:list_mappings":"rule:admin_required" has been deprecated 1232# since S in favor of "identity:list_mappings":"role:reader and 1233# system_scope:all". 1234# The federated mapping API is now aware of system scope and default 1235# roles. 1236 1237# Delete a federated mapping. 1238# DELETE /v3/OS-FEDERATION/mappings/{mapping_id} 1239# Intended scope(s): system 1240#"identity:delete_mapping": "role:admin and system_scope:all" 1241 1242# DEPRECATED 1243# "identity:delete_mapping":"rule:admin_required" has been deprecated 1244# since S in favor of "identity:delete_mapping":"role:admin and 1245# system_scope:all". 1246# The federated mapping API is now aware of system scope and default 1247# roles. 1248 1249# Update a federated mapping. 1250# PATCH /v3/OS-FEDERATION/mappings/{mapping_id} 1251# Intended scope(s): system 1252#"identity:update_mapping": "role:admin and system_scope:all" 1253 1254# DEPRECATED 1255# "identity:update_mapping":"rule:admin_required" has been deprecated 1256# since S in favor of "identity:update_mapping":"role:admin and 1257# system_scope:all". 1258# The federated mapping API is now aware of system scope and default 1259# roles. 1260 1261# Show policy details. 
1262# GET /v3/policies/{policy_id} 1263# Intended scope(s): system 1264#"identity:get_policy": "role:reader and system_scope:all" 1265 1266# DEPRECATED 1267# "identity:get_policy":"rule:admin_required" has been deprecated 1268# since T in favor of "identity:get_policy":"role:reader and 1269# system_scope:all". 1270# The policy API is now aware of system scope and default roles. 1271 1272# List policies. 1273# GET /v3/policies 1274# Intended scope(s): system 1275#"identity:list_policies": "role:reader and system_scope:all" 1276 1277# DEPRECATED 1278# "identity:list_policies":"rule:admin_required" has been deprecated 1279# since T in favor of "identity:list_policies":"role:reader and 1280# system_scope:all". 1281# The policy API is now aware of system scope and default roles. 1282 1283# Create policy. 1284# POST /v3/policies 1285# Intended scope(s): system 1286#"identity:create_policy": "role:admin and system_scope:all" 1287 1288# DEPRECATED 1289# "identity:create_policy":"rule:admin_required" has been deprecated 1290# since T in favor of "identity:create_policy":"role:admin and 1291# system_scope:all". 1292# The policy API is now aware of system scope and default roles. 1293 1294# Update policy. 1295# PATCH /v3/policies/{policy_id} 1296# Intended scope(s): system 1297#"identity:update_policy": "role:admin and system_scope:all" 1298 1299# DEPRECATED 1300# "identity:update_policy":"rule:admin_required" has been deprecated 1301# since T in favor of "identity:update_policy":"role:admin and 1302# system_scope:all". 1303# The policy API is now aware of system scope and default roles. 1304 1305# Delete policy. 1306# DELETE /v3/policies/{policy_id} 1307# Intended scope(s): system 1308#"identity:delete_policy": "role:admin and system_scope:all" 1309 1310# DEPRECATED 1311# "identity:delete_policy":"rule:admin_required" has been deprecated 1312# since T in favor of "identity:delete_policy":"role:admin and 1313# system_scope:all". 
# The policy API is now aware of system scope and default roles.

# Associate a policy to a specific endpoint.
# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:create_policy_association_for_endpoint": "role:admin and system_scope:all"

# DEPRECATED
# "identity:create_policy_association_for_endpoint":"rule:admin_required"
# has been deprecated since T in favor of
# "identity:create_policy_association_for_endpoint":"role:admin and
# system_scope:all".
# The policy association API is now aware of system scope and default
# roles.

# Check policy association for endpoint.
# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:check_policy_association_for_endpoint": "role:reader and system_scope:all"

# DEPRECATED
# "identity:check_policy_association_for_endpoint":"rule:admin_required"
# has been deprecated since T in favor of
# "identity:check_policy_association_for_endpoint":"role:reader and
# system_scope:all".
# The policy association API is now aware of system scope and default
# roles.

# Delete policy association for endpoint.
# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# Intended scope(s): system
#"identity:delete_policy_association_for_endpoint": "role:admin and system_scope:all"

# DEPRECATED
# "identity:delete_policy_association_for_endpoint":"rule:admin_required"
# has been deprecated since T in favor of
# "identity:delete_policy_association_for_endpoint":"role:admin and
# system_scope:all".
# The policy association API is now aware of system scope and default
# roles.

# Associate a policy to a specific service.
# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# Intended scope(s): system
#"identity:create_policy_association_for_service": "role:admin and system_scope:all"

# DEPRECATED
# "identity:create_policy_association_for_service":"rule:admin_required"
# has been deprecated since T in favor of
# "identity:create_policy_association_for_service":"role:admin and
# system_scope:all".
# The policy association API is now aware of system scope and default
# roles.

# Check policy association for service.
# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# Intended scope(s): system
#"identity:check_policy_association_for_service": "role:reader and system_scope:all"

# DEPRECATED
# "identity:check_policy_association_for_service":"rule:admin_required"
# has been deprecated since T in favor of
# "identity:check_policy_association_for_service":"role:reader and
# system_scope:all".
# The policy association API is now aware of system scope and default
# roles.

# Delete policy association for service.
# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# Intended scope(s): system
#"identity:delete_policy_association_for_service": "role:admin and system_scope:all"

# DEPRECATED
# "identity:delete_policy_association_for_service":"rule:admin_required"
# has been deprecated since T in favor of
# "identity:delete_policy_association_for_service":"role:admin and
# system_scope:all".
# The policy association API is now aware of system scope and default
# roles.

# Associate a policy to a specific region and service combination.
# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
# Intended scope(s): system
#"identity:create_policy_association_for_region_and_service": "role:admin and system_scope:all"

# DEPRECATED
# "identity:create_policy_association_for_region_and_service":"rule:admin_required"
# has been deprecated since T in favor of
# "identity:create_policy_association_for_region_and_service":"role:admin and
# system_scope:all".
# The policy association API is now aware of system scope and default
# roles.

# Check policy association for region and service.
# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
# Intended scope(s): system
#"identity:check_policy_association_for_region_and_service": "role:reader and system_scope:all"

# DEPRECATED
# "identity:check_policy_association_for_region_and_service":"rule:admin_required"
# has been deprecated since T in favor of
# "identity:check_policy_association_for_region_and_service":"role:reader and
# system_scope:all".
# The policy association API is now aware of system scope and default
# roles.

# Delete policy association for region and service.
# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
# Intended scope(s): system
#"identity:delete_policy_association_for_region_and_service": "role:admin and system_scope:all"

# DEPRECATED
# "identity:delete_policy_association_for_region_and_service":"rule:admin_required"
# has been deprecated since T in favor of
# "identity:delete_policy_association_for_region_and_service":"role:admin and
# system_scope:all".
# The policy association API is now aware of system scope and default
# roles.

# Get policy for endpoint.
1437# GET /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy 1438# HEAD /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy 1439# Intended scope(s): system 1440#"identity:get_policy_for_endpoint": "role:reader and system_scope:all" 1441 1442# DEPRECATED 1443# "identity:get_policy_for_endpoint":"rule:admin_required" has been 1444# deprecated since T in favor of 1445# "identity:get_policy_for_endpoint":"role:reader and 1446# system_scope:all". 1447# The policy association API is now aware of system scope and default 1448# roles. 1449 1450# List endpoints for policy. 1451# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints 1452# Intended scope(s): system 1453#"identity:list_endpoints_for_policy": "role:reader and system_scope:all" 1454 1455# DEPRECATED 1456# "identity:list_endpoints_for_policy":"rule:admin_required" has been 1457# deprecated since T in favor of 1458# "identity:list_endpoints_for_policy":"role:reader and 1459# system_scope:all". 1460# The policy association API is now aware of system scope and default 1461# roles. 1462 1463# Show project details. 1464# GET /v3/projects/{project_id} 1465# Intended scope(s): system, domain, project 1466#"identity:get_project": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s" 1467 1468# DEPRECATED 1469# "identity:get_project":"rule:admin_required or 1470# project_id:%(target.project.id)s" has been deprecated since S in 1471# favor of "identity:get_project":"(role:reader and system_scope:all) 1472# or (role:reader and domain_id:%(target.project.domain_id)s) or 1473# project_id:%(target.project.id)s". 1474# The project API is now aware of system scope and default roles. 1475 1476# List projects. 
1477# GET /v3/projects 1478# Intended scope(s): system, domain 1479#"identity:list_projects": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" 1480 1481# DEPRECATED 1482# "identity:list_projects":"rule:admin_required" has been deprecated 1483# since S in favor of "identity:list_projects":"(role:reader and 1484# system_scope:all) or (role:reader and 1485# domain_id:%(target.domain_id)s)". 1486# The project API is now aware of system scope and default roles. 1487 1488# List projects for user. 1489# GET /v3/users/{user_id}/projects 1490# Intended scope(s): system, domain, project 1491#"identity:list_user_projects": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s" 1492 1493# DEPRECATED 1494# "identity:list_user_projects":"rule:admin_or_owner" has been 1495# deprecated since S in favor of 1496# "identity:list_user_projects":"(role:reader and system_scope:all) or 1497# (role:reader and domain_id:%(target.user.domain_id)s) or 1498# user_id:%(target.user.id)s". 1499# The project API is now aware of system scope and default roles. 1500 1501# Create project. 1502# POST /v3/projects 1503# Intended scope(s): system, domain 1504#"identity:create_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)" 1505 1506# DEPRECATED 1507# "identity:create_project":"rule:admin_required" has been deprecated 1508# since S in favor of "identity:create_project":"(role:admin and 1509# system_scope:all) or (role:admin and 1510# domain_id:%(target.project.domain_id)s)". 1511# The project API is now aware of system scope and default roles. 1512 1513# Update project. 
1514# PATCH /v3/projects/{project_id} 1515# Intended scope(s): system, domain 1516#"identity:update_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)" 1517 1518# DEPRECATED 1519# "identity:update_project":"rule:admin_required" has been deprecated 1520# since S in favor of "identity:update_project":"(role:admin and 1521# system_scope:all) or (role:admin and 1522# domain_id:%(target.project.domain_id)s)". 1523# The project API is now aware of system scope and default roles. 1524 1525# Delete project. 1526# DELETE /v3/projects/{project_id} 1527# Intended scope(s): system, domain 1528#"identity:delete_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)" 1529 1530# DEPRECATED 1531# "identity:delete_project":"rule:admin_required" has been deprecated 1532# since S in favor of "identity:delete_project":"(role:admin and 1533# system_scope:all) or (role:admin and 1534# domain_id:%(target.project.domain_id)s)". 1535# The project API is now aware of system scope and default roles. 1536 1537# List tags for a project. 1538# GET /v3/projects/{project_id}/tags 1539# HEAD /v3/projects/{project_id}/tags 1540# Intended scope(s): system, domain, project 1541#"identity:list_project_tags": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s" 1542 1543# DEPRECATED 1544# "identity:list_project_tags":"rule:admin_required or 1545# project_id:%(target.project.id)s" has been deprecated since T in 1546# favor of "identity:list_project_tags":"(role:reader and 1547# system_scope:all) or (role:reader and 1548# domain_id:%(target.project.domain_id)s) or 1549# project_id:%(target.project.id)s". 
1550# As of the Train release, the project tags API understands how to 1551# handle system-scoped tokens in addition to project and domain 1552# tokens, making the API more accessible to users without compromising 1553# security or manageability for administrators. The new default 1554# policies for this API account for these changes automatically. 1555 1556# Check if project contains a tag. 1557# GET /v3/projects/{project_id}/tags/{value} 1558# HEAD /v3/projects/{project_id}/tags/{value} 1559# Intended scope(s): system, domain, project 1560#"identity:get_project_tag": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s" 1561 1562# DEPRECATED 1563# "identity:get_project_tag":"rule:admin_required or 1564# project_id:%(target.project.id)s" has been deprecated since T in 1565# favor of "identity:get_project_tag":"(role:reader and 1566# system_scope:all) or (role:reader and 1567# domain_id:%(target.project.domain_id)s) or 1568# project_id:%(target.project.id)s". 1569# As of the Train release, the project tags API understands how to 1570# handle system-scoped tokens in addition to project and domain 1571# tokens, making the API more accessible to users without compromising 1572# security or manageability for administrators. The new default 1573# policies for this API account for these changes automatically. 1574 1575# Replace all tags on a project with the new set of tags. 
1576# PUT /v3/projects/{project_id}/tags 1577# Intended scope(s): system, domain, project 1578#"identity:update_project_tags": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" 1579 1580# DEPRECATED 1581# "identity:update_project_tags":"rule:admin_required" has been 1582# deprecated since T in favor of 1583# "identity:update_project_tags":"(role:admin and system_scope:all) or 1584# (role:admin and domain_id:%(target.project.domain_id)s) or 1585# (role:admin and project_id:%(target.project.id)s)". 1586# As of the Train release, the project tags API understands how to 1587# handle system-scoped tokens in addition to project and domain 1588# tokens, making the API more accessible to users without compromising 1589# security or manageability for administrators. The new default 1590# policies for this API account for these changes automatically. 1591 1592# Add a single tag to a project. 1593# PUT /v3/projects/{project_id}/tags/{value} 1594# Intended scope(s): system, domain, project 1595#"identity:create_project_tag": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" 1596 1597# DEPRECATED 1598# "identity:create_project_tag":"rule:admin_required" has been 1599# deprecated since T in favor of 1600# "identity:create_project_tag":"(role:admin and system_scope:all) or 1601# (role:admin and domain_id:%(target.project.domain_id)s) or 1602# (role:admin and project_id:%(target.project.id)s)". 1603# As of the Train release, the project tags API understands how to 1604# handle system-scoped tokens in addition to project and domain 1605# tokens, making the API more accessible to users without compromising 1606# security or manageability for administrators. The new default 1607# policies for this API account for these changes automatically. 1608 1609# Remove all tags from a project. 
1610# DELETE /v3/projects/{project_id}/tags 1611# Intended scope(s): system, domain, project 1612#"identity:delete_project_tags": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" 1613 1614# DEPRECATED 1615# "identity:delete_project_tags":"rule:admin_required" has been 1616# deprecated since T in favor of 1617# "identity:delete_project_tags":"(role:admin and system_scope:all) or 1618# (role:admin and domain_id:%(target.project.domain_id)s) or 1619# (role:admin and project_id:%(target.project.id)s)". 1620# As of the Train release, the project tags API understands how to 1621# handle system-scoped tokens in addition to project and domain 1622# tokens, making the API more accessible to users without compromising 1623# security or manageability for administrators. The new default 1624# policies for this API account for these changes automatically. 1625 1626# Delete a specified tag from project. 1627# DELETE /v3/projects/{project_id}/tags/{value} 1628# Intended scope(s): system, domain, project 1629#"identity:delete_project_tag": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" 1630 1631# DEPRECATED 1632# "identity:delete_project_tag":"rule:admin_required" has been 1633# deprecated since T in favor of 1634# "identity:delete_project_tag":"(role:admin and system_scope:all) or 1635# (role:admin and domain_id:%(target.project.domain_id)s) or 1636# (role:admin and project_id:%(target.project.id)s)". 1637# As of the Train release, the project tags API understands how to 1638# handle system-scoped tokens in addition to project and domain 1639# tokens, making the API more accessible to users without compromising 1640# security or manageability for administrators. The new default 1641# policies for this API account for these changes automatically. 
1642 1643# List projects allowed to access an endpoint. 1644# GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects 1645# Intended scope(s): system 1646#"identity:list_projects_for_endpoint": "role:reader and system_scope:all" 1647 1648# DEPRECATED 1649# "identity:list_projects_for_endpoint":"rule:admin_required" has been 1650# deprecated since T in favor of 1651# "identity:list_projects_for_endpoint":"role:reader and 1652# system_scope:all". 1653# As of the Train release, the project endpoint API now understands 1654# default roles and system-scoped tokens, making the API more granular 1655# by default without compromising security. The new policy defaults 1656# account for these changes automatically. Be sure to take these new 1657# defaults into consideration if you are relying on overrides in your 1658# deployment for the project endpoint API. 1659 1660# Allow project to access an endpoint. 1661# PUT /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} 1662# Intended scope(s): system 1663#"identity:add_endpoint_to_project": "role:admin and system_scope:all" 1664 1665# DEPRECATED 1666# "identity:add_endpoint_to_project":"rule:admin_required" has been 1667# deprecated since T in favor of 1668# "identity:add_endpoint_to_project":"role:admin and 1669# system_scope:all". 1670# As of the Train release, the project endpoint API now understands 1671# default roles and system-scoped tokens, making the API more granular 1672# by default without compromising security. The new policy defaults 1673# account for these changes automatically. Be sure to take these new 1674# defaults into consideration if you are relying on overrides in your 1675# deployment for the project endpoint API. 1676 1677# Check if a project is allowed to access an endpoint. 
1678# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} 1679# HEAD /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} 1680# Intended scope(s): system 1681#"identity:check_endpoint_in_project": "role:reader and system_scope:all" 1682 1683# DEPRECATED 1684# "identity:check_endpoint_in_project":"rule:admin_required" has been 1685# deprecated since T in favor of 1686# "identity:check_endpoint_in_project":"role:reader and 1687# system_scope:all". 1688# As of the Train release, the project endpoint API now understands 1689# default roles and system-scoped tokens, making the API more granular 1690# by default without compromising security. The new policy defaults 1691# account for these changes automatically. Be sure to take these new 1692# defaults into consideration if you are relying on overrides in your 1693# deployment for the project endpoint API. 1694 1695# List the endpoints a project is allowed to access. 1696# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints 1697# Intended scope(s): system 1698#"identity:list_endpoints_for_project": "role:reader and system_scope:all" 1699 1700# DEPRECATED 1701# "identity:list_endpoints_for_project":"rule:admin_required" has been 1702# deprecated since T in favor of 1703# "identity:list_endpoints_for_project":"role:reader and 1704# system_scope:all". 1705# As of the Train release, the project endpoint API now understands 1706# default roles and system-scoped tokens, making the API more granular 1707# by default without compromising security. The new policy defaults 1708# account for these changes automatically. Be sure to take these new 1709# defaults into consideration if you are relying on overrides in your 1710# deployment for the project endpoint API. 1711 1712# Remove access to an endpoint from a project that has previously been 1713# given explicit access. 
1714# DELETE /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} 1715# Intended scope(s): system 1716#"identity:remove_endpoint_from_project": "role:admin and system_scope:all" 1717 1718# DEPRECATED 1719# "identity:remove_endpoint_from_project":"rule:admin_required" has 1720# been deprecated since T in favor of 1721# "identity:remove_endpoint_from_project":"role:admin and 1722# system_scope:all". 1723# As of the Train release, the project endpoint API now understands 1724# default roles and system-scoped tokens, making the API more granular 1725# by default without compromising security. The new policy defaults 1726# account for these changes automatically. Be sure to take these new 1727# defaults into consideration if you are relying on overrides in your 1728# deployment for the project endpoint API. 1729 1730# Create federated protocol. 1731# PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} 1732# Intended scope(s): system 1733#"identity:create_protocol": "role:admin and system_scope:all" 1734 1735# DEPRECATED 1736# "identity:create_protocol":"rule:admin_required" has been deprecated 1737# since S in favor of "identity:create_protocol":"role:admin and 1738# system_scope:all". 1739# The federated protocol API is now aware of system scope and default 1740# roles. 1741 1742# Update federated protocol. 1743# PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} 1744# Intended scope(s): system 1745#"identity:update_protocol": "role:admin and system_scope:all" 1746 1747# DEPRECATED 1748# "identity:update_protocol":"rule:admin_required" has been deprecated 1749# since S in favor of "identity:update_protocol":"role:admin and 1750# system_scope:all". 1751# The federated protocol API is now aware of system scope and default 1752# roles. 1753 1754# Get federated protocol. 
# GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
# Intended scope(s): system
#"identity:get_protocol": "role:reader and system_scope:all"

# DEPRECATED
# "identity:get_protocol":"rule:admin_required" has been deprecated
# since S in favor of "identity:get_protocol":"role:reader and
# system_scope:all".
# The federated protocol API is now aware of system scope and default
# roles.

# List federated protocols.
# GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
# Intended scope(s): system
#"identity:list_protocols": "role:reader and system_scope:all"

# DEPRECATED
# "identity:list_protocols":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_protocols":"role:reader and
# system_scope:all".
# The federated protocol API is now aware of system scope and default
# roles.

# Delete federated protocol.
# DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
# Intended scope(s): system
#"identity:delete_protocol": "role:admin and system_scope:all"

# DEPRECATED
# "identity:delete_protocol":"rule:admin_required" has been deprecated
# since S in favor of "identity:delete_protocol":"role:admin and
# system_scope:all".
# The federated protocol API is now aware of system scope and default
# roles.

# NOTE(review): identity:get_region and identity:list_regions default
# to an empty check string, which oslo.policy evaluates as always
# true: no role or scope is checked for these two APIs unless this
# file overrides them.

# Show region details.
# GET /v3/regions/{region_id}
# HEAD /v3/regions/{region_id}
# Intended scope(s): system, domain, project
#"identity:get_region": ""

# List regions.
# GET /v3/regions
# HEAD /v3/regions
# Intended scope(s): system, domain, project
#"identity:list_regions": ""

# Create region.
1803# POST /v3/regions 1804# PUT /v3/regions/{region_id} 1805# Intended scope(s): system 1806#"identity:create_region": "role:admin and system_scope:all" 1807 1808# DEPRECATED 1809# "identity:create_region":"rule:admin_required" has been deprecated 1810# since S in favor of "identity:create_region":"role:admin and 1811# system_scope:all". 1812# The region API is now aware of system scope and default roles. 1813 1814# Update region. 1815# PATCH /v3/regions/{region_id} 1816# Intended scope(s): system 1817#"identity:update_region": "role:admin and system_scope:all" 1818 1819# DEPRECATED 1820# "identity:update_region":"rule:admin_required" has been deprecated 1821# since S in favor of "identity:update_region":"role:admin and 1822# system_scope:all". 1823# The region API is now aware of system scope and default roles. 1824 1825# Delete region. 1826# DELETE /v3/regions/{region_id} 1827# Intended scope(s): system 1828#"identity:delete_region": "role:admin and system_scope:all" 1829 1830# DEPRECATED 1831# "identity:delete_region":"rule:admin_required" has been deprecated 1832# since S in favor of "identity:delete_region":"role:admin and 1833# system_scope:all". 1834# The region API is now aware of system scope and default roles. 1835 1836# Show registered limit details. 1837# GET /v3/registered_limits/{registered_limit_id} 1838# HEAD /v3/registered_limits/{registered_limit_id} 1839# Intended scope(s): system, domain, project 1840#"identity:get_registered_limit": "" 1841 1842# List registered limits. 1843# GET /v3/registered_limits 1844# HEAD /v3/registered_limits 1845# Intended scope(s): system, domain, project 1846#"identity:list_registered_limits": "" 1847 1848# Create registered limits. 1849# POST /v3/registered_limits 1850# Intended scope(s): system 1851#"identity:create_registered_limits": "role:admin and system_scope:all" 1852 1853# Update registered limit. 
1854# PATCH /v3/registered_limits/{registered_limit_id} 1855# Intended scope(s): system 1856#"identity:update_registered_limit": "role:admin and system_scope:all" 1857 1858# Delete registered limit. 1859# DELETE /v3/registered_limits/{registered_limit_id} 1860# Intended scope(s): system 1861#"identity:delete_registered_limit": "role:admin and system_scope:all" 1862 1863# List revocation events. 1864# GET /v3/OS-REVOKE/events 1865# Intended scope(s): system 1866#"identity:list_revoke_events": "rule:service_or_admin" 1867 1868# Show role details. 1869# GET /v3/roles/{role_id} 1870# HEAD /v3/roles/{role_id} 1871# Intended scope(s): system 1872#"identity:get_role": "role:reader and system_scope:all" 1873 1874# DEPRECATED 1875# "identity:get_role":"rule:admin_required" has been deprecated since 1876# S in favor of "identity:get_role":"role:reader and 1877# system_scope:all". 1878# The role API is now aware of system scope and default roles. 1879 1880# List roles. 1881# GET /v3/roles 1882# HEAD /v3/roles 1883# Intended scope(s): system 1884#"identity:list_roles": "role:reader and system_scope:all" 1885 1886# DEPRECATED 1887# "identity:list_roles":"rule:admin_required" has been deprecated 1888# since S in favor of "identity:list_roles":"role:reader and 1889# system_scope:all". 1890# The role API is now aware of system scope and default roles. 1891 1892# Create role. 1893# POST /v3/roles 1894# Intended scope(s): system 1895#"identity:create_role": "role:admin and system_scope:all" 1896 1897# DEPRECATED 1898# "identity:create_role":"rule:admin_required" has been deprecated 1899# since S in favor of "identity:create_role":"role:admin and 1900# system_scope:all". 1901# The role API is now aware of system scope and default roles. 1902 1903# Update role. 
1904# PATCH /v3/roles/{role_id} 1905# Intended scope(s): system 1906#"identity:update_role": "role:admin and system_scope:all" 1907 1908# DEPRECATED 1909# "identity:update_role":"rule:admin_required" has been deprecated 1910# since S in favor of "identity:update_role":"role:admin and 1911# system_scope:all". 1912# The role API is now aware of system scope and default roles. 1913 1914# Delete role. 1915# DELETE /v3/roles/{role_id} 1916# Intended scope(s): system 1917#"identity:delete_role": "role:admin and system_scope:all" 1918 1919# DEPRECATED 1920# "identity:delete_role":"rule:admin_required" has been deprecated 1921# since S in favor of "identity:delete_role":"role:admin and 1922# system_scope:all". 1923# The role API is now aware of system scope and default roles. 1924 1925# Show domain role. 1926# GET /v3/roles/{role_id} 1927# HEAD /v3/roles/{role_id} 1928# Intended scope(s): system 1929#"identity:get_domain_role": "role:reader and system_scope:all" 1930 1931# DEPRECATED 1932# "identity:get_domain_role":"rule:admin_required" has been deprecated 1933# since T in favor of "identity:get_domain_role":"role:reader and 1934# system_scope:all". 1935# The role API is now aware of system scope and default roles. 1936 1937# List domain roles. 1938# GET /v3/roles?domain_id={domain_id} 1939# HEAD /v3/roles?domain_id={domain_id} 1940# Intended scope(s): system 1941#"identity:list_domain_roles": "role:reader and system_scope:all" 1942 1943# DEPRECATED 1944# "identity:list_domain_roles":"rule:admin_required" has been 1945# deprecated since T in favor of 1946# "identity:list_domain_roles":"role:reader and system_scope:all". 1947# The role API is now aware of system scope and default roles. 1948 1949# Create domain role. 
1950# POST /v3/roles 1951# Intended scope(s): system 1952#"identity:create_domain_role": "role:admin and system_scope:all" 1953 1954# DEPRECATED 1955# "identity:create_domain_role":"rule:admin_required" has been 1956# deprecated since T in favor of 1957# "identity:create_domain_role":"role:admin and system_scope:all". 1958# The role API is now aware of system scope and default roles. 1959 1960# Update domain role. 1961# PATCH /v3/roles/{role_id} 1962# Intended scope(s): system 1963#"identity:update_domain_role": "role:admin and system_scope:all" 1964 1965# DEPRECATED 1966# "identity:update_domain_role":"rule:admin_required" has been 1967# deprecated since T in favor of 1968# "identity:update_domain_role":"role:admin and system_scope:all". 1969# The role API is now aware of system scope and default roles. 1970 1971# Delete domain role. 1972# DELETE /v3/roles/{role_id} 1973# Intended scope(s): system 1974#"identity:delete_domain_role": "role:admin and system_scope:all" 1975 1976# DEPRECATED 1977# "identity:delete_domain_role":"rule:admin_required" has been 1978# deprecated since T in favor of 1979# "identity:delete_domain_role":"role:admin and system_scope:all". 1980# The role API is now aware of system scope and default roles. 1981 1982# List role assignments. 1983# GET /v3/role_assignments 1984# HEAD /v3/role_assignments 1985# Intended scope(s): system, domain 1986#"identity:list_role_assignments": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" 1987 1988# DEPRECATED 1989# "identity:list_role_assignments":"rule:admin_required" has been 1990# deprecated since S in favor of 1991# "identity:list_role_assignments":"(role:reader and system_scope:all) 1992# or (role:reader and domain_id:%(target.domain_id)s)". 1993# The assignment API is now aware of system scope and default roles. 1994 1995# List all role assignments for a given tree of hierarchical projects. 
1996# GET /v3/role_assignments?include_subtree 1997# HEAD /v3/role_assignments?include_subtree 1998# Intended scope(s): system, domain, project 1999#"identity:list_role_assignments_for_tree": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" 2000 2001# DEPRECATED 2002# "identity:list_role_assignments_for_tree":"rule:admin_required" has 2003# been deprecated since T in favor of 2004# "identity:list_role_assignments_for_tree":"(role:reader and 2005# system_scope:all) or (role:reader and 2006# domain_id:%(target.project.domain_id)s) or (role:admin and 2007# project_id:%(target.project.id)s)". 2008# The assignment API is now aware of system scope and default roles. 2009 2010# Show service details. 2011# GET /v3/services/{service_id} 2012# Intended scope(s): system 2013#"identity:get_service": "role:reader and system_scope:all" 2014 2015# DEPRECATED 2016# "identity:get_service":"rule:admin_required" has been deprecated 2017# since S in favor of "identity:get_service":"role:reader and 2018# system_scope:all". 2019# The service API is now aware of system scope and default roles. 2020 2021# List services. 2022# GET /v3/services 2023# Intended scope(s): system 2024#"identity:list_services": "role:reader and system_scope:all" 2025 2026# DEPRECATED 2027# "identity:list_services":"rule:admin_required" has been deprecated 2028# since S in favor of "identity:list_services":"role:reader and 2029# system_scope:all". 2030# The service API is now aware of system scope and default roles. 2031 2032# Create service. 2033# POST /v3/services 2034# Intended scope(s): system 2035#"identity:create_service": "role:admin and system_scope:all" 2036 2037# DEPRECATED 2038# "identity:create_service":"rule:admin_required" has been deprecated 2039# since S in favor of "identity:create_service":"role:admin and 2040# system_scope:all". 
2041# The service API is now aware of system scope and default roles. 2042 2043# Update service. 2044# PATCH /v3/services/{service_id} 2045# Intended scope(s): system 2046#"identity:update_service": "role:admin and system_scope:all" 2047 2048# DEPRECATED 2049# "identity:update_service":"rule:admin_required" has been deprecated 2050# since S in favor of "identity:update_service":"role:admin and 2051# system_scope:all". 2052# The service API is now aware of system scope and default roles. 2053 2054# Delete service. 2055# DELETE /v3/services/{service_id} 2056# Intended scope(s): system 2057#"identity:delete_service": "role:admin and system_scope:all" 2058 2059# DEPRECATED 2060# "identity:delete_service":"rule:admin_required" has been deprecated 2061# since S in favor of "identity:delete_service":"role:admin and 2062# system_scope:all". 2063# The service API is now aware of system scope and default roles. 2064 2065# Create federated service provider. 2066# PUT /v3/OS-FEDERATION/service_providers/{service_provider_id} 2067# Intended scope(s): system 2068#"identity:create_service_provider": "role:admin and system_scope:all" 2069 2070# DEPRECATED 2071# "identity:create_service_provider":"rule:admin_required" has been 2072# deprecated since S in favor of 2073# "identity:create_service_provider":"role:admin and 2074# system_scope:all". 2075# The service provider API is now aware of system scope and default 2076# roles. 2077 2078# List federated service providers. 2079# GET /v3/OS-FEDERATION/service_providers 2080# HEAD /v3/OS-FEDERATION/service_providers 2081# Intended scope(s): system 2082#"identity:list_service_providers": "role:reader and system_scope:all" 2083 2084# DEPRECATED 2085# "identity:list_service_providers":"rule:admin_required" has been 2086# deprecated since S in favor of 2087# "identity:list_service_providers":"role:reader and 2088# system_scope:all". 2089# The service provider API is now aware of system scope and default 2090# roles. 
2091 2092# Get federated service provider. 2093# GET /v3/OS-FEDERATION/service_providers/{service_provider_id} 2094# HEAD /v3/OS-FEDERATION/service_providers/{service_provider_id} 2095# Intended scope(s): system 2096#"identity:get_service_provider": "role:reader and system_scope:all" 2097 2098# DEPRECATED 2099# "identity:get_service_provider":"rule:admin_required" has been 2100# deprecated since S in favor of 2101# "identity:get_service_provider":"role:reader and system_scope:all". 2102# The service provider API is now aware of system scope and default 2103# roles. 2104 2105# Update federated service provider. 2106# PATCH /v3/OS-FEDERATION/service_providers/{service_provider_id} 2107# Intended scope(s): system 2108#"identity:update_service_provider": "role:admin and system_scope:all" 2109 2110# DEPRECATED 2111# "identity:update_service_provider":"rule:admin_required" has been 2112# deprecated since S in favor of 2113# "identity:update_service_provider":"role:admin and 2114# system_scope:all". 2115# The service provider API is now aware of system scope and default 2116# roles. 2117 2118# Delete federated service provider. 2119# DELETE /v3/OS-FEDERATION/service_providers/{service_provider_id} 2120# Intended scope(s): system 2121#"identity:delete_service_provider": "role:admin and system_scope:all" 2122 2123# DEPRECATED 2124# "identity:delete_service_provider":"rule:admin_required" has been 2125# deprecated since S in favor of 2126# "identity:delete_service_provider":"role:admin and 2127# system_scope:all". 2128# The service provider API is now aware of system scope and default 2129# roles. 2130 2131# DEPRECATED 2132# "identity:revocation_list" has been deprecated since T. 2133# The identity:revocation_list policy isn't used to protect any APIs 2134# in keystone now that the revocation list API has been deprecated and 2135# only returns a 410 or 403 depending on how keystone is configured. 2136# This policy can be safely removed from policy files. 
2137# List revoked PKI tokens. 2138# GET /v3/auth/tokens/OS-PKI/revoked 2139# Intended scope(s): system, project 2140#"identity:revocation_list": "rule:service_or_admin" 2141 2142# Check a token. 2143# HEAD /v3/auth/tokens 2144# Intended scope(s): system, domain, project 2145#"identity:check_token": "(role:reader and system_scope:all) or rule:token_subject" 2146 2147# DEPRECATED 2148# "identity:check_token":"rule:admin_or_token_subject" has been 2149# deprecated since T in favor of "identity:check_token":"(role:reader 2150# and system_scope:all) or rule:token_subject". 2151# The token API is now aware of system scope and default roles. 2152 2153# Validate a token. 2154# GET /v3/auth/tokens 2155# Intended scope(s): system, domain, project 2156#"identity:validate_token": "(role:reader and system_scope:all) or rule:service_role or rule:token_subject" 2157 2158# DEPRECATED 2159# "identity:validate_token":"rule:service_admin_or_token_subject" has 2160# been deprecated since T in favor of 2161# "identity:validate_token":"(role:reader and system_scope:all) or 2162# rule:service_role or rule:token_subject". 2163# The token API is now aware of system scope and default roles. 2164 2165# Revoke a token. 2166# DELETE /v3/auth/tokens 2167# Intended scope(s): system, domain, project 2168#"identity:revoke_token": "(role:admin and system_scope:all) or rule:token_subject" 2169 2170# DEPRECATED 2171# "identity:revoke_token":"rule:admin_or_token_subject" has been 2172# deprecated since T in favor of "identity:revoke_token":"(role:admin 2173# and system_scope:all) or rule:token_subject". 2174# The token API is now aware of system scope and default roles. 2175 2176# Create trust. 2177# POST /v3/OS-TRUST/trusts 2178# Intended scope(s): project 2179#"identity:create_trust": "user_id:%(trust.trustor_user_id)s" 2180 2181# List trusts. 
# GET /v3/OS-TRUST/trusts
# HEAD /v3/OS-TRUST/trusts
# Intended scope(s): system
#"identity:list_trusts": "role:reader and system_scope:all"

# DEPRECATED
# "identity:list_trusts":"rule:admin_required" has been deprecated
# since T in favor of "identity:list_trusts":"role:reader and
# system_scope:all".
# The trust API is now aware of system scope and default roles.

# NOTE(review): identity:list_trusts_for_trustor,
# identity:list_trusts_for_trustee and identity:list_roles_for_trust
# mix "and" and "or" without parentheses. oslo.policy gives "and"
# higher precedence, so each default reads as "(role:reader and
# system_scope:all) or user_id:..."; write the parentheses explicitly
# in any override so the grouping stays unambiguous (confirm the
# precedence against the oslo.policy version you deploy).

# List trusts for trustor.
# GET /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}
# HEAD /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}
# Intended scope(s): system, project
#"identity:list_trusts_for_trustor": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s"

# List trusts for trustee.
# GET /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}
# HEAD /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}
# Intended scope(s): system, project
#"identity:list_trusts_for_trustee": "role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s"

# List roles delegated by a trust.
# GET /v3/OS-TRUST/trusts/{trust_id}/roles
# HEAD /v3/OS-TRUST/trusts/{trust_id}/roles
# Intended scope(s): system, project
#"identity:list_roles_for_trust": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s"

# DEPRECATED
# "identity:list_roles_for_trust":"user_id:%(target.trust.trustor_user_id)s
# or user_id:%(target.trust.trustee_user_id)s" has been
# deprecated since T in favor of
# "identity:list_roles_for_trust":"role:reader and system_scope:all or
# user_id:%(target.trust.trustor_user_id)s or
# user_id:%(target.trust.trustee_user_id)s".
# The trust API is now aware of system scope and default roles.

# Check if trust delegates a particular role.
# GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
# HEAD /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
# Intended scope(s): system, project
#"identity:get_role_for_trust": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s"

# DEPRECATED
# "identity:get_role_for_trust":"user_id:%(target.trust.trustor_user_id)s
# or user_id:%(target.trust.trustee_user_id)s" has been deprecated
# since T in favor of "identity:get_role_for_trust":"role:reader and
# system_scope:all or user_id:%(target.trust.trustor_user_id)s or
# user_id:%(target.trust.trustee_user_id)s".
# The trust API is now aware of system scope and default roles.

# Revoke trust.
# DELETE /v3/OS-TRUST/trusts/{trust_id}
# Intended scope(s): system, project
#"identity:delete_trust": "role:admin and system_scope:all or user_id:%(target.trust.trustor_user_id)s"

# DEPRECATED
# "identity:delete_trust":"user_id:%(target.trust.trustor_user_id)s"
# has been deprecated since T in favor of
# "identity:delete_trust":"role:admin and system_scope:all or
# user_id:%(target.trust.trustor_user_id)s".
# The trust API is now aware of system scope and default roles.

# Get trust.
# GET /v3/OS-TRUST/trusts/{trust_id}
# HEAD /v3/OS-TRUST/trusts/{trust_id}
# Intended scope(s): system, project
#"identity:get_trust": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s"

# DEPRECATED
# "identity:get_trust":"user_id:%(target.trust.trustor_user_id)s or
# user_id:%(target.trust.trustee_user_id)s" has been deprecated since
# T in favor of "identity:get_trust":"role:reader and system_scope:all
# or user_id:%(target.trust.trustor_user_id)s or
# user_id:%(target.trust.trustee_user_id)s".
# The trust API is now aware of system scope and default roles.

# Show user details.
# GET /v3/users/{user_id}
# HEAD /v3/users/{user_id}
# Intended scope(s): system, domain, project
#"identity:get_user": "(role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"

# DEPRECATED
# "identity:get_user":"rule:admin_or_owner" has been deprecated since
# S in favor of "identity:get_user":"(role:reader and
# system_scope:all) or (role:reader and
# token.domain.id:%(target.user.domain_id)s) or
# user_id:%(target.user.id)s".
# The user API is now aware of system scope and default roles.

# List users.
# GET /v3/users
# HEAD /v3/users
# Intended scope(s): system, domain
#"identity:list_users": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"

# DEPRECATED
# "identity:list_users":"rule:admin_required" has been deprecated
# since S in favor of "identity:list_users":"(role:reader and
# system_scope:all) or (role:reader and
# domain_id:%(target.domain_id)s)".
# The user API is now aware of system scope and default roles.

# List all projects a user has access to via role assignments.
# GET /v3/auth/projects
# NOTE: an empty check string always passes, so this policy (like
# identity:list_domains_for_user below) places no role or scope
# restriction on the caller.
#"identity:list_projects_for_user": ""

# List all domains a user has access to via role assignments.
# GET /v3/auth/domains
#"identity:list_domains_for_user": ""

# Create a user.
# POST /v3/users
# Intended scope(s): system, domain
#"identity:create_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)"

# DEPRECATED
# "identity:create_user":"rule:admin_required" has been deprecated
# since S in favor of "identity:create_user":"(role:admin and
# system_scope:all) or (role:admin and
# token.domain.id:%(target.user.domain_id)s)".
# The user API is now aware of system scope and default roles.

# Update a user, including administrative password resets.
# PATCH /v3/users/{user_id}
# Intended scope(s): system, domain
#"identity:update_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)"

# DEPRECATED
# "identity:update_user":"rule:admin_required" has been deprecated
# since S in favor of "identity:update_user":"(role:admin and
# system_scope:all) or (role:admin and
# token.domain.id:%(target.user.domain_id)s)".
# The user API is now aware of system scope and default roles.

# Delete a user.
# DELETE /v3/users/{user_id}
# Intended scope(s): system, domain
#"identity:delete_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)"

# DEPRECATED
# "identity:delete_user":"rule:admin_required" has been deprecated
# since S in favor of "identity:delete_user":"(role:admin and
# system_scope:all) or (role:admin and
# token.domain.id:%(target.user.domain_id)s)".
# The user API is now aware of system scope and default roles.
