---
# Policy definitions in oslo.policy's rule format: each entry names a rule,
# its check_str, the API operations it guards (method + path) and the token
# scope_types it accepts. The identity:* names and /v3 paths are Keystone's
# identity API; deprecated_rule carries the pre-"system scope" check.
#
# Review notes:
#   - An empty check_str ('') passes for any valid token; those rules are
#     flagged inline below.
#   - Where deprecated_rule is present, oslo.policy typically ORs the
#     deprecated check_str with the new one until enforce_new_defaults is
#     enabled, so the effective rule can be broader than check_str alone;
#     confirm against the deployed oslo.policy version.
#   - deprecated_since values (S, T) look like OpenStack release letters,
#     presumably Stein and Train; confirm against the source tree.
#   - operations[].method is a string everywhere except the system-grant
#     rules at the end, where it is a list; consumers must accept both.

# --- Base rules (referenced as rule:<name> by the API rules below) ---

# is_admin:1 presumably matches the legacy admin-token path; confirm whether
# that path is still enabled in this deployment.
- check_str: role:admin or is_admin:1
  description: null
  name: admin_required
  operations: []
  scope_types: null

- check_str: role:service
  description: null
  name: service_role
  operations: []
  scope_types: null

- check_str: rule:admin_required or rule:service_role
  description: null
  name: service_or_admin
  operations: []
  scope_types: null

# Matches when the requesting user id equals the user_id in the target.
- check_str: user_id:%(user_id)s
  description: null
  name: owner
  operations: []
  scope_types: null

- check_str: rule:admin_required or rule:owner
  description: null
  name: admin_or_owner
  operations: []
  scope_types: null

- check_str: user_id:%(target.token.user_id)s
  description: null
  name: token_subject
  operations: []
  scope_types: null

- check_str: rule:admin_required or rule:token_subject
  description: null
  name: admin_or_token_subject
  operations: []
  scope_types: null

- check_str: rule:service_or_admin or rule:token_subject
  description: null
  name: service_admin_or_token_subject
  operations: []
  scope_types: null

# --- Access rules ---

- check_str: (role:reader and system_scope:all) or user_id:%(target.user.id)s
  description: Show access rule details.
  name: identity:get_access_rule
  operations:
    - method: GET
      path: /v3/users/{user_id}/access_rules/{access_rule_id}
    - method: HEAD
      path: /v3/users/{user_id}/access_rules/{access_rule_id}
  scope_types:
    - system
    - project

- check_str: (role:reader and system_scope:all) or user_id:%(target.user.id)s
  description: List access rules for a user.
  name: identity:list_access_rules
  operations:
    - method: GET
      path: /v3/users/{user_id}/access_rules
    - method: HEAD
      path: /v3/users/{user_id}/access_rules
  scope_types:
    - system
    - project

- check_str: (role:admin and system_scope:all) or user_id:%(target.user.id)s
  description: Delete an access_rule.
  name: identity:delete_access_rule
  operations:
    - method: DELETE
      path: /v3/users/{user_id}/access_rules/{access_rule_id}
  scope_types:
    - system
    - project

# --- OAUTH1 request/access tokens ---

- check_str: rule:admin_required
  description: Authorize OAUTH1 request token.
  name: identity:authorize_request_token
  operations:
    - method: PUT
      path: /v3/OS-OAUTH1/authorize/{request_token_id}
  scope_types:
    - project

- check_str: rule:admin_required
  description: Get OAUTH1 access token for user by access token ID.
  name: identity:get_access_token
  operations:
    - method: GET
      path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
  scope_types:
    - project

- check_str: rule:admin_required
  description: Get role for user OAUTH1 access token.
  name: identity:get_access_token_role
  operations:
    - method: GET
      path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
  scope_types:
    - project

- check_str: rule:admin_required
  description: List OAUTH1 access tokens for user.
  name: identity:list_access_tokens
  operations:
    - method: GET
      path: /v3/users/{user_id}/OS-OAUTH1/access_tokens
  scope_types:
    - project

- check_str: rule:admin_required
  description: List OAUTH1 access token roles.
  name: identity:list_access_token_roles
  operations:
    - method: GET
      path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
  scope_types:
    - project

- check_str: rule:admin_required
  description: Delete OAUTH1 access token.
  name: identity:delete_access_token
  operations:
    - method: DELETE
      path: /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
  scope_types:
    - project

# --- Application credentials ---

- check_str: (role:reader and system_scope:all) or rule:owner
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: The application credential API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:get_application_credential
  description: Show application credential details.
  name: identity:get_application_credential
  operations:
    - method: GET
      path: /v3/users/{user_id}/application_credentials/{application_credential_id}
    - method: HEAD
      path: /v3/users/{user_id}/application_credentials/{application_credential_id}
  scope_types:
    - system
    - project

- check_str: (role:reader and system_scope:all) or rule:owner
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: The application credential API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:list_application_credentials
  description: List application credentials for a user.
  name: identity:list_application_credentials
  operations:
    - method: GET
      path: /v3/users/{user_id}/application_credentials
    - method: HEAD
      path: /v3/users/{user_id}/application_credentials
  scope_types:
    - system
    - project

# Creation is owner-only: no admin or system-scope alternative here.
- check_str: user_id:%(user_id)s
  description: Create an application credential.
  name: identity:create_application_credential
  operations:
    - method: POST
      path: /v3/users/{user_id}/application_credentials
  scope_types:
    - project

- check_str: (role:admin and system_scope:all) or rule:owner
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: The application credential API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:delete_application_credential
  description: Delete an application credential.
  name: identity:delete_application_credential
  operations:
    - method: DELETE
      path: /v3/users/{user_id}/application_credentials/{application_credential_id}
  scope_types:
    - system
    - project

# --- Token self-introspection (auth) ---
# Empty check_str: any valid token is allowed; scope_types is null (unscoped).

- check_str: ''
  description: Get service catalog.
  name: identity:get_auth_catalog
  operations:
    - method: GET
      path: /v3/auth/catalog
    - method: HEAD
      path: /v3/auth/catalog
  scope_types: null

- check_str: ''
  description: List all projects a user has access to via role assignments.
  name: identity:get_auth_projects
  operations:
    - method: GET
      path: /v3/auth/projects
    - method: HEAD
      path: /v3/auth/projects
  scope_types: null

- check_str: ''
  description: List all domains a user has access to via role assignments.
  name: identity:get_auth_domains
  operations:
    - method: GET
      path: /v3/auth/domains
    - method: HEAD
      path: /v3/auth/domains
  scope_types: null

- check_str: ''
  description: List systems a user has access to via role assignments.
  name: identity:get_auth_system
  operations:
    - method: GET
      path: /v3/auth/system
    - method: HEAD
      path: /v3/auth/system
  scope_types: null

# --- OAUTH1 consumers ---

- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:get_consumer
  description: Show OAUTH1 consumer details.
  name: identity:get_consumer
  operations:
    - method: GET
      path: /v3/OS-OAUTH1/consumers/{consumer_id}
  scope_types:
    - system
    - project

- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:list_consumers
  description: List OAUTH1 consumers.
  name: identity:list_consumers
  operations:
    - method: GET
      path: /v3/OS-OAUTH1/consumers
  scope_types:
    - system
    - project

- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:create_consumer
  description: Create OAUTH1 consumer.
  name: identity:create_consumer
  operations:
    - method: POST
      path: /v3/OS-OAUTH1/consumers
  scope_types:
    - system
    - project

- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:update_consumer
  description: Update OAUTH1 consumer.
  name: identity:update_consumer
  operations:
    - method: PATCH
      path: /v3/OS-OAUTH1/consumers/{consumer_id}
  scope_types:
    - system
    - project

- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The OAUTH1 consumer API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:delete_consumer
  description: Delete OAUTH1 consumer.
  name: identity:delete_consumer
  operations:
    - method: DELETE
      path: /v3/OS-OAUTH1/consumers/{consumer_id}
  scope_types:
    - system
    - project

# --- Credentials ---

- check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The credential API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:get_credential
  description: Show credentials details.
  name: identity:get_credential
  operations:
    - method: GET
      path: /v3/credentials/{credential_id}
  scope_types:
    - system
    - project

- check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The credential API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:list_credentials
  description: List credentials.
  name: identity:list_credentials
  operations:
    - method: GET
      path: /v3/credentials
  scope_types:
    - system
    - project

- check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The credential API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:create_credential
  description: Create credential.
  name: identity:create_credential
  operations:
    - method: POST
      path: /v3/credentials
  scope_types:
    - system
    - project

- check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The credential API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:update_credential
  description: Update credential.
  name: identity:update_credential
  operations:
    - method: PATCH
      path: /v3/credentials/{credential_id}
  scope_types:
    - system
    - project

- check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The credential API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:delete_credential
  description: Delete credential.
  name: identity:delete_credential
  operations:
    - method: DELETE
      path: /v3/credentials/{credential_id}
  scope_types:
    - system
    - project

# --- Domains ---

# Any token whose domain, or whose project's domain, is the target domain may
# read it, in addition to admins and system readers.
- check_str: >-
    rule:admin_required or (role:reader and system_scope:all) or
    token.domain.id:%(target.domain.id)s or
    token.project.domain.id:%(target.domain.id)s
  deprecated_rule:
    check_str: rule:admin_required or token.project.domain.id:%(target.domain.id)s
    deprecated_reason: The domain API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:get_domain
  description: Show domain details.
  name: identity:get_domain
  operations:
    - method: GET
      path: /v3/domains/{domain_id}
  scope_types:
    - system
    - domain
    - project

- check_str: >-
    rule:admin_required or (role:reader and system_scope:all) or
    (role:reader and domain_id:%(target.domain.id)s)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The domain API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:list_domains
  description: List domains.
  name: identity:list_domains
  operations:
    - method: GET
      path: /v3/domains
  scope_types:
    - system
    - domain
    - project

- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The domain API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:create_domain
  description: Create domain.
  name: identity:create_domain
  operations:
    - method: POST
      path: /v3/domains
  scope_types:
    - system
    - project

- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The domain API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:update_domain
  description: Update domain.
  name: identity:update_domain
  operations:
    - method: PATCH
      path: /v3/domains/{domain_id}
  scope_types:
    - system
    - project

- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The domain API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:delete_domain
  description: Delete domain.
  name: identity:delete_domain
  operations:
    - method: DELETE
      path: /v3/domains/{domain_id}
  scope_types:
    - system
    - project

# --- Domain configuration ---

- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The domain config API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:create_domain_config
  description: Create domain configuration.
  name: identity:create_domain_config
  operations:
    - method: PUT
      path: /v3/domains/{domain_id}/config
  scope_types:
    - system
    - project

- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The domain config API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:get_domain_config
  description: >-
    Get the entire domain configuration for a domain, an option group within
    a domain, or a specific configuration option within a group for a domain.
  name: identity:get_domain_config
  operations:
    - method: GET
      path: /v3/domains/{domain_id}/config
    - method: HEAD
      path: /v3/domains/{domain_id}/config
    - method: GET
      path: /v3/domains/{domain_id}/config/{group}
    - method: HEAD
      path: /v3/domains/{domain_id}/config/{group}
    - method: GET
      path: /v3/domains/{domain_id}/config/{group}/{option}
    - method: HEAD
      path: /v3/domains/{domain_id}/config/{group}/{option}
  scope_types:
    - system
    - project

# Empty check_str: the security_compliance group is readable by any valid
# token in any scope, unlike the rest of the domain config.
- check_str: ''
  description: >-
    Get security compliance domain configuration for either a domain or a
    specific option in a domain.
  name: identity:get_security_compliance_domain_config
  operations:
    - method: GET
      path: /v3/domains/{domain_id}/config/security_compliance
    - method: HEAD
      path: /v3/domains/{domain_id}/config/security_compliance
    - method: GET
      path: /v3/domains/{domain_id}/config/security_compliance/{option}
    - method: HEAD
      path: /v3/domains/{domain_id}/config/security_compliance/{option}
  scope_types:
    - system
    - domain
    - project

- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The domain config API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:update_domain_config
  description: >-
    Update domain configuration for either a domain, specific group or a
    specific option in a group.
  name: identity:update_domain_config
  operations:
    - method: PATCH
      path: /v3/domains/{domain_id}/config
    - method: PATCH
      path: /v3/domains/{domain_id}/config/{group}
    - method: PATCH
      path: /v3/domains/{domain_id}/config/{group}/{option}
  scope_types:
    - system
    - project

- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The domain config API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:delete_domain_config
  description: >-
    Delete domain configuration for either a domain, specific group or a
    specific option in a group.
  name: identity:delete_domain_config
  operations:
    - method: DELETE
      path: /v3/domains/{domain_id}/config
    - method: DELETE
      path: /v3/domains/{domain_id}/config/{group}
    - method: DELETE
      path: /v3/domains/{domain_id}/config/{group}/{option}
  scope_types:
    - system
    - project

- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The domain config API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:get_domain_config_default
  description: >-
    Get domain configuration default for either a domain, specific group or a
    specific option in a group.
  name: identity:get_domain_config_default
  operations:
    - method: GET
      path: /v3/domains/config/default
    - method: HEAD
      path: /v3/domains/config/default
    - method: GET
      path: /v3/domains/config/{group}/default
    - method: HEAD
      path: /v3/domains/config/{group}/default
    - method: GET
      path: /v3/domains/config/{group}/{option}/default
    - method: HEAD
      path: /v3/domains/config/{group}/{option}/default
  scope_types:
    - system
    - project

# --- EC2 credentials ---

- check_str: (role:reader and system_scope:all) or user_id:%(target.credential.user_id)s
  deprecated_rule:
    check_str: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
    deprecated_reason: The EC2 credential API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:ec2_get_credential
  description: Show ec2 credential details.
  name: identity:ec2_get_credential
  operations:
    - method: GET
      path: /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
  scope_types:
    - system
    - project

- check_str: (role:reader and system_scope:all) or rule:owner
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: The EC2 credential API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:ec2_list_credentials
  description: List ec2 credentials.
  name: identity:ec2_list_credentials
  operations:
    - method: GET
      path: /v3/users/{user_id}/credentials/OS-EC2
  scope_types:
    - system
    - project

- check_str: (role:admin and system_scope:all) or rule:owner
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: The EC2 credential API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:ec2_create_credential
  description: Create ec2 credential.
  name: identity:ec2_create_credential
  operations:
    - method: POST
      path: /v3/users/{user_id}/credentials/OS-EC2
  scope_types:
    - system
    - project

- check_str: (role:admin and system_scope:all) or user_id:%(target.credential.user_id)s
  deprecated_rule:
    check_str: rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)
    deprecated_reason: The EC2 credential API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:ec2_delete_credential
  description: Delete ec2 credential.
  name: identity:ec2_delete_credential
  operations:
    - method: DELETE
      path: /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
  scope_types:
    - system
    - project

# --- Endpoints ---

- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The endpoint API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:get_endpoint
  description: Show endpoint details.
  name: identity:get_endpoint
  operations:
    - method: GET
      path: /v3/endpoints/{endpoint_id}
  scope_types:
    - system
    - project

- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The endpoint API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:list_endpoints
  description: List endpoints.
  name: identity:list_endpoints
  operations:
    - method: GET
      path: /v3/endpoints
  scope_types:
    - system
    - project

- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The endpoint API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:create_endpoint
  description: Create endpoint.
  name: identity:create_endpoint
  operations:
    - method: POST
      path: /v3/endpoints
  scope_types:
    - system
    - project

- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The endpoint API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:update_endpoint
  description: Update endpoint.
  name: identity:update_endpoint
  operations:
    - method: PATCH
      path: /v3/endpoints/{endpoint_id}
  scope_types:
    - system
    - project

- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The endpoint API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:delete_endpoint
  description: Delete endpoint.
  name: identity:delete_endpoint
  operations:
    - method: DELETE
      path: /v3/endpoints/{endpoint_id}
  scope_types:
    - system
    - project

# --- Endpoint groups (OS-EP-FILTER) ---

- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The endpoint groups API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:create_endpoint_group
  description: Create endpoint group.
  name: identity:create_endpoint_group
  operations:
    - method: POST
      path: /v3/OS-EP-FILTER/endpoint_groups
  scope_types:
    - system
    - project

- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The endpoint groups API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:list_endpoint_groups
  description: List endpoint groups.
  name: identity:list_endpoint_groups
  operations:
    - method: GET
      path: /v3/OS-EP-FILTER/endpoint_groups
  scope_types:
    - system
    - project

- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The endpoint groups API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:get_endpoint_group
  description: Get endpoint group.
  name: identity:get_endpoint_group
  operations:
    - method: GET
      path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
    - method: HEAD
      path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
  scope_types:
    - system
    - project

- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The endpoint groups API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:update_endpoint_group
  description: Update endpoint group.
  name: identity:update_endpoint_group
  operations:
    - method: PATCH
      path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
  scope_types:
    - system
    - project

- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The endpoint groups API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:delete_endpoint_group
  description: Delete endpoint group.
  name: identity:delete_endpoint_group
  operations:
    - method: DELETE
      path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
  scope_types:
    - system
    - project

- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The endpoint groups API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:list_projects_associated_with_endpoint_group
  description: List all projects associated with a specific endpoint group.
  name: identity:list_projects_associated_with_endpoint_group
  operations:
    - method: GET
      path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
  scope_types:
    - system
    - project

- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The endpoint groups API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:list_endpoints_associated_with_endpoint_group
  description: List all endpoints associated with an endpoint group.
  name: identity:list_endpoints_associated_with_endpoint_group
  operations:
    - method: GET
      path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
  scope_types:
    - system
    - project

- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The endpoint groups API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:get_endpoint_group_in_project
  description: Check if an endpoint group is associated with a project.
  name: identity:get_endpoint_group_in_project
  operations:
    - method: GET
      path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
    - method: HEAD
      path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
  scope_types:
    - system
    - project

- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The endpoint groups API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:list_endpoint_groups_for_project
  description: List endpoint groups associated with a specific project.
  name: identity:list_endpoint_groups_for_project
  operations:
    - method: GET
      path: /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups
  scope_types:
    - system
    - project

- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The endpoint groups API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:add_endpoint_group_to_project
  description: Allow a project to access an endpoint group.
  name: identity:add_endpoint_group_to_project
  operations:
    - method: PUT
      path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
  scope_types:
    - system
    - project

- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The endpoint groups API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:remove_endpoint_group_from_project
  description: Remove endpoint group from project.
  name: identity:remove_endpoint_group_from_project
  operations:
    - method: DELETE
      path: /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
  scope_types:
    - system
    - project

# --- Role grants (projects/domains, OS-INHERIT) ---
# The domain-scoped alternatives require the actor's (user/group) domain and
# the target's domain to both equal the caller's domain_id. The trailing
# "(domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)"
# clause presumably restricts domain admins to roles in their own domain or
# roles with no domain; confirm against oslo.policy's GenericCheck semantics.

- check_str: >-
    (rule:admin_required) or ((role:reader and system_scope:all) or
    ((role:reader and domain_id:%(target.user.domain_id)s and
    domain_id:%(target.project.domain_id)s) or (role:reader and
    domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or
    (role:reader and domain_id:%(target.group.domain_id)s and
    domain_id:%(target.project.domain_id)s) or (role:reader and
    domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s))
    and (domain_id:%(target.role.domain_id)s or
    None:%(target.role.domain_id)s))
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The assignment API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:check_grant
  description: >-
    Check a role grant between a target and an actor. A target can be either
    a domain or a project. An actor can be either a user or a group. These
    terms also apply to the OS-INHERIT APIs, where grants on the target are
    inherited to all projects in the subtree, if applicable.
  name: identity:check_grant
  operations:
    - method: HEAD
      path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
    - method: GET
      path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
    - method: HEAD
      path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
    - method: GET
      path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
    - method: HEAD
      path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
    - method: GET
      path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
    - method: HEAD
      path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
    - method: GET
      path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
    - method: HEAD
      path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
    - method: GET
      path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
    - method: HEAD
      path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
    - method: GET
      path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
    - method: HEAD
      path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
    - method: GET
      path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
    - method: HEAD
      path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
    - method: GET
      path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
  scope_types:
    - system
    - domain
    - project

# Unlike check_grant, listing has no role-domain clause.
- check_str: >-
    (rule:admin_required) or ((role:reader and system_scope:all) or
    (role:reader and domain_id:%(target.user.domain_id)s and
    domain_id:%(target.project.domain_id)s) or (role:reader and
    domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or
    (role:reader and domain_id:%(target.group.domain_id)s and
    domain_id:%(target.project.domain_id)s) or (role:reader and
    domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s))
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The assignment API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:list_grants
  description: >-
    List roles granted to an actor on a target. A target can be either a
    domain or a project. An actor can be either a user or a group. For the
    OS-INHERIT APIs, it is possible to list inherited role grants for actors
    on domains, where grants are inherited to all projects in the specified
    domain.
  name: identity:list_grants
  operations:
    - method: GET
      path: /v3/projects/{project_id}/users/{user_id}/roles
    - method: HEAD
      path: /v3/projects/{project_id}/users/{user_id}/roles
    - method: GET
      path: /v3/projects/{project_id}/groups/{group_id}/roles
    - method: HEAD
      path: /v3/projects/{project_id}/groups/{group_id}/roles
    - method: GET
      path: /v3/domains/{domain_id}/users/{user_id}/roles
    - method: HEAD
      path: /v3/domains/{domain_id}/users/{user_id}/roles
    - method: GET
      path: /v3/domains/{domain_id}/groups/{group_id}/roles
    - method: HEAD
      path: /v3/domains/{domain_id}/groups/{group_id}/roles
    - method: GET
      path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
    - method: GET
      path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
  scope_types:
    - system
    - domain
    - project

# Write operations use role:admin in the domain clauses (reads use role:reader).
- check_str: >-
    (rule:admin_required) or ((role:admin and
    domain_id:%(target.user.domain_id)s and
    domain_id:%(target.project.domain_id)s) or (role:admin and
    domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or
    (role:admin and domain_id:%(target.group.domain_id)s and
    domain_id:%(target.project.domain_id)s) or (role:admin and
    domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s))
    and (domain_id:%(target.role.domain_id)s or
    None:%(target.role.domain_id)s)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The assignment API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:create_grant
  description: >-
    Create a role grant between a target and an actor. A target can be either
    a domain or a project. An actor can be either a user or a group. These
    terms also apply to the OS-INHERIT APIs, where grants on the target are
    inherited to all projects in the subtree, if applicable.
  name: identity:create_grant
  operations:
    - method: PUT
      path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
    - method: PUT
      path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
    - method: PUT
      path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
    - method: PUT
      path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
    - method: PUT
      path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
    - method: PUT
      path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
    - method: PUT
      path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
    - method: PUT
      path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
  scope_types:
    - system
    - domain
    - project

- check_str: >-
    (rule:admin_required) or ((role:admin and
    domain_id:%(target.user.domain_id)s and
    domain_id:%(target.project.domain_id)s) or (role:admin and
    domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or
    (role:admin and domain_id:%(target.group.domain_id)s and
    domain_id:%(target.project.domain_id)s) or (role:admin and
    domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s))
    and (domain_id:%(target.role.domain_id)s or
    None:%(target.role.domain_id)s)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The assignment API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:revoke_grant
  description: >-
    Revoke a role grant between a target and an actor. A target can be either
    a domain or a project. An actor can be either a user or a group. These
    terms also apply to the OS-INHERIT APIs, where grants on the target are
    inherited to all projects in the subtree, if applicable. In that case,
    revoking the role grant in the target would remove the logical effect of
    inheriting it to the target's projects subtree.
  name: identity:revoke_grant
  operations:
    - method: DELETE
      path: /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
    - method: DELETE
      path: /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
    - method: DELETE
      path: /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
    - method: DELETE
      path: /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
    - method: DELETE
      path: /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
    - method: DELETE
      path: /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
    - method: DELETE
      path: /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
    - method: DELETE
      path: /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
  scope_types:
    - system
    - domain
    - project

# --- System role grants ---
# Note: method is a list in these entries, not a string as elsewhere.

- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The assignment API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:list_system_grants_for_user
  description: List all grants a specific user has on the system.
  name: identity:list_system_grants_for_user
  operations:
    - method:
        - HEAD
        - GET
      path: /v3/system/users/{user_id}/roles
  scope_types:
    - system
    - project

- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The assignment API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:check_system_grant_for_user
  description: Check if a user has a role on the system.
  name: identity:check_system_grant_for_user
  operations:
    - method:
        - HEAD
        - GET
      path: /v3/system/users/{user_id}/roles/{role_id}
  scope_types:
    - system
    - project

- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The assignment API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:create_system_grant_for_user
  description: Grant a user a role on the system.
  name: identity:create_system_grant_for_user
  operations:
    - method:
        - PUT
      path: /v3/system/users/{user_id}/roles/{role_id}
  scope_types:
    - system
    - project

- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The assignment API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:revoke_system_grant_for_user
  description: Remove a role from a user on the system.
  name: identity:revoke_system_grant_for_user
  operations:
    - method:
        - DELETE
      path: /v3/system/users/{user_id}/roles/{role_id}
  scope_types:
    - system
    - project

# NOTE(review): this entry continues beyond the reviewed excerpt; its name,
# operations and scope_types keys are not shown here.
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The assignment API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:list_system_grants_for_group
  description: List all grants a specific group has on the system.
name: identity:list_system_grants_for_group operations: - method: - HEAD - GET path: /v3/system/groups/{group_id}/roles scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_rule: check_str: rule:admin_required deprecated_reason: The assignment API is now aware of system scope and default roles. deprecated_since: S name: identity:check_system_grant_for_group description: Check if a group has a role on the system. name: identity:check_system_grant_for_group operations: - method: - HEAD - GET path: /v3/system/groups/{group_id}/roles/{role_id} scope_types: - system - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The assignment API is now aware of system scope and default roles. deprecated_since: S name: identity:create_system_grant_for_group description: Grant a group a role on the system. name: identity:create_system_grant_for_group operations: - method: - PUT path: /v3/system/groups/{group_id}/roles/{role_id} scope_types: - system - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The assignment API is now aware of system scope and default roles. deprecated_since: S name: identity:revoke_system_grant_for_group description: Remove a role from a group on the system. name: identity:revoke_system_grant_for_group operations: - method: - DELETE path: /v3/system/groups/{group_id}/roles/{role_id} scope_types: - system - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s) deprecated_rule: check_str: rule:admin_required deprecated_reason: The group API is now aware of system scope and default roles. deprecated_since: S name: identity:get_group description: Show group details. 
name: identity:get_group operations: - method: GET path: /v3/groups/{group_id} - method: HEAD path: /v3/groups/{group_id} scope_types: - system - domain - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s) deprecated_rule: check_str: rule:admin_required deprecated_reason: The group API is now aware of system scope and default roles. deprecated_since: S name: identity:list_groups description: List groups. name: identity:list_groups operations: - method: GET path: /v3/groups - method: HEAD path: /v3/groups scope_types: - system - domain - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: The group API is now aware of system scope and default roles. deprecated_since: S name: identity:list_groups_for_user description: List groups to which a user belongs. name: identity:list_groups_for_user operations: - method: GET path: /v3/users/{user_id}/groups - method: HEAD path: /v3/users/{user_id}/groups scope_types: - system - domain - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The group API is now aware of system scope and default roles. deprecated_since: S name: identity:create_group description: Create group. name: identity:create_group operations: - method: POST path: /v3/groups scope_types: - system - domain - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The group API is now aware of system scope and default roles. deprecated_since: S name: identity:update_group description: Update group. 
name: identity:update_group operations: - method: PATCH path: /v3/groups/{group_id} scope_types: - system - domain - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The group API is now aware of system scope and default roles. deprecated_since: S name: identity:delete_group description: Delete group. name: identity:delete_group operations: - method: DELETE path: /v3/groups/{group_id} scope_types: - system - domain - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s) deprecated_rule: check_str: rule:admin_required deprecated_reason: The group API is now aware of system scope and default roles. deprecated_since: S name: identity:list_users_in_group description: List members of a specific group. name: identity:list_users_in_group operations: - method: GET path: /v3/groups/{group_id}/users - method: HEAD path: /v3/groups/{group_id}/users scope_types: - system - domain - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The group API is now aware of system scope and default roles. deprecated_since: S name: identity:remove_user_from_group description: Remove user from group. name: identity:remove_user_from_group operations: - method: DELETE path: /v3/groups/{group_id}/users/{user_id} scope_types: - system - domain - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s) deprecated_rule: check_str: rule:admin_required deprecated_reason: The group API is now aware of system scope and default roles. deprecated_since: S name: identity:check_user_in_group description: Check whether a user is a member of a group. 
name: identity:check_user_in_group operations: - method: HEAD path: /v3/groups/{group_id}/users/{user_id} - method: GET path: /v3/groups/{group_id}/users/{user_id} scope_types: - system - domain - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The group API is now aware of system scope and default roles. deprecated_since: S name: identity:add_user_to_group description: Add user to group. name: identity:add_user_to_group operations: - method: PUT path: /v3/groups/{group_id}/users/{user_id} scope_types: - system - domain - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The identity provider API is now aware of system scope and default roles. deprecated_since: S name: identity:create_identity_provider description: Create identity provider. name: identity:create_identity_provider operations: - method: PUT path: /v3/OS-FEDERATION/identity_providers/{idp_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_rule: check_str: rule:admin_required deprecated_reason: The identity provider API is now aware of system scope and default roles. deprecated_since: S name: identity:list_identity_providers description: List identity providers. name: identity:list_identity_providers operations: - method: GET path: /v3/OS-FEDERATION/identity_providers - method: HEAD path: /v3/OS-FEDERATION/identity_providers scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_rule: check_str: rule:admin_required deprecated_reason: The identity provider API is now aware of system scope and default roles. deprecated_since: S name: identity:get_identity_provider description: Get identity provider. 
name: identity:get_identity_provider operations: - method: GET path: /v3/OS-FEDERATION/identity_providers/{idp_id} - method: HEAD path: /v3/OS-FEDERATION/identity_providers/{idp_id} scope_types: - system - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The identity provider API is now aware of system scope and default roles. deprecated_since: S name: identity:update_identity_provider description: Update identity provider. name: identity:update_identity_provider operations: - method: PATCH path: /v3/OS-FEDERATION/identity_providers/{idp_id} scope_types: - system - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The identity provider API is now aware of system scope and default roles. deprecated_since: S name: identity:delete_identity_provider description: Delete identity provider. name: identity:delete_identity_provider operations: - method: DELETE path: /v3/OS-FEDERATION/identity_providers/{idp_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_rule: check_str: rule:admin_required deprecated_reason: The implied role API is now aware of system scope and default roles. deprecated_since: T name: identity:get_implied_role description: Get information about an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. name: identity:get_implied_role operations: - method: GET path: /v3/roles/{prior_role_id}/implies/{implied_role_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_rule: check_str: rule:admin_required deprecated_reason: The implied role API is now aware of system scope and default roles. 
deprecated_since: T name: identity:list_implied_roles description: List associations between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. This will return all the implied roles that would be assumed by the user who gets the specified prior role. name: identity:list_implied_roles operations: - method: GET path: /v3/roles/{prior_role_id}/implies - method: HEAD path: /v3/roles/{prior_role_id}/implies scope_types: - system - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The implied role API is now aware of system scope and default roles. deprecated_since: T name: identity:create_implied_role description: Create an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. name: identity:create_implied_role operations: - method: PUT path: /v3/roles/{prior_role_id}/implies/{implied_role_id} scope_types: - system - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The implied role API is now aware of system scope and default roles. deprecated_since: T name: identity:delete_implied_role description: Delete the association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. Removing the association will cause that effect to be eliminated. name: identity:delete_implied_role operations: - method: DELETE path: /v3/roles/{prior_role_id}/implies/{implied_role_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_rule: check_str: rule:admin_required deprecated_reason: The implied role API is now aware of system scope and default roles. 
deprecated_since: T name: identity:list_role_inference_rules description: List all associations between two roles in the system. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. name: identity:list_role_inference_rules operations: - method: GET path: /v3/role_inferences - method: HEAD path: /v3/role_inferences scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_rule: check_str: rule:admin_required deprecated_reason: The implied role API is now aware of system scope and default roles. deprecated_since: T name: identity:check_implied_role description: Check an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. name: identity:check_implied_role operations: - method: HEAD path: /v3/roles/{prior_role_id}/implies/{implied_role_id} scope_types: - system - project - check_str: '' description: Get limit enforcement model. name: identity:get_limit_model operations: - method: GET path: /v3/limits/model - method: HEAD path: /v3/limits/model scope_types: - system - domain - project - check_str: rule:admin_required or (role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s) description: Show limit details. name: identity:get_limit operations: - method: GET path: /v3/limits/{limit_id} - method: HEAD path: /v3/limits/{limit_id} scope_types: - system - domain - project - check_str: '' description: List limits. name: identity:list_limits operations: - method: GET path: /v3/limits - method: HEAD path: /v3/limits scope_types: - system - domain - project - check_str: rule:admin_required description: Create limits. 
name: identity:create_limits operations: - method: POST path: /v3/limits scope_types: - system - project - check_str: rule:admin_required description: Update limit. name: identity:update_limit operations: - method: PATCH path: /v3/limits/{limit_id} scope_types: - system - project - check_str: rule:admin_required description: Delete limit. name: identity:delete_limit operations: - method: DELETE path: /v3/limits/{limit_id} scope_types: - system - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The federated mapping API is now aware of system scope and default roles. deprecated_since: S name: identity:create_mapping description: Create a new federated mapping containing one or more sets of rules. name: identity:create_mapping operations: - method: PUT path: /v3/OS-FEDERATION/mappings/{mapping_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_rule: check_str: rule:admin_required deprecated_reason: The federated mapping API is now aware of system scope and default roles. deprecated_since: S name: identity:get_mapping description: Get a federated mapping. name: identity:get_mapping operations: - method: GET path: /v3/OS-FEDERATION/mappings/{mapping_id} - method: HEAD path: /v3/OS-FEDERATION/mappings/{mapping_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_rule: check_str: rule:admin_required deprecated_reason: The federated mapping API is now aware of system scope and default roles. deprecated_since: S name: identity:list_mappings description: List federated mappings. 
name: identity:list_mappings operations: - method: GET path: /v3/OS-FEDERATION/mappings - method: HEAD path: /v3/OS-FEDERATION/mappings scope_types: - system - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The federated mapping API is now aware of system scope and default roles. deprecated_since: S name: identity:delete_mapping description: Delete a federated mapping. name: identity:delete_mapping operations: - method: DELETE path: /v3/OS-FEDERATION/mappings/{mapping_id} scope_types: - system - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The federated mapping API is now aware of system scope and default roles. deprecated_since: S name: identity:update_mapping description: Update a federated mapping. name: identity:update_mapping operations: - method: PATCH path: /v3/OS-FEDERATION/mappings/{mapping_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_rule: check_str: rule:admin_required deprecated_reason: The policy API is now aware of system scope and default roles. deprecated_since: T name: identity:get_policy description: Show policy details. name: identity:get_policy operations: - method: GET path: /v3/policies/{policy_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_rule: check_str: rule:admin_required deprecated_reason: The policy API is now aware of system scope and default roles. deprecated_since: T name: identity:list_policies description: List policies. name: identity:list_policies operations: - method: GET path: /v3/policies scope_types: - system - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The policy API is now aware of system scope and default roles. deprecated_since: T name: identity:create_policy description: Create policy. 
name: identity:create_policy operations: - method: POST path: /v3/policies scope_types: - system - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The policy API is now aware of system scope and default roles. deprecated_since: T name: identity:update_policy description: Update policy. name: identity:update_policy operations: - method: PATCH path: /v3/policies/{policy_id} scope_types: - system - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The policy API is now aware of system scope and default roles. deprecated_since: T name: identity:delete_policy description: Delete policy. name: identity:delete_policy operations: - method: DELETE path: /v3/policies/{policy_id} scope_types: - system - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The policy association API is now aware of system scope and default roles. deprecated_since: T name: identity:create_policy_association_for_endpoint description: Associate a policy to a specific endpoint. name: identity:create_policy_association_for_endpoint operations: - method: PUT path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_rule: check_str: rule:admin_required deprecated_reason: The policy association API is now aware of system scope and default roles. deprecated_since: T name: identity:check_policy_association_for_endpoint description: Check policy association for endpoint. 
name: identity:check_policy_association_for_endpoint operations: - method: GET path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} - method: HEAD path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} scope_types: - system - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The policy association API is now aware of system scope and default roles. deprecated_since: T name: identity:delete_policy_association_for_endpoint description: Delete policy association for endpoint. name: identity:delete_policy_association_for_endpoint operations: - method: DELETE path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} scope_types: - system - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The policy association API is now aware of system scope and default roles. deprecated_since: T name: identity:create_policy_association_for_service description: Associate a policy to a specific service. name: identity:create_policy_association_for_service operations: - method: PUT path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_rule: check_str: rule:admin_required deprecated_reason: The policy association API is now aware of system scope and default roles. deprecated_since: T name: identity:check_policy_association_for_service description: Check policy association for service. 
name: identity:check_policy_association_for_service operations: - method: GET path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} - method: HEAD path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} scope_types: - system - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The policy association API is now aware of system scope and default roles. deprecated_since: T name: identity:delete_policy_association_for_service description: Delete policy association for service. name: identity:delete_policy_association_for_service operations: - method: DELETE path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} scope_types: - system - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The policy association API is now aware of system scope and default roles. deprecated_since: T name: identity:create_policy_association_for_region_and_service description: Associate a policy to a specific region and service combination. name: identity:create_policy_association_for_region_and_service operations: - method: PUT path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_rule: check_str: rule:admin_required deprecated_reason: The policy association API is now aware of system scope and default roles. deprecated_since: T name: identity:check_policy_association_for_region_and_service description: Check policy association for region and service. 
name: identity:check_policy_association_for_region_and_service operations: - method: GET path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} - method: HEAD path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} scope_types: - system - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The policy association API is now aware of system scope and default roles. deprecated_since: T name: identity:delete_policy_association_for_region_and_service description: Delete policy association for region and service. name: identity:delete_policy_association_for_region_and_service operations: - method: DELETE path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_rule: check_str: rule:admin_required deprecated_reason: The policy association API is now aware of system scope and default roles. deprecated_since: T name: identity:get_policy_for_endpoint description: Get policy for endpoint. name: identity:get_policy_for_endpoint operations: - method: GET path: /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy - method: HEAD path: /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy scope_types: - system - project - check_str: rule:admin_required or (role:reader and system_scope:all) deprecated_rule: check_str: rule:admin_required deprecated_reason: The policy association API is now aware of system scope and default roles. deprecated_since: T name: identity:list_endpoints_for_policy description: List endpoints for policy. 
name: identity:list_endpoints_for_policy operations: - method: GET path: /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints scope_types: - system - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s deprecated_rule: check_str: rule:admin_required or project_id:%(target.project.id)s deprecated_reason: The project API is now aware of system scope and default roles. deprecated_since: S name: identity:get_project description: Show project details. name: identity:get_project operations: - method: GET path: /v3/projects/{project_id} scope_types: - system - domain - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s) deprecated_rule: check_str: rule:admin_required deprecated_reason: The project API is now aware of system scope and default roles. deprecated_since: S name: identity:list_projects description: List projects. name: identity:list_projects operations: - method: GET path: /v3/projects scope_types: - system - domain - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s deprecated_rule: check_str: rule:admin_or_owner deprecated_reason: The project API is now aware of system scope and default roles. deprecated_since: S name: identity:list_user_projects description: List projects for user. name: identity:list_user_projects operations: - method: GET path: /v3/users/{user_id}/projects scope_types: - system - domain - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The project API is now aware of system scope and default roles. deprecated_since: S name: identity:create_project description: Create project. 
name: identity:create_project operations: - method: POST path: /v3/projects scope_types: - system - domain - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The project API is now aware of system scope and default roles. deprecated_since: S name: identity:update_project description: Update project. name: identity:update_project operations: - method: PATCH path: /v3/projects/{project_id} scope_types: - system - domain - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The project API is now aware of system scope and default roles. deprecated_since: S name: identity:delete_project description: Delete project. name: identity:delete_project operations: - method: DELETE path: /v3/projects/{project_id} scope_types: - system - domain - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s deprecated_rule: check_str: rule:admin_required or project_id:%(target.project.id)s deprecated_reason: The project API is now aware of system scope and default roles. deprecated_since: T name: identity:list_project_tags description: List tags for a project. name: identity:list_project_tags operations: - method: GET path: /v3/projects/{project_id}/tags - method: HEAD path: /v3/projects/{project_id}/tags scope_types: - system - domain - project - check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s deprecated_rule: check_str: rule:admin_required or project_id:%(target.project.id)s deprecated_reason: The project API is now aware of system scope and default roles. deprecated_since: T name: identity:get_project_tag description: Check if project contains a tag. 
name: identity:get_project_tag operations: - method: GET path: /v3/projects/{project_id}/tags/{value} - method: HEAD path: /v3/projects/{project_id}/tags/{value} scope_types: - system - domain - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The project API is now aware of system scope and default roles. deprecated_since: T name: identity:update_project_tags description: Replace all tags on a project with the new set of tags. name: identity:update_project_tags operations: - method: PUT path: /v3/projects/{project_id}/tags scope_types: - system - domain - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The project API is now aware of system scope and default roles. deprecated_since: T name: identity:create_project_tag description: Add a single tag to a project. name: identity:create_project_tag operations: - method: PUT path: /v3/projects/{project_id}/tags/{value} scope_types: - system - domain - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The project API is now aware of system scope and default roles. deprecated_since: T name: identity:delete_project_tags description: Remove all tags from a project. name: identity:delete_project_tags operations: - method: DELETE path: /v3/projects/{project_id}/tags scope_types: - system - domain - project - check_str: rule:admin_required deprecated_rule: check_str: rule:admin_required deprecated_reason: The project API is now aware of system scope and default roles. deprecated_since: T name: identity:delete_project_tag description: Delete a specified tag from project. 
# identity:delete_project_tag continues from the previous chunk (check_str is
# rule:admin_required there); only the tail of that entry is here.
  name: identity:delete_project_tag
  operations:
    - method: DELETE
      path: /v3/projects/{project_id}/tags/{value}
  scope_types:
    - system
    - domain
    - project
# OS-EP-FILTER (endpoint filtering): reads admit system-scoped readers in
# addition to admins; changing which projects may reach an endpoint stays
# admin_required. scope_types here are system/project only -- no domain scope.
# The deprecated_reason below is a verbatim multi-sentence string with leading
# and trailing spaces; keep it quoted exactly.
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: ' As of the Train release, the project endpoint API now understands default roles and system-scoped tokens, making the API more granular by default without compromising security. The new policy defaults account for these changes automatically. Be sure to take these new defaults into consideration if you are relying on overrides in your deployment for the project endpoint API. '
    deprecated_since: T
    name: identity:list_projects_for_endpoint
  description: List projects allowed to access an endpoint.
  name: identity:list_projects_for_endpoint
  operations:
    - method: GET
      path: /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: ' As of the Train release, the project endpoint API now understands default roles and system-scoped tokens, making the API more granular by default without compromising security. The new policy defaults account for these changes automatically. Be sure to take these new defaults into consideration if you are relying on overrides in your deployment for the project endpoint API. '
    deprecated_since: T
    name: identity:add_endpoint_to_project
  description: Allow project to access an endpoint.
  name: identity:add_endpoint_to_project
  operations:
    - method: PUT
      path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: ' As of the Train release, the project endpoint API now understands default roles and system-scoped tokens, making the API more granular by default without compromising security. The new policy defaults account for these changes automatically. Be sure to take these new defaults into consideration if you are relying on overrides in your deployment for the project endpoint API. '
    deprecated_since: T
    name: identity:check_endpoint_in_project
  description: Check if a project is allowed to access an endpoint.
  name: identity:check_endpoint_in_project
  operations:
    - method: GET
      path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
    - method: HEAD
      path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: ' As of the Train release, the project endpoint API now understands default roles and system-scoped tokens, making the API more granular by default without compromising security. The new policy defaults account for these changes automatically. Be sure to take these new defaults into consideration if you are relying on overrides in your deployment for the project endpoint API. '
    deprecated_since: T
    name: identity:list_endpoints_for_project
  description: List the endpoints a project is allowed to access.
  name: identity:list_endpoints_for_project
  operations:
    - method: GET
      path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: ' As of the Train release, the project endpoint API now understands default roles and system-scoped tokens, making the API more granular by default without compromising security. The new policy defaults account for these changes automatically. Be sure to take these new defaults into consideration if you are relying on overrides in your deployment for the project endpoint API. '
    deprecated_since: T
    name: identity:remove_endpoint_from_project
  description: Remove access to an endpoint from a project that has previously been given explicit access.
  name: identity:remove_endpoint_from_project
  operations:
    - method: DELETE
      path: /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
  scope_types:
    - system
    - project
# OS-FEDERATION protocols define how external (federated) identities are mapped
# into keystone. Creating or changing one is admin_required; the deprecated
# rule is the same string, so only scope_types changed (system/project).
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The federated protocol API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:create_protocol
  description: Create federated protocol.
  name: identity:create_protocol
  operations:
    - method: PUT
      path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
  scope_types:
    - system
    - project
# identity:update_protocol continues in the next chunk (operations and
# scope_types follow).
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The federated protocol API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:update_protocol
  description: Update federated protocol.
# identity:update_protocol continues from the previous chunk (check_str is
# rule:admin_required there); only the tail of that entry is here.
  name: identity:update_protocol
  operations:
    - method: PATCH
      path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
  scope_types:
    - system
    - project
# Protocol reads: admin or system-scoped reader. Delete is admin_required.
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The federated protocol API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:get_protocol
  description: Get federated protocol.
  name: identity:get_protocol
  operations:
    - method: GET
      path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The federated protocol API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:list_protocols
  description: List federated protocols.
  name: identity:list_protocols
  operations:
    - method: GET
      path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The federated protocol API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:delete_protocol
  description: Delete federated protocol.
  name: identity:delete_protocol
  operations:
    - method: DELETE
      path: /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
  scope_types:
    - system
    - project
# NOTE(security): empty check_str. oslo.policy treats an empty rule as always
# passing, so any valid token whose scope is in scope_types (system, domain or
# project -- i.e. effectively any scoped token) can read region data. There is
# no deprecated_rule, so this was already open before the default-role work.
# Override in your policy file if region metadata is considered sensitive.
- check_str: ''
  description: Show region details.
  name: identity:get_region
  operations:
    - method: GET
      path: /v3/regions/{region_id}
    - method: HEAD
      path: /v3/regions/{region_id}
  scope_types:
    - system
    - domain
    - project
- check_str: ''
  description: List regions.
  name: identity:list_regions
  operations:
    - method: GET
      path: /v3/regions
    - method: HEAD
      path: /v3/regions
  scope_types:
    - system
    - domain
    - project
# Region writes are admin_required and accept only system/project scope (domain
# scope is allowed for the reads above but not here).
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The region API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:create_region
  description: Create region.
  name: identity:create_region
  operations:
    - method: POST
      path: /v3/regions
    - method: PUT
      path: /v3/regions/{region_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The region API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:update_region
  description: Update region.
  name: identity:update_region
  operations:
    - method: PATCH
      path: /v3/regions/{region_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The region API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:delete_region
  description: Delete region.
  name: identity:delete_region
  operations:
    - method: DELETE
      path: /v3/regions/{region_id}
  scope_types:
    - system
    - project
# NOTE(security): registered-limit reads are also an empty rule -- any scoped
# token can read them. Writes below are admin_required (system/project only).
- check_str: ''
  description: Show registered limit details.
  name: identity:get_registered_limit
  operations:
    - method: GET
      path: /v3/registered_limits/{registered_limit_id}
    - method: HEAD
      path: /v3/registered_limits/{registered_limit_id}
  scope_types:
    - system
    - domain
    - project
- check_str: ''
  description: List registered limits.
  name: identity:list_registered_limits
  operations:
    - method: GET
      path: /v3/registered_limits
    - method: HEAD
      path: /v3/registered_limits
  scope_types:
    - system
    - domain
    - project
- check_str: rule:admin_required
  description: Create registered limits.
  name: identity:create_registered_limits
  operations:
    - method: POST
      path: /v3/registered_limits
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  description: Update registered limit.
  name: identity:update_registered_limit
  operations:
    - method: PATCH
      path: /v3/registered_limits/{registered_limit_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  description: Delete registered limit.
  name: identity:delete_registered_limit
  operations:
    - method: DELETE
      path: /v3/registered_limits/{registered_limit_id}
  scope_types:
    - system
    - project
# Revocation events are readable by service accounts (role:service, via
# rule:service_or_admin) or admins. Neither leg carries a system_scope
# condition, so a project-scoped admin or service token qualifies. This rule
# has no deprecated_rule / new-default counterpart.
- check_str: rule:service_or_admin
  description: List revocation events.
  name: identity:list_revoke_events
  operations:
    - method: GET
      path: /v3/OS-REVOKE/events
  scope_types:
    - system
    - project
# Role definitions: reads admit system-scoped readers; create/update/delete
# (next chunk) are admin_required.
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The role API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:get_role
  description: Show role details.
  name: identity:get_role
  operations:
    - method: GET
      path: /v3/roles/{role_id}
    - method: HEAD
      path: /v3/roles/{role_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The role API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:list_roles
  description: List roles.
  name: identity:list_roles
  operations:
    - method: GET
      path: /v3/roles
    - method: HEAD
      path: /v3/roles
  scope_types:
    - system
    - project
# identity:create_role continues in the next chunk (operations and scope_types
# follow).
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The role API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:create_role
  description: Create role.
# identity:create_role continues from the previous chunk (check_str is
# rule:admin_required there); only the tail of that entry is here.
  name: identity:create_role
  operations:
    - method: POST
      path: /v3/roles
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The role API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:update_role
  description: Update role.
  name: identity:update_role
  operations:
    - method: PATCH
      path: /v3/roles/{role_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The role API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:delete_role
  description: Delete role.
  name: identity:delete_role
  operations:
    - method: DELETE
      path: /v3/roles/{role_id}
  scope_types:
    - system
    - project
# Domain-specific roles share the /v3/roles paths with the global role rules
# above; presumably keystone picks the *_domain_role rule when the role carries
# a domain_id -- that selection is not visible in this file, confirm in the
# role API before relying on an override of one but not the other. The checks
# are the same as for global roles (reader at system scope may read, writes
# admin_required) but deprecated_since is T rather than S.
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The role API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:get_domain_role
  description: Show domain role.
  name: identity:get_domain_role
  operations:
    - method: GET
      path: /v3/roles/{role_id}
    - method: HEAD
      path: /v3/roles/{role_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The role API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:list_domain_roles
  description: List domain roles.
  name: identity:list_domain_roles
  operations:
    - method: GET
      path: /v3/roles?domain_id={domain_id}
    - method: HEAD
      path: /v3/roles?domain_id={domain_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The role API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:create_domain_role
  description: Create domain role.
  name: identity:create_domain_role
  operations:
    - method: POST
      path: /v3/roles
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The role API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:update_domain_role
  description: Update domain role.
  name: identity:update_domain_role
  operations:
    - method: PATCH
      path: /v3/roles/{role_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The role API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:delete_domain_role
  description: Delete domain role.
  name: identity:delete_domain_role
  operations:
    - method: DELETE
      path: /v3/roles/{role_id}
  scope_types:
    - system
    - project
# Role-assignment listing: admins and system-scoped readers see everything;
# a domain reader is confined to assignments whose target domain_id matches
# the domain_id in their own credentials. The old default was admin-only.
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The assignment API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:list_role_assignments
  description: List role assignments.
  name: identity:list_role_assignments
  operations:
    - method: GET
      path: /v3/role_assignments
    - method: HEAD
      path: /v3/role_assignments
  scope_types:
    - system
    - domain
    - project
# Same check for the include_subtree form (walks a project hierarchy).
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The assignment API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:list_role_assignments_for_tree
  description: List all role assignments for a given tree of hierarchical projects.
  name: identity:list_role_assignments_for_tree
  operations:
    - method: GET
      path: /v3/role_assignments?include_subtree
    - method: HEAD
      path: /v3/role_assignments?include_subtree
  scope_types:
    - system
    - domain
    - project
# Catalog service entries: reads admit system-scoped readers, writes are
# admin_required; system/project scope only.
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The service API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:get_service
  description: Show service details.
  name: identity:get_service
  operations:
    - method: GET
      path: /v3/services/{service_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The service API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:list_services
  description: List services.
  name: identity:list_services
  operations:
    - method: GET
      path: /v3/services
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The service API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:create_service
  description: Create service.
  name: identity:create_service
  operations:
    - method: POST
      path: /v3/services
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The service API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:update_service
  description: Update service.
  name: identity:update_service
  operations:
    - method: PATCH
      path: /v3/services/{service_id}
  scope_types:
    - system
    - project
# identity:delete_service continues in the next chunk (operations and
# scope_types follow).
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The service API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:delete_service
  description: Delete service.
# identity:delete_service continues from the previous chunk (check_str is
# rule:admin_required there); only the tail of that entry is here.
  name: identity:delete_service
  operations:
    - method: DELETE
      path: /v3/services/{service_id}
  scope_types:
    - system
    - project
# OS-FEDERATION service providers (the remote side of keystone-to-keystone
# federation). Registering or changing one is admin_required; reads admit
# system-scoped readers. system/project scope only.
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The service provider API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:create_service_provider
  description: Create federated service provider.
  name: identity:create_service_provider
  operations:
    - method: PUT
      path: /v3/OS-FEDERATION/service_providers/{service_provider_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The service provider API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:list_service_providers
  description: List federated service providers.
  name: identity:list_service_providers
  operations:
    - method: GET
      path: /v3/OS-FEDERATION/service_providers
    - method: HEAD
      path: /v3/OS-FEDERATION/service_providers
  scope_types:
    - system
    - project
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The service provider API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:get_service_provider
  description: Get federated service provider.
  name: identity:get_service_provider
  operations:
    - method: GET
      path: /v3/OS-FEDERATION/service_providers/{service_provider_id}
    - method: HEAD
      path: /v3/OS-FEDERATION/service_providers/{service_provider_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The service provider API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:update_service_provider
  description: Update federated service provider.
  name: identity:update_service_provider
  operations:
    - method: PATCH
      path: /v3/OS-FEDERATION/service_providers/{service_provider_id}
  scope_types:
    - system
    - project
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The service provider API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:delete_service_provider
  description: Delete federated service provider.
  name: identity:delete_service_provider
  operations:
    - method: DELETE
      path: /v3/OS-FEDERATION/service_providers/{service_provider_id}
  scope_types:
    - system
    - project
# deprecated_for_removal: per the deprecated_reason this rule no longer guards
# any API (the PKI revocation-list endpoint returns 410/403 regardless), so an
# override of identity:revocation_list in a deployment policy file has no
# effect and can be dropped. The reason string contains an escaped quote
# ('' -> ') and leading/trailing spaces; keep it quoted exactly.
- check_str: rule:service_or_admin
  deprecated_for_removal: true
  deprecated_reason: ' The identity:revocation_list policy isn''t used to protect any APIs in keystone now that the revocation list API has been deprecated and only returns a 410 or 403 depending on how keystone is configured. This policy can be safely removed from policy files. '
  deprecated_since: T
  description: List revoked PKI tokens.
  name: identity:revocation_list
  operations:
    - method: GET
      path: /v3/auth/tokens/OS-PKI/revoked
  scope_types:
    - system
    - project
# Token introspection. rule:token_subject matches the caller's user_id against
# the user of the token being inspected, so any user may check their own
# tokens; inspecting someone else's requires role:reader at system scope. Under
# the new default a project-scoped admin is no longer sufficient on its own --
# it only still works through the deprecated rule (rule:admin_or_token_subject)
# while oslo.policy keeps OR'ing that in (enforce_new_defaults off).
- check_str: (role:reader and system_scope:all) or rule:token_subject
  deprecated_rule:
    check_str: rule:admin_or_token_subject
    deprecated_reason: The token API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:check_token
  description: Check a token.
  name: identity:check_token
  operations:
    - method: HEAD
      path: /v3/auth/tokens
  scope_types:
    - system
    - domain
    - project
# validate_token additionally admits rule:service_role (role:service) so that
# service accounts can validate arbitrary tokens for service-to-service
# authentication; that leg carries no scope condition. Continues in the next
# chunk (operations and scope_types follow).
- check_str: (role:reader and system_scope:all) or rule:service_role or rule:token_subject
  deprecated_rule:
    check_str: rule:service_admin_or_token_subject
    deprecated_reason: The token API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:validate_token
  description: Validate a token.
# identity:validate_token continues from the previous chunk (its check_str and
# deprecated_rule are above this point); only the tail of that entry is here.
  name: identity:validate_token
  operations:
    - method: GET
      path: /v3/auth/tokens
  scope_types:
    - system
    - domain
    - project
# Revocation is stricter than validation/check: role:admin (not reader) at
# system scope, or the token's own subject. No role:service leg. Domain scope
# is listed in scope_types, but a domain-scoped token only matches via
# rule:token_subject, i.e. when revoking its own token.
- check_str: (role:admin and system_scope:all) or rule:token_subject
  deprecated_rule:
    check_str: rule:admin_or_token_subject
    deprecated_reason: The token API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:revoke_token
  description: Revoke a token.
  name: identity:revoke_token
  operations:
    - method: DELETE
      path: /v3/auth/tokens
  scope_types:
    - system
    - domain
    - project
# Trust creation: the caller's user_id must equal the trust's trustor_user_id,
# so only the trustor can delegate, and there is no admin bypass. scope_types
# is project only -- with scope enforcement on, system- and domain-scoped
# tokens cannot create trusts. No deprecated_rule (unchanged by the
# default-role work).
- check_str: user_id:%(trust.trustor_user_id)s
  description: Create trust.
  name: identity:create_trust
  operations:
    - method: POST
      path: /v3/OS-TRUST/trusts
  scope_types:
    - project
# Unfiltered trust listing is admin or system-scoped reader only; the
# per-trustor / per-trustee filtered forms below open it to the user concerned.
- check_str: rule:admin_required or (role:reader and system_scope:all)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The trust API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:list_trusts
  description: List trusts.
  name: identity:list_trusts
  operations:
    - method: GET
      path: /v3/OS-TRUST/trusts
    - method: HEAD
      path: /v3/OS-TRUST/trusts
  scope_types:
    - system
    - project
# oslo.policy binds `and` tighter than `or`, so the second parenthesised group
# reads as (reader at system scope) OR (caller is the trustor) -- the outer
# parentheses do not change that. Net effect: admin, system reader, or the
# trustor themselves. No deprecated_rule on these two filtered listings.
- check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s)
  description: List trusts for trustor.
  name: identity:list_trusts_for_trustor
  operations:
    - method: GET
      path: /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}
    - method: HEAD
      path: /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}
  scope_types:
    - system
    - project
- check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s)
  description: List trusts for trustee.
  name: identity:list_trusts_for_trustee
  operations:
    - method: GET
      path: /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}
    - method: HEAD
      path: /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}
  scope_types:
    - system
    - project
# Reading the roles a trust delegates: admin, system reader, trustor or
# trustee. The deprecated rule was trustor-or-trustee only (no admin leg).
- check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)
  deprecated_rule:
    check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s
    deprecated_reason: The trust API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:list_roles_for_trust
  description: List roles delegated by a trust.
  name: identity:list_roles_for_trust
  operations:
    - method: GET
      path: /v3/OS-TRUST/trusts/{trust_id}/roles
    - method: HEAD
      path: /v3/OS-TRUST/trusts/{trust_id}/roles
  scope_types:
    - system
    - project
- check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)
  deprecated_rule:
    check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s
    deprecated_reason: The trust API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:get_role_for_trust
  description: Check if trust delegates a particular role.
  name: identity:get_role_for_trust
  operations:
    - method: GET
      path: /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
    - method: HEAD
      path: /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
  scope_types:
    - system
    - project
# Revoking a trust: only an admin or the trustor. The trustee has no delete
# path here (the deprecated rule was trustor-only, so the admin leg is new).
# Continues in the next chunk (operations and scope_types follow).
- check_str: rule:admin_required or user_id:%(target.trust.trustor_user_id)s
  deprecated_rule:
    check_str: user_id:%(target.trust.trustor_user_id)s
    deprecated_reason: The trust API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:delete_trust
  description: Revoke trust.
# identity:delete_trust continues from the previous chunk (check_str is
# rule:admin_required or the trustor there); only the tail of that entry is here.
  name: identity:delete_trust
  operations:
    - method: DELETE
      path: /v3/OS-TRUST/trusts/{trust_id}
  scope_types:
    - system
    - project
# Reading a single trust: admin, system reader, trustor or trustee (same shape
# as list_roles_for_trust).
- check_str: (rule:admin_required) or (role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s)
  deprecated_rule:
    check_str: user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s
    deprecated_reason: The trust API is now aware of system scope and default roles.
    deprecated_since: T
    name: identity:get_trust
  description: Get trust.
  name: identity:get_trust
  operations:
    - method: GET
      path: /v3/OS-TRUST/trusts/{trust_id}
    - method: HEAD
      path: /v3/OS-TRUST/trusts/{trust_id}
  scope_types:
    - system
    - project
# User read: admin, system reader, a reader in the user's own domain, or the
# user themselves (user_id match; the old rule was rule:admin_or_owner). The
# domain-reader leg compares the credential attribute token.domain.id here,
# whereas list_users below compares domain_id -- apparently two spellings of
# the same credential check; keep overrides of the two rules consistent.
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s
  deprecated_rule:
    check_str: rule:admin_or_owner
    deprecated_reason: The user API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:get_user
  description: Show user details.
  name: identity:get_user
  operations:
    - method: GET
      path: /v3/users/{user_id}
    - method: HEAD
      path: /v3/users/{user_id}
  scope_types:
    - system
    - domain
    - project
# User listing has no owner leg; domain readers are limited to their own
# domain via target.domain_id. Old default was admin-only.
- check_str: (rule:admin_required) or (role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The user API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:list_users
  description: List users.
  name: identity:list_users
  operations:
    - method: GET
      path: /v3/users
    - method: HEAD
      path: /v3/users
  scope_types:
    - system
    - domain
    - project
# NOTE(security): empty check_str AND scope_types null -- no role and no scope
# requirement at all, so any authenticated token may call these two. That is
# intended for "what can *I* access" discovery; presumably the handler limits
# the result to the calling user (not visible here -- confirm before relaxing
# anything else on the assumption that these are safe).
# NOTE: the path string below carries a stray leading space (' /v3/auth/projects').
# It is documentation metadata only (operations are not enforced), but it should
# read /v3/auth/projects like list_domains_for_user's path.
- check_str: ''
  description: List all projects a user has access to via role assignments.
  name: identity:list_projects_for_user
  operations:
    - method: GET
      path: ' /v3/auth/projects'
  scope_types: null
- check_str: ''
  description: List all domains a user has access to via role assignments.
  name: identity:list_domains_for_user
  operations:
    - method: GET
      path: /v3/auth/domains
  scope_types: null
# User lifecycle is admin_required only. There is no owner/self-service leg on
# update_user, so a user cannot PATCH their own record through this rule; the
# description notes it also covers administrative password resets. The
# deprecated rule is identical -- only scope_types changed.
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The user API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:create_user
  description: Create a user.
  name: identity:create_user
  operations:
    - method: POST
      path: /v3/users
  scope_types:
    - system
    - domain
    - project
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The user API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:update_user
  description: Update a user, including administrative password resets.
  name: identity:update_user
  operations:
    - method: PATCH
      path: /v3/users/{user_id}
  scope_types:
    - system
    - domain
    - project
- check_str: rule:admin_required
  deprecated_rule:
    check_str: rule:admin_required
    deprecated_reason: The user API is now aware of system scope and default roles.
    deprecated_since: S
    name: identity:delete_user
  description: Delete a user.
  name: identity:delete_user
  operations:
    - method: DELETE
      path: /v3/users/{user_id}
  scope_types:
    - system
    - domain
    - project