openstack
/
keystone-specs
Code Issues Proposed changes

Fix RST formatting issues 

All of these issues were the results of the automated
markdown-to-restructuredtext conversion. This is mostly just whitespace
changes, so I did them all at once, but they affect the rendering of the
final document considerably.

Change-Id: I4031c50b76e759f445dc7dfdb08789de7c2abc5f
Closes-Bug: 1402824
This commit is contained in:
Dolph Mathews 2014-12-15 16:52:11 -06:00
parent 2408c6645f
commit 0b60632f8f
9 changed files with 1240 additions and 1270 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
api/v3/identity-api-v3-os-endpoint-policy.rst
View File

@ -1,22 +1,22 @@
OpenStack Identity API v3 OS-ENDPOINT-POLICY Extension
======================================================
This extension provides associations between service endpoints and
policies that are already stored in the Identity server and referenced
by policy ID. Such associations enable an endpoint to request the
appropriate policy for itself. Three types of association are supported:
This extension provides associations between service endpoints and policies
that are already stored in the Identity server and referenced by policy ID.
Such associations enable an endpoint to request the appropriate policy for
itself. Three types of association are supported:
- A policy associated to a specific endpoint
- A policy associated to any endpoint of a given service type in a
given region
- A policy associated to any endpoint of a given service type
- A policy associated to a specific endpoint
When an endpoint requests the appropriate policy for itself, the
extension will look for an association *in the order given above* (which
is essentially in order from most specific to least specific) and select
the first one it finds. For region associations, any parent regions will
also be examined in ascending order. No combination of polices will
occur.
- A policy associated to any endpoint of a given service type in a given region
- A policy associated to any endpoint of a given service type
When an endpoint requests the appropriate policy for itself, the extension will
look for an association *in the order given above* (which is essentially in
order from most specific to least specific) and select the first one it finds.
For region associations, any parent regions will also be examined in ascending
order. No combination of polices will occur.
Policy-Endpoint Associations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -29,9 +29,8 @@ Create association with endpoint
PUT /policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
Creates an association between the policy and the endpoint. If another
association already existed for the specified endpoint, this will
replace that association. Any body supplied with this API will be
ignored.
association already existed for the specified endpoint, this will replace that
association. Any body supplied with this API will be ignored.
Response:
@ -46,8 +45,8 @@ Check association with endpoint
GET /policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
Verifies the existence of an association between a policy and an
endpoint. A HEAD version of this API is also supported.
Verifies the existence of an association between a policy and an endpoint. A
HEAD version of this API is also supported.
Response:
@ -78,8 +77,8 @@ Create association with service
PUT /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
Creates an association between the policy and the service. If another
association already existed for the specified service, this will replace
that association. Any body supplied with this API will be ignored.
association already existed for the specified service, this will replace that
association. Any body supplied with this API will be ignored.
Response:
@ -94,8 +93,8 @@ Check association with service
GET /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
Verifies the existence of an association between a policy and a service.
A HEAD version of this API is also supported.
Verifies the existence of an association between a policy and a service. A HEAD
version of this API is also supported.
Response:
@ -125,10 +124,10 @@ Create association with service in a region
PUT /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
Creates an association between the policy and the service in the given
region. If another association already existed for the specified service
and region, this will replace that association. Any body supplied with
this API will be ignored.
Creates an association between the policy and the service in the given region.
If another association already existed for the specified service and region,
this will replace that association. Any body supplied with this API will be
ignored.
Response:
@ -143,8 +142,8 @@ Check association with service in a region
GET /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
Verifies the existence of an association between a policy and a service
in the given region. A HEAD version of this API is also supported.
Verifies the existence of an association between a policy and a service in the
given region. A HEAD version of this API is also supported.
Response:
@ -159,8 +158,7 @@ Delete association with service in a region
DELETE /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
Deletes an association between the policy and the service in the given
region.
Deletes an association between the policy and the service in the given region.
Response:
@ -175,8 +173,8 @@ List effective endpoint associations for policy
GET /policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
Returns all the endpoints that are currently associated with a specific
policy via any of the association methods.
Returns all the endpoints that are currently associated with a specific policy
via any of the association methods.
Response:
@ -221,11 +219,11 @@ Get effective policy associated with endpoint
GET /endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
Returns the policy that is currently associated with the given endpoint,
by working through the ordered sequence of methods of association. The
first association that is found will be returned. If the region of the
endpoint has a parent, then region associations will be examined up the
region tree in ascending order.
Returns the policy that is currently associated with the given endpoint, by
working through the ordered sequence of methods of association. The first
association that is found will be returned. If the region of the endpoint has a
parent, then region associations will be examined up the region tree in
ascending order.
Response:

51
api/v3/identity-api-v3-os-ep-filter-ext.rst
View File

@ -1,10 +1,10 @@
OpenStack Identity API v3 OS-EP-FILTER Extension
================================================
This extension enables creation of ad-hoc catalogs for each
project-scoped token request. To do so, this extension uses either
static project-endpoint associations or dynamic custom endpoints groups
to associate service endpoints with projects.
This extension enables creation of ad-hoc catalogs for each project-scoped
token request. To do so, this extension uses either static project-endpoint
associations or dynamic custom endpoints groups to associate service endpoints
with projects.
What's New in Version 1.1
-------------------------
@ -26,9 +26,9 @@ Represents a dynamic collection of service endpoints having the same
characteristics, such as service\_id, interface, or region. Indeed, any
endpoint attribute could be used as part of a filter.
A classic use case is to filter endpoints based on region. For example,
suppose a user wants to filter service endpoints returned in the service
catalog by region, the following endpoint group may be used:
A classic use case is to filter endpoints based on region. For example, suppose
a user wants to filter service endpoints returned in the service catalog by
region, the following endpoint group may be used:
::
@ -54,9 +54,8 @@ API
Project-Endpoint Associations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If a valid X-Auth-Token token in not present in the HTTP header and/or
the user does not have the right authorization a HTTP 401 Unauthorized
is returned.
If a valid X-Auth-Token token in not present in the HTTP header and/or the user
does not have the right authorization a HTTP 401 Unauthorized is returned.
Create Association
^^^^^^^^^^^^^^^^^^
@ -68,8 +67,8 @@ Create Association
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint``
Modifies the endpoint resource adding an association between the project
and the endpoint.
Modifies the endpoint resource adding an association between the project and
the endpoint.
Response:
@ -87,8 +86,7 @@ Check Association
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint``
Verifies the existence of an association between a project and an
endpoint.
Verifies the existence of an association between a project and an endpoint.
Response:
@ -154,8 +152,7 @@ Delete Association
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint``
Eliminates a previously created association between a project and an
endpoint.
Eliminates a previously created association between a project and an endpoint.
Response:
@ -220,23 +217,22 @@ Endpoint Groups
Required attributes:
- ``name`` (string)
- ``name`` (string)
User-facing name of the service.
- ``filters`` (object)
- ``filters`` (object)
Describes the filtering performed by the endpoint group. The filter used
must be an ``endpoint`` property, such as ``interface``, ``service_id``,
``region_id`` and ``enabled``. Note that if using ``interface`` as a
filter, the only available values are ``public``, ``internal`` and
``admin``.
Describes the filtering performed by the endpoint group. The filter used must
be an ``endpoint`` property, such as ``interface``, ``service_id``,
``region_id`` and ``enabled``. Note that if using ``interface`` as a filter,
the only available values are ``public``, ``internal`` and ``admin``.
Optional attributes:
- ``description`` (string)
- ``description`` (string)
User-facing description of the service.
User-facing description of the service.
Create Endpoint Group Filter
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@ -341,9 +337,8 @@ Update Endpoint Group
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group``
The request block is the same as the one for create endpoint group,
except that only the attributes that are being updated need to be
included.
The request block is the same as the one for create endpoint group, except that
only the attributes that are being updated need to be included.
Request:

267
api/v3/identity-api-v3-os-federation-ext.rst
View File

@ -1,44 +1,44 @@
OpenStack Identity API v3 OS-FEDERATION Extension
=================================================
Provide the ability for users to manage Identity Providers (IdPs) and
establish a set of rules to map federation protocol attributes to
Identity API attributes. This extension requires v3.0+ of the Identity
API.
Provide the ability for users to manage Identity Providers (IdPs) and establish
a set of rules to map federation protocol attributes to Identity API
attributes. This extension requires v3.0+ of the Identity API.
What's New in Version 1.1
-------------------------
These features are considered stable as of September 4th, 2014.
- Introduced a mechanism to exchange an Identity Token for a SAML
assertion.
- Introduced a mechanism to retrieve Identity Provider Metadata.
- Introduced a mechanism to exchange an Identity Token for a SAML assertion.
- Introduced a mechanism to retrieve Identity Provider Metadata.
Definitions
-----------
- *Trusted Identity Provider*: An identity provider set up within the
Identity API that is trusted to provide authenticated user
information.
- *Service Provider*: A system entity that provides services to
principals or other system entities, in this case, the OpenStack
Identity API is the Service Provider.
- *Attribute Mapping*: The user information passed by a federation
protocol for an already authenticated identity are called
``attributes``. Those ``attributes`` may not align 1:1 with the
Identity API concepts. To help overcome such mismatches, a mapping
can be done either on the sending side (third party identity
provider), on the consuming side (Identity API service), or both.
- *Trusted Identity Provider*: An identity provider set up within the Identity
API that is trusted to provide authenticated user information.
- *Service Provider*: A system entity that provides services to principals or
other system entities, in this case, the OpenStack Identity API is the
Service Provider.
- *Attribute Mapping*: The user information passed by a federation protocol for
an already authenticated identity are called ``attributes``. Those
``attributes`` may not align 1:1 with the Identity API concepts. To help
overcome such mismatches, a mapping can be done either on the sending side
(third party identity provider), on the consuming side (Identity API
service), or both.
What's New in Version 1.1
-------------------------
Corresponding to Identity API v3.3 release. These features are
considered stable as of September 4th, 2014.
Corresponding to Identity API v3.3 release. These features are considered
stable as of September 4th, 2014.
- Deprecate list projects and domains in favour of core functionality
available in Identity API v3.3.
- Deprecate list projects and domains in favour of core functionality available
in Identity API v3.3.
API Resources
-------------
@ -50,25 +50,25 @@ Identity Providers
/OS-FEDERATION/identity_providers
An Identity Provider is a third party service that is trusted by the
Identity API to authenticate identities.
An Identity Provider is a third party service that is trusted by the Identity
API to authenticate identities.
Optional attributes:
- ``description`` (string)
- ``description`` (string)
Describes the identity provider.
Describes the identity provider.
If a value is not specified by the client, the service may default this
value to either an empty string or ``null``.
If a value is not specified by the client, the service may default this value
to either an empty string or ``null``.
- ``enabled`` (boolean)
- ``enabled`` (boolean)
Indicates whether this identity provider should accept federated
authentication requests.
Indicates whether this identity provider should accept federated
authentication requests.
If a value is not specified by the client, the service may default this
to either ``true`` or ``false``.
If a value is not specified by the client, the service may default this to
either ``true`` or ``false``.
Protocols
~~~~~~~~~
@ -77,16 +77,15 @@ Protocols
/OS-FEDERATION/identity_providers/{idp_id}/protocols
A protocol entry contains information that dictates which mapping rules
to use for a given incoming request. An IdP may have multiple supported
protocols.
A protocol entry contains information that dictates which mapping rules to use
for a given incoming request. An IdP may have multiple supported protocols.
Required attributes:
- ``mapping_id`` (string)
- ``mapping_id`` (string)
Indicates which mapping should be used to process federated
authentication requests.
Indicates which mapping should be used to process federated authentication
requests.
Mappings
~~~~~~~~
@ -97,26 +96,26 @@ Mappings
A ``mapping`` is a set of rules to map federation protocol attributes to
Identity API objects. An Identity Provider can have a single ``mapping``
specified per protocol. A mapping is simply a list of ``rules``. The
only Identity API objects that will support mapping are: ``group``.
specified per protocol. A mapping is simply a list of ``rules``. The only
Identity API objects that will support mapping are: ``group``.
Required attributes::
Required attributes:
- ``rules`` (list of objects)
- ``rules`` (list of objects)
Each object contains a rule for mapping attributes to Identity API
concepts. A rule contains a ``remote`` attribute description and the
destination ``local`` attribute.
Each object contains a rule for mapping attributes to Identity API concepts.
A rule contains a ``remote`` attribute description and the destination
``local`` attribute.
- ``local`` (list of objects)
- ``local`` (list of objects)
References a local Identity API resource, such as a ``group`` or
``user`` to which the remote attributes will be mapped.
References a local Identity API resource, such as a ``group`` or ``user`` to
which the remote attributes will be mapped.
Each object has one of two structures, as follows.
To map a remote attribute value directly to a local attribute,
identify the local resource type and attribute:
To map a remote attribute value directly to a local attribute, identify the
local resource type and attribute:
::
@ -130,8 +129,8 @@ destination ``local`` attribute.
tries to directly map ``REMOTE_USER`` environment variable. If this variable
is also unavailable the server returns an HTTP 401 Unauthorized error.
For attribute type and value mapping, identify the local resource
type, attribute, and value:
For attribute type and value mapping, identify the local resource type,
attribute, and value:
::
@ -141,43 +140,42 @@ destination ``local`` attribute.
}
}
This assigns authorization attributes, by way of role assignments on
the specified group, to ephemeral users.
This assigns authorization attributes, by way of role assignments on the
specified group, to ephemeral users.
- ``remote`` (list of objects)
- ``remote`` (list of objects)
At least one object must be included.
At least one object must be included.
If more than one object is included, the local attribute is applied
only if all remote attributes match.
If more than one object is included, the local attribute is applied only if
all remote attributes match.
The value identified by ``type`` is always passed through unless a
constraint is specified using either ``any_one_of`` or
``not_one_of``.
The value identified by ``type`` is always passed through unless a constraint
is specified using either ``any_one_of`` or ``not_one_of``.
- ``type`` (string)
- ``type`` (string)
This represents an assertion type keyword.
This represents an assertion type keyword.
- ``any_one_of`` (list of strings)
- ``any_one_of`` (list of strings)
This is mutually exclusive with ``not_any_of``.
This is mutually exclusive with ``not_any_of``.
The rule is matched only if any of the specified strings appear in
the remote attribute ``type``.
The rule is matched only if any of the specified strings appear in the
remote attribute ``type``.
- ``not_any_of`` (list of strings)
- ``not_any_of`` (list of strings)
This is mutually exclusive with ``any_one_of``.
This is mutually exclusive with ``any_one_of``.
The rule is not matched if any of the specified strings appear in the
remote attribute ``type``.
The rule is not matched if any of the specified strings appear in the
remote attribute ``type``.
- ``regex`` (boolean)
- ``regex`` (boolean)
If ``true``, then each string will be evaluated as a `regular
expression <http://docs.python.org/2/library/re.html>`__ search
against the remote attribute ``type``.
If ``true``, then each string will be evaluated as a `regular expression
<http://docs.python.org/2/library/re.html>`__ search against the remote
attribute ``type``.
Identity Provider API
---------------------
@ -303,8 +301,8 @@ Delete identity provider
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider``
When an identity provider is deleted, any tokens generated by that
identity provider will be revoked.
When an identity provider is deleted, any tokens generated by that identity
provider will be revoked.
Response:
@ -350,8 +348,8 @@ Response:
}
}
When an identity provider is disabled, any tokens generated by that
identity provider will be revoked.
When an identity provider is disabled, any tokens generated by that identity
provider will be revoked.
Add a protocol and attribute mapping to an identity provider
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -819,8 +817,8 @@ Response:
Listing projects and domains
----------------------------
**Deprecated in v1.1**. This section is deprecated as the functionality
is available in the core Identity API.
**Deprecated in v1.1**. This section is deprecated as the functionality is
available in the core Identity API.
List projects a federated user can access
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -832,13 +830,13 @@ List projects a federated user can access
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/projects``
**Deprecated in v1.1**. Use core ``GET /auth/projects``. This call has
the same response format.
**Deprecated in v1.1**. Use core ``GET /auth/projects``. This call has the same
response format.
Returns a collection of projects to which the federated user has
authorization to access. To access this resource, an unscoped token is
used, the user can then select a project and request a scoped token.
Note that only enabled projects will be returned.
Returns a collection of projects to which the federated user has authorization
to access. To access this resource, an unscoped token is used, the user can
then select a project and request a scoped token. Note that only enabled
projects will be returned.
Response:
@ -884,13 +882,13 @@ List domains a federated user can access
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/domains``
**Deprecated in v1.1**. Use core ``GET /auth/domains``. This call has
the same response format.
**Deprecated in v1.1**. Use core ``GET /auth/domains``. This call has the same
response format.
Returns a collection of domains to which the federated user has
authorization to access. To access this resource, an unscoped token is
used, the user can then select a domain and request a scoped token. Note
that only enabled domains will be returned.
Returns a collection of domains to which the federated user has authorization
to access. To access this resource, an unscoped token is used, the user can
then select a domain and request a scoped token. Note that only enabled domains
will be returned.
Response:
@ -923,9 +921,8 @@ Example Mapping Rules
Map identities to their own groups
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is an example of *Attribute type and value mappings*, where an
attribute type and value are mapped into an Identity API property and
value.
This is an example of *Attribute type and value mappings*, where an attribute
type and value are mapped into an Identity API property and value.
::
@ -987,8 +984,8 @@ value.
Find specific users, set them to admin group
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is an example that is similar to the previous, but displays how
multiple ``remote`` properties can be used to narrow down on a property.
This is an example that is similar to the previous, but displays how multiple
``remote`` properties can be used to narrow down on a property.
::
@ -1041,22 +1038,22 @@ Request an unscoped OS-FEDERATION token
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocol_auth``
A federated user may request an unscoped token, which can be used to get
a scoped token.
A federated user may request an unscoped token, which can be used to get a
scoped token.
Due to the fact that this part of authentication is strictly connected
with the SAML2 authentication workflow, a client should not send any
data, as the content may be lost when a client is being redirected
between Service Provider and Identity Provider. Both HTTP methods - GET
and POST should be allowed as Web Single Sign-On (WebSSO) and Enhanced
Client Proxy (ECP) mechanisms have different authentication workflows
and use different HTTP methods while accessing protected endpoints.
Due to the fact that this part of authentication is strictly connected with the
SAML2 authentication workflow, a client should not send any data, as the
content may be lost when a client is being redirected between Service Provider
and Identity Provider. Both HTTP methods - GET and POST should be allowed as
Web Single Sign-On (WebSSO) and Enhanced Client Proxy (ECP) mechanisms have
different authentication workflows and use different HTTP methods while
accessing protected endpoints.
The returned token will contain information about the groups to which
the federated user belongs.
The returned token will contain information about the groups to which the
federated user belongs.
Example Identity API token response: `Various OpenStack token
responses <identity-api-v3.md#authentication-responses>`__
Example Identity API token response: `Various OpenStack token responses
<identity-api-v3.md#authentication-responses>`__
Example of an OS-FEDERATION token:
@ -1092,15 +1089,14 @@ Request a scoped OS-FEDERATION token
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens``
A federated user may request a scoped token, by using the unscoped
token. A project or domain may be specified by either id or name. An id
is sufficient to uniquely identify a project or domain.
A federated user may request a scoped token, by using the unscoped token. A
project or domain may be specified by either id or name. An id is sufficient to
uniquely identify a project or domain.
Request Parameters:
To authenticate with the OS-FEDERATION extension, ``saml2`` must be
specified as an authentication method, and the unscoped token specified
in the id field.
To authenticate with the OS-FEDERATION extension, ``saml2`` must be specified
as an authentication method, and the unscoped token specified in the id field.
Example request:
@ -1124,9 +1120,8 @@ Example request:
}
}
Similarly to the returned unscoped token, the returned scoped token will
have an ``OS-FEDERATION`` section added to the ``user`` portion of the
token.
Similarly to the returned unscoped token, the returned scoped token will have
an ``OS-FEDERATION`` section added to the ``user`` portion of the token.
Example of an OS-FEDERATION token:
@ -1216,13 +1211,13 @@ Generate a SAML assertion
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/saml2``
A user may generate a SAML assertion document based on the scoped token
that is used in the request.
A user may generate a SAML assertion document based on the scoped token that is
used in the request.
Request Parameters:
To generate a SAML assertion, a user must provides a scoped token ID and
region ID in the request body.
To generate a SAML assertion, a user must provides a scoped token ID and region
ID in the request body.
Example request:
@ -1246,8 +1241,8 @@ Example request:
}
}
The response will be a full SAML assertion. Note that for readability
the certificate has been truncated.
The response will be a full SAML assertion. Note that for readability the
certificate has been truncated.
Response:
@ -1343,8 +1338,8 @@ Response:
</saml:Assertion>
</samlp:Response>
For more information about how a SAML assertion is structured, refer to
the `specification <http://saml.xml.org/saml-specifications>`__.
For more information about how a SAML assertion is structured, refer to the
`specification <http://saml.xml.org/saml-specifications>`__.
Retrieve Metadata properties
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -1356,11 +1351,11 @@ Retrieve Metadata properties
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/metadata``
A user may retrieve Metadata about an Identity Service acting as an
Identity Provider.
A user may retrieve Metadata about an Identity Service acting as an Identity
Provider.
The response will be a full document with Metadata properties. Note that
for readability, this example certificate has been truncated.
The response will be a full document with Metadata properties. Note that for
readability, this example certificate has been truncated.
Response:
@ -1396,5 +1391,5 @@ Response:
</ns0:ContactPerson>
</ns0:EntityDescriptor>
For more information about how a SAML assertion is structured, refer to
the `specification <http://saml.xml.org/saml-specifications>`__.
For more information about how a SAML assertion is structured, refer to the
`specification <http://saml.xml.org/saml-specifications>`__.

55
api/v3/identity-api-v3-os-inherit-ext.rst
View File

@ -2,8 +2,8 @@ OpenStack Identity API v3 OS-INHERIT Extension
==============================================
Provide an ability for projects to inherit role assignments from their owning
domain, or from projects higher in the hierarchy. This extension
requires v3.4 of the Identity API.
domain, or from projects higher in the hierarchy. This extension requires v3.4
of the Identity API.
What's New in Version 1.1
-------------------------
@ -15,7 +15,6 @@ API
The following additional APIs are supported by this extension:
Projects
--------
@ -236,9 +235,8 @@ Assign role to user on projects owned by a domain
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_role_inherited_to_projects``
The inherited role is only applied to the owned projects (both existing
and future projects), and will not appear as a role in a domain scoped
token.
The inherited role is only applied to the owned projects (both existing and
future projects), and will not appear as a role in a domain scoped token.
Response:
@ -256,9 +254,8 @@ Assign role to group on projects owned by a domain
Relationship:
``http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_group_role_inherited_to_projects``
The inherited role is only applied to the owned projects (both existing
and future projects), and will not appear as a role in a domain scoped
token.
The inherited role is only applied to the owned projects (both existing and
future projects), and will not appear as a role in a domain scoped token.
Response:
@ -276,8 +273,8 @@ List user's inherited project roles on a domain
Relationship:
``http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_user_roles_inherited_to_projects``
The list only contains those role assignments to the domain that were
specified as being inherited to projects within that domain.
The list only contains those role assignments to the domain that were specified
as being inherited to projects within that domain.
Response:
@ -320,8 +317,8 @@ List group's inherited project roles on domain
Relationship:
``'http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_group_roles_inherited_to_projects``
The list only contains those role assignments to the domain that were
specified as being inherited to projects within that domain.
The list only contains those role assignments to the domain that were specified
as being inherited to projects within that domain.
Response:
@ -433,8 +430,8 @@ List effective role assignments
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/rel/role_assignments``
The scope section in the list response is extended to allow the
representation of role assignments that are inherited to projects.
The scope section in the list response is extended to allow the representation
of role assignments that are inherited to projects.
Response:
@ -488,22 +485,21 @@ Response:
}
}
An additional query filter ``scope.OS-INHERIT:inherited_to`` is
supported to allow for filtering based on role assignments that are
inherited. The only value of ``scope.OS-INHERIT:inherited_to`` that is
currently supported is ``projects``, indicating that this role is
inherited to all projects of the owning domain or parent project.
An additional query filter ``scope.OS-INHERIT:inherited_to`` is supported to
allow for filtering based on role assignments that are inherited. The only
value of ``scope.OS-INHERIT:inherited_to`` that is currently supported is
``projects``, indicating that this role is inherited to all projects of the
owning domain or parent project.
If the query\_string ``effective`` is specified then the list of
effective assignments at the user, project and domain level allows for
the effects of both group membership as well as inheritance from the
parent domain or project (for role assignments that were made using OS-INHERIT
assignment APIs). Since, like group membership, the effects of
inheritance have already been allowed for, the role assignment entities
themselves that specify the inheritance will not be returned in the
collection.
If the query string ``effective`` is specified then the list of effective
assignments at the user, project and domain level allows for the effects of
both group membership as well as inheritance from the parent domain or project
(for role assignments that were made using OS-INHERIT assignment APIs). Since,
like group membership, the effects of inheritance have already been allowed
for, the role assignment entities themselves that specify the inheritance will
not be returned in the collection.
An example response for an API call with the query\_string ``effective``
An example response for an API call with the query string ``effective``
specified is given below:
Response:
@ -558,4 +554,3 @@ Response:
"next": null
}
}

182
api/v3/identity-api-v3-os-oauth1-ext.rst
View File

@ -2,46 +2,52 @@ OpenStack Identity API v3 OS-OAUTH1 Extension
=============================================
Provide the ability for identity users to delegate roles to third party
consumers via the `OAuth 1.0a
specification <http://oauth.net/core/1.0a/>`__. This extension requires
v3.0+ of the Identity API. An OAuth-derived token will provide a means
of acting on behalf of the authorizing user.
consumers via the `OAuth 1.0a specification <http://oauth.net/core/1.0a/>`__.
This extension requires v3.0+ of the Identity API. An OAuth-derived token will
provide a means of acting on behalf of the authorizing user.
Definitions
-----------
- *User:* An Identity API service user, the entity whose role(s) will
be delegated, and the entity that authorizes Request Tokens.
- *Request Token:* A token used by the Consumer to obtain authorization
from the User, and exchanged with an OAuth Verifier for an Access
Token.
- *Access Token:* A token used by the Consumer to request new Identity
API tokens on behalf of the authorizing User, instead of using the
Users credentials.
- *Token Key:* A key used by the token to identify itself. Both Request
Tokens and Access Tokens have Token Keys. For OpenStack purposes, the
Token Key is the Token ID.
- *Token Secret:* A secret used by the Consumer to establish ownership
of a given Token. Both Request Tokens and Access Tokens have Token
Secrets.
- *OAuth Verifier:* A string that must be provided with the
corresponding Request Token in exchange for an Access Token.
- *User:* An Identity API service user, the entity whose role(s) will be
delegated, and the entity that authorizes Request Tokens.
- *Request Token:* A token used by the Consumer to obtain authorization from
the User, and exchanged with an OAuth Verifier for an Access Token.
- *Access Token:* A token used by the Consumer to request new Identity API
tokens on behalf of the authorizing User, instead of using the Users
credentials.
- *Token Key:* A key used by the token to identify itself. Both Request Tokens
and Access Tokens have Token Keys. For OpenStack purposes, the Token Key is
the Token ID.
- *Token Secret:* A secret used by the Consumer to establish ownership of a
given Token. Both Request Tokens and Access Tokens have Token Secrets.
- *OAuth Verifier:* A string that must be provided with the corresponding
Request Token in exchange for an Access Token.
Delegated Authentication Flow
-----------------------------
Delegated Authentication via OAuth is done in five steps:
1. An Identity API service User `creates a
Consumer <#create-consumer-post-os-oauth1consumers>`__.
2. The Consumer `obtains an unauthorized Request
Token <#create-request-token-post-os-oauth1request_token>`__.
3. The User `authorizes the Request
Token <#authorize-request-token-put-os-oauth1authorizerequest_token_id>`__.
4. The Consumer `exchanges the Request Token for an Access
Token <#create-access-token-post-os-oauth1access_token>`__.
5. The Consumer `uses the Access Token to request an Identity API
service Token <#request-an-identity-api-token-post-authtokens>`__.
#. An Identity API service User `creates a Consumer
<#create-consumer-post-os-oauth1consumers>`__.
#. The Consumer `obtains an unauthorized Request Token
<#create-request-token-post-os-oauth1request_token>`__.
#. The User `authorizes the Request Token
<#authorize-request-token-put-os-oauth1authorizerequest_token_id>`__.
#. The Consumer `exchanges the Request Token for an Access Token
<#create-access-token-post-os-oauth1access_token>`__.
#. The Consumer `uses the Access Token to request an Identity API service Token
<#request-an-identity-api-token-post-authtokens>`__.
API Resources
-------------
@ -53,21 +59,20 @@ Consumers
/OS-OAUTH1/consumers
A Consumer is an application that uses OAuth to access a protected
resource.
A Consumer is an application that uses OAuth to access a protected resource.
Optional attributes:
- ``description`` (string)
- ``description`` (string)
Immutable attributes provided by the Identity service:
Immutable attributes provided by the Identity service:
- ``secret`` (string)
- ``secret`` (string)
A consumer's ``secret`` is only returned once, during consumer creation.
A consumer's ``secret`` is only returned once, during consumer creation.
The Consumer is given its key and secret, out-of-band. For OpenStack,
the ID of the Consumer is the Key.
The Consumer is given its key and secret, out-of-band. For OpenStack, the ID
of the Consumer is the Key.
Consumers API
-------------
@ -205,8 +210,8 @@ Update Consumer
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumer``
Only a Consumer's ``description`` is mutable. Attempting to PATCH an
immutable attribute should result in a HTTP 400 Bad Request.
Only a Consumer's ``description`` is mutable. Attempting to PATCH an immutable
attribute should result in a HTTP 400 Bad Request.
Request:
@ -247,15 +252,14 @@ Create Request Token
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/request_tokens``
A Consumer uses the Consumer Key and Secret to obtain a Request Token.
The Request Token is used to initiate User authorization. The Request
Token, once authorized, can be exchanged along with the OAuth Verifier
for an Access Token. Note that there is one extra parameter,
``requested_project_id``. ``requested_project_id`` contains the ID of
the project upon which the Consumer would like authorization. The
Identity service may include an ``oauth_expires_at`` attribute in the
response. If no such attribute is included, or is null, then the token
may last indefinitely.
A Consumer uses the Consumer Key and Secret to obtain a Request Token. The
Request Token is used to initiate User authorization. The Request Token, once
authorized, can be exchanged along with the OAuth Verifier for an Access Token.
Note that there is one extra parameter, ``requested_project_id``.
``requested_project_id`` contains the ID of the project upon which the Consumer
would like authorization. The Identity service may include an
``oauth_expires_at`` attribute in the response. If no such attribute is
included, or is null, then the token may last indefinitely.
The authorizing User receives the Request Token Key from the Consumer
out-of-band.
@ -265,15 +269,15 @@ Supported signature methods: ``HMAC-SHA1``
Request Parameters:
- All required OAuth parameters must be provided.
- All required OAuth parameters must be provided.
See: http://oauth.net/core/1.0a/#auth_step1
Additional Request Parameters:
- ``requested_project_id``: IDs of requested project
- ``requested_project_id``: IDs of requested project
- Example: ``requested_project_id=b9fca3``
- Example: ``requested_project_id=b9fca3``
Response:
@ -281,10 +285,12 @@ Response:
Response Parameters:
- ``oauth_token``: The Request Token key that the Identity API returns.
- ``oauth_token_secret``: The secret associated with the Request Token.
- ``oauth_expires_at`` (optional): The ISO 8601 date time at which a
Request Token will expire.
- ``oauth_token``: The Request Token key that the Identity API returns.
- ``oauth_token_secret``: The secret associated with the Request Token.
- ``oauth_expires_at`` (optional): The ISO 8601 date time at which a Request
Token will expire.
Authorize Request Token
~~~~~~~~~~~~~~~~~~~~~~~
@ -296,10 +302,9 @@ Authorize Request Token
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/authorize_request_token``
To authorize the Request Token, the authorizing user must have access to
the requested project. Upon successful authorization, an OAuth Verifier
code is returned. The Consumer receives the OAuth Verifier from the User
out-of-band.
To authorize the Request Token, the authorizing user must have access to the
requested project. Upon successful authorization, an OAuth Verifier code is
returned. The Consumer receives the OAuth Verifier from the User out-of-band.
Request:
@ -337,17 +342,16 @@ Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/access_tokens``
After the User authorizes the Request Token, the Consumer exchanges the
authorized Request Token and OAuth Verifier for an Access Token. The
Identity service may include an ``oauth_expires_at`` parameter in the
response. If no such parameter is included, then the token lasts
indefinitely.
authorized Request Token and OAuth Verifier for an Access Token. The Identity
service may include an ``oauth_expires_at`` parameter in the response. If no
such parameter is included, then the token lasts indefinitely.
Supported signature methods: ``HMAC-SHA1``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Request Parameters:
- All required OAuth parameters must be provided.
- All required OAuth parameters must be provided.
See: http://oauth.net/core/1.0a/#auth_step3
@ -359,10 +363,12 @@ Response:
Response Parameters:
- ``oauth_token``: The Access Token key that the Identity API returns.
- ``oauth_token_secret``: The secret associated with the Access Token.
- ``oauth_expires_at`` (optional): The ISO 8601 date time when an
Access Token expires.
- ``oauth_token``: The Access Token key that the Identity API returns.
- ``oauth_token_secret``: The secret associated with the Access Token.
- ``oauth_expires_at`` (optional): The ISO 8601 date time when an Access Token
expires.
Request an Identity API Token
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -373,22 +379,22 @@ Request an Identity API Token
Relationship: ``http://docs.openstack.org/identity/rel/v3/auth_tokens``
The Consumer can now request valid Identity API service tokens
representing the authorizing User's delegated authorization and identity
(impersonation). The generated token's roles and scope will match that
which the Consumer initially requested.
The Consumer can now request valid Identity API service tokens representing the
authorizing User's delegated authorization and identity (impersonation). The
generated token's roles and scope will match that which the Consumer initially
requested.
Supported signature methods: ``HMAC-SHA1``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Request Parameters:
- All required OAuth parameters must be provided.
- All required OAuth parameters must be provided.
See: http://oauth.net/core/1.0a/#anchor12
To authenticate with the OS-OAUTH1 extension, ``oauth1`` must be
specified as an authentication method. Example request:
To authenticate with the OS-OAUTH1 extension, ``oauth1`` must be specified as
an authentication method. Example request:
::
@ -403,12 +409,12 @@ specified as an authentication method. Example request:
}
}
The returned token is scoped to the requested project and with the
delegated roles. In addition to the standard token response, as seen in
the link below, the token has an OAuth-specific object.
The returned token is scoped to the requested project and with the delegated
roles. In addition to the standard token response, as seen in the link below,
the token has an OAuth-specific object.
Example OpenStack token response: `Various OpenStack token
responses <https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#authentication-responses>`__
Example OpenStack token response: `Various OpenStack token responses
<https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#authentication-responses>`__
Example OAuth-specific object in a token:
@ -495,8 +501,8 @@ List roles of an access token
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token_roles``
See ``GET /v3/roles`` for an
`example <https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#list-roles-get-roles>`__
See ``GET /v3/roles`` for an `example
<https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#list-roles-get-roles>`__
of this response format.
Get a role of an access token
@ -509,8 +515,8 @@ Get a role of an access token
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token_role``
See ``GET /v3/roles/{role_id}`` for an
`example <https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#get-role-get-rolesrole_id>`__
See ``GET /v3/roles/{role_id}`` for an `example
<https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#get-role-get-rolesrole_id>`__
of this response format.
Revoke access token
@ -523,9 +529,9 @@ Revoke access token
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token``
A User can revoke an Access Token, preventing the Consumer from
requesting new Identity API service tokens. This also revokes any
Identity API tokens issued to the Consumer using that Access Token.
A User can revoke an Access Token, preventing the Consumer from requesting new
Identity API service tokens. This also revokes any Identity API tokens issued
to the Consumer using that Access Token.
Response:

126
api/v3/identity-api-v3-os-revoke-ext.rst
View File

@ -1,23 +1,22 @@
OpenStack Identity API v3 OS-REVOKE Extension
=============================================
This extension provides a list of token revocations. Each event
expresses a set of criteria which describes a set of tokens that are no
longer valid.
This extension provides a list of token revocations. Each event expresses a set
of criteria which describes a set of tokens that are no longer valid.
This extension requires v3.2+ of the Identity API.
What's New in v1.1
------------------
- Use of ``expires_at`` has been deprecated in favor of using
``audit_id`` and ``audit_chain_id``.
- Use of ``expires_at`` has been deprecated in favor of using ``audit_id`` and
``audit_chain_id``.
- Revocation events can use ``audit_id`` to revoke an individual token.
- Revocation events can use ``audit_id`` to revoke an individual token.
- Revocation events can use ``audit_chain_id`` to revoke all related
tokens. A related token is defined by the first (non-rescoped) token.
All tokens in the chain will have the same ``audit_chain_id``.
- Revocation events can use ``audit_chain_id`` to revoke all related tokens. A
related token is defined by the first (non-rescoped) token. All tokens in the
chain will have the same ``audit_chain_id``.
API Resources
-------------
@ -25,89 +24,87 @@ API Resources
Revocation Events
~~~~~~~~~~~~~~~~~
Revocation events are objects that contain criteria used to evaluate
token validity. Tokens that match all the criteria of a revocation event
are considered revoked, and should not be accepted as proof of
authorization for the user.
Revocation events are objects that contain criteria used to evaluate token
validity. Tokens that match all the criteria of a revocation event are
considered revoked, and should not be accepted as proof of authorization for
the user.
Revocation events do not have a unique identifier (``id``).
Required attributes:
- ``issued_before`` (string, ISO 8601 extended format date time with
microseconds)
- ``issued_before`` (string, ISO 8601 extended format date time with
microseconds)
Tokens issued before this time are considered revoked.
This attribute can be used to determine how long the expiration event is
valid. It can also be used in queries to filter events, so that only a
subset that have occurred since the last request are returned.
This attribute can be used to determine how long the expiration event is valid.
It can also be used in queries to filter events, so that only a subset that
have occurred since the last request are returned.
Optional attributes:
- ``domain_id`` (string)
- ``domain_id`` (string)
Revoke tokens scoped to a particular domain.
Revoke tokens scoped to a particular domain.
- ``project_id`` (string)
- ``project_id`` (string)
Revoke tokens scoped to a particular project.
Revoke tokens scoped to a particular project.
- ``user_id`` (string)
- ``user_id`` (string)
Revoke tokens expressing the identity of a particular user.
Revoke tokens expressing the identity of a particular user.
- ``role_id`` (string)
- ``role_id`` (string)
Revoke tokens issued with a specific role.
Revoke tokens issued with a specific role.
- ``OS-TRUST:trust_id`` (string)
- ``OS-TRUST:trust_id`` (string)
Revoke tokens issued as the result of a particular trust, as part of the
OS-TRUST API extension.
Revoke tokens issued as the result of a particular trust, as part of the
OS-TRUST API extension.
- ``OS-OAUTH1:consumer_id`` (string)
- ``OS-OAUTH1:consumer_id`` (string)
Revoke tokens issued to a specific OAuth consumer, as part of the
OS-OAUTH1 API extension.
Revoke tokens issued to a specific OAuth consumer, as part of the OS-OAUTH1
API extension.
- ``expires_at`` (string, ISO 8601 extended format date time with
microseconds)
- ``expires_at`` (string, ISO 8601 extended format date time with microseconds)
**Deprecated as of the Juno release in favor of ``audit_id`` and
``audit_chain_id``.** If ``expires_at`` exists in the revocation event,
it will be utilized to match tokens.
**Deprecated as of the Juno release in favor of ``audit_id`` and
``audit_chain_id``.** If ``expires_at`` exists in the revocation event, it
will be utilized to match tokens.
Specifies the exact expiration time of one or more tokens to be revoked.
Specifies the exact expiration time of one or more tokens to be revoked.
This attribute is useful for revoking chains of tokens, such as those
produced when re-scoping an existing token. When a token is issued based
on initial authentication, it is given an ``expires_at`` value. When a
token is used to get another token, the new token will have the same
``expires_at`` value as the original.
This attribute is useful for revoking chains of tokens, such as those
produced when re-scoping an existing token. When a token is issued based on
initial authentication, it is given an ``expires_at`` value. When a token is
used to get another token, the new token will have the same ``expires_at``
value as the original.
- ``audit_id`` (string)
- ``audit_id`` (string)
Specifies the unique identifier (UUID) assigned to the token itself.
Specifies the unique identifier (UUID) assigned to the token itself.
This will revoke a single token only. This attribute mirrors the use of
the ``Token Revocation List`` (the mechanism used prior to revocation
events) but does not utilize data that could convey authorization (the
``token id``).
This will revoke a single token only. This attribute mirrors the use of the
``Token Revocation List`` (the mechanism used prior to revocation events) but
does not utilize data that could convey authorization (the ``token id``).
If an event is issued for ``audit_id`` then the event cannot contain an
``audit_chain_id``.
If an event is issued for ``audit_id`` then the event cannot contain an
``audit_chain_id``.
- ``audit_chain_id`` (string)
- ``audit_chain_id`` (string)
Specifies a group of tokens based upon the ``audit_id`` of the first
token in the chain. If a revocation event specifies the
``audit_chain_id`` any token that is part of the token chain (based upon
the original token at the start of the chain) will be revoked, including
the original token at the start of the chain.
Specifies a group of tokens based upon the ``audit_id`` of the first token in
the chain. If a revocation event specifies the ``audit_chain_id`` any token
that is part of the token chain (based upon the original token at the start
of the chain) will be revoked, including the original token at the start of
the chain.
If an event is issued for ``audit_chain_id`` then the event cannot
contain an ``audit_id``.
If an event is issued for ``audit_chain_id`` then the event cannot contain an
``audit_id``.
The properties are additive: Only a token that meets all of the
specified criteria is considered revoked.
@ -135,13 +132,12 @@ Relationship:
Optional query parameters:
- ``since`` (RFC 1123 format date time): limit the list of results to
events that occurred on or after the specified time.
- ``since`` (RFC 1123 format date time): limit the list of results to events
that occurred on or after the specified time.
The HTTP Date header returned in the response reflects the timestamp of
the most recently issued revocation event. Clients can then use this
value in the ``since`` query parameter to limit the list of events in
subsequent requests.
The HTTP Date header returned in the response reflects the timestamp of the
most recently issued revocation event. Clients can then use this value in the
``since`` query parameter to limit the list of events in subsequent requests.
Response:

57
api/v3/identity-api-v3-os-simple-certs-ext.rst
View File

@ -1,11 +1,11 @@
OpenStack Identity API v3 OS-SIMPLE-CERT Extension
==================================================
When using Public Key Infrastructure (PKI) tokens with the identity
service, users must have access to the signing certificate and the
certificate authority's (CA) certificate for the token issuer in order
to validate tokens. This extension provides a simple means of retrieving
these certificates from an identity service.
When using Public Key Infrastructure (PKI) tokens with the identity service,
users must have access to the signing certificate and the certificate
authority's (CA) certificate for the token issuer in order to validate tokens.
This extension provides a simple means of retrieving these certificates from an
identity service.
API Resources
-------------
@ -13,19 +13,18 @@ API Resources
Certificates
------------
The identity server uses X.509 certificates to cryptographically sign
issued tokens. Certificates are a public resource and can be shared.
Typically when validating a certificate we would only require the
issuing certificate authority's certificate however PKI tokens are
distributed without including the original signing certificate in the
message so this must be retrievable as well.
The identity server uses X.509 certificates to cryptographically sign issued
tokens. Certificates are a public resource and can be shared. Typically when
validating a certificate we would only require the issuing certificate
authority's certificate however PKI tokens are distributed without including
the original signing certificate in the message so this must be retrievable as
well.
Certificates are provided in the Private Enchanced Mail (PEM) file
format. Certificates in PEM files can be represented with or without the
certificate data (examples shown). The represented certificate is for
informative purposes and the only required information is presented
between the ``-----BEGIN CERTIFICATE-----`` and
``-----END CERTIFICATE-----`` tags.
Certificates are provided in the Private Enchanced Mail (PEM) file format.
Certificates in PEM files can be represented with or without the certificate
data (examples shown). The represented certificate is for informative purposes
and the only required information is presented between the ``-----BEGIN
CERTIFICATE-----`` and ``-----END CERTIFICATE-----`` tags.
API
---
@ -42,8 +41,8 @@ Relationship:
Fetches the certificate chain used to authenticate signed tokens.
It is possible that a chain of certificates (more than one) is returned.
In this case the chain should be used when validating a token.
It is possible that a chain of certificates (more than one) is returned. In
this case the chain should be used when validating a token.
::
@ -82,11 +81,11 @@ Retrieve signing certificates
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-SIMPLE-CERT/1.0/rel/certificates``
Fetches the certificates containing the public key for the private key
that has been used to sign tokens.
Fetches the certificates containing the public key for the private key that has
been used to sign tokens.
In an environment with multiple token signers this call will return all
valid certificates.
In an environment with multiple token signers this call will return all valid
certificates.
::
@ -185,13 +184,13 @@ Certificates are successfully found and returned.
403 Forbidden
^^^^^^^^^^^^^
There are no certificates to be returned. This will typically indicate
that keystone is using UUID tokens and therefore there are no
certificates available.
There are no certificates to be returned. This will typically indicate that
keystone is using UUID tokens and therefore there are no certificates
available.
500 Internal Server Error
^^^^^^^^^^^^^^^^^^^^^^^^^
An Error was produced on the server. A typical example is that the
server is configured to use PKI tokens but is misconfigured and the
certificates were unable to be found.
An Error was produced on the server. A typical example is that the server is
configured to use PKI tokens but is misconfigured and the certificates were
unable to be found.

166
api/v3/identity-api-v3-os-trust-ext.rst
View File

@ -1,8 +1,8 @@
OpenStack Identity API v3 OS-TRUST Extension
============================================
Trusts provide project-specific role delegation between users, with
optional impersonation.
Trusts provide project-specific role delegation between users, with optional
impersonation.
API Resources
-------------
@ -10,93 +10,87 @@ API Resources
Trusts
~~~~~~
A trust represents a user's (the *trustor*) authorization to delegate
roles to another user (the *trustee*), and optionally allow the trustee
to impersonate the trustor. After the trustor has created a trust, the
trustee can specify the trust's ``id`` attribute as part of an
authentication request to then create a token representing the delegated
authority.
A trust represents a user's (the *trustor*) authorization to delegate roles to
another user (the *trustee*), and optionally allow the trustee to impersonate
the trustor. After the trustor has created a trust, the trustee can specify the
trust's ``id`` attribute as part of an authentication request to then create a
token representing the delegated authority.
The trust contains constraints on the delegated attributes. A token
created based on a trust will convey a subset of the trustor's roles on
the specified project. Optionally, the trust may only be valid for a
specified time period, as defined by ``expires_at``. If no
``expires_at`` is specified, then the trust is valid until it is
explicitly revoked.
The trust contains constraints on the delegated attributes. A token created
based on a trust will convey a subset of the trustor's roles on the specified
project. Optionally, the trust may only be valid for a specified time period,
as defined by ``expires_at``. If no ``expires_at`` is specified, then the trust
is valid until it is explicitly revoked.
The ``impersonation`` flag allows the trustor to optionally delegate
impersonation abilities to the trustee. To services validating the
token, the trustee will appear as the trustor, although the token will
also contain the ``impersonation`` flag to indicate that this behavior
is in effect.
impersonation abilities to the trustee. To services validating the token, the
trustee will appear as the trustor, although the token will also contain the
``impersonation`` flag to indicate that this behavior is in effect.
A ``project_id`` may not be specified without at least one role, and
vice versa. In other words, there is no way of implicitly delegating all
roles to a trustee, in order to prevent users accidentally creating
trust that are much more broad in scope than intended. A trust without a
``project_id`` or any delegated roles is unscoped, and therefore does
not represent authorization on a specific resource.
A ``project_id`` may not be specified without at least one role, and vice
versa. In other words, there is no way of implicitly delegating all roles to a
trustee, in order to prevent users accidentally creating trust that are much
more broad in scope than intended. A trust without a ``project_id`` or any
delegated roles is unscoped, and therefore does not represent authorization on
a specific resource.
Trusts are immutable. If the trustee wishes to modify the attributes of
the trust, they should create a new trust and delete the old trust. If a
trust is deleted, any tokens generated based on the trust are
immediately revoked.
Trusts are immutable. If the trustee wishes to modify the attributes of the
trust, they should create a new trust and delete the old trust. If a trust is
deleted, any tokens generated based on the trust are immediately revoked.
If the trustor loses access to any delegated attributes, the trust
becomes immediately invalid and any tokens generated based on the trust
are immediately revoked.
If the trustor loses access to any delegated attributes, the trust becomes
immediately invalid and any tokens generated based on the trust are immediately
revoked.
Additional required attributes:
- ``trustor_user_id`` (string)
- ``trustor_user_id`` (string)
Represents the user who created the trust, and who's authorization is
being delegated.
Represents the user who created the trust, and who's authorization is being
delegated.
- ``trustee_user_id`` (string)
- ``trustee_user_id`` (string)
Represents the user who is capable of consuming the trust.
Represents the user who is capable of consuming the trust.
- ``impersonation``: (boolean)
- ``impersonation``: (boolean)
If ``impersonation`` is set to ``true``, then the ``user`` attribute of
tokens token's generated based on the trust will represent that of the
trustor rather than the trustee, thus allowing the trustee to
impersonate the trustor. If ``impersonation`` is set to ``false``, then
the token's ``user`` attribute will represent that of the trustee.
If ``impersonation`` is set to ``true``, then the ``user`` attribute of
tokens token's generated based on the trust will represent that of the
trustor rather than the trustee, thus allowing the trustee to impersonate the
trustor. If ``impersonation`` is set to ``false``, then the token's ``user``
attribute will represent that of the trustee.
Optional attributes:
- ``project_id`` (string)
- ``project_id`` (string)
Identifies the project upon which the trustor is delegating
authorization.
Identifies the project upon which the trustor is delegating authorization.
- ``roles``: (list of objects)
- ``roles``: (list of objects)
Specifies the subset of the trustor's roles on the ``project_id`` to be
granted to the trustee when the token in consumed. The trustor must
already be granted these roles in the project referenced by the
``project_id`` attribute.
Specifies the subset of the trustor's roles on the ``project_id`` to be
granted to the trustee when the token in consumed. The trustor must already
be granted these roles in the project referenced by the ``project_id``
attribute.
Roles are only provided when the trust is created, and are subsequently
available as a separate read-only collection. Each role can be specified
by either ``id`` or ``name``.
Roles are only provided when the trust is created, and are subsequently
available as a separate read-only collection. Each role can be specified by
either ``id`` or ``name``.
- ``expires_at`` (string, ISO 8601 extended format date time with
microseconds)
- ``expires_at`` (string, ISO 8601 extended format date time with microseconds)
Specifies the expiration time of the trust. A trust may be revoked ahead
of expiration. If the value represents a time in the past, the trust is
deactivated.
Specifies the expiration time of the trust. A trust may be revoked ahead of
expiration. If the value represents a time in the past, the trust is
deactivated.
- ``remaining_uses`` (integer or null)
- ``remaining_uses`` (integer or null)
Specifies how many times the trust can be used to obtain a token. This
value is decreased each time a token is issued through the trust. Once
it reaches 0, no further tokens will be issued through the trust. The
default value is null, meaning there is no limit on the number of tokens
issued through the trust.
Specifies how many times the trust can be used to obtain a token. This value
is decreased each time a token is issued through the trust. Once it reaches
0, no further tokens will be issued through the trust. The default value is
null, meaning there is no limit on the number of tokens issued through the
trust.
Example entity:
@ -121,11 +115,11 @@ Tokens
Additional attributes:
- ``trust`` (object)
- ``trust`` (object)
If present, indicates that the token was created based on a trust. This
attribute identifies both the trustor and trustee, and indicates whether
the token represents the trustee impersonating the trustor.
If present, indicates that the token was created based on a trust. This
attribute identifies both the trustor and trustee, and indicates whether the
token represents the trustee impersonating the trustor.
API
---
@ -137,15 +131,15 @@ Consuming a trust
POST /auth/tokens
Consuming a trust effectively assumes the scope as delegated in the
trust. No other scope attributes may be specified.
Consuming a trust effectively assumes the scope as delegated in the trust. No
other scope attributes may be specified.
The user specified by ``authentication`` must match the trust's
``trustee_user_id`` attribute.
If the trust has the ``impersonation`` attribute set to ``true``, then
the resulting token's ``user`` attribute will also represent the
trustor, rather than the authenticating user (the trustee).
If the trust has the ``impersonation`` attribute set to ``true``, then the
resulting token's ``user`` attribute will also represent the trustor, rather
than the authenticating user (the trustee).
::
@ -167,9 +161,9 @@ trustor, rather than the authenticating user (the trustee).
}
}
A token created from a trust will have a ``trust`` section containing
the ``id`` of the trust, the ``impersonation`` flag, the
``trustee_user_id`` and the ``trustor_user_id``. Example response:
A token created from a trust will have a ``trust`` section containing the
``id`` of the trust, the ``impersonation`` flag, the ``trustee_user_id`` and
the ``trustor_user_id``. Example response:
::
@ -295,9 +289,15 @@ List trusts
Relationship:
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trusts``
query\_string: page (optional) query\_string: per\_page (optional,
default 30) query filter for "trustee\_user\_id", "trustor\_user\_id"
(optional)
Optional query strings:
- ``page``
- ``per_page`` (default 30)
- ``trustee_user_id``
- ``trustor_user_id``
Response:
@ -331,8 +331,8 @@ Response:
]
}
In order to list trusts for a given trustor, filter the collection using
a query string (e.g., ``?trustor_user_id={user_id}``).
In order to list trusts for a given trustor, filter the collection using a
query string (e.g., ``?trustor_user_id={user_id}``).
Request:
@ -362,8 +362,8 @@ Response:
]
}
In order to list trusts for a given trustee, filter the collection using
a query string (e.g., ``?trustee_user_id={user_id}``).
In order to list trusts for a given trustee, filter the collection using a
query string (e.g., ``?trustee_user_id={user_id}``).
Request:

1532
api/v3/identity-api-v3.rst
View File

File diff suppressed because it is too large Load Diff