Fix RST formatting issues
All of these issues were the results of the automated markdown-to-restructuredtext conversion. This is mostly just whitespace changes, so I did them all at once, but they affect the rendering of the final document considerably. Change-Id: I4031c50b76e759f445dc7dfdb08789de7c2abc5f Closes-Bug: 1402824
This commit is contained in:
parent
2408c6645f
commit
0b60632f8f
|
@ -1,22 +1,22 @@
|
|||
OpenStack Identity API v3 OS-ENDPOINT-POLICY Extension
|
||||
======================================================
|
||||
|
||||
This extension provides associations between service endpoints and
|
||||
policies that are already stored in the Identity server and referenced
|
||||
by policy ID. Such associations enable an endpoint to request the
|
||||
appropriate policy for itself. Three types of association are supported:
|
||||
This extension provides associations between service endpoints and policies
|
||||
that are already stored in the Identity server and referenced by policy ID.
|
||||
Such associations enable an endpoint to request the appropriate policy for
|
||||
itself. Three types of association are supported:
|
||||
|
||||
- A policy associated to a specific endpoint
|
||||
- A policy associated to any endpoint of a given service type in a
|
||||
given region
|
||||
- A policy associated to any endpoint of a given service type
|
||||
- A policy associated to a specific endpoint
|
||||
|
||||
When an endpoint requests the appropriate policy for itself, the
|
||||
extension will look for an association *in the order given above* (which
|
||||
is essentially in order from most specific to least specific) and select
|
||||
the first one it finds. For region associations, any parent regions will
|
||||
also be examined in ascending order. No combination of polices will
|
||||
occur.
|
||||
- A policy associated to any endpoint of a given service type in a given region
|
||||
|
||||
- A policy associated to any endpoint of a given service type
|
||||
|
||||
When an endpoint requests the appropriate policy for itself, the extension will
|
||||
look for an association *in the order given above* (which is essentially in
|
||||
order from most specific to least specific) and select the first one it finds.
|
||||
For region associations, any parent regions will also be examined in ascending
|
||||
order. No combination of polices will occur.
|
||||
|
||||
Policy-Endpoint Associations
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
@ -29,9 +29,8 @@ Create association with endpoint
|
|||
PUT /policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
|
||||
|
||||
Creates an association between the policy and the endpoint. If another
|
||||
association already existed for the specified endpoint, this will
|
||||
replace that association. Any body supplied with this API will be
|
||||
ignored.
|
||||
association already existed for the specified endpoint, this will replace that
|
||||
association. Any body supplied with this API will be ignored.
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -46,8 +45,8 @@ Check association with endpoint
|
|||
|
||||
GET /policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
|
||||
|
||||
Verifies the existence of an association between a policy and an
|
||||
endpoint. A HEAD version of this API is also supported.
|
||||
Verifies the existence of an association between a policy and an endpoint. A
|
||||
HEAD version of this API is also supported.
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -78,8 +77,8 @@ Create association with service
|
|||
PUT /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
|
||||
|
||||
Creates an association between the policy and the service. If another
|
||||
association already existed for the specified service, this will replace
|
||||
that association. Any body supplied with this API will be ignored.
|
||||
association already existed for the specified service, this will replace that
|
||||
association. Any body supplied with this API will be ignored.
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -94,8 +93,8 @@ Check association with service
|
|||
|
||||
GET /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
|
||||
|
||||
Verifies the existence of an association between a policy and a service.
|
||||
A HEAD version of this API is also supported.
|
||||
Verifies the existence of an association between a policy and a service. A HEAD
|
||||
version of this API is also supported.
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -125,10 +124,10 @@ Create association with service in a region
|
|||
|
||||
PUT /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
|
||||
|
||||
Creates an association between the policy and the service in the given
|
||||
region. If another association already existed for the specified service
|
||||
and region, this will replace that association. Any body supplied with
|
||||
this API will be ignored.
|
||||
Creates an association between the policy and the service in the given region.
|
||||
If another association already existed for the specified service and region,
|
||||
this will replace that association. Any body supplied with this API will be
|
||||
ignored.
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -143,8 +142,8 @@ Check association with service in a region
|
|||
|
||||
GET /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
|
||||
|
||||
Verifies the existence of an association between a policy and a service
|
||||
in the given region. A HEAD version of this API is also supported.
|
||||
Verifies the existence of an association between a policy and a service in the
|
||||
given region. A HEAD version of this API is also supported.
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -159,8 +158,7 @@ Delete association with service in a region
|
|||
|
||||
DELETE /policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
|
||||
|
||||
Deletes an association between the policy and the service in the given
|
||||
region.
|
||||
Deletes an association between the policy and the service in the given region.
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -175,8 +173,8 @@ List effective endpoint associations for policy
|
|||
|
||||
GET /policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
|
||||
|
||||
Returns all the endpoints that are currently associated with a specific
|
||||
policy via any of the association methods.
|
||||
Returns all the endpoints that are currently associated with a specific policy
|
||||
via any of the association methods.
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -221,11 +219,11 @@ Get effective policy associated with endpoint
|
|||
|
||||
GET /endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
|
||||
|
||||
Returns the policy that is currently associated with the given endpoint,
|
||||
by working through the ordered sequence of methods of association. The
|
||||
first association that is found will be returned. If the region of the
|
||||
endpoint has a parent, then region associations will be examined up the
|
||||
region tree in ascending order.
|
||||
Returns the policy that is currently associated with the given endpoint, by
|
||||
working through the ordered sequence of methods of association. The first
|
||||
association that is found will be returned. If the region of the endpoint has a
|
||||
parent, then region associations will be examined up the region tree in
|
||||
ascending order.
|
||||
|
||||
Response:
|
||||
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
OpenStack Identity API v3 OS-EP-FILTER Extension
|
||||
================================================
|
||||
|
||||
This extension enables creation of ad-hoc catalogs for each
|
||||
project-scoped token request. To do so, this extension uses either
|
||||
static project-endpoint associations or dynamic custom endpoints groups
|
||||
to associate service endpoints with projects.
|
||||
This extension enables creation of ad-hoc catalogs for each project-scoped
|
||||
token request. To do so, this extension uses either static project-endpoint
|
||||
associations or dynamic custom endpoints groups to associate service endpoints
|
||||
with projects.
|
||||
|
||||
What's New in Version 1.1
|
||||
-------------------------
|
||||
|
@ -26,9 +26,9 @@ Represents a dynamic collection of service endpoints having the same
|
|||
characteristics, such as service\_id, interface, or region. Indeed, any
|
||||
endpoint attribute could be used as part of a filter.
|
||||
|
||||
A classic use case is to filter endpoints based on region. For example,
|
||||
suppose a user wants to filter service endpoints returned in the service
|
||||
catalog by region, the following endpoint group may be used:
|
||||
A classic use case is to filter endpoints based on region. For example, suppose
|
||||
a user wants to filter service endpoints returned in the service catalog by
|
||||
region, the following endpoint group may be used:
|
||||
|
||||
::
|
||||
|
||||
|
@ -54,9 +54,8 @@ API
|
|||
Project-Endpoint Associations
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
If a valid X-Auth-Token token in not present in the HTTP header and/or
|
||||
the user does not have the right authorization a HTTP 401 Unauthorized
|
||||
is returned.
|
||||
If a valid X-Auth-Token token in not present in the HTTP header and/or the user
|
||||
does not have the right authorization a HTTP 401 Unauthorized is returned.
|
||||
|
||||
Create Association
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
@ -68,8 +67,8 @@ Create Association
|
|||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint``
|
||||
|
||||
Modifies the endpoint resource adding an association between the project
|
||||
and the endpoint.
|
||||
Modifies the endpoint resource adding an association between the project and
|
||||
the endpoint.
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -87,8 +86,7 @@ Check Association
|
|||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint``
|
||||
|
||||
Verifies the existence of an association between a project and an
|
||||
endpoint.
|
||||
Verifies the existence of an association between a project and an endpoint.
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -154,8 +152,7 @@ Delete Association
|
|||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint``
|
||||
|
||||
Eliminates a previously created association between a project and an
|
||||
endpoint.
|
||||
Eliminates a previously created association between a project and an endpoint.
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -220,23 +217,22 @@ Endpoint Groups
|
|||
|
||||
Required attributes:
|
||||
|
||||
- ``name`` (string)
|
||||
- ``name`` (string)
|
||||
|
||||
User-facing name of the service.
|
||||
|
||||
- ``filters`` (object)
|
||||
- ``filters`` (object)
|
||||
|
||||
Describes the filtering performed by the endpoint group. The filter used
|
||||
must be an ``endpoint`` property, such as ``interface``, ``service_id``,
|
||||
``region_id`` and ``enabled``. Note that if using ``interface`` as a
|
||||
filter, the only available values are ``public``, ``internal`` and
|
||||
``admin``.
|
||||
Describes the filtering performed by the endpoint group. The filter used must
|
||||
be an ``endpoint`` property, such as ``interface``, ``service_id``,
|
||||
``region_id`` and ``enabled``. Note that if using ``interface`` as a filter,
|
||||
the only available values are ``public``, ``internal`` and ``admin``.
|
||||
|
||||
Optional attributes:
|
||||
|
||||
- ``description`` (string)
|
||||
- ``description`` (string)
|
||||
|
||||
User-facing description of the service.
|
||||
User-facing description of the service.
|
||||
|
||||
Create Endpoint Group Filter
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
@ -341,9 +337,8 @@ Update Endpoint Group
|
|||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group``
|
||||
|
||||
The request block is the same as the one for create endpoint group,
|
||||
except that only the attributes that are being updated need to be
|
||||
included.
|
||||
The request block is the same as the one for create endpoint group, except that
|
||||
only the attributes that are being updated need to be included.
|
||||
|
||||
Request:
|
||||
|
||||
|
|
|
@ -1,44 +1,44 @@
|
|||
OpenStack Identity API v3 OS-FEDERATION Extension
|
||||
=================================================
|
||||
|
||||
Provide the ability for users to manage Identity Providers (IdPs) and
|
||||
establish a set of rules to map federation protocol attributes to
|
||||
Identity API attributes. This extension requires v3.0+ of the Identity
|
||||
API.
|
||||
Provide the ability for users to manage Identity Providers (IdPs) and establish
|
||||
a set of rules to map federation protocol attributes to Identity API
|
||||
attributes. This extension requires v3.0+ of the Identity API.
|
||||
|
||||
What's New in Version 1.1
|
||||
-------------------------
|
||||
|
||||
These features are considered stable as of September 4th, 2014.
|
||||
|
||||
- Introduced a mechanism to exchange an Identity Token for a SAML
|
||||
assertion.
|
||||
- Introduced a mechanism to retrieve Identity Provider Metadata.
|
||||
- Introduced a mechanism to exchange an Identity Token for a SAML assertion.
|
||||
|
||||
- Introduced a mechanism to retrieve Identity Provider Metadata.
|
||||
|
||||
Definitions
|
||||
-----------
|
||||
|
||||
- *Trusted Identity Provider*: An identity provider set up within the
|
||||
Identity API that is trusted to provide authenticated user
|
||||
information.
|
||||
- *Service Provider*: A system entity that provides services to
|
||||
principals or other system entities, in this case, the OpenStack
|
||||
Identity API is the Service Provider.
|
||||
- *Attribute Mapping*: The user information passed by a federation
|
||||
protocol for an already authenticated identity are called
|
||||
``attributes``. Those ``attributes`` may not align 1:1 with the
|
||||
Identity API concepts. To help overcome such mismatches, a mapping
|
||||
can be done either on the sending side (third party identity
|
||||
provider), on the consuming side (Identity API service), or both.
|
||||
- *Trusted Identity Provider*: An identity provider set up within the Identity
|
||||
API that is trusted to provide authenticated user information.
|
||||
|
||||
- *Service Provider*: A system entity that provides services to principals or
|
||||
other system entities, in this case, the OpenStack Identity API is the
|
||||
Service Provider.
|
||||
|
||||
- *Attribute Mapping*: The user information passed by a federation protocol for
|
||||
an already authenticated identity are called ``attributes``. Those
|
||||
``attributes`` may not align 1:1 with the Identity API concepts. To help
|
||||
overcome such mismatches, a mapping can be done either on the sending side
|
||||
(third party identity provider), on the consuming side (Identity API
|
||||
service), or both.
|
||||
|
||||
What's New in Version 1.1
|
||||
-------------------------
|
||||
|
||||
Corresponding to Identity API v3.3 release. These features are
|
||||
considered stable as of September 4th, 2014.
|
||||
Corresponding to Identity API v3.3 release. These features are considered
|
||||
stable as of September 4th, 2014.
|
||||
|
||||
- Deprecate list projects and domains in favour of core functionality
|
||||
available in Identity API v3.3.
|
||||
- Deprecate list projects and domains in favour of core functionality available
|
||||
in Identity API v3.3.
|
||||
|
||||
API Resources
|
||||
-------------
|
||||
|
@ -50,25 +50,25 @@ Identity Providers
|
|||
|
||||
/OS-FEDERATION/identity_providers
|
||||
|
||||
An Identity Provider is a third party service that is trusted by the
|
||||
Identity API to authenticate identities.
|
||||
An Identity Provider is a third party service that is trusted by the Identity
|
||||
API to authenticate identities.
|
||||
|
||||
Optional attributes:
|
||||
|
||||
- ``description`` (string)
|
||||
- ``description`` (string)
|
||||
|
||||
Describes the identity provider.
|
||||
Describes the identity provider.
|
||||
|
||||
If a value is not specified by the client, the service may default this
|
||||
value to either an empty string or ``null``.
|
||||
If a value is not specified by the client, the service may default this value
|
||||
to either an empty string or ``null``.
|
||||
|
||||
- ``enabled`` (boolean)
|
||||
- ``enabled`` (boolean)
|
||||
|
||||
Indicates whether this identity provider should accept federated
|
||||
authentication requests.
|
||||
Indicates whether this identity provider should accept federated
|
||||
authentication requests.
|
||||
|
||||
If a value is not specified by the client, the service may default this
|
||||
to either ``true`` or ``false``.
|
||||
If a value is not specified by the client, the service may default this to
|
||||
either ``true`` or ``false``.
|
||||
|
||||
Protocols
|
||||
~~~~~~~~~
|
||||
|
@ -77,16 +77,15 @@ Protocols
|
|||
|
||||
/OS-FEDERATION/identity_providers/{idp_id}/protocols
|
||||
|
||||
A protocol entry contains information that dictates which mapping rules
|
||||
to use for a given incoming request. An IdP may have multiple supported
|
||||
protocols.
|
||||
A protocol entry contains information that dictates which mapping rules to use
|
||||
for a given incoming request. An IdP may have multiple supported protocols.
|
||||
|
||||
Required attributes:
|
||||
|
||||
- ``mapping_id`` (string)
|
||||
- ``mapping_id`` (string)
|
||||
|
||||
Indicates which mapping should be used to process federated
|
||||
authentication requests.
|
||||
Indicates which mapping should be used to process federated authentication
|
||||
requests.
|
||||
|
||||
Mappings
|
||||
~~~~~~~~
|
||||
|
@ -97,26 +96,26 @@ Mappings
|
|||
|
||||
A ``mapping`` is a set of rules to map federation protocol attributes to
|
||||
Identity API objects. An Identity Provider can have a single ``mapping``
|
||||
specified per protocol. A mapping is simply a list of ``rules``. The
|
||||
only Identity API objects that will support mapping are: ``group``.
|
||||
specified per protocol. A mapping is simply a list of ``rules``. The only
|
||||
Identity API objects that will support mapping are: ``group``.
|
||||
|
||||
Required attributes::
|
||||
Required attributes:
|
||||
|
||||
- ``rules`` (list of objects)
|
||||
- ``rules`` (list of objects)
|
||||
|
||||
Each object contains a rule for mapping attributes to Identity API
|
||||
concepts. A rule contains a ``remote`` attribute description and the
|
||||
destination ``local`` attribute.
|
||||
Each object contains a rule for mapping attributes to Identity API concepts.
|
||||
A rule contains a ``remote`` attribute description and the destination
|
||||
``local`` attribute.
|
||||
|
||||
- ``local`` (list of objects)
|
||||
- ``local`` (list of objects)
|
||||
|
||||
References a local Identity API resource, such as a ``group`` or
|
||||
``user`` to which the remote attributes will be mapped.
|
||||
References a local Identity API resource, such as a ``group`` or ``user`` to
|
||||
which the remote attributes will be mapped.
|
||||
|
||||
Each object has one of two structures, as follows.
|
||||
|
||||
To map a remote attribute value directly to a local attribute,
|
||||
identify the local resource type and attribute:
|
||||
To map a remote attribute value directly to a local attribute, identify the
|
||||
local resource type and attribute:
|
||||
|
||||
::
|
||||
|
||||
|
@ -130,8 +129,8 @@ destination ``local`` attribute.
|
|||
tries to directly map ``REMOTE_USER`` environment variable. If this variable
|
||||
is also unavailable the server returns an HTTP 401 Unauthorized error.
|
||||
|
||||
For attribute type and value mapping, identify the local resource
|
||||
type, attribute, and value:
|
||||
For attribute type and value mapping, identify the local resource type,
|
||||
attribute, and value:
|
||||
|
||||
::
|
||||
|
||||
|
@ -141,43 +140,42 @@ destination ``local`` attribute.
|
|||
}
|
||||
}
|
||||
|
||||
This assigns authorization attributes, by way of role assignments on
|
||||
the specified group, to ephemeral users.
|
||||
This assigns authorization attributes, by way of role assignments on the
|
||||
specified group, to ephemeral users.
|
||||
|
||||
- ``remote`` (list of objects)
|
||||
- ``remote`` (list of objects)
|
||||
|
||||
At least one object must be included.
|
||||
At least one object must be included.
|
||||
|
||||
If more than one object is included, the local attribute is applied
|
||||
only if all remote attributes match.
|
||||
If more than one object is included, the local attribute is applied only if
|
||||
all remote attributes match.
|
||||
|
||||
The value identified by ``type`` is always passed through unless a
|
||||
constraint is specified using either ``any_one_of`` or
|
||||
``not_one_of``.
|
||||
The value identified by ``type`` is always passed through unless a constraint
|
||||
is specified using either ``any_one_of`` or ``not_one_of``.
|
||||
|
||||
- ``type`` (string)
|
||||
- ``type`` (string)
|
||||
|
||||
This represents an assertion type keyword.
|
||||
This represents an assertion type keyword.
|
||||
|
||||
- ``any_one_of`` (list of strings)
|
||||
- ``any_one_of`` (list of strings)
|
||||
|
||||
This is mutually exclusive with ``not_any_of``.
|
||||
This is mutually exclusive with ``not_any_of``.
|
||||
|
||||
The rule is matched only if any of the specified strings appear in
|
||||
the remote attribute ``type``.
|
||||
The rule is matched only if any of the specified strings appear in the
|
||||
remote attribute ``type``.
|
||||
|
||||
- ``not_any_of`` (list of strings)
|
||||
- ``not_any_of`` (list of strings)
|
||||
|
||||
This is mutually exclusive with ``any_one_of``.
|
||||
This is mutually exclusive with ``any_one_of``.
|
||||
|
||||
The rule is not matched if any of the specified strings appear in the
|
||||
remote attribute ``type``.
|
||||
The rule is not matched if any of the specified strings appear in the
|
||||
remote attribute ``type``.
|
||||
|
||||
- ``regex`` (boolean)
|
||||
- ``regex`` (boolean)
|
||||
|
||||
If ``true``, then each string will be evaluated as a `regular
|
||||
expression <http://docs.python.org/2/library/re.html>`__ search
|
||||
against the remote attribute ``type``.
|
||||
If ``true``, then each string will be evaluated as a `regular expression
|
||||
<http://docs.python.org/2/library/re.html>`__ search against the remote
|
||||
attribute ``type``.
|
||||
|
||||
Identity Provider API
|
||||
---------------------
|
||||
|
@ -303,8 +301,8 @@ Delete identity provider
|
|||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider``
|
||||
|
||||
When an identity provider is deleted, any tokens generated by that
|
||||
identity provider will be revoked.
|
||||
When an identity provider is deleted, any tokens generated by that identity
|
||||
provider will be revoked.
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -350,8 +348,8 @@ Response:
|
|||
}
|
||||
}
|
||||
|
||||
When an identity provider is disabled, any tokens generated by that
|
||||
identity provider will be revoked.
|
||||
When an identity provider is disabled, any tokens generated by that identity
|
||||
provider will be revoked.
|
||||
|
||||
Add a protocol and attribute mapping to an identity provider
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
@ -819,8 +817,8 @@ Response:
|
|||
Listing projects and domains
|
||||
----------------------------
|
||||
|
||||
**Deprecated in v1.1**. This section is deprecated as the functionality
|
||||
is available in the core Identity API.
|
||||
**Deprecated in v1.1**. This section is deprecated as the functionality is
|
||||
available in the core Identity API.
|
||||
|
||||
List projects a federated user can access
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
@ -832,13 +830,13 @@ List projects a federated user can access
|
|||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/projects``
|
||||
|
||||
**Deprecated in v1.1**. Use core ``GET /auth/projects``. This call has
|
||||
the same response format.
|
||||
**Deprecated in v1.1**. Use core ``GET /auth/projects``. This call has the same
|
||||
response format.
|
||||
|
||||
Returns a collection of projects to which the federated user has
|
||||
authorization to access. To access this resource, an unscoped token is
|
||||
used, the user can then select a project and request a scoped token.
|
||||
Note that only enabled projects will be returned.
|
||||
Returns a collection of projects to which the federated user has authorization
|
||||
to access. To access this resource, an unscoped token is used, the user can
|
||||
then select a project and request a scoped token. Note that only enabled
|
||||
projects will be returned.
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -884,13 +882,13 @@ List domains a federated user can access
|
|||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/domains``
|
||||
|
||||
**Deprecated in v1.1**. Use core ``GET /auth/domains``. This call has
|
||||
the same response format.
|
||||
**Deprecated in v1.1**. Use core ``GET /auth/domains``. This call has the same
|
||||
response format.
|
||||
|
||||
Returns a collection of domains to which the federated user has
|
||||
authorization to access. To access this resource, an unscoped token is
|
||||
used, the user can then select a domain and request a scoped token. Note
|
||||
that only enabled domains will be returned.
|
||||
Returns a collection of domains to which the federated user has authorization
|
||||
to access. To access this resource, an unscoped token is used, the user can
|
||||
then select a domain and request a scoped token. Note that only enabled domains
|
||||
will be returned.
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -923,9 +921,8 @@ Example Mapping Rules
|
|||
Map identities to their own groups
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
This is an example of *Attribute type and value mappings*, where an
|
||||
attribute type and value are mapped into an Identity API property and
|
||||
value.
|
||||
This is an example of *Attribute type and value mappings*, where an attribute
|
||||
type and value are mapped into an Identity API property and value.
|
||||
|
||||
::
|
||||
|
||||
|
@ -987,8 +984,8 @@ value.
|
|||
Find specific users, set them to admin group
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
This is an example that is similar to the previous, but displays how
|
||||
multiple ``remote`` properties can be used to narrow down on a property.
|
||||
This is an example that is similar to the previous, but displays how multiple
|
||||
``remote`` properties can be used to narrow down on a property.
|
||||
|
||||
::
|
||||
|
||||
|
@ -1041,22 +1038,22 @@ Request an unscoped OS-FEDERATION token
|
|||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocol_auth``
|
||||
|
||||
A federated user may request an unscoped token, which can be used to get
|
||||
a scoped token.
|
||||
A federated user may request an unscoped token, which can be used to get a
|
||||
scoped token.
|
||||
|
||||
Due to the fact that this part of authentication is strictly connected
|
||||
with the SAML2 authentication workflow, a client should not send any
|
||||
data, as the content may be lost when a client is being redirected
|
||||
between Service Provider and Identity Provider. Both HTTP methods - GET
|
||||
and POST should be allowed as Web Single Sign-On (WebSSO) and Enhanced
|
||||
Client Proxy (ECP) mechanisms have different authentication workflows
|
||||
and use different HTTP methods while accessing protected endpoints.
|
||||
Due to the fact that this part of authentication is strictly connected with the
|
||||
SAML2 authentication workflow, a client should not send any data, as the
|
||||
content may be lost when a client is being redirected between Service Provider
|
||||
and Identity Provider. Both HTTP methods - GET and POST should be allowed as
|
||||
Web Single Sign-On (WebSSO) and Enhanced Client Proxy (ECP) mechanisms have
|
||||
different authentication workflows and use different HTTP methods while
|
||||
accessing protected endpoints.
|
||||
|
||||
The returned token will contain information about the groups to which
|
||||
the federated user belongs.
|
||||
The returned token will contain information about the groups to which the
|
||||
federated user belongs.
|
||||
|
||||
Example Identity API token response: `Various OpenStack token
|
||||
responses <identity-api-v3.md#authentication-responses>`__
|
||||
Example Identity API token response: `Various OpenStack token responses
|
||||
<identity-api-v3.md#authentication-responses>`__
|
||||
|
||||
Example of an OS-FEDERATION token:
|
||||
|
||||
|
@ -1092,15 +1089,14 @@ Request a scoped OS-FEDERATION token
|
|||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens``
|
||||
|
||||
A federated user may request a scoped token, by using the unscoped
|
||||
token. A project or domain may be specified by either id or name. An id
|
||||
is sufficient to uniquely identify a project or domain.
|
||||
A federated user may request a scoped token, by using the unscoped token. A
|
||||
project or domain may be specified by either id or name. An id is sufficient to
|
||||
uniquely identify a project or domain.
|
||||
|
||||
Request Parameters:
|
||||
|
||||
To authenticate with the OS-FEDERATION extension, ``saml2`` must be
|
||||
specified as an authentication method, and the unscoped token specified
|
||||
in the id field.
|
||||
To authenticate with the OS-FEDERATION extension, ``saml2`` must be specified
|
||||
as an authentication method, and the unscoped token specified in the id field.
|
||||
|
||||
Example request:
|
||||
|
||||
|
@ -1124,9 +1120,8 @@ Example request:
|
|||
}
|
||||
}
|
||||
|
||||
Similarly to the returned unscoped token, the returned scoped token will
|
||||
have an ``OS-FEDERATION`` section added to the ``user`` portion of the
|
||||
token.
|
||||
Similarly to the returned unscoped token, the returned scoped token will have
|
||||
an ``OS-FEDERATION`` section added to the ``user`` portion of the token.
|
||||
|
||||
Example of an OS-FEDERATION token:
|
||||
|
||||
|
@ -1216,13 +1211,13 @@ Generate a SAML assertion
|
|||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/saml2``
|
||||
|
||||
A user may generate a SAML assertion document based on the scoped token
|
||||
that is used in the request.
|
||||
A user may generate a SAML assertion document based on the scoped token that is
|
||||
used in the request.
|
||||
|
||||
Request Parameters:
|
||||
|
||||
To generate a SAML assertion, a user must provides a scoped token ID and
|
||||
region ID in the request body.
|
||||
To generate a SAML assertion, a user must provides a scoped token ID and region
|
||||
ID in the request body.
|
||||
|
||||
Example request:
|
||||
|
||||
|
@ -1246,8 +1241,8 @@ Example request:
|
|||
}
|
||||
}
|
||||
|
||||
The response will be a full SAML assertion. Note that for readability
|
||||
the certificate has been truncated.
|
||||
The response will be a full SAML assertion. Note that for readability the
|
||||
certificate has been truncated.
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -1343,8 +1338,8 @@ Response:
|
|||
</saml:Assertion>
|
||||
</samlp:Response>
|
||||
|
||||
For more information about how a SAML assertion is structured, refer to
|
||||
the `specification <http://saml.xml.org/saml-specifications>`__.
|
||||
For more information about how a SAML assertion is structured, refer to the
|
||||
`specification <http://saml.xml.org/saml-specifications>`__.
|
||||
|
||||
Retrieve Metadata properties
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
@ -1356,11 +1351,11 @@ Retrieve Metadata properties
|
|||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/metadata``
|
||||
|
||||
A user may retrieve Metadata about an Identity Service acting as an
|
||||
Identity Provider.
|
||||
A user may retrieve Metadata about an Identity Service acting as an Identity
|
||||
Provider.
|
||||
|
||||
The response will be a full document with Metadata properties. Note that
|
||||
for readability, this example certificate has been truncated.
|
||||
The response will be a full document with Metadata properties. Note that for
|
||||
readability, this example certificate has been truncated.
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -1396,5 +1391,5 @@ Response:
|
|||
</ns0:ContactPerson>
|
||||
</ns0:EntityDescriptor>
|
||||
|
||||
For more information about how a SAML assertion is structured, refer to
|
||||
the `specification <http://saml.xml.org/saml-specifications>`__.
|
||||
For more information about how a SAML assertion is structured, refer to the
|
||||
`specification <http://saml.xml.org/saml-specifications>`__.
|
||||
|
|
|
@ -2,8 +2,8 @@ OpenStack Identity API v3 OS-INHERIT Extension
|
|||
==============================================
|
||||
|
||||
Provide an ability for projects to inherit role assignments from their owning
|
||||
domain, or from projects higher in the hierarchy. This extension
|
||||
requires v3.4 of the Identity API.
|
||||
domain, or from projects higher in the hierarchy. This extension requires v3.4
|
||||
of the Identity API.
|
||||
|
||||
What's New in Version 1.1
|
||||
-------------------------
|
||||
|
@ -15,7 +15,6 @@ API
|
|||
|
||||
The following additional APIs are supported by this extension:
|
||||
|
||||
|
||||
Projects
|
||||
--------
|
||||
|
||||
|
@ -236,9 +235,8 @@ Assign role to user on projects owned by a domain
|
|||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_role_inherited_to_projects``
|
||||
|
||||
The inherited role is only applied to the owned projects (both existing
|
||||
and future projects), and will not appear as a role in a domain scoped
|
||||
token.
|
||||
The inherited role is only applied to the owned projects (both existing and
|
||||
future projects), and will not appear as a role in a domain scoped token.
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -256,9 +254,8 @@ Assign role to group on projects owned by a domain
|
|||
Relationship:
|
||||
``http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_group_role_inherited_to_projects``
|
||||
|
||||
The inherited role is only applied to the owned projects (both existing
|
||||
and future projects), and will not appear as a role in a domain scoped
|
||||
token.
|
||||
The inherited role is only applied to the owned projects (both existing and
|
||||
future projects), and will not appear as a role in a domain scoped token.
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -276,8 +273,8 @@ List user's inherited project roles on a domain
|
|||
Relationship:
|
||||
``http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_user_roles_inherited_to_projects``
|
||||
|
||||
The list only contains those role assignments to the domain that were
|
||||
specified as being inherited to projects within that domain.
|
||||
The list only contains those role assignments to the domain that were specified
|
||||
as being inherited to projects within that domain.
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -320,8 +317,8 @@ List group's inherited project roles on domain
|
|||
Relationship:
|
||||
``'http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_group_roles_inherited_to_projects``
|
||||
|
||||
The list only contains those role assignments to the domain that were
|
||||
specified as being inherited to projects within that domain.
|
||||
The list only contains those role assignments to the domain that were specified
|
||||
as being inherited to projects within that domain.
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -433,8 +430,8 @@ List effective role assignments
|
|||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/rel/role_assignments``
|
||||
|
||||
The scope section in the list response is extended to allow the
|
||||
representation of role assignments that are inherited to projects.
|
||||
The scope section in the list response is extended to allow the representation
|
||||
of role assignments that are inherited to projects.
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -488,22 +485,21 @@ Response:
|
|||
}
|
||||
}
|
||||
|
||||
An additional query filter ``scope.OS-INHERIT:inherited_to`` is
|
||||
supported to allow for filtering based on role assignments that are
|
||||
inherited. The only value of ``scope.OS-INHERIT:inherited_to`` that is
|
||||
currently supported is ``projects``, indicating that this role is
|
||||
inherited to all projects of the owning domain or parent project.
|
||||
An additional query filter ``scope.OS-INHERIT:inherited_to`` is supported to
|
||||
allow for filtering based on role assignments that are inherited. The only
|
||||
value of ``scope.OS-INHERIT:inherited_to`` that is currently supported is
|
||||
``projects``, indicating that this role is inherited to all projects of the
|
||||
owning domain or parent project.
|
||||
|
||||
If the query\_string ``effective`` is specified then the list of
|
||||
effective assignments at the user, project and domain level allows for
|
||||
the effects of both group membership as well as inheritance from the
|
||||
parent domain or project (for role assignments that were made using OS-INHERIT
|
||||
assignment APIs). Since, like group membership, the effects of
|
||||
inheritance have already been allowed for, the role assignment entities
|
||||
themselves that specify the inheritance will not be returned in the
|
||||
collection.
|
||||
If the query string ``effective`` is specified then the list of effective
|
||||
assignments at the user, project and domain level allows for the effects of
|
||||
both group membership as well as inheritance from the parent domain or project
|
||||
(for role assignments that were made using OS-INHERIT assignment APIs). Since,
|
||||
like group membership, the effects of inheritance have already been allowed
|
||||
for, the role assignment entities themselves that specify the inheritance will
|
||||
not be returned in the collection.
|
||||
|
||||
An example response for an API call with the query\_string ``effective``
|
||||
An example response for an API call with the query string ``effective``
|
||||
specified is given below:
|
||||
|
||||
Response:
|
||||
|
@ -558,4 +554,3 @@ Response:
|
|||
"next": null
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -2,46 +2,52 @@ OpenStack Identity API v3 OS-OAUTH1 Extension
|
|||
=============================================
|
||||
|
||||
Provide the ability for identity users to delegate roles to third party
|
||||
consumers via the `OAuth 1.0a
|
||||
specification <http://oauth.net/core/1.0a/>`__. This extension requires
|
||||
v3.0+ of the Identity API. An OAuth-derived token will provide a means
|
||||
of acting on behalf of the authorizing user.
|
||||
consumers via the `OAuth 1.0a specification <http://oauth.net/core/1.0a/>`__.
|
||||
This extension requires v3.0+ of the Identity API. An OAuth-derived token will
|
||||
provide a means of acting on behalf of the authorizing user.
|
||||
|
||||
Definitions
|
||||
-----------
|
||||
|
||||
- *User:* An Identity API service user, the entity whose role(s) will
|
||||
be delegated, and the entity that authorizes Request Tokens.
|
||||
- *Request Token:* A token used by the Consumer to obtain authorization
|
||||
from the User, and exchanged with an OAuth Verifier for an Access
|
||||
Token.
|
||||
- *Access Token:* A token used by the Consumer to request new Identity
|
||||
API tokens on behalf of the authorizing User, instead of using the
|
||||
User’s credentials.
|
||||
- *Token Key:* A key used by the token to identify itself. Both Request
|
||||
Tokens and Access Tokens have Token Keys. For OpenStack purposes, the
|
||||
Token Key is the Token ID.
|
||||
- *Token Secret:* A secret used by the Consumer to establish ownership
|
||||
of a given Token. Both Request Tokens and Access Tokens have Token
|
||||
Secrets.
|
||||
- *OAuth Verifier:* A string that must be provided with the
|
||||
corresponding Request Token in exchange for an Access Token.
|
||||
- *User:* An Identity API service user, the entity whose role(s) will be
|
||||
delegated, and the entity that authorizes Request Tokens.
|
||||
|
||||
- *Request Token:* A token used by the Consumer to obtain authorization from
|
||||
the User, and exchanged with an OAuth Verifier for an Access Token.
|
||||
|
||||
- *Access Token:* A token used by the Consumer to request new Identity API
|
||||
tokens on behalf of the authorizing User, instead of using the User’s
|
||||
credentials.
|
||||
|
||||
- *Token Key:* A key used by the token to identify itself. Both Request Tokens
|
||||
and Access Tokens have Token Keys. For OpenStack purposes, the Token Key is
|
||||
the Token ID.
|
||||
|
||||
- *Token Secret:* A secret used by the Consumer to establish ownership of a
|
||||
given Token. Both Request Tokens and Access Tokens have Token Secrets.
|
||||
|
||||
- *OAuth Verifier:* A string that must be provided with the corresponding
|
||||
Request Token in exchange for an Access Token.
|
||||
|
||||
Delegated Authentication Flow
|
||||
-----------------------------
|
||||
|
||||
Delegated Authentication via OAuth is done in five steps:
|
||||
|
||||
1. An Identity API service User `creates a
|
||||
Consumer <#create-consumer-post-os-oauth1consumers>`__.
|
||||
2. The Consumer `obtains an unauthorized Request
|
||||
Token <#create-request-token-post-os-oauth1request_token>`__.
|
||||
3. The User `authorizes the Request
|
||||
Token <#authorize-request-token-put-os-oauth1authorizerequest_token_id>`__.
|
||||
4. The Consumer `exchanges the Request Token for an Access
|
||||
Token <#create-access-token-post-os-oauth1access_token>`__.
|
||||
5. The Consumer `uses the Access Token to request an Identity API
|
||||
service Token <#request-an-identity-api-token-post-authtokens>`__.
|
||||
#. An Identity API service User `creates a Consumer
|
||||
<#create-consumer-post-os-oauth1consumers>`__.
|
||||
|
||||
#. The Consumer `obtains an unauthorized Request Token
|
||||
<#create-request-token-post-os-oauth1request_token>`__.
|
||||
|
||||
#. The User `authorizes the Request Token
|
||||
<#authorize-request-token-put-os-oauth1authorizerequest_token_id>`__.
|
||||
|
||||
#. The Consumer `exchanges the Request Token for an Access Token
|
||||
<#create-access-token-post-os-oauth1access_token>`__.
|
||||
|
||||
#. The Consumer `uses the Access Token to request an Identity API service Token
|
||||
<#request-an-identity-api-token-post-authtokens>`__.
|
||||
|
||||
API Resources
|
||||
-------------
|
||||
|
@ -53,21 +59,20 @@ Consumers
|
|||
|
||||
/OS-OAUTH1/consumers
|
||||
|
||||
A Consumer is an application that uses OAuth to access a protected
|
||||
resource.
|
||||
A Consumer is an application that uses OAuth to access a protected resource.
|
||||
|
||||
Optional attributes:
|
||||
|
||||
- ``description`` (string)
|
||||
- ``description`` (string)
|
||||
|
||||
Immutable attributes provided by the Identity service:
|
||||
Immutable attributes provided by the Identity service:
|
||||
|
||||
- ``secret`` (string)
|
||||
- ``secret`` (string)
|
||||
|
||||
A consumer's ``secret`` is only returned once, during consumer creation.
|
||||
A consumer's ``secret`` is only returned once, during consumer creation.
|
||||
|
||||
The Consumer is given its key and secret, out-of-band. For OpenStack,
|
||||
the ID of the Consumer is the Key.
|
||||
The Consumer is given its key and secret, out-of-band. For OpenStack, the ID
|
||||
of the Consumer is the Key.
|
||||
|
||||
Consumers API
|
||||
-------------
|
||||
|
@ -205,8 +210,8 @@ Update Consumer
|
|||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumer``
|
||||
|
||||
Only a Consumer's ``description`` is mutable. Attempting to PATCH an
|
||||
immutable attribute should result in a HTTP 400 Bad Request.
|
||||
Only a Consumer's ``description`` is mutable. Attempting to PATCH an immutable
|
||||
attribute should result in a HTTP 400 Bad Request.
|
||||
|
||||
Request:
|
||||
|
||||
|
@ -247,15 +252,14 @@ Create Request Token
|
|||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/request_tokens``
|
||||
|
||||
A Consumer uses the Consumer Key and Secret to obtain a Request Token.
|
||||
The Request Token is used to initiate User authorization. The Request
|
||||
Token, once authorized, can be exchanged along with the OAuth Verifier
|
||||
for an Access Token. Note that there is one extra parameter,
|
||||
``requested_project_id``. ``requested_project_id`` contains the ID of
|
||||
the project upon which the Consumer would like authorization. The
|
||||
Identity service may include an ``oauth_expires_at`` attribute in the
|
||||
response. If no such attribute is included, or is null, then the token
|
||||
may last indefinitely.
|
||||
A Consumer uses the Consumer Key and Secret to obtain a Request Token. The
|
||||
Request Token is used to initiate User authorization. The Request Token, once
|
||||
authorized, can be exchanged along with the OAuth Verifier for an Access Token.
|
||||
Note that there is one extra parameter, ``requested_project_id``.
|
||||
``requested_project_id`` contains the ID of the project upon which the Consumer
|
||||
would like authorization. The Identity service may include an
|
||||
``oauth_expires_at`` attribute in the response. If no such attribute is
|
||||
included, or is null, then the token may last indefinitely.
|
||||
|
||||
The authorizing User receives the Request Token Key from the Consumer
|
||||
out-of-band.
|
||||
|
@ -265,15 +269,15 @@ Supported signature methods: ``HMAC-SHA1``
|
|||
|
||||
Request Parameters:
|
||||
|
||||
- All required OAuth parameters must be provided.
|
||||
- All required OAuth parameters must be provided.
|
||||
|
||||
See: http://oauth.net/core/1.0a/#auth_step1
|
||||
|
||||
Additional Request Parameters:
|
||||
|
||||
- ``requested_project_id``: IDs of requested project
|
||||
- ``requested_project_id``: IDs of requested project
|
||||
|
||||
- Example: ``requested_project_id=b9fca3``
|
||||
- Example: ``requested_project_id=b9fca3``
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -281,10 +285,12 @@ Response:
|
|||
|
||||
Response Parameters:
|
||||
|
||||
- ``oauth_token``: The Request Token key that the Identity API returns.
|
||||
- ``oauth_token_secret``: The secret associated with the Request Token.
|
||||
- ``oauth_expires_at`` (optional): The ISO 8601 date time at which a
|
||||
Request Token will expire.
|
||||
- ``oauth_token``: The Request Token key that the Identity API returns.
|
||||
|
||||
- ``oauth_token_secret``: The secret associated with the Request Token.
|
||||
|
||||
- ``oauth_expires_at`` (optional): The ISO 8601 date time at which a Request
|
||||
Token will expire.
|
||||
|
||||
Authorize Request Token
|
||||
~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
@ -296,10 +302,9 @@ Authorize Request Token
|
|||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/authorize_request_token``
|
||||
|
||||
To authorize the Request Token, the authorizing user must have access to
|
||||
the requested project. Upon successful authorization, an OAuth Verifier
|
||||
code is returned. The Consumer receives the OAuth Verifier from the User
|
||||
out-of-band.
|
||||
To authorize the Request Token, the authorizing user must have access to the
|
||||
requested project. Upon successful authorization, an OAuth Verifier code is
|
||||
returned. The Consumer receives the OAuth Verifier from the User out-of-band.
|
||||
|
||||
Request:
|
||||
|
||||
|
@ -337,17 +342,16 @@ Relationship:
|
|||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/access_tokens``
|
||||
|
||||
After the User authorizes the Request Token, the Consumer exchanges the
|
||||
authorized Request Token and OAuth Verifier for an Access Token. The
|
||||
Identity service may include an ``oauth_expires_at`` parameter in the
|
||||
response. If no such parameter is included, then the token lasts
|
||||
indefinitely.
|
||||
authorized Request Token and OAuth Verifier for an Access Token. The Identity
|
||||
service may include an ``oauth_expires_at`` parameter in the response. If no
|
||||
such parameter is included, then the token lasts indefinitely.
|
||||
|
||||
Supported signature methods: ``HMAC-SHA1``
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Request Parameters:
|
||||
|
||||
- All required OAuth parameters must be provided.
|
||||
- All required OAuth parameters must be provided.
|
||||
|
||||
See: http://oauth.net/core/1.0a/#auth_step3
|
||||
|
||||
|
@ -359,10 +363,12 @@ Response:
|
|||
|
||||
Response Parameters:
|
||||
|
||||
- ``oauth_token``: The Access Token key that the Identity API returns.
|
||||
- ``oauth_token_secret``: The secret associated with the Access Token.
|
||||
- ``oauth_expires_at`` (optional): The ISO 8601 date time when an
|
||||
Access Token expires.
|
||||
- ``oauth_token``: The Access Token key that the Identity API returns.
|
||||
|
||||
- ``oauth_token_secret``: The secret associated with the Access Token.
|
||||
|
||||
- ``oauth_expires_at`` (optional): The ISO 8601 date time when an Access Token
|
||||
expires.
|
||||
|
||||
Request an Identity API Token
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
@ -373,22 +379,22 @@ Request an Identity API Token
|
|||
|
||||
Relationship: ``http://docs.openstack.org/identity/rel/v3/auth_tokens``
|
||||
|
||||
The Consumer can now request valid Identity API service tokens
|
||||
representing the authorizing User's delegated authorization and identity
|
||||
(impersonation). The generated token's roles and scope will match that
|
||||
which the Consumer initially requested.
|
||||
The Consumer can now request valid Identity API service tokens representing the
|
||||
authorizing User's delegated authorization and identity (impersonation). The
|
||||
generated token's roles and scope will match that which the Consumer initially
|
||||
requested.
|
||||
|
||||
Supported signature methods: ``HMAC-SHA1``
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Request Parameters:
|
||||
|
||||
- All required OAuth parameters must be provided.
|
||||
- All required OAuth parameters must be provided.
|
||||
|
||||
See: http://oauth.net/core/1.0a/#anchor12
|
||||
|
||||
To authenticate with the OS-OAUTH1 extension, ``oauth1`` must be
|
||||
specified as an authentication method. Example request:
|
||||
To authenticate with the OS-OAUTH1 extension, ``oauth1`` must be specified as
|
||||
an authentication method. Example request:
|
||||
|
||||
::
|
||||
|
||||
|
@ -403,12 +409,12 @@ specified as an authentication method. Example request:
|
|||
}
|
||||
}
|
||||
|
||||
The returned token is scoped to the requested project and with the
|
||||
delegated roles. In addition to the standard token response, as seen in
|
||||
the link below, the token has an OAuth-specific object.
|
||||
The returned token is scoped to the requested project and with the delegated
|
||||
roles. In addition to the standard token response, as seen in the link below,
|
||||
the token has an OAuth-specific object.
|
||||
|
||||
Example OpenStack token response: `Various OpenStack token
|
||||
responses <https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#authentication-responses>`__
|
||||
Example OpenStack token response: `Various OpenStack token responses
|
||||
<https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#authentication-responses>`__
|
||||
|
||||
Example OAuth-specific object in a token:
|
||||
|
||||
|
@ -495,8 +501,8 @@ List roles of an access token
|
|||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token_roles``
|
||||
|
||||
See ``GET /v3/roles`` for an
|
||||
`example <https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#list-roles-get-roles>`__
|
||||
See ``GET /v3/roles`` for an `example
|
||||
<https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#list-roles-get-roles>`__
|
||||
of this response format.
|
||||
|
||||
Get a role of an access token
|
||||
|
@ -509,8 +515,8 @@ Get a role of an access token
|
|||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token_role``
|
||||
|
||||
See ``GET /v3/roles/{role_id}`` for an
|
||||
`example <https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#get-role-get-rolesrole_id>`__
|
||||
See ``GET /v3/roles/{role_id}`` for an `example
|
||||
<https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#get-role-get-rolesrole_id>`__
|
||||
of this response format.
|
||||
|
||||
Revoke access token
|
||||
|
@ -523,9 +529,9 @@ Revoke access token
|
|||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token``
|
||||
|
||||
A User can revoke an Access Token, preventing the Consumer from
|
||||
requesting new Identity API service tokens. This also revokes any
|
||||
Identity API tokens issued to the Consumer using that Access Token.
|
||||
A User can revoke an Access Token, preventing the Consumer from requesting new
|
||||
Identity API service tokens. This also revokes any Identity API tokens issued
|
||||
to the Consumer using that Access Token.
|
||||
|
||||
Response:
|
||||
|
||||
|
|
|
@ -1,23 +1,22 @@
|
|||
OpenStack Identity API v3 OS-REVOKE Extension
|
||||
=============================================
|
||||
|
||||
This extension provides a list of token revocations. Each event
|
||||
expresses a set of criteria which describes a set of tokens that are no
|
||||
longer valid.
|
||||
This extension provides a list of token revocations. Each event expresses a set
|
||||
of criteria which describes a set of tokens that are no longer valid.
|
||||
|
||||
This extension requires v3.2+ of the Identity API.
|
||||
|
||||
What's New in v1.1
|
||||
------------------
|
||||
|
||||
- Use of ``expires_at`` has been deprecated in favor of using
|
||||
``audit_id`` and ``audit_chain_id``.
|
||||
- Use of ``expires_at`` has been deprecated in favor of using ``audit_id`` and
|
||||
``audit_chain_id``.
|
||||
|
||||
- Revocation events can use ``audit_id`` to revoke an individual token.
|
||||
- Revocation events can use ``audit_id`` to revoke an individual token.
|
||||
|
||||
- Revocation events can use ``audit_chain_id`` to revoke all related
|
||||
tokens. A related token is defined by the first (non-rescoped) token.
|
||||
All tokens in the chain will have the same ``audit_chain_id``.
|
||||
- Revocation events can use ``audit_chain_id`` to revoke all related tokens. A
|
||||
related token is defined by the first (non-rescoped) token. All tokens in the
|
||||
chain will have the same ``audit_chain_id``.
|
||||
|
||||
API Resources
|
||||
-------------
|
||||
|
@ -25,89 +24,87 @@ API Resources
|
|||
Revocation Events
|
||||
~~~~~~~~~~~~~~~~~
|
||||
|
||||
Revocation events are objects that contain criteria used to evaluate
|
||||
token validity. Tokens that match all the criteria of a revocation event
|
||||
are considered revoked, and should not be accepted as proof of
|
||||
authorization for the user.
|
||||
Revocation events are objects that contain criteria used to evaluate token
|
||||
validity. Tokens that match all the criteria of a revocation event are
|
||||
considered revoked, and should not be accepted as proof of authorization for
|
||||
the user.
|
||||
|
||||
Revocation events do not have a unique identifier (``id``).
|
||||
|
||||
Required attributes:
|
||||
|
||||
- ``issued_before`` (string, ISO 8601 extended format date time with
|
||||
microseconds)
|
||||
- ``issued_before`` (string, ISO 8601 extended format date time with
|
||||
microseconds)
|
||||
|
||||
Tokens issued before this time are considered revoked.
|
||||
|
||||
This attribute can be used to determine how long the expiration event is
|
||||
valid. It can also be used in queries to filter events, so that only a
|
||||
subset that have occurred since the last request are returned.
|
||||
This attribute can be used to determine how long the expiration event is valid.
|
||||
It can also be used in queries to filter events, so that only a subset that
|
||||
have occurred since the last request are returned.
|
||||
|
||||
Optional attributes:
|
||||
|
||||
- ``domain_id`` (string)
|
||||
- ``domain_id`` (string)
|
||||
|
||||
Revoke tokens scoped to a particular domain.
|
||||
Revoke tokens scoped to a particular domain.
|
||||
|
||||
- ``project_id`` (string)
|
||||
- ``project_id`` (string)
|
||||
|
||||
Revoke tokens scoped to a particular project.
|
||||
Revoke tokens scoped to a particular project.
|
||||
|
||||
- ``user_id`` (string)
|
||||
- ``user_id`` (string)
|
||||
|
||||
Revoke tokens expressing the identity of a particular user.
|
||||
Revoke tokens expressing the identity of a particular user.
|
||||
|
||||
- ``role_id`` (string)
|
||||
- ``role_id`` (string)
|
||||
|
||||
Revoke tokens issued with a specific role.
|
||||
Revoke tokens issued with a specific role.
|
||||
|
||||
- ``OS-TRUST:trust_id`` (string)
|
||||
- ``OS-TRUST:trust_id`` (string)
|
||||
|
||||
Revoke tokens issued as the result of a particular trust, as part of the
|
||||
OS-TRUST API extension.
|
||||
Revoke tokens issued as the result of a particular trust, as part of the
|
||||
OS-TRUST API extension.
|
||||
|
||||
- ``OS-OAUTH1:consumer_id`` (string)
|
||||
- ``OS-OAUTH1:consumer_id`` (string)
|
||||
|
||||
Revoke tokens issued to a specific OAuth consumer, as part of the
|
||||
OS-OAUTH1 API extension.
|
||||
Revoke tokens issued to a specific OAuth consumer, as part of the OS-OAUTH1
|
||||
API extension.
|
||||
|
||||
- ``expires_at`` (string, ISO 8601 extended format date time with
|
||||
microseconds)
|
||||
- ``expires_at`` (string, ISO 8601 extended format date time with microseconds)
|
||||
|
||||
**Deprecated as of the Juno release in favor of ``audit_id`` and
|
||||
``audit_chain_id``.** If ``expires_at`` exists in the revocation event,
|
||||
it will be utilized to match tokens.
|
||||
**Deprecated as of the Juno release in favor of ``audit_id`` and
|
||||
``audit_chain_id``.** If ``expires_at`` exists in the revocation event, it
|
||||
will be utilized to match tokens.
|
||||
|
||||
Specifies the exact expiration time of one or more tokens to be revoked.
|
||||
Specifies the exact expiration time of one or more tokens to be revoked.
|
||||
|
||||
This attribute is useful for revoking chains of tokens, such as those
|
||||
produced when re-scoping an existing token. When a token is issued based
|
||||
on initial authentication, it is given an ``expires_at`` value. When a
|
||||
token is used to get another token, the new token will have the same
|
||||
``expires_at`` value as the original.
|
||||
This attribute is useful for revoking chains of tokens, such as those
|
||||
produced when re-scoping an existing token. When a token is issued based on
|
||||
initial authentication, it is given an ``expires_at`` value. When a token is
|
||||
used to get another token, the new token will have the same ``expires_at``
|
||||
value as the original.
|
||||
|
||||
- ``audit_id`` (string)
|
||||
- ``audit_id`` (string)
|
||||
|
||||
Specifies the unique identifier (UUID) assigned to the token itself.
|
||||
Specifies the unique identifier (UUID) assigned to the token itself.
|
||||
|
||||
This will revoke a single token only. This attribute mirrors the use of
|
||||
the ``Token Revocation List`` (the mechanism used prior to revocation
|
||||
events) but does not utilize data that could convey authorization (the
|
||||
``token id``).
|
||||
This will revoke a single token only. This attribute mirrors the use of the
|
||||
``Token Revocation List`` (the mechanism used prior to revocation events) but
|
||||
does not utilize data that could convey authorization (the ``token id``).
|
||||
|
||||
If an event is issued for ``audit_id`` then the event cannot contain an
|
||||
``audit_chain_id``.
|
||||
If an event is issued for ``audit_id`` then the event cannot contain an
|
||||
``audit_chain_id``.
|
||||
|
||||
- ``audit_chain_id`` (string)
|
||||
- ``audit_chain_id`` (string)
|
||||
|
||||
Specifies a group of tokens based upon the ``audit_id`` of the first
|
||||
token in the chain. If a revocation event specifies the
|
||||
``audit_chain_id`` any token that is part of the token chain (based upon
|
||||
the original token at the start of the chain) will be revoked, including
|
||||
the original token at the start of the chain.
|
||||
Specifies a group of tokens based upon the ``audit_id`` of the first token in
|
||||
the chain. If a revocation event specifies the ``audit_chain_id`` any token
|
||||
that is part of the token chain (based upon the original token at the start
|
||||
of the chain) will be revoked, including the original token at the start of
|
||||
the chain.
|
||||
|
||||
If an event is issued for ``audit_chain_id`` then the event cannot
|
||||
contain an ``audit_id``.
|
||||
If an event is issued for ``audit_chain_id`` then the event cannot contain an
|
||||
``audit_id``.
|
||||
|
||||
The properties are additive: Only a token that meets all of the
|
||||
specified criteria is considered revoked.
|
||||
|
@ -135,13 +132,12 @@ Relationship:
|
|||
|
||||
Optional query parameters:
|
||||
|
||||
- ``since`` (RFC 1123 format date time): limit the list of results to
|
||||
events that occurred on or after the specified time.
|
||||
- ``since`` (RFC 1123 format date time): limit the list of results to events
|
||||
that occurred on or after the specified time.
|
||||
|
||||
The HTTP Date header returned in the response reflects the timestamp of
|
||||
the most recently issued revocation event. Clients can then use this
|
||||
value in the ``since`` query parameter to limit the list of events in
|
||||
subsequent requests.
|
||||
The HTTP Date header returned in the response reflects the timestamp of the
|
||||
most recently issued revocation event. Clients can then use this value in the
|
||||
``since`` query parameter to limit the list of events in subsequent requests.
|
||||
|
||||
Response:
|
||||
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
OpenStack Identity API v3 OS-SIMPLE-CERT Extension
|
||||
==================================================
|
||||
|
||||
When using Public Key Infrastructure (PKI) tokens with the identity
|
||||
service, users must have access to the signing certificate and the
|
||||
certificate authority's (CA) certificate for the token issuer in order
|
||||
to validate tokens. This extension provides a simple means of retrieving
|
||||
these certificates from an identity service.
|
||||
When using Public Key Infrastructure (PKI) tokens with the identity service,
|
||||
users must have access to the signing certificate and the certificate
|
||||
authority's (CA) certificate for the token issuer in order to validate tokens.
|
||||
This extension provides a simple means of retrieving these certificates from an
|
||||
identity service.
|
||||
|
||||
API Resources
|
||||
-------------
|
||||
|
@ -13,19 +13,18 @@ API Resources
|
|||
Certificates
|
||||
------------
|
||||
|
||||
The identity server uses X.509 certificates to cryptographically sign
|
||||
issued tokens. Certificates are a public resource and can be shared.
|
||||
Typically when validating a certificate we would only require the
|
||||
issuing certificate authority's certificate however PKI tokens are
|
||||
distributed without including the original signing certificate in the
|
||||
message so this must be retrievable as well.
|
||||
The identity server uses X.509 certificates to cryptographically sign issued
|
||||
tokens. Certificates are a public resource and can be shared. Typically when
|
||||
validating a certificate we would only require the issuing certificate
|
||||
authority's certificate however PKI tokens are distributed without including
|
||||
the original signing certificate in the message so this must be retrievable as
|
||||
well.
|
||||
|
||||
Certificates are provided in the Private Enchanced Mail (PEM) file
|
||||
format. Certificates in PEM files can be represented with or without the
|
||||
certificate data (examples shown). The represented certificate is for
|
||||
informative purposes and the only required information is presented
|
||||
between the ``-----BEGIN CERTIFICATE-----`` and
|
||||
``-----END CERTIFICATE-----`` tags.
|
||||
Certificates are provided in the Private Enchanced Mail (PEM) file format.
|
||||
Certificates in PEM files can be represented with or without the certificate
|
||||
data (examples shown). The represented certificate is for informative purposes
|
||||
and the only required information is presented between the ``-----BEGIN
|
||||
CERTIFICATE-----`` and ``-----END CERTIFICATE-----`` tags.
|
||||
|
||||
API
|
||||
---
|
||||
|
@ -42,8 +41,8 @@ Relationship:
|
|||
|
||||
Fetches the certificate chain used to authenticate signed tokens.
|
||||
|
||||
It is possible that a chain of certificates (more than one) is returned.
|
||||
In this case the chain should be used when validating a token.
|
||||
It is possible that a chain of certificates (more than one) is returned. In
|
||||
this case the chain should be used when validating a token.
|
||||
|
||||
::
|
||||
|
||||
|
@ -82,11 +81,11 @@ Retrieve signing certificates
|
|||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-SIMPLE-CERT/1.0/rel/certificates``
|
||||
|
||||
Fetches the certificates containing the public key for the private key
|
||||
that has been used to sign tokens.
|
||||
Fetches the certificates containing the public key for the private key that has
|
||||
been used to sign tokens.
|
||||
|
||||
In an environment with multiple token signers this call will return all
|
||||
valid certificates.
|
||||
In an environment with multiple token signers this call will return all valid
|
||||
certificates.
|
||||
|
||||
::
|
||||
|
||||
|
@ -185,13 +184,13 @@ Certificates are successfully found and returned.
|
|||
403 Forbidden
|
||||
^^^^^^^^^^^^^
|
||||
|
||||
There are no certificates to be returned. This will typically indicate
|
||||
that keystone is using UUID tokens and therefore there are no
|
||||
certificates available.
|
||||
There are no certificates to be returned. This will typically indicate that
|
||||
keystone is using UUID tokens and therefore there are no certificates
|
||||
available.
|
||||
|
||||
500 Internal Server Error
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
An Error was produced on the server. A typical example is that the
|
||||
server is configured to use PKI tokens but is misconfigured and the
|
||||
certificates were unable to be found.
|
||||
An Error was produced on the server. A typical example is that the server is
|
||||
configured to use PKI tokens but is misconfigured and the certificates were
|
||||
unable to be found.
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
OpenStack Identity API v3 OS-TRUST Extension
|
||||
============================================
|
||||
|
||||
Trusts provide project-specific role delegation between users, with
|
||||
optional impersonation.
|
||||
Trusts provide project-specific role delegation between users, with optional
|
||||
impersonation.
|
||||
|
||||
API Resources
|
||||
-------------
|
||||
|
@ -10,93 +10,87 @@ API Resources
|
|||
Trusts
|
||||
~~~~~~
|
||||
|
||||
A trust represents a user's (the *trustor*) authorization to delegate
|
||||
roles to another user (the *trustee*), and optionally allow the trustee
|
||||
to impersonate the trustor. After the trustor has created a trust, the
|
||||
trustee can specify the trust's ``id`` attribute as part of an
|
||||
authentication request to then create a token representing the delegated
|
||||
authority.
|
||||
A trust represents a user's (the *trustor*) authorization to delegate roles to
|
||||
another user (the *trustee*), and optionally allow the trustee to impersonate
|
||||
the trustor. After the trustor has created a trust, the trustee can specify the
|
||||
trust's ``id`` attribute as part of an authentication request to then create a
|
||||
token representing the delegated authority.
|
||||
|
||||
The trust contains constraints on the delegated attributes. A token
|
||||
created based on a trust will convey a subset of the trustor's roles on
|
||||
the specified project. Optionally, the trust may only be valid for a
|
||||
specified time period, as defined by ``expires_at``. If no
|
||||
``expires_at`` is specified, then the trust is valid until it is
|
||||
explicitly revoked.
|
||||
The trust contains constraints on the delegated attributes. A token created
|
||||
based on a trust will convey a subset of the trustor's roles on the specified
|
||||
project. Optionally, the trust may only be valid for a specified time period,
|
||||
as defined by ``expires_at``. If no ``expires_at`` is specified, then the trust
|
||||
is valid until it is explicitly revoked.
|
||||
|
||||
The ``impersonation`` flag allows the trustor to optionally delegate
|
||||
impersonation abilities to the trustee. To services validating the
|
||||
token, the trustee will appear as the trustor, although the token will
|
||||
also contain the ``impersonation`` flag to indicate that this behavior
|
||||
is in effect.
|
||||
impersonation abilities to the trustee. To services validating the token, the
|
||||
trustee will appear as the trustor, although the token will also contain the
|
||||
``impersonation`` flag to indicate that this behavior is in effect.
|
||||
|
||||
A ``project_id`` may not be specified without at least one role, and
|
||||
vice versa. In other words, there is no way of implicitly delegating all
|
||||
roles to a trustee, in order to prevent users accidentally creating
|
||||
trust that are much more broad in scope than intended. A trust without a
|
||||
``project_id`` or any delegated roles is unscoped, and therefore does
|
||||
not represent authorization on a specific resource.
|
||||
A ``project_id`` may not be specified without at least one role, and vice
|
||||
versa. In other words, there is no way of implicitly delegating all roles to a
|
||||
trustee, in order to prevent users accidentally creating trust that are much
|
||||
more broad in scope than intended. A trust without a ``project_id`` or any
|
||||
delegated roles is unscoped, and therefore does not represent authorization on
|
||||
a specific resource.
|
||||
|
||||
Trusts are immutable. If the trustee wishes to modify the attributes of
|
||||
the trust, they should create a new trust and delete the old trust. If a
|
||||
trust is deleted, any tokens generated based on the trust are
|
||||
immediately revoked.
|
||||
Trusts are immutable. If the trustee wishes to modify the attributes of the
|
||||
trust, they should create a new trust and delete the old trust. If a trust is
|
||||
deleted, any tokens generated based on the trust are immediately revoked.
|
||||
|
||||
If the trustor loses access to any delegated attributes, the trust
|
||||
becomes immediately invalid and any tokens generated based on the trust
|
||||
are immediately revoked.
|
||||
If the trustor loses access to any delegated attributes, the trust becomes
|
||||
immediately invalid and any tokens generated based on the trust are immediately
|
||||
revoked.
|
||||
|
||||
Additional required attributes:
|
||||
|
||||
- ``trustor_user_id`` (string)
|
||||
- ``trustor_user_id`` (string)
|
||||
|
||||
Represents the user who created the trust, and who's authorization is
|
||||
being delegated.
|
||||
Represents the user who created the trust, and who's authorization is being
|
||||
delegated.
|
||||
|
||||
- ``trustee_user_id`` (string)
|
||||
- ``trustee_user_id`` (string)
|
||||
|
||||
Represents the user who is capable of consuming the trust.
|
||||
Represents the user who is capable of consuming the trust.
|
||||
|
||||
- ``impersonation``: (boolean)
|
||||
- ``impersonation``: (boolean)
|
||||
|
||||
If ``impersonation`` is set to ``true``, then the ``user`` attribute of
|
||||
tokens token's generated based on the trust will represent that of the
|
||||
trustor rather than the trustee, thus allowing the trustee to
|
||||
impersonate the trustor. If ``impersonation`` is set to ``false``, then
|
||||
the token's ``user`` attribute will represent that of the trustee.
|
||||
If ``impersonation`` is set to ``true``, then the ``user`` attribute of
|
||||
tokens token's generated based on the trust will represent that of the
|
||||
trustor rather than the trustee, thus allowing the trustee to impersonate the
|
||||
trustor. If ``impersonation`` is set to ``false``, then the token's ``user``
|
||||
attribute will represent that of the trustee.
|
||||
|
||||
Optional attributes:
|
||||
|
||||
- ``project_id`` (string)
|
||||
- ``project_id`` (string)
|
||||
|
||||
Identifies the project upon which the trustor is delegating
|
||||
authorization.
|
||||
Identifies the project upon which the trustor is delegating authorization.
|
||||
|
||||
- ``roles``: (list of objects)
|
||||
- ``roles``: (list of objects)
|
||||
|
||||
Specifies the subset of the trustor's roles on the ``project_id`` to be
|
||||
granted to the trustee when the token in consumed. The trustor must
|
||||
already be granted these roles in the project referenced by the
|
||||
``project_id`` attribute.
|
||||
Specifies the subset of the trustor's roles on the ``project_id`` to be
|
||||
granted to the trustee when the token in consumed. The trustor must already
|
||||
be granted these roles in the project referenced by the ``project_id``
|
||||
attribute.
|
||||
|
||||
Roles are only provided when the trust is created, and are subsequently
|
||||
available as a separate read-only collection. Each role can be specified
|
||||
by either ``id`` or ``name``.
|
||||
Roles are only provided when the trust is created, and are subsequently
|
||||
available as a separate read-only collection. Each role can be specified by
|
||||
either ``id`` or ``name``.
|
||||
|
||||
- ``expires_at`` (string, ISO 8601 extended format date time with
|
||||
microseconds)
|
||||
- ``expires_at`` (string, ISO 8601 extended format date time with microseconds)
|
||||
|
||||
Specifies the expiration time of the trust. A trust may be revoked ahead
|
||||
of expiration. If the value represents a time in the past, the trust is
|
||||
deactivated.
|
||||
Specifies the expiration time of the trust. A trust may be revoked ahead of
|
||||
expiration. If the value represents a time in the past, the trust is
|
||||
deactivated.
|
||||
|
||||
- ``remaining_uses`` (integer or null)
|
||||
- ``remaining_uses`` (integer or null)
|
||||
|
||||
Specifies how many times the trust can be used to obtain a token. This
|
||||
value is decreased each time a token is issued through the trust. Once
|
||||
it reaches 0, no further tokens will be issued through the trust. The
|
||||
default value is null, meaning there is no limit on the number of tokens
|
||||
issued through the trust.
|
||||
Specifies how many times the trust can be used to obtain a token. This value
|
||||
is decreased each time a token is issued through the trust. Once it reaches
|
||||
0, no further tokens will be issued through the trust. The default value is
|
||||
null, meaning there is no limit on the number of tokens issued through the
|
||||
trust.
|
||||
|
||||
Example entity:
|
||||
|
||||
|
@ -121,11 +115,11 @@ Tokens
|
|||
|
||||
Additional attributes:
|
||||
|
||||
- ``trust`` (object)
|
||||
- ``trust`` (object)
|
||||
|
||||
If present, indicates that the token was created based on a trust. This
|
||||
attribute identifies both the trustor and trustee, and indicates whether
|
||||
the token represents the trustee impersonating the trustor.
|
||||
If present, indicates that the token was created based on a trust. This
|
||||
attribute identifies both the trustor and trustee, and indicates whether the
|
||||
token represents the trustee impersonating the trustor.
|
||||
|
||||
API
|
||||
---
|
||||
|
@ -137,15 +131,15 @@ Consuming a trust
|
|||
|
||||
POST /auth/tokens
|
||||
|
||||
Consuming a trust effectively assumes the scope as delegated in the
|
||||
trust. No other scope attributes may be specified.
|
||||
Consuming a trust effectively assumes the scope as delegated in the trust. No
|
||||
other scope attributes may be specified.
|
||||
|
||||
The user specified by ``authentication`` must match the trust's
|
||||
``trustee_user_id`` attribute.
|
||||
|
||||
If the trust has the ``impersonation`` attribute set to ``true``, then
|
||||
the resulting token's ``user`` attribute will also represent the
|
||||
trustor, rather than the authenticating user (the trustee).
|
||||
If the trust has the ``impersonation`` attribute set to ``true``, then the
|
||||
resulting token's ``user`` attribute will also represent the trustor, rather
|
||||
than the authenticating user (the trustee).
|
||||
|
||||
::
|
||||
|
||||
|
@ -167,9 +161,9 @@ trustor, rather than the authenticating user (the trustee).
|
|||
}
|
||||
}
|
||||
|
||||
A token created from a trust will have a ``trust`` section containing
|
||||
the ``id`` of the trust, the ``impersonation`` flag, the
|
||||
``trustee_user_id`` and the ``trustor_user_id``. Example response:
|
||||
A token created from a trust will have a ``trust`` section containing the
|
||||
``id`` of the trust, the ``impersonation`` flag, the ``trustee_user_id`` and
|
||||
the ``trustor_user_id``. Example response:
|
||||
|
||||
::
|
||||
|
||||
|
@ -295,9 +289,15 @@ List trusts
|
|||
Relationship:
|
||||
``http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trusts``
|
||||
|
||||
query\_string: page (optional) query\_string: per\_page (optional,
|
||||
default 30) query filter for "trustee\_user\_id", "trustor\_user\_id"
|
||||
(optional)
|
||||
Optional query strings:
|
||||
|
||||
- ``page``
|
||||
|
||||
- ``per_page`` (default 30)
|
||||
|
||||
- ``trustee_user_id``
|
||||
|
||||
- ``trustor_user_id``
|
||||
|
||||
Response:
|
||||
|
||||
|
@ -331,8 +331,8 @@ Response:
|
|||
]
|
||||
}
|
||||
|
||||
In order to list trusts for a given trustor, filter the collection using
|
||||
a query string (e.g., ``?trustor_user_id={user_id}``).
|
||||
In order to list trusts for a given trustor, filter the collection using a
|
||||
query string (e.g., ``?trustor_user_id={user_id}``).
|
||||
|
||||
Request:
|
||||
|
||||
|
@ -362,8 +362,8 @@ Response:
|
|||
]
|
||||
}
|
||||
|
||||
In order to list trusts for a given trustee, filter the collection using
|
||||
a query string (e.g., ``?trustee_user_id={user_id}``).
|
||||
In order to list trusts for a given trustee, filter the collection using a
|
||||
query string (e.g., ``?trustee_user_id={user_id}``).
|
||||
|
||||
Request:
|
||||
|
||||
|
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue