Policy configuration

Policy configuration

Configuration

The following is an overview of all available policies in Keystone. For a sample configuration file, refer to policy.yaml.

keystone

admin_required
Default:role:admin or is_admin:1

(no description provided)

service_role
Default:role:service

(no description provided)

service_or_admin
Default:rule:admin_required or rule:service_role

(no description provided)

owner
Default:user_id:%(user_id)s

(no description provided)

admin_or_owner
Default:rule:admin_required or rule:owner

(no description provided)

token_subject
Default:user_id:%(target.token.user_id)s

(no description provided)

admin_or_token_subject
Default:rule:admin_required or rule:token_subject

(no description provided)

service_admin_or_token_subject
Default:rule:service_or_admin or rule:token_subject

(no description provided)

identity:get_application_credential
Default:

rule:admin_or_owner

Operations:
  • GET /v3/users/{user_id}/application_credentials/{application_credential_id}
  • HEAD /v3/users/{user_id}/application_credentials/{application_credential_id}

Show application credential details.

identity:list_application_credentials
Default:

rule:admin_or_owner

Operations:
  • GET /v3/users/{user_id}/application_credentials
  • HEAD /v3/users/{user_id}/application_credentials

List application credentials for a user.

identity:create_application_credential
Default:

rule:admin_or_owner

Operations:
  • POST /v3/users/{user_id}/application_credentials

Create an application credential.

identity:delete_application_credential
Default:

rule:admin_or_owner

Operations:
  • DELETE /v3/users/{user_id}/application_credentials/{application_credential_id}

Delete an application credential.

identity:authorize_request_token
Default:

rule:admin_required

Operations:
  • PUT /v3/OS-OAUTH1/authorize/{request_token_id}
Scope Types:
  • project

Authorize OAUTH1 request token.

identity:get_access_token
Default:

rule:admin_required

Operations:
  • GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
Scope Types:
  • project

Get OAUTH1 access token for user by access token ID.

identity:get_access_token_role
Default:

rule:admin_required

Operations:
  • GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
Scope Types:
  • project

Get role for user OAUTH1 access token.

identity:list_access_tokens
Default:

rule:admin_required

Operations:
  • GET /v3/users/{user_id}/OS-OAUTH1/access_tokens
Scope Types:
  • project

List OAUTH1 access tokens for user.

identity:list_access_token_roles
Default:

rule:admin_required

Operations:
  • GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
Scope Types:
  • project

List OAUTH1 access token roles.

identity:delete_access_token
Default:

rule:admin_required

Operations:
  • DELETE /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
Scope Types:
  • project

Delete OAUTH1 access token.

identity:get_auth_catalog
Default:

<empty string>

Operations:
  • GET /v3/auth/catalog
  • HEAD /v3/auth/catalog

Get service catalog.

identity:get_auth_projects
Default:

<empty string>

Operations:
  • GET /v3/auth/projects
  • HEAD /v3/auth/projects

List all projects a user has access to via role assignments.

identity:get_auth_domains
Default:

<empty string>

Operations:
  • GET /v3/auth/domains
  • HEAD /v3/auth/domains

List all domains a user has access to via role assignments.

identity:get_auth_system
Default:

<empty string>

Operations:
  • GET /v3/auth/system
  • HEAD /v3/auth/system

List systems a user has access to via role assignments.

identity:get_consumer
Default:

rule:admin_required

Operations:
  • GET /v3/OS-OAUTH1/consumers/{consumer_id}
Scope Types:
  • system

Show OAUTH1 consumer details.

identity:list_consumers
Default:

rule:admin_required

Operations:
  • GET /v3/OS-OAUTH1/consumers
Scope Types:
  • system

List OAUTH1 consumers.

identity:create_consumer
Default:

rule:admin_required

Operations:
  • POST /v3/OS-OAUTH1/consumers
Scope Types:
  • system

Create OAUTH1 consumer.

identity:update_consumer
Default:

rule:admin_required

Operations:
  • PATCH /v3/OS-OAUTH1/consumers/{consumer_id}
Scope Types:
  • system

Update OAUTH1 consumer.

identity:delete_consumer
Default:

rule:admin_required

Operations:
  • DELETE /v3/OS-OAUTH1/consumers/{consumer_id}
Scope Types:
  • system

Delete OAUTH1 consumer.

identity:get_credential
Default:

rule:admin_required

Operations:
  • GET /v3/credentials/{credential_id}

Show credentials details.

identity:list_credentials
Default:

rule:admin_required

Operations:
  • GET /v3/credentials

List credentials.

identity:create_credential
Default:

rule:admin_required

Operations:
  • POST /v3/credentials

Create credential.

identity:update_credential
Default:

rule:admin_required

Operations:
  • PATCH /v3/credentials/{credential_id}

Update credential.

identity:delete_credential
Default:

rule:admin_required

Operations:
  • DELETE /v3/credentials/{credential_id}

Delete credential.

identity:get_domain
Default:

rule:admin_required or project_domain_id:%(target.domain.id)s

Operations:
  • GET /v3/domains/{domain_id}
Scope Types:
  • system

Show domain details.

identity:list_domains
Default:

rule:admin_required

Operations:
  • GET /v3/domains
Scope Types:
  • system

List domains.

identity:create_domain
Default:

rule:admin_required

Operations:
  • POST /v3/domains
Scope Types:
  • system

Create domain.

identity:update_domain
Default:

rule:admin_required

Operations:
  • PATCH /v3/domains/{domain_id}
Scope Types:
  • system

Update domain.

identity:delete_domain
Default:

rule:admin_required

Operations:
  • DELETE /v3/domains/{domain_id}
Scope Types:
  • system

Delete domain.

identity:create_domain_config
Default:

rule:admin_required

Operations:
  • PUT /v3/domains/{domain_id}/config
Scope Types:
  • system

Create domain configuration.

identity:get_domain_config
Default:

rule:admin_required

Operations:
  • GET /v3/domains/{domain_id}/config
  • HEAD /v3/domains/{domain_id}/config
  • GET /v3/domains/{domain_id}/config/{group}
  • HEAD /v3/domains/{domain_id}/config/{group}
  • GET /v3/domains/{domain_id}/config/{group}/{option}
  • HEAD /v3/domains/{domain_id}/config/{group}/{option}
Scope Types:
  • system

Get the entire domain configuration for a domain, an option group within a domain, or a specific configuration option within a group for a domain.

identity:get_security_compliance_domain_config
Default:

<empty string>

Operations:
  • GET /v3/domains/{domain_id}/config/security_compliance
  • HEAD /v3/domains/{domain_id}/config/security_compliance
  • GET v3/domains/{domain_id}/config/security_compliance/{option}
  • HEAD v3/domains/{domain_id}/config/security_compliance/{option}
Scope Types:
  • system
  • project

Get security compliance domain configuration for either a domain or a specific option in a domain.

identity:update_domain_config
Default:

rule:admin_required

Operations:
  • PATCH /v3/domains/{domain_id}/config
  • PATCH /v3/domains/{domain_id}/config/{group}
  • PATCH /v3/domains/{domain_id}/config/{group}/{option}
Scope Types:
  • system

Update domain configuration for either a domain, specific group or a specific option in a group.

identity:delete_domain_config
Default:

rule:admin_required

Operations:
  • DELETE /v3/domains/{domain_id}/config
  • DELETE /v3/domains/{domain_id}/config/{group}
  • DELETE /v3/domains/{domain_id}/config/{group}/{option}
Scope Types:
  • system

Delete domain configuration for either a domain, specific group or a specific option in a group.

identity:get_domain_config_default
Default:

rule:admin_required

Operations:
  • GET /v3/domains/config/default
  • HEAD /v3/domains/config/default
  • GET /v3/domains/config/{group}/default
  • HEAD /v3/domains/config/{group}/default
  • GET /v3/domains/config/{group}/{option}/default
  • HEAD /v3/domains/config/{group}/{option}/default
Scope Types:
  • system

Get domain configuration default for either a domain, specific group or a specific option in a group.

identity:ec2_get_credential
Default:

rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)

Operations:
  • GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id}

Show ec2 credential details.

identity:ec2_list_credentials
Default:

rule:admin_or_owner

Operations:
  • GET /v3/users/{user_id}/credentials/OS-EC2

List ec2 credentials.

identity:ec2_create_credential
Default:

rule:admin_or_owner

Operations:
  • POST /v3/users/{user_id}/credentials/OS-EC2

Create ec2 credential.

identity:ec2_delete_credential
Default:

rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)

Operations:
  • DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id}

Delete ec2 credential.

identity:get_endpoint
Default:

rule:admin_required

Operations:
  • GET /v3/endpoints/{endpoint_id}
Scope Types:
  • system

Show endpoint details.

identity:list_endpoints
Default:

rule:admin_required

Operations:
  • GET /v3/endpoints
Scope Types:
  • system

List endpoints.

identity:create_endpoint
Default:

rule:admin_required

Operations:
  • POST /v3/endpoints
Scope Types:
  • system

Create endpoint.

identity:update_endpoint
Default:

rule:admin_required

Operations:
  • PATCH /v3/endpoints/{endpoint_id}
Scope Types:
  • system

Update endpoint.

identity:delete_endpoint
Default:

rule:admin_required

Operations:
  • DELETE /v3/endpoints/{endpoint_id}
Scope Types:
  • system

Delete endpoint.

identity:create_endpoint_group
Default:

rule:admin_required

Operations:
  • POST /v3/OS-EP-FILTER/endpoint_groups
Scope Types:
  • system

Create endpoint group.

identity:list_endpoint_groups
Default:

rule:admin_required

Operations:
  • GET /v3/OS-EP-FILTER/endpoint_groups
Scope Types:
  • system

List endpoint groups.

identity:get_endpoint_group
Default:

rule:admin_required

Operations:
  • GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
  • HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
Scope Types:
  • system

Get endpoint group.

identity:update_endpoint_group
Default:

rule:admin_required

Operations:
  • PATCH /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
Scope Types:
  • system

Update endpoint group.

identity:delete_endpoint_group
Default:

rule:admin_required

Operations:
  • DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
Scope Types:
  • system

Delete endpoint group.

identity:list_projects_associated_with_endpoint_group
Default:

rule:admin_required

Operations:
  • GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
Scope Types:
  • system

List all projects associated with a specific endpoint group.

identity:list_endpoints_associated_with_endpoint_group
Default:

rule:admin_required

Operations:
  • GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
Scope Types:
  • system

List all endpoints associated with an endpoint group.

identity:get_endpoint_group_in_project
Default:

rule:admin_required

Operations:
  • GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
  • HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
Scope Types:
  • system

Check if an endpoint group is associated with a project.

identity:list_endpoint_groups_for_project
Default:

rule:admin_required

Operations:
  • GET /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups
Scope Types:
  • system

List endpoint groups associated with a specific project.

identity:add_endpoint_group_to_project
Default:

rule:admin_required

Operations:
  • PUT /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
Scope Types:
  • system

Allow a project to access an endpoint group.

identity:remove_endpoint_group_from_project
Default:

rule:admin_required

Operations:
  • DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
Scope Types:
  • system

Remove endpoint group from project.

identity:check_grant
Default:

rule:admin_required

Operations:
  • HEAD /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
  • GET /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
  • HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
  • GET /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
  • HEAD /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
  • GET /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
  • HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
  • GET /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
  • HEAD /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  • GET /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  • HEAD /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
  • GET /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
  • HEAD /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  • GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  • HEAD /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
  • GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
Scope Types:
  • system

Check a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.

identity:list_grants
Default:

rule:admin_required

Operations:
  • GET /v3/projects/{project_id}/users/{user_id}/roles
  • HEAD /v3/projects/{project_id}/users/{user_id}/roles
  • GET /v3/projects/{project_id}/groups/{group_id}/roles
  • HEAD /v3/projects/{project_id}/groups/{group_id}/roles
  • GET /v3/domains/{domain_id}/users/{user_id}/roles
  • HEAD /v3/domains/{domain_id}/users/{user_id}/roles
  • GET /v3/domains/{domain_id}/groups/{group_id}/roles
  • HEAD /v3/domains/{domain_id}/groups/{group_id}/roles
  • GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
  • GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
Scope Types:
  • system

List roles granted to an actor on a target. A target can be either a domain or a project. An actor can be either a user or a group. For the OS-INHERIT APIs, it is possible to list inherited role grants for actors on domains, where grants are inherited to all projects in the specified domain.

identity:create_grant
Default:

rule:admin_required

Operations:
  • PUT /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
  • PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
  • PUT /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
  • PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
  • PUT /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  • PUT /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
  • PUT /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  • PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
Scope Types:
  • system

Create a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.

identity:revoke_grant
Default:

rule:admin_required

Operations:
  • DELETE /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
  • DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
  • DELETE /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
  • DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
  • DELETE /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  • DELETE /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
  • DELETE /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  • DELETE /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
Scope Types:
  • system

Revoke a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable. In that case, revoking the role grant in the target would remove the logical effect of inheriting it to the target’s projects subtree.

identity:list_system_grants_for_user
Default:

rule:admin_required

Operations:
  • [‘HEAD’, ‘GET’] /v3/system/users/{user_id}/roles
Scope Types:
  • system

List all grants a specific user has on the system.

identity:check_system_grant_for_user
Default:

rule:admin_required

Operations:
  • [‘HEAD’, ‘GET’] /v3/system/users/{user_id}/roles/{role_id}
Scope Types:
  • system

Check if a user has a role on the system.

identity:create_system_grant_for_user
Default:

rule:admin_required

Operations:
  • [‘PUT’] /v3/system/users/{user_id}/roles/{role_id}
Scope Types:
  • system

Grant a user a role on the system.

identity:revoke_system_grant_for_user
Default:

rule:admin_required

Operations:
  • [‘DELETE’] /v3/system/users/{user_id}/roles/{role_id}
Scope Types:
  • system

Remove a role from a user on the system.

identity:list_system_grants_for_group
Default:

rule:admin_required

Operations:
  • [‘HEAD’, ‘GET’] /v3/system/groups/{group_id}/roles
Scope Types:
  • system

List all grants a specific group has on the system.

identity:check_system_grant_for_group
Default:

rule:admin_required

Operations:
  • [‘HEAD’, ‘GET’] /v3/system/groups/{group_id}/roles/{role_id}
Scope Types:
  • system

Check if a group has a role on the system.

identity:create_system_grant_for_group
Default:

rule:admin_required

Operations:
  • [‘PUT’] /v3/system/groups/{group_id}/roles/{role_id}
Scope Types:
  • system

Grant a group a role on the system.

identity:revoke_system_grant_for_group
Default:

rule:admin_required

Operations:
  • [‘DELETE’] /v3/system/groups/{group_id}/roles/{role_id}
Scope Types:
  • system

Remove a role from a group on the system.

identity:get_group
Default:

rule:admin_required

Operations:
  • GET /v3/groups/{group_id}
  • HEAD /v3/groups/{group_id}
Scope Types:
  • system

Show group details.

identity:list_groups
Default:

rule:admin_required

Operations:
  • GET /v3/groups
  • HEAD /v3/groups
Scope Types:
  • system

List groups.

identity:list_groups_for_user
Default:

rule:admin_or_owner

Operations:
  • GET /v3/users/{user_id}/groups
  • HEAD /v3/users/{user_id}/groups
Scope Types:
  • system

List groups to which a user belongs.

identity:create_group
Default:

rule:admin_required

Operations:
  • POST /v3/groups
Scope Types:
  • system

Create group.

identity:update_group
Default:

rule:admin_required

Operations:
  • PATCH /v3/groups/{group_id}
Scope Types:
  • system

Update group.

identity:delete_group
Default:

rule:admin_required

Operations:
  • DELETE /v3/groups/{group_id}
Scope Types:
  • system

Delete group.

identity:list_users_in_group
Default:

rule:admin_required

Operations:
  • GET /v3/groups/{group_id}/users
  • HEAD /v3/groups/{group_id}/users
Scope Types:
  • system

List members of a specific group.

identity:remove_user_from_group
Default:

rule:admin_required

Operations:
  • DELETE /v3/groups/{group_id}/users/{user_id}
Scope Types:
  • system

Remove user from group.

identity:check_user_in_group
Default:

rule:admin_required

Operations:
  • HEAD /v3/groups/{group_id}/users/{user_id}
  • GET /v3/groups/{group_id}/users/{user_id}
Scope Types:
  • system

Check whether a user is a member of a group.

identity:add_user_to_group
Default:

rule:admin_required

Operations:
  • PUT /v3/groups/{group_id}/users/{user_id}
Scope Types:
  • system

Add user to group.

identity:create_identity_provider
Default:

rule:admin_required

Operations:
  • PUT /v3/OS-FEDERATION/identity_providers/{idp_id}
Scope Types:
  • system

Create identity provider.

identity:list_identity_providers
Default:

rule:admin_required

Operations:
  • GET /v3/OS-FEDERATION/identity_providers
  • HEAD /v3/OS-FEDERATION/identity_providers
Scope Types:
  • system

List identity providers.

identity:get_identity_provider
Default:

rule:admin_required

Operations:
  • GET /v3/OS-FEDERATION/identity_providers/{idp_id}
  • HEAD /v3/OS-FEDERATION/identity_providers/{idp_id}
Scope Types:
  • system

Get identity provider.

identity:update_identity_provider
Default:

rule:admin_required

Operations:
  • PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}
Scope Types:
  • system

Update identity provider.

identity:delete_identity_provider
Default:

rule:admin_required

Operations:
  • DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}
Scope Types:
  • system

Delete identity provider.

identity:get_implied_role
Default:

rule:admin_required

Operations:
  • GET /v3/roles/{prior_role_id}/implies/{implied_role_id}
Scope Types:
  • system

Get information about an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.

identity:list_implied_roles
Default:

rule:admin_required

Operations:
  • GET /v3/roles/{prior_role_id}/implies
  • HEAD /v3/roles/{prior_role_id}/implies
Scope Types:
  • system

List associations between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. This will return all the implied roles that would be assumed by the user who gets the specified prior role.

identity:create_implied_role
Default:

rule:admin_required

Operations:
  • PUT /v3/roles/{prior_role_id}/implies/{implied_role_id}
Scope Types:
  • system

Create an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.

identity:delete_implied_role
Default:

rule:admin_required

Operations:
  • DELETE /v3/roles/{prior_role_id}/implies/{implied_role_id}
Scope Types:
  • system

Delete the association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. Removing the association will cause that effect to be eliminated.

identity:list_role_inference_rules
Default:

rule:admin_required

Operations:
  • GET /v3/role_inferences
  • HEAD /v3/role_inferences
Scope Types:
  • system

List all associations between two roles in the system. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.

identity:check_implied_role
Default:

rule:admin_required

Operations:
  • HEAD /v3/roles/{prior_role_id}/implies/{implied_role_id}
Scope Types:
  • system

Check an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.

identity:get_limit_model
Default:

<empty string>

Operations:
  • GET /v3/limits/model
  • HEAD /v3/limits/model
Scope Types:
  • system
  • project

Get limit enforcement model.

identity:get_limit
Default:

<empty string>

Operations:
  • GET /v3/limits/{limit_id}
  • HEAD /v3/limits/{limit_id}
Scope Types:
  • system
  • project

Show limit details.

identity:list_limits
Default:

<empty string>

Operations:
  • GET /v3/limits
  • HEAD /v3/limits
Scope Types:
  • system
  • project

List limits.

identity:create_limits
Default:

rule:admin_required

Operations:
  • POST /v3/limits
Scope Types:
  • system

Create limits.

identity:update_limit
Default:

rule:admin_required

Operations:
  • PATCH /v3/limits/{limit_id}
Scope Types:
  • system

Update limit.

identity:delete_limit
Default:

rule:admin_required

Operations:
  • DELETE /v3/limits/{limit_id}
Scope Types:
  • system

Delete limit.

identity:create_mapping
Default:

rule:admin_required

Operations:
  • PUT /v3/OS-FEDERATION/mappings/{mapping_id}
Scope Types:
  • system

Create a new federated mapping containing one or more sets of rules.

identity:get_mapping
Default:

rule:admin_required

Operations:
  • GET /v3/OS-FEDERATION/mappings/{mapping_id}
  • HEAD /v3/OS-FEDERATION/mappings/{mapping_id}
Scope Types:
  • system

Get a federated mapping.

identity:list_mappings
Default:

rule:admin_required

Operations:
  • GET /v3/OS-FEDERATION/mappings
  • HEAD /v3/OS-FEDERATION/mappings
Scope Types:
  • system

List federated mappings.

identity:delete_mapping
Default:

rule:admin_required

Operations:
  • DELETE /v3/OS-FEDERATION/mappings/{mapping_id}
Scope Types:
  • system

Delete a federated mapping.

identity:update_mapping
Default:

rule:admin_required

Operations:
  • PATCH /v3/OS-FEDERATION/mappings/{mapping_id}
Scope Types:
  • system

Update a federated mapping.

identity:get_policy
Default:

rule:admin_required

Operations:
  • GET /v3/policy/{policy_id}
Scope Types:
  • system

Show policy details.

identity:list_policies
Default:

rule:admin_required

Operations:
  • GET /v3/policies
Scope Types:
  • system

List policies.

identity:create_policy
Default:

rule:admin_required

Operations:
  • POST /v3/policies
Scope Types:
  • system

Create policy.

identity:update_policy
Default:

rule:admin_required

Operations:
  • PATCH /v3/policies/{policy_id}
Scope Types:
  • system

Update policy.

identity:delete_policy
Default:

rule:admin_required

Operations:
  • DELETE /v3/policies/{policy_id}
Scope Types:
  • system

Delete policy.

identity:create_policy_association_for_endpoint
Default:

rule:admin_required

Operations:
  • PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
Scope Types:
  • system

Associate a policy to a specific endpoint.

identity:check_policy_association_for_endpoint
Default:

rule:admin_required

Operations:
  • GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
  • HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
Scope Types:
  • system

Check policy association for endpoint.

identity:delete_policy_association_for_endpoint
Default:

rule:admin_required

Operations:
  • DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
Scope Types:
  • system

Delete policy association for endpoint.

identity:create_policy_association_for_service
Default:

rule:admin_required

Operations:
  • PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
Scope Types:
  • system

Associate a policy to a specific service.

identity:check_policy_association_for_service
Default:

rule:admin_required

Operations:
  • GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
  • HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
Scope Types:
  • system

Check policy association for service.

identity:delete_policy_association_for_service
Default:

rule:admin_required

Operations:
  • DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
Scope Types:
  • system

Delete policy association for service.

identity:create_policy_association_for_region_and_service
Default:

rule:admin_required

Operations:
  • PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
Scope Types:
  • system

Associate a policy to a specific region and service combination.

identity:check_policy_association_for_region_and_service
Default:

rule:admin_required

Operations:
  • GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
  • HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
Scope Types:
  • system

Check policy association for region and service.

identity:delete_policy_association_for_region_and_service
Default:

rule:admin_required

Operations:
  • DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
Scope Types:
  • system

Delete policy association for region and service.

identity:get_policy_for_endpoint
Default:

rule:admin_required

Operations:
  • GET /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
  • HEAD /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
Scope Types:
  • system

Get policy for endpoint.

identity:list_endpoints_for_policy
Default:

rule:admin_required

Operations:
  • GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
Scope Types:
  • system

List endpoints for policy.

identity:get_project
Default:

rule:admin_required or project_id:%(target.project.id)s

Operations:
  • GET /v3/projects/{project_id}

Show project details.

identity:list_projects
Default:

rule:admin_required

Operations:
  • GET /v3/projects
Scope Types:
  • system

List projects.

identity:list_user_projects
Default:

rule:admin_or_owner

Operations:
  • GET /v3/users/{user_id}/projects

List projects for user.

identity:create_project
Default:

rule:admin_required

Operations:
  • POST /v3/projects
Scope Types:
  • system

Create project.

identity:update_project
Default:

rule:admin_required

Operations:
  • PATCH /v3/projects/{project_id}
Scope Types:
  • system

Update project.

identity:delete_project
Default:

rule:admin_required

Operations:
  • DELETE /v3/projects/{project_id}
Scope Types:
  • system

Delete project.

identity:list_project_tags
Default:

rule:admin_required or project_id:%(target.project.id)s

Operations:
  • GET /v3/projects/{project_id}/tags
  • HEAD /v3/projects/{project_id}/tags

List tags for a project.

identity:get_project_tag
Default:

rule:admin_required or project_id:%(target.project.id)s

Operations:
  • GET /v3/projects/{project_id}/tags/{value}
  • HEAD /v3/projects/{project_id}/tags/{value}

Check if project contains a tag.

identity:update_project_tags
Default:

rule:admin_required

Operations:
  • PUT /v3/projects/{project_id}/tags
Scope Types:
  • system

Replace all tags on a project with the new set of tags.

identity:create_project_tag
Default:

rule:admin_required

Operations:
  • PUT /v3/projects/{project_id}/tags/{value}
Scope Types:
  • system

Add a single tag to a project.

identity:delete_project_tags
Default:

rule:admin_required

Operations:
  • DELETE /v3/projects/{project_id}/tags
Scope Types:
  • system

Remove all tags from a project.

identity:delete_project_tag
Default:

rule:admin_required

Operations:
  • DELETE /v3/projects/{project_id}/tags/{value}
Scope Types:
  • system

Delete a specified tag from project.

identity:list_projects_for_endpoint
Default:

rule:admin_required

Operations:
  • GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
Scope Types:
  • system

List projects allowed to access an endpoint.

identity:add_endpoint_to_project
Default:

rule:admin_required

Operations:
  • PUT /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
Scope Types:
  • system

Allow project to access an endpoint.

identity:check_endpoint_in_project
Default:

rule:admin_required

Operations:
  • GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
  • HEAD /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
Scope Types:
  • system

Check if a project is allowed to access an endpoint.

identity:list_endpoints_for_project
Default:

rule:admin_required

Operations:
  • GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints
Scope Types:
  • system

List the endpoints a project is allowed to access.

identity:remove_endpoint_from_project
Default:

rule:admin_required

Operations:
  • DELETE /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
Scope Types:
  • system

Remove access to an endpoint from a project that has previously been given explicit access.

identity:create_protocol
Default:

rule:admin_required

Operations:
  • PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
Scope Types:
  • system

Create federated protocol.

identity:update_protocol
Default:

rule:admin_required

Operations:
  • PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
Scope Types:
  • system

Update federated protocol.

identity:get_protocol
Default:

rule:admin_required

Operations:
  • GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
Scope Types:
  • system

Get federated protocol.

identity:list_protocols
Default:

rule:admin_required

Operations:
  • GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
Scope Types:
  • system

List federated protocols.

identity:delete_protocol
Default:

rule:admin_required

Operations:
  • DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
Scope Types:
  • system

Delete federated protocol.

identity:get_region
Default:

<empty string>

Operations:
  • GET /v3/regions/{region_id}
  • HEAD /v3/regions/{region_id}
Scope Types:
  • system
  • project

Show region details.

identity:list_regions
Default:

<empty string>

Operations:
  • GET /v3/regions
  • HEAD /v3/regions
Scope Types:
  • system
  • project

List regions.

identity:create_region
Default:

rule:admin_required

Operations:
  • POST /v3/regions
  • PUT /v3/regions/{region_id}
Scope Types:
  • system

Create region.

identity:update_region
Default:

rule:admin_required

Operations:
  • PATCH /v3/regions/{region_id}
Scope Types:
  • system

Update region.

identity:delete_region
Default:

rule:admin_required

Operations:
  • DELETE /v3/regions/{region_id}
Scope Types:
  • system

Delete region.

identity:get_registered_limit
Default:

<empty string>

Operations:
  • GET /v3/registered_limits/{registered_limit_id}
  • HEAD /v3/registered_limits/{registered_limit_id}
Scope Types:
  • system
  • project

Show registered limit details.

identity:list_registered_limits
Default:

<empty string>

Operations:
  • GET /v3/registered_limits
  • HEAD /v3/registered_limits
Scope Types:
  • system
  • project

List registered limits.

identity:create_registered_limits
Default:

rule:admin_required

Operations:
  • POST /v3/registered_limits
Scope Types:
  • system

Create registered limits.

identity:update_registered_limit
Default:

rule:admin_required

Operations:
  • PATCH /v3/registered_limits/{registered_limit_id}
Scope Types:
  • system

Update registered limit.

identity:delete_registered_limit
Default:

rule:admin_required

Operations:
  • DELETE /v3/registered_limits/{registered_limit_id}
Scope Types:
  • system

Delete registered limit.

identity:list_revoke_events
Default:

rule:service_or_admin

Operations:
  • GET /v3/OS-REVOKE/events
Scope Types:
  • system

List revocation events.

identity:get_role
Default:

rule:admin_required

Operations:
  • GET /v3/roles/{role_id}
  • HEAD /v3/roles/{role_id}
Scope Types:
  • system

Show role details.

identity:list_roles
Default:

rule:admin_required

Operations:
  • GET /v3/roles
  • HEAD /v3/roles
Scope Types:
  • system

List roles.

identity:create_role
Default:

rule:admin_required

Operations:
  • POST /v3/roles
Scope Types:
  • system

Create role.

identity:update_role
Default:

rule:admin_required

Operations:
  • PATCH /v3/roles/{role_id}
Scope Types:
  • system

Update role.

identity:delete_role
Default:

rule:admin_required

Operations:
  • DELETE /v3/roles/{role_id}
Scope Types:
  • system

Delete role.

identity:get_domain_role
Default:

rule:admin_required

Operations:
  • GET /v3/roles/{role_id}
  • HEAD /v3/roles/{role_id}
Scope Types:
  • system

Show domain role.

identity:list_domain_roles
Default:

rule:admin_required

Operations:
  • GET /v3/roles?domain_id={domain_id}
  • HEAD /v3/roles?domain_id={domain_id}
Scope Types:
  • system

List domain roles.

identity:create_domain_role
Default:

rule:admin_required

Operations:
  • POST /v3/roles
Scope Types:
  • system

Create domain role.

identity:update_domain_role
Default:

rule:admin_required

Operations:
  • PATCH /v3/roles/{role_id}
Scope Types:
  • system

Update domain role.

identity:delete_domain_role
Default:

rule:admin_required

Operations:
  • DELETE /v3/roles/{role_id}
Scope Types:
  • system

Delete domain role.

identity:list_role_assignments
Default:

rule:admin_required

Operations:
  • GET /v3/role_assignments
  • HEAD /v3/role_assignments
Scope Types:
  • system

List role assignments.

identity:list_role_assignments_for_tree
Default:

rule:admin_required

Operations:
  • GET /v3/role_assignments?include_subtree
  • HEAD /v3/role_assignments?include_subtree
Scope Types:
  • project

List all role assignments for a given tree of hierarchical projects.

identity:get_service
Default:

rule:admin_required

Operations:
  • GET /v3/services/{service_id}
Scope Types:
  • system

Show service details.

identity:list_services
Default:

rule:admin_required

Operations:
  • GET /v3/services
Scope Types:
  • system

List services.

identity:create_service
Default:

rule:admin_required

Operations:
  • POST /v3/services
Scope Types:
  • system

Create service.

identity:update_service
Default:

rule:admin_required

Operations:
  • PATCH /v3/services/{service_id}
Scope Types:
  • system

Update service.

identity:delete_service
Default:

rule:admin_required

Operations:
  • DELETE /v3/services/{service_id}
Scope Types:
  • system

Delete service.

identity:create_service_provider
Default:

rule:admin_required

Operations:
  • PUT /v3/OS-FEDERATION/service_providers/{service_provider_id}
Scope Types:
  • system

Create federated service provider.

identity:list_service_providers
Default:

rule:admin_required

Operations:
  • GET /v3/OS-FEDERATION/service_providers
  • HEAD /v3/OS-FEDERATION/service_providers
Scope Types:
  • system

List federated service providers.

identity:get_service_provider
Default:

rule:admin_required

Operations:
  • GET /v3/OS-FEDERATION/service_providers/{service_provider_id}
  • HEAD /v3/OS-FEDERATION/service_providers/{service_provider_id}
Scope Types:
  • system

Get federated service provider.

identity:update_service_provider
Default:

rule:admin_required

Operations:
  • PATCH /v3/OS-FEDERATION/service_providers/{service_provider_id}
Scope Types:
  • system

Update federated service provider.

identity:delete_service_provider
Default:

rule:admin_required

Operations:
  • DELETE /v3/OS-FEDERATION/service_providers/{service_provider_id}
Scope Types:
  • system

Delete federated service provider.

identity:revocation_list
Default:

rule:service_or_admin

Operations:
  • GET /v3/auth/tokens/OS-PKI/revoked
Scope Types:
  • system
  • project

List revoked PKI tokens.

identity:check_token
Default:

rule:admin_or_token_subject

Operations:
  • HEAD /v3/auth/tokens

Check a token.

identity:validate_token
Default:

rule:service_admin_or_token_subject

Operations:
  • GET /v3/auth/tokens

Validate a token.

identity:revoke_token
Default:

rule:admin_or_token_subject

Operations:
  • DELETE /v3/auth/tokens

Revoke a token.

identity:create_trust
Default:

user_id:%(trust.trustor_user_id)s

Operations:
  • POST /v3/OS-TRUST/trusts
Scope Types:
  • project

Create trust.

identity:list_trusts
Default:

<empty string>

Operations:
  • GET /v3/OS-TRUST/trusts
  • HEAD /v3/OS-TRUST/trusts
Scope Types:
  • project

List trusts.

identity:list_roles_for_trust
Default:

<empty string>

Operations:
  • GET /v3/OS-TRUST/trusts/{trust_id}/roles
  • HEAD /v3/OS-TRUST/trusts/{trust_id}/roles
Scope Types:
  • project

List roles delegated by a trust.

identity:get_role_for_trust
Default:

<empty string>

Operations:
  • GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
  • HEAD /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
Scope Types:
  • project

Check if trust delegates a particular role.

identity:delete_trust
Default:

<empty string>

Operations:
  • DELETE /v3/OS-TRUST/trusts/{trust_id}
Scope Types:
  • project

Revoke trust.

identity:get_trust
Default:

<empty string>

Operations:
  • GET /v3/OS-TRUST/trusts/{trust_id}
  • HEAD /v3/OS-TRUST/trusts/{trust_id}
Scope Types:
  • project

Get trust.

identity:get_user
Default:

rule:admin_or_owner

Operations:
  • GET /v3/users/{user_id}
  • HEAD /v3/users/{user_id}

Show user details.

identity:list_users
Default:

rule:admin_required

Operations:
  • GET /v3/users
  • HEAD /v3/users
Scope Types:
  • system

List users.

identity:list_projects_for_user
Default:

<empty string>

Operations:
  • GET `` /v3/auth/projects``

List all projects a user has access to via role assignments.

identity:list_domains_for_user
Default:

<empty string>

Operations:
  • GET /v3/auth/domains

List all domains a user has access to via role assignments.

identity:create_user
Default:

rule:admin_required

Operations:
  • POST /v3/users
Scope Types:
  • system

Create a user.

identity:update_user
Default:

rule:admin_required

Operations:
  • PATCH /v3/users/{user_id}
Scope Types:
  • system

Update a user, including administrative password resets.

identity:delete_user
Default:

rule:admin_required

Operations:
  • DELETE /v3/users/{user_id}
Scope Types:
  • system

Delete a user.

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.