The following is an overview of all available policies in Keystone. For a sample configuration file, refer to policy.yaml.
admin_required
Default: | role:admin or is_admin:1 |
---|
(no description provided)
service_role
Default: | role:service |
---|
(no description provided)
service_or_admin
Default: | rule:admin_required or rule:service_role |
---|
(no description provided)
owner
Default: | user_id:%(user_id)s |
---|
(no description provided)
admin_or_owner
Default: | rule:admin_required or rule:owner |
---|
(no description provided)
token_subject
Default: | user_id:%(target.token.user_id)s |
---|
(no description provided)
admin_or_token_subject
Default: | rule:admin_required or rule:token_subject |
---|
(no description provided)
service_admin_or_token_subject
Default: | rule:service_or_admin or rule:token_subject |
---|
(no description provided)
identity:authorize_request_token
Default: |
|
---|---|
Operations: |
|
Authorize OAUTH1 request token.
identity:get_access_token
Default: |
|
---|---|
Operations: |
|
Get OAUTH1 access token for user by access token ID.
identity:get_access_token_role
Default: |
|
---|---|
Operations: |
|
Get role for user OAUTH1 access token.
identity:list_access_tokens
Default: |
|
---|---|
Operations: |
|
List OAUTH1 access tokens for user.
identity:list_access_token_roles
Default: |
|
---|---|
Operations: |
|
List OAUTH1 access token roles.
identity:delete_access_token
Default: |
|
---|---|
Operations: |
|
Delete OAUTH1 access token.
identity:get_auth_catalog
Default: | <empty string> |
---|---|
Operations: |
|
Get service catalog.
identity:get_auth_projects
Default: | <empty string> |
---|---|
Operations: |
|
List all projects a user has access to via role assignments.
identity:get_auth_domains
Default: | <empty string> |
---|---|
Operations: |
|
List all domains a user has access to via role assignments.
identity:get_consumer
Default: |
|
---|---|
Operations: |
|
Show OAUTH1 consumer details.
identity:list_consumers
Default: |
|
---|---|
Operations: |
|
List OAUTH1 consumers.
identity:create_consumer
Default: |
|
---|---|
Operations: |
|
Create OAUTH1 consumer.
identity:update_consumer
Default: |
|
---|---|
Operations: |
|
Update OAUTH1 consumer.
identity:delete_consumer
Default: |
|
---|---|
Operations: |
|
Delete OAUTH1 consumer.
identity:get_credential
Default: |
|
---|---|
Operations: |
|
Show credentials details.
identity:list_credentials
Default: |
|
---|---|
Operations: |
|
List credentials.
identity:create_credential
Default: |
|
---|---|
Operations: |
|
Create credential.
identity:update_credential
Default: |
|
---|---|
Operations: |
|
Update credential.
identity:delete_credential
Default: |
|
---|---|
Operations: |
|
Delete credential.
identity:get_domain
Default: |
|
---|---|
Operations: |
|
Show domain details.
identity:list_domains
Default: |
|
---|---|
Operations: |
|
List domains.
identity:create_domain
Default: |
|
---|---|
Operations: |
|
Create domain.
identity:update_domain
Default: |
|
---|---|
Operations: |
|
Update domain.
identity:delete_domain
Default: |
|
---|---|
Operations: |
|
Delete domain.
identity:create_domain_config
Default: |
|
---|---|
Operations: |
|
Create domain configuration.
identity:get_domain_config
Default: |
|
---|---|
Operations: |
|
Get the entire domain configuration for a domain, an option group within a domain, or a specific configuration option within a group for a domain.
identity:get_security_compliance_domain_config
Default: | <empty string> |
---|---|
Operations: |
|
Get security compliance domain configuration for either a domain or a specific option in a domain.
identity:update_domain_config
Default: |
|
---|---|
Operations: |
|
Update domain configuration for either a domain, specific group or a specific option in a group.
identity:delete_domain_config
Default: |
|
---|---|
Operations: |
|
Delete domain configuration for either a domain, specific group or a specific option in a group.
identity:get_domain_config_default
Default: |
|
---|---|
Operations: |
|
Get domain configuration default for either a domain, specific group or a specific option in a group.
identity:ec2_get_credential
Default: |
|
---|---|
Operations: |
|
Show ec2 credential details.
identity:ec2_list_credentials
Default: |
|
---|---|
Operations: |
|
List ec2 credentials.
identity:ec2_create_credential
Default: |
|
---|---|
Operations: |
|
Create ec2 credential.
identity:ec2_delete_credential
Default: |
|
---|---|
Operations: |
|
Delete ec2 credential.
identity:get_endpoint
Default: |
|
---|---|
Operations: |
|
Show endpoint details.
identity:list_endpoints
Default: |
|
---|---|
Operations: |
|
List endpoints.
identity:create_endpoint
Default: |
|
---|---|
Operations: |
|
Create endpoint.
identity:update_endpoint
Default: |
|
---|---|
Operations: |
|
Update endpoint.
identity:delete_endpoint
Default: |
|
---|---|
Operations: |
|
Delete endpoint.
identity:create_endpoint_group
Default: |
|
---|---|
Operations: |
|
Create endpoint group.
identity:list_endpoint_groups
Default: |
|
---|---|
Operations: |
|
List endpoint groups.
identity:get_endpoint_group
Default: |
|
---|---|
Operations: |
|
Get endpoint group.
identity:update_endpoint_group
Default: |
|
---|---|
Operations: |
|
Update endpoint group.
identity:delete_endpoint_group
Default: |
|
---|---|
Operations: |
|
Delete endpoint group.
identity:list_projects_associated_with_endpoint_group
Default: |
|
---|---|
Operations: |
|
List all projects associated with a specific endpoint group.
identity:list_endpoints_associated_with_endpoint_group
Default: |
|
---|---|
Operations: |
|
List all endpoints associated with an endpoint group.
identity:get_endpoint_group_in_project
Default: |
|
---|---|
Operations: |
|
Check if an endpoint group is associated with a project.
identity:list_endpoint_groups_for_project
Default: |
|
---|---|
Operations: |
|
List endpoint groups associated with a specific project.
identity:add_endpoint_group_to_project
Default: |
|
---|---|
Operations: |
|
Allow a project to access an endpoint group.
identity:remove_endpoint_group_from_project
Default: |
|
---|---|
Operations: |
|
Remove endpoint group from project.
identity:check_grant
Default: |
|
---|---|
Operations: |
|
Check a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.
identity:list_grants
Default: |
|
---|---|
Operations: |
|
List roles granted to an actor on a target. A target can be either a domain or a project. An actor can be either a user or a group. For the OS-INHERIT APIs, it is possible to list inherited role grants for actors on domains, where grants are inherited to all projects in the specified domain.
identity:create_grant
Default: |
|
---|---|
Operations: |
|
Create a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.
identity:revoke_grant
Default: |
|
---|---|
Operations: |
|
Revoke a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable. In that case, revoking the role grant in the target would remove the logical effect of inheriting it to the target’s projects subtree.
identity:get_group
Default: |
|
---|---|
Operations: |
|
Show group details.
identity:list_groups
Default: |
|
---|---|
Operations: |
|
List groups.
identity:list_groups_for_user
Default: |
|
---|---|
Operations: |
|
List groups to which a user belongs.
identity:create_group
Default: |
|
---|---|
Operations: |
|
Create group.
identity:update_group
Default: |
|
---|---|
Operations: |
|
Update group.
identity:delete_group
Default: |
|
---|---|
Operations: |
|
Delete group.
identity:list_users_in_group
Default: |
|
---|---|
Operations: |
|
List members of a specific group.
identity:remove_user_from_group
Default: |
|
---|---|
Operations: |
|
Remove user from group.
identity:check_user_in_group
Default: |
|
---|---|
Operations: |
|
Check whether a user is a member of a group.
identity:add_user_to_group
Default: |
|
---|---|
Operations: |
|
Add user to group.
identity:create_identity_provider
Default: |
|
---|---|
Operations: |
|
Create identity provider.
identity:list_identity_providers
Default: |
|
---|---|
Operations: |
|
List identity providers.
identity:get_identity_provider
Default: |
|
---|---|
Operations: |
|
Get identity provider.
identity:update_identity_provider
Default: |
|
---|---|
Operations: |
|
Update identity provider.
identity:delete_identity_provider
Default: |
|
---|---|
Operations: |
|
Delete identity provider.
identity:get_implied_role
Default: |
|
---|---|
Operations: |
|
Get information about an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
identity:list_implied_roles
Default: |
|
---|---|
Operations: |
|
List associations between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. This will return all the implied roles that would be assumed by the user who gets the specified prior role.
identity:create_implied_role
Default: |
|
---|---|
Operations: |
|
Create an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
identity:delete_implied_role
Default: |
|
---|---|
Operations: |
|
Delete the association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. Removing the association will cause that effect to be eliminated.
identity:list_role_inference_rules
Default: |
|
---|---|
Operations: |
|
List all associations between two roles in the system. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
identity:check_implied_role
Default: |
|
---|---|
Operations: |
|
Check an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.
identity:create_mapping
Default: |
|
---|---|
Operations: |
|
Create a new federated mapping containing one or more sets of rules.
identity:get_mapping
Default: |
|
---|---|
Operations: |
|
Get a federated mapping.
identity:list_mappings
Default: |
|
---|---|
Operations: |
|
List federated mappings.
identity:delete_mapping
Default: |
|
---|---|
Operations: |
|
Delete a federated mapping.
identity:update_mapping
Default: |
|
---|---|
Operations: |
|
Update a federated mapping.
identity:get_policy
Default: |
|
---|---|
Operations: |
|
Show policy details.
identity:list_policies
Default: |
|
---|---|
Operations: |
|
List policies.
identity:create_policy
Default: |
|
---|---|
Operations: |
|
Create policy.
identity:update_policy
Default: |
|
---|---|
Operations: |
|
Update policy.
identity:delete_policy
Default: |
|
---|---|
Operations: |
|
Delete policy.
identity:create_policy_association_for_endpoint
Default: |
|
---|---|
Operations: |
|
Associate a policy to a specific endpoint.
identity:check_policy_association_for_endpoint
Default: |
|
---|---|
Operations: |
|
Check policy association for endpoint.
identity:delete_policy_association_for_endpoint
Default: |
|
---|---|
Operations: |
|
Delete policy association for endpoint.
identity:create_policy_association_for_service
Default: |
|
---|---|
Operations: |
|
Associate a policy to a specific service.
identity:check_policy_association_for_service
Default: |
|
---|---|
Operations: |
|
Check policy association for service.
identity:delete_policy_association_for_service
Default: |
|
---|---|
Operations: |
|
Delete policy association for service.
identity:create_policy_association_for_region_and_service
Default: |
|
---|---|
Operations: |
|
Associate a policy to a specific region and service combination.
identity:check_policy_association_for_region_and_service
Default: |
|
---|---|
Operations: |
|
Check policy association for region and service.
identity:delete_policy_association_for_region_and_service
Default: |
|
---|---|
Operations: |
|
Delete policy association for region and service.
identity:get_policy_for_endpoint
Default: |
|
---|---|
Operations: |
|
Get policy for endpoint.
identity:list_endpoints_for_policy
Default: |
|
---|---|
Operations: |
|
List endpoints for policy.
identity:get_project
Default: |
|
---|---|
Operations: |
|
Show project details.
identity:list_projects
Default: |
|
---|---|
Operations: |
|
List projects.
identity:list_user_projects
Default: |
|
---|---|
Operations: |
|
List projects for user.
identity:create_project
Default: |
|
---|---|
Operations: |
|
Create project.
identity:update_project
Default: |
|
---|---|
Operations: |
|
Update project.
identity:delete_project
Default: |
|
---|---|
Operations: |
|
Delete project.
identity:list_projects_for_endpoint
Default: |
|
---|---|
Operations: |
|
List projects allowed to access an endpoint.
identity:add_endpoint_to_project
Default: |
|
---|---|
Operations: |
|
Allow project to access an endpoint.
identity:check_endpoint_in_project
Default: |
|
---|---|
Operations: |
|
Check if a project is allowed to access an endpoint.
identity:list_endpoints_for_project
Default: |
|
---|---|
Operations: |
|
List the endpoints a project is allowed to access.
identity:remove_endpoint_from_project
Default: |
|
---|---|
Operations: |
|
Remove access to an endpoint from a project that has previously been given explicit access.
identity:create_protocol
Default: |
|
---|---|
Operations: |
|
Create federated protocol.
identity:update_protocol
Default: |
|
---|---|
Operations: |
|
Update federated protocol.
identity:get_protocol
Default: |
|
---|---|
Operations: |
|
Get federated protocol.
identity:list_protocols
Default: |
|
---|---|
Operations: |
|
List federated protocols.
identity:delete_protocol
Default: |
|
---|---|
Operations: |
|
Delete federated protocol.
identity:get_region
Default: | <empty string> |
---|---|
Operations: |
|
Show region details.
identity:list_regions
Default: | <empty string> |
---|---|
Operations: |
|
List regions.
identity:create_region
Default: |
|
---|---|
Operations: |
|
Create region.
identity:update_region
Default: |
|
---|---|
Operations: |
|
Update region.
identity:delete_region
Default: |
|
---|---|
Operations: |
|
Delete region.
identity:list_revoke_events
Default: |
|
---|---|
Operations: |
|
List revocation events.
identity:get_role
Default: |
|
---|---|
Operations: |
|
Show role details.
identity:list_roles
Default: |
|
---|---|
Operations: |
|
List roles.
identity:create_role
Default: |
|
---|---|
Operations: |
|
Create role.
identity:update_role
Default: |
|
---|---|
Operations: |
|
Update role.
identity:delete_role
Default: |
|
---|---|
Operations: |
|
Delete role.
identity:get_domain_role
Default: |
|
---|---|
Operations: |
|
Show domain role.
identity:list_domain_roles
Default: |
|
---|---|
Operations: |
|
List domain roles.
identity:create_domain_role
Default: |
|
---|---|
Operations: |
|
Create domain role.
identity:update_domain_role
Default: |
|
---|---|
Operations: |
|
Update domain role.
identity:delete_domain_role
Default: |
|
---|---|
Operations: |
|
Delete domain role.
identity:list_role_assignments
Default: |
|
---|---|
Operations: |
|
List role assignments.
identity:list_role_assignments_for_tree
Default: |
|
---|---|
Operations: |
|
List all role assignments for a given tree of hierarchical projects.
identity:get_service
Default: |
|
---|---|
Operations: |
|
Show service details.
identity:list_services
Default: |
|
---|---|
Operations: |
|
List services.
identity:create_service
Default: |
|
---|---|
Operations: |
|
Create service.
identity:update_service
Default: |
|
---|---|
Operations: |
|
Update service.
identity:delete_service
Default: |
|
---|---|
Operations: |
|
Delete service.
identity:create_service_provider
Default: |
|
---|---|
Operations: |
|
Create federated service provider.
identity:list_service_providers
Default: |
|
---|---|
Operations: |
|
List federated service providers.
identity:get_service_provider
Default: |
|
---|---|
Operations: |
|
Get federated service provider.
identity:update_service_provider
Default: |
|
---|---|
Operations: |
|
Update federated service provider.
identity:delete_service_provider
Default: |
|
---|---|
Operations: |
|
Delete federated service provider.
identity:revocation_list
Default: |
|
---|---|
Operations: |
|
List revoked PKI tokens.
identity:check_token
Default: |
|
---|---|
Operations: |
|
Check a token.
identity:validate_token
Default: |
|
---|---|
Operations: |
|
Validate a token.
identity:validate_token_head
Default: |
|
---|---|
Operations: |
|
Validate a token.
identity:revoke_token
Default: |
|
---|---|
Operations: |
|
Revoke a token.
identity:create_trust
Default: |
|
---|---|
Operations: |
|
Create trust.
identity:list_trusts
Default: | <empty string> |
---|---|
Operations: |
|
List trusts.
identity:list_roles_for_trust
Default: | <empty string> |
---|---|
Operations: |
|
List roles delegated by a trust.
identity:get_role_for_trust
Default: | <empty string> |
---|---|
Operations: |
|
Check if trust delegates a particular role.
identity:delete_trust
Default: | <empty string> |
---|---|
Operations: |
|
Revoke trust.
identity:get_trust
Default: | <empty string> |
---|---|
Operations: |
|
Get trust.
identity:get_user
Default: |
|
---|---|
Operations: |
|
Show user details.
identity:list_users
Default: |
|
---|---|
Operations: |
|
List users.
identity:list_projects_for_user
Default: | <empty string> |
---|---|
Operations: |
|
List all projects a user has access to via role assignments.
identity:list_domains_for_user
Default: | <empty string> |
---|---|
Operations: |
|
List all domains a user has access to via role assignments.
identity:create_user
Default: |
|
---|---|
Operations: |
|
Create a user.
identity:update_user
Default: |
|
---|---|
Operations: |
|
Update a user, including administrative password resets.
identity:delete_user
Default: |
|
---|---|
Operations: |
|
Delete a user.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.