Policy configuration

Policy configuration

Configuration

The following is an overview of all available policies in Keystone. For a sample configuration file, refer to policy.yaml.

keystone

admin_required
Default:role:admin or is_admin:1

(no description provided)

service_role
Default:role:service

(no description provided)

service_or_admin
Default:rule:admin_required or rule:service_role

(no description provided)

owner
Default:user_id:%(user_id)s

(no description provided)

admin_or_owner
Default:rule:admin_required or rule:owner

(no description provided)

token_subject
Default:user_id:%(target.token.user_id)s

(no description provided)

admin_or_token_subject
Default:rule:admin_required or rule:token_subject

(no description provided)

service_admin_or_token_subject
Default:rule:service_or_admin or rule:token_subject

(no description provided)

identity:get_application_credential
Default:

rule:admin_or_owner

Operations:
  • GET /v3/users/{user_id}/application_credentials/{application_credential_id}
  • HEAD /v3/users/{user_id}/application_credentials/{application_credential_id}

Show application credential details.

identity:list_application_credentials
Default:

rule:admin_or_owner

Operations:
  • GET /v3/users/{user_id}/application_credentials
  • HEAD /v3/users/{user_id}/application_credentials

List application credentials for a user.

identity:create_application_credential
Default:

rule:admin_or_owner

Operations:
  • POST /v3/users/{user_id}/application_credentials

Create an application credential.

identity:delete_application_credential
Default:

rule:admin_or_owner

Operations:
  • DELETE /v3/users/{user_id}/application_credentials/{application_credential_id}

Delete an application credential.

identity:authorize_request_token
Default:

rule:admin_required

Operations:
  • PUT /v3/OS-OAUTH1/authorize/{request_token_id}

Authorize OAUTH1 request token.

identity:get_access_token
Default:

rule:admin_required

Operations:
  • GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}

Get OAUTH1 access token for user by access token ID.

identity:get_access_token_role
Default:

rule:admin_required

Operations:
  • GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}

Get role for user OAUTH1 access token.

identity:list_access_tokens
Default:

rule:admin_required

Operations:
  • GET /v3/users/{user_id}/OS-OAUTH1/access_tokens

List OAUTH1 access tokens for user.

identity:list_access_token_roles
Default:

rule:admin_required

Operations:
  • GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles

List OAUTH1 access token roles.

identity:delete_access_token
Default:

rule:admin_required

Operations:
  • DELETE /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}

Delete OAUTH1 access token.

identity:get_auth_catalog
Default:

<empty string>

Operations:
  • GET /v3/auth/catalog
  • HEAD /v3/auth/catalog

Get service catalog.

identity:get_auth_projects
Default:

<empty string>

Operations:
  • GET /v3/auth/projects
  • HEAD /v3/auth/projects

List all projects a user has access to via role assignments.

identity:get_auth_domains
Default:

<empty string>

Operations:
  • GET /v3/auth/domains
  • HEAD /v3/auth/domains

List all domains a user has access to via role assignments.

identity:get_auth_system
Default:

<empty string>

Operations:
  • GET /v3/auth/system
  • HEAD /v3/auth/system

List systems a user has access to via role assignments.

identity:get_consumer
Default:

rule:admin_required

Operations:
  • GET /v3/OS-OAUTH1/consumers/{consumer_id}

Show OAUTH1 consumer details.

identity:list_consumers
Default:

rule:admin_required

Operations:
  • GET /v3/OS-OAUTH1/consumers

List OAUTH1 consumers.

identity:create_consumer
Default:

rule:admin_required

Operations:
  • POST /v3/OS-OAUTH1/consumers

Create OAUTH1 consumer.

identity:update_consumer
Default:

rule:admin_required

Operations:
  • PATCH /v3/OS-OAUTH1/consumers/{consumer_id}

Update OAUTH1 consumer.

identity:delete_consumer
Default:

rule:admin_required

Operations:
  • DELETE /v3/OS-OAUTH1/consumers/{consumer_id}

Delete OAUTH1 consumer.

identity:get_credential
Default:

rule:admin_required

Operations:
  • GET /v3/credentials/{credential_id}

Show credentials details.

identity:list_credentials
Default:

rule:admin_required

Operations:
  • GET /v3/credentials

List credentials.

identity:create_credential
Default:

rule:admin_required

Operations:
  • POST /v3/credentials

Create credential.

identity:update_credential
Default:

rule:admin_required

Operations:
  • PATCH /v3/credentials/{credential_id}

Update credential.

identity:delete_credential
Default:

rule:admin_required

Operations:
  • DELETE /v3/credentials/{credential_id}

Delete credential.

identity:get_domain
Default:

rule:admin_required or token.project.domain.id:%(target.domain.id)s

Operations:
  • GET /v3/domains/{domain_id}

Show domain details.

identity:list_domains
Default:

rule:admin_required

Operations:
  • GET /v3/domains

List domains.

identity:create_domain
Default:

rule:admin_required

Operations:
  • POST /v3/domains

Create domain.

identity:update_domain
Default:

rule:admin_required

Operations:
  • PATCH /v3/domains/{domain_id}

Update domain.

identity:delete_domain
Default:

rule:admin_required

Operations:
  • DELETE /v3/domains/{domain_id}

Delete domain.

identity:create_domain_config
Default:

rule:admin_required

Operations:
  • PUT /v3/domains/{domain_id}/config

Create domain configuration.

identity:get_domain_config
Default:

rule:admin_required

Operations:
  • GET /v3/domains/{domain_id}/config
  • HEAD /v3/domains/{domain_id}/config
  • GET /v3/domains/{domain_id}/config/{group}
  • HEAD /v3/domains/{domain_id}/config/{group}
  • GET /v3/domains/{domain_id}/config/{group}/{option}
  • HEAD /v3/domains/{domain_id}/config/{group}/{option}

Get the entire domain configuration for a domain, an option group within a domain, or a specific configuration option within a group for a domain.

identity:get_security_compliance_domain_config
Default:

<empty string>

Operations:
  • GET /v3/domains/{domain_id}/config/security_compliance
  • HEAD /v3/domains/{domain_id}/config/security_compliance
  • GET v3/domains/{domain_id}/config/security_compliance/{option}
  • HEAD v3/domains/{domain_id}/config/security_compliance/{option}

Get security compliance domain configuration for either a domain or a specific option in a domain.

identity:update_domain_config
Default:

rule:admin_required

Operations:
  • PATCH /v3/domains/{domain_id}/config
  • PATCH /v3/domains/{domain_id}/config/{group}
  • PATCH /v3/domains/{domain_id}/config/{group}/{option}

Update domain configuration for either a domain, specific group or a specific option in a group.

identity:delete_domain_config
Default:

rule:admin_required

Operations:
  • DELETE /v3/domains/{domain_id}/config
  • DELETE /v3/domains/{domain_id}/config/{group}
  • DELETE /v3/domains/{domain_id}/config/{group}/{option}

Delete domain configuration for either a domain, specific group or a specific option in a group.

identity:get_domain_config_default
Default:

rule:admin_required

Operations:
  • GET /v3/domains/config/default
  • HEAD /v3/domains/config/default
  • GET /v3/domains/config/{group}/default
  • HEAD /v3/domains/config/{group}/default
  • GET /v3/domains/config/{group}/{option}/default
  • HEAD /v3/domains/config/{group}/{option}/default

Get domain configuration default for either a domain, specific group or a specific option in a group.

identity:ec2_get_credential
Default:

rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)

Operations:
  • GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id}

Show ec2 credential details.

identity:ec2_list_credentials
Default:

rule:admin_or_owner

Operations:
  • GET /v3/users/{user_id}/credentials/OS-EC2

List ec2 credentials.

identity:ec2_create_credential
Default:

rule:admin_or_owner

Operations:
  • POST /v3/users/{user_id}/credentials/OS-EC2

Create ec2 credential.

identity:ec2_delete_credential
Default:

rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)

Operations:
  • DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id}

Delete ec2 credential.

identity:get_endpoint
Default:

rule:admin_required

Operations:
  • GET /v3/endpoints/{endpoint_id}

Show endpoint details.

identity:list_endpoints
Default:

rule:admin_required

Operations:
  • GET /v3/endpoints

List endpoints.

identity:create_endpoint
Default:

rule:admin_required

Operations:
  • POST /v3/endpoints

Create endpoint.

identity:update_endpoint
Default:

rule:admin_required

Operations:
  • PATCH /v3/endpoints/{endpoint_id}

Update endpoint.

identity:delete_endpoint
Default:

rule:admin_required

Operations:
  • DELETE /v3/endpoints/{endpoint_id}

Delete endpoint.

identity:create_endpoint_group
Default:

rule:admin_required

Operations:
  • POST /v3/OS-EP-FILTER/endpoint_groups

Create endpoint group.

identity:list_endpoint_groups
Default:

rule:admin_required

Operations:
  • GET /v3/OS-EP-FILTER/endpoint_groups

List endpoint groups.

identity:get_endpoint_group
Default:

rule:admin_required

Operations:
  • GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
  • HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}

Get endpoint group.

identity:update_endpoint_group
Default:

rule:admin_required

Operations:
  • PATCH /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}

Update endpoint group.

identity:delete_endpoint_group
Default:

rule:admin_required

Operations:
  • DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}

Delete endpoint group.

identity:list_projects_associated_with_endpoint_group
Default:

rule:admin_required

Operations:
  • GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects

List all projects associated with a specific endpoint group.

identity:list_endpoints_associated_with_endpoint_group
Default:

rule:admin_required

Operations:
  • GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints

List all endpoints associated with an endpoint group.

identity:get_endpoint_group_in_project
Default:

rule:admin_required

Operations:
  • GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
  • HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}

Check if an endpoint group is associated with a project.

identity:list_endpoint_groups_for_project
Default:

rule:admin_required

Operations:
  • GET /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups

List endpoint groups associated with a specific project.

identity:add_endpoint_group_to_project
Default:

rule:admin_required

Operations:
  • PUT /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}

Allow a project to access an endpoint group.

identity:remove_endpoint_group_from_project
Default:

rule:admin_required

Operations:
  • DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}

Remove endpoint group from project.

identity:check_grant
Default:

rule:admin_required

Operations:
  • HEAD /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
  • GET /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
  • HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
  • GET /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
  • HEAD /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
  • GET /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
  • HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
  • GET /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
  • HEAD /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  • GET /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  • HEAD /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
  • GET /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
  • HEAD /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  • GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  • HEAD /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
  • GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

Check a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.

identity:list_grants
Default:

rule:admin_required

Operations:
  • GET /v3/projects/{project_id}/users/{user_id}/roles
  • HEAD /v3/projects/{project_id}/users/{user_id}/roles
  • GET /v3/projects/{project_id}/groups/{group_id}/roles
  • HEAD /v3/projects/{project_id}/groups/{group_id}/roles
  • GET /v3/domains/{domain_id}/users/{user_id}/roles
  • HEAD /v3/domains/{domain_id}/users/{user_id}/roles
  • GET /v3/domains/{domain_id}/groups/{group_id}/roles
  • HEAD /v3/domains/{domain_id}/groups/{group_id}/roles
  • GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
  • GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects

List roles granted to an actor on a target. A target can be either a domain or a project. An actor can be either a user or a group. For the OS-INHERIT APIs, it is possible to list inherited role grants for actors on domains, where grants are inherited to all projects in the specified domain.

identity:create_grant
Default:

rule:admin_required

Operations:
  • PUT /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
  • PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
  • PUT /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
  • PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
  • PUT /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  • PUT /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
  • PUT /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  • PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

Create a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable.

identity:revoke_grant
Default:

rule:admin_required

Operations:
  • DELETE /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
  • DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
  • DELETE /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
  • DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
  • DELETE /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  • DELETE /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
  • DELETE /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
  • DELETE /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

Revoke a role grant between a target and an actor. A target can be either a domain or a project. An actor can be either a user or a group. These terms also apply to the OS-INHERIT APIs, where grants on the target are inherited to all projects in the subtree, if applicable. In that case, revoking the role grant in the target would remove the logical effect of inheriting it to the target’s projects subtree.

identity:list_system_grants_for_user
Default:

rule:admin_required

Operations:
  • [‘HEAD’, ‘GET’] /v3/system/users/{user_id}/roles

List all grants a specific user has on the system.

identity:check_system_grant_for_user
Default:

rule:admin_required

Operations:
  • [‘HEAD’, ‘GET’] /v3/system/users/{user_id}/roles/{role_id}

Check if a user has a role on the system.

identity:create_system_grant_for_user
Default:

rule:admin_required

Operations:
  • [‘PUT’] /v3/system/users/{user_id}/roles/{role_id}

Grant a user a role on the system.

identity:revoke_system_grant_for_user
Default:

rule:admin_required

Operations:
  • [‘DELETE’] /v3/system/users/{user_id}/roles/{role_id}

Remove a role from a user on the system.

identity:list_system_grants_for_group
Default:

rule:admin_required

Operations:
  • [‘HEAD’, ‘GET’] /v3/system/groups/{group_id}/roles

List all grants a specific group has on the system.

identity:check_system_grant_for_group
Default:

rule:admin_required

Operations:
  • [‘HEAD’, ‘GET’] /v3/system/groups/{group_id}/roles/{role_id}

Check if a group has a role on the system.

identity:create_system_grant_for_group
Default:

rule:admin_required

Operations:
  • [‘PUT’] /v3/system/groups/{group_id}/roles/{role_id}

Grant a group a role on the system.

identity:revoke_system_grant_for_group
Default:

rule:admin_required

Operations:
  • [‘DELETE’] /v3/system/groups/{group_id}/roles/{role_id}

Remove a role from a group on the system.

identity:get_group
Default:

rule:admin_required

Operations:
  • GET /v3/groups/{group_id}
  • HEAD /v3/groups/{group_id}

Show group details.

identity:list_groups
Default:

rule:admin_required

Operations:
  • GET /v3/groups
  • HEAD /v3/groups

List groups.

identity:list_groups_for_user
Default:

rule:admin_or_owner

Operations:
  • GET /v3/users/{user_id}/groups
  • HEAD /v3/users/{user_id}/groups

List groups to which a user belongs.

identity:create_group
Default:

rule:admin_required

Operations:
  • POST /v3/groups

Create group.

identity:update_group
Default:

rule:admin_required

Operations:
  • PATCH /v3/groups/{group_id}

Update group.

identity:delete_group
Default:

rule:admin_required

Operations:
  • DELETE /v3/groups/{group_id}

Delete group.

identity:list_users_in_group
Default:

rule:admin_required

Operations:
  • GET /v3/groups/{group_id}/users
  • HEAD /v3/groups/{group_id}/users

List members of a specific group.

identity:remove_user_from_group
Default:

rule:admin_required

Operations:
  • DELETE /v3/groups/{group_id}/users/{user_id}

Remove user from group.

identity:check_user_in_group
Default:

rule:admin_required

Operations:
  • HEAD /v3/groups/{group_id}/users/{user_id}
  • GET /v3/groups/{group_id}/users/{user_id}

Check whether a user is a member of a group.

identity:add_user_to_group
Default:

rule:admin_required

Operations:
  • PUT /v3/groups/{group_id}/users/{user_id}

Add user to group.

identity:create_identity_provider
Default:

rule:admin_required

Operations:
  • PUT /v3/OS-FEDERATION/identity_providers/{idp_id}

Create identity provider.

identity:list_identity_providers
Default:

rule:admin_required

Operations:
  • GET /v3/OS-FEDERATION/identity_providers
  • HEAD /v3/OS-FEDERATION/identity_providers

List identity providers.

identity:get_identity_provider
Default:

rule:admin_required

Operations:
  • GET /v3/OS-FEDERATION/identity_providers/{idp_id}
  • HEAD /v3/OS-FEDERATION/identity_providers/{idp_id}

Get identity provider.

identity:update_identity_provider
Default:

rule:admin_required

Operations:
  • PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}

Update identity provider.

identity:delete_identity_provider
Default:

rule:admin_required

Operations:
  • DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}

Delete identity provider.

identity:get_implied_role
Default:

rule:admin_required

Operations:
  • GET /v3/roles/{prior_role_id}/implies/{implied_role_id}

Get information about an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.

identity:list_implied_roles
Default:

rule:admin_required

Operations:
  • GET /v3/roles/{prior_role_id}/implies
  • HEAD /v3/roles/{prior_role_id}/implies

List associations between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. This will return all the implied roles that would be assumed by the user who gets the specified prior role.

identity:create_implied_role
Default:

rule:admin_required

Operations:
  • PUT /v3/roles/{prior_role_id}/implies/{implied_role_id}

Create an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.

identity:delete_implied_role
Default:

rule:admin_required

Operations:
  • DELETE /v3/roles/{prior_role_id}/implies/{implied_role_id}

Delete the association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role. Removing the association will cause that effect to be eliminated.

identity:list_role_inference_rules
Default:

rule:admin_required

Operations:
  • GET /v3/role_inferences
  • HEAD /v3/role_inferences

List all associations between two roles in the system. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.

identity:check_implied_role
Default:

rule:admin_required

Operations:
  • HEAD /v3/roles/{prior_role_id}/implies/{implied_role_id}

Check an association between two roles. When a relationship exists between a prior role and an implied role and the prior role is assigned to a user, the user also assumes the implied role.

identity:get_limit
Default:

<empty string>

Operations:
  • GET /v3/limits/{limit_id}
  • HEAD /v3/limits/{limit_id}

Show limit details.

identity:list_limits
Default:

<empty string>

Operations:
  • GET /v3/limits
  • HEAD /v3/limits

List limits.

identity:create_limits
Default:

rule:admin_required

Operations:
  • POST /v3/limits

Create limits.

identity:update_limits
Default:

rule:admin_required

Operations:
  • PUT /v3/limits/{limit_id}

Update limits.

identity:delete_limit
Default:

rule:admin_required

Operations:
  • DELETE /v3/limits/{limit_id}

Delete limit.

identity:create_mapping
Default:

rule:admin_required

Operations:
  • PUT /v3/OS-FEDERATION/mappings/{mapping_id}

Create a new federated mapping containing one or more sets of rules.

identity:get_mapping
Default:

rule:admin_required

Operations:
  • GET /v3/OS-FEDERATION/mappings/{mapping_id}
  • HEAD /v3/OS-FEDERATION/mappings/{mapping_id}

Get a federated mapping.

identity:list_mappings
Default:

rule:admin_required

Operations:
  • GET /v3/OS-FEDERATION/mappings
  • HEAD /v3/OS-FEDERATION/mappings

List federated mappings.

identity:delete_mapping
Default:

rule:admin_required

Operations:
  • DELETE /v3/OS-FEDERATION/mappings/{mapping_id}

Delete a federated mapping.

identity:update_mapping
Default:

rule:admin_required

Operations:
  • PATCH /v3/OS-FEDERATION/mappings/{mapping_id}

Update a federated mapping.

identity:get_policy
Default:

rule:admin_required

Operations:
  • GET /v3/policy/{policy_id}

Show policy details.

identity:list_policies
Default:

rule:admin_required

Operations:
  • GET /v3/policies

List policies.

identity:create_policy
Default:

rule:admin_required

Operations:
  • POST /v3/policies

Create policy.

identity:update_policy
Default:

rule:admin_required

Operations:
  • PATCH /v3/policies/{policy_id}

Update policy.

identity:delete_policy
Default:

rule:admin_required

Operations:
  • DELETE /v3/policies/{policy_id}

Delete policy.

identity:create_policy_association_for_endpoint
Default:

rule:admin_required

Operations:
  • PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}

Associate a policy to a specific endpoint.

identity:check_policy_association_for_endpoint
Default:

rule:admin_required

Operations:
  • GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
  • HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}

Check policy association for endpoint.

identity:delete_policy_association_for_endpoint
Default:

rule:admin_required

Operations:
  • DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}

Delete policy association for endpoint.

identity:create_policy_association_for_service
Default:

rule:admin_required

Operations:
  • PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}

Associate a policy to a specific service.

identity:check_policy_association_for_service
Default:

rule:admin_required

Operations:
  • GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
  • HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}

Check policy association for service.

identity:delete_policy_association_for_service
Default:

rule:admin_required

Operations:
  • DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}

Delete policy association for service.

identity:create_policy_association_for_region_and_service
Default:

rule:admin_required

Operations:
  • PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}

Associate a policy to a specific region and service combination.

identity:check_policy_association_for_region_and_service
Default:

rule:admin_required

Operations:
  • GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
  • HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}

Check policy association for region and service.

identity:delete_policy_association_for_region_and_service
Default:

rule:admin_required

Operations:
  • DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}

Delete policy association for region and service.

identity:get_policy_for_endpoint
Default:

rule:admin_required

Operations:
  • GET /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
  • HEAD /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy

Get policy for endpoint.

identity:list_endpoints_for_policy
Default:

rule:admin_required

Operations:
  • GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints

List endpoints for policy.

identity:get_project
Default:

rule:admin_required or project_id:%(target.project.id)s

Operations:
  • GET /v3/projects/{project_id}

Show project details.

identity:list_projects
Default:

rule:admin_required

Operations:
  • GET /v3/projects

List projects.

identity:list_user_projects
Default:

rule:admin_or_owner

Operations:
  • GET /v3/users/{user_id}/projects

List projects for user.

identity:create_project
Default:

rule:admin_required

Operations:
  • POST /v3/projects

Create project.

identity:update_project
Default:

rule:admin_required

Operations:
  • PATCH /v3/projects/{project_id}

Update project.

identity:delete_project
Default:

rule:admin_required

Operations:
  • DELETE /v3/projects/{project_id}

Delete project.

identity:list_project_tags
Default:

rule:admin_required or project_id:%(target.project.id)s

Operations:
  • GET /v3/projects/{project_id}/tags
  • HEAD /v3/projects/{project_id}/tags

List tags for a project.

identity:get_project_tag
Default:

rule:admin_required or project_id:%(target.project.id)s

Operations:
  • GET /v3/projects/{project_id}/tags/{value}
  • HEAD /v3/projects/{project_id}/tags/{value}

Check if project contains a tag.

identity:update_project_tags
Default:

rule:admin_required

Operations:
  • PUT /v3/projects/{project_id}/tags

Replace all tags on a project with the new set of tags.

identity:create_project_tag
Default:

rule:admin_required

Operations:
  • PUT /v3/projects/{project_id}/tags/{value}

Add a single tag to a project.

identity:delete_project_tags
Default:

rule:admin_required

Operations:
  • DELETE /v3/projects/{project_id}/tags

Remove all tags from a project.

identity:delete_project_tag
Default:

rule:admin_required

Operations:
  • DELETE /v3/projects/{project_id}/tags/{value}

Delete a specified tag from project.

identity:list_projects_for_endpoint
Default:

rule:admin_required

Operations:
  • GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects

List projects allowed to access an endpoint.

identity:add_endpoint_to_project
Default:

rule:admin_required

Operations:
  • PUT /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

Allow project to access an endpoint.

identity:check_endpoint_in_project
Default:

rule:admin_required

Operations:
  • GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
  • HEAD /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

Check if a project is allowed to access an endpoint.

identity:list_endpoints_for_project
Default:

rule:admin_required

Operations:
  • GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints

List the endpoints a project is allowed to access.

identity:remove_endpoint_from_project
Default:

rule:admin_required

Operations:
  • DELETE /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

Remove access to an endpoint from a project that has previously been given explicit access.

identity:create_protocol
Default:

rule:admin_required

Operations:
  • PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

Create federated protocol.

identity:update_protocol
Default:

rule:admin_required

Operations:
  • PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

Update federated protocol.

identity:get_protocol
Default:

rule:admin_required

Operations:
  • GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

Get federated protocol.

identity:list_protocols
Default:

rule:admin_required

Operations:
  • GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols

List federated protocols.

identity:delete_protocol
Default:

rule:admin_required

Operations:
  • DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

Delete federated protocol.

identity:get_region
Default:

<empty string>

Operations:
  • GET /v3/regions/{region_id}
  • HEAD /v3/regions/{region_id}

Show region details.

identity:list_regions
Default:

<empty string>

Operations:
  • GET /v3/regions
  • HEAD /v3/regions

List regions.

identity:create_region
Default:

rule:admin_required

Operations:
  • POST /v3/regions
  • PUT /v3/regions/{region_id}

Create region.

identity:update_region
Default:

rule:admin_required

Operations:
  • PATCH /v3/regions/{region_id}

Update region.

identity:delete_region
Default:

rule:admin_required

Operations:
  • DELETE /v3/regions/{region_id}

Delete region.

identity:get_registered_limit
Default:

<empty string>

Operations:
  • GET /v3/registered_limits/{registered_limit_id}
  • HEAD /v3/registered_limits/{registered_limit_id}

Show registered limit details.

identity:list_registered_limits
Default:

<empty string>

Operations:
  • GET /v3/registered_limits
  • HEAD /v3/registered_limits

List registered limits.

identity:create_registered_limits
Default:

rule:admin_required

Operations:
  • POST /v3/registered_limits

Create registered limits.

identity:update_registered_limits
Default:

rule:admin_required

Operations:
  • PUT /v3/registered_limits/{registered_limit_id}

Update registered limits.

identity:delete_registered_limit
Default:

rule:admin_required

Operations:
  • DELETE /v3/registered_limits/{registered_limit_id}

Delete registered limit.

identity:list_revoke_events
Default:

rule:service_or_admin

Operations:
  • GET /v3/OS-REVOKE/events

List revocation events.

identity:get_role
Default:

rule:admin_required

Operations:
  • GET /v3/roles/{role_id}
  • HEAD /v3/roles/{role_id}

Show role details.

identity:list_roles
Default:

rule:admin_required

Operations:
  • GET /v3/roles
  • HEAD /v3/roles

List roles.

identity:create_role
Default:

rule:admin_required

Operations:
  • POST /v3/roles

Create role.

identity:update_role
Default:

rule:admin_required

Operations:
  • PATCH /v3/roles/{role_id}

Update role.

identity:delete_role
Default:

rule:admin_required

Operations:
  • DELETE /v3/roles/{role_id}

Delete role.

identity:get_domain_role
Default:

rule:admin_required

Operations:
  • GET /v3/roles/{role_id}
  • HEAD /v3/roles/{role_id}

Show domain role.

identity:list_domain_roles
Default:

rule:admin_required

Operations:
  • GET /v3/roles?domain_id={domain_id}
  • HEAD /v3/roles?domain_id={domain_id}

List domain roles.

identity:create_domain_role
Default:

rule:admin_required

Operations:
  • POST /v3/roles

Create domain role.

identity:update_domain_role
Default:

rule:admin_required

Operations:
  • PATCH /v3/roles/{role_id}

Update domain role.

identity:delete_domain_role
Default:

rule:admin_required

Operations:
  • DELETE /v3/roles/{role_id}

Delete domain role.

identity:list_role_assignments
Default:

rule:admin_required

Operations:
  • GET /v3/role_assignments
  • HEAD /v3/role_assignments

List role assignments.

identity:list_role_assignments_for_tree
Default:

rule:admin_required

Operations:
  • GET /v3/role_assignments?include_subtree
  • HEAD /v3/role_assignments?include_subtree

List all role assignments for a given tree of hierarchical projects.

identity:get_service
Default:

rule:admin_required

Operations:
  • GET /v3/services/{service_id}

Show service details.

identity:list_services
Default:

rule:admin_required

Operations:
  • GET /v3/services

List services.

identity:create_service
Default:

rule:admin_required

Operations:
  • POST /v3/services

Create service.

identity:update_service
Default:

rule:admin_required

Operations:
  • PATCH /v3/services/{service_id}

Update service.

identity:delete_service
Default:

rule:admin_required

Operations:
  • DELETE /v3/services/{service_id}

Delete service.

identity:create_service_provider
Default:

rule:admin_required

Operations:
  • PUT /v3/OS-FEDERATION/service_providers/{service_provider_id}

Create federated service provider.

identity:list_service_providers
Default:

rule:admin_required

Operations:
  • GET /v3/OS-FEDERATION/service_providers
  • HEAD /v3/OS-FEDERATION/service_providers

List federated service providers.

identity:get_service_provider
Default:

rule:admin_required

Operations:
  • GET /v3/OS-FEDERATION/service_providers/{service_provider_id}
  • HEAD /v3/OS-FEDERATION/service_providers/{service_provider_id}

Get federated service provider.

identity:update_service_provider
Default:

rule:admin_required

Operations:
  • PATCH /v3/OS-FEDERATION/service_providers/{service_provider_id}

Update federated service provider.

identity:delete_service_provider
Default:

rule:admin_required

Operations:
  • DELETE /v3/OS-FEDERATION/service_providers/{service_provider_id}

Delete federated service provider.

identity:revocation_list
Default:

rule:service_or_admin

Operations:
  • GET /v3/auth/tokens/OS-PKI/revoked

List revoked PKI tokens.

identity:check_token
Default:

rule:admin_or_token_subject

Operations:
  • HEAD /v3/auth/tokens

Check a token.

identity:validate_token
Default:

rule:service_admin_or_token_subject

Operations:
  • GET /v3/auth/tokens

Validate a token.

identity:revoke_token
Default:

rule:admin_or_token_subject

Operations:
  • DELETE /v3/auth/tokens

Revoke a token.

identity:create_trust
Default:

user_id:%(trust.trustor_user_id)s

Operations:
  • POST /v3/OS-TRUST/trusts

Create trust.

identity:list_trusts
Default:

<empty string>

Operations:
  • GET /v3/OS-TRUST/trusts
  • HEAD /v3/OS-TRUST/trusts

List trusts.

identity:list_roles_for_trust
Default:

<empty string>

Operations:
  • GET /v3/OS-TRUST/trusts/{trust_id}/roles
  • HEAD /v3/OS-TRUST/trusts/{trust_id}/roles

List roles delegated by a trust.

identity:get_role_for_trust
Default:

<empty string>

Operations:
  • GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
  • HEAD /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}

Check if trust delegates a particular role.

identity:delete_trust
Default:

<empty string>

Operations:
  • DELETE /v3/OS-TRUST/trusts/{trust_id}

Revoke trust.

identity:get_trust
Default:

<empty string>

Operations:
  • GET /v3/OS-TRUST/trusts/{trust_id}
  • HEAD /v3/OS-TRUST/trusts/{trust_id}

Get trust.

identity:get_user
Default:

rule:admin_or_owner

Operations:
  • GET /v3/users/{user_id}
  • HEAD /v3/users/{user_id}

Show user details.

identity:list_users
Default:

rule:admin_required

Operations:
  • GET /v3/users
  • HEAD /v3/users

List users.

identity:list_projects_for_user
Default:

<empty string>

Operations:
  • GET `` /v3/auth/projects``

List all projects a user has access to via role assignments.

identity:list_domains_for_user
Default:

<empty string>

Operations:
  • GET /v3/auth/domains

List all domains a user has access to via role assignments.

identity:create_user
Default:

rule:admin_required

Operations:
  • POST /v3/users

Create a user.

identity:update_user
Default:

rule:admin_required

Operations:
  • PATCH /v3/users/{user_id}

Update a user, including administrative password resets.

identity:delete_user
Default:

rule:admin_required

Operations:
  • DELETE /v3/users/{user_id}

Delete a user.

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.