keystone  18.0.0
About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Victoria" series (maintained release).
  Fossies Dox: keystone-18.0.0.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  

inherit.inc
1 .. -*- rst -*-
2 
3 ================
4  OS-INHERIT
5 ================
6 
7 Enables projects to inherit role assignments from either their
8 owning domain or projects that are higher in the hierarchy.
9 
10 (Since API v3.4) The OS-INHERIT extension allows inheritance from
11 both projects and domains. To access project inheritance, the
12 Identity service server must run at least API v3.4.
13 
14 
15 Assign role to user on projects owned by domain
16 ===============================================
17 
18 .. rest_method:: PUT /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
19 
20 Assigns a role to a user in projects owned by a domain.
21 
22 The inherited role is only applied to the owned projects (both existing and
23 future projects), and will not appear as a role in a domain scoped token.
24 
25 Relationship:
26 ``https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_role_inherited_to_projects``
27 
28 Request
29 -------
30 
31 Parameters
32 ~~~~~~~~~~
33 
34 .. rest_parameters:: parameters.yaml
35 
36  - domain_id: domain_id_path
37  - role_id: role_id_path
38  - user_id: user_id_path
39 
40 Response
41 --------
42 
43 Status Codes
44 ~~~~~~~~~~~~~
45 
46 .. rest_status_code:: success status.yaml
47 
48  - 204
49 
50 Assign role to group on projects owned by a domain
51 ==================================================
52 
53 .. rest_method:: PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
54 
55 The inherited role is only applied to the owned projects (both existing and
56 future projects), and will not appear as a role in a domain scoped token.
57 
58 Relationship:
59 ``https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_group_role_inherited_to_projects``
60 
61 Request
62 -------
63 
64 Parameters
65 ~~~~~~~~~~
66 
67 .. rest_parameters:: parameters.yaml
68 
69  - domain_id: domain_id_path
70  - group_id: group_id_path
71  - role_id: role_id_path
72 
73 Response
74 --------
75 
76 Status Codes
77 ~~~~~~~~~~~~
78 
79 .. rest_status_code:: success status.yaml
80 
81  - 204
82 
83 List user's inherited project roles on a domain
84 ===============================================
85 
86 .. rest_method:: GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
87 
88 The list only contains those role assignments to the domain that were specified
89 as being inherited to projects within that domain.
90 
91 Relationship:
92 ``https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_roles_inherited_to_projects``
93 
94 Request
95 -------
96 
97 Parameters
98 ~~~~~~~~~~
99 
100 .. rest_parameters:: parameters.yaml
101 
102  - domain_id: domain_id_path
103  - user_id: user_id_path
104 
105 Response
106 --------
107 
108 Status Codes
109 ~~~~~~~~~~~~
110 
111 .. rest_status_code:: success status.yaml
112 
113  - 200
114 
115 Example
116 ~~~~~~~
117 
118 .. literalinclude:: samples/admin/user-roles-domain-list-response.json
119  :language: javascript
120 
121 
122 List group's inherited project roles on domain
123 ==============================================
124 
125 .. rest_method:: GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
126 
127 The list only contains those role assignments to the domain that were specified
128 as being inherited to projects within that domain.
129 
130 Relationship:
131 ``https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_group_roles_inherited_to_projects``
132 
133 Request
134 -------
135 
136 Parameters
137 ~~~~~~~~~~
138 
139 .. rest_parameters:: parameters.yaml
140 
141  - domain_id: domain_id_path
142  - group_id: group_id_path
143 
144 Response
145 --------
146 
147 Status Codes
148 ~~~~~~~~~~~~
149 
150 .. rest_status_code:: success status.yaml
151 
152  - 200
153 
154 Example
155 ~~~~~~~
156 
157 .. literalinclude:: samples/admin/group-roles-domain-list-response.json
158  :language: javascript
159 
160 
161 Check if user has an inherited project role on domain
162 =====================================================
163 
164 .. rest_method:: HEAD /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
165 
166 Checks whether a user has an inherited project role in a domain.
167 
168 Relationship:
169 ``https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_role_inherited_to_projects``
170 
171 Request
172 -------
173 
174 Parameters
175 ~~~~~~~~~~
176 
177 .. rest_parameters:: parameters.yaml
178 
179  - domain_id: domain_id_path
180  - role_id: role_id_path
181  - user_id: user_id_path
182 
183 Response
184 --------
185 
186 Status Codes
187 ~~~~~~~~~~~~
188 .. rest_status_code:: success status.yaml
189 
190  - 204
191 
192 Check if group has an inherited project role on domain
193 ======================================================
194 
195 .. rest_method:: HEAD /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
196 
197 Checks whether a group has an inherited project role in a domain.
198 
199 Relationship:
200 ``https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_group_role_inherited_to_projects``
201 
202 Request
203 -------
204 
205 Parameters
206 ~~~~~~~~~~
207 
208 .. rest_parameters:: parameters.yaml
209 
210  - domain_id: domain_id_path
211  - group_id: group_id_path
212  - role_id: role_id_path
213 
214 Response
215 --------
216 
217 Status Codes
218 ~~~~~~~~~~~~
219 
220 .. rest_status_code:: success status.yaml
221 
222  - 204
223 
224 Revoke an inherited project role from user on domain
225 ====================================================
226 
227 .. rest_method:: DELETE /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
228 
229 Revokes an inherited project role from a user in a domain.
230 
231 Relationship:
232 ``https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_role_inherited_to_projects``
233 
234 Request
235 -------
236 
237 Parameters
238 ~~~~~~~~~~
239 
240 .. rest_parameters:: parameters.yaml
241 
242  - domain_id: domain_id_path
243  - role_id: role_id_path
244  - user_id: user_id_path
245 
246 Response
247 --------
248 
249 Status Codes
250 ~~~~~~~~~~~~
251 
252 .. rest_status_code:: success status.yaml
253 
254  - 204
255 
256 Revoke an inherited project role from group on domain
257 =====================================================
258 
259 .. rest_method:: DELETE /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
260 
261 Revokes an inherited project role from a group in a domain.
262 
263 Relationship:
264 ``https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_group_role_inherited_to_projects``
265 
266 Request
267 -------
268 
269 Parameters
270 ~~~~~~~~~~
271 
272 .. rest_parameters:: parameters.yaml
273 
274  - domain_id: domain_id_path
275  - group_id: group_id_path
276  - role_id: role_id_path
277 
278 Response
279 --------
280 
281 Status Codes
282 ~~~~~~~~~~~~
283 
284 .. rest_status_code:: success status.yaml
285 
286  - 204
287 
288 Assign role to user on projects in a subtree
289 ============================================
290 
291 .. rest_method:: PUT /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
292 
293 The inherited role assignment is anchored to a project and applied to its
294 subtree in the projects hierarchy (both existing and future projects).
295 
296 * Note: The inherited role is not applied to the project itself, and only
297  applied to its subtree projects.
298 * Note: It is possible for a user to have both a regular (non-inherited) and an
299  inherited role assignment on the same project.
300 * Note: The request doesn't require a body, which will be ignored if provided.
301 
302 Relationship:
303 ``https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/project_user_role_inherited_to_projects``
304 
305 Request
306 -------
307 
308 Parameters
309 ~~~~~~~~~~
310 
311 .. rest_parameters:: parameters.yaml
312 
313  - project_id: project_id_path
314  - role_id: role_id_path
315  - user_id: user_id_path
316 
317 Response
318 --------
319 
320 Status Codes
321 ~~~~~~~~~~~~
322 
323 .. rest_status_code:: success status.yaml
324 
325  - 204
326 
327 Assign role to group on projects in a subtree
328 =============================================
329 
330 .. rest_method:: PUT /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
331 
332 The inherited role assignment is anchored to a project and applied to its
333 subtree in the projects hierarchy (both existing and future projects).
334 
335 * Note: The inherited role is not applied to the project itself, and only
336  applied to its subtree projects.
337 * Note: It is possible for a group to have both a regular (non-inherited) and
338  an inherited role assignment on the same project.
339 * Note: The request doesn't require a body, which will be ignored if provided.
340 
341 Relationship:
342 ``https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/project_group_role_inherited_to_projects``
343 
344 Request
345 -------
346 
347 Parameters
348 ~~~~~~~~~~
349 
350 .. rest_parameters:: parameters.yaml
351 
352  - group_id: group_id_path
353  - project_id: project_id_path
354  - role_id: role_id_path
355 
356 Response
357 --------
358 
359 Status Codes
360 ~~~~~~~~~~~~
361 
362 .. rest_status_code:: success status.yaml
363 
364  - 204
365 
366 Check if user has an inherited project role on project
367 ======================================================
368 
369 .. rest_method:: HEAD /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
370 
371 Checks whether a user has a role assignment with the ``inherited_to_projects`` flag in a project.
372 
373 Relationship:
374 ``https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/project_user_role_inherited_to_projects``
375 
376 Request
377 -------
378 
379 Parameters
380 ~~~~~~~~~~
381 
382 .. rest_parameters:: parameters.yaml
383 
384  - project_id: project_id_path
385  - role_id: role_id_path
386  - user_id: user_id_path
387 
388 Response
389 --------
390 
391 Status Codes
392 ~~~~~~~~~~~~
393 
394 .. rest_status_code:: success status.yaml
395 
396  - 204
397 
398 Check if group has an inherited project role on project
399 =======================================================
400 
401 .. rest_method:: HEAD /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
402 
403 Checks whether a group has a role assignment with the ``inherited_to_projects`` flag in a project.
404 
405 Relationship:
406 ``https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/project_group_role_inherited_to_projects``
407 
408 Request
409 -------
410 
411 Parameters
412 ~~~~~~~~~~
413 
414 .. rest_parameters:: parameters.yaml
415 
416  - group_id: group_id_path
417  - project_id: project_id_path
418  - role_id: role_id_path
419 
420 Response
421 --------
422 
423 Status Codes
424 ~~~~~~~~~~~~
425 
426 .. rest_status_code:: success status.yaml
427 
428  - 204
429 
430 Revoke an inherited project role from user on project
431 =====================================================
432 
433 .. rest_method:: DELETE /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
434 
435 Relationship:
436 ``https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/project_user_role_inherited_to_projects``
437 
438 Request
439 -------
440 
441 Parameters
442 ~~~~~~~~~~
443 
444 .. rest_parameters:: parameters.yaml
445 
446  - project_id: project_id_path
447  - role_id: role_id_path
448  - user_id: user_id_path
449 
450 Response
451 --------
452 
453 Status Codes
454 ~~~~~~~~~~~~
455 
456 .. rest_status_code:: success status.yaml
457 
458  - 204
459 
460 Revoke an inherited project role from group on project
461 ======================================================
462 
463 .. rest_method:: DELETE /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
464 
465 Relationship:
466 ``https://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/project_group_role_inherited_to_projects``
467 
468 Request
469 -------
470 
471 Parameters
472 ~~~~~~~~~~
473 
474 .. rest_parameters:: parameters.yaml
475 
476  - group_id: group_id_path
477  - project_id: project_id_path
478  - role_id: role_id_path
479 
480 Response
481 --------
482 
483 Status Codes
484 ~~~~~~~~~~~~
485 
486 .. rest_status_code:: success status.yaml
487 
488  - 204
489 
490 List role assignments
491 =====================
492 
493 .. rest_method:: GET /v3/role_assignments
494 
495 Get a list of role assignments.
496 
497 If no query parameters are specified, then this API will return a list of all
498 role assignments.
499 
500 .. literalinclude:: samples/admin/role-assignments-list-response.json
501  :language: javascript
502 
503 Since this list is likely to be very long, this API would typically always be
504 used with one or more of the filter queries. Some typical examples are:
505 
506 ``GET /v3/role_assignments?user.id={user_id}`` would list all role assignments
507 involving the specified user.
508 
509 ``GET /v3/role_assignments?scope.project.id={project_id}`` would list all role
510 assignments involving the specified project.
511 
512 It is also possible to list all role assignments within
513 a tree of projects:
514 ``GET /v3/role_assignments?scope.project.id={project_id}&include_subtree=true``
515 would list all role assignments involving the specified project and all
516 sub-projects. ``include_subtree=true`` can only be specified in conjunction
517 with ``scope.project.id``; specifying it without this will result in an
518 HTTP 400 Bad Request being returned.
519 
520 Each role assignment entity in the collection contains a link to the assignment
521 that gave rise to this entity.
522 
523 The scope section in the list response is extended to allow the representation
524 of role assignments that are inherited to projects.
525 
526 .. literalinclude:: samples/admin/role-assignments-list-include-subtree-response.json
527  :language: javascript
528 
529 The query filter ``scope.OS-INHERIT:inherited_to`` can be used to filter based
530 on role assignments that are inherited. The only value of
531 ``scope.OS-INHERIT:inherited_to`` that is currently supported is ``projects``,
532 indicating that this role is inherited to all projects of the owning domain or
533 parent project.
534 
535 If the query parameter ``effective`` is specified, rather than simply returning
536 a list of role assignments that have been made, the API returns a list of
537 effective assignments at the user, project and domain level, having allowed for
538 the effects of group membership, role inference rules as well as inheritance
539 from the parent domain or project. Since the effects of group membership have
540 already been allowed for, the group role assignment entities themselves will
541 not be returned in the collection. Likewise, since the effects of inheritance
542 have already been allowed for, the role assignment entities themselves that
543 specify the inheritance will also not be returned in the collection. This
544 represents the effective role assignments that would be included in a scoped
545 token. The same set of query parameters can also be used in combination with
546 the ``effective`` parameter.
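
The inheritance rules described in this file, modelled offline as an added example (not Keystone's own code): it expands inherited assignments into the roles a user holds on one project, which is useful when auditing how far an inherited grant reaches. The project hierarchy, the IDs and the helper names are constructed for illustration, and group membership and role inference rules are left out.

```python
INHERIT_KEY = "OS-INHERIT:inherited_to"

# Constructed hierarchy: project id -> (owning domain id, parent project id or None)
PROJECTS = {
    "p-root": ("d-1", None),
    "p-dev": ("d-1", "p-root"),
    "p-dev-ci": ("d-1", "p-dev"),
    "p-other": ("d-2", None),
}

# Constructed assignments in the shape of GET /v3/role_assignments entities.
ASSIGNMENTS = [
    {"user": {"id": "u-1"}, "role": {"id": "r-admin"},
     "scope": {"domain": {"id": "d-1"}, INHERIT_KEY: "projects"}},
    {"user": {"id": "u-2"}, "role": {"id": "r-member"},
     "scope": {"project": {"id": "p-root"}, INHERIT_KEY: "projects"}},
    {"user": {"id": "u-2"}, "role": {"id": "r-reader"},
     "scope": {"project": {"id": "p-root"}}},
    {"user": {"id": "u-3"}, "role": {"id": "r-admin"},
     "scope": {"domain": {"id": "d-1"}}},
]


def ancestors(project_id, projects):
    """Yield the parents of project_id, nearest first (never project_id itself)."""
    parent = projects[project_id][1]
    while parent is not None:
        yield parent
        parent = projects[parent][1]


def effective_project_roles(user_id, project_id, assignments, projects):
    """Return {role_id: source} for the roles user_id holds on project_id."""
    domain_id = projects[project_id][0]
    above = set(ancestors(project_id, projects))
    roles = {}
    for a in assignments:
        if a.get("user", {}).get("id") != user_id:
            continue
        scope = a["scope"]
        inherited = scope.get(INHERIT_KEY) == "projects"
        dom = scope.get("domain", {}).get("id")
        proj = scope.get("project", {}).get("id")
        if inherited and dom == domain_id:
            roles[a["role"]["id"]] = "inherited from domain " + dom
        elif inherited and proj in above:  # anchor project itself is excluded
            roles[a["role"]["id"]] = "inherited from project " + proj
        elif not inherited and proj == project_id:
            roles[a["role"]["id"]] = "direct"
    return roles
```
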
547 
548 For example:
549 
550 ``GET /v3/role_assignments?user.id={user_id}&effective`` would, in other words,
551 answer the question "what can this user actually do?".
552 
553 ``GET
554 /v3/role_assignments?user.id={user_id}&scope.project.id={project_id}&effective``
555 would return the equivalent set of role assignments that would be included in
556 the token response of a project scoped token.
557 
558 An example response for an API call with the query parameter ``effective``
559 specified is given below:
560 
561 .. literalinclude:: samples/admin/role-assignments-effective-list-response.json
562  :language: javascript
563 
564 The entity ``links`` section of a response using the ``effective`` query
565 parameter also contains, for entities that are included by virtue of group
566 membership, a URL that can be used to access the membership of the group.
567 
568 If the query parameter ``include_names`` is specified, rather than simply
569 returning the entity IDs in the role assignments, the collection will
570 additionally include the names of the entities. For example:
571 
572 ``GET /v3/role_assignments?user.id={user_id}&effective&include_names=true``
573 would return:
574 
575 .. literalinclude:: samples/admin/role-assignments-effective-list-include-names-response.json
576  :language: javascript
577 
578 Relationship:
579 ``https://docs.openstack.org/api/openstack-identity/3/rel/role_assignments``
580 
581 Request
582 -------
583 
584 Parameters
585 ~~~~~~~~~~
586 
587 Optional query parameters:
588 
589 .. rest_parameters:: parameters.yaml
590 
591  - effective: effective_query
592  - include_names: include_names_query
593  - include_subtree: include_subtree_query
594  - group.id: group_id_query
595  - role.id: role_id_query
596  - scope.domain.id: scope_domain_id_query
597  - scope.OS-INHERIT:inherited_to: scope_os_inherit_inherited_to
598  - scope.project.id: scope_project_id_query
599  - user.id: user_id_query
600 
601 Response
602 --------
603 
604 Status Codes
605 ~~~~~~~~~~~~
606 
607 .. rest_status_code:: success status.yaml
608 
609  - 200
610 
611 .. rest_status_code:: error status.yaml
612 
613  - 400
614  - 401
615  - 403
616  - 404
617  - 405
618  - 413
619  - 503