keystone  18.0.0
About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Victoria" series (maintained release).
  Fossies Dox: keystone-18.0.0.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  

roles.inc
1 .. -*- rst -*-
2 
3 =====
4 Roles
5 =====
6 
7 OpenStack services typically determine whether a user's API request should be
8 allowed using Role Based Access Control (RBAC). For OpenStack this means the
9 service compares the roles that the user has on the project (as indicated by the
10 roles in the token), against the roles required for the API in question
11 (as defined in the service's policy file). A user obtains roles on a project by
12 having these assigned to them via the Identity service API.
13 
14 Roles must initially be created as entities via the Identity service API and,
15 once created, can then be assigned. You can assign roles to a user or group on a
16 project, including projects owned by other domains. You can also assign roles
17 to a user or group on a domain, although this is only currently relevant for
18 using a domain scoped token to execute domain-level Identity service API
19 requests.
20 
21 The creation, checking and deletion of role assignments is done with each of
22 the attributes being specified in the URL. For example, to assign a role to a
23 user on a project::
24 
25  PUT /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
26 
27 You can also list roles assigned to the system, or to a specified domain,
28 project, or user using this form of API. However, a more generalized API for
29 listing assignments is provided, where query parameters are used to filter the set
30 of assignments returned in the collection. For example:
31 
32 - List role assignments for the specified user::
33 
34  GET /role_assignments?user.id={user_id}
35 
36 - List role assignments for the specified project::
37 
38  GET /role_assignments?scope.project.id={project_id}
39 
40 - List system role assignments for a specific user::
41 
42  GET /role_assignments?scope.system=all&user.id={user_id}
43 
44 - List system role assignments for all users and groups::
45 
46  GET /role_assignments?scope.system=all
47 
48 Since Identity API v3.10, you can grant role assignments to users and groups on
49 an entity called the ``system``. The role assignment API also supports listing
50 and filtering role assignments on the system.
51 
52 Since Identity API v3.6, you can also list all role assignments within a tree of projects,
53 for example the following would list all role assignments for a specified
54 project and its sub-projects::
55 
56  GET /role_assignments?scope.project.id={project_id}&include_subtree=true
57 
58 If you specify ``include_subtree=true``, you must also specify the
59 ``scope.project.id``. Otherwise, this call returns the ``Bad Request (400)``
60 response code.
61 
62 Each role assignment entity in the collection contains a link to
63 the assignment that created the entity.
64 
65 As mentioned earlier, role assignments can be made to a user or a group on a
66 particular project, domain, or the entire system. A user who is a member of a
67 group that has a role assignment will also be treated as having that role
68 assignment by virtue of their group membership. The *effective* role
69 assignments of a user (on a given project or domain) therefore consist of any
70 direct assignments they have, plus any they gain by virtue of membership of
71 groups that also have assignments on the given project or domain. This set of
72 effective role assignments is what is placed in the token for reference by
73 services wishing to check policy. You can list the effective role assignments
74 using the ``effective`` query parameter at the user, project, and domain level:
75 
76 - Determine what a user can actually do::
77 
78  GET /role_assignments?user.id={user_id}&effective
79 
80 - Get the equivalent set of role assignments that are included in a
81  project-scoped token response::
82 
83  GET /role_assignments?user.id={user_id}&scope.project.id={project_id}&effective
84 
85 When listing in effective mode, since the group assignments have been
86 effectively expanded out into assignments for each user, the group role
87 assignment entities themselves are not returned in the collection. However,
88 in the response, the ``links`` entity section for each assignment gained by
89 virtue of group membership will contain a URL that enables access to the
90 membership of the group.
91 
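The following is an added example, not part of the Keystone source or its samples. It models the query filters and the ``effective`` expansion described above on constructed data, to show which grants a listing without ``effective`` leaves out. The dictionary keys, IDs and function names are assumptions made for the illustration.

```python
from urllib.parse import quote

# Constructed sample data: every ID below is made up for this example.
GROUP_MEMBERS = {"g-ops": {"u-alice", "u-bob"}}
ASSIGNMENTS = [
    {"user": "u-alice", "role": "r-reader", "project": "p-web"},
    {"group": "g-ops", "role": "r-admin", "project": "p-web"},
    {"group": "g-ops", "role": "r-member", "domain": "d-corp"},
    {"user": "u-carol", "role": "r-admin", "system": "all"},
]

# Parameters that the examples above send without a value.
FLAG_PARAMS = {"effective", "include_names"}


def build_query(params):
    """Return the request path for GET /v3/role_assignments with filters.

    Raises ValueError for the combination the API answers with 400:
    include_subtree=true without scope.project.id.
    """
    subtree = str(params.get("include_subtree", "")).lower() == "true"
    if subtree and "scope.project.id" not in params:
        raise ValueError("include_subtree=true requires scope.project.id")
    parts = []
    for key, value in params.items():
        if key in FLAG_PARAMS:
            if value:
                parts.append(key)
        else:
            parts.append(f"{key}={quote(str(value), safe='')}")
    # Only the first separator is '?'; every further filter is joined with '&'.
    return "/v3/role_assignments" + ("?" + "&".join(parts) if parts else "")


def expand_effective(assignments, group_members):
    """Expand group assignments into one entry per member.

    Group entities are not returned; each derived entry records the group
    it came from, standing in for the membership link in the response.
    """
    rows = []
    for a in assignments:
        scope = {k: a[k] for k in ("project", "domain", "system") if k in a}
        if "user" in a:
            rows.append({"user": a["user"], "role": a["role"],
                         "via_group": None, **scope})
        else:
            for member in sorted(group_members.get(a["group"], ())):
                rows.append({"user": member, "role": a["role"],
                             "via_group": a["group"], **scope})
    return rows


def list_assignments(assignments, group_members,
                     user=None, project=None, effective=False):
    """Model of the user.id and scope.project.id filters."""
    rows = (expand_effective(assignments, group_members)
            if effective else assignments)
    return [r for r in rows
            if (user is None or r.get("user") == user)
            and (project is None or r.get("project") == project)]


def group_only_roles(assignments, group_members, user, project):
    """Roles the user holds on the project only through group membership.

    A user.id listing without 'effective' does not show these, so an
    access review based on it under-reports what ends up in the token.
    """
    direct = {r["role"] for r in
              list_assignments(assignments, group_members, user, project)}
    eff = {r["role"] for r in
           list_assignments(assignments, group_members, user, project,
                            effective=True)}
    return sorted(eff - direct)


if __name__ == "__main__":
    print(build_query({"user.id": "u-alice", "scope.project.id": "p-web",
                       "effective": True}))
    print(group_only_roles(ASSIGNMENTS, GROUP_MEMBERS, "u-alice", "p-web"))
```
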
92 By default only the IDs of entities are returned in collections from the
93 role_assignment API calls. The names of entities may also be returned,
94 in addition to the IDs, by using the ``include_names`` query parameter
95 on any of these calls, for example:
96 
97 - List role assignments including names::
98 
99  GET /role_assignments?include_names
100 
101 
102 List roles
103 ==========
104 
105 .. rest_method:: GET /v3/roles
106 
107 Lists roles.
108 
109 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/roles``
110 
111 Request
112 -------
113 
114 Parameters
115 ~~~~~~~~~~
116 
117 .. rest_parameters:: parameters.yaml
118 
119  - name: role_name_query
120  - domain_id: domain_id_query
121 
122 Response
123 --------
124 
125 Parameters
126 ~~~~~~~~~~
127 
128 .. rest_parameters:: parameters.yaml
129 
130  - links: link_collection
131  - roles: roles
132  - domain_id: domain_id_response_body
133  - id: role_id_response_body
134  - links: link_response_body
135  - name: role_name_response_body
136  - description: role_description_response_body_required
137 
138 Status Codes
139 ~~~~~~~~~~~~
140 
141 .. rest_status_code:: success status.yaml
142 
143  - 200
144 
145 .. rest_status_code:: error status.yaml
146 
147  - 400
148  - 401
149  - 403
150 
151 Example
152 ~~~~~~~
153 
154 .. literalinclude:: ./samples/admin/roles-list-response.json
155  :language: javascript
156 
157 
158 Create role
159 ===========
160 
161 .. rest_method:: POST /v3/roles
162 
163 Creates a role.
164 
165 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/roles``
166 
167 Request
168 -------
169 
170 Parameters
171 ~~~~~~~~~~
172 
173 .. rest_parameters:: parameters.yaml
174 
175  - role: role
176  - name: role_name_create_body
177  - domain_id: role_domain_id_request_body
178  - description: role_description_create_body
179  - options: request_role_options_body_not_required
180 
181 Example
182 ~~~~~~~
183 
184 .. literalinclude:: ./samples/admin/role-create-request.json
185  :language: javascript
186 
187 Example for Domain Specific Role
188 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
189 
190 .. literalinclude:: ./samples/admin/domain-specific-role-create-request.json
191  :language: javascript
192 
193 Response
194 --------
195 
196 Parameters
197 ~~~~~~~~~~
198 
199 .. rest_parameters:: parameters.yaml
200 
201  - role: role
202  - domain_id: domain_id_response_body
203  - id: role_id_response_body
204  - links: link_response_body
205  - name: role_name_response_body
206  - description: role_description_response_body_required
207  - options: response_role_options_body_required
208 
209 Status Codes
210 ~~~~~~~~~~~~
211 
212 .. rest_status_code:: success status.yaml
213 
214  - 201
215 
216 .. rest_status_code:: error status.yaml
217 
218  - 400
219  - 401
220  - 403
221  - 409
222 
223 
224 Show role details
225 =================
226 
227 .. rest_method:: GET /v3/roles/{role_id}
228 
229 Shows details for a role.
230 
231 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/role``
232 
233 Request
234 -------
235 
236 Parameters
237 ~~~~~~~~~~
238 
239 .. rest_parameters:: parameters.yaml
240 
241  - role_id: role_id_path
242 
243 Response
244 --------
245 
246 Parameters
247 ~~~~~~~~~~
248 
249 .. rest_parameters:: parameters.yaml
250 
251  - role: role
252  - domain_id: domain_id_response_body
253  - id: role_id_response_body
254  - links: link_response_body
255  - name: role_name_response_body
256  - description: role_description_response_body_required
257  - options: response_role_options_body_required
258 
259 Status Codes
260 ~~~~~~~~~~~~
261 
262 .. rest_status_code:: success status.yaml
263 
264  - 200
265 
266 .. rest_status_code:: error status.yaml
267 
268  - 400
269  - 401
270  - 403
271  - 404
272 
273 Example
274 ~~~~~~~
275 
276 .. literalinclude:: ./samples/admin/role-show-response.json
277  :language: javascript
278 
279 
280 Update role
281 ===========
282 
283 .. rest_method:: PATCH /v3/roles/{role_id}
284 
285 Updates a role.
286 
287 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/role``
288 
289 Request
290 -------
291 
292 Parameters
293 ~~~~~~~~~~
294 
295 .. rest_parameters:: parameters.yaml
296 
297  - role_id: role_id_path
298  - role: role
299  - name: role_name_update_body
300  - description: role_description_update_body
301  - options: request_role_options_body_not_required
302 
303 Example
304 ~~~~~~~
305 
306 .. literalinclude:: ./samples/admin/role-update-request.json
307  :language: javascript
308 
309 Response
310 --------
311 
312 Parameters
313 ~~~~~~~~~~
314 
315 .. rest_parameters:: parameters.yaml
316 
317  - role: role
318  - domain_id: domain_id_response_body
319  - id: role_id_response_body
320  - links: link_response_body
321  - name: role_name_response_body
322  - description: role_description_response_body_required
323  - options: response_role_options_body_required
324 
325 Status Codes
326 ~~~~~~~~~~~~
327 
328 .. rest_status_code:: success status.yaml
329 
330  - 200
331 
332 .. rest_status_code:: error status.yaml
333 
334  - 400
335  - 401
336  - 403
337  - 404
338  - 409
339 
340 Example
341 ~~~~~~~
342 
343 .. literalinclude:: ./samples/admin/role-update-response.json
344  :language: javascript
345 
346 
347 Delete role
348 ===========
349 
350 .. rest_method:: DELETE /v3/roles/{role_id}
351 
352 Deletes a role.
353 
354 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/role``
355 
356 Request
357 -------
358 
359 Parameters
360 ~~~~~~~~~~
361 .. rest_parameters:: parameters.yaml
362 
363  - role_id: role_id_path
364 
365 Response
366 --------
367 
368 Status Codes
369 ~~~~~~~~~~~~
370 
371 .. rest_status_code:: success status.yaml
372 
373  - 204
374 
375 .. rest_status_code:: error status.yaml
376 
377  - 400
378  - 401
379  - 403
380  - 404
381 
382 
383 List role assignments for group on domain
384 =========================================
385 
386 .. rest_method:: GET /v3/domains/{domain_id}/groups/{group_id}/roles
387 
388 Lists role assignments for a group on a domain.
389 
390 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/domain_group_roles``
391 
392 Request
393 -------
394 
395 Parameters
396 ~~~~~~~~~~
397 
398 .. rest_parameters:: parameters.yaml
399 
400  - domain_id: domain_id_path
401  - group_id: group_id_path
402 
403 Response
404 --------
405 
406 Status Codes
407 ~~~~~~~~~~~~
408 
409 .. rest_status_code:: success status.yaml
410 
411  - 200
412 
413 .. rest_status_code:: error status.yaml
414 
415  - 400
416  - 401
417  - 403
418 
419 Example
420 ~~~~~~~
421 
422 .. literalinclude:: ./samples/admin/domain-group-roles-list-response.json
423  :language: javascript
424 
425 The functionality of this request can also be achieved using the generalized
426 list assignments API::
427 
428  GET /role_assignments?group.id={group_id}&scope.domain.id={domain_id}
429 
430 
431 Assign role to group on domain
432 ==============================
433 
434 .. rest_method:: PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
435 
436 Assigns a role to a group on a domain.
437 
438 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/domain_group_role``
439 
440 Request
441 -------
442 
443 Parameters
444 ~~~~~~~~~~
445 
446 .. rest_parameters:: parameters.yaml
447 
448  - domain_id: domain_id_path
449  - group_id: group_id_path
450  - role_id: role_id_path
451 
452 Response
453 --------
454 
455 Status Codes
456 ~~~~~~~~~~~~
457 
458 .. rest_status_code:: success status.yaml
459 
460  - 204
461 
462 .. rest_status_code:: error status.yaml
463 
464  - 400
465  - 401
466  - 403
467  - 404
468  - 409
469 
470 Check whether group has role assignment on domain
471 =================================================
472 
473 .. rest_method:: HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
474 
475 Validates that a group has a role assignment on a domain.
476 
477 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/domain_group_role``
478 
479 Request
480 -------
481 
482 Parameters
483 ~~~~~~~~~~
484 
485 .. rest_parameters:: parameters.yaml
486 
487  - domain_id: domain_id_path
488  - group_id: group_id_path
489  - role_id: role_id_path
490 
491 Response
492 --------
493 
494 Status Codes
495 ~~~~~~~~~~~~
496 
497 .. rest_status_code:: success status.yaml
498 
499  - 204
500 
501 .. rest_status_code:: error status.yaml
502 
503  - 400
504  - 401
505  - 403
506  - 404
507 
508 
509 Unassign role from group on domain
510 ==================================
511 
512 .. rest_method:: DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
513 
514 Unassigns a role from a group on a domain.
515 
516 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/domain_group_role``
517 
518 Request
519 -------
520 
521 Parameters
522 ~~~~~~~~~~
523 
524 .. rest_parameters:: parameters.yaml
525 
526  - domain_id: domain_id_path
527  - group_id: group_id_path
528  - role_id: role_id_path
529 
530 Response
531 --------
532 
533 Status Codes
534 ~~~~~~~~~~~~
535 
536 .. rest_status_code:: success status.yaml
537 
538  - 204
539 
540 .. rest_status_code:: error status.yaml
541 
542  - 400
543  - 401
544  - 403
545  - 404
546 
547 
548 List role assignments for user on domain
549 ========================================
550 
551 .. rest_method:: GET /v3/domains/{domain_id}/users/{user_id}/roles
552 
553 Lists role assignments for a user on a domain.
554 
555 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/domain_user_roles``
556 
557 Request
558 -------
559 
560 Parameters
561 ~~~~~~~~~~
562 
563 .. rest_parameters:: parameters.yaml
564 
565  - domain_id: domain_id_path
566  - user_id: user_id_path
567 
568 Response
569 --------
570 
571 Parameters
572 ~~~~~~~~~~
573 
574 .. rest_parameters:: parameters.yaml
575 
576  - roles: roles
577  - id: role_id_response_body
578  - links: link_response_body
579  - name: role_name_response_body
580 
581 Status Codes
582 ~~~~~~~~~~~~~~
583 
584 .. rest_status_code:: success status.yaml
585 
586  - 200
587 
588 .. rest_status_code:: error status.yaml
589 
590  - 400
591  - 401
592  - 403
593 
594 Example
595 ~~~~~~~
596 
597 .. literalinclude:: ./samples/admin/domain-user-roles-list-response.json
598  :language: javascript
599 
600 The functionality of this request can also be achieved using the generalized
601 list assignments API::
602 
603  GET /role_assignments?user.id={user_id}&scope.domain.id={domain_id}
604 
605 
606 Assign role to user on domain
607 =============================
608 
609 .. rest_method:: PUT /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
610 
611 Assigns a role to a user on a domain.
612 
613 Relationship: ``https://developer.openstack.org/api-ref/identity/v3/index.html#assign-role-to-user-on-domain``
614 
615 Request
616 -------
617 
618 Parameters
619 ~~~~~~~~~~
620 
621 .. rest_parameters:: parameters.yaml
622 
623  - domain_id: domain_id_path
624  - user_id: user_id_path
625  - role_id: role_id_path
626 
627 Response
628 --------
629 
630 Status Codes
631 ~~~~~~~~~~~~
632 
633 .. rest_status_code:: success status.yaml
634 
635  - 200
636 
637 .. rest_status_code:: error status.yaml
638 
639  - 400
640  - 401
641  - 403
642 
643 Check whether user has role assignment on domain
644 ================================================
645 
646 .. rest_method:: HEAD /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
647 
648 Validates that a user has a role assignment on a domain.
649 
650 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/domain_user_role``
651 
652 Request
653 -------
654 
655 Parameters
656 ~~~~~~~~~~
657 
658 .. rest_parameters:: parameters.yaml
659 
660  - domain_id: domain_id_path
661  - user_id: user_id_path
662  - role_id: role_id_path
663 
664 Response
665 --------
666 
667 Status Codes
668 ~~~~~~~~~~~~~
669 
670 .. rest_status_code:: success status.yaml
671 
672  - 204
673 
674 .. rest_status_code:: error status.yaml
675 
676  - 400
677  - 401
678  - 403
679  - 404
680 
681 
682 Unassign role from user on domain
683 =================================
684 
685 .. rest_method:: DELETE /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
686 
687 Unassigns a role from a user on a domain.
688 
689 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/domain_user_role``
690 
691 Request
692 -------
693 
694 Parameters
695 ~~~~~~~~~~
696 
697 .. rest_parameters:: parameters.yaml
698 
699  - domain_id: domain_id_path
700  - user_id: user_id_path
701  - role_id: role_id_path
702 
703 Response
704 --------
705 
706 Status Codes
707 ~~~~~~~~~~~~
708 
709 .. rest_status_code:: success status.yaml
710 
711  - 204
712 
713 .. rest_status_code:: error status.yaml
714 
715  - 400
716  - 401
717  - 403
718  - 404
719  - 409
720 
721 
722 List role assignments for group on project
723 ==========================================
724 
725 .. rest_method:: GET /v3/projects/{project_id}/groups/{group_id}/roles
726 
727 Lists role assignments for a group on a project.
728 
729 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/project_user_role``
730 
731 Request
732 -------
733 
734 Parameters
735 ~~~~~~~~~~
736 
737 .. rest_parameters:: parameters.yaml
738 
739  - project_id: project_id_path
740  - group_id: group_id_path
741 
742 Response
743 --------
744 
745 Status Codes
746 ~~~~~~~~~~~~
747 
748 .. rest_status_code:: success status.yaml
749 
750  - 200
751 
752 .. rest_status_code:: error status.yaml
753 
754  - 400
755  - 401
756  - 403
757 
758 Example
759 ~~~~~~~
760 
761 .. literalinclude:: ./samples/admin/project-group-roles-list-response.json
762  :language: javascript
763 
764 The functionality of this request can also be achieved using the generalized
765 list assignments API::
766 
767  GET /role_assignments?group.id={group_id}&scope.project.id={project_id}
768 
769 
770 Assign role to group on project
771 ===============================
772 
773 .. rest_method:: PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
774 
775 Assigns a role to a group on a project.
776 
777 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/project_group_role``
778 
779 Request
780 -------
781 
782 Parameters
783 ~~~~~~~~~~
784 
785 .. rest_parameters:: parameters.yaml
786 
787  - project_id: project_id_path
788  - group_id: group_id_path
789  - role_id: role_id_path
790 
791 Response
792 --------
793 
794 Status Codes
795 ~~~~~~~~~~~~
796 
797 .. rest_status_code:: success status.yaml
798 
799  - 204
800 
801 .. rest_status_code:: error status.yaml
802 
803  - 400
804  - 401
805  - 403
806  - 404
807  - 409
808 
809 
810 Check whether group has role assignment on project
811 ==================================================
812 
813 .. rest_method:: HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
814 
815 Validates that a group has a role assignment on a project.
816 
817 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/project_group_role``
818 
819 Request
820 -------
821 
822 Parameters
823 ~~~~~~~~~~
824 
825 .. rest_parameters:: parameters.yaml
826 
827  - project_id: project_id_path
828  - group_id: group_id_path
829  - role_id: role_id_path
830 
831 Response
832 --------
833 
834 Status Codes
835 ~~~~~~~~~~~~
836 
837 .. rest_status_code:: success status.yaml
838 
839  - 204
840 
841 .. rest_status_code:: error status.yaml
842 
843  - 400
844  - 401
845  - 403
846  - 404
847 
848 
849 Unassign role from group on project
850 ===================================
851 
852 .. rest_method:: DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
853 
854 Unassigns a role from a group on a project.
855 
856 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/project_group_role``
857 
858 Request
859 -------
860 
861 Parameters
862 ~~~~~~~~~~
863 
864 .. rest_parameters:: parameters.yaml
865 
866  - project_id: project_id_path
867  - group_id: group_id_path
868  - role_id: role_id_path
869 
870 Response
871 --------
872 
873 Status Codes
874 ~~~~~~~~~~~~
875 
876 .. rest_status_code:: success status.yaml
877 
878  - 204
879 
880 .. rest_status_code:: error status.yaml
881 
882  - 400
883  - 401
884  - 403
885  - 404
886 
887 
888 List role assignments for user on project
889 =========================================
890 
891 .. rest_method:: GET /v3/projects/{project_id}/users/{user_id}/roles
892 
893 Lists role assignments for a user on a project.
894 
895 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/project_user_role``
896 
897 Request
898 -------
899 
900 Parameters
901 ~~~~~~~~~~
902 
903 .. rest_parameters:: parameters.yaml
904 
905  - project_id: project_id_path
906  - user_id: user_id_path
907 
908 Response
909 --------
910 
911 Status Codes
912 ~~~~~~~~~~~~
913 
914 .. rest_status_code:: success status.yaml
915 
916  - 200
917 
918 .. rest_status_code:: error status.yaml
919 
920  - 400
921  - 401
922  - 403
923 
924 Example
925 ~~~~~~~
926 
927 .. literalinclude:: ./samples/admin/project-user-roles-list-response.json
928  :language: javascript
929 
930 The functionality of this request can also be achieved using the generalized
931 list assignments API::
932 
933  GET /role_assignments?user.id={user_id}&scope.project.id={project_id}
934 
935 
936 Assign role to user on project
937 ==============================
938 
939 .. rest_method:: PUT /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
940 
941 Assigns a role to a user on a project.
942 
943 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/project_user_role``
944 
945 Request
946 -------
947 
948 Parameters
949 ~~~~~~~~~~
950 
951 .. rest_parameters:: parameters.yaml
952 
953  - project_id: project_id_path
954  - user_id: user_id_path
955  - role_id: role_id_path
956 
957 Response
958 --------
959 
960 Status Codes
961 ~~~~~~~~~~~~
962 
963 .. rest_status_code:: success status.yaml
964 
965  - 204
966 
967 .. rest_status_code:: error status.yaml
968 
969  - 400
970  - 401
971  - 403
972  - 404
973  - 409
974 
975 
976 Check whether user has role assignment on project
977 =================================================
978 
979 .. rest_method:: HEAD /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
980 
981 Validates that a user has a role on a project.
982 
983 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/project_user_role``
984 
985 Request
986 -------
987 
988 Parameters
989 ~~~~~~~~~~
990 
991 .. rest_parameters:: parameters.yaml
992 
993  - project_id: project_id_path
994  - user_id: user_id_path
995  - role_id: role_id_path
996 
997 Response
998 --------
999 
1000 Status Codes
1001 ~~~~~~~~~~~~
1002 
1003 .. rest_status_code:: success status.yaml
1004 
1005  - 201
1006 
1007 .. rest_status_code:: error status.yaml
1008 
1009  - 400
1010  - 401
1011  - 403
1012  - 404
1013 
1014 
1015 Unassign role from user on project
1016 ==================================
1017 
1018 .. rest_method:: DELETE /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
1019 
1020 Unassigns a role from a user on a project.
1021 
1022 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/project_user_role``
1023 
1024 Request
1025 -------
1026 
1027 Parameters
1028 ~~~~~~~~~~
1029 .. rest_parameters:: parameters.yaml
1030 
1031  - project_id: project_id_path
1032  - user_id: user_id_path
1033  - role_id: role_id_path
1034 
1035 Response
1036 --------
1037 
1038 Status Codes
1039 ~~~~~~~~~~~~
1040 
1041 .. rest_status_code:: success status.yaml
1042 
1043  - 204
1044 
1045 .. rest_status_code:: error status.yaml
1046 
1047  - 400
1048  - 401
1049  - 403
1050  - 404
1051 
1052 
1053 List implied (inference) roles for role
1054 =======================================
1055 
1056 .. rest_method:: GET /v3/roles/{prior_role_id}/implies
1057 
1058 Lists implied (inference) roles for a role.
1059 
1060 Relationship:
1061 ``https://developer.openstack.org/api-ref/identity/v3/#list-implied-roles-for-role``
1062 
1063 Request
1064 -------
1065 
1066 Parameters
1067 ~~~~~~~~~~
1068 .. rest_parameters:: parameters.yaml
1069 
1070  - prior_role_id: prior_role_id
1071 
1072 Response
1073 --------
1074 
1075 Parameters
1076 ~~~~~~~~~~
1077 
1078 .. rest_parameters:: parameters.yaml
1079 
1080  - role_inference: role_inference_body
1081  - prior_role: prior_role_body
1082  - implies: implies_role_array_body
1083  - id: role_id_response_body
1084  - links: link_response_body
1085  - name: role_name_response_body
1086 
1087 Status Codes
1088 ~~~~~~~~~~~~
1089 
1090 .. rest_status_code:: success status.yaml
1091 
1092  - 200
1093 
1094 .. rest_status_code:: error status.yaml
1095 
1096  - 401
1097  - 404
1098 
1099 Example
1100 ~~~~~~~
1101 
1102 .. literalinclude:: ./samples/admin/list-implied-roles-for-role-response.json
1103  :language: javascript
1104 
1105 
1106 Create role inference rule
1107 ==========================
1108 
1109 .. rest_method:: PUT /v3/roles/{prior_role_id}/implies/{implies_role_id}
1110 
1111 Creates a role inference rule.
1112 
1113 Relationship:
1114 ``https://developer.openstack.org/api-ref/identity/v3/#create-role-inference-rule``
1115 
1116 Request
1117 -------
1118 
1119 Parameters
1120 ~~~~~~~~~~
1121 
1122 .. rest_parameters:: parameters.yaml
1123 
1124  - prior_role_id: prior_role_id
1125  - implies_role_id: implies_role_id
1126 
1127 Response
1128 --------
1129 
1130 Parameters
1131 ~~~~~~~~~~
1132 
1133 .. rest_parameters:: parameters.yaml
1134 
1135  - role_inference: role_inference_body
1136  - prior_role: prior_role_body
1137  - implies: implies_role_object_body
1138  - id: role_id_response_body
1139  - links: link_response_body
1140  - name: role_name_response_body
1141 
1142 Status Codes
1143 ~~~~~~~~~~~~
1144 
1145 .. rest_status_code:: success status.yaml
1146 
1147  - 201
1148 
1149 .. rest_status_code:: error status.yaml
1150 
1151  - 401
1152  - 404
1153 
1154 Example
1155 ~~~~~~~
1156 
1157 .. literalinclude:: ./samples/admin/create-role-inferences-response.json
1158  :language: javascript
1159 
1160 
1161 Get role inference rule
1162 =======================
1163 
1164 .. rest_method:: GET /v3/roles/{prior_role_id}/implies/{implies_role_id}
1165 
1166 Gets a role inference rule.
1167 
1168 Relationship:
1169 ``https://developer.openstack.org/api-ref/identity/v3/#get-role-inference-rule``
1170 
1171 Request
1172 -------
1173 
1174 Parameters
1175 ~~~~~~~~~~
1176 
1177 .. rest_parameters:: parameters.yaml
1178 
1179  - prior_role_id: prior_role_id
1180  - implies_role_id: implies_role_id
1181 
1182 Response
1183 --------
1184 
1185 Parameters
1186 ~~~~~~~~~~
1187 
1188 .. rest_parameters:: parameters.yaml
1189 
1190  - role_inference: role_inference_body
1191  - prior_role: prior_role_body
1192  - implies: implies_role_object_body
1193  - id: role_id_response_body
1194  - links: link_response_body
1195  - name: role_name_response_body
1196 
1197 Status Codes
1198 ~~~~~~~~~~~~
1199 
1200 .. rest_status_code:: success status.yaml
1201 
1202  - 200
1203 
1204 .. rest_status_code:: error status.yaml
1205 
1206  - 401
1207  - 404
1208 
1209 Example
1210 ~~~~~~~
1211 
1212 .. literalinclude:: ./samples/admin/get-role-inferences-response.json
1213  :language: javascript
1214 
1215 
1216 Confirm role inference rule
1217 ===========================
1218 
1219 .. rest_method:: HEAD /v3/roles/{prior_role_id}/implies/{implies_role_id}
1220 
1221 Checks a role inference rule.
1222 
1223 Relationship:
1224 ``https://developer.openstack.org/api-ref/identity/v3/#confirm-role-inference-rule``
1225 
1226 Request
1227 -------
1228 
1229 Parameters
1230 ~~~~~~~~~~
1231 
1232 .. rest_parameters:: parameters.yaml
1233 
1234  - prior_role_id: prior_role_id
1235  - implies_role_id: implies_role_id
1236 
1237 Response
1238 --------
1239 
1240 Status Codes
1241 ~~~~~~~~~~~~
1242 
1243 .. rest_status_code:: success status.yaml
1244 
1245  - 204
1246 
1247 .. rest_status_code:: error status.yaml
1248 
1249  - 401
1250  - 404
1251 
1252 Example
1253 ~~~~~~~
1254 
1255 Status: 204 No Content
1256 
1257 
1258 Delete role inference rule
1259 ==========================
1260 
1261 .. rest_method:: DELETE /v3/roles/{prior_role_id}/implies/{implies_role_id}
1262 
1263 Deletes a role inference rule.
1264 
1265 Relationship:
1266 ``https://developer.openstack.org/api-ref/identity/v3/#delete-role-inference-rule``
1267 
1268 Request
1269 -------
1270 
1271 Parameters
1272 ~~~~~~~~~~
1273 .. rest_parameters:: parameters.yaml
1274 
1275  - prior_role_id: prior_role_id
1276  - implies_role_id: implies_role_id
1277 
1278 Response
1279 --------
1280 
1281 Status Codes
1282 ~~~~~~~~~~~~
1283 
1284 .. rest_status_code:: success status.yaml
1285 
1286  - 204
1287 
1288 .. rest_status_code:: error status.yaml
1289 
1290  - 401
1291  - 404
1292 
1293 Example
1294 ~~~~~~~
1295 
1296 Status: 204 No Content
1297 
1298 
1299 List role assignments
1300 =====================
1301 
1302 .. rest_method:: GET /v3/role_assignments
1303 
1304 Lists role assignments.
1305 
1306 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/role_assignments``
1307 
1308 Request
1309 -------
1310 
1311 Parameters
1312 ~~~~~~~~~~
1313 
1314 .. rest_parameters:: parameters.yaml
1315 
1316  - effective: effective_query
1317  - include_names: include_names_query
1318  - include_subtree: include_subtree_query
1319  - group.id: group_id_query
1320  - role.id: role_id_query
1321  - scope.system: scope_system_query
1322  - scope.domain.id: scope_domain_id_query
1323  - scope.project.id: scope_project_id_query
1324  - user.id: user_id_query
1325 
1326 Response
1327 --------
1328 
1329 Parameters
1330 ~~~~~~~~~~
1331 
1332 .. rest_parameters:: parameters.yaml
1333 
1334  - role_assignments: role_assignments
1335 
1336 Status Codes
1337 ~~~~~~~~~~~~
1338 
1339 .. rest_status_code:: success status.yaml
1340 
1341  - 200
1342 
1343 .. rest_status_code:: error status.yaml
1344 
1345  - 400
1346  - 401
1347  - 403
1348 
1349 Example
1350 ~~~~~~~
1351 
1352 .. literalinclude:: ./samples/admin/role-assignments-list-response.json
1353  :language: javascript
1354 
1355 
1356 List all role inference rules
1357 =============================
1358 
1359 .. rest_method:: GET /v3/role_inferences
1360 
1361 Lists all role inference rules.
1362 
1363 Relationship:
1364 ``https://developer.openstack.org/api-ref/identity/v3/#list-all-role-inference-rules``
1365 
1366 Response
1367 --------
1368 
1369 Parameters
1370 ~~~~~~~~~~
1371 
1372 .. rest_parameters:: parameters.yaml
1373 
1374  - role_inferences: role_inference_array_body
1375  - prior_role: prior_role_body
1376  - implies: implies_role_object_body
1377  - id: role_id_response_body
1378  - links: link_response_body
1379  - name: role_name_response_body
1380 
1381 Status Codes
1382 ~~~~~~~~~~~~
1383 
1384 .. rest_status_code:: success status.yaml
1385 
1386  - 200
1387 
1388 .. rest_status_code:: error status.yaml
1389 
1390  - 401
1391  - 404
1392 
1393 Example
1394 ~~~~~~~
1395 
1396 .. literalinclude:: ./samples/admin/role-inferences-response.json
1397  :language: javascript