"Fossies" - the Fresh Open Source Software Archive

Member "keystone-17.0.0/api-ref/source/v3/roles.inc" (13 May 2020, 26330 Bytes) of package /linux/misc/openstack/keystone-17.0.0.tar.gz:



    1 .. -*- rst -*-
    2 
    3 =====
    4 Roles
    5 =====
    6 
    7 OpenStack services typically determine whether a user's API request should be
    8 allowed using Role Based Access Control (RBAC). For OpenStack this means the
    9 service compares the roles that the user has on the project (as indicated by the
   10 roles in the token) against the roles required for the API in question
   11 (as defined in the service's policy file). A user obtains roles on a project by
   12 having these assigned to them via the Identity service API.
   13 
   14 Roles must initially be created as entities via the Identity service API and,
   15 once created, can then be assigned. You can assign roles to a user or group on a
   16 project, including projects owned by other domains. You can also assign roles
   17 to a user or group on a domain, although this is only currently relevant for
   18 using a domain scoped token to execute domain-level Identity service API
   19 requests.
   20 
   21 Role assignments are created, checked and deleted with each of
   22 the attributes being specified in the URL. For example, to assign a role to a
   23 user on a project::
   24 
   25   PUT /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
   26 
   27 You can also list roles assigned to the system, or to a specified domain,
   28 project, or user using this form of API. However, a more generalized API for
   29 listing assignments is provided, in which query parameters filter the set
   30 of assignments returned in the collection. For example:
   31 
   32 - List role assignments for the specified user::
   33 
   34     GET /role_assignments?user.id={user_id}
   35 
   36 - List role assignments for the specified project::
   37 
   38     GET /role_assignments?scope.project.id={project_id}
   39 
   40 - List system role assignments for a specific user::
   41 
   42     GET /role_assignments?scope.system=all&user.id={user_id}
   43 
   44 - List system role assignments for all users and groups::
   45 
   46     GET /role_assignments?scope.system=all
   47 
   48 Since Identity API v3.10, you can grant role assignments to users and groups on
   49 an entity called the ``system``. The role assignment API also supports listing
   50 and filtering role assignments on the system.
   51 
   52 Since Identity API v3.6, you can also list all role assignments within a tree
   53 of projects. For example, the following lists all role assignments for a
   54 specified project and its sub-projects::
   55 
   56   GET /role_assignments?scope.project.id={project_id}&include_subtree=true
   57 
   58 If you specify ``include_subtree=true``, you must also specify the
   59 ``scope.project.id``. Otherwise, this call returns the ``Bad Request (400)``
   60 response code.
   61 
   62 Each role assignment entity in the collection contains a link to
   63 the assignment that created the entity.
   64 
   65 As mentioned earlier, role assignments can be made to a user or a group on a
   66 particular project, domain, or the entire system. A user who is a member of a
   67 group that has a role assignment is also treated as having that role
   68 assignment by virtue of their group membership. The *effective* role
   69 assignments of a user (on a given project or domain) therefore consist of any
   70 direct assignments they have, plus any they gain by virtue of membership of
   71 groups that also have assignments on the given project or domain. This set of
   72 effective role assignments is what is placed in the token for reference by
   73 services wishing to check policy. You can list the effective role assignments
   74 using the ``effective`` query parameter at the user, project, and domain level:
   75 
   76 - Determine what a user can actually do::
   77 
   78     GET /role_assignments?user.id={user_id}&effective
   79 
   80 - Get the equivalent set of role assignments that are included in a
   81   project-scoped token response::
   82 
   83     GET /role_assignments?user.id={user_id}&scope.project.id={project_id}&effective
   84 
   85 When listing in effective mode, since the group assignments have been
   86 effectively expanded out into assignments for each user, the group role
   87 assignment entities themselves are not returned in the collection. However,
   88 in the response, the ``links`` entity section for each assignment gained by
   89 virtue of group membership will contain a URL that enables access to the
   90 membership of the group.
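
The effective-mode expansion and the ``include_subtree`` rule described above, modelled offline as an added Python example (not code from Keystone or from this reference). The function names, the sample IDs, the entity layout and the group-membership map are assumptions constructed for illustration; in a deployment the membership data would come from the Identity service itself.

```python
# Added example (not Keystone code): models the listing rules above on
# constructed data. Entity layout and the membership map are assumptions.
from urllib.parse import quote


def list_query(filters=None, effective=False, include_subtree=False):
    """Build a GET /role_assignments request path from filter name -> value."""
    filters = dict(filters or {})
    if include_subtree and "scope.project.id" not in filters:
        # The API answers Bad Request (400) for this; fail before sending.
        raise ValueError("include_subtree requires scope.project.id")
    parts = [f"{k}={quote(str(v), safe='')}" for k, v in sorted(filters.items())]
    if include_subtree:
        parts.append("include_subtree=true")
    if effective:
        parts.append("effective")  # bare flag, as written in the examples above
    return "/role_assignments" + ("?" + "&".join(parts) if parts else "")


def scope_key(scope):
    """Reduce a scope object to a hashable (kind, id) pair."""
    kind, body = next(iter(scope.items()))
    return kind, body.get("id", "all")


def expand_effective(assignments, group_members):
    """Expand group assignments into per-user entities, as effective mode does.

    Group entities themselves are dropped; each expanded entity carries a
    "membership" link pointing at the group membership that produced it.
    """
    out = []
    for a in assignments:
        if "user" in a:
            out.append(a)
            continue
        gid = a["group"]["id"]
        for uid in group_members.get(gid, []):
            out.append({
                "role": a["role"], "user": {"id": uid}, "scope": a["scope"],
                "links": {"assignment": a["links"]["assignment"],
                          "membership": f"/v3/groups/{gid}/users/{uid}"},
            })
    return out


def roles_for(effective, user_id, scope):
    """Role ids a user holds on one scope (what a scoped token would carry)."""
    want = scope_key(scope)
    return {a["role"]["id"] for a in effective
            if a["user"]["id"] == user_id and scope_key(a["scope"]) == want}


def group_only_grants(effective):
    """(user, role, scope) triples held only through group membership."""
    direct, via_group = set(), set()
    for a in effective:
        triple = (a["user"]["id"], a["role"]["id"], scope_key(a["scope"]))
        (via_group if "membership" in a["links"] else direct).add(triple)
    return sorted(via_group - direct)


def _entity(role, actor_kind, actor_id, scope_kind, scope_id):
    """Constructed sample entity; link follows the URL templates on this page."""
    return {"role": {"id": role}, actor_kind: {"id": actor_id},
            "scope": {scope_kind: {"id": scope_id}},
            "links": {"assignment": f"/v3/{scope_kind}s/{scope_id}/"
                                    f"{actor_kind}s/{actor_id}/roles/{role}"}}


# Constructed sample data: two direct and two group assignments.
ASSIGNMENTS = [
    _entity("r-member", "user", "u-alice", "project", "p-web"),
    _entity("r-admin", "group", "g-ops", "project", "p-web"),
    _entity("r-member", "group", "g-ops", "project", "p-web"),
    _entity("r-reader", "user", "u-bob", "domain", "d-corp"),
]
GROUP_MEMBERS = {"g-ops": ["u-alice", "u-bob"]}  # constructed membership map

if __name__ == "__main__":
    eff = expand_effective(ASSIGNMENTS, GROUP_MEMBERS)
    print(list_query({"user.id": "u-alice", "scope.project.id": "p-web"},
                     effective=True))
    print(sorted(roles_for(eff, "u-alice", {"project": {"id": "p-web"}})))
    for grant in group_only_grants(eff):
        print("group-only:", grant)
```

``group_only_grants`` is the audit-relevant view: it lists access that no direct assignment listing for the user would show, because it exists only while the group membership does.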
   91 
   92 By default only the IDs of entities are returned in collections from the
   93 role_assignment API calls. The names of entities may also be returned,
   94 in addition to the IDs, by using the ``include_names`` query parameter
   95 on any of these calls, for example:
   96 
   97 - List role assignments including names::
   98 
   99     GET /role_assignments?include_names
  100 
  101 
  102 List roles
  103 ==========
  104 
  105 .. rest_method::  GET /v3/roles
  106 
  107 Lists roles.
  108 
  109 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/roles``
  110 
  111 Request
  112 -------
  113 
  114 Parameters
  115 ~~~~~~~~~~
  116 
  117 .. rest_parameters:: parameters.yaml
  118 
  119    - name: role_name_query
  120    - domain_id: domain_id_query
  121 
  122 Response
  123 --------
  124 
  125 Parameters
  126 ~~~~~~~~~~
  127 
  128 .. rest_parameters:: parameters.yaml
  129 
  130    - links: link_collection
  131    - roles: roles
  132    - domain_id: domain_id_response_body
  133    - id: role_id_response_body
  134    - links: link_response_body
  135    - name: role_name_response_body
  136    - description: role_description_response_body_required
  137 
  138 Status Codes
  139 ~~~~~~~~~~~~
  140 
  141 .. rest_status_code:: success status.yaml
  142 
  143    - 200
  144 
  145 .. rest_status_code:: error status.yaml
  146 
  147    - 400
  148    - 401
  149    - 403
  150 
  151 Example
  152 ~~~~~~~
  153 
  154 .. literalinclude:: ./samples/admin/roles-list-response.json
  155    :language: javascript
  156 
  157 
  158 Create role
  159 ===========
  160 
  161 .. rest_method::  POST /v3/roles
  162 
  163 Creates a role.
  164 
  165 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/roles``
  166 
  167 Request
  168 -------
  169 
  170 Parameters
  171 ~~~~~~~~~~
  172 
  173 .. rest_parameters:: parameters.yaml
  174 
  175    - role: role
  176    - name: role_name_create_body
  177    - domain_id: role_domain_id_request_body
  178    - description: role_description_create_body
  179    - options: request_role_options_body_not_required
  180 
  181 Example
  182 ~~~~~~~
  183 
  184 .. literalinclude:: ./samples/admin/role-create-request.json
  185    :language: javascript
  186 
  187 Example for Domain Specific Role
  188 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  189 
  190 .. literalinclude:: ./samples/admin/domain-specific-role-create-request.json
  191    :language: javascript
  192 
  193 Response
  194 --------
  195 
  196 Parameters
  197 ~~~~~~~~~~
  198 
  199 .. rest_parameters:: parameters.yaml
  200 
  201    - role: role
  202    - domain_id: domain_id_response_body
  203    - id: role_id_response_body
  204    - links: link_response_body
  205    - name: role_name_response_body
  206    - description: role_description_response_body_required
  207    - options: response_role_options_body_required
  208 
  209 Status Codes
  210 ~~~~~~~~~~~~
  211 
  212 .. rest_status_code:: success status.yaml
  213 
  214    - 201
  215 
  216 .. rest_status_code:: error status.yaml
  217 
  218    - 400
  219    - 401
  220    - 403
  221    - 409
  222 
  223 
  224 Show role details
  225 =================
  226 
  227 .. rest_method::  GET /v3/roles/{role_id}
  228 
  229 Shows details for a role.
  230 
  231 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/role``
  232 
  233 Request
  234 -------
  235 
  236 Parameters
  237 ~~~~~~~~~~
  238 
  239 .. rest_parameters:: parameters.yaml
  240 
  241    - role_id: role_id_path
  242 
  243 Response
  244 --------
  245 
  246 Parameters
  247 ~~~~~~~~~~
  248 
  249 .. rest_parameters:: parameters.yaml
  250 
  251    - role: role
  252    - domain_id: domain_id_response_body
  253    - id: role_id_response_body
  254    - links: link_response_body
  255    - name: role_name_response_body
  256    - description: role_description_response_body_required
  257    - options: response_role_options_body_required
  258 
  259 Status Codes
  260 ~~~~~~~~~~~~
  261 
  262 .. rest_status_code:: success status.yaml
  263 
  264    - 200
  265 
  266 .. rest_status_code:: error status.yaml
  267 
  268    - 400
  269    - 401
  270    - 403
  271    - 404
  272 
  273 Example
  274 ~~~~~~~
  275 
  276 .. literalinclude:: ./samples/admin/role-show-response.json
  277    :language: javascript
  278 
  279 
  280 Update role
  281 ===========
  282 
  283 .. rest_method::  PATCH /v3/roles/{role_id}
  284 
  285 Updates a role.
  286 
  287 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/role``
  288 
  289 Request
  290 -------
  291 
  292 Parameters
  293 ~~~~~~~~~~
  294 
  295 .. rest_parameters:: parameters.yaml
  296 
  297    - role_id: role_id_path
  298    - role: role
  299    - name: role_name_update_body
  300    - description: role_description_update_body
  301    - options: request_role_options_body_not_required
  302 
  303 Example
  304 ~~~~~~~
  305 
  306 .. literalinclude:: ./samples/admin/role-update-request.json
  307    :language: javascript
  308 
  309 Response
  310 --------
  311 
  312 Parameters
  313 ~~~~~~~~~~
  314 
  315 .. rest_parameters:: parameters.yaml
  316 
  317    - role: role
  318    - domain_id: domain_id_response_body
  319    - id: role_id_response_body
  320    - links: link_response_body
  321    - name: role_name_response_body
  322    - description: role_description_response_body_required
  323    - options: response_role_options_body_required
  324 
  325 Status Codes
  326 ~~~~~~~~~~~~
  327 
  328 .. rest_status_code:: success status.yaml
  329 
  330    - 200
  331 
  332 .. rest_status_code:: error status.yaml
  333 
  334    - 400
  335    - 401
  336    - 403
  337    - 404
  338    - 409
  339 
  340 Example
  341 ~~~~~~~
  342 
  343 .. literalinclude:: ./samples/admin/role-update-response.json
  344    :language: javascript
  345 
  346 
  347 Delete role
  348 ===========
  349 
  350 .. rest_method::  DELETE /v3/roles/{role_id}
  351 
  352 Deletes a role.
  353 
  354 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/role``
  355 
  356 Request
  357 -------
  358 
  359 Parameters
  360 ~~~~~~~~~~
  361 .. rest_parameters:: parameters.yaml
  362 
  363    - role_id: role_id_path
  364 
  365 Response
  366 --------
  367 
  368 Status Codes
  369 ~~~~~~~~~~~~
  370 
  371 .. rest_status_code:: success status.yaml
  372 
  373    - 204
  374 
  375 .. rest_status_code:: error status.yaml
  376 
  377    - 400
  378    - 401
  379    - 403
  380    - 404
  381 
  382 
  383 List role assignments for group on domain
  384 =========================================
  385 
  386 .. rest_method::  GET /v3/domains/{domain_id}/groups/{group_id}/roles
  387 
  388 Lists role assignments for a group on a domain.
  389 
  390 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/domain_group_roles``
  391 
  392 Request
  393 -------
  394 
  395 Parameters
  396 ~~~~~~~~~~
  397 
  398 .. rest_parameters:: parameters.yaml
  399 
  400    - domain_id: domain_id_path
  401    - group_id: group_id_path
  402 
  403 Response
  404 --------
  405 
  406 Status Codes
  407 ~~~~~~~~~~~~
  408 
  409 .. rest_status_code:: success status.yaml
  410 
  411    - 200
  412 
  413 .. rest_status_code:: error status.yaml
  414 
  415    - 400
  416    - 401
  417    - 403
  418 
  419 Example
  420 ~~~~~~~
  421 
  422 .. literalinclude:: ./samples/admin/domain-group-roles-list-response.json
  423    :language: javascript
  424 
  425 The functionality of this request can also be achieved using the generalized
  426 list assignments API::
  427 
  428   GET /role_assignments?group.id={group_id}&scope.domain.id={domain_id}
  429 
  430 
  431 Assign role to group on domain
  432 ==============================
  433 
  434 .. rest_method::  PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
  435 
  436 Assigns a role to a group on a domain.
  437 
  438 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/domain_group_role``
  439 
  440 Request
  441 -------
  442 
  443 Parameters
  444 ~~~~~~~~~~
  445 
  446 .. rest_parameters:: parameters.yaml
  447 
  448    - domain_id: domain_id_path
  449    - group_id: group_id_path
  450    - role_id: role_id_path
  451 
  452 Response
  453 --------
  454 
  455 Status Codes
  456 ~~~~~~~~~~~~
  457 
  458 .. rest_status_code:: success status.yaml
  459 
  460    - 204
  461 
  462 .. rest_status_code:: error status.yaml
  463 
  464    - 400
  465    - 401
  466    - 403
  467    - 404
  468    - 409
  469 
  470 Check whether group has role assignment on domain
  471 =================================================
  472 
  473 .. rest_method::  HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
  474 
  475 Validates that a group has a role assignment on a domain.
  476 
  477 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/domain_group_role``
  478 
  479 Request
  480 -------
  481 
  482 Parameters
  483 ~~~~~~~~~~
  484 
  485 .. rest_parameters:: parameters.yaml
  486 
  487    - domain_id: domain_id_path
  488    - group_id: group_id_path
  489    - role_id: role_id_path
  490 
  491 Response
  492 --------
  493 
  494 Status Codes
  495 ~~~~~~~~~~~~
  496 
  497 .. rest_status_code:: success status.yaml
  498 
  499    - 204
  500 
  501 .. rest_status_code:: error status.yaml
  502 
  503    - 400
  504    - 401
  505    - 403
  506    - 404
  507 
  508 
  509 Unassign role from group on domain
  510 ==================================
  511 
  512 .. rest_method::  DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
  513 
  514 Unassigns a role from a group on a domain.
  515 
  516 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/domain_group_role``
  517 
  518 Request
  519 -------
  520 
  521 Parameters
  522 ~~~~~~~~~~
  523 
  524 .. rest_parameters:: parameters.yaml
  525 
  526    - domain_id: domain_id_path
  527    - group_id: group_id_path
  528    - role_id: role_id_path
  529 
  530 Response
  531 --------
  532 
  533 Status Codes
  534 ~~~~~~~~~~~~
  535 
  536 .. rest_status_code:: success status.yaml
  537 
  538    - 204
  539 
  540 .. rest_status_code:: error status.yaml
  541 
  542    - 400
  543    - 401
  544    - 403
  545    - 404
  546 
  547 
  548 List role assignments for user on domain
  549 ========================================
  550 
  551 .. rest_method::  GET /v3/domains/{domain_id}/users/{user_id}/roles
  552 
  553 Lists role assignments for a user on a domain.
  554 
  555 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/domain_user_roles``
  556 
  557 Request
  558 -------
  559 
  560 Parameters
  561 ~~~~~~~~~~
  562 
  563 .. rest_parameters:: parameters.yaml
  564 
  565    - domain_id: domain_id_path
  566    - user_id: user_id_path
  567 
  568 Response
  569 --------
  570 
  571 Parameters
  572 ~~~~~~~~~~
  573 
  574 .. rest_parameters:: parameters.yaml
  575 
  576    - roles: roles
  577    - id: role_id_response_body
  578    - links: link_response_body
  579    - name: role_name_response_body
  580 
  581 Status Codes
  582 ~~~~~~~~~~~~
  583 
  584 .. rest_status_code:: success status.yaml
  585 
  586    - 200
  587 
  588 .. rest_status_code:: error status.yaml
  589 
  590    - 400
  591    - 401
  592    - 403
  593 
  594 Example
  595 ~~~~~~~
  596 
  597 .. literalinclude:: ./samples/admin/domain-user-roles-list-response.json
  598    :language: javascript
  599 
  600 The functionality of this request can also be achieved using the generalized
  601 list assignments API::
  602 
  603   GET /role_assignments?user.id={user_id}&scope.domain.id={domain_id}
  604 
  605 
  606 Assign role to user on domain
  607 =============================
  608 
  609 .. rest_method::  PUT /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
  610 
  611 Assigns a role to a user on a domain.
  612 
  613 Relationship: ``https://developer.openstack.org/api-ref/identity/v3/index.html#assign-role-to-user-on-domain``
  614 
  615 Request
  616 -------
  617 
  618 Parameters
  619 ~~~~~~~~~~
  620 
  621 .. rest_parameters:: parameters.yaml
  622 
  623    - domain_id: domain_id_path
  624    - user_id: user_id_path
  625    - role_id: role_id_path
  626 
  627 Response
  628 --------
  629 
  630 Status Codes
  631 ~~~~~~~~~~~~
  632 
  633 .. rest_status_code:: success status.yaml
  634 
  635    - 200
  636 
  637 .. rest_status_code:: error status.yaml
  638 
  639    - 400
  640    - 401
  641    - 403
  642 
  643 Check whether user has role assignment on domain
  644 ================================================
  645 
  646 .. rest_method::  HEAD /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
  647 
  648 Validates that a user has a role assignment on a domain.
  649 
  650 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/domain_user_role``
  651 
  652 Request
  653 -------
  654 
  655 Parameters
  656 ~~~~~~~~~~
  657 
  658 .. rest_parameters:: parameters.yaml
  659 
  660    - domain_id: domain_id_path
  661    - user_id: user_id_path
  662    - role_id: role_id_path
  663 
  664 Response
  665 --------
  666 
  667 Status Codes
  668 ~~~~~~~~~~~~
  669 
  670 .. rest_status_code:: success status.yaml
  671 
  672    - 204
  673 
  674 .. rest_status_code:: error status.yaml
  675 
  676    - 400
  677    - 401
  678    - 403
  679    - 404
  680 
  681 
  682 Unassign role from user on domain
  683 =================================
  684 
  685 .. rest_method::  DELETE /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
  686 
  687 Unassigns a role from a user on a domain.
  688 
  689 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/domain_user_role``
  690 
  691 Request
  692 -------
  693 
  694 Parameters
  695 ~~~~~~~~~~
  696 
  697 .. rest_parameters:: parameters.yaml
  698 
  699    - domain_id: domain_id_path
  700    - user_id: user_id_path
  701    - role_id: role_id_path
  702 
  703 Response
  704 --------
  705 
  706 Status Codes
  707 ~~~~~~~~~~~~
  708 
  709 .. rest_status_code:: success status.yaml
  710 
  711    - 204
  712 
  713 .. rest_status_code:: error status.yaml
  714 
  715    - 400
  716    - 401
  717    - 403
  718    - 404
  719    - 409
  720 
  721 
  722 List role assignments for group on project
  723 ==========================================
  724 
  725 .. rest_method::  GET /v3/projects/{project_id}/groups/{group_id}/roles
  726 
  727 Lists role assignments for a group on a project.
  728 
  729 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/project_user_role``
  730 
  731 Request
  732 -------
  733 
  734 Parameters
  735 ~~~~~~~~~~
  736 
  737 .. rest_parameters:: parameters.yaml
  738 
  739    - project_id: project_id_path
  740    - group_id: group_id_path
  741 
  742 Response
  743 --------
  744 
  745 Status Codes
  746 ~~~~~~~~~~~~
  747 
  748 .. rest_status_code:: success status.yaml
  749 
  750    - 200
  751 
  752 .. rest_status_code:: error status.yaml
  753 
  754    - 400
  755    - 401
  756    - 403
  757 
  758 Example
  759 ~~~~~~~
  760 
  761 .. literalinclude:: ./samples/admin/project-group-roles-list-response.json
  762    :language: javascript
  763 
  764 The functionality of this request can also be achieved using the generalized
  765 list assignments API::
  766 
  767   GET /role_assignments?group.id={group_id}&scope.project.id={project_id}
  768 
  769 
  770 Assign role to group on project
  771 ===============================
  772 
  773 .. rest_method::  PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
  774 
  775 Assigns a role to a group on a project.
  776 
  777 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/project_group_role``
  778 
  779 Request
  780 -------
  781 
  782 Parameters
  783 ~~~~~~~~~~
  784 
  785 .. rest_parameters:: parameters.yaml
  786 
  787    - project_id: project_id_path
  788    - group_id: group_id_path
  789    - role_id: role_id_path
  790 
  791 Response
  792 --------
  793 
  794 Status Codes
  795 ~~~~~~~~~~~~
  796 
  797 .. rest_status_code:: success status.yaml
  798 
  799    - 204
  800 
  801 .. rest_status_code:: error status.yaml
  802 
  803    - 400
  804    - 401
  805    - 403
  806    - 404
  807    - 409
  808 
  809 
  810 Check whether group has role assignment on project
  811 ==================================================
  812 
  813 .. rest_method::  HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
  814 
  815 Validates that a group has a role assignment on a project.
  816 
  817 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/project_group_role``
  818 
  819 Request
  820 -------
  821 
  822 Parameters
  823 ~~~~~~~~~~
  824 
  825 .. rest_parameters:: parameters.yaml
  826 
  827    - project_id: project_id_path
  828    - group_id: group_id_path
  829    - role_id: role_id_path
  830 
  831 Response
  832 --------
  833 
  834 Status Codes
  835 ~~~~~~~~~~~~
  836 
  837 .. rest_status_code:: success status.yaml
  838 
  839    - 204
  840 
  841 .. rest_status_code:: error status.yaml
  842 
  843    - 400
  844    - 401
  845    - 403
  846    - 404
  847 
  848 
  849 Unassign role from group on project
  850 ===================================
  851 
  852 .. rest_method::  DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
  853 
  854 Unassigns a role from a group on a project.
  855 
  856 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/project_group_role``
  857 
  858 Request
  859 -------
  860 
  861 Parameters
  862 ~~~~~~~~~~
  863 
  864 .. rest_parameters:: parameters.yaml
  865 
  866    - project_id: project_id_path
  867    - group_id: group_id_path
  868    - role_id: role_id_path
  869 
  870 Response
  871 --------
  872 
  873 Status Codes
  874 ~~~~~~~~~~~~
  875 
  876 .. rest_status_code:: success status.yaml
  877 
  878    - 204
  879 
  880 .. rest_status_code:: error status.yaml
  881 
  882    - 400
  883    - 401
  884    - 403
  885    - 404
  886 
  887 
  888 List role assignments for user on project
  889 =========================================
  890 
  891 .. rest_method::  GET /v3/projects/{project_id}/users/{user_id}/roles
  892 
  893 Lists role assignments for a user on a project.
  894 
  895 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/project_user_role``
  896 
  897 Request
  898 -------
  899 
  900 Parameters
  901 ~~~~~~~~~~
  902 
  903 .. rest_parameters:: parameters.yaml
  904 
  905    - project_id: project_id_path
  906    - user_id: user_id_path
  907 
  908 Response
  909 --------
  910 
  911 Status Codes
  912 ~~~~~~~~~~~~
  913 
  914 .. rest_status_code:: success status.yaml
  915 
  916    - 200
  917 
  918 .. rest_status_code:: error status.yaml
  919 
  920    - 400
  921    - 401
  922    - 403
  923 
  924 Example
  925 ~~~~~~~
  926 
  927 .. literalinclude:: ./samples/admin/project-user-roles-list-response.json
  928    :language: javascript
  929 
  930 The functionality of this request can also be achieved using the generalized
  931 list assignments API::
  932 
  933   GET /role_assignments?user.id={user_id}&scope.project.id={project_id}
  934 
  935 
  936 Assign role to user on project
  937 ==============================
  938 
  939 .. rest_method::  PUT /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
  940 
  941 Assigns a role to a user on a project.
  942 
  943 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/project_user_role``
  944 
  945 Request
  946 -------
  947 
  948 Parameters
  949 ~~~~~~~~~~
  950 
  951 .. rest_parameters:: parameters.yaml
  952 
  953    - project_id: project_id_path
  954    - user_id: user_id_path
  955    - role_id: role_id_path
  956 
  957 Response
  958 --------
  959 
  960 Status Codes
  961 ~~~~~~~~~~~~
  962 
  963 .. rest_status_code:: success status.yaml
  964 
  965    - 204
  966 
  967 .. rest_status_code:: error status.yaml
  968 
  969    - 400
  970    - 401
  971    - 403
  972    - 404
  973    - 409
  974 
  975 
  976 Check whether user has role assignment on project
  977 =================================================
  978 
  979 .. rest_method::  HEAD /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
  980 
  981 Validates that a user has a role on a project.
  982 
  983 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/project_user_role``
  984 
  985 Request
  986 -------
  987 
  988 Parameters
  989 ~~~~~~~~~~
  990 
  991 .. rest_parameters:: parameters.yaml
  992 
  993    - project_id: project_id_path
  994    - user_id: user_id_path
  995    - role_id: role_id_path
  996 
  997 Response
  998 --------
  999 
 1000 Status Codes
 1001 ~~~~~~~~~~~~
 1002 
 1003 .. rest_status_code:: success status.yaml
 1004 
 1005    - 201
 1006 
 1007 .. rest_status_code:: error status.yaml
 1008 
 1009    - 400
 1010    - 401
 1011    - 403
 1012    - 404
 1013 
 1014 
 1015 Unassign role from user on project
 1016 ==================================
 1017 
 1018 .. rest_method::  DELETE /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
 1019 
 1020 Unassigns a role from a user on a project.
 1021 
 1022 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/project_user_role``
 1023 
 1024 Request
 1025 -------
 1026 
 1027 Parameters
 1028 ~~~~~~~~~~
 1029 .. rest_parameters:: parameters.yaml
 1030 
 1031    - project_id: project_id_path
 1032    - user_id: user_id_path
 1033    - role_id: role_id_path
 1034 
 1035 Response
 1036 --------
 1037 
 1038 Status Codes
 1039 ~~~~~~~~~~~~
 1040 
 1041 .. rest_status_code:: success status.yaml
 1042 
 1043    - 204
 1044 
 1045 .. rest_status_code:: error status.yaml
 1046 
 1047    - 400
 1048    - 401
 1049    - 403
 1050    - 404
 1051 
 1052 
 1053 List implied (inference) roles for role
 1054 =======================================
 1055 
 1056 .. rest_method:: GET /v3/roles/{prior_role_id}/implies
 1057 
 1058 Lists implied (inference) roles for a role.
 1059 
 1060 Relationship:
 1061 ``https://developer.openstack.org/api-ref/identity/v3/#list-implied-roles-for-role``
 1062 
 1063 Request
 1064 -------
 1065 
 1066 Parameters
 1067 ~~~~~~~~~~
 1068 .. rest_parameters:: parameters.yaml
 1069 
 1070    - prior_role_id: prior_role_id
 1071 
 1072 Response
 1073 --------
 1074 
 1075 Parameters
 1076 ~~~~~~~~~~
 1077 
 1078 .. rest_parameters:: parameters.yaml
 1079 
 1080    - role_inference: role_inference_body
 1081    - prior_role: prior_role_body
 1082    - implies: implies_role_array_body
 1083    - id: role_id_response_body
 1084    - links: link_response_body
 1085    - name: role_name_response_body
 1086 
 1087 Status Codes
 1088 ~~~~~~~~~~~~
 1089 
 1090 .. rest_status_code:: success status.yaml
 1091 
 1092    - 200
 1093 
 1094 .. rest_status_code:: error status.yaml
 1095 
 1096    - 401
 1097    - 404
 1098 
 1099 Example
 1100 ~~~~~~~
 1101 
 1102 .. literalinclude:: ./samples/admin/list-implied-roles-for-role-response.json
 1103    :language: javascript
 1104 
 1105 
 1106 Create role inference rule
 1107 ==========================
 1108 
 1109 .. rest_method:: PUT /v3/roles/{prior_role_id}/implies/{implies_role_id}
 1110 
 1111 Creates a role inference rule.
 1112 
 1113 Relationship:
 1114 ``https://developer.openstack.org/api-ref/identity/v3/#create-role-inference-rule``
 1115 
 1116 Request
 1117 -------
 1118 
 1119 Parameters
 1120 ~~~~~~~~~~
 1121 
 1122 .. rest_parameters:: parameters.yaml
 1123 
 1124    - prior_role_id: prior_role_id
 1125    - implies_role_id: implies_role_id
 1126 
 1127 Response
 1128 --------
 1129 
 1130 Parameters
 1131 ~~~~~~~~~~
 1132 
 1133 .. rest_parameters:: parameters.yaml
 1134 
 1135    - role_inference: role_inference_body
 1136    - prior_role: prior_role_body
 1137    - implies: implies_role_object_body
 1138    - id: role_id_response_body
 1139    - links: link_response_body
 1140    - name: role_name_response_body
 1141 
 1142 Status Codes
 1143 ~~~~~~~~~~~~
 1144 
 1145 .. rest_status_code:: success status.yaml
 1146 
 1147    - 201
 1148 
 1149 .. rest_status_code:: error status.yaml
 1150 
 1151    - 401
 1152    - 404
 1153 
 1154 Example
 1155 ~~~~~~~
 1156 
 1157 .. literalinclude:: ./samples/admin/create-role-inferences-response.json
 1158    :language: javascript
 1159 
 1160 
 1161 Get role inference rule
 1162 =======================
 1163 
 1164 .. rest_method:: GET /v3/roles/{prior_role_id}/implies/{implies_role_id}
 1165 
 1166 Gets a role inference rule.
 1167 
 1168 Relationship:
 1169 ``https://developer.openstack.org/api-ref/identity/v3/#get-role-inference-rule``
 1170 
 1171 Request
 1172 -------
 1173 
 1174 Parameters
 1175 ~~~~~~~~~~
 1176 
 1177 .. rest_parameters:: parameters.yaml
 1178 
 1179    - prior_role_id: prior_role_id
 1180    - implies_role_id: implies_role_id
 1181 
 1182 Response
 1183 --------
 1184 
 1185 Parameters
 1186 ~~~~~~~~~~
 1187 
 1188 .. rest_parameters:: parameters.yaml
 1189 
 1190    - role_inference: role_inference_body
 1191    - prior_role: prior_role_body
 1192    - implies: implies_role_object_body
 1193    - id: role_id_response_body
 1194    - links: link_response_body
 1195    - name: role_name_response_body
 1196 
 1197 Status Codes
 1198 ~~~~~~~~~~~~
 1199 
 1200 .. rest_status_code:: success status.yaml
 1201 
 1202    - 200
 1203 
 1204 .. rest_status_code:: error status.yaml
 1205 
 1206    - 401
 1207    - 404
 1208 
 1209 Example
 1210 ~~~~~~~
 1211 
 1212 .. literalinclude:: ./samples/admin/get-role-inferences-response.json
 1213    :language: javascript
 1214 
 1215 
 1216 Confirm role inference rule
 1217 ===========================
 1218 
 1219 .. rest_method:: HEAD /v3/roles/{prior_role_id}/implies/{implies_role_id}
 1220 
 1221 Checks a role inference rule.
 1222 
 1223 Relationship:
 1224 ``https://developer.openstack.org/api-ref/identity/v3/#confirm-role-inference-rule``
 1225 
 1226 Request
 1227 -------
 1228 
 1229 Parameters
 1230 ~~~~~~~~~~
 1231 
 1232 .. rest_parameters:: parameters.yaml
 1233 
 1234    - prior_role_id: prior_role_id
 1235    - implies_role_id: implies_role_id
 1236 
 1237 Response
 1238 --------
 1239 
 1240 Status Codes
 1241 ~~~~~~~~~~~~
 1242 
 1243 .. rest_status_code:: success status.yaml
 1244 
 1245    - 204
 1246 
 1247 .. rest_status_code:: error status.yaml
 1248 
 1249    - 401
 1250    - 404
 1251 
 1252 Example
 1253 ~~~~~~~
 1254 
 1255 Status: 204 No Content
 1256 
 1257 
 1258 Delete role inference rule
 1259 ==========================
 1260 
 1261 .. rest_method:: DELETE /v3/roles/{prior_role_id}/implies/{implies_role_id}
 1262 
 1263 Deletes a role inference rule.
 1264 
 1265 Relationship:
 1266 ``https://developer.openstack.org/api-ref/identity/v3/#delete-role-inference-rule``
 1267 
 1268 Request
 1269 -------
 1270 
 1271 Parameters
 1272 ~~~~~~~~~~
 1273 .. rest_parameters:: parameters.yaml
 1274 
 1275    - prior_role_id: prior_role_id
 1276    - implies_role_id: implies_role_id
 1277 
 1278 Response
 1279 --------
 1280 
 1281 Status Codes
 1282 ~~~~~~~~~~~~
 1283 
 1284 .. rest_status_code:: success status.yaml
 1285 
 1286    - 204
 1287 
 1288 .. rest_status_code:: error status.yaml
 1289 
 1290    - 401
 1291    - 404
 1292 
 1293 Example
 1294 ~~~~~~~
 1295 
 1296 Status: 204 No Content
 1297 
 1298 
 1299 List role assignments
 1300 =====================
 1301 
 1302 .. rest_method::  GET /v3/role_assignments
 1303 
 1304 Lists role assignments.
 1305 
 1306 Relationship: ``https://docs.openstack.org/api/openstack-identity/3/rel/role_assignments``
 1307 
 1308 Request
 1309 -------
 1310 
 1311 Parameters
 1312 ~~~~~~~~~~
 1313 
 1314 .. rest_parameters:: parameters.yaml
 1315 
 1316    - effective: effective_query
 1317    - include_names: include_names_query
 1318    - include_subtree: include_subtree_query
 1319    - group.id: group_id_query
 1320    - role.id: role_id_query
 1321    - scope.system: scope_system_query
 1322    - scope.domain.id: scope_domain_id_query
 1323    - scope.project.id: scope_project_id_query
 1324    - user.id: user_id_query
 1325 
 1326 Response
 1327 --------
 1328 
 1329 Parameters
 1330 ~~~~~~~~~~
 1331 
 1332 .. rest_parameters:: parameters.yaml
 1333 
 1334    - role_assignments: role_assignments
 1335 
 1336 Status Codes
 1337 ~~~~~~~~~~~~
 1338 
 1339 .. rest_status_code:: success status.yaml
 1340 
 1341    - 200
 1342 
 1343 .. rest_status_code:: error status.yaml
 1344 
 1345    - 400
 1346    - 401
 1347    - 403
 1348 
 1349 Example
 1350 ~~~~~~~
 1351 
 1352 .. literalinclude:: ./samples/admin/role-assignments-list-response.json
 1353    :language: javascript
 1354 
 1355 
 1356 List all role inference rules
 1357 =============================
 1358 
 1359 .. rest_method:: GET /v3/role_inferences
 1360 
 1361 Lists all role inference rules.
 1362 
 1363 Relationship:
 1364 ``https://developer.openstack.org/api-ref/identity/v3/#list-all-role-inference-rules``
 1365 
 1366 Response
 1367 --------
 1368 
 1369 Parameters
 1370 ~~~~~~~~~~
 1371 
 1372 .. rest_parameters:: parameters.yaml
 1373 
 1374    - role_inferences: role_inference_array_body
 1375    - prior_role: prior_role_body
 1376    - implies: implies_role_object_body
 1377    - id: role_id_response_body
 1378    - links: link_response_body
 1379    - name: role_name_response_body
 1380 
 1381 Status Codes
 1382 ~~~~~~~~~~~~
 1383 
 1384 .. rest_status_code:: success status.yaml
 1385 
 1386    - 200
 1387 
 1388 .. rest_status_code:: error status.yaml
 1389 
 1390    - 401
 1391    - 404
 1392 
 1393 Example
 1394 ~~~~~~~
 1395 
 1396 .. literalinclude:: ./samples/admin/role-inferences-response.json
 1397    :language: javascript