===============================
Mapping of policy target to API
===============================

The following table shows the target in the policy.json file for each API.

=========================================================  ===
Target                                                     API
=========================================================  ===
identity:get_region                                        GET /v3/regions/{region_id}
identity:list_regions                                      GET /v3/regions
identity:create_region                                     POST /v3/regions
identity:update_region                                     PATCH /v3/regions/{region_id}
identity:delete_region                                     DELETE /v3/regions/{region_id}

identity:get_service                                       GET /v3/services/{service_id}
identity:list_services                                     GET /v3/services
identity:create_service                                    POST /v3/services
identity:update_service                                    PATCH /v3/services/{service_id}
identity:delete_service                                    DELETE /v3/services/{service_id}

identity:get_endpoint                                      GET /v3/endpoints/{endpoint_id}
identity:list_endpoints                                    GET /v3/endpoints
identity:create_endpoint                                   POST /v3/endpoints
identity:update_endpoint                                   PATCH /v3/endpoints/{endpoint_id}
identity:delete_endpoint                                   DELETE /v3/endpoints/{endpoint_id}

identity:get_domain                                        GET /v3/domains/{domain_id}
identity:list_domains                                      GET /v3/domains
identity:create_domain                                     POST /v3/domains
identity:update_domain                                     PATCH /v3/domains/{domain_id}
identity:delete_domain                                     DELETE /v3/domains/{domain_id}

identity:get_project                                       GET /v3/projects/{project_id}
identity:list_projects                                     GET /v3/projects
identity:list_user_projects                                GET /v3/users/{user_id}/projects
identity:create_project                                    POST /v3/projects
identity:update_project                                    PATCH /v3/projects/{project_id}
identity:delete_project                                    DELETE /v3/projects/{project_id}

identity:get_user                                          GET /v3/users/{user_id}
identity:list_users                                        GET /v3/users
identity:create_user                                       POST /v3/users
identity:update_user                                       PATCH /v3/users/{user_id}
identity:delete_user                                       DELETE /v3/users/{user_id}
identity:change_password                                   POST /v3/users/{user_id}/password

identity:get_group                                         GET /v3/groups/{group_id}
identity:list_groups                                       GET /v3/groups
identity:list_groups_for_user                              GET /v3/users/{user_id}/groups
identity:create_group                                      POST /v3/groups
identity:update_group                                      PATCH /v3/groups/{group_id}
identity:delete_group                                      DELETE /v3/groups/{group_id}
identity:list_users_in_group                               GET /v3/groups/{group_id}/users
identity:remove_user_from_group                            DELETE /v3/groups/{group_id}/users/{user_id}
identity:check_user_in_group                               GET /v3/groups/{group_id}/users/{user_id}
identity:add_user_to_group                                 PUT /v3/groups/{group_id}/users/{user_id}

identity:get_credential                                    GET /v3/credentials/{credential_id}
identity:list_credentials                                  GET /v3/credentials
identity:create_credential                                 POST /v3/credentials
identity:update_credential                                 PATCH /v3/credentials/{credential_id}
identity:delete_credential                                 DELETE /v3/credentials/{credential_id}

identity:ec2_get_credential                                GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
identity:ec2_list_credentials                              GET /v3/users/{user_id}/credentials/OS-EC2
identity:ec2_create_credential                             POST /v3/users/{user_id}/credentials/OS-EC2
identity:ec2_delete_credential                             DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id}

identity:get_role                                          GET /v3/roles/{role_id}
identity:list_roles                                        GET /v3/roles
identity:create_role                                       POST /v3/roles
identity:update_role                                       PATCH /v3/roles/{role_id}
identity:delete_role                                       DELETE /v3/roles/{role_id}

identity:get_domain_role                                   GET /v3/roles/{role_id} where role.domain_id is not null
identity:list_domain_roles                                 GET /v3/roles?domain_id where role.domain_id is not null
identity:create_domain_role                                POST /v3/roles where role.domain_id is not null
identity:update_domain_role                                PATCH /v3/roles/{role_id} where role.domain_id is not null
identity:delete_domain_role                                DELETE /v3/roles/{role_id} where role.domain_id is not null

identity:get_implied_role                                  GET /v3/roles/{prior_role_id}/implies/{implied_role_id}
identity:list_implied_roles                                GET /v3/roles/{prior_role_id}/implies
identity:create_implied_role                               PUT /v3/roles/{prior_role_id}/implies/{implied_role_id}
identity:delete_implied_role                               DELETE /v3/roles/{prior_role_id}/implies/{implied_role_id}
identity:list_role_inference_rules                         GET /v3/role_inferences
identity:check_implied_role                                HEAD /v3/roles/{prior_role_id}/implies/{implied_role_id}

identity:check_grant                                       GET `grant_resources`_
identity:list_grants                                       GET `grant_collections`_
identity:create_grant                                      PUT `grant_resources`_
identity:revoke_grant                                      DELETE `grant_resources`_

identity:list_role_assignments                             GET /v3/role_assignments
identity:list_role_assignments_for_tree                    GET /v3/role_assignments?include_subtree

identity:get_policy                                        GET /v3/policy/{policy_id}
identity:list_policies                                     GET /v3/policy
identity:create_policy                                     POST /v3/policy
identity:update_policy                                     PATCH /v3/policy/{policy_id}
identity:delete_policy                                     DELETE /v3/policy/{policy_id}

identity:check_token                                       HEAD /v3/auth/tokens
identity:validate_token                                    - GET /v2.0/tokens/{token_id}
                                                           - GET /v3/auth/tokens
identity:validate_token_head                               HEAD /v2.0/tokens/{token_id}
identity:revocation_list                                   - GET /v2.0/tokens/revoked
                                                           - GET /v3/auth/tokens/OS-PKI/revoked
identity:revoke_token                                      DELETE /v3/auth/tokens
identity:create_trust                                      POST /v3/OS-TRUST/trusts
identity:list_trusts                                       GET /v3/OS-TRUST/trusts
identity:list_roles_for_trust                              GET /v3/OS-TRUST/trusts/{trust_id}/roles
identity:get_role_for_trust                                GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
identity:delete_trust                                      DELETE /v3/OS-TRUST/trusts/{trust_id}

identity:create_consumer                                   POST /v3/OS-OAUTH1/consumers
identity:get_consumer                                      GET /v3/OS-OAUTH1/consumers/{consumer_id}
identity:list_consumers                                    GET /v3/OS-OAUTH1/consumers
identity:delete_consumer                                   DELETE /v3/OS-OAUTH1/consumers/{consumer_id}
identity:update_consumer                                   PATCH /v3/OS-OAUTH1/consumers/{consumer_id}

identity:authorize_request_token                           PUT /v3/OS-OAUTH1/authorize/{request_token_id}
identity:list_access_token_roles                           GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
identity:get_access_token_role                             GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
identity:list_access_tokens                                GET /v3/users/{user_id}/OS-OAUTH1/access_tokens
identity:get_access_token                                  GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
identity:delete_access_token                               DELETE /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}

identity:list_projects_for_endpoint                        GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
identity:add_endpoint_to_project                           PUT /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
identity:check_endpoint_in_project                         GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
identity:list_endpoints_for_project                        GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints
identity:remove_endpoint_from_project                      DELETE /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

identity:create_endpoint_group                             POST /v3/OS-EP-FILTER/endpoint_groups
identity:list_endpoint_groups                              GET /v3/OS-EP-FILTER/endpoint_groups
identity:get_endpoint_group                                GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
identity:update_endpoint_group                             PATCH /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
identity:delete_endpoint_group                             DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
identity:list_projects_associated_with_endpoint_group      GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
identity:list_endpoints_associated_with_endpoint_group     GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
identity:get_endpoint_group_in_project                     GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
identity:list_endpoint_groups_for_project                  GET /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups
identity:add_endpoint_group_to_project                     PUT /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
identity:remove_endpoint_group_from_project                DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}

identity:create_identity_provider                          PUT /v3/OS-FEDERATION/identity_providers/{idp_id}
identity:list_identity_providers                           GET /v3/OS-FEDERATION/identity_providers
identity:get_identity_providers                            GET /v3/OS-FEDERATION/identity_providers/{idp_id}
identity:update_identity_provider                          PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}
identity:delete_identity_provider                          DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}

identity:create_protocol                                   PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
identity:update_protocol                                   PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
identity:get_protocol                                      GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
identity:list_protocols                                    GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
identity:delete_protocol                                   DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

identity:create_mapping                                    PUT /v3/OS-FEDERATION/mappings/{mapping_id}
identity:get_mapping                                       GET /v3/OS-FEDERATION/mappings/{mapping_id}
identity:list_mappings                                     GET /v3/OS-FEDERATION/mappings
identity:delete_mapping                                    DELETE /v3/OS-FEDERATION/mappings/{mapping_id}
identity:update_mapping                                    PATCH /v3/OS-FEDERATION/mappings/{mapping_id}

identity:create_service_provider                           PUT /v3/OS-FEDERATION/service_providers/{sp_id}
identity:list_service_providers                            GET /v3/OS-FEDERATION/service_providers
identity:get_service_provider                              GET /v3/OS-FEDERATION/service_providers/{sp_id}
identity:update_service_provider                           PATCH /v3/OS-FEDERATION/service_providers/{sp_id}
identity:delete_service_provider                           DELETE /v3/OS-FEDERATION/service_providers/{sp_id}

identity:get_auth_catalog                                  GET /v3/auth/catalog
identity:get_auth_projects                                 GET /v3/auth/projects
identity:get_auth_domains                                  GET /v3/auth/domains

identity:list_projects_for_groups                          GET /v3/OS-FEDERATION/projects
identity:list_domains_for_groups                           GET /v3/OS-FEDERATION/domains

identity:list_revoke_events                                GET /v3/OS-REVOKE/events

identity:create_policy_association_for_endpoint            PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
identity:check_policy_association_for_endpoint             GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
identity:delete_policy_association_for_endpoint            DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
identity:create_policy_association_for_service             PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
identity:check_policy_association_for_service              GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
identity:delete_policy_association_for_service             DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
identity:create_policy_association_for_region_and_service  PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
identity:check_policy_association_for_region_and_service   GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
identity:delete_policy_association_for_region_and_service  DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
identity:get_policy_for_endpoint                           GET /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
identity:list_endpoints_for_policy                         GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints

identity:create_domain_config                              PUT /v3/domains/{domain_id}/config
identity:get_domain_config                                 - GET /v3/domains/{domain_id}/config
                                                           - GET /v3/domains/{domain_id}/config/{group}
                                                           - GET /v3/domains/{domain_id}/config/{group}/{option}
identity:update_domain_config                              - PATCH /v3/domains/{domain_id}/config
                                                           - PATCH /v3/domains/{domain_id}/config/{group}
                                                           - PATCH /v3/domains/{domain_id}/config/{group}/{option}
identity:delete_domain_config                              - DELETE /v3/domains/{domain_id}/config
                                                           - DELETE /v3/domains/{domain_id}/config/{group}
                                                           - DELETE /v3/domains/{domain_id}/config/{group}/{option}
identity:get_domain_config_default                         - GET /v3/domains/config/default
                                                           - GET /v3/domains/config/{group}/default
                                                           - GET /v3/domains/config/{group}/{option}/default
=========================================================  ===

.. _grant_resources:

*grant_resources* are:

- /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
- /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
- /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
- /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
- /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
- /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
- /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
- /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

.. _grant_collections:

*grant_collections* are:

- /v3/projects/{project_id}/users/{user_id}/roles
- /v3/projects/{project_id}/groups/{group_id}/roles
- /v3/domains/{domain_id}/users/{user_id}/roles
- /v3/domains/{domain_id}/groups/{group_id}/roles
- /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
- /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
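
When reviewing access logs or a modified policy.json, it helps to resolve each request to the policy target that governs it. The following is an added example, not code from Keystone: it embeds a subset of rows copied from the table above, and ``compile_route``, ``resolve`` and the "most literal segments wins" tie-break are assumptions of the example rather than Keystone's own routing.

```python
import re

# Rows copied from the table and the grant_resources list above (a subset).
GRANT_RESOURCES = [
    "/v3/projects/{project_id}/users/{user_id}/roles/{role_id}",
    "/v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects",
]
TABLE = {
    "identity:get_user": ["GET /v3/users/{user_id}"],
    "identity:get_role": ["GET /v3/roles/{role_id}"],
    # Same route as get_role; the table applies it where role.domain_id is not null.
    "identity:get_domain_role": ["GET /v3/roles/{role_id}"],
    "identity:create_grant": ["PUT " + r for r in GRANT_RESOURCES],
    "identity:get_domain_config": [
        "GET /v3/domains/{domain_id}/config",
        "GET /v3/domains/{domain_id}/config/{group}",
    ],
    "identity:get_domain_config_default": [
        "GET /v3/domains/config/default",
        "GET /v3/domains/config/{group}/default",
    ],
}


def compile_route(template):
    """Return (anchored regex, count of literal path segments) for a template."""
    parts = re.split(r"(\{\w+\})", template)
    pattern = "".join(
        "(?P<%s>[^/]+)" % p[1:-1] if p.startswith("{") else re.escape(p)
        for p in parts
    )
    literals = sum(1 for s in template.split("/") if s and not s.startswith("{"))
    return re.compile("^" + pattern + "/?$"), literals


ROUTES = [
    (row.split(" ", 1)[0], target) + compile_route(row.split(" ", 1)[1])
    for target, rows in TABLE.items()
    for row in rows
]


def resolve(method, url):
    """Return the sorted policy targets governing METHOD url ([] if unmapped)."""
    path = url.split("?", 1)[0]  # query strings are ignored here
    hits = [(lit, target) for m, target, rx, lit in ROUTES
            if m == method.upper() and rx.match(path)]
    # Assumption of this example: the template with most literal segments wins.
    best = max((lit for lit, _ in hits), default=0)
    return sorted({t for lit, t in hits if lit == best})


if __name__ == "__main__":
    # Constructed request lines, e.g. as pulled from an access log.
    for line in ["GET /v3/roles/abc123", "GET /v3/domains/config/config/default",
                 "DELETE /v3/unknown/x"]:
        print(line, "->", resolve(*line.split(" ", 1)) or "UNMAPPED")
```

A route that returns two targets, such as ``GET /v3/roles/{role_id}``, means both policy rules need review, since the table selects between them on ``role.domain_id`` rather than on the URL.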