Identity API v3 (CURRENT)

Gets an authentication token that permits access to the OpenStack services REST API.

Like most OpenStack projects, OpenStack Identity protects its APIs by defining policy rules based on a role-based access control (RBAC) approach. These rules are stored in a JSON policy file. The Identity service configuration file, keystone.conf, sets the name and location of this policy file. For information about Identity API protection, see Identity API protection with role-based access control (RBAC) in the OpenStack Cloud Administrator Guide.

API versions

GET
/
List versions

Lists information about all Identity API versions.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
{
    "versions": {
        "values": [
            {
                "id": "v3.4",
                "links": [
                    {
                        "href": "http://localhost:35357/v3/",
                        "rel": "self"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v3+json"
                    }
                ],
                "status": "stable",
                "updated": "2015-03-30T00:00:00Z"
            },
            {
                "id": "v2.0",
                "links": [
                    {
                        "href": "http://localhost:35357/v2.0/",
                        "rel": "self"
                    },
                    {
                        "href": "http://docs.openstack.org/",
                        "rel": "describedby",
                        "type": "text/html"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v2.0+json"
                    }
                ],
                "status": "stable",
                "updated": "2014-04-17T00:00:00Z"
            }
        ]
    }
}

This operation does not accept a request body.

GET
/v3
Show API version details

Shows details for the Identity API v3.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Response parameters
Parameter Style Type Description
version plain xsd:string

A version object.

status plain xsd:string

The status of the version. For example, experimental or stable.

updated plain xsd:string

The date and time stamp for the last update.

media-types plain xsd:string

A media-types object, which shows the supported media types.

id plain xsd:string

The version ID, such as v3.0.

links plain xsd:string

The version links.

{
    "version": {
        "id": "v3.4",
        "links": [
            {
                "href": "http://localhost:35357/v3/",
                "rel": "self"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v3+json"
            }
        ],
        "status": "stable",
        "updated": "2015-03-30T00:00:00Z"
    }
}

This operation does not accept a request body.

Tokens

Manages tokens.

POST
/v3/auth/tokens
Authenticate

Authenticates and generates a token.

 

Each REST request against the Identity Service requires the X-Auth-Token header. Clients obtain this token and the URL endpoints for other service APIs by supplying their valid credentials to the authentication service.

A REST interface provides client authentication by using the POST method with auth/tokens as the path. The body of the request must include a payload of credentials including the authentication method and, optionally, the authorization scope. The scope includes either a project or domain. If you include both project and domain, this call returns the HTTP Bad Request (400) status code because a token cannot be simultaneously scoped to both a project and a domain.

If you do not include the optional scope and the authenticating user has a defined default project (the default_project_id attribute for the user), that default project is treated as the preferred authorization scope.

If no default project is defined, the token is issued without an explicit scope of authorization.

Provide one of the following sets of credentials to authenticate: user ID and password, user name and password scoped by domain ID or name, user ID and password scoped by project ID or name with or without domain scope, or token.

The following examples demonstrate authentication requests with different types of credentials.

If scope is included, project id uniquely identifies the project. However, project name uniquely identifies the project only when used in conjunction with a domain ID or a domain name.

If the authentication token has expired, this call returns the HTTP 401 status code.

If the subject token has expired, this call returns the HTTP 404 status code.

The Identity API treats expired tokens as no longer valid tokens.

The deployment determines how long expired tokens are stored.

As the following example responses show, the response to an authentication request returns the token ID in the X-Subject-Token header instead of in the token data.

If the call has no explicit authorization scope, the response does not contain the catalog, project, domain, or roles fields. However, the response still uniquely identifies the user.

A token scoped to a project also has both a service catalog and the user's roles applicable to the project.

A token scoped to a domain also has both a service catalog and the user's roles applicable to the project.

Optionally, the Identity API implementation might return an authentication attribute to indicate the supported authentication methods.

For authentication processes that require multiple round trips, the Identity API implementation might return an HTTP 401 Unauthorized error with additional information for the next authentication step.

The following examples illustrate several possible HTTP 401 Unauthorized authentication errors. Other errors like HTTP 403 Forbidden are also possible.

Normal response codes
201
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
auth plain xsd:string

An auth object.

identity plain xsd:string

An identity object.

methods plain xsd:string

The authentication method, which is password or token.

With password authentication, you can specify user ID and password, user name and password scoped by domain ID or name, or user ID and password scoped by project ID or name with or without domain scope.

With token authentication, you specify the token ID.

password (Optional) plain xsd:string

A password object.

scope (Optional) plain xsd:string

Token can be scoped for a domain or project. Specify either an id or name to uniquely identify the domain or project. Use project name only in conjunction with a domain id or name.

token (Optional) plain xsd:string

A token object. With token authentication, the id uniquely identifies the token. This method is typically used in combination with a request to change authorization scope.

user (Optional) plain xsd:string

A user object. Specify id or name to uniquely identify the user and password. Use name only in conjunction with a domain id or name.

id (Optional) plain xsd:string

With password authentication, id uniquely identifies the user. However, name uniquely identifies the user when used in conjunction with a domain id or name.

name (Optional) plain xsd:string

The user name.

password (Optional) plain xsd:string

The password.

Example request: password authentication with user ID
{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "id": "0ca8f6",
                    "password": "secretsecret"
                }
            }
        }
    }
}

Example request: password authentication with user name and domain ID
{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "domain": {
                        "id": "1789d1"
                    },
                    "name": "Joe",
                    "password": "secretsecret"
                }
            }
        }
    }
}

Example request: password authentication with user name and domain name
{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "domain": {
                        "name": "example.com"
                    },
                    "name": "Joe",
                    "password": "secretsecret"
                }
            }
        }
    }
}

Example request: token authentication
{
    "auth": {
        "identity": {
            "methods": [
                "token"
            ],
            "token": {
                "id": "e80b74"
            }
        }
    }
}

Example request: password authentication scoped to a project by ID
{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "id": "0ca8f6",
                    "password": "secretsecret"
                }
            }
        },
        "scope": {
            "project": {
                "id": "263fd9"
            }
        }
    }
}

Example request: password authentication scoped to a domain by ID
{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "id": "0ca8f6",
                    "password": "secretsecret"
                }
            }
        },
        "scope": {
            "domain": {
                "id": "263fd9"
            }
        }
    }
}

Example request: password authentication scoped to a project by name and domain ID
{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "id": "0ca8f6",
                    "password": "secretsecret"
                }
            }
        },
        "scope": {
            "project": {
                "domain": {
                    "id": "1789d1"
                },
                "name": "project-x"
            }
        }
    }
}

Example request: password authentication scoped to a project by name and domain name
{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "id": "0ca8f6",
                    "password": "secretsecret"
                }
            }
        },
        "scope": {
            "project": {
                "domain": {
                    "name": "example.com"
                },
                "name": "project-x"
            }
        }
    }
}

Example response: unscoped token
{
    "token": {
        "expires_at": "2013-02-27T18:30:59.999999Z",
        "issued_at": "2013-02-27T16:30:59.999999Z",
        "methods": [
            "password"
        ],
        "user": {
            "domain": {
                "id": "1789d1",
                "links": {
                    "self": "http://identity:35357/v3/domains/1789d1"
                },
                "name": "example.com"
            },
            "id": "0ca8f6",
            "links": {
                "self": "http://identity:35357/v3/users/0ca8f6"
            },
            "name": "Joe"
        }
    }
}

Example response: token scoped to a project
{
    "token": {
        "expires_at": "2013-02-27T18:30:59.999999Z",
        "issued_at": "2013-02-27T16:30:59.999999Z",
        "methods": [
            "password"
        ],
        "endpoints": [
            {
                "links": {
                    "self": "https://region-a.example.com:35357/v3/endpoints/130_P"
                },
                "id": "example-a",
                "interface": "public",
                "region_id": "region-a.geo-1",
                "url": "https://region-a.example.com:35357/v2.0/",
                "service_id": "100"
            },
            {
                "links": {
                    "self": "https://region-a.example.com:35357/v3/endpoints/example-a"
                },
                "id": "example-a",
                "interface": "public",
                "region_id": "region-a.geo-1",
                "url": "https://region-a.example.com:35357/v3/",
                "service_id": "100"
            }
        ],
        "project": {
            "domain": {
                "id": "1789d1",
                "links": {
                    "self": "http://identity:35357/v3/domains/1789d1"
                },
                "name": "example.com"
            },
            "id": "263fd9",
            "links": {
                "self": "http://identity:35357/v3/projects/263fd9"
            },
            "name": "project-x"
        },
        "roles": [
            {
                "id": "76e72a",
                "links": {
                    "self": "http://identity:35357/v3/roles/76e72a"
                },
                "name": "admin"
            },
            {
                "id": "f4f392",
                "links": {
                    "self": "http://identity:35357/v3/roles/f4f392"
                },
                "name": "member"
            }
        ],
        "user": {
            "domain": {
                "id": "1789d1",
                "links": {
                    "self": "http://identity:35357/v3/domains/1789d1"
                },
                "name": "example.com"
            },
            "id": "0ca8f6",
            "links": {
                "self": "http://identity:35357/v3/users/0ca8f6"
            },
            "name": "Joe"
        }
    }
}

Example response: token scoped to a domain
{
    "token": {
        "expires_at": "2013-02-27T18:30:59.999999Z",
        "issued_at": "2013-02-27T16:30:59.999999Z",
        "methods": [
            "password"
        ],
        "catalog": [
            {
                "type": "identity",
                "id": "100",
                "endpoints": [
                    {
                        "links": {
                            "self": "https://region-a.example.com:35357/v3/endpoints/130_P"
                        },
                        "id": "example-a",
                        "interface": "public",
                        "region_id": "region-a.geo-1",
                        "url": "https://region-a.example.com:35357/v2.0/",
                        "service_id": "100"
                    },
                    {
                        "links": {
                            "self": "https://region-a.example.com:35357/v3/endpoints/example-a"
                        },
                        "id": "example-a",
                        "interface": "public",
                        "region_id": "region-a.geo-1",
                        "url": "https://region-a.example.com:35357/v3/",
                        "service_id": "100"
                    }
                ]
            }
        ],
        "domain": {
            "id": "1789d1",
            "links": {
                "self": "http://identity:35357/v3/domains/1789d1"
            },
            "name": "example.com"
        },
        "roles": [
            {
                "id": "76e72a",
                "links": {
                    "self": "http://identity:35357/v3/roles/76e72a"
                },
                "name": "admin"
            },
            {
                "id": "f4f392",
                "links": {
                    "self": "http://identity:35357/v3/roles/f4f392"
                },
                "name": "member"
            }
        ],
        "user": {
            "domain": {
                "id": "1789d1",
                "links": {
                    "self": "http://identity:35357/v3/domains/1789d1"
                },
                "name": "example.com"
            },
            "id": "0ca8f6",
            "links": {
                "self": "http://identity:35357/v3/users/0ca8f6"
            },
            "name": "Joe"
        }
    }
}

Example error response: HTTP 401 Unauthorized
{
    "error": {
        "code": 401,
        "message": "The request you have made requires authentication",
        "title": "Not Authorized"
    }
}

Example error response: HTTP 401 Unauthorized listing the supported authentication methods
{
    "error": {
        "code": 401,
        "identity": {
            "methods": [
                "password",
                "token",
                "challenge-response"
            ]
        },
        "message": "Need to authenticate with one or more supported methods",
        "title": "Not Authorized"
    }
}

Example error response: HTTP 401 Unauthorized with the next authentication step
{
    "error": {
        "code": 401,
        "identity": {
            "challenge-response": {
                "challenge": "What was the zip code of your birthplace?",
                "session_id": "123456"
            },
            "methods": [
                "challenge-response"
            ]
        },
        "message": "Additional authentications steps required.",
        "title": "Not Authorized"
    }
}
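
The credential and scope rules for POST /v3/auth/tokens described above, enforced on the client before the request is sent. This is an added example, not code from the Identity API reference or from Keystone; every function name here (domain_ref, named_ref, password_identity, token_identity, build_auth_request, redact_for_log) is hypothetical, and the IDs are the sample values from this page.

```python
import copy


class AuthRequestError(ValueError):
    """Raised for a body the Identity API would reject or find ambiguous."""


def domain_ref(domain_id=None, domain_name=None):
    """Reference a domain by exactly one of id or name."""
    if (domain_id is None) == (domain_name is None):
        raise AuthRequestError("domain: give exactly one of id or name")
    return {"id": domain_id} if domain_id is not None else {"name": domain_name}


def named_ref(kind, obj_id=None, name=None, domain=None):
    """Reference a user or project.

    An id identifies the object on its own. A name identifies it only
    together with a domain reference, so a bare name is refused.
    """
    if obj_id is not None:
        return {"id": obj_id}
    if name is None:
        raise AuthRequestError(f"{kind}: give an id or a name")
    if not domain:
        raise AuthRequestError(f"{kind} name {name!r} needs a domain id or name")
    return {"name": name, "domain": dict(domain)}


def password_identity(password, user_id=None, user_name=None, domain=None):
    """Identity section for the "password" method."""
    user = named_ref("user", user_id, user_name, domain)
    user["password"] = password
    return {"methods": ["password"], "password": {"user": user}}


def token_identity(token_id):
    """Identity section for the "token" method (typically used to rescope)."""
    return {"methods": ["token"], "token": {"id": token_id}}


def build_auth_request(identity, project=None, domain=None):
    """Assemble the body. Scope is optional, but never project and domain."""
    if project is not None and domain is not None:
        # The server answers 400 Bad Request here; fail before sending.
        raise AuthRequestError("scope: project and domain are mutually exclusive")
    auth = {"identity": identity}
    if project is not None:
        auth["scope"] = {"project": project}
    elif domain is not None:
        auth["scope"] = {"domain": domain}
    return {"auth": auth}


def redact_for_log(body):
    """Copy of the body with the password and token id masked for logging."""
    safe = copy.deepcopy(body)
    identity = safe["auth"]["identity"]
    if "password" in identity:
        identity["password"]["user"]["password"] = "***"
    if "token" in identity:
        identity["token"]["id"] = "***"
    return safe


if __name__ == "__main__":
    import json

    # Reproduces the "project by name and domain ID" request shown above.
    project = named_ref("project", name="project-x",
                        domain=domain_ref(domain_id="1789d1"))
    body = build_auth_request(
        password_identity("secretsecret", user_id="0ca8f6"), project=project)
    print(json.dumps(redact_for_log(body), indent=4, sort_keys=True))
```
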
GET
/v3/auth/tokens
Validate token

Validates a specified token.

 

Pass your own token in the X-Auth-Token header and the token to be validated in the X-Subject-Token header. The Identity API returns the same response as when the subject token was issued by POST /auth/tokens.

Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

X-Subject-Token header xsd:string

The token ID.

Response parameters
Parameter Style Type Description
token plain xsd:string

A token object.

expires_at plain xsd:string

The date and time stamp for when the token expires.

issued_at plain xsd:string

The date and time stamp for when the token was issued.

methods plain xsd:string

The authentication method, which is password or token.

With password authentication, you can specify user ID and password, user name and password scoped by domain ID or name, or user ID and password scoped by project ID or name with or without domain scope.

With token authentication, you specify the token ID.

user (Optional) plain xsd:string

A user object. Specify id or name to uniquely identify the user and password. Use name only in conjunction with a domain id or name.

domain (Optional) plain xsd:string

Specify either id or name to uniquely identify the domain.

id plain xsd:string

The domain ID.

links plain xsd:dict

The domain links.

name plain xsd:string

The domain name.

id plain xsd:string

The user ID.

links plain xsd:dict

The user links.

name plain xsd:string

The user name.

Headers:
X-Auth-Token: 1dd7e3
X-Subject-Token: c67580
{
    "token": {
        "expires_at": "2013-02-27T18:30:59.999999Z",
        "issued_at": "2013-02-27T16:30:59.999999Z",
        "methods": [
            "password"
        ],
        "user": {
            "domain": {
                "id": "1789d1",
                "links": {
                    "self": "http://identity:35357/v3/domains/1789d1"
                },
                "name": "example.com"
            },
            "id": "0ca8f6",
            "links": {
                "self": "http://identity:35357/v3/users/0ca8f6"
            },
            "name": "Joe"
        }
    }
}
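
A service that validates a caller's token with GET /v3/auth/tokens still has to decide what the returned body permits. The following added example (not from the Identity API reference or from Keystone; the names parse_timestamp, token_scope and authorize are hypothetical, and the token bodies are constructed from the sample responses on this page) checks expiry, scope and role, and shows that the domain nested under "user" is not a scope.

```python
from datetime import datetime, timezone


def parse_timestamp(value):
    """Parse the ISO 8601 UTC stamps used by expires_at and issued_at."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def token_scope(token):
    """Return ("project", id), ("domain", id) or ("unscoped", None).

    Only the top-level "project" / "domain" keys express scope. The domain
    nested under "user" is the user's owning domain and grants nothing.
    """
    has_project, has_domain = "project" in token, "domain" in token
    if has_project and has_domain:
        raise ValueError("token claims both project and domain scope")
    if has_project:
        return "project", token["project"]["id"]
    if has_domain:
        return "domain", token["domain"]["id"]
    return "unscoped", None


def authorize(body, now, required_role, scope_kind, scope_id):
    """Decide whether a validated token body permits an action.

    Returns (allowed, reason). `now` must be a timezone-aware datetime.
    """
    token = body.get("token") if isinstance(body, dict) else None
    if not isinstance(token, dict):
        return False, "malformed"
    try:
        expired = parse_timestamp(token["expires_at"]) <= now
        kind, ident = token_scope(token)
    except (KeyError, ValueError, TypeError, AttributeError):
        return False, "malformed"
    if expired:
        return False, "expired"
    if kind == "unscoped":
        # No catalog, project, domain or roles: identifies the user only.
        return False, "unscoped"
    if (kind, ident) != (scope_kind, scope_id):
        return False, "scope-mismatch"
    role_names = {role.get("name") for role in token.get("roles", [])}
    if required_role not in role_names:
        return False, "missing-role"
    return True, "ok"


# Constructed sample bodies, trimmed from the responses shown on this page.
_COMMON = {
    "expires_at": "2013-02-27T18:30:59.999999Z",
    "issued_at": "2013-02-27T16:30:59.999999Z",
    "methods": ["password"],
    "user": {"id": "0ca8f6", "name": "Joe",
             "domain": {"id": "1789d1", "name": "example.com"}},
}
_ROLES = [{"id": "76e72a", "name": "admin"}, {"id": "f4f392", "name": "member"}]
UNSCOPED = {"token": dict(_COMMON)}
PROJECT_SCOPED = {"token": dict(
    _COMMON, roles=_ROLES,
    project={"id": "263fd9", "name": "project-x",
             "domain": {"id": "1789d1", "name": "example.com"}})}
DOMAIN_SCOPED = {"token": dict(
    _COMMON, roles=_ROLES, domain={"id": "1789d1", "name": "example.com"})}


if __name__ == "__main__":
    now = datetime(2013, 2, 27, 17, 0, tzinfo=timezone.utc)
    for label, body in (("unscoped", UNSCOPED),
                        ("project", PROJECT_SCOPED),
                        ("domain", DOMAIN_SCOPED)):
        print(label, authorize(body, now, "admin", "project", "263fd9"))
```
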
HEAD
/v3/auth/tokens
Check token

Validates a specified token.

 

This call is similar to GET /auth/tokens, but no response body is provided, even in the X-Subject-Token header.

The Identity API returns the same response as when the subject token was issued by POST /auth/tokens, even if an error occurs because the token is not valid. A 204 response indicates that the X-Subject-Token is valid.

Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

X-Subject-Token header xsd:string

The token ID.

Headers:
X-Auth-Token: 1dd7e3
X-Subject-Token: c67580

This operation does not return a response body.

DELETE
/v3/auth/tokens
Revoke token

Revokes a specified token.

 

This call is similar to HEAD /auth/tokens, except that the token in X-Subject-Token immediately becomes invalid (regardless of its expires_at attribute). An additional X-Auth-Token is not required.

Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

X-Subject-Token header xsd:string

The token ID.

Headers:
X-Auth-Token: 1dd7e3
X-Subject-Token: c67580

This operation does not return a response body.

Service catalog

Manages the catalog of services.

POST
/v3/services
Create service

Creates a service.

 
Normal response codes
201
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

type plain xsd:string

The service type.

name (Optional) plain xsd:string

The service name.

enabled (Optional) plain xsd:boolean

Enables or disables a service. If true, the service is enabled. If false, the service is disabled. Default is true.

Response parameters
Parameter Style Type Description
links plain csapi:dict

Policy links.

services plain xsd:string

A services object.

description (Optional) plain xsd:string

The description.

id plain xsd:string

The service ID.

links plain xsd:string

The service links.

name plain xsd:string

The service name.

type plain xsd:string

The service type.

Example request:
{
    "service": {
        "type": "volume"
    }
}

Example response:
{
    "service": {
        "enabled": true,
        "id": "686766",
        "links": {
            "self": "http://identity:5000/v3/services/686766"
        },
        "type": "volume"
    }
}
GET
/v3/services
List services

Lists services.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

type (Optional) query xsd:string

Filters by service type. Service types include compute, ec2, image, and identity.

page (Optional) query xsd:string

Enables you to page through the list.

per_page (Optional) query xsd:string

Sets the page size for paging through the list. Default page size is 30.

Response parameters
Parameter Style Type Description
services plain xsd:string

A services object.

description (Optional) plain xsd:string

The description.

enabled plain xsd:boolean

If true, the service is enabled. If false, the service is disabled.

id plain xsd:string

The service ID.

links plain xsd:string

The service links.

name plain xsd:string

The service name.

type plain xsd:string

The service type.

{
    "links": {
        "next": null,
        "previous": null,
        "self": "http://identity:5000/v3/services"
    },
    "services": [
        {
            "description": "Keystone Identity Service",
            "enabled": true,
            "id": "686766",
            "links": {
                "self": "http://identity:5000/v3/services/686766"
            },
            "name": "keystone",
            "type": "identity"
        },
        {
            "enabled": true,
            "id": "936521",
            "links": {
                "self": "http://identity:5000/v3/services/936521"
            },
            "type": "volume"
        }
    ]
}
GET
/v3/services/{service_id}
Show service details

Shows details for a specified service.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

service_id URI capi:uuid

The service ID.

Response parameters
Parameter Style Type Description
service plain xsd:string

A service object.

description (Optional) plain xsd:string

The description.

enabled plain xsd:boolean

If true, the service is enabled. If false, the service is disabled.

id plain xsd:string

The service ID.

links plain xsd:string

The service links.

name plain xsd:string

The service name.

type plain xsd:string

The service type.

{
    "service": {
        "description": "Keystone Identity Service",
        "enabled": true,
        "id": "686766",
        "links": {
            "self": "http://identity:5000/v3/services/686766"
        },
        "name": "keystone",
        "type": "identity"
    }
}

This operation does not accept a request body.

PATCH
/v3/services/{service_id}
Update service

Updates a specified service.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

service_id URI capi:uuid

The service ID.

type plain xsd:string

The service type.

Response parameters
Parameter Style Type Description
services plain xsd:string

A services object.

id plain xsd:string

The service ID.

type plain xsd:string

The service type.

Example request:
{
    "type": "volume"
}

Example response:
{
    "service": {
        "id": "686766",
        "type": "volume"
    }
}
DELETE
/v3/services/{service_id}
Delete service

Deletes a specified service.

 

Deleting a service when endpoints exist should either (1) delete all associated endpoints or (2) fail until endpoints are deleted.

Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

service_id URI capi:uuid

The service ID.

This operation does not accept a request body and does not return a response body.

Endpoints

Manages endpoints.

POST
/v3/endpoints
Create endpoint

Creates an endpoint.

 
Normal response codes
201
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

endpoint plain xsd:string

An endpoint object.

interface plain xsd:string

The interface type, which is admin, public, or internal.

name plain xsd:string

The name.

region plain xsd:string

The service region.

url plain xsd:string

The service URL.

service_id plain xsd:string

The service ID.

Response parameters
Parameter Style Type Description
endpoint plain xsd:string

An endpoint object.

interface plain xsd:string

The interface type, which is admin, public, or internal.

links plain csapi:dict

Policy links.

name plain xsd:string

The name.

region plain xsd:string

The service region.

url plain xsd:string

The service URL.

service_id plain xsd:string

The service ID.

Example request:
{
    "endpoint": {
        "interface": "public",
        "name": "name",
        "region": "north",
        "url": "http://identity:35357/v3/endpoints/828384",
        "service_id": "686766"
    }
}

Example response:
{
    "endpoint": {
        "id": "828384",
        "interface": "internal",
        "links": {
            "self": "http://identity:35357/v3/endpoints/828384"
        },
        "name": "the internal volume endpoint",
        "region": "north",
        "service_id": "686766",
        "url": "http://identity:35357/v3/endpoints/828384"
    }
}
GET
/v3/endpoints
List endpoints

Lists available endpoints.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

interface (Optional) query xsd:string

Filters by interface.

service_id (Optional) query xsd:string

Filters by service_id.

page (Optional) query xsd:string

Enables you to page through the list.

per_page (Optional) query xsd:string

Sets the page size for paging through the list. Default page size is 30.

Response parameters
Parameter Style Type Description
endpoints plain xsd:string

An endpoints object.

enabled plain xsd:boolean

If true, the endpoint is enabled. If false, the endpoint is disabled.

id plain xsd:uuid

The endpoint ID.

interface plain xsd:string

The interface type, which is admin, public, or internal.

links plain xsd:dict

The endpoint links.

region plain xsd:string

The service region.

region_id plain xsd:string

The service region ID.

service_id plain xsd:string

The service ID.

url plain xsd:string

The service URL.

{
    "endpoints": [
        {
            "id": "828384",
            "interface": "public",
            "links": {
                "self": "http://identity:35357/v3/endpoints/828384"
            },
            "name": "the public volume endpoint",
            "service_id": "686766"
        },
        {
            "id": "642136",
            "interface": "internal",
            "links": {
                "self": "http://identity:35357/v3/endpoints/642136"
            },
            "name": "the internal volume endpoint",
            "service_id": "686766"
        }
    ]
}
PATCH
/v3/endpoints/{endpoint_id}
Update endpoint

Updates a specified endpoint.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

endpoint_id URI capi:uuid

The endpoint ID.

endpoint plain xsd:string

An endpoint object.

interface (Optional) plain xsd:string

The interface type, which is admin, public, or internal.

name plain xsd:string

The name.

region (Optional) plain xsd:string

The service region.

url (Optional) plain xsd:string

The service URL.

service_id (Optional) plain xsd:string

The service ID.

Response parameters
Parameter Style Type Description
endpoint plain xsd:string

An endpoint object.

interface plain xsd:string

The interface type, which is admin, public, or internal.

links plain csapi:dict

Policy links.

name plain xsd:string

The name.

region plain xsd:string

The service region.

url plain xsd:string

The service URL.

service_id plain xsd:string

The service ID.

Example request:
{
    "endpoint": {
        "interface": "public",
        "name": "Name",
        "region": "north",
        "url": "http://identity:35357/v3/endpoints/828384",
        "service_id": "345678"
    }
}

Example response:
{
    "endpoint": {
        "id": "828384",
        "interface": "internal",
        "links": {
            "self": "http://identity:35357/v3/endpoints/828384"
        },
        "name": "the internal volume endpoint",
        "region": "north",
        "service_id": "686766",
        "url": "http://identity:35357/v3/endpoints/828384"
    }
}
DELETE
/v3/endpoints/{endpoint_id}
Delete endpoint

Deletes a specified endpoint.

 
Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

endpoint_id URI capi:uuid

The endpoint ID.

This operation does not accept a request body and does not return a response body.

Domains

Manages domains.

Domains represent collections of users, groups, and projects. Each user, group, and project is owned by exactly one domain. Users, however, can be associated with multiple projects by granting roles to the user on a project, including projects owned by other domains.

Each domain defines a namespace where certain API-visible name attributes exist, which affects whether those names must be globally unique or unique within that domain. The Identity API scopes name uniqueness as follows:

  • Domain name. Globally unique across all domains.

  • Role name. Globally unique across all domains.

  • User name. Unique within the owning domain.

  • Project name. Unique within the owning domain.

  • Group name. Unique within the owning domain.

POST
/v3/domains
Create domain

Creates a domain.

 
Normal response codes
201
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

description (Optional) plain xsd:string

The domain description.

enabled (Optional) plain xsd:boolean

Enables or disables a domain.

Set to true to enable the domain or false to disable the domain.

name plain xsd:string

The domain name.

Response parameters
Parameter Style Type Description
description (Optional) plain xsd:string

The description.

enabled (Optional) plain xsd:boolean

If true, the domain is enabled. If false, the domain is disabled.

id plain xsd:string

The domain ID.

links plain csapi:dict

Policy links.

name plain xsd:string

The name of the resource.

{
    "domain": {
        "description": "Domain description",
        "enabled": true,
        "name": "myDomain"
    }
}
{
    "domain": {
        "description": "Domain description",
        "enabled": true,
        "id": "161718",
        "links": {
            "self": "http://identity:35357/v3/domains/161718"
        },
        "name": "myDomain"
    }
}
GET
/v3/domains
List domains

Lists domains.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

name (Optional) query xsd:string

Filters on a name.

enabled (Optional) query xsd:string

Filters on enabled or disabled domains. Values are true or false.

page (Optional) query xsd:string

Enables you to page through the list.

per_page (Optional) query xsd:string

Sets the page size for paging through the list. Default page size is 30.

Response parameters
Parameter Style Type Description
description (Optional) plain xsd:string

The description.

enabled (Optional) plain xsd:boolean

If true, the domain is enabled. If false, the domain is disabled.

id plain csapi:uuid

The domain ID.

links plain csapi:dict

Policy links.

name plain xsd:string

The name of the resource.

{
    "domains": [
        {
            "description": "Domain description",
            "enabled": true,
            "id": "161718",
            "links": {
                "self": "http://identity:35357/v3/domains/161718"
            },
            "name": "myDomain"
        },
        {
            "description": "Another domain",
            "enabled": true,
            "id": "864369",
            "links": {
                "self": "http://identity:35357/v3/domains/864369"
            },
            "name": "anotherDomain"
        }
    ]
}
GET
/v3/domains/{domain_id}
Show domain details

Shows details for a specified domain.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

domain_id URI capi:uuid

The domain ID.

Response parameters
Parameter Style Type Description
domains plain xsd:string

A domains object.

description (Optional) plain xsd:string

The description.

enabled (Optional) plain xsd:boolean

If true, the domain is enabled. If false, the domain is disabled.

id plain xsd:string

The domain ID.

links plain csapi:dict

Policy links.

name plain xsd:string

The name of the resource.

{
    "domain": {
        "description": "Domain description",
        "enabled": true,
        "id": "161718",
        "links": {
            "self": "http://identity:35357/v3/domains/161718"
        },
        "name": "myDomain"
    }
}

This operation does not accept a request body.

PATCH
/v3/domains/{domain_id}
Update domain

Updates a specified domain.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

domain_id URI capi:uuid

The domain ID.

description (Optional) plain xsd:string

The domain description.

enabled (Optional) plain xsd:boolean

Enables or disables a domain.

Set to true to enable the domain or false to disable the domain.

name plain xsd:string

The domain name.

{
    "domain": {
        "description": "my updated domain",
        "enabled": true,
        "name": "myUpdatedDomain"
    }
}
{
    "domain": {
        "description": "my updated domain",
        "enabled": true,
        "id": "161718",
        "links": {
            "self": "http://identity:35357/v3/domains/161718"
        },
        "name": "myUpdatedDomain"
    }
}
DELETE
/v3/domains/{domain_id}
Delete domain

Deletes a specified domain.

 

To minimize the risk of accidentally deleting a domain, you must first disable the domain by using the update domain API. If you try to delete an enabled domain, the call returns an HTTP 403 Forbidden response.

Deleting a domain deletes all entities owned by it, such as users, groups, and projects, as well as any credentials and granted roles that relate to those entities.

Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

domain_id URI capi:uuid

The domain ID.

This operation does not accept a request body and does not return a response body.
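The disable-then-delete sequence described above, as an added example that is not part of the original API reference. The `send` transport, the `expected_name` guard and the `FakeIdentity` stand-in are assumptions introduced here so the example runs offline; the stand-in models only the 403-on-enabled-domain rule stated above.

```python
class FakeIdentity:
    """Constructed in-memory stand-in for the /v3/domains/{domain_id} calls.

    It models only what the reference states: PATCH updates a domain, and
    DELETE answers 403 while the domain is enabled and 204 once disabled.
    """

    def __init__(self, domains):
        self.domains = {d["id"]: dict(d) for d in domains}
        self.log = []  # (method, path, status) of every call, for review

    def send(self, method, path, body=None):
        domain_id = path.rsplit("/", 1)[-1]
        domain = self.domains.get(domain_id)
        if domain is None:
            status, payload = 404, None
        elif method == "GET":
            status, payload = 200, {"domain": dict(domain)}
        elif method == "PATCH":
            domain.update(body["domain"])
            status, payload = 200, {"domain": dict(domain)}
        elif method == "DELETE":
            if domain["enabled"]:
                status, payload = 403, None
            else:
                del self.domains[domain_id]
                status, payload = 204, None
        else:
            status, payload = 405, None
        self.log.append((method, path, status))
        return status, payload


def delete_domain(send, domain_id, expected_name):
    """Disable and then delete a domain; return the (method, status) steps.

    `send(method, path, body)` is a hypothetical transport returning
    (status, parsed_json); a real one would add the X-Auth-Token header.
    `expected_name` is an added guard: deletion cascades to the domain's
    users, groups and projects, so the caller must name the domain it means.
    """
    path = "/v3/domains/" + domain_id
    status, payload = send("GET", path)
    if status != 200:
        raise LookupError("domain %s: GET returned %d" % (domain_id, status))
    domain = payload["domain"]
    if domain["name"] != expected_name:
        raise ValueError("domain %s is named %r, not %r"
                         % (domain_id, domain["name"], expected_name))
    steps = [("GET", status)]
    if domain["enabled"]:
        # The name is resent unchanged because the update-domain parameter
        # table does not mark it optional.
        body = {"domain": {"name": domain["name"], "enabled": False}}
        status, payload = send("PATCH", path, body)
        steps.append(("PATCH", status))
        if status != 200 or payload["domain"]["enabled"]:
            raise RuntimeError("domain %s was not disabled" % domain_id)
    status, _ = send("DELETE", path)
    steps.append(("DELETE", status))
    if status != 204:
        raise RuntimeError("domain %s: DELETE returned %d"
                           % (domain_id, status))
    return steps


if __name__ == "__main__":
    # Constructed sample domain, using the ID and name from the samples above.
    fake = FakeIdentity([{"id": "161718", "name": "myDomain",
                          "enabled": True}])
    print(fake.send("DELETE", "/v3/domains/161718"))  # enabled: refused
    print(delete_domain(fake.send, "161718", "myDomain"))
```
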

GET
/v3/domains/{domain_id}/users/{user_id}/roles
List roles for domain user

Lists roles for a user on a domain.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

domain_id URI capi:uuid

The domain ID.

user_id URI capi:uuid

The user ID.

{
    "roles": [
        {
            "id": "123456",
            "links": {
                "self": "http://identity:35357/v3/roles/123456"
            },
            "name": "admin"
        },
        {
            "id": "123457",
            "links": {
                "self": "http://identity:35357/v3/roles/123457"
            },
            "name": "manager"
        }
    ],
    "links": {
        "self": "http://identity:35357/v3/domains/161718/users/313233/roles",
        "previous": null,
        "next": null
    }
}

This operation does not accept a request body.

PUT
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
Grant role to domain user

Grants a role to a specified domain user.

 
Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

domain_id URI capi:uuid

The domain ID.

user_id URI capi:uuid

The user ID.

role_id URI capi:uuid

The role ID.

This operation does not accept a request body and does not return a response body.

HEAD
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
Check role for domain user

Validates that a user has a role on a domain.

 
Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

domain_id URI capi:uuid

The domain ID.

user_id URI capi:uuid

The user ID.

role_id URI capi:uuid

The role ID.

This operation does not accept a request body and does not return a response body.

DELETE
/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
Revoke role from domain user

Revokes a role from a specified domain user.

 
Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

domain_id URI capi:uuid

The domain ID.

user_id URI capi:uuid

The user ID.

role_id URI capi:uuid

The role ID.

This operation does not accept a request body and does not return a response body.

GET
/v3/domains/{domain_id}/groups/{group_id}/roles
List roles for domain group

Lists roles for a specified domain group.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

domain_id URI capi:uuid

The domain ID.

group_id URI capi:uuid

The group ID.

{
    "roles": [
        {
            "id": "123456",
            "links": {
                "self": "http://identity:35357/v3/roles/123456"
            },
            "name": "admin"
        },
        {
            "id": "123457",
            "links": {
                "self": "http://identity:35357/v3/roles/123457"
            },
            "name": "manager"
        }
    ],
    "links": {
        "self": "http://identity:35357/v3/domains/161718/groups/101112/roles",
        "previous": null,
        "next": null
    }
}

This operation does not accept a request body.

PUT
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
Grant role to domain group

Grants a specified role to a specified domain group.

 
Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

domain_id URI capi:uuid

The domain ID.

group_id URI capi:uuid

The group ID.

role_id URI capi:uuid

The role ID.

This operation does not accept a request body and does not return a response body.

HEAD
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
Check role for domain group

Validates that a group has a role on a domain.

 
Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

domain_id URI capi:uuid

The domain ID.

group_id URI capi:uuid

The group ID.

role_id URI capi:uuid

The role ID.

This operation does not accept a request body and does not return a response body.

DELETE
/v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
Revoke role from domain group

Revokes a role from a group on a domain.

 
Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

domain_id URI capi:uuid

The domain ID.

group_id URI capi:uuid

The group ID.

role_id URI capi:uuid

The role ID.

This operation does not accept a request body and does not return a response body.
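An added example, not part of the original API reference, that uses the "List roles for domain user" operation above to report which users hold a privileged role on a domain. It follows the `next` link shown in the sample response and refuses links that leave the Identity host, since the administrative `X-Auth-Token` would otherwise be sent there. The `PRIVILEGED` set, the user IDs other than 313233, the `?page=2` link and the `elsewhere.example` host are constructed assumptions.

```python
import json
import urllib.request
from urllib.parse import urlsplit

BASE = "http://identity:35357"  # host used in the reference's samples
PRIVILEGED = {"admin"}          # assumption: role names treated as privileged


def make_fetch(token):
    """Return fetch(url) that GETs JSON with the X-Auth-Token header."""
    def fetch(url):
        req = urllib.request.Request(url, headers={"X-Auth-Token": token})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return fetch


def same_origin(url, base):
    """True when url has the same scheme and host:port as base."""
    a, b = urlsplit(url), urlsplit(base)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def list_roles(fetch, base, path):
    """Collect the roles from every page of a roles listing."""
    url, roles, seen = base + path, [], set()
    while url:
        if not same_origin(url, base):
            raise ValueError("refusing off-origin link: " + url)
        if url in seen:
            raise ValueError("pagination loop at " + url)
        seen.add(url)
        page = fetch(url)
        roles.extend(page["roles"])
        url = (page.get("links") or {}).get("next")
    return roles


def privileged_grants(fetch, base, domain_id, user_ids,
                      privileged=frozenset(PRIVILEGED)):
    """Return (user_id, role_id, role_name) for each privileged grant."""
    findings = []
    for user_id in user_ids:
        path = "/v3/domains/%s/users/%s/roles" % (domain_id, user_id)
        for role in list_roles(fetch, base, path):
            if role["name"] in privileged:
                findings.append((user_id, role["id"], role["name"]))
    return findings


# Constructed responses shaped like the sample above, keyed by request URL.
_U1 = BASE + "/v3/domains/161718/users/313233/roles"
_U2 = BASE + "/v3/domains/161718/users/313234/roles"
_U3 = BASE + "/v3/domains/161718/users/313235/roles"
SAMPLE = {
    _U1: {"roles": [{"id": "123456", "name": "admin"}],
          "links": {"self": _U1, "previous": None, "next": _U1 + "?page=2"}},
    _U1 + "?page=2": {
        "roles": [{"id": "123457", "name": "manager"}],
        "links": {"self": _U1 + "?page=2", "previous": _U1, "next": None}},
    _U2: {"roles": [{"id": "123457", "name": "manager"}],
          "links": {"self": _U2, "previous": None, "next": None}},
    _U3: {"roles": [],
          "links": {"self": _U3, "previous": None,
                    "next": "http://elsewhere.example/v3/roles"}},
}

if __name__ == "__main__":
    # Offline run over the constructed responses; against a live service,
    # pass make_fetch(token) instead of SAMPLE.__getitem__.
    print(privileged_grants(SAMPLE.__getitem__, BASE, "161718",
                            ["313233", "313234"]))
```
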

Projects

Manages projects.

POST
/v3/projects
Create project

Creates a project.

 
Normal response codes
201
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

description (Optional) plain xsd:string

The project description.

domain_id (Optional) plain csapi:uuid

The ID of the domain for the project.

parent_id (Optional) plain csapi:uuid

The ID of the parent project.

enabled (Optional) plain xsd:boolean

Enables or disables a project.

Set to true to enable the project or false to disable the project. Default is true.

name plain xsd:string

The project name.

Response parameters
Parameter Style Type Description
description plain xsd:string

The project description.

domain_id plain csapi:uuid

The ID of the domain for the project.

parent_id plain csapi:uuid

The ID of the parent project.

enabled plain xsd:boolean

If set to true, project is enabled. If set to false, project is disabled.

id plain csapi:uuid

The ID for the project.

links plain xsd:dict

The project links.

name plain xsd:string

The project name.

{
    "project": {
        "description": "My new project",
        "domain_id": "1789d1",
        "parent_id": "123c56",
        "enabled": true,
        "name": "myNewProject"
    }
}
{
    "project": {
        "domain_id": "1789d1",
        "parent_id": "123c56",
        "enabled": true,
        "id": "456789",
        "links": {
            "self": "http://identity:35357/v3/projects/456789"
        },
        "name": "myNewProject"
    }
}
GET
/v3/projects
List projects

Lists projects.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

domain_id (Optional) query xsd:string

Filters on domain_id.

parent_id (Optional) query xsd:string

Filters on parent_id.

name (Optional) query xsd:string

Filters on a name.

enabled (Optional) query xsd:string

Filters on enabled or disabled projects. Values are true or false.

page (Optional) query xsd:string

Enables you to page through the list.

per_page (Optional) query xsd:string

Sets the page size for paging through the list. Default page size is 30.

{
    "projects": [
        {
            "domain_id": "1789d1",
            "parent_id": "123c56",
            "enabled": true,
            "id": "263fd9",
            "links": {
                "self": "https://identity:35357/v3/projects/263fd9"
            },
            "name": "Test Group"
        },
        {
            "domain_id": "1789d1",
            "parent_id": "123c56",
            "enabled": true,
            "id": "50ef01",
            "links": {
                "self": "https://identity:35357/v3/projects/50ef01"
            },
            "name": "Build Group"
        }
    ],
    "links": {
        "self": "https://identity:35357/v3/users/9fe1d3/projects",
        "previous": null,
        "next": null
    }
}
GET
/v3/projects/{project_id}
Show project details

Shows details for a specified project.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

project_id URI xsd:string

The project ID.

{
    "project": {
        "domain_id": "1789d1",
        "parent_id": "123c56",
        "enabled": true,
        "id": "456789",
        "links": {
            "self": "http://identity:35357/v3/projects/456789"
        },
        "name": "myNewProject"
    }
}

This operation does not accept a request body.

PATCH
/v3/projects/{project_id}
Update project

Updates a specified project.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

project_id URI xsd:string

The project ID.

{
    "project": {
        "description": "My updated project",
        "domain_id": "1789d1",
        "parent_id": "123c56",
        "enabled": true,
        "name": "myUpdatedProject"
    }
}
{
    "project": {
        "description": "My updated project",
        "domain_id": "1789d1",
        "parent_id": "123c56",
        "enabled": true,
        "id": "263fd9",
        "links": {
            "self": "http://identity:35357/v3/projects/263fd9"
        },
        "name": "myUpdatedProject"
    }
}
DELETE
/v3/projects/{project_id}
Delete project

Deletes a specified project.

 
Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

project_id URI xsd:string

The project ID.

This operation does not accept a request body and does not return a response body.

GET
/v3/projects/{project_id}/users/{user_id}/roles
List roles for project user

Lists roles for a user in a project.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

project_id URI xsd:string

The project ID.

user_id URI capi:uuid

The user ID.

{
    "roles": [
        {
            "id": "123456",
            "links": {
                "self": "http://identity:35357/v3/roles/123456"
            },
            "name": "admin"
        },
        {
            "id": "123457",
            "links": {
                "self": "http://identity:35357/v3/roles/123457"
            },
            "name": "manager"
        }
    ],
    "links": {
        "self": "http://identity:35357/v3/projects/456789/users/313233/roles",
        "previous": null,
        "next": null
    }
}

This operation does not accept a request body.

PUT
/v3/projects/{project_id}/users/{user_id}/roles/{role_id}
Grant role to project user

Grants a role to a user on a project.

 
Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

project_id URI xsd:string

The project ID.

user_id URI capi:uuid

The user ID.

role_id URI capi:uuid

The role ID.

This operation does not accept a request body and does not return a response body.

HEAD
/v3/projects/{project_id}/users/{user_id}/roles/{role_id}
Check role for project user

Validates that a user has a specified role on a project.

 
Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

project_id URI xsd:string

The project ID.

user_id URI capi:uuid

The user ID.

role_id URI capi:uuid

The role ID.

This operation does not accept a request body and does not return a response body.

DELETE
/v3/projects/{project_id}/users/{user_id}/roles/{role_id}
Revoke role from project user

Revokes a role from a project user.

 
Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

project_id URI xsd:string

The project ID.

user_id URI capi:uuid

The user ID.

role_id URI capi:uuid

The role ID.

This operation does not accept a request body and does not return a response body.

GET
/v3/projects/{project_id}/groups/{group_id}/roles
List roles for project group

Lists roles for a project group.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

project_id URI xsd:string

The project ID.

group_id URI capi:uuid

The group ID.

{
    "roles": [
        {
            "id": "123456",
            "links": {
                "self": "http://identity:35357/v3/roles/123456"
            },
            "name": "admin"
        },
        {
            "id": "123457",
            "links": {
                "self": "http://identity:35357/v3/roles/123457"
            },
            "name": "manager"
        }
    ],
    "links": {
        "self": "http://identity:35357/v3/projects/456789/groups/101112/roles",
        "previous": null,
        "next": null
    }
}

This operation does not accept a request body.

PUT
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
Grant role to project group

Grants a role to a project group.

 
Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

project_id URI xsd:string

The project ID.

group_id URI capi:uuid

The group ID.

role_id URI capi:uuid

The role ID.

This operation does not accept a request body and does not return a response body.

HEAD
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
Check role for project group

Validates that a project group has a role.

 
Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

project_id URI xsd:string

The project ID.

group_id URI capi:uuid

The group ID.

role_id URI capi:uuid

The role ID.

This operation does not accept a request body and does not return a response body.

DELETE
/v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
Revoke role from project group

Revokes a role from a project group.

 
Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

project_id URI xsd:string

The project ID.

group_id URI capi:uuid

The group ID.

role_id URI capi:uuid

The role ID.

This operation does not accept a request body and does not return a response body.

Users

Manages users.

POST
/v3/users
Create user

Creates a user.

 
Normal response codes
201
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

user plain xsd:string

A user object.

default_project_id (Optional) plain xsd:string

The default tenant for the new user.

description (Optional) plain xsd:string

The user description.

domain_id (Optional) plain csapi:uuid

The ID of the domain for the new user.

email (Optional) plain xsd:string

The email address for the new user.

enabled (Optional) plain xsd:boolean

Enables or disables the new user. To enable the user, set to true. To disable the user, set to false. Default is true.

name plain xsd:string

The user name.

password (Optional) plain xsd:string

The user password. Required for some authentication back ends.

Response parameters
Parameter Style Type Description
user plain xsd:string

A user object.

default_project_id plain xsd:string

The default tenant for the new user.

description plain xsd:string

The user description.

domain_id plain csapi:uuid

The ID of the domain for the new user.

email plain xsd:string

The email address for the new user.

enabled plain xsd:boolean

If the user is enabled, this value is true. If the user is disabled, this value is false.

name plain xsd:string

The user name.

id plain csapi:uuid

The ID for the new user.

links plain xsd:dict

The links for the new user.

password plain xsd:string

The user password. Required for some authentication back ends.

{
    "user": {
        "default_project_id": "263fd9",
        "description": "James Doe's user",
        "domain_id": "1789d1",
        "email": "jdoe@example.com",
        "enabled": true,
        "name": "James Doe",
        "password": "secretsecret"
    }
}
{
    "user": {
        "default_project_id": "263fd9",
        "description": "James Doe's user",
        "domain_id": "1789d1",
        "email": "jdoe@example.com",
        "enabled": true,
        "id": "ff4e51",
        "links": {
            "self": "https://identity:35357/v3/users/ff4e51"
        },
        "name": "James Doe"
    }
}
GET
/v3/users
List users

Lists users.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

domain_id (Optional) query xsd:string

Filters on domain_id.

name (Optional) query xsd:string

Filters on a name.

enabled (Optional) query xsd:string

Filters on enabled or disabled users. Values are true or false.

page (Optional) query xsd:string

Enables you to page through the list.

per_page (Optional) query xsd:string

Sets the page size for paging through the list. Default page size is 30.

{
    "users": [
        {
            "default_project_id": "263fd9",
            "description": "Admin user",
            "domain_id": "1789d1",
            "email": "admin@example.com",
            "enabled": true,
            "id": "0ca8f6",
            "links": {
                "self": "https://identity:35357/v3/users/0ca8f6"
            },
            "name": "admin"
        },
        {
            "default_project_id": "263fd9",
            "description": "John Smith's user",
            "domain_id": "1789d1",
            "email": "jsmith@example.com",
            "enabled": true,
            "id": "9fe1d3",
            "links": {
                "self": "https://identity:35357/v3/users/9fe1d3"
            },
            "name": "jsmith"
        }
    ],
    "links": {
        "self": "http://identity:35357/v3/users",
        "previous": null,
        "next": null
    }
}
GET
/v3/users/{user_id}
Show user details

Shows details for a specified user.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

user_id URI capi:uuid

The user ID.

{
    "user": {
        "default_project_id": "263fd9",
        "description": "John Smith's user",
        "domain_id": "1789d1",
        "email": "jsmith@example.com",
        "enabled": true,
        "id": "9fe1d3",
        "links": {
            "self": "https://identity:35357/v3/users/9fe1d3"
        },
        "name": "jsmith"
    }
}

This operation does not accept a request body.

PATCH
/v3/users/{user_id}
Update user

Updates the password for a specified user, or enables or disables that user.

 

This operation might return the HTTP 501 Not Implemented code if the back-end driver does not allow this functionality.

Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

user_id URI capi:uuid

The user ID.

{
    "user": {
        "default_project_id": "263fd9",
        "description": "James Doe's user",
        "email": "jamesdoe@example.com",
        "enabled": true
    }
}
{
    "user": {
        "default_project_id": "263fd9",
        "description": "James Doe's user",
        "domain_id": "1789d1",
        "email": "jamesdoe@example.com",
        "enabled": true,
        "id": "ff4e51",
        "links": {
            "self": "https://identity:35357/v3/users/ff4e51"
        },
        "name": "jamesdoe"
    }
}
DELETE
/v3/users/{user_id}
Delete user

Deletes a specified user.

 
Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

user_id URI capi:uuid The user ID.

This operation does not accept a request body and does not return a response body.

GET
/v3/users/{user_id}/groups
List groups for user

Lists groups for a specified user.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

user_id URI capi:uuid The user ID.
{
    "groups": [
        {
            "description": "Developers cleared for work on all general projects",
            "domain_id": "1789d1",
            "id": "ea167b",
            "links": {
                "self": "https://identity:35357/v3/groups/ea167b"
            },
            "name": "Developers"
        },
        {
            "description": "Developers cleared for work on secret projects",
            "domain_id": "1789d1",
            "id": "a62db1",
            "links": {
                "self": "https://identity:35357/v3/groups/a62db1"
            },
            "name": "Secure Developers"
        }
    ],
    "links": {
        "self": "http://identity:35357/v3/users/9fe1d3/groups",
        "previous": null,
        "next": null
    }
}

This operation does not accept a request body.

GET
/v3/users/{user_id}/projects
List projects for user

Lists projects for a specified user.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

user_id URI capi:uuid The user ID.
{
    "projects": [
        {
            "description": "description of this project",
            "domain_id": "161718",
            "enabled": true,
            "id": "456788",
            "parent_id": "212223",
            "links": {
                "self": "http://identity:35357/v3/projects/456788"
            },
            "name": "a project name"
        },
        {
            "description": "description of this project",
            "domain_id": "161718",
            "enabled": true,
            "id": "456789",
            "parent_id": "212223",
            "links": {
                "self": "http://identity:35357/v3/projects/456789"
            },
            "name": "another domain"
        }
    ],
    "links": {
        "self": "http://identity:35357/v3/users/313233/projects",
        "previous": null,
        "next": null
    }
}

This operation does not accept a request body.

Groups

Manages groups.

POST
/v3/groups
Create group

Creates a group.

 
Normal response codes
201
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

description (Optional) plain xsd:string

The group description.

domain_id (Optional) plain csapi:uuid

The ID of the domain for the group.

name plain xsd:string

The group name.

{
    "group": {
        "description": "Developers cleared for work on secret projects",
        "domain_id": "161718",
        "name": "Secure Developers"
    }
}
{
    "group": {
        "description": "Developers cleared for work on secret projects",
        "domain_id": "161718",
        "id": "101112",
        "links": {
            "self": "http://identity:35357/v3/groups/101112"
        },
        "name": "Secure Developers"
    }
}
GET
/v3/groups
List groups

Lists groups.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

domain_id (Optional) query xsd:string

Filters on domain_id.

page (Optional) query xsd:string

Enables you to page through the list.

per_page (Optional) query xsd:string

Sets the page size for paging through the list. Default page size is 30.

Response parameters
Parameter Style Type Description
description (Optional) plain xsd:string

The description.

domain_id plain xsd:string

The domain ID.

id plain csapi:uuid

The credential ID.

links plain csapi:dict

Policy links.

name plain xsd:string

The name of the resource.

{
    "groups": [
        {
            "description": "Developers cleared for work on all general projects",
            "domain_id": "161718",
            "id": "101112",
            "links": {
                "self": "http://identity:35357/v3/groups/101112"
            },
            "name": "Developers"
        },
        {
            "description": "Developers cleared for work on secret projects",
            "domain_id": "161718",
            "id": "101113",
            "links": {
                "self": "http://identity:35357/v3/groups/101113"
            },
            "name": "Secure Developers"
        },
        {
            "description": "Testers cleared for work on all general projects",
            "domain_id": "161718",
            "id": "101114",
            "links": {
                "self": "http://identity:35357/v3/groups/101114"
            },
            "name": "Testers"
        }
    ],
    "links": {
        "self": "http://identity:35357/v3/groups",
        "previous": null,
        "next": null
    }
}
GET
/v3/groups/{group_id}
Show group details

Shows details for a specified group.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

group_id URI capi:uuid The group ID.
Response parameters
Parameter Style Type Description
description (Optional) plain xsd:string

The description.

domain_id plain xsd:string

The domain ID.

id plain csapi:uuid

The credential ID.

links plain csapi:dict

Policy links.

name plain xsd:string

The name of the resource.

{
    "group": {
        "description": "Developers cleared for work on secret projects",
        "domain_id": "161718",
        "id": "101112",
        "links": {
            "self": "http://identity:35357/v3/groups/101112"
        },
        "name": "Secure Developers"
    }
}

This operation does not accept a request body.

PATCH
/v3/groups/{group_id}
Update group

Updates a specified group.

 

Use this operation to update the name or description of a group. This operation might return the HTTP 501 Not Implemented code if the back-end driver does not allow this functionality.

Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

group_id URI capi:uuid The group ID.
{
    "group": {
        "description": "my updated group",
        "name": "myUpdatedGroup"
    }
}
{
    "group": {
        "description": "my updated group",
        "domain_id": "161718",
        "id": "101112",
        "links": {
            "self": "http://identity:35357/v3/groups/101112"
        },
        "name": "myUpdatedGroup"
    }
}
DELETE
/v3/groups/{group_id}
Delete group

Deletes a specified group.

 
Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

group_id URI capi:uuid The group ID.

This operation does not accept a request body and does not return a response body.

GET
/v3/groups/{group_id}/users
List users in group

Lists the users in a specified group.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

group_id URI capi:uuid The group ID.

domain_id (Optional) query xsd:string

Filters on domain_id.

description (Optional) query xsd:string

Filters on a description.

name (Optional) query xsd:string

Filters on a name.

enabled (Optional) query xsd:string

Filters on enabled or disabled roles. Values are true or false.

page (Optional) query xsd:string

Enables you to page through the list.

per_page (Optional) query xsd:string

Sets the page size for paging through the list. Default page size is 30.

{
    "users": [
        {
            "default_project_id": "414345",
            "description": "a user",
            "domain_id": "161718",
            "email": "user@example.com",
            "enabled": true,
            "id": "313233",
            "links": {
                "self": "http://identity:35357/v3/users/313233"
            },
            "name": "admin"
        },
        {
            "default_project_id": "414345",
            "description": "another user",
            "domain_id": "161718",
            "email": "user@example.com",
            "enabled": true,
            "id": "313233",
            "links": {
                "self": "http://identity:35357/v3/users/313233"
            },
            "name": "someone"
        }
    ],
    "links": {
        "self": "http://identity:35357/v3/groups/101112/users",
        "previous": null,
        "next": null
    }
}
PUT
/v3/groups/{group_id}/users/{user_id}
Assign user to group

Assigns a specified user to a specified group.

 
Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

group_id URI capi:uuid The group ID.
user_id URI capi:uuid The user ID.

This operation does not accept a request body and does not return a response body.

DELETE
/v3/groups/{group_id}/users/{user_id}
Remove user from group

Removes a user from a group.

 
Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

group_id URI capi:uuid The group ID.
user_id URI capi:uuid The user ID.

This operation does not accept a request body and does not return a response body.

HEAD
/v3/groups/{group_id}/users/{user_id}
Check user membership in group

Validates that a user is in a group.

 
Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

group_id URI capi:uuid The group ID.
user_id URI capi:uuid The user ID.

This operation does not accept a request body and does not return a response body.

Credentials

Manages credentials.

POST
/v3/credentials
Create credential

Creates a credential.

 

The following example shows how to create an EC2-style credential. The credential blob is a string that contains a JSON-serialized dictionary with the access and secret keys. This format is required when you specify the ec2 type. To specify other credentials such as access_key, change the type and contents of the data blob.

Normal response codes
201
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

{
    "blob": "{\"access\":\"181920\",\"secret\":\"secretKey\"}",
    "project_id": "456789",
    "type": "ec2",
    "user_id": "616263"
}
{
    "blob": "{\"access\":\"181920\",\"secret\":\"secretKey\"}",
    "id": "414243",
    "links": {
        "self": "http://identity:35357/v3/credentials/414243"
    },
    "project_id": "456789",
    "type": "ec2",
    "user_id": "616263"
}
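
The blob in the request above is a JSON string nested inside the JSON body, and the responses on this page return it with the secret included. The following is an added example, not part of the Identity API or its client libraries: it builds the request body in the shape shown above, rejects a blob sent as a nested object, and masks the secret before a credential is written to a log. The function names and the mask value are assumptions.

```python
import copy
import json


def build_ec2_credential(user_id, project_id, access, secret):
    """Build a Create credential body; the blob is a JSON *string*, not an object."""
    blob = json.dumps({"access": access, "secret": secret}, separators=(",", ":"))
    return {
        "blob": blob,
        "project_id": project_id,
        "type": "ec2",
        "user_id": user_id,
    }


def parse_ec2_blob(credential):
    """Decode the blob of an ec2 credential, raising ValueError on a wrong shape."""
    if credential.get("type") != "ec2":
        raise ValueError("not an ec2 credential")
    blob = credential.get("blob")
    if not isinstance(blob, str):
        # A nested object here means the caller forgot to serialize the blob.
        raise ValueError("blob must be a JSON-serialized string")
    try:
        data = json.loads(blob)
    except json.JSONDecodeError as exc:
        raise ValueError(f"blob is not valid JSON: {exc}") from None
    if not isinstance(data, dict) or not {"access", "secret"}.issubset(data):
        raise ValueError("ec2 blob must contain 'access' and 'secret'")
    return data


def redact_credential(credential, mask="***"):
    """Return a copy that is safe to log: secret masked, access key kept."""
    safe = copy.deepcopy(credential)
    try:
        data = parse_ec2_blob(safe)
    except ValueError:
        # Unknown type or malformed blob: mask the whole blob rather than guess.
        safe["blob"] = mask
        return safe
    data["secret"] = mask
    safe["blob"] = json.dumps(data, separators=(",", ":"))
    return safe


if __name__ == "__main__":
    # Constructed values, taken from the sample request on this page.
    body = build_ec2_credential("616263", "456789", "181920", "secretKey")
    print(json.dumps(body, indent=4))
    print(json.dumps(redact_credential(body), indent=4))
```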
GET
/v3/credentials
List credentials

Lists credentials.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

user_id (Optional) query xsd:string

Filters on user_id.

page (Optional) query xsd:string

Enables you to page through the list.

per_page (Optional) query xsd:string

Sets the page size for paging through the list. Default page size is 30.

Response parameters
Parameter Style Type Description
blob plain xsd:string

The policy rule set itself, as a serialized blob.

id plain csapi:uuid

The credential ID.

links plain csapi:dict

Policy links.

project_id plain csapi:uuid

The UUID for the project.

type plain xsd:string

The MIME media type of the serialized policy blob.

user_id plain xsd:string

The ID of the user who owns the credential.

[
    {
        "blob": "{\"access\":\"181920\",\"secret\":\"secretKey\"}",
        "id": "414243",
        "links": {
            "self": "http://identity:35357/v3/credentials/414243"
        },
        "project_id": "456789",
        "type": "ec2",
        "user_id": "616263"
    },
    {
        "blob": "{\"access\":\"181920\",\"secret\":\"secretKey\"}",
        "id": "414243",
        "links": {
            "self": "http://identity:35357/v3/credentials/414243"
        },
        "project_id": "456789",
        "type": "ec2",
        "user_id": "616263"
    }
]
GET
/v3/credentials/{credential_id}
Show credential details

Shows details for a specified credential.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

credential_id URI capi:uuid The credential ID.
{
    "blob": "{\"access\":\"181920\",\"secret\":\"secretKey\"}",
    "id": "414243",
    "links": {
        "self": "http://identity:35357/v3/credentials/414243"
    },
    "project_id": "456789",
    "type": "ec2",
    "user_id": "616263"
}

This operation does not accept a request body.

PATCH
/v3/credentials/{credential_id}
Update credential

Updates a specified credential.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

credential_id URI capi:uuid The credential ID.
{
    "blob": "{\"access\":\"181920\",\"secret\":\"secretKey\"}",
    "project_id": "456789",
    "type": "ec2",
    "user_id": "616263"
}
{
    "blob": "{\"access\":\"181920\",\"secret\":\"secretKey\"}",
    "id": "414243",
    "links": {
        "self": "http://identity:35357/v3/credentials/414243"
    },
    "project_id": "456789",
    "type": "ec2",
    "user_id": "616263"
}
DELETE
/v3/credentials/{credential_id}
Delete credential

Deletes a specified credential.

 
Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

credential_id URI capi:uuid The credential ID.

This operation does not accept a request body and does not return a response body.

Roles

Manages roles.

POST
/v3/roles
Create role

Creates a role.

 
Normal response codes
201
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

name plain xsd:string

The role name.

{
    "role": {
        "name": "a role name"
    }
}
{
    "id": "123456",
    "links": {
        "self": "http://identity:35357/v3/roles/123456"
    },
    "name": "a role name"
}
GET
/v3/roles
List roles

Lists roles.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

name (Optional) query xsd:string

Filters on a name.

page (Optional) query xsd:string

Enables you to page through the list.

per_page (Optional) query xsd:string

Sets the page size for paging through the list. Default page size is 30.

{
    "roles": [
        {
            "id": "123456",
            "links": {
                "self": "http://identity:35357/v3/roles/123456"
            },
            "name": "admin"
        },
        {
            "id": "123457",
            "links": {
                "self": "http://identity:35357/v3/roles/123457"
            },
            "name": "manager"
        }
    ],
    "links": {
        "self": "http://identity:35357/v3/roles",
        "previous": null,
        "next": null
    }
}
GET
/v3/role_assignments
List role assignments

Lists role assignments.

 

The list of all role assignments can be long. To filter the list, use the query parameters.

Some typical examples are:

GET /role_assignments?user.id={user_id} lists all role assignments for the specified user.

GET /role_assignments?scope.project.id={project_id} lists all role assignments for the specified project.

Each role assignment entity in the collection contains a link to the assignment that created this entity.

Use the effective query parameter to list effective assignments at the user, project, and domain level. This parameter allows for the effects of group membership. The group role assignment entities themselves are not returned in the collection. This represents the effective role assignments that would be included in a scoped token. You can use the other query parameters with the effective parameter.

For example, to determine what a user can actually do, issue this request: GET /role_assignments?user.id={user_id}&effective

To return the equivalent set of role assignments that would be included in the token response of a project-scoped token, issue: GET /role_assignments?user.id={user_id}&scope.project.id={project_id}&effective

In the response, the links section of each entity that is included by virtue of group membership also contains a URL that you can use to access the membership of the group.

Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

group.id (Optional) query xsd:string

Filters on group ID. Specify group.id={group_id} to list all role assignments for the specified group.

role.id (Optional) query xsd:string

Filters on role ID. Specify role.id={role_id} to list all role assignments for the specified role.

scope.domain.id (Optional) query xsd:string

Filters on domain ID. Specify scope.domain.id={domain_id} to list all role assignments for the specified domain.

scope.project.id (Optional) query xsd:string

Filters on project ID. Specify scope.project.id={project_id} to list all role assignments for the specified project.

user.id (Optional) query xsd:string

Filters on user ID. Specify user.id={user_id} to list all role assignments for the specified user.

effective (Optional) query xsd:key

Lists effective assignments at the user, project, and domain level, allowing for the effects of group membership.

The group role assignment entities themselves are not returned in the collection.

This represents the effective role assignments that would be included in a scoped token. You can use the other query parameters with the effective parameter.

GET /role_assignments?user.id={user_id}&scope.project.id={project_id}&effective
{
    "role_assignments": [
        {
            "links": {
                "assignment": "http://identity:35357/v3/domains/161718/users/313233/roles/123456"
            },
            "role": {
                "id": "123456"
            },
            "scope": {
                "domain": {
                    "id": "161718"
                }
            },
            "user": {
                "id": "313233"
            }
        },
        {
            "group": {
                "id": "101112"
            },
            "links": {
                "assignment": "http://identity:35357/v3/projects/456789/groups/101112/roles/123456"
            },
            "role": {
                "id": "123456"
            },
            "scope": {
                "project": {
                    "id": "456789"
                }
            }
        }
    ],
    "links": {
        "self": "http://identity:35357/v3/role_assignments",
        "previous": null,
        "next": null
    }
}
GET /role_assignments?user.id={user_id}&scope.project.id={project_id}&effective
{
    "role_assignments": [
        {
            "links": {
                "assignment": "http://identity:35357/v3/domains/161718/users/313233/roles/123456"
            },
            "role": {
                "id": "123456"
            },
            "scope": {
                "domain": {
                    "id": "161718"
                }
            },
            "user": {
                "id": "313233"
            }
        },
        {
            "links": {
                "assignment": "http://identity:35357/v3/projects/456789/groups/101112/roles/123456",
                "membership": "http://identity:35357/v3/groups/101112/users/313233"
            },
            "role": {
                "id": "123456"
            },
            "scope": {
                "project": {
                    "id": "456789"
                }
            },
            "user": {
                "id": "313234"
            }
        }
    ],
    "links": {
        "self": "http://identity:35357/v3/role_assignments?effective",
        "previous": null,
        "next": null
    }
}

This operation does not accept a request body.
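
The expansion that the effective parameter describes, modelled offline for access review. This is an added example, not the Identity service's own code: the stored assignments mirror the first response above, while the group membership table and the function names are constructed for illustration. It covers direct and group assignments only, and treats the user.id and scope.project.id filters as exact matches.

```python
BASE = "http://identity:35357/v3"

# Constructed sample modelled on the first response above: one direct user
# assignment on a domain and one group assignment on a project.
STORED_ASSIGNMENTS = [
    {
        "links": {"assignment": BASE + "/domains/161718/users/313233/roles/123456"},
        "role": {"id": "123456"},
        "scope": {"domain": {"id": "161718"}},
        "user": {"id": "313233"},
    },
    {
        "group": {"id": "101112"},
        "links": {"assignment": BASE + "/projects/456789/groups/101112/roles/123456"},
        "role": {"id": "123456"},
        "scope": {"project": {"id": "456789"}},
    },
]

# Constructed membership table: group ID -> user IDs in that group.
GROUP_MEMBERS = {"101112": ["313233", "313234"]}


def effective_assignments(stored, group_members, base_url=BASE):
    """Replace each group assignment with one user assignment per group member."""
    result = []
    for entry in stored:
        if "user" in entry:
            result.append(dict(entry))
            continue
        group_id = entry["group"]["id"]
        for user_id in group_members.get(group_id, []):
            links = dict(entry["links"])
            # The membership link records which group produced the assignment.
            links["membership"] = f"{base_url}/groups/{group_id}/users/{user_id}"
            result.append({
                "links": links,
                "role": entry["role"],
                "scope": entry["scope"],
                "user": {"id": user_id},
            })
    return result


def filter_assignments(assignments, user_id=None, project_id=None):
    """Apply user.id and scope.project.id style filters as exact matches."""
    kept = []
    for entry in assignments:
        if user_id is not None and entry.get("user", {}).get("id") != user_id:
            continue
        scope_project = entry["scope"].get("project", {}).get("id")
        if project_id is not None and scope_project != project_id:
            continue
        kept.append(entry)
    return kept


def granted_via_group(effective):
    """List (user, role, scope kind, scope ID) for roles held through a group."""
    rows = []
    for entry in effective:
        if "membership" in entry["links"]:
            kind, target = next(iter(entry["scope"].items()))
            rows.append((entry["user"]["id"], entry["role"]["id"], kind, target["id"]))
    return rows


if __name__ == "__main__":
    eff = effective_assignments(STORED_ASSIGNMENTS, GROUP_MEMBERS)
    for row in granted_via_group(eff):
        print(row)
```

Entries that carry a membership link are the ones to revisit when a group's membership changes, because removing the user from the group removes the role.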

DELETE
/v3/roles/{role_id}
Delete role

Deletes a specified role.

 
Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

role_id URI capi:uuid The role ID.

This operation does not accept a request body and does not return a response body.

Policies

Manages policies.

You can encode policy rule sets into a blob to be consumed by remote services. To do so, set type to application/json and specify policy rules as JSON strings in a blob. For example:

"blob": {
    "default": false
}

Or:

"blob": {
    "foobar_user": [
        "role:compute-user"
    ]
}
POST
/v3/policies
Create policy

Creates a policy.

 
Normal response codes
201
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

blob plain xsd:string

The policy rule set itself, as a serialized blob.

project_id plain csapi:uuid

The UUID for the project.

type plain xsd:string

The MIME media type of the serialized policy blob. From the perspective of the Identity API, a policy blob can be based on any technology. In OpenStack, the policy.json blob (type="application/json") is the conventional solution. However, you might want to use an alternative policy engine that uses a different policy language type. For example, type="application/xacml+xml".

user_id plain xsd:string

The ID of the user who owns the credential.

Response parameters
Parameter Style Type Description
blob plain xsd:string

The policy rule set itself, as a serialized blob.

id plain csapi:uuid

The credential ID.

links plain csapi:dict

Policy links.

project_id plain csapi:uuid

The UUID for the project.

type plain xsd:string

The MIME media type of the serialized policy blob.

user_id plain xsd:string

The ID of the user who owns the credential.

{
    "blob": {
        "default": false
    },
    "project_id": "456789",
    "type": "application/json",
    "user_id": "616263"
}
{
    "blob": {
        "foobar_user": [
            "role:compute-user"
        ]
    },
    "id": "717273",
    "links": {
        "self": "http://identity:35357/v3/policies/717273"
    },
    "project_id": "456789",
    "type": "application/json",
    "user_id": "616263"
}
GET
/v3/policies
List policies

Lists policies.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

type (Optional) query xsd:string

Filters by service type. Service types include compute, ec2, image, and identity.

page (Optional) query xsd:string

Enables you to page through the list.

per_page (Optional) query xsd:string

Sets the page size for paging through the list. Default page size is 30.

Response parameters
Parameter Style Type Description
blob plain xsd:string

The policy rule set itself, as a serialized blob.

id plain csapi:uuid

The credential ID.

links plain csapi:dict

Policy links.

project_id plain csapi:uuid

The UUID for the project.

type plain xsd:string

The MIME media type of the serialized policy blob.

user_id plain xsd:string

The ID of the user who owns the credential.

[
    {
        "blob": {
            "foobar_user": [
                "role:compute-user"
            ]
        },
        "id": "717273",
        "links": {
            "self": "http://identity:35357/v3/policies/717273"
        },
        "project_id": "456789",
        "type": "application/json",
        "user_id": "616263"
    },
    {
        "blob": {
            "foobar_user": [
                "role:compute-user"
            ]
        },
        "id": "717274",
        "links": {
            "self": "http://identity:35357/v3/policies/717274"
        },
        "project_id": "456789",
        "type": "application/json",
        "user_id": "616263"
    }
]
GET
/v3/policies/{policy_id}
Show policy details

Shows details for a specified policy.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

policy_id URI capi:uuid The policy ID.
Response parameters
Parameter Style Type Description
blob plain xsd:string

The policy rule set itself, as a serialized blob.

id plain csapi:uuid

The credential ID.

links plain csapi:dict

Policy links.

project_id plain csapi:uuid

The UUID for the project.

type plain xsd:string

The MIME media type of the serialized policy blob.

user_id plain xsd:string

The ID of the user who owns the credential.

{
    "blob": {
        "foobar_user": [
            "role:compute-user"
        ]
    },
    "id": "717273",
    "links": {
        "self": "http://identity:35357/v3/policies/717273"
    },
    "project_id": "456789",
    "type": "application/json",
    "user_id": "616263"
}

This operation does not accept a request body.

PATCH
/v3/policies/{policy_id}
Update policy

Updates a specified policy.

 
Normal response codes
200
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

policy_id URI capi:uuid The policy ID.
Response parameters
Parameter Style Type Description
blob plain xsd:string

The policy rule set itself, as a serialized blob.

id plain csapi:uuid

The credential ID.

links plain csapi:dict

Policy links.

project_id plain csapi:uuid

The UUID for the project.

type plain xsd:string

The MIME media type of the serialized policy blob.

user_id plain xsd:string

The ID of the user who owns the credential.

{
    "blob": {
        "foobar_user": [
            "role:compute-user"
        ]
    },
    "project_id": "456789",
    "type": "application/json",
    "user_id": "616263"
}
{
    "blob": {
        "foobar_user": [
            "role:compute-user"
        ]
    },
    "id": "717273",
    "links": {
        "self": "http://identity:35357/v3/policies/717273"
    },
    "project_id": "456789",
    "type": "application/json",
    "user_id": "616263"
}
DELETE
/v3/policies/{policy_id}
Delete policy

Deletes a specified policy.

 
Normal response codes
204
Error response codes
Bad Request (400), Unauthorized (401), Forbidden (403), Method Not Allowed (405), Request Entity Too Large (413), Service Unavailable (503), Not Found (404)
Request parameters
Parameter Style Type Description
X-Auth-Token header xsd:string

A valid authentication token for an administrative user.

policy_id URI capi:uuid The policy ID.

This operation does not accept a request body and does not return a response body.