策略配置¶

警告

自 Keystone 19.0.0 (Wallaby) 起，JSON 格式的策略文件已被弃用。此 oslopolicy-convert-json-to-yaml 工具将以向后兼容的方式将现有的 JSON 格式策略文件迁移到 YAML。

配置¶

以下是 Keystone 中所有可用策略的概述。

有关示例配置文件，请参阅 policy.yaml。

keystone¶

admin_required

默认值:: role:admin 或 is_admin:1

(未提供描述)

service_role

默认值:: role:service

(未提供描述)

service_or_admin

默认值:: rule:admin_required 或 rule:service_role

(未提供描述)

owner

默认值:: user_id:%(user_id)s

(未提供描述)

admin_or_owner

默认值:: rule:admin_required 或 rule:owner

(未提供描述)

token_subject

默认值:: user_id:%(target.token.user_id)s

(未提供描述)

admin_or_token_subject

默认值:: rule:admin_required 或 rule:token_subject

(未提供描述)

service_admin_or_token_subject

默认值:: rule:service_or_admin 或 rule:token_subject

(未提供描述)

domain_managed_target_role

默认值:: 'manager':%(target.role.name)s 或 'member':%(target.role.name)s 或 'reader':%(target.role.name)s

(未提供描述)

identity:get_access_rule

默认值:

(role:reader 且 system_scope:all) 或 user_id:%(target.user.id)s

操作:

GET /v3/users/{user_id}/access_rules/{access_rule_id}
HEAD /v3/users/{user_id}/access_rules/{access_rule_id}

作用域类型:

system
project

显示访问规则详情。

identity:list_access_rules

默认值:

(role:reader 且 system_scope:all) 或 user_id:%(target.user.id)s

操作:

GET /v3/users/{user_id}/access_rules
HEAD /v3/users/{user_id}/access_rules

作用域类型:

system
project

列出用户的访问规则。

identity:delete_access_rule

默认值:

(role:admin 且 system_scope:all) 或 user_id:%(target.user.id)s

操作:

DELETE /v3/users/{user_id}/access_rules/{access_rule_id}

作用域类型:

system
project

删除一个访问规则。

identity:authorize_request_token

默认值:

rule:admin_required

操作:

PUT /v3/OS-OAUTH1/authorize/{request_token_id}

作用域类型:

project

授权 OAUTH1 请求令牌。

identity:get_access_token

默认值:

rule:admin_required

操作:

GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}

作用域类型:

project

按访问令牌 ID 获取用户的 OAUTH1 访问令牌。

identity:get_access_token_role

默认值:

rule:admin_required

操作:

GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}

作用域类型:

project

获取用户 OAUTH1 访问令牌的角色。

identity:list_access_tokens

默认值:

rule:admin_required

操作:

GET /v3/users/{user_id}/OS-OAUTH1/access_tokens

作用域类型:

project

列出用户的 OAUTH1 访问令牌。

identity:list_access_token_roles

默认值:

rule:admin_required

操作:

GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles

作用域类型:

project

列出 OAUTH1 访问令牌的角色。

identity:delete_access_token

默认值:

rule:admin_required

操作:

DELETE /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}

作用域类型:

project

删除 OAUTH1 访问令牌。

identity:get_application_credential

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all) 或 rule:owner

操作:

GET /v3/users/{user_id}/application_credentials/{application_credential_id}
HEAD /v3/users/{user_id}/application_credentials/{application_credential_id}

作用域类型:

system
project

显示应用程序凭据详情。

identity:list_application_credentials

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all) 或 rule:owner

操作:

GET /v3/users/{user_id}/application_credentials
HEAD /v3/users/{user_id}/application_credentials

作用域类型:

system
project

列出用户的应用程序凭据。

identity:create_application_credential

默认值:

user_id:%(user_id)s

操作:

POST /v3/users/{user_id}/application_credentials

作用域类型:

project

创建应用程序凭据。

identity:delete_application_credential

默认值:

rule:admin_or_owner

操作:

DELETE /v3/users/{user_id}/application_credentials/{application_credential_id}

作用域类型:

system
project

删除应用程序凭据。

identity:get_auth_catalog

默认值:

<空字符串>

操作:

GET /v3/auth/catalog
HEAD /v3/auth/catalog

获取服务目录。

identity:get_auth_projects

默认值:

<空字符串>

操作:

GET /v3/auth/projects
HEAD /v3/auth/projects

列出用户通过角色分配可以访问的所有项目。

identity:get_auth_domains

默认值:

<空字符串>

操作:

GET /v3/auth/domains
HEAD /v3/auth/domains

列出用户通过角色分配可以访问的所有域。

identity:get_auth_system

默认值:

<空字符串>

操作:

GET /v3/auth/system
HEAD /v3/auth/system

列出用户通过角色分配可以访问的系统。

identity:get_consumer

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/OS-OAUTH1/consumers/{consumer_id}

作用域类型:

system
project

显示 OAUTH1 消费者详情。

identity:list_consumers

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/OS-OAUTH1/consumers

作用域类型:

system
project

列出 OAUTH1 消费者。

identity:create_consumer

默认值:

rule:admin_required

操作:

POST /v3/OS-OAUTH1/consumers

作用域类型:

system
project

创建 OAUTH1 消费者。

identity:update_consumer

默认值:

rule:admin_required

操作:

PATCH /v3/OS-OAUTH1/consumers/{consumer_id}

作用域类型:

system
project

更新 OAUTH1 消费者。

identity:delete_consumer

默认值:

rule:admin_required

操作:

DELETE /v3/OS-OAUTH1/consumers/{consumer_id}

作用域类型:

system
project

删除 OAUTH1 消费者。

identity:get_credential

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all) 或 user_id:%(target.credential.user_id)s

操作:

GET /v3/credentials/{credential_id}

作用域类型:

system
domain
project

显示凭据详情。

identity:list_credentials

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all) 或 user_id:%(target.credential.user_id)s

操作:

GET /v3/credentials

作用域类型:

system
domain
project

列出凭据。

identity:create_credential

默认值:

(rule:admin_required) 或 user_id:%(target.credential.user_id)s

操作:

POST /v3/credentials

作用域类型:

system
domain
project

创建凭据。

identity:update_credential

默认值:

(rule:admin_required) 或 user_id:%(target.credential.user_id)s

操作:

PATCH /v3/credentials/{credential_id}

作用域类型:

system
domain
project

更新凭据。

identity:delete_credential

默认值:

(rule:admin_required) 或 user_id:%(target.credential.user_id)s

操作:

DELETE /v3/credentials/{credential_id}

作用域类型:

system
domain
project

删除凭据。

identity:get_domain

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all) 或 token.domain.id:%(target.domain.id)s 或 token.project.domain.id:%(target.domain.id)s

操作:

GET /v3/domains/{domain_id}

作用域类型:

system
domain
project

显示域详情。

identity:list_domains

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all) 或 (role:reader 且 domain_id:%(target.domain.id)s)

操作:

GET /v3/domains

作用域类型:

system
domain
project

列出域。

identity:create_domain

默认值:

rule:admin_required

操作:

POST /v3/domains

作用域类型:

system
project

创建域。

identity:update_domain

默认值:

rule:admin_required

操作:

PATCH /v3/domains/{domain_id}

作用域类型:

system
project

更新域。

identity:delete_domain

默认值:

rule:admin_required

操作:

DELETE /v3/domains/{domain_id}

作用域类型:

system
project

删除域。

identity:create_domain_config

默认值:

rule:admin_required

操作:

PUT /v3/domains/{domain_id}/config

作用域类型:

system
project

创建域配置。

identity:get_domain_config

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/domains/{domain_id}/config
HEAD /v3/domains/{domain_id}/config
GET /v3/domains/{domain_id}/config/{group}
HEAD /v3/domains/{domain_id}/config/{group}
GET /v3/domains/{domain_id}/config/{group}/{option}
HEAD /v3/domains/{domain_id}/config/{group}/{option}

作用域类型:

system
project

获取域的整个配置、域内的一个选项组或域内一个组中的特定配置选项。

identity:get_security_compliance_domain_config

默认值:

<空字符串>

操作:

GET /v3/domains/{domain_id}/config/security_compliance
HEAD /v3/domains/{domain_id}/config/security_compliance
GET /v3/domains/{domain_id}/config/security_compliance/{option}
HEAD /v3/domains/{domain_id}/config/security_compliance/{option}

作用域类型:

system
domain
project

获取域或域中特定选项的安全合规域配置。

identity:update_domain_config

默认值:

rule:admin_required

操作:

PATCH /v3/domains/{domain_id}/config
PATCH /v3/domains/{domain_id}/config/{group}
PATCH /v3/domains/{domain_id}/config/{group}/{option}

作用域类型:

system
project

更新域、特定组或组中的特定选项的域配置。

identity:delete_domain_config

默认值:

rule:admin_required

操作:

DELETE /v3/domains/{domain_id}/config
DELETE /v3/domains/{domain_id}/config/{group}
DELETE /v3/domains/{domain_id}/config/{group}/{option}

作用域类型:

system
project

删除域、特定组或组中的特定选项的域配置。

identity:get_domain_config_default

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/domains/config/default
HEAD /v3/domains/config/default
GET /v3/domains/config/{group}/default
HEAD /v3/domains/config/{group}/default
GET /v3/domains/config/{group}/{option}/default
HEAD /v3/domains/config/{group}/{option}/default

作用域类型:

system
project

获取域、特定组或组中的特定选项的域配置默认值。

identity:ec2_get_credential

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all) 或 user_id:%(target.credential.user_id)s

操作:

GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id}

作用域类型:

system
project

显示 ec2 凭据详情。

identity:ec2_list_credentials

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all) 或 rule:owner

操作:

GET /v3/users/{user_id}/credentials/OS-EC2

作用域类型:

system
project

列出 ec2 凭据。

identity:ec2_create_credential

默认值:

rule:admin_or_owner

操作:

POST /v3/users/{user_id}/credentials/OS-EC2

作用域类型:

system
project

创建 ec2 凭据。

identity:ec2_delete_credential

默认值:

(rule:admin_required) 或 user_id:%(target.credential.user_id)s

操作:

DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id}

作用域类型:

system
project

删除 ec2 凭据。

identity:get_endpoint

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/endpoints/{endpoint_id}

作用域类型:

system
project

显示端点详情。

identity:list_endpoints

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/endpoints

作用域类型:

system
project

列出端点。

identity:create_endpoint

默认值:

rule:admin_required

操作:

POST /v3/endpoints

作用域类型:

system
project

创建端点。

identity:update_endpoint

默认值:

rule:admin_required

操作:

PATCH /v3/endpoints/{endpoint_id}

作用域类型:

system
project

更新端点。

identity:delete_endpoint

默认值:

rule:admin_required

操作:

DELETE /v3/endpoints/{endpoint_id}

作用域类型:

system
project

删除端点。

identity:create_endpoint_group

默认值:

rule:admin_required

操作:

POST /v3/OS-EP-FILTER/endpoint_groups

作用域类型:

system
project

创建端点组。

identity:list_endpoint_groups

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/OS-EP-FILTER/endpoint_groups

作用域类型:

system
project

列出端点组。

identity:get_endpoint_group

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}

作用域类型:

system
project

获取端点组。

identity:update_endpoint_group

默认值:

rule:admin_required

操作:

PATCH /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}

作用域类型:

system
project

更新端点组。

identity:delete_endpoint_group

默认值:

rule:admin_required

操作:

DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}

作用域类型:

system
project

删除端点组。

identity:list_projects_associated_with_endpoint_group

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects

作用域类型:

system
project

列出与特定端点组关联的所有项目。

identity:list_endpoints_associated_with_endpoint_group

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints

作用域类型:

system
project

列出与端点组关联的所有端点。

identity:get_endpoint_group_in_project

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}

作用域类型:

system
project

检查端点组是否与项目关联。

identity:list_endpoint_groups_for_project

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups

作用域类型:

system
project

列出与特定项目关联的端点组。

identity:add_endpoint_group_to_project

默认值:

rule:admin_required

操作:

PUT /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}

作用域类型:

system
project

允许项目访问端点组。

identity:remove_endpoint_group_from_project

默认值:

rule:admin_required

操作:

DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}

作用域类型:

system
project

从项目移除端点组。

identity:check_grant

默认值:

(rule:admin_required) 或 ((role:reader 且 system_scope:all) 或 ((role:reader 且 domain_id:%(target.user.domain_id)s 且 domain_id:%(target.project.domain_id)s) 或 (role:reader 且 domain_id:%(target.user.domain_id)s 且 domain_id:%(target.domain.id)s) 或 (role:reader 且 domain_id:%(target.group.domain_id)s 且 domain_id:%(target.project.domain_id)s) 或 (role:reader 且 domain_id:%(target.group.domain_id)s 且 domain_id:%(target.domain.id)s)) 且 (domain_id:%(target.role.domain_id)s 或 None:%(target.role.domain_id)s))

操作:

HEAD /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
GET /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
GET /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
HEAD /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
GET /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
GET /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
HEAD /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
GET /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
HEAD /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
GET /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
HEAD /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
HEAD /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

作用域类型:

system
domain
project

检查目标和执行者之间的角色授权。目标可以是域或项目。执行者可以是用户或组。这些术语也适用于 OS-INHERIT API，其中目标上的授权会继承到子树中的所有项目（如果适用）。

identity:list_grants

默认值:

(rule:admin_required) 或 ((role:reader 且 system_scope:all) 或 (role:reader 且 domain_id:%(target.user.domain_id)s 且 domain_id:%(target.project.domain_id)s) 或 (role:reader 且 domain_id:%(target.user.domain_id)s 且 domain_id:%(target.domain.id)s) 或 (role:reader 且 domain_id:%(target.group.domain_id)s 且 domain_id:%(target.project.domain_id)s) 或 (role:reader 且 domain_id:%(target.group.domain_id)s 且 domain_id:%(target.domain.id)s))

操作:

GET /v3/projects/{project_id}/users/{user_id}/roles
HEAD /v3/projects/{project_id}/users/{user_id}/roles
GET /v3/projects/{project_id}/groups/{group_id}/roles
HEAD /v3/projects/{project_id}/groups/{group_id}/roles
GET /v3/domains/{domain_id}/users/{user_id}/roles
HEAD /v3/domains/{domain_id}/users/{user_id}/roles
GET /v3/domains/{domain_id}/groups/{group_id}/roles
HEAD /v3/domains/{domain_id}/groups/{group_id}/roles
GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects

作用域类型:

system
domain
project

列出授予执行者在目标上的角色。目标可以是域或项目。执行者可以是用户或组。对于 OS-INHERIT API，可以列出在域上的执行者继承的角色授权，其中授权继承到指定域中的所有项目。

identity:create_grant

默认值:

(rule:admin_required) 或 ((role:admin 且 domain_id:%(target.user.domain_id)s 且 domain_id:%(target.project.domain_id)s) 或 (role:admin 且 domain_id:%(target.user.domain_id)s 且 domain_id:%(target.domain.id)s) 或 (role:admin 且 domain_id:%(target.group.domain_id)s 且 domain_id:%(target.project.domain_id)s) 或 (role:admin 且 domain_id:%(target.group.domain_id)s 且 domain_id:%(target.domain.id)s)) 且 (domain_id:%(target.role.domain_id)s 或 None:%(target.role.domain_id)s) 或 ((role:manager 且 domain_id:%(target.user.domain_id)s 且 domain_id:%(target.project.domain_id)s) 或 (role:manager 且 domain_id:%(target.user.domain_id)s 且 domain_id:%(target.domain.id)s) 或 (role:manager 且 domain_id:%(target.group.domain_id)s 且 domain_id:%(target.project.domain_id)s) 或 (role:manager 且 domain_id:%(target.group.domain_id)s 且 domain_id:%(target.domain.id)s)) 且 rule:domain_managed_target_role

操作:

PUT /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
PUT /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
PUT /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
PUT /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
PUT /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

作用域类型:

system
domain
project

在目标和执行者之间创建角色授权。目标可以是域或项目。执行者可以是用户或组。这些术语也适用于 OS-INHERIT API，其中目标上的授权会继承到子树中的所有项目（如果适用）。

identity:revoke_grant

默认值:

操作:

DELETE /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
DELETE /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
DELETE /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
DELETE /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
DELETE /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
DELETE /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects

作用域类型:

system
domain
project

撤销目标和执行者之间的角色授权。目标可以是域或项目。执行者可以是用户或组。这些术语也适用于 OS-INHERIT API，其中目标上的授权会继承到子树中的所有项目（如果适用）。在这种情况下，撤销目标中的角色授权将删除将其继承到目标的项目子树的逻辑效果。

identity:list_system_grants_for_user

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

[‘HEAD’, ‘GET’] /v3/system/users/{user_id}/roles

作用域类型:

system
project

列出特定用户在系统上拥有的所有授权。

identity:check_system_grant_for_user

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

[‘HEAD’, ‘GET’] /v3/system/users/{user_id}/roles/{role_id}

作用域类型:

system
project

检查用户是否在系统上拥有某个角色。

identity:create_system_grant_for_user

默认值:

rule:admin_required

操作:

[‘PUT’] /v3/system/users/{user_id}/roles/{role_id}

作用域类型:

system
project

授予用户系统上的角色。

identity:revoke_system_grant_for_user

默认值:

rule:admin_required

操作:

[‘DELETE’] /v3/system/users/{user_id}/roles/{role_id}

作用域类型:

system
project

从系统上的用户处移除角色。

identity:list_system_grants_for_group

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

[‘HEAD’, ‘GET’] /v3/system/groups/{group_id}/roles

作用域类型:

system
project

列出特定组在系统上拥有的所有授权。

identity:check_system_grant_for_group

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

[‘HEAD’, ‘GET’] /v3/system/groups/{group_id}/roles/{role_id}

作用域类型:

system
project

检查组是否在系统上拥有某个角色。

identity:create_system_grant_for_group

默认值:

rule:admin_required

操作:

[‘PUT’] /v3/system/groups/{group_id}/roles/{role_id}

作用域类型:

system
project

授予组系统上的角色。

identity:revoke_system_grant_for_group

默认值:

rule:admin_required

操作:

[‘DELETE’] /v3/system/groups/{group_id}/roles/{role_id}

作用域类型:

system
project

从系统上的组处移除角色。

identity:get_group

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all) 或 (role:reader 且 domain_id:%(target.group.domain_id)s)

操作:

GET /v3/groups/{group_id}
HEAD /v3/groups/{group_id}

作用域类型:

system
domain
project

显示组详细信息。

identity:list_groups

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all) 或 (role:reader 且 domain_id:%(target.group.domain_id)s)

操作:

GET /v3/groups
HEAD /v3/groups

作用域类型:

system
domain
project

列出组。

identity:list_groups_for_user

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all) 或 (role:reader 且 domain_id:%(target.user.domain_id)s) 或 user_id:%(user_id)s

操作:

GET /v3/users/{user_id}/groups
HEAD /v3/users/{user_id}/groups

作用域类型:

system
domain
project

列出用户所属的组。

identity:create_group

默认值:

(rule:admin_required) 或 (role:manager 且 domain_id:%(target.group.domain_id)s)

操作:

POST /v3/groups

作用域类型:

system
domain
project

创建组。

identity:update_group

默认值:

(rule:admin_required) 或 (role:manager 且 domain_id:%(target.group.domain_id)s)

操作:

PATCH /v3/groups/{group_id}

作用域类型:

system
domain
project

更新组。

identity:delete_group

默认值:

(rule:admin_required) 或 (role:manager 且 domain_id:%(target.group.domain_id)s)

操作:

DELETE /v3/groups/{group_id}

作用域类型:

system
domain
project

删除组。

identity:list_users_in_group

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all) 或 (role:reader 且 domain_id:%(target.group.domain_id)s)

操作:

GET /v3/groups/{group_id}/users
HEAD /v3/groups/{group_id}/users

作用域类型:

system
domain
project

列出特定组的成员。

identity:remove_user_from_group

默认值:

(rule:admin_required) 或 (role:manager 且 domain_id:%(target.group.domain_id)s 且 domain_id:%(target.user.domain_id)s)

操作:

DELETE /v3/groups/{group_id}/users/{user_id}

作用域类型:

system
domain
project

从组中移除用户。

identity:check_user_in_group

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all) 或 (role:reader 且 domain_id:%(target.group.domain_id)s 且 domain_id:%(target.user.domain_id)s)

操作:

HEAD /v3/groups/{group_id}/users/{user_id}
GET /v3/groups/{group_id}/users/{user_id}

作用域类型:

system
domain
project

检查用户是否是组的成员。

identity:add_user_to_group

默认值:

(rule:admin_required) 或 (role:manager 且 domain_id:%(target.group.domain_id)s 且 domain_id:%(target.user.domain_id)s)

操作:

PUT /v3/groups/{group_id}/users/{user_id}

作用域类型:

system
domain
project

将用户添加到组。

identity:create_identity_provider

默认值:

rule:admin_required

操作:

PUT /v3/OS-FEDERATION/identity_providers/{idp_id}

作用域类型:

system
project

创建身份提供程序。

identity:list_identity_providers

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/OS-FEDERATION/identity_providers
HEAD /v3/OS-FEDERATION/identity_providers

作用域类型:

system
project

列出身份提供程序。

identity:get_identity_provider

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/OS-FEDERATION/identity_providers/{idp_id}
HEAD /v3/OS-FEDERATION/identity_providers/{idp_id}

作用域类型:

system
project

获取身份提供程序。

identity:update_identity_provider

默认值:

rule:admin_required

操作:

PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}

作用域类型:

system
project

更新身份提供程序。

identity:delete_identity_provider

默认值:

rule:admin_required

操作:

DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}

作用域类型:

system
project

删除身份提供程序。

identity:get_implied_role

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/roles/{prior_role_id}/implies/{implied_role_id}

作用域类型:

system
project

获取两个角色之间的关联信息。当先验角色和派生角色之间存在关系，并且先验角色分配给用户时，用户也会承担派生角色。

identity:list_implied_roles

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/roles/{prior_role_id}/implies
HEAD /v3/roles/{prior_role_id}/implies

作用域类型:

system
project

列出两个角色之间的关联。当先验角色和派生角色之间存在关系，并且先验角色分配给用户时，用户也会承担派生角色。这将返回用户获得指定先验角色时将承担的所有派生角色。

identity:create_implied_role

默认值:

rule:admin_required

操作:

PUT /v3/roles/{prior_role_id}/implies/{implied_role_id}

作用域类型:

system
project

创建两个角色之间的关联。当先验角色和派生角色之间存在关系，并且先验角色分配给用户时，用户也会承担派生角色。

identity:delete_implied_role

默认值:

rule:admin_required

操作:

DELETE /v3/roles/{prior_role_id}/implies/{implied_role_id}

作用域类型:

system
project

删除两个角色之间的关联。当先验角色和派生角色之间存在关系，并且先验角色分配给用户时，用户也会承担派生角色。删除关联将消除该效果。

identity:list_role_inference_rules

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/role_inferences
HEAD /v3/role_inferences

作用域类型:

system
project

列出系统中两个角色之间的所有关联。当先验角色和派生角色之间存在关系，并且先验角色分配给用户时，用户也会承担派生角色。

identity:check_implied_role

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

HEAD /v3/roles/{prior_role_id}/implies/{implied_role_id}

作用域类型:

system
project

检查两个角色之间的关联。当先验角色和派生角色之间存在关系，并且先验角色分配给用户时，用户也会承担派生角色。

identity:get_limit_model

默认值:

<空字符串>

操作:

GET /v3/limits/model
HEAD /v3/limits/model

作用域类型:

system
domain
project

获取限制实施模型。

identity:get_limit

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all) 或 (domain_id:%(target.limit.domain.id)s 或 domain_id:%(target.limit.project.domain_id)s) 或 (project_id:%(target.limit.project_id)s 且 not None:%(target.limit.project_id)s)

操作:

GET /v3/limits/{limit_id}
HEAD /v3/limits/{limit_id}

作用域类型:

system
domain
project

显示限制详情。

identity:list_limits

默认值:

<空字符串>

操作:

GET /v3/limits
HEAD /v3/limits

作用域类型:

system
domain
project

列出限制。

identity:create_limits

默认值:

rule:admin_required

操作:

POST /v3/limits

作用域类型:

system
project

创建限制。

identity:update_limit

默认值:

rule:admin_required

操作:

PATCH /v3/limits/{limit_id}

作用域类型:

system
project

更新限制。

identity:delete_limit

默认值:

rule:admin_required

操作:

DELETE /v3/limits/{limit_id}

作用域类型:

system
project

删除限制。

identity:create_mapping

默认值:

rule:admin_required

操作:

PUT /v3/OS-FEDERATION/mappings/{mapping_id}

作用域类型:

system
project

创建一个包含一个或多个规则的新联合映射。

identity:get_mapping

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/OS-FEDERATION/mappings/{mapping_id}
HEAD /v3/OS-FEDERATION/mappings/{mapping_id}

作用域类型:

system
project

获取联合映射。

identity:list_mappings

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/OS-FEDERATION/mappings
HEAD /v3/OS-FEDERATION/mappings

作用域类型:

system
project

列出联合映射。

identity:delete_mapping

默认值:

rule:admin_required

操作:

DELETE /v3/OS-FEDERATION/mappings/{mapping_id}

作用域类型:

system
project

删除联合映射。

identity:update_mapping

默认值:

rule:admin_required

操作:

PATCH /v3/OS-FEDERATION/mappings/{mapping_id}

作用域类型:

system
project

更新联合映射。

identity:get_policy

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/policies/{policy_id}

作用域类型:

system
project

显示策略详情。

identity:list_policies

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/policies

作用域类型:

system
project

列出策略。

identity:create_policy

默认值:

rule:admin_required

操作:

POST /v3/policies

作用域类型:

system
project

创建策略。

identity:update_policy

默认值:

rule:admin_required

操作:

PATCH /v3/policies/{policy_id}

作用域类型:

system
project

更新策略。

identity:delete_policy

默认值:

rule:admin_required

操作:

DELETE /v3/policies/{policy_id}

作用域类型:

system
project

删除策略。

identity:create_policy_association_for_endpoint

默认值:

rule:admin_required

操作:

PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}

作用域类型:

system
project

将策略与特定端点关联。

identity:check_policy_association_for_endpoint

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}

作用域类型:

system
project

检查端点策略关联。

identity:delete_policy_association_for_endpoint

默认值:

rule:admin_required

操作:

DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}

作用域类型:

system
project

删除端点策略关联。

identity:create_policy_association_for_service

默认值:

rule:admin_required

操作:

PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}

作用域类型:

system
project

将策略与特定服务关联。

identity:check_policy_association_for_service

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}

作用域类型:

system
project

检查服务策略关联。

identity:delete_policy_association_for_service

默认值:

rule:admin_required

操作:

DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}

作用域类型:

system
project

删除服务策略关联。

identity:create_policy_association_for_region_and_service

默认值:

rule:admin_required

操作:

PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}

作用域类型:

system
project

将策略与特定区域和服务的组合关联。

identity:check_policy_association_for_region_and_service

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}

作用域类型:

system
project

检查区域和服务的策略关联。

identity:delete_policy_association_for_region_and_service

默认值:

rule:admin_required

操作:

DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}

作用域类型:

system
project

删除区域和服务的策略关联。

identity:get_policy_for_endpoint

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
HEAD /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy

作用域类型:

system
project

获取端点的策略。

identity:list_endpoints_for_policy

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints

作用域类型:

system
project

列出策略允许的端点。

identity:get_project

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all) 或 (role:reader 且 domain_id:%(target.project.domain_id)s) 或 project_id:%(target.project.id)s

操作:

GET /v3/projects/{project_id}

作用域类型:

system
domain
project

显示项目详情。

identity:list_projects

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all) 或 (role:reader 且 domain_id:%(target.domain_id)s)

操作:

GET /v3/projects

作用域类型:

system
domain
project

列出项目。

identity:list_user_projects

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all) 或 (role:reader 且 domain_id:%(target.user.domain_id)s) 或 user_id:%(target.user.id)s

操作:

GET /v3/users/{user_id}/projects

作用域类型:

system
domain
project

列出用户的项目。

identity:create_project

默认值:

(rule:admin_required) 或 (role:manager 且 domain_id:%(target.project.domain_id)s)

操作:

POST /v3/projects

作用域类型:

system
domain
project

创建项目。

identity:update_project

默认值:

(rule:admin_required) 或 (role:manager 且 domain_id:%(target.project.domain_id)s)

操作:

PATCH /v3/projects/{project_id}

作用域类型:

system
domain
project

更新项目。

identity:delete_project

默认值:

(rule:admin_required) 或 (role:manager 且 domain_id:%(target.project.domain_id)s)

操作:

DELETE /v3/projects/{project_id}

作用域类型:

system
domain
project

删除项目。

identity:list_project_tags

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all) 或 (role:reader 且 domain_id:%(target.project.domain_id)s) 或 project_id:%(target.project.id)s

操作:

GET /v3/projects/{project_id}/tags
HEAD /v3/projects/{project_id}/tags

作用域类型:

system
domain
project

列出项目的标签。

identity:get_project_tag

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all) 或 (role:reader 且 domain_id:%(target.project.domain_id)s) 或 project_id:%(target.project.id)s

操作:

GET /v3/projects/{project_id}/tags/{value}
HEAD /v3/projects/{project_id}/tags/{value}

作用域类型:

system
domain
project

检查项目是否包含标签。

identity:update_project_tags

默认值:

(rule:admin_required) 或 (role:manager 且 domain_id:%(target.project.domain_id)s)

操作:

PUT /v3/projects/{project_id}/tags

作用域类型:

system
domain
project

使用新的标签集替换项目上的所有标签。

identity:create_project_tag

默认值:

(rule:admin_required) 或 (role:manager 且 domain_id:%(target.project.domain_id)s)

操作:

PUT /v3/projects/{project_id}/tags/{value}

作用域类型:

system
domain
project

将单个标签添加到项目。

identity:delete_project_tags

默认值:

(rule:admin_required) 或 (role:manager 且 domain_id:%(target.project.domain_id)s)

操作:

DELETE /v3/projects/{project_id}/tags

作用域类型:

system
domain
project

删除项目上的所有标签。

identity:delete_project_tag

默认值:

(rule:admin_required) 或 (role:manager 且 domain_id:%(target.project.domain_id)s)

操作:

DELETE /v3/projects/{project_id}/tags/{value}

作用域类型:

system
domain
project

从项目中删除指定的标签。

identity:list_projects_for_endpoint

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects

作用域类型:

system
project

列出允许访问端点的项目。

identity:add_endpoint_to_project

默认值:

rule:admin_required

操作:

PUT /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

作用域类型:

system
project

允许项目访问端点。

identity:check_endpoint_in_project

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
HEAD /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

作用域类型:

system
project

检查项目是否允许访问端点。

identity:list_endpoints_for_project

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints

作用域类型:

system
project

列出项目允许访问的端点。

identity:remove_endpoint_from_project

默认值:

rule:admin_required

操作:

DELETE /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}

作用域类型:

system
project

从之前获得显式访问权限的项目中删除对端点的访问权限。

identity:create_protocol

默认值:

rule:admin_required

操作:

PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

作用域类型:

system
project

创建联合协议。

identity:update_protocol

默认值:

rule:admin_required

操作:

PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

作用域类型:

system
project

更新联合协议。

identity:get_protocol

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

作用域类型:

system
project

获取联合协议。

identity:list_protocols

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols

作用域类型:

system
project

列出联合协议。

identity:delete_protocol

默认值:

rule:admin_required

操作:

DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

作用域类型:

system
project

删除联合协议。

identity:get_region

默认值:

<空字符串>

操作:

GET /v3/regions/{region_id}
HEAD /v3/regions/{region_id}

作用域类型:

system
domain
project

显示区域详情。

identity:list_regions

默认值:

<空字符串>

操作:

GET /v3/regions
HEAD /v3/regions

作用域类型:

system
domain
project

列出区域。

identity:create_region

默认值:

rule:admin_required

操作:

POST /v3/regions
PUT /v3/regions/{region_id}

作用域类型:

system
project

创建区域。

identity:update_region

默认值:

rule:admin_required

操作:

PATCH /v3/regions/{region_id}

作用域类型:

system
project

更新区域。

identity:delete_region

默认值:

rule:admin_required

操作:

DELETE /v3/regions/{region_id}

作用域类型:

system
project

删除区域。

identity:get_registered_limit

默认值:

<空字符串>

操作:

GET /v3/registered_limits/{registered_limit_id}
HEAD /v3/registered_limits/{registered_limit_id}

作用域类型:

system
domain
project

显示已注册限制详情。

identity:list_registered_limits

默认值:

<空字符串>

操作:

GET /v3/registered_limits
HEAD /v3/registered_limits

作用域类型:

system
domain
project

列出已注册限制。

identity:create_registered_limits

默认值:

rule:admin_required

操作:

POST /v3/registered_limits

作用域类型:

system
project

创建已注册限制。

identity:update_registered_limit

默认值:

rule:admin_required

操作:

PATCH /v3/registered_limits/{registered_limit_id}

作用域类型:

system
project

更新已注册限制。

identity:delete_registered_limit

默认值:

rule:admin_required

操作:

DELETE /v3/registered_limits/{registered_limit_id}

作用域类型:

system
project

删除已注册限制。

identity:list_revoke_events

默认值:

rule:service_or_admin

操作:

GET /v3/OS-REVOKE/events

作用域类型:

system
project

列出撤销事件。

identity:get_role

默认值:

(rule:admin_required 或 (role:reader 且 system_scope:all)) 或 (role:manager 且 rule:domain_managed_target_role)

操作:

GET /v3/roles/{role_id}
HEAD /v3/roles/{role_id}

作用域类型:

system
domain
project

显示角色详情。

identity:list_roles

默认值:

(rule:admin_required 或 (role:reader 且 system_scope:all)) 或 (role:manager 且 not domain_id:None)

操作:

GET /v3/roles
HEAD /v3/roles

作用域类型:

system
domain
project

列出角色。

identity:create_role

默认值:

rule:admin_required

操作:

POST /v3/roles

作用域类型:

system
project

创建角色。

identity:update_role

默认值:

rule:admin_required

操作:

PATCH /v3/roles/{role_id}

作用域类型:

system
project

更新角色。

identity:delete_role

默认值:

rule:admin_required

操作:

DELETE /v3/roles/{role_id}

作用域类型:

system
project

删除角色。

identity:get_domain_role

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/roles/{role_id}
HEAD /v3/roles/{role_id}

作用域类型:

system
project

显示域角色。

identity:list_domain_roles

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/roles?domain_id={domain_id}
HEAD /v3/roles?domain_id={domain_id}

作用域类型:

system
project

列出域角色。

identity:create_domain_role

默认值:

rule:admin_required

操作:

POST /v3/roles

作用域类型:

system
project

创建域角色。

identity:update_domain_role

默认值:

rule:admin_required

操作:

PATCH /v3/roles/{role_id}

作用域类型:

system
project

更新域角色。

identity:delete_domain_role

默认值:

rule:admin_required

操作:

DELETE /v3/roles/{role_id}

作用域类型:

system
project

删除域角色。

identity:list_role_assignments

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all) 或 (role:reader 且 domain_id:%(target.domain_id)s)

操作:

GET /v3/role_assignments
HEAD /v3/role_assignments

作用域类型:

system
domain
project

列出角色分配。

identity:list_role_assignments_for_tree

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all) 或 (role:reader 且 domain_id:%(target.domain_id)s)

操作:

GET /v3/role_assignments?include_subtree
HEAD /v3/role_assignments?include_subtree

作用域类型:

system
domain
project

列出给定层次项目树的角色分配。

identity:s3tokens_validate

默认值:

rule:service_or_admin

操作:

POST /v3/s3tokens

作用域类型:

system
domain
project

验证 S3 凭证并创建 Keystone 令牌。限制为服务用户或管理员，以防止通过预签名 URL 滥用。

identity:ec2tokens_validate

默认值:

rule:service_or_admin

操作:

POST /v3/ec2tokens

作用域类型:

system
domain
project

验证 EC2 凭证并创建 Keystone 令牌。限制为服务用户或管理员。

identity:get_service

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/services/{service_id}

作用域类型:

system
project

显示服务详情。

identity:list_services

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/services

作用域类型:

system
project

列出服务。

identity:create_service

默认值:

rule:admin_required

操作:

POST /v3/services

作用域类型:

system
project

创建服务。

identity:update_service

默认值:

rule:admin_required

操作:

PATCH /v3/services/{service_id}

作用域类型:

system
project

更新服务。

identity:delete_service

默认值:

rule:admin_required

操作:

DELETE /v3/services/{service_id}

作用域类型:

system
project

删除服务。

identity:create_service_provider

默认值:

rule:admin_required

操作:

PUT /v3/OS-FEDERATION/service_providers/{service_provider_id}

作用域类型:

system
project

创建联合服务提供程序。

identity:list_service_providers

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/OS-FEDERATION/service_providers
HEAD /v3/OS-FEDERATION/service_providers

作用域类型:

system
project

列出联合服务提供程序。

identity:get_service_provider

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/OS-FEDERATION/service_providers/{service_provider_id}
HEAD /v3/OS-FEDERATION/service_providers/{service_provider_id}

作用域类型:

system
project

获取联合服务提供程序。

identity:update_service_provider

默认值:

rule:admin_required

操作:

PATCH /v3/OS-FEDERATION/service_providers/{service_provider_id}

作用域类型:

system
project

更新联合服务提供程序。

identity:delete_service_provider

默认值:

rule:admin_required

操作:

DELETE /v3/OS-FEDERATION/service_providers/{service_provider_id}

作用域类型:

system
project

删除联合服务提供程序。

identity:revocation_list

默认值:

rule:service_or_admin

操作:

GET /v3/auth/tokens/OS-PKI/revoked

作用域类型:

system
project

列出已撤销的 PKI 令牌。

identity:check_token

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all) 或 rule:token_subject

操作:

HEAD /v3/auth/tokens

作用域类型:

system
domain
project

检查令牌。

identity:validate_token

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all) 或 rule:service_role 或 rule:token_subject

操作:

GET /v3/auth/tokens

作用域类型:

system
domain
project

验证令牌。

identity:revoke_token

默认值:

rule:admin_required 或 rule:token_subject

操作:

DELETE /v3/auth/tokens

作用域类型:

system
domain
project

撤销令牌。

identity:create_trust

默认值:

user_id:%(trust.trustor_user_id)s

操作:

POST /v3/OS-TRUST/trusts

作用域类型:

project

创建信任。

identity:list_trusts

默认值:

rule:admin_required 或 (role:reader 且 system_scope:all)

操作:

GET /v3/OS-TRUST/trusts
HEAD /v3/OS-TRUST/trusts

作用域类型:

system
project

列出信任。

identity:list_trusts_for_trustor

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all 或 user_id:%(target.trust.trustor_user_id)s)

操作:

GET /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}
HEAD /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id}

作用域类型:

system
project

列出信任人的信任。

identity:list_trusts_for_trustee

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all 或 user_id:%(target.trust.trustee_user_id)s)

操作:

GET /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}
HEAD /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id}

作用域类型:

system
project

列出受托人的信任。

identity:list_roles_for_trust

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all 或 user_id:%(target.trust.trustor_user_id)s 或 user_id:%(target.trust.trustee_user_id)s)

操作:

GET /v3/OS-TRUST/trusts/{trust_id}/roles
HEAD /v3/OS-TRUST/trusts/{trust_id}/roles

作用域类型:

system
project

列出信任委托的角色。

identity:get_role_for_trust

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all 或 user_id:%(target.trust.trustor_user_id)s 或 user_id:%(target.trust.trustee_user_id)s)

操作:

GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}
HEAD /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id}

作用域类型:

system
project

检查信任是否委托特定角色。

identity:delete_trust

默认值:

rule:admin_required 或 user_id:%(target.trust.trustor_user_id)s

操作:

DELETE /v3/OS-TRUST/trusts/{trust_id}

作用域类型:

system
project

撤销信任。

identity:get_trust

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all 或 user_id:%(target.trust.trustor_user_id)s 或 user_id:%(target.trust.trustee_user_id)s)

操作:

GET /v3/OS-TRUST/trusts/{trust_id}
HEAD /v3/OS-TRUST/trusts/{trust_id}

作用域类型:

system
project

获取信任。

identity:get_user

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all) 或 (role:reader 且 token.domain.id:%(target.user.domain_id)s) 或 user_id:%(target.user.id)s

操作:

GET /v3/users/{user_id}
HEAD /v3/users/{user_id}

作用域类型:

system
domain
project

显示用户详情。

identity:list_users

默认值:

(rule:admin_required) 或 (role:reader 且 system_scope:all) 或 (role:reader 且 domain_id:%(target.domain_id)s)

操作:

GET /v3/users
HEAD /v3/users

作用域类型:

system
domain
project

列出用户。

identity:list_projects_for_user

默认值:

<空字符串>

操作:

GET `` /v3/auth/projects``

列出用户通过角色分配可以访问的所有项目。

identity:list_domains_for_user

默认值:

<空字符串>

操作:

GET /v3/auth/domains

列出用户通过角色分配可以访问的所有域。

identity:create_user

默认值:

(rule:admin_required) 或 (role:manager 且 token.domain.id:%(target.user.domain_id)s)

操作:

POST /v3/users

作用域类型:

system
domain
project

创建一个用户。

identity:update_user

默认值:

(rule:admin_required) 或 (role:manager 且 token.domain.id:%(target.user.domain_id)s)

操作:

PATCH /v3/users/{user_id}

作用域类型:

system
domain
project

更新用户，包括管理密码重置。

identity:delete_user

默认值:

(rule:admin_required) 或 (role:manager 且 token.domain.id:%(target.user.domain_id)s)

操作:

DELETE /v3/users/{user_id}

作用域类型:

system
domain
project

删除用户。

策略配置

策略配置¶

配置¶

keystone¶

keystone 28.0.1.dev15

页面内容