From 57ab46abff84e769a0434ea4ce36849b8af86133 Mon Sep 17 00:00:00 2001
From: Arif Ali
Date: Fri, 3 Dec 2021 20:52:11 +0000
Subject: [PATCH] Update configs
* Add mysql-router relations
* Add telegraf grafana dashboard relation
* update neutron-agent config
* Add extra juju config for landscape-client-bionic
---
 README.md | 12 +
 config/bundle_focal.yaml | 38 +-
 .../openstack_versioned_overlay_focal.yaml | 4 +-
 config/overlays/resources.yaml | 2 +-
 resources/keystone.yaml | 3094 +++++++++++------
 .../update_landscape_certs_self.sh | 2 +
 6 files changed, 2075 insertions(+), 1077 deletions(-)
diff --git a/README.md b/README.md
index e69de29..2ec68dd 100644
--- a/README.md
+++ b/README.md
@@ -0,0 +1,12 @@
+# CPE Deployments
+
+This my working deployment for lab for a customer that I support
+
+# What works
+
+* bionic queens
+* CIS hardening level2 for bionic
+
+# TODO
+
+* FCE integration
diff --git a/config/bundle_focal.yaml b/config/bundle_focal.yaml
index 55a4f93..1d92864 100644
--- a/config/bundle_focal.yaml
+++ b/config/bundle_focal.yaml
@@ -90,7 +90,8 @@ variables:
 glance-vip: &glance-vip "10.0.1.214"
 heat-vip: &heat-vip "10.0.1.215"
 keystone-vip: &keystone-vip "10.0.1.216"
- mysql-vip: &mysql-vip "10.0.1.217"
+ # not required for mysql-innodb-cluster
+ #mysql-vip: &mysql-vip "10.0.1.217"
 neutron-api-vip: &neutron-api-vip "10.0.1.218"
 nova-cc-vip: &nova-cc-vip "10.0.1.219"
 gnocchi-vip: &gnocchi-vip "10.0.1.220"
@@ -624,6 +625,7 @@ applications:
 default-tenant-network-type: vxlan
 l2-population: True
 #global-physnet-mtu: 9000
+ manage-neutron-plugin-legacy-mode: True
 to:
 - lxd:100
 - lxd:101
@@ -986,7 +988,7 @@ applications:
 to:
 - lxd:200
 openstack-service-checks:
- charm: cs:~canonical-bootstack//nagiosopenstack-service-checks
+ charm: cs:~llama-charmers-next/openstack-service-checks
 constraints: *oam-space-constr
 bindings:
 "": *public-space
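Review bot: Commenting out the `&mysql-vip` anchor breaks the whole bundle if any `*mysql-vip` alias survives elsewhere in config/bundle_focal.yaml, because YAML treats an alias to an undefined anchor as a parse error rather than a missing value; this hunk shows only the variables block, so the rest of the file should be searched for `*mysql-vip` before merging. Leaving the old line in as a comment adds nothing that git history does not already keep, so either delete it or make the comment say what replaces the VIP, `# no mysql-vip: mysql-innodb-cluster is reached through the per-application mysql-router units added in this bundle`.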
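Review bot: The new charm reference `cs:~llama-charmers-next/openstack-service-checks` carries no revision, so each deploy resolves to whatever that namespace currently publishes, and a `-next` namespace usually means a development channel; every other charm in this bundle is pinned by revision in config/overlays/openstack_versioned_overlay_focal.yaml (`cs:memcached-32`, `cs:mysql-router-11`), and this one should get an entry there too, `openstack-service-checks:` / `charm: cs:~llama-charmers-next/openstack-service-checks-<REVISION>` with the revision that was actually tested. The old value with its doubled slash was clearly broken, so the change itself is right; only the pin is missing. The `openstack-service-checks` application block continues past the end of the hunk.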
@@ -1344,7 +1346,7 @@ relations:
 - [ "openstack-dashboard:ha", "hacluster-horizon:ha" ]
 - [ "openstack-dashboard:identity-service", "keystone:identity-service" ]
- - [ "openstack-dashboard:shared-db", "keystone-mysql-router:shared-db" ]
+ - [ "openstack-dashboard:shared-db", "openstack-dashboard-mysql-router:shared-db" ]
 # ceilometer
 - [ "ceilometer:identity-credentials", "keystone:identity-credentials" ]
@@ -1369,6 +1371,26 @@ relations:
 - [ "aodh:amqp", "rabbitmq-server:amqp" ]
 - [ "aodh:ha", "hacluster-aodh:ha" ]
+ # placement
+ - [ "placement:ha", "hacluster-placement:ha" ]
+ - [ "placement:shared-db", "placement-mysql-router:shared-db" ]
+ - [ "placement:identity-service", "keystone:identity-service" ]
+ - [ "placement:placement", "nova-cloud-controller:placement" ]
+
+ # mysql-router
+ - [ "aodh-mysql-router:db-router", "mysql:db-router" ]
+ - [ "keystone-mysql-router:db-router", "mysql:db-router" ]
+ - [ "cinder-mysql-router:db-router", "mysql:db-router" ]
+# - [ "cinder2-mysql-router:db-router", "mysql:db-router" ]
+ - [ "glance-mysql-router:db-router", "mysql:db-router" ]
+ - [ "gnocchi-mysql-router:db-router", "mysql:db-router" ]
+ - [ "heat-mysql-router:db-router", "mysql:db-router" ]
+ - [ "nova-cloud-controller-mysql-router:db-router", "mysql:db-router" ]
+ - [ "neutron-api-mysql-router:db-router", "mysql:db-router" ]
+ - [ "openstack-dashboard-mysql-router:db-router", "mysql:db-router" ]
+ - [ "placement-mysql-router:db-router", "mysql:db-router" ]
+ - [ "vault-mysql-router:db-router", "mysql:db-router" ]
+
 # sysconfig relations
 #- [ "ceph-osd:juju-info", "sysconfig-storage:juju-info" ]
 - [ "nova-compute:juju-info", "sysconfig-compute:juju-info" ]
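Review bot: `# - [ "cinder2-mysql-router:db-router", "mysql:db-router" ]` is disabled by a `#` at column 0 inside an indented list, and nothing says why; if a `cinder2-mysql-router` application is still declared in the bundle it will now come up with no db-router relation and never settle, and if it is not declared the line is dead and should go. Indent it to the list and state the reason, for example `  # - [ "cinder2-mysql-router:db-router", "mysql:db-router" ]  # cinder2 not deployed in this lab` (constructed; adjust the reason). The new `placement` and `*-mysql-router` relations also presuppose that `hacluster-placement`, `placement-mysql-router` and an application named `mysql` exist in the applications section, which this chunk does not show; the overlay hunk renaming `mysql-innodb-cluster` to `mysql` suggests the last of these is handled. The relations list continues beyond the hunk.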
@@ -1483,6 +1505,10 @@ relations:
 # juniper server
 - [ "juniper-server:juju-info", "ntp:juju-info" ]
+ # grafana dashboards
+ - [ "grafana:dashboards", "telegraf:dashboards" ]
+ - [ "grafana:dashboards", "telegraf-prometheus:dashboards" ]
+
 # LMA/landscape subordinates
 - [ "nova-compute", "filebeat" ]
 - [ "nova-compute", "telegraf" ]
@@ -1564,6 +1590,11 @@ relations:
 - [ "aodh", "landscape-client" ]
 - [ "aodh", "nrpe-container" ]
+ - [ "placement", "filebeat" ]
+ - [ "placement", "telegraf" ]
+ - [ "placement", "landscape-client" ]
+ - [ "placement", "nrpe-container" ]
+
 - [ "juniper-server", "telegraf" ]
 - [ "juniper-server", "filebeat" ]
 - [ "juniper-server", "landscape-client" ]
@@ -1578,6 +1609,7 @@ relations:
 - [ "hacluster-keystone:nrpe-external-master", "nrpe-container:nrpe-external-master" ]
 - [ "hacluster-neutron:nrpe-external-master", "nrpe-container:nrpe-external-master" ]
 - [ "hacluster-nova:nrpe-external-master", "nrpe-container:nrpe-external-master" ]
+ - [ "hacluster-placement:nrpe-external-master", "nrpe-container:nrpe-external-master" ]
 # Landscape
 - [ "landscape-server:juju-info", "ntp:juju-info" ]
diff --git a/config/overlays/openstack_versioned_overlay_focal.yaml b/config/overlays/openstack_versioned_overlay_focal.yaml
index 9e2f91d..bec919d 100644
--- a/config/overlays/openstack_versioned_overlay_focal.yaml
+++ b/config/overlays/openstack_versioned_overlay_focal.yaml
@@ -93,7 +93,7 @@ applications:
 # charm: cs:lldpd-9
 memcached:
 charm: cs:memcached-32
- mysql-innodb-cluster:
+ mysql:
 charm: cs:mysql-innodb-cluster-11
 aodh-mysql-router:
 charm: cs:mysql-router-11
@@ -117,8 +117,6 @@ applications:
 charm: cs:mysql-router-11
 vault-mysql-router:
 charm: cs:mysql-router-11
- manila-mysql-router:
- charm: cs:mysql-router-11
 nagios:
 charm: cs:nagios-44
 neutron-gateway:
diff --git a/config/overlays/resources.yaml b/config/overlays/resources.yaml
index 4ccf468..77daf16 100644
--- a/config/overlays/resources.yaml
+++ b/config/overlays/resources.yaml
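Review bot: Renaming the overlay key from `mysql-innodb-cluster` to `mysql` only pins the right charm if the application in config/bundle_focal.yaml carries the same name; an overlay entry that matches no bundle application is, as far as I understand, treated as a new application rather than as a revision pin, and the applications section is not in this diff. The relations added in this commit use `mysql:db-router`, so the bundle side presumably already agrees, but on a model that already has a `mysql-innodb-cluster` application Juju would see `mysql` as a fresh application rather than a rename, so the commit message should say whether this assumes a redeploy. A comment on the key, `mysql:  # application name; the charm is mysql-innodb-cluster`, would stop the next reader from reverting it.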
@@ -2,6 +2,6 @@ applications:
 keystone:
 options:
- use-policyd-override: true
+ use-policyd-override: false
 resources:
 policyd-override: ../resources/keystone.zip
diff --git a/resources/keystone.yaml b/resources/keystone.yaml
index a30c646..0d20653 100644
--- a/resources/keystone.yaml
+++ b/resources/keystone.yaml
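Review bot: Setting `use-policyd-override: false` stops the keystone charm from applying the custom policy shipped as `policyd-override: ../resources/keystone.zip`, which this same commit regenerates from resources/keystone.yaml, yet none of the four bullets in the commit message mention that the policy override is being switched off; going from a custom access-control policy back to charm defaults is exactly the change an auditor will look for. If it is off because the regenerated policy has not been validated yet, say so at the key, `use-policyd-override: false  # TODO(review): re-enable once resources/keystone.yaml is validated for this release`, and add a bullet to the commit message. The resource line stays, so the zip is still attached to the application; only its enforcement is disabled.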
@@ -1,1070 +1,2024 @@ -# -#"admin_required": "role:admin or is_admin:1" - -# -#"service_role": "role:service" - -# -#"service_or_admin": "rule:admin_required or rule:service_role" - -# -#"owner": "user_id:%(user_id)s" - -# -#"admin_or_owner": "rule:admin_required or rule:owner" - -# -#"token_subject": "user_id:%(target.token.user_id)s" - -# -#"admin_or_token_subject": "rule:admin_required or rule:token_subject" - -# -#"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject" - -# Show application credential details. -# GET /v3/users/{user_id}/application_credentials/{application_credential_id} -# HEAD /v3/users/{user_id}/application_credentials/{application_credential_id} -#"identity:get_application_credential": "rule:admin_or_owner" - -# List application credentials for a user. -# GET /v3/users/{user_id}/application_credentials -# HEAD /v3/users/{user_id}/application_credentials -#"identity:list_application_credentials": "rule:admin_or_owner" - -# Create an application credential. -# POST /v3/users/{user_id}/application_credentials -#"identity:create_application_credential": "rule:admin_or_owner" - -# Delete an application credential. -# DELETE /v3/users/{user_id}/application_credentials/{application_credential_id} -#"identity:delete_application_credential": "rule:admin_or_owner" - -# Authorize OAUTH1 request token. -# PUT /v3/OS-OAUTH1/authorize/{request_token_id} -# Intended scope(s): project -#"identity:authorize_request_token": "rule:admin_required" - -# Get OAUTH1 access token for user by access token ID. -# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id} -# Intended scope(s): project -#"identity:get_access_token": "rule:admin_required" - -# Get role for user OAUTH1 access token. -# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id} -# Intended scope(s): project -#"identity:get_access_token_role": "rule:admin_required" - -# List OAUTH1 access tokens for user. 
-# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens -# Intended scope(s): project -#"identity:list_access_tokens": "rule:admin_required" - -# List OAUTH1 access token roles. -# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles -# Intended scope(s): project -#"identity:list_access_token_roles": "rule:admin_required" - -# Delete OAUTH1 access token. -# DELETE /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id} -# Intended scope(s): project -#"identity:delete_access_token": "rule:admin_required" - -# Get service catalog. -# GET /v3/auth/catalog -# HEAD /v3/auth/catalog -#"identity:get_auth_catalog": "" - -# List all projects a user has access to via role assignments. -# GET /v3/auth/projects -# HEAD /v3/auth/projects -#"identity:get_auth_projects": "" - -# List all domains a user has access to via role assignments. -# GET /v3/auth/domains -# HEAD /v3/auth/domains -#"identity:get_auth_domains": "" - -# List systems a user has access to via role assignments. -# GET /v3/auth/system -# HEAD /v3/auth/system -#"identity:get_auth_system": "" - -# Show OAUTH1 consumer details. -# GET /v3/OS-OAUTH1/consumers/{consumer_id} -# Intended scope(s): system -#"identity:get_consumer": "rule:admin_required" - -# List OAUTH1 consumers. -# GET /v3/OS-OAUTH1/consumers -# Intended scope(s): system -#"identity:list_consumers": "rule:admin_required" - -# Create OAUTH1 consumer. -# POST /v3/OS-OAUTH1/consumers -# Intended scope(s): system -#"identity:create_consumer": "rule:admin_required" - -# Update OAUTH1 consumer. -# PATCH /v3/OS-OAUTH1/consumers/{consumer_id} -# Intended scope(s): system -#"identity:update_consumer": "rule:admin_required" - -# Delete OAUTH1 consumer. -# DELETE /v3/OS-OAUTH1/consumers/{consumer_id} -# Intended scope(s): system -#"identity:delete_consumer": "rule:admin_required" - -# Show credentials details. -# GET /v3/credentials/{credential_id} -#"identity:get_credential": "rule:admin_required" - -# List credentials. 
-# GET /v3/credentials -#"identity:list_credentials": "rule:admin_required" - -# Create credential. -# POST /v3/credentials -#"identity:create_credential": "rule:admin_required" - -# Update credential. -# PATCH /v3/credentials/{credential_id} -#"identity:update_credential": "rule:admin_required" - -# Delete credential. -# DELETE /v3/credentials/{credential_id} -#"identity:delete_credential": "rule:admin_required" - -# Show domain details. -# GET /v3/domains/{domain_id} -# Intended scope(s): system -#"identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s" - -# List domains. -# GET /v3/domains -# Intended scope(s): system -#"identity:list_domains": "rule:admin_required" - -# Create domain. -# POST /v3/domains -# Intended scope(s): system -#"identity:create_domain": "rule:admin_required" - -# Update domain. -# PATCH /v3/domains/{domain_id} -# Intended scope(s): system -#"identity:update_domain": "rule:admin_required" - -# Delete domain. -# DELETE /v3/domains/{domain_id} -# Intended scope(s): system -#"identity:delete_domain": "rule:admin_required" - -# Create domain configuration. -# PUT /v3/domains/{domain_id}/config -# Intended scope(s): system -#"identity:create_domain_config": "rule:admin_required" - -# Get the entire domain configuration for a domain, an option group -# within a domain, or a specific configuration option within a group -# for a domain. -# GET /v3/domains/{domain_id}/config -# HEAD /v3/domains/{domain_id}/config -# GET /v3/domains/{domain_id}/config/{group} -# HEAD /v3/domains/{domain_id}/config/{group} -# GET /v3/domains/{domain_id}/config/{group}/{option} -# HEAD /v3/domains/{domain_id}/config/{group}/{option} -# Intended scope(s): system -#"identity:get_domain_config": "rule:admin_required" - -# Get security compliance domain configuration for either a domain or -# a specific option in a domain. 
-# GET /v3/domains/{domain_id}/config/security_compliance -# HEAD /v3/domains/{domain_id}/config/security_compliance -# GET v3/domains/{domain_id}/config/security_compliance/{option} -# HEAD v3/domains/{domain_id}/config/security_compliance/{option} -# Intended scope(s): system, project -#"identity:get_security_compliance_domain_config": "" - -# Update domain configuration for either a domain, specific group or a -# specific option in a group. -# PATCH /v3/domains/{domain_id}/config -# PATCH /v3/domains/{domain_id}/config/{group} -# PATCH /v3/domains/{domain_id}/config/{group}/{option} -# Intended scope(s): system -#"identity:update_domain_config": "rule:admin_required" - -# Delete domain configuration for either a domain, specific group or a -# specific option in a group. -# DELETE /v3/domains/{domain_id}/config -# DELETE /v3/domains/{domain_id}/config/{group} -# DELETE /v3/domains/{domain_id}/config/{group}/{option} -# Intended scope(s): system -#"identity:delete_domain_config": "rule:admin_required" - -# Get domain configuration default for either a domain, specific group -# or a specific option in a group. -# GET /v3/domains/config/default -# HEAD /v3/domains/config/default -# GET /v3/domains/config/{group}/default -# HEAD /v3/domains/config/{group}/default -# GET /v3/domains/config/{group}/{option}/default -# HEAD /v3/domains/config/{group}/{option}/default -# Intended scope(s): system -#"identity:get_domain_config_default": "rule:admin_required" - -# Show ec2 credential details. -# GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id} -#"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)" - -# List ec2 credentials. -# GET /v3/users/{user_id}/credentials/OS-EC2 -#"identity:ec2_list_credentials": "rule:admin_or_owner" - -# Create ec2 credential. -# POST /v3/users/{user_id}/credentials/OS-EC2 -#"identity:ec2_create_credential": "rule:admin_or_owner" - -# Delete ec2 credential. 
-# DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id} -#"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)" - -# Show endpoint details. -# GET /v3/endpoints/{endpoint_id} -# Intended scope(s): system -#"identity:get_endpoint": "rule:admin_required" - -# List endpoints. -# GET /v3/endpoints -# Intended scope(s): system -#"identity:list_endpoints": "rule:admin_required" - -# Create endpoint. -# POST /v3/endpoints -# Intended scope(s): system -#"identity:create_endpoint": "rule:admin_required" - -# Update endpoint. -# PATCH /v3/endpoints/{endpoint_id} -# Intended scope(s): system -#"identity:update_endpoint": "rule:admin_required" - -# Delete endpoint. -# DELETE /v3/endpoints/{endpoint_id} -# Intended scope(s): system -#"identity:delete_endpoint": "rule:admin_required" - -# Create endpoint group. -# POST /v3/OS-EP-FILTER/endpoint_groups -# Intended scope(s): system -#"identity:create_endpoint_group": "rule:admin_required" - -# List endpoint groups. -# GET /v3/OS-EP-FILTER/endpoint_groups -# Intended scope(s): system -#"identity:list_endpoint_groups": "rule:admin_required" - -# Get endpoint group. -# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} -# HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} -# Intended scope(s): system -#"identity:get_endpoint_group": "rule:admin_required" - -# Update endpoint group. -# PATCH /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} -# Intended scope(s): system -#"identity:update_endpoint_group": "rule:admin_required" - -# Delete endpoint group. -# DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} -# Intended scope(s): system -#"identity:delete_endpoint_group": "rule:admin_required" - -# List all projects associated with a specific endpoint group. 
-# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects -# Intended scope(s): system -#"identity:list_projects_associated_with_endpoint_group": "rule:admin_required" - -# List all endpoints associated with an endpoint group. -# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints -# Intended scope(s): system -#"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required" - -# Check if an endpoint group is associated with a project. -# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} -# HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} -# Intended scope(s): system -#"identity:get_endpoint_group_in_project": "rule:admin_required" - -# List endpoint groups associated with a specific project. -# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups -# Intended scope(s): system -#"identity:list_endpoint_groups_for_project": "rule:admin_required" - -# Allow a project to access an endpoint group. -# PUT /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} -# Intended scope(s): system -#"identity:add_endpoint_group_to_project": "rule:admin_required" - -# Remove endpoint group from project. -# DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} -# Intended scope(s): system -#"identity:remove_endpoint_group_from_project": "rule:admin_required" - -# Check a role grant between a target and an actor. A target can be -# either a domain or a project. An actor can be either a user or a -# group. These terms also apply to the OS-INHERIT APIs, where grants -# on the target are inherited to all projects in the subtree, if -# applicable. 
-# HEAD /v3/projects/{project_id}/users/{user_id}/roles/{role_id} -# GET /v3/projects/{project_id}/users/{user_id}/roles/{role_id} -# HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} -# GET /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} -# HEAD /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} -# GET /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} -# HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} -# GET /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} -# HEAD /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects -# GET /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects -# HEAD /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects -# GET /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects -# HEAD /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects -# GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects -# HEAD /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects -# GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects -# Intended scope(s): system -#"identity:check_grant": "rule:admin_required" - -# List roles granted to an actor on a target. A target can be either a -# domain or a project. An actor can be either a user or a group. For -# the OS-INHERIT APIs, it is possible to list inherited role grants -# for actors on domains, where grants are inherited to all projects in -# the specified domain. 
-# GET /v3/projects/{project_id}/users/{user_id}/roles -# HEAD /v3/projects/{project_id}/users/{user_id}/roles -# GET /v3/projects/{project_id}/groups/{group_id}/roles -# HEAD /v3/projects/{project_id}/groups/{group_id}/roles -# GET /v3/domains/{domain_id}/users/{user_id}/roles -# HEAD /v3/domains/{domain_id}/users/{user_id}/roles -# GET /v3/domains/{domain_id}/groups/{group_id}/roles -# HEAD /v3/domains/{domain_id}/groups/{group_id}/roles -# GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects -# GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects -# Intended scope(s): system -#"identity:list_grants": "rule:admin_required" - -# Create a role grant between a target and an actor. A target can be -# either a domain or a project. An actor can be either a user or a -# group. These terms also apply to the OS-INHERIT APIs, where grants -# on the target are inherited to all projects in the subtree, if -# applicable. -# PUT /v3/projects/{project_id}/users/{user_id}/roles/{role_id} -# PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} -# PUT /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} -# PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} -# PUT /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects -# PUT /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects -# PUT /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects -# PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects -# Intended scope(s): system -#"identity:create_grant": "rule:admin_required" - -# Revoke a role grant between a target and an actor. A target can be -# either a domain or a project. An actor can be either a user or a -# group. 
These terms also apply to the OS-INHERIT APIs, where grants -# on the target are inherited to all projects in the subtree, if -# applicable. In that case, revoking the role grant in the target -# would remove the logical effect of inheriting it to the target's -# projects subtree. -# DELETE /v3/projects/{project_id}/users/{user_id}/roles/{role_id} -# DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} -# DELETE /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} -# DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} -# DELETE /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects -# DELETE /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects -# DELETE /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects -# DELETE /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects -# Intended scope(s): system -#"identity:revoke_grant": "rule:admin_required" - -# List all grants a specific user has on the system. -# ['HEAD', 'GET'] /v3/system/users/{user_id}/roles -# Intended scope(s): system -#"identity:list_system_grants_for_user": "rule:admin_required" - -# Check if a user has a role on the system. -# ['HEAD', 'GET'] /v3/system/users/{user_id}/roles/{role_id} -# Intended scope(s): system -#"identity:check_system_grant_for_user": "rule:admin_required" - -# Grant a user a role on the system. -# ['PUT'] /v3/system/users/{user_id}/roles/{role_id} -# Intended scope(s): system -#"identity:create_system_grant_for_user": "rule:admin_required" - -# Remove a role from a user on the system. -# ['DELETE'] /v3/system/users/{user_id}/roles/{role_id} -# Intended scope(s): system -#"identity:revoke_system_grant_for_user": "rule:admin_required" - -# List all grants a specific group has on the system. 
-# ['HEAD', 'GET'] /v3/system/groups/{group_id}/roles -# Intended scope(s): system -#"identity:list_system_grants_for_group": "rule:admin_required" - -# Check if a group has a role on the system. -# ['HEAD', 'GET'] /v3/system/groups/{group_id}/roles/{role_id} -# Intended scope(s): system -#"identity:check_system_grant_for_group": "rule:admin_required" - -# Grant a group a role on the system. -# ['PUT'] /v3/system/groups/{group_id}/roles/{role_id} -# Intended scope(s): system -#"identity:create_system_grant_for_group": "rule:admin_required" - -# Remove a role from a group on the system. -# ['DELETE'] /v3/system/groups/{group_id}/roles/{role_id} -# Intended scope(s): system -#"identity:revoke_system_grant_for_group": "rule:admin_required" - -# Show group details. -# GET /v3/groups/{group_id} -# HEAD /v3/groups/{group_id} -# Intended scope(s): system -#"identity:get_group": "rule:admin_required" - -# List groups. -# GET /v3/groups -# HEAD /v3/groups -# Intended scope(s): system -#"identity:list_groups": "rule:admin_required" - -# List groups to which a user belongs. -# GET /v3/users/{user_id}/groups -# HEAD /v3/users/{user_id}/groups -# Intended scope(s): system -#"identity:list_groups_for_user": "rule:admin_or_owner" - -# Create group. -# POST /v3/groups -# Intended scope(s): system -#"identity:create_group": "rule:admin_required" - -# Update group. -# PATCH /v3/groups/{group_id} -# Intended scope(s): system -#"identity:update_group": "rule:admin_required" - -# Delete group. -# DELETE /v3/groups/{group_id} -# Intended scope(s): system -#"identity:delete_group": "rule:admin_required" - -# List members of a specific group. -# GET /v3/groups/{group_id}/users -# HEAD /v3/groups/{group_id}/users -# Intended scope(s): system -#"identity:list_users_in_group": "rule:admin_required" - -# Remove user from group. 
-# DELETE /v3/groups/{group_id}/users/{user_id} -# Intended scope(s): system -#"identity:remove_user_from_group": "rule:admin_required" - -# Check whether a user is a member of a group. -# HEAD /v3/groups/{group_id}/users/{user_id} -# GET /v3/groups/{group_id}/users/{user_id} -# Intended scope(s): system -#"identity:check_user_in_group": "rule:admin_required" - -# Add user to group. -# PUT /v3/groups/{group_id}/users/{user_id} -# Intended scope(s): system -#"identity:add_user_to_group": "rule:admin_required" - -# Create identity provider. -# PUT /v3/OS-FEDERATION/identity_providers/{idp_id} -# Intended scope(s): system -#"identity:create_identity_provider": "rule:admin_required" - -# List identity providers. -# GET /v3/OS-FEDERATION/identity_providers -# HEAD /v3/OS-FEDERATION/identity_providers -# Intended scope(s): system -#"identity:list_identity_providers": "rule:admin_required" - -# Get identity provider. -# GET /v3/OS-FEDERATION/identity_providers/{idp_id} -# HEAD /v3/OS-FEDERATION/identity_providers/{idp_id} -# Intended scope(s): system -#"identity:get_identity_provider": "rule:admin_required" - -# Update identity provider. -# PATCH /v3/OS-FEDERATION/identity_providers/{idp_id} -# Intended scope(s): system -#"identity:update_identity_provider": "rule:admin_required" - -# Delete identity provider. -# DELETE /v3/OS-FEDERATION/identity_providers/{idp_id} -# Intended scope(s): system -#"identity:delete_identity_provider": "rule:admin_required" - -# Get information about an association between two roles. When a -# relationship exists between a prior role and an implied role and the -# prior role is assigned to a user, the user also assumes the implied -# role. -# GET /v3/roles/{prior_role_id}/implies/{implied_role_id} -# Intended scope(s): system -#"identity:get_implied_role": "rule:admin_required" - -# List associations between two roles. 
When a relationship exists -# between a prior role and an implied role and the prior role is -# assigned to a user, the user also assumes the implied role. This -# will return all the implied roles that would be assumed by the user -# who gets the specified prior role. -# GET /v3/roles/{prior_role_id}/implies -# HEAD /v3/roles/{prior_role_id}/implies -# Intended scope(s): system -#"identity:list_implied_roles": "rule:admin_required" - -# Create an association between two roles. When a relationship exists -# between a prior role and an implied role and the prior role is -# assigned to a user, the user also assumes the implied role. -# PUT /v3/roles/{prior_role_id}/implies/{implied_role_id} -# Intended scope(s): system -#"identity:create_implied_role": "rule:admin_required" - -# Delete the association between two roles. When a relationship exists -# between a prior role and an implied role and the prior role is -# assigned to a user, the user also assumes the implied role. Removing -# the association will cause that effect to be eliminated. -# DELETE /v3/roles/{prior_role_id}/implies/{implied_role_id} -# Intended scope(s): system -#"identity:delete_implied_role": "rule:admin_required" - -# List all associations between two roles in the system. When a -# relationship exists between a prior role and an implied role and the -# prior role is assigned to a user, the user also assumes the implied -# role. -# GET /v3/role_inferences -# HEAD /v3/role_inferences -# Intended scope(s): system -#"identity:list_role_inference_rules": "rule:admin_required" - -# Check an association between two roles. When a relationship exists -# between a prior role and an implied role and the prior role is -# assigned to a user, the user also assumes the implied role. -# HEAD /v3/roles/{prior_role_id}/implies/{implied_role_id} -# Intended scope(s): system -#"identity:check_implied_role": "rule:admin_required" - -# Show limit details. 
-# GET /v3/limits/{limit_id} -# HEAD /v3/limits/{limit_id} -# Intended scope(s): system, project -#"identity:get_limit": "" - -# List limits. -# GET /v3/limits -# HEAD /v3/limits -# Intended scope(s): system, project -#"identity:list_limits": "" - -# Create limits. -# POST /v3/limits -# Intended scope(s): system -#"identity:create_limits": "rule:admin_required" - -# Update limits. -# PUT /v3/limits/{limit_id} -# Intended scope(s): system -#"identity:update_limits": "rule:admin_required" - -# Delete limit. -# DELETE /v3/limits/{limit_id} -# Intended scope(s): system -#"identity:delete_limit": "rule:admin_required" - -# Create a new federated mapping containing one or more sets of rules. -# PUT /v3/OS-FEDERATION/mappings/{mapping_id} -# Intended scope(s): system -#"identity:create_mapping": "rule:admin_required" - -# Get a federated mapping. -# GET /v3/OS-FEDERATION/mappings/{mapping_id} -# HEAD /v3/OS-FEDERATION/mappings/{mapping_id} -# Intended scope(s): system -#"identity:get_mapping": "rule:admin_required" - -# List federated mappings. -# GET /v3/OS-FEDERATION/mappings -# HEAD /v3/OS-FEDERATION/mappings -# Intended scope(s): system -#"identity:list_mappings": "rule:admin_required" - -# Delete a federated mapping. -# DELETE /v3/OS-FEDERATION/mappings/{mapping_id} -# Intended scope(s): system -#"identity:delete_mapping": "rule:admin_required" - -# Update a federated mapping. -# PATCH /v3/OS-FEDERATION/mappings/{mapping_id} -# Intended scope(s): system -#"identity:update_mapping": "rule:admin_required" - -# Show policy details. -# GET /v3/policy/{policy_id} -# Intended scope(s): system -#"identity:get_policy": "rule:admin_required" - -# List policies. -# GET /v3/policies -# Intended scope(s): system -#"identity:list_policies": "rule:admin_required" - -# Create policy. -# POST /v3/policies -# Intended scope(s): system -#"identity:create_policy": "rule:admin_required" - -# Update policy. 
-# PATCH /v3/policies/{policy_id} -# Intended scope(s): system -#"identity:update_policy": "rule:admin_required" - -# Delete policy. -# DELETE /v3/policies/{policy_id} -# Intended scope(s): system -#"identity:delete_policy": "rule:admin_required" - -# Associate a policy to a specific endpoint. -# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} -# Intended scope(s): system -#"identity:create_policy_association_for_endpoint": "rule:admin_required" - -# Check policy association for endpoint. -# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} -# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} -# Intended scope(s): system -#"identity:check_policy_association_for_endpoint": "rule:admin_required" - -# Delete policy association for endpoint. -# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id} -# Intended scope(s): system -#"identity:delete_policy_association_for_endpoint": "rule:admin_required" - -# Associate a policy to a specific service. -# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} -# Intended scope(s): system -#"identity:create_policy_association_for_service": "rule:admin_required" - -# Check policy association for service. -# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} -# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} -# Intended scope(s): system -#"identity:check_policy_association_for_service": "rule:admin_required" - -# Delete policy association for service. -# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id} -# Intended scope(s): system -#"identity:delete_policy_association_for_service": "rule:admin_required" - -# Associate a policy to a specific region and service combination. 
-# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} -# Intended scope(s): system -#"identity:create_policy_association_for_region_and_service": "rule:admin_required" - -# Check policy association for region and service. -# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} -# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} -# Intended scope(s): system -#"identity:check_policy_association_for_region_and_service": "rule:admin_required" - -# Delete policy association for region and service. -# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id} -# Intended scope(s): system -#"identity:delete_policy_association_for_region_and_service": "rule:admin_required" - -# Get policy for endpoint. -# GET /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy -# HEAD /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy -# Intended scope(s): system -#"identity:get_policy_for_endpoint": "rule:admin_required" - -# List endpoints for policy. -# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints -# Intended scope(s): system -#"identity:list_endpoints_for_policy": "rule:admin_required" - -# Show project details. -# GET /v3/projects/{project_id} -#"identity:get_project": "rule:admin_required or project_id:%(target.project.id)s" - -# List projects. -# GET /v3/projects -# Intended scope(s): system -#"identity:list_projects": "rule:admin_required" - -# List projects for user. -# GET /v3/users/{user_id}/projects -#"identity:list_user_projects": "rule:admin_or_owner" - -# Create project. -# POST /v3/projects -# Intended scope(s): system -#"identity:create_project": "rule:admin_required" - -# Update project. -# PATCH /v3/projects/{project_id} -# Intended scope(s): system -#"identity:update_project": "rule:admin_required" - -# Delete project. 
-# DELETE /v3/projects/{project_id} -# Intended scope(s): system -#"identity:delete_project": "rule:admin_required" - -# List tags for a project. -# GET /v3/projects/{project_id}/tags -# HEAD /v3/projects/{project_id}/tags -#"identity:list_project_tags": "rule:admin_required or project_id:%(target.project.id)s" - -# Check if project contains a tag. -# GET /v3/projects/{project_id}/tags/{value} -# HEAD /v3/projects/{project_id}/tags/{value} -#"identity:get_project_tag": "rule:admin_required or project_id:%(target.project.id)s" - -# Replace all tags on a project with the new set of tags. -# PUT /v3/projects/{project_id}/tags -# Intended scope(s): system -#"identity:update_project_tags": "rule:admin_required" - -# Add a single tag to a project. -# PUT /v3/projects/{project_id}/tags/{value} -# Intended scope(s): system -#"identity:create_project_tag": "rule:admin_required" - -# Remove all tags from a project. -# DELETE /v3/projects/{project_id}/tags -# Intended scope(s): system -#"identity:delete_project_tags": "rule:admin_required" - -# Delete a specified tag from project. -# DELETE /v3/projects/{project_id}/tags/{value} -# Intended scope(s): system -#"identity:delete_project_tag": "rule:admin_required" - -# List projects allowed to access an endpoint. -# GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects -# Intended scope(s): system -#"identity:list_projects_for_endpoint": "rule:admin_required" - -# Allow project to access an endpoint. -# PUT /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} -# Intended scope(s): system -#"identity:add_endpoint_to_project": "rule:admin_required" - -# Check if a project is allowed to access an endpoint. -# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} -# HEAD /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} -# Intended scope(s): system -#"identity:check_endpoint_in_project": "rule:admin_required" - -# List the endpoints a project is allowed to access. 
-# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints -# Intended scope(s): system -#"identity:list_endpoints_for_project": "rule:admin_required" - -# Remove access to an endpoint from a project that has previously been -# given explicit access. -# DELETE /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id} -# Intended scope(s): system -#"identity:remove_endpoint_from_project": "rule:admin_required" - -# Create federated protocol. -# PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} -# Intended scope(s): system -#"identity:create_protocol": "rule:admin_required" - -# Update federated protocol. -# PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} -# Intended scope(s): system -#"identity:update_protocol": "rule:admin_required" - -# Get federated protocol. -# GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} -# Intended scope(s): system -#"identity:get_protocol": "rule:admin_required" - -# List federated protocols. -# GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols -# Intended scope(s): system -#"identity:list_protocols": "rule:admin_required" - -# Delete federated protocol. -# DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id} -# Intended scope(s): system -#"identity:delete_protocol": "rule:admin_required" - -# Show region details. -# GET /v3/regions/{region_id} -# HEAD /v3/regions/{region_id} -# Intended scope(s): system, project -#"identity:get_region": "" - -# List regions. -# GET /v3/regions -# HEAD /v3/regions -# Intended scope(s): system, project -#"identity:list_regions": "" - -# Create region. -# POST /v3/regions -# PUT /v3/regions/{region_id} -# Intended scope(s): system -#"identity:create_region": "rule:admin_required" - -# Update region. -# PATCH /v3/regions/{region_id} -# Intended scope(s): system -#"identity:update_region": "rule:admin_required" - -# Delete region. 
-# DELETE /v3/regions/{region_id} -# Intended scope(s): system -#"identity:delete_region": "rule:admin_required" - -# Show registered limit details. -# GET /v3/registered_limits/{registered_limit_id} -# HEAD /v3/registered_limits/{registered_limit_id} -# Intended scope(s): system, project -#"identity:get_registered_limit": "" - -# List registered limits. -# GET /v3/registered_limits -# HEAD /v3/registered_limits -# Intended scope(s): system, project -#"identity:list_registered_limits": "" - -# Create registered limits. -# POST /v3/registered_limits -# Intended scope(s): system -#"identity:create_registered_limits": "rule:admin_required" - -# Update registered limits. -# PUT /v3/registered_limits/{registered_limit_id} -# Intended scope(s): system -#"identity:update_registered_limits": "rule:admin_required" - -# Delete registered limit. -# DELETE /v3/registered_limits/{registered_limit_id} -# Intended scope(s): system -#"identity:delete_registered_limit": "rule:admin_required" - -# List revocation events. -# GET /v3/OS-REVOKE/events -# Intended scope(s): system -#"identity:list_revoke_events": "rule:service_or_admin" - -# Show role details. -# GET /v3/roles/{role_id} -# HEAD /v3/roles/{role_id} -# Intended scope(s): system -#"identity:get_role": "rule:admin_required" - -# List roles. -# GET /v3/roles -# HEAD /v3/roles -# Intended scope(s): system -#"identity:list_roles": "rule:admin_required" - -# Create role. -# POST /v3/roles -# Intended scope(s): system -#"identity:create_role": "rule:admin_required" - -# Update role. -# PATCH /v3/roles/{role_id} -# Intended scope(s): system -#"identity:update_role": "rule:admin_required" - -# Delete role. -# DELETE /v3/roles/{role_id} -# Intended scope(s): system -#"identity:delete_role": "rule:admin_required" - -# Show domain role. -# GET /v3/roles/{role_id} -# HEAD /v3/roles/{role_id} -# Intended scope(s): system -#"identity:get_domain_role": "rule:admin_required" - -# List domain roles. 
-# GET /v3/roles?domain_id={domain_id} -# HEAD /v3/roles?domain_id={domain_id} -# Intended scope(s): system -#"identity:list_domain_roles": "rule:admin_required" - -# Create domain role. -# POST /v3/roles -# Intended scope(s): system -#"identity:create_domain_role": "rule:admin_required" - -# Update domain role. -# PATCH /v3/roles/{role_id} -# Intended scope(s): system -#"identity:update_domain_role": "rule:admin_required" - -# Delete domain role. -# DELETE /v3/roles/{role_id} -# Intended scope(s): system -#"identity:delete_domain_role": "rule:admin_required" - -# List role assignments. -# GET /v3/role_assignments -# HEAD /v3/role_assignments -# Intended scope(s): system -#"identity:list_role_assignments": "rule:admin_required" - -# List all role assignments for a given tree of hierarchical projects. -# GET /v3/role_assignments?include_subtree -# HEAD /v3/role_assignments?include_subtree -# Intended scope(s): project -#"identity:list_role_assignments_for_tree": "rule:admin_required" - -# Show service details. -# GET /v3/services/{service_id} -# Intended scope(s): system -#"identity:get_service": "rule:admin_required" - -# List services. -# GET /v3/services -# Intended scope(s): system -#"identity:list_services": "rule:admin_required" - -# Create service. -# POST /v3/services -# Intended scope(s): system -#"identity:create_service": "rule:admin_required" - -# Update service. -# PATCH /v3/services/{service_id} -# Intended scope(s): system -#"identity:update_service": "rule:admin_required" - -# Delete service. -# DELETE /v3/services/{service_id} -# Intended scope(s): system -#"identity:delete_service": "rule:admin_required" - -# Create federated service provider. -# PUT /v3/OS-FEDERATION/service_providers/{service_provider_id} -# Intended scope(s): system -#"identity:create_service_provider": "rule:admin_required" - -# List federated service providers. 
-# GET /v3/OS-FEDERATION/service_providers -# HEAD /v3/OS-FEDERATION/service_providers -# Intended scope(s): system -#"identity:list_service_providers": "rule:admin_required" - -# Get federated service provider. -# GET /v3/OS-FEDERATION/service_providers/{service_provider_id} -# HEAD /v3/OS-FEDERATION/service_providers/{service_provider_id} -# Intended scope(s): system -#"identity:get_service_provider": "rule:admin_required" - -# Update federated service provider. -# PATCH /v3/OS-FEDERATION/service_providers/{service_provider_id} -# Intended scope(s): system -#"identity:update_service_provider": "rule:admin_required" - -# Delete federated service provider. -# DELETE /v3/OS-FEDERATION/service_providers/{service_provider_id} -# Intended scope(s): system -#"identity:delete_service_provider": "rule:admin_required" - -# List revoked PKI tokens. -# GET /v3/auth/tokens/OS-PKI/revoked -# Intended scope(s): system, project -#"identity:revocation_list": "rule:service_or_admin" - -# Check a token. -# HEAD /v3/auth/tokens -#"identity:check_token": "rule:admin_or_token_subject" - -# Validate a token. -# GET /v3/auth/tokens -#"identity:validate_token": "rule:service_admin_or_token_subject" - -# Revoke a token. -# DELETE /v3/auth/tokens -#"identity:revoke_token": "rule:admin_or_token_subject" - -# Create trust. -# POST /v3/OS-TRUST/trusts -# Intended scope(s): project -#"identity:create_trust": "user_id:%(trust.trustor_user_id)s" - -# List trusts. -# GET /v3/OS-TRUST/trusts -# HEAD /v3/OS-TRUST/trusts -# Intended scope(s): project -#"identity:list_trusts": "" - -# List roles delegated by a trust. -# GET /v3/OS-TRUST/trusts/{trust_id}/roles -# HEAD /v3/OS-TRUST/trusts/{trust_id}/roles -# Intended scope(s): project -#"identity:list_roles_for_trust": "" - -# Check if trust delegates a particular role. 
-# GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id} -# HEAD /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id} -# Intended scope(s): project -#"identity:get_role_for_trust": "" - -# Revoke trust. -# DELETE /v3/OS-TRUST/trusts/{trust_id} -# Intended scope(s): project -#"identity:delete_trust": "" - -# Get trust. -# GET /v3/OS-TRUST/trusts/{trust_id} -# HEAD /v3/OS-TRUST/trusts/{trust_id} -# Intended scope(s): project -#"identity:get_trust": "" - -# Show user details. -# GET /v3/users/{user_id} -# HEAD /v3/users/{user_id} -#"identity:get_user": "rule:admin_or_owner" - -# List users. -# GET /v3/users -# HEAD /v3/users -# Intended scope(s): system -#"identity:list_users": "rule:admin_required" - -# List all projects a user has access to via role assignments. -# GET /v3/auth/projects -#"identity:list_projects_for_user": "" - -# List all domains a user has access to via role assignments. -# GET /v3/auth/domains -#"identity:list_domains_for_user": "" - -# Create a user. -# POST /v3/users -# Intended scope(s): system -#"identity:create_user": "rule:admin_required" - -# Update a user, including administrative password resets. -# PATCH /v3/users/{user_id} -# Intended scope(s): system -"identity:update_user": "rule:admin_or_owner" - -# Delete a user. -# DELETE /v3/users/{user_id} -# Intended scope(s): system -#"identity:delete_user": "rule:admin_required" +# +#"admin_required": "role:admin or is_admin:1" + +# +#"service_role": "role:service" + +# +#"service_or_admin": "rule:admin_required or rule:service_role" + +# +#"owner": "user_id:%(user_id)s" + +# +#"admin_or_owner": "rule:admin_required or rule:owner" + +# +#"token_subject": "user_id:%(target.token.user_id)s" + +# +#"admin_or_token_subject": "rule:admin_required or rule:token_subject" + +# +#"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject" + +# Show access rule details. 
+# GET /v3/users/{user_id}/access_rules/{access_rule_id} +# HEAD /v3/users/{user_id}/access_rules/{access_rule_id} +# Intended scope(s): system, project +#"identity:get_access_rule": "(role:reader and system_scope:all) or user_id:%(target.user.id)s" + +# List access rules for a user. +# GET /v3/users/{user_id}/access_rules +# HEAD /v3/users/{user_id}/access_rules +# Intended scope(s): system, project +#"identity:list_access_rules": "(role:reader and system_scope:all) or user_id:%(target.user.id)s" + +# Delete an access_rule. +# DELETE /v3/users/{user_id}/access_rules/{access_rule_id} +# Intended scope(s): system, project +#"identity:delete_access_rule": "(role:admin and system_scope:all) or user_id:%(target.user.id)s" + +# Authorize OAUTH1 request token. +# PUT /v3/OS-OAUTH1/authorize/{request_token_id} +# Intended scope(s): project +#"identity:authorize_request_token": "rule:admin_required" + +# Get OAUTH1 access token for user by access token ID. +# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id} +# Intended scope(s): project +#"identity:get_access_token": "rule:admin_required" + +# Get role for user OAUTH1 access token. +# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id} +# Intended scope(s): project +#"identity:get_access_token_role": "rule:admin_required" + +# List OAUTH1 access tokens for user. +# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens +# Intended scope(s): project +#"identity:list_access_tokens": "rule:admin_required" + +# List OAUTH1 access token roles. +# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles +# Intended scope(s): project +#"identity:list_access_token_roles": "rule:admin_required" + +# Delete OAUTH1 access token. +# DELETE /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id} +# Intended scope(s): project +#"identity:delete_access_token": "rule:admin_required" + +# Show application credential details. 
+# GET /v3/users/{user_id}/application_credentials/{application_credential_id} +# HEAD /v3/users/{user_id}/application_credentials/{application_credential_id} +# Intended scope(s): system, project +#"identity:get_application_credential": "(role:reader and system_scope:all) or rule:owner" + +# DEPRECATED +# "identity:get_application_credentials":"rule:admin_or_owner" has +# been deprecated since T in favor of +# "identity:get_application_credential":"(role:reader and +# system_scope:all) or rule:owner". The application credential API is +# now aware of system scope and default roles. +"identity:get_application_credentials": "rule:identity:get_application_credential" +# List application credentials for a user. +# GET /v3/users/{user_id}/application_credentials +# HEAD /v3/users/{user_id}/application_credentials +# Intended scope(s): system, project +#"identity:list_application_credentials": "(role:reader and system_scope:all) or rule:owner" + +# DEPRECATED +# "identity:list_application_credentials":"rule:admin_or_owner" has +# been deprecated since T in favor of +# "identity:list_application_credentials":"(role:reader and +# system_scope:all) or rule:owner". The application credential API is +# now aware of system scope and default roles. +# Create an application credential. +# POST /v3/users/{user_id}/application_credentials +# Intended scope(s): project +#"identity:create_application_credential": "user_id:%(user_id)s" + +# Delete an application credential. +# DELETE /v3/users/{user_id}/application_credentials/{application_credential_id} +# Intended scope(s): system, project +#"identity:delete_application_credential": "(role:admin and system_scope:all) or rule:owner" + +# DEPRECATED +# "identity:delete_application_credentials":"rule:admin_or_owner" has +# been deprecated since T in favor of +# "identity:delete_application_credential":"(role:admin and +# system_scope:all) or rule:owner". 
The application credential API is +# now aware of system scope and default roles. +"identity:delete_application_credentials": "rule:identity:delete_application_credential" +# Get service catalog. +# GET /v3/auth/catalog +# HEAD /v3/auth/catalog +#"identity:get_auth_catalog": "" + +# List all projects a user has access to via role assignments. +# GET /v3/auth/projects +# HEAD /v3/auth/projects +#"identity:get_auth_projects": "" + +# List all domains a user has access to via role assignments. +# GET /v3/auth/domains +# HEAD /v3/auth/domains +#"identity:get_auth_domains": "" + +# List systems a user has access to via role assignments. +# GET /v3/auth/system +# HEAD /v3/auth/system +#"identity:get_auth_system": "" + +# Show OAUTH1 consumer details. +# GET /v3/OS-OAUTH1/consumers/{consumer_id} +# Intended scope(s): system +#"identity:get_consumer": "role:reader and system_scope:all" + +# DEPRECATED "identity:get_consumer":"rule:admin_required" has been +# deprecated since T in favor of "identity:get_consumer":"role:reader +# and system_scope:all". The OAUTH1 consumer API is now aware of +# system scope and default roles. +# List OAUTH1 consumers. +# GET /v3/OS-OAUTH1/consumers +# Intended scope(s): system +#"identity:list_consumers": "role:reader and system_scope:all" + +# DEPRECATED "identity:list_consumers":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:list_consumers":"role:reader and system_scope:all". The +# OAUTH1 consumer API is now aware of system scope and default roles. +# Create OAUTH1 consumer. +# POST /v3/OS-OAUTH1/consumers +# Intended scope(s): system +#"identity:create_consumer": "role:admin and system_scope:all" + +# DEPRECATED "identity:create_consumer":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:create_consumer":"role:admin and system_scope:all". The +# OAUTH1 consumer API is now aware of system scope and default roles. +# Update OAUTH1 consumer. 
+# PATCH /v3/OS-OAUTH1/consumers/{consumer_id} +# Intended scope(s): system +#"identity:update_consumer": "role:admin and system_scope:all" + +# DEPRECATED "identity:update_consumer":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:update_consumer":"role:admin and system_scope:all". The +# OAUTH1 consumer API is now aware of system scope and default roles. +# Delete OAUTH1 consumer. +# DELETE /v3/OS-OAUTH1/consumers/{consumer_id} +# Intended scope(s): system +#"identity:delete_consumer": "role:admin and system_scope:all" + +# DEPRECATED "identity:delete_consumer":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:delete_consumer":"role:admin and system_scope:all". The +# OAUTH1 consumer API is now aware of system scope and default roles. +# Show credentials details. +# GET /v3/credentials/{credential_id} +# Intended scope(s): system, project +#"identity:get_credential": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED "identity:get_credential":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:get_credential":"(role:reader and system_scope:all) or +# user_id:%(target.credential.user_id)s". The credential API is now +# aware of system scope and default roles. +# List credentials. +# GET /v3/credentials +# Intended scope(s): system, project +#"identity:list_credentials": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED "identity:list_credentials":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:list_credentials":"(role:reader and system_scope:all) or +# user_id:%(target.credential.user_id)s". The credential API is now +# aware of system scope and default roles. +# Create credential. 
+# POST /v3/credentials +# Intended scope(s): system, project +#"identity:create_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED "identity:create_credential":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:create_credential":"(role:admin and system_scope:all) or +# user_id:%(target.credential.user_id)s". The credential API is now +# aware of system scope and default roles. +# Update credential. +# PATCH /v3/credentials/{credential_id} +# Intended scope(s): system, project +#"identity:update_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED "identity:update_credential":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:update_credential":"(role:admin and system_scope:all) or +# user_id:%(target.credential.user_id)s". The credential API is now +# aware of system scope and default roles. +# Delete credential. +# DELETE /v3/credentials/{credential_id} +# Intended scope(s): system, project +#"identity:delete_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED "identity:delete_credential":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:delete_credential":"(role:admin and system_scope:all) or +# user_id:%(target.credential.user_id)s". The credential API is now +# aware of system scope and default roles. +# Show domain details. 
+# GET /v3/domains/{domain_id} +# Intended scope(s): system, domain, project +#"identity:get_domain": "(role:reader and system_scope:all) or token.domain.id:%(target.domain.id)s or token.project.domain.id:%(target.domain.id)s" + +# DEPRECATED "identity:get_domain":"rule:admin_required or +# token.project.domain.id:%(target.domain.id)s" has been deprecated +# since S in favor of "identity:get_domain":"(role:reader and +# system_scope:all) or token.domain.id:%(target.domain.id)s or +# token.project.domain.id:%(target.domain.id)s". The domain API is now +# aware of system scope and default roles. +# List domains. +# GET /v3/domains +# Intended scope(s): system +#"identity:list_domains": "role:reader and system_scope:all" + +# DEPRECATED "identity:list_domains":"rule:admin_required" has been +# deprecated since S in favor of "identity:list_domains":"role:reader +# and system_scope:all". The domain API is now aware of system scope +# and default roles. +# Create domain. +# POST /v3/domains +# Intended scope(s): system +#"identity:create_domain": "role:admin and system_scope:all" + +# DEPRECATED "identity:create_domain":"rule:admin_required" has been +# deprecated since S in favor of "identity:create_domain":"role:admin +# and system_scope:all". The domain API is now aware of system scope +# and default roles. +# Update domain. +# PATCH /v3/domains/{domain_id} +# Intended scope(s): system +#"identity:update_domain": "role:admin and system_scope:all" + +# DEPRECATED "identity:update_domain":"rule:admin_required" has been +# deprecated since S in favor of "identity:update_domain":"role:admin +# and system_scope:all". The domain API is now aware of system scope +# and default roles. +# Delete domain. 
+# DELETE /v3/domains/{domain_id} +# Intended scope(s): system +#"identity:delete_domain": "role:admin and system_scope:all" + +# DEPRECATED "identity:delete_domain":"rule:admin_required" has been +# deprecated since S in favor of "identity:delete_domain":"role:admin +# and system_scope:all". The domain API is now aware of system scope +# and default roles. +# Create domain configuration. +# PUT /v3/domains/{domain_id}/config +# Intended scope(s): system +#"identity:create_domain_config": "role:admin and system_scope:all" + +# DEPRECATED "identity:create_domain_config":"rule:admin_required" has +# been deprecated since T in favor of +# "identity:create_domain_config":"role:admin and system_scope:all". +# The domain config API is now aware of system scope and default +# roles. +# Get the entire domain configuration for a domain, an option group +# within a domain, or a specific configuration option within a group +# for a domain. +# GET /v3/domains/{domain_id}/config +# HEAD /v3/domains/{domain_id}/config +# GET /v3/domains/{domain_id}/config/{group} +# HEAD /v3/domains/{domain_id}/config/{group} +# GET /v3/domains/{domain_id}/config/{group}/{option} +# HEAD /v3/domains/{domain_id}/config/{group}/{option} +# Intended scope(s): system +#"identity:get_domain_config": "role:reader and system_scope:all" + +# DEPRECATED "identity:get_domain_config":"rule:admin_required" has +# been deprecated since T in favor of +# "identity:get_domain_config":"role:reader and system_scope:all". The +# domain config API is now aware of system scope and default roles. +# Get security compliance domain configuration for either a domain or +# a specific option in a domain. 
+# GET /v3/domains/{domain_id}/config/security_compliance +# HEAD /v3/domains/{domain_id}/config/security_compliance +# GET v3/domains/{domain_id}/config/security_compliance/{option} +# HEAD v3/domains/{domain_id}/config/security_compliance/{option} +# Intended scope(s): system, domain, project +#"identity:get_security_compliance_domain_config": "" + +# Update domain configuration for either a domain, specific group or a +# specific option in a group. +# PATCH /v3/domains/{domain_id}/config +# PATCH /v3/domains/{domain_id}/config/{group} +# PATCH /v3/domains/{domain_id}/config/{group}/{option} +# Intended scope(s): system +#"identity:update_domain_config": "role:admin and system_scope:all" + +# DEPRECATED "identity:update_domain_config":"rule:admin_required" has +# been deprecated since T in favor of +# "identity:update_domain_config":"role:admin and system_scope:all". +# The domain config API is now aware of system scope and default +# roles. +# Delete domain configuration for either a domain, specific group or a +# specific option in a group. +# DELETE /v3/domains/{domain_id}/config +# DELETE /v3/domains/{domain_id}/config/{group} +# DELETE /v3/domains/{domain_id}/config/{group}/{option} +# Intended scope(s): system +#"identity:delete_domain_config": "role:admin and system_scope:all" + +# DEPRECATED "identity:delete_domain_config":"rule:admin_required" has +# been deprecated since T in favor of +# "identity:delete_domain_config":"role:admin and system_scope:all". +# The domain config API is now aware of system scope and default +# roles. +# Get domain configuration default for either a domain, specific group +# or a specific option in a group. 
+# GET /v3/domains/config/default +# HEAD /v3/domains/config/default +# GET /v3/domains/config/{group}/default +# HEAD /v3/domains/config/{group}/default +# GET /v3/domains/config/{group}/{option}/default +# HEAD /v3/domains/config/{group}/{option}/default +# Intended scope(s): system +#"identity:get_domain_config_default": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_domain_config_default":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:get_domain_config_default":"role:reader and +# system_scope:all". The domain config API is now aware of system +# scope and default roles. +# Show ec2 credential details. +# GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id} +# Intended scope(s): system, project +#"identity:ec2_get_credential": "(role:reader and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED "identity:ec2_get_credential":"rule:admin_required or +# (rule:owner and user_id:%(target.credential.user_id)s)" has been +# deprecated since T in favor of +# "identity:ec2_get_credential":"(role:reader and system_scope:all) or +# user_id:%(target.credential.user_id)s". The EC2 credential API is +# now aware of system scope and default roles. +# List ec2 credentials. +# GET /v3/users/{user_id}/credentials/OS-EC2 +# Intended scope(s): system, project +#"identity:ec2_list_credentials": "(role:reader and system_scope:all) or rule:owner" + +# DEPRECATED "identity:ec2_list_credentials":"rule:admin_or_owner" has +# been deprecated since T in favor of +# "identity:ec2_list_credentials":"(role:reader and system_scope:all) +# or rule:owner". The EC2 credential API is now aware of system scope +# and default roles. +# Create ec2 credential. 
+# POST /v3/users/{user_id}/credentials/OS-EC2 +# Intended scope(s): system, project +#"identity:ec2_create_credential": "(role:admin and system_scope:all) or rule:owner" + +# DEPRECATED "identity:ec2_create_credentials":"rule:admin_or_owner" +# has been deprecated since T in favor of +# "identity:ec2_create_credential":"(role:admin and system_scope:all) +# or rule:owner". The EC2 credential API is now aware of system scope +# and default roles. +"identity:ec2_create_credentials": "rule:identity:ec2_create_credential" +# Delete ec2 credential. +# DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id} +# Intended scope(s): system, project +#"identity:ec2_delete_credential": "(role:admin and system_scope:all) or user_id:%(target.credential.user_id)s" + +# DEPRECATED "identity:ec2_delete_credentials":"rule:admin_required or +# (rule:owner and user_id:%(target.credential.user_id)s)" has been +# deprecated since T in favor of +# "identity:ec2_delete_credential":"(role:admin and system_scope:all) +# or user_id:%(target.credential.user_id)s". The EC2 credential API is +# now aware of system scope and default roles. +"identity:ec2_delete_credentials": "rule:identity:ec2_delete_credential" +# Show endpoint details. +# GET /v3/endpoints/{endpoint_id} +# Intended scope(s): system +#"identity:get_endpoint": "role:reader and system_scope:all" + +# DEPRECATED "identity:get_endpoint":"rule:admin_required" has been +# deprecated since S in favor of "identity:get_endpoint":"role:reader +# and system_scope:all". The endpoint API is now aware of system scope +# and default roles. +# List endpoints. +# GET /v3/endpoints +# Intended scope(s): system +#"identity:list_endpoints": "role:reader and system_scope:all" + +# DEPRECATED "identity:list_endpoints":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:list_endpoints":"role:reader and system_scope:all". The +# endpoint API is now aware of system scope and default roles. +# Create endpoint. 
+# POST /v3/endpoints +# Intended scope(s): system +#"identity:create_endpoint": "role:admin and system_scope:all" + +# DEPRECATED "identity:create_endpoint":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:create_endpoint":"role:admin and system_scope:all". The +# endpoint API is now aware of system scope and default roles. +# Update endpoint. +# PATCH /v3/endpoints/{endpoint_id} +# Intended scope(s): system +#"identity:update_endpoint": "role:admin and system_scope:all" + +# DEPRECATED "identity:update_endpoint":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:update_endpoint":"role:admin and system_scope:all". The +# endpoint API is now aware of system scope and default roles. +# Delete endpoint. +# DELETE /v3/endpoints/{endpoint_id} +# Intended scope(s): system +#"identity:delete_endpoint": "role:admin and system_scope:all" + +# DEPRECATED "identity:delete_endpoint":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:delete_endpoint":"role:admin and system_scope:all". The +# endpoint API is now aware of system scope and default roles. +# Create endpoint group. +# POST /v3/OS-EP-FILTER/endpoint_groups +# Intended scope(s): system +#"identity:create_endpoint_group": "role:admin and system_scope:all" + +# DEPRECATED "identity:create_endpoint_group":"rule:admin_required" +# has been deprecated since T in favor of +# "identity:create_endpoint_group":"role:admin and system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. +# List endpoint groups. +# GET /v3/OS-EP-FILTER/endpoint_groups +# Intended scope(s): system +#"identity:list_endpoint_groups": "role:reader and system_scope:all" + +# DEPRECATED "identity:list_endpoint_groups":"rule:admin_required" has +# been deprecated since T in favor of +# "identity:list_endpoint_groups":"role:reader and system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. 
+# Get endpoint group. +# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} +# HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} +# Intended scope(s): system +#"identity:get_endpoint_group": "role:reader and system_scope:all" + +# DEPRECATED "identity:get_endpoint_group":"rule:admin_required" has +# been deprecated since T in favor of +# "identity:get_endpoint_group":"role:reader and system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. +# Update endpoint group. +# PATCH /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} +# Intended scope(s): system +#"identity:update_endpoint_group": "role:admin and system_scope:all" + +# DEPRECATED "identity:update_endpoint_group":"rule:admin_required" +# has been deprecated since T in favor of +# "identity:update_endpoint_group":"role:admin and system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. +# Delete endpoint group. +# DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id} +# Intended scope(s): system +#"identity:delete_endpoint_group": "role:admin and system_scope:all" + +# DEPRECATED "identity:delete_endpoint_group":"rule:admin_required" +# has been deprecated since T in favor of +# "identity:delete_endpoint_group":"role:admin and system_scope:all". +# The endpoint groups API is now aware of system scope and default +# roles. +# List all projects associated with a specific endpoint group. +# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects +# Intended scope(s): system +#"identity:list_projects_associated_with_endpoint_group": "role:reader and system_scope:all" + +# DEPRECATED "identity:list_projects_associated_with_endpoint_group":" +# rule:admin_required" has been deprecated since T in favor of +# "identity:list_projects_associated_with_endpoint_group":"role:reader +# and system_scope:all". The endpoint groups API is now aware of +# system scope and default roles. 
+# List all endpoints associated with an endpoint group. +# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints +# Intended scope(s): system +#"identity:list_endpoints_associated_with_endpoint_group": "role:reader and system_scope:all" + +# DEPRECATED "identity:list_endpoints_associated_with_endpoint_group": +# "rule:admin_required" has been deprecated since T in favor of "ident +# ity:list_endpoints_associated_with_endpoint_group":"role:reader and +# system_scope:all". The endpoint groups API is now aware of system +# scope and default roles. +# Check if an endpoint group is associated with a project. +# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} +# HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} +# Intended scope(s): system +#"identity:get_endpoint_group_in_project": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:get_endpoint_group_in_project":"rule:admin_required" has +# been deprecated since T in favor of +# "identity:get_endpoint_group_in_project":"role:reader and +# system_scope:all". The endpoint groups API is now aware of system +# scope and default roles. +# List endpoint groups associated with a specific project. +# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups +# Intended scope(s): system +#"identity:list_endpoint_groups_for_project": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_endpoint_groups_for_project":"rule:admin_required" +# has been deprecated since T in favor of +# "identity:list_endpoint_groups_for_project":"role:reader and +# system_scope:all". The endpoint groups API is now aware of system +# scope and default roles. +# Allow a project to access an endpoint group. 
+# PUT /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} +# Intended scope(s): system +#"identity:add_endpoint_group_to_project": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:add_endpoint_group_to_project":"rule:admin_required" has +# been deprecated since T in favor of +# "identity:add_endpoint_group_to_project":"role:admin and +# system_scope:all". The endpoint groups API is now aware of system +# scope and default roles. +# Remove endpoint group from project. +# DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id} +# Intended scope(s): system +#"identity:remove_endpoint_group_from_project": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:remove_endpoint_group_from_project":"rule:admin_required" +# has been deprecated since T in favor of +# "identity:remove_endpoint_group_from_project":"role:admin and +# system_scope:all". The endpoint groups API is now aware of system +# scope and default roles. +# Check a role grant between a target and an actor. A target can be +# either a domain or a project. An actor can be either a user or a +# group. These terms also apply to the OS-INHERIT APIs, where grants +# on the target are inherited to all projects in the subtree, if +# applicable. 
+# HEAD /v3/projects/{project_id}/users/{user_id}/roles/{role_id} +# GET /v3/projects/{project_id}/users/{user_id}/roles/{role_id} +# HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} +# GET /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} +# HEAD /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} +# GET /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} +# HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} +# GET /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} +# HEAD /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# GET /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# HEAD /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# GET /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# HEAD /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# HEAD /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# Intended scope(s): system, domain +#"identity:check_grant": "(role:reader and system_scope:all) or ((role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)" + +# DEPRECATED "identity:check_grant":"rule:admin_required" has been +# deprecated since S in favor of 
"identity:check_grant":"(role:reader +# and system_scope:all) or ((role:reader and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:reader and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.domain.id)s) or (role:reader and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:reader and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.domain.id)s)) and +# (domain_id:%(target.role.domain_id)s or +# None:%(target.role.domain_id)s)". The assignment API is now aware of +# system scope and default roles. +# List roles granted to an actor on a target. A target can be either a +# domain or a project. An actor can be either a user or a group. For +# the OS-INHERIT APIs, it is possible to list inherited role grants +# for actors on domains, where grants are inherited to all projects in +# the specified domain. +# GET /v3/projects/{project_id}/users/{user_id}/roles +# HEAD /v3/projects/{project_id}/users/{user_id}/roles +# GET /v3/projects/{project_id}/groups/{group_id}/roles +# HEAD /v3/projects/{project_id}/groups/{group_id}/roles +# GET /v3/domains/{domain_id}/users/{user_id}/roles +# HEAD /v3/domains/{domain_id}/users/{user_id}/roles +# GET /v3/domains/{domain_id}/groups/{group_id}/roles +# HEAD /v3/domains/{domain_id}/groups/{group_id}/roles +# GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects +# GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects +# Intended scope(s): system, domain +#"identity:list_grants": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:reader and 
domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)" + +# DEPRECATED "identity:list_grants":"rule:admin_required" has been +# deprecated since S in favor of "identity:list_grants":"(role:reader +# and system_scope:all) or (role:reader and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:reader and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.domain.id)s) or (role:reader and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:reader and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.domain.id)s)". The assignment API is now aware of +# system scope and default roles. +# Create a role grant between a target and an actor. A target can be +# either a domain or a project. An actor can be either a user or a +# group. These terms also apply to the OS-INHERIT APIs, where grants +# on the target are inherited to all projects in the subtree, if +# applicable. 
+# PUT /v3/projects/{project_id}/users/{user_id}/roles/{role_id} +# PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} +# PUT /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} +# PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} +# PUT /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# PUT /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# PUT /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# Intended scope(s): system, domain +#"identity:create_grant": "(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)" + +# DEPRECATED "identity:create_grant":"rule:admin_required" has been +# deprecated since S in favor of "identity:create_grant":"(role:admin +# and system_scope:all) or ((role:admin and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:admin and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.domain.id)s) or (role:admin and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:admin and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.domain.id)s)) and +# (domain_id:%(target.role.domain_id)s or +# None:%(target.role.domain_id)s)". The assignment API is now aware of +# system scope and default roles. +# Revoke a role grant between a target and an actor. 
A target can be +# either a domain or a project. An actor can be either a user or a +# group. These terms also apply to the OS-INHERIT APIs, where grants +# on the target are inherited to all projects in the subtree, if +# applicable. In that case, revoking the role grant in the target +# would remove the logical effect of inheriting it to the target's +# projects subtree. +# DELETE /v3/projects/{project_id}/users/{user_id}/roles/{role_id} +# DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id} +# DELETE /v3/domains/{domain_id}/users/{user_id}/roles/{role_id} +# DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} +# DELETE /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# DELETE /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# DELETE /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects +# DELETE /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects +# Intended scope(s): system, domain +#"identity:revoke_grant": "(role:admin and system_scope:all) or ((role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.user.domain_id)s and domain_id:%(target.domain.id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.project.domain_id)s) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.domain.id)s)) and (domain_id:%(target.role.domain_id)s or None:%(target.role.domain_id)s)" + +# DEPRECATED "identity:revoke_grant":"rule:admin_required" has been +# deprecated since S in favor of "identity:revoke_grant":"(role:admin +# and system_scope:all) or ((role:admin and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:admin and +# domain_id:%(target.user.domain_id)s and +# domain_id:%(target.domain.id)s) or (role:admin 
and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.project.domain_id)s) or (role:admin and +# domain_id:%(target.group.domain_id)s and +# domain_id:%(target.domain.id)s)) and +# (domain_id:%(target.role.domain_id)s or +# None:%(target.role.domain_id)s)". The assignment API is now aware of +# system scope and default roles. +# List all grants a specific user has on the system. +# ['HEAD', 'GET'] /v3/system/users/{user_id}/roles +# Intended scope(s): system +#"identity:list_system_grants_for_user": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_system_grants_for_user":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:list_system_grants_for_user":"role:reader and +# system_scope:all". The assignment API is now aware of system scope +# and default roles. +# Check if a user has a role on the system. +# ['HEAD', 'GET'] /v3/system/users/{user_id}/roles/{role_id} +# Intended scope(s): system +#"identity:check_system_grant_for_user": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:check_system_grant_for_user":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:check_system_grant_for_user":"role:reader and +# system_scope:all". The assignment API is now aware of system scope +# and default roles. +# Grant a user a role on the system. +# ['PUT'] /v3/system/users/{user_id}/roles/{role_id} +# Intended scope(s): system +#"identity:create_system_grant_for_user": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_system_grant_for_user":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:create_system_grant_for_user":"role:admin and +# system_scope:all". The assignment API is now aware of system scope +# and default roles. +# Remove a role from a user on the system. 
+# ['DELETE'] /v3/system/users/{user_id}/roles/{role_id} +# Intended scope(s): system +#"identity:revoke_system_grant_for_user": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:revoke_system_grant_for_user":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:revoke_system_grant_for_user":"role:admin and +# system_scope:all". The assignment API is now aware of system scope +# and default roles. +# List all grants a specific group has on the system. +# ['HEAD', 'GET'] /v3/system/groups/{group_id}/roles +# Intended scope(s): system +#"identity:list_system_grants_for_group": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_system_grants_for_group":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:list_system_grants_for_group":"role:reader and +# system_scope:all". The assignment API is now aware of system scope +# and default roles. +# Check if a group has a role on the system. +# ['HEAD', 'GET'] /v3/system/groups/{group_id}/roles/{role_id} +# Intended scope(s): system +#"identity:check_system_grant_for_group": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:check_system_grant_for_group":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:check_system_grant_for_group":"role:reader and +# system_scope:all". The assignment API is now aware of system scope +# and default roles. +# Grant a group a role on the system. +# ['PUT'] /v3/system/groups/{group_id}/roles/{role_id} +# Intended scope(s): system +#"identity:create_system_grant_for_group": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_system_grant_for_group":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:create_system_grant_for_group":"role:admin and +# system_scope:all". The assignment API is now aware of system scope +# and default roles. +# Remove a role from a group on the system. 
+# ['DELETE'] /v3/system/groups/{group_id}/roles/{role_id} +# Intended scope(s): system +#"identity:revoke_system_grant_for_group": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:revoke_system_grant_for_group":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:revoke_system_grant_for_group":"role:admin and +# system_scope:all". The assignment API is now aware of system scope +# and default roles. +# Show group details. +# GET /v3/groups/{group_id} +# HEAD /v3/groups/{group_id} +# Intended scope(s): system, domain +#"identity:get_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)" + +# DEPRECATED "identity:get_group":"rule:admin_required" has been +# deprecated since S in favor of "identity:get_group":"(role:reader +# and system_scope:all) or (role:reader and +# domain_id:%(target.group.domain_id)s)". The group API is now aware +# of system scope and default roles. +# List groups. +# GET /v3/groups +# HEAD /v3/groups +# Intended scope(s): system, domain +#"identity:list_groups": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)" + +# DEPRECATED "identity:list_groups":"rule:admin_required" has been +# deprecated since S in favor of "identity:list_groups":"(role:reader +# and system_scope:all) or (role:reader and +# domain_id:%(target.group.domain_id)s)". The group API is now aware +# of system scope and default roles. +# List groups to which a user belongs. 
+# GET /v3/users/{user_id}/groups +# HEAD /v3/users/{user_id}/groups +# Intended scope(s): system, domain, project +#"identity:list_groups_for_user": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(user_id)s" + +# DEPRECATED "identity:list_groups_for_user":"rule:admin_or_owner" has +# been deprecated since S in favor of +# "identity:list_groups_for_user":"(role:reader and system_scope:all) +# or (role:reader and domain_id:%(target.user.domain_id)s) or +# user_id:%(user_id)s". The group API is now aware of system scope and +# default roles. +# Create group. +# POST /v3/groups +# Intended scope(s): system, domain +#"identity:create_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)" + +# DEPRECATED "identity:create_group":"rule:admin_required" has been +# deprecated since S in favor of "identity:create_group":"(role:admin +# and system_scope:all) or (role:admin and +# domain_id:%(target.group.domain_id)s)". The group API is now aware +# of system scope and default roles. +# Update group. +# PATCH /v3/groups/{group_id} +# Intended scope(s): system, domain +#"identity:update_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)" + +# DEPRECATED "identity:update_group":"rule:admin_required" has been +# deprecated since S in favor of "identity:update_group":"(role:admin +# and system_scope:all) or (role:admin and +# domain_id:%(target.group.domain_id)s)". The group API is now aware +# of system scope and default roles. +# Delete group. 
+# DELETE /v3/groups/{group_id} +# Intended scope(s): system, domain +#"identity:delete_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s)" + +# DEPRECATED "identity:delete_group":"rule:admin_required" has been +# deprecated since S in favor of "identity:delete_group":"(role:admin +# and system_scope:all) or (role:admin and +# domain_id:%(target.group.domain_id)s)". The group API is now aware +# of system scope and default roles. +# List members of a specific group. +# GET /v3/groups/{group_id}/users +# HEAD /v3/groups/{group_id}/users +# Intended scope(s): system, domain +#"identity:list_users_in_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s)" + +# DEPRECATED "identity:list_users_in_group":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:list_users_in_group":"(role:reader and system_scope:all) +# or (role:reader and domain_id:%(target.group.domain_id)s)". The +# group API is now aware of system scope and default roles. +# Remove user from group. +# DELETE /v3/groups/{group_id}/users/{user_id} +# Intended scope(s): system, domain +#"identity:remove_user_from_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)" + +# DEPRECATED "identity:remove_user_from_group":"rule:admin_required" +# has been deprecated since S in favor of +# "identity:remove_user_from_group":"(role:admin and system_scope:all) +# or (role:admin and domain_id:%(target.group.domain_id)s and +# domain_id:%(target.user.domain_id)s)". The group API is now aware of +# system scope and default roles. +# Check whether a user is a member of a group. 
+# HEAD /v3/groups/{group_id}/users/{user_id} +# GET /v3/groups/{group_id}/users/{user_id} +# Intended scope(s): system, domain +#"identity:check_user_in_group": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)" + +# DEPRECATED "identity:check_user_in_group":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:check_user_in_group":"(role:reader and system_scope:all) +# or (role:reader and domain_id:%(target.group.domain_id)s and +# domain_id:%(target.user.domain_id)s)". The group API is now aware of +# system scope and default roles. +# Add user to group. +# PUT /v3/groups/{group_id}/users/{user_id} +# Intended scope(s): system, domain +#"identity:add_user_to_group": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.group.domain_id)s and domain_id:%(target.user.domain_id)s)" + +# DEPRECATED "identity:add_user_to_group":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:add_user_to_group":"(role:admin and system_scope:all) or +# (role:admin and domain_id:%(target.group.domain_id)s and +# domain_id:%(target.user.domain_id)s)". The group API is now aware of +# system scope and default roles. +# Create identity provider. +# PUT /v3/OS-FEDERATION/identity_providers/{idp_id} +# Intended scope(s): system +#"identity:create_identity_provider": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:create_identity_providers":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:create_identity_provider":"role:admin and +# system_scope:all". The identity provider API is now aware of system +# scope and default roles. +"identity:create_identity_providers": "rule:identity:create_identity_provider" +# List identity providers. 
+# GET /v3/OS-FEDERATION/identity_providers +# HEAD /v3/OS-FEDERATION/identity_providers +# Intended scope(s): system +#"identity:list_identity_providers": "role:reader and system_scope:all" + +# DEPRECATED "identity:list_identity_providers":"rule:admin_required" +# has been deprecated since S in favor of +# "identity:list_identity_providers":"role:reader and +# system_scope:all". The identity provider API is now aware of system +# scope and default roles. +# Get identity provider. +# GET /v3/OS-FEDERATION/identity_providers/{idp_id} +# HEAD /v3/OS-FEDERATION/identity_providers/{idp_id} +# Intended scope(s): system +#"identity:get_identity_provider": "role:reader and system_scope:all" + +# DEPRECATED "identity:get_identity_providers":"rule:admin_required" +# has been deprecated since S in favor of +# "identity:get_identity_provider":"role:reader and system_scope:all". +# The identity provider API is now aware of system scope and default +# roles. +"identity:get_identity_providers": "rule:identity:get_identity_provider" +# Update identity provider. +# PATCH /v3/OS-FEDERATION/identity_providers/{idp_id} +# Intended scope(s): system +#"identity:update_identity_provider": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:update_identity_providers":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:update_identity_provider":"role:admin and +# system_scope:all". The identity provider API is now aware of system +# scope and default roles. +"identity:update_identity_providers": "rule:identity:update_identity_provider" +# Delete identity provider. +# DELETE /v3/OS-FEDERATION/identity_providers/{idp_id} +# Intended scope(s): system +#"identity:delete_identity_provider": "role:admin and system_scope:all" + +# DEPRECATED +# "identity:delete_identity_providers":"rule:admin_required" has been +# deprecated since S in favor of +# "identity:delete_identity_provider":"role:admin and +# system_scope:all". 
The identity provider API is now aware of system +# scope and default roles. +"identity:delete_identity_providers": "rule:identity:delete_identity_provider" +# Get information about an association between two roles. When a +# relationship exists between a prior role and an implied role and the +# prior role is assigned to a user, the user also assumes the implied +# role. +# GET /v3/roles/{prior_role_id}/implies/{implied_role_id} +# Intended scope(s): system +#"identity:get_implied_role": "role:reader and system_scope:all" + +# DEPRECATED "identity:get_implied_role":"rule:admin_required" has +# been deprecated since T in favor of +# "identity:get_implied_role":"role:reader and system_scope:all". The +# implied role API is now aware of system scope and default roles. +# List associations between two roles. When a relationship exists +# between a prior role and an implied role and the prior role is +# assigned to a user, the user also assumes the implied role. This +# will return all the implied roles that would be assumed by the user +# who gets the specified prior role. +# GET /v3/roles/{prior_role_id}/implies +# HEAD /v3/roles/{prior_role_id}/implies +# Intended scope(s): system +#"identity:list_implied_roles": "role:reader and system_scope:all" + +# DEPRECATED "identity:list_implied_roles":"rule:admin_required" has +# been deprecated since T in favor of +# "identity:list_implied_roles":"role:reader and system_scope:all". +# The implied role API is now aware of system scope and default roles. +# Create an association between two roles. When a relationship exists +# between a prior role and an implied role and the prior role is +# assigned to a user, the user also assumes the implied role. 
+# PUT /v3/roles/{prior_role_id}/implies/{implied_role_id} +# Intended scope(s): system +#"identity:create_implied_role": "role:admin and system_scope:all" + +# DEPRECATED "identity:create_implied_role":"rule:admin_required" has +# been deprecated since T in favor of +# "identity:create_implied_role":"role:admin and system_scope:all". +# The implied role API is now aware of system scope and default roles. +# Delete the association between two roles. When a relationship exists +# between a prior role and an implied role and the prior role is +# assigned to a user, the user also assumes the implied role. Removing +# the association will cause that effect to be eliminated. +# DELETE /v3/roles/{prior_role_id}/implies/{implied_role_id} +# Intended scope(s): system +#"identity:delete_implied_role": "role:admin and system_scope:all" + +# DEPRECATED "identity:delete_implied_role":"rule:admin_required" has +# been deprecated since T in favor of +# "identity:delete_implied_role":"role:admin and system_scope:all". +# The implied role API is now aware of system scope and default roles. +# List all associations between two roles in the system. When a +# relationship exists between a prior role and an implied role and the +# prior role is assigned to a user, the user also assumes the implied +# role. +# GET /v3/role_inferences +# HEAD /v3/role_inferences +# Intended scope(s): system +#"identity:list_role_inference_rules": "role:reader and system_scope:all" + +# DEPRECATED +# "identity:list_role_inference_rules":"rule:admin_required" has been +# deprecated since T in favor of +# "identity:list_role_inference_rules":"role:reader and +# system_scope:all". The implied role API is now aware of system scope +# and default roles. +# Check an association between two roles. When a relationship exists +# between a prior role and an implied role and the prior role is +# assigned to a user, the user also assumes the implied role. 
+# HEAD /v3/roles/{prior_role_id}/implies/{implied_role_id} +# Intended scope(s): system +#"identity:check_implied_role": "role:reader and system_scope:all" + +# DEPRECATED "identity:check_implied_role":"rule:admin_required" has +# been deprecated since T in favor of +# "identity:check_implied_role":"role:reader and system_scope:all". +# The implied role API is now aware of system scope and default roles. +# Get limit enforcement model. +# GET /v3/limits/model +# HEAD /v3/limits/model +# Intended scope(s): system, domain, project +#"identity:get_limit_model": "" + +# Show limit details. +# GET /v3/limits/{limit_id} +# HEAD /v3/limits/{limit_id} +# Intended scope(s): system, domain, project +#"identity:get_limit": "(role:reader and system_scope:all) or (domain_id:%(target.limit.domain.id)s or domain_id:%(target.limit.project.domain_id)s) or (project_id:%(target.limit.project_id)s and not None:%(target.limit.project_id)s)" + +# List limits. +# GET /v3/limits +# HEAD /v3/limits +# Intended scope(s): system, domain, project +#"identity:list_limits": "" + +# Create limits. +# POST /v3/limits +# Intended scope(s): system +#"identity:create_limits": "role:admin and system_scope:all" + +# Update limit. +# PATCH /v3/limits/{limit_id} +# Intended scope(s): system +#"identity:update_limit": "role:admin and system_scope:all" + +# Delete limit. +# DELETE /v3/limits/{limit_id} +# Intended scope(s): system +#"identity:delete_limit": "role:admin and system_scope:all" + +# Create a new federated mapping containing one or more sets of rules. +# PUT /v3/OS-FEDERATION/mappings/{mapping_id} +# Intended scope(s): system +#"identity:create_mapping": "role:admin and system_scope:all" + +# DEPRECATED "identity:create_mapping":"rule:admin_required" has been +# deprecated since S in favor of "identity:create_mapping":"role:admin +# and system_scope:all". The federated mapping API is now aware of +# system scope and default roles. +# Get a federated mapping. 
+# GET /v3/OS-FEDERATION/mappings/{mapping_id}
+# HEAD /v3/OS-FEDERATION/mappings/{mapping_id}
+# Intended scope(s): system
+#"identity:get_mapping": "role:reader and system_scope:all"
+
+# DEPRECATED "identity:get_mapping":"rule:admin_required" has been
+# deprecated since S in favor of "identity:get_mapping":"role:reader
+# and system_scope:all". The federated mapping API is now aware of
+# system scope and default roles.
+# List federated mappings.
+# GET /v3/OS-FEDERATION/mappings
+# HEAD /v3/OS-FEDERATION/mappings
+# Intended scope(s): system
+#"identity:list_mappings": "role:reader and system_scope:all"
+
+# DEPRECATED "identity:list_mappings":"rule:admin_required" has been
+# deprecated since S in favor of "identity:list_mappings":"role:reader
+# and system_scope:all". The federated mapping API is now aware of
+# system scope and default roles.
+# Delete a federated mapping.
+# DELETE /v3/OS-FEDERATION/mappings/{mapping_id}
+# Intended scope(s): system
+#"identity:delete_mapping": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:delete_mapping":"rule:admin_required" has been
+# deprecated since S in favor of "identity:delete_mapping":"role:admin
+# and system_scope:all". The federated mapping API is now aware of
+# system scope and default roles.
+# Update a federated mapping.
+# PATCH /v3/OS-FEDERATION/mappings/{mapping_id}
+# Intended scope(s): system
+#"identity:update_mapping": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:update_mapping":"rule:admin_required" has been
+# deprecated since S in favor of "identity:update_mapping":"role:admin
+# and system_scope:all". The federated mapping API is now aware of
+# system scope and default roles.
+# Show policy details.
+# GET /v3/policies/{policy_id}
+# Intended scope(s): system
+#"identity:get_policy": "role:reader and system_scope:all"
+
+# DEPRECATED "identity:get_policy":"rule:admin_required" has been
+# deprecated since T in favor of "identity:get_policy":"role:reader
+# and system_scope:all". The policy API is now aware of system scope
+# and default roles.
+# List policies.
+# GET /v3/policies
+# Intended scope(s): system
+#"identity:list_policies": "role:reader and system_scope:all"
+
+# DEPRECATED "identity:list_policies":"rule:admin_required" has been
+# deprecated since T in favor of "identity:list_policies":"role:reader
+# and system_scope:all". The policy API is now aware of system scope
+# and default roles.
+# Create policy.
+# POST /v3/policies
+# Intended scope(s): system
+#"identity:create_policy": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:create_policy":"rule:admin_required" has been
+# deprecated since T in favor of "identity:create_policy":"role:admin
+# and system_scope:all". The policy API is now aware of system scope
+# and default roles.
+# Update policy.
+# PATCH /v3/policies/{policy_id}
+# Intended scope(s): system
+#"identity:update_policy": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:update_policy":"rule:admin_required" has been
+# deprecated since T in favor of "identity:update_policy":"role:admin
+# and system_scope:all". The policy API is now aware of system scope
+# and default roles.
+# Delete policy.
+# DELETE /v3/policies/{policy_id}
+# Intended scope(s): system
+#"identity:delete_policy": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:delete_policy":"rule:admin_required" has been
+# deprecated since T in favor of "identity:delete_policy":"role:admin
+# and system_scope:all". The policy API is now aware of system scope
+# and default roles.
+# Associate a policy to a specific endpoint.
+# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
+# Intended scope(s): system
+#"identity:create_policy_association_for_endpoint": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:create_policy_association_for_endpoint":"rule:a
+# dmin_required" has been deprecated since T in favor of
+# "identity:create_policy_association_for_endpoint":"role:admin and
+# system_scope:all". The policy association API is now aware of system
+# scope and default roles.
+# Check policy association for endpoint.
+# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
+# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
+# Intended scope(s): system
+#"identity:check_policy_association_for_endpoint": "role:reader and system_scope:all"
+
+# DEPRECATED "identity:check_policy_association_for_endpoint":"rule:ad
+# min_required" has been deprecated since T in favor of
+# "identity:check_policy_association_for_endpoint":"role:reader and
+# system_scope:all". The policy association API is now aware of system
+# scope and default roles.
+# Delete policy association for endpoint.
+# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
+# Intended scope(s): system
+#"identity:delete_policy_association_for_endpoint": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:delete_policy_association_for_endpoint":"rule:a
+# dmin_required" has been deprecated since T in favor of
+# "identity:delete_policy_association_for_endpoint":"role:admin and
+# system_scope:all". The policy association API is now aware of system
+# scope and default roles.
+# Associate a policy to a specific service.
+# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
+# Intended scope(s): system
+#"identity:create_policy_association_for_service": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:create_policy_association_for_service":"rule:ad
+# min_required" has been deprecated since T in favor of
+# "identity:create_policy_association_for_service":"role:admin and
+# system_scope:all". The policy association API is now aware of system
+# scope and default roles.
+# Check policy association for service.
+# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
+# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
+# Intended scope(s): system
+#"identity:check_policy_association_for_service": "role:reader and system_scope:all"
+
+# DEPRECATED "identity:check_policy_association_for_service":"rule:adm
+# in_required" has been deprecated since T in favor of
+# "identity:check_policy_association_for_service":"role:reader and
+# system_scope:all". The policy association API is now aware of system
+# scope and default roles.
+# Delete policy association for service.
+# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
+# Intended scope(s): system
+#"identity:delete_policy_association_for_service": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:delete_policy_association_for_service":"rule:ad
+# min_required" has been deprecated since T in favor of
+# "identity:delete_policy_association_for_service":"role:admin and
+# system_scope:all". The policy association API is now aware of system
+# scope and default roles.
+# Associate a policy to a specific region and service combination.
+# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
+# Intended scope(s): system
+#"identity:create_policy_association_for_region_and_service": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:create_policy_association_for_region_and_servic
+# e":"rule:admin_required" has been deprecated since T in favor of "id
+# entity:create_policy_association_for_region_and_service":"role:admin
+# and system_scope:all". The policy association API is now aware of
+# system scope and default roles.
+# Check policy association for region and service.
+# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
+# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
+# Intended scope(s): system
+#"identity:check_policy_association_for_region_and_service": "role:reader and system_scope:all"
+
+# DEPRECATED "identity:check_policy_association_for_region_and_service
+# ":"rule:admin_required" has been deprecated since T in favor of "ide
+# ntity:check_policy_association_for_region_and_service":"role:reader
+# and system_scope:all". The policy association API is now aware of
+# system scope and default roles.
+# Delete policy association for region and service.
+# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
+# Intended scope(s): system
+#"identity:delete_policy_association_for_region_and_service": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:delete_policy_association_for_region_and_servic
+# e":"rule:admin_required" has been deprecated since T in favor of "id
+# entity:delete_policy_association_for_region_and_service":"role:admin
+# and system_scope:all". The policy association API is now aware of
+# system scope and default roles.
+# Get policy for endpoint.
+# GET /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
+# HEAD /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
+# Intended scope(s): system
+#"identity:get_policy_for_endpoint": "role:reader and system_scope:all"
+
+# DEPRECATED "identity:get_policy_for_endpoint":"rule:admin_required"
+# has been deprecated since T in favor of
+# "identity:get_policy_for_endpoint":"role:reader and
+# system_scope:all". The policy association API is now aware of system
+# scope and default roles.
+# List endpoints for policy.
+# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
+# Intended scope(s): system
+#"identity:list_endpoints_for_policy": "role:reader and system_scope:all"
+
+# DEPRECATED
+# "identity:list_endpoints_for_policy":"rule:admin_required" has been
+# deprecated since T in favor of
+# "identity:list_endpoints_for_policy":"role:reader and
+# system_scope:all". The policy association API is now aware of system
+# scope and default roles.
+# Show project details.
+# GET /v3/projects/{project_id}
+# Intended scope(s): system, domain, project
+#"identity:get_project": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
+
+# DEPRECATED "identity:get_project":"rule:admin_required or
+# project_id:%(target.project.id)s" has been deprecated since S in
+# favor of "identity:get_project":"(role:reader and system_scope:all)
+# or (role:reader and domain_id:%(target.project.domain_id)s) or
+# project_id:%(target.project.id)s". The project API is now aware of
+# system scope and default roles.
+# List projects.
+# GET /v3/projects
+# Intended scope(s): system, domain
+#"identity:list_projects": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"
+
+# DEPRECATED "identity:list_projects":"rule:admin_required" has been
+# deprecated since S in favor of
+# "identity:list_projects":"(role:reader and system_scope:all) or
+# (role:reader and domain_id:%(target.domain_id)s)". The project API
+# is now aware of system scope and default roles.
+# List projects for user.
+# GET /v3/users/{user_id}/projects
+# Intended scope(s): system, domain, project
+#"identity:list_user_projects": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s) or user_id:%(target.user.id)s"
+
+# DEPRECATED "identity:list_user_projects":"rule:admin_or_owner" has
+# been deprecated since S in favor of
+# "identity:list_user_projects":"(role:reader and system_scope:all) or
+# (role:reader and domain_id:%(target.user.domain_id)s) or
+# user_id:%(target.user.id)s". The project API is now aware of system
+# scope and default roles.
+# Create project.
+# POST /v3/projects
+# Intended scope(s): system, domain
+#"identity:create_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"
+
+# DEPRECATED "identity:create_project":"rule:admin_required" has been
+# deprecated since S in favor of
+# "identity:create_project":"(role:admin and system_scope:all) or
+# (role:admin and domain_id:%(target.project.domain_id)s)". The
+# project API is now aware of system scope and default roles.
+# Update project.
+# PATCH /v3/projects/{project_id}
+# Intended scope(s): system, domain
+#"identity:update_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"
+
+# DEPRECATED "identity:update_project":"rule:admin_required" has been
+# deprecated since S in favor of
+# "identity:update_project":"(role:admin and system_scope:all) or
+# (role:admin and domain_id:%(target.project.domain_id)s)". The
+# project API is now aware of system scope and default roles.
+# Delete project.
+# DELETE /v3/projects/{project_id}
+# Intended scope(s): system, domain
+#"identity:delete_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"
+
+# DEPRECATED "identity:delete_project":"rule:admin_required" has been
+# deprecated since S in favor of
+# "identity:delete_project":"(role:admin and system_scope:all) or
+# (role:admin and domain_id:%(target.project.domain_id)s)". The
+# project API is now aware of system scope and default roles.
+# List tags for a project.
+# GET /v3/projects/{project_id}/tags
+# HEAD /v3/projects/{project_id}/tags
+# Intended scope(s): system, domain, project
+#"identity:list_project_tags": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
+
+# DEPRECATED "identity:list_project_tags":"rule:admin_required or
+# project_id:%(target.project.id)s" has been deprecated since T in
+# favor of "identity:list_project_tags":"(role:reader and
+# system_scope:all) or (role:reader and
+# domain_id:%(target.project.domain_id)s) or
+# project_id:%(target.project.id)s".
+#
+# As of the Train release, the project tags API understands how to
+# handle system-scoped tokens in addition to project and domain
+# tokens, making the API more accessible to users without compromising
+# security or manageability for administrators. The new default
+# policies for this API account for these changes automatically.
+# Check if project contains a tag.
+# GET /v3/projects/{project_id}/tags/{value}
+# HEAD /v3/projects/{project_id}/tags/{value}
+# Intended scope(s): system, domain, project
+#"identity:get_project_tag": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or project_id:%(target.project.id)s"
+
+# DEPRECATED "identity:get_project_tag":"rule:admin_required or
+# project_id:%(target.project.id)s" has been deprecated since T in
+# favor of "identity:get_project_tag":"(role:reader and
+# system_scope:all) or (role:reader and
+# domain_id:%(target.project.domain_id)s) or
+# project_id:%(target.project.id)s".
+#
+# As of the Train release, the project tags API understands how to
+# handle system-scoped tokens in addition to project and domain
+# tokens, making the API more accessible to users without compromising
+# security or manageability for administrators. The new default
+# policies for this API account for these changes automatically.
+# Replace all tags on a project with the new set of tags.
+# PUT /v3/projects/{project_id}/tags
+# Intended scope(s): system, domain, project
+#"identity:update_project_tags": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
+
+# DEPRECATED "identity:update_project_tags":"rule:admin_required" has
+# been deprecated since T in favor of
+# "identity:update_project_tags":"(role:admin and system_scope:all) or
+# (role:admin and domain_id:%(target.project.domain_id)s) or
+# (role:admin and project_id:%(target.project.id)s)".
+#
+# As of the Train release, the project tags API understands how to
+# handle system-scoped tokens in addition to project and domain
+# tokens, making the API more accessible to users without compromising
+# security or manageability for administrators. The new default
+# policies for this API account for these changes automatically.
+# Add a single tag to a project.
+# PUT /v3/projects/{project_id}/tags/{value}
+# Intended scope(s): system, domain, project
+#"identity:create_project_tag": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
+
+# DEPRECATED "identity:create_project_tag":"rule:admin_required" has
+# been deprecated since T in favor of
+# "identity:create_project_tag":"(role:admin and system_scope:all) or
+# (role:admin and domain_id:%(target.project.domain_id)s) or
+# (role:admin and project_id:%(target.project.id)s)".
+#
+# As of the Train release, the project tags API understands how to
+# handle system-scoped tokens in addition to project and domain
+# tokens, making the API more accessible to users without compromising
+# security or manageability for administrators. The new default
+# policies for this API account for these changes automatically.
+# Remove all tags from a project.
+# DELETE /v3/projects/{project_id}/tags
+# Intended scope(s): system, domain, project
+#"identity:delete_project_tags": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
+
+# DEPRECATED "identity:delete_project_tags":"rule:admin_required" has
+# been deprecated since T in favor of
+# "identity:delete_project_tags":"(role:admin and system_scope:all) or
+# (role:admin and domain_id:%(target.project.domain_id)s) or
+# (role:admin and project_id:%(target.project.id)s)".
+#
+# As of the Train release, the project tags API understands how to
+# handle system-scoped tokens in addition to project and domain
+# tokens, making the API more accessible to users without compromising
+# security or manageability for administrators. The new default
+# policies for this API account for these changes automatically.
+# Delete a specified tag from project.
+# DELETE /v3/projects/{project_id}/tags/{value}
+# Intended scope(s): system, domain, project
+#"identity:delete_project_tag": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)"
+
+# DEPRECATED "identity:delete_project_tag":"rule:admin_required" has
+# been deprecated since T in favor of
+# "identity:delete_project_tag":"(role:admin and system_scope:all) or
+# (role:admin and domain_id:%(target.project.domain_id)s) or
+# (role:admin and project_id:%(target.project.id)s)".
+#
+# As of the Train release, the project tags API understands how to
+# handle system-scoped tokens in addition to project and domain
+# tokens, making the API more accessible to users without compromising
+# security or manageability for administrators. The new default
+# policies for this API account for these changes automatically.
+# List projects allowed to access an endpoint.
+# GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
+# Intended scope(s): system
+#"identity:list_projects_for_endpoint": "role:reader and system_scope:all"
+
+# DEPRECATED
+# "identity:list_projects_for_endpoint":"rule:admin_required" has been
+# deprecated since T in favor of
+# "identity:list_projects_for_endpoint":"role:reader and
+# system_scope:all".
+#
+# As of the Train release, the project endpoint API now understands
+# default roles and system-scoped tokens, making the API more granular
+# by default without compromising security. The new policy defaults
+# account for these changes automatically. Be sure to take these new
+# defaults into consideration if you are relying on overrides in your
+# deployment for the project endpoint API.
+# Allow project to access an endpoint.
+# PUT /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
+# Intended scope(s): system
+#"identity:add_endpoint_to_project": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:add_endpoint_to_project":"rule:admin_required"
+# has been deprecated since T in favor of
+# "identity:add_endpoint_to_project":"role:admin and
+# system_scope:all".
+#
+# As of the Train release, the project endpoint API now understands
+# default roles and system-scoped tokens, making the API more granular
+# by default without compromising security. The new policy defaults
+# account for these changes automatically. Be sure to take these new
+# defaults into consideration if you are relying on overrides in your
+# deployment for the project endpoint API.
+# Check if a project is allowed to access an endpoint.
+# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
+# HEAD /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
+# Intended scope(s): system
+#"identity:check_endpoint_in_project": "role:reader and system_scope:all"
+
+# DEPRECATED
+# "identity:check_endpoint_in_project":"rule:admin_required" has been
+# deprecated since T in favor of
+# "identity:check_endpoint_in_project":"role:reader and
+# system_scope:all".
+#
+# As of the Train release, the project endpoint API now understands
+# default roles and system-scoped tokens, making the API more granular
+# by default without compromising security. The new policy defaults
+# account for these changes automatically. Be sure to take these new
+# defaults into consideration if you are relying on overrides in your
+# deployment for the project endpoint API.
+# List the endpoints a project is allowed to access.
+# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints
+# Intended scope(s): system
+#"identity:list_endpoints_for_project": "role:reader and system_scope:all"
+
+# DEPRECATED
+# "identity:list_endpoints_for_project":"rule:admin_required" has been
+# deprecated since T in favor of
+# "identity:list_endpoints_for_project":"role:reader and
+# system_scope:all".
+#
+# As of the Train release, the project endpoint API now understands
+# default roles and system-scoped tokens, making the API more granular
+# by default without compromising security. The new policy defaults
+# account for these changes automatically. Be sure to take these new
+# defaults into consideration if you are relying on overrides in your
+# deployment for the project endpoint API.
+# Remove access to an endpoint from a project that has previously been
+# given explicit access.
+# DELETE /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
+# Intended scope(s): system
+#"identity:remove_endpoint_from_project": "role:admin and system_scope:all"
+
+# DEPRECATED
+# "identity:remove_endpoint_from_project":"rule:admin_required" has
+# been deprecated since T in favor of
+# "identity:remove_endpoint_from_project":"role:admin and
+# system_scope:all".
+#
+# As of the Train release, the project endpoint API now understands
+# default roles and system-scoped tokens, making the API more granular
+# by default without compromising security. The new policy defaults
+# account for these changes automatically. Be sure to take these new
+# defaults into consideration if you are relying on overrides in your
+# deployment for the project endpoint API.
+# Create federated protocol.
+# PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
+# Intended scope(s): system
+#"identity:create_protocol": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:create_protocol":"rule:admin_required" has been
+# deprecated since S in favor of
+# "identity:create_protocol":"role:admin and system_scope:all". The
+# federated protocol API is now aware of system scope and default
+# roles.
+# Update federated protocol.
+# PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
+# Intended scope(s): system
+#"identity:update_protocol": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:update_protocol":"rule:admin_required" has been
+# deprecated since S in favor of
+# "identity:update_protocol":"role:admin and system_scope:all". The
+# federated protocol API is now aware of system scope and default
+# roles.
+# Get federated protocol.
+# GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
+# Intended scope(s): system
+#"identity:get_protocol": "role:reader and system_scope:all"
+
+# DEPRECATED "identity:get_protocol":"rule:admin_required" has been
+# deprecated since S in favor of "identity:get_protocol":"role:reader
+# and system_scope:all". The federated protocol API is now aware of
+# system scope and default roles.
+# List federated protocols.
+# GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
+# Intended scope(s): system
+#"identity:list_protocols": "role:reader and system_scope:all"
+
+# DEPRECATED "identity:list_protocols":"rule:admin_required" has been
+# deprecated since S in favor of
+# "identity:list_protocols":"role:reader and system_scope:all". The
+# federated protocol API is now aware of system scope and default
+# roles.
+# Delete federated protocol.
+# DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
+# Intended scope(s): system
+#"identity:delete_protocol": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:delete_protocol":"rule:admin_required" has been
+# deprecated since S in favor of
+# "identity:delete_protocol":"role:admin and system_scope:all". The
+# federated protocol API is now aware of system scope and default
+# roles.
+# Show region details.
+# GET /v3/regions/{region_id}
+# HEAD /v3/regions/{region_id}
+# Intended scope(s): system, domain, project
+#"identity:get_region": ""
+
+# List regions.
+# GET /v3/regions
+# HEAD /v3/regions
+# Intended scope(s): system, domain, project
+#"identity:list_regions": ""
+
+# Create region.
+# POST /v3/regions
+# PUT /v3/regions/{region_id}
+# Intended scope(s): system
+#"identity:create_region": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:create_region":"rule:admin_required" has been
+# deprecated since S in favor of "identity:create_region":"role:admin
+# and system_scope:all". The region API is now aware of system scope
+# and default roles.
+# Update region.
+# PATCH /v3/regions/{region_id}
+# Intended scope(s): system
+#"identity:update_region": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:update_region":"rule:admin_required" has been
+# deprecated since S in favor of "identity:update_region":"role:admin
+# and system_scope:all". The region API is now aware of system scope
+# and default roles.
+# Delete region.
+# DELETE /v3/regions/{region_id}
+# Intended scope(s): system
+#"identity:delete_region": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:delete_region":"rule:admin_required" has been
+# deprecated since S in favor of "identity:delete_region":"role:admin
+# and system_scope:all". The region API is now aware of system scope
+# and default roles.
+# Show registered limit details.
+# GET /v3/registered_limits/{registered_limit_id}
+# HEAD /v3/registered_limits/{registered_limit_id}
+# Intended scope(s): system, domain, project
+#"identity:get_registered_limit": ""
+
+# List registered limits.
+# GET /v3/registered_limits
+# HEAD /v3/registered_limits
+# Intended scope(s): system, domain, project
+#"identity:list_registered_limits": ""
+
+# Create registered limits.
+# POST /v3/registered_limits
+# Intended scope(s): system
+#"identity:create_registered_limits": "role:admin and system_scope:all"
+
+# Update registered limit.
+# PATCH /v3/registered_limits/{registered_limit_id}
+# Intended scope(s): system
+#"identity:update_registered_limit": "role:admin and system_scope:all"
+
+# Delete registered limit.
+# DELETE /v3/registered_limits/{registered_limit_id}
+# Intended scope(s): system
+#"identity:delete_registered_limit": "role:admin and system_scope:all"
+
+# List revocation events.
+# GET /v3/OS-REVOKE/events
+# Intended scope(s): system
+#"identity:list_revoke_events": "rule:service_or_admin"
+
+# Show role details.
+# GET /v3/roles/{role_id}
+# HEAD /v3/roles/{role_id}
+# Intended scope(s): system
+#"identity:get_role": "role:reader and system_scope:all"
+
+# DEPRECATED "identity:get_role":"rule:admin_required" has been
+# deprecated since S in favor of "identity:get_role":"role:reader and
+# system_scope:all". The role API is now aware of system scope and
+# default roles.
+# List roles.
+# GET /v3/roles
+# HEAD /v3/roles
+# Intended scope(s): system
+#"identity:list_roles": "role:reader and system_scope:all"
+
+# DEPRECATED "identity:list_roles":"rule:admin_required" has been
+# deprecated since S in favor of "identity:list_roles":"role:reader
+# and system_scope:all". The role API is now aware of system scope and
+# default roles.
+# Create role.
+# POST /v3/roles
+# Intended scope(s): system
+#"identity:create_role": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:create_role":"rule:admin_required" has been
+# deprecated since S in favor of "identity:create_role":"role:admin
+# and system_scope:all". The role API is now aware of system scope and
+# default roles.
+# Update role.
+# PATCH /v3/roles/{role_id}
+# Intended scope(s): system
+#"identity:update_role": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:update_role":"rule:admin_required" has been
+# deprecated since S in favor of "identity:update_role":"role:admin
+# and system_scope:all". The role API is now aware of system scope and
+# default roles.
+# Delete role.
+# DELETE /v3/roles/{role_id}
+# Intended scope(s): system
+#"identity:delete_role": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:delete_role":"rule:admin_required" has been
+# deprecated since S in favor of "identity:delete_role":"role:admin
+# and system_scope:all". The role API is now aware of system scope and
+# default roles.
+# Show domain role.
+# GET /v3/roles/{role_id}
+# HEAD /v3/roles/{role_id}
+# Intended scope(s): system
+#"identity:get_domain_role": "role:reader and system_scope:all"
+
+# DEPRECATED "identity:get_domain_role":"rule:admin_required" has been
+# deprecated since T in favor of
+# "identity:get_domain_role":"role:reader and system_scope:all". The
+# role API is now aware of system scope and default roles.
+# List domain roles.
+# GET /v3/roles?domain_id={domain_id}
+# HEAD /v3/roles?domain_id={domain_id}
+# Intended scope(s): system
+#"identity:list_domain_roles": "role:reader and system_scope:all"
+
+# DEPRECATED "identity:list_domain_roles":"rule:admin_required" has
+# been deprecated since T in favor of
+# "identity:list_domain_roles":"role:reader and system_scope:all". The
+# role API is now aware of system scope and default roles.
+# Create domain role.
+# POST /v3/roles
+# Intended scope(s): system
+#"identity:create_domain_role": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:create_domain_role":"rule:admin_required" has
+# been deprecated since T in favor of
+# "identity:create_domain_role":"role:admin and system_scope:all". The
+# role API is now aware of system scope and default roles.
+# Update domain role.
+# PATCH /v3/roles/{role_id}
+# Intended scope(s): system
+#"identity:update_domain_role": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:update_domain_role":"rule:admin_required" has
+# been deprecated since T in favor of
+# "identity:update_domain_role":"role:admin and system_scope:all". The
+# role API is now aware of system scope and default roles.
+# Delete domain role.
+# DELETE /v3/roles/{role_id}
+# Intended scope(s): system
+#"identity:delete_domain_role": "role:admin and system_scope:all"
+
+# DEPRECATED "identity:delete_domain_role":"rule:admin_required" has
+# been deprecated since T in favor of
+# "identity:delete_domain_role":"role:admin and system_scope:all". The
+# role API is now aware of system scope and default roles.
+# List role assignments.
+# GET /v3/role_assignments
+# HEAD /v3/role_assignments
+# Intended scope(s): system, domain
+#"identity:list_role_assignments": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"
+
+# DEPRECATED "identity:list_role_assignments":"rule:admin_required"
+# has been deprecated since S in favor of
+# "identity:list_role_assignments":"(role:reader and system_scope:all)
+# or (role:reader and domain_id:%(target.domain_id)s)". The assignment
+# API is now aware of system scope and default roles.
+# List all role assignments for a given tree of hierarchical projects.
+# GET /v3/role_assignments?include_subtree +# HEAD /v3/role_assignments?include_subtree +# Intended scope(s): system, domain, project +#"identity:list_role_assignments_for_tree": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.project.domain_id)s) or (role:admin and project_id:%(target.project.id)s)" + +# DEPRECATED +# "identity:list_role_assignments_for_tree":"rule:admin_required" has +# been deprecated since T in favor of +# "identity:list_role_assignments_for_tree":"(role:reader and +# system_scope:all) or (role:reader and +# domain_id:%(target.project.domain_id)s) or (role:admin and +# project_id:%(target.project.id)s)". The assignment API is now aware +# of system scope and default roles. +# Show service details. +# GET /v3/services/{service_id} +# Intended scope(s): system +#"identity:get_service": "role:reader and system_scope:all" + +# DEPRECATED "identity:get_service":"rule:admin_required" has been +# deprecated since S in favor of "identity:get_service":"role:reader +# and system_scope:all". The service API is now aware of system scope +# and default roles. +# List services. +# GET /v3/services +# Intended scope(s): system +#"identity:list_services": "role:reader and system_scope:all" + +# DEPRECATED "identity:list_services":"rule:admin_required" has been +# deprecated since S in favor of "identity:list_services":"role:reader +# and system_scope:all". The service API is now aware of system scope +# and default roles. +# Create service. +# POST /v3/services +# Intended scope(s): system +#"identity:create_service": "role:admin and system_scope:all" + +# DEPRECATED "identity:create_service":"rule:admin_required" has been +# deprecated since S in favor of "identity:create_service":"role:admin +# and system_scope:all". The service API is now aware of system scope +# and default roles. +# Update service. 
+# PATCH /v3/services/{service_id} +# Intended scope(s): system +#"identity:update_service": "role:admin and system_scope:all" + +# DEPRECATED "identity:update_service":"rule:admin_required" has been +# deprecated since S in favor of "identity:update_service":"role:admin +# and system_scope:all". The service API is now aware of system scope +# and default roles. +# Delete service. +# DELETE /v3/services/{service_id} +# Intended scope(s): system +#"identity:delete_service": "role:admin and system_scope:all" + +# DEPRECATED "identity:delete_service":"rule:admin_required" has been +# deprecated since S in favor of "identity:delete_service":"role:admin +# and system_scope:all". The service API is now aware of system scope +# and default roles. +# Create federated service provider. +# PUT /v3/OS-FEDERATION/service_providers/{service_provider_id} +# Intended scope(s): system +#"identity:create_service_provider": "role:admin and system_scope:all" + +# DEPRECATED "identity:create_service_provider":"rule:admin_required" +# has been deprecated since S in favor of +# "identity:create_service_provider":"role:admin and +# system_scope:all". The service provider API is now aware of system +# scope and default roles. +# List federated service providers. +# GET /v3/OS-FEDERATION/service_providers +# HEAD /v3/OS-FEDERATION/service_providers +# Intended scope(s): system +#"identity:list_service_providers": "role:reader and system_scope:all" + +# DEPRECATED "identity:list_service_providers":"rule:admin_required" +# has been deprecated since S in favor of +# "identity:list_service_providers":"role:reader and +# system_scope:all". The service provider API is now aware of system +# scope and default roles. +# Get federated service provider. 
+# GET /v3/OS-FEDERATION/service_providers/{service_provider_id} +# HEAD /v3/OS-FEDERATION/service_providers/{service_provider_id} +# Intended scope(s): system +#"identity:get_service_provider": "role:reader and system_scope:all" + +# DEPRECATED "identity:get_service_provider":"rule:admin_required" has +# been deprecated since S in favor of +# "identity:get_service_provider":"role:reader and system_scope:all". +# The service provider API is now aware of system scope and default +# roles. +# Update federated service provider. +# PATCH /v3/OS-FEDERATION/service_providers/{service_provider_id} +# Intended scope(s): system +#"identity:update_service_provider": "role:admin and system_scope:all" + +# DEPRECATED "identity:update_service_provider":"rule:admin_required" +# has been deprecated since S in favor of +# "identity:update_service_provider":"role:admin and +# system_scope:all". The service provider API is now aware of system +# scope and default roles. +# Delete federated service provider. +# DELETE /v3/OS-FEDERATION/service_providers/{service_provider_id} +# Intended scope(s): system +#"identity:delete_service_provider": "role:admin and system_scope:all" + +# DEPRECATED "identity:delete_service_provider":"rule:admin_required" +# has been deprecated since S in favor of +# "identity:delete_service_provider":"role:admin and +# system_scope:all". The service provider API is now aware of system +# scope and default roles. +# DEPRECATED +# "identity:revocation_list" has been deprecated since T. +# The identity:revocation_list policy isn't used to protect any APIs +# in keystone now that the revocation list API has been deprecated and +# only returns a 410 or 403 depending on how keystone is configured. +# This policy can be safely removed from policy files. +# List revoked PKI tokens. +# GET /v3/auth/tokens/OS-PKI/revoked +# Intended scope(s): system, project +#"identity:revocation_list": "rule:service_or_admin" + +# Check a token. 
+# HEAD /v3/auth/tokens +# Intended scope(s): system, domain, project +#"identity:check_token": "(role:reader and system_scope:all) or rule:token_subject" + +# DEPRECATED "identity:check_token":"rule:admin_or_token_subject" has +# been deprecated since T in favor of +# "identity:check_token":"(role:reader and system_scope:all) or +# rule:token_subject". The token API is now aware of system scope and +# default roles. +# Validate a token. +# GET /v3/auth/tokens +# Intended scope(s): system, domain, project +#"identity:validate_token": "(role:reader and system_scope:all) or rule:service_role or rule:token_subject" + +# DEPRECATED +# "identity:validate_token":"rule:service_admin_or_token_subject" has +# been deprecated since T in favor of +# "identity:validate_token":"(role:reader and system_scope:all) or +# rule:service_role or rule:token_subject". The token API is now aware +# of system scope and default roles. +# Revoke a token. +# DELETE /v3/auth/tokens +# Intended scope(s): system, domain, project +#"identity:revoke_token": "(role:admin and system_scope:all) or rule:token_subject" + +# DEPRECATED "identity:revoke_token":"rule:admin_or_token_subject" has +# been deprecated since T in favor of +# "identity:revoke_token":"(role:admin and system_scope:all) or +# rule:token_subject". The token API is now aware of system scope and +# default roles. +# Create trust. +# POST /v3/OS-TRUST/trusts +# Intended scope(s): project +#"identity:create_trust": "user_id:%(trust.trustor_user_id)s" + +# List trusts. +# GET /v3/OS-TRUST/trusts +# HEAD /v3/OS-TRUST/trusts +# Intended scope(s): system +#"identity:list_trusts": "role:reader and system_scope:all" + +# DEPRECATED "identity:list_trusts":"rule:admin_required" has been +# deprecated since T in favor of "identity:list_trusts":"role:reader +# and system_scope:all". The trust API is now aware of system scope +# and default roles. +# List trusts for trustor. 
+# GET /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id} +# HEAD /v3/OS-TRUST/trusts?trustor_user_id={trustor_user_id} +# Intended scope(s): system, project +#"identity:list_trusts_for_trustor": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s" + +# List trusts for trustee. +# GET /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id} +# HEAD /v3/OS-TRUST/trusts?trustee_user_id={trustee_user_id} +# Intended scope(s): system, project +#"identity:list_trusts_for_trustee": "role:reader and system_scope:all or user_id:%(target.trust.trustee_user_id)s" + +# List roles delegated by a trust. +# GET /v3/OS-TRUST/trusts/{trust_id}/roles +# HEAD /v3/OS-TRUST/trusts/{trust_id}/roles +# Intended scope(s): system, project +#"identity:list_roles_for_trust": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" + +# DEPRECATED "identity:list_roles_for_trust":"user_id:%(target.trust.t +# rustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" has +# been deprecated since T in favor of +# "identity:list_roles_for_trust":"role:reader and system_scope:all or +# user_id:%(target.trust.trustor_user_id)s or +# user_id:%(target.trust.trustee_user_id)s". The trust API is now +# aware of system scope and default roles. +# Check if trust delegates a particular role. 
+# GET /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id} +# HEAD /v3/OS-TRUST/trusts/{trust_id}/roles/{role_id} +# Intended scope(s): system, project +#"identity:get_role_for_trust": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" + +# DEPRECATED "identity:get_role_for_trust":"user_id:%(target.trust.tru +# stor_user_id)s or user_id:%(target.trust.trustee_user_id)s" has been +# deprecated since T in favor of +# "identity:get_role_for_trust":"role:reader and system_scope:all or +# user_id:%(target.trust.trustor_user_id)s or +# user_id:%(target.trust.trustee_user_id)s". The trust API is now +# aware of system scope and default roles. +# Revoke trust. +# DELETE /v3/OS-TRUST/trusts/{trust_id} +# Intended scope(s): system, project +#"identity:delete_trust": "role:admin and system_scope:all or user_id:%(target.trust.trustor_user_id)s" + +# DEPRECATED +# "identity:delete_trust":"user_id:%(target.trust.trustor_user_id)s" +# has been deprecated since T in favor of +# "identity:delete_trust":"role:admin and system_scope:all or +# user_id:%(target.trust.trustor_user_id)s". The trust API is now +# aware of system scope and default roles. +# Get trust. +# GET /v3/OS-TRUST/trusts/{trust_id} +# HEAD /v3/OS-TRUST/trusts/{trust_id} +# Intended scope(s): system, project +#"identity:get_trust": "role:reader and system_scope:all or user_id:%(target.trust.trustor_user_id)s or user_id:%(target.trust.trustee_user_id)s" + +# DEPRECATED +# "identity:get_trust":"user_id:%(target.trust.trustor_user_id)s or +# user_id:%(target.trust.trustee_user_id)s" has been deprecated since +# T in favor of "identity:get_trust":"role:reader and system_scope:all +# or user_id:%(target.trust.trustor_user_id)s or +# user_id:%(target.trust.trustee_user_id)s". The trust API is now +# aware of system scope and default roles. +# Show user details. 
+# GET /v3/users/{user_id} +# HEAD /v3/users/{user_id} +# Intended scope(s): system, domain, project +#"identity:get_user": "(role:reader and system_scope:all) or (role:reader and token.domain.id:%(target.user.domain_id)s) or user_id:%(target.user.id)s" + +# DEPRECATED "identity:get_user":"rule:admin_or_owner" has been +# deprecated since S in favor of "identity:get_user":"(role:reader and +# system_scope:all) or (role:reader and +# token.domain.id:%(target.user.domain_id)s) or +# user_id:%(target.user.id)s". The user API is now aware of system +# scope and default roles. +# List users. +# GET /v3/users +# HEAD /v3/users +# Intended scope(s): system, domain +#"identity:list_users": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)" + +# DEPRECATED "identity:list_users":"rule:admin_required" has been +# deprecated since S in favor of "identity:list_users":"(role:reader +# and system_scope:all) or (role:reader and +# domain_id:%(target.domain_id)s)". The user API is now aware of +# system scope and default roles. +# List all projects a user has access to via role assignments. +# GET /v3/auth/projects +#"identity:list_projects_for_user": "" + +# List all domains a user has access to via role assignments. +# GET /v3/auth/domains +#"identity:list_domains_for_user": "" + +# Create a user. +# POST /v3/users +# Intended scope(s): system, domain +#"identity:create_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)" + +# DEPRECATED "identity:create_user":"rule:admin_required" has been +# deprecated since S in favor of "identity:create_user":"(role:admin +# and system_scope:all) or (role:admin and +# token.domain.id:%(target.user.domain_id)s)". The user API is now +# aware of system scope and default roles. +# Update a user, including administrative password resets. 
+# PATCH /v3/users/{user_id} +# Intended scope(s): system, domain +#"identity:update_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)" + +# DEPRECATED "identity:update_user":"rule:admin_required" has been +# deprecated since S in favor of "identity:update_user":"(role:admin +# and system_scope:all) or (role:admin and +# token.domain.id:%(target.user.domain_id)s)". The user API is now +# aware of system scope and default roles. +# Delete a user. +# DELETE /v3/users/{user_id} +# Intended scope(s): system, domain +#"identity:delete_user": "(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)" + +# DEPRECATED "identity:delete_user":"rule:admin_required" has been +# deprecated since S in favor of "identity:delete_user":"(role:admin +# and system_scope:all) or (role:admin and +# token.domain.id:%(target.user.domain_id)s)". The user API is now +# aware of system scope and default roles.
diff --git a/scripts/arif-scripts/update_landscape_certs_self.sh b/scripts/arif-scripts/update_landscape_certs_self.sh
index 50a55e8..d3f0ed6 100755
--- a/scripts/arif-scripts/update_landscape_certs_self.sh
+++ b/scripts/arif-scripts/update_landscape_certs_self.sh
@@ -3,10 +3,12 @@ # This is when landscape-haproxy the cert is SELFSIGNED. This will ensure that landscape will work landscape_crt=$(juju run --application landscape-haproxy 'sudo openssl x509 -in /var/lib/haproxy/default.pem' | base64) juju config landscape-client ssl-public-key="base64:${landscape_crt}" +juju config landscape-client-bionic ssl-public-key="base64:${landscape_crt}" # And yes, this needs to use the IP address, otherwise the the registration will fail landscape_ip=$(juju run --application landscape-haproxy 'unit-get private-address') juju config landscape-client url="https://${landscape_ip}/message-system" ping-url="http://${landscape_ip}/ping" +juju config landscape-client-bionic url="https://${landscape_ip}/message-system" ping-url="http://${landscape_ip}/ping" # May need to restart all the landscape-clients #juju run --application landscape-client 'sudo systemctl restart landscape-client.service'
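Review bot: The two added `juju config landscape-client-bionic` lines push `${landscape_crt}` and `${landscape_ip}` to a second application without any check that the preceding `juju run` calls actually returned a certificate or an address; since nothing visible in the hunk sets `set -e`/`set -u` (the shebang and the first lines of the script are outside the hunk), a failed fetch would set `ssl-public-key="base64:"` and `url="https:///message-system"` on both client applications. Because this value is what the clients pin against the self-signed haproxy certificate, an empty or garbled value presumably breaks registration silently rather than failing the script. Duplicating the lines verbatim also means the two applications can drift apart if only one is edited later. Keep the `openssl x509` extraction rather than `cat`ting `default.pem`: the haproxy PEM bundle presumably also holds the private key, and `openssl x509` emits only the certificate, which is worth a comment. I would guard the fetched values once and apply them in a single loop over both applications:

```shell
set -euo pipefail
# openssl x509 prints only the certificate; never cat default.pem, it presumably also holds the key
landscape_crt=$(juju run --application landscape-haproxy 'sudo openssl x509 -in /var/lib/haproxy/default.pem' | base64)
[ -n "${landscape_crt}" ] || { echo "could not read landscape-haproxy certificate" >&2; exit 1; }
landscape_ip=$(juju run --application landscape-haproxy 'unit-get private-address')
[ -n "${landscape_ip}" ] || { echo "could not read landscape-haproxy address" >&2; exit 1; }
for app in landscape-client landscape-client-bionic; do
  juju config "${app}" ssl-public-key="base64:${landscape_crt}"
  juju config "${app}" url="https://${landscape_ip}/message-system" ping-url="http://${landscape_ip}/ping"
done
# … unchanged: commented-out landscape-client restart …
```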