The following is a sample keystone policy file that has been auto-generated from default policy values in code. If you’re using the default policies, then the maintenance of this file is not necessary, and it should not be copied into a deployment. Doing so will result in duplicate policy definitions. It is here to help explain which policy operations protect specific keystone APIs, but it is not suggested to copy and paste into a deployment unless you’re planning on providing a different policy for an operation that is not the default.
The sample policy file can also be viewed in file form.
#
#"admin_required": "role:admin or is_admin:1"
#
#"service_role": "role:service"
#
#"service_or_admin": "rule:admin_required or rule:service_role"
#
#"owner": "user_id:%(user_id)s"
#
#"admin_or_owner": "rule:admin_required or rule:owner"
#
#"token_subject": "user_id:%(target.token.user_id)s"
#
#"admin_or_token_subject": "rule:admin_required or rule:token_subject"
#
#"service_admin_or_token_subject": "rule:service_or_admin or rule:token_subject"
#
#"default": "rule:admin_required"
# Authorize OAUTH1 request token.
# PUT /v3/OS-OAUTH1/authorize/{request_token_id}
#"identity:authorize_request_token": "rule:admin_required"
# Get OAUTH1 access token for user by access token ID.
# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
#"identity:get_access_token": "rule:admin_required"
# Get role for user OAUTH1 access token.
# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}
#"identity:get_access_token_role": "rule:admin_required"
# List OAUTH1 access tokens for user.
# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens
#"identity:list_access_tokens": "rule:admin_required"
# List OAUTH1 access token roles.
# GET /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles
#"identity:list_access_token_roles": "rule:admin_required"
# Delete OAUTH1 access token.
# DELETE /v3/users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}
#"identity:delete_access_token": "rule:admin_required"
# Get service catalog.
# GET /v3/auth/catalog
# HEAD /v3/auth/catalog
#"identity:get_auth_catalog": ""
# List all projects a user has access to via role assignments.
# GET /v3/auth/projects
# HEAD /v3/auth/projects
#"identity:get_auth_projects": ""
# List all domains a user has access to via role assignments.
# GET /v3/auth/domains
# HEAD /v3/auth/domains
#"identity:get_auth_domains": ""
# Show OAUTH1 consumer details.
# GET /v3/OS-OAUTH1/consumers/{consumer_id}
#"identity:get_consumer": "rule:admin_required"
# List OAUTH1 consumers.
# GET /v3/OS-OAUTH1/consumers
#"identity:list_consumers": "rule:admin_required"
# Create OAUTH1 consumer.
# POST /v3/OS-OAUTH1/consumers
#"identity:create_consumer": "rule:admin_required"
# Update OAUTH1 consumer.
# PATCH /v3/OS-OAUTH1/consumers/{consumer_id}
#"identity:update_consumer": "rule:admin_required"
# Delete OAUTH1 consumer.
# DELETE /v3/OS-OAUTH1/consumers/{consumer_id}
#"identity:delete_consumer": "rule:admin_required"
# Show credentials details.
# GET /v3/credentials/{credential_id}
#"identity:get_credential": "rule:admin_required"
# List credentials.
# GET /v3/credentials
#"identity:list_credentials": "rule:admin_required"
# Create credential.
# POST /v3/credentials
#"identity:create_credential": "rule:admin_required"
# Update credential.
# PATCH /v3/credentials/{credential_id}
#"identity:update_credential": "rule:admin_required"
# Delete credential.
# DELETE /v3/credentials/{credential_id}
#"identity:delete_credential": "rule:admin_required"
# Show domain details.
# GET /v3/domains/{domain_id}
#"identity:get_domain": "rule:admin_required or token.project.domain.id:%(target.domain.id)s"
# List domains.
# GET /v3/domains
#"identity:list_domains": "rule:admin_required"
# Create domain.
# POST /v3/domains
#"identity:create_domain": "rule:admin_required"
# Update domain.
# PATCH /v3/domains/{domain_id}
#"identity:update_domain": "rule:admin_required"
# Delete domain.
# DELETE /v3/domains/{domain_id}
#"identity:delete_domain": "rule:admin_required"
# Create domain configuration.
# PUT /v3/domains/{domain_id}/config
#"identity:create_domain_config": "rule:admin_required"
# Get the entire domain configuration for a domain, an option group
# within a domain, or a specific configuration option within a group
# for a domain.
# GET /v3/domains/{domain_id}/config
# HEAD /v3/domains/{domain_id}/config
# GET /v3/domains/{domain_id}/config/{group}
# HEAD /v3/domains/{domain_id}/config/{group}
# GET /v3/domains/{domain_id}/config/{group}/{option}
# HEAD /v3/domains/{domain_id}/config/{group}/{option}
#"identity:get_domain_config": "rule:admin_required"
# Get security compliance domain configuration for either a domain or
# a specific option in a domain.
# GET /v3/domains/{domain_id}/config/security_compliance
# HEAD /v3/domains/{domain_id}/config/security_compliance
# GET v3/domains/{domain_id}/config/security_compliance/{option}
# HEAD v3/domains/{domain_id}/config/security_compliance/{option}
#"identity:get_security_compliance_domain_config": ""
# Update domain configuration for either a domain, specific group or a
# specific option in a group.
# PATCH /v3/domains/{domain_id}/config
# PATCH /v3/domains/{domain_id}/config/{group}
# PATCH /v3/domains/{domain_id}/config/{group}/{option}
#"identity:update_domain_config": "rule:admin_required"
# Delete domain configuration for either a domain, specific group or a
# specific option in a group.
# DELETE /v3/domains/{domain_id}/config
# DELETE /v3/domains/{domain_id}/config/{group}
# DELETE /v3/domains/{domain_id}/config/{group}/{option}
#"identity:delete_domain_config": "rule:admin_required"
# Get domain configuration default for either a domain, specific group
# or a specific option in a group.
# GET /v3/domains/config/default
# HEAD /v3/domains/config/default
# GET /v3/domains/config/{group}/default
# HEAD /v3/domains/config/{group}/default
# GET /v3/domains/config/{group}/{option}/default
# HEAD /v3/domains/config/{group}/{option}/default
#"identity:get_domain_config_default": "rule:admin_required"
# Show ec2 credential details.
# GET /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
#"identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)"
# List ec2 credentials.
# GET /v3/users/{user_id}/credentials/OS-EC2
#"identity:ec2_list_credentials": "rule:admin_or_owner"
# Create ec2 credential.
# POST /v3/users/{user_id}/credentials/OS-EC2
#"identity:ec2_create_credential": "rule:admin_or_owner"
# Delete ec2 credential.
# DELETE /v3/users/{user_id}/credentials/OS-EC2/{credential_id}
#"identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)"
# Show endpoint details.
# GET /v3/endpoints/{endpoint_id}
#"identity:get_endpoint": "rule:admin_required"
# List endpoints.
# GET /v3/endpoints
#"identity:list_endpoints": "rule:admin_required"
# Create endpoint.
# POST /v3/endpoints
#"identity:create_endpoint": "rule:admin_required"
# Update endpoint.
# PATCH /v3/endpoints/{endpoint_id}
#"identity:update_endpoint": "rule:admin_required"
# Delete endpoint.
# DELETE /v3/endpoints/{endpoint_id}
#"identity:delete_endpoint": "rule:admin_required"
# Create endpoint group.
# POST /v3/OS-EP-FILTER/endpoint_groups
#"identity:create_endpoint_group": "rule:admin_required"
# List endpoint groups.
# GET /v3/OS-EP-FILTER/endpoint_groups
#"identity:list_endpoint_groups": "rule:admin_required"
# Get endpoint group.
# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
# HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
#"identity:get_endpoint_group": "rule:admin_required"
# Update endpoint group.
# PATCH /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
#"identity:update_endpoint_group": "rule:admin_required"
# Delete endpoint group.
# DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}
#"identity:delete_endpoint_group": "rule:admin_required"
# List all projects associated with a specific endpoint group.
# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects
#"identity:list_projects_associated_with_endpoint_group": "rule:admin_required"
# List all endpoints associated with an endpoint group.
# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints
#"identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required"
# Check if an endpoint group is associated with a project.
# GET /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
# HEAD /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
#"identity:get_endpoint_group_in_project": "rule:admin_required"
# List endpoint groups associated with a specific project.
# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoint_groups
#"identity:list_endpoint_groups_for_project": "rule:admin_required"
# Allow a project to access an endpoint group.
# PUT /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
#"identity:add_endpoint_group_to_project": "rule:admin_required"
# Remove endpoint group from project.
# DELETE /v3/OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}
#"identity:remove_endpoint_group_from_project": "rule:admin_required"
# Check a role grant between a target and an actor. A target can be
# either a domain or a project. An actor can be either a user or a
# group. These terms also apply to the OS-INHERIT APIs, where grants
# on the target are inherited to all projects in the subtree, if
# applicable.
# HEAD /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
# GET /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
# HEAD /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
# GET /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
# HEAD /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
# GET /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
# HEAD /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
# GET /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
# HEAD /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# GET /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# HEAD /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# GET /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# HEAD /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# HEAD /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
#"identity:check_grant": "rule:admin_required"
# List roles granted to an actor on a target. A target can be either a
# domain or a project. An actor can be either a user or a group. For
# the OS-INHERIT APIs, it is possible to list inherited role grants
# for actors on domains, where grants are inherited to all projects in
# the specified domain.
# GET /v3/projects/{project_id}/users/{user_id}/roles
# HEAD /v3/projects/{project_id}/users/{user_id}/roles
# GET /v3/projects/{project_id}/groups/{group_id}/roles
# HEAD /v3/projects/{project_id}/groups/{group_id}/roles
# GET /v3/domains/{domain_id}/users/{user_id}/roles
# HEAD /v3/domains/{domain_id}/users/{user_id}/roles
# GET /v3/domains/{domain_id}/groups/{group_id}/roles
# HEAD /v3/domains/{domain_id}/groups/{group_id}/roles
# GET /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects
# GET /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects
#"identity:list_grants": "rule:admin_required"
# Create a role grant between a target and an actor. A target can be
# either a domain or a project. An actor can be either a user or a
# group. These terms also apply to the OS-INHERIT APIs, where grants
# on the target are inherited to all projects in the subtree, if
# applicable.
# PUT /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
# PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
# PUT /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
# PUT /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
# PUT /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# PUT /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# PUT /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# PUT /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
#"identity:create_grant": "rule:admin_required"
# Revoke a role grant between a target and an actor. A target can be
# either a domain or a project. An actor can be either a user or a
# group. These terms also apply to the OS-INHERIT APIs, where grants
# on the target are inherited to all projects in the subtree, if
# applicable. In that case, revoking the role grant in the target
# would remove the logical effect of inheriting it to the target's
# projects subtree.
# DELETE /v3/projects/{project_id}/users/{user_id}/roles/{role_id}
# DELETE /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}
# DELETE /v3/domains/{domain_id}/users/{user_id}/roles/{role_id}
# DELETE /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id}
# DELETE /v3/OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# DELETE /v3/OS-INHERIT/projects/{project_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
# DELETE /v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects
# DELETE /v3/OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects
#"identity:revoke_grant": "rule:admin_required"
# Show group details.
# GET /v3/groups/{group_id}
# HEAD /v3/groups/{group_id}
#"identity:get_group": "rule:admin_required"
# List groups.
# GET /v3/groups
# HEAD /v3/groups
#"identity:list_groups": "rule:admin_required"
# List groups to which a user belongs.
# GET /v3/users/{user_id}/groups
# HEAD /v3/users/{user_id}/groups
#"identity:list_groups_for_user": "rule:admin_or_owner"
# Create group.
# POST /v3/groups
#"identity:create_group": "rule:admin_required"
# Update group.
# PATCH /v3/groups/{group_id}
#"identity:update_group": "rule:admin_required"
# Delete group.
# DELETE /v3/groups/{group_id}
#"identity:delete_group": "rule:admin_required"
# List members of a specific group.
# GET /v3/groups/{group_id}/users
# HEAD /v3/groups/{group_id}/users
#"identity:list_users_in_group": "rule:admin_required"
# Remove user from group.
# DELETE /v3/groups/{group_id}/users/{user_id}
#"identity:remove_user_from_group": "rule:admin_required"
# Check whether a user is a member of a group.
# HEAD /v3/groups/{group_id}/users/{user_id}
# GET /v3/groups/{group_id}/users/{user_id}
#"identity:check_user_in_group": "rule:admin_required"
# Add user to group.
# PUT /v3/groups/{group_id}/users/{user_id}
#"identity:add_user_to_group": "rule:admin_required"
# Create identity provider.
# PUT /v3/OS-FEDERATION/identity_providers/{idp_id}
#"identity:create_identity_provider": "rule:admin_required"
# List identity providers.
# GET /v3/OS-FEDERATION/identity_providers
# HEAD /v3/OS-FEDERATION/identity_providers
#"identity:list_identity_providers": "rule:admin_required"
# Get identity provider.
# GET /v3/OS-FEDERATION/identity_providers/{idp_id}
# HEAD /v3/OS-FEDERATION/identity_providers/{idp_id}
#"identity:get_identity_providers": "rule:admin_required"
# Update identity provider.
# PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}
#"identity:update_identity_provider": "rule:admin_required"
# Delete identity provider.
# DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}
#"identity:delete_identity_provider": "rule:admin_required"
# Get information about an association between two roles. When a
# relationship exists between a prior role and an implied role and the
# prior role is assigned to a user, the user also assumes the implied
# role.
# GET /v3/roles/{prior_role_id}/implies/{implied_role_id}
#"identity:get_implied_role": "rule:admin_required"
# List associations between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role. This
# will return all the implied roles that would be assumed by the user
# who gets the specified prior role.
# GET /v3/roles/{prior_role_id}/implies
# HEAD /v3/roles/{prior_role_id}/implies
#"identity:list_implied_roles": "rule:admin_required"
# Create an association between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role.
# PUT /v3/roles/{prior_role_id}/implies/{implied_role_id}
#"identity:create_implied_role": "rule:admin_required"
# Delete the association between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role. Removing
# the association will cause that effect to be eliminated.
# DELETE /v3/roles/{prior_role_id}/implies/{implied_role_id}
#"identity:delete_implied_role": "rule:admin_required"
# List all associations between two roles in the system. When a
# relationship exists between a prior role and an implied role and the
# prior role is assigned to a user, the user also assumes the implied
# role.
# GET /v3/role_inferences
# HEAD /v3/role_inferences
#"identity:list_role_inference_rules": "rule:admin_required"
# Check an association between two roles. When a relationship exists
# between a prior role and an implied role and the prior role is
# assigned to a user, the user also assumes the implied role.
# HEAD /v3/roles/{prior_role_id}/implies/{implied_role_id}
#"identity:check_implied_role": "rule:admin_required"
# Create a new federated mapping containing one or more sets of rules.
# PUT /v3/OS-FEDERATION/mappings/{mapping_id}
#"identity:create_mapping": "rule:admin_required"
# Get a federated mapping.
# GET /v3/OS-FEDERATION/mappings/{mapping_id}
# HEAD /v3/OS-FEDERATION/mappings/{mapping_id}
#"identity:get_mapping": "rule:admin_required"
# List federated mappings.
# GET /v3/OS-FEDERATION/mappings
# HEAD /v3/OS-FEDERATION/mappings
#"identity:list_mappings": "rule:admin_required"
# Delete a federated mapping.
# DELETE /v3/OS-FEDERATION/mappings/{mapping_id}
#"identity:delete_mapping": "rule:admin_required"
# Update a federated mapping.
# PATCH /v3/OS-FEDERATION/mappings/{mapping_id}
#"identity:update_mapping": "rule:admin_required"
# Show policy details.
# GET /v3/policy/{policy_id}
#"identity:get_policy": "rule:admin_required"
# List policies.
# GET /v3/policies
#"identity:list_policies": "rule:admin_required"
# Create policy.
# POST /v3/policies
#"identity:create_policy": "rule:admin_required"
# Update policy.
# PATCH /v3/policies/{policy_id}
#"identity:update_policy": "rule:admin_required"
# Delete policy.
# DELETE /v3/policies/{policy_id}
#"identity:delete_policy": "rule:admin_required"
# Associate a policy to a specific endpoint.
# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
#"identity:create_policy_association_for_endpoint": "rule:admin_required"
# Check policy association for endpoint.
# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
#"identity:check_policy_association_for_endpoint": "rule:admin_required"
# Delete policy association for endpoint.
# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints/{endpoint_id}
#"identity:delete_policy_association_for_endpoint": "rule:admin_required"
# Associate a policy to a specific service.
# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
#"identity:create_policy_association_for_service": "rule:admin_required"
# Check policy association for service.
# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
#"identity:check_policy_association_for_service": "rule:admin_required"
# Delete policy association for service.
# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}
#"identity:delete_policy_association_for_service": "rule:admin_required"
# Associate a policy to a specific region and service combination.
# PUT /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
#"identity:create_policy_association_for_region_and_service": "rule:admin_required"
# Check policy association for region and service.
# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
# HEAD /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
#"identity:check_policy_association_for_region_and_service": "rule:admin_required"
# Delete policy association for region and service.
# DELETE /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/services/{service_id}/regions/{region_id}
#"identity:delete_policy_association_for_region_and_service": "rule:admin_required"
# Get policy for endpoint.
# GET /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
# HEAD /v3/endpoints/{endpoint_id}/OS-ENDPOINT-POLICY/policy
#"identity:get_policy_for_endpoint": "rule:admin_required"
# List endpoints for policy.
# GET /v3/policies/{policy_id}/OS-ENDPOINT-POLICY/endpoints
#"identity:list_endpoints_for_policy": "rule:admin_required"
# Show project details.
# GET /v3/projects/{project_id}
#"identity:get_project": "rule:admin_required or project_id:%(target.project.id)s"
# List projects.
# GET /v3/projects
#"identity:list_projects": "rule:admin_required"
# List projects for user.
# GET /v3/users/{user_id}/projects
#"identity:list_user_projects": "rule:admin_or_owner"
# Create project.
# POST /v3/projects
#"identity:create_project": "rule:admin_required"
# Update project.
# PATCH /v3/projects/{project_id}
#"identity:update_project": "rule:admin_required"
# Delete project.
# DELETE /v3/projects/{project_id}
#"identity:delete_project": "rule:admin_required"
# List projects allowed to access an endpoint.
# GET /v3/OS-EP-FILTER/endpoints/{endpoint_id}/projects
#"identity:list_projects_for_endpoint": "rule:admin_required"
# Allow project to access an endpoint.
# PUT /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
#"identity:add_endpoint_to_project": "rule:admin_required"
# Check if a project is allowed to access an endpoint.
# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
# HEAD /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
#"identity:check_endpoint_in_project": "rule:admin_required"
# List the endpoints a project is allowed to access.
# GET /v3/OS-EP-FILTER/projects/{project_id}/endpoints
#"identity:list_endpoints_for_project": "rule:admin_required"
# Remove access to an endpoint from a project that has previously been
# given explicit access.
# DELETE /v3/OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}
#"identity:remove_endpoint_from_project": "rule:admin_required"
# Create federated protocol.
# PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
#"identity:create_protocol": "rule:admin_required"
# Update federated protocol.
# PATCH /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
#"identity:update_protocol": "rule:admin_required"
# Get federated protocol.
# GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
#"identity:get_protocol": "rule:admin_required"
# List federated protocols.
# GET /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols
#"identity:list_protocols": "rule:admin_required"
# Delete federated protocol.
# DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
#"identity:delete_protocol": "rule:admin_required"
# Show region details.
# GET /v3/regions/{region_id}
# HEAD /v3/regions/{region_id}
#"identity:get_region": ""
# List regions.
# GET /v3/regions
# HEAD /v3/regions
#"identity:list_regions": ""
# Create region.
# POST /v3/regions
# PUT /v3/regions/{region_id}
#"identity:create_region": "rule:admin_required"
# Update region.
# PATCH /v3/regions/{region_id}
#"identity:update_region": "rule:admin_required"
# Delete region.
# DELETE /v3/regions/{region_id}
#"identity:delete_region": "rule:admin_required"
# List revocation events.
# GET /v3/OS-REVOKE/events
#"identity:list_revoke_events": "rule:service_or_admin"
# Show role details.
# GET /v3/roles/{role_id}
# HEAD /v3/roles/{role_id}
#"identity:get_role": "rule:admin_required"
# List roles.
# GET /v3/roles
# HEAD /v3/roles
#"identity:list_roles": "rule:admin_required"
# Create role.
# POST /v3/roles
#"identity:create_role": "rule:admin_required"
# Update role.
# PATCH /v3/roles/{role_id}
#"identity:update_role": "rule:admin_required"
# Delete role.
# DELETE /v3/roles/{role_id}
#"identity:delete_role": "rule:admin_required"
# Show domain role.
# GET /v3/roles/{role_id}
# HEAD /v3/roles/{role_id}
#"identity:get_domain_role": "rule:admin_required"
# List domain roles.
# GET /v3/roles?domain_id={domain_id}
# HEAD /v3/roles?domain_id={domain_id}
#"identity:list_domain_roles": "rule:admin_required"
# Create domain role.
# POST /v3/roles
#"identity:create_domain_role": "rule:admin_required"
# Update domain role.
# PATCH /v3/roles/{role_id}
#"identity:update_domain_role": "rule:admin_required"
# Delete domain role.
# DELETE /v3/roles/{role_id}
#"identity:delete_domain_role": "rule:admin_required"
# List role assignments.
# GET /v3/role_assignments
# HEAD /v3/role_assignments
#"identity:list_role_assignments": "rule:admin_required"
# List all role assignments for a given tree of hierarchical projects.
# GET /v3/role_assignments?include_subtree
# HEAD /v3/role_assignments?include_subtree
#"identity:list_role_assignments_for_tree": "rule:admin_required"
# Show service details.
# GET /v3/services/{service_id}
#"identity:get_service": "rule:admin_required"
# List services.
# GET /v3/services
#"identity:list_services": "rule:admin_required"
# Create service.
# POST /v3/services
#"identity:create_service": "rule:admin_required"
# Update service.
# PATCH /v3/services/{service_id}
#"identity:update_service": "rule:admin_required"
# Delete service.
# DELETE /v3/services/{service_id}
#"identity:delete_service": "rule:admin_required"
# Create federated service provider.
# PUT /v3/OS-FEDERATION/service_providers/{service_provider_id}
#"identity:create_service_provider": "rule:admin_required"
# List federated service providers.
# GET /v3/OS-FEDERATION/service_providers
# HEAD /v3/OS-FEDERATION/service_providers
#"identity:list_service_providers": "rule:admin_required"
# Get federated service provider.
# GET /v3/OS-FEDERATION/service_providers/{service_provider_id}
# HEAD /v3/OS-FEDERATION/service_providers/{service_provider_id}
#"identity:get_service_provider": "rule:admin_required"
# Update federated service provider.
# PATCH /v3/OS-FEDERATION/service_providers/{service_provider_id}
#"identity:update_service_provider": "rule:admin_required"
# Delete federated service provider.
# DELETE /v3/OS-FEDERATION/service_providers/{service_provider_id}
#"identity:delete_service_provider": "rule:admin_required"
# List revoked PKI tokens.
# GET /v3/auth/tokens/OS-PKI/revoked
#"identity:revocation_list": "rule:service_or_admin"
# Check a token.
# HEAD /v3/auth/tokens
#"identity:check_token": "rule:admin_or_token_subject"
# Validate a token.
# GET /v3/auth/tokens
# GET /v2.0/tokens/{token_id}
#"identity:validate_token": "rule:service_admin_or_token_subject"
# Validate a token.
# HEAD /v2.0/tokens/{token_id}
#"identity:validate_token_head": "rule:service_or_admin"
# Revoke a token.
# DELETE /v3/auth/tokens
#"identity:revoke_token": "rule:admin_or_token_subject"
#
#"identity:create_trust": "user_id:%(trust.trustor_user_id)s"
#
#"identity:list_trusts": ""
#
#"identity:list_roles_for_trust": ""
#
#"identity:get_role_for_trust": ""
#
#"identity:delete_trust": ""
# Show user details.
# GET /v3/users/{user_id}
# HEAD /v3/users/{user_id}
#"identity:get_user": "rule:admin_or_owner"
# List users.
# GET /v3/users
# HEAD /v3/users
#"identity:list_users": "rule:admin_required"
# List all projects a user has access to via role assignments.
# GET /v3/auth/projects
#"identity:list_projects_for_user": ""
# List all domains a user has access to via role assignments.
# GET /v3/auth/domains
#"identity:list_domains_for_user": ""
# Create a user.
# POST /v3/users
#"identity:create_user": "rule:admin_required"
# Update a user, including administrative password resets.
# PATCH /v3/users/{user_id}
#"identity:update_user": "rule:admin_required"
# Delete a user.
# DELETE /v3/users/{user_id}
#"identity:delete_user": "rule:admin_required"
# Self-service password change.
# POST /v3/users/{user_id}/password
#"identity:change_password": "rule:admin_or_owner"
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.