From 277adf9c7d124ac7e4bf545782b377df63202c4c Mon Sep 17 00:00:00 2001 From: Brant Knudson Date: Sun, 27 Jul 2014 14:57:13 -0500 Subject: [PATCH] JSON Home support Identity API V3.3 will support JSON Home. bp json-home Change-Id: I636391bfd800fb616c85d0e93070ac4b169bd8f0 --- .../identity-api-v3-os-ep-filter-ext.md | 36 +++ .../identity-api-v3-os-federation-ext.md | 38 ++++ .../identity-api-v3-os-inherit-ext.md | 18 ++ .../markdown/identity-api-v3-os-oauth1-ext.md | 28 +++ .../markdown/identity-api-v3-os-revoke-ext.md | 2 + .../identity-api-v3-os-simple-certs-ext.md | 4 + .../markdown/identity-api-v3-os-trust-ext.md | 14 ++ v3/src/markdown/identity-api-v3.md | 210 ++++++++++++++++++ 8 files changed, 350 insertions(+) diff --git a/v3/src/markdown/identity-api-v3-os-ep-filter-ext.md b/v3/src/markdown/identity-api-v3-os-ep-filter-ext.md index a089e1b9..6bbb6c1b 100644 --- a/v3/src/markdown/identity-api-v3-os-ep-filter-ext.md +++ b/v3/src/markdown/identity-api-v3-os-ep-filter-ext.md @@ -43,6 +43,8 @@ does not have the right authorization a HTTP 401 Unauthorized is returned. #### Create Association: `PUT /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint` + Modifies the endpoint resource adding an association between the project and the endpoint. @@ -52,6 +54,8 @@ Response: #### Check Association: `HEAD /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint` + Verifies the existence of an association between a project and an endpoint. Response: @@ -60,6 +64,8 @@ Response: #### List Associations for Project: `GET /OS-EP-FILTER/projects/{project_id}/endpoints` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoints` + Returns all the endpoints that are currently associated with a specific project. Response: @@ -97,6 +103,8 @@ Response: #### Delete Association: `DELETE /OS-EP-FILTER/projects/{project_id}/endpoints/{endpoint_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint` + Eliminates a previously created association between a project and an endpoint. Response: @@ -105,6 +113,8 @@ Response: #### Get projects associated with endpoint: `GET /OS-EP-FILTER/endpoints/{endpoint_id}/projects` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_projects` + Returns a list of projects that are currently associated with the given endpoint. Response: @@ -145,6 +155,8 @@ Response: #### Create Endpoint Group Filter: `POST /OS-EP-FILTER/endpoint_groups` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_groups` + Request: { @@ -179,6 +191,8 @@ Response: #### Get Endpoint Group: `GET /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group` + Response: Status: 200 OK @@ -200,12 +214,16 @@ Response: #### Check Endpoint Group: `HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group` + Response: Status: 200 OK #### Update Endpoint Group: `PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group` + The request block is the same as the one for create endpoint group, except that only the attributes that are being updated need to be included. @@ -243,12 +261,16 @@ Response: #### Remove Endpoint Group: `DELETE /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group` + Response: Status: 204 No Content #### List All Endpoint Groups: `GET /OS-EP-FILTER/endpoint_groups` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_groups` + Response: Status: 200 OK @@ -292,6 +314,8 @@ Response: #### List Endpoint Groups Associated with Project: `GET /OS-EP-FILTER/endpoint_groups/projects/{project_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/project_endpoint_groups` + Response: Status: 200 OK @@ -324,12 +348,16 @@ Response: #### Create Endpoint Group to Project Association: `PUT /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_project` + Response: Status: 204 No Content #### Get Endpoint Group to Project Association: `GET /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_project` + Response: Status: 200 OK @@ -349,18 +377,24 @@ Response: #### Check Endpoint Group to Project Association: `HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_project` + Response: Status: 200 OK #### Delete Endpoint Group to Project Association: `DELETE /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects/{project_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_project` + Response: Status: 204 No Content #### List Projects Associated with Endpoint Group: `GET /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/projects` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_projects` + Response: Status: 200 OK @@ -397,6 +431,8 @@ Response: #### List Service Endpoints Associated with Endpoint Group: `GET /OS-EP-FILTER/endpoint_groups/{endpoint_group_id}/endpoints` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-EP-FILTER/1.0/rel/endpoint_group_endpoints` + Response: Status: 200 OK diff --git a/v3/src/markdown/identity-api-v3-os-federation-ext.md b/v3/src/markdown/identity-api-v3-os-federation-ext.md index c52160ec..88d94041 100644 --- a/v3/src/markdown/identity-api-v3-os-federation-ext.md +++ b/v3/src/markdown/identity-api-v3-os-federation-ext.md @@ -143,6 +143,8 @@ Identity Provider API ### Register an Identity Provider: `PUT /OS-FEDERATION/identity_providers/{idp_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider` + Request: { @@ -170,6 +172,8 @@ Response: ### List identity providers: `GET /OS-FEDERATION/identity_providers` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_providers` + Response: Status: 200 OK @@ -204,6 +208,8 @@ Response: ### Get Identity provider: `GET /OS-FEDERATION/identity_providers/{idp_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider` + Response: Status: 200 OK @@ -222,6 +228,8 @@ Response: ### Delete identity provider: `DELETE /OS-FEDERATION/identity_providers/{idp_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider` + When an identity provider is deleted, any tokens generated by that identity provider will be revoked. @@ -231,6 +239,8 @@ Response: ### Update identity provider: `PATCH /OS-FEDERATION/identity_providers/{idp_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider` + Request: { @@ -260,6 +270,8 @@ provider will be revoked. ### Add a supported protocol and attribute mapping combination to an identity provider: `PUT /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocol` + Request: { @@ -285,6 +297,8 @@ Response: ### List all supported protocol and attribute mapping combinations of an identity provider: `GET /OS-FEDERATION/identity_providers/{idp_id}/protocols` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocols` + Response: Status: 200 OK @@ -309,6 +323,8 @@ Response: ### Get a supported protocol and attribute mapping combination for an identity provider: `GET /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocol` + Response: Status: 200 OK @@ -326,6 +342,8 @@ Response: ### Update the attribute mapping for an identity provider and protocol combination: `PATCH /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocol` + Request: { @@ -351,6 +369,8 @@ Response: ### Delete a supported protocol and attribute mapping combination from an identity provider: `DELETE /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocol` + Response: Status: 204 No Content @@ -360,6 +380,8 @@ Mapping API ### Create a mapping: `PUT /OS-FEDERATION/mappings/{mapping_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/mapping` + Request: { @@ -438,6 +460,8 @@ Response: ### Get a mapping: `GET /OS-FEDERATION/mappings/{mapping_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/mapping` + Response: Status: 200 OK @@ -481,6 +505,8 @@ Response: ### Update a mapping: `PATCH /OS-FEDERATION/mappings/{mapping_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/mapping` + Request: { @@ -559,6 +585,8 @@ Response: ### List all mappings: `GET /OS-FEDERATION/mappings` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/mappings` + Response: Status 200 OK @@ -609,6 +637,8 @@ Response: ### Delete a mapping: `DELETE /OS-FEDERATION/mappings/{mapping_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/mapping` + Response: Status: 204 No Content @@ -618,6 +648,8 @@ Listing projects and domains ### List projects a federated user can access: `GET /OS-FEDERATION/projects` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/projects` + Returns a collection of projects to which the federated user has authorization to access. To access this resource, an unscoped token is used, the user can then select a project and request a scoped token. Note that only enabled @@ -657,6 +689,8 @@ Response: ### List domains a federated user can access: `GET /OS-FEDERATION/domains` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/domains` + Returns a collection of domains to which the federated user has authorization to access. To access this resource, an unscoped token is used, the user can then select a domain and request a scoped token. Note that only enabled @@ -794,6 +828,8 @@ Authenticating ### Request an unscoped OS-FEDERATION token: `GET/POST /OS-FEDERATION/identity_providers/{identity_provider}/protocols/{protocol}/auth` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-FEDERATION/1.0/rel/identity_provider_protocol_auth` + A federated user may request an unscoped token, which can be used to get a scoped token. @@ -834,6 +870,8 @@ Example of an OS-FEDERATION token: ### Request a scoped OS-FEDERATION token: `POST /auth/tokens` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens` + A federated user may request a scoped token, by using the unscoped token. A project or domain may be specified by either id or name. An id is sufficient to uniquely identify a project or domain. diff --git a/v3/src/markdown/identity-api-v3-os-inherit-ext.md b/v3/src/markdown/identity-api-v3-os-inherit-ext.md index cef24c29..4503301e 100644 --- a/v3/src/markdown/identity-api-v3-os-inherit-ext.md +++ b/v3/src/markdown/identity-api-v3-os-inherit-ext.md @@ -12,6 +12,8 @@ The following additional APIs are supported by this extension: #### Assign role to user on projects owned by a domain: `PUT /OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_role_inherited_to_projects` + The inherited role is only applied to the owned projects (both existing and future projects), and will not appear as a role in a domain scoped token. @@ -22,6 +24,8 @@ Response: #### Assign role to group on projects owned by a domain: `PUT /OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects` +Relationship: `http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_group_role_inherited_to_projects` + The inherited role is only applied to the owned projects (both existing and future projects), and will not appear as a role in a domain scoped token. @@ -32,6 +36,8 @@ Response: #### List user's inherited project roles on a domain: `GET /OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/inherited_to_projects` +Relationship: `http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_user_roles_inherited_to_projects` + The list only contains those role assignments to the domain that were specified as being inherited to projects within that domain. @@ -67,6 +73,8 @@ Response: #### List group's inherited project roles on domain: `GET /OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/inherited_to_projects` +Relationship: `'http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_group_roles_inherited_to_projects` + The list only contains those role assignments to the domain that were specified as being inherited to projects within that domain. @@ -102,6 +110,8 @@ Response: #### Check if user has an inherited project role on domain: `HEAD /OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_role_inherited_to_projects` + Response: Status: 204 No Content @@ -109,6 +119,8 @@ Response: #### Check if group has an inherited project role on domain: `HEAD /OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects` +Relationship: `http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_group_role_inherited_to_projects` + Response: Status: 204 No Content @@ -116,6 +128,8 @@ Response: #### Revoke an inherited project role from user on domain: `DELETE /OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-INHERIT/1.0/rel/domain_user_role_inherited_to_projects` + Response: Status: 204 No Content @@ -123,6 +137,8 @@ Response: #### Revoke an inherited project role from group on domain: `DELETE /OS-INHERIT/domains/{domain_id}/groups/{group_id}/roles/{role_id}/inherited_to_projects` +Relationship: `http://docs.openstack.org/identity/rel/v3/ext/OS-INHERIT/1.0/domain_group_role_inherited_to_projects` + Response: Status: 204 No Content @@ -134,6 +150,8 @@ The following APIs are modified by this extension. #### List effective role assignments: `GET /role_assignments` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/role_assignments` + The scope section in the list response is extended to allow the representation of role assignments that are inherited to projects. diff --git a/v3/src/markdown/identity-api-v3-os-oauth1-ext.md b/v3/src/markdown/identity-api-v3-os-oauth1-ext.md index 81ee812e..22a89994 100644 --- a/v3/src/markdown/identity-api-v3-os-oauth1-ext.md +++ b/v3/src/markdown/identity-api-v3-os-oauth1-ext.md @@ -65,6 +65,8 @@ Consumers API ### Create Consumer: `POST /OS-OAUTH1/consumers` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumers` + Request: { @@ -92,6 +94,8 @@ The `secret` is only returned once, during consumer creation. ### List Consumers: `GET /OS-OAUTH1/consumers` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumers` + Response: Status: 200 OK @@ -121,6 +125,8 @@ Response: ### Get Consumer: `GET /OS-OAUTH1/consumers/{consumer_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumer` + Response: Status: 200 OK @@ -137,6 +143,8 @@ Response: ### Delete Consumer: `DELETE /OS-OAUTH1/consumers/{consumer_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumer` + When a Consumer is deleted, any Request Tokens, Access Tokens, or Identity API Tokens will also be deleted. @@ -146,6 +154,8 @@ Response: ### Update Consumer: `PATCH /OS-OAUTH1/consumers/{consumer_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/consumer` + Only a Consumer's `description` is mutable. Attempting to PATCH an immutable attribute should result in a HTTP 400 Bad Request. @@ -176,6 +186,8 @@ Delegated Auth APIs ### Create Request Token: `POST /OS-OAUTH1/request_token` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/request_tokens` + A Consumer uses the Consumer Key and Secret to obtain a Request Token. The Request Token is used to initiate User authorization. The Request Token, once authorized, can be exchanged along with the OAuth Verifier for an Access @@ -214,6 +226,8 @@ Response Parameters: ### Authorize Request Token: `PUT /OS-OAUTH1/authorize/{request_token_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/authorize_request_token` + To authorize the Request Token, the authorizing user must have access to the requested project. Upon successful authorization, an OAuth Verifier code is returned. The Consumer receives the OAuth Verifier @@ -242,6 +256,8 @@ Response: ### Create Access Token: `POST /OS-OAUTH1/access_token` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/access_tokens` + After the User authorizes the Request Token, the Consumer exchanges the authorized Request Token and OAuth Verifier for an Access Token. The Identity service may include an `oauth_expires_at` parameter in the response. If no such @@ -267,6 +283,8 @@ Response Parameters: ### Request an Identity API Token: `POST /auth/tokens` +Relationship: `http://docs.openstack.org/identity/rel/v3/auth_tokens` + The Consumer can now request valid Identity API service tokens representing the authorizing User's delegated authorization and identity (impersonation). The generated token's roles and scope will match that which the Consumer @@ -313,6 +331,8 @@ User Access Token APIs ### List authorized access tokens: `GET /users/{user_id}/OS-OAUTH1/access_tokens` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_tokens` + Response: { @@ -338,6 +358,8 @@ Response: ### Get authorized access token: `GET /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token` + Response: { @@ -356,14 +378,20 @@ Response: ### List roles of an access token: `GET /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token_roles` + See `GET /v3/roles` for an [example](https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#list-roles-get-roles) of this response format. ### Get a role of an access token: `GET /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}/roles/{role_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token_role` + See `GET /v3/roles/{role_id}` for an [example](https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#get-role-get-rolesrole_id) of this response format. ### Revoke access token: `DELETE /users/{user_id}/OS-OAUTH1/access_tokens/{access_token_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-OAUTH1/1.0/rel/user_access_token` + A User can revoke an Access Token, preventing the Consumer from requesting new Identity API service tokens. This also revokes any Identity API tokens issued to the Consumer using that Access Token. diff --git a/v3/src/markdown/identity-api-v3-os-revoke-ext.md b/v3/src/markdown/identity-api-v3-os-revoke-ext.md index cf6a5e82..99e30f9b 100644 --- a/v3/src/markdown/identity-api-v3-os-revoke-ext.md +++ b/v3/src/markdown/identity-api-v3-os-revoke-ext.md @@ -81,6 +81,8 @@ API #### List revocation events: `GET /OS-REVOKE/events` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-REVOKE/1.0/rel/events` + Optional query parameters: - `since` (RFC 1123 format date time): limit the list of results to events that diff --git a/v3/src/markdown/identity-api-v3-os-simple-certs-ext.md b/v3/src/markdown/identity-api-v3-os-simple-certs-ext.md index 2b4fd126..5aebfc73 100644 --- a/v3/src/markdown/identity-api-v3-os-simple-certs-ext.md +++ b/v3/src/markdown/identity-api-v3-os-simple-certs-ext.md @@ -30,6 +30,8 @@ API #### Retrieve CA certificate chain: `GET /OS-SIMPLE-CERT/ca` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-SIMPLE-CERT/1.0/rel/ca_certificate` + Fetches the certificate chain used to authenticate signed tokens. It is possible that a chain of certificates (more than one) is returned. In @@ -63,6 +65,8 @@ this case the chain should be used when validating a token. #### Retrieve signing certificates: `GET /OS-SIMPLE-CERT/certificates` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-SIMPLE-CERT/1.0/rel/certificates` + Fetches the certificates containing the public key for the private key that has been used to sign tokens. diff --git a/v3/src/markdown/identity-api-v3-os-trust-ext.md b/v3/src/markdown/identity-api-v3-os-trust-ext.md index 0ff186ed..a014cab8 100644 --- a/v3/src/markdown/identity-api-v3-os-trust-ext.md +++ b/v3/src/markdown/identity-api-v3-os-trust-ext.md @@ -203,6 +203,8 @@ the trust, the `impersonation` flag, the `trustee_user_id` and the #### Create trust: `POST /OS-TRUST/trusts` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trusts` + Request: { @@ -255,6 +257,8 @@ Response: #### List trusts: `GET /OS-TRUST/trusts` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trusts` + query_string: page (optional) query_string: per_page (optional, default 30) query filter for "trustee_user_id", "trustor_user_id" (optional) @@ -355,6 +359,8 @@ Response: #### Get trust: `GET /OS-TRUST/trusts/{trust_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust` + Response: Status: 200 OK @@ -389,12 +395,16 @@ Response: #### Delete trust: `DELETE /OS-TRUST/trusts/{trust_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust` + Response: Status: 204 No Content #### List roles delegated by a trust: `GET /OS-TRUST/trusts/{trust_id}/roles` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust_roles` + Response: Status: 200 OK @@ -420,12 +430,16 @@ Response: #### Check if role is delegated by a trust: `HEAD /OS-TRUST/trusts/{trust_id}/roles/{role_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust_role` + Response: Status: 204 No Content #### Get role delegated by a trust: `GET /OS-TRUST/trusts/{trust_id}/roles/{role_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/ext/OS-TRUST/1.0/rel/trust_role` + Response: Status: 200 OK diff --git a/v3/src/markdown/identity-api-v3.md b/v3/src/markdown/identity-api-v3.md index 8b2f51f3..a5f03976 100644 --- a/v3/src/markdown/identity-api-v3.md +++ b/v3/src/markdown/identity-api-v3.md @@ -17,6 +17,7 @@ These features are not yet considered stable (expected September 4th, 2014). - Addition of `name` optional variable to be included from service definition into the service catalog. - Introduced a stand alone call to retrieve a service catalog. +- JSON Home support What's New in Version 3.2 ------------------------- @@ -1190,6 +1191,25 @@ Example entity: } } +JSON Home +--------- + +Identity API version 3.3 supports JSON Home for resource and extension +discovery. The identity server will return a JSON Home document on a `GET /v3` +request where the `Accept` header indicates that the response should be +`application/json-home`. The JSON Home document contains a mapping of +"relationships" to the relative path or path template to the actual resource. + +The JSON Home document includes not only the core APIs that are supported for +that version of the identity API, but also the resources for the enabled +extensions. Disabled extensions won't have their relationships in the JSON Home +document. A client application can query the JSON Home document to see if an +extension is available. + +Each of the resources in the Core API below specify the "relationship" for the +resource. A client application can look up the resource path or path template +for a resource by looking for that resource in the JSON Home document. + Core API -------- @@ -1223,6 +1243,32 @@ Response: } } +*New in 3.3*: `GET /v3/` will return a JSON Home response if the `Accept` +header indicates that the client wants an `application/json-home` response. +Note that the client must check the `Content-Type` in the response because +older servers will return a normal JSON response rather than the JSON Home +response. See http://tools.ietf.org/html/draft-nottingham-json-home-03 for a +description of the JSON Home document format. + +The JSON Home document returned includes all the core components and also the +resources for the enabled extensions. Resources for disabled extensions aren't +included. + +Request: + + GET /v3 + Accept: application/json-home + +Response: + + { + "resources": { + "http://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens": { + "href": "/auth/tokens" + }, + ... One for each resource ... + } + } ### Tokens @@ -1238,6 +1284,8 @@ Use cases: #### Authenticate: `POST /auth/tokens` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens` + Each request to create a token contains an attribute with `identity` information and, optionally, a `scope` describing the authorization scope being requested. Example request structure: @@ -1497,6 +1545,8 @@ token will be issued without an explicit scope of authorization. ##### Catalog Opt-Out: `POST /v3/auth/tokens?nocatalog` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens` + *New in version 3.1* If the caller specifies a `nocatalog` query parameter in the authentication request, then the authentication response will not contain the service catalog. The service catalog will otherwise be included in the @@ -1769,6 +1819,8 @@ For example: #### Validate token and get service catalog: `GET /auth/tokens` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens` + To validate a token using the Identity API, pass your own token in the `X-Auth-Token` header, and the token to be validated in the `X-Subject-Token` header. The Identity service returns a service catalog in the response. @@ -1785,6 +1837,8 @@ token was issued by `POST /auth/tokens`. #### Validate token: `GET /auth/tokens?nocatalog` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens` + *New in version 3.2* To validate a token using the Identity API without returning a service catalog @@ -1795,12 +1849,16 @@ token was issued by `POST /auth/tokens?nocatalog`. #### Check token: `HEAD /auth/tokens` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens` + This call is identical to `GET /auth/tokens`, but no response body is provided, even if an error occurs or the token is invalid. A 204 response indicates that the `X-Subject-Token` is valid. #### Revoke token: `DELETE /auth/tokens` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/auth_tokens` + This call is identical to `HEAD /auth/tokens` except that the `X-Subject-Token` token is immediately invalidated, regardless of its `expires_at` attribute. An additional `X-Auth-Token` is not required. @@ -1814,6 +1872,8 @@ The key use cases we need to cover: #### Get service catalog: `GET /catalog` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/catalog` + *New in version 3.3* This call returns a service catalog for the `X-Auth-Token` provided in the @@ -1864,6 +1924,8 @@ Response: #### List regions: `GET /regions` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/regions` + Optional query parameters: - `parent_region_id` (string) @@ -1894,6 +1956,8 @@ Response: #### Get region: `GET /regions/{region_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/region` + Response: Status: 200 OK @@ -1912,6 +1976,8 @@ Response: #### Create region: `POST /regions` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/regions` + Request: { @@ -1944,6 +2010,8 @@ Response: #### Create region with specific ID: `PUT /regions/{user_defined_region_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/region` + Request: { @@ -1980,6 +2048,8 @@ Response: #### Update region: `PATCH /regions/{region_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/region` + Request: { @@ -2010,6 +2080,8 @@ Response: #### Delete region: `DELETE /regions/{region_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/region` + * Note: deleting a region with child regions should return a `409 Conflict` Response: @@ -2018,6 +2090,8 @@ Response: #### List services: `GET /services` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/services` + Optional query parameters: - `name` (string) *New in version 3.3* @@ -2057,6 +2131,8 @@ Response: #### Get service: `GET /services/{service_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/service` + Response: Status: 200 OK @@ -2075,6 +2151,8 @@ Response: #### Create service: `POST /services` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/services` + Request: { @@ -2103,6 +2181,8 @@ Response: #### Update service: `PATCH /services/{service_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/service` + The request block is the same as the one for create service, except that only the attributes that are being updated need to be included. @@ -2124,6 +2204,8 @@ Response: #### Delete service: `DELETE /services/{service_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/service` + * Note: deleting a service when endpoints exist should either 1) delete all associated endpoints or 2) fail until endpoints are deleted @@ -2135,6 +2217,8 @@ Response: #### List endpoints: `GET /endpoints` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/endpoints` + Optional query parameters: - `interface` (string) @@ -2178,6 +2262,8 @@ Response: #### Get endpoint: `GET /endpoints/{endpoint_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/endpoint` + Response: Status: 200 OK @@ -2198,6 +2284,8 @@ Response: #### Create endpoint: `POST /endpoints` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/endpoints` + Request: { @@ -2229,6 +2317,8 @@ Response: #### Update endpoint: `PATCH /endpoints/{endpoint_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/endpoint` + The request block is the same as the one for create endpoint, except that only the attributes that are being updated need to be included. @@ -2253,6 +2343,8 @@ Response: #### Delete endpoint: `DELETE /endpoints/{endpoint_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/endpoint` + Response: Status: 204 No Content @@ -2261,6 +2353,8 @@ Response: #### List domains: `GET /domains` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domains` + Optional query parameters: - `enabled` (key-only, no value expected) @@ -2300,6 +2394,8 @@ Response: #### Get domain: `GET /domains/{domain_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domain` + Response: Status: 200 OK @@ -2318,6 +2414,8 @@ Response: #### Create domain: `POST /domains` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domains` + Request: { @@ -2346,6 +2444,8 @@ Response: #### Update domain: `PATCH /domains/{domain_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domain` + The request block is the same as the one for create domain, except that only the attributes that are being updated need to be included. @@ -2375,6 +2475,8 @@ Response: #### Delete domain: `DELETE /domains/{domain_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domain` + Deleting a domain will delete all the entities owned by it (Users, Groups, and Projects), as well as any credentials and role grants that relate to these entities. @@ -2392,6 +2494,8 @@ Response: #### List projects: `GET /projects` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/projects` + Optional query parameters: - `domain_id` (string) @@ -2432,6 +2536,8 @@ Response: #### Get project: `GET /projects/{project_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/project` + Response: Status: 200 OK @@ -2450,6 +2556,8 @@ Response: #### Create project: `POST /projects` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/projects` + Request: { @@ -2480,6 +2588,8 @@ Response: #### Update project: `PATCH /projects/{project_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/project` + The request block is the same as the one for create project, except that only the attributes that are being updated need to be included. @@ -2511,12 +2621,16 @@ Response: #### Delete project: `DELETE /projects/{project_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/project` + Status: 204 No Content ### Users #### List users: `GET /users` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/users` + Optional query parameters: - `domain_id` (string) @@ -2563,6 +2677,8 @@ Response: #### Get user: `GET /users/{user_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/user` + Response: Status: 200 OK @@ -2584,6 +2700,8 @@ Response: #### List user projects: `GET /users/{user_id}/projects` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/user_projects` + Optional query parameters: - `enabled` (key-only, no value expected) @@ -2623,6 +2741,8 @@ Response: #### List groups of which a user is a member: `GET /users/{user_id}/groups` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/user_groups` + Optional query parameters: - `name` (string) @@ -2661,6 +2781,8 @@ Response: #### Create user: `POST /users` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/users` + Request: { @@ -2696,6 +2818,8 @@ Response: #### Update user: `PATCH /users/{user_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/user` + The request block is the same as the one for create user, except that only the attributes that are being updated need to be included. Use this method attempt to update user password or enable/disable the user. This may return a HTTP 501 @@ -2722,12 +2846,16 @@ Response: #### Delete user: `DELETE /users/{user_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/user` + Response: Status: 204 No Content #### Change user password: `POST /users/{user_id}/password` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/user_change_password` + Request: { @@ -2745,6 +2873,8 @@ Response: #### Create group: `POST /groups` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/groups` + Request: { @@ -2772,6 +2902,8 @@ Response: #### List groups: `GET /groups` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/groups` + Optional query parameters: - `domain_id` (string) @@ -2820,6 +2952,8 @@ Response: #### Get group: `GET /groups/{group_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/group` + Response: Status: 200 OK @@ -2837,6 +2971,8 @@ Response: #### List users who are members of a group: `GET /groups/{group_id}/users` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/group_users` + Optional query parameters: - `enabled` (key-only, no value expected) @@ -2882,6 +3018,8 @@ Response: #### Update group: `PATCH /groups/{group_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/group` + The request block is the same as the one for create group, except that only the attributes that are being updated need to be included. This may return a HTTP 501 Not Implemented if the back-end driver doesn't allow for the functionality. @@ -2903,24 +3041,32 @@ Response: #### Delete group: `DELETE /groups/{group_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/group` + Response: Status: 204 No Content #### Add user to group: `PUT /groups/{group_id}/users/{user_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/group_user` + Response: Status: 204 No Content #### Remove user from group: `DELETE /groups/{group_id}/users/{user_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/group_user` + Response: Status: 204 No Content #### Check if user is member of group: `HEAD /groups/{group_id}/users/{user_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/group_user` + Response: Status: 204 No Content @@ -2933,6 +3079,8 @@ The key use cases we need to cover: #### Create credential: `POST /credentials` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/credentials` + This example shows creating an EC2 style credential where the credentials are a combination of access_key and secret. Other credentials (such as access_key) may be supported by simply changing the content of the key data. @@ -2967,6 +3115,8 @@ Response: #### List credentials: `GET /credentials` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/credentials` + Optional query parameters: - `user_id` (string) @@ -3007,6 +3157,8 @@ Response: #### Get credential: `GET /credentials/{credential_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/credential` + Response: Status: 200 OK @@ -3026,6 +3178,8 @@ Response: #### Update credential: `PATCH /credentials/{credential_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/credential` + The request block is the same as the one for create credential, except that only the attributes that are being updated need to be included. @@ -3048,6 +3202,8 @@ Response: #### Delete credential: `DELETE /credentials/{credential_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/credential` + Response: Status: 204 No Content @@ -3061,6 +3217,8 @@ The key use cases we need to cover: #### Create role: `POST /roles` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/roles` + Request: { @@ -3085,6 +3243,8 @@ Response: #### List roles: `GET /roles` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/roles` + Optional query parameters: - `name` (string) @@ -3119,6 +3279,8 @@ Response: #### Get role: `GET /roles/{role_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/role` + Response: Status: 200 OK @@ -3135,6 +3297,8 @@ Response: #### Update role: `PATCH /roles/{role_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/role` + The request block is the same as the one for create role, except that only the attributes that are being updated need to be included. @@ -3154,24 +3318,32 @@ Response: #### Delete role: `DELETE /roles/{role_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/role` + Response: Status: 204 No Content #### Grant role to user on domain: `PUT /domains/{domain_id}/users/{user_id}/roles/{role_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domain_user_role` + Response: Status: 204 No Content #### Grant role to group on domain: `PUT /domains/{domain_id}/groups/{group_id}/roles/{role_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domain_group_role` + Response: Status: 204 No Content #### List user's roles on domain: `GET /domains/{domain_id}/users/{user_id}/roles` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domain_user_roles` + Response: Status: 200 OK @@ -3202,6 +3374,8 @@ Response: #### List group's roles on domain: `GET /domains/{domain_id}/groups/{group_id}/roles` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domain_group_roles` + Response: Status: 200 OK @@ -3232,42 +3406,56 @@ Response: #### Check if user has role on domain: `HEAD /domains/{domain_id}/users/{user_id}/roles/{role_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domain_user_role` + Response: Status: 204 No Content #### Check if group has role on domain: `HEAD /domains/{domain_id}/groups/{group_id}/roles/{role_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domain_group_role` + Response: Status: 204 No Content #### Revoke role from user on domain: `DELETE /domains/{domain_id}/users/{user_id}/roles/{role_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domain_user_role` + Response: Status: 204 No Content #### Revoke role from group on domain: `DELETE /domains/{domain_id}/groups/{group_id}/roles/{role_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/domain_group_role` + Response: Status: 204 No Content #### Grant role to user on project: `PUT /projects/{project_id}/users/{user_id}/roles/{role_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/project_user_role` + Response: Status: 204 No Content #### Grant role to group on project: `PUT /projects/{project_id}/groups/{group_id}/roles/{role_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/project_group_role` + Response: Status: 204 No Content #### List user's roles on project: `GET /projects/{project_id}/users/{user_id}/roles` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/project_user_role` + Response: Status: 200 OK @@ -3298,6 +3486,8 @@ Response: #### List group's roles on project: `GET /projects/{project_id}/groups/{group_id}/roles` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/project_group_roles` + Response: Status: 200 OK @@ -3328,30 +3518,40 @@ Response: #### Check if user has role on project: `HEAD /projects/{project_id}/users/{user_id}/roles/{role_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/project_user_role` + Response: Status: 204 No Content #### Check if group has role on project: `HEAD /projects/{project_id}/groups/{group_id}/roles/{role_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/project_group_role` + Response: Status: 204 No Content #### Revoke role from user on project: `DELETE /projects/{project_id}/users/{user_id}/roles/{role_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/project_user_role` + Response: Status: 204 No Content #### Revoke role from group on project: `DELETE /projects/{project_id}/groups/{group_id}/roles/{role_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/project_group_role` + Response: Status: 204 No Content #### List effective role assignments: `GET /role_assignments` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/role_assignments` + *New in version 3.1* Optional query parameters: @@ -3506,6 +3706,8 @@ The key use cases we need to cover: #### Create policy: `POST /policies` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/policies` + Request: { @@ -3530,6 +3732,8 @@ Response: #### List policies: `GET /policies` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/policies` + Optional query parameters: - `type` (string) @@ -3566,6 +3770,8 @@ Response: #### Get policy: `GET /policies/{policy_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/policy` + Response: Status: 200 OK @@ -3583,6 +3789,8 @@ Response: #### Update policy: `PATCH /policies/{policy_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/policy` + The request block is the same as the one for create policy, except that only the attributes that are being updated need to be included. @@ -3603,6 +3811,8 @@ Response: #### Delete policy: `DELETE /policies/{policy_id}` +Relationship: `http://docs.openstack.org/api/openstack-identity/3/rel/policy` + Response: Status: 204 No Content