# variables in header {} # variables in path access_token_id: description: | The UUID of the access token. in: path required: false type: string consumer_id: description: | The UUID of the consumer. in: path required: false type: string domain_id: description: | The UUID of the domain. in: path required: false type: string endpoint_id: description: | The endpoint ID. in: path required: false type: string group_id: description: | The UUID of the group. in: path required: false type: string name: description: | The name of the group. in: path required: false type: string policy_id: description: | The policy ID. in: path required: false type: string project_id: description: | The UUID of the project. in: path required: false type: string region_id: description: | The region ID. in: path required: false type: string role_id: description: | The UUID of the role. in: path required: false type: string service_id: description: | The service ID. in: path required: false type: string user_id: description: | The UUID of the user. in: path required: false type: string # variables in query {} # variables in body blob: description: | The policy rule itself, as a serialized blob. in: body required: true type: object endpoints: description: | An ``endpoints`` object. in: body required: true type: array generation: description: | A unique integer value that identifies the key. The generation value changes only if you set a new key. If the request sets the key to the same value that already exists, the response shows the existing generation value, which makes the request idempotent. in: body required: true type: integer id: description: | The ID of the trust. in: body required: true type: string id_1: description: | The endpoint UUID. in: body required: true type: string id_2: description: | The ID of the policy. in: body required: true type: string impersonation: description: | The impersonation flag. Default is false. in: body required: false type: boolean interface: description: | The interface type, which describes the visibility of the endpoint. Value is: - ``public``. Visible by end users on a publicly available network interface. - ``internal``. Visible by end users on an unmetered internal network interface. - ``admin``. Visible by administrative users on a secure network interface. in: body required: true type: string links: description: | Trust links. in: body required: true type: object links_1: description: | The links for the ``endpoints`` resource. in: body required: true type: object links_2: description: | The links for the ``policy`` resource. in: body required: true type: object metadata: description: | A Base64-encoded JSON object that contains these key and value pairs: - ``source``. The identity who is requesting a ticket. - ``destination``. The target for which the ticket will be valid. - ``timestamp``. The current time stamp from the requester. - ``nonce``. Random, single-use data. See `Cryptographic nonce `_. The time stamp and nonce are required to prevent replay attacks. For example: .. code-block:: json { "source": "scheduler.host.example.com", "destination": "compute.host.example.com", "timestamp": "2012-03-26T10:01:01.720000", "nonce": 1234567890 } in: body required: true type: object name_1: description: | The role name. in: body required: true type: string name_2: description: | The name of the group. in: body required: true type: string next: description: | The ``next`` relative link for the ``endpoints`` resource. in: body required: true type: string oauth_expires_at: description: | The date and time when a request token expires. The date and time stamp format is `ISO 8601 `_: :: CCYY-MM-DDThh:mm:ss±hh:mm The ``±hh:mm`` value, if included, is the time zone as an offset from UTC. For example, ``2015-08-27T09:49:58-05:00``. If the Identity API does not include this attribute or its value is ``null``, the token never expires. in: body required: false type: string policy: description: | A ``policy`` object. in: body required: true type: object previous: description: | The ``previous`` relative link for the ``endpoints`` resource. in: body required: true type: string project_id_1: description: | The ID of the project. in: body required: true type: string region: description: | (Deprecated in v3.2) The geographic location of the service endpoint. in: body required: true type: string remaining_uses: description: | Remaining uses flag. Default is null. in: body required: false type: boolean roles: description: | A roles object. in: body required: true type: array roles_links: description: | A roles links object. Includes ``next``, ``previous``, and ``self`` links for roles. in: body required: true type: object self: description: | The ``self`` relative link for the ``endpoints`` resource. in: body required: true type: string service_id_1: description: | The UUID of the service to which the endpoint belongs. in: body required: true type: string signature: description: | A Base64-encoded HMAC signature over the Base64-encoded request metadata object. For example: ``Base64encode(HMAC(SigningKey, RequestMetadata))`` The long-term key of the requester is used for the signature. When the request is received, the KDS must verify the signature. To do so, the KDS must access the ``source`` from the request metadata to look up the associated long-term key to use to verify the signature. The KDS should not access any other data contained in the request metadata before verifying the signature. If the KDS fails to verify the signature, it risks issuing a ticket to a party who is impersonating the source. in: body required: true type: string ticket: description: | The ticket is encrypted with the long-term key of the source and contains a Base64-encoded JSON object containing the following key and value pairs: - ``skey``. The newly-generated Base64-encoded message signing key. - ``ekey``. The newly-generated Base64-encoded message encryption key. - ``esek``. Encrypted signing and encryption key pair for the receiver. For example: .. code-block:: json { "skey": "ZjhkuYZH8y87rzhgi7...", "ekey": "Fk8yksa8z8zKtakc8s...", "esek": "KBo8fajfo8ysad5hq2..." } The long-term key of the destination is used to encrypt the ``esek`` value. The ``esek`` value contains a Base64-encoded JSON object that contains the following key and value pairs: - ``key``. The Base64-encoded random key that is used to generate the signing and encryption keys. - ``timestamp``. The time stamp when the key was created. - ``ttl``. An integer value that specifies the validity length of the key, in seconds. For example: .. code-block:: json { "key": "Afa8sad2hgsd7asv7ad...", "timestamp": "2012-03-26T10:01:01.720000", "ttl": 28800 } The ``key`` and ``timestamp`` values are used as inputs to the HKDF ``expand`` function to generate the signing and encryption keys, as described in the overview on this page. The ``timestamp`` and ``ttl`` values must equal the ``expiration`` time stamp value that is contained in the response metadata. in: body required: true type: string trust: description: | A trust object. in: body required: true type: object trustee_user_id: description: | The trustee user ID. in: body required: true type: string trustor_user_id: description: | The trustor user ID. in: body required: true type: string type: description: | The MIME media type of the serialized policy blob. From the perspective of the Identity API, a policy blob can be based on any technology. In OpenStack, the ``policy.json`` blob (``type="application/json"``) is the conventional solution. However, you might want to use an alternative policy engine that uses a different policy language type. For example, ``type="application/xacml+xml"``. in: body required: true type: string url: description: | The endpoint URL. in: body required: true type: string