ac4cc65cb5
Contains .inc files which have all the contents of the .rst files but are grouped together for easier editing. Contains parameters.yaml, which has all parameters in one file. Contains request and response samples (JSON and XML) that are pointed to from the .inc files. Change-Id: I42d5451300f95774a3ec4df66bc95cb36795844d
393 lines
8.7 KiB
YAML
393 lines
8.7 KiB
YAML
# variables in header
|
|
{}
|
|
|
|
# variables in path
|
|
access_token_id:
|
|
description: |
|
|
The UUID of the access token.
|
|
in: path
|
|
required: false
|
|
type: string
|
|
consumer_id:
|
|
description: |
|
|
The UUID of the consumer.
|
|
in: path
|
|
required: false
|
|
type: string
|
|
domain_id:
|
|
description: |
|
|
The UUID of the domain.
|
|
in: path
|
|
required: false
|
|
type: string
|
|
endpoint_id:
|
|
description: |
|
|
The endpoint ID.
|
|
in: path
|
|
required: false
|
|
type: string
|
|
group_id:
|
|
description: |
|
|
The UUID of the group.
|
|
in: path
|
|
required: false
|
|
type: string
|
|
name:
|
|
description: |
|
|
The name of the group.
|
|
in: path
|
|
required: false
|
|
type: string
|
|
policy_id:
|
|
description: |
|
|
The policy ID.
|
|
in: path
|
|
required: false
|
|
type: string
|
|
project_id:
|
|
description: |
|
|
The UUID of the project.
|
|
in: path
|
|
required: false
|
|
type: string
|
|
region_id:
|
|
description: |
|
|
The region ID.
|
|
in: path
|
|
required: false
|
|
type: string
|
|
role_id:
|
|
description: |
|
|
The UUID of the role.
|
|
in: path
|
|
required: false
|
|
type: string
|
|
service_id:
|
|
description: |
|
|
The service ID.
|
|
in: path
|
|
required: false
|
|
type: string
|
|
user_id:
|
|
description: |
|
|
The UUID of the user.
|
|
in: path
|
|
required: false
|
|
type: string
|
|
|
|
# variables in query
|
|
{}
|
|
|
|
# variables in body
|
|
blob:
|
|
description: |
|
|
The policy rule itself, as a serialized blob.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
endpoints:
|
|
description: |
|
|
An ``endpoints`` object.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
generation:
|
|
description: |
|
|
A unique integer value that identifies the key.
|
|
The generation value changes only if you set a new key. If the
|
|
request sets the key to the same value that already exists, the
|
|
response shows the existing generation value, which makes the
|
|
request idempotent.
|
|
in: body
|
|
required: true
|
|
type: integer
|
|
id:
|
|
description: |
|
|
The ID of the trust.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
id_1:
|
|
description: |
|
|
The endpoint UUID.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
id_2:
|
|
description: |
|
|
The ID of the policy.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
impersonation:
|
|
description: |
|
|
The impersonation flag. Default is false.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
interface:
|
|
description: |
|
|
The interface type, which describes the
|
|
visibility of the endpoint. Value is: - ``public``. Visible by
|
|
end users on a publicly available network interface. -
|
|
``internal``. Visible by end users on an unmetered internal
|
|
network interface. - ``admin``. Visible by administrative users
|
|
on a secure network interface.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
links:
|
|
description: |
|
|
Trust links.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
links_1:
|
|
description: |
|
|
The links for the ``endpoints`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
links_2:
|
|
description: |
|
|
The links for the ``policy`` resource.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
metadata:
|
|
description: |
|
|
A Base64-encoded JSON object that contains these key and value
|
|
pairs:
|
|
|
|
- ``source``. The identity who is requesting a ticket.
|
|
|
|
- ``destination``. The target for which the ticket will be valid.
|
|
|
|
- ``timestamp``. The current time stamp from the requester.
|
|
|
|
- ``nonce``. Random, single-use data. See `Cryptographic nonce
|
|
<https://en.wikipedia.org/wiki/Cryptographic_nonce>`_.
|
|
|
|
The time stamp and nonce are required to prevent replay attacks.
|
|
|
|
For example:
|
|
|
|
.. code-block:: json
|
|
|
|
{
|
|
"source": "scheduler.host.example.com",
|
|
"destination": "compute.host.example.com",
|
|
"timestamp": "2012-03-26T10:01:01.720000",
|
|
"nonce": 1234567890
|
|
}
|
|
in: body
|
|
required: true
|
|
type: object
|
|
name_1:
|
|
description: |
|
|
The role name.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
name_2:
|
|
description: |
|
|
The name of the group.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
next:
|
|
description: |
|
|
The ``next`` relative link for the ``endpoints``
|
|
resource.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
oauth_expires_at:
|
|
description: |
|
|
The date and time when a request token expires.
|
|
|
|
The date and time stamp format is `ISO 8601
|
|
<https://en.wikipedia.org/wiki/ISO_8601>`_:
|
|
|
|
::
|
|
|
|
CCYY-MM-DDThh:mm:ss±hh:mm
|
|
|
|
The ``±hh:mm`` value, if included, is the time zone as an offset
|
|
from UTC.
|
|
|
|
For example, ``2015-08-27T09:49:58-05:00``.
|
|
|
|
If the Identity API does not include this attribute or its value is
|
|
``null``, the token never expires.
|
|
in: body
|
|
required: false
|
|
type: string
|
|
policy:
|
|
description: |
|
|
A ``policy`` object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
previous:
|
|
description: |
|
|
The ``previous`` relative link for the
|
|
``endpoints`` resource.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
project_id_1:
|
|
description: |
|
|
The ID of the project.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
region:
|
|
description: |
|
|
(Deprecated in v3.2) The geographic location of
|
|
the service endpoint.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
remaining_uses:
|
|
description: |
|
|
Remaining uses flag. Default is null.
|
|
in: body
|
|
required: false
|
|
type: boolean
|
|
roles:
|
|
description: |
|
|
A roles object.
|
|
in: body
|
|
required: true
|
|
type: array
|
|
roles_links:
|
|
description: |
|
|
A roles links object. Includes ``next``,
|
|
``previous``, and ``self`` links for roles.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
self:
|
|
description: |
|
|
The ``self`` relative link for the ``endpoints``
|
|
resource.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
service_id_1:
|
|
description: |
|
|
The UUID of the service to which the endpoint
|
|
belongs.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
signature:
|
|
description: |
|
|
A Base64-encoded HMAC signature over the
|
|
Base64-encoded request metadata object. For example:
|
|
``Base64encode(HMAC(SigningKey, RequestMetadata))`` The long-term
|
|
key of the requester is used for the signature. When the request
|
|
is received, the KDS must verify the signature. To do so, the KDS
|
|
must access the ``source`` from the request metadata to look up
|
|
the associated long-term key to use to verify the signature. The
|
|
KDS should not access any other data contained in the request
|
|
metadata before verifying the signature. If the KDS fails to
|
|
verify the signature, it risks issuing a ticket to a party who is
|
|
impersonating the source.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
ticket:
|
|
description: |
|
|
The ticket is encrypted with the long-term key of the source and
|
|
contains a Base64-encoded JSON object containing the following key
|
|
and value pairs:
|
|
|
|
- ``skey``. The newly-generated Base64-encoded message signing key.
|
|
|
|
- ``ekey``. The newly-generated Base64-encoded message encryption
|
|
key.
|
|
|
|
- ``esek``. Encrypted signing and encryption key pair for the
|
|
receiver.
|
|
|
|
For example:
|
|
|
|
.. code-block:: json
|
|
|
|
{
|
|
"skey": "ZjhkuYZH8y87rzhgi7...",
|
|
"ekey": "Fk8yksa8z8zKtakc8s...",
|
|
"esek": "KBo8fajfo8ysad5hq2..."
|
|
}
|
|
|
|
The long-term key of the destination is used to encrypt the
|
|
``esek`` value. The ``esek`` value contains a Base64-encoded JSON
|
|
object that contains the following key and value pairs:
|
|
|
|
- ``key``. The Base64-encoded random key that is used to generate
|
|
the signing and encryption keys.
|
|
|
|
- ``timestamp``. The time stamp when the key was created.
|
|
|
|
- ``ttl``. An integer value that specifies the validity length of
|
|
the key, in seconds.
|
|
|
|
For example:
|
|
|
|
.. code-block:: json
|
|
|
|
{
|
|
"key": "Afa8sad2hgsd7asv7ad...",
|
|
"timestamp": "2012-03-26T10:01:01.720000",
|
|
"ttl": 28800
|
|
}
|
|
|
|
The ``key`` and ``timestamp`` values are used as inputs to the HKDF
|
|
``expand`` function to generate the signing and encryption keys, as
|
|
described in the overview on this page.
|
|
|
|
The ``timestamp`` and ``ttl`` values must equal the ``expiration``
|
|
time stamp value that is contained in the response metadata.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
trust:
|
|
description: |
|
|
A trust object.
|
|
in: body
|
|
required: true
|
|
type: object
|
|
trustee_user_id:
|
|
description: |
|
|
The trustee user ID.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
trustor_user_id:
|
|
description: |
|
|
The trustor user ID.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
type:
|
|
description: |
|
|
The MIME media type of the serialized policy
|
|
blob. From the perspective of the Identity API, a policy blob can
|
|
be based on any technology. In OpenStack, the ``policy.json`` blob
|
|
(``type="application/json"``) is the conventional solution.
|
|
However, you might want to use an alternative policy engine that
|
|
uses a different policy language type. For example,
|
|
``type="application/xacml+xml"``.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
url:
|
|
description: |
|
|
The endpoint URL.
|
|
in: body
|
|
required: true
|
|
type: string
|
|
|