713d92df4e
The current identity role list command (both v2 and v3) is overloaded with listing roles as well as assignments (if you provide user, group, project or domain options). This is in addition to the v3 assignment list command designed for this purpose. This overloading complicates the fact that roles can now be domain specific (i.e. have a domain attribute), so the command 'role list --domain <domain-name' will soon become ambigious (this is in a follow on patch). This patch: - Adds a v2 assignments list, with support for pulling the user and project from the auth credentials - For comapability, adds the same auth support to the existing v3 assignments list - Deprecates the use of role list and user role list to list assignments Change-Id: I65bafdef4f8c89e863dab101369d0d629fa818b8 Partial-Bug: 1605774
282 lines
5.4 KiB
ReStructuredText
282 lines
5.4 KiB
ReStructuredText
====
|
|
role
|
|
====
|
|
|
|
Identity v2, v3
|
|
|
|
role add
|
|
--------
|
|
|
|
Add role assignment to a user or group in a project or domain
|
|
|
|
.. program:: role add
|
|
.. code:: bash
|
|
|
|
os role add
|
|
--domain <domain> | --project <project> [--project-domain <project-domain>]
|
|
--user <user> [--user-domain <user-domain>] | --group <group> [--group-domain <group-domain>]
|
|
--inherited
|
|
<role>
|
|
|
|
.. option:: --domain <domain>
|
|
|
|
Include <domain> (name or ID)
|
|
|
|
.. versionadded:: 3
|
|
|
|
.. option:: --project <project>
|
|
|
|
Include <project> (name or ID)
|
|
|
|
.. option:: --user <user>
|
|
|
|
Include <user> (name or ID)
|
|
|
|
.. option:: --group <group>
|
|
|
|
Include <group> (name or ID)
|
|
|
|
.. versionadded:: 3
|
|
|
|
.. option:: --user-domain <user-domain>
|
|
|
|
Domain the user belongs to (name or ID).
|
|
This can be used in case collisions between user names exist.
|
|
|
|
.. versionadded:: 3
|
|
|
|
.. option:: --group-domain <group-domain>
|
|
|
|
Domain the group belongs to (name or ID).
|
|
This can be used in case collisions between group names exist.
|
|
|
|
.. versionadded:: 3
|
|
|
|
.. option:: --project-domain <project-domain>
|
|
|
|
Domain the project belongs to (name or ID).
|
|
This can be used in case collisions between project names exist.
|
|
|
|
.. versionadded:: 3
|
|
|
|
.. option:: --inherited
|
|
|
|
Specifies if the role grant is inheritable to the sub projects.
|
|
|
|
.. versionadded:: 3
|
|
|
|
.. describe:: <role>
|
|
|
|
Role to add to <project>:<user> (name or ID)
|
|
|
|
role create
|
|
-----------
|
|
|
|
Create new role
|
|
|
|
.. program:: role create
|
|
.. code:: bash
|
|
|
|
os role create
|
|
[--or-show]
|
|
<name>
|
|
|
|
.. option:: --or-show
|
|
|
|
Return existing role
|
|
|
|
If the role already exists return the existing role data and do not fail.
|
|
|
|
.. describe:: <name>
|
|
|
|
New role name
|
|
|
|
role delete
|
|
-----------
|
|
|
|
Delete role(s)
|
|
|
|
.. program:: role delete
|
|
.. code:: bash
|
|
|
|
os role delete
|
|
<role> [<role> ...]
|
|
|
|
.. describe:: <role>
|
|
|
|
Role to delete (name or ID)
|
|
|
|
role list
|
|
---------
|
|
|
|
List roles
|
|
|
|
.. program:: role list
|
|
.. code:: bash
|
|
|
|
os role list
|
|
--domain <domain> | --project <project> [--project-domain <project-domain>]
|
|
--user <user> [--user-domain <user-domain>] | --group <group> [--group-domain <group-domain>]
|
|
--inherited
|
|
|
|
.. option:: --domain <domain>
|
|
|
|
Filter roles by <domain> (name or ID)
|
|
|
|
(Deprecated, please use ``role assignment list`` instead)
|
|
|
|
.. option:: --project <project>
|
|
|
|
Filter roles by <project> (name or ID)
|
|
|
|
(Deprecated, please use ``role assignment list`` instead)
|
|
|
|
.. option:: --user <user>
|
|
|
|
Filter roles by <user> (name or ID)
|
|
|
|
(Deprecated, please use ``role assignment list`` instead)
|
|
|
|
.. option:: --group <group>
|
|
|
|
Filter roles by <group> (name or ID)
|
|
|
|
(Deprecated, please use ``role assignment list`` instead)
|
|
|
|
.. option:: --user-domain <user-domain>
|
|
|
|
Domain the user belongs to (name or ID).
|
|
This can be used in case collisions between user names exist.
|
|
|
|
(Deprecated, please use ``role assignment list`` instead)
|
|
|
|
.. versionadded:: 3
|
|
|
|
.. option:: --group-domain <group-domain>
|
|
|
|
Domain the group belongs to (name or ID).
|
|
This can be used in case collisions between group names exist.
|
|
|
|
(Deprecated, please use ``role assignment list`` instead)
|
|
|
|
.. versionadded:: 3
|
|
|
|
.. option:: --project-domain <project-domain>
|
|
|
|
Domain the project belongs to (name or ID).
|
|
This can be used in case collisions between project names exist.
|
|
|
|
(Deprecated, please use ``role assignment list`` instead)
|
|
|
|
.. versionadded:: 3
|
|
|
|
.. option:: --inherited
|
|
|
|
Specifies if the role grant is inheritable to the sub projects.
|
|
|
|
(Deprecated, please use ``role assignment list`` instead)
|
|
|
|
.. versionadded:: 3
|
|
|
|
role remove
|
|
-----------
|
|
|
|
Remove role assignment from domain/project : user/group
|
|
|
|
.. program:: role remove
|
|
.. code:: bash
|
|
|
|
os role remove
|
|
--domain <domain> | --project <project> [--project-domain <project-domain>]
|
|
--user <user> [--user-domain <user-domain>] | --group <group> [--group-domain <group-domain>]
|
|
--inherited
|
|
<role>
|
|
|
|
.. option:: --domain <domain>
|
|
|
|
Include <domain> (name or ID)
|
|
|
|
.. versionadded:: 3
|
|
|
|
.. option:: --project <project>
|
|
|
|
Include <project> (name or ID)
|
|
|
|
.. option:: --user <user>
|
|
|
|
Include <user> (name or ID)
|
|
|
|
.. option:: --group <group>
|
|
|
|
Include <group> (name or ID)
|
|
|
|
.. versionadded:: 3
|
|
|
|
.. option:: --user-domain <user-domain>
|
|
|
|
Domain the user belongs to (name or ID).
|
|
This can be used in case collisions between user names exist.
|
|
|
|
.. versionadded:: 3
|
|
|
|
.. option:: --group-domain <group-domain>
|
|
|
|
Domain the group belongs to (name or ID).
|
|
This can be used in case collisions between group names exist.
|
|
|
|
.. versionadded:: 3
|
|
|
|
.. option:: --project-domain <project-domain>
|
|
|
|
Domain the project belongs to (name or ID).
|
|
This can be used in case collisions between project names exist.
|
|
|
|
.. versionadded:: 3
|
|
|
|
.. option:: --inherited
|
|
|
|
Specifies if the role grant is inheritable to the sub projects.
|
|
|
|
.. versionadded:: 3
|
|
|
|
.. describe:: <role>
|
|
|
|
Role to remove (name or ID)
|
|
|
|
role set
|
|
--------
|
|
|
|
Set role properties
|
|
|
|
.. versionadded:: 3
|
|
|
|
.. program:: role set
|
|
.. code:: bash
|
|
|
|
os role set
|
|
[--name <name>]
|
|
<role>
|
|
|
|
.. option:: --name <name>
|
|
|
|
Set role name
|
|
|
|
.. describe:: <role>
|
|
|
|
Role to modify (name or ID)
|
|
|
|
role show
|
|
---------
|
|
|
|
Display role details
|
|
|
|
.. program:: role show
|
|
.. code:: bash
|
|
|
|
os role show
|
|
<role>
|
|
|
|
.. describe:: <role>
|
|
|
|
Role to display (name or ID)
|