api-ref/source/v3/parameters.yaml

# variables in header
X-Auth-Token:
  description: |
    A valid authentication token for an
    administrative user.
  in: header
  required: true
  type: string
X-Subject-Token:
  description: |
    The authentication token.  An authentication
    response returns the token ID in this header rather than in the
    response body.
  in: header
  required: true
  type: string

# variables in path
credential_id_path:
  description: |
    The UUID for the credential.
  in: path
  required: true
  type: string
domain_id_path:
  description: |
    The domain ID.
  in: path
  required: true
  type: string
endpoint_id_path:
  description: |
    The endpoint ID.
  in: path
  required: true
  type: string
group_id:
  description: |
    The group ID.
  in: path
  required: true
  type: string
group_id_path:
  description: |
    The group ID.
  in: path
  required: true
  type: string
implies_role_id:
  description: |
    Role ID for an implied role.
  in: path
  required: true
  type: string
limit_id_path:
  description: |
    The limit ID.
  in: path
  required: true
  type: string
option:
  description: |
    The option name. For the ``ldap`` group, a valid
    value is ``url`` or ``user_tree_dn``. For the ``identity`` group,
    a valid value is ``driver``.
  in: path
  required: true
  type: string
policy_id_path:
  description: |
    The policy ID.
  in: path
  required: true
  type: string
prior_role_id:
  description: |
    Role ID for a prior role.
  in: path
  required: true
  type: string
project_id_path:
  description: |
    The project ID.
  in: path
  required: true
  type: string
project_tag_path:
  description: |
    A simple string associated with a project. Can be used for assigning
    values to projects and filtering based on those values.
  in: path
  required: true
  type: string
region_id_path:
  description: |
    The region ID.
  in: path
  required: true
  type: string
registered_limit_id_path:
  description: |
    The registered limit ID.
  in: path
  required: true
  type: string
request_application_credential_id_path_required:
  description: |
    The ID of the application credential.
  in: path
  required: true
  type: string
request_application_credential_user_id_path_required:
  description: |
    The ID of the user who owns the application credential.
  in: path
  required: true
  type: string
role_id:
  description: |
    The role ID.
  in: path
  required: true
  type: string
role_id_path:
  description: |
    The role ID.
  in: path
  required: true
  type: string
service_id_path:
  description: |
    The service ID.
  in: path
  required: true
  type: string
user_id_path:
  description: |
    The user ID.
  in: path
  required: true
  type: string

# variables in query
allow_expired:
  description: |
    (Since v3.8) Allow fetching a token that has expired. By default expired
    tokens return a 404 exception.
  in: query
  required: false
  type: bool
domain_enabled_query:
  description: |
    If set to true, then only domains that are enabled will be returned, if set
    to false only that are disabled will be returned. Any value other than
    ``0``, including no value, will be interpreted as true.
  in: query
  required: false
  type: string
domain_id_query:
  description: |
    Filters the response by a domain ID.
  in: query
  required: false
  type: string
domain_name_query:
  description: |
    Filters the response by a domain name.
  in: query
  required: false
  type: string
effective_query:
  description: |
    Returns the effective assignments, including any assignments gained by
    virtue of group membership.
  in: query
  required: false
  type: key-only (no value required)
enabled_user_query:
  description: |
    Filters the response by either enabled (``true``)
    or disabled (``false``) users.
  in: query
  required: false
  type: string
group_id_query:
  description: |
    Filters the response by a group ID.
  in: query
  required: false
  type: string
group_name_query:
  description: |
    Filters the response by a group name.
  in: query
  required: false
  type: string
idp_id_query:
  description: |
    Filters the response by an identity provider ID.
  in: query
  required: false
  type: string
include_names_query:
  description: |
    If set to true, then the names of any entities returned will be include as
    well as their IDs. Any value other than ``0`` (including no value) will be
    interpreted as true.
  in: query
  required: false
  type: boolean
  min_version: 3.6
include_subtree_query:
  description: |
    If set to true, then relevant assignments in the project hierarchy below
    the project specified in the ``scope.project_id`` query parameter are also
    included in the response. Any value other than ``0`` (including no value)
    for ``include_subtree`` will be interpreted as true.
  in: query
  required: false
  type: boolean
  min_version: 3.6
interface_query:
  description: |
    Filters the response by an interface.
  in: query
  required: false
  type: string
is_domain_query:
  description: |
    If this is specified as true, then only projects acting as a domain are
    included. Otherwise, only projects that are not acting as a domain are
    included.
  in: query
  required: false
  type: boolean
  min_version: 3.6
name_user_query:
  description: |
    Filters the response by a user name.
  in: query
  required: false
  type: string
nocatalog:
  description: |
    (Since v3.1) The authentication response excludes
    the service catalog. By default, the response includes the service
    catalog.
  in: query
  required: false
  type: string
parent_id_query:
  description: |
    Filters the response by a parent ID.
  in: query
  required: false
  type: string
  min_version: 3.4
parent_region_id_query_not_required:
  description: |
    Filters the response by a parent region, by ID.
  in: query
  required: false
  type: string
parents_as_ids:
  description: |
    The entire parent hierarchy will be included as
    nested dictionaries in the response. It will contain
    all projects ids found by traversing up the hierarchy
    to the top-level project.
  in: query
  required: false
  type: key-only, no value expected
  min_version: 3.4
parents_as_list:
  description: |
    The parent hierarchy will be included as a list in the response.
    This list will contain the projects found by traversing up the
    hierarchy to the top-level project. The returned list will be
    filtered against the projects the user has an effective role
    assignment on.
  in: query
  required: false
  type: key-only, no value expected
  min_version: 3.4
password_expires_at_query:
  description: |
    Filter results based on which user passwords have expired. The query should
    include an ``operator`` and a ``timestamp`` with a colon (``:``) separating
    the two, for example::

      password_expires_at={operator}:{timestamp}

    - Valid operators are: ``lt``, ``lte``, ``gt``, ``gte``, ``eq``, and ``neq``

      - lt: expiration time lower than the timestamp
      - lte: expiration time lower than or equal to the timestamp
      - gt: expiration time higher than the timestamp
      - gte: expiration time higher than or equal to the timestamp
      - eq: expiration time equal to the timestamp
      - neq: expiration time not equal to the timestamp

    - Valid timestamps are of the form: ``YYYY-MM-DDTHH:mm:ssZ``.

    For example::

      /v3/users?password_expires_at=lt:2016-12-08T22:02:00Z

    The example would return a list of users whose password expired before the
    timestamp (``2016-12-08T22:02:00Z``).

  in: query
  required: false
  type: string
policy_type_query:
  description: |
    Filters the response by a MIME media type for the
    serialized policy blob. For example, ``application/json``.
  in: query
  required: false
  type: string
project_enabled_query:
  description: |
    If set to true, then only enabled projects will be returned. Any value
    other than ``0`` (including no value) will be interpreted as true.
  in: query
  required: false
  type: boolean
project_name_query:
  description: |
    Filters the response by a project name.
  in: query
  required: false
  type: string
protocol_id_query:
  description: |
    Filters the response by a protocol ID.
  in: query
  required: false
  type: string
region_id_query:
  description: |
    Filters the response by a region ID.
  in: query
  required: false
  type: string
resource_name_query:
  description: |
    Filters the response by a specified resource name.
  in: query
  required: false
  type: string
role_id_query:
  description: |
    Filters the response by a role ID.
  in: query
  required: false
  type: string
role_name_query:
  description: |
    Filters the response by a role name.
  in: query
  required: false
  type: string
scope_domain_id_query:
  description: |
    Filters the response by a domain ID.
  in: query
  required: false
  type: string
scope_os_inherit_inherited_to:
  description: |
    Filters based on role assignments that are inherited.
    The only value of ``inherited_to`` that is currently
    supported is ``projects``.
  in: query
  required: false
  type: string
scope_project_id_query:
  description: |
    Filters the response by a project ID.
  in: query
  required: false
  type: string
scope_system_query:
  description: |
    Filters the response by system assignments.
  in: query
  required: false
  type: string
service_id_query:
  description: |
    Filters the response by a service ID.
  in: query
  required: false
  type: string
service_type_query:
  description: |
    Filters the response by a service type. A valid
    value is ``compute``, ``ec2``, ``identity``, ``image``,
    ``network``, or ``volume``.
  in: query
  required: false
  type: string
subtree_as_ids:
  description: |
    The entire child hierarchy will be included as nested dictionaries
    in the response. It will contain all the projects ids found by
    traversing down the hierarchy.
  in: query
  required: false
  type: key-only, no value expected
  min_version: 3.4
subtree_as_list:
  description: |
    The child hierarchy will be included as a list in the response.
    This list will contain the projects found by traversing down
    the hierarchy. The returned list will be filtered against the
    projects the user has an effective role assignment on.
  in: query
  required: false
  type: key-only, no value expected
  min_version: 3.4
unique_id_query:
  description: |
    Filters the response by a unique ID.
  in: query
  required: false
  type: string
user_id_query:
  description: |
    Filters the response by a user ID.
  in: query
  required: false
  type: string

# variables in body
audit_ids:
  description: |
    A list of one or two audit IDs. An audit ID is a
    unique, randomly generated, URL-safe string that you can use to
    track a token.  The first audit ID is the current audit ID for the
    token.  The second audit ID is present for only re-scoped tokens
    and is the audit ID from the token before it was re-scoped. A re-
    scoped token is one that was exchanged for another token of the
    same or different scope.  You can use these audit IDs to track the
    use of a token or chain of tokens across multiple requests and
    endpoints without exposing the token ID to non-privileged users.
  in: body
  required: true
  type: array
auth:
  description: |
    An ``auth`` object.
  in: body
  required: true
  type: object
auth_application_credential_restricted_body:
  description: |
    Whether the application credential is permitted to be used for creating and
    deleting additional application credentials and trusts.
  in: body
  required: true
  type: object
auth_domain:
  description: |
    Specify either ``id`` or ``name`` to uniquely
    identify the domain.
  in: body
  required: false
  type: object
auth_methods:
  description: |
    The authentication method, which is ``password``,
    ``token``, or both methods.  Indicates the accumulated set of
    authentication methods that were used to obtain the token. For
    example, if the token was obtained by password authentication, it
    contains ``password``. Later, if the token is exchanged by using
    the token authentication method one or more times, the
    subsequently created tokens contain both ``password`` and
    ``token`` in their ``methods`` attribute.  Unlike multi-factor
    authentication, the ``methods`` attribute merely indicates the
    methods that were used to authenticate the user in exchange for a
    token. The client is responsible for determining the total number
    of authentication factors.
  in: body
  required: true
  type: array
auth_methods_application_credential:
  description: |
    The authentication method. To authenticate with an application credential,
    specify ``application_credential``.
  in: body
  required: true
  type: array
auth_methods_passwd:
  description: |
    The authentication method. For password
    authentication, specify ``password``.
  in: body
  required: true
  type: array
auth_methods_token:
  description: |
    The authentication method. For token
    authentication, specify ``token``.
  in: body
  required: true
  type: array
auth_token:
  description: |
    A ``token`` object. The token authentication
    method is used. This method is typically used in combination with
    a request to change authorization scope.
  in: body
  required: true
  type: object
auth_token_id:
  description: |
    A token ID.
  in: body
  required: true
  type: string
catalog:
  description: |
    A ``catalog`` object.
  in: body
  required: true
  type: array
catalog_response_body_optional:
  description: |
    A ``catalog`` object.
  in: body
  required: false
  type: array
credential:
  description: |
    A ``credential`` object.
  in: body
  required: true
  type: object
credential_blob:
  description: |
    The credential itself, as a serialized blob.
  in: body
  required: true
  type: string
credential_blob_not_required:
  description: |
    The credential itself, as a serialized blob.
  in: body
  required: false
  type: string
credential_id:
  description: |
    The UUID for the credential.
  in: body
  required: true
  type: string
credential_links:
  description: |
    The links for the ``credential`` resource.
  in: body
  required: true
  type: object
credential_type:
  description: |
    The credential type, such as ``ec2`` or ``cert``.
    The implementation determines the list of supported types.
  in: body
  required: true
  type: string
credential_type_not_required:
  description: |
    The credential type, such as ``ec2`` or ``cert``.
    The implementation determines the list of supported types.
  in: body
  required: false
  type: string
credential_user_id:
  description: |
    The ID of the user who owns the credential.
  in: body
  required: true
  type: string
credential_user_id_not_required:
  description: |
    The ID of the user who owns the credential.
  in: body
  required: false
  type: string
credentials:
  description: |
    A list of ``credential`` objects.
  in: body
  required: true
  type: array
credentials_links:
  description: |
    The links for the ``credentials`` resource.
  in: body
  required: true
  type: object
default_limit:
  description: |
    The default limit for the registered limit.
  in: body
  required: true
  type: integer
default_project_id_request_body:
  description: |
    The ID of the default project for the user.
    A user's default project must not be a domain. Setting this
    attribute does not grant any actual authorization on the project,
    and is merely provided for convenience. Therefore, the referenced
    project does not need to exist within the user domain.  (Since v3.1)
    If the user does not have authorization to their default project,
    the default project is ignored at token creation.  (Since v3.1)
    Additionally, if your default project is not valid, a token is
    issued without an explicit scope of authorization.
  in: body
  required: false
  type: string
default_project_id_response_body:
  description: |
    The ID of the default project for the user.
  in: body
  required: false
  type: string
default_project_id_update_body:
  description: |
    The new ID of the default project for the user.
  in: body
  required: false
  type: string
description_limit_request_body:
  description: |
    The limit description.
  in: body
  required: false
  type: string
description_limit_response_body:
  description: |
    The limit description.
  in: body
  required: true
  type: string
description_region_request_body:
  description: |
    The region description.
  in: body
  required: false
  type: string
description_region_response_body:
  description: |
    The region description.
  in: body
  required: true
  type: string
description_registered_limit_request_body:
  description: |
    The registered limit description.
  in: body
  required: false
  type: string
description_registered_limit_response_body:
  description: |
    The registered limit description.
  in: body
  required: true
  type: string
domain:
  description: |
    A ``domain`` object
  in: body
  required: true
  type: object
domain_config:
  description: |
    A ``config`` object.
  in: body
  required: true
  type: object
domain_description_request_body:
  description: |
    The description of the domain.
  in: body
  required: false
  type: string
domain_description_response_body:
  description: |
    The description of the domain.
  in: body
  required: true
  type: string
domain_description_update_request_body:
  description: |
    The new description of the domain.
  in: body
  required: false
  type: string
domain_driver:
  description: |
    The Identity backend driver.
  in: body
  required: true
  type: string
domain_enabled_request_body:
  description: |
    If set to ``true``, domain is created enabled. If set to
    ``false``, domain is created disabled. The default is ``true``.

    Users can only authorize against an enabled domain (and any of its
    projects). In addition, users can only authenticate if the domain that owns
    them is also enabled. Disabling a domain prevents both of these things.
  in: body
  required: false
  type: string
domain_enabled_response_body:
  description: |
    If set to ``true``, domain is enabled. If set to
    ``false``, domain is disabled.
  in: body
  required: true
  type: string
domain_enabled_update_request_body:
  description: |
    If set to ``true``, domain is enabled. If set to
    ``false``, domain is disabled. The default is ``true``.

    Users can only authorize against an enabled domain (and any of its
    projects). In addition, users can only authenticate if the domain that owns
    them is also enabled. Disabling a domain prevents both of these things.
    When you disable a domain, all tokens that are authorized for that domain
    become no longer valid. If you reenable the domain, these tokens
    are not re-enabled.
  in: body
  required: false
  type: string
domain_id_response_body:
  description: |
    The ID of the domain.
  in: body
  required: true
  type: string
domain_ldap:
  description: |
    An ``ldap`` object. Required to set the LDAP
    group configuration options.
  in: body
  required: true
  type: object
domain_link_response_body:
  description: |
    The links to the ``domain`` resource.
  in: body
  required: true
  type: object
domain_name_request_body:
  description: |
    The name of the domain.
  in: body
  required: true
  type: string
domain_name_response_body:
  description: |
    The name of the domain.
  in: body
  required: true
  type: string
domain_name_update_request_body:
  description: |
    The new name of the domain.
  in: body
  required: false
  type: string
domain_scope_response_body_optional:
  description: |
    A ``domain`` object including the ``id`` and ``name`` representing the
    domain the token is scoped to. This is only included in tokens that are
    scoped to a domain.
  in: body
  required: false
  type: object
domain_url:
  description: |
    The LDAP URL.
  in: body
  required: true
  type: string
domain_user_tree_dn:
  description: |
    The base distinguished name (DN) of LDAP, from
    where all users can be reached. For example,
    ``ou=Users,dc=root,dc=org``.
  in: body
  required: true
  type: string
domains:
  description: |
    A list of ``domain`` objects
  in: body
  required: true
  type: array
email:
  description: |
    The email address for the user.
  in: body
  required: true
  type: string
enabled_user_request_body:
  description: |
    If the user is enabled, this value is ``true``.
    If the user is disabled, this value is ``false``.
  in: body
  required: false
  type: boolean
enabled_user_response_body:
  description: |
    If the user is enabled, this value is ``true``.
    If the user is disabled, this value is ``false``.
  in: body
  required: true
  type: boolean
enabled_user_update_body:
  description: |
    Enables or disables the user.  An enabled user
    can authenticate and receive authorization.  A disabled user
    cannot authenticate or receive authorization. Additionally, all
    tokens that the user holds become no longer valid. If you reenable
    this user, pre-existing tokens do not become valid.  To enable the
    user, set to ``true``. To disable the user, set to ``false``.
    Default is ``true``.
  in: body
  required: false
  type: boolean
endpoint:
  description: |
    An ``endpoint`` object.
  in: body
  required: true
  type: object
endpoint_enabled:
  description: |
    Indicates whether the endpoint appears in the
    service catalog:  - ``false``. The endpoint does not appear in the
    service catalog.  - ``true``. The endpoint appears in the service
    catalog.
  in: body
  required: true
  type: boolean
endpoint_enabled_not_required:
  description: |
    Defines whether the endpoint appears in the
    service catalog:  - ``false``. The endpoint does not appear in the
    service catalog.  - ``true``. The endpoint appears in the service
    catalog.  Default is ``true``.
  in: body
  required: false
  type: boolean
endpoint_id:
  description: |
    The endpoint ID.
  in: body
  required: true
  type: string
endpoint_interface:
  description: |
    The interface type, which describes the
    visibility of the endpoint.  Value is:  - ``public``. Visible by
    end users on a publicly available network   interface.  -
    ``internal``. Visible by end users on an unmetered internal
    network interface.  - ``admin``. Visible by administrative users
    on a secure network   interface.
  in: body
  required: true
  type: string
endpoint_links:
  description: |
    The links for the ``endpoint`` resource.
  in: body
  required: true
  type: object
endpoint_name:
  description: |
    The endpoint name.
  in: body
  required: true
  type: string
endpoint_region:
  description: |
    (Deprecated in v3.2) The geographic location of
    the service endpoint.
  in: body
  required: true
  type: string
endpoint_type:
  description: |
    The endpoint type.
  in: body
  required: true
  type: string
endpoint_url:
  description: |
    The endpoint URL.
  in: body
  required: true
  type: string
endpoints:
  description: |
    A list of ``endpoint`` objects.
  in: body
  required: true
  type: array
endpoints_links:
  description: |
    The links for the ``endpoints`` resource.
  in: body
  required: true
  type: object
expires_at:
  description: |
    The date and time when the token expires.

    The date and time stamp format is `ISO 8601
    <https://en.wikipedia.org/wiki/ISO_8601>`_:

    ::

       CCYY-MM-DDThh:mm:ss.sssZ

    For example, ``2015-08-27T09:49:58.000000Z``.

    A ``null`` value indicates that the token never expires.
  in: body
  required: true
  type: string
explicit_unscoped_string:
  description: |
    The authorization scope (Since v3.4). Specify
    ``unscoped`` to make an explicit unscoped token request, which
    returns an unscoped response without any authorization. This
    request behaves the same as a token request with no scope where
    the user has no default project defined. If an explicit,
    ``unscoped`` token request is not made and the user has
    authorization to their default project, then the response will
    return a project-scoped token. If a default project is not defined,
    a token is issued without an explicit scope of authorization,
    which is the same as asking for an explicit unscoped token.
  in: body
  required: false
  type: string
extra_request_body:
  description: |
    The extra attributes of a resource.
    The actual name ``extra`` is not the key name in the request body,
    but rather a collection of any attributes that a resource may contain
    that are not part of the resource's default attributes.
    Generally these are custom fields that are added to a resource in keystone
    by operators for their own specific uses,
    such as ``email`` and ``description`` for users.
  in: body
  required: false
  type: string
group:
  description: |
    A ``group`` object
  in: body
  required: true
  type: object
group_description_request_body:
  description: |
    The description of the group.
  in: body
  required: false
  type: string
group_description_response_body:
  description: |
    The description of the group.
  in: body
  required: true
  type: string
group_description_update_request_body:
  description: |
    The new description of the group.
  in: body
  required: false
  type: string
group_domain_id:
  description: |
    The ID of the domain that owns the group.  If you
    omit the domain ID, defaults to the domain to which the client
    token is scoped.
  in: body
  required: false
  type: string
group_domain_id_request_body:
  description: |
    The ID of the domain of the group. If the domain ID is not
    provided in the request, the Identity service will attempt to
    pull the domain ID from the token used in the request. Note that
    this requires the use of a domain-scoped token.
  in: body
  required: false
  type: string
group_domain_id_response_body:
  description: |
    The ID of the domain of the group.
  in: body
  required: true
  type: string
group_domain_id_update_request_body:
  description: |
    The ID of the new domain for the group. The ability to change the domain
    of a group is now deprecated, and will be removed in subsequent release.
    It is already disabled by default in most Identity service implementations.
  in: body
  required: false
  type: string
group_id_response_body:
  description: |
    The ID of the group.
  in: body
  required: true
  type: string
group_name_request_body:
  description: |
    The name of the group.
  in: body
  required: true
  type: string
group_name_response_body:
  description: |
    The name of the group.
  in: body
  required: true
  type: string
group_name_update_request_body:
  description: |
    The new name of the group.
  in: body
  required: false
  type: string
groups:
  description: |
    A list of ``group`` objects
  in: body
  required: true
  type: array
id_region_response_body:
  description: |
    The ID for the region.
  in: body
  required: true
  type: string
id_region_resquest_body:
  description: |
    The ID for the region.
  in: body
  required: false
  type: string
id_user_body:
  description: |
    The user ID.
  in: body
  required: true
  type: string
identity:
  description: |
    An ``identity`` object.
  in: body
  required: true
  type: object
implies_role_array_body:
  description: |
    An array of implied role objects.
  in: body
  required: true
  type: array
implies_role_object_body:
  description: |
    An implied role object.
  in: body
  required: true
  type: object
is_domain_request_body:
  description: |
    Indicates whether the project also acts as a domain. If set to ``true``,
    this project acts as both a project and domain. As a domain, the project
    provides a name space in which you can create users, groups, and other
    projects. If set to ``false``, this project behaves as a regular project
    that contains only resources. Default is ``false``. You cannot update
    this parameter after you create the project.
  in: body
  required: false
  type: boolean
  min_version: 3.6
is_domain_response_body:
  description: |
    Indicates whether the project also acts as a domain. If set to ``true``,
    this project acts as both a project and domain. As a domain, the project
    provides a name space in which you can create users, groups, and other
    projects. If set to ``false``, this project behaves as a regular project
    that contains only resources.
  in: body
  required: true
  type: boolean
  min_version: 3.6
issued_at:
  description: |
    The date and time when the token was issued.

    The date and time stamp format is `ISO 8601
    <https://en.wikipedia.org/wiki/ISO_8601>`_:

    ::

       CCYY-MM-DDThh:mm:ss.sssZ

    For example, ``2015-08-27T09:49:58.000000Z``.
  in: body
  required: true
  type: string
limit:
  description: |
    A ``limit`` object
  in: body
  required: true
  type: array
limit_id:
  description: |
    The limit ID.
  in: body
  required: true
  type: string
limit_model_description_required_response_body:
  description: A short description of the enforcement model used
  in: body
  required: true
  type: string
limit_model_name_required_response_body:
  description: The name of the enforcement model
  in: body
  required: true
  type: string
limit_model_required_response_body:
  description: A model object describing the configured enforcement model used
    by the deployment.
  in: body
  required: true
  type: object
limits:
  description: |
    A list of ``limits`` objects
  in: body
  required: true
  type: array
link_collection:
  description: |
    The link to the collection of resources.
  in: body
  required: true
  type: object
link_response_body:
  description: |
    The link to the resources in question.
  in: body
  required: true
  type: object
links_project:
  description: |
    The links for the ``project`` resource.
  in: body
  required: true
  type: object
links_region:
  description: |
    The links for the ``region`` resource.
  in: body
  required: true
  type: object
links_user:
  description: |
    The links for the ``user`` resource.
  in: body
  required: true
  type: object
original_password:
  description: |
    The original password for the user.
  in: body
  required: true
  type: string
parent_region_id_request_body:
  description: |
    To make this region a child of another region,
    set this parameter to the ID of the parent region.
  in: body
  required: false
  type: string
parent_region_id_response_body:
  description: |
    To make this region a child of another region,
    set this parameter to the ID of the parent region.
  in: body
  required: true
  type: string
password:
  description: |
    The ``password`` object, contains the authentication information.
  in: body
  required: true
  type: object
password_expires_at:
  description: |
    The date and time when the password expires. The time zone
    is UTC.

    This is a response object attribute; not valid for requests.
    A ``null`` value indicates that the password never expires.
  in: body
  required: true
  type: string
  min_version: 3.7
password_request_body:
  description: |
    The password for the user.
  in: body
  required: false
  type: string
policies:
  description: |
    A ``policies`` object.
  in: body
  required: true
  type: array
policy:
  description: |
    A ``policy`` object.
  in: body
  required: true
  type: object
policy_blob_obj:
  description: |
    The policy rule itself, as a serialized blob.
  in: body
  required: true
  type: object
policy_blob_str:
  description: |
    The policy rule set itself, as a serialized blob.
  in: body
  required: true
  type: string
policy_id:
  description: |
    The policy ID.
  in: body
  required: true
  type: string
policy_links:
  description: |
    The links for the ``policy`` resource.
  in: body
  required: true
  type: object
policy_type:
  description: |
    The MIME media type of the serialized policy
    blob.
  in: body
  required: true
  type: string
prior_role_body:
  description: |
    A prior role object.
  in: body
  required: true
  type: object
project:
  description: |
    A ``project`` object
  in: body
  required: true
  type: object
project_description_request_body:
  description: |
    The description of the project.
  in: body
  required: false
  type: string
project_description_response_body:
  description: |
    The description of the project.
  in: body
  required: true
  type: string
project_domain_id:
  description: |
    The ID of the domain for the project.  If you
    omit the domain ID, default is the domain to which your token is
    scoped.
  in: body
  required: false
  type: string
project_domain_id_request_body:
  description: |
    The ID of the domain for the project.

    For projects acting as a domain, the ``domain_id`` must not be specified,
    it will be generated by the Identity service implementation.

    For regular projects (i.e. those not acing as a domain), if ``domain_id``
    is not specified, but ``parent_id`` is specified, then the domain ID of the
    parent will be used. If neither ``domain_id`` or ``parent_id`` is
    specified, the Identity service implementation will default to the domain
    to which the client's token is scoped. If both ``domain_id`` and
    ``parent_id`` are specified, and they do not indicate the same domain, an
    ``Bad Request (400)`` will be returned.
  in: body
  required: false
  type: string
project_domain_id_response_body:
  description: |
    The ID of the domain for the project.
  in: body
  required: true
  type: string
project_domain_id_update_request_body:
  description: |
    The ID of the new domain for the project. The ability to change the domain
    of a project is now deprecated, and will be removed in subequent release.
    It is already disabled by default in most Identity service implementations.
  in: body
  required: false
  type: string
project_enabled_request_body:
  description: |
    If set to ``true``, project is enabled. If set to
    ``false``, project is disabled. The default is ``true``.
  in: body
  required: false
  type: boolean
project_enabled_response_body:
  description: |
    If set to ``true``, project is enabled. If set to
    ``false``, project is disabled.
  in: body
  required: true
  type: boolean
project_enabled_update_request_body:
  description: |
    If set to ``true``, project is enabled. If set to
    ``false``, project is disabled.
  in: body
  required: false
  type: boolean
project_id:
  description: |
    The ID for the project.
  in: body
  required: true
  type: string
project_name_request_body:
  description: |
    The name of the project, which must be unique within the
    owning domain. A project can have the same name as its domain.
  in: body
  required: true
  type: string
project_name_response_body:
  description: |
    The name of the project.
  in: body
  required: true
  type: string
project_name_update_request_body:
  description: |
    The name of the project, which must be unique within the
    owning domain. A project can have the same name as its domain.
  in: body
  required: false
  type: string
project_parent_id_request_body:
  description: |
    The ID of the parent of the project.

    If specified on project creation, this places the project within a
    hierarchy and implicitly defines the owning domain, which will be the
    same domain as the parent specified. If ``parent_id`` is
    not specified and ``is_domain`` is ``false``, then the project will use its
    owning domain as its parent. If ``is_domain`` is ``true`` (i.e. the project
    is acting as a domain), then ``parent_id`` must not specified (or if it is,
    it must be ``null``) since domains have no parents.

    ``parent_id`` is immutable, and can't be updated after the project is
    created - hence a project cannot be moved within the hierarchy.
  in: body
  required: false
  type: string
  min_version: 3.4
project_parent_id_response_body:
  description: |
    The ID of the parent for the project.
  in: body
  required: true
  type: string
  min_version: 3.4
project_scope_response_body_optional:
  description: |
    A ``project`` object including the ``id``, ``name`` and ``domain`` object
    representing the project the token is scoped to. This is only included in
    tokens that are scoped to a project.
  in: body
  required: false
  type: object
project_tags_request_body:
  description: |
    A list of simple strings assigned to a project.
    Tags can be used to classify projects into groups.
  in: body
  required: false
  type: array
projects:
  description: |
    A list of ``project`` objects
  in: body
  required: true
  type: array
region_id_not_required:
  description: |
    (Since v3.2) The ID of the region that contains
    the service endpoint.
  in: body
  required: false
  type: string
region_id_request_body:
  description: |
    The ID of the region that contains the service endpoint.
  in: body
  required: false
  type: string
region_id_required:
  description: |
    (Since v3.2) The ID of the region that contains
    the service endpoint.
  in: body
  required: true
  type: string
region_id_response_body:
  description: |
    The ID of the region that contains the service endpoint.
    The value can be None.
  in: body
  required: true
  type: string
region_object:
  description: |
    A ``region`` object
  in: body
  required: true
  type: object
regions_object:
  description: |
    A list of ``region`` object
  in: body
  required: true
  type: array
registered_limit:
  description: |
    A ``registered_limit`` objects
  in: body
  required: true
  type: array
registered_limit_id:
  description: |
    The registered limit ID.
  in: body
  required: true
  type: string
registered_limits:
  description: |
    A list of ``registered_limits`` objects
  in: body
  required: true
  type: array
request_application_credential_auth_id_body_not_required:
  description: |
    The ID of the application credential used for authentication. If not
    provided, the application credential must be identified by its name and
    its owning user.
  in: body
  required: false
  type: string
request_application_credential_auth_name_body_not_required:
  description: |
    The name of the application credential used for authentication. If
    provided, must be accompanied by a user object.
  in: body
  required: false
  type: string
request_application_credential_auth_secret_body_required:
  description: |
    The secret for authenticating the application credential.
  in: body
  required: true
  type: string
request_application_credential_body_required:
  description: |
    An application credential object.
  in: body
  required: true
  type: object
request_application_credential_description_body_not_required:
  description: |
    A description of the application credential's purpose.
  in: body
  required: false
  type: string
request_application_credential_expires_at_body_not_required:
  description: |
    An optional expiry time for the application credential. If unset, the
    application credential does not expire.
  in: body
  required: false
  type: string
request_application_credential_name_body_required:
  description: |
    The name of the application credential. Must be unique to a user.
  in: body
  required: true
  type: string
request_application_credential_roles_body_not_required:
  description: |
    An optional list of role objects, identified by ID or name. The list
    may only contain roles that the user has assigned on the project.
    If not provided, the roles assigned to the application credential will
    be the same as the roles in the current token.
  in: body
  required: false
  type: array
request_application_credential_secret_body_not_required:
  description: |
    The secret that the application credential will be created with. If not
    provided, one will be generated.
  in: body
  required: false
  type: string
request_application_credential_unrestricted_body_not_required:
  description: |
    An optional flag to restrict whether the application credential may be
    used for the creation or destruction of other application credentials or
    trusts. Defaults to false.
  in: body
  required: false
  type: boolean
request_application_credential_user_body_not_required:
  description: |
    A ``user`` object, required if an application credential is identified by
    name and not ID.
  in: body
  required: false
  type: object
resource_limit:
  description: |
    The override limit.
  in: body
  required: true
  type: integer
resource_name:
  description: |
    The resource name.
  in: body
  required: true
  type: string
response_application_credential_body:
  description: |
    The application credential object.
  in: body
  type: object
  required: true
response_application_credential_description_body:
  description: |
    A description of the application credential's purpose.
  in: body
  type: string
  required: true
response_application_credential_expires_at_body:
  description: |
    The expiration time of the application credential, if one was specified.
  in: body
  type: string
  required: true
response_application_credential_id_body:
  description: |
    The ID of the application credential.
  in: body
  type: string
  required: true
response_application_credential_name_body:
  description: |
    The name of the application credential.
  in: body
  type: string
  required: true
response_application_credential_project_id_body:
  description: |
    The ID of the project the application credential was created for and that
    authentication requests using this application credential will be scoped
    to.
  in: body
  type: string
  required: true
response_application_credential_roles_body:
  description: |
    A list of one or more roles that this application credential has
    associated with its project. A token using this application credential
    will have these same roles.
  in: body
  type: array
  required: true
response_application_credential_secret_body:
  description: |
    The secret for the application credential, either generated by the server
    or provided by the user. This is only ever shown once in the response to a
    create request. It is not stored nor ever shown again. If the secret is
    lost, a new application credential must be created.
  in: body
  type: string
  required: true
response_application_credential_unrestricted_body:
  description: |
    A flag indicating whether the application credential may be used for
    creation or destruction of other application credentials or trusts.
  in: body
  type: boolean
  required: true
response_body_project_tags_required:
  description: |
    A list of simple strings assigned to a project.
  in: body
  required: true
  type: array
response_body_system_required:
  description: |
    A list of systems to access based on role assignments.
  in: body
  required: true
  type: array
role:
  description: |
    A ``role`` object
  in: body
  required: true
  type: object
role_assignments:
  description: |
    A list of ``role_assignment`` objects.
  in: body
  required: true
  type: array
role_domain_id_request_body:
  description: |
    The ID of the domain of the role.
  in: body
  required: false
  type: string
role_id_response_body:
  description: |
    The role ID.
  in: body
  required: true
  type: string
role_inference_array_body:
  description: |
    An array of ``role_inference`` object.
  in: body
  required: true
  type: array
role_inference_body:
  description: |
    Role inference object that contains ``prior_role`` object
    and ``implies`` object.
  in: body
  required: true
  type: object
role_name_create_body:
  description: |
    The role name.
  in: body
  required: true
  type: string
role_name_response_body:
  description: |
    The role name.
  in: body
  required: true
  type: string
role_name_update_body:
  description: |
    The new role name.
  in: body
  required: false
  type: string
roles:
  description: |
    A list of ``role`` objects
  in: body
  required: true
  type: array
scope_string:
  description: |
    The authorization scope, including the system (Since v3.10), a project, or
    a domain (Since v3.4). If multiple scopes are specified in the same request
    (e.g. ``project`` and ``domain`` or ``domain`` and ``system``) an HTTP
    ``400 Bad Request`` will be returned, as a token cannot be simultaneously
    scoped to multiple authorization targets. An ID is sufficient to uniquely
    identify a project but if a project is specified by name, then the domain
    of the project must also be specified in order to uniquely identify the
    project by name. A domain scope may be specified by either the domain's ID
    or name with equivalent results.
  in: body
  required: false
  type: string
service:
  description: |
    A ``service`` object.
  in: body
  required: true
  type: object
service_description:
  description: |
    The service description.
  in: body
  required: false
  type: string
service_description_not_required:
  description: |
    The service description.
  in: body
  required: false
  type: string
service_enabled:
  description: |
    Defines whether the service and its endpoints
    appear in the service catalog:  - ``false``. The service and its
    endpoints do not appear in the   service catalog.  - ``true``. The
    service and its endpoints appear in the service   catalog.
  in: body
  required: false
  type: boolean
service_enabled_not_required:
  description: |
    Defines whether the service and its endpoints
    appear in the service catalog:  - ``false``. The service and its
    endpoints do not appear in the   service catalog.  - ``true``. The
    service and its endpoints appear in the service   catalog.
    Default is ``true``.
  in: body
  required: false
  type: boolean
service_id:
  description: |
    The UUID of the service to which the endpoint
    belongs.
  in: body
  required: true
  type: string
service_id_limit:
  description: |
    The UUID of the service to which the limit belongs.
  in: body
  required: true
  type: string
service_id_registered_limit:
  description: |
    The UUID of the service to which the registered limit
    belongs.
  in: body
  required: true
  type: string
service_links:
  description: |
    The links for the ``service`` resource.
  in: body
  required: true
  type: object
service_name:
  description: |
    The service name.
  in: body
  required: true
  type: string
service_type:
  description: |
    The service type, which describes the API
    implemented by the service. Value is ``compute``, ``ec2``,
    ``identity``, ``image``, ``network``, or ``volume``.
  in: body
  required: true
  type: string
services:
  description: |
    A list of ``service`` object.
  in: body
  required: true
  type: array
signed:
  description: |
    List of expired PKI tokens, signed by the
    cryptographic message syntax (CMS).
  in: body
  required: true
  type: string
system:
  description: |
    A ``system`` object.
  in: body
  required: false
  type: object
system_roles_response_body:
  description: |
    A list of ``role`` objects containing ``domain_id``, ``id``, ``links``,
    and ``name`` attributes.
  in: body
  required: true
  type: array
system_scope_response_body_optional:
  description: |
    A ``system`` object containing information about which parts of the system
    the token is scoped to. If the token is scoped to the entire deployment
    system, the ``system`` object will consist of ``{"all": true}``. This is
    only included in tokens that are scoped to the system.
  in: body
  required: false
  type: object
system_scope_string:
  description: |
    Authorization scope specific to the deployment system (Since v3.10).
    Specifying a project or domain scope in addition to system scope results
    in an HTTP ``400 Bad Request``.
  in: body
  required: false
  type: string
token:
  description: |
    A ``token`` object.
  in: body
  required: true
  type: object
user:
  description: |
    A ``user`` object.
  in: body
  required: true
  type: object
user_domain_id:
  description: |
    The ID of the domain for the user.
  in: body
  required: false
  type: string
user_domain_id_request_body:
  description: |
    The ID of the domain of the user. If the domain ID is not
    provided in the request, the Identity service will attempt to
    pull the domain ID from the token used in the request. Note that
    this requires the use of a domain-scoped token.
  in: body
  required: false
  type: string
user_domain_id_update_body:
  description: |
    The ID of the new domain for the user. The ability to change the domain
    of a user is now deprecated, and will be removed in subequent release.
    It is already disabled by default in most Identity service implementations.
  in: body
  required: false
  type: string
user_id:
  description: |
    The ID of the user.  Required if you do not
    specify the user name.
  in: body
  required: false
  type: string
user_name:
  description: |
    The user name.  Required if you do not specify
    the ID of the user.  If you specify the user name, you must also
    specify the domain, by ID or name.
  in: body
  required: false
  type: string
user_name_create_request_body:
  description: |
    The user name. Must be unique within the owning domain.
  in: body
  required: true
  type: string
user_name_response_body:
  description: |
    The user name. Must be unique within the owning domain.
  in: body
  required: true
  type: string
user_name_update_body:
  description: |
    The new name for the user. Must be unique within the owning domain.
  in: body
  required: false
  type: string
user_object:
  description: |
    A ``user`` object
  in: body
  required: true
  type: object
user_password_update_body:
  description: |
    The new password for the user.
  in: body
  required: true
  type: string
user_update_password_body:
  description: |
    The new password for the user.
  in: body
  required: false
  type: string
users:
  description: |
    A ``users`` object.
  in: body
  required: true
  type: array
users_object:
  description: |
    A list of ``user`` objects
  in: body
  required: true
  type: array