
openstack team mailing list archive

Keystone Update (and API spec)

 

Hi Everyone,

Here's a quick Keystone API update. We had aimed to lock down the API last Sunday but have been running behind. However, we now have an updated spec. We've updated the documentation, WADL, XSD, and sample files in Keystone to reflect the core Keystone API we are aiming to implement for Diablo. The specs are available here (and in simple text below):

Service (Public) API: https://github.com/openstack/keystone/raw/master/keystone/content/service/identitydevguide.pdf <https://github.com/openstack/keystone/blob/master/keystone/content/service/identitydevguide.pdf>
Admin (Private/Privileged) API: https://github.com/openstack/keystone/raw/master/keystone/content/admin/identityadminguide.pdf
WADLs/XSD all available in the keystone/content folders in the source code

The latest changes include:

  *   Minimizing the core API to handle authentication functionality only. To do this, we narrowed down the API calls to the list at the bottom of this email (also listed on the whiteboard for https://blueprints.launchpad.net/keystone/+spec/identity-api).
  *   We've split the API into Service and Admin APIs (where the Service API is generally what is exposed on the internet while the Admin API is on a controlled network).
  *   We've moved the majority of the CRUD logic to extensions (this allows the Keystone API to be implemented on top of any back-end system; ex. LDAP).
  *   Extension support for multiple credentials (as defined in https://blueprints.launchpad.net/keystone/+spec/support-multiple-credentials)
  *   Extension support for service registration (https://blueprints.launchpad.net/keystone/+spec/keystone-service-registration)
  *   Removing the default tenant id (https://blueprints.launchpad.net/keystone/+spec/remove-default-tenant)
  *   Refactoring calls to support POST instead of PUT (https://github.com/rackspace/keystone/issues/134)
  *   Support in the model for roles for a user without a tenant (https://blueprints.launchpad.net/keystone/+spec/roles-for-none-tenant)


Updates:

  *   We're now using the Gerrit workflow to integrate with Launchpad: http://wiki.openstack.org/GerritWorkflow
  *   We're in the process of moving issues to Launchpad (waiting on Launchpad to complete the import). We'll be turning off the github.com/rackspace repo as soon as that is done.
  *   I'd like to introduce Joe Savak, who has joined the Rackspace team and will be dedicated to Identity (and therefore working closely with the Keystone project)

A big thank you to everyone who has contributed to the code and setting up the environment so far: THANK YOU!

We look forward to your continued input and help as we continue to work toward completing the Diablo release. Let us know what you think!

Thanks,
Ziad & Joe

Keystone v2.0 API
Service API:

    POST /tokens
        Returns a token in exchange for valid credentials.

    GET /tenants
        Returns a list of tenants for the token provided in the X-Auth-Token header.

        This implies that a token without a specific tenant returns a list of all tenants
        associated with the user, and that a token that has a tenant returns the single
        tenant the token is associated with.

Admin API (Superset of Service API):

    POST /tokens
        Returns a token in exchange for valid credentials.

    GET /tokens/{token_id}
        Validates a token.

        Returns token expiration, user info, and the user's roles for the given
        token.

    HEAD /tokens/{token_id}
        Validates a token (for performance).

    GET /tokens/{token_id}?belongsTo={tenant_id}
        Validates that a token belongs to a specific tenant.

        Returns token expiration, user info, and the user's roles for the given
        token.

    HEAD /tokens/{token_id}?belongsTo={tenant_id}
        Validates that a token belongs to a specific tenant (for performance).

    GET /users/?username={user_name}
        Returns detailed information about a specific user, by user name.

    GET /users/{user_id}
        Returns detailed information about a specific user, by user id.

    GET /users/{user_id}/roles
        Returns global roles for a specific user (excludes tenant roles).

    GET /tenants
        Returns a list of all tenants.

    GET /tenants/?name={tenant_name}
        Returns detailed information about a tenant, by name.

    GET /tenants/{tenant_id}
        Returns detailed information about a tenant, by id.

    GET /tenants/{tenant_id}/endpoints
        Returns a list of endpoints associated with a specific tenant.

    GET /tenants/{tenant_id}/users/{user_id}/roles
        Returns a list of roles for a user on a specific tenant.
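
The Service/Admin split in the endpoint list above can be enforced at the internet-facing listener with a strict allowlist. The sketch below is an added example, not part of the original email or Keystone's code; the function names and the rule that query keys must match the listed ones exactly are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Transcribed from the email's endpoint list: (method, path template, query keys).
SERVICE_ROUTES = [("POST", "/tokens", ()), ("GET", "/tenants", ())]
ADMIN_ONLY_ROUTES = [
    ("GET", "/tokens/{token_id}", ()),
    ("HEAD", "/tokens/{token_id}", ()),
    ("GET", "/tokens/{token_id}", ("belongsTo",)),
    ("HEAD", "/tokens/{token_id}", ("belongsTo",)),
    ("GET", "/users", ("username",)),
    ("GET", "/users/{user_id}", ()),
    ("GET", "/users/{user_id}/roles", ()),
    ("GET", "/tenants", ("name",)),
    ("GET", "/tenants/{tenant_id}", ()),
    ("GET", "/tenants/{tenant_id}/endpoints", ()),
    ("GET", "/tenants/{tenant_id}/users/{user_id}/roles", ()),
]

def _segments(path):
    # Split on "/" and drop empty parts, so "/tenants/" and "/tenants" compare equal.
    return [s for s in path.split("/") if s]

def _matches(route, method, segs, keys):
    r_method, template, r_keys = route
    t_segs = _segments(template)
    # Assumption (not from the email): query keys must equal the listed set exactly.
    if method != r_method or len(segs) != len(t_segs) or keys != set(r_keys):
        return False
    # A "{name}" template segment accepts any single non-empty path segment.
    return all(t.startswith("{") or t == s for t, s in zip(t_segs, segs))

def classify(method, target):
    """Return 'service', 'admin' or None (not in the listed spec) for a request."""
    parts = urlsplit(target)
    segs = _segments(parts.path)
    keys = set(parse_qs(parts.query, keep_blank_values=True))
    method = method.upper()
    if any(_matches(r, method, segs, keys) for r in SERVICE_ROUTES):
        return "service"
    if any(_matches(r, method, segs, keys) for r in ADMIN_ONLY_ROUTES):
        return "admin"
    return None

def allowed_on_public_listener(method, target):
    """Internet-facing listener: only Service API calls pass; all else is denied."""
    return classify(method, target) == "service"
```

Because GET /tenants appears in both lists with different meanings, the filter only separates the by-name lookup from the per-token listing; the per-token scoping itself still has to be done by the service behind it.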