Obtaining a User Token with the assume_role Method

Function Description

This interface obtains a token of the delegating user with the assume_role method. For example, if user A creates an agency that grants user B permission to manage some of user A's resources, user B can use the assume_role method to obtain a token that acts as user A within the scope of that agency.

NOTE:

A token is valid for 24 hours. Cache the token and reuse it for subsequent requests instead of calling this API for every authentication.

URI

URI format

POST /v3/auth/tokens

Request

  • Request header parameter description

    Parameter    | Mandatory | Type   | Description
    -------------|-----------|--------|------------------------------------------------------------
    Content-Type | Yes       | String | Set to application/json;charset=utf8.
    X-Auth-Token | Yes       | String | Authenticated token of a user with the Agent Operator permission.

  • Request body parameter description

    Parameter   | Mandatory | Type         | Description
    ------------|-----------|--------------|----------------------------------------
    methods     | Yes       | String Array | Set to assume_role.
    domain_name | Yes       | String       | Domain name.
    xrole_name  | Yes       | String       | Agency name.
    roles       | No        | List Object  | Rights information.
    scope       | No        | JSON Object  | Range in which the token takes effect.

  • Sample request (the X-Auth-Token header is double-quoted so that the shell expands $token; the original single-quoted form sends the literal string "$token")

    curl -i -k -H "X-Auth-Token:$token" -H 'Content-Type:application/json;charset=utf8' -X POST -d '{"auth":{"identity":{"methods":["assume_role"],"assume_role":{"domain_name":"exampledomain","xrole_name":"exampleagency"}},"scope":{"domain":{"name":"exampledomain"}}}}' https://sample.domain.com/v3/auth/tokens

Response

  • Response header parameter description

    Parameter       | Mandatory | Type   | Description
    ----------------|-----------|--------|----------------
    X-Subject-Token | Yes       | String | A signed token.

  • Token format description

    methods (Mandatory: Yes; Type: JSON Array)
    Method for obtaining a token.

    expires_at (Mandatory: Yes; Type: String)
    Token expiration time.

    issued_at (Mandatory: Yes; Type: String)
    Time when the token was generated.

    user (Mandatory: Yes; Type: JSON Object)
    Example:

    "user": {
          "name": "username",
          "id": "userid",
          "password_expires_at": "2016-11-06T15:32:17.000000",
          "domain": {
             "name": "domainname",
             "id": "domainid"
           }
        }

    username: name of a user.
    userid: ID of a user.
    domainname: name of the enterprise account to which the user belongs.
    domainid: ID of the enterprise account to which the user belongs.
    password_expires_at: password expiration time (UTC). If the value is null, the password does not expire. This parameter is optional.

    domain (Mandatory: No; Type: JSON Object)
    The system determines whether to return this field based on the scope specified in the request.
    Example:

    "domain": {
          "name": "domainname",
          "id": "domainid"
    }

    domainname: name of an enterprise account.
    domainid: ID of an enterprise account.

    project (Mandatory: No; Type: JSON Object)
    The system determines whether to return this field based on the scope specified in the request.
    Example:

    "project": {
          "name": "projectname",
          "id": "projectid",
          "domain": {
             "name": "domainname",
             "id": "domainid"
           }
       }

    projectname: name of a project.
    projectid: ID of a project.
    domainname: name of the enterprise account to which the project belongs.
    domainid: ID of the enterprise account to which the project belongs.

    catalog (Mandatory: No; Type: JSON Array)
    Details of endpoints.
    Example:

    "catalog": [{
        "type": "identity",
        "id": "1331e5cff2a74d76b03da1225910e31d",
        "name": "iam",
        "endpoints": [{
            "url": "www.example.com/v3",
            "region": "*",
            "region_id": "*",
            "interface": "public",
            "id": "089d4a381d574308a703122d3ae738e9"
        }]
    }]

    roles (Mandatory: Yes; Type: JSON Object)
    Role list.
    Example:

    "roles": [{
         "name": "role1",
         "id": "roleid1"
         }, {
         "name": "role2",
         "id": "roleid2"
         }
       ]

    assumed_by (Mandatory: Yes; Type: JSON Object)
    Information about the delegated user, that is, the user who called this API and assumed the agency.
    Example:

    "assumed_by": {
          "user": {
            "domain": {
              "name": "assumeddomainname",
              "id": "bfdd55e02a014894b5a2693f31539bba"
            },
            "name": "assumedusername",
            "id": "ff5ea657f1dd45c4b8f398cab9c145d1"
          }
        }
  • Sample response
    Information included in the response header:
    X-Subject-Token:MIIDkgYJKoZIhvcNAQcCoIIDgzCCA38CAQExDTALBglghkgBZQMEAgEwgXXXXX...
    
    X-Frame-Options: SAMEORIGIN
    
    Information included in the response body:
    {
      "token": {
        "methods": [
          "assume_role"
        ],
        "issued_at": "2017-05-18T11:44:05.232000Z",
        "expires_at": "2017-05-19T11:44:05.232000Z",
        "user": {
          "id": "93e12ecdad6f4abd84968741daf5c6a3",
          "name": "exampledomain/op_service",
          "password_expires_at":"2016-11-06T15:32:17.000000",
          "domain": {
            "id": "ce925c42c25943bebba10ea64af93102",
            "name": "exampledomain"
          }
        },
        "domain": {
          "id": "ce925c42c25943bebba10ea64af93102",
          "name": "exampledomain"
        },
        "roles": [
          {
            "id": "c11c61319f08404eaf94f8030b9d37bb",
            "name": "secu_admin"
          },
          {
            "id": "0",
            "name": "op_legacy"
          },
          {
            "id": "0",
            "name": "op_gated_tasssg1"
          },
          {
            "id": "0",
            "name": "op_gated_tasssg2"
          },
          {
            "id": "0",
            "name": "op_gated_tasssg4"
          },
          {
            "id": "0",
            "name": "op_gated_tasssg5"
          },
          {
            "id": "0",
            "name": "op_gated_tasssg6"
          }
        ],
        "assumed_by": {
          "user": {
            "domain": {
              "name": "examplename",
              "id": "c1a78a82d81c4a19b03bfe82d3add5e5"
            },
            "id": "cdeb158dda854cc3bab77d8926ffecf3",
            "name": "exampleusername"
          }
        }
      }
    }
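The following Python script is an added example and is not part of this API reference. It assembles the request body described above, extracts the token from the X-Subject-Token header and its metadata (issued_at, expires_at, the delegating user and the assumed_by user) from the response body, and caches the token until shortly before expires_at, as the NOTE at the top of the page recommends. It performs no network call: the response it parses is a constructed sample shaped like the sample response above, the endpoint URL is the page's placeholder, and the 5-minute refresh margin is an assumption. When you do send the request, keep TLS certificate verification enabled (the sample request's -k disables it) and treat the X-Subject-Token value as a credential.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Tuple

# Placeholder endpoint from the page's sample request; replace with the real IAM endpoint.
TOKEN_URL = "https://sample.domain.com/v3/auth/tokens"


def build_assume_role_request(domain_name: str, xrole_name: str,
                              scope_domain: Optional[str] = None) -> dict:
    """Build the JSON body for POST /v3/auth/tokens using the assume_role method.

    domain_name is the delegating account (user A) and xrole_name the agency it
    created; scope_domain, if given, limits the token to that domain.
    """
    body = {
        "auth": {
            "identity": {
                "methods": ["assume_role"],
                "assume_role": {"domain_name": domain_name, "xrole_name": xrole_name},
            }
        }
    }
    if scope_domain is not None:
        body["auth"]["scope"] = {"domain": {"name": scope_domain}}
    return body


@dataclass(frozen=True)
class AssumedToken:
    value: str                 # X-Subject-Token header; this is a credential
    issued_at: datetime
    expires_at: datetime
    delegating_user: str       # token.user.name: user A, whose resources are managed
    assumed_by: str            # token.assumed_by.user.name: user B, who called the API
    roles: Tuple[str, ...]


def _parse_utc(ts: str) -> datetime:
    # Timestamps on this page look like 2017-05-18T11:44:05.232000Z (UTC).
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def parse_token_response(headers: dict, body: str) -> AssumedToken:
    """Take the token from the response header and its metadata from the body."""
    token = json.loads(body)["token"]
    if token.get("methods") != ["assume_role"]:
        raise ValueError("expected an assume_role token, got methods=%r" % token.get("methods"))
    return AssumedToken(
        value=headers["X-Subject-Token"],
        issued_at=_parse_utc(token["issued_at"]),
        expires_at=_parse_utc(token["expires_at"]),
        delegating_user=token["user"]["name"],
        assumed_by=token["assumed_by"]["user"]["name"],
        roles=tuple(r["name"] for r in token["roles"]),
    )


class TokenCache:
    """Reuse one token until it is within `margin` of expires_at, then fetch a new one."""

    def __init__(self, margin: timedelta = timedelta(minutes=5)) -> None:
        self.margin = margin           # assumed refresh margin, not a value from the page
        self.token: Optional[AssumedToken] = None
        self.refreshes = 0

    def get(self, now: datetime, fetch: Callable[[], AssumedToken]) -> AssumedToken:
        if self.token is None or now >= self.token.expires_at - self.margin:
            self.token = fetch()
            self.refreshes += 1
        return self.token


# Constructed sample response, shaped like the sample response on this page.
SAMPLE_HEADERS = {"X-Subject-Token": "MIIDkgYJKoZIhvcNAQcCoIIDgz...constructed...",
                  "X-Frame-Options": "SAMEORIGIN"}
SAMPLE_BODY = json.dumps({"token": {
    "methods": ["assume_role"],
    "issued_at": "2017-05-18T11:44:05.232000Z",
    "expires_at": "2017-05-19T11:44:05.232000Z",
    "user": {"id": "93e12ecdad6f4abd84968741daf5c6a3", "name": "exampledomain/op_service",
             "domain": {"id": "ce925c42c25943bebba10ea64af93102", "name": "exampledomain"}},
    "roles": [{"id": "c11c61319f08404eaf94f8030b9d37bb", "name": "secu_admin"}],
    "assumed_by": {"user": {"id": "cdeb158dda854cc3bab77d8926ffecf3", "name": "exampleusername",
                            "domain": {"id": "c1a78a82d81c4a19b03bfe82d3add5e5", "name": "examplename"}}}}})


def demo() -> Tuple[AssumedToken, int]:
    """Parse the constructed sample and run it through the cache; returns (token, refresh count)."""
    cache = TokenCache()

    def fetch() -> AssumedToken:
        return parse_token_response(SAMPLE_HEADERS, SAMPLE_BODY)

    tok = cache.get(_parse_utc("2017-05-18T11:44:05.232000Z"), fetch)   # first call fetches
    cache.get(tok.issued_at + timedelta(hours=12), fetch)                # served from cache
    cache.get(tok.expires_at - timedelta(minutes=4), fetch)              # inside margin: refreshed
    return tok, cache.refreshes


if __name__ == "__main__":
    token, refreshes = demo()
    print(json.dumps(build_assume_role_request("exampledomain", "exampleagency", "exampledomain")))
    print(token.delegating_user, "assumed by", token.assumed_by, "refreshes:", refreshes)
```

The cache keys its decision on expires_at from the body rather than on the 24-hour figure from the NOTE, so it stays correct if the service ever issues shorter-lived tokens; checking assumed_by against the caller you expect is a cheap way to detect a token obtained through the wrong agency before it is used.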

Status Codes

Status Code | Description
------------|----------------------------------------------------------------------
201         | The request is successful.
400         | The server failed to process the request.
401         | You must enter a username and password to access the requested page.
403         | You are forbidden to access the requested page.
404         | The server could not find the requested page.
500         | Failed to complete the request because of an internal service error.
503         | Failed to complete the request because the service is unavailable.