Add CRUD support for application credentials

Add support for creating, retrieving, and deleting application
credentials. Application credentials do not support updates.

In order to provide a positive user experience for the `--role` option,
this patch also includes an improvement to the
`identity.common._get_token_resource()` function that allows it to
introspect the roles list within a token. This way there is no need to
make a request to keystone to retrieve a role object, which would fail
most of the time anyway due to keystone's default policy prohibiting
unprivileged users from retrieving roles.

bp application-credentials

Change-Id: I29e03b72acd931305cbdac5a9ff666854d05c6d7

1 files changed, 109 insertions, 0 deletions

diff --git a/doc/source/cli/command-objects/application-credentials.rst b/doc/source/cli/command-objects/application-credentials.rst
new file mode 100644
index 00000000..08d85b11
--- /dev/null
+++ b/doc/source/cli/command-objects/application-credentials.rst
@@ -0,0 +1,109 @@
+======================
+application credential
+======================
+
+Identity v3
+
+With application credentials, a user can grant their applications limited
+access to their cloud resources. Once created, users can authenticate with an
+application credential by using the ``v3applicationcredential`` auth type.
+
+application credential create
+-----------------------------
+
+Create new application credential
+
+.. program:: application credential create
+.. code:: bash
+
+    openstack application credential create
+        [--secret <secret>]
+        [--role <role>]
+        [--expiration <expiration>]
+        [--description <description>]
+        [--unrestricted]
+        <name>
+
+.. option:: --secret <secret>
+
+    Secret to use for authentication (if not provided, one will be generated)
+
+.. option:: --role <role>
+
+    Roles to authorize (name or ID) (repeat option to set multiple values)
+
+.. option:: --expiration <expiration>
+
+    Sets an expiration date for the application credential (format of
+    YYYY-mm-ddTHH:MM:SS)
+
+.. option:: --description <description>
+
+    Application credential description
+
+.. option:: --unrestricted
+
+    Enable application credential to create and delete other application
+    credentials and trusts (this is potentially dangerous behavior and is
+    disabled by default)
+
+.. option:: --restricted
+
+    Prohibit application credential from creating and deleting other
+    application credentials and trusts (this is the default behavior)
+
+.. describe:: <name>
+
+    Name of the application credential
+
+
+application credential delete
+-----------------------------
+
+Delete application credential(s)
+
+.. program:: application credential delete
+.. code:: bash
+
+    openstack application credential delete
+        <application-credential> [<application-credential> ...]
+
+.. describe:: <application-credential>
+
+    Application credential(s) to delete (name or ID)
+
+application credential list
+---------------------------
+
+List application credentials
+
+.. program:: application credential list
+.. code:: bash
+
+    openstack application credential list
+        [--user <user>]
+        [--user-domain <user-domain>]
+
+.. option:: --user
+
+    User whose application credentials to list (name or ID)
+
+.. option:: --user-domain
+
+    Domain the user belongs to (name or ID). This can be
+    used in case collisions between user names exist.
+
+application credential show
+---------------------------
+
+Display application credential details
+
+.. program:: application credential show
+.. code:: bash
+
+    openstack application credential show
+        <application-credential>
+
+.. describe:: <application-credential>
+
+    Application credential to display (name or ID)