keystone.auth.plugins.base.
AuthHandlerResponse
(status, response_body, response_data)¶Bases: tuple
response_body
¶Alias for field number 1
response_data
¶Alias for field number 2
status
¶Alias for field number 0
keystone.auth.plugins.base.
AuthMethodHandler
[source]¶Bases: object
Abstract base class for an authentication plugin.
authenticate
(request, auth_payload)[source]¶Authenticate user and return an authentication context.
Parameters: |
|
---|
If successful, plugin must set user_id
in response_data
.
method_name
is used to convey any additional authentication methods
in case authentication is for re-scoping. For example, if the
authentication is for re-scoping, plugin must append the previous
method names into method_names
; NOTE: This behavior is exclusive
to the re-scope type action. Also, plugin may add any additional
information into extras
. Anything in extras
will be conveyed in
the token’s extras
attribute. Here’s an example of
response_data
on successful authentication:
{
"extras": {},
"methods": [
"password",
"token"
],
"user_id": "abc123"
}
Plugins are invoked in the order in which they are specified in the
methods
attribute of the identity
object. For example,
custom-plugin
is invoked before password
, which is invoked
before token
in the following authentication request:
{
"auth": {
"identity": {
"custom-plugin": {
"custom-data": "sdfdfsfsfsdfsf"
},
"methods": [
"custom-plugin",
"password",
"token"
],
"password": {
"user": {
"id": "s23sfad1",
"password": "secret"
}
},
"token": {
"id": "sdfafasdfsfasfasdfds"
}
}
}
}
Returns: | AuthHandlerResponse with status set to True if auth was
successful. If status is False and this is a multi-step
auth, the response_body can be in a form of a dict for
the next step in authentication. |
---|---|
Raises: | keystone.exception.Unauthorized – for authentication failure |
keystone.auth.plugins.core.
construct_method_map_from_config
()[source]¶Determine authentication method types for deployment.
Returns: | a dictionary containing the methods and their indexes |
---|
Keystone External Authentication Plugins.
keystone.auth.plugins.external.
KerberosDomain
(*args, **kwargs)[source]¶Bases: keystone.auth.plugins.external.Domain
Allows kerberos as a method.
keystone.auth.plugins.mapped.
Mapped
(*args, **kwargs)[source]¶Bases: keystone.auth.plugins.base.AuthMethodHandler
authenticate
(request, auth_payload)[source]¶Authenticate mapped user and set an authentication context.
Parameters: |
|
---|
In addition to user_id
in response_data
, this plugin sets
group_ids
, OS-FEDERATION:identity_provider
and
OS-FEDERATION:protocol
keystone.auth.plugins.mapped.
apply_mapping_filter
(identity_provider, protocol, assertion, resource_api, federation_api, identity_api)[source]¶keystone.auth.plugins.mapped.
get_user_unique_id_and_display_name
(request, mapped_properties)[source]¶Setup federated username.
Function covers all the cases for properly setting user id, a primary
identifier for identity objects. Initial version of the mapping engine
assumed user is identified by name
and his id
is built from the
name. We, however need to be able to accept local rules that identify user
by either id or name/domain.
The following use-cases are covered:
Parameters: |
|
---|---|
Type: | dictionary |
Raises: | keystone.exception.Unauthorized – If neither user_name nor user_id is set. |
Returns: | tuple with user identification |
Return type: | tuple |
Time-based One-time Password Algorithm (TOTP) auth plugin.
TOTP is an algorithm that computes a one-time password from a shared secret key and the current time.
TOTP is an implementation of a hash-based message authentication code (HMAC). It combines a secret key with the current timestamp using a cryptographic hash function to generate a one-time password. The timestamp typically increases in 30-second intervals, so passwords generated close together in time from the same secret key will be equal.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.