keystone.identity.backends package

Submodules

keystone.identity.backends.base module

class keystone.identity.backends.base.IdentityDriverBase[source]

Bases: object

Interface description for an Identity driver.

The schema for users and groups is different depending on whether the driver is domain aware or not (as returned by self.is_domain_aware()).

If the driver is not domain aware:

  • domain_id will not be included in the user / group passed in to create_user / create_group
  • the domain_id should not be returned in user / group refs. They’ll be overwritten.

The password_expires_at in the user schema is a read-only attribute, meaning that it is expected in the response, but not in the request.

User schema (if driver is domain aware):

type: object
properties:
    id:
        type: string
    name:
        type: string
    domain_id:
        type: string
    password:
        type: string
    password_expires_at:
        type: datetime
    enabled:
        type: boolean
    default_project_id:
        type: string
required: [id, name, domain_id, enabled]
additionalProperties: True

User schema (if driver is not domain aware):

type: object
properties:
    id:
        type: string
    name:
        type: string
    password:
        type: string
    password_expires_at:
        type: datetime
    enabled:
        type: boolean
    default_project_id:
        type: string
required: [id, name, enabled]
additionalProperties: True
# Note that domain_id is not allowed as a property

Group schema (if driver is domain aware):

type: object
properties:
    id:
        type: string
    name:
        type: string
    domain_id:
        type: string
    description:
        type: string
required: [id, name, domain_id]
additionalProperties: True

Group schema (if driver is not domain aware):

type: object
properties:
    id:
        type: string
    name:
        type: string
    description:
        type: string
required: [id, name]
additionalProperties: True
# Note that domain_id is not allowed as a property
add_user_to_group(user_id, group_id)[source]

Add a user to a group.

Parameters:
  • user_id (str) – User ID.
  • group_id (str) – Group ID.
Raises:
authenticate(user_id, password)[source]

Authenticate a given user and password.

Parameters:
  • user_id (str) – User ID
  • password (str) – Password
Returns:

user. See user schema in IdentityDriverBase.

Return type:

dict

Raises:

AssertionError – If user or password is invalid.

change_password(user_id, new_password)[source]

Self-service password change.

Parameters:
  • user_id (str) – User ID.
  • new_password (str) – New password.
Raises:
check_user_in_group(user_id, group_id)[source]

Check if a user is a member of a group.

Parameters:
  • user_id (str) – User ID.
  • group_id (str) – Group ID.
Raises:
create_group(group_id, group)[source]

Create a new group.

Parameters:
  • group_id (str) – group ID. The driver can ignore this value.
  • group (dict) – group info. See group schema in IdentityDriverBase.
Returns:

group, matching the group schema.

Return type:

dict

Raises:

keystone.exception.Conflict – If a duplicate group exists.

create_user(user_id, user)[source]

Create a new user.

Parameters:
  • user_id (str) – user ID. The driver can ignore this value.
  • user (dict) – user info. See user schema in IdentityDriverBase.
Returns:

user, matching the user schema. The driver should not return the password.

Return type:

dict

Raises:

keystone.exception.Conflict – If a duplicate user exists.

default_assignment_driver()[source]
delete_group(group_id)[source]

Delete an existing group.

Parameters:group_id (str) – Group ID.
Raises:keystone.exception.GroupNotFound – If the group doesn’t exist.
delete_user(user_id)[source]

Delete an existing user.

Raises:keystone.exception.UserNotFound – If the user doesn’t exist.
generates_uuids()[source]

Indicate if Driver generates UUIDs as the local entity ID.

get_group(group_id)[source]

Get a group by ID.

Parameters:group_id (str) – group ID.
Returns:group info. See group schema in IdentityDriverBase
Return type:dict
Raises:keystone.exception.GroupNotFound – If the group doesn’t exist.
get_group_by_name(group_name, domain_id)[source]

Get a group by name.

Parameters:
  • group_name (str) – group name.
  • domain_id (str) – domain ID.
Returns:

group info. See group schema in IdentityDriverBase.

Return type:

dict

Raises:

keystone.exception.GroupNotFound – If the group doesn’t exist.

get_user(user_id)[source]

Get a user by ID.

Parameters:user_id (str) – User ID.
Returns:user. See user schema in IdentityDriverBase.
Return type:dict
Raises:keystone.exception.UserNotFound – If the user doesn’t exist.
get_user_by_name(user_name, domain_id)[source]

Get a user by name.

Returns:user_ref
Raises:keystone.exception.UserNotFound – If the user doesn’t exist.
is_domain_aware()[source]

Indicate if the driver supports domains.

is_sql

Indicate if this Driver uses SQL.

list_groups(hints)[source]

List groups in the system.

Parameters:hints (keystone.common.driver_hints.Hints) – filter hints which the driver should implement if at all possible.
Returns:a list of group_refs or an empty list. See group schema in IdentityDriverBase.
list_groups_for_user(user_id, hints)[source]

List groups a user is in.

Parameters:
Returns:

a list of group_refs or an empty list. See group schema in IdentityDriverBase.

Raises:

keystone.exception.UserNotFound – If the user doesn’t exist.

list_users(hints)[source]

List users in the system.

Parameters:hints (keystone.common.driver_hints.Hints) – filter hints which the driver should implement if at all possible.
Returns:a list of users or an empty list. See user schema in IdentityDriverBase.
Return type:list of dict
list_users_in_group(group_id, hints)[source]

List users in a group.

Parameters:
Returns:

a list of users or an empty list. See user schema in IdentityDriverBase.

Return type:

list of dict

Raises:

keystone.exception.GroupNotFound – If the group doesn’t exist.

multiple_domains_supported
remove_user_from_group(user_id, group_id)[source]

Remove a user from a group.

Parameters:
  • user_id (str) – User ID.
  • group_id (str) – Group ID.
Raises:

keystone.exception.NotFound – If the user is not in the group.

unset_default_project_id(project_id)[source]

Unset a user’s default project given a specific project ID.

Parameters:project_id (str) – project ID
update_group(group_id, group)[source]

Update an existing group.

Parameters:
  • group_id (str) – Group ID.
  • group (dict) – Group modification. See group schema in IdentityDriverBase. Required properties cannot be removed.
Returns:

group, matching the group schema.

Return type:

dict

Raises:
update_user(user_id, user)[source]

Update an existing user.

Parameters:
  • user_id (str) – User ID.
  • user (dict) – User modification. See user schema in IdentityDriverBase. Properties set to None will be removed. Required properties cannot be removed.
Returns:

user. See user schema in IdentityDriverBase.

Raises:
keystone.identity.backends.base.filter_user(user_ref)[source]

Filter out private items in a user dict.

‘password’, ‘tenants’ and ‘groups’ are never returned.

Returns:user_ref
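
Added example (not part of keystone or of this reference): a self-contained check of the user schema rules in the IdentityDriverBase description above, together with the key stripping that filter_user describes. The names check_create_user and strip_private are hypothetical, and the sample dicts are constructed.

```python
from datetime import datetime

# Property types copied from the user schema on this page.
USER_TYPES = {"id": str, "name": str, "domain_id": str, "password": str,
              "password_expires_at": datetime, "enabled": bool,
              "default_project_id": str}
PRIVATE_KEYS = ("password", "tenants", "groups")  # keys filter_user drops


def check_create_user(ref, domain_aware, is_response):
    """Hypothetical helper: list contract violations for a create_user dict."""
    problems = []
    required = ["id", "name", "enabled"] + (["domain_id"] if domain_aware else [])
    for key in required:
        if key not in ref:
            problems.append(f"missing required property: {key}")
    for key, expected in USER_TYPES.items():
        value = ref.get(key)
        if value is not None and not isinstance(value, expected):
            problems.append(f"{key} must be {expected.__name__}")
    if not domain_aware and "domain_id" in ref:
        problems.append("domain_id not allowed for a non-domain-aware driver")
    if is_response and "password" in ref:
        problems.append("password must not be returned by the driver")
    if not is_response and "password_expires_at" in ref:
        problems.append("password_expires_at is read-only (response only)")
    return problems


def strip_private(user_ref):
    """Hypothetical stand-in for filter_user: copy without private keys."""
    return {k: v for k, v in user_ref.items() if k not in PRIVATE_KEYS}


if __name__ == "__main__":
    # Constructed sample data, not taken from a real deployment.
    request = {"id": "u1", "name": "alice", "domain_id": "default",
               "enabled": True, "password": "constructed-sample"}
    leaky = dict(request, password_expires_at=datetime(2030, 1, 1))
    print(check_create_user(request, True, False))   # clean request
    print(check_create_user(request, False, False))  # domain_id rejected
    print(check_create_user(leaky, True, True))      # password leaked
    print(check_create_user(strip_private(leaky), True, True))
```

Because additionalProperties is True in every schema, the check ignores unknown keys; it only enforces the required list, the declared types, and the domain_id, password and password_expires_at rules.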

keystone.identity.backends.resource_options module

keystone.identity.backends.resource_options.register_user_options()[source]

keystone.identity.backends.sql module

class keystone.identity.backends.sql.Identity(conf=None)[source]

Bases: keystone.identity.backends.base.IdentityDriverBase

add_user_to_group(user_id, group_id)[source]
authenticate(user_id, password)[source]
change_password(user_id, new_password)[source]
check_user_in_group(user_id, group_id)[source]
create_group(*args, **kwargs)[source]
create_user(*args, **kwargs)[source]
delete_group(group_id)[source]
delete_user(*args, **kwargs)[source]
get_group(group_id)[source]
get_group_by_name(group_name, domain_id)[source]
get_user(user_id)[source]
get_user_by_name(user_name, domain_id)[source]
is_sql
list_groups(hints, *args, **kwargs)[source]
list_groups_for_user(user_id, hints)[source]
list_users(hints, *args, **kwargs)[source]
list_users_in_group(group_id, hints)[source]
remove_user_from_group(user_id, group_id)[source]
unset_default_project_id(project_id)[source]
update_group(*args, **kwargs)[source]
update_user(*args, **kwargs)[source]

keystone.identity.backends.sql_model module

class keystone.identity.backends.sql_model.FederatedUser(*args, **kwargs)[source]

Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.ModelDictMixin

attributes = ['id', 'user_id', 'idp_id', 'protocol_id', 'unique_id', 'display_name']
display_name
id
idp_id
protocol_id
unique_id
user_id
class keystone.identity.backends.sql_model.Group(*args, **kwargs)[source]

Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.ModelDictMixinWithExtras

attributes = ['id', 'name', 'domain_id', 'description']
description
domain_id
extra
id
name
class keystone.identity.backends.sql_model.LocalUser(*args, **kwargs)[source]

Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.ModelDictMixin

attributes = ['id', 'user_id', 'domain_id', 'name']
domain_id
failed_auth_at
failed_auth_count
id
name
passwords
user_id
class keystone.identity.backends.sql_model.NonLocalUser(*args, **kwargs)[source]

Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.ModelDictMixin

SQL data model for nonlocal users (LDAP and custom).

attributes = ['domain_id', 'name', 'user_id']
domain_id
name
user_id
class keystone.identity.backends.sql_model.Password(*args, **kwargs)[source]

Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.ModelDictMixin

attributes = ['id', 'local_user_id', 'password', 'password_hash', 'created_at', 'expires_at']
created_at
expires_at
id
local_user_id
password
password_hash
self_service
class keystone.identity.backends.sql_model.User(*args, **kwargs)[source]

Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.ModelDictMixinWithExtras

attributes = ['id', 'name', 'domain_id', 'password', 'enabled', 'default_project_id', 'password_expires_at']
created_at
default_project_id
domain_id
enabled

Return whether user is enabled or not.

extra
federated_users
classmethod from_dict(user_dict)[source]

Override from_dict to remove password_expires_at attribute.

This method is overridden to remove the password_expires_at attribute, in order to support update_user and unit tests where password_expires_at is inadvertently added by calling to_dict followed by from_dict.

Parameters:user_dict – User entity dictionary
Returns:User object
get_resource_option(option_id)[source]
id
last_active_at
local_user
name

Return the current user name.

nonlocal_user
password

Return the current password.

password_created_at

Return when the password was created.

password_expires_at

Return when the password expires.

password_is_expired

Return whether password is expired or not.

password_ref

Return the current password ref.

readonly_attributes = ['id', 'password_expires_at', 'password']
resource_options_registry = <keystone.common.resource_options.ResourceOptionRegistry object>
to_dict(include_extra_dict=False)[source]
class keystone.identity.backends.sql_model.UserGroupMembership(*args, **kwargs)[source]

Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.ModelDictMixin

Group membership join table.

group_id
user_id
class keystone.identity.backends.sql_model.UserOption(option_id, option_value)[source]

Bases: sqlalchemy.ext.declarative.api.Base

option_id
option_value
user_id

Module contents

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.