Authentication Framework Usage

The auth module

class AuthProvider(credentials, scope='project')[source]

Provide authentication

auth_data

Auth data for set scope

auth_request(method, url, headers=None, body=None, filters=None)[source]

Obtains auth data and decorates a request with that.

Parameters:
  • method -- HTTP method of the request
  • url -- relative URL of the request (path)
  • headers -- HTTP headers of the request
  • body -- HTTP body in case of POST / PUT
  • filters -- select a base URL out of the catalog

Returns: a tuple (url, headers, body)

base_url(filters, auth_data=None)[source]

Extracts the base_url based on provided filters

classmethod check_credentials(credentials)[source]

Verify credentials are valid.

clear_auth()[source]

Clear access cache

Can be called to clear the access cache so that next request will fetch a new token and base_url.

fill_credentials()[source]

Fill credentials object with data from auth

get_auth()[source]

Returns auth data from the cache if available; otherwise authenticates first.

reset_alt_auth_data()[source]

Configure auth provider to provide valid authentication data

scope

Scope used in auth requests

set_alt_auth_data(request_part, auth_data)[source]

Alternate auth data on next request

Configure auth provider to provide alt authentication data on a part of the next auth_request. If credentials are None, set invalid data.

Parameters:
  • request_part -- request part to contain invalid auth: url, headers, body
  • auth_data -- alternative auth_data from which to get the invalid data to be injected

set_auth()[source]

Forces setting auth.

Forces setting auth, ignores cache if it exists. Refills credentials.

class Credentials(**kwargs)[source]

Set of credentials for accessing OpenStack services

ATTRIBUTES: list of valid class attributes representing credentials.

class KeystoneV2AuthProvider(credentials, auth_url, disable_ssl_certificate_validation=None, ca_certs=None, trace_requests=None, scope='project', http_timeout=None)[source]

Provides authentication based on the Identity V2 API

The Keystone Identity V2 API defines both unscoped and project scoped tokens. This auth provider only implements 'project'.

base_url(filters, auth_data=None)[source]

Base URL from catalog

Parameters: filters -- used to filter results

Filters can be:

  • service: service type name such as compute, image, etc.
  • region: service region name
  • name: service name, only if service exists
  • endpoint_type: type of endpoint such as adminURL, publicURL, internalURL
  • api_version: the version of api used to replace catalog version
  • skip_path: skips the suffix path of the url and uses base URL

Return type: string

Returns: url with filters applied

class KeystoneV3AuthProvider(credentials, auth_url, disable_ssl_certificate_validation=None, ca_certs=None, trace_requests=None, scope='project', http_timeout=None)[source]

Provides authentication based on the Identity V3 API

base_url(filters, auth_data=None)[source]

Base URL from catalog

If scope is not 'project', there may be no catalog in the auth_data. In that case, as long as the requested service is 'identity', the original auth URL can be used to build the base_url.

Parameters: filters -- used to filter results

Filters can be:

  • service: service type name such as compute, image, etc.
  • region: service region name
  • name: service name, only if service exists
  • endpoint_type: type of endpoint such as adminURL, publicURL, internalURL
  • api_version: the version of api used to replace catalog version
  • skip_path: skips the suffix path of the url and uses base URL

Return type: string

Returns: url with filters applied

class KeystoneV3Credentials(**kwargs)[source]

Credentials suitable for the Keystone Identity V3 API

is_valid()[source]

Check of credentials (no API call)

Valid combinations of v3 credentials (excluding token):

  • User id, password (optional domain)
  • User name, password and its domain id/name

For the scope, valid combinations are:

  • None
  • Project id (optional domain)
  • Project name and its domain id/name
  • Domain id
  • Domain name
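The combinations listed above, written as a stand-alone checker that reports why a credential set would be rejected before any API call is made. This is an added example, not the library's own is_valid() code; the function names and the keyword names (user_id, username, user_domain_id, project_domain_name and so on) are assumptions that do not appear on this page.

```python
# Added illustration of the v3 credential combinations; not the library's code.
# All field names below are assumptions made for this example.

def _has(creds, *names):
    """True if any of the named fields is present and not None."""
    return any(creds.get(name) is not None for name in names)


def v3_credential_problems(**creds):
    """Return a list of reasons the credential set is not a valid combination.

    An empty list means the set matches one of the listed combinations.
    No request is sent; only the shape of the data is checked.
    """
    problems = []

    # Token-less authentication always needs a password.
    if not _has(creds, "password"):
        problems.append("password missing")

    # A user id identifies the user on its own; a user name must be
    # qualified by the id or name of the domain that owns it.
    if not _has(creds, "user_id"):
        if not _has(creds, "username"):
            problems.append("no user id or user name")
        elif not _has(creds, "user_domain_id", "user_domain_name"):
            problems.append("user name given without its domain")

    # Scope: none, a project id, or a project name qualified by its domain.
    # A domain id or domain name scope needs no further qualifier.
    if _has(creds, "project_name") and not _has(creds, "project_id"):
        if not _has(creds, "project_domain_id", "project_domain_name"):
            problems.append("project name given without its domain")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real accounts.
    samples = [
        dict(user_id="u-123", password="bar"),
        dict(username="foo", password="bar"),
        dict(username="foo", password="bar", user_domain_name="Default",
             project_name="demo"),
    ]
    for sample in samples:
        print(sorted(sample), "->", v3_credential_problems(**sample) or "valid")
```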

get_credentials(auth_url, fill_in=True, identity_version='v2', disable_ssl_certificate_validation=None, ca_certs=None, trace_requests=None, http_timeout=None, **kwargs)[source]

Builds a credentials object based on the configured auth_version

Parameters:
  • auth_url (string) -- Full URI of the OpenStack Identity API (Keystone) which is used to fetch the token from Identity service.
  • fill_in (boolean) -- obtain a token and fill in all credential details provided by the identity service. When fill_in is not specified, credentials are not validated. Validation can be invoked by invoking is_valid()
  • identity_version (string) -- identity API version is used to select the matching auth provider and credentials class
  • disable_ssl_certificate_validation -- whether to enforce SSL certificate validation in SSL API requests to the auth system
  • ca_certs -- CA certificate bundle for validation of certificates in SSL API requests to the auth system
  • trace_requests -- trace in log API requests to the auth system
  • http_timeout -- timeout in seconds to wait for the http request to return
  • kwargs (dict) -- Dict of credential key/value pairs

Examples:

Returns credentials from the provided parameters:

>>> get_credentials(auth_url, fill_in=False, username='foo', password='bar')

Returns credentials including IDs:

>>> get_credentials(auth_url, username='foo', password='bar', fill_in=True)

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.