keystone.token package

Submodules

keystone.token.controllers module

class keystone.token.controllers.Auth(*args, **kwargs)[source]

Bases: keystone.common.controller.V2Controller

authenticate(*args, **kwargs)[source]

Authenticate credentials and return a token.

Accept auth as a dict that looks like:

{
    "auth":{
        "passwordCredentials":{
            "username":"test_user",
            "password":"mypass"
        },
        "tenantName":"customer-x"
    }
}

In this case, tenant is optional, if not provided the token will be considered “unscoped” and can later be used to get a scoped token.

Alternatively, this call accepts auth with only a token and tenant that will return a token that is scoped to that tenant.

ca_cert(*args, **kwargs)[source]
delete_token(*args, **kwargs)[source]

Delete a token, effectively invalidating it for authz.

endpoints(*args, **kwargs)[source]

Return a list of endpoints available to the token.

classmethod format_endpoint_list(catalog_ref)[source]

Format a list of endpoints according to Identity API v2.

The v2.0 API wants an endpoint list to look like:

{
    'endpoints': [
        {
            'id': $endpoint_id,
            'name': $SERVICE[name],
            'type': $SERVICE,
            'tenantId': $tenant_id,
            'region': $REGION,
        }
    ],
    'endpoints_links': [],
}
revocation_list(*args, **kwargs)[source]
signing_cert(*args, **kwargs)[source]
validate_token(*args, **kwargs)[source]

Check that a token is valid.

Optionally, also ensure that it is owned by a specific tenant.

Returns metadata about the token along any associated roles.

validate_token_head(*args, **kwargs)[source]

Check that a token is valid.

Optionally, also ensure that it is owned by a specific tenant.

Identical to validate_token, except does not return a response.

The code in keystone.common.wsgi.render_response will remove the content body.

class keystone.token.controllers.BaseAuthenticationMethod(*args, **kwargs)[source]

Bases: object

Common utilities/dependencies for all authentication method classes.

exception keystone.token.controllers.ExternalAuthNotApplicable[source]

Bases: exceptions.Exception

External authentication is not applicable.

class keystone.token.controllers.ExternalAuthenticationMethod(*args, **kwargs)[source]

Bases: keystone.token.controllers.BaseAuthenticationMethod

Authenticate using an external authentication method.

authenticate(request, auth)[source]

Try to authenticate an external user via REMOTE_USER variable.

Parameters:
  • request – A request object.
  • auth – Dictionary representing the authentication request.
Returns:

A tuple containing the user reference, project identifier, token expiration, bind information, and original audit information.

class keystone.token.controllers.LocalAuthenticationMethod(*args, **kwargs)[source]

Bases: keystone.token.controllers.BaseAuthenticationMethod

Authenticate against a local backend using password credentials.

authenticate(request, auth)[source]

Try to authenticate against the identity backend.

Parameters:
  • request – A request object.
  • auth – Dictionary representing the authentication request.
Returns:

A tuple containing the user reference, project identifier, token expiration, bind information, and original audit information.

class keystone.token.controllers.TokenAuthenticationMethod(*args, **kwargs)[source]

Bases: keystone.token.controllers.BaseAuthenticationMethod

Authenticate using an existing token.

authenticate(request, auth)[source]

Try to authenticate using an already existing token.

Parameters:
  • request – A request object.
  • auth – Dictionary representing the authentication request.
Returns:

A tuple containing the user reference, project identifier, token expiration, bind information, and original audit information.

class keystone.token.controllers.V2TokenDataHelper(*args, **kwargs)[source]

Bases: object

Create V2 token data.

classmethod format_catalog(catalog_ref)[source]

Munge catalogs from internal to output format.

Internal catalogs look like:

{$REGION: {
    {$SERVICE: {
        $key1: $value1,
        ...
        }
    }
}

The legacy api wants them to look like:

[{'name': $SERVICE[name],
  'type': $SERVICE,
  'endpoints': [{
      'tenantId': $tenant_id,
      ...
      'region': $REGION,
      }],
  'endpoints_links': [],
 }]
v3_to_v2_token(v3_token_data, token_id)[source]

Convert v3 token data into v2.0 token data.

This method expects a dictionary generated from V3TokenDataHelper.get_token_data() and converts it to look like a v2.0 token dictionary.

Parameters:
  • v3_token_data – dictionary formatted for v3 tokens
  • token_id – ID of the token being converted
Returns:

dictionary formatted for v2 tokens

Raises:

keystone.exception.Unauthorized – If a specific token type is not supported in v2.

keystone.token.controllers.authentication_method_generator(request, auth)[source]

Given an request return a suitable authentication method.

This is simply a generator to handle matching an authentication request with the appropriate authentication method.

Parameters:auth – Dictionary containing authentication information from the request.
Returns:An authentication method class object.

keystone.token.provider module

Token provider interface.

class keystone.token.provider.Manager(*args, **kwargs)[source]

Bases: keystone.common.manager.Manager

Default pivot point for the token provider backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

INVALIDATE_PROJECT_TOKEN_PERSISTENCE = 'invalidate_project_tokens'
INVALIDATE_USER_TOKEN_PERSISTENCE = 'invalidate_user_tokens'
V2 = 'v2.0'
V3 = 'v3.0'
VERSIONS = frozenset(['v3.0', 'v2.0'])
check_revocation(*args, **kwargs)[source]
check_revocation_v2(*args, **kwargs)[source]
check_revocation_v3(*args, **kwargs)[source]
driver_namespace = 'keystone.token.provider'
invalidate_individual_token_cache(*args, **kwargs)[source]
issue_token(*args, **kwargs)[source]
list_revoked_tokens(*args, **kwargs)[source]
revoke_token(*args, **kwargs)[source]
validate_token(*args, **kwargs)[source]

keystone.token.routers module

class keystone.token.routers.Router(mapper=None)[source]

Bases: keystone.common.wsgi.ComposableRouter

add_routes(mapper)[source]

Module contents