keystone.token package

Submodules

keystone.token.controllers module

class keystone.token.controllers.Auth(*args, **kwargs)[source]

Bases: keystone.common.controller.V2Controller

authenticate(*args, **kwargs)[source]

Authenticate credentials and return a token.

Accept auth as a dict that looks like:

{
    "auth":{
        "passwordCredentials":{
            "username":"test_user",
            "password":"mypass"
        },
        "tenantName":"customer-x"
    }
}

In this case, tenant is optional, if not provided the token will be considered “unscoped” and can later be used to get a scoped token.

Alternatively, this call accepts auth with only a token and tenant that will return a token that is scoped to that tenant.

ca_cert(*args, **kwargs)[source]
delete_token(*args, **kwargs)[source]

Delete a token, effectively invalidating it for authz.

endpoints(*args, **kwargs)[source]

Return a list of endpoints available to the token.

classmethod format_endpoint_list(catalog_ref)[source]

Formats a list of endpoints according to Identity API v2.

The v2.0 API wants an endpoint list to look like:

{
    'endpoints': [
        {
            'id': $endpoint_id,
            'name': $SERVICE[name],
            'type': $SERVICE,
            'tenantId': $tenant_id,
            'region': $REGION,
        }
    ],
    'endpoints_links': [],
}
revocation_list(*args, **kwargs)[source]
signing_cert(*args, **kwargs)[source]
validate_token(*args, **kwargs)[source]

Check that a token is valid.

Optionally, also ensure that it is owned by a specific tenant.

Returns metadata about the token along any associated roles.

validate_token_head(*args, **kwargs)[source]

Check that a token is valid.

Optionally, also ensure that it is owned by a specific tenant.

Identical to validate_token, except does not return a response.

The code in keystone.common.wsgi.render_response will remove the content body.

exception keystone.token.controllers.ExternalAuthNotApplicable[source]

Bases: exceptions.Exception

External authentication is not applicable.

keystone.token.provider module

Token provider interface.

class keystone.token.provider.Manager(*args, **kwargs)[source]

Bases: keystone.common.manager.Manager

Default pivot point for the token provider backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

INVALIDATE_PROJECT_TOKEN_PERSISTENCE = 'invalidate_project_tokens'
INVALIDATE_USER_TOKEN_PERSISTENCE = 'invalidate_user_tokens'
V2 = 'v2.0'
V3 = 'v3.0'
VERSIONS = frozenset(['v3.0', 'v2.0'])
check_revocation(*args, **kwargs)[source]
check_revocation_v2(*args, **kwargs)[source]
check_revocation_v3(*args, **kwargs)[source]
driver_namespace = 'keystone.token.provider'
invalidate_individual_token_cache(*args, **kwargs)[source]
issue_v2_token(*args, **kwargs)[source]
issue_v3_token(*args, **kwargs)[source]
list_revoked_tokens(*args, **kwargs)[source]
revoke_token(*args, **kwargs)[source]
validate_non_persistent_token(*args, **kwargs)[source]
validate_token(*args, **kwargs)[source]
validate_v2_token(*args, **kwargs)[source]
validate_v3_token(*args, **kwargs)[source]
class keystone.token.provider.Provider[source]

Bases: object

Interface description for a Token provider.

get_token_version(token_data)[source]

Return the version of the given token data.

If the given token data is unrecognizable, UnsupportedTokenVersionException is raised.

Parameters:token_data (dict) – token_data
Returns:token version string
Raises keystone.exception.UnsupportedTokenVersionException:
 If the token version is not expected.
issue_v2_token(token_ref, roles_ref=None, catalog_ref=None)[source]

Issue a V2 token.

Parameters:
  • token_ref (dict) – token data to generate token from
  • roles_ref (dict) – optional roles list
  • catalog_ref (dict) – optional catalog information
Returns:

(token_id, token_data)

issue_v3_token(user_id, method_names, expires_at=None, project_id=None, domain_id=None, auth_context=None, trust=None, metadata_ref=None, include_catalog=True, parent_audit_id=None)[source]

Issue a V3 Token.

Parameters:
  • user_id (string) – identity of the user
  • method_names (list) – names of authentication methods
  • expires_at (string) – optional time the token will expire
  • project_id (string) – optional project identity
  • domain_id (string) – optional domain identity
  • auth_context (dict) – optional context from the authorization plugins
  • trust (dict) – optional trust reference
  • metadata_ref (dict) – optional metadata reference
  • include_catalog (boolean) – optional, include the catalog in token data
  • parent_audit_id (string) – optional, the audit id of the parent token
Returns:

(token_id, token_data)

needs_persistence()[source]

Determine if the token should be persisted.

If the token provider requires that the token be persisted to a backend this should return True, otherwise return False.

validate_non_persistent_token(token_id)[source]

Validate a given non-persistent token id and return the token_data.

Parameters:token_id (string) – the token id
Returns:token data
Raises keystone.exception.TokenNotFound:
 When the token is invalid
validate_v2_token(token_ref)[source]

Validate the given V2 token and return the token data.

Must raise Unauthorized exception if unable to validate token.

Parameters:token_ref (dict) – the token reference
Returns:token data
Raises keystone.exception.TokenNotFound:
 If the token doesn’t exist.
validate_v3_token(token_ref)[source]

Validate the given V3 token and return the token_data.

Parameters:token_ref (dict) – the token reference
Returns:token data
Raises keystone.exception.TokenNotFound:
 If the token doesn’t exist.
keystone.token.provider.audit_info(parent_audit_id)[source]

Build the audit data for a token.

If parent_audit_id is None, the list will be one element in length containing a newly generated audit_id.

If parent_audit_id is supplied, the list will be two elements in length containing a newly generated audit_id and the parent_audit_id. The parent_audit_id will always be element index 1 in the resulting list.

Parameters:parent_audit_id (str) – the audit of the original token in the chain
Returns:Keystone token audit data
keystone.token.provider.base64_encode(s)[source]

Encode a URL-safe string.

Return type:six.text_type
keystone.token.provider.default_expire_time()[source]

Determine when a fresh token should expire.

Expiration time varies based on configuration (see [token] expiration).

Returns:a naive UTC datetime.datetime object
keystone.token.provider.random_urlsafe_str()[source]

Generate a random URL-safe string.

Return type:six.text_type
keystone.token.provider.random_urlsafe_str_to_bytes(s)[source]

Convert a string from random_urlsafe_str() to six.binary_type.

Return type:six.binary_type

keystone.token.routers module

class keystone.token.routers.Router(mapper=None)[source]

Bases: keystone.common.wsgi.ComposableRouter

add_routes(mapper)[source]

keystone.token.utils module

keystone.token.utils.generate_unique_id(token_id)[source]

Return a unique ID for a token.

The returned value is useful as the primary key of a database table, memcache store, or other lookup table.

Returns:Given a PKI token, returns it’s hashed value. Otherwise, returns the passed-in value (such as a UUID token ID or an existing hash).

Module contents