Bases: object
Abstract base class for an authentication plugin.
Authenticate user and return an authentication context.
If successful, plugin must set user_id in auth_context. method_name is used to convey any additional authentication methods in case authentication is for re-scoping. For example, if the authentication is for re-scoping, plugin must append the previous method names into method_names. Also, plugin may add any additional information into extras. Anything in extras will be conveyed in the token’s extras attribute. Here’s an example of auth_context on successful authentication:
{
    "extras": {},
    "methods": [
        "password",
        "token"
    ],
    "user_id": "abc123"
}
Plugins are invoked in the order in which they are specified in the methods attribute of the identity object. For example, custom-plugin is invoked before password, which is invoked before token in the following authentication request:
{
    "auth": {
        "identity": {
            "custom-plugin": {
                "custom-data": "sdfdfsfsfsdfsf"
            },
            "methods": [
                "custom-plugin",
                "password",
                "token"
            ],
            "password": {
                "user": {
                    "id": "s23sfad1",
                    "password": "secrete"
                }
            },
            "token": {
                "id": "sdfafasdfsfasfasdfds"
            }
        }
    }
}
Returns: None if authentication is successful. Authentication payload in the form of a dictionary for the next authentication step if this is a multi-step authentication.
Raises keystone.exception.Unauthorized: for authentication failure
Determine authentication method types for deployment.
Returns: a dictionary containing the methods and their indexes
Keystone External Authentication Plugins.
Bases: keystone.auth.plugins.external.Domain
Allows kerberos as a method.
Bases: keystone.auth.plugins.base.AuthMethodHandler
Authenticate mapped user and set an authentication context.
In addition to user_id in auth_context, this plugin sets group_ids, OS-FEDERATION:identity_provider and OS-FEDERATION:protocol.
Set up the federated username.
This function covers all the cases for properly setting the user id, the primary identifier for identity objects. The initial version of the mapping engine assumed that a user is identified by name and that the id is built from the name. We, however, need to be able to accept local rules that identify a user by either id or name/domain.
The following use-cases are covered:
Parameters:
    Type: dictionary
Raises keystone.exception.Unauthorized: if neither user_name nor user_id is set.
Returns: tuple with user identification
Return type: tuple
Bases: keystone.auth.plugins.mapped.Mapped
Provide an entry point to authenticate with SAML2.
This plugin subclasses mapped.Mapped, and may be specified in keystone.conf:
[auth]
methods = external,password,token,saml2
saml2 = keystone.auth.plugins.mapped.Mapped
Time-based One-time Password Algorithm (TOTP) auth plugin.
TOTP is an algorithm that computes a one-time password from a shared secret key and the current time.
TOTP is built on a hash-based message authentication code (HMAC). It combines a secret key with the current timestamp using a cryptographic hash function to generate a one-time password. The timestamp typically advances in 30-second intervals, so passwords generated close together in time (within the same interval) from the same secret key will be equal.
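The following is an added, stand-alone illustration of the TOTP construction just described; it is not Keystone's own plugin code. It implements RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1 from the standard library, and a verifier that tolerates a small clock-skew window and compares codes in constant time. The 30-second step, the secret and the test vectors are the RFC's published values.

```python
# Added example (not Keystone's own code): RFC 6238 TOTP built on RFC 4226 HOTP,
# with a verifier that accepts a small clock-skew window and compares in constant time.
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # the 30-second interval described above


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // STEP_SECONDS), digits)


def verify_totp(secret: bytes, submitted: str, at=None, window: int = 1, digits: int = 6) -> bool:
    """Accept a code from the current step or up to `window` steps either side, so slight
    clock drift between client and server does not lock users out. hmac.compare_digest
    avoids leaking how many digits matched through timing."""
    now = time.time() if at is None else at
    step = int(now // STEP_SECONDS)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, step + delta, digits), submitted):
            return True
    return False


# Constructed demo using the RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0))                 # 755224 (RFC 4226 test vector)
    print(totp(RFC_SECRET, at=59, digits=8))   # 94287082 (RFC 6238 test vector)
    # Two timestamps inside the same 30-second interval yield the same code.
    print(totp(RFC_SECRET, at=60) == totp(RFC_SECRET, at=89))
```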