Environment variable used to convey the Keystone auth context.
Auth context is essentially the user credential used for policy enforcement. It is a dictionary with the following attributes:
token: Token from the request
user_id: user ID of the principal
has a domain.
project-scoped
project-scoped.
domain-scoped
domain-scoped
is_delegated_auth: True if this is delegated (via trust or oauth)
trust_id: Trust ID if trust-scoped, or None
trustor_id: Trustor ID if trust-scoped, or None
trustee_id: Trustee ID if trust-scoped, or None
consumer_id: OAuth consumer ID, or None
access_token_id: OAuth access token ID, or None
roles (optional): list of role names for the given scope
membership if token was for a federated user
Bases: keystone.common.wsgi.Application
Base controller class for Identity API v2.
Remove parent_id since v2 calls are not hierarchy-aware.
Format a v2 style project list, including marker/limits.
Add name in incoming user refs to match the v2 spec.
Internally we use name to represent a user’s name. The v2 spec requires the use of username instead.
Add username to outgoing user refs to match the v2 spec.
Internally we use name to represent a user’s name. The v2 spec requires the use of username instead.
Convert a project_ref from v3 to v2.
This method should only be applied to project_refs being returned from the v2.0 controller(s).
If ref is a list type, we will iterate through each element and do the conversion.
Convert a user_ref from v3 to v2 compatible.
If ref is a list type, we will iterate through each element and do the conversion.
Bases: keystone.common.wsgi.Application
Base controller class for Identity API v3.
Child classes should set the collection_name and member_name class attributes, representing the collection of entities they are exposing to the API. This is required for supporting self-referential links, pagination, etc.
Class parameters:
Usually used by cls.filter_params()
Build list hints based on the context query string.
| Parameters: |
|
|---|
Provide call protection for complex target attributes.
As well as including the standard parameters from the original API call (which is passed in prep_info), this call will add in any additional entities or attributes (passed in target_attr), so that they can be referenced by policy rules.
Filter a list of references by filter values.
Remove unspecified parameters from the dictionary.
This function removes unspecified parameters from the dictionary. This method checks only root-level keys from a ref dictionary.
| Parameters: | ref – a dictionary representing deserialized response to be serialized |
|---|
Limit a list of entities.
The underlying driver layer may have already truncated the collection for us, but in case it was unable to handle truncation we check here.
| Parameters: |
|
|---|---|
| Returns: | boolean indicating whether the list was truncated, as well as the list of (truncated if necessary) entities. |
Determine if bool query param is ‘True’.
We treat this the same way as we do for policy enforcement:
{bool_param}=0 is treated as False
Any other value is considered to be equivalent to True, including the absence of a value
Wrap a collection, checking for filtering and pagination.
Returns the wrapped collection, which includes: - Executing any filtering not already carried out - Truncate to a set limit if necessary - Adds ‘self’ links in every member - Adds ‘next’, ‘self’ and ‘prev’ links for the whole collection.
| Parameters: |
|
|---|
Wrap API list calls with role based access controls (RBAC).
This handles both the protection of the API parameters as well as any filters supplied.
More complex API list calls (for example that need to examine the contents of an entity referenced by one of the filters) should pass in a callback function, that will be subsequently called to check protection for these multiple entities. This callback function should gather the appropriate entities needed and then call check_protection() in the V3Controller class.
Wrap API calls with role based access controls (RBAC).
This handles both the protection of the API parameters as well as any target entities for single-entity API calls.
More complex API calls (for example that deal with several different entities) should pass in a callback function, that will be subsequently called to check protection for these multiple entities. This callback function should gather the appropriate entities needed and then call check_protection() in the V3Controller class.
This module provides support for dependency injection.
Providers are registered via the @provider() decorator, and dependencies on them are registered with @requires(). Providers are available to their consumers via an attribute. See the documentation for the individual functions for more detail.
See also:
Bases: exceptions.Exception
Raised when a required dependency is not resolvable.
See resolve_future_dependencies() for more details.
A class decorator used to register providers.
When @provider() is used to decorate a class, members of that class will register themselves as providers for the named dependency. As an example, In the code fragment:
@dependency.provider('foo_api')
class Foo:
def __init__(self):
...
...
foo = Foo()
The object foo will be registered as a provider for foo_api. No more than one such instance should be created; additional instances will replace the previous ones, possibly resulting in different instances being used by different consumers.
A class decorator used to inject providers into consumers.
The required providers will be made available to instances of the decorated class via an attribute with the same name as the provider. For example, in the code fragment:
@dependency.requires('foo_api', 'bar_api')
class FooBarClient:
def __init__(self):
...
...
client = FooBarClient()
The object client will have attributes named foo_api and bar_api, which are instances of the named providers.
Objects must not rely on the existence of these attributes until after resolve_future_dependencies() has been called; they may not exist beforehand.
Dependencies registered via @required() must have providers; if not, an UnresolvableDependencyException will be raised when resolve_future_dependencies() is called.
Reset the registry of providers.
This is useful for unit testing to ensure that tests don’t use providers from previous tests.
Force injection of all dependencies.
Before this function is called, circular dependencies may not have been injected. This function should be called only once, after all global providers are registered. If an object needs to be created after this call, it must not have circular dependencies.
If any required dependencies are unresolvable, this function will raise an UnresolvableDependencyException.
Outside of this module, this function should be called with no arguments; the optional argument, __provider_name is used internally, and should be treated as an implementation detail.
Bases: object
Encapsulate driver hints for listing entities.
Hints are modifiers that affect the return of entities from a list_<entities> operation. They are typically passed to a driver to give direction as to what filtering, pagination or list limiting actions are being requested.
It is optional for a driver to action some or all of the list hints, but any filters that it does satisfy must be marked as such by calling removing the filter from the list.
A Hint object contains filters, which is a list of dicts that can be accessed publicly. Also it contains a dict called limit, which will indicate the amount of data we want to limit our listing to.
If the filter is discovered to never match, then cannot_match can be set to indicate that there will not be any matches and the backend work can be short-circuited.
Each filter term consists of:
name: the name of the attribute being matched
value: the value against which it is being matched
contains, startswith or endswith
case
type: will always be ‘filter’
Add a filter to the filters list, which is publicly accessible.
Ensure list truncation is detected in Driver list entity methods.
This is designed to wrap Driver list_{entity} methods in order to calculate if the resultant list has been truncated. Provided a limit dict is found in the hints list, we increment the limit by one so as to ask the wrapped function for one more entity than the limit, and then once the list has been generated, we check to see if the original limit has been exceeded, in which case we truncate back to that limit and set the ‘truncated’ boolean to ‘true’ in the hints limit dict.
Register extension with collection of admin extensions.
Extensions register the information here that will show up in the /extensions page as a way to indicate that the extension is active.
Bases: object
Attempt to create the key directory if it doesn’t exist.
Create a key repository and bootstrap it with a key.
| Parameters: |
|
|---|
Load keys from disk into a list.
The first key in the list is the primary key used for encryption. All other keys are active secondary keys that can be used for decrypting tokens.
| Parameters: | use_null_key – If true, a known key containing null bytes will be appended to the list of returned keys. |
|---|
Create a new primary key and revoke excess active keys.
| Parameters: |
|
|---|
Key rotation utilizes the following behaviors:
This strategy allows you to safely perform rotation on one node in a cluster, before syncing the results of the rotation to all other nodes (during both key rotation and synchronization, all nodes must recognize all primary keys).
Bases: object
Relationships for Common parameters.
Bases: object
Status values supported.
Bases: object
Base class for intermediary request layer.
The Manager layer exists to support additional logic that applies to all or some of the methods exposed by a service that are not specific to the HTTP interface.
It also provides a stable entry point to dynamic backends.
An example of a probable use case is logging all the calls.
Helper function to deprecate the original driver classes.
The keystone.{subsystem}.Driver classes are deprecated in favor of the new versioned classes. This function creates a new class based on a versioned class and adds a deprecation message when it is used.
This will allow existing custom drivers to work when the Driver class is renamed to include a version.
Example usage:
Driver = create_legacy_driver(CatalogDriverV8)
Truncate the list returned by the wrapped function.
This is designed to wrap Manager list_{entity} methods to ensure that any list limits that are defined are passed to the driver layer. If a hints list is provided, the wrapper will insert the relevant limit into the hints so that the underlying driver call can try and honor it. If the driver does truncate the response, it will update the ‘truncated’ attribute in the ‘limit’ entry in the hints list, which enables the caller of this function to know if truncation has taken place. If, however, the driver layer is unable to perform truncation, the ‘limit’ entry is simply left in the hints list for the caller to handle.
A _get_list_limit() method is required to be present in the object class hierarchy, which returns the limit for this backend to which we will truncate.
If a hints list is not provided in the arguments of the wrapped call then any limits set in the config file are ignored. This allows internal use of such wrapped methods where the entire data set is needed as input for the calculations of some other API (e.g. get role assignments for a given project).
Bases: object
Create a certificate signing environment.
This is based on a config section and reasonable OpenSSL defaults.
Bases: keystone.common.openssl.BaseCertificateConfigure
Generate files for PKI signing using OpenSSL.
Signed tokens require a private key and signing certificate which itself must be signed by a CA. This class generates them with workable defaults if each of the files are not present
Setup OSprofiler notifier and enable profiling.
| Parameters: |
|
|---|
Bases: webob.request.Request
Gets and sets the AUTH_TYPE key in the environment.
Gets and sets the keystone.oslo_request_context key in the environment.
Gets and sets the REMOTE_DOMAIN key in the environment.
Bases: object
Map client certificate to an existing user.
If user is ephemeral, there is no validation on the user himself; however it will be mapped to a corresponding group(s) and the scope of this ephemeral user is the same as what is assigned to the group.
| Parameters: |
|
|---|---|
| Returns: | A dictionary that contains the keys, such as user_id, user_name, domain_id, domain_name |
| Return type: | dict |
Bases: keystone.common.utils.SmarterEncoder
Special encoder to make token JSON a bit shorter.
Bases: json.encoder.JSONEncoder
Help for JSON encoding dict-like objects.
Return the boolean value, decoded from a string.
We test explicitly for a value meaning False, which can be one of several formats as specified in oslo strutils.FALSE_STRINGS. All other string values (including an empty string) are treated as meaning True.
Constant-time string comparison.
| Params provided: | |
|---|---|
| the first string | |
| Params known: | the second string |
| Returns: | True if the strings are equal. |
This function takes two strings and compares them. It is intended to be used when doing a comparison for authentication purposes to help guard against timing attacks. When using the function for this purpose, always provide the user-provided password as the first argument. The time this function will take is always a factor of the length of this string.
Check substitution of url.
The invalid urls are as follows: urls with substitutions that is not in the whitelist
Check the substitutions in the URL to make sure they are valid and on the whitelist.
| Parameters: | url (str) – the URL to validate |
|---|---|
| Return type: | None |
| Raises keystone.exception.URLValidationError: | |
| if the URL is invalid | |
Check that a plaintext password matches hashed.
hashpw returns the salt value concatenated with the actual hash value. It extracts the actual salt if this value is then passed as the salt.
Flatten a nested dictionary.
Converts a dictionary with nested values to a single level flat dictionary, with dotted notation for each key.
Format a user-defined URL with the given substitutions.
| Parameters: |
|
|---|---|
| Returns: | a formatted URL |
Retrieve KeystoneToken object from the auth context and returns it.
| Parameters: | context (dict) – The request context. |
|---|---|
| Raises keystone.exception.Unauthorized: | |
| If auth context cannot be found. | |
| Returns: | The KeystoneToken object. |
Get the gid and group name.
This is a convenience utility which accepts a variety of input which might represent a unix group. If successful it returns the gid and name. Valid input is:
If the input is a valid type but no group is found a KeyError is raised. If the input is not a valid type a TypeError is raised.
| Parameters: | group (object) – string, int or None specifying the group to lookup. |
|---|---|
| Returns: | tuple of (gid, name) |
Get the uid and user name.
This is a convenience utility which accepts a variety of input which might represent a unix user. If successful it returns the uid and name. Valid input is:
If the input is a valid type but no user is found a KeyError is raised. If the input is not a valid type a TypeError is raised.
| Parameters: | user (object) – string, int or None specifying the user to lookup. |
|---|---|
| Returns: | tuple of (uid, name) |
Hash a user dict’s password without modifying the passed-in dict.
Check if a string contains any url reserved characters.
Stringify time in ISO 8601 format.
Python provides a similar instance method for datetime.datetime objects called isoformat(). The format of the strings generated by isoformat() has a couple of problems: 1) The strings generated by isotime() are used in tokens and other public
APIs that we can’t change without a deprecation period. The strings generated by isoformat() are not the same format, so we can’t just change to it.
| Parameters: |
|
|---|---|
| Returns: | A time string represented in ISO 8601 format. |
| Return type: | str |
Return a list of the reserved characters.
Assure directory exists, set ownership and permissions.
Assure the directory exists and optionally set its ownership and permissions.
Each of the mode, user and group are optional, if None then that aspect is not modified.
Owner and group may be specified either with a symbolic name or numeric id.
| Parameters: |
|
|---|
Set the ownership and permissions on the pathname.
Each of the mode, user and group are optional, if None then that aspect is not modified.
Owner and group may be specified either with a symbolic name or numeric id.
| Parameters: |
|
|---|
Utility methods for working with WSGI servers.
Bases: keystone.common.wsgi.BaseApplication
Ensure the user is an admin.
| Raises: |
|
|---|
Bases: object
Base WSGI application wrapper. Subclasses need to implement __call__.
Used for paste app factories in paste.deploy config files.
Any local configuration (that is, values under the [app:APPNAME] section of the paste config) will be passed into the __init__ method as kwargs.
A hypothetical configuration would look like:
[app:wadl] latest_version = 1.3 paste.app_factory = keystone.fancy_api:Wadl.factory
which would result in a call to the Wadl class as
import keystone.fancy_api keystone.fancy_api.Wadl(latest_version=‘1.3’)
You could of course re-implement the factory method in subclasses, but using the kwarg passing it shouldn’t be necessary.
Bases: keystone.common.wsgi.Router
Router that supports use by ComposingRouter.
Bases: keystone.common.wsgi.Router
Bases: keystone.common.wsgi.Middleware
Helper class for debugging a WSGI application.
Can be inserted into any WSGI application chain to get information about the request and response.
Bases: keystone.common.wsgi.Router
A router that allows extensions to supplement or overwrite routes.
Expects to be subclassed.
Used for paste app factories in paste.deploy config files.
Any local configuration (that is, values under the [filter:APPNAME] section of the paste config) will be passed into the __init__ method as kwargs.
A hypothetical configuration would look like:
[filter:analytics] redis_host = 127.0.0.1 paste.filter_factory = keystone.analytics:Analytics.factory
which would result in a call to the Analytics class as
import keystone.analytics keystone.analytics.Analytics(app, redis_host=‘127.0.0.1’)
You could of course re-implement the factory method in subclasses, but using the kwarg passing it shouldn’t be necessary.
Bases: keystone.common.wsgi.Application
Base WSGI middleware.
These classes require an application to be initialized that will be called next. By default the middleware will simply call its wrapped app, or you can override __call__ to customize its behavior.
Used for paste app factories in paste.deploy config files.
Bases: object
WSGI middleware that maps incoming requests to WSGI apps.
Bases: keystone.common.wsgi.ExtensionRouter, keystone.common.wsgi.RoutersBase
Base class for V3 extension router.
Determine the best available locale.
This returns best available locale based on the Accept-Language HTTP header passed in the request.
Form a WSGI response based on the current error.