keystone.auth.plugins package¶
Submodules¶
keystone.auth.plugins.base module¶
-
class
keystone.auth.plugins.base.
AuthHandlerResponse
(status, response_body, response_data)¶ Bases:
tuple
-
response_body
¶ Alias for field number 1
-
response_data
¶ Alias for field number 2
-
status
¶ Alias for field number 0
-
-
class
keystone.auth.plugins.base.
AuthMethodHandler
[source]¶ Bases:
object
Abstract base class for an authentication plugin.
-
authenticate
(request, auth_payload)[source]¶ Authenticate user and return an authentication context.
Parameters: - request (common.request.Request) – context of an authentication request
- auth_payload (dict) – the payload content of the authentication request for a given method
If successful, plugin must set
user_id
inresponse_data
.method_name
is used to convey any additional authentication methods in case authentication is for re-scoping. For example, if the authentication is for re-scoping, plugin must append the previous method names intomethod_names
; NOTE: This behavior is exclusive to the re-scope type action. Also, plugin may add any additional information intoextras
. Anything inextras
will be conveyed in the token’sextras
attribute. Here’s an example ofresponse_data
on successful authentication:{ "extras": {}, "methods": [ "password", "token" ], "user_id": "abc123" }
Plugins are invoked in the order in which they are specified in the
methods
attribute of theidentity
object. For example,custom-plugin
is invoked beforepassword
, which is invoked beforetoken
in the following authentication request:{ "auth": { "identity": { "custom-plugin": { "custom-data": "sdfdfsfsfsdfsf" }, "methods": [ "custom-plugin", "password", "token" ], "password": { "user": { "id": "s23sfad1", "password": "secret" } }, "token": { "id": "sdfafasdfsfasfasdfds" } } } }
Returns: AuthHandlerResponse with status set to True
if auth was successful. If status isFalse
and this is a multi-step auth, theresponse_body
can be in a form of a dict for the next step in authentication.Raises: keystone.exception.Unauthorized – for authentication failure
-
keystone.auth.plugins.core module¶
-
keystone.auth.plugins.core.
construct_method_map_from_config
()[source]¶ Determine authentication method types for deployment.
Returns: a dictionary containing the methods and their indexes
keystone.auth.plugins.external module¶
Keystone External Authentication Plugins.
-
class
keystone.auth.plugins.external.
KerberosDomain
(*args, **kwargs)[source]¶ Bases:
keystone.auth.plugins.external.Domain
Allows kerberos as a method.
keystone.auth.plugins.mapped module¶
-
class
keystone.auth.plugins.mapped.
Mapped
(*args, **kwargs)[source]¶ Bases:
keystone.auth.plugins.base.AuthMethodHandler
-
authenticate
(request, auth_payload)[source]¶ Authenticate mapped user and set an authentication context.
Parameters: - request – keystone’s request context
- auth_payload – the content of the authentication for a given method
In addition to
user_id
inresponse_data
, this plugin setsgroup_ids
,OS-FEDERATION:identity_provider
andOS-FEDERATION:protocol
-
-
keystone.auth.plugins.mapped.
apply_mapping_filter
(identity_provider, protocol, assertion, resource_api, federation_api, identity_api)[source]¶
-
keystone.auth.plugins.mapped.
get_user_unique_id_and_display_name
(request, mapped_properties)[source]¶ Setup federated username.
Function covers all the cases for properly setting user id, a primary identifier for identity objects. Initial version of the mapping engine assumed user is identified by
name
and hisid
is built from the name. We, however need to be able to accept local rules that identify user by either id or name/domain.The following use-cases are covered:
- If neither user_name nor user_id is set raise exception.Unauthorized
- If user_id is set and user_name not, set user_name equal to user_id
- If user_id is not set and user_name is, set user_id as url safe version of user_name.
Parameters: - request – current request object
- mapped_properties – Properties issued by a RuleProcessor.
Type: dictionary
Raises: keystone.exception.Unauthorized – If neither user_name nor user_id is set.
Returns: tuple with user identification
Return type: tuple
keystone.auth.plugins.oauth1 module¶
keystone.auth.plugins.password module¶
keystone.auth.plugins.token module¶
keystone.auth.plugins.totp module¶
Time-based One-time Password Algorithm (TOTP) auth plugin.
TOTP is an algorithm that computes a one-time password from a shared secret key and the current time.
TOTP is an implementation of a hash-based message authentication code (HMAC). It combines a secret key with the current timestamp using a cryptographic hash function to generate a one-time password. The timestamp typically increases in 30-second intervals, so passwords generated close together in time from the same secret key will be equal.