keystone.federation package
Subpackages
Submodules
keystone.federation.constants module
keystone.federation.controllers module
Workflow logic for the Federation service.

class keystone.federation.controllers.Auth(*args, **kw)
    Bases: keystone.auth.controllers.Auth

    create_ecp_assertion(request, auth)
        Exchange a scoped token for an ECP assertion.
        Parameters: auth – Dictionary that contains a token and service provider ID
        Returns: ECP Assertion based on properties from the token

    create_saml_assertion(request, auth)
        Exchange a scoped token for a SAML assertion.
        Parameters: auth – Dictionary that contains a token and service provider ID
        Returns: SAML Assertion based on properties from the token
class keystone.federation.controllers.DomainV3
    Bases: keystone.common.controller.V3Controller

    collection_name = 'domains'

    list_domains_for_user(request, *args, **kwargs)
        List all domains available to an authenticated user.
        Parameters: context – request context
        Returns: list of accessible domains

    member_name = 'domain'
class keystone.federation.controllers.FederationProtocol(*args, **kwargs)
    Bases: keystone.federation.controllers._ControllerBase
    A federation protocol representation.
    See the keystone.common.controller.V3Controller docstring for an explanation of the _public_parameters class attributes.

    collection_name = 'protocols'

    member_name = 'protocol'
class keystone.federation.controllers.IdentityProvider(*args, **kwargs)
    Bases: keystone.federation.controllers._ControllerBase
    Identity Provider representation.

    collection_name = 'identity_providers'

    member_name = 'identity_provider'
class keystone.federation.controllers.MappingController(*args, **kwargs)
    Bases: keystone.federation.controllers._ControllerBase

    collection_name = 'mappings'

    member_name = 'mapping'
class keystone.federation.controllers.ProjectAssignmentV3
    Bases: keystone.common.controller.V3Controller

    collection_name = 'projects'

    list_projects_for_user(request, *args, **kwargs)
        List all projects available to an authenticated user.
        Parameters: context – request context
        Returns: list of accessible projects

    member_name = 'project'
class keystone.federation.controllers.SAMLMetadataV3(*args, **kwargs)
    Bases: keystone.federation.controllers._ControllerBase

    member_name = 'metadata'
keystone.federation.core module
Main entry point into the Federation service.

class keystone.federation.core.Manager(*args, **kwargs)
    Bases: keystone.common.manager.Manager
    Default pivot point for the Federation backend.
    See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

    driver_namespace = 'keystone.federation'

    get_enabled_service_providers(*args, **kwargs)
        List enabled service providers for the Service Catalog.
        A Service Provider entry in the catalog contains three attributes, id, auth_url and sp_url, where:
        - id is a unique, user-defined identifier for the service provider object
        - auth_url is the authentication URL of the remote Keystone
        - sp_url is a URL accessible at the remote service provider where the SAML assertion is transmitted
        Returns: list of dictionaries with enabled service providers
        Return type: list of dicts
keystone.federation.idp module

class keystone.federation.idp.ECPGenerator
    Bases: object
    A class for generating an ECP assertion.

class keystone.federation.idp.MetadataGenerator
    Bases: object
    A class for generating SAML IdP Metadata.

    generate_metadata()
        Generate Identity Provider Metadata.
        Generate and format metadata into XML that can be exposed and consumed by a federated Service Provider.
        Returns: XML <EntityDescriptor> object.
        Raises: keystone.exception.ValidationError – If the required config options aren't set.

class keystone.federation.idp.SAMLGenerator
    Bases: object
    A class to generate SAML assertions.

    samlize_token(issuer, recipient, user, user_domain_name, roles, project, project_domain_name, expires_in=None)
        Convert Keystone attributes to a SAML assertion.
        Parameters:
        - issuer (string) – URL of the issuing party
        - recipient (string) – URL of the recipient
        - user (string) – User name
        - user_domain_name (string) – User Domain name
        - roles (list) – List of role names
        - project (string) – Project name
        - project_domain_name (string) – Project Domain name
        - expires_in (int) – Sets how long the assertion is valid for, in seconds
        Returns: XML <Response> object
keystone.federation.routers module

class keystone.federation.routers.Routers
    Bases: keystone.common.wsgi.RoutersBase
    API Endpoints for the Federation extension.
    The API looks like:

        PUT /OS-FEDERATION/identity_providers/{idp_id}
        GET /OS-FEDERATION/identity_providers
        GET /OS-FEDERATION/identity_providers/{idp_id}
        DELETE /OS-FEDERATION/identity_providers/{idp_id}
        PATCH /OS-FEDERATION/identity_providers/{idp_id}
        PUT /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
        GET /OS-FEDERATION/identity_providers/{idp_id}/protocols
        GET /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
        PATCH /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
        DELETE /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
        PUT /OS-FEDERATION/mappings
        GET /OS-FEDERATION/mappings
        PATCH /OS-FEDERATION/mappings/{mapping_id}
        GET /OS-FEDERATION/mappings/{mapping_id}
        DELETE /OS-FEDERATION/mappings/{mapping_id}
        GET /OS-FEDERATION/projects
        GET /OS-FEDERATION/domains
        PUT /OS-FEDERATION/service_providers/{sp_id}
        GET /OS-FEDERATION/service_providers
        GET /OS-FEDERATION/service_providers/{sp_id}
        DELETE /OS-FEDERATION/service_providers/{sp_id}
        PATCH /OS-FEDERATION/service_providers/{sp_id}
        GET /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth
        POST /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth
        GET /auth/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/websso?origin=https%3A//horizon.example.com
        POST /auth/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/websso?origin=https%3A//horizon.example.com
        POST /auth/OS-FEDERATION/saml2
        POST /auth/OS-FEDERATION/saml2/ecp
        GET /OS-FEDERATION/saml2/metadata
        GET /auth/OS-FEDERATION/websso/{protocol_id}?origin=https%3A//horizon.example.com
        POST /auth/OS-FEDERATION/websso/{protocol_id}?origin=https%3A//horizon.example.com
keystone.federation.schema module
keystone.federation.utils module
Utilities for Federation Extension.

class keystone.federation.utils.DirectMaps
    Bases: object
    An abstraction around the remote matches.
    Each match is treated internally as a list.

class keystone.federation.utils.RuleProcessor(mapping_id, rules)
    Bases: object
    A class to process assertions and mapping rules.

    process(assertion_data)
        Transform an assertion to a dictionary.
        The dictionary contains the mapping of user name and group ids based on the mapping rules.
        This function iterates through the mapping rules to find assertions that are valid.
        Parameters: assertion_data (dict) – an assertion containing values from an IdP
        Example assertion_data:

            {
                'Email': 'testacct@example.com',
                'UserName': 'testacct',
                'FirstName': 'Test',
                'LastName': 'Account',
                'orgPersonType': 'Tester'
            }

        Returns: dictionary with user and group_ids
        The expected return structure is:

            {
                'name': 'foobar',
                'group_ids': ['abc123', 'def456'],
                'group_names': [
                    {'name': 'group_name_1', 'domain': {'name': 'domain1'}},
                    {'name': 'group_name_1_1', 'domain': {'name': 'domain1'}},
                    {'name': 'group_name_2', 'domain': {'id': 'xyz132'}}
                ]
            }
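An added example, not keystone's own RuleProcessor: a minimal evaluator for keystone-style mapping rules that produces the {'name', 'group_ids', 'group_names'} shape documented above. It assumes the remote/local rule structure with "any_one_of" and "not_any_of" remote filters and "{0}"-style substitution of captured values from keystone's mapping format (not shown on this page); the assertion and mapping are constructed sample data.

```python
# Constructed sample assertion (the docstring's example assertion_data).
ASSERTION = {"Email": "testacct@example.com", "UserName": "testacct",
             "FirstName": "Test", "LastName": "Account",
             "orgPersonType": "Tester"}

# Constructed mapping. Rule 1 names the user after UserName and grants group
# abc123 only to Testers; rule 2 grants a group by name/domain to anyone
# who is not a Contractor.
MAPPING = {"rules": [
    {"remote": [{"type": "UserName"},
                {"type": "orgPersonType", "any_one_of": ["Tester"]}],
     "local": [{"user": {"name": "{0}"}}, {"group": {"id": "abc123"}}]},
    {"remote": [{"type": "orgPersonType", "not_any_of": ["Contractor"]}],
     "local": [{"group": {"name": "group_name_1",
                          "domain": {"name": "domain1"}}}]},
]}

def remote_matches(remote, assertion):
    """Return captured values if every remote filter passes, else None."""
    captured = []
    for req in remote:
        attr = assertion.get(req["type"])
        if attr is None:  # a required attribute is absent: the rule fails
            return None
        found = attr if isinstance(attr, list) else [attr]
        if "any_one_of" in req and not set(found) & set(req["any_one_of"]):
            return None
        if "not_any_of" in req and set(found) & set(req["not_any_of"]):
            return None
        captured.append(found[0])
    return captured

def process(mapping, assertion):
    """Apply every rule; rules that do not match contribute nothing."""
    result = {"name": None, "group_ids": [], "group_names": []}
    for rule in mapping["rules"]:
        captured = remote_matches(rule["remote"], assertion)
        if captured is None:
            continue
        for local in rule["local"]:
            if "user" in local:  # "{0}" is the first captured remote value
                result["name"] = local["user"]["name"].format(*captured)
            elif "id" in local.get("group", {}):
                result["group_ids"].append(local["group"]["id"])
            elif "group" in local:
                result["group_names"].append(local["group"])
    return result
```

An assertion that matches no rule yields no name and no groups, so a federated user the mapping does not cover receives no local identity.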
class keystone.federation.utils.UserType
    Bases: object
    User mapping type.

    EPHEMERAL = 'ephemeral'

    LOCAL = 'local'
keystone.federation.utils.transform_to_group_ids(group_names, mapping_id, identity_api, resource_api)
    Transform groups identified by name/domain to their ids.
    The function accepts a list of groups identified by a name and domain and gives a list of group ids in return.
    Example of the group_names parameter:

        [
            {"name": "group_name", "domain": {"id": "domain_id"}},
            {"name": "group_name_2", "domain": {"name": "domain_name"}}
        ]

    Parameters:
    - group_names (list) – list of groups identified by name and domain.
    - mapping_id (str) – id of the mapping used for mapping the assertion into local credentials
    - identity_api – identity_api object
    - resource_api – resource manager object
    Returns: generator object with group ids
    Raises: keystone.exception.MappedGroupNotFound – in case a requested group doesn't exist in the backend.
keystone.federation.utils.validate_idp(idp, protocol, assertion)
    The IdP providing the assertion should be registered for the mapping.

keystone.federation.utils.validate_mapped_group_ids(group_ids, mapping_id, identity_api)
    Iterate over group ids and make sure they are present in the backend.
    This call is not transactional.
    Parameters:
    - group_ids (list of str) – IDs of the groups to be checked
    - mapping_id (str) – id of the mapping used for this operation
    - identity_api (identity.Manager) – Identity Manager object used for communication with the backend
    Raises: keystone.exception.MappedGroupNotFound – If the group returned by mapping was not found in the backend.