keystone.identity.backends package
Subpackages
Submodules
keystone.identity.backends.base module

class keystone.identity.backends.base.IdentityDriverBase
Bases: object
Interface description for an Identity driver.
The schema for users and groups is different depending on whether the driver is domain aware or not (as returned by self.is_domain_aware()).
If the driver is not domain aware:
- domain_id will not be included in the user / group passed in to create_user / create_group
- the domain_id should not be returned in user / group refs. They’ll be overwritten.
The password_expires_at in the user schema is a read-only attribute, meaning that it is expected in the response, but not in the request.
User schema (if driver is domain aware):
    type: object
    properties:
        id:
            type: string
        name:
            type: string
        domain_id:
            type: string
        password:
            type: string
        password_expires_at:
            type: datetime
        enabled:
            type: boolean
        default_project_id:
            type: string
    required: [id, name, domain_id, enabled]
    additionalProperties: True
User schema (if driver is not domain aware):
    type: object
    properties:
        id:
            type: string
        name:
            type: string
        password:
            type: string
        password_expires_at:
            type: datetime
        enabled:
            type: boolean
        default_project_id:
            type: string
    required: [id, name, enabled]
    additionalProperties: True
    # Note that domain_id is not allowed as a property
Group schema (if driver is domain aware):
    type: object
    properties:
        id:
            type: string
        name:
            type: string
        domain_id:
            type: string
        description:
            type: string
    required: [id, name, domain_id]
    additionalProperties: True
Group schema (if driver is not domain aware):
    type: object
    properties:
        id:
            type: string
        name:
            type: string
        description:
            type: string
    required: [id, name]
    additionalProperties: True
    # Note that domain_id is not allowed as a property
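The two user schemas above, written as a check a driver author could run over request and response dicts; this is an added example, not keystone code. The names `user_schema_errors`, `to_response_ref` and `SAMPLE_USER` are assumptions, and dropping `password` from the returned ref follows the create_user description on this page.

```python
# Added example, not keystone code: function names and the list-of-errors
# convention are assumptions made for illustration.
from datetime import datetime

# Property types from the documented user schema.
USER_TYPES = {
    "id": str, "name": str, "domain_id": str, "password": str,
    "password_expires_at": datetime, "enabled": bool,
    "default_project_id": str,
}


def user_schema_errors(user, domain_aware, is_request):
    """Return the schema violations for a user dict (empty list if valid)."""
    required = ["id", "name", "enabled"]
    if domain_aware:
        required.insert(2, "domain_id")
    errors = [f"missing required property: {k}" for k in required if k not in user]
    if not domain_aware and "domain_id" in user:
        errors.append("domain_id is not allowed for a non-domain-aware driver")
    # password_expires_at is read-only: expected in responses, not requests.
    if is_request and "password_expires_at" in user:
        errors.append("password_expires_at is read-only")
    # additionalProperties is True, so only the documented keys are typed.
    for key, expected in USER_TYPES.items():
        value = user.get(key)
        if value is not None and not isinstance(value, expected):
            errors.append(f"{key} must be {expected.__name__}")
    return errors


def to_response_ref(user, domain_aware):
    """Copy a user ref for return: no password, no stray domain_id."""
    drop = {"password"} if domain_aware else {"password", "domain_id"}
    return {k: v for k, v in user.items() if k not in drop}


# Constructed sample user, not taken from a real deployment.
SAMPLE_USER = {"id": "u1", "name": "alice", "domain_id": "default",
               "enabled": True, "password": "example-only"}

if __name__ == "__main__":
    print(user_schema_errors(SAMPLE_USER, domain_aware=True, is_request=True))
    print(user_schema_errors(SAMPLE_USER, domain_aware=False, is_request=True))
    print(to_response_ref(SAMPLE_USER, domain_aware=False))
```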

add_user_to_group(user_id, group_id)
Add a user to a group.
Parameters:
- user_id (str) – User ID.
- group_id (str) – Group ID.
Raises:
- keystone.exception.UserNotFound – If the user doesn’t exist.
- keystone.exception.GroupNotFound – If the group doesn’t exist.

authenticate(user_id, password)
Authenticate a given user and password.
Parameters:
- user_id (str) – User ID
- password (str) – Password
Returns: user. See user schema in IdentityDriverBase.
Return type: dict
Raises: AssertionError – If user or password is invalid.

change_password(user_id, new_password)
Self-service password change.
Parameters:
- user_id (str) – User ID.
- new_password (str) – New password.
Raises:
- keystone.exception.UserNotFound – If the user doesn’t exist.
- keystone.exception.PasswordValidation – If password fails validation

check_user_in_group(user_id, group_id)
Check if a user is a member of a group.
Parameters:
- user_id (str) – User ID.
- group_id (str) – Group ID.
Raises:
- keystone.exception.NotFound – If the user is not a member of the group.
- keystone.exception.UserNotFound – If the user doesn’t exist.
- keystone.exception.GroupNotFound – If the group doesn’t exist.

create_group(group_id, group)
Create a new group.
Parameters:
- group_id (str) – group ID. The driver can ignore this value.
- group (dict) – group info. See group schema in IdentityDriverBase.
Returns: group, matching the group schema.
Return type: dict
Raises: keystone.exception.Conflict – If a duplicate group exists.

create_user(user_id, user)
Create a new user.
Parameters:
- user_id (str) – user ID. The driver can ignore this value.
- user (dict) – user info. See user schema in IdentityDriverBase.
Returns: user, matching the user schema. The driver should not return the password.
Return type: dict
Raises: keystone.exception.Conflict – If a duplicate user exists.

delete_group(group_id)
Delete an existing group.
Parameters: group_id (str) – Group ID.
Raises: keystone.exception.GroupNotFound – If the group doesn’t exist.

delete_user(user_id)
Delete an existing user.
Raises: keystone.exception.UserNotFound – If the user doesn’t exist.

get_group(group_id)
Get a group by ID.
Parameters: group_id (str) – group ID.
Returns: group info. See group schema in IdentityDriverBase.
Return type: dict
Raises: keystone.exception.GroupNotFound – If the group doesn’t exist.

get_group_by_name(group_name, domain_id)
Get a group by name.
Parameters:
- group_name (str) – group name.
- domain_id (str) – domain ID.
Returns: group info. See group schema in IdentityDriverBase.
Return type: dict
Raises: keystone.exception.GroupNotFound – If the group doesn’t exist.

get_user(user_id)
Get a user by ID.
Parameters: user_id (str) – User ID.
Returns: user. See user schema in IdentityDriverBase.
Return type: dict
Raises: keystone.exception.UserNotFound – If the user doesn’t exist.

get_user_by_name(user_name, domain_id)
Get a user by name.
Returns: user_ref
Raises: keystone.exception.UserNotFound – If the user doesn’t exist.

is_sql
Indicate if this Driver uses SQL.

list_groups(hints)
List groups in the system.
Parameters: hints (keystone.common.driver_hints.Hints) – filter hints which the driver should implement if at all possible.
Returns: a list of group_refs or an empty list. See group schema in IdentityDriverBase.

list_groups_for_user(user_id, hints)
List groups a user is in.
Parameters:
- user_id (str) – the user in question
- hints (keystone.common.driver_hints.Hints) – filter hints which the driver should implement if at all possible.
Returns: a list of group_refs or an empty list. See group schema in IdentityDriverBase.
Raises: keystone.exception.UserNotFound – If the user doesn’t exist.

list_users(hints)
List users in the system.
Parameters: hints (keystone.common.driver_hints.Hints) – filter hints which the driver should implement if at all possible.
Returns: a list of users or an empty list. See user schema in IdentityDriverBase.
Return type: list of dict

list_users_in_group(group_id, hints)
List users in a group.
Parameters:
- group_id (str) – the group in question
- hints (keystone.common.driver_hints.Hints) – filter hints which the driver should implement if at all possible.
Returns: a list of users or an empty list. See user schema in IdentityDriverBase.
Return type: list of dict
Raises: keystone.exception.GroupNotFound – If the group doesn’t exist.

multiple_domains_supported

remove_user_from_group(user_id, group_id)
Remove a user from a group.
Parameters:
- user_id (str) – User ID.
- group_id (str) – Group ID.
Raises: keystone.exception.NotFound – If the user is not in the group.

update_group(group_id, group)
Update an existing group.
Parameters:
- group_id (str) – Group ID.
- group (dict) – Group modification. See group schema in IdentityDriverBase. Required properties cannot be removed.
Returns: group, matching the group schema.
Return type: dict
Raises:
- keystone.exception.GroupNotFound – If the group doesn’t exist.
- keystone.exception.Conflict – If a duplicate group exists.

update_user(user_id, user)
Update an existing user.
Parameters:
- user_id (str) – User ID.
- user (dict) – User modification. See user schema in IdentityDriverBase. Properties set to None will be removed. Required properties cannot be removed.
Returns: user. See user schema in IdentityDriverBase.
Raises:
- keystone.exception.UserNotFound – If the user doesn’t exist.
- keystone.exception.Conflict – If a duplicate user exists in the same domain.

keystone.identity.backends.resource_options module
keystone.identity.backends.sql module

class keystone.identity.backends.sql.Identity(conf=None)
Bases: keystone.identity.backends.base.IdentityDriverBase
is_sql

keystone.identity.backends.sql_model module

class keystone.identity.backends.sql_model.FederatedUser(*args, **kwargs)
Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.ModelDictMixin
attributes = ['id', 'user_id', 'idp_id', 'protocol_id', 'unique_id', 'display_name']
display_name
id
idp_id
protocol_id
unique_id
user_id

class keystone.identity.backends.sql_model.Group(*args, **kwargs)
Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.DictBase
attributes = ['id', 'name', 'domain_id', 'description']
description
domain_id
extra
id
name

class keystone.identity.backends.sql_model.LocalUser(*args, **kwargs)
Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.DictBase
attributes = ['id', 'user_id', 'domain_id', 'name']
domain_id
failed_auth_at
failed_auth_count
id
name
passwords
user_id

class keystone.identity.backends.sql_model.NonLocalUser(*args, **kwargs)
Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.ModelDictMixin
SQL data model for nonlocal users (LDAP and custom).
attributes = ['domain_id', 'name', 'user_id']
domain_id
name
user_id

class keystone.identity.backends.sql_model.Password(*args, **kwargs)
Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.DictBase
attributes = ['id', 'local_user_id', 'password', 'created_at', 'expires_at']
created_at
expires_at
id
local_user_id
password
self_service

class keystone.identity.backends.sql_model.User(*args, **kwargs)
Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.DictBase
attributes = ['id', 'name', 'domain_id', 'password', 'enabled', 'default_project_id', 'password_expires_at']
created_at
default_project_id
domain_id
enabled
extra
federated_users

classmethod from_dict(user_dict)
Override from_dict to remove password_expires_at attribute.
This method is overridden to remove the password_expires_at attribute, in order to support update_user and unit tests where password_expires_at inadvertently gets added by calling to_dict followed by from_dict.
Parameters: user_dict – User entity dictionary
Returns User: User object

id
last_active_at
local_user
name
nonlocal_user
password

password_created_at
Return when password was created at.

password_expires_at
Return when password expires at.

password_is_expired
Return whether password is expired or not.

password_ref
Return the current password ref.

readonly_attributes = ['id', 'password_expires_at']
resource_options_registry = <keystone.common.resource_options.ResourceOptionRegistry object>

class keystone.identity.backends.sql_model.UserGroupMembership(*args, **kwargs)
Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.DictBase
Group membership join table.
group_id
user_id