keystone.identity.backends package

Subpackages

• keystone.identity.backends.ldap package
  • Submodules
  • keystone.identity.backends.ldap.common module
  • keystone.identity.backends.ldap.core module
  • keystone.identity.backends.ldap.models module
  • Module contents

Submodules

keystone.identity.backends.base module

class keystone.identity.backends.base.IdentityDriverBase

Bases: object

Interface description for an Identity driver.

The schema for users and groups is different depending on whether the driver is domain aware or not (as returned by self.is_domain_aware()).

If the driver is not domain aware:

• domain_id will be not be included in the user / group passed in to create_user / create_group
• the domain_id should not be returned in user / group refs. They’ll be overwritten.

The password_expires_at in the user schema is a read-only attribute, meaning that it is expected in the response, but not in the request.

User schema (if driver is domain aware):

type: object
properties:
    id:
        type: string
    name:
        type: string
    domain_id:
        type: string
    password:
        type: string
    password_expires_at:
        type: datetime
    enabled:
        type: boolean
    default_project_id:
        type: string
required: [id, name, domain_id, enabled]
additionalProperties: True

User schema (if driver is not domain aware):

type: object
properties:
    id:
        type: string
    name:
        type: string
    password:
        type: string
    password_expires_at:
        type: datetime
    enabled:
        type: boolean
    default_project_id:
        type: string
required: [id, name, enabled]
additionalProperties: True
# Note that domain_id is not allowed as a property

Group schema (if driver is domain aware):

type: object
properties:
    id:
        type: string
    name:
        type: string
    domain_id:
        type: string
    description:
        type: string
required: [id, name, domain_id]
additionalProperties: True

Group schema (if driver is not domain aware):

type: object
properties:
    id:
        type: string
    name:
        type: string
    description:
        type: string
required: [id, name]
additionalProperties: True
# Note that domain_id is not allowed as a property

add_user_to_group(user_id, group_id)

Add a user to a group.

Parameters:

• user_id (str) – User ID.
• group_id (str) – Group ID.

Raises:

• keystone.exception.UserNotFound – If the user doesn’t exist.
• keystone.exception.GroupNotFound – If the group doesn’t exist.

authenticate(user_id, password)

Authenticate a given user and password.

Parameters:

• user_id (str) – User ID
• password (str) – Password

Returns:

user. See user schema in IdentityDriverBase.

Return type:

dict

Raises:

AssertionError – If user or password is invalid.

change_password(user_id, new_password)

Self-service password change.

Parameters:

• user_id (str) – User ID.
• new_password (str) – New password.

Raises:

• keystone.exception.UserNotFound – If the user doesn’t exist.
• keystone.exception.PasswordValidation – If password fails validation

check_user_in_group(user_id, group_id)

Check if a user is a member of a group.

Parameters:

• user_id (str) – User ID.
• group_id (str) – Group ID.

Raises:

• keystone.exception.NotFound – If the user is not a member of the group.
• keystone.exception.UserNotFound – If the user doesn’t exist.
• keystone.exception.GroupNotFound – If the group doesn’t exist.

create_group(group_id, group)

Create a new group.

Parameters:

• group_id (str) – group ID. The driver can ignore this value.
• group (dict) – group info. See group schema in IdentityDriverBase.

Returns:

group, matching the group schema.

Return type:

dict

Raises:

keystone.exception.Conflict – If a duplicate group exists.

create_user(user_id, user)

Create a new user.

Parameters:

• user_id (str) – user ID. The driver can ignore this value.
• user (dict) – user info. See user schema in IdentityDriverBase.

Returns:

user, matching the user schema. The driver should not return the password.

Return type:

dict

Raises:

keystone.exception.Conflict – If a duplicate user exists.

default_assignment_driver()

delete_group(group_id)

Delete an existing group.

Parameters:group_id (str) – Group ID. Raises:keystone.exception.GroupNotFound – If the group doesn’t exist.

delete_user(user_id)

Delete an existing user.

Raises:keystone.exception.UserNotFound – If the user doesn’t exist.

generates_uuids()

Indicate if Driver generates UUIDs as the local entity ID.

get_group(group_id)

Get a group by ID.

Parameters:group_id (str) – group ID. Returns:group info. See group schema in IdentityDriverBase Return type:dict Raises:keystone.exception.GroupNotFound – If the group doesn’t exist.

get_group_by_name(group_name, domain_id)

Get a group by name.

Parameters:

• group_name (str) – group name.
• domain_id (str) – domain ID.

Returns:

group info. See group schema in IdentityDriverBase.

Return type:

dict

Raises:

keystone.exception.GroupNotFound – If the group doesn’t exist.

get_user(user_id)

Get a user by ID.

Parameters:user_id (str) – User ID. Returns:user. See user schema in IdentityDriverBase. Return type:dict Raises:keystone.exception.UserNotFound – If the user doesn’t exist.

get_user_by_name(user_name, domain_id)

Get a user by name.

Returns:user_ref Raises:keystone.exception.UserNotFound – If the user doesn’t exist.

is_domain_aware()

Indicate if the driver supports domains.

is_sql

Indicate if this Driver uses SQL.

list_groups(hints)

List groups in the system.

Parameters:hints (keystone.common.driver_hints.Hints) – filter hints which the driver should implement if at all possible. Returns:a list of group_refs or an empty list. See group schema in IdentityDriverBase.

list_groups_for_user(user_id, hints)

List groups a user is in.

Parameters:

• user_id (str) – the user in question
• hints (keystone.common.driver_hints.Hints) – filter hints which the driver should implement if at all possible.

Returns:

a list of group_refs or an empty list. See group schema in IdentityDriverBase.

Raises:

keystone.exception.UserNotFound – If the user doesn’t exist.

list_users(hints)

List users in the system.

Parameters:hints (keystone.common.driver_hints.Hints) – filter hints which the driver should implement if at all possible. Returns:a list of users or an empty list. See user schema in IdentityDriverBase. Return type:list of dict

list_users_in_group(group_id, hints)

List users in a group.

Parameters:

• group_id (str) – the group in question
• hints (keystone.common.driver_hints.Hints) – filter hints which the driver should implement if at all possible.

Returns:

a list of users or an empty list. See user schema in IdentityDriverBase.

Return type:

list of dict

Raises:

keystone.exception.GroupNotFound – If the group doesn’t exist.

multiple_domains_supported

remove_user_from_group(user_id, group_id)

Remove a user from a group.

Parameters:

• user_id (str) – User ID.
• group_id (str) – Group ID.

Raises:

keystone.exception.NotFound – If the user is not in the group.

update_group(group_id, group)

Update an existing group.

Parameters:

• group_id (str) – Group ID.
• group (dict) – Group modification. See group schema in IdentityDriverBase. Required properties cannot be removed.

Returns:

group, matching the group schema.

Return type:

dict

Raises:

• keystone.exception.GroupNotFound – If the group doesn’t exist.
• keystone.exception.Conflict – If a duplicate group exists.

update_user(user_id, user)

Update an existing user.

Parameters:

• user_id (str) – User ID.
• user (dict) – User modification. See user schema in IdentityDriverBase. Properties set to None will be removed. Required properties cannot be removed.

Returns:

user. See user schema in IdentityDriverBase.

Raises:

• keystone.exception.UserNotFound – If the user doesn’t exist.
• keystone.exception.Conflict – If a duplicate user exists in the same domain.

keystone.identity.backends.base.filter_user(user_ref)

Filter out private items in a user dict.

‘password’, ‘tenants’ and ‘groups’ are never returned.

Returns:user_ref

keystone.identity.backends.resource_options module

keystone.identity.backends.resource_options.register_user_options()

keystone.identity.backends.sql module

class keystone.identity.backends.sql.Identity(conf=None)

Bases: keystone.identity.backends.base.IdentityDriverBase

add_user_to_group(user_id, group_id)

authenticate(user_id, password)

change_password(user_id, new_password)

check_user_in_group(user_id, group_id)

create_group(*args, **kwargs)

create_user(*args, **kwargs)

delete_group(group_id)

delete_user(*args, **kwargs)

get_group(group_id)

get_group_by_name(group_name, domain_id)

get_user(user_id)

get_user_by_name(user_name, domain_id)

is_sql

list_groups(hints, *args, **kwargs)

list_groups_for_user(user_id, hints)

list_users(hints, *args, **kwargs)

list_users_in_group(group_id, hints)

remove_user_from_group(user_id, group_id)

update_group(*args, **kwargs)

update_user(*args, **kwargs)

keystone.identity.backends.sql_model module

class keystone.identity.backends.sql_model.FederatedUser(*args, **kwargs)

Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.ModelDictMixin

attributes = ['id', 'user_id', 'idp_id', 'protocol_id', 'unique_id', 'display_name']

display_name

id

idp_id

protocol_id

unique_id

user_id

class keystone.identity.backends.sql_model.Group(*args, **kwargs)

Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.DictBase

attributes = ['id', 'name', 'domain_id', 'description']

description

domain_id

extra

id

name

class keystone.identity.backends.sql_model.LocalUser(*args, **kwargs)

Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.DictBase

attributes = ['id', 'user_id', 'domain_id', 'name']

domain_id

failed_auth_at

failed_auth_count

id

name

passwords

user_id

class keystone.identity.backends.sql_model.NonLocalUser(*args, **kwargs)

Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.ModelDictMixin

SQL data model for nonlocal users (LDAP and custom).

attributes = ['domain_id', 'name', 'user_id']

domain_id

name

user_id

class keystone.identity.backends.sql_model.Password(*args, **kwargs)

Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.DictBase

attributes = ['id', 'local_user_id', 'password', 'created_at', 'expires_at']

created_at

expires_at

id

local_user_id

password

self_service

class keystone.identity.backends.sql_model.User(*args, **kwargs)

Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.DictBase

attributes = ['id', 'name', 'domain_id', 'password', 'enabled', 'default_project_id', 'password_expires_at']

created_at

default_project_id

domain_id

enabled

extra

federated_users

classmethod from_dict(user_dict)

Override from_dict to remove password_expires_at attribute.

Overriding this method to remove password_expires_at attribute to support update_user and unit tests where password_expires_at inadvertently gets added by calling to_dict followed by from_dict.

Parameters:user_dict – User entity dictionary Returns User:User object

get_resource_option(option_id)

id

last_active_at

local_user

name

nonlocal_user

password

password_created_at

Return when password was created at.

password_expires_at

Return when password expires at.

password_is_expired

Return whether password is expired or not.

password_ref

Return the current password ref.

readonly_attributes = ['id', 'password_expires_at']

resource_options_registry = <keystone.common.resource_options.ResourceOptionRegistry object>

to_dict(include_extra_dict=False)

class keystone.identity.backends.sql_model.UserGroupMembership(*args, **kwargs)

Bases: sqlalchemy.ext.declarative.api.Base, keystone.common.sql.core.DictBase

Group membership join table.

group_id

user_id

class keystone.identity.backends.sql_model.UserOption(option_id, option_value)

Bases: sqlalchemy.ext.declarative.api.Base

option_id

option_value

user_id

Module contents