keystone.token package

Subpackages

• keystone.token.persistence package
  • Subpackages
    • keystone.token.persistence.backends package
      • Submodules
      • keystone.token.persistence.backends.kvs module
      • keystone.token.persistence.backends.sql module
      • Module contents
  • Submodules
  • keystone.token.persistence.core module
  • Module contents
• keystone.token.providers package
  • Subpackages
    • keystone.token.providers.fernet package
      • Submodules
      • keystone.token.providers.fernet.core module
      • keystone.token.providers.fernet.token_formatters module
      • Module contents
  • Submodules
  • keystone.token.providers.base module
  • keystone.token.providers.common module
  • keystone.token.providers.uuid module
  • Module contents

Submodules

keystone.token.controllers module

class keystone.token.controllers.Auth(*args, **kwargs)

Bases: keystone.common.controller.V2Controller

authenticate(*args, **kwargs)

Authenticate credentials and return a token.

Accept auth as a dict that looks like:

{
    "auth":{
        "passwordCredentials":{
            "username":"test_user",
            "password":"mypass"
        },
        "tenantName":"customer-x"
    }
}

In this case, tenant is optional, if not provided the token will be considered “unscoped” and can later be used to get a scoped token.

Alternatively, this call accepts auth with only a token and tenant that will return a token that is scoped to that tenant.

ca_cert(*args, **kwargs)

delete_token(*args, **kwargs)

Delete a token, effectively invalidating it for authz.

endpoints(*args, **kwargs)

Return a list of endpoints available to the token.

classmethod format_endpoint_list(catalog_ref)

Format a list of endpoints according to Identity API v2.

The v2.0 API wants an endpoint list to look like:

{
    'endpoints': [
        {
            'id': $endpoint_id,
            'name': $SERVICE[name],
            'type': $SERVICE,
            'tenantId': $tenant_id,
            'region': $REGION,
        }
    ],
    'endpoints_links': [],
}

revocation_list(*args, **kwargs)

signing_cert(*args, **kwargs)

validate_token(*args, **kwargs)

Check that a token is valid.

Optionally, also ensure that it is owned by a specific tenant.

Returns metadata about the token along any associated roles.

validate_token_head(*args, **kwargs)

Check that a token is valid.

Optionally, also ensure that it is owned by a specific tenant.

Identical to validate_token, except does not return a response.

The code in keystone.common.wsgi.render_response will remove the content body.

class keystone.token.controllers.BaseAuthenticationMethod(*args, **kwargs)

Bases: object

Common utilities/dependencies for all authentication method classes.

exception keystone.token.controllers.ExternalAuthNotApplicable

Bases: exceptions.Exception

External authentication is not applicable.

class keystone.token.controllers.ExternalAuthenticationMethod(*args, **kwargs)

Bases: keystone.token.controllers.BaseAuthenticationMethod

Authenticate using an external authentication method.

authenticate(request, auth)

Try to authenticate an external user via REMOTE_USER variable.

Parameters:

• request – A request object.
• auth – Dictionary representing the authentication request.

Returns:

A tuple containing the user reference, project identifier, token expiration, bind information, and original audit information.

class keystone.token.controllers.LocalAuthenticationMethod(*args, **kwargs)

Bases: keystone.token.controllers.BaseAuthenticationMethod

Authenticate against a local backend using password credentials.

authenticate(request, auth)

Try to authenticate against the identity backend.

Parameters:

• request – A request object.
• auth – Dictionary representing the authentication request.

Returns:

A tuple containing the user reference, project identifier, token expiration, bind information, and original audit information.

class keystone.token.controllers.TokenAuthenticationMethod(*args, **kwargs)

Bases: keystone.token.controllers.BaseAuthenticationMethod

Authenticate using an existing token.

authenticate(request, auth)

Try to authenticate using an already existing token.

Parameters:

• request – A request object.
• auth – Dictionary representing the authentication request.

Returns:

A tuple containing the user reference, project identifier, token expiration, bind information, and original audit information.

class keystone.token.controllers.V2TokenDataHelper(*args, **kwargs)

Bases: object

Create V2 token data.

classmethod format_catalog(catalog_ref)

Munge catalogs from internal to output format.

Internal catalogs look like:

{$REGION: {
    {$SERVICE: {
        $key1: $value1,
        ...
        }
    }
}

The legacy api wants them to look like:

[{'name': $SERVICE[name],
  'type': $SERVICE,
  'endpoints': [{
      'tenantId': $tenant_id,
      ...
      'region': $REGION,
      }],
  'endpoints_links': [],
 }]

v3_to_v2_token(v3_token_data, token_id)

Convert v3 token data into v2.0 token data.

This method expects a dictionary generated from V3TokenDataHelper.get_token_data() and converts it to look like a v2.0 token dictionary.

Parameters:

• v3_token_data – dictionary formatted for v3 tokens
• token_id – ID of the token being converted

Returns:

dictionary formatted for v2 tokens

Raises:

keystone.exception.Unauthorized – If a specific token type is not supported in v2.

keystone.token.controllers.authentication_method_generator(request, auth)

Given an request return a suitable authentication method.

This is simply a generator to handle matching an authentication request with the appropriate authentication method.

Parameters:auth – Dictionary containing authentication information from the request. Returns:An authentication method class object.

keystone.token.provider module

Token provider interface.

class keystone.token.provider.Manager(*args, **kwargs)

Bases: keystone.common.manager.Manager

Default pivot point for the token provider backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

INVALIDATE_PROJECT_TOKEN_PERSISTENCE = 'invalidate_project_tokens'

INVALIDATE_USER_TOKEN_PERSISTENCE = 'invalidate_user_tokens'

V2 = 'v2.0'

V3 = 'v3.0'

VERSIONS = frozenset(['v3.0', 'v2.0'])

check_revocation(*args, **kwargs)

check_revocation_v2(*args, **kwargs)

check_revocation_v3(*args, **kwargs)

driver_namespace = 'keystone.token.provider'

invalidate_individual_token_cache(*args, **kwargs)

issue_token(*args, **kwargs)

list_revoked_tokens(*args, **kwargs)

revoke_token(*args, **kwargs)

validate_token(*args, **kwargs)

keystone.token.routers module

class keystone.token.routers.Router(mapper=None)

Bases: keystone.common.wsgi.ComposableRouter

add_routes(mapper)

Module contents