Workflow logic for the Federation service.
keystone.federation.controllers.
Auth
(*args, **kw)[source]¶Bases: keystone.auth.controllers.Auth
create_ecp_assertion
(request, auth)[source]¶Exchange a scoped token for an ECP assertion.
Parameters: | auth – Dictionary that contains a token and service provider ID |
---|---|
Returns: | ECP Assertion based on properties from the token |
create_saml_assertion
(request, auth)[source]¶Exchange a scoped token for a SAML assertion.
Parameters: | auth – Dictionary that contains a token and service provider ID |
---|---|
Returns: | SAML Assertion based on properties from the token |
keystone.federation.controllers.
DomainV3
[source]¶Bases: keystone.common.controller.V3Controller
collection_name
= 'domains'¶list_domains_for_user
(request, *args, **kwargs)[source]¶List all domains available to an authenticated user.
Parameters: | context – request context |
---|---|
Returns: | list of accessible domains |
member_name
= 'domain'¶keystone.federation.controllers.
FederationProtocol
(*args, **kwargs)[source]¶Bases: keystone.federation.controllers._ControllerBase
A federation protocol representation.
See keystone.common.controller.V3Controller docstring for explanation on _public_parameters class attributes.
collection_name
= 'protocols'¶member_name
= 'protocol'¶keystone.federation.controllers.
IdentityProvider
(*args, **kwargs)[source]¶Bases: keystone.federation.controllers._ControllerBase
Identity Provider representation.
collection_name
= 'identity_providers'¶member_name
= 'identity_provider'¶keystone.federation.controllers.
MappingController
(*args, **kwargs)[source]¶Bases: keystone.federation.controllers._ControllerBase
collection_name
= 'mappings'¶member_name
= 'mapping'¶keystone.federation.controllers.
ProjectAssignmentV3
[source]¶Bases: keystone.common.controller.V3Controller
collection_name
= 'projects'¶list_projects_for_user
(request, *args, **kwargs)[source]¶List all projects available to an authenticated user.
Parameters: | context – request context |
---|---|
Returns: | list of accessible projects |
member_name
= 'project'¶keystone.federation.controllers.
SAMLMetadataV3
(*args, **kwargs)[source]¶Bases: keystone.federation.controllers._ControllerBase
member_name
= 'metadata'¶Main entry point into the Federation service.
keystone.federation.core.
Manager
(*args, **kwargs)[source]¶Bases: keystone.common.manager.Manager
Default pivot point for the Federation backend.
See keystone.common.manager.Manager
for more details on how this
dynamically calls the backend.
driver_namespace
= 'keystone.federation'¶get_enabled_service_providers
(*args, **kwargs)[source]¶List enabled service providers for Service Catalog.
Service Provider in a catalog contains three attributes: id
,
auth_url
, sp_url
, where:
Returns: | list of dictionaries with enabled service providers |
---|---|
Return type: | list of dicts |
keystone.federation.idp.
ECPGenerator
[source]¶Bases: object
A class for generating an ECP assertion.
keystone.federation.idp.
MetadataGenerator
[source]¶Bases: object
A class for generating SAML IdP Metadata.
generate_metadata
()[source]¶Generate Identity Provider Metadata.
Generate and format metadata into XML that can be exposed and consumed by a federated Service Provider.
Returns: | XML <EntityDescriptor> object. |
---|---|
Raises: | keystone.exception.ValidationError – If the required config options aren’t set. |
keystone.federation.idp.
SAMLGenerator
[source]¶Bases: object
A class to generate SAML assertions.
samlize_token
(issuer, recipient, user, user_domain_name, roles, project, project_domain_name, expires_in=None)[source]¶Convert Keystone attributes to a SAML assertion.
Parameters: |
|
---|---|
Returns: | XML <Response> object |
keystone.federation.routers.
Routers
[source]¶Bases: keystone.common.wsgi.RoutersBase
API Endpoints for the Federation extension.
The API looks like:
PUT /OS-FEDERATION/identity_providers/{idp_id}
GET /OS-FEDERATION/identity_providers
HEAD /OS-FEDERATION/identity_providers
GET /OS-FEDERATION/identity_providers/{idp_id}
HEAD /OS-FEDERATION/identity_providers/{idp_id}
DELETE /OS-FEDERATION/identity_providers/{idp_id}
PATCH /OS-FEDERATION/identity_providers/{idp_id}
PUT /OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}
GET /OS-FEDERATION/identity_providers/
{idp_id}/protocols
HEAD /OS-FEDERATION/identity_providers/
{idp_id}/protocols
GET /OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}
HEAD /OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}
PATCH /OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}
DELETE /OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}
PUT /OS-FEDERATION/mappings
GET /OS-FEDERATION/mappings
HEAD /OS-FEDERATION/mappings
PATCH /OS-FEDERATION/mappings/{mapping_id}
GET /OS-FEDERATION/mappings/{mapping_id}
HEAD /OS-FEDERATION/mappings/{mapping_id}
DELETE /OS-FEDERATION/mappings/{mapping_id}
GET /OS-FEDERATION/projects
HEAD /OS-FEDERATION/projects
GET /OS-FEDERATION/domains
HEAD /OS-FEDERATION/domains
PUT /OS-FEDERATION/service_providers/{sp_id}
GET /OS-FEDERATION/service_providers
HEAD /OS-FEDERATION/service_providers
GET /OS-FEDERATION/service_providers/{sp_id}
HEAD /OS-FEDERATION/service_providers/{sp_id}
DELETE /OS-FEDERATION/service_providers/{sp_id}
PATCH /OS-FEDERATION/service_providers/{sp_id}
GET /OS-FEDERATION/identity_providers/{idp_id}/
protocols/{protocol_id}/auth
POST /OS-FEDERATION/identity_providers/{idp_id}/
protocols/{protocol_id}/auth
GET /auth/OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}/websso
?origin=https%3A//horizon.example.com
POST /auth/OS-FEDERATION/identity_providers/
{idp_id}/protocols/{protocol_id}/websso
?origin=https%3A//horizon.example.com
POST /auth/OS-FEDERATION/saml2
POST /auth/OS-FEDERATION/saml2/ecp
GET /OS-FEDERATION/saml2/metadata
HEAD /OS-FEDERATION/saml2/metadata
GET /auth/OS-FEDERATION/websso/{protocol_id}
?origin=https%3A//horizon.example.com
POST /auth/OS-FEDERATION/websso/{protocol_id}
?origin=https%3A//horizon.example.com
Utilities for Federation Extension.
keystone.federation.utils.
DirectMaps
[source]¶Bases: object
An abstraction around the remote matches.
Each match is treated internally as a list.
keystone.federation.utils.
RuleProcessor
(mapping_id, rules)[source]¶Bases: object
A class to process assertions and mapping rules.
process
(assertion_data)[source]¶Transform assertion to a dictionary.
The dictionary contains mapping of user name and group ids based on mapping rules.
This function will iterate through the mapping rules to find assertions that are valid.
Parameters: | assertion_data (dict) – an assertion containing values from an IdP |
---|
Example assertion_data:
{
'Email': 'testacct@example.com',
'UserName': 'testacct',
'FirstName': 'Test',
'LastName': 'Account',
'orgPersonType': 'Tester'
}
Returns: | dictionary with user and group_ids |
---|
The expected return structure is:
{
'name': 'foobar',
'group_ids': ['abc123', 'def456'],
'group_names': [
{
'name': 'group_name_1',
'domain': {
'name': 'domain1'
}
},
{
'name': 'group_name_1_1',
'domain': {
'name': 'domain1'
}
},
{
'name': 'group_name_2',
'domain': {
'id': 'xyz132'
}
}
]
}
keystone.federation.utils.
UserType
[source]¶Bases: object
User mapping type.
EPHEMERAL
= 'ephemeral'¶LOCAL
= 'local'¶keystone.federation.utils.
transform_to_group_ids
(group_names, mapping_id, identity_api, resource_api)[source]¶Transform groups identified by name/domain to their ids.
Function accepts list of groups identified by a name and domain giving a list of group ids in return.
Example of group_names parameter:
[
{
"name": "group_name",
"domain": {
"id": "domain_id"
},
},
{
"name": "group_name_2",
"domain": {
"name": "domain_name"
}
}
]
Parameters: |
|
---|---|
Returns: | generator object with group ids |
Raises: | keystone.exception.MappedGroupNotFound – in case asked group doesn’t exist in the backend. |
keystone.federation.utils.
validate_idp
(idp, protocol, assertion)[source]¶The IdP providing the assertion should be registered for the mapping.
keystone.federation.utils.
validate_mapped_group_ids
(group_ids, mapping_id, identity_api)[source]¶Iterate over group ids and make sure they are present in the backend.
This call is not transactional. :param group_ids: IDs of the groups to be checked :type group_ids: list of str
Parameters: |
|
---|---|
Raises: | keystone.exception.MappedGroupNotFound – If the group returned by mapping was not found in the backend. |
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.