keystone.token.providers package

keystone.token.providers package

Submodules

keystone.token.providers.base module

class keystone.token.providers.base.Provider[source]

Bases: object

Interface description for a Token provider.

get_token_version(token_data)[source]

Return the version of the given token data.

If the given token data is unrecognizable, UnsupportedTokenVersionException is raised.

Parameters:token_data (dict) – token_data
Returns:token version string
Raises:keystone.exception.UnsupportedTokenVersionException – If the token version is not expected.
issue_token(user_id, method_names, expires_at=None, project_id=None, domain_id=None, auth_context=None, trust=None, include_catalog=True, parent_audit_id=None)[source]

Issue a V3 Token.

Parameters:
  • user_id (string) – identity of the user
  • method_names (list) – names of authentication methods
  • expires_at (string) – optional time the token will expire
  • project_id (string) – optional project identity
  • domain_id (string) – optional domain identity
  • auth_context (dict) – optional context from the authorization plugins
  • trust (dict) – optional trust reference
  • include_catalog (boolean) – optional, include the catalog in token data
  • parent_audit_id (string) – optional, the audit id of the parent token
Returns:

(token_id, token_data)

needs_persistence()[source]

Determine if the token should be persisted.

If the token provider requires that the token be persisted to a backend this should return True, otherwise return False.

validate_token(token_ref)[source]

Validate the given V3 token and return the token_data.

Parameters:token_ref (dict) – the token reference
Returns:token data
Raises:keystone.exception.TokenNotFound – If the token doesn’t exist.

keystone.token.providers.common module

class keystone.token.providers.common.BaseProvider(*args, **kwargs)[source]

Bases: keystone.common.provider_api.ProviderAPIMixin, keystone.token.providers.base.Provider

get_token_version(token_data)[source]
issue_token(user_id, method_names, expires_at=None, system=None, project_id=None, domain_id=None, auth_context=None, trust=None, app_cred_id=None, include_catalog=True, parent_audit_id=None)[source]
validate_token(token_id)[source]
class keystone.token.providers.common.V3TokenDataHelper[source]

Bases: keystone.common.provider_api.ProviderAPIMixin, object

Token data helper.

get_token_data(user_id, method_names, system=None, domain_id=None, project_id=None, expires=None, app_cred_id=None, trust=None, token=None, include_catalog=True, bind=None, access_token=None, issued_at=None, audit_info=None)[source]
populate_roles_for_federated_user(token_data, group_ids, project_id=None, domain_id=None, user_id=None, system=None)[source]

Populate roles basing on provided groups and assignments.

Used for federated users with dynamically assigned groups. This method does not return anything, yet it modifies token_data in place.

Parameters:
  • token_data – a dictionary used for building token response
  • group_ids – list of group IDs a user is a member of
  • project_id – project ID to scope to
  • domain_id – domain ID to scope to
  • user_id – user ID
  • system – system scope if applicable
Raises:

keystone.exception.Unauthorized – when no roles were found

keystone.token.providers.common.build_audit_info(parent_audit_id=None)[source]

Build the audit data for a token.

If parent_audit_id is None, the list will be one element in length containing a newly generated audit_id.

If parent_audit_id is supplied, the list will be two elements in length containing a newly generated audit_id and the parent_audit_id. The parent_audit_id will always be element index 1 in the resulting list.

Parameters:parent_audit_id (str) – the audit of the original token in the chain
Returns:Keystone token audit data
keystone.token.providers.common.default_expire_time()[source]

Determine when a fresh token should expire.

Expiration time varies based on configuration (see [token] expiration).

Returns:a naive UTC datetime.datetime object
keystone.token.providers.common.random_urlsafe_str()[source]

Generate a random URL-safe string.

Return type:six.text_type

keystone.token.providers.uuid module

Keystone UUID Token Provider.

class keystone.token.providers.uuid.Provider(*args, **kwargs)[source]

Bases: keystone.token.providers.common.BaseProvider

needs_persistence()[source]

Should the token be written to a backend.

Module contents

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.