keystoneauth1.identity.v3 package

Submodules

keystoneauth1.identity.v3.base module

class keystoneauth1.identity.v3.base.Auth(auth_url, auth_methods, **kwargs)

Bases: keystoneauth1.identity.v3.base.BaseAuth

Identity V3 Authentication Plugin.

Parameters:
  • auth_url (string) – Identity service endpoint for authentication.
  • auth_methods (list) – A collection of methods to authenticate with.
  • trust_id (string) – Trust ID for trust scoping.
  • domain_id (string) – Domain ID for domain scoping.
  • domain_name (string) – Domain name for domain scoping.
  • project_id (string) – Project ID for project scoping.
  • project_name (string) – Project name for project scoping.
  • project_domain_id (string) – Project’s domain ID for project.
  • project_domain_name (string) – Project’s domain name for project.
  • reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True
  • include_catalog (bool) – Include the service catalog in the returned token. (optional) default True.
  • unscoped (bool) – Force the return of an unscoped token. This will make the keystone server return an unscoped token even if a default_project_id is set for this user.
get_auth_ref(session, **kwargs)
get_cache_id_elements()
class keystoneauth1.identity.v3.base.AuthMethod(**kwargs)

Bases: object

One part of a V3 Authentication strategy.

V3 Tokens allow multiple methods to be presented when authentication against the server. Each one of these methods is implemented by an AuthMethod.

Note: When implementing an AuthMethod use the method_parameters and do not use positional arguments. Otherwise they can’t be picked up by the factory method and don’t work as well with AuthConstructors.

get_auth_data(session, auth, headers, **kwargs)

Return the authentication section of an auth plugin.

Parameters:
  • session (keystonauth.session.Session) – The communication session.
  • auth (Auth) – The auth plugin calling the method.
  • headers (dict) – The headers that will be sent with the auth request if a plugin needs to add to them.
Returns:

The identifier of this plugin and a dict of authentication data for the auth type.
Return type:

tuple(string, dict)
get_cache_id_elements()

Get the elements for this auth method that make it unique.

These elements will be used as part of the keystoneauth1.plugin.BaseIdentityPlugin.get_cache_id() to allow caching of the auth plugin.

Plugins should override this if they want to allow caching of their state.

To avoid collision or overrides the keys of the returned dictionary should be prefixed with the plugin identifier. For example the password plugin returns its username value as ‘password_username’.

class keystoneauth1.identity.v3.base.AuthConstructor(auth_url, *args, **kwargs)

Bases: keystoneauth1.identity.v3.base.Auth

Abstract base class for creating an Auth Plugin.

The Auth Plugin created contains only one authentication method. This is generally the required usage.

An AuthConstructor creates an AuthMethod based on the method’s arguments and the auth_method_class defined by the plugin. It then creates the auth plugin with only that authentication method.

class keystoneauth1.identity.v3.base.BaseAuth(auth_url, trust_id=None, domain_id=None, domain_name=None, project_id=None, project_name=None, project_domain_id=None, project_domain_name=None, reauthenticate=True, include_catalog=True)

Bases: keystoneauth1.identity.base.BaseIdentityPlugin

Identity V3 Authentication Plugin.

Parameters:
  • auth_url (string) – Identity service endpoint for authentication.
  • auth_methods (list) – A collection of methods to authenticate with.
  • trust_id (string) – Trust ID for trust scoping.
  • domain_id (string) – Domain ID for domain scoping.
  • domain_name (string) – Domain name for domain scoping.
  • project_id (string) – Project ID for project scoping.
  • project_name (string) – Project name for project scoping.
  • project_domain_id (string) – Project’s domain ID for project.
  • project_domain_name (string) – Project’s domain name for project.
  • reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True
  • include_catalog (bool) – Include the service catalog in the returned token. (optional) default True.
get_auth_ref(session, **kwargs)
has_scope_parameters

Does the plugin have parameters that will create a scoped token

token_url

The full URL where we will send authentication data.

keystoneauth1.identity.v3.federation module

class keystoneauth1.identity.v3.federation.FederationBaseAuth(auth_url, identity_provider, protocol, **kwargs)

Bases: keystoneauth1.identity.v3.federation._Rescoped

federated_token_url

Full URL where authorization data is sent.

keystoneauth1.identity.v3.k2k module

class keystoneauth1.identity.v3.k2k.Keystone2Keystone(base_plugin, service_provider, **kwargs)

Bases: keystoneauth1.identity.v3.federation._Rescoped

Plugin to execute the Keystone to Keyestone authentication flow.

In this plugin, an ECP wrapped SAML assertion provided by a keystone Identity Provider (IdP) is used to request an OpenStack unscoped token from a keystone Service Provider (SP).

Parameters:
  • base_plugin (keystoneauth1.identity.v3.base.BaseAuth) – Auth plugin already authenticated against the keystone IdP.
  • service_provider (str) – The Service Provider ID as returned by ServiceProviderManager.list()
REQUEST_ECP_URL = '/auth/OS-FEDERATION/saml2/ecp'

Path where the ECP wrapped SAML assertion should be presented to the Keystone Service Provider.

get_unscoped_auth_ref(session, **kwargs)

keystoneauth1.identity.v3.oidc module

class keystoneauth1.identity.v3.oidc.OidcAuthorizationCode(auth_url, identity_provider, protocol, client_id, client_secret, access_token_endpoint, grant_type='authorization_code', access_token_type='access_token', redirect_uri=None, code=None)

Bases: keystoneauth1.identity.v3.oidc._OidcBase

Implementation for OpenID Connect Authorization Code

get_unscoped_auth_ref(session)

Authenticate with OpenID Connect and get back claims.

This is a multi-step process. First an access token must be retrieved, to do this, an authorization code and redirect URL must be given.

Secondly, we then exchange the access token upon accessing the protected Keystone endpoint (federated auth URL). This will trigger the OpenID Connect Provider to perform a user introspection and retrieve information (specified in the scope) about the user in the form of an OpenID Connect Claim. These claims will be sent to Keystone in the form of environment variables.

Parameters:session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
Returns:a token data representation
Return type:keystoneauth1.access.AccessInfoV3
class keystoneauth1.identity.v3.oidc.OidcPassword(auth_url, identity_provider, protocol, client_id, client_secret, access_token_endpoint, grant_type='password', access_token_type='access_token', username=None, password=None, scope='profile')

Bases: keystoneauth1.identity.v3.oidc._OidcBase

Implementation for OpenID Connect Resource Owner Password Credential

get_unscoped_auth_ref(session)

Authenticate with OpenID Connect and get back claims.

This is a multi-step process. First an access token must be retrieved, to do this, the username and password, the OpenID Connect client ID and secret, and the access token endpoint must be known.

Secondly, we then exchange the access token upon accessing the protected Keystone endpoint (federated auth URL). This will trigger the OpenID Connect Provider to perform a user introspection and retrieve information (specified in the scope) about the user in the form of an OpenID Connect Claim. These claims will be sent to Keystone in the form of environment variables.

Parameters:session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
Returns:a token data representation
Return type:keystoneauth1.access.AccessInfoV3

keystoneauth1.identity.v3.password module

class keystoneauth1.identity.v3.password.PasswordMethod(**kwargs)

Bases: keystoneauth1.identity.v3.base.AuthMethod

Construct a User/Password based authentication method.

Parameters:
  • password (string) – Password for authentication.
  • username (string) – Username for authentication.
  • user_id (string) – User ID for authentication.
  • user_domain_id (string) – User’s domain ID for authentication.
  • user_domain_name (string) – User’s domain name for authentication.
get_auth_data(session, auth, headers, **kwargs)
get_cache_id_elements()
class keystoneauth1.identity.v3.password.Password(auth_url, *args, **kwargs)

Bases: keystoneauth1.identity.v3.base.AuthConstructor

A plugin for authenticating with a username and password.

Parameters:
  • auth_url (string) – Identity service endpoint for authentication.
  • password (string) – Password for authentication.
  • username (string) – Username for authentication.
  • user_id (string) – User ID for authentication.
  • user_domain_id (string) – User’s domain ID for authentication.
  • user_domain_name (string) – User’s domain name for authentication.
  • trust_id (string) – Trust ID for trust scoping.
  • domain_id (string) – Domain ID for domain scoping.
  • domain_name (string) – Domain name for domain scoping.
  • project_id (string) – Project ID for project scoping.
  • project_name (string) – Project name for project scoping.
  • project_domain_id (string) – Project’s domain ID for project.
  • project_domain_name (string) – Project’s domain name for project.
  • reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True

keystoneauth1.identity.v3.token module

class keystoneauth1.identity.v3.token.TokenMethod(**kwargs)

Bases: keystoneauth1.identity.v3.base.AuthMethod

Construct an Auth plugin to fetch a token from a token.

Parameters:token (string) – Token for authentication.
get_auth_data(session, auth, headers, **kwargs)
get_cache_id_elements()
class keystoneauth1.identity.v3.token.Token(auth_url, token, **kwargs)

Bases: keystoneauth1.identity.v3.base.AuthConstructor

A plugin for authenticating with an existing Token.

Parameters:
  • auth_url (string) – Identity service endpoint for authentication.
  • token (string) – Token for authentication.
  • trust_id (string) – Trust ID for trust scoping.
  • domain_id (string) – Domain ID for domain scoping.
  • domain_name (string) – Domain name for domain scoping.
  • project_id (string) – Project ID for project scoping.
  • project_name (string) – Project name for project scoping.
  • project_domain_id (string) – Project’s domain ID for project.
  • project_domain_name (string) – Project’s domain name for project.
  • reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True

Module contents

class keystoneauth1.identity.v3.Auth(auth_url, auth_methods, **kwargs)

Bases: keystoneauth1.identity.v3.base.BaseAuth

Identity V3 Authentication Plugin.

Parameters:
  • auth_url (string) – Identity service endpoint for authentication.
  • auth_methods (list) – A collection of methods to authenticate with.
  • trust_id (string) – Trust ID for trust scoping.
  • domain_id (string) – Domain ID for domain scoping.
  • domain_name (string) – Domain name for domain scoping.
  • project_id (string) – Project ID for project scoping.
  • project_name (string) – Project name for project scoping.
  • project_domain_id (string) – Project’s domain ID for project.
  • project_domain_name (string) – Project’s domain name for project.
  • reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True
  • include_catalog (bool) – Include the service catalog in the returned token. (optional) default True.
  • unscoped (bool) – Force the return of an unscoped token. This will make the keystone server return an unscoped token even if a default_project_id is set for this user.
get_auth_ref(session, **kwargs)
get_cache_id_elements()
class keystoneauth1.identity.v3.AuthConstructor(auth_url, *args, **kwargs)

Bases: keystoneauth1.identity.v3.base.Auth

Abstract base class for creating an Auth Plugin.

The Auth Plugin created contains only one authentication method. This is generally the required usage.

An AuthConstructor creates an AuthMethod based on the method’s arguments and the auth_method_class defined by the plugin. It then creates the auth plugin with only that authentication method.

class keystoneauth1.identity.v3.AuthMethod(**kwargs)

Bases: object

One part of a V3 Authentication strategy.

V3 Tokens allow multiple methods to be presented when authentication against the server. Each one of these methods is implemented by an AuthMethod.

Note: When implementing an AuthMethod use the method_parameters and do not use positional arguments. Otherwise they can’t be picked up by the factory method and don’t work as well with AuthConstructors.

get_auth_data(session, auth, headers, **kwargs)

Return the authentication section of an auth plugin.

Parameters:
  • session (keystonauth.session.Session) – The communication session.
  • auth (Auth) – The auth plugin calling the method.
  • headers (dict) – The headers that will be sent with the auth request if a plugin needs to add to them.
Returns:

The identifier of this plugin and a dict of authentication data for the auth type.
Return type:

tuple(string, dict)
get_cache_id_elements()

Get the elements for this auth method that make it unique.

These elements will be used as part of the keystoneauth1.plugin.BaseIdentityPlugin.get_cache_id() to allow caching of the auth plugin.

Plugins should override this if they want to allow caching of their state.

To avoid collision or overrides the keys of the returned dictionary should be prefixed with the plugin identifier. For example the password plugin returns its username value as ‘password_username’.

class keystoneauth1.identity.v3.BaseAuth(auth_url, trust_id=None, domain_id=None, domain_name=None, project_id=None, project_name=None, project_domain_id=None, project_domain_name=None, reauthenticate=True, include_catalog=True)

Bases: keystoneauth1.identity.base.BaseIdentityPlugin

Identity V3 Authentication Plugin.

Parameters:
  • auth_url (string) – Identity service endpoint for authentication.
  • auth_methods (list) – A collection of methods to authenticate with.
  • trust_id (string) – Trust ID for trust scoping.
  • domain_id (string) – Domain ID for domain scoping.
  • domain_name (string) – Domain name for domain scoping.
  • project_id (string) – Project ID for project scoping.
  • project_name (string) – Project name for project scoping.
  • project_domain_id (string) – Project’s domain ID for project.
  • project_domain_name (string) – Project’s domain name for project.
  • reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True
  • include_catalog (bool) – Include the service catalog in the returned token. (optional) default True.
get_auth_ref(session, **kwargs)
has_scope_parameters

Does the plugin have parameters that will create a scoped token

token_url

The full URL where we will send authentication data.

class keystoneauth1.identity.v3.FederationBaseAuth(auth_url, identity_provider, protocol, **kwargs)

Bases: keystoneauth1.identity.v3.federation._Rescoped

federated_token_url

Full URL where authorization data is sent.

class keystoneauth1.identity.v3.Keystone2Keystone(base_plugin, service_provider, **kwargs)

Bases: keystoneauth1.identity.v3.federation._Rescoped

Plugin to execute the Keystone to Keyestone authentication flow.

In this plugin, an ECP wrapped SAML assertion provided by a keystone Identity Provider (IdP) is used to request an OpenStack unscoped token from a keystone Service Provider (SP).

Parameters:
  • base_plugin (keystoneauth1.identity.v3.base.BaseAuth) – Auth plugin already authenticated against the keystone IdP.
  • service_provider (str) – The Service Provider ID as returned by ServiceProviderManager.list()
REQUEST_ECP_URL = '/auth/OS-FEDERATION/saml2/ecp'
get_unscoped_auth_ref(session, **kwargs)
class keystoneauth1.identity.v3.Password(auth_url, *args, **kwargs)

Bases: keystoneauth1.identity.v3.base.AuthConstructor

A plugin for authenticating with a username and password.

Parameters:
  • auth_url (string) – Identity service endpoint for authentication.
  • password (string) – Password for authentication.
  • username (string) – Username for authentication.
  • user_id (string) – User ID for authentication.
  • user_domain_id (string) – User’s domain ID for authentication.
  • user_domain_name (string) – User’s domain name for authentication.
  • trust_id (string) – Trust ID for trust scoping.
  • domain_id (string) – Domain ID for domain scoping.
  • domain_name (string) – Domain name for domain scoping.
  • project_id (string) – Project ID for project scoping.
  • project_name (string) – Project name for project scoping.
  • project_domain_id (string) – Project’s domain ID for project.
  • project_domain_name (string) – Project’s domain name for project.
  • reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True
class keystoneauth1.identity.v3.PasswordMethod(**kwargs)

Bases: keystoneauth1.identity.v3.base.AuthMethod

Construct a User/Password based authentication method.

Parameters:
  • password (string) – Password for authentication.
  • username (string) – Username for authentication.
  • user_id (string) – User ID for authentication.
  • user_domain_id (string) – User’s domain ID for authentication.
  • user_domain_name (string) – User’s domain name for authentication.
get_auth_data(session, auth, headers, **kwargs)
get_cache_id_elements()
class keystoneauth1.identity.v3.Token(auth_url, token, **kwargs)

Bases: keystoneauth1.identity.v3.base.AuthConstructor

A plugin for authenticating with an existing Token.

Parameters:
  • auth_url (string) – Identity service endpoint for authentication.
  • token (string) – Token for authentication.
  • trust_id (string) – Trust ID for trust scoping.
  • domain_id (string) – Domain ID for domain scoping.
  • domain_name (string) – Domain name for domain scoping.
  • project_id (string) – Project ID for project scoping.
  • project_name (string) – Project name for project scoping.
  • project_domain_id (string) – Project’s domain ID for project.
  • project_domain_name (string) – Project’s domain name for project.
  • reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True
class keystoneauth1.identity.v3.OidcPassword(auth_url, identity_provider, protocol, client_id, client_secret, access_token_endpoint, grant_type='password', access_token_type='access_token', username=None, password=None, scope='profile')

Bases: keystoneauth1.identity.v3.oidc._OidcBase

Implementation for OpenID Connect Resource Owner Password Credential

get_unscoped_auth_ref(session)

Authenticate with OpenID Connect and get back claims.

This is a multi-step process. First an access token must be retrieved, to do this, the username and password, the OpenID Connect client ID and secret, and the access token endpoint must be known.

Secondly, we then exchange the access token upon accessing the protected Keystone endpoint (federated auth URL). This will trigger the OpenID Connect Provider to perform a user introspection and retrieve information (specified in the scope) about the user in the form of an OpenID Connect Claim. These claims will be sent to Keystone in the form of environment variables.

Parameters:session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
Returns:a token data representation
Return type:keystoneauth1.access.AccessInfoV3

Table Of Contents

Previous topic

keystoneauth1.identity.generic package

Next topic

keystoneauth1.loading package

Project Source

This Page

Navigation

© Copyright OpenStack Contributors. Last updated on 'Tue Jan 3 14:04:59 2017, commit 13054e8'. Created using Sphinx 1.2.3.