keystoneauth1.identity.v3.application_credential.
ApplicationCredentialMethod
(**kwargs)¶Bases: keystoneauth1.identity.v3.base.AuthMethod
Construct a User/Passcode based authentication method.
Parameters: |
|
---|
get_auth_data
(session, auth, headers, **kwargs)¶get_cache_id_elements
()¶keystoneauth1.identity.v3.application_credential.
ApplicationCredential
(auth_url, *args, **kwargs)¶Bases: keystoneauth1.identity.v3.base.AuthConstructor
A plugin for authenticating with an application credential.
Parameters: |
|
---|
keystoneauth1.identity.v3.base.
Auth
(auth_url, auth_methods, **kwargs)¶Bases: keystoneauth1.identity.v3.base.BaseAuth
Identity V3 Authentication Plugin.
Parameters: |
|
---|
get_auth_ref
(session, **kwargs)¶get_cache_id_elements
()¶keystoneauth1.identity.v3.base.
AuthMethod
(**kwargs)¶Bases: object
One part of a V3 Authentication strategy.
V3 Tokens allow multiple methods to be presented when authentication against the server. Each one of these methods is implemented by an AuthMethod.
Note: When implementing an AuthMethod use the method_parameters and do not use positional arguments. Otherwise they can’t be picked up by the factory method and don’t work as well with AuthConstructors.
get_auth_data
(session, auth, headers, **kwargs)¶Return the authentication section of an auth plugin.
Parameters: |
|
---|---|
Returns: | The identifier of this plugin and a dict of authentication data for the auth type. |
Return type: |
get_cache_id_elements
()¶Get the elements for this auth method that make it unique.
These elements will be used as part of the
keystoneauth1.plugin.BaseIdentityPlugin.get_cache_id()
to
allow caching of the auth plugin.
Plugins should override this if they want to allow caching of their state.
To avoid collision or overrides the keys of the returned dictionary should be prefixed with the plugin identifier. For example the password plugin returns its username value as ‘password_username’.
keystoneauth1.identity.v3.base.
AuthConstructor
(auth_url, *args, **kwargs)¶Bases: keystoneauth1.identity.v3.base.Auth
Abstract base class for creating an Auth Plugin.
The Auth Plugin created contains only one authentication method. This is generally the required usage.
An AuthConstructor creates an AuthMethod based on the method’s arguments and the auth_method_class defined by the plugin. It then creates the auth plugin with only that authentication method.
keystoneauth1.identity.v3.base.
BaseAuth
(auth_url, trust_id=None, system_scope=None, domain_id=None, domain_name=None, project_id=None, project_name=None, project_domain_id=None, project_domain_name=None, reauthenticate=True, include_catalog=True)¶Bases: keystoneauth1.identity.base.BaseIdentityPlugin
Identity V3 Authentication Plugin.
Parameters: |
|
---|
get_auth_ref
(session, **kwargs)¶has_scope_parameters
¶Return true if parameters can be used to create a scoped token.
token_url
¶The full URL where we will send authentication data.
keystoneauth1.identity.v3.federation.
FederationBaseAuth
(auth_url, identity_provider, protocol, **kwargs)¶Bases: keystoneauth1.identity.v3.federation._Rescoped
Federation authentication plugin.
Parameters: |
|
---|
federated_token_url
¶Full URL where authorization data is sent.
keystoneauth1.identity.v3.k2k.
Keystone2Keystone
(base_plugin, service_provider, **kwargs)¶Bases: keystoneauth1.identity.v3.federation._Rescoped
Plugin to execute the Keystone to Keyestone authentication flow.
In this plugin, an ECP wrapped SAML assertion provided by a keystone Identity Provider (IdP) is used to request an OpenStack unscoped token from a keystone Service Provider (SP).
Parameters: |
|
---|
HTTP_MOVED_TEMPORARILY
= 302¶HTTP_SEE_OTHER
= 303¶REQUEST_ECP_URL
= '/auth/OS-FEDERATION/saml2/ecp'¶Path where the ECP wrapped SAML assertion should be presented to the Keystone Service Provider.
get_unscoped_auth_ref
(session, **kwargs)¶keystoneauth1.identity.v3.oidc.
OidcAuthorizationCode
(auth_url, identity_provider, protocol, client_id, client_secret, access_token_endpoint=None, discovery_endpoint=None, access_token_type='access_token', redirect_uri=None, code=None, **kwargs)¶Bases: keystoneauth1.identity.v3.oidc._OidcBase
Implementation for OpenID Connect Authorization Code.
get_payload
(session)¶Get an authorization grant for the “authorization_code” grant type.
Parameters: | session (keystoneauth1.session.Session) – a session object to send out HTTP requests. |
---|---|
Returns: | a python dictionary containing the payload to be exchanged |
Return type: | dict |
grant_type
= 'authorization_code'¶keystoneauth1.identity.v3.oidc.
OidcClientCredentials
(auth_url, identity_provider, protocol, client_id, client_secret, access_token_endpoint=None, discovery_endpoint=None, access_token_type='access_token', **kwargs)¶Bases: keystoneauth1.identity.v3.oidc._OidcBase
Implementation for OpenID Connect Client Credentials.
get_payload
(session)¶Get an authorization grant for the client credentials grant type.
Parameters: | session (keystoneauth1.session.Session) – a session object to send out HTTP requests. |
---|---|
Returns: | a python dictionary containing the payload to be exchanged |
Return type: | dict |
grant_type
= 'client_credentials'¶keystoneauth1.identity.v3.oidc.
OidcPassword
(auth_url, identity_provider, protocol, client_id, client_secret, access_token_endpoint=None, discovery_endpoint=None, access_token_type='access_token', username=None, password=None, **kwargs)¶Bases: keystoneauth1.identity.v3.oidc._OidcBase
Implementation for OpenID Connect Resource Owner Password Credential.
get_payload
(session)¶Get an authorization grant for the “password” grant type.
Parameters: | session (keystoneauth1.session.Session) – a session object to send out HTTP requests. |
---|---|
Returns: | a python dictionary containing the payload to be exchanged |
Return type: | dict |
grant_type
= 'password'¶keystoneauth1.identity.v3.oidc.
OidcAccessToken
(auth_url, identity_provider, protocol, access_token, **kwargs)¶Bases: keystoneauth1.identity.v3.oidc._OidcBase
Implementation for OpenID Connect access token reuse.
get_payload
(session)¶OidcAccessToken does not require a payload.
get_unscoped_auth_ref
(session)¶Authenticate with OpenID Connect and get back claims.
We exchange the access token upon accessing the protected Keystone endpoint (federated auth URL). This will trigger the OpenID Connect Provider to perform a user introspection and retrieve information (specified in the scope) about the user in the form of an OpenID Connect Claim. These claims will be sent to Keystone in the form of environment variables.
Parameters: | session (keystoneauth1.session.Session) – a session object to send out HTTP requests. |
---|---|
Returns: | a token data representation |
Return type: | keystoneauth1.access.AccessInfoV3 |
keystoneauth1.identity.v3.password.
PasswordMethod
(**kwargs)¶Bases: keystoneauth1.identity.v3.base.AuthMethod
Construct a User/Password based authentication method.
Parameters: |
---|
get_auth_data
(session, auth, headers, **kwargs)¶get_cache_id_elements
()¶keystoneauth1.identity.v3.password.
Password
(auth_url, *args, **kwargs)¶Bases: keystoneauth1.identity.v3.base.AuthConstructor
A plugin for authenticating with a username and password.
Parameters: |
|
---|
keystoneauth1.identity.v3.token.
TokenMethod
(**kwargs)¶Bases: keystoneauth1.identity.v3.base.AuthMethod
Construct an Auth plugin to fetch a token from a token.
Parameters: | token (string) – Token for authentication. |
---|
get_auth_data
(session, auth, headers, **kwargs)¶get_cache_id_elements
()¶keystoneauth1.identity.v3.token.
Token
(auth_url, token, **kwargs)¶Bases: keystoneauth1.identity.v3.base.AuthConstructor
A plugin for authenticating with an existing Token.
Parameters: |
|
---|
keystoneauth1.identity.v3.tokenless_auth.
TokenlessAuth
(auth_url, domain_id=None, domain_name=None, project_id=None, project_name=None, project_domain_id=None, project_domain_name=None)¶Bases: keystoneauth1.plugin.BaseAuthPlugin
A plugin for authenticating with Tokenless Auth.
This is for Tokenless Authentication. Scoped information like domain name and project ID will be passed in the headers and token validation request will be authenticated based on the provided HTTPS certificate along with the scope information.
get_endpoint
(session, service_type=None, **kwargs)¶Return a valid endpoint for a service.
Parameters: |
|
---|---|
Returns: | A valid endpoint URL or None if not available. |
Return type: |
get_headers
(session, **kwargs)¶Fetch authentication headers for message.
This is to override the default get_headers method to provide tokenless auth scope headers if token is not provided in the session.
Parameters: | session (keystoneauth1.session.Session) – The session object that the auth_plugin belongs to. |
---|---|
Returns: | Headers that are set to authenticate a message or None for failure. Note that when checking this value that the empty dict is a valid, non-failure response. |
Return type: | dict |
keystoneauth1.identity.v3.totp.
TOTPMethod
(**kwargs)¶Bases: keystoneauth1.identity.v3.base.AuthMethod
Construct a User/Passcode based authentication method.
Parameters: |
---|
get_auth_data
(session, auth, headers, **kwargs)¶get_cache_id_elements
()¶keystoneauth1.identity.v3.totp.
TOTP
(auth_url, *args, **kwargs)¶Bases: keystoneauth1.identity.v3.base.AuthConstructor
A plugin for authenticating with a username and TOTP passcode.
Parameters: |
|
---|
keystoneauth1.identity.v3.
ApplicationCredential
(auth_url, *args, **kwargs)¶Bases: keystoneauth1.identity.v3.base.AuthConstructor
A plugin for authenticating with an application credential.
Parameters: |
|
---|
keystoneauth1.identity.v3.
ApplicationCredentialMethod
(**kwargs)¶Bases: keystoneauth1.identity.v3.base.AuthMethod
Construct a User/Passcode based authentication method.
Parameters: |
|
---|
get_auth_data
(session, auth, headers, **kwargs)¶get_cache_id_elements
()¶keystoneauth1.identity.v3.
Auth
(auth_url, auth_methods, **kwargs)¶Bases: keystoneauth1.identity.v3.base.BaseAuth
Identity V3 Authentication Plugin.
Parameters: |
|
---|
get_auth_ref
(session, **kwargs)¶get_cache_id_elements
()¶keystoneauth1.identity.v3.
AuthConstructor
(auth_url, *args, **kwargs)¶Bases: keystoneauth1.identity.v3.base.Auth
Abstract base class for creating an Auth Plugin.
The Auth Plugin created contains only one authentication method. This is generally the required usage.
An AuthConstructor creates an AuthMethod based on the method’s arguments and the auth_method_class defined by the plugin. It then creates the auth plugin with only that authentication method.
keystoneauth1.identity.v3.
AuthMethod
(**kwargs)¶Bases: object
One part of a V3 Authentication strategy.
V3 Tokens allow multiple methods to be presented when authentication against the server. Each one of these methods is implemented by an AuthMethod.
Note: When implementing an AuthMethod use the method_parameters and do not use positional arguments. Otherwise they can’t be picked up by the factory method and don’t work as well with AuthConstructors.
get_auth_data
(session, auth, headers, **kwargs)¶Return the authentication section of an auth plugin.
Parameters: |
|
---|---|
Returns: | The identifier of this plugin and a dict of authentication data for the auth type. |
Return type: |
get_cache_id_elements
()¶Get the elements for this auth method that make it unique.
These elements will be used as part of the
keystoneauth1.plugin.BaseIdentityPlugin.get_cache_id()
to
allow caching of the auth plugin.
Plugins should override this if they want to allow caching of their state.
To avoid collision or overrides the keys of the returned dictionary should be prefixed with the plugin identifier. For example the password plugin returns its username value as ‘password_username’.
keystoneauth1.identity.v3.
BaseAuth
(auth_url, trust_id=None, system_scope=None, domain_id=None, domain_name=None, project_id=None, project_name=None, project_domain_id=None, project_domain_name=None, reauthenticate=True, include_catalog=True)¶Bases: keystoneauth1.identity.base.BaseIdentityPlugin
Identity V3 Authentication Plugin.
Parameters: |
|
---|
get_auth_ref
(session, **kwargs)¶has_scope_parameters
¶Return true if parameters can be used to create a scoped token.
token_url
¶The full URL where we will send authentication data.
keystoneauth1.identity.v3.
FederationBaseAuth
(auth_url, identity_provider, protocol, **kwargs)¶Bases: keystoneauth1.identity.v3.federation._Rescoped
Federation authentication plugin.
Parameters: |
|
---|
federated_token_url
¶Full URL where authorization data is sent.
keystoneauth1.identity.v3.
Keystone2Keystone
(base_plugin, service_provider, **kwargs)¶Bases: keystoneauth1.identity.v3.federation._Rescoped
Plugin to execute the Keystone to Keyestone authentication flow.
In this plugin, an ECP wrapped SAML assertion provided by a keystone Identity Provider (IdP) is used to request an OpenStack unscoped token from a keystone Service Provider (SP).
Parameters: |
|
---|
HTTP_MOVED_TEMPORARILY
= 302¶HTTP_SEE_OTHER
= 303¶REQUEST_ECP_URL
= '/auth/OS-FEDERATION/saml2/ecp'¶get_unscoped_auth_ref
(session, **kwargs)¶keystoneauth1.identity.v3.
Password
(auth_url, *args, **kwargs)¶Bases: keystoneauth1.identity.v3.base.AuthConstructor
A plugin for authenticating with a username and password.
Parameters: |
|
---|
keystoneauth1.identity.v3.
PasswordMethod
(**kwargs)¶Bases: keystoneauth1.identity.v3.base.AuthMethod
Construct a User/Password based authentication method.
Parameters: |
---|
get_auth_data
(session, auth, headers, **kwargs)¶get_cache_id_elements
()¶keystoneauth1.identity.v3.
Token
(auth_url, token, **kwargs)¶Bases: keystoneauth1.identity.v3.base.AuthConstructor
A plugin for authenticating with an existing Token.
Parameters: |
|
---|
keystoneauth1.identity.v3.
TokenMethod
(**kwargs)¶Bases: keystoneauth1.identity.v3.base.AuthMethod
Construct an Auth plugin to fetch a token from a token.
Parameters: | token (string) – Token for authentication. |
---|
get_auth_data
(session, auth, headers, **kwargs)¶get_cache_id_elements
()¶keystoneauth1.identity.v3.
OidcAccessToken
(auth_url, identity_provider, protocol, access_token, **kwargs)¶Bases: keystoneauth1.identity.v3.oidc._OidcBase
Implementation for OpenID Connect access token reuse.
get_payload
(session)¶OidcAccessToken does not require a payload.
get_unscoped_auth_ref
(session)¶Authenticate with OpenID Connect and get back claims.
We exchange the access token upon accessing the protected Keystone endpoint (federated auth URL). This will trigger the OpenID Connect Provider to perform a user introspection and retrieve information (specified in the scope) about the user in the form of an OpenID Connect Claim. These claims will be sent to Keystone in the form of environment variables.
Parameters: | session (keystoneauth1.session.Session) – a session object to send out HTTP requests. |
---|---|
Returns: | a token data representation |
Return type: | keystoneauth1.access.AccessInfoV3 |
keystoneauth1.identity.v3.
OidcAuthorizationCode
(auth_url, identity_provider, protocol, client_id, client_secret, access_token_endpoint=None, discovery_endpoint=None, access_token_type='access_token', redirect_uri=None, code=None, **kwargs)¶Bases: keystoneauth1.identity.v3.oidc._OidcBase
Implementation for OpenID Connect Authorization Code.
get_payload
(session)¶Get an authorization grant for the “authorization_code” grant type.
Parameters: | session (keystoneauth1.session.Session) – a session object to send out HTTP requests. |
---|---|
Returns: | a python dictionary containing the payload to be exchanged |
Return type: | dict |
grant_type
= 'authorization_code'¶keystoneauth1.identity.v3.
OidcClientCredentials
(auth_url, identity_provider, protocol, client_id, client_secret, access_token_endpoint=None, discovery_endpoint=None, access_token_type='access_token', **kwargs)¶Bases: keystoneauth1.identity.v3.oidc._OidcBase
Implementation for OpenID Connect Client Credentials.
get_payload
(session)¶Get an authorization grant for the client credentials grant type.
Parameters: | session (keystoneauth1.session.Session) – a session object to send out HTTP requests. |
---|---|
Returns: | a python dictionary containing the payload to be exchanged |
Return type: | dict |
grant_type
= 'client_credentials'¶keystoneauth1.identity.v3.
OidcPassword
(auth_url, identity_provider, protocol, client_id, client_secret, access_token_endpoint=None, discovery_endpoint=None, access_token_type='access_token', username=None, password=None, **kwargs)¶Bases: keystoneauth1.identity.v3.oidc._OidcBase
Implementation for OpenID Connect Resource Owner Password Credential.
get_payload
(session)¶Get an authorization grant for the “password” grant type.
Parameters: | session (keystoneauth1.session.Session) – a session object to send out HTTP requests. |
---|---|
Returns: | a python dictionary containing the payload to be exchanged |
Return type: | dict |
grant_type
= 'password'¶keystoneauth1.identity.v3.
TOTPMethod
(**kwargs)¶Bases: keystoneauth1.identity.v3.base.AuthMethod
Construct a User/Passcode based authentication method.
Parameters: |
---|
get_auth_data
(session, auth, headers, **kwargs)¶get_cache_id_elements
()¶keystoneauth1.identity.v3.
TOTP
(auth_url, *args, **kwargs)¶Bases: keystoneauth1.identity.v3.base.AuthConstructor
A plugin for authenticating with a username and TOTP passcode.
Parameters: |
|
---|
keystoneauth1.identity.v3.
TokenlessAuth
(auth_url, domain_id=None, domain_name=None, project_id=None, project_name=None, project_domain_id=None, project_domain_name=None)¶Bases: keystoneauth1.plugin.BaseAuthPlugin
A plugin for authenticating with Tokenless Auth.
This is for Tokenless Authentication. Scoped information like domain name and project ID will be passed in the headers and token validation request will be authenticated based on the provided HTTPS certificate along with the scope information.
get_endpoint
(session, service_type=None, **kwargs)¶Return a valid endpoint for a service.
Parameters: |
|
---|---|
Returns: | A valid endpoint URL or None if not available. |
Return type: |
get_headers
(session, **kwargs)¶Fetch authentication headers for message.
This is to override the default get_headers method to provide tokenless auth scope headers if token is not provided in the session.
Parameters: | session (keystoneauth1.session.Session) – The session object that the auth_plugin belongs to. |
---|---|
Returns: | Headers that are set to authenticate a message or None for failure. Note that when checking this value that the empty dict is a valid, non-failure response. |
Return type: | dict |
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.