keystoneauth1.identity.v3 package¶
Submodules¶
- keystoneauth1.identity.v3.application_credential module
- keystoneauth1.identity.v3.base module
- keystoneauth1.identity.v3.federation module
- keystoneauth1.identity.v3.k2k module
- keystoneauth1.identity.v3.multi_factor module
- keystoneauth1.identity.v3.oidc module
- keystoneauth1.identity.v3.password module
- keystoneauth1.identity.v3.receipt module
- keystoneauth1.identity.v3.token module
- keystoneauth1.identity.v3.tokenless_auth module
- keystoneauth1.identity.v3.totp module
Module contents¶
-
class
keystoneauth1.identity.v3.
ApplicationCredential
(auth_url, *args, **kwargs)¶ Bases:
keystoneauth1.identity.v3.base.AuthConstructor
A plugin for authenticating with an application credential.
- Parameters
auth_url (string) – Identity service endpoint for authentication.
application_credential_secret (string) – Application credential secret.
application_credential_id (string) – Application credential ID.
application_credential_name (string) – Application credential name.
username (string) – Username for authentication.
user_id (string) – User ID for authentication.
user_domain_id (string) – User’s domain ID for authentication.
user_domain_name (string) – User’s domain name for authentication.
reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True
-
class
keystoneauth1.identity.v3.
ApplicationCredentialMethod
(**kwargs)¶ Bases:
keystoneauth1.identity.v3.base.AuthMethod
Construct a User/Passcode based authentication method.
- Parameters
application_credential_secret (string) – Application credential secret.
application_credential_id (string) – Application credential id.
application_credential_name (string) – The name of the application credential, if an ID is not provided.
username (string) – Username for authentication, if an application credential ID is not provided.
user_id (string) – User ID for authentication, if an application credential ID is not provided.
user_domain_id (string) – User’s domain ID for authentication, if an application credential ID is not provided.
user_domain_name (string) – User’s domain name for authentication, if an application credential ID is not provided.
-
get_auth_data
(session, auth, headers, **kwargs)¶ Return the authentication section of an auth plugin.
- Parameters
session (keystoneauth1.session.Session) – The communication session.
auth (base.Auth) – The auth plugin calling the method.
headers (dict) – The headers that will be sent with the auth request if a plugin needs to add to them.
- Returns
The identifier of this plugin and a dict of authentication data for the auth type.
- Return type
-
get_cache_id_elements
()¶ Get the elements for this auth method that make it unique.
These elements will be used as part of the
keystoneauth1.plugin.BaseIdentityPlugin.get_cache_id()
to allow caching of the auth plugin.Plugins should override this if they want to allow caching of their state.
To avoid collision or overrides the keys of the returned dictionary should be prefixed with the plugin identifier. For example the password plugin returns its username value as ‘password_username’.
-
class
keystoneauth1.identity.v3.
Auth
(auth_url, auth_methods, **kwargs)¶ Bases:
keystoneauth1.identity.v3.base.BaseAuth
Identity V3 Authentication Plugin.
- Parameters
auth_url (string) – Identity service endpoint for authentication.
auth_methods (list) – A collection of methods to authenticate with.
trust_id (string) – Trust ID for trust scoping.
domain_id (string) – Domain ID for domain scoping.
domain_name (string) – Domain name for domain scoping.
project_id (string) – Project ID for project scoping.
project_name (string) – Project name for project scoping.
project_domain_id (string) – Project’s domain ID for project.
project_domain_name (string) – Project’s domain name for project.
reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True
include_catalog (bool) – Include the service catalog in the returned token. (optional) default True.
unscoped (bool) – Force the return of an unscoped token. This will make the keystone server return an unscoped token even if a default_project_id is set for this user.
-
add_method
(method)¶ Add an additional initialized AuthMethod instance.
-
get_auth_ref
(session, **kwargs)¶ Obtain a token from an OpenStack Identity Service.
This method is overridden by the various token version plugins.
This function should not be called independently and is expected to be invoked via the do_authenticate function.
This function will be invoked if the AcessInfo object cached by the plugin is not valid. Thus plugins should always fetch a new AccessInfo when invoked. If you are looking to just retrieve the current auth data then you should use get_access.
- Parameters
session (keystoneauth1.session.Session) – A session object that can be used for communication.
- Raises
keystoneauth1.exceptions.response.InvalidResponse – The response returned wasn’t appropriate.
keystoneauth1.exceptions.http.HttpError – An error from an invalid HTTP response.
- Returns
Token access information.
- Return type
-
get_cache_id_elements
()¶ Get the elements for this auth plugin that make it unique.
As part of the get_cache_id requirement we need to determine what aspects of this plugin and its values that make up the unique elements.
This should be overridden by plugins that wish to allow caching.
- Returns
The unique attributes and values of this plugin.
- Return type
A flat dict with a str key and str or None value. This is required as we feed these values into a hash. Pairs where the value is None are ignored in the hashed id.
-
class
keystoneauth1.identity.v3.
AuthConstructor
(auth_url, *args, **kwargs)¶ Bases:
keystoneauth1.identity.v3.base.Auth
Abstract base class for creating an Auth Plugin.
The Auth Plugin created contains only one authentication method. This is generally the required usage.
An AuthConstructor creates an AuthMethod based on the method’s arguments and the auth_method_class defined by the plugin. It then creates the auth plugin with only that authentication method.
-
class
keystoneauth1.identity.v3.
AuthMethod
(**kwargs)¶ Bases:
object
One part of a V3 Authentication strategy.
V3 Tokens allow multiple methods to be presented when authentication against the server. Each one of these methods is implemented by an AuthMethod.
Note: When implementing an AuthMethod use the method_parameters and do not use positional arguments. Otherwise they can’t be picked up by the factory method and don’t work as well with AuthConstructors.
-
abstract
get_auth_data
(session, auth, headers, **kwargs)¶ Return the authentication section of an auth plugin.
- Parameters
session (keystoneauth1.session.Session) – The communication session.
auth (base.Auth) – The auth plugin calling the method.
headers (dict) – The headers that will be sent with the auth request if a plugin needs to add to them.
- Returns
The identifier of this plugin and a dict of authentication data for the auth type.
- Return type
-
get_cache_id_elements
()¶ Get the elements for this auth method that make it unique.
These elements will be used as part of the
keystoneauth1.plugin.BaseIdentityPlugin.get_cache_id()
to allow caching of the auth plugin.Plugins should override this if they want to allow caching of their state.
To avoid collision or overrides the keys of the returned dictionary should be prefixed with the plugin identifier. For example the password plugin returns its username value as ‘password_username’.
-
abstract
-
class
keystoneauth1.identity.v3.
BaseAuth
(auth_url, trust_id=None, system_scope=None, domain_id=None, domain_name=None, project_id=None, project_name=None, project_domain_id=None, project_domain_name=None, reauthenticate=True, include_catalog=True)¶ Bases:
keystoneauth1.identity.base.BaseIdentityPlugin
Identity V3 Authentication Plugin.
- Parameters
auth_url (string) – Identity service endpoint for authentication.
trust_id (string) – Trust ID for trust scoping.
system_scope (string) – System information to scope to.
domain_id (string) – Domain ID for domain scoping.
domain_name (string) – Domain name for domain scoping.
project_id (string) – Project ID for project scoping.
project_name (string) – Project name for project scoping.
project_domain_id (string) – Project’s domain ID for project.
project_domain_name (string) – Project’s domain name for project.
reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True
include_catalog (bool) – Include the service catalog in the returned token. (optional) default True.
-
abstract
get_auth_ref
(session, **kwargs)¶ Obtain a token from an OpenStack Identity Service.
This method is overridden by the various token version plugins.
This function should not be called independently and is expected to be invoked via the do_authenticate function.
This function will be invoked if the AcessInfo object cached by the plugin is not valid. Thus plugins should always fetch a new AccessInfo when invoked. If you are looking to just retrieve the current auth data then you should use get_access.
- Parameters
session (keystoneauth1.session.Session) – A session object that can be used for communication.
- Raises
keystoneauth1.exceptions.response.InvalidResponse – The response returned wasn’t appropriate.
keystoneauth1.exceptions.http.HttpError – An error from an invalid HTTP response.
- Returns
Token access information.
- Return type
-
property
has_scope_parameters
¶ Return true if parameters can be used to create a scoped token.
-
property
token_url
¶ The full URL where we will send authentication data.
-
class
keystoneauth1.identity.v3.
FederationBaseAuth
(auth_url, identity_provider, protocol, **kwargs)¶ Bases:
keystoneauth1.identity.v3.federation._Rescoped
Federation authentication plugin.
- Parameters
auth_url (string) – URL of the Identity Service
identity_provider (string) – name of the Identity Provider the client will authenticate against. This parameter will be used to build a dynamic URL used to obtain unscoped OpenStack token.
protocol (string) – name of the protocol the client will authenticate against.
-
property
federated_token_url
¶ Full URL where authorization data is sent.
-
class
keystoneauth1.identity.v3.
Keystone2Keystone
(base_plugin, service_provider, **kwargs)¶ Bases:
keystoneauth1.identity.v3.federation._Rescoped
Plugin to execute the Keystone to Keyestone authentication flow.
In this plugin, an ECP wrapped SAML assertion provided by a keystone Identity Provider (IdP) is used to request an OpenStack unscoped token from a keystone Service Provider (SP).
- Parameters
base_plugin (keystoneauth1.identity.v3.base.BaseAuth) – Auth plugin already authenticated against the keystone IdP.
service_provider (str) – The Service Provider ID as returned by ServiceProviderManager.list()
-
HTTP_MOVED_TEMPORARILY
= 302¶
-
HTTP_SEE_OTHER
= 303¶
-
REQUEST_ECP_URL
= '/auth/OS-FEDERATION/saml2/ecp'¶ Path where the ECP wrapped SAML assertion should be presented to the Keystone Service Provider.
-
get_unscoped_auth_ref
(session, **kwargs)¶ Fetch unscoped federated token.
-
class
keystoneauth1.identity.v3.
Password
(auth_url, *args, **kwargs)¶ Bases:
keystoneauth1.identity.v3.base.AuthConstructor
A plugin for authenticating with a username and password.
- Parameters
auth_url (string) – Identity service endpoint for authentication.
password (string) – Password for authentication.
username (string) – Username for authentication.
user_id (string) – User ID for authentication.
user_domain_id (string) – User’s domain ID for authentication.
user_domain_name (string) – User’s domain name for authentication.
trust_id (string) – Trust ID for trust scoping.
system_scope (string) – System information to scope to.
domain_id (string) – Domain ID for domain scoping.
domain_name (string) – Domain name for domain scoping.
project_id (string) – Project ID for project scoping.
project_name (string) – Project name for project scoping.
project_domain_id (string) – Project’s domain ID for project.
project_domain_name (string) – Project’s domain name for project.
reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True
-
class
keystoneauth1.identity.v3.
PasswordMethod
(**kwargs)¶ Bases:
keystoneauth1.identity.v3.base.AuthMethod
Construct a User/Password based authentication method.
- Parameters
password (string) – Password for authentication.
username (string) – Username for authentication.
user_id (string) – User ID for authentication.
user_domain_id (string) – User’s domain ID for authentication.
user_domain_name (string) – User’s domain name for authentication.
-
get_auth_data
(session, auth, headers, **kwargs)¶ Return the authentication section of an auth plugin.
- Parameters
session (keystoneauth1.session.Session) – The communication session.
auth (base.Auth) – The auth plugin calling the method.
headers (dict) – The headers that will be sent with the auth request if a plugin needs to add to them.
- Returns
The identifier of this plugin and a dict of authentication data for the auth type.
- Return type
-
get_cache_id_elements
()¶ Get the elements for this auth method that make it unique.
These elements will be used as part of the
keystoneauth1.plugin.BaseIdentityPlugin.get_cache_id()
to allow caching of the auth plugin.Plugins should override this if they want to allow caching of their state.
To avoid collision or overrides the keys of the returned dictionary should be prefixed with the plugin identifier. For example the password plugin returns its username value as ‘password_username’.
-
class
keystoneauth1.identity.v3.
Token
(auth_url, token, **kwargs)¶ Bases:
keystoneauth1.identity.v3.base.AuthConstructor
A plugin for authenticating with an existing Token.
- Parameters
auth_url (string) – Identity service endpoint for authentication.
token (string) – Token for authentication.
trust_id (string) – Trust ID for trust scoping.
domain_id (string) – Domain ID for domain scoping.
domain_name (string) – Domain name for domain scoping.
project_id (string) – Project ID for project scoping.
project_name (string) – Project name for project scoping.
project_domain_id (string) – Project’s domain ID for project.
project_domain_name (string) – Project’s domain name for project.
reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True
-
class
keystoneauth1.identity.v3.
TokenMethod
(**kwargs)¶ Bases:
keystoneauth1.identity.v3.base.AuthMethod
Construct an Auth plugin to fetch a token from a token.
- Parameters
token (string) – Token for authentication.
-
get_auth_data
(session, auth, headers, **kwargs)¶ Return the authentication section of an auth plugin.
- Parameters
session (keystoneauth1.session.Session) – The communication session.
auth (base.Auth) – The auth plugin calling the method.
headers (dict) – The headers that will be sent with the auth request if a plugin needs to add to them.
- Returns
The identifier of this plugin and a dict of authentication data for the auth type.
- Return type
-
get_cache_id_elements
()¶ Get the elements for this auth method that make it unique.
These elements will be used as part of the
keystoneauth1.plugin.BaseIdentityPlugin.get_cache_id()
to allow caching of the auth plugin.Plugins should override this if they want to allow caching of their state.
To avoid collision or overrides the keys of the returned dictionary should be prefixed with the plugin identifier. For example the password plugin returns its username value as ‘password_username’.
-
class
keystoneauth1.identity.v3.
OidcAccessToken
(auth_url, identity_provider, protocol, access_token, **kwargs)¶ Bases:
keystoneauth1.identity.v3.oidc._OidcBase
Implementation for OpenID Connect access token reuse.
-
get_payload
(session)¶ OidcAccessToken does not require a payload.
-
get_unscoped_auth_ref
(session)¶ Authenticate with OpenID Connect and get back claims.
We exchange the access token upon accessing the protected Keystone endpoint (federated auth URL). This will trigger the OpenID Connect Provider to perform a user introspection and retrieve information (specified in the scope) about the user in the form of an OpenID Connect Claim. These claims will be sent to Keystone in the form of environment variables.
- Parameters
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
- Returns
a token data representation
- Return type
-
-
class
keystoneauth1.identity.v3.
OidcAuthorizationCode
(auth_url, identity_provider, protocol, client_id, client_secret, access_token_endpoint=None, discovery_endpoint=None, access_token_type='access_token', redirect_uri=None, code=None, **kwargs)¶ Bases:
keystoneauth1.identity.v3.oidc._OidcBase
Implementation for OpenID Connect Authorization Code.
-
get_payload
(session)¶ Get an authorization grant for the “authorization_code” grant type.
- Parameters
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
- Returns
a python dictionary containing the payload to be exchanged
- Return type
-
grant_type
= 'authorization_code'¶
-
-
class
keystoneauth1.identity.v3.
OidcClientCredentials
(auth_url, identity_provider, protocol, client_id, client_secret, access_token_endpoint=None, discovery_endpoint=None, access_token_type='access_token', **kwargs)¶ Bases:
keystoneauth1.identity.v3.oidc._OidcBase
Implementation for OpenID Connect Client Credentials.
-
get_payload
(session)¶ Get an authorization grant for the client credentials grant type.
- Parameters
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
- Returns
a python dictionary containing the payload to be exchanged
- Return type
-
grant_type
= 'client_credentials'¶
-
-
class
keystoneauth1.identity.v3.
OidcPassword
(auth_url, identity_provider, protocol, client_id, client_secret, access_token_endpoint=None, discovery_endpoint=None, access_token_type='access_token', username=None, password=None, **kwargs)¶ Bases:
keystoneauth1.identity.v3.oidc._OidcBase
Implementation for OpenID Connect Resource Owner Password Credential.
-
get_payload
(session)¶ Get an authorization grant for the “password” grant type.
- Parameters
session (keystoneauth1.session.Session) – a session object to send out HTTP requests.
- Returns
a python dictionary containing the payload to be exchanged
- Return type
-
grant_type
= 'password'¶
-
-
class
keystoneauth1.identity.v3.
TOTPMethod
(**kwargs)¶ Bases:
keystoneauth1.identity.v3.base.AuthMethod
Construct a User/Passcode based authentication method.
- Parameters
passcode (string) – TOTP passcode for authentication.
username (string) – Username for authentication.
user_id (string) – User ID for authentication.
user_domain_id (string) – User’s domain ID for authentication.
user_domain_name (string) – User’s domain name for authentication.
-
get_auth_data
(session, auth, headers, **kwargs)¶ Return the authentication section of an auth plugin.
- Parameters
session (keystoneauth1.session.Session) – The communication session.
auth (base.Auth) – The auth plugin calling the method.
headers (dict) – The headers that will be sent with the auth request if a plugin needs to add to them.
- Returns
The identifier of this plugin and a dict of authentication data for the auth type.
- Return type
-
get_cache_id_elements
()¶ Get the elements for this auth method that make it unique.
These elements will be used as part of the
keystoneauth1.plugin.BaseIdentityPlugin.get_cache_id()
to allow caching of the auth plugin.Plugins should override this if they want to allow caching of their state.
To avoid collision or overrides the keys of the returned dictionary should be prefixed with the plugin identifier. For example the password plugin returns its username value as ‘password_username’.
-
class
keystoneauth1.identity.v3.
TOTP
(auth_url, *args, **kwargs)¶ Bases:
keystoneauth1.identity.v3.base.AuthConstructor
A plugin for authenticating with a username and TOTP passcode.
- Parameters
auth_url (string) – Identity service endpoint for authentication.
passcode (string) – TOTP passcode for authentication.
username (string) – Username for authentication.
user_id (string) – User ID for authentication.
user_domain_id (string) – User’s domain ID for authentication.
user_domain_name (string) – User’s domain name for authentication.
trust_id (string) – Trust ID for trust scoping.
domain_id (string) – Domain ID for domain scoping.
domain_name (string) – Domain name for domain scoping.
project_id (string) – Project ID for project scoping.
project_name (string) – Project name for project scoping.
project_domain_id (string) – Project’s domain ID for project.
project_domain_name (string) – Project’s domain name for project.
reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True
-
class
keystoneauth1.identity.v3.
TokenlessAuth
(auth_url, domain_id=None, domain_name=None, project_id=None, project_name=None, project_domain_id=None, project_domain_name=None)¶ Bases:
keystoneauth1.plugin.BaseAuthPlugin
A plugin for authenticating with Tokenless Auth.
This is for Tokenless Authentication. Scoped information like domain name and project ID will be passed in the headers and token validation request will be authenticated based on the provided HTTPS certificate along with the scope information.
-
get_endpoint
(session, service_type=None, **kwargs)¶ Return a valid endpoint for a service.
- Parameters
session (keystoneauth1.session.Session) – A session object that can be used for communication.
service_type (string) – The type of service to lookup the endpoint for. This plugin will return None (failure) if service_type is not provided.
- Returns
A valid endpoint URL or None if not available.
- Return type
string or None
-
get_headers
(session, **kwargs)¶ Fetch authentication headers for message.
This is to override the default get_headers method to provide tokenless auth scope headers if token is not provided in the session.
- Parameters
session (keystoneauth1.session.Session) – The session object that the auth_plugin belongs to.
- Returns
Headers that are set to authenticate a message or None for failure. Note that when checking this value that the empty dict is a valid, non-failure response.
- Return type
-
-
class
keystoneauth1.identity.v3.
ReceiptMethod
(**kwargs)¶ Bases:
keystoneauth1.identity.v3.base.AuthMethod
Construct an Auth plugin to continue authentication with a receipt.
- Parameters
receipt (string) – Receipt for authentication.
-
get_auth_data
(session, auth, headers, **kwargs)¶ Add the auth receipt to the headers.
We explicitly return None to avoid being added to the request methods, or body.
-
get_cache_id_elements
()¶ Get the elements for this auth method that make it unique.
These elements will be used as part of the
keystoneauth1.plugin.BaseIdentityPlugin.get_cache_id()
to allow caching of the auth plugin.Plugins should override this if they want to allow caching of their state.
To avoid collision or overrides the keys of the returned dictionary should be prefixed with the plugin identifier. For example the password plugin returns its username value as ‘password_username’.
-
class
keystoneauth1.identity.v3.
MultiFactor
(auth_url, auth_methods, **kwargs)¶ Bases:
keystoneauth1.identity.v3.base.Auth
A plugin for authenticating with multiple auth methods.
- Parameters
auth_url (string) – Identity service endpoint for authentication.
auth_methods (string) – names of the methods to authenticate with.
trust_id (string) – Trust ID for trust scoping.
system_scope (string) – System information to scope to.
domain_id (string) – Domain ID for domain scoping.
domain_name (string) – Domain name for domain scoping.
project_id (string) – Project ID for project scoping.
project_name (string) – Project name for project scoping.
project_domain_id (string) – Project’s domain ID for project.
project_domain_name (string) – Project’s domain name for project.
reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True
Also accepts various keyword args based on which methods are specified.