keystoneclient.auth.base.
BaseAuthPlugin
¶Bases: object
The basic structure of an authentication plugin.
get_connection_params
(session, **kwargs)¶Return any additional connection parameters required for the plugin.
Parameters: | session (keystoneclient.session.Session) – The session object that the auth_plugin belongs to. |
---|---|
Returns: | Headers that are set to authenticate a message or None for failure. Note that when checking this value that the empty dict is a valid, non-failure response. |
Return type: | dict |
get_endpoint
(session, **kwargs)¶Return an endpoint for the client.
There are no required keyword arguments to get_endpoint
as a plugin
implementation should use best effort with the information available to
determine the endpoint. However there are certain standard options that
will be generated by the clients and should be used by plugins:
service_type
: what sort of service is required.service_name
: the name of the service in the catalog.interface
: what visibility the endpoint should have.region_name
: the region the endpoint exists in.Parameters: | session (keystoneclient.session.Session) – The session object that the auth_plugin belongs to. |
---|---|
Returns: | The base URL that will be used to talk to the required service or None if not available. |
Return type: | string |
get_headers
(session, **kwargs)¶Fetch authentication headers for message.
This is a more generalized replacement of the older get_token to allow plugins to specify different or additional authentication headers to the OpenStack standard ‘X-Auth-Token’ header.
How the authentication headers are obtained is up to the plugin. If the headers are still valid they may be re-used, retrieved from cache or the plugin may invoke an authentication request against a server.
The default implementation of get_headers calls the get_token method to enable older style plugins to continue functioning unchanged. Subclasses should feel free to completely override this function to provide the headers that they want.
There are no required kwargs. They are passed directly to the auth plugin and they are implementation specific.
Returning None will indicate that no token was able to be retrieved and that authorization was a failure. Adding no authentication data can be achieved by returning an empty dictionary.
Parameters: | session (keystoneclient.session.Session) – The session object that the auth_plugin belongs to. |
---|---|
Returns: | Headers that are set to authenticate a message or None for failure. Note that when checking this value that the empty dict is a valid, non-failure response. |
Return type: | dict |
get_options
()¶Return the list of parameters associated with the auth plugin.
This list may be used to generate CLI or config arguments.
Returns: | A list of Param objects describing available plugin parameters. |
---|---|
Return type: | List |
get_project_id
(session, **kwargs)¶Return the project id that we are authenticated to.
Wherever possible the project id should be inferred from the token however there are certain URLs and other places that require access to the currently authenticated project id.
Parameters: | session (keystoneclient.session.Session) – A session object so the plugin can make HTTP calls. |
---|---|
Returns: | A project identifier or None if one is not available. |
Return type: | str |
get_token
(session, **kwargs)¶Obtain a token.
How the token is obtained is up to the plugin. If it is still valid it may be re-used, retrieved from cache or invoke an authentication request against a server.
There are no required kwargs. They are passed directly to the auth plugin and they are implementation specific.
Returning None will indicate that no token was able to be retrieved.
This function is misplaced as it should only be required for auth plugins that use the ‘X-Auth-Token’ header. However due to the way plugins evolved this method is required and often called to trigger an authentication request on a new plugin.
When implementing a new plugin it is advised that you implement this method, however if you don’t require the ‘X-Auth-Token’ header override the get_headers method instead.
Parameters: | session (keystoneclient.session.Session) – A session object so the plugin can make HTTP calls. |
---|---|
Returns: | A token to use. |
Return type: | string |
get_user_id
(session, **kwargs)¶Return a unique user identifier of the plugin.
Wherever possible the user id should be inferred from the token however there are certain URLs and other places that require access to the currently authenticated user id.
Parameters: | session (keystoneclient.session.Session) – A session object so the plugin can make HTTP calls. |
---|---|
Returns: | A user identifier or None if one is not available. |
Return type: | str |
invalidate
()¶Invalidate the current authentication data.
This should result in fetching a new token on next call.
A plugin may be invalidated if an Unauthorized HTTP response is returned to indicate that the token may have been revoked or is otherwise now invalid.
Returns: | True if there was something that the plugin did to invalidate. This means that it makes sense to try again. If nothing happens returns False to indicate give up. |
---|---|
Return type: | bool |
load_from_argparse_arguments
(namespace, **kwargs)¶Load a specific plugin object from an argparse result.
Convert the results of a parse into the specified plugin.
Parameters: | namespace (argparse.Namespace) – The result from CLI parsing. |
---|---|
Returns: | An auth plugin, or None if a name is not provided. |
Return type: | keystoneclient.auth.BaseAuthPlugin |
load_from_conf_options
(conf, group, **kwargs)¶Load the plugin from a CONF object.
Convert the options already registered into a real plugin.
Parameters: |
|
---|---|
Returns: | An authentication Plugin. |
Return type: |
load_from_options
(**kwargs)¶Create a plugin from the arguments retrieved from get_options.
A client can override this function to do argument validation or to handle differences between the registered options and what is required to create the plugin.
load_from_options_getter
(getter, **kwargs)¶Load a plugin from a getter function returning appropriate values.
To handle cases other than the provided CONF and CLI loading you can specify a custom loader function that will be queried for the option value.
The getter is a function that takes one value, an
oslo_config.cfg.Opt
and returns a value to load with.
Parameters: | getter (callable) – A function that returns a value for the given opt. |
---|---|
Returns: | An authentication Plugin. |
Return type: | keystoneclient.auth.BaseAuthPlugin |
register_argparse_arguments
(parser)¶Register the CLI options provided by a specific plugin.
Given a plugin class convert it’s options into argparse arguments and add them to a parser.
Parameters: | parser (argparse.ArgumentParser) – the parser to attach argparse options. |
---|
register_conf_options
(conf, group)¶Register the oslo_config options that are needed for a plugin.
Parameters: |
|
---|
keystoneclient.auth.base.
get_available_plugin_classes
()¶Retrieve all the plugin classes available on the system.
Returns: | A dict with plugin entrypoint name as the key and the plugin class as the value. |
---|---|
Return type: | dict |
keystoneclient.auth.base.
get_available_plugin_names
()¶Get the names of all the plugins that are available on the system.
This is particularly useful for help and error text to prompt a user for example what plugins they may specify.
Returns: | A list of names. |
---|---|
Return type: | frozenset |
keystoneclient.auth.base.
get_plugin_class
(name)¶Retrieve a plugin class by its entrypoint name.
Parameters: | name (str) – The name of the object to get. |
---|---|
Returns: | An auth plugin class. |
Return type: | keystoneclient.auth.BaseAuthPlugin |
Raises: | keystoneclient.exceptions.NoMatchingPlugin – if a plugin cannot be created. |
keystoneclient.auth.cli.
load_from_argparse_arguments
(namespace, **kwargs)¶Retrieve the created plugin from the completed argparse results.
Loads and creates the auth plugin from the information parsed from the command line by argparse.
Parameters: | namespace (Namespace) – The result from CLI parsing. |
---|---|
Returns: | An auth plugin, or None if a name is not provided. |
Return type: | keystoneclient.auth.BaseAuthPlugin |
Raises: | keystoneclient.exceptions.NoMatchingPlugin – if a plugin cannot be created. |
keystoneclient.auth.cli.
register_argparse_arguments
(parser, argv, default=None)¶Register CLI options needed to create a plugin.
The function inspects the provided arguments so that it can also register the options required for that specific plugin if available.
Parameters: |
|
---|---|
Returns: | The plugin class that will be loaded or None if not provided. |
Return type: | |
Raises: | keystoneclient.exceptions.NoMatchingPlugin – if a plugin cannot be created. |
keystoneclient.auth.conf.
get_common_conf_options
()¶Get the oslo_config options common for all auth plugins.
These may be useful without being registered for config file generation or to manipulate the options before registering them yourself.
auth_plugin: | The name of the plugin to load. |
---|---|
auth_section: | The config file section to load options from. |
Returns: | A list of oslo_config options. |
---|
keystoneclient.auth.conf.
get_plugin_options
(name)¶Get the oslo_config options for a specific plugin.
This will be the list of config options that is registered and loaded by the specified plugin.
Returns: | A list of oslo_config options. |
---|
keystoneclient.auth.conf.
load_from_conf_options
(conf, group, **kwargs)¶Load a plugin from an oslo_config CONF object.
Each plugin will register their own required options and so there is no standard list and the plugin should be consulted.
The base options should have been registered with register_conf_options before this function is called.
Parameters: |
|
---|---|
Returns: | An authentication Plugin or None if a name is not provided |
Return type: | |
Raises: | keystoneclient.exceptions.NoMatchingPlugin – if a plugin cannot be created. |
keystoneclient.auth.conf.
register_conf_options
(conf, group)¶Register the oslo_config options that are needed for a plugin.
This only registers the basic options shared by all plugins. Options that are specific to a plugin are loaded just before they are read.
The defined options are:
- auth_plugin: the name of the auth plugin that will be used for
- authentication.
- auth_section: the group from which further auth plugin options should be
- taken. If section is not provided then the auth plugin options will be taken from the same group as provided in the parameters.
Parameters: |
|
---|
keystoneclient.auth.token_endpoint.
Token
(endpoint, token)¶Bases: keystoneclient.auth.base.BaseAuthPlugin
A provider that will always use the given token and endpoint.
This is really only useful for testing and in certain CLI cases where you have a known endpoint and admin token that you want to use.
get_endpoint
(session, **kwargs)¶Return the supplied endpoint.
Using this plugin the same endpoint is returned regardless of the parameters passed to the plugin.
get_options
()¶get_token
(session)¶keystoneclient.auth.
BaseAuthPlugin
¶Bases: object
The basic structure of an authentication plugin.
get_connection_params
(session, **kwargs)¶Return any additional connection parameters required for the plugin.
Parameters: | session (keystoneclient.session.Session) – The session object that the auth_plugin belongs to. |
---|---|
Returns: | Headers that are set to authenticate a message or None for failure. Note that when checking this value that the empty dict is a valid, non-failure response. |
Return type: | dict |
get_endpoint
(session, **kwargs)¶Return an endpoint for the client.
There are no required keyword arguments to get_endpoint
as a plugin
implementation should use best effort with the information available to
determine the endpoint. However there are certain standard options that
will be generated by the clients and should be used by plugins:
service_type
: what sort of service is required.service_name
: the name of the service in the catalog.interface
: what visibility the endpoint should have.region_name
: the region the endpoint exists in.Parameters: | session (keystoneclient.session.Session) – The session object that the auth_plugin belongs to. |
---|---|
Returns: | The base URL that will be used to talk to the required service or None if not available. |
Return type: | string |
get_headers
(session, **kwargs)¶Fetch authentication headers for message.
This is a more generalized replacement of the older get_token to allow plugins to specify different or additional authentication headers to the OpenStack standard ‘X-Auth-Token’ header.
How the authentication headers are obtained is up to the plugin. If the headers are still valid they may be re-used, retrieved from cache or the plugin may invoke an authentication request against a server.
The default implementation of get_headers calls the get_token method to enable older style plugins to continue functioning unchanged. Subclasses should feel free to completely override this function to provide the headers that they want.
There are no required kwargs. They are passed directly to the auth plugin and they are implementation specific.
Returning None will indicate that no token was able to be retrieved and that authorization was a failure. Adding no authentication data can be achieved by returning an empty dictionary.
Parameters: | session (keystoneclient.session.Session) – The session object that the auth_plugin belongs to. |
---|---|
Returns: | Headers that are set to authenticate a message or None for failure. Note that when checking this value that the empty dict is a valid, non-failure response. |
Return type: | dict |
get_options
()¶Return the list of parameters associated with the auth plugin.
This list may be used to generate CLI or config arguments.
Returns: | A list of Param objects describing available plugin parameters. |
---|---|
Return type: | List |
get_project_id
(session, **kwargs)¶Return the project id that we are authenticated to.
Wherever possible the project id should be inferred from the token however there are certain URLs and other places that require access to the currently authenticated project id.
Parameters: | session (keystoneclient.session.Session) – A session object so the plugin can make HTTP calls. |
---|---|
Returns: | A project identifier or None if one is not available. |
Return type: | str |
get_token
(session, **kwargs)¶Obtain a token.
How the token is obtained is up to the plugin. If it is still valid it may be re-used, retrieved from cache or invoke an authentication request against a server.
There are no required kwargs. They are passed directly to the auth plugin and they are implementation specific.
Returning None will indicate that no token was able to be retrieved.
This function is misplaced as it should only be required for auth plugins that use the ‘X-Auth-Token’ header. However due to the way plugins evolved this method is required and often called to trigger an authentication request on a new plugin.
When implementing a new plugin it is advised that you implement this method, however if you don’t require the ‘X-Auth-Token’ header override the get_headers method instead.
Parameters: | session (keystoneclient.session.Session) – A session object so the plugin can make HTTP calls. |
---|---|
Returns: | A token to use. |
Return type: | string |
get_user_id
(session, **kwargs)¶Return a unique user identifier of the plugin.
Wherever possible the user id should be inferred from the token however there are certain URLs and other places that require access to the currently authenticated user id.
Parameters: | session (keystoneclient.session.Session) – A session object so the plugin can make HTTP calls. |
---|---|
Returns: | A user identifier or None if one is not available. |
Return type: | str |
invalidate
()¶Invalidate the current authentication data.
This should result in fetching a new token on next call.
A plugin may be invalidated if an Unauthorized HTTP response is returned to indicate that the token may have been revoked or is otherwise now invalid.
Returns: | True if there was something that the plugin did to invalidate. This means that it makes sense to try again. If nothing happens returns False to indicate give up. |
---|---|
Return type: | bool |
load_from_argparse_arguments
(namespace, **kwargs)¶Load a specific plugin object from an argparse result.
Convert the results of a parse into the specified plugin.
Parameters: | namespace (argparse.Namespace) – The result from CLI parsing. |
---|---|
Returns: | An auth plugin, or None if a name is not provided. |
Return type: | keystoneclient.auth.BaseAuthPlugin |
load_from_conf_options
(conf, group, **kwargs)¶Load the plugin from a CONF object.
Convert the options already registered into a real plugin.
Parameters: |
|
---|---|
Returns: | An authentication Plugin. |
Return type: |
load_from_options
(**kwargs)¶Create a plugin from the arguments retrieved from get_options.
A client can override this function to do argument validation or to handle differences between the registered options and what is required to create the plugin.
load_from_options_getter
(getter, **kwargs)¶Load a plugin from a getter function returning appropriate values.
To handle cases other than the provided CONF and CLI loading you can specify a custom loader function that will be queried for the option value.
The getter is a function that takes one value, an
oslo_config.cfg.Opt
and returns a value to load with.
Parameters: | getter (callable) – A function that returns a value for the given opt. |
---|---|
Returns: | An authentication Plugin. |
Return type: | keystoneclient.auth.BaseAuthPlugin |
register_argparse_arguments
(parser)¶Register the CLI options provided by a specific plugin.
Given a plugin class convert it’s options into argparse arguments and add them to a parser.
Parameters: | parser (argparse.ArgumentParser) – the parser to attach argparse options. |
---|
register_conf_options
(conf, group)¶Register the oslo_config options that are needed for a plugin.
Parameters: |
|
---|
keystoneclient.auth.
get_available_plugin_names
()¶Get the names of all the plugins that are available on the system.
This is particularly useful for help and error text to prompt a user for example what plugins they may specify.
Returns: | A list of names. |
---|---|
Return type: | frozenset |
keystoneclient.auth.
get_available_plugin_classes
()¶Retrieve all the plugin classes available on the system.
Returns: | A dict with plugin entrypoint name as the key and the plugin class as the value. |
---|---|
Return type: | dict |
keystoneclient.auth.
get_plugin_class
(name)¶Retrieve a plugin class by its entrypoint name.
Parameters: | name (str) – The name of the object to get. |
---|---|
Returns: | An auth plugin class. |
Return type: | keystoneclient.auth.BaseAuthPlugin |
Raises: | keystoneclient.exceptions.NoMatchingPlugin – if a plugin cannot be created. |
keystoneclient.auth.
load_from_argparse_arguments
(namespace, **kwargs)¶Retrieve the created plugin from the completed argparse results.
Loads and creates the auth plugin from the information parsed from the command line by argparse.
Parameters: | namespace (Namespace) – The result from CLI parsing. |
---|---|
Returns: | An auth plugin, or None if a name is not provided. |
Return type: | keystoneclient.auth.BaseAuthPlugin |
Raises: | keystoneclient.exceptions.NoMatchingPlugin – if a plugin cannot be created. |
keystoneclient.auth.
register_argparse_arguments
(parser, argv, default=None)¶Register CLI options needed to create a plugin.
The function inspects the provided arguments so that it can also register the options required for that specific plugin if available.
Parameters: |
|
---|---|
Returns: | The plugin class that will be loaded or None if not provided. |
Return type: | |
Raises: | keystoneclient.exceptions.NoMatchingPlugin – if a plugin cannot be created. |
keystoneclient.auth.
get_common_conf_options
()¶Get the oslo_config options common for all auth plugins.
These may be useful without being registered for config file generation or to manipulate the options before registering them yourself.
auth_plugin: | The name of the plugin to load. |
---|---|
auth_section: | The config file section to load options from. |
Returns: | A list of oslo_config options. |
---|
keystoneclient.auth.
get_plugin_options
(name)¶Get the oslo_config options for a specific plugin.
This will be the list of config options that is registered and loaded by the specified plugin.
Returns: | A list of oslo_config options. |
---|
keystoneclient.auth.
load_from_conf_options
(conf, group, **kwargs)¶Load a plugin from an oslo_config CONF object.
Each plugin will register their own required options and so there is no standard list and the plugin should be consulted.
The base options should have been registered with register_conf_options before this function is called.
Parameters: |
|
---|---|
Returns: | An authentication Plugin or None if a name is not provided |
Return type: | |
Raises: | keystoneclient.exceptions.NoMatchingPlugin – if a plugin cannot be created. |
keystoneclient.auth.
register_conf_options
(conf, group)¶Register the oslo_config options that are needed for a plugin.
This only registers the basic options shared by all plugins. Options that are specific to a plugin are loaded just before they are read.
The defined options are:
- auth_plugin: the name of the auth plugin that will be used for
- authentication.
- auth_section: the group from which further auth plugin options should be
- taken. If section is not provided then the auth plugin options will be taken from the same group as provided in the parameters.
Parameters: |
|
---|
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.