keystoneclient.v3 package

Submodules

keystoneclient.v3.auth module

class keystoneclient.v3.auth.AuthManager(client)

Bases: keystoneclient.base.Manager

Retrieve auth context specific information.

The information returned by the auth routes is entirely dependant on the authentication information provided by the user.

domains()

List Domains that the specified token can be rescoped to.

Returns:a list of domains.
Return type:list of keystoneclient.v3.domains.Domain.
projects()

List projects that the specified token can be rescoped to.

Returns:a list of projects.
Return type:list of keystoneclient.v3.projects.Project

keystoneclient.v3.client module

class keystoneclient.v3.client.Client(**kwargs)

Bases: keystoneclient.httpclient.HTTPClient

Client for the OpenStack Identity API v3.

Parameters:
  • session (keystoneauth1.session.Session) – Session for requests. (optional)
  • user_id (string) – User ID for authentication. (optional)
  • username (string) – Username for authentication. (optional)
  • user_domain_id (string) – User’s domain ID for authentication. (optional)
  • user_domain_name (string) – User’s domain name for authentication. (optional)
  • password (string) – Password for authentication. (optional)
  • token (string) – Token for authentication. (optional)
  • domain_id (string) – Domain ID for domain scoping. (optional)
  • domain_name (string) – Domain name for domain scoping. (optional)
  • project_id (string) – Project ID for project scoping. (optional)
  • project_name (string) – Project name for project scoping. (optional)
  • project_domain_id (string) – Project’s domain ID for project scoping. (optional)
  • project_domain_name (string) – Project’s domain name for project scoping. (optional)
  • tenant_name (string) – Tenant name. (optional) The tenant_name keyword argument is deprecated as of the 1.7.0 release in favor of project_name and may be removed in the 2.0.0 release.
  • tenant_id (string) – Tenant id. (optional) The tenant_id keyword argument is deprecated as of the 1.7.0 release in favor of project_id and may be removed in the 2.0.0 release.
  • auth_url (string) – Identity service endpoint for authorization.
  • region_name (string) – Name of a region to select when choosing an endpoint from the service catalog.
  • endpoint (string) – A user-supplied endpoint URL for the identity service. Lazy-authentication is possible for API service calls if endpoint is set at instantiation. (optional)
  • timeout (integer) – Allows customization of the timeout for client http requests. (optional)

Warning

Constructing an instance of this class without a session is deprecated as of the 1.7.0 release and will be removed in the 2.0.0 release.

Example:

>>> from keystoneauth1.identity import v3
>>> from keystoneauth1 import session
>>> from keystoneclient.v3 import client
>>> auth = v3.Password(user_domain_name=DOMAIN_NAME,
...                    username=USER,
...                    password=PASS,
...                    project_domain_name=PROJECT_DOMAIN_NAME,
...                    project_name=PROJECT_NAME,
...                    auth_url=KEYSTONE_URL)
>>> sess = session.Session(auth=auth)
>>> keystone = client.Client(session=sess)
>>> keystone.projects.list()
...
>>> user = keystone.users.get(USER_ID)
>>> user.delete()

Instances of this class have the following managers:

credentials

keystoneclient.v3.credentials.CredentialManager

ec2

keystoneclient.v3.ec2.EC2Manager

endpoint_filter

keystoneclient.v3.contrib.endpoint_filter.EndpointFilterManager

endpoint_policy

keystoneclient.v3.contrib.endpoint_policy.EndpointPolicyManager

endpoints

keystoneclient.v3.endpoints.EndpointManager

domains

keystoneclient.v3.domains.DomainManager

federation

keystoneclient.v3.contrib.federation.core.FederationManager

groups

keystoneclient.v3.groups.GroupManager

oauth1

keystoneclient.v3.contrib.oauth1.core.OAuthManager

policies

keystoneclient.v3.policies.PolicyManager

regions

keystoneclient.v3.regions.RegionManager

role_assignments

keystoneclient.v3.role_assignments.RoleAssignmentManager

roles

keystoneclient.v3.roles.RoleManager

simple_cert

keystoneclient.v3.contrib.simple_cert.SimpleCertManager

services

keystoneclient.v3.services.ServiceManager

tokens

keystoneclient.v3.tokens.TokenManager

trusts

keystoneclient.v3.contrib.trusts.TrustManager

users

keystoneclient.v3.users.UserManager

get_raw_token_from_identity_service(auth_url, user_id=None, username=None, user_domain_id=None, user_domain_name=None, password=None, domain_id=None, domain_name=None, project_id=None, project_name=None, project_domain_id=None, project_domain_name=None, token=None, trust_id=None, **kwargs)

Authenticate against the v3 Identity API.

If password and token methods are both provided then both methods will be used in the request.

Returns:

access.AccessInfo if authentication was successful.
Return type:

keystoneclient.access.AccessInfoV3
Raises:
process_token(**kwargs)

Extract and process information from the new auth_ref.

And set the relevant authentication information.

serialize(entity)
version = 'v3'

keystoneclient.v3.credentials module

class keystoneclient.v3.credentials.Credential(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity credential.

Attributes:
  • id: a uuid that identifies the credential
  • user_id: user ID to which credential belongs
  • type: the type of credential
  • blob: the text that represents the credential
  • project_id: project ID which limits the scope of the credential
class keystoneclient.v3.credentials.CredentialManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity credentials.

collection_key = 'credentials'
create(user, type, blob, project=None, **kwargs)

Create a credential.

Parameters:
  • user (str or keystoneclient.v3.users.User) – the user to which the credential belongs
  • type (str) – the type of the credential, valid values are: ec2, cert or totp
  • blob (str) – the arbitrary blob of the credential data, to be parsed according to the type
  • project (str or keystoneclient.v3.projects.Project) – the project which limits the scope of the credential, this attribbute is mandatory if the credential type is ec2
  • kwargs – any other attribute provided will be passed to the server
Returns:

the created credential
Return type:

keystoneclient.v3.credentials.Credential
delete(credential)

Delete a credential.

Parameters:credential (str or keystoneclient.v3.credentials.Credential) – the credential to be deleted
Returns:response object with 204 status
Return type:requests.models.Response
get(credential)

Retrieve a credential.

Parameters:credential (str or keystoneclient.v3.credentials.Credential) – the credential to be retrieved from the server
Returns:the specified credential
Return type:keystoneclient.v3.credentials.Credential
key = 'credential'
list(**kwargs)

List credentials.

Parameters:kwargs – If user_id or type is specified then credentials will be filtered accordingly.
Returns:a list of credentials
Return type:list of keystoneclient.v3.credentials.Credential
resource_class

alias of Credential

update(credential, user, type=None, blob=None, project=None, **kwargs)

Update a credential.

Parameters:
  • credential (str or keystoneclient.v3.credentials.Credential) – the credential to be updated on the server
  • user (str or keystoneclient.v3.users.User) – the new user to which the credential belongs
  • type (str) – the new type of the credential, valid values are: ec2, cert or totp
  • blob (str) – the new blob of the credential data and may be removed in the future release.
  • project (str or keystoneclient.v3.projects.Project) – the new project which limits the scope of the credential, this attribute is mandatory if the credential type is ec2
  • kwargs – any other attribute provided will be passed to the server
Returns:

the updated credential
Return type:

keystoneclient.v3.credentials.Credential

keystoneclient.v3.domains module

class keystoneclient.v3.domains.Domain(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity domain.

Attributes:
  • id: a uuid that identifies the domain
  • name: the name of the domain
  • description: a description of the domain
  • enabled: determines whether the domain is enabled
class keystoneclient.v3.domains.DomainManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity domains.

collection_key = 'domains'
create(name, description=None, enabled=True, **kwargs)

Create a domain.

Parameters:
  • name (str) – the name of the domain.
  • description (str) – a description of the domain.
  • enabled (bool) – whether the domain is enabled.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the created domain returned from server.
Return type:

keystoneclient.v3.domains.Domain
delete(domain)

“Delete a domain.

Parameters:domain (str or keystoneclient.v3.domains.Domain) – the domain to be deleted on the server.
Returns:Response object with 204 status.
Return type:requests.models.Response
get(domain)

Retrieve a domain.

Parameters:domain (str or keystoneclient.v3.domains.Domain) – the domain to be retrieved from the server.
Returns:the specified domain returned from server.
Return type:keystoneclient.v3.domains.Domain
key = 'domain'
list(**kwargs)

List domains.

Parameters:kwargs – allows filter criteria to be passed where supported by the server.
Returns:a list of domains.
Return type:list of keystoneclient.v3.domains.Domain.
resource_class

alias of Domain

update(domain, name=None, description=None, enabled=None, **kwargs)

Update a domain.

Parameters:
  • domain (str or keystoneclient.v3.domains.Domain) – the domain to be updated on the server.
  • name (str) – the new name of the domain.
  • description (str) – the new description of the domain.
  • enabled (bool) – whether the domain is enabled.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the updated domain returned from server.
Return type:

keystoneclient.v3.domains.Domain

keystoneclient.v3.ec2 module

class keystoneclient.v3.ec2.EC2(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an EC2 resource.

Attributes:
  • id: a string that identifies the EC2 resource.
  • user_id: the ID field of a pre-existing user in the backend.
  • project_id: the ID field of a pre-existing project in the backend.
  • access: a string representing access key of the access/secret pair.
  • secret: a string representing the secret of the access/secret pair.
class keystoneclient.v3.ec2.EC2Manager(client)

Bases: keystoneclient.base.ManagerWithFind

create(user_id, project_id)

Create a new access/secret pair.

Parameters:
Returns:

the created access/secret pair returned from server.
Return type:

keystoneclient.v3.ec2.EC2
delete(user_id, access)

Delete an access/secret pair.

Parameters:
  • user_id (str or keystoneclient.v3.users.User) – the ID of the user whose access/secret pair will be deleted on the server.
  • access (str) – the access key whose access/secret pair will be deleted on the server.
Returns:

Response object with 204 status.
Return type:

requests.models.Response
get(user_id, access)

Retrieve an access/secret pair for a given access key.

Parameters:
  • user_id (str or keystoneclient.v3.users.User) – the ID of the user whose access/secret pair will be retrieved from the server.
  • access (str) – the access key whose access/secret pair will be retrieved from the server.
Returns:

the specified access/secret pair returned from server.
Return type:

keystoneclient.v3.ec2.EC2
list(user_id)

List access/secret pairs for a given user.

Parameters:user_id (str) – the ID of the user having access/secret pairs will be listed.
Returns:a list of access/secret pairs.
Return type:list of keystoneclient.v3.ec2.EC2
resource_class

alias of EC2

keystoneclient.v3.endpoints module

class keystoneclient.v3.endpoints.Endpoint(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity endpoint.

Attributes:

  • id: a uuid that identifies the endpoint

  • interface: ‘public’, ‘admin’ or ‘internal’ network interface

  • region: geographic location of the endpoint

  • service_id: service to which the endpoint belongs

  • url: fully qualified service endpoint

  • enabled: determines whether the endpoint appears in the service

    catalog

class keystoneclient.v3.endpoints.EndpointManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity endpoints.

collection_key = 'endpoints'
create(service, url, interface=None, region=None, enabled=True, **kwargs)

Create an endpoint.

Parameters:
  • service (str or keystoneclient.v3.services.Service) – the service to which the endpoint belongs.
  • url (str) – the URL of the fully qualified service endpoint.
  • interface (str) – the network interface of the endpoint. Valid values are: public, admin or internal.
  • region (str or keystoneclient.v3.regions.Region) – the region to which the endpoint belongs.
  • enabled (bool) – whether the endpoint is enabled or not, determining if it appears in the service catalog.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the created endpoint returned from server.
Return type:

keystoneclient.v3.endpoints.Endpoint
delete(endpoint)

Delete an endpoint.

Parameters:endpoint (str or keystoneclient.v3.endpoints.Endpoint) – the endpoint to be deleted on the server.
Returns:Response object with 204 status.
Return type:requests.models.Response
get(endpoint)

Retrieve an endpoint.

Parameters:endpoint (str or keystoneclient.v3.endpoints.Endpoint) – the endpoint to be retrieved from the server.
Returns:the specified endpoint returned from server.
Return type:keystoneclient.v3.endpoints.Endpoint
key = 'endpoint'
list(service=None, interface=None, region=None, enabled=None, region_id=None, **kwargs)

List endpoints.

Parameters:
  • service (str or keystoneclient.v3.services.Service) – the service of the endpoints to be filtered on.
  • interface (str) – the network interface of the endpoints to be filtered on. Valid values are: public, admin or internal.
  • enabled (bool) – whether to return enabled or disabled endpoints.
  • region_id (str) – filter endpoints by the region_id attribute. If both region and region_id are specified, region takes precedence.
  • kwargs – any other attribute provided will filter endpoints on.
Returns:

a list of endpoints.
Return type:

list of keystoneclient.v3.endpoints.Endpoint
resource_class

alias of Endpoint

update(endpoint, service=None, url=None, interface=None, region=None, enabled=None, **kwargs)

Update an endpoint.

Parameters:
  • endpoint (str or keystoneclient.v3.endpoints.Endpoint) – the endpoint to be updated on the server.
  • service (str or keystoneclient.v3.services.Service) – the new service to which the endpoint belongs.
  • url (str) – the new URL of the fully qualified service endpoint.
  • interface (str) – the new network interface of the endpoint. Valid values are: public, admin or internal.
  • region (str or keystoneclient.v3.regions.Region) – the new region to which the endpoint belongs.
  • enabled (bool) – determining if the endpoint appears in the service catalog by enabling or disabling it.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the updated endpoint returned from server.
Return type:

keystoneclient.v3.endpoints.Endpoint

keystoneclient.v3.groups module

class keystoneclient.v3.groups.Group(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity user group.

Attributes:
  • id: a uuid that identifies the group
  • name: group name
  • description: group description
update(name=None, description=None)
class keystoneclient.v3.groups.GroupManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity groups.

collection_key = 'groups'
create(name, domain=None, description=None, **kwargs)

Create a group.

Parameters:
  • name (str) – the name of the group.
  • domain (str or keystoneclient.v3.domains.Domain) – the domain of the group.
  • description (str) – a description of the group.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the created group returned from server.
Return type:

keystoneclient.v3.groups.Group
delete(group)

Delete a group.

Parameters:group (str or keystoneclient.v3.groups.Group) – the group to be deleted on the server.
Returns:Response object with 204 status.
Return type:requests.models.Response
get(group)

Retrieve a group.

Parameters:group (str or keystoneclient.v3.groups.Group) – the group to be retrieved from the server.
Returns:the specified group returned from server.
Return type:keystoneclient.v3.groups.Group
key = 'group'
list(user=None, domain=None, **kwargs)

List groups.

Parameters:
Returns:

a list of groups.
Return type:

list of keystoneclient.v3.groups.Group.
resource_class

alias of Group

update(group, name=None, description=None, **kwargs)

Update a group.

Parameters:
  • group (str or keystoneclient.v3.groups.Group) – the group to be updated on the server.
  • name (str) – the new name of the group.
  • description (str) – the new description of the group.
  • kwargs – any other attribute provided will be passed to server.
Returns:

the updated group returned from server.
Return type:

keystoneclient.v3.groups.Group

keystoneclient.v3.policies module

class keystoneclient.v3.policies.Policy(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity policy.

Attributes:
  • id: a uuid that identifies the policy
  • blob: a policy document (blob)
  • type: the MIME type of the policy blob
update(blob=None, type=None)
class keystoneclient.v3.policies.PolicyManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity policies.

collection_key = 'policies'
create(blob, type='application/json', **kwargs)

Create a policy.

Parameters:
  • blob (str) – the policy document.
  • type (str) – the MIME type of the policy blob.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the created policy returned from server.
Return type:

keystoneclient.v3.policies.Policy
delete(policy)

“Delete a policy.

Parameters:policy (str or keystoneclient.v3.policies.Policy) – the policy to be deleted on the server.
Returns:Response object with 204 status.
Return type:requests.models.Response
get(policy)

Retrieve a policy.

Parameters:policy (str or keystoneclient.v3.policies.Policy) – the policy to be retrieved from the server.
Returns:the specified policy returned from server.
Return type:keystoneclient.v3.policies.Policy
key = 'policy'
list(**kwargs)

List policies.

Parameters:kwargs – allows filter criteria to be passed where supported by the server.
Returns:a list of policies.
Return type:list of keystoneclient.v3.policies.Policy.
resource_class

alias of Policy

update(policy, blob=None, type=None, **kwargs)

Update a policy.

Parameters:
  • policy (str or keystoneclient.v3.policies.Policy) – the policy to be updated on the server.
  • blob (str) – the new policy document.
  • type (str) – the new MIME type of the policy blob.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the updated policy returned from server.
Return type:

keystoneclient.v3.policies.Policy

keystoneclient.v3.projects module

class keystoneclient.v3.projects.Project(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity project.

Attributes:

  • id: a uuid that identifies the project

  • name: project name

  • description: project description

  • enabled: boolean to indicate if project is enabled

  • parent_id: a uuid representing this project’s parent in hierarchy

  • parents: a list or a structured dict containing the parents of this

    project in the hierarchy

  • subtree: a list or a structured dict containing the subtree of this

    project in the hierarchy

update(name=None, description=None, enabled=None)
class keystoneclient.v3.projects.ProjectManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity projects.

collection_key = 'projects'
create(name, domain, description=None, enabled=True, parent=None, **kwargs)

Create a project.

Parameters:
  • name (str) – the name of the project.
  • domain (str or keystoneclient.v3.domains.Domain) – the domain of the project.
  • description (str) – the description of the project.
  • enabled (bool) – whether the project is enabled.
  • parent (str or keystoneclient.v3.projects.Project) – the parent of the project in the hierarchy.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the created project returned from server.
Return type:

keystoneclient.v3.projects.Project
delete(project)

Delete a project.

Parameters:project (str or keystoneclient.v3.projects.Project) – the project to be deleted on the server.
Returns:Response object with 204 status.
Return type:requests.models.Response
get(project, subtree_as_list=False, parents_as_list=False, subtree_as_ids=False, parents_as_ids=False)

Retrieve a project.

Parameters:
  • project (str or keystoneclient.v3.projects.Project) – the project to be retrieved from the server.
  • subtree_as_list (bool) – retrieve projects below this project in the hierarchy as a flat list. It only includes the projects in which the current user has role assignments on.
  • parents_as_list (bool) – retrieve projects above this project in the hierarchy as a flat list. It only includes the projects in which the current user has role assignments on.
  • subtree_as_ids (bool) – retrieve the IDs from the projects below this project in the hierarchy as a structured dictionary.
  • parents_as_ids (bool) – retrieve the IDs from the projects above this project in the hierarchy as a structured dictionary.
Returns:

the specified project returned from server.
Return type:

keystoneclient.v3.projects.Project
Raises:

keystoneclient.exceptions.ValidationError – if subtree_as_list and subtree_as_ids or parents_as_list and parents_as_ids are included at the same time in the call.
key = 'project'
list(domain=None, user=None, **kwargs)

List projects.

Parameters:
Returns:

a list of projects.
Return type:

list of keystoneclient.v3.projects.Project
resource_class

alias of Project

update(project, name=None, domain=None, description=None, enabled=None, **kwargs)

Update a project.

Parameters:
  • project (str or keystoneclient.v3.projects.Project) – the project to be updated on the server.
  • name (str) – the new name of the project.
  • domain (str or keystoneclient.v3.domains.Domain) – the new domain of the project.
  • description (str) – the new description of the project.
  • enabled (bool) – whether the project is enabled.
  • kwargs – any other attribute provided will be passed to server.
Returns:

the updated project returned from server.
Return type:

keystoneclient.v3.projects.Project

keystoneclient.v3.regions module

class keystoneclient.v3.regions.Region(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents a Catalog region.

Attributes:

  • id: a string that identifies the region.

  • description: a string that describes the region.

  • parent_region_id: a pre-existing region in the backend or its ID

    field. Allows for hierarchical region organization.

  • enabled: determines whether the endpoint appears in the catalog.

class keystoneclient.v3.regions.RegionManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity regions.

collection_key = 'regions'
create(id=None, description=None, enabled=True, parent_region=None, **kwargs)

Create a region.

Parameters:
  • id (str) – the unique identifier of the region. If not specified an ID will be created by the server.
  • description (str) – the description of the region.
  • enabled (bool) – whether the region is enabled or not, determining if it appears in the catalog.
  • parent_region (str or keystoneclient.v3.regions.Region) – the parent of the region in the hierarchy.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the created region returned from server.
Return type:

keystoneclient.v3.regions.Region
delete(region)

Delete a region.

Parameters:region (str or keystoneclient.v3.regions.Region) – the region to be deleted on the server.
Returns:Response object with 204 status.
Return type:requests.models.Response
get(region)

Retrieve a region.

Parameters:region (str or keystoneclient.v3.regions.Region) – the region to be retrieved from the server.
Returns:the specified region returned from server.
Return type:keystoneclient.v3.regions.Region
key = 'region'
list(**kwargs)

List regions.

Parameters:kwargs – any attributes provided will filter regions on.
Returns:a list of regions.
Return type:list of keystoneclient.v3.regions.Region.
resource_class

alias of Region

update(region, description=None, enabled=None, parent_region=None, **kwargs)

Update a region.

Parameters:
  • region (str or keystoneclient.v3.regions.Region) – the region to be updated on the server.
  • description (str) – the new description of the region.
  • enabled (bool) – determining if the region appears in the catalog by enabling or disabling it.
  • parent_region (str or keystoneclient.v3.regions.Region) – the new parent of the region in the hierarchy.
  • kwargs – any other attribute provided will be passed to server.
Returns:

the updated region returned from server.
Return type:

keystoneclient.v3.regions.Region

keystoneclient.v3.role_assignments module

class keystoneclient.v3.role_assignments.RoleAssignment(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity role assignment.

Attributes:

  • role: an object which contains a role uuid

  • user or group: an object which contains either a user or

    group uuid

  • scope: an object which has either a project or domain object

    containing an uuid

class keystoneclient.v3.role_assignments.RoleAssignmentManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity roles assignments.

collection_key = 'role_assignments'
create(**kwargs)
delete(**kwargs)
find(**kwargs)
get(**kwargs)
key = 'role_assignment'
list(user=None, group=None, project=None, domain=None, role=None, effective=False, os_inherit_extension_inherited_to=None, include_subtree=False, include_names=False)

List role assignments.

If no arguments are provided, all role assignments in the system will be listed.

If both user and group are provided, a ValidationError will be raised. If both domain and project are provided, it will also raise a ValidationError.

Parameters:
  • user – User to be used as query filter. (optional)
  • group – Group to be used as query filter. (optional)
  • project – Project to be used as query filter. (optional)
  • domain – Domain to be used as query filter. (optional)
  • role – Role to be used as query filter. (optional)
  • effective (boolean) – return effective role assignments. (optional)
  • os_inherit_extension_inherited_to (string) – return inherited role assignments for either ‘projects’ or ‘domains’. (optional)
  • include_subtree (boolean) – Include subtree (optional)
  • include_names (boolean) – Display names instead of IDs. (optional)
put(**kwargs)
resource_class

alias of RoleAssignment

update(**kwargs)

keystoneclient.v3.roles module

class keystoneclient.v3.roles.InferenceRule(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Rule that states one ROle implies another.

Attributes:
  • prior_role: this role implies the other
  • implied_role: this role is implied by the other
class keystoneclient.v3.roles.Role(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity role.

Attributes:
  • id: a uuid that identifies the role
  • name: user-facing identifier
  • domain: optional domain for the role
class keystoneclient.v3.roles.RoleManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity roles.

check(role, user=None, group=None, domain=None, project=None, os_inherit_extension_inherited=False, **kwargs)

Check if a user or group has a role on a domain or project.

Parameters:
  • user (str or keystoneclient.v3.users.User) – check for role grants for the specified user on a resource. Domain or project must be specified. User and group are mutually exclusive.
  • group (str or keystoneclient.v3.groups.Group) – check for role grants for the specified group on a resource. Domain or project must be specified. User and group are mutually exclusive.
  • domain (str or keystoneclient.v3.domains.Domain) – check for role grants on the specified domain. Either user or group must be specified. Project and domain are mutually exclusive.
  • project (str or keystoneclient.v3.projects.Project) – check for role grants on the specified project. Either user or group must be specified. Project and domain are mutually exclusive.
  • os_inherit_extension_inherited (bool) – OS-INHERIT will be used. It provides the ability for projects to inherit role assignments from their domains or from parent projects in the hierarchy.
  • kwargs – any other attribute provided will be passed to server.
Returns:

the specified role returned from server if it exists.
Return type:

keystoneclient.v3.roles.Role
Returns:

Response object with 204 status if specified role doesn’t exist.
Return type:

requests.models.Response
check_implied(prior_role, implied_role, **kwargs)

Check if an inference rule exists.

Parameters:
  • prior_role – the role which implies implied_role.
  • implied_role – the role which is implied by prior_role.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

response object with 200 status returned from server.
Return type:

requests.models.Response
collection_key = 'roles'
create(name, domain=None, **kwargs)

Create a role.

Parameters:
  • name (str) – the name of the role.
  • domain (str or keystoneclient.v3.domains.Domain) – the domain of the role. If a value is passed it is a domain-scoped role, otherwise it’s a global role.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the created role returned from server.
Return type:

keystoneclient.v3.roles.Role
create_implied(prior_role, implied_role, **kwargs)

Create an inference rule.

Parameters:
  • prior_role – the role which implies implied_role.
  • implied_role – the role which is implied by prior_role.
  • kwargs – any other attribute provided will be passed to the server.
delete(role)

Delete a role.

When a role is deleted all the role inferences that have deleted role as prior role will be deleted as well.

Parameters:role (str or keystoneclient.v3.roles.Role) – the role to be deleted on the server.
Returns:Response object with 204 status.
Return type:requests.models.Response
delete_implied(prior_role, implied_role, **kwargs)

Delete an inference rule.

Parameters:
  • prior_role – the role which implies implied_role.
  • implied_role – the role which is implied by prior_role.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

Response object with 204 status.
Return type:

requests.models.Response
get(role)

Retrieve a role.

Parameters:role (str or keystoneclient.v3.roles.Role) – the role to be retrieved from the server.
Returns:the specified role returned from server.
Return type:keystoneclient.v3.roles.Role
get_implied(prior_role, implied_role, **kwargs)

Retrieve an inference rule.

Parameters:
  • prior_role – the role which implies implied_role.
  • implied_role – the role which is implied by prior_role.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the specified role inference returned from server.
Return type:

keystoneclient.v3.roles.InferenceRule
grant(role, user=None, group=None, domain=None, project=None, os_inherit_extension_inherited=False, **kwargs)

Grant a role to a user or group on a domain or project.

Parameters:
  • role (str or keystoneclient.v3.roles.Role) – the role to be granted on the server.
  • user (str or keystoneclient.v3.users.User) – the specified user to have the role granted on a resource. Domain or project must be specified. User and group are mutually exclusive.
  • group (str or keystoneclient.v3.groups.Group) – the specified group to have the role granted on a resource. Domain or project must be specified. User and group are mutually exclusive.
  • domain (str or keystoneclient.v3.domains.Domain) – the domain in which the role will be granted. Either user or group must be specified. Project and domain are mutually exclusive.
  • project (str or keystoneclient.v3.projects.Project) – the project in which the role will be granted. Either user or group must be specified. Project and domain are mutually exclusive.
  • os_inherit_extension_inherited (bool) – OS-INHERIT will be used. It provides the ability for projects to inherit role assignments from their domains or from parent projects in the hierarchy.
  • kwargs – any other attribute provided will be passed to server.
Returns:

the granted role returned from server.
Return type:

keystoneclient.v3.roles.Role
key = 'role'
list(user=None, group=None, domain=None, project=None, os_inherit_extension_inherited=False, **kwargs)

List roles and role grants.

Parameters:
  • user (str or keystoneclient.v3.users.User) – filter in role grants for the specified user on a resource. Domain or project must be specified. User and group are mutually exclusive.
  • group (str or keystoneclient.v3.groups.Group) – filter in role grants for the specified group on a resource. Domain or project must be specified. User and group are mutually exclusive.
  • domain (str or keystoneclient.v3.domains.Domain) – filter in role grants on the specified domain. Either user or group must be specified. Project and domain are mutually exclusive.
  • project (str or keystoneclient.v3.projects.Project) – filter in role grants on the specified project. Either user or group must be specified. Project and domain are mutually exclusive.
  • os_inherit_extension_inherited (bool) – OS-INHERIT will be used. It provides the ability for projects to inherit role assignments from their domains or from parent projects in the hierarchy.
  • kwargs – any other attribute provided will filter roles on.
Returns:

a list of roles.
Return type:

list of keystoneclient.v3.roles.Role
list_role_inferences(**kwargs)

List role inferences.

Parameters:kwargs – attributes provided will be passed to the server.
Returns:a list of roles inferences.
Return type:list of keystoneclient.v3.roles.InferenceRule
resource_class

alias of Role

revoke(role, user=None, group=None, domain=None, project=None, os_inherit_extension_inherited=False, **kwargs)

Revoke a role from a user or group on a domain or project.

Parameters:
  • user (str or keystoneclient.v3.users.User) – revoke role grants for the specified user on a resource. Domain or project must be specified. User and group are mutually exclusive.
  • group (str or keystoneclient.v3.groups.Group) – revoke role grants for the specified group on a resource. Domain or project must be specified. User and group are mutually exclusive.
  • domain (str or keystoneclient.v3.domains.Domain) – revoke role grants on the specified domain. Either user or group must be specified. Project and domain are mutually exclusive.
  • project (str or keystoneclient.v3.projects.Project) – revoke role grants on the specified project. Either user or group must be specified. Project and domain are mutually exclusive.
  • os_inherit_extension_inherited (bool) – OS-INHERIT will be used. It provides the ability for projects to inherit role assignments from their domains or from parent projects in the hierarchy.
  • kwargs – any other attribute provided will be passed to server.
Returns:

the revoked role returned from server.
Return type:

list of keystoneclient.v3.roles.Role
update(role, name=None, **kwargs)

Update a role.

Parameters:
  • role (str or keystoneclient.v3.roles.Role) – the role to be updated on the server.
  • name (str) – the new name of the role.
  • kwargs – any other attribute provided will be passed to server.
Returns:

the updated role returned from server.
Return type:

keystoneclient.v3.roles.Role

keystoneclient.v3.services module

class keystoneclient.v3.services.Service(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity service.

Attributes:
  • id: a uuid that identifies the service
  • name: the user-facing name of the service (e.g. Keystone)
  • description: a description of the service
  • type: the type of the service (e.g. ‘compute’, ‘identity’)
  • enabled: determines whether the service appears in the catalog
class keystoneclient.v3.services.ServiceManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity services.

collection_key = 'services'
create(name, type=None, enabled=True, description=None, **kwargs)

Create a service.

Parameters:
  • name (str) – the name of the service.
  • type (str) – the type of the service.
  • enabled (bool) – whether the service appears in the catalog.
  • description (str) – the description of the service.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the created service returned from server.
Return type:

keystoneclient.v3.services.Service
delete(service=None, id=None)

Delete a service.

Parameters:service (str or keystoneclient.v3.services.Service) – the service to be deleted on the server.
Returns:Response object with 204 status.
Return type:requests.models.Response
get(service)

Retrieve a service.

Parameters:service (str or keystoneclient.v3.services.Service) – the service to be retrieved from the server.
Returns:the specified service returned from server.
Return type:keystoneclient.v3.services.Service
key = 'service'
list(name=None, type=None, **kwargs)

List services.

Parameters:
  • name (str) – the name of the services to be filtered on.
  • type (str) – the type of the services to be filtered on.
  • kwargs – any other attribute provided will filter services on.
Returns:

a list of services.
Return type:

list of keystoneclient.v3.services.Service
resource_class

alias of Service

update(service, name=None, type=None, enabled=None, description=None, **kwargs)

Update a service.

Parameters:
  • service (str or keystoneclient.v3.services.Service) – the service to be updated on the server.
  • name (str) – the new name of the service.
  • type (str) – the new type of the service.
  • enabled (bool) – whether the service appears in the catalog.
  • description (str) – the new description of the service.
  • kwargs – any other attribute provided will be passed to server.
Returns:

the updated service returned from server.
Return type:

keystoneclient.v3.services.Service

keystoneclient.v3.tokens module

class keystoneclient.v3.tokens.TokenManager(client)

Bases: object

Manager class for manipulating Identity tokens.

get_revoked(audit_id_only=False)

Get revoked tokens list.

Parameters:audit_id_only (bool) – If true, the server is requested to not send token IDs, but only audit IDs instead. New in version 2.2.0.
Returns:A dict containing signed which is a CMS formatted string if the server signed the response. If audit_id_only is true then the response may be a dict containing revoked which is the list of token audit IDs and expiration times.
Return type:dict
get_token_data(token, include_catalog=True)

Fetch the data about a token from the identity server.

Parameters:
  • token (str) – The ID of the token to be fetched.
  • include_catalog (bool) – Whether the service catalog should be included in the response.
Return type:

dict
revoke_token(token)

Revoke a token.

Parameters:token (str or keystoneclient.access.AccessInfo) – The token to be revoked.
validate(token, include_catalog=True)

Validate a token.

Parameters:
  • token (str or keystoneclient.access.AccessInfo) – The token to be validated.
  • include_catalog – If False, the response is requested to not include the catalog.
Return type:

keystoneclient.access.AccessInfoV3

keystoneclient.v3.users module

class keystoneclient.v3.users.User(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity user.

Attributes:
  • id: a uuid that identifies the user
class keystoneclient.v3.users.UserManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity users.

add_to_group(user, group)

Add the specified user as a member of the specified group.

Parameters:
Returns:

Response object with 204 status.
Return type:

requests.models.Response
check_in_group(user, group)

Check if the specified user is a member of the specified group.

Parameters:
Returns:

Response object with 204 status.
Return type:

requests.models.Response
collection_key = 'users'
create(name, domain=None, project=None, password=None, email=None, description=None, enabled=True, default_project=None, **kwargs)

Create a user.

Parameters:
  • name (str) – the name of the user.
  • domain (str or keystoneclient.v3.domains.Domain) – the domain of the user.
  • project (str or keystoneclient.v3.projects.Project) – the default project of the user. (deprecated, see warning below)
  • password (str) – the password for the user.
  • email (str) – the email address of the user.
  • description (str) – a description of the user.
  • enabled (bool) – whether the user is enabled.
  • default_project (str or keystoneclient.v3.projects.Project) – the default project of the user.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the created user returned from server.
Return type:

keystoneclient.v3.users.User

Warning

The project argument is deprecated as of the 1.7.0 release in favor of default_project and may be removed in the 2.0.0 release.

If both default_project and project is provided, the default_project will be used.

delete(user)

Delete a user.

Parameters:user (str or keystoneclient.v3.users.User) – the user to be deleted on the server.
Returns:Response object with 204 status.
Return type:requests.models.Response
get(user)

Retrieve a user.

Parameters:user (str or keystoneclient.v3.users.User) – the user to be retrieved from the server.
Returns:the specified user returned from server.
Return type:keystoneclient.v3.users.User
key = 'user'
list(project=None, domain=None, group=None, default_project=None, **kwargs)

List users.

Parameters:
Returns:

a list of users.
Return type:

list of keystoneclient.v3.users.User.

Warning

The project argument is deprecated as of the 1.7.0 release in favor of default_project and may be removed in the 2.0.0 release.

If both default_project and project is provided, the default_project will be used.

remove_from_group(user, group)

Remove the specified user from the specified group.

Parameters:
Returns:

Response object with 204 status.
Return type:

requests.models.Response
resource_class

alias of User

update(user, name=None, domain=None, project=None, password=None, email=None, description=None, enabled=None, default_project=None, **kwargs)

Update a user.

Parameters:
Returns:

the updated user returned from server.
Return type:

keystoneclient.v3.users.User

Warning

The project argument is deprecated as of the 1.7.0 release in favor of default_project and may be removed in the 2.0.0 release.

If both default_project and project is provided, the default_project will be used.

update_password(old_password, new_password)

Update the password for the user the token belongs to.

Parameters:
  • old_password (str) – the user’s old password
  • new_password (str) – the user’s new password
Returns:

Response object with 204 status.
Return type:

requests.models.Response

Module contents