keystoneclient.v3 package

keystoneclient.v3 package

Submodules

keystoneclient.v3.application_credentials module

class keystoneclient.v3.application_credentials.ApplicationCredential(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity application credential.

Attributes:
  • id: a uuid that identifies the application credential
  • user: the user who owns the application credential
  • name: application credential name
  • secret: application credential secret
  • description: application credential description
  • expires_at: expiry time
  • roles: role assignments on the project
  • unrestricted: whether the application credential has restrictions
    applied
class keystoneclient.v3.application_credentials.ApplicationCredentialManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity application credentials.

collection_key = 'application_credentials'
create(name, user=None, secret=None, description=None, expires_at=None, roles=None, unrestricted=False, **kwargs)

Create a credential.

Parameters:
  • name (string) – application credential name
  • user (string) – User ID
  • secret – application credential secret
  • description – application credential description
  • expires_at (datetime.datetime) – expiry time
  • roles (List) – list of roles on the project. Maybe a list of IDs or a list of dicts specifying role name and domain
  • unrestricted (bool) – whether the application credential has restrictions applied
Returns:

the created application credential

Return type:

keystoneclient.v3.application_credentials.ApplicationCredential

delete(application_credential, user=None)

Delete an application credential.

Parameters:application_credential – the application credential to be deleted
Returns:response object with 204 status
Return type:requests.models.Response
find(user=None, **kwargs)

Find an application credential with attributes matching **kwargs.

Parameters:user (string) – User ID
Returns:a list of matching application credentials
Return type:list of keystoneclient.v3.application_credentials.ApplicationCredential
get(application_credential, user=None)

Retrieve an application credential.

Parameters:application_credential – the credential to be retrieved from the server
Returns:the specified application credential
Return type:keystoneclient.v3.application_credentials.ApplicationCredential
key = 'application_credential'
list(user=None, **kwargs)

List application credentials.

Parameters:user (string) – User ID
Returns:a list of application credentials
Return type:list of keystoneclient.v3.application_credentials.ApplicationCredential
resource_class

alias of ApplicationCredential

update()

keystoneclient.v3.auth module

class keystoneclient.v3.auth.AuthManager(client)

Bases: keystoneclient.base.Manager

Retrieve auth context specific information.

The information returned by the auth routes is entirely dependent on the authentication information provided by the user.

domains()

List Domains that the specified token can be rescoped to.

Returns:a list of domains.
Return type:list of keystoneclient.v3.domains.Domain.
projects()

List projects that the specified token can be rescoped to.

Returns:a list of projects.
Return type:list of keystoneclient.v3.projects.Project

keystoneclient.v3.client module

class keystoneclient.v3.client.Client(**kwargs)

Bases: keystoneclient.httpclient.HTTPClient

Client for the OpenStack Identity API v3.

Parameters:
  • session (keystoneauth1.session.Session) – Session for requests. (optional)
  • user_id (string) – User ID for authentication. (optional)
  • username (string) – Username for authentication. (optional)
  • user_domain_id (string) – User’s domain ID for authentication. (optional)
  • user_domain_name (string) – User’s domain name for authentication. (optional)
  • password (string) – Password for authentication. (optional)
  • token (string) – Token for authentication. (optional)
  • domain_id (string) – Domain ID for domain scoping. (optional)
  • domain_name (string) – Domain name for domain scoping. (optional)
  • project_id (string) – Project ID for project scoping. (optional)
  • project_name (string) – Project name for project scoping. (optional)
  • project_domain_id (string) – Project’s domain ID for project scoping. (optional)
  • project_domain_name (string) – Project’s domain name for project scoping. (optional)
  • tenant_name (string) – Tenant name. (optional) The tenant_name keyword argument is deprecated as of the 1.7.0 release in favor of project_name and may be removed in the 2.0.0 release.
  • tenant_id (string) – Tenant id. (optional) The tenant_id keyword argument is deprecated as of the 1.7.0 release in favor of project_id and may be removed in the 2.0.0 release.
  • auth_url (string) – Identity service endpoint for authorization.
  • region_name (string) – Name of a region to select when choosing an endpoint from the service catalog.
  • endpoint (string) – A user-supplied endpoint URL for the identity service. Lazy-authentication is possible for API service calls if endpoint is set at instantiation. (optional)
  • timeout (integer) – Allows customization of the timeout for client http requests. (optional)

Warning

Constructing an instance of this class without a session is deprecated as of the 1.7.0 release and will be removed in the 2.0.0 release.

Example:

>>> from keystoneauth1.identity import v3
>>> from keystoneauth1 import session
>>> from keystoneclient.v3 import client
>>> auth = v3.Password(user_domain_name=DOMAIN_NAME,
...                    username=USER,
...                    password=PASS,
...                    project_domain_name=PROJECT_DOMAIN_NAME,
...                    project_name=PROJECT_NAME,
...                    auth_url=KEYSTONE_URL)
>>> sess = session.Session(auth=auth)
>>> keystone = client.Client(session=sess)
>>> keystone.projects.list()
...
>>> user = keystone.users.get(USER_ID)
>>> user.delete()

Instances of this class have the following managers:

credentials

keystoneclient.v3.credentials.CredentialManager

domain_configs

keystoneclient.v3.domain_configs.DomainConfigManager

ec2

keystoneclient.v3.ec2.EC2Manager

endpoint_filter

keystoneclient.v3.contrib.endpoint_filter.EndpointFilterManager

endpoint_groups

keystoneclient.v3.endpoint_groups.EndpointGroupManager

endpoint_policy

keystoneclient.v3.contrib.endpoint_policy.EndpointPolicyManager

endpoints

keystoneclient.v3.endpoints.EndpointManager

domains

keystoneclient.v3.domains.DomainManager

federation

keystoneclient.v3.contrib.federation.core.FederationManager

groups

keystoneclient.v3.groups.GroupManager

limits

keystoneclient.v3.limits.LimitManager

oauth1

keystoneclient.v3.contrib.oauth1.core.OAuthManager

policies

keystoneclient.v3.policies.PolicyManager

regions

keystoneclient.v3.regions.RegionManager

registered_limits

keystoneclient.v3.registered_limits.RegisteredLimitManager

role_assignments

keystoneclient.v3.role_assignments.RoleAssignmentManager

roles

keystoneclient.v3.roles.RoleManager

simple_cert

keystoneclient.v3.contrib.simple_cert.SimpleCertManager

services

keystoneclient.v3.services.ServiceManager

tokens

keystoneclient.v3.tokens.TokenManager

trusts

keystoneclient.v3.contrib.trusts.TrustManager

users

keystoneclient.v3.users.UserManager

get_raw_token_from_identity_service(auth_url, user_id=None, username=None, user_domain_id=None, user_domain_name=None, password=None, domain_id=None, domain_name=None, project_id=None, project_name=None, project_domain_id=None, project_domain_name=None, token=None, trust_id=None, **kwargs)

Authenticate against the v3 Identity API.

If password and token methods are both provided then both methods will be used in the request.

Returns:

access.AccessInfo if authentication was successful.

Return type:

keystoneclient.access.AccessInfoV3

Raises:
process_token(**kwargs)

Extract and process information from the new auth_ref.

And set the relevant authentication information.

serialize(entity)
version = 'v3'

keystoneclient.v3.credentials module

class keystoneclient.v3.credentials.Credential(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity credential.

Attributes:
  • id: a uuid that identifies the credential
  • user_id: user ID to which credential belongs
  • type: the type of credential
  • blob: the text that represents the credential
  • project_id: project ID which limits the scope of the credential
class keystoneclient.v3.credentials.CredentialManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity credentials.

collection_key = 'credentials'
create(user, type, blob, project=None, **kwargs)

Create a credential.

Parameters:
  • user (str or keystoneclient.v3.users.User) – the user to which the credential belongs
  • type (str) – the type of the credential, valid values are: ec2, cert or totp
  • blob (str) – the arbitrary blob of the credential data, to be parsed according to the type
  • project (str or keystoneclient.v3.projects.Project) – the project which limits the scope of the credential, this attribbute is mandatory if the credential type is ec2
  • kwargs – any other attribute provided will be passed to the server
Returns:

the created credential

Return type:

keystoneclient.v3.credentials.Credential

delete(credential)

Delete a credential.

Parameters:credential (str or keystoneclient.v3.credentials.Credential) – the credential to be deleted
Returns:response object with 204 status
Return type:requests.models.Response
get(credential)

Retrieve a credential.

Parameters:credential (str or keystoneclient.v3.credentials.Credential) – the credential to be retrieved from the server
Returns:the specified credential
Return type:keystoneclient.v3.credentials.Credential
key = 'credential'
list(**kwargs)

List credentials.

Parameters:kwargs – If user_id or type is specified then credentials will be filtered accordingly.
Returns:a list of credentials
Return type:list of keystoneclient.v3.credentials.Credential
resource_class

alias of Credential

update(credential, user, type=None, blob=None, project=None, **kwargs)

Update a credential.

Parameters:
  • credential (str or keystoneclient.v3.credentials.Credential) – the credential to be updated on the server
  • user (str or keystoneclient.v3.users.User) – the new user to which the credential belongs
  • type (str) – the new type of the credential, valid values are: ec2, cert or totp
  • blob (str) – the new blob of the credential data and may be removed in the future release.
  • project (str or keystoneclient.v3.projects.Project) – the new project which limits the scope of the credential, this attribute is mandatory if the credential type is ec2
  • kwargs – any other attribute provided will be passed to the server
Returns:

the updated credential

Return type:

keystoneclient.v3.credentials.Credential

keystoneclient.v3.domain_configs module

class keystoneclient.v3.domain_configs.DomainConfig(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

An object representing a domain config association.

This resource object does not necessarily contain fixed attributes, as new attributes are added in the server, they are supported here directly. The currently supported configs are identity and ldap.

class keystoneclient.v3.domain_configs.DomainConfigManager(client)

Bases: keystoneclient.base.Manager

Manager class for manipulating domain config associations.

build_url(domain)
create(domain, config)

Create a config for a domain.

Parameters:

Example of the config parameter:

{
     "identity": {
         "driver": "ldap"
     },
     "ldap": {
         "url": "ldap://myldap.com:389/",
         "user_tree_dn": "ou=Users,dc=my_new_root,dc=org"
     }
}
Returns:the created domain config returned from server.
Return type:keystoneclient.v3.domain_configs.DomainConfig
delete(domain)

Delete a config for a domain.

Parameters:domain (str or keystoneclient.v3.domains.Domain) – the domain which the config will be deleted on the server.
Returns:Response object with 204 status.
Return type:requests.models.Response
find(**kwargs)
get(domain)

Get a config for a domain.

Parameters:domain (str or keystoneclient.v3.domains.Domain) – the domain for which the config is defined.
Returns:the domain config returned from server.
Return type:keystoneclient.v3.domain_configs.DomainConfig
key = 'config'
list(**kwargs)
resource_class

alias of DomainConfig

update(domain, config)

Update a config for a domain.

Parameters:

Example of the config parameter:

{
     "identity": {
         "driver": "ldap"
     },
     "ldap": {
         "url": "ldap://myldap.com:389/",
         "user_tree_dn": "ou=Users,dc=my_new_root,dc=org"
     }
}
Returns:the updated domain config returned from server.
Return type:keystoneclient.v3.domain_configs.DomainConfig

keystoneclient.v3.domains module

class keystoneclient.v3.domains.Domain(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity domain.

Attributes:
  • id: a uuid that identifies the domain
  • name: the name of the domain
  • description: a description of the domain
  • enabled: determines whether the domain is enabled
class keystoneclient.v3.domains.DomainManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity domains.

collection_key = 'domains'
create(name, description=None, enabled=True, **kwargs)

Create a domain.

Parameters:
  • name (str) – the name of the domain.
  • description (str) – a description of the domain.
  • enabled (bool) – whether the domain is enabled.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the created domain returned from server.

Return type:

keystoneclient.v3.domains.Domain

delete(domain)

“Delete a domain.

Parameters:domain (str or keystoneclient.v3.domains.Domain) – the domain to be deleted on the server.
Returns:Response object with 204 status.
Return type:requests.models.Response
get(domain)

Retrieve a domain.

Parameters:domain (str or keystoneclient.v3.domains.Domain) – the domain to be retrieved from the server.
Returns:the specified domain returned from server.
Return type:keystoneclient.v3.domains.Domain
key = 'domain'
list(**kwargs)

List domains.

Parameters:kwargs – allows filter criteria to be passed where supported by the server.
Returns:a list of domains.
Return type:list of keystoneclient.v3.domains.Domain.
resource_class

alias of Domain

update(domain, name=None, description=None, enabled=None, **kwargs)

Update a domain.

Parameters:
  • domain (str or keystoneclient.v3.domains.Domain) – the domain to be updated on the server.
  • name (str) – the new name of the domain.
  • description (str) – the new description of the domain.
  • enabled (bool) – whether the domain is enabled.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the updated domain returned from server.

Return type:

keystoneclient.v3.domains.Domain

keystoneclient.v3.ec2 module

class keystoneclient.v3.ec2.EC2(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an EC2 resource.

Attributes:
  • id: a string that identifies the EC2 resource.
  • user_id: the ID field of a pre-existing user in the backend.
  • project_id: the ID field of a pre-existing project in the backend.
  • access: a string representing access key of the access/secret pair.
  • secret: a string representing the secret of the access/secret pair.
class keystoneclient.v3.ec2.EC2Manager(client)

Bases: keystoneclient.base.ManagerWithFind

create(user_id, project_id)

Create a new access/secret pair.

Parameters:
Returns:

the created access/secret pair returned from server.

Return type:

keystoneclient.v3.ec2.EC2

delete(user_id, access)

Delete an access/secret pair.

Parameters:
  • user_id (str or keystoneclient.v3.users.User) – the ID of the user whose access/secret pair will be deleted on the server.
  • access (str) – the access key whose access/secret pair will be deleted on the server.
Returns:

Response object with 204 status.

Return type:

requests.models.Response

get(user_id, access)

Retrieve an access/secret pair for a given access key.

Parameters:
  • user_id (str or keystoneclient.v3.users.User) – the ID of the user whose access/secret pair will be retrieved from the server.
  • access (str) – the access key whose access/secret pair will be retrieved from the server.
Returns:

the specified access/secret pair returned from server.

Return type:

keystoneclient.v3.ec2.EC2

list(user_id)

List access/secret pairs for a given user.

Parameters:user_id (str) – the ID of the user having access/secret pairs will be listed.
Returns:a list of access/secret pairs.
Return type:list of keystoneclient.v3.ec2.EC2
resource_class

alias of EC2

keystoneclient.v3.endpoint_groups module

class keystoneclient.v3.endpoint_groups.EndpointGroup(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an identity endpoint group.

Attributes:
  • id: a UUID that identifies the endpoint group
  • name: the endpoint group name
  • description: the endpoint group description
  • filters: representation of filters in the format of JSON that define
    what endpoint entities are part of the group
class keystoneclient.v3.endpoint_groups.EndpointGroupManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for Endpoint Groups.

base_url = 'OS-EP-FILTER'
check(endpoint_group)

Check if an endpoint group exists.

Parameters:endpoint_group (str or keystoneclient.v3.endpoint_groups.EndpointGroup) – the endpoint group to be checked against the server.
Returns:none if the specified endpoint group exists.
collection_key = 'endpoint_groups'
create(name, filters, description=None, **kwargs)

Create an endpoint group.

Parameters:
  • name (str) – the name of the endpoint group.
  • filters (str) – representation of filters in the format of JSON that define what endpoint entities are part of the group.
  • description (str) – a description of the endpoint group.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the created endpoint group returned from server.

Return type:

keystoneclient.v3.endpoint_groups.EndpointGroup

delete(endpoint_group)

Delete an endpoint group.

Parameters:endpoint_group (str or keystoneclient.v3.endpoint_groups.EndpointGroup) – the endpoint group to be deleted on the server.
Returns:Response object with 204 status.
Return type:requests.models.Response
get(endpoint_group)

Retrieve an endpoint group.

Parameters:endpoint_group (str or keystoneclient.v3.endpoint_groups.EndpointGroup) – the endpoint group to be retrieved from the server.
Returns:the specified endpoint group returned from server.
Return type:keystoneclient.v3.endpoint_groups.EndpointGroup
key = 'endpoint_group'
list(**kwargs)

List endpoint groups.

Any parameter provided will be passed to the server.

Returns:a list of endpoint groups.
Return type:list of keystoneclient.v3.endpoint_groups.EndpointGroup.
resource_class

alias of EndpointGroup

update(endpoint_group, name=None, filters=None, description=None, **kwargs)

Update an endpoint group.

Parameters:
  • name (str) – the new name of the endpoint group.
  • filters (str) – the new representation of filters in the format of JSON that define what endpoint entities are part of the group.
  • description (str) – the new description of the endpoint group.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the updated endpoint group returned from server.

Return type:

keystoneclient.v3.endpoint_groups.EndpointGroup

keystoneclient.v3.endpoints module

class keystoneclient.v3.endpoints.Endpoint(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity endpoint.

Attributes:
  • id: a uuid that identifies the endpoint
  • interface: ‘public’, ‘admin’ or ‘internal’ network interface
  • region: geographic location of the endpoint
  • service_id: service to which the endpoint belongs
  • url: fully qualified service endpoint
  • enabled: determines whether the endpoint appears in the service
    catalog
class keystoneclient.v3.endpoints.EndpointManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity endpoints.

collection_key = 'endpoints'
create(service, url, interface=None, region=None, enabled=True, **kwargs)

Create an endpoint.

Parameters:
  • service (str or keystoneclient.v3.services.Service) – the service to which the endpoint belongs.
  • url (str) – the URL of the fully qualified service endpoint.
  • interface (str) – the network interface of the endpoint. Valid values are: public, admin or internal.
  • region (str or keystoneclient.v3.regions.Region) – the region to which the endpoint belongs.
  • enabled (bool) – whether the endpoint is enabled or not, determining if it appears in the service catalog.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the created endpoint returned from server.

Return type:

keystoneclient.v3.endpoints.Endpoint

delete(endpoint)

Delete an endpoint.

Parameters:endpoint (str or keystoneclient.v3.endpoints.Endpoint) – the endpoint to be deleted on the server.
Returns:Response object with 204 status.
Return type:requests.models.Response
get(endpoint)

Retrieve an endpoint.

Parameters:endpoint (str or keystoneclient.v3.endpoints.Endpoint) – the endpoint to be retrieved from the server.
Returns:the specified endpoint returned from server.
Return type:keystoneclient.v3.endpoints.Endpoint
key = 'endpoint'
list(service=None, interface=None, region=None, enabled=None, region_id=None, **kwargs)

List endpoints.

Parameters:
  • service (str or keystoneclient.v3.services.Service) – the service of the endpoints to be filtered on.
  • interface (str) – the network interface of the endpoints to be filtered on. Valid values are: public, admin or internal.
  • enabled (bool) – whether to return enabled or disabled endpoints.
  • region_id (str) – filter endpoints by the region_id attribute. If both region and region_id are specified, region takes precedence.
  • kwargs – any other attribute provided will filter endpoints on.
Returns:

a list of endpoints.

Return type:

list of keystoneclient.v3.endpoints.Endpoint

resource_class

alias of Endpoint

update(endpoint, service=None, url=None, interface=None, region=None, enabled=None, **kwargs)

Update an endpoint.

Parameters:
  • endpoint (str or keystoneclient.v3.endpoints.Endpoint) – the endpoint to be updated on the server.
  • service (str or keystoneclient.v3.services.Service) – the new service to which the endpoint belongs.
  • url (str) – the new URL of the fully qualified service endpoint.
  • interface (str) – the new network interface of the endpoint. Valid values are: public, admin or internal.
  • region (str or keystoneclient.v3.regions.Region) – the new region to which the endpoint belongs.
  • enabled (bool) – determining if the endpoint appears in the service catalog by enabling or disabling it.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the updated endpoint returned from server.

Return type:

keystoneclient.v3.endpoints.Endpoint

keystoneclient.v3.groups module

class keystoneclient.v3.groups.Group(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity user group.

Attributes:
  • id: a uuid that identifies the group
  • name: group name
  • description: group description
update(name=None, description=None)
class keystoneclient.v3.groups.GroupManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity groups.

collection_key = 'groups'
create(name, domain=None, description=None, **kwargs)

Create a group.

Parameters:
  • name (str) – the name of the group.
  • domain (str or keystoneclient.v3.domains.Domain) – the domain of the group.
  • description (str) – a description of the group.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the created group returned from server.

Return type:

keystoneclient.v3.groups.Group

delete(group)

Delete a group.

Parameters:group (str or keystoneclient.v3.groups.Group) – the group to be deleted on the server.
Returns:Response object with 204 status.
Return type:requests.models.Response
get(group)

Retrieve a group.

Parameters:group (str or keystoneclient.v3.groups.Group) – the group to be retrieved from the server.
Returns:the specified group returned from server.
Return type:keystoneclient.v3.groups.Group
key = 'group'
list(user=None, domain=None, **kwargs)

List groups.

Parameters:
Returns:

a list of groups.

Return type:

list of keystoneclient.v3.groups.Group.

resource_class

alias of Group

update(group, name=None, description=None, **kwargs)

Update a group.

Parameters:
  • group (str or keystoneclient.v3.groups.Group) – the group to be updated on the server.
  • name (str) – the new name of the group.
  • description (str) – the new description of the group.
  • kwargs – any other attribute provided will be passed to server.
Returns:

the updated group returned from server.

Return type:

keystoneclient.v3.groups.Group

keystoneclient.v3.limits module

class keystoneclient.v3.limits.Limit(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents a project limit.

Attributes:
  • id: a UUID that identifies the project limit
  • service_id: a UUID that identifies the service for the limit
  • region_id: a UUID that identifies the region for the limit
  • project_id: a UUID that identifies the project for the limit
  • resource_name: the name of the resource to limit
  • resource_limit: the limit to apply to the project
  • description: a description for the project limit
class keystoneclient.v3.limits.LimitManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for project limits.

collection_key = 'limits'
create(project, service, resource_name, resource_limit, description=None, region=None, **kwargs)

Create a project-specific limit.

Parameters:
Returns:

a reference of the created limit

Return type:

keystoneclient.v3.limits.Limit

delete(limit)

Delete a project-specific limit.

Parameters:limit (str or keystoneclient.v3.limit.Limit) – the project-specific limit to be deleted.
Returns:Response object with 204 status
Return type:requests.models.Response
get(limit)

Retrieve a project limit.

Parameters:limit (str or keystoneclient.v3.limit.Limit) – the project-specific limit to be retrieved.
Returns:a project-specific limit
Return type:keystoneclient.v3.limit.Limit
key = 'limit'
list(service=None, region=None, resource_name=None, **kwargs)

List project-specific limits.

Any parameter provided will be passed to the server as a filter

Parameters:
Returns:

a list of project-specific limits.

Return type:

list of keystoneclient.v3.limits.Limit

resource_class

alias of Limit

update(limit, project=None, service=None, resource_name=None, resource_limit=None, description=None, **kwargs)

Update a project-specific limit.

Parameters:
  • limit – a limit to update
  • project (str or keystoneclient.v3.projects.Project) – the project ID of the limit to update
  • resource_limit – the limit of the limit’s resource to update
  • description (str) – a description of the limit
Type:

resource_limit: int

Returns:

a reference of the updated limit.

Return type:

keystoneclient.v3.limits.Limit

keystoneclient.v3.policies module

class keystoneclient.v3.policies.Policy(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity policy.

Attributes:
  • id: a uuid that identifies the policy
  • blob: a policy document (blob)
  • type: the MIME type of the policy blob
update(blob=None, type=None)
class keystoneclient.v3.policies.PolicyManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity policies.

collection_key = 'policies'
create(blob, type='application/json', **kwargs)

Create a policy.

Parameters:
  • blob (str) – the policy document.
  • type (str) – the MIME type of the policy blob.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the created policy returned from server.

Return type:

keystoneclient.v3.policies.Policy

delete(policy)

“Delete a policy.

Parameters:policy (str or keystoneclient.v3.policies.Policy) – the policy to be deleted on the server.
Returns:Response object with 204 status.
Return type:requests.models.Response
get(policy)

Retrieve a policy.

Parameters:policy (str or keystoneclient.v3.policies.Policy) – the policy to be retrieved from the server.
Returns:the specified policy returned from server.
Return type:keystoneclient.v3.policies.Policy
key = 'policy'
list(**kwargs)

List policies.

Parameters:kwargs – allows filter criteria to be passed where supported by the server.
Returns:a list of policies.
Return type:list of keystoneclient.v3.policies.Policy.
resource_class

alias of Policy

update(policy, blob=None, type=None, **kwargs)

Update a policy.

Parameters:
  • policy (str or keystoneclient.v3.policies.Policy) – the policy to be updated on the server.
  • blob (str) – the new policy document.
  • type (str) – the new MIME type of the policy blob.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the updated policy returned from server.

Return type:

keystoneclient.v3.policies.Policy

keystoneclient.v3.projects module

class keystoneclient.v3.projects.Project(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity project.

Attributes:
  • id: a uuid that identifies the project
  • name: project name
  • description: project description
  • enabled: boolean to indicate if project is enabled
  • parent_id: a uuid representing this project’s parent in hierarchy
  • parents: a list or a structured dict containing the parents of this
    project in the hierarchy
  • subtree: a list or a structured dict containing the subtree of this
    project in the hierarchy
add_tag(tag)
check_tag(tag)
delete_all_tags()
delete_tag(tag)
list_tags()
update(name=None, description=None, enabled=None)
update_tags(tags)
class keystoneclient.v3.projects.ProjectManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity projects.

add_tag(project, tag)

Add a tag to a project.

Parameters:
  • project – project to add a tag to.
  • tag – str name of tag.
check_tag(project, tag)

Check if tag is associated with project.

Parameters:
  • project – project to check tags for.
  • tag – str name of tag
Returns:

true if tag is associated, false otherwise

collection_key = 'projects'
create(name, domain, description=None, enabled=True, parent=None, **kwargs)

Create a project.

Parameters:
  • name (str) – the name of the project.
  • domain (str or keystoneclient.v3.domains.Domain) – the domain of the project.
  • description (str) – the description of the project.
  • enabled (bool) – whether the project is enabled.
  • parent (str or keystoneclient.v3.projects.Project) – the parent of the project in the hierarchy.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the created project returned from server.

Return type:

keystoneclient.v3.projects.Project

delete(project)

Delete a project.

Parameters:project (str or keystoneclient.v3.projects.Project) – the project to be deleted on the server.
Returns:Response object with 204 status.
Return type:requests.models.Response
delete_tag(project, tag)

Remove tag from project.

Parameters:
  • projectd – project to remove tag from.
  • tag – str name of tag to remove from project
find(**kwargs)

Find a single item with attributes matching **kwargs.

get(project, subtree_as_list=False, parents_as_list=False, subtree_as_ids=False, parents_as_ids=False)

Retrieve a project.

Parameters:
  • project (str or keystoneclient.v3.projects.Project) – the project to be retrieved from the server.
  • subtree_as_list (bool) – retrieve projects below this project in the hierarchy as a flat list. It only includes the projects in which the current user has role assignments on.
  • parents_as_list (bool) – retrieve projects above this project in the hierarchy as a flat list. It only includes the projects in which the current user has role assignments on.
  • subtree_as_ids (bool) – retrieve the IDs from the projects below this project in the hierarchy as a structured dictionary.
  • parents_as_ids (bool) – retrieve the IDs from the projects above this project in the hierarchy as a structured dictionary.
Returns:

the specified project returned from server.

Return type:

keystoneclient.v3.projects.Project

Raises:

keystoneclient.exceptions.ValidationError – if subtree_as_list and subtree_as_ids or parents_as_list and parents_as_ids are included at the same time in the call.

key = 'project'
list(domain=None, user=None, **kwargs)

List projects.

Parameters:
  • domain (str or keystoneclient.v3.domains.Domain) – the domain of the projects to be filtered on.
  • user (str or keystoneclient.v3.users.User) – filter in projects the specified user has role assignments on.
  • kwargs – any other attribute provided will filter projects on. Project tags filter keyword: tags, tags_any, not_tags, and not_tags_any. tag attribute type string. Pass in a comma separated string to filter with multiple tags.
Returns:

a list of projects.

Return type:

list of keystoneclient.v3.projects.Project

list_tags(project)

List tags associated with project.

Parameters:project – project to list tags for.
Returns:list of str tag names
resource_class

alias of Project

update(project, name=None, domain=None, description=None, enabled=None, **kwargs)

Update a project.

Parameters:
  • project (str or keystoneclient.v3.projects.Project) – the project to be updated on the server.
  • name (str) – the new name of the project.
  • domain (str or keystoneclient.v3.domains.Domain) – the new domain of the project.
  • description (str) – the new description of the project.
  • enabled (bool) – whether the project is enabled.
  • kwargs – any other attribute provided will be passed to server.
Returns:

the updated project returned from server.

Return type:

keystoneclient.v3.projects.Project

update_tags(project, tags)

Update tag list of a project.

Replaces current tag list with list specified in tags parameter.

Parameters:
  • project – project to update.
  • tags – list of str tag names to add to the project
Returns:

list of tags

keystoneclient.v3.regions module

class keystoneclient.v3.regions.Region(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents a Catalog region.

Attributes:
  • id: a string that identifies the region.
  • description: a string that describes the region.
  • parent_region_id: a pre-existing region in the backend or its ID
    field. Allows for hierarchical region organization.
  • enabled: determines whether the endpoint appears in the catalog.
class keystoneclient.v3.regions.RegionManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity regions.

collection_key = 'regions'
create(id=None, description=None, enabled=True, parent_region=None, **kwargs)

Create a region.

Parameters:
  • id (str) – the unique identifier of the region. If not specified an ID will be created by the server.
  • description (str) – the description of the region.
  • enabled (bool) – whether the region is enabled or not, determining if it appears in the catalog.
  • parent_region (str or keystoneclient.v3.regions.Region) – the parent of the region in the hierarchy.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the created region returned from server.

Return type:

keystoneclient.v3.regions.Region

delete(region)

Delete a region.

Parameters:region (str or keystoneclient.v3.regions.Region) – the region to be deleted on the server.
Returns:Response object with 204 status.
Return type:requests.models.Response
get(region)

Retrieve a region.

Parameters:region (str or keystoneclient.v3.regions.Region) – the region to be retrieved from the server.
Returns:the specified region returned from server.
Return type:keystoneclient.v3.regions.Region
key = 'region'
list(**kwargs)

List regions.

Parameters:kwargs – any attributes provided will filter regions on.
Returns:a list of regions.
Return type:list of keystoneclient.v3.regions.Region.
resource_class

alias of Region

update(region, description=None, enabled=None, parent_region=None, **kwargs)

Update a region.

Parameters:
  • region (str or keystoneclient.v3.regions.Region) – the region to be updated on the server.
  • description (str) – the new description of the region.
  • enabled (bool) – determining if the region appears in the catalog by enabling or disabling it.
  • parent_region (str or keystoneclient.v3.regions.Region) – the new parent of the region in the hierarchy.
  • kwargs – any other attribute provided will be passed to server.
Returns:

the updated region returned from server.

Return type:

keystoneclient.v3.regions.Region

keystoneclient.v3.registered_limits module

class keystoneclient.v3.registered_limits.RegisteredLimit(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents a registered limit.

Attributes:
  • id: a UUID that identifies the registered limit
  • service_id: a UUID that identifies the service for the limit
  • region_id: a UUID that identifies the region for the limit
  • resource_name: the name of the resource to limit
  • default_limit: the default limit for projects to assume
  • description: a description of the registered limit
class keystoneclient.v3.registered_limits.RegisteredLimitManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for registered limits.

collection_key = 'registered_limits'
create(service, resource_name, default_limit, description=None, region=None, **kwargs)

Create a registered limit.

Parameters:
  • service (str) – a UUID that identifies the service for the limit.
  • resource_name (str) – the name of the resource to limit.
  • default_limit (int) – the default limit for projects to assume.
  • description (str) – a string that describes the limit
  • region (str) – a UUID that identifies the region for the limit.
Returns:

a reference of the created registered limit.

Return type:

keystoneclient.v3.registered_limits.RegisteredLimit

delete(registered_limit)

Delete a registered limit.

Parameters:registered_limit (str or keystoneclient.v3.registered_limits.RegisteredLimit) – the registered limit to delete.
Returns:Response object with 204 status.
Return type:requests.models.Response
get(registered_limit)

Retrieve a registered limit.

Parameters:registered_limit (str or keystoneclient.v3.registered_limits.RegisteredLimit) – the registered limit to get.
Returns:a specific registered limit.
Return type:keystoneclient.v3.registered_limits.RegisteredLimit
key = 'registered_limit'
list(service=None, resource_name=None, region=None, **kwargs)

List registered limits.

Any parameter provided will be passed to the server as a filter.

Parameters:
Returns:

a list of registered limits.

Return type:

list of keystoneclient.v3.registered_limits.RegisteredLimit

resource_class

alias of RegisteredLimit

update(registered_limit, service=None, resource_name=None, default_limit=None, description=None, region=None, **kwargs)

Update a registered limit.

Parameters:
  • registered_limit – the UUID or reference of the registered limit to update.
  • registered_limit – str or keystoneclient.v3.registered_limits.RegisteredLimit
  • service (str) – a UUID that identifies the service for the limit.
  • resource_name (str) – the name of the resource to limit.
  • default_limit – the default limit for projects to assume.
  • description (str) – a string that describes the limit
  • region (str) – a UUID that identifies the region for the limit.
Returns:

a reference of the updated registered limit.

Return type:

keystoneclient.v3.registered_limits.RegisteredLimit

keystoneclient.v3.role_assignments module

class keystoneclient.v3.role_assignments.RoleAssignment(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity role assignment.

Attributes:
  • role: an object which contains a role uuid
  • user or group: an object which contains either a user or
    group uuid
  • scope: an object which has either a project or domain object
    containing an uuid
class keystoneclient.v3.role_assignments.RoleAssignmentManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity roles assignments.

collection_key = 'role_assignments'
create(**kwargs)
delete(**kwargs)
find(**kwargs)

Find a single item with attributes matching **kwargs.

get(**kwargs)
key = 'role_assignment'
list(user=None, group=None, project=None, domain=None, system=False, role=None, effective=False, os_inherit_extension_inherited_to=None, include_subtree=False, include_names=False)

List role assignments.

If no arguments are provided, all role assignments in the system will be listed.

If both user and group are provided, a ValidationError will be raised. If both domain and project are provided, it will also raise a ValidationError.

Parameters:
  • user – User to be used as query filter. (optional)
  • group – Group to be used as query filter. (optional)
  • project – Project to be used as query filter. (optional)
  • domain – Domain to be used as query filter. (optional)
  • system – Boolean to be used to filter system assignments. (optional)
  • role – Role to be used as query filter. (optional)
  • effective (boolean) – return effective role assignments. (optional)
  • os_inherit_extension_inherited_to (string) – return inherited role assignments for either ‘projects’ or ‘domains’. (optional)
  • include_subtree (boolean) – Include subtree (optional)
  • include_names (boolean) – Display names instead of IDs. (optional)
put(**kwargs)
resource_class

alias of RoleAssignment

update(**kwargs)

keystoneclient.v3.roles module

class keystoneclient.v3.roles.InferenceRule(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents a rule that states one role implies another.

Attributes:
  • prior_role: this role implies the other
  • implied_role: this role is implied by the other
class keystoneclient.v3.roles.InferenceRuleManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity inference rules.

check(prior_role, implied_role)

Check if an inference rule exists.

Valid HTTP return codes:

  • 204: The rule inference exists
  • 404: A role cannot be found
Parameters:
  • prior_role – the role which implies implied_role.
  • implied_role – the role which is implied by prior_role.
Returns:

response object with 204 status returned from server.

Return type:

requests.models.Response

collection_key = 'role_inferences'
create(prior_role, implied_role)

Create an inference rule.

An inference rule is comprised of two roles, a prior role and an implied role. The prior role will imply the implied role.

Valid HTTP return codes:

  • 201: Resource is created successfully
  • 404: A role cannot be found
  • 409: The inference rule already exists
Parameters:
  • prior_role – the role which implies implied_role.
  • implied_role – the role which is implied by prior_role.
Returns:

a newly created role inference returned from server.

Return type:

keystoneclient.v3.roles.InferenceRule

delete(prior_role, implied_role)

Delete an inference rule.

When deleting an inference rule, both roles are required. Note that neither role is deleted, only the inference relationship is dissolved.

Valid HTTP return codes:

  • 204: Delete request is accepted
  • 404: A role cannot be found
Parameters:
  • prior_role – the role which implies implied_role.
  • implied_role – the role which is implied by prior_role.
Returns:

Response object with 204 status.

Return type:

requests.models.Response

find(**kwargs)

Find a single item with attributes matching **kwargs.

get(prior_role, implied_role)

Retrieve an inference rule.

Valid HTTP return codes:

  • 200: Inference rule is returned
  • 404: A role cannot be found
Parameters:
  • prior_role – the role which implies implied_role.
  • implied_role – the role which is implied by prior_role.
Returns:

the specified role inference returned from server.

Return type:

keystoneclient.v3.roles.InferenceRule

key = 'role_inference'
list(prior_role)

List all roles that a role may imply.

Valid HTTP return codes:

  • 200: List of inference rules are returned
  • 404: A role cannot be found
Parameters:prior_role – the role which implies implied_role.
Returns:the specified role inference returned from server.
Return type:keystoneclient.v3.roles.InferenceRule
list_inference_roles()

List all rule inferences.

Valid HTTP return codes:

  • 200: All inference rules are returned
Parameters:kwargs – attributes provided will be passed to the server.
Returns:a list of inference rules.
Return type:list of keystoneclient.v3.roles.InferenceRule
put(**kwargs)
resource_class

alias of InferenceRule

update(**kwargs)
class keystoneclient.v3.roles.Role(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity role.

Attributes:
  • id: a uuid that identifies the role
  • name: user-facing identifier
  • domain: optional domain for the role
class keystoneclient.v3.roles.RoleManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity roles.

check(role, user=None, group=None, system=None, domain=None, project=None, os_inherit_extension_inherited=False, **kwargs)

Check if a user or group has a role on a domain or project.

Parameters:
  • user (str or keystoneclient.v3.users.User) – check for role grants for the specified user on a resource. Domain or project must be specified. User and group are mutually exclusive.
  • group (str or keystoneclient.v3.groups.Group) – check for role grants for the specified group on a resource. Domain or project must be specified. User and group are mutually exclusive.
  • system (str) – check for role grants on the system. Project, domain, and system are mutually exclusive.
  • domain (str or keystoneclient.v3.domains.Domain) – check for role grants on the specified domain. Either user or group must be specified. Project, domain, and system are mutually exclusive.
  • project (str or keystoneclient.v3.projects.Project) – check for role grants on the specified project. Either user or group must be specified. Project, domain, and system are mutually exclusive.
  • os_inherit_extension_inherited (bool) – OS-INHERIT will be used. It provides the ability for projects to inherit role assignments from their domains or from parent projects in the hierarchy.
  • kwargs – any other attribute provided will be passed to server.
Returns:

the specified role returned from server if it exists.

Return type:

keystoneclient.v3.roles.Role

Returns:

Response object with 204 status if specified role doesn’t exist.

Return type:

requests.models.Response

check_implied(prior_role, implied_role, **kwargs)
collection_key = 'roles'
create(name, domain=None, **kwargs)

Create a role.

Parameters:
  • name (str) – the name of the role.
  • domain (str or keystoneclient.v3.domains.Domain) – the domain of the role. If a value is passed it is a domain-scoped role, otherwise it’s a global role.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the created role returned from server.

Return type:

keystoneclient.v3.roles.Role

create_implied(prior_role, implied_role, **kwargs)
delete(role)

Delete a role.

When a role is deleted all the role inferences that have deleted role as prior role will be deleted as well.

Parameters:role (str or keystoneclient.v3.roles.Role) – the role to be deleted on the server.
Returns:Response object with 204 status.
Return type:requests.models.Response
delete_implied(prior_role, implied_role, **kwargs)
deprecation_msg = 'keystoneclient.v3.roles.InferenceRuleManager'
get(role)

Retrieve a role.

Parameters:role (str or keystoneclient.v3.roles.Role) – the role to be retrieved from the server.
Returns:the specified role returned from server.
Return type:keystoneclient.v3.roles.Role
get_implied(prior_role, implied_role, **kwargs)
grant(role, user=None, group=None, system=None, domain=None, project=None, os_inherit_extension_inherited=False, **kwargs)

Grant a role to a user or group on a domain or project.

Parameters:
  • role (str or keystoneclient.v3.roles.Role) – the role to be granted on the server.
  • user (str or keystoneclient.v3.users.User) – the specified user to have the role granted on a resource. Domain or project must be specified. User and group are mutually exclusive.
  • group (str or keystoneclient.v3.groups.Group) – the specified group to have the role granted on a resource. Domain or project must be specified. User and group are mutually exclusive.
  • system (str) – system information to grant the role on. Project, domain, and system are mutually exclusive.
  • domain (str or keystoneclient.v3.domains.Domain) – the domain in which the role will be granted. Either user or group must be specified. Project, domain, and system are mutually exclusive.
  • project (str or keystoneclient.v3.projects.Project) – the project in which the role will be granted. Either user or group must be specified. Project, domain, and system are mutually exclusive.
  • os_inherit_extension_inherited (bool) – OS-INHERIT will be used. It provides the ability for projects to inherit role assignments from their domains or from parent projects in the hierarchy.
  • kwargs – any other attribute provided will be passed to server.
Returns:

the granted role returned from server.

Return type:

keystoneclient.v3.roles.Role

key = 'role'
list(user=None, group=None, system=None, domain=None, project=None, os_inherit_extension_inherited=False, **kwargs)

List roles and role grants.

Parameters:
  • user (str or keystoneclient.v3.users.User) – filter in role grants for the specified user on a resource. Domain or project must be specified. User and group are mutually exclusive.
  • group (str or keystoneclient.v3.groups.Group) – filter in role grants for the specified group on a resource. Domain or project must be specified. User and group are mutually exclusive.
  • domain (str or keystoneclient.v3.domains.Domain) – filter in role grants on the specified domain. Either user or group must be specified. Project, domain, and system are mutually exclusive.
  • project (str or keystoneclient.v3.projects.Project) – filter in role grants on the specified project. Either user or group must be specified. Project, domain and system are mutually exclusive.
  • os_inherit_extension_inherited (bool) – OS-INHERIT will be used. It provides the ability for projects to inherit role assignments from their domains or from parent projects in the hierarchy.
  • kwargs – any other attribute provided will filter roles on.
Returns:

a list of roles.

Return type:

list of keystoneclient.v3.roles.Role

list_role_inferences(**kwargs)
resource_class

alias of Role

revoke(role, user=None, group=None, system=None, domain=None, project=None, os_inherit_extension_inherited=False, **kwargs)

Revoke a role from a user or group on a domain or project.

Parameters:
  • user (str or keystoneclient.v3.users.User) – revoke role grants for the specified user on a resource. Domain or project must be specified. User and group are mutually exclusive.
  • group (str or keystoneclient.v3.groups.Group) – revoke role grants for the specified group on a resource. Domain or project must be specified. User and group are mutually exclusive.
  • system (str) – revoke role grants on the system. Project, domain, and system are mutually exclusive.
  • domain (str or keystoneclient.v3.domains.Domain) – revoke role grants on the specified domain. Either user or group must be specified. Project, domain, and system are mutually exclusive.
  • project (str or keystoneclient.v3.projects.Project) – revoke role grants on the specified project. Either user or group must be specified. Project, domain, and system are mutually exclusive.
  • os_inherit_extension_inherited (bool) – OS-INHERIT will be used. It provides the ability for projects to inherit role assignments from their domains or from parent projects in the hierarchy.
  • kwargs – any other attribute provided will be passed to server.
Returns:

the revoked role returned from server.

Return type:

list of keystoneclient.v3.roles.Role

update(role, name=None, **kwargs)

Update a role.

Parameters:
  • role (str or keystoneclient.v3.roles.Role) – the role to be updated on the server.
  • name (str) – the new name of the role.
  • kwargs – any other attribute provided will be passed to server.
Returns:

the updated role returned from server.

Return type:

keystoneclient.v3.roles.Role

keystoneclient.v3.services module

class keystoneclient.v3.services.Service(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity service.

Attributes:
  • id: a uuid that identifies the service
  • name: the user-facing name of the service (e.g. Keystone)
  • description: a description of the service
  • type: the type of the service (e.g. ‘compute’, ‘identity’)
  • enabled: determines whether the service appears in the catalog
class keystoneclient.v3.services.ServiceManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity services.

collection_key = 'services'
create(name, type=None, enabled=True, description=None, **kwargs)

Create a service.

Parameters:
  • name (str) – the name of the service.
  • type (str) – the type of the service.
  • enabled (bool) – whether the service appears in the catalog.
  • description (str) – the description of the service.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the created service returned from server.

Return type:

keystoneclient.v3.services.Service

delete(service=None, id=None)

Delete a service.

Parameters:service (str or keystoneclient.v3.services.Service) – the service to be deleted on the server.
Returns:Response object with 204 status.
Return type:requests.models.Response
get(service)

Retrieve a service.

Parameters:service (str or keystoneclient.v3.services.Service) – the service to be retrieved from the server.
Returns:the specified service returned from server.
Return type:keystoneclient.v3.services.Service
key = 'service'
list(name=None, type=None, **kwargs)

List services.

Parameters:
  • name (str) – the name of the services to be filtered on.
  • type (str) – the type of the services to be filtered on.
  • kwargs – any other attribute provided will filter services on.
Returns:

a list of services.

Return type:

list of keystoneclient.v3.services.Service

resource_class

alias of Service

update(service, name=None, type=None, enabled=None, description=None, **kwargs)

Update a service.

Parameters:
  • service (str or keystoneclient.v3.services.Service) – the service to be updated on the server.
  • name (str) – the new name of the service.
  • type (str) – the new type of the service.
  • enabled (bool) – whether the service appears in the catalog.
  • description (str) – the new description of the service.
  • kwargs – any other attribute provided will be passed to server.
Returns:

the updated service returned from server.

Return type:

keystoneclient.v3.services.Service

keystoneclient.v3.tokens module

class keystoneclient.v3.tokens.TokenManager(client)

Bases: object

Manager class for manipulating Identity tokens.

get_revoked(audit_id_only=False)

Get revoked tokens list.

Parameters:audit_id_only (bool) – If true, the server is requested to not send token IDs, but only audit IDs instead. New in version 2.2.0.
Returns:A dict containing signed which is a CMS formatted string if the server signed the response. If audit_id_only is true then the response may be a dict containing revoked which is the list of token audit IDs and expiration times.
Return type:dict
get_token_data(token, include_catalog=True, allow_expired=False)

Fetch the data about a token from the identity server.

Parameters:
  • token (str) – The ID of the token to be fetched.
  • include_catalog (bool) – Whether the service catalog should be included in the response.
  • allow_expired – If True the token will be validated and returned if it has already expired.
Return type:

dict

revoke_token(token)

Revoke a token.

Parameters:token (str or keystoneclient.access.AccessInfo) – The token to be revoked.
validate(token, include_catalog=True, allow_expired=False)

Validate a token.

Parameters:
  • token (str or keystoneclient.access.AccessInfo) – The token to be validated.
  • include_catalog – If False, the response is requested to not include the catalog.
  • allow_expired (bool) – If True the token will be validated and returned if it has already expired.
Return type:

keystoneclient.access.AccessInfoV3

keystoneclient.v3.users module

class keystoneclient.v3.users.User(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity user.

Attributes:
  • id: a uuid that identifies the user
class keystoneclient.v3.users.UserManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity users.

add_to_group(user, group)

Add the specified user as a member of the specified group.

Parameters:
Returns:

Response object with 204 status.

Return type:

requests.models.Response

check_in_group(user, group)

Check if the specified user is a member of the specified group.

Parameters:
Returns:

Response object with 204 status.

Return type:

requests.models.Response

collection_key = 'users'
create(name, domain=None, project=None, password=None, email=None, description=None, enabled=True, default_project=None, **kwargs)

Create a user.

Parameters:
  • name (str) – the name of the user.
  • domain (str or keystoneclient.v3.domains.Domain) – the domain of the user.
  • project (str or keystoneclient.v3.projects.Project) – the default project of the user. (deprecated, see warning below)
  • password (str) – the password for the user.
  • email (str) – the email address of the user.
  • description (str) – a description of the user.
  • enabled (bool) – whether the user is enabled.
  • default_project (str or keystoneclient.v3.projects.Project) – the default project of the user.
  • kwargs – any other attribute provided will be passed to the server.
Returns:

the created user returned from server.

Return type:

keystoneclient.v3.users.User

Warning

The project argument is deprecated as of the 1.7.0 release in favor of default_project and may be removed in the 2.0.0 release.

If both default_project and project is provided, the default_project will be used.

delete(user)

Delete a user.

Parameters:user (str or keystoneclient.v3.users.User) – the user to be deleted on the server.
Returns:Response object with 204 status.
Return type:requests.models.Response
get(user)

Retrieve a user.

Parameters:user (str or keystoneclient.v3.users.User) – the user to be retrieved from the server.
Returns:the specified user returned from server.
Return type:keystoneclient.v3.users.User
key = 'user'
list(project=None, domain=None, group=None, default_project=None, **kwargs)

List users.

Parameters:
Returns:

a list of users.

Return type:

list of keystoneclient.v3.users.User.

Warning

The project argument is deprecated as of the 1.7.0 release in favor of default_project and may be removed in the 2.0.0 release.

If both default_project and project is provided, the default_project will be used.

remove_from_group(user, group)

Remove the specified user from the specified group.

Parameters:
Returns:

Response object with 204 status.

Return type:

requests.models.Response

resource_class

alias of User

update(user, name=None, domain=None, project=None, password=None, email=None, description=None, enabled=None, default_project=None, **kwargs)

Update a user.

Parameters:
Returns:

the updated user returned from server.

Return type:

keystoneclient.v3.users.User

Warning

The project argument is deprecated as of the 1.7.0 release in favor of default_project and may be removed in the 2.0.0 release.

If both default_project and project is provided, the default_project will be used.

update_password(old_password, new_password)

Update the password for the user the token belongs to.

Parameters:
  • old_password (str) – the user’s old password
  • new_password (str) – the user’s new password
Returns:

Response object with 204 status.

Return type:

requests.models.Response

Module contents

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.