keystoneclient.auth.identity package

Subpackages

• keystoneclient.auth.identity.generic package
  • Submodules
  • keystoneclient.auth.identity.generic.base module
  • keystoneclient.auth.identity.generic.cli module
  • keystoneclient.auth.identity.generic.password module
  • keystoneclient.auth.identity.generic.token module
  • Module contents
• keystoneclient.auth.identity.v3 package
  • Submodules
  • keystoneclient.auth.identity.v3.base module
  • keystoneclient.auth.identity.v3.federated module
  • keystoneclient.auth.identity.v3.password module
  • keystoneclient.auth.identity.v3.token module
  • Module contents

Submodules

keystoneclient.auth.identity.access module

class keystoneclient.auth.identity.access.AccessInfoPlugin(auth_ref, auth_url=None)

Bases: keystoneclient.auth.identity.base.BaseIdentityPlugin

A plugin that turns an existing AccessInfo object into a usable plugin.

There are cases where reuse of an auth_ref or AccessInfo object is warranted such as from a cache, from auth_token middleware, or another source.

Turn the existing access info object into an identity plugin. This plugin cannot be refreshed as the AccessInfo object does not contain any authorizing information.

Parameters

• auth_ref (keystoneclient.access.AccessInfo) – the existing AccessInfo object.

• auth_url – the url where this AccessInfo was retrieved from. Required if using the AUTH_INTERFACE with get_endpoint. (optional)

get_auth_ref(session, **kwargs)

Obtain a token from an OpenStack Identity Service.

This method is overridden by the various token version plugins.

This method should not be called independently and is expected to be invoked via the do_authenticate() method.

This method will be invoked if the AccessInfo object cached by the plugin is not valid. Thus plugins should always fetch a new AccessInfo when invoked. If you are looking to just retrieve the current auth data then you should use get_access().

Parameters

session (keystoneclient.session.Session) – A session object that can be used for communication.

Raises

• keystoneclient.exceptions.InvalidResponse – The response returned wasn’t appropriate.

• keystoneclient.exceptions.HttpError – An error from an invalid HTTP response.

Returns

Token access information.

Return type

keystoneclient.access.AccessInfo

invalidate()

Invalidate the current authentication data.

This should result in fetching a new token on next call.

A plugin may be invalidated if an Unauthorized HTTP response is returned to indicate that the token may have been revoked or is otherwise now invalid.

Returns

True if there was something that the plugin did to invalidate. This means that it makes sense to try again. If nothing happens returns False to indicate give up.

Return type

bool

keystoneclient.auth.identity.base module

class keystoneclient.auth.identity.base.BaseIdentityPlugin(auth_url=None, username=None, password=None, token=None, trust_id=None, reauthenticate=True)

Bases: keystoneclient.auth.base.BaseAuthPlugin

MIN_TOKEN_LIFE_SECONDS = 120

get_access(session, **kwargs)

Fetch or return a current AccessInfo object.

If a valid AccessInfo is present then it is returned otherwise a new one will be fetched.

Parameters

session (keystoneclient.session.Session) – A session object that can be used for communication.

Raises

keystoneclient.exceptions.HttpError – An error from an invalid HTTP response.

Returns

Valid AccessInfo

Return type

keystoneclient.access.AccessInfo

abstract get_auth_ref(session, **kwargs)

Obtain a token from an OpenStack Identity Service.

This method is overridden by the various token version plugins.

This method should not be called independently and is expected to be invoked via the do_authenticate() method.

This method will be invoked if the AccessInfo object cached by the plugin is not valid. Thus plugins should always fetch a new AccessInfo when invoked. If you are looking to just retrieve the current auth data then you should use get_access().

Parameters

session (keystoneclient.session.Session) – A session object that can be used for communication.

Raises

• keystoneclient.exceptions.InvalidResponse – The response returned wasn’t appropriate.

• keystoneclient.exceptions.HttpError – An error from an invalid HTTP response.

Returns

Token access information.

Return type

keystoneclient.access.AccessInfo

get_discovery(session, url, authenticated=None)

Return the discovery object for a URL.

Check the session and the plugin cache to see if we have already performed discovery on the URL and if so return it, otherwise create a new discovery object, cache it and return it.

This function is expected to be used by subclasses and should not be needed by users.

Parameters

• session (keystoneclient.session.Session) – A session object to discover with.

• url (str) – The url to lookup.

• authenticated (bool) – Include a token in the discovery call. (optional) Defaults to None (use a token if a plugin is installed).

Raises

• keystoneclient.exceptions.DiscoveryFailure – if for some reason the lookup fails.

• keystoneclient.exceptions.HttpError – An error from an invalid HTTP response.

Returns

A discovery object with the results of looking up that URL.

get_endpoint(session, service_type=None, interface=None, region_name=None, service_name=None, version=None, **kwargs)

Return a valid endpoint for a service.

If a valid token is not present then a new one will be fetched using the session and kwargs.

Parameters

• session (keystoneclient.session.Session) – A session object that can be used for communication.

• service_type (string) – The type of service to lookup the endpoint for. This plugin will return None (failure) if service_type is not provided.

• interface (string) – The exposure of the endpoint. Should be public, internal, admin, or auth. auth is special here to use the auth_url rather than a URL extracted from the service catalog. Defaults to public.

• region_name (string) – The region the endpoint should exist in. (optional)

• service_name (string) – The name of the service in the catalog. (optional)

• version (tuple) – The minimum version number required for this endpoint. (optional)

Raises

keystoneclient.exceptions.HttpError – An error from an invalid HTTP response.

Returns

A valid endpoint URL or None if not available.

Return type

string or None

classmethod get_options()

Return the list of parameters associated with the auth plugin.

This list may be used to generate CLI or config arguments.

Returns

A list of Param objects describing available plugin parameters.

Return type

List

get_project_id(session, **kwargs)

Return the project id that we are authenticated to.

Wherever possible the project id should be inferred from the token however there are certain URLs and other places that require access to the currently authenticated project id.

Parameters

session (keystoneclient.session.Session) – A session object so the plugin can make HTTP calls.

Returns

A project identifier or None if one is not available.

Return type

str

get_token(session, **kwargs)

Return a valid auth token.

If a valid token is not present then a new one will be fetched.

Parameters

session (keystoneclient.session.Session) – A session object that can be used for communication.

Raises

keystoneclient.exceptions.HttpError – An error from an invalid HTTP response.

Returns

A valid token.

Return type

string

get_user_id(session, **kwargs)

Return a unique user identifier of the plugin.

Wherever possible the user id should be inferred from the token however there are certain URLs and other places that require access to the currently authenticated user id.

Parameters

session (keystoneclient.session.Session) – A session object so the plugin can make HTTP calls.

Returns

A user identifier or None if one is not available.

Return type

str

invalidate()

Invalidate the current authentication data.

This should result in fetching a new token on next call.

A plugin may be invalidated if an Unauthorized HTTP response is returned to indicate that the token may have been revoked or is otherwise now invalid.

Returns

True if there was something that the plugin did to invalidate. This means that it makes sense to try again. If nothing happens returns False to indicate give up.

Return type

bool

property password

Deprecated as of the 1.7.0 release.

It may be removed in the 2.0.0 release.

property token

Deprecated as of the 1.7.0 release.

It may be removed in the 2.0.0 release.

property trust_id

Deprecated as of the 1.7.0 release.

It may be removed in the 2.0.0 release.

property username

Deprecated as of the 1.7.0 release.

It may be removed in the 2.0.0 release.

keystoneclient.auth.identity.base.get_options()

keystoneclient.auth.identity.v2 module

class keystoneclient.auth.identity.v2.Auth(auth_url, trust_id=None, tenant_id=None, tenant_name=None, reauthenticate=True)

Bases: keystoneclient.auth.identity.base.BaseIdentityPlugin

Identity V2 Authentication Plugin.

Parameters

• auth_url (string) – Identity service endpoint for authorization.

• trust_id (string) – Trust ID for trust scoping.

• tenant_id (string) – Tenant ID for project scoping.

• tenant_name (string) – Tenant name for project scoping.

• reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True

abstract get_auth_data(headers=None)

Return the authentication section of an auth plugin.

Parameters

headers (dict) – The headers that will be sent with the auth request if a plugin needs to add to them.

Returns

A dict of authentication data for the auth type.

Return type

dict

get_auth_ref(session, **kwargs)

Obtain a token from an OpenStack Identity Service.

This method is overridden by the various token version plugins.

This method should not be called independently and is expected to be invoked via the do_authenticate() method.

This method will be invoked if the AccessInfo object cached by the plugin is not valid. Thus plugins should always fetch a new AccessInfo when invoked. If you are looking to just retrieve the current auth data then you should use get_access().

Parameters

session (keystoneclient.session.Session) – A session object that can be used for communication.

Raises

• keystoneclient.exceptions.InvalidResponse – The response returned wasn’t appropriate.

• keystoneclient.exceptions.HttpError – An error from an invalid HTTP response.

Returns

Token access information.

Return type

keystoneclient.access.AccessInfo

classmethod get_options()

Return the list of parameters associated with the auth plugin.

This list may be used to generate CLI or config arguments.

Returns

A list of Param objects describing available plugin parameters.

Return type

List

property trust_id

Deprecated as of the 1.7.0 release.

It may be removed in the 2.0.0 release.

class keystoneclient.auth.identity.v2.Password(auth_url, username=<object object>, password=None, user_id=<object object>, **kwargs)

Bases: keystoneclient.auth.identity.v2.Auth

A plugin for authenticating with a username and password.

A username or user_id must be provided.

Parameters

• auth_url (string) – Identity service endpoint for authorization.

• username (string) – Username for authentication.

• password (string) – Password for authentication.

• user_id (string) – User ID for authentication.

• trust_id (string) – Trust ID for trust scoping.

• tenant_id (string) – Tenant ID for tenant scoping.

• tenant_name (string) – Tenant name for tenant scoping.

• reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True

Raises

TypeError – if a user_id or username is not provided.

get_auth_data(headers=None)

Return the authentication section of an auth plugin.

Parameters

headers (dict) – The headers that will be sent with the auth request if a plugin needs to add to them.

Returns

A dict of authentication data for the auth type.

Return type

dict

classmethod get_options()

Return the list of parameters associated with the auth plugin.

This list may be used to generate CLI or config arguments.

Returns

A list of Param objects describing available plugin parameters.

Return type

List

classmethod load_from_argparse_arguments(namespace, **kwargs)

Load a specific plugin object from an argparse result.

Convert the results of a parse into the specified plugin.

Parameters

namespace (argparse.Namespace) – The result from CLI parsing.

Returns

An auth plugin, or None if a name is not provided.

Return type

keystoneclient.auth.BaseAuthPlugin

property password

Deprecated as of the 1.7.0 release.

It may be removed in the 2.0.0 release.

property username

Deprecated as of the 1.7.0 release.

It may be removed in the 2.0.0 release.

class keystoneclient.auth.identity.v2.Token(auth_url, token, **kwargs)

Bases: keystoneclient.auth.identity.v2.Auth

A plugin for authenticating with an existing token.

Parameters

• auth_url (string) – Identity service endpoint for authorization.

• token (string) – Existing token for authentication.

• tenant_id (string) – Tenant ID for tenant scoping.

• tenant_name (string) – Tenant name for tenant scoping.

• trust_id (string) – Trust ID for trust scoping.

• reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True

get_auth_data(headers=None)

Return the authentication section of an auth plugin.

Parameters

headers (dict) – The headers that will be sent with the auth request if a plugin needs to add to them.

Returns

A dict of authentication data for the auth type.

Return type

dict

classmethod get_options()

Return the list of parameters associated with the auth plugin.

This list may be used to generate CLI or config arguments.

Returns

A list of Param objects describing available plugin parameters.

Return type

List

property token

Deprecated as of the 1.7.0 release.

It may be removed in the 2.0.0 release.

Module contents

class keystoneclient.auth.identity.BaseIdentityPlugin(auth_url=None, username=None, password=None, token=None, trust_id=None, reauthenticate=True)

Bases: keystoneclient.auth.base.BaseAuthPlugin

MIN_TOKEN_LIFE_SECONDS = 120

get_access(session, **kwargs)

Fetch or return a current AccessInfo object.

If a valid AccessInfo is present then it is returned otherwise a new one will be fetched.

Parameters

session (keystoneclient.session.Session) – A session object that can be used for communication.

Raises

keystoneclient.exceptions.HttpError – An error from an invalid HTTP response.

Returns

Valid AccessInfo

Return type

keystoneclient.access.AccessInfo

abstract get_auth_ref(session, **kwargs)

Obtain a token from an OpenStack Identity Service.

This method is overridden by the various token version plugins.

This method should not be called independently and is expected to be invoked via the do_authenticate() method.

This method will be invoked if the AccessInfo object cached by the plugin is not valid. Thus plugins should always fetch a new AccessInfo when invoked. If you are looking to just retrieve the current auth data then you should use get_access().

Parameters

session (keystoneclient.session.Session) – A session object that can be used for communication.

Raises

• keystoneclient.exceptions.InvalidResponse – The response returned wasn’t appropriate.

• keystoneclient.exceptions.HttpError – An error from an invalid HTTP response.

Returns

Token access information.

Return type

keystoneclient.access.AccessInfo

get_discovery(session, url, authenticated=None)

Return the discovery object for a URL.

Check the session and the plugin cache to see if we have already performed discovery on the URL and if so return it, otherwise create a new discovery object, cache it and return it.

This function is expected to be used by subclasses and should not be needed by users.

Parameters

• session (keystoneclient.session.Session) – A session object to discover with.

• url (str) – The url to lookup.

• authenticated (bool) – Include a token in the discovery call. (optional) Defaults to None (use a token if a plugin is installed).

Raises

• keystoneclient.exceptions.DiscoveryFailure – if for some reason the lookup fails.

• keystoneclient.exceptions.HttpError – An error from an invalid HTTP response.

Returns

A discovery object with the results of looking up that URL.

get_endpoint(session, service_type=None, interface=None, region_name=None, service_name=None, version=None, **kwargs)

Return a valid endpoint for a service.

If a valid token is not present then a new one will be fetched using the session and kwargs.

Parameters

• session (keystoneclient.session.Session) – A session object that can be used for communication.

• service_type (string) – The type of service to lookup the endpoint for. This plugin will return None (failure) if service_type is not provided.

• interface (string) – The exposure of the endpoint. Should be public, internal, admin, or auth. auth is special here to use the auth_url rather than a URL extracted from the service catalog. Defaults to public.

• region_name (string) – The region the endpoint should exist in. (optional)

• service_name (string) – The name of the service in the catalog. (optional)

• version (tuple) – The minimum version number required for this endpoint. (optional)

Raises

keystoneclient.exceptions.HttpError – An error from an invalid HTTP response.

Returns

A valid endpoint URL or None if not available.

Return type

string or None

classmethod get_options()

Return the list of parameters associated with the auth plugin.

This list may be used to generate CLI or config arguments.

Returns

A list of Param objects describing available plugin parameters.

Return type

List

get_project_id(session, **kwargs)

Return the project id that we are authenticated to.

Wherever possible the project id should be inferred from the token however there are certain URLs and other places that require access to the currently authenticated project id.

Parameters

session (keystoneclient.session.Session) – A session object so the plugin can make HTTP calls.

Returns

A project identifier or None if one is not available.

Return type

str

get_token(session, **kwargs)

Return a valid auth token.

If a valid token is not present then a new one will be fetched.

Parameters

session (keystoneclient.session.Session) – A session object that can be used for communication.

Raises

keystoneclient.exceptions.HttpError – An error from an invalid HTTP response.

Returns

A valid token.

Return type

string

get_user_id(session, **kwargs)

Return a unique user identifier of the plugin.

Wherever possible the user id should be inferred from the token however there are certain URLs and other places that require access to the currently authenticated user id.

Parameters

session (keystoneclient.session.Session) – A session object so the plugin can make HTTP calls.

Returns

A user identifier or None if one is not available.

Return type

str

invalidate()

Invalidate the current authentication data.

This should result in fetching a new token on next call.

A plugin may be invalidated if an Unauthorized HTTP response is returned to indicate that the token may have been revoked or is otherwise now invalid.

Returns

True if there was something that the plugin did to invalidate. This means that it makes sense to try again. If nothing happens returns False to indicate give up.

Return type

bool

property password

Deprecated as of the 1.7.0 release.

It may be removed in the 2.0.0 release.

property token

Deprecated as of the 1.7.0 release.

It may be removed in the 2.0.0 release.

property trust_id

Deprecated as of the 1.7.0 release.

It may be removed in the 2.0.0 release.

property username

Deprecated as of the 1.7.0 release.

It may be removed in the 2.0.0 release.

class keystoneclient.auth.identity.Password(auth_url, username=None, user_id=None, password=None, user_domain_id=None, user_domain_name=None, **kwargs)

Bases: keystoneclient.auth.identity.generic.base.BaseGenericPlugin

A common user/password authentication plugin.

Parameters

• username (string) – Username for authentication.

• user_id (string) – User ID for authentication.

• password (string) – Password for authentication.

• user_domain_id (string) – User’s domain ID for authentication.

• user_domain_name (string) – User’s domain name for authentication.

create_plugin(session, version, url, raw_status=None)

Create a plugin from the given parameters.

This function will be called multiple times with the version and url of a potential endpoint. If a plugin can be constructed that fits the params then it should return it. If not return None and then another call will be made with other available URLs.

Parameters

• session (keystoneclient.session.Session) – A session object.

• version (tuple) – A tuple of the API version at the URL.

• url (string) – The base URL for this version.

• raw_status (string) – The status that was in the discovery field.

Returns

A plugin that can match the parameters or None if nothing.

classmethod get_options()

Return the list of parameters associated with the auth plugin.

This list may be used to generate CLI or config arguments.

Returns

A list of Param objects describing available plugin parameters.

Return type

List

classmethod load_from_argparse_arguments(namespace, **kwargs)

Load a specific plugin object from an argparse result.

Convert the results of a parse into the specified plugin.

Parameters

namespace (argparse.Namespace) – The result from CLI parsing.

Returns

An auth plugin, or None if a name is not provided.

Return type

keystoneclient.auth.BaseAuthPlugin

class keystoneclient.auth.identity.Token(auth_url, token=None, **kwargs)

Bases: keystoneclient.auth.identity.generic.base.BaseGenericPlugin

Generic token auth plugin.

Parameters

token (string) – Token for authentication.

create_plugin(session, version, url, raw_status=None)

Create a plugin from the given parameters.

This function will be called multiple times with the version and url of a potential endpoint. If a plugin can be constructed that fits the params then it should return it. If not return None and then another call will be made with other available URLs.

Parameters

• session (keystoneclient.session.Session) – A session object.

• version (tuple) – A tuple of the API version at the URL.

• url (string) – The base URL for this version.

• raw_status (string) – The status that was in the discovery field.

Returns

A plugin that can match the parameters or None if nothing.

classmethod get_options()

Return the list of parameters associated with the auth plugin.

This list may be used to generate CLI or config arguments.

Returns

A list of Param objects describing available plugin parameters.

Return type

List

keystoneclient.auth.identity.V2Password

alias of keystoneclient.auth.identity.v2.Password

keystoneclient.auth.identity.V2Token

alias of keystoneclient.auth.identity.v2.Token

keystoneclient.auth.identity.V3Password

alias of keystoneclient.auth.identity.v3.password.Password

keystoneclient.auth.identity.V3Token

alias of keystoneclient.auth.identity.v3.token.Token