keystoneclient.v3 package¶
Subpackages¶
- keystoneclient.v3.contrib package
- Subpackages
- keystoneclient.v3.contrib.federation package
- Submodules
- keystoneclient.v3.contrib.federation.base module
- keystoneclient.v3.contrib.federation.core module
- keystoneclient.v3.contrib.federation.domains module
- keystoneclient.v3.contrib.federation.identity_providers module
- keystoneclient.v3.contrib.federation.mappings module
- keystoneclient.v3.contrib.federation.projects module
- keystoneclient.v3.contrib.federation.protocols module
- keystoneclient.v3.contrib.federation.saml module
- keystoneclient.v3.contrib.federation.service_providers module
- Module contents
- keystoneclient.v3.contrib.oauth1 package
- Submodules
- keystoneclient.v3.contrib.oauth1.access_tokens module
- keystoneclient.v3.contrib.oauth1.auth module
- keystoneclient.v3.contrib.oauth1.consumers module
- keystoneclient.v3.contrib.oauth1.core module
- keystoneclient.v3.contrib.oauth1.request_tokens module
- keystoneclient.v3.contrib.oauth1.utils module
- Module contents
- keystoneclient.v3.contrib.federation package
- Submodules
- keystoneclient.v3.contrib.endpoint_filter module
EndpointFilterManager
EndpointFilterManager.OS_EP_FILTER_EXT
EndpointFilterManager.add_endpoint_group_to_project()
EndpointFilterManager.add_endpoint_to_project()
EndpointFilterManager.check_endpoint_group_in_project()
EndpointFilterManager.check_endpoint_in_project()
EndpointFilterManager.delete_endpoint_from_project()
EndpointFilterManager.delete_endpoint_group_from_project()
EndpointFilterManager.list_endpoint_groups_for_project()
EndpointFilterManager.list_endpoints_for_project()
EndpointFilterManager.list_projects_for_endpoint()
EndpointFilterManager.list_projects_for_endpoint_group()
- keystoneclient.v3.contrib.endpoint_policy module
EndpointPolicyManager
EndpointPolicyManager.OS_EP_POLICY_EXT
EndpointPolicyManager.check_policy_association_for_endpoint()
EndpointPolicyManager.check_policy_association_for_region_and_service()
EndpointPolicyManager.check_policy_association_for_service()
EndpointPolicyManager.create_policy_association_for_endpoint()
EndpointPolicyManager.create_policy_association_for_region_and_service()
EndpointPolicyManager.create_policy_association_for_service()
EndpointPolicyManager.delete_policy_association_for_endpoint()
EndpointPolicyManager.delete_policy_association_for_region_and_service()
EndpointPolicyManager.delete_policy_association_for_service()
EndpointPolicyManager.get_policy_for_endpoint()
EndpointPolicyManager.list_endpoints_for_policy()
- keystoneclient.v3.contrib.simple_cert module
- keystoneclient.v3.contrib.trusts module
- Module contents
- Subpackages
Submodules¶
keystoneclient.v3.access_rules module¶
- class keystoneclient.v3.access_rules.AccessRule(manager, info, loaded=False)¶
Bases:
Resource
Represents an Identity access rule for application credentials.
- Attributes:
id: a uuid that identifies the access rule
- method: The request method that the application credential is
permitted to use for a given API endpoint
- path: The API path that the application credential is permitted to
access
- service: The service type identifier for the service that the
application credential is permitted to access
- class keystoneclient.v3.access_rules.AccessRuleManager(client)¶
Bases:
CrudManager
Manager class for manipulating Identity access rules.
- collection_key = 'access_rules'¶
- create()¶
- delete(access_rule, user=None)¶
Delete an access rule.
- Parameters:
access_rule (str or
keystoneclient.v3.access_rules.AccessRule
) – the access rule to be deleteduser (string) – User ID
- Returns:
response object with 204 status
- Return type:
requests.models.Response
- find(user=None, **kwargs)¶
Find an access rule with attributes matching
**kwargs
.- Parameters:
user (string) – User ID
- Returns:
a list of matching access rules
- Return type:
- get(access_rule, user=None)¶
Retrieve an access rule.
- Parameters:
access_rule (str or
keystoneclient.v3.access_rules.AccessRule
) – the access rule to be retrieved from the serveruser (string) – User ID
- Returns:
the specified access rule
- Return type:
- key = 'access_rule'¶
- list(user=None, **kwargs)¶
List access rules.
- Parameters:
user (string) – User ID
- Returns:
a list of access rules
- Return type:
- resource_class¶
alias of
AccessRule
- update()¶
keystoneclient.v3.application_credentials module¶
- class keystoneclient.v3.application_credentials.ApplicationCredential(manager, info, loaded=False)¶
Bases:
Resource
Represents an Identity application credential.
- Attributes:
id: a uuid that identifies the application credential
user: the user who owns the application credential
name: application credential name
secret: application credential secret
description: application credential description
expires_at: expiry time
roles: role assignments on the project
- unrestricted: whether the application credential has restrictions
applied
- access_rules: a list of access rules defining what API requests the
application credential may be used for
- class keystoneclient.v3.application_credentials.ApplicationCredentialManager(client)¶
Bases:
CrudManager
Manager class for manipulating Identity application credentials.
- collection_key = 'application_credentials'¶
- create(name, user=None, secret=None, description=None, expires_at=None, roles=None, unrestricted=False, access_rules=None, **kwargs)¶
Create a credential.
- Parameters:
name (string) – application credential name
user (string) – User ID
secret – application credential secret
description – application credential description
expires_at (datetime.datetime) – expiry time
roles (List) – list of roles on the project. Maybe a list of IDs or a list of dicts specifying role name and domain
unrestricted (bool) – whether the application credential has restrictions applied
access_rules (List) – a list of dicts representing access rules
- Returns:
the created application credential
- Return type:
keystoneclient.v3.application_credentials.ApplicationCredential
- delete(application_credential, user=None)¶
Delete an application credential.
- Parameters:
application_credential – the application credential to be deleted
- Returns:
response object with 204 status
- Return type:
requests.models.Response
- find(user=None, **kwargs)¶
Find an application credential with attributes matching
**kwargs
.- Parameters:
user (string) – User ID
- Returns:
a list of matching application credentials
- Return type:
list of
keystoneclient.v3.application_credentials.ApplicationCredential
- get(application_credential, user=None)¶
Retrieve an application credential.
- Parameters:
application_credential – the credential to be retrieved from the server
- Returns:
the specified application credential
- Return type:
keystoneclient.v3.application_credentials.ApplicationCredential
- key = 'application_credential'¶
- list(user=None, **kwargs)¶
List application credentials.
- Parameters:
user (string) – User ID
- Returns:
a list of application credentials
- Return type:
list of
keystoneclient.v3.application_credentials.ApplicationCredential
- resource_class¶
alias of
ApplicationCredential
- update()¶
keystoneclient.v3.auth module¶
- class keystoneclient.v3.auth.AuthManager(client)¶
Bases:
Manager
Retrieve auth context specific information.
The information returned by the auth routes is entirely dependent on the authentication information provided by the user.
- domains()¶
List Domains that the specified token can be rescoped to.
- Returns:
a list of domains.
- Return type:
list of
keystoneclient.v3.domains.Domain
.
- projects()¶
List projects that the specified token can be rescoped to.
- Returns:
a list of projects.
- Return type:
- systems()¶
List Systems that the specified token can be rescoped to.
At the moment this is either empty or “all”.
- Returns:
a list of systems.
- Return type:
list of
keystoneclient.v3.systems.System
.
keystoneclient.v3.client module¶
- class keystoneclient.v3.client.Client(**kwargs)¶
Bases:
HTTPClient
Client for the OpenStack Identity API v3.
- Parameters:
session (keystoneauth1.session.Session) – Session for requests. (optional)
user_id (string) – User ID for authentication. (optional)
username (string) – Username for authentication. (optional)
user_domain_id (string) – User’s domain ID for authentication. (optional)
user_domain_name (string) – User’s domain name for authentication. (optional)
password (string) – Password for authentication. (optional)
token (string) – Token for authentication. (optional)
domain_id (string) – Domain ID for domain scoping. (optional)
domain_name (string) – Domain name for domain scoping. (optional)
project_id (string) – Project ID for project scoping. (optional)
project_name (string) – Project name for project scoping. (optional)
project_domain_id (string) – Project’s domain ID for project scoping. (optional)
project_domain_name (string) – Project’s domain name for project scoping. (optional)
tenant_name (string) – Tenant name. (optional) The tenant_name keyword argument is deprecated as of the 1.7.0 release in favor of project_name and may be removed in the 2.0.0 release.
tenant_id (string) – Tenant id. (optional) The tenant_id keyword argument is deprecated as of the 1.7.0 release in favor of project_id and may be removed in the 2.0.0 release.
auth_url (string) – Identity service endpoint for authorization.
region_name (string) – Name of a region to select when choosing an endpoint from the service catalog.
endpoint (string) – A user-supplied endpoint URL for the identity service. Lazy-authentication is possible for API service calls if endpoint is set at instantiation. (optional)
timeout (integer) – Allows customization of the timeout for client http requests. (optional)
Warning
Constructing an instance of this class without a session is deprecated as of the 1.7.0 release and will be removed in the 2.0.0 release.
Example:
>>> from keystoneauth1.identity import v3 >>> from keystoneauth1 import session >>> from keystoneclient.v3 import client >>> auth = v3.Password(user_domain_name=DOMAIN_NAME, ... username=USER, ... password=PASS, ... project_domain_name=PROJECT_DOMAIN_NAME, ... project_name=PROJECT_NAME, ... auth_url=KEYSTONE_URL) >>> sess = session.Session(auth=auth) >>> keystone = client.Client(session=sess) >>> keystone.projects.list() ... >>> user = keystone.users.get(USER_ID) >>> user.delete()
Instances of this class have the following managers:
- credentials¶
- domain_configs¶
- endpoint_filter¶
keystoneclient.v3.contrib.endpoint_filter.EndpointFilterManager
- endpoint_groups¶
- endpoint_policy¶
keystoneclient.v3.contrib.endpoint_policy.EndpointPolicyManager
- registered_limits¶
- role_assignments¶
- get_raw_token_from_identity_service(auth_url, user_id=None, username=None, user_domain_id=None, user_domain_name=None, password=None, domain_id=None, domain_name=None, project_id=None, project_name=None, project_domain_id=None, project_domain_name=None, token=None, trust_id=None, **kwargs)¶
Authenticate against the v3 Identity API.
If password and token methods are both provided then both methods will be used in the request.
- Returns:
access.AccessInfo if authentication was successful.
- Return type:
- Raises:
keystoneclient.exceptions.AuthorizationFailure – if unable to authenticate or validate the existing authorization token.
keystoneclient.exceptions.Unauthorized – if authentication fails due to invalid token.
- process_token(**kwargs)¶
Extract and process information from the new auth_ref.
And set the relevant authentication information.
- serialize(entity)¶
- version = 'v3'¶
keystoneclient.v3.credentials module¶
- class keystoneclient.v3.credentials.Credential(manager, info, loaded=False)¶
Bases:
Resource
Represents an Identity credential.
- Attributes:
id: a uuid that identifies the credential
user_id: user ID to which credential belongs
type: the type of credential
blob: the text that represents the credential
project_id: project ID which limits the scope of the credential
- class keystoneclient.v3.credentials.CredentialManager(client)¶
Bases:
CrudManager
Manager class for manipulating Identity credentials.
- collection_key = 'credentials'¶
- create(user, type, blob, project=None, **kwargs)¶
Create a credential.
- Parameters:
user (str or
keystoneclient.v3.users.User
) – the user to which the credential belongstype (str) – the type of the credential, valid values are:
ec2
,cert
ortotp
blob (str) – the arbitrary blob of the credential data, to be parsed according to the type
project (str or
keystoneclient.v3.projects.Project
) – the project which limits the scope of the credential, this attribbute is mandatory if the credential type is ec2kwargs – any other attribute provided will be passed to the server
- Returns:
the created credential
- Return type:
- delete(credential)¶
Delete a credential.
- Parameters:
credential (str or
keystoneclient.v3.credentials.Credential
) – the credential to be deleted- Returns:
response object with 204 status
- Return type:
requests.models.Response
- get(credential)¶
Retrieve a credential.
- Parameters:
credential (str or
keystoneclient.v3.credentials.Credential
) – the credential to be retrieved from the server- Returns:
the specified credential
- Return type:
- key = 'credential'¶
- list(**kwargs)¶
List credentials.
- Parameters:
kwargs – If user_id or type is specified then credentials will be filtered accordingly.
- Returns:
a list of credentials
- Return type:
- resource_class¶
alias of
Credential
- update(credential, user, type=None, blob=None, project=None, **kwargs)¶
Update a credential.
- Parameters:
credential (str or
keystoneclient.v3.credentials.Credential
) – the credential to be updated on the serveruser (str or
keystoneclient.v3.users.User
) – the new user to which the credential belongstype (str) – the new type of the credential, valid values are:
ec2
,cert
ortotp
blob (str) – the new blob of the credential data and may be removed in the future release.
project (str or
keystoneclient.v3.projects.Project
) – the new project which limits the scope of the credential, this attribute is mandatory if the credential type is ec2kwargs – any other attribute provided will be passed to the server
- Returns:
the updated credential
- Return type:
keystoneclient.v3.domain_configs module¶
- class keystoneclient.v3.domain_configs.DomainConfig(manager, info, loaded=False)¶
Bases:
Resource
An object representing a domain config association.
This resource object does not necessarily contain fixed attributes, as new attributes are added in the server, they are supported here directly. The currently supported configs are identity and ldap.
- class keystoneclient.v3.domain_configs.DomainConfigManager(client)¶
Bases:
Manager
Manager class for manipulating domain config associations.
- build_url(domain)¶
- create(domain, config)¶
Create a config for a domain.
- Parameters:
domain (str or
keystoneclient.v3.domains.Domain
) – the domain where the config is going to be applied.config (dict) – a dictionary of domain configurations.
Example of the
config
parameter:{ "identity": { "driver": "ldap" }, "ldap": { "url": "ldap://myldap.com:389/", "user_tree_dn": "ou=Users,dc=my_new_root,dc=org" } }
- Returns:
the created domain config returned from server.
- Return type:
- delete(domain)¶
Delete a config for a domain.
- Parameters:
domain (str or
keystoneclient.v3.domains.Domain
) – the domain which the config will be deleted on the server.- Returns:
Response object with 204 status.
- Return type:
requests.models.Response
- find(**kwargs)¶
- get(domain)¶
Get a config for a domain.
- Parameters:
domain (str or
keystoneclient.v3.domains.Domain
) – the domain for which the config is defined.- Returns:
the domain config returned from server.
- Return type:
- key = 'config'¶
- list(**kwargs)¶
- resource_class¶
alias of
DomainConfig
- update(domain, config)¶
Update a config for a domain.
- Parameters:
domain (str or
keystoneclient.v3.domains.Domain
) – the domain where the config is going to be updated.config (dict) – a dictionary of domain configurations.
Example of the
config
parameter:{ "identity": { "driver": "ldap" }, "ldap": { "url": "ldap://myldap.com:389/", "user_tree_dn": "ou=Users,dc=my_new_root,dc=org" } }
- Returns:
the updated domain config returned from server.
- Return type:
keystoneclient.v3.domains module¶
- class keystoneclient.v3.domains.Domain(manager, info, loaded=False)¶
Bases:
Resource
Represents an Identity domain.
- Attributes:
id: a uuid that identifies the domain
name: the name of the domain
description: a description of the domain
enabled: determines whether the domain is enabled
- class keystoneclient.v3.domains.DomainManager(client)¶
Bases:
CrudManager
Manager class for manipulating Identity domains.
- collection_key = 'domains'¶
- create(name, description=None, enabled=True, **kwargs)¶
Create a domain.
- Parameters:
- Returns:
the created domain returned from server.
- Return type:
- delete(domain)¶
“Delete a domain.
- Parameters:
domain (str or
keystoneclient.v3.domains.Domain
) – the domain to be deleted on the server.- Returns:
Response object with 204 status.
- Return type:
requests.models.Response
- get(domain)¶
Retrieve a domain.
- Parameters:
domain (str or
keystoneclient.v3.domains.Domain
) – the domain to be retrieved from the server.- Returns:
the specified domain returned from server.
- Return type:
- key = 'domain'¶
- list(**kwargs)¶
List domains.
- Parameters:
kwargs – allows filter criteria to be passed where supported by the server.
- Returns:
a list of domains.
- Return type:
list of
keystoneclient.v3.domains.Domain
.
- update(domain, name=None, description=None, enabled=None, **kwargs)¶
Update a domain.
- Parameters:
domain (str or
keystoneclient.v3.domains.Domain
) – the domain to be updated on the server.name (str) – the new name of the domain.
description (str) – the new description of the domain.
enabled (bool) – whether the domain is enabled.
kwargs – any other attribute provided will be passed to the server.
- Returns:
the updated domain returned from server.
- Return type:
keystoneclient.v3.ec2 module¶
- class keystoneclient.v3.ec2.EC2(manager, info, loaded=False)¶
Bases:
Resource
Represents an EC2 resource.
- Attributes:
id: a string that identifies the EC2 resource.
user_id: the ID field of a pre-existing user in the backend.
project_id: the ID field of a pre-existing project in the backend.
access: a string representing access key of the access/secret pair.
secret: a string representing the secret of the access/secret pair.
- class keystoneclient.v3.ec2.EC2Manager(client)¶
Bases:
ManagerWithFind
- create(user_id, project_id)¶
Create a new access/secret pair.
- Parameters:
user_id (str or
keystoneclient.v3.users.User
) – the ID of the user having access/secret pair.project_id (str or
keystoneclient.v3.projects.Project
) – the ID of the project having access/secret pair.
- Returns:
the created access/secret pair returned from server.
- Return type:
- delete(user_id, access)¶
Delete an access/secret pair.
- Parameters:
user_id (str or
keystoneclient.v3.users.User
) – the ID of the user whose access/secret pair will be deleted on the server.access (str) – the access key whose access/secret pair will be deleted on the server.
- Returns:
Response object with 204 status.
- Return type:
requests.models.Response
- get(user_id, access)¶
Retrieve an access/secret pair for a given access key.
- Parameters:
user_id (str or
keystoneclient.v3.users.User
) – the ID of the user whose access/secret pair will be retrieved from the server.access (str) – the access key whose access/secret pair will be retrieved from the server.
- Returns:
the specified access/secret pair returned from server.
- Return type:
- list(user_id)¶
List access/secret pairs for a given user.
- Parameters:
user_id (str) – the ID of the user having access/secret pairs will be listed.
- Returns:
a list of access/secret pairs.
- Return type:
list of
keystoneclient.v3.ec2.EC2
keystoneclient.v3.endpoint_groups module¶
- class keystoneclient.v3.endpoint_groups.EndpointGroup(manager, info, loaded=False)¶
Bases:
Resource
Represents an identity endpoint group.
- Attributes:
id: a UUID that identifies the endpoint group
name: the endpoint group name
description: the endpoint group description
- filters: representation of filters in the format of JSON that define
what endpoint entities are part of the group
- class keystoneclient.v3.endpoint_groups.EndpointGroupManager(client)¶
Bases:
CrudManager
Manager class for Endpoint Groups.
- base_url = 'OS-EP-FILTER'¶
- check(endpoint_group)¶
Check if an endpoint group exists.
- Parameters:
endpoint_group (str or
keystoneclient.v3.endpoint_groups.EndpointGroup
) – the endpoint group to be checked against the server.- Returns:
none if the specified endpoint group exists.
- collection_key = 'endpoint_groups'¶
- create(name, filters, description=None, **kwargs)¶
Create an endpoint group.
- Parameters:
- Returns:
the created endpoint group returned from server.
- Return type:
- delete(endpoint_group)¶
Delete an endpoint group.
- Parameters:
endpoint_group (str or
keystoneclient.v3.endpoint_groups.EndpointGroup
) – the endpoint group to be deleted on the server.- Returns:
Response object with 204 status.
- Return type:
requests.models.Response
- get(endpoint_group)¶
Retrieve an endpoint group.
- Parameters:
endpoint_group (str or
keystoneclient.v3.endpoint_groups.EndpointGroup
) – the endpoint group to be retrieved from the server.- Returns:
the specified endpoint group returned from server.
- Return type:
- key = 'endpoint_group'¶
- list(**kwargs)¶
List endpoint groups.
Any parameter provided will be passed to the server.
- Returns:
a list of endpoint groups.
- Return type:
- resource_class¶
alias of
EndpointGroup
- update(endpoint_group, name=None, filters=None, description=None, **kwargs)¶
Update an endpoint group.
- Parameters:
name (str) – the new name of the endpoint group.
filters (str) – the new representation of filters in the format of JSON that define what endpoint entities are part of the group.
description (str) – the new description of the endpoint group.
kwargs – any other attribute provided will be passed to the server.
- Returns:
the updated endpoint group returned from server.
- Return type:
keystoneclient.v3.endpoints module¶
- class keystoneclient.v3.endpoints.Endpoint(manager, info, loaded=False)¶
Bases:
Resource
Represents an Identity endpoint.
- Attributes:
id: a uuid that identifies the endpoint
interface: ‘public’, ‘admin’ or ‘internal’ network interface
region: geographic location of the endpoint
service_id: service to which the endpoint belongs
url: fully qualified service endpoint
- enabled: determines whether the endpoint appears in the service
catalog
- class keystoneclient.v3.endpoints.EndpointManager(client)¶
Bases:
CrudManager
Manager class for manipulating Identity endpoints.
- collection_key = 'endpoints'¶
- create(service, url, interface=None, region=None, enabled=True, **kwargs)¶
Create an endpoint.
- Parameters:
service (str or
keystoneclient.v3.services.Service
) – the service to which the endpoint belongs.url (str) – the URL of the fully qualified service endpoint.
interface (str) – the network interface of the endpoint. Valid values are:
public
,admin
orinternal
.region (str or
keystoneclient.v3.regions.Region
) – the region to which the endpoint belongs.enabled (bool) – whether the endpoint is enabled or not, determining if it appears in the service catalog.
kwargs – any other attribute provided will be passed to the server.
- Returns:
the created endpoint returned from server.
- Return type:
- delete(endpoint)¶
Delete an endpoint.
- Parameters:
endpoint (str or
keystoneclient.v3.endpoints.Endpoint
) – the endpoint to be deleted on the server.- Returns:
Response object with 204 status.
- Return type:
requests.models.Response
- get(endpoint)¶
Retrieve an endpoint.
- Parameters:
endpoint (str or
keystoneclient.v3.endpoints.Endpoint
) – the endpoint to be retrieved from the server.- Returns:
the specified endpoint returned from server.
- Return type:
- key = 'endpoint'¶
- list(service=None, interface=None, region=None, enabled=None, region_id=None, **kwargs)¶
List endpoints.
- Parameters:
service (str or
keystoneclient.v3.services.Service
) – the service of the endpoints to be filtered on.interface (str) – the network interface of the endpoints to be filtered on. Valid values are:
public
,admin
orinternal
.enabled (bool) – whether to return enabled or disabled endpoints.
region_id (str) – filter endpoints by the region_id attribute. If both region and region_id are specified, region takes precedence.
kwargs – any other attribute provided will filter endpoints on.
- Returns:
a list of endpoints.
- Return type:
- update(endpoint, service=None, url=None, interface=None, region=None, enabled=None, **kwargs)¶
Update an endpoint.
- Parameters:
endpoint (str or
keystoneclient.v3.endpoints.Endpoint
) – the endpoint to be updated on the server.service (str or
keystoneclient.v3.services.Service
) – the new service to which the endpoint belongs.url (str) – the new URL of the fully qualified service endpoint.
interface (str) – the new network interface of the endpoint. Valid values are:
public
,admin
orinternal
.region (str or
keystoneclient.v3.regions.Region
) – the new region to which the endpoint belongs.enabled (bool) – determining if the endpoint appears in the service catalog by enabling or disabling it.
kwargs – any other attribute provided will be passed to the server.
- Returns:
the updated endpoint returned from server.
- Return type:
keystoneclient.v3.groups module¶
- class keystoneclient.v3.groups.Group(manager, info, loaded=False)¶
Bases:
Resource
Represents an Identity user group.
- Attributes:
id: a uuid that identifies the group
name: group name
description: group description
- update(name=None, description=None)¶
- class keystoneclient.v3.groups.GroupManager(client)¶
Bases:
CrudManager
Manager class for manipulating Identity groups.
- collection_key = 'groups'¶
- create(name, domain=None, description=None, **kwargs)¶
Create a group.
- Parameters:
name (str) – the name of the group.
domain (str or
keystoneclient.v3.domains.Domain
) – the domain of the group.description (str) – a description of the group.
kwargs – any other attribute provided will be passed to the server.
- Returns:
the created group returned from server.
- Return type:
- delete(group)¶
Delete a group.
- Parameters:
group (str or
keystoneclient.v3.groups.Group
) – the group to be deleted on the server.- Returns:
Response object with 204 status.
- Return type:
requests.models.Response
- get(group)¶
Retrieve a group.
- Parameters:
group (str or
keystoneclient.v3.groups.Group
) – the group to be retrieved from the server.- Returns:
the specified group returned from server.
- Return type:
- key = 'group'¶
- list(user=None, domain=None, **kwargs)¶
List groups.
- Parameters:
user (str or
keystoneclient.v3.users.User
) – the user of the groups to be filtered on.domain (str or
keystoneclient.v3.domains.Domain
) – the domain of the groups to be filtered on.kwargs – any other attribute provided will filter groups on.
- Returns:
a list of groups.
- Return type:
list of
keystoneclient.v3.groups.Group
.
- update(group, name=None, description=None, **kwargs)¶
Update a group.
- Parameters:
group (str or
keystoneclient.v3.groups.Group
) – the group to be updated on the server.name (str) – the new name of the group.
description (str) – the new description of the group.
kwargs – any other attribute provided will be passed to server.
- Returns:
the updated group returned from server.
- Return type:
keystoneclient.v3.limits module¶
- class keystoneclient.v3.limits.Limit(manager, info, loaded=False)¶
Bases:
Resource
Represents a project limit.
- Attributes:
id: a UUID that identifies the project limit
service_id: a UUID that identifies the service for the limit
region_id: a UUID that identifies the region for the limit
project_id: a UUID that identifies the project for the limit
resource_name: the name of the resource to limit
resource_limit: the limit to apply to the project
description: a description for the project limit
- class keystoneclient.v3.limits.LimitManager(client)¶
Bases:
CrudManager
Manager class for project limits.
- collection_key = 'limits'¶
- create(project, service, resource_name, resource_limit, description=None, region=None, **kwargs)¶
Create a project-specific limit.
- Parameters:
project (str or
keystoneclient.v3.projects.Project
) – the project to create a limit for.service (str or
keystoneclient.v3.services.Service
) – the service that owns the resource to limit.resource_name (str) – the name of the resource to limit
resource_limit (int) – the quantity of the limit
description (str) – a description of the limit
region (str or
keystoneclient.v3.regions.Region
) – region the limit applies to
- Returns:
a reference of the created limit
- Return type:
- delete(limit)¶
Delete a project-specific limit.
- Parameters:
limit (str or
keystoneclient.v3.limit.Limit
) – the project-specific limit to be deleted.- Returns:
Response object with 204 status
- Return type:
requests.models.Response
- get(limit)¶
Retrieve a project limit.
- Parameters:
limit (str or
keystoneclient.v3.limit.Limit
) – the project-specific limit to be retrieved.- Returns:
a project-specific limit
- Return type:
keystoneclient.v3.limit.Limit
- key = 'limit'¶
- list(service=None, region=None, resource_name=None, **kwargs)¶
List project-specific limits.
Any parameter provided will be passed to the server as a filter
- Parameters:
service (UUID or
keystoneclient.v3.services.Service
) – service to filter limits byregion (UUID or
keystoneclient.v3.regions.Region
) – region to filter limits byresource_name (str) – the name of the resource to filter limits by
- Returns:
a list of project-specific limits.
- Return type:
list of
keystoneclient.v3.limits.Limit
- update(limit, project=None, service=None, resource_name=None, resource_limit=None, description=None, **kwargs)¶
Update a project-specific limit.
- Parameters:
limit – a limit to update
project (str or
keystoneclient.v3.projects.Project
) – the project ID of the limit to updateresource_limit – the limit of the limit’s resource to update
description (str) – a description of the limit
- Type:
resource_limit: int
- Returns:
a reference of the updated limit.
- Return type:
keystoneclient.v3.policies module¶
- class keystoneclient.v3.policies.Policy(manager, info, loaded=False)¶
Bases:
Resource
Represents an Identity policy.
- Attributes:
id: a uuid that identifies the policy
blob: a policy document (blob)
type: the MIME type of the policy blob
- update(blob=None, type=None)¶
- class keystoneclient.v3.policies.PolicyManager(client)¶
Bases:
CrudManager
Manager class for manipulating Identity policies.
- collection_key = 'policies'¶
- create(blob, type='application/json', **kwargs)¶
Create a policy.
- Parameters:
- Returns:
the created policy returned from server.
- Return type:
- delete(policy)¶
“Delete a policy.
- Parameters:
policy (str or
keystoneclient.v3.policies.Policy
) – the policy to be deleted on the server.- Returns:
Response object with 204 status.
- Return type:
requests.models.Response
- get(policy)¶
Retrieve a policy.
- Parameters:
policy (str or
keystoneclient.v3.policies.Policy
) – the policy to be retrieved from the server.- Returns:
the specified policy returned from server.
- Return type:
- key = 'policy'¶
- list(**kwargs)¶
List policies.
- Parameters:
kwargs – allows filter criteria to be passed where supported by the server.
- Returns:
a list of policies.
- Return type:
list of
keystoneclient.v3.policies.Policy
.
- update(policy, blob=None, type=None, **kwargs)¶
Update a policy.
- Parameters:
policy (str or
keystoneclient.v3.policies.Policy
) – the policy to be updated on the server.blob (str) – the new policy document.
type (str) – the new MIME type of the policy blob.
kwargs – any other attribute provided will be passed to the server.
- Returns:
the updated policy returned from server.
- Return type:
keystoneclient.v3.projects module¶
- class keystoneclient.v3.projects.Project(manager, info, loaded=False)¶
Bases:
Resource
Represents an Identity project.
- Attributes:
id: a uuid that identifies the project
name: project name
description: project description
enabled: boolean to indicate if project is enabled
parent_id: a uuid representing this project’s parent in hierarchy
- parents: a list or a structured dict containing the parents of this
project in the hierarchy
- subtree: a list or a structured dict containing the subtree of this
project in the hierarchy
- add_tag(tag)¶
- check_tag(tag)¶
- delete_all_tags()¶
- delete_tag(tag)¶
- list_tags()¶
- update(name=None, description=None, enabled=None)¶
- update_tags(tags)¶
- class keystoneclient.v3.projects.ProjectManager(client)¶
Bases:
CrudManager
Manager class for manipulating Identity projects.
- add_tag(project, tag)¶
Add a tag to a project.
- Parameters:
project – project to add a tag to.
tag – str name of tag.
- check_tag(project, tag)¶
Check if tag is associated with project.
- Parameters:
project – project to check tags for.
tag – str name of tag
- Returns:
true if tag is associated, false otherwise
- collection_key = 'projects'¶
- create(name, domain, description=None, enabled=True, parent=None, **kwargs)¶
Create a project.
- Parameters:
name (str) – the name of the project.
domain (str or
keystoneclient.v3.domains.Domain
) – the domain of the project.description (str) – the description of the project.
enabled (bool) – whether the project is enabled.
parent (str or
keystoneclient.v3.projects.Project
) – the parent of the project in the hierarchy.kwargs – any other attribute provided will be passed to the server.
- Returns:
the created project returned from server.
- Return type:
- delete(project)¶
Delete a project.
- Parameters:
project (str or
keystoneclient.v3.projects.Project
) – the project to be deleted on the server.- Returns:
Response object with 204 status.
- Return type:
requests.models.Response
- delete_tag(project, tag)¶
Remove tag from project.
- Parameters:
projectd – project to remove tag from.
tag – str name of tag to remove from project
- find(**kwargs)¶
Find a single item with attributes matching
**kwargs
.
- get(project, subtree_as_list=False, parents_as_list=False, subtree_as_ids=False, parents_as_ids=False)¶
Retrieve a project.
- Parameters:
project (str or
keystoneclient.v3.projects.Project
) – the project to be retrieved from the server.subtree_as_list (bool) – retrieve projects below this project in the hierarchy as a flat list. It only includes the projects in which the current user has role assignments on.
parents_as_list (bool) – retrieve projects above this project in the hierarchy as a flat list. It only includes the projects in which the current user has role assignments on.
subtree_as_ids (bool) – retrieve the IDs from the projects below this project in the hierarchy as a structured dictionary.
parents_as_ids (bool) – retrieve the IDs from the projects above this project in the hierarchy as a structured dictionary.
- Returns:
the specified project returned from server.
- Return type:
- Raises:
keystoneclient.exceptions.ValidationError – if subtree_as_list and subtree_as_ids or parents_as_list and parents_as_ids are included at the same time in the call.
- key = 'project'¶
- list(domain=None, user=None, parent=None, **kwargs)¶
List projects.
- Parameters:
domain (str or
keystoneclient.v3.domains.Domain
) – the domain of the projects to be filtered on.user (str or
keystoneclient.v3.users.User
) – filter in projects the specified user has role assignments on.parent (str or
keystoneclient.v3.projects.Project
) – filter in projects the specified project is a parent forkwargs – any other attribute provided will filter projects on. Project tags filter keyword:
tags
,tags_any
,not_tags
, andnot_tags_any
. tag attribute type string. Pass in a comma separated string to filter with multiple tags.
- Returns:
a list of projects.
- Return type:
- list_tags(project)¶
List tags associated with project.
- Parameters:
project – project to list tags for.
- Returns:
list of str tag names
- update(project, name=None, domain=None, description=None, enabled=None, **kwargs)¶
Update a project.
- Parameters:
project (str or
keystoneclient.v3.projects.Project
) – the project to be updated on the server.name (str) – the new name of the project.
domain (str or
keystoneclient.v3.domains.Domain
) – the new domain of the project.description (str) – the new description of the project.
enabled (bool) – whether the project is enabled.
kwargs – any other attribute provided will be passed to server.
- Returns:
the updated project returned from server.
- Return type:
- update_tags(project, tags)¶
Update tag list of a project.
Replaces current tag list with list specified in tags parameter.
- Parameters:
project – project to update.
tags – list of str tag names to add to the project
- Returns:
list of tags
keystoneclient.v3.regions module¶
- class keystoneclient.v3.regions.Region(manager, info, loaded=False)¶
Bases:
Resource
Represents a Catalog region.
- Attributes:
id: a string that identifies the region.
description: a string that describes the region.
- parent_region_id: a pre-existing region in the backend or its ID
field. Allows for hierarchical region organization.
enabled: determines whether the endpoint appears in the catalog.
- class keystoneclient.v3.regions.RegionManager(client)¶
Bases:
CrudManager
Manager class for manipulating Identity regions.
- collection_key = 'regions'¶
- create(id=None, description=None, enabled=True, parent_region=None, **kwargs)¶
Create a region.
- Parameters:
id (str) – the unique identifier of the region. If not specified an ID will be created by the server.
description (str) – the description of the region.
enabled (bool) – whether the region is enabled or not, determining if it appears in the catalog.
parent_region (str or
keystoneclient.v3.regions.Region
) – the parent of the region in the hierarchy.kwargs – any other attribute provided will be passed to the server.
- Returns:
the created region returned from server.
- Return type:
- delete(region)¶
Delete a region.
- Parameters:
region (str or
keystoneclient.v3.regions.Region
) – the region to be deleted on the server.- Returns:
Response object with 204 status.
- Return type:
requests.models.Response
- get(region)¶
Retrieve a region.
- Parameters:
region (str or
keystoneclient.v3.regions.Region
) – the region to be retrieved from the server.- Returns:
the specified region returned from server.
- Return type:
- key = 'region'¶
- list(**kwargs)¶
List regions.
- Parameters:
kwargs – any attributes provided will filter regions on.
- Returns:
a list of regions.
- Return type:
list of
keystoneclient.v3.regions.Region
.
- update(region, description=None, enabled=None, parent_region=None, **kwargs)¶
Update a region.
- Parameters:
region (str or
keystoneclient.v3.regions.Region
) – the region to be updated on the server.description (str) – the new description of the region.
enabled (bool) – determining if the region appears in the catalog by enabling or disabling it.
parent_region (str or
keystoneclient.v3.regions.Region
) – the new parent of the region in the hierarchy.kwargs – any other attribute provided will be passed to server.
- Returns:
the updated region returned from server.
- Return type:
keystoneclient.v3.registered_limits module¶
- class keystoneclient.v3.registered_limits.RegisteredLimit(manager, info, loaded=False)¶
Bases:
Resource
Represents a registered limit.
- Attributes:
id: a UUID that identifies the registered limit
service_id: a UUID that identifies the service for the limit
region_id: a UUID that identifies the region for the limit
resource_name: the name of the resource to limit
default_limit: the default limit for projects to assume
description: a description of the registered limit
- class keystoneclient.v3.registered_limits.RegisteredLimitManager(client)¶
Bases:
CrudManager
Manager class for registered limits.
- collection_key = 'registered_limits'¶
- create(service, resource_name, default_limit, description=None, region=None, **kwargs)¶
Create a registered limit.
- Parameters:
service (str) – a UUID that identifies the service for the limit.
resource_name (str) – the name of the resource to limit.
default_limit (int) – the default limit for projects to assume.
description (str) – a string that describes the limit
region (str) – a UUID that identifies the region for the limit.
- Returns:
a reference of the created registered limit.
- Return type:
- delete(registered_limit)¶
Delete a registered limit.
- Parameters:
registered_limit (str or
keystoneclient.v3.registered_limits.RegisteredLimit
) – the registered limit to delete.- Returns:
Response object with 204 status.
- Return type:
requests.models.Response
- get(registered_limit)¶
Retrieve a registered limit.
- Parameters:
registered_limit (str or
keystoneclient.v3.registered_limits.RegisteredLimit
) – the registered limit to get.- Returns:
a specific registered limit.
- Return type:
- key = 'registered_limit'¶
- list(service=None, resource_name=None, region=None, **kwargs)¶
List registered limits.
Any parameter provided will be passed to the server as a filter.
- Parameters:
service (a UUID or
keystoneclient.v3.services.Service
) – filter registered limits by serviceresource_name (str) – filter registered limits by resource name
region (a UUID or
keystoneclient.v3.regions.Region
) – filter registered limits by region
- Returns:
a list of registered limits.
- Return type:
- resource_class¶
alias of
RegisteredLimit
- update(registered_limit, service=None, resource_name=None, default_limit=None, description=None, region=None, **kwargs)¶
Update a registered limit.
- Parameters:
registered_limit – the UUID or reference of the registered limit to update.
registered_limit – str or
keystoneclient.v3.registered_limits.RegisteredLimit
service (str) – a UUID that identifies the service for the limit.
resource_name (str) – the name of the resource to limit.
default_limit (int) – the default limit for projects to assume.
description (str) – a string that describes the limit
region (str) – a UUID that identifies the region for the limit.
- Returns:
a reference of the updated registered limit.
- Return type:
keystoneclient.v3.role_assignments module¶
- class keystoneclient.v3.role_assignments.RoleAssignment(manager, info, loaded=False)¶
Bases:
Resource
Represents an Identity role assignment.
- Attributes:
role: an object which contains a role uuid
- user or group: an object which contains either a user or
group uuid
- scope: an object which has either a project or domain object
containing an uuid
- class keystoneclient.v3.role_assignments.RoleAssignmentManager(client)¶
Bases:
CrudManager
Manager class for manipulating Identity roles assignments.
- collection_key = 'role_assignments'¶
- create(**kwargs)¶
- delete(**kwargs)¶
- find(**kwargs)¶
Find a single item with attributes matching
**kwargs
.
- get(**kwargs)¶
- key = 'role_assignment'¶
- list(user=None, group=None, project=None, domain=None, system=False, role=None, effective=False, os_inherit_extension_inherited_to=None, include_subtree=False, include_names=False)¶
List role assignments.
If no arguments are provided, all role assignments in the system will be listed.
If both user and group are provided, a ValidationError will be raised. If both domain and project are provided, it will also raise a ValidationError.
- Parameters:
user – User to be used as query filter. (optional)
group – Group to be used as query filter. (optional)
project – Project to be used as query filter. (optional)
domain – Domain to be used as query filter. (optional)
system – Boolean to be used to filter system assignments. (optional)
role – Role to be used as query filter. (optional)
effective (boolean) – return effective role assignments. (optional)
os_inherit_extension_inherited_to (string) – return inherited role assignments for either ‘projects’ or ‘domains’. (optional)
include_subtree (boolean) – Include subtree (optional)
include_names (boolean) – Display names instead of IDs. (optional)
- put(**kwargs)¶
- resource_class¶
alias of
RoleAssignment
- update(**kwargs)¶
keystoneclient.v3.roles module¶
- class keystoneclient.v3.roles.InferenceRule(manager, info, loaded=False)¶
Bases:
Resource
Represents a rule that states one role implies another.
- Attributes:
prior_role: this role implies the other
implied_role: this role is implied by the other
- class keystoneclient.v3.roles.InferenceRuleManager(client)¶
Bases:
CrudManager
Manager class for manipulating Identity inference rules.
- check(prior_role, implied_role)¶
Check if an inference rule exists.
Valid HTTP return codes:
204: The rule inference exists
404: A role cannot be found
- Parameters:
prior_role – the role which implies
implied_role
.implied_role – the role which is implied by
prior_role
.
- Returns:
response object with 204 status returned from server.
- Return type:
requests.models.Response
- collection_key = 'role_inferences'¶
- create(prior_role, implied_role)¶
Create an inference rule.
An inference rule is comprised of two roles, a prior role and an implied role. The prior role will imply the implied role.
Valid HTTP return codes:
201: Resource is created successfully
404: A role cannot be found
409: The inference rule already exists
- Parameters:
prior_role – the role which implies
implied_role
.implied_role – the role which is implied by
prior_role
.
- Returns:
a newly created role inference returned from server.
- Return type:
- delete(prior_role, implied_role)¶
Delete an inference rule.
When deleting an inference rule, both roles are required. Note that neither role is deleted, only the inference relationship is dissolved.
Valid HTTP return codes:
204: Delete request is accepted
404: A role cannot be found
- Parameters:
prior_role – the role which implies
implied_role
.implied_role – the role which is implied by
prior_role
.
- Returns:
Response object with 204 status.
- Return type:
requests.models.Response
- find(**kwargs)¶
Find a single item with attributes matching
**kwargs
.
- get(prior_role, implied_role)¶
Retrieve an inference rule.
Valid HTTP return codes:
200: Inference rule is returned
404: A role cannot be found
- Parameters:
prior_role – the role which implies
implied_role
.implied_role – the role which is implied by
prior_role
.
- Returns:
the specified role inference returned from server.
- Return type:
- key = 'role_inference'¶
- list(prior_role)¶
List all roles that a role may imply.
Valid HTTP return codes:
200: List of inference rules are returned
404: A role cannot be found
- Parameters:
prior_role – the role which implies
implied_role
.- Returns:
the specified role inference returned from server.
- Return type:
- list_inference_roles()¶
List all rule inferences.
Valid HTTP return codes:
200: All inference rules are returned
- Parameters:
kwargs – attributes provided will be passed to the server.
- Returns:
a list of inference rules.
- Return type:
- put(**kwargs)¶
- resource_class¶
alias of
InferenceRule
- update(**kwargs)¶
- class keystoneclient.v3.roles.Role(manager, info, loaded=False)¶
Bases:
Resource
Represents an Identity role.
- Attributes:
id: a uuid that identifies the role
name: user-facing identifier
domain: optional domain for the role
- class keystoneclient.v3.roles.RoleManager(client)¶
Bases:
CrudManager
Manager class for manipulating Identity roles.
- check(role, user=None, group=None, system=None, domain=None, project=None, os_inherit_extension_inherited=False, **kwargs)¶
Check if a user or group has a role on a domain or project.
- Parameters:
user (str or
keystoneclient.v3.users.User
) – check for role grants for the specified user on a resource. Domain or project must be specified. User and group are mutually exclusive.group (str or
keystoneclient.v3.groups.Group
) – check for role grants for the specified group on a resource. Domain or project must be specified. User and group are mutually exclusive.system (str) – check for role grants on the system. Project, domain, and system are mutually exclusive.
domain (str or
keystoneclient.v3.domains.Domain
) – check for role grants on the specified domain. Either user or group must be specified. Project, domain, and system are mutually exclusive.project (str or
keystoneclient.v3.projects.Project
) – check for role grants on the specified project. Either user or group must be specified. Project, domain, and system are mutually exclusive.os_inherit_extension_inherited (bool) – OS-INHERIT will be used. It provides the ability for projects to inherit role assignments from their domains or from parent projects in the hierarchy.
kwargs – any other attribute provided will be passed to server.
- Returns:
the specified role returned from server if it exists.
- Return type:
- Returns:
Response object with 204 status if specified role doesn’t exist.
- Return type:
requests.models.Response
- check_implied(prior_role, implied_role, **kwargs)¶
- collection_key = 'roles'¶
- create(name, domain=None, **kwargs)¶
Create a role.
- Parameters:
name (str) – the name of the role.
domain (str or
keystoneclient.v3.domains.Domain
) – the domain of the role. If a value is passed it is a domain-scoped role, otherwise it’s a global role.kwargs – any other attribute provided will be passed to the server.
- Returns:
the created role returned from server.
- Return type:
- create_implied(prior_role, implied_role, **kwargs)¶
- delete(role)¶
Delete a role.
When a role is deleted all the role inferences that have deleted role as prior role will be deleted as well.
- Parameters:
role (str or
keystoneclient.v3.roles.Role
) – the role to be deleted on the server.- Returns:
Response object with 204 status.
- Return type:
requests.models.Response
- delete_implied(prior_role, implied_role, **kwargs)¶
- deprecation_msg = 'keystoneclient.v3.roles.InferenceRuleManager'¶
- get(role)¶
Retrieve a role.
- Parameters:
role (str or
keystoneclient.v3.roles.Role
) – the role to be retrieved from the server.- Returns:
the specified role returned from server.
- Return type:
- get_implied(prior_role, implied_role, **kwargs)¶
- grant(role, user=None, group=None, system=None, domain=None, project=None, os_inherit_extension_inherited=False, **kwargs)¶
Grant a role to a user or group on a domain or project.
- Parameters:
role (str or
keystoneclient.v3.roles.Role
) – the role to be granted on the server.user (str or
keystoneclient.v3.users.User
) – the specified user to have the role granted on a resource. Domain or project must be specified. User and group are mutually exclusive.group (str or
keystoneclient.v3.groups.Group
) – the specified group to have the role granted on a resource. Domain or project must be specified. User and group are mutually exclusive.system (str) – system information to grant the role on. Project, domain, and system are mutually exclusive.
domain (str or
keystoneclient.v3.domains.Domain
) – the domain in which the role will be granted. Either user or group must be specified. Project, domain, and system are mutually exclusive.project (str or
keystoneclient.v3.projects.Project
) – the project in which the role will be granted. Either user or group must be specified. Project, domain, and system are mutually exclusive.os_inherit_extension_inherited (bool) – OS-INHERIT will be used. It provides the ability for projects to inherit role assignments from their domains or from parent projects in the hierarchy.
kwargs – any other attribute provided will be passed to server.
- Returns:
the granted role returned from server.
- Return type:
- key = 'role'¶
- list(user=None, group=None, system=None, domain=None, project=None, os_inherit_extension_inherited=False, **kwargs)¶
List roles and role grants.
- Parameters:
user (str or
keystoneclient.v3.users.User
) – filter in role grants for the specified user on a resource. Domain or project must be specified. User and group are mutually exclusive.group (str or
keystoneclient.v3.groups.Group
) – filter in role grants for the specified group on a resource. Domain or project must be specified. User and group are mutually exclusive.domain (str or
keystoneclient.v3.domains.Domain
) – filter in role grants on the specified domain. Either user or group must be specified. Project, domain, and system are mutually exclusive.project (str or
keystoneclient.v3.projects.Project
) – filter in role grants on the specified project. Either user or group must be specified. Project, domain and system are mutually exclusive.os_inherit_extension_inherited (bool) – OS-INHERIT will be used. It provides the ability for projects to inherit role assignments from their domains or from parent projects in the hierarchy.
kwargs – any other attribute provided will filter roles on.
- Returns:
a list of roles.
- Return type:
list of
keystoneclient.v3.roles.Role
- list_role_inferences(**kwargs)¶
- revoke(role, user=None, group=None, system=None, domain=None, project=None, os_inherit_extension_inherited=False, **kwargs)¶
Revoke a role from a user or group on a domain or project.
- Parameters:
user (str or
keystoneclient.v3.users.User
) – revoke role grants for the specified user on a resource. Domain or project must be specified. User and group are mutually exclusive.group (str or
keystoneclient.v3.groups.Group
) – revoke role grants for the specified group on a resource. Domain or project must be specified. User and group are mutually exclusive.system (str) – revoke role grants on the system. Project, domain, and system are mutually exclusive.
domain (str or
keystoneclient.v3.domains.Domain
) – revoke role grants on the specified domain. Either user or group must be specified. Project, domain, and system are mutually exclusive.project (str or
keystoneclient.v3.projects.Project
) – revoke role grants on the specified project. Either user or group must be specified. Project, domain, and system are mutually exclusive.os_inherit_extension_inherited (bool) – OS-INHERIT will be used. It provides the ability for projects to inherit role assignments from their domains or from parent projects in the hierarchy.
kwargs – any other attribute provided will be passed to server.
- Returns:
the revoked role returned from server.
- Return type:
list of
keystoneclient.v3.roles.Role
- update(role, name=None, **kwargs)¶
Update a role.
- Parameters:
role (str or
keystoneclient.v3.roles.Role
) – the role to be updated on the server.name (str) – the new name of the role.
kwargs – any other attribute provided will be passed to server.
- Returns:
the updated role returned from server.
- Return type:
keystoneclient.v3.services module¶
- class keystoneclient.v3.services.Service(manager, info, loaded=False)¶
Bases:
Resource
Represents an Identity service.
- Attributes:
id: a uuid that identifies the service
name: the user-facing name of the service (e.g. Keystone)
description: a description of the service
type: the type of the service (e.g. ‘compute’, ‘identity’)
enabled: determines whether the service appears in the catalog
- class keystoneclient.v3.services.ServiceManager(client)¶
Bases:
CrudManager
Manager class for manipulating Identity services.
- collection_key = 'services'¶
- create(name, type=None, enabled=True, description=None, **kwargs)¶
Create a service.
- Parameters:
- Returns:
the created service returned from server.
- Return type:
- delete(service=None, id=None)¶
Delete a service.
- Parameters:
service (str or
keystoneclient.v3.services.Service
) – the service to be deleted on the server.- Returns:
Response object with 204 status.
- Return type:
requests.models.Response
- get(service)¶
Retrieve a service.
- Parameters:
service (str or
keystoneclient.v3.services.Service
) – the service to be retrieved from the server.- Returns:
the specified service returned from server.
- Return type:
- key = 'service'¶
- list(name=None, type=None, **kwargs)¶
List services.
- Parameters:
- Returns:
a list of services.
- Return type:
- update(service, name=None, type=None, enabled=None, description=None, **kwargs)¶
Update a service.
- Parameters:
service (str or
keystoneclient.v3.services.Service
) – the service to be updated on the server.name (str) – the new name of the service.
type (str) – the new type of the service.
enabled (bool) – whether the service appears in the catalog.
description (str) – the new description of the service.
kwargs – any other attribute provided will be passed to server.
- Returns:
the updated service returned from server.
- Return type:
keystoneclient.v3.system module¶
keystoneclient.v3.tokens module¶
- class keystoneclient.v3.tokens.TokenManager(client)¶
Bases:
object
Manager class for manipulating Identity tokens.
- get_revoked(audit_id_only=False)¶
Get revoked tokens list.
- Parameters:
audit_id_only (bool) – If true, the server is requested to not send token IDs, but only audit IDs instead. New in version 2.2.0.
- Returns:
A dict containing
signed
which is a CMS formatted string if the server signed the response. If audit_id_only is true then the response may be a dict containingrevoked
which is the list of token audit IDs and expiration times.- Return type:
- get_token_data(token, include_catalog=True, allow_expired=False, access_rules_support=None)¶
Fetch the data about a token from the identity server.
- Parameters:
token (str) – The ID of the token to be fetched.
include_catalog (bool) – Whether the service catalog should be included in the response.
allow_expired – If True the token will be validated and returned if it has already expired.
access_rules_support (float) – Version number indicating that the client is capable of enforcing keystone access rules, if unset this client does not support access rules.
- Return type:
- revoke_token(token)¶
Revoke a token.
- Parameters:
token (str or
keystoneclient.access.AccessInfo
) – The token to be revoked.
- validate(token, include_catalog=True, allow_expired=False, access_rules_support=None)¶
Validate a token.
- Parameters:
token (str or
keystoneclient.access.AccessInfo
) – The token to be validated.include_catalog – If False, the response is requested to not include the catalog.
allow_expired (bool) – If True the token will be validated and returned if it has already expired.
access_rules_support (float) – Version number indicating that the client is capable of enforcing keystone access rules, if unset this client does not support access rules.
- Return type:
keystoneclient.v3.users module¶
- class keystoneclient.v3.users.User(manager, info, loaded=False)¶
Bases:
Resource
Represents an Identity user.
- Attributes:
id: a uuid that identifies the user
- class keystoneclient.v3.users.UserManager(client)¶
Bases:
CrudManager
Manager class for manipulating Identity users.
- add_to_group(user, group)¶
Add the specified user as a member of the specified group.
- Parameters:
user (str or
keystoneclient.v3.users.User
) – the user to be added to the group.group (str or
keystoneclient.v3.groups.Group
) – the group to put the user in.
- Returns:
Response object with 204 status.
- Return type:
requests.models.Response
- check_in_group(user, group)¶
Check if the specified user is a member of the specified group.
- Parameters:
user (str or
keystoneclient.v3.users.User
) – the user to be verified in the group.group (str or
keystoneclient.v3.groups.Group
) – the group to check the user in.
- Returns:
Response object with 204 status.
- Return type:
requests.models.Response
- collection_key = 'users'¶
- create(name, domain=None, project=None, password=None, email=None, description=None, enabled=True, default_project=None, **kwargs)¶
Create a user.
- Parameters:
name (str) – the name of the user.
domain (str or
keystoneclient.v3.domains.Domain
) – the domain of the user.project (str or
keystoneclient.v3.projects.Project
) – the default project of the user. (deprecated, see warning below)password (str) – the password for the user.
email (str) – the email address of the user.
description (str) – a description of the user.
enabled (bool) – whether the user is enabled.
default_project (str or
keystoneclient.v3.projects.Project
) – the default project of the user.kwargs – any other attribute provided will be passed to the server.
- Returns:
the created user returned from server.
- Return type:
Warning
The project argument is deprecated as of the 1.7.0 release in favor of default_project and may be removed in the 2.0.0 release.
If both default_project and project is provided, the default_project will be used.
- delete(user)¶
Delete a user.
- Parameters:
user (str or
keystoneclient.v3.users.User
) – the user to be deleted on the server.- Returns:
Response object with 204 status.
- Return type:
requests.models.Response
- get(user)¶
Retrieve a user.
- Parameters:
user (str or
keystoneclient.v3.users.User
) – the user to be retrieved from the server.- Returns:
the specified user returned from server.
- Return type:
- key = 'user'¶
- list(project=None, domain=None, group=None, default_project=None, **kwargs)¶
List users.
- Parameters:
project (str or
keystoneclient.v3.projects.Project
) – the default project of the users to be filtered on. (deprecated, see warning below)domain (str or
keystoneclient.v3.domains.Domain
) – the domain of the users to be filtered on.group (str or
keystoneclient.v3.groups.Group
) – the group in which the users are member of.default_project (str or
keystoneclient.v3.projects.Project
) – the default project of the users to be filtered on.kwargs – any other attribute provided will filter users on.
- Returns:
a list of users.
- Return type:
list of
keystoneclient.v3.users.User
.
Warning
The project argument is deprecated as of the 1.7.0 release in favor of default_project and may be removed in the 2.0.0 release.
If both default_project and project is provided, the default_project will be used.
- remove_from_group(user, group)¶
Remove the specified user from the specified group.
- Parameters:
user (str or
keystoneclient.v3.users.User
) – the user to be removed from the group.group (str or
keystoneclient.v3.groups.Group
) – the group to remove the user from.
- Returns:
Response object with 204 status.
- Return type:
requests.models.Response
- update(user, name=None, domain=None, project=None, password=None, email=None, description=None, enabled=None, default_project=None, **kwargs)¶
Update a user.
- Parameters:
user (str or
keystoneclient.v3.users.User
) – the user to be updated on the server.name (str) – the new name of the user.
domain (str or
keystoneclient.v3.domains.Domain
) – the new domain of the user.project (str or
keystoneclient.v3.projects.Project
) – the new default project of the user. (deprecated, see warning below)password (str) – the new password of the user.
email (str) – the new email of the user.
description (str) – the newdescription of the user.
enabled (bool) – whether the user is enabled.
default_project (str or
keystoneclient.v3.projects.Project
) – the new default project of the user.kwargs – any other attribute provided will be passed to server.
- Returns:
the updated user returned from server.
- Return type:
Warning
The project argument is deprecated as of the 1.7.0 release in favor of default_project and may be removed in the 2.0.0 release.
If both default_project and project is provided, the default_project will be used.