keystoneclient package¶
Subpackages¶
- keystoneclient.auth package
- Subpackages
- Submodules
- keystoneclient.auth.base module
BaseAuthPlugin
BaseAuthPlugin.get_connection_params()
BaseAuthPlugin.get_endpoint()
BaseAuthPlugin.get_headers()
BaseAuthPlugin.get_options()
BaseAuthPlugin.get_project_id()
BaseAuthPlugin.get_token()
BaseAuthPlugin.get_user_id()
BaseAuthPlugin.invalidate()
BaseAuthPlugin.load_from_argparse_arguments()
BaseAuthPlugin.load_from_conf_options()
BaseAuthPlugin.load_from_options()
BaseAuthPlugin.load_from_options_getter()
BaseAuthPlugin.register_argparse_arguments()
BaseAuthPlugin.register_conf_options()
get_available_plugin_classes()
get_available_plugin_names()
get_plugin_class()
- keystoneclient.auth.cli module
- keystoneclient.auth.conf module
- keystoneclient.auth.token_endpoint module
- Module contents
BaseAuthPlugin
BaseAuthPlugin.get_connection_params()
BaseAuthPlugin.get_endpoint()
BaseAuthPlugin.get_headers()
BaseAuthPlugin.get_options()
BaseAuthPlugin.get_project_id()
BaseAuthPlugin.get_token()
BaseAuthPlugin.get_user_id()
BaseAuthPlugin.invalidate()
BaseAuthPlugin.load_from_argparse_arguments()
BaseAuthPlugin.load_from_conf_options()
BaseAuthPlugin.load_from_options()
BaseAuthPlugin.load_from_options_getter()
BaseAuthPlugin.register_argparse_arguments()
BaseAuthPlugin.register_conf_options()
get_available_plugin_classes()
get_available_plugin_names()
get_common_conf_options()
get_plugin_class()
get_plugin_options()
load_from_argparse_arguments()
load_from_conf_options()
register_argparse_arguments()
register_conf_options()
- keystoneclient.common package
- Submodules
- keystoneclient.common.cms module
- Module contents
- keystoneclient.contrib package
- keystoneclient.generic package
- keystoneclient.v2_0 package
- Submodules
- keystoneclient.v2_0.certificates module
- keystoneclient.v2_0.client module
- keystoneclient.v2_0.ec2 module
- keystoneclient.v2_0.endpoints module
- keystoneclient.v2_0.extensions module
- keystoneclient.v2_0.roles module
- keystoneclient.v2_0.services module
- keystoneclient.v2_0.tenants module
- keystoneclient.v2_0.tokens module
- keystoneclient.v2_0.users module
- Module contents
- keystoneclient.v3 package
- Subpackages
- Submodules
- keystoneclient.v3.access_rules module
- keystoneclient.v3.application_credentials module
ApplicationCredential
ApplicationCredentialManager
ApplicationCredentialManager.collection_key
ApplicationCredentialManager.create()
ApplicationCredentialManager.delete()
ApplicationCredentialManager.find()
ApplicationCredentialManager.get()
ApplicationCredentialManager.key
ApplicationCredentialManager.list()
ApplicationCredentialManager.resource_class
ApplicationCredentialManager.update()
- keystoneclient.v3.auth module
- keystoneclient.v3.client module
Client
Client.credentials
Client.domain_configs
Client.ec2
Client.endpoint_filter
Client.endpoint_groups
Client.endpoint_policy
Client.endpoints
Client.domains
Client.federation
Client.groups
Client.limits
Client.oauth1
Client.policies
Client.regions
Client.registered_limits
Client.role_assignments
Client.roles
Client.simple_cert
Client.services
Client.tokens
Client.trusts
Client.users
Client.get_raw_token_from_identity_service()
Client.process_token()
Client.serialize()
Client.version
- keystoneclient.v3.credentials module
- keystoneclient.v3.domain_configs module
- keystoneclient.v3.domains module
- keystoneclient.v3.ec2 module
- keystoneclient.v3.endpoint_groups module
EndpointGroup
EndpointGroupManager
EndpointGroupManager.base_url
EndpointGroupManager.check()
EndpointGroupManager.collection_key
EndpointGroupManager.create()
EndpointGroupManager.delete()
EndpointGroupManager.get()
EndpointGroupManager.key
EndpointGroupManager.list()
EndpointGroupManager.resource_class
EndpointGroupManager.update()
- keystoneclient.v3.endpoints module
- keystoneclient.v3.groups module
- keystoneclient.v3.limits module
- keystoneclient.v3.policies module
- keystoneclient.v3.projects module
Project
ProjectManager
ProjectManager.add_tag()
ProjectManager.check_tag()
ProjectManager.collection_key
ProjectManager.create()
ProjectManager.delete()
ProjectManager.delete_tag()
ProjectManager.find()
ProjectManager.get()
ProjectManager.key
ProjectManager.list()
ProjectManager.list_tags()
ProjectManager.resource_class
ProjectManager.update()
ProjectManager.update_tags()
- keystoneclient.v3.regions module
- keystoneclient.v3.registered_limits module
- keystoneclient.v3.role_assignments module
RoleAssignment
RoleAssignmentManager
RoleAssignmentManager.collection_key
RoleAssignmentManager.create()
RoleAssignmentManager.delete()
RoleAssignmentManager.find()
RoleAssignmentManager.get()
RoleAssignmentManager.key
RoleAssignmentManager.list()
RoleAssignmentManager.put()
RoleAssignmentManager.resource_class
RoleAssignmentManager.update()
- keystoneclient.v3.roles module
InferenceRule
InferenceRuleManager
InferenceRuleManager.check()
InferenceRuleManager.collection_key
InferenceRuleManager.create()
InferenceRuleManager.delete()
InferenceRuleManager.find()
InferenceRuleManager.get()
InferenceRuleManager.key
InferenceRuleManager.list()
InferenceRuleManager.list_inference_roles()
InferenceRuleManager.put()
InferenceRuleManager.resource_class
InferenceRuleManager.update()
Role
RoleManager
RoleManager.check()
RoleManager.check_implied()
RoleManager.collection_key
RoleManager.create()
RoleManager.create_implied()
RoleManager.delete()
RoleManager.delete_implied()
RoleManager.deprecation_msg
RoleManager.get()
RoleManager.get_implied()
RoleManager.grant()
RoleManager.key
RoleManager.list()
RoleManager.list_role_inferences()
RoleManager.resource_class
RoleManager.revoke()
RoleManager.update()
- keystoneclient.v3.services module
- keystoneclient.v3.tokens module
- keystoneclient.v3.users module
- Module contents
Submodules¶
keystoneclient.access module¶
- class keystoneclient.access.AccessInfo(*args, **kwargs)¶
Bases:
dict
Encapsulates a raw authentication token from keystone.
Provides helper methods for extracting useful values from that token.
- property audit_chain_id¶
Return the audit chain ID if present.
In the event that a token was rescoped then this ID will be the
audit_id
of the initial token. Returns None if no value present.- Returns:
str or None.
- property audit_id¶
Return the audit ID if present.
- Returns:
str or None.
- property auth_token¶
Return the token_id associated with the auth request.
To be used in headers for authenticating OpenStack API requests.
- Returns:
str
- property auth_url¶
Return a tuple of identity URLs.
The identity URLs are from publicURL and adminURL for the service ‘identity’ from the service catalog associated with the authorization request. If the authentication request wasn’t scoped to a tenant (project), this property will return None.
DEPRECATED: this doesn’t correctly handle region name. You should fetch it from the service catalog yourself. This may be removed in the 2.0.0 release.
- Returns:
tuple of urls
- property domain_id¶
Return the domain id associated with the auth request.
- Returns:
str or None (if no domain associated with the token)
- property domain_name¶
Return the domain name associated with the auth request.
- Returns:
str or None (if no domain associated with the token)
- property domain_scoped¶
Return true if the auth token was scoped to a domain.
- Returns:
bool
- property expires¶
Return the token expiration (as datetime object).
- Returns:
datetime
- classmethod factory(resp=None, body=None, region_name=None, auth_token=None, **kwargs)¶
Factory function to create a new AccessInfo object.
Create AccessInfo object given a successful auth response & body or a user-provided dict.
Warning
Use of the region_name argument is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release.
- has_service_catalog()¶
Return true if the authorization token has a service catalog.
- Returns:
boolean
- property initial_audit_id¶
The audit ID of the initially requested token.
This is the
audit_chain_id
if present or theaudit_id
.
- property is_federated¶
Return true if federation was used to get the token.
- Returns:
boolean
- classmethod is_valid(body, **kwargs)¶
Determine if processing valid v2 or v3 token.
Validates from the auth body or a user-provided dict.
- Returns:
true if auth body matches implementing class
- Return type:
boolean
- property issued¶
Return the token issue time (as datetime object).
- Returns:
datetime
- property management_url¶
Return the first adminURL of the identity endpoint.
The identity endpoint is from the service catalog associated with the authorization request, or None if the authentication request wasn’t scoped to a tenant (project).
DEPRECATED: this doesn’t correctly handle region name. You should fetch it from the service catalog yourself. This may be removed in the 2.0.0 release.
- Returns:
tuple of urls
- property oauth_access_token_id¶
Return the access token ID if OAuth authentication used.
- Returns:
str or None.
- property oauth_consumer_id¶
Return the consumer ID if OAuth authentication used.
- Returns:
str or None.
- property project_domain_id¶
Return the project’s domain id associated with the auth request.
For v2, it returns ‘default’ if a project is scoped or None which may be different from the keystone configuration.
- Returns:
str
- property project_domain_name¶
Return the project’s domain name associated with the auth request.
For v2, it returns ‘Default’ if a project is scoped or None which may be different from the keystone configuration.
- Returns:
str
- property project_id¶
Return the project ID associated with the auth request.
This returns None if the auth token wasn’t scoped to a project.
- Returns:
str or None (if no project associated with the token)
- property project_name¶
Return the project name associated with the auth request.
- Returns:
str or None (if no project associated with the token)
- property project_scoped¶
Return true if the auth token was scoped to a tenant(project).
- Returns:
bool
- property role_ids¶
Return a list of user’s role ids associated with the auth request.
- Returns:
a list of strings of role ids
- property role_names¶
Return a list of user’s role names associated with the auth request.
- Returns:
a list of strings of role names
- property scoped¶
Return true if the auth token was scoped.
Return true if scoped to a tenant(project) or domain, and contains a populated service catalog.
Warning
This is deprecated as of the 1.7.0 release in favor of project_scoped and may be removed in the 2.0.0 release.
- Returns:
bool
- property tenant_id¶
Synonym for project_id.
- property tenant_name¶
Synonym for project_name.
- property trust_id¶
Return the trust id associated with the auth request.
- Returns:
str or None (if no trust associated with the token)
- property trust_scoped¶
Return true if the auth token was scoped from a delegated trust.
The trust delegation is via the OS-TRUST v3 extension.
- Returns:
bool
- property trustee_user_id¶
Return the trustee user id associated with a trust.
- Returns:
str or None (if no trust associated with the token)
- property trustor_user_id¶
Return the trustor user id associated with a trust.
- Returns:
str or None (if no trust associated with the token)
- property user_domain_id¶
Return the user’s domain id associated with the auth request.
For v2, it always returns ‘default’ which may be different from the Keystone configuration.
- Returns:
str
- property user_domain_name¶
Return the user’s domain name associated with the auth request.
For v2, it always returns ‘Default’ which may be different from the Keystone configuration.
- Returns:
str
- property user_id¶
Return the user id associated with the auth request.
- Returns:
str
- property username¶
Return the username associated with the auth request.
Follows the pattern defined in the V2 API of first looking for ‘name’, returning that if available, and falling back to ‘username’ if name is unavailable.
- Returns:
str
- property version¶
Return the version of the auth token from identity service.
- Returns:
str
- will_expire_soon(stale_duration=None)¶
Determine if expiration is about to occur.
- Returns:
true if expiration is within the given duration
- Return type:
boolean
- class keystoneclient.access.AccessInfoV2(*args, **kwargs)¶
Bases:
AccessInfo
An object for encapsulating raw v2 auth token from identity service.
- property audit_chain_id¶
Return the audit chain ID if present.
In the event that a token was rescoped then this ID will be the
audit_id
of the initial token. Returns None if no value present.- Returns:
str or None.
- property audit_id¶
Return the audit ID if present.
- Returns:
str or None.
- property auth_token¶
Return the token_id associated with the auth request.
To be used in headers for authenticating OpenStack API requests.
- Returns:
str
- property auth_url¶
Deprecated as of the 1.7.0 release.
Use service_catalog.get_urls() instead. It may be removed in the 2.0.0 release.
- property domain_id¶
Return the domain id associated with the auth request.
- Returns:
str or None (if no domain associated with the token)
- property domain_name¶
Return the domain name associated with the auth request.
- Returns:
str or None (if no domain associated with the token)
- property domain_scoped¶
Return true if the auth token was scoped to a domain.
- Returns:
bool
- property expires¶
Return the token expiration (as datetime object).
- Returns:
datetime
- has_service_catalog()¶
Return true if the authorization token has a service catalog.
- Returns:
boolean
- property is_federated¶
Return true if federation was used to get the token.
- Returns:
boolean
- classmethod is_valid(body, **kwargs)¶
Determine if processing valid v2 or v3 token.
Validates from the auth body or a user-provided dict.
- Returns:
true if auth body matches implementing class
- Return type:
boolean
- property issued¶
Return the token issue time (as datetime object).
- Returns:
datetime
- property management_url¶
Deprecated as of the 1.7.0 release.
Use service_catalog.get_urls() instead. It may be removed in the 2.0.0 release.
- property oauth_access_token_id¶
Return the access token ID if OAuth authentication used.
- Returns:
str or None.
- property oauth_consumer_id¶
Return the consumer ID if OAuth authentication used.
- Returns:
str or None.
- property project_domain_id¶
Return the project’s domain id associated with the auth request.
For v2, it returns ‘default’ if a project is scoped or None which may be different from the keystone configuration.
- Returns:
str
- property project_domain_name¶
Return the project’s domain name associated with the auth request.
For v2, it returns ‘Default’ if a project is scoped or None which may be different from the keystone configuration.
- Returns:
str
- property project_id¶
Return the project ID associated with the auth request.
This returns None if the auth token wasn’t scoped to a project.
- Returns:
str or None (if no project associated with the token)
- property project_name¶
Return the project name associated with the auth request.
- Returns:
str or None (if no project associated with the token)
- property project_scoped¶
Return true if the auth token was scoped to a tenant(project).
- Returns:
bool
- property role_ids¶
Return a list of user’s role ids associated with the auth request.
- Returns:
a list of strings of role ids
- property role_names¶
Return a list of user’s role names associated with the auth request.
- Returns:
a list of strings of role names
- property scoped¶
Deprecated as of the 1.7.0 release.
Use project_scoped instead. It may be removed in the 2.0.0 release.
- property trust_id¶
Return the trust id associated with the auth request.
- Returns:
str or None (if no trust associated with the token)
- property trust_scoped¶
Return true if the auth token was scoped from a delegated trust.
The trust delegation is via the OS-TRUST v3 extension.
- Returns:
bool
- property trustee_user_id¶
Return the trustee user id associated with a trust.
- Returns:
str or None (if no trust associated with the token)
- property trustor_user_id¶
Return the trustor user id associated with a trust.
- Returns:
str or None (if no trust associated with the token)
- property user_domain_id¶
Return the user’s domain id associated with the auth request.
For v2, it always returns ‘default’ which may be different from the Keystone configuration.
- Returns:
str
- property user_domain_name¶
Return the user’s domain name associated with the auth request.
For v2, it always returns ‘Default’ which may be different from the Keystone configuration.
- Returns:
str
- property user_id¶
Return the user id associated with the auth request.
- Returns:
str
- property username¶
Return the username associated with the auth request.
Follows the pattern defined in the V2 API of first looking for ‘name’, returning that if available, and falling back to ‘username’ if name is unavailable.
- Returns:
str
- class keystoneclient.access.AccessInfoV3(token, *args, **kwargs)¶
Bases:
AccessInfo
An object encapsulating raw v3 auth token from identity service.
- property audit_chain_id¶
Return the audit chain ID if present.
In the event that a token was rescoped then this ID will be the
audit_id
of the initial token. Returns None if no value present.- Returns:
str or None.
- property audit_id¶
Return the audit ID if present.
- Returns:
str or None.
- property auth_url¶
Deprecated as of the 1.7.0 release.
Use service_catalog.get_urls() instead. It may be removed in the 2.0.0 release.
- property domain_id¶
Return the domain id associated with the auth request.
- Returns:
str or None (if no domain associated with the token)
- property domain_name¶
Return the domain name associated with the auth request.
- Returns:
str or None (if no domain associated with the token)
- property domain_scoped¶
Return true if the auth token was scoped to a domain.
- Returns:
bool
- property expires¶
Return the token expiration (as datetime object).
- Returns:
datetime
- has_service_catalog()¶
Return true if the authorization token has a service catalog.
- Returns:
boolean
- property is_federated¶
Return true if federation was used to get the token.
- Returns:
boolean
- classmethod is_valid(body, **kwargs)¶
Determine if processing valid v2 or v3 token.
Validates from the auth body or a user-provided dict.
- Returns:
true if auth body matches implementing class
- Return type:
boolean
- property issued¶
Return the token issue time (as datetime object).
- Returns:
datetime
- property management_url¶
Deprecated as of the 1.7.0 release.
Use service_catalog.get_urls() instead. It may be removed in the 2.0.0 release.
- property oauth_access_token_id¶
Return the access token ID if OAuth authentication used.
- Returns:
str or None.
- property oauth_consumer_id¶
Return the consumer ID if OAuth authentication used.
- Returns:
str or None.
- property project_domain_id¶
Return the project’s domain id associated with the auth request.
For v2, it returns ‘default’ if a project is scoped or None which may be different from the keystone configuration.
- Returns:
str
- property project_domain_name¶
Return the project’s domain name associated with the auth request.
For v2, it returns ‘Default’ if a project is scoped or None which may be different from the keystone configuration.
- Returns:
str
- property project_id¶
Return the project ID associated with the auth request.
This returns None if the auth token wasn’t scoped to a project.
- Returns:
str or None (if no project associated with the token)
- property project_name¶
Return the project name associated with the auth request.
- Returns:
str or None (if no project associated with the token)
- property project_scoped¶
Return true if the auth token was scoped to a tenant(project).
- Returns:
bool
- property role_ids¶
Return a list of user’s role ids associated with the auth request.
- Returns:
a list of strings of role ids
- property role_names¶
Return a list of user’s role names associated with the auth request.
- Returns:
a list of strings of role names
- property scoped¶
Deprecated as of the 1.7.0 release.
Use project_scoped instead. It may be removed in the 2.0.0 release.
- property trust_id¶
Return the trust id associated with the auth request.
- Returns:
str or None (if no trust associated with the token)
- property trust_scoped¶
Return true if the auth token was scoped from a delegated trust.
The trust delegation is via the OS-TRUST v3 extension.
- Returns:
bool
- property trustee_user_id¶
Return the trustee user id associated with a trust.
- Returns:
str or None (if no trust associated with the token)
- property trustor_user_id¶
Return the trustor user id associated with a trust.
- Returns:
str or None (if no trust associated with the token)
- property user_domain_id¶
Return the user’s domain id associated with the auth request.
For v2, it always returns ‘default’ which may be different from the Keystone configuration.
- Returns:
str
- property user_domain_name¶
Return the user’s domain name associated with the auth request.
For v2, it always returns ‘Default’ which may be different from the Keystone configuration.
- Returns:
str
- property user_id¶
Return the user id associated with the auth request.
- Returns:
str
- property username¶
Return the username associated with the auth request.
Follows the pattern defined in the V2 API of first looking for ‘name’, returning that if available, and falling back to ‘username’ if name is unavailable.
- Returns:
str
keystoneclient.adapter module¶
- class keystoneclient.adapter.Adapter(session, service_type=None, service_name=None, interface=None, region_name=None, endpoint_override=None, version=None, auth=None, user_agent=None, connect_retries=None, logger=None)¶
Bases:
object
An instance of a session with local variables.
A session is a global object that is shared around amongst many clients. It therefore contains state that is relevant to everyone. There is a lot of state such as the service type and region_name that are only relevant to a particular client that is using the session. An adapter provides a wrapper of client local data around the global session object.
- Parameters:
session (keystoneclient.session.Session) – The session object to wrap.
service_type (str) – The default service_type for URL discovery.
service_name (str) – The default service_name for URL discovery.
interface (str) – The default interface for URL discovery.
region_name (str) – The default region_name for URL discovery.
endpoint_override (str) – Always use this endpoint URL for requests for this client.
version (tuple) – The version that this API targets.
auth (keystoneclient.auth.base.BaseAuthPlugin) – An auth plugin to use instead of the session one.
user_agent (str) – The User-Agent string to set.
connect_retries (int) – the maximum number of retries that should be attempted for connection errors. Default None - use session default which is don’t retry.
logger (logging.Logger) – A logging object to use for requests that pass through this adapter.
- delete(url, **kwargs)¶
- get(url, **kwargs)¶
- get_endpoint(auth=None, **kwargs)¶
Get an endpoint as provided by the auth plugin.
- Parameters:
auth (
keystoneclient.auth.base.BaseAuthPlugin
) – The auth plugin to use for token. Overrides the plugin on the session. (optional)- Raises:
keystoneclient.exceptions.MissingAuthPlugin – if a plugin is not available.
- Returns:
An endpoint if available or None.
- Return type:
string
- get_project_id(auth=None)¶
Return the authenticated project_id as provided by the auth plugin.
- Parameters:
auth (keystoneclient.auth.base.BaseAuthPlugin) – The auth plugin to use for token. Overrides the plugin on the session. (optional)
- Raises:
keystoneclient.exceptions.AuthorizationFailure – if a new token fetch fails.
keystoneclient.exceptions.MissingAuthPlugin – if a plugin is not available.
- Returns:
Current project_id or None if not supported by plugin.
- Return type:
string
- get_token(auth=None)¶
Return a token as provided by the auth plugin.
- Parameters:
auth (
keystoneclient.auth.base.BaseAuthPlugin
) – The auth plugin to use for token. Overrides the plugin on the session. (optional)- Raises:
keystoneclient.exceptions.AuthorizationFailure – if a new token fetch fails.
- Returns:
A valid token.
- Return type:
string
- get_user_id(auth=None)¶
Return the authenticated user_id as provided by the auth plugin.
- Parameters:
auth (keystoneclient.auth.base.BaseAuthPlugin) – The auth plugin to use for token. Overrides the plugin on the session. (optional)
- Raises:
keystoneclient.exceptions.AuthorizationFailure – if a new token fetch fails.
keystoneclient.exceptions.MissingAuthPlugin – if a plugin is not available.
- Returns:
Current user_id or None if not supported by plugin.
- Return type:
string
- head(url, **kwargs)¶
- invalidate(auth=None)¶
Invalidate an authentication plugin.
- patch(url, **kwargs)¶
- post(url, **kwargs)¶
- put(url, **kwargs)¶
- request(url, method, **kwargs)¶
- class keystoneclient.adapter.LegacyJsonAdapter(session, service_type=None, service_name=None, interface=None, region_name=None, endpoint_override=None, version=None, auth=None, user_agent=None, connect_retries=None, logger=None)¶
Bases:
Adapter
Make something that looks like an old HTTPClient.
A common case when using an adapter is that we want an interface similar to the HTTPClients of old which returned the body as JSON as well.
You probably don’t want this if you are starting from scratch.
- request(*args, **kwargs)¶
keystoneclient.base module¶
Base utilities to build API operation managers and objects on top of.
- class keystoneclient.base.CrudManager(client)¶
Bases:
Manager
Base manager class for manipulating Keystone entities.
Children of this class are expected to define a collection_key and key.
collection_key: Usually a plural noun by convention (e.g. entities); used to refer collections in both URL’s (e.g. /v3/entities) and JSON objects containing a list of member resources (e.g. {‘entities’: [{}, {}, {}]}).
key: Usually a singular noun by convention (e.g. entity); used to refer to an individual member of the collection.
- base_url = None¶
- build_key_only_query(params_list)¶
Build a query that does not include values, just keys.
The Identity API has some calls that define queries without values, this can not be accomplished by using urllib.parse.urlencode(). This method builds a query using only the keys.
- build_url(dict_args_in_out=None)¶
Build a resource URL for the given kwargs.
Given an example collection where collection_key = ‘entities’ and key = ‘entity’, the following URL’s could be generated.
By default, the URL will represent a collection of entities, e.g.:
/entities
If kwargs contains an entity_id, then the URL will represent a specific member, e.g.:
/entities/{entity_id}
If a base_url is provided, the generated URL will be appended to it.
If a ‘tail’ is provided, it will be appended to the end of the URL.
- collection_key = None¶
- create(**kwargs)¶
- delete(**kwargs)¶
- find(**kwargs)¶
Find a single item with attributes matching
**kwargs
.
- get(**kwargs)¶
- head(**kwargs)¶
- key = None¶
- list(fallback_to_auth=False, **kwargs)¶
- put(**kwargs)¶
- update(**kwargs)¶
- class keystoneclient.base.Manager(client)¶
Bases:
object
Basic manager type providing common operations.
Managers interact with a particular type of API (servers, flavors, images, etc.) and provide CRUD operations for them.
- Parameters:
client – instance of BaseClient descendant for HTTP requests
- property api¶
The client.
Warning
This property is deprecated as of the 1.7.0 release in favor of
client()
and may be removed in the 2.0.0 release.
- resource_class = None¶
- class keystoneclient.base.ManagerWithFind(client)¶
Bases:
Manager
Manager with additional find()/findall() methods.
- find(**kwargs)¶
Find a single item with attributes matching
**kwargs
.This isn’t very efficient: it loads the entire list then filters on the Python side.
- findall(**kwargs)¶
Find all items with attributes matching
**kwargs
.This isn’t very efficient: it loads the entire list then filters on the Python side.
- abstract list()¶
- class keystoneclient.base.Resource(manager, info, loaded=False)¶
Bases:
object
Base class for OpenStack resources (tenant, user, etc.).
This is pretty much just a bag for attributes.
- HUMAN_ID = False¶
- NAME_ATTR = 'name'¶
- delete()¶
- get()¶
Support for lazy loading details.
Some clients, such as novaclient have the option to lazy load the details, details which can be loaded with this function.
- property human_id¶
Human-readable ID which can be used for bash completion.
- is_loaded()¶
- set_loaded(val)¶
- to_dict()¶
- keystoneclient.base.filter_kwargs(f)¶
- keystoneclient.base.filter_none(**kwargs)¶
Remove any entries from a dictionary where the value is None.
- keystoneclient.base.getid(obj)¶
Return id if argument is a Resource.
Abstracts the common pattern of allowing both an object or an object’s ID (UUID) as a parameter when dealing with relationships.
keystoneclient.baseclient module¶
keystoneclient.client module¶
- keystoneclient.client.Client(version=None, unstable=False, session=None, **kwargs)¶
Factory function to create a new identity service client.
The returned client will be either a V3 or V2 client. Check the version using the
version
property or the instance’s class (with instanceof).- Parameters:
version (tuple) – The required version of the identity API. If specified the client will be selected such that the major version is equivalent and an endpoint provides at least the specified minor version. For example to specify the 3.1 API use
(3, 1)
. (optional)unstable (bool) – Accept endpoints not marked as ‘stable’. (optional)
session (keystoneclient.session.Session) – A session object to be used for communication. If one is not provided it will be constructed from the provided kwargs. (optional)
kwargs – Additional arguments are passed through to the client that is being created.
- Returns:
New keystone client object.
- Return type:
keystoneclient.v3.client.Client
orkeystoneclient.v2_0.client.Client
- Raises:
keystoneclient.exceptions.DiscoveryFailure – if the server’s response is invalid.
keystoneclient.exceptions.VersionNotAvailable – if a suitable client cannot be found.
- class keystoneclient.client.HTTPClient(username=None, tenant_id=None, tenant_name=None, password=None, auth_url=None, region_name=None, endpoint=None, token=None, auth_ref=None, use_keyring=False, force_new_token=False, stale_duration=None, user_id=None, user_domain_id=None, user_domain_name=None, domain_id=None, domain_name=None, project_id=None, project_name=None, project_domain_id=None, project_domain_name=None, trust_id=None, session=None, service_name=None, interface='admin', endpoint_override=None, auth=None, user_agent='python-keystoneclient', connect_retries=None, **kwargs)¶
Bases:
HTTPClient
Deprecated alias for httpclient.HTTPClient.
This class is deprecated as of the 1.7.0 release in favor of
keystoneclient.httpclient.HTTPClient
and may be removed in the 2.0.0 release.
keystoneclient.discover module¶
- class keystoneclient.discover.Discover(session=None, authenticated=None, **kwargs)¶
Bases:
Discover
A means to discover and create clients.
Clients are created depending on the supported API versions on the server.
Querying the server is done on object creation and every subsequent method operates upon the data that was retrieved.
The connection parameters associated with this method are the same format and name as those used by a client (see
keystoneclient.v2_0.client.Client
andkeystoneclient.v3.client.Client
). If not overridden in subsequent methods they will also be what is passed to the constructed client.In the event that auth_url and endpoint is provided then auth_url will be used in accordance with how the client operates.
Warning
Creating an instance of this class without using the session argument is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release.
- Parameters:
session (keystoneclient.session.Session) – A session object that will be used for communication. Clients will also be constructed with this session.
auth_url (string) – Identity service endpoint for authorization. (optional)
endpoint (string) – A user-supplied endpoint URL for the identity service. (optional)
original_ip (string) – The original IP of the requesting user which will be sent to identity service in a ‘Forwarded’ header. (optional) This is ignored if a session is provided. Deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release.
debug (boolean) – Enables debug logging of all request and responses to the identity service. default False (optional) This is ignored if a session is provided. Deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release.
cacert (string) – Path to the Privacy Enhanced Mail (PEM) file which contains the trusted authority X.509 certificates needed to established SSL connection with the identity service. (optional) This is ignored if a session is provided. Deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release.
key (string) – Path to the Privacy Enhanced Mail (PEM) file which contains the unencrypted client private key needed to established two-way SSL connection with the identity service. (optional) This is ignored if a session is provided. Deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release.
cert (string) – Path to the Privacy Enhanced Mail (PEM) file which contains the corresponding X.509 client certificate needed to established two-way SSL connection with the identity service. (optional) This is ignored if a session is provided. Deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release.
insecure (boolean) – Does not perform X.509 certificate validation when establishing SSL connection with identity service. default: False (optional) This is ignored if a session is provided. Deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release.
authenticated (bool) – Should a token be used to perform the initial discovery operations. default: None (attach a token if an auth plugin is available).
- available_versions(**kwargs)¶
Return a list of identity APIs available on the server.
The list returned includes the data associated with them.
Warning
This method is deprecated as of the 1.7.0 release in favor of
raw_version_data()
and may be removed in the 2.0.0 release.- Parameters:
unstable (bool) – Accept endpoints not marked ‘stable’. (optional) Equates to setting allow_experimental and allow_unknown to True.
allow_experimental (bool) – Allow experimental version endpoints.
allow_deprecated (bool) – Allow deprecated version endpoints.
allow_unknown (bool) – Allow endpoints with an unrecognised status.
- Returns:
A List of dictionaries as presented by the server. Each dict will contain the version and the URL to use for the version. It is a direct representation of the layout presented by the identity API.
- create_client(version=None, unstable=False, **kwargs)¶
Factory function to create a new identity service client.
- Parameters:
version (tuple) – The required version of the identity API. If specified the client will be selected such that the major version is equivalent and an endpoint provides at least the specified minor version. For example to specify the 3.1 API use (3, 1). (optional)
unstable (bool) – Accept endpoints not marked ‘stable’. (optional)
kwargs – Additional arguments will override those provided to this object’s constructor.
- Returns:
An instantiated identity client object.
- Raises:
keystoneclient.exceptions.DiscoveryFailure – if the server response is invalid
keystoneclient.exceptions.VersionNotAvailable – if a suitable client cannot be found.
- raw_version_data(unstable=False, **kwargs)¶
Get raw version information from URL.
Raw data indicates that only minimal validation processing is performed on the data, so what is returned here will be the data in the same format it was received from the endpoint.
- Parameters:
unstable (bool) – equates to setting allow_experimental and allow_unknown. This argument is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release.
allow_experimental (bool) – Allow experimental version endpoints.
allow_deprecated (bool) – Allow deprecated version endpoints.
allow_unknown (bool) – Allow endpoints with an unrecognised status.
- Returns:
The endpoints returned from the server that match the criteria.
- Return type:
List
Example:
>>> from keystoneclient import discover >>> disc = discover.Discovery(auth_url='http://localhost:5000') >>> disc.raw_version_data() [{'id': 'v3.0', 'links': [{'href': u'http://127.0.0.1:5000/v3/', 'rel': u'self'}], 'media-types': [ {'base': 'application/json', 'type': 'application/vnd.openstack.identity-v3+json'}, {'base': 'application/xml', 'type': 'application/vnd.openstack.identity-v3+xml'}], 'status': 'stable', 'updated': '2013-03-06T00:00:00Z'}, {'id': 'v2.0', 'links': [{'href': u'http://127.0.0.1:5000/v2.0/', 'rel': u'self'}, {'href': u'...', 'rel': u'describedby', 'type': u'application/pdf'}], 'media-types': [ {'base': 'application/json', 'type': 'application/vnd.openstack.identity-v2.0+json'}, {'base': 'application/xml', 'type': 'application/vnd.openstack.identity-v2.0+xml'}], 'status': 'stable', 'updated': '2013-03-06T00:00:00Z'}]
- keystoneclient.discover.add_catalog_discover_hack(service_type, old, new)¶
Add a version removal rule for a particular service.
Originally deployments of OpenStack would contain a versioned endpoint in the catalog for different services. E.g. an identity service might look like
http://localhost:5000/v2.0
. This is a problem when we want to use a different version like v3.0 as there is no way to tell where it is located. We cannot simply change all service catalogs either so there must be a way to handle the older style of catalog.This function adds a rule for a given service type that if part of the URL matches a given regular expression in old then it will be replaced with the new value. This will replace all instances of old with new. It should therefore contain a regex anchor.
For example the included rule states:
add_catalog_version_hack('identity', re.compile('/v2.0/?$'), '/')
so if the catalog retrieves an identity URL that ends with /v2.0 or /v2.0/ then it should replace it simply with / to fix the user’s catalog.
- keystoneclient.discover.available_versions(url, session=None, **kwargs)¶
Retrieve raw version data from a url.
- keystoneclient.discover.normalize_version_number(version)¶
Turn a version representation into a tuple.
Takes a string, tuple or float which represent version formats we can handle and converts them into a (major, minor) version tuple that we can actually use for discovery.
- e.g. ‘v3.3’ gives (3, 3)
3.1 gives (3, 1)
- keystoneclient.discover.version_match(required, candidate)¶
Test that an available version satisfies the required version.
To be suitable a version must be of the same major version as required and be at least a match in minor/patch level.
eg. 3.3 is a match for a required 3.1 but 4.1 is not.
keystoneclient.exceptions module¶
Exception definitions.
- exception keystoneclient.exceptions.AmbiguousEndpoints(endpoints=None)¶
Bases:
CatalogException
Found more than one matching endpoint in Service Catalog.
- exception keystoneclient.exceptions.AuthPluginOptionsMissing(opt_names)¶
Bases:
AuthorizationFailure
Auth plugin misses some options.
- exception keystoneclient.exceptions.AuthSystemNotFound(auth_system)¶
Bases:
AuthorizationFailure
User has specified an AuthSystem that is not installed.
- exception keystoneclient.exceptions.AuthorizationFailure(message=None)¶
Bases:
ClientException
- message = 'Cannot authorize API client.'¶
- exception keystoneclient.exceptions.BadGateway(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HttpServerError
HTTP 502 - Bad Gateway.
The server was acting as a gateway or proxy and received an invalid response from the upstream server.
- http_status = 502¶
- message = 'Bad Gateway'¶
- exception keystoneclient.exceptions.BadRequest(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HTTPClientError
HTTP 400 - Bad Request.
The request cannot be fulfilled due to bad syntax.
- http_status = 400¶
- message = 'Bad Request'¶
- exception keystoneclient.exceptions.CMSError(output)¶
Bases:
Exception
Error reading the certificate.
- exception keystoneclient.exceptions.CertificateConfigError(output)¶
Bases:
Exception
Error reading the certificate.
- exception keystoneclient.exceptions.ClientException(message=None)¶
Bases:
Exception
The base exception for everything to do with clients.
- message = 'ClientException'¶
- exception keystoneclient.exceptions.CommandError(message=None)¶
Bases:
ClientException
Error in CLI tool.
- exception keystoneclient.exceptions.Conflict(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HTTPClientError
HTTP 409 - Conflict.
Indicates that the request could not be processed because of conflict in the request, such as an edit conflict.
- http_status = 409¶
- message = 'Conflict'¶
- exception keystoneclient.exceptions.ConnectionError(message=None)¶
Bases:
ClientException
- message = 'Cannot connect to API service.'¶
- keystoneclient.exceptions.ConnectionRefused¶
Connection refused while trying to connect to API service.
An alias of
keystoneauth1.exceptions.connection.ConnectFailure
- exception keystoneclient.exceptions.DiscoveryFailure(message=None)¶
Bases:
ClientException
- message = 'Discovery of client versions failed.'¶
- exception keystoneclient.exceptions.EmptyCatalog(message=None)¶
Bases:
EndpointNotFound
- message = 'The service catalog is empty.'¶
- keystoneclient.exceptions.EndpointException¶
Something is rotten in Service Catalog.
An alias of
keystoneauth1.exceptions.catalog.CatalogException
- exception keystoneclient.exceptions.EndpointNotFound(message=None)¶
Bases:
CatalogException
- message = 'Could not find requested endpoint in Service Catalog.'¶
- exception keystoneclient.exceptions.ExpectationFailed(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HTTPClientError
HTTP 417 - Expectation Failed.
The server cannot meet the requirements of the Expect request-header field.
- http_status = 417¶
- message = 'Expectation Failed'¶
- exception keystoneclient.exceptions.Forbidden(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HTTPClientError
HTTP 403 - Forbidden.
The request was a valid request, but the server is refusing to respond to it.
- http_status = 403¶
- message = 'Forbidden'¶
- exception keystoneclient.exceptions.GatewayTimeout(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HttpServerError
HTTP 504 - Gateway Timeout.
The server was acting as a gateway or proxy and did not receive a timely response from the upstream server.
- http_status = 504¶
- message = 'Gateway Timeout'¶
- exception keystoneclient.exceptions.Gone(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HTTPClientError
HTTP 410 - Gone.
Indicates that the resource requested is no longer available and will not be available again.
- http_status = 410¶
- message = 'Gone'¶
- exception keystoneclient.exceptions.HTTPClientError(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HttpError
Client-side HTTP error.
Exception for cases in which the client seems to have erred.
- message = 'HTTP Client Error'¶
- exception keystoneclient.exceptions.HTTPRedirection(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HttpError
HTTP Redirection.
- message = 'HTTP Redirection'¶
- exception keystoneclient.exceptions.HttpError(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
ClientException
The base exception class for all HTTP exceptions.
- http_status = 0¶
- message = 'HTTP Error'¶
- exception keystoneclient.exceptions.HttpNotImplemented(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HttpServerError
HTTP 501 - Not Implemented.
The server either does not recognize the request method, or it lacks the ability to fulfill the request.
- http_status = 501¶
- message = 'Not Implemented'¶
- exception keystoneclient.exceptions.HttpServerError(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HttpError
Server-side HTTP error.
Exception for cases in which the server is aware that it has erred or is incapable of performing the request.
- message = 'HTTP Server Error'¶
- exception keystoneclient.exceptions.HttpVersionNotSupported(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HttpServerError
HTTP 505 - HttpVersion Not Supported.
The server does not support the HTTP protocol version used in the request.
- http_status = 505¶
- message = 'HTTP Version Not Supported'¶
- exception keystoneclient.exceptions.InternalServerError(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HttpServerError
HTTP 500 - Internal Server Error.
A generic error message, given when no more specific message is suitable.
- http_status = 500¶
- message = 'Internal Server Error'¶
- exception keystoneclient.exceptions.InvalidResponse(response)¶
Bases:
ClientException
The response from the server is not valid for this request.
- exception keystoneclient.exceptions.LengthRequired(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HTTPClientError
HTTP 411 - Length Required.
The request did not specify the length of its content, which is required by the requested resource.
- http_status = 411¶
- message = 'Length Required'¶
- exception keystoneclient.exceptions.MethodNotAllowed(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HTTPClientError
HTTP 405 - Method Not Allowed.
A request was made of a resource using a request method not supported by that resource.
- http_status = 405¶
- message = 'Method Not Allowed'¶
- exception keystoneclient.exceptions.MethodNotImplemented(message=None)¶
Bases:
ClientException
Method not implemented by the keystoneclient API.
- exception keystoneclient.exceptions.MissingAuthPlugin(message=None)¶
Bases:
AuthPluginException
- message = 'An authenticated request is required but no plugin available.'¶
- exception keystoneclient.exceptions.MultipleChoices(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HTTPRedirection
HTTP 300 - Multiple Choices.
Indicates multiple options for the resource that the client may follow.
- http_status = 300¶
- message = 'Multiple Choices'¶
- exception keystoneclient.exceptions.NoMatchingPlugin(name)¶
Bases:
AuthPluginException
No auth plugins could be created from the parameters provided.
- Parameters:
name (str) – The name of the plugin that was attempted to load.
- name¶
The name of the plugin that was attempted to load.
- exception keystoneclient.exceptions.NoUniqueMatch(message=None)¶
Bases:
ClientException
Multiple entities found instead of one.
- exception keystoneclient.exceptions.NotAcceptable(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HTTPClientError
HTTP 406 - Not Acceptable.
The requested resource is only capable of generating content not acceptable according to the Accept headers sent in the request.
- http_status = 406¶
- message = 'Not Acceptable'¶
- exception keystoneclient.exceptions.NotFound(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HTTPClientError
HTTP 404 - Not Found.
The requested resource could not be found but may be available again in the future.
- http_status = 404¶
- message = 'Not Found'¶
- exception keystoneclient.exceptions.PaymentRequired(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HTTPClientError
HTTP 402 - Payment Required.
Reserved for future use.
- http_status = 402¶
- message = 'Payment Required'¶
- exception keystoneclient.exceptions.PreconditionFailed(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HTTPClientError
HTTP 412 - Precondition Failed.
The server does not meet one of the preconditions that the requester put on the request.
- http_status = 412¶
- message = 'Precondition Failed'¶
- exception keystoneclient.exceptions.ProxyAuthenticationRequired(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HTTPClientError
HTTP 407 - Proxy Authentication Required.
The client must first authenticate itself with the proxy.
- http_status = 407¶
- message = 'Proxy Authentication Required'¶
- exception keystoneclient.exceptions.RequestEntityTooLarge(*args, **kwargs)¶
Bases:
HTTPClientError
HTTP 413 - Request Entity Too Large.
The request is larger than the server is willing or able to process.
- http_status = 413¶
- message = 'Request Entity Too Large'¶
- exception keystoneclient.exceptions.RequestTimeout(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HTTPClientError
HTTP 408 - Request Timeout.
The server timed out waiting for the request.
- http_status = 408¶
- message = 'Request Timeout'¶
- exception keystoneclient.exceptions.RequestUriTooLong(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HTTPClientError
HTTP 414 - Request-URI Too Long.
The URI provided was too long for the server to process.
- http_status = 414¶
- message = 'Request-URI Too Long'¶
- exception keystoneclient.exceptions.RequestedRangeNotSatisfiable(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HTTPClientError
HTTP 416 - Requested Range Not Satisfiable.
The client has asked for a portion of the file, but the server cannot supply that portion.
- http_status = 416¶
- message = 'Requested Range Not Satisfiable'¶
- exception keystoneclient.exceptions.SSLError(message=None)¶
Bases:
ConnectionError
- message = 'An SSL error occurred.'¶
Bases:
HttpServerError
HTTP 503 - Service Unavailable.
The server is currently unavailable.
- exception keystoneclient.exceptions.Unauthorized(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HTTPClientError
HTTP 401 - Unauthorized.
Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided.
- http_status = 401¶
- message = 'Unauthorized'¶
- exception keystoneclient.exceptions.UnprocessableEntity(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HTTPClientError
HTTP 422 - Unprocessable Entity.
The request was well-formed but was unable to be followed due to semantic errors.
- http_status = 422¶
- message = 'Unprocessable Entity'¶
- exception keystoneclient.exceptions.UnsupportedMediaType(message=None, details=None, response=None, request_id=None, url=None, method=None, http_status=None, retry_after=0)¶
Bases:
HTTPClientError
HTTP 415 - Unsupported Media Type.
The request entity has a media type which the server or resource does not support.
- http_status = 415¶
- message = 'Unsupported Media Type'¶
- exception keystoneclient.exceptions.UnsupportedParameters(names)¶
Bases:
ClientException
A parameter that was provided or returned is not supported.
- Parameters:
names (List(str)) – Names of the unsupported parameters.
- names¶
Names of the unsupported parameters.
- exception keystoneclient.exceptions.UnsupportedVersion(message=None)¶
Bases:
ClientException
User is trying to use an unsupported version of the API.
- exception keystoneclient.exceptions.ValidationError(message=None)¶
Bases:
ClientException
Error in validation on API client side.
- exception keystoneclient.exceptions.VersionNotAvailable(message=None)¶
Bases:
DiscoveryFailure
- message = 'Discovery failed. Requested version is not available.'¶
keystoneclient.httpclient module¶
OpenStack Client interface. Handles the REST calls and responses.
- class keystoneclient.httpclient.HTTPClient(username=None, tenant_id=None, tenant_name=None, password=None, auth_url=None, region_name=None, endpoint=None, token=None, auth_ref=None, use_keyring=False, force_new_token=False, stale_duration=None, user_id=None, user_domain_id=None, user_domain_name=None, domain_id=None, domain_name=None, project_id=None, project_name=None, project_domain_id=None, project_domain_name=None, trust_id=None, session=None, service_name=None, interface='admin', endpoint_override=None, auth=None, user_agent='python-keystoneclient', connect_retries=None, **kwargs)¶
Bases:
Client
,BaseAuthPlugin
HTTP client.
Warning
Creating an instance of this class without using the session argument is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release.
- Parameters:
user_id (string) – User ID for authentication. (optional)
username (string) – Username for authentication. (optional)
user_domain_id (string) – User’s domain ID for authentication. (optional)
user_domain_name (string) – User’s domain name for authentication. (optional)
password (string) – Password for authentication. (optional)
domain_id (string) – Domain ID for domain scoping. (optional)
domain_name (string) – Domain name for domain scoping. (optional)
project_id (string) – Project ID for project scoping. (optional)
project_name (string) – Project name for project scoping. (optional)
project_domain_id (string) – Project’s domain ID for project scoping. (optional)
project_domain_name (string) – Project’s domain name for project scoping. (optional)
auth_url (string) – Identity service endpoint for authorization.
region_name (string) – Name of a region to select when choosing an endpoint from the service catalog.
timeout (integer) – This argument is deprecated as of the 1.7.0 release in favor of session and may be removed in the 2.0.0 release. (optional)
endpoint (string) – A user-supplied endpoint URL for the identity service. Lazy-authentication is possible for API service calls if endpoint is set at instantiation. (optional)
token (string) – Token for authentication. (optional)
cacert (string) – This argument is deprecated as of the 1.7.0 release in favor of session and may be removed in the 2.0.0 release. (optional)
key (string) – This argument is deprecated as of the 1.7.0 release in favor of session and may be removed in the 2.0.0 release. (optional)
cert (string) – This argument is deprecated as of the 1.7.0 release in favor of session and may be removed in the 2.0.0 release. (optional)
insecure (boolean) – This argument is deprecated as of the 1.7.0 release in favor of session and may be removed in the 2.0.0 release. (optional)
original_ip (string) – This argument is deprecated as of the 1.7.0 release in favor of session and may be removed in the 2.0.0 release. (optional)
auth_ref (dict) – To allow for consumers of the client to manage their own caching strategy, you may initialize a client with a previously captured auth_reference (token). If there are keyword arguments passed that also exist in auth_ref, the value from the argument will take precedence.
use_keyring (boolean) – Enables caching auth_ref into keyring. default: False (optional)
force_new_token (boolean) – Keyring related parameter, forces request for new token. default: False (optional)
stale_duration (integer) – Gap in seconds to determine if token from keyring is about to expire. default: 30 (optional)
tenant_name (string) – Tenant name. (optional) The tenant_name keyword argument is deprecated as of the 1.7.0 release in favor of project_name and may be removed in the 2.0.0 release.
tenant_id (string) – Tenant id. (optional) The tenant_id keyword argument is deprecated as of the 1.7.0 release in favor of project_id and may be removed in the 2.0.0 release.
trust_id (string) – Trust ID for trust scoping. (optional)
session (keystoneclient.session.Session) – A Session object to be used for communicating with the identity service.
service_name (string) – The default service_name for URL discovery. default: None (optional)
interface (string) – The default interface for URL discovery. default: admin (optional)
endpoint_override (string) – Always use this endpoint URL for requests for this client. (optional)
auth (keystoneclient.auth.base.BaseAuthPlugin) – An auth plugin to use instead of the session one. (optional)
user_agent (string) – The User-Agent string to set. default: python-keystoneclient (optional)
connect_retries (int) – the maximum number of retries that should be attempted for connection errors. Default None - use session default which is don’t retry. (optional)
- property auth_token¶
- authenticate(username=None, password=None, tenant_name=None, tenant_id=None, auth_url=None, token=None, user_id=None, domain_name=None, domain_id=None, project_name=None, project_id=None, user_domain_id=None, user_domain_name=None, project_domain_id=None, project_domain_name=None, trust_id=None, region_name=None)¶
Authenticate user.
Uses the data provided at instantiation to authenticate against the Identity server. This may use either a username and password or token for authentication. If a tenant name or id was provided then the resulting authenticated client will be scoped to that tenant and contain a service catalog of available endpoints.
With the v2.0 API, if a tenant name or ID is not provided, the authentication token returned will be ‘unscoped’ and limited in capabilities until a fully-scoped token is acquired.
With the v3 API, if a domain name or id was provided then the resulting authenticated client will be scoped to that domain. If a project name or ID is not provided, and the authenticating user has a default project configured, the authentication token returned will be ‘scoped’ to the default project. Otherwise, the authentication token returned will be ‘unscoped’ and limited in capabilities until a fully-scoped token is acquired.
With the v3 API, with the OS-TRUST extension enabled, the trust_id can be provided to allow project-specific role delegation between users
If successful, sets the self.auth_ref and self.auth_token with the returned token. If not already set, will also set self.management_url from the details provided in the token.
- Returns:
True
if authentication was successful.- Raises:
keystoneclient.exceptions.AuthorizationFailure – if unable to authenticate or validate the existing authorization token
keystoneclient.exceptions.ValueError – if insufficient parameters are used.
If keyring is used, token is retrieved from keyring instead. Authentication will only be necessary if any of the following conditions are met:
keyring is not used
if token is not found in keyring
if token retrieved from keyring is expired or about to expired (as determined by stale_duration)
if force_new_token is true
- delete(url, **kwargs)¶
Perform an authenticate DELETE request.
This calls
request()
withmethod
set toDELETE
and an authentication token if one is available.Warning
DEPRECATED: This function is no longer used and is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release. It was designed to be used by the managers and the managers now receive an adapter so this function is no longer on the standard request path.
- deprecated_adapter_variables = {'region_name': None}¶
- deprecated_session_variables = {'cert': None, 'original_ip': None, 'timeout': None, 'verify_cert': 'verify'}¶
- get(url, **kwargs)¶
Perform an authenticated GET request.
This calls
request()
withmethod
set toGET
and an authentication token if one is available.Warning
DEPRECATED: This function is no longer used and is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release. It was designed to be used by the managers and the managers now receive an adapter so this function is no longer on the standard request path.
- get_auth_ref_from_keyring(**kwargs)¶
Retrieve auth_ref from keyring.
If auth_ref is found in keyring, (keyring_key, auth_ref) is returned. Otherwise, (keyring_key, None) is returned.
- Returns:
(keyring_key, auth_ref) or (keyring_key, None)
- Returns:
or (None, None) if use_keyring is not set in the object
- get_endpoint(session, interface=None, **kwargs)¶
Return an endpoint for the client.
There are no required keyword arguments to
get_endpoint
as a plugin implementation should use best effort with the information available to determine the endpoint. However there are certain standard options that will be generated by the clients and should be used by plugins:service_type
: what sort of service is required.service_name
: the name of the service in the catalog.interface
: what visibility the endpoint should have.region_name
: the region the endpoint exists in.
- Parameters:
session (keystoneclient.session.Session) – The session object that the auth_plugin belongs to.
- Returns:
The base URL that will be used to talk to the required service or None if not available.
- Return type:
string
- get_project_id(session, **kwargs)¶
Return the project id that we are authenticated to.
Wherever possible the project id should be inferred from the token however there are certain URLs and other places that require access to the currently authenticated project id.
- Parameters:
session (keystoneclient.session.Session) – A session object so the plugin can make HTTP calls.
- Returns:
A project identifier or None if one is not available.
- Return type:
- get_raw_token_from_identity_service(auth_url, username=None, password=None, tenant_name=None, tenant_id=None, token=None, user_id=None, user_domain_id=None, user_domain_name=None, domain_id=None, domain_name=None, project_id=None, project_name=None, project_domain_id=None, project_domain_name=None, trust_id=None)¶
Authenticate against the Identity API and get a token.
Not implemented here because auth protocols should be API version-specific.
Expected to authenticate or validate an existing authentication reference already associated with the client. Invoking this call always makes a call to the Identity service.
- Returns:
(
resp
,body
)
- get_token(session, **kwargs)¶
Obtain a token.
How the token is obtained is up to the plugin. If it is still valid it may be re-used, retrieved from cache or invoke an authentication request against a server.
There are no required kwargs. They are passed directly to the auth plugin and they are implementation specific.
Returning None will indicate that no token was able to be retrieved.
This function is misplaced as it should only be required for auth plugins that use the ‘X-Auth-Token’ header. However due to the way plugins evolved this method is required and often called to trigger an authentication request on a new plugin.
When implementing a new plugin it is advised that you implement this method, however if you don’t require the ‘X-Auth-Token’ header override the get_headers method instead.
- Parameters:
session (keystoneclient.session.Session) – A session object so the plugin can make HTTP calls.
- Returns:
A token to use.
- Return type:
string
- get_user_id(session, **kwargs)¶
Return a unique user identifier of the plugin.
Wherever possible the user id should be inferred from the token however there are certain URLs and other places that require access to the currently authenticated user id.
- Parameters:
session (keystoneclient.session.Session) – A session object so the plugin can make HTTP calls.
- Returns:
A user identifier or None if one is not available.
- Return type:
- has_service_catalog()¶
Return True if this client provides a service catalog.
- head(url, **kwargs)¶
Perform an authenticated HEAD request.
This calls
request()
withmethod
set toHEAD
and an authentication token if one is available.Warning
DEPRECATED: This function is no longer used and is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release. It was designed to be used by the managers and the managers now receive an adapter so this function is no longer on the standard request path.
- property management_url¶
- patch(url, **kwargs)¶
Perform an authenticate PATCH request.
This calls
request()
withmethod
set toPATCH
and an authentication token if one is available.Warning
DEPRECATED: This function is no longer used and is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release. It was designed to be used by the managers and the managers now receive an adapter so this function is no longer on the standard request path.
- post(url, **kwargs)¶
Perform an authenticate POST request.
This calls
request()
withmethod
set toPOST
and an authentication token if one is available.Warning
DEPRECATED: This function is no longer used and is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release. It was designed to be used by the managers and the managers now receive an adapter so this function is no longer on the standard request path.
- process_token(region_name=None)¶
Extract and process information from the new auth_ref.
And set the relevant authentication information.
- put(url, **kwargs)¶
Perform an authenticate PUT request.
This calls
request()
withmethod
set toPUT
and an authentication token if one is available.Warning
DEPRECATED: This function is no longer used and is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release. It was designed to be used by the managers and the managers now receive an adapter so this function is no longer on the standard request path.
- request(*args, **kwargs)¶
Send an http request with the specified characteristics.
Wrapper around requests.request to handle tasks such as setting headers, JSON encoding/decoding, and error handling.
Warning
DEPRECATED: This function is no longer used. It was designed to be used only by the managers and the managers now receive an adapter so this function is no longer on the standard request path. This may be removed in the 2.0.0 release.
- serialize(entity)¶
- property service_catalog¶
Return this client’s service catalog.
- store_auth_ref_into_keyring(keyring_key)¶
Store auth_ref into keyring.
- property tenant_id¶
Provide read-only backwards compatibility for tenant_id.
Warning
This is deprecated as of the 1.7.0 release in favor of project_id and may be removed in the 2.0.0 release.
- property tenant_name¶
Provide read-only backwards compatibility for tenant_name.
Warning
This is deprecated as of the 1.7.0 release in favor of project_name and may be removed in the 2.0.0 release.
- version = None¶
- keystoneclient.httpclient.USER_AGENT = 'python-keystoneclient'¶
Default user agent string.
This property is deprecated as of the 1.7.0 release in favor of
keystoneclient.session.USER_AGENT
and may be removed in the 2.0.0 release.
- keystoneclient.httpclient.request(*args, **kwargs)¶
Make a request.
This function is deprecated as of the 1.7.0 release in favor of
keystoneclient.session.request()
and may be removed in the 2.0.0 release.
keystoneclient.i18n module¶
oslo.i18n integration module.
See https://docs.openstack.org/oslo.i18n/latest/user/index.html .
keystoneclient.service_catalog module¶
- class keystoneclient.service_catalog.ServiceCatalog(region_name=None)¶
Bases:
object
Helper methods for dealing with a Keystone Service Catalog.
Warning
Setting region_name is deprecated in favor of passing the region name as a parameter to calls made to the service catalog as of the 1.7.0 release and may be removed in the 2.0.0 release.
- classmethod factory(resource_dict, token=None, region_name=None)¶
Create ServiceCatalog object given an auth token.
Warning
Setting region_name is deprecated in favor of passing the region name as a parameter to calls made to the service catalog as of the 1.7.0 release and may be removed in the 2.0.0 release.
- abstract get_data()¶
Get the raw catalog structure.
Get the version dependent catalog structure as it is presented within the resource.
- Returns:
list containing raw catalog data entries or None
- get_endpoints(service_type=None, endpoint_type=None, region_name=None, service_name=None)¶
Fetch and filter endpoints for the specified service(s).
Returns endpoints for the specified service (or all) containing the specified type (or all) and region (or all) and service name.
If there is no name in the service catalog the service_name check will be skipped. This allows compatibility with services that existed before the name was available in the catalog.
- abstract get_token()¶
Fetch token details from service catalog.
Returns a dictionary containing the following:
- `id`: Token's ID - `expires`: Token's expiration - `user_id`: Authenticated user's ID - `tenant_id`: Authorized project's ID - `domain_id`: Authorized domain's ID
- abstract get_urls(attr=None, filter_value=None, service_type='identity', endpoint_type='publicURL', region_name=None, service_name=None)¶
Fetch endpoint urls from the service catalog.
Fetch the endpoints from the service catalog for a particular endpoint attribute. If no attribute is given, return the first endpoint of the specified type.
- Parameters:
attr (string) – Endpoint attribute name.
filter_value (string) – Endpoint attribute value.
service_type (string) – Service type of the endpoint.
endpoint_type (string) – Type of endpoint. Possible values: public or publicURL, internal or internalURL, admin or adminURL
region_name (string) – Region of the endpoint.
service_name (string) – The assigned name of the service.
- Returns:
tuple of urls or None (if no match found)
- property region_name¶
Region name.
Warning
region_name is deprecated in favor of passing the region name as a parameter to calls made to the service catalog as of the 1.7.0 release and may be removed in the 2.0.0 release.
- url_for(attr=None, filter_value=None, service_type='identity', endpoint_type='publicURL', region_name=None, service_name=None)¶
Fetch an endpoint from the service catalog.
Fetch the specified endpoint from the service catalog for a particular endpoint attribute. If no attribute is given, return the first endpoint of the specified type.
- Valid endpoint types: public or publicURL,
internal or internalURL, admin or ‘adminURL`
- Parameters:
attr (string) – Endpoint attribute name.
filter_value (string) – Endpoint attribute value.
service_type (string) – Service type of the endpoint.
endpoint_type (string) – Type of endpoint.
region_name (string) – Region of the endpoint.
service_name (string) – The assigned name of the service.
- class keystoneclient.service_catalog.ServiceCatalogV2(resource_dict, region_name=None)¶
Bases:
ServiceCatalog
An object for encapsulating the v2 service catalog.
The object is created using raw v2 auth token from Keystone.
- get_data()¶
Get the raw catalog structure.
Get the version dependent catalog structure as it is presented within the resource.
- Returns:
list containing raw catalog data entries or None
- get_token()¶
Fetch token details from service catalog.
Returns a dictionary containing the following:
- `id`: Token's ID - `expires`: Token's expiration - `user_id`: Authenticated user's ID - `tenant_id`: Authorized project's ID - `domain_id`: Authorized domain's ID
- get_urls(attr=None, filter_value=None, service_type='identity', endpoint_type='publicURL', region_name=None, service_name=None)¶
Fetch endpoint urls from the service catalog.
Fetch the endpoints from the service catalog for a particular endpoint attribute. If no attribute is given, return the first endpoint of the specified type.
- Parameters:
attr (string) – Endpoint attribute name.
filter_value (string) – Endpoint attribute value.
service_type (string) – Service type of the endpoint.
endpoint_type (string) – Type of endpoint. Possible values: public or publicURL, internal or internalURL, admin or adminURL
region_name (string) – Region of the endpoint.
service_name (string) – The assigned name of the service.
- Returns:
tuple of urls or None (if no match found)
- classmethod is_valid(resource_dict)¶
- class keystoneclient.service_catalog.ServiceCatalogV3(token, resource_dict, region_name=None)¶
Bases:
ServiceCatalog
An object for encapsulating the v3 service catalog.
The object is created using raw v3 auth token from Keystone.
- get_data()¶
Get the raw catalog structure.
Get the version dependent catalog structure as it is presented within the resource.
- Returns:
list containing raw catalog data entries or None
- get_token()¶
Fetch token details from service catalog.
Returns a dictionary containing the following:
- `id`: Token's ID - `expires`: Token's expiration - `user_id`: Authenticated user's ID - `tenant_id`: Authorized project's ID - `domain_id`: Authorized domain's ID
- get_urls(attr=None, filter_value=None, service_type='identity', endpoint_type='public', region_name=None, service_name=None)¶
Fetch endpoint urls from the service catalog.
Fetch the endpoints from the service catalog for a particular endpoint attribute. If no attribute is given, return the first endpoint of the specified type.
- Parameters:
attr (string) – Endpoint attribute name.
filter_value (string) – Endpoint attribute value.
service_type (string) – Service type of the endpoint.
endpoint_type (string) – Type of endpoint. Possible values: public or publicURL, internal or internalURL, admin or adminURL
region_name (string) – Region of the endpoint.
service_name (string) – The assigned name of the service.
- Returns:
tuple of urls or None (if no match found)
- classmethod is_valid(resource_dict)¶
keystoneclient.session module¶
- class keystoneclient.session.Session(auth=None, session=None, original_ip=None, verify=True, cert=None, timeout=None, user_agent=None, redirect=30)¶
Bases:
object
Maintains client communication state and common functionality.
As much as possible the parameters to this class reflect and are passed directly to the requests library.
- Parameters:
auth (
keystoneclient.auth.base.BaseAuthPlugin
) – An authentication plugin to authenticate the session with. (optional, defaults to None)session (requests.Session) – A requests session object that can be used for issuing requests. (optional)
original_ip (string) – The original IP of the requesting user which will be sent to identity service in a ‘Forwarded’ header. (optional)
verify – The verification arguments to pass to requests. These are of the same form as requests expects, so True or False to verify (or not) against system certificates or a path to a bundle or CA certs to check against or None for requests to attempt to locate and use certificates. (optional, defaults to True)
cert – A client certificate to pass to requests. These are of the same form as requests expects. Either a single filename containing both the certificate and key or a tuple containing the path to the certificate then a path to the key. (optional)
timeout (float) – A timeout to pass to requests. This should be a numerical value indicating some amount (or fraction) of seconds or 0 for no timeout. (optional, defaults to 0)
user_agent (string) – A User-Agent header string to use for the request. If not provided a default is used. (optional, defaults to ‘python-keystoneclient’)
redirect (int/bool) – Controls the maximum number of redirections that can be followed by a request. Either an integer for a specific count or True/False for forever/never. (optional, default to 30)
- DEFAULT_REDIRECT_LIMIT = 30¶
This property is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release.
- REDIRECT_STATUSES = (301, 302, 303, 305, 307)¶
This property is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release.
- classmethod construct(kwargs)¶
Handle constructing a session from both old and new arguments.
Support constructing a session from the old
HTTPClient
args as well as the new request-style arguments.Warning
DEPRECATED as of 1.7.0: This function is purely for bridging the gap between older client arguments and the session arguments that they relate to. It is not intended to be used as a generic Session Factory. This function may be removed in the 2.0.0 release.
This function purposefully modifies the input kwargs dictionary so that the remaining kwargs dict can be reused and passed on to other functions without session arguments.
- get_auth_connection_params(auth=None, **kwargs)¶
Return auth connection params as provided by the auth plugin.
An auth plugin may specify connection parameters to the request like providing a client certificate for communication.
We restrict the values that may be returned from this function to prevent an auth plugin overriding values unrelated to connection parameters. The values that are currently accepted are:
cert: a path to a client certificate, or tuple of client certificate and key pair that are used with this request.
verify: a boolean value to indicate verifying SSL certificates against the system CAs or a path to a CA file to verify with.
These values are passed to the requests library and further information on accepted values may be found there.
- Parameters:
auth (keystoneclient.auth.base.BaseAuthPlugin) – The auth plugin to use for tokens. Overrides the plugin on the session. (optional)
- Raises:
keystoneclient.exceptions.AuthorizationFailure – if a new token fetch fails.
keystoneclient.exceptions.MissingAuthPlugin – if a plugin is not available.
keystoneclient.exceptions.UnsupportedParameters – if the plugin returns a parameter that is not supported by this session.
- Returns:
Authentication headers or None for failure.
- Return type:
- get_auth_headers(auth=None, **kwargs)¶
Return auth headers as provided by the auth plugin.
- Parameters:
auth (
keystoneclient.auth.base.BaseAuthPlugin
) – The auth plugin to use for token. Overrides the plugin on the session. (optional)- Raises:
keystoneclient.exceptions.AuthorizationFailure – if a new token fetch fails.
keystoneclient.exceptions.MissingAuthPlugin – if a plugin is not available.
- Returns:
Authentication headers or None for failure.
- Return type:
- classmethod get_conf_options(deprecated_opts=None)¶
Get oslo_config options that are needed for a
Session
.These may be useful without being registered for config file generation or to manipulate the options before registering them yourself.
- The options that are set are:
- cafile:
The certificate authority filename.
- certfile:
The client certificate file to present.
- keyfile:
The key for the client certificate.
- insecure:
Whether to ignore SSL verification.
- timeout:
The max time to wait for HTTP connections.
- Parameters:
deprecated_opts (dict) –
Deprecated options that should be included in the definition of new options. This should be a dict from the name of the new option to a list of oslo.DeprecatedOpts that correspond to the new option. (optional)
For example, to support the
ca_file
option pointing to the newcafile
option name:old_opt = oslo_cfg.DeprecatedOpt('ca_file', 'old_group') deprecated_opts={'cafile': [old_opt]}
- Returns:
A list of oslo_config options.
- get_endpoint(auth=None, **kwargs)¶
Get an endpoint as provided by the auth plugin.
- Parameters:
auth (
keystoneclient.auth.base.BaseAuthPlugin
) – The auth plugin to use for token. Overrides the plugin on the session. (optional)- Raises:
keystoneclient.exceptions.MissingAuthPlugin – if a plugin is not available.
- Returns:
An endpoint if available or None.
- Return type:
string
- get_project_id(auth=None)¶
Return the authenticated project_id as provided by the auth plugin.
- Parameters:
auth (keystoneclient.auth.base.BaseAuthPlugin) – The auth plugin to use for token. Overrides the plugin on the session. (optional)
- Raises:
keystoneclient.exceptions.AuthorizationFailure – if a new token fetch fails.
keystoneclient.exceptions.MissingAuthPlugin – if a plugin is not available.
- Returns string:
Current project_id or None if not supported by plugin.
- get_token(auth=None)¶
Return a token as provided by the auth plugin.
- Parameters:
auth (
keystoneclient.auth.base.BaseAuthPlugin
) – The auth plugin to use for token. Overrides the plugin on the session. (optional)- Raises:
keystoneclient.exceptions.AuthorizationFailure – if a new token fetch fails.
keystoneclient.exceptions.MissingAuthPlugin – if a plugin is not available.
Warning
This method is deprecated as of the 1.7.0 release in favor of
get_auth_headers()
and may be removed in the 2.0.0 release. This method assumes that the only header that is used to authenticate a message is ‘X-Auth-Token’ which may not be correct.- Returns:
A valid token.
- Return type:
string
- get_user_id(auth=None)¶
Return the authenticated user_id as provided by the auth plugin.
- Parameters:
auth (keystoneclient.auth.base.BaseAuthPlugin) – The auth plugin to use for token. Overrides the plugin on the session. (optional)
- Raises:
keystoneclient.exceptions.AuthorizationFailure – if a new token fetch fails.
keystoneclient.exceptions.MissingAuthPlugin – if a plugin is not available.
- Returns string:
Current user_id or None if not supported by plugin.
- invalidate(auth=None)¶
Invalidate an authentication plugin.
- Parameters:
auth (
keystoneclient.auth.base.BaseAuthPlugin
) – The auth plugin to invalidate. Overrides the plugin on the session. (optional)
- classmethod load_from_cli_options(args, **kwargs)¶
Create a
Session
object from CLI arguments.The CLI arguments must have been registered with
register_cli_options()
.- Parameters:
args (Namespace) – result of parsed arguments.
- Returns:
A new session object.
- Return type:
- classmethod load_from_conf_options(conf, group, **kwargs)¶
Create a session object from an oslo_config object.
The options must have been previously registered with register_conf_options.
- static register_cli_options(parser)¶
Register the argparse arguments that are needed for a session.
- Parameters:
parser (argparse.ArgumentParser) – parser to add to.
- classmethod register_conf_options(conf, group, deprecated_opts=None)¶
Register the oslo_config options that are needed for a session.
- The options that are set are:
- cafile:
The certificate authority filename.
- certfile:
The client certificate file to present.
- keyfile:
The key for the client certificate.
- insecure:
Whether to ignore SSL verification.
- timeout:
The max time to wait for HTTP connections.
- Parameters:
conf (oslo_config.Cfg) – config object to register with.
group (string) – The ini group to register options in.
deprecated_opts (dict) –
Deprecated options that should be included in the definition of new options. This should be a dict from the name of the new option to a list of oslo.DeprecatedOpts that correspond to the new option. (optional)
For example, to support the
ca_file
option pointing to the newcafile
option name:old_opt = oslo_cfg.DeprecatedOpt('ca_file', 'old_group') deprecated_opts={'cafile': [old_opt]}
- Returns:
The list of options that was registered.
- request(url, method, json=None, original_ip=None, user_agent=None, redirect=None, authenticated=None, endpoint_filter=None, auth=None, requests_auth=None, raise_exc=True, allow_reauth=True, log=True, endpoint_override=None, connect_retries=0, logger=<Logger keystoneclient.session (WARNING)>, **kwargs)¶
Send an HTTP request with the specified characteristics.
Wrapper around requests.Session.request to handle tasks such as setting headers, JSON encoding/decoding, and error handling.
Arguments that are not handled are passed through to the requests library.
- Parameters:
url (string) – Path or fully qualified URL of HTTP request. If only a path is provided then endpoint_filter must also be provided such that the base URL can be determined. If a fully qualified URL is provided then endpoint_filter will be ignored.
method (string) – The http method to use. (e.g. ‘GET’, ‘POST’)
original_ip (string) – Mark this request as forwarded for this ip. (optional)
headers (dict) – Headers to be included in the request. (optional)
json – Some data to be represented as JSON. (optional)
user_agent (string) – A user_agent to use for the request. If present will override one present in headers. (optional)
redirect (int/bool) – the maximum number of redirections that can be followed by a request. Either an integer for a specific count or True/False for forever/never. (optional)
connect_retries (int) – the maximum number of retries that should be attempted for connection errors. (optional, defaults to 0 - never retry).
authenticated (bool) – True if a token should be attached to this request, False if not or None for attach if an auth_plugin is available. (optional, defaults to None)
endpoint_filter (dict) – Data to be provided to an auth plugin with which it should be able to determine an endpoint to use for this request. If not provided then URL is expected to be a fully qualified URL. (optional)
endpoint_override (str) – The URL to use instead of looking up the endpoint in the auth plugin. This will be ignored if a fully qualified URL is provided but take priority over an endpoint_filter. (optional)
auth (
keystoneclient.auth.base.BaseAuthPlugin
) – The auth plugin to use when authenticating this request. This will override the plugin that is attached to the session (if any). (optional)requests_auth (
requests.auth.AuthBase
) – A requests library auth plugin that cannot be passed via kwarg because the auth kwarg collides with our own auth plugins. (optional)raise_exc (bool) – If True then raise an appropriate exception for failed HTTP requests. If False then return the request object. (optional, default True)
allow_reauth (bool) – Allow fetching a new token and retrying the request on receiving a 401 Unauthorized response. (optional, default True)
log (bool) – If True then log the request and response data to the debug log. (optional, default True)
logger (logging.Logger) – The logger object to use to log request and responses. If not provided the keystoneclient.session default logger will be used.
kwargs – any other parameter that can be passed to requests.Session.request (such as headers). Except: ‘data’ will be overwritten by the data in ‘json’ param. ‘allow_redirects’ is ignored as redirects are handled by the session.
- Raises:
keystoneclient.exceptions.ClientException – For connection failure, or to indicate an error response code.
- Returns:
The response to the request.
- user_agent = None¶
- class keystoneclient.session.TCPKeepAliveAdapter(pool_connections=10, pool_maxsize=10, max_retries=0, pool_block=False)¶
Bases:
HTTPAdapter
The custom adapter used to set TCP Keep-Alive on all connections.
This Adapter also preserves the default behaviour of Requests which disables Nagle’s Algorithm. See also: http://blogs.msdn.com/b/windowsazurestorage/archive/2010/06/25/nagle-s-algorithm-is-not-friendly-towards-small-requests.aspx
- init_poolmanager(*args, **kwargs)¶
Initializes a urllib3 PoolManager.
This method should not be called from user code, and is only exposed for use when subclassing the
HTTPAdapter
.- Parameters:
connections – The number of urllib3 connection pools to cache.
maxsize – The maximum number of connections to save in the pool.
block – Block when no free connections are available.
pool_kwargs – Extra keyword arguments used to initialize the Pool Manager.
- keystoneclient.session.request(url, method='GET', **kwargs)¶
keystoneclient.utils module¶
- keystoneclient.utils.find_resource(manager, name_or_id)¶
Helper for the _find_* methods.
- keystoneclient.utils.hash_signed_token(signed_text, mode='md5')¶
- keystoneclient.utils.isotime(at=None, subsecond=False)¶
Stringify time in ISO 8601 format.
- keystoneclient.utils.prompt_for_password()¶
Prompt user for password if not provided.
Prompt is used so the password doesn’t show up in the bash history.
- keystoneclient.utils.prompt_user_password()¶
Prompt user for a password.
Prompt for a password if stdin is a tty.
- keystoneclient.utils.strtime(at=None)¶