keystone.auth package

Subpackages

• keystone.auth.plugins package
  • Submodules
  • keystone.auth.plugins.core module
  • keystone.auth.plugins.external module
  • keystone.auth.plugins.mapped module
  • keystone.auth.plugins.oauth1 module
  • keystone.auth.plugins.password module
  • keystone.auth.plugins.saml2 module
  • keystone.auth.plugins.token module
  • keystone.auth.plugins.totp module
  • Module contents

Submodules

keystone.auth.controllers module

class keystone.auth.controllers.Auth(*args, **kw)

Bases: keystone.common.controller.V3Controller

authenticate(context, auth_info, auth_context)

Authenticate user.

authenticate_for_token(context, auth=None)

Authenticate user and issue a token.

check_token(context, *args, **kwargs)

collection_name = 'tokens'

get_auth_catalog(context, *args, **kwargs)

get_auth_domains(context, *args, **kwargs)

get_auth_projects(context, *args, **kwargs)

member_name = 'token'

revocation_list(context, *args, **kwargs)

revoke_token(context, *args, **kwargs)

validate_token(context, *args, **kwargs)

class keystone.auth.controllers.AuthContext

Bases: dict

Retrofitting auth_context to reconcile identity attributes.

The identity attributes must not have conflicting values among the auth plug-ins. The only exception is expires_at, which is set to its earliest value.

IDENTITY_ATTRIBUTES = frozenset(['access_token_id', 'project_id', 'user_id', 'domain_id', 'expires_at'])

class keystone.auth.controllers.AuthInfo(*args, **kwargs)

Bases: object

Encapsulation of “auth” request.

static create(context, auth=None, scope_only=False)

get_method_data(method)

Get the auth method payload.

Returns:auth method payload

get_method_names()

Returns the identity method names.

Returns:list of auth method names

get_scope()

Get scope information.

Verify and return the scoping information.

Returns:(domain_id, project_id, trust_ref, unscoped). If scope to a project, (None, project_id, None, None) will be returned. If scoped to a domain, (domain_id, None, None, None) will be returned. If scoped to a trust, (None, project_id, trust_ref, None), Will be returned, where the project_id comes from the trust definition. If unscoped, (None, None, None, ‘unscoped’) will be returned.

set_scope(domain_id=None, project_id=None, trust=None, unscoped=None)

Set scope information.

keystone.auth.controllers.get_auth_method(method_name)

keystone.auth.controllers.load_auth_method(method)

keystone.auth.controllers.load_auth_methods()

keystone.auth.controllers.render_token_data_response(token_id, token_data, created=False)

Render token data HTTP response.

Stash token ID into the X-Subject-Token header.

keystone.auth.core module

class keystone.auth.core.AuthMethodHandler

Bases: object

Abstract base class for an authentication plugin.

authenticate(context, auth_payload, auth_context)

Authenticate user and return an authentication context.

Parameters:

• context – keystone’s request context
• auth_payload – the content of the authentication for a given method
• auth_context – user authentication context, a dictionary shared by all plugins. It contains “method_names” and “extras” by default. “method_names” is a list and “extras” is a dictionary.

If successful, plugin must set user_id in auth_context. method_name is used to convey any additional authentication methods in case authentication is for re-scoping. For example, if the authentication is for re-scoping, plugin must append the previous method names into method_names. Also, plugin may add any additional information into extras. Anything in extras will be conveyed in the token’s extras attribute. Here’s an example of auth_context on successful authentication:

{
    "extras": {},
    "methods": [
        "password",
        "token"
    ],
    "user_id": "abc123"
}

Plugins are invoked in the order in which they are specified in the methods attribute of the identity object. For example, custom-plugin is invoked before password, which is invoked before token in the following authentication request:

{
    "auth": {
        "identity": {
            "custom-plugin": {
                "custom-data": "sdfdfsfsfsdfsf"
            },
            "methods": [
                "custom-plugin",
                "password",
                "token"
            ],
            "password": {
                "user": {
                    "id": "s23sfad1",
                    "password": "secrete"
                }
            },
            "token": {
                "id": "sdfafasdfsfasfasdfds"
            }
        }
    }
}

Returns:None if authentication is successful. Authentication payload in the form of a dictionary for the next authentication step if this is a multi step authentication. Raises:keystone.exception.Unauthorized – for authentication failure

keystone.auth.routers module

class keystone.auth.routers.Routers

Bases: keystone.common.wsgi.RoutersBase

append_v3_routers(mapper, routers)

Module contents