keystone.token package

Subpackages

• keystone.token.persistence package
  • Subpackages
    • keystone.token.persistence.backends package
      • Submodules
      • keystone.token.persistence.backends.kvs module
      • keystone.token.persistence.backends.memcache module
      • keystone.token.persistence.backends.memcache_pool module
      • keystone.token.persistence.backends.sql module
      • Module contents
  • Submodules
  • keystone.token.persistence.core module
  • Module contents
• keystone.token.providers package
  • Subpackages
    • keystone.token.providers.fernet package
      • Submodules
      • keystone.token.providers.fernet.core module
      • keystone.token.providers.fernet.token_formatters module
      • keystone.token.providers.fernet.utils module
      • Module contents
  • Submodules
  • keystone.token.providers.common module
  • keystone.token.providers.pki module
  • keystone.token.providers.pkiz module
  • keystone.token.providers.uuid module
  • Module contents

Submodules

keystone.token.controllers module

class keystone.token.controllers.Auth(*args, **kwargs)

Bases: keystone.common.controller.V2Controller

authenticate(*args, **kwargs)

Authenticate credentials and return a token.

Accept auth as a dict that looks like:

{
    "auth":{
        "passwordCredentials":{
            "username":"test_user",
            "password":"mypass"
        },
        "tenantName":"customer-x"
    }
}

In this case, tenant is optional, if not provided the token will be considered “unscoped” and can later be used to get a scoped token.

Alternatively, this call accepts auth with only a token and tenant that will return a token that is scoped to that tenant.

ca_cert(*args, **kwargs)

delete_token(*args, **kwargs)

Delete a token, effectively invalidating it for authz.

endpoints(*args, **kwargs)

Return a list of endpoints available to the token.

classmethod format_endpoint_list(catalog_ref)

Formats a list of endpoints according to Identity API v2.

The v2.0 API wants an endpoint list to look like:

{
    'endpoints': [
        {
            'id': $endpoint_id,
            'name': $SERVICE[name],
            'type': $SERVICE,
            'tenantId': $tenant_id,
            'region': $REGION,
        }
    ],
    'endpoints_links': [],
}

revocation_list(*args, **kwargs)

signing_cert(*args, **kwargs)

validate_token(*args, **kwargs)

Check that a token is valid.

Optionally, also ensure that it is owned by a specific tenant.

Returns metadata about the token along any associated roles.

validate_token_head(*args, **kwargs)

Check that a token is valid.

Optionally, also ensure that it is owned by a specific tenant.

Identical to validate_token, except does not return a response.

The code in keystone.common.wsgi.render_response will remove the content body.

exception keystone.token.controllers.ExternalAuthNotApplicable

Bases: exceptions.Exception

External authentication is not applicable.

keystone.token.provider module

Token provider interface.

class keystone.token.provider.Manager(*args, **kwargs)

Bases: keystone.common.manager.Manager

Default pivot point for the token provider backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

INVALIDATE_PROJECT_TOKEN_PERSISTENCE = 'invalidate_project_tokens'

INVALIDATE_USER_TOKEN_PERSISTENCE = 'invalidate_user_tokens'

V2 = 'v2.0'

V3 = 'v3.0'

VERSIONS = frozenset(['v3.0', 'v2.0'])

check_revocation(*args, **kwargs)

check_revocation_v2(*args, **kwargs)

check_revocation_v3(*args, **kwargs)

driver_namespace = 'keystone.token.provider'

invalidate_individual_token_cache(*args, **kwargs)

issue_v2_token(*args, **kwargs)

issue_v3_token(*args, **kwargs)

list_revoked_tokens(*args, **kwargs)

revoke_token(*args, **kwargs)

validate_non_persistent_token(*args, **kwargs)

validate_token(*args, **kwargs)

validate_v2_token(*args, **kwargs)

validate_v3_token(*args, **kwargs)

class keystone.token.provider.Provider

Bases: object

Interface description for a Token provider.

get_token_version(token_data)

Return the version of the given token data.

If the given token data is unrecognizable, UnsupportedTokenVersionException is raised.

Parameters:token_data (dict) – token_data Returns:token version string Raises:keystone.exception.UnsupportedTokenVersionException – If the token version is not expected.

issue_v2_token(token_ref, roles_ref=None, catalog_ref=None)

Issue a V2 token.

Parameters:

• token_ref (dict) – token data to generate token from
• roles_ref (dict) – optional roles list
• catalog_ref (dict) – optional catalog information

Returns:

(token_id, token_data)

issue_v3_token(user_id, method_names, expires_at=None, project_id=None, domain_id=None, auth_context=None, trust=None, metadata_ref=None, include_catalog=True, parent_audit_id=None)

Issue a V3 Token.

Parameters:

• user_id (string) – identity of the user
• method_names (list) – names of authentication methods
• expires_at (string) – optional time the token will expire
• project_id (string) – optional project identity
• domain_id (string) – optional domain identity
• auth_context (dict) – optional context from the authorization plugins
• trust (dict) – optional trust reference
• metadata_ref (dict) – optional metadata reference
• include_catalog (boolean) – optional, include the catalog in token data
• parent_audit_id (string) – optional, the audit id of the parent token

Returns:

(token_id, token_data)

needs_persistence()

Determine if the token should be persisted.

If the token provider requires that the token be persisted to a backend this should return True, otherwise return False.

validate_non_persistent_token(token_id)

Validate a given non-persistent token id and return the token_data.

Parameters:token_id (string) – the token id Returns:token data Raises:keystone.exception.TokenNotFound – When the token is invalid

validate_v2_token(token_ref)

Validate the given V2 token and return the token data.

Must raise Unauthorized exception if unable to validate token.

Parameters:token_ref (dict) – the token reference Returns:token data Raises:keystone.exception.TokenNotFound – If the token doesn’t exist.

validate_v3_token(token_ref)

Validate the given V3 token and return the token_data.

Parameters:token_ref (dict) – the token reference Returns:token data Raises:keystone.exception.TokenNotFound – If the token doesn’t exist.

keystone.token.provider.audit_info(parent_audit_id)

Build the audit data for a token.

If parent_audit_id is None, the list will be one element in length containing a newly generated audit_id.

If parent_audit_id is supplied, the list will be two elements in length containing a newly generated audit_id and the parent_audit_id. The parent_audit_id will always be element index 1 in the resulting list.

Parameters:parent_audit_id (str) – the audit of the original token in the chain Returns:Keystone token audit data

keystone.token.provider.base64_encode(s)

Encode a URL-safe string.

Return type:six.text_type

keystone.token.provider.default_expire_time()

Determine when a fresh token should expire.

Expiration time varies based on configuration (see [token] expiration).

Returns:a naive UTC datetime.datetime object

keystone.token.provider.random_urlsafe_str()

Generate a random URL-safe string.

Return type:six.text_type

keystone.token.provider.random_urlsafe_str_to_bytes(s)

Convert a string from random_urlsafe_str() to six.binary_type.

Return type:six.binary_type

keystone.token.routers module

class keystone.token.routers.Router(mapper=None)

Bases: keystone.common.wsgi.ComposableRouter

add_routes(mapper)

keystone.token.utils module

keystone.token.utils.generate_unique_id(token_id)

Return a unique ID for a token.

The returned value is useful as the primary key of a database table, memcache store, or other lookup table.

Returns:Given a PKI token, returns it’s hashed value. Otherwise, returns the passed-in value (such as a UUID token ID or an existing hash).

Module contents