keystoneauth1.identity package

Submodules

keystoneauth1.identity.access module

class keystoneauth1.identity.access.AccessInfoPlugin(auth_ref, auth_url=None)

Bases: keystoneauth1.identity.base.BaseIdentityPlugin

A plugin that turns an existing AccessInfo object into a usable plugin.

There are cases where reuse of an auth_ref or AccessInfo object is warranted such as from a cache, from auth_token middleware, or another source.

Turn the existing access info object into an identity plugin. This plugin cannot be refreshed as the AccessInfo object does not contain any authorizing information.

Parameters:
  • auth_ref (keystoneauth1.access.AccessInfo) – the existing AccessInfo object.
  • auth_url – the url where this AccessInfo was retrieved from. Required if using the AUTH_INTERFACE with get_endpoint. (optional)
get_auth_ref(session, **kwargs)
invalidate()

keystoneauth1.identity.base module

class keystoneauth1.identity.base.BaseIdentityPlugin(auth_url=None, reauthenticate=True)

Bases: keystoneauth1.plugin.BaseAuthPlugin

MIN_TOKEN_LIFE_SECONDS = 120
get_access(session, **kwargs)

Fetch or return a current AccessInfo object.

If a valid AccessInfo is present then it is returned otherwise a new one will be fetched.

Parameters:session (keystoneauth1.session.Session) – A session object that can be used for communication.
Raises:keystoneauth1.exceptions.http.HttpError – An error from an invalid HTTP response.
Returns:Valid AccessInfo
Return type:keystoneauth1.access.AccessInfo
get_auth_ref(session, **kwargs)

Obtain a token from an OpenStack Identity Service.

This method is overridden by the various token version plugins.

This function should not be called independently and is expected to be invoked via the do_authenticate function.

This function will be invoked if the AcessInfo object cached by the plugin is not valid. Thus plugins should always fetch a new AccessInfo when invoked. If you are looking to just retrieve the current auth data then you should use get_access.

Parameters:

session (keystoneauth1.session.Session) – A session object that can be used for communication.

Raises:
Returns:

Token access information.

Return type:

keystoneauth1.access.AccessInfo

get_auth_state()

Retrieve the current authentication state for the plugin.

Retrieve any internal state that represents the authenticated plugin.

This should not fetch any new data if it is not present.

Returns:a string that can be stored or None if there is no auth state present in the plugin. This string can be reloaded with set_auth_state to set the same authentication.
Return type:str or None if no auth present.
get_cache_id()

Fetch an identifier that uniquely identifies the auth options.

The returned identifier need not be decomposable or otherwise provide any way to recreate the plugin.

This string MUST change if any of the parameters that are used to uniquely identity this plugin change. It should not change upon a reauthentication of the plugin.

Returns:A unique string for the set of options
Return type:str or None if this is unsupported or unavailable.
get_cache_id_elements()

Get the elements for this auth plugin that make it unique.

As part of the get_cache_id requirement we need to determine what aspects of this plugin and its values that make up the unique elements.

This should be overridden by plugins that wish to allow caching.

Returns:The unique attributes and values of this plugin.
Return type:A flat dict with a str key and str or None value. This is required as we feed these values into a hash. Pairs where the value is None are ignored in the hashed id.
get_discovery(session, url, authenticated=None)

Return the discovery object for a URL.

Check the session and the plugin cache to see if we have already performed discovery on the URL and if so return it, otherwise create a new discovery object, cache it and return it.

This function is expected to be used by subclasses and should not be needed by users.

Parameters:
  • session (keystoneauth1.session.Session) – A session object to discover with.
  • url (str) – The url to lookup.
  • authenticated (bool) – Include a token in the discovery call. (optional) Defaults to None (use a token if a plugin is installed).
Raises:
Returns:

A discovery object with the results of looking up that URL.

get_endpoint(session, service_type=None, interface=None, region_name=None, service_name=None, version=None, allow={}, allow_version_hack=True, skip_discovery=False, min_version=None, max_version=None, **kwargs)

Return a valid endpoint for a service.

If a valid token is not present then a new one will be fetched using the session and kwargs.

version, min_version and max_version can all be given either as a string or a tuple.

Valid interface types: public or publicURL,
internal or internalURL, admin or ‘adminURL`
Parameters:
  • session (keystoneauth1.session.Session) – A session object that can be used for communication.
  • service_type (string) – The type of service to lookup the endpoint for. This plugin will return None (failure) if service_type is not provided.
  • interface – Type of endpoint. Can be a single value or a list of values. If it’s a list of values, they will be looked for in order of preference. Can also be keystoneauth1.plugin.AUTH_INTERFACE to indicate that the auth_url should be used instead of the value in the catalog. (optional, defaults to public)
  • region_name (string) – The region the endpoint should exist in. (optional)
  • service_name (string) – The name of the service in the catalog. (optional)
  • version – The minimum version number required for this endpoint. (optional)
  • allow (dict) – Extra filters to pass when discovering API versions. (optional)
  • allow_version_hack (bool) – Allow keystoneauth to hack up catalog URLS to support older schemes. (optional, default True)
  • skip_discovery (bool) – Whether to skip version discovery even if a version has been given. This is useful if endpoint_override or similar has been given and grabbing additional information about the endpoint is not useful.
  • min_version – The minimum version that is acceptable. Mutually exclusive with version. If min_version is given with no max_version it is as if max version is ‘latest’. (optional)
  • max_version – The maximum version that is acceptable. Mutually exclusive with version. If min_version is given with no max_version it is as if max version is ‘latest’. (optional)
Raises:

keystoneauth1.exceptions.http.HttpError – An error from an invalid HTTP response.

Returns:

A valid endpoint URL or None if not available.

Return type:

string or None

get_endpoint_data(session, service_type=None, interface=None, region_name=None, service_name=None, version=None, allow={}, allow_version_hack=True, discover_versions=True, skip_discovery=False, min_version=None, max_version=None, endpoint_override=None, **kwargs)

Return a valid endpoint data for a service.

If a valid token is not present then a new one will be fetched using the session and kwargs.

version, min_version and max_version can all be given either as a string or a tuple.

Valid interface types: public or publicURL,
internal or internalURL, admin or ‘adminURL`
Parameters:
  • session (keystoneauth1.session.Session) – A session object that can be used for communication.
  • service_type (string) – The type of service to lookup the endpoint for. This plugin will return None (failure) if service_type is not provided.
  • interface – Type of endpoint. Can be a single value or a list of values. If it’s a list of values, they will be looked for in order of preference. Can also be keystoneauth1.plugin.AUTH_INTERFACE to indicate that the auth_url should be used instead of the value in the catalog. (optional, defaults to public)
  • region_name (string) – The region the endpoint should exist in. (optional)
  • service_name (string) – The name of the service in the catalog. (optional)
  • version – The minimum version number required for this endpoint. (optional)
  • allow (dict) – Extra filters to pass when discovering API versions. (optional)
  • allow_version_hack (bool) – Allow keystoneauth to hack up catalog URLS to support older schemes. (optional, default True)
  • discover_versions (bool) – Whether to get version metadata from the version discovery document even if it’s not neccessary to fulfill the major version request. (optional, defaults to True)
  • skip_discovery (bool) – Whether to skip version discovery even if a version has been given. This is useful if endpoint_override or similar has been given and grabbing additional information about the endpoint is not useful.
  • min_version – The minimum version that is acceptable. Mutually exclusive with version. If min_version is given with no max_version it is as if max version is ‘latest’. (optional)
  • max_version – The maximum version that is acceptable. Mutually exclusive with version. If min_version is given with no max_version it is as if max version is ‘latest’. (optional)
  • endpoint_override (str) – URL to use instead of looking in the catalog. Catalog lookup will be skipped, but version discovery will be run. Sets allow_version_hack to False (optional)
Raises:

keystoneauth1.exceptions.http.HttpError – An error from an invalid HTTP response.

Returns:

Valid EndpointData or None if not available.

Return type:

keystoneauth1.discover.EndpointData or None

get_project_id(session, **kwargs)
get_sp_auth_url(session, sp_id, **kwargs)
get_sp_url(session, sp_id, **kwargs)
get_token(session, **kwargs)

Return a valid auth token.

If a valid token is not present then a new one will be fetched.

Parameters:session (keystoneauth1.session.Session) – A session object that can be used for communication.
Raises:keystoneauth1.exceptions.http.HttpError – An error from an invalid HTTP response.
Returns:A valid token.
Return type:string
get_user_id(session, **kwargs)
invalidate()

Invalidate the current authentication data.

This should result in fetching a new token on next call.

A plugin may be invalidated if an Unauthorized HTTP response is returned to indicate that the token may have been revoked or is otherwise now invalid.

Returns:True if there was something that the plugin did to invalidate. This means that it makes sense to try again. If nothing happens returns False to indicate give up.
Return type:bool
set_auth_state(data)

Install existing authentication state for a plugin.

Take the output of get_auth_state and install that authentication state into the current authentication plugin.

keystoneauth1.identity.v2 module

class keystoneauth1.identity.v2.Auth(auth_url, trust_id=None, tenant_id=None, tenant_name=None, reauthenticate=True)

Bases: keystoneauth1.identity.base.BaseIdentityPlugin

Identity V2 Authentication Plugin.

Parameters:
  • auth_url (string) – Identity service endpoint for authorization.
  • trust_id (string) – Trust ID for trust scoping.
  • tenant_id (string) – Tenant ID for project scoping.
  • tenant_name (string) – Tenant name for project scoping.
  • reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True
get_auth_data(headers=None)

Return the authentication section of an auth plugin.

Parameters:headers (dict) – The headers that will be sent with the auth request if a plugin needs to add to them.
Returns:A dict of authentication data for the auth type.
Return type:dict
get_auth_ref(session, **kwargs)
has_scope_parameters

Return true if parameters can be used to create a scoped token.

class keystoneauth1.identity.v2.Password(auth_url, username=<object object>, password=None, user_id=<object object>, **kwargs)

Bases: keystoneauth1.identity.v2.Auth

A plugin for authenticating with a username and password.

A username or user_id must be provided.

Parameters:
  • auth_url (string) – Identity service endpoint for authorization.
  • username (string) – Username for authentication.
  • password (string) – Password for authentication.
  • user_id (string) – User ID for authentication.
  • trust_id (string) – Trust ID for trust scoping.
  • tenant_id (string) – Tenant ID for tenant scoping.
  • tenant_name (string) – Tenant name for tenant scoping.
  • reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True
Raises:

TypeError – if a user_id or username is not provided.

get_auth_data(headers=None)
get_cache_id_elements()
class keystoneauth1.identity.v2.Token(auth_url, token, **kwargs)

Bases: keystoneauth1.identity.v2.Auth

A plugin for authenticating with an existing token.

Parameters:
  • auth_url (string) – Identity service endpoint for authorization.
  • token (string) – Existing token for authentication.
  • tenant_id (string) – Tenant ID for tenant scoping.
  • tenant_name (string) – Tenant name for tenant scoping.
  • trust_id (string) – Trust ID for trust scoping.
  • reauthenticate (bool) – Allow fetching a new token if the current one is going to expire. (optional) default True
get_auth_data(headers=None)
get_cache_id_elements()

Module contents

class keystoneauth1.identity.BaseIdentityPlugin(auth_url=None, reauthenticate=True)

Bases: keystoneauth1.plugin.BaseAuthPlugin

MIN_TOKEN_LIFE_SECONDS = 120
get_access(session, **kwargs)

Fetch or return a current AccessInfo object.

If a valid AccessInfo is present then it is returned otherwise a new one will be fetched.

Parameters:session (keystoneauth1.session.Session) – A session object that can be used for communication.
Raises:keystoneauth1.exceptions.http.HttpError – An error from an invalid HTTP response.
Returns:Valid AccessInfo
Return type:keystoneauth1.access.AccessInfo
get_auth_ref(session, **kwargs)

Obtain a token from an OpenStack Identity Service.

This method is overridden by the various token version plugins.

This function should not be called independently and is expected to be invoked via the do_authenticate function.

This function will be invoked if the AcessInfo object cached by the plugin is not valid. Thus plugins should always fetch a new AccessInfo when invoked. If you are looking to just retrieve the current auth data then you should use get_access.

Parameters:

session (keystoneauth1.session.Session) – A session object that can be used for communication.

Raises:
Returns:

Token access information.

Return type:

keystoneauth1.access.AccessInfo

get_auth_state()

Retrieve the current authentication state for the plugin.

Retrieve any internal state that represents the authenticated plugin.

This should not fetch any new data if it is not present.

Returns:a string that can be stored or None if there is no auth state present in the plugin. This string can be reloaded with set_auth_state to set the same authentication.
Return type:str or None if no auth present.
get_cache_id()

Fetch an identifier that uniquely identifies the auth options.

The returned identifier need not be decomposable or otherwise provide any way to recreate the plugin.

This string MUST change if any of the parameters that are used to uniquely identity this plugin change. It should not change upon a reauthentication of the plugin.

Returns:A unique string for the set of options
Return type:str or None if this is unsupported or unavailable.
get_cache_id_elements()

Get the elements for this auth plugin that make it unique.

As part of the get_cache_id requirement we need to determine what aspects of this plugin and its values that make up the unique elements.

This should be overridden by plugins that wish to allow caching.

Returns:The unique attributes and values of this plugin.
Return type:A flat dict with a str key and str or None value. This is required as we feed these values into a hash. Pairs where the value is None are ignored in the hashed id.
get_discovery(session, url, authenticated=None)

Return the discovery object for a URL.

Check the session and the plugin cache to see if we have already performed discovery on the URL and if so return it, otherwise create a new discovery object, cache it and return it.

This function is expected to be used by subclasses and should not be needed by users.

Parameters:
  • session (keystoneauth1.session.Session) – A session object to discover with.
  • url (str) – The url to lookup.
  • authenticated (bool) – Include a token in the discovery call. (optional) Defaults to None (use a token if a plugin is installed).
Raises:
Returns:

A discovery object with the results of looking up that URL.

get_endpoint(session, service_type=None, interface=None, region_name=None, service_name=None, version=None, allow={}, allow_version_hack=True, skip_discovery=False, min_version=None, max_version=None, **kwargs)

Return a valid endpoint for a service.

If a valid token is not present then a new one will be fetched using the session and kwargs.

version, min_version and max_version can all be given either as a string or a tuple.

Valid interface types: public or publicURL,
internal or internalURL, admin or ‘adminURL`
Parameters:
  • session (keystoneauth1.session.Session) – A session object that can be used for communication.
  • service_type (string) – The type of service to lookup the endpoint for. This plugin will return None (failure) if service_type is not provided.
  • interface – Type of endpoint. Can be a single value or a list of values. If it’s a list of values, they will be looked for in order of preference. Can also be keystoneauth1.plugin.AUTH_INTERFACE to indicate that the auth_url should be used instead of the value in the catalog. (optional, defaults to public)
  • region_name (string) – The region the endpoint should exist in. (optional)
  • service_name (string) – The name of the service in the catalog. (optional)
  • version – The minimum version number required for this endpoint. (optional)
  • allow (dict) – Extra filters to pass when discovering API versions. (optional)
  • allow_version_hack (bool) – Allow keystoneauth to hack up catalog URLS to support older schemes. (optional, default True)
  • skip_discovery (bool) – Whether to skip version discovery even if a version has been given. This is useful if endpoint_override or similar has been given and grabbing additional information about the endpoint is not useful.
  • min_version – The minimum version that is acceptable. Mutually exclusive with version. If min_version is given with no max_version it is as if max version is ‘latest’. (optional)
  • max_version – The maximum version that is acceptable. Mutually exclusive with version. If min_version is given with no max_version it is as if max version is ‘latest’. (optional)
Raises:

keystoneauth1.exceptions.http.HttpError – An error from an invalid HTTP response.

Returns:

A valid endpoint URL or None if not available.

Return type:

string or None

get_endpoint_data(session, service_type=None, interface=None, region_name=None, service_name=None, version=None, allow={}, allow_version_hack=True, discover_versions=True, skip_discovery=False, min_version=None, max_version=None, endpoint_override=None, **kwargs)

Return a valid endpoint data for a service.

If a valid token is not present then a new one will be fetched using the session and kwargs.

version, min_version and max_version can all be given either as a string or a tuple.

Valid interface types: public or publicURL,
internal or internalURL, admin or ‘adminURL`
Parameters:
  • session (keystoneauth1.session.Session) – A session object that can be used for communication.
  • service_type (string) – The type of service to lookup the endpoint for. This plugin will return None (failure) if service_type is not provided.
  • interface – Type of endpoint. Can be a single value or a list of values. If it’s a list of values, they will be looked for in order of preference. Can also be keystoneauth1.plugin.AUTH_INTERFACE to indicate that the auth_url should be used instead of the value in the catalog. (optional, defaults to public)
  • region_name (string) – The region the endpoint should exist in. (optional)
  • service_name (string) – The name of the service in the catalog. (optional)
  • version – The minimum version number required for this endpoint. (optional)
  • allow (dict) – Extra filters to pass when discovering API versions. (optional)
  • allow_version_hack (bool) – Allow keystoneauth to hack up catalog URLS to support older schemes. (optional, default True)
  • discover_versions (bool) – Whether to get version metadata from the version discovery document even if it’s not neccessary to fulfill the major version request. (optional, defaults to True)
  • skip_discovery (bool) – Whether to skip version discovery even if a version has been given. This is useful if endpoint_override or similar has been given and grabbing additional information about the endpoint is not useful.
  • min_version – The minimum version that is acceptable. Mutually exclusive with version. If min_version is given with no max_version it is as if max version is ‘latest’. (optional)
  • max_version – The maximum version that is acceptable. Mutually exclusive with version. If min_version is given with no max_version it is as if max version is ‘latest’. (optional)
  • endpoint_override (str) – URL to use instead of looking in the catalog. Catalog lookup will be skipped, but version discovery will be run. Sets allow_version_hack to False (optional)
Raises:

keystoneauth1.exceptions.http.HttpError – An error from an invalid HTTP response.

Returns:

Valid EndpointData or None if not available.

Return type:

keystoneauth1.discover.EndpointData or None

get_project_id(session, **kwargs)
get_sp_auth_url(session, sp_id, **kwargs)
get_sp_url(session, sp_id, **kwargs)
get_token(session, **kwargs)

Return a valid auth token.

If a valid token is not present then a new one will be fetched.

Parameters:session (keystoneauth1.session.Session) – A session object that can be used for communication.
Raises:keystoneauth1.exceptions.http.HttpError – An error from an invalid HTTP response.
Returns:A valid token.
Return type:string
get_user_id(session, **kwargs)
invalidate()

Invalidate the current authentication data.

This should result in fetching a new token on next call.

A plugin may be invalidated if an Unauthorized HTTP response is returned to indicate that the token may have been revoked or is otherwise now invalid.

Returns:True if there was something that the plugin did to invalidate. This means that it makes sense to try again. If nothing happens returns False to indicate give up.
Return type:bool
set_auth_state(data)

Install existing authentication state for a plugin.

Take the output of get_auth_state and install that authentication state into the current authentication plugin.

class keystoneauth1.identity.Password(auth_url, username=None, user_id=None, password=None, user_domain_id=None, user_domain_name=None, **kwargs)

Bases: keystoneauth1.identity.generic.base.BaseGenericPlugin

See keystoneauth1.identity.generic.Password

create_plugin(session, version, url, raw_status=None)
get_cache_id_elements()
user_domain_id
user_domain_name
class keystoneauth1.identity.Token(auth_url, token=None, **kwargs)

Bases: keystoneauth1.identity.generic.base.BaseGenericPlugin

See keystoneauth1.identity.generic.Token

create_plugin(session, version, url, raw_status=None)
get_cache_id_elements()
keystoneauth1.identity.V2Password

See keystoneauth1.identity.v2.Password

alias of Password

keystoneauth1.identity.V2Token

See keystoneauth1.identity.v2.Token

alias of Token

keystoneauth1.identity.V3Password

See keystoneauth1.identity.v3.Password

alias of Password

keystoneauth1.identity.V3Token

See keystoneauth1.identity.v3.Token

alias of Token

keystoneauth1.identity.V3OidcPassword

See keystoneauth1.identity.v3.oidc.OidcPassword

alias of OidcPassword

keystoneauth1.identity.V3OidcAuthorizationCode

See keystoneauth1.identity.v3.oidc.OidcAuthorizationCode

alias of OidcAuthorizationCode

keystoneauth1.identity.V3OidcAccessToken

See keystoneauth1.identity.v3.oidc.OidcAccessToken

alias of OidcAccessToken

keystoneauth1.identity.V3TOTP

See keystoneauth1.identity.v3.TOTP

alias of TOTP

keystoneauth1.identity.V3TokenlessAuth

See keystoneauth1.identity.v3.TokenlessAuth

alias of TokenlessAuth