Workflow Logic for the Identity service.
Bases: keystone.common.controller.V3Controller
Bases: keystone.common.controller.V3Controller
Main entry point into the Identity service.
Bases: dict
Discover, store and provide access to domain specific configs.
The setup_domain_drivers() call will be made via the wrapper from the first call to any driver function handled by this manager.
Domain specific configurations are only supported for the identity backend and the individual configurations are either specified in the resource database or in individual domain configuration files, depending on the setting of the ‘domain_configurations_from_database’ config option.
The result will be that for each domain with a specific configuration, this class will hold a reference to a ConfigOpts and driver object that the identity manager and driver can use.
Check for, and load, any new domain specific config for this domain.
This is only supported for the database-stored domain specific configuration.
When the domain specific drivers were set up, we stored away the specific config for this domain that was available at that time. So we now read the current version and compare. While this might seem somewhat inefficient, the sensitive config call is cached, so it should be lightweight. More importantly, when the cache timeout is reached, we will get any config that has been updated from any other keystone process.
This cache-timeout approach works for both multi-process and multi-threaded keystone configurations. In multi-threaded configurations, even though we might remove a driver object (that could be in use by another thread), this won’t actually be thrown away until all references to it have been broken. When that other thread is released back and is restarted with another command to process, the next time it accesses the driver it will pick up the new one.
Bases: object
Interface description for an Identity driver.
Adds a user to a group.
Raises:
Authenticate a given user and password.
Returns: user_ref
Raises AssertionError: if user or password is invalid.
Checks if a user is a member of a group.
Raises:
Creates a new group.
Raises keystone.exception.Conflict: if a duplicate group exists.
Creates a new user.
Raises keystone.exception.Conflict: if a duplicate user exists.
Deletes an existing group.
Raises keystone.exception.GroupNotFound: if the group doesn’t exist.
Deletes an existing user.
Raises keystone.exception.UserNotFound: if the user doesn’t exist.
Get a group by ID.
Returns: group_ref
Raises keystone.exception.GroupNotFound: if the group doesn’t exist.
Get a group by name.
Returns: group_ref
Raises keystone.exception.GroupNotFound: if the group doesn’t exist.
Get a user by ID.
Returns: user_ref
Raises keystone.exception.UserNotFound: if the user doesn’t exist.
Get a user by name.
Returns: user_ref
Raises keystone.exception.UserNotFound: if the user doesn’t exist.
List groups in the system.
Parameters: hints – filter hints which the driver should implement if at all possible.
Returns: a list of group_refs or an empty list.
List groups a user is in.
Parameters:
Returns: a list of group_refs or an empty list.
List users in the system.
Parameters: hints – filter hints which the driver should implement if at all possible.
Returns: a list of user_refs or an empty list.
List users in a group.
Parameters:
Returns: a list of user_refs or an empty list.
Removes a user from a group.
Raises keystone.exception.NotFound: if the entity is not found.
Updates an existing group.
Raises:
Updates an existing user.
Raises:
Bases: keystone.common.manager.Manager
Default pivot point for the Identity backend.
See keystone.common.manager.Manager for more details on how this dynamically calls the backend.
This class also handles the support of domain specific backends, by using the DomainConfigs class. The setup call for DomainConfigs is made from within the @domains_configured wrapper in a lazy loading fashion, to get around the fact that we can’t satisfy the assignment api it needs from within our __init__() function, since the assignment driver is not itself yet initialized.
Each of the identity calls is pre-processed here to choose, based on domain, which of the drivers should be called. The non-domain-specific driver is still in place, and is used if there is no specific driver for the domain in question (or we are not using multiple domain drivers).
Starting with Juno, in order to be able to obtain the domain from just an ID being presented as part of an API call, a public ID to domain and local ID mapping is maintained. This mapping also allows for the local ID of drivers that do not provide simple UUIDs (such as LDAP) to be referenced via a public facing ID. The mapping itself is automatically generated as entities are accessed via the driver.
This mapping is only used when:
- the entity is being handled by anything other than the default driver, or
- the entity is being handled by the default LDAP driver and backward compatible IDs are not required.
This means that in the standard case of a single SQL backend or the default settings of a single LDAP backend (since backward compatible IDs is set to True by default), no mapping is used. An alternative approach would be to always use the mapping table, but in the cases where we don’t need it to make the public and local IDs the same. It is felt that not using the mapping by default is a more prudent way to introduce this functionality.
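As an added illustration of the rule above (not Keystone’s own code; the names MappingStore, mapping_needed and to_public_id are assumed), the following shows when the public-to-local ID mapping is used, and the create / get / delete semantics the ID Mapping driver interface describes further down: get returns None when no mapping exists, and delete is silent.

```python
import uuid

# Added illustration of the public/local ID mapping rule above; not Keystone's
# own code. MappingStore, mapping_needed and to_public_id are assumed names.

def mapping_needed(driver_is_default, driver_is_ldap, backward_compatible_ids):
    """True when the mapping table must be used for an entity's IDs.

    Any non-default driver always uses the mapping; the default driver uses
    it only when it is LDAP and backward compatible IDs are not required.
    """
    if not driver_is_default:
        return True
    return driver_is_ldap and not backward_compatible_ids

class MappingStore:
    """In-memory stand-in for the ID Mapping backend (constructed example)."""

    def __init__(self):
        self._by_public = {}  # public_id -> (domain_id, local_id, entity_type)
        self._by_local = {}   # (domain_id, local_id, entity_type) -> public_id

    def create_id_mapping(self, domain_id, local_id, entity_type):
        key = (domain_id, local_id, entity_type)
        if key not in self._by_local:
            public_id = uuid.uuid4().hex  # opaque; does not expose the local ID
            self._by_local[key] = public_id
            self._by_public[public_id] = key
        return self._by_local[key]

    def get_id_mapping(self, public_id):
        """Return the entity's domain, local ID and type, or None if unmapped."""
        key = self._by_public.get(public_id)
        if key is None:
            return None
        return dict(zip(('domain_id', 'local_id', 'entity_type'), key))

    def delete_id_mapping(self, public_id):
        """Silent when no mapping exists for public_id."""
        key = self._by_public.pop(public_id, None)
        if key is not None:
            del self._by_local[key]

def to_public_id(store, domain_id, local_id, entity_type, driver_is_default,
                 driver_is_ldap, backward_compatible_ids=True):
    """ID exposed by the API: the local ID itself unless a mapping is needed."""
    if not mapping_needed(driver_is_default, driver_is_ldap,
                          backward_compatible_ids):
        return local_id
    return store.create_id_mapping(domain_id, local_id, entity_type)
```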
Assert the user and the user’s domain are enabled.
Raises AssertionError: if the user or the user’s domain is disabled.
Emit a notification to the callback system to revoke grant tokens.
This method and its associated callback listener remove the need for making a direct call to another manager to delete and revoke tokens.
Parameters: user_project (dict) – {‘user_id’: user_id, ‘project_id’: project_id}
Emit a notification to the callback system to revoke user tokens.
This method and its associated callback listener remove the need for making a direct call to another manager to delete and revoke tokens.
Parameters: user_id (string) – user identifier
Bases: object
Interface description for an ID Mapping driver.
Create and store a mapping to a public_id.
Parameters:
Returns: public ID
Deletes an entry for the given public_id.
Parameters: public_id – The public ID for the mapping to be deleted.
The method is silent if no mapping is found.
Returns the local mapping.
Parameters: public_id – The public ID for the mapping required.
Returns dict: Containing the entity domain, local ID and type. If no mapping is found, it returns None.
Bases: keystone.common.manager.Manager
Default pivot point for the ID Mapping backend.
Bases: object
Interface description for a Shadow Users driver.
Create a new user with the federated identity.
Parameters:
Returns dict: Containing the user reference
Returns the found user for the federated identity.
Parameters:
Returns dict: Containing the user reference
Updates the federated user’s display name if changed.
Parameters:
Bases: keystone.common.manager.Manager
Default pivot point for the Shadow Users backend.
Wraps API calls to lazy load domain configs after init.
This is required since the assignment manager needs to be initialized before this manager, and yet this manager’s init wants to be able to make assignment calls (to build the domain configs). So instead, we check on entry to each call whether the domain configs have been initialized, and if required, load them.
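The lazy-loading wrapper just described, together with the per-domain driver selection and the config re-check explained in the DomainConfigs section above, as an added simplified model (not Keystone’s own code; Driver, DomainConfigs, Manager and the config_source callable are assumed stand-ins for the real classes and the cached resource-database read):

```python
import functools

# Added illustration of the lazy-loading wrapper, per-domain driver selection
# and config re-check described above. Not Keystone's own code: Driver,
# DomainConfigs, Manager and config_source are simplified, assumed stand-ins.

def domains_configured(f):
    """Set up domain-specific drivers on the first call, then run f."""
    @functools.wraps(f)
    def wrapper(self, *args, **kwargs):
        if not self.domain_configs.configured:
            self.domain_configs.setup_domain_drivers(self.config_source)
        return f(self, *args, **kwargs)
    return wrapper

class Driver:
    def __init__(self, config):
        self.name = config['driver']
        self.config = dict(config)  # snapshot used to detect later changes

class DomainConfigs(dict):
    """domain_id -> Driver for each domain with its own configuration."""
    configured = False

    def setup_domain_drivers(self, config_source):
        for domain_id, cfg in config_source().items():
            self[domain_id] = Driver(cfg)
        self.configured = True

    def check_domain_config(self, domain_id, config_source):
        """Reload the driver if the stored config differs from the current one."""
        current = config_source().get(domain_id)
        if current is None:
            self.pop(domain_id, None)  # config removed by another process
        elif domain_id not in self or self[domain_id].config != current:
            self[domain_id] = Driver(current)  # new or updated config

class Manager:
    def __init__(self, config_source):
        # config_source() stands in for the (cached) read of domain configs
        # from the resource database.
        self.config_source = config_source
        self.default_driver = Driver({'driver': 'sql'})
        self.domain_configs = DomainConfigs()

    @domains_configured
    def select_identity_driver(self, domain_id):
        """Domain-specific driver if one exists, else the default driver."""
        self.domain_configs.check_domain_config(domain_id, self.config_source)
        return self.domain_configs.get(domain_id, self.default_driver)
```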
ID Generator provider interface.
Bases: object
Interface description for an ID Generator provider.
Bases: keystone.common.manager.Manager
Default pivot point for the identifier generator backend.
WSGI Routers for the Identity service.