keystoneauth1.identity package¶
Subpackages¶
- keystoneauth1.identity.generic package
- keystoneauth1.identity.v3 package
- Submodules
- keystoneauth1.identity.v3.application_credential module
- keystoneauth1.identity.v3.base module
- keystoneauth1.identity.v3.federation module
- keystoneauth1.identity.v3.k2k module
- keystoneauth1.identity.v3.multi_factor module
- keystoneauth1.identity.v3.oauth2_client_credential module
- keystoneauth1.identity.v3.oidc module
- keystoneauth1.identity.v3.password module
- keystoneauth1.identity.v3.receipt module
- keystoneauth1.identity.v3.token module
- keystoneauth1.identity.v3.tokenless_auth module
- keystoneauth1.identity.v3.totp module
- Module contents
- Submodules
Submodules¶
Module contents¶
- class keystoneauth1.identity.BaseIdentityPlugin(auth_url=None, reauthenticate=True)
Bases:
keystoneauth1.plugin.BaseAuthPlugin
- MIN_TOKEN_LIFE_SECONDS = 120
- get_access(session, **kwargs)
Fetch or return a current AccessInfo object.
If a valid AccessInfo is present then it is returned otherwise a new one will be fetched.
- Parameters
session (keystoneauth1.session.Session) – A session object that can be used for communication.
- Raises
keystoneauth1.exceptions.http.HttpError – An error from an invalid HTTP response.
- Returns
Valid AccessInfo
- Return type
keystoneauth1.access.AccessInfo
- get_all_version_data(session, interface='public', region_name=None, service_type=None, **kwargs)
Get version data for all services in the catalog.
- Parameters
session (keystoneauth1.session.Session) – A session object that can be used for communication.
interface – Type of endpoint to get version data for. Can be a single value or a list of values. A value of None indicates that all interfaces should be queried. (optional, defaults to public)
region_name (string) – Region of endpoints to get version data for. A valueof None indicates that all regions should be queried. (optional, defaults to None)
service_type (string) – Limit the version data to a single service. (optional, defaults to None)
- Returns
A dictionary keyed by region_name with values containing dictionaries keyed by interface with values being a list of
VersionData
.
- get_api_major_version(session, service_type=None, interface=None, region_name=None, service_name=None, version=None, allow=None, allow_version_hack=True, skip_discovery=False, discover_versions=False, min_version=None, max_version=None, **kwargs)
Return the major API version for a service.
If a valid token is not present then a new one will be fetched using the session and kwargs.
version, min_version and max_version can all be given either as a string or a tuple.
- Valid interface types: public or publicURL,
internal or internalURL, admin or ‘adminURL`
- Parameters
session (keystoneauth1.session.Session) – A session object that can be used for communication.
service_type (string) – The type of service to lookup the endpoint for. This plugin will return None (failure) if service_type is not provided.
interface – Type of endpoint. Can be a single value or a list of values. If it’s a list of values, they will be looked for in order of preference. Can also be keystoneauth1.plugin.AUTH_INTERFACE to indicate that the auth_url should be used instead of the value in the catalog. (optional, defaults to public)
region_name (string) – The region the endpoint should exist in. (optional)
service_name (string) – The name of the service in the catalog. (optional)
version – The minimum version number required for this endpoint. (optional)
allow (dict) – Extra filters to pass when discovering API versions. (optional)
allow_version_hack (bool) – Allow keystoneauth to hack up catalog URLS to support older schemes. (optional, default True)
skip_discovery (bool) – Whether to skip version discovery even if a version has been given. This is useful if endpoint_override or similar has been given and grabbing additional information about the endpoint is not useful.
discover_versions (bool) – Whether to get version metadata from the version discovery document even if it’s not neccessary to fulfill the major version request. Defaults to False because get_endpoint doesn’t need metadata. (optional, defaults to False)
min_version – The minimum version that is acceptable. Mutually exclusive with version. If min_version is given with no max_version it is as if max version is ‘latest’. (optional)
max_version – The maximum version that is acceptable. Mutually exclusive with version. If min_version is given with no max_version it is as if max version is ‘latest’. (optional)
- Raises
keystoneauth1.exceptions.http.HttpError – An error from an invalid HTTP response.
- Returns
The major version of the API of the service discovered.
- Return type
tuple or None
Note
Implementation notes follow. Users should not need to wrap their head around these implementation notes. get_api_major_version should do what is expected with the least possible cost while still consistently returning a value if possible.
There are many cases when major version can be satisfied without actually calling the discovery endpoint (like when the version is in the url). If the user has a cloud with the versioned endpoint
https://volume.example.com/v3
in the catalog for theblock-storage
service and they do:client = adapter.Adapter( session, service_type='block-storage', min_version=2, max_version=3) volume_version = client.get_api_major_version()
The version actually be returned with no api calls other than getting the token. For that reason,
get_api_major_version()
first callsget_endpoint_data()
withdiscover_versions=False
.If their catalog has an unversioned endpoint
https://volume.example.com
for theblock-storage
service and they do this:client = adapter.Adapter(session, service_type='block-storage')
client is now set up to “use whatever is in the catalog”. Since the url doesn’t have a version,
get_endpoint_data()
withdiscover_versions=False
will result inapi_version=None
. (No version was requested so it didn’t need to do the round trip)In order to find out what version the endpoint actually is, we must make a round trip. Therefore, if
api_version
isNone
after the first call,get_api_major_version()
will make a second call toget_endpoint_data()
withdiscover_versions=True
.
- abstract get_auth_ref(session, **kwargs)
Obtain a token from an OpenStack Identity Service.
This method is overridden by the various token version plugins.
This function should not be called independently and is expected to be invoked via the do_authenticate function.
This function will be invoked if the AcessInfo object cached by the plugin is not valid. Thus plugins should always fetch a new AccessInfo when invoked. If you are looking to just retrieve the current auth data then you should use get_access.
- Parameters
session (keystoneauth1.session.Session) – A session object that can be used for communication.
- Raises
keystoneauth1.exceptions.response.InvalidResponse – The response returned wasn’t appropriate.
keystoneauth1.exceptions.http.HttpError – An error from an invalid HTTP response.
- Returns
Token access information.
- Return type
keystoneauth1.access.AccessInfo
- get_auth_state()
Retrieve the current authentication state for the plugin.
Retrieve any internal state that represents the authenticated plugin.
This should not fetch any new data if it is not present.
- Returns
a string that can be stored or None if there is no auth state present in the plugin. This string can be reloaded with set_auth_state to set the same authentication.
- Return type
str or None if no auth present.
- get_cache_id()
Fetch an identifier that uniquely identifies the auth options.
The returned identifier need not be decomposable or otherwise provide any way to recreate the plugin.
This string MUST change if any of the parameters that are used to uniquely identity this plugin change. It should not change upon a reauthentication of the plugin.
- Returns
A unique string for the set of options
- Return type
str or None if this is unsupported or unavailable.
- get_cache_id_elements()
Get the elements for this auth plugin that make it unique.
As part of the get_cache_id requirement we need to determine what aspects of this plugin and its values that make up the unique elements.
This should be overridden by plugins that wish to allow caching.
- Returns
The unique attributes and values of this plugin.
- Return type
A flat dict with a str key and str or None value. This is required as we feed these values into a hash. Pairs where the value is None are ignored in the hashed id.
- get_discovery(session, url, authenticated=None)
Return the discovery object for a URL.
Check the session and the plugin cache to see if we have already performed discovery on the URL and if so return it, otherwise create a new discovery object, cache it and return it.
This function is expected to be used by subclasses and should not be needed by users.
- Parameters
- Raises
keystoneauth1.exceptions.discovery.DiscoveryFailure – if for some reason the lookup fails.
keystoneauth1.exceptions.http.HttpError – An error from an invalid HTTP response.
- Returns
A discovery object with the results of looking up that URL.
- get_endpoint(session, service_type=None, interface=None, region_name=None, service_name=None, version=None, allow=None, allow_version_hack=True, skip_discovery=False, min_version=None, max_version=None, **kwargs)
Return a valid endpoint for a service.
If a valid token is not present then a new one will be fetched using the session and kwargs.
version, min_version and max_version can all be given either as a string or a tuple.
- Valid interface types: public or publicURL,
internal or internalURL, admin or ‘adminURL`
- Parameters
session (keystoneauth1.session.Session) – A session object that can be used for communication.
service_type (string) – The type of service to lookup the endpoint for. This plugin will return None (failure) if service_type is not provided.
interface – Type of endpoint. Can be a single value or a list of values. If it’s a list of values, they will be looked for in order of preference. Can also be keystoneauth1.plugin.AUTH_INTERFACE to indicate that the auth_url should be used instead of the value in the catalog. (optional, defaults to public)
region_name (string) – The region the endpoint should exist in. (optional)
service_name (string) – The name of the service in the catalog. (optional)
version – The minimum version number required for this endpoint. (optional)
allow (dict) – Extra filters to pass when discovering API versions. (optional)
allow_version_hack (bool) – Allow keystoneauth to hack up catalog URLS to support older schemes. (optional, default True)
skip_discovery (bool) – Whether to skip version discovery even if a version has been given. This is useful if endpoint_override or similar has been given and grabbing additional information about the endpoint is not useful.
min_version – The minimum version that is acceptable. Mutually exclusive with version. If min_version is given with no max_version it is as if max version is ‘latest’. (optional)
max_version – The maximum version that is acceptable. Mutually exclusive with version. If min_version is given with no max_version it is as if max version is ‘latest’. (optional)
- Raises
keystoneauth1.exceptions.http.HttpError – An error from an invalid HTTP response.
- Returns
A valid endpoint URL or None if not available.
- Return type
string or None
- get_endpoint_data(session, service_type=None, interface=None, region_name=None, service_name=None, allow=None, allow_version_hack=True, discover_versions=True, skip_discovery=False, min_version=None, max_version=None, endpoint_override=None, **kwargs)
Return a valid endpoint data for a service.
If a valid token is not present then a new one will be fetched using the session and kwargs.
version, min_version and max_version can all be given either as a string or a tuple.
- Valid interface types: public or publicURL,
internal or internalURL, admin or ‘adminURL`
- Parameters
session (keystoneauth1.session.Session) – A session object that can be used for communication.
service_type (string) – The type of service to lookup the endpoint for. This plugin will return None (failure) if service_type is not provided.
interface – Type of endpoint. Can be a single value or a list of values. If it’s a list of values, they will be looked for in order of preference. Can also be keystoneauth1.plugin.AUTH_INTERFACE to indicate that the auth_url should be used instead of the value in the catalog. (optional, defaults to public)
region_name (string) – The region the endpoint should exist in. (optional)
service_name (string) – The name of the service in the catalog. (optional)
allow (dict) – Extra filters to pass when discovering API versions. (optional)
allow_version_hack (bool) – Allow keystoneauth to hack up catalog URLS to support older schemes. (optional, default True)
discover_versions (bool) – Whether to get version metadata from the version discovery document even if it’s not neccessary to fulfill the major version request. (optional, defaults to True)
skip_discovery (bool) – Whether to skip version discovery even if a version has been given. This is useful if endpoint_override or similar has been given and grabbing additional information about the endpoint is not useful.
min_version – The minimum version that is acceptable. Mutually exclusive with version. If min_version is given with no max_version it is as if max version is ‘latest’. (optional)
max_version – The maximum version that is acceptable. Mutually exclusive with version. If min_version is given with no max_version it is as if max version is ‘latest’. (optional)
endpoint_override (str) – URL to use instead of looking in the catalog. Catalog lookup will be skipped, but version discovery will be run. Sets allow_version_hack to False (optional)
kwargs – Ignored.
- Raises
keystoneauth1.exceptions.http.HttpError – An error from an invalid HTTP response.
- Returns
Valid EndpointData or None if not available.
- Return type
keystoneauth1.discover.EndpointData or None
- get_project_id(session, **kwargs)
Return the project id that we are authenticated to.
Wherever possible the project id should be inferred from the token however there are certain URLs and other places that require access to the currently authenticated project id.
- Parameters
session (keystoneauth1.session.Session) – A session object so the plugin can make HTTP calls.
- Returns
A project identifier or None if one is not available.
- Return type
- get_sp_auth_url(session, sp_id, **kwargs)
Return auth_url from the Service Provider object.
This url is used for obtaining unscoped federated token from remote cloud.
- Parameters
sp_id (string) – ID of the Service Provider to be queried.
- Returns
A Service Provider auth_url or None if one is not available.
- Return type
- get_sp_url(session, sp_id, **kwargs)
Return sp_url from the Service Provider object.
This url is used for passing SAML2 assertion to the remote cloud.
- get_token(session, **kwargs)
Return a valid auth token.
If a valid token is not present then a new one will be fetched.
- Parameters
session (keystoneauth1.session.Session) – A session object that can be used for communication.
- Raises
keystoneauth1.exceptions.http.HttpError – An error from an invalid HTTP response.
- Returns
A valid token.
- Return type
string
- get_user_id(session, **kwargs)
Return a unique user identifier of the plugin.
Wherever possible the user id should be inferred from the token however there are certain URLs and other places that require access to the currently authenticated user id.
- Parameters
session (keystoneauth1.session.Session) – A session object so the plugin can make HTTP calls.
- Returns
A user identifier or None if one is not available.
- Return type
- invalidate()
Invalidate the current authentication data.
This should result in fetching a new token on next call.
A plugin may be invalidated if an Unauthorized HTTP response is returned to indicate that the token may have been revoked or is otherwise now invalid.
- Returns
True if there was something that the plugin did to invalidate. This means that it makes sense to try again. If nothing happens returns False to indicate give up.
- Return type
- set_auth_state(data)
Install existing authentication state for a plugin.
Take the output of get_auth_state and install that authentication state into the current authentication plugin.
- class keystoneauth1.identity.Password(auth_url, username=None, user_id=None, password=None, user_domain_id=None, user_domain_name=None, **kwargs)
Bases:
keystoneauth1.identity.generic.base.BaseGenericPlugin
A common user/password authentication plugin.
- Parameters
username (string) – Username for authentication.
user_id (string) – User ID for authentication.
password (string) – Password for authentication.
user_domain_id (string) – User’s domain ID for authentication.
user_domain_name (string) – User’s domain name for authentication.
- create_plugin(session, version, url, raw_status=None)
Create a plugin from the given parameters.
This function will be called multiple times with the version and url of a potential endpoint. If a plugin can be constructed that fits the params then it should return it. If not return None and then another call will be made with other available URLs.
- Parameters
- Returns
A plugin that can match the parameters or None if nothing.
- get_cache_id_elements()
Get the elements for this auth plugin that make it unique.
As part of the get_cache_id requirement we need to determine what aspects of this plugin and its values that make up the unique elements.
This should be overridden by plugins that wish to allow caching.
- Returns
The unique attributes and values of this plugin.
- Return type
A flat dict with a str key and str or None value. This is required as we feed these values into a hash. Pairs where the value is None are ignored in the hashed id.
- property user_domain_id
- property user_domain_name
- class keystoneauth1.identity.Token(auth_url, token=None, **kwargs)
Bases:
keystoneauth1.identity.generic.base.BaseGenericPlugin
Generic token auth plugin.
- Parameters
token (string) – Token for authentication.
- create_plugin(session, version, url, raw_status=None)
Create a plugin from the given parameters.
This function will be called multiple times with the version and url of a potential endpoint. If a plugin can be constructed that fits the params then it should return it. If not return None and then another call will be made with other available URLs.
- Parameters
- Returns
A plugin that can match the parameters or None if nothing.
- get_cache_id_elements()
Get the elements for this auth plugin that make it unique.
As part of the get_cache_id requirement we need to determine what aspects of this plugin and its values that make up the unique elements.
This should be overridden by plugins that wish to allow caching.
- Returns
The unique attributes and values of this plugin.
- Return type
A flat dict with a str key and str or None value. This is required as we feed these values into a hash. Pairs where the value is None are ignored in the hashed id.
- keystoneauth1.identity.V2Password
See
keystoneauth1.identity.v2.Password
- keystoneauth1.identity.V2Token
See
keystoneauth1.identity.v2.Token
- keystoneauth1.identity.V3ApplicationCredential
See
keystoneauth1.identity.v3.ApplicationCredential
- keystoneauth1.identity.V3MultiFactor
See
keystoneauth1.identity.v3.MultiFactor
- keystoneauth1.identity.V3OAuth2ClientCredential
See
keystoneauth1.identity.v3.OAuth2ClientCredential
- keystoneauth1.identity.V3OidcAccessToken
See
keystoneauth1.identity.v3.oidc.OidcAccessToken
- keystoneauth1.identity.V3OidcAuthorizationCode
See
keystoneauth1.identity.v3.oidc.OidcAuthorizationCode
- keystoneauth1.identity.V3OidcDeviceAuthorization
See
keystoneauth1.identity.v3.oidc.OidcDeviceAuthorization
- keystoneauth1.identity.V3OidcPassword
See
keystoneauth1.identity.v3.oidc.OidcPassword
- keystoneauth1.identity.V3Password
See
keystoneauth1.identity.v3.Password
- keystoneauth1.identity.V3TOTP
See
keystoneauth1.identity.v3.TOTP
- keystoneauth1.identity.V3Token
See
keystoneauth1.identity.v3.Token
- keystoneauth1.identity.V3TokenlessAuth
See
keystoneauth1.identity.v3.TokenlessAuth