keystone.token package

Subpackages
- keystone.token.persistence package
- keystone.token.providers package

Submodules
keystone.token.controllers module

class keystone.token.controllers.Auth(*args, **kwargs)
Bases: keystone.common.controller.V2Controller

- authenticate(*args, **kwargs)
  Authenticate credentials and return a token.
  Accept auth as a dict that looks like:

      {
          "auth": {
              "passwordCredentials": {
                  "username": "test_user",
                  "password": "mypass"
              },
              "tenantName": "customer-x"
          }
      }

  In this case, tenant is optional; if it is not provided, the token will be considered "unscoped" and can later be used to get a scoped token.
  Alternatively, this call accepts auth with only a token and a tenant, and will return a token that is scoped to that tenant.

- ca_cert(*args, **kwargs)

- delete_token(*args, **kwargs)
  Delete a token, effectively invalidating it for authz.

- endpoints(*args, **kwargs)
  Return a list of endpoints available to the token.

- classmethod format_endpoint_list(catalog_ref)
  Formats a list of endpoints according to Identity API v2.
  The v2.0 API wants an endpoint list to look like:

      {
          'endpoints': [
              {
                  'id': $endpoint_id,
                  'name': $SERVICE[name],
                  'type': $SERVICE,
                  'tenantId': $tenant_id,
                  'region': $REGION,
              }
          ],
          'endpoints_links': [],
      }

- revocation_list(*args, **kwargs)

- signing_cert(*args, **kwargs)

- validate_token(*args, **kwargs)
  Check that a token is valid.
  Optionally, also ensure that it is owned by a specific tenant.
  Returns metadata about the token along with any associated roles.

- validate_token_head(*args, **kwargs)
  Check that a token is valid.
  Optionally, also ensure that it is owned by a specific tenant.
  Identical to validate_token, except that it does not return a response body. The code in keystone.common.wsgi.render_response will remove the content body.
keystone.token.provider module

Token provider interface.

class keystone.token.provider.Manager(*args, **kwargs)
Bases: keystone.common.manager.Manager
Default pivot point for the token provider backend.
See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

- INVALIDATE_PROJECT_TOKEN_PERSISTENCE = 'invalidate_project_tokens'
- INVALIDATE_USER_TOKEN_PERSISTENCE = 'invalidate_user_tokens'
- V2 = 'v2.0'
- V3 = 'v3.0'
- VERSIONS = frozenset(['v3.0', 'v2.0'])
- driver_namespace = 'keystone.token.provider'

class keystone.token.provider.Provider
Bases: object
Interface description for a Token provider.

- get_token_version(token_data)
  Return the version of the given token data.
  If the given token data is unrecognizable, UnsupportedTokenVersionException is raised.
  Parameters: token_data (dict) – token_data
  Returns: token version string
  Raises: keystone.exception.UnsupportedTokenVersionException – if the token version is not expected.

- issue_v2_token(token_ref, roles_ref=None, catalog_ref=None)
  Issue a V2 token.
  Parameters:
    - token_ref (dict) – token data to generate the token from
    - roles_ref (dict) – optional roles list
    - catalog_ref (dict) – optional catalog information
  Returns: (token_id, token_data)

- issue_v3_token(user_id, method_names, expires_at=None, project_id=None, domain_id=None, auth_context=None, trust=None, metadata_ref=None, include_catalog=True, parent_audit_id=None)
  Issue a V3 token.
  Parameters:
    - user_id (string) – identity of the user
    - method_names (list) – names of authentication methods
    - expires_at (string) – optional time the token will expire
    - project_id (string) – optional project identity
    - domain_id (string) – optional domain identity
    - auth_context (dict) – optional context from the authorization plugins
    - trust (dict) – optional trust reference
    - metadata_ref (dict) – optional metadata reference
    - include_catalog (boolean) – optional, include the catalog in the token data
    - parent_audit_id (string) – optional, the audit id of the parent token
  Returns: (token_id, token_data)

- needs_persistence()
  Determine if the token should be persisted.
  If the token provider requires that the token be persisted to a backend, this should return True; otherwise return False.

- validate_non_persistent_token(token_id)
  Validate a given non-persistent token id and return the token_data.
  Parameters: token_id (string) – the token id
  Returns: token data
  Raises: keystone.exception.TokenNotFound – when the token is invalid

- validate_v2_token(token_ref)
  Validate the given V2 token and return the token data.
  Must raise an Unauthorized exception if unable to validate the token.
  Parameters: token_ref (dict) – the token reference
  Returns: token data
  Raises: keystone.exception.TokenNotFound – if the token doesn't exist.

- validate_v3_token(token_ref)
  Validate the given V3 token and return the token_data.
  Parameters: token_ref (dict) – the token reference
  Returns: token data
  Raises: keystone.exception.TokenNotFound – if the token doesn't exist.

- keystone.token.provider.audit_info(parent_audit_id)
  Build the audit data for a token.
  If parent_audit_id is None, the list will be one element in length, containing a newly generated audit_id. If parent_audit_id is supplied, the list will be two elements in length, containing a newly generated audit_id and the parent_audit_id. The parent_audit_id will always be at element index 1 in the resulting list.
  Parameters: parent_audit_id (str) – the audit id of the original token in the chain
  Returns: Keystone token audit data

- keystone.token.provider.base64_encode(s)
  Encode a URL-safe string.
  Return type: six.text_type

- keystone.token.provider.default_expire_time()
  Determine when a fresh token should expire.
  Expiration time varies based on configuration (see [token] expiration).
  Returns: a naive UTC datetime.datetime object

- keystone.token.provider.random_urlsafe_str()
  Generate a random URL-safe string.
  Return type: six.text_type

- keystone.token.provider.random_urlsafe_str_to_bytes(s)
  Convert a string from random_urlsafe_str() to six.binary_type.
  Return type: six.binary_type
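The audit-chain contract of audit_info() and the URL-safe helpers around it (random_urlsafe_str, base64_encode, random_urlsafe_str_to_bytes), as an added, stand-alone re-implementation of the behaviour this module documents; it is not Keystone's own code. Assumptions: Python 3 (bytes/str instead of six types), a 16-byte random value behind each audit id, and audit_chain_ok() is a hypothetical helper added to show the index-1 guarantee.

```python
# Added example, not keystone.token.provider itself: re-implements the documented
# contract so the audit-chain guarantee can be checked on realistic values.
import base64
import os

RANDOM_BYTES = 16  # assumption: size of the random value behind an audit id


def base64_encode(s):
    """Encode bytes as a URL-safe base64 text string, '=' padding stripped."""
    return base64.urlsafe_b64encode(s).rstrip(b"=").decode("utf-8")


def random_urlsafe_str():
    """Generate a random URL-safe string from os.urandom (a CSPRNG)."""
    return base64_encode(os.urandom(RANDOM_BYTES))


def random_urlsafe_str_to_bytes(s):
    """Invert random_urlsafe_str(): restore the stripped padding, then decode."""
    padding = "=" * (-len(s) % 4)
    return base64.urlsafe_b64decode((s + padding).encode("utf-8"))


def audit_info(parent_audit_id):
    """Build the audit data for a token.

    [new_audit_id] when there is no parent; otherwise
    [new_audit_id, parent_audit_id], so the parent is always at index 1.
    """
    audit_id = random_urlsafe_str()
    if parent_audit_id is None:
        return [audit_id]
    return [audit_id, parent_audit_id]


def audit_chain_ok(child_audit_ids, parent_audit_ids):
    """Hypothetical check: the child's index-1 entry must be the parent's own
    audit id (index 0), which is what ties a rescoped token to its origin."""
    return (len(child_audit_ids) == 2
            and child_audit_ids[1] == parent_audit_ids[0])


if __name__ == "__main__":
    root = audit_info(None)            # first token in a chain
    child = audit_info(root[0])        # token obtained from the first one
    print(root, child, audit_chain_ok(child, root))
```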
keystone.token.utils module

- keystone.token.utils.generate_unique_id(token_id)
  Return a unique ID for a token.
  The returned value is useful as the primary key of a database table, memcache store, or other lookup table.
  Returns: Given a PKI token, returns its hashed value. Otherwise, returns the passed-in value (such as a UUID token ID or an existing hash).