Authentication plugins provide a generic means by which to extend the authentication mechanisms known to OpenStack clients.
In the vast majority of cases the authentication plugins used will be those written for use with the OpenStack Identity Service (Keystone), however this is not the only possible case, and the mechanisms by which authentication plugins are used and implemented should be generic enough to cover completely customized authentication solutions.
The subset of authentication plugins intended for use with an OpenStack Identity server (such as Keystone) are called Identity Plugins.
Keystoneclient ships with a number of plugins and particularly Identity Plugins.
V2 Identity Plugins¶
Standard V2 identity plugins are defined in the module:
Password: Authenticate against a V2 identity service using a username and password.
Token: Authenticate against a V2 identity service using an existing token.
V2 identity plugins must use an auth_url that points to the root of a V2 identity server URL, i.e.: http://hostname:5000/v2.0.
V3 Identity Plugins¶
Standard V3 identity plugins are defined in the module
V3 Identity plugins are slightly different from their V2 counterparts as a V3
authentication request can contain multiple authentication methods. To handle
this V3 defines a number of different
PasswordMethod: Authenticate against a V3 identity service using a username and password.
TokenMethod: Authenticate against a V3 identity service using an existing token.
>>> from keystoneclient import session >>> from keystoneclient.auth.identity import v3 >>> password = v3.PasswordMethod(username='user', ... password='password') >>> auth = v3.Auth(auth_url='http://my.keystone.com:5000/v3', ... auth_methods=[password], ... project_id='projectid') >>> sess = session.Session(auth=auth)
>>> auth = v3.Password(auth_url='http://my.keystone.com:5000/v3', ... username='username', ... password='password', ... project_id='projectid') >>> sess = session.Session(auth=auth)
This will have exactly the same effect as using the single
V3 identity plugins must use an auth_url that points to the root of a V3 identity server URL, i.e.: http://hostname:5000/v3.
Version Independent Identity Plugins¶
Standard version independent identity plugins are defined in the module
For the cases of plugins that exist under both the identity V2 and V3 APIs there is an abstraction to allow the plugin to determine which of the V2 and V3 APIs are supported by the server and use the most appropriate API.
These plugins are:
Password: Authenticate using a user/password against either v2 or v3 API.
Token: Authenticate using an existing token against either v2 or v3 API.
These plugins work by first querying the identity server to determine available versions and so the auth_url used with the plugins should point to the base URL of the identity server to use. If the auth_url points to either a V2 or V3 endpoint it will restrict the plugin to only working with that version of the API.
In addition to the Identity plugins a simple plugin that will always use the
same provided token and endpoint is available. This is useful in situations
where you have an
ADMIN_TOKEN or in testing when you specifically know the
endpoint you want to communicate with.
It can be found at
V3 OAuth 1.0a Plugins¶
There also exists a plugin for OAuth 1.0a authentication. We provide a helper
authentication plugin at:
The plugin requires the OAuth consumer’s key and secret, as well as the OAuth
access token’s key and secret. For example:
>>> from keystoneclient.v3.contrib.oauth1 import auth >>> from keystoneclient import session >>> from keystoneclient.v3 import client >>> a = auth.OAuth('http://my.keystone.com:5000/v3', ... consumer_key=consumer_id, ... consumer_secret=consumer_secret, ... access_key=access_token_key, ... access_secret=access_token_secret) >>> s = session.Session(auth=a)
Loading Plugins by Name¶
In auth_token middleware and for some service to service communication it is possible to specify a plugin to load via name. The authentication options that are available are then specific to the plugin that you specified. Currently the authentication plugins that are available in keystoneclient are:
Creating Authentication Plugins¶
Creating an Identity Plugin¶
If you have implemented a new authentication mechanism into the Identity service then you will be able to reuse a lot of the infrastructure available for the existing Identity mechanisms. As the V2 identity API is essentially frozen, it is expected that new plugins are for the V3 API.
To implement a new V3 plugin that can be combined with others you should
implement the base
and implement the
If your Plugin cannot be used in conjunction with existing
keystoneclient.auth.identity.v3.AuthMethod then you should just
AuthMethod should take all
the required parameters via
__init__() and return from
get_auth_data() a tuple
with the unique identifier of this plugin (e.g. password) and a dictionary
containing the payload of values to send to the authentication server. The
session, calling auth object and request headers are also passed to this
function so that the plugin may use or manipulate them.
Creating a Custom Plugin¶
get_token() is called to
retrieve the string token from a plugin. It is intended that a plugin will
cache a received token and so if the token is still valid then it should be
re-used rather than fetching a new one. A session object is provided with which
the plugin can contact it’s server. (Note: use authenticated=False when
making those requests or it will end up being called recursively). The return
value should be the token as a string.
get_endpoint() is called to
determine a base URL for a particular service’s requests. The keyword arguments
provided to the function are those that are given by the endpoint_filter
keystoneclient.session.Session.request(). A session object
is also provided so that the plugin may contact an external source to determine
the endpoint. Again this will be generally be called once per request and so
it is up to the plugin to cache these responses if appropriate. The return
value should be the base URL to communicate with.
The most simple example of a plugin is the
When writing a plugin you should ensure that any fetch operation is thread safe. A common pattern is for a service to hold a single service authentication plugin globally and re-use that between all threads. This means that when a token expires there may be multiple threads that all try to fetch a new plugin at the same time. It is the responsibility of the plugin to ensure that this case is handled in a way that still results in correct reauthentication.