keystone.auth.plugins.mapped module

class keystone.auth.plugins.mapped.Mapped[source]

Bases: AuthMethodHandler


Authenticate mapped user and set an authentication context.


auth_payload – the content of the authentication for a given method

In addition to user_id in response_data, this plugin sets group_ids, OS-FEDERATION:identity_provider and OS-FEDERATION:protocol

keystone.auth.plugins.mapped.apply_mapping_filter(identity_provider, protocol, assertion, resource_api, federation_api, identity_api)[source]
keystone.auth.plugins.mapped.configure_project_domain(shadow_project, idp_domain_id, resource_api)[source]

Configure federated projects domain.

We set the domain to be the default (idp_domain_id) if the project from the attribute mapping comes without a domain.

keystone.auth.plugins.mapped.handle_projects_from_mapping(shadow_projects, idp_domain_id, existing_roles, user, assignment_api, resource_api)[source]
keystone.auth.plugins.mapped.handle_scoped_token(token, federation_api, identity_api)[source]
keystone.auth.plugins.mapped.handle_unscoped_token(auth_payload, resource_api, federation_api, identity_api, assignment_api, role_api)[source]
keystone.auth.plugins.mapped.validate_and_prepare_federated_user(mapped_properties, idp_domain_id, resource_api)[source]

Setup federated username.

Function covers all the cases for properly setting user id, a primary identifier for identity objects. Initial version of the mapping engine assumed user is identified by name and his id is built from the name. We, however need to be able to accept local rules that identify user by either id or name/domain.

The following use-cases are covered:

  1. If neither user_name nor user_id is set raise exception.Unauthorized

  2. If user_id is set and user_name not, set user_name equal to user_id

  3. If user_id is not set and user_name is, set user_id as url safe version of user_name.

Furthermore, we set the IdP as the user domain, if the user definition does not come with a domain definition.

  • mapped_properties – Properties issued by a RuleProcessor.

  • idp_domain_id – The domain ID of the IdP registered in OpenStack.

  • resource_api – The resource API used to access the database layer.








keystone.exception.Unauthorized – If neither user_name nor user_id is set.


tuple with user identification

Return type: