keystone.federation.utils module¶
Utilities for Federation Extension.
- class keystone.federation.utils.DirectMaps[source]¶
Bases:
objectAn abstraction around the remote matches.
Each match is treated internally as a list.
- class keystone.federation.utils.RuleProcessor(mapping_id, rules)[source]¶
Bases:
objectA class to process assertions and mapping rules.
- process(assertion_data)[source]¶
Transform assertion to a dictionary.
The dictionary contains mapping of user name and group ids based on mapping rules.
This function will iterate through the mapping rules to find assertions that are valid.
- Parameters:
assertion_data (dict) – an assertion containing values from an IdP
Example assertion_data:
{ 'Email': 'testacct@example.com', 'UserName': 'testacct', 'FirstName': 'Test', 'LastName': 'Account', 'orgPersonType': 'Tester' }
- Returns:
dictionary with user and group_ids
The expected return structure is:
{ 'name': 'foobar', 'group_ids': ['abc123', 'def456'], 'group_names': [ { 'name': 'group_name_1', 'domain': { 'name': 'domain1' } }, { 'name': 'group_name_1_1', 'domain': { 'name': 'domain1' } }, { 'name': 'group_name_2', 'domain': { 'id': 'xyz132' } } ] }
- class keystone.federation.utils.RuleProcessorToHonorDomainOption(mapping_id, rules)[source]¶
Bases:
RuleProcessorHandles the default domain configured in the attribute mapping.
This rule processor is designed to handle the domain attribute configured at the root of the attribute mapping. When this attribute is configured, we should take it as the default one for the attribute mapping, instead of the domain of the IdP. Moreover, we should respect the override to it that can take place at the groups, user, and projects attributes definition.
- class keystone.federation.utils.UserType[source]¶
Bases:
objectUser mapping type.
- EPHEMERAL = 'ephemeral'¶
- LOCAL = 'local'¶
- keystone.federation.utils.transform_to_group_ids(group_names, mapping_id, identity_api, resource_api)[source]¶
Transform groups identified by name/domain to their ids.
Function accepts list of groups identified by a name and domain giving a list of group ids in return. A message is logged if the group doesn’t exist in the backend.
Example of group_names parameter:
[ { "name": "group_name", "domain": { "id": "domain_id" }, }, { "name": "group_name_2", "domain": { "name": "domain_name" } } ]
- Parameters:
group_names (list) – list of group identified by name and its domain.
mapping_id (str) – id of the mapping used for mapping assertion into local credentials
identity_api – identity_api object
resource_api – resource manager object
- Returns:
generator object with group ids
- keystone.federation.utils.validate_idp(idp, protocol, assertion)[source]¶
The IdP providing the assertion should be registered for the mapping.
- keystone.federation.utils.validate_mapped_group_ids(group_ids, mapping_id, identity_api)[source]¶
Iterate over group ids and make sure they are present in the backend.
This call is not transactional. :param group_ids: IDs of the groups to be checked :type group_ids: list of str
- Parameters:
mapping_id (str) – id of the mapping used for this operation
identity_api (identity.Manager) – Identity Manager object used for communication with backend
- Raises:
keystone.exception.MappedGroupNotFound – If the group returned by mapping was not found in the backend.
