keystone.federation package¶

Subpackages¶

keystone.federation.backends package

Submodules¶

keystone.federation.constants module¶

keystone.federation.controllers module¶

Workflow logic for the Federation service.

class keystone.federation.controllers.Auth(*args, **kw)[source]¶

Bases: keystone.auth.controllers.Auth

create_ecp_assertion(request, auth)[source]¶

Exchange a scoped token for an ECP assertion.

Parameters:	auth – Dictionary that contains a token and service provider ID
Returns:	ECP Assertion based on properties from the token

create_saml_assertion(request, auth)[source]¶

Exchange a scoped token for a SAML assertion.

Parameters:	auth – Dictionary that contains a token and service provider ID
Returns:	SAML Assertion based on properties from the token

federated_authentication(request, idp_id, protocol_id)[source]¶

Authenticate from dedicated url endpoint.

Build HTTP request body for federated authentication and inject it into the authenticate_for_token function.

federated_idp_specific_sso_auth(request, idp_id, protocol_id)[source]¶

federated_sso_auth(request, protocol_id)[source]¶

render_html_response(host, token_id)[source]¶: Form an HTML Form from a template with autosubmit.

class keystone.federation.controllers.DomainV3[source]¶

Bases: keystone.common.controller.V3Controller

collection_name = 'domains'¶

list_domains_for_user(request, *args, **kwargs)[source]¶

List all domains available to an authenticated user.

Parameters:	context – request context
Returns:	list of accessible domains

member_name = 'domain'¶

class keystone.federation.controllers.FederationProtocol(*args, **kwargs)[source]¶

Bases: keystone.federation.controllers._ControllerBase

A federation protocol representation.

See keystone.common.controller.V3Controller docstring for explanation on _public_parameters class attributes.

collection_name = 'protocols'¶

create_protocol(request, *args, **kwargs)[source]¶

delete_protocol(request, *args, **kwargs)[source]¶

get_protocol(request, *args, **kwargs)[source]¶

list_protocols(request, *args, **kwargs)[source]¶

member_name = 'protocol'¶

update_protocol(request, *args, **kwargs)[source]¶

classmethod wrap_member(context, ref)[source]¶

class keystone.federation.controllers.IdentityProvider(*args, **kwargs)[source]¶

Bases: keystone.federation.controllers._ControllerBase

Identity Provider representation.

collection_name = 'identity_providers'¶

create_identity_provider(request, *args, **kwargs)[source]¶

delete_identity_provider(request, *args, **kwargs)[source]¶

get_identity_provider(request, *args, **kwargs)[source]¶

list_identity_providers(request, **kwargs)[source]¶

member_name = 'identity_provider'¶

update_identity_provider(request, *args, **kwargs)[source]¶

classmethod wrap_member(context, ref)[source]¶

class keystone.federation.controllers.MappingController(*args, **kwargs)[source]¶

Bases: keystone.federation.controllers._ControllerBase

collection_name = 'mappings'¶

create_mapping(request, *args, **kwargs)[source]¶

delete_mapping(request, *args, **kwargs)[source]¶

get_mapping(request, *args, **kwargs)[source]¶

list_mappings(request, *args, **kwargs)[source]¶

member_name = 'mapping'¶

update_mapping(request, *args, **kwargs)[source]¶

class keystone.federation.controllers.ProjectAssignmentV3[source]¶

Bases: keystone.common.controller.V3Controller

collection_name = 'projects'¶

list_projects_for_user(request, *args, **kwargs)[source]¶

List all projects available to an authenticated user.

Parameters:	context – request context
Returns:	list of accessible projects

member_name = 'project'¶

class keystone.federation.controllers.SAMLMetadataV3(*args, **kwargs)[source]¶

Bases: keystone.federation.controllers._ControllerBase

get_metadata(context)[source]¶

member_name = 'metadata'¶

class keystone.federation.controllers.ServiceProvider(*args, **kwargs)[source]¶

Bases: keystone.federation.controllers._ControllerBase

Service Provider representation.

collection_name = 'service_providers'¶

create_service_provider(request, *args, **kwargs)[source]¶

delete_service_provider(request, *args, **kwargs)[source]¶

get_service_provider(request, *args, **kwargs)[source]¶

list_service_providers(request, **kwargs)[source]¶

member_name = 'service_provider'¶

update_service_provider(request, *args, **kwargs)[source]¶

keystone.federation.core module¶

Main entry point into the Federation service.

class keystone.federation.core.Manager(*args, **kwargs)[source]¶

Bases: keystone.common.manager.Manager

Default pivot point for the Federation backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

create_idp(*args, **kwargs)[source]¶

create_protocol(*args, **kwargs)[source]¶

create_sp(*args, **kwargs)[source]¶

delete_sp(*args, **kwargs)[source]¶

driver_namespace = 'keystone.federation'¶

evaluate(*args, **kwargs)[source]¶

get_enabled_service_providers(*args, **kwargs)[source]¶

List enabled service providers for Service Catalog.

Service Provider in a catalog contains three attributes: id, auth_url, sp_url, where:

id is a unique, user defined identifier for service provider object
auth_url is an authentication URL of remote Keystone
sp_url a URL accessible at the remote service provider where SAML assertion is transmitted.

Returns:	list of dictionaries with enabled service providers
Return type:	list of dicts

update_protocol(*args, **kwargs)[source]¶

update_sp(*args, **kwargs)[source]¶

keystone.federation.idp module¶

class keystone.federation.idp.ECPGenerator[source]¶

Bases: object

A class for generating an ECP assertion.

static generate_ecp(saml_assertion, relay_state_prefix)[source]¶

class keystone.federation.idp.MetadataGenerator[source]¶

Bases: object

A class for generating SAML IdP Metadata.

generate_metadata()[source]¶

Generate Identity Provider Metadata.

Generate and format metadata into XML that can be exposed and consumed by a federated Service Provider.

Returns:	XML <EntityDescriptor> object.
Raises:	keystone.exception.ValidationError – If the required config options aren’t set.

class keystone.federation.idp.SAMLGenerator[source]¶

Bases: object

A class to generate SAML assertions.

samlize_token(issuer, recipient, user, user_domain_name, roles, project, project_domain_name, expires_in=None)[source]¶

Convert Keystone attributes to a SAML assertion.

Parameters:

issuer (string) – URL of the issuing party
recipient (string) – URL of the recipient
user (string) – User name
user_domain_name (string) – User Domain name
roles (list) – List of role names
project (string) – Project name
project_domain_name (string) – Project Domain name
expires_in (int) – Sets how long the assertion is valid for, in seconds

Returns:

XML <Response> object

keystone.federation.routers module¶

class keystone.federation.routers.Routers[source]¶

Bases: keystone.common.wsgi.RoutersBase

API Endpoints for the Federation extension.

The API looks like:

PUT /OS-FEDERATION/identity_providers/{idp_id}
GET /OS-FEDERATION/identity_providers
GET /OS-FEDERATION/identity_providers/{idp_id}
DELETE /OS-FEDERATION/identity_providers/{idp_id}
PATCH /OS-FEDERATION/identity_providers/{idp_id}

PUT /OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}
GET /OS-FEDERATION/identity_providers/
    {idp_id}/protocols
GET /OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}
PATCH /OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}
DELETE /OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}

PUT /OS-FEDERATION/mappings
GET /OS-FEDERATION/mappings
PATCH /OS-FEDERATION/mappings/{mapping_id}
GET /OS-FEDERATION/mappings/{mapping_id}
DELETE /OS-FEDERATION/mappings/{mapping_id}

GET /OS-FEDERATION/projects
GET /OS-FEDERATION/domains

PUT /OS-FEDERATION/service_providers/{sp_id}
GET /OS-FEDERATION/service_providers
GET /OS-FEDERATION/service_providers/{sp_id}
DELETE /OS-FEDERATION/service_providers/{sp_id}
PATCH /OS-FEDERATION/service_providers/{sp_id}

GET /OS-FEDERATION/identity_providers/{idp_id}/
    protocols/{protocol_id}/auth
POST /OS-FEDERATION/identity_providers/{idp_id}/
    protocols/{protocol_id}/auth
GET /auth/OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}/websso
    ?origin=https%3A//horizon.example.com
POST /auth/OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}/websso
    ?origin=https%3A//horizon.example.com


POST /auth/OS-FEDERATION/saml2
POST /auth/OS-FEDERATION/saml2/ecp
GET /OS-FEDERATION/saml2/metadata

GET /auth/OS-FEDERATION/websso/{protocol_id}
    ?origin=https%3A//horizon.example.com

POST /auth/OS-FEDERATION/websso/{protocol_id}
     ?origin=https%3A//horizon.example.com

append_v3_routers(mapper, routers)[source]¶

keystone.federation.schema module¶

keystone.federation.utils module¶

Utilities for Federation Extension.

class keystone.federation.utils.DirectMaps[source]¶

Bases: object

An abstraction around the remote matches.

Each match is treated internally as a list.

add(values)[source]¶

Add a matched value to the list of matches.

Parameters:	value (list) – the match to save

class keystone.federation.utils.RuleProcessor(mapping_id, rules)[source]¶

Bases: object

A class to process assertions and mapping rules.

process(assertion_data)[source]¶

Transform assertion to a dictionary.

The dictionary contains mapping of user name and group ids based on mapping rules.

This function will iterate through the mapping rules to find assertions that are valid.

Parameters:	assertion_data (dict) – an assertion containing values from an IdP

Example assertion_data:

{
    'Email': 'testacct@example.com',
    'UserName': 'testacct',
    'FirstName': 'Test',
    'LastName': 'Account',
    'orgPersonType': 'Tester'
}

Returns:	dictionary with user and group_ids

The expected return structure is:

{
    'name': 'foobar',
    'group_ids': ['abc123', 'def456'],
    'group_names': [
        {
            'name': 'group_name_1',
            'domain': {
                'name': 'domain1'
            }
        },
        {
            'name': 'group_name_1_1',
            'domain': {
                'name': 'domain1'
            }
        },
        {
            'name': 'group_name_2',
            'domain': {
                'id': 'xyz132'
            }
        }
    ]
}

class keystone.federation.utils.UserType[source]¶

Bases: object

User mapping type.

EPHEMERAL = 'ephemeral'¶

LOCAL = 'local'¶

keystone.federation.utils.assert_enabled_identity_provider(federation_api, idp_id)[source]¶

keystone.federation.utils.assert_enabled_service_provider_object(service_provider)[source]¶

keystone.federation.utils.get_assertion_params_from_env(request)[source]¶

keystone.federation.utils.get_remote_id_parameter(protocol)[source]¶

keystone.federation.utils.transform_to_group_ids(group_names, mapping_id, identity_api, resource_api)[source]¶

Transform groups identified by name/domain to their ids.

Function accepts list of groups identified by a name and domain giving a list of group ids in return.

Example of group_names parameter:

[
    {
        "name": "group_name",
        "domain": {
            "id": "domain_id"
        },
    },
    {
        "name": "group_name_2",
        "domain": {
            "name": "domain_name"
        }
    }
]

Parameters:	group_names (list) – list of group identified by name and its domain. mapping_id (str) – id of the mapping used for mapping assertion into local credentials identity_api – identity_api object resource_api – resource manager object
Returns:	generator object with group ids
Raises:	keystone.exception.MappedGroupNotFound – in case asked group doesn’t exist in the backend.

keystone.federation.utils.validate_expiration(token_ref)[source]¶

keystone.federation.utils.validate_idp(idp, protocol, assertion)[source]¶: The IdP providing the assertion should be registered for the mapping.

keystone.federation.utils.validate_mapped_group_ids(group_ids, mapping_id, identity_api)[source]¶

Iterate over group ids and make sure they are present in the backend.

This call is not transactional. :param group_ids: IDs of the groups to be checked :type group_ids: list of str

Parameters:	mapping_id (str) – id of the mapping used for this operation identity_api (identity.Manager) – Identity Manager object used for communication with backend
Raises:	keystone.exception.MappedGroupNotFound – If the group returned by mapping was not found in the backend.

keystone.federation.utils.validate_mapping_structure(ref)[source]¶

OpenStack

keystone.federation package¶

Subpackages¶

Submodules¶

keystone.federation.constants module¶

keystone.federation.controllers module¶

keystone.federation.core module¶

keystone.federation.idp module¶

keystone.federation.routers module¶

keystone.federation.schema module¶

keystone.federation.utils module¶

Module contents¶

Table Of Contents

Previous topic

Next topic

Project Source

This Page

OpenStack

keystone.federation package¶

Subpackages¶

Submodules¶

keystone.federation.constants module¶

keystone.federation.controllers module¶

keystone.federation.core module¶

keystone.federation.idp module¶

keystone.federation.routers module¶

keystone.federation.schema module¶

keystone.federation.utils module¶

Module contents¶

Table Of Contents

Previous topic

Next topic

Project Source

This Page

Quick search