keystone.auth package¶

Subpackages¶

Submodules¶

keystone.auth.controllers module¶

class keystone.auth.controllers.Auth(*args, **kw)[source]¶

Bases: keystone.common.controller.V3Controller

authenticate(request, auth_info, auth_context)[source]¶

Authenticate user.

authenticate_for_token(request, auth=None)[source]¶

Authenticate user and issue a token.

check_token(request, *args, **kwargs)[source]¶

collection_name = 'tokens'¶

get_auth_catalog(request, *args, **kwargs)[source]¶

get_auth_domains(request, *args, **kwargs)[source]¶

get_auth_projects(request, *args, **kwargs)[source]¶

member_name = 'token'¶

revocation_list(request, *args, **kwargs)[source]¶

revoke_token(request, *args, **kwargs)[source]¶

validate_token(request, *args, **kwargs)[source]¶

keystone.auth.controllers.render_token_data_response(token_id, token_data, created=False)[source]¶

Render token data HTTP response.

Stash token ID into the X-Subject-Token header.

keystone.auth.controllers.validate_issue_token_auth(auth=None)[source]¶

keystone.auth.core module¶

class keystone.auth.core.AuthContext[source]¶

Bases: dict

Retrofitting auth_context to reconcile identity attributes.

The identity attributes must not have conflicting values among the auth plug-ins. The only exception is expires_at, which is set to its earliest value.

IDENTITY_ATTRIBUTES = frozenset(['access_token_id', 'project_id', 'user_id', 'domain_id', 'expires_at'])¶

update(E=None, **F)[source]¶

Override update to prevent conflicting values.

class keystone.auth.core.AuthInfo(*args, **kwargs)[source]¶

Bases: object

Encapsulation of “auth” request.

static create(auth=None, scope_only=False)[source]¶

get_method_data(method)[source]¶

Get the auth method payload.

Returns:	auth method payload

get_method_names()[source]¶

Return the identity method names.

Returns:	list of auth method names

get_scope()[source]¶

Get scope information.

Verify and return the scoping information.

Returns:	(domain_id, project_id, trust_ref, unscoped). If scope to a project, (None, project_id, None, None) will be returned. If scoped to a domain, (domain_id, None, None, None) will be returned. If scoped to a trust, (None, project_id, trust_ref, None), Will be returned, where the project_id comes from the trust definition. If unscoped, (None, None, None, ‘unscoped’) will be returned.

set_scope(domain_id=None, project_id=None, trust=None, unscoped=None)[source]¶

Set scope information.

class keystone.auth.core.UserMFARulesValidator(*args, **kwargs)[source]¶

Bases: object

Helper object that can validate the MFA Rules.

check_auth_methods_against_rules(user_id, auth_methods)[source]¶

Validate the MFA rules against the successful auth methods.

Parameters:	user_id (str) – The user’s ID (uuid). auth_methods (set) – List of methods that were used for auth
Returns:	Boolean, True means rules match and auth may proceed, False means rules do not match.

keystone.auth.core.get_auth_method(method_name)[source]¶

keystone.auth.core.load_auth_method(method)[source]¶

keystone.auth.core.load_auth_methods()[source]¶

keystone.auth.routers module¶

class keystone.auth.routers.Routers[source]¶

Bases: keystone.common.wsgi.RoutersBase

append_v3_routers(mapper, routers)[source]¶

keystone.auth.schema module¶

Module contents¶