keystone.token.providers package


keystone.token.providers.base module

class keystone.token.providers.base.Provider

Bases: object

Interface description for a Token provider.


Return the version of the given token data.

If the given token data is unrecognizable, UnsupportedTokenVersionException is raised.

Parameters: token_data (dict) – token_data
Returns: token version string
Raises: keystone.exception.UnsupportedTokenVersionException – If the token version is not expected.

issue_token(user_id, method_names, expires_at=None, project_id=None, domain_id=None, auth_context=None, trust=None, include_catalog=True, parent_audit_id=None)

Issue a V3 Token.

Parameters:

  • user_id (string) – identity of the user
  • method_names (list) – names of authentication methods
  • expires_at (string) – optional time the token will expire
  • project_id (string) – optional project identity
  • domain_id (string) – optional domain identity
  • auth_context (dict) – optional context from the authorization plugins
  • trust (dict) – optional trust reference
  • include_catalog (boolean) – optional, include the catalog in token data
  • parent_audit_id (string) – optional, the audit id of the parent token

Returns: (token_id, token_data)


Determine if the token should be persisted.

If the token provider requires that the token be persisted to a backend this should return True, otherwise return False.


Validate the given V3 token and return the token_data.

Parameters: token_ref (dict) – the token reference
Returns: token data
Raises: keystone.exception.TokenNotFound – If the token doesn’t exist.

keystone.token.providers.common module

class keystone.token.providers.common.BaseProvider(*args, **kwargs)

Bases: keystone.token.providers.base.Provider

issue_token(user_id, method_names, expires_at=None, project_id=None, domain_id=None, auth_context=None, trust=None, include_catalog=True, parent_audit_id=None)

class keystone.token.providers.common.V3TokenDataHelper(*args, **kwargs)

Bases: object

Token data helper.

get_token_data(user_id, method_names, domain_id=None, project_id=None, expires=None, trust=None, token=None, include_catalog=True, bind=None, access_token=None, issued_at=None, audit_info=None)

populate_roles_for_federated_user(token_data, group_ids, project_id=None, domain_id=None, user_id=None)

Populate roles based on the provided groups and project/domain.

Used for federated users with dynamically assigned groups. This method does not return anything; it modifies token_data in place.

Parameters:

  • token_data – a dictionary used for building token response
  • group_ids – list of group IDs a user is a member of
  • project_id – project ID to scope to
  • domain_id – domain ID to scope to
  • user_id – user ID

Raises: keystone.exception.Unauthorized – when no roles were found


Build the audit data for a token.

If parent_audit_id is None, the list will be one element in length containing a newly generated audit_id.

If parent_audit_id is supplied, the list will be two elements in length containing a newly generated audit_id and the parent_audit_id. The parent_audit_id will always be element index 1 in the resulting list.

Parameters: parent_audit_id (str) – the audit of the original token in the chain
Returns: Keystone token audit data
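
The audit-data rule described above, as an added example that is not Keystone's own code: it builds the one- or two-element list and then uses the shared parent id to find every token derived from the same original, which is what an operator needs when auditing or revoking a whole chain. The function bodies, the `chain_id`, `tokens_in_chain` and `build_sample_records` helpers, the token names, and the rule that a rescope passes the presented token's chain id forward are all assumptions made for illustration.

```python
import base64
import uuid


def random_urlsafe_str():
    """Assumed stand-in: 16 random bytes as unpadded URL-safe base64 (22 chars)."""
    return base64.urlsafe_b64encode(uuid.uuid4().bytes).rstrip(b"=").decode("ascii")


def build_audit_info(parent_audit_id=None):
    """Return [new_id], or [new_id, parent_audit_id] with the parent at index 1."""
    audit_id = random_urlsafe_str()
    if parent_audit_id is not None:
        return [audit_id, parent_audit_id]
    return [audit_id]


def chain_id(audit_ids):
    """Last element names the chain: the parent if present, else the token's own id."""
    return audit_ids[-1]


def tokens_in_chain(token_records, known_audit_ids):
    """List every token id whose audit data shares a chain with known_audit_ids."""
    target = chain_id(known_audit_ids)
    return [tid for tid, ids in token_records.items() if chain_id(ids) == target]


def build_sample_records():
    """Constructed sample: one original token, two rescoped from it, one unrelated."""
    original = build_audit_info()
    # Assumption: a rescope passes the chain id of the presented token as the parent.
    rescoped_a = build_audit_info(parent_audit_id=chain_id(original))
    rescoped_b = build_audit_info(parent_audit_id=chain_id(rescoped_a))
    return {
        "tok-original": original,
        "tok-rescoped-a": rescoped_a,
        "tok-rescoped-b": rescoped_b,
        "tok-unrelated": build_audit_info(),
    }


if __name__ == "__main__":
    records = build_sample_records()
    for token_id in tokens_in_chain(records, records["tok-rescoped-b"]):
        print(token_id, records[token_id])
```
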

Determine when a fresh token should expire.

Expiration time varies based on configuration (see [token] expiration).

Returns: a naive UTC datetime.datetime object

Generate a random URL-safe string.

Return type: six.text_type

keystone.token.providers.uuid module

Keystone UUID Token Provider.

class keystone.token.providers.uuid.Provider(*args, **kwargs)

Bases: keystone.token.providers.common.BaseProvider


Should the token be written to a backend.

Module contents
