keystone.auth.plugins package¶

Submodules¶

keystone.auth.plugins.application_credential module¶

class keystone.auth.plugins.application_credential.ApplicationCredential[source]¶

Bases: keystone.auth.plugins.base.AuthMethodHandler

authenticate(request, auth_payload)[source]¶

Authenticate an application.

keystone.auth.plugins.base module¶

class keystone.auth.plugins.base.AuthHandlerResponse(status, response_body, response_data)¶

Bases: tuple

response_body¶

Alias for field number 1

response_data¶

Alias for field number 2

status¶

Alias for field number 0

class keystone.auth.plugins.base.AuthMethodHandler[source]¶

Bases: keystone.common.provider_api.ProviderAPIMixin, object

Abstract base class for an authentication plugin.

authenticate(request, auth_payload)[source]¶

Authenticate user and return an authentication context.

Parameters:	request (common.request.Request) – context of an authentication request auth_payload (dict) – the payload content of the authentication request for a given method

If successful, plugin must set user_id in response_data. method_name is used to convey any additional authentication methods in case authentication is for re-scoping. For example, if the authentication is for re-scoping, plugin must append the previous method names into method_names; NOTE: This behavior is exclusive to the re-scope type action. Also, plugin may add any additional information into extras. Anything in extras will be conveyed in the token’s extras attribute. Here’s an example of response_data on successful authentication:

{
    "extras": {},
    "methods": [
        "password",
        "token"
    ],
    "user_id": "abc123"
}

Plugins are invoked in the order in which they are specified in the methods attribute of the identity object. For example, custom-plugin is invoked before password, which is invoked before token in the following authentication request:

{
    "auth": {
        "identity": {
            "custom-plugin": {
                "custom-data": "sdfdfsfsfsdfsf"
            },
            "methods": [
                "custom-plugin",
                "password",
                "token"
            ],
            "password": {
                "user": {
                    "id": "s23sfad1",
                    "password": "secret"
                }
            },
            "token": {
                "id": "sdfafasdfsfasfasdfds"
            }
        }
    }
}

Returns:	AuthHandlerResponse with status set to True if auth was successful. If status is False and this is a multi-step auth, the response_body can be in a form of a dict for the next step in authentication.
Raises:	keystone.exception.Unauthorized – for authentication failure

keystone.auth.plugins.core module¶

class keystone.auth.plugins.core.AppCredInfo[source]¶

Bases: keystone.auth.plugins.core.BaseUserInfo

class keystone.auth.plugins.core.BaseUserInfo[source]¶

Bases: keystone.common.provider_api.ProviderAPIMixin, object

classmethod create(auth_payload, method_name)[source]¶

class keystone.auth.plugins.core.TOTPUserInfo[source]¶

Bases: keystone.auth.plugins.core.BaseUserInfo

class keystone.auth.plugins.core.UserAuthInfo[source]¶

Bases: keystone.auth.plugins.core.BaseUserInfo

keystone.auth.plugins.core.construct_method_map_from_config()[source]¶

Determine authentication method types for deployment.

Returns:	a dictionary containing the methods and their indexes

keystone.auth.plugins.core.convert_integer_to_method_list(method_int)[source]¶

Convert an integer to a list of methods.

Parameters:	method_int – an integer representing methods
Returns:	a corresponding list of methods

keystone.auth.plugins.core.convert_method_list_to_integer(methods)[source]¶

Convert the method type(s) to an integer.

Parameters:	methods – a list of method names
Returns:	an integer representing the methods

keystone.auth.plugins.external module¶

Keystone External Authentication Plugins.

class keystone.auth.plugins.external.Base[source]¶

Bases: keystone.auth.plugins.base.AuthMethodHandler

authenticate(request, auth_payload)[source]¶

Use REMOTE_USER to look up the user in the identity backend.

The user_id from the actual user from the REMOTE_USER env variable is placed in the response_data.

class keystone.auth.plugins.external.DefaultDomain[source]¶

Bases: keystone.auth.plugins.external.Base

class keystone.auth.plugins.external.Domain[source]¶

Bases: keystone.auth.plugins.external.Base

class keystone.auth.plugins.external.KerberosDomain[source]¶

Bases: keystone.auth.plugins.external.Domain

Allows kerberos as a method.

keystone.auth.plugins.mapped module¶

class keystone.auth.plugins.mapped.Mapped[source]¶

Bases: keystone.auth.plugins.base.AuthMethodHandler

authenticate(request, auth_payload)[source]¶

Authenticate mapped user and set an authentication context.

Parameters:	request – keystone’s request context auth_payload – the content of the authentication for a given method

In addition to user_id in response_data, this plugin sets group_ids, OS-FEDERATION:identity_provider and OS-FEDERATION:protocol

keystone.auth.plugins.mapped.apply_mapping_filter(identity_provider, protocol, assertion, resource_api, federation_api, identity_api)[source]¶

keystone.auth.plugins.mapped.extract_assertion_data(request)[source]¶

keystone.auth.plugins.mapped.get_user_unique_id_and_display_name(request, mapped_properties)[source]¶

Setup federated username.

Function covers all the cases for properly setting user id, a primary identifier for identity objects. Initial version of the mapping engine assumed user is identified by name and his id is built from the name. We, however need to be able to accept local rules that identify user by either id or name/domain.

The following use-cases are covered:

1. If neither user_name nor user_id is set raise exception.Unauthorized
2. If user_id is set and user_name not, set user_name equal to user_id
3. If user_id is not set and user_name is, set user_id as url safe version of user_name.

Parameters:	request – current request object mapped_properties – Properties issued by a RuleProcessor.
Type:	dictionary
Raises:	keystone.exception.Unauthorized – If neither user_name nor user_id is set.
Returns:	tuple with user identification
Return type:	tuple

keystone.auth.plugins.mapped.handle_scoped_token(request, token_ref, federation_api, identity_api)[source]¶

keystone.auth.plugins.mapped.handle_unscoped_token(request, auth_payload, resource_api, federation_api, identity_api, assignment_api, role_api)[source]¶

keystone.auth.plugins.oauth1 module¶

class keystone.auth.plugins.oauth1.OAuth[source]¶

Bases: keystone.auth.plugins.base.AuthMethodHandler

authenticate(request, auth_payload)[source]¶

Turn a signed request with an access key into a keystone token.

keystone.auth.plugins.password module¶

class keystone.auth.plugins.password.Password[source]¶

Bases: keystone.auth.plugins.base.AuthMethodHandler

authenticate(request, auth_payload)[source]¶

Try to authenticate against the identity backend.

keystone.auth.plugins.token module¶

class keystone.auth.plugins.token.Token[source]¶

Bases: keystone.auth.plugins.base.AuthMethodHandler

authenticate(request, auth_payload)[source]¶

keystone.auth.plugins.token.token_authenticate(request, token_ref)[source]¶

keystone.auth.plugins.totp module¶

Time-based One-time Password Algorithm (TOTP) auth plugin.

TOTP is an algorithm that computes a one-time password from a shared secret key and the current time.

TOTP is an implementation of a hash-based message authentication code (HMAC). It combines a secret key with the current timestamp using a cryptographic hash function to generate a one-time password. The timestamp typically increases in 30-second intervals, so passwords generated close together in time from the same secret key will be equal.

class keystone.auth.plugins.totp.TOTP[source]¶

Bases: keystone.auth.plugins.base.AuthMethodHandler

authenticate(request, auth_payload)[source]¶

Try to authenticate using TOTP.

Module contents¶