keystone.federation package

keystone.federation package

Submodules

keystone.federation.constants module

keystone.federation.controllers module

Workflow logic for the Federation service.

class keystone.federation.controllers.Auth(*args, **kw)[source]

Bases: keystone.auth.controllers.Auth

create_ecp_assertion(request, auth)[source]

Exchange a scoped token for an ECP assertion.

Parameters:auth – Dictionary that contains a token and service provider ID
Returns:ECP Assertion based on properties from the token
create_saml_assertion(request, auth)[source]

Exchange a scoped token for a SAML assertion.

Parameters:auth – Dictionary that contains a token and service provider ID
Returns:SAML Assertion based on properties from the token
federated_authentication(request, idp_id, protocol_id)[source]

Authenticate from dedicated url endpoint.

Build HTTP request body for federated authentication and inject it into the authenticate_for_token function.

federated_idp_specific_sso_auth(request, idp_id, protocol_id)[source]
federated_sso_auth(request, protocol_id)[source]
render_html_response(host, token_id)[source]

Form an HTML Form from a template with autosubmit.

class keystone.federation.controllers.DomainV3[source]

Bases: keystone.common.controller.V3Controller

collection_name = 'domains'
list_domains_for_user(*args, **kwargs)[source]

List all domains available to an authenticated user.

Parameters:context – request context
Returns:list of accessible domains
member_name = 'domain'
class keystone.federation.controllers.FederationProtocol[source]

Bases: keystone.federation.controllers._ControllerBase

A federation protocol representation.

See keystone.common.controller.V3Controller docstring for explanation on _public_parameters class attributes.

collection_name = 'protocols'
create_protocol(request, *args, **kwargs)[source]
delete_protocol(request, *args, **kwargs)[source]
get_protocol(request, *args, **kwargs)[source]
list_protocols(request, *args, **kwargs)[source]
member_name = 'protocol'
update_protocol(request, *args, **kwargs)[source]
classmethod wrap_member(context, ref)[source]
class keystone.federation.controllers.IdentityProvider[source]

Bases: keystone.federation.controllers._ControllerBase

Identity Provider representation.

collection_name = 'identity_providers'
create_identity_provider(request, *args, **kwargs)[source]
delete_identity_provider(request, *args, **kwargs)[source]
get_identity_provider(request, *args, **kwargs)[source]
list_identity_providers(request, **kwargs)[source]
member_name = 'identity_provider'
update_identity_provider(request, *args, **kwargs)[source]
classmethod wrap_member(context, ref)[source]
class keystone.federation.controllers.MappingController[source]

Bases: keystone.federation.controllers._ControllerBase

collection_name = 'mappings'
create_mapping(request, *args, **kwargs)[source]
delete_mapping(request, *args, **kwargs)[source]
get_mapping(request, *args, **kwargs)[source]
list_mappings(request, *args, **kwargs)[source]
member_name = 'mapping'
update_mapping(request, *args, **kwargs)[source]
class keystone.federation.controllers.ProjectAssignmentV3[source]

Bases: keystone.common.controller.V3Controller

collection_name = 'projects'
list_projects_for_user(*args, **kwargs)[source]

List all projects available to an authenticated user.

Parameters:context – request context
Returns:list of accessible projects
member_name = 'project'
class keystone.federation.controllers.SAMLMetadataV3[source]

Bases: keystone.federation.controllers._ControllerBase

get_metadata(context)[source]
member_name = 'metadata'
class keystone.federation.controllers.ServiceProvider[source]

Bases: keystone.federation.controllers._ControllerBase

Service Provider representation.

collection_name = 'service_providers'
create_service_provider(request, *args, **kwargs)[source]
delete_service_provider(request, *args, **kwargs)[source]
get_service_provider(request, *args, **kwargs)[source]
list_service_providers(request, **kwargs)[source]
member_name = 'service_provider'
update_service_provider(request, *args, **kwargs)[source]

keystone.federation.core module

Main entry point into the Federation service.

class keystone.federation.core.Manager[source]

Bases: keystone.common.manager.Manager

Default pivot point for the Federation backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

create_idp(*args, **kwargs)[source]
create_protocol(*args, **kwargs)[source]
create_sp(*args, **kwargs)[source]
delete_idp(*args, **kwargs)[source]
delete_sp(*args, **kwargs)[source]
driver_namespace = 'keystone.federation'
evaluate(*args, **kwargs)[source]
get_enabled_service_providers(*args, **kwargs)[source]

List enabled service providers for Service Catalog.

Service Provider in a catalog contains three attributes: id, auth_url, sp_url, where:

  • id is a unique, user defined identifier for service provider object
  • auth_url is an authentication URL of remote Keystone
  • sp_url a URL accessible at the remote service provider where SAML assertion is transmitted.
Returns:list of dictionaries with enabled service providers
Return type:list of dicts
update_protocol(*args, **kwargs)[source]
update_sp(*args, **kwargs)[source]

keystone.federation.idp module

class keystone.federation.idp.ECPGenerator[source]

Bases: object

A class for generating an ECP assertion.

static generate_ecp(saml_assertion, relay_state_prefix)[source]
class keystone.federation.idp.MetadataGenerator[source]

Bases: object

A class for generating SAML IdP Metadata.

generate_metadata()[source]

Generate Identity Provider Metadata.

Generate and format metadata into XML that can be exposed and consumed by a federated Service Provider.

Returns:XML <EntityDescriptor> object.
Raises:keystone.exception.ValidationError – If the required config options aren’t set.
class keystone.federation.idp.SAMLGenerator[source]

Bases: object

A class to generate SAML assertions.

samlize_token(issuer, recipient, user, user_domain_name, roles, project, project_domain_name, expires_in=None)[source]

Convert Keystone attributes to a SAML assertion.

Parameters:
  • issuer (string) – URL of the issuing party
  • recipient (string) – URL of the recipient
  • user (string) – User name
  • user_domain_name (string) – User Domain name
  • roles (list) – List of role names
  • project (string) – Project name
  • project_domain_name (string) – Project Domain name
  • expires_in (int) – Sets how long the assertion is valid for, in seconds
Returns:

XML <Response> object

keystone.federation.routers module

class keystone.federation.routers.Routers[source]

Bases: keystone.common.wsgi.RoutersBase

API Endpoints for the Federation extension.

The API looks like:

PUT /OS-FEDERATION/identity_providers/{idp_id}
GET /OS-FEDERATION/identity_providers
HEAD /OS-FEDERATION/identity_providers
GET /OS-FEDERATION/identity_providers/{idp_id}
HEAD /OS-FEDERATION/identity_providers/{idp_id}
DELETE /OS-FEDERATION/identity_providers/{idp_id}
PATCH /OS-FEDERATION/identity_providers/{idp_id}

PUT /OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}
GET /OS-FEDERATION/identity_providers/
    {idp_id}/protocols
HEAD /OS-FEDERATION/identity_providers/
    {idp_id}/protocols
GET /OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}
HEAD /OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}
PATCH /OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}
DELETE /OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}

PUT /OS-FEDERATION/mappings
GET /OS-FEDERATION/mappings
HEAD /OS-FEDERATION/mappings
PATCH /OS-FEDERATION/mappings/{mapping_id}
GET /OS-FEDERATION/mappings/{mapping_id}
HEAD /OS-FEDERATION/mappings/{mapping_id}
DELETE /OS-FEDERATION/mappings/{mapping_id}

GET /OS-FEDERATION/projects
HEAD /OS-FEDERATION/projects
GET /OS-FEDERATION/domains
HEAD /OS-FEDERATION/domains

PUT /OS-FEDERATION/service_providers/{sp_id}
GET /OS-FEDERATION/service_providers
HEAD /OS-FEDERATION/service_providers
GET /OS-FEDERATION/service_providers/{sp_id}
HEAD /OS-FEDERATION/service_providers/{sp_id}
DELETE /OS-FEDERATION/service_providers/{sp_id}
PATCH /OS-FEDERATION/service_providers/{sp_id}

GET /OS-FEDERATION/identity_providers/{idp_id}/
    protocols/{protocol_id}/auth
POST /OS-FEDERATION/identity_providers/{idp_id}/
    protocols/{protocol_id}/auth
GET /auth/OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}/websso
    ?origin=https%3A//horizon.example.com
POST /auth/OS-FEDERATION/identity_providers/
    {idp_id}/protocols/{protocol_id}/websso
    ?origin=https%3A//horizon.example.com


POST /auth/OS-FEDERATION/saml2
POST /auth/OS-FEDERATION/saml2/ecp
GET /OS-FEDERATION/saml2/metadata
HEAD /OS-FEDERATION/saml2/metadata

GET /auth/OS-FEDERATION/websso/{protocol_id}
    ?origin=https%3A//horizon.example.com

POST /auth/OS-FEDERATION/websso/{protocol_id}
     ?origin=https%3A//horizon.example.com
append_v3_routers(mapper, routers)[source]

keystone.federation.schema module

keystone.federation.utils module

Utilities for Federation Extension.

class keystone.federation.utils.DirectMaps[source]

Bases: object

An abstraction around the remote matches.

Each match is treated internally as a list.

add(values)[source]

Add a matched value to the list of matches.

Parameters:value (list) – the match to save
class keystone.federation.utils.RuleProcessor(mapping_id, rules)[source]

Bases: object

A class to process assertions and mapping rules.

process(assertion_data)[source]

Transform assertion to a dictionary.

The dictionary contains mapping of user name and group ids based on mapping rules.

This function will iterate through the mapping rules to find assertions that are valid.

Parameters:assertion_data (dict) – an assertion containing values from an IdP

Example assertion_data:

{
    'Email': 'testacct@example.com',
    'UserName': 'testacct',
    'FirstName': 'Test',
    'LastName': 'Account',
    'orgPersonType': 'Tester'
}
Returns:dictionary with user and group_ids

The expected return structure is:

{
    'name': 'foobar',
    'group_ids': ['abc123', 'def456'],
    'group_names': [
        {
            'name': 'group_name_1',
            'domain': {
                'name': 'domain1'
            }
        },
        {
            'name': 'group_name_1_1',
            'domain': {
                'name': 'domain1'
            }
        },
        {
            'name': 'group_name_2',
            'domain': {
                'id': 'xyz132'
            }
        }
    ]
}
class keystone.federation.utils.UserType[source]

Bases: object

User mapping type.

EPHEMERAL = 'ephemeral'
LOCAL = 'local'
keystone.federation.utils.assert_enabled_identity_provider(federation_api, idp_id)[source]
keystone.federation.utils.assert_enabled_service_provider_object(service_provider)[source]
keystone.federation.utils.get_assertion_params_from_env(request)[source]
keystone.federation.utils.get_remote_id_parameter(protocol)[source]
keystone.federation.utils.transform_to_group_ids(group_names, mapping_id, identity_api, resource_api)[source]

Transform groups identified by name/domain to their ids.

Function accepts list of groups identified by a name and domain giving a list of group ids in return.

Example of group_names parameter:

[
    {
        "name": "group_name",
        "domain": {
            "id": "domain_id"
        },
    },
    {
        "name": "group_name_2",
        "domain": {
            "name": "domain_name"
        }
    }
]
Parameters:
  • group_names (list) – list of group identified by name and its domain.
  • mapping_id (str) – id of the mapping used for mapping assertion into local credentials
  • identity_api – identity_api object
  • resource_api – resource manager object
Returns:

generator object with group ids

Raises:

keystone.exception.MappedGroupNotFound – in case asked group doesn’t exist in the backend.

keystone.federation.utils.validate_expiration(token_ref)[source]
keystone.federation.utils.validate_idp(idp, protocol, assertion)[source]

The IdP providing the assertion should be registered for the mapping.

keystone.federation.utils.validate_mapped_group_ids(group_ids, mapping_id, identity_api)[source]

Iterate over group ids and make sure they are present in the backend.

This call is not transactional. :param group_ids: IDs of the groups to be checked :type group_ids: list of str

Parameters:
  • mapping_id (str) – id of the mapping used for this operation
  • identity_api (identity.Manager) – Identity Manager object used for communication with backend
Raises:

keystone.exception.MappedGroupNotFound – If the group returned by mapping was not found in the backend.

keystone.federation.utils.validate_mapping_structure(ref)[source]

Module contents

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.