keystone.auth.plugins.mapped module

keystone.auth.plugins.mapped module

class keystone.auth.plugins.mapped.Mapped[source]

Bases: keystone.auth.plugins.base.AuthMethodHandler

authenticate(request, auth_payload)[source]

Authenticate mapped user and set an authentication context.

  • request – keystone’s request context
  • auth_payload – the content of the authentication for a given method

In addition to user_id in response_data, this plugin sets group_ids, OS-FEDERATION:identity_provider and OS-FEDERATION:protocol

keystone.auth.plugins.mapped.apply_mapping_filter(identity_provider, protocol, assertion, resource_api, federation_api, identity_api)[source]
keystone.auth.plugins.mapped.get_user_unique_id_and_display_name(request, mapped_properties)[source]

Setup federated username.

Function covers all the cases for properly setting user id, a primary identifier for identity objects. Initial version of the mapping engine assumed user is identified by name and his id is built from the name. We, however need to be able to accept local rules that identify user by either id or name/domain.

The following use-cases are covered:

  1. If neither user_name nor user_id is set raise exception.Unauthorized
  2. If user_id is set and user_name not, set user_name equal to user_id
  3. If user_id is not set and user_name is, set user_id as url safe version of user_name.
  • request – current request object
  • mapped_properties – Properties issued by a RuleProcessor.



keystone.exception.Unauthorized – If neither user_name nor user_id is set.


tuple with user identification

Return type:


keystone.auth.plugins.mapped.handle_scoped_token(request, token, federation_api, identity_api)[source]
keystone.auth.plugins.mapped.handle_unscoped_token(request, auth_payload, resource_api, federation_api, identity_api, assignment_api, role_api)[source]
Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.