keystoneauth1.identity.v3.k2k module
- class keystoneauth1.identity.v3.k2k.Keystone2Keystone(base_plugin: BaseIdentityPlugin, service_provider: str, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
Bases: _Rescoped
Plugin to execute the Keystone to Keystone authentication flow.
In this plugin, an ECP wrapped SAML assertion provided by a keystone Identity Provider (IdP) is used to request an OpenStack unscoped token from a keystone Service Provider (SP).
- Parameters:
base_plugin (keystoneauth1.identity.v3.base.BaseAuth) – Auth plugin already authenticated against the keystone IdP.
service_provider (str) – The Service Provider ID as returned by ServiceProviderManager.list()
- HTTP_MOVED_TEMPORARILY = 302
- HTTP_SEE_OTHER = 303
- REQUEST_ECP_URL = '/auth/OS-FEDERATION/saml2/ecp'
Path where the ECP wrapped SAML assertion should be presented to the Keystone Service Provider.
- __abstractmethods__ = frozenset({})
- __annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'ty.Dict[str, discover.Discover]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'reauthenticate': 'bool'}
- __init__(base_plugin: BaseIdentityPlugin, service_provider: str, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
- __module__ = 'keystoneauth1.identity.v3.k2k'
- _abc_impl = <_abc._abc_data object>
- _discovery_cache: ty.Dict[str, discover.Discover]
- _get_ecp_assertion(session: Session) → str
- classmethod _remote_auth_url(auth_url: str) → str
Return auth_url of the remote Keystone Service Provider.
The remote cloud’s auth_url is an endpoint for getting a federated unscoped token; typically that would be https://remote.example.com:5000/v3/OS-FEDERATION/identity_providers/<idp>/protocols/<protocol_id>/auth. However, we need to generate a real auth_url, used for token scoping. This function assumes there are static values today in the remote auth_url stored in the Service Provider attribute and that those can be used as a delimiter. If the sp_auth_url doesn’t comply with the standard federation auth URL, the function will simply return the whole string.
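The derivation described above, together with a check for the silent fallback, as an added example that is not keystoneauth1's own code. It assumes the static delimiter is the `/OS-FEDERATION/` path segment visible in the example URL; `inspect_sp_auth_url`, `nonstandard_sps` and the sample Service Provider records are hypothetical and constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Assumption: the static delimiter is the path segment seen in the example URL.
FEDERATION_MARKER = "/OS-FEDERATION/"

# Shape of the path that follows the marker in a standard federated auth URL.
_FED_TAIL = re.compile(
    r"^identity_providers/(?P<idp>[^/]+)/protocols/(?P<protocol>[^/]+)/auth/?$"
)


class SpAuthUrl(NamedTuple):
    auth_url: str               # URL that would be used for token scoping
    delimiter_found: bool       # False means the whole string was returned
    standard: bool              # True only for the full standard URL shape
    idp_id: Optional[str]
    protocol_id: Optional[str]


def inspect_sp_auth_url(sp_auth_url: str) -> SpAuthUrl:
    """Derive the scoping auth_url and report how the input was interpreted."""
    # partition() yields the whole input as `head` when the marker is absent,
    # which mirrors the documented fallback.
    head, marker, tail = sp_auth_url.partition(FEDERATION_MARKER)
    match = _FED_TAIL.match(tail) if marker else None
    return SpAuthUrl(
        auth_url=head,
        delimiter_found=bool(marker),
        standard=match is not None,
        idp_id=match.group("idp") if match else None,
        protocol_id=match.group("protocol") if match else None,
    )


def nonstandard_sps(records: List[Tuple[str, str]]) -> List[str]:
    """Return the IDs of Service Providers whose auth_url is not standard."""
    return [sp_id for sp_id, url in records
            if not inspect_sp_auth_url(url).standard]


# Constructed sample records: (service provider ID, auth_url attribute).
SAMPLE_SPS = [
    ("sp-a", "https://a.example.com:5000/v3/OS-FEDERATION/"
             "identity_providers/idp1/protocols/saml2/auth"),
    ("sp-b", "https://b.example.com:5000/v3/auth/tokens"),
    ("sp-c", "https://c.example.com/v3/OS-FEDERATION/identity_providers/idp1/auth"),
]
```

Running `nonstandard_sps` over the registered Service Providers before relying on K2K surfaces entries where token scoping would be sent to an unintended URL.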
- _send_service_provider_ecp_authn_response(session: Session, sp_url: str, sp_auth_url: str) → Response
Present ECP wrapped SAML assertion to the keystone SP.
The assertion is issued by the keystone IdP and it is targeted to the keystone that will serve as Service Provider.
- Parameters:
session – a session object to send out HTTP requests.
sp_url (str) – URL where the ECP wrapped SAML assertion will be presented to the keystone SP. Usually, something like: https://sp.com/Shibboleth.sso/SAML2/ECP
sp_auth_url (str) – Federated authentication URL of the keystone SP. It is specified by the IdP, for example: https://sp.com/v3/OS-FEDERATION/identity_providers/idp_id/protocols/protocol_id/auth
- auth_ref: ty.Optional[access.AccessInfo]
- auth_url: str
- get_unscoped_auth_ref(session: Session, **kwargs: Any) → AccessInfoV3
Fetch unscoped federated token.
- reauthenticate: bool