libcloud.common.openstack_identity module

Common / shared code for handling authentication against OpenStack identity service (Keystone).

class libcloud.common.openstack_identity.OpenStackAuthenticationCache[source]

Bases: object

Base class for external OpenStack authentication caches.

Authentication tokens are always cached in memory in OpenStackIdentityConnection.auth_token and related fields. These tokens are lost when the driver is garbage collected. To share tokens among multiple drivers, processes, or systems, use an OpenStackAuthenticationCache in OpenStackIdentityConnection.auth_cache.

Cache implementors should inherit this class and define the methods below.

clear(key)[source]

Clear an authentication context from the cache.

Parameters:

key (OpenStackAuthenticationCacheKey) – Key to clear.

get(key)[source]

Get an authentication context from the cache.

Parameters:

key (OpenStackAuthenticationCacheKey) – Key to fetch.

Returns:

The cached context for the given key, if present; None if not.

Return type:

OpenStackAuthenticationContext

put(key, context)[source]

Put an authentication context into the cache.

Parameters:
class libcloud.common.openstack_identity.OpenStackAuthenticationCacheKey(auth_url, user_id, token_scope, tenant_name, domain_name, tenant_domain_id)

Bases: tuple

Create new instance of OpenStackAuthenticationCacheKey(auth_url, user_id, token_scope, tenant_name, domain_name, tenant_domain_id)

auth_url

Alias for field number 0

domain_name

Alias for field number 4

tenant_domain_id

Alias for field number 5

tenant_name

Alias for field number 3

token_scope

Alias for field number 2

user_id

Alias for field number 1

class libcloud.common.openstack_identity.OpenStackAuthenticationContext(token, expiration=None, user=None, roles=None, urls=None)[source]

Bases: object

An authentication token and related context.
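A minimal cache following the OpenStackAuthenticationCache interface described above, as an added example that is not part of libcloud. InMemoryAuthCache and its grace_seconds parameter are hypothetical names, and the example assumes that expiration is None or a timezone-aware datetime. The stand-in classes in the except branch only mirror the signatures documented on this page so the block also runs where libcloud is not installed.

```python
import datetime
import threading
from collections import namedtuple

try:
    from libcloud.common.openstack_identity import OpenStackAuthenticationCache
    from libcloud.common.openstack_identity import OpenStackAuthenticationCacheKey
    from libcloud.common.openstack_identity import OpenStackAuthenticationContext
except ImportError:  # stand-ins with the signatures documented on this page
    OpenStackAuthenticationCacheKey = namedtuple(
        "OpenStackAuthenticationCacheKey",
        "auth_url user_id token_scope tenant_name domain_name tenant_domain_id",
    )

    class OpenStackAuthenticationCache:
        pass

    class OpenStackAuthenticationContext:
        def __init__(self, token, expiration=None, user=None, roles=None, urls=None):
            self.token, self.expiration = token, expiration
            self.user, self.roles, self.urls = user, roles, urls


class InMemoryAuthCache(OpenStackAuthenticationCache):
    """Hypothetical thread-safe cache shared by the drivers of one process."""

    def __init__(self, grace_seconds=5):
        self._lock = threading.Lock()
        self._entries = {}
        self._grace = datetime.timedelta(seconds=grace_seconds)

    def get(self, key):
        now = datetime.datetime.now(datetime.timezone.utc)
        with self._lock:
            context = self._entries.get(key)
            # Assumption: expiration is None or a timezone-aware datetime.
            if context is not None and context.expiration is not None:
                if context.expiration - self._grace <= now:
                    del self._entries[key]  # never hand out a stale token
                    return None
            return context

    def put(self, key, context):
        with self._lock:
            self._entries[key] = context

    def clear(self, key):
        with self._lock:
            self._entries.pop(key, None)
```

Pass one instance as auth_cache to each connection that should share tokens. Because the entries are bearer tokens, this cache keeps them in process memory only; a cache shared across processes or systems needs its own access control on the backing store.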

class libcloud.common.openstack_identity.OpenStackIdentityConnection(auth_url, user_id, key, tenant_name=None, tenant_domain_id='default', domain_name='Default', token_scope='project', timeout=None, proxy_url=None, parent_conn=None, auth_cache=None)[source]

Bases: ConnectionUserAndKey

Base identity connection class which contains common / shared logic.

Note: This class shouldn’t be instantiated directly.

Initialize user_id and key; set secure to an int based on passed value.

add_default_headers(headers)[source]

Adds default headers (such as Authorization, X-Foo-Bar) to the passed headers.

Should return a dictionary.

auth_version: str = None
authenticate(force=False)[source]

Authenticate against the identity API.

Parameters:

force (bool) – Forcefully update the token even if it’s already cached and still valid.

authenticated_request(action, params=None, data=None, headers=None, method='GET', raw=False)[source]

Perform an authenticated request against the identity API.

clear_cached_auth_context()[source]

Clear the cached authentication context.

The context is cleared from fields on this connection and from the external cache, if one is configured.

is_token_valid()[source]

Return True if the current auth token is already cached and hasn’t expired yet.

Returns:

True if the token is still valid, False otherwise.

Return type:

bool

list_supported_versions()[source]

Retrieve a list of all the identity versions which are supported by this installation.

Return type:

list of OpenStackIdentityVersion

morph_action_hook(action)[source]

Here we strip any duplicated leading or trailing slashes to prevent typos and other issues where some APIs don’t correctly handle double slashes.

Keep in mind that in some situations, “/” is a valid path name so we have a module flag which disables this behavior (https://github.com/apache/libcloud/issues/1529).

responseCls

alias of OpenStackAuthResponse

timeout: int | float | None = None
class libcloud.common.openstack_identity.OpenStackIdentityDomain(id, name, enabled)[source]

Bases: object

class libcloud.common.openstack_identity.OpenStackIdentityEndpointType[source]

Bases: object

Enum class for openstack identity endpoint type.

ADMIN = 'admin'
EXTERNAL = 'external'
INTERNAL = 'internal'
class libcloud.common.openstack_identity.OpenStackIdentityProject(id, name, description, enabled, domain_id=None)[source]

Bases: object

class libcloud.common.openstack_identity.OpenStackIdentityRole(id, name, description, enabled)[source]

Bases: object

class libcloud.common.openstack_identity.OpenStackIdentityUser(id, domain_id, name, email, description, enabled)[source]

Bases: object

class libcloud.common.openstack_identity.OpenStackIdentityVersion(version, status, updated, url)[source]

Bases: object

class libcloud.common.openstack_identity.OpenStackIdentity_1_0_Connection(auth_url, user_id, key, tenant_name=None, tenant_domain_id='default', domain_name='Default', token_scope='project', timeout=None, proxy_url=None, parent_conn=None, auth_cache=None)[source]

Bases: OpenStackIdentityConnection

Connection class for Keystone API v1.0.

Initialize user_id and key; set secure to an int based on passed value.

auth_version: str = '1.0'
authenticate(force=False)[source]

Authenticate against the identity API.

Parameters:

force (bool) – Forcefully update the token even if it’s already cached and still valid.

name = 'OpenStack Identity API v1.0'
responseCls

alias of OpenStackAuthResponse

class libcloud.common.openstack_identity.OpenStackIdentity_1_1_Connection(auth_url, user_id, key, tenant_name=None, tenant_domain_id='default', domain_name='Default', token_scope='project', timeout=None, proxy_url=None, parent_conn=None, auth_cache=None)[source]

Bases: OpenStackIdentityConnection

Connection class for Keystone API v1.1.

Initialize user_id and key; set secure to an int based on passed value.

auth_version: str = '1.1'
authenticate(force=False)[source]

Authenticate against the identity API.

Parameters:

force (bool) – Forcefully update the token even if it’s already cached and still valid.

name = 'OpenStack Identity API v1.1'
responseCls

alias of OpenStackAuthResponse

class libcloud.common.openstack_identity.OpenStackIdentity_2_0_Connection(auth_url, user_id, key, tenant_name=None, tenant_domain_id='default', domain_name='Default', token_scope='project', timeout=None, proxy_url=None, parent_conn=None, auth_cache=None)[source]

Bases: OpenStackIdentityConnection

Connection class for Keystone API v2.0.

Initialize user_id and key; set secure to an int based on passed value.

auth_version: str = '2.0'
authenticate(auth_type='api_key', force=False)[source]

Authenticate against the identity API.

Parameters:

force (bool) – Forcefully update the token even if it’s already cached and still valid.

list_projects()[source]
list_tenants()[source]
name = 'OpenStack Identity API v1.0'
responseCls

alias of OpenStackAuthResponse

class libcloud.common.openstack_identity.OpenStackIdentity_2_0_Connection_VOMS(auth_url, user_id, key, tenant_name=None, tenant_domain_id='default', domain_name='Default', token_scope='project', timeout=None, proxy_url=None, parent_conn=None, auth_cache=None)[source]

Bases: OpenStackIdentityConnection, CertificateConnection

Connection class for Keystone API v2.0 with VOMS proxy support. In this case the key parameter will be the path of the VOMS proxy file.

Initialize user_id and key; set secure to an int based on passed value.

auth_version: str = '2.0'
authenticate(force=False)[source]

Authenticate against the identity API.

Parameters:

force (bool) – Forcefully update the token even if it’s already cached and still valid.

name = 'OpenStack Identity API v2.0 VOMS support'
responseCls

alias of OpenStackAuthResponse

class libcloud.common.openstack_identity.OpenStackIdentity_3_0_Connection(auth_url, user_id, key, tenant_name=None, domain_name='Default', tenant_domain_id='default', token_scope='project', timeout=None, proxy_url=None, parent_conn=None, auth_cache=None)[source]

Bases: OpenStackIdentityConnection

Connection class for Keystone API v3.x.

Parameters:
  • tenant_name (str) – Name of the project this user belongs to. Note: When token_scope is set to project, this argument controls which project the token is scoped to.

  • domain_name (str) – Domain the user belongs to. Note: When token_scope is set to token, this argument controls which domain the token is scoped to.

  • token_scope (str) – Whether to scope a token to a “project”, a “domain” or “unscoped”.

  • auth_cache (OpenStackAuthenticationCache) – Where to cache authentication tokens.

VALID_TOKEN_SCOPES = ['project', 'domain', 'unscoped']
auth_version: str = '3.0'
authenticate(force=False)[source]

Perform authentication.

create_user(email, password, name, description=None, domain_id=None, default_project_id=None, enabled=True)[source]

Create a new user account.

Parameters:
  • email (str) – User’s mail address.

  • password (str) – User’s password.

  • name (str) – User’s name.

  • description (str) – Optional description.

  • domain_id (str) – ID of the domain to add the user to (optional).

  • default_project_id (str) – ID of the default user project (optional).

  • enabled (bool) – True to enable user after creation.

Returns:

Created user.

Return type:

OpenStackIdentityUser

disable_user(user)[source]

Disable user account.

Note: This operation appears to be idempotent.

Parameters:

user (OpenStackIdentityUser) – User to disable.

Returns:

User account which has been disabled.

Return type:

OpenStackIdentityUser

enable_user(user)[source]

Enable user account.

Note: This operation appears to be idempotent.

Parameters:

user (OpenStackIdentityUser) – User to enable.

Returns:

User account which has been enabled.

Return type:

OpenStackIdentityUser

get_domain(domain_id)[source]

Retrieve information about a single domain.

Parameters:

domain_id (str) – ID of domain to retrieve information for.

Return type:

OpenStackIdentityDomain

get_user(user_id)[source]

Get a user account by ID.

Parameters:

user_id – User’s id.

Returns:

Located user.

Return type:

OpenStackIdentityUser

grant_domain_role_to_user(domain, role, user)[source]

Grant domain role to a user.

Note: This function appears to be idempotent.

Parameters:
Returns:

True on success.

Return type:

bool

grant_project_role_to_user(project, role, user)[source]

Grant project role to a user.

Note: This function appears to be idempotent.

Parameters:
Returns:

True on success.

Return type:

bool

list_domains()[source]

List the available domains.

Return type:

list of OpenStackIdentityDomain

list_projects()[source]

List the available projects.

Note: To perform this action, the user you are currently authenticated as needs to be an admin.

Return type:

list of OpenStackIdentityProject

list_roles()[source]

List the available roles.

Return type:

list of OpenStackIdentityRole

list_user_domain_roles(domain, user)[source]

Retrieve all the roles for a particular user on a domain.

Return type:

list of OpenStackIdentityRole

list_user_projects(user)[source]

Retrieve all the projects the user belongs to.

Return type:

list of OpenStackIdentityProject

list_users()[source]

List the available users.

Return type:

list of OpenStackIdentityUser

name = 'OpenStack Identity API v3.x'
responseCls

alias of OpenStackAuthResponse

revoke_domain_role_from_user(domain, user, role)[source]

Revoke domain role from a user.

Parameters:
Returns:

True on success.

Return type:

bool

revoke_project_role_from_user(project, role, user)[source]

Revoke project role from a user.

Parameters:
Returns:

True on success.

Return type:

bool

class libcloud.common.openstack_identity.OpenStackIdentity_3_0_Connection_AppCred(auth_url, user_id, key, tenant_name=None, domain_name=None, tenant_domain_id=None, token_scope=None, timeout=None, proxy_url=None, parent_conn=None, auth_cache=None)[source]

Bases: OpenStackIdentity_3_0_Connection

Connection class for Keystone API v3.x using Application Credentials.

‘user_id’ is the application credential id and ‘key’ is the application credential secret.

Tenant, domain and scope options are ignored as they are contained within the app credential itself and can’t be changed.

name = 'OpenStack Identity API v3.x with Application Credentials'
class libcloud.common.openstack_identity.OpenStackIdentity_3_0_Connection_OIDC_access_token(auth_url, user_id, key, tenant_name=None, domain_name='Default', tenant_domain_id='default', token_scope='project', timeout=None, proxy_url=None, parent_conn=None, auth_cache=None)[source]

Bases: OpenStackIdentity_3_0_Connection

Connection class for Keystone API v3.x using OpenID Connect tokens.

The OIDC token must be set in the self.key attribute.

The identity provider name required to get the full path must be set in the self.user_id attribute.

The protocol name required to get the full path must be set in the self.tenant_name attribute.

The self.domain_name attribute can be used either to select the domain name in the case of a domain-scoped token or to select the project name in the case of a project-scoped token.

Parameters:
  • tenant_name (str) – Name of the project this user belongs to. Note: When token_scope is set to project, this argument controls which project the token is scoped to.

  • domain_name (str) – Domain the user belongs to. Note: When token_scope is set to token, this argument controls which domain the token is scoped to.

  • token_scope (str) – Whether to scope a token to a “project”, a “domain” or “unscoped”.

  • auth_cache (OpenStackAuthenticationCache) – Where to cache authentication tokens.

auth_version: str = '3.0'
authenticate(force=False)[source]

Perform authentication.

name = 'OpenStack Identity API v3.x with OIDC support'
responseCls

alias of OpenStackAuthResponse

class libcloud.common.openstack_identity.OpenStackServiceCatalog(service_catalog, auth_version='1.1')[source]

Bases: object

http://docs.openstack.org/api/openstack-identity-service/2.0/content/

This class should be instantiated with the contents of the ‘serviceCatalog’ in the auth response. It works out which services actually exist in the catalog and splits them up by type, name, and region, if available.

get_catalog()[source]

Deprecated in favor of the get_entries method.

get_endpoint(service_type=None, name=None, region=None, endpoint_type='external')[source]

Retrieve a single endpoint using the provided criteria.

Note: If no matching endpoint or more than one matching endpoint is found, an exception is thrown.

get_endpoints(service_type=None, name=None)[source]

Retrieve all the endpoints for the provided service type and name.

Return type:

list of OpenStackServiceCatalogEntryEndpoint

get_entries()[source]

Return all the entries for this service catalog.

Return type:

list of OpenStackServiceCatalogEntry

get_public_urls(service_type=None, name=None)[source]

Retrieve all the available public (external) URLs for the provided service type and name.

get_regions(service_type=None)[source]

Retrieve a list of all the available regions.

Parameters:

service_type (str) – If specified, only return regions for this service type.

Return type:

list of str

get_service_names(service_type=None, region=None)[source]

Retrieve a list of service names that match the service type and region.

Return type:

list of str

get_service_types(region=None)[source]

Retrieve all the available service types.

Parameters:

region (str) – Optional region to retrieve service types for.

Return type:

list of str

class libcloud.common.openstack_identity.OpenStackServiceCatalogEntry(service_type, endpoints=None, service_name=None)[source]

Bases: object

Parameters:
  • service_type (str) – Service type.

  • endpoints (list) – Endpoints belonging to this entry.

  • service_name (str) – Optional service name.

class libcloud.common.openstack_identity.OpenStackServiceCatalogEntryEndpoint(region, url, endpoint_type='external')[source]

Bases: object

Parameters:
  • region (str) – Endpoint region.

  • url (str) – Endpoint URL.

  • endpoint_type (str) – Endpoint type (external / internal / admin).

VALID_ENDPOINT_TYPES = ['internal', 'external', 'admin']
libcloud.common.openstack_identity.get_class_for_auth_version(auth_version)[source]

Retrieve class for the provided auth version.