libcloud.common.openstack_identity module
Common / shared code for handling authentication against OpenStack identity service (Keystone).
- class libcloud.common.openstack_identity.OpenStackAuthenticationCache
Bases: object
Base class for external OpenStack authentication caches.
Authentication tokens are always cached in memory in OpenStackIdentityConnection.auth_token and related fields. These tokens are lost when the driver is garbage collected. To share tokens among multiple drivers, processes, or systems, use an OpenStackAuthenticationCache in OpenStackIdentityConnection.auth_cache.
Cache implementors should inherit this class and define the methods below.
- clear(key)
Clear an authentication context from the cache.
- Parameters:
key (OpenStackAuthenticationCacheKey) – Key to clear.
- get(key)
Get an authentication context from the cache.
- Parameters:
key (OpenStackAuthenticationCacheKey) – Key to fetch.
- Returns:
The cached context for the given key, if present; None if not.
- Return type:
- put(key, context)
Put an authentication context into the cache.
- Parameters:
key (OpenStackAuthenticationCacheKey) – Key where the context will be stored.
context (OpenStackAuthenticationContext) – The context to cache.
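A cache implementation along the lines described above, as an added example that is not part of libcloud: a lock-protected in-memory cache that can be passed as auth_cache to several connections in one process and that evicts a token instead of returning it once it is expired or about to expire. The class name InMemoryAuthCache and its skew parameter are hypothetical; the code assumes context.expiration is a timezone-aware datetime or None, and falls back to stand-ins built from the signatures on this page when libcloud is not importable.

```python
import threading
from collections import namedtuple
from datetime import datetime, timedelta, timezone

try:
    from libcloud.common.openstack_identity import (
        OpenStackAuthenticationCache,
        OpenStackAuthenticationCacheKey,
        OpenStackAuthenticationContext,
    )
except ImportError:
    # Stand-ins mirroring the signatures documented on this page, so the
    # example also runs where libcloud is not installed.
    OpenStackAuthenticationCache = object
    OpenStackAuthenticationCacheKey = namedtuple(
        "OpenStackAuthenticationCacheKey",
        "auth_url user_id token_scope tenant_name domain_name tenant_domain_id",
    )

    class OpenStackAuthenticationContext:
        def __init__(self, token, expiration=None, user=None, roles=None, urls=None):
            self.token, self.expiration = token, expiration
            self.user, self.roles, self.urls = user, roles, urls


class InMemoryAuthCache(OpenStackAuthenticationCache):
    """Process-wide token cache that never hands back an expired context."""

    def __init__(self, skew=timedelta(seconds=60)):
        self._lock = threading.Lock()  # drivers may authenticate from several threads
        self._entries = {}
        self._skew = skew  # treat tokens about to expire as already expired

    def put(self, key, context):
        with self._lock:
            self._entries[key] = context

    def get(self, key):
        with self._lock:
            context = self._entries.get(key)
            expires = getattr(context, "expiration", None)  # assumed aware datetime
            if expires is not None and expires - self._skew <= datetime.now(timezone.utc):
                del self._entries[key]  # drop the stale token instead of returning it
                return None
            return context

    def clear(self, key):
        with self._lock:
            self._entries.pop(key, None)
```

Because the key tuple includes token_scope, tenant_name and the domain fields, a token cached for one scope is never returned for a lookup under another.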
- class libcloud.common.openstack_identity.OpenStackAuthenticationCacheKey(auth_url, user_id, token_scope, tenant_name, domain_name, tenant_domain_id)
Bases: tuple
Create new instance of OpenStackAuthenticationCacheKey(auth_url, user_id, token_scope, tenant_name, domain_name, tenant_domain_id)
- auth_url
Alias for field number 0
- domain_name
Alias for field number 4
- tenant_domain_id
Alias for field number 5
- tenant_name
Alias for field number 3
- token_scope
Alias for field number 2
- user_id
Alias for field number 1
- class libcloud.common.openstack_identity.OpenStackAuthenticationContext(token, expiration=None, user=None, roles=None, urls=None)
Bases: object
An authentication token and related context.
- class libcloud.common.openstack_identity.OpenStackIdentityConnection(auth_url, user_id, key, tenant_name=None, tenant_domain_id='default', domain_name='Default', token_scope='project', timeout=None, proxy_url=None, parent_conn=None, auth_cache=None)
Bases: ConnectionUserAndKey
Base identity connection class which contains common / shared logic.
Note: This class shouldn’t be instantiated directly.
Initialize user_id and key; set secure to an int based on passed value.
- add_default_headers(headers)
Adds default headers (such as Authorization, X-Foo-Bar) to the passed headers.
Should return a dictionary.
- authenticate(force=False)
Authenticate against the identity API.
- Parameters:
force (bool) – Forcefully update the token even if it’s already cached and still valid.
- authenticated_request(action, params=None, data=None, headers=None, method='GET', raw=False)
Perform an authenticated request against the identity API.
- clear_cached_auth_context()
Clear the cached authentication context.
The context is cleared from fields on this connection and from the external cache, if one is configured.
- is_token_valid()
Return True if the current auth token is already cached and hasn’t expired yet.
- Returns:
True if the token is still valid, False otherwise.
- Return type:
bool
- list_supported_versions()
Retrieve a list of all the identity versions which are supported by this installation.
- Return type:
list of OpenStackIdentityVersion
- morph_action_hook(action)
Here we strip any duplicated leading or trailing slashes to prevent typos and other issues where some APIs don’t correctly handle double slashes.
Keep in mind that in some situations, “/” is a valid path name so we have a module flag which disables this behavior (https://github.com/apache/libcloud/issues/1529).
- responseCls
alias of OpenStackAuthResponse
- class libcloud.common.openstack_identity.OpenStackIdentityDomain(id, name, enabled)
Bases: object
- class libcloud.common.openstack_identity.OpenStackIdentityEndpointType
Bases: object
Enum class for openstack identity endpoint type.
- ADMIN = 'admin'
- EXTERNAL = 'external'
- INTERNAL = 'internal'
- class libcloud.common.openstack_identity.OpenStackIdentityProject(id, name, description, enabled, domain_id=None)
Bases: object
- class libcloud.common.openstack_identity.OpenStackIdentityRole(id, name, description, enabled)
Bases: object
- class libcloud.common.openstack_identity.OpenStackIdentityUser(id, domain_id, name, email, description, enabled)
Bases: object
- class libcloud.common.openstack_identity.OpenStackIdentityVersion(version, status, updated, url)
Bases: object
- class libcloud.common.openstack_identity.OpenStackIdentity_1_0_Connection(auth_url, user_id, key, tenant_name=None, tenant_domain_id='default', domain_name='Default', token_scope='project', timeout=None, proxy_url=None, parent_conn=None, auth_cache=None)
Bases: OpenStackIdentityConnection
Connection class for Keystone API v1.0.
Initialize user_id and key; set secure to an int based on passed value.
- authenticate(force=False)
Authenticate against the identity API.
- Parameters:
force (bool) – Forcefully update the token even if it’s already cached and still valid.
- name = 'OpenStack Identity API v1.0'
- responseCls
alias of OpenStackAuthResponse
- class libcloud.common.openstack_identity.OpenStackIdentity_1_1_Connection(auth_url, user_id, key, tenant_name=None, tenant_domain_id='default', domain_name='Default', token_scope='project', timeout=None, proxy_url=None, parent_conn=None, auth_cache=None)
Bases: OpenStackIdentityConnection
Connection class for Keystone API v1.1.
Initialize user_id and key; set secure to an int based on passed value.
- authenticate(force=False)
Authenticate against the identity API.
- Parameters:
force (bool) – Forcefully update the token even if it’s already cached and still valid.
- name = 'OpenStack Identity API v1.1'
- responseCls
alias of OpenStackAuthResponse
- class libcloud.common.openstack_identity.OpenStackIdentity_2_0_Connection(auth_url, user_id, key, tenant_name=None, tenant_domain_id='default', domain_name='Default', token_scope='project', timeout=None, proxy_url=None, parent_conn=None, auth_cache=None)
Bases: OpenStackIdentityConnection
Connection class for Keystone API v2.0.
Initialize user_id and key; set secure to an int based on passed value.
- authenticate(auth_type='api_key', force=False)
Authenticate against the identity API.
- Parameters:
force (bool) – Forcefully update the token even if it’s already cached and still valid.
- name = 'OpenStack Identity API v1.0'
- responseCls
alias of OpenStackAuthResponse
- class libcloud.common.openstack_identity.OpenStackIdentity_2_0_Connection_VOMS(auth_url, user_id, key, tenant_name=None, tenant_domain_id='default', domain_name='Default', token_scope='project', timeout=None, proxy_url=None, parent_conn=None, auth_cache=None)
Bases: OpenStackIdentityConnection, CertificateConnection
Connection class for Keystone API v2.0 with VOMS proxy support. In this case the key parameter will be the path of the VOMS proxy file.
Initialize user_id and key; set secure to an int based on passed value.
- authenticate(force=False)
Authenticate against the identity API.
- Parameters:
force (bool) – Forcefully update the token even if it’s already cached and still valid.
- name = 'OpenStack Identity API v2.0 VOMS support'
- responseCls
alias of OpenStackAuthResponse
- class libcloud.common.openstack_identity.OpenStackIdentity_3_0_Connection(auth_url, user_id, key, tenant_name=None, domain_name='Default', tenant_domain_id='default', token_scope='project', timeout=None, proxy_url=None, parent_conn=None, auth_cache=None)
Bases: OpenStackIdentityConnection
Connection class for Keystone API v3.x.
- Parameters:
tenant_name (str) – Name of the project this user belongs to. Note: When token_scope is set to project, this argument controls which project the token is scoped to.
domain_name (str) – Domain the user belongs to. Note: When token_scope is set to token, this argument controls which domain the token is scoped to.
token_scope (str) – Whether to scope a token to a “project”, a “domain” or “unscoped”.
auth_cache (OpenStackAuthenticationCache) – Where to cache authentication tokens.
- VALID_TOKEN_SCOPES = ['project', 'domain', 'unscoped']
- create_user(email, password, name, description=None, domain_id=None, default_project_id=None, enabled=True)
Create a new user account.
- Parameters:
email (str) – User’s mail address.
password (str) – User’s password.
name (str) – User’s name.
description (str) – Optional description.
domain_id (str) – ID of the domain to add the user to (optional).
default_project_id (str) – ID of the default user project (optional).
enabled (bool) – True to enable user after creation.
- Returns:
Created user.
- Return type:
- disable_user(user)
Disable user account.
Note: This operation appears to be idempotent.
- Parameters:
user (OpenStackIdentityUser) – User to disable.
- Returns:
User account which has been disabled.
- Return type:
- enable_user(user)
Enable user account.
Note: This operation appears to be idempotent.
- Parameters:
user (OpenStackIdentityUser) – User to enable.
- Returns:
User account which has been enabled.
- Return type:
- get_domain(domain_id)
Retrieve information about a single domain.
- Parameters:
domain_id (str) – ID of domain to retrieve information for.
- Return type:
- get_user(user_id)
Get a user account by ID.
- Parameters:
user_id – User’s id.
- Returns:
Located user.
- Return type:
- grant_domain_role_to_user(domain, role, user)
Grant domain role to a user.
Note: This function appears to be idempotent.
- Parameters:
domain (OpenStackIdentityDomain) – Domain to grant the role to.
role (OpenStackIdentityRole) – Role to grant.
user (OpenStackIdentityUser) – User to grant the role to.
- Returns:
True on success.
- Return type:
bool
- grant_project_role_to_user(project, role, user)
Grant project role to a user.
Note: This function appears to be idempotent.
- Parameters:
project (OpenStackIdentityDomain) – Project to grant the role to.
role (OpenStackIdentityRole) – Role to grant.
user (OpenStackIdentityUser) – User to grant the role to.
- Returns:
True on success.
- Return type:
bool
- list_domains()
List the available domains.
- Return type:
list of OpenStackIdentityDomain
- list_projects()
List the available projects.
Note: To perform this action, the user you are currently authenticated as needs to be an admin.
- Return type:
list of OpenStackIdentityProject
- list_roles()
List the available roles.
- Return type:
list of OpenStackIdentityRole
- list_user_domain_roles(domain, user)
Retrieve all the roles for a particular user on a domain.
- Return type:
list of OpenStackIdentityRole
- list_user_projects(user)
Retrieve all the projects the user belongs to.
- Return type:
list of OpenStackIdentityProject
- list_users()
List the available users.
- Return type:
list of OpenStackIdentityUser
- name = 'OpenStack Identity API v3.x'
- responseCls
alias of OpenStackAuthResponse
- revoke_domain_role_from_user(domain, user, role)
Revoke domain role from a user.
- Parameters:
domain (OpenStackIdentityDomain) – Domain to revoke the role from.
role (OpenStackIdentityRole) – Role to revoke.
user (OpenStackIdentityUser) – User to revoke the role from.
- Returns:
True on success.
- Return type:
bool
- revoke_project_role_from_user(project, role, user)
Revoke project role from a user.
- Parameters:
project (OpenStackIdentityDomain) – Project to revoke the role from.
role (OpenStackIdentityRole) – Role to revoke.
user (OpenStackIdentityUser) – User to revoke the role from.
- Returns:
True on success.
- Return type:
bool
- class libcloud.common.openstack_identity.OpenStackIdentity_3_0_Connection_AppCred(auth_url, user_id, key, tenant_name=None, domain_name=None, tenant_domain_id=None, token_scope=None, timeout=None, proxy_url=None, parent_conn=None, auth_cache=None)
Bases: OpenStackIdentity_3_0_Connection
Connection class for Keystone API v3.x using Application Credentials.
‘user_id’ is the application credential id and ‘key’ is the application credential secret.
Tenant, domain and scope options are ignored as they are contained within the app credential itself and can’t be changed.
- name = 'OpenStack Identity API v3.x with Application Credentials'
- class libcloud.common.openstack_identity.OpenStackIdentity_3_0_Connection_OIDC_access_token(auth_url, user_id, key, tenant_name=None, domain_name='Default', tenant_domain_id='default', token_scope='project', timeout=None, proxy_url=None, parent_conn=None, auth_cache=None)
Bases: OpenStackIdentity_3_0_Connection
Connection class for Keystone API v3.x using OpenID Connect tokens.
The OIDC token must be set in the self.key attribute.
The identity provider name required to get the full path must be set in the self.user_id attribute.
The protocol name required to get the full path must be set in the self.tenant_name attribute.
The self.domain_name attribute can be used either to select the domain name in case of a domain-scoped token or to select the project name in case of a project-scoped token.
- Parameters:
tenant_name (str) – Name of the project this user belongs to. Note: When token_scope is set to project, this argument controls which project the token is scoped to.
domain_name (str) – Domain the user belongs to. Note: When token_scope is set to token, this argument controls which domain the token is scoped to.
token_scope (str) – Whether to scope a token to a “project”, a “domain” or “unscoped”.
auth_cache (OpenStackAuthenticationCache) – Where to cache authentication tokens.
- name = 'OpenStack Identity API v3.x with OIDC support'
- responseCls
alias of OpenStackAuthResponse
- class libcloud.common.openstack_identity.OpenStackServiceCatalog(service_catalog, auth_version='1.1')
Bases: object
http://docs.openstack.org/api/openstack-identity-service/2.0/content/
This class should be instantiated with the contents of the ‘serviceCatalog’ in the auth response. It works out which services actually exist in the catalog and splits them up by type, name, and region if available.
- get_endpoint(service_type=None, name=None, region=None, endpoint_type='external')
Retrieve a single endpoint using the provided criteria.
Note: If no or more than one matching endpoint is found, an exception is thrown.
- get_endpoints(service_type=None, name=None)
Retrieve all the endpoints for the provided service type and name.
- Return type:
- get_entries()
Return all the entries for this service catalog.
- Return type:
list of OpenStackServiceCatalogEntry
- get_public_urls(service_type=None, name=None)
Retrieve all the available public (external) URLs for the provided service type and name.
- get_regions(service_type=None)
Retrieve a list of all the available regions.
- Parameters:
service_type (str) – If specified, only return regions for this service type.
- Return type:
list of str
- class libcloud.common.openstack_identity.OpenStackServiceCatalogEntry(service_type, endpoints=None, service_name=None)
Bases: object
- Parameters:
service_type (str) – Service type.
endpoints (list) – Endpoints belonging to this entry.
service_name (str) – Optional service name.
- class libcloud.common.openstack_identity.OpenStackServiceCatalogEntryEndpoint(region, url, endpoint_type='external')
Bases: object
- Parameters:
region (str) – Endpoint region.
url (str) – Endpoint URL.
endpoint_type (str) – Endpoint type (external / internal / admin).
- VALID_ENDPOINT_TYPES = ['internal', 'external', 'admin']