keystone.token.providers package

Submodules

keystone.token.providers.common module

class keystone.token.providers.common.BaseProvider(*args, **kwargs)[source]

Bases: keystone.token.provider.Provider

get_token_version(token_data)[source]
issue_v2_token(token_ref, roles_ref=None, catalog_ref=None)[source]
issue_v3_token(user_id, method_names, expires_at=None, project_id=None, domain_id=None, auth_context=None, trust=None, metadata_ref=None, include_catalog=True, parent_audit_id=None)[source]
validate_non_persistent_token(token_id)[source]
validate_v2_token(token_ref)[source]
validate_v3_token(token_ref)[source]
class keystone.token.providers.common.V2TokenDataHelper(*args, **kwargs)[source]

Bases: object

Create V2 token data.

classmethod format_catalog(catalog_ref)[source]

Munge catalogs from internal to output format.

Internal catalogs look like:

{$REGION: {
    {$SERVICE: {
        $key1: $value1,
        ...
        }
    }
}

The legacy api wants them to look like:

[{'name': $SERVICE[name],
  'type': $SERVICE,
  'endpoints': [{
      'tenantId': $tenant_id,
      ...
      'region': $REGION,
      }],
  'endpoints_links': [],
 }]
classmethod format_token(token_ref, roles_ref=None, catalog_ref=None, trust_ref=None)[source]
v3_to_v2_token(v3_token_data, token_id)[source]

Convert v3 token data into v2.0 token data.

This method expects a dictionary generated from V3TokenDataHelper.get_token_data() and converts it to look like a v2.0 token dictionary.

Parameters:
  • v3_token_data – dictionary formatted for v3 tokens
  • token_id – ID of the token being converted
Returns:

dictionary formatted for v2 tokens

Raises keystone.exception.Unauthorized:
 

If a specific token type is not supported in v2.

class keystone.token.providers.common.V3TokenDataHelper(*args, **kwargs)[source]

Bases: object

Token data helper.

get_token_data(user_id, method_names, domain_id=None, project_id=None, expires=None, trust=None, token=None, include_catalog=True, bind=None, access_token=None, issued_at=None, audit_info=None)[source]
populate_roles_for_federated_user(token_data, group_ids, project_id=None, domain_id=None, user_id=None)[source]

Populate roles basing on provided groups and project/domain.

Used for federated users with dynamically assigned groups. This method does not return anything, yet it modifies token_data in place.

Parameters:
  • token_data – a dictionary used for building token response
  • group_ids – list of group IDs a user is a member of
  • project_id – project ID to scope to
  • domain_id – domain ID to scope to
  • user_id – user ID
Raises keystone.exception.Unauthorized:
 

when no roles were found

keystone.token.providers.pki module

Keystone PKI Token Provider.

class keystone.token.providers.pki.Provider(*args, **kwargs)[source]

Bases: keystone.token.providers.common.BaseProvider

needs_persistence()[source]

Should the token be written to a backend.

keystone.token.providers.pkiz module

Keystone Compressed PKI Token Provider.

class keystone.token.providers.pkiz.Provider(*args, **kwargs)[source]

Bases: keystone.token.providers.common.BaseProvider

needs_persistence()[source]

Should the token be written to a backend.

keystone.token.providers.uuid module

Keystone UUID Token Provider.

class keystone.token.providers.uuid.Provider(*args, **kwargs)[source]

Bases: keystone.token.providers.common.BaseProvider

needs_persistence()[source]

Should the token be written to a backend.

Module contents