keystone.auth.plugins package

Submodules

keystone.auth.plugins.core module

class keystone.auth.plugins.core.BaseUserInfo(*args, **kwargs)

Bases: object

classmethod create(auth_payload, method_name)

class keystone.auth.plugins.core.TOTPUserInfo

Bases: keystone.auth.plugins.core.BaseUserInfo

class keystone.auth.plugins.core.UserAuthInfo

Bases: keystone.auth.plugins.core.BaseUserInfo

keystone.auth.plugins.core.construct_method_map_from_config()

Determine authentication method types for deployment.

Returns:a dictionary containing the methods and their indexes

keystone.auth.plugins.core.convert_integer_to_method_list(method_int)

Convert an integer to a list of methods.

Parameters:method_int – an integer representing methods Returns:a corresponding list of methods

keystone.auth.plugins.core.convert_method_list_to_integer(methods)

Convert the method type(s) to an integer.

Parameters:methods – a list of method names Returns:an integer representing the methods

keystone.auth.plugins.external module

Keystone External Authentication Plugins

class keystone.auth.plugins.external.Base

Bases: keystone.auth.core.AuthMethodHandler

authenticate(context, auth_info, auth_context)

Use REMOTE_USER to look up the user in the identity backend.

auth_context is an in-out variable that will be updated with the user_id from the actual user from the REMOTE_USER env variable.

class keystone.auth.plugins.external.DefaultDomain(*args, **kwargs)

Bases: keystone.auth.plugins.external.Base

class keystone.auth.plugins.external.Domain(*args, **kwargs)

Bases: keystone.auth.plugins.external.Base

class keystone.auth.plugins.external.KerberosDomain(*args, **kwargs)

Bases: keystone.auth.plugins.external.Domain

Allows kerberos as a method.

keystone.auth.plugins.mapped module

class keystone.auth.plugins.mapped.Mapped(*args, **kwargs)

Bases: keystone.auth.core.AuthMethodHandler

authenticate(context, auth_payload, auth_context)

Authenticate mapped user and set an authentication context.

Parameters:

• context – keystone’s request context
• auth_payload – the content of the authentication for a given method
• auth_context – user authentication context, a dictionary shared by all plugins.

In addition to user_id in auth_context, this plugin sets group_ids, OS-FEDERATION:identity_provider and OS-FEDERATION:protocol

keystone.auth.plugins.mapped.apply_mapping_filter(identity_provider, protocol, assertion, resource_api, federation_api, identity_api)

keystone.auth.plugins.mapped.extract_assertion_data(context)

keystone.auth.plugins.mapped.get_user_unique_id_and_display_name(context, mapped_properties)

Setup federated username.

Function covers all the cases for properly setting user id, a primary identifier for identity objects. Initial version of the mapping engine assumed user is identified by name and his id is built from the name. We, however need to be able to accept local rules that identify user by either id or name/domain.

The following use-cases are covered:

1. If neither user_name nor user_id is set raise exception.Unauthorized
2. If user_id is set and user_name not, set user_name equal to user_id
3. If user_id is not set and user_name is, set user_id as url safe version of user_name.

Parameters:

• context – authentication context
• mapped_properties – Properties issued by a RuleProcessor.

Type:

dictionary

Raises keystone.exception.Unauthorized:  

If neither user_name nor user_id is set.

Returns:

tuple with user identification

Return type:

tuple

keystone.auth.plugins.mapped.handle_scoped_token(context, auth_payload, auth_context, token_ref, federation_api, identity_api, token_provider_api)

keystone.auth.plugins.mapped.handle_unscoped_token(context, auth_payload, auth_context, resource_api, federation_api, identity_api)

keystone.auth.plugins.oauth1 module

class keystone.auth.plugins.oauth1.OAuth(*args, **kwargs)

Bases: keystone.auth.core.AuthMethodHandler

authenticate(context, auth_info, auth_context)

Turn a signed request with an access key into a keystone token.

keystone.auth.plugins.password module

class keystone.auth.plugins.password.Password(*args, **kwargs)

Bases: keystone.auth.core.AuthMethodHandler

authenticate(context, auth_payload, auth_context)

Try to authenticate against the identity backend.

keystone.auth.plugins.saml2 module

class keystone.auth.plugins.saml2.Saml2(*args, **kwargs)

Bases: keystone.auth.plugins.mapped.Mapped

Provide an entry point to authenticate with SAML2.

This plugin subclasses mapped.Mapped, and may be specified in keystone.conf:

[auth]
methods = external,password,token,saml2
saml2 = keystone.auth.plugins.mapped.Mapped

keystone.auth.plugins.token module

class keystone.auth.plugins.token.Token(*args, **kwargs)

Bases: keystone.auth.core.AuthMethodHandler

authenticate(context, auth_payload, user_context)

keystone.auth.plugins.token.token_authenticate(context, auth_payload, user_context, token_ref)

keystone.auth.plugins.totp module

Time-based One-time Password Algorithm (TOTP) auth plugin

TOTP is an algorithm that computes a one-time password from a shared secret key and the current time.

TOTP is an implementation of a hash-based message authentication code (HMAC). It combines a secret key with the current timestamp using a cryptographic hash function to generate a one-time password. The timestamp typically increases in 30-second intervals, so passwords generated close together in time from the same secret key will be equal.

class keystone.auth.plugins.totp.TOTP(*args, **kwargs)

Bases: keystone.auth.core.AuthMethodHandler

authenticate(context, auth_payload, auth_context)

Try to authenticate using TOTP

Module contents