Authentication Plugins¶
Introduction¶
Authentication plugins provide a generic means by which to extend the authentication mechanisms known to OpenStack clients.
In the vast majority of cases the authentication plugins used will be those written for use with the OpenStack Identity Service (Keystone), however this is not the only possible case, and the mechanisms by which authentication plugins are used and implemented should be generic enough to cover completely customized authentication solutions.
The subset of authentication plugins intended for use with an OpenStack Identity server (such as Keystone) are called Identity Plugins.
Available Plugins¶
Keystoneauth ships with a number of plugins and particularly Identity Plugins.
V2 Identity Plugins¶
Standard V2 identity plugins are defined in the module:
keystoneauth1.identity.v2
They include:
Password
: Authenticate against a V2 identity service using a username and password.Token
: Authenticate against a V2 identity service using an existing token.
V2 identity plugins must use an auth_url that points to the root of a V2
identity server URL, i.e.: http://hostname:5000/v2.0
.
V3 Identity Plugins¶
Standard V3 identity plugins are defined in the module
keystoneauth1.identity.v3
.
V3 Identity plugins are slightly different from their V2 counterparts as a V3
authentication request can contain multiple authentication methods. To handle
this V3 defines a number of different
AuthMethod
classes:
PasswordMethod
: Authenticate against a V3 identity service using a username and password.TokenMethod
: Authenticate against a V3 identity service using an existing token.ReceiptMethod
: Authenticate against a V3 identity service using an existing auth-receipt. This method has to be used in conjunction with at least one other method.TOTPMethod
: Authenticate against a V3 identity service using Time-Based One-Time Password (TOTP).TokenlessAuth
: Authenticate against a V3 identity service using tokenless authentication.ApplicationCredentialMethod
: Authenticate against a V3 identity service using an application credential.KerberosMethod
: Authenticate against a V3 identity service using Kerberos.OAuth2ClientCredentialMethod
: Authenticate against a V3 identity service using an OAuth2.0 client credential.OAuth2mTlsClientCredential
: Authenticate against a V3 identity service using an OAuth2.0 Mutual-TLS client credentials.
The AuthMethod
objects are then
passed to the Auth
plugin:
>>> from keystoneauth1 import session
>>> from keystoneauth1.identity import v3
>>> password = v3.PasswordMethod(username='user',
... password='password',
... user_domain_name='default')
>>> auth = v3.Auth(auth_url='http://my.keystone.com:5000/v3',
... auth_methods=[password],
... project_id='projectid')
>>> sess = session.Session(auth=auth)
You can even add additional methods to an existing auth instance after it has been created:
>>> totp = v3.TOTPMethod(username='user',
... passcode='123456',
... user_domain_name='default')
>>> auth.add_method(totp)
Or use the MultiFactor
helper
plugin to do it all simply in one go, an example of whichs exists in the
section below.
For the common cases where you will only want to use one
AuthMethod
there are also helper
authentication plugins for the various
AuthMethod
which can be used more
like the V2 plugins:
Password
: Authenticate using only aPasswordMethod
.Token
: Authenticate using only aTokenMethod
.TOTP
: Authenticate using only aTOTPMethod
.Kerberos
: Authenticate using only aKerberosMethod
.
>>> auth = v3.Password(auth_url='http://my.keystone.com:5000/v3',
... username='username',
... password='password',
... project_id='projectid',
... user_domain_name='default')
>>> sess = session.Session(auth=auth)
This will have exactly the same effect as using the single
PasswordMethod
above.
V3 identity plugins must use an auth_url that points to the root of a V3
identity server URL, i.e.: http://hostname:5000/v3
.
Multi-Factor with V3 Identity Plugins¶
The basic example of multi-factor authentication is when you supply all the needed auth methods up front.
This can be done by building an Auth class with method instances:
from keystoneauth1 import session
from keystoneauth1.identity import v3
auth = v3.Auth(
auth_url='http://my.keystone.com:5000/v3',
auth_methods=[
v3.PasswordMethod(
username='user',
password='password',
user_domain_id="default",
),
v3.TOTPMethod(
username='user',
passcode='123456',
user_domain_id="default",
)
],
project_id='projectid',
)
sess = session.Session(auth=auth)
Or by letting the helper plugin do it for you:
from keystoneauth1 import session
from keystoneauth1.identity import v3
auth = v3.MultiFactor(
auth_url='http://my.keystone.com:5000/v3',
auth_methods=['v3password', 'v3totp'],
username='user',
password='password',
passcode='123456',
user_domain_id="default",
project_id='projectid',
)
sess = session.Session(auth=auth)
Note: The MultiFactor
helper
does not support auth receipts as an option in auth_methods, but one can
be added with auth.add_method.
When you supply just one method when multiple are needed, a
MissingAuthMethods
error will
be raised. This can be caught, and you can infer based on the error what
the missing methods were, and from it extract the receipt to continue
authentication:
auth = v3.Password(auth_url='http://my.keystone.com:5000/v3',
username='username',
password='password',
project_id='projectid',
user_domain_id='default')
sess = session.Session(auth=auth)
try:
sess.get_token()
except exceptions.MissingAuthMethods as e:
receipt = e.receipt
methods = e.methods
required_methods = e.required_auth_methods
Once you know what auth methods are needed to continue, you can extend the existing auth plugin with additional methods:
auth.add_method(
v3.TOTPMethod(
username='user',
passcode='123456',
user_domain_id='default',
)
)
sess.get_token()
Or if you do not have the existing auth method, but have the receipt you can continue as well:
auth = v3.TOTP(
auth_url='http://my.keystone.com:5000/v3',
username='user',
passcode='123456',
user_domain_id='default',
project_id='projectid',
)
auth.add_method(v3.ReceiptMethod(receipt=receipt))
sess = session.Session(auth=auth)
sess.get_token()
Standalone Plugins¶
Services can be deployed in a standalone environment where there is no integration with an identity service. The following plugins are provided to support standalone services:
HTTPBasicAuth
: HTTP Basic authenticationNoAuth
: No authentication
Standalone plugins must be given an endpoint that points to the URL of the one service being used, since there is no service catalog to look up endpoints:
from keystoneauth1 import session
from keystoneauth1 import noauth
auth = noauth.NoAuth(endpoint='http://hostname:6385/')
sess = session.Session(auth=auth)
HTTPBasicAuth
also requres a username and
password:
from keystoneauth1 import session
from keystoneauth1 import http_basic
auth = http_basic.HTTPBasicAuth(endpoint='http://hostname:6385/',
username='myUser',
password='myPassword')
sess = session.Session(auth=auth)
Federation¶
The following V3 plugins are provided to support federation:
MappedKerberos
: Federated (mapped) Kerberos.Password
: SAML2 password authentication.v3:OpenIDConnectAccessToken
: Plugin to reuse an existing OpenID Connect access token.v3:OpenIDConnectAuthorizationCode
: OpenID Connect Authorization Code grant type.v3:OpenIDConnectClientCredentials
: OpenID Connect Client Credentials grant type.v3:OpenIDConnectPassword
: OpenID Connect Resource Owner Password Credentials grant type.Keystone2Keystone
: Keystone to Keystone Federation.
The Keystone2Keystone plugin is special as it takes a Password auth for one keystone instance acting as an Identity Provider as input in order to create a session on the keystone acting as a Service Provider, for example:
from keystoneauth1 import session
from keystoneauth1.identity import v3
from keystoneauth1.identity.v3 import k2k
pwauth = v3.Password(auth_url='http://my.keystone.com:5000/v3',
username='username',
password='password',
project_id='projectid',
user_domain_name='Default')
k2kauth = k2k.Keystone2Keystone(pwauth, 'mysp',
project_id='federated_projectid')
k2ksession = session.Session(auth=k2kauth)
The OpenIDConnectPassword plugin also supports OTP. This option is required in cases when the Identity Provider requires more than a password to authenticate the user. As the OTP usually is a short-lived code that continually changes, then, when this option is active, the user will be requested to input the OTP code when executing the authentication process.
To enable this option, the user will need to export the environment variable “OS_IDP_OTP_KEY” with the OTP key used by the Identity Provider’s authentication API.
E.g.: If the Identity Provider’s authentication API requires some JSON like:
{
"username": "user1",
"password": "passwd",
"totp": "763907"
}
Then, you will use the “totp” value in your “OS_IDP_OTP_KEY”, something like “export OS_IDP_OTP_KEY=totp”.
After the configuration of the “OS_IDP_OTP_KEY” environment variable, every time that you will log in through the python openstack-client, a prompt will be displayed requesting to you to input your OTP code.
Version Independent Identity Plugins¶
Standard version independent identity plugins are defined in the module
keystoneauth1.identity.generic
.
For the cases of plugins that exist under both the identity V2 and V3 APIs there is an abstraction to allow the plugin to determine which of the V2 and V3 APIs are supported by the server and use the most appropriate API.
These plugins are:
Password
: Authenticate using a user/password against either v2 or v3 API.Token
: Authenticate using an existing token against either v2 or v3 API.
These plugins work by first querying the identity server to determine available versions and so the auth_url used with the plugins should point to the base URL of the identity server to use. If the auth_url points to either a V2 or V3 endpoint it will restrict the plugin to only working with that version of the API.
Simple Plugins¶
In addition to the Identity plugins a simple plugin that will always use the same provided token and endpoint is available. This is useful for situations where you have a token and want to bypass authentication to obtain a new token for subsequent requests. Testing, proxies, and service-to-service authentication on behalf of a user are good examples use cases for this authentication plugin.
It can be found at keystoneauth1.token_endpoint.Token
.
For example:
>>> from keystoneauth1 import token_endpoint
>>> from keystoneauth1 import session
>>> a = token_endpoint.Token('http://my.keystone.com:5000/v3',
... token=token)
>>> s = session.Session(auth=a)
V3 OAuth 1.0a Plugins¶
There also exists a plugin for OAuth 1.0a authentication. We provide a helper
authentication plugin at:
V3OAuth1
.
The plugin requires the OAuth consumer’s key and secret, as well as the OAuth
access token’s key and secret. For example:
>>> from keystoneauth1.extras import oauth1
>>> from keystoneauth1 import session
>>> a = oauth1.V3OAuth1('http://my.keystone.com:5000/v3',
... consumer_key=consumer_id,
... consumer_secret=consumer_secret,
... access_key=access_token_key,
... access_secret=access_token_secret)
>>> s = session.Session(auth=a)
Application Credentials¶
There is a specific authentication method for interacting with Identity servers that support application credential authentication. Since application credentials are associated to a user on a specific project, some parameters are not required as they would be with traditional password authentication. The following method can be used to authenticate for a token using an application credential:
ApplicationCredential
:
The following example shows the method usage with a session:
>>> from keystoneauth1 import session
>>> from keystone.identity import v3
>>> auth = v3.ApplicationCredential(
application_credential_secret='application_credential_secret',
application_credential_id='c2872b920853478292623be94b657090'
)
>>> sess = session.Session(auth=auth)
OAuth2.0 Client Credentials¶
Warning
The access token must be only added for the requests using HTTPS according to RFC6749.
There is a specific authentication method for interacting with Identity
servers that support OAuth2.0 Client Credential Grant. The notable difference
from the other authentication method is that, after passing the
authentication, the session
will add “Authorization” header with an
OAuth2.0 access token to sent subsequent requests. The following method can be
used to authenticate for a token using OAuth2.0 client credentials:
OAuth2ClientCredential
:
The following example shows the method usage with a session:
>>> from keystoneauth1 import session
>>> from keystone.identity import v3
>>> auth = v3.OAuth2ClientCredential(
oauth2_endpoint='https://keystone.host/identity/v3/OS-OAUTH2/token'
oauth2_client_id='f96a2fec117141a6b5fbaa0485632244',
oauth2_client_secret='client_credential_secret'
)
>>> sess = session.Session(auth=auth)
OAuth2.0 Mutual-TLS Client Credentials¶
Warning
The access token must be only added for the requests using mutual TLS according to RFC8705.
There is a specific authentication method for interacting with Identity
servers that support OAuth 2.0 Mutual-TLS Client Authentication. The notable
difference from the other authentication method is that, after passing the
authentication, the session
will add “Authorization” header with an
OAuth2.0 Certificate-Bound Access Tokens to sent subsequent requests. The
following method can be used to authenticate for a token using OAuth2.0
Mutual-TLS client credentials:
OAuth2mTlsClientCredential
:
The following example shows the method usage with a session:
>>> from keystoneauth1 import session
>>> from keystone.identity import v3
>>> auth = v3.OAuth2mTlsClientCredential(
auth_url='http://keystone.host:5000/v3'
oauth2_endpoint='https://keystone.host/identity/v3/OS-OAUTH2/token'
oauth2_client_id='f96a2fec117141a6b5fbaa0485632244'
)
>>> sess = session.Session(auth=auth)
Tokenless Auth¶
A plugin for tokenless authentication also exists. It provides a means to authorize client operations within the Identity server by using an X.509 TLS client certificate without having to issue a token. We provide a tokenless authentication plugin at:
TokenlessAuth
It is mostly used by service clients for token validation and here is an example of how this plugin would be used in practice:
>>> from keystoneauth1 import session
>>> from keystoneauth1.identity import v3
>>> auth = v3.TokenlessAuth(auth_url='https://keystone:5000/v3',
... domain_name='my_service_domain')
>>> sess = session.Session(
... auth=auth,
... cert=('/opt/service_client.crt',
... '/opt/service_client.key'),
... verify='/opt/ca.crt')
Loading Plugins by Name¶
In auth_token middleware and for some service to service communication it is possible to specify a plugin to load via name. The authentication options that are available are then specific to the plugin that you specified. Currently the authentication plugins that are available in keystoneauth are:
http_basic:
keystoneauth1.http_basic.HTTPBasicAuth
none:
keystoneauth1.noauth.NoAuth
password:
keystoneauth1.identity.generic.Password
token:
keystoneauth1.identity.generic.Token
v2password:
keystoneauth1.identity.v2.Password
v2token:
keystoneauth1.identity.v2.Token
v3applicationcredential:
keystoneauth1.identity.v3.ApplicationCredential
v3password:
keystoneauth1.identity.v3.Password
v3token:
keystoneauth1.identity.v3.Token
v3fedkerb:
keystoneauth1.extras.kerberos.MappedKerberos
v3kerberos:
keystoneauth1.extras.kerberos.Kerberos
v3oauth1:
keystoneauth1.extras.oauth1.v3.OAuth1
v3oidcaccesstoken:
keystoneauth1.identity.v3:OpenIDConnectAccessToken
v3oidcauthcode:
keystoneauth1.identity.v3:OpenIDConnectAuthorizationCode
v3oidcdeviceauthz:
keystoneauth1.loading._plugins.identity.v3:OpenIDConnectDeviceAuthorization
v3oidcclientcredentials:
keystoneauth1.identity.v3:OpenIDConnectClientCredentials
v3oidcpassword:
keystoneauth1.identity.v3:OpenIDConnectPassword
v3samlpassword:
keystoneauth1.extras._saml2.v3.Password
v3tokenlessauth:
keystoneauth1.identity.v3.TokenlessAuth
v3totp:
keystoneauth1.identity.v3.TOTP
v3oauth2clientcredential:
keystoneauth1.identity.v3.OAuth2ClientCredential
v3oauth2mtlsclientcredential:
keystoneauth1.identity.v3.OAuth2mTlsClientCredential
Creating Authentication Plugins¶
Creating an Identity Plugin¶
If you have implemented a new authentication mechanism into the Identity service then you will be able to reuse a lot of the infrastructure available for the existing Identity mechanisms. As the V2 identity API is essentially frozen, it is expected that new plugins are for the V3 API.
To implement a new V3 plugin that can be combined with others you should
implement the base keystoneauth1.identity.v3.AuthMethod
class
and implement the
get_auth_data()
function.
If your Plugin cannot be used in conjunction with existing
keystoneauth1.identity.v3.AuthMethod
then you should just
override keystoneauth1.identity.v3.Auth
directly.
The new AuthMethod
should take all
the required parameters via
__init__()
and return from
get_auth_data()
a tuple
with the unique identifier of this plugin (e.g. password) and a dictionary
containing the payload of values to send to the authentication server. The
session, calling auth object and request headers are also passed to this
function so that the plugin may use or manipulate them.
You should also provide a class that inherits from
keystoneauth1.identity.v3.Auth
with an instance of your new
AuthMethod
as the auth_methods
parameter to keystoneauth1.identity.v3.Auth
.
By convention (and like above) these are named PluginType and
PluginTypeMethod (for example
Password
and
PasswordMethod
).
Creating a Custom Plugin¶
To implement an entirely new plugin you should implement the base class
keystoneauth1.plugin.BaseAuthPlugin
and provide the
get_endpoint()
,
get_token()
and
invalidate()
methods.
get_token()
is called to retrieve
the string token from a plugin. It is intended that a plugin will cache a
received token and so if the token is still valid then it should be re-used
rather than fetching a new one. A session object is provided with which the
plugin can contact it’s server. (Note: use authenticated=False when making
those requests or it will end up being called recursively). The return value
should be the token as a string.
get_endpoint()
is called to
determine a base URL for a particular service’s requests. The keyword arguments
provided to the function are those that are given by the endpoint_filter
variable in keystoneauth1.session.Session.request()
. A session object
is also provided so that the plugin may contact an external source to determine
the endpoint. Again this will be generally be called once per request and so
it is up to the plugin to cache these responses if appropriate. The return
value should be the base URL to communicate with.
invalidate()
should also be
implemented to clear the current user credentials so that on the next
get_token()
call a new token can
be retrieved.
The most simple example of a plugin is the
keystoneauth1.token_endpoint.Token
plugin.