keystone.token package

Submodules

keystone.token.controllers module

class keystone.token.controllers.Auth(*args, **kwargs)[source]

Bases: keystone.common.controller.V2Controller

authenticate(context, auth=None)[source]

Authenticate credentials and return a token.

Accept auth as a dict that looks like:

{
    "auth":{
        "passwordCredentials":{
            "username":"test_user",
            "password":"mypass"
        },
        "tenantName":"customer-x"
    }
}

In this case, tenant is optional, if not provided the token will be considered “unscoped” and can later be used to get a scoped token.

Alternatively, this call accepts auth with only a token and tenant that will return a token that is scoped to that tenant.

ca_cert(context, auth=None)[source]
delete_token(context, token_id)[source]

Delete a token, effectively invalidating it for authz.

endpoints(context, token_id)[source]

Return a list of endpoints available to the token.

classmethod format_endpoint_list(catalog_ref)[source]

Formats a list of endpoints according to Identity API v2.

The v2.0 API wants an endpoint list to look like:

{
    'endpoints': [
        {
            'id': $endpoint_id,
            'name': $SERVICE[name],
            'type': $SERVICE,
            'tenantId': $tenant_id,
            'region': $REGION,
        }
    ],
    'endpoints_links': [],
}
revocation_list(context, *args, **kwargs)[source]
signing_cert(context, auth=None)[source]
validate_token(context, *args, **kwargs)[source]

Check that a token is valid.

Optionally, also ensure that it is owned by a specific tenant.

Returns metadata about the token along any associated roles.

validate_token_head(context, *args, **kwargs)[source]

Check that a token is valid.

Optionally, also ensure that it is owned by a specific tenant.

Identical to validate_token, except does not return a response.

The code in keystone.common.wsgi.render_response will remove the content body.

exception keystone.token.controllers.ExternalAuthNotApplicable[source]

Bases: exceptions.Exception

External authentication is not applicable.

keystone.token.core module

Main entry point into the Token service.

class keystone.token.core.Driver[source]

Bases: object

Interface description for a Token driver.

create_token(token_id, data)[source]

Create a token by id and data.

Parameters:
  • token_id (string) – identity of the token
  • data – dictionary with additional reference information
{
    expires=''
    id=token_id,
    user=user_ref,
    tenant=tenant_ref,
    metadata=metadata_ref
}
Returns:token_ref or None.
delete_token(token_id)[source]

Deletes a token by id.

Parameters:token_id (string) – identity of the token
Returns:None.
Raises:keystone.exception.TokenNotFound
delete_tokens(user_id, tenant_id=None, trust_id=None, consumer_id=None)[source]

Deletes tokens by user.

If the tenant_id is not None, only delete the tokens by user id under the specified tenant.

If the trust_id is not None, it will be used to query tokens and the user_id will be ignored.

If the consumer_id is not None, only delete the tokens by consumer id that match the specified consumer id.

Parameters:
  • user_id (string) – identity of user
  • tenant_id (string) – identity of the tenant
  • trust_id (string) – identity of the trust
  • consumer_id (string) – identity of the consumer
Returns:

None.

Raises:

keystone.exception.TokenNotFound

flush_expired_tokens()[source]

Archive or delete tokens that have expired.

get_token(token_id)[source]

Get a token by id.

Parameters:token_id (string) – identity of the token
Returns:token_ref
Raises:keystone.exception.TokenNotFound
list_revoked_tokens()[source]

Returns a list of all revoked tokens

Returns:list of token_id’s
keystone.token.core.EXPIRATION_TIME()
class keystone.token.core.Manager(*args, **kwargs)[source]

Bases: keystone.common.manager.Manager

Default pivot point for the Token backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

create_token(token_id, data)[source]
delete_token(token_id)[source]
delete_tokens(user_id, tenant_id=None, trust_id=None, consumer_id=None)[source]
delete_tokens_for_domain(domain_id)[source]

Delete all tokens for a given domain.

delete_tokens_for_user(user_id, project_id=None)[source]

Delete all tokens for a given user or user-project combination.

This method adds in the extra logic for handling trust-scoped token revocations in a single call instead of needing to explicitly handle trusts in the caller’s logic.

delete_tokens_for_users(user_ids, project_id=None)[source]

Delete all tokens for a list of user_ids.

Parameters:
  • user_ids – list of user identifiers
  • project_id – optional project identifier
get_token(token_id)[source]
invalidate_revocation_list()[source]
list_revoked_tokens(*arg, **kw)[source]
list_tokens(*args, **kwargs)[source]

Returns a list of current token_id’s for a user

This is effectively a private method only used by the delete_tokens method and should not be called by anything outside of the token_api manager or the token driver itself.

Parameters:
  • user_id (string) – identity of the user
  • tenant_id (string) – identity of the tenant
  • trust_id (string) – identity of the trust
  • consumer_id (string) – identity of the consumer
Returns:

list of token_id’s

unique_id(token_id)[source]

Return a unique ID for a token.

The returned value is useful as the primary key of a database table, memcache store, or other lookup table.

Returns:Given a PKI token, returns it’s hashed value. Otherwise, returns the passed-in value (such as a UUID token ID or an existing hash).
keystone.token.core.REVOCATION_CACHE_EXPIRATION_TIME()
keystone.token.core.default_expire_time()[source]

Determine when a fresh token should expire.

Expiration time varies based on configuration (see [token] expiration).

Returns:a naive UTC datetime.datetime object
keystone.token.core.validate_auth_info(self, user_ref, tenant_ref)[source]

Validate user and tenant auth info.

Validate the user and tenant auth info in order to ensure that user and tenant information is valid and not disabled.

Consolidate the checks here to ensure consistency between token auth and ec2 auth.

Params user_ref:
 the authenticating user
Params tenant_ref:
 the scope of authorization, if any
Raises Unauthorized:
 if any of the user, user’s domain, tenant or tenant’s domain are either disabled or otherwise invalid

keystone.token.provider module

Token provider interface.

keystone.token.provider.EXPIRATION_TIME()
class keystone.token.provider.Manager(*args, **kwargs)[source]

Bases: keystone.common.manager.Manager

Default pivot point for the token provider backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

check_revocation(token)[source]
check_revocation_v2(token)[source]
check_revocation_v3(token)[source]
check_v2_token(token_id, belongs_to=None)[source]

Check the validity of the given V2 token.

Parameters:
  • token_id – identity of the token
  • belongs_to – optional identity of the scoped project
Returns:

None

Raises:

keystone.exception.Unauthorized

check_v3_token(token_id)[source]

Check the validity of the given V3 token.

Parameters:token_id – identity of the token
Returns:None
Raises:keystone.exception.Unauthorized
classmethod get_token_provider()[source]

Return package path to the configured token provider.

The value should come from keystone.conf [token] provider, however this method ensures backwards compatibility for keystone.conf [signing] token_format until Havana + 2.

Return the provider based on token_format if provider is not set. Otherwise, ignore token_format and return the configured provider instead.

invalidate_individual_token_cache(token_id)[source]
validate_token(token_id, belongs_to=None)[source]
validate_v2_token(token_id, belongs_to=None)[source]
validate_v3_token(token_id)[source]
class keystone.token.provider.Provider[source]

Bases: object

Interface description for a Token provider.

get_token_version(token_data)[source]

Return the version of the given token data.

If the given token data is unrecognizable, UnsupportedTokenVersionException is raised.

Parameters:token_data (dict) – token_data
Returns:token version string
Raises:keystone.token.provider.UnsupportedTokenVersionException
issue_v2_token(token_ref, roles_ref=None, catalog_ref=None)[source]

Issue a V2 token.

Parameters:
  • token_ref (dict) – token data to generate token from
  • roles_ref (dict) – optional roles list
  • catalog_ref (dict) – optional catalog information
Returns:

(token_id, token_data)

issue_v3_token(user_id, method_names, expires_at=None, project_id=None, domain_id=None, auth_context=None, metadata_ref=None, include_catalog=True)[source]

Issue a V3 Token.

Parameters:
  • user_id (string) – identity of the user
  • method_names (list) – names of authentication methods
  • expires_at (string) – optional time the token will expire
  • project_id (string) – optional project identity
  • domain_id (string) – optional domain identity
  • auth_context (dict) – optional context from the authorization plugins
  • metadata_ref (dict) – optional metadata reference
  • include_catalog (boolean) – optional, include the catalog in token data
Returns:

(token_id, token_data)

revoke_token(token_id)[source]

Revoke a given token.

Parameters:token_id (string) – identity of the token
Returns:None.
validate_token(token_id)[source]

Detect token version and validate token and return the token data.

Must raise Unauthorized exception if unable to validate token.

Parameters:token_id (string) – identity of the token
Returns:token_data
Raises:keystone.exception.TokenNotFound
validate_v2_token(token_id)[source]

Validate the given V2 token and return the token data.

Must raise Unauthorized exception if unable to validate token.

Parameters:token_id (string) – identity of the token
Returns:token data
Raises:keystone.exception.TokenNotFound
validate_v3_token(token_id)[source]

Validate the given V3 token and return the token_data.

Parameters:token_id (string) – identity of the token
Returns:token data
Raises:keystone.exception.TokenNotFound
exception keystone.token.provider.UnsupportedTokenVersionException[source]

Bases: exceptions.Exception

Token version is unrecognizable or unsupported.

keystone.token.routers module

class keystone.token.routers.Router(mapper=None)[source]

Bases: keystone.common.wsgi.ComposableRouter

add_routes(mapper)[source]

Module contents