keystone.identity package

Submodules

keystone.identity.controllers module

Workflow Logic the Identity service.

class keystone.identity.controllers.DeprecatedMeta[source]

Bases: type

Metaclass that ensures that the correct methods on the deprecated classes are reported as deprecated on call.

static moved_to_assignment(class_name)[source]
class keystone.identity.controllers.DomainV3(*args, **kwargs)[source]

Bases: keystone.assignment.controllers.DomainV3

class keystone.identity.controllers.GroupV3[source]

Bases: keystone.common.controller.V3Controller

collection_name = 'groups'
create_group(context, *args, **kwargs)[source]
delete_group(context, *args, **kwargs)[source]
get_group(context, *args, **kwargs)[source]
list_groups(context, **kwargs)[source]
list_groups_for_user(context, **kwargs)[source]
member_name = 'group'
update_group(context, *args, **kwargs)[source]
class keystone.identity.controllers.ProjectV3(*args, **kwargs)[source]

Bases: keystone.assignment.controllers.ProjectV3

class keystone.identity.controllers.Role(*args, **kwargs)[source]

Bases: keystone.assignment.controllers.Role

class keystone.identity.controllers.RoleAssignmentV3(*args, **kwargs)[source]

Bases: keystone.assignment.controllers.RoleAssignmentV3

class keystone.identity.controllers.RoleV3(*args, **kwargs)[source]

Bases: keystone.assignment.controllers.RoleV3

class keystone.identity.controllers.Tenant(*args, **kwargs)[source]

Bases: keystone.assignment.controllers.Tenant

class keystone.identity.controllers.User(*args, **kwargs)[source]

Bases: keystone.common.controller.V2Controller

create_user(context, user)[source]
delete_user(context, user_id)[source]
get_user(context, user_id)[source]
get_user_by_name(context, user_name)[source]
get_users(context)[source]
set_user_enabled(context, user_id, user)[source]
set_user_password(context, user_id, user)[source]
update_user(context, user_id, user)[source]
class keystone.identity.controllers.UserV3[source]

Bases: keystone.common.controller.V3Controller

add_user_to_group(context, *args, **kwargs)[source]
change_password(context, *args, **kwargs)[source]
check_user_in_group(context, *args, **kwargs)[source]
collection_name = 'users'
create_user(context, *args, **kwargs)[source]
delete_user(context, *args, **kwargs)[source]
get_user(context, *args, **kwargs)[source]
list_users(context, **kwargs)[source]
list_users_in_group(context, **kwargs)[source]
member_name = 'user'
remove_user_from_group(context, *args, **kwargs)[source]
update_user(context, *args, **kwargs)[source]

keystone.identity.core module

Main entry point into the Identity service.

class keystone.identity.core.DomainConfigs[source]

Bases: dict

Discover, store and provide access to domain specific configs.

The setup_domain_drivers() call will be made via the wrapper from the first call to any driver function handled by this manager. This setup call it will scan the domain config directory for files of the form

keystone.<domain_name>.conf

For each file, the domain_name will be turned into a domain_id and then this class will:

  • Create a new config structure, adding in the specific additional options defined in this config file
  • Initialise a new instance of the required driver with this new config.
configured = False
driver = None
get_domain_conf(domain_id)[source]
get_domain_driver(domain_id)[source]
reload_domain_driver(assignment_api, domain_id)[source]
setup_domain_drivers(standard_driver, assignment_api)[source]
class keystone.identity.core.Driver[source]

Bases: object

Interface description for an Identity driver.

add_user_to_group(user_id, group_id)[source]

Adds a user to a group.

Raises:keystone.exception.UserNotFound, keystone.exception.GroupNotFound
authenticate(user_id, password)[source]

Authenticate a given user and password. :returns: user_ref :raises: AssertionError

check_user_in_group(user_id, group_id)[source]

Checks if a user is a member of a group.

Raises:keystone.exception.UserNotFound, keystone.exception.GroupNotFound
create_group(group_id, group)[source]

Creates a new group.

Raises:keystone.exception.Conflict
create_user(user_id, user)[source]

Creates a new user.

Raises:keystone.exception.Conflict
delete_group(group_id)[source]

Deletes an existing group.

Raises:keystone.exception.GroupNotFound
delete_user(user_id)[source]

Deletes an existing user.

Raises:keystone.exception.UserNotFound
get_group(group_id)[source]

Get a group by ID.

Returns:group_ref
Raises:keystone.exception.GroupNotFound
get_user(user_id)[source]

Get a user by ID.

Returns:user_ref
Raises:keystone.exception.UserNotFound
get_user_by_name(user_name, domain_id)[source]

Get a user by name.

Returns:user_ref
Raises:keystone.exception.UserNotFound
is_domain_aware()[source]

Indicates if Driver supports domains.

list_groups(hints)[source]

List groups in the system.

Parameters:hints – filter hints which the driver should implement if at all possible.
Returns:a list of group_refs or an empty list.
list_groups_for_user(user_id, hints)[source]

List groups a user is in

Parameters:
  • user_id – the user in question
  • hints – filter hints which the driver should implement if at all possible.
Returns:

a list of group_refs or an empty list.

list_users(hints)[source]

List users in the system.

Parameters:hints – filter hints which the driver should implement if at all possible.
Returns:a list of user_refs or an empty list.
list_users_in_group(group_id, hints)[source]

List users in a group.

Parameters:
  • group_id – the group in question
  • hints – filter hints which the driver should implement if at all possible.
Returns:

a list of user_refs or an empty list.

remove_user_from_group(user_id, group_id)[source]

Removes a user from a group.

Raises:keystone.exception.NotFound
update_group(group_id, group)[source]

Updates an existing group.

Raises:keystone.exceptionGroupNotFound, keystone.exception.Conflict
update_user(user_id, user)[source]

Updates an existing user.

Raises:keystone.exception.UserNotFound, keystone.exception.Conflict
class keystone.identity.core.Manager(*args, **kwargs)[source]

Bases: keystone.common.manager.Manager

Default pivot point for the Identity backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

This class also handles the support of domain specific backends, by using the DomainConfigs class. The setup call for DomainConfigs is called from with the @domains_configured wrapper in a lazy loading fashion to get around the fact that we can’t satisfy the assignment api it needs from within our __init__() function since the assignment driver is not itself yet initialized.

Each of the identity calls are pre-processed here to choose, based on domain, which of the drivers should be called. The non-domain-specific driver is still in place, and is used if there is no specific driver for the domain in question.

add_role_to_user_and_project(*args, **kwargs)[source]
add_user_to_group(*args, **kwargs)[source]
add_user_to_project(*args, **kwargs)[source]
authenticate(wrapped_self, context, user_id, *args, **kwargs)[source]

Always send a notification.

change_password(*args, **kwargs)[source]
check_user_in_group(*args, **kwargs)[source]
create_domain(*args, **kwargs)[source]
create_grant(*args, **kwargs)[source]
create_group(*args, **kwargs)[source]

Send a notification if the wrapped callable is successful.

create_role(*args, **kwargs)[source]
create_user(*args, **kwargs)[source]

Send a notification if the wrapped callable is successful.

delete_domain(*args, **kwargs)[source]
delete_grant(*args, **kwargs)[source]
delete_group(*args, **kwargs)[source]

Send a notification if the wrapped callable is successful.

delete_role(*args, **kwargs)[source]
delete_user(*args, **kwargs)[source]

Send a notification if the wrapped callable is successful.

get_domain(*args, **kwargs)[source]
get_domain_by_name(*args, **kwargs)[source]
get_grant(*args, **kwargs)[source]
get_group(*args, **kwargs)[source]
get_project(*args, **kwargs)[source]
get_project_users(*args, **kwargs)[source]
get_role(*args, **kwargs)[source]
get_roles_for_user_and_domain(*args, **kwargs)[source]
get_roles_for_user_and_project(*args, **kwargs)[source]
get_user(*args, **kwargs)[source]
get_user_by_name(*args, **kwargs)[source]
list_domains(*args, **kwargs)[source]
list_grants(*args, **kwargs)[source]
list_groups(*args, **kwargs)[source]
list_groups_for_user(*args, **kwargs)[source]
list_projects(*args, **kwargs)[source]
list_projects_for_user(*args, **kwargs)[source]
list_roles(*args, **kwargs)[source]
list_users(*args, **kwargs)[source]
list_users_in_group(*args, **kwargs)[source]
remove_role_from_user_and_project(*args, **kwargs)[source]
remove_user_from_group(*args, **kwargs)[source]
remove_user_from_project(*args, **kwargs)[source]
revoke_tokens_for_group(group_id, domain_scope)[source]
update_domain(*args, **kwargs)[source]
update_group(*args, **kwargs)[source]

Send a notification if the wrapped callable is successful.

update_role(*args, **kwargs)[source]
update_user(*args, **kwargs)[source]

Send a notification if the wrapped callable is successful.

keystone.identity.core.domains_configured(f)[source]

Wraps API calls to lazy load domain configs after init.

This is required since the assignment manager needs to be initialized before this manager, and yet this manager’s init wants to be able to make assignment calls (to build the domain configs). So instead, we check if the domains have been initialized on entry to each call, and if requires load them,

keystone.identity.core.filter_user(user_ref)[source]

Filter out private items in a user dict.

‘password’, ‘tenants’ and ‘groups’ are never returned.

Returns:user_ref
keystone.identity.core.moved_to_assignment(f)[source]

keystone.identity.routers module

WSGI Routers for the Identity service.

class keystone.identity.routers.Admin(mapper=None)[source]

Bases: keystone.common.wsgi.ComposableRouter

add_routes(mapper)[source]
keystone.identity.routers.append_v3_routers(mapper, routers)[source]

Module contents