keystone.contrib.federation package

Submodules

keystone.contrib.federation.controllers module

Extensions supporting Federation.

class keystone.contrib.federation.controllers.Auth(*args, **kw)

Bases: keystone.auth.controllers.Auth

federated_authentication(context, identity_provider, protocol)

Authenticate from the dedicated URL endpoint.

Build the HTTP request body for federated authentication and inject it into the authenticate_for_token function.

class keystone.contrib.federation.controllers.DomainV3

Bases: keystone.common.controller.V3Controller

collection_name = 'domains'
list_domains_for_groups(context, *args, **kwargs)

List all domains available to an authenticated user’s groups.

Parameters: context – request context
Returns: list of accessible domains
member_name = 'domain'
class keystone.contrib.federation.controllers.FederationProtocol(*args, **kwargs)

Bases: keystone.contrib.federation.controllers._ControllerBase

A federation protocol representation.

See the IdentityProvider docstring for an explanation of the _mutable_parameters and _public_parameters class attributes.

collection_name = 'protocols'
create_protocol(context, *args, **kwargs)
delete_protocol(context, *args, **kwargs)
get_protocol(context, *args, **kwargs)
list_protocols(context, *args, **kwargs)
member_name = 'protocol'
update_protocol(context, *args, **kwargs)
classmethod wrap_member(context, ref)
class keystone.contrib.federation.controllers.IdentityProvider(*args, **kwargs)

Bases: keystone.contrib.federation.controllers._ControllerBase

Identity Provider representation.

collection_name = 'identity_providers'
create_identity_provider(context, *args, **kwargs)
delete_identity_provider(context, *args, **kwargs)
get_identity_provider(context, *args, **kwargs)
list_identity_providers(context, *args, **kwargs)
member_name = 'identity_provider'
update_identity_provider(context, *args, **kwargs)
classmethod wrap_member(context, ref)
class keystone.contrib.federation.controllers.MappingController(*args, **kwargs)

Bases: keystone.contrib.federation.controllers._ControllerBase

collection_name = 'mappings'
create_mapping(context, *args, **kwargs)
delete_mapping(context, *args, **kwargs)
get_mapping(context, *args, **kwargs)
list_mappings(context, *args, **kwargs)
member_name = 'mapping'
update_mapping(context, *args, **kwargs)
class keystone.contrib.federation.controllers.ProjectV3

Bases: keystone.common.controller.V3Controller

collection_name = 'projects'
list_projects_for_groups(context, *args, **kwargs)

List all projects available to an authenticated user’s groups.

Parameters: context – request context
Returns: list of accessible projects
member_name = 'project'

keystone.contrib.federation.core module

Extension supporting Federation.

class keystone.contrib.federation.core.Driver

Bases: object

create_idp(idp_id, idp)

Create an identity provider.

Returns: idp_ref
create_mapping(mapping_ref)

Create a mapping.

Parameters: mapping_ref (dict) – mapping ref with mapping name
Returns: mapping_ref
create_protocol(idp_id, protocol_id, protocol)

Add an IdP-Protocol configuration.

Raises: keystone.exception.IdentityProviderNotFound
delete_idp(idp_id)

Delete an identity provider.

Raises: keystone.exception.IdentityProviderNotFound
delete_mapping(mapping_id)

Delete a mapping.

Parameters: mapping_id – id of mapping to delete
Returns: None
delete_protocol(idp_id, protocol_id)

Delete an IdP-Protocol configuration.

Raises: keystone.exception.IdentityProviderNotFound, keystone.exception.FederatedProtocolNotFound
get_idp(idp_id)

Get an identity provider by ID.

Raises: keystone.exception.IdentityProviderNotFound
get_mapping(mapping_id)

Get a mapping; returns the mapping matching mapping_id.

Parameters: mapping_id – id of mapping to get
Returns: mapping_ref
get_mapping_from_idp_and_protocol(idp_id, protocol_id)

Get the mapping based on idp_id and protocol_id.

Parameters:
  • idp_id (string) – id of the identity provider
  • protocol_id (string) – id of the protocol
Raises: keystone.exception.IdentityProviderNotFound, keystone.exception.FederatedProtocolNotFound
Returns: mapping_ref
get_protocol(idp_id, protocol_id)

Get an IdP-Protocol configuration.

Raises: keystone.exception.IdentityProviderNotFound, keystone.exception.FederatedProtocolNotFound
list_idps()

List all identity providers.

Raises: keystone.exception.IdentityProviderNotFound
list_mappings()

List all mappings.

Returns: list of mappings
list_protocols(idp_id)

List an IdP’s supported protocols.

Raises: keystone.exception.IdentityProviderNotFound
update_idp(idp_id, idp)

Update an identity provider by ID.

Raises: keystone.exception.IdentityProviderNotFound
update_mapping(mapping_id, mapping_ref)

Update a mapping.

Parameters:
  • mapping_id (string) – id of mapping to update
  • mapping_ref (dict) – new mapping ref
Returns: mapping_ref
update_protocol(idp_id, protocol_id, protocol)

Change an IdP-Protocol configuration.

Raises: keystone.exception.IdentityProviderNotFound, keystone.exception.FederatedProtocolNotFound
class keystone.contrib.federation.core.Manager(*args, **kwargs)

Bases: keystone.common.manager.Manager

Default pivot point for the Federation backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

keystone.contrib.federation.routers module

class keystone.contrib.federation.routers.FederationExtension(application, mapper=None)

Bases: keystone.common.wsgi.ExtensionRouter

API Endpoints for the Federation extension.

The API looks like:

PUT /OS-FEDERATION/identity_providers/$identity_provider
GET /OS-FEDERATION/identity_providers
GET /OS-FEDERATION/identity_providers/$identity_provider
DELETE /OS-FEDERATION/identity_providers/$identity_provider
PATCH /OS-FEDERATION/identity_providers/$identity_provider

PUT /OS-FEDERATION/identity_providers/$identity_provider/protocols/$protocol
GET /OS-FEDERATION/identity_providers/$identity_provider/protocols
GET /OS-FEDERATION/identity_providers/$identity_provider/protocols/$protocol
PATCH /OS-FEDERATION/identity_providers/$identity_provider/protocols/$protocol
DELETE /OS-FEDERATION/identity_providers/$identity_provider/protocols/$protocol

PUT /OS-FEDERATION/mappings
GET /OS-FEDERATION/mappings
PATCH /OS-FEDERATION/mappings/$mapping_id
GET /OS-FEDERATION/mappings/$mapping_id
DELETE /OS-FEDERATION/mappings/$mapping_id

GET /OS-FEDERATION/projects
GET /OS-FEDERATION/domains

GET /OS-FEDERATION/identity_providers/$identity_provider/protocols/$protocol/auth
POST /OS-FEDERATION/identity_providers/$identity_provider/protocols/$protocol/auth
add_routes(mapper)

keystone.contrib.federation.utils module

Utilities for Federation Extension.

class keystone.contrib.federation.utils.RuleProcessor(rules)

Bases: object

A class to process assertions and mapping rules.

process(assertion_data)

Transform an assertion into a dictionary of user name and group ids based on the mapping rules.

This function iterates through the mapping rules to find those that the assertion satisfies.

Parameters: assertion_data (dict) – an assertion containing values from an IdP

Example assertion_data:

{
    'Email': 'testacct@example.com',
    'UserName': 'testacct',
    'FirstName': 'Test',
    'LastName': 'Account',
    'orgPersonType': 'Tester'
}
Returns: dictionary with user and group_ids

The expected return structure is:

{
    'name': 'foobar',
    'group_ids': ['abc123', 'def456']
}
keystone.contrib.federation.utils.validate_mapping_structure(ref)
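The rule evaluation that process describes, as an added example that is not keystone's own code: a simplified processor over a rules/local/remote mapping layout (assumed here, with a constructed mapping and placeholder group ids) run on the sample assertion above, showing that a rule grants nothing unless every one of its remote conditions holds.

```python
# Added illustration (not keystone's own code) of the mapping logic that
# RuleProcessor.process describes: evaluate Keystone-style mapping rules
# against an IdP assertion and build {'name': ..., 'group_ids': [...]}.
# Assumed rule layout: "remote" conditions (attribute "type" plus optional
# "any_one_of" / "not_any_of" lists) and "local" outputs, where "{N}" in a
# user name is filled with the value of the rule's N-th remote attribute.

# Constructed mapping for this example; the group ids are placeholders.
MAPPING = {
    "rules": [
        {   # Testers and Developers: user named after UserName, group abc123
            "local": [{"user": {"name": "{0}"}}, {"group": {"id": "abc123"}}],
            "remote": [{"type": "UserName"},
                       {"type": "orgPersonType",
                        "any_one_of": ["Tester", "Developer"]}],
        },
        {   # everyone except Guests also lands in group def456
            "local": [{"group": {"id": "def456"}}],
            "remote": [{"type": "orgPersonType", "not_any_of": ["Guest"]}],
        },
    ]
}

def _condition_holds(cond, assertion):
    """One remote condition; an attribute missing from the assertion never matches."""
    value = assertion.get(cond["type"])
    if value is None:
        return False
    if "any_one_of" in cond:
        return value in cond["any_one_of"]      # allow-list on IdP-supplied value
    if "not_any_of" in cond:
        return value not in cond["not_any_of"]  # deny-list on IdP-supplied value
    return True  # presence-only condition, used to capture a {N} value

def process(mapping, assertion_data):
    """Return the structure RuleProcessor.process documents."""
    name, group_ids = None, []
    for rule in mapping["rules"]:
        remote = rule["remote"]
        # Every remote condition must hold, otherwise the rule grants nothing.
        if not all(_condition_holds(c, assertion_data) for c in remote):
            continue
        captured = [assertion_data[c["type"]] for c in remote]
        for local in rule["local"]:
            if "user" in local:
                name = local["user"]["name"].format(*captured)
            if "group" in local:
                group_ids.append(local["group"]["id"])
    return {"name": name, "group_ids": group_ids}
```

With the sample assertion this yields name 'testacct' and both group ids; an assertion with orgPersonType 'Guest' yields no user name and no groups.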

Module contents