token Package

controllers Module

class keystone.token.controllers.Auth(*args, **kwargs)

Bases: keystone.common.controller.V2Controller

authenticate(context, auth=None)

Authenticate credentials and return a token.

Accept auth as a dict that looks like:

{
    "auth":{
        "passwordCredentials":{
            "username":"test_user",
            "password":"mypass"
        },
        "tenantName":"customer-x"
    }
}

In this case the tenant is optional; if it is not provided, the token is considered "unscoped" and can later be exchanged for a scoped token.

Alternatively, this call accepts auth with only a token and tenant that will return a token that is scoped to that tenant.

ca_cert(context, auth=None)

delete_token(context, token_id)

Delete a token, effectively invalidating it for authz.

endpoints(context, token_id)

Return a list of endpoints available to the token.

classmethod format_endpoint_list(catalog_ref)

Format a list of endpoints according to Identity API v2.

The v2.0 API wants an endpoint list to look like:

{
    'endpoints': [
        {
            'id': $endpoint_id,
            'name': $SERVICE[name],
            'type': $SERVICE,
            'tenantId': $tenant_id,
            'region': $REGION,
        }
    ],
    'endpoints_links': [],
}
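The conversion that format_endpoint_list performs, as an added example that is not keystone's own code: it assumes the catalog_ref is a region -> service type -> endpoint URL map (a constructed sample is embedded) and flattens it into the v2 endpoint list shown above.

```python
"""Added example (not keystone's code): build the Identity API v2 endpoint
list from a catalog_ref. The catalog shape (region -> service type ->
endpoint fields) and the tenant_id parameter are assumptions."""

# Constructed sample catalog; ids and URLs are placeholders.
CATALOG_REF = {
    "RegionOne": {
        "identity": {
            "id": "ep-id-1",
            "name": "keystone",
            "publicURL": "https://keystone.example.test:5000/v2.0",
            "adminURL": "https://keystone.example.test:35357/v2.0",
        },
        "compute": {
            "id": "ep-id-2",
            "name": "nova",
            "publicURL": "https://nova.example.test:8774/v2",
        },
    },
}


def format_endpoint_list(catalog_ref, tenant_id=None):
    """Flatten region/service maps into the v2 'endpoints' document."""
    endpoints = []
    for region, services in sorted(catalog_ref.items()):
        for service_type, svc in sorted(services.items()):
            entry = {
                "id": svc.get("id"),
                "name": svc.get("name"),
                "type": service_type,
                "tenantId": tenant_id,
                "region": region,
            }
            # Carry over only the interface URLs the service actually defines;
            # a missing interface is left out rather than emitted as None.
            for key in ("publicURL", "internalURL", "adminURL"):
                if key in svc:
                    entry[key] = svc[key]
            endpoints.append(entry)
    return {"endpoints": endpoints, "endpoints_links": []}
```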
revocation_list(context, *args, **kwargs)

signing_cert(context, auth=None)

validate_token(context, *args, **kwargs)

Check that a token is valid.

Optionally, also ensure that it is owned by a specific tenant.

Returns metadata about the token along with any associated roles.

validate_token_head(context, *args, **kwargs)

Check that a token is valid.

Optionally, also ensure that it is owned by a specific tenant.

Identical to validate_token, except that it does not return a response body.

The code in keystone.common.wsgi.render_response will remove the content body.

exception keystone.token.controllers.ExternalAuthNotApplicable

Bases: exceptions.Exception

External authentication is not applicable.

core Module

Main entry point into the Token service.

class keystone.token.core.Driver(*args, **kwargs)

Bases: keystone.token.persistence.core.Driver

keystone.token.core.EXPIRATION_TIME()

class keystone.token.core.Manager(*args, **kwargs)

Bases: keystone.token.persistence.core.Manager

keystone.token.core.REVOCATION_CACHE_EXPIRATION_TIME()

keystone.token.core.default_expire_time(*args, **kwargs)

keystone.token.core.validate_auth_info(*args, **kwargs)

Validate user and tenant auth info.

Validate the user and tenant auth info to ensure that both the user and the tenant are valid and not disabled.

The checks are consolidated here to ensure consistency between token auth and EC2 auth.

Parameters:
  • user_ref – the authenticating user
  • tenant_ref – the scope of authorization, if any
Raises:Unauthorized – if any of the user, the user's domain, the tenant or the tenant's domain is disabled or otherwise invalid
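The consolidated checks described for validate_auth_info, as an added example (not keystone's own implementation): the nested "domain" dicts, the stand-in Unauthorized class and the deny-when-missing default are assumptions of this example.

```python
"""Added example (not keystone's code): the enabled checks that
keystone.token.core.validate_auth_info consolidates. user_ref/tenant_ref
carry a nested 'domain' dict here (assumption); Unauthorized is a stand-in."""


class Unauthorized(Exception):
    """Stand-in for keystone.exception.Unauthorized (assumption)."""


def _is_enabled(ref):
    # This example treats a missing 'enabled' key as disabled (deny by default).
    return bool(ref.get("enabled", False))


def validate_auth_info(user_ref, tenant_ref=None):
    """Raise Unauthorized if the user, the user's domain, the tenant or the
    tenant's domain is disabled. Returns None when every check passes."""
    if not _is_enabled(user_ref):
        raise Unauthorized("user disabled")
    if not _is_enabled(user_ref.get("domain", {})):
        raise Unauthorized("user's domain disabled")
    if tenant_ref is not None:  # unscoped auth: no tenant to check
        if not _is_enabled(tenant_ref):
            raise Unauthorized("tenant disabled")
        if not _is_enabled(tenant_ref.get("domain", {})):
            raise Unauthorized("tenant's domain disabled")


def auth_allowed(user_ref, tenant_ref=None):
    """True if validate_auth_info passes, False if it raises Unauthorized."""
    try:
        validate_auth_info(user_ref, tenant_ref)
    except Unauthorized:
        return False
    return True


# Constructed sample references.
ENABLED_DOMAIN = {"id": "default", "enabled": True}
DISABLED_DOMAIN = {"id": "retired", "enabled": False}
USER = {"id": "u1", "name": "test_user", "enabled": True, "domain": ENABLED_DOMAIN}
TENANT = {"id": "t1", "name": "customer-x", "enabled": True, "domain": ENABLED_DOMAIN}
TENANT_IN_DISABLED_DOMAIN = dict(TENANT, domain=DISABLED_DOMAIN)
```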

provider Module

Token provider interface.

keystone.token.provider.EXPIRATION_TIME()

class keystone.token.provider.Manager(*args, **kwargs)

Bases: keystone.common.manager.Manager

Default pivot point for the token provider backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

INVALIDATE_PROJECT_TOKEN_PERSISTENCE = 'invalidate_project_tokens'
INVALIDATE_USER_TOKEN_PERSISTENCE = 'invalidate_user_tokens'
V2 = 'v2.0'
V3 = 'v3.0'
VERSIONS = frozenset(['v3.0', 'v2.0'])

check_revocation(token)

check_revocation_v2(token)

check_revocation_v3(token)

check_v2_token(*args, **kwargs)

Check the validity of the given V2 token.

Parameters:
  • token_id – identity of the token
  • belongs_to – optional identity of the scoped project
Returns:None
Raises:keystone.exception.Unauthorized

check_v3_token(*args, **kwargs)

Check the validity of the given V3 token.

Parameters:token_id – identity of the token
Returns:None
Raises:keystone.exception.Unauthorized

classmethod get_token_provider()

Return package path to the configured token provider.

The value should come from keystone.conf [token] provider; however, this method preserves backwards compatibility with keystone.conf [signing] token_format until Havana + 2.

If provider is not set, return the provider derived from token_format. Otherwise, ignore token_format and return the configured provider.

invalidate_individual_token_cache(token_id)

issue_v2_token(token_ref, roles_ref=None, catalog_ref=None)

issue_v3_token(user_id, method_names, expires_at=None, project_id=None, domain_id=None, auth_context=None, trust=None, metadata_ref=None, include_catalog=True, parent_audit_id=None)

list_revoked_tokens()

revoke_token(token_id, revoke_chain=False)

unique_id(token_id)

Return a unique ID for a token.

The returned value is useful as the primary key of a database table, memcache store, or other lookup table.

Returns:Given a PKI token, returns its hashed value. Otherwise, returns the passed-in value (such as a UUID token ID or an existing hash).

validate_token(token_id, belongs_to=None)

validate_v2_token(token_id, belongs_to=None)

validate_v3_token(token_id)

class keystone.token.provider.Provider

Bases: object

Interface description for a Token provider.

get_token_version(token_data)

Return the version of the given token data.

If the given token data is unrecognizable, UnsupportedTokenVersionException is raised.

Parameters:token_data (dict) – token_data
Returns:token version string
Raises:keystone.token.provider.UnsupportedTokenVersionException

issue_v2_token(token_ref, roles_ref=None, catalog_ref=None)

Issue a V2 token.

Parameters:
  • token_ref (dict) – token data to generate token from
  • roles_ref (dict) – optional roles list
  • catalog_ref (dict) – optional catalog information
Returns:(token_id, token_data)

issue_v3_token(user_id, method_names, expires_at=None, project_id=None, domain_id=None, auth_context=None, trust=None, metadata_ref=None, include_catalog=True, parent_audit_id=None)

Issue a V3 Token.

Parameters:
  • user_id (string) – identity of the user
  • method_names (list) – names of authentication methods
  • expires_at (string) – optional time the token will expire
  • project_id (string) – optional project identity
  • domain_id (string) – optional domain identity
  • auth_context (dict) – optional context from the authorization plugins
  • trust (dict) – optional trust reference
  • metadata_ref (dict) – optional metadata reference
  • include_catalog (boolean) – optional, include the catalog in token data
  • parent_audit_id (string) – optional, the audit id of the parent token
Returns:(token_id, token_data)

validate_v2_token(token_ref)

Validate the given V2 token and return the token data.

Must raise Unauthorized exception if unable to validate token.

Parameters:token_ref (dict) – the token reference
Returns:token data
Raises:keystone.exception.TokenNotFound

validate_v3_token(token_ref)

Validate the given V3 token and return the token data.

Parameters:token_ref (dict) – the token reference
Returns:token data
Raises:keystone.exception.TokenNotFound

keystone.token.provider.audit_info(parent_audit_id)

Build the audit data for a token.

If parent_audit_id is None, the list will be one element in length containing a newly generated audit_id.

If parent_audit_id is supplied, the list will be two elements in length containing a newly generated audit_id and the parent_audit_id. The parent_audit_id will always be element index 1 in the resulting list.

Parameters:parent_audit_id (str) – the audit id of the original token in the chain
Returns:Keystone token audit data
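The audit-chain structure that audit_info describes, as an added example (not keystone's own code): a fresh token gets a one-element list and a token derived from another gets [own_id, parent_id]; the audit id format (URL-safe base64 of 16 random bytes), the chain id helper and the rescope model are assumptions.

```python
"""Added example (not keystone's code): audit ids as described for
keystone.token.provider.audit_info. Id format, audit_chain_id (last element)
and the rescope() model are assumptions of this example."""
import base64
import os


def random_audit_id():
    # 16 random bytes as URL-safe base64 without the '==' padding: 22 chars.
    return base64.urlsafe_b64encode(os.urandom(16)).rstrip(b"=").decode("ascii")


def audit_info(parent_audit_id=None):
    """Return [new_audit_id] or [new_audit_id, parent_audit_id]."""
    audit_id = random_audit_id()
    if parent_audit_id is None:
        return [audit_id]
    # The parent is always at index 1, so the list never grows past two
    # elements however many times a token is re-scoped.
    return [audit_id, parent_audit_id]


def audit_chain_id(audit_ids):
    """Id shared by every token in a chain (assumption: the last element)."""
    return audit_ids[-1]


def rescope(token_data):
    """Model of re-scoping: the new token chains to the original's chain id,
    so revoking the chain reaches every token derived from the original."""
    return {"audit_ids": audit_info(audit_chain_id(token_data["audit_ids"]))}


def same_chain(a, b):
    return audit_chain_id(a["audit_ids"]) == audit_chain_id(b["audit_ids"])


# Constructed sample chain: unscoped token -> scoped -> scoped again.
ROOT = {"audit_ids": audit_info()}
CHILD = rescope(ROOT)
GRANDCHILD = rescope(CHILD)
```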
keystone.token.provider.default_expire_time()

Determine when a fresh token should expire.

Expiration time varies based on configuration (see [token] expiration).

Returns:a naive UTC datetime.datetime object

routers Module

class keystone.token.routers.Router(mapper=None)

Bases: keystone.common.wsgi.ComposableRouter

add_routes(mapper)
