keystone.federation package
Subpackages
Submodules
keystone.federation.constants module
keystone.federation.controllers module
Workflow logic for the Federation service.
class keystone.federation.controllers.Auth(*args, **kw)
    Bases: keystone.auth.controllers.Auth

    create_ecp_assertion(*args, **kwargs)
        Exchange a scoped token for an ECP assertion.
        Parameters: auth – Dictionary that contains a token and service provider ID
        Returns: ECP Assertion based on properties from the token

    create_saml_assertion(*args, **kwargs)
        Exchange a scoped token for a SAML assertion.
        Parameters: auth – Dictionary that contains a token and service provider ID
        Returns: SAML Assertion based on properties from the token
class keystone.federation.controllers.DomainV3
    Bases: keystone.common.controller.V3Controller

    collection_name = 'domains'

    list_domains_for_groups(context, *args, **kwargs)
        List all domains available to an authenticated user’s groups.
        Parameters: context – request context
        Returns: list of accessible domains

    member_name = 'domain'
class keystone.federation.controllers.FederationProtocol(*args, **kwargs)
    Bases: keystone.federation.controllers._ControllerBase

    A federation protocol representation.
    See the keystone.common.controller.V3Controller docstring for an explanation of the _public_parameters class attributes.

    collection_name = 'protocols'

    member_name = 'protocol'
class keystone.federation.controllers.IdentityProvider(*args, **kwargs)
    Bases: keystone.federation.controllers._ControllerBase

    Identity Provider representation.

    collection_name = 'identity_providers'

    member_name = 'identity_provider'
class keystone.federation.controllers.MappingController(*args, **kwargs)
    Bases: keystone.federation.controllers._ControllerBase

    collection_name = 'mappings'

    member_name = 'mapping'
class keystone.federation.controllers.ProjectAssignmentV3
    Bases: keystone.common.controller.V3Controller

    collection_name = 'projects'

    list_projects_for_groups(context, *args, **kwargs)
        List all projects available to an authenticated user’s groups.
        Parameters: context – request context
        Returns: list of accessible projects

    member_name = 'project'
class keystone.federation.controllers.SAMLMetadataV3(*args, **kwargs)
    Bases: keystone.federation.controllers._ControllerBase

    member_name = 'metadata'
keystone.federation.core module
Main entry point into the Federation service.
class keystone.federation.core.FederationDriverBase
    Bases: object

    create_idp(idp_id, idp)
        Create an identity provider.
        Parameters:
            - idp_id (string) – ID of IdP object
            - idp (dict) – idp object
        Returns: idp ref
        Return type: dict

    create_mapping(mapping_id, mapping)
        Create a mapping.
        Parameters:
            - mapping_id (string) – ID of mapping object
            - mapping (dict) – mapping ref with mapping name
        Returns: mapping ref
        Return type: dict

    create_protocol(idp_id, protocol_id, protocol)
        Add an IdP-Protocol configuration.
        Parameters:
            - idp_id (string) – ID of IdP object
            - protocol_id (string) – ID of protocol object
            - protocol (dict) – protocol object
        Raises: keystone.exception.IdentityProviderNotFound – If the IdP doesn’t exist.
        Returns: protocol ref
        Return type: dict

    create_sp(sp_id, sp)
        Create a service provider.
        Parameters:
            - sp_id (string) – id of the service provider
            - sp (dict) – service provider object
        Returns: service provider ref
        Return type: dict

    delete_idp(idp_id)
        Delete an identity provider.
        Parameters: idp_id (string) – ID of IdP object
        Raises: keystone.exception.IdentityProviderNotFound – If the IdP doesn’t exist.

    delete_mapping(mapping_id)
        Delete a mapping.
        Parameters: mapping_id – id of mapping to delete
        Returns: None

    delete_protocol(idp_id, protocol_id)
        Delete an IdP-Protocol configuration.
        Parameters:
            - idp_id (string) – ID of IdP object
            - protocol_id (string) – ID of protocol object
        Raises:
            - keystone.exception.IdentityProviderNotFound – If the IdP doesn’t exist.
            - keystone.exception.FederatedProtocolNotFound – If the federated protocol cannot be found.

    delete_sp(sp_id)
        Delete a service provider.
        Parameters: sp_id (string) – id of the service provider
        Raises: keystone.exception.ServiceProviderNotFound – If the service provider doesn’t exist.

    get_enabled_service_providers()
        List enabled service providers for the Service Catalog.
        A Service Provider entry in the catalog contains three attributes: id, auth_url and sp_url, where:
            - id is a unique, user defined identifier for the service provider object
            - auth_url is the authentication URL of the remote Keystone
            - sp_url is a URL accessible at the remote service provider where the SAML assertion is transmitted.
        Returns: list of dictionaries with enabled service providers
        Return type: list of dicts

    get_idp(idp_id)
        Get an identity provider by ID.
        Parameters: idp_id (string) – ID of IdP object
        Raises: keystone.exception.IdentityProviderNotFound – If the IdP doesn’t exist.
        Returns: idp ref
        Return type: dict

    get_idp_from_remote_id(remote_id)
        Get an identity provider by remote ID.
        Parameters: remote_id – ID of remote IdP
        Raises: keystone.exception.IdentityProviderNotFound – If the IdP doesn’t exist.
        Returns: idp ref
        Return type: dict

    get_mapping(mapping_id)
        Get a mapping; returns the mapping based on mapping_id.
        Parameters: mapping_id – id of mapping to get
        Raises: keystone.exception.MappingNotFound – If the mapping cannot be found.
        Returns: mapping ref
        Return type: dict

    get_mapping_from_idp_and_protocol(idp_id, protocol_id)
        Get mapping based on idp_id and protocol_id.
        Parameters:
            - idp_id (string) – id of the identity provider
            - protocol_id (string) – id of the protocol
        Raises:
            - keystone.exception.IdentityProviderNotFound – If the IdP doesn’t exist.
            - keystone.exception.FederatedProtocolNotFound – If the federated protocol cannot be found.
        Returns: mapping ref
        Return type: dict

    get_protocol(idp_id, protocol_id)
        Get an IdP-Protocol configuration.
        Parameters:
            - idp_id (string) – ID of IdP object
            - protocol_id (string) – ID of protocol object
        Raises:
            - keystone.exception.IdentityProviderNotFound – If the IdP doesn’t exist.
            - keystone.exception.FederatedProtocolNotFound – If the federated protocol cannot be found.
        Returns: protocol ref
        Return type: dict

    get_sp(sp_id)
        Get a service provider.
        Parameters: sp_id (string) – id of the service provider
        Returns: service provider ref
        Return type: dict
        Raises: keystone.exception.ServiceProviderNotFound – If the service provider doesn’t exist.

    list_protocols(idp_id)
        List an IdP’s supported protocols.
        Parameters: idp_id (string) – ID of IdP object
        Raises: keystone.exception.IdentityProviderNotFound – If the IdP doesn’t exist.
        Returns: list of protocol refs
        Return type: list of dict

    update_idp(idp_id, idp)
        Update an identity provider by ID.
        Parameters:
            - idp_id (string) – ID of IdP object
            - idp (dict) – idp object
        Raises: keystone.exception.IdentityProviderNotFound – If the IdP doesn’t exist.
        Returns: idp ref
        Return type: dict

    update_mapping(mapping_id, mapping_ref)
        Update a mapping.
        Parameters:
            - mapping_id (string) – id of mapping to update
            - mapping_ref (dict) – new mapping ref
        Returns: mapping ref
        Return type: dict

    update_protocol(idp_id, protocol_id, protocol)
        Change an IdP-Protocol configuration.
        Parameters:
            - idp_id (string) – ID of IdP object
            - protocol_id (string) – ID of protocol object
            - protocol (dict) – protocol object
        Raises:
            - keystone.exception.IdentityProviderNotFound – If the IdP doesn’t exist.
            - keystone.exception.FederatedProtocolNotFound – If the federated protocol cannot be found.
        Returns: protocol ref
        Return type: dict

    update_sp(sp_id, sp)
        Update a service provider.
        Parameters:
            - sp_id (string) – id of the service provider
            - sp (dict) – service provider object
        Returns: service provider ref
        Return type: dict
        Raises: keystone.exception.ServiceProviderNotFound – If the service provider doesn’t exist.
class keystone.federation.core.FederationDriverV8
    Bases: keystone.federation.core.FederationDriverBase

    Removed or redefined methods from V8.
    Move the abstract methods of any methods removed or modified in later versions of the driver from FederationDriverBase to here. We maintain this so that legacy drivers, which will be a subclass of FederationDriverV8, can still reference them.

    list_idps()
        List all identity providers.
        Returns: list of idp refs
        Return type: list of dicts
        Raises: keystone.exception.IdentityProviderNotFound – If the IdP doesn’t exist.
class keystone.federation.core.FederationDriverV9
    Bases: keystone.federation.core.FederationDriverBase

    New or redefined methods from V8.
    Add any new V9 abstract methods (or those with modified signatures) to this class.

    list_idps(hints)
        List all identity providers.
        Parameters: hints – filter hints which the driver should implement if at all possible.
        Returns: list of idp refs
        Return type: list of dicts
        Raises: keystone.exception.IdentityProviderNotFound – If the IdP doesn’t exist.

    list_sps(hints)
        List all service providers.
        Parameters: hints – filter hints which the driver should implement if at all possible.
        Returns: List of service provider ref objects
        Return type: list of dicts
        Raises: keystone.exception.ServiceProviderNotFound – If the SP doesn’t exist.
class keystone.federation.core.Manager(*args, **kwargs)
    Bases: keystone.common.manager.Manager

    Default pivot point for the Federation backend.
    See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

    driver_namespace = 'keystone.federation'

    get_enabled_service_providers(*args, **kwargs)
        List enabled service providers for the Service Catalog.
        A Service Provider entry in the catalog contains three attributes: id, auth_url and sp_url, where:
            - id is a unique, user defined identifier for the service provider object
            - auth_url is the authentication URL of the remote Keystone
            - sp_url is a URL accessible at the remote service provider where the SAML assertion is transmitted.
        Returns: list of dictionaries with enabled service providers
        Return type: list of dicts
class keystone.federation.core.V9FederationWrapperForV8Driver(*args, **kwargs)
    Bases: keystone.federation.core.FederationDriverV9

    Wrapper class to support a V8 legacy driver.
    In order to support legacy drivers without having to make the manager code driver-version aware, we wrap legacy drivers so that they look like the latest version. For the various changes made in a new driver, here are the actions needed in this wrapper:
        - Method removed from new driver – remove the call-through method from this class, since the manager will no longer be calling it.
        - Method signature (or meaning) changed – wrap the old method in a new signature here, and munge the input and output parameters accordingly.
        - New method added to new driver – add a method to implement the new functionality here if possible. If that is not possible, then return NotImplemented, since we do not guarantee to support new functionality with legacy drivers.
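The three wrapper actions above, as an added example that is not Keystone's own code. The V8 and V9 stand-ins and the `Hints` container are this example's assumptions (Keystone's real hints object lives in keystone.common.driver_hints and has more to it); the point shown is that a V8 `list_idps()` has no `hints` parameter, so the wrapper must apply the filters itself and leave any filter it could not honour in place for the manager, while the V9-only `list_sps()` returns NotImplemented.

```python
class Hints:
    """Minimal filter container, assumed for this example (not Keystone's Hints)."""

    def __init__(self):
        self.filters = []          # each: {"name": ..., "value": ..., "comparator": ...}

    def add_filter(self, name, value, comparator="equals"):
        self.filters.append({"name": name, "value": value, "comparator": comparator})


class LegacyV8Driver:
    """A V8-style driver: list_idps() takes no hints and returns every IdP."""

    def __init__(self, idps):
        self._idps = idps          # constructed in-memory store

    def list_idps(self):
        return [dict(ref) for ref in self._idps]


class V9WrapperForV8Driver:
    """Presents the V9 interface to the manager while delegating to a V8 driver."""

    def __init__(self, wrapped_driver):
        self.driver = wrapped_driver

    def list_idps(self, hints):
        # Signature changed: the legacy driver cannot filter, so fetch everything
        # and apply the hints here. A filter the wrapper satisfies is removed from
        # hints so the manager does not re-apply it; anything it cannot satisfy
        # (other comparators) is left for the manager to handle.
        refs = self.driver.list_idps()
        for flt in list(hints.filters):
            if flt["comparator"] != "equals":
                continue
            refs = [r for r in refs if r.get(flt["name"]) == flt["value"]]
            hints.filters.remove(flt)
        return refs

    def list_sps(self, hints):
        # New in V9 with no V8 equivalent: legacy drivers do not get this feature.
        return NotImplemented
```

In the real manager the filters left in `hints` after the driver call are applied generically, which is why removing only the satisfied ones matters: a wrapper that cleared every filter would silently return unfiltered results for comparators it never evaluated.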
keystone.federation.idp module

class keystone.federation.idp.ECPGenerator
    Bases: object

    A class for generating an ECP assertion.

class keystone.federation.idp.MetadataGenerator
    Bases: object

    A class for generating SAML IdP Metadata.

    generate_metadata()
        Generate Identity Provider Metadata.
        Generate and format metadata into XML that can be exposed and consumed by a federated Service Provider.
        Returns: XML <EntityDescriptor> object.
        Raises: keystone.exception.ValidationError – If the required config options aren’t set.

class keystone.federation.idp.SAMLGenerator
    Bases: object

    A class to generate SAML assertions.

    samlize_token(issuer, recipient, user, user_domain_name, roles, project, project_domain_name, expires_in=None)
        Convert Keystone attributes to a SAML assertion.
        Parameters:
            - issuer (string) – URL of the issuing party
            - recipient (string) – URL of the recipient
            - user (string) – User name
            - user_domain_name (string) – User Domain name
            - roles (list) – List of role names
            - project (string) – Project name
            - project_domain_name (string) – Project Domain name
            - expires_in (int) – Sets how long the assertion is valid for, in seconds
        Returns: XML <Response> object
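What the `samlize_token` signature above produces, as an added example that is not Keystone's SAMLGenerator. It builds a `<samlp:Response>` with the standard library, carrying the same seven inputs. Assumptions not stated on this page: the attribute names `openstack_user`, `openstack_user_domain`, `openstack_roles`, `openstack_project` and `openstack_project_domain`, the 300-second default lifetime, and the extra `now` parameter added so the output is reproducible. Keystone signs the generated assertion with xmlsec1 afterwards; this example emits an unsigned document and shows the two checks a consuming Service Provider has to make before trusting the attributes.

```python
import datetime
import uuid
import xml.etree.ElementTree as ET

NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_DSIG = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("saml", NS_SAML)
ET.register_namespace("samlp", NS_SAMLP)

# Attribute names assumed for this example.
ATTRIBUTE_NAMES = ("openstack_user", "openstack_user_domain", "openstack_roles",
                   "openstack_project", "openstack_project_domain")


def _utc(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def samlize_token(issuer, recipient, user, user_domain_name, roles, project,
                  project_domain_name, expires_in=None, now=None):
    """Return an unsigned <samlp:Response> Element carrying the token attributes."""
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    expires = now + datetime.timedelta(seconds=expires_in or 300)   # assumed default
    resp = ET.Element(f"{{{NS_SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _utc(now), "Destination": recipient})
    ET.SubElement(resp, f"{{{NS_SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{NS_SAMLP}}}Status")
    ET.SubElement(status, f"{{{NS_SAMLP}}}StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    assertion = ET.SubElement(resp, f"{{{NS_SAML}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _utc(now)})
    ET.SubElement(assertion, f"{{{NS_SAML}}}Issuer").text = issuer
    subject = ET.SubElement(assertion, f"{{{NS_SAML}}}Subject")
    ET.SubElement(subject, f"{{{NS_SAML}}}NameID").text = user
    confirmation = ET.SubElement(subject, f"{{{NS_SAML}}}SubjectConfirmation",
                                 {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(confirmation, f"{{{NS_SAML}}}SubjectConfirmationData",
                  {"Recipient": recipient, "NotOnOrAfter": _utc(expires)})
    # Conditions bind the assertion to one audience and a short validity window.
    conditions = ET.SubElement(assertion, f"{{{NS_SAML}}}Conditions",
                               {"NotBefore": _utc(now), "NotOnOrAfter": _utc(expires)})
    audience = ET.SubElement(conditions, f"{{{NS_SAML}}}AudienceRestriction")
    ET.SubElement(audience, f"{{{NS_SAML}}}Audience").text = recipient
    statement = ET.SubElement(assertion, f"{{{NS_SAML}}}AttributeStatement")
    values = ([user], [user_domain_name], list(roles), [project], [project_domain_name])
    for name, vals in zip(ATTRIBUTE_NAMES, values):
        attr = ET.SubElement(statement, f"{{{NS_SAML}}}Attribute", {"Name": name})
        for v in vals:
            ET.SubElement(attr, f"{{{NS_SAML}}}AttributeValue").text = v
    return resp


def to_xml(resp):
    return ET.tostring(resp, encoding="unicode")


def assertion_attributes(resp):
    """Consumer side: attribute name -> list of values."""
    return {attr.get("Name"): [v.text for v in attr.findall(f"{{{NS_SAML}}}AttributeValue")]
            for attr in resp.iter(f"{{{NS_SAML}}}Attribute")}


def is_signed(resp):
    """True only if the Assertion carries an enveloped ds:Signature.
    Keystone adds one with xmlsec1; an SP must reject an unsigned or
    unverifiable assertion rather than act on its attributes."""
    assertion = resp.find(f"{{{NS_SAML}}}Assertion")
    return assertion is not None and assertion.find(f"{{{NS_DSIG}}}Signature") is not None


def assertion_valid_at(resp, at):
    """Enforce the Conditions window (timestamps share a format, so string order works)."""
    conditions = resp.find(f".//{{{NS_SAML}}}Conditions")
    return conditions.get("NotBefore") <= _utc(at) < conditions.get("NotOnOrAfter")
```

Everything that grants access on the SP side (user, roles, project) travels as plain attribute values here, which is why the presence and validity of the signature, and not just the `Conditions` window, is the check that matters.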
keystone.federation.routers module

class keystone.federation.routers.Routers
    Bases: keystone.common.wsgi.RoutersBase

    API Endpoints for the Federation extension.
    The API looks like:

        PUT    /OS-FEDERATION/identity_providers/{idp_id}
        GET    /OS-FEDERATION/identity_providers
        GET    /OS-FEDERATION/identity_providers/{idp_id}
        DELETE /OS-FEDERATION/identity_providers/{idp_id}
        PATCH  /OS-FEDERATION/identity_providers/{idp_id}

        PUT    /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
        GET    /OS-FEDERATION/identity_providers/{idp_id}/protocols
        GET    /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
        PATCH  /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
        DELETE /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}

        PUT    /OS-FEDERATION/mappings
        GET    /OS-FEDERATION/mappings
        PATCH  /OS-FEDERATION/mappings/{mapping_id}
        GET    /OS-FEDERATION/mappings/{mapping_id}
        DELETE /OS-FEDERATION/mappings/{mapping_id}

        GET    /OS-FEDERATION/projects
        GET    /OS-FEDERATION/domains

        PUT    /OS-FEDERATION/service_providers/{sp_id}
        GET    /OS-FEDERATION/service_providers
        GET    /OS-FEDERATION/service_providers/{sp_id}
        DELETE /OS-FEDERATION/service_providers/{sp_id}
        PATCH  /OS-FEDERATION/service_providers/{sp_id}

        GET    /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth
        POST   /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth

        GET    /auth/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/websso?origin=https%3A//horizon.example.com
        POST   /auth/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/websso?origin=https%3A//horizon.example.com

        POST   /auth/OS-FEDERATION/saml2
        POST   /auth/OS-FEDERATION/saml2/ecp
        GET    /OS-FEDERATION/saml2/metadata

        GET    /auth/OS-FEDERATION/websso/{protocol_id}?origin=https%3A//horizon.example.com
        POST   /auth/OS-FEDERATION/websso/{protocol_id}?origin=https%3A//horizon.example.com
keystone.federation.schema module
keystone.federation.utils module
Utilities for Federation Extension.

class keystone.federation.utils.DirectMaps
    Bases: object

    An abstraction around the remote matches.
    Each match is treated internally as a list.

class keystone.federation.utils.RuleProcessor(mapping_id, rules)
    Bases: object

    A class to process assertions and mapping rules.

    process(assertion_data)
        Transform an assertion to a dictionary.
        The dictionary contains the mapping of user name and group ids based on the mapping rules.
        This function iterates through the mapping rules to find assertions that are valid.
        Parameters: assertion_data (dict) – an assertion containing values from an IdP
        Example assertion_data:
            {
                'Email': 'testacct@example.com',
                'UserName': 'testacct',
                'FirstName': 'Test',
                'LastName': 'Account',
                'orgPersonType': 'Tester'
            }
        Returns: dictionary with user and group_ids. The expected return structure is:
            {
                'name': 'foobar',
                'group_ids': ['abc123', 'def456'],
                'group_names': [
                    {'name': 'group_name_1', 'domain': {'name': 'domain1'}},
                    {'name': 'group_name_1_1', 'domain': {'name': 'domain1'}},
                    {'name': 'group_name_2', 'domain': {'id': 'xyz132'}}
                ]
            }
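A small rule processor that turns the example assertion above into the return structure `process` describes, added here as an illustration and not Keystone's own RuleProcessor or DirectMaps. The rule syntax it evaluates (remote `type` with optional `any_one_of`, `not_any_of` and `regex`, local `user`/`group` entries with `{0}`-style direct maps) follows Keystone's documented mapping format as the author of this example understands it; the evaluator itself and the sample rules are constructed for the example. Each remote match is kept as a list and `{n}` expands to the first value of match n, mirroring the DirectMaps note above.

```python
import re


class DirectMaps:
    """Values captured by unconditional remote rules, in rule order.
    Each capture is kept as a list; {n} expands to the first value of capture n."""

    def __init__(self):
        self._matches = []

    def add(self, values):
        self._matches.append(list(values))

    def __iter__(self):                       # lets "{0}".format(*direct) work
        return (m[0] for m in self._matches)


class RuleProcessor:
    def __init__(self, mapping_id, rules):
        self.mapping_id = mapping_id
        self.rules = rules

    @staticmethod
    def _values(assertion, key):
        v = assertion.get(key)
        if v is None:
            return []
        return [v] if isinstance(v, str) else list(v)

    def _evaluate(self, requirement, assertion):
        """Return the values captured if the requirement holds, else None.
        Conditional requirements (any_one_of / not_any_of) capture nothing."""
        values = self._values(assertion, requirement["type"])
        use_regex = requirement.get("regex", False)

        def hit(pattern):
            return any(re.search(pattern, v) if use_regex else pattern == v
                       for v in values)

        if "any_one_of" in requirement:
            return [] if any(hit(p) for p in requirement["any_one_of"]) else None
        if "not_any_of" in requirement:
            return None if any(hit(p) for p in requirement["not_any_of"]) else []
        return values or None                 # plain rule: attribute must be present

    def _verify_all_requirements(self, rule, assertion):
        direct = DirectMaps()
        for req in rule.get("remote", []):
            captured = self._evaluate(req, assertion)
            if captured is None:
                return None                   # one failed requirement voids the rule
            if captured:
                direct.add(captured)
        return direct

    def process(self, assertion_data):
        mapped = {"name": None, "group_ids": [], "group_names": []}
        for rule in self.rules:
            direct = self._verify_all_requirements(rule, assertion_data)
            if direct is None:
                continue
            for item in rule.get("local", []):
                if "user" in item:
                    mapped["name"] = item["user"]["name"].format(*direct)
                if "group" in item:
                    group = item["group"]
                    if "id" in group:
                        mapped["group_ids"].append(group["id"].format(*direct))
                    else:
                        mapped["group_names"].append(
                            {"name": group["name"].format(*direct),
                             "domain": group["domain"]})
        if mapped["name"] is None:
            # No rule produced a user: fail closed rather than return a partial identity.
            raise ValueError(f"mapping {self.mapping_id}: no rule matched the assertion")
        return mapped


# Constructed for this example; the assertion is the one shown on this page.
SAMPLE_ASSERTION = {'Email': 'testacct@example.com', 'UserName': 'testacct',
                    'FirstName': 'Test', 'LastName': 'Account', 'orgPersonType': 'Tester'}
SAMPLE_RULES = [
    {"remote": [{"type": "UserName"},
                {"type": "orgPersonType", "any_one_of": ["Tester", "Developer"]}],
     "local": [{"user": {"name": "{0}"}}, {"group": {"id": "abc123"}}]},
    # The regex is anchored on purpose: "@example\.com" without "$" would also
    # match "someone@example.com.attacker.net" and grant the group.
    {"remote": [{"type": "Email", "regex": True, "any_one_of": [r"@example\.com$"]}],
     "local": [{"group": {"name": "example_staff", "domain": {"name": "domain1"}}}]},
]
```

Two behaviours worth noting when reviewing real mappings: an `any_one_of` rule matches if any value of a multi-valued attribute hits, so a regex must be anchored, and an assertion that satisfies no user-producing rule is rejected outright instead of yielding a nameless identity.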
class keystone.federation.utils.UserType
    Bases: object

    User mapping type.

    EPHEMERAL = 'ephemeral'

    LOCAL = 'local'

keystone.federation.utils.transform_to_group_ids(group_names, mapping_id, identity_api, resource_api)
    Transform groups identified by name/domain to their ids.
    The function accepts a list of groups identified by a name and domain and returns a list of group ids.
    Example of the group_names parameter:
        [
            {"name": "group_name", "domain": {"id": "domain_id"}},
            {"name": "group_name_2", "domain": {"name": "domain_name"}}
        ]
    Parameters:
        - group_names (list) – list of groups identified by name and domain.
        - mapping_id (str) – id of the mapping used for mapping the assertion into local credentials
        - identity_api – identity_api object
        - resource_api – resource manager object
    Returns: generator object with group ids
    Raises: keystone.exception.MappedGroupNotFound – if a requested group doesn’t exist in the backend.

keystone.federation.utils.validate_groups(group_ids, mapping_id, identity_api)
    Check group ids cardinality and check their existence in the backend.
    This call is not transactional.
    Parameters:
        - group_ids (list of str) – IDs of the groups to be checked
        - mapping_id (str) – id of the mapping used for this operation
        - identity_api (identity.Manager) – Identity Manager object used for communication with the backend
    Raises:
        - keystone.exception.MappedGroupNotFound – If the group returned by the mapping was not found in the backend.
        - keystone.exception.MissingGroups – If group_ids cardinality is 0.

keystone.federation.utils.validate_groups_cardinality(group_ids, mapping_id)
    Check if the groups list is non-empty.
    Parameters: group_ids (list of str) – list of group ids
    Raises: keystone.exception.MissingGroups – if group_ids cardinality is 0

keystone.federation.utils.validate_groups_in_backend(group_ids, mapping_id, identity_api)
    Iterate over group ids and make sure they are present in the backend.
    This call is not transactional.
    Parameters:
        - group_ids (list of str) – IDs of the groups to be checked
        - mapping_id (str) – id of the mapping used for this operation
        - identity_api (identity.Manager) – Identity Manager object used for communication with the backend
    Raises: keystone.exception.MappedGroupNotFound – If the group returned by the mapping was not found in the backend.
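The group resolution and validation steps from `transform_to_group_ids` through `validate_groups_in_backend`, as an added example that is not Keystone's code. The exception classes and the `FakeIdentityAPI`/`FakeResourceAPI` backends are constructed stand-ins for keystone.exception and the identity and resource managers, with the method names (`get_group`, `get_group_by_name`, `get_domain_by_name`) assumed for the example. It also shows the one trap in this chain: `transform_to_group_ids` returns a generator, which is always truthy, so the cardinality check must run on a materialised list.

```python
class MappedGroupNotFound(Exception):
    def __init__(self, group, mapping_id):
        super().__init__(f"group {group!r} from mapping {mapping_id!r} not found in backend")


class MissingGroups(Exception):
    def __init__(self, mapping_id):
        super().__init__(f"mapping {mapping_id!r} produced no groups")


class FakeIdentityAPI:
    """Constructed in-memory stand-in: {group_id: {"name": ..., "domain_id": ...}}."""

    def __init__(self, groups):
        self._groups = groups

    def get_group(self, group_id):
        if group_id not in self._groups:
            raise KeyError(group_id)
        return dict(self._groups[group_id], id=group_id)

    def get_group_by_name(self, name, domain_id):
        for gid, g in self._groups.items():
            if g["name"] == name and g["domain_id"] == domain_id:
                return dict(g, id=gid)
        raise KeyError(name)


class FakeResourceAPI:
    """Constructed in-memory stand-in: {domain_id: domain_name}."""

    def __init__(self, domains):
        self._domains = domains

    def get_domain_by_name(self, name):
        for did, n in self._domains.items():
            if n == name:
                return {"id": did, "name": n}
        raise KeyError(name)


def validate_groups_cardinality(group_ids, mapping_id):
    if not group_ids:
        raise MissingGroups(mapping_id)


def validate_groups_in_backend(group_ids, mapping_id, identity_api):
    # Not transactional: each id is looked up independently.
    for gid in group_ids:
        try:
            identity_api.get_group(gid)
        except KeyError:
            raise MappedGroupNotFound(gid, mapping_id)


def validate_groups(group_ids, mapping_id, identity_api):
    validate_groups_cardinality(group_ids, mapping_id)
    validate_groups_in_backend(group_ids, mapping_id, identity_api)


def transform_to_group_ids(group_names, mapping_id, identity_api, resource_api):
    """Yield group ids; a group name is only meaningful inside its domain,
    which may be given by id or by name."""
    for group in group_names:
        domain = group["domain"]
        try:
            if "id" in domain:
                domain_id = domain["id"]
            else:
                domain_id = resource_api.get_domain_by_name(domain["name"])["id"]
            yield identity_api.get_group_by_name(group["name"], domain_id)["id"]
        except KeyError:
            raise MappedGroupNotFound(group["name"], mapping_id)


def resolve_and_validate(group_names, group_ids, mapping_id, identity_api, resource_api):
    """Materialise the generator first: a generator object is truthy even when it
    would yield nothing, so validate_groups_cardinality must see a real list."""
    all_ids = list(group_ids) + list(
        transform_to_group_ids(group_names, mapping_id, identity_api, resource_api))
    validate_groups(all_ids, mapping_id, identity_api)
    return all_ids
```

Because the lookups are not transactional, a group deleted between `validate_groups_in_backend` and the later role assignment can still disappear; the check reduces the window but does not remove it.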