keystone.federation package
Subpackages
Submodules
keystone.federation.constants module
keystone.federation.controllers module
Workflow logic for the Federation service.

class keystone.federation.controllers.Auth(*args, **kw)
Bases: keystone.auth.controllers.Auth

    create_ecp_assertion(request, auth)
        Exchange a scoped token for an ECP assertion.
        Parameters: auth – Dictionary that contains a token and service provider ID
        Returns: ECP Assertion based on properties from the token

    create_saml_assertion(request, auth)
        Exchange a scoped token for a SAML assertion.
        Parameters: auth – Dictionary that contains a token and service provider ID
        Returns: SAML Assertion based on properties from the token
class keystone.federation.controllers.DomainV3
Bases: keystone.common.controller.V3Controller

    collection_name = 'domains'

    list_domains_for_user(request, *args, **kwargs)
        List all domains available to an authenticated user.
        Parameters: context – request context
        Returns: list of accessible domains

    member_name = 'domain'
class keystone.federation.controllers.FederationProtocol(*args, **kwargs)
Bases: keystone.federation.controllers._ControllerBase
    A federation protocol representation.
    See the keystone.common.controller.V3Controller docstring for an explanation of the _public_parameters class attributes.

    collection_name = 'protocols'

    member_name = 'protocol'
class keystone.federation.controllers.IdentityProvider(*args, **kwargs)
Bases: keystone.federation.controllers._ControllerBase
    Identity Provider representation.

    collection_name = 'identity_providers'

    member_name = 'identity_provider'
class keystone.federation.controllers.MappingController(*args, **kwargs)
Bases: keystone.federation.controllers._ControllerBase

    collection_name = 'mappings'

    member_name = 'mapping'
class keystone.federation.controllers.ProjectAssignmentV3
Bases: keystone.common.controller.V3Controller

    collection_name = 'projects'

    list_projects_for_user(request, *args, **kwargs)
        List all projects available to an authenticated user.
        Parameters: context – request context
        Returns: list of accessible projects

    member_name = 'project'
class keystone.federation.controllers.SAMLMetadataV3(*args, **kwargs)
Bases: keystone.federation.controllers._ControllerBase

    member_name = 'metadata'
keystone.federation.core module
Main entry point into the Federation service.

class keystone.federation.core.Manager(*args, **kwargs)
Bases: keystone.common.manager.Manager
    Default pivot point for the Federation backend.
    See keystone.common.manager.Manager for more details on how this dynamically calls the backend.

    driver_namespace = 'keystone.federation'

    get_enabled_service_providers(*args, **kwargs)
        List enabled service providers for the Service Catalog.
        A Service Provider entry in the catalog contains three attributes, id, auth_url and sp_url, where:
        - id is a unique, user-defined identifier for the service provider object
        - auth_url is the authentication URL of the remote Keystone
        - sp_url is a URL accessible at the remote service provider to which the SAML assertion is transmitted
        Returns: list of dictionaries with enabled service providers
        Return type: list of dicts
keystone.federation.idp module

class keystone.federation.idp.ECPGenerator
Bases: object
    A class for generating an ECP assertion.

class keystone.federation.idp.MetadataGenerator
Bases: object
    A class for generating SAML IdP Metadata.

    generate_metadata()
        Generate Identity Provider Metadata.
        Generate and format metadata into XML that can be exposed and consumed by a federated Service Provider.
        Returns: XML <EntityDescriptor> object.
        Raises: keystone.exception.ValidationError – If the required config options aren't set.

class keystone.federation.idp.SAMLGenerator
Bases: object
    A class to generate SAML assertions.

    samlize_token(issuer, recipient, user, user_domain_name, roles, project, project_domain_name, expires_in=None)
        Convert Keystone attributes to a SAML assertion.
        Parameters:
        - issuer (string) – URL of the issuing party
        - recipient (string) – URL of the recipient
        - user (string) – User name
        - user_domain_name (string) – User Domain name
        - roles (list) – List of role names
        - project (string) – Project name
        - project_domain_name (string) – Project Domain name
        - expires_in (int) – Sets how long the assertion is valid for, in seconds
        Returns: XML <Response> object
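The following is an added example and not keystone's own code. It builds the unsigned skeleton of the SAML 2.0 <Response> that samlize_token() describes, from exactly the parameters listed above, and then reads back the fields a Service Provider has to validate (issuer, recipient, audience, validity window, attributes). The openstack_* attribute names and the 3600 second default lifetime are assumptions modelled on keystone's generator; the issuer and recipient URLs in demo() are constructed.

```python
"""Added example, not keystone's code: unsigned SAML 2.0 <Response> skeleton from the
samlize_token() parameters, plus a reader for the fields an SP checks."""
import datetime
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def q(ns, tag):
    """Clark-notation tag name that ElementTree accepts in SubElement() and find()."""
    return "{%s}%s" % (ns, tag)


def _stamp(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def samlize_token(issuer, recipient, user, user_domain_name, roles, project,
                  project_domain_name, expires_in=None, now=None):
    """Return a <samlp:Response> Element carrying one bearer assertion (unsigned)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    lifetime = 3600 if expires_in is None else expires_in          # assumed default lifetime
    not_after = _stamp(now + datetime.timedelta(seconds=lifetime))

    resp = ET.Element(q(SAMLP, "Response"), {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                                             "IssueInstant": _stamp(now), "Destination": recipient})
    ET.SubElement(resp, q(SAML, "Issuer")).text = issuer
    status = ET.SubElement(resp, q(SAMLP, "Status"))
    ET.SubElement(status, q(SAMLP, "StatusCode"), {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})

    a = ET.SubElement(resp, q(SAML, "Assertion"), {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                                                   "IssueInstant": _stamp(now)})
    ET.SubElement(a, q(SAML, "Issuer")).text = issuer
    subject = ET.SubElement(a, q(SAML, "Subject"))
    ET.SubElement(subject, q(SAML, "NameID")).text = user
    conf = ET.SubElement(subject, q(SAML, "SubjectConfirmation"),
                         {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    # Recipient and NotOnOrAfter bind the bearer assertion to one SP endpoint and one time window.
    ET.SubElement(conf, q(SAML, "SubjectConfirmationData"), {"Recipient": recipient, "NotOnOrAfter": not_after})
    cond = ET.SubElement(a, q(SAML, "Conditions"), {"NotBefore": _stamp(now), "NotOnOrAfter": not_after})
    ET.SubElement(ET.SubElement(cond, q(SAML, "AudienceRestriction")), q(SAML, "Audience")).text = recipient

    # Attribute names follow keystone's openstack_* convention (assumed here).
    attrs = ET.SubElement(a, q(SAML, "AttributeStatement"))
    for name, values in (("openstack_user", [user]), ("openstack_user_domain", [user_domain_name]),
                         ("openstack_roles", roles), ("openstack_project", [project]),
                         ("openstack_project_domain", [project_domain_name])):
        attr = ET.SubElement(attrs, q(SAML, "Attribute"), {"Name": name})
        for value in values:
            ET.SubElement(attr, q(SAML, "AttributeValue")).text = value
    return resp


def assertion_fields(resp):
    """Extract the values an SP validates before it trusts the assertion."""
    a = resp.find(q(SAML, "Assertion"))
    scd = a.find(q(SAML, "Subject") + "/" + q(SAML, "SubjectConfirmation") + "/" + q(SAML, "SubjectConfirmationData"))
    attrs = {att.get("Name"): [v.text for v in att.findall(q(SAML, "AttributeValue"))]
             for att in a.iter(q(SAML, "Attribute"))}
    return {"issuer": a.findtext(q(SAML, "Issuer")),
            "user": a.findtext(q(SAML, "Subject") + "/" + q(SAML, "NameID")),
            "recipient": scd.get("Recipient"),
            "audience": a.findtext(q(SAML, "Conditions") + "/" + q(SAML, "AudienceRestriction") + "/" + q(SAML, "Audience")),
            "not_on_or_after": scd.get("NotOnOrAfter"),
            "roles": attrs["openstack_roles"],
            "project": attrs["openstack_project"][0],
            "signed": a.find("{http://www.w3.org/2000/09/xmldsig#}Signature") is not None}


SAMPLE_NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)   # fixed clock for the demo


def demo():
    """Generate one response from constructed issuer/recipient URLs and return its fields."""
    resp = samlize_token(issuer="https://keystone.example.com/v3/OS-FEDERATION/saml2/idp",
                         recipient="https://sp.example.com/Shibboleth.sso/SAML2/ECP",
                         user="alice", user_domain_name="Default", roles=["member", "reader"],
                         project="demo", project_domain_name="Default",
                         expires_in=600, now=SAMPLE_NOW)
    return assertion_fields(resp)


if __name__ == "__main__":
    print(ET.tostring(samlize_token("https://idp.example.com", "https://sp.example.com", "alice",
                                    "Default", ["member"], "demo", "Default", now=SAMPLE_NOW),
                      encoding="unicode"))
```

Keystone's real generator goes one step further and signs the assertion (it shells out to xmlsec1 with the certfile and keyfile from the [saml] configuration section); this skeleton carries no Signature element, which the `signed` field makes visible. On the receiving side, the Recipient, Audience and NotOnOrAfter values extracted by assertion_fields() are the ones an SP must check, in addition to the signature, before it maps the attributes to a local identity.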
keystone.federation.routers module

class keystone.federation.routers.Routers
Bases: keystone.common.wsgi.RoutersBase
    API Endpoints for the Federation extension.
    The API looks like:

        PUT    /OS-FEDERATION/identity_providers/{idp_id}
        GET    /OS-FEDERATION/identity_providers
        GET    /OS-FEDERATION/identity_providers/{idp_id}
        DELETE /OS-FEDERATION/identity_providers/{idp_id}
        PATCH  /OS-FEDERATION/identity_providers/{idp_id}
        PUT    /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
        GET    /OS-FEDERATION/identity_providers/{idp_id}/protocols
        GET    /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
        PATCH  /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
        DELETE /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
        PUT    /OS-FEDERATION/mappings
        GET    /OS-FEDERATION/mappings
        PATCH  /OS-FEDERATION/mappings/{mapping_id}
        GET    /OS-FEDERATION/mappings/{mapping_id}
        DELETE /OS-FEDERATION/mappings/{mapping_id}
        GET    /OS-FEDERATION/projects
        GET    /OS-FEDERATION/domains
        PUT    /OS-FEDERATION/service_providers/{sp_id}
        GET    /OS-FEDERATION/service_providers
        GET    /OS-FEDERATION/service_providers/{sp_id}
        DELETE /OS-FEDERATION/service_providers/{sp_id}
        PATCH  /OS-FEDERATION/service_providers/{sp_id}
        GET    /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth
        POST   /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth
        GET    /auth/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/websso?origin=https%3A//horizon.example.com
        POST   /auth/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/websso?origin=https%3A//horizon.example.com
        POST   /auth/OS-FEDERATION/saml2
        POST   /auth/OS-FEDERATION/saml2/ecp
        GET    /OS-FEDERATION/saml2/metadata
        GET    /auth/OS-FEDERATION/websso/{protocol_id}?origin=https%3A//horizon.example.com
        POST   /auth/OS-FEDERATION/websso/{protocol_id}?origin=https%3A//horizon.example.com
keystone.federation.schema module
keystone.federation.utils module
Utilities for the Federation Extension.
class keystone.federation.utils.DirectMaps
Bases: object
    An abstraction around the remote matches.
    Each match is treated internally as a list.

class keystone.federation.utils.RuleProcessor(mapping_id, rules)
Bases: object
    A class to process assertions and mapping rules.

    process(assertion_data)
        Transform an assertion into a dictionary.
        The dictionary contains the mapping of user name and group ids based on the mapping rules.
        This function iterates through the mapping rules to find assertions that are valid.
        Parameters: assertion_data (dict) – an assertion containing values from an IdP
        Example assertion_data:

            {
                'Email': '[email protected]',
                'UserName': 'testacct',
                'FirstName': 'Test',
                'LastName': 'Account',
                'orgPersonType': 'Tester'
            }

        Returns: dictionary with user and group_ids
        The expected return structure is:

            {
                'name': 'foobar',
                'group_ids': ['abc123', 'def456'],
                'group_names': [
                    {'name': 'group_name_1', 'domain': {'name': 'domain1'}},
                    {'name': 'group_name_1_1', 'domain': {'name': 'domain1'}},
                    {'name': 'group_name_2', 'domain': {'id': 'xyz132'}}
                ]
            }
class keystone.federation.utils.UserType
Bases: object
    User mapping type.

    EPHEMERAL = 'ephemeral'

    LOCAL = 'local'
keystone.federation.utils.transform_to_group_ids(group_names, mapping_id, identity_api, resource_api)
    Transform groups identified by name/domain to their ids.
    The function accepts a list of groups identified by a name and a domain and returns a list of group ids.
    Example of the group_names parameter:

        [
            {"name": "group_name", "domain": {"id": "domain_id"}},
            {"name": "group_name_2", "domain": {"name": "domain_name"}}
        ]

    Parameters:
    - group_names (list) – list of groups identified by name and domain
    - mapping_id (str) – id of the mapping used for mapping the assertion into local credentials
    - identity_api – identity_api object
    - resource_api – resource manager object
    Returns: generator object with group ids
    Raises: keystone.exception.MappedGroupNotFound – in case a requested group does not exist in the backend.
keystone.federation.utils.validate_idp(idp, protocol, assertion)
    The IdP providing the assertion should be registered for the mapping.
keystone.federation.utils.validate_mapped_group_ids(group_ids, mapping_id, identity_api)
    Iterate over group ids and make sure they are present in the backend.
    This call is not transactional.
    Parameters:
    - group_ids (list of str) – IDs of the groups to be checked
    - mapping_id (str) – id of the mapping used for this operation
    - identity_api (identity.Manager) – Identity Manager object used for communication with the backend
    Raises: keystone.exception.MappedGroupNotFound – If the group returned by the mapping was not found in the backend.
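The following is an added illustration of the mapping flow that RuleProcessor.process(), transform_to_group_ids() and validate_mapped_group_ids() document above; it is not keystone's code. The rule engine is a deliberately reduced re-implementation that handles only the type, any_one_of, not_any_of and regex remote matchers with {n} substitution (the assumption that only bare "type" matchers feed the substitution list is mine), the identity and resource backends are replaced by in-memory dictionaries, the sample assertion and rules are constructed, and MappedGroupNotFound is a local exception named after keystone's.

```python
"""Added example, not keystone's code: reduced mapping-rule engine plus group
resolution against constructed in-memory backends."""
import re


class MappedGroupNotFound(Exception):
    """Stand-in for keystone.exception.MappedGroupNotFound."""


def _remote_accepts(remote, assertion):
    """Return the assertion values a remote matcher consumed, or None if it rejects."""
    values = assertion.get(remote["type"])
    if values is None:                        # attribute absent: the rule cannot match
        return None
    if not isinstance(values, list):
        values = [values]
    use_regex = remote.get("regex", False)

    def hit(patterns):
        if use_regex:
            return any(re.search(p, v) for p in patterns for v in values)
        return any(v in patterns for v in values)

    if "any_one_of" in remote and not hit(remote["any_one_of"]):
        return None
    if "not_any_of" in remote and hit(remote["not_any_of"]):
        return None
    return values


def process(rules, assertion):
    """Reduced RuleProcessor.process(): returns {'name', 'group_ids', 'group_names'}."""
    result = {"name": None, "group_ids": [], "group_names": []}
    for rule in rules:
        direct = []          # values exposed to the local side as {0}, {1}, ...
        accepted = True
        for remote in rule["remote"]:
            values = _remote_accepts(remote, assertion)
            if values is None:
                accepted = False
                break
            if set(remote) == {"type"}:       # assumption: only bare type matchers feed {n}
                direct.append(values[0])
        if not accepted:
            continue                          # one failing matcher rejects the whole rule
        for local in rule["local"]:
            if "user" in local:
                result["name"] = local["user"]["name"].format(*direct)
            if "group" in local:
                group = local["group"]
                result["group_names"].append(
                    {"name": group["name"].format(*direct), "domain": group["domain"]})
    return result


# Constructed stand-in backends: domain name -> domain id, (domain id, group name) -> group id.
DOMAINS = {"domain1": "d1"}
GROUPS = {("d1", "testers"): "abc123", ("xyz132", "ops"): "def456"}


def transform_to_group_ids(group_names, mapping_id, domains=DOMAINS, groups=GROUPS):
    """Yield group ids for name/domain references; unknown group or domain raises."""
    for ref in group_names:
        domain = ref["domain"]
        domain_id = domain.get("id") or domains.get(domain.get("name"))
        group_id = groups.get((domain_id, ref["name"]))
        if group_id is None:
            raise MappedGroupNotFound("group %r in domain %r from mapping %s not found"
                                      % (ref["name"], domain, mapping_id))
        yield group_id


def groups_resolvable(group_names, mapping_id="mapping-demo"):
    """validate_mapped_group_ids()-style check: True only if every group exists."""
    try:
        list(transform_to_group_ids(group_names, mapping_id))
    except MappedGroupNotFound:
        return False
    return True


def map_assertion(rules, assertion, mapping_id="mapping-demo"):
    """Run both steps and return the mapped identity with resolved group ids."""
    mapped = process(rules, assertion)
    mapped["group_ids"] += list(transform_to_group_ids(mapped["group_names"], mapping_id))
    return mapped


# Constructed sample input, shaped like the assertion_data example above.
ASSERTION = {"Email": "testacct@example.com", "UserName": "testacct",
             "FirstName": "Test", "LastName": "Account", "orgPersonType": "Tester"}
RULES = [
    {"local": [{"user": {"name": "{0}", "type": "ephemeral"}},
               {"group": {"name": "testers", "domain": {"name": "domain1"}}}],
     "remote": [{"type": "UserName"},
                {"type": "orgPersonType", "any_one_of": ["Tester", "Developer"]}]},
    {"local": [{"group": {"name": "ops", "domain": {"id": "xyz132"}}}],
     "remote": [{"type": "orgPersonType", "not_any_of": ["Contractor"]}]},
    {"local": [{"group": {"name": "admins", "domain": {"id": "xyz132"}}}],
     "remote": [{"type": "Email", "any_one_of": [r"@admin\.example\.com$"], "regex": True}]},
]

if __name__ == "__main__":
    print(map_assertion(RULES, ASSERTION))
```

Two behaviours of the documented functions are visible here: a rule contributes nothing unless every one of its remote matchers accepts (the admins rule is dropped because the regex does not match the constructed address), and a group reference that the backend cannot resolve, whether because the group or its domain is unknown, surfaces as MappedGroupNotFound rather than being silently skipped, which is why the resolution step is the right place to fail closed.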