keystone.federation package¶
Subpackages¶
Submodules¶
keystone.federation.constants module¶
keystone.federation.core module¶
Main entry point into the Federation service.
-
class
keystone.federation.core.
Manager
[source]¶ Bases:
keystone.common.manager.Manager
Default pivot point for the Federation backend.
See
keystone.common.manager.Manager
for more details on how this dynamically calls the backend.-
driver_namespace
= 'keystone.federation'¶
-
get_enabled_service_providers
()[source]¶ List enabled service providers for Service Catalog.
Service Provider in a catalog contains three attributes:
id
,auth_url
,sp_url
, where:id is a unique, user defined identifier for service provider object
auth_url is an authentication URL of remote Keystone
sp_url a URL accessible at the remote service provider where SAML assertion is transmitted.
- Returns
list of dictionaries with enabled service providers
- Return type
list of dicts
-
keystone.federation.idp module¶
-
class
keystone.federation.idp.
ECPGenerator
[source]¶ Bases:
object
A class for generating an ECP assertion.
-
class
keystone.federation.idp.
MetadataGenerator
[source]¶ Bases:
object
A class for generating SAML IdP Metadata.
-
generate_metadata
()[source]¶ Generate Identity Provider Metadata.
Generate and format metadata into XML that can be exposed and consumed by a federated Service Provider.
- Returns
XML <EntityDescriptor> object.
- Raises
keystone.exception.ValidationError – If the required config options aren’t set.
-
-
class
keystone.federation.idp.
SAMLGenerator
[source]¶ Bases:
object
A class to generate SAML assertions.
-
samlize_token
(issuer, recipient, user, user_domain_name, roles, project, project_domain_name, groups, expires_in=None)[source]¶ Convert Keystone attributes to a SAML assertion.
- Parameters
issuer (string) – URL of the issuing party
recipient (string) – URL of the recipient
user (string) – User name
user_domain_name (string) – User Domain name
roles (list) – List of role names
project (string) – Project name
project_domain_name (string) – Project Domain name
groups (list) – List of strings of user groups and domain name, where strings are serialized dictionaries.
expires_in (int) – Sets how long the assertion is valid for, in seconds
- Returns
XML <Response> object
-
keystone.federation.schema module¶
keystone.federation.utils module¶
Utilities for Federation Extension.
-
class
keystone.federation.utils.
DirectMaps
[source]¶ Bases:
object
An abstraction around the remote matches.
Each match is treated internally as a list.
-
class
keystone.federation.utils.
RuleProcessor
(mapping_id, rules)[source]¶ Bases:
object
A class to process assertions and mapping rules.
-
process
(assertion_data)[source]¶ Transform assertion to a dictionary.
The dictionary contains mapping of user name and group ids based on mapping rules.
This function will iterate through the mapping rules to find assertions that are valid.
- Parameters
assertion_data (dict) – an assertion containing values from an IdP
Example assertion_data:
{ 'Email': 'testacct@example.com', 'UserName': 'testacct', 'FirstName': 'Test', 'LastName': 'Account', 'orgPersonType': 'Tester' }
- Returns
dictionary with user and group_ids
The expected return structure is:
{ 'name': 'foobar', 'group_ids': ['abc123', 'def456'], 'group_names': [ { 'name': 'group_name_1', 'domain': { 'name': 'domain1' } }, { 'name': 'group_name_1_1', 'domain': { 'name': 'domain1' } }, { 'name': 'group_name_2', 'domain': { 'id': 'xyz132' } } ] }
-
-
class
keystone.federation.utils.
UserType
[source]¶ Bases:
object
User mapping type.
-
EPHEMERAL
= 'ephemeral'¶
-
LOCAL
= 'local'¶
-
-
keystone.federation.utils.
transform_to_group_ids
(group_names, mapping_id, identity_api, resource_api)[source]¶ Transform groups identified by name/domain to their ids.
Function accepts list of groups identified by a name and domain giving a list of group ids in return. A message is logged if the group doesn’t exist in the backend.
Example of group_names parameter:
[ { "name": "group_name", "domain": { "id": "domain_id" }, }, { "name": "group_name_2", "domain": { "name": "domain_name" } } ]
- Parameters
group_names (list) – list of group identified by name and its domain.
mapping_id (str) – id of the mapping used for mapping assertion into local credentials
identity_api – identity_api object
resource_api – resource manager object
- Returns
generator object with group ids
-
keystone.federation.utils.
validate_idp
(idp, protocol, assertion)[source]¶ The IdP providing the assertion should be registered for the mapping.
-
keystone.federation.utils.
validate_mapped_group_ids
(group_ids, mapping_id, identity_api)[source]¶ Iterate over group ids and make sure they are present in the backend.
This call is not transactional. :param group_ids: IDs of the groups to be checked :type group_ids: list of str
- Parameters
mapping_id (str) – id of the mapping used for this operation
identity_api (identity.Manager) – Identity Manager object used for communication with backend
- Raises
keystone.exception.MappedGroupNotFound – If the group returned by mapping was not found in the backend.