openstack/python-keystoneclient
Code Issues Proposed changes
0d43c46ffa
python-keystoneclient/keystoneclient/v3/client.py

354 lines
14 KiB
Python
Raw Normal View History

v3 Client & test utils Change-Id: I6cafaad053b7fa1ca31f4f5aed1f86aa97c4e87e
2012-09-11 11:20:16 -05:00
# Copyright 2011 Nebula, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
Adjust import items according to hacking import rule This patch adjust import items and add missing blank lines acording to http://docs.openstack.org/developer/hacking/#imports {{stdlib imports in human alphabetical order}} \n {{third-party lib imports in human alphabetical order}} \n {{project imports in human alphabetical order}} \n \n {{begin your code}} hacking project also enforce some checks for import group. Let make the change in keytoneclient Change-Id: Ic83bd5ee426905588f4a2d555851a9a01fc69f02
2014-01-17 20:13:24 +08:00
v3 Client & test utils Change-Id: I6cafaad053b7fa1ca31f4f5aed1f86aa97c4e87e
2012-09-11 11:20:16 -05:00
import logging
Deprecate create v3 Client without session There was a comment to deprecate creating a v3 Client without a session. bp deprecations Change-Id: Ifc3fa9ffef12554646ca80f04527de757df3aa95
2015-07-26 08:55:30 -05:00
import warnings
v3 Client & test utils Change-Id: I6cafaad053b7fa1ca31f4f5aed1f86aa97c4e87e
2012-09-11 11:20:16 -05:00
Change oslo.serialization to oslo_serialization The oslo libraries are moving away from namespace packages. bp drop-namespace-packages Change-Id: I76dc9f733b222144f0274f8854877587c3501d1e
2015-01-20 10:47:44 -06:00
from oslo_serialization import jsonutils
Use oslo.utils and oslo.serialization Left timeutils and strutils in openstack/common since they are used in openstack/common/apiclient and memorycache. Change-Id: Idb5f09c159d907dfba84cd1f7501f650318af7d9
2014-10-14 17:49:17 -04:00
Create V3 Auth Plugins Extract the authentication code from a v3 client and move it to a series of auth plugins. As v3 authentication can contain multiple authentication methods this concept is represented by an AuthMethod. An auth plugin then is provided with multiple mechanisms to authenticate with. There is also some helper class for the standard case where you only need to authenticate with one method. When a v3 client wants to do authentication it will create a new v3 auth plugin, do the authentication and then take that result for the client to use. Change-Id: I5fa6a6e1c2e114e1428e35b723700c63a3cbed44 blueprint: auth-plugins
2014-01-21 11:40:28 +10:00
from keystoneclient.auth.identity import v3 as v3_auth
flake8: fix alphabetical imports and enable H306 Change-Id: I0f4fcc9796e8529e7217dc24abe95660633cad33
2013-08-01 17:09:55 -05:00
from keystoneclient import exceptions
Rename client.py to httpclient.py The discoverable entry point is to be client.Client however adding this functionality to the current client.py is impossible as we end up with circular dependencies. This patch simply renames the current client.py to httpclient.py to make future patches that will modify client.py more readable. Required for: blueprint api-version-discovery Change-Id: Ibcea03f6e1df0ae05329297166a8b8117fc3ce7b
2013-07-31 16:13:13 +10:00
from keystoneclient import httpclient
I18n Keystoneclient didn't provide translated messages. With this change, the messages are marked for translation. DocImpact Implements: blueprint keystoneclient-i18n Change-Id: I85263a71671a1dffed524185266e6bb7ae559630
2014-10-27 10:54:48 -05:00
from keystoneclient.i18n import _
Add support for app cred access rules This change adds access_rules as a parameter for creating application credentials, and also adds the ability to list access rules and to retrieve and delete individual rules. Directly creating an access rule or updating one is not supported. bp whitelist-extension-for-app-creds Depends-On: https://review.opendev.org/671374 Change-Id: I490f1e6b421d4f36f588f83a511ce39b9b4204e2
2019-08-20 17:37:34 -07:00
from keystoneclient.v3 import access_rules
Add CRUD support for application credentials Add support for creating, reading, and deleting application credentials. Application credentials do not support updating. Keystoneclient does not handle authentication with application credentials. This is done in keystoneauth. Additional work will be needed in python-openstackclient to support both CRUD and auth for application credentials. bp application credentials Change-Id: I21214238deac2c45f2f2d666287c2ae106955ab1
2018-01-17 23:46:56 +01:00
from keystoneclient.v3 import application_credentials
Support /auth routes for list projects and domains The /auth routes are the preferred mechanism for listing the projects and domains that the current token can be authenticated to as they supports both federated and regular tokens. Expose these routes via the client so that they can be consumed. Change-Id: I9724a648ebd9d21edf8ffcc64f4cdb897a99101c
2015-03-30 17:16:25 +11:00
from keystoneclient.v3 import auth
Implement endpoint filtering functionality on the client side. bp/endpoint-filtering Change-Id: I48cb8dbd2720bb0c5777712b68a8a5b8f3bf7f60
2014-03-24 22:13:48 -07:00
from keystoneclient.v3.contrib import endpoint_filter
Add support for endpoint policy. This adds the client library class for the endpoint policy extension. Implements: bp endpoint-policy Change-Id: I7153d7a093f4299d7f912b0b4a9a02ffacdb9e69
2014-09-18 09:59:38 +01:00
from keystoneclient.v3.contrib import endpoint_policy
Add CRUD operations for Identity Providers. Add relevant methods for adding, updating, listing, getting, and deleting Identity Provider objects. Change-Id: Ib77781b507d2c06c368a1877eb716ec7fe2d88e4 Implements: blueprint federation-crud-operations
2014-03-26 17:44:08 +01:00
from keystoneclient.v3.contrib import federation
OAuth request/access token and consumer support for oauth client API Add support for creating request and access tokens, and to authorize request tokens. Also adding basic CRUD for consumer entities. DocImpact Change-Id: Ib9d0b223f202a7e33cbad1602da5be7479cd3284 implements: bp add-oauth-support
2013-12-09 07:50:44 -06:00
from keystoneclient.v3.contrib import oauth1
Add OS-SIMPLE-CERT support for v3. There was no API support for the OS-SIMPLE-CERT v3 extension. bp auth-token-use-client Change-Id: Ic3d36018fc2e5a5a0da8d37a7fa58b77b8fa8e15
2014-12-16 13:28:05 -06:00
from keystoneclient.v3.contrib import simple_cert
Initial Trusts support Implements client support for the basic trusts API operations, note this does not include support for the roles subpath operations, support for those can be added in a subsequent patch. Change-Id: I0c6ba12bad5cc8f3f10697d2a3dcf4f3be8c7ece blueprint: delegation-impersonation-support
2013-08-02 11:45:38 +01:00
from keystoneclient.v3.contrib import trusts
v3 Credential CRUD Change-Id: I646ff7db3ccf827f912ebdb78fdf8d765d52c26c
2012-09-11 15:42:38 -05:00
from keystoneclient.v3 import credentials
Support domain-specific configuration management Provide support for the domain-specific configuration storage available via the REST API. Domain configs are JSON blobs and we have fine grained control on them via the Identity API. This fine grained control is not defined yet in the client, though - for now, we can manage everything like Python dictionaries and use operations like "update" whenever we want to delete a specific group or option. This approach is similar to what is done in the federation mapping API to handle mapping rules. Functional tests are also included, this is useful to check if the new feature works in an integration environment. Co-Auhtored-By: Henry Nash <henryn@linux.vnet.ibm.com> Co-Authored-By: Rodrigo Duarte <rduartes@redhat.com> Closes-Bug: 1433306 Partially Implements: blueprint domain-config-ext Change-Id: Ie6795b8633fed38c58b79250c11c9a045b7f95a4
2015-03-24 17:57:25 +00:00
from keystoneclient.v3 import domain_configs
v3 Domain CRUD Change-Id: I830055dc3bd079715403029a85890c40b687f632
2012-09-11 12:32:01 -05:00
from keystoneclient.v3 import domains
Add EC2 CRUD credential support to v3 API The keystone V3 API ships with EC2 in the pipeline by default. The CRUD manager is available for the V2 API and we should also make it available for v3. Change-Id: I635a12b1647d5187ded7d0aea9c0277dfbb15eff Closes-Bug: #1236326
2015-06-01 13:13:38 +10:00
from keystoneclient.v3 import ec2
Add support for endpoint group CRUD The following API calls are made available: - POST /OS-EP-FILTER/endpoint_groups - GET /OS-EP-FILTER/endpoint_groups/{endpoint_group_id} - HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id} - PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group_id} - DELETE /OS-EP-FILTER/endpoint_groups/{endpoint_group_id} - GET /OS-EP-FILTER/endpoint_groups Partial-Bug: #1641674 Change-Id: I285eefe82152b178268f671e8800a0ff8c1511e4
2017-01-05 23:37:39 -03:00
from keystoneclient.v3 import endpoint_groups
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
from keystoneclient.v3 import endpoints
Add support for user groups This initial change provides the support in keystoneclient to match the api specified in the blueprint. Keystone itself does not yet support these calls, so if you actually called these, then you would get an error from the server. However the changes should be benign in terms of other api calls. Blueprint keystone/+spec/user-groups Api changes: review.openstack.org/#/c/18138 DocImpact Change-Id: I9abfa82b39fa0c6d58fe0d22622944d3e6be39be
2012-12-07 16:47:56 +00:00
from keystoneclient.v3 import groups
Add support for project-specific limits Thsi commit adds client support for managing limits in keystone. bp unified-limits Change-Id: I33251dbd4d3bfaf178ca86a2f5d564ac94879dd2
2018-06-11 19:19:03 +00:00
from keystoneclient.v3 import limits
v3 Policy CRUD Change-Id: Iaecf3427877dd1751bb546c24413bc759938922c
2012-09-11 11:44:05 -05:00
from keystoneclient.v3 import policies
v3 Project CRUD Change-Id: I027dbba3a0573fde590295be5b31e3701d8c01f5
2012-09-11 15:38:22 -05:00
from keystoneclient.v3 import projects
Regions Management Client code for v3 API regions implementation. Change-Id: I5c1526457395ba3fb06977bea775ff572ec840ba Closes-Bug: 1289519
2014-04-11 16:39:16 -04:00
from keystoneclient.v3 import regions
Add support for registered limits This change add client support for creating, reading, updating, and deleting registered limits. A subsequent patch will do the same for project-specific limits. bp unified-limits Depends-On: https://review.openstack.org/#/c/569741/ Change-Id: I6b5d106d08af53c2ad41ed3f799e9e71d370c6dd
2018-01-24 21:46:52 +00:00
from keystoneclient.v3 import registered_limits
Add /role_assignments endpoint support This patch adds role assignments list support to keystoneclient. Created RoleAssignment resource and RoleAssignmentManager classes. RoleAssignmentManager only implements the list() method, the other inherited methods from base.CrudManager raises a MethodNotImplemented error with customized messages. This bp is complimented with the OSC part: https://blueprints.launchpad.net/python-openstackclient/+spec/roles-assignment-list Change-Id: I164b58b67ff42320238e943ddfa9d0a8aadd0a6d Implements: blueprint roles-assignment-support Closes-Bug: #1246310
2014-05-01 11:07:59 -03:00
from keystoneclient.v3 import role_assignments
v3 Role CRUD Change-Id: Iacb6e56ef60537b7cd3a4fbe3db1f0db1604fdc2
2012-09-11 15:34:56 -05:00
from keystoneclient.v3 import roles
v3 Service CRUD Change-Id: I5594ce92e99241f95775773233f09170a8a371b1
2012-09-11 11:22:30 -05:00
from keystoneclient.v3 import services
expose the revoke token for V3 Implement the v3 revoke token method for CLI. Change-Id: Ib01f6341e087866ca05862c200e6c783fb1a8ff5 Closes-Bug: #1331972
2014-06-26 10:47:23 +08:00
from keystoneclient.v3 import tokens
v3 User CRUD Change-Id: Ieea3c474ce3795e2c97e399988228cdb2715f2ef
2012-09-11 15:40:37 -05:00
from keystoneclient.v3 import users
v3 Client & test utils Change-Id: I6cafaad053b7fa1ca31f4f5aed1f86aa97c4e87e
2012-09-11 11:20:16 -05:00
_logger = logging.getLogger(__name__)
Rename client.py to httpclient.py The discoverable entry point is to be client.Client however adding this functionality to the current client.py is impossible as we end up with circular dependencies. This patch simply renames the current client.py to httpclient.py to make future patches that will modify client.py more readable. Required for: blueprint api-version-discovery Change-Id: Ibcea03f6e1df0ae05329297166a8b8117fc3ce7b
2013-07-31 16:13:13 +10:00
class Client(httpclient.HTTPClient):
Fixing D301 PEP257 violation. Currently tox ignores D301. D301: Use r”“” if any backslashes in adocstring. This change removes D301 ignore and fix violations. Change-Id: I9dbe2c9d59e2c2d8585a53840a579a9b9c57a09c
2016-05-02 16:29:24 +00:00
r"""Client for the OpenStack Identity API v3.
v3 Client & test utils Change-Id: I6cafaad053b7fa1ca31f4f5aed1f86aa97c4e87e
2012-09-11 11:20:16 -05:00
Document session as an argument to v3.Client Developers are probably going to want to know what the type of the session argument is since other methods of constructing v3.client.Client are deprecated. Change-Id: Ifb94ef134b86980f88e7cf3c80344c458937d1ab
2016-02-28 11:10:41 -06:00
:param session: Session for requests. (optional)
:type session: keystoneauth1.session.Session
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
:param string user_id: User ID for authentication. (optional)
v3 Client & test utils Change-Id: I6cafaad053b7fa1ca31f4f5aed1f86aa97c4e87e
2012-09-11 11:20:16 -05:00
:param string username: Username for authentication. (optional)
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
:param string user_domain_id: User's domain ID for authentication.
(optional)
:param string user_domain_name: User's domain name for authentication.
(optional)
v3 Client & test utils Change-Id: I6cafaad053b7fa1ca31f4f5aed1f86aa97c4e87e
2012-09-11 11:20:16 -05:00
:param string password: Password for authentication. (optional)
:param string token: Token for authentication. (optional)
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
:param string domain_id: Domain ID for domain scoping. (optional)
:param string domain_name: Domain name for domain scoping. (optional)
:param string project_id: Project ID for project scoping. (optional)
:param string project_name: Project name for project scoping. (optional)
:param string project_domain_id: Project's domain ID for project
scoping. (optional)
:param string project_domain_name: Project's domain name for project
scoping. (optional)
:param string tenant_name: Tenant name. (optional)
Proper deprecation for HTTPClient tenant_id, tenant_name parameters HTTPClient() tenant_id and tenant_name parameters weren't properly deprecated since they were only mentioned in the docstring. Proper deprecation requires use of warnings/debtcollector and documentation. Also fixed a bunch of places in the tests where tenant_id and tenant_name were still being used despite being deprecated. bp deprecations Change-Id: I9c4f596b8ff10aede6c417886638a942cb18044c
2015-07-24 15:06:00 -05:00
The tenant_name keyword argument is deprecated
as of the 1.7.0 release in favor of project_name
and may be removed in the 2.0.0 release.
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
:param string tenant_id: Tenant id. (optional)
Proper deprecation for HTTPClient tenant_id, tenant_name parameters HTTPClient() tenant_id and tenant_name parameters weren't properly deprecated since they were only mentioned in the docstring. Proper deprecation requires use of warnings/debtcollector and documentation. Also fixed a bunch of places in the tests where tenant_id and tenant_name were still being used despite being deprecated. bp deprecations Change-Id: I9c4f596b8ff10aede6c417886638a942cb18044c
2015-07-24 15:06:00 -05:00
The tenant_id keyword argument is deprecated as of
the 1.7.0 release in favor of project_id and may
be removed in the 2.0.0 release.
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
:param string auth_url: Identity service endpoint for authorization.
v3 Client & test utils Change-Id: I6cafaad053b7fa1ca31f4f5aed1f86aa97c4e87e
2012-09-11 11:20:16 -05:00
:param string region_name: Name of a region to select when choosing an
endpoint from the service catalog.
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
:param string endpoint: A user-supplied endpoint URL for the identity
v3 Client & test utils Change-Id: I6cafaad053b7fa1ca31f4f5aed1f86aa97c4e87e
2012-09-11 11:20:16 -05:00
service. Lazy-authentication is possible for API
service calls if endpoint is set at
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
instantiation. (optional)
v3 Client & test utils Change-Id: I6cafaad053b7fa1ca31f4f5aed1f86aa97c4e87e
2012-09-11 11:20:16 -05:00
:param integer timeout: Allows customization of the timeout for client
http requests. (optional)
Deprecate create v3 Client without session There was a comment to deprecate creating a v3 Client without a session. bp deprecations Change-Id: Ifc3fa9ffef12554646ca80f04527de757df3aa95
2015-07-26 08:55:30 -05:00
.. warning::
Constructing an instance of this class without a session is
deprecated as of the 1.7.0 release and will be removed in the
2.0.0 release.
v3 Client & test utils Change-Id: I6cafaad053b7fa1ca31f4f5aed1f86aa97c4e87e
2012-09-11 11:20:16 -05:00
Example::
Update Client examples to use sessions The docstring examples in the v2_0 and v3 Client classes showed passing username and password. Passing username and password is deprecated in favor of using keystoneauth session. The examples shouldn't use deprecated behavior otherwise we'll never get developers to stop using it. Change-Id: Ia79ed7a02a48553eba8eb83a654c3c75601fa07d
2016-02-28 08:59:43 -06:00
>>> from keystoneauth1.identity import v3
>>> from keystoneauth1 import session
v3 Client & test utils Change-Id: I6cafaad053b7fa1ca31f4f5aed1f86aa97c4e87e
2012-09-11 11:20:16 -05:00
>>> from keystoneclient.v3 import client
Update Client examples to use sessions The docstring examples in the v2_0 and v3 Client classes showed passing username and password. Passing username and password is deprecated in favor of using keystoneauth session. The examples shouldn't use deprecated behavior otherwise we'll never get developers to stop using it. Change-Id: Ia79ed7a02a48553eba8eb83a654c3c75601fa07d
2016-02-28 08:59:43 -06:00
>>> auth = v3.Password(user_domain_name=DOMAIN_NAME,
... username=USER,
... password=PASS,
... project_domain_name=PROJECT_DOMAIN_NAME,
... project_name=PROJECT_NAME,
... auth_url=KEYSTONE_URL)
>>> sess = session.Session(auth=auth)
>>> keystone = client.Client(session=sess)
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
>>> keystone.projects.list()
v3 Client & test utils Change-Id: I6cafaad053b7fa1ca31f4f5aed1f86aa97c4e87e
2012-09-11 11:20:16 -05:00
...
>>> user = keystone.users.get(USER_ID)
>>> user.delete()
Docstrings for usability. The keystoneclient docstrings should give guidance for an application developer to actually use the library. Here's a start. Partial-Bug: #1330769 Change-Id: I1a9434704d0cd6b58de76933ff78c8d5c0aa3e3b
2014-06-12 14:51:21 -05:00
Instances of this class have the following managers:
.. py:attribute:: credentials
:py:class:`keystoneclient.v3.credentials.CredentialManager`
Support domain-specific configuration management Provide support for the domain-specific configuration storage available via the REST API. Domain configs are JSON blobs and we have fine grained control on them via the Identity API. This fine grained control is not defined yet in the client, though - for now, we can manage everything like Python dictionaries and use operations like "update" whenever we want to delete a specific group or option. This approach is similar to what is done in the federation mapping API to handle mapping rules. Functional tests are also included, this is useful to check if the new feature works in an integration environment. Co-Auhtored-By: Henry Nash <henryn@linux.vnet.ibm.com> Co-Authored-By: Rodrigo Duarte <rduartes@redhat.com> Closes-Bug: 1433306 Partially Implements: blueprint domain-config-ext Change-Id: Ie6795b8633fed38c58b79250c11c9a045b7f95a4
2015-03-24 17:57:25 +00:00
.. py:attribute:: domain_configs
:py:class:`keystoneclient.v3.domain_configs.DomainConfigManager`
Add EC2 CRUD credential support to v3 API The keystone V3 API ships with EC2 in the pipeline by default. The CRUD manager is available for the V2 API and we should also make it available for v3. Change-Id: I635a12b1647d5187ded7d0aea9c0277dfbb15eff Closes-Bug: #1236326
2015-06-01 13:13:38 +10:00
.. py:attribute:: ec2
:py:class:`keystoneclient.v3.ec2.EC2Manager`
Docstrings for usability. The keystoneclient docstrings should give guidance for an application developer to actually use the library. Here's a start. Partial-Bug: #1330769 Change-Id: I1a9434704d0cd6b58de76933ff78c8d5c0aa3e3b
2014-06-12 14:51:21 -05:00
.. py:attribute:: endpoint_filter
:py:class:`keystoneclient.v3.contrib.endpoint_filter.\
Fixing D204, D205, and D207 PEP257 violation. Currently tox ignores D204, D205, and D207. D204: 1 blank required after class docstring. D205: Blank line required between one-line summary and description. D207: Docstring is under-indented. This change removes D204, D205, and D207 ignores in tox and fix violations. Change-Id: Id20d216fbd7647d468859b960088aac61c582d9b
2016-05-03 18:08:31 +00:00
EndpointFilterManager`
Docstrings for usability. The keystoneclient docstrings should give guidance for an application developer to actually use the library. Here's a start. Partial-Bug: #1330769 Change-Id: I1a9434704d0cd6b58de76933ff78c8d5c0aa3e3b
2014-06-12 14:51:21 -05:00
Add support for endpoint group CRUD The following API calls are made available: - POST /OS-EP-FILTER/endpoint_groups - GET /OS-EP-FILTER/endpoint_groups/{endpoint_group_id} - HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id} - PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group_id} - DELETE /OS-EP-FILTER/endpoint_groups/{endpoint_group_id} - GET /OS-EP-FILTER/endpoint_groups Partial-Bug: #1641674 Change-Id: I285eefe82152b178268f671e8800a0ff8c1511e4
2017-01-05 23:37:39 -03:00
.. py:attribute:: endpoint_groups
:py:class:`keystoneclient.v3.endpoint_groups.\
EndpointGroupManager`
Add support for endpoint policy. This adds the client library class for the endpoint policy extension. Implements: bp endpoint-policy Change-Id: I7153d7a093f4299d7f912b0b4a9a02ffacdb9e69
2014-09-18 09:59:38 +01:00
.. py:attribute:: endpoint_policy
:py:class:`keystoneclient.v3.contrib.endpoint_policy.\
Fixing D204, D205, and D207 PEP257 violation. Currently tox ignores D204, D205, and D207. D204: 1 blank required after class docstring. D205: Blank line required between one-line summary and description. D207: Docstring is under-indented. This change removes D204, D205, and D207 ignores in tox and fix violations. Change-Id: Id20d216fbd7647d468859b960088aac61c582d9b
2016-05-03 18:08:31 +00:00
EndpointPolicyManager`
Add support for endpoint policy. This adds the client library class for the endpoint policy extension. Implements: bp endpoint-policy Change-Id: I7153d7a093f4299d7f912b0b4a9a02ffacdb9e69
2014-09-18 09:59:38 +01:00
Docstrings for usability. The keystoneclient docstrings should give guidance for an application developer to actually use the library. Here's a start. Partial-Bug: #1330769 Change-Id: I1a9434704d0cd6b58de76933ff78c8d5c0aa3e3b
2014-06-12 14:51:21 -05:00
.. py:attribute:: endpoints
:py:class:`keystoneclient.v3.endpoints.EndpointManager`
.. py:attribute:: domains
:py:class:`keystoneclient.v3.domains.DomainManager`
.. py:attribute:: federation
:py:class:`keystoneclient.v3.contrib.federation.core.FederationManager`
.. py:attribute:: groups
:py:class:`keystoneclient.v3.groups.GroupManager`
Add support for project-specific limits Thsi commit adds client support for managing limits in keystone. bp unified-limits Change-Id: I33251dbd4d3bfaf178ca86a2f5d564ac94879dd2
2018-06-11 19:19:03 +00:00
.. py:attribute:: limits
:py:class:`keystoneclient.v3.limits.LimitManager`
Docstrings for usability. The keystoneclient docstrings should give guidance for an application developer to actually use the library. Here's a start. Partial-Bug: #1330769 Change-Id: I1a9434704d0cd6b58de76933ff78c8d5c0aa3e3b
2014-06-12 14:51:21 -05:00
.. py:attribute:: oauth1
:py:class:`keystoneclient.v3.contrib.oauth1.core.OAuthManager`
.. py:attribute:: policies
:py:class:`keystoneclient.v3.policies.PolicyManager`
.. py:attribute:: regions
:py:class:`keystoneclient.v3.regions.RegionManager`
Add support for registered limits This change add client support for creating, reading, updating, and deleting registered limits. A subsequent patch will do the same for project-specific limits. bp unified-limits Depends-On: https://review.openstack.org/#/c/569741/ Change-Id: I6b5d106d08af53c2ad41ed3f799e9e71d370c6dd
2018-01-24 21:46:52 +00:00
.. py:attribute:: registered_limits
:py:class:`keystoneclient.v3.registered_limits.RegisteredLimitManager`
Docstrings for usability. The keystoneclient docstrings should give guidance for an application developer to actually use the library. Here's a start. Partial-Bug: #1330769 Change-Id: I1a9434704d0cd6b58de76933ff78c8d5c0aa3e3b
2014-06-12 14:51:21 -05:00
.. py:attribute:: role_assignments
:py:class:`keystoneclient.v3.role_assignments.RoleAssignmentManager`
.. py:attribute:: roles
:py:class:`keystoneclient.v3.roles.RoleManager`
Add OS-SIMPLE-CERT support for v3. There was no API support for the OS-SIMPLE-CERT v3 extension. bp auth-token-use-client Change-Id: Ic3d36018fc2e5a5a0da8d37a7fa58b77b8fa8e15
2014-12-16 13:28:05 -06:00
.. py:attribute:: simple_cert
:py:class:`keystoneclient.v3.contrib.simple_cert.SimpleCertManager`
Docstrings for usability. The keystoneclient docstrings should give guidance for an application developer to actually use the library. Here's a start. Partial-Bug: #1330769 Change-Id: I1a9434704d0cd6b58de76933ff78c8d5c0aa3e3b
2014-06-12 14:51:21 -05:00
.. py:attribute:: services
:py:class:`keystoneclient.v3.services.ServiceManager`
expose the revoke token for V3 Implement the v3 revoke token method for CLI. Change-Id: Ib01f6341e087866ca05862c200e6c783fb1a8ff5 Closes-Bug: #1331972
2014-06-26 10:47:23 +08:00
.. py:attribute:: tokens
:py:class:`keystoneclient.v3.tokens.TokenManager`
Docstrings for usability. The keystoneclient docstrings should give guidance for an application developer to actually use the library. Here's a start. Partial-Bug: #1330769 Change-Id: I1a9434704d0cd6b58de76933ff78c8d5c0aa3e3b
2014-06-12 14:51:21 -05:00
.. py:attribute:: trusts
:py:class:`keystoneclient.v3.contrib.trusts.TrustManager`
move attributes of v3.client.Client into alphabetical order Just make self.users be consistent with the other assignments. Change-Id: Ib3053774e9dd905eb4ef50668d6638ce19750177
2014-08-05 15:09:01 +08:00
.. py:attribute:: users
:py:class:`keystoneclient.v3.users.UserManager`
v3 Client & test utils Change-Id: I6cafaad053b7fa1ca31f4f5aed1f86aa97c4e87e
2012-09-11 11:20:16 -05:00
"""
Discover supported APIs Allow discovery of the API versions a server supports and create an appropriate client based on this. Implements: blueprint api-version-discovery Change-Id: I63e6759889066a784dc47e35152c82e1ead7951d
2013-09-23 11:50:57 +10:00
version = 'v3'
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
def __init__(self, **kwargs):
Fix and enable H401 Remove leading spaces from doc comments. Change-Id: I75b055c0d64dda478c63839d44158e301900107f
2013-06-21 19:04:50 +02:00
"""Initialize a new client for the Keystone v3 API."""
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
super(Client, self).__init__(**kwargs)
v3 Client & test utils Change-Id: I6cafaad053b7fa1ca31f4f5aed1f86aa97c4e87e
2012-09-11 11:20:16 -05:00
Deprecate create v3 Client without session There was a comment to deprecate creating a v3 Client without a session. bp deprecations Change-Id: Ifc3fa9ffef12554646ca80f04527de757df3aa95
2015-07-26 08:55:30 -05:00
if not kwargs.get('session'):
warnings.warn(
'Constructing an instance of the '
'keystoneclient.v3.client.Client class without a session is '
'deprecated as of the 1.7.0 release and may be removed in '
'the 2.0.0 release.', DeprecationWarning)
Add support for app cred access rules This change adds access_rules as a parameter for creating application credentials, and also adds the ability to list access rules and to retrieve and delete individual rules. Directly creating an access rule or updating one is not supported. bp whitelist-extension-for-app-creds Depends-On: https://review.opendev.org/671374 Change-Id: I490f1e6b421d4f36f588f83a511ce39b9b4204e2
2019-08-20 17:37:34 -07:00
self.access_rules = (
access_rules.AccessRuleManager(self._adapter)
)
Add CRUD support for application credentials Add support for creating, reading, and deleting application credentials. Application credentials do not support updating. Keystoneclient does not handle authentication with application credentials. This is done in keystoneauth. Additional work will be needed in python-openstackclient to support both CRUD and auth for application credentials. bp application credentials Change-Id: I21214238deac2c45f2f2d666287c2ae106955ab1
2018-01-17 23:46:56 +01:00
self.application_credentials = (
application_credentials.ApplicationCredentialManager(self._adapter)
)
Support /auth routes for list projects and domains The /auth routes are the preferred mechanism for listing the projects and domains that the current token can be authenticated to as they supports both federated and regular tokens. Expose these routes via the client so that they can be consumed. Change-Id: I9724a648ebd9d21edf8ffcc64f4cdb897a99101c
2015-03-30 17:16:25 +11:00
self.auth = auth.AuthManager(self._adapter)
Make keystoneclient use an adapter Apart from making keystoneclient follow the same patterns of using an adapter that we are trying to push onto other clients this severs the cyclical dependency between managers and the client object. There are a few changes that have had to be rolled into one to make the transition work. These can't be separated unfortunately as they are interdependent. * managers are now passed the adapter instead of the client. They therefore don't have reference to the other managers on the client. * The adapter has been subclassed to provide user_id as there are some managers that require user_id be provided for changing passwords etc. * client.auth_url has been replaced with a call to get_endpoint which is supported by the adapter. * management=True has been removed from all the managers and they now correctly set the interface they want. Change-Id: I49fbd50571f0c1484e1cbc3dcb2159d25b21b1bc
2014-07-04 09:09:18 +10:00
self.credentials = credentials.CredentialManager(self._adapter)
Add EC2 CRUD credential support to v3 API The keystone V3 API ships with EC2 in the pipeline by default. The CRUD manager is available for the V2 API and we should also make it available for v3. Change-Id: I635a12b1647d5187ded7d0aea9c0277dfbb15eff Closes-Bug: #1236326
2015-06-01 13:13:38 +10:00
self.ec2 = ec2.EC2Manager(self._adapter)
Make keystoneclient use an adapter Apart from making keystoneclient follow the same patterns of using an adapter that we are trying to push onto other clients this severs the cyclical dependency between managers and the client object. There are a few changes that have had to be rolled into one to make the transition work. These can't be separated unfortunately as they are interdependent. * managers are now passed the adapter instead of the client. They therefore don't have reference to the other managers on the client. * The adapter has been subclassed to provide user_id as there are some managers that require user_id be provided for changing passwords etc. * client.auth_url has been replaced with a call to get_endpoint which is supported by the adapter. * management=True has been removed from all the managers and they now correctly set the interface they want. Change-Id: I49fbd50571f0c1484e1cbc3dcb2159d25b21b1bc
2014-07-04 09:09:18 +10:00
self.endpoint_filter = endpoint_filter.EndpointFilterManager(
self._adapter)
Add support for endpoint group CRUD The following API calls are made available: - POST /OS-EP-FILTER/endpoint_groups - GET /OS-EP-FILTER/endpoint_groups/{endpoint_group_id} - HEAD /OS-EP-FILTER/endpoint_groups/{endpoint_group_id} - PATCH /OS-EP-FILTER/endpoint_groups/{endpoint_group_id} - DELETE /OS-EP-FILTER/endpoint_groups/{endpoint_group_id} - GET /OS-EP-FILTER/endpoint_groups Partial-Bug: #1641674 Change-Id: I285eefe82152b178268f671e8800a0ff8c1511e4
2017-01-05 23:37:39 -03:00
self.endpoint_groups = endpoint_groups.EndpointGroupManager(
self._adapter)
Make keystoneclient use an adapter Apart from making keystoneclient follow the same patterns of using an adapter that we are trying to push onto other clients this severs the cyclical dependency between managers and the client object. There are a few changes that have had to be rolled into one to make the transition work. These can't be separated unfortunately as they are interdependent. * managers are now passed the adapter instead of the client. They therefore don't have reference to the other managers on the client. * The adapter has been subclassed to provide user_id as there are some managers that require user_id be provided for changing passwords etc. * client.auth_url has been replaced with a call to get_endpoint which is supported by the adapter. * management=True has been removed from all the managers and they now correctly set the interface they want. Change-Id: I49fbd50571f0c1484e1cbc3dcb2159d25b21b1bc
2014-07-04 09:09:18 +10:00
self.endpoint_policy = endpoint_policy.EndpointPolicyManager(
self._adapter)
self.endpoints = endpoints.EndpointManager(self._adapter)
Support domain-specific configuration management Provide support for the domain-specific configuration storage available via the REST API. Domain configs are JSON blobs and we have fine grained control on them via the Identity API. This fine grained control is not defined yet in the client, though - for now, we can manage everything like Python dictionaries and use operations like "update" whenever we want to delete a specific group or option. This approach is similar to what is done in the federation mapping API to handle mapping rules. Functional tests are also included, this is useful to check if the new feature works in an integration environment. Co-Auhtored-By: Henry Nash <henryn@linux.vnet.ibm.com> Co-Authored-By: Rodrigo Duarte <rduartes@redhat.com> Closes-Bug: 1433306 Partially Implements: blueprint domain-config-ext Change-Id: Ie6795b8633fed38c58b79250c11c9a045b7f95a4
2015-03-24 17:57:25 +00:00
self.domain_configs = domain_configs.DomainConfigManager(self._adapter)
Make keystoneclient use an adapter Apart from making keystoneclient follow the same patterns of using an adapter that we are trying to push onto other clients this severs the cyclical dependency between managers and the client object. There are a few changes that have had to be rolled into one to make the transition work. These can't be separated unfortunately as they are interdependent. * managers are now passed the adapter instead of the client. They therefore don't have reference to the other managers on the client. * The adapter has been subclassed to provide user_id as there are some managers that require user_id be provided for changing passwords etc. * client.auth_url has been replaced with a call to get_endpoint which is supported by the adapter. * management=True has been removed from all the managers and they now correctly set the interface they want. Change-Id: I49fbd50571f0c1484e1cbc3dcb2159d25b21b1bc
2014-07-04 09:09:18 +10:00
self.domains = domains.DomainManager(self._adapter)
self.federation = federation.FederationManager(self._adapter)
self.groups = groups.GroupManager(self._adapter)
Add support for project-specific limits Thsi commit adds client support for managing limits in keystone. bp unified-limits Change-Id: I33251dbd4d3bfaf178ca86a2f5d564ac94879dd2
2018-06-11 19:19:03 +00:00
self.limits = limits.LimitManager(self._adapter)
Make keystoneclient use an adapter Apart from making keystoneclient follow the same patterns of using an adapter that we are trying to push onto other clients this severs the cyclical dependency between managers and the client object. There are a few changes that have had to be rolled into one to make the transition work. These can't be separated unfortunately as they are interdependent. * managers are now passed the adapter instead of the client. They therefore don't have reference to the other managers on the client. * The adapter has been subclassed to provide user_id as there are some managers that require user_id be provided for changing passwords etc. * client.auth_url has been replaced with a call to get_endpoint which is supported by the adapter. * management=True has been removed from all the managers and they now correctly set the interface they want. Change-Id: I49fbd50571f0c1484e1cbc3dcb2159d25b21b1bc
2014-07-04 09:09:18 +10:00
self.oauth1 = oauth1.create_oauth_manager(self._adapter)
self.policies = policies.PolicyManager(self._adapter)
self.projects = projects.ProjectManager(self._adapter)
Add support for registered limits This change add client support for creating, reading, updating, and deleting registered limits. A subsequent patch will do the same for project-specific limits. bp unified-limits Depends-On: https://review.openstack.org/#/c/569741/ Change-Id: I6b5d106d08af53c2ad41ed3f799e9e71d370c6dd
2018-01-24 21:46:52 +00:00
self.registered_limits = registered_limits.RegisteredLimitManager(
self._adapter)
Make keystoneclient use an adapter Apart from making keystoneclient follow the same patterns of using an adapter that we are trying to push onto other clients this severs the cyclical dependency between managers and the client object. There are a few changes that have had to be rolled into one to make the transition work. These can't be separated unfortunately as they are interdependent. * managers are now passed the adapter instead of the client. They therefore don't have reference to the other managers on the client. * The adapter has been subclassed to provide user_id as there are some managers that require user_id be provided for changing passwords etc. * client.auth_url has been replaced with a call to get_endpoint which is supported by the adapter. * management=True has been removed from all the managers and they now correctly set the interface they want. Change-Id: I49fbd50571f0c1484e1cbc3dcb2159d25b21b1bc
2014-07-04 09:09:18 +10:00
self.regions = regions.RegionManager(self._adapter)
self.role_assignments = (
role_assignments.RoleAssignmentManager(self._adapter))
self.roles = roles.RoleManager(self._adapter)
re-work inference rule bindings - At least one API was not implemented (list_implied_roles) - the tests were lacking assertions and proper mocked responses - some of the functionality just didn't work (see bug) - returning Role objects instead of InferenceRule objects Related commits: - I80a40e88b571fe9b0eca3af8b705ea79f28eb904 - I66e863fb83f8dfcca2c48116d4377df060f402c3 Closes-Bug: 1647934 Change-Id: I7b449a93d7d4d3eb9ca857f6c1f78f884bad2534
2016-12-18 13:07:59 -08:00
self.inference_rules = roles.InferenceRuleManager(self._adapter)
Make keystoneclient use an adapter Apart from making keystoneclient follow the same patterns of using an adapter that we are trying to push onto other clients this severs the cyclical dependency between managers and the client object. There are a few changes that have had to be rolled into one to make the transition work. These can't be separated unfortunately as they are interdependent. * managers are now passed the adapter instead of the client. They therefore don't have reference to the other managers on the client. * The adapter has been subclassed to provide user_id as there are some managers that require user_id be provided for changing passwords etc. * client.auth_url has been replaced with a call to get_endpoint which is supported by the adapter. * management=True has been removed from all the managers and they now correctly set the interface they want. Change-Id: I49fbd50571f0c1484e1cbc3dcb2159d25b21b1bc
2014-07-04 09:09:18 +10:00
self.services = services.ServiceManager(self._adapter)
Add OS-SIMPLE-CERT support for v3. There was no API support for the OS-SIMPLE-CERT v3 extension. bp auth-token-use-client Change-Id: Ic3d36018fc2e5a5a0da8d37a7fa58b77b8fa8e15
2014-12-16 13:28:05 -06:00
self.simple_cert = simple_cert.SimpleCertManager(self._adapter)
Make keystoneclient use an adapter Apart from making keystoneclient follow the same patterns of using an adapter that we are trying to push onto other clients this severs the cyclical dependency between managers and the client object. There are a few changes that have had to be rolled into one to make the transition work. These can't be separated unfortunately as they are interdependent. * managers are now passed the adapter instead of the client. They therefore don't have reference to the other managers on the client. * The adapter has been subclassed to provide user_id as there are some managers that require user_id be provided for changing passwords etc. * client.auth_url has been replaced with a call to get_endpoint which is supported by the adapter. * management=True has been removed from all the managers and they now correctly set the interface they want. Change-Id: I49fbd50571f0c1484e1cbc3dcb2159d25b21b1bc
2014-07-04 09:09:18 +10:00
self.tokens = tokens.TokenManager(self._adapter)
self.trusts = trusts.TrustManager(self._adapter)
self.users = users.UserManager(self._adapter)
v3 Service CRUD Change-Id: I5594ce92e99241f95775773233f09170a8a371b1
2012-09-11 11:22:30 -05:00
Create V3 Auth Plugins Extract the authentication code from a v3 client and move it to a series of auth plugins. As v3 authentication can contain multiple authentication methods this concept is represented by an AuthMethod. An auth plugin then is provided with multiple mechanisms to authenticate with. There is also some helper class for the standard case where you only need to authenticate with one method. When a v3 client wants to do authentication it will create a new v3 auth plugin, do the authentication and then take that result for the client to use. Change-Id: I5fa6a6e1c2e114e1428e35b723700c63a3cbed44 blueprint: auth-plugins
2014-01-21 11:40:28 +10:00
# DEPRECATED: if session is passed then we go to the new behaviour of
# authenticating on the first required call.
if 'session' not in kwargs and self.management_url is None:
Client V3 shouldn't inherit V2 Client V3 is a completely different implementation of the API, if we want to intermix the V2 and V3 APIs then we don't need to version our client at all. Change-Id: I80579cd41df73ccfc6c8feb76843772829afac4e
2013-07-18 15:54:41 +10:00
self.authenticate()
v3 Client & test utils Change-Id: I6cafaad053b7fa1ca31f4f5aed1f86aa97c4e87e
2012-09-11 11:20:16 -05:00
def serialize(self, entity):
Use OSLO jsonutils instead of json module For most things there is very little difference, but as we have a jsonutils module we should probably be using it. Change-Id: I406ea81bb56ad90cc9ff9b8b58b0d35b694dc802
2013-08-16 11:45:44 +10:00
return jsonutils.dumps(entity, sort_keys=True)
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
Properly handle Regions in keystoneclient Region name is taken as a parameter but is ignored in all communication with the service catalog. Currently region can be stored in the token data and then requests to url functions will return the appropriate region. This is the wrong approach because there is nothing specific to the token (or auth_data) that is region specific. Instead region information should be held by the client. Closes-Bug: 1147530 Closes-Bug: 1255992 Change-Id: I812aa89c8b4af28e294e63926a7f88e8246fffc5
2013-10-22 09:41:00 +10:00
def process_token(self, **kwargs):
Fix and enable H401 Remove leading spaces from doc comments. Change-Id: I75b055c0d64dda478c63839d44158e301900107f
2013-06-21 19:04:50 +02:00
"""Extract and process information from the new auth_ref.
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
And set the relevant authentication information.
"""
Properly handle Regions in keystoneclient Region name is taken as a parameter but is ignored in all communication with the service catalog. Currently region can be stored in the token data and then requests to url functions will return the appropriate region. This is the wrong approach because there is nothing specific to the token (or auth_data) that is region specific. Instead region information should be held by the client. Closes-Bug: 1147530 Closes-Bug: 1255992 Change-Id: I812aa89c8b4af28e294e63926a7f88e8246fffc5
2013-10-22 09:41:00 +10:00
super(Client, self).process_token(**kwargs)
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
if self.auth_ref.domain_scoped:
if not self.auth_ref.domain_id:
raise exceptions.AuthorizationFailure(
I18n Keystoneclient didn't provide translated messages. With this change, the messages are marked for translation. DocImpact Implements: blueprint keystoneclient-i18n Change-Id: I85263a71671a1dffed524185266e6bb7ae559630
2014-10-27 10:54:48 -05:00
_("Token didn't provide domain_id"))
Respect region name when processing domain URL When deprecating the use of management_url from service_catalog we updated the management_url setter for the project scoped token, however we missed the domain scoped token case. There is actually nothing we can do here to test this scenario as the backwards compatibility code that was installed handles this for us and there is no problem, however we should not be internally relying on deprecated code. Change-Id: I59bac4d9d74f2eb8bc6edd40518c7cd5a4fe1343
2014-01-10 16:38:55 +10:00
self._process_management_url(kwargs.get('region_name'))
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
self.domain_name = self.auth_ref.domain_name
self.domain_id = self.auth_ref.domain_id
Adds to Keystone to convert V2 endpoints to V3 The Domain Quota Management Driver uses the V3 Authentication Token. Also, it tries to contact Keystone for getting list of projects in a domain using V3 API like /v3/projects?domain_id=<id>. But the keystone v3/client.py default uses V2 API and hence code changed to convert V2 endpoints for V3 endpoints. This change is required to implement blue print domain-quota-driver-api Change-Id: If62ffc5e5252477bbe4d80f14c0a7653e11d5403 Closes-Bug: 1260916
2014-02-24 01:47:21 +01:00
if self._management_url:
self._management_url = self._management_url.replace('/v2.0', '/v3')
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
def get_raw_token_from_identity_service(self, auth_url, user_id=None,
username=None,
user_domain_id=None,
user_domain_name=None,
password=None,
domain_id=None, domain_name=None,
project_id=None, project_name=None,
project_domain_id=None,
project_domain_name=None,
Initial Trusts support Implements client support for the basic trusts API operations, note this does not include support for the roles subpath operations, support for those can be added in a subsequent patch. Change-Id: I0c6ba12bad5cc8f3f10697d2a3dcf4f3be8c7ece blueprint: delegation-impersonation-support
2013-08-02 11:45:38 +01:00
token=None,
trust_id=None,
**kwargs):
Fix and enable H401 Remove leading spaces from doc comments. Change-Id: I75b055c0d64dda478c63839d44158e301900107f
2013-06-21 19:04:50 +02:00
"""Authenticate against the v3 Identity API.
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
Remove _factory methods from auth plugins This was a simple factory that would give compatibility for the existing client to load up the appropriate auth plugin. A more robust plugin loading mechanism is coming for this and having it available encourages other auth plugins that they should be using that where they shouldn't. Just remove it from the auth plugin class. It shouldn't be used by anyone else so lets keep it on the client objects. Blueprint: plugin-params Change-Id: I0618b646f302300d41c7dd7153a1c0bdc237a745
2014-03-21 14:39:13 +10:00
If password and token methods are both provided then both methods will
be used in the request.
Create V3 Auth Plugins Extract the authentication code from a v3 client and move it to a series of auth plugins. As v3 authentication can contain multiple authentication methods this concept is represented by an AuthMethod. An auth plugin then is provided with multiple mechanisms to authenticate with. There is also some helper class for the standard case where you only need to authenticate with one method. When a v3 client wants to do authentication it will create a new v3 auth plugin, do the authentication and then take that result for the client to use. Change-Id: I5fa6a6e1c2e114e1428e35b723700c63a3cbed44 blueprint: auth-plugins
2014-01-21 11:40:28 +10:00
:returns: access.AccessInfo if authentication was successful.
Link to AccessInfoV3 returned from get_raw_token_from_identity_service Developers using get_raw_token_from_identity_service are going to want to know more info about the value returned, so provide them a link to the class docs. Change-Id: Ic1b100f1f362219b64c677dda90faaf51e93cc6a
2016-02-28 11:14:19 -06:00
:rtype: :class:`keystoneclient.access.AccessInfoV3`
Cleanup docs - raises class The argument to the :raises: directive is the class name. If the class name is a valid reference it's rendered as a link to the class. This change cleans up the :raises: directives to use the reference correctly and use a valid class reference. Change-Id: I84188b60de0ab4c6b5b2fb5a203c43bfde094707
2014-10-12 19:41:38 -05:00
:raises keystoneclient.exceptions.AuthorizationFailure: if unable to
authenticate or validate the existing authorization token.
:raises keystoneclient.exceptions.Unauthorized: if authentication fails
due to invalid token.
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
"""
try:
Create V3 Auth Plugins Extract the authentication code from a v3 client and move it to a series of auth plugins. As v3 authentication can contain multiple authentication methods this concept is represented by an AuthMethod. An auth plugin then is provided with multiple mechanisms to authenticate with. There is also some helper class for the standard case where you only need to authenticate with one method. When a v3 client wants to do authentication it will create a new v3 auth plugin, do the authentication and then take that result for the client to use. Change-Id: I5fa6a6e1c2e114e1428e35b723700c63a3cbed44 blueprint: auth-plugins
2014-01-21 11:40:28 +10:00
if auth_url is None:
I18n Keystoneclient didn't provide translated messages. With this change, the messages are marked for translation. DocImpact Implements: blueprint keystoneclient-i18n Change-Id: I85263a71671a1dffed524185266e6bb7ae559630
2014-10-27 10:54:48 -05:00
raise ValueError(_("Cannot authenticate without an auth_url"))
Create V3 Auth Plugins Extract the authentication code from a v3 client and move it to a series of auth plugins. As v3 authentication can contain multiple authentication methods this concept is represented by an AuthMethod. An auth plugin then is provided with multiple mechanisms to authenticate with. There is also some helper class for the standard case where you only need to authenticate with one method. When a v3 client wants to do authentication it will create a new v3 auth plugin, do the authentication and then take that result for the client to use. Change-Id: I5fa6a6e1c2e114e1428e35b723700c63a3cbed44 blueprint: auth-plugins
2014-01-21 11:40:28 +10:00
Remove _factory methods from auth plugins This was a simple factory that would give compatibility for the existing client to load up the appropriate auth plugin. A more robust plugin loading mechanism is coming for this and having it available encourages other auth plugins that they should be using that where they shouldn't. Just remove it from the auth plugin class. It shouldn't be used by anyone else so lets keep it on the client objects. Blueprint: plugin-params Change-Id: I0618b646f302300d41c7dd7153a1c0bdc237a745
2014-03-21 14:39:13 +10:00
auth_methods = []
if token:
auth_methods.append(v3_auth.TokenMethod(token=token))
if password:
m = v3_auth.PasswordMethod(user_id=user_id,
username=username,
user_domain_id=user_domain_id,
user_domain_name=user_domain_name,
password=password)
auth_methods.append(m)
if not auth_methods:
I18n Keystoneclient didn't provide translated messages. With this change, the messages are marked for translation. DocImpact Implements: blueprint keystoneclient-i18n Change-Id: I85263a71671a1dffed524185266e6bb7ae559630
2014-10-27 10:54:48 -05:00
msg = _('A user and password or token is required.')
Remove _factory methods from auth plugins This was a simple factory that would give compatibility for the existing client to load up the appropriate auth plugin. A more robust plugin loading mechanism is coming for this and having it available encourages other auth plugins that they should be using that where they shouldn't. Just remove it from the auth plugin class. It shouldn't be used by anyone else so lets keep it on the client objects. Blueprint: plugin-params Change-Id: I0618b646f302300d41c7dd7153a1c0bdc237a745
2014-03-21 14:39:13 +10:00
raise exceptions.AuthorizationFailure(msg)
plugin = v3_auth.Auth(auth_url, auth_methods,
trust_id=trust_id,
domain_id=domain_id,
domain_name=domain_name,
project_id=project_id,
project_name=project_name,
project_domain_id=project_domain_id,
project_domain_name=project_domain_name)
return plugin.get_auth_ref(self.session)
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
except (exceptions.AuthorizationFailure, exceptions.Unauthorized):
_logger.debug('Authorization failed.')
raise
Handle URLs via the session and auth_plugins In the future clients will simply pass the service they expect to talk to and the path. This will prevent every service trying to get their own base urls from the service catalog individually. This can later be extended to have the auth plugin actually contact the URL from the service catalog which will let us have unversioned endpoints in the catalog handled from a single location. Change-Id: I80f0b5b1dbb45565fec09d1cb2c0552cfb9a72f5 blueprint: auth-plugin-endpoints
2013-12-05 16:32:56 +10:00
except exceptions.EndpointNotFound:
I18n Keystoneclient didn't provide translated messages. With this change, the messages are marked for translation. DocImpact Implements: blueprint keystoneclient-i18n Change-Id: I85263a71671a1dffed524185266e6bb7ae559630
2014-10-27 10:54:48 -05:00
msg = _('There was no suitable authentication url for this'
' request')
Handle URLs via the session and auth_plugins In the future clients will simply pass the service they expect to talk to and the path. This will prevent every service trying to get their own base urls from the service catalog individually. This can later be extended to have the auth plugin actually contact the URL from the service catalog which will let us have unversioned endpoints in the catalog handled from a single location. Change-Id: I80f0b5b1dbb45565fec09d1cb2c0552cfb9a72f5 blueprint: auth-plugin-endpoints
2013-12-05 16:32:56 +10:00
raise exceptions.AuthorizationFailure(msg)
Implements v3 auth client. Added support for domain scoping. Enhancement on AccessInfo to support reading v2/v3 token information. Enhancement on ServiceCatalog for reading/filtering v2/v3 service catalog information. Change-Id: Ibb678b9933d3673e37d0fba857a152a3c5d2b4f4
2013-02-13 22:52:05 -06:00
except Exception as e:
I18n Keystoneclient didn't provide translated messages. With this change, the messages are marked for translation. DocImpact Implements: blueprint keystoneclient-i18n Change-Id: I85263a71671a1dffed524185266e6bb7ae559630
2014-10-27 10:54:48 -05:00
raise exceptions.AuthorizationFailure(
_('Authorization failed: %s') % e)
Copy Permalink