identity Package

core Module

Main entry point into the Identity service.

class keystone.identity.core.AdminRouter(mapper=None)

Bases: keystone.common.wsgi.ComposableRouter

add_routes(mapper)

class keystone.identity.core.Driver

Bases: object

Interface description for an Identity driver.

add_role_to_user_and_tenant(user_id, tenant_id, role_id)

Add a role to a user within given tenant.

add_user_to_tenant(tenant_id, user_id)
authenticate(user_id=None, tenant_id=None, password=None)

Authenticate a given user, tenant and password.

Returns: (user, tenant, metadata).

create_metadata(user_id, tenant_id, metadata)
create_role(role_id, role)
create_tenant(tenant_id, tenant)
create_user(user_id, user)
delete_metadata(user_id, tenant_id, metadata)
delete_role(role_id)
delete_tenant(tenant_id, tenant)
delete_user(user_id)
get_all_tenants()
get_metadata(user_id, tenant_id)
get_role(role_id)

Get a role by id.

Returns: role_ref or None.

get_roles_for_user_and_tenant(user_id, tenant_id)

Get the roles associated with a user within given tenant.

Returns: a list of role ids.

get_tenant(tenant_id)

Get a tenant by id.

Returns: tenant_ref or None.

get_tenant_by_name(tenant_name)

Get a tenant by name.

Returns: tenant_ref or None.

get_tenants_for_user(user_id)

Get the tenants associated with a given user.

Returns: a list of tenant ids.

get_user(user_id)

Get a user by id.

Returns: user_ref or None.

get_user_by_name(user_name)

Get a user by name.

Returns: user_ref or None.

list_roles()

List all roles in the system.

Returns: a list of role_refs or an empty list.

list_users()

List all users in the system.

NOTE(termie): I’d prefer if this listed only the users for a given tenant.

Returns: a list of user_refs or an empty list.

remove_role_from_user_and_tenant(user_id, tenant_id, role_id)

Remove a role from a user within given tenant.

remove_user_from_tenant(tenant_id, user_id)
update_metadata(user_id, tenant_id, metadata)
update_role(role_id, role)
update_tenant(tenant_id, tenant)
update_user(user_id, user)

class keystone.identity.core.Manager

Bases: keystone.common.manager.Manager

Default pivot point for the Identity backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.
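An in-memory backend covering a few methods of the Driver interface above, with authenticate returning (user, tenant, metadata). This is an added example, not Keystone's own code. The names InMemoryDriver and AuthError, the PBKDF2 password storage, and the unscoped result when tenant_id is None are assumptions.

```python
import hashlib
import hmac
import os


class AuthError(Exception):
    """Hypothetical error type; the page does not name one."""


class InMemoryDriver:
    """Sketch of a backend for part of the Driver interface (not Keystone code)."""

    def __init__(self):
        self.users, self.tenants = {}, {}   # id -> ref
        self.members = {}                   # user_id -> set of tenant_ids
        self.metadata = {}                  # (user_id, tenant_id) -> dict

    @staticmethod
    def _hash(password, salt):
        # Assumption: salted PBKDF2-HMAC-SHA256; storage format is not on the page.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create_user(self, user_id, user):
        salt = os.urandom(16)
        ref = dict(user, id=user_id)
        ref["password"] = (salt, self._hash(user["password"], salt))
        self.users[user_id] = ref

    def create_tenant(self, tenant_id, tenant):
        self.tenants[tenant_id] = dict(tenant, id=tenant_id)

    def add_user_to_tenant(self, tenant_id, user_id):
        self.members.setdefault(user_id, set()).add(tenant_id)

    def authenticate(self, user_id=None, tenant_id=None, password=None):
        """Return (user, tenant, metadata) or raise AuthError."""
        user = self.users.get(user_id)
        salt, stored = user["password"] if user else (b"\0" * 16, b"")
        # Hash even for unknown users and compare in constant time.
        ok = hmac.compare_digest(self._hash(password or "", salt), stored)
        if not (user and password is not None and ok and user.get("enabled", True)):
            raise AuthError("invalid user or password")
        public = {k: v for k, v in user.items() if k != "password"}
        if tenant_id is None:               # assumption: unscoped authentication
            return public, None, {}
        tenant = self.tenants.get(tenant_id)
        if (tenant is None or not tenant.get("enabled", True)
                or tenant_id not in self.members.get(user_id, ())):
            raise AuthError("user is not a member of an enabled tenant")
        return public, tenant, self.metadata.get((user_id, tenant_id), {})
```

The returned user_ref omits the stored password, and a disabled user or tenant fails the same way as a wrong password or a missing membership.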

class keystone.identity.core.PublicRouter(mapper=None)

Bases: keystone.common.wsgi.ComposableRouter

add_routes(mapper)

class keystone.identity.core.RoleController

Bases: keystone.common.wsgi.Application

add_role_to_user(context, user_id, role_id, tenant_id=None)

Add a role to a user and tenant pair.

Since we’re trying to ignore the idea of user-only roles we’re not implementing them in hopes that the idea will die off.

create_role(context, role)
create_role_ref(context, user_id, role)

This is actually used for adding a user to a tenant.

In the legacy data model adding a user to a tenant required setting a role.

delete_role(context, role_id)
delete_role_ref(context, user_id, role_ref_id)

This is actually used for deleting a user from a tenant.

In the legacy data model removing a user from a tenant required deleting a role.

To emulate this, we encode the tenant and role in the role_ref_id, and if this happens to be the last role for the user-tenant pair, we remove the user from the tenant.

get_role(context, role_id)
get_role_refs(context, user_id)

Ultimate hack to get around having to make role_refs first-class.

This will basically iterate over the various roles the user has in all tenants the user is a member of and create fake role_refs where the id encodes the user-tenant-role information so we can look up the appropriate data when we need to delete them.

get_roles(context)
get_user_roles(context, user_id, tenant_id=None)

Get the roles for a user and tenant pair.

Since we’re trying to ignore the idea of user-only roles we’re not implementing them in hopes that the idea will die off.

remove_role_from_user(context, user_id, role_id, tenant_id=None)

Remove a role from a user and tenant pair.

Since we’re trying to ignore the idea of user-only roles we’re not implementing them in hopes that the idea will die off.
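The role_ref emulation described for get_role_refs and delete_role_ref above, as an added example (not Keystone's code). The URL-encoded id format, the Store stand-in for the driver, and the returned status strings are assumptions. Because the id is handed back by the client, it is decoded strictly and checked against the stored grants before anything is removed.

```python
from urllib.parse import parse_qs, urlencode


class Store:
    """Constructed stand-in for the driver: (user, tenant) -> set of role ids."""

    def __init__(self, grants):
        self.grants = {k: set(v) for k, v in grants.items()}

    def get_tenants_for_user(self, user_id):
        return sorted(t for (u, t) in self.grants if u == user_id)

    def get_roles_for_user_and_tenant(self, user_id, tenant_id):
        return sorted(self.grants.get((user_id, tenant_id), ()))


def get_role_refs(store, user_id):
    """Build fake role_refs whose id encodes the tenant and role."""
    refs = []
    for tenant_id in store.get_tenants_for_user(user_id):
        for role_id in store.get_roles_for_user_and_tenant(user_id, tenant_id):
            # Assumed encoding; urlencode escapes '&' and '=' inside ids.
            ref_id = urlencode({"tenantId": tenant_id, "roleId": role_id})
            refs.append({"id": ref_id, "roleId": role_id, "tenantId": tenant_id})
    return refs


def delete_role_ref(store, user_id, role_ref_id):
    """Remove one role; drop the membership when it was the last one."""
    fields = parse_qs(role_ref_id, strict_parsing=True)  # ValueError if malformed
    if sorted(fields) != ["roleId", "tenantId"]:
        raise ValueError("malformed role_ref_id")
    if any(len(values) != 1 for values in fields.values()):
        raise ValueError("duplicated field in role_ref_id")
    tenant_id, role_id = fields["tenantId"][0], fields["roleId"][0]
    roles = store.grants.get((user_id, tenant_id), set())
    if role_id not in roles:
        raise LookupError("role not assigned to this user in this tenant")
    roles.discard(role_id)
    if not roles:                       # last role: user leaves the tenant
        del store.grants[(user_id, tenant_id)]
        return "removed_from_tenant"
    return "role_removed"
```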

class keystone.identity.core.TenantController

Bases: keystone.common.wsgi.Application

create_tenant(context, tenant)
delete_tenant(context, tenant_id, **kw)
get_all_tenants(context, **kw)

Gets a list of all tenants for an admin user.

get_tenant(context, tenant_id)
get_tenant_users(context, tenant_id, **kw)
get_tenants_for_token(context, **kw)

Get valid tenants for token based on token used to authenticate.

Pulls the token from the context, validates it and gets the valid tenants for the user in the token.

Doesn’t care about token scopedness.

update_tenant(context, tenant_id, tenant)

class keystone.identity.core.UserController

Bases: keystone.common.wsgi.Application

create_user(context, user)
delete_user(context, user_id)
get_user(context, user_id)
get_users(context)
set_user_enabled(context, user_id, user)
set_user_password(context, user_id, user)
update_user(context, user_id, user)
update_user_tenant(context, user_id, user)

Update the default tenant.

models Module

Model descriptions.

Unless marked otherwise, all fields are strings.

class keystone.identity.models.Model

Bases: dict

Base model class.

known_keys

class keystone.identity.models.Role

Bases: keystone.identity.models.Model

Role object.

Required keys: id, name

optional_keys = ()
required_keys = ('id', 'name')

class keystone.identity.models.Tenant

Bases: keystone.identity.models.Model

Tenant object.

Required keys: id, name

Optional keys: description, enabled (bool, default True)

optional_keys = ('description', 'enabled')
required_keys = ('id', 'name')

class keystone.identity.models.User

Bases: keystone.identity.models.Model

User object.

Required keys: id, name

Optional keys: password, description, email, enabled (bool, default True)

optional_keys = ('password', 'description', 'email', 'enabled')
required_keys = ('id', 'name')