keystoneauth1.identity.v3.k2k module

class keystoneauth1.identity.v3.k2k.Keystone2Keystone(base_plugin: BaseIdentityPlugin, service_provider: str, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)

Bases: _Rescoped

Plugin to execute the Keystone to Keyestone authentication flow.

In this plugin, an ECP wrapped SAML assertion provided by a keystone Identity Provider (IdP) is used to request an OpenStack unscoped token from a keystone Service Provider (SP).

Parameters:

  • base_plugin (keystoneauth1.identity.v3.base.BaseAuth) – Auth plugin already authenticated against the keystone IdP.

  • service_provider (str) – The Service Provider ID as returned by ServiceProviderManager.list()

HTTP_MOVED_TEMPORARILY = 302
HTTP_SEE_OTHER = 303
REQUEST_ECP_URL = '/auth/OS-FEDERATION/saml2/ecp'

Path where the ECP wrapped SAML assertion should be presented to the Keystone Service Provider.

__abstractmethods__ = frozenset({})
__annotations__ = {'MIN_TOKEN_LIFE_SECONDS': 'int', '_discovery_cache': 'dict[str, discover.Discover]', 'auth_ref': 'ty.Optional[access.AccessInfo]', 'auth_url': 'str', 'reauthenticate': 'bool'}
__doc__ = 'Plugin to execute the Keystone to Keyestone authentication flow.\n\nIn this plugin, an ECP wrapped SAML assertion provided by a keystone\nIdentity Provider (IdP) is used to request an OpenStack unscoped token\nfrom a keystone Service Provider (SP).\n\n:param base_plugin: Auth plugin already authenticated against the keystone\n                    IdP.\n:type base_plugin: keystoneauth1.identity.v3.base.BaseAuth\n\n:param service_provider: The Service Provider ID as returned by\n                         ServiceProviderManager.list()\n:type service_provider: str\n\n'
__firstlineno__ = 27
__init__(base_plugin: BaseIdentityPlugin, service_provider: str, *, trust_id: str | None = None, system_scope: str | None = None, domain_id: str | None = None, domain_name: str | None = None, project_id: str | None = None, project_name: str | None = None, project_domain_id: str | None = None, project_domain_name: str | None = None, reauthenticate: bool = True, include_catalog: bool = True)
__module__ = 'keystoneauth1.identity.v3.k2k'
__static_attributes__ = ('_local_cloud_plugin', '_sp_id', 'auth_url')
_abc_impl = <_abc._abc_data object>
_discovery_cache: dict[str, discover.Discover]
_get_ecp_assertion(session: Session) str
classmethod _remote_auth_url(auth_url: str) str

Return auth_url of the remote Keystone Service Provider.

Remote cloud’s auth_url is an endpoint for getting federated unscoped token, typically that would be https://remote.example.com:5000/v3/OS-FEDERATION/identity_providers/ <idp>/protocols/<protocol_id>/auth. However we need to generate a real auth_url, used for token scoping. This function assumes there are static values today in the remote auth_url stored in the Service Provider attribute and those can be used as a delimiter. If the sp_auth_url doesn’t comply with standard federation auth url the function will simply return whole string.

Parameters:

auth_url (str) – auth_url of the remote cloud

Returns:

auth_url of remote cloud where a token can be validated or scoped.

Return type:

str

_send_service_provider_ecp_authn_response(session: Session, sp_url: str, sp_auth_url: str) Response

Present ECP wrapped SAML assertion to the keystone SP.

The assertion is issued by the keystone IdP and it is targeted to the keystone that will serve as Service Provider.

Parameters:
auth_ref: ty.Optional[access.AccessInfo]
auth_url: str
get_unscoped_auth_ref(session: Session) AccessInfoV3

Fetch unscoped federated token.

reauthenticate: bool