keystoneclient.v3 package¶

Subpackages¶

Submodules¶

keystoneclient.v3.access_rules module¶

class keystoneclient.v3.access_rules.AccessRule(manager, info, loaded=False)¶

Bases: Resource

Represents an Identity access rule for application credentials.

Attributes:

• id: a uuid that identifies the access rule

• method: The request method that the application credential is

  permitted to use for a given API endpoint

• path: The API path that the application credential is permitted to

  access

• service: The service type identifier for the service that the

  application credential is permitted to access

class keystoneclient.v3.access_rules.AccessRuleManager(client)¶

Bases: CrudManager

Manager class for manipulating Identity access rules.

collection_key = 'access_rules'¶

create()¶

delete(access_rule, user=None)¶

Delete an access rule.

Parameters

• access_rule (str or keystoneclient.v3.access_rules.AccessRule) – the access rule to be deleted

• user (string) – User ID

Returns

response object with 204 status

Return type

requests.models.Response

find(user=None, **kwargs)¶

Find an access rule with attributes matching **kwargs.

Parameters

user (string) – User ID

Returns

a list of matching access rules

Return type

list of keystoneclient.v3.access_rules.AccessRule

get(access_rule, user=None)¶

Retrieve an access rule.

Parameters

• access_rule (str or keystoneclient.v3.access_rules.AccessRule) – the access rule to be retrieved from the server

• user (string) – User ID

Returns

the specified access rule

Return type

keystoneclient.v3.access_rules.AccessRule

key = 'access_rule'¶

list(user=None, **kwargs)¶

List access rules.

Parameters

user (string) – User ID

Returns

a list of access rules

Return type

list of keystoneclient.v3.access_rules.AccessRule

resource_class¶

alias of AccessRule

update()¶

keystoneclient.v3.application_credentials module¶

class keystoneclient.v3.application_credentials.ApplicationCredential(manager, info, loaded=False)¶

Bases: Resource

Represents an Identity application credential.

Attributes:

• id: a uuid that identifies the application credential

• user: the user who owns the application credential

• name: application credential name

• secret: application credential secret

• description: application credential description

• expires_at: expiry time

• roles: role assignments on the project

• unrestricted: whether the application credential has restrictions

  applied

• access_rules: a list of access rules defining what API requests the

  application credential may be used for

class keystoneclient.v3.application_credentials.ApplicationCredentialManager(client)¶

Bases: CrudManager

Manager class for manipulating Identity application credentials.

collection_key = 'application_credentials'¶

create(name, user=None, secret=None, description=None, expires_at=None, roles=None, unrestricted=False, access_rules=None, **kwargs)¶

Create a credential.

Parameters

• name (string) – application credential name

• user (string) – User ID

• secret – application credential secret

• description – application credential description

• expires_at (datetime.datetime) – expiry time

• roles (List) – list of roles on the project. Maybe a list of IDs or a list of dicts specifying role name and domain

• unrestricted (bool) – whether the application credential has restrictions applied

• access_rules (List) – a list of dicts representing access rules

Returns

the created application credential

Return type

keystoneclient.v3.application_credentials.ApplicationCredential

delete(application_credential, user=None)¶

Delete an application credential.

Parameters

application_credential – the application credential to be deleted

Returns

response object with 204 status

Return type

requests.models.Response

find(user=None, **kwargs)¶

Find an application credential with attributes matching **kwargs.

Parameters

user (string) – User ID

Returns

a list of matching application credentials

Return type

list of keystoneclient.v3.application_credentials.ApplicationCredential

get(application_credential, user=None)¶

Retrieve an application credential.

Parameters

application_credential – the credential to be retrieved from the server

Returns

the specified application credential

Return type

keystoneclient.v3.application_credentials.ApplicationCredential

key = 'application_credential'¶

list(user=None, **kwargs)¶

List application credentials.

Parameters

user (string) – User ID

Returns

a list of application credentials

Return type

list of keystoneclient.v3.application_credentials.ApplicationCredential

resource_class¶

alias of ApplicationCredential

update()¶

keystoneclient.v3.auth module¶

class keystoneclient.v3.auth.AuthManager(client)¶

Bases: Manager

Retrieve auth context specific information.

The information returned by the auth routes is entirely dependent on the authentication information provided by the user.

domains()¶

List Domains that the specified token can be rescoped to.

Returns

a list of domains.

Return type

list of keystoneclient.v3.domains.Domain.

projects()¶

List projects that the specified token can be rescoped to.

Returns

a list of projects.

Return type

list of keystoneclient.v3.projects.Project

systems()¶

List Systems that the specified token can be rescoped to.

At the moment this is either empty or “all”.

Returns

a list of systems.

Return type

list of keystoneclient.v3.systems.System.

keystoneclient.v3.client module¶

class keystoneclient.v3.client.Client(**kwargs)¶

Bases: HTTPClient

Client for the OpenStack Identity API v3.

Parameters

• session (keystoneauth1.session.Session) – Session for requests. (optional)

• user_id (string) – User ID for authentication. (optional)

• username (string) – Username for authentication. (optional)

• user_domain_id (string) – User’s domain ID for authentication. (optional)

• user_domain_name (string) – User’s domain name for authentication. (optional)

• password (string) – Password for authentication. (optional)

• token (string) – Token for authentication. (optional)

• domain_id (string) – Domain ID for domain scoping. (optional)

• domain_name (string) – Domain name for domain scoping. (optional)

• project_id (string) – Project ID for project scoping. (optional)

• project_name (string) – Project name for project scoping. (optional)

• project_domain_id (string) – Project’s domain ID for project scoping. (optional)

• project_domain_name (string) – Project’s domain name for project scoping. (optional)

• tenant_name (string) – Tenant name. (optional) The tenant_name keyword argument is deprecated as of the 1.7.0 release in favor of project_name and may be removed in the 2.0.0 release.

• tenant_id (string) – Tenant id. (optional) The tenant_id keyword argument is deprecated as of the 1.7.0 release in favor of project_id and may be removed in the 2.0.0 release.

• auth_url (string) – Identity service endpoint for authorization.

• region_name (string) – Name of a region to select when choosing an endpoint from the service catalog.

• endpoint (string) – A user-supplied endpoint URL for the identity service. Lazy-authentication is possible for API service calls if endpoint is set at instantiation. (optional)

• timeout (integer) – Allows customization of the timeout for client http requests. (optional)

Warning

Constructing an instance of this class without a session is deprecated as of the 1.7.0 release and will be removed in the 2.0.0 release.

Example:

>>> from keystoneauth1.identity import v3
>>> from keystoneauth1 import session
>>> from keystoneclient.v3 import client
>>> auth = v3.Password(user_domain_name=DOMAIN_NAME,
...                    username=USER,
...                    password=PASS,
...                    project_domain_name=PROJECT_DOMAIN_NAME,
...                    project_name=PROJECT_NAME,
...                    auth_url=KEYSTONE_URL)
>>> sess = session.Session(auth=auth)
>>> keystone = client.Client(session=sess)
>>> keystone.projects.list()
...
>>> user = keystone.users.get(USER_ID)
>>> user.delete()

Instances of this class have the following managers:

credentials¶

keystoneclient.v3.credentials.CredentialManager

domain_configs¶

keystoneclient.v3.domain_configs.DomainConfigManager

ec2¶

keystoneclient.v3.ec2.EC2Manager

endpoint_filter¶

keystoneclient.v3.contrib.endpoint_filter.EndpointFilterManager

endpoint_groups¶

keystoneclient.v3.endpoint_groups.EndpointGroupManager

endpoint_policy¶

keystoneclient.v3.contrib.endpoint_policy.EndpointPolicyManager

endpoints¶

keystoneclient.v3.endpoints.EndpointManager

domains¶

keystoneclient.v3.domains.DomainManager

federation¶

keystoneclient.v3.contrib.federation.core.FederationManager

groups¶

keystoneclient.v3.groups.GroupManager

limits¶

keystoneclient.v3.limits.LimitManager

oauth1¶

keystoneclient.v3.contrib.oauth1.core.OAuthManager

policies¶

keystoneclient.v3.policies.PolicyManager

regions¶

keystoneclient.v3.regions.RegionManager

registered_limits¶

keystoneclient.v3.registered_limits.RegisteredLimitManager

role_assignments¶

keystoneclient.v3.role_assignments.RoleAssignmentManager

roles¶

keystoneclient.v3.roles.RoleManager

simple_cert¶

keystoneclient.v3.contrib.simple_cert.SimpleCertManager

services¶

keystoneclient.v3.services.ServiceManager

tokens¶

keystoneclient.v3.tokens.TokenManager

trusts¶

keystoneclient.v3.contrib.trusts.TrustManager

users¶

keystoneclient.v3.users.UserManager

get_raw_token_from_identity_service(auth_url, user_id=None, username=None, user_domain_id=None, user_domain_name=None, password=None, domain_id=None, domain_name=None, project_id=None, project_name=None, project_domain_id=None, project_domain_name=None, token=None, trust_id=None, **kwargs)¶

Authenticate against the v3 Identity API.

If password and token methods are both provided then both methods will be used in the request.

Returns

access.AccessInfo if authentication was successful.

Return type

keystoneclient.access.AccessInfoV3

Raises

• keystoneclient.exceptions.AuthorizationFailure – if unable to authenticate or validate the existing authorization token.

• keystoneclient.exceptions.Unauthorized – if authentication fails due to invalid token.

process_token(**kwargs)¶

Extract and process information from the new auth_ref.

And set the relevant authentication information.

serialize(entity)¶

version = 'v3'¶

keystoneclient.v3.credentials module¶

class keystoneclient.v3.credentials.Credential(manager, info, loaded=False)¶

Bases: Resource

Represents an Identity credential.

Attributes:

• id: a uuid that identifies the credential

• user_id: user ID to which credential belongs

• type: the type of credential

• blob: the text that represents the credential

• project_id: project ID which limits the scope of the credential

class keystoneclient.v3.credentials.CredentialManager(client)¶

Bases: CrudManager

Manager class for manipulating Identity credentials.

collection_key = 'credentials'¶

create(user, type, blob, project=None, **kwargs)¶

Create a credential.

Parameters

• user (str or keystoneclient.v3.users.User) – the user to which the credential belongs

• type (str) – the type of the credential, valid values are: ec2, cert or totp

• blob (str) – the arbitrary blob of the credential data, to be parsed according to the type

• project (str or keystoneclient.v3.projects.Project) – the project which limits the scope of the credential, this attribbute is mandatory if the credential type is ec2

• kwargs – any other attribute provided will be passed to the server

Returns

the created credential

Return type

keystoneclient.v3.credentials.Credential

delete(credential)¶

Delete a credential.

Parameters

credential (str or keystoneclient.v3.credentials.Credential) – the credential to be deleted

Returns

response object with 204 status

Return type

requests.models.Response

get(credential)¶

Retrieve a credential.

Parameters

credential (str or keystoneclient.v3.credentials.Credential) – the credential to be retrieved from the server

Returns

the specified credential

Return type

keystoneclient.v3.credentials.Credential

key = 'credential'¶

list(**kwargs)¶

List credentials.

Parameters

kwargs – If user_id or type is specified then credentials will be filtered accordingly.

Returns

a list of credentials

Return type

list of keystoneclient.v3.credentials.Credential

resource_class¶

alias of Credential

update(credential, user, type=None, blob=None, project=None, **kwargs)¶

Update a credential.

Parameters

• credential (str or keystoneclient.v3.credentials.Credential) – the credential to be updated on the server

• user (str or keystoneclient.v3.users.User) – the new user to which the credential belongs

• type (str) – the new type of the credential, valid values are: ec2, cert or totp

• blob (str) – the new blob of the credential data and may be removed in the future release.

• project (str or keystoneclient.v3.projects.Project) – the new project which limits the scope of the credential, this attribute is mandatory if the credential type is ec2

• kwargs – any other attribute provided will be passed to the server

Returns

the updated credential

Return type

keystoneclient.v3.credentials.Credential

keystoneclient.v3.domain_configs module¶

class keystoneclient.v3.domain_configs.DomainConfig(manager, info, loaded=False)¶

Bases: Resource

An object representing a domain config association.

This resource object does not necessarily contain fixed attributes, as new attributes are added in the server, they are supported here directly. The currently supported configs are identity and ldap.

class keystoneclient.v3.domain_configs.DomainConfigManager(client)¶

Bases: Manager

Manager class for manipulating domain config associations.

build_url(domain)¶

create(domain, config)¶

Create a config for a domain.

Parameters

• domain (str or keystoneclient.v3.domains.Domain) – the domain where the config is going to be applied.

• config (dict) – a dictionary of domain configurations.

Example of the config parameter:

{
     "identity": {
         "driver": "ldap"
     },
     "ldap": {
         "url": "ldap://myldap.com:389/",
         "user_tree_dn": "ou=Users,dc=my_new_root,dc=org"
     }
}

Returns

the created domain config returned from server.

Return type

keystoneclient.v3.domain_configs.DomainConfig

delete(domain)¶

Delete a config for a domain.

Parameters

domain (str or keystoneclient.v3.domains.Domain) – the domain which the config will be deleted on the server.

Returns

Response object with 204 status.

Return type

requests.models.Response

find(**kwargs)¶

get(domain)¶

Get a config for a domain.

Parameters

domain (str or keystoneclient.v3.domains.Domain) – the domain for which the config is defined.

Returns

the domain config returned from server.

Return type

keystoneclient.v3.domain_configs.DomainConfig

key = 'config'¶

list(**kwargs)¶

resource_class¶

alias of DomainConfig

update(domain, config)¶

Update a config for a domain.

Parameters

• domain (str or keystoneclient.v3.domains.Domain) – the domain where the config is going to be updated.

• config (dict) – a dictionary of domain configurations.

Example of the config parameter:

{
     "identity": {
         "driver": "ldap"
     },
     "ldap": {
         "url": "ldap://myldap.com:389/",
         "user_tree_dn": "ou=Users,dc=my_new_root,dc=org"
     }
}

Returns

the updated domain config returned from server.

Return type

keystoneclient.v3.domain_configs.DomainConfig

keystoneclient.v3.domains module¶

class keystoneclient.v3.domains.Domain(manager, info, loaded=False)¶

Bases: Resource

Represents an Identity domain.

Attributes:

• id: a uuid that identifies the domain

• name: the name of the domain

• description: a description of the domain

• enabled: determines whether the domain is enabled

class keystoneclient.v3.domains.DomainManager(client)¶

Bases: CrudManager

Manager class for manipulating Identity domains.

collection_key = 'domains'¶

create(name, description=None, enabled=True, **kwargs)¶

Create a domain.

Parameters

• name (str) – the name of the domain.

• description (str) – a description of the domain.

• enabled (bool) – whether the domain is enabled.

• kwargs – any other attribute provided will be passed to the server.

Returns

the created domain returned from server.

Return type

keystoneclient.v3.domains.Domain

delete(domain)¶

“Delete a domain.

Parameters

domain (str or keystoneclient.v3.domains.Domain) – the domain to be deleted on the server.

Returns

Response object with 204 status.

Return type

requests.models.Response

get(domain)¶

Retrieve a domain.

Parameters

domain (str or keystoneclient.v3.domains.Domain) – the domain to be retrieved from the server.

Returns

the specified domain returned from server.

Return type

keystoneclient.v3.domains.Domain

key = 'domain'¶

list(**kwargs)¶

List domains.

Parameters

kwargs – allows filter criteria to be passed where supported by the server.

Returns

a list of domains.

Return type

list of keystoneclient.v3.domains.Domain.

resource_class¶

alias of Domain

update(domain, name=None, description=None, enabled=None, **kwargs)¶

Update a domain.

Parameters

• domain (str or keystoneclient.v3.domains.Domain) – the domain to be updated on the server.

• name (str) – the new name of the domain.

• description (str) – the new description of the domain.

• enabled (bool) – whether the domain is enabled.

• kwargs – any other attribute provided will be passed to the server.

Returns

the updated domain returned from server.

Return type

keystoneclient.v3.domains.Domain

keystoneclient.v3.ec2 module¶

class keystoneclient.v3.ec2.EC2(manager, info, loaded=False)¶

Bases: Resource

Represents an EC2 resource.

Attributes:

• id: a string that identifies the EC2 resource.

• user_id: the ID field of a pre-existing user in the backend.

• project_id: the ID field of a pre-existing project in the backend.

• access: a string representing access key of the access/secret pair.

• secret: a string representing the secret of the access/secret pair.

class keystoneclient.v3.ec2.EC2Manager(client)¶

Bases: ManagerWithFind

create(user_id, project_id)¶

Create a new access/secret pair.

Parameters

• user_id (str or keystoneclient.v3.users.User) – the ID of the user having access/secret pair.

• project_id (str or keystoneclient.v3.projects.Project) – the ID of the project having access/secret pair.

Returns

the created access/secret pair returned from server.

Return type

keystoneclient.v3.ec2.EC2

delete(user_id, access)¶

Delete an access/secret pair.

Parameters

• user_id (str or keystoneclient.v3.users.User) – the ID of the user whose access/secret pair will be deleted on the server.

• access (str) – the access key whose access/secret pair will be deleted on the server.

Returns

Response object with 204 status.

Return type

requests.models.Response

get(user_id, access)¶

Retrieve an access/secret pair for a given access key.

Parameters

• user_id (str or keystoneclient.v3.users.User) – the ID of the user whose access/secret pair will be retrieved from the server.

• access (str) – the access key whose access/secret pair will be retrieved from the server.

Returns

the specified access/secret pair returned from server.

Return type

keystoneclient.v3.ec2.EC2

list(user_id)¶

List access/secret pairs for a given user.

Parameters

user_id (str) – the ID of the user having access/secret pairs will be listed.

Returns

a list of access/secret pairs.

Return type

list of keystoneclient.v3.ec2.EC2

resource_class¶

alias of EC2

keystoneclient.v3.endpoint_groups module¶

class keystoneclient.v3.endpoint_groups.EndpointGroup(manager, info, loaded=False)¶

Bases: Resource

Represents an identity endpoint group.

Attributes:

• id: a UUID that identifies the endpoint group

• name: the endpoint group name

• description: the endpoint group description

• filters: representation of filters in the format of JSON that define

  what endpoint entities are part of the group

class keystoneclient.v3.endpoint_groups.EndpointGroupManager(client)¶

Bases: CrudManager

Manager class for Endpoint Groups.

base_url = 'OS-EP-FILTER'¶

check(endpoint_group)¶

Check if an endpoint group exists.

Parameters

endpoint_group (str or keystoneclient.v3.endpoint_groups.EndpointGroup) – the endpoint group to be checked against the server.

Returns

none if the specified endpoint group exists.

collection_key = 'endpoint_groups'¶

create(name, filters, description=None, **kwargs)¶

Create an endpoint group.

Parameters

• name (str) – the name of the endpoint group.

• filters (str) – representation of filters in the format of JSON that define what endpoint entities are part of the group.

• description (str) – a description of the endpoint group.

• kwargs – any other attribute provided will be passed to the server.

Returns

the created endpoint group returned from server.

Return type

keystoneclient.v3.endpoint_groups.EndpointGroup

delete(endpoint_group)¶

Delete an endpoint group.

Parameters

endpoint_group (str or keystoneclient.v3.endpoint_groups.EndpointGroup) – the endpoint group to be deleted on the server.

Returns

Response object with 204 status.

Return type

requests.models.Response

get(endpoint_group)¶

Retrieve an endpoint group.

Parameters

endpoint_group (str or keystoneclient.v3.endpoint_groups.EndpointGroup) – the endpoint group to be retrieved from the server.

Returns

the specified endpoint group returned from server.

Return type

keystoneclient.v3.endpoint_groups.EndpointGroup

key = 'endpoint_group'¶

list(**kwargs)¶

List endpoint groups.

Any parameter provided will be passed to the server.

Returns

a list of endpoint groups.

Return type

list of keystoneclient.v3.endpoint_groups.EndpointGroup.

resource_class¶

alias of EndpointGroup

update(endpoint_group, name=None, filters=None, description=None, **kwargs)¶

Update an endpoint group.

Parameters

• name (str) – the new name of the endpoint group.

• filters (str) – the new representation of filters in the format of JSON that define what endpoint entities are part of the group.

• description (str) – the new description of the endpoint group.

• kwargs – any other attribute provided will be passed to the server.

Returns

the updated endpoint group returned from server.

Return type

keystoneclient.v3.endpoint_groups.EndpointGroup

keystoneclient.v3.endpoints module¶

class keystoneclient.v3.endpoints.Endpoint(manager, info, loaded=False)¶

Bases: Resource

Represents an Identity endpoint.

Attributes:

• id: a uuid that identifies the endpoint

• interface: ‘public’, ‘admin’ or ‘internal’ network interface

• region: geographic location of the endpoint

• service_id: service to which the endpoint belongs

• url: fully qualified service endpoint

• enabled: determines whether the endpoint appears in the service

  catalog

class keystoneclient.v3.endpoints.EndpointManager(client)¶

Bases: CrudManager

Manager class for manipulating Identity endpoints.

collection_key = 'endpoints'¶

create(service, url, interface=None, region=None, enabled=True, **kwargs)¶

Create an endpoint.

Parameters

• service (str or keystoneclient.v3.services.Service) – the service to which the endpoint belongs.

• url (str) – the URL of the fully qualified service endpoint.

• interface (str) – the network interface of the endpoint. Valid values are: public, admin or internal.

• region (str or keystoneclient.v3.regions.Region) – the region to which the endpoint belongs.

• enabled (bool) – whether the endpoint is enabled or not, determining if it appears in the service catalog.

• kwargs – any other attribute provided will be passed to the server.

Returns

the created endpoint returned from server.

Return type

keystoneclient.v3.endpoints.Endpoint

delete(endpoint)¶

Delete an endpoint.

Parameters

endpoint (str or keystoneclient.v3.endpoints.Endpoint) – the endpoint to be deleted on the server.

Returns

Response object with 204 status.

Return type

requests.models.Response

get(endpoint)¶

Retrieve an endpoint.

Parameters

endpoint (str or keystoneclient.v3.endpoints.Endpoint) – the endpoint to be retrieved from the server.

Returns

the specified endpoint returned from server.

Return type

keystoneclient.v3.endpoints.Endpoint

key = 'endpoint'¶

list(service=None, interface=None, region=None, enabled=None, region_id=None, **kwargs)¶

List endpoints.

Parameters

• service (str or keystoneclient.v3.services.Service) – the service of the endpoints to be filtered on.

• interface (str) – the network interface of the endpoints to be filtered on. Valid values are: public, admin or internal.

• enabled (bool) – whether to return enabled or disabled endpoints.

• region_id (str) – filter endpoints by the region_id attribute. If both region and region_id are specified, region takes precedence.

• kwargs – any other attribute provided will filter endpoints on.

Returns

a list of endpoints.

Return type

list of keystoneclient.v3.endpoints.Endpoint

resource_class¶

alias of Endpoint

update(endpoint, service=None, url=None, interface=None, region=None, enabled=None, **kwargs)¶

Update an endpoint.

Parameters

• endpoint (str or keystoneclient.v3.endpoints.Endpoint) – the endpoint to be updated on the server.

• service (str or keystoneclient.v3.services.Service) – the new service to which the endpoint belongs.

• url (str) – the new URL of the fully qualified service endpoint.

• interface (str) – the new network interface of the endpoint. Valid values are: public, admin or internal.

• region (str or keystoneclient.v3.regions.Region) – the new region to which the endpoint belongs.

• enabled (bool) – determining if the endpoint appears in the service catalog by enabling or disabling it.

• kwargs – any other attribute provided will be passed to the server.

Returns

the updated endpoint returned from server.

Return type

keystoneclient.v3.endpoints.Endpoint

keystoneclient.v3.groups module¶

class keystoneclient.v3.groups.Group(manager, info, loaded=False)¶

Bases: Resource

Represents an Identity user group.

Attributes:

• id: a uuid that identifies the group

• name: group name

• description: group description

update(name=None, description=None)¶

class keystoneclient.v3.groups.GroupManager(client)¶

Bases: CrudManager

Manager class for manipulating Identity groups.

collection_key = 'groups'¶

create(name, domain=None, description=None, **kwargs)¶

Create a group.

Parameters

• name (str) – the name of the group.

• domain (str or keystoneclient.v3.domains.Domain) – the domain of the group.

• description (str) – a description of the group.

• kwargs – any other attribute provided will be passed to the server.

Returns

the created group returned from server.

Return type

keystoneclient.v3.groups.Group

delete(group)¶

Delete a group.

Parameters

group (str or keystoneclient.v3.groups.Group) – the group to be deleted on the server.

Returns

Response object with 204 status.

Return type

requests.models.Response

get(group)¶

Retrieve a group.

Parameters

group (str or keystoneclient.v3.groups.Group) – the group to be retrieved from the server.

Returns

the specified group returned from server.

Return type

keystoneclient.v3.groups.Group

key = 'group'¶

list(user=None, domain=None, **kwargs)¶

List groups.

Parameters

• user (str or keystoneclient.v3.users.User) – the user of the groups to be filtered on.

• domain (str or keystoneclient.v3.domains.Domain) – the domain of the groups to be filtered on.

• kwargs – any other attribute provided will filter groups on.

Returns

a list of groups.

Return type

list of keystoneclient.v3.groups.Group.

resource_class¶

alias of Group

update(group, name=None, description=None, **kwargs)¶

Update a group.

Parameters

• group (str or keystoneclient.v3.groups.Group) – the group to be updated on the server.

• name (str) – the new name of the group.

• description (str) – the new description of the group.

• kwargs – any other attribute provided will be passed to server.

Returns

the updated group returned from server.

Return type

keystoneclient.v3.groups.Group

keystoneclient.v3.limits module¶

class keystoneclient.v3.limits.Limit(manager, info, loaded=False)¶

Bases: Resource

Represents a project limit.

Attributes:

• id: a UUID that identifies the project limit

• service_id: a UUID that identifies the service for the limit

• region_id: a UUID that identifies the region for the limit

• project_id: a UUID that identifies the project for the limit

• resource_name: the name of the resource to limit

• resource_limit: the limit to apply to the project

• description: a description for the project limit

class keystoneclient.v3.limits.LimitManager(client)¶

Bases: CrudManager

Manager class for project limits.

collection_key = 'limits'¶

create(project, service, resource_name, resource_limit, description=None, region=None, **kwargs)¶

Create a project-specific limit.

Parameters

• project (str or keystoneclient.v3.projects.Project) – the project to create a limit for.

• service (str or keystoneclient.v3.services.Service) – the service that owns the resource to limit.

• resource_name (str) – the name of the resource to limit

• resource_limit (int) – the quantity of the limit

• description (str) – a description of the limit

• region (str or keystoneclient.v3.regions.Region) – region the limit applies to

Returns

a reference of the created limit

Return type

keystoneclient.v3.limits.Limit

delete(limit)¶

Delete a project-specific limit.

Parameters

limit (str or keystoneclient.v3.limit.Limit) – the project-specific limit to be deleted.

Returns

Response object with 204 status

Return type

requests.models.Response

get(limit)¶

Retrieve a project limit.

Parameters

limit (str or keystoneclient.v3.limit.Limit) – the project-specific limit to be retrieved.

Returns

a project-specific limit

Return type

keystoneclient.v3.limit.Limit

key = 'limit'¶

list(service=None, region=None, resource_name=None, **kwargs)¶

List project-specific limits.

Any parameter provided will be passed to the server as a filter

Parameters

• service (UUID or keystoneclient.v3.services.Service) – service to filter limits by

• region (UUID or keystoneclient.v3.regions.Region) – region to filter limits by

• resource_name (str) – the name of the resource to filter limits by

Returns

a list of project-specific limits.

Return type

list of keystoneclient.v3.limits.Limit

resource_class¶

alias of Limit

update(limit, project=None, service=None, resource_name=None, resource_limit=None, description=None, **kwargs)¶

Update a project-specific limit.

Parameters

• limit – a limit to update

• project (str or keystoneclient.v3.projects.Project) – the project ID of the limit to update

• resource_limit – the limit of the limit’s resource to update

• description (str) – a description of the limit

Type

resource_limit: int

Returns

a reference of the updated limit.

Return type

keystoneclient.v3.limits.Limit

keystoneclient.v3.policies module¶

class keystoneclient.v3.policies.Policy(manager, info, loaded=False)¶

Bases: Resource

Represents an Identity policy.

Attributes:

• id: a uuid that identifies the policy

• blob: a policy document (blob)

• type: the MIME type of the policy blob

update(blob=None, type=None)¶

class keystoneclient.v3.policies.PolicyManager(client)¶

Bases: CrudManager

Manager class for manipulating Identity policies.

collection_key = 'policies'¶

create(blob, type='application/json', **kwargs)¶

Create a policy.

Parameters

• blob (str) – the policy document.

• type (str) – the MIME type of the policy blob.

• kwargs – any other attribute provided will be passed to the server.

Returns

the created policy returned from server.

Return type

keystoneclient.v3.policies.Policy

delete(policy)¶

“Delete a policy.

Parameters

policy (str or keystoneclient.v3.policies.Policy) – the policy to be deleted on the server.

Returns

Response object with 204 status.

Return type

requests.models.Response

get(policy)¶

Retrieve a policy.

Parameters

policy (str or keystoneclient.v3.policies.Policy) – the policy to be retrieved from the server.

Returns

the specified policy returned from server.

Return type

keystoneclient.v3.policies.Policy

key = 'policy'¶

list(**kwargs)¶

List policies.

Parameters

kwargs – allows filter criteria to be passed where supported by the server.

Returns

a list of policies.

Return type

list of keystoneclient.v3.policies.Policy.

resource_class¶

alias of Policy

update(policy, blob=None, type=None, **kwargs)¶

Update a policy.

Parameters

• policy (str or keystoneclient.v3.policies.Policy) – the policy to be updated on the server.

• blob (str) – the new policy document.

• type (str) – the new MIME type of the policy blob.

• kwargs – any other attribute provided will be passed to the server.

Returns

the updated policy returned from server.

Return type

keystoneclient.v3.policies.Policy

keystoneclient.v3.projects module¶

class keystoneclient.v3.projects.Project(manager, info, loaded=False)¶

Bases: Resource

Represents an Identity project.

Attributes:

• id: a uuid that identifies the project

• name: project name

• description: project description

• enabled: boolean to indicate if project is enabled

• parent_id: a uuid representing this project’s parent in hierarchy

• parents: a list or a structured dict containing the parents of this

  project in the hierarchy

• subtree: a list or a structured dict containing the subtree of this

  project in the hierarchy

add_tag(tag)¶

check_tag(tag)¶

delete_all_tags()¶

delete_tag(tag)¶

list_tags()¶

update(name=None, description=None, enabled=None)¶

update_tags(tags)¶

class keystoneclient.v3.projects.ProjectManager(client)¶

Bases: CrudManager

Manager class for manipulating Identity projects.

add_tag(project, tag)¶

Add a tag to a project.

Parameters

• project – project to add a tag to.

• tag – str name of tag.

check_tag(project, tag)¶

Check if tag is associated with project.

Parameters

• project – project to check tags for.

• tag – str name of tag

Returns

true if tag is associated, false otherwise

collection_key = 'projects'¶

create(name, domain, description=None, enabled=True, parent=None, **kwargs)¶

Create a project.

Parameters

• name (str) – the name of the project.

• domain (str or keystoneclient.v3.domains.Domain) – the domain of the project.

• description (str) – the description of the project.

• enabled (bool) – whether the project is enabled.

• parent (str or keystoneclient.v3.projects.Project) – the parent of the project in the hierarchy.

• kwargs – any other attribute provided will be passed to the server.

Returns

the created project returned from server.

Return type

keystoneclient.v3.projects.Project

delete(project)¶

Delete a project.

Parameters

project (str or keystoneclient.v3.projects.Project) – the project to be deleted on the server.

Returns

Response object with 204 status.

Return type

requests.models.Response

delete_tag(project, tag)¶

Remove tag from project.

Parameters

• projectd – project to remove tag from.

• tag – str name of tag to remove from project

find(**kwargs)¶

Find a single item with attributes matching **kwargs.

get(project, subtree_as_list=False, parents_as_list=False, subtree_as_ids=False, parents_as_ids=False)¶

Retrieve a project.

Parameters

• project (str or keystoneclient.v3.projects.Project) – the project to be retrieved from the server.

• subtree_as_list (bool) – retrieve projects below this project in the hierarchy as a flat list. It only includes the projects in which the current user has role assignments on.

• parents_as_list (bool) – retrieve projects above this project in the hierarchy as a flat list. It only includes the projects in which the current user has role assignments on.

• subtree_as_ids (bool) – retrieve the IDs from the projects below this project in the hierarchy as a structured dictionary.

• parents_as_ids (bool) – retrieve the IDs from the projects above this project in the hierarchy as a structured dictionary.

Returns

the specified project returned from server.

Return type

keystoneclient.v3.projects.Project

Raises

keystoneclient.exceptions.ValidationError – if subtree_as_list and subtree_as_ids or parents_as_list and parents_as_ids are included at the same time in the call.

key = 'project'¶

list(domain=None, user=None, parent=None, **kwargs)¶

List projects.

Parameters

• domain (str or keystoneclient.v3.domains.Domain) – the domain of the projects to be filtered on.

• user (str or keystoneclient.v3.users.User) – filter in projects the specified user has role assignments on.

• parent (str or keystoneclient.v3.projects.Project) – filter in projects the specified project is a parent for

• kwargs – any other attribute provided will filter projects on. Project tags filter keyword: tags, tags_any, not_tags, and not_tags_any. tag attribute type string. Pass in a comma separated string to filter with multiple tags.

Returns

a list of projects.

Return type

list of keystoneclient.v3.projects.Project

list_tags(project)¶

List tags associated with project.

Parameters

project – project to list tags for.

Returns

list of str tag names

resource_class¶

alias of Project

update(project, name=None, domain=None, description=None, enabled=None, **kwargs)¶

Update a project.

Parameters

• project (str or keystoneclient.v3.projects.Project) – the project to be updated on the server.

• name (str) – the new name of the project.

• domain (str or keystoneclient.v3.domains.Domain) – the new domain of the project.

• description (str) – the new description of the project.

• enabled (bool) – whether the project is enabled.

• kwargs – any other attribute provided will be passed to server.

Returns

the updated project returned from server.

Return type

keystoneclient.v3.projects.Project

update_tags(project, tags)¶

Update tag list of a project.

Replaces current tag list with list specified in tags parameter.

Parameters

• project – project to update.

• tags – list of str tag names to add to the project

Returns

list of tags

keystoneclient.v3.regions module¶

class keystoneclient.v3.regions.Region(manager, info, loaded=False)¶

Bases: Resource

Represents a Catalog region.

Attributes:

• id: a string that identifies the region.

• description: a string that describes the region.

• parent_region_id: a pre-existing region in the backend or its ID

  field. Allows for hierarchical region organization.

• enabled: determines whether the endpoint appears in the catalog.

class keystoneclient.v3.regions.RegionManager(client)¶

Bases: CrudManager

Manager class for manipulating Identity regions.

collection_key = 'regions'¶

create(id=None, description=None, enabled=True, parent_region=None, **kwargs)¶

Create a region.

Parameters

• id (str) – the unique identifier of the region. If not specified an ID will be created by the server.

• description (str) – the description of the region.

• enabled (bool) – whether the region is enabled or not, determining if it appears in the catalog.

• parent_region (str or keystoneclient.v3.regions.Region) – the parent of the region in the hierarchy.

• kwargs – any other attribute provided will be passed to the server.

Returns

the created region returned from server.

Return type

keystoneclient.v3.regions.Region

delete(region)¶

Delete a region.

Parameters

region (str or keystoneclient.v3.regions.Region) – the region to be deleted on the server.

Returns

Response object with 204 status.

Return type

requests.models.Response

get(region)¶

Retrieve a region.

Parameters

region (str or keystoneclient.v3.regions.Region) – the region to be retrieved from the server.

Returns

the specified region returned from server.

Return type

keystoneclient.v3.regions.Region

key = 'region'¶

list(**kwargs)¶

List regions.

Parameters

kwargs – any attributes provided will filter regions on.

Returns

a list of regions.

Return type

list of keystoneclient.v3.regions.Region.

resource_class¶

alias of Region

update(region, description=None, enabled=None, parent_region=None, **kwargs)¶

Update a region.

Parameters

• region (str or keystoneclient.v3.regions.Region) – the region to be updated on the server.

• description (str) – the new description of the region.

• enabled (bool) – determining if the region appears in the catalog by enabling or disabling it.

• parent_region (str or keystoneclient.v3.regions.Region) – the new parent of the region in the hierarchy.

• kwargs – any other attribute provided will be passed to server.

Returns

the updated region returned from server.

Return type

keystoneclient.v3.regions.Region

keystoneclient.v3.registered_limits module¶

class keystoneclient.v3.registered_limits.RegisteredLimit(manager, info, loaded=False)¶

Bases: Resource

Represents a registered limit.

Attributes:

• id: a UUID that identifies the registered limit

• service_id: a UUID that identifies the service for the limit

• region_id: a UUID that identifies the region for the limit

• resource_name: the name of the resource to limit

• default_limit: the default limit for projects to assume

• description: a description of the registered limit

class keystoneclient.v3.registered_limits.RegisteredLimitManager(client)¶

Bases: CrudManager

Manager class for registered limits.

collection_key = 'registered_limits'¶

create(service, resource_name, default_limit, description=None, region=None, **kwargs)¶

Create a registered limit.

Parameters

• service (str) – a UUID that identifies the service for the limit.

• resource_name (str) – the name of the resource to limit.

• default_limit (int) – the default limit for projects to assume.

• description (str) – a string that describes the limit

• region (str) – a UUID that identifies the region for the limit.

Returns

a reference of the created registered limit.

Return type

keystoneclient.v3.registered_limits.RegisteredLimit

delete(registered_limit)¶

Delete a registered limit.

Parameters

registered_limit (str or keystoneclient.v3.registered_limits.RegisteredLimit) – the registered limit to delete.

Returns

Response object with 204 status.

Return type

requests.models.Response

get(registered_limit)¶

Retrieve a registered limit.

Parameters

registered_limit (str or keystoneclient.v3.registered_limits.RegisteredLimit) – the registered limit to get.

Returns

a specific registered limit.

Return type

keystoneclient.v3.registered_limits.RegisteredLimit

key = 'registered_limit'¶

list(service=None, resource_name=None, region=None, **kwargs)¶

List registered limits.

Any parameter provided will be passed to the server as a filter.

Parameters

• service (a UUID or keystoneclient.v3.services.Service) – filter registered limits by service

• resource_name (str) – filter registered limits by resource name

• region (a UUID or keystoneclient.v3.regions.Region) – filter registered limits by region

Returns

a list of registered limits.

Return type

list of keystoneclient.v3.registered_limits.RegisteredLimit

resource_class¶

alias of RegisteredLimit

update(registered_limit, service=None, resource_name=None, default_limit=None, description=None, region=None, **kwargs)¶

Update a registered limit.

Parameters

• registered_limit – the UUID or reference of the registered limit to update.

• registered_limit – str or keystoneclient.v3.registered_limits.RegisteredLimit

• service (str) – a UUID that identifies the service for the limit.

• resource_name (str) – the name of the resource to limit.

• default_limit (int) – the default limit for projects to assume.

• description (str) – a string that describes the limit

• region (str) – a UUID that identifies the region for the limit.

Returns

a reference of the updated registered limit.

Return type

keystoneclient.v3.registered_limits.RegisteredLimit

keystoneclient.v3.role_assignments module¶

class keystoneclient.v3.role_assignments.RoleAssignment(manager, info, loaded=False)¶

Bases: Resource

Represents an Identity role assignment.

Attributes:

• role: an object which contains a role uuid

• user or group: an object which contains either a user or

  group uuid

• scope: an object which has either a project or domain object

  containing an uuid

class keystoneclient.v3.role_assignments.RoleAssignmentManager(client)¶

Bases: CrudManager

Manager class for manipulating Identity roles assignments.

collection_key = 'role_assignments'¶

create(**kwargs)¶

delete(**kwargs)¶

find(**kwargs)¶

Find a single item with attributes matching **kwargs.

get(**kwargs)¶

key = 'role_assignment'¶

list(user=None, group=None, project=None, domain=None, system=False, role=None, effective=False, os_inherit_extension_inherited_to=None, include_subtree=False, include_names=False)¶

List role assignments.

If no arguments are provided, all role assignments in the system will be listed.

If both user and group are provided, a ValidationError will be raised. If both domain and project are provided, it will also raise a ValidationError.

Parameters

• user – User to be used as query filter. (optional)

• group – Group to be used as query filter. (optional)

• project – Project to be used as query filter. (optional)

• domain – Domain to be used as query filter. (optional)

• system – Boolean to be used to filter system assignments. (optional)

• role – Role to be used as query filter. (optional)

• effective (boolean) – return effective role assignments. (optional)

• os_inherit_extension_inherited_to (string) – return inherited role assignments for either ‘projects’ or ‘domains’. (optional)

• include_subtree (boolean) – Include subtree (optional)

• include_names (boolean) – Display names instead of IDs. (optional)

put(**kwargs)¶

resource_class¶

alias of RoleAssignment

update(**kwargs)¶

keystoneclient.v3.roles module¶

class keystoneclient.v3.roles.InferenceRule(manager, info, loaded=False)¶

Bases: Resource

Represents a rule that states one role implies another.

Attributes:

• prior_role: this role implies the other

• implied_role: this role is implied by the other

class keystoneclient.v3.roles.InferenceRuleManager(client)¶

Bases: CrudManager

Manager class for manipulating Identity inference rules.

check(prior_role, implied_role)¶

Check if an inference rule exists.

Valid HTTP return codes:

• 204: The rule inference exists

• 404: A role cannot be found

Parameters

• prior_role – the role which implies implied_role.

• implied_role – the role which is implied by prior_role.

Returns

response object with 204 status returned from server.

Return type

requests.models.Response

collection_key = 'role_inferences'¶

create(prior_role, implied_role)¶

Create an inference rule.

An inference rule is comprised of two roles, a prior role and an implied role. The prior role will imply the implied role.

Valid HTTP return codes:

• 201: Resource is created successfully

• 404: A role cannot be found

• 409: The inference rule already exists

Parameters

• prior_role – the role which implies implied_role.

• implied_role – the role which is implied by prior_role.

Returns

a newly created role inference returned from server.

Return type

keystoneclient.v3.roles.InferenceRule

delete(prior_role, implied_role)¶

Delete an inference rule.

When deleting an inference rule, both roles are required. Note that neither role is deleted, only the inference relationship is dissolved.

Valid HTTP return codes:

• 204: Delete request is accepted

• 404: A role cannot be found

Parameters

• prior_role – the role which implies implied_role.

• implied_role – the role which is implied by prior_role.

Returns

Response object with 204 status.

Return type

requests.models.Response

find(**kwargs)¶

Find a single item with attributes matching **kwargs.

get(prior_role, implied_role)¶

Retrieve an inference rule.

Valid HTTP return codes:

• 200: Inference rule is returned

• 404: A role cannot be found

Parameters

• prior_role – the role which implies implied_role.

• implied_role – the role which is implied by prior_role.

Returns

the specified role inference returned from server.

Return type

keystoneclient.v3.roles.InferenceRule

key = 'role_inference'¶

list(prior_role)¶

List all roles that a role may imply.

Valid HTTP return codes:

• 200: List of inference rules are returned

• 404: A role cannot be found

Parameters

prior_role – the role which implies implied_role.

Returns

the specified role inference returned from server.

Return type

keystoneclient.v3.roles.InferenceRule

list_inference_roles()¶

List all rule inferences.

Valid HTTP return codes:

• 200: All inference rules are returned

Parameters

kwargs – attributes provided will be passed to the server.

Returns

a list of inference rules.

Return type

list of keystoneclient.v3.roles.InferenceRule

put(**kwargs)¶

resource_class¶

alias of InferenceRule

update(**kwargs)¶

class keystoneclient.v3.roles.Role(manager, info, loaded=False)¶

Bases: Resource

Represents an Identity role.

Attributes:

• id: a uuid that identifies the role

• name: user-facing identifier

• domain: optional domain for the role

class keystoneclient.v3.roles.RoleManager(client)¶

Bases: CrudManager

Manager class for manipulating Identity roles.

check(role, user=None, group=None, system=None, domain=None, project=None, os_inherit_extension_inherited=False, **kwargs)¶

Check if a user or group has a role on a domain or project.

Parameters

• user (str or keystoneclient.v3.users.User) – check for role grants for the specified user on a resource. Domain or project must be specified. User and group are mutually exclusive.

• group (str or keystoneclient.v3.groups.Group) – check for role grants for the specified group on a resource. Domain or project must be specified. User and group are mutually exclusive.

• system (str) – check for role grants on the system. Project, domain, and system are mutually exclusive.

• domain (str or keystoneclient.v3.domains.Domain) – check for role grants on the specified domain. Either user or group must be specified. Project, domain, and system are mutually exclusive.

• project (str or keystoneclient.v3.projects.Project) – check for role grants on the specified project. Either user or group must be specified. Project, domain, and system are mutually exclusive.

• os_inherit_extension_inherited (bool) – OS-INHERIT will be used. It provides the ability for projects to inherit role assignments from their domains or from parent projects in the hierarchy.

• kwargs – any other attribute provided will be passed to server.

Returns

the specified role returned from server if it exists.

Return type

keystoneclient.v3.roles.Role

Returns

Response object with 204 status if specified role doesn’t exist.

Return type

requests.models.Response

check_implied(prior_role, implied_role, **kwargs)¶

collection_key = 'roles'¶

create(name, domain=None, **kwargs)¶

Create a role.

Parameters

• name (str) – the name of the role.

• domain (str or keystoneclient.v3.domains.Domain) – the domain of the role. If a value is passed it is a domain-scoped role, otherwise it’s a global role.

• kwargs – any other attribute provided will be passed to the server.

Returns

the created role returned from server.

Return type

keystoneclient.v3.roles.Role

create_implied(prior_role, implied_role, **kwargs)¶

delete(role)¶

Delete a role.

When a role is deleted all the role inferences that have deleted role as prior role will be deleted as well.

Parameters

role (str or keystoneclient.v3.roles.Role) – the role to be deleted on the server.

Returns

Response object with 204 status.

Return type

requests.models.Response

delete_implied(prior_role, implied_role, **kwargs)¶

deprecation_msg = 'keystoneclient.v3.roles.InferenceRuleManager'¶

get(role)¶

Retrieve a role.

Parameters

role (str or keystoneclient.v3.roles.Role) – the role to be retrieved from the server.

Returns

the specified role returned from server.

Return type

keystoneclient.v3.roles.Role

get_implied(prior_role, implied_role, **kwargs)¶

grant(role, user=None, group=None, system=None, domain=None, project=None, os_inherit_extension_inherited=False, **kwargs)¶

Grant a role to a user or group on a domain or project.

Parameters

• role (str or keystoneclient.v3.roles.Role) – the role to be granted on the server.

• user (str or keystoneclient.v3.users.User) – the specified user to have the role granted on a resource. Domain or project must be specified. User and group are mutually exclusive.

• group (str or keystoneclient.v3.groups.Group) – the specified group to have the role granted on a resource. Domain or project must be specified. User and group are mutually exclusive.

• system (str) – system information to grant the role on. Project, domain, and system are mutually exclusive.

• domain (str or keystoneclient.v3.domains.Domain) – the domain in which the role will be granted. Either user or group must be specified. Project, domain, and system are mutually exclusive.

• project (str or keystoneclient.v3.projects.Project) – the project in which the role will be granted. Either user or group must be specified. Project, domain, and system are mutually exclusive.

• os_inherit_extension_inherited (bool) – OS-INHERIT will be used. It provides the ability for projects to inherit role assignments from their domains or from parent projects in the hierarchy.

• kwargs – any other attribute provided will be passed to server.

Returns

the granted role returned from server.

Return type

keystoneclient.v3.roles.Role

key = 'role'¶

list(user=None, group=None, system=None, domain=None, project=None, os_inherit_extension_inherited=False, **kwargs)¶

List roles and role grants.

Parameters

• user (str or keystoneclient.v3.users.User) – filter in role grants for the specified user on a resource. Domain or project must be specified. User and group are mutually exclusive.

• group (str or keystoneclient.v3.groups.Group) – filter in role grants for the specified group on a resource. Domain or project must be specified. User and group are mutually exclusive.

• domain (str or keystoneclient.v3.domains.Domain) – filter in role grants on the specified domain. Either user or group must be specified. Project, domain, and system are mutually exclusive.

• project (str or keystoneclient.v3.projects.Project) – filter in role grants on the specified project. Either user or group must be specified. Project, domain and system are mutually exclusive.

• os_inherit_extension_inherited (bool) – OS-INHERIT will be used. It provides the ability for projects to inherit role assignments from their domains or from parent projects in the hierarchy.

• kwargs – any other attribute provided will filter roles on.

Returns

a list of roles.

Return type

list of keystoneclient.v3.roles.Role

list_role_inferences(**kwargs)¶

resource_class¶

alias of Role

revoke(role, user=None, group=None, system=None, domain=None, project=None, os_inherit_extension_inherited=False, **kwargs)¶

Revoke a role from a user or group on a domain or project.

Parameters

• user (str or keystoneclient.v3.users.User) – revoke role grants for the specified user on a resource. Domain or project must be specified. User and group are mutually exclusive.

• group (str or keystoneclient.v3.groups.Group) – revoke role grants for the specified group on a resource. Domain or project must be specified. User and group are mutually exclusive.

• system (str) – revoke role grants on the system. Project, domain, and system are mutually exclusive.

• domain (str or keystoneclient.v3.domains.Domain) – revoke role grants on the specified domain. Either user or group must be specified. Project, domain, and system are mutually exclusive.

• project (str or keystoneclient.v3.projects.Project) – revoke role grants on the specified project. Either user or group must be specified. Project, domain, and system are mutually exclusive.

• os_inherit_extension_inherited (bool) – OS-INHERIT will be used. It provides the ability for projects to inherit role assignments from their domains or from parent projects in the hierarchy.

• kwargs – any other attribute provided will be passed to server.

Returns

the revoked role returned from server.

Return type

list of keystoneclient.v3.roles.Role

update(role, name=None, **kwargs)¶

Update a role.

Parameters

• role (str or keystoneclient.v3.roles.Role) – the role to be updated on the server.

• name (str) – the new name of the role.

• kwargs – any other attribute provided will be passed to server.

Returns

the updated role returned from server.

Return type

keystoneclient.v3.roles.Role

keystoneclient.v3.services module¶

class keystoneclient.v3.services.Service(manager, info, loaded=False)¶

Bases: Resource

Represents an Identity service.

Attributes:

• id: a uuid that identifies the service

• name: the user-facing name of the service (e.g. Keystone)

• description: a description of the service

• type: the type of the service (e.g. ‘compute’, ‘identity’)

• enabled: determines whether the service appears in the catalog

class keystoneclient.v3.services.ServiceManager(client)¶

Bases: CrudManager

Manager class for manipulating Identity services.

collection_key = 'services'¶

create(name, type=None, enabled=True, description=None, **kwargs)¶

Create a service.

Parameters

• name (str) – the name of the service.

• type (str) – the type of the service.

• enabled (bool) – whether the service appears in the catalog.

• description (str) – the description of the service.

• kwargs – any other attribute provided will be passed to the server.

Returns

the created service returned from server.

Return type

keystoneclient.v3.services.Service

delete(service=None, id=None)¶

Delete a service.

Parameters

service (str or keystoneclient.v3.services.Service) – the service to be deleted on the server.

Returns

Response object with 204 status.

Return type

requests.models.Response

get(service)¶

Retrieve a service.

Parameters

service (str or keystoneclient.v3.services.Service) – the service to be retrieved from the server.

Returns

the specified service returned from server.

Return type

keystoneclient.v3.services.Service

key = 'service'¶

list(name=None, type=None, **kwargs)¶

List services.

Parameters

• name (str) – the name of the services to be filtered on.

• type (str) – the type of the services to be filtered on.

• kwargs – any other attribute provided will filter services on.

Returns

a list of services.

Return type

list of keystoneclient.v3.services.Service

resource_class¶

alias of Service

update(service, name=None, type=None, enabled=None, description=None, **kwargs)¶

Update a service.

Parameters

• service (str or keystoneclient.v3.services.Service) – the service to be updated on the server.

• name (str) – the new name of the service.

• type (str) – the new type of the service.

• enabled (bool) – whether the service appears in the catalog.

• description (str) – the new description of the service.

• kwargs – any other attribute provided will be passed to server.

Returns

the updated service returned from server.

Return type

keystoneclient.v3.services.Service

keystoneclient.v3.system module¶

class keystoneclient.v3.system.System(manager, info, loaded=False)¶

Bases: Resource

Represents the deployment system, with all the services in it.

Attributes:

• all: boolean

keystoneclient.v3.tokens module¶

class keystoneclient.v3.tokens.TokenManager(client)¶

Bases: object

Manager class for manipulating Identity tokens.

get_revoked(audit_id_only=False)¶

Get revoked tokens list.

Parameters

audit_id_only (bool) – If true, the server is requested to not send token IDs, but only audit IDs instead. New in version 2.2.0.

Returns

A dict containing signed which is a CMS formatted string if the server signed the response. If audit_id_only is true then the response may be a dict containing revoked which is the list of token audit IDs and expiration times.

Return type

dict

get_token_data(token, include_catalog=True, allow_expired=False, access_rules_support=None)¶

Fetch the data about a token from the identity server.

Parameters

• token (str) – The ID of the token to be fetched.

• include_catalog (bool) – Whether the service catalog should be included in the response.

• allow_expired – If True the token will be validated and returned if it has already expired.

• access_rules_support (float) – Version number indicating that the client is capable of enforcing keystone access rules, if unset this client does not support access rules.

Return type

dict

revoke_token(token)¶

Revoke a token.

Parameters

token (str or keystoneclient.access.AccessInfo) – The token to be revoked.

validate(token, include_catalog=True, allow_expired=False, access_rules_support=None)¶

Validate a token.

Parameters

• token (str or keystoneclient.access.AccessInfo) – The token to be validated.

• include_catalog – If False, the response is requested to not include the catalog.

• allow_expired (bool) – If True the token will be validated and returned if it has already expired.

• access_rules_support (float) – Version number indicating that the client is capable of enforcing keystone access rules, if unset this client does not support access rules.

Return type

keystoneclient.access.AccessInfoV3