keystoneclient.v3 package

Submodules

keystoneclient.v3.auth module

class keystoneclient.v3.auth.AuthManager(client)

Bases: keystoneclient.base.Manager

Retrieve auth context specific information.

The information returned by the /auth routes are entirely dependant on the authentication information provided by the user.

domains()

List Domains that this token can be rescoped to.

projects()

List projects that this token can be rescoped to.

class keystoneclient.v3.auth.Domain(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity domain.

Attributes:
  • id: a uuid that identifies the domain
class keystoneclient.v3.auth.Project(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity project.

Attributes:

  • id: a uuid that identifies the project

  • name: project name

  • description: project description

  • enabled: boolean to indicate if project is enabled

  • parent_id: a uuid representing this project’s parent in hierarchy

  • parents: a list or a structured dict containing the parents of this

    project in the hierarchy

  • subtree: a list or a structured dict containing the subtree of this

    project in the hierarchy

keystoneclient.v3.client module

class keystoneclient.v3.client.Client(**kwargs)

Bases: keystoneclient.httpclient.HTTPClient

Client for the OpenStack Identity API v3.

Parameters:
  • user_id (string) – User ID for authentication. (optional)
  • username (string) – Username for authentication. (optional)
  • user_domain_id (string) – User’s domain ID for authentication. (optional)
  • user_domain_name (string) – User’s domain name for authentication. (optional)
  • password (string) – Password for authentication. (optional)
  • token (string) – Token for authentication. (optional)
  • domain_id (string) – Domain ID for domain scoping. (optional)
  • domain_name (string) – Domain name for domain scoping. (optional)
  • project_id (string) – Project ID for project scoping. (optional)
  • project_name (string) – Project name for project scoping. (optional)
  • project_domain_id (string) – Project’s domain ID for project scoping. (optional)
  • project_domain_name (string) – Project’s domain name for project scoping. (optional)
  • tenant_name (string) – Tenant name. (optional) The tenant_name keyword argument is deprecated as of the 1.7.0 release in favor of project_name and may be removed in the 2.0.0 release.
  • tenant_id (string) – Tenant id. (optional) The tenant_id keyword argument is deprecated as of the 1.7.0 release in favor of project_id and may be removed in the 2.0.0 release.
  • auth_url (string) – Identity service endpoint for authorization.
  • region_name (string) – Name of a region to select when choosing an endpoint from the service catalog.
  • endpoint (string) – A user-supplied endpoint URL for the identity service. Lazy-authentication is possible for API service calls if endpoint is set at instantiation. (optional)
  • timeout (integer) – Allows customization of the timeout for client http requests. (optional)

Warning

Constructing an instance of this class without a session is deprecated as of the 1.7.0 release and will be removed in the 2.0.0 release.

Example:

>>> from keystoneclient.v3 import client
>>> keystone = client.Client(user_domain_name=DOMAIN_NAME,
...                          username=USER,
...                          password=PASS,
...                          project_domain_name=PROJECT_DOMAIN_NAME,
...                          project_name=PROJECT_NAME,
...                          auth_url=KEYSTONE_URL)
...
>>> keystone.projects.list()
...
>>> user = keystone.users.get(USER_ID)
>>> user.delete()

Instances of this class have the following managers:

credentials

keystoneclient.v3.credentials.CredentialManager

ec2

keystoneclient.v3.ec2.EC2Manager

endpoint_filter

keystoneclient.v3.contrib.endpoint_filter.EndpointFilterManager

endpoint_policy

keystoneclient.v3.contrib.endpoint_policy.EndpointPolicyManager

endpoints

keystoneclient.v3.endpoints.EndpointManager

domains

keystoneclient.v3.domains.DomainManager

federation

keystoneclient.v3.contrib.federation.core.FederationManager

groups

keystoneclient.v3.groups.GroupManager

oauth1

keystoneclient.v3.contrib.oauth1.core.OAuthManager

policies

keystoneclient.v3.policies.PolicyManager

regions

keystoneclient.v3.regions.RegionManager

role_assignments

keystoneclient.v3.role_assignments.RoleAssignmentManager

roles

keystoneclient.v3.roles.RoleManager

simple_cert

keystoneclient.v3.contrib.simple_cert.SimpleCertManager

services

keystoneclient.v3.services.ServiceManager

tokens

keystoneclient.v3.tokens.TokenManager

trusts

keystoneclient.v3.contrib.trusts.TrustManager

users

keystoneclient.v3.users.UserManager

get_raw_token_from_identity_service(auth_url, user_id=None, username=None, user_domain_id=None, user_domain_name=None, password=None, domain_id=None, domain_name=None, project_id=None, project_name=None, project_domain_id=None, project_domain_name=None, token=None, trust_id=None, **kwargs)

Authenticate against the v3 Identity API.

If password and token methods are both provided then both methods will be used in the request.

Returns:

access.AccessInfo if authentication was successful.
Raises:
process_token(**kwargs)

Extract and process information from the new auth_ref.

And set the relevant authentication information.

serialize(entity)
version = 'v3'

keystoneclient.v3.credentials module

class keystoneclient.v3.credentials.Credential(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity credential.

Attributes:
  • id: a uuid that identifies the credential
  • user_id: user ID
  • type: credential type
  • blob: credential data
  • project_id: project ID (optional)
class keystoneclient.v3.credentials.CredentialManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity credentials.

collection_key = 'credentials'
create(*args, **kwargs)

Create a credential

Parameters:
  • user (keystoneclient.v3.users.User or str) – User
  • type (str) – credential type, should be either ec2 or cert
  • blob (JSON) – Credential data
  • data (JSON) – Deprecated as of the 1.7.0 release in favor of blob and may by removed in the 2.0.0 release.
  • project (keystoneclient.v3.projects.Project or str) – Project, optional
  • kwargs – Extra attributes passed to create.
Raises:

ValueError – if one of blob or data is not specified.
delete(credential)

Delete a credential

Parameters:credential (Credential or str) – Credential
get(credential)

Get a credential

Parameters:credential (Credential or str) – Credential
key = 'credential'
list(**kwargs)

List credentials.

If **kwargs are provided, then filter credentials with attributes matching **kwargs.

resource_class

alias of Credential

update(*args, **kwargs)

Update a credential

Parameters:
  • credential (Credential or str) – Credential to update
  • user (keystoneclient.v3.users.User or str) – User
  • type (str) – credential type, should be either ec2 or cert
  • blob (JSON) – Credential data
  • data (JSON) – Deprecated as of the 1.7.0 release in favor of blob and may be removed in the 2.0.0 release.
  • project (keystoneclient.v3.projects.Project or str) – Project
  • kwargs – Extra attributes passed to create.
Raises:

ValueError – if one of blob or data is not specified.

keystoneclient.v3.domains module

class keystoneclient.v3.domains.Domain(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity domain.

Attributes:
  • id: a uuid that identifies the domain
class keystoneclient.v3.domains.DomainManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity domains.

collection_key = 'domains'
create(name, description=None, enabled=True, **kwargs)
delete(domain)
get(domain)
key = 'domain'
list(**kwargs)

List domains.

**kwargs allows filter criteria to be passed where
supported by the server.
resource_class

alias of Domain

update(domain, name=None, description=None, enabled=None, **kwargs)

keystoneclient.v3.ec2 module

class keystoneclient.v3.ec2.EC2(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

class keystoneclient.v3.ec2.EC2Manager(client)

Bases: keystoneclient.base.ManagerWithFind

create(user_id, project_id)

Create a new access/secret pair for the user/project pair.

Return type:object of type EC2
delete(user_id, access)

Delete an access/secret pair for a user.

get(user_id, access)

Get the access/secret pair for a given access key.

Return type:object of type EC2
list(user_id)

Get a list of access/secret pairs for a user_id.

Return type:list of EC2
resource_class

alias of EC2

keystoneclient.v3.endpoints module

class keystoneclient.v3.endpoints.Endpoint(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity endpoint.

Attributes:
  • id: a uuid that identifies the endpoint
  • interface: ‘public’, ‘admin’ or ‘internal’ network interface
  • region: geographic location of the endpoint
  • service_id: service to which the endpoint belongs
  • url: fully qualified service endpoint
  • enabled: determines whether the endpoint appears in the catalog
class keystoneclient.v3.endpoints.EndpointManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity endpoints.

collection_key = 'endpoints'
create(service, url, interface=None, region=None, enabled=True, **kwargs)
delete(endpoint)
get(endpoint)
key = 'endpoint'
list(service=None, interface=None, region=None, enabled=None, region_id=None, **kwargs)

List endpoints.

If **kwargs are provided, then filter endpoints with attributes matching **kwargs.

resource_class

alias of Endpoint

update(endpoint, service=None, url=None, interface=None, region=None, enabled=None, **kwargs)

keystoneclient.v3.groups module

class keystoneclient.v3.groups.Group(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity user group.

Attributes:
  • id: a uuid that identifies the group
  • name: group name
  • description: group description
update(name=None, description=None)
class keystoneclient.v3.groups.GroupManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity groups.

collection_key = 'groups'
create(name, domain=None, description=None, **kwargs)
delete(group)
get(group)
key = 'group'
list(user=None, domain=None, **kwargs)

List groups.

If domain or user is provided, then filter groups with that attribute.

If **kwargs are provided, then filter groups with attributes matching **kwargs.

resource_class

alias of Group

update(group, name=None, description=None, **kwargs)

keystoneclient.v3.policies module

class keystoneclient.v3.policies.Policy(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity policy.

Attributes:
  • id: a uuid that identifies the policy
  • blob: a policy document (blob)
  • type: the mime type of the policy blob
update(blob=None, type=None)
class keystoneclient.v3.policies.PolicyManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity policies.

collection_key = 'policies'
create(blob, type='application/json', **kwargs)
delete(policy)
get(policy)
key = 'policy'
list(**kwargs)

List policies.

**kwargs allows filter criteria to be passed where
supported by the server.
resource_class

alias of Policy

update(entity, blob=None, type=None, **kwargs)

keystoneclient.v3.projects module

class keystoneclient.v3.projects.Project(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity project.

Attributes:

  • id: a uuid that identifies the project

  • name: project name

  • description: project description

  • enabled: boolean to indicate if project is enabled

  • parent_id: a uuid representing this project’s parent in hierarchy

  • parents: a list or a structured dict containing the parents of this

    project in the hierarchy

  • subtree: a list or a structured dict containing the subtree of this

    project in the hierarchy

update(name=None, description=None, enabled=None)
class keystoneclient.v3.projects.ProjectManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity projects.

collection_key = 'projects'
create(name, domain, description=None, enabled=True, parent=None, **kwargs)

Create a project.

Parameters:
delete(project)
get(project, subtree_as_list=False, parents_as_list=False, subtree_as_ids=False, parents_as_ids=False)

Get a project.

Parameters:
  • project (keystoneclient.v3.projects.Project or str) – project to be retrieved.
  • subtree_as_list (boolean) – retrieve projects below this project in the hierarchy as a flat list. (optional)
  • parents_as_list (boolean) – retrieve projects above this project in the hierarchy as a flat list. (optional)
  • subtree_as_ids (boolean) – retrieve the IDs from the projects below this project in the hierarchy as a structured dictionary. (optional)
  • parents_as_ids (boolean) – retrieve the IDs from the projects above this project in the hierarchy as a structured dictionary. (optional)
Raises:

keystoneclient.exceptions.ValidationError – if subtree_as_list and subtree_as_ids or parents_as_list and parents_as_ids are included at the same time in the call.
key = 'project'
list(domain=None, user=None, **kwargs)

List projects.

If domain or user are provided, then filter projects with those attributes.

If **kwargs are provided, then filter projects with attributes matching **kwargs.

resource_class

alias of Project

update(project, name=None, domain=None, description=None, enabled=None, **kwargs)

keystoneclient.v3.regions module

class keystoneclient.v3.regions.Region(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents a Catalog region.

Attributes:
  • id: a string that identifies the region.
  • description: a string that describes the region. Optional.
  • parent_region_id: string that is the id field for a pre-existing region in the backend. Allows for hierarchical region organization
  • enabled: determines whether the endpoint appears in the catalog. Defaults to True
class keystoneclient.v3.regions.RegionManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity regions.

collection_key = 'regions'
create(id=None, description=None, enabled=True, parent_region=None, **kwargs)

Create a Catalog region.

Parameters:
  • id – a string that identifies the region. If not specified a unique identifier will be assigned to the region.
  • description – a string that describes the region.
  • parent_region – string that is the id field for a pre-existing region in the backend. Allows for hierarchical region organization.
  • enabled – determines whether the endpoint appears in the catalog.
delete(region)
get(region)
key = 'region'
list(**kwargs)

List regions.

If **kwargs are provided, then filter regions with attributes matching **kwargs.

resource_class

alias of Region

update(region, description=None, enabled=None, parent_region=None, **kwargs)

Update a Catalog region.

Parameters:
  • region – a string that identifies the region.
  • description – a string that describes the region.
  • parent_region – string that is the id field for a pre-existing region in the backend. Allows for hierarchical region organization.
  • enabled – determines whether the endpoint appears in the catalog.

keystoneclient.v3.role_assignments module

class keystoneclient.v3.role_assignments.RoleAssignment(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity role assignment.

Attributes:

  • role: an object which contains a role uuid

  • user or group: an object which contains either a user or

    group uuid

  • scope: an object which has either a project or domain object

    containing an uuid

class keystoneclient.v3.role_assignments.RoleAssignmentManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity roles assignments.

collection_key = 'role_assignments'
create(**kwargs)
delete(**kwargs)
find(**kwargs)
get(**kwargs)
key = 'role_assignment'
list(user=None, group=None, project=None, domain=None, role=None, effective=False, os_inherit_extension_inherited_to=None, include_subtree=False, include_names=False)

Lists role assignments.

If no arguments are provided, all role assignments in the system will be listed.

If both user and group are provided, a ValidationError will be raised. If both domain and project are provided, it will also raise a ValidationError.

Parameters:
  • user – User to be used as query filter. (optional)
  • group – Group to be used as query filter. (optional)
  • project – Project to be used as query filter. (optional)
  • domain – Domain to be used as query filter. (optional)
  • role – Role to be used as query filter. (optional)
  • effective (boolean) – return effective role assignments. (optional)
  • os_inherit_extension_inherited_to (string) – return inherited role assignments for either ‘projects’ or ‘domains’. (optional)
  • include_subtree (boolean) – Include subtree (optional)
  • include_names (boolean) – Display names instead of IDs. (optional)
put(**kwargs)
resource_class

alias of RoleAssignment

update(**kwargs)

keystoneclient.v3.roles module

class keystoneclient.v3.roles.InferenceRule(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Rule that states one ROle implies another

Attributes:
  • prior_role: this role implies the other
  • implied_role: this role is implied by the other
class keystoneclient.v3.roles.Role(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity role.

Attributes:
  • id: a uuid that identifies the role
  • name: user-facing identifier
  • domain: optional domain for the role
class keystoneclient.v3.roles.RoleManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity roles.

check(role, user=None, group=None, domain=None, project=None, os_inherit_extension_inherited=False, **kwargs)

Checks if a user or group has a role on a domain or project.

If ‘os_inherit_extension_inherited’ is passed, then OS-INHERIT will be used. It provides the ability for projects to inherit role assignments from their domains or from projects in the hierarchy.

check_implied(prior_role, implied_role, **kwargs)
collection_key = 'roles'
create(name, domain=None, **kwargs)
create_implied(prior_role, implied_role, **kwargs)
delete(role)
delete_implied(prior_role, implied_role, **kwargs)
get(role)
get_implied(prior_role, implied_role, **kwargs)
grant(role, user=None, group=None, domain=None, project=None, os_inherit_extension_inherited=False, **kwargs)

Grants a role to a user or group on a domain or project.

If ‘os_inherit_extension_inherited’ is passed, then OS-INHERIT will be used. It provides the ability for projects to inherit role assignments from their domains or from projects in the hierarchy.

key = 'role'
list(user=None, group=None, domain=None, project=None, os_inherit_extension_inherited=False, **kwargs)

Lists roles and role grants.

If no arguments are provided, all roles in the system will be listed.

If a user or group is specified, you must also specify either a domain or project to list role grants on that pair. And if **kwargs are provided, then also filter roles with attributes matching **kwargs.

If ‘os_inherit_extension_inherited’ is passed, then OS-INHERIT will be used. It provides the ability for projects to inherit role assignments from their domains or from projects in the hierarchy.

list_role_inferences(**kwargs)
resource_class

alias of Role

revoke(role, user=None, group=None, domain=None, project=None, os_inherit_extension_inherited=False, **kwargs)

Revokes a role from a user or group on a domain or project.

If ‘os_inherit_extension_inherited’ is passed, then OS-INHERIT will be used. It provides the ability for projects to inherit role assignments from their domains or from projects in the hierarchy.

update(role, name=None, **kwargs)

keystoneclient.v3.services module

class keystoneclient.v3.services.Service(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity service.

Attributes:
  • id: a uuid that identifies the service
  • name: user-facing name of the service (e.g. Keystone)
  • type: ‘compute’, ‘identity’, etc
  • enabled: determines whether the service appears in the catalog
class keystoneclient.v3.services.ServiceManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity services.

collection_key = 'services'
create(name, type=None, enabled=True, description=None, **kwargs)
delete(service=None, id=None)
get(service)
key = 'service'
list(name=None, type=None, **kwargs)
resource_class

alias of Service

update(service, name=None, type=None, enabled=None, description=None, **kwargs)

keystoneclient.v3.tokens module

class keystoneclient.v3.tokens.TokenManager(client)

Bases: object

Manager class for manipulating Identity tokens.

get_revoked()

Get revoked tokens list.

Returns:A dict containing “signed” which is a CMS formatted string.
Return type:dict
get_token_data(token, include_catalog=True)

Fetch the data about a token from the identity server.

Parameters:
  • token (str) – The token id.
  • include_catalog (bool) – If False, the response is requested to not include the catalog.
Return type:

dict
revoke_token(token)

Revoke a token.

Parameters:token – Token to be revoked. This can be an instance of keystoneclient.access.AccessInfo or a string token_id.
validate(token, include_catalog=True)

Validate a token.

Parameters:
  • token – Token to be validated. This can be an instance of keystoneclient.access.AccessInfo or a string token_id.
  • include_catalog – If False, the response is requested to not include the catalog.
Return type:

keystoneclient.access.AccessInfoV3

keystoneclient.v3.users module

class keystoneclient.v3.users.User(manager, info, loaded=False)

Bases: keystoneclient.base.Resource

Represents an Identity user.

Attributes:
  • id: a uuid that identifies the user
class keystoneclient.v3.users.UserManager(client)

Bases: keystoneclient.base.CrudManager

Manager class for manipulating Identity users.

add_to_group(user, group)
check_in_group(user, group)
collection_key = 'users'
create(*args, **kwargs)

Create a user.

Warning

The project argument is deprecated as of the 1.7.0 release in favor of default_project and may be removed in the 2.0.0 release.

If both default_project and project is provided, the default_project will be used.

delete(user)
get(user)
key = 'user'
list(*args, **kwargs)

List users.

If project, domain or group are provided, then filter users with those attributes.

If **kwargs are provided, then filter users with attributes matching **kwargs.

Warning

The project argument is deprecated as of the 1.7.0 release in favor of default_project and may be removed in the 2.0.0 release.

If both default_project and project is provided, the default_project will be used.

remove_from_group(user, group)
resource_class

alias of User

update(*args, **kwargs)

Update a user.

Warning

The project argument is deprecated as of the 1.7.0 release in favor of default_project and may be removed in the 2.0.0 release.

If both default_project and project is provided, the default_project will be used.

update_password(old_password, new_password)

Update the password for the user the token belongs to.

Module contents