CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl/pypi-python-swiftclient

OpenStack Object Storage API Client Library

Overview
Eval results
Files

authentication.mddocs/

Authentication

Comprehensive authentication support for Swift v1 auth, Keystone v2/v3, and session-based authentication with multiple credential types and authentication methods.

Capabilities

Main Authentication Function

Central authentication function supporting multiple Swift authentication methods and OpenStack Keystone versions.

def get_auth(auth_url, user, key, **kwargs):
    """
    Get authentication/authorization credentials.

    Parameters:
    - auth_url: str, authentication URL
    - user: str, username to authenticate as
    - key: str, key/password to authenticate with
    - auth_version: str, API version ('1', '2.0', '3', default '1')
    - os_options: dict, OpenStack identity service options
    - session: keystoneauth1.Session, existing session object
    - snet: bool, use SERVICENET internal network (default False)
    - cacert: str, CA bundle file for TLS verification
    - insecure: bool, disable SSL certificate verification
    - cert: str, client certificate file
    - cert_key: str, client certificate private key file
    - timeout: float, connection timeout in seconds
    - tenant_name: str, tenant name for v2.0 auth

    Returns:
    tuple: (storage_url, auth_token)

    Raises:
    ClientException: Authentication failed
    """

Swift v1 Authentication

Original Swift authentication using HTTP headers, compatible with tempauth, swauth, and legacy Swift installations.

def get_auth_1_0(url, user, key, snet, **kwargs):
    """
    Authenticate using Swift v1.0 authentication.

    Parameters:
    - url: str, authentication URL
    - user: str, username (often in format tenant:user)
    - key: str, authentication key/password
    - snet: bool, use SERVICENET internal network
    - cacert: str, CA bundle file for TLS verification
    - insecure: bool, disable SSL certificate verification
    - cert: str, client certificate file
    - cert_key: str, client certificate private key file
    - timeout: float, connection timeout in seconds

    Returns:
    tuple: (storage_url, auth_token)

    Raises:
    ClientException: Authentication failed
    """

Keystone Authentication

OpenStack Identity (Keystone) authentication supporting v2.0 and v3 APIs with comprehensive credential options.

def get_auth_keystone(auth_url, user, key, os_options, **kwargs):
    """
    Authenticate against Keystone identity service.

    Parameters:
    - auth_url: str, Keystone authentication URL
    - user: str, username for authentication
    - key: str, password for authentication
    - os_options: dict, OpenStack authentication options
    - auth_version: str, Keystone version ('2.0', '3')
    - cacert: str, CA bundle file for TLS verification
    - insecure: bool, disable SSL certificate verification
    - cert: str, client certificate file
    - cert_key: str, client certificate private key file
    - timeout: float, connection timeout in seconds

    Returns:
    tuple: (storage_url, auth_token)

    Raises:
    ClientException: Authentication failed
    """

def get_keystoneclient_2_0(auth_url, user, key, os_options, **kwargs):
    """
    Legacy wrapper for Keystone v2.0 authentication.

    Parameters:
    - auth_url: str, Keystone v2.0 authentication URL
    - user: str, username for authentication
    - key: str, password for authentication
    - os_options: dict, OpenStack authentication options

    Returns:
    tuple: (storage_url, auth_token)
    """

OpenStack Options

The os_options dictionary supports comprehensive OpenStack identity configuration:

Basic Identity Options

os_options = {
    'tenant_id': 'tenant-uuid',
    'tenant_name': 'tenant-name',
    'project_id': 'project-uuid',
    'project_name': 'project-name',
    'user_id': 'user-uuid',
    'user_domain_id': 'user-domain-uuid',
    'user_domain_name': 'user-domain-name',
    'project_domain_id': 'project-domain-uuid',
    'project_domain_name': 'project-domain-name',
}

Service Configuration

os_options = {
    'service_type': 'object-store',  # Default: 'object-store'
    'endpoint_type': 'publicURL',    # 'publicURL', 'internalURL', 'adminURL'
    'region_name': 'us-east-1',
    'auth_token': 'existing-token',
    'object_storage_url': 'https://swift.example.com/v1/AUTH_account',
}

Application Credentials

os_options = {
    'auth_type': 'v3applicationcredential',
    'application_credential_id': 'app-cred-id',
    'application_credential_secret': 'app-cred-secret',
}

Usage Examples

Swift v1 Authentication

from swiftclient import get_auth

# Basic v1 auth
storage_url, token = get_auth(
    'http://swift.example.com/auth/v1.0',
    'tenant:username',
    'password'
)

# v1 auth with SSL
storage_url, token = get_auth(
    'https://swift.example.com/auth/v1.0',
    'tenant:username',
    'password',
    cacert='/path/to/ca-bundle.crt',
    insecure=False
)

Keystone v2.0 Authentication

# Basic v2.0 auth
storage_url, token = get_auth(
    'https://identity.example.com:5000/v2.0',
    'username',
    'password',
    auth_version='2.0',
    os_options={'tenant_name': 'project-name'}
)

# v2.0 with all options
storage_url, token = get_auth(
    'https://identity.example.com:5000/v2.0',
    'username',
    'password',
    auth_version='2.0',
    os_options={
        'tenant_name': 'project-name',
        'region_name': 'us-west-2',
        'service_type': 'object-store',
        'endpoint_type': 'publicURL'
    }
)

Keystone v3 Authentication

# Basic v3 auth
storage_url, token = get_auth(
    'https://identity.example.com:5000/v3',
    'username',
    'password',
    auth_version='3',
    os_options={
        'project_name': 'project-name',
        'user_domain_name': 'domain-name',
        'project_domain_name': 'domain-name'
    }
)

# v3 with domain IDs
storage_url, token = get_auth(
    'https://identity.example.com:5000/v3',
    'username',
    'password',
    auth_version='3',
    os_options={
        'project_id': 'project-uuid',
        'user_domain_id': 'user-domain-uuid',
        'project_domain_id': 'project-domain-uuid'
    }
)

# v3 application credentials
storage_url, token = get_auth(
    'https://identity.example.com:5000/v3',
    None,  # Not required for app creds
    None,  # Not required for app creds
    auth_version='3',
    os_options={
        'auth_type': 'v3applicationcredential',
        'application_credential_id': 'app-credential-id',
        'application_credential_secret': 'app-credential-secret'
    }
)

Session-Based Authentication

from keystoneauth1 import session
from keystoneauth1.identity import v3

# Create session with v3 password auth
auth = v3.Password(
    auth_url='https://identity.example.com:5000/v3',
    username='username',
    password='password',
    project_name='project-name',
    user_domain_name='domain-name',
    project_domain_name='domain-name'
)
sess = session.Session(auth=auth)

# Use session for authentication
storage_url, token = get_auth(
    None,  # Not required when using session
    None,  # Not required when using session
    None,  # Not required when using session
    session=sess,
    os_options={
        'service_type': 'object-store',
        'endpoint_type': 'public',
        'region_name': 'us-east-1'
    }
)

Environment Variable Authentication

import os

# Set environment variables
os.environ['ST_AUTH'] = 'http://swift.example.com/auth/v1.0'
os.environ['ST_USER'] = 'tenant:username'
os.environ['ST_KEY'] = 'password'

# Or OpenStack environment variables
os.environ['OS_AUTH_URL'] = 'https://identity.example.com:5000/v3'
os.environ['OS_USERNAME'] = 'username'
os.environ['OS_PASSWORD'] = 'password'
os.environ['OS_PROJECT_NAME'] = 'project-name'
os.environ['OS_USER_DOMAIN_NAME'] = 'domain-name'
os.environ['OS_PROJECT_DOMAIN_NAME'] = 'domain-name'

# Authentication will use environment variables
from swiftclient.service import get_conn
conn = get_conn({})  # Empty options uses environment variables

Error Handling

from swiftclient import ClientException, get_auth

try:
    storage_url, token = get_auth(
        'https://identity.example.com:5000/v3',
        'username',
        'wrong-password',
        auth_version='3',
        os_options={'project_name': 'project-name'}
    )
except ClientException as e:
    print(f"Authentication failed: {e}")
    if e.http_status == 401:
        print("Invalid credentials")
    elif e.http_status is None:
        print("Connection error")

Pre-authenticated Connections

# Skip authentication when you already have credentials
from swiftclient import Connection

conn = Connection(
    preauthurl='https://swift.example.com/v1/AUTH_account',
    preauthtoken='existing-auth-token'
)

# Use connection without authentication step
headers, containers = conn.get_account()

Advanced Authentication Classes

Specialized authentication components for legacy Swift v1 authentication and keystoneauth1 integration.

class ServiceCatalogV1:
    def __init__(self, auth_url, storage_url, account):
        """
        Service catalog for Swift v1 authentication.

        Parameters:
        - auth_url: str, authentication endpoint URL
        - storage_url: str, Swift storage URL
        - account: str, Swift account identifier
        """

    @property
    def storage_url(self):
        """Get the complete storage URL with account path."""

    @property
    def catalog(self):
        """Get service catalog in OpenStack format."""

class AccessInfoV1:
    def __init__(self, auth_url, storage_url, account, username, auth_token,
                 token_lifetime=None, session=None):
        """
        Access info container for Swift v1 authentication results.

        Parameters:
        - auth_url: str, authentication URL used
        - storage_url: str, Swift storage URL
        - account: str, Swift account
        - username: str, authenticated username
        - auth_token: str, authentication token
        - token_lifetime: int, token lifetime in seconds
        - session: Session, keystoneauth1 session
        """

    @property
    def expires(self):
        """Get token expiration datetime."""

    @property
    def will_expire_soon(self):
        """Check if token will expire within 30 seconds."""

class PasswordPlugin(base.BaseIdentityPlugin):
    def __init__(self, auth_url, username, password, account=None):
        """
        Keystoneauth1 plugin for Swift v1 password authentication.

        Parameters:
        - auth_url: str, Swift v1 auth URL
        - username: str, username for authentication
        - password: str, password for authentication
        - account: str, Swift account override
        """

    def get_auth_ref(self, session, **kwargs):
        """Authenticate and return access info."""

    def invalidate(self):
        """Invalidate current authentication."""

class PasswordLoader(loading.BaseLoader):
    """Configuration loader for Swift v1 password authentication."""

    available_load_methods = ['password']

    def get_available_load_methods(self):
        """Get available authentication methods."""

    def load_from_options(self, **kwargs):
        """Create plugin from configuration options."""

Advanced Swift v1 Authentication

from keystoneauth1 import session
from swiftclient.authv1 import PasswordPlugin, ServiceCatalogV1, AccessInfoV1

# Use Swift v1 plugin with keystoneauth1 session
auth = PasswordPlugin(
    auth_url='https://swift.example.com/auth/v1.0',
    username='tenant:user',
    password='password'
)

sess = session.Session(auth=auth)

# Get service catalog
catalog = sess.get_access().service_catalog

# Use with Connection
from swiftclient import Connection
conn = Connection(session=sess)

Install with Tessl CLI

npx tessl i tessl/pypi-python-swiftclient

docs

authentication.md

bulk-operations.md

client-connection.md

command-line-interface.md

exceptions.md

index.md

low-level-operations.md

utilities.md

tile.json