On the keystone admin port the tenants call will list all tenants (provided the token corresponds to a user who has admin privileges).
- Gabriel From: openstack-bounces+gabriel.hurley=nebula....@lists.launchpad.net [mailto:openstack-bounces+gabriel.hurley=nebula....@lists.launchpad.net] On Behalf Of Luis Gervaso Sent: Thursday, May 03, 2012 1:24 PM To: Everett Toews Cc: openstack@lists.launchpad.net Subject: Re: [Openstack] Keystone API question Yes, this is the real issue. Since /tenants is only valid for the current user (that's X-Auth-Token dependant) How can an administrator user list all the tenants a user belongs to? Another issue i've detected is that endpoints are always dependant on a service, may be i'm wrong but for me: /service/{service_id}/endpoints is more appropiate than /endpoints Dolph, please correct me Luis On Thu, May 3, 2012 at 10:12 PM, Everett Toews <everett.to...@cybera.ca<mailto:everett.to...@cybera.ca>> wrote: I get the same as Luis when trying GET /users/{user_id}/roles on stable/essex (using devstack). Keystone spits back an AttributeError: 'UserController' object has no attribute 'get_user_roles' message instead of a nice 501. GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more detail have a look at http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html Everett On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews <dolph.math...@gmail.com<mailto:dolph.math...@gmail.com>> wrote: The philosophy in essex is that it's meaningless for a user to have a role without that role being applied to a tenant, so the call that's implemented is: GET /tenants/{tenant_id}/users/{user_id}/roles Calling this instead should get you an HTTP 501 stating "User roles not supported: tenant ID required". GET /users/{user_id}/roles Also, the term "roleRefs" was deprecated late in the diablo cycle (AFAIK) in favor of "roles". -Dolph On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso <l...@woorea.es<mailto:l...@woorea.es>> wrote: Hi, In Diablo was: GET /users/{user_id}/roleRefs In Essex it is maintained for compatibility reasons. I understand that this is the obsolete now. I can find: PUT & DELETE /users/{user_id}/roles/OS-KSADM/{role_id} How can get all the roles having a user_id? GET /users/{user_id}/roles (i can't find this on stable/essex) Returning role list with tenant associated Another option that would work for me is: GET /users/{user_id}/tenants Returning tenant list with role list associated per tenant When i GET /user/{user_id} i obtain only this info {"user": {"name": "admin", "enabled": true, "email": "ad...@example.com<mailto:ad...@example.com>", "id": "ef1e63df85b641d7bf3c575bb8670cef", "tenantId": null}} Regards -- ------------------------------------------- Luis Alberto Gervaso Martin Woorea Solutions, S.L CEO & CTO mobile: (+34) 627983344<tel:%28%2B34%29%20627983344> luis@<mailto:luis.gerv...@gmail.com>woorea.es<http://woorea.es/> _______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net<mailto:openstack@lists.launchpad.net> Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp _______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net<mailto:openstack@lists.launchpad.net> Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- ------------------------------------------- Luis Alberto Gervaso Martin Woorea Solutions, S.L CEO & CTO mobile: (+34) 627983344 luis@<mailto:luis.gerv...@gmail.com>woorea.es<http://woorea.es/>
_______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp