Re: [openstack-dev] [neutron] How to look up a project name from Neutron server code?
Thanks Aditya, that looks like just what I need. Best wishes, Neil On Tue, Jul 17, 2018 at 5:48 PM Aditya Vaja wrote: > hey neil, > > neutron.conf has a section called '[keystone_authtoken]’ which has > credentials to query keystone as neutron. you can read the config as you’d > typically do from the mechanism driver for any other property using > oslo.config. > > you could then use python-keystoneclient with those creds to query the > mapping. a sample is given in the keystoneclient repo [1]. > > via telegram > > [1] > https://github.com/openstack/python-keystoneclient/blob/650716d0dd30a73ccabe3f0ec20eb722ca0d70d4/keystoneclient/v3/client.py#L102-L116 > On Tue, Jul 17, 2018 at 9:58 PM, Neil Jerram wrote: > > On Tue, Jul 17, 2018 at 3:55 PM Jay Pipes wrote: > >> On 07/17/2018 03:36 AM, Neil Jerram wrote: >> > Can someone help me with how to look up a project name (aka tenant >> name) >> > for a known project/tenant ID, from code (specifically a mechanism >> > driver) running in the Neutron server? >> > >> > I believe that means I need to make a GET REST call as here: >> > https://developer.openstack.org/api-ref/identity/v3/index.html#projects. >> But >> > I don't yet understand how a piece of Neutron server code can ensure >> > that it has the right credentials to do that. If someone happens to >> > have actual code for doing this, I'm sure that would be very helpful. >> > >> > (I'm aware that whenever the Neutron server processes an API request, >> > the project name for the project that generated that request is added >> > into the request context. That is great when my code is running in an >> > API request context. But there are other times when the code isn't in a >> > request context and still needs to map from a project ID to project >> > name; hence the question here.) >> >> Hi Neil, >> >> You basically answered your own question above :) The neutron request >> context gets built from oslo.context's Context.from_environ() [1] which >> has this note in the implementation [2]: >> >> # Load a new context object from the environment variables set by >> # auth_token middleware. See: >> # >> >> https://docs.openstack.org/keystonemiddleware/latest/api/keystonemiddleware.auth_token.html#what-auth-token-adds-to-the-request-for-use-by-the-openstack-service >> >> So, basically, simply look at the HTTP headers for HTTP_X_PROJECT_NAME. >> If you don't have access to a HTTP headers, then you'll need to pass >> some context object/struct to the code you're referring to. Might as >> well pass the neutron RequestContext (derived from oslo_context.Context) >> to the code you're referring to and you get all this for free. >> >> Best, >> -jay >> >> [1] >> >> https://github.com/openstack/oslo.context/blob/4abd5377e4d847102a4e87a528d689e31cc1713c/oslo_context/context.py#L424 >> >> [2] >> >> https://github.com/openstack/oslo.context/blob/4abd5377e4d847102a4e87a528d689e31cc1713c/oslo_context/context.py#L433-L435 > > > Many thanks for this reply, Jay. > > If I'm understanding fully, I believe it all works beautifully so long as > the Neutron server is processing a specific API request, e.g. a port CRUD > operation. Then, as you say, the RequestContext includes the name of the > project/tenant that originated that request. > > I have an additional requirement, though, to do a occasional audit of > standing resources in the Neutron DB, and to check that my mechanism > driver's programming for them is correct. To do that, I have an independent > eventlet thread that runs in admin context and occasionally queries Neutron > resources, e.g. all the ports. For each port, the Neutron DB data includes > the project_id, but not project_name, and I'd like at that point to be able > to map from the project_id for each port to project_name. > > Do you have any thoughts on how I could do that? (E.g. perhaps there is > some way of generating and looping round a request with the project_id, > such that the middleware populates the project_name... but that sounds a > bit baroque; I would hope that there would be a way of doing a simpler > Keystone DB lookup.) > > Regards, > Neil > > > __ > OpenStack Development Mailing List (not for usage questions) Unsubscribe: > openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [neutron] How to look up a project name from Neutron server code?
hey neil, neutron.conf has a section called ' [keystone_authtoken]’ which has credentials to query keystone as neutron. you can read the config as you’d typically do from the mechanism driver for any other property using oslo.config. you could then use python-keystoneclient with those creds to query the mapping. a sample is given in the keystoneclient repo [1]. via telegram [1] https://github.com/openstack/python-keystoneclient/blob/650716d0dd30a73ccabe3f0ec20eb722ca0d70d4/keystoneclient/v3/client.py#L102-L116 On Tue, Jul 17, 2018 at 9:58 PM, Neil Jerram wrote: On Tue, Jul 17, 2018 at 3:55 PM Jay Pipes < jaypi...@gmail.com [jaypi...@gmail.com] > wrote: On 07/17/2018 03:36 AM, Neil Jerram wrote: > Can someone help me with how to look up a project name (aka tenant name) > for a known project/tenant ID, from code (specifically a mechanism > driver) running in the Neutron server? > > I believe that means I need to make a GET REST call as here: > https://developer.openstack.org/api-ref/identity/v3/index.html#projects > [https://developer.openstack.org/api-ref/identity/v3/index.html#projects] . > But > I don't yet understand how a piece of Neutron server code can ensure > that it has the right credentials to do that. If someone happens to > have actual code for doing this, I'm sure that would be very helpful. > > (I'm aware that whenever the Neutron server processes an API request, > the project name for the project that generated that request is added > into the request context. That is great when my code is running in an > API request context. But there are other times when the code isn't in a > request context and still needs to map from a project ID to project > name; hence the question here.) Hi Neil, You basically answered your own question above :) The neutron request context gets built from oslo.context's Context.from_environ() [1] which has this note in the implementation [2]: # Load a new context object from the environment variables set by # auth_token middleware. See: # https://docs.openstack.org/keystonemiddleware/latest/api/keystonemiddleware.auth_token.html#what-auth-token-adds-to-the-request-for-use-by-the-openstack-service [https://docs.openstack.org/keystonemiddleware/latest/api/keystonemiddleware.auth_token.html#what-auth-token-adds-to-the-request-for-use-by-the-openstack-service] So, basically, simply look at the HTTP headers for HTTP_X_PROJECT_NAME. If you don't have access to a HTTP headers, then you'll need to pass some context object/struct to the code you're referring to. Might as well pass the neutron RequestContext (derived from oslo_context.Context) to the code you're referring to and you get all this for free. Best, -jay [1] https://github.com/openstack/oslo.context/blob/4abd5377e4d847102a4e87a528d689e31cc1713c/oslo_context/context.py#L424 [https://github.com/openstack/oslo.context/blob/4abd5377e4d847102a4e87a528d689e31cc1713c/oslo_context/context.py#L424] [2] https://github.com/openstack/oslo.context/blob/4abd5377e4d847102a4e87a528d689e31cc1713c/oslo_context/context.py#L433-L435 [https://github.com/openstack/oslo.context/blob/4abd5377e4d847102a4e87a528d689e31cc1713c/oslo_context/context.py#L433-L435] Many thanks for this reply, Jay. If I'm understanding fully, I believe it all works beautifully so long as the Neutron server is processing a specific API request, e.g. a port CRUD operation. Then, as you say, the RequestContext includes the name of the project/tenant that originated that request. I have an additional requirement, though, to do a occasional audit of standing resources in the Neutron DB, and to check that my mechanism driver's programming for them is correct. To do that, I have an independent eventlet thread that runs in admin context and occasionally queries Neutron resources, e.g. all the ports. For each port, the Neutron DB data includes the project_id, but not project_name, and I'd like at that point to be able to map from the project_id for each port to project_name. Do you have any thoughts on how I could do that? (E.g. perhaps there is some way of generating and looping round a request with the project_id, such that the middleware populates the project_name... but that sounds a bit baroque; I would hope that there would be a way of doing a simpler Keystone DB lookup.) Regards, Neil __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev__ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [neutron] How to look up a project name from Neutron server code?
On Tue, Jul 17, 2018 at 3:55 PM Jay Pipes wrote: > On 07/17/2018 03:36 AM, Neil Jerram wrote: > > Can someone help me with how to look up a project name (aka tenant name) > > for a known project/tenant ID, from code (specifically a mechanism > > driver) running in the Neutron server? > > > > I believe that means I need to make a GET REST call as here: > > https://developer.openstack.org/api-ref/identity/v3/index.html#projects. > But > > I don't yet understand how a piece of Neutron server code can ensure > > that it has the right credentials to do that. If someone happens to > > have actual code for doing this, I'm sure that would be very helpful. > > > > (I'm aware that whenever the Neutron server processes an API request, > > the project name for the project that generated that request is added > > into the request context. That is great when my code is running in an > > API request context. But there are other times when the code isn't in a > > request context and still needs to map from a project ID to project > > name; hence the question here.) > > Hi Neil, > > You basically answered your own question above :) The neutron request > context gets built from oslo.context's Context.from_environ() [1] which > has this note in the implementation [2]: > > # Load a new context object from the environment variables set by > # auth_token middleware. See: > # > > https://docs.openstack.org/keystonemiddleware/latest/api/keystonemiddleware.auth_token.html#what-auth-token-adds-to-the-request-for-use-by-the-openstack-service > > So, basically, simply look at the HTTP headers for HTTP_X_PROJECT_NAME. > If you don't have access to a HTTP headers, then you'll need to pass > some context object/struct to the code you're referring to. Might as > well pass the neutron RequestContext (derived from oslo_context.Context) > to the code you're referring to and you get all this for free. > > Best, > -jay > > [1] > > https://github.com/openstack/oslo.context/blob/4abd5377e4d847102a4e87a528d689e31cc1713c/oslo_context/context.py#L424 > > [2] > > https://github.com/openstack/oslo.context/blob/4abd5377e4d847102a4e87a528d689e31cc1713c/oslo_context/context.py#L433-L435 Many thanks for this reply, Jay. If I'm understanding fully, I believe it all works beautifully so long as the Neutron server is processing a specific API request, e.g. a port CRUD operation. Then, as you say, the RequestContext includes the name of the project/tenant that originated that request. I have an additional requirement, though, to do a occasional audit of standing resources in the Neutron DB, and to check that my mechanism driver's programming for them is correct. To do that, I have an independent eventlet thread that runs in admin context and occasionally queries Neutron resources, e.g. all the ports. For each port, the Neutron DB data includes the project_id, but not project_name, and I'd like at that point to be able to map from the project_id for each port to project_name. Do you have any thoughts on how I could do that? (E.g. perhaps there is some way of generating and looping round a request with the project_id, such that the middleware populates the project_name... but that sounds a bit baroque; I would hope that there would be a way of doing a simpler Keystone DB lookup.) Regards, Neil __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [neutron] How to look up a project name from Neutron server code?
On 07/17/2018 03:36 AM, Neil Jerram wrote: Can someone help me with how to look up a project name (aka tenant name) for a known project/tenant ID, from code (specifically a mechanism driver) running in the Neutron server? I believe that means I need to make a GET REST call as here: https://developer.openstack.org/api-ref/identity/v3/index.html#projects. But I don't yet understand how a piece of Neutron server code can ensure that it has the right credentials to do that. If someone happens to have actual code for doing this, I'm sure that would be very helpful. (I'm aware that whenever the Neutron server processes an API request, the project name for the project that generated that request is added into the request context. That is great when my code is running in an API request context. But there are other times when the code isn't in a request context and still needs to map from a project ID to project name; hence the question here.) Hi Neil, You basically answered your own question above :) The neutron request context gets built from oslo.context's Context.from_environ() [1] which has this note in the implementation [2]: # Load a new context object from the environment variables set by # auth_token middleware. See: # https://docs.openstack.org/keystonemiddleware/latest/api/keystonemiddleware.auth_token.html#what-auth-token-adds-to-the-request-for-use-by-the-openstack-service So, basically, simply look at the HTTP headers for HTTP_X_PROJECT_NAME. If you don't have access to a HTTP headers, then you'll need to pass some context object/struct to the code you're referring to. Might as well pass the neutron RequestContext (derived from oslo_context.Context) to the code you're referring to and you get all this for free. Best, -jay [1] https://github.com/openstack/oslo.context/blob/4abd5377e4d847102a4e87a528d689e31cc1713c/oslo_context/context.py#L424 [2] https://github.com/openstack/oslo.context/blob/4abd5377e4d847102a4e87a528d689e31cc1713c/oslo_context/context.py#L433-L435 __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [neutron] How to look up a project name from Neutron server code?
Can someone help me with how to look up a project name (aka tenant name) for a known project/tenant ID, from code (specifically a mechanism driver) running in the Neutron server? I believe that means I need to make a GET REST call as here: https://developer.openstack.org/api-ref/identity/v3/index.html#projects. But I don't yet understand how a piece of Neutron server code can ensure that it has the right credentials to do that. If someone happens to have actual code for doing this, I'm sure that would be very helpful. (I'm aware that whenever the Neutron server processes an API request, the project name for the project that generated that request is added into the request context. That is great when my code is running in an API request context. But there are other times when the code isn't in a request context and still needs to map from a project ID to project name; hence the question here.) Many thanks, Neil __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev