Re: [Openstack] [Keystone] API Question
As a non admin user. Querying the keystone v2 API is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing? -Matt ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] API Question
On 07/17/2012 03:47 PM, Matt Joyce wrote: As a non admin user. Querying the keystone v2 API is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing? -Matt I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user and there does not seem to be a route set up that calls that. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] API Question
On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com wrote: On 07/17/2012 03:47 PM, Matt Joyce wrote: As a non admin user. Querying the keystone v2 API is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing? -Matt I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user and there does not seem to be a route set up that calls that. 8( --- sad panda face. That would have been a very useful call for me right now. I hope we have something by folsom ( albeit s/tenant/project/ig ) -Matt ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] API Question
On 07/17/2012 03:55 PM, Matt Joyce wrote: On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com mailto:ayo...@redhat.com wrote: On 07/17/2012 03:47 PM, Matt Joyce wrote: As a non admin user. Querying the keystone v2 API is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing? -Matt I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user and there does not seem to be a route set up that calls that. 8( --- sad panda face. That would have been a very useful call for me right now. I hope we have something by folsom ( albeit s/tenant/project/ig ) -Matt You can try this one out: https://github.com/admiyo/keystone/commit/997f9cb76fa908afebf434bef4905add085823ca ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] API Question
curl -H X-Auth-Token:123456789001234 http://localhost:5000/v2.0/tenants that seems to do the trick for me for now. On Tue, Jul 17, 2012 at 1:03 PM, Adam Young ayo...@redhat.com wrote: On 07/17/2012 03:55 PM, Matt Joyce wrote: On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com wrote: On 07/17/2012 03:47 PM, Matt Joyce wrote: As a non admin user. Querying the keystone v2 API is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing? -Matt I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user and there does not seem to be a route set up that calls that. 8( --- sad panda face. That would have been a very useful call for me right now. I hope we have something by folsom ( albeit s/tenant/project/ig ) -Matt You can try this one out: https://github.com/admiyo/keystone/commit/997f9cb76fa908afebf434bef4905add085823ca ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] API Question
On 07/17/2012 04:05 PM, Matt Joyce wrote: curl -H X-Auth-Token:123456789001234http://localhost:5000/v2.0/tenants that seems to do the trick for me for now. Ah, I see that is hooked up to: get_tenants_for_token, I was looking for the wrong API. That then calls: tenant_ids = self.identity_api.get_tenants_for_user(context, user_ref['id']) I'm not sure that this is the right semantics for it, but it looks like it does what you want. On Tue, Jul 17, 2012 at 1:03 PM, Adam Young ayo...@redhat.com mailto:ayo...@redhat.com wrote: On 07/17/2012 03:55 PM, Matt Joyce wrote: On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com mailto:ayo...@redhat.com wrote: On 07/17/2012 03:47 PM, Matt Joyce wrote: As a non admin user. Querying the keystone v2 API is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing? -Matt I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user and there does not seem to be a route set up that calls that. 8( --- sad panda face. That would have been a very useful call for me right now. I hope we have something by folsom ( albeit s/tenant/project/ig ) -Matt You can try this one out: https://github.com/admiyo/keystone/commit/997f9cb76fa908afebf434bef4905add085823ca ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] API Question
Adam speaks lies ;)
Here's a regular user requesting a list of tenants on port 5000 (notice
they only get back 1 tenant):
GET http://localhost:5000/v2.0/tenants
==
X-Auth-Token: a6094f62e38c4fafa57e6edf7bd04961
200 OK
==
Status: 200
Content-Length: 133
Content-Location: http://localhost:5000/v2.0/tenants
Vary: X-Auth-Token
Date: Tue, 17 Jul 2012 20:49:16 GMT
Content-Type: application/json
{
tenants: [
{
enabled: true,
description: null,
name: my-project,
id: 2cf2efb1da5c4d5b8c97d8055ff3b5d8
}
],
tenants_links: []
}
Here's an admin API call for all tenants in the system (notice there is an
additional tenant the above user did not have access to):
GET http://localhost:35357/v2.0/tenants
===
X-Auth-Token: ADMIN
200 OK
==
Status: 200
Content-Length: 236
Content-Location: http://localhost:35357/v2.0/tenants
Vary: X-Auth-Token
Date: Tue, 17 Jul 2012 20:49:22 GMT
Content-Type: application/json
{
tenants: [
{
enabled: true,
description: null,
name: my-project,
id: 2cf2efb1da5c4d5b8c97d8055ff3b5d8
},
{
enabled: true,
description: null,
name: project-x,
id: 1213c2511f364264b1dfea9a56a225e0
}
],
tenants_links: []
}
-Dolph
On Tue, Jul 17, 2012 at 2:55 PM, Matt Joyce matt.jo...@cloudscaling.comwrote:
On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com wrote:
On 07/17/2012 03:47 PM, Matt Joyce wrote:
As a non admin user. Querying the keystone v2 API is there a way for me
to get a list of the tenants that I am a member of? Or is that only a v3
thing?
-Matt
I was just looking into it, and there is no such API yet. The
underlying Identity provider call is get_tenants_for_user and there does
not seem to be a route set up that calls that.
8( --- sad panda face.
That would have been a very useful call for me right now. I hope we have
something by folsom ( albeit s/tenant/project/ig )
-Matt
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] API Question
Anyone by any chance know how to read out the auth_token or raw_token that
is acquired in keystoneclient when it performs a client.Client()
Authenticate?
I'd love to be able to read that. And it's totally not documented anywhere
if it exists.
-Matt
On Tue, Jul 17, 2012 at 2:19 PM, Matt Joyce matt.jo...@cloudscaling.comwrote:
Works for me. =D
On Tue, Jul 17, 2012 at 1:51 PM, Dolph Mathews dolph.math...@gmail.comwrote:
Adam speaks lies ;)
Here's a regular user requesting a list of tenants on port 5000 (notice
they only get back 1 tenant):
GET http://localhost:5000/v2.0/tenants
==
X-Auth-Token: a6094f62e38c4fafa57e6edf7bd04961
200 OK
==
Status: 200
Content-Length: 133
Content-Location: http://localhost:5000/v2.0/tenants
Vary: X-Auth-Token
Date: Tue, 17 Jul 2012 20:49:16 GMT
Content-Type: application/json
{
tenants: [
{
enabled: true,
description: null,
name: my-project,
id: 2cf2efb1da5c4d5b8c97d8055ff3b5d8
}
],
tenants_links: []
}
Here's an admin API call for all tenants in the system (notice there is
an additional tenant the above user did not have access to):
GET http://localhost:35357/v2.0/tenants
===
X-Auth-Token: ADMIN
200 OK
==
Status: 200
Content-Length: 236
Content-Location: http://localhost:35357/v2.0/tenants
Vary: X-Auth-Token
Date: Tue, 17 Jul 2012 20:49:22 GMT
Content-Type: application/json
{
tenants: [
{
enabled: true,
description: null,
name: my-project,
id: 2cf2efb1da5c4d5b8c97d8055ff3b5d8
},
{
enabled: true,
description: null,
name: project-x,
id: 1213c2511f364264b1dfea9a56a225e0
}
],
tenants_links: []
}
-Dolph
On Tue, Jul 17, 2012 at 2:55 PM, Matt Joyce
matt.jo...@cloudscaling.comwrote:
On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com wrote:
On 07/17/2012 03:47 PM, Matt Joyce wrote:
As a non admin user. Querying the keystone v2 API is there a way for
me to get a list of the tenants that I am a member of? Or is that only a
v3 thing?
-Matt
I was just looking into it, and there is no such API yet. The
underlying Identity provider call is get_tenants_for_user and there does
not seem to be a route set up that calls that.
8( --- sad panda face.
That would have been a very useful call for me right now. I hope we
have something by folsom ( albeit s/tenant/project/ig )
-Matt
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] API Question
Not sure if it's documented outside of tests, but: *
client.Client().auth_token*
from keystoneclient.v2_0 import client
c = client.Client(auth_url='http://localhost:5000/v2.0/',
username='joe', password='secrete', tenant_name='project-x')
print c.auth_token
ec04fe9e554a43d1a853e6c665f3e9b2
-Dolph
On Tue, Jul 17, 2012 at 5:06 PM, Matt Joyce matt.jo...@cloudscaling.comwrote:
Anyone by any chance know how to read out the auth_token or raw_token that
is acquired in keystoneclient when it performs a client.Client()
Authenticate?
I'd love to be able to read that. And it's totally not documented
anywhere if it exists.
-Matt
On Tue, Jul 17, 2012 at 2:19 PM, Matt Joyce
matt.jo...@cloudscaling.comwrote:
Works for me. =D
On Tue, Jul 17, 2012 at 1:51 PM, Dolph Mathews
dolph.math...@gmail.comwrote:
Adam speaks lies ;)
Here's a regular user requesting a list of tenants on port 5000 (notice
they only get back 1 tenant):
GET http://localhost:5000/v2.0/tenants
==
X-Auth-Token: a6094f62e38c4fafa57e6edf7bd04961
200 OK
==
Status: 200
Content-Length: 133
Content-Location: http://localhost:5000/v2.0/tenants
Vary: X-Auth-Token
Date: Tue, 17 Jul 2012 20:49:16 GMT
Content-Type: application/json
{
tenants: [
{
enabled: true,
description: null,
name: my-project,
id: 2cf2efb1da5c4d5b8c97d8055ff3b5d8
}
],
tenants_links: []
}
Here's an admin API call for all tenants in the system (notice there is
an additional tenant the above user did not have access to):
GET http://localhost:35357/v2.0/tenants
===
X-Auth-Token: ADMIN
200 OK
==
Status: 200
Content-Length: 236
Content-Location: http://localhost:35357/v2.0/tenants
Vary: X-Auth-Token
Date: Tue, 17 Jul 2012 20:49:22 GMT
Content-Type: application/json
{
tenants: [
{
enabled: true,
description: null,
name: my-project,
id: 2cf2efb1da5c4d5b8c97d8055ff3b5d8
},
{
enabled: true,
description: null,
name: project-x,
id: 1213c2511f364264b1dfea9a56a225e0
}
],
tenants_links: []
}
-Dolph
On Tue, Jul 17, 2012 at 2:55 PM, Matt Joyce matt.jo...@cloudscaling.com
wrote:
On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com wrote:
On 07/17/2012 03:47 PM, Matt Joyce wrote:
As a non admin user. Querying the keystone v2 API is there a way for
me to get a list of the tenants that I am a member of? Or is that only a
v3 thing?
-Matt
I was just looking into it, and there is no such API yet. The
underlying Identity provider call is get_tenants_for_user and there does
not seem to be a route set up that calls that.
8( --- sad panda face.
That would have been a very useful call for me right now. I hope we
have something by folsom ( albeit s/tenant/project/ig )
-Matt
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] API Question
On 07/17/2012 06:06 PM, Matt Joyce wrote:
Anyone by any chance know how to read out the auth_token or raw_token
that is acquired in keystoneclient when it performs a client.Client()
Authenticate?
The token is just a UUID, randomly generated.
In the PKI proposal, it is a base64 encoding of a Signed document in CMS
format.
I'd love to be able to read that. And it's totally not documented
anywhere if it exists.
-Matt
On Tue, Jul 17, 2012 at 2:19 PM, Matt Joyce
matt.jo...@cloudscaling.com mailto:matt.jo...@cloudscaling.com wrote:
Works for me. =D
On Tue, Jul 17, 2012 at 1:51 PM, Dolph Mathews
dolph.math...@gmail.com mailto:dolph.math...@gmail.com wrote:
Adam speaks lies ;)
Here's a regular user requesting a list of tenants on port
5000 (notice they only get back 1 tenant):
GET http://localhost:5000/v2.0/tenants
==
X-Auth-Token: a6094f62e38c4fafa57e6edf7bd04961
200 OK
==
Status: 200
Content-Length: 133
Content-Location: http://localhost:5000/v2.0/tenants
Vary: X-Auth-Token
Date: Tue, 17 Jul 2012 20:49:16 GMT
Content-Type: application/json
{
tenants: [
{
enabled: true,
description: null,
name: my-project,
id: 2cf2efb1da5c4d5b8c97d8055ff3b5d8
}
],
tenants_links: []
}
Here's an admin API call for all tenants in the system (notice
there is an additional tenant the above user did not have
access to):
GET http://localhost:35357/v2.0/tenants
===
X-Auth-Token: ADMIN
200 OK
==
Status: 200
Content-Length: 236
Content-Location: http://localhost:35357/v2.0/tenants
Vary: X-Auth-Token
Date: Tue, 17 Jul 2012 20:49:22 GMT
Content-Type: application/json
{
tenants: [
{
enabled: true,
description: null,
name: my-project,
id: 2cf2efb1da5c4d5b8c97d8055ff3b5d8
},
{
enabled: true,
description: null,
name: project-x,
id: 1213c2511f364264b1dfea9a56a225e0
}
],
tenants_links: []
}
-Dolph
On Tue, Jul 17, 2012 at 2:55 PM, Matt Joyce
matt.jo...@cloudscaling.com
mailto:matt.jo...@cloudscaling.com wrote:
On Tue, Jul 17, 2012 at 12:55 PM, Adam Young
ayo...@redhat.com mailto:ayo...@redhat.com wrote:
On 07/17/2012 03:47 PM, Matt Joyce wrote:
As a non admin user. Querying the keystone v2 API
is there a way for me to get a list of the tenants
that I am a member of? Or is that only a v3 thing?
-Matt
I was just looking into it, and there is no such API
yet. The underlying Identity provider call is
get_tenants_for_user and there does not seem to be a
route set up that calls that.
8( --- sad panda face.
That would have been a very useful call for me right now.
I hope we have something by folsom ( albeit
s/tenant/project/ig )
-Matt
___
Mailing list: https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
Post to : openstack@lists.launchpad.net
mailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
https://launchpad.net/%7Eopenstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone API question
Replied inline.
On Thu, May 3, 2012 at 3:23 PM, Luis Gervaso l...@woorea.es wrote:
Yes, this is the real issue.
Since /tenants is only valid for the current user (that's X-Auth-Token
dependant)
Correct.
How can an administrator user list all the tenants a user belongs to?
In the current API, I'm only aware of the opposite call:
GET /tenants/{tenant_id}/users
Another issue i've detected is that endpoints are always dependant on a
service,
may be i'm wrong but for me:
/service/{service_id}/endpoints
is more appropiate than
/endpoints
We had a brief discussion on this topic at the summit in the v.NEXT API
talk, and Joseph Heck followed up with an email on the list regarding use
cases of the service catalog:
http://www.mail-archive.com/openstack@lists.launchpad.net/msg10194.html
I think the direction of that discussion should answer your question :)
Dolph, please correct me
Luis
On Thu, May 3, 2012 at 10:12 PM, Everett Toews everett.to...@cybera.cawrote:
I get the same as Luis when trying GET /users/{user_id}/roles on
stable/essex (using devstack). Keystone spits back an
AttributeError: 'UserController' object has no attribute 'get_user_roles'
message instead of a nice 501.
GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more
detail have a look at
http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html
Everett
On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews dolph.math...@gmail.comwrote:
The philosophy in essex is that it's meaningless for a user to have a
role without that role being applied to a tenant, so the call that's
implemented is:
GET /tenants/{tenant_id}/users/{user_id}/roles
Calling this instead should get you an HTTP 501 stating User roles not
supported: tenant ID required.
GET /users/{user_id}/roles
Also, the term roleRefs was deprecated late in the diablo cycle
(AFAIK) in favor of roles.
-Dolph
On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso l...@woorea.es wrote:
Hi,
In Diablo was:
GET /users/{user_id}/roleRefs
In Essex it is maintained for compatibility reasons. I understand that
this is the obsolete now.
I can find:
PUT DELETE /users/{user_id}/roles/OS-KSADM/{role_id}
How can get all the roles having a user_id?
GET /users/{user_id}/roles (i can't find this on stable/essex)
Returning role list with tenant associated
Another option that would work for me is:
GET /users/{user_id}/tenants
Returning tenant list with role list associated per tenant
When i GET /user/{user_id} i obtain only this info
{user: {name: admin, enabled: true, email: ad...@example.com,
id: ef1e63df85b641d7bf3c575bb8670cef, tenantId: null}}
Regards
--
---
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO CTO
mobile: (+34) 627983344
luis@ luis.gerv...@gmail.comwoorea.es
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
--
---
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO CTO
mobile: (+34) 627983344
luis@ luis.gerv...@gmail.comwoorea.es
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone API question
Hi Luis,
I'm digging around in the Keystone code right now and helping answer your
questions is helping me learn the code base. Keep 'em coming!
Anyway, from what I can tell, you're correct that there's no general way to
get all of the tenants that a user belongs to in the current high level
API. However, there is already support for exactly this feature in the
lower level API. In [1] you'll see that the Driver object has the
method get_tenants_for_user. This method is implemented in all of the
backends in [2] so there's support for it everywhere, it just hasn't been
exposed in the high level API. Looking closer at [1] we see the comment,
# NOTE(termie): seven calls below should probably be exposed by the api
# more clearly when the api redesign happens
which includes the method get_tenants_for_user. Looks like it's just a
matter of adding this method to one of the Routers to make it available in
the REST API.
My advice to you is to track down termie and find out what the story is
with the API redesign he mentions. Of course, you could always propose a
blueprint to [3] and make the method available yourself ;)
Hope this helps,
Everett
[1]
https://github.com/openstack/keystone/blob/master/keystone/identity/core.py
[2]
https://github.com/openstack/keystone/tree/master/keystone/identity/backends
[3] https://blueprints.launchpad.net/keystone
On Thu, May 3, 2012 at 5:27 PM, Luis Gervaso l...@woorea.es wrote:
From admin port I want to list the tenants a user (different from the
current user) belongs to.
On Fri, May 4, 2012 at 1:24 AM, Gabriel Hurley
gabriel.hur...@nebula.comwrote:
On the keystone admin port the tenants call will list all tenants
(provided the token corresponds to a user who has admin privileges).
** **
**- **Gabriel
** **
*From:*
openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net[mailto:
openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net] *On
Behalf Of *Luis Gervaso
*Sent:* Thursday, May 03, 2012 1:24 PM
*To:* Everett Toews
*Cc:* openstack@lists.launchpad.net
*Subject:* Re: [Openstack] Keystone API question
** **
Yes, this is the real issue.
** **
Since /tenants is only valid for the current user (that's X-Auth-Token
dependant)
** **
How can an administrator user list all the tenants a user belongs to?
** **
Another issue i've detected is that endpoints are always dependant on a
service,
may be i'm wrong but for me:
** **
/service/{service_id}/endpoints
** **
is more appropiate than
** **
/endpoints
** **
Dolph, please correct me
** **
Luis
** **
** **
On Thu, May 3, 2012 at 10:12 PM, Everett Toews everett.to...@cybera.ca
wrote:
I get the same as Luis when trying GET /users/{user_id}/roles on
stable/essex (using devstack). Keystone spits back an
** **
AttributeError: 'UserController' object has no attribute 'get_user_roles'
** **
message instead of a nice 501.
** **
GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more
detail have a look at
** **
http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html
** **
Everett
** **
On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews dolph.math...@gmail.com
wrote:
The philosophy in essex is that it's meaningless for a user to have a
role without that role being applied to a tenant, so the call that's
implemented is:
** **
GET /tenants/{tenant_id}/users/{user_id}/roles
** **
Calling this instead should get you an HTTP 501 stating User roles not
supported: tenant ID required.
** **
GET /users/{user_id}/roles
** **
Also, the term roleRefs was deprecated late in the diablo cycle (AFAIK)
in favor of roles.
** **
-Dolph
** **
On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso l...@woorea.es wrote:
Hi,
** **
In Diablo was:
** **
GET /users/{user_id}/roleRefs
** **
In Essex it is maintained for compatibility reasons. I understand that
this is the obsolete now.
** **
I can find:
** **
PUT DELETE /users/{user_id}/roles/OS-KSADM/{role_id}
** **
How can get all the roles having a user_id?
** **
GET /users/{user_id}/roles (i can't find this on stable/essex)
** **
Returning role list with tenant associated
** **
Another option that would work for me is:
** **
GET /users/{user_id}/tenants
** **
Returning tenant list with role list associated per tenant
** **
** **
When i GET /user/{user_id} i obtain only this info
** **
{user: {name: admin, enabled: true, email: ad...@example.com,
id: ef1e63df85b641d7bf3c575bb8670cef, tenantId: null}}
** **
Regards
Re: [Openstack] Keystone API question
Hi Everett,
I just uploaded a video showing all the issues i found:
http://youtu.be/TXw7h9Kl-Ow
As you can show, I can't drill down to roles related info from user if i
haven't selected a tenant or the user does
not have a default tenantId
From administrative tasks should be useful list tenants from userId (not
only from X-AuthToken), so I hope this to
be included in the ws api sooner or later ;)
Note : This is using OpenStack Java SDK
On Fri, May 4, 2012 at 6:51 PM, Everett Toews everett.to...@cybera.cawrote:
Hi Luis,
I'm digging around in the Keystone code right now and helping answer your
questions is helping me learn the code base. Keep 'em coming!
Anyway, from what I can tell, you're correct that there's no general way
to get all of the tenants that a user belongs to in the current high level
API. However, there is already support for exactly this feature in the
lower level API. In [1] you'll see that the Driver object has the
method get_tenants_for_user. This method is implemented in all of the
backends in [2] so there's support for it everywhere, it just hasn't been
exposed in the high level API. Looking closer at [1] we see the comment,
# NOTE(termie): seven calls below should probably be exposed by the api
# more clearly when the api redesign happens
which includes the method get_tenants_for_user. Looks like it's just a
matter of adding this method to one of the Routers to make it available in
the REST API.
My advice to you is to track down termie and find out what the story is
with the API redesign he mentions. Of course, you could always propose a
blueprint to [3] and make the method available yourself ;)
Hope this helps,
Everett
[1]
https://github.com/openstack/keystone/blob/master/keystone/identity/core.py
[2]
https://github.com/openstack/keystone/tree/master/keystone/identity/backends
[3] https://blueprints.launchpad.net/keystone
On Thu, May 3, 2012 at 5:27 PM, Luis Gervaso l...@woorea.es wrote:
From admin port I want to list the tenants a user (different from the
current user) belongs to.
On Fri, May 4, 2012 at 1:24 AM, Gabriel Hurley gabriel.hur...@nebula.com
wrote:
On the keystone admin port the tenants call will list all tenants
(provided the token corresponds to a user who has admin privileges).
** **
**- **Gabriel
** **
*From:*
openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net[mailto:
openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net] *On
Behalf Of *Luis Gervaso
*Sent:* Thursday, May 03, 2012 1:24 PM
*To:* Everett Toews
*Cc:* openstack@lists.launchpad.net
*Subject:* Re: [Openstack] Keystone API question
** **
Yes, this is the real issue.
** **
Since /tenants is only valid for the current user (that's X-Auth-Token
dependant)
** **
How can an administrator user list all the tenants a user belongs to?***
*
** **
Another issue i've detected is that endpoints are always dependant on a
service,
may be i'm wrong but for me:
** **
/service/{service_id}/endpoints
** **
is more appropiate than
** **
/endpoints
** **
Dolph, please correct me
** **
Luis
** **
** **
On Thu, May 3, 2012 at 10:12 PM, Everett Toews everett.to...@cybera.ca
wrote:
I get the same as Luis when trying GET /users/{user_id}/roles on
stable/essex (using devstack). Keystone spits back an
** **
AttributeError: 'UserController' object has no attribute 'get_user_roles'
** **
message instead of a nice 501.
** **
GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit
more detail have a look at
** **
http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html
** **
Everett
** **
On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews dolph.math...@gmail.com
wrote:
The philosophy in essex is that it's meaningless for a user to have a
role without that role being applied to a tenant, so the call that's
implemented is:
** **
GET /tenants/{tenant_id}/users/{user_id}/roles
** **
Calling this instead should get you an HTTP 501 stating User roles not
supported: tenant ID required.
** **
GET /users/{user_id}/roles
** **
Also, the term roleRefs was deprecated late in the diablo cycle
(AFAIK) in favor of roles.
** **
-Dolph
** **
On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso l...@woorea.es wrote:
Hi,
** **
In Diablo was:
** **
GET /users/{user_id}/roleRefs
** **
In Essex it is maintained for compatibility reasons. I understand that
this is the obsolete now.
** **
I can find:
** **
PUT DELETE /users/{user_id}/roles/OS-KSADM/{role_id}
** **
How can get all the roles having a user_id?
** **
GET /users
Re: [Openstack] Keystone API question
On 05/03/2012 12:06 AM, Luis Gervaso wrote: This is what i get. 1 GET http://192.168.1.41:35357/v2.0/users/ef1e63df85b641d7bf3c575bb8670cef/roles 1 X-Auth-Token: secret0 2012-05-03 00:03:55,337 [http-bio-8080-exec-10] INFO api.identity - 2 * LoggingFilter - Response received on thread http-bio-8080-exec-10 2 500 2 Connection: close 2 Content-Length: 5500 2 Content-Type: text/plain 2 Date: Mon, 26 Mar 2012 06:39:34 GMT Traceback (most recent call last): File /usr/lib/python2.7/dist-packages/eventlet/wsgi.py, line 336, in handle_one_response result = self.application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/paste/urlmap.py, line 203, in __call__ return app(environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 147, in __call__ resp = self.call_func(req, *args, **self.kwargs) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 208, in call_func return self.func(req, *args, **kwargs) File /opt/stack/keystone/keystone/common/wsgi.py, line 299, in __call__ response = request.get_response(self.application) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1053, in get_response application, catch_exc_info=False) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1022, in call_application app_iter = application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 147, in __call__ resp = self.call_func(req, *args, **self.kwargs) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 208, in call_func return self.func(req, *args, **kwargs) File /opt/stack/keystone/keystone/common/wsgi.py, line 299, in __call__ response = request.get_response(self.application) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1053, in get_response application, catch_exc_info=False) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1022, in call_application app_iter = application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 147, in __call__ resp = self.call_func(req, *args, **self.kwargs) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 208, in call_func return self.func(req, *args, **kwargs) File /opt/stack/keystone/keystone/common/wsgi.py, line 299, in __call__ response = request.get_response(self.application) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1053, in get_response application, catch_exc_info=False) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1022, in call_application app_iter = application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 147, in __call__ resp = self.call_func(req, *args, **self.kwargs) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 208, in call_func return self.func(req, *args, **kwargs) File /opt/stack/keystone/keystone/common/wsgi.py, line 299, in __call__ response = request.get_response(self.application) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1053, in get_response application, catch_exc_info=False) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1022, in call_application app_iter = application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 147, in __call__ resp = self.call_func(req, *args, **self.kwargs) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 208, in call_func return self.func(req, *args, **kwargs) File /opt/stack/keystone/keystone/common/wsgi.py, line 322, in __call__ resp = req.get_response(self.application) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1053, in get_response application, catch_exc_info=False) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1022, in call_application app_iter = application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 159, in __call__ return resp(environ, start_response) File /usr/lib/pymodules/python2.7/routes/middleware.py, line 131, in __call__ response = self.app(environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 159, in __call__ return resp(environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 159, in __call__ return resp(environ, start_response) File /usr/lib/pymodules/python2.7/routes/middleware.py, line 131, in __call__ response = self.app(environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 159, in __call__ return resp(environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 159, in __call__ return resp(environ, start_response) File /usr/lib/pymodules/python2.7/routes/middleware.py, line 131, in __call__ response = self.app(environ,
Re: [Openstack] Keystone API question
The philosophy in essex is that it's meaningless for a user to have a role
without that role being applied to a tenant, so the call that's implemented
is:
GET /tenants/{tenant_id}/users/{user_id}/roles
Calling this instead should get you an HTTP 501 stating User roles not
supported: tenant ID required.
GET /users/{user_id}/roles
Also, the term roleRefs was deprecated late in the diablo cycle (AFAIK)
in favor of roles.
-Dolph
On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso l...@woorea.es wrote:
Hi,
In Diablo was:
GET /users/{user_id}/roleRefs
In Essex it is maintained for compatibility reasons. I understand that
this is the obsolete now.
I can find:
PUT DELETE /users/{user_id}/roles/OS-KSADM/{role_id}
How can get all the roles having a user_id?
GET /users/{user_id}/roles (i can't find this on stable/essex)
Returning role list with tenant associated
Another option that would work for me is:
GET /users/{user_id}/tenants
Returning tenant list with role list associated per tenant
When i GET /user/{user_id} i obtain only this info
{user: {name: admin, enabled: true, email: ad...@example.com,
id: ef1e63df85b641d7bf3c575bb8670cef, tenantId: null}}
Regards
--
---
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO CTO
mobile: (+34) 627983344
luis@ luis.gerv...@gmail.comwoorea.es
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone API question
I get the same as Luis when trying GET /users/{user_id}/roles on
stable/essex (using devstack). Keystone spits back an
AttributeError: 'UserController' object has no attribute 'get_user_roles'
message instead of a nice 501.
GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more
detail have a look at
http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html
Everett
On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews dolph.math...@gmail.comwrote:
The philosophy in essex is that it's meaningless for a user to have a role
without that role being applied to a tenant, so the call that's implemented
is:
GET /tenants/{tenant_id}/users/{user_id}/roles
Calling this instead should get you an HTTP 501 stating User roles not
supported: tenant ID required.
GET /users/{user_id}/roles
Also, the term roleRefs was deprecated late in the diablo cycle (AFAIK)
in favor of roles.
-Dolph
On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso l...@woorea.es wrote:
Hi,
In Diablo was:
GET /users/{user_id}/roleRefs
In Essex it is maintained for compatibility reasons. I understand that
this is the obsolete now.
I can find:
PUT DELETE /users/{user_id}/roles/OS-KSADM/{role_id}
How can get all the roles having a user_id?
GET /users/{user_id}/roles (i can't find this on stable/essex)
Returning role list with tenant associated
Another option that would work for me is:
GET /users/{user_id}/tenants
Returning tenant list with role list associated per tenant
When i GET /user/{user_id} i obtain only this info
{user: {name: admin, enabled: true, email: ad...@example.com,
id: ef1e63df85b641d7bf3c575bb8670cef, tenantId: null}}
Regards
--
---
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO CTO
mobile: (+34) 627983344
luis@ luis.gerv...@gmail.comwoorea.es
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone API question
Yes, this is the real issue.
Since /tenants is only valid for the current user (that's X-Auth-Token
dependant)
How can an administrator user list all the tenants a user belongs to?
Another issue i've detected is that endpoints are always dependant on a
service,
may be i'm wrong but for me:
/service/{service_id}/endpoints
is more appropiate than
/endpoints
Dolph, please correct me
Luis
On Thu, May 3, 2012 at 10:12 PM, Everett Toews everett.to...@cybera.cawrote:
I get the same as Luis when trying GET /users/{user_id}/roles on
stable/essex (using devstack). Keystone spits back an
AttributeError: 'UserController' object has no attribute 'get_user_roles'
message instead of a nice 501.
GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more
detail have a look at
http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html
Everett
On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews dolph.math...@gmail.comwrote:
The philosophy in essex is that it's meaningless for a user to have a
role without that role being applied to a tenant, so the call that's
implemented is:
GET /tenants/{tenant_id}/users/{user_id}/roles
Calling this instead should get you an HTTP 501 stating User roles not
supported: tenant ID required.
GET /users/{user_id}/roles
Also, the term roleRefs was deprecated late in the diablo cycle (AFAIK)
in favor of roles.
-Dolph
On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso l...@woorea.es wrote:
Hi,
In Diablo was:
GET /users/{user_id}/roleRefs
In Essex it is maintained for compatibility reasons. I understand that
this is the obsolete now.
I can find:
PUT DELETE /users/{user_id}/roles/OS-KSADM/{role_id}
How can get all the roles having a user_id?
GET /users/{user_id}/roles (i can't find this on stable/essex)
Returning role list with tenant associated
Another option that would work for me is:
GET /users/{user_id}/tenants
Returning tenant list with role list associated per tenant
When i GET /user/{user_id} i obtain only this info
{user: {name: admin, enabled: true, email: ad...@example.com,
id: ef1e63df85b641d7bf3c575bb8670cef, tenantId: null}}
Regards
--
---
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO CTO
mobile: (+34) 627983344
luis@ luis.gerv...@gmail.comwoorea.es
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
--
---
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO CTO
mobile: (+34) 627983344
luis@ luis.gerv...@gmail.comwoorea.es
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone API question
On the keystone admin port the tenants call will list all tenants (provided the
token corresponds to a user who has admin privileges).
- Gabriel
From: openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net
[mailto:openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net] On
Behalf Of Luis Gervaso
Sent: Thursday, May 03, 2012 1:24 PM
To: Everett Toews
Cc: openstack@lists.launchpad.net
Subject: Re: [Openstack] Keystone API question
Yes, this is the real issue.
Since /tenants is only valid for the current user (that's X-Auth-Token
dependant)
How can an administrator user list all the tenants a user belongs to?
Another issue i've detected is that endpoints are always dependant on a service,
may be i'm wrong but for me:
/service/{service_id}/endpoints
is more appropiate than
/endpoints
Dolph, please correct me
Luis
On Thu, May 3, 2012 at 10:12 PM, Everett Toews
everett.to...@cybera.camailto:everett.to...@cybera.ca wrote:
I get the same as Luis when trying GET /users/{user_id}/roles on stable/essex
(using devstack). Keystone spits back an
AttributeError: 'UserController' object has no attribute 'get_user_roles'
message instead of a nice 501.
GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more
detail have a look at
http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html
Everett
On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews
dolph.math...@gmail.commailto:dolph.math...@gmail.com wrote:
The philosophy in essex is that it's meaningless for a user to have a role
without that role being applied to a tenant, so the call that's implemented is:
GET /tenants/{tenant_id}/users/{user_id}/roles
Calling this instead should get you an HTTP 501 stating User roles not
supported: tenant ID required.
GET /users/{user_id}/roles
Also, the term roleRefs was deprecated late in the diablo cycle (AFAIK) in
favor of roles.
-Dolph
On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso
l...@woorea.esmailto:l...@woorea.es wrote:
Hi,
In Diablo was:
GET /users/{user_id}/roleRefs
In Essex it is maintained for compatibility reasons. I understand that this is
the obsolete now.
I can find:
PUT DELETE /users/{user_id}/roles/OS-KSADM/{role_id}
How can get all the roles having a user_id?
GET /users/{user_id}/roles (i can't find this on stable/essex)
Returning role list with tenant associated
Another option that would work for me is:
GET /users/{user_id}/tenants
Returning tenant list with role list associated per tenant
When i GET /user/{user_id} i obtain only this info
{user: {name: admin, enabled: true, email:
ad...@example.commailto:ad...@example.com, id:
ef1e63df85b641d7bf3c575bb8670cef, tenantId: null}}
Regards
--
---
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO CTO
mobile: (+34) 627983344tel:%28%2B34%29%20627983344
luis@mailto:luis.gerv...@gmail.comwoorea.eshttp://woorea.es/
___
Mailing list: https://launchpad.net/~openstack
Post to :
openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
___
Mailing list: https://launchpad.net/~openstack
Post to :
openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
--
---
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO CTO
mobile: (+34) 627983344
luis@mailto:luis.gerv...@gmail.comwoorea.eshttp://woorea.es/
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone API question
From admin port I want to list the tenants a user (different from the
current user) belongs to.
On Fri, May 4, 2012 at 1:24 AM, Gabriel Hurley gabriel.hur...@nebula.comwrote:
On the keystone admin port the tenants call will list all tenants
(provided the token corresponds to a user who has admin privileges).
** **
**- **Gabriel
** **
*From:*
openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net[mailto:
openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net] *On
Behalf Of *Luis Gervaso
*Sent:* Thursday, May 03, 2012 1:24 PM
*To:* Everett Toews
*Cc:* openstack@lists.launchpad.net
*Subject:* Re: [Openstack] Keystone API question
** **
Yes, this is the real issue.
** **
Since /tenants is only valid for the current user (that's X-Auth-Token
dependant)
** **
How can an administrator user list all the tenants a user belongs to?
** **
Another issue i've detected is that endpoints are always dependant on a
service,
may be i'm wrong but for me:
** **
/service/{service_id}/endpoints
** **
is more appropiate than
** **
/endpoints
** **
Dolph, please correct me
** **
Luis
** **
** **
On Thu, May 3, 2012 at 10:12 PM, Everett Toews everett.to...@cybera.ca
wrote:
I get the same as Luis when trying GET /users/{user_id}/roles on
stable/essex (using devstack). Keystone spits back an
** **
AttributeError: 'UserController' object has no attribute 'get_user_roles'*
***
** **
message instead of a nice 501.
** **
GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more
detail have a look at
** **
http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html
** **
Everett
** **
On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews dolph.math...@gmail.com
wrote:
The philosophy in essex is that it's meaningless for a user to have a role
without that role being applied to a tenant, so the call that's implemented
is:
** **
GET /tenants/{tenant_id}/users/{user_id}/roles
** **
Calling this instead should get you an HTTP 501 stating User roles not
supported: tenant ID required.
** **
GET /users/{user_id}/roles
** **
Also, the term roleRefs was deprecated late in the diablo cycle (AFAIK)
in favor of roles.
** **
-Dolph
** **
On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso l...@woorea.es wrote:
Hi,
** **
In Diablo was:
** **
GET /users/{user_id}/roleRefs
** **
In Essex it is maintained for compatibility reasons. I understand that
this is the obsolete now.
** **
I can find:
** **
PUT DELETE /users/{user_id}/roles/OS-KSADM/{role_id}
** **
How can get all the roles having a user_id?
** **
GET /users/{user_id}/roles (i can't find this on stable/essex)
** **
Returning role list with tenant associated
** **
Another option that would work for me is:
** **
GET /users/{user_id}/tenants
** **
Returning tenant list with role list associated per tenant
** **
** **
When i GET /user/{user_id} i obtain only this info
** **
{user: {name: admin, enabled: true, email: ad...@example.com,
id: ef1e63df85b641d7bf3c575bb8670cef, tenantId: null}}
** **
Regards
** **
--
---
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO CTO
mobile: (+34) 627983344
luis@ luis.gerv...@gmail.comwoorea.es
** **
** **
** **
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
** **
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
** **
** **
--
---
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO CTO
mobile: (+34) 627983344
luis@ luis.gerv...@gmail.comwoorea.es
** **
--
---
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO CTO
mobile: (+34) 627983344
luis@ luis.gerv...@gmail.comwoorea.es
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
[Openstack] Keystone API question
Hi,
In Diablo was:
GET /users/{user_id}/roleRefs
In Essex it is maintained for compatibility reasons. I understand that this
is the obsolete now.
I can find:
PUT DELETE /users/{user_id}/roles/OS-KSADM/{role_id}
How can get all the roles having a user_id?
GET /users/{user_id}/roles (i can't find this on stable/essex)
Returning role list with tenant associated
Another option that would work for me is:
GET /users/{user_id}/tenants
Returning tenant list with role list associated per tenant
When i GET /user/{user_id} i obtain only this info
{user: {name: admin, enabled: true, email: ad...@example.com,
id: ef1e63df85b641d7bf3c575bb8670cef, tenantId: null}}
Regards
--
---
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO CTO
mobile: (+34) 627983344
luis@ luis.gerv...@gmail.comwoorea.es
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone API question
This is what i get. 1 GET http://192.168.1.41:35357/v2.0/users/ef1e63df85b641d7bf3c575bb8670cef/roles 1 X-Auth-Token: secret0 2012-05-03 00:03:55,337 [http-bio-8080-exec-10] INFO api.identity - 2 * LoggingFilter - Response received on thread http-bio-8080-exec-10 2 500 2 Connection: close 2 Content-Length: 5500 2 Content-Type: text/plain 2 Date: Mon, 26 Mar 2012 06:39:34 GMT Traceback (most recent call last): File /usr/lib/python2.7/dist-packages/eventlet/wsgi.py, line 336, in handle_one_response result = self.application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/paste/urlmap.py, line 203, in __call__ return app(environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 147, in __call__ resp = self.call_func(req, *args, **self.kwargs) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 208, in call_func return self.func(req, *args, **kwargs) File /opt/stack/keystone/keystone/common/wsgi.py, line 299, in __call__ response = request.get_response(self.application) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1053, in get_response application, catch_exc_info=False) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1022, in call_application app_iter = application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 147, in __call__ resp = self.call_func(req, *args, **self.kwargs) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 208, in call_func return self.func(req, *args, **kwargs) File /opt/stack/keystone/keystone/common/wsgi.py, line 299, in __call__ response = request.get_response(self.application) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1053, in get_response application, catch_exc_info=False) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1022, in call_application app_iter = application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 147, in __call__ resp = self.call_func(req, *args, **self.kwargs) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 208, in call_func return self.func(req, *args, **kwargs) File /opt/stack/keystone/keystone/common/wsgi.py, line 299, in __call__ response = request.get_response(self.application) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1053, in get_response application, catch_exc_info=False) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1022, in call_application app_iter = application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 147, in __call__ resp = self.call_func(req, *args, **self.kwargs) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 208, in call_func return self.func(req, *args, **kwargs) File /opt/stack/keystone/keystone/common/wsgi.py, line 299, in __call__ response = request.get_response(self.application) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1053, in get_response application, catch_exc_info=False) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1022, in call_application app_iter = application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 147, in __call__ resp = self.call_func(req, *args, **self.kwargs) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 208, in call_func return self.func(req, *args, **kwargs) File /opt/stack/keystone/keystone/common/wsgi.py, line 322, in __call__ resp = req.get_response(self.application) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1053, in get_response application, catch_exc_info=False) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1022, in call_application app_iter = application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 159, in __call__ return resp(environ, start_response) File /usr/lib/pymodules/python2.7/routes/middleware.py, line 131, in __call__ response = self.app(environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 159, in __call__ return resp(environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 159, in __call__ return resp(environ, start_response) File /usr/lib/pymodules/python2.7/routes/middleware.py, line 131, in __call__ response = self.app(environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 159, in __call__ return resp(environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 159, in __call__ return resp(environ, start_response) File /usr/lib/pymodules/python2.7/routes/middleware.py, line 131, in __call__ response = self.app(environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 159, in __call__ return resp(environ,
