Re: [Openstack] [Keystone] API Question
As a non admin user. Querying the keystone v2 API is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing? -Matt ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] API Question
On 07/17/2012 03:47 PM, Matt Joyce wrote: As a non admin user. Querying the keystone v2 API is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing? -Matt I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user and there does not seem to be a route set up that calls that. ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] API Question
On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com wrote: On 07/17/2012 03:47 PM, Matt Joyce wrote: As a non admin user. Querying the keystone v2 API is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing? -Matt I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user and there does not seem to be a route set up that calls that. 8( --- sad panda face. That would have been a very useful call for me right now. I hope we have something by folsom ( albeit s/tenant/project/ig ) -Matt ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] API Question
On 07/17/2012 03:55 PM, Matt Joyce wrote: On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com mailto:ayo...@redhat.com wrote: On 07/17/2012 03:47 PM, Matt Joyce wrote: As a non admin user. Querying the keystone v2 API is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing? -Matt I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user and there does not seem to be a route set up that calls that. 8( --- sad panda face. That would have been a very useful call for me right now. I hope we have something by folsom ( albeit s/tenant/project/ig ) -Matt You can try this one out: https://github.com/admiyo/keystone/commit/997f9cb76fa908afebf434bef4905add085823ca ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] API Question
curl -H X-Auth-Token:123456789001234 http://localhost:5000/v2.0/tenants that seems to do the trick for me for now. On Tue, Jul 17, 2012 at 1:03 PM, Adam Young ayo...@redhat.com wrote: On 07/17/2012 03:55 PM, Matt Joyce wrote: On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com wrote: On 07/17/2012 03:47 PM, Matt Joyce wrote: As a non admin user. Querying the keystone v2 API is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing? -Matt I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user and there does not seem to be a route set up that calls that. 8( --- sad panda face. That would have been a very useful call for me right now. I hope we have something by folsom ( albeit s/tenant/project/ig ) -Matt You can try this one out: https://github.com/admiyo/keystone/commit/997f9cb76fa908afebf434bef4905add085823ca ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] API Question
On 07/17/2012 04:05 PM, Matt Joyce wrote: curl -H X-Auth-Token:123456789001234http://localhost:5000/v2.0/tenants that seems to do the trick for me for now. Ah, I see that is hooked up to: get_tenants_for_token, I was looking for the wrong API. That then calls: tenant_ids = self.identity_api.get_tenants_for_user(context, user_ref['id']) I'm not sure that this is the right semantics for it, but it looks like it does what you want. On Tue, Jul 17, 2012 at 1:03 PM, Adam Young ayo...@redhat.com mailto:ayo...@redhat.com wrote: On 07/17/2012 03:55 PM, Matt Joyce wrote: On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com mailto:ayo...@redhat.com wrote: On 07/17/2012 03:47 PM, Matt Joyce wrote: As a non admin user. Querying the keystone v2 API is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing? -Matt I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user and there does not seem to be a route set up that calls that. 8( --- sad panda face. That would have been a very useful call for me right now. I hope we have something by folsom ( albeit s/tenant/project/ig ) -Matt You can try this one out: https://github.com/admiyo/keystone/commit/997f9cb76fa908afebf434bef4905add085823ca ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] API Question
Adam speaks lies ;) Here's a regular user requesting a list of tenants on port 5000 (notice they only get back 1 tenant): GET http://localhost:5000/v2.0/tenants == X-Auth-Token: a6094f62e38c4fafa57e6edf7bd04961 200 OK == Status: 200 Content-Length: 133 Content-Location: http://localhost:5000/v2.0/tenants Vary: X-Auth-Token Date: Tue, 17 Jul 2012 20:49:16 GMT Content-Type: application/json { tenants: [ { enabled: true, description: null, name: my-project, id: 2cf2efb1da5c4d5b8c97d8055ff3b5d8 } ], tenants_links: [] } Here's an admin API call for all tenants in the system (notice there is an additional tenant the above user did not have access to): GET http://localhost:35357/v2.0/tenants === X-Auth-Token: ADMIN 200 OK == Status: 200 Content-Length: 236 Content-Location: http://localhost:35357/v2.0/tenants Vary: X-Auth-Token Date: Tue, 17 Jul 2012 20:49:22 GMT Content-Type: application/json { tenants: [ { enabled: true, description: null, name: my-project, id: 2cf2efb1da5c4d5b8c97d8055ff3b5d8 }, { enabled: true, description: null, name: project-x, id: 1213c2511f364264b1dfea9a56a225e0 } ], tenants_links: [] } -Dolph On Tue, Jul 17, 2012 at 2:55 PM, Matt Joyce matt.jo...@cloudscaling.comwrote: On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com wrote: On 07/17/2012 03:47 PM, Matt Joyce wrote: As a non admin user. Querying the keystone v2 API is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing? -Matt I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user and there does not seem to be a route set up that calls that. 8( --- sad panda face. That would have been a very useful call for me right now. I hope we have something by folsom ( albeit s/tenant/project/ig ) -Matt ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] API Question
Anyone by any chance know how to read out the auth_token or raw_token that is acquired in keystoneclient when it performs a client.Client() Authenticate? I'd love to be able to read that. And it's totally not documented anywhere if it exists. -Matt On Tue, Jul 17, 2012 at 2:19 PM, Matt Joyce matt.jo...@cloudscaling.comwrote: Works for me. =D On Tue, Jul 17, 2012 at 1:51 PM, Dolph Mathews dolph.math...@gmail.comwrote: Adam speaks lies ;) Here's a regular user requesting a list of tenants on port 5000 (notice they only get back 1 tenant): GET http://localhost:5000/v2.0/tenants == X-Auth-Token: a6094f62e38c4fafa57e6edf7bd04961 200 OK == Status: 200 Content-Length: 133 Content-Location: http://localhost:5000/v2.0/tenants Vary: X-Auth-Token Date: Tue, 17 Jul 2012 20:49:16 GMT Content-Type: application/json { tenants: [ { enabled: true, description: null, name: my-project, id: 2cf2efb1da5c4d5b8c97d8055ff3b5d8 } ], tenants_links: [] } Here's an admin API call for all tenants in the system (notice there is an additional tenant the above user did not have access to): GET http://localhost:35357/v2.0/tenants === X-Auth-Token: ADMIN 200 OK == Status: 200 Content-Length: 236 Content-Location: http://localhost:35357/v2.0/tenants Vary: X-Auth-Token Date: Tue, 17 Jul 2012 20:49:22 GMT Content-Type: application/json { tenants: [ { enabled: true, description: null, name: my-project, id: 2cf2efb1da5c4d5b8c97d8055ff3b5d8 }, { enabled: true, description: null, name: project-x, id: 1213c2511f364264b1dfea9a56a225e0 } ], tenants_links: [] } -Dolph On Tue, Jul 17, 2012 at 2:55 PM, Matt Joyce matt.jo...@cloudscaling.comwrote: On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com wrote: On 07/17/2012 03:47 PM, Matt Joyce wrote: As a non admin user. Querying the keystone v2 API is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing? -Matt I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user and there does not seem to be a route set up that calls that. 8( --- sad panda face. That would have been a very useful call for me right now. I hope we have something by folsom ( albeit s/tenant/project/ig ) -Matt ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] API Question
Not sure if it's documented outside of tests, but: * client.Client().auth_token* from keystoneclient.v2_0 import client c = client.Client(auth_url='http://localhost:5000/v2.0/', username='joe', password='secrete', tenant_name='project-x') print c.auth_token ec04fe9e554a43d1a853e6c665f3e9b2 -Dolph On Tue, Jul 17, 2012 at 5:06 PM, Matt Joyce matt.jo...@cloudscaling.comwrote: Anyone by any chance know how to read out the auth_token or raw_token that is acquired in keystoneclient when it performs a client.Client() Authenticate? I'd love to be able to read that. And it's totally not documented anywhere if it exists. -Matt On Tue, Jul 17, 2012 at 2:19 PM, Matt Joyce matt.jo...@cloudscaling.comwrote: Works for me. =D On Tue, Jul 17, 2012 at 1:51 PM, Dolph Mathews dolph.math...@gmail.comwrote: Adam speaks lies ;) Here's a regular user requesting a list of tenants on port 5000 (notice they only get back 1 tenant): GET http://localhost:5000/v2.0/tenants == X-Auth-Token: a6094f62e38c4fafa57e6edf7bd04961 200 OK == Status: 200 Content-Length: 133 Content-Location: http://localhost:5000/v2.0/tenants Vary: X-Auth-Token Date: Tue, 17 Jul 2012 20:49:16 GMT Content-Type: application/json { tenants: [ { enabled: true, description: null, name: my-project, id: 2cf2efb1da5c4d5b8c97d8055ff3b5d8 } ], tenants_links: [] } Here's an admin API call for all tenants in the system (notice there is an additional tenant the above user did not have access to): GET http://localhost:35357/v2.0/tenants === X-Auth-Token: ADMIN 200 OK == Status: 200 Content-Length: 236 Content-Location: http://localhost:35357/v2.0/tenants Vary: X-Auth-Token Date: Tue, 17 Jul 2012 20:49:22 GMT Content-Type: application/json { tenants: [ { enabled: true, description: null, name: my-project, id: 2cf2efb1da5c4d5b8c97d8055ff3b5d8 }, { enabled: true, description: null, name: project-x, id: 1213c2511f364264b1dfea9a56a225e0 } ], tenants_links: [] } -Dolph On Tue, Jul 17, 2012 at 2:55 PM, Matt Joyce matt.jo...@cloudscaling.com wrote: On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com wrote: On 07/17/2012 03:47 PM, Matt Joyce wrote: As a non admin user. Querying the keystone v2 API is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing? -Matt I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user and there does not seem to be a route set up that calls that. 8( --- sad panda face. That would have been a very useful call for me right now. I hope we have something by folsom ( albeit s/tenant/project/ig ) -Matt ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] [Keystone] API Question
On 07/17/2012 06:06 PM, Matt Joyce wrote: Anyone by any chance know how to read out the auth_token or raw_token that is acquired in keystoneclient when it performs a client.Client() Authenticate? The token is just a UUID, randomly generated. In the PKI proposal, it is a base64 encoding of a Signed document in CMS format. I'd love to be able to read that. And it's totally not documented anywhere if it exists. -Matt On Tue, Jul 17, 2012 at 2:19 PM, Matt Joyce matt.jo...@cloudscaling.com mailto:matt.jo...@cloudscaling.com wrote: Works for me. =D On Tue, Jul 17, 2012 at 1:51 PM, Dolph Mathews dolph.math...@gmail.com mailto:dolph.math...@gmail.com wrote: Adam speaks lies ;) Here's a regular user requesting a list of tenants on port 5000 (notice they only get back 1 tenant): GET http://localhost:5000/v2.0/tenants == X-Auth-Token: a6094f62e38c4fafa57e6edf7bd04961 200 OK == Status: 200 Content-Length: 133 Content-Location: http://localhost:5000/v2.0/tenants Vary: X-Auth-Token Date: Tue, 17 Jul 2012 20:49:16 GMT Content-Type: application/json { tenants: [ { enabled: true, description: null, name: my-project, id: 2cf2efb1da5c4d5b8c97d8055ff3b5d8 } ], tenants_links: [] } Here's an admin API call for all tenants in the system (notice there is an additional tenant the above user did not have access to): GET http://localhost:35357/v2.0/tenants === X-Auth-Token: ADMIN 200 OK == Status: 200 Content-Length: 236 Content-Location: http://localhost:35357/v2.0/tenants Vary: X-Auth-Token Date: Tue, 17 Jul 2012 20:49:22 GMT Content-Type: application/json { tenants: [ { enabled: true, description: null, name: my-project, id: 2cf2efb1da5c4d5b8c97d8055ff3b5d8 }, { enabled: true, description: null, name: project-x, id: 1213c2511f364264b1dfea9a56a225e0 } ], tenants_links: [] } -Dolph On Tue, Jul 17, 2012 at 2:55 PM, Matt Joyce matt.jo...@cloudscaling.com mailto:matt.jo...@cloudscaling.com wrote: On Tue, Jul 17, 2012 at 12:55 PM, Adam Young ayo...@redhat.com mailto:ayo...@redhat.com wrote: On 07/17/2012 03:47 PM, Matt Joyce wrote: As a non admin user. Querying the keystone v2 API is there a way for me to get a list of the tenants that I am a member of? Or is that only a v3 thing? -Matt I was just looking into it, and there is no such API yet. The underlying Identity provider call is get_tenants_for_user and there does not seem to be a route set up that calls that. 8( --- sad panda face. That would have been a very useful call for me right now. I hope we have something by folsom ( albeit s/tenant/project/ig ) -Matt ___ Mailing list: https://launchpad.net/~openstack https://launchpad.net/%7Eopenstack Post to : openstack@lists.launchpad.net mailto:openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack https://launchpad.net/%7Eopenstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone API question
Replied inline. On Thu, May 3, 2012 at 3:23 PM, Luis Gervaso l...@woorea.es wrote: Yes, this is the real issue. Since /tenants is only valid for the current user (that's X-Auth-Token dependant) Correct. How can an administrator user list all the tenants a user belongs to? In the current API, I'm only aware of the opposite call: GET /tenants/{tenant_id}/users Another issue i've detected is that endpoints are always dependant on a service, may be i'm wrong but for me: /service/{service_id}/endpoints is more appropiate than /endpoints We had a brief discussion on this topic at the summit in the v.NEXT API talk, and Joseph Heck followed up with an email on the list regarding use cases of the service catalog: http://www.mail-archive.com/openstack@lists.launchpad.net/msg10194.html I think the direction of that discussion should answer your question :) Dolph, please correct me Luis On Thu, May 3, 2012 at 10:12 PM, Everett Toews everett.to...@cybera.cawrote: I get the same as Luis when trying GET /users/{user_id}/roles on stable/essex (using devstack). Keystone spits back an AttributeError: 'UserController' object has no attribute 'get_user_roles' message instead of a nice 501. GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more detail have a look at http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html Everett On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews dolph.math...@gmail.comwrote: The philosophy in essex is that it's meaningless for a user to have a role without that role being applied to a tenant, so the call that's implemented is: GET /tenants/{tenant_id}/users/{user_id}/roles Calling this instead should get you an HTTP 501 stating User roles not supported: tenant ID required. GET /users/{user_id}/roles Also, the term roleRefs was deprecated late in the diablo cycle (AFAIK) in favor of roles. -Dolph On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso l...@woorea.es wrote: Hi, In Diablo was: GET /users/{user_id}/roleRefs In Essex it is maintained for compatibility reasons. I understand that this is the obsolete now. I can find: PUT DELETE /users/{user_id}/roles/OS-KSADM/{role_id} How can get all the roles having a user_id? GET /users/{user_id}/roles (i can't find this on stable/essex) Returning role list with tenant associated Another option that would work for me is: GET /users/{user_id}/tenants Returning tenant list with role list associated per tenant When i GET /user/{user_id} i obtain only this info {user: {name: admin, enabled: true, email: ad...@example.com, id: ef1e63df85b641d7bf3c575bb8670cef, tenantId: null}} Regards -- --- Luis Alberto Gervaso Martin Woorea Solutions, S.L CEO CTO mobile: (+34) 627983344 luis@ luis.gerv...@gmail.comwoorea.es ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- --- Luis Alberto Gervaso Martin Woorea Solutions, S.L CEO CTO mobile: (+34) 627983344 luis@ luis.gerv...@gmail.comwoorea.es ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone API question
Hi Luis, I'm digging around in the Keystone code right now and helping answer your questions is helping me learn the code base. Keep 'em coming! Anyway, from what I can tell, you're correct that there's no general way to get all of the tenants that a user belongs to in the current high level API. However, there is already support for exactly this feature in the lower level API. In [1] you'll see that the Driver object has the method get_tenants_for_user. This method is implemented in all of the backends in [2] so there's support for it everywhere, it just hasn't been exposed in the high level API. Looking closer at [1] we see the comment, # NOTE(termie): seven calls below should probably be exposed by the api # more clearly when the api redesign happens which includes the method get_tenants_for_user. Looks like it's just a matter of adding this method to one of the Routers to make it available in the REST API. My advice to you is to track down termie and find out what the story is with the API redesign he mentions. Of course, you could always propose a blueprint to [3] and make the method available yourself ;) Hope this helps, Everett [1] https://github.com/openstack/keystone/blob/master/keystone/identity/core.py [2] https://github.com/openstack/keystone/tree/master/keystone/identity/backends [3] https://blueprints.launchpad.net/keystone On Thu, May 3, 2012 at 5:27 PM, Luis Gervaso l...@woorea.es wrote: From admin port I want to list the tenants a user (different from the current user) belongs to. On Fri, May 4, 2012 at 1:24 AM, Gabriel Hurley gabriel.hur...@nebula.comwrote: On the keystone admin port the tenants call will list all tenants (provided the token corresponds to a user who has admin privileges). ** ** **- **Gabriel ** ** *From:* openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net[mailto: openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net] *On Behalf Of *Luis Gervaso *Sent:* Thursday, May 03, 2012 1:24 PM *To:* Everett Toews *Cc:* openstack@lists.launchpad.net *Subject:* Re: [Openstack] Keystone API question ** ** Yes, this is the real issue. ** ** Since /tenants is only valid for the current user (that's X-Auth-Token dependant) ** ** How can an administrator user list all the tenants a user belongs to? ** ** Another issue i've detected is that endpoints are always dependant on a service, may be i'm wrong but for me: ** ** /service/{service_id}/endpoints ** ** is more appropiate than ** ** /endpoints ** ** Dolph, please correct me ** ** Luis ** ** ** ** On Thu, May 3, 2012 at 10:12 PM, Everett Toews everett.to...@cybera.ca wrote: I get the same as Luis when trying GET /users/{user_id}/roles on stable/essex (using devstack). Keystone spits back an ** ** AttributeError: 'UserController' object has no attribute 'get_user_roles' ** ** message instead of a nice 501. ** ** GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more detail have a look at ** ** http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html ** ** Everett ** ** On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews dolph.math...@gmail.com wrote: The philosophy in essex is that it's meaningless for a user to have a role without that role being applied to a tenant, so the call that's implemented is: ** ** GET /tenants/{tenant_id}/users/{user_id}/roles ** ** Calling this instead should get you an HTTP 501 stating User roles not supported: tenant ID required. ** ** GET /users/{user_id}/roles ** ** Also, the term roleRefs was deprecated late in the diablo cycle (AFAIK) in favor of roles. ** ** -Dolph ** ** On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso l...@woorea.es wrote: Hi, ** ** In Diablo was: ** ** GET /users/{user_id}/roleRefs ** ** In Essex it is maintained for compatibility reasons. I understand that this is the obsolete now. ** ** I can find: ** ** PUT DELETE /users/{user_id}/roles/OS-KSADM/{role_id} ** ** How can get all the roles having a user_id? ** ** GET /users/{user_id}/roles (i can't find this on stable/essex) ** ** Returning role list with tenant associated ** ** Another option that would work for me is: ** ** GET /users/{user_id}/tenants ** ** Returning tenant list with role list associated per tenant ** ** ** ** When i GET /user/{user_id} i obtain only this info ** ** {user: {name: admin, enabled: true, email: ad...@example.com, id: ef1e63df85b641d7bf3c575bb8670cef, tenantId: null}} ** ** Regards
Re: [Openstack] Keystone API question
Hi Everett, I just uploaded a video showing all the issues i found: http://youtu.be/TXw7h9Kl-Ow As you can show, I can't drill down to roles related info from user if i haven't selected a tenant or the user does not have a default tenantId From administrative tasks should be useful list tenants from userId (not only from X-AuthToken), so I hope this to be included in the ws api sooner or later ;) Note : This is using OpenStack Java SDK On Fri, May 4, 2012 at 6:51 PM, Everett Toews everett.to...@cybera.cawrote: Hi Luis, I'm digging around in the Keystone code right now and helping answer your questions is helping me learn the code base. Keep 'em coming! Anyway, from what I can tell, you're correct that there's no general way to get all of the tenants that a user belongs to in the current high level API. However, there is already support for exactly this feature in the lower level API. In [1] you'll see that the Driver object has the method get_tenants_for_user. This method is implemented in all of the backends in [2] so there's support for it everywhere, it just hasn't been exposed in the high level API. Looking closer at [1] we see the comment, # NOTE(termie): seven calls below should probably be exposed by the api # more clearly when the api redesign happens which includes the method get_tenants_for_user. Looks like it's just a matter of adding this method to one of the Routers to make it available in the REST API. My advice to you is to track down termie and find out what the story is with the API redesign he mentions. Of course, you could always propose a blueprint to [3] and make the method available yourself ;) Hope this helps, Everett [1] https://github.com/openstack/keystone/blob/master/keystone/identity/core.py [2] https://github.com/openstack/keystone/tree/master/keystone/identity/backends [3] https://blueprints.launchpad.net/keystone On Thu, May 3, 2012 at 5:27 PM, Luis Gervaso l...@woorea.es wrote: From admin port I want to list the tenants a user (different from the current user) belongs to. On Fri, May 4, 2012 at 1:24 AM, Gabriel Hurley gabriel.hur...@nebula.com wrote: On the keystone admin port the tenants call will list all tenants (provided the token corresponds to a user who has admin privileges). ** ** **- **Gabriel ** ** *From:* openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net[mailto: openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net] *On Behalf Of *Luis Gervaso *Sent:* Thursday, May 03, 2012 1:24 PM *To:* Everett Toews *Cc:* openstack@lists.launchpad.net *Subject:* Re: [Openstack] Keystone API question ** ** Yes, this is the real issue. ** ** Since /tenants is only valid for the current user (that's X-Auth-Token dependant) ** ** How can an administrator user list all the tenants a user belongs to?*** * ** ** Another issue i've detected is that endpoints are always dependant on a service, may be i'm wrong but for me: ** ** /service/{service_id}/endpoints ** ** is more appropiate than ** ** /endpoints ** ** Dolph, please correct me ** ** Luis ** ** ** ** On Thu, May 3, 2012 at 10:12 PM, Everett Toews everett.to...@cybera.ca wrote: I get the same as Luis when trying GET /users/{user_id}/roles on stable/essex (using devstack). Keystone spits back an ** ** AttributeError: 'UserController' object has no attribute 'get_user_roles' ** ** message instead of a nice 501. ** ** GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more detail have a look at ** ** http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html ** ** Everett ** ** On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews dolph.math...@gmail.com wrote: The philosophy in essex is that it's meaningless for a user to have a role without that role being applied to a tenant, so the call that's implemented is: ** ** GET /tenants/{tenant_id}/users/{user_id}/roles ** ** Calling this instead should get you an HTTP 501 stating User roles not supported: tenant ID required. ** ** GET /users/{user_id}/roles ** ** Also, the term roleRefs was deprecated late in the diablo cycle (AFAIK) in favor of roles. ** ** -Dolph ** ** On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso l...@woorea.es wrote: Hi, ** ** In Diablo was: ** ** GET /users/{user_id}/roleRefs ** ** In Essex it is maintained for compatibility reasons. I understand that this is the obsolete now. ** ** I can find: ** ** PUT DELETE /users/{user_id}/roles/OS-KSADM/{role_id} ** ** How can get all the roles having a user_id? ** ** GET /users
Re: [Openstack] Keystone API question
On 05/03/2012 12:06 AM, Luis Gervaso wrote: This is what i get. 1 GET http://192.168.1.41:35357/v2.0/users/ef1e63df85b641d7bf3c575bb8670cef/roles 1 X-Auth-Token: secret0 2012-05-03 00:03:55,337 [http-bio-8080-exec-10] INFO api.identity - 2 * LoggingFilter - Response received on thread http-bio-8080-exec-10 2 500 2 Connection: close 2 Content-Length: 5500 2 Content-Type: text/plain 2 Date: Mon, 26 Mar 2012 06:39:34 GMT Traceback (most recent call last): File /usr/lib/python2.7/dist-packages/eventlet/wsgi.py, line 336, in handle_one_response result = self.application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/paste/urlmap.py, line 203, in __call__ return app(environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 147, in __call__ resp = self.call_func(req, *args, **self.kwargs) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 208, in call_func return self.func(req, *args, **kwargs) File /opt/stack/keystone/keystone/common/wsgi.py, line 299, in __call__ response = request.get_response(self.application) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1053, in get_response application, catch_exc_info=False) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1022, in call_application app_iter = application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 147, in __call__ resp = self.call_func(req, *args, **self.kwargs) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 208, in call_func return self.func(req, *args, **kwargs) File /opt/stack/keystone/keystone/common/wsgi.py, line 299, in __call__ response = request.get_response(self.application) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1053, in get_response application, catch_exc_info=False) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1022, in call_application app_iter = application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 147, in __call__ resp = self.call_func(req, *args, **self.kwargs) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 208, in call_func return self.func(req, *args, **kwargs) File /opt/stack/keystone/keystone/common/wsgi.py, line 299, in __call__ response = request.get_response(self.application) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1053, in get_response application, catch_exc_info=False) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1022, in call_application app_iter = application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 147, in __call__ resp = self.call_func(req, *args, **self.kwargs) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 208, in call_func return self.func(req, *args, **kwargs) File /opt/stack/keystone/keystone/common/wsgi.py, line 299, in __call__ response = request.get_response(self.application) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1053, in get_response application, catch_exc_info=False) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1022, in call_application app_iter = application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 147, in __call__ resp = self.call_func(req, *args, **self.kwargs) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 208, in call_func return self.func(req, *args, **kwargs) File /opt/stack/keystone/keystone/common/wsgi.py, line 322, in __call__ resp = req.get_response(self.application) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1053, in get_response application, catch_exc_info=False) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1022, in call_application app_iter = application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 159, in __call__ return resp(environ, start_response) File /usr/lib/pymodules/python2.7/routes/middleware.py, line 131, in __call__ response = self.app(environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 159, in __call__ return resp(environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 159, in __call__ return resp(environ, start_response) File /usr/lib/pymodules/python2.7/routes/middleware.py, line 131, in __call__ response = self.app(environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 159, in __call__ return resp(environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 159, in __call__ return resp(environ, start_response) File /usr/lib/pymodules/python2.7/routes/middleware.py, line 131, in __call__ response = self.app(environ,
Re: [Openstack] Keystone API question
The philosophy in essex is that it's meaningless for a user to have a role without that role being applied to a tenant, so the call that's implemented is: GET /tenants/{tenant_id}/users/{user_id}/roles Calling this instead should get you an HTTP 501 stating User roles not supported: tenant ID required. GET /users/{user_id}/roles Also, the term roleRefs was deprecated late in the diablo cycle (AFAIK) in favor of roles. -Dolph On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso l...@woorea.es wrote: Hi, In Diablo was: GET /users/{user_id}/roleRefs In Essex it is maintained for compatibility reasons. I understand that this is the obsolete now. I can find: PUT DELETE /users/{user_id}/roles/OS-KSADM/{role_id} How can get all the roles having a user_id? GET /users/{user_id}/roles (i can't find this on stable/essex) Returning role list with tenant associated Another option that would work for me is: GET /users/{user_id}/tenants Returning tenant list with role list associated per tenant When i GET /user/{user_id} i obtain only this info {user: {name: admin, enabled: true, email: ad...@example.com, id: ef1e63df85b641d7bf3c575bb8670cef, tenantId: null}} Regards -- --- Luis Alberto Gervaso Martin Woorea Solutions, S.L CEO CTO mobile: (+34) 627983344 luis@ luis.gerv...@gmail.comwoorea.es ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone API question
I get the same as Luis when trying GET /users/{user_id}/roles on stable/essex (using devstack). Keystone spits back an AttributeError: 'UserController' object has no attribute 'get_user_roles' message instead of a nice 501. GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more detail have a look at http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html Everett On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews dolph.math...@gmail.comwrote: The philosophy in essex is that it's meaningless for a user to have a role without that role being applied to a tenant, so the call that's implemented is: GET /tenants/{tenant_id}/users/{user_id}/roles Calling this instead should get you an HTTP 501 stating User roles not supported: tenant ID required. GET /users/{user_id}/roles Also, the term roleRefs was deprecated late in the diablo cycle (AFAIK) in favor of roles. -Dolph On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso l...@woorea.es wrote: Hi, In Diablo was: GET /users/{user_id}/roleRefs In Essex it is maintained for compatibility reasons. I understand that this is the obsolete now. I can find: PUT DELETE /users/{user_id}/roles/OS-KSADM/{role_id} How can get all the roles having a user_id? GET /users/{user_id}/roles (i can't find this on stable/essex) Returning role list with tenant associated Another option that would work for me is: GET /users/{user_id}/tenants Returning tenant list with role list associated per tenant When i GET /user/{user_id} i obtain only this info {user: {name: admin, enabled: true, email: ad...@example.com, id: ef1e63df85b641d7bf3c575bb8670cef, tenantId: null}} Regards -- --- Luis Alberto Gervaso Martin Woorea Solutions, S.L CEO CTO mobile: (+34) 627983344 luis@ luis.gerv...@gmail.comwoorea.es ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone API question
Yes, this is the real issue. Since /tenants is only valid for the current user (that's X-Auth-Token dependant) How can an administrator user list all the tenants a user belongs to? Another issue i've detected is that endpoints are always dependant on a service, may be i'm wrong but for me: /service/{service_id}/endpoints is more appropiate than /endpoints Dolph, please correct me Luis On Thu, May 3, 2012 at 10:12 PM, Everett Toews everett.to...@cybera.cawrote: I get the same as Luis when trying GET /users/{user_id}/roles on stable/essex (using devstack). Keystone spits back an AttributeError: 'UserController' object has no attribute 'get_user_roles' message instead of a nice 501. GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more detail have a look at http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html Everett On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews dolph.math...@gmail.comwrote: The philosophy in essex is that it's meaningless for a user to have a role without that role being applied to a tenant, so the call that's implemented is: GET /tenants/{tenant_id}/users/{user_id}/roles Calling this instead should get you an HTTP 501 stating User roles not supported: tenant ID required. GET /users/{user_id}/roles Also, the term roleRefs was deprecated late in the diablo cycle (AFAIK) in favor of roles. -Dolph On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso l...@woorea.es wrote: Hi, In Diablo was: GET /users/{user_id}/roleRefs In Essex it is maintained for compatibility reasons. I understand that this is the obsolete now. I can find: PUT DELETE /users/{user_id}/roles/OS-KSADM/{role_id} How can get all the roles having a user_id? GET /users/{user_id}/roles (i can't find this on stable/essex) Returning role list with tenant associated Another option that would work for me is: GET /users/{user_id}/tenants Returning tenant list with role list associated per tenant When i GET /user/{user_id} i obtain only this info {user: {name: admin, enabled: true, email: ad...@example.com, id: ef1e63df85b641d7bf3c575bb8670cef, tenantId: null}} Regards -- --- Luis Alberto Gervaso Martin Woorea Solutions, S.L CEO CTO mobile: (+34) 627983344 luis@ luis.gerv...@gmail.comwoorea.es ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- --- Luis Alberto Gervaso Martin Woorea Solutions, S.L CEO CTO mobile: (+34) 627983344 luis@ luis.gerv...@gmail.comwoorea.es ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone API question
On the keystone admin port the tenants call will list all tenants (provided the token corresponds to a user who has admin privileges). - Gabriel From: openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net [mailto:openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net] On Behalf Of Luis Gervaso Sent: Thursday, May 03, 2012 1:24 PM To: Everett Toews Cc: openstack@lists.launchpad.net Subject: Re: [Openstack] Keystone API question Yes, this is the real issue. Since /tenants is only valid for the current user (that's X-Auth-Token dependant) How can an administrator user list all the tenants a user belongs to? Another issue i've detected is that endpoints are always dependant on a service, may be i'm wrong but for me: /service/{service_id}/endpoints is more appropiate than /endpoints Dolph, please correct me Luis On Thu, May 3, 2012 at 10:12 PM, Everett Toews everett.to...@cybera.camailto:everett.to...@cybera.ca wrote: I get the same as Luis when trying GET /users/{user_id}/roles on stable/essex (using devstack). Keystone spits back an AttributeError: 'UserController' object has no attribute 'get_user_roles' message instead of a nice 501. GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more detail have a look at http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html Everett On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews dolph.math...@gmail.commailto:dolph.math...@gmail.com wrote: The philosophy in essex is that it's meaningless for a user to have a role without that role being applied to a tenant, so the call that's implemented is: GET /tenants/{tenant_id}/users/{user_id}/roles Calling this instead should get you an HTTP 501 stating User roles not supported: tenant ID required. GET /users/{user_id}/roles Also, the term roleRefs was deprecated late in the diablo cycle (AFAIK) in favor of roles. -Dolph On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso l...@woorea.esmailto:l...@woorea.es wrote: Hi, In Diablo was: GET /users/{user_id}/roleRefs In Essex it is maintained for compatibility reasons. I understand that this is the obsolete now. I can find: PUT DELETE /users/{user_id}/roles/OS-KSADM/{role_id} How can get all the roles having a user_id? GET /users/{user_id}/roles (i can't find this on stable/essex) Returning role list with tenant associated Another option that would work for me is: GET /users/{user_id}/tenants Returning tenant list with role list associated per tenant When i GET /user/{user_id} i obtain only this info {user: {name: admin, enabled: true, email: ad...@example.commailto:ad...@example.com, id: ef1e63df85b641d7bf3c575bb8670cef, tenantId: null}} Regards -- --- Luis Alberto Gervaso Martin Woorea Solutions, S.L CEO CTO mobile: (+34) 627983344tel:%28%2B34%29%20627983344 luis@mailto:luis.gerv...@gmail.comwoorea.eshttp://woorea.es/ ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.netmailto:openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp -- --- Luis Alberto Gervaso Martin Woorea Solutions, S.L CEO CTO mobile: (+34) 627983344 luis@mailto:luis.gerv...@gmail.comwoorea.eshttp://woorea.es/ ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone API question
From admin port I want to list the tenants a user (different from the current user) belongs to. On Fri, May 4, 2012 at 1:24 AM, Gabriel Hurley gabriel.hur...@nebula.comwrote: On the keystone admin port the tenants call will list all tenants (provided the token corresponds to a user who has admin privileges). ** ** **- **Gabriel ** ** *From:* openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net[mailto: openstack-bounces+gabriel.hurley=nebula@lists.launchpad.net] *On Behalf Of *Luis Gervaso *Sent:* Thursday, May 03, 2012 1:24 PM *To:* Everett Toews *Cc:* openstack@lists.launchpad.net *Subject:* Re: [Openstack] Keystone API question ** ** Yes, this is the real issue. ** ** Since /tenants is only valid for the current user (that's X-Auth-Token dependant) ** ** How can an administrator user list all the tenants a user belongs to? ** ** Another issue i've detected is that endpoints are always dependant on a service, may be i'm wrong but for me: ** ** /service/{service_id}/endpoints ** ** is more appropiate than ** ** /endpoints ** ** Dolph, please correct me ** ** Luis ** ** ** ** On Thu, May 3, 2012 at 10:12 PM, Everett Toews everett.to...@cybera.ca wrote: I get the same as Luis when trying GET /users/{user_id}/roles on stable/essex (using devstack). Keystone spits back an ** ** AttributeError: 'UserController' object has no attribute 'get_user_roles'* *** ** ** message instead of a nice 501. ** ** GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more detail have a look at ** ** http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html ** ** Everett ** ** On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews dolph.math...@gmail.com wrote: The philosophy in essex is that it's meaningless for a user to have a role without that role being applied to a tenant, so the call that's implemented is: ** ** GET /tenants/{tenant_id}/users/{user_id}/roles ** ** Calling this instead should get you an HTTP 501 stating User roles not supported: tenant ID required. ** ** GET /users/{user_id}/roles ** ** Also, the term roleRefs was deprecated late in the diablo cycle (AFAIK) in favor of roles. ** ** -Dolph ** ** On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso l...@woorea.es wrote: Hi, ** ** In Diablo was: ** ** GET /users/{user_id}/roleRefs ** ** In Essex it is maintained for compatibility reasons. I understand that this is the obsolete now. ** ** I can find: ** ** PUT DELETE /users/{user_id}/roles/OS-KSADM/{role_id} ** ** How can get all the roles having a user_id? ** ** GET /users/{user_id}/roles (i can't find this on stable/essex) ** ** Returning role list with tenant associated ** ** Another option that would work for me is: ** ** GET /users/{user_id}/tenants ** ** Returning tenant list with role list associated per tenant ** ** ** ** When i GET /user/{user_id} i obtain only this info ** ** {user: {name: admin, enabled: true, email: ad...@example.com, id: ef1e63df85b641d7bf3c575bb8670cef, tenantId: null}} ** ** Regards ** ** -- --- Luis Alberto Gervaso Martin Woorea Solutions, S.L CEO CTO mobile: (+34) 627983344 luis@ luis.gerv...@gmail.comwoorea.es ** ** ** ** ** ** ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ** ** ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp ** ** ** ** -- --- Luis Alberto Gervaso Martin Woorea Solutions, S.L CEO CTO mobile: (+34) 627983344 luis@ luis.gerv...@gmail.comwoorea.es ** ** -- --- Luis Alberto Gervaso Martin Woorea Solutions, S.L CEO CTO mobile: (+34) 627983344 luis@ luis.gerv...@gmail.comwoorea.es ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
[Openstack] Keystone API question
Hi, In Diablo was: GET /users/{user_id}/roleRefs In Essex it is maintained for compatibility reasons. I understand that this is the obsolete now. I can find: PUT DELETE /users/{user_id}/roles/OS-KSADM/{role_id} How can get all the roles having a user_id? GET /users/{user_id}/roles (i can't find this on stable/essex) Returning role list with tenant associated Another option that would work for me is: GET /users/{user_id}/tenants Returning tenant list with role list associated per tenant When i GET /user/{user_id} i obtain only this info {user: {name: admin, enabled: true, email: ad...@example.com, id: ef1e63df85b641d7bf3c575bb8670cef, tenantId: null}} Regards -- --- Luis Alberto Gervaso Martin Woorea Solutions, S.L CEO CTO mobile: (+34) 627983344 luis@ luis.gerv...@gmail.comwoorea.es ___ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Keystone API question
This is what i get. 1 GET http://192.168.1.41:35357/v2.0/users/ef1e63df85b641d7bf3c575bb8670cef/roles 1 X-Auth-Token: secret0 2012-05-03 00:03:55,337 [http-bio-8080-exec-10] INFO api.identity - 2 * LoggingFilter - Response received on thread http-bio-8080-exec-10 2 500 2 Connection: close 2 Content-Length: 5500 2 Content-Type: text/plain 2 Date: Mon, 26 Mar 2012 06:39:34 GMT Traceback (most recent call last): File /usr/lib/python2.7/dist-packages/eventlet/wsgi.py, line 336, in handle_one_response result = self.application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/paste/urlmap.py, line 203, in __call__ return app(environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 147, in __call__ resp = self.call_func(req, *args, **self.kwargs) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 208, in call_func return self.func(req, *args, **kwargs) File /opt/stack/keystone/keystone/common/wsgi.py, line 299, in __call__ response = request.get_response(self.application) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1053, in get_response application, catch_exc_info=False) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1022, in call_application app_iter = application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 147, in __call__ resp = self.call_func(req, *args, **self.kwargs) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 208, in call_func return self.func(req, *args, **kwargs) File /opt/stack/keystone/keystone/common/wsgi.py, line 299, in __call__ response = request.get_response(self.application) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1053, in get_response application, catch_exc_info=False) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1022, in call_application app_iter = application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 147, in __call__ resp = self.call_func(req, *args, **self.kwargs) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 208, in call_func return self.func(req, *args, **kwargs) File /opt/stack/keystone/keystone/common/wsgi.py, line 299, in __call__ response = request.get_response(self.application) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1053, in get_response application, catch_exc_info=False) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1022, in call_application app_iter = application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 147, in __call__ resp = self.call_func(req, *args, **self.kwargs) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 208, in call_func return self.func(req, *args, **kwargs) File /opt/stack/keystone/keystone/common/wsgi.py, line 299, in __call__ response = request.get_response(self.application) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1053, in get_response application, catch_exc_info=False) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1022, in call_application app_iter = application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 147, in __call__ resp = self.call_func(req, *args, **self.kwargs) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 208, in call_func return self.func(req, *args, **kwargs) File /opt/stack/keystone/keystone/common/wsgi.py, line 322, in __call__ resp = req.get_response(self.application) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1053, in get_response application, catch_exc_info=False) File /usr/lib/python2.7/dist-packages/webob/request.py, line 1022, in call_application app_iter = application(self.environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 159, in __call__ return resp(environ, start_response) File /usr/lib/pymodules/python2.7/routes/middleware.py, line 131, in __call__ response = self.app(environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 159, in __call__ return resp(environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 159, in __call__ return resp(environ, start_response) File /usr/lib/pymodules/python2.7/routes/middleware.py, line 131, in __call__ response = self.app(environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 159, in __call__ return resp(environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 159, in __call__ return resp(environ, start_response) File /usr/lib/pymodules/python2.7/routes/middleware.py, line 131, in __call__ response = self.app(environ, start_response) File /usr/lib/python2.7/dist-packages/webob/dec.py, line 159, in __call__ return resp(environ,