Ask Your Question
3

OpenStack APIs and Admin User

asked 2013-04-08 11:21:51 -0500

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

We are using OpenStack Folsom REST APIs to collect instance, tenant and environment related information. The challenge we are having is that there is no super-admin type user for the APIs to give us all the information we need. As a workaround we have to follow these steps to achieve what we want: - We add the OpenStack admin user to every single tenant in the environment and give him the admin role (this is done through OpenStack's Horizon UI). - We use the OpenStack admin user and Keystone's admin-token (found in keystone config file) to extract all users and tenants within the environment (by calling the keystone admin API). - Then for each tenant we authenticate using OpenStack's admin user to get detailed tenant/instance level information.

As you can see this workaround involves some hacking. So, we are wondering if there is a better way of doing this. We expected the admin user to be able to access the same information through the REST APIs that he could access through the OpenStack's Horizon UI, but this doesn't seem to be the case. For example the admin user can see all tenants through the UI, but only the ones he is a member of through the REST APIs.

UPDATE:

Some more details on what I've tried in order to get the list of all tenants in an OpenStack installation.

These scenarios were tried with "admin" user who is able see all tenants, instances, ... through the OpenStack dashbaord. I tried these scenarios on three different OpenStack installations, and they all behaved the same way.

Scenario 1. Using the public URL:

  1. I authenticate to http://[ip]:5000/v2.0/tokens with "admin" user. The body is {"auth":{"passwordCredentials":{"username": "admin","password":"[password]"}}}
  2. Once the token is returned I use it to make a call to http://[ip]:5000/v2.0/tenants. This does not return tenants "admin" is not a member; and returns only the ones "admin" belongs to.
  3. I retry step 2 with ?all_tenants=1, but The result is the same.

Scenario 2. Using the admin URL:

  1. I authenticate to http://[ip]:35357/v2.0/tokens with "admin" user. The body is {"auth":{"passwordCredentials":{"username": "admin","password":"[password]"}}}
  2. Once the token is returned I use it to make a call to http://[ip]:35357/v2.0/tenants. It returns with an error message: { "error": { "message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized" } }
  3. I retry step 2 with ?all_tenants=1, but The result is the same (the error above).

Just in case, here is the output of authentication:

{
   "access":
   {
       "token":
       {
           "expires": "2013-04-11T15:24:54Z",
           "id": "95fb2a3921554cc9abd74d88468d9b32"
       },
       "serviceCatalog":
       [
       ],
       "user":
       {
           "username": "admin",
           "roles_links":
           [
           ],
           "id": "61d77b68420f4f7889c5efaad3edcb7b",
           "roles":
           [
           ],
           "name": "admin"
       }
   }
}
edit retag flag offensive close merge delete
add a comment

2 answers

Sort by ยป oldest newest most voted
3

answered 2013-04-08 11:45:55 -0500

jpichon gravatar image

updated 2013-04-09 04:20:29 -0500

Many list commands, e.g. nova list, cinder list, have an --all-tenants switch that you can use to list all the resources for all tenants.

Using the CLI clients it's also possible to use a --debug option that shows the details of the curl calls, e.g. nova --debug list --all-tenants shows:

curl -i http://<my_ip>:8774/v2/<my_tenant_id>/servers/detail?all_tenants=1 -X GET -H "X-Auth-Project-Id: demo" -H "Accept: application/json" -H "X-Auth-Token: <my_token>"

I hope this helps.

edit flag offensive delete link more

Comments

Thanks jpichon,

We've been using the REST API list at http://api.openstack.org/api-ref.html. Could you please elaborate on how I can use this "--all-tenants" switch within REST API calls?

Thanks.

vahid gravatar imagevahid ( 2013-04-08 11:58:12 -0500 )edit

I updated my answer with the corresponding curl calls, I hope this helps.

jpichon gravatar imagejpichon ( 2013-04-09 04:21:25 -0500 )edit

jpichon, thank you very much for your clarification. I'll try it out and let you know how it goes.

vahid gravatar imagevahid ( 2013-04-09 10:21:21 -0500 )edit

jpichon, thanks again for the pointer. I was able to get all instances using that switch, even those belonging to a tenant my user is not a member of. However, I have not been able to get the list of all tenants. I've tried with Keystone's both regular and admin APIs, with no luck ...

vahid gravatar imagevahid ( 2013-04-09 16:25:35 -0500 )edit

... My guess is that the switch does not apply to Keystone APIs. If so, any idea how that piece can be achieved? To clarify, I can get only tenants my user (with admin role) is a member of; and I'd like to get all users (similar to how I see them all in the dashboard). Thanks.

vahid gravatar imagevahid ( 2013-04-09 16:28:40 -0500 )edit
see more comments
4

answered 2013-04-11 10:08:33 -0500

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

Thanks to jpichon's help here is how I was able to get the list of all tenants:

  1. Authenticate as "admin" (public URL) with {"auth":{"passwordCredentials":{"username": "admin","password":"[password]"}}} in the request body.
  2. Grab the token and issue a /tenants Keystone call (public URL). This will return the list of all tenants "admin" is a member of.
  3. Authenticate as "admin" (public URL) against each tenant found in previous step until a tenant is found on which "admin" has "admin" role (look for access.user.roles in authentication output).
  4. Grab the token of the authentication against that tenant and issue a /tenants Keystone call (admin URL). This will return all tenants in the OpenStack environment, including those "admin" is not a member of.

Note: These steps can be performed with any user, as long as the user has the "admin" role in at least one tenant. If the user does not belong to any tenant as "admin" you're out of luck.

In order to get all the information from Nova APIs the switch "?all_tenants=1" should be used in the API calls. This switch guarantees that, for example, information about instances of tenants the user does not belong to are included in the output.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2013-04-08 11:21:51 -0500

Seen: 2,977 times

Last updated: Apr 11 '13

Related questions

devstack keystone authentication

HTTP Header Request to Keystone

Is it possible to add SSL to keystone API ?

Rocky keystone: admin role on project is too permissive

block non-admin user to grant admin role

keystone Client returns 401

keystone service-create --name=keystone --type=identity \ > --description="Keystone Identity Service" Expecting an auth URL via either --os-auth-url or env[OS_AUTH_URL] [closed]

glance flavor-keystone not working Need Help!!!

how can I disable SHA1?

endpoints fetching results differs with user's Admin role assigned on None and on a tenant