OpenStack APIs and Admin User
We are using OpenStack Folsom REST APIs to collect instance, tenant and environment related information. The challenge we are having is that there is no super-admin type user for the APIs to give us all the information we need. As a workaround we have to follow these steps to achieve what we want:
- We add the OpenStack admin user to every single tenant in the environment and give him the admin role (this is done through OpenStack's Horizon UI).
- We use the OpenStack admin user and Keystone's admin-token (found in keystone config file) to extract all users and tenants within the environment (by calling the keystone admin API).
- Then for each tenant we authenticate using OpenStack's admin user to get detailed tenant/instance level information.
As you can see, this workaround involves some hacking. So, we are wondering if there is a better way of doing this. We expected the admin user to be able to access the same information through the REST APIs that he could access through OpenStack's Horizon UI, but this doesn't seem to be the case. For example, the admin user can see all tenants through the UI, but only the ones he is a member of through the REST APIs.
UPDATE:
Some more details on what I've tried in order to get the list of all tenants in an OpenStack installation.
These scenarios were tried with the "admin" user, who is able to see all tenants, instances, ... through the OpenStack dashboard. I tried these scenarios on three different OpenStack installations, and they all behaved the same way.
Scenario 1. Using the public URL:
- I authenticate to http://[ip]:5000/v2.0/tokens with "admin" user. The body is {"auth":{"passwordCredentials":{"username": "admin","password":"[password]"}}}
- Once the token is returned I use it to make a call to http://[ip]:5000/v2.0/tenants. This does not return tenants that "admin" is not a member of; it returns only the ones "admin" belongs to.
- I retry step 2 with ?all_tenants=1, but the result is the same.
Scenario 2. Using the admin URL:
- I authenticate to http://[ip]:35357/v2.0/tokens with "admin" user. The body is {"auth":{"passwordCredentials":{"username": "admin","password":"[password]"}}}
- Once the token is returned I use it to make a call to http://[ip]:35357/v2.0/tenants. It returns with an error message: { "error": { "message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized" } }
- I retry step 2 with ?all_tenants=1, but the result is the same (the error above).
Just in case, here is the output of authentication:
    {
        "access": {
            "token": {
                "expires": "2013-04-11T15:24:54Z",
                "id": "95fb2a3921554cc9abd74d88468d9b32"
            },
            "serviceCatalog": [],
            "user": {
                "username": "admin",
                "roles_links": [],
                "id": "61d77b68420f4f7889c5efaad3edcb7b",
                "roles": [],
                "name": "admin"
            }
        }
    }
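
Added example, not part of the original post: a small checker that reads a Keystone v2.0 token response and reports whether the token is tenant-scoped and which roles it carries. In the v2.0 API a token requested without `tenantName` or `tenantId` is unscoped, which is what the posted response shows (no `token.tenant`, empty `roles`, empty `serviceCatalog`). The scoped sample and the function names are constructed for illustration, and the role name `admin` in the policy check is an assumption about the deployment.

```python
import json

# The auth response from the post above (POST /v2.0/tokens, no tenant given).
POSTED = json.loads("""
{"access": {"token": {"expires": "2013-04-11T15:24:54Z",
                      "id": "95fb2a3921554cc9abd74d88468d9b32"},
            "serviceCatalog": [],
            "user": {"username": "admin", "roles_links": [],
                     "id": "61d77b68420f4f7889c5efaad3edcb7b",
                     "roles": [], "name": "admin"}}}
""")

# Constructed sample of a tenant-scoped response; all values are placeholders.
SCOPED_SAMPLE = {"access": {
    "token": {"expires": "2013-04-11T15:24:54Z", "id": "TOKEN_PLACEHOLDER",
              "tenant": {"id": "TENANT_ID_PLACEHOLDER", "name": "admin"}},
    "serviceCatalog": [{"type": "identity", "name": "keystone",
                        "endpoints": []}],
    "user": {"username": "admin", "id": "USER_ID_PLACEHOLDER",
             "roles": [{"name": "admin"}], "name": "admin"}}}


def describe_token(response):
    """Summarise what a Keystone v2.0 token response is scoped to."""
    access = response["access"]
    tenant = access["token"].get("tenant")  # only present on scoped tokens
    return {
        "scoped": tenant is not None,
        "tenant": tenant["name"] if tenant else None,
        "roles": sorted(r["name"] for r in access["user"].get("roles", [])),
        "catalog_entries": len(access.get("serviceCatalog", [])),
    }


def scoped_auth_body(username, password, tenant_name):
    """Build a v2.0 auth request that asks for a tenant-scoped token."""
    return {"auth": {"tenantName": tenant_name,
                     "passwordCredentials": {"username": username,
                                             "password": password}}}


def has_admin_role(summary, admin_role="admin"):
    """Assumption: the admin API policy checks for a role named 'admin'."""
    return summary["scoped"] and admin_role in summary["roles"]


if __name__ == "__main__":
    for label, resp in (("posted", POSTED), ("scoped sample", SCOPED_SAMPLE)):
        info = describe_token(resp)
        print(label, info, "admin role on token:", has_admin_role(info))
```

Running the same check on each token before calling the admin endpoint also shows exactly which tenant and roles a collection script is operating with.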