3

OpenStack APIs and Admin User

asked 2013-04-08 11:21:51 -0600


We are using OpenStack Folsom REST APIs to collect instance, tenant and environment related information. The challenge we are having is that there is no super-admin type user for the APIs to give us all the information we need. As a workaround we have to follow these steps to achieve what we want:

  - We add the OpenStack admin user to every single tenant in the environment and give him the admin role (this is done through OpenStack's Horizon UI).
  - We use the OpenStack admin user and Keystone's admin-token (found in keystone config file) to extract all users and tenants within the environment (by calling the keystone admin API).
  - Then for each tenant we authenticate using OpenStack's admin user to get detailed tenant/instance level information.

As you can see, this workaround involves some hacking. So, we are wondering if there is a better way of doing this. We expected the admin user to be able to access the same information through the REST APIs that he could access through OpenStack's Horizon UI, but this doesn't seem to be the case. For example, the admin user can see all tenants through the UI, but only the ones he is a member of through the REST APIs.

UPDATE:

Some more details on what I've tried in order to get the list of all tenants in an OpenStack installation.

These scenarios were tried with the "admin" user, who is able to see all tenants, instances, ... through the OpenStack dashboard. I tried these scenarios on three different OpenStack installations, and they all behaved the same way.

Scenario 1. Using the public URL:

  1. I authenticate to http://[ip]:5000/v2.0/tokens with "admin" user. The body is {"auth":{"passwordCredentials":{"username": "admin","password":"[password]"}}}
  2. Once the token is returned I use it to make a call to http://[ip]:5000/v2.0/tenants. This does not return tenants "admin" is not a member of; it returns only the ones "admin" belongs to.
  3. I retry step 2 with ?all_tenants=1, but the result is the same.

Scenario 2. Using the admin URL:

  1. I authenticate to http://[ip]:35357/v2.0/tokens with "admin" user. The body is {"auth":{"passwordCredentials":{"username": "admin","password":"[password]"}}}
  2. Once the token is returned I use it to make a call to http://[ip]:35357/v2.0/tenants. It returns with an error message: { "error": { "message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized" } }
  3. I retry step 2 with ?all_tenants=1, but the result is the same (the error above).

Just in case, here is the output of authentication:

{
   "access":
   {
       "token":
       {
           "expires": "2013-04-11T15:24:54Z",
           "id": "95fb2a3921554cc9abd74d88468d9b32"
       },
       "serviceCatalog":
       [
       ],
       "user":
       {
           "username": "admin",
           "roles_links":
           [
           ],
           "id": "61d77b68420f4f7889c5efaad3edcb7b",
           "roles":
           [
           ],
           "name": "admin"
       }
   }
}

2 answers

3

answered 2013-04-08 11:45:55 -0600

jpichon

updated 2013-04-09 04:20:29 -0600

Many list commands, e.g. nova list, cinder list, have an --all-tenants switch that you can use to list all the resources for all tenants.

Using the CLI clients it's also possible to use a --debug option that shows the details of the curl calls, e.g. nova --debug list --all-tenants shows:

curl -i http://<my_ip>:8774/v2/<my_tenant_id>/servers/detail?all_tenants=1 -X GET -H "X-Auth-Project-Id: demo" -H "Accept: application/json" -H "X-Auth-Token: <my_token>"

I hope this helps.


Comments

Thanks jpichon,

We've been using the REST API list at http://api.openstack.org/api-ref.html. Could you please elaborate on how I can use this "--all-tenants" switch within REST API calls?

Thanks.

vahid ( 2013-04-08 11:58:12 -0600 )

I updated my answer with the corresponding curl calls, I hope this helps.

jpichon ( 2013-04-09 04:21:25 -0600 )

jpichon, thank you very much for your clarification. I'll try it out and let you know how it goes.

vahid ( 2013-04-09 10:21:21 -0600 )

jpichon, thanks again for the pointer. I was able to get all instances using that switch, even those belonging to a tenant my user is not a member of. However, I have not been able to get the list of all tenants. I've tried with both Keystone's regular and admin APIs, with no luck ...

vahid ( 2013-04-09 16:25:35 -0600 )

... My guess is that the switch does not apply to Keystone APIs. If so, any idea how that piece can be achieved? To clarify, I can get only tenants my user (with admin role) is a member of; and I'd like to get all users (similar to how I see them all in the dashboard). Thanks.

vahid ( 2013-04-09 16:28:40 -0600 )
4

answered 2013-04-11 10:08:33 -0600


Thanks to jpichon's help here is how I was able to get the list of all tenants:

  1. Authenticate as "admin" (public URL) with {"auth":{"passwordCredentials":{"username": "admin","password":"[password]"}}} in the request body.
  2. Grab the token and issue a /tenants Keystone call (public URL). This will return the list of all tenants "admin" is a member of.
  3. Authenticate as "admin" (public URL) against each tenant found in the previous step until a tenant is found on which "admin" has the "admin" role (look for access.user.roles in the authentication output).
  4. Grab the token of the authentication against that tenant and issue a /tenants Keystone call (admin URL). This will return all tenants in the OpenStack environment, including those "admin" is not a member of.

Note: These steps can be performed with any user, as long as the user has the "admin" role in at least one tenant. If the user does not belong to any tenant as "admin" you're out of luck.

In order to get all the information from Nova APIs the switch "?all_tenants=1" should be used in the API calls. This switch guarantees that, for example, information about instances of tenants the user does not belong to is included in the output.
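
The four steps above as an added Python example, not code from the original answer or from the OpenStack project. The function names, the `keystone.example` host used in testing and the `fake_keystone` stand-in (constructed to mirror the behaviour reported in this thread) are assumptions. It also makes the note above concrete: a user holding the "admin" role in any single tenant can enumerate every tenant, which is worth keeping in mind when auditing role grants.

```python
import json
import urllib.request

def http_json(method, url, token=None, body=None):
    """Default transport: one JSON request/response against a real Keystone."""
    headers = {"Accept": "application/json", "Content-Type": "application/json"}
    if token:
        headers["X-Auth-Token"] = token
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def get_token(public_url, username, password, tenant_id=None, call=http_json):
    """POST /tokens: unscoped when tenant_id is None, tenant-scoped otherwise."""
    auth = {"passwordCredentials": {"username": username, "password": password}}
    if tenant_id:
        auth["tenantId"] = tenant_id
    return call("POST", public_url + "/tokens", body={"auth": auth})["access"]

def list_all_tenants(public_url, admin_url, username, password, call=http_json):
    # Steps 1-2: unscoped token, then the tenants this user is a member of.
    unscoped = get_token(public_url, username, password, call=call)["token"]["id"]
    mine = call("GET", public_url + "/tenants", token=unscoped)["tenants"]
    # Step 3: scope to each tenant until one grants the "admin" role.
    for tenant in mine:
        access = get_token(public_url, username, password, tenant["id"], call)
        roles = {r["name"] for r in access["user"].get("roles", [])}
        if "admin" in roles:
            # Step 4: the admin URL accepts the tenant-scoped admin token.
            return call("GET", admin_url + "/tenants", token=access["token"]["id"])["tenants"]
    raise PermissionError(username + " has the admin role in no tenant")

def fake_keystone(method, url, token=None, body=None):
    """Constructed stand-in for Keystone v2.0 (assumption), for offline runs only."""
    if url.endswith("/tokens"):
        tid = body["auth"].get("tenantId")
        roles = [{"name": "admin"}] if tid == "t2" else [{"name": "Member"}] if tid else []
        return {"access": {"token": {"id": "tok-" + str(tid)}, "user": {"roles": roles}}}
    if ":35357" in url:  # admin URL: only the token scoped to t2 carries "admin"
        if token != "tok-t2":
            raise PermissionError("401 Not Authorized")
        return {"tenants": [{"id": t} for t in ("t1", "t2", "t3")]}
    return {"tenants": [{"id": "t1"}, {"id": "t2"}]}  # public URL: member tenants only
```

Pass `call=fake_keystone` to run it offline; with the default transport it issues the same requests against the public (5000) and admin (35357) URLs described in the question.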

Stats

Asked: 2013-04-08 11:21:51 -0600

Seen: 2,791 times

Last updated: Apr 11 '13