
OpenStack APIs and Admin User

asked 2013-04-08 11:21:51 -0500


We are using OpenStack Folsom REST APIs to collect instance, tenant and environment related information. The challenge we are having is that there is no super-admin type user for the APIs to give us all the information we need. As a workaround we have to follow these steps to achieve what we want:

  - We add the OpenStack admin user to every single tenant in the environment and give him the admin role (this is done through OpenStack's Horizon UI).
  - We use the OpenStack admin user and Keystone's admin-token (found in keystone config file) to extract all users and tenants within the environment (by calling the keystone admin API).
  - Then for each tenant we authenticate using OpenStack's admin user to get detailed tenant/instance level information.

As you can see this workaround involves some hacking. So, we are wondering if there is a better way of doing this. We expected the admin user to be able to access the same information through the REST APIs that he could access through the OpenStack's Horizon UI, but this doesn't seem to be the case. For example the admin user can see all tenants through the UI, but only the ones he is a member of through the REST APIs.


Some more details on what I've tried in order to get the list of all tenants in an OpenStack installation.

These scenarios were tried with the "admin" user, who is able to see all tenants, instances, ... through the OpenStack dashboard. I tried these scenarios on three different OpenStack installations, and they all behaved the same way.

Scenario 1. Using the public URL:

  1. I authenticate to http://[ip]:5000/v2.0/tokens with "admin" user. The body is {"auth":{"passwordCredentials":{"username": "admin","password":"[password]"}}}
  2. Once the token is returned I use it to make a call to http://[ip]:5000/v2.0/tenants. This does not return tenants "admin" is not a member of; it returns only the ones "admin" belongs to.
  3. I retry step 2 with ?all_tenants=1, but the result is the same.

Scenario 2. Using the admin URL:

  1. I authenticate to http://[ip]:35357/v2.0/tokens with "admin" user. The body is {"auth":{"passwordCredentials":{"username": "admin","password":"[password]"}}}
  2. Once the token is returned I use it to make a call to http://[ip]:35357/v2.0/tenants. It returns with an error message: { "error": { "message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized" } }
  3. I retry step 2 with ?all_tenants=1, but the result is the same (the error above).

Just in case, here is the output of authentication:

           "expires": "2013-04-11T15:24:54Z",
           "id": "95fb2a3921554cc9abd74d88468d9b32"
           "username": "admin",
           "id": "61d77b68420f4f7889c5efaad3edcb7b",
           "name": "admin"

2 answers


answered 2013-04-08 11:45:55 -0500

jpichon

updated 2013-04-09 04:20:29 -0500

Many list commands, e.g. nova list, cinder list, have an --all-tenants switch that you can use to list all the resources for all tenants.

Using the CLI clients it's also possible to use a --debug option that shows the details of the curl calls, e.g. nova --debug list --all-tenants shows:

curl -i http://<my_ip>:8774/v2/<my_tenant_id>/servers/detail?all_tenants=1 -X GET -H "X-Auth-Project-Id: demo" -H "Accept: application/json" -H "X-Auth-Token: <my_token>"

I hope this helps.



Thanks jpichon,

We've been using the REST API list at Could you please elaborate on how I can use this "--all-tenants" switch within REST API calls?


vahid ( 2013-04-08 11:58:12 -0500 )

I updated my answer with the corresponding curl calls, I hope this helps.

jpichon ( 2013-04-09 04:21:25 -0500 )

jpichon, thank you very much for your clarification. I'll try it out and let you know how it goes.

vahid ( 2013-04-09 10:21:21 -0500 )

jpichon, thanks again for the pointer. I was able to get all instances using that switch, even those belonging to a tenant my user is not a member of. However, I have not been able to get the list of all tenants. I've tried with both Keystone's regular and admin APIs, with no luck ...

vahid ( 2013-04-09 16:25:35 -0500 )

... My guess is that the switch does not apply to Keystone APIs. If so, any idea how that piece can be achieved? To clarify, I can get only tenants my user (with admin role) is a member of; and I'd like to get all users (similar to how I see them all in the dashboard). Thanks.

vahid ( 2013-04-09 16:28:40 -0500 )

Glad this helped! If it's in Horizon it's normally also possible to do using the APIs. Perhaps the call you're looking for is http://<my_ip>:35357/v2.0/tenants ? I see the list of all projects using this. You need to use the admin credentials and adminURL endpoint.

jpichon ( 2013-04-09 17:17:23 -0500 )

Well, when I authenticate and query using normal URL (port 5000), I get only tenants I'm a member of. When I try with admin URL (port 35357) I get this: { "error": { "message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized" } }

vahid ( 2013-04-09 18:02:19 -0500 )

Port 35357 requires admin credentials, and can only be used by the admin. Asking for the tenants list using the publicURL will only return the tenants for the current user, as you discovered (it's a different API).

jpichon ( 2013-04-10 03:46:49 -0500 )

Thanks. I think I'm trying exactly what you suggested, and having no luck. Since there is not much room in each comment I'm going to edit the post and explain what I've tried in detail. Maybe that helps in pinpointing what the issue is.

vahid ( 2013-04-10 09:59:06 -0500 )

Just updated the post with more details. Hopefully it'll shed some light.

vahid ( 2013-04-10 10:40:33 -0500 )

Maybe add the keystone tag so keystone folks notice the question? It looks correct to me. Although, I notice when I do keystone tenant-list on the CLI, I get my auth token from /tokens on port 5000 then run the /tenants command on 35357. Perhaps that helps, another combination to try!

jpichon ( 2013-04-10 10:48:21 -0500 )

Thanks for the suggestion. I added the keystone tag. I also tried the two other combinations. Authentication on port 5000 and query on port 35357 still gives me the auth error I mentioned in the post. Authentication on port 35357 and query on port 5000 gives me only tenants "admin" belongs to.

vahid ( 2013-04-10 10:55:12 -0500 )

jpichon, any chance the token you are using in your admin URL query is the same as the admintoken found in keystone.conf file? I'm asking because if I use that admintoken (instead of the token I'm getting after authentication) I see the full list of tenants.

vahid ( 2013-04-10 11:52:59 -0500 )

Nope, I'm getting a new token from port 5000 with a request body like this: {"auth": {"tenantName": "mytenant", "passwordCredentials": {"username": "admin", "password": "mypassword"}}}. Perhaps you're missing the tenant name even if it's for the admin user? If you don't get a reply I'd suggest...

jpichon ( 2013-04-11 08:25:07 -0500 )

...asking a new question only about the keystone admin credentials and the /tenants call. The current question is very general and people with the relevant expertise might miss it. Good luck!

jpichon ( 2013-04-11 08:25:49 -0500 )

I think you got it. I did not authenticate against a particular tenant. When I do that as you suggested, I'm able to see all tenants. I'll post the steps as an answer. Truly appreciate your time and help on this.

vahid ( 2013-04-11 09:52:38 -0500 )

answered 2013-04-11 10:08:33 -0500


Thanks to jpichon's help here is how I was able to get the list of all tenants:

  1. Authenticate as "admin" (public URL) with {"auth":{"passwordCredentials":{"username": "admin","password":"[password]"}}} in the request body.
  2. Grab the token and issue a /tenants Keystone call (public URL). This will return the list of all tenants "admin" is a member of.
  3. Authenticate as "admin" (public URL) against each tenant found in previous step until a tenant is found on which "admin" has "admin" role (look for access.user.roles in authentication output).
  4. Grab the token of the authentication against that tenant and issue a /tenants Keystone call (admin URL). This will return all tenants in the OpenStack environment, including those "admin" is not a member of.

Note: These steps can be performed with any user, as long as the user has the "admin" role in at least one tenant. If the user does not belong to any tenant as "admin" you're out of luck.

In order to get all the information from Nova APIs the switch "?all_tenants=1" should be used in the API calls. This switch guarantees that, for example, information about instances of tenants the user does not belong to is included in the output.
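
The four steps of this answer written out as a script; this is an added example, not part of the original answer. It assumes the Keystone v2.0 shapes quoted in the thread (access.token.id, access.user.roles) plus a top-level "tenants" list in the /tenants response, and the host keystone.example and all function names are made up. Only tokens obtained by password authentication are used, so the static admin token from keystone.conf is not needed.

```python
import json
import urllib.request

def http_json(method, url, token=None, body=None):
    """Send one JSON request; the token travels in the X-Auth-Token header."""
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if token:
        headers["X-Auth-Token"] = token
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def authenticate(public_url, user, password, tenant=None, call=http_json):
    """POST /tokens; with tenant set, the returned token is scoped to it."""
    auth = {"passwordCredentials": {"username": user, "password": password}}
    if tenant:
        auth["tenantName"] = tenant
    return call("POST", public_url + "/tokens", body={"auth": auth})["access"]

def list_all_tenants(public_url, admin_url, user, password, call=http_json):
    """Return the names of every tenant, following steps 1-4 of the answer."""
    # Steps 1-2: unscoped token, then the tenants the user is a member of.
    unscoped = authenticate(public_url, user, password, call=call)
    mine = call("GET", public_url + "/tenants", token=unscoped["token"]["id"])
    # Step 3: authenticate against each tenant until one grants "admin".
    for tenant in mine["tenants"]:
        access = authenticate(public_url, user, password, tenant["name"], call)
        roles = {r["name"] for r in access["user"].get("roles", [])}
        if "admin" in roles:
            # Step 4: use the tenant-scoped token on the admin URL.
            full = call("GET", admin_url + "/tenants", token=access["token"]["id"])
            return [t["name"] for t in full["tenants"]]
    raise PermissionError(f"{user!r} has the admin role in no tenant")

if __name__ == "__main__":
    # Placeholder endpoint and password (assumptions); ports as in the post.
    base = "http://keystone.example"
    print(list_all_tenants(base + ":5000/v2.0", base + ":35357/v2.0",
                           "admin", "[password]"))
```

The `call` parameter exists so the HTTP layer can be replaced with a stub when testing the flow without a Keystone server.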


Last updated: Apr 11 '13