Is it possible for a normal user to check the tenant list?

asked 2013-10-09 16:19:46 -0600

kj-tanaka

Is there a way for a normal user to check the list of tenants that s/he has access to? The command "keystone help tenant-list" doesn't tell much, and it seems to be available only for admin.

Thanks in advance,


7 answers


answered 2013-10-10 04:52:19 -0600

haneef

It depends on the policy file. If you haven't changed the policy file, then the default policy file setting is

"identity:list_user_projects": [["rule:admin_or_owner"]],

which allows you to list your projects. You can directly use the curl command to get the tenant list

curl -H "X-Auth-Token: Your token" keystone_url/v3/users/<user_id>/projects

should list your projects.

BTW, I have used the v3 API.

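How that default rule resolves for an ordinary user, as an added example that is not part of the original answer: a simplified evaluator for the legacy list-of-lists policy format. Only the `identity:list_user_projects` line comes from the page; the helper rules, the `identity:list_projects` entry and the sample callers are assumptions.

```python
# Simplified evaluator for the legacy list-of-lists policy format:
# the outer list is OR, each inner list is AND.
# Only "identity:list_user_projects" is quoted on the page; the other rules
# are assumed to match the stock policy file of that era.
POLICY = {
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner": [["user_id:%(user_id)s"]],
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
    "identity:list_user_projects": [["rule:admin_or_owner"]],
    "identity:list_projects": [["rule:admin_required"]],
}


def check(match, target, creds, depth):
    """Evaluate one 'kind:value' check against the caller's credentials."""
    kind, _, value = match.partition(":")
    if kind == "rule":
        return enforce(value, target, creds, depth + 1)
    if kind == "role":
        return value.lower() in (r.lower() for r in creds.get("roles", []))
    try:
        expected = value % target  # fill %(user_id)s from the request target
    except KeyError:
        return False  # target lacks the field, so the check cannot match
    return kind in creds and str(creds[kind]) == expected


def enforce(action, target, creds, depth=0):
    """Return True if any AND-group of the named rule is fully satisfied."""
    if action not in POLICY or depth > 16:  # unknown rule or rule loop: deny
        return False
    groups = POLICY[action]
    if not groups:  # an empty rule means "always allow" in this format
        return True
    return any(all(check(m, target, creds, depth) for m in group)
               for group in groups)


# Constructed sample callers (not from the page).
ALICE = {"user_id": "u-alice", "roles": ["Member"]}
ADMIN = {"user_id": "u-admin", "roles": ["admin"]}

if __name__ == "__main__":
    for who, creds in (("alice", ALICE), ("admin", ADMIN)):
        for target_user in ("u-alice", "u-bob"):
            ok = enforce("identity:list_user_projects",
                         {"user_id": target_user}, creds)
            print(f"{who} lists projects of {target_user}: {ok}")
```

The owner branch matches only when the `user_id` in the request path equals the `user_id` bound to the token, so a normal user can list their own projects but not another user's.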

answered 2013-10-10 15:09:03 -0600

kj-tanaka

Thanks Haneef.

I see this

"identity:list_user_projects": [["rule:admin_or_owner"]]

on the policy.

And, mine is v2.0, but this

curl -H "X-Auth-Token: Your token" keystone_url/v2.0/users/<user_id>/projects

doesn't work... I guess I'm doing something wrong, but my ideal way is some simple command line like "nova image-list". So, even though I would figure this out with curl, I still hope there is (or will be) some short command to check the tenant list.


answered 2013-10-10 15:19:45 -0600

aji-zqfan

keystone --os-username xxx --os-password xxx tenant-list

Usually, we set the OS env vars to OS_USERNAME=admin OS_PASSWORD=xxx (and there are other necessary env vars) to shorten the command, and run, for admin: keystone tenant-list

You can set the OS env vars to your own tenant name (along with its corresponding password), so the command can be as short as for the admin tenant, but it would be a little inconvenient to switch back; that depends on you.


answered 2013-10-10 16:23:58 -0600

kj-tanaka

Thanks ZhiQiang.

I still get this error when I execute "keystone --os-username xxx --os-password xxx tenant-list"

Unable to communicate with identity service: {"error": {"message": "You are not authorized to perform the requested action: admin_required", "code": 403, "title": "Not Authorized"}}. (HTTP 403)

Should I change the following line to something else?

"identity:list_user_projects": [["rule:admin_or_owner"]]


answered 2013-10-10 16:37:27 -0600

aji-zqfan

I think there is no need to change the policy. I will reverify it in a real environment, grizzly 2013.1.3, or maybe someone else can solve it.

Good luck


answered 2013-10-11 03:22:20 -0600

aji-zqfan

Sorry, I reverified. I think there is no such way for us to list a user's tenants directly via the keystone cli, but as @haneef Ali (haneef) said, you can use the REST API to get the result.

NOTE: I think only v3 supports such a request; if you change the v3 to v2.0, it will return a 404 error.

so you can edit a small shell script and use it like:

root@openstack:~# cat
#! /usr/bin/env bash

# Look up the user's id by name (first argument).
user_id=$(keystone user-get "$1" | awk '/ id / {print $4}')
# Strip everything from "5000" onward in OS_AUTH_URL, then append port 35357 and the v3 path.
curl -H "X-Auth-Token: ${OS_TOKEN:-$SERVICE_TOKEN}" "${OS_AUTH_URL%5000*}35357/v3/users/$user_id/projects"

root@openstack:~# sh demo
{"links": {"self": "http://localhost:5000/v3/users/4bb84f6f499b481fa7f433a4168b03a6/projects", "previous": null, "next": null}, "projects": [{"description": null, "links": {"self": "http://localhost:5000/v3/projects/543cf789e0ca4f189f7d955592991ed0"}, "enabled": true, "id": "543cf789e0ca4f189f7d955592991ed0", "domain_id": "default", "name": "service"}]}

NOTE: you must set OS_TOKEN and/or SERVICE_TOKEN, or you will get a 401 unauthorized error.

Or you can use this prettyTable script: download it to your local directory and link it

ln -s /path/to/the script /usr/local/bin

then you can directly type:

# user-tenant-list demo
+----------------------------------+---------+---------+-------------+
|                id                |   name  | enabled | description |
+----------------------------------+---------+---------+-------------+
| 543cf789e0ca4f189f7d955592991ed0 | service |   True  |             |
+----------------------------------+---------+---------+-------------+

Finally, I think these two approaches are not so convenient; there must be a convenient way, or we should create it in keystone.

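A variant that needs neither `keystone user-get` nor an admin `SERVICE_TOKEN`, as an added example that is not part of the original answer: it logs in with the user's own credentials through the v3 API and lists that user's projects. `KEYSTONE_URL` and the function names are hypothetical, and the v3 password login on `/v3/auth/tokens` is assumed to be enabled on the deployment.

```python
import getpass
import json
import os
import urllib.request


def auth_body(username, password, domain_id="default"):
    """Request body for a Keystone v3 password login (unscoped token)."""
    user = {"name": username, "password": password, "domain": {"id": domain_id}}
    return {"auth": {"identity": {"methods": ["password"],
                                  "password": {"user": user}}}}


def project_rows(listing):
    """Reduce a /v3/users/<user_id>/projects response to (id, name, enabled)."""
    return [(p["id"], p["name"], p["enabled"]) for p in listing["projects"]]


def list_my_projects(base_url, username, password):
    """Log in as the user, then list that user's own projects."""
    login = urllib.request.Request(
        base_url + "/v3/auth/tokens",
        data=json.dumps(auth_body(username, password)).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(login, timeout=10) as resp:
        token = resp.headers["X-Subject-Token"]           # the user's own token
        user_id = json.load(resp)["token"]["user"]["id"]  # no admin lookup needed
    listing = urllib.request.Request(
        "%s/v3/users/%s/projects" % (base_url, user_id),
        headers={"X-Auth-Token": token})
    with urllib.request.urlopen(listing, timeout=10) as resp:
        return project_rows(json.load(resp))


# Constructed sample, trimmed from the response shown in the answer above.
SAMPLE = {"projects": [{"id": "543cf789e0ca4f189f7d955592991ed0",
                        "name": "service", "enabled": True,
                        "domain_id": "default", "description": None}]}

if __name__ == "__main__":
    # KEYSTONE_URL is a hypothetical variable, e.g. http://localhost:5000
    url = os.environ.get("KEYSTONE_URL")
    if url:
        pw = os.environ.get("OS_PASSWORD") or getpass.getpass()
        rows = list_my_projects(url, os.environ["OS_USERNAME"], pw)
    else:
        rows = project_rows(SAMPLE)  # offline demonstration
    for row in rows:
        print("%s  %s  enabled=%s" % row)
```

Because the token belongs to the user being queried, the request passes the owner branch of `rule:admin_or_owner` and no admin token has to be placed in a normal user's environment.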

answered 2013-10-11 14:07:13 -0600

kj-tanaka

Ok thanks ZhiQiang.

I'll use the script. I think I need to add some more lines on it for getting OS_TOKEN and SERVICE_TOKEN. But it should be good enough right now. So I'll close this thread.

p.s. It would be nice if keystone-client could make it happen in the future.



Asked: 2013-10-09 16:19:46 -0600

Seen: 1,125 times

Last updated: Oct 11 '13