Need Clarification on "List users with a role"

asked 2013-04-29 11:06:21 -0600

harika-vakadi gravatar image

According to "OpenStack Identity API v3" Doc : (

I have tried to list users with a role URL: GET /roles/{role_id}/users This was resulting resource NotFound Error, below are the steps I have followed to achieve it.

Steps Followed:

1) Created a Project 2) Created a User associated the above created project to it

3) Now assigned the admin role to the user on the same project, as below curl -i http://<ip>:35357/v3/projects/228128d950be4ebd9c22830bad9ea284/users/09f03ece89d44eb9a8cca381cd2aa524/roles/9ac9bb8ac07c477fb908b8f1c13a4407 -X PUT -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token:<token>" HTTP/1.1 204 No Content Vary: X-Auth-Token Content-Length: 0 Date: Mon, 29 Apr 2013 15:33:28 GMT

4) Lastly, List users with a role curl -i http://<ip>:35357/v3/roles/9ac9bb8ac07c477fb908b8f1c13a4407/users -X GET -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: <token>" HTTP/1.1 404 Not Found Vary: X-Auth-Token Content-Type: application/json Content-Length: 93 Date: Mon, 29 Apr 2013 15:34:28 GMT

{"error": {"message": "The resource could not be found.", "code": 404, "title": "Not Found"}}

Can anyone help in resolving the issue, or please correct me if I am wrong in covering this use case

Thanks in advance, Harika

edit retag flag offensive close merge delete

6 answers

Sort by » oldest newest most voted

answered 2013-05-06 05:11:50 -0600

I think list all the users that under a role is still under implementation, I've checked the latest code and there is no API open for /roles/{role_id}/users. Also, there is already a blueprint for this feature, please also see: (

edit flag offensive delete link more

answered 2013-05-07 10:50:42 -0600

harika-vakadi gravatar image

Thanks for the answer xingzhou.

The issue is with API open for /roles/{role_id}/users. According to the blueprint (

FYI, Following resources are working fine in V3 API

  • List users with role on project: GET /projects/{project_id}/roles/{role_id}/users

  • List groups with roles on project: GET /projects/{project_id}/roles/{role_id}/groups

  • List users with roles on domain: GET /domains/{domain_id}/roles/{role_id}/users

  • List groups with roles on domain: GET /domains/{domain_id}/roles/{role_id}/groups

edit flag offensive delete link more

answered 2013-05-09 01:21:24 -0600

Hi Harika, yeah, current V3 API seems only support the listing of role's users under specific tenant or domain, as in current design, identity service only grant roles to user under domain or project, so I'm thinking we need to improve the API doc to correct this, what's your idea on this?

edit flag offensive delete link more

answered 2013-05-09 05:24:08 -0600

harika-vakadi gravatar image

@xingzhou As "roles/{role_id}/users" would give us the list of users that a particular role is assigned to and there is no other equivalent url to get this result. Hence I feel implementing this would be good. Please suggest your view.

edit flag offensive delete link more

answered 2013-05-10 01:35:51 -0600

Hi Harika, yes, provide this API will let user know all the users granted by specific role regardless of domains or tenants, I would suggest add one advice to blueprint ( to add this API

edit flag offensive delete link more

answered 2013-05-10 05:37:03 -0600

harika-vakadi gravatar image

Thanks xingzhou, that solved my question.

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2013-04-29 11:06:21 -0600

Seen: 141 times

Last updated: May 10 '13