Ask Your Question
1

Get tenant of instance from instance VM

asked 2014-10-15 02:31:02 -0500

JonasH gravatar image

I would like to get the tenant name or ID of the instance within the instance VM. Is this possible with any API without logging in to any API.

edit retag flag offensive close merge delete
add a comment

2 answers

Sort by ยป oldest newest most voted
1

answered 2014-10-15 07:11:39 -0500

Syed Awais Ali gravatar image

You can use python-novaclient to achieve this objective. You just need to install the required Python client and start using it. For example on Ubuntu you can install it by apt-get install python-novaclient and you are ready to use it.

edit flag offensive delete link more
add a comment
0

answered 2014-10-15 12:56:14 -0500

larsks gravatar image

It's not clear what you mean by "without logging in to any api". All of the OpenStack APIs require authentication, because OpenStack is a multi-tenant environment. With appropriate credentials, you can use the command line nova command to retrieve the tenant that spawned an image like this:

nova show <image id> | awk '$2 == "tenant_id" {print $4}'

Since the cli tools just use the published REST api, you can obviously get at the same thing by either using the provided novaclient python module, as S.Ali suggested, or by writing your own code that talks to the REST api directly.

You can get information about the user and tenant that spawned an instance -- without authenticating -- by using the libvirt virsh command. For example, I have three nova instances running, corresponding to these libvirt guests:

# virsh list
 Id    Name                           State
----------------------------------------------------
 106   instance-00000069              running
 107   instance-0000006a              running
 108   instance-0000006b              running

The domain XML for each guest includes a <nova:instance> block that contains the following section:

  <nova:owner>
    <nova:user uuid="a570fa8d18824c4d867c0b4673b30324">lars</nova:user>
    <nova:project uuid="d4c6b93d16d14c4d9bbbcd2af0417bcc">lars</nova:project>
  </nova:owner>

There you can see both the user UUID and the tenant (aka "project") UUID.

edit flag offensive delete link more

Comments

We are implementing a pam module that verifys users token with keystone. But as a added security we would like to check that the user is a member in the same tenant/project as the instance. The pam module is running on the instance it self. I tried the EC2 API curl http://169.254.169.254/2009-04

JonasH gravatar imageJonasH ( 2014-10-15 13:19:14 -0500 )edit

But no tenent info there. I guess we could supply that information in the user-data when booting instance with nova.

JonasH gravatar imageJonasH ( 2014-10-15 13:19:57 -0500 )edit

you can get a tenant through python-novaclient, then against that tenant get a list of users, once you have a list of users you can iterate through it and check against a user whether its a part of that list or not.

Syed Awais Ali gravatar imageSyed Awais Ali ( 2014-10-15 14:23:33 -0500 )edit

If you are verifying users with keystone, you already have all the credentials you need in order to authenticate to the API.

larsks gravatar imagelarsks ( 2014-10-15 20:08:45 -0500 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2014-10-15 02:31:02 -0500

Seen: 3,163 times

Last updated: Oct 15 '14

Related questions

Host not accepting instances

tenant bind with certain hypervisor

create a tenant in openstack mitaka

Is there any way to find the creation date of a tenant?

How to move a instance between projects?

How to boot windows instance from ISO?

cannot change instance password with nova api [closed]

Implementing QoS in openstack juno

"Virtual Interface creation failed", "code": 500, "details": " File \"/usr/lib/python2.7/dist-packages/nova/compute/manager.py\"

Unable to resolve the server's DNS address.