Get tenant of instance from instance VM
I would like to get the tenant name or ID of the instance within the instance VM. Is this possible with any API without logging in to any API?
You can use python-novaclient to achieve this objective. You just need to install the required Python client and start using it. For example, on Ubuntu you can install it by apt-get install python-novaclient and you are ready to use it.
It's not clear what you mean by "without logging in to any api". All of the OpenStack APIs require authentication, because OpenStack is a multi-tenant environment. With appropriate credentials, you can use the command line nova command to retrieve the tenant that spawned an image like this:
nova show <image id> | awk '$2 == "tenant_id" {print $4}'
Since the cli tools just use the published REST api, you can obviously get at the same thing by either using the provided novaclient python module, as S.Ali suggested, or by writing your own code that talks to the REST api directly.
You can get information about the user and tenant that spawned an instance -- without authenticating -- by using the libvirt virsh command. For example, I have three nova instances running, corresponding to these libvirt guests:
# virsh list
 Id    Name                           State
----------------------------------------------------
 106   instance-00000069              running
 107   instance-0000006a              running
 108   instance-0000006b              running
The domain XML for each guest includes a <nova:instance> block that contains the following section:
<nova:owner>
  <nova:user uuid="a570fa8d18824c4d867c0b4673b30324">lars</nova:user>
  <nova:project uuid="d4c6b93d16d14c4d9bbbcd2af0417bcc">lars</nova:project>
</nova:owner>
There you can see both the user UUID and the tenant (aka "project") UUID.
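The lookup described in the answer above, as an added example that is not part of the original post: it parses `virsh dumpxml` output and compares the instance's project UUID with one taken from a validated token. It assumes it runs on the compute host, where the domain XML is readable; the function names, the namespace prefix constant and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: Nova writes its metadata under this namespace (version suffix varies).
NOVA_NS_PREFIX = "{http://openstack.org/xmlns/libvirt/nova/"

# Constructed sample of `virsh dumpxml instance-00000069` output, trimmed to the
# metadata block; the owner values are the ones shown in the answer above.
SAMPLE_DOMAIN_XML = """\
<domain type="kvm">
  <name>instance-00000069</name>
  <metadata>
    <nova:instance xmlns:nova="http://openstack.org/xmlns/libvirt/nova/1.0">
      <nova:owner>
        <nova:user uuid="a570fa8d18824c4d867c0b4673b30324">lars</nova:user>
        <nova:project uuid="d4c6b93d16d14c4d9bbbcd2af0417bcc">lars</nova:project>
      </nova:owner>
    </nova:instance>
  </metadata>
</domain>
"""


def _nova_name(tag):
    """Return the local name of a nova-namespaced tag, or None for other tags."""
    if tag.startswith(NOVA_NS_PREFIX):
        return tag.rsplit("}", 1)[-1]
    return None


def instance_owner(domain_xml):
    """Return {'user': (uuid, name), 'project': (uuid, name)} from domain XML.

    Raises ValueError when the guest has no complete <nova:owner> block, so a
    caller making an access decision fails closed instead of comparing to None.
    """
    root = ET.fromstring(domain_xml)
    owner = next((e for e in root.iter() if _nova_name(e.tag) == "owner"), None)
    found = {}
    for child in (owner if owner is not None else []):
        kind = _nova_name(child.tag)
        if kind in ("user", "project") and child.get("uuid"):
            found[kind] = (child.get("uuid"), (child.text or "").strip())
    if set(found) != {"user", "project"}:
        raise ValueError("missing or incomplete <nova:owner> block")
    return found


def same_project(domain_xml, token_project_id):
    """True only if the instance's project UUID equals the token's project ID."""
    return instance_owner(domain_xml)["project"][0] == token_project_id
```

Only the UUIDs should be compared; the display names in the element text are not unique identifiers.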
We are implementing a pam module that verifies users token with keystone. But as an added security we would like to check that the user is a member in the same tenant/project as the instance. The pam module is running on the instance itself. I tried the EC2 API curl http://169.254.169.254/2009-04
You can get a tenant through python-novaclient, then against that tenant get a list of users. Once you have a list of users you can iterate through it and check against a user whether it's a part of that list or not.
Asked: 2014-10-15 02:31:02 -0600
Seen: 3,232 times
Last updated: Oct 15 '14