1

Get tenant of instance from instance VM

asked 2014-10-15 02:31:02 -0500

JonasH

I would like to get the tenant name or ID of the instance from within the instance VM. Is this possible with any API without logging in to any API?


2 answers

1

answered 2014-10-15 07:11:39 -0500

You can use python-novaclient to achieve this objective. You just need to install the required Python client and start using it. For example, on Ubuntu you can install it with apt-get install python-novaclient, and you are ready to use it.

0

answered 2014-10-15 12:56:14 -0500

larsks

It's not clear what you mean by "without logging in to any api". All of the OpenStack APIs require authentication, because OpenStack is a multi-tenant environment. With appropriate credentials, you can use the command line nova command to retrieve the tenant that spawned an image like this:

nova show <image id> | awk '$2 == "tenant_id" {print $4}'

Since the cli tools just use the published REST api, you can obviously get at the same thing by either using the provided novaclient python module, as S.Ali suggested, or by writing your own code that talks to the REST api directly.

You can get information about the user and tenant that spawned an instance -- without authenticating -- by using the libvirt virsh command. For example, I have three nova instances running, corresponding to these libvirt guests:

# virsh list
 Id    Name                           State
----------------------------------------------------
 106   instance-00000069              running
 107   instance-0000006a              running
 108   instance-0000006b              running

The domain XML for each guest includes a <nova:instance> block that contains the following section:

  <nova:owner>
    <nova:user uuid="a570fa8d18824c4d867c0b4673b30324">lars</nova:user>
    <nova:project uuid="d4c6b93d16d14c4d9bbbcd2af0417bcc">lars</nova:project>
  </nova:owner>

There you can see both the user UUID and the tenant (aka "project") UUID.

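As an added illustration of the <nova:owner> block described in the answer above (this is not code from larsks or from Nova): Python that reads the owning user and project out of a guest's domain XML, as virsh dumpxml prints it on the compute host, and compares the project against an expected ID. The sample XML is constructed around the owner values quoted above; the namespace URI and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of trimmed `virsh dumpxml` output. Owner values are the
# ones quoted in the answer; the namespace URI is an assumption.
SAMPLE_DOMAIN_XML = """\
<domain type="kvm">
  <name>instance-00000069</name>
  <metadata>
    <nova:instance xmlns:nova="http://openstack.org/xmlns/libvirt/nova/1.0">
      <nova:owner>
        <nova:user uuid="a570fa8d18824c4d867c0b4673b30324">lars</nova:user>
        <nova:project uuid="d4c6b93d16d14c4d9bbbcd2af0417bcc">lars</nova:project>
      </nova:owner>
    </nova:instance>
  </metadata>
</domain>
"""


def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop ElementTree's "{namespace}" prefix


def instance_owner(domain_xml):
    """Return the libvirt guest name and its Nova user/project, or raise."""
    root = ET.fromstring(domain_xml)
    meta = root.find("metadata")
    nodes = meta.iter() if meta is not None else ()
    owner = next((e for e in nodes if local(e.tag) == "owner"), None)
    if owner is None:
        raise LookupError("no <nova:owner> block: guest not created by Nova?")
    fields = {local(child.tag): child for child in owner}
    missing = {"user", "project"} - set(fields)
    if missing:
        raise LookupError("owner block lacks: " + ", ".join(sorted(missing)))
    return {
        "domain": root.findtext("name"),
        "user_id": fields["user"].get("uuid"),
        "user_name": fields["user"].text,
        "project_id": fields["project"].get("uuid"),
        "project_name": fields["project"].text,
    }


def same_project(domain_xml, project_id):
    """True only if project_id is the UUID of the guest's owning project."""
    return instance_owner(domain_xml)["project_id"] == project_id

print(instance_owner(SAMPLE_DOMAIN_XML))
```

Matching on the local element name inside <metadata> keeps the lookup independent of the exact namespace version string.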

Comments

We are implementing a PAM module that verifies a user's token with keystone. But as an added security measure we would like to check that the user is a member of the same tenant/project as the instance. The PAM module is running on the instance itself. I tried the EC2 API curl http://169.254.169.254/2009-04

JonasH ( 2014-10-15 13:19:14 -0500 )

But no tenant info there. I guess we could supply that information in the user-data when booting the instance with nova.

JonasH ( 2014-10-15 13:19:57 -0500 )

You can get a tenant through python-novaclient, then get a list of users for that tenant. Once you have the list of users, you can iterate through it and check whether a given user is part of that list or not.

Syed Awais Ali ( 2014-10-15 14:23:33 -0500 )

If you are verifying users with keystone, you already have all the credentials you need in order to authenticate to the API.

larsks ( 2014-10-15 20:08:45 -0500 )


Stats

Asked: 2014-10-15 02:31:02 -0500

Seen: 3,034 times

Last updated: Oct 15 '14