Ask Your Question
0

keystone Identity Admin API v2.0 behavior RHEL OS -vs- Community OS

asked 2016-04-07 15:02:07 -0600

rshoemaker gravatar image

Hi,

I've noticed there's a difference between the way the RHEL OS and Community OS identity admin apis work and I'm hoping someone can provide a little perspective on what I'm seeing. Specifically, it looks like this API is expecting different values for {user-id} on different releases of OS:

/v2.0/tenants/{tenant-id}/users/{user-id}/roles

We are currently testing our product on Community Icehouse/Juno/Kilo as well as RHEL Kilo.

On Community Icehouse/Juno/Kilo, we are passing a user name for {user-id}:

$ curl -H "X-Auth-Token:$ostoken" http://keystone.somedomain.com:35357/v2.0/tenants/02b3cc5d8e0b420e8a15777f9a7d6420/users/rshoemaker/roles
{"roles": [{"id": "9fe2ff9ee4384b1894a90878d3e92bab", "name": "_member_"}]}

If we pass a user id, then we get a 404:

$ curl -H "X-Auth-Token:$ostoken" http://keystone.somedomain.com:35357/v2.0/tenants/02b3cc5d8e0b420e8a15777f9a7d6420/users/9fe2ff9ee4384b1894a90878d3e92bab/roles
{"error": {"message": "Could not find user: 9fe2ff9ee4384b1894a90878d3e92bab", "code": 404, "title": "Not Found"}}

On RHEL Kilo, if we pass the user name in, we get a 404:

$ curl -H "X-Auth-Token:$ostoken" http://rh-openstack.somedomain.com:35357/v2.0/tenants/1f6807689c904d6f9824fa3d202f5743/users/rshoemaker/roles
{"error": {"message": "Could not find user: rshoemaker", "code": 404, "title": "Not Found"}}

But if we pass the user id it works fine:

$ curl -H "X-Auth-Token:$ostoken" http://rh-openstack.somedomain.com:35357/v2.0/tenants/1f6807689c904d6f9824fa3d202f5743/users/3cf1b596585e419dac0c3bb94fd2f3b5/roles
{"roles": [{"id": "9fe2ff9ee4384b1894a90878d3e92bab", "name": "_member_"}]}

So, to summarize:

  • RHEL Kilo expects user ids and fails on user names
  • Community Icehouse/Juno/Kilo expect user names and fails on user ids

Can anyone explain why there's a difference? I'd almost feel better if Community Kilo and RHEL Kilo worked the same, but perhaps this is a case when RH changed the code to accept a user-id instead.

Based on the http://developer.openstack.org/api-ref-identity-admin-v2.html (OS docs here), it certainly seems like the API was meant to take a user-id, not a user-name.

edit retag flag offensive close merge delete
add a comment

1 answer

Sort by ยป oldest newest most voted
0

answered 2016-04-07 15:17:42 -0600

dbaxps gravatar image

updated 2016-04-07 15:26:10 -0600 

       I would install KIlo on Ubuntu 14.04 via devstack and make same testing. At least one REST API request  should  work on upstream Kilo release been checked out from stable branch of devstack. I believe that there is no need to continue. 
Devstack is a great tool. It works via stable branches of upstream master.
edit flag offensive delete link more
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2016-04-07 15:02:07 -0600

Seen: 144 times

Last updated: Apr 07 '16

Related questions

Identity api 3.6

How to assign admin role to a Federated User?

How to change keystone policy?

os-auth-url or env[OS_AUTH_URL]

deleted admin role by accident

Change Keystone Admin Pass [closed]

Liberty: The request you have made requires authentication. (HTTP 401)

Keystone and Nova Users

instance launch failure on hyperv

How to cleanly remove a user