Is it possible to get the list of tenants a user is associated with in OpenStack using the keystoneclient?

Solution 1

No idea with the keystone-client, but it's possible with version 3 of the Keystone API:

GET /v3/users/['USER_ID']/projects

Solution 2

This is not implemented by CLI or API. You can list all of the tenants a token can access, but you cannot list tenants by user id.

Keystone associates a user with a tenant and a role. So basically we should be able to list all the roles of a user and thus get all the tenants. But in practice, you can't:

Keystone client does have a user-role-list subcommand but tenant-id is mandatory as shown in these examples:

$ keystone --token <...> --endpoint http://<...> user-role-list
'Client' object has no attribute 'auth_tenant_id'

$ keystone --token <...> --endpoint http://<...> user-role-list --user-id 0ab2b35d609d4994aa3100b13bcf9cb8
'Client' object has no attribute 'auth_tenant_id'

$ keystone --token <...> --endpoint http://<...> user-role-list --user-id 0ab2b35d609d4994aa3100b13bcf9cb8 --tenant-id 74ece217e4f543c5bd1387786fd9173c
+----------------------------------+-------+----------------------------------+----------------------------------+
|                id                |  name |             user_id              |            tenant_id             |
+----------------------------------+-------+----------------------------------+----------------------------------+
| 3ddf15ce213e4fa08f4d5769db4ee30b | admin | 0ab2b35d609d4994aa3100b13bcf9cb8 | 74ece217e4f543c5bd1387786fd9173c |
+----------------------------------+-------+----------------------------------+----------------------------------+  

The same goes for the REST API:

/users/{user_id}/roles returns an HTTP 501 on port 35357 (and an HTTP 404 on port 5000):

$ curl -H "X-Auth-Token:..." http://localhost:35357/v2.0/users/aa1a4faf337544f8a29eb033fa895eef/roles | jq '.'
{
  "error": {
    "title": "Not Implemented",
    "code": 501,
    "message": "User roles not supported: tenant ID required"
  }
}

If you specify a tenant id, it works:

$ curl -H "X-Auth-Token:..." http://localhost:35357/v2.0/tenants/8e0c523848e645be829c779bb9307290/users/aa1a4faf337544f8a29eb033fa895eef/roles | jq '.'
{
  "roles": [
    {
      "id": "9fe2ff9ee4384b1894a90878d3e92bab",
      "name": "_member_",
      "description": "Default role for project membership",
      "enabled": "True"
    },
    {
      "name": "admin",
      "id": "3ddf15ce213e4fa08f4d5769db4ee30b"
    }
  ]
}

For completeness, you can get tenants by token with the REST API:

$ curl -H "X-Auth-Token:<token here>" http://localhost:5000/v2.0/tenants/ | jq '.'
{
  "tenants": [
    {
      "name": "Altair",
      "id": "51b8b30d4e574899b8fef6d819fda389",
      "enabled": true,
      "description": ""
    },
    {
      "name": "Aldebaran",
      "id": "92b1315b07f44afdaec920a868685b28",
      "enabled": true,
      "description": ""
    }
  ],
  "tenants_links": []
}
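
An added example, not part of the original answers or of keystoneclient: because the v2.0 roles call needs a tenant ID, it performs the loop the asker describes in the comments, querying `/v2.0/tenants/{tenant_id}/users/{user_id}/roles` for each tenant and keeping the tenants where the user holds a role. It assumes an admin token for which the admin endpoint's `/tenants` lists every tenant; the function names and the `SAMPLE` responses are constructed for illustration.

```python
import json
import urllib.error
import urllib.request

ADMIN_URL = "http://localhost:35357/v2.0"  # admin endpoint from the answer above


def http_get_json(url, token):
    """GET a Keystone URL with X-Auth-Token; parsed JSON, or None on HTTP 404."""
    req = urllib.request.Request(url, headers={"X-Auth-Token": token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise  # 401/403/501 etc. should stop the audit, not be hidden


def tenants_for_user(user_id, token, fetch=http_get_json, base=ADMIN_URL):
    """Map tenant name -> sorted role names for tenants where user_id has a role."""
    listing = fetch(f"{base}/tenants", token) or {}
    memberships = {}
    for tenant in listing.get("tenants", []):
        url = f"{base}/tenants/{tenant['id']}/users/{user_id}/roles"
        body = fetch(url, token) or {}
        roles = sorted(role["name"] for role in body.get("roles", []))
        if roles:  # an empty list or a 404 means no assignment in this tenant
            memberships[tenant["name"]] = roles
    return memberships


def admin_tenants(memberships):
    """Tenants where the user holds the admin role (worth a second look)."""
    return sorted(name for name, roles in memberships.items() if "admin" in roles)


# Constructed sample responses (not real data), keyed by URL, for an offline run.
SAMPLE = {
    f"{ADMIN_URL}/tenants": {"tenants": [{"id": "t1", "name": "Altair"},
        {"id": "t2", "name": "Aldebaran"}, {"id": "t3", "name": "Vega"}]},
    f"{ADMIN_URL}/tenants/t1/users/u1/roles": {"roles": [{"name": "_member_"}, {"name": "admin"}]},
    f"{ADMIN_URL}/tenants/t2/users/u1/roles": {"roles": [{"name": "_member_"}]},
    f"{ADMIN_URL}/tenants/t3/users/u1/roles": {"roles": []},
}

if __name__ == "__main__":
    found = tenants_for_user("u1", "constructed-token", fetch=lambda u, t: SAMPLE.get(u))
    print(found, admin_tenants(found))
```

Against a live deployment, call `tenants_for_user(user_id, token)` without the `fetch` argument; it makes one request per tenant, so the cost grows with the number of tenants.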

Solution 3

Using user3067622's suggestion, the following syntax worked after obtaining my Auth Token from Keystone:

curl -v http://your.cloud.com:35357/v3/users/<user_UUID>/projects -X GET \
-H 'Content-type: application/json' \
-H 'Accept: application/json' \
-H "X-Auth-Token: 27427040f887440c80ed6a697b294c47" | python -m json.tool | grep name

Author: ldeluca

Updated on June 04, 2022

Comments

  • ldeluca about 2 years
    Anyone know a way to get the list of tenants for a user? I know I can get the users for a tenant and I can get a list of all the tenants so technically I could loop through all the tenants and look for a specific user but that seems like a cumbersome approach.

  • Matt Joyce over 11 years
    Technically you don't, at least in the v2.0 API, need a tenant specified to get a token. As per my example listed, there is a Keystone API (not keystoneclient) for listing tenants of a user. This does NOT require an admin token.
  • Romain Hardouin over 11 years
    @Matt Maybe I was unclear but I explained that you can't list tenants by user id. Your example lists tenants by token. This is different. I've edited my post to add some clarification and to add an example with curl to list all of the tenants a token can access. Regards.
  • Rishi Shrivastava over 9 years
    I create a user by CURL 173.234.161.218:5000/v3/users -h X-Auth-Token :<token_id> -d { "user": { "default_project_id": "55b686ef2fd148eaaa1f6ca77d1b2b89", "description": "Test Users", "email": "[email protected]", "enabled": true, "name": "Rishi", "password": "123456" } } But I can't log in as this user: "You are not authorized for any projects." What do I have to do?