Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: OpenStack: Dev

Keystone API question

 

 

OpenStack dev RSS feed   Index | Next | Previous | View Threaded


luis at woorea

May 2, 2012, 1:44 PM

Post #1 of 12 (420 views)
Permalink
Keystone API question

Hi,

In Diablo was:

GET /users/{user_id}/roleRefs

In Essex it is maintained for compatibility reasons. I understand that this
is the obsolete now.

I can find:

PUT & DELETE /users/{user_id}/roles/OS-KSADM/{role_id}

How can get all the roles having a user_id?

GET /users/{user_id}/roles (i can't find this on stable/essex)

Returning role list with tenant associated

Another option that would work for me is:

GET /users/{user_id}/tenants

Returning tenant list with role list associated per tenant


When i GET /user/{user_id} i obtain only this info

{"user": {"name": "admin", "enabled": true, "email": "admin [at] example",
"id": "ef1e63df85b641d7bf3c575bb8670cef", "tenantId": null}}

Regards

--
-------------------------------------------
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO & CTO
mobile: (+34) 627983344
luis@ <luis.gervaso [at] gmail>woorea.es


luis at woorea

May 2, 2012, 3:06 PM

Post #2 of 12 (413 views)
Permalink
Re: Keystone API question [In reply to]

This is what i get.

1 > GET
http://192.168.1.41:35357/v2.0/users/ef1e63df85b641d7bf3c575bb8670cef/roles
1 > X-Auth-Token: secret0

2012-05-03 00:03:55,337 [http-bio-8080-exec-10] INFO api.identity - 2 *
LoggingFilter - Response received on thread http-bio-8080-exec-10
2 < 500
2 < Connection: close
2 < Content-Length: 5500
2 < Content-Type: text/plain
2 < Date: Mon, 26 Mar 2012 06:39:34 GMT
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 336, in
handle_one_response
result = self.application(self.environ, start_response)
File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 203, in
__call__
return app(environ, start_response)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in
__call__
resp = self.call_func(req, *args, **self.kwargs)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in
call_func
return self.func(req, *args, **kwargs)
File "/opt/stack/keystone/keystone/common/wsgi.py", line 299, in __call__
response = request.get_response(self.application)
File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053, in
get_response
application, catch_exc_info=False)
File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022, in
call_application
app_iter = application(self.environ, start_response)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in
__call__
resp = self.call_func(req, *args, **self.kwargs)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in
call_func
return self.func(req, *args, **kwargs)
File "/opt/stack/keystone/keystone/common/wsgi.py", line 299, in __call__
response = request.get_response(self.application)
File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053, in
get_response
application, catch_exc_info=False)
File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022, in
call_application
app_iter = application(self.environ, start_response)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in
__call__
resp = self.call_func(req, *args, **self.kwargs)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in
call_func
return self.func(req, *args, **kwargs)
File "/opt/stack/keystone/keystone/common/wsgi.py", line 299, in __call__
response = request.get_response(self.application)
File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053, in
get_response
application, catch_exc_info=False)
File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022, in
call_application
app_iter = application(self.environ, start_response)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in
__call__
resp = self.call_func(req, *args, **self.kwargs)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in
call_func
return self.func(req, *args, **kwargs)
File "/opt/stack/keystone/keystone/common/wsgi.py", line 299, in __call__
response = request.get_response(self.application)
File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053, in
get_response
application, catch_exc_info=False)
File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022, in
call_application
app_iter = application(self.environ, start_response)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in
__call__
resp = self.call_func(req, *args, **self.kwargs)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in
call_func
return self.func(req, *args, **kwargs)
File "/opt/stack/keystone/keystone/common/wsgi.py", line 322, in __call__
resp = req.get_response(self.application)
File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053, in
get_response
application, catch_exc_info=False)
File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022, in
call_application
app_iter = application(self.environ, start_response)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in
__call__
return resp(environ, start_response)
File "/usr/lib/pymodules/python2.7/routes/middleware.py", line 131, in
__call__
response = self.app(environ, start_response)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in
__call__
return resp(environ, start_response)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in
__call__
return resp(environ, start_response)
File "/usr/lib/pymodules/python2.7/routes/middleware.py", line 131, in
__call__
response = self.app(environ, start_response)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in
__call__
return resp(environ, start_response)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in
__call__
return resp(environ, start_response)
File "/usr/lib/pymodules/python2.7/routes/middleware.py", line 131, in
__call__
response = self.app(environ, start_response)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in
__call__
return resp(environ, start_response)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in
__call__
return resp(environ, start_response)
File "/usr/lib/pymodules/python2.7/routes/middleware.py", line 131, in
__call__
response = self.app(environ, start_response)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in
__call__
return resp(environ, start_response)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in
__call__
resp = self.call_func(req, *args, **self.kwargs)
File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in
call_func
return self.func(req, *args, **kwargs)
File "/opt/stack/keystone/keystone/common/wsgi.py", line 178, in __call__
method = getattr(self, action)
AttributeError: 'UserController' object has no attribute 'get_user_roles'


On Wed, May 2, 2012 at 10:44 PM, Luis Gervaso <luis [at] woorea> wrote:

> Hi,
>
> In Diablo was:
>
> GET /users/{user_id}/roleRefs
>
> In Essex it is maintained for compatibility reasons. I understand that
> this is the obsolete now.
>
> I can find:
>
> PUT & DELETE /users/{user_id}/roles/OS-KSADM/{role_id}
>
> How can get all the roles having a user_id?
>
> GET /users/{user_id}/roles (i can't find this on stable/essex)
>
> Returning role list with tenant associated
>
> Another option that would work for me is:
>
> GET /users/{user_id}/tenants
>
> Returning tenant list with role list associated per tenant
>
>
> When i GET /user/{user_id} i obtain only this info
>
> {"user": {"name": "admin", "enabled": true, "email": "admin [at] example",
> "id": "ef1e63df85b641d7bf3c575bb8670cef", "tenantId": null}}
>
> Regards
>
> --
> -------------------------------------------
> Luis Alberto Gervaso Martin
> Woorea Solutions, S.L
> CEO & CTO
> mobile: (+34) 627983344
> luis@ <luis.gervaso [at] gmail>woorea.es
>
>
>


--
-------------------------------------------
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO & CTO
mobile: (+34) 627983344
luis@ <luis.gervaso [at] gmail>woorea.es


rafadurancastaneda at gmail

May 2, 2012, 11:51 PM

Post #3 of 12 (403 views)
Permalink
Re: Keystone API question [In reply to]

On 05/03/2012 12:06 AM, Luis Gervaso wrote:
> This is what i get.
>
> 1 > GET
> http://192.168.1.41:35357/v2.0/users/ef1e63df85b641d7bf3c575bb8670cef/roles
> 1 > X-Auth-Token: secret0
>
> 2012-05-03 00:03:55,337 [http-bio-8080-exec-10] INFO api.identity -
> 2 * LoggingFilter - Response received on thread http-bio-8080-exec-10
> 2 < 500
> 2 < Connection: close
> 2 < Content-Length: 5500
> 2 < Content-Type: text/plain
> 2 < Date: Mon, 26 Mar 2012 06:39:34 GMT
> Traceback (most recent call last):
> File "/usr/lib/python2.7/dist-packages/eventlet/wsgi.py", line 336,
> in handle_one_response
> result = self.application(self.environ, start_response)
> File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 203,
> in __call__
> return app(environ, start_response)
> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in
> __call__
> resp = self.call_func(req, *args, **self.kwargs)
> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in
> call_func
> return self.func(req, *args, **kwargs)
> File "/opt/stack/keystone/keystone/common/wsgi.py", line 299, in
> __call__
> response = request.get_response(self.application)
> File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053,
> in get_response
> application, catch_exc_info=False)
> File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022,
> in call_application
> app_iter = application(self.environ, start_response)
> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in
> __call__
> resp = self.call_func(req, *args, **self.kwargs)
> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in
> call_func
> return self.func(req, *args, **kwargs)
> File "/opt/stack/keystone/keystone/common/wsgi.py", line 299, in
> __call__
> response = request.get_response(self.application)
> File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053,
> in get_response
> application, catch_exc_info=False)
> File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022,
> in call_application
> app_iter = application(self.environ, start_response)
> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in
> __call__
> resp = self.call_func(req, *args, **self.kwargs)
> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in
> call_func
> return self.func(req, *args, **kwargs)
> File "/opt/stack/keystone/keystone/common/wsgi.py", line 299, in
> __call__
> response = request.get_response(self.application)
> File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053,
> in get_response
> application, catch_exc_info=False)
> File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022,
> in call_application
> app_iter = application(self.environ, start_response)
> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in
> __call__
> resp = self.call_func(req, *args, **self.kwargs)
> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in
> call_func
> return self.func(req, *args, **kwargs)
> File "/opt/stack/keystone/keystone/common/wsgi.py", line 299, in
> __call__
> response = request.get_response(self.application)
> File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053,
> in get_response
> application, catch_exc_info=False)
> File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022,
> in call_application
> app_iter = application(self.environ, start_response)
> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in
> __call__
> resp = self.call_func(req, *args, **self.kwargs)
> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in
> call_func
> return self.func(req, *args, **kwargs)
> File "/opt/stack/keystone/keystone/common/wsgi.py", line 322, in
> __call__
> resp = req.get_response(self.application)
> File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1053,
> in get_response
> application, catch_exc_info=False)
> File "/usr/lib/python2.7/dist-packages/webob/request.py", line 1022,
> in call_application
> app_iter = application(self.environ, start_response)
> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in
> __call__
> return resp(environ, start_response)
> File "/usr/lib/pymodules/python2.7/routes/middleware.py", line 131,
> in __call__
> response = self.app(environ, start_response)
> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in
> __call__
> return resp(environ, start_response)
> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in
> __call__
> return resp(environ, start_response)
> File "/usr/lib/pymodules/python2.7/routes/middleware.py", line 131,
> in __call__
> response = self.app(environ, start_response)
> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in
> __call__
> return resp(environ, start_response)
> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in
> __call__
> return resp(environ, start_response)
> File "/usr/lib/pymodules/python2.7/routes/middleware.py", line 131,
> in __call__
> response = self.app(environ, start_response)
> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in
> __call__
> return resp(environ, start_response)
> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in
> __call__
> return resp(environ, start_response)
> File "/usr/lib/pymodules/python2.7/routes/middleware.py", line 131,
> in __call__
> response = self.app(environ, start_response)
> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 159, in
> __call__
> return resp(environ, start_response)
> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 147, in
> __call__
> resp = self.call_func(req, *args, **self.kwargs)
> File "/usr/lib/python2.7/dist-packages/webob/dec.py", line 208, in
> call_func
> return self.func(req, *args, **kwargs)
> File "/opt/stack/keystone/keystone/common/wsgi.py", line 178, in
> __call__
> method = getattr(self, action)
> AttributeError: 'UserController' object has no attribute 'get_user_roles'
>
>
> On Wed, May 2, 2012 at 10:44 PM, Luis Gervaso <luis [at] woorea
> <mailto:luis [at] woorea>> wrote:
>
> Hi,
>
> In Diablo was:
>
> GET /users/{user_id}/roleRefs
>
> In Essex it is maintained for compatibility reasons. I understand
> that this is the obsolete now.
>
> I can find:
>
> PUT & DELETE /users/{user_id}/roles/OS-KSADM/{role_id}
>
> How can get all the roles having a user_id?
>
> GET /users/{user_id}/roles (i can't find this on stable/essex)
>
> Returning role list with tenant associated
>
> Another option that would work for me is:
>
> GET /users/{user_id}/tenants
>
> Returning tenant list with role list associated per tenant
>
>
> When i GET /user/{user_id} i obtain only this info
>
> {"user": {"name": "admin", "enabled": true, "email":
> "admin [at] example <mailto:admin [at] example>", "id":
> "ef1e63df85b641d7bf3c575bb8670cef", "tenantId": null}}
>
> Regards
>
> --
> -------------------------------------------
> Luis Alberto Gervaso Martin
> Woorea Solutions, S.L
> CEO & CTO
> mobile: (+34) 627983344 <tel:%28%2B34%29%20627983344>
> luis@ <mailto:luis.gervaso [at] gmail>woorea.es <http://woorea.es/>
>
>
>
>
>
> --
> -------------------------------------------
> Luis Alberto Gervaso Martin
> Woorea Solutions, S.L
> CEO & CTO
> mobile: (+34) 627983344
> luis@ <mailto:luis.gervaso [at] gmail>woorea.es <http://woorea.es/>
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack [at] lists
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
I think you are searching for:

"/users/{user_id}/roleRefs"


dolph.mathews at gmail

May 3, 2012, 8:34 AM

Post #4 of 12 (401 views)
Permalink
Re: Keystone API question [In reply to]

The philosophy in essex is that it's meaningless for a user to have a role
without that role being applied to a tenant, so the call that's implemented
is:

GET /tenants/{tenant_id}/users/{user_id}/roles

Calling this instead should get you an HTTP 501 stating "User roles not
supported: tenant ID required".

GET /users/{user_id}/roles

Also, the term "roleRefs" was deprecated late in the diablo cycle (AFAIK)
in favor of "roles".

-Dolph

On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso <luis [at] woorea> wrote:

> Hi,
>
> In Diablo was:
>
> GET /users/{user_id}/roleRefs
>
> In Essex it is maintained for compatibility reasons. I understand that
> this is the obsolete now.
>
> I can find:
>
> PUT & DELETE /users/{user_id}/roles/OS-KSADM/{role_id}
>
> How can get all the roles having a user_id?
>
> GET /users/{user_id}/roles (i can't find this on stable/essex)
>
> Returning role list with tenant associated
>
> Another option that would work for me is:
>
> GET /users/{user_id}/tenants
>
> Returning tenant list with role list associated per tenant
>
>
> When i GET /user/{user_id} i obtain only this info
>
> {"user": {"name": "admin", "enabled": true, "email": "admin [at] example",
> "id": "ef1e63df85b641d7bf3c575bb8670cef", "tenantId": null}}
>
> Regards
>
> --
> -------------------------------------------
> Luis Alberto Gervaso Martin
> Woorea Solutions, S.L
> CEO & CTO
> mobile: (+34) 627983344
> luis@ <luis.gervaso [at] gmail>woorea.es
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack [at] lists
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
>
>


heckj at me

May 3, 2012, 9:29 AM

Post #5 of 12 (403 views)
Permalink
Re: Keystone API question [In reply to]

Hey Luis,

Through the admin API - there is:

/tenants/{tenant_id}/users/{user_id}/roles

and

/users/{user_id}/roles

- these are coded in keystone/identity/core.py in the stable/essex release

and the diablo compatibility API

/users/{user_id}/roleRefs

which is also there - keystone/contrib/admin_crud/core.py

Is that what you're asking?

-joe

On May 2, 2012, at 1:44 PM, Luis Gervaso wrote:

> Hi,
>
> In Diablo was:
>
> GET /users/{user_id}/roleRefs
>
> In Essex it is maintained for compatibility reasons. I understand that this is the obsolete now.
>
> I can find:
>
> PUT & DELETE /users/{user_id}/roles/OS-KSADM/{role_id}
>
> How can get all the roles having a user_id?
>
> GET /users/{user_id}/roles (i can't find this on stable/essex)
>
> Returning role list with tenant associated
>
> Another option that would work for me is:
>
> GET /users/{user_id}/tenants
>
> Returning tenant list with role list associated per tenant
>
>
> When i GET /user/{user_id} i obtain only this info
>
> {"user": {"name": "admin", "enabled": true, "email": "admin [at] example", "id": "ef1e63df85b641d7bf3c575bb8670cef", "tenantId": null}}
>
> Regards
>
> --
> -------------------------------------------
> Luis Alberto Gervaso Martin
> Woorea Solutions, S.L
> CEO & CTO
> mobile: (+34) 627983344
> luis [at] woorea
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack [at] lists
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp


everett.toews at cybera

May 3, 2012, 1:12 PM

Post #6 of 12 (399 views)
Permalink
Re: Keystone API question [In reply to]

I get the same as Luis when trying GET /users/{user_id}/roles on
stable/essex (using devstack). Keystone spits back an

AttributeError: 'UserController' object has no attribute 'get_user_roles'

message instead of a nice 501.

GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more
detail have a look at

http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html

Everett

On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews <dolph.mathews [at] gmail>wrote:

> The philosophy in essex is that it's meaningless for a user to have a role
> without that role being applied to a tenant, so the call that's implemented
> is:
>
> GET /tenants/{tenant_id}/users/{user_id}/roles
>
> Calling this instead should get you an HTTP 501 stating "User roles not
> supported: tenant ID required".
>
> GET /users/{user_id}/roles
>
> Also, the term "roleRefs" was deprecated late in the diablo cycle (AFAIK)
> in favor of "roles".
>
> -Dolph
>
> On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso <luis [at] woorea> wrote:
>
>> Hi,
>>
>> In Diablo was:
>>
>> GET /users/{user_id}/roleRefs
>>
>> In Essex it is maintained for compatibility reasons. I understand that
>> this is the obsolete now.
>>
>> I can find:
>>
>> PUT & DELETE /users/{user_id}/roles/OS-KSADM/{role_id}
>>
>> How can get all the roles having a user_id?
>>
>> GET /users/{user_id}/roles (i can't find this on stable/essex)
>>
>> Returning role list with tenant associated
>>
>> Another option that would work for me is:
>>
>> GET /users/{user_id}/tenants
>>
>> Returning tenant list with role list associated per tenant
>>
>>
>> When i GET /user/{user_id} i obtain only this info
>>
>> {"user": {"name": "admin", "enabled": true, "email": "admin [at] example",
>> "id": "ef1e63df85b641d7bf3c575bb8670cef", "tenantId": null}}
>>
>> Regards
>>
>> --
>> -------------------------------------------
>> Luis Alberto Gervaso Martin
>> Woorea Solutions, S.L
>> CEO & CTO
>> mobile: (+34) 627983344
>> luis@ <luis.gervaso [at] gmail>woorea.es
>>
>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to : openstack [at] lists
>> Unsubscribe : https://launchpad.net/~openstack
>> More help : https://help.launchpad.net/ListHelp
>>
>>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack [at] lists
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
>
>


luis at woorea

May 3, 2012, 1:23 PM

Post #7 of 12 (398 views)
Permalink
Re: Keystone API question [In reply to]

Yes, this is the real issue.

Since /tenants is only valid for the current user (that's X-Auth-Token
dependant)

How can an administrator user list all the tenants a user belongs to?

Another issue i've detected is that endpoints are always dependant on a
service,
may be i'm wrong but for me:

/service/{service_id}/endpoints

is more appropiate than

/endpoints

Dolph, please correct me

Luis


On Thu, May 3, 2012 at 10:12 PM, Everett Toews <everett.toews [at] cybera>wrote:

> I get the same as Luis when trying GET /users/{user_id}/roles on
> stable/essex (using devstack). Keystone spits back an
>
> AttributeError: 'UserController' object has no attribute 'get_user_roles'
>
> message instead of a nice 501.
>
> GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more
> detail have a look at
>
>
> http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html
>
> Everett
>
>
> On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews <dolph.mathews [at] gmail>wrote:
>
>> The philosophy in essex is that it's meaningless for a user to have a
>> role without that role being applied to a tenant, so the call that's
>> implemented is:
>>
>> GET /tenants/{tenant_id}/users/{user_id}/roles
>>
>> Calling this instead should get you an HTTP 501 stating "User roles not
>> supported: tenant ID required".
>>
>> GET /users/{user_id}/roles
>>
>> Also, the term "roleRefs" was deprecated late in the diablo cycle (AFAIK)
>> in favor of "roles".
>>
>> -Dolph
>>
>> On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso <luis [at] woorea> wrote:
>>
>>> Hi,
>>>
>>> In Diablo was:
>>>
>>> GET /users/{user_id}/roleRefs
>>>
>>> In Essex it is maintained for compatibility reasons. I understand that
>>> this is the obsolete now.
>>>
>>> I can find:
>>>
>>> PUT & DELETE /users/{user_id}/roles/OS-KSADM/{role_id}
>>>
>>> How can get all the roles having a user_id?
>>>
>>> GET /users/{user_id}/roles (i can't find this on stable/essex)
>>>
>>> Returning role list with tenant associated
>>>
>>> Another option that would work for me is:
>>>
>>> GET /users/{user_id}/tenants
>>>
>>> Returning tenant list with role list associated per tenant
>>>
>>>
>>> When i GET /user/{user_id} i obtain only this info
>>>
>>> {"user": {"name": "admin", "enabled": true, "email": "admin [at] example",
>>> "id": "ef1e63df85b641d7bf3c575bb8670cef", "tenantId": null}}
>>>
>>> Regards
>>>
>>> --
>>> -------------------------------------------
>>> Luis Alberto Gervaso Martin
>>> Woorea Solutions, S.L
>>> CEO & CTO
>>> mobile: (+34) 627983344
>>> luis@ <luis.gervaso [at] gmail>woorea.es
>>>
>>>
>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~openstack
>>> Post to : openstack [at] lists
>>> Unsubscribe : https://launchpad.net/~openstack
>>> More help : https://help.launchpad.net/ListHelp
>>>
>>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to : openstack [at] lists
>> Unsubscribe : https://launchpad.net/~openstack
>> More help : https://help.launchpad.net/ListHelp
>>
>>
>


--
-------------------------------------------
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO & CTO
mobile: (+34) 627983344
luis@ <luis.gervaso [at] gmail>woorea.es


Gabriel.Hurley at nebula

May 3, 2012, 4:24 PM

Post #8 of 12 (400 views)
Permalink
Re: Keystone API question [In reply to]

On the keystone admin port the tenants call will list all tenants (provided the token corresponds to a user who has admin privileges).


- Gabriel

From: openstack-bounces+gabriel.hurley=nebula.com [at] lists [mailto:openstack-bounces+gabriel.hurley=nebula.com [at] lists] On Behalf Of Luis Gervaso
Sent: Thursday, May 03, 2012 1:24 PM
To: Everett Toews
Cc: openstack [at] lists
Subject: Re: [Openstack] Keystone API question

Yes, this is the real issue.

Since /tenants is only valid for the current user (that's X-Auth-Token dependant)

How can an administrator user list all the tenants a user belongs to?

Another issue i've detected is that endpoints are always dependant on a service,
may be i'm wrong but for me:

/service/{service_id}/endpoints

is more appropiate than

/endpoints

Dolph, please correct me

Luis


On Thu, May 3, 2012 at 10:12 PM, Everett Toews <everett.toews [at] cybera<mailto:everett.toews [at] cybera>> wrote:
I get the same as Luis when trying GET /users/{user_id}/roles on stable/essex (using devstack). Keystone spits back an

AttributeError: 'UserController' object has no attribute 'get_user_roles'

message instead of a nice 501.

GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more detail have a look at

http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html

Everett

On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews <dolph.mathews [at] gmail<mailto:dolph.mathews [at] gmail>> wrote:
The philosophy in essex is that it's meaningless for a user to have a role without that role being applied to a tenant, so the call that's implemented is:

GET /tenants/{tenant_id}/users/{user_id}/roles

Calling this instead should get you an HTTP 501 stating "User roles not supported: tenant ID required".

GET /users/{user_id}/roles

Also, the term "roleRefs" was deprecated late in the diablo cycle (AFAIK) in favor of "roles".

-Dolph

On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso <luis [at] woorea<mailto:luis [at] woorea>> wrote:
Hi,

In Diablo was:

GET /users/{user_id}/roleRefs

In Essex it is maintained for compatibility reasons. I understand that this is the obsolete now.

I can find:

PUT & DELETE /users/{user_id}/roles/OS-KSADM/{role_id}

How can get all the roles having a user_id?

GET /users/{user_id}/roles (i can't find this on stable/essex)

Returning role list with tenant associated

Another option that would work for me is:

GET /users/{user_id}/tenants

Returning tenant list with role list associated per tenant


When i GET /user/{user_id} i obtain only this info

{"user": {"name": "admin", "enabled": true, "email": "admin [at] example<mailto:admin [at] example>", "id": "ef1e63df85b641d7bf3c575bb8670cef", "tenantId": null}}

Regards

--
-------------------------------------------
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO & CTO
mobile: (+34) 627983344<tel:%28%2B34%29%20627983344>
luis@<mailto:luis.gervaso [at] gmail>woorea.es<http://woorea.es/>



_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to : openstack [at] lists<mailto:openstack [at] lists>
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp


_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to : openstack [at] lists<mailto:openstack [at] lists>
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp




--
-------------------------------------------
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO & CTO
mobile: (+34) 627983344
luis@<mailto:luis.gervaso [at] gmail>woorea.es<http://woorea.es/>


luis at woorea

May 3, 2012, 4:27 PM

Post #9 of 12 (397 views)
Permalink
Re: Keystone API question [In reply to]

>From admin port I want to list the tenants a user (different from the
current user) belongs to.

On Fri, May 4, 2012 at 1:24 AM, Gabriel Hurley <Gabriel.Hurley [at] nebula>wrote:

> On the keystone admin port the tenants call will list all tenants
> (provided the token corresponds to a user who has admin privileges).****
>
> ** **
>
> **- **Gabriel****
>
> ** **
>
> *From:* openstack-bounces+gabriel.hurley=nebula.com [at] lists[mailto:
> openstack-bounces+gabriel.hurley=nebula.com [at] lists] *On
> Behalf Of *Luis Gervaso
> *Sent:* Thursday, May 03, 2012 1:24 PM
> *To:* Everett Toews
> *Cc:* openstack [at] lists
> *Subject:* Re: [Openstack] Keystone API question****
>
> ** **
>
> Yes, this is the real issue.****
>
> ** **
>
> Since /tenants is only valid for the current user (that's X-Auth-Token
> dependant)****
>
> ** **
>
> How can an administrator user list all the tenants a user belongs to?****
>
> ** **
>
> Another issue i've detected is that endpoints are always dependant on a
> service,****
>
> may be i'm wrong but for me:****
>
> ** **
>
> /service/{service_id}/endpoints****
>
> ** **
>
> is more appropiate than****
>
> ** **
>
> /endpoints****
>
> ** **
>
> Dolph, please correct me****
>
> ** **
>
> Luis****
>
> ** **
>
> ** **
>
> On Thu, May 3, 2012 at 10:12 PM, Everett Toews <everett.toews [at] cybera>
> wrote:****
>
> I get the same as Luis when trying GET /users/{user_id}/roles on
> stable/essex (using devstack). Keystone spits back an****
>
> ** **
>
> AttributeError: 'UserController' object has no attribute 'get_user_roles'*
> ***
>
> ** **
>
> message instead of a nice 501.****
>
> ** **
>
> GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more
> detail have a look at****
>
> ** **
>
>
> http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html
> ****
>
> ** **
>
> Everett****
>
> ** **
>
> On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews <dolph.mathews [at] gmail>
> wrote:****
>
> The philosophy in essex is that it's meaningless for a user to have a role
> without that role being applied to a tenant, so the call that's implemented
> is:****
>
> ** **
>
> GET /tenants/{tenant_id}/users/{user_id}/roles****
>
> ** **
>
> Calling this instead should get you an HTTP 501 stating "User roles not
> supported: tenant ID required".****
>
> ** **
>
> GET /users/{user_id}/roles****
>
> ** **
>
> Also, the term "roleRefs" was deprecated late in the diablo cycle (AFAIK)
> in favor of "roles".****
>
> ** **
>
> -Dolph****
>
> ** **
>
> On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso <luis [at] woorea> wrote:****
>
> Hi,****
>
> ** **
>
> In Diablo was:****
>
> ** **
>
> GET /users/{user_id}/roleRefs
> ****
>
> ** **
>
> In Essex it is maintained for compatibility reasons. I understand that
> this is the obsolete now.****
>
> ** **
>
> I can find:****
>
> ** **
>
> PUT & DELETE /users/{user_id}/roles/OS-KSADM/{role_id}****
>
> ** **
>
> How can get all the roles having a user_id?****
>
> ** **
>
> GET /users/{user_id}/roles (i can't find this on stable/essex)****
>
> ** **
>
> Returning role list with tenant associated****
>
> ** **
>
> Another option that would work for me is:****
>
> ** **
>
> GET /users/{user_id}/tenants****
>
> ** **
>
> Returning tenant list with role list associated per tenant****
>
> ** **
>
> ** **
>
> When i GET /user/{user_id} i obtain only this info****
>
> ** **
>
> {"user": {"name": "admin", "enabled": true, "email": "admin [at] example",
> "id": "ef1e63df85b641d7bf3c575bb8670cef", "tenantId": null}}
> ****
>
> ** **
>
> Regards****
>
> ** **
>
> --
> -------------------------------------------
> Luis Alberto Gervaso Martin****
>
> Woorea Solutions, S.L
> CEO & CTO
> mobile: (+34) 627983344
> luis@ <luis.gervaso [at] gmail>woorea.es****
>
> ** **
>
> ** **
>
> ** **
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack [at] lists
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp****
>
> ** **
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack [at] lists
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp****
>
> ** **
>
>
>
> ****
>
> ** **
>
> --
> -------------------------------------------
> Luis Alberto Gervaso Martin****
>
> Woorea Solutions, S.L
> CEO & CTO
> mobile: (+34) 627983344
> luis@ <luis.gervaso [at] gmail>woorea.es****
>
> ** **
>



--
-------------------------------------------
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO & CTO
mobile: (+34) 627983344
luis@ <luis.gervaso [at] gmail>woorea.es


dolph.mathews at gmail

May 4, 2012, 6:28 AM

Post #10 of 12 (395 views)
Permalink
Re: Keystone API question [In reply to]

Replied inline.

On Thu, May 3, 2012 at 3:23 PM, Luis Gervaso <luis [at] woorea> wrote:

> Yes, this is the real issue.
>
> Since /tenants is only valid for the current user (that's X-Auth-Token
> dependant)
>

Correct.


>
> How can an administrator user list all the tenants a user belongs to?
>
>
In the current API, I'm only aware of the opposite call:

GET /tenants/{tenant_id}/users


> Another issue i've detected is that endpoints are always dependant on a
> service,
> may be i'm wrong but for me:
>
> /service/{service_id}/endpoints
>
> is more appropiate than
>
> /endpoints
>

We had a brief discussion on this topic at the summit in the v.NEXT API
talk, and Joseph Heck followed up with an email on the list regarding use
cases of the service catalog:
http://www.mail-archive.com/openstack [at] lists/msg10194.html

I think the direction of that discussion should answer your question :)


>
> Dolph, please correct me
>
> Luis
>
>
> On Thu, May 3, 2012 at 10:12 PM, Everett Toews <everett.toews [at] cybera>wrote:
>
>> I get the same as Luis when trying GET /users/{user_id}/roles on
>> stable/essex (using devstack). Keystone spits back an
>>
>> AttributeError: 'UserController' object has no attribute 'get_user_roles'
>>
>> message instead of a nice 501.
>>
>> GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more
>> detail have a look at
>>
>>
>> http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html
>>
>> Everett
>>
>>
>> On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews <dolph.mathews [at] gmail>wrote:
>>
>>> The philosophy in essex is that it's meaningless for a user to have a
>>> role without that role being applied to a tenant, so the call that's
>>> implemented is:
>>>
>>> GET /tenants/{tenant_id}/users/{user_id}/roles
>>>
>>> Calling this instead should get you an HTTP 501 stating "User roles not
>>> supported: tenant ID required".
>>>
>>> GET /users/{user_id}/roles
>>>
>>> Also, the term "roleRefs" was deprecated late in the diablo cycle
>>> (AFAIK) in favor of "roles".
>>>
>>> -Dolph
>>>
>>> On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso <luis [at] woorea> wrote:
>>>
>>>> Hi,
>>>>
>>>> In Diablo was:
>>>>
>>>> GET /users/{user_id}/roleRefs
>>>>
>>>> In Essex it is maintained for compatibility reasons. I understand that
>>>> this is the obsolete now.
>>>>
>>>> I can find:
>>>>
>>>> PUT & DELETE /users/{user_id}/roles/OS-KSADM/{role_id}
>>>>
>>>> How can get all the roles having a user_id?
>>>>
>>>> GET /users/{user_id}/roles (i can't find this on stable/essex)
>>>>
>>>> Returning role list with tenant associated
>>>>
>>>> Another option that would work for me is:
>>>>
>>>> GET /users/{user_id}/tenants
>>>>
>>>> Returning tenant list with role list associated per tenant
>>>>
>>>>
>>>> When i GET /user/{user_id} i obtain only this info
>>>>
>>>> {"user": {"name": "admin", "enabled": true, "email": "admin [at] example",
>>>> "id": "ef1e63df85b641d7bf3c575bb8670cef", "tenantId": null}}
>>>>
>>>> Regards
>>>>
>>>> --
>>>> -------------------------------------------
>>>> Luis Alberto Gervaso Martin
>>>> Woorea Solutions, S.L
>>>> CEO & CTO
>>>> mobile: (+34) 627983344
>>>> luis@ <luis.gervaso [at] gmail>woorea.es
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Mailing list: https://launchpad.net/~openstack
>>>> Post to : openstack [at] lists
>>>> Unsubscribe : https://launchpad.net/~openstack
>>>> More help : https://help.launchpad.net/ListHelp
>>>>
>>>>
>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~openstack
>>> Post to : openstack [at] lists
>>> Unsubscribe : https://launchpad.net/~openstack
>>> More help : https://help.launchpad.net/ListHelp
>>>
>>>
>>
>
>
> --
> -------------------------------------------
> Luis Alberto Gervaso Martin
> Woorea Solutions, S.L
> CEO & CTO
> mobile: (+34) 627983344
> luis@ <luis.gervaso [at] gmail>woorea.es
>
>


everett.toews at cybera

May 4, 2012, 9:51 AM

Post #11 of 12 (394 views)
Permalink
Re: Keystone API question [In reply to]

Hi Luis,

I'm digging around in the Keystone code right now and helping answer your
questions is helping me learn the code base. Keep 'em coming!

Anyway, from what I can tell, you're correct that there's no general way to
get all of the tenants that a user belongs to in the current high level
API. However, there is already support for exactly this feature in the
lower level API. In [1] you'll see that the Driver object has the
method get_tenants_for_user. This method is implemented in all of the
backends in [2] so there's support for it everywhere, it just hasn't been
exposed in the high level API. Looking closer at [1] we see the comment,

# NOTE(termie): seven calls below should probably be exposed by the api
# more clearly when the api redesign happens

which includes the method get_tenants_for_user. Looks like it's just a
matter of adding this method to one of the Routers to make it available in
the REST API.

My advice to you is to track down termie and find out what the story is
with the API redesign he mentions. Of course, you could always propose a
blueprint to [3] and make the method available yourself ;)

Hope this helps,
Everett

[1]
https://github.com/openstack/keystone/blob/master/keystone/identity/core.py
[2]
https://github.com/openstack/keystone/tree/master/keystone/identity/backends
[3] https://blueprints.launchpad.net/keystone

On Thu, May 3, 2012 at 5:27 PM, Luis Gervaso <luis [at] woorea> wrote:

> From admin port I want to list the tenants a user (different from the
> current user) belongs to.
>
>
> On Fri, May 4, 2012 at 1:24 AM, Gabriel Hurley <Gabriel.Hurley [at] nebula>wrote:
>
>> On the keystone admin port the tenants call will list all tenants
>> (provided the token corresponds to a user who has admin privileges).****
>>
>> ** **
>>
>> **- **Gabriel****
>>
>> ** **
>>
>> *From:* openstack-bounces+gabriel.hurley=nebula.com [at] lists[mailto:
>> openstack-bounces+gabriel.hurley=nebula.com [at] lists] *On
>> Behalf Of *Luis Gervaso
>> *Sent:* Thursday, May 03, 2012 1:24 PM
>> *To:* Everett Toews
>> *Cc:* openstack [at] lists
>> *Subject:* Re: [Openstack] Keystone API question****
>>
>> ** **
>>
>> Yes, this is the real issue.****
>>
>> ** **
>>
>> Since /tenants is only valid for the current user (that's X-Auth-Token
>> dependant)****
>>
>> ** **
>>
>> How can an administrator user list all the tenants a user belongs to?****
>>
>> ** **
>>
>> Another issue i've detected is that endpoints are always dependant on a
>> service,****
>>
>> may be i'm wrong but for me:****
>>
>> ** **
>>
>> /service/{service_id}/endpoints****
>>
>> ** **
>>
>> is more appropiate than****
>>
>> ** **
>>
>> /endpoints****
>>
>> ** **
>>
>> Dolph, please correct me****
>>
>> ** **
>>
>> Luis****
>>
>> ** **
>>
>> ** **
>>
>> On Thu, May 3, 2012 at 10:12 PM, Everett Toews <everett.toews [at] cybera>
>> wrote:****
>>
>> I get the same as Luis when trying GET /users/{user_id}/roles on
>> stable/essex (using devstack). Keystone spits back an****
>>
>> ** **
>>
>> AttributeError: 'UserController' object has no attribute 'get_user_roles'
>> ****
>>
>> ** **
>>
>> message instead of a nice 501.****
>>
>> ** **
>>
>> GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more
>> detail have a look at****
>>
>> ** **
>>
>>
>> http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html
>> ****
>>
>> ** **
>>
>> Everett****
>>
>> ** **
>>
>> On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews <dolph.mathews [at] gmail>
>> wrote:****
>>
>> The philosophy in essex is that it's meaningless for a user to have a
>> role without that role being applied to a tenant, so the call that's
>> implemented is:****
>>
>> ** **
>>
>> GET /tenants/{tenant_id}/users/{user_id}/roles****
>>
>> ** **
>>
>> Calling this instead should get you an HTTP 501 stating "User roles not
>> supported: tenant ID required".****
>>
>> ** **
>>
>> GET /users/{user_id}/roles****
>>
>> ** **
>>
>> Also, the term "roleRefs" was deprecated late in the diablo cycle (AFAIK)
>> in favor of "roles".****
>>
>> ** **
>>
>> -Dolph****
>>
>> ** **
>>
>> On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso <luis [at] woorea> wrote:****
>>
>> Hi,****
>>
>> ** **
>>
>> In Diablo was:****
>>
>> ** **
>>
>> GET /users/{user_id}/roleRefs
>> ****
>>
>> ** **
>>
>> In Essex it is maintained for compatibility reasons. I understand that
>> this is the obsolete now.****
>>
>> ** **
>>
>> I can find:****
>>
>> ** **
>>
>> PUT & DELETE /users/{user_id}/roles/OS-KSADM/{role_id}****
>>
>> ** **
>>
>> How can get all the roles having a user_id?****
>>
>> ** **
>>
>> GET /users/{user_id}/roles (i can't find this on stable/essex)****
>>
>> ** **
>>
>> Returning role list with tenant associated****
>>
>> ** **
>>
>> Another option that would work for me is:****
>>
>> ** **
>>
>> GET /users/{user_id}/tenants****
>>
>> ** **
>>
>> Returning tenant list with role list associated per tenant****
>>
>> ** **
>>
>> ** **
>>
>> When i GET /user/{user_id} i obtain only this info****
>>
>> ** **
>>
>> {"user": {"name": "admin", "enabled": true, "email": "admin [at] example",
>> "id": "ef1e63df85b641d7bf3c575bb8670cef", "tenantId": null}}
>> ****
>>
>> ** **
>>
>> Regards****
>>
>> ** **
>>
>> --
>> -------------------------------------------
>> Luis Alberto Gervaso Martin****
>>
>> Woorea Solutions, S.L
>> CEO & CTO
>> mobile: (+34) 627983344
>> luis@ <luis.gervaso [at] gmail>woorea.es****
>>
>> ** **
>>
>> ** **
>>
>> ** **
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to : openstack [at] lists
>> Unsubscribe : https://launchpad.net/~openstack
>> More help : https://help.launchpad.net/ListHelp****
>>
>> ** **
>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to : openstack [at] lists
>> Unsubscribe : https://launchpad.net/~openstack
>> More help : https://help.launchpad.net/ListHelp****
>>
>> ** **
>>
>>
>>
>> ****
>>
>> ** **
>>
>> --
>> -------------------------------------------
>> Luis Alberto Gervaso Martin****
>>
>> Woorea Solutions, S.L
>> CEO & CTO
>> mobile: (+34) 627983344
>> luis@ <luis.gervaso [at] gmail>woorea.es****
>>
>> ** **
>>
>
>
>
> --
> -------------------------------------------
> Luis Alberto Gervaso Martin
> Woorea Solutions, S.L
> CEO & CTO
> mobile: (+34) 627983344
> luis@ <luis.gervaso [at] gmail>woorea.es
>
>


luis at woorea

May 4, 2012, 10:38 AM

Post #12 of 12 (393 views)
Permalink
Re: Keystone API question [In reply to]

Hi Everett,

I just uploaded a video showing all the issues i found:

http://youtu.be/TXw7h9Kl-Ow

As you can show, I can't drill down to roles related info from user if i
haven't selected a tenant or the user does
not have a default tenantId

>From administrative tasks should be useful list tenants from userId (not
only from X-AuthToken), so I hope this to
be included in the ws api sooner or later ;)

Note : This is using OpenStack Java SDK

On Fri, May 4, 2012 at 6:51 PM, Everett Toews <everett.toews [at] cybera>wrote:

> Hi Luis,
>
> I'm digging around in the Keystone code right now and helping answer your
> questions is helping me learn the code base. Keep 'em coming!
>
> Anyway, from what I can tell, you're correct that there's no general way
> to get all of the tenants that a user belongs to in the current high level
> API. However, there is already support for exactly this feature in the
> lower level API. In [1] you'll see that the Driver object has the
> method get_tenants_for_user. This method is implemented in all of the
> backends in [2] so there's support for it everywhere, it just hasn't been
> exposed in the high level API. Looking closer at [1] we see the comment,
>
> # NOTE(termie): seven calls below should probably be exposed by the api
> # more clearly when the api redesign happens
>
> which includes the method get_tenants_for_user. Looks like it's just a
> matter of adding this method to one of the Routers to make it available in
> the REST API.
>
> My advice to you is to track down termie and find out what the story is
> with the API redesign he mentions. Of course, you could always propose a
> blueprint to [3] and make the method available yourself ;)
>
> Hope this helps,
> Everett
>
> [1]
> https://github.com/openstack/keystone/blob/master/keystone/identity/core.py
> [2]
> https://github.com/openstack/keystone/tree/master/keystone/identity/backends
> [3] https://blueprints.launchpad.net/keystone
>
> On Thu, May 3, 2012 at 5:27 PM, Luis Gervaso <luis [at] woorea> wrote:
>
>> From admin port I want to list the tenants a user (different from the
>> current user) belongs to.
>>
>>
>> On Fri, May 4, 2012 at 1:24 AM, Gabriel Hurley <Gabriel.Hurley [at] nebula
>> > wrote:
>>
>>> On the keystone admin port the tenants call will list all tenants
>>> (provided the token corresponds to a user who has admin privileges).****
>>>
>>> ** **
>>>
>>> **- **Gabriel****
>>>
>>> ** **
>>>
>>> *From:* openstack-bounces+gabriel.hurley=nebula.com [at] lists[mailto:
>>> openstack-bounces+gabriel.hurley=nebula.com [at] lists] *On
>>> Behalf Of *Luis Gervaso
>>> *Sent:* Thursday, May 03, 2012 1:24 PM
>>> *To:* Everett Toews
>>> *Cc:* openstack [at] lists
>>> *Subject:* Re: [Openstack] Keystone API question****
>>>
>>> ** **
>>>
>>> Yes, this is the real issue.****
>>>
>>> ** **
>>>
>>> Since /tenants is only valid for the current user (that's X-Auth-Token
>>> dependant)****
>>>
>>> ** **
>>>
>>> How can an administrator user list all the tenants a user belongs to?***
>>> *
>>>
>>> ** **
>>>
>>> Another issue i've detected is that endpoints are always dependant on a
>>> service,****
>>>
>>> may be i'm wrong but for me:****
>>>
>>> ** **
>>>
>>> /service/{service_id}/endpoints****
>>>
>>> ** **
>>>
>>> is more appropiate than****
>>>
>>> ** **
>>>
>>> /endpoints****
>>>
>>> ** **
>>>
>>> Dolph, please correct me****
>>>
>>> ** **
>>>
>>> Luis****
>>>
>>> ** **
>>>
>>> ** **
>>>
>>> On Thu, May 3, 2012 at 10:12 PM, Everett Toews <everett.toews [at] cybera>
>>> wrote:****
>>>
>>> I get the same as Luis when trying GET /users/{user_id}/roles on
>>> stable/essex (using devstack). Keystone spits back an****
>>>
>>> ** **
>>>
>>> AttributeError: 'UserController' object has no attribute 'get_user_roles'
>>> ****
>>>
>>> ** **
>>>
>>> message instead of a nice 501.****
>>>
>>> ** **
>>>
>>> GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit
>>> more detail have a look at****
>>>
>>> ** **
>>>
>>>
>>> http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html
>>> ****
>>>
>>> ** **
>>>
>>> Everett****
>>>
>>> ** **
>>>
>>> On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews <dolph.mathews [at] gmail>
>>> wrote:****
>>>
>>> The philosophy in essex is that it's meaningless for a user to have a
>>> role without that role being applied to a tenant, so the call that's
>>> implemented is:****
>>>
>>> ** **
>>>
>>> GET /tenants/{tenant_id}/users/{user_id}/roles****
>>>
>>> ** **
>>>
>>> Calling this instead should get you an HTTP 501 stating "User roles not
>>> supported: tenant ID required".****
>>>
>>> ** **
>>>
>>> GET /users/{user_id}/roles****
>>>
>>> ** **
>>>
>>> Also, the term "roleRefs" was deprecated late in the diablo cycle
>>> (AFAIK) in favor of "roles".****
>>>
>>> ** **
>>>
>>> -Dolph****
>>>
>>> ** **
>>>
>>> On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso <luis [at] woorea> wrote:****
>>>
>>> Hi,****
>>>
>>> ** **
>>>
>>> In Diablo was:****
>>>
>>> ** **
>>>
>>> GET /users/{user_id}/roleRefs
>>> ****
>>>
>>> ** **
>>>
>>> In Essex it is maintained for compatibility reasons. I understand that
>>> this is the obsolete now.****
>>>
>>> ** **
>>>
>>> I can find:****
>>>
>>> ** **
>>>
>>> PUT & DELETE /users/{user_id}/roles/OS-KSADM/{role_id}****
>>>
>>> ** **
>>>
>>> How can get all the roles having a user_id?****
>>>
>>> ** **
>>>
>>> GET /users/{user_id}/roles (i can't find this on stable/essex)****
>>>
>>> ** **
>>>
>>> Returning role list with tenant associated****
>>>
>>> ** **
>>>
>>> Another option that would work for me is:****
>>>
>>> ** **
>>>
>>> GET /users/{user_id}/tenants****
>>>
>>> ** **
>>>
>>> Returning tenant list with role list associated per tenant****
>>>
>>> ** **
>>>
>>> ** **
>>>
>>> When i GET /user/{user_id} i obtain only this info****
>>>
>>> ** **
>>>
>>> {"user": {"name": "admin", "enabled": true, "email": "admin [at] example",
>>> "id": "ef1e63df85b641d7bf3c575bb8670cef", "tenantId": null}}
>>> ****
>>>
>>> ** **
>>>
>>> Regards****
>>>
>>> ** **
>>>
>>> --
>>> -------------------------------------------
>>> Luis Alberto Gervaso Martin****
>>>
>>> Woorea Solutions, S.L
>>> CEO & CTO
>>> mobile: (+34) 627983344
>>> luis@ <luis.gervaso [at] gmail>woorea.es****
>>>
>>> ** **
>>>
>>> ** **
>>>
>>> ** **
>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~openstack
>>> Post to : openstack [at] lists
>>> Unsubscribe : https://launchpad.net/~openstack
>>> More help : https://help.launchpad.net/ListHelp****
>>>
>>> ** **
>>>
>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~openstack
>>> Post to : openstack [at] lists
>>> Unsubscribe : https://launchpad.net/~openstack
>>> More help : https://help.launchpad.net/ListHelp****
>>>
>>> ** **
>>>
>>>
>>>
>>> ****
>>>
>>> ** **
>>>
>>> --
>>> -------------------------------------------
>>> Luis Alberto Gervaso Martin****
>>>
>>> Woorea Solutions, S.L
>>> CEO & CTO
>>> mobile: (+34) 627983344
>>> luis@ <luis.gervaso [at] gmail>woorea.es****
>>>
>>> ** **
>>>
>>
>>
>>
>> --
>> -------------------------------------------
>> Luis Alberto Gervaso Martin
>> Woorea Solutions, S.L
>> CEO & CTO
>> mobile: (+34) 627983344
>> luis@ <luis.gervaso [at] gmail>woorea.es
>>
>>
>


--
-------------------------------------------
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO & CTO
mobile: (+34) 627983344
luis@ <luis.gervaso [at] gmail>woorea.es

OpenStack dev RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.