openstack team mailing list archive

[Gabriel Hurley <Gabriel.Hurley@xxxxxxxxxx>]

On the keystone admin port the tenants call will list all tenants (provided the token corresponds to a user who has admin privileges).


-          Gabriel

From: openstack-bounces+gabriel.hurley=nebula.com@xxxxxxxxxxxxxxxxxxx [mailto:openstack-bounces+gabriel.hurley=nebula.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Luis Gervaso
Sent: Thursday, May 03, 2012 1:24 PM
To: Everett Toews
Cc: openstack@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Openstack] Keystone API question

Yes, this is the real issue.

Since /tenants is only valid for the current user (that's X-Auth-Token dependant)

How can an administrator user list all the tenants a user belongs to?

Another issue i've detected is that endpoints are always dependant on a service,
may be i'm wrong but for me:

/service/{service_id}/endpoints

is more appropiate than

/endpoints

Dolph, please correct me

Luis


On Thu, May 3, 2012 at 10:12 PM, Everett Toews <everett.toews@xxxxxxxxx<mailto:everett.toews@xxxxxxxxx>> wrote:
I get the same as Luis when trying GET /users/{user_id}/roles on stable/essex (using devstack). Keystone spits back an

AttributeError: 'UserController' object has no attribute 'get_user_roles'

message instead of a nice 501.

GET /tenants/{tenant_id}/users/{user_id}/roles works fine. For a bit more detail have a look at

http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_listRolesForUserOnTenant_v2.0_tenants__tenantId__users__user_id__roles_Admin_API_Service_Developer_Operations-d1e1356.html

Everett

On Thu, May 3, 2012 at 9:34 AM, Dolph Mathews <dolph.mathews@xxxxxxxxx<mailto:dolph.mathews@xxxxxxxxx>> wrote:
The philosophy in essex is that it's meaningless for a user to have a role without that role being applied to a tenant, so the call that's implemented is:

    GET /tenants/{tenant_id}/users/{user_id}/roles

Calling this instead should get you an HTTP 501 stating "User roles not supported: tenant ID required".

    GET /users/{user_id}/roles

Also, the term "roleRefs" was deprecated late in the diablo cycle (AFAIK) in favor of "roles".

-Dolph

On Wed, May 2, 2012 at 3:44 PM, Luis Gervaso <luis@xxxxxxxxx<mailto:luis@xxxxxxxxx>> wrote:
Hi,

In Diablo was:

GET /users/{user_id}/roleRefs

In Essex it is maintained for compatibility reasons. I understand that this is the obsolete now.

I can find:

PUT & DELETE /users/{user_id}/roles/OS-KSADM/{role_id}

How can get all the roles having a user_id?

GET /users/{user_id}/roles (i can't find this on stable/essex)

Returning role list with tenant associated

Another option that would work for me is:

GET /users/{user_id}/tenants

Returning tenant list with role list associated per tenant


When i GET /user/{user_id} i obtain only this info

{"user": {"name": "admin", "enabled": true, "email": "admin@xxxxxxxxxxx<mailto:admin@xxxxxxxxxxx>", "id": "ef1e63df85b641d7bf3c575bb8670cef", "tenantId": null}}

Regards

--
-------------------------------------------
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO & CTO
mobile: (+34) 627983344<tel:%28%2B34%29%20627983344>
luis@<mailto:luis.gervaso@xxxxxxxxx>woorea.es<http://woorea.es/>



_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@xxxxxxxxxxxxxxxxxxx<mailto:openstack@xxxxxxxxxxxxxxxxxxx>
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@xxxxxxxxxxxxxxxxxxx<mailto:openstack@xxxxxxxxxxxxxxxxxxx>
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp




--
-------------------------------------------
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO & CTO
mobile: (+34) 627983344
luis@<mailto:luis.gervaso@xxxxxxxxx>woorea.es<http://woorea.es/>