My keystoneclient version is 0.3.2 (a) If you want get all users in a tenant, please try 'keystone user-list --tenant-id xxxxx' If you want get all roles of all users in a tenant, you need to get all users in a tenant first, then use 'keystone user-role-list' to get each user's roles and get them together
(b) I check keystoneclient user-role-list code in github master branch Keystoneclient will try to use User-name and tenant-name to get user and tenant, if can't find (404), then get all tenants and users, pick out result with same name, I think the problem occurs in the event of 500 responses, can you paste some keystone error log ? maybe change other user-name try again # now try the entity as a string try: return manager.get(name_or_id) except (exceptions.NotFound): pass # finally try to find entity by name try: if isinstance(name_or_id, str): name_or_id = name_or_id.decode('utf-8', 'strict') return manager.find(name=name_or_id) -----邮件原件----- 发件人: James [mailto:jamesze...@gmail.com] 发送时间: 2013年10月16日 1:29 收件人: Chenrui (A) 抄送: openstack@lists.openstack.org 主题: Re: 答复: [Openstack] keystone client issues Thanks for the reply. Answers in-line. On Mon, Oct 14, 2013 at 10:53 PM, Chenrui (A) <kiwik.chen...@huawei.com> wrote: > What is the version of your keystone? > My version is 2013.2~rc1-0ubuntu1~cloud0 v0.4.0 on this end. > I run same case on my host, (a) were encountered, but (b) not > I try to run command with --debug, find user-role-list will use the > authenticated user id as a default user-id, > Please check whether your authenticated user had roles in the tenant > So I think (a) is default behavior, is not a bug :) > > (a) > root@ubuntu-02:~# keystone user-role-list --tenant-id > d5e7a29a420949d3a7ef1c0513c5477a > > root@ubuntu-02:~# keystone user-role-list --tenant-id > d5e7a29a420949d3a7ef1c0513c5477a --user-id 63e367c0374e48a59e0e69f763590a35 > +----------------------------------+----------+----------------------------------+----------------------------------+ > | id | name | user_id > | tenant_id | > +----------------------------------+----------+----------------------------------+----------------------------------+ > | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | > 63e367c0374e48a59e0e69f763590a35 | d5e7a29a420949d3a7ef1c0513c5477a | > +----------------------------------+----------+----------------------------------+----------------------------------+ I was going on the assumption that without the --user-id, keystone would return a list of all users in the project. If this is proper behavior, then what is the best way to get a list of all users in a tenant / project? > (b) > root@ubuntu-02:~# keystone user-role-list --tenant service --user cinder > +----------------------------------+--------+----------------------------------+----------------------------------+ > | id | name | user_id > | tenant_id | > +----------------------------------+--------+----------------------------------+----------------------------------+ > | c4327e8913ca41b59f61bd5f58d8e420 | Member | > 89b87b9b584b40a09aae9d9283992444 | d5e7a29a420949d3a7ef1c0513c5477a | > | 6d740d49f4424501a83439dcbd03e027 | admin | > 89b87b9b584b40a09aae9d9283992444 | d5e7a29a420949d3a7ef1c0513c5477a | > +----------------------------------+--------+----------------------------------+----------------------------------+ This one is also interesting -- I know it *should* work (I've seen some of my colleagues do this on their systems), but it doesn't work here. Here's what the debug output shows (truncated for brevity and security): -->8-- ~ % keystone --debug user-role-list --tenant train-lab-04 --user <some_username> REQ: curl -i -X POST http://10.96.201.187:35357/v2.0/tokens -H "Content-Type: application/json" -H "User-Agent: python-keystoneclient" REQ BODY: {"auth": {"tenantName": "<blah>", "passwordCredentials": {"username": "admin", "password": "SOMEPASSWORD"}}} RESP: [200] CaseInsensitiveDict({'date': 'Tue, 15 Oct 2013 17:08:07 GMT', 'vary': 'X-Auth-Token', 'content-length': '2416', 'content-type': 'application/json'}) RESP BODY: {"access": {"token": {"issued_at": "2013-10-15T17:08:06.805770", "expires": "2013-10-16T17:08:06Z", "id": "fb76306e38a64c55b9ce46ae2029abcd", "tenant": {"description": "Default Tenant - Admin", "enabled": true, "id": "fc9ba4c1d32d48679b5c3e9b2c00abcd", "name": "<blah>"}}, "serviceCatalog": [{"endpoints": [{"adminURL": "http://10.96.201.185:8774/v2/fc9ba4c1d32d48679b5c3e9b2c00abcd", "region": "PA", "internalURL": "http://10.96.201.185:8774/v2/fc9ba4c1d32d48679b5c3e9b2c00abcd", "id": "280c800402da47d393e4e0890a5abcde", "publicURL": "http://10.96.201.185:8774/v2/fc9ba4c1d32d48679b5c3e9b2c00abcd"}], "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": [{"adminURL": "http://10.96.201.188:9696", "region": "PA", "internalURL": "http://10.96.201.188:9696", "id": "fc9ba4c1d32d48679b5c3e9b2c00abcd", "publicURL": "http://10.96.201.188:9696"}], "endpoints_links": [], "type": "network", "name": "quantum"}, {"endpoints": [{"adminURL": "http://10.96.201.185:9292", "region": "PA", "internalURL": "http://10.96.201.185:9292", "id": "be1d2f2449ac448299c1258913babcde", "publicURL": "http://10.96.201.185:9292"}], "endpoints_links": [], "type": "image", "name": "glance"}, {"endpoints": [{"adminURL": "http://10.96.201.190:8776/v1/fc9ba4c1d32d48679b5c3e9b2c00abcd", "region": "PA", "internalURL": "http://10.96.201.190:8776/v1/fc9ba4c1d32d48679b5c3e9b2c00abcd", "id": "9ae35a87f24040038851ce9c9eabcde", "publicURL": "http://10.96.201.190:8776/v1/fc9ba4c1d32d48679b5c3e9b2cabcde"}], "endpoints_links": [], "type": "volume", "name": "cinder"}, {"endpoints": [{"adminURL": "http://10.96.201.185:8773/service/Cloud", "region": "PA", "internalURL": "http://10.96.201.185:8773/service/Cloud", "id": "0ae37a0217d6445e8adbb5ce08abcde", "publicURL": "http://10.96.201.185:8773/service/Cloud"}], "endpoints_links": [], "type": "ec2", "name": "ec2"}, {"endpoints": [{"adminURL": "http://10.96.201.187:35357/v2.0", "region": "PA", "internalURL": "http://10.96.201.187:5000/v2.0", "id": "37b3aa6fade24ced8d6dae8fdaabcdef", "publicURL": "http://10.96.201.187:5000/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": {"username": "admin", "roles_links": [], "id": "5e363b8f0665443d89ca9d9787aabcde", "roles": [{"name": "admin"}, {"name": "_member_"}], "name": "admin"}, "metadata": {"is_admin": 0, "roles": ["b04ac30a90f64c3692d54c73e92abcd", "9fe2ff9ee4384b1894a90878d3e9abcd"]}}} REQ: curl -i -X GET http://10.96.201.187:35357/v2.0/tenants/train-lab-04 -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: fb76306e38a64c55b9ce46ae2029abcd" RESP: [404] CaseInsensitiveDict({'date': 'Tue, 15 Oct 2013 17:08:07 GMT', 'vary': 'X-Auth-Token', 'content-length': '97', 'content-type': 'application/json'}) RESP BODY: {"error": {"message": "Could not find project: train-lab-04", "code": 404, "title": "Not Found"}} Request returned failure status: 404 REQ: curl -i -X GET http://10.96.201.187:35357/v2.0/tenants -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: fb76306e38a64c55b9ce46ae2029abcd" RESP: [200] CaseInsensitiveDict({'date': 'Tue, 15 Oct 2013 17:08:08 GMT', 'vary': 'X-Auth-Token', 'content-length': '65744', 'content-type': 'application/json'}) RESP BODY: {"tenants_links": [], "tenants": [<blah blah blah>{"description": "Training Lab", "enabled": true, "id": "19371ce3a80b47e6bc31d7576c912de3", "name": "train-lab-04"}, <blah blah blah>]} <-- note that train-lab-04 is listed here! REQ: curl -i -X GET http://10.96.201.187:35357/v2.0/users/<some_username> -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: fb76306e38a64c55b9ce46ae2029abcd" RESP: [500] CaseInsensitiveDict({'date': 'Tue, 15 Oct 2013 17:08:09 GMT', 'vary': 'X-Auth-Token', 'content-length': '181', 'content-type': 'application/json'}) RESP BODY: {"error": {"message": "An unexpected error prevented the server from fulfilling your request. global name 'user_ref' is not defined", "code": 500, "title": "Internal Server Error"}} Request returned failure status: 500 An unexpected error prevented the server from fulfilling your request. global name 'user_ref' is not defined (HTTP 500) --8<-- Here you can see that I'm logging in as admin (so I *should* be able to see all tenants and users, no?), and that the server returns a 404. In the tenant_links response, however you can clearly see train-lab-04. As I mentioned in my first post, however, if i search using the UUID of the tenant and the user, however, things work without any hiccups. Any ideas why? Thanks! > -----邮件原件----- > 发件人: James [mailto:jamesze...@gmail.com] > 发送时间: 2013年10月15日 4:43 > 收件人: openstack@lists.openstack.org > 主题: [Openstack] keystone client issues > > All, > > Hoping someone can point me in the right direction with two questions I have. > > > (a) Getting Roles from Tenant > I'm trying to get list of *all users* that are part of a project, as follows: > > % keystone tenant-list | grep -i test-lab > | 19371ce3a80b47e6bc31d7576c912de3 | train-lab-04 > | True | > > % keystone user-role-list --tenant-id 19371ce3a80b47e6bc31d7576c912ce3 > <-- empty response > > % keystone user-role-list --tenant-id 19371ce3a80b47e6bc31d7576c912de3 > --user-id 08fda199e7e34348ab2d216d1ac18f9a > +----------------------------------+--------+----------------------------------+----------------------------------+ > | id | name | user_id > | tenant_id | > +----------------------------------+--------+----------------------------------+----------------------------------+ > | bff399d92fa74d2e81ffdebb9cd4cc11 | member | > 08fda199e7e34348ab2d216d1ac18f9a | 19371ce3a80b47e6bc31d7576c912ce3 | > +----------------------------------+--------+----------------------------------+----------------------------------+ > > Is this a bug, or is there a way to get a list of all users that are > members of a tenant? Seems like the user-role-list command should > execute without a user-id being passed in. > > > (b) Using Non-UUID Values > I've seen some folks use usernames instead of UUIDs like this: > > keystone user-role-list --tenant <blah> --user <blah2> > > When I attempt do to this, I get the following error: > > An unexpected error prevented the server from fulfilling your request. > global name 'user_ref' is not defined (HTTP 500) > > Is there something that prevents me from using usernames and plain > tenant names instead of UUIDs, or is this a bug with the client? > > > Thanks! > > _______________________________________________ > Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > Post to : openstack@lists.openstack.org > Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack _______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack