<div dir="ltr"><div>Hi James, </div><div><br></div> I check it on my environment(Ubuntu 12.04 + devstack), the situation is the same with Chen's.<div><br></div><div> Please give more info here, maybe some conf are incorrect. </div>
<div><br></div><div><br></div><div>Thanks~</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Oct 16, 2013 at 11:45 AM, Chenrui (A) <span dir="ltr"><<a href="mailto:kiwik.chenrui@huawei.com" target="_blank">kiwik.chenrui@huawei.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">My keystoneclient version is 0.3.2<br>
<br>
(a)<br>
If you want get all users in a tenant, please try 'keystone user-list --tenant-id xxxxx'<br>
If you want get all roles of all users in a tenant, you need to get all users in a tenant first, then use 'keystone user-role-list' to get each user's roles and get them together<br>
<br>
(b)<br>
I check keystoneclient user-role-list code in github master branch<br>
Keystoneclient will try to use User-name and tenant-name to get user and tenant, if can't find (404), then get all tenants and users, pick out result with same name,<br>
I think the problem occurs in the event of 500 responses, can you paste some keystone error log ? maybe change other user-name try again<br>
<br>
# now try the entity as a string<br>
try:<br>
return manager.get(name_or_id)<br>
except (exceptions.NotFound):<br>
pass<br>
<br>
# finally try to find entity by name<br>
try:<br>
if isinstance(name_or_id, str):<br>
name_or_id = name_or_id.decode('utf-8', 'strict')<br>
return manager.find(name=name_or_id)<br>
<div class="im"><br>
<br>
-----邮件原件-----<br>
发件人: James [mailto:<a href="mailto:jameszee13@gmail.com">jameszee13@gmail.com</a>]<br>
</div>发送时间: 2013年10月16日 1:29<br>
收件人: Chenrui (A)<br>
抄送: <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
主题: Re: 答复: [Openstack] keystone client issues<br>
<div class="HOEnZb"><div class="h5"><br>
Thanks for the reply. Answers in-line.<br>
<br>
On Mon, Oct 14, 2013 at 10:53 PM, Chenrui (A) <<a href="mailto:kiwik.chenrui@huawei.com">kiwik.chenrui@huawei.com</a>> wrote:<br>
> What is the version of your keystone?<br>
> My version is 2013.2~rc1-0ubuntu1~cloud0<br>
<br>
<br>
v0.4.0 on this end.<br>
<br>
<br>
> I run same case on my host, (a) were encountered, but (b) not<br>
> I try to run command with --debug, find user-role-list will use the authenticated user id as a default user-id,<br>
> Please check whether your authenticated user had roles in the tenant<br>
> So I think (a) is default behavior, is not a bug :)<br>
><br>
> (a)<br>
> root@ubuntu-02:~# keystone user-role-list --tenant-id d5e7a29a420949d3a7ef1c0513c5477a<br>
><br>
> root@ubuntu-02:~# keystone user-role-list --tenant-id d5e7a29a420949d3a7ef1c0513c5477a --user-id 63e367c0374e48a59e0e69f763590a35<br>
> +----------------------------------+----------+----------------------------------+----------------------------------+<br>
> | id | name | user_id | tenant_id |<br>
> +----------------------------------+----------+----------------------------------+----------------------------------+<br>
> | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 63e367c0374e48a59e0e69f763590a35 | d5e7a29a420949d3a7ef1c0513c5477a |<br>
> +----------------------------------+----------+----------------------------------+----------------------------------+<br>
<br>
<br>
I was going on the assumption that without the --user-id, keystone<br>
would return a list of all users in the project. If this is proper<br>
behavior, then what is the best way to get a list of all users in a<br>
tenant / project?<br>
<br>
<br>
> (b)<br>
> root@ubuntu-02:~# keystone user-role-list --tenant service --user cinder<br>
> +----------------------------------+--------+----------------------------------+----------------------------------+<br>
> | id | name | user_id | tenant_id |<br>
> +----------------------------------+--------+----------------------------------+----------------------------------+<br>
> | c4327e8913ca41b59f61bd5f58d8e420 | Member | 89b87b9b584b40a09aae9d9283992444 | d5e7a29a420949d3a7ef1c0513c5477a |<br>
> | 6d740d49f4424501a83439dcbd03e027 | admin | 89b87b9b584b40a09aae9d9283992444 | d5e7a29a420949d3a7ef1c0513c5477a |<br>
> +----------------------------------+--------+----------------------------------+----------------------------------+<br>
<br>
<br>
This one is also interesting -- I know it *should* work (I've seen<br>
some of my colleagues do this on their systems), but it doesn't work<br>
here. Here's what the debug output shows (truncated for brevity and<br>
security):<br>
<br>
<br>
-->8--<br>
<br>
~ % keystone --debug user-role-list --tenant train-lab-04 --user <some_username><br>
REQ: curl -i -X POST <a href="http://10.96.201.187:35357/v2.0/tokens" target="_blank">http://10.96.201.187:35357/v2.0/tokens</a> -H<br>
"Content-Type: application/json" -H "User-Agent:<br>
python-keystoneclient"<br>
REQ BODY: {"auth": {"tenantName": "<blah>", "passwordCredentials":<br>
{"username": "admin", "password": "SOMEPASSWORD"}}}<br>
<br>
RESP: [200] CaseInsensitiveDict({'date': 'Tue, 15 Oct 2013 17:08:07<br>
GMT', 'vary': 'X-Auth-Token', 'content-length': '2416',<br>
'content-type': 'application/json'})<br>
RESP BODY: {"access": {"token": {"issued_at":<br>
"2013-10-15T17:08:06.805770", "expires": "2013-10-16T17:08:06Z", "id":<br>
"fb76306e38a64c55b9ce46ae2029abcd", "tenant": {"description": "Default<br>
Tenant - Admin", "enabled": true, "id":<br>
"fc9ba4c1d32d48679b5c3e9b2c00abcd", "name": "<blah>"}},<br>
"serviceCatalog": [{"endpoints": [{"adminURL":<br>
"<a href="http://10.96.201.185:8774/v2/fc9ba4c1d32d48679b5c3e9b2c00abcd" target="_blank">http://10.96.201.185:8774/v2/fc9ba4c1d32d48679b5c3e9b2c00abcd</a>",<br>
"region": "PA", "internalURL":<br>
"<a href="http://10.96.201.185:8774/v2/fc9ba4c1d32d48679b5c3e9b2c00abcd" target="_blank">http://10.96.201.185:8774/v2/fc9ba4c1d32d48679b5c3e9b2c00abcd</a>", "id":<br>
"280c800402da47d393e4e0890a5abcde", "publicURL":<br>
"<a href="http://10.96.201.185:8774/v2/fc9ba4c1d32d48679b5c3e9b2c00abcd" target="_blank">http://10.96.201.185:8774/v2/fc9ba4c1d32d48679b5c3e9b2c00abcd</a>"}],<br>
"endpoints_links": [], "type": "compute", "name": "nova"},<br>
{"endpoints": [{"adminURL": "<a href="http://10.96.201.188:9696" target="_blank">http://10.96.201.188:9696</a>", "region":<br>
"PA", "internalURL": "<a href="http://10.96.201.188:9696" target="_blank">http://10.96.201.188:9696</a>", "id":<br>
"fc9ba4c1d32d48679b5c3e9b2c00abcd", "publicURL":<br>
"<a href="http://10.96.201.188:9696" target="_blank">http://10.96.201.188:9696</a>"}], "endpoints_links": [], "type":<br>
"network", "name": "quantum"}, {"endpoints": [{"adminURL":<br>
"<a href="http://10.96.201.185:9292" target="_blank">http://10.96.201.185:9292</a>", "region": "PA", "internalURL":<br>
"<a href="http://10.96.201.185:9292" target="_blank">http://10.96.201.185:9292</a>", "id": "be1d2f2449ac448299c1258913babcde",<br>
"publicURL": "<a href="http://10.96.201.185:9292" target="_blank">http://10.96.201.185:9292</a>"}], "endpoints_links": [],<br>
"type": "image", "name": "glance"}, {"endpoints": [{"adminURL":<br>
"<a href="http://10.96.201.190:8776/v1/fc9ba4c1d32d48679b5c3e9b2c00abcd" target="_blank">http://10.96.201.190:8776/v1/fc9ba4c1d32d48679b5c3e9b2c00abcd</a>",<br>
"region": "PA", "internalURL":<br>
"<a href="http://10.96.201.190:8776/v1/fc9ba4c1d32d48679b5c3e9b2c00abcd" target="_blank">http://10.96.201.190:8776/v1/fc9ba4c1d32d48679b5c3e9b2c00abcd</a>", "id":<br>
"9ae35a87f24040038851ce9c9eabcde", "publicURL":<br>
"<a href="http://10.96.201.190:8776/v1/fc9ba4c1d32d48679b5c3e9b2cabcde" target="_blank">http://10.96.201.190:8776/v1/fc9ba4c1d32d48679b5c3e9b2cabcde</a>"}],<br>
"endpoints_links": [], "type": "volume", "name": "cinder"},<br>
{"endpoints": [{"adminURL": "<a href="http://10.96.201.185:8773/service/Cloud" target="_blank">http://10.96.201.185:8773/service/Cloud</a>",<br>
"region": "PA", "internalURL":<br>
"<a href="http://10.96.201.185:8773/service/Cloud" target="_blank">http://10.96.201.185:8773/service/Cloud</a>", "id":<br>
"0ae37a0217d6445e8adbb5ce08abcde", "publicURL":<br>
"<a href="http://10.96.201.185:8773/service/Cloud" target="_blank">http://10.96.201.185:8773/service/Cloud</a>"}], "endpoints_links": [],<br>
"type": "ec2", "name": "ec2"}, {"endpoints": [{"adminURL":<br>
"<a href="http://10.96.201.187:35357/v2.0" target="_blank">http://10.96.201.187:35357/v2.0</a>", "region": "PA", "internalURL":<br>
"<a href="http://10.96.201.187:5000/v2.0" target="_blank">http://10.96.201.187:5000/v2.0</a>", "id":<br>
"37b3aa6fade24ced8d6dae8fdaabcdef", "publicURL":<br>
"<a href="http://10.96.201.187:5000/v2.0" target="_blank">http://10.96.201.187:5000/v2.0</a>"}], "endpoints_links": [], "type":<br>
"identity", "name": "keystone"}], "user": {"username": "admin",<br>
"roles_links": [], "id": "5e363b8f0665443d89ca9d9787aabcde", "roles":<br>
[{"name": "admin"}, {"name": "_member_"}], "name": "admin"},<br>
"metadata": {"is_admin": 0, "roles":<br>
["b04ac30a90f64c3692d54c73e92abcd",<br>
"9fe2ff9ee4384b1894a90878d3e9abcd"]}}}<br>
<br>
REQ: curl -i -X GET<br>
<a href="http://10.96.201.187:35357/v2.0/tenants/train-lab-04" target="_blank">http://10.96.201.187:35357/v2.0/tenants/train-lab-04</a> -H "User-Agent:<br>
python-keystoneclient" -H "X-Auth-Token:<br>
fb76306e38a64c55b9ce46ae2029abcd"<br>
RESP: [404] CaseInsensitiveDict({'date': 'Tue, 15 Oct 2013 17:08:07<br>
GMT', 'vary': 'X-Auth-Token', 'content-length': '97', 'content-type':<br>
'application/json'})<br>
RESP BODY: {"error": {"message": "Could not find project:<br>
train-lab-04", "code": 404, "title": "Not Found"}}<br>
<br>
Request returned failure status: 404<br>
REQ: curl -i -X GET <a href="http://10.96.201.187:35357/v2.0/tenants" target="_blank">http://10.96.201.187:35357/v2.0/tenants</a> -H<br>
"User-Agent: python-keystoneclient" -H "X-Auth-Token:<br>
fb76306e38a64c55b9ce46ae2029abcd"<br>
RESP: [200] CaseInsensitiveDict({'date': 'Tue, 15 Oct 2013 17:08:08<br>
GMT', 'vary': 'X-Auth-Token', 'content-length': '65744',<br>
'content-type': 'application/json'})<br>
RESP BODY: {"tenants_links": [], "tenants": [<blah blah<br>
blah>{"description": "Training Lab", "enabled": true, "id":<br>
"19371ce3a80b47e6bc31d7576c912de3", "name": "train-lab-04"}, <blah<br>
blah blah>]} <-- note that train-lab-04 is listed here!<br>
<br>
REQ: curl -i -X GET<br>
<a href="http://10.96.201.187:35357/v2.0/users/" target="_blank">http://10.96.201.187:35357/v2.0/users/</a><some_username> -H "User-Agent:<br>
python-keystoneclient" -H "X-Auth-Token:<br>
fb76306e38a64c55b9ce46ae2029abcd"<br>
RESP: [500] CaseInsensitiveDict({'date': 'Tue, 15 Oct 2013 17:08:09<br>
GMT', 'vary': 'X-Auth-Token', 'content-length': '181', 'content-type':<br>
'application/json'})<br>
RESP BODY: {"error": {"message": "An unexpected error prevented the<br>
server from fulfilling your request. global name 'user_ref' is not<br>
defined", "code": 500, "title": "Internal Server Error"}}<br>
<br>
Request returned failure status: 500<br>
An unexpected error prevented the server from fulfilling your request.<br>
global name 'user_ref' is not defined (HTTP 500)<br>
<br>
--8<--<br>
<br>
<br>
Here you can see that I'm logging in as admin (so I *should* be able<br>
to see all tenants and users, no?), and that the server returns a 404.<br>
In the tenant_links response, however you can clearly see<br>
train-lab-04. As I mentioned in my first post, however, if i search<br>
using the UUID of the tenant and the user, however, things work<br>
without any hiccups. Any ideas why?<br>
<br>
Thanks!<br>
<br>
<br>
> -----邮件原件-----<br>
> 发件人: James [mailto:<a href="mailto:jameszee13@gmail.com">jameszee13@gmail.com</a>]<br>
> 发送时间: 2013年10月15日 4:43<br>
> 收件人: <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
> 主题: [Openstack] keystone client issues<br>
><br>
> All,<br>
><br>
> Hoping someone can point me in the right direction with two questions I have.<br>
><br>
><br>
> (a) Getting Roles from Tenant<br>
> I'm trying to get list of *all users* that are part of a project, as follows:<br>
><br>
> % keystone tenant-list | grep -i test-lab<br>
> | 19371ce3a80b47e6bc31d7576c912de3 | train-lab-04<br>
> | True |<br>
><br>
> % keystone user-role-list --tenant-id 19371ce3a80b47e6bc31d7576c912ce3<br>
> <-- empty response<br>
><br>
> % keystone user-role-list --tenant-id 19371ce3a80b47e6bc31d7576c912de3<br>
> --user-id 08fda199e7e34348ab2d216d1ac18f9a<br>
> +----------------------------------+--------+----------------------------------+----------------------------------+<br>
> | id | name | user_id<br>
> | tenant_id |<br>
> +----------------------------------+--------+----------------------------------+----------------------------------+<br>
> | bff399d92fa74d2e81ffdebb9cd4cc11 | member |<br>
> 08fda199e7e34348ab2d216d1ac18f9a | 19371ce3a80b47e6bc31d7576c912ce3 |<br>
> +----------------------------------+--------+----------------------------------+----------------------------------+<br>
><br>
> Is this a bug, or is there a way to get a list of all users that are<br>
> members of a tenant? Seems like the user-role-list command should<br>
> execute without a user-id being passed in.<br>
><br>
><br>
> (b) Using Non-UUID Values<br>
> I've seen some folks use usernames instead of UUIDs like this:<br>
><br>
> keystone user-role-list --tenant <blah> --user <blah2><br>
><br>
> When I attempt do to this, I get the following error:<br>
><br>
> An unexpected error prevented the server from fulfilling your request.<br>
> global name 'user_ref' is not defined (HTTP 500)<br>
><br>
> Is there something that prevents me from using usernames and plain<br>
> tenant names instead of UUIDs, or is this a bug with the client?<br>
><br>
><br>
> Thanks!<br>
><br>
> _______________________________________________<br>
> Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
> Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
> Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
</div></div></blockquote></div><br></div>