[sdk]: identity service if get_application_credential method could use user name
Hello, Hope this email finds you well. Shall I please ask a question about the openstacksdk identity service, the application credential? We would like to get the expiration date of an application credential using the Identity v3 method get_application_credential or find_appplication_credential. We found that they require both the user id and the application credential id in order to get it. The code I'm using is as the following, and this works for us. conn = connection.Connection( session=sess, region_name='Victoria, identity_api_version='3') keystone = conn.identity find = keystone.get_application_credential(user='my_user_id', application_credential = 'app_cred_id') expire_date = find['expires_at'] We are wondering if we could use the user name to get it instead of the user id? If I do get_application_credential(user='catherine', application_credential = 'app_cred_id'), then it will show me an error that "You are not authorized to perform the requested action: identity:get_application_credential". Is there any method that no need user info, can just use the application credential id to get the expiration date? We also didn't find any documentation about the application credential in openstacksdk identity service docs. Thanks and have a great day! Catherine
Hi
We are wondering if we could use the user name to get it instead of the user id? If I do get_application_credential(user='catherine', application_credential = 'app_cred_id'), then it will show me an error that "You are not authorized to perform the requested action: identity:get_application_credential". Is there any method that no need user info, can just use the application credential id to get the expiration date? We also didn't find any documentation about the application credential in openstacksdk identity service docs.
You can use: user = conn.identity.find_user(name_or_id = ‘my_user’) ac = conn.identity.find_application_credential(user=user, name_or_id=‘app_cred’) Regards, Artem
Good morning, Thanks for replying back to me. I tried to use the fine_user to get the user id by username, but it seems like not all the user can use the find_user method. If I do: find_user = conn.identity.find_user(name_or_id='catherine'), it will show me that "You are not authorized to perform the requested action: identity:get_user". If I do: find_user = conn.identity.find_user(name_or_id='my_user_Id'), then it works fine. But I would like to use the username to find the user and get the id, so I'm not sure why in this case find_user only work with id not name. Thanks and have a great day! Catherine On 2021-05-08 03:01, Artem Goncharov wrote:
Hi
We are wondering if we could use the user name to get it instead of the user id? If I do get_application_credential(user='catherine', application_credential = 'app_cred_id'), then it will show me an error that "You are not authorized to perform the requested action: identity:get_application_credential". Is there any method that no need user info, can just use the application credential id to get the expiration date? We also didn't find any documentation about the application credential in openstacksdk identity service docs.
You can use:
user = conn.identity.find_user(name_or_id = 'my_user') ac = conn.identity.find_application_credential(user=user, name_or_id='app_cred')
Regards, Artem
On 10. May 2021, at 18:47, dmeng <dmeng@uvic.ca> wrote:
Good morning,
Thanks for replying back to me. I tried to use the fine_user to get the user id by username, but it seems like not all the user can use the find_user method.
If I do: find_user = conn.identity.find_user(name_or_id='catherine'), it will show me that "You are not authorized to perform the requested action: identity:get_user".
If I do: find_user = conn.identity.find_user(name_or_id='my_user_Id'), then it works fine.
But I would like to use the username to find the user and get the id, so I'm not sure why in this case find_user only work with id not name.
Depending on the configuration of your Keystone (what is already a default) and the account privileges you use (admin, domain_admin, token scope) you may be allowed or not allowed to search/list another users. Normally this is only possible in the domain scope, so maybe you would need to use account with more powers.
Thanks and have a great day!
Catherine
On 2021-05-08 03:01, Artem Goncharov wrote:
Hi
We are wondering if we could use the user name to get it instead of the user id? If I do get_application_credential(user='catherine', application_credential = 'app_cred_id'), then it will show me an error that "You are not authorized to perform the requested action: identity:get_application_credential". Is there any method that no need user info, can just use the application credential id to get the expiration date? We also didn't find any documentation about the application credential in openstacksdk identity service docs.
You can use:
user = conn.identity.find_user(name_or_id = 'my_user') ac = conn.identity.find_application_credential(user=user, name_or_id='app_cred')
Regards, Artem
Thanks Artem, just wondering how about if I use my own identity to get connected, and try to find the user id of myself? Like: auth = v3.ApplicationCredential( auth_url="my_auth_url", application_credential_secret="my_cred_secret", application_credential_id="my_cred_id", username='catherine', ) sess = session.Session(auth=auth) conn = connection.Connection( session=sess, region_name='Victoria', identity_api_version='3', ) # tested the above connection works well find_user = conn.identity.find_user(name_or_id='catherine') This returns me that "You are not authorized to perform the requested action: identity:get_user"; but conn.identity.find_user(name_or_id='my_user_Id') works fine. Think in the openstack cli tools, I couldn't show other users, but I could use my own username to list the info of myself, "/usr/local/bin/openstack user show catherine", this works. Thanks for your help, Catherine On 2021-05-10 10:08, Artem Goncharov wrote:
On 10. May 2021, at 18:47, dmeng <dmeng@uvic.ca> wrote:
Good morning,
Thanks for replying back to me. I tried to use the fine_user to get the user id by username, but it seems like not all the user can use the find_user method.
If I do: find_user = conn.identity.find_user(name_or_id='catherine'), it will show me that "You are not authorized to perform the requested action: identity:get_user".
If I do: find_user = conn.identity.find_user(name_or_id='my_user_Id'), then it works fine.
But I would like to use the username to find the user and get the id, so I'm not sure why in this case find_user only work with id not name.
Depending on the configuration of your Keystone (what is already a default) and the account privileges you use (admin, domain_admin, token scope) you may be allowed or not allowed to search/list another users. Normally this is only possible in the domain scope, so maybe you would need to use account with more powers.
Thanks and have a great day!
Catherine
On 2021-05-08 03:01, Artem Goncharov wrote: Hi
We are wondering if we could use the user name to get it instead of the user id? If I do get_application_credential(user='catherine', application_credential = 'app_cred_id'), then it will show me an error that "You are not authorized to perform the requested action: identity:get_application_credential". Is there any method that no need user info, can just use the application credential id to get the expiration date? We also didn't find any documentation about the application credential in openstacksdk identity service docs.
You can use:
user = conn.identity.find_user(name_or_id = 'my_user') ac = conn.identity.find_application_credential(user=user, name_or_id='app_cred')
Regards, Artem
On 10. May 2021, at 19:27, dmeng <dmeng@uvic.ca> wrote:
Thanks Artem, just wondering how about if I use my own identity to get connected, and try to find the user id of myself? Like:
auth = v3.ApplicationCredential( auth_url="my_auth_url", application_credential_secret="my_cred_secret", application_credential_id="my_cred_id", username='catherine', )
sess = session.Session(auth=auth)
conn = connection.Connection( session=sess, region_name='Victoria', identity_api_version='3', )
# tested the above connection works well
find_user = conn.identity.find_user(name_or_id='catherine')
This returns me that "You are not authorized to perform the requested action: identity:get_user"; but conn.identity.find_user(name_or_id='my_user_Id') works fine.
Knowing object ID you can do nearly everything. Name is something like an alias and we always need to find ID of the resource by its name. That’s why knowing ID you can proceed, but knowing name you need to invoke additional methods (listing all users in domain), which are depending on the privileges not allowed.
Think in the openstack cli tools, I couldn't show other users, but I could use my own username to list the info of myself, "/usr/local/bin/openstack user show catherine", this works.
Thanks for your help,
Catherine
On 2021-05-10 10:08, Artem Goncharov wrote:
On 10. May 2021, at 18:47, dmeng <dmeng@uvic.ca <mailto:dmeng@uvic.ca>> wrote: Good morning,
Thanks for replying back to me. I tried to use the fine_user to get the user id by username, but it seems like not all the user can use the find_user method.
If I do: find_user = conn.identity.find_user(name_or_id='catherine'), it will show me that "You are not authorized to perform the requested action: identity:get_user".
If I do: find_user = conn.identity.find_user(name_or_id='my_user_Id'), then it works fine.
But I would like to use the username to find the user and get the id, so I'm not sure why in this case find_user only work with id not name.
Depending on the configuration of your Keystone (what is already a default) and the account privileges you use (admin, domain_admin, token scope) you may be allowed or not allowed to search/list another users. Normally this is only possible in the domain scope, so maybe you would need to use account with more powers.
Thanks and have a great day!
Catherine
On 2021-05-08 03:01, Artem Goncharov wrote:
Hi
We are wondering if we could use the user name to get it instead of the user id? If I do get_application_credential(user='catherine', application_credential = 'app_cred_id'), then it will show me an error that "You are not authorized to perform the requested action: identity:get_application_credential". Is there any method that no need user info, can just use the application credential id to get the expiration date? We also didn't find any documentation about the application credential in openstacksdk identity service docs.
You can use:
user = conn.identity.find_user(name_or_id = 'my_user') ac = conn.identity.find_application_credential(user=user, name_or_id='app_cred')
Regards, Artem
participants (2)
-
Artem Goncharov
-
dmeng