[sdk]: identity service if get_application_credential method could use user name

dmeng dmeng at uvic.ca
Mon May 10 17:27:55 UTC 2021

Thanks Artem, just wondering how about if I use my own identity to get
connected, and try to find the user id of myself? Like: 

auth = v3.ApplicationCredential(

sess = session.Session(auth=auth) 

conn = connection.Connection(

# tested the above connection works well 

find_user = conn.identity.find_user(name_or_id='catherine') 

This returns me that "You are not authorized to perform the requested
action: identity:get_user"; but
conn.identity.find_user(name_or_id='my_user_Id') works fine. 

Think in the openstack cli tools, I couldn't show other users,  but I
could use my own username to list the info of myself,
"/usr/local/bin/openstack user show catherine", this works. 

Thanks for your help, 


On 2021-05-10 10:08, Artem Goncharov wrote:

>> On 10. May 2021, at 18:47, dmeng <dmeng at uvic.ca> wrote: 
>> Good morning, 
>> Thanks for replying back to me. I tried to use the fine_user to get the user id by username, but it seems like not all the user can use the find_user method. 
>> If I do: find_user = conn.identity.find_user(name_or_id='catherine'), it will show me that "You are not authorized to perform the requested action: identity:get_user". 
>> If I do: find_user = conn.identity.find_user(name_or_id='my_user_Id'), then it works fine. 
>> But I would like to use the username to find the user and get the id, so I'm not sure why in this case find_user only work with id not name.
> Depending on the configuration of your Keystone (what is already a default) and the account privileges you use (admin, domain_admin, token scope) you may be allowed or not allowed to search/list another users. Normally this is only possible in the domain scope, so maybe you would need to use account with more powers. 
> Thanks and have a great day! 
> Catherine
> On 2021-05-08 03:01, Artem Goncharov wrote: Hi
> We are wondering if we could use the user name to get it instead of the user id? If I do get_application_credential(user='catherine', application_credential = 'app_cred_id'), then it will show me an error that "You are not authorized to perform the requested action: identity:get_application_credential". Is there any method that no need user info, can just use the application credential id to get the expiration date? We also didn't find any documentation about the application credential in openstacksdk identity service docs. 
> You can use: 
> user = conn.identity.find_user(name_or_id = 'my_user') 
> ac = conn.identity.find_application_credential(user=user, name_or_id='app_cred')  
> Regards, 
> Artem
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20210510/174e392b/attachment.html>

More information about the openstack-discuss mailing list