OpenStack Identity (keystone)

Is there a way to see user-role-add and user-role-remove changes from termainal.

Asked by koolhead17

Hi,
Was trying out keystone commands from https://github.com/openstack/keystone/blob/master/doc/source/configuration.rst

I wanted to know if there is a way to see relationship changes after using user-role-add and user-role-remove commands anywhere?

How can i see there relationship? Is there a command which can list user -- role relation?

Question information

Language:
English Edit question
Status:
Solved
For:
OpenStack Identity (keystone) Edit question
Assignee:
No assignee Edit question
Solved by:
koolhead17
Solved:
Last query:
Last reply:
Revision history for this message
koolhead17 (koolhead17) said : 		#1

like

keystone user-role list ??

Revision history for this message
Anne Gentle (annegentle) said : 		#2

Looks like you can look up the UUIDs of roles (and get their names too) with:
keystone role-list

Revision history for this message
koolhead17 (koolhead17) said : 		#3

$ keystone user-role-add --user=26fa84af14fe4b4d9481ec23116ac052 --role=9aac93896b4e44c3900cfb30b53b1dfa --tenant_id=d2c3addc4272410f9836a542a1286a8e

$ keystone role-list
+----------------------------------+-------+
| id | name |
 +----------------------------------+-------+
| 9aac93896b4e44c3900cfb30b53b1dfa | local |
 +----------------------------------+-------+

Anne i can only see https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/v2_0/roles.py#L53

I need a associated command to query the same.

My question is still unanswered. :(

Revision history for this message
Joseph Heck (heckj) said : 		#4

This was resolved fairly recently as bug 932282.

role list was extended to take --user and --tenant as arguments to show you want you're asking for.

Revision history for this message
koolhead17 (koolhead17) said : 		#5

@heckj

What i wanted is a simple command which displays user with roles he is associates with in a tenant. :D

Revision history for this message
yong sheng gong (gongysh) said : 		#6

role-list will show roles associated with the user specified by --user and --tenant_id arguments.

I think maybe you are looking for some commands such as "keystone user-role-list", which will show all associations between user, role and tenant. I support. We have user-role-add, user-role-remove, why not "user-role-list"?

below is my running of this command:

[root@robinlinux gongys]# keystone role-list --user c7b0297a46a24363b51f9e9d52e62fb5 --tenant_id 19fe0f48d5124d208b3e78824481f777
+----------------------------------+-------+
| id | name |
 +----------------------------------+-------+
| 55514b3f6975473bb8b88f4d9134c06c | admin |

[root@robinlinux gongys]# keystone role-list
+----------------------------------+----------------------+
| id | name |
 +----------------------------------+----------------------+
| 4cbcb07936e04091853bc6c495601af8 | KeystoneAdmin |
| 55514b3f6975473bb8b88f4d9134c06c | admin |
| 8aba0bc25afe413987407cbf20aa3305 | KeystoneServiceAdmin |
 +----------------------------------+----------------------+
[root@robinlinux gongys]#

Revision history for this message
Tomasz Kłosiński (tomasz-michal-klosinski) said : 		#7

You can see it in table "metadata" in keystone db.

mysql> use keystone;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from metadata;
+----------------------------------+----------------------------------+-------------------------------------------------+
| user_id | tenant_id | data |
 +----------------------------------+----------------------------------+-------------------------------------------------+
| 1f5039d64f624c9c936177d04f1bc480 | d456666e7ccc4db78c9141e57b70f0d5 | {"roles": ["8d452cecec474443a2cef806a3a1ead0"]} |
| 1f5039d64f624c9c936177d04f1bc480 | f4ac28a96c0747008142aa0a6ba87169 | {"roles": ["8d452cecec474443a2cef806a3a1ead0"]} |
| 526e94f5ab624ff78bb00800d083461d | d456666e7ccc4db78c9141e57b70f0d5 | {"roles": ["9bcf239bf3f043f0887f9392070ec932"]} |
| 6ad800e5b7ac4d18889b7f7da61bb709 | b0f983f0019746d8abe478df713aa689 | {"roles": ["8d452cecec474443a2cef806a3a1ead0"]} |
| 6ad800e5b7ac4d18889b7f7da61bb709 | e6a6b9aa314344099880702bbf7295f1 | {"roles": ["9bcf239bf3f043f0887f9392070ec932"]} |
| 6ad800e5b7ac4d18889b7f7da61bb709 | f4ac28a96c0747008142aa0a6ba87169 | {"roles": ["8d452cecec474443a2cef806a3a1ead0"]} |
| 8c99e25da0a44069917afee1f860dbd7 | b0f983f0019746d8abe478df713aa689 | {"roles": ["8d452cecec474443a2cef806a3a1ead0"]} |
| 8c99e25da0a44069917afee1f860dbd7 | e6a6b9aa314344099880702bbf7295f1 | {"roles": ["9bcf239bf3f043f0887f9392070ec932"]} |
| 8c99e25da0a44069917afee1f860dbd7 | f4ac28a96c0747008142aa0a6ba87169 | {"roles": ["8d452cecec474443a2cef806a3a1ead0"]} |
| ac3f1723728646ef807d69700314286a | f4ac28a96c0747008142aa0a6ba87169 | {"roles": ["9bcf239bf3f043f0887f9392070ec932"]} |
| c729ec7eefcc4f72b457786e623a703d | b0f983f0019746d8abe478df713aa689 | {"roles": ["8d452cecec474443a2cef806a3a1ead0"]} |
| c729ec7eefcc4f72b457786e623a703d | e6a6b9aa314344099880702bbf7295f1 | {"roles": ["9bcf239bf3f043f0887f9392070ec932"]} |
| c729ec7eefcc4f72b457786e623a703d | f4ac28a96c0747008142aa0a6ba87169 | {"roles": ["8d452cecec474443a2cef806a3a1ead0"]} |
| ce644daa8b6742e69febf82b3a15b8cb | ba5444f90ac546e981ec3b86c3f580bd | {"roles": ["9bcf239bf3f043f0887f9392070ec932"]} |
| ce644daa8b6742e69febf82b3a15b8cb | d456666e7ccc4db78c9141e57b70f0d5 | {"roles": ["9bcf239bf3f043f0887f9392070ec932"]} |
| f46280931a7f460ebc362676345d3ff7 | b0f983f0019746d8abe478df713aa689 | {"roles": ["8d452cecec474443a2cef806a3a1ead0"]} |
| f46280931a7f460ebc362676345d3ff7 | e6a6b9aa314344099880702bbf7295f1 | {"roles": ["9bcf239bf3f043f0887f9392070ec932"]} |
| f46280931a7f460ebc362676345d3ff7 | f4ac28a96c0747008142aa0a6ba87169 | {"roles": ["8d452cecec474443a2cef806a3a1ead0"]} |
 +----------------------------------+----------------------------------+-------------------------------------------------+
18 rows in set (0.00 sec)

mysql>

Revision history for this message
koolhead17 (koolhead17) said : 		#8

Thanks,
I was looking or specific command. Thanks or this workaround though. :)

Am sure keystone guys will have this command in mind with there new API for Folsom.