OpenStack Identity (keystone)

Need Clarification on "List users with a role"

Asked by Harika Vakadi

According to "OpenStack Identity API v3" Doc :
        https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md#list-users-with-a-role-get-rolesrole_idusers

I have tried to list users with a role
URL: GET /roles/{role_id}/users
This was resulting resource NotFound Error, below are the steps I have followed to achieve it.

Steps Followed:

1) Created a Project
2) Created a User associated the above created project to it

3) Now assigned the admin role to the user on the same project, as below
curl -i http://<IP>:35357/v3/projects/228128d950be4ebd9c22830bad9ea284/users/09f03ece89d44eb9a8cca381cd2aa524/roles/9ac9bb8ac07c477fb908b8f1c13a4407 -X PUT -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token:<Token>"
HTTP/1.1 204 No Content
Vary: X-Auth-Token
Content-Length: 0
Date: Mon, 29 Apr 2013 15:33:28 GMT

4) Lastly, List users with a role
curl -i http://<IP>:35357/v3/roles/9ac9bb8ac07c477fb908b8f1c13a4407/users -X GET -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: <Token>"
HTTP/1.1 404 Not Found
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 93
Date: Mon, 29 Apr 2013 15:34:28 GMT

{"error": {"message": "The resource could not be found.", "code": 404, "title": "Not Found"}}

Can anyone help in resolving the issue, or please correct me if I am wrong in covering this use case

Thanks in advance,
Harika

Question information

Language:
English Edit question
Status:
Solved
For:
OpenStack Identity (keystone) Edit question
Assignee:
No assignee Edit question
Solved by:
xingzhou
Solved:
Last query:
Last reply:
Revision history for this message
xingzhou (xingzhou) said : 		#1

I think list all the users that under a role is still under implementation, I've checked the latest code and there is no API open for /roles/{role_id}/users. Also, there is already a blueprint for this feature, please also see:

https://blueprints.launchpad.net/keystone/+spec/project-role-lists

Revision history for this message
Harika Vakadi (harika-vakadi) said : 		#2

Thanks for the answer xingzhou.

The issue is with API open for /roles/{role_id}/users.
According to the blueprint
https://blueprints.launchpad.net/keystone/+spec/project-role-lists

FYI, Following resources are working fine in V3 API

- List users with role on project:
GET /projects/{project_id}/roles/{role_id}/users

- List groups with roles on project:
GET /projects/{project_id}/roles/{role_id}/groups

- List users with roles on domain:
GET /domains/{domain_id}/roles/{role_id}/users

- List groups with roles on domain:
GET /domains/{domain_id}/roles/{role_id}/groups

Revision history for this message
xingzhou (xingzhou) said : 		#3

Hi Harika, yeah, current V3 API seems only support the listing of role's users under specific tenant or domain, as in current design, identity service only grant roles to user under domain or project, so I'm thinking we need to improve the API doc to correct this, what's your idea on this?

Revision history for this message
Harika Vakadi (harika-vakadi) said : 		#4

@xingzhou
As "roles/{role_id}/users" would give us the list of users that a particular role is assigned to and there is no other equivalent url to get this result. Hence I feel implementing this would be good. Please suggest your view.

Revision history for this message
Best xingzhou (xingzhou) said : 		#5

Hi Harika, yes, provide this API will let user know all the users granted by specific role regardless of domains or tenants, I would suggest add one advice to blueprint https://blueprints.launchpad.net/keystone/+spec/project-role-lists to add this API

Revision history for this message
Harika Vakadi (harika-vakadi) said : 		#6

Thanks xingzhou, that solved my question.