Is it possible for a normal user to check the tenant list?

Asked by Koji

Is there a way for a normal user to check the list of the tenants s/he has access to? The command "keystone help tenant-list" doesn't tell much, and it seems to be available only to admin.

Thanks in advance,

Question information

Status: Solved
For: OpenStack Identity (keystone)
Solved by: Koji
Haneef Ali (haneef) said :
#1

It depends on the policy file. If you haven't changed the policy file, then the default policy file setting is

  "identity:list_user_projects": [["rule:admin_or_owner"]],

which allows you to list your projects. You can directly use the curl command to get the tenant list:

curl -H "X-Auth-Token: Your token" keystone_url/v3/users/<user_id>/projects should list your projects.

BTW, I have used the v3 API.

Koji (kj-tanaka) said :
#2

Thanks Haneef.

I see this

"identity:list_user_projects": [["rule:admin_or_owner"]]

on the policy.

And, mine is v2.0, but this

curl -H "X-Auth-Token: Your token" keystone_url/v2.0/users/<user_id>/projects

doesn't work... I guess I'm doing something wrong, but my ideal way is some simple command line like "nova image-list". So, even though I could figure this out with curl, I still hope there is (or will be) some short command to check the tenant list.

ZhiQiang Fan (aji-zqfan) said :
#3

keystone --os-username xxx --os-password xxx tenant-list

Usually, we set OS env vars OS_USERNAME=admin OS_PASSWORD=xxx (and there are other necessary env vars) to shorten the command, and run as admin:
keystone tenant-list

You can set the OS env vars to your own tenant name (along with its corresponding password), so the command can be as short as for the admin tenant, but it would be a little inconvenient to switch back; that depends on you.

Koji (kj-tanaka) said :
#4

Thanks ZhiQiang.

I still get this error when I execute "keystone --os-username xxx --os-password xxx tenant-list"

Unable to communicate with identity service: {"error": {"message": "You are not authorized to perform the requested action: admin_required", "code": 403, "title": "Not Authorized"}}. (HTTP 403)

Should I change the following line to something else?

"identity:list_user_projects": [["rule:admin_or_owner"]]

ZhiQiang Fan (aji-zqfan) said :
#5

I think there is no need to change the policy.
I will re-verify it in a real environment, Grizzly 2013.1.3,
or maybe someone else can solve it.

good luck

ZhiQiang Fan (aji-zqfan) said :
#6

Sorry, I re-verified. I think there is no way for us to list a user's tenants directly via the keystone CLI, but as @Haneef Ali (haneef) said, you can use the REST API to get the result.

NOTE: I think only v3 supports such a request; if you change the v3 to v2.0, it will return a 404 error.

So you can write a small shell script and use it like this:

root@openstack:~# cat user-tenant-list.sh
#! /usr/bin/env bash

# Look up the user's id by name with the keystone CLI (needs the OS_* admin credentials in the env)
user_id=$(keystone user-get "$1" | awk '/ id / {print $4}')
# Query the v3 API on the admin port (35357) with the admin/service token;
# OS_AUTH_URL is assumed to look like http://host:5000/v2.0, so everything from "5000" on is replaced
curl -H "X-Auth-Token: ${OS_TOKEN:-$SERVICE_TOKEN}" "${OS_AUTH_URL%5000*}35357/v3/users/$user_id/projects"

root@openstack:~# sh user-tenant-list.sh demo
{"links": {"self": "http://localhost:5000/v3/users/4bb84f6f499b481fa7f433a4168b03a6/projects", "previous": null, "next": null}, "projects": [{"description": null, "links": {"self": "http://localhost:5000/v3/projects/543cf789e0ca4f189f7d955592991ed0"}, "enabled": true, "id": "543cf789e0ca4f189f7d955592991ed0", "domain_id": "default", "name": "service"}]}

NOTE: you must set OS_TOKEN and/or SERVICE_TOKEN, or you will get a 401 Unauthorized error.

Or you can use this prettyTable script: https://gist.github.com/zqfan/6928881
Download it to your local directory and link it:
# ln -s /path/to/the script /usr/local/bin
Then you can directly type: # user-tenant-list demo
+----------------------------------+---------+---------+-------------+
|                id                |  name   | enabled | description |
+----------------------------------+---------+---------+-------------+
| 543cf789e0ca4f189f7d955592991ed0 | service | True    |             |
+----------------------------------+---------+---------+-------------+

Finally, I think these two approaches are not so convenient; there must be a convenient way, or we should create it in keystone.
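As an added example (not from this thread or from keystone itself), here is a Python 3 equivalent of the script above that sends the caller's own token to the public endpoint instead of the admin service token on 35357, which is exactly what the owner half of rule:admin_or_owner permits; it also names the cause of the 401, 403 and 404 replies seen in this thread. The env var names OS_AUTH_URL, OS_TOKEN and OS_USER_ID are assumptions, and the sample body is constructed to mirror the reply shown above.

```python
import json
import os
import urllib.error
import urllib.request

# Constructed sample body, mirroring the /v3/users/<user_id>/projects reply shown above.
SAMPLE_BODY = ('{"links": {"self": "http://localhost:5000/v3/users/4bb84f6f499b481fa7f433a4168b03a6/projects",'
               ' "previous": null, "next": null}, "projects": [{"description": null, "links":'
               ' {"self": "http://localhost:5000/v3/projects/543cf789e0ca4f189f7d955592991ed0"}, "enabled": true,'
               ' "id": "543cf789e0ca4f189f7d955592991ed0", "domain_id": "default", "name": "service"}]}')

def v3_base(auth_url):
    """Turn OS_AUTH_URL (usually ending in /v2.0 or /v3) into the v3 root on the same host and port."""
    root = auth_url.rstrip("/")
    for suffix in ("/v2.0", "/v3"):
        if root.endswith(suffix):
            root = root[:-len(suffix)]
    return root + "/v3"

def parse_projects(body):
    """Reduce the JSON reply to (id, name, enabled, description) rows."""
    return [(p["id"], p["name"], p["enabled"], p.get("description") or "")
            for p in json.loads(body).get("projects", [])]

def explain_status(code):
    """Map the HTTP errors reported in this thread to their likely cause."""
    causes = {401: "missing or invalid X-Auth-Token",
              403: "policy denied: identity:list_user_projects needs admin_or_owner, "
                   "so the token's user must be <user_id> (or an admin)",
              404: "no such path: this call exists under /v3 only, not /v2.0"}
    return causes.get(code, "unexpected error")

def fetch_user_projects(auth_url, token, user_id):
    """Live query with the caller's own token (the 'owner' half of admin_or_owner)."""
    req = urllib.request.Request(f"{v3_base(auth_url)}/users/{user_id}/projects",
                                 headers={"X-Auth-Token": token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_projects(resp.read().decode())
    except urllib.error.HTTPError as exc:
        raise SystemExit(f"HTTP {exc.code}: {explain_status(exc.code)}")

if __name__ == "__main__":
    # Assumed env names: OS_AUTH_URL, OS_TOKEN and OS_USER_ID; without them, show the constructed sample.
    env = os.environ
    live = all(k in env for k in ("OS_AUTH_URL", "OS_TOKEN", "OS_USER_ID"))
    rows = (fetch_user_projects(env["OS_AUTH_URL"], env["OS_TOKEN"], env["OS_USER_ID"])
            if live else parse_projects(SAMPLE_BODY))
    for pid, name, enabled, desc in rows:
        print(f"{pid}  {name:<10} enabled={enabled} {desc}")
```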

Koji (kj-tanaka) said :
#7

Ok thanks ZhiQiang.

I'll use the script. I think I need to add some more lines on it for getting OS_TOKEN and SERVICE_TOKEN. But it should be good enough right now. So I'll close this thread.

p.s.
It would be nice if keystone-client could make it happen in the future.