Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
Applies to SUSE OpenStack Cloud Crowbar

4 Keystone User Guide

This section contains the documentation for end-users of keystone.

4.1 User Documentation

An end user can find the specific API documentation here, OpenStack’s Identity API.

Note
Note

Following are some API examples using curl. These examples are not automatically generated. They can be outdated as things change and are subject to regular updates and changes.

4.1.1 API Examples using Curl

4.1.1.1 v3 API Examples Using Curl

4.1.1.1.1 Tokens
4.1.1.1.1.1 Default scope

Get a token with default scope (may be unscoped):

curl -i \
  -H "Content-Type: application/json" \
  -d '
{ "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "name": "admin",
          "domain": { "id": "default" },
          "password": "adminpwd"
        }
      }
    }
  }
}' \
  "http://localhost:5000/v3/auth/tokens" ; echo

Example response:

HTTP/1.1 201 Created
X-Subject-Token: MIIFvgY...
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 1025
Date: Tue, 10 Jun 2014 20:55:16 GMT

{
  "token": {
    "methods": ["password"],
    "roles": [{
      "id": "9fe2ff9ee4384b1894a90878d3e92bab",
      "name": "_member_"
    }, {
      "id": "c703057be878458588961ce9a0ce686b",
      "name": "admin"
    }],
    "expires_at": "2014-06-10T2:55:16.806001Z",
    "project": {
      "domain": {
        "id": "default",
        "name": "Default"
      },
      "id": "8538a3f13f9541b28c2620eb19065e45",
      "name": "admin"
    },
    "catalog": [{
      "endpoints": [{
        "url": "http://localhost:3537/v2.0",
        "region": "RegionOne",
        "interface": "admin",
        "id": "29beb2f1567642eb810b042b6719ea88"
      }, {
        "url": "http://localhost:5000/v2.0",
        "region": "RegionOne",
        "interface": "internal",
        "id": "8707e3735d4415c97ae231b4841eb1c"
      }, {
        "url": "http://localhost:5000/v2.0",
        "region": "RegionOne",
        "interface": "public",
        "id": "ef303187fc8d41668f25199c298396a5"
      }],
      "type": "identity",
      "id": "bd73972c0e14fb69bae8ff76e112a90",
      "name": "keystone"
    }],
    "extras": {},
    "user": {
      "domain": {
        "id": "default",
        "name": "Default"
      },
      "id": "3ec3164f750146be97f21559ee4d9c51",
      "name": "admin"
    },
    "audit_ids": ["yRt0UrxJSs6-WYJgwEMMmg"],
    "issued_at": "201406-10T20:55:16.806027Z"
  }
}
4.1.1.1.1.2 Project-scoped

Get a project-scoped token:

curl -i \
  -H "Content-Type: application/json" \
  -d '
{ "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "name": "admin",
          "domain": { "id": "default" },
          "password": "adminpwd"
        }
      }
    },
    "scope": {
      "project": {
        "name": "demo",
        "domain": { "id": "default" }
      }
    }
  }
}' \
  "http://localhost:5000/v3/auth/tokens" ; echo

Example response:

HTTP/1.1 201 Created
X-Subject-Token: MIIFfQ...
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 960
Date: Tue, 10 Jun 2014 20:40:14 GMT

{
  "token": {
    "audit_ids": ["ECwrVNWbSCqmEgPnu0YCRw"],
    "methods": ["password"],
    "roles": [{
      "id": "c703057be878458588961ce9a0ce686b",
      "name": "admin"
    }],
    "expires_at": "2014-06-10T21:40:14.360795Z",
    "project": {
      "domain": {
        "id": "default",
        "name": "Default"
      },
      "id": "3d4c2c82bd5948f0bcab0cf3a7c9b48c",
      "name": "demo"
    },
    "catalog": [{
      "endpoints": [{
        "url": "http://localhost:35357/v2.0",
        "region": "RegionOne",
        "interface": "admin",
        "id": "29beb2f1567642eb810b042b6719ea88"
      }, {
        "url": "http://localhost:5000/v2.0",
        "region": "RegionOne",
        "interface": "internal",
        "id": "87057e3735d4415c97ae231b4841eb1c"
      }, {
        "url": "http://localhost:5000/v2.0",
        "region": "RegionOne",
        "interface": "public",
        "id": "ef303187fc8d41668f25199c298396a5"
      }],
      "type": "identity",
      "id": "bd7397d2c0e14fb69bae8ff76e112a90",
      "name": "keystone"
    }],
    "extras": {},
    "user": {
      "domain": {
        "id": "default",
        "name": "Default"
      },
      "id": "3ec3164f750146be97f21559ee4d9c51",
      "name": "admin"
    },
    "issued_at": "2014-06-10T20:40:14.360822Z"
  }
}
4.1.1.1.1.3 Domain-Scoped

Get a domain-scoped token:

Note
Note

Ensure you have a role-assignment on the domain first.

curl -i \
  -H "Content-Type: application/json" \
  -d '
{ "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "name": "admin",
          "domain": { "id": "default" },
          "password": "adminpwd"
        }
      }
    },
    "scope": {
      "domain": {
        "id": "default"
      }
    }
  }
}' \
  "http://localhost:5000/v3/auth/tokens" ; echo

Example response:

HTTP/1.1 201 Created
X-Subject-Token: MIIFNg...
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 889
Date: Tue, 10 Jun 2014 20:52:59 GMT

{
  "token": {
    "domain": {
      "id": "default",
      "name": "Default"
    },
    "methods": ["password"],
    "roles": [{
      "id": "c703057be878458588961ce9a0ce686b",
      "name": "admin"
    }],
    "expires_at": "2014-06-10T21:52:58.852167Z",
    "catalog": [{
      "endpoints": [{
        "url": "http://localhost:35357/v2.0",
        "region": "RegionOne",
        "interface": "admin",
        "id": "29beb2f1567642eb810b042b6719ea88"
      }, {
        "url": "http://localhost:5000/v2.0",
        "region": "RegionOne",
        "interface": "internal",
        "id": "87057e3735d4415c97ae231b4841eb1c"
      }, {
        "url": "http://localhost:5000/v2.0",
        "region": "RegionOne",
        "interface": "public",
        "id": "ef303187fc8d41668f25199c298396a5"
      }],
      "type": "identity",
      "id": "bd7397d2c0e14fb69bae8ff76e112a90",
      "name": "keystone"
    }],
    "extras": {},
    "user": {
      "domain": {
        "id": "default",
        "name": "Default"
      },
      "id": "3ec3164f750146be97f21559ee4d9c51",
      "name": "admin"
    },
    "audit_ids": ["Xpa6Uyn-T9S6mTREudUH3w"],
    "issued_at": "2014-06-10T20:52:58.852194Z"
  }
}
4.1.1.1.1.4 Getting a token from a token

Get a token from a token:

curl -i \
  -H "Content-Type: application/json" \
  -d '
{ "auth": {
    "identity": {
      "methods": ["token"],
      "token": {
        "id": "'$OS_TOKEN'"
      }
    }
  }
}' \
  "http://localhost:5000/v3/auth/tokens" ; echo

Example response:

HTTP/1.1 201 Created
X-Subject-Token: MIIFxw...
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 1034
Date: Tue, 10 Jun 2014 21:00:05 GMT

{
  "token": {
    "methods": ["token", "password"],
    "expires_at": "2015-05-28T07:43:44.808209Z",
    "extras": {},
    "user": {
      "domain": {
        "id": "default",
        "name": "Default"
      },
      "id": "753867c25c3340ffad1abc22d488c31a",
      "name": "admin"
    },
    "audit_ids": ["ZE0OPSuzTmCXHo0eIOYltw",
      "xxIQCkHOQOywL0oY6CTppQ"
    ],
    "issued_at": "2015-05-28T07:19:23.763532Z"
  }
}
Note
Note

If a scope was included in the request body, then this would get a token with the new scope.

4.1.1.1.1.5 DELETE /v3/auth/tokens

Revoke a token:

curl -i -X DELETE \
  -H "X-Auth-Token: $OS_TOKEN" \
  -H "X-Subject-Token: $OS_TOKEN" \
  "http://localhost:5000/v3/auth/tokens"

If there’s no error then the response is empty.

4.1.1.1.2 Domains
4.1.1.1.2.1 GET /v3/domains

List domains:

curl -s \
  -H "X-Auth-Token: $OS_TOKEN" \
  "http://localhost:5000/v3/domains" | python -mjson.tool

Example response:

{
    "domains": [
        {
            "description": "Owns users and tenants (i.e. projects) available on Identity API v2.",
            "enabled": true,
            "id": "default",
            "links": {
                "self": "http://identity-server:5000/v3/domains/default"
            },
            "name": "Default"
        }
    ],
    "links": {
        "next": null,
        "previous": null,
        "self": "http://identity-server:5000/v3/domains"
    }
}
4.1.1.1.2.2 POST /v3/domains

Create a domain:

curl -s \
  -H "X-Auth-Token: $OS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "domain": { "name": "newdomain"}}' \
  "http://localhost:5000/v3/domains" | python -mjson.tool

Example response:

{
    "domain": {
        "enabled": true,
        "id": "3a5140aecd974bf08041328b53a62458",
        "links": {
            "self": "http://identity-server:5000/v3/domains/3a5140aecd974bf08041328b53a62458"
        },
        "name": "newdomain"
    }
}
4.1.1.1.3 Projects
4.1.1.1.3.1 GET /v3/projects

List projects:

curl -s \
 -H "X-Auth-Token: $OS_TOKEN" \
 "http://localhost:5000/v3/projects" | python -mjson.tool

Example response:

{
    "links": {
        "next": null,
        "previous": null,
        "self": "http://localhost:5000/v3/projects"
    },
    "projects": [
        {
            "description": null,
            "domain_id": "default",
            "enabled": true,
            "id": "3d4c2c82bd5948f0bcab0cf3a7c9b48c",
            "links": {
                "self": "http://localhost:5000/v3/projects/3d4c2c82bd5948f0bcab0cf3a7c9b48c"
            },
            "name": "demo"
        }
    ]
}
4.1.1.1.3.2 PATCH /v3/projects/{id}

Disable a project:

curl -s -X PATCH \
  -H "X-Auth-Token: $OS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '
{
  "project": {
      "enabled": false
    }
}'\
  "http://localhost:5000/v3/projects/$PROJECT_ID"  | python -mjson.tool

Example response:

{
    "project": {
        "description": null,
        "domain_id": "default",
        "enabled": false,
        "extra": {},
        "id": "3d4c2c82bd5948f0bcab0cf3a7c9b48c",
        "links": {
            "self": "http://localhost:5000/v3/projects/3d4c2c82bd5948f0bcab0cf3a7c9b48c"
        },
        "name": "demo"
    }
}
4.1.1.1.4 GET /v3/services

List the services:

curl -s \
  -H "X-Auth-Token: $OS_TOKEN" \
  "http://localhost:5000/v3/services" | python -mjson.tool

Example response:

{
    "links": {
        "next": null,
        "previous": null,
        "self": "http://localhost:5000/v3/services"
    },
    "services": [
        {
            "description": "Keystone Identity Service",
            "enabled": true,
            "id": "bd7397d2c0e14fb69bae8ff76e112a90",
            "links": {
                "self": "http://localhost:5000/v3/services/bd7397d2c0e14fb69bae8ff76e112a90"
            },
            "name": "keystone",
            "type": "identity"
        }
    ]
}
4.1.1.1.5 GET /v3/endpoints

List the endpoints:

curl -s \
 -H "X-Auth-Token: $OS_TOKEN" \
 "http://localhost:5000/v3/endpoints" | python -mjson.tool

Example response:

{
    "endpoints": [
        {
            "enabled": true,
            "id": "29beb2f1567642eb810b042b6719ea88",
            "interface": "admin",
            "links": {
                "self": "http://localhost:5000/v3/endpoints/29beb2f1567642eb810b042b6719ea88"
            },
            "region": "RegionOne",
            "service_id": "bd7397d2c0e14fb69bae8ff76e112a90",
            "url": "http://localhost:35357/v2.0"
        }
    ],
    "links": {
        "next": null,
        "previous": null,
        "self": "http://localhost:5000/v3/endpoints"
    }
}
4.1.1.1.6 Users
4.1.1.1.6.1 GET /v3/users

List users:

curl -s \
 -H "X-Auth-Token: $OS_TOKEN" \
 "http://localhost:5000/v3/users" | python -mjson.tool
4.1.1.1.6.2 POST /v3/users

Create a user:

curl -s \
 -H "X-Auth-Token: $OS_TOKEN" \
 -H "Content-Type: application/json" \
 -d '{"user": {"name": "newuser", "password": "changeme"}}' \
 "http://localhost:5000/v3/users" | python -mjson.tool

Example response:

{
    "user": {
        "domain_id": "default",
        "enabled": true,
        "id": "ec8fc20605354edd91873f2d66bf4fc4",
        "links": {
            "self": "http://identity-server:5000/v3/users/ec8fc20605354edd91873f2d66bf4fc4"
        },
        "name": "newuser"
    }
}
4.1.1.1.6.3 GET /v3/users/{user_id}

Show details for a user:

USER_ID=ec8fc20605354edd91873f2d66bf4fc4

curl -s \
 -H "X-Auth-Token: $OS_TOKEN" \
 "http://localhost:5000/v3/users/$USER_ID" | python -mjson.tool

Example response:

{
    "user": {
        "domain_id": "default",
        "enabled": true,
        "id": "ec8fc20605354edd91873f2d66bf4fc4",
        "links": {
            "self": "http://localhost:5000/v3/users/ec8fc20605354edd91873f2d66bf4fc4"
        },
        "name": "newuser"
    }
}
4.1.1.1.6.4 POST /v3/users/{user_id}/password

Change password using the default policy; this can be done as the user:

USER_ID=b7793000f8d84c79af4e215e9da78654
ORIG_PASS=userpwd
NEW_PASS=newuserpwd

curl \
 -H "X-Auth-Token: $OS_TOKEN" \
 -H "Content-Type: application/json" \
 -d '{ "user": {"password": "'$NEW_PASS'", "original_password": "'$ORIG_PASS'"} }' \
 "http://localhost:5000/v3/users/$USER_ID/password"
Note
Note

This command will not print anything if the request was successful.

4.1.1.1.6.5 PATCH /v3/users/{user_id}

Reset password using the default policy; this requires admin:

USER_ID=b7793000f8d84c79af4e215e9da78654
NEW_PASS=newuserpwd

curl -s -X PATCH \
 -H "X-Auth-Token: $OS_TOKEN" \
 -H "Content-Type: application/json" \
 -d '{ "user": {"password": "'$NEW_PASS'"} }' \
 "http://localhost:5000/v3/users/$USER_ID" | python -mjson.tool

Example response:

{
    "user": {
        "default_project_id": "3d4c2c82bd5948f0bcab0cf3a7c9b48c",
        "domain_id": "default",
        "email": "demo@example.com",
        "enabled": true,
        "extra": {
            "email": "demo@example.com"
        },
        "id": "269348fdd9374b8885da1418e0730af1",
        "links": {
            "self": "http://localhost:5000/v3/users/269348fdd9374b8885da1418e0730af1"
        },
        "name": "demo"
    }
}
4.1.1.1.7 PUT /v3/projects/{project_id}/groups/{group_id}/roles/{role_id}

Create group role assignment on project:

curl -s -X PUT \
 -H "X-Auth-Token: $OS_TOKEN" \
 "http://localhost:5000/v3/projects/$PROJECT_ID/groups/$GROUP_ID/roles/$ROLE_ID" |
   python -mjson.tool

There’s no data in the response if the operation is successful.

4.1.1.1.8 POST /v3/OS-TRUST/trusts

Create a trust:

curl -s \
 -H "X-Auth-Token: $OS_TOKEN" \
 -H "Content-Type: application/json" \
 -d '
{ "trust": {
    "expires_at": "2014-12-30T23:59:59.999999Z",
    "impersonation": false,
    "project_id": "'$PROJECT_ID'",
    "roles": [
        { "name": "admin" }
      ],
    "trustee_user_id": "'$DEMO_USER_ID'",
    "trustor_user_id": "'$ADMIN_USER_ID'"
}}'\
 "http://localhost:5000/v3/OS-TRUST/trusts" | python -mjson.tool

Example response:

{
    "trust": {
        "expires_at": "2014-12-30T23:59:59.999999Z",
        "id": "394998fa61f14736b1f0c1f322882949",
        "impersonation": false,
        "links": {
            "self": "http://localhost:5000/v3/OS-TRUST/trusts/394998fa61f14736b1f0c1f322882949"
        },
        "project_id": "3d4c2c82bd5948f0bcab0cf3a7c9b48c",
        "remaining_uses": null,
        "roles": [
            {
                "id": "c703057be878458588961ce9a0ce686b",
                "links": {
                    "self": "http://localhost:5000/v3/roles/c703057be878458588961ce9a0ce686b"
                },
                "name": "admin"
            }
        ],
        "roles_links": {
            "next": null,
            "previous": null,
            "self": "http://localhost:5000/v3/OS-TRUST/trusts/394998fa61f14736b1f0c1f322882949/roles"
        },
        "trustee_user_id": "269348fdd9374b8885da1418e0730af1",
        "trustor_user_id": "3ec3164f750146be97f21559ee4d9c51"
    }
}

4.1.1.2 Service API Examples Using Curl

The service API is defined to be a subset of the Admin API and runs on port 5000 by default.

4.1.1.2.1 GET /

This call is identical to that documented for the Admin API, except that it uses port 5000 by default instead of port 35357:

$ curl "http://0.0.0.0:5000"

or:

$ curl "http://0.0.0.0:5000/v2.0/"

See the Section 4.1.1.3, “Admin API Examples Using Curl” for more info.

4.1.1.2.2 GET /extensions

This call is identical to that documented for the Admin API.

4.1.1.2.3 POST /tokens

This call is identical to that documented for the Admin API.

4.1.1.2.4 GET /tenants

List all of the tenants your token can access:

$ curl -H "X-Auth-Token:887665443383838" \
   "http://localhost:5000/v2.0/tenants"

Returns:

{
    "tenants_links": [],
    "tenants": [
        {
            "enabled": true,
            "description": "None",
            "name": "customer-x",
            "id": "1"
        }
    ]
}

4.1.1.3 Admin API Examples Using Curl

These examples assume a default port value of 35357, and depend on the sampledata bundled with keystone.

4.1.1.3.1 GET /

Discover API version information, links to documentation (PDF, HTML, WADL), and supported media types:

$ curl "http://0.0.0.0:35357"
{
    "versions": {
        "values": [
            {
                "id": "v3.4",
                "links": [
                    {
                        "href": "http://127.0.0.1:35357/v3/",
                        "rel": "self"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v3+json"
                    }
                ],
                "status": "stable",
                "updated": "2015-03-30T00:00:00Z"
            },
            {
                "id": "v2.0",
                "links": [
                    {
                        "href": "http://127.0.0.1:35357/v2.0/",
                        "rel": "self"
                    },
                    {
                        "href": "https://docs.openstack.org/",
                        "rel": "describedby",
                        "type": "text/html"
                    }
                ],
                "media-types": [
                    {
                        "base": "application/json",
                        "type": "application/vnd.openstack.identity-v2.0+json"
                    }
                ],
                "status": "stable",
                "updated": "2014-04-17T00:00:00Z"
            }
        ]
    }
}
$ curl "http://0.0.0.0:35357/v2.0/"

Returns:

{
    "version": {
        "id": "v2.0",
        "links": [
            {
                "href": "http://127.0.0.1:35357/v2.0/",
                "rel": "self"
            },
            {
                "href": "https://docs.openstack.org/",
                "rel": "describedby",
                "type": "text/html"
            }
        ],
        "media-types": [
            {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v2.0+json"
            }
        ],
        "status": "stable",
        "updated": "2014-04-17T00:00:00Z"
    }
}
4.1.1.3.2 GET /extensions

Discover the API extensions enabled at the endpoint:

$ curl "http://localhost:35357/v2.0/extensions/"

Returns:

{
    "extensions":{
        "values":[]
    }
}
4.1.1.3.3 POST /tokens

Authenticate by exchanging credentials for an access token:

$ curl -d '
   {"auth": {
      "tenantName": "customer-x",
      "passwordCredentials": {
        "username": "joeuser",
        "password": "secret"
       }
     }
   }' \
   -H "Content-type: application/json" \
   "http://localhost:35357/v2.0/tokens"

Returns:

{
    "access":{
        "token":{
            "expires":"2012-02-05T00:00:00",
            "id":"887665443383838",
            "tenant":{
                "id":"1",
                "name":"customer-x"
            }
        },
        "serviceCatalog":[
            {
                "endpoints":[
                {
                    "adminURL":"http://swift.admin-nets.local:8080/",
                    "region":"RegionOne",
                    "internalURL":"http://127.0.0.1:8080/v1/AUTH_1",
                    "publicURL":"http://swift.publicinternets.com/v1/AUTH_1"
                }
                ],
                "type":"object-store",
                "name":"swift"
            },
            {
                "endpoints":[
                {
                    "adminURL":"http://cdn.admin-nets.local/v1.1/1",
                    "region":"RegionOne",
                    "internalURL":"http://127.0.0.1:7777/v1.1/1",
                    "publicURL":"http://cdn.publicinternets.com/v1.1/1"
                }
                ],
                "type":"object-store",
                "name":"cdn"
            }
        ],
        "user":{
            "id":"1",
            "roles":[
                {
                "tenantId":"1",
                "id":"3",
                "name":"Member"
                }
            ],
            "name":"joeuser"
        }
    }
}
Note
Note

Take note of the value [‘access’][‘token’][‘id’] value produced here (887665443383838, above), as you can use it in the calls below.

4.1.1.3.4 GET /tokens/{token_id}
Note
Note

This call refers to a token known to be valid, 887665443383838 in this case.

Validate a token:

$ curl -H "X-Auth-Token:999888777666" \
   "http://localhost:35357/v2.0/tokens/887665443383838"

If the token is valid, returns:

{
    "access":{
        "token":{
            "expires":"2012-02-05T00:00:00",
            "id":"887665443383838",
            "tenant":{
                "id":"1",
                "name":"customer-x"
            }
        },
        "user":{
            "name":"joeuser",
            "tenantName":"customer-x",
            "id":"1",
            "roles":[
                {
                    "serviceId":"1",
                    "id":"3",
                    "name":"Member"
                }
            ],
            "tenantId":"1"
        }
    }
}
4.1.1.3.5 HEAD /tokens/{token_id}

This is a high-performance variant of the GET call documented above, which by definition, returns no response body:

$ curl -I -H "X-Auth-Token:999888777666" \
   "http://localhost:35357/v2.0/tokens/887665443383838"

This returns 200, indicating the token is valid:

HTTP/1.1 200 OK
Content-Length: 0
Content-Type: None
Date: Tue, 08 Nov 2011 23:07:44 GMT
4.1.1.3.6 GET /tokens/{token_id}/endpoints

List all endpoints for a token:

$ curl -H "X-Auth-Token:999888777666" \
   "http://localhost:35357/v2.0/tokens/887665443383838/endpoints"

Returns:

{
    "endpoints_links": [
        {
            "href": "http://127.0.0.1:35357/tokens/887665443383838/endpoints?'marker=5&limit=10'",
            "rel": "next"
        }
    ],
    "endpoints": [
        {
            "internalURL": "http://127.0.0.1:8080/v1/AUTH_1",
            "name": "swift",
            "adminURL": "http://swift.admin-nets.local:8080/",
            "region": "RegionOne",
            "tenantId": 1,
            "type": "object-store",
            "id": 1,
            "publicURL": "http://swift.publicinternets.com/v1/AUTH_1"
        },
        {
            "internalURL": "http://localhost:8774/v1.0",
            "name": "nova_compat",
            "adminURL": "http://127.0.0.1:8774/v1.0",
            "region": "RegionOne",
            "tenantId": 1,
            "type": "compute",
            "id": 2,
            "publicURL": "http://nova.publicinternets.com/v1.0/"
        },
        {
            "internalURL": "http://localhost:8774/v1.1",
            "name": "nova",
            "adminURL": "http://127.0.0.1:8774/v1.1",
            "region": "RegionOne",
            "tenantId": 1,
            "type": "compute",
            "id": 3,
            "publicURL": "http://nova.publicinternets.com/v1.1/
        },
        {
            "internalURL": "http://127.0.0.1:9292/v1.1/",
            "name": "glance",
            "adminURL": "http://nova.admin-nets.local/v1.1/",
            "region": "RegionOne",
            "tenantId": 1,
            "type": "image",
            "id": 4,
            "publicURL": "http://glance.publicinternets.com/v1.1/"
        },
        {
            "internalURL": "http://127.0.0.1:7777/v1.1/1",
            "name": "cdn",
            "adminURL": "http://cdn.admin-nets.local/v1.1/1",
            "region": "RegionOne",
            "tenantId": 1,
            "type": "object-store",
            "id": 5,
            "publicURL": "http://cdn.publicinternets.com/v1.1/1"
        }
    ]
}
4.1.1.3.7 GET /tenants

List all of the tenants in the system (requires an Admin X-Auth-Token):

$ curl -H "X-Auth-Token:999888777666" \
   "http://localhost:35357/v2.0/tenants"

Returns:

{
    "tenants_links": [],
    "tenants": [
        {
            "enabled": false,
            "description": "None",
            "name": "project-y",
            "id": "3"
        },
        {
            "enabled": true,
            "description": "None",
            "name": "ANOTHER:TENANT",
            "id": "2"
        },
        {
            "enabled": true,
            "description": "None",
            "name": "customer-x",
            "id": "1"
        }
    ]
}
4.1.1.3.8 GET /tenants/{tenant_id}

Retrieve information about a tenant, by tenant ID:

$ curl -H "X-Auth-Token:999888777666" \
   "http://localhost:35357/v2.0/tenants/1"

Returns:

{
    "tenant":{
        "enabled":true,
        "description":"None",
        "name":"customer-x",
        "id":"1"
    }
}
4.1.1.3.9 GET /tenants/{tenant_id}/users/{user_id}/roles

List the roles a user has been granted on a tenant:

$ curl -H "X-Auth-Token:999888777666" \
   "http://localhost:35357/v2.0/tenants/1/users/1/roles"

Returns:

{
    "roles_links":[],
    "roles":[
        {
            "id":"3",
            "name":"Member"
        }
    ]
}
4.1.1.3.10 GET /users/{user_id}

Retrieve information about a user, by user ID:

$ curl -H "X-Auth-Token:999888777666" \
   "http://localhost:35357/v2.0/users/1"

Returns:

{
    "user":{
        "tenantId":"1",
        "enabled":true,
        "id":"1",
        "name":"joeuser"
    }
}
4.1.1.3.11 GET /tokens/revoked

Get the revocation list:

curl -s -H "X-Auth-Token: $OS_TOKEN" \
  "http://localhost:35357/v2.0/tokens/revoked" |
 jq -r .signed |
 openssl cms -verify \
  -certfile /etc/keystone/ssl/certs/signing_cert.pem \
  -CAfile /etc/keystone/ssl/certs/ca.pem \
  -inform PEM \
  -nosmimecap -nodetach -nocerts -noattr 2>/dev/null |
 python -m json.tool

Example response:

{
    "revoked": [
        {
            "expires": "2014-06-10T21:40:14Z",
            "id": "e6e2b5c9092751f88d2bcd30b09777a9"
        },
        {
            "expires": "2014-06-10T21:47:29Z",
            "id": "883ef5d610bd1c68fbaa8ac528aa9f17"
        },
        {
            "expires": "2014-06-10T21:51:52Z",
            "id": "41775ff4838f8f406b7bad28bea0dde6"
        }
    ]
}
Print this page