Tenant Name or Tenant Id in OpenStack Keystone

OpenStack Keystone is the first stop for gaining access to other services (Nova, Cinder, Glance, Neutron, etc.), so it is critical to understand the Keystone API well.

Applications, such as Vagrant OpenStack providers, need to look up service endpoints in the Keystone service catalog so that they can access these services and create, e.g., compute instances. Yet there appears to be no consistency about which of the tenant forms to use, which causes confusion for application developers.

The service catalog is per tenant. A REST request to Keystone must contain the necessary tenant information to get the service catalog. Tenant information can be either a name (string) or an Id (UUID), as specified in the API doc. It is convenient to use names.

In this example, a Keystone authentication request doesn’t have any tenant information:

[code language="bash"]

curl -v -i -H "Content-Type: application/json" -d '{"auth":{"passwordCredentials":{"username":"user","password":"password"}}}' http://keystone:5000/v2.0/tokens

[/code]

And as expected, no service catalog is returned:

[code language="bash"]

{"access": {"token": {"issued_at": "2015-07-10T18:26:07.389768", "expires": "2015-07-10T19:26:07Z", "id": "….."}, "serviceCatalog": [], "user": {"username": "user", "roles_links": [], "id": "…", "roles": [], "name": "user"}, "metadata": {"is_admin": 0, "roles": []}}}

[/code]

Then provide a tenantName in the request:

[code language="bash"]

curl -i -H "Content-Type: application/json" -d '{"auth":{"passwordCredentials":{"username":"user","password":"password"}, "tenantName":"Some tenant name"}}' http://keystone:5000/v2.0/tokens

[/code]

The response then contains the service catalog and endpoint information.
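The following Python sketch is an added example, not code from the original post or from the Keystone project. It builds the v2.0 request body with either tenant form and refuses to continue when the returned catalog is empty. The function names, host names and placeholder ids are assumptions, and the sample responses are constructed.

```python
import json

def build_auth(username, password, tenant_name=None, tenant_id=None):
    """Return the body for POST /v2.0/tokens, optionally scoped to a tenant."""
    if tenant_name and tenant_id:
        # Choice of this example: accept one tenant form per request.
        raise ValueError("pass tenant_name or tenant_id, not both")
    auth = {"passwordCredentials": {"username": username, "password": password}}
    if tenant_name:
        auth["tenantName"] = tenant_name
    elif tenant_id:
        auth["tenantId"] = tenant_id
    return {"auth": auth}

def public_endpoints(response_text):
    """Map service type -> publicURLs; raise if the catalog is empty."""
    access = json.loads(response_text)["access"]
    catalog = access.get("serviceCatalog") or []
    if not catalog:
        raise LookupError("empty serviceCatalog: token is likely unscoped")
    found = {}
    for service in catalog:
        urls = [e["publicURL"] for e in service.get("endpoints", []) if "publicURL" in e]
        found.setdefault(service["type"], []).extend(urls)
    return found

# Constructed sample responses (hosts, ids and tokens are placeholders).
UNSCOPED = json.dumps({"access": {"token": {"id": "TOKEN_PLACEHOLDER"},
                                  "serviceCatalog": []}})
SCOPED = json.dumps({"access": {
    "token": {"id": "TOKEN_PLACEHOLDER",
              "tenant": {"id": "TENANT_ID_PLACEHOLDER", "name": "Some tenant name"}},
    "serviceCatalog": [
        {"type": "compute", "name": "nova", "endpoints": [
            {"region": "RegionOne", "publicURL": "http://nova.example:8774/v2/TENANT_ID_PLACEHOLDER"}]},
        {"type": "image", "name": "glance", "endpoints": [
            {"region": "RegionOne", "publicURL": "http://glance.example:9292"}]},
    ]}})

if __name__ == "__main__":
    print(json.dumps(build_auth("user", "password", tenant_name="Some tenant name")))
    print(public_endpoints(SCOPED))
    try:
        public_endpoints(UNSCOPED)
    except LookupError as exc:
        print("unscoped:", exc)
```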
