More Keystone V3 API Examples

My previous example showed how to create a user using the V3 API. But what if you don’t even have an admin user in your database? How are you going to perform admin operations in a bootstrap scenario? Here’s how to do operations with no user in the database, and to get the database up to the point where you can perform operations directly.

There is a special value in the keystone config file that is used for the early stages of setting up Keystone: admin_token. For my examples, I use my favorite standby not-so-secret-password:

[DEFAULT]
admin_token = freeipa4all

When Keystone is restarted, you should be able to perform admin operations using:

curl -H"X-Auth-Token:freeipa4all"    localhost:35357/v3/users  | python -mjson.tool

So the previous example to create a user will work if you do:

export TOKEN=freeipa4all

To create a project, create a sample file named create_project.json :

{
    "project": {
        "description": "demo-project",
        "domain_id": "default",
        "enabled": true,
        "name": "Demonstration"
    }
}

And create it using:

curl -si -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json" http://localhost:35357/v3/projects -d @create_project.json

Check to see it was created with:

curl  -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json" http://localhost:35357/v3/projects  | python -mjson.tool

Now let’s work towards providing access to that user. We want to give the user a role on that project, but first we need to see what roles are available:

curl  -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json" http://localhost:35357/v3/roles  | python -mjson.tool

If you ran the SQL migrations, you should see the role that is used by the V2 API when doing “add user to project”:

curl  -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json" http://localhost:35357/v3/roles/9fe2ff9ee4384b1894a90878d3e92bab  | python -mjson.tool
{
    "role": {
        "description": "Default role for project membership",
        "enabled": "True",
        "id": "9fe2ff9ee4384b1894a90878d3e92bab",
        "links": {
            "self": "http://127.0.0.1:5000/v3/roles/9fe2ff9ee4384b1894a90878d3e92bab"
        },
        "name": "_member_"
    }
}

Let’s give our user this role:

curl  -X PUT  -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json" http://localhost:35357/v3/projects/e15bab932d9349f7b2cbe6f1ae62cc8c/users/d36f803edcc74fae99428efe696c431d/roles/9fe2ff9ee4384b1894a90878d3e92bab

This produces no output. To check what happened:

curl  -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json" http://localhost:35357/v3/projects/e15bab932d9349f7b2cbe6f1ae62cc8c/users/d36f803edcc74fae99428efe696c431d/roles | python -mjson.tool
{
    "links": {
        "next": null,
        "previous": null,
        "self": "http://127.0.0.1:5000/v3/projects/e15bab932d9349f7b2cbe6f1ae62cc8c/users/d36f803edcc74fae99428efe696c431d/roles"
    },
    "roles": [
        {
            "description": "Default role for project membership",
            "enabled": "True",
            "id": "9fe2ff9ee4384b1894a90878d3e92bab",
            "links": {
                "self": "http://127.0.0.1:5000/v3/roles/9fe2ff9ee4384b1894a90878d3e92bab"
            },
            "name": "_member_"
        }
    ]
}

Now, let’s test that we can create a token as this user. Here is token_request.json:

{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "id": "d36f803edcc74fae99428efe696c431d",
                    "password": "changeme"
                }
            }
        },
        "scope": {
            "project": {
                "id": "e15bab932d9349f7b2cbe6f1ae62cc8c"
            }
        }
    }
}

And execute it with:

curl -si -d @token_request.json -H "Content-type: application/json" http://localhost:35357/v3/auth/tokens

The HTTP status code in the response tells you whether it was successful.

To make an admin user, follow the same general path, but use the admin role instead of _member_.

To create a new role named usermanager, use the admin_token again:

curl  -H"X-Auth-Token:$TOKEN"   -d '{"role":{"name":"usermanager"}}' -H "Content-type: application/json" http://localhost:35357/v3/roles
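Every request above succeeds with nothing but the admin_token value, so the setting is worth checking for once real admin users exist. The following check is an added example, not code from the original post: it reports whether a keystone.conf-style file still sets admin_token in [DEFAULT]. The function names and sample file are assumptions, and it inspects only the file, not any default built into the Keystone release.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are assumptions.

# Print the admin_token value set in [DEFAULT] of an INI file such as
# keystone.conf; prints nothing if it is absent or commented out.
get_admin_token() {
    awk '
        /^[ \t]*[#;]/ { next }                 # comment line
        /^[ \t]*\[/ {                          # section header
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            next
        }
        sec == "DEFAULT" && /^[ \t]*admin_token[ \t]*[=:]/ {
            val = $0
            sub(/^[ \t]*admin_token[ \t]*[=:][ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            found = val                        # keep the last assignment seen
        }
        END { if (found != "") print found }
    ' "$1"
}

# Return 1 if the file still sets admin_token, 0 otherwise.
check_admin_token() {
    token=$(get_admin_token "$1")
    if [ -n "$token" ]; then
        # Report only the length so the secret does not end up in logs.
        echo "FAIL: $1 sets admin_token in [DEFAULT] (${#token} chars)" >&2
        return 1
    fi
    echo "OK: $1 does not set admin_token in [DEFAULT]"
}

# Constructed sample mirroring the config fragment from the post.
sample=$(mktemp)
printf '[DEFAULT]\nadmin_token = freeipa4all\n' > "$sample"
check_admin_token "$sample" || echo "remove admin_token once bootstrap is done"
rm -f "$sample"
```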

One thought on “More Keystone V3 API Examples”

  1. Hi, how can I get a domain scoped token? I didn’t find that in the documentation and any other examples. Could you help me?

    Regards.
