More Keystone V3 API Examples

My previous example showed how to create a user using the V3 API. But what if you don’t even have an admin user in your database? How are you going to perform admin operations in a bootstrap scenario? Here’s how to do operations with no user in the database, and to get the database up to the point where you can perform operations directly.

Second of Three Articles: Examples. Policy

There is a special value in the keystone config file that is used for the early stages of setting up Keystone: admin_token. For my examples, I use my favorite standby not-so-secret-password:

[DEFAULT]
admin_token = freeipa4all

When Keystone is restarted, you should be able to perform admin operations using:

curl -H"X-Auth-Token:freeipa4all"    localhost:35357/v3/users  | python -mjson.tool

So the previous example to create a user will work if you do

export TOKEN=freeipa4all

To create a project, create a sample file named create_project.json :

{
    "project": {
        "description": "demo-project",
        "domain_id": "default",
        "enabled": true,
        "name": "Demonstration"
    }
}

And create it using:

curl -si -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json" http://localhost:35357/v3/projects -d @create_project.json

Check to see it was created with:

curl  -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json" http://localhost:35357/v3/projects  | python -mjson.tool

Now lets work towards providing access to that user. We want to give the user a role on that project, but first we need to see what roles are available:

curl  -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json" http://localhost:35357/v3/roles  | python -mjson.tool

If you ran the SQL migrations, you should see the role that is used by the V2 API when doing “add user to project”

curl  -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json" http://localhost:35357/v3/roles/9fe2ff9ee4384b1894a90878d3e92bab  | python -mjson.tool
{
    "role": {
        "description": "Default role for project membership",
        "enabled": "True",
        "id": "9fe2ff9ee4384b1894a90878d3e92bab",
        "links": {
            "self": "http://127.0.0.1:5000/v3/roles/9fe2ff9ee4384b1894a90878d3e92bab"
        },
        "name": "_member_"
    }
}

Let’s give our user this role

curl  -X PUT  -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json" http://localhost:35357/v3/projects/e15bab932d9349f7b2cbe6f1ae62cc8c/users/d36f803edcc74fae99428efe696c431d/roles/9fe2ff9ee4384b1894a90878d3e92bab

This produces no output. TO check to see what happened:

 
curl  -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json" http://localhost:35357/v3/projects/e15bab932d9349f7b2cbe6f1ae62cc8c/users/d36f803edcc74fae99428efe696c431d/roles | python -mjson.tool
{
    "links": {
        "next": null,
        "previous": null,
        "self": "http://127.0.0.1:5000/v3/projects/e15bab932d9349f7b2cbe6f1ae62cc8c/users/d36f803edcc74fae99428efe696c431d/roles"
    },
    "roles": [
        {
            "description": "Default role for project membership",
            "enabled": "True",
            "id": "9fe2ff9ee4384b1894a90878d3e92bab",
            "links": {
                "self": "http://127.0.0.1:5000/v3/roles/9fe2ff9ee4384b1894a90878d3e92bab"
            },
            "name": "_member_"
        }
    ]
}

Now, lets test out that we can create a token as this user. Here is token_request.json

{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "id": "d36f803edcc74fae99428efe696c431d",
                    "password": "changeme"
                }
            }
        },
        "scope": {
            "project": {
                "id": "e15bab932d9349f7b2cbe6f1ae62cc8c"
            }
        }
    }
}

And execute it with:

curl  -d @token-request.json -H "Content-type: application/json" http://localhost:35357/v3/auth/tokens

The return code should tell you if it is successful or not.

To make an admin user, follow the same general path, but use the admin role instead of _member_.

To create a new role named usermanager, use the admin_token again:

curl  -H"X-Auth-Token:$TOKEN"   -d '{"role":{"name":"usermanager"}}' -H "Content-type: application/json" http://localhost:35357/v3/roles

One thought on “More Keystone V3 API Examples

  1. Hi, how can I get a domain scoped token? I didn’t find that in the documentation and any other examples. Could you help me?

    Regards.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>