Creating Hierarchical Projects in Keystone

Hierarchical Multitenancy is coming. Look busy.

Until we get CLI support for creating projects with parent relationships, we have to test via curl. This has given me a chance to clean up a few little techniques on using jq andd heredocs.

#!/usr/bin/bash -x
. ./keystonerc_admin

TOKEN=$( curl -si  -H "Content-type: application/json"  -d@- $OS_AUTH_URL/auth/tokens <<EOF | awk '/X-Subject-Token/ {print $2}'
{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "domain": {
                        "name": "$OS_USER_DOMAIN_NAME"
                    },
                    "name": "admin",
                    "password": "$OS_PASSWORD"
                }
            }
        },
        "scope": {
            "project": {
                "domain": {
                    "name": "$OS_PROJECT_DOMAIN_NAME"
                },
                "name": "$OS_PROJECT_NAME"
            }
        }
    }
}
EOF
)

PARENT_PROJECT=$( curl  -H "Content-type: application/json" -H"X-Auth-Token:$TOKEN"  -d@- $OS_AUTH_URL/projects <<EOF |  jq -r '.project  | {id}[]  '
{
    "project": {
        "description": "parent project",
        "domain_id": "default",
        "enabled": true,
        "name": "Parent"
    }
}
EOF
)

echo $PARENT_PROJECT


curl  -H "Content-type: application/json" -H"X-Auth-Token:$TOKEN"  -d@- $OS_AUTH_URL/projects <<EOF 
{
    "project": {
        "description": "demo-project",
        "parent_project_id": "$PARENT_PROJECT",
        "domain_id": "default",
        "enabled": true,
        "name": "child"
    }
}
EOF


Note that this uses V3 of the API. I have the following keystone_adminrc

export OS_USERNAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_PASSWORD=cf8dcb8aae804722
export OS_AUTH_URL=http://192.168.1.80:5000/v3/

export OS_IDENTITY_API_VERSION=3

export OS_REGION_NAME=RegionOne
export PS1='[\u@\h \W(keystone_admin)]\$ '

3 thoughts on “Creating Hierarchical Projects in Keystone

  1. Nice! This combined with domains will give great flexibility in access control. I found handy also this:

    # curl -H “Content-type: application/json” -H”X-Auth-Token:$TOKEN” $OS_AUTH_URL/projects/$PARENT_PROJECT?subtree_as_list | python -m json.tool

    {
    “project”: {
    “description”: “parent project”,
    “domain_id”: “default”,
    “enabled”: true,
    “id”: “30e3012fdefa4175886232eace09d8ce”,
    “links”: {
    “self”: “http://192.168.178.2:5000/v3/projects/30e3012fdefa4175886232eace09d8ce”
    },
    “name”: “Parent”
    }
    }

    to retrieve the list of parent projects. One question: how deep can the tree be?

Leave a Reply

Your email address will not be published. Required fields are marked *