I often find myself trying to figure out which roles and tenants certain users have on a keystone server, and for me this usually comes down to running combinations of:

    keystone user-list
    keystone tenant-list
    keystone user-role-list

As an alternative I've put together a small script that lists the relationship between users/tenants and roles in a table format.
As an example, see the output when run against keystone as installed by devstack (tenants are across the top, users down the left and roles at their intersections).
First we need to set up the openstack admin environment, i.e. define OS_AUTH_URL etc.

    > . openrc admin admin
    > listkeystonecreds
    +--------+---------------+--------------------+-------------+----------------------+
    |  name  |    service    | invisible_to_admin |     demo    |        admin         |
    +--------+---------------+--------------------+-------------+----------------------+
    | admin  |               |                    |    admin    |    KeystoneAdmin     |
    |        |               |                    |             | KeystoneServiceAdmin |
    |        |               |                    |             |        admin         |
    | cinder |     admin     |                    |             |                      |
    |  demo  |               |       Member       | anotherrole |                      |
    |        |               |                    |    Member   |                      |
    | glance |     admin     |                    |             |                      |
    |  nova  |     admin     |                    |             |                      |
    |        | ResellerAdmin |                    |             |                      |
    +--------+---------------+--------------------+-------------+----------------------+

I've also included options to filter by username or tenant:

    > listkeystonecreds -u admin
    +-------+---------+--------------------+-------+----------------------+
    |  name | service | invisible_to_admin |  demo |        admin         |
    +-------+---------+--------------------+-------+----------------------+
    | admin |         |                    | admin |    KeystoneAdmin     |
    |       |         |                    |       | KeystoneServiceAdmin |
    |       |         |                    |       |        admin         |
    +-------+---------+--------------------+-------+----------------------+

    > listkeystonecreds -t service
    +--------+---------------+
    |  name  |    service    |
    +--------+---------------+
    | admin  |               |
    | cinder |     admin     |
    |  demo  |               |
    | glance |     admin     |
    |  nova  |     admin     |
    |        | ResellerAdmin |
    +--------+---------------+

    > listkeystonecreds -t service -u nova
    +------+---------------+
    | name |    service    |
    +------+---------------+
    | nova |     admin     |
    |      | ResellerAdmin |
    +------+---------------+

The code is below for anybody that might find it helpful. Please forgive the poor man's command line parsing and name filtering, I was trying to keep it brief. On large keystone data sets it will end up running quite a lot of HTTP GETs, so it's probably only suitable for smaller installations.

    #!/usr/bin/python
    import os
    import sys

    import prettytable
    from keystoneclient.v2_0 import client

    # Authenticate with the admin credentials exported by openrc.
    keystone = client.Client(username=os.environ['OS_USERNAME'],
                             password=os.environ['OS_PASSWORD'],
                             tenant_name=os.environ['OS_TENANT_NAME'],
                             auth_url=os.environ['OS_AUTH_URL'])

    # Optional filters: -u <user> and -t <tenant> (substring match on the name).
    f_user = f_tenant = ""
    if "-u" in sys.argv:
        f_user = sys.argv[sys.argv.index("-u") + 1]
    if "-t" in sys.argv:
        f_tenant = sys.argv[sys.argv.index("-t") + 1]

    tenants = [t for t in keystone.tenants.list() if f_tenant in t.name]
    users = [u for u in keystone.users.list() if f_user in u.name]

    # One column per tenant, one row per user, role names at the intersections.
    pt = prettytable.PrettyTable(["name"] + [t.name for t in tenants])
    for user in users:
        row = [user.name]
        for tenant in tenants:
            # One role lookup per (user, tenant) pair.
            row.append("\n".join([r.name for r in user.list_roles(tenant.id)]))
        pt.add_row(row)

    print(pt.get_string(sortby="name"))
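
An offline sketch of the same user/tenant/role matrix, added here as an example and not part of the original script. It shows how the lookup count grows with users times tenants, how the substring filter makes "-t admin" also select invisible_to_admin, and how to invert the matrix to see who holds a given role. FakeKeystone, build_matrix, holders_of and the exact flag are hypothetical names, and the data is constructed from the devstack output above.

```python
# Constructed sample data mirroring the devstack output shown above:
# (user, tenant) -> roles. Not fetched from a real Keystone server.
ASSIGNMENTS = {
    ("admin", "demo"): ["admin"],
    ("admin", "admin"): ["KeystoneAdmin", "KeystoneServiceAdmin", "admin"],
    ("cinder", "service"): ["admin"],
    ("demo", "invisible_to_admin"): ["Member"],
    ("demo", "demo"): ["anotherrole", "Member"],
    ("glance", "service"): ["admin"],
    ("nova", "service"): ["admin", "ResellerAdmin"],
}
USERS = ["admin", "cinder", "demo", "glance", "nova"]
TENANTS = ["service", "invisible_to_admin", "demo", "admin"]


class FakeKeystone(object):
    """Hypothetical offline stand-in; counts one lookup per (user, tenant)."""
    def __init__(self):
        self.lookups = 0

    def list_roles(self, user, tenant):
        self.lookups += 1
        return ASSIGNMENTS.get((user, tenant), [])


def build_matrix(ks, f_user="", f_tenant="", exact=False):
    """Return {user: {tenant: [roles]}}, filtered by substring like the
    script, or by exact name when exact=True."""
    match = (lambda f, n: not f or f == n) if exact else (lambda f, n: f in n)
    tenants = [t for t in TENANTS if match(f_tenant, t)]
    users = [u for u in USERS if match(f_user, u)]
    return {u: {t: ks.list_roles(u, t) for t in tenants} for u in users}


def holders_of(matrix, role):
    """Invert the matrix: sorted (user, tenant) pairs where role is granted."""
    return sorted((u, t) for u, row in matrix.items()
                  for t, roles in row.items() if role in roles)


if __name__ == "__main__":
    ks = FakeKeystone()
    m = build_matrix(ks)
    print("role lookups:", ks.lookups)  # one per user x tenant pair
    print("admin role held by:", holders_of(m, "admin"))
```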