That said, I tried out some things in devstack and got interesting results.
I created two instances, one in admin tenant and one in demo tenant. As admin/admin, I found in order for --tenant to work as expected, you have to also give --all-tenants.
1. 'nova list' shows the instance in admin tenant
2. 'nova list --all-tenants' shows both instances, the one in demo tenant and the one in admin tenant
3. 'nova list --tenant 5d460e88a8ea450c9c992e7a07d34889 --all-tenants' shows the instance in demo tenant
4. 'nova list --all-tenants --tenant blah' shows an empty list
5. 'nova list --tenant blah' shows the instance in admin tenant
The 4. result is what I'd expect to see if I gave a wrong tenant id (list of nothing). The only way to check tenant id validity would be to make an extra call to keystone on the client-side. Because just because no instance in nova belongs to a tenant, doesn't necessarily mean the tenant is invalid. I also mentioned this in bug 1233492
So, I'm going to mark this as a Wishlist item, to have the client check keystone for validity if nothing is returned from nova api.
Note that 'nova list --tenant' only works with tenant ids, not tenant names, see https:/ /bugs.launchpad .net/python- novaclient/ +bug/1233492
That said, I tried out some things in devstack and got interesting results.
I created two instances, one in admin tenant and one in demo tenant. As admin/admin, I found in order for --tenant to work as expected, you have to also give --all-tenants.
1. 'nova list' shows the instance in admin tenant c9c992e7a07d348 89 --all-tenants' shows the instance in demo tenant
2. 'nova list --all-tenants' shows both instances, the one in demo tenant and the one in admin tenant
3. 'nova list --tenant 5d460e88a8ea450
4. 'nova list --all-tenants --tenant blah' shows an empty list
5. 'nova list --tenant blah' shows the instance in admin tenant
The 4. result is what I'd expect to see if I gave a wrong tenant id (list of nothing). The only way to check tenant id validity would be to make an extra call to keystone on the client-side. Because just because no instance in nova belongs to a tenant, doesn't necessarily mean the tenant is invalid. I also mentioned this in bug 1233492
So, I'm going to mark this as a Wishlist item, to have the client check keystone for validity if nothing is returned from nova api.