[openstack-dev] [keystone] Issue on adding or removing itself to/from a group

Ioram Schechtman Sette iss at cin.ufpe.br
Thu Feb 19 01:18:06 UTC 2015


Hi all,

My previous message was sent incomplete. Sorry for that. Here is the
correct one.

I'm currently working on the virtual organisations (VO) management code and
I would like to add the functionality that when a user creates a VO Role,
he automatically joins it.

Since VO Roles are represented as Groups, I need to create a new group and
add my own user into it.

I have noticed that when I call the methods *add_user_to_group* and
*remove_user_from_group* from the identity_api, the actions are performed
correctly, but I get my token invalidated and receive the following error
message:

[Thu Feb 19 00:41:23 2015] [error] 11764 WARNING keystone.middleware.core
[-] *RBAC: Invalid token*
[Thu Feb 19 00:41:23 2015] [error] 11764 WARNING keystone.common.wsgi [-]
The request you have made requires authentication. (Disable debug mode to
suppress these details.)

I have also tested using the original horizon UI for adding and removing
users to groups and tried to remove my own user from a group.
I got exactly the same behaviour, so I think the problem is not related to
my code.

Does anyone know if this is the expected behaviour?

I think that maybe because the groups can be associated with roles, these
roles should be added to or removed from the token.
Therefore, the token needs to be replaced by a new one with new privileges.
But, I think this could be done automatically, instead of invalidating the
old ones and forcing the users to log out and in.

Does it make sense to you?
Is there an easy way to avoid the token being invalidated?

PS: I'm still working on the icehouse version, so this issue can already be
addressed in newer releases.

Regards,
Ioram Sette