"AuthorizationFailure" after I add/remove the current user in a project
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| python-keystoneclient |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
My instructions are like below and I always use ipython to check the instructions are fine:
1. Create a new connection(
unscope_conn = keystone_
unscope_token = unscope_
2. Create a scope_token from unscope_token
tokens = unscope_
scope_token = tokens.id
3. Create a scope connection from scope_token
scope_conn = keystone_
4. Add/Remove the current user in a project using the scope connection
user_id = "7345085bf11e47
role_id = "2ad4ede52c8940
tenant_id = "b2d0bf5931e949
scope_conn.
5. The user has been added to the project from the step 4. But if I need to use the same scope connection to do other things, I would get an error "AuthorizationF
For example:
scope_conn.
Then I would get "AuthorizationF
My Question is
Is it a limitation if a user add/remove himself in a project, the token must be refresh?
| Joseph Heck (heckj) wrote | #1 |
| Changed in python-keystoneclient: | |
| status: | New → Invalid |
William-
For the keystone V2 API, the mechanisms to modify any elements within keystone are all "admin only". Once you have an administrative connection like you do in step "4", you should be able to do any other tasks with the same token *unless* you've just modified the roles for the user to which you authenticated.
This is because when you modify the roles, etc for a user, all relevant tokens for that user and project are then invalidated to prevent inadvertant access. Re-requesting an authorization token will solve this issue - or have a different "admin account" that isn't the one you're changing.