devstack job failing on auth failure for neutron net-create

this isn't an akanda bug but filing it here till i find the right place.

our devstack plugin needs to create a public network using neutronclient. it passes keystone auth params as CLI arguments to neutronclient. it first does a 'net-show public' then a 'net-create public' if it doesnt exist:

https://git.openstack.org/cgit/stackforge/akanda-rug/tree/devstack/plugin.sh#n164

Over the last day or so the second neutron command is failing to authenticate with error:

User b0482414a4e548ea8b1c2ef6c43de21b has no access to project 4e1345be292e49d29a7214d1205b2000 (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-45d2cae1-22e0-4c2b-bf27-a1155c94465b)

tho the first command works fine using the same auth params.

From the keystone log (http://logs.openstack.org/45/220345/1/check/gate-functional-dsvm-akanda/013cc80/logs/apache/keystone.txt.gz)

/opt/stack/new/keystone/keystone/common/controller.py:66
2015-09-04 07:26:05.028431 24461 DEBUG keystone.policy.backends.rules [-] enforce identity:validate_token: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'b0482414a4e548ea8b1c2ef6c43de21b', 'roles': [u'service'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=tRyf14xHTECv88dT_O9OUQ, audit_chain_id=tRyf14xHTECv88dT_O9OUQ) at 0x7f57f8112ab8>, 'project_id': u'7f65026655f9493884be9efec3b3e795', 'trust_id': None} enforce /opt/stack/new/keystone/keystone/policy/backends/rules.py:76
2015-09-04 07:26:05.029207 24461 DEBUG keystone.common.controller [-] RBAC: Authorization granted inner /opt/stack/new/keystone/keystone/common/controller.py:161
2015-09-04 07:26:05.730240 24459 INFO keystone.common.wsgi [-] GET http://127.0.0.1:35357/
2015-09-04 07:26:05.923298 24462 INFO keystone.middleware.core [-] Cannot find client issuer in env by the issuer attribute - SSL_CLIENT_I_DN.
2015-09-04 07:26:05.923481 24462 DEBUG keystone.middleware.core [-] There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set. process_request /opt/stack/new/keystone/keystone/middleware/core.py:301
2015-09-04 07:26:05.927659 24462 INFO keystone.common.wsgi [-] POST http://127.0.0.1:35357/v3/auth/tokens
2015-09-04 07:26:06.003837 24462 DEBUG keystone.token.providers.common [-] User b0482414a4e548ea8b1c2ef6c43de21b has no access to project 4e1345be292e49d29a7214d1205b2000 _populate_roles /opt/stack/new/keystone/keystone/token/providers/common.py:413
2015-09-04 07:26:06.007363 24462 WARNING keystone.common.wsgi [-] Authorization failed. User b0482414a4e548ea8b1c2ef6c43de21b has no access to project 4e1345be292e49d29a7214d1205b2000 (Disable debug mode to suppress these details.) (Disable debug mode to suppress these details.) from 127.0.0.1

Running devstack locally fails at the same place, but manually attempting to create the network after its failed works fine and I cannot replicate the auth failure after.

This smells like a keystone bug but haven't been able to pinpoint the cause. keystonemiddleware version has not changed since the last passing job and the recent failing.

Failing run here http://logs.openstack.org/45/220345/1/check/gate-functional-dsvm-akanda/013cc80/logs/