Looks like the problem code is keystone.assignment.backends.sql.Assignment:_get_metadata. You pass in a user_id or group_id and it treats them the same: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/assignment/backends/sql.py?id=2fea9c560a6d8c4fc5522795624ac9a84bd40450#n81
The likely fix is to calculate the role type based on the arguments and include that in the query. Here's the table:
mysql> select * from assignment;
+--------------+----------------------------------+----------------------------------+----------------------------------+-----------+
| type         | actor_id                         | target_id                        | role_id                          | inherited |
+--------------+----------------------------------+----------------------------------+----------------------------------+-----------+
| UserProject  | f4d347ad6e2b46109d3b8c98dc53db61 | ce9a1366f8294daa80e3dc432b416c2c | 9e262162c0c24b73906a8171a787dc10 |         0 |
| GroupProject | suspectid                        | 79edaf3db5634de681db106103c81b81 | a77bec4d368a4a819e59ad364b793d85 |         0 |
+--------------+----------------------------------+----------------------------------+----------------------------------+-----------+
So the query should also have q.filter_by(type='UserProject') (group project because the args are user_id=xxx,tenant_id=yyy rather than group_id=xxx,tenant_id=yyy).
I tried writing a quick test in test_auth but that uses the kvs backend which apparently handles this correctly.
It should be good enough to write a test for get_roles_for_user_and_project, since that's what's called when the token is created.
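
An added example, not part of the original comment and not Keystone's code: a sqlite3 sketch of the lookup described above, showing a user id that collides with a group id receiving the group's role until the query also filters on type. The table contents, ids and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data mirroring the shape of the assignment table above;
# the ids are placeholders, not values from the bug report.
ROWS = [
    ("UserProject", "user-a", "project-1", "role-member", 0),
    ("GroupProject", "shared-id", "project-2", "role-admin", 0),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assignment (type TEXT, actor_id TEXT, "
                 "target_id TEXT, role_id TEXT, inherited INTEGER)")
    conn.executemany("INSERT INTO assignment VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn

def assignment_type(user_id=None, group_id=None):
    """Derive the row type from which actor argument was supplied."""
    if (user_id is None) == (group_id is None):
        raise ValueError("pass exactly one of user_id or group_id")
    return "UserProject" if user_id is not None else "GroupProject"

def roles_untyped(conn, tenant_id, user_id=None, group_id=None):
    """Behaviour described in the comment: actor id matched regardless of type."""
    actor = user_id if user_id is not None else group_id
    cur = conn.execute(
        "SELECT role_id FROM assignment WHERE actor_id = ? AND target_id = ?",
        (actor, tenant_id))
    return [r[0] for r in cur]

def roles_typed(conn, tenant_id, user_id=None, group_id=None):
    """Proposed fix: include the computed type in the filter."""
    actor = user_id if user_id is not None else group_id
    cur = conn.execute(
        "SELECT role_id FROM assignment "
        "WHERE type = ? AND actor_id = ? AND target_id = ?",
        (assignment_type(user_id, group_id), actor, tenant_id))
    return [r[0] for r in cur]

if __name__ == "__main__":
    db = make_db()
    # A user whose id equals a group's id picks up the group's role...
    print(roles_untyped(db, "project-2", user_id="shared-id"))
    # ...unless the query is also restricted by assignment type.
    print(roles_typed(db, "project-2", user_id="shared-id"))
    print(roles_typed(db, "project-2", group_id="shared-id"))
```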