Comment 4 for bug 1309228

Brant Knudson (blk-u) wrote : Re: User gets group auth if same id

Looks like the problem code is keystone.assignment.backends.sql.Assignment:_get_metadata. You pass in a user_id or group_id and it treats them the same: http://git.openstack.org/cgit/openstack/keystone/tree/keystone/assignment/backends/sql.py?id=2fea9c560a6d8c4fc5522795624ac9a84bd40450#n81

The likely fix is to calculate the role type based on the arguments and include that in the query. Here's the table:

mysql> select * from assignment;
+--------------+----------------------------------+----------------------------------+----------------------------------+-----------+
| type | actor_id | target_id | role_id | inherited |
+--------------+----------------------------------+----------------------------------+----------------------------------+-----------+
| UserProject | f4d347ad6e2b46109d3b8c98dc53db61 | ce9a1366f8294daa80e3dc432b416c2c | 9e262162c0c24b73906a8171a787dc10 | 0 |
| GroupProject | suspectid | 79edaf3db5634de681db106103c81b81 | a77bec4d368a4a819e59ad364b793d85 | 0 |
+--------------+----------------------------------+----------------------------------+----------------------------------+-----------+

So the query should also have q.filter_by(type='UserProject') (group project because the args are user_id=xxx, tenant_id=yyy rather than group_id=xxx, tenant_id=yyy).

I tried writing a quick test in test_auth but that uses the kvs backend which apparently handles this correctly.

It should be good enough to write a test for get_roles_for_user_and_project, since that's what's called when the token is created.
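The lookup described in this comment, as an added illustration that is not Keystone's code: an in-memory copy of the two assignment rows shown above, a lookup that ignores the type column (the reported behaviour) and one that derives the type from which arguments were passed and filters on it. The helper names and the domain-side type names are assumptions for this sketch.

```python
# Constructed rows mirroring the mysql output in the comment (not a real database).
ASSIGNMENT_ROWS = [
    {"type": "UserProject", "actor_id": "f4d347ad6e2b46109d3b8c98dc53db61",
     "target_id": "ce9a1366f8294daa80e3dc432b416c2c",
     "role_id": "9e262162c0c24b73906a8171a787dc10", "inherited": False},
    {"type": "GroupProject", "actor_id": "suspectid",
     "target_id": "79edaf3db5634de681db106103c81b81",
     "role_id": "a77bec4d368a4a819e59ad364b793d85", "inherited": False},
]


def assignment_type(user_id=None, group_id=None, tenant_id=None, domain_id=None):
    """Derive the assignment type from which actor/target arguments were given.

    Exactly one actor (user_id or group_id) and one target (tenant_id or
    domain_id) must be supplied; the names follow the type column above.
    """
    if (user_id is None) == (group_id is None):
        raise ValueError("exactly one of user_id or group_id is required")
    if (tenant_id is None) == (domain_id is None):
        raise ValueError("exactly one of tenant_id or domain_id is required")
    actor = "User" if user_id is not None else "Group"
    target = "Project" if tenant_id is not None else "Domain"
    return actor + target


def get_role_ids(rows, user_id=None, group_id=None, tenant_id=None,
                 domain_id=None, filter_type=True):
    """Return role_ids for the actor/target pair.

    filter_type=False reproduces the reported behaviour: actor_id and
    target_id alone are matched, so a user whose id equals a group's
    actor_id picks up the group's roles.  filter_type=True adds the
    type filter the comment proposes.
    """
    actor_id = user_id if user_id is not None else group_id
    target_id = tenant_id if tenant_id is not None else domain_id
    wanted = (assignment_type(user_id, group_id, tenant_id, domain_id)
              if filter_type else None)
    return [r["role_id"] for r in rows
            if r["actor_id"] == actor_id and r["target_id"] == target_id
            and (wanted is None or r["type"] == wanted)]
```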