Comment 5 for bug 1773967

Dmitrii Shcherbakov (dmitriis) wrote :

Encountered the same with a federation use-case. A user doesn't have direct role assignments for a project and the user is also not present in a group (in the keystone db) that has a role assignment on the project. However, the federated domain-scoped token and a project-scoped token created based on the federated one both have group membership information present => the user has the Member role on the project.

Trying to create an application credential (from Horizon) results in the following logged at the Keystone side:

(keystone.policy.backends.rules): 2019-05-14 09:01:42,703 DEBUG enforce identity:create_application_credential: {'trust_id': None, 'trustor_id': None, 'trustee_id': None, 'domain_id': None, 'domain_name': None, 'group_ids': ['a82a32cc8c8540afb47d0f568d035e91'], 'token': <TokenModel (audit_id=EhAR7yT8Q4-W1TURPGeXrg, audit_chain_id=['EhAR7yT8Q4-W1TURPGeXrg']) at 0x7f5b466ce550>, 'user_id': '7c2cd54542714c82a0854d4b159deaf2', 'user_domain_id': 'Federated', 'system_scope': None, 'project_id': '07d0c2ef8af340a9b2e07d2f82d5a65a', 'project_domain_id': '4787f8cd807f4d67bf5bf70b84fd3dc2', 'roles': ['Member'], 'is_admin_project': False, 'service_user_id': None, 'service_user_domain_id': None, 'service_project_id': None, 'service_project_domain_id': None, 'service_roles': []}

(keystone.common.wsgi): 2019-05-14 09:01:33,026 WARNING Invalid application credential: Could not find role assignment with role: f82ad8932d8f4f69ab4199aee3b4b736, user or group: 7c2cd54542714c82a0854d4b159deaf2, project, domain, or system: 07d0c2ef8af340a9b2e07d2f82d5a65a.

f82ad8932d8f4f69ab4199aee3b4b736 - Member role (global, domain == None)
7c2cd54542714c82a0854d4b159deaf2 - a shadow-mapped (federated) user
07d0c2ef8af340a9b2e07d2f82d5a65a - the target project.
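An added model of the mismatch described in the comment above (illustrative Python, not keystone's own code or the bug's fix): the role, user, project and group ids are the ones quoted in the log lines, while the assignment table and group membership data are constructed. It shows why a lookup that only consults persisted user and group assignments reports no Member assignment, whereas a lookup that also honours the group ids carried by the federated token finds it.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class Assignment:
    """One role assignment row: exactly one of user_id / group_id is set."""
    role_id: str
    project_id: str
    user_id: Optional[str] = None
    group_id: Optional[str] = None


# Ids taken from the log lines in the comment above.
ROLE_MEMBER = "f82ad8932d8f4f69ab4199aee3b4b736"
USER = "7c2cd54542714c82a0854d4b159deaf2"        # shadow-mapped federated user
PROJECT = "07d0c2ef8af340a9b2e07d2f82d5a65a"
GROUP = "a82a32cc8c8540afb47d0f568d035e91"       # group_ids[] from the token

# Constructed "keystone DB": the group holds Member on the project, but the
# federated user has no persisted membership in that group.
ASSIGNMENTS = [Assignment(ROLE_MEMBER, PROJECT, group_id=GROUP)]
DB_GROUP_MEMBERS = {GROUP: set()}  # hypothetical membership table


def token_groups_for_user(user_id: str) -> Set[str]:
    """Groups the federation mapping attached to the token (constructed)."""
    return {GROUP} if user_id == USER else set()


def db_groups_for_user(user_id: str) -> Set[str]:
    """Groups the user is a stored member of in the DB."""
    return {g for g, members in DB_GROUP_MEMBERS.items() if user_id in members}


def find_role_assignment(role_id: str, user_id: str, project_id: str,
                         group_ids: Iterable[str] = ()) -> bool:
    """True if role_id is granted to user_id on project_id, directly or
    through any group in group_ids."""
    groups = set(group_ids)
    return any(a.role_id == role_id and a.project_id == project_id
               and (a.user_id == user_id or a.group_id in groups)
               for a in ASSIGNMENTS)


def can_create_app_cred(role_id: str, user_id: str, project_id: str,
                        use_token_groups: bool) -> bool:
    """Model of the check: DB membership only, or DB plus token group_ids."""
    groups = db_groups_for_user(user_id)
    if use_token_groups:
        groups |= token_groups_for_user(user_id)
    return find_role_assignment(role_id, user_id, project_id, groups)
```

With `use_token_groups=False` the model reproduces the "Could not find role assignment" outcome; with `use_token_groups=True` it agrees with the policy-enforcement context that lists `roles: ['Member']`.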