Hi Eric,
This looks like it's related to a long-standing, and unfortunately public bug (https://bugs.launchpad.net/keystone/+bug/968696). This bug has side-effects across several services, not just keystone, making the fix complex to orchestrate across services.
We do have a set of enhancements to keystone and oslo libraries that should provide the necessary tooling to address these gaps across OpenStack services [0]. I've addressed specific gaps within keystone's API in separate bug reports [1]. There is one bug report [2] that is closely related to what you've described here.
Keystone is undergoing a major overhaul to make addressing these types of issues easier. We're planning to address those bugs in Stein (given the point we're at with the Rocky release).
[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html
[1] https://bugs.launchpad.net/keystone/+bugs?field.tag=policy
[2] https://bugs.launchpad.net/keystone/+bug/1750673