Comment 4 for bug 1783659

Hi Eric,

This looks like it's related to a long-standing, and unfortunately public bug (https://bugs.launchpad.net/keystone/+bug/968696). This bug has side-effects across several services, not just keystone, making the fix complex to orchestrate across services.

We do have a set of enhancements to keystone and oslo libraries that should provide the necessary tooling to address these gaps across OpenStack services [0]. I've addressed specific gaps within keystone's API in separate bug reports [1]. There is one bug report [2] that is closely related to what you've described here.

Keystone is undergoing a major overhaul to make addressing these types of issues easier. We're planning to address those bugs in Stein (given the point we're at with the Rocky release).

[0] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/queens/system-scope.html
[1] https://bugs.launchpad.net/keystone/+bugs?field.tag=policy
[2] https://bugs.launchpad.net/keystone/+bug/1750673