After further investigation, turns out my initial analysis was incorrect. Looks like we are no longer able to specify something like this for the credential match anymore.
'token.project.domain.id'
This capability was taken away by the removal of KeystoneToken from the model by this patch.
https://review.openstack.org/#/c/577567
KeystoneToken used to be a subclass of dict which stores the token ref json.
https://github.com/openstack/keystone/blob/stable/queens/keystone/models/token_model.py#L47
TokenModel, on the other hand, is an object.
https://github.com/openstack/keystone/blob/stable/rocky/keystone/models/token_model.py#L35
From now on, I guess we'll need to use the attributes in the TokenModel or oslo_context.to_policy_values() for credential match instead. So we can change the rule to either 'token.project.domain_id' or simply 'project_domain_id'.
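The difference described in the comment above, as an added sketch that is not part of the original comment and is not keystone or oslo.policy code. It assumes a matcher that walks dotted paths through mapping keys only; `resolve`, `credential_matches`, `audit`, `FakeTokenModel` and both credential samples are hypothetical, and only the flat `project_domain_id` form is modelled.

```python
from collections.abc import Mapping

MISSING = object()  # sentinel: the dotted path did not resolve


def resolve(creds, dotted_path):
    """Walk a dotted credential path through nested mappings only (assumed model)."""
    value = creds
    for segment in dotted_path.split("."):
        # An object exposing attributes instead of keys stops the walk here.
        if not isinstance(value, Mapping) or segment not in value:
            return MISSING
        value = value[segment]
    return value


def credential_matches(creds, dotted_path, expected):
    """True only when the path resolves and its string form equals expected."""
    value = resolve(creds, dotted_path)
    return value is not MISSING and str(value) == expected


class FakeTokenModel:
    """Hypothetical stand-in for an object-style token: attributes, not keys."""

    def __init__(self, project_domain_id):
        self.project_domain_id = project_domain_id


# Constructed sample: token kept as a nested dict (dict-subclass style).
dict_style_creds = {"token": {"project": {"domain": {"id": "default"}}}}

# Constructed sample: token is an object, with flat policy values beside it.
object_style_creds = {
    "token": FakeTokenModel("default"),
    "project_domain_id": "default",
}

RULE_PATHS = ["token.project.domain.id", "project_domain_id"]


def audit(creds, paths=RULE_PATHS, expected="default"):
    """Report, per rule path, whether the credential match can succeed."""
    return {path: credential_matches(creds, path, expected) for path in paths}


if __name__ == "__main__":
    print("dict-style token  :", audit(dict_style_creds))
    print("object-style token:", audit(object_style_creds))
```

A rule whose credential path stops resolving never matches, so an audit of this kind over a deployment's policy overrides shows which rules need rewriting after an upgrade.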