So looks like there are two problems.
1) We assume that request_context will always have a token_reference, which is not true in the case of X.509 tokenless auth.
2) We are no longer using auth_context when formulating the credentials for RBAC. Instead, we are using the Oslo request_context.
https://github.com/openstack/keystone/blob/master/keystone/common/rbac_enforcer/enforcer.py#L388
https://github.com/openstack/oslo.policy/blob/master/oslo_policy/policy.py#L981