I was able to reproduce the problem on the trunk (trunks for Keystone and Glance).
According to my tests, it is not important if the application credentials were created by an admin user or a regular user (with no admin role).
The result is that the access rules are ignored if they are applied to service "identity". But they work for other services as intended. The app creds work as intended otherwise, and setting _only_ OS_AUTH_TYPE=v3applicationcredential, OS_APPLICATION_CREDENTIAL_SECRET=yyyyy, OS_APPLICATION_CREDENTIAL_ID=zzzzzzzzzz is sufficient to authenticate with the user's normal roles. Seems exactly as Simon reported.
BTW, Devstack does not configure service_type=xxxx in [keystone_authtoken] for any of its services, so it needs adding as documentation explains.
Isn't it the case that Keystone API does not have keystonemiddleware in its pipeline?
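To make the observation above concrete, here is an added toy model of how access rules on an application credential are enforced per service; it is constructed for this comment and is not keystone or keystonemiddleware code. It assumes the documented rule shape (service type, HTTP method, path), a simplified path-wildcard semantics (`*` for one segment, `**` for the rest), and that a middleware-protected service with no `service_type` configured in `[keystone_authtoken]` rejects any token that carries access rules; the identity endpoint is modelled as not running the middleware at all, which is the behaviour the report describes.

```python
"""Toy model of application-credential access-rule enforcement.

Constructed illustration for the bug discussion above; not keystone or
keystonemiddleware code. Wildcard semantics and the "no service_type
configured -> reject" behaviour are assumptions, marked below.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AccessRule:
    service: str  # service_type the rule is scoped to, e.g. "image" or "identity"
    method: str   # HTTP verb the rule permits
    path: str     # request path pattern (see _path_match for the assumed wildcards)

    def matches(self, method: str, path: str) -> bool:
        if self.method.upper() != method.upper():
            return False
        return _path_match(self.path, path)


def _path_match(pattern: str, path: str) -> bool:
    """Segment-wise path match.

    Assumed semantics: '*' matches exactly one path segment, '**' matches
    zero or more trailing segments. Anything else must match literally.
    """
    pseg = pattern.strip("/").split("/")
    seg = path.strip("/").split("/")
    for i, p in enumerate(pseg):
        if p == "**":
            return True
        if i >= len(seg):
            return False
        if p != "*" and p != seg[i]:
            return False
    return len(pseg) == len(seg)


def enforce(rules: List[AccessRule], configured_service_type: Optional[str],
            method: str, path: str) -> bool:
    """Decision a keystonemiddleware-protected service would reach.

    - No rules on the token: the app cred simply carries the user's normal
      roles, so the request proceeds to normal policy checks.
    - Rules present but the service has no service_type configured (the
      Devstack default mentioned above): assumed to be rejected, because the
      middleware cannot tell which rules apply to it.
    - Otherwise: allow only if some rule for *this* service_type matches.
    """
    if not rules:
        return True
    if configured_service_type is None:
        return False  # assumption, see docstring
    return any(r.service == configured_service_type and r.matches(method, path)
               for r in rules)


def identity_api_without_middleware(rules: List[AccessRule], method: str,
                                    path: str) -> bool:
    """Keystone's own API as observed in the report.

    The token is validated by keystone itself and keystonemiddleware is not
    in the pipeline, so the rule list is never consulted: a rule scoped to
    service "identity" has no effect here, matching the reported behaviour.
    """
    return True


def demo() -> dict:
    """Run the constructed scenario from the report and return the outcomes."""
    # Constructed access rules: read-only on Glance images, plus a rule that
    # is *meant* to restrict identity calls to listing users.
    rules = [
        AccessRule("image", "GET", "/v2/images/*"),
        AccessRule("identity", "GET", "/v3/users"),
    ]
    return {
        # Glance with service_type = image configured: rules are honoured.
        "glance_get_image": enforce(rules, "image", "GET", "/v2/images/abc"),
        "glance_delete_image": enforce(rules, "image", "DELETE", "/v2/images/abc"),
        # Glance as Devstack configures it (no service_type): rejected.
        "glance_unconfigured": enforce(rules, None, "GET", "/v2/images/abc"),
        # Keystone: the identity rule is ignored, so a DELETE still gets through
        # to normal role-based policy, exactly the symptom reported.
        "keystone_delete_user": identity_api_without_middleware(
            rules, "DELETE", "/v3/users/u1"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Running it shows the Glance rules behaving as documented and the identity rule having no effect, which is the asymmetry described in the comment; the `configured_service_type is None` branch is where the missing Devstack `service_type` setting would bite on services that do run the middleware.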