Application credentials do not take account of implied roles

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/keystone/+/893737

I've added a proof of concept in https://review.opendev.org/c/openstack/keystone/+/893737 for a fix. I'd suggest this needs more work before it's worthy of merging, but gives us a workaround.

Whilst I'm not familiar with all of the tokens that get processed here, a brief scan of the methods and those which do or don't take account of implied roles seems to suggest the following:

_get_system_roles -> OK
_get_trust_roles -> OK
_get_oauth_roles (builds on _get_project_roles) -> OK

_get_federated_roles -> NOT OK
_get_domain_roles -> NOT OK
_get_project_roles -> NOT OK
_get_application_credential_roles -> NOT OK
_get_oauth2_credential_roles (builds on _get_project_roles) -> NOT OK

The extent to which this is intentional I'm not sure, but it does feel like there's a bit of repetition here and the best fix might involve some refactoring and some tests for each token type's behaviour with implied roles.

The previous comment can be ignored. I missed that https://opendev.org/openstack/keystone/src/branch/master/keystone/assignment/core.py#L865 mostly deals with implied roles for all of the above. The issue in the application credentials case as it stands is that this returned list is filtered after the implied roles are added, which the patch works around in a similar way to _get_oauth_roles.

I'm facing the same issue. I've kolla-ansible deployment. Any timeline for when it will be resolved? What I observe is that openrc file created with app creds with member, reader roles or any implied roles of these two cannot list servers. Is it expected behaviour?

I'm also facing this issue in a new Bobcat deployment.

Yeah this is a big issue, glance has changed policy to only allow reader role to list images.
Now all the app-creds with member role can't list image.