Encountered the same with a federation use-case. A user doesn't have direct role assignments for a project and the user is also not present in a group (in the keystone db) that has a role assignment on the project. However, the federated domain-scoped token and a project-scoped token created based on the federated one both have group membership information present => the user has the Member role on the project.
Trying to create an application credential (from Horizon) results in the following logged at the Keystone side:
(keystone.policy.backends.rules): 2019-05-14 09:01:42,703 DEBUG enforce identity:create_application_credential: {'trust_id': None, 'trustor_id': None, 'trustee_id': None, 'domain_id': None, 'domain_name': None, 'group_ids': ['a82a32cc8c8540afb47d0f568d035e91'], 'token': <TokenModel (audit_id=EhAR7yT8Q4-W1TURPGeXrg, audit_chain_id=['EhAR7yT8Q4-W1TURPGeXrg']) at 0x7f5b466ce550>, 'user_id': '7c2cd54542714c82a0854d4b159deaf2', 'user_domain_id': 'Federated', 'system_scope': None, 'project_id': '07d0c2ef8af340a9b2e07d2f82d5a65a', 'project_domain_id': '4787f8cd807f4d67bf5bf70b84fd3dc2', 'roles': ['Member'], 'is_admin_project': False, 'service_user_id': None, 'service_user_domain_id': None, 'service_project_id': None, 'service_project_domain_id': None, 'service_roles': []}
(keystone.common.wsgi): 2019-05-14 09:01:33,026 WARNING Invalid application credential: Could not find role assignment with role: f82ad8932d8f4f69ab4199aee3b4b736, user or group: 7c2cd54542714c82a0854d4b159deaf2, project, domain, or system: 07d0c2ef8af340a9b2e07d2f82d5a65a.
f82ad8932d8f4f69ab4199aee3b4b736 - Member role (global, domain == None)
7c2cd54542714c82a0854d4b159deaf2 - a shadow-mapped (federated) user
07d0c2ef8af340a9b2e07d2f82d5a65a - the target project.