Closed gtema closed 5 months ago
a new token retrieved from the token is having all roles as expected. Most likely this is caused by delays on identity which is not doing immediate group assignment (something like sleep 1s before getting token after placing user to the group)
@gtema sleep is a bad practice, because we don't know how much time keystone needs to apply groups. Maybe we should add a WARN
/INFO
message in logs and in docs
yeah, but returning not what user is expecting is not much better. It was just a "statement" describing what may be an issue.
issue is that we can't even detect that easily, rather then going through all user groups, collecting their roles and verifying those are present in the token
Refers to: #106
dynamic user created during requesting dynamic creds is placed into the desired user_group, but token does not have roles of this user_group