This is not a bug, it is working as designed. The list grants API only lists explicit grants. If you want to see "effective" grants, you should use he List Assignments API.
** Changed in: keystone Status: In Progress => Invalid -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1583948 Title: getting whole user-roles in domain or project in V3 Status in OpenStack Identity (keystone): Invalid Bug description: If one user joins a group and the group has the domain roles, now, we could not get the whole user-roles from the domain, but the user should have the group-domain roles.(the user belongs to the domain.) Eg. Group1 has role1 in domain1, and the user from domain1 joins the Group1, in fact, in V3, the user should has role1, but actually now, we cannot get roles from /v3/domains/domain1/users/user/roles. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1583948/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp