When using role assignment through groups, the user cannot use
the application credentials created. This allows looking up
the membership by checking inherited and group assignments.

Conflicts:
This change conflicts with newer branches because most of the
logic in keystone/token/providers/common.py was refactored into
keystone/models/token_model.py during the Rocky release. This
refactor causes the stable/queens version to diverge from
stable/rocky, stable/stein, and stable/train patches, although it
is functionally equivalent to the approach used in later releases.

Change-Id: If1bf5bd785a494923303265797311d42018ba7af
Closes-Bug: #1773967
(cherry picked from commit 14b25bc5d1)
(cherry picked from commit 933ea511d1)
(cherry picked from commit cf83fc1056)