Oslo.policy folks, I have been developing Swift's RBAC using oslo.policy[1]. It is necessary to check for service_roles(HTTP_X_SERVICE_ROLES)[2] in this patch. Current implementation looks if rule string starts with 'role', check the string whether the string is in 'roles' of the credential. https://github.com/openstack/oslo.policy/blob/master/oslo_policy/_checks.py#L244 I think service_roles should be in the credential as same as the roles so I need to have new Check class for the service_roles. I was wondering if you have a plan to extend it for the service_roles. So far, I implemented ServiceRoleCheck class keystoneauth.py#L757 in [1] but it's better to be in oslo.policy. [1] https://review.openstack.org/#/c/149930/ [2] https://github.com/openstack/keystone-specs/blob/master/specs/keystonemiddleware/implemented/service-tokens.rst Thanks in advance, Hisashi Osanai