The problem here is really OpenStack's gerrit plugin thing for LP team integration. It appears to have a cronjob that pulls all members of a Launchpad team, screenscrapes their delegated identity from Person:+index, and adds a permission for that identifier. This doesn't work well for LP accounts with multiple identifiers, usually from a person or SSO account merge, as the delegated identifier may not match the identity of the primary SSO account.
We probably want to expose an API in Launchpad to allow retrieval of team information for a given OpenID identifier, but the correct thing for gerrit to do in the current environment is use the team information from the OpenID response.
The problem here is really OpenStack's gerrit plugin thing for LP team integration. It appears to have a cronjob that pulls all members of a Launchpad team, screenscrapes their delegated identity from Person:+index, and adds a permission for that identifier. This doesn't work well for LP accounts with multiple identifiers, usually from a person or SSO account merge, as the delegated identifier may not match the identity of the primary SSO account.
We probably want to expose an API in Launchpad to allow retrieval of team information for a given OpenID identifier, but the correct thing for gerrit to do in the current environment is use the team information from the OpenID response.