Automation Hub / AAH-478

'AnonymousUser' shows User.is_anonymous = False breaking some drf-access-policy

    • Bug
    • Resolution: Done
    • Normal
    • 4.4cloud01
    • 1.2.3, 2.0
    • Backend
    • None
    • AAH Sprint 7, AAH Sprint 8

      (This may likely be a pulp_container issue, but noting here)

      'AnonymousUser' is a User object that gets created by pulp_container, it seems.

      For token auth that fails, it returns an 'AnonymousUser' for the user of the request, but an instance of the galaxy User obj for the username='AnonymousUser' has an `is_anonymous` property that returns 'False'.

      This causes problems in drf-access-policy, because it checks the User.is_anonymous property to match against 'anonymous' in the access control permission statement.

      See https://github.com/rsinger86/drf-access-policy/blob/master/rest_access_policy/access_policy.py#L99-L106

      I'm guessing pulp_container creates and persists an instance of the class django.contrib.auth.models.AnonymousUser. The class has an is_anonymous property that should be true.

      But when saved to galaxy_user, and loaded from the galaxy_user table, it is just a generic User and not an AnonymousUser, and generic User.is_anonymous defaults to False.


              cspealma@redhat.com Clara Spealman (Inactive)
              rh-ee-alikins Adrian Likins (Inactive)
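
The mismatch this issue describes, as an added example that is not code from the report, galaxy_ng, pulp_container or drf-access-policy. The two classes are stand-ins for Django's in-memory `AnonymousUser` and a row loaded from `galaxy_user`, the matcher is a simplified model of the `is_anonymous` principal check the issue links to, and `POLICY` and `is_effectively_anonymous` are constructed and hypothetical.

```python
SENTINEL_USERNAME = "AnonymousUser"  # username quoted in the issue


class InMemoryAnonymousUser:
    """Stand-in for django.contrib.auth.models.AnonymousUser (never saved)."""
    pk = None
    username = ""
    is_anonymous = True


class PersistedUser:
    """Stand-in for a galaxy User row loaded from the galaxy_user table."""
    is_anonymous = False  # generic User default, whatever the username says

    def __init__(self, pk, username):
        self.pk = pk
        self.username = username


def matching_statements(user, statements):
    """Simplified model of matching 'anonymous' / 'authenticated' principals."""
    matched = []
    for stmt in statements:
        principals = stmt["principal"]
        if "*" in principals:
            matched.append(stmt)
        elif "authenticated" in principals and not user.is_anonymous:
            matched.append(stmt)
        elif "anonymous" in principals and user.is_anonymous:
            matched.append(stmt)
    return matched


def allowed_actions(user, statements):
    """Actions granted by the 'allow' statements whose principal matched."""
    return sorted(action for stmt in matching_statements(user, statements)
                  if stmt["effect"] == "allow" for action in stmt["action"])


def is_effectively_anonymous(user):
    """Hypothetical guard: also treat the persisted sentinel row as anonymous."""
    return bool(user.is_anonymous) or user.username == SENTINEL_USERNAME


# Constructed policy for illustration only.
POLICY = [
    {"action": ["list"], "principal": ["anonymous"], "effect": "allow"},
    {"action": ["create", "destroy"], "principal": ["authenticated"], "effect": "allow"},
]
```

With this model, the reloaded 'AnonymousUser' row is matched by the `authenticated` statement and missed by the `anonymous` one, which is the inversion the report points at.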