Hybrid Cloud Console / RHCLOUD-35563

Principal user IDs can be created for the wrong username

    • CRCPLAN-232 - Kessel | PRBAC v2 Service Provider Migration Enablement (Internal)

In get_principal:

    principal, _ = Principal.objects.get_or_create(
        username=username, tenant=tenant, defaults={"user_id": request.user.user_id}
    )  # pylint: disable=unused-variable

This takes the user ID from the request, but the username is not always the user making the request.

For example, in

    def obtain_groups_in(obj, request):

the username may come from a request parameter:

    principal = get_principal(username_param or request.user.username, request)

This would associate the username with a different, duplicate user_id (e.g. the user ID of the admin making the request about another user).

To fix this we probably need to pass in the user_id as well. However, the caller may not always have it, and in that case creation would fail. If creation should succeed anyway (i.e. if it is a cross-account Principal, which does NOT have a user_id), this would need to be parameterized as explicitly okay.

Service accounts will need a similar change eventually, but this can be handled with RHCLOUD-35541.
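The following is an added example, not code from this issue or from the project it describes. It uses an in-memory stand-in for Principal.objects.get_or_create (keyed on username and tenant, as the snippet above is) to reproduce the duplicate user_id problem, and then shows a get_principal that requires the caller to pass user_id, with a hypothetical allow_missing_user_id flag for the cross-account case. All names (PrincipalTable, User, Request, the "acme"/"bob" sample data, and the extra mismatch guard in the fixed version) are constructed for the demo and are assumptions, not the project's API.

```python
"""Constructed demo of the RHCLOUD-35563 bug and the proposed fix shape.
Nothing here is the project's own code; the table is a stand-in for the ORM."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Principal:
    username: str
    tenant: str
    user_id: Optional[str]


class PrincipalTable:
    """Minimal stand-in for the Django manager: rows keyed on (username, tenant),
    mirroring the lookup keys used by get_or_create in the report."""

    def __init__(self):
        self.rows = {}

    def get_or_create(self, username, tenant, defaults=None):
        key = (username, tenant)
        if key in self.rows:
            return self.rows[key], False
        row = Principal(username, tenant, (defaults or {}).get("user_id"))
        self.rows[key] = row
        return row, True


@dataclass
class User:
    username: str
    user_id: str


@dataclass
class Request:
    user: User
    tenant: str


def get_principal_buggy(table, username, request):
    # Reported behaviour: user_id is always taken from the requesting user,
    # even when `username` names somebody else.
    principal, _ = table.get_or_create(
        username=username, tenant=request.tenant,
        defaults={"user_id": request.user.user_id},
    )
    return principal


def get_principal_fixed(table, username, request, user_id=None,
                        allow_missing_user_id=False):
    """The caller supplies user_id for the named user. Creating a Principal with
    no user_id is only allowed when the caller opts in explicitly (hypothetical
    flag standing in for the 'explicitly okay' parameter the report suggests)."""
    if user_id is None and not allow_missing_user_id:
        raise ValueError(f"refusing to create principal {username!r} without a user_id")
    principal, created = table.get_or_create(
        username=username, tenant=request.tenant, defaults={"user_id": user_id}
    )
    # Extra guard (assumption, not in the report): an existing row must not be
    # silently returned for a different user_id than the caller asked about.
    if not created and user_id is not None and principal.user_id != user_id:
        raise ValueError(f"principal {username!r} is bound to a different user_id")
    return principal


def demo():
    admin = User(username="admin", user_id="uid-admin")
    request = Request(user=admin, tenant="acme")  # admin acting on user "bob"

    buggy = PrincipalTable()
    p = get_principal_buggy(buggy, "bob", request)
    duplicate = p.user_id == admin.user_id  # True: bob now carries admin's user_id

    fixed = PrincipalTable()
    rejected = False
    try:
        get_principal_fixed(fixed, "bob", request)  # no user_id, no opt-in
    except ValueError:
        rejected = True
    q = get_principal_fixed(fixed, "bob", request, user_id="uid-bob")
    cross = get_principal_fixed(fixed, "cross@other", request,
                                allow_missing_user_id=True)
    return duplicate, rejected, q.user_id, cross.user_id


if __name__ == "__main__":
    print(demo())
```

demo() returns a tuple: whether the buggy path bound "bob" to the admin's user_id, whether the fixed path rejected the call that lacked a user_id, the user_id stored for "bob" under the fixed path, and the (absent) user_id of the explicitly allowed cross-account principal.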

rhit-ahenning Alec Henninger