`admin_token` is depreciated and recently removed from in paste-ini [1] with a recommendation is to move to using bootstrap. It will be removed entirely by keystone.
The current occurrences of admin_token are:
$ grep -R AdminToken ./* | cut -d: -f1 | sort | uniq
./ceph-rgw.yaml
./keystone.yaml
./network/contrail-base.yaml
./neutron-midonet.yaml
./neutron-plugin-opencontrail.yaml
ceph/rgw have already proposed and merged a patch [2]
[1] https://review.openstack.org/#/c/427878/
[2] https://review.openstack.org/#/c/405625/
excerpt from keystone.conf
# Using this feature is *NOT* recommended. Instead, use the `keystone-manage
# bootstrap` command. The value of this option is treated as a "shared secret"
# that can be used to bootstrap Keystone through the API. This "token" does not
# represent a user (it has no identity), and carries no explicit authorization
# (it effectively bypasses most authorization checks). If set to `None`, the
# value is ignored and the `admin_token` middleware is effectively disabled.
# However, to completely disable `admin_token` in production (highly
# recommended, as it presents a security risk), remove
# `AdminTokenAuthMiddleware` (the `admin_token_auth` filter) from your paste
# application pipelines (for example, in `keystone-paste.ini`). (string value)
# This is deprecated in the M release and will be removed in the O release.
# Use `keystone-manage bootstrap` and remove this from the pipelines below.
Excellent thing. I wanted to propose it for a while. Thanks!