Comment 4 for bug 1933332

Like the Keystone bug this is related to https://bugs.launchpad.net/keystone/+bug/968696 which was marked "Fix Released" in Cinder in Liberty and same in Keystone in Train. Thus I'd like to argue that either this is a new issue or regression considering the original bug was closed as fixed.

Personally I think the main issue here is that all the identity documentation is explaining the roles as if they were enforced and safe to use. With note that different projects treating the roles bit differently while the implementation is worked on. I've yet to see a single proper warning that "Hey it's not like you might not have admin rights because the scopes are not enforced, but you might give out global admin rights because the scope is not enforced". Does Cinder actually document somehwere that any admin role gets treated as de-facto admin in Cinder?