Comment 46 for bug 968696

So, a tweak on the approach proposed in Comment 39: We are still going to have an admin project specified in the Keystone config. Instead of limiting tokens with the Admin role to that project, we are going to add an extra value to tokes that are scoped to that project: is_admin_project=True.

This addresses the fact that many APIS require Admin scoped to projects, and will handle the multiple roles for managing service or endpoint specific admins as well.