After setting the admin_project_name = admin and admin_project_domain_name = Default in keystone.conf, I generated some tokens in the admin project. Then I validated the tokens. These tokens properly include the is_admin_project: true information.
Correct token: http://paste.openstack.org/show/591031/
Then I switched to the "bob" project and generated and then validated a token. I was admin in both projects. My "bob" project token is missing the is_admin_project field completely. This unfortunately then causes the oslo.context middleware to assume that you are in an admin project (context assumes missing = true).
Bob token, aka, where's the is_admin_project_field?: http://paste.openstack.org/show/591034/
We're on stable/newton running on commit 3609439599571a5919c4e1d328c1f06a8e4422c9
So sorry. Due to some confusion about the environment we we're actually on Mitaka and hence missing this fix, which will resolve this.
a5dd5609 (Marek Denis 2015-07-31 10:43:22 +0200 332) This method does not return anything, yet it modifies token_data in
a5dd5609 (Marek Denis 2015-07-31 10:43:22 +0200 333) place.
a5dd5609 (Marek Denis 2015-07-31 10:43:22 +0200 334)
mfischer@
commit ed634e8cdcdf385
Author: Jamie Lennox <email address hidden>
Date: Wed May 4 14:30:56 2016 +1000
Always add is_admin_project if admin project defined
By only setting is_admin_project in the token if it is true we are
unable to distinguish in policy enforcement if the admin project is not
defined in configuration or if the current scope is not the admin
project.
If the admin project is defined in config we should always set the
is_
backwards compatible policy files in projects.
Change-Id: Icdfc4f4792422a
Closes-Bug: #1577996