A simple check is to attempt to list domains with a token scoped to the project and domain referenced by admin_project_name and admin_project_domain_name in /etc/keystone.conf and comparing results with a policy-file before and after the change.
The admin_domain_id place-holder is of course replaced with the actual uuid of the domain used in the test.
Using Mitaka Keystone with the v3 sample policy after commit of change https:/ /review. openstack. org/411563 reverts the desired effects of https:/ /review. openstack. org/#/c/ 242232/ and https:/ /blueprints. launchpad. net/keystone/ +spec/is- admin-project
A simple check is to attempt to list domains with a token scoped to the project and domain referenced by admin_project_name and admin_project_ domain_ name in /etc/keystone.conf and comparing results with a policy-file before and after the change.
The admin_domain_id place-holder is of course replaced with the actual uuid of the domain used in the test.
Before the change: common. controller) : 2017-02-01 10:43:29,828 DEBUG RBAC: Adding query filter params () common. controller) : 2017-02-01 10:43:29,828 DEBUG RBAC: Authorizing identity: list_domains( ) common. controller) : 2017-02-01 10:43:29,828 DEBUG RBAC: using auth context from the request environment policy. backends. rules): 2017-02-01 10:43:29,829 DEBUG enforce identity: list_domains: {'is_delegated_ auth': False, 'access_token_id': None, 'user_id': u'47e2b6a7df204 ebfb9e7245e97c2 f345', 'roles': [u'Admin', u'Member'], 'user_domain_id': u'fe4e322a8a694 2f1a8fe7de8167f 0a6f', 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_ id=slIt9et9SWef ByiRQV4Grw, audit_chain_ id=slIt9et9SWef ByiRQV4Grw) at 0x7fae3a9f1be0>, 'project_id': u'10f4dfe3abea4 5d4be6ee11a5793 4f89', 'trust_id': None, 'project_ domain_ id': u'fe4e322a8a694 2f1a8fe7de8167f 0a6f'} common. controller) : 2017-02-01 10:43:29,830 DEBUG RBAC: Authorization granted
(keystone.
(keystone.
(keystone.
(keystone.
(keystone.
After the change: common. controller) : 2017-02-01 10:45:26,059 DEBUG RBAC: Adding query filter params () common. controller) : 2017-02-01 10:45:26,060 DEBUG RBAC: Authorizing identity: list_domains( ) common. controller) : 2017-02-01 10:45:26,060 DEBUG RBAC: using auth context from the request environment policy. backends. rules): 2017-02-01 10:45:26,060 DEBUG enforce identity: list_domains: {'is_delegated_ auth': False, 'access_token_id': None, 'user_id': u'47e2b6a7df204 ebfb9e7245e97c2 f345', 'roles': [u'Admin', u'Member'], 'user_domain_id': u'fe4e322a8a694 2f1a8fe7de8167f 0a6f', 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_ id=Yo3- eosNTHqmjTfDGa9 Hpw, audit_chain_ id=Yo3- eosNTHqmjTfDGa9 Hpw) at 0x7fb75cbaa3c8>, 'project_id': u'10f4dfe3abea4 5d4be6ee11a5793 4f89', 'trust_id': None, 'project_ domain_ id': u'fe4e322a8a694 2f1a8fe7de8167f 0a6f'} _cache_ handler) : 2017-02-01 10:45:26,061 DEBUG Reloading cached file /etc/keystone/ policy. json policy) : 2017-02-01 10:45:26,070 DEBUG Reloaded policy file: /etc/keystone/ policy. json common. wsgi): 2017-02-01 10:45:26,071 WARNING You are not authorized to perform the requested action: identity: list_domains
(keystone.
(keystone.
(keystone.
(keystone.
(oslo_policy.
(oslo_policy.
(keystone.
I believe this is a regression and the change is either incomplete or in error.