So, a tweak on the approach proposed in Comment 39: We are still going to have an admin project specified in the Keystone config. Instead of limiting tokens with the Admin role to that project, we are going to add an extra value to tokens that are scoped to that project: is_admin_project=True.
This addresses the fact that many APIs require Admin scoped to projects, and will handle the multiple roles for managing service- or endpoint-specific admins as well.
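Added example, not part of the original comment and not Keystone's code: a sketch of how a service could tell a cloud-wide admin from a per-project admin once tokens scoped to the configured admin project carry is_admin_project=True. Every function name, the `ADMIN_PROJECT_ID` value and the rule that a cloud admin may also act on project-scoped APIs are assumptions made for illustration.

```python
# Added illustration; all names are hypothetical, not Keystone's implementation.
from dataclasses import dataclass

# Constructed stand-in for the admin project named in the Keystone config.
ADMIN_PROJECT_ID = "admin-project-id"


@dataclass(frozen=True)
class Token:
    user: str
    project_id: str
    roles: frozenset
    is_admin_project: bool = False


def issue_token(user, project_id, roles, admin_project_id=ADMIN_PROJECT_ID):
    """Scope a token to a project; set the flag only for the admin project."""
    return Token(user, project_id, frozenset(roles),
                 is_admin_project=(project_id == admin_project_id))


def is_project_admin(token, target_project_id):
    """Admin role on a token scoped to the project that owns the target."""
    return "admin" in token.roles and token.project_id == target_project_id


def is_cloud_admin(token):
    """Both conditions are required: the admin role alone (any project) or the
    flag alone (a non-admin member of the admin project) is not enough."""
    return "admin" in token.roles and token.is_admin_project


def authorize(token, action_scope, target_project_id=None):
    """action_scope: 'global' for cloud-wide APIs, 'project' for per-project ones."""
    if action_scope == "global":
        return is_cloud_admin(token)
    if action_scope == "project":
        # Assumption: a cloud admin may also operate on any project's resources.
        return is_cloud_admin(token) or is_project_admin(token, target_project_id)
    return False  # unknown scope: deny by default
```
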