Comment 57 for bug 968696

I have a question about this specific feature (use of the is_project_admin flag in the tokens), and most of all the ability to leverage that in Keystone policy and the other service policy files.

I’m running this build:
openstack-keystone-9.0.0.0b4-0.20160304193251.9d6ab5d.el7.centos.noarch

In my keystone policy file, I did this:

  "admin_required": "role:admin and is_admin_project",
   ….
  "identity:list_domains": "rule:admin_required",

I set up the two variables (admin_project_domain_name and admin_project_name) in keystone.conf, and I can obtain a token for a user in the admin project. In the token response, I can see the is_admin_project: true flag which is good.

Somehow though, I get 403 when I try a get /v3/domains with that token.

I’m just looking to see if the code for the policies to leverage that flag is already in in build 9.0.0.0b4?

From the discussion above, it appears policy changes in the other services has not been merged yet so I'm sticking to just experimenting with Keystone's apis themselves first.