Sorry for patch formatting is my previous comment. Seems Launchpad mangles spaces. Patch attached instead.
Another issue which is orthogonal to the previous one is that despite having added the following patch to Neutron, 2e621eeb1cdfae5ceb3c83eb6befcb954f0b6cec(*) ("Use to_policy_values for policy enforcement"), Neutron completely ignores the "is_admin_project" value set in the token.
This is because neutron-server builds the request context differently than other projects. Instead of using "from_environ" in oslo_context, it does it itself in it's "NeutronKeystoneContext" class.
The fix is to tell it to look at the X_IS_ADMIN_PROJECT header.
Sorry for patch formatting is my previous comment. Seems Launchpad mangles spaces. Patch attached instead.
Another issue which is orthogonal to the previous one is that despite having added the following patch to Neutron, 2e621eeb1cdfae5 ceb3c83eb6befcb 954f0b6cec( *) ("Use to_policy_values for policy enforcement"), Neutron completely ignores the "is_admin_project" value set in the token.
This is because neutron-server builds the request context differently than other projects. Instead of using "from_environ" in oslo_context, it does it itself in it's "NeutronKeyston eContext" class.
The fix is to tell it to look at the X_IS_ADMIN_PROJECT header.
Patch attached.
* https:/ /github. com/openstack/ neutron/ commit/ 2e621eeb1cdfae5 ceb3c83eb6befcb 954f0b6cec