Comment 50 for bug 968696

Adam Young (ayoung) wrote :

With the above commit, we have the framework to start fixing this bug. However, we have to deal with existing deployments that expect the existing behavior.

Each of the projects needs a new version of the policy.json file that reflects the current logic, but with the added check for "is_admin_project" performed against the token. The deployment mechanism (devstack, puppet, etc.) needs to switch over to using the new version of the file, and also to configure the values in the Keystone config file that populate that value on tokens for the appropriate projects.

For existing deployments, there will be some users that had admin on other-than-admin projects and the site administrators need to determine how to deal with this. Are they going to get admin on the admin project, or will they be limited to operations on the existing set of projects that no longer allow the global admin operations?
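
The migration question raised in the comment above, sketched as an added example that is not part of the original comment or of any OpenStack project's code: it compares an assumed old rule (`role:admin`) with an assumed new rule (`role:admin and is_admin_project:True`) over constructed role assignments and lists the users whose admin role would stop granting global admin. The project name `admin`, the sample users, and the helper names are all hypothetical.

```python
# Added illustration; not oslo.policy and not code from any OpenStack project.
ADMIN_PROJECT = "admin"  # assumed name of the project configured as the admin project

# Constructed role assignments: (user, project, role)
ASSIGNMENTS = [
    ("alice", "admin", "admin"),
    ("bob", "payroll", "admin"),
    ("carol", "payroll", "member"),
    ("dave", "admin", "member"),
]


def token_for(user, project, role):
    """Build the credential dict a policy check would see for a scoped token."""
    return {
        "user": user,
        "project": project,
        "roles": [role],
        # Set by the identity service only for tokens scoped to the admin project.
        "is_admin_project": project == ADMIN_PROJECT,
    }


def old_rule(creds):
    # Existing behavior: the admin role on any project passes the check.
    return "admin" in creds["roles"]


def new_rule(creds):
    # New behavior: the admin role counts only on the admin project.
    return "admin" in creds["roles"] and creds["is_admin_project"] is True


def audit(assignments):
    """Return (user, project) pairs that pass the old rule but fail the new one."""
    affected = []
    for user, project, role in assignments:
        creds = token_for(user, project, role)
        if old_rule(creds) and not new_rule(creds):
            affected.append((user, project))
    return affected


if __name__ == "__main__":
    for user, project in audit(ASSIGNMENTS):
        print(f"{user}: admin on '{project}' would no longer grant global admin")
```

Each pair reported by `audit` is a case the site administrators have to decide: grant the user admin on the admin project, or leave them limited to their existing projects.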