Comment 24 for bug 1614211

okay, so to add to the further madness/mess... ;)

yes, if you add:

    keystone_keystone_conf_overrides:
        resource:
            admin_project_name: admin
            admin_project_domain_name: Default

*and* you maintained the original keystone v3 sample policy of:

    "cloud_admin": "role:admin and (token.is_admin_project:True or domain_id:<insert domain id here>)",

then it should work as token.is_admin_project utilizes admin_project_name and admin_project_domain_name and is a backwards compatibility for users/processes that make requests with project-scoped tokens.

but as horizon needs a cached copy of keystone's policy and keystone + oslo.policy in mitaka can't handle token.is_admin_project [1][2], it had been removed so as to simplify the process of synchronizing horizon with keystone's policy.

so, to reiterate, using token.is_admin_project here is as a work-around to accommodate users/processes that can't request domain-scoped tokens.

[1] https://bugs.launchpad.net/horizon/+bug/1564851
[2] https://bugs.launchpad.net/oslo.policy/+bug/1547684

thanks for working this and tolerating our difficult configuration!