*and* you maintained the original keystone v3 sample policy of:
"cloud_admin": "role:admin and (token.is_admin_project:True or domain_id:<insert domain id here>)",
then it should work as token.is_admin_project utilizes admin_project_name and admin_project_domain_name and is a backwards compatibility for users/processes that make requests with project-scoped tokens.
but as horizon needs a cached copy of keystone's policy and keystone + oslo.policy in mitaka can't handle token.is_admin_project [1][2], it had been removed so as to simplify the process of synchronizing horizon with keystone's policy.
so, to reiterate, using token.is_admin_project here is as a work-around to accommodate users/processes that can't request domain-scoped tokens.
okay, so to add to the further madness/mess... ;)
yes, if you add:
keystone_ keystone_ conf_overrides:
admin_ project_ name: admin
admin_ project_ domain_ name: Default
resource:
*and* you maintained the original keystone v3 sample policy of:
"cloud_admin": "role:admin and (token. is_admin_ project: True or domain_id:<insert domain id here>)",
then it should work as token.is_ admin_project utilizes admin_project_name and admin_project_ domain_ name and is a backwards compatibility for users/processes that make requests with project-scoped tokens.
but as horizon needs a cached copy of keystone's policy and keystone + oslo.policy in mitaka can't handle token.is_ admin_project [1][2], it had been removed so as to simplify the process of synchronizing horizon with keystone's policy.
so, to reiterate, using token.is_ admin_project here is as a work-around to accommodate users/processes that can't request domain-scoped tokens.
[1] https:/ /bugs.launchpad .net/horizon/ +bug/1564851 /bugs.launchpad .net/oslo. policy/ +bug/1547684
[2] https:/
thanks for working this and tolerating our difficult configuration!