Comment 5 for bug 1039132

Kevin L. Mitchell (klmitch) wrote :

FYI, this should be trivial to fix the right way. Currently, the is_admin check would go through the _check_generic() function in openstack/common/policy.py, but if we added an "is_admin"-specific check, we could correct this without having to stringify in enforce().

In current openstack/common/policy.py code, this would look something like:

    @policy.register('is_admin')
    def _check_is_admin(brain, match_kind, match_value, target_dict, creds_dict):
        return creds_dict['is_admin'] == (match_value.lower() == 'true')

In my pending policy rewrite patch, the above will work fine, but we could also do something like this:

    @policy.register('is_admin')
    class IsAdminCheck(policy.Check):
        def __init__(self, kind, match):
            super(IsAdminCheck, self).__init__(kind, match)
            self.expected = (match.lower() == 'true')

        def __call__(self, target, creds):
            return creds['is_admin'] == self.expected

(See https://review.openstack.org/#/c/14122 for the policy rewrite patch I'm referring to.)
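
Added example, not part of the original comment and not code from openstack/common/policy.py: a stand-alone model of why a generic string comparison fails for a boolean credential and how a dedicated `is_admin` check handles it. The registry, `check_generic`, `evaluate` and the sample contexts are hypothetical stand-ins, and the generic comparison shown is an assumption about the failure mode.

```python
# Stand-alone model. The registry and the generic check are simplified
# assumptions, not the real openstack/common/policy.py implementation.
_checks = {}


def register(kind):
    """Register a check function for one rule kind (hypothetical stand-in)."""
    def decorator(func):
        _checks[kind] = func
        return func
    return decorator


def check_generic(kind, match, target, creds):
    """Assumed generic behaviour: compare the rule text to the credential as-is."""
    return kind in creds and match == creds[kind]


@register('is_admin')
def check_is_admin(kind, match, target, creds):
    """Dedicated check: parse the rule text to a bool, then compare bools."""
    expected = (match.lower() == 'true')
    # Design choice of this example: a context without a real boolean
    # is_admin flag never matches, so the check fails closed.
    return creds.get('is_admin') is expected


def evaluate(rule, target, creds, use_registry=True):
    """Evaluate one 'kind:match' rule against the credentials."""
    kind, match = rule.split(':', 1)
    func = _checks.get(kind) if use_registry else None
    if func is None:
        func = check_generic
    return func(kind, match, target, creds)


# Constructed sample contexts.
ADMIN = {'is_admin': True, 'roles': ['admin']}
USER = {'is_admin': False, 'roles': ['member']}

if __name__ == '__main__':
    for creds in (ADMIN, USER, {}):
        print(creds,
              'generic:', evaluate('is_admin:True', {}, creds, False),
              'dedicated:', evaluate('is_admin:True', {}, creds))
```
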