Change is_admin_project to False by default

Our token model code will return a default of True for
is_admin_project if that attribute is not defined. The
comment next to this says this is for backwards
compatibility, but this seems inherently dangerous.

Closes-Bug: #1652012

Change-Id: I035fe570972764b9c9342d1851654634d681ac5e

keystone/models/token_model.py

@@ -197,11 +197,7 @@ class KeystoneToken(dict):
         if self.domain_scoped:
             # Currently, domain scoped tokens cannot act as is_admin_project
             return False
-
-        # True gets returned by default for compatibility with older versions
-        # TODO(henry-nash): This seems inherently dangerous, and we should
-        # investigate how we can default this to False.
-        return self.get('is_admin_project', True)
+        return self.get('is_admin_project', False)
 
     @property
     def trust_id(self):

keystone/tests/unit/token/test_token_model.py

@@ -87,8 +87,8 @@ class TestKeystoneTokenModel(core.TestCase):
         self.assertTrue(token_data.scoped)
         self.assertTrue(token_data.trust_scoped)
 
-        # by default admin project is True for project scoped tokens
-        self.assertTrue(token_data.is_admin_project)
+        # by default admin project is False for project scoped tokens
+        self.assertFalse(token_data.is_admin_project)
 
         self.assertEqual(
             [r['id'] for r in self.v3_sample_token['token']['roles']],

releasenotes/notes/bug-1652012-b3aea7c0d5affdb6.yaml

@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    [`bug 1652012 <https://bugs.launchpad.net/keystone/+bug/1652012>`_]
+    Changes the token_model to return is_admin_project False if the attribute
+    is not defined. Returning True for this has the potential to be dangerous
+    and the given reason for keeping it True is backwards compatability..