Revert change 438035 is_admin_project default

This change reverts having is_admin_project default to False [0]
since we currently need to have it revert to True in order to
account for anyone who has not configured an admin project. This
will be truely fixed at a later date.

This also adds comments from another change [1] which clarifies
the for why this should not be changed at this moment.

[0] https://review.openstack.org/#/c/438035/
[1] https://review.openstack.org/#/c/257636/

Partial-Bug: 968696

Change-Id: I039bfc8a41d43634ebad545725b9188a82afb990
Co-Authored-By: Adam Young <ayoung@redhat.com>
Co-Authored-By: Matthew Edmonds <edmondsw@us.ibm.com>
This commit is contained in:
Gage Hugo 2017-05-11 10:34:26 -04:00
parent 6e00d3c94d
commit 4a82ab9065
2 changed files with 9 additions and 4 deletions

View File

@ -192,10 +192,15 @@ class KeystoneToken(dict):
@property
def is_admin_project(self):
# Prevent domain scoped tokens from acting as is_admin_project
if self.domain_scoped:
# Currently, domain scoped tokens cannot act as is_admin_project
return False
return self.get('is_admin_project', False)
# TODO(ayoung/edmondsw): Having is_admin_project default to True is
# essential for fixing bug #968696. If an admin project is not
# configured, we can add checks for is_admin_project:True and not
# block anyone that hasn't configured an admin_project. Do not change
# this until we can assume admin_project is actually set
return self.get('is_admin_project', True)
@property
def trust_id(self):

View File

@ -87,8 +87,8 @@ class TestKeystoneTokenModel(core.TestCase):
self.assertTrue(token_data.scoped)
self.assertTrue(token_data.trust_scoped)
# by default admin project is False for project scoped tokens
self.assertFalse(token_data.is_admin_project)
# by default admin project is True for project scoped tokens
self.assertTrue(token_data.is_admin_project)
self.assertEqual(
[r['id'] for r in self.v3_sample_token['token']['roles']],