From 4a82ab9065a659bbcb838240da113a0509f651aa Mon Sep 17 00:00:00 2001
From: Gage Hugo <gagehugo@gmail.com>
Date: Thu, 11 May 2017 10:34:26 -0400
Subject: [PATCH] Revert change 438035 is_admin_project default

This change reverts having is_admin_project default to False [0]
since we currently need to have it revert to True in order to
account for anyone who has not configured an admin project. This
will be truely fixed at a later date.

This also adds comments from another change [1] which clarifies
the for why this should not be changed at this moment.

[0] https://review.openstack.org/#/c/438035/
[1] https://review.openstack.org/#/c/257636/

Partial-Bug: 968696

Change-Id: I039bfc8a41d43634ebad545725b9188a82afb990
Co-Authored-By: Adam Young <ayoung@redhat.com>
Co-Authored-By: Matthew Edmonds <edmondsw@us.ibm.com>
---
 keystone/models/token_model.py                | 9 +++++++--
 keystone/tests/unit/token/test_token_model.py | 4 ++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/keystone/models/token_model.py b/keystone/models/token_model.py
index c869a6308c..00d5429e66 100644
--- a/keystone/models/token_model.py
+++ b/keystone/models/token_model.py
@@ -192,10 +192,15 @@ class KeystoneToken(dict):
 
     @property
     def is_admin_project(self):
+        # Prevent domain scoped tokens from acting as is_admin_project
         if self.domain_scoped:
-            # Currently, domain scoped tokens cannot act as is_admin_project
             return False
-        return self.get('is_admin_project', False)
+        # TODO(ayoung/edmondsw): Having is_admin_project default to True is
+        # essential for fixing bug #968696. If an admin project is not
+        # configured, we can add checks for is_admin_project:True and not
+        # block anyone that hasn't configured an admin_project. Do not change
+        # this until we can assume admin_project is actually set
+        return self.get('is_admin_project', True)
 
     @property
     def trust_id(self):
diff --git a/keystone/tests/unit/token/test_token_model.py b/keystone/tests/unit/token/test_token_model.py
index 702953ab8c..75b7a06201 100644
--- a/keystone/tests/unit/token/test_token_model.py
+++ b/keystone/tests/unit/token/test_token_model.py
@@ -87,8 +87,8 @@ class TestKeystoneTokenModel(core.TestCase):
         self.assertTrue(token_data.scoped)
         self.assertTrue(token_data.trust_scoped)
 
-        # by default admin project is False for project scoped tokens
-        self.assertFalse(token_data.is_admin_project)
+        # by default admin project is True for project scoped tokens
+        self.assertTrue(token_data.is_admin_project)
 
         self.assertEqual(
             [r['id'] for r in self.v3_sample_token['token']['roles']],