We have a fix for one of the most egregious bugs in the history of Keystone: https://bugs.launchpad.net/keystone/+bug/968696

The only problem is, it requires a configuration file change. A deployer needs to set the values:

CONF.resource.admin_project_name
CONF.resource.admin_domain_name

How can we ensure that happens upon upgrade? Otherwise, we are stuck with the existing brokenness.

For devstack, we can do

CONF.resource.admin_project_name = 'admin'
CONF.resource.admin_domain_name = 'Default'

And then, if we want, we would change the default policy files like this:


-"admin_required":"role:admin or is_admin:1",
+"admin_required":"role:admin and token.is_admin_project:True",
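
Review bot: the `+` line makes `token.is_admin_project:True` mandatory for `admin_required`, so this default should not ship unless the upgrade also guarantees that `CONF.resource.admin_project_name` and `CONF.resource.admin_domain_name` are set; document that dependency next to the rule, or gate the policy change on both options being present. The same line also drops the `or is_admin:1` alternative, which is a separate behaviour change from adding the project check; call it out explicitly or split it into its own change.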

How do we make this happen?

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
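
One way to check for the mismatch the message asks about before an upgrade, as an added example that is not part of the original email or Keystone's own code. It assumes keystone.conf is INI text with the two options under `[resource]` (following the `CONF.resource` names above) and a JSON policy file shaped like the diff line; the function names and sample inputs are constructed for illustration.

```python
import configparser
import json

# Constructed sample inputs (not taken from a real deployment).
SAMPLE_CONF = """
[resource]
admin_project_name = admin
"""
SAMPLE_POLICY = '{"admin_required": "role:admin and token.is_admin_project:True"}'

# Option names as given in the email (CONF.resource.*).
REQUIRED = ("admin_project_name", "admin_domain_name")


def missing_admin_project_options(conf_text):
    """Return the [resource] options from the email that are unset or empty."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return [opt for opt in REQUIRED
            if not parser.get("resource", opt, fallback="").strip().strip("'\"")]


def rules_using_admin_project(policy_text):
    """Return names of policy rules that reference token.is_admin_project."""
    rules = json.loads(policy_text)
    return sorted(name for name, rule in rules.items()
                  if isinstance(rule, str) and "is_admin_project" in rule)


def upgrade_findings(conf_text, policy_text):
    """List the config/policy mismatches a deployer should resolve on upgrade."""
    missing = missing_admin_project_options(conf_text)
    scoped = rules_using_admin_project(policy_text)
    findings = []
    if scoped and missing:
        findings.append("policy rules %s need [resource] %s set"
                        % (", ".join(scoped), ", ".join(missing)))
    if not scoped:
        findings.append("no policy rule checks token.is_admin_project "
                        "(old admin_required behaviour still in effect)")
    return findings


if __name__ == "__main__":
    for line in upgrade_findings(SAMPLE_CONF, SAMPLE_POLICY) or ["ok"]:
        print(line)
```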
