[openstack-dev] [cross_project] Ensuring there is an admin project

Adam Young ayoung at redhat.com
Thu Feb 11 03:11:35 UTC 2016

We have a fix for one of the most egregious bugs in the history of 
Keystone: https://bugs.launchpad.net/keystone/+bug/968696  The only 
problem is, it requires a configuration file change. A deployer needs to 
set the values:


How can we ensure that happens upon upgrade?  Otherwise, we are stuck 
with the existing brokeness.

For devstack, we can do

CONF.resource.admin_project_name = 'admin'
CONF.resource.admin_domain_name = 'Default'

And then, if we want, we would change the default policy files like this:

-"admin_required":"role:admin or is_admin:1",
+"admin_required":"role:admin and token.is_admin_project:True",

How do we make this happen?

More information about the OpenStack-dev mailing list