Our intention is for admin auth to be allowed to do anything. That's
accomplished through the built-in admin_statement policy.
Unfortunately, if we assign multiple roles to it, it's possible that a
policy with "effect: deny" for one of those roles will block some
operation, possibly making it impossible to use the admin token to revert
some changes. This commit rejects such Keystone V3 tokens, effectively
forcing a desired configuration of Keystone users and role assignments.