In order to make the 'admin' role more sensible, keystone added a
header to authentication responses X_IS_ADMIN_PROJECT indicating
whether or not a request was authenticated against the administrative
project (in devstack, this is configured to be the 'admin' project).
This patch adds support for the header. It defaults to True if the
header is not set, in accordance with other projects, for the reason
that older keystone deployments (or those where this feature is not
enabled) would otherwise not be useable.
The header is configured by admin_project_name and
admin_project_domain_name in keystone's keystone.conf. If these are
set, a request with the admin role against a non-admin project should
no longer be able to retrieve resources belonging to other tenants even
if all_projects is set. If the keystone options are *not* set, then
all admin-role requests will be able to retrieve resources belonging to
other tenants.
See also https://bugs.launchpad.net/keystone/+bug/968696
Change-Id: Iaa6e6b6e85d0474a9e1fa1cf6c7d8012a9557188
Closes-Bug: #1626589
5d50149aa3