api.keystone.is_cloud_admin/is_domain_admin do not work with the latest policy from keystone repo

There were some discussions around this in the team meeting last week [1][2].
[1] http://eavesdrop.openstack.org/meetings/horizon/2017/horizon.2017-12-13-20.00.log.html#l-157
[2] http://eavesdrop.openstack.org/irclogs/%23openstack-horizon/%23openstack-horizon.2017-12-13.log.html#t2017-12-13T21:00:58

One idea is to make the policies used by is_cloud_admin() and is_domain_admin() configurable. We can use 'admin_required' as a default value. It behaves in a backward-compatible way.

I am not sure this is the right direction or not. If we need to do more than the above idea, folks familiar with keystone needs to be involved.

The default behavior for policy in horizon is that if the rule is not defined, the policy engine in horizon returns True which means the action is allowed. I see nowhere that value is overridden. I'm not sure you have found the root of the problem.

https://review.openstack.org/#/c/527668/ sync the policy file from the latest master of keystone repo.
After applying this, you cannot see "Modify Quitas" menu in the project panel.
"Modify Quotas" allowed() method refers to is_cloud_admin() [1], so at least I believe is_cloud_admin() does not work with the latest policy file.

While the root cause might be wrong, is it "Incomplete" bug report?

[1] http://git.openstack.org/cgit/openstack/horizon/tree/openstack_dashboard/dashboards/identity/projects/tables.py#n151

The fix is to remove https://github.com/openstack/horizon/blob/master/openstack_auth/policy.py#L184-192. Those lines are wrong. The default for policy should be to allow, not block.

The other option is to look for a "default" rule definition. If not present, allow. If present evaluate against it. This is closest to current behavior and leaves the option for operators to set a "default" rule in horizon's copy of the policy file.

Fix proposed to branch: master
Review: https://review.openstack.org/530488

Reviewed: https://review.openstack.org/530488
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=54365d7ef1007b3c8373ecb4e591c7f899dbeb98
Submitter: Zuul
Branch: master

commit 54365d7ef1007b3c8373ecb4e591c7f899dbeb98
Author: Radomir Dopieralski <email address hidden>
Date: Fri Dec 29 18:33:20 2017 +0100

    Fix api.keystone.is_cloud_admin/is_domain_admin handling with new policies

    Allow an action if no policy exists for it and there is no default
    policy.

    Change-Id: Ief6dc5ff15a83c70ee171774d1bfc6470c0863d1
    Closes-bug: 1739108

This issue was fixed in the openstack/horizon 13.0.0.0b3 development milestone.

Reviewed: https://review.openstack.org/568545
Committed: https://git.openstack.org/cgit/openstack/django_openstack_auth/commit/?id=ddcfe7a6d4db1b476254b556057756eadd7b097d
Submitter: Zuul
Branch: stable/pike

commit ddcfe7a6d4db1b476254b556057756eadd7b097d
Author: Vladislav Kuzmin <email address hidden>
Date: Tue May 15 14:10:01 2018 +0400

    Allow an action if no policy exists for it and there is no default policy.

    This is a special cherry-pick from horizon master branch
    as openstack_auth was merged into horizon in Queens.

    Closes-bug: 1739108
    (cherry picked from commit 54365d7ef1007b3c8373ecb4e591c7f899dbeb98)

    Change-Id: I94b54b84e22f9c9f0f38adff087c465b558e5e2a

This issue was fixed in the openstack/django_openstack_auth 3.6.1 release.