This (presumably) pretty basic question tortures me for several months
already, so I kindly seek for help here.
I'm working on a Flask-based service  and I'd like to use Keystone
tokens for authentication. This is an admin-only API, so we need to
check for an admin role. We ended up with code  first accessing
Keystone with a given token and (configurable) admin tenant name, then
checking 'admin' role. Things went well for a while.
Now I'm writing an Ironic driver accessing API of . Pretty naively I
was trying to use an Ironic service user credentials, that we use for
accessing all other services. For TripleO-based installations it's a
user with name 'ironic' and a special tenant 'service'. Here is where
problems are. Our code perfectly authenticates a mere user (that has
tenant 'admin'), but asks Ironic to go away.
We've spent some time researching documentation and keystone middleware
source code, but didn't find any more clues. Neither did we find a way
to use keystone middleware without rewriting half of project. What we
need is 2 simple things in a simple Flask application:
1. validate a token
2. make sure it belongs to admin
I'll thankfully appreciate any ideas how to fix our situation.
Thanks in advance!
OpenStack Development Mailing List (not for usage questions)