Ask Your Question

Revision history [back]

V3 supports both project scope and domain scope. If you want domain scope, then you need to specifiy domain scope in token request. If you have default project_id setup and if the default project has role assoicated with the user, then no scope impliies project scoped token scoped to "default_project_id". (Current behavior)

This behavior creates another problem. If the user has default_project_id setup, there is no way for him to get unscoped token. This will be addressed in "kilo" release. https://github.com/openstack/keystone-specs/blob/master/specs/kilo/explicit-unscoped.rst