Revision history [back]

un-scoped tokens are not that useful at this moment. This is used for horizon logging and also in federation.

All the openstack services ( nova/glance/etc) operates on tenant/project. So if you need to do any operation on openstack servics you need to get tenant/project scoped tokens

If you need to do any identity operation, you need to get domain-scoped token. Identity operations are keystone REST API. Keystone ships with 2 different policy files. One is a simple policy file and other is v3_cloud_policy file which uses "domain_admin" concepts. Default policy file is the simple policy file which doesn't enforce domain concepts. So if you are running keystone with default policy file, you really don't need domain scoped tokens. Identity operations will work with project scoped tokens too.

To summarize, if you are working with devstack or any other default installation, all you need is "project-scoped" token.

un-scoped tokens are not that useful at this moment. This is used for horizon logging and also in federation.

All the openstack services ( nova/glance/etc) operates on tenant/project. So if you need to do any operation on openstack servics services you need to get tenant/project scoped tokens

If you need to do any identity operation, you need to get domain-scoped token. Identity operations are keystone REST API. Keystone ships with 2 different policy files. One is a simple policy file and other is v3_cloud_policy file which uses "domain_admin" concepts. Default policy file is the simple policy file which doesn't enforce domain concepts. So if you are running keystone with default policy file, you really don't need domain scoped tokens. Identity operations will work with project scoped tokens too.

To summarize, if you are working with devstack or any other default installation, all you need is "project-scoped" token.

un-scoped tokens are not that useful at this moment. This is used for in horizon logging console loggin and also in federation.

All the openstack services ( nova/glance/etc) operates on tenant/project. So if you need to do any operation on openstack services you need to get tenant/project scoped tokens

If you need to do any identity operation, you need to get domain-scoped token. Identity operations are keystone REST API. Keystone ships with 2 different policy files. One is a simple policy file and other is v3_cloud_policy file which uses "domain_admin" concepts. Default policy file is the simple policy file which doesn't enforce domain concepts. So if you are running keystone with default policy file, you really don't need domain scoped tokens. Identity operations will work with project scoped tokens too.

To summarize, if you are working with devstack or any other default installation, all you need is "project-scoped" token.