Please find the answer from Haneef Ali:

1) No, there is no difference. Only certain operations are exposed at 5000, and all of them except one are exposed at 35357. In most cases you will be fine if you just use 35357.

2) You should be authorized to invoke any identity operations. Authorization is defined by the role that the token has. An unscoped token doesn't have any role, so using an unscoped token you cannot invoke any operation.

3) It should not be the case. Are you sure you are using the same token, and that the username, password and tenant are the same in both cases?

Update 1:

I didn't even notice this so far. I believe it is a wrong design.

5000:/v2.0/tenants -- Maps to "get_projects_for_token". This doesn't even care about the scope of the token.

35357:/v2.0/tenants -- Maps to get_all_tenants, which requires a scoped token.

BTW, the policy file is used only for v3 APIs. These are v2.0 APIs, and most of the v2.0 APIs just use one line from the policy file, which is the "admin" definition.

Reference: https://ask.openstack.org/en/question/56243/keystone-authentication-to-publicadmin-port-and-scopedunscoped-token/