When creating a Token must a scope be supplied if a default project is defined for a given user?
There seems to be some ambiguity about whether not providing a scope will give authorization/scope for the default project defined for a user or not.
V3 supports both project scope and domain scope. If you want domain scope, then you need to specifiy domain scope in token request. If you have default project_id setup and if the default project has role assoicated with the user, then no scope impliies project scoped token scoped to "default_project_id". (Current behavior)
This behavior creates another problem. If the user has default_project_id setup, there is no way for him to get unscoped token. This will be addressed in "kilo" release. https://github.com/openstack/keystone...
Thanks for the reply. Do you have an example of a response when the default_project_id is applied.
Hi, I'm pretty confused by the "scope" in OpenStack, what I wonder is why do we have "scope". what is the difference between domain-scoped token, project-scoped token and un-scoped token?
Asked: 2014-09-02 07:54:13 -0600
Seen: 139 times
Last updated: Sep 02 '14
