Ask Your Question

What does "scope" mean in OpenStack? [closed]

asked 2014-10-23 07:28:20 -0500

darren-wang gravatar image

Hi all,

I'm learning v3 API recently, the "scope" of tokens really makes me confused, could anyone tell me what's the difference between domain-scoped, project-scoped, and un-scoped tokens?

I read the docs, it says you will not get catalog, project, domain and some other fields in an un-scoped token, but which one should I choose between domain-scoped and project-scoped tokens?

Also, the "role" concept seems to have scope too, as we can grant a role to a user on a project, also we can grant a role to a user on a domain. Does this mean differences in privilege? Like granting a role to a user on a project means the user can only access resources in this project?

please help me to solve these questions, and I'm very happy to discuss these concepts with you.

edit retag flag offensive reopen merge delete

Closed for the following reason the question is answered, right answer was accepted by darren-wang
close date 2014-11-30 02:33:00.105226

1 answer

Sort by ยป oldest newest most voted

answered 2014-10-23 11:41:05 -0500

updated 2014-10-23 12:50:37 -0500

un-scoped tokens are not that useful at this moment. This is used in horizon console loggin and also in federation.

All the openstack services ( nova/glance/etc) operates on tenant/project. So if you need to do any operation on openstack services you need to get tenant/project scoped tokens

If you need to do any identity operation, you need to get domain-scoped token. Identity operations are keystone REST API. Keystone ships with 2 different policy files. One is a simple policy file and other is v3_cloud_policy file which uses "domain_admin" concepts. Default policy file is the simple policy file which doesn't enforce domain concepts. So if you are running keystone with default policy file, you really don't need domain scoped tokens. Identity operations will work with project scoped tokens too.

To summarize, if you are working with devstack or any other default installation, all you need is "project-scoped" token.

edit flag offensive delete link more


+1 for the expalnation !

Syed Awais Ali gravatar imageSyed Awais Ali ( 2014-10-23 12:00:07 -0500 )edit

wow, thanks!

darren-wang gravatar imagedarren-wang ( 2014-11-02 04:41:32 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2014-10-23 07:28:20 -0500

Seen: 1,167 times

Last updated: Oct 23 '14