I have an application that is creating new projects in OpenStack and then resources in those projects, e.g. VMs, nets, etc.

This OpenStack is also used by other users who don't use this app and therefore the app should not be able to access their projects, resources.

Currently the app uses Keystone v2 API and just one admin OpenStack account -- which is the problem.

After reading about Keystone v3 API, I thought that I will just create an OpenStack domain for the app (let's call it app-domain) and the app will be requesting app-domain scoped tokens. I expected that then it will not be possible for the app to access resources outside the domain. But it seems that I am wrong.

What I have done via the API against RDO IceHouse 2014.1.3-3.el6:

• get an unscoped token for the admin user
• using the unscoped token:
  • create the app-domain
  • create a user assigned with the domain (no default project specified)
  • grant the admin role to that domain user
• then I authenticated again, this time as the domain user and I specified scoping of the token to the app-domain

And then with this domain-scoped token I was able to e.g. create a new domain and remove a project that I created via UI, in the v2 "default" domain.

So I probably completely missed the domain concept and scoping. Can you please enlighten me on that and give me some hints whether I can achieve such an (domain) isolation for the app that uses just one OpenStack account?

Thanks a lot!