Please find the answer from Haneef Ali:
1) No, there is no difference. Only certain operations are exposed at 5000, and all of them except one are exposed at 35357. In most cases you will be fine if you just use 35357.
2) You should be authorized to invoke any identity operations. Authorization is defined by the role that the token has. An unscoped token doesn't have any role, so using an unscoped token you cannot invoke any operation.
3) It should not be the case. Are you sure you are using the same token, and that the username, password and tenant are the same in both cases?
Update 1:
I didn't even notice this so far. I believe it is a wrong design.
5000:/v2.0/tenants -- Maps to "get_projects_for_token". This doesn't even care about the scope of the token.
35357:/v2.0/tenants -- Maps to get_all_tenants, which requires a scoped token.
BTW, the policy file is used only for v3 APIs. These are v2.0 APIs, and most of the v2.0 APIs just use one line from the policy file, which is the "admin" definition in the policy file.
Reference: https://ask.openstack.org/en/question...
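The following is an added example, not part of the original answer or of Keystone's code. It shows how to tell a scoped v2.0 token from an unscoped one before calling /v2.0/tenants on either port. The function names and both sample responses are constructed, and the JSON layout assumed is the Keystone v2.0 token request and response format.

```python
import json


def auth_body(username, password, tenant_name=None):
    """Body for POST /v2.0/tokens; leaving out tenant_name requests an unscoped token."""
    auth = {"passwordCredentials": {"username": username, "password": password}}
    if tenant_name:
        auth["tenantName"] = tenant_name
    return {"auth": auth}


def token_scope(response):
    """Return (scoped, tenant_name, role_names) read from a v2.0 token response."""
    access = response["access"]
    tenant = access["token"].get("tenant")  # present only on a scoped token
    roles = [r["name"] for r in access.get("user", {}).get("roles", [])]
    return tenant is not None, (tenant or {}).get("name"), roles


def tenants_call_precheck(port, response):
    """Client-side check following the answer above for GET /v2.0/tenants.

    Only the scope requirement is modelled; the server still evaluates the
    "admin" definition from its policy file, which this does not reproduce.
    """
    scoped, _tenant, _roles = token_scope(response)
    if port == 5000:
        return True      # get_projects_for_token: scope is not checked
    if port == 35357:
        return scoped    # get_all_tenants: needs a scoped token
    raise ValueError("expected port 5000 or 35357")


# Constructed sample responses (not captured from a real deployment).
UNSCOPED = {"access": {"token": {"id": "constructed-unscoped"},
                       "user": {"name": "demo", "roles": []},
                       "serviceCatalog": []}}
SCOPED = {"access": {"token": {"id": "constructed-scoped",
                               "tenant": {"id": "t1", "name": "demo-project"}},
                     "user": {"name": "demo", "roles": [{"name": "admin"}]}}}

if __name__ == "__main__":
    print(json.dumps(auth_body("demo", "constructed-password", "demo-project")))
    for label, resp in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        print(label, token_scope(resp),
              {p: tenants_call_precheck(p, resp) for p in (5000, 35357)})
```

If the same credentials behave differently between two calls, comparing the token_scope output for the token used in each call shows whether one of them was issued without a tenant.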