Please find answer from Haneef Ali:

1) No, there is no difference. Only certain operations are exposed at 5000 and all of them except one is exposed at 35357. In most of the cases you will be fine if you just use 35357

2) You should be authorized to invoke any identity operations. Authorization is defined by the role that the token have. Unscoped token doesn't have any role. So using unsciped token you cannot invoke any opearation.

3) It should not be the case. Are you sure you are using same token and username,password, tenant are same in both the cases

Update 1:

I didn't even notice this so far. I believe it is wrong design

5000:/v2.0/tenants -- Maps to "get_projects_for_token" . This doesn't even care about scope of token.

35357:/v2.0/tenants -- Maps to get_all_tenants which requires scoped token

BTW policy file is used only for v3 apis. These are v2.0 apis, and most of the v2.0 api just use one line from the policy file which is "admin" definition in the policy file

Reference: https://ask.openstack.org/en/question...

Admin-role API ---> 35357

Member-role API -----> 5000

Keystone identity API provides accces to a user at privilage some levels. Just rizz though the concepts of endpoints you will get to know the difference.

For the time being understand that --

1) PORT 35357 is used for authentication for accesing admin privilages via keystone and

2) PORT 5000 is used for public authentication i.e for end users.

Which port is required if i am planning use only swift with keystone ?

Answer is PORT 5000

I wonder how to change port 5000 to http/https ?