Comment 5 for bug 1208639

Dolph Mathews (dolph) wrote :

> a domain-scoped token (a.k.a. unscoped token in my worldview)

Unscoped tokens don't carry authorization. A domain-scoped token carries some type of explicit authorization on the domain in the form of roles. How do you propose representing domain-level authorization that keystone hands out freely to every user?

> if I need a domain token for a particular Nova call

Other than for metering purposes, I'm not aware of any use cases for other OpenStack projects to become domain-aware. If there are any such discussions going on, I'd love to hear about them.

> This is why users have a default domain

Users don't have a default domain, but they have a default project ID.