> a domain-scoped token (a.k.a. unscoped token in my worldview)
Unscoped tokens don't carry authorization. A domain-scoped token carries some type of explicit authorization on the domain in the form of roles. How do you propose representing domain-level authorization that keystone hands out freely to every user?
> if I need a domain token for a particular Nova call
Other than for metering purposes, I'm not aware of any use cases for other OpenStack projects to become domain-aware. If there are any such discussions going on, I'd love to hear about them.
> This is why users have a default domain
User's don't have a default domain, but they have a default project ID.
> a domain-scoped token (a.k.a. unscoped token in my worldview)
Unscoped tokens don't carry authorization. A domain-scoped token carries some type of explicit authorization on the domain in the form of roles. How do you propose representing domain-level authorization that keystone hands out freely to every user?
> if I need a domain token for a particular Nova call
Other than for metering purposes, I'm not aware of any use cases for other OpenStack projects to become domain-aware. If there are any such discussions going on, I'd love to hear about them.
> This is why users have a default domain
User's don't have a default domain, but they have a default project ID.