Comment 3 for bug 1431015

Samuel de Medeiros Queiroz (samueldmq) wrote :

The method _get_domain_id_for_list_request retrieves the domain_id in the case that domain specific backends are being used.

In the described case, there are two reasons that may raise a 401 Unauthorized:

i) the policy rule for "identity:list_users": "rule:admin_required" or "identity:list_groups": "rule:admin_required" (depending on the request) is not being satisfied, i.e., the provided user does not have the admin role on the specified project or domain;
ii) the provided token is not domain scoped.

If the user "root" is assigned the "admin" role on the project "ibm-default", the described request should not fail for reason i).

However, the provided request shows a project scoped token, which will fail since 'domain' is not in 'scope' (but 'project' is) [1].

---

In Keystone v3, if domain specific backends are not being used, we allow users and groups to be listed regardless of whether the token is scoped to a project or a domain.

We should allow the same (for v3 tokens) when domain specific backends are enabled.
In the case of a project scoped token, the domain_id could be obtained by calling the project_domain_id property of KeystoneToken.

[1] https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L656-L661
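Added example (not part of this comment, and not Keystone's own code): a simplified model of how the domain_id for a v3 list request is derived from token scope when domain specific backends are enabled. It puts the behaviour the comment describes (a project scoped token carries no domain in its scope, so the request gets 401 Unauthorized) beside the proposed behaviour (fall back to the domain that owns the project via project_domain_id). The Token class, the Unauthorized exception, the function names and the domain_specific_drivers_enabled parameter are stand-ins constructed for illustration; the tokens built in demo() are constructed data shaped like the scenario in the bug report, not real tokens.

```python
"""Model of domain_id resolution for a v3 list request (added example).

Hypothetical simplified stand-in for Keystone's logic; names are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


class Unauthorized(Exception):
    """Stand-in for the 401 Unauthorized the comment describes (assumption)."""


@dataclass
class Token:
    """Minimal stand-in for KeystoneToken: only the scope attributes matter."""
    domain_id: Optional[str] = None          # set when the token is domain scoped
    project_id: Optional[str] = None         # set when the token is project scoped
    project_domain_id: Optional[str] = None  # domain that owns the project

    @property
    def domain_scoped(self) -> bool:
        return self.domain_id is not None

    @property
    def project_scoped(self) -> bool:
        return self.project_id is not None


def domain_id_for_list_request_current(token, query_domain_id=None,
                                       domain_specific_drivers_enabled=True):
    """Behaviour described in the comment: without a domain_id filter, only a
    domain scoped token yields a domain; a project scoped token is rejected."""
    if not domain_specific_drivers_enabled:
        return None  # single backend: no domain needed to pick a driver
    if query_domain_id is not None:
        return query_domain_id  # explicit ?domain_id= filter wins
    if token.domain_scoped:
        return token.domain_id
    raise Unauthorized("no domain information in list request")


def domain_id_for_list_request_proposed(token, query_domain_id=None,
                                        domain_specific_drivers_enabled=True):
    """Proposed behaviour: a project scoped token resolves to the domain that
    owns the project, so listing works with either scope, as it already does
    when domain specific backends are disabled."""
    if not domain_specific_drivers_enabled:
        return None
    if query_domain_id is not None:
        return query_domain_id
    if token.domain_scoped:
        return token.domain_id
    if token.project_scoped:
        return token.project_domain_id  # the fallback the comment proposes
    raise Unauthorized("token is neither domain nor project scoped")


def demo():
    """Run both variants over constructed tokens; '401' marks a rejection."""
    # Constructed tokens shaped like the report: "root" with a project scoped
    # token on project "ibm-default", which lives in domain "default".
    tokens = {
        "project": Token(project_id="ibm-default", project_domain_id="default"),
        "domain": Token(domain_id="default"),
        "unscoped": Token(),
    }
    variants = {
        "current": domain_id_for_list_request_current,
        "proposed": domain_id_for_list_request_proposed,
    }
    results = {}
    for scope, tok in tokens.items():
        for name, fn in variants.items():
            try:
                results[(scope, name)] = fn(tok)
            except Unauthorized:
                results[(scope, name)] = "401"
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(key, "->", value)
```

The only difference between the two functions is the extra project_scoped branch; an explicit domain_id filter and a domain scoped token behave identically in both, so the change widens what is accepted without altering which domain an already-working request is routed to.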