To be more specific, when migrating to policy.v3cloudsample.json, as an example multi-domain policy, domain-scoped tokens become a requirement to operate at a domain-level (eg list domains).
The need might be fulfilled as easily as adding a configuration variable/override to allow a user to configure OSA to request domain-scoped tokens or might be as difficult as refactoring the affected OSA role(s) so as to even allow domain-scoped tokens (both of which examples I totally made up, so please forgive me if my work estimates are horribly off).
To provide background on what Sean said...
Keystone domain vs project scoped tokens: http:// docs.openstack. org/admin- guide/keystone- tokens. html
To be more specific, when migrating to policy. v3cloudsample. json, as an example multi-domain policy, domain-scoped tokens become a requirement to operate at a domain-level (eg list domains).
The need might be fulfilled as easily as adding a configuration variable/override to allow a user to configure OSA to request domain-scoped tokens or might be as difficult as refactoring the affected OSA role(s) so as to even allow domain-scoped tokens (both of which examples I totally made up, so please forgive me if my work estimates are horribly off).