Currently, authorization in keystone is explicit in that you must grant users roles on projects or domains in order for them to get tokens scoped to those targets. Another option that might be available to you is to use role inheritance [0]. This API lets you grant roles to users and groups but lets them be inherited by child projects in the hierarchy.
[0] https://developer.openstack.org/api-ref/identity/v3/index.html#os-inherit-api

** Changed in: keystone
   Status: New => Invalid

https://bugs.launchpad.net/bugs/1734117

Title:
  Scoping to project which is not on authentication domain is not working as expected

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  Having user "U" on domain "X" which has the admin role on domain "X" and domain "Y". Domain "X" and domain "Y" have projects "X1" and "Y1" respectively.

  Authenticating with user "U" on domain "X" and scoping to domain "X": OK.
  Authenticating with user "U" on domain "X" and scoping to domain "Y": OK.
  Authenticating with user "U" on domain "X" and scoping to project "X1" belonging to domain "X": OK.
  Authenticating with user "U" on domain "X" and scoping to project "Y1" belonging to domain "Y": FAILS.

  I expect the last authentication to succeed, since the user has the admin role on the domain of the project. This kind of authentication will succeed if the admin role on project "Y" is granted to the user.
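As an added illustration (not keystone's code and not part of this thread), here is a constructed Python model of how effective roles resolve with and without an OS-INHERIT assignment. It holds only the two domain-level admin assignments from the report and assumes a domain-inherited role flows to that domain's projects but not to the domain itself.

```python
# Simplified model of keystone's effective role resolution with OS-INHERIT.
# Constructed for illustration only; it is not keystone's implementation.
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    target: str               # a domain id or a project id
    inherited: bool = False   # OS-INHERIT: applies to the target's child projects, not the target


# Constructed hierarchy mirroring the report: X1 lives in domain X, Y1 in domain Y.
PROJECT_DOMAIN = {"X1": "X", "Y1": "Y"}
DOMAINS = {"X", "Y"}


def effective_roles(assignments, user, scope):
    """Return the roles `user` effectively holds on `scope` (a domain or project id)."""
    roles = set()
    for a in assignments:
        if a.user != user:
            continue
        if scope in DOMAINS:
            # Domain scope: only a direct, non-inherited grant on that domain counts.
            if a.target == scope and not a.inherited:
                roles.add(a.role)
        else:
            # Project scope: a direct grant on the project, or an inherited grant
            # on the project's parent domain. A plain domain grant does NOT flow down.
            if a.target == scope and not a.inherited:
                roles.add(a.role)
            elif a.target == PROJECT_DOMAIN[scope] and a.inherited:
                roles.add(a.role)
    return roles


def can_scope_token(assignments, user, scope):
    """A scoped token is issued only if the user has at least one role on the scope."""
    return bool(effective_roles(assignments, user, scope))


# The reported setup: U holds a direct admin role on domains X and Y only.
REPORTED = [Assignment("U", "admin", "X"), Assignment("U", "admin", "Y")]
# The option from the comment: add an inherited admin grant on domain Y.
WITH_INHERIT = REPORTED + [Assignment("U", "admin", "Y", inherited=True)]

if __name__ == "__main__":
    for label, asg in (("direct only", REPORTED), ("with OS-INHERIT", WITH_INHERIT)):
        for scope in ("X", "Y", "X1", "Y1"):
            ok = "OK" if can_scope_token(asg, "U", scope) else "FAILS"
            print(f"{label:16} scope={scope:3} token={ok}")
```

With only the domain-level grants, neither X1 nor Y1 yields a scoped token; the inherited grant on Y makes Y1 work without touching the domain-scoped result for Y.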