Ah. There are scoped and unscoped tokens in keystone. Unscoped ones are project-less but can do almost nothing. Project scoped ones usually used.
Most resources in openstack is bound to the project and not the user, so hence the need for scoped tokens.
From: Jordan Liggitt [jliggitt redhat com]
Sent: Thursday, April 14, 2016 9:53 AM
To: Fox, Kevin M; Scott Seago
Cc: Chmouel Boudjnah; OpenShift List Dev
Subject: Re: keystonepasswd auth
I'm not seeing where tenant name is defaulted to the user name. The keystone auth request is a password authentication with the user name and domain name, which uniquely identifies the user (users belong to domains, not tenants/projects)
On Thu, Apr 14, 2016 at 12:20 PM, Fox, Kevin M <Kevin Fox pnnl gov> wrote: