Open Stack

Hi,
I have a user with admin role in default domain.
I want to create a project scoped token using this, but getting a 401 error.

Following is the exact setup
Keystone: Juno version using identity v3 APIs
Domain: default
User: admin (has admin role assigned to default domain)
Project: testscope (created inside the default domain)

The curl command to create Project Scoped token:
# curl -k -i -H "Content-Type: application/json" -d '{ "auth": {"identity": {"methods": ["password"],"password": {"user": {"name": "admin","domain": { "id": "default"},"password": "admin" }}}, "scope": { "project": { "name": "testscope", "domain": { "id": "default" }}} }}' https://keystone:5000/v3/auth/tokens?nocatalog

HTTP/1.1 401 Unauthorized
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

But if I assign admin role to the Project then everything works fine.
My question is - why should I assign admin role to the project, even though I am a domain admin?
Shouldn’t a domain admin have access to all projects within it by default?

Thanks
Suresh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20150605/e457f384/attachment.html>