When service catalog does not include tenant_id in token validation response, users cannot upload images to glance

Bug #927870 reported by Gabe Westmaas
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Glance | Invalid | Undecided | Unassigned | |
| OpenStack Identity (keystone) | Invalid | Undecided | Unassigned | |

Bug Description

While tenant_id *can* be included in the validate token response according to the , it does not need to be. In the case where it isn't, glance cannot identify the tenant and so cannot set the owner correctly, and image upload fails.

Dolph Mathews (dolph) wrote :

I believe this is by design -- **unless** a global (tenant-less) administrative role is provided -- if no tenant ID is included in the validation response, that's because the token is not scoped to a tenant, and should not be authorized to act upon a tenant. In that case, the user needs to authenticate with keystone for a specific tenant, receive a scoped token, and provide *that* token to glance.

However, if glance is failing to authorize a global admin role, I believe that's a bug in glance, although I'm not sure how it should be resolved.

Brian Waldon (bcwaldon) wrote :

Gabriel: were you using a scoped token?

Gabe Westmaas (westmaas) wrote :

Sorry, should have closed this as invalid earlier. It was in fact an unscoped token.

Changed in glance:
status: New → Invalid
Changed in keystone:
status: New → Invalid
Brian Waldon (bcwaldon) wrote :

Do you not think that's a valid use case, for an admin to upload an image? Maybe we could handle the error more gracefully?

Gabe Westmaas (westmaas) wrote :

It may be, but that wasn't the case in what I was testing - and may have worked fine. The reason it didn't work for me was that when it initially registered there was no user associated with the image, so the subsequent upload failed as the owner didn't match and it wasn't public. In the case of an admin it may not matter if the owner matches? Haven't tried it yet.

I guess it would have been good if the image didn't sit in "queued" status and instead errored when the request was made or more obviously.
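
Added example (not part of the original thread and not Glance's or Keystone's code): one way a service could reject an unscoped, non-admin token when the upload request is made, instead of registering an ownerless image that stays queued. The response shape (`access.token.tenant.id`, `access.user.roles[].name`), the `admin` role name, and the policy of recording no owner for a global admin are assumptions.

```python
ADMIN_ROLE = "admin"  # assumption: name of the global (tenant-less) admin role


class UnscopedTokenError(Exception):
    """The token names no tenant and carries no global admin role."""


def identity_from_validation(body):
    """Return (user_id, tenant_id, roles) from a validate-token response.

    Assumed shape: access.token.tenant.id and access.user.roles[].name.
    tenant_id is None when the token is not scoped to a tenant.
    """
    access = body.get("access") or {}
    token = access.get("token") or {}
    user = access.get("user") or {}
    tenant = token.get("tenant") or {}
    tenant_id = tenant.get("id") or None
    roles = {
        str(role.get("name") or "").lower()
        for role in (user.get("roles") or [])
        if isinstance(role, dict)
    }
    roles.discard("")
    return user.get("id"), tenant_id, roles


def owner_for_upload(body):
    """Decide the image owner before anything is registered.

    Returns the tenant id for a scoped token, None for a global admin
    (assumed policy: the image has no owning tenant), and raises
    UnscopedTokenError otherwise so the caller can fail the request early.
    """
    user_id, tenant_id, roles = identity_from_validation(body)
    if user_id is None:
        raise UnscopedTokenError("validation response names no user")
    if tenant_id is not None:
        return tenant_id
    if ADMIN_ROLE in roles:
        return None
    raise UnscopedTokenError(
        "token is not scoped to a tenant; authenticate with keystone "
        "for a specific tenant and retry with the scoped token"
    )
```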
