Comment 1 for bug 927870

I believe this is by design -- **unless** a global (tenant-less) administrative role is provided -- if no tenant ID is included in the validation response, that's because the token is not scoped to a tenant, and should not be authorized to act upon a tenant. In that case, the user needs to authenticate with keystone for a specific tenant, receive a scoped token, and provide *that* token to glance.

However, if glance is failing to authorize a global admin role, I believe that's a bug in glance, although I'm not sure how it should be resolved.