I believe this is by design -- **unless** a global (tenant-less) administrative role is provided -- if no tenant ID is included in the validation response, that's because the token is not scoped to a tenant, and should not be authorized to act upon a tenant. In that case, the user needs to authenticate with keystone for a specific tenant, receive a scoped token, and provide *that* token to glance.
However, if glance is failing to authorize a global admin role, I believe that's a bug in glance, although I'm not sure how it should be resolved.