Comment 8 for bug 1614211

To provide background on what Sean said...

Keystone domain vs project scoped tokens: http://docs.openstack.org/admin-guide/keystone-tokens.html

To be more specific, when migrating to policy.v3cloudsample.json, as an example multi-domain policy, domain-scoped tokens become a requirement to operate at a domain-level (eg list domains).

The need might be fulfilled as easily as adding a configuration variable/override to allow a user to configure OSA to request domain-scoped tokens or might be as difficult as refactoring the affected OSA role(s) so as to even allow domain-scoped tokens (both of which examples I totally made up, so please forgive me if my work estimates are horribly off).