Comment 7 for bug 1023502

Dolph Mathews (dolph) wrote :

We changed this behavior in Grizzly not only in v3, but also in v2. Default tenancy used to be assumed by auth_token but is now applied by keystone during auth.

A default tenant_id attribute on a user no longer grants implicit authorization on a project but instead is assumed as the user's default auth scope if one is not specified. A role must exist to grant the user any authorization on that project or auth will fail.

I'm actually targeting this issue at RC1 because I'm not aware of test coverage of this behavior and I'd like to ensure we have some before it ships -- otherwise the above is just lies :)
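
A small model of the scoping rule described in the comment above, with the cases a regression test would need to cover. This is an added illustration, not Keystone's code and not part of the original comment; `resolve_scope`, `Unauthorized`, `auth_outcomes` and the sample users and role assignments are hypothetical names and constructed data, and the unscoped-token case is an assumption the comment does not state.

```python
class Unauthorized(Exception):
    """Raised when the user holds no role on the project being scoped to."""


def resolve_scope(user, role_assignments, requested_tenant_id=None):
    """Return the tenant_id a token is scoped to, or None for an unscoped token.

    user: dict with 'id' and an optional default 'tenant_id'.
    role_assignments: set of (user_id, tenant_id, role_name) tuples.
    """
    # An explicit scope wins; the default tenant_id is only a fallback scope.
    tenant_id = requested_tenant_id or user.get("tenant_id")
    if tenant_id is None:
        # Assumption: no explicit scope and no default yields an unscoped token.
        return None
    roles = {r for (u, t, r) in role_assignments
             if u == user["id"] and t == tenant_id}
    if not roles:
        # The default tenant_id attribute alone grants no authorization.
        raise Unauthorized("user %s has no role on %s" % (user["id"], tenant_id))
    return tenant_id


# Constructed sample data.
ASSIGNMENTS = {("alice", "proj-a", "member")}
ALICE = {"id": "alice", "tenant_id": "proj-a"}  # default tenant, has a role
BOB = {"id": "bob", "tenant_id": "proj-a"}      # default tenant, no role
CAROL = {"id": "carol"}                         # no default tenant


def auth_outcomes():
    """Evaluate each case; 'denied' marks an authentication failure."""
    cases = {
        "default_with_role": (ALICE, None),
        "default_without_role": (BOB, None),
        "explicit_without_role": (ALICE, "proj-b"),
        "no_default_no_scope": (CAROL, None),
    }
    results = {}
    for name, (user, requested) in cases.items():
        try:
            results[name] = resolve_scope(user, ASSIGNMENTS, requested)
        except Unauthorized:
            results[name] = "denied"
    return results


if __name__ == "__main__":
    for case, outcome in auth_outcomes().items():
        print(case, "->", outcome)
```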