Diffstat (limited to 'keystone/common/controller.py')
-rw-r--r--keystone/common/controller.py58
1 files changed, 31 insertions, 27 deletions
diff --git a/keystone/common/controller.py b/keystone/common/controller.py
index affc34de..90818fb4 100644
--- a/keystone/common/controller.py
+++ b/keystone/common/controller.py
@@ -3,11 +3,10 @@ import functools
import uuid
from keystone.common import dependency
-from keystone.common import logging
from keystone.common import wsgi
from keystone import config
from keystone import exception
-
+from keystone.openstack.common import log as logging
LOG = logging.getLogger(__name__)
CONF = config.CONF
@@ -169,6 +168,10 @@ class V2Controller(wsgi.Application):
self._delete_tokens_for_trust(trust['trustee_user_id'],
trust['id'])
+ def _delete_tokens_for_project(self, project_id):
+ for user_ref in self.identity_api.get_project_users(project_id):
+ self._delete_tokens_for_user(user_ref['id'], project_id=project_id)
+
def _require_attribute(self, ref, attr):
"""Ensures the reference contains the specified attribute."""
if ref.get(attr) is None or ref.get(attr) == '':
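Review bot: `_delete_tokens_for_project` is added without a docstring, and nothing states which tokens it covers: it only reaches users that `identity_api.get_project_users(project_id)` returns. If that call omits users whose access to the project comes through another path (not visible in this hunk, so this needs confirming), their project-scoped tokens would remain valid after the call. I would add a docstring such as `"""Revoke the project-scoped tokens of every user returned by get_project_users()."""` and a test asserting that a token issued before the call is rejected afterwards. `_delete_tokens_for_user` and the start of `V2Controller` are outside the hunk, so how errors for a single user affect the rest of the loop cannot be judged from here.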
@@ -300,34 +303,35 @@ class V3Controller(V2Controller):
ref['id'] = uuid.uuid4().hex
return ref
+ def _get_domain_id_for_request(self, context):
+ """Get the domain_id for a v3 call."""
+
+ if context['is_admin']:
+ return DEFAULT_DOMAIN_ID
+
+ # Fish the domain_id out of the token
+ #
+ # We could make this more efficient by loading the domain_id
+ # into the context in the wrapper function above (since
+ # this version of normalize_domain will only be called inside
+ # a v3 protected call). However, this optimization is probably not
+ # worth the duplication of state
+ try:
+ token_ref = self.token_api.get_token(
+ token_id=context['token_id'])
+ except exception.TokenNotFound:
+ LOG.warning(_('Invalid token in _get_domain_id_for_request'))
+ raise exception.Unauthorized()
+
+ if 'domain' in token_ref:
+ return token_ref['domain']['id']
+ else:
+ return DEFAULT_DOMAIN_ID
+
def _normalize_domain_id(self, context, ref):
"""Fill in domain_id if not specified in a v3 call."""
-
if 'domain_id' not in ref:
- if context['is_admin']:
- ref['domain_id'] = DEFAULT_DOMAIN_ID
- else:
- # Fish the domain_id out of the token
- #
- # We could make this more efficient by loading the domain_id
- # into the context in the wrapper function above (since
- # this version of normalize_domain will only be called inside
- # a v3 protected call). However, given that we only use this
- # for creating entities, this optimization is probably not
- # worth the duplication of state
- try:
- token_ref = self.token_api.get_token(
- token_id=context['token_id'])
- except exception.TokenNotFound:
- LOG.warning(_('Invalid token in normalize_domain_id'))
- raise exception.Unauthorized()
-
- if 'domain' in token_ref:
- ref['domain_id'] = token_ref['domain']['id']
- else:
- # FIXME(henry-nash) Revisit this once v3 token scoping
- # across domains has been hashed out
- ref['domain_id'] = DEFAULT_DOMAIN_ID
+ ref['domain_id'] = self._get_domain_id_for_request(context)
return ref
def _filter_domain_id(self, ref):
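Review bot: The `else` branch of `_get_domain_id_for_request` silently returns `DEFAULT_DOMAIN_ID` for any token that has no `domain` key, and the commit drops the `FIXME(henry-nash)` comment that marked this fallback as provisional. Because the lookup is now a standalone helper rather than code used only when creating entities, a caller that uses the result for filtering or access decisions would treat such tokens as belonging to the default domain. I would keep the marker on the fallback, e.g. `# FIXME(henry-nash): revisit once v3 token scoping across domains is settled`, and have the docstring list the three outcomes (admin context, token domain, default fallback) and that `exception.Unauthorized` is raised when the token is not found. The comment kept in the body still says "this version of normalize_domain", which no longer matches the function it sits in.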