Magnum and Heat each use a service domain (conveniently named 'Magnum' and 'Heat') to store dynamically-created users and other resources.
This mostly works, and is well within the set of things that OpenStack is meant to support. Our custom code, however, generally expects there to be only one domain (id 'default' name 'Default') and has that hardcoded in quite a few places.
This change shouldn't break very much, but it is breaking situations where we try to enumerate projects and acquire auth in each one. Any keystone requests for project-specific tokens require a project domain to be specified. So, in places where we're creating keystone sessions with a specific project, we need to first dig up the proper project domain.
Note that I don't expect users to ever act outside of the default domain, only heat and magnum services.