what is the intended use for domain in keystone?

asked 2015-07-09 22:28:30 -0500

darren-wang gravatar image

As my title, I'm not clear of the necessity of domain in keystone, more specifically, the necessity of the division of "domain-scoped" and "project-scoped" token,

As far as I know, Horizon does not allow user to specify their login scope as domain, and, does other services like Nova, Glance et al support the concept of domain?

In my understanding, ordinary users sign in to Horizon then get project-scoped token, if Horizon let them spceify scope and choose corresponding domain/project they want to login to, this really complicates the login process(actually, I think the parameters provided to Keystone v3 API to authenticate for token has been superfluous enough).

Although I've been using v3 identity API for a while, I'm not clear if other openstack services actually support the domain concept, and what is the intended use of this concept. Could some one explain it to me?

edit retag flag offensive close merge delete

2 answers

Sort by ยป oldest newest most voted

answered 2015-07-10 16:08:54 -0500

updated 2015-07-23 00:34:36 -0500

Conside the following situation. You are administrator of openstack, and want to define a new company operator with ability to add, remove and controling the access of other users. How can you do this before the emergence of domain concept? You had to add user_crud role to operator, that allows him to have full administrative access to all users and projects defined in keystone but not the subset of those. This is not a good solution and you don't want to give the operator to have full access over all defined users. You want to give access to a subset of users and tenants(projects).

So domain provides an administrative boundries for keystone entities(Project, users, roles, ...). Hope to be helpful.

See this page for more information.

edit flag offensive delete link more


Thanks for your reply and information, I didn't thought it was a pure Keystone concept, now I see. So if I want to mange vm's, networks, images, I still need to login as a project-scoped user, and only when I want to manage users, projects do I need to login as domain-scoped, am I right?

darren-wang gravatar imagedarren-wang ( 2015-07-10 23:29:28 -0500 )edit

No, as the same as when you login as administrator, you have two seperated panels 1- admin panel and 2- project panel. So you can manage your project-scoped resources via project panel and also domain-scoped resources via admin panel. The domain-scoped resources are subset of what superuser see.

Mzoorikh gravatar imageMzoorikh ( 2015-07-10 23:52:38 -0500 )edit

OK, great, so I can also manage project-scoped resources via domain admin panel, and only through domain admin panel can I manage domain-scoped resources, your answer is really helpful!

darren-wang gravatar imagedarren-wang ( 2015-07-11 00:34:07 -0500 )edit

Yes. fine.

Mzoorikh gravatar imageMzoorikh ( 2015-07-11 00:46:42 -0500 )edit

answered 2015-07-10 05:28:56 -0500

updated 2015-07-10 05:29:15 -0500

Mirantis has a somewhat dated blog entry on that subject: https://www.mirantis.com/blog/manage-.... I am sure that your favourite search engine will come up with newer tutorials.

In a nutshell, domains allow non-admin users to create projects and other users (and to modify and delete them). Domain is exclusively a keystone concept; the other parts of OpenStack are not aware of it afaik.

edit flag offensive delete link more


thanks, so the original intent of domain is not to allow domain-scoped user to manage other resources like images or vm's, instead, these users are assumed to manage users, projects in their domain. But we have "os_inherit" right? Domain users may still manage its projects' resource, am i right?

darren-wang gravatar imagedarren-wang ( 2015-07-10 23:25:50 -0500 )edit

The answer to your first question is yes. The intention is to give users (let's call them domain admins) the right to manage projects and users. The cloud admin must define domain admins, I think; at least the first domain admin.

Bernd Bausch gravatar imageBernd Bausch ( 2015-07-11 00:58:03 -0500 )edit

Second question: I am not familiar with the OS-INHERIT extension, but as a minimum a domain admin can give her/himself a role in a project and then do work inside that project.

Bernd Bausch gravatar imageBernd Bausch ( 2015-07-11 00:59:19 -0500 )edit

that's true, thanks a lot.

darren-wang gravatar imagedarren-wang ( 2015-07-11 03:39:26 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2015-07-09 22:28:30 -0500

Seen: 563 times

Last updated: Jul 23 '15