Understanding Domains, Projects and Administrator roles with IdentityV3
I am trying to wrap my head around identity v3, with domains, groups, etc.
One thing that confuses me, is the man-page for the openstack CLI. It provides me with the parameters:
--os-password <auth-password> and --os-username <auth-username> // of course
and
--os-domain-[name|id] --os-project-[name|id ]
Since users (and groups?) are unique within domains, I will need to specify the domain the user belongs to, and which project I am "doing something with".
But then we have:
--os-project-domain-name
--os-user-domain-name
--os-default-domain*
And the confusion starts. Now I can specify the user and/or project domain again? And even the default domain?? When would I need this?
I have read texts about the fact that a token can only be either project scoped, or domain scoped (or unscoped), so I've got a feeling that this has something to do with that, but I am in dire need of clarifications. Especially:
What are domain-scoped tokens? This implies that you have roles assigned to users, for a domain, without a related project?
What role assignments should be configured for my SuperMegaAdmin users, that should be able to manage EVERYTHING?
A domain specific admin user, that should only be able to manage (all) projects and users within a specific domain, should have which roles? Admin role in...all projects within the domain? Admin role in the domain-specific admin-project? Or only admin role in the specific domain?
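Added example (not from the poster or the OpenStack project): the Identity v3 token request body that the CLI flags above map onto. The user's domain and the project's domain are separate fields, and the scope block is what makes the token project-scoped, domain-scoped or unscoped; the user, domain and project names are constructed sample values.

```python
"""Build Keystone Identity v3 token requests (POST /v3/auth/tokens).

Added illustration, not code from the original post. It shows why the
CLI needs a domain for the user *and* a domain for the project: each is
a distinct field in the request body, and the scope block decides
whether the token is project-scoped, domain-scoped or unscoped.
Names such as "alice", "ops" and "prod" are constructed sample values.
"""
import json


def build_auth_request(username, password, user_domain,
                       project=None, project_domain=None, domain=None):
    """Return the v3 auth body as a dict.

    user_domain    -> --os-user-domain-name (which "alice" is meant)
    project        -> --os-project-name
    project_domain -> --os-project-domain-name (which "prod" is meant)
    domain         -> ask for a domain scope instead of a project scope
    """
    if project and domain:
        raise ValueError("a token is project- OR domain-scoped, not both")
    body = {"auth": {"identity": {
        "methods": ["password"],
        "password": {"user": {
            "name": username,
            "domain": {"name": user_domain},
            "password": password}}}}}
    if project:
        # Project names are only unique within a domain, so the project's
        # domain is needed too; it may differ from the user's own domain.
        body["auth"]["scope"] = {"project": {
            "name": project,
            "domain": {"name": project_domain or user_domain}}}
    elif domain:
        # Domain-scoped token: roles assigned on the domain itself apply,
        # which is what a per-domain admin managing users/projects needs.
        body["auth"]["scope"] = {"domain": {"name": domain}}
    # No scope block at all -> unscoped token, good only for discovering
    # which projects/domains the user may later re-scope to.
    return body


def scope_kind(body):
    """Classify a request body as 'project', 'domain' or 'unscoped'."""
    scope = body["auth"].get("scope", {})
    if "project" in scope:
        return "project"
    return "domain" if "domain" in scope else "unscoped"


if __name__ == "__main__":
    req = build_auth_request("alice", "s3cret", "ops",
                             project="prod", project_domain="tenants")
    print(json.dumps(req, indent=2))
```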