Revision history [back]

click to hide/show revision 1
initial version

what is the intended use for domain in keystone?

As my title, I'm not clear of the necessity of domain in keystone, more specifically, the necessity of the division of "domain-scoped" and "project-scoped" token,

As far as I know, Horizon does not allow user to specify their login scope as domain, and, does other services like Nova, Glance et al support the concept of domain?

In my understanding, ordinary users sign in to Horizon then get project-scoped token, if Horizon let them spceify scope and choose corresponding domain/project they want to login to, this really complicates the login process(actually, I think the parameters provided to Keystone v3 API to authenticate for token has been superfluous enough).

Although I've been using v3 identity API for a while, I'm not clear if other openstack services actually support the domain concept, and what is the intended use of this concept. Could some one explain it to me?