
Understanding Domains, Projects and Administrator roles with IdentityV3

I am trying to wrap my head around identity v3, with domains, groups, etc.

One thing that confuses me, is the man-page for the openstack CLI. It provides me with the parameters:

--os-password <auth-password> and --os-username <auth-username> // of course.

and

--os-domain-[name|id] --os-project-[name|id ]

Since users (and groups?) are unique within domains, I will need to specify the domain the user belongs to, and which project I am "doing something with".

But then we have:

--os-project-domain-name --os-user-domain-name --os-default-domain

And the confusion starts. Now I can specify the user and/or project domain again? And even the default domain?? When would I need this?

I have read texts about the fact that a token can only be either project scoped, or domain scoped (or unscoped), so I've got a feeling that this has something to do with that, but I am in dire need of clarifications. Especially:

  • What are domain-scoped tokens? This implies that you have roles assigned to users, for a domain, without a related project?

  • What role assignments should be configured for my SuperMegaAdmin users, that should be possible to manage EVERYTHING.

  • A domain-specific admin user, that should only be able to manage (all) projects and users within a specific domain, should have which roles? Admin role in... all projects within the domain? Admin role in the domain-specific admin-project? Or only admin role in the specific domain?
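The following is an added illustration, not part of the question above and not code from the openstack CLI itself. It shows what the `--os-*` options in the question become once the CLI turns them into a Keystone v3 authentication request (the `POST /v3/auth/tokens` body): `--os-user-domain-name` qualifies the user name, `--os-project-domain-name` qualifies the project name, and `--os-domain-name` asks for a domain-scoped token. The mutually-exclusive scope rule (project or domain, never both) is Keystone's; treating `--os-default-domain` as the fallback for both missing domain names is the CLI behaviour as I understand it, and the user, project and domain names are constructed sample values.

```python
"""Map openstack CLI --os-* options onto a Keystone v3 auth request body.

Added example: not the CLI's own code. Sample names are constructed.
"""
import json


def build_auth_body(username, password, user_domain=None, project=None,
                    project_domain=None, domain=None, default_domain=None):
    """Return the dict the CLI would POST to /v3/auth/tokens.

    user_domain    <- --os-user-domain-name    (qualifies the *user* name)
    project        <- --os-project-name
    project_domain <- --os-project-domain-name (qualifies the *project* name)
    domain         <- --os-domain-name         (requests a domain-scoped token)
    default_domain <- --os-default-domain      (assumed fallback for the two
                                                domain names when they are omitted)
    """
    # Assumption: --os-default-domain fills in whichever domain name is missing.
    user_domain = user_domain or default_domain
    project_domain = project_domain or default_domain

    if user_domain is None:
        raise ValueError("user names are only unique within a domain; "
                         "give --os-user-domain-name or --os-default-domain")
    if project and domain:
        # Keystone rule: a token is scoped to a project OR to a domain, not both.
        raise ValueError("cannot request both a project-scoped and a "
                         "domain-scoped token")
    if project and project_domain is None:
        raise ValueError("project names are only unique within a domain; "
                         "give --os-project-domain-name or --os-default-domain")

    body = {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": username,
                        "domain": {"name": user_domain},
                        "password": password,
                    }
                },
            }
        }
    }
    if project:
        # Project scope: the project must be qualified by its own domain,
        # which need not be the domain the user lives in.
        body["auth"]["scope"] = {
            "project": {"name": project, "domain": {"name": project_domain}}
        }
    elif domain:
        # Domain scope: roles assigned on the domain itself, no project involved.
        body["auth"]["scope"] = {"domain": {"name": domain}}
    # No project and no domain: an unscoped token (no "scope" key at all).
    return body


def token_scope(body):
    """Classify a request body as 'project', 'domain' or 'unscoped'."""
    scope = body["auth"].get("scope")
    if scope is None:
        return "unscoped"
    return "project" if "project" in scope else "domain"


if __name__ == "__main__":
    # Constructed sample: user in domain "corp" scoping to a project in "corp".
    b = build_auth_body("alice", "secret", user_domain="corp",
                        project="web", project_domain="corp")
    print(token_scope(b))
    print(json.dumps(b, indent=2))
```

Run it to see the three request shapes side by side: with `project` set you get a project-scoped body, with `domain` set a domain-scoped one, and with neither an unscoped body; passing both raises, which is the same restriction the question's "either project scoped, or domain scoped (or unscoped)" refers to.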