[openstack-dev] Making domains more enterprise-capable

Henry Nash henryn at linux.vnet.ibm.com
Mon Jan 14 16:36:36 UTC 2013


There are two blueprints with proposed changes to the Keystone Identity API that are getting close to approval - both relate to expanding on the domain capability already added to enable them to better serve the needs of larger enterprises.  Although both have been commented on and reviewed on this list before, they are now in their final form and so I wanted to ensure everyone has had a chance to comment.

1) Domain-scoped tokens (https://review.openstack.org/#/c/18770/)
The goal here is to enable better support for domain administration - in particular the ability to effectively delegate this from a cloud provider to the admin of an enterprise being hosted in a particular domain.  Initially this will likely only be used for access to keystone itself (e.g. enable a role where a user is allowed to manage the users/groups of one domain, but not others), although in the future one might imagine it being useful in other projects (e.g. glance supporting images that were domain-wide).  No changes in any projects other than keystone are required unless they would like to use this capability.

2) Domain namespaces (https://review.openstack.org/#/c/18805/)
The goal here is to provide an optional feature to allow cloud providers to create a domain for hosting an enterprise within which the enterprise has their own namespace for project and/or user names (i.e. they are only required to be globally unique within that domain, rather than unique across all domains).  This will be a common requirement for enterprise customers - e.g. it won't be acceptable to an enterprise that they are prevented from calling a project, say, "Test" just because another customer in another domain got there first!  Since this feature will be optional, there is no impact to other projects unless it is used, and even then there is only impact for those specific domains.  Further, in all cases, user_id and project_id remain globally unique across all domains.  For the domains that are created with this feature, there are changes in terms of authentication (a domain name/id may need to be provided), and a project that uses keystone could not assume that project (tenant) name is unique.
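To make the two proposals concrete for readers, here is a small added illustration (my own toy model, not Keystone code and not from either blueprint). It models a per-domain `own_namespace` flag (a hypothetical name; the real option name is not in the post), the resulting name-uniqueness rule with ids that stay globally unique, the ambiguity a consuming project hits when it resolves a bare project name without a domain, and a policy check for the delegated domain-admin use case with domain-scoped tokens.

```python
# Toy model (added illustration, not Keystone's implementation) of the two
# proposals: per-domain name namespaces and domain-scoped tokens.
import uuid
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


class NameConflict(Exception):
    """A project name is already taken in the namespace it would live in."""


class AmbiguousName(Exception):
    """A bare project name matches several domains; the caller must supply a domain."""


@dataclass(frozen=True)
class Domain:
    id: str
    name: str
    own_namespace: bool  # hypothetical flag: names only need to be unique inside this domain


@dataclass(frozen=True)
class Project:
    id: str  # globally unique in every case, as the proposal keeps it
    name: str
    domain_id: str


@dataclass(frozen=True)
class Token:
    user_id: str
    roles: FrozenSet[str]
    domain_id: Optional[str] = None   # set => domain-scoped token
    project_id: Optional[str] = None  # set => project-scoped token


class Registry:
    def __init__(self) -> None:
        self.domains: Dict[str, Domain] = {}
        self.projects: Dict[str, Project] = {}

    def create_domain(self, name: str, own_namespace: bool = False) -> Domain:
        d = Domain(uuid.uuid4().hex, name, own_namespace)
        self.domains[d.id] = d
        return d

    def _namespace(self, domain_id: str) -> Optional[str]:
        # A namespaced domain's projects compete only among themselves (key = domain id);
        # every other domain shares the single global namespace (key = None).
        return domain_id if self.domains[domain_id].own_namespace else None

    def create_project(self, domain_id: str, name: str) -> Project:
        ns = self._namespace(domain_id)
        for p in self.projects.values():
            if p.name == name and self._namespace(p.domain_id) == ns:
                raise NameConflict(f"project {name!r} already exists in this namespace")
        p = Project(uuid.uuid4().hex, name, domain_id)
        self.projects[p.id] = p
        return p

    def find_project(self, name: str, domain_id: Optional[str] = None) -> Project:
        # What a consuming service must do: a bare name is no longer guaranteed unique.
        matches = [p for p in self.projects.values()
                   if p.name == name and (domain_id is None or p.domain_id == domain_id)]
        if not matches:
            raise KeyError(name)
        if len(matches) > 1:
            raise AmbiguousName(f"{name!r} exists in {len(matches)} domains; specify a domain")
        return matches[0]


def may_manage_users(token: Token, target_domain_id: str) -> bool:
    """Policy for the delegated domain-admin case: only a domain-scoped token
    holding the admin role may manage users/groups, and only in its own domain."""
    if token.domain_id is None:
        return False  # project-scoped or unscoped tokens get no domain-admin rights
    return "admin" in token.roles and token.domain_id == target_domain_id


def demo() -> dict:
    reg = Registry()
    default = reg.create_domain("default")
    other = reg.create_domain("other")
    acme = reg.create_domain("acme", own_namespace=True)
    globex = reg.create_domain("globex", own_namespace=True)

    p_default = reg.create_project(default.id, "Test")
    p_acme = reg.create_project(acme.id, "Test")      # fine: acme has its own namespace
    p_globex = reg.create_project(globex.id, "Test")  # fine: so does globex
    try:
        reg.create_project(other.id, "Test")          # rejected: shares the global namespace
        other_conflict = False
    except NameConflict:
        other_conflict = True
    try:
        reg.find_project("Test")                      # bare name is now ambiguous
        ambiguous = False
    except AmbiguousName:
        ambiguous = True

    acme_admin = Token("u-acme-admin", frozenset({"admin"}), domain_id=acme.id)
    return {
        "other_conflict": other_conflict,
        "ambiguous": ambiguous,
        "resolved_acme": reg.find_project("Test", domain_id=acme.id).id == p_acme.id,
        "ids_unique": len({p_default.id, p_acme.id, p_globex.id}) == 3,
        "acme_admin_own_domain": may_manage_users(acme_admin, acme.id),
        "acme_admin_other_domain": may_manage_users(acme_admin, globex.id),
    }


if __name__ == "__main__":
    print(demo())
```

The `find_project` check is the part other projects would feel: once a namespaced domain exists, anything that looks a project up by name alone has to be prepared to receive a domain as well, which is exactly the authentication change the proposal mentions.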

All comments welcome.

