[openstack-dev] Keystone v3 API

Dolph Mathews dolph.mathews at gmail.com
Sat Jan 26 17:08:01 UTC 2013

Relevant blueprint:

Corresponding spec change: https://review.openstack.org/#/c/18805/

These changes have not been implemented yet.

Essentially it's an opt-in change of behavior per domain. Auth for users
and projects within those domains must either be identified by
globally-unique ID, or a combination of owning domain and user/project

Users and projects are namespaced by their owning domain, so the
configuration of two different domains wouldn't apply to a single user or


On Sat, Jan 26, 2013 at 4:04 AM, David Chadwick <d.w.chadwick at kent.ac.uk> wrote:

> The keystone v3 API contains the following statement in the Users section
> Either globally or domain unique username, depending on owning domain.
> Can someone explain what this means please.
> More specifically, this states that a username is either globally unique
> across all domains, or is locally defined in a domain.
> First question. How can anyone tell the difference between a globally
> unique username and a domain specific username?
> Second, who or what is the owning domain for a globally unique username?
> Finally why should the owning domain determine whether the username is
> globally unique or not? What if owning domain 1 determines that username1
> is globally unique and owning domain 2 determines that username1 is locally
> unique to itself?
> thanks
> David
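An added example, not part of this thread or of Keystone's own code, of the lookup rule the reply describes: a user is identified either by a globally unique ID or by a name qualified with its owning domain. The sample users, domain IDs, and the names `resolve_user` and `AmbiguousIdentity` are constructed for illustration.

```python
# Constructed sample data: the same user name exists in two domains.
USERS = {
    "u-1001": {"name": "alice", "domain_id": "d-acme"},
    "u-2002": {"name": "alice", "domain_id": "d-globex"},
}
DOMAINS = {"d-acme": "acme", "d-globex": "globex"}  # domain id -> domain name


class AmbiguousIdentity(ValueError):
    """The request does not pin the user to exactly one namespace."""


def _resolve_domain(domain_ref):
    """Return the domain id for a reference given by id or by name."""
    if "id" in domain_ref:
        if domain_ref["id"] in DOMAINS:
            return domain_ref["id"]
    elif "name" in domain_ref:
        for dom_id, dom_name in DOMAINS.items():
            if dom_name == domain_ref["name"]:
                return dom_id
    raise LookupError("unknown domain")


def resolve_user(user_ref):
    """Map the 'user' part of an auth request to exactly one user id.

    Accepted forms (hypothetical request shapes for this example):
      {"id": "<globally unique id>"}
      {"name": "<name>", "domain": {"id": ...} or {"name": ...}}
    """
    if "id" in user_ref:
        if user_ref["id"] not in USERS:
            raise LookupError("unknown user")
        return user_ref["id"]

    name, domain_ref = user_ref.get("name"), user_ref.get("domain")
    if not name or not domain_ref:
        # A bare name could match accounts in several domains; refuse to guess.
        raise AmbiguousIdentity("user name must be qualified by owning domain")

    dom_id = _resolve_domain(domain_ref)
    matches = [uid for uid, u in USERS.items()
               if u["name"] == name and u["domain_id"] == dom_id]
    if len(matches) != 1:
        raise LookupError("unknown user")
    return matches[0]
```

Rejecting a bare name, rather than picking the first match, is what keeps a credential check from being run against another domain's account that happens to share the name.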