[openstack-dev] [keystone] Is "domain" a mapping to real-world cloud tenant?

Dolph Mathews dolph.mathews at gmail.com
Mon Dec 14 22:10:13 UTC 2015

Unfortunately, "tenancy" has multiple definitions in our world so let me
try to clarify further! Do you have a link to that paper?

Tenants (v2) and projects (v3) have a history as serving to isolate the
resources (VMs, networks, etc) of multiple tenants. They literally provide
for multitenancy.

Domains exist at a higher level, and actually (unfortunately) serve a
multiple purposes.

The first of which is as a container for multiple tenants/projects - think
of domains as the billable entity in a public cloud. A single domain might
be responsible for deploying multiple department's or project's resources
in the cloud (each of which requires multi-tenant isolation, and thus has
many tenants/projects).

The second purpose is that of authorization -- in keystone, you might need
domain-level authorization to create projects and assign roles. The same
might apply to domain-specific quotas, domain-specific policies, and other
domain-level concerns.

Lastly, domains serve as a namespaces for users and groups (identity /
authentication) within keystone itself. They are analogous to identity
providers in that regard.

Hope this helps!

On Mon, Dec 14, 2015 at 2:56 AM, darren wang <darren_wang at outlook.com>

> Hi,
> I am wondering whether “domain” is a mapping to a real-world cloud tenant
> (not the counterpart of “project” in v2 Identity API) because recently I
> read a paper that describes “domain” as a fit for the abstract concept
> “cloud tenant”. Does this saying stay in line with community’s purpose?
> Thanks!
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20151214/bca13b05/attachment.html>

More information about the OpenStack-dev mailing list