[openstack-dev] Reply: [keystone] Is "domain" a mapping to real-world cloud tenant?

darren wang darren_wang at outlook.com
Tue Dec 15 00:38:14 UTC 2015

Hi Dolph,


Here it is, http://profsandhu.com/confrnc/misconf/nss14-preprint-bo.pdf

You may have a look at it and see if it’s reasonable.




From: Dolph Mathews [mailto:dolph.mathews at gmail.com]
Sent: December 15, 2015 6:10
To: OpenStack Development Mailing List (not for usage questions) <openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [keystone] Is "domain" a mapping to real-world cloud tenant?


Unfortunately, "tenancy" has multiple definitions in our world so let me try to clarify further! Do you have a link to that paper?


Tenants (v2) and projects (v3) have a history as serving to isolate the resources (VMs, networks, etc) of multiple tenants. They literally provide for multitenancy.


Domains exist at a higher level, and actually (unfortunately) serve multiple purposes.


The first of which is as a container for multiple tenants/projects - think of domains as the billable entity in a public cloud. A single domain might be responsible for deploying multiple departments' or projects' resources in the cloud (each of which requires multi-tenant isolation, and thus has many tenants/projects).


The second purpose is that of authorization -- in keystone, you might need domain-level authorization to create projects and assign roles. The same might apply to domain-specific quotas, domain-specific policies, and other domain-level concerns.


Lastly, domains serve as namespaces for users and groups (identity / authentication) within keystone itself. They are analogous to identity providers in that regard.


Hope this helps!


On Mon, Dec 14, 2015 at 2:56 AM, darren wang <darren_wang at outlook.com> wrote:



I am wondering whether “domain” is a mapping to a real-world cloud tenant (not the counterpart of “project” in v2 Identity API) because recently I read a paper that describes “domain” as a fit for the abstract concept “cloud tenant”. Does this saying stay in line with the community’s purpose?


