[openstack-dev] 答复: [keystone] Is "domain" a mapping to real-world cloud tenant?
Lance Bragstad
lbragstad at gmail.com
Mon Jan 4 14:38:33 UTC 2016
Interesting. The paper says that the implementation was based on the Havana
release. Just out of curiosity, does anyone know if the code is public?
On Mon, Dec 14, 2015 at 6:38 PM, darren wang <darren_wang at outlook.com>
wrote:
> Hi Dolph,
>
>
>
> Here it is,
> http://profsandhu.com/confrnc/misconf/nss14-preprint-bo.pdf
>
>
>
> You may have a look at it and see if it’s reasonable.
>
>
>
> Darren
>
>
>
> *发件人:* Dolph Mathews [mailto:dolph.mathews at gmail.com]
> *发送时间:* 2015年12月15日 6:10
> *收件人:* OpenStack Development Mailing List (not for usage questions) <
> openstack-dev at lists.openstack.org>
> *主题:* Re: [openstack-dev] [keystone] Is "domain" a mapping to real-world
> cloud tenant?
>
>
>
> Unfortunately, "tenancy" has multiple definitions in our world so let me
> try to clarify further! Do you have a link to that paper?
>
>
>
> Tenants (v2) and projects (v3) have a history as serving to isolate the
> resources (VMs, networks, etc) of multiple tenants. They literally provide
> for multitenancy.
>
>
>
> Domains exist at a higher level, and actually (unfortunately) serve a
> multiple purposes.
>
>
>
> The first of which is as a container for multiple tenants/projects - think
> of domains as the billable entity in a public cloud. A single domain might
> be responsible for deploying multiple department's or project's resources
> in the cloud (each of which requires multi-tenant isolation, and thus has
> many tenants/projects).
>
>
>
> The second purpose is that of authorization -- in keystone, you might need
> domain-level authorization to create projects and assign roles. The same
> might apply to domain-specific quotas, domain-specific policies, and other
> domain-level concerns.
>
>
>
> Lastly, domains serve as a namespaces for users and groups (identity /
> authentication) within keystone itself. They are analogous to identity
> providers in that regard.
>
>
>
> Hope this helps!
>
>
>
> On Mon, Dec 14, 2015 at 2:56 AM, darren wang <darren_wang at outlook.com>
> wrote:
>
> Hi,
>
>
>
> I am wondering whether “domain” is a mapping to a real-world cloud tenant
> (not the counterpart of “project” in v2 Identity API) because recently I
> read a paper that describes “domain” as a fit for the abstract concept “cloud
> tenant”. Does this saying stay in line with community’s purpose?
>
>
>
> Thanks!
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160104/00e71b62/attachment.html>
More information about the OpenStack-dev
mailing list