OpenStack Identity (keystone)

Allow scoping to a domain, as well as a project

Registered by Henry Nash on 2012-11-21

The v3 API has introduced the concept of Domains, being the container that holds users and projects. For many cloud providers, the domain will be the object that really maps to a hosted customer, within which that customer will CRUD their users and projects. To facilitate this, the customer will want to create users that have "roles" that are domain wide (e.g. on-board new users, maintain a set of standard images for all projects etc.). To aid this, we should support the scoping of a token to a Domain (either at authentication or subsequent /tokens call)

Read the full specification

Blueprint information

Status:: Complete

Approver:: Joseph Heck

Priority:: Medium

Drafter:: Henry Nash

Direction:: Approved

Assignee:: Henry Nash

Definition:: Approved

Series goal:: Accepted for grizzly

Implementation:: Implemented

Milestone target:: 2013.1

Started by: Henry Nash on 2013-01-18

Completed by: Thierry Carrez on 2013-02-21

Related branches

Related bugs

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/domain-scoping,n,z

Addressed by: https://review.openstack.org/19820
Keystone backend preparation for domain-scoping

Gerrit topic: https://review.openstack.org/#q,topic:bug/1101244,n,z

Gerrit topic: https://review.openstack.org/#q,topic:domain-scoping,n,z

Addressed by: https://review.openstack.org/22565
domain-scoping

(?)

Work Items

Work items:
Plumbing for domain_id in all relevant entities: DONE
Integrate with v3 auth (https://review.openstack.org/#/c/21487/): DONE

This blueprint contains Public information

Everyone can see this information.

Subscribers

Adam Young

Bruce A Rich

David Chadwick

Dolph Mathews

Eduardo Patrocinio