[openstack-dev] 答复: [keystone] Is "domain" a mapping to real-world cloud tenant?

Mon, 14 Dec 2015 16:44:17 -0800 

Hi Dolph,

 

         Here it is, http://profsandhu.com/confrnc/misconf/nss14-preprint-bo.pdf

 

         You may have a look at it and see if it’s reasonable.

 

Darren

 

发件人: Dolph Mathews [mailto:dolph.math...@gmail.com] 
发送时间: 2015年12月15日 6:10
收件人: OpenStack Development Mailing List (not for usage questions) 
<openstack-dev@lists.openstack.org>
主题: Re: [openstack-dev] [keystone] Is "domain" a mapping to real-world cloud 
tenant?

 

Unfortunately, "tenancy" has multiple definitions in our world so let me try to 
clarify further! Do you have a link to that paper?

 

Tenants (v2) and projects (v3) have a history as serving to isolate the 
resources (VMs, networks, etc) of multiple tenants. They literally provide for 
multitenancy.

 

Domains exist at a higher level, and actually (unfortunately) serve a multiple 
purposes.

 

The first of which is as a container for multiple tenants/projects - think of 
domains as the billable entity in a public cloud. A single domain might be 
responsible for deploying multiple department's or project's resources in the 
cloud (each of which requires multi-tenant isolation, and thus has many 
tenants/projects).

 

The second purpose is that of authorization -- in keystone, you might need 
domain-level authorization to create projects and assign roles. The same might 
apply to domain-specific quotas, domain-specific policies, and other 
domain-level concerns.

 

Lastly, domains serve as a namespaces for users and groups (identity / 
authentication) within keystone itself. They are analogous to identity 
providers in that regard.

 

Hope this helps!

 

On Mon, Dec 14, 2015 at 2:56 AM, darren wang <darren_w...@outlook.com 
<mailto:darren_w...@outlook.com> > wrote:

Hi,

 

I am wondering whether “domain” is a mapping to a real-world cloud tenant (not 
the counterpart of “project” in v2 Identity API) because recently I read a 
paper that describes “domain” as a fit for the abstract concept “cloud tenant”. 
Does this saying stay in line with community’s purpose?

 

Thanks!


__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe 
<http://openstack-dev-requ...@lists.openstack.org?subject:unsubscribe> 
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

 


__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Reply via email to