9.03.2017 - by Stephan Vanecek
A domain in OpenStack is an abstract structure used to segregate administrative units inside a cloud environment. Domain functionality has been part of the Identity service (Keystone) API v3 since the Grizzly release.
Keystone is the identity service that provides authentication in OpenStack. The identity service has two main purposes: the first is to set permissions and keep track of the activity of particular users, and the second is to expose a service catalog of OpenStack services. Domains help with the first. Referring to domains, there are a few Keystone terms that should be defined:
The main purpose of domains is to increase the modularity of the infrastructure in terms of allowing and restricting access to resources and creating distinct divisions between diverse environments. Domains and projects form a tree structure with domains on top and projects at the bottom. Within a domain, one can create users and projects and grant roles. Having clarified the characteristics of domains, let’s explain a use case called “Reseller”.
The reseller model addresses the need to create more levels of ownership that allow granting access to the infrastructure. The typical reseller model story involves an OpenStack infrastructure provider with a customer. The customer does not use the whole computing capacity, or simply has a marketing strategy of subletting parts of the infrastructure to other clients. For this strategy to work, the sublet infrastructure must feature the same qualities as the original one. Moreover, the clients must have no information about the infrastructure of other clients and must be assured that no other client can access their infrastructure. Being able to alter the resources of another customer is not acceptable.
This approach benefits from the characteristics of domains. With domains, the coexistence of multiple different entities subletting another customer’s resources is possible. One is able to resell a domain in which the creation of users and groups is enabled. Since users and projects are bound within their parent domain/project, a customer managing his own domain is isolated there, so that he can neither be affected by nor affect other entities. This allows the administrative infrastructure to be divided into the multi-tenant silos that reselling requires.
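To make the isolation concrete, here is a small model of domain-scoped role assignments in the reseller setup (an added example, not Keystone code or any code from the original post): it mimics the "admin on the matching domain" idea of Keystone's v3 cloud sample policy. All domain, project and user names, and the choice of "default" as the provider's admin domain, are constructed for illustration.

```python
from collections import namedtuple
Project = namedtuple("Project", "id domain_id")
User = namedtuple("User", "id domain_id")

# Constructed sample data: the provider's admin domain plus two resold domains.
CLOUD_ADMIN_DOMAIN = "default"            # hypothetical name for the provider's domain
PROJECTS = {
    "a-web": Project("a-web", "reseller-a"),
    "b-db": Project("b-db", "reseller-b"),
}
USERS = {
    "root": User("root", CLOUD_ADMIN_DOMAIN),  # provider's cloud admin
    "alice": User("alice", "reseller-a"),      # customer A's domain admin
    "bob": User("bob", "reseller-b"),          # customer B's domain admin
    "carol": User("carol", "reseller-a"),      # ordinary member of project a-web
}
# Role assignments as Keystone stores them: (user, role, scope kind, scope id).
ASSIGNMENTS = {
    ("root", "admin", "domain", CLOUD_ADMIN_DOMAIN),
    ("alice", "admin", "domain", "reseller-a"),
    ("bob", "admin", "domain", "reseller-b"),
    ("carol", "member", "project", "a-web"),
}

def roles_on(user_id, scope_kind, scope_id):
    """Roles the user holds directly on one domain or project scope."""
    return {r for (u, r, k, s) in ASSIGNMENTS
            if u == user_id and k == scope_kind and s == scope_id}

def is_cloud_admin(user_id):
    """Admin on the provider's own domain, like 'cloud_admin' in the sample policy."""
    return "admin" in roles_on(user_id, "domain", CLOUD_ADMIN_DOMAIN)

def can_manage_project(user_id, project_id):
    """Admin on the project's parent domain (or the project itself) may manage it; admin of another domain may not."""
    project = PROJECTS[project_id]
    return (is_cloud_admin(user_id)
            or "admin" in roles_on(user_id, "domain", project.domain_id)
            or "admin" in roles_on(user_id, "project", project_id))

def can_create_user_in(user_id, domain_id):
    """Creating users is a domain-level action: only that domain's admin (or the cloud admin)."""
    return is_cloud_admin(user_id) or "admin" in roles_on(user_id, "domain", domain_id)

def visible_projects(user_id):
    """Projects a user can learn about: those in a domain they administer plus
    those they hold any role on. Nothing from another customer's domain leaks."""
    return sorted(p.id for p in PROJECTS.values()
                  if can_manage_project(user_id, p.id) or roles_on(user_id, "project", p.id))
```

Running the checks shows that alice can manage a-web but not b-db, bob cannot create users in reseller-a, and only the provider's cloud admin sees projects from both resold domains.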
The reseller model allows service providers to diversify their offerings, which in turn helps them enter a wider variety of market segments.
Domains help to incorporate multiple layers of resource access and ownership in OpenStack, so administrators can set up the infrastructure according to their needs. Domains contribute to this by providing an isolated administrative environment with its own users and projects, independent of other domains.