
Relationship among concepts domain, project, role, user group, user and token in OpenStack Keystone

Domain, project, group, role, user and token are terms we hear a lot in the context of OpenStack. Sometimes the meaning of these terms changes. For example, the semantics of the terms project, tenant and domain keep changing even within the Identity API. In this post, I will try to understand the relationship between these concepts. My understanding is based on the OpenStack Identity API V3 [1] and the paper by Bo [7].



Domains are the highest-level abstraction for resources and users in an OpenStack environment. A domain can directly contain users, user groups and projects. If there is no domain, the Identity V3 API assumes a default domain named ‘default’. Domains can also be considered namespaces. Domain names must be unique across all domains.


Projects are the second-highest abstraction in an OpenStack environment. A project can directly contain user groups or users, and can also contain resources. Note that one project can be assigned to at most one domain.

User groups:

As the name says, user groups are groups of users. The advantage of having user groups is that by assigning roles to a user group, all users in the group get the permissions of those roles. For example, a user group ‘CS6393’ may contain the students in the course. By assigning roles to ‘CS6393’, all students get access to the permissions of the roles. User group names are not global in an OpenStack environment. Group names are unique within the owning domain, and a group can be assigned to at most one domain.


In OpenStack, permission to do anything is obtained through assignment to roles. Users or user groups without any role assigned can do nothing in the OpenStack environment. As in Role-Based Access Control (RBAC [2]), a role contains permissions, each of which is a pair of object type and operation. For example, creating an object of type VM or network can be considered a permission. Note that role names are global in an OpenStack environment. In other words, no two roles can have the same name.


Users are the active entities in the OpenStack system who can consume resources. Users are assigned to roles to be able to carry out their activity. Users without any role cannot do anything in the system, though it is possible to have users without any roles assigned to them.


Tokens are like sessions/subjects acting on behalf of users. Basically, a token provides a stricter scope for a user. For example, if a user is assigned to two different projects, ‘project1’ and ‘project2’, the user can choose in a token which project to work on. Similarly, a token also provides scope for domains. Usually, a token can be scoped either to a project or to a domain, but not both.
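The relationships described above can be put together in a small toy model. This is an added example, not Keystone code and not from the original post: the class `Identity`, its methods, the users `alice` and `bob` and the role names `member` and `admin` are all assumptions made for illustration, and names are treated as globally unique to keep it short.

```python
# Toy model of users, groups, roles and token scope; not Keystone's implementation.
from dataclasses import dataclass, field

@dataclass
class Identity:
    # group name -> set of member user names (constructed sample data)
    groups: dict = field(default_factory=dict)
    # (actor, scope_kind, scope_name) -> set of role names
    assignments: dict = field(default_factory=dict)

    def grant(self, actor, role, *, project=None, domain=None):
        """Assign a role to a user or a group on one project or one domain."""
        scope = _scope(project, domain)
        self.assignments.setdefault((actor, *scope), set()).add(role)

    def effective_roles(self, user, *, project=None, domain=None):
        """Direct grants plus grants made to any group the user belongs to."""
        scope = _scope(project, domain)
        actors = [user] + [g for g, m in self.groups.items() if user in m]
        roles = set()
        for actor in actors:
            roles |= self.assignments.get((actor, *scope), set())
        return roles

    def issue_token(self, user, *, project=None, domain=None):
        """Token-like dict limited to one scope and the roles held there."""
        roles = self.effective_roles(user, project=project, domain=domain)
        if not roles:
            # No role on the scope means nothing can be done there,
            # modelled here as a refusal to issue the token.
            raise PermissionError(f"{user} has no role on the requested scope")
        kind, name = _scope(project, domain)
        return {"user": user, kind: name, "roles": sorted(roles)}

def _scope(project, domain):
    # A scope is a project or a domain, never both and never neither.
    if (project is None) == (domain is None):
        raise ValueError("scope must be exactly one of project or domain")
    return ("project", project) if project is not None else ("domain", domain)

def demo():
    idp = Identity(groups={"CS6393": {"alice", "bob"}})
    idp.grant("CS6393", "member", project="project1")  # inherited via group
    idp.grant("alice", "admin", project="project2")    # direct assignment
    return idp
```

A token for `alice` on ‘project2’ carries only `admin`, even though she also holds `member` on ‘project1’ through the group; that narrowing is the stricter scope the token provides.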


[1] http://developer.openstack.org/api-ref-identity-v3.html

[7] http://profsandhu.com/confrnc/misconf/p131-zhang.pdf

To be continued.

