Mirantis Training Blog: What are OpenStack Keystone Domains?

Devin Parrish - March 2, 2016

Welcome to Mirantis Training’s monthly Q&A section. Here our instructors field questions about all aspects of OpenStack, and every month we’ll be sharing some of those answers with you here on the blog. If you have a question that you would like a Mirantis technical instructor to answer, feel free to post your comments in the section below. We will do our best to cover your question in next month’s post.

What are OpenStack Domains?

A Keystone domain is an abstract resource that was introduced in version 3 of the Keystone API. A domain is a collection of users and projects that exist within the OpenStack environment. To understand what this really means, it is crucial to understand how things work without OpenStack domains.

Traditionally, the resource mapping could be summed up by saying that “a user has a role in a project”. The user is typically an individual that is communicating with the cloud services, submitting requests to provision and destroy infrastructure. A role is an arbitrary bit of metadata that is used to influence that user’s authority and management within the environment. The project is a container used to group and isolate resources from one another. With the original mapping model, when the admin role was applied to a user, the user would become a cloud administrator, rather than just a project administrator, as intended.

With OpenStack domains, the resource mapping can be summed up by saying that “a domain is made up of users and projects, wherein users can have roles at the project and domain level.” With this model, it is now possible to have an admin user for an entire domain, allowing that user to manage resources such as users and projects for that particular domain. A user might also have a role applied just for a particular project, which behaves much like it did in the previous model.

Some of the benefits to using domains are:

  • More fine-grained Role Based Access Control (RBAC) capabilities
  • Creating cloud administrators with the ability to delegate tasks to users
  • Support for overlapping resource names such as usernames
  • The ability for separate organizations to leverage different backends. For example, one can be SQL based, while another can be LDAP based
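
The two mappings described above, and the overlapping-username benefit, as a simplified model. This is an added example, not Keystone code and not from the original post; the class, method names, domain names and sample users are assumptions made for illustration.

```python
# Simplified model of the legacy and domain-based role mappings.
# Added illustration only: names and rules are assumptions, not Keystone code.
class Identity:
    def __init__(self):
        self.users = set()    # (domain, username): unique per domain only
        self.grants = set()   # (user, role, scope_type, scope)

    def add_user(self, domain, name):
        if (domain, name) in self.users:
            raise ValueError(f"{name!r} already exists in domain {domain!r}")
        self.users.add((domain, name))
        return (domain, name)

    def grant(self, user, role, scope_type, scope):
        # scope_type "project": scope is (domain, project); "domain": a domain name
        self.grants.add((user, role, scope_type, scope))

    def legacy_is_cloud_admin(self, user):
        # Original model: "admin" on any one project acted as cloud-wide admin.
        return any(u == user and r == "admin" and t == "project"
                   for u, r, t, _ in self.grants)

    def has_project_role(self, user, role, project):
        # Domain model: a project-level role applies to that project only.
        return (user, role, "project", project) in self.grants

    def can_manage_domain(self, user, domain):
        # Domain model: managing a domain's users and projects needs a
        # domain-level admin grant on that specific domain.
        return (user, "admin", "domain", domain) in self.grants


def demo():
    idp = Identity()
    # Constructed sample data: two organisations that both have a user "alice".
    acme_alice = idp.add_user("acme", "alice")
    globex_alice = idp.add_user("globex", "alice")  # same name, other domain
    batch = ("globex", "batch")
    idp.grant(acme_alice, "admin", "domain", "acme")    # domain administrator
    idp.grant(globex_alice, "admin", "project", batch)  # project administrator
    return {
        "legacy_project_admin_is_cloud_admin": idp.legacy_is_cloud_admin(globex_alice),
        "project_admin_on_own_project": idp.has_project_role(globex_alice, "admin", batch),
        "project_admin_manages_domain": idp.can_manage_domain(globex_alice, "globex"),
        "acme_admin_manages_acme": idp.can_manage_domain(acme_alice, "acme"),
        "acme_admin_manages_globex": idp.can_manage_domain(acme_alice, "globex"),
    }

if __name__ == "__main__":
    print(demo())
```

Under the legacy check a project-level admin grant escalates to the whole cloud, while the domain-aware checks keep it confined to its project and keep the "acme" domain administrator out of "globex".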

How Do You Use OpenStack Keystone Domains?

In the Liberty software release of OpenStack, the python-keystoneclient package was formally deprecated in favor of the unified python-openstackclient, which is capable of performing API operations to leverage domains.

You can create a domain with an OpenStack domain name:
$ openstack domain create <domain-name>

You can list the domains:
$ openstack domain list

Once your domains are created, you can create a user in an existing domain:
$ openstack user create --domain <domain-name> --email <email> --password <password> <user-name>

You can also create a project in a domain:
$ openstack project create --domain <domain-name> --description <description> <project-name>

For security access, you can assign a role to a user in a project:
$ openstack role add --project-domain <domain-name> --project <project-name> --user <user-name> <role-name>

Finally, you can delete a domain and all resources belonging to it (including any source code or configuration file used). A domain must be disabled before it can be deleted:

$ openstack domain set --disable <domain-name>
$ openstack domain delete <domain-name>


Keystone domains provide OpenStack deployers with increased flexibility when dividing their computing environment into logical partitions that will be used by members of different departments of an organization or completely different organizations altogether. The resulting granularity in the authorization model provides a great mix of independent service capabilities while still ensuring isolation between users and their projects.

If you have additional questions about OpenStack, take a look at the OpenStack courses that Mirantis Training offers or check any of our excellent docs online.

