The Keystone v3 API is included with OpenStack Grizzly and Havana, but python-keystoneclient does not expose v3 functionality at this time. Any interaction with the v3 API must be done directly via curl or the tool of your choice. The term "tenant" is now officially replaced with "project".

The Keystone v3 API introduces two significant Keystone features/concepts:

  • Domains
  • Groups

Let's first take a look at the Keystone v2 model.

Example Org Structure Utilizing Keystone v2 API

  • A user can reside in multiple departments yet hold a different role in each department.
  • SandraD is a Sysadmin in Aerospace, but not in Biology. In the CompSci project, she has the Support role, but not the Sysadmin role.

Example of v3 API "Domains"

v3 now introduces true multi-tenancy with the use of domains. As we can see, the domain acts as a high-level container for projects.

With domains, a cloud customer can be the owner of the domain. They can then create additional users, groups, and roles to be used within their specified domain.

Example of v3 API "Groups"

A group is simply a container representing a collection of users. Rather than assigning a role directly to a user on a project, a domain owner can assign a role to a group and then add users to that group.

  • A role can be assigned to a group on a domain or to a group on a project.

In this example:

  • JohnB will authenticate with Keystone, obtain the Sysadmin role, and belong to the Biology, Aerospace, and CompSci projects.
  • LisaD will authenticate with Keystone, obtain the Engineer role, and belong only to the CompSci project.

Other Info:

  • Groups are optional.
  • The domain name and role name are globally unique across all domains.
  • The user name, project name, and group name are unique only within the owning domain.

New v3 Commands

  • Create a group
  • Delete a group
  • Update a group (change its name or description)
  • Add a user to a group
  • Remove a user from a group
  • List group members
  • List groups for a user
  • Assign a role on a tenant to a group
  • Assign a role on a domain to a group
  • Query role assignments to groups

Interacting with Keystone v3 API

Adam Young's blog has some examples of interacting with v3:
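Since the client library does not yet speak v3, the request bodies and URLs have to be built by hand. The following is an added example (not code from this post or from Adam Young's blog) that builds the v3 password-auth body scoped to a project, builds the URL for granting a role to a group on a domain or project, and reads the roles out of a token response. The endpoint is a placeholder and the token response is a constructed sample; the JSON produced is what you would pass to `curl -d`.

```python
import json

# Placeholder endpoint; replace with your Keystone v3 URL.
KEYSTONE_V3 = "http://keystone.example.com:5000/v3"


def v3_auth_body(username, password, user_domain, project, project_domain):
    """Body for POST /v3/auth/tokens (password auth, project-scoped).

    User and project names are unique only within their owning domain,
    so both are qualified with a domain; otherwise Keystone cannot tell
    which "admin" in which domain is meant."""
    return {"auth": {
        "identity": {
            "methods": ["password"],
            "password": {"user": {
                "name": username,
                "password": password,
                "domain": {"name": user_domain}}}},
        "scope": {"project": {
            "name": project,
            "domain": {"name": project_domain}}}}}


def group_role_assignment_url(group_id, role_id, domain_id=None, project_id=None):
    """URL for a PUT that grants a role to a group on a domain or on a project.

    Exactly one of domain_id / project_id must be given: a group is granted
    the role on one target, not on both at once."""
    if (domain_id is None) == (project_id is None):
        raise ValueError("assign on exactly one of domain or project")
    target = f"domains/{domain_id}" if domain_id else f"projects/{project_id}"
    return f"{KEYSTONE_V3}/{target}/groups/{group_id}/roles/{role_id}"


def effective_roles(token_response):
    """Role names Keystone placed in a scoped token (direct and via groups)."""
    return {r["name"] for r in token_response["token"]["roles"]}


# Constructed sample of a scoped-token response, trimmed to the fields used.
SAMPLE_TOKEN_RESPONSE = {"token": {
    "user": {"name": "JohnB", "domain": {"name": "Default"}},
    "project": {"name": "Biology", "domain": {"name": "Default"}},
    "roles": [{"id": "r1", "name": "Sysadmin"}]}}

if __name__ == "__main__":
    print(json.dumps(v3_auth_body("JohnB", "secret", "Default", "Biology", "Default"), indent=2))
    print(group_role_assignment_url("g1", "r1", project_id="p1"))
    print(sorted(effective_roles(SAMPLE_TOKEN_RESPONSE)))
```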

