docs/05-iam/domain-manager-setup-and-usage.md (+2 -27)
@@ -1,12 +1,5 @@
1
1
# Domain Manager setup and usage
2
2
3
-
:::info
4
-
5
-
The following documentation refers to a SCS standard that is still in draft state.
6
-
It is not meant for productive use yet but CSPs are encouraged to test-drive and provide feedback!
7
-
8
-
:::
9
-
10
3
## Preface
11
4
12
5
SCS defines the **Domain Manager** standard, introducing a special persona to the OpenStack Keystone identity manager.
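Review bot: The draft-state admonition at old lines 3 to 9 is deleted without anything on the page stating the standard's new status, so a reader cannot tell whether the Domain Manager standard is now stable or which version of it this guide tracks. Consider replacing the notice with a one-line reference to the stabilized version of the standard rather than dropping it silently.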
@@ -15,19 +8,10 @@ Its intended use case is to offer extensive identity management self-service cap
15
8
16
9
This guide will explain setup, configuration and usage of the SCS Domain Manager standard.
17
10
18
-
### Warning regarding the exposure of domain names
19
-
20
-
Due to architectural limitations currently existing in OpenStack Keystone, assigning the `manager` role to users while the configuration of the SCS Domain Manager standard has been applied will **enable them to see the IDs and names of all existing domains**.
21
-
This includes domains other than their own, meaning that other tenant's identities might be exposed depending on the relation between them and the name of their domain.
22
-
CSPs aiming to appoint Domain Manager users must be aware of this limitation and should exclusively **use pseudonymized domain names across the whole infrastructure**.
23
-
If CSPs strictly follow the [SCS naming conventions](https://github.com/SovereignCloudStack/standards/blob/main/Standards/scs-0301-v1-naming-conventions.md) for domains this is already addressed.
24
-
If this is not feasible for the CSP, they may opt to refrain from making use of the Domain Manager functionality at all, i.e. never assign the `manager` role to tenant users.
25
-
26
11
:::info
27
12
28
-
This architectural limitation will be fixed in upcoming OpenStack and SCS releases.
29
-
30
-
See [https://bugs.launchpad.net/keystone/+bug/2041611](https://bugs.launchpad.net/keystone/+bug/2041611)
13
+
The Domain Manager functionality, formerly exclusive to the corresponding SCS standard, will be natively integrated into OpenStack starting with release 2024.2 ("Dalmatian").
14
+
When using an OpenStack release equal to 2024.2 or later, you can omit the instructions for Keystone API policy adjustments.
31
15
32
16
:::
33
17
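Review bot: Removing the whole "Warning regarding the exposure of domain names" section (old lines 18 to 24) leaves operators on releases before 2024.2 without guidance. The new admonition only says the Keystone API policy adjustments can be omitted on 2024.2 or later. It does not say that the exposure of all domain IDs and names to users holding the `manager` role is resolved. The removed text promised a fix "in upcoming OpenStack and SCS releases" and linked bug 2041611. Either state explicitly where that fix landed, or keep the warning and scope it to deployments that still apply the policy adjustments. Minor wording: "equal to 2024.2 or later" reads more cleanly as "2024.2 or later".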
@@ -89,15 +73,6 @@ Refer to the SCS Domain Manager standard for more information.
89
73
90
74
The following sections describe actions available to CSP operators that possess the `admin` role.
91
75
92
-
### Creating domains
93
-
94
-
:::caution
95
-
96
-
It is highly recommended to use pseudonymized domain names when creating domains, since Domain Managers will currently be able to see the names of all existing domains.
97
-
See [Warning regarding the exposure of domain names](#warning-regarding-the-exposure-of-domain-names) for more details.
98
-
99
-
:::
100
-
101
76
For each tenant for which a self-service area (i.e. a domain) is to be established, a domain should be created before creating any users, projects or groups for this tenant:
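Review bot: Old line 92 removes the `### Creating domains` heading together with the `:::caution` block, so the paragraph starting "For each tenant for which a self-service area ..." now sits directly under the sentence introducing "the following sections" with no section heading of its own, and any link to `#creating-domains` would break. If only the pseudonymization caution is obsolete, keep the heading and the blank line after it, and delete just old lines 94 to 100.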