Keystone Domains

Currently Keystone lacks the ability to scope users and their resources to an uber collection. Keystone is in need of a higher order entity (aka domain) to allow for the grouping of users, groups, roles, and tenants. A domain can represent an individual, company, or operator owned space. The intent of domain is to define the administrative boundaries for management of Keystone entities. By defining the domain collection an authorization system, whether external or internal to Keystone, can be used to enforce policies related to admin operations for that domain. With domains in place, administrative roles within each domain can then be defined to control CRUD operations on entities scoped to the domain. Additionally, domains afford the ability to setup cross domain trust relationships which can then be used to controlling the ability to give users one domain access to resources of another.

A sampling of related user stories:
1) As a cloud user I want to be able to create users who can have access to my tenants/services
2) As a cloud user I want to be able to control the kind of access that users have to my tenants/services by specifying role assignments for users.
3) As a cloud user I want to be able to create groups and place users into groups
4) As a cloud user I want to be able to control the kind of access that users have to my tenants/services by specifying role assignments for groups.