Domain → A top-level container that is globally unique in Keystone
Role → Permission set
Endpoint → External access address of a single service
Group → User set
These matches are consistent with official OpenStack Keystone identity concepts. OpenStack documentation defines a group as a collection of users, so “user set” is the correct description for Group. It also explains that a role is used in Keystone’s RBAC model to represent a set of permissions that can be assigned to users or groups, so Role → Permission set is correct.
For Endpoint, OpenStack service configuration documentation describes endpoints as the network-accessible API addresses used to access a service, which matches “external access address of a single service”.
For Domain, Keystone identity documentation explains that domains are top-level containers used to organize projects, users, and groups. In practice, a domain is a globally unique administrative boundary in Keystone, which matches the description “a top-level container that is globally unique in Keystone”.
So the final verified mapping is: Domain → top-level container, Role → permission set, Endpoint → service access address, and Group → user set.