Add a feature support matrix for identity sources
This introduces the various ways you can configure keystone to authenticate users, and provides a little compare/contrast to help people understand how each solution behaves at a high level before diving deeper. This patch covers: - SQL - LDAP (considering that all write operations are deprecated) - External authentication (REMOTE_USER) - OAuth 1.0a - OpenID Connect - SAMLv2 Change-Id: I86dfbd2c1f7fed199c612dd1456358e559da3fad
This commit is contained in:
parent
ed5df6f26f
commit
428a6e0faa
|
@ -107,6 +107,23 @@ is not an absolute path, then Keystone looks for it in the same directories as
|
|||
above. If not specified, WSGI pipeline definitions are loaded from the primary
|
||||
configuration file.
|
||||
|
||||
Identity sources
|
||||
----------------
|
||||
|
||||
One of the most impactful decisions you'll have to make when configuring
|
||||
keystone is deciding how you want keystone to source your identity data.
|
||||
Keystone supports several different choices that will substantially impact how
|
||||
you'll configure, deploy, and interact with keystone.
|
||||
|
||||
You can also mix-and-match various sources of identity (see `Domain-specific
|
||||
Drivers`_ below for an example). For example, you can store OpenStack service
|
||||
users and their passwords in SQL, manage customers in LDAP, and authenticate
|
||||
employees via SAML federation.
|
||||
|
||||
.. support_matrix:: identity-support-matrix.ini
|
||||
|
||||
.. Domain-specific Drivers:
|
||||
|
||||
Domain-specific Drivers
|
||||
-----------------------
|
||||
|
||||
|
|
|
@ -0,0 +1,120 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
# This file contains a specification of what feature capabilities each driver
|
||||
# is able to support. Feature capabilities include what API operations are
|
||||
# supported, what backend behaviors features can be used and what aspects of
|
||||
# the driver implementation can be configured. The capabilities can be
|
||||
# considered to be structured into nested groups, but in this file they have
|
||||
# been flattened for ease of representation. The section names represent the
|
||||
# group structure. At the top level there are the following groups defined:
|
||||
#
|
||||
# - operation: Public API operations.
|
||||
# - feature: Features of the driver.
|
||||
#
|
||||
# When considering which capabilities should be marked as mandatory, consider
|
||||
# the following guiding principles.
|
||||
#
|
||||
# The 'status' field takes possible values:
|
||||
#
|
||||
# - mandatory: Unconditionally required to be implemented.
|
||||
# - optional: Optional to support, but nice to have.
|
||||
# - choice(group): At least one of the options within the named group
|
||||
# must be implemented.
|
||||
# - conditional(cond): Required, if the referenced condition is met.
|
||||
#
|
||||
# The value against each 'impl-XXXX' entry refers to the level of the
|
||||
# implementation of the feature in that driver:
|
||||
#
|
||||
# - complete: Fully implemented, expected to work at all times.
|
||||
# - partial: Implemented, but with caveats about when it will work.
|
||||
# For example, some configurations or hardware or guest OS may not
|
||||
# support it.
|
||||
# - missing: Not implemented at all.
|
||||
#
|
||||
# In the case of the driver being marked as 'partial', then
|
||||
# 'notes-XXX' entry should be used to explain the caveats around the
|
||||
# implementation.
|
||||
#
|
||||
# The 'cli' field takes a list of client commands, separated by semicolon.
|
||||
# These CLi commands are related to that feature.
|
||||
# Example:
|
||||
# cli=openstack domain list;openstack domain show <domain>
|
||||
#
|
||||
[targets]
|
||||
# List of driver implementations for which we are going to track the status of
|
||||
# features. This list only covers drivers that are in tree. Out of tree
|
||||
# drivers should maintain their own equivalent document, and merge it with this
|
||||
# when their code merges into core.
|
||||
|
||||
driver-impl-sql=SQL
|
||||
driver-impl-ldap=LDAP
|
||||
driver-impl-oauth1=OAuth v1.0a
|
||||
driver-impl-external=REMOTE_USER
|
||||
driver-impl-oidc=OpenID Connect
|
||||
driver-impl-samlv2=SAML v2
|
||||
|
||||
[feature.local_authentication]
|
||||
title=Local authentication
|
||||
status=optional
|
||||
notes=Authenticate with keystone by providing credentials directly to keystone.
|
||||
driver-impl-sql=complete
|
||||
driver-impl-ldap=complete
|
||||
driver-impl-oauth1=complete
|
||||
driver-impl-external=missing
|
||||
driver-impl-oidc=missing
|
||||
driver-impl-samlv2=missing
|
||||
|
||||
[feature.external_authentication]
|
||||
title=External authentication
|
||||
status=optional
|
||||
notes=Authenticate with keystone by providing credentials to an external system
|
||||
that keystone trusts (as with federation).
|
||||
driver-impl-sql=missing
|
||||
driver-impl-ldap=missing
|
||||
driver-impl-oauth1=missing
|
||||
driver-impl-external=complete
|
||||
driver-impl-oidc=complete
|
||||
driver-impl-samlv2=complete
|
||||
|
||||
[feature.identity_crud]
|
||||
title=Identity management
|
||||
status=optional
|
||||
notes=Create, update, enable/disable, and delete users via Keystone's HTTP API.
|
||||
driver-impl-sql=complete
|
||||
driver-impl-ldap=partial
|
||||
driver-impl-oauth1=complete
|
||||
driver-impl-external=missing
|
||||
driver-impl-oidc=missing
|
||||
driver-impl-samlv2=missing
|
||||
|
||||
[feature.pci_controls]
|
||||
title=PCI-DSS controls
|
||||
status=optional
|
||||
notes=Configure keystone to enforce PCI-DSS compliant security controls.
|
||||
driver-impl-sql=complete
|
||||
driver-impl-ldap=partial
|
||||
driver-impl-oauth1=missing
|
||||
driver-impl-external=partial
|
||||
driver-impl-oidc=missing
|
||||
driver-impl-samlv2=missing
|
||||
|
||||
[feature.auditing]
|
||||
title=Auditing
|
||||
status=optional
|
||||
notes=Audit authentication flows using PyCADF.
|
||||
driver-impl-sql=complete
|
||||
driver-impl-ldap=complete
|
||||
driver-impl-oauth1=missing
|
||||
driver-impl-external=missing
|
||||
driver-impl-oidc=complete
|
||||
driver-impl-samlv2=complete
|
Loading…
Reference in New Issue